Windows 2000

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 21

Document description

As we begin to focus on Windows 2000 for the rest of this section, the three primary differences from Windows NT are: Active Directory, Group Policy, and templates. We will first introduce the Active Directory. Years ago, a standards organization called the CCITT (now International Telecommunication Union, or ITU) created a recommendation for a standard for a world wide directory service that was ratified by the International Organization for Standards (ISO).

Text content: Windows 2000

1. Windows 2000
Secure System Administration - SANS GIAC © 2000, 2001

As we begin to focus on Windows 2000 for the rest of this section, the three primary differences from Windows NT are: Active Directory, Group Policy, and templates. We will first introduce the Active Directory. Years ago, a standards organization called the CCITT (now International Telecommunication Union, or ITU) created a recommendation for a standard for a world wide directory service that was ratified by the International Organization for Standards (ISO). Please visit for further information. The standard was known as X.500. The ISO looked like they would supplant the TCP/IP protocol suite with their own Open Systems Interconnect (OSI) based model, but bad standards and engineering caused that effort to crash. The Internet’s reigning standards body is called the Internet Engineering Task Force (IETF) and it is well worth your time to visit and web sites. The IETF produced an alternate directory service to X.500 called LDAP.

CREDIT: If you are taking this for academic credit, develop a two-page paper on the Lightweight Directory Access Protocol, LDAP, its history and its workings.

2. Active Directory
• DNS Domain: collection of related hosts; the database is called a zone table
• NT 4.0 Domain: hosts that share an authentication database, the SAM and Security hives in the Registry
• Windows 2000 domain: collection of hosts with both a common DNS domain and security trust model; the database is the Active Directory

LDAP is of course the basis for Active Directory. Computers have been linked before, through NFS or NetBIOS shares. These file structures have been primitive and localized. LDAP or Active Directory scales to global proportions. Recall that you learned in “Information Security: The Big Picture” that DNS uses a large number of DNS servers, each authoritative for its own autonomous domain. This is exactly what Active Directory does. The data objects are stored as records in the Directory Database, NTDS.DIT. Almost everything is referred to in this system by its Common Name (cn), such as cn=Northcutt. Other designators include Domain Components (dc). These tie Active Directory to DNS. The LDAP name for an Active Directory domain for would be: dc=sans, dc=org. One last designator is the Organizational Unit (OU). Since GIAC is a division in SANS, you might have dc=sans, ou=giac. Printers, computers, files, policies, groups and users are all stored in the Active Directory. Every entry in the database belongs to and is affected by policies set at the Common Name, Domain Component and Organizational Unit levels, but since the Organizational Unit (or OU) is applied last, it is the most powerful place to implement policy.
3. Win 2000 Users and Groups
• Administrator
• Power Users
• Users
• Back-up Operators
• Special Groups
Local Users and Groups are not available on domain controllers. Use Active Directory Users and Computers to manage global users and groups.

In Windows 2000, you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders, or shutting down a computer. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner. When you create new user accounts and assign them to groups, there are important security issues since the groups have different security rights and permissions. To create a new user you can use NET USER (the full name contains a space, so it must be quoted):

    NET USER snorthc * /add /fullname:"Stephen Northcutt"

Now, what is wrong with this picture? We really should be adding snorthc into one of those OUs (organizational units) we discussed earlier, or we will have a mess of a directory and will have no hope of managing it past 25 or so users. In Windows 2000, just like with every operating system, there is more than one way to do almost anything. However, if you want to be able to manage the system over the long run, use Windows’ Management Consoles for system administration tasks. This applies to security as well. If there is no security policy for the rights and permissions we give users, directories and files, it makes it really hard to find problems.

4. Users and Power Users
To secure a Windows 2000 system, an administrator should:
• Make sure that end users are members of the Users group only.
• Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully.

Users cannot modify system-wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators. This is actually called a restricted user by the system. Users have full control over all of their own data files and their own portion of the registry (HKEY_CURRENT_USER).

Power Users: The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission. According to all the Windows documentation I have seen, Power Users can install or modify programs. In practice this does not appear to be so true; several installation wizards require the user to be Administrator. This is unfortunate, since the whole point of Power Users was to have a privileged user class that did not operate at the Administrator level.
5. Backup Operators

NTBackup is vastly improved over Windows 98 and Windows NT and is worth a close look. Start → Programs → Accessories → NTBackup. (Editor’s note: The NTBackup program is located at Start → Programs → Accessories → System Tools → Backup. It can also be accessed via Start → Run → ntbackup.exe. – JEK)

The non-Administrator group that can back up and restore all files is the group Backup Operators. This group is the same as in NT 4.0. Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings. Backing up and restoring data files and system files requires permissions to read and write those files. The same default permissions granted to Backup Operators that allow them to back up and restore files also make it possible for them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan Horse programs. Group Policy settings SHOULD be used to create an environment in which Backup Operators can only run a backup program.

(Editor’s note: Backup Operators are able to back up and restore files through two explicit Windows permissions: “Back up files and directories”, and “Restore files and directories”. The Backup Operators group (and the Administrators group) has both of these permissions by default. For security purposes, you may wish to remove the “Restore files and directories” permission from the Backup Operators group, and create a separate Restore Operators group that has only the “Restore” permission. – JEK)
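The distinction the notes draw between a right (checked on the user) and a permission (checked on the object) is what lets a Backup Operator read files whose ACL does not mention them. The model below is an added example, not course material: it encodes the default assignment the editor's note describes and the suggested split into separate backup and restore groups, and checks what each can do. Group names, file ACLs and principals are constructed for illustration.

```python
"""Rights versus permissions: why a backup right bypasses file ACLs.

Added example, not part of the SANS course. Groups, ACLs and users are
constructed; right names follow the wording in Local Security Policy.
"""
from dataclasses import dataclass
from typing import Dict, Set

BACKUP_RIGHT = "Back up files and directories"
RESTORE_RIGHT = "Restore files and directories"


@dataclass
class FileObject:
    name: str
    acl: Dict[str, Set[str]]  # principal or group -> {"read", "write"}


@dataclass
class Principal:
    name: str
    groups: Set[str]  # include the user's own name so per-user ACEs match


class RightsModel:
    def __init__(self, group_rights: Dict[str, Set[str]]):
        self.group_rights = group_rights

    def rights_of(self, who: Principal) -> Set[str]:
        rights: Set[str] = set()
        for group in who.groups:
            rights |= self.group_rights.get(group, set())
        return rights

    def can(self, who: Principal, action: str, target: FileObject) -> bool:
        """A right, when it covers the action, wins regardless of the
        object's ACL; otherwise the ACL decides."""
        rights = self.rights_of(who)
        if action == "read" and BACKUP_RIGHT in rights:
            return True
        if action == "write" and RESTORE_RIGHT in rights:
            return True
        return any(action in target.acl.get(g, set()) for g in who.groups)


def default_model() -> RightsModel:
    """Default assignment per the editor's note: both groups hold both rights."""
    return RightsModel({
        "Administrators": {BACKUP_RIGHT, RESTORE_RIGHT},
        "Backup Operators": {BACKUP_RIGHT, RESTORE_RIGHT},
    })


def split_model() -> RightsModel:
    """The editor's suggestion: Backup Operators keep only the backup
    right; a constructed Restore Operators group holds the restore right."""
    return RightsModel({
        "Administrators": {BACKUP_RIGHT, RESTORE_RIGHT},
        "Backup Operators": {BACKUP_RIGHT},
        "Restore Operators": {RESTORE_RIGHT},
    })


if __name__ == "__main__":
    doc = FileObject("kathy.doc", {"knorthc": {"read", "write"}})
    operator = Principal("bkop", {"Users", "Backup Operators"})
    for label, model in (("default", default_model()), ("split", split_model())):
        print(label, "read:", model.can(operator, "read", doc),
              "write:", model.can(operator, "write", doc))
```

Under the default model the operator can both read and overwrite a file that grants them nothing; under the split model they can still read it (backups still work) but no longer write to it. This is the risk the notes ask Group Policy to contain, expressed as a check you can run against a proposed group layout.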
6. Special Groups

Several additional groups are automatically created by Windows 2000.
• Interactive. This group contains any user that is logged on locally to the computer. During an upgrade to Windows 2000, members of the Interactive group will also be added to the Power Users group, so that legacy applications will continue to function as they did before the upgrade. (At least that was the plan; in our testing, the Power Users group doesn’t seem to have much difference from a “normal” User.)
• Network. This group contains all users who are currently accessing the system over the network.
• Terminal Server User. When Terminal Servers are installed in application serving mode, this group contains any users who are currently logged on to the system using Terminal Server. Any program that a user can run in Windows NT 4.0 will run for a Terminal Server User in Windows 2000. The default permissions assigned to the group were chosen to enable a Terminal Server User to run most legacy programs.
• Replicator. Members of this group are able to replicate folders across networked systems.

These default groups give us some management control already, but we can extend this with Group Policy. Groups are a powerful concept for security. On this slide we show a special group that I have created so that snorthc (Stephen) and knorthc (Kathy) can set our laptops up to replicate the MyDocuments folder we use on our laptops to each other’s laptop every time the systems are connected. I can even do this when I am on travel and connected to a hotel’s LAN or a terminal room. Kathy can see my replicated files on her computer. For this to work we are both members of the Replicator group. If I give someone else a login on my computer, they are not a member of the group and cannot see the replicated folders.

7. Group Policy
• Local Policies: \\%systemroot%\System32\GroupPolicy
• Active Directory Policies: \\%systemroot%\Sysvol\Sysvol\YourDomainName
• Container Classes:
  – Domain-DNS
  – Site
  – Container
  – Organizational Unit (OU)

Group Policies are stored in a container. The container classes are shown on the slide. The Active Directory is an object-oriented database and some of its objects contain other objects, some don’t. Container objects can hold other objects, and some directory objects hold other objects; however, file objects do not. Each of the classes on the slide has restrictions that keep them from being useful to structure directories. For instance, there can only be one Domain-DNS instance in any given domain, which makes sense ( != ). But it means you can’t use that as an organizational tool. OU is ideal for use as a general purpose container for directory structure. The OU, Domain, and Site containers can be linked to Group Policy and then all user and computer objects under that container inherit the policy. Policy is applied first to Sites, then Domains and finally to OUs.

[Editor’s note: you may see a reference to \\winnt\System32\GroupPolicy in Windows documentation. The reference on your slide is better practice. Not everyone uses \winnt as the install directory. Additionally, you should *never* have Active Directory on the same partition as the system drive (C:). One important reason is that the system drive has IIS installed, whether you want this to be or not. IIS has about as much security integrity as a screen door on a submarine. You don't want Active Directory, the "central nervous system" of W2K, anywhere near IIS. System stuff should go on C:, Active Directory stuff should go on D:, and everything else should go on E:.]
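Two ideas from slides 2 and 7 fit together: an object's LDAP name (cn, ou, dc components) tells you which containers it sits in, and Group Policy is applied Site, then Domain, then each OU from the top of the tree down, so the nearest OU sets the final value. The code below is an added example, not part of the course or of any Microsoft tool: it builds distinguished names from a DNS domain name and an OU path, reads the OU chain back out of a name, and applies a set of policy layers in that order. The domain, OU names, users and policy settings are constructed.

```python
"""Active Directory naming and Group Policy application order.

Added example, not part of the SANS course. Domain, OUs and the policy
settings below are constructed for illustration.
"""
from typing import Dict, List, Tuple


def dns_to_dn(dns_name: str) -> str:
    """DNS domain name -> LDAP domain components, e.g. 'sans.org' -> 'dc=sans,dc=org'."""
    labels = [label for label in dns_name.lower().split(".") if label]
    return ",".join(f"dc={label}" for label in labels)


def user_dn(cn: str, ou_path: List[str], dns_name: str) -> str:
    """Build a user's distinguished name. ou_path lists OUs from the top
    of the tree downward; LDAP writes the most specific component first,
    so the path is reversed in the name."""
    rdns = [f"cn={cn}"] + [f"ou={ou}" for ou in reversed(ou_path)]
    return ",".join(rdns) + "," + dns_to_dn(dns_name)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, most specific first."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.lower(), value))
    return pairs


def ou_chain(dn: str) -> List[str]:
    """OUs containing the object, from the domain root down to the
    nearest OU: the order in which Group Policy applies them."""
    return [value for attr, value in reversed(parse_dn(dn)) if attr == "ou"]


def effective_policy(dn: str, site_policy: Dict[str, object],
                     domain_policy: Dict[str, object],
                     ou_policies: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Apply Site, then Domain, then each OU from the root down. A later
    layer overrides any setting an earlier one set, so the OU closest
    to the object has the final word."""
    effective: Dict[str, object] = {}
    layers = [site_policy, domain_policy]
    layers += [ou_policies.get(ou, {}) for ou in ou_chain(dn)]
    for layer in layers:
        effective.update(layer)
    return effective


if __name__ == "__main__":
    dn = user_dn("snorthc", ["giac", "research"], "sans.org")
    print(dn)  # cn=snorthc,ou=research,ou=giac,dc=sans,dc=org
    print(effective_policy(
        dn,
        site_policy={"lockout_threshold": 10, "logon_banner": True},
        domain_policy={"lockout_threshold": 5},
        ou_policies={"giac": {"lockout_threshold": 4},
                     "research": {"logon_banner": False}},
    ))
```

Running it shows the lockout threshold set at the site (10) being overridden by the domain (5) and then by the giac OU (4), while the research OU, applied last, turns the banner off. A user created at the domain root with no OU (the NET USER example on slide 3) has an empty OU chain and receives only the site and domain layers, which is the management problem the notes warn about.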
8. Group Policy Editor

Start → Run → GPEDIT.MSC will launch the Group Policy Editor console. Templates are the recommended way to implement security for Windows 2000. Each policy has a name and can be configured or not. [Editor’s note: Templates are by default stored in \%systemroot%\security\templates, and they are usually invoked via the secedit command.] For instance, have you ever really taken a look at the security settings for Internet Explorer? It matters! There have been a number of serious security problems with Internet Explorer. You can limit your risk on your copy of Internet Explorer by Tools → Internet Options → Advanced, and move down to the Security section. For instance, SSL V.2 is vulnerable to man-in-the-middle cryptographic attacks. You could choose to uncheck it and find out which web servers haven’t bothered to upgrade. If you do a significant amount of purchasing over the Internet that might be a recommended thing to do. But that only changes your personal setting. It is possible to configure all users’ settings with Group Policy. For instance, suppose you have a proxy firewall for outbound World Wide Web access (a proxy is a security measure to keep users from directly connecting with web servers, since some of these are hostile). If the proxy port is 8000, you could either set every browser individually or you could run Group Policy Editor (GPEDIT.MSC → Internet Explorer Maintenance → Connections → Proxy) and configure all users to use the proxy port.

9. Browsers

One last word about browsers: almost everything is done through browsers or consoles. The command line is essentially obsolete. It looks like Microsoft tried to get to a single browser for both Internet and system and didn’t quite make it. A key point from a security point of view is that Internet surfing as a privileged user is really dangerous and should be avoided. The one exception is updating your computer. Windows 2000 and Windows ME rely on the browser-based Update facility to “patch” the operating system. So far, I am having to run update at least monthly to keep up with the security fixes. Since your browser is the primary way you interface with your Win2K computer’s operating system and the primary way you interface with other computers, it really makes sense to take the time to look at your security settings. We introduced the risk of SSL 2.0 in the previous slide; here is something else to be aware of. A great way to snag financial data or even web based server administration pages is to view the cached versions of encrypted pages (pages sent or received using SSL). It is a good idea to disable the saving of encrypted pages within Internet Explorer. Click Tools → Internet Options and click on the Advanced tab. Check the box marked “Do Not Save Encrypted Pages to Disk.”

10. Windows Update

This slide shows the update screen. The two places to check are Critical Updates and Recommended Updates. If you are running Microsoft Office products you will need to check for updates there as well; there are a number of security problems that must be patched.

11. Administrative Tools

The Administrative Tools selection has been moved from Start → Programs to the Control Panel. From here you can do most of your auditing and configuring for Windows 2000. Anything you can do with these tools can be done with templates, so you can more easily standardize your configuration if you are running a large number of systems with templates.

12. Administrative Tools (continued)

The tools are: Component Services, Computer Management, Data Sources (ODBC), Event Viewer, Local Security Policy, Performance, Services, and Telnet Server Administration. Computer Management is used the most for configuration. Performance is shown below:
13. Computer Management and Event Viewer

Control Panel → Administrative Tools → Computer Management is a great example of one of the consoles that can be used to manage a Windows 2000 system. This is a great way to learn how your system is set up and we strongly encourage you to spend some time poking around. When you use Computer Management as a Power User, not all of the options are shown, but you limit the harm you can cause to your operating system and this might be the best way to start. For instance, under System Information, you can see your installed software using Applications. Of course this may not be perfect. After I had installed a number of applications I ran this and was amused that only Microsoft products showed up here. One of the places to really spend some time learning your system is the Software Environment view. From there, if you select loaded modules, you will see that it really was worth your money to invest in the RAM upgrade to run your Windows 2000 system.

For logs to exist at all, the system must enable logging. Some auditing is turned on as a default (or at least it has been on all the systems I have looked at) but Control Panel → Administrative Tools → Local Security Policy (or a template in the Active Directory) allows you to do additional auditing. I would certainly activate logon events. (Editor’s note: Windows NT and Windows 2000 will write events to the System and Application logs by default. NO events will be written to the Security log by default, and it is strongly recommended that you enable security auditing. – JEK)

Now, on this slide, you see we are working with the Event Viewer. We have highlighted Application on the left and Warning on the right. The Event Source is COM+ (we will define COM on the next slide). The log says “Event Category: CRM. The CRM log file was originally created on a computer with a different name. It has been updated with the name of the current computer. If this warning appears when the computer name has been changed then no further action is required”. So this happened when I was setting up the network and named the computer. Spending some time with your Event Viewer is highly recommended for Windows 2000.
14. Component Services
• Application Types
  – COM
  – COM+
• Security Considerations
  – Distributed Transactions
  – Application Roles
  – Application Identity

A COM application example is Microsoft Excel, which consists of a primary executable and accompanying application extension DLLs (Dynamically Linked Libraries) for spell checking, Visual Basic functionality, and so on. These use the machine-wide security settings. COM+ applications, on the other hand, are groups of COM components developed and configured together to make use of Component Services such as queuing, role-based security, and so on. In addition, COM+ applications can be divided into two types, each with distinct administrative needs. There are COM+ server applications which run in their own process space (a group of DLLs that encapsulate payroll processing, for instance). We also have COM+ library applications. These run in another host's process space. These would be a group of DLLs that provide services to other application components, and that can share the security characteristics of those components. To enhance your control of security, you can use reference tracking to make additional security checks and keep track of additional information to keep objects from being accidentally or maliciously released too early.
15. Component Services
• Authentication Level
• Impersonation Level
• Access Permissions
• Launch Permissions
• Reference Tracking

Authentication Level: Authentication is the process by which client and server verify one another's identity using credentials, and by which they verify and encrypt data that passes between them. The authentication level setting indicates what degree of authentication is required for communication with an application (when it makes or receives calls). Higher authentication levels provide greater security and data integrity, though usually with some performance degradation. You should use caution in changing the authentication level: COM will negotiate the authentication level between client and server to be the maximum specified by either. However, this negotiation can fail if the client specifies the authentication level programmatically to a lower level than that required by the server. If you change the authentication level, it can potentially cause some calls to fail (for example, if you raise the server authentication to a level above that specified programmatically by a client). Such failures are often difficult to diagnose and to predict.

There is also a proxy, or impersonation level, where a process can work on a client’s behalf. Below is a list of the permissions and an additional security measure, reference tracking.

Access Permissions specify a list of users who are granted or denied access to COM applications. The machine-wide access permissions apply to all COM applications that do not specify their own access permissions. When setting access permissions, you must ensure that SYSTEM is included in the list of users that are granted access. If you have granted access permissions to Everyone, SYSTEM is included implicitly.

Launch Permissions specify a list of users who are granted or denied permission to launch, or start, COM applications. The machine-wide launch permissions apply to all COM applications that do not specify their own launch permissions. This does not affect COM+ applications.

Reference Tracking: When you enable reference tracking (also known as secure reference counting), COM will do additional security checks to authenticate reference count calls and will track additional information to prevent objects from being accidentally or maliciously released too early. Enabling reference tracking increases system security but can decrease performance.

[Slide by James Manion MWC]
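The negotiation rule and its failure case are easier to reason about as code. The block below is an added example, not course material and not a Microsoft API: it models the rule in the notes (the effective level is the maximum of the two sides, except that a level a client has fixed in code cannot be raised, so a fixed level below what the server requires fails) and the SYSTEM requirement on access permissions. The level values follow the RPC_C_AUTHN_LEVEL_* constants DCOM uses; treating the DEFAULT value as Connect, and the client inventory in the usage, are assumptions made for the example.

```python
"""COM authentication level negotiation and access-list sanity checks.

Added example, not part of the SANS course and not a Microsoft API.
Level numbers match the RPC_C_AUTHN_LEVEL_* constants; resolving
DEFAULT to CONNECT is an assumption for the example.
"""
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class AuthnLevel(IntEnum):
    DEFAULT = 0        # "use the machine-wide default"
    NONE = 1
    CONNECT = 2        # authenticate once, when the connection is made
    CALL = 3
    PKT = 4
    PKT_INTEGRITY = 5  # every packet signed
    PKT_PRIVACY = 6    # every packet signed and encrypted


def resolve(level: AuthnLevel, machine_default: AuthnLevel) -> AuthnLevel:
    """DEFAULT stands for the machine-wide setting, so substitute it."""
    return machine_default if level == AuthnLevel.DEFAULT else level


def negotiate_authn(client_level: AuthnLevel, server_required: AuthnLevel,
                    client_programmatic: Optional[AuthnLevel] = None,
                    machine_default: AuthnLevel = AuthnLevel.CONNECT
                    ) -> Optional[AuthnLevel]:
    """Level the call runs at, or None when the call fails.

    The result is the maximum of the two sides. A level the client fixed
    in code is not negotiated upward, so if it is below what the server
    requires the call fails, which is the case the notes warn about."""
    server = resolve(server_required, machine_default)
    if client_programmatic is not None:
        fixed = resolve(client_programmatic, machine_default)
        if fixed < server:
            return None
        return fixed
    return max(resolve(client_level, machine_default), server)


def access_list_ok(granted: Set[str]) -> bool:
    """Access permissions must include SYSTEM, explicitly or via Everyone."""
    return "SYSTEM" in granted or "Everyone" in granted


def clients_broken_by(new_server_level: AuthnLevel,
                      clients: Dict[str, Tuple[AuthnLevel, Optional[AuthnLevel]]]
                      ) -> List[str]:
    """Before raising a server's level, list the clients whose fixed level
    would stop working. clients maps a name to (configured level,
    programmatic level or None)."""
    return [name for name, (configured, fixed) in clients.items()
            if negotiate_authn(configured, new_server_level, fixed) is None]


if __name__ == "__main__":
    # Constructed inventory: one client hard-codes CALL in its code.
    inventory = {"payroll-ui": (AuthnLevel.CONNECT, AuthnLevel.CALL),
                 "reporting": (AuthnLevel.CONNECT, None)}
    print(clients_broken_by(AuthnLevel.PKT_INTEGRITY, inventory))  # ['payroll-ui']
```

The point of the last function is the "difficult to diagnose and predict" sentence in the notes: checking the inventory before raising the server's level turns a post-change outage into a pre-change list of clients to fix.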
16. What Are System Files?

In previous versions of Windows, applications often overwrote shared .dll files and .exe system files. (If you’ve worked with any version of Windows, you're probably very familiar with the term "DLL hell.") When installation programs mess with .dll, .exe, .sys, .ocx, .fon, and .ttf system files, your system can become unusable, and troubleshooting the problem can be a nightmare. And if you think that only third-party applications are guilty of overwriting your system files, think again. Many of Microsoft’s applications are notorious for overwriting system files – even files that other Microsoft software uses. The problem is that many applications (and Microsoft's are no exception) don't check existing system file versions before overwriting the files. Most vendors are interested in ensuring that their software runs without problems, and the software you installed most recently probably works flawlessly – but it might work at the expense of other applications. For example, if you install audio applications from competing vendors, the one you install last will have the best chance of working properly. Frankly, developers aren't solely to blame for these system-file problems – several other factors are involved, including OS limitations. The OS stability is more important than application stability, something Microsoft addresses in Win2K with Windows File System. Windows File System runs in the background and ensures that Win2K setup programs don't delete any important system files. By default, Win2K enables Windows File Protection. When a program attempts to delete or move a protected system file, Windows File Protection checks the digital signature of the file to ensure that it's a correct version. If it is not the correct version, Windows File Protection copies the file from the Win2K CD-ROM or from the %systemroot%\System32\Dllcache folder. Sometimes the system can't locate a file, so it prompts you for the location.

[Slide by James Manion MWC]

17. System File Checker (SFC)
• Prevents applications from overwriting or deleting important system files
• Ensures that your system files are up to date

The System File Checker (or SFC) is a command-line tool (that makes it a very odd duck in Windows 2000 since almost everything is done via the browser) that lets you scan your system and verify that the versions of your protected system files are up to date. If a protected system file has moved or has disappeared, SFC automatically replaces the file with the correct version from the Dllcache folder. This tool also lets you set the Windows File Protection cache file size. You must log on as an Administrator or be a member of the Administrators group to run SFC. As the previous slide showed, you can type sfc /? to see the options available to you with the SFC utility.

What if the file cache in the Dllcache folder becomes corrupted? sfc /scannow immediately scans the system files, sfc /scanonce scans the system files once, and sfc /scanboot scans protected system files every time you reboot your computer. If you've scheduled a scan and you change your mind, sfc /cancel cancels the scan. If you don’t want SFC to prompt you about each file that it intends to replace, use sfc /quiet. SFC gives you a couple of switches that let you manipulate the Windows File Protection cache. sfc /purgecache purges the file cache and scans all system files immediately. sfc /cachesize configures the size of the Windows File Protection cache. For example, to restrict the cache size to 2MB, type sfc /cachesize=2048. Finally, to return to the default Windows File Protection operation, type sfc /enable. In this mode, SFC automatically prompts you to restore the correct system file version whenever it detects that an application has overwritten a file. Don’t forget to enable this option before you exit the command prompt window.
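The mechanism slides 16 and 17 describe (a catalog of approved versions, a cache of known-good copies, and a scan that puts back anything overwritten or removed) can be shown end to end on a scratch directory. The block below is an added example, not course material and not how Windows File Protection is implemented: it stands in a SHA-256 digest for the digital signature check the notes mention, uses a temporary directory in place of %systemroot%\System32 and Dllcache, and constructs the file contents. It demonstrates the same sequence as sfc /scannow: detect the mismatch, restore from cache, and confirm a second scan finds nothing to do.

```python
"""Model of Windows File Protection's catalog-and-cache repair loop.

Added example, not part of the SANS course and not Microsoft's code.
A SHA-256 digest stands in for the digital signature check; directories
and file contents are constructed in a temporary location.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def file_digest(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


class ProtectionCache:
    """Catalog of protected files plus a directory of known-good copies
    (the role Dllcache plays in the notes)."""

    def __init__(self, cache_dir: str):
        self.cache_dir = cache_dir
        self.catalog: Dict[str, str] = {}  # file name -> approved digest

    def protect(self, src_path: str) -> None:
        """Record the current version as approved and keep a copy of it."""
        name = os.path.basename(src_path)
        shutil.copy2(src_path, os.path.join(self.cache_dir, name))
        self.catalog[name] = file_digest(src_path)

    def scan(self, system_dir: str) -> List[str]:
        """Like sfc /scannow: replace every protected file that is missing
        or differs from the approved version. Returns the names replaced."""
        replaced = []
        for name, approved in self.catalog.items():
            live = os.path.join(system_dir, name)
            cached = os.path.join(self.cache_dir, name)
            if os.path.exists(live) and file_digest(live) == approved:
                continue
            if file_digest(cached) != approved:
                # The notes' fallback is the install CD; here we just report it.
                raise RuntimeError(f"cached copy of {name} is also not the approved version")
            shutil.copy2(cached, live)
            replaced.append(name)
        return replaced


def demo() -> Tuple[List[str], List[str]]:
    """Protect two files, let an 'installer' overwrite one, scan twice."""
    root = tempfile.mkdtemp()
    try:
        sysdir = os.path.join(root, "system32")
        cache = os.path.join(root, "dllcache")
        os.makedirs(sysdir)
        os.makedirs(cache)
        sample = os.path.join(sysdir, "sample.dll")
        other = os.path.join(sysdir, "other.dll")
        with open(sample, "wb") as fh:
            fh.write(b"approved build of sample.dll")   # constructed content
        with open(other, "wb") as fh:
            fh.write(b"approved build of other.dll")
        wfp = ProtectionCache(cache)
        wfp.protect(sample)
        wfp.protect(other)
        with open(sample, "wb") as fh:                  # an installer drops an older build
            fh.write(b"older build copied by an installer")
        first = wfp.scan(sysdir)    # sample.dll is restored from the cache
        second = wfp.scan(sysdir)   # nothing left to repair
        return first, second
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # (['sample.dll'], [])
```

The check on the cached copy before restoring is the part worth keeping in mind when reading the "what if the cache becomes corrupted" question in the notes: a repair source has to be verified against the catalog too, otherwise sfc /purgecache and a rebuild from the install media is the only honest answer.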
18. Local Security Settings

Another tool available from Control Panel → Administrative Tools is the Local Security Settings console. If you are not part of a network and a domain, such as my Windows 2000 laptop that spends about half the time connected to the home network and half the time on the road, this is an area you really want to become familiar with. When you connect back to your network, your domain controller settings will override your local settings. This tool will show you both your local setting and also your effective setting. If the domain controller overrides your local setting, these will not match. On the slide we see that I am configuring a warning banner for logins. Since this is a laptop and I am traveling a lot, it might be a good idea to have a more stringent policy for the local settings than when I am at home with my alarm system, big dog, and neighbors that primarily work in high security government positions. For instance, I might want to have account lockout kick in after three or four failed logins.

We really can’t go into every tool. Some have a fairly special purpose, such as the ODBC applet. If you end up doing database management you will end up needing this tool. It allows you to link tables and locate database drivers. However, I find I can get along without it just fine!

19. Services

Most system tools are the same as in Windows NT. One change you’ll want to make in Windows 2000 is to disable unwanted services. So right-click My Computer and select Manage. From the Computer Management Console, go to Services and Applications and disable any services you don’t need.

20. Tools
• NET USER snorthc * /add
• Component Services
• Computer Manager
• Group Policy Editor
• ODBC
• SFC
• Local Security Settings
• NTBackup

And that is the end of our tour of Windows 2000. If you have not had a chance to begin working with this operating system, be sure and volunteer when your organization is looking for people to shake it down. It is not perfect by any means – it can make my 700 MHz SpeedStep Pentium III look like a 386 sometimes – but it is more stable than any Windows NT configuration I have had the privilege to work with. If I was buying computers for a new office or company, not yet saddled with legacy applications, I would use Windows 2000 in a heartbeat if I chose Windows at all. Right now, I am part of a huge team, over 70 people, trying to evaluate the template settings; it will be a while before the jury is in, but all in all, this is a well written, fairly securable operating system. Give it a go.
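Slide 13 says to enable auditing of logon events (the editor notes that the Security log is empty until you do), and this slide suggests an account lockout threshold of three or four failed logins. The block below is an added example, not course material: it reads a small constructed export of Security log records (Windows NT/2000 writes event 528 for a successful logon and 529 for a failed one with a bad user name or password) and reports the accounts that would trip a given threshold within a given window, which is how a lockout policy's threshold and reset window interact. The record layout, account names and timestamps are constructed; a real export would come from Event Viewer's save-as.

```python
"""Failed-logon review over a constructed Security log export.

Added example, not part of the SANS course. The CSV layout below
(time, event id, account, workstation) and all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SUCCESSFUL_LOGON = 528   # Windows NT/2000 Security log event ids
FAILED_LOGON = 529

SAMPLE_LOG = """\
2001-03-02 08:01:10,528,snorthc,LAPTOP1
2001-03-02 09:14:02,529,knorthc,LAPTOP1
2001-03-02 09:14:20,529,knorthc,LAPTOP1
2001-03-02 09:14:41,529,knorthc,LAPTOP1
2001-03-02 09:15:05,529,knorthc,LAPTOP1
2001-03-02 12:30:00,529,snorthc,LAPTOP1
2001-03-02 17:45:00,529,snorthc,LAPTOP1
"""


def parse_records(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, workstation = line.split(",")
        records.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "workstation": workstation,
        })
    return records


def accounts_reaching_threshold(records: List[dict], threshold: int = 4,
                                window: timedelta = timedelta(minutes=30)
                                ) -> Dict[str, int]:
    """Accounts whose failed logons reach `threshold` inside any span of
    `window` (the lockout threshold and reset window a policy sets).
    Returns account -> highest count seen in one window."""
    by_account: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        if rec["event_id"] == FAILED_LOGON:
            by_account[rec["account"]].append(rec["time"])
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # failures from this one onward that fall inside the window
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= threshold:
            flagged[account] = best
    return flagged


def auditing_looks_enabled(records: List[dict]) -> bool:
    """An export with no logon events at all usually means the audit
    policy was never set, not that the system was quiet."""
    return any(r["event_id"] in (SUCCESSFUL_LOGON, FAILED_LOGON) for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("auditing on:", auditing_looks_enabled(recs))
    print(accounts_reaching_threshold(recs, threshold=4))  # {'knorthc': 4}
```

With the constructed data, knorthc's four failures inside one minute reach a threshold of four, while snorthc's two failures hours apart never do; raising the threshold to five clears both. Running the same check against a real export before setting the lockout policy shows how often ordinary typing mistakes would lock out the laptop's own user.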