Secure System Administration - SANS GIAC © 2000, 2001

Windows 2000

As we begin to focus on Windows 2000 for the rest of this section, the three primary differences from Windows NT are: Active Directory, Group Policy, and templates. We will first introduce the Active Directory.
Years ago, a standards organization called the CCITT (now the International Telecommunication Union, or ITU) created a recommendation for a worldwide directory service, which was also ratified by the International Organization for Standardization (ISO). Please visit www.ISO.ch for further information. The standard was known as X.500. For a time it looked as if ISO would supplant the TCP/IP protocol suite with its own Open Systems Interconnection (OSI) based model, but poor standards and engineering caused that effort to collapse. The Internet's reigning standards body is the Internet Engineering Task Force (IETF), and it is well worth your time to visit the www.ietf.org and www.normos.org web sites. The IETF produced a lightweight alternative to the X.500 Directory Access Protocol, called LDAP, which gives X.500-style directory access over TCP/IP without the OSI stack.
CREDIT: If you are taking this for academic credit, develop a two-page paper on the Lightweight Directory Access Protocol (LDAP), its history and its workings.
• DNS domain: a collection of related hosts; the database is called a zone file, e.g. "sans.org"
• NT 4.0 domain: hosts that share an authentication database, the SAM and Security hives in the Registry
• Windows 2000 domain: a collection of hosts with both a common DNS domain and a common security trust model; the database is the Active Directory
LDAP is the protocol through which Active Directory is accessed. Computers have been linked before, through NFS or NetBIOS shares, but those file structures were primitive and local. An LDAP directory such as Active Directory scales to global proportions.
Recall from "Information Security: The Big Picture" that DNS uses a large number of servers, each authoritative for its own domain. Active Directory works the same way: each domain controller holds a replica of its own domain. The data objects are stored as records in the directory database, NTDS.DIT. Almost everything in this system is referred to by its Common Name (cn), such as cn=Northcutt. Other designators include Domain Components (dc); these tie Active Directory to DNS. The LDAP name for the Active Directory domain for sans.org would be: dc=sans, dc=org.
One last designator is the Organizational Unit (ou). Since GIAC is a division of SANS, you might have ou=giac, dc=sans, dc=org (LDAP names are written most specific first, so the OU precedes the domain components). Printers, computers, shared folders, policies, groups and users are all stored in the Active Directory. Group Policy is linked to sites, domains and OUs, and every user or computer object beneath those containers is affected by the policies linked there. Policy is applied in that order, site, then domain, then OU, and when two settings conflict the one applied last wins, which makes the OU the most powerful place to implement policy.
Win 2000 Users and Groups
Computers to manage global users and groups
In Windows 2000, you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down the computer. A permission is a rule associated with an object (usually a file, folder, or printer) that regulates which users can access the object and in what manner.
When you create new user accounts and assign them to groups, there are important security consequences, since the groups have different rights and permissions. To create a new user from the command line you can use NET USER (the full name contains a space, so it must be quoted):

NET USER snorthc * /add /fullname:"Stephen Northcutt"

The * makes NET USER prompt for the password instead of taking it on the command line. On a workstation or member server this creates a local account; on a domain controller, or with /domain added, the account is created in the domain's default Users container, which is not an OU and cannot have Group Policy linked to it. Now, what is wrong with this picture? We really should be creating snorthc in one of those OUs (organizational units) we discussed earlier, which NET USER cannot do, or we will have a mess of a directory and no hope of managing it past 25 or so users. In Windows 2000, just like with every operating system, there is more than one way to do almost anything. However, if you want to be able to manage the system over the long run, use the Microsoft Management Console (MMC) snap-ins, such as Active Directory Users and Computers, for system administration tasks. This applies to security as well: if there is no security policy for the rights and permissions we give users, directories and files, it is really hard to find problems.
To secure a Windows 2000 system, an administrator should:
• Make sure that end users are members of the Users group only
• Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully
Users cannot modify system-wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators. (The Users and Passwords control panel calls this a restricted user.) Users have full control over their own data files and their own portion of the registry (HKEY_CURRENT_USER).
Power Users - The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000. Power Users do not have access to the data of other users on an NTFS volume unless those users grant them permission. According to all the Windows documentation I have seen, Power Users can install or modify programs. In practice this does not appear to be so true; several installation wizards require the user to be Administrator. This is unfortunate, since the whole point of Power Users was to have a privileged user class that did not operate at the Administrator level. Note also that because Power Users can write to the Program Files tree and to HKEY_LOCAL_MACHINE\Software, a malicious Power User can replace a program that an administrator will later run, so the group is not a safe middle ground.
Backup Operators
NTBackup is vastly improved over Windows 98 and Windows NT and is worth a close look: Start → Programs → Accessories → NTBackup. (Editor's note: the NTBackup program is located at Start → Programs → Accessories → System Tools → Backup. It can also be launched via Start → Run → ntbackup.exe – JEK)
The non-Administrator group that can back up and restore all files is Backup Operators. This group is the same as in NT 4.0. Members of the Backup Operators group can back up and restore files on the computer regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.
Backing up and restoring data files and system files requires the ability to read and write those files. The same default user rights that allow Backup Operators to back up and restore files also make it possible for them to use those rights for other purposes, such as reading another user's files or installing Trojan horse programs. Group Policy settings SHOULD be used to create an environment in which Backup Operators can only run a backup program. (Editor's note: Backup Operators are able to back up and restore files through two explicit Windows user rights: "Back up files and directories" (SeBackupPrivilege) and "Restore files and directories" (SeRestorePrivilege). The Backup Operators group (and the Administrators group) has both of these rights by default. For security purposes, you may wish to remove the "Restore files and directories" right from the Backup Operators group and create a separate Restore Operators group that has only the "Restore" right. Of the two, restore is the more dangerous: backup lets its holder read any file on the system, while restore lets its holder overwrite any file, including system binaries, so membership of a restore group must be controlled at least as tightly as Administrators. – JEK)
There are several additional groups automatically created by Windows 2000:
• Interactive. This group contains any user who is logged on locally to the computer. During an upgrade to Windows 2000, members of the Interactive group are also added to the Power Users group so that legacy applications continue to function as they did before the upgrade. (At least that was the plan; in our testing, the Power Users group doesn't seem to be much different from a "normal" User.)
• Network. This group contains all users who are currently accessing the system over the network.
• Terminal Server User. When Terminal Services is installed in application server mode, this group contains any users who are currently logged on to the system through Terminal Services. Any program that a user can run in Windows NT 4.0 will run for a Terminal Server User in Windows 2000. The default permissions assigned to the group were chosen to enable a Terminal Server User to run most legacy programs.
• Replicator. Members of this group are able to replicate folders across networked systems; Microsoft's documentation intends it for the account used by the replication service rather than for ordinary user accounts.
These default groups give us some management control already, but we can extend this with Group Policy.
Groups are a powerful concept for security. On this slide we show a special group that I have created so that snorthc (Stephen) and knorthc (Kathy) can set our laptops up to replicate the My Documents folder on each laptop to the other's laptop every time the systems are connected. I can even do this when I am on travel and connected to a hotel's LAN or a terminal room. Kathy can see my replicated files on her computer. For this to work we are both members of the Replicator group. If I give someone else a login on my computer, they are not a member of the group and cannot see the replicated folders.
Organizational Unit (OU)
Group Policy Objects are linked to containers. The container classes are shown on the slide. The Active Directory is an object-oriented database; some of its object classes can contain other objects and some cannot. Container objects can hold other objects, but leaf objects such as users and printers cannot. Each of the classes on the slide has restrictions that keep it from being useful for structuring the directory. For instance, there can only be one Domain-DNS instance in any given domain, which makes sense (sans.org != xyz.int), but it means you can't use that class as an organizational tool. The OU is the ideal general-purpose container for directory structure.
The Site, Domain, and OU containers can be linked to Group Policy, and all user and computer objects under such a container inherit the policy. Policy is applied first to Sites, then Domains and finally to OUs (a parent OU before its child OUs), so when two policies set the same value the one applied last, normally the nearest OU, wins. Two link options change this: "No Override" on a link makes its settings win even when a lower container disagrees, and "Block Policy Inheritance" on a domain or OU stops policies from above (other than No Override ones) from applying.
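The LDAP naming and the site/domain/OU application order described above, worked through in code. This is an added illustration and not part of the course materials: it parses an object's distinguished name, derives the domain and the chain of OUs above the object, lists the containers in the order Windows 2000 applies their policies (the local computer's own policy first, then site, domain, and each OU from the top down), and resolves which linked GPO wins for each setting. Site names are not part of a DN, so the site is passed in separately. The GPO links, setting names and the Bethesda site are constructed sample data; "No Override" and "Block Policy Inheritance" are not modelled.

```python
"""Group Policy application order from an LDAP distinguished name (added example).

Windows 2000 applies policy Local, Site, Domain, OU (parent OU before child OU);
a setting applied later overrides one applied earlier. Within one container,
the GPO listed first in the console has the highest priority, which it gets by
being applied last. Sample links below are constructed for illustration."""
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific RDN first.

    Accepts the optional space after commas ("dc=sans, dc=org") and an escaped
    comma inside a value ("cn=Northcutt\\, Stephen")."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def join_dn(rdns):
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def domain_dn(rdns):
    """The domain is the dc= tail of the DN, e.g. dc=sans,dc=org."""
    return join_dn([r for r in rdns if r[0] == "dc"])


def ou_chain(rdns):
    """Full DNs of each OU above the object, outermost (nearest the domain) first."""
    dom = domain_dn(rdns)
    ous = [r for r in rdns if r[0] == "ou"]  # most specific OU first
    return [join_dn(ous[i:]) + "," + dom for i in range(len(ous) - 1, -1, -1)]


def policy_scope_order(dn, site):
    """Containers in the order their policies are applied; later entries win.

    Objects in the default Users container (cn=Users) get only local, site and
    domain policy, because that container is not an OU and cannot be linked."""
    rdns = parse_dn(dn)
    return ["LocalComputer", f"site:{site}", domain_dn(rdns)] + ou_chain(rdns)


def effective_settings(dn, site, gpo_links):
    """Resolve the winning value of every setting as (value, gpo, container).

    gpo_links maps a container name (as produced by policy_scope_order) to its
    linked GPOs as (name, {setting: value}) in console precedence order; each
    list is applied in reverse so the top GPO is the last writer."""
    result = {}
    for container in policy_scope_order(dn, site):
        for name, settings in reversed(gpo_links.get(container, [])):
            for setting, value in settings.items():
                result[setting] = (value, name, container)
    return result


# Constructed sample links for a hypothetical sans.org domain (not real data).
SAMPLE_GPO_LINKS = {
    "site:Bethesda": [("Site Defaults", {"ProxyServer": "sitepx.sans.org:8000",
                                         "ScreenSaverTimeout": 900})],
    "dc=sans,dc=org": [("Domain Baseline", {"ProxyServer": "proxy.sans.org:8000"})],
    "ou=giac,dc=sans,dc=org": [("GIAC Proxy", {"ProxyServer": "giacproxy.sans.org:8000"})],
    "ou=students,ou=giac,dc=sans,dc=org": [
        ("Student Lockdown", {"DisableRegistryTools": 1}),  # top of the list: wins
        ("Student Lab", {"DisableRegistryTools": 0, "ScreenSaverTimeout": 300}),
    ],
}

if __name__ == "__main__":
    user = "cn=Northcutt,ou=students,ou=giac,dc=sans,dc=org"
    for container in policy_scope_order(user, "Bethesda"):
        print("apply:", container)
    for setting, (value, gpo, container) in effective_settings(user, "Bethesda", SAMPLE_GPO_LINKS).items():
        print(f"{setting} = {value!r}  (from {gpo}, linked at {container})")
```

Running it for cn=Northcutt in the students OU shows the proxy set at the domain being overridden by the GIAC OU, and the two GPOs linked to the students OU resolving in favour of the one listed first; a user left in cn=Users receives no OU policy at all, which is the practical reason for creating accounts in an OU rather than with NET USER.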
[Editor's note: you may see a reference to \winnt\System32\GroupPolicy in Windows documentation; that is where the local computer's own policy is stored. The reference on your slide is better practice, since not everyone uses \winnt as the install directory; write %systemroot%\System32\GroupPolicy instead. Additionally, you should *never* have Active Directory on the same partition as the system drive (C:). One important reason is that the system drive has IIS installed whether you want it or not (it is installed by default on Windows 2000 Server; remove it through Add/Remove Windows Components if the machine does not need it). IIS has about as much security integrity as a screen door on a submarine. You don't want Active Directory, the "central nervous system" of W2K, anywhere near IIS. System files should go on C:, Active Directory (the NTDS.DIT database and its log files, whose locations you choose in the Active Directory Installation Wizard) should go on D:, and everything else should go on E:.]
Start → Run → GPEDIT.MSC will launch the Group Policy editor for the local computer's policy.
Templates are the recommended way to implement security for Windows 2000. Each policy setting has a name and can be configured or left not configured.
[Editor's note: templates are by default stored in %systemroot%\security\templates, and they are usually applied via the secedit command or the Security Configuration and Analysis MMC snap-in.]
For instance, have you ever really taken a look at the security settings for Internet Explorer? It matters! There have been a number of serious security problems with Internet Explorer. You can limit your risk on your copy of Internet Explorer through Tools → Internet Options → Advanced; move down to the Security section. For instance, SSL 2.0's handshake is not integrity-protected, so a man-in-the-middle can roll the connection back to weaker ciphers. You could choose to uncheck it and find out which web servers haven't bothered to upgrade. If you do a significant amount of purchasing over the Internet, that might be a recommended thing to do. But that only changes your personal setting.
It is possible to configure all users' settings with Group Policy. For instance, suppose you have a proxy firewall for outbound World Wide Web access (a proxy is a security measure that keeps users from directly connecting to web servers, since some of these are hostile). If the proxy port is 8000, you could either set every browser individually or you could run the Group Policy editor (GPEDIT.MSC → User Configuration → Windows Settings → Internet Explorer Maintenance → Connection → Proxy Settings) and configure all users to use the proxy port.
One last word about browsers: almost everything is done through browsers or consoles; the command line is essentially obsolete for day-to-day administration. It looks like Microsoft tried to get to a single browser for both the Internet and the system and didn't quite make it. A key point from a security point of view is that Internet surfing as a privileged user is really dangerous and should be avoided, because any flaw in the browser then runs with your administrative rights. The one exception is updating your computer: Windows 2000 and Windows ME rely on the browser-based Windows Update facility to "patch" the operating system, and it requires administrator rights. So far, I am having to run update at least monthly to keep up with the security fixes.
Since your browser is so deeply integrated into your Win2K computer's operating system and is the primary way you interface with other computers, it really makes sense to take the time to look at your security settings. We introduced the risk of SSL 2.0 on the previous slide; here is something else to be aware of. A great way to snag financial data or even web-based server administration pages from a machine is to view the cached copies of encrypted pages (pages sent or received using SSL), which Internet Explorer writes to the Temporary Internet Files folder just like any other page. It is a good idea to disable the saving of encrypted pages within Internet Explorer: click Tools → Internet Options, click the Advanced tab, and check the box marked "Do not save encrypted pages to disk."
This slide shows the Windows Update screen. The two places to check are Critical Updates and Recommended Updates. If you are running Microsoft Office products you will need to check for updates there as well; there are a number of security problems that must be patched.
The Administrative Tools selection has been moved from Start → Programs to the Control Panel. From here you can do most of your auditing and configuring for Windows 2000. Most of the security settings you can change with these tools can also be set with security templates, so you can standardize your configuration more easily if you are running a large number of systems.
The tools are: Component Services, Computer Management, Data Sources (ODBC), Event Viewer, Local Security Policy, Performance, Services, and Telnet Server Administration. Computer Management is used the most for configuration. Performance is shown on the slide.
Control Panel → Administrative Tools → Computer Management is a great example of one of the consoles that can be used to manage a Windows 2000 system. This is a great way to learn how your system is set up, and we strongly encourage you to spend some time poking around. When you use Computer Management as a Power User, not all of the options are shown, but you limit the harm you can cause to your operating system, and this might be the best way to start.
For instance, under System Information you can see your installed software under Applications. Of course this may not be perfect. After I had installed a number of applications I ran this and was amused that only Microsoft products showed up here. One of the places to really spend some time learning your system is the Software Environment view. From there, if you select Loaded Modules, you will see that it really was worth your money to invest in the RAM upgrade to run your Windows 2000 system.
For logs to exist at all, the system must enable logging. Some auditing is turned on as a default (or at least it has been on all the systems I have looked at), but Control Panel → Administrative Tools → Local Security Policy (or a template applied through Group Policy in the Active Directory) allows you to do additional auditing. I would certainly activate logon events. (Editor's note: Windows NT and Windows 2000 will write events to the System and Application logs by default. NO events will be written to the Security log by default, because every audit policy category is set to "No auditing" on a fresh installation, and it is strongly recommended that you enable security auditing. On Windows 2000 turn on both "Audit logon events" and "Audit account logon events": the first records logons at the machine keeping the log, the second records the domain controller that validated the credentials. – JEK)
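Two of the checks this section calls for, the backup/restore user rights discussed under Backup Operators and the audit policy discussed here, can both be read straight out of a security template, the .inf file that secedit applies. The following script is an added example, not part of the course materials: it parses a template, reports who holds "Back up files and directories" (SeBackupPrivilege) and "Restore files and directories" (SeRestorePrivilege), flags any holder other than Administrators for the restore right (following the editor's recommendation above), and lists the audit categories the template leaves off. The template text is constructed for illustration and deliberately grants the restore right to Power Users; real templates are UTF-16LE text, so read them with open(path, encoding="utf-16") and pass the contents to parse_template().

```python
"""Audit a Windows 2000 security template (.inf) for backup/restore rights
and disabled audit categories (added example; sample template is constructed)."""
import configparser

# Built-in local group SIDs as they appear in templates (prefixed with '*').
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
AUDIT_LEVEL = {0: "none", 1: "success", 2: "failure", 3: "success and failure"}

# Constructed sample template (not exported from any real system).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547
"""


def parse_template(text):
    """Templates are INI-style, so configparser reads them; keep key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def principal_name(token):
    """'*S-1-5-32-551' -> 'Backup Operators'; plain names are returned as-is."""
    token = token.strip()
    if token.startswith("*"):  # the '*' marks a SID rather than an account name
        sid = token[1:]
        return WELL_KNOWN_SIDS.get(sid, sid)
    return token


def privilege_holders(cp, privilege):
    """Principals granted a user right in [Privilege Rights], [] if none."""
    if not cp.has_option("Privilege Rights", privilege):
        return []
    raw = cp.get("Privilege Rights", privilege)
    return [principal_name(t) for t in raw.split(",") if t.strip()]


def backup_restore_findings(cp):
    """(privilege, principal) pairs that deserve a second look.

    Restore lets a holder overwrite any file, so only Administrators should
    hold it unless a dedicated restore group exists; backup lets a holder
    read any file, so only Administrators and Backup Operators should hold it."""
    findings = []
    for p in privilege_holders(cp, "SeRestorePrivilege"):
        if p != "Administrators":
            findings.append(("SeRestorePrivilege", p))
    for p in privilege_holders(cp, "SeBackupPrivilege"):
        if p not in ("Administrators", "Backup Operators"):
            findings.append(("SeBackupPrivilege", p))
    return findings


def audit_gaps(cp, required=("AuditLogonEvents", "AuditAccountLogon",
                             "AuditPolicyChange", "AuditAccountManage")):
    """Required audit categories that the template leaves at 'no auditing'."""
    return [cat for cat in required
            if cp.getint("Event Audit", cat, fallback=0) == 0]


if __name__ == "__main__":
    cp = parse_template(SAMPLE_TEMPLATE)
    for priv in ("SeBackupPrivilege", "SeRestorePrivilege"):
        print(priv, "->", ", ".join(privilege_holders(cp, priv)))
    for priv, who in backup_restore_findings(cp):
        print("FINDING:", who, "holds", priv)
    for cat in audit_gaps(cp):
        print("FINDING: no auditing for", cat)
```

Run against a template exported from a machine (secedit /export /cfg file.inf), the same checks show what the machine actually enforces rather than what the template author intended.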
Now, on this slide, you see we are working with the Event Viewer. We have highlighted Application on the left and Warning on the right. The Event Source is COM+ (we will define COM on the next slide). The log says: "Event Category: CRM. The CRM log file was originally created on a computer with a different name. It has been updated with the name of the current computer. If this warning appears when the computer name has been changed then no further action is required." So this