
Chapter 1

The Windows 2000 Server Security Migration Path

Brief Overview of Windows 2000 Server Security

Windows 2000 Server Security White Paper

Why the Change?

Differences in Windows 2000 Server Security

Problems and Limitations

What Is the Same?

Upgrading/Migrating Considerations

Network Security Plan

How to Begin the Process

Getting Started

Issues to Present to Your Manager

Proper Analysis

Timing

Cost

Resources

Summary

FAQs


This chapter includes:

·        Brief Overview of Windows 2000 Server Security

·        Windows 2000 Server Security White Paper

Brief Overview of Windows 2000 Server Security

Why should you worry about security in your network environment? There are several reasons. First, you need to be sure that only authorized users have access to your network. Without this level of security, anyone can use your network resources and possibly steal sensitive business data. Second, even if your network utilizes login security, a mechanism must be in place to protect data from users who do not need access to it. For example, personnel in the marketing department do not need access to data used by the payroll department. These two mechanisms help to protect network resources from damage and unauthorized access. As networks become more evolved and organizations are more dependent on them, additional protections must be put in place to maintain network integrity.

Security for Microsoft’s network operating system has been greatly enhanced with the arrival of Windows 2000 Server. It is obvious from the improvements that have been made in this version that the software giant does take security seriously. Some of the new features include:

·        Multiple methods of authenticating internal and external users

·        Protection of data stored on disk drives using encryption

·        Protection of data transmitted across the network using encryption

·        Per-property access control for objects

·        Smart card support for securely storing user credentials

·        Transitive trust relationships between domains

·        Public Key Infrastructure (PKI)

Windows 2000 Server Security White Paper

Windows 2000 Server security goes well beyond the security available in earlier versions of the network operating system. In today’s ever-changing global environment, the more security that can be provided by a network operating system, the better off the organizations that use it will be, since organizations depend heavily on their information systems.

Why the Change?

The change in security in Windows 2000 Server is necessary as more organizations use the operating system for mission-critical applications. The more widely an operating system is used in industry, the more likely it is to become a target. The weaknesses in Windows NT came under constant attack as it became more prevalent in industry. One group, L0pht Heavy Industries, showed how weak Windows NT’s password encryption for the LAN Manager hash was. Because the LAN Manager hash was always sent, by default, when a user logged in, it was easy to crack the password. It was good that L0pht Heavy Industries revealed this weakness in the network operating system. Microsoft made provisions for fixing the problem in a Service Pack release, but in Windows 2000 Server it has replaced the default authentication with Kerberos v5 for an all–Windows 2000 domain-controller-based network.

Differences in Windows 2000 Server Security

One of the enhancements to the security in Windows 2000 Server is that Windows 2000 Server supports two authentication protocols, Kerberos v5 and NTLM (NT LAN Manager). Kerberos v5 is the default authentication method for Windows 2000 domains, and NTLM is provided for backward compatibility with Windows NT 4.0 and earlier operating systems. (See Chapter 3, “Kerberos Server Authentication.”)

Another security enhancement is the addition of the Encrypting File System (EFS). EFS allows users to encrypt and decrypt files on their system on the fly. This provides an even higher degree of protection for files than was previously available using NTFS (NT File System) only. (See Chapter 6, “Encrypting File System for Windows 2000.”)

The inclusion of IPSec (IP Security) in Windows 2000 Server enhances security by protecting the integrity and confidentiality of data as it travels over the network. It is easy to see why IPSec is important; today’s networks consist not only of intranets, but also of branch offices, remote access for travelers, and, of course, the Internet. (See Chapter 7, “IP Security for Microsoft Windows 2000 Server.”)

Each object in the Active Directory can have its permissions controlled at a very high level of granularity. This per-property level of permissions is available at all levels of the Active Directory. (See Chapter 4, “Secure Networking Using Windows 2000 Distributed Security Services.”)

Smart cards are supported in Windows 2000 Server to provide an additional layer of protection for client authentication as well as providing secure e-mail. The additional layer of protection comes from an adversary’s needing not only the smart card but also the Personal Identification Number (PIN) of the user to activate the card. (See Chapter 8, “Smart Cards.”)

Transitive trust relationships are a feature of Kerberos v5 that are established and maintained automatically. Because transitive trusts rely on Kerberos v5, they are applicable only to Windows 2000 Server–only domains. (See Chapter 4.)

Windows 2000 Server depends heavily on Public Key Infrastructure (PKI). PKI consists of several components: public keys, private keys, certificates, and certificate authorities (CAs). (See Chapter 10, “Microsoft Windows 2000 Public Key Infrastructure.”)

For IT Professionals Only

Where Is the User Manager for Domains?

There are several changes to the tools used to administer the network in Active Directory. Users and groups are administered in a new way. Everyone who is familiar with User Manager for Domains available in Windows NT 4.0 and earlier versions will now have to get used to the Active Directory Users and Computers snap-in for the Microsoft Management Console (MMC) when they manage users in a pure Windows 2000 domain. The MMC houses several new tools used for managing the Windows 2000 Server environment such as the QoS Admission Control and Distributed File System. The MMC also includes old tools such as the Performance Monitor and Event Viewer. Table 1.1 shows the differences between some of the tools used in Windows NT 4.0 and those used in Windows 2000 Server.

Table 1.1 Tools Used in Windows NT 4.0 and Windows 2000 Server

Windows NT 4.0: User Manager for Domains
Windows 2000 Server: Active Directory Users and Computers is used for modification of user accounts. The Security Configuration Editor is used to set security policy.

Windows NT 4.0: System Policy Editor
Windows 2000 Server: The Administrative Templates extension to group policy is used for registry-based policy configuration.

Windows NT 4.0: Add User Accounts (Administrative Wizard)
Windows 2000 Server: Active Directory Users and Computers is used to add users.

Windows NT 4.0: Group Management (Administrative Wizard)
Windows 2000 Server: Active Directory Users and Computers is used to add groups. Group policy enforces policies.

Windows NT 4.0: Server Manager
Windows 2000 Server: Replaced by Active Directory Users and Computers.


Problems and Limitations

Windows 2000 Server maintains compatibility with downlevel clients (Windows NT 4.0, Windows 95, and Windows 98), so it uses the NTLM and LM authentication protocols for their logins. This means that the stronger Kerberos v5 authentication is not used for those systems. Because NTLM and LM are still used, the passwords for those users can be compromised. NTLMv2, released in Service Pack 4 for Windows NT 4, is not supported in Windows 2000. Figure 1.1 shows a packet capture of a Windows 98 client logging on to a Windows 2000 Server domain. The Windows 98 machine is sending out a broadcast LM1.0/2.0 LOGON Request.

Figure 1.1 This is how a Windows 98 client sends a LM1.0/2.0 LOGON request.

Figure 1.2 shows a Windows 2000 Server responding to the request sent by the Windows 98 client. The Windows 2000 Server responds with a LM2.0 Response to the logon request.

Figure 1.2 Windows 2000 Server responds with a LM2.0 Response to the Windows 98 logon request.

NTLM is also used to authenticate Windows NT 4.0, but LM is used to authenticate Windows 95 and Windows 98 systems. NTLM is used to authenticate logons in these cases:

·        Users in a Windows NT 4.0 domain authenticating to a Windows 2000 domain

·        A Windows NT 4.0 Workstation system authenticating to a Windows 2000 domain controller

·        A Windows 2000 Professional system authenticating to a Windows NT 4.0 primary or backup domain controller

·        A Windows NT 4.0 Workstation system authenticating to a Windows NT 4.0 primary or backup domain controller

The difficulty with using NTLM or LM as an authentication protocol cannot be overcome easily. The only way to avoid NTLM or LM at the moment is to replace the systems running earlier versions of Windows with Windows 2000 systems. This probably is not economically feasible for most organizations.

Windows NT 3.51 presents another problem. Even though it is possible to upgrade Windows NT 3.51 to Windows 2000 Server, Microsoft does not recommend running Windows NT Server 3.51 in a Windows 2000 Server domain, because Windows NT 3.51 has problems with authentication of groups and users in domains other than the logon domain.

What Is the Same?

Windows 2000 Server has grown by several million lines of code over the earlier versions of Windows NT, so it may be hard to believe that anything is the same as in the earlier versions. NTLM is the same as it was in earlier versions because it has to support downlevel clients.

Global groups and local groups are still present in Windows 2000 Server, with an additional group type added (see Chapter 5, “Security Configuration Tool Set”).

Otherwise, for security purposes, this is a new operating system with many new security features and functions for system administrators to learn about.

Upgrading/Migrating Considerations

Upgrading/migrating from Windows NT 4.0 to Windows 2000 Server is a totally different issue than it was when you upgraded from Windows NT 3.51 to Windows NT 4.0. Windows 2000 Server includes several new security features that were not present in any earlier version of Windows NT, so it is important to carefully consider, before implementation, exactly how you will take advantage of the new security features in the operating system.

Network Security Plan

One security item to consider before upgrading/migrating to Windows 2000 Server is the development of the Network Security Plan. Without it, you may not have as secure a network as possible, given the new tools available in Windows 2000 Server. Depending on the size of your network, you may actually need more than a single Network Security Plan. Organizations that span the globe may need a different plan for each of their major locations to fit different needs. Smaller organizations may find that they need only a single plan. No matter what size your organization is, a Network Security Plan is extremely important. Microsoft recommends that, as a minimum, these steps be included in your plan:

·        Security group strategies

·        Security group policies

·        Network logon and authentication strategies

·        Strategies for information security

Security group strategies are used to plan the use of the three group types: universal, global, and local. Universal is a new group that was not present in Windows NT 4.0, so make sure you include it in your plan (see Chapter 4). You need to decide how you will use the existing built-in groups and what new groups you will need to create when you formulate your Network Security Plan.

After you have defined the group strategies necessary for your organization, move on to the security group policies, including: Active Directory Objects, File System, Registry, System Services, Network Account, Local Computer, Event Log, and Restricted Groups. Group policy filters within your organization can control each of these items. It is best to minimize the number of group policies, because they must be downloaded to each computer during startup and to each user profile during logon. (See Chapter 5, “Security Configuration Tool Set.”)

The third step to plan for is the Network Logon and Authentication Strategies necessary for your organization. Will your organization utilize Kerberos logon, NTLM logon, smart card logon, or even certificate mapping? Depending on the makeup of your organization, Windows 2000 Server can operate in either mixed mode or native mode. NTLM is not available in native mode (see Chapter 4).

The fourth step is to develop Strategies for Information Security. This includes your organization’s Public Key Infrastructure, use of the Encrypting File System, authentication for remote access users, IPSec utilization, secure e-mail, security for your Web site, and, if applicable, the signing of software code.

Table 1.2 is a checklist that can help you create the Network Security Plan for your organization.

Table 1.2 Checklist for the Network Security Plan

Assignment (the Comments column is left blank for you to fill in):

·        What universal groups are necessary in the organization?

·        What global groups are necessary in the organization?

·        How will we utilize the built-in local groups?

·        What local groups are necessary in the organization?

·        What filters are necessary for group policies in the organization?

·        What policies are required for Active Directory objects in the organization?

·        What policies are required for the file system in the organization?

·        What policies are required for registries in the organization?

·        What policies are required for system services in your organization?

·        What policies are required for network accounts in the organization?

·        What policies are required for local computers in the organization?

·        What policies are required for Event Logs in your organization?

·        What policies are required for restricted groups in your organization?

·        How will we perform network logon and authentication in the organization?

·        What approach do we take with smart cards in the organization?

·        What approach do we take with certificate mapping in the organization?

·        How do we implement Public Key Infrastructure within the organization?

·        How do we implement the Encrypting File System in the organization?

·        How will we provide authentication for remote access users?

·        What approach do we take with IPSec in the organization?

·        What approach do we take with secure e-mail in the organization?

·        How do we protect the organization’s Web site?

·        How do we implement code signing in the organization?

How to Begin the Process

After determining the plan for network security, you need to test it in a controlled lab environment to ensure that it meets the needs of the organization before you implement the changes in a production environment. Failure to do this could result in catastrophe, both to the organization and to your job security.

The best way to test your Network Security Plan is to set up a lab that realistically mimics your existing network structure. For example, if your network consists of a Windows NT 4.0 PDC and three Windows NT 4.0 BDCs, as shown in Figure 1.3, then that is what you should strive to have in your test environment.

Figure 1.3 This is an example network layout to mimic for testing.

By realistically duplicating your existing network, you can easily uncover problems that may occur when you implement the upgrade for real, without any risk.

Getting Started

This procedure is applicable to both the test environment and the actual organization. Before you perform the upgrade, you must ensure that you have a good backup of each of your existing domain controllers in case something goes awry during the upgrade process. The first system that has to be upgraded in your existing environment is the primary domain controller. This is necessary so that the upgrade of the existing domain into a Windows 2000 domain can be successful. During the upgrade of the existing PDC, you must install Active Directory so that the data store, including the Kerberos authentication protocol, is installed. The existing Security Accounts Manager (SAM) is copied from the Registry to the new data store of the Active Directory. The installation process starts the Kerberos services, allowing it to process logon authentications. The domain is operating in the mixed mode of security, which means that it will honor both the Kerberos and NTLM authentication. Backup domain controllers recognize the new Windows 2000 Server as the domain master. The Windows 2000 server can synchronize security changes to the BDCs successfully.

After the PDC has been successfully upgraded, your staff can continue upgrading the rest of your BDCs until they all are Windows 2000 Servers, or they can leave the BDCs as Windows NT 4.0 systems if you want to continue operating using both operating systems. When you begin your rollout, you should continue migration for all of your BDCs to Windows 2000 Server, so that you can take full advantage of all the security features present in the operating system.

After you upgrade the domain controllers to Windows 2000 Server, you can start implementing the items in your Network Security Plan such as group policies and the implementation of PKI.

For IT Professionals Only

What Happened to My Backup Domain Controllers?

In a pure Windows 2000 domain there are no longer BDCs or a PDC; there are only member servers and domain controllers. Member servers do not perform user authentication or store security policy information. Each domain controller runs Active Directory, which stores all domain account and policy information. Each domain controller in the domain has read/write capability to Active Directory, so updates can be performed at any domain controller and then replicated out to the remaining domain controllers.

Issues to Present to Your Manager

It is important that your manager be involved in the Network Security Plan, as this determines how the network will be organized in the Windows 2000 environment. Without the support of your manager, you may have a difficult time implementing the necessary security measures for your organization.

Another issue to present to your manager is the question of operating in mixed mode or native mode. If you decide to switch over to native mode, your manager needs to know these things:

·        The domain controller that acts as the PDC cannot synchronize data with any remaining Windows NT BDCs.

·        Domain controllers no longer support NTLM authentication.

·        New Windows NT domain controllers cannot be added to the Windows 2000 domain.

·        Downlevel clients cannot log on to the Windows 2000 domain unless they utilize the Distributed Security Client.
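Before switching to native mode, it helps to know which clients still log on with LM or NTLM (the LM1.0/2.0 LOGON Request and LM2.0 Response frames of Figures 1.1 and 1.2) and would be cut off by the changes listed above. The following is an added example, not code from the book: it parses constructed frame-summary lines (the column layout is an assumption, loosely modelled on a protocol analyzer summary) and lists the hosts that only ever used downlevel authentication.

```python
import re
from collections import defaultdict

# Constructed frame summaries (not a real capture); columns are:
#   frame  source  destination  protocol  description
SAMPLE_FRAMES = """\
1  WIN98-01   *BROADCAST  NETLOGON  LM1.0/2.0 LOGON Request from client
2  W2K-DC1    WIN98-01    NETLOGON  LM2.0 Response to LOGON Request
3  NT4-WS07   W2K-DC1     NETLOGON  NTLM Challenge/Response logon
4  W2KPRO-12  W2K-DC1     KERBEROS  KRB_AS_REQ for user jdoe
5  W2K-DC1    W2KPRO-12   KERBEROS  KRB_AS_REP for user jdoe
6  WIN98-02   *BROADCAST  NETLOGON  LM1.0/2.0 LOGON Request from client
"""

# Only client-side logon requests are classified; server replies such as
# "LM2.0 Response" or KRB_AS_REP are ignored so that a domain controller is
# never counted as a client.
LOGON_PATTERNS = (
    ("LM", re.compile(r"^LM1\.0/2\.0 LOGON Request")),
    ("NTLM", re.compile(r"^NTLM\b")),
    ("Kerberos", re.compile(r"^KRB_AS_REQ\b")),
)

# Methods a native-mode domain controller no longer serves (per the chapter:
# NTLM is dropped, and downlevel clients need the Distributed Security Client).
DOWNLEVEL_ONLY = {"LM", "NTLM"}


def parse_frame(line):
    """Split one summary line into its columns; return None if malformed."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    _number, src, dst, proto, desc = parts
    return {"src": src, "dst": dst, "proto": proto, "desc": desc}


def classify_logon(desc):
    """Return the logon method a client request carries, or None otherwise."""
    for method, pattern in LOGON_PATTERNS:
        if pattern.search(desc):
            return method
    return None


def inventory(capture_text):
    """Map each client host to the set of logon methods it was seen using."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        frame = parse_frame(line)
        if frame is None:
            continue
        method = classify_logon(frame["desc"])
        if method is not None:
            seen[frame["src"]].add(method)
    return dict(seen)


def native_mode_blockers(host_methods):
    """Hosts that used only LM or NTLM; these lose logon once native mode is set."""
    return sorted(h for h, m in host_methods.items() if m and m <= DOWNLEVEL_ONLY)


if __name__ == "__main__":
    inv = inventory(SAMPLE_FRAMES)
    for host in sorted(inv):
        print(f"{host:10} {', '.join(sorted(inv[host]))}")
    print("blocks native mode:", native_mode_blockers(inv))
```

Run against a capture taken over a normal working day, the blocker list is the set of machines that need the Distributed Security Client or an upgrade before the mode switch.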

Proper Analysis

Before you implement Windows 2000 Server in your environment, you must perform a proper analysis that must take into consideration the timing, cost, and the resources necessary for the installation, especially the security features required for the organization.

Timing

Timing is very important for any new application, but especially for a network operating system. You must determine what effects it will have on the users of the network and how much time it will take to implement the new security features that are required for your organization. This is one reason it is good to begin with a controlled lab environment. This will give you a good idea of how long it will take to implement your plan in the production environment. Another issue to consider is other activity in your organization. If it is a particularly busy time of year, you may want to hold off the implementation until things calm down somewhat.

Cost

Cost analysis for upgrading to Windows 2000 Server goes well beyond the cost for the licenses. It must also include any hardware upgrades that are required, as well as the cost of training users and administrators in the use of the new features available in Windows 2000 domains, especially Active Directory and the new security features available with Distributed Security Services. You must determine whether the greater security available in Windows 2000 Server lessens the chance of downtime due to security incidents. With less downtime, the organization may experience greater productivity, which may lead to an increased return on investment.

Resources

Resources consist of both humans and hardware. Both must be analyzed to ensure that sufficient resources are available to implement and sustain the upgrade to Windows 2000 Server. Windows 2000 Server has higher minimum requirements than did previous versions of the operating system, so you may have to add new hardware or enhance the existing hardware in your organization. You also need to analyze the human resources that are available for implementing and administering the upgrade.

Summary

Windows 2000 Server adds a great number of security enhancements to those that were available in previous versions of the operating system. These enhancements include Public Key Infrastructure capabilities, the Kerberos v5 authentication protocol, smart card support, the Encrypting File System, and IPSec. These new additions to security are necessary to protect data as organizations start depending on their information technology infrastructure even more than in the past. Any vulnerability could wreak havoc on those mission-critical systems.

The Network Security Plan is vital to the upgrading of your network from Windows NT 4.0 to Windows 2000 Server. It must be carefully thought out so that your organization can take advantage of the new security features in Windows 2000 Server. If the plan is not thought out carefully, then the necessary security you desire may not be put into place. At a minimum your Network Security Plan must include security group strategies, security group policies, network logon and authentication strategies, and strategies for information security.

Before you upgrade to Windows 2000 Server in a production environment, you need to test it. The test environment should mimic the production environment so that you can obtain an accurate picture of how the implementation will affect the production environment. When you are satisfied with the results of your testing, you should carefully consider the timing of rolling out the upgrade to the production environment to ensure that there will not be an interruption during a particularly busy time for your organization.

FAQs

Q: Why do I have to upgrade my primary domain controller first?

A: The primary domain controller must be upgraded first to ensure a successful upgrade of a Windows NT domain to a Windows 2000 domain. Information from the Security Accounts Manager on the PDC is copied over to the data store of the Active Directory.


Q: How can I enable my Windows 98 clients to use Kerberos v5 authentication?

A: Install the Distributed Security Client on all of your Windows 98 clients.


Q: Can I still use Windows NT 4.0 backup domain controllers in a Windows 2000 domain?

A: Yes, Windows NT 4.0 BDCs can still be used in a Windows 2000 domain. One of the Windows 2000 Server domain controllers acts as a PDC emulator, so communication can occur to/from the Windows NT 4.0 BDCs.