Secure System Administration - SANS GIAC © 2000, 2001

Windows 2000

As we begin to focus on Windows 2000 for the rest of this section, the three primary differences from Windows NT are: Active Directory, Group Policy, and templates. We will first introduce the Active Directory.

Years ago, a standards organization called the CCITT (now the International Telecommunication Union, or ITU) created a recommendation for a world-wide directory service that was ratified by the International Organization for Standards (ISO). Please visit www.ISO.ch for further information. The standard was known as X.500. The ISO looked like it would supplant the TCP/IP protocol suite with its own Open Systems Interconnect (OSI) based model, but bad standards and engineering caused that effort to crash. The Internet’s reigning standards body is called the Internet Engineering Task Force (IETF), and it is well worth your time to visit the www.ietf.org and www.normos.org web sites. The IETF produced an alternate directory service to X.500 called LDAP.

CREDIT: If you are taking this for academic credit, develop a two-page paper on the Lightweight Directory Access Protocol (LDAP), its history and its workings.

Active Directory

• DNS Domain: collection of related hosts; the database is called a zone table (“sans.org”)
• NT 4.0 Domain: hosts that share an authentication database, the SAM and Security hives in the Registry
• Windows 2000 domain: collection of hosts with both a common DNS domain and a common security trust model. The database is the Active Directory

LDAP is of course the basis for Active Directory. Computers have been linked before, through NFS or NetBIOS shares. These file structures have been primitive and localized. LDAP or Active Directory scales to global proportions.
Recall that you learned in “Information Security: The Big Picture” that DNS uses a large number of DNS servers, each authoritative for its own autonomous domain. This is exactly what Active Directory does. The data objects are stored as records in the Directory Database, NTDS.DIT. Almost everything is referred to in this system by its Common Name (cn), such as cn=Northcutt. Other designators include Domain Components (dc); these tie Active Directory to DNS. The LDAP name for an Active Directory domain for sans.org would be: dc=sans, dc=org. One last designator is the Organizational Unit (OU). Since GIAC is a division in SANS, you might have dc=sans, ou=giac. Printers, computers, files, policies, groups and users are all stored in the Active Directory. Every entry in the database belongs to and is affected by policies set at the Common Name, Domain Component and Organizational Unit levels, but since the Organizational Unit (OU) is applied last, it is the most powerful place to implement policy.

Win 2000 Users and Groups

• Administrator
• Power Users
• Users
• Backup Operators
• Special Groups

Local Users and Groups are not available on domain controllers. Use Active Directory Users and Computers to manage global users and groups. In Windows 2000, you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders, or shutting down a computer. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner. When you create new user accounts and assign them to groups, there are important security issues, since the groups have different rights and permissions.
To create a new user you can use NET USER:

NET USER snorthc * /add /fullname:"Stephen Northcutt"

Now, what is wrong with this picture? We really should be adding snorthc to one of those OUs (organizational units) we discussed earlier, or we will have a mess of a directory and no hope of managing it past 25 or so users. In Windows 2000, just like with every operating system, there is more than one way to do almost anything. However, if you want to be able to manage the system over the long run, use the Windows Management Consoles for system administration tasks. This applies to security as well: if there is no security policy for the rights and permissions we give users, directories and files, it makes it really hard to find problems.

Users and Power Users

To secure a Windows 2000 system, an administrator should:
• Make sure that end users are members of the Users group only.
• Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully.

Users cannot modify system-wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators. This is actually called a restricted user by the system. Users have full control over all of their own data files and their own portion of the registry (HKEY_CURRENT_USER).

Power Users - The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.
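As an added example (not the course's own command), here is the same account creation done so that the user lands in an OU rather than the default Users container, using ADSI from PowerShell. It assumes the OU OU=giac,DC=sans,DC=org already exists and that the caller is allowed to create users there; PowerShell postdates Windows 2000, so this is a present-day way of doing what the slide asks, not something from the slide.

```powershell
# Added example, not part of the course material: create the account inside an OU so it
# is governed by that OU's Group Policy, instead of NET USER, which lands it in the
# default Users container. Assumes the OU exists and the caller may create users in it.
# Names (snorthc, OU=giac, sans.org) follow the slides.
function New-UserInOu {
    param(
        [Parameter(Mandatory=$true)] [string] $SamAccountName,   # logon name, e.g. snorthc
        [Parameter(Mandatory=$true)] [string] $FullName,         # becomes the cn, e.g. "Stephen Northcutt"
        [Parameter(Mandatory=$true)] [string] $OuPath,           # e.g. "OU=giac,DC=sans,DC=org"
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $Password
    )
    # Fail early if the container is missing; a typo here must not create the user elsewhere
    if (-not [ADSI]::Exists("LDAP://$OuPath")) { throw "OU not found: $OuPath" }

    # Derive the UPN suffix (sans.org) from the DC= components of the OU path
    $dnsDomain = (($OuPath -split ',') | Where-Object { $_ -match '^DC=' } |
                  ForEach-Object { $_ -replace '^DC=' }) -join '.'

    $ou   = [ADSI]"LDAP://$OuPath"
    $user = $ou.Create('user', "CN=$FullName")
    $user.Put('sAMAccountName',    $SamAccountName)
    $user.Put('displayName',       $FullName)
    $user.Put('userPrincipalName', "$SamAccountName@$dnsDomain")
    $user.SetInfo()                                   # object must exist before a password can be set

    $plain = (New-Object System.Management.Automation.PSCredential -ArgumentList 'x', $Password).GetNetworkCredential().Password
    $user.SetPassword($plain)
    $user.Put('pwdLastSet', 0)                        # force a password change at first logon
    $user.psbase.InvokeSet('AccountDisabled', $false) # ADSI creates new users disabled
    $user.SetInfo()
    return [string]$user.distinguishedName            # e.g. CN=Stephen Northcutt,OU=giac,DC=sans,DC=org
}

# Equivalent of NET USER snorthc * /add /fullname:"Stephen Northcutt", but placed in the OU
$pw = Read-Host -AsSecureString -Prompt 'Initial password for snorthc'
New-UserInOu -SamAccountName snorthc -FullName 'Stephen Northcutt' -OuPath 'OU=giac,DC=sans,DC=org' -Password $pw
```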
According to all the Windows documentation I have seen, Power Users can install or modify programs. In practice this does not appear to be so true; several installation wizards require the user to be Administrator. This is unfortunate, since the whole point of Power Users was to have a privileged user class that did not operate at the Administrator level.

Backup Operators

NTBackup is vastly improved over Windows 98 and Windows NT and is worth a close look. Start → Programs → Accessories → NTBackup. (Editor’s note: The NTBackup program is located at Start → Programs → Accessories → System Tools → Backup. It can also be accessed via Start → Run → ntbackup.exe. – JEK)

The non-Administrator group that can back up and restore all files is the group Backup Operators. This group is the same as in NT 4.0. Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings. Backing up and restoring data files and system files requires permissions to read and write those files. The same default permissions granted to Backup Operators that allow them to back up and restore files also make it possible for them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan Horse programs. Group Policy settings SHOULD be used to create an environment in which Backup Operators can only run a backup program.

(Editor’s note: Backup Operators are able to back up and restore files through two explicit Windows permissions: “Back up files and directories” and “Restore files and directories”. The Backup Operators group (and the Administrators group) has both of these permissions by default.
For security purposes, you may wish to remove the “Restore files and directories” permission from the Backup Operators group, and create a separate Restore Operators group that has only the “Restore” permission. – JEK)

Several additional groups are automatically created by Windows 2000.
• Interactive. This group contains any user that is logged on locally to the computer. During an upgrade to Windows 2000, members of the Interactive group will also be added to the Power Users group, so that legacy applications will continue to function as they did before the upgrade. (At least that was the plan; in our testing, the Power Users group doesn’t seem to be much different from a “normal” User.)
• Network. This group contains all users who are currently accessing the system over the network.
• Terminal Server User. When Terminal Servers are installed in application serving mode, this group contains any users who are currently logged on to the system using Terminal Server. Any program that a user can run in Windows NT 4.0 will run for a Terminal Server User in Windows 2000. The default permissions assigned to the group were chosen to enable a Terminal Server User to run most legacy programs.
• Replicator. Members of this group are able to replicate folders across networked systems.

These default groups give us some management control already, but we can extend this with Group Policy. Groups are a powerful concept for security. On this slide we show a special group that I have created so that snorthc (Stephen) and knorthc (Kathy) can set our laptops up to replicate the My Documents folder we use on our laptops to each other’s laptop every time the systems are connected. I can even do this when I am on travel and connected to a hotel’s LAN or a terminal room. Kathy can see my replicated files on her computer. For this to work we are both members of the Replicator group.
If I give someone else a login on my computer, they are not a member of the group and cannot see the replicated folders.

Group Policy

• Local Policies: %systemroot%\System32\GroupPolicy
• Active Directory Policies: %systemroot%\Sysvol\Sysvol\YourDomainName
• Container Classes:
  – Domain-DNS
  – Site
  – Container
  – Organizational Unit (OU)

Group Policies are stored in a container. The container classes are shown on the slide. The Active Directory is an object-oriented database: some of its objects contain other objects and some don’t. Container objects can hold other objects, as can some directory objects; file objects do not. Each of the classes on the slide has restrictions that keep it from being useful to structure directories. For instance, there can be only one Domain-DNS instance in any given domain, which makes sense (sans.org != xyz.int), but it means you can’t use that as an organizational tool. The OU is ideal for use as a general-purpose container for directory structure. The OU, Domain, and Site containers can be linked to Group Policy, and then all user and computer objects under that container inherit the policy. Policy is applied first to Sites, then Domains and finally to OUs.

[Editor’s note: you may see a reference to \\winnt\System32\GroupPolicy in Windows documentation. The reference on your slide is better practice; not everyone uses \winnt as the install directory. Additionally, you should *never* have Active Directory on the same partition as the system drive (C:). One important reason is that the system drive has IIS installed, whether you want it to be or not. IIS has about as much security integrity as a screen door on a submarine. You don't want Active Directory, the "central nervous system" of W2K, anywhere near IIS.
System stuff should go on C:, Active Directory stuff should go on D:, and everything else should go on E:.]

Start → Run → GPEDIT.MSC will launch the Group Policy Editor console. Templates are the recommended way to implement security for Windows 2000. Each policy has a name and can be configured or not. [Editor’s note: Templates are by default stored in %systemroot%\security\templates, and they are usually invoked via the secedit command.]

For instance, have you ever really taken a look at the security settings for Internet Explorer? It matters! There have been a number of serious security problems with Internet Explorer. You can limit your risk on your copy of Internet Explorer by Tools → Internet Options → Advanced, and move down to the Security section. For instance, SSL v2 is vulnerable to man-in-the-middle cryptographic attacks. You could choose to uncheck it and find out which web servers haven’t bothered to upgrade. If you do a significant amount of purchasing over the Internet, that might be a recommended thing to do. But that only changes your personal setting.

It is possible to configure all users’ settings with Group Policy. For instance, suppose you have a proxy firewall for outbound World Wide Web access (a proxy is a security measure to keep users from directly connecting with web servers, since some of these are hostile). If the proxy port is 8000, you could either set every browser individually or you could run the Group Policy Editor (GPEDIT.MSC → Internet Explorer Maintenance → Connections → Proxy) and configure all users to use the proxy port.

One last word about browsers: almost everything is done through browsers or consoles. The command line is essentially obsolete. It looks like Microsoft tried to get to a single browser for both Internet and system and didn’t quite make it.
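The editor's suggestion on the Backup Operators slide (take “Restore files and directories” away from Backup Operators and give it to a separate Restore Operators group) is exactly the kind of change the templates and secedit mechanism described above is for. The following is an added example, not the course's or editor's own material; it assumes a stand-alone or member server where the local group Restore Operators is created on the spot, and uses the well-known built-in SIDs S-1-5-32-544 (Administrators) and S-1-5-32-551 (Backup Operators). On a domain you would create the group in Active Directory Users and Computers and deliver the template through Group Policy instead.

```powershell
# Added example, not from the course: a security template that leaves Backup Operators with
# only "Back up files and directories" (SeBackupPrivilege) and gives "Restore files and
# directories" (SeRestorePrivilege) to Administrators plus a new Restore Operators group.
# Assumes a stand-alone or member server; run from an elevated prompt.
# *S-1-5-32-544 = Administrators, *S-1-5-32-551 = Backup Operators (well-known built-in SIDs).
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,Restore Operators
'@

$inf = Join-Path $env:SystemRoot 'security\templates\split-restore.inf'
$db  = Join-Path $env:SystemRoot 'security\Database\split-restore.sdb'
$log = Join-Path $env:TEMP 'split-restore.log'

# The group named in the template must resolve when secedit applies it
if (-not [ADSI]::Exists("WinNT://$env:COMPUTERNAME/Restore Operators,group")) {
    net localgroup "Restore Operators" /add /comment:"Restore files and directories only"
}

# secedit expects Unicode templates (the [Unicode] header says so)
Set-Content -Path $inf -Value $template -Encoding Unicode

# Dry run: compare the current user-rights assignments with the template, change nothing
secedit /analyze /db $db /cfg $inf /log $log /quiet

# Apply only the USER_RIGHTS area, so nothing else in the database is touched
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS /overwrite /log $log /quiet

# Verify: export the effective assignments and show the two privileges
$check = Join-Path $env:TEMP 'effective-rights.inf'
secedit /export /cfg $check /areas USER_RIGHTS /quiet
Get-Content $check | Select-String 'SeBackupPrivilege|SeRestorePrivilege'
```

The analyze step writes its comparison to the log, so review it before the configure step; the export at the end is the evidence that Backup Operators no longer hold SeRestorePrivilege.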
A key point from a security point of view is that Internet surfing as a privileged user is really dangerous and should be avoided. The one exception is updating your computer. Windows 2000 and Windows ME rely on the browser-based Update facility to “patch” the operating system. So far, I am having to run update at least monthly to keep up with the security fixes. Since your browser is the primary way you interface with your Win2K computer’s operating system and the primary way you interface with other computers, it really makes sense to take the time to look at your security settings. We introduced the risk of SSL 2.0 in the previous slide; here is something else to be aware of. A great way to snag financial data or even web-based server administration pages is to view the cached versions of encrypted pages (pages sent or received using SSL). It is a good idea to disable the saving of encrypted pages within Internet Explorer. Click Tools → Internet Options and click on the Advanced tab. Check the box marked “Do Not Save Encrypted Pages to Disk.”

This slide shows the update screen. The two places to check are Critical Updates and Recommended Updates. If you are running Microsoft Office products you will need to check for updates there as well; there are a number of security problems that must be patched.

[...]

Course Revision History
v1.5 – S Northcutt – 25 Jun 2000
v1.6 – edited by C Wendt – Jul 2000
v1.7 – edited by J Kolde – 27 Jul 2000
v1.8 – adjusted by S Northcutt – 28 Jul 2000
v1.9 – rewrite/retape by S Northcutt – 8 Oct 2000
v2.0 – reconciled with audio and format grayscale for b/w printing by J Kolde – 23 Nov 2000
v2.1 – edit S Northcutt – 28 Dec 2000
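Returning to the Internet Explorer settings from the last two slides (SSL 2.0, the outbound proxy on port 8000, and “Do Not Save Encrypted Pages to Disk”), the check below is an added example, not from the course, that reads the current user's Internet Settings registry key and reports which of the three is not in place. The value names (SecureProtocols, DisableCachingOfSSLPages, ProxyEnable, ProxyServer) are the real Internet Explorer names; port 8000 is the slide's scenario.

```powershell
# Added example, not from the course: report whether the per-user Internet Explorer settings
# the slides ask for are in place. Value names are the real IE registry names under
# Internet Settings; the proxy port 8000 is the scenario from the slide.
function Test-IeBrowserHardening {
    param(
        [string] $Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        [int]    $ExpectedProxyPort = 8000
    )
    $s = Get-ItemProperty -Path $Key -ErrorAction Stop
    $findings = @()

    # SecureProtocols is a bit mask: 0x08 = SSL 2.0, 0x20 = SSL 3.0, 0x80 = TLS 1.0
    if ($null -eq $s.SecureProtocols) {
        $findings += 'SecureProtocols not set; the browser default applies, check the Advanced tab by hand'
    } elseif ($s.SecureProtocols -band 0x08) {
        $findings += 'SSL 2.0 is still enabled (SecureProtocols has bit 0x08 set)'
    }

    # "Do Not Save Encrypted Pages to Disk" is stored as DisableCachingOfSSLPages = 1
    if ($s.DisableCachingOfSSLPages -ne 1) {
        $findings += 'Encrypted (SSL) pages are still cached to disk'
    }

    # Proxy: ProxyEnable = 1 and ProxyServer like "proxy:8000" or "http=proxy:8000;https=proxy:8000"
    if ($s.ProxyEnable -ne 1) {
        $findings += 'Proxy is not enabled; the browser connects to web servers directly'
    } elseif ($s.ProxyServer -notmatch ":$ExpectedProxyPort(;|$)") {
        $findings += "ProxyServer '$($s.ProxyServer)' does not use port $ExpectedProxyPort"
    }

    [pscustomobject]@{
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-IeBrowserHardening | Format-List
```

Because Group Policy's Internet Explorer Maintenance writes into the same per-user key, running this under a test account after a policy refresh shows whether the policy actually reached the desktop.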
... Windows 2000 system. For logs to exist at all, the system must enable logging. Some auditing is turned on as a default (or at least it has been on all the systems I have looked at), but Control Panel → Administrative Tools → Local Security Policy (or a template in the Active Directory) allows you to do additional auditing. I would certainly activate logon events. (Editor’s note: Windows NT and Windows 2000 ...

... network and named the computer. Spending some time with your Event Viewer is highly recommended for Windows 2000.

Component Services

• Application Types
  – COM
  – COM+
• Security Considerations
  – Distributed Transactions
  – Application Roles
  – Application Identity

A COM application example is Microsoft Excel, which consists of a primary executable ...

... system security but can decrease performance. [Slide by James Manion MWC]

What Are System Files?

In previous versions of Windows, applications often overwrote shared .dll files and .exe system files. (If you’ve worked with any version of Windows, you're probably very familiar with the term "DLL hell.") When installation programs mess with .dll, .exe, ...

... with Windows File System. Windows File System runs in the background and ensures that Win2K setup programs don't delete any important system files. By default, Win2K enables Windows File Protection. When a program attempts to delete or move a protected system file, Windows File Protection checks the digital signature of the file to ensure that it's a correct version. If it is not the correct version, Windows ...

... gives you a couple of switches that let you manipulate the Windows File Protection cache. sfc /purgecache purges the file cache and scans all system files immediately. sfc /cachesize configures the size of the Windows File Protection cache; for example, to restrict the cache size to 2MB, type sfc /cachesize=2048. Finally, to return to the default Windows File Protection operation, type sfc /enable. In this ...

... to enable this option before you exit the command prompt window.

Another tool available from Control Panel → Administrative Tools is the Local Security Settings console. If you are not part of a network and a domain, such as my Windows 2000 laptop that spends about half the time connected to the home network and half the time on the road, this ...

... allows you to link tables and locate database drivers. However, I find I can get along without it just fine!

Most system tools are the same as in Windows NT. One change you’ll want to make in Windows 2000 is to disable unwanted services. So right-click My Computer and select Manage. From the Computer Management Console, go to Services and Applications ...

And that is the end of our tour of Windows 2000. If you have not had a chance to begin working with this operating system, be sure and volunteer when your organization is looking for people to shake it down. It is not perfect by any means – it can make my 700Mhz speed step Pentium III look like a 386 sometimes – but it is more stable than any Windows NT configuration ...

... use Windows 2000 in a heartbeat if I chose Windows at all. Right now, I am part of a huge team, over 70 people, trying to evaluate the template settings; it will be a while before the jury is in, but all in all, this is a well written, fairly securable operating system. Give it a go.