
Windows 2000 Security (pptx)


DOCUMENT INFORMATION

Basic information

Title: Windows 2000 Security
Author: The SANS Institute
Institution: SANS Institute
Field: Computer Security
Type: Lecture
Year published: 2001
City: Unknown
Pages: 47
Size: 693.07 KB


Slide 1

Windows 2000 Security - SANS ©2001 1

Windows 2000 Security

Security Essentials The SANS Institute

This section will build on the basic NT security knowledge you have already gained. However, you will find that every NT security function is magnified in Windows 2000, and Windows 2000 has ten times the security features available in Windows NT. If NT were a row boat, Windows 2000 is the QE2. If NT were a cottage, then Windows 2000 is a 56-room mansion. Active Directory, security templates, Group Policy, System File Protection, Radius, IPSec, EFS, PKI, Kerberos, a new permission inheritance model, and granular assignment of administrative authority are but a few of the technologies and processes that you must understand if you are to design and implement security in Windows 2000. This section will introduce you to the possibilities.

Slide 2

Your Goals

• Understand Security Baselining
• Describe Security features – all versions/roles
• Describe Security features – Active Directory domain
• List 10 hardening steps

Goals and Objectives

We cannot talk about security and Windows 2000 without recognizing that there is more than one version of Windows 2000, and there are many functional roles that Windows 2000 may perform within a network or standing alone. Windows 2000 may be on a laptop computer as it travels from hotel to hotel to home to office. It may be on massive database servers, or limited desktop systems. Windows 2000 may serve as the OS for mail servers, web servers, file servers, firewalls and many other roles. When you discuss security and Windows 2000 you must discuss it within the context of its use. How secure is Windows 2000? How secure do you need it to be? How much knowledge do you have of its features and function? Where will it be asked to perform? Who will be using it? All of these questions must be asked and understood.

In this section, we will discuss the need for security baselining, or the matching of security needs with system functions, and the specification of basic security requirements for different computer roles within a network. Next, we will examine the security features available in Windows 2000, first discussing those that are available for all systems, and then looking at the additional features available within a Windows 2000 Active Directory domain. Finally, 10 hardening steps, steps that should be taken during or immediately after Windows 2000 installation, will be presented. Please note that a thorough discussion of Windows 2000 security, and the ability to configure and use these features to your benefit, require more study than this introduction can provide. Your goal should be to become comfortable with the features available, so that you can evaluate them more thoroughly against the background of your organization's or your personal requirements.

Slide 3

Security Baselining

• Define the role
• Understand the platform
• Document the Desired Security

As we answer the questions about these roles, we can examine Windows 2000 to determine how it can fulfill them.

Once computer use and the desired security policy are determined, your job is to seek out the most relevant, efficient, and easily maintainable way to accomplish these goals. Several native Windows 2000 tools that provide automated means to do so will be introduced.

But first, let's define the Windows 2000 family.

Slide 4

Windows 2000 Professional is the desktop version of the operating system. Windows NT Workstation and Windows 95 and 98 can be upgraded to Professional. Professional can be a member of a Windows NT 4.0 or Windows 2000 domain, or operate in a workgroup or without networking at all. Security is managed by local security settings. If a W2K Professional system is a member of a Windows 2000 domain, local security settings are overridden by those set at the domain level.

Windows 2000 Server and Advanced Server are similar in feature and function. They are meant to serve as domain controller, file server, database server, mail server, application server, web server, and the like. Unlike Windows NT, Windows 2000 servers may be promoted to domain controllers from member server status, and even demoted back to member server. Advanced Server allows more flexibility in the number of processors and offers Quality of Service drivers, network load balancing, and the ability to perform as part of a cluster. Windows NT Server (3.51 and 4.0) may be upgraded to Windows 2000 Server.

Datacenter Server is meant to be the host for massive databases or for other powerful applications. This OS version is not sold independently of its hardware platform. Datacenter Server can have up to 32 processors.

Edition requirements (from the slide):

                           Professional            Server                 Advanced Server
Minimum RAM                64 MB                   128 MB                 128 MB
Maximum RAM                4 GB                    4 GB                   (not listed)
Minimum Processor          133 MHz Pentium-compatible (all editions)
Hard Drive Space Required  2 GB / 650 MB free      2 GB / 1.0 GB free     (not listed)
Processors                 1 or 2                  1 to 4                 1 to 8
NLB                        no                      no                     yes

Slide 5

Baseline - Desktop

• Windows 2000 Professional
– Separate accounts for each user
– No local accounts, except defaults, if part of a domain
– Strong local account policy
– Local audit settings

What else would your organization specify?

Once a specific computer role is defined, the first step is to choose a platform. Let's start with an example where the computer will be used as a desktop system. It makes sense to assign Windows 2000 Professional. Although one could run word processing and other applications on a Windows 2000 Server, it would not make good economic or efficiency sense. Servers are optimized for background applications such as those accessed across the network by multiple users. Applications in the foreground, such as word processing, receive less attention, and productivity could suffer as a result.

What security requirements does this system have? Well, that depends on the network (or lack of network) within which it resides. We can begin with a list of well-known best practices, or abstract them from organizational policy.

Slide 6

Baseline – File Server

• Windows 2000 Server or Advanced Server
– No local accounts except defaults
– Strong local account policy
– Domain member
– Local audit settings
– Limited physical access

What else would your organization specify?

We also have choices here. While Windows 2000 Professional can share files, unless we have an awfully small network, it will be an entirely inefficient choice. Professional is optimized for one-on-one use. Foreground processes, such as productivity applications (word processing, spreadsheet, and personal database), are given priority. There are limited resources available for network access.

Windows 2000 Server or Advanced Server will be better choices. Unless there is also a need for load balancing, or more than 4 processors are required to manage the load, Server will probably be fine.

Notice the similar requirements for security. Keep that thought in mind for the next section.

In addition to similar needs, a file server requires additional precautions. Good physical security is required. In most environments this means location = server room, access = legitimate needs met via a supervised visit, and then only direct console access by a qualified and designated administrator.

Slide 7

Baseline – Domain Controller

A domain controller (DC) requires special security handling. The DC is the seat of your user account database and the center for security policy controls. If an attacker can penetrate the security of your DC, he can wreak havoc on the entire domain, not just a single machine.

The special role at the seat of security policy allows centralized control for many computers and users. Careful baselining of security for an entire logical group of computers and users is required. Security policies set at the domain will override those set on a local machine. Baselining for a DC leads to the incorporation of baselines for many computer and user roles.

In order to plan appropriately, consider the domain in Windows 2000 as the security boundary. That is, access by one domain's users to another domain's resources is non-existent (with one exception) until granted by domain administrators. This does not mean that every domain stands alone, rather that for those linked to other domains via trust relationships, several security features must be set only at the domain level. An example of this is the password policy, which details, among other things, how long a password must be and how frequently it must be changed. If different areas of your organization require a different password policy, they must maintain separate domains.

Within the domain, however, there is a vast assortment of possibilities for granular administration. Different types of users and computers can be placed within containers in the Active Directory. Administrative authority to manage these collections of accounts can be delegated.

In addition, many security features (such as PKI, EFS, Radius, et al.) are extended or only possible within a domain setting. Security policy to cover these new requirements should be specified. Before implementing DCs, desktops, file servers, and other W2K systems, you must establish the security baseline for each. The tools used to implement, maintain, and audit these baselines are part of the OS.

Slide 8

Common Security Features/Tools

• MMC

• Users and Groups

• NTFS File System

• System File Checker

• Windows Update Service

• Local Security Policy

• Security Configuration and Analysis

• IPSec

• VPN

All Windows 2000 computers have many security features in common. Security features can be divided between those available to all Windows 2000 computers no matter their role, and those that are extended or only available within an Active Directory domain.

The common features listed in the slide are available on all W2K platforms. However, the nature of each feature, and the ability to use it or to use it to control other systems, is platform-specific and differs between workgroup and domain settings. A VPN tunnel server may only be established on a W2K Server, for example, while a W2K Professional system can be a VPN client. Examples of these differences in a domain vs. a workgroup setting are the new groups available, the integration of DNS and PKI, and the domain-wide management of security policies, IPSec, and Remote Access.

Slide 9

One of the Windows 2000 design goals was to reduce the number of tools necessary and to create a common interface which worked across all tools. The Microsoft Management Console (MMC) is the result. This tool is merely a shell within which many components or ‘snap-ins’ can be loaded to build customized administration tools.

A few pre-built, customized MMCs are listed and available from the Administrative Tools section of Programs from the Start button, or from the Control Panel. Additional tools are built by administrators by adding various administrative ‘snap-ins’ to one or many MMCs. Frequently, special tools are built for delegated responsibilities. In this case, a normal user account is given specific administrative authority and a special tool, which can only be used for that duty, is built for the user.

Slide 10

The Computer Management Console

Click Control Panel → Administrative Tools → Computer Management for a great example of one of the consoles that can be used to manage a Windows 2000 system. This is a great way to learn how your system is set up, and we strongly encourage you to spend some time poking around (on a test system, of course!). When you use Computer Management as a Power User, not all of the options are shown, but you limit the harm you can cause to your operating system, and this might be the best way to start.

For instance, under System Information, hardware resources, components, drivers, environment variables, startup programs, etc. are displayed. In addition, you can see your installed software by opening the Applications container. Of course this may not be perfect. If you have installed a number of applications, you may find that only Microsoft products show in the Applications container. A better place to really spend some time learning about the system is the Software Environment view. From there, if you select Loaded Modules, you will see that it really was worth your money to invest in the RAM upgrade to run your Windows 2000 system.

The Event Viewer is used to examine system logs. Application and System logs record events and may be used to troubleshoot system problems. These event logs are not called audit logs. Auditing, the recording of security-related events, is not turned on by default. After auditing is turned on (using Local Security Policy or Group Policy, as well as appropriate file and registry key selections), auditing information is recorded in the Security Log.

On the slide above, the Event Viewer\Application log is open. Information, Error, and Warning messages are exposed. Although it is not shown, this particular event is a message which explains changes made to the CRM log file and indicates that if the computer name was recently changed, this is an expected event. Since this system's name was recently changed, the warning can be ignored. If the name had not recently been changed, this warning would need to be investigated further. The error messages in this case were also expected. Spend time with the Event Viewer to understand normal and abnormal events.

Slide 11

Windows 2000 Local Users and Groups

In Windows 2000, you can limit or extend the ability of users and groups to perform certain actions by assigning or denying them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders, or shutting down a computer. Administrators and some others have the right to log on to a Windows 2000 Server console; Users do not. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner. Permission settings are preset (but can be modified) in the registry and within the system files that assist in protecting them.

Windows 2000 Professional and Server systems have a built-in local account database with two default users (Administrator and Guest) as well as several default groups. The users and groups are much like those found in Windows NT and have similar rights and permissions.

When you create new user accounts and assign them to groups, there are important security issues, since default groups have different security rights and permissions. Typically, as in Windows NT, you can define user roles, and if default groups do not fulfill these roles, special or custom groups can be created, and rights and permissions assigned to meet the requirements of the role. User accounts obtain these rights and permissions when they are placed within these groups, and lose them when removed. An example of a special group might be ‘OrderManagers’. This group might then be given read access to files which contain orders. Another group, ‘Clerks’, might be given read and write access to these files. Clerks do data entry; managers review.

Local Users and Groups are managed through the Computer Management Console.

Slide 12

Users and Power Users

To avoid loosening security on a Windows 2000 system, an administrator should:

• Make sure that end users are members of the Users group only
• Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully

Users cannot modify system-wide registry settings, operating system files, or most program files. Users can shut down W2K Professional, but not W2K Servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators and which they have been given permission to run. Users can also run programs installed by Power Users. If a user has the right to copy a file to a disk where they have read, write and execute privileges, a user can copy an executable file there and run it. Users have full control over all of their own data files and their own portion of the registry (HKEY_CURRENT_USER). Windows 2000 Users have fewer rights and permissions than Users in Windows NT.

Power Users - The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any W2K-compatible program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000. A User may or may not be able to run the same program. Power Users and Users do not have access to the data of other users on an NTFS volume, unless they have been granted permission. Power Users can install or modify many programs. Some programs, however, such as those that require the installation of services, those which specifically require an Administrative account, or rights and permissions only granted to Administrators, cannot be installed by Power Users. For example, a program may modify data in areas of the registry to which Power Users have no access, or may improperly open a registry key or file for read, write and execute, when only read permission is necessary. If Power Users have read permission and Administrators have full control, the obvious result is that the Power User will not be able to install the program. A properly programmed install wizard might have allowed Power Users to install the program.

Certification specifications exist for software which is designed to run on Windows 2000. Different specifications exist for Professional, Server, Advanced Server, and Datacenter Server. If an application is not certified, that does not mean it will not run; however, it does mean there may be problems.

Slide 13

Replicator

• Used in a Windows 2000 domain for Active Directory replication
• No user accounts should be in this group

The Replicator group is used in a domain environment and ignored elsewhere. Its purpose is to provide a local group which represents rights and privileges on the local machine that might be required by the domain-level replication efforts. It should be ignored in a workgroup environment, and should never contain ordinary user accounts.

Replication of files from file server to laptop is managed by the Offline Files feature and uses the Synchronization Manager to schedule and manage the task. A synchronization permission is required on the folders and files to be synchronized.

If users need to synchronize files between two computers, they can do so without membership in this group. All that is required is the ability to share the files and, in doing so, set Offline access to the folder (File Sharing properties page\Caching button\‘Allow caching of files in this shared folder’). Then, after connecting to the share, the user must mark folders ‘Make available offline’.

Slide 14

is not under administrative control. Several of these groups are defined below.

• Interactive: This group contains any user that is logged on locally to the computer.
• Network: This group contains all users who are currently accessing the system over the network.
• Creator Owner: This group contains the individual who created the object.
• Creator Group: When a member of the Administrators group creates a file or folder, the owner of the file is the Administrators group, not the administrator that created it.
• Dial-up: Users who have accessed the network remotely via dial-up.
• Terminal Server Users: Users using terminal services.
• Self: The user or group itself (allows access to properties of the user or group).
• Service: User accounts logged on as a service.

These groups can be used to control access to resources based on the manner in which the resource is accessed. For example, if we assign the INTERACTIVE group read and write access to the file ‘secret.txt’ and the NETWORK group only read access to ‘secret.txt’, then John, when he is logged on to the console, can read and write the file, but when he accesses the same file over the network, he can only read the file.

Slide 15

Like Windows NT, Windows 2000 makes available the NTFS file system. Like Windows NT, file and folder access is restricted by assigning permissions to users and groups. Those not allowed access are implicitly denied. In addition, Windows 2000 extended this model by making available granular explicit ‘deny’ permissions and by modifying the inheritance model. The most notable effect of this model change is that permission inheritance can be denied. When settings are established on a subfolder, a simple checkbox allows or prevents parent folder permissions from propagating to subfolders. This is extremely important in order to protect settings from being overridden by less secure settings made on parent folders. The ‘Allow inheritable permissions from parent to propagate to this object’ checkbox is used to allow or implicitly deny permission inheritance. Note that in the slide, this check box is unchecked on the system folder WINNT. Thus, permission settings on this folder will not be changed should Administrators change the setting on the root of the file system.

Another new feature of NTFS is the Encrypting File System. Users can encrypt and decrypt their files. Another user, even one with ‘read’ permission on the file, cannot read it. Default recovery agents are able to retrieve files if a user's keys are lost or corrupted.
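The INTERACTIVE/NETWORK example from the previous slide and the inheritance checkbox on WINNT described above can be exercised in a small model. The following Python is an added example written for this page; it is not code from the SANS course or from Microsoft. It assumes a simplified NTFS access check (at each level, deny ACEs are evaluated before allow ACEs; explicit ACEs come before inherited ones; a right that no ACE mentions is implicitly denied). The folder names, the user John, the group names and all ACLs are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of Windows 2000 NTFS access checking, for illustration only.
# Three behaviours from the text are modelled:
#  - explicit deny beats allow (deny-before-allow ACE order at each level),
#  - inherited ACEs apply unless the folder clears 'Allow inheritable permissions
#    from parent to propagate to this object',
#  - the INTERACTIVE / NETWORK identities depend on how the user logged on.

READ, WRITE = "read", "write"


@dataclass
class Ace:
    trustee: str                 # user or group name, e.g. "John" or "INTERACTIVE"
    access: frozenset            # rights this ACE grants or denies
    allow: bool = True           # False means an explicit deny


@dataclass
class Node:
    name: str
    aces: List[Ace] = field(default_factory=list)
    inherit_from_parent: bool = True     # the inheritance checkbox on the object
    parent: Optional["Node"] = None

    def effective_aces(self) -> List[Ace]:
        """Canonical order: own denies, own allows, then the parent's ACEs (if inherited)."""
        own = sorted(self.aces, key=lambda ace: ace.allow)   # False (deny) sorts first
        if self.inherit_from_parent and self.parent is not None:
            return own + self.parent.effective_aces()
        return own


def token(user, groups, logon):
    """Identities in the access token: the user, their groups, and the logon-type group."""
    assert logon in ("console", "network")
    special = "INTERACTIVE" if logon == "console" else "NETWORK"
    return {user, *groups, special}


def access_check(node, identities, wanted):
    """The first ACE that mentions a right decides it; rights no ACE mentions are denied."""
    undecided, granted = set(wanted), set()
    for ace in node.effective_aces():
        if ace.trustee not in identities:
            continue
        hit = undecided & ace.access
        undecided -= hit
        if ace.allow:
            granted |= hit
    return set(wanted) <= granted


def build_tree():
    """Constructed tree: the root, WINNT with inheritance blocked, and secret.txt."""
    rw, r = frozenset({READ, WRITE}), frozenset({READ})
    root = Node("C:\\", aces=[Ace("Administrators", rw), Ace("Users", r)])
    winnt = Node("C:\\WINNT", parent=root, inherit_from_parent=False,
                 aces=[Ace("Administrators", rw), Ace("Users", r)])
    secret = Node("C:\\share\\secret.txt", parent=root,
                  aces=[Ace("INTERACTIVE", rw), Ace("NETWORK", r)])
    return {"root": root, "winnt": winnt, "secret": secret}


def john_can(nodes, name, logon, *rights, groups=("Users",)):
    """Does John (a constructed user) get the listed rights on the named object?"""
    return access_check(nodes[name], token("John", groups, logon), rights)


if __name__ == "__main__":
    tree = build_tree()
    print("console read+write:", john_can(tree, "secret", "console", READ, WRITE))    # True
    print("network write:", john_can(tree, "secret", "network", WRITE))              # False
    tree["root"].aces.append(Ace("Users", frozenset({WRITE})))   # root loosened later
    print("secret inherits the change:", john_can(tree, "secret", "network", WRITE))  # True
    print("WINNT does not:", john_can(tree, "winnt", "console", WRITE))               # False
```

The last two lines of the demo are the point of the checkbox: loosening the root ACL reaches secret.txt through inheritance but never reaches WINNT, because WINNT stopped propagation. An explicit allow on an object still wins over a deny inherited from its parent, which is why a deny that must hold everywhere belongs on the object itself, not only on a parent.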

Slide 16

Windows File Protection

• Prevents applications from overwriting or deleting important system files
• Ensures that your system files are up-to-date
• A command-line tool, System File Checker, can be used to check files on demand

What Are System Files?

In previous versions of Windows, applications often overwrote shared DLL files and EXE system files. (If you've worked with any version of Windows, you're probably very familiar with the term "DLL hell.") When installation programs mess with key system files, your system can become unusable, and troubleshooting can be a nightmare. And if you think that only third-party applications are guilty of overwriting your system files, think again. Many of Microsoft's applications are notorious for overwriting system files – even files that other Microsoft software uses. The problem is that many applications (including Microsoft's) don't check existing system file versions before overwriting the files. Most vendors are interested in ensuring that their software runs without problems, and the software you installed most recently probably works flawlessly – but it might work at the expense of other applications. For example, if you install audio applications from competing vendors, the one you install last will have the best chance of working properly. Developers aren't solely to blame for these system-file problems – several other factors are involved, including OS limitations.

OS stability is more important than application stability. This is addressed in Win2K by Windows File Protection. Windows File Protection runs in the background and ensures that setup programs don't permanently delete or overwrite any important system files. By default, Win2K enables Windows File Protection.

When a program attempts to delete or move a protected system file, Windows File Protection checks the digital signature of the file to ensure that it's a correct version. If it is not the correct version, Windows File Protection attempts to copy the file from the %systemroot%\System32\Dllcache folder. If the necessary file is not in the cache, a prompt for the W2K installation CD-ROM appears.

The System File Checker (or SFC) is a command-line tool which can be used to scan a W2K system and verify that the versions of protected system files are correct. If a protected system file has moved or has disappeared, SFC automatically replaces the file with the correct version from the Dllcache folder, or prompts for the installation CD-ROM. This tool also lets you set the Windows File Protection cache file size, thus allowing more or fewer system files to be available during unattended operation. You must be a member of the Administrators group to run SFC.

Slide 17

Using SFC to check System Files

Typing SFC at the command prompt will display the options available.

sfc /scannow immediately scans the system files.

sfc /scanonce scans the system files once, and sfc /scanboot scans protected system files every time you reboot your computer.

If you've scheduled a scan and you change your mind, sfc /cancel cancels the scan. If you don't want SFC to prompt you about each file that it intends to replace, use sfc /quiet.

SFC switches which manipulate Windows File Protection are:

sfc /purgecache - purges the file cache and scans all system files immediately.

sfc /cachesize - configures the size of the Windows File Protection cache. For example, to restrict the cache size to 2 MB, type sfc /cachesize=2048.

sfc /enable - returns to the default Windows File Protection operation. In this mode, SFC automatically restores or prompts you to restore the correct system file version whenever it detects that an application has overwritten a file. Don't forget to enable this option before you exit the command prompt window.
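The verify-then-restore-from-cache behaviour described on the previous slide (Windows File Protection) and exercised by the SFC switches above is shown below as an added Python model written for this page; it is not Microsoft's code and it does not call sfc. Real WFP checks the digital signature of a protected file against signed catalogs; this model assumes a simpler catalog of known-good SHA-256 hashes recorded from the Dllcache copies. The System32 and Dllcache folders, the file names and their contents are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed model of Windows File Protection, for illustration only (not Microsoft's
# code). The hash catalog stands in for the signed catalog real WFP consults.


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_catalog(cache_dir):
    """Known-good hash for every cached copy (the stand-in for the signed catalog)."""
    return {name: sha256_of(os.path.join(cache_dir, name)) for name in os.listdir(cache_dir)}


def scan(system_dir, cache_dir, catalog):
    """Verify each protected file; restore from the cache if wrong or missing,
    and report 'needs CD' when the cache cannot supply a good copy either."""
    results = {}
    for name, good in catalog.items():
        target = os.path.join(system_dir, name)
        if os.path.exists(target) and sha256_of(target) == good:
            results[name] = "ok"
            continue
        cached = os.path.join(cache_dir, name)
        if os.path.exists(cached) and sha256_of(cached) == good:
            shutil.copyfile(cached, target)
            results[name] = "restored"
        else:
            results[name] = "needs CD"
    return results


def make_lab():
    """Constructed lab tree: a stand-in System32 with a Dllcache subfolder and two
    'protected' files whose names and contents are invented."""
    root = tempfile.mkdtemp(prefix="wfp-lab-")
    system32 = os.path.join(root, "System32")
    cache = os.path.join(system32, "Dllcache")
    os.makedirs(cache)
    for name, body in {"kernel.dll": b"good kernel", "shell.dll": b"good shell"}.items():
        for folder in (system32, cache):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(body)
    return system32, cache


def demo():
    """An installer overwrites one protected file and deletes another; afterwards the
    cache loses a copy. Returns the results of the two scans."""
    system32, cache = make_lab()
    try:
        catalog = build_catalog(cache)
        with open(os.path.join(system32, "kernel.dll"), "wb") as fh:
            fh.write(b"vendor replacement")              # the 'DLL hell' overwrite
        os.remove(os.path.join(system32, "shell.dll"))   # and a deletion
        first = scan(system32, cache, catalog)
        os.remove(os.path.join(cache, "shell.dll"))      # cached copy purged
        os.remove(os.path.join(system32, "shell.dll"))   # file deleted again
        second = scan(system32, cache, catalog)
    finally:
        shutil.rmtree(os.path.dirname(system32))
    return first, second


if __name__ == "__main__":
    print(demo())
```

The first scan restores both files from the cache; the second finds kernel.dll intact but cannot repair shell.dll because the cache no longer holds a good copy, which is the situation in which the real tool prompts for the installation CD-ROM. It also shows why the catalog, not the cache, is the trust anchor: a cached copy is only used after its own hash checks out.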

Slide 18

Local Security Policy

The Administrative Tools\Local Security Policy console can be used to configure security settings for a single Windows 2000 system. This is an especially important tool for users of standalone W2K Professional systems. If Windows 2000 Professional is a domain member, local security settings will be overwritten by policies established at the domain level. Users with laptops who have local administrative user accounts on their systems can also configure system security using this tool. When they are logged on using the local account, security policies set locally will apply. If they are logged on using their domain account, domain policies will apply. This tool will show you both your local settings and also your effective (domain) settings. If the domain controller overrides your local setting, these will not match.

The slide shows configuration of a warning banner for logins. A warning banner will not prevent unauthorized users from logging on, but serves as notice that they should not do so. Logon banners may serve as legal notices. Court cases involving network penetration have been dismissed when logon banners which read ‘welcome’ were used. Using banners which have strong legal warnings and acceptable use information helps honest individuals understand how the system should be used, and may assist in obtaining convictions, or support sanctions when the policy is ignored.

Security settings that can thwart attackers and provide evidence of their attempts are also present in security settings and can be used effectively by domain and local administrators to protect the system. Imagine that you are traveling a lot with your laptop. It might be a good idea to have a more stringent policy for the local settings than when you are at home with your alarm system, big dog, and neighbors that primarily work in high-security government positions. Likewise, if your job is to protect corporate road warriors from themselves, you will want to thoroughly understand and set security on laptops for them. Potential defensive settings include the ability to lock out accounts after a number of failed logins, requiring complex passwords, auditing successful and failed access of sensitive files, policies and such, restricting user rights, renaming the administrator account, blocking the loading of unsigned drivers, preventing the use of EFS, and establishing secure network communications via IPSec policies. We'll be talking more about many of these security features, but for now you should remember where to look for the security policy that is effective on a local machine, and where you might be able to manage these settings.

Slide 19

Security Configuration and Analysis

A marvelous new tool available with Windows 2000 is the Security Configuration and Analysis and Security Templates snap-ins to the MMC. Security templates (either pre-configured default templates or customized templates) can be used to quickly apply security settings to a host, or to analyze the current settings against a template representing policy. Analysis provides a simple way for administrators and auditors to determine the security configuration status of a particular machine.

Remember the security baselines we examined for desktop, server, and DC? Pre-configured, recommended security templates are available for each of these baselines. In fact, default templates exist for three levels of security (default, secure, and high security) for domain controllers, workstations, and servers.

Security template settings mirror those available in Local Security Policy. Additional templates are available for web servers and other models. Templates may be customized by changing settings and adding new features. New templates can also be created. In the slide, mydomain and mylocal represent custom templates. The red x's indicate the results of an analysis of the current computer's settings against a desired policy. Each container, when opened, documents variance from policy. The analysis does not modify settings on the host.
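The analysis step described above, comparing a host against a template that represents the baseline policy and reporting variances without changing anything, is shown below as an added Python example written for this page; it is not the snap-in's code and not one of the templates shipped with Windows 2000. The [System Access] and [Event Audit] section names and the keys inside them (MinimumPasswordLength, LockoutBadCount, AuditLogonEvents and so on) are the ones secedit-style templates use; the values in the template and the host snapshot are constructed. The host snapshot is a plain dictionary rather than a live read of the machine.

```python
import copy

# Constructed .inf-style security template (section/key names as used by secedit
# templates; values invented for this example).
TEMPLATE_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of one host's current settings, in the same section/key shape.
HOST_SETTINGS = {
    "System Access": {"MinimumPasswordLength": 6, "PasswordComplexity": 1,
                      "LockoutBadCount": 0, "MaximumPasswordAge": 42},
    "Event Audit": {"AuditLogonEvents": 0},
}

ANALYZED_SECTIONS = ("System Access", "Event Audit")


def _coerce(value):
    """Template values are either integers or (possibly quoted) strings."""
    value = value.strip().strip('"')
    try:
        return int(value)
    except ValueError:
        return value


def parse_template(text):
    """Parse the [Section] / Key = Value layout of a security template."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            settings.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            settings[section][key.strip()] = _coerce(value)
    return settings


def analyze(template, host, sections=ANALYZED_SECTIONS):
    """Compare host settings with the template; report variances, change nothing."""
    findings = []
    for section in sections:
        for key, wanted in template.get(section, {}).items():
            actual = host.get(section, {}).get(key)
            if actual != wanted:
                findings.append((section, key, wanted, actual))
    return findings


def report(findings):
    """One line per variance, in the spirit of the red x's in the snap-in."""
    lines = []
    for section, key, wanted, actual in findings:
        shown = "not defined" if actual is None else actual
        lines.append(f"X  {section}\\{key}: policy {wanted}, computer {shown}")
    return lines


if __name__ == "__main__":
    before = copy.deepcopy(HOST_SETTINGS)
    for line in report(analyze(parse_template(TEMPLATE_INF), HOST_SETTINGS)):
        print(line)
    assert HOST_SETTINGS == before      # analysis never touches the host
```

Run against the constructed host, the report flags the short minimum password length, the disabled lockout threshold, logon auditing turned off, and an audit setting the host never defined. Swapping TEMPLATE_INF for a different role's template (the desktop, file server and DC baselines earlier in this section) is how the same analysis covers each role.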

Slide 20

Windows Update

Other tools are available in the Support Tools folder on the Windows 2000 Server CD-ROM, in the Windows 2000 Resource Kit, and online. Two important online sites are Windows Update and Windows 2000 Security (www.microsoft.com\technet\security).

The Windows Update site, seen here, provides information on Critical and Recommended updates for Windows systems. With permission, the current machine can be scanned, and Windows Update will recommend updates and then allow them to be run. Updates include service packs, newer device drivers, and security patches. Explanations are also available. While organizations should manage enterprise-wide updating of Windows systems, this site is important to users of Windows who are not managed in this fashion. Similar updating is available for users of Microsoft Office.

The Windows security site provides detailed security information and notice and explanation of security patches, with links to free downloads. It also includes multiple free security tools. A detailed list of hardening steps for Windows systems is also available. You can sign up for a security bulletin list, which will email you as new security bulletins and patches are available.

Slide 21

Protecting host-to-host communications with IP Security Policies

IP Security (IPSec) is an Internet standard for the protection of data communications between systems. It can also be used to filter, and thus allow or block, data coming and going through an IP stack. IPSec is built into the TCP/IP stack of all Windows 2000 systems. To be used, IPSec policies must be written and assigned.

Possible uses for IPSec may be to block access to a system by filtering on protocol ID or port numbers, to block all but specifically identified protocols, or to negotiate secure communications between two machines. Security can be negotiated including confidentiality (encryption), integrity (data received is the data sent), and authentication (mutual identification of the two computers involved). A selection of security algorithms is available.

IPSec policies may be written for any Windows 2000 system, either through Local Security Policy, through the IPSec MMC snap-in, via the command line, or in a domain environment through Group Policy.
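The three filter actions the text lists (block, permit, negotiate) and the "block all but specifically identified protocols" pattern are modelled below in an added Python example written for this page; it is not Microsoft's IPSec implementation and it does not write a policy to any system. Two modelling assumptions are stated in the code: when several filters match a packet the most specific one decides, and traffic matching no filter at all is left alone. The web-server policy, the port numbers and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of IPSec filter matching, for illustration only (not Microsoft's
# code). Assumptions: most specific matching filter wins; no match means 'pass'.

ANY = None


@dataclass(frozen=True)
class Filter:
    protocol: Optional[str]   # "tcp", "udp", "icmp", or ANY
    port: Optional[int]       # destination port, or ANY
    action: str               # "permit", "block" or "negotiate"

    def matches(self, packet):
        return ((self.protocol is ANY or self.protocol == packet["protocol"])
                and (self.port is ANY or self.port == packet.get("port")))

    def specificity(self):
        """How many fields the filter pins down; higher wins when several match."""
        return int(self.protocol is not ANY) + int(self.port is not ANY)


def decide(filters, packet):
    """Action for one inbound packet, or 'pass' when no filter applies."""
    hits = [f for f in filters if f.matches(packet)]
    if not hits:
        return "pass"
    return max(hits, key=Filter.specificity).action


# Constructed 'block all but specifically identified protocols' policy for a web
# server that also talks to a database host over a negotiated (authenticated,
# encrypted) IPSec association.
WEB_SERVER_POLICY = [
    Filter(ANY, ANY, "block"),            # default: drop everything inbound
    Filter("tcp", 80, "permit"),          # plain HTTP to the web service
    Filter("tcp", 1433, "negotiate"),     # database traffic only under IPSec
]


def classify(packets, policy=WEB_SERVER_POLICY):
    """Map a 'proto/port' label to the action each constructed packet receives."""
    return {f"{p['protocol']}/{p.get('port', '-')}": decide(policy, p) for p in packets}


if __name__ == "__main__":
    sample = [{"protocol": "tcp", "port": 80}, {"protocol": "udp", "port": 53},
              {"protocol": "tcp", "port": 1433}, {"protocol": "icmp"}]
    print(classify(sample))
```

Without the catch-all block filter the ICMP packet would simply pass, which is the easy mistake when writing a restrictive policy: a list of permits does not block anything by itself. The negotiate action is also the one that only works when the peer has a matching policy assigned; otherwise the association never forms and the database traffic does not flow.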

Slide 22

Windows 2000 PKI follows Internet PKI standards and is compatible with other PKI vendors who use these standards.

A hierarchical trust model is available to allow root CA protection and a distributed CA architecture for enterprise deployment. Implementation is via service installation and configuration. There is no additional charge.

Slide 23

Virtual Private Networks establish secure communications between two networks over a third. As such, they are excellent additions to any enterprise which requires branch-to-corporate-headquarters communication, or telecommuter and/or traveling employee access to internal network resources.

Windows 2000 Servers can be configured as VPN endpoints for remote access via VPN clients, or for the establishment of gateway-to-gateway tunnels between two networks. Windows 2000 Professional can act as a VPN client. Two possible protocols for VPNs exist.

As with NT before it, Windows 2000 continues to make the Point-to-Point Tunneling Protocol (PPTP) available. Data encryption for a PPTP VPN is managed via Microsoft Point-to-Point Encryption (MPPE); 40-bit and 128-bit RSA RC4 is available.

Windows 2000 also introduces Layer 2 Tunneling Protocol (L2TP) over IPSec for VPN tunnels. L2TP is used to establish a tunnel, and IPSec is used for encryption. Various encryption strengths are available depending on connection type and encryption strength, as illustrated below:

Basic: 40-bit MPPE RC4 or DES
Stronger: 56-bit MPPE RC4 or DES
Strongest: 128-bit MPPE RC4 or triple DES

By default, L2TP over IPSec VPNs require certificates for authentication. However, you may configure VPNs which use shared-key authentication.

On the next slide, titled Active Directory, we will discuss an information system directory that can serve as a single point of access for information about authorized users, computers, services, and devices in a network. It can also serve as a framework for the security of that network. Rudimentary directory services exist in Windows NT 4.0. The SAM portion of the registry is a computer and user database, and other registry areas serve as repositories for service, software, and device information. The structure of these information repositories is proprietary and does not offer the functionality of more modern extensible directory services. Versions of Exchange Server prior to 2000 implemented directory services that were similar to existing standards of the time – X.500.

Posted: 17/01/2014, 07:20
