Network System Security part 48 docx

CHAPTER 17
Windows 2000 Security Issues

Copyright 2001 The McGraw-Hill Companies, Inc.

Network Security: A Beginner’s Guide

Microsoft Windows 2000 is rapidly replacing Windows NT in internal and external server installations. There is little doubt that Windows 2000 will become one of the most prevalent (if not the most prevalent) operating system across the Internet. It is obvious that Windows 2000 will be found in traditional Windows NT roles such as file, print, and database servers for internal use and Web and application servers for Internet use. Additional features, such as a telnet server, may push Windows 2000 into functions that have been reserved for Unix systems. However it may be used, it is clear that Windows 2000 will store and operate on sensitive information.

As we did in Chapter 15, we will discuss the basic steps to take during system setup and how to properly manage users within a Windows 2000 domain. Finally, we will discuss system management issues from a security perspective. The final section of this chapter will try to identify key indicators that administrators should watch for when looking for potential intrusions.

SETTING UP THE SYSTEM

Windows 2000 has added some significant security features over those available under Windows NT. As you will see in the following sections, the capabilities of these new tools are quite significant. Unfortunately, their use requires a homogeneous Windows 2000 environment. When used in mixed Windows 2000 and Windows NT environments, the system must default to the weaker Windows NT configurations to allow interoperability.

Windows 2000 is not secure straight out of the box (although it is better than Windows NT). Given this, there are some settings that should be made before the system goes into production that will make the system more secure. The configuration settings are divided into Local Security Policy Settings and System Configuration Settings.
Local Security Policy Settings

New to Windows 2000 is the local policy editor GUI. You can find this tool by going to Control Panel | Administrative Tools | Local Security Policy (see Figure 17-1). This tool allows you to set account policies as well as local security policies. We will talk more about account configuration later. For now, let’s focus on the local security policies.

Figure 17-1. Local Security Policy Management GUI

The Local Security Policy GUI is actually just a front end for changes to the Registry. Therefore, the use of regedit or regedt32 is no longer required to make common Registry setting changes. Generally, for these security changes, it is better to use the tool than to go into the Registry to make your own changes.

Figure 17-2 shows the policy items that are configurable through the Local Security Policy GUI. The following sections go into more detail about recommended changes to the security policy.

NOTE: Windows 2000 provides a number of security configuration templates that can be used to set system configurations, local security policy, and user management settings on the system. If you choose to use one of these templates, make sure you understand the changes that will be made to your system.

Logon Message

Windows 2000 provides two settings to configure a logon message to be displayed to users:

▼ Message Text for Users Attempting to Log On
▲ Message Title for Users Attempting to Log On

Set both of these with the appropriate logon message for your organization.

Clear Virtual Memory Pagefile When System Shuts Down

The virtual memory pagefile contains important system information when the system is running. This system information may include encryption keys or password hashes. To force Windows 2000 to clear the system pagefile on shutdown, enable the Clear Virtual Memory Pagefile When System Shuts Down setting.
Allow System to Be Shut Down Without Having to Log On

Individuals should not be able to shut down systems if they cannot log on. Therefore, the Allow System to be Shut Down Without Having to Log On setting should be disabled.

Figure 17-2. Local Security Policy configurable items

LAN Manager Authentication Level

LAN Manager authentication is an authentication system that allows Windows 2000 servers to work with Windows 95 and Windows 98 clients (as well as Windows for Workgroups). LAN Manager authentication schemes are significantly weaker than the NT or Windows 2000 authentication systems (called NTLM v2) and thus may allow an intruder to perform a brute-force attack on the encrypted passwords using much less computing power. To force the use of NTLM v2 authentication, use the following settings:

1. Select the LAN Manager Authentication Level policy setting.
2. Select the appropriate level from the pull-down menu.

The value you set depends upon your environment. There are six levels defined as:

▼ Send LM and NTLM Responses—This is the default level. Send both LAN Manager and NTLM responses. The system will never use NTLM v2 session security.
■ Send LM and NTLM, Use NTLM v2 If Negotiated.
■ Send NTLM Response Only.
■ Send NTLM v2 Response Only.
■ Send NTLM v2 Response Only, Refuse LM.
▲ Send NTLM v2 Response Only, Refuse LM and NTLM.

NOTE: Before making the change to this policy setting, determine the operating requirements for your network. If you have Windows 95 or Windows 98 clients on your network, you must allow LAN Manager responses.

Additional Restrictions for Anonymous Connections

This policy setting allows the administrator to define what is allowed via an anonymous connection.
The three choices are

▼ None, Rely On Default Permissions
■ Do Not Allow Enumeration of SAM Accounts and Shares
▲ No Access Without Explicit Anonymous Permissions

These settings can prevent null user sessions from gaining information about users on a system.

System Configuration

There are several differences between Windows 2000 and Windows NT when it comes to system configuration. Windows 2000 does introduce new security features, but it is helpful to understand the advantages and disadvantages of each of the new features. In the following sections, we will discuss four primary areas:

▼ File systems
■ Network settings
■ Account settings
▲ Service packs and hot-fixes

As a general rule, the specific settings should be governed by the organization’s security policy and system configuration requirements.

File Systems

All file systems on Windows 2000 systems should be converted to NTFS. Since FAT file systems do not allow for file permissions, NTFS is better from a security point of view. If any of your file systems are FAT, you can use the program CONVERT to change them to NTFS. This program requires a reboot but it can be done with information already on the drive.

It should also be noted that Windows 2000 ships with a new version of NTFS, NTFS-5. NTFS-5 comes with a new set of individual permissions:

▼ Traverse Folder/Execute File
■ List Folder/Read Data
■ Read Attributes
■ Read Extended Attributes
■ Create Files/Write Data
■ Create Folders/Append Data
■ Write Attributes
■ Write Extended Attributes
■ Delete Subfolders and Files
■ Delete
■ Read Permissions
■ Change Permissions
▲ Take Ownership

Before putting Windows 2000 into production, administrators and security staff should understand the new permissions and review the permissions structure on files and directories.
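Because the Local Security Policy GUI is a front end for Registry values, the settings discussed above can be checked from an exported security template. The following is an added example, not code from the book: it audits three of those settings in a constructed export assumed to use the security-template (.inf) layout. The value names LmCompatibilityLevel, RestrictAnonymous and ClearPageFileAtShutdown are the Registry values behind the GUI items, and requiring an NTLM v2-only level is an assumed policy.

```python
# Added example (not from the book): audit Local Security Policy values
# found in a security-template style export.
LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
MEM = ("machine\\system\\currentcontrolset\\control\\"
       "session manager\\memory management\\")
LM_LEVELS = [  # the six levels, in the order the chapter lists them (0-5)
    "Send LM and NTLM Responses",
    "Send LM and NTLM, Use NTLM v2 If Negotiated",
    "Send NTLM Response Only",
    "Send NTLM v2 Response Only",
    "Send NTLM v2 Response Only, Refuse LM",
    "Send NTLM v2 Response Only, Refuse LM and NTLM",
]
# Constructed sample; each entry is <Registry path>=<type>,<data>.
SAMPLE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
"""

def registry_values(text):
    """Return {lowercased path: integer data} from the [Registry Values] section."""
    values, inside = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            inside = line.lower() == "[registry values]"
        elif inside and "=" in line and not line.startswith(";"):
            path, spec = line.split("=", 1)
            kind, _, data = spec.partition(",")
            if kind.strip() == "4":          # 4 = REG_DWORD
                values[path.strip().lower()] = int(data)
    return values

def audit(text, min_lm_level=3):  # assumption: NTLM v2-only levels required
    v = registry_values(text)
    findings = []
    lm = v.get(LSA + "lmcompatibilitylevel", 0)  # absent = default level
    if lm < min_lm_level:
        findings.append(f"LAN Manager level {lm}: {LM_LEVELS[lm]}")
    if v.get(LSA + "restrictanonymous", 0) == 0:
        findings.append("Anonymous connections rely on default permissions")
    if v.get(MEM + "clearpagefileatshutdown", 0) != 1:
        findings.append("Pagefile is not cleared at shutdown")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Lower `min_lm_level` only where Windows 95 or Windows 98 clients still require LAN Manager responses, as the NOTE above explains.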
Encrypting File System

One weakness in the NTFS file system is that it only protects files when used with Windows NT or Windows 2000. If an intruder can boot a system using another operating system (such as DOS), he or she could then use a program (such as NTFSDOS) to read the files and thus go around the NTFS access controls. Windows 2000 adds the Encrypting File System (EFS) to protect sensitive files from this type of attack.

EFS is designed to be transparent to the user. Therefore, the user does not have to initiate the decryption or encryption of the file (once EFS is invoked for the file or directory). To invoke EFS, select the file or directory you wish to protect, right-click, and select Properties. Select the Advanced button on the General screen and select Encrypt Contents to Secure Data.

When a file is designated to be encrypted, the system chooses a key to be used by a symmetric key algorithm and encrypts the file. The key is then encrypted with the public key of one or more users who will have access to the file. It should be noted here that the EFS has a built-in mechanism to allow for the recovery of encrypted information. By default, the local Administrator account will always be able to decrypt any EFS files.

Because of the way EFS interfaces with the user and the operating systems, some commands will cause a file to be decrypted and others will not. For example, the Ntbackup command will copy an encrypted file as is. However, if the user executes a Copy command, the file will be decrypted and rewritten to disk. If the destination location for the file is a non-NTFS 5.0 partition or a floppy disk, the file will not be encrypted when written. Also, if the file is copied to another computer, it will be re-encrypted with a different symmetric algorithm key. Thus, the two files will appear different on the two different computer systems even though the unencrypted contents of the file will be the same.
Shares

As with Windows NT, Windows 2000 creates administrative shares when it boots. These are the C$, D$, IPC$, ADMIN$, and NETLOGON (only found on domain controllers) shares. The complete list of current shares can be examined with the Computer Management tool, found under Control Panel | Administrative Tools (see Figure 17-3). While these shares can be used to attempt to brute-force the administrator password, it is not recommended that you turn any of these off.

Figure 17-3. Computer Management shows existing shares

Network

Networking with Windows 2000 has changed significantly from Windows NT. In addition to the standard Windows ports (135, 137, and 139), Windows 2000 adds Port 88 for Kerberos, Port 445 for SMB over IP, Port 464 for Kerberos kpasswd, and Port 500 (UDP only) for Internet Key Exchange (IKE). What this means is that if you want to remove NetBIOS from a Windows 2000 system, you actually have to disable File and Print Sharing for Microsoft Networks on the specific interface. You can do this from the Network and Dial-up Connections window. Select the Advanced menu and then select Advanced Settings to see the Adapters and Bindings tab (see Figure 17-4).

Figure 17-4. Removing the bindings for NetBIOS

The network continues to be a key part of Windows 2000. Windows 2000 domains remove the concept of PDCs and BDCs. There are now only domain controllers (DCs). Windows 2000 domains still maintain the centralized control of the user database. However, the Active Directory structure now allows for a hierarchical concept. This means that groups can be created above or below other groups and the domain can be separated into organizational units with local control.

NOTE: Before Windows 2000 is deployed within your organization, the domain structure should be properly planned.
Just moving an existing domain structure from Windows NT to Windows 2000 is not appropriate and can cause future problems.

It should also be noted that Windows 2000 does make a change in the way trust relationships work within a domain and between domains. In Windows NT, trust had to be explicitly established for each direction. In a Windows 2000 system, a trust relationship is bi-directional by default. Trust in Windows 2000 is also transitive. This means that if Domain A has a trust relationship with Domain B and Domain B has a trust relationship with Domain C, then Domain A also has a trust relationship with Domain C and vice versa.

Account Settings

Windows 2000 comes with two default accounts: Administrator and Guest. Both of these accounts can be renamed by using the Local Security Settings tool. Select the policy items Rename Administrator Account and Rename Guest Account to make these changes. The Guest account should also be disabled. I also change the password on the Guest account to something very long and very random just in case.

Every Windows 2000 workstation and server in the organization will have an Administrator account that is local to that machine and thus will require protection. To protect these accounts, a procedure should be established to define a password that is very strong. The password should be written down, sealed in an envelope, and stored in a locked cabinet.

Password Policy

The system password policy is defined by using the Local Security Settings tool (see Figure 17-5). This screen allows you to set password parameters and strength requirements. As with any computer system, these settings should be made in accordance with your organization’s security policy.

If you choose to enable the Passwords Must Meet Complexity Requirements setting, you will be invoking the default password filter (PASSFILT.DLL).
This will require all passwords to be at least six characters long, not contain any component of the user name, and contain at least three of the following: numbers, symbols, lowercase, or uppercase.

Unless absolutely necessary, you should not enable the Store Passwords Using Reversible Encryption setting.

Figure 17-5. Using the Local Security Settings tool to establish password policy

Account Lockout Policy

The account lockout policy is configured using the Local Security Settings tool as well (see Figure 17-6). These settings should be made according to your organization’s security policy.

NOTE: The account lockout policy is used to prevent an attacker from conducting a brute-force attack to guess passwords. It can also be used to cause a denial-of-service condition to the entire user community. Therefore, it may be wise to consider the consequences of prolonged lockouts of the user community when setting this policy.

The lockout will not be enforced against the Administrator account. The Administrator account will always be able to log in from the system console.

Service Packs and Hot-Fixes

As of this writing, there is one service pack for Windows 2000. Additional hot-fixes and service packs will come out over time. As with Windows NT updates, service packs and hot-fixes should be implemented within an organization after appropriate testing.
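The trust behaviour described in the Network discussion above (explicit and one-way in Windows NT, bi-directional and transitive in Windows 2000) decides which domains end up trusting each other after a migration. The following is an added example, not code from the book: it models trust exactly as the chapter states it and lists the relationships that exist without ever having been configured. The domain names and the (truster, trusted) pair format are constructed for illustration.

```python
# Added example (not from the book): effective trust under the two models
# the chapter describes.
from collections import defaultdict

def nt_trust(links):
    """Windows NT model: each (truster, trusted) pair is explicit and one-way."""
    return set(links)

def win2000_trust(links):
    """Windows 2000 model as stated in the text: every link is bi-directional
    and transitive, so all domains in one connected group trust each other."""
    neighbours = defaultdict(set)
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    effective, seen = set(), set()
    for start in list(neighbours):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:                      # depth-first walk of one group
            domain = stack.pop()
            if domain not in group:
                group.add(domain)
                stack.extend(neighbours[domain] - group)
        seen |= group
        effective |= {(a, b) for a in group for b in group if a != b}
    return effective

def implicit_trusts(links):
    """Trusts present under Windows 2000 that nobody configured explicitly."""
    return sorted(win2000_trust(links) - nt_trust(links))

# Constructed domains; A-B and B-C mirror the chapter's own example.
LINKS = [("A", "B"), ("B", "C"), ("X", "Y")]

if __name__ == "__main__":
    for truster, trusted in implicit_trusts(LINKS):
        print(f"{truster} trusts {trusted} (never configured explicitly)")
```

Reviewing the output of `implicit_trusts` against the planned domain structure is one way to act on the NOTE about planning before deployment.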

Date posted: 02/07/2014, 18:20
