CHAPTER 17
Windows 2000 Security Issues
Copyright 2001 The McGraw-Hill Companies, Inc.
Microsoft Windows 2000 is rapidly replacing Windows NT in internal and external server installations. There is little doubt that Windows 2000 will become one of the most prevalent (if not the most prevalent) operating systems across the Internet. It is obvious that Windows 2000 will be found in traditional Windows NT roles such as file, print, and database servers for internal use and Web and application server for Internet use. Additional features, such as a telnet server, may push Windows 2000 into functions that have been reserved for Unix systems. However it may be used, it is clear that Windows 2000 will store and operate on sensitive information.
As we did in Chapter 15, we will discuss the basic steps to take during system setup and how to properly manage users within a Windows 2000 domain. Finally, we will discuss system management issues from a security perspective. The final section of this chapter will try to identify key indicators that administrators should watch for when looking for potential intrusions.
SETTING UP THE SYSTEM
Windows 2000 has added some significant security features over those available under Windows NT. As you will see in the following sections, the capabilities of these new tools are quite significant. Unfortunately, their use requires a homogeneous Windows 2000 environment. When used in mixed Windows 2000 and Windows NT environments, the system must default to the weaker Windows NT configurations to allow interoperability.
Windows 2000 is not secure straight out of the box (although it is better than Windows NT). Given this, there are some settings that should be made before the system goes into production that will make the system more secure. The configuration settings are divided into Local Security Policy Settings and System Configuration Settings.
Local Security Policy Settings
New to Windows 2000 is the local policy editor GUI. You can find this tool by going to Control Panel | Administrative Tools | Local Security Policy (see Figure 17-1). This tool allows you to set account policies as well as local security policies. We will talk more about account configuration later. For now, let’s focus on the local security policies. The Local Security Policy GUI is actually just a front end for changes to the Registry. Therefore, the use of regedit or regedt32 is no longer required to make common Registry setting changes. Generally, for these security changes, it is better to use the tool than to go into the Registry to make your own changes.
Figure 17-2 shows the policy items that are configurable through the Local Security Policy GUI. The following sections go into more detail about recommended changes to the security policy.
NOTE: Windows 2000 provides a number of security configuration templates that can be used to set system configurations, local security policy, and user management settings on the system. If you choose to use one of these templates, make sure you understand the changes that will be made to your system.
Logon Message
Windows 2000 provides two settings to configure a logon message to be displayed to users:
▼ Message Text for Users Attempting to Log On
▲ Message Title for Users Attempting to Log On
Set both of these with the appropriate logon message for your organization.
Figure 17-1. Local Security Policy Management GUI
Clear Virtual Memory Pagefile When System Shuts Down
The virtual memory pagefile contains important system information when the system is running. This system information may include encryption keys or password hashes. To force Windows 2000 to clear the system pagefile on shutdown, enable the Clear Virtual Memory Pagefile When System Shuts Down setting.
Allow System to Be Shut Down Without Having to Log On
Individuals should not be able to shut down systems if they cannot log on. Therefore, the Allow System to Be Shut Down Without Having to Log On setting should be disabled.
LAN Manager Authentication Level
LAN Manager authentication is an authentication system that allows Windows 2000 servers to work with Windows 95 and Windows 98 clients (as well as Windows for Workgroups). LAN Manager authentication schemes are significantly weaker than the NT or Windows 2000 authentication systems (called NTLM v2) and thus may allow an intruder to perform a brute-force attack on the encrypted passwords using much less computing power. To force the use of NTLM v2 authentication, use the following settings:
1. Select the LAN Manager Authentication Level policy setting.
2. Select the appropriate level from the pull-down menu.
Figure 17-2. Local Security Policy configurable items
The value you set depends upon your environment. There are six levels defined as:
▼ Send LM and NTLM Responses—This is the default level. Send both LAN Manager and NTLM responses. The system will never use NTLM v2 session security.
■ Send LM and NTLM, Use NTLM v2 If Negotiated
■ Send NTLM Response Only
■ Send NTLM v2 Response Only
■ Send NTLM v2 Response Only, Refuse LM
▲ Send NTLM v2 Response Only, Refuse LM and NTLM
NOTE: Before making the change to this policy setting, determine the operating requirements for your network. If you have Windows 95 or Windows 98 clients on your network, you must allow LAN Manager responses.
Additional Restrictions for Anonymous Connections
This policy setting allows the administrator to define what is allowed via an anonymous connection. The three choices are:
▼ None, Rely On Default Permissions
■ Do Not Allow Enumeration of SAM Accounts and Shares
▲ No Access Without Explicit Anonymous Permissions
These settings can prevent null user sessions from gaining information about users on a system.
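An added example (not from the book): because the policy items above are stored as Registry values, a security template exported with `secedit /export /cfg` can be checked offline against them. The value names are the ones Windows uses for these three settings; the minimum levels, which assume no Windows 95 or Windows 98 clients, and the sample export are assumptions constructed for illustration.

```python
import configparser

LSA = r"machine\system\currentcontrolset\control\lsa"
MEM = r"machine\system\currentcontrolset\control\session manager\memory management"
LM_LEVELS = [  # LmCompatibilityLevel 0-5, in the order the policy GUI lists them
    "Send LM and NTLM Responses",
    "Send LM and NTLM, Use NTLM v2 If Negotiated",
    "Send NTLM Response Only",
    "Send NTLM v2 Response Only",
    "Send NTLM v2 Response Only, Refuse LM",
    "Send NTLM v2 Response Only, Refuse LM and NTLM",
]
# Registry value -> (minimum DWORD, finding); the minimums are this example's assumption.
CHECKS = {
    LSA + r"\lmcompatibilitylevel": (3, "NTLM v2 is not forced"),
    LSA + r"\restrictanonymous": (1, "anonymous enumeration of SAM accounts and shares allowed"),
    MEM + r"\clearpagefileatshutdown": (1, "pagefile is not cleared at shutdown"),
}

def dword(raw):
    """Parse '<type>,<data>' from [Registry Values]; type 4 is REG_DWORD. Unset or malformed -> 0."""
    kind, _, data = (raw or "").partition(",")
    return int(data) if kind.strip() == "4" and data.strip().isdigit() else 0

def audit(inf_text):
    """Return {value name: finding} for each checked setting that is below its minimum."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)  # configparser lower-cases option names, so matching ignores case
    values = dict(cp["Registry Values"]) if cp.has_section("Registry Values") else {}
    findings = {}
    for key, (minimum, text) in CHECKS.items():
        current = dword(values.get(key))  # a value missing from the export counts as 0
        if current < minimum:
            name = key.rsplit("\\", 1)[1]
            if name == "lmcompatibilitylevel":
                text += f" (level {current}: {LM_LEVELS[current]})"
            findings[name] = text
    return findings

# Constructed sample in the layout of a `secedit /export /cfg` file (not from a real host).
SAMPLE = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```

A real export is usually UTF-16 encoded, so decode the file before passing its text to `audit`.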
System Configuration
There are several differences between Windows 2000 and Windows NT when it comes to system configuration. Windows 2000 does introduce new security features, but it is helpful to understand the advantages and disadvantages of each of the new features. In the following sections, we will discuss four primary areas:
▼ File systems
■ Network settings
■ Account settings
▲ Service packs and hot-fixes
As a general rule, the specific settings should be governed by the organization’s security policy and system configuration requirements.
File Systems
All file systems on Windows 2000 systems should be converted to NTFS. Since FAT file systems do not allow for file permissions, NTFS is better from a security point of view. If any of your file systems are FAT, you can use the program CONVERT to change them to NTFS. This program requires a reboot, but it can be done with information already on the drive.
It should also be noted that Windows 2000 ships with a new version of NTFS, NTFS-5. NTFS-5 comes with a new set of individual permissions:
▼ Traverse Folder/Execute File
■ List Folder/Read Data
■ Read Attributes
■ Read Extended Attributes
■ Create Files/Write Data
■ Create Folders/Append Data
■ Write Attributes
■ Write Extended Attributes
■ Delete Subfolders and Files
■ Delete
■ Read Permissions
■ Change Permissions
▲ Take Ownership
Before putting Windows 2000 into production, administrators and security staff should understand the new permissions and review the permissions structure on files and directories.
Encrypting File System
One weakness in the NTFS file system is that it only protects files when used with Windows NT or Windows 2000. If an intruder can boot a system using another operating system (such as DOS), he or she could then use a program (such as NTFSDOS) to read the files and thus go around the NTFS access controls. Windows 2000 adds the Encrypting File System (EFS) to protect sensitive files from this type of attack. EFS is designed to be transparent to the user. Therefore, the user does not have to initiate the decryption or encryption of the file (once EFS is invoked for the file or directory). To invoke EFS, select the file or directory you wish to protect, right-click, and select Properties. Select the Advanced button on the General screen and select Encrypt Contents to Secure Data.
When a file is designated to be encrypted, the system chooses a key to be used by a symmetric key algorithm and encrypts the file. The key is then encrypted with the public key of one or more users who will have access to the file. It should be noted here that the EFS has a built-in mechanism to allow for the recovery of encrypted information. By default, the local Administrator account will always be able to decrypt any EFS files.
Because of the way EFS interfaces with the user and the operating systems, some commands will cause a file to be decrypted and others will not. For example, the Ntbackup command will copy an encrypted file as is. However, if the user executes a Copy command, the file will be decrypted and rewritten to disk. If the destination location for the file is a non-NTFS 5.0 partition or a floppy disk, the file will not be encrypted when written. Also, if the file is copied to another computer, it will be re-encrypted with a different symmetric algorithm key. Thus, the two files will appear different on the two different computer systems even though the unencrypted contents of the file will be the same.
Shares
As with Windows NT, Windows 2000 creates administrative shares when it boots. These are the C$, D$, IPC$, ADMIN$, and NETLOGON (only found on domain controllers) shares. The complete list of current shares can be examined with the Computer Management tool by selecting Control Panel | Administrative Tools (see Figure 17-3). While these shares can be used to attempt to brute-force the administrator password, it is not recommended that you turn any of these off.
Figure 17-3. Computer Management shows existing shares
Networking with Windows 2000 has changed significantly from Windows NT. In addition to the standard Windows ports (135, 137, and 139), Windows 2000 adds Port 88 for Kerberos, Port 445 for SMB over IP, Port 464 for Kerberos kpasswd, and Port 500 (UDP only) for Internet Key Exchange (IKE). What this means is that if you want to remove NetBIOS from a Windows 2000 system, you actually have to disable File and Print Sharing for Microsoft Networks on the specific interface. You can do this from the Network and Dial-up Connections window. Select the Advanced menu and then select Advanced Settings to see the Adapters and Bindings tab (see Figure 17-4).
The network continues to be a key part of Windows 2000. Windows 2000 domains remove the concept of PDCs and BDCs. There are now only domain controllers (DCs). Windows 2000 domains still maintain the centralized control of the user database. However, the Active Directory structure now allows for a hierarchical concept. This means that groups can be created above or below other groups and the domain can be separated into organizational units with local control.
Figure 17-4. Removing the bindings for NetBIOS
NOTE: Before Windows 2000 is deployed within your organization, the domain structure should be properly planned. Just moving an existing domain structure from Windows NT to Windows 2000 is not appropriate and can cause future problems.
It should also be noted that Windows 2000 does make a change in the way trust relationships work within a domain and between domains. In Windows NT, trust had to be explicitly established for each direction. In a Windows 2000 system, a trust relationship is bi-directional by default. Trust in Windows 2000 is also transitive. This means that if Domain A has a trust relationship with Domain B and Domain B has a trust relationship with Domain C, then Domain A also has a trust relationship with Domain C and vice versa.
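An added example (not from the book) that turns the A, B, C case above into a planning check: given the trust links an administrator configures, it lists the trust relationships that exist under each model as the text describes it, so the implied ones can be reviewed before a link is added. The function names and the `LINKS` data are constructed for illustration.

```python
def nt_trusts(links):
    """Windows NT model as described above: each direction is explicit, nothing is implied."""
    return set(links)

def w2k_trusts(links):
    """Windows 2000 model as described above: links are bi-directional and trust is transitive."""
    neighbours = {}
    for a, b in links:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)  # bi-directional by default
    pairs = set()
    for start in neighbours:
        seen, stack = {start}, [start]
        while stack:  # walk every domain reachable through a chain of trusts
            for nxt in neighbours[stack.pop()] - seen:
                seen.add(nxt)
                stack.append(nxt)
        pairs |= {(start, other) for other in seen if other != start}
    return pairs

def implied_trusts(links):
    """Trust pairs that exist in the Windows 2000 model but that nobody configured."""
    return sorted(w2k_trusts(links) - nt_trusts(links))

# Constructed input: (trusting domain, trusted domain) pairs as configured.
LINKS = [("A", "B"), ("B", "C")]

if __name__ == "__main__":
    print("configured:", sorted(nt_trusts(LINKS)))
    print("implied   :", implied_trusts(LINKS))
```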
Account Settings
Windows 2000 comes with two default accounts: Administrator and Guest. Both of these accounts can be renamed by using the Local Security Settings tool. Select the policy items Rename Administrator Account and Rename Guest Account to make these changes. The Guest account should also be disabled. I also change the password on the Guest account to something very long and very random just in case.
Every Windows 2000 workstation and server in the organization will have an Administrator account that is local to that machine and thus will require protection. To protect these accounts, a procedure should be established to define a password that is very strong. The password should be written down, sealed in an envelope, and stored in a locked cabinet.
Password Policy
The system password policy is defined by using the Local Security Settings tool (see Figure 17-5). This screen allows you to set password parameters and strength requirements. As with any computer system, these settings should be made in accordance with your organization’s security policy.
If you choose to enable the Passwords Must Meet Complexity Requirements setting, you will be invoking the default password filter (PASSFILT.DLL). This will require all passwords to be at least six characters long, not contain any component of the user name, and contain at least three of the following: numbers, symbols, lowercase, or uppercase.
Unless absolutely necessary, you should not enable the Store Passwords Using Reversible Encryption setting.
Account Lockout Policy
The account lockout policy is configured using the Local Security Settings tool as well (see Figure 17-6). These settings should be made according to your organization’s security policy.
NOTE: The account lockout policy is used to prevent an attacker from conducting a brute-force attack to guess passwords. It can also be used to cause a denial-of-service condition to the entire user community. Therefore, it may be wise to consider the consequences of prolonged lockouts of the user community when setting this policy.
The lockout will not be enforced against the Administrator account. The Administrator account will always be able to log in from the system console.
Service Packs and Hot-Fixes
As of this writing, there is one service pack for Windows 2000. Additional hot-fixes and service packs will come out over time. As with Windows NT updates, service packs and hot-fixes should be implemented within an organization after appropriate testing.
330 Network Security: A Beginner’s Guide
Figure 17-5. Using the Local Security Settings tool to establish password policy
USER MANAGEMENT
The management of users on a Windows 2000 system is critical to the security of the system and the organization. Proper procedures should be in place within the organization to identify the proper permissions each new user should receive. When an employee leaves the organization, procedures should be in place to make sure that the employee loses access rights to the organization’s systems.
Adding Users to the System
When adding new users to the system, make sure you follow your User Management procedures. These procedures should define who may request new accounts and who may approve these requests. New users are added to a system or domain through the
Figure 17-6. Using the Local Security Settings tool to establish account lockout policy