Windows 2000 Security

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:47

lượt xem

Windows 2000 Security

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

This section will build on the basic NT security knowledge you have already gained. However, you will find that every NT security function is magnified in Windows 2000, and Windows 2000 has ten times the security features available in Windows NT. If NT were a row boat, Windows 2000 is the QE2. If NT were a cottage, then Windows 2000 is a 56 room mansion. Active Directory, security templates.

Chủ đề:

Nội dung Text: Windows 2000 Security

  1. Windows 2000 Security Security Essentials The SANS Institute Windows 2000 Security - SANS ©2001 1 This section will build on the basic NT security knowledge you have already gained. However, you will find that every NT security function is magnified in Windows 2000, and Windows 2000 has ten times the security features available in Windows NT. If NT were a row boat, Windows 2000 is the QE2. If NT were a cottage, then Windows 2000 is a 56 room mansion. Active Directory, security templates, Group Policy, System File Protection, Radius, IPSec, EFS, PKI, Kerberos, a new permission inheritance model, and granular assignment of administrative authority are but a few of the technologies and processes that you must understand if you are to design and implement security in Windows 2000. This section will introduce you to the possibilities. 3-1
  2. Your Goals • Understand Security Baselining • Describe Security features – all versions/roles • Describe Security features - Active Directory domain • List 10 hardening steps Windows 2000 Security - SANS ©2001 2 Goals and Objectives We cannot talk about security and Windows 2000 without recognizing that there is more than one version of Windows 2000 and there are many functional roles that Windows 2000 may perform within a network or standing alone. Windows 2000 may be on a laptop computer as it travels from hotel to hotel to home to office. It may be on massive database servers, or limited desktop systems. Windows 2000 may serve as the OS for mail servers, web servers, file servers, firewalls and many other roles. When you discuss security and Windows 2000 you must discuss it within the context of its use. How secure is Windows 2000? How secure do you need it to be? How much knowledge do you have of its features and function? Where will it be asked to perform? Who will be using it? All of these questions must be asked and understood. In this section, we will discuss the need for security baselining, or the matching of security needs with system functions, and the specification of basic security requirements for different computer roles within a network. Next, we will examine the security features available in Windows 2000; first discussing those that are available for all systems, and then looking at the additional features available within a Windows 2000 Active Directory domain. Finally, 10 hardening steps, steps that should be taken during or immediately after Windows 2000 installation, will be presented. Please note that thorough discussion of Windows 2000 security, and the ability to configure and use these features to your benefit, require more study than this introduction can provide. Your goal should be to become comfortable with the features available, so that you can evaluate them more thoroughly against the background of your organizations or your personal requirements. 3-2
  3. Security Baselining • Define the role • Understand the platform • Document the Desired Security Policy • Deploy Windows 2000 Security - SANS ©2001 3 Security Baselining In order to examine the concept of security baselining, we will pick three common computer roles: Desktop, File Server, and Domain Controller. What version of Windows 2000 will each require? What is the security model for each? Who will be users on these systems? Where? How? For what? As we answer the questions about these roles, we can examine Windows 2000 to determine how it can fulfill them. Once computer use and desired security policy is determined, your job is to seek out the most relevant, efficient, and easily maintainable way to accomplish these goals. Several native Windows 2000 tools will be introduced in which will provide you with automated means to do so. But first lets define the Windows 2000 family. 3-3
  4. Win 2K OS Versions • Professional • Server • Advanced Server • Datacenter Server Windows 2000 Security - SANS ©2001 4 OS Versions Windows 2000 Professional is the desktop version of the operating system Windows NT Workstation and Windows 95 and 98 can be upgraded to Professional. Professional can be a member of a Windows NT 4.0 or Windows 2000 domain, or operate in a workgroup or without networking at all. Security is managed by local security settings. If a W2K Professional system is a member of a Window 2000 domain, local security settings are overridden by those set at the domain level. Windows 2000 Server and Advanced Server are similar in feature and function. They are meant to serve as domain controller, file server, database server, mail server, application server, web server, and the like. Unlike Windows NT, Windows 2000 servers may be promoted to domain controllers from member server status, and even demoted back to member server. Advanced server allows more flexibility in the number of processors and offers Quality of Service drivers, and the ability to do network load balancing and perform as part of a cluster. Windows NT Server (3.51 and 4.0) may be upgraded to Windows 2000 Server. Datacenter Server is meant to be the host for massive databases or for other powerful applications. This OS version is not sold independently of its hardware platform. Datacenter Server can have up to 32 processors. Professional Server Advanced Server Minimum RAM 64 128 128 Maximum RAM 4 GB 4 GB Minimum Processor 133 Mhz/Pentium compatible Hard Drive Space Required 2 GB/ 650MB free 2 GB/ 1.0 GB free Processors 1 or 2 1 to 4 1 to 8 NLB no no yes Cluster? no no yes 3-4
  5. Baseline - Desktop • Windows 2000 Professional – Separate accounts for each user – No local accounts, except defaults, if part of a domain – Strong local account policy – Local audit settings What else would your organization specify? Windows 2000 Security - SANS ©2001 5 Once a specific computer role is defined, the first step is to choose a platform. Let’s start with an example where the computer will be used as a desktop system. It makes sense to assign Windows 2000 Professional. Although one could run word processing and other applications on a Windows 2000 Server, it would not make good economic or efficiency sense. Servers are optimized for background applications such as those accessed across the network by multiple users. Applications in the foreground, such as word processing, receive less attention, and productivity could suffer as a result. What security requirements does this system have? Well, that depends on the network (or lack of network) within which it resides. We can begin with a list of well-known best practices, or abstract them from organizational policy. 3-5
  6. Baseline File Server • Windows 2000 Server or Advanced Server – No local accounts except defaults – Strong local account policy – Domain member – Local audit settings – Limited physical access What else would your organization specify? Windows 2000 Security - SANS ©2001 6 We also have choices here. While Windows 2000 Professional can share files, unless we have an awfully small network, it will be an entirely inefficient choice. Professional is optimized for one-on- one use. Foreground processes, such as productivity applications (word processing, spreadsheet, and personal database) are given priority. There are limited resources available for network access. Windows 2000 Server or Advanced Server will be better choices. Unless there is also a need for load balancing, or more than 4 processors are required to manage the load, Server will probably be fine. Notice the similar requirements for security. Keep that thought in mind for the next section. In addition to similar needs, a file server requires additional precautions. Good physical security is required. In most environments this means location = server room, access = legitimate needs met via a supervised visit, and then only direct console access by a qualified and designated administrator. 3-6
  7. Baseline – Domain Controller • Domain Controller – There are no PDC/BDC roles in W2K – Physical security – Special points to secure – Special security capabilities – Security policy for domain members not just single system Windows 2000 Security - SANS ©2001 7 A domain controller (DC) requires special security handling. The DC is the seat of your user account database and the center for security policy controls. If an attacker can penetrate the security of your DC, he can wreak havoc on the entire domain, not just a single machine. The special role at the seat of security policy allows centralized control for many computers and users. Careful baselining of security for an entire logical group of computers and users is required. Security policies set at the domain will override those set on a local machine. Baselining for a DC leads to the incorporation of baselines for many computer and user roles. In order to plan appropriately, consider the domain in Windows 2000 as the security boundary. That is, access by one domain’s users to another domain’s resources is non-existent (with one exception) until granted by domain administrators. This does not mean that every domain stands alone, rather that for those linked to other domains via trust relationships, several security features must be set only at the domain level. An example of this is the password policy which details, among other things, how long a password must be and how frequently it must be changed. If different areas of your organization require a different password policy, they must maintain separate domains. Within the domain, however, there are a vast assortment of possibilities for granular administration. Different types of users and computers can be placed within containers in the Active Directory. Administrative authority to manage these collections of accounts can be delegated. In addition, many security features (such as PKI, EFS, Radius, et al) are extended or only possible within a domain setting. Security policy to cover these new requirements should be specified. Before implementing DC’s, desktops, file servers, and other W2K systems, you must establish the security baseline for each. The tools used to implement, maintain, and audit these baselines are part of the OS. 3-7
  8. Common Security Features/Tools • MMC • Users and Groups • NTFS File System • System File Checker • Windows Update Service • Local Security Policy • Security Configuration and Analysis • IPSec • VPN Windows 2000 Security - SANS ©2001 8 All Windows 2000 computers have many security features in common. Security features can be divided between those available to all Windows 2000 computers no matter their role, and those that are extended or only available within an Active Directory Domain. The common features listed in the slide are available on all W2K platforms. However, the nature of the feature and the ability to use each feature, or to use it to control other systems is platform and workgroup vs. domain specific. A VPN tunnel server may only be established on a W2K server for example, while a W2K Professional system can be a VPN client. Examples of these differences in a domain vs. a workgroup setting are the new groups available, the integration of DNS and PKI available, and the domain-wide management of security policies, IPSec, and Remote Access. 3-8
  9. Microsoft Management Console • Flexible • Multi-purpose • Several pre-built Administrative Tools or pre-loaded MMC’s Windows 2000 Security - SANS ©2001 9 Administration of Windows NT is often complicated by the large number of Administrative Tools, each of which had its own interface. Management of security features has to be carried out by using many of these tools. One of the Windows 2000 design goals was to reduce the number of tools necessary and to create a common interface which worked across all tools. The Microsoft Management Console (MMC) is the result. This tool is merely a shell within which many components or ‘snap-ins’ can be loaded to build customized administration tools. A few, pre-built, customized MMCs are listed and available from the Administrative Tools section of Programs from the Start button or from the Control Panel. Additional tools are built by administrators by adding various administrative ‘snap-ins’ to one or many MMCs. Frequently, special tools are built for delegated responsibilities. In this case, a normal user account is given specific administrative authority and a special tool, which can only be used for that duty, is built for the user. 3-9
  10. Windows 2000 Security - SANS ©2001 10 The Computer Management Console Click Control Panel → Administrative Tools → Computer Management for a great example of one of the consoles that can be used to manage a Windows 2000 system. This is a great way to learn how your system is set up and we strongly encourage you to spend some time poking around (on a test system of course!). When you use Computer Management as a Power User, not all of the options are shown, but you limit the harm you can cause to your operating system and this might be the best way to start. For instance, under System Information, hardware resources, components, drivers, environmental variable, startup programs, etc are displayed. In addition, you can see your installed software by opening the Applications container. Of course this may not be perfect. If you have installed a number of applications, you may find that only Microsoft products show in the Applications container. A better place to really spend some time learning about the system, is the Software Environment view. From there, if you select loaded modules, you will see that it really was worth your money to invest in the RAM upgrade to run your Windows 2000 system. The Event Viewer is used to examine system logs. Application and System logs record events and may be used to troubleshoot system problems. These event logs are not called audit logs. Auditing, the recording of security related events, is not turned on by default. After auditing is turned on (using Local Security Policy or Group Policy, as well as appropriate file and registry key selections) auditing information is recorded in the Security Log. On the slide above, the Event Viewer\Application log is open. Information, Error, and Warning messages are exposed. Although it is not shown, this particular event is a message which explains changes made to the CRM log file and indicates that if the computer name was recently changed, this is an expected event. Since this system’s name was recently changed, the warning can be ignored. If the name had not recently been changed, this warning would need to be investigated further. The error messages in this case were also expected. Spend time with the Event Viewer to understand normal and abnormal events. 3 - 10
  11. Windows 2000 Security - SANS ©2001 11 Windows 2000 Local Users and Groups In Windows 2000, you can limit or extend the ability of users and groups to perform certain actions by assigning or denying them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders, or shutting down a computer. Administrators and some others have the right to logon to a Windows 2000 Server console. Users do not. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner. Permission settings are preset (but can be modified) in the registry and within the system files that assist in protecting them. Windows 2000 Professional and Server systems have a built-in local account database with two default users (Administrator and Guest) as well as several default groups. The users and groups are much like those found in Windows NT and have similar rights and permissions. When you create new user accounts and assign them to groups, there are important security issues, since default groups have different security rights and permissions. Typically, as in Windows NT, you can define user roles and if default groups do not fulfill these roles, special, or custom groups can be created, and rights and permissions assigned to meet the requirements of the role. User accounts obtain these rights and permissions when they are placed within these groups, and lose them when removed. An example of a special group might be ‘OrderManagers’, This group might then be given read access to files which contain orders. Another group, ‘Clerks’, might be given read and write access to these files. Clerks do data entry; managers review. Local Users and Groups are managed through the Computer Management Console. 3 - 11
  12. Users and Power Users To avoid loosening security on a Windows 2000 system, an administrator should: • Make sure that end users are members of the Users group only • Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully Windows 2000 Security - SANS ©2001 12 Users cannot modify system-wide registry settings, operating system files, or most program files. Users can shut down W2K Professional, but not W2K Servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators and which they have been given permission to run. Users can also run programs installed by Power Users. If a user has the right to copy a file to a disk where they have read, write and execute privileges, a user can copy an executable file there and run it. Users have full control over all of their own data files and their own portion of the registry (HKEY_CURRENT_USER). Windows 2000 users have fewer rights and permissions than Users in Windows NT. Power Users - The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any W2K compatible program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000. A User may or may not be able to run the same program. Power Users and Users do not have access to the data of other users on an NTFS volume, unless they have been granted permission. Power Users can install or modify many programs. Some programs, however, such as those that require the installation of services, those which specifically require an Administrative account, or rights and permissions only granted to Administrator, cannot be installed by Power Users. For example, a program may modify data in areas of the registry to which Power Users have no access, or may improperly open a registry key or file for read, write and execute, when only read permission is necessary. If Power Users have read permission and Administrators have full control, its obvious result is that the Power User will not be able to install the program. A properly programmed install wizard might have allowed Power Users to install the program. Certification specifications exist for software which is designed to run on Windows 2000. Different specifications exist for Professional, Server, Advanced Server, and Datacenter Server. If an application is not certified, that does not mean it will not run, however it does mean there may be problems. 3 - 12
  13. Replicator • Used in a Windows 2000 Domain for Active Directory Replication • No user accounts should be in this group Windows 2000 Security - SANS ©2001 13 The Replicator group is used in a domain environment and ignored elsewhere. Its purpose is to provide a local group which represents rights and privileges on the local machine that might be required by the domain level replication efforts. It should be ignored in a workgroup environment, and never should contain ordinary user accounts. Replication of files from file server to laptop is managed by the Offline Files feature and uses the synchronization manager to schedule and manage the task. A synchronization permission is required on the folders and files to be synchronized. If users need to synchronize files between two computers, they can do so without membership in this group. All that is required is the ability to share the files and in doing so, set Offline access to the folder. (File Sharing properties page\Caching button\ ‘allow caching of files in this shared folder’). Then, after connecting to the share, the user must mark folders ‘make available offline’. 3 - 13
  14. Implicit Groups • Interactive • Network • Everyone • Authenticated Users • Self • Creator Owner Windows 2000 Security - SANS ©2001 14 There are several implicit, or built-in Security Principals groups that are automatically created by Windows 2000. Membership in these group is based on something that users are doing and as such, is not under administrative control. Several of these groups are defined below. •Interactive. This group contains any user that is logged on locally to the computer •Network. This group contains all users who are currently accessing the system over the network •Creator Owner. This group contains the individual who created the object •Creator Group. When a member of the Administrators group creates a file or folder, the owner of the file is the Administrators group, not the administrator that created it. •Dial-up. Users who have accessed the network remotely via dial-up •Terminal Server Users. Users using terminal services •Self. The user or group itself (allows access to properties of the user or group) •Service. User accounts logged on as a service These groups can be used to control access to resources based on the manner in which the resource is accessed. For example, if we assign the INTERACTIVE group read and write access to the file ‘secret.txt’ and the NETWORK group only read access to ‘secret.txt’, then John, when he is logged on to the console, can read and write the file but when he accesses the same file over the network, he can only read the file. 3 - 14
  15. Like Windows NT, Windows 2000 makes available the NTFS file system. Like Windows NT, file and folder access is restricted by assigning permissions to users and groups. Those not allowed access are implicitly denied. In addition, Windows 2000 extended this model by making available granular explicit ‘deny’ permissions and by modifying the inheritance model. The most notable effect of this model change is that permission inheritance can be denied. When settings are established on a subfolder, a simple checkbox allows or prevents parent folder permissions from propagating to subfolders. This is extremely important in order to protect settings from being overridden by less secure settings made on parent folders. The ‘Allow inheritable permissions from parent to propagate to this object’ checkbox is used to allow or implicitly deny permission inheritance. Note that in the slide, this check box is unchecked on the system folder WINNT. Thus, permission setting on this folder will not be changed should Administrators change the setting on the root of the file system. Another new feature of NTFS is the Encrypting File System. Users can encrypt and decrypt their files. Another user, even one with ‘read’ permission on the file, cannot read it. Default recovery agents are able to retrieve files if user’s keys are lost or corrupted. 3 - 15
  16. Windows File Protection • Prevents applications from overwriting or deleting important system files • Ensures that your system files are up- to-date • A command-line tool, System File Checker, can be used to check files on demand Windows 2000 Security - SANS ©2001 16 What Are System Files? In previous versions of Windows, applications often overwrote shared .dll files and .exe system files. (If you’ve worked with any version of Windows, you're probably very familiar with the term "DLL hell.") When installation programs mess with key system files, your system can become unusable, and troubleshooting can be a nightmare. And if you think that only third-party applications are guilty of overwriting your system files, think again. Many of Microsoft’s applications are notorious for overwriting system files – even files that other Microsoft software uses. The problem is that many applications (including Microsoft's) don't check existing system file versions before overwriting the files. Most vendors are interested in ensuring that their software runs without problems, and the software you installed most recently probably works flawlessly – but it might work at the expense of other applications. For example, if you install audio applications from competing vendors, the one you install last will have the best chance of working properly. Developers aren't solely to blame for these system-file problems – several other factors are involved, including OS limitations. OS stability is more important than application stability. This is addressed in Win2K by Windows File Protection . Windows File Protection runs in the background and ensures that setup programs don't permanently delete or overwrite any important system files. By default, Win2K enables Windows File Protection. When a program attempts to delete or move a protected system file, Windows File Protection checks the digital signature of the file to ensure that it's a correct version. If it is not the correct version, Windows File Protection attempts to copy the file from the %systemrooot%\System32\Dllcache folder. If the necessary file is not in the cache, a prompt for the W2K installation CD-ROM appears. The System File Checker (or SFC) is a command-line tool which can be used to scan a W2K system and verify that the versions of protected system files are correct. If a protected system file has moved or has disappeared, SFC automatically replaces the file with the correct version from the Dllcache folder, or prompts for the installation CD- ROM. This tool also lets you set the Windows File Protection cache file size, thus allowing more or fewer system files to be available during unattended operation. You must be a member of the Administrators group to run SFC. 3 - 16
  17. Windows 2000 Security - SANS ©2001 17 Using SFC to check System Files Typing SFC at the command prompt will display the options available. sfc /scannow immediately scans the system files. sfc /scanonce scans the system files once, and sfc /scanboot scans protected system files every time you reboot your computer. If you've scheduled a scan and you change your mind, sfc /cancel cancels the scan. If you don’t want the SFC to prompt you about each file that it intends to replace, use sfc /quiet. SFC switches which manipulate the Windows File Protection are: sfc /purgecache - purges the file cache and scans all system files immediately. sfc /cachesize - configures the size of the Windows File Protection cache. For example, to restrict a cache size to 2MB, type sfc /cachesize=2048. sfc /enable - returns to the default Windows File Protection operation. In this mode, SFC automatically restores or prompts you to restore the correct system file version whenever it detects that an application has overwritten a file. Don’t forget to enable this option before you exit the command prompt window. 3 - 17
  18. Windows 2000 Security - SANS ©2001 18 Local Security Policy The Administrative Tools\Local Security Policy console can be used to configure security settings for a single Windows 2000 system. This is an especially important tool for users of standalone W2K Professional systems. If Windows 2000 Professional is a domain member, local security settings will be overwritten by policies established at the domain level. Users with laptops who have local administrative user accounts on their systems, can also configure system security using this tool. When they are logged on using the local account, security policies set locally will apply. If they are logged on using their domain account, domain policies will apply. This tool will show you both your local settings and also your effective (domain) settings. If the domain controller overrides your local setting, these will not match. The slide shows configuration of a warning banner for logins. A warning banner will not prevent unauthorized users from logging on, but serves as notice that they should not do so. Logon banners may serve as legal notices. Court cases involving network penetration have been dismissed when logon banners which read ‘welcome’ were used. Using banners which have strong legal warnings and acceptable use information help honest individuals understand how the system should be used and may assist in obtaining convictions, or support sanctions when the policy is ignored. Security settings that can thwart attackers and provide evidence of their attempts also are present in security settings and can be used effectively by domain and local administrators to protect the system. Imagine that you are traveling a lot with your laptop. It might be a good idea to have a more stringent policy for the local settings then when you are at home with your alarm system, big dog, and neighbors that primarily work in high security government positions. Likewise, if your job is to protect corporate road warriors from themselves, you will want to thoroughly understand and set security on laptops for them. Potential defensive settings include the ability to lock out accounts after a number of failed logins, requiring complex passwords, auditing successful and failed access of sensitive files, policies and such, restricting user rights, renaming the administrator account, blocking the loading of unsigned drivers, preventing the use of EFS, and establishing secure network communications via IPSec policies. We’ll be talking more about many of these security features, but for now you should remember where to look for the security policy that is effective on a local machine, and where you might be able to manage these settings. 3 - 18
  19. Windows 2000 Security - SANS ©2001 19 Security Configuration and Analysis A marvelous new tool available with Windows 2000 is the Security Configuration and Analysis and Security Templates snap-ins to the MMC. Security templates (either pre-configured default templates or customized templates) can be used to quickly apply security settings to a host, or to analyze the current settings against a template representing policy. Analysis provides a simple way for administrators and auditors to determine the security configuration status of a particular machine. Remember the security baselines we examined for desktop, server, and DC? Pre-configured, recommended security templates are available for each of these baselines. In fact, default templates exist for three levels of security; default, secure, and high security for domain controllers, workstations, and servers. Security template settings mirror those available in Local Security Policy. Additional templates are available for web servers and other models. Templates may be customized by changing settings and adding new features. New templates can also be created. In the slide, mydomain, and mylocal represent custom templates. The red x’s indicate the results of an analysis of the current computer’s settings against a desired policy. Each container, when opened, documents variance from policy. The analysis does not modify settings on the host. 3 - 19
  20. Windows 2000 Security - SANS ©2001 20 Windows Update Other tools are available in the Support Tools folder on the Windows 2000 server CD-ROM, in the Windows 2000 Resource Kit, and online. Two important online sites are Windows Update and Windows 2000 Security (\technet\security) The Windows Update site, seen here, provides information on Critical and Recommended updates for Windows systems. With permission, the current machine can be scanned and Windows Update will recommend updates and then allow them to be run. Updates include service packs, newer device drivers, and security patches. Explanations are also available. While organizations should manage enterprise-wide updating of windows systems, this site is important to users of Windows who are not managed in this fashion. Similar updating is available for users of Microsoft Office. The Windows security site provides detailed security information and notice and explanation of security patches with links to free downloads. It also includes multiple free security tools. Detailed list of hardening steps for Windows systems is also available. You can sign up for a security bulletin list, which will email you as new security bulletins and patches are available. 3 - 20
Đồng bộ tài khoản