you need for securing your network. Securing Windows Server 2003 not only shows you how to put Windows security tools to work, but guides you through ways to plan and implement a secure operating environment.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Securing Windows Server 2003, the image of a wandering albatross, and related trade dress are trademarks of O'Reilly Media, Inc.
Microsoft, MSDN, the .NET logo, Visual Basic, Visual C++, Visual Studio, and Windows are registered trademarks of Microsoft Corporation.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
As the title implies, this book is about security in the Windows Server 2003 operating system and how to put it to work on behalf of your organization and your users.
Windows Server 2003 has quite a number of uses. It can serve in a network support role, supplying services such as DHCP and DNS. It can take a more active part in object management, such as when used as an Active Directory domain controller. It can also serve as a personal operating system, since it is so closely tied with its brother, Windows XP. In this role, it might provide security of local data and host-based network communications.
I've broken down the book by technology. Each chapter covers one or more of the technologies that Windows Server 2003 provides. Most of these, such as IPSec, are primarily security-focused. However, some, such as DHCP, are not.
Each chapter answers three questions about the technology it covers:
What the technology is and how it's used
Each chapter begins with a brief introduction to the technology. If you have no idea what this technology does, this is a quick way to learn about it. I don't bore you with marketing spin or polished terms. I just tell you what the technology does and what a few of the most likely uses might be.
To understand a technology's security implications, you usually need to know how it works. This section is kept deliberately brief and sometimes excludes details that you don't need to know. I do this, not to keep you in the dark, but to make sure that you're focused on how the thing works and that you don't bog down in minutia that, in your job and scope, would be useless and distracting.
How to use the technology properly to serve your system
Through lots of research and direct interaction, the book's contributors and I have come up with a set of common uses for the technologies detailed in this book. All of these are based on real experience, not theoretical environments or marketing-based blue sky scenarios. I take you through these examples and show you exactly how to get the desired results. In most cases, I provide a keystroke level of detail to ensure you don't miss a thing.
Of course, all possible scenarios can't be covered in this book. Because the different Windows components can be configured so many ways, it would be impossible to present all approaches to all possible scenarios. But the content of this book should provide more than enough information for you to make decisions on the technologies as well as test and understand them.
One thing you'll see in this book that you may not have seen before is Security Showdown sections. This is a point-counterpoint debate between myself and a semifictional coworker, Don. I use it several times throughout the book to show that some debates about security methodologies and techniques are not easily answered. Some of them are so contentious that they seem like religious debates at times. You
as I've intended, as an open discussion of the merits and hazards of multiple tactics to achieve the same goal.
This book consists of 15 chapters and an appendix. Here is a brief overview of each chapter:
Chapter 1
This chapter sets the stage for the book by providing an introduction to Windows Server 2003.
Chapter 2
This chapter covers basic computer security concepts, including cryptography and fundamental practices for security administrators.
Chapter 3
This chapter covers various aspects of physical security, which is essential for any data security to succeed.
Chapter 4
This chapter is all about securing files with Encrypting File System and other file-oriented technologies.
Chapter 5
This chapter focuses on using Group Policy as a security tool and utilizing Security Templates.
This chapter focuses on the grotesque lack of security in DHCP and DNS technologies and how you can try to shore them up.
Chapter 14
This chapter covers the security features of Remote Access, including dial-up and VPN connectivity.
Chapter 15
This chapter covers additional topics such as administrative security, patch management, and auditing.
Appendix, Sending Secure Email
This appendix covers topics relating to secure email.
I've written this book for the folks who actually use Windows Server 2003. If you use Windows Server 2003 in any environment, you most likely already have a basic knowledge of the operating system and how it works. So that fundamental knowledge is assumed in this book.
I jump straight into the topics of interest in the security area. However, I don't assume you have a deep architectural knowledge of every Windows component and subsystem. So, when appropriate, I use diagrams and flowcharts to help illustrate security-specific features and components that you may not have encountered.
This book covers Windows Server 2003 and some amount of Windows XP security. It is almost entirely focused on Windows-based security, but has several sections on non-Windows security topics that must be understood. These include physical security, security policy, and risk management.
Now that you know what this book is about, I should explain what this book is not about. This book is not a compendious reference of every possible setting or feature in Windows. It's not intended to be a sit-on-the-shelf book. I've written it so that you can actually use the content to do things. As such, it's direct and brief. I've included links to resources when appropriate so you can access the reference-style material you might need without having to slog through it here.
You should have a fundamental understanding of Windows server operating systems to use this book. If you have experience installing and running Windows Server 2003 and Windows XP, you will get a lot out of this book.
To an extent, I assume you're running Windows Server 2003 in a business of some significant size. Many of the examples in the book assume a network infrastructure that is most often seen in mid- to large-size businesses, such as a distributed Active Directory forest. However, I do attempt to frame each example with the assumptions I make for it. In most cases, these examples will scale up or down to fit your specific environment.
You do not need an in-depth understanding of security topics or a Ph.D. in mathematics to read this book. Who would use a book like that anyway? Those people already know everything.
The following typographical conventions are used in this book:
Plain text
Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).
Italic
Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.
Constant width
Indicates commands, options, switches, parameters, the contents of files, or the output from commands.
This icon indicates a warning or caution.
Please address comments and questions concerning this book to the publisher:
http://www.oreilly.com/catalog/securews
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see our web site at:
http://www.oreilly.com
This book would not be possible without the gracious help of the following individuals, who are listed in no particular order.
Content
Derek Melber wrote the Active Directory chapter of this book. Without that content, there would have been a huge hole in coverage of Active Directory. Well done, Derek.
Technical input
No single person could possibly know everything about Windows security. I was happy to receive technical input from all of these people, without whom the book would
in beer and toys for their services).
Writing input
Knowing how to say something is often more important than saying it. I received great advice on this front from Vince "Kahuna" Abella, Jen Bayer, John Coates, Jason
Technical editing
I feel lucky in that I had great technical editing feedback from Rick Kingslan, Joe Richards, Paul Robichaux, Mitch Tulloch, and Bob Williams. My thanks to them for catching all the errors and omissions before the readers did.
Editing
Robbie Allen did a phenomenal job of putting up with my crap and still getting the book out. He made me look good by fixing so many errors. Most importantly, Robbie ran interference when he knew I couldn't deal with situations. For that, I'll be eternally grateful. I could never have shipped this book without him.
Norma Emory did a very thorough copyedit, and Brian MacDonald supplied a valuable developmental edit at just the right time that helped streamline the content, especially in the PKI chapter. Rob Romano of O'Reilly did a bang-up job of the book's art. John Osborn of O'Reilly was a great support when Robbie and I needed help but spared the rod more often than not.
Special thanks
Special thanks go to Jeremy Eisenman of nCipher for the use of an HSM, Brian Valentine for the WIM, and my
Deepest thanks go to my wife Heide, who supported me all through the process of this book's creation. This book took precedence over so many other things, and she always understood and made it OK. She also made sure I got the work done!
Server 2003 Security
Security is one of the primary functions of any server-based operating system. Without security, any user or program could do anything to your servers and wreak havoc on your ability to effectively manage the environment. As a security administrator, you want to provide functionality and security to your users without burdening them or restricting them in a way that hinders their work. This is the mark of a great security administrator: the ability to successfully balance the security of proprietary and personal data and the usability of your systems in a way that maximizes the productivity of your organization. This book will show you how to do exactly that.
To have a meaningful discussion of security in Windows Server 2003, we should first establish what security is. A dictionary definition might refer to security as "measures adopted to provide safety." For the purposes of this book, that definition will work very well.
Computer security is not normally defined as a state of safety. Rather, it is defined as the collection of protective measures (including technology-based and non-technology-based measures) that provide a defined level of safety. When security is mentioned throughout the book, you should keep this definition in mind. Security is neither a single protective measure nor a complete protection against all attacks. It is a set of measures that provide the desired level of protection.
Many readers may say "I want complete security for my data against all attacks. Tell me how to do that." The only solution that provides complete security is to put that data on a hard drive, incinerate the drive until it is completely turned to vapor, and then randomly mix the hard drive vapor with outside air until completely dissipated. Anything less is a compromise of security in the interest of another business factor such as usability or cost. The need for such compromises is a common theme throughout all computer security topics and is discussed in every chapter of this book.
Windows Server 2003 in its several editions is the latest generation of the Microsoft family of server operating systems, incorporating the advances achieved by the earlier Windows NT and Windows 2000 Server families of products. These operating systems have been tested and proven since 1993 to be a solid platform for applications and server-based functions.
Windows XP is also derived from the same code base as Windows Server 2003. This common base ensures that the core functionality of the two operating systems remains identical. The numerous benefits this approach provides include the following:
Common device drivers
If you've ever gone searching for a device driver for a specific operating system, you can immediately recognize this benefit. Hardware vendors need to write only one device driver that will work on both operating systems.
Software compatibility
If software works on Windows XP, it'll work on Windows Server 2003.
More stable core
All the work done to make Windows XP a solid and stable operating system benefits Windows Server 2003, as it's
bulletproofing done on top of the enormous work already done on Windows XP. In addition, many flaws discovered in Windows XP were fixed in Windows Server 2003 before it even shipped.
Unified user interface and experience
Although some of the "pretty" features have been removed from Windows Server 2003 to gain performance benefits, an administrator who is comfortable working with Windows XP will immediately feel at home with the server version. Almost all user interface objects are in the same place, which decreases the time needed to master the differences.
Windows Server 2003 is the operating system platform that is used by Microsoft and other companies to run server-based software such as Microsoft SQL Server and Microsoft Exchange Server. This requires Windows Server 2003 to be scalable while achieving the stability needed to provide critical business services and the necessary uptime. Windows Server 2003 delivers in all these areas. This is in contrast to other server operating systems that usually focus on only one of the following areas: raw horsepower, usability, security, and the like. Windows provides strength in all these areas without significantly detracting from any others. In this book, I'll focus on security and show how the built-in features of Windows can help provide very secure solutions without sacrificing the other benefits of the operating system.
The Windows NT and Windows 2000 operating systems were designed from inception to be secure. Both enforce user logon and ensure that all software runs within the context of an account, which can be restricted or permitted appropriately. Windows security is not limited to user logon-based security, but extends to all objects within the operating system. Files on the hard drive, entries in the registry, software components: all these elements have a security aspect. Operating system components can access objects only with the appropriate permissions and credentials. This can be both a benefit and a detriment.
Enforcing security restrictions on every component of the operating system can seem daunting. Access checks must occur when one Windows component talks to another. These include programs, device drivers, core operating system components, and so on; in short, everything. Setting appropriate security permissions is a task that requires detailed knowledge of the subject and the interaction between the components being configured. Misconfiguration of these permissions could cause undesirable behavior ranging in severity from a minor and easily fixed problem to a complete and irreversible loss of functionality.
The fact that this daunting security environment is part of the fundamental design of Windows Server 2003 is a big advantage. If strong and pervasive security is not designed into the core of an operating system (for example, Windows 95), it is nearly impossible to add it later. Developers and testers may find holes or make compromises when they patch security into an operating system. Legitimate components may already be designed to take advantage of the lack of security. The environment would necessarily be less secure than one designed for security from the beginning.
2003 Family
Compared to their predecessors, Windows NT and Windows 2000 provided numerous security features. In fact, since the inception of Windows NT Advanced Server 3.1 in 1993, the Windows NT family has always provided a suite of security-focused features. Over the years, subsequent releases have added new security features and expanded existing ones.
Just as with earlier releases, Windows Server 2003 improves on previous operating system releases by enhancing existing security features and adding new ones. Some of the security features that are carried forward from previous versions
to the use of Kerberos in Windows 2000, NTLM was used as the authentication protocol. While NTLM is still a useful protocol for maintaining compatibility with older operating systems, it is not as efficient or interoperable as Kerberos. NTLM also has some security shortfalls that Kerberos does not. Kerberos and NTLM are described in depth in Chapter 7.
IP Security
network with this suite of protocols is not designed to be secure and can be easily intercepted and decoded. IP Security (IPSec) is a set of RFC-based standards that defines how data can be sent securely via TCP/IP. Data can be encrypted, digitally signed, or both using IPSec. Many hardware devices, such as routers and firewalls, support IPSec communications. IPSec is available in Windows 2000, Windows XP Professional, and Windows Server 2003 family products. It's incorporated right into the networking drivers, which allows it to integrate smoothly with the existing
additional measure of safety can be taken to safeguard against data stolen from a hard drive. The Encrypting File System (EFS) can be used to encrypt the data written to the hard drive. This ensures that only the user holding the appropriate decryption key can retrieve the data. If the hard drive is compromised and the decryption key is not stored on that hard drive, the data is not readable. EFS is described in depth in Chapter 4.
Group Policy
on Group Policy provides a mechanism to transparently configure computers within an enterprise with all desired security settings. You, as an administrator, can force users and computers to use the settings you want. This allows you to keep your users more secure and protect them against a multitude of attacks. Users do not know how they receive the security settings, and the settings cannot be overridden without the appropriate privilege. Group Policy is described in depth in Chapter 5.
Certificate Services
Use of public key cryptography has become common across a wide variety of applications and services. Public key certificates are essential to providing and trusting these keys across organizations and around the world. Certificate Services provides a software application that receives, approves, issues, and stores public key certificates. This book examines both the cryptography behind the certificates and exactly how to plan and deploy a public key infrastructure (PKI). Public key cryptography is discussed in depth in Chapter 2. Because of the complexity and importance of Certificate Services, it is covered in depth in Chapter 9.
Smart card support
All security in Windows is based on the concept of a user context. This user context is usually proven to the local and remote computers with the use of a username and
Because the username and password are bits of information a user enters, they can be replicated or stolen in a variety of ways. Requiring some physical component in addition to the username and password data adds a great deal of security to that user context. Smart cards are devices that are designed to store information that, in conjunction with a personal identification number (PIN), takes the place of the username and password. If you require the use of smart cards, a user cannot prove his identity without both the physical card and the corresponding PIN. Smart cards are discussed in depth in Chapter 10.
1.4.1 Security Enhancements in Windows XP and the Windows Server 2003 Family
During the development of Windows XP and Windows Server 2003, Microsoft gave close scrutiny to all security components. This scrutiny culminated in a months-long halt to the development of Windows so that Microsoft could take the time it needed to examine existing code, processes, and features for vulnerabilities and weaknesses. These were analyzed and addressed in a methodical fashion. Occasionally this review bordered on the brutal in its results, with entire features being removed from the operating system when they could not be made reasonably secure. Some less frequently used or more vulnerable features were not removed, although their configuration was changed to make them disabled or not installed by default. Although this effort did delay the production of Windows Server 2003, it was certainly a valuable investment of time and resources.
Because Windows XP and Windows Server 2003 share many common software components, some of the security improvements affect both versions in the same way. Besides the
observe and configure several improvements. A few of the big ones include:
Encrypting File System (EFS) improvements
In Windows 2000, EFS provided encryption for files with the DESX encryption algorithm (a stronger variant of the Data Encryption Standard, DES). This algorithm provides better data protection than the generic DES algorithm, but several stronger options are available. In Windows XP and Windows Server 2003, EFS can now encrypt files using the triple-DES (3DES) encryption algorithm. This improvement provides 168-bit encryption for data, which is reasonably resistant to most current attacks. Another improvement to EFS is the removal of the requirement for a data recovery agent. This allows you to configure EFS with fewer options for recovering data but increases the level of data security. In addition, you can add more than one user to an EFS file to allow multiple users to decrypt the contents. This enables more secure file sharing both locally and over the network.
Smart card support
Windows 2000 provided a foundation for smart card support. However, its use was somewhat restricted to logon operations within an Active Directory domain. A common administrative scenario that was not addressed by Windows 2000 smart card support was using smart card credentials to run specific applications while remaining logged in as a different user. This scenario is addressed in Windows XP and Windows Server 2003 and allows an administrator to remain logged in as a standard user while providing specific, isolated administrative functions using credentials
IP Security
While the underlying components of IPSec remain largely the same as Windows 2000, a significant improvement is introduced for its monitoring and troubleshooting. In Windows 2000, a standalone tool called IPSecMon was the only way to discover what IPSec was doing. In Windows XP and Windows Server 2003, a new Microsoft Management Console tool is available to monitor IPSec. Called IP Security Monitor, it provides detail about the operation of IPSec and can help assess misconfigurations. IP Security Monitor works well as a complement to other tools such as Resultant Set of Policy (RSoP), Netdiag, Network Monitor, and the IPSec logs to help ensure that your IPSec communications are indeed secure.
1.4.2 Security Enhancements in Windows Server 2003, Standard Server Edition
Windows Server 2003 Standard Server is the foundation of the Windows Server 2003 server architecture. This version of Windows Server 2003 is suitable for a wide range of applications in a server environment, providing services from file storage to user account management to HTTP. Because it is likely to be used for many different tasks, numerous security improvements were made to Windows Server 2003 Standard Server, including:
Even stronger encryption for EFS
physical compromise of a computer, you want to use the strongest possible encryption available. The recently finalized Advanced Encryption Standard (AES) algorithm was designed as a replacement for the DES suite of algorithms. EFS supports file encryption with this new AES algorithm, which uses a 256-bit key.
Enhanced Group Policy
Group Policy remains the easiest and most powerful way to restrict and configure a user's experience. Because numerous features have been added to Windows XP and Windows Server 2003, new group policy settings were added to configure them. This allows these new features to be used exactly as you want across the organization or disabled entirely when appropriate. And proper configuration of all features through rich Group Policy is essential to deploying and configuring more secure client and server environments.
Software Restriction Policy
Users running arbitrary software from unsafe sources are some of the biggest security risks you will face as an administrator. Ensuring they are protected from email attachments and software sent on CD-ROM or other removable media is critical. Virus scanners are often effective in combating this issue, but new virus variants and methods appear almost daily. To help stop the problem at its source, Windows Server 2003 Standard Server provides a specific type of group policy restriction called the software restriction policy (SRP). This allows you to describe what programs users can or cannot run. Users who try to run
2003. Configuring SRP is discussed in depth in Chapter 6.
Improved certification authority
The certification authority available on Windows 2000 provided a simple way to configure and issue certificates to users and computers in an enterprise. It did not provide a great deal of flexibility for customization or newly developed PKI-aware applications. Windows Server 2003 Standard Server further improves the certification authority by offering new features such as client autoenrollment to automatically deploy and manage client certificates, configurable application and issuance policies to give the administrator deep configuration control of issued certificates, and certificate authority administrative roles to help prevent any single administrator from holding too much power within a certification authority.
IIS Lockdown
Internet Information Services (IIS) provides web-based services for Windows and is in widespread use. It is frequently used on computers that are accessed anonymously from the Internet. Its security must often be more relaxed than other computers within an organization to allow some of its primary functions to run correctly. In addition, many administrators never configure IIS on their servers, especially if it is not intended to be used on that computer or if the computer is not exposed directly to the Internet.
Internet, its relaxed security requirements and its frequent misconfiguration make it one of the biggest areas of security exposure for Windows 2000. This is addressed by Windows Server 2003 in a straightforward manner: IIS is not installed by default. When IIS is explicitly installed, most of its features are disabled and must be enabled manually. For previous versions of IIS and Windows, a tool called IIS Lockdown was provided. The functionality of that tool is now integrated with Windows Server 2003 and IIS 6.0. For more information on IIS and its new security options, see Chapter 12.
1.4.3 Security Enhancements in Windows Server 2003, Enterprise Server Edition
Windows Server 2003 Enterprise Server is the most feature-rich version of Windows Server 2003 available. It has the ability to scale to meet the needs of most deployments.
There are several differences in the security features between Windows Server 2003 Standard Server and Windows Server 2003 Enterprise Server. Windows Server 2003 Enterprise Server provides all the functionality of Windows Server 2003 Standard Server plus several enhancements:
Configurable certificate templates
All public key certificate requests are issued based on configuration settings. Some of these settings are configured for each certification authority, while others are configured based on the type of certificate requested. Certificate templates contain the settings for each type of certificate that can be issued. In Windows Server 2003
deleted, and customized to provide the exact functionality desired.
Separation of certification authority roles
A number of standards define how a certification authority must be administered. Most of them require different users to perform different tasks, such as requiring an administrator to configure the certification authority and a separate auditor to monitor the activity on that certification authority. Role separation is a new feature that requires a user to have no more than one certification authority
requester's identification, and other information that is configured in the certificate template. The associated private key is generated on the requester's computer and does not leave that computer, assuring its secrecy. When key recovery is configured on Windows Server 2003, the certificate request process will also securely provide the requester's private key to the certification authority. The certification authority will then encrypt and store that key until the requester needs to recover it. At that time, a designated recovery agent will decrypt the private key and provide it to the requester. The requester need not lose all data encrypted with that private key if it is stored on the certification authority.
2003 Standard and Enterprise, including a significant price difference. Any decision to deploy one version in preference to the other should be made only after carefully planning the server's business roles and determining the needs it must meet. Once you define the functionality you need, you should carefully review each product's features and from that determine which one best suits your needs. Both servers provide the same level of core security; it's not easier to compromise Standard Server than the Enterprise Edition. The difference lies in the additional security features that Enterprise Edition provides and the higher cost of its license.
The Windows Server 2003 family of servers is the latest generation of operating systems to be built on the Windows NT code base. It provides numerous security advantages over its predecessors, but ultimately the level of security it provides depends on the level of security you want to deploy.
Throughout this book, I will examine the various security technologies that are a part of Windows Server 2003. Typically, I'll provide a detailed explanation of how each works and how it can be used within a comprehensive security plan. Then I'll examine common scenarios and show you, in detail, how to employ the technology correctly. I'll also cross-reference complementary security technologies that should be used together to provide a complete solution.
Computer security is becoming more and more important to Windows administrators. This trend is a result of several conditions in today's world, including the increase of computer competence among evildoers, the worldwide terror threat that was clearly illustrated on September 11, 2001, and the proliferation of computers and the Internet. Many companies are retraining their IT staffs to be more security-aware. Threat modeling in the data center has become commonplace. There are even vendor-independent security certifications, such as Certified Information Systems Security Professional (CISSP), which have become widely known and sought after. But before the security of your Windows Server 2003 computers can be addressed, you need to understand some of the basic concepts and terms of computer security. In this chapter, I'll introduce you to computer security fundamentals such as encryption and show you the difference between technology-based security and administration-based security. I'll also discuss other fundamental concepts like password strength and the idea of authorization versus authentication. If you are new to computer security or would like a refresher of the concepts and terms that will be used in the rest of the book, this chapter is for you.