3 - 1 Windows 2000 Security - SANS ©2001 1
Windows 2000 Security
Security Essentials
The SANS Institute

This section will build on the basic NT security knowledge you have already gained. However, you will find that every NT security function is magnified in Windows 2000, and Windows 2000 has ten times the security features available in Windows NT. If NT were a row boat, Windows 2000 is the QE2. If NT were a cottage, then Windows 2000 is a 56-room mansion. Active Directory, security templates, Group Policy, System File Protection, Radius, IPSec, EFS, PKI, Kerberos, a new permission inheritance model, and granular assignment of administrative authority are but a few of the technologies and processes that you must understand if you are to design and implement security in Windows 2000. This section will introduce you to the possibilities.

3 - 2 Your Goals
• Understand Security Baselining
• Describe Security features – all versions/roles
• Describe Security features – Active Directory domain
• List 10 hardening steps

Goals and Objectives
We cannot talk about security and Windows 2000 without recognizing that there is more than one version of Windows 2000, and that there are many functional roles Windows 2000 may perform within a network or standing alone. Windows 2000 may be on a laptop computer as it travels from hotel to hotel to home to office. It may be on massive database servers, or limited desktop systems. Windows 2000 may serve as the OS for mail servers, web servers, file servers, firewalls and many other roles. When you discuss security and Windows 2000, you must discuss it within the context of its use. How secure is Windows 2000? How secure do you need it to be? How much knowledge do you have of its features and functions? Where will it be asked to perform? Who will be using it? All of these questions must be asked and understood.
In this section, we will discuss the need for security baselining, or the matching of security needs with system functions, and the specification of basic security requirements for different computer roles within a network. Next, we will examine the security features available in Windows 2000, first discussing those that are available for all systems, and then looking at the additional features available within a Windows 2000 Active Directory domain. Finally, 10 hardening steps, steps that should be taken during or immediately after Windows 2000 installation, will be presented. Please note that a thorough discussion of Windows 2000 security, and the ability to configure and use these features to your benefit, require more study than this introduction can provide. Your goal should be to become comfortable with the features available, so that you can evaluate them more thoroughly against the background of your organization’s or your personal requirements.

3 - 3 Security Baselining
• Define the role
• Understand the platform
• Document the Desired Security Policy
• Deploy

Security Baselining
In order to examine the concept of security baselining, we will pick three common computer roles: Desktop, File Server, and Domain Controller. What version of Windows 2000 will each require? What is the security model for each? Who will be the users on these systems? Where? How? For what? As we answer the questions about these roles, we can examine Windows 2000 to determine how it can fulfill them. Once computer use and desired security policy are determined, your job is to seek out the most relevant, efficient, and easily maintainable way to accomplish these goals. Several native Windows 2000 tools that provide automated means to do so will be introduced. But first let’s define the Windows 2000 family.
3 - 4 Win 2K OS Versions
• Professional
• Server
• Advanced Server
• Datacenter Server

OS Versions
Windows 2000 Professional is the desktop version of the operating system. Windows NT Workstation and Windows 95 and 98 can be upgraded to Professional. Professional can be a member of a Windows NT 4.0 or Windows 2000 domain, or operate in a workgroup or without networking at all. Security is managed by local security settings. If a W2K Professional system is a member of a Windows 2000 domain, local security settings are overridden by those set at the domain level.

Windows 2000 Server and Advanced Server are similar in feature and function. They are meant to serve as domain controller, file server, database server, mail server, application server, web server, and the like. Unlike Windows NT, Windows 2000 servers may be promoted to domain controllers from member server status, and even demoted back to member server. Advanced Server allows more flexibility in the number of processors and offers Quality of Service drivers, the ability to do network load balancing, and the ability to perform as part of a cluster. Windows NT Server (3.51 and 4.0) may be upgraded to Windows 2000 Server.

Datacenter Server is meant to be the host for massive databases or for other powerful applications. This OS version is not sold independently of its hardware platform. Datacenter Server can have up to 32 processors.

                            Professional                 Server                      Advanced Server
Minimum RAM                 64 MB                        128 MB                      128 MB
Maximum RAM                 4 GB                         4 GB                        (not listed)
Minimum Processor           133 MHz Pentium-compatible (all versions)
Hard Drive Space Required   2 GB / 650 MB free           2 GB / 1.0 GB free          (not listed)
Processors                  1 or 2                       1 to 4                      1 to 8
NLB                         no                           no                          yes
Cluster?                    no                           no                          yes

3 - 5 Baseline - Desktop
• Windows 2000 Professional
– Separate accounts for each user
– No local accounts, except defaults, if part of a domain
– Strong local account policy
– Local audit settings

What else would your organization specify?
Once a specific computer role is defined, the first step is to choose a platform. Let’s start with an example where the computer will be used as a desktop system. It makes sense to assign Windows 2000 Professional. Although one could run word processing and other applications on a Windows 2000 Server, it would not make good economic or efficiency sense. Servers are optimized for background applications such as those accessed across the network by multiple users. Applications in the foreground, such as word processing, receive less attention, and productivity could suffer as a result. What security requirements does this system have? Well, that depends on the network (or lack of network) within which it resides. We can begin with a list of well-known best practices, or abstract them from organizational policy.

3 - 6 Baseline File Server
• Windows 2000 Server or Advanced Server
– No local accounts except defaults
– Strong local account policy
– Domain member
– Local audit settings
– Limited physical access

What else would your organization specify?

We also have choices here. While Windows 2000 Professional can share files, unless we have an awfully small network, it will be an entirely inefficient choice. Professional is optimized for one-on-one use. Foreground processes, such as productivity applications (word processing, spreadsheet, and personal database), are given priority. There are limited resources available for network access. Windows 2000 Server or Advanced Server will be better choices. Unless there is also a need for load balancing, or more than 4 processors are required to manage the load, Server will probably be fine. Notice the similar requirements for security. Keep that thought in mind for the next section. In addition to similar needs, a file server requires additional precautions. Good physical security is required.
In most environments this means location = server room, access = legitimate needs met via a supervised visit, and then only direct console access by a qualified and designated administrator.

3 - 7 Baseline – Domain Controller
• Domain Controller
– There are no PDC/BDC roles in W2K
– Physical security
– Special points to secure
– Special security capabilities
– Security policy for domain members, not just a single system

A domain controller (DC) requires special security handling. The DC is the seat of your user account database and the center for security policy controls. If an attacker can penetrate the security of your DC, he can wreak havoc on the entire domain, not just a single machine. The special role at the seat of security policy allows centralized control for many computers and users. Careful baselining of security for an entire logical group of computers and users is required. Security policies set at the domain will override those set on a local machine. Baselining for a DC leads to the incorporation of baselines for many computer and user roles.

In order to plan appropriately, consider the domain in Windows 2000 as the security boundary. That is, access by one domain’s users to another domain’s resources is non-existent (with one exception) until granted by domain administrators. This does not mean that every domain stands alone, rather that for those linked to other domains via trust relationships, several security features must be set only at the domain level. An example of this is the password policy, which details, among other things, how long a password must be and how frequently it must be changed. If different areas of your organization require a different password policy, they must maintain separate domains. Within the domain, however, there is a vast assortment of possibilities for granular administration. Different types of users and computers can be placed within containers in the Active Directory.
Administrative authority to manage these collections of accounts can be delegated. In addition, many security features (such as PKI, EFS, Radius, et al.) are extended or only possible within a domain setting. Security policy to cover these new requirements should be specified. Before implementing DCs, desktops, file servers, and other W2K systems, you must establish the security baseline for each. The tools used to implement, maintain, and audit these baselines are part of the OS.

3 - 8 Common Security Features/Tools
• MMC
• Users and Groups
• NTFS File System
• System File Checker
• Windows Update Service
• Local Security Policy
• Security Configuration and Analysis
• IPSec
• VPN

All Windows 2000 computers have many security features in common. Security features can be divided between those available to all Windows 2000 computers no matter their role, and those that are extended or only available within an Active Directory domain. The common features listed in the slide are available on all W2K platforms. However, the nature of each feature and the ability to use it, or to use it to control other systems, depends on the platform and on whether the system is in a workgroup or a domain. A VPN tunnel server may only be established on a W2K server, for example, while a W2K Professional system can be a VPN client. Examples of these differences in a domain vs. a workgroup setting are the new groups available, the integration of DNS and PKI available, and the domain-wide management of security policies, IPSec, and Remote Access.

3 - 9 Microsoft Management Console
• Flexible
• Multi-purpose
• Several pre-built Administrative Tools or pre-loaded MMCs

Administration of Windows NT is often complicated by the large number of Administrative Tools, each of which has its own interface. Management of security features has to be carried out by using many of these tools.
One of the Windows 2000 design goals was to reduce the number of tools necessary and to create a common interface which worked across all tools. The Microsoft Management Console (MMC) is the result. This tool is merely a shell within which many components or ‘snap-ins’ can be loaded to build customized administration tools. A few pre-built, customized MMCs are listed and available from the Administrative Tools section of Programs from the Start button or from the Control Panel. Additional tools are built by administrators by adding various administrative ‘snap-ins’ to one or many MMCs. Frequently, special tools are built for delegated responsibilities. In this case, a normal user account is given specific administrative authority and a special tool, which can only be used for that duty, is built for the user.

3 - 10 The Computer Management Console
Click Control Panel → Administrative Tools → Computer Management for a great example of one of the consoles that can be used to manage a Windows 2000 system. This is a great way to learn how your system is set up, and we strongly encourage you to spend some time poking around (on a test system, of course!). When you use Computer Management as a Power User, not all of the options are shown, but you limit the harm you can cause to your operating system, and this might be the best way to start. For instance, under System Information, hardware resources, components, drivers, environment variables, startup programs, etc. are displayed. In addition, you can see your installed software by opening the Applications container. Of course this may not be perfect. If you have installed a number of applications, you may find that only Microsoft products show in the Applications container. A better place to really spend some time learning about the system is the Software Environment view.
From there, if you select Loaded Modules, you will see that it really was worth your money to invest in the RAM upgrade to run your Windows 2000 system.

The Event Viewer is used to examine system logs. Application and System logs record events and may be used to troubleshoot system problems. These event logs are not called audit logs. Auditing, the recording of security-related events, is not turned on by default. After auditing is turned on (using Local Security Policy or Group Policy, as well as appropriate file and registry key selections), auditing information is recorded in the Security Log. On the slide above, the Event Viewer\Application log is open. Information, Error, and Warning messages are exposed. Although it is not shown, this particular event is a message which explains changes made to the CRM log file and indicates that if the computer name was recently changed, this is an expected event. Since this system’s name was recently changed, the warning can be ignored. If the name had not recently been changed, this warning would need to be investigated further. The error messages in this case were also expected. Spend time with the Event Viewer to understand normal and abnormal events.

[...]

3 - 19 Windows Update
Other tools are available in the Support Tools folder on the Windows 2000 Server CD-ROM, in the Windows 2000 Resource Kit, and online. Two important online sites are Windows Update and Windows 2000 Security (www.microsoft.com\technet\security). The Windows Update site, seen here, provides information on Critical and Recommended updates for Windows. [...]
[...] exit the command prompt window.

3 - 17 Local Security Policy
The Administrative Tools\Local Security Policy console can be used to configure security settings for a single Windows 2000 system. This is an especially important tool for users of standalone W2K Professional systems. If Windows 2000 Professional is a domain member, local security settings will be overwritten [...] these security features, but for now you should remember where to look for the security policy that is effective on a local machine, and where you might be able to manage these settings.

3 - 18 Security Configuration and Analysis
A marvelous new tool available with Windows 2000 is the Security Configuration and Analysis and Security Templates snap-ins to the MMC. Security [...]

[...] portion of the registry (HKEY_CURRENT_USER). Windows 2000 Users have fewer rights and permissions than Users in Windows NT. Power Users - The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any W2K-compatible program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000. A User may or may not be able to [...]

[...] the same host as IIS, or any other web server, due to the security risks. Although the default installation of Windows 2000 Server includes IIS, this option should be unchecked during installation.

3 - 24 What’s in a Name?
• DNS Domain
• NT 4.0 Domain
• Windows 2000 domain
• Organizational Unit

When discussing Windows networks, it’s important to clarify the meaning [...]
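As an added example (not the course’s own material), here is a security template in the .inf format read by the Security Templates and Security Configuration and Analysis snap-ins and by secedit, expressing the desktop and file-server baseline bullets above (strong local account policy, local audit settings) so the baseline can be checked and applied rather than clicked in by hand; the numeric values are assumed policy choices, not values the course states.

```ini
; baseline-w2k.inf - constructed example of a Security Template for a
; standalone W2K Professional or member file-server baseline.
; All numeric values are assumptions (policy choices), not SANS-stated values.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; "Strong local account policy": Local Security Policy > Account Policies.
; Password ages are in days; lockout counter reset and duration are minutes.
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0

; "Local audit settings": auditing is off by default in Windows 2000.
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3

; Size the Security Log (in KB) for what the audit policy will produce
; and keep the Guest account out of it.
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

; Compare a machine against this baseline without changing anything:
;   secedit /analyze /db baseline.sdb /cfg baseline-w2k.inf /log analyze.log
; Then, once the differences reported in analyze.log are understood:
;   secedit /configure /db baseline.sdb /cfg baseline-w2k.inf /log apply.log
```

The same compare-then-apply sequence is available in the Security Configuration and Analysis snap-in as Analyze Computer Now and Configure Computer Now after importing the template into a database.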
Computer Management Console

3 - 11 Users and Power Users
To avoid loosening security on a Windows 2000 system, an administrator should:
• Make sure that end users are members of the Users group only
• Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully

Users cannot modify system-wide registry settings, [...]

[...] authentication of down-level clients (Windows 9x, Windows NT) to more advanced authentication algorithms. The clients must also be configured to respond appropriately.

3 - 32 Additional Security Settings
• Event Log
• Restricted Groups
• System Services
• Registry
• File System
• Public Key Policies
• IP Security Policies

Additional security settings are possible both [...]

[...] is also affected by Local Security Policy. However, any conflicts between Local Security Policy and any GPO are won by the GPO, as Local Security Policy is applied before the application of GPOs. Exceptions to the ‘last applied wins’ rule do exist but are beyond the scope of our discussion here today.

3 - 34 PKI Setup
Enterprise PKI
Windows 2000 certificate services [...]

[...] Administrative authority can be assigned in granular fashion using Delegation of Authority. Windows 2000 domains offer additional security benefits, such as secure dynamic DNS update and enterprise-integrated PKI. Active Directory serves as a security framework on which to model enterprise-wide security management. A Windows 2000 Server is promoted to domain controller status by using the dcpromo command. In [...]
[...] designed to run on Windows 2000. Different specifications exist for Professional, Server, Advanced Server, and Datacenter Server. If an application is not certified, that does not mean it will not run; however, it does mean there may be problems.

3 - 12 Replicator
• Used in a Windows 2000 Domain for Active Directory Replication
• No user accounts should be in this group