Chapter 6
Microsoft RAS and VPN for Windows 2000

Solutions in this chapter:
■ What’s New in Windows 2000
■ Discovering the Great Link: Kerberos Trusts between Domains
■ Understanding EAP, RADIUS, and IPSec
■ Configuring Microsoft RAS and VPN for Windows 2000
■ Avoiding Possible Security Risks
The latest release of Microsoft’s network operating system (NOS) is Windows 2000. Many employees will use Windows 2000 at home to access their corporate networks. One thing that you must make sure of is that their connection will be safe for your network. Allowing access into your network from anywhere outside your security measures creates an opportunity for someone to exploit any weaknesses in the software and gain access to your network.

Invariably, Microsoft had to provide solutions to this problem, so they incorporated a host of new security features in Windows 2000. The most notable addition to Windows 2000 could quite possibly be Active Directory (AD). AD is a new environment for Windows 2000, and is based on the open standard of Lightweight Directory Access Protocol (LDAP) instead of the more proprietary Users, Groups, and Domains. A single sign-on method has also been incorporated, allowing one sign-on process to grant access to network resources.
This new directory structure brings several key security pieces to the table. The addition of Kerberos v5 allows, again, for an open standard approach, and NT LAN Manager (NTLM) provides compatibility with previous OS versions. Some of the other open standards embraced in Windows 2000 include:
■ IP Security (IPSec) Allows for secure transmissions within IP networks. Incorporates security using an Encapsulating Security Payload (ESP) or an Authentication Header (AH).
■ Extensible Authentication Protocol (EAP) Provides support for third-party authentication products, to be used with PPP. EAP allows for support of Kerberos, Secure Key (S/Key), and Public Key.
■ Remote Authentication Dial-In User Service (RADIUS) A client/server authentication method that provides a way to offload authentication duties from the Windows 2000 server.
With this in mind, the objective of this chapter is to introduce you to some of the new features of the Remote Access Service (RAS) and virtual private network (VPN) technology in Windows 2000. After you have completed this chapter, you should be familiar with Microsoft’s new security features, the implementation of RAS and VPN, and how they all work together.
What’s New in Windows 2000

Like every other operating system on the market, Microsoft needed to create a secure networked environment for Windows users. Microsoft responded to the need for security by increasing its attention to security issues in the Windows NT operating system as the product matured (in fact, many of its service packs have addressed just that issue), but security has always been considered by many to be one of Windows NT’s less-than-strong points when compared to alternative network operating systems.
The NT LAN Manager (NTLM) security protocol used in NT, although providing a reasonable level of security for most purposes, has several drawbacks:
■ It is proprietary, not an industry-wide standard, and not popular outside Microsoft networking.
■ It does not provide mutual authentication; that is, although the server authenticates the client, there is no reciprocal authentication on the part of the client. It is just assumed that the server’s credentials are valid. This has been a weak spot, leaving NT networks vulnerable to hackers and crackers whose programs, by masquerading as servers, could gain access to the system.
One of the enhancements to the security in Windows 2000 Server is that it supports two authentication protocols, Kerberos v5 and NTLM. Kerberos v5 is the default authentication method for Windows 2000 domains, and NTLM is provided for backward compatibility with Windows NT 4.0 and earlier operating systems.

Another security enhancement is the addition of the Encrypting File System (EFS). EFS allows users to encrypt and decrypt files on their system on the fly. This provides an even higher degree of protection for files than was previously available using NTFS (NT File System) security only.
The inclusion of IP Security (IPSec) in Windows 2000 enhances security by protecting the integrity and confidentiality of data as it travels over the network. It is easy to see why IPSec is important; today’s networks consist of not only intranets, but also branch offices, remote access for telecommuters, and, of course, the Internet.

Each object in the Active Directory can have its permissions controlled at a very high level of granularity. This per-property level of permissions is available at all levels of the Active Directory.
Smart cards are supported in Windows 2000 to provide an additional layer of protection for client authentication as well as providing secure e-mail. The additional layer of protection comes from an adversary’s needing not only the smart card but also the Personal Identification Number (PIN) of the user to activate the card.

Transitive trust relationships are a feature of Kerberos v5 that is established and maintained automatically. Transitive trusts rely on Kerberos v5, so they are applicable only to Windows 2000 Server–only domains.

Windows 2000 depends heavily on Public Key Infrastructure (PKI). PKI consists of several components: public keys, private keys, certificates, and certificate authorities (CAs).
Where Is the User Manager for Domains?

There are several changes to the tools used to administer the network in Active Directory. Users and groups are administered in a new way. Everyone who is familiar with User Manager for Domains, available in Windows NT 4.0 and earlier versions, now must get used to the Active Directory Users and Computers snap-in for the Microsoft Management Console (MMC) when managing users in a pure Windows 2000 domain. The MMC houses several new tools used for managing the Windows 2000 Server environment, such as the Quality of Service (QoS) Admission Control and Distributed File System. The MMC also includes old tools such as the Performance Monitor and Event Viewer. Table 6.1 shows the differences between some of the tools used in Windows NT 4.0 and those used in Windows 2000 Server.

Table 6.1 Tools Used in Windows NT 4.0 and Windows 2000 Server
Windows NT 4.0 | Windows 2000 Server
User Manager for Domains | Active Directory Users and Computers is used for modification of user accounts. The Security Configuration Editor is used to set security policy.
(Continued)
Problems and Limitations

Windows 2000 Server maintains compatibility with down-level clients (Windows NT 4.0, Windows 95, and Windows 98), so it uses the NTLM and LM authentication protocols for their logons. This means that the stronger Kerberos v5 authentication is not used for those systems. Because NTLM and LM are still used, the passwords for those users can be compromised.

Figure 6.1 shows a packet capture of a Windows 98 client logging on to a Windows 2000 domain. The Windows 98 machine is sending out a broadcast LM1.0/2.0 logon request.

Figure 6.2 shows a Windows 2000 server responding to the request sent by the Windows 98 client. The Windows 2000 server responds with an LM2.0 response to the logon request.

NTLM is also used to authenticate Windows NT 4.0, but LM is used to authenticate Windows 95 and Windows 98 systems. NTLM is used to authenticate logons in the following cases:
■ Users in a Windows NT 4.0 domain authenticating to a Windows 2000 domain
■ A Windows NT 4.0 Workstation system authenticating to a Windows 2000 domain controller
■ A Windows 2000 Professional system authenticating to a Windows NT 4.0 primary or backup domain controller
■ A Windows NT 4.0 Workstation system authenticating to a Windows NT 4.0 primary or backup domain controller
Table 6.1 Tools Used in Windows NT 4.0 and Windows 2000 Server (continued)
Windows NT 4.0 | Windows 2000 Server
System Policy Editor | The Administrative Templates extension to Group Policy is used for registry-based policy configuration.
Add User Accounts (Administrative Wizard) | Active Directory Users and Computers is used to add users.
Group Management (Administrative Wizard) | Active Directory Users and Computers is used to add groups. Group policy
Figure 6.1 A Windows 98 client sends an LM1.0/2.0 logon request.
Figure 6.2 Windows 2000 server responds with an LM2.0 response to the Windows 98 client logon request.
The difficulty with using NTLM or LM as an authentication protocol cannot be overcome easily. The only way to get around using NTLM or LM at the moment is to replace the systems running earlier versions of Windows with Windows 2000 systems. This probably is not economically feasible for most organizations.

Windows NT 3.51 presents another problem. Even though it is possible to upgrade Windows NT 3.51 to Windows 2000 Server, Microsoft does not recommend running Windows NT Server 3.51 in a Windows 2000 Server domain, because Windows NT 3.51 has problems with authentication of groups and users in domains other than the logon domain.
What Is the Same?

Windows 2000 Server has grown by several million lines of code over the earlier versions of Windows NT, so it may be hard to believe that anything is the same as in the earlier versions. NTLM is the same as it was in earlier versions because it has to support down-level clients.

Global groups and local groups are still present in Windows 2000 Server, with an added group. Otherwise, for security purposes, this is a new operating system with many new security features and functions for system administrators to learn about.

Windows 2000’s security protocols (note the plural; the new operating system’s support for multiple protocols is one of its strongest features) are different; they are part of what is known as the distributed services.

Distributed services is a term that pops up frequently when we discuss network operating systems, and it seems to be mentioned even more often as we familiarize ourselves with the Windows 2000 Server family. Most network administrators have a vague idea of what it means, but probably have never really sat down and tried to define it, especially in terms of security.
Open Standards

Windows 2000 signals a big change in direction for Microsoft, away from the proprietary nature of many of Windows NT’s features, and toward the adoption of industry standards. This new path is demonstrated most prominently in the area of distributed services. Active Directory itself is based on the Lightweight Directory Access Protocol (LDAP), thus making it compatible with other directory services, such as Novell’s NetWare Directory Services (NDS), which adhere to this open Internet standard.

One of the primary requirements of an enterprise-level NOS is the ability to protect the integrity and privacy of the network’s data. So it is no surprise that there have been major, drastic changes made to the security subsystem in the latest implementation of Windows server software.

Much as it has adopted open directory services standards, Microsoft has incorporated into Windows 2000 support for the widely utilized and respected Kerberos security protocol developed at the Massachusetts Institute of Technology (MIT), and the ISO’s X.509 v3 public key security, another accepted standard. These are in addition to the NTLM security protocol used in Windows NT, which is included in Windows 2000 for compatibility with down-level clients. Figure 6.3 gives an overview of the Windows 2000 security structure.

The following section examines Windows 2000’s distributed security services in detail, with the focus on how intimately the security and directory services are intertwined, and how Active Directory’s objects can be secured in a granular manner that was never possible in Windows NT. It also looks at the security protocols themselves, and the role and function of each. Finally, it addresses the special area of Internet security, and the added level of protection from unauthorized outside access provided by the Windows 2000 distributed security subsystem.
Windows 2000 Distributed Security Services

What exactly are these security services that are distributed throughout the network, and how do they work together to ensure more robust protection for user passwords and other confidential data? A number of security features, which together make up the distributed security services, are built into Windows 2000:

Active Directory security This includes the new concept of transitive trusts, which allows user account authentication to be distributed across the enterprise, as well as the granular assignment of access rights and the new ability to delegate administration below the domain level.

Multiple security protocols Windows 2000 implements the popular Kerberos security protocol, supports PKI, and has backward compatibility with Windows NT and Windows 9x through the use of NTLM.

Security Support Provider Interface (SSPI) This component of the security subsystem reduces the amount of code needed at the application level to support multiple security protocols by providing a generic interface for the authentication mechanisms that are based on shared-secret or public key protocols.

Secure Sockets Layer (SSL) This protocol is used by Internet browsers and servers, and is designed to provide for secure communications over the Internet by using a combination of public and secret key technology.

Figure 6.3 The Windows 2000 security structure (layers shown: Applications; Security Provider Interface; Security Providers: Kerberos, PKI, NTLM, SSL; Network Protocols: HTTP, RPC, LDAP; Network)
Microsoft Certificate Server This service was included with IIS 4.0 in the NT 4.0 Option Pack and has been upgraded and made a part of Windows 2000 Server. It is used to issue and manage the certificates for applications that use public key cryptography to provide secure communications over the Internet, as well as within the company’s intranet. Within Windows 2000, it has been renamed Certificate Services.

CryptoAPI (CAPI) As its name indicates, this is an application programming interface that allows applications to encrypt data using independent modules known as cryptographic service providers (CSPs), and protects the user’s private key data during the process.

Single Sign-On (SSO) This is a key feature of Windows 2000 authentication, which allows a user to log on to the domain just one time, using a single password, and authenticate to any computer in the domain, thus reducing user confusion and improving efficiency, and at the same time decreasing the need for administrative support.

As a network administrator, you are probably not most concerned with the intricacies of how the various cryptographic algorithms work (although that can be an interesting sideline course of study, especially if you are mathematically inclined). This jumble of acronyms can be used to keep your organization’s sensitive data secure. This chapter emphasizes just that: combining the distributed security services of Windows 2000 in a way that balances security and ease of accessibility in your enterprise network.
Active Directory and Security

It should come as no surprise, given the amount of time and care Microsoft has put into developing its directory services for Windows 2000, that a great deal of attention was paid to making Active Directory a feature-rich service that will be able to compete with other established directory services in the marketplace. After extensive study of what network administrators out in the field want and need in a directory service, Active Directory was designed with security as a high-priority item.

These are some of the important components of Active Directory’s security functions:
■ Storage of security credentials for users and computers in Active Directory, and the authentication of computers on the network when the network is started
■ The transitive trust model, in which all other domains in the domain tree accept security credentials that are valid for one domain
■ Secure single sign-on to the enterprise (because security credentials are stored in Active Directory, making them available to domain controllers throughout the network)
■ Replication of all Active Directory objects to every domain controller in a domain
■ Management and accessibility of user and computer accounts, policies, and resources at the “nearest” (in terms of network connectivity) domain controller
■ Inheritance of Active Directory object properties from parent objects
■ Creation of account and policy properties at the group level, which can then be applied to all new and existing members
■ Delegation of specific administrative responsibilities to specific users or groups
■ Ability of servers to authenticate on behalf of clients
■ Ability of these features to work together, as part of Active Directory and the security subsystem. Compared to Windows NT, this is a whole new (and better) way of doing things
■ Management of user and computer accounts in the enterprise
Advantages of Active Directory Account Management

Windows NT, as it came out of the box, was not a particularly secure operating system, for several reasons. First, during the timeframe in which Windows NT was initially developed, security was not as big a concern in the corporate environment as it has become in the past several years. Second, security is not traditionally as crucial in smaller network environments as in large ones, and Windows NT was not in widespread use in large-enterprise situations. Finally, Microsoft’s focus in designing Windows NT was ease of use; there will always be a trade-off between security level and accessibility. With Windows 2000, security is built right into Active Directory.

Active Directory will support a much larger number of user objects (more than a million) with better performance than the Windows NT Registry-based domain model. Maximum domain size is no longer limited by the performance of the security account repository. A domain tree can support much larger, complex organizational structures, making Windows truly suitable for enterprise networking.
Since account management is the foundation of any Windows NT or Windows 2000 security plan, it stands to reason that the easier and more specific the management of user accounts is, the better it will be for security purposes.

Account management is an important issue. Every user initially enters the network through a user account; this is the beginning point for assignment of user rights and permissions to access resources, individually or (as Microsoft recommends) through membership in security groups (see Figure 6.4).

In Windows NT 4.0 Server, user accounts were administered from the User Manager for Domains and computer accounts were managed via Server Manager. In a Windows 2000 domain, both types of accounts are managed from a single point, the Active Directory Users and Computers MMC snap-in. To access this tool, follow this path: Start menu | Programs | Administrative Tools | Active Directory Users and Computers.

Figure 6.5 shows the separate folders for computers and users (showing the Users folder expanded).

This one-stop account management setup makes it easier for the network administrator to address the issues that arise in connection with the security-oriented administration of users, computers, and resources.

Figure 6.4 The user account is the entry point to the network and the basis for security (elements shown: User Account; Username and Password; Privileges; Local Groups; Global Groups; Universal Groups; Group Memberships; Permissions to access resources; User Rights; Administrative Authority)
Group names, as well as individual user accounts, are included in the Users folder.

Figure 6.5 Accounts can be managed with the Active Directory Users and Computers snap-in.

Managing Security via Object Properties

In Active Directory, everything is an object, and every object has properties, also called attributes. The attributes of a user account include security-related information. In the case of a user account, this would include memberships in security groups and password and authentication requirements. Windows 2000 makes it easy for the administrator to access the attributes of an object (and allows for the recording of much more information than was possible with Windows NT). Figure 6.6 shows the Account property sheet of a user account and some of the optional settings that can be applied.

It is possible to specify the use of Data Encryption Standard (DES) encryption or no requirement for Kerberos preauthentication, along with other security criteria for this user account, simply by clicking on a check box. The same is true of trusting the account for delegation or prohibiting the account from being delegated. Other options that can be selected here (not shown in Figure 6.6, but available by scrolling up the list) include:
■ Requirement that the user change the password at next logon
■ Prohibition on the user’s changing the password
■ Specification that the password is never to expire
■ Specification that the password is to be stored using reversible encryption

Some of the settings in the user account properties sheet (such as password expiration properties and logon hours) could be set in Windows NT through the User Manager for Domains. Others are new to Windows 2000.

Managing Security via Group Memberships

In most cases, in a Windows 2000 domain, access to resources is assigned to groups, and then user accounts are placed into those groups. This makes access permissions much easier to handle, especially in a large and constantly changing network.

Assigning and maintaining group memberships is another important aspect of user account management, and Active Directory makes this easy as well. Group memberships are managed through another tab on the property sheet, the Member Of tab (see Figure 6.7).

As Figure 6.7 shows, you can add or remove the groups associated with this user’s account with the click of a mouse.

Figure 6.6 This is the user account properties sheet (Account tab).
Active Directory Object Permissions

Permissions can be applied to any object in Active Directory, but the majority of permissions should be granted to groups, rather than to individual users. This eases the task of managing permissions on objects.

You can assign permissions for objects to:
■ Groups, users, and special identities in the domain
■ Groups and users in that domain and any trusted domains
■ Local groups and users on the computer where the object resides

To assign Active Directory permissions to a directory object, do one of these things:
■ Open the Active Directory Domains and Trusts tool by following this path: Start | Programs | Administrative Tools | Active Directory Domains and Trusts. Right-click the selected domain and choose Manage.
■ Open the Active Directory Users and Computers tool directly, and expand the tree for the domain you wish to manage.

Figure 6.7 Security can be managed through group membership assignments.

In the View menu, be sure Advanced Features is checked (see Figure 6.8).

To view additional special permissions that may be set on this object, click the Advanced button at the bottom left of the dialog box. Figure 6.10 shows that the resultant dialog box allows you to choose permissions entries to view or edit.

Now select the entry that you wish to view, and click View | Edit. The special permissions are shown in Figure 6.11.

Finally, to view the permissions for specific attributes, click the Properties tab (see Figure 6.12).

Active Directory permissions can be fine-tuned to an extraordinary degree. But remember, especially as you begin to deploy your security plan using Windows 2000’s new features, just because you can do something does not mean you should do it.

Figure 6.8 The Advanced Features option on the View menu must be selected in order to set Active Directory permissions on an object.
Figure 6.9 Active Directory permissions are assigned in the Security section of the Properties sheet.
Figure 6.10 The Access Control Settings dialog box.
Figure 6.11 Special permissions for an Active Directory object.
Figure 6.12 The Properties tab on the Permission Entry box shows permissions that can be granted for specific property attributes.
Although Windows 2000 gives you the ability to assign Active Directory permissions not only to objects themselves but to their individual attributes, Microsoft recommends in general that you should not grant permissions for specific object attributes, because this can complicate administrative tasks and disrupt normal operations.

WARNING
You should use Active Directory Permissions only when absolutely necessary, and only when you are absolutely sure of the effects your actions will have.

Relationship between Directory and Security Services

Every object in Active Directory has a unique security descriptor that defines the access permissions that are required in order to read or update the object properties. Active Directory uses Windows 2000 access verification to determine whether an Active Directory client can read or update a particular object. Because of this, LDAP client requests to the directory require that the operating system enforce access control, instead of having Active Directory make the access-control decisions.

In Windows 2000, security is directly integrated with the directory services. This differs from the Windows NT model. In Windows NT 4.0, the SAM (Security Accounts Manager) database and the characteristics of the NTLM trust relationship combined to limit security to three levels within the domain: global and local groups, and individual users. With Active Directory, the database is distributed throughout the enterprise.

The result is that security can be administered with much more granularity and flexibility. One example is the ability to delegate administrative authority at the organizational unit (OU) level. In NT, assignment of administrative privileges made that user an administrator throughout the entire domain.

Windows 2000 Distributed Security Services use Active Directory as the central repository for account information and domain security policy. This is a big improvement over the registry-based implementation in terms of both performance and scalability. It is also easier to manage: Active Directory provides replication and availability of account information to multiple Domain Controllers, and can be administered remotely.

In addition, Windows 2000 employs a new domain model that uses Active Directory to support a multilevel hierarchy tree of domains. Managing the trust relationships between domains has been enormously simplified by the treewide transitive trust model that extends throughout the domain tree.

Windows 2000’s trusts work differently from those in Windows NT, and this affects security issues and administration in the Active Directory environment.
Domain Trust Relationships

The Kerberos security protocol is the basis for the trust relationships between domains in a Windows 2000 network. For the purposes of this chapter, it is important to understand that Kerberos is what makes the two-way transitive trusts of Windows 2000 work.

For an Active Directory namespace, when the first Windows 2000 server computer in a network is promoted to domain controller, this creates the internal root domain for your organization. It will have a hierarchical name, like mycompany.com.

Microsoft calls this the root domain. I use the term internal root domain to distinguish it from the Internet root domain, which is represented by a dot. On the Internet, mycompany.com, although referred to as a second-level domain, resides below both the Internet root and the external top-level domain “com”.

When additional domains are created in your company’s network (by promoting other Windows 2000 servers to domain controllers and designating them as DCs for the new domains), there are two options:
■ They can be created as children of the internal root domain, if they include the internal root’s namespace in their own; for instance, sales.mycompany.com is a child domain of mycompany.com.
■ They can be created as root domains for new domain trees in the forest, if they use an unrelated namespace (also called a noncontiguous namespace); for example, the creation of a domain named yourcompany.com would start a new domain tree that can exist in the same forest as the tree for which mycompany.com is the root.

Figure 6.13 illustrates the relationships of parent and child domains within a tree, and trees within a forest.

In Figure 6.13, two domain trees exist in the forest. The internal root domains are mycompany.com and yourcompany.com; each has one or more child domains that include the parents’ namespace, and as you can see, the child domains can have children of their own (to continue the analogy, these would be the grandchildren of the internal root domain).
The Great Link: Kerberos Trusts between Domains

In Windows NT networks, every domain was an island. In order for users in one domain to access resources in another, administrators of the two domains had to set up an explicit trust relationship. Moreover, these trusts were one-way; if the administrators wanted a reciprocal relationship, two separate trusts had to be created, because these trusts were based on the NTLM security protocol, which does not include mutual authentication.

In Windows 2000 networks, that has been changed. With the Kerberos protocol, all trust relationships are two-way, and an implicit, automatic trust exists between every parent and child domain; it is not necessary for administrators to create them. Finally, these trusts are transitive, which means that if the first domain trusts the second domain, and the second domain trusts the third domain, the first domain will trust the third domain, and so on. This comes about through the use of the Kerberos referral, and as a result every domain in a tree implicitly trusts every other domain in that tree.

All this would be cause enough for celebration for those administrators who have struggled with the trust nightmares inherent in the Windows NT way of doing things, but there is one final benefit. The root domains in a forest of domain trees also have an implicit two-way transitive trust relationship with each other. By traversing the trees, then, every domain in the forest trusts every other domain. As long as a user’s account has the appropriate permissions, the user has access to resources anywhere on the network, without worrying about the domain in which those resources reside.

For practical purposes, as is shown in Figure 6.13, a user in the payroll.acctg.yourcompany.com domain who needs to access a file or printer in the sales.mycompany.com domain can do so (provided the user’s account has the appropriate permissions). The user’s domain, payroll.acctg.yourcompany.com, trusts its parent, acctg.yourcompany.com, which in turn trusts its own parent, yourcompany.com. Since yourcompany.com is an internal root domain in the same forest as mycompany.com, those two domains have an implicit two-way transitive trust; thus mycompany.com trusts sales.mycompany.com, and the chain of Kerberos referrals has gone up one tree and down the other to demonstrate the path of the trust that exists between payroll.acctg.yourcompany.com and sales.mycompany.com.

On the other hand, these Kerberos trusts apply only to Windows 2000 domains. If the network includes down-level (Windows NT) domains, they must still use the old NTLM one-way explicit trusts in order to share resources to or from the Windows 2000 domains.
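The referral walk just described, as an added Python model that is not code from the book: it encodes the three trust rules the chapter states (two-way parent/child trusts, implicit trust between the internal roots of a forest, explicit one-way NTLM trusts for down-level domains) and reproduces the Figure 6.13 path. The domain names are the chapter's; LEGACYNT is a constructed down-level domain used only to show the NTLM case.

```python
"""Kerberos trust-path walk through a Windows 2000 forest (added example)."""
from dataclasses import dataclass, field


@dataclass
class Forest:
    roots: set                                    # internal root domain of each tree
    nt_domains: set = field(default_factory=set)  # down-level (Windows NT) domains
    nt_trusts: set = field(default_factory=set)   # explicit one-way NTLM trusts as
                                                  # (trusting resource domain, trusted account domain)

    def chain_to_root(self, domain):
        """Climb DNS-style parents until a tree root is reached, e.g.
        sales.mycompany.com -> ['sales.mycompany.com', 'mycompany.com']."""
        chain = [domain]
        while chain[-1] not in self.roots:
            if "." not in chain[-1]:
                raise ValueError(f"{domain} is not a Windows 2000 domain in this forest")
            chain.append(chain[-1].split(".", 1)[1])
        return chain

    def referral_path(self, user_domain, resource_domain):
        """Domains a Kerberos referral chain passes through for a user in
        user_domain reaching a resource in resource_domain, or None when no
        trust path exists. Whether the account then has permissions on the
        resource is a separate check, as the chapter notes."""
        if user_domain in self.nt_domains or resource_domain in self.nt_domains:
            # Kerberos referrals stop at down-level domains: the resource domain
            # must hold an explicit one-way NTLM trust toward the account domain.
            if (resource_domain, user_domain) in self.nt_trusts:
                return [user_domain, resource_domain]
            return None
        up = self.chain_to_root(user_domain)          # user's tree, bottom to root
        down = self.chain_to_root(resource_domain)    # resource's tree, bottom to root
        if up[-1] == down[-1]:
            # Same tree: the referral turns around at the nearest common ancestor
            # rather than going all the way up to the root.
            while len(up) > 1 and len(down) > 1 and up[-2] == down[-2]:
                up.pop()
                down.pop()
            return up + list(reversed(down))[1:]
        # Different trees: the two internal roots trust each other implicitly,
        # so the chain goes up one tree and down the other.
        return up + list(reversed(down))


def demo_forest():
    """The Figure 6.13 forest plus one constructed down-level domain, LEGACYNT,
    that only sales.mycompany.com has been configured to trust (one-way)."""
    return Forest(roots={"mycompany.com", "yourcompany.com"},
                  nt_domains={"LEGACYNT"},
                  nt_trusts={("sales.mycompany.com", "LEGACYNT")})


if __name__ == "__main__":
    forest = demo_forest()
    print(" -> ".join(forest.referral_path("payroll.acctg.yourcompany.com",
                                           "sales.mycompany.com")))
    print(forest.referral_path("LEGACYNT", "sales.mycompany.com"))   # explicit trust
    print(forest.referral_path("sales.mycompany.com", "LEGACYNT"))   # None: one-way only
```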
NOTE
Despite the transitive trust relationships between domains in a Windows 2000 network, administrative authority is not transitive; the domain is still an administrative boundary.
Trang 23Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is an open standard defined in Request for Comments (RFC) 2284, and is used by Microsoft to allow developers to add support for third-party security features in Windows 2000’s RAS or VPN service sets. EAP, a Layer 2 protocol, adds support for the integration of services such as biometric authentication devices (finger or voice printing), Message Digest 5-Challenge Handshake Authentication Protocol (MD5-CHAP), or Transport Level Security (TLS). TLS allows the deployment of devices such as token or smart cards. Instead of choosing an authentication type during the link control protocol (LCP) function, EAP leaves that up to the client and server during the authentication phase.
EAP was proposed by the IETF as an addition to Point-to-Point Protocol (PPP), so that vendors could add support for any of the security devices that will be developed in the future. In essence, this works as follows: ACME company designs a fingerprint security system that will probably be used with Windows 2000. After the product is developed, ACME can use EAP to create a plug-in security module for both the client and the server sides of the connection.
NOTE
EAP does not work in a Windows NT 4.0 environment.
Remote Authentication Dial-in User Service (RADIUS)
Remote Authentication Dial-in User Service (RADIUS) is used by Windows 2000 as a way to offload the authorization, accounting, and auditing (AAA) functions from the server. In the older Windows NT 4.0 model, the Domain Controller handles all of these features.
RADIUS accounting systems can be used to show how much time a user was connected, how many packets were sent, or how many bytes were sent. By utilizing RADIUS, you can take a lot of burden off of your servers so that they can be used for other network functions.
Figure 6.14 shows how RADIUS works in a Windows 2000 environment.
First, the Remote User will dial into his or her ISP’s RADIUS client system. The ISP client system will not make any determination of authentication credentials, but will instead forward the request to the remote RADIUS server for processing.
Next, the RADIUS server (represented in Figure 6.14 as the system named “IAS with IIS”) will determine what services the Remote User’s request will be allowed to have. The Internet Authentication Server (IAS) provides the authentication offload for the network servers, and may also provide the accounting and auditing services listed earlier.
Once authentication is complete, the Remote User’s session will be active with the network.
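The exchange above, worked as an added example that is not from the chapter: the ISP’s RADIUS client builds an Access-Request for IAS, and IAS answers with an Access-Accept or Access-Reject, following the packet format and authenticator rules of RFC 2865 (which the chapter does not detail). The shared secret, user name and password are constructed values, and passwords are limited to 16 bytes for brevity.

```python
import hashlib, os, struct

# Constructed values for the example (not from the chapter); real secrets are per-client.
SHARED_SECRET = b"isp-to-ias-secret"        # shared only by the ISP's NAS and the IAS server
USER_DB = {"remoteuser": "CorrectHorse"}    # stands in for the account IAS looks up
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2             # RADIUS attribute types (RFC 2865)

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 User-Password hiding (one 16-byte block): XOR with MD5(secret + authenticator)."""
    key = hashlib.md5(secret + req_auth).digest()
    return bytes(p ^ k for p, k in zip(password.ljust(16, b"\x00"), key))

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def nas_access_request(username, password, ident=7, req_auth=None):
    """ISP RADIUS client (NAS): forwards the credentials; it decides nothing itself."""
    req_auth = req_auth or os.urandom(16)
    body = attr(USER_NAME, username.encode()) + \
           attr(USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def ias_respond(request):
    """IAS: recovers the password with the shared secret, checks it, signs the reply."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request)
    username = attrs[USER_NAME].decode()
    password = hide_password(attrs[USER_PASSWORD], SHARED_SECRET, req_auth).rstrip(b"\x00")
    ok = username in USER_DB and USER_DB[username].encode() == password
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + SHARED_SECRET).digest()

def nas_verify_response(request, response):
    """The NAS accepts a reply only if its authenticator matches the NAS's own request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SHARED_SECRET).digest()
    return response[4:20] == expected
```

Without the shared secret a third party can neither recover the hidden password nor forge a reply whose Response Authenticator the NAS will accept.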
Internet Protocol Security (IPSec)
The IETF IPSec tunnel protocol specification (RFC 2401) did not include mechanisms suitable for remote access VPN clients. Omitted features include user authentication options and client IP address configuration. To use IPSec tunnel mode for remote access, some vendors chose to extend the protocol in proprietary ways to solve these issues. Although a few of these extensions are documented as Internet drafts, they lack standards status and are not generally interoperable. As a result, customers must seriously consider whether such implementations offer suitable multivendor interoperability.
Building an IPSec Policy
IPSec uses policy to determine how and when secure communications are employed. IPSec policy is built either at the local machine, or in the Active Directory. IPSec policies created in the Active Directory take precedence over local IPSec policies. The IPSec policies themselves are driven by Filter Lists, Filter Rules, and Filter Actions.
Each IPSec policy can contain multiple rules that determine the security settings of a secure connection when the link matches parameters set in the rule. For example, we can create a policy called “Secure from Legal to Accounting.” In this policy we can create a list of rules to apply. Each rule contains its own “Filter List.” The filter list determines when the rule is applied. Rules can be set up for IP Address, Network ID, or Domain Name System (DNS) name.
You could set up a filter list that includes the Network IDs of the legal and accounting departments. Whenever the source and destination IP address of a communication matches this filter, the authentication methods, filter actions, and tunnel settings for that rule go into effect.
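As an added example (not from the chapter), here is a small model of the policy just described: a filter list built from the legal and accounting Network IDs, a rule carrying its filter action, authentication method and tunnel setting, and the precedence of an Active Directory policy over a local one. The 10.1.0.0/24 and 10.2.0.0/24 Network IDs and the action names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Filter:
    """One entry of a filter list; a mirrored filter also matches the reverse direction."""
    source: str
    destination: str
    mirrored: bool = True

    def matches(self, src_ip, dst_ip):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src, dst = ipaddress.ip_network(self.source), ipaddress.ip_network(self.destination)
        return (s in src and d in dst) or (self.mirrored and d in src and s in dst)

@dataclass
class Rule:
    name: str
    filter_list: list            # decides when the rule applies
    filter_action: str           # constructed names: "require", "request" or "permit"
    auth_method: str = "kerberos"
    tunnel_endpoint: str = None  # None means transport mode rather than a tunnel

@dataclass
class Policy:
    name: str
    rules: list
    default_action: str = "permit"   # traffic matching no filter list stays in the clear

    def evaluate(self, src_ip, dst_ip):
        """The first rule whose filter list matches the traffic goes into effect."""
        for rule in self.rules:
            if any(f.matches(src_ip, dst_ip) for f in rule.filter_list):
                return rule
        return Rule("<default>", [], self.default_action)

def effective_policy(local_policy, ad_policy):
    """A policy assigned through Active Directory takes precedence over the local policy."""
    return ad_policy if ad_policy is not None else local_policy

# Constructed Network IDs for the legal and accounting departments.
LEGAL_NET, ACCTG_NET = "10.1.0.0/24", "10.2.0.0/24"
SECURE_LEGAL_ACCTG = Policy("Secure from Legal to Accounting", [
    Rule("legal-accounting", [Filter(LEGAL_NET, ACCTG_NET)], "require"),
])
LOCAL_POLICY = Policy("Local permissive", [])   # no rules: everything is permitted
```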
Building an IPSec MMC Console
Let’s take a look at how we can configure a custom IPSec console that we can use to configure IPSec policy and monitor significant IPSec-related events.
1. Click the run command and type mmc. Click OK.
2. Click the console menu, then click Add/Remove Snap-in. Click the Add button, select Computer Management and click Add. A dialog box will appear that will want to know what computer the snap-in will manage. Select Local computer (the computer this console is running on). Click Finish.
3. Scroll through the list of available snap-ins and select Group Policy and click Add. At this point the wizard will query you on what group policy object you want to manage. Confirm that it says Local Computer in the text box and click Finish.
4. Scroll through the list of group policy objects again, and select Certificates. Click Add. The Certificate Snap-in dialog box asks for the kind of certificate you want to manage (Figure 6.15). Select Computer Account, click Next, and then select Local Computer for the computer you want the Snap-in to manage. Click Finish.
5. Click Close on the Add Standalone Snap-in dialog box and then click OK in the Add/Remove Snap-in dialog box. Expand the first level of each of the snap-ins. You should see something similar to Figure 6.16.
We can configure and manage IPSec policy from the custom console. Note that in this example, we’ve chosen to manage IPSec policy for this single machine. This might be appropriate if you were configuring IPSec policy for a file or application server. If you wanted to manage policy for an
Figure 6.15 Certificate Management Plug-in for local computer
Figure 6.16 Custom IPSec Security Management Console