Configuring Windows 2000 Server Security
Copyright 2000 by Syngress Media, all rights reserved
Contents
Chapter 1 The Windows 2000 Server Security Migration Path
Brief Overview of Windows 2000 Server Security
Windows 2000 Server Security White Paper
Why the Change?
Differences in Windows 2000 Server Security
Problems with and Limitations
What Is the Same?
Upgrading/Migrating Considerations
Network Security Plan
How to Begin the Process
Getting Started
Issues to Present to Your Manager
Proper Analysis
Timing
Cost
Resources
Summary
FAQs
Chapter 2 Default Access Control Settings
Introduction
Administrators Group
Users Group
Power Users Group
Configuring Security During Windows 2000 Setup
Default File System and Registry Permissions
Default User Rights
Default Group Membership
Summary
FAQs
Chapter 3 Kerberos Server Authentication
Introduction
Authentication in Windows 2000
Benefits of Kerberos Authentication
Standards for Kerberos Authentication
Extensions to the Kerberos Protocol
Overview of the Kerberos Protocol
Basic Concepts
Authenticators
Key Distribution Center
Session Tickets
Ticket-Granting Tickets
Services Provided by the Key Distribution Center
Subprotocols
AS Exchange
TGS Exchange
CS Exchange
Option Flags for KRB_AS_REQ and KRB_TGS_REQ Messages
Tickets
Proxy Tickets and Forwarded Tickets
Kerberos and Windows 2000
Key Distribution Center
Kerberos Policy
Contents of a Microsoft Kerberos Ticket
Delegation of Authentication
Preauthentication
Security Support Providers
Credentials Cache
DNS Name Resolution
UDP and TCP Ports
Authorization Data
KDC and Authorization Data
Services and Authorization Data
Summary
FAQs
Chapter 4 Secure Networking Using Windows 2000 Distributed Security Services
Introduction
The Way We Were: Security in NT
A Whole New World: Distributed Security in Windows 2000
Distributed Services
Open Standards
Windows 2000 Distributed Security Services
Active Directory and Security
Advantages of Active Directory Account Management
Managing Security via Object Properties
Managing Security via Group Memberships
Active Directory Object Permissions
Relationship between Directory and Security Services
Domain Trust Relationships
Delegation of Administration
Fine-Grain Access Rights
Inheritance of Access Rights
Multiple Security Protocols
NTLM Credentials
Kerberos Credentials
Getting a Ticket to Ride
Private/Public Key Pairs and Certificates
Other Supported Protocols
Enterprise and Internet Single Sign-on
Security Support Provider Interface
Internet Security for Windows 2000
Client Authentication with SSL 3.0
Authentication of External Users
Microsoft Certificate Services
CryptoAPI
Interbusiness Access: Distributed Partners
Summary
FAQs
Chapter 5 Security Configuration Tool Set
Introduction
Security Configuration Tool Set Overview
Security Configuration Tool Set Components
Security Configuration and Analysis Snap-in
Security Setting Extensions to Group Policy
Security Templates
The secedit.exe Command Line Tool
Security Configurations
Security Configuration and Analysis Database
Security Configuration and Analysis Areas
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Security Configuration Tool Set User Interfaces
Security Configuration and Analysis Snap-in
The Security Settings Extension to the Group Policy Editor
The secedit.exe Command Line Tool
Configuring Security
Account Policies
Local Policies and Event Log
Event Log
Restricted Groups
Registry Security
File System Security
System Services Security
Analyzing Security
Account and Local Policies
Restricted Group Management
Registry Security
File System Security
System Services Security
Group Policy Integration
Security Configuration in Group Policy Objects
Additional Security Policies
Using the Tools
Using the Security Configuration and Analysis Snap-in
Using Security Settings Extension to Group Policy Editor
Summary
FAQs
Chapter 6 Encrypting File System for Windows 2000
Introduction
Using an Encrypting File System
Encryption Fundamentals
How EFS Works
User Operations
File Encryption
Assessing an Encrypted File
Copying an Encrypted File
COPY Command
Moving or Renaming an Encrypted File
Decrypting a File
Cipher Utility
Directory Encryption
Recovery Operations
EFS Architecture
EFS Components
The Encryption Process
The EFS File Information
The Decryption Process
Summary
FAQs
Chapter 7 IP Security for Microsoft Windows 2000 Server
Introduction
Network Encroachment Methodologies
Snooping
Spoofing
TCP/IP Sequence Number Attack
Password Compromise
Denial of Service Attacks
TCP SYN Attack
SMURF Attack
Teardrop Attack
Ping of Death
Man-in-the-Middle Attacks
Application-Directed Attacks
Compromised Key Attacks
IPSec Architecture
Overview of IPSec Cryptographic Services
Message Integrity
Message Authentication
Confidentiality
IPSec Security Services
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Security Associations and IPSec Key Management Procedure
IPSec Key Management
Deploying Windows IP Security
Evaluating Information
Evaluating the “Enemy”
Determining Required Security Levels
Building Security Policies with Customized
Building an IPSec MMC
Flexible Security Policies
Rules
Flexible Negotiation Policies
Filters
Creating a Security Policy
Making the Rule
Compatibility Notes
Summary
FAQs
Chapter 8 Smart Cards
Introduction
Interoperability
ISO 7816, EMV, and GSM
PC/SC Workgroup
The Microsoft Approach
A Standard Model for Interfacing Smart Card Readers and Cards with PCs
Device-Independent APIs for Enabling Smart-Card-Aware Applications
Integration with Various Microsoft Platforms
Smart Card Base Components
Service Providers
Cryptographic Service Providers
Smart Card Service Providers
Cards
Resource Manager
Enhanced Solutions
Client Authentication
Public-Key Interactive Logon
Smart Card Reader Installation
Smart Card Certificate Enrollment
Smart Card Logon
Secure E-Mail
Summary
FAQs
Chapter 9 Microsoft Windows 2000 Public Key Infrastructure
Introduction
Concepts
Public Key Cryptography
Public Key Functionality
Digital Signatures
Authentication
Secret Key Agreement via Public Key
Bulk Data Encryption without
Protecting and Trusting Cryptographic Keys
Certificates
Certificate Authorities
Certificate Types
Trust and Validation
Windows 2000 PKI Components
Certificate Authorities
Certificate Hierarchies
Deploying an Enterprise CA
Trust in Multiple CA Hierarchies
Enabling Domain Clients
Generating Keys
Key Recovery
Certificate Enrollment
Renewal
Using Keys and Certificates
Roaming
Revocation
Trust
PK Security Policy in Windows 2000
Trusted CA Roots
Certificate Enrollment and Renewal
Smart Card Logon
Applications Overview
Web Security
Secure E-mail
Digitally-Signed Content
Encrypting File System
SmartCard Logon
IP Security (IPSec)
Preparing for Windows 2000 PKI
Summary
FAQs
Chapter 10 Windows 2000 Server Security Fast Track
Introduction
What Is Windows 2000 Server Security, and Why Do You Need to Know About It?
How Do You Spell “Security”?
Authentication
Authorization
Privacy
Integrity
Auditability
The Component Security Model
Bringing It All Together: A Security Policy
The Historical Perspective: A Review of Authentication
Authorization
Privacy
Integrity
Auditability
Important Features or Design Changes
Industries and Companies Affected by Windows 2000 Security
Advantages and Disadvantages
Advantages of Windows 2000 Server Security
Problems with Windows 2000 Server Security
Windows 2000 and Security
FAQs
Index