Your Complete Guide to Configuring a Secure Windows 2000 Network
• Complete Coverage of Internet Information Services (IIS) 5.0
• Hundreds of Configuring & Implementing, Designing & Planning Sidebars, Security Alerts, and FAQs
• Complete Coverage of Kerberos, Distributed Security Services, and Public Key Infrastructure

Chad Todd
Norris L. Johnson, Jr., Technical Editor

From the authors of the bestselling HACK PROOFING™ YOUR NETWORK
1 YEAR UPGRADE BUYER PROTECTION PLAN

181_HPnew_FC 9/20/01 11:51 AM Page 1

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs.
And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

181_SerSec2e_FM 9/20/01 1:07 PM Page i

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Windows 2000
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-49-3

Technical Editor: Norris L. Johnson, Jr.
Cover Designer: Michael Kavish
Co-Publisher: Richard Kristof
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editor: Darlene Bordwell
Developmental Editor: Jonathan Babcok
Indexer: Robert Saigh
Freelance Editorial Manager: Maribeth Corona-Evans

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Eric Green, Dave Dahl, Elise Cannon, Chris Barnard, John Hofstetter, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise. In addition, a special thanks to Janis Carpenter, Kimberly Vanderheiden, and all of the PGW Reno staff for help on recent projects.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, Paul Zanoli, Alan Steele, and the great folks at Graphic Services/InterCity Press for all their help.

From the Author

I would like to thank Paul Salas, coauthor of Administering Cisco QOS for IP Networks by Syngress Publishing, for introducing me to the folks at Syngress and Chris Jackson for his support and encouragement. I would also like to thank the authors of Configuring Windows 2000 Server Security, Thomas Shinder, Debra Shinder, and Lynn White, for providing the foundation for this book. Finally, a thank you to the editors that made this book possible—Jon Babcock, Catherine Nolan, Norris Johnson, Thomas Llewellyn, and Melissa Craft. I would also like to thank my wife Sarah who is a tremendous help in my work and supportive of the numerous hours spent on my various projects. Without Sarah’s loving support, I would not be able to accomplish my personal or professional goals.
Author

Chad Todd (MCSE, MCT, CNE, CNA, A+, Network+, i-Net+) is a Systems Trainer for Ikon Education Services, a global provider of technical training. He currently teaches Windows 2000 Security classes. In addition to training for Ikon, Chad also provides private consulting for small- to medium-sized companies. Chad writes practice tests for Boson Software and is the coauthor of Test 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition. Chad first earned his MCSE on Windows NT 4.0 and has been working with Windows 2000 since its first beta release. He was awarded Microsoft Charter Member 2000 for being one of the first 2000 engineers to attain Windows 2000 MCSE certification. Chad lives in Columbia, SC with his wife Sarah.

Technical Editor

Norris L. Johnson, Jr. (MCSE, MCT, CTT, A+, Network+) is a Technology Trainer and Owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies. He specializes in Windows NT 4.0 and Windows 2000 issues, providing planning and implementation and integration services. In addition to consulting work, Norris is a Trainer for the AATP program at Highline Community College’s Federal Way, WA campus and has taught in the vocational education arena at Bates Technical College in Tacoma, WA. Norris holds a bachelor’s degree from Washington State University. He is deeply appreciative of the guidance and support provided by his parents and wife Cindy while transitioning to a career in Information Technology.

Contributors

Dr. Thomas W. Shinder, M.D. (MCSE, MCP+I, MCT) is a Technology Trainer and Consultant in the Dallas-Ft. Worth metroplex.
He has consulted with major firms, including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Tom is a Windows 2000 editor for Brainbuzz.com, a Windows 2000 columnist for Swynk.com, and is the author of Syngress’s bestselling Configuring ISA Server 2000 (1-928994-29-6). Tom attended medical school at the University of Illinois in Chicago and trained in neurology at the Oregon Health Sciences Center in Portland, OR. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on systems engineering. Tom and his wife, Debra Littlejohn Shinder, design elegant and cost-efficient solutions for small- and medium-sized businesses based on Windows NT/2000 platforms. Tom has contributed to several Syngress titles, including Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4), and Managing Windows 2000 Network Services (ISBN: 1-928994-06-7), and is the coauthor of Troubleshooting Windows 2000 TCP/IP (1-928994-11-3).

Debra Littlejohn Shinder (MCSE, MCT, MCP+I), is an Independent Technology Trainer, Author, and Consultant who works in conjunction with her husband, Dr. Thomas Shinder, in the Dallas-Ft. Worth area. She has been an instructor in the Dallas County Community College District since 1992, and is the Webmaster for the cities of Seagoville and Sunnyvale, TX. Deb is a featured Windows 2000 columnist for Brainbuzz.com and a regular contributor to TechRepublic’s TechProGuild. She and Tom have authored numerous online courses for DigitalThink (www.digitalthink.com) and have given presentations at technical conferences on Microsoft certification and Windows NT and 2000 topics. Deb is also the Series Editor for the Syngress/Osborne McGraw-Hill Windows 2000 MCSE study guides. She is a member of the Author’s Guild, the IEEE IPv6 Task Force, and local professional organizations.
Deb and Tom met online and married in 1994. They opened a networking consulting business and developed the curriculum for the MCSE training program at Eastfield College before becoming full-time technology writers. Deb is the coauthor of Syngress’s bestselling Configuring ISA Server 2000 (1-928994-29-6). She has also coauthored Syngress’s Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3) and has contributed to several Syngress titles, including Managing Windows 2000 Network Services (ISBN: 1-928994-06-7) and Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4).

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a Security Consultant. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He has held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force. While in the Air Force, Stace was also heavily involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. This not only included American equipment but also equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace was an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has coauthored over 18 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He has also performed as Technical Editor for various other books and is a published author in Internet Security Advisor magazine.
His wife Martha and daughter Marissa are very supportive of the time he spends with his computers, routers, and firewalls in the “lab” of their house. Without their love and support he would not be able to accomplish the goals he has set for himself.

[...]

Contents

... Policy
Security Templates
The Secedit.exe Command-Line Tool
Security Configurations
Security Configuration and Analysis Database

Understand the Secedit.exe Command
The secedit.exe command-line interface allows the administrator to: ...
Exercise 5.5 Analyzing the Local Machine Account and Local Policies
Restricted Group Management
Registry Security

Learn the Syntax for the EfsRecvr Command Line
Item   Function
/S     Recovers the files in the given directory and all subdirectories ...
EFS Recovery Certificate
EFS Architecture
EFS Components
The Encryption Process
The EFS File Information
The Decryption Process
Summary
Solutions Fast Track
Frequently Asked Questions

Implement IPSec Security Services
IPSec engages ...

Exercise 12.8 Installing System Scanner
Exercise 12.9 Running a Scan with System Scanner
Summary
Solutions Fast Track
Frequently Asked Questions
Appendix A Port Numbers 617
Index 653

Chapter 1 The Windows 2000 Server ...

... Services 107
Open Standards 107
Windows 2000 Distributed Security Services 109
Active Directory and Security 110
Advantages of Active Directory Account Management 111
Managing Security via Object Properties 113
Managing Security via Group Memberships 115
Active Directory Object Permissions 115
Exercise 4.1 Assigning Active Directory Permissions to a Directory Object 116
... Frequently Asked Questions

Chapter 2 Default Access Control Settings 21
Introduction 22
The Administrators Group 23
The Users Group 24
The Power Users Group 24
Configuring Security during Windows 2000 Setup
Default File System and Registry Permissions
Default User Rights
Exercise 2.1 Checking User Rights ...
Configuring the Template Files
Deploying the Template Files
Auditing IIS
Exercise 11.6 Configuring Auditing for an Organizational Unit
Summary
Solutions Fast Track
Frequently Asked Questions
Use the Service Monitoring Tool
The Service Monitoring ...

Chapter 1 • The Windows 2000 Server Security Migration Path

... but in Windows 2000 Server it has replaced the default authentication with Kerberos v5 for an all-Windows 2000-based network (clients and servers).

Differences in Windows 2000 Server Security
One of the enhancements to Windows 2000 Server security is that Windows 2000 Server supports ... some of the tools used in Windows NT 4.0 and those used in Windows 2000 Server.

Figure 1.1 Active Directory Users and Computers (Continued)

Table 1.1 Windows NT 4.0 and Windows 2000 Server Tools
Windows NT 4.0              Windows 2000 Server
User Manager for Domains    Active Directory Users and Computers
...

... to cease having access to certain information
■ The certificate was obtained through forgery

Chapter 9 Microsoft Windows 2000 Public Key Infrastructure 315
Introduction 316
Concepts 316
Public Key Cryptography 317
Public Key Functionality 319
Digital Signatures 319
Authentication 321
Secret Key Agreement via Public Key 322
Bulk Data Encryption without Prior Shared Secrets 322
Protecting ...

... 11
Getting Started 12
Exercise 1.1 Switching to Native Mode 13
Issues to Present to Your Manager 15
Proper Analysis 16
Timing 16
Cost 16
Resources 17
Summary 18
Solutions Fast Track 18
Frequently ...