Chapter 4 • Secure Networking Using Windows 2000 Distributed Security Services

improvement over the Registry-based implementation in terms of both performance and scalability. It is also easier to manage. Active Directory provides replication and availability of account information to multiple domain controllers and can be administered remotely. In addition, Windows 2000 employs a new domain model that uses Active Directory to support a multilevel hierarchy tree of domains. Managing the trust relationships between domains has been enormously simplified by the transitive trust model that extends throughout the forest.

Windows 2000's trusts work differently from those in NT, which affects security issues and administration in the Active Directory environment. Before you try to understand how trusts work, it is important to understand how Active Directory is designed. A properly designed Active Directory forest can create all the necessary trusts automatically.

Active Directory Components

When the first Windows 2000 Server computer in a network is promoted to domain controller, it creates the root domain for your organization. Since this domain is the first one created in your forest, it becomes the root for the forest and the root for its tree. It will have a hierarchical name, such as mycompany.com.

When additional domains are created in your company's network (by promoting other Windows 2000 servers to domain controllers and designating them as domain controllers for the new domains), there are three options:

■ They can be created as children of the forest root domain.
■ They can be created as root domains for new trees in the existing forest.
■ They can be created as root domains for a new forest.

Let's take a moment to discuss the preceding scenarios and to learn some basic rules about Active Directory. What are the components that make up our enterprise?
Active Directory is made up of the following main components:

■ Forest A logical grouping of trees; defines an organization.
■ Tree A logical grouping of domains.
■ Domain A security boundary and unit of replication for Active Directory.
■ Organizational units (and containers) Hold objects and provide logical separation for the domain.
■ Leaf objects Examples are users, machines, printers, and groups. Leaf objects do not contain other objects.

OUs and leaf objects, discussed earlier in this chapter, have nothing to do with trust relationships. In this section, we focus on forests, domains, and trees and how they fit together. Let's start small and work our way up from there.

Domains are the main security boundary for Active Directory. Account policies are applied at the domain level. Users log into a domain. They do not log in to a tree or a forest. Every domain has its own set of objects (users, groups, machines, and so on). Every domain also has its own administrators. Domains are installed into trees.

A tree is a grouping of domains that share a contiguous namespace. What does this mean? There is something in common about all the domain names in a tree. Each child domain shares the naming context of its parent. The first domain created in a tree is called the tree root. Trees are created inside the forest.

A forest is a collection of trees (and domains). All domains within a forest share a common schema, global catalog, and configuration. If you need to maintain two different schemas, you must have two separate forests. The first domain created in your forest is called the forest root. The entire forest is named after the forest root. Forestwide settings are set at the forest root domain only.

NOTE
Computers are not installed as domain controllers. You must promote them.
You can promote a computer by running the Active Directory Installation Wizard. You can start the wizard by running the command Dcpromo from the Run button or by using the Configure Your Server Wizard from Administrative Tools. When you run Dcpromo, it allows you to choose where you want to install your new domain controller. This is where you choose to create a new forest, a new domain, or a new tree. This is also where you can join an existing forest, domain, or tree.

Let's apply what we've learned to Figure 4.11. There are two trees: mycompany.com and yourcompany.com. Mycompany.com was created before yourcompany.com, which makes mycompany.com the forest root. Both trees have subdomains. There are four subdomains in all:

■ Sales.mycompany.com
■ Sales.yourcompany.com
■ Accounting.yourcompany.com
■ Payroll.accounting.yourcompany.com

Notice how each of the subdomains has the name of its parent. The payroll domain is a subdomain of a subdomain. It shares both its parents' names. All these domains and trees are said to be in the mycompany.com forest.

The Great Link: Kerberos Trusts between Domains

In NT networks, every domain was an island. In order for users in one domain to access resources in another, administrators of the two domains had to set up an explicit trust relationship. Moreover, these trusts were one-way; if the administrators wanted a reciprocal relationship, two separate trusts had to be created because these trusts were based on the NTLM security protocol, which does not include mutual authentication. Figure 4.12 gives an example of using NT 4.0 trusts to configure complete trusts (all domains trust each other) between six domains.
Figure 4.11 The Relationships of Domains within a Tree and Trees within a Forest (domains shown: mycompany.com, sales.mycompany.com, yourcompany.com, sales.yourcompany.com, accounting.yourcompany.com, payroll.accounting.yourcompany.com)

If you want to configure all six domains to trust each other, you must manually create 16 one-way trusts.

In Windows 2000 networks, that has been changed. With the Kerberos protocol, all trust relationships are two-way, and an implicit, automatic trust exists between every parent and child domain; it is not necessary for administrators to create these trusts. Finally, these trusts are transitive, which means that if the first domain trusts the second domain, and the second domain trusts the third domain, the first domain will trust the third domain, and so on. This transitive state comes about through the use of the Kerberos referral; as a result, every domain in a tree implicitly trusts every other domain in that tree.

All this would be cause enough for celebration for administrators who have struggled with the trust nightmares inherent in the previous NT way of doing things, but there is one final benefit. The root domains in a forest of domain trees also have an implicit two-way transitive trust relationship with each other. By traversing the trees, then, every domain in the forest trusts every other domain. As long as a user's account has the appropriate permissions, the user has access to resources anywhere on the network, without worrying about the domain in which those resources reside.
Figure 4.12 Trust Relationships in NT 4.0 (domains A, B, C, D, E, F)

For practical purposes, a user in the payroll.accounting.yourcompany.com domain who needs to access a file or printer in the sales.mycompany.com domain can do so (provided that the user's account has the appropriate permissions). The user's domain, payroll.accounting.yourcompany.com, trusts its parent, accounting.yourcompany.com, which in turn trusts its own parent, yourcompany.com. Since yourcompany.com is an internal root domain in the same forest as mycompany.com, those two domains have an implicit two-way transitive trust; thus mycompany.com trusts sales.mycompany.com—and the chain of Kerberos referrals has gone up one tree and down the other to demonstrate the path of the trust that exists between payroll.accounting.yourcompany.com and sales.mycompany.com. This referral process is described as walking the tree. In Windows 2000, we need only 5 trusts to accomplish the same thing that we needed 16 trusts for in Windows NT 4.0. The best part is that all the trusts are set up automatically in Windows 2000.

These Kerberos trusts apply only to Windows 2000 domains. If the network includes down-level (NT) domains, they must still use the old NTLM one-way, explicit trusts in order to share resources to or from the Windows 2000 domains.

NOTE
Despite the transitive trust relationships between domains in a Windows 2000 network, administrative authority is not transitive; the domain is still an administrative boundary.

Taking a Shortcut

Walking the tree requires many referrals, which is why shortcut trusts are useful.
Shortcut trusts are two-way transitive trusts that allow you to shorten the path in a complex forest. These trusts must be explicitly created by the administrators to create a direct trust relationship between Windows 2000 domains in the same forest. A shortcut trust is used to optimize performance and shorten the trust path that Windows 2000 security must take for authentication purposes. The most effective use of shortcut trusts is between two domain trees in a forest.

Shortcut trusts are one of the two types of explicit domain trusts that can be established in Windows 2000; the other is the external trust used to establish a trust relationship with domains that are not part of the forest. The external trust is one-way and nontransitive, as in NT 4.0 domain models. However, as with NT, two one-way trusts can be established if a two-way relationship is desired. Figure 4.13 demonstrates both shortcut trusts and external trusts.

To keep things simple, the domains in Figure 4.13 are named A, B, C, D, E, F, G, and NT 4.0. Let's review how each of the trust relationships will be used. Users within the forest (Domains A–G) can access resources (if permissions allow it) at any of the domains within the forest. Users in Domains F and G can share resources directly with each other without having to be referred up and down the tree. Lastly, users in the NT 4.0 domain can access resources in the G domain, but not vice versa.

Active Directory automatically creates the parent/child and tree root trusts for you. You must manually create all shortcut and external trusts. Trusts can be created from the command prompt using Netdom or from the GUI using Active Directory Domains and Trusts. Exercise 4.2 walks you through using Active Directory Domains and Trusts to create trusts.
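The referral walk described above, and the difference between transitive Kerberos trusts and the one-way, nontransitive external trust, can be made concrete with a small trust-graph model. The following Python script is an added example, not code from the book or from Microsoft: it builds the Figure 4.11 forest from the domain names (deriving parent/child trusts from the contiguous namespace) and an assumed layout of Figure 4.13 (tree A with children C and D, F under D; tree B with child E, G under E; the book's figure only labels the domains), then walks the tree from the domain holding the resource to the domain holding the user's account. Domain names, the `Forest` class and its method names are all constructed for this example.

```python
"""Added example (not from the book): model Windows 2000 trust paths.

trusts[X] lists (Y, kind) meaning "X trusts Y", i.e. accounts from Y can be
granted access to resources in X. Kerberos trusts are two-way and transitive;
an external (NT 4.0 style) trust is one-way and nontransitive.
"""
from collections import deque

PARENT_CHILD = "parent/child"   # automatic, two-way, transitive
TREE_ROOT = "tree root"         # automatic, two-way, transitive
SHORTCUT = "shortcut"           # explicit, two-way, transitive
EXTERNAL = "external"           # explicit, one-way, nontransitive
TRANSITIVE = {PARENT_CHILD, TREE_ROOT, SHORTCUT}


class Forest:
    def __init__(self):
        self.trusts = {}

    def _edge(self, trusting, trusted, kind):
        self.trusts.setdefault(trusting, []).append((trusted, kind))
        self.trusts.setdefault(trusted, [])

    def add_trust(self, trusting, trusted, kind):
        """Record that 'trusting' trusts 'trusted'; two-way unless external."""
        self._edge(trusting, trusted, kind)
        if kind != EXTERNAL:
            self._edge(trusted, trusting, kind)

    def add_domains(self, names):
        """Build trees from DNS-style names. A domain's parent is its name with
        the leftmost label removed; the first name is the forest root, and every
        other tree root gets an automatic tree-root trust to it."""
        forest_root = names[0]
        for name in names:
            parent = name.split(".", 1)[1] if "." in name else ""
            if parent in names:
                self.add_trust(name, parent, PARENT_CHILD)
            elif name != forest_root:
                self.add_trust(name, forest_root, TREE_ROOT)
            else:
                self.trusts.setdefault(name, [])

    def trust_count(self):
        """Number of trust relationships (a two-way trust counts once)."""
        directed = [k for edges in self.trusts.values() for _, k in edges]
        ext = directed.count(EXTERNAL)
        return ext + (len(directed) - ext) // 2

    def referral_path(self, resource_domain, account_domain):
        """Walk the tree: chain transitive trusts from the resource domain to
        the account domain (breadth-first, so the fewest referrals). An
        external trust is honoured only as a single direct hop."""
        if resource_domain == account_domain:
            return [resource_domain]
        for trusted, kind in self.trusts.get(resource_domain, []):
            if kind == EXTERNAL and trusted == account_domain:
                return [resource_domain, account_domain]
        prev = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            cur = queue.popleft()
            for nxt, kind in self.trusts.get(cur, []):
                if kind not in TRANSITIVE or nxt in prev:
                    continue
                prev[nxt] = cur
                if nxt == account_domain:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def can_access(self, resource_domain, account_domain):
        return self.referral_path(resource_domain, account_domain) is not None


def figure_4_11():
    f = Forest()
    f.add_domains(["mycompany.com", "sales.mycompany.com", "yourcompany.com",
                   "sales.yourcompany.com", "accounting.yourcompany.com",
                   "payroll.accounting.yourcompany.com"])
    return f


def figure_4_13():
    """Assumed layout (the book's figure gives only the domain labels)."""
    f = Forest()
    for child, parent in [("C", "A"), ("D", "A"), ("F", "D"), ("E", "B"), ("G", "E")]:
        f.add_trust(child, parent, PARENT_CHILD)
    f.add_trust("B", "A", TREE_ROOT)
    f.add_trust("G", "NT 4.0", EXTERNAL)   # NT 4.0 users reach G, not vice versa
    return f


if __name__ == "__main__":
    f = figure_4_11()
    print(" -> ".join(f.referral_path("sales.mycompany.com",
                                       "payroll.accounting.yourcompany.com")))
    print("trusts in the Figure 4.11 forest:", f.trust_count())
    g = figure_4_13()
    print("F user to G resource, hops before shortcut:", len(g.referral_path("G", "F")) - 1)
    g.add_trust("F", "G", SHORTCUT)
    print("hops after shortcut:", len(g.referral_path("G", "F")) - 1)
    print("NT 4.0 user -> G:", g.can_access("G", "NT 4.0"),
          "| G user -> NT 4.0:", g.can_access("NT 4.0", "G"),
          "| NT 4.0 user -> E:", g.can_access("E", "NT 4.0"))
```

Running it reproduces the chapter's reasoning: the Figure 4.11 forest contains five trusts, the referral chain from sales.mycompany.com climbs to mycompany.com, crosses the tree-root trust to yourcompany.com and descends to payroll.accounting.yourcompany.com, and in Figure 4.13 the F-to-G path drops from five referrals to one once the shortcut trust exists. The external trust lets NT 4.0 accounts into G only, and because it is nontransitive they get no path into E even though E and G trust each other.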
Table 4.1 explains the syntax for using Netdom to create trusts. The Netdom syntax is as follows:

    NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name
        [/UserD:user] [/PasswordD:[password | *]]
        [/UserO:user] [/PasswordO:[password | *]]
        [/Verify] [/RESEt] [/PasswordT:new_realm_trust_password]
        [/Add] [/REMove] [/Twoway] [/Kerberos]
        [/Transitive[:{yes | no}]] [/OneSide:{trusted | trusting}] [/Force]

Figure 4.13 Connecting to an External Domain (domains A, B, C, D, E, F, G, and NT 4.0; a shortcut trust and an external trust are shown)

Table 4.1 Netdom Syntax

Option        Description
/Domain       Specifies the name of the trusted domain.
/UserD        Account used to make the connection to the trusted domain.
/PasswordD    Password of the user account specified by /UserD.
/UserO        User account for making the connection to the trusting domain.
/PasswordO    Password of the user account specified by /UserO.
/Verify       Verifies the trust.
/RESEt        Resets the trust passwords.
/PasswordT    New trust password.
/Add          Specifies the trust to add.
/Remove       Specifies the trust to remove.
/Twoway       Specifies a bidirectional trust.
/OneSide      Indicates that the trust should be created on only one domain.

Exercise 4.2 Creating Trusts with Active Directory Domains and Trusts

1. Click Start.
2. Go to Programs | Administrative Tools | Active Directory Domains and Trusts.
3. Within Active Directory Domains and Trusts (shown in Figure 4.14), right-click your domain name and choose Properties. You will see the window shown in Figure 4.15.
4. There are two sections in the Trusts tab of your domain's properties. You add the trusted domains to the top section and the trusting domains to the bottom section. Click the Add button in the Trusted section. You'll see the window shown in Figure 4.16.
5. Type the name of the trusted domain and the trust password twice.
When you're finished, click OK to return to the Trusts tab, as shown in Figure 4.15.
6. Click the Add button in the Trusting section. You will see the window shown in Figure 4.17.

Figure 4.14 Active Directory Domains and Trusts

Figure 4.15 The Trusts Tab of the Domain Properties Window

7. Type the name of the trusting domain and the trust password twice. When you're finished, click OK to return to the Trusts tab.
8. Click OK on the Trusts tab to save your changes, and close the Trusts window.

Delegation of Administration

One of Active Directory's strongest points—and one of its most attractive points, to administrators in large, complex enterprise networks—is the ability it confers to delegate administrative authority all the way down to the lowest levels of the organization. It grants this ability by creating an OU tree, in which OUs can be nested inside one another and administrative responsibility for any part of the OU subtree can be assigned to specific groups or users, without giving them administrative control over any other part of the domain. This was not possible in NT networks, where administrative authority was assigned on only a domainwide basis.

You will still have an Administrator account and a Domain Administrators group with administrative authority over the entire domain, but you can reserve these accounts for occasional use by a limited number of highly trusted administrators.

Figure 4.16 The Add Trusted Domain Window

Figure 4.17 The Add Trusting Domain Window
NOTE
Because logging on routinely with an Administrator account can pose a security risk, even trusted administrative personnel should normally use a nonadministrative account for daily business. Windows 2000 provides the secondary logon service, which allows you to use the run as command to run programs that require administrative privileges while you are logged on to a nonadministrative account. To use the run as command within the GUI, hold down the Shift key and right-click the application that you want to run with different credentials. From the popup box, click Run as. Enter the username, domain, and password of the account whose credentials you want to use. You can also use run as from the command prompt. Type runas /? at the command line to view the correct syntax.

The delegation of administration responsibilities can be defined in three ways:

■ Permissions can be delegated to change properties on a particular OU.
■ Permissions can be delegated to create and delete child objects of a specific type beneath an OU.
■ Permissions can be delegated to update specific properties on child objects of a specific type beneath an OU.

You can delegate administrative control to any level of a domain tree by creating OUs within the domain and delegating administrative control for specific organizational units to particular users or groups. This practice lets you define the most appropriate administrative scope for a particular person, whether that scope includes an entire domain, all the OUs within a domain, or just a single OU. Microsoft has made it easy for you to use this newfound power to delegate by providing a Delegation of Control Wizard that walks you through the steps in the process (see Figure 4.18).
To access the wizard, open Active Directory Users and Computers, double-click the domain node in the console tree, right-click the container or organizational unit for which you want to delegate administrative authority, and select Delegate control. These steps will start the wizard.

[...] one object at a time by selecting multiple objects; to do so, hold down the Control key while you make your selections [...]

Figure 4.23 Moving an Active Directory Object

[...] What happens to the permissions that have been set on those objects (or that were inherited from [...]

[...] services, such as Microsoft Network (MSN) [...]

NOTE
The Security Support Provider Interface defines the security APIs for network authentication. It is the architectural layer of Windows 2000 that provides a generic Win32 system API, so that security providers can use various [...]

[...] from other organizations to access your domain's resources without the need for you to create domain accounts for them in Windows 2000.

Microsoft Certificate Server

The Microsoft Certificate Server (MCS) included with Windows 2000 Server is an upgraded version of the Certificate Server software included in the NT 4.0 Option Pack with IIS 4.0. It includes enhanced capabilities such as a customizable policy [...]

[...] protocols, the Microsoft Certificate Server, and the CryptoAPI components for certificate management and administration.

[...] Microsoft's Web browser software, Internet Explorer (MSIE), and Internet Information Server (IIS), its Web server software, use many of these [...]
[...] relatively low overhead, which helps explain why Microsoft made it Windows 2000's primary security protocol.

NOTE
Kerberos works only between Windows 2000 clients and servers, so if you have a mixed-mode environment, NTLM is used to interact with NT systems.

Private and Public [...]

[...] Windows 2000, unlike NT, supports a multiplicity of security protocols. These include Microsoft's proprietary NTLM for backward compatibility as well as industry-standard specifications such as the popular Kerberos protocol and Public Key Infrastructure with X.509v3 certificates. Microsoft has provided many security-related services and components with Windows 2000 Server, such as Microsoft Certificate Server [...]

[...] applied. The Incremental template types are Compatible (workstations or servers), Secure (workstations, servers, domain controllers), Highly Secure (workstations, servers, domain controllers), Optional Components (workstations, servers), and No Terminal SID. Two templates function as logs. The Initial Domain Controller Configuration and Initial Server or Workstation Configuration templates contain the settings [...]

[...] pair. Windows 2000 uses a certificate authority to store the public and private keys. Digital certificates are used to verify that the public key really belongs to the user to whom it is supposed to belong. The certificate is issued by a trusted third party—in this case, Microsoft Certificate Services running on the Windows 2000 server—and guarantees that the public key you are using is valid. Windows 2000's PKI [...]
[...] object along with permissions defined for all parent objects in the directory. This structure gives you the ability to change access control on parts of the directory tree by making changes to a specific container that will then automatically affect all subcontainers [...]

Figure 4.24 Windows 2000 Setting Up Secure Communication with Multiple Vendors via SSO (systems shown: UNIX, Macintosh, Windows 3.x, Windows 95, Windows 98, Windows NT, Novell, Mainframe (AS/400), SSL Web Clients, SNA, Lan Manager, Other; protocols shown: NTLM, Kerberos)

Internet Security for Windows 2000

Microsoft's Windows 2000 Internet security infrastructure is based on industry standards for public key security. This [...]

[...] Viewing Explicit Permissions

Figure 4.23 Moving an Active Directory Object

[...] Inherited Permissions

The Effect of Moving Objects on Security

It is easy [...]

[...] Windows 2000 domain controllers and uses Active Directory for secure storage.