Planning Server Security

Server Roles Review


The physical hardware and logical components of the network provide connectivity, routing and
switching, network security, and access control. This infrastructure has to exist before the servers
that support the services and applications your users need can be deployed into it. Windows Server
2003 installs a base set of features and tools; the services and capabilities an organization actually
needs are added to a server afterwards. Windows Server 2003 introduced server roles for this purpose.
A server role groups related administrative tasks and provides a specific capability or function to the
network design. When you configure a server for a role, the additional services, features and tools
the role needs are installed, so that the server can provide the required services to your users. A
server can hold several roles; the applications the server runs determine its role. From a security
standpoint, every role added to a server also adds listening services and attack surface, so a server
should carry only the roles it is actually required to provide.

A few common server roles are listed below. For Windows Server 2003 you configure these roles with
the Configure Your Server Wizard, reached from the Manage Your Server utility:
• File server role; the file server role is responsible for storing data for network users, and
providing access to files stored on the file server. File servers enable users to store files in
a centralized location, and enables a user to share files with another user.
• Print server role; this role enables administrators to configure network printing
capabilities for the network and manage printing functions on the network. The print
server is the computer where the print drivers are located that manage printing between
printers and client computers. The print servers manage the print queues, and can also
supply audit logs on jobs printed by users.
• Application server role; the application server role makes Web applications and
distributed applications available to users. A Web server typically hosts a copy of a
World Wide Web site and can also host Web based applications. Internet Information
Services 6.0 (IIS 6.0), introduced with Windows Server 2003, is Microsoft's integrated Web
server for creating and managing Web sites and for sharing and distributing information
over the Internet or an intranet. Unlike earlier versions, IIS 6.0 is not installed by default
on Windows Server 2003 and, once installed, serves only static content until the required
Web Service Extensions (ASP, ASP.NET, and so on) are explicitly enabled.
• Mail server role; the mail server role provides e-mail services for the network, by
providing the functionality needed for users to send and receive e-mail messages. Mail
servers store e-mail data, process client requests and receive incoming e-mail from the
Internet. The Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3)
TCP/IP based protocols are installed when you configure the mail server role.
• Terminal server role; Terminal Services lets a server operate as an application server
that remote clients connect to and run sessions on. The applications run on the Terminal
Services server: when a client connects, a Terminal Services session is created for it and
all processing is handled on the server, so clients need relatively little bandwidth on the
underlying network. Because users run interactive sessions on the server itself, this role
should not be combined with the domain controller role.
• Remote access server/VPN server; the Windows Server 2003 remote access and VPN
server role can be used to provide remote access to clients through dial-up connections or
through Virtual private networks (VPNs). The Windows Server 2003 Routing and
Remote Access Service (RRAS) server provides a number of features and capabilities,
including LAN-to-LAN routing, LAN-to-WAN routing, Virtual private network (VPN)
routing, Network Address Translation (NAT) routing, additional routing features such as
IP multicasting and packet filtering, and can assign DHCP addresses to RRAS clients.

• Domain controller role; a domain controller is a computer running Windows 2000 or
Windows Server 2003 that holds a writable replica of the Active Directory domain directory
and maintains the Active Directory data store. Domain controllers also hold the security
policy of the domain and provide security for the domain by authenticating user logon
attempts. Because every domain controller holds a complete, writable copy of the domain's
account database, compromise of any one domain controller is compromise of the whole
domain, which is why physical security and a minimal set of additional roles matter most
on these servers. Specific roles can be assigned to domain controllers within a domain and
forest. Domain controllers that are assigned special master roles are called Operations
Masters; they host the master copy of specific data in Active Directory and replicate it to
the remaining domain controllers. The master roles are the Schema Master, Domain Naming
Master, Relative ID (RID) Master, PDC Emulator, and Infrastructure Master. In addition,
the Global Catalog (GC) role can be enabled on a domain controller. A global catalog
server stores a full replica of all objects in its own domain and a partial replica of the
objects in every other domain in the forest; the partial replica holds the attributes that are
most frequently searched for.
• DNS server role; the DNS server role resolves domain names to IP addresses and IP
addresses to domain names. A DNS server is a computer running the DNS service. The
information in its DNS database pertains to a portion of the DNS domain tree structure, or
namespace, and is used to answer client name resolution requests. A DNS server is
authoritative for the contiguous portion of the namespace it hosts. The DNS server roles
you can configure are the standard primary DNS server, standard secondary DNS server,
caching-only DNS server, master DNS server (the source a secondary pulls zone transfers
from), and dynamic DNS server.
• WINS server role; a WINS server is an enhanced NetBIOS name server designed by
Microsoft to resolve NetBIOS computer names to IP addresses, and vice versa. A WINS
enabled client can communicate with a WINS server located anywhere on the internetwork.
All Windows operating systems prior to Windows 2000 require NetBIOS name support;
Windows 2000 was the first Windows operating system on which NetBIOS naming was no
longer required. You may still need to provide NetBIOS name resolution for legacy
applications.
• DHCP server role; the primary function of a DHCP server is to automatically assign IP
addresses to DHCP clients. Besides the address itself, the DHCP server can hand out
TCP/IP configuration to clients, including the subnet mask, default gateway address, DNS
server addresses, and WINS server addresses.
• Streaming media server; the streaming media role provides media services so that clients
can access streaming audio and video. The Windows Media Services is used to provide
media services to clients, and can be configured on server platforms, and on enterprise
platforms.
Selecting the Operating System (OS)
For each of the server roles described above, you need to decide which security configuration to
apply to that role. One of the first things to settle when planning server security is which Windows
operating system (OS) the organization will use, because each operating system offers a different
set of security features with which server security can be implemented.
The Windows server operating systems are listed below, together with the minimum system
requirements for installing each specific operating system. For you to install a particular
Windows operating system for a server, the particular server should meet the minimum system
requirements of the particular operating system:
• Windows NT Server 4:
○ Processor; 486/33 MHz or higher Pentium; OR Pentium Pro
○ Hard disk; For Intel/compatible systems 125MB minimum available hard disk
space. For RISC based systems 160MB minimum available hard disk space
○ RAM; 16MB (recommended, 32MB).
○ CPU; Retail, up to 4 CPUs. Hardware vendor, up to 32 CPUs.
• Windows 2000 Server:
○ Processor; 133 MHz or higher Pentium compatible
○ Hard disk; 2GB, 1GB free space
○ RAM; 128MB (recommended, 256MB; maximum 4GB)
○ CPU; 4 CPUs
• Windows 2000 Advanced Server:
○ Processor; 133 MHz or higher Pentium compatible
○ Hard disk; 2GB, 1GB free space
○ RAM; 128MB (recommended, 256MB; maximum 8GB)
○ CPU; 8 CPUs
• Windows 2000 Datacenter:
○ Processor; Pentium III Xeon or higher
○ Hard disk; 2GB, 1GB free space
○ RAM; 256MB
○ CPU; 4 CPUs - 8-way capable or above server
• Windows Server 2003 Standard Edition:
○ Processor; 133 MHz or higher Pentium compatible
○ Hard disk; 1.5GB
○ RAM; 128MB (recommended, 256MB)
○ CPU; 4 CPUs
• Windows Server 2003 Enterprise Edition:
○ Processor; For Itanium computers 733 MHz. For x86 computers 133 MHz.
○ Hard disk; For Itanium computers 2GB. For x86 computers 1.5GB.
○ RAM; 128MB (recommended, 256MB)
○ CPU; 8 CPUs
• Windows Server 2003 Web Edition:
○ Processor; 133 MHz or higher Pentium compatible
○ Hard disk; 1.5GB
○ RAM; 128MB (recommended, 256MB)
○ CPU; 2 CPUs
• Windows Server 2003 Datacenter Edition:
○ Processor; For Itanium computers 733 MHz. For x86 computers 400 MHz.
○ Hard disk; For Itanium computers 2GB. For x86 computers 1.5GB.
○ RAM; 512MB
○ CPU; 8-way capable or above, up to 64.
As mentioned previously, each Windows server operating system provides different features, and
different security configurations which can be enabled to enhance server security and network
security. Therefore, before deciding on the operating system to utilize, you have to know which
server system functionality and security features are required for your network design, as
determined by the organization's requirements. Each Windows server system version that was
introduced is accompanied by new features and additional security enhancements. This concept
is illustrated in the remainder of this Section of the Article.
The editions of Windows 2000 were designed for increased system reliability, availability, and
scalability.
• Windows 2000 Server: Windows 2000 Server is an application, print, file and Web server
OS (the matching desktop OS is Windows 2000 Professional). It includes a new file
encryption system and better management tools than those provided by Windows NT, as
well as additional server capabilities. Windows 2000 includes infrastructure services based
on the Active Directory service. Data encryption over the network (IPSec) and in the file
system (EFS) was first provided in Windows 2000 Server.
• Windows 2000 Advanced Server: This edition builds on the features of Windows 2000
Server to offer enhanced scalability and higher availability, which makes it suitable for
larger organizations that need high availability for mission critical data.
• Windows 2000 Datacenter Server: This edition includes all the features of Windows 2000
Advanced Server and adds support for more processors and memory and for larger clusters.
It is intended for large data warehouses and online transaction processing (OLTP).
Windows 2000 Server supports enhanced TCP/IP networking services such as Dynamic DNS
(DDNS), Dynamic Host Configuration Protocol (DHCP), Automatic Private IP Addressing
(APIPA), and Windows Internet Name Service (WINS) for backward support in mixed mode
environments. Windows 2000 Server also provides Internet Information Services (IIS),
Distributed File System (DFS), Routing and Remote Access for policy based management of
remote access servers, the Terminal Services feature, Removable Storage for managing
removable media, Services for Macintosh, Gateway Services for NetWare, and Services for Unix
for interoperability in a heterogeneous network environment. Windows 2000 also supports Open
Database Connectivity (ODBC) software, Message Queuing Services, and Component Object
Model (COM+). This makes it possible for new applications to interoperate with existing
software and data. Windows 2000 includes new printers, modem and hardware drivers which
further simplifies hardware installation, and makes it more effective. Windows 2000 includes
support for USB, IEEE 1394, and Advanced Configuration and Power Interface (ACPI) device
configuration and power management. Windows 2000 can support device types that are
cumbersome to use in Windows NT, and includes a bidirectional parallel port driver that enables
communication with many more devices. Windows 2000 includes the Plug and Play (PnP)
feature. Windows 2000 supports the Win32 Driver Model (WDM) and the device driver signing
feature. Lastly, Windows 2000 provides the NTFS version 5 features and security enhancements.
The Kerberos authentication protocol is the default authentication protocol for Windows 2000,
Windows XP Professional, and Windows Server 2003; it was first introduced in Windows 2000.
Kerberos uses mutual authentication to verify:
• the identity of the user to the service, and
• the identity of the service to the user.
Whether the authenticated user may then access a particular resource is decided by the resource
itself, using the authorization data carried in the ticket.
Kerberos authentication offers improved security over the NTLM authentication protocol,
including the following:
• Delegated authentication enables a service to act on a client's behalf (impersonate it)
when accessing network resources.
• Mutual authentication makes it possible for the server to be authenticated to the client,
not only the client to the server.
• A server can authenticate a client with no need to contact a domain controller, because
the ticket it receives is encrypted with its own key.
• Transitive trust applies between domains within the same forest, and between forests
joined by a forest trust relationship.
Kerberos version 5 uses 'tickets' to authenticate valid network users and provides mutual
authentication between users and resources. Kerberos depends on the Key Distribution Center
(KDC) to issue tickets. Each client uses DNS (SRV records) to find the closest available KDC from
which to obtain a ticket. By default a ticket is valid for at most 10 hours, after which it must be
renewed or reissued. The KDC runs as a service on every domain controller, as part of Active
Directory, and manages the database of security account information for every security principal
in the domain. For each principal the KDC holds a cryptographic key known only to that principal
and the KDC. This key, called the long-term key, is derived from the principal's logon password and
is used whenever the KDC and the principal interact. The key is therefore exactly as strong as the
password it is derived from: a weak user password can be guessed offline from captured Kerberos
pre-authentication data. Because each domain controller in a Windows Server 2003 domain
operates as a KDC, the KDC is fault tolerant within the domain.
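The ticket exchange described above, as an added Python example that is not code from the article: a client derives its long-term key from its password, proves it to the KDC with an encrypted timestamp (pre-authentication), receives a TGT, trades it for a service ticket, and presents that to a file service, which validates it with only its own key and answers with an AP-REP that gives the client mutual authentication. The key derivation and the sealing routine are demonstration constructions built from hashlib/hmac (not the RFC 3961/4757 cipher suites), and the realm CORP.EXAMPLE, the principals alice, krbtgt and cifs/fs1 and the password are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "CORP.EXAMPLE"        # assumed realm / domain name, not from the article
TICKET_LIFETIME = 10 * 3600   # Windows default maximum ticket lifetime: 10 hours
MAX_SKEW = 300                # Windows default permitted clock skew: 5 minutes


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key derived from the logon password (demo KDF; real Kerberos uses RFC 3961/4757)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def seal(key: bytes, fields: dict) -> bytes:
    """Demo authenticated encryption: SHA-256 keystream XOR, then HMAC over nonce and ciphertext."""
    data = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    body = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError if the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(body) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))


def check_ticket(own_key: bytes, ticket: bytes, authenticator: bytes) -> dict:
    """Validate a ticket plus authenticator using only the verifier's own key: no DC round trip.
    The ticket is sealed with the verifier's long-term key, the authenticator with the session key inside it."""
    t = unseal(own_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(time.time() - auth["timestamp"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket")
    return {**t, "auth_timestamp": auth["timestamp"]}


class KDC:
    """Key Distribution Center: every domain controller runs one over the same account database."""

    def __init__(self, keys: dict):
        self.keys = keys   # security principal -> long-term key, as stored in Active Directory

    def as_exchange(self, client: str, preauth: bytes):
        """AS-REQ/AS-REP: issue a TGT once the client proves it knows its long-term key."""
        ts = unseal(self.keys[client], preauth)["timestamp"]   # a wrong password fails right here
        if abs(time.time() - ts) > MAX_SKEW:
            raise ValueError("pre-authentication timestamp outside permitted clock skew")
        session, expires = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session, "expires": expires})
        return tgt, seal(self.keys[client], {"key": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: exchange a valid TGT for a ticket to a named service."""
        t = check_ticket(self.keys["krbtgt"], tgt, authenticator)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session, "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """AP-REQ/AP-REP on the application server; the AP-REP is what gives the client mutual authentication."""
    t = check_ticket(service_key, ticket, authenticator)
    return t["client"], seal(bytes.fromhex(t["key"]), {"timestamp": t["auth_timestamp"]})


def logon_and_access(kdc: KDC, user: str, password: str, service: str, service_key: bytes):
    """Client side of the three exchanges; returns (name the service saw, mutual authentication succeeded)."""
    user_key = string_to_key(password, REALM + user)
    tgt, enc_part = kdc.as_exchange(user, seal(user_key, {"timestamp": time.time()}))
    tgt_key = bytes.fromhex(unseal(user_key, enc_part)["key"])
    ticket, enc_part = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user, "timestamp": time.time()}), service)
    svc_key = bytes.fromhex(unseal(tgt_key, enc_part)["key"])
    stamp = time.time()
    seen_as, ap_rep = service_accept(service_key, ticket, seal(svc_key, {"client": user, "timestamp": stamp}))
    return seen_as, unseal(svc_key, ap_rep)["timestamp"] == stamp


def demo(typed_password: str = "Pa55w.rd", real_password: str = "Pa55w.rd"):
    """Build a one-user domain (constructed data) and run one logon plus one service access."""
    keys = {"alice": string_to_key(real_password, REALM + "alice"),
            "krbtgt": os.urandom(32), "cifs/fs1": os.urandom(32)}
    return logon_and_access(KDC(keys), "alice", typed_password, "cifs/fs1", keys["cifs/fs1"])


if __name__ == "__main__":
    print(demo())   # ('alice', True); demo(typed_password="wrong") raises ValueError at pre-authentication
```

Two points worth noticing when running it: the file service never talks to the KDC, it only needs its own key, and a wrong password is rejected at the first exchange before any ticket exists. The TGT's contents are opaque to the client, which is exactly why the krbtgt key must stay secret: anyone holding it can mint tickets for any principal.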
Windows Server 2003 still supports the NTLM authentication protocol for compatibility with earlier
operating systems such as Windows NT 4. Secure Sockets Layer/Transport Layer Security (SSL/TLS)
and digest authentication are typically used for Web applications. SSL/TLS is based on X.509
public-key certificates; it always authenticates the server to the client and can also authenticate
the client to the server when the client presents its own certificate.
Windows 2000 also introduced support for smart cards, which is carried forward in Windows Server
2003. A smart card is a credit card sized hardware token that holds a private key and certificate;
because the key never leaves the card and use of the card requires a PIN, it adds a second factor
to applications and security protocols.
Smart cards provide the following:
• A secure method of user authentication
• Interactive logon
• Remote access logons
• Administrator logons
• Secure code signing
• Secure e-mail
In network environments, smart cards are typically used for the following purposes:
• Logging on to a computer (Kerberos PKINIT)
• Encrypting and signing e-mail
• Encryption of disk files through EFS (in Windows 2000 and Windows Server 2003 the EFS key
is a software key in the user's profile; storing EFS keys on a smart card was added in later
Windows versions)
Active Directory is in fact the most important feature introduced in Windows 2000, because it
brought a few important changes to domain structure. Active Directory domains use the DNS naming
structure rather than the NetBIOS naming structure of Windows NT domains, and because of DNS they
are arranged in a hierarchical model. A domain tree is a hierarchically structured group of domains
sharing a contiguous namespace; a grouping of trees, whose namespaces need not be contiguous, is a
forest. Trust relationships can also be defined between forests to facilitate communication.
With the release of Microsoft Windows Server 2003 quite a few enhancements and features were
introduced that were not previously available in Windows 2000 Active Directory. These
enhancements were aimed at improving the scalability, efficiency, speed and performance of
Active Directory, and addressed a few deficiencies or shortcomings of the earlier version of
Active Directory utilized in Windows 2000 Server. When a domain controller running Windows
Server 2003 is created, a number of Active Directory basic features are immediately installed
and available to the Windows Server 2003 domain controller. Certain other Active Directory
features are only available when particular conditions exist in the network.
Whether additional Active Directory features can be enabled depends on the following conditions:
• The operating system (OS) running on the domain controller.
• The domain functional level. In Windows 2000 Active Directory, the domain mode
terminology was utilized.
• The forest functional level.
• Whether the functional level is raised for the domain only, or for the forest.
Domain and forest functional levels provides the means by which you can enable additional
domain-wide and forest-wide Active Directory features, remove outdated backward
compatibility within your environment, and improve Active Directory performance and security.
The domain functional levels that can be set for Active Directory in Windows Server 2003 are
listed below. The Windows 2000 Mixed and Windows Native domain functional levels were
available in Windows 2000 to enable backward compatibility to operating systems such as
Windows NT 4.0. The latter two functional levels are only available with Windows Server 2003.
• Windows 2000 Mixed: This is the default functional level when you install a Windows
Server 2003 domain controller. Only the basic Active Directory features are available at
this level: local, global and distribution groups, distribution group nesting, Global Catalog
support, and up to 40,000 domain objects.
• Windows 2000 Native: At this level, Windows NT backup domain controllers are no longer
supported as domain controllers in the domain; only Windows 2000 and Windows Server 2003
domain controllers are. The main difference between Windows 2000 Mixed and Windows 2000
Native is that security group nesting, universal security groups, and SID history
(SIDHistory) are not available in Windows 2000 Mixed but are in Windows 2000 Native.
• Windows Server 2003 Interim: This functional level is used when Windows NT domains
are directly upgraded to Windows Server 2003. Windows Server 2003 Interim is
basically identical to Windows 2000 Native. The key point to remember on Windows
Server 2003 Interim is that this domain functional level is used when the forests in your
environment do not have Windows 2000 domain controllers.
• Windows Server 2003: This domain functional level is used when the domain contains only
Windows Server 2003 domain controllers. Raising a functional level is a one-way operation:
once the domain is at the Windows Server 2003 level it cannot be returned to any earlier
level, so raise it only after you are certain no Windows 2000 or Windows NT domain
controller will ever need to be added. All Active Directory domain features are available at
this level, including local and global groups, distribution groups, distribution and security
group nesting, universal groups, conversion between security and distribution groups, Global
Catalog support, SID history, support for up to 1,000,000 domain objects, renaming domain
controllers, the replicated last-logon timestamp attribute, redirection of the Users and
Computers containers, constrained delegation, and user password support on the
InetOrgPerson object.
The forest functional levels that can be set for Active Directory in Windows Server 2003 are listed
below.
• Windows 2000: In this forest functional level, Windows NT, Windows 2000 and
Windows Server 2003 domain controllers can exist in domains. The Active Directory
forest features that are available in Windows 2000 forest functional level include
Universal Group caching, Application directory partitions, Global Catalog replication
enhancements, Installations from backups, the Active Directory quota feature, and SIS
for system access control lists (SACL).
• Windows Server 2003 Interim: Windows NT 4.0 backup domain controllers and Windows
Server 2003 domain controllers can coexist in the forest's domains; Windows 2000 domain
controllers cannot.
• Windows Server 2003: All domain controllers in the forest have to be running Windows
Server 2003 for the forest functional level to be raised to the Windows Server 2003 forest
functional level. With the Windows Server 2003 forest functional level, all forest-wide
Active Directory features are available, including Domain renaming, Forest Trust,
Defunct schema objects, Dynamic auxiliary classes, Application groups, Universal Group
caching, Application directory partitions, Global Catalog replication enhancements,
Installations from backups, Active Directory quota feature, SIS for system access control
lists (SACL), Improved Knowledge Consistency Checker (KCC) replication algorithms,
Linked value replication, InetOrgPerson objectClass and NTDS.DIT size reduction.
How to check which domain function level is set for the domain
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want verify, and select
Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain in Current domain
functional level.
How to raise the domain functional level to the Windows 2000 native or Windows Server 2003 domain
functional level
Before you can raise the domain to the Windows 2000 native level, the domain must contain no
Windows NT backup domain controllers; before you can raise it to the Windows Server 2003 level,
every domain controller in the domain has to be running Windows Server 2003. The raise cannot be
undone.
To raise the domain functional level for a domain,
1. Open the Active Directory Domains And Trusts console
2. Right-click the particular domain whose functional level you want to raise, and select
Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain
functional level for the domain.
5. Click Raise.
6. Click OK.
How to check which forest functional level is set for the forest
1. Open the Active Directory Domains And Trusts console
2. Right-click Active Directory Domains and Trusts in the console tree, and select Raise
Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens
4. You can view the existing forest functional level in Current forest functional level.
How to raise the forest functional level to the Windows Server 2003 forest functional level
Every domain controller in the forest has to be running Windows Server 2003, and every domain
must already be at the Windows 2000 native level or higher, before you can raise the forest
functional level to Windows Server 2003. When you raise the forest functional level, every domain
in the forest automatically has its domain functional level raised to Windows Server 2003.
To raise the forest functional level for a forest,
1. Open the Active Directory Domains And Trusts console
2. Right-click Active Directory Domains And Trusts in the console tree, and select Raise
Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens
4. Click Raise.
5. Click OK.
Understanding the Security Features of Firewalls
Firewalls are the primary means of enforcing a boundary around the network. Bear in mind that a
firewall is only a barrier that makes attacking the network harder: whatever traffic it is configured
to let through, such as HTTP to a Web server, reaches that server unhindered, so the servers behind
the firewall still need to be hardened.
Firewalls are categorized as follows:
• Network firewalls: These firewalls monitor traffic entering and exiting the network, in an
attempt to protect the perimeter network. Software based Microsoft Internet Security and
Acceleration (ISA) Server and the hardware based Nortel Networks Alteon Switched
Firewall System are network firewall solutions.
• Host-based firewalls: These firewalls protect those computers it is defined to protect. The
network to which the computer is connected to is irrelevant. The Internet Connection
Firewall (ICF) feature of Windows XP and Windows Server 2003 is a host-based firewall
solution.
Firewalls work by checking each packet to decide whether it should be forwarded or dropped; the
main function of the firewall is to filter traffic. A TCP/IP packet begins with an IP header, which
carries the source and destination IP addresses and the IP protocol number of what follows. For TCP
and UDP traffic the IP header is followed by a TCP or UDP header, which carries the source and
destination port numbers, and then by the actual content of the packet. A TCP header additionally
carries sequence and acknowledgment numbers and the flags (SYN, ACK, FIN, RST) that describe the
state of the conversation.
As packets pass through the firewall, they are examined against the filtering parameters configured
for the firewall. The filtering parameters define which packets are allowed through. Firewalls
typically default to denying every packet other than those they have been explicitly configured to
allow. In most networks this means blocking all unsolicited inbound traffic while allowing outbound
traffic from the private internal network; note that unrestricted outbound access also lets a
compromised internal host reach an attacker freely, so outbound filtering is worth considering too.
Packet filters are used to define the traffic types that should be denied by a firewall. You need to
implement firewalls and router packet filters to secure the resources within your private network
from Internet users.
When you configure IP packet filters, you can specify what traffic is allowed or denied, based on
the following:
• Source address
• Destination address
• Source and destination TCP port number
• Source and destination UDP port number
• The interface that the packet arrives on.
• The interface that the packet should be forwarded to
• IP protocol numbers
• ICMP types and codes
IP packet filters should be used for the following purposes:
• To restrict traffic sent to or from a specific computer, filter on its source/destination IP
address.
• To restrict traffic coming from or sent to a network segment, filter on the source/destination
IP address range.
• To restrict traffic to or from a particular application, filter on the TCP or UDP port number
the application uses; filter on the IP protocol number for traffic that is neither TCP nor
UDP, such as GRE or IPSec ESP.
Advanced firewalls include a number of additional security features, including:
• Stateful inspection: The firewall records each connection it has allowed and then permits
only packets that belong to one of those connections (for example, the reply from a Web
server to a request an internal client sent). A packet that merely matches a static port rule
but does not belong to a known connection is dropped. Stateful inspection is also what lets
proxy servers and firewalls that perform Network Address Translation (NAT) map replies back
to the right internal host.
• Intrusion detection features: Firewalls that include intrusion detection features are able to
recognize the signatures of known network attacks as they inspect packets. Such firewalls
can respond in several ways when they detect an attack:
○ Actively respond, for example by resetting the offending connection (launching a
counter attack against the apparent source is not advisable, since the source address
is easily spoofed).
○ Block further access from the intruder's network.
○ Notify an administrator of the network attack.
• Application layer intelligence: These firewalls allow or drop packets based on the content of
the packet; they can inspect and analyze the data inside the traffic flows, such as the HTTP
request within a connection to port 80.
• Virtual Private Network (VPN) capabilities: These firewalls let remote networks connect to
each other over the Internet. When the VPN tunnel terminates on the firewall itself, the
firewall can filter the decrypted traffic inside the tunnel; if the tunnel terminates
elsewhere, the firewall sees only encrypted packets and can filter only on their outer
headers.
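The packet filter criteria listed earlier and the stateful inspection feature just described, as an added Python example that is not code from the article: a first-match, default-deny filter that matches on interface, protocol, address ranges, destination ports and ICMP type, plus a connection table that lets replies to allowed flows through while dropping packets that only look like replies. The interface names (lan, wan), the rules, the addresses and the sample packets are constructed for the example; a real firewall matches on IP protocol numbers and tracks TCP flags and timeouts, which this model leaves out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter decides on (constructed model, not a real parser)."""
    in_if: str          # interface the packet arrived on
    proto: str          # "tcp", "udp" or "icmp"; a real filter uses the IP protocol number
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


@dataclass(frozen=True)
class Rule:
    """One filtering rule; fields left at their defaults match anything."""
    action: str                 # "allow" or "deny"
    in_if: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = ()          # empty tuple = any destination port
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.in_if == "any" or self.in_if == p.in_if)
                and (self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


class StatefulFilter:
    """First matching rule wins; anything unmatched is denied; replies to allowed flows pass."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()      # (proto, src, sport, dst, dport) of every TCP/UDP flow allowed so far

    def filter(self, p: Packet):
        # 1. Stateful check: the reverse of a flow this firewall already allowed is an
        #    established conversation and passes without consulting the rules.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow", "established flow"
        # 2. Static rules, first match wins; an allowed TCP/UDP packet opens a flow entry.
        for n, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "allow" and p.proto in ("tcp", "udp"):
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action, f"rule {n}"
        # 3. Default deny.
        return "deny", "no matching rule"


# Constructed policy: interface "lan" faces 10.0.0.0/8, "wan" faces the Internet,
# and 192.0.2.10 is the perimeter Web server.
RULES = [
    Rule("allow", in_if="lan", proto="tcp", src="10.0.0.0/8"),                        # internal clients out
    Rule("allow", in_if="lan", proto="udp", src="10.0.0.0/8"),
    Rule("allow", in_if="wan", proto="tcp", dst="192.0.2.10/32", dports=(80, 443)),  # public Web only
    Rule("allow", in_if="wan", proto="icmp", icmp_type=0),                           # echo replies only
]


def run_demo():
    """Push constructed packets through the filter in order and return the verdict for each."""
    fw = StatefulFilter(RULES)
    packets = [
        ("client opens HTTP to the Internet", Packet("lan", "tcp", "10.1.1.5", "203.0.113.7", 50000, 80)),
        ("Web server's reply to that client", Packet("wan", "tcp", "203.0.113.7", "10.1.1.5", 80, 50000)),
        ("unsolicited packet dressed up as a reply", Packet("wan", "tcp", "203.0.113.9", "10.1.1.5", 80, 50001)),
        ("Internet user to the perimeter Web server", Packet("wan", "tcp", "198.51.100.4", "192.0.2.10", 40000, 443)),
        ("RDP attempt at the Web server", Packet("wan", "tcp", "198.51.100.4", "192.0.2.10", 40001, 3389)),
        ("ping request from the Internet", Packet("wan", "icmp", "198.51.100.4", "192.0.2.10", icmp_type=8)),
    ]
    return {label: fw.filter(p) for label, p in packets}


if __name__ == "__main__":
    for label, (verdict, why) in run_demo().items():
        print(f"{verdict:5} {label} ({why})")
```

The third packet is the one a stateless filter gets wrong: a rule of the form "allow inbound TCP with source port 80" would pass it, because the attacker chooses the source port. The stateful table passes the genuine reply only because the firewall saw the internal client open that exact flow first.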
Understanding Perimeter Networks
The main role of a perimeter network, also called demilitarized zone (DMZ), is to provide an
additional layer of protection for the internal private network when a server on the perimeter
network is compromised. The perimeter network typically hosts Web services that are extended
to Internet clients.
A perimeter network usually consists of the following elements:
• A firewall for protecting the front-end servers from the Internet traffic.
• A firewall between the back-end servers and private network. This firewall should allow
communication between back-end servers and specific servers located on the private
network.
• Hardened servers supporting the services the applications provide. Hardening means
disabling every service the server does not need to offer, so that a server exposed to the
Internet presents only the intended service.
A perimeter network is either a single firewall configuration, or back to back firewall
configuration:
• Single firewall configuration: Here a single firewall with three network interface cards
(NICs) is used: one connected to the perimeter network, one connected to the Internet, and
one connected to the private network. The private network comprises the organization's
network, computers and servers that are not exposed to the public network. This is the
simplest firewall configuration. Because it consists of only one firewall, the private
network is exposed as soon as an attacker is able to bypass or compromise that firewall.
• Back to back firewalls configuration: Here, one firewall is utilized to connect the front
end of the perimeter network to the Internet, and another firewall is utilized to connect
the back end of the perimeter network to the private network. This method provides more
protection to the private network. Additional firewalls can be implemented between the
Web tiers in the perimeter network to further enhance security for the private network.
Web Content servers and front end servers usually reside in the perimeter network. A perimeter
network can be further segmented:
• A segment should be utilized to implement a management network.
• The various forms of Internet traffic such as HTTP and FTP should be routed to separate
Web clusters.
• Non routable network addresses should be assigned to the internal networks of the Web
site.
• Internet traffic should be separated from the internal network or back end traffic.
• Ensure that IP forwarding is not enabled for the front end servers.
Understanding Windows Server 2003 Security Settings
Auditing enables you to determine which activities are occurring on your system. Through
auditing, administrators can collect information associated with resource access and usage on
your system. You can audit system logon, file access, object access, as well as any configuration
changes. When an event or action takes place that is configured for auditing, the action or event
is written to the security log. Security auditing events are written to the security log of the
system, and can be accessed from Event Viewer.
The main types of events which you should audit are listed below:
• Computer logons
• Computer logoffs
• Access to objects, and files and folders
• System events, such as when the following occurs:
○ Computer reboots
○ Computer shutdowns.
○ System time is modified
○ Audit logs are cleared.
• Performance of user and computer account management activities, such as:
○ Creating new accounts
○ Changing permissions
○ Modifying account statuses
You can define audit policies for the local computer, a domain controller, a domain, or an
organizational unit (OU).
The audit policies that you can configure with Windows Server 2003 are listed here:
• Audit Account logon events: This policy is typically enabled on domain controllers to
track users who log on to the computer.
• Audit Account management: This policy tracks account management tasks performed on
the computer, including creating, changing, and deleting user objects, and changing
account passwords.
• Audit Directory service access: On domain controllers, this policy tracks when users
access Active Directory objects that have system access control lists (SACLs).
• Audit Logon events: This policy tracks user logons and logoffs.
• Audit Object access: Tracks when a user accesses operating system components such as
files, folders or registry keys. An access is only recorded if the object's SACL also names
the user or group and the type of access to audit.
• Audit Policy change: This policy tracks changes made to the security configuration
settings of the computer, including changes made to audit policies, trust policies, and
user rights.
• Audit Privilege use: Tracks when a user exercises a user right. The user rights excluded
from auditing because of the volume of log entries they generate are: Back Up Files And
Directories, Bypass Traverse Checking, Create A Token Object, Debug Programs,
Generate Security Audits, Replace Process Level Token, and Restore Files And
Directories.
• Audit Process tracking: This policy tracks when certain events take place on the
computer, such as when a program starts or a process ends.
• Audit System events: This policy tracks events such as the computer restarting or shutting
down, and any events that affect the security log or the security of the system.
For each of the event categories listed above, you can choose between three values when
you enable auditing. These values determine the condition under which an audit entry is
created:
• Success only; an audit entry is created when a particular event or action completes
successfully.
• Failure only; an audit entry is created when a particular event or action fails.
• Success and Failure; an entry is created whether the particular event or action completes
successfully or fails.
An important management tool for administrators of Windows Server 2003 is the Event Log.
Event Viewer stores events that are logged in a system log, application log, and security log. You
can access Event Viewer from the Administrative Tools folder.
The maximum size of the Event Log, Event Log performance, and other attributes are controlled
by the following Event Log policies:
• Maximum log size; specifies the maximum size for the log file.
• Retain log; sets the time duration for which the Event Log information should be
retained.
• Retention method for log; sets what actions should occur when the Event Log's maximum
size is reached:
○ Overwrite Events By Days option
○ Overwrite Events As Needed option
○ Do Not Overwrite Events (Clear Log Manually) option.
• Prevent local guests group from accessing log; defines whether the local guests group is
allowed to access the Event log.
You can enable Security Options policies to secure specific server components from a number
of threats and accidents. A few Security Options policies which you should consider activating
are listed below:
• Accounts: Administrator Account Status; enables/disables the local Administrator
account of the computer.
• Accounts: Guest Account Status; enables/disables the local Guest account of the
computer.
• Accounts: Rename Administrator Account; defines the alternative name for the security
identifier (SID) of the local Administrator account.
• Accounts: Rename Guest Account; defines the alternative name for the security identifier
(SID) of the local Guest account
• Audit: Audit The Use Of Backup And Restore Privilege; when the Audit Privilege Use
policy is enabled, it configures the computer to audit user privileges.
• Audit: Shut Down System Immediately If Unable To Log Security Audits; results in the
computer shutting down when no further auditing entries can be written to the security
log due to the log reaching its maximum size limit.
• Devices: Allowed To Format And Eject Removable Media; defines those local groups
which are allowed to format and eject removable NTFS file system media.
• Devices: Restrict CD-ROM Access To Locally Logged-on User Only; stops users from
accessing the CD-ROM drives of the computer.
• Devices: Restrict Floppy Access To Locally Logged-on User Only; stops users from
accessing the floppy disk drive of the computer.
• Domain Member: Maximum Machine Account Password Age; sets the frequency at
which the computer account password of the system is modified.
• Interactive Logon: Do Not Require CTRL+ALT+DEL; set this policy to Disabled so that
users must press CTRL+ALT+DEL before logging on, which protects them from Trojan
horse attacks.
• Interactive Logon: Require Domain Controller Authentication To Unlock Workstation;
stops the computer from being unlocked through cached credentials.
• Microsoft Network Client: Digitally Sign Communications (Always); sets the computer
to require packet signatures for Server Message Block client communications.
• Microsoft Network Server: Digitally Sign Communications (Always); sets the computer
to require packet signatures for Server Message Block server communications.
• Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And
Shares; stops anonymous users from gathering information on the names of local user
accounts and shares.
• Network Access: Remotely Accessible Registry Paths And Sub-paths; defines the
registry paths and sub-paths which certain users can access.
• Network Access: Shares That Can Be Accessed Anonymously; defines the shares which
can be accessed by anonymous users.
• Network Security: Force Logoff When Logon Hours Expire; configures the computer to
end any current local user connections that have used up their defined logon hours or
time.
• Shutdown: Allow System To Be Shut Down Without Having To Log On; enables the
Shut Down button in the Log On To Windows dialog box.
Services can be defined as system programs, processes or routines running in the background
that perform a specific operation within the operating system. Administrators need to monitor
services and change the configuration of services when necessary. When the Windows
Server 2003 operating system is installed, some services are installed with the operating
system. These services are usually set to the Automatic startup type, which means that the
service starts when the operating system boots. The startup type specified for a service
controls when and how the service starts.
A few services that have the Automatic startup type configured are Automatic Updates, DHCP
Client, DNS Client, IPSec Services, Remote Procedure Call (RPC), Server, Security Accounts
Manager, and System Event Notification.
For those services that have the Automatic startup type configured, you can use System Services
policies to disable those services which a specific server does not require. A few services for
which you can configure the startup type as Disabled (if the server does not require the service)
are Application Management, Distributed File System, Distributed Transaction Coordinator, Fax
Service, ClipBook, Indexing Service, Internet Connection Sharing (ICS), and Smart Card.
Restricted Groups contains groups for which specific membership restrictions apply. You can
configure Restricted Groups to ensure that group memberships remain as specified. Restricted
Groups policies ensure that the Members and Member Of attributes remain consistent. You
configure Restricted Groups policies by adding a policy and then specifying the members of the
policy.
Account Policies include attributes for password policy, account lockout policy and Kerberos
policy. Password policy determines settings for passwords for domain user accounts, and local
user accounts. You can implement strong password policies by using the following security
policy settings located in the Password Policy node in Account Policies:
• Maximum password age: This security policy setting determines the duration after which
a user is forced to change a password.
• Enforce password history: This security policy setting prevents users from re-specifying
or reusing previously used passwords.
• Minimum password age: This security policy setting determines the length of time that a
user has to keep a password before he/she can modify the password.
• Minimum password length: This security policy setting stipulates the minimum length
that a password can have.
Account lockout policies should be implemented if your environment is particularly vulnerable to
password-guessing attacks. An account lockout policy ensures that a user's account is locked
after an individual has unsuccessfully tried several times to provide the correct password. The
important factor to remember when defining an account lockout policy is that it should permit
some degree of user error, while still preventing unauthorized use of your user accounts.
The following account lockout settings are located in the Account Lockout Policy area in
Account Policies:
• Account lockout threshold: This setting controls the number of failed logon attempts after
which the account is locked out.
• Account lockout duration: This setting controls how long a locked account remains locked.
A setting of 0 means that an administrator has to manually unlock the account.
• Reset account lockout counter after: This setting determines how much time must pass
after an invalid logon attempt before the failed logon attempt counter is reset to zero.
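To make the interaction of the three lockout settings concrete, here is an added example (not from the original text) that replays constructed failed-logon entries against a chosen threshold, reset window and lockout duration; the simplified tab-separated log layout, the user names and the server name SRV01 are assumptions.

```python
"""Replay Windows Server 2003 logon events against an account lockout policy to
see which accounts the three Account Lockout Policy settings would lock, and
when.  Added example; the log layout below is a constructed, simplified export
(Type, Date, Time, Event ID, Target User, Computer), not the exact Event Viewer
save format.  Event IDs are those of Windows Server 2003:
528 = successful logon, 529 = logon failure (bad user name or password)."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "kind when event_id user computer")

LOGON_SUCCESS = 528
LOGON_FAILURE = 529

# Constructed sample data: three accounts on the hypothetical server SRV01.
SAMPLE_LOG = """\
Type\tDate\tTime\tEvent ID\tTarget User\tComputer
Failure Audit\t02/03/2007\t08:00:05\t529\tjsmith\tSRV01
Failure Audit\t02/03/2007\t08:01:10\t529\tjsmith\tSRV01
Failure Audit\t02/03/2007\t08:02:00\t529\tjsmith\tSRV01
Failure Audit\t02/03/2007\t08:03:30\t529\tjsmith\tSRV01
Failure Audit\t02/03/2007\t08:04:00\t529\tjsmith\tSRV01
Failure Audit\t02/03/2007\t08:10:00\t529\tjsmith\tSRV01
Failure Audit\t02/03/2007\t08:40:00\t529\tjsmith\tSRV01
Failure Audit\t02/03/2007\t09:00:00\t529\tbjones\tSRV01
Failure Audit\t02/03/2007\t09:05:00\t529\tbjones\tSRV01
Success Audit\t02/03/2007\t09:06:00\t528\tbjones\tSRV01
Failure Audit\t02/03/2007\t09:10:00\t529\tbjones\tSRV01
Failure Audit\t02/03/2007\t09:11:00\t529\tbjones\tSRV01
Failure Audit\t02/03/2007\t10:00:00\t529\tamiller\tSRV01
Failure Audit\t02/03/2007\t10:01:00\t529\tamiller\tSRV01
Failure Audit\t02/03/2007\t11:00:00\t529\tamiller\tSRV01
"""


def parse_log(text):
    """Turn the tab-separated export into Event records, skipping the header."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Type\t"):
            continue
        kind, date, time, event_id, user, computer = line.split("\t")
        when = datetime.strptime(date + " " + time, "%m/%d/%Y %H:%M:%S")
        events.append(Event(kind, when, int(event_id), user, computer))
    return events


def evaluate_lockouts(events, threshold, reset_after_min, lockout_duration_min):
    """Apply the lockout policy to the events in time order.

    threshold             Account lockout threshold (0 = accounts are never locked)
    reset_after_min       Reset account lockout counter after, in minutes
    lockout_duration_min  Account lockout duration (0 = locked until an
                          administrator unlocks the account)
    Returns (lockouts, counters): lockouts maps user -> list of lockout times;
    counters maps user -> (bad attempts so far, time of the last bad attempt)
    for accounts that are not locked when the replay ends."""
    counters = {}
    locked_until = {}   # user -> unlock time, or None for manual unlock only
    lockouts = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.user in locked_until:
            until = locked_until[ev.user]
            if until is None or ev.when < until:
                continue               # attempts against a locked account are not counted
            del locked_until[ev.user]  # lockout duration elapsed: automatic unlock
        if ev.event_id == LOGON_SUCCESS:
            counters.pop(ev.user, None)  # a successful logon resets the bad-password count
            continue
        if ev.event_id != LOGON_FAILURE or threshold == 0:
            continue
        count, last = counters.get(ev.user, (0, None))
        if last is not None and ev.when - last > timedelta(minutes=reset_after_min):
            count = 0                  # reset window passed with no new failure
        count += 1
        counters[ev.user] = (count, ev.when)
        if count >= threshold:
            lockouts.setdefault(ev.user, []).append(ev.when)
            locked_until[ev.user] = (None if lockout_duration_min == 0
                                     else ev.when + timedelta(minutes=lockout_duration_min))
            del counters[ev.user]
    return lockouts, counters


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for duration in (30, 0):
        locked, pending = evaluate_lockouts(events, 5, 30, duration)
        print(f"lockout duration {duration} min: locked={locked} pending={pending}")
```

With a threshold of 5 and a 30-minute reset window only jsmith is locked (at 08:04); bjones never reaches the threshold because the successful logon at 09:06 resets the counter, and amiller's third failure falls outside the reset window.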
How to Plan a Security Framework
A security framework can be defined as the process used when the organization has to perform
the activities listed below:
• Define security requirements.
• Determine security risks.
• Select the appropriate security features.
• Select and implement security policies.
• Define security implementations.
• Define security management policies.
Most organizations use a security design committee or team to determine the security needs of
the organization and to deploy security policies which can meet these requirements.
A security design committee/team includes individuals that are knowledgeable on the following
factors:
• The mission critical resources of the organization.
• The security weaknesses or vulnerabilities of the organization.
• The threats to which the mission critical resources of the organization is exposed.
• The resources which are mainly at risk.
• The loss to the organization should particular resources of the organization be
compromised.
• The level of security needed to secure the organization's resources.
• The security features and security policies which can be used to secure the resources of
the organization.
• The security features and security policies which are ideal to secure particular resources.
• The impact of implementing security features and security policies on employees, users
and administrators.
• The requirements for deploying identified security solutions.
A typical security life cycle is made up of the following steps:
• Determining and designing the security infrastructure: The design phase of the security
life cycle includes elements such as identifying the resources of the organization that
needs to be secured, and then designing the security infrastructure to protect these
resources. The security design team should be accountable for creating and designing
security policies for the organization.
• Deploying and implementing the security features and security policies: The security
design team should also be responsible for implementing security features and security
policies.
• Continually managing the security solution: All security software should be upgraded as
necessary, and audit logs should be regularly examined.
Because the security requirements of organizations differ, you have to determine which security
features, tools and policies are needed by the specific organization whose server security you
are planning. From the discussion so far, it is evident that identifying the security
requirements of the organization is a task requiring considerable analysis. One of the initial steps
in identifying the security requirements of the organization is to determine which security
weaknesses or vulnerabilities currently exist, the threats to which the mission-critical resources
of the organization are exposed, and the resources which are most at risk of being compromised.
There are a number of different risks that have an impact on an organization. Some of the
primary threats which you should address are listed here:
• Environmental threats; pertains to both environmental disasters and disasters due to
human intervention. Examples of environmental threats are fires, earthquakes, storms,
faulty wiring, and so forth.
• Accidental threats; relate to threats which are caused without malicious intent. Accidental
risks occur when an employee accidentally deletes important files, or modifies data that
should not have been changed.
• Deliberate threats; relate to threats which are caused with malicious intent as the primary
objective. Examples of deliberate threats are viruses, Trojan horses, and all other network
attacks caused by hackers and intruders.
Once the risks to which your organization is vulnerable are determined, you have to determine
which resources and assets of the company could be affected by each identified risk or threat.
Assets and company resources can be categorized as follows:
• Hardware; such as devices, servers, workstations, printers, and so forth.
• Software; includes software designed specifically for the organization and other software
products.
• Company data; includes databases, and files and documents.
• The physical building.
• Sundry equipment; such as office furniture and other supplies.
• Employees of the organization.
To secure company assets and resources from all identified security risks, you have to determine
which security configurations can match the security requirements of the organization.

Auditing Security Events
An Overview of Auditing
Auditing enables you to determine which activities are occurring on your system. Through
auditing, you can track access to objects, files and folders; as well as any modifications made to
the objects, files and folders. Auditing therefore enables you to collect information associated
with resource access and usage on your system by allowing you to audit system logon, file
access, object access, as well as any configuration changes. An audit trail can be defined as a list
of audit entries which portray the life span of an object, or file and folder. When an event or
action takes place that's configured for auditing, the action or event is written to the security log.
Security auditing events are thus written to the security log of the system, and can be accessed
from Event Viewer.

Audit entries in the security log can be one of the following:
• Success event
• Failure event
The main types of events which you should audit are listed below:
• Computer logons and computer logoffs
• Access to objects, and files and folders
• System events, such as when the following occurs:
○ Computer reboots and computer shutdowns.
○ System time is modified
○ Audit logs are cleared.
• Performance of user and computer account management activities, such as:
○ Creating new accounts
○ Changing permissions
○ Modifying account statuses
One of the primary steps in implementing auditing is to create an audit plan which would define
the objectives of implementing auditing on your system. The aspects which should be included
in your audit plan are:
• List the type of access and information which should be audited.
• Determine whether success events, failure events, or both success and failure events
should be audited.
• Determine the resources which are available for auditing purposes. Resources in this case
refers to disk space, memory, and processor usage.
• Plan the scope of auditing according to the resources which are available for auditing
purposes. A wide auditing scope with auditing of both success and failure events can
cause a large quantity of data to be collected. This in turn could prevent you from easily
finding the information considered important.
• Define the quantity of time which would be required to view and analyze audit logs.
Auditing of security event categories is disabled by default. In order to track access to objects,
files and folders, you have to define and configure an audit policy. You have to determine
the types of events which you want to audit, and take the security requirements of the
organization into account when you configure audit policies. Another step in defining audit
policies is to determine the particular event categories which should be audited.
The event categories which you can audit are:
• Account logon events: This policy is typically enabled on domain controllers to track
users who log on to the computer.
• Account management: This policy tracks account management tasks performed on the
computer, including creating, changing, and deleting user objects, and changing account
passwords.
• Directory service access: On domain controllers, this policy tracks when users access
Active Directory objects that have system access control lists (SACLs).
• Logon events: This policy tracks user logons and logoffs.
• Object access: Tracks when a user accesses operating system components such as files,
folders or registry keys.
• Policy change: This policy tracks changes made to the security configuration settings of
the computer, including changes made to:
○ Audit policies
○ Trust policies
○ User rights
• Privilege use: Tracks when a user exercises a user right. The user rights excluded from
auditing because of the volume of log entries they generate are:
○ Back Up Files And Directories
○ Bypass Traverse Checking
○ Create A Token Object
○ Debug Programs
○ Generate Security Audits
○ Replace Process Level Token
○ Restore Files And Directories
• Process tracking: This policy tracks when certain events take place on the computer, such
as when a program starts or a process ends.
• System events: This policy tracks the following events:
○ The computer restarts or shuts down.
○ Any events that affect the security log or the security of the system.
For each of the event categories listed above, you can choose between three values when
you enable auditing. These values determine the condition under which an audit entry is
created:
• Success only; an audit entry is created when a particular event or action completes
successfully.
• Failure only; an audit entry is created when a particular event or action fails.
• Success and Failure; an entry is created whether the particular event or action completes
successfully or fails.
You can define audit policies for:
• The local computer
• A domain controller
• A domain
• An organizational unit (OU)
Audit policies can be configured through Group Policy for a site, a domain, or an OU. You can
also configure audit policies for individual servers and workstations.
The information recorded on an event in a security event log is listed below:
• The type of event logged: Error, Warning, or Information, and Success Audit or Failure
Audit
• The date on which the event occurred
• The software or program that logged or recorded the event.
• The user that performed the action which resulted in an event being logged.
• The computer name on which this action was performed
• The event identity number
• The event description
A few recommendations for auditing security events are summarized below:
• Define an audit plan which details what you want to audit
• Configure the security event log size so that it is suitable for the security requirements of
the organization
• Archive security logs on a regular basis.
• Audit both success events and failure events in the System Events category
How to define an audit policy on the local computer
1. Click Start, Programs, Administrative Tools, and then click Local Security Policy.
2. Expand the Local Policies in the left pane.
3. Click Audit Policy.
4. The options which you can define audit policy for are listed in the right pane.
5. Proceed to select and double-click the desired option.
6. When the Properties dialog box for the policy which you have selected opens, enable
success audit, failure audit, or both success and failure audits.
7. Click OK.
How to define an audit policy on the domain controller
1. Click Start, Programs, Administrative Tools, and then click Domain Controller Security
Policy.
2. Expand the appropriate nodes in the left pane to move to Computer Configuration,
Windows Settings, Security Settings, Local Policies, and then Audit Policy.
3. Click Audit Policy.
4. Proceed to select and double-click the desired option.
5. When the Properties dialog box for the policy which you have selected opens, enable
success audit, or failure audit, or both success and failure audits.
6. Click OK.
How to define the event categories to audit for a site,
domain, or OU
1. Click Start, Administrative Tools, and then click Active Directory Users And Computers
2. In the left console pane, right-click the site, domain, or OU; and then select Properties
from the shortcut menu.
3. Click the Group Policy tab, add a new policy, and click Edit
4. In the Group Policy Object Editor console, in the left console tree, expand Computer
Configuration, Windows Settings, Security Settings, Local Policies and then expand
Audit Policy
5. In the details pane, right-click the particular event category which you want to audit; and
then select Properties from the shortcut menu.
6. When the Properties dialog box of the event category opens, select one or both of the
following options: Success, Failure
7. Click OK.
How to enable auditing for Active Directory objects.
1. Open the Active Directory Users And Computers console
2. Ensure that Advanced Features are enabled on the View menu
3. Select the Active Directory object which you want to configure auditing for, and then
select Properties on Action menu.
4. When the Properties dialog box of the object opens, click the Security tab.
5. Click Advanced to move to the Advanced Security Settings For dialog box for the Active
Directory object.
6. Click the Auditing tab.
7. Click Add, and then specify the users or groups for which you want to audit object
access.
8. Click OK.
9. When the Auditing Entry For dialog box for the object appears, choose the event(s) that
you want to audit by choosing either one of, or both of the following options: Successful,
Failed; alongside the particular event(s).
10. Use the Apply Onto list box to set where the auditing should take place. The default
setting is This Object And All Child Objects.
11. Click OK.
How to enable auditing for files and folders
1. Open Windows Explorer.
2. Right-click the file or folder which you want to configure auditing for, and then select
Properties from the shortcut menu.
3. On the Security tab, click Advanced.
4. Click the Auditing tab on the Advanced Security Settings For dialog box of the file or
folder.
5. Click Add, and then choose the users/groups for which you want to audit file or folder
access. Click OK.
6. In the Auditing Entry For dialog box for the file/folder, select the events that you want to
audit by checking either the Successful option, Failed option, or both of these options
alongside the particular event(s). You can choose to audit the following events:
○ Full Control
○ Traverse Folder/Execute File
○ List Folder/Read Data
○ Read Attributes
○ Read Extended Attributes
○ Create Files/Write Data
○ Create Folders/Append Data
○ Write Attributes
○ Write Extended Attributes
○ Delete Subfolders and Files
○ Delete
○ Read Permissions
○ Change Permissions
○ Take Ownership
7. Use the Apply Onto list box to specify the location where auditing should occur. The
default setting is This Folder, Subfolders And Files.
8. Click OK.
How to apply an audit policy to Active Directory users and
OUs using Group Policy
1. Click Start, Run, enter mmc in the Run dialog box, and click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Select the Group Policy Object Editor management tool and then click Add.
4. When the Select Group Policy Object dialog box opens, click Browse to choose the
proper GPO for the specific domain or OU.
5. In the left pane, expand Computer Configuration, Windows Settings, Security Settings,
and then expand File System to set an audit policy for the file system.
6. Right-click the File System node to add audit settings for a file/folder.
7. Using the browse interface, locate the file/folder for which you want to configure
auditing.
8. Click Edit Security to specify the auditing settings.
How to access Event Viewer to view security log information
1. Click Start, Programs, Administrative Tools, and then click Event Viewer
How to view information in the security log through Event
Viewer
1. Open Event Viewer
2. In the console tree in the left pane, click Security
3. The details pane is populated with all events that exist in the security log, together with
summary information such as Date, Time, Category, Event ID, and User; on each entry.
○ A key icon is displayed alongside successful audit events.
○ A lock icon is displayed alongside unsuccessful audit events.
4. You can double-click on an event entry to view its properties.
How to filter events in the security log
1. Open Event Viewer
2. In the console tree in the left pane, click Security
3. On the View menu, click the Filter option.
4. On the Filter tab, specify the filter criteria that you want to use to display a specific
event(s) in the security log.
5. In the Event Types section of the dialog box, specify the types of events that you want to
display in the security log.
6. In the Event Source list, choose the source that logged the event(s) which you want to
display.
7. In the Category list, choose the event category.
8. In the Event ID box, enter the event identity number
9. In the User box, enter the user name
10. In the Computer box, enter the computer name.
11. Use the From list boxes to enter the start parameters for the events which should be
filtered.
12. Use To list boxes to enter the end parameters for the events which should be filtered.
13. Click OK to display the filtered events in the security log.
14. Clicking the Restore Defaults button on the Filter tab removes the security log filter.
How to configure the size of the security event log
1. Open Event Viewer
2. In the console tree in the left pane, right-click Security and then select Properties on the
shortcut menu.
3. When the Security Properties dialog box opens, on the General tab, enter the maximum
log file size. The default setting is 512 KB. You can set the maximum log file size to any
size from 64 KB to 4,194,240 KB.
4. Choose one of the following options listed beneath the When Maximum Log File Size Is
Reached section of the dialog box:
○ Overwrite Events As Needed: When selected, the oldest events in the security log
are replaced when new events need to be logged.
○ Overwrite Events Older Than _ Days: Enter the number of days after which the
system can overwrite an event.
○ Do Not Overwrite Events (Clear Log Manually): When selected, you have chosen
to manually clear the security log. The system does not overwrite or replace any
events in the security log when the maximum log file size is reached. If the
security log is not manually cleared, all new events are dropped, and are therefore
not recorded in the security log.
How to clear the security log
1. Open Event Viewer
2. In the console tree in the left pane, right-click Security and then select Clear All Events
on the shortcut menu.
3. When the Event Viewer message box appears, click Yes to archive the existing entries in
the security log prior to it being cleared; or click No to simply delete the existing entries
in the log.
4. If you chose to archive the entries in the security log, enter a name and a file format for
the log file.
5. Click Save.
How to archive a security log
1. Open Event Viewer.
2. In the console tree in the left pane, right-click Security and then select Save Log File on
the shortcut menu.
3. Enter a name for the file and then enter a file format for the file.
4. Click Save.

Authentication Types
What is Authentication
Authentication is the process whereby the system distinguishes legitimate users from unauthorized
users. It is the process in which a user identifies himself or herself to the system. The
effectiveness of an authentication process is determined by the authentication protocols and
mechanisms being used. Windows Server 2003 provides a few different authentication types which
can be used to verify the identities of network users, including:
• Kerberos authentication protocol
• NT LAN Manager (NTLM) authentication protocol
• Secure Sockets Layer/Transport Layer Security (SSL/TLS)
• Digest authentication
• Smart cards
• Virtual Private Networking (VPN) and Remote Access Services (RAS)
The Kerberos version 5 authentication protocol is the default authentication type for a Windows
Server 2003 environment. Kerberos version 5 makes use of a 'ticket' strategy to authenticate
valid network users, and provides mutual authentication between users and resources. Windows
Server 2003 supports the NTLM authentication protocol to provide compatibility with earlier
operating systems (OSs) such as Windows NT 4. Secure Sockets Layer/Transport Layer Security
(SSL/TLS) and digest authentication are typically used for Web applications. SSL/TLS is based
on X.509 public-key certificates, and enables mutual authentication between the client and
server.
A few authentication features introduced with Windows Server 2003 are outlined below:
• Windows Server 2003 includes support for smart cards, as well as support for a few
different multifactor authentication mechanisms. Windows Server 2003 can also support
a number of authentication protocols, such as NTLM, NTLMv2, and Kerberos version 5.
• With Windows Server 2003 Active Directory, the Active Directory directory service
stores the security credentials, such as the passwords of users, which are used for the
authentication process. Active Directory directory service can store security credentials
for each authentication protocol. The service also enables users to log on to computers in
an Active Directory environment that contains multiple domains and forests.
• A user can log on to any computer through a single domain account. This is known as
single sign-on. A user basically only needs to log on to a domain account once, and with
one password. The sign-on security information of the user is stored in Active Directory.
Whenever a user attempts to access a resource within a domain, network authentication
takes place.
The remainder of this article focuses on the different authentication types which you can
implement to enforce an authentication strategy within your environment.
Kerberos Authentication Protocol
The foremost authentication protocol type used within a Windows Server 2003 Active Directory
domain is the Kerberos version 5 authentication protocol. The Kerberos authentication protocol
provides the following authentication features:
• Verifies the identity of network users
• Verifies whether the network service that a user is attempting to access is valid. This
security feature prevents users from accessing any fake network services which could
have possibly been created by unauthorized network users. These fake services are
normally created to deceive network users into disclosing their logon credentials.
The term for the process by which both the identity of users and the identity of the services
being accessed are verified is mutual authentication. The name of the Kerberos authentication
protocol is derived from Greek mythology (Cerberus, the three-headed dog), because of the
following three components of the protocol:
• A client requesting authentication or a service
• A server on which the service that the client requests resides
• A computer which both the client and server trust. This is typically a Windows Server
2003 domain controller on which the Key Distribution Center service is running.
The Kerberos authentication type does not transmit passwords during the authentication process.
Instead, it uses tickets. Tickets are specially formatted data packets that allow a client to access a
resource. The ticket contains the identity of the user in an encrypted data format. When
decrypted, the data or information verifies the identity of the client. Because the Kerberos
authentication type makes use of tickets, it offers more security for the authentication process.
The Kerberos authentication type depends on the Key Distribution Center (KDC) to issue
tickets. Each network client makes use of DNS to find the closest available KDC to obtain a
Kerberos ticket. The ticket usually remains active for about 8 or 10 hours. The Key Distribution
Center (KDC) is a service which runs as a component of Active Directory. In fact, each domain
controller in a Windows Server 2003 domain operates as a Key Distribution Center (KDC). It is
the Key Distribution Center (KDC) which manages the database of security account information
for each security principal within a domain. Security principals that form the foundation of the
Active Directory security architecture are user accounts, security groups, and computer accounts.
Administrators of domains assign permissions to security principals to access network resources,
and to perform certain actions on these resources. The KDC holds the cryptographic key which is
only known by the particular security principal, and the KDC. This cryptographic key, also
called a long term key, is formed from the logon password of the user, and is used when the KDC
and security principal interact. Because each domain controller in Windows Server 2003
domains operates as a KDC, fault tolerance is enabled for the domain. When one domain
controller is unavailable, any other domain controller in the domain is able to issue tickets.
Kerberos authentication can be used by clients and servers running the following operating
systems (OSs):
• Windows 2000
• Windows XP Professional
• Windows Server 2003
Windows 2000, Windows XP Professional, and Windows Server 2003 computers which are
members of a Windows 2000 or Windows Server 2003 domain use the Kerberos protocol for
network authentication for domain resources. This is the default configuration for these domains.
When a down-level client attempts to access a Kerberos-secured resource, NTLM authentication
is used instead of Kerberos authentication.
How the Kerberos authentication process works
The steps outlined below describe the Kerberos authentication process.
1. The user provides his/her user name and password. The computer transmits these details
to the KDC.
2. The KDC creates a session key, and a Ticket Granting Ticket (TGT). A TGT is a ticket
that enables a client to receive temporary tickets from the ticket granting service for each
authentication, and it includes the following:
○ A copy of the session key
○ The name of the user
○ An expiration time
3. The TGT is encrypted by the KDC through its master key.
4. The client computer then receives this information from the KDC. At this point the client
computer holds the session key and TGT, and is authenticated to the domain. The session
key and TGT are stored in volatile memory because this offers better security than storing
the information on the hard disk.
5. A Kerberos client passes its TGT and a timestamp encrypted with its session key, to the
KDC when it needs to access resources hosted on a server which is a member of the same
domain. The KDC utilizes its master key to decrypt the TGT, and it utilizes the session
key to decrypt the timestamp. Since the user is the only individual that can use the
session key, the KDC is able to verify that the request to access resources originated from
the particular user.
6. At this point, the KDC generates a ticket for the client and a ticket for the server hosting
the resources which the client wants to access. Each ticket has a new key which the
server and client will share between each other, and contains the following information:
○ The name of the user
○ The recipient of the user request
○ A timestamp which indicates the time that the ticket was created.
○ The expiration time of the ticket
7. The server master key is used by the KDC to encrypt the ticket of the server. The ticket
of the server is stored within the ticket of the client. The session key which the KDC
shares with the particular user is then used to encrypt the entire set of information. This is
then transmitted to the user.
8. The client decrypts the information it receives using the session key. The client then
encrypts a timestamp with the new key, and transmits this together with the server ticket to
the server hosting the resources it wants to access. The server uses its master key to
decrypt the server ticket, and then uses the new key to decrypt the timestamp.
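The eight steps above as an added example that is not part of the original text or of Microsoft's implementation: a toy Python model of the exchange. The seal/unseal helpers are a hashlib/hmac stand-in for Kerberos encryption, the principal names and passwords are constructed, and, since the text states that Kerberos never transmits passwords, the logon reply is sealed with the user's long-term key instead of the client sending the password.

```python
"""Added example (not Microsoft's code): a toy model of the eight Kerberos steps above.
The "encryption" is a hashlib/hmac stand-in so it runs offline; it shows which key opens
which message, not the real Kerberos ciphers."""
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 8 * 3600   # the text says tickets remain active for about 8 or 10 hours

def long_term_key(password: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the long-term key is derived from the password.
    return hashlib.sha256(b"lt-key|" + password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key: bytes, payload: dict) -> bytes:
    # Toy authenticated encryption: SHA-256 keystream XOR plus an HMAC tag. Illustration only.
    nonce, data = os.urandom(16), json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    # The wrong key fails the tag check instead of yielding garbage, like a bad decrypt.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("cannot decrypt: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def fresh(stamp: float, skew: float = 300) -> bool:
    # Timestamps outside the (constructed) 5 minute skew are rejected as replays.
    return abs(time.time() - stamp) <= skew

class KDC:
    def __init__(self):
        self.master_key = os.urandom(32)   # KDC master key; only the KDC can open a TGT
        self.principals = {}               # account database: name -> long-term key

    def register(self, name: str, password: str) -> None:
        self.principals[name] = long_term_key(password)

    def logon(self, user: str):
        # Steps 1-4. The password never travels: the session key is sealed with the user's
        # long-term key, so only a client that knows the password can read it.
        session_key = os.urandom(32)
        tgt = seal(self.master_key, {"user": user, "session_key": session_key.hex(),
                                     "expires": time.time() + TICKET_LIFETIME})
        return seal(self.principals[user], {"session_key": session_key.hex()}), tgt

    def service_ticket(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        # Steps 5-7: master key opens the TGT, session key opens the client's timestamp.
        tgt_data = unseal(self.master_key, tgt)
        session_key = bytes.fromhex(tgt_data["session_key"])
        if tgt_data["expires"] < time.time() or not fresh(unseal(session_key, authenticator)["timestamp"]):
            raise PermissionError("TGT expired or authenticator stale")
        new_key, now = os.urandom(32), time.time()
        server_ticket = seal(self.principals[service], {"user": tgt_data["user"], "recipient": service,
                             "key": new_key.hex(), "issued": now, "expires": now + TICKET_LIFETIME})
        # The server ticket rides inside the reply, which is sealed with the user's session key.
        return seal(session_key, {"key": new_key.hex(), "server_ticket": server_ticket.hex()})

class Server:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, long_term_key(password)   # the server master key

    def accept(self, server_ticket: bytes, authenticator: bytes) -> str:
        # Step 8: server master key opens the ticket, the new shared key opens the timestamp.
        ticket = unseal(self.key, server_ticket)
        stamp = unseal(bytes.fromhex(ticket["key"]), authenticator)["timestamp"]
        if ticket["expires"] < time.time() or not fresh(stamp):
            raise PermissionError("ticket expired or authenticator stale")
        return ticket["user"]

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.password = name, password

    def logon(self, kdc: KDC) -> None:
        enc_part, self.tgt = kdc.logon(self.name)
        self.session_key = bytes.fromhex(unseal(long_term_key(self.password), enc_part)["session_key"])

    def access(self, kdc: KDC, server: Server) -> str:
        authenticator = seal(self.session_key, {"timestamp": time.time()})
        reply = unseal(self.session_key, kdc.service_ticket(self.tgt, authenticator, server.name))
        new_key = bytes.fromhex(reply["key"])
        return server.accept(bytes.fromhex(reply["server_ticket"]), seal(new_key, {"timestamp": time.time()}))

def demo() -> str:
    # Constructed principals: user alice and a file server; passwords are sample values.
    kdc = KDC()
    kdc.register("alice", "alice-sample-password")
    kdc.register("fileserver", "fileserver-sample-secret")
    alice = Client("alice", "alice-sample-password")
    alice.logon(kdc)
    return alice.access(kdc, Server("fileserver", "fileserver-sample-secret"))   # returns "alice"
```

A server holding the wrong long-term key cannot open the server ticket, which is what stops the fake services the text describes from accepting a client's ticket.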
NT LAN Manager (NTLM) Authentication Protocol
The NT LAN Manager (NTLM) authentication protocol is the main authentication type used to
enable network authentication for versions of Windows earlier than Windows 2000, such as
Windows NT 4. The protocol is essentially used for authentication between machines running
Windows NT and machines running Windows Server 2003.
The NTLM authentication type is typically used in the scenarios listed below:
• By workstations and standalone servers that are members of workgroups.
• By Windows 2000 or Windows XP Professional computers accessing a Windows NT 4.0
primary domain controller or backup domain controller.
• By Windows NT 4.0 domain users when trusts exist with a Windows 2000 or Windows
Server 2003 Active Directory domain or forest.
• By Windows NT 4.0 Workstation clients who want to authenticate to a Windows NT 4.0,
Windows 2000 or Windows Server 2003 domain controller.
Windows Server 2003 supports the following challenge-response authentication methods:
• LAN Manager (LM): The LM authentication protocol is used to enable backward
compatibility with the earlier OSs such as Windows 95, Windows 98, Windows NT 4.0
SP 3, and earlier OSs. LM authentication is considered the weakest authentication
protocol because it is the easiest to compromise. LM authentication should not be used in
Windows Server 2003 environments.
• NTLM version 1: NTLM version 1 is more secure than LM authentication because it uses
56-bit encryption, and user credentials are stored in the NT Hash format. This format is
more secure than the level of encryption used in LM authentication.
• NTLM version 2: NTLM version 2 utilizes a 128-bit encryption, and therefore offers the
highest level of encryption.
NTLM authentication works by encrypting the logon information of the user. This is done by
applying a hash to the password of the user. A hash is a mathematical function. The security
account database contains the hash value which is generated when NTLM encrypts the
password. The password of the user is not transmitted over the network. Instead, the client
applies the hash to the password of the user before it sends the information to the domain
controller. The value of the hash is also encrypted.
How the NTLM authentication process works
1. The client and server negotiate the authentication protocol to use.
2. The client transmits the name of the user and the name of the domain to the domain
controller.
3. At this point, the domain controller creates a nonce. This is a 16-byte random character
string.
4. The nonce is encrypted by the client using the hash of the user password. The client
forwards this to the domain controller.
5. The domain controller then obtains the hash of the user password from the security
account database to encrypt the nonce.
6. This is then compared to the hash value which the client forwarded.
7. Authentication occurs when the two values are identical.
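The seven NTLM steps above as an added example (not Microsoft's code): SHA-256 stands in for the NT hash and HMAC-SHA256 for encrypting the nonce with the password hash, and the account database and passwords are constructed; the real NTLM primitives differ, but the flow of the exchange is the same.

```python
"""Added example (not Microsoft's code): the NTLM challenge-response flow from the text.
SHA-256 and HMAC-SHA256 are stand-ins for the real NTLM primitives."""
import hashlib, hmac, os

def nt_hash(password: str) -> bytes:
    # Stand-in for the NT hash; this value, not the password, is what the account database stores,
    # so the stored hash must be protected as carefully as the password itself.
    return hashlib.sha256(b"nt-hash|" + password.encode("utf-16-le")).digest()

def new_nonce() -> bytes:
    # Step 3: the domain controller issues a 16-byte random challenge.
    return os.urandom(16)

def client_response(password: str, nonce: bytes) -> bytes:
    # Step 4: the client "encrypts" the nonce with the hash of its password; the password stays local.
    return hmac.new(nt_hash(password), nonce, hashlib.sha256).digest()

def domain_controller_verify(account_db: dict, user: str, nonce: bytes, response: bytes) -> bool:
    # Steps 5-7: the DC recomputes the expected value from the stored hash and compares the two.
    stored_hash = account_db.get(user)
    if stored_hash is None:
        return False
    expected = hmac.new(stored_hash, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)   # constant-time comparison

def demo() -> tuple:
    # Constructed account database: user name -> stored hash (sample password, not a real one).
    account_db = {"CORP\\alice": nt_hash("alice-sample-password")}
    nonce = new_nonce()
    good = domain_controller_verify(account_db, "CORP\\alice", nonce,
                                    client_response("alice-sample-password", nonce))
    bad = domain_controller_verify(account_db, "CORP\\alice", nonce,
                                   client_response("wrong-password", nonce))
    # A response is bound to the nonce it answered; presenting it against a fresh challenge fails.
    replayed = domain_controller_verify(account_db, "CORP\\alice", new_nonce(),
                                        client_response("alice-sample-password", nonce))
    return good, bad, replayed    # (True, False, False)
```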
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
Secure Sockets Layer (SSL) is a Windows Server 2003 security protocol which utilizes public-key
technology to provide a secure channel for applications communicating over a non-secure
network such as the Internet. SSL is typically used by Web browsers and Web servers for secure
communication channels. The Secure Sockets Layer (SSL) protocol functions at the OSI model's
network layer to provide encryption for the following protocols:
• HTTP
• LDAP
• IMAP
The SSL protocol provides the following functions:
• Server authentication makes it possible for the user to verify that the Web server he/she
is accessing is, in fact, the server it claims to be.
• Client authentication enables the server to verify the identity of the user.
• Encrypted connections enable data confidentiality, because information passed between
the server and client is encrypted and decrypted.
Before a client and server can partake in secure Internet communication, the client and server
have to perform a security handshake. The security handshake is a process that authenticates
each entity involved in communication, and also establishes the level of security to use for
communication.
The following events occur when a client and server partake in a security handshake:
1. The client sends a request for a secure channel connection to the server.
2. The server sends its public-key certificate to the client. The server can also request the
certificate of the client for mutual authentication.
3. The client then verifies the authenticity of the certificate of the server. At this stage, the
client sends its certificate to the server if the server requested it in Step 2. The server
proceeds to verify the client's certificate.
4. The client produces a session key, and encrypts the session key with the public key of
the server.
5. The server and client now have a secure channel for communication, because information
passed between the two is encrypted and decrypted with the session key.
The Transport Layer Security (TLS) protocol, currently being developed by the Internet
Engineering Task Force (IETF), will replace the SSL protocol as the new protocol for securing
Internet traffic.
Digest Authentication
Digest authentication is typically used for authenticating Web applications running on Internet
Information Services (IIS). Digest authentication utilizes the Digest Access Protocol in the
authentication process. The Digest Access Protocol employs a challenge-response mechanism
for applications using HTTP or Simple Authentication and Security Layer (SASL) communications.
Once a client is authenticated, the session key of the client is stored on the Web server. When
digest authentication transmits user information over the network, it does so using an encrypted
hash. This prevents unauthorized users who may be attempting to access network resources
from intercepting the credentials of the user. Any ensuing authentication requests submitted by
the same client are dealt with by using this session key. Because of this feature of digest
authentication, the client does not need to authenticate with a domain controller each time that it
submits an authentication request.
A few conditions have to be met prior to using digest authentication on IIS servers. These are
listed below.
• Any client that wants to access a digest authentication secured resource has to be running
Internet Explorer 5 or later.
• The IIS server has to be running Windows 2000 or above.
• The domain of which the IIS server is a member has to include a domain controller
that is running Windows Server 2003 or Windows 2000.
• The IIS server and a user that wants to log on to the IIS server have to belong to the same
domain, or to domains joined through trusts.
• Each user that needs to be authenticated must have a legitimate account in Active
Directory, on the particular domain controller.
• The passwords of users have to be stored in a reversibly encrypted format in Active
Directory. You can use the Active Directory Users and Computers console to access the
Account tab of the Properties dialog box of a user, to enable reversible encryption.
Passport Authentication
Web sites that utilize Passport authentication make use of a central Passport server to
authenticate users. Passport authentication works with Microsoft Internet Explorer, Netscape
Navigator, and even with some UNIX systems and browsers. This is due to the fact that Passport
authentication is not proprietary. Passport encryption utilizes the following Web technologies:
• SSL encryption
• Symmetric key encryption
• HTTP redirects
• Cookies
A few features of passport authentication are listed below:
• All Web pages which are used to manage sign-in and sign-out operations are located in a
central repository.
• These Web pages make use of SSL encryption to transmit information on user names,
and user account passwords.
• The Web site does not receive the actual passport of the user. Instead, it receives a cookie
which includes the encrypted timestamp which was generated when the user initially
signed in.
• Web sites using passport authentication make use of encrypted cookies to enable users to
access multiple sites, with the user not being required to resubmit his/her login
credentials. The actual cookie files utilize strong encryption.
• The central Passport server uses encryption when it sends sign-in credentials and any
other user information to a Web site enabled with passport authentication.
Smart Cards
Windows Server 2003 supports smart card authentication. Smart cards can be used to secure the
following items:
• The certificates of your users
• Public and private keys
• Passwords and other confidential data.
A smart card is a device similar in size to a credit card. Smart cards are dependent on the
Windows Server 2003 public key infrastructure (PKI). A smart card is used in conjunction with
a personal identification number (PIN) to enable authentication and single sign-on in the
enterprise. The smart card stores the private key of the user, the public key certificate, and
logon information. The user inserts the smart card into the smart card reader that is attached to
the computer, and then enters the PIN when prompted.
Smart cards are typically used for interactive user logons to provide further security and
encryption for logon credentials. Smart card readers can be installed on servers, so that you can
require administrators to use smart card authentication when using an administrator account. You
can also require remote access logons to use smart card authentication. This assists in preventing
unauthorized users from using VPN or dial-up connections to launch an attack on your network.
Through smart cards, you can encrypt confidential files and other confidential user information
as well.
The cost associated with implementing and administering a smart card authentication strategy is
determined by the following elements:
• The number of and location of users that are to be enrolled in your smart card
authentication strategy.
• The method which the organization is going to utilize to issue smart cards to users.
• The procedures which are going to be implemented to deal with users who misplace their
smart cards.
In addition to the above, with smart card authentication, each computer has to have a smart card
reader, and one computer has to be configured as the smart card enrollment station. It is
recommended to use only plug and play Personal Computer/Smart Card (PC/SC) compliant smart
card readers. The user responsible for the smart card enrollment station has to be issued an
Enrollment Agent certificate. The owner of this certificate can issue smart cards for users.
Internet Authentication Service (IAS)
The Internet Authentication Service (IAS) functions as a Remote Authentication Dial-In User
Service (RADIUS) server, and can be used to manage the login process of users by providing the
following key features:
• Management of user authentication: IAS can be used for dial-up and VPN access, and for
wireless access.
• The IAS service provides the RADIUS protocol which it utilizes to pass authentication
and authorization requests to the proper Active Directory domain.
• Verification of the user to access network resources
• Tracking of user activity
Internet Authentication Service (IAS) is supported in the following editions of Windows Server
2003:
• Windows Server 2003 Standard Edition
• Windows Server 2003 Enterprise Edition
• Windows Server 2003 Datacenter Edition
The default authentication protocols supported by IAS are:
• Point-to-Point Protocol (PPP): The following PPP protocols are supported by IAS:
○ EAP-MD5
○ Extensible Authentication Protocol-Transport Level Security (EAP-TLS)
Although EAP-TLS is considered the strongest remote access services authentication
method, it can only be used when clients are running Windows 2000, Windows XP or
Windows Server 2003. EAP-TLS utilizes public key certificate based authentication to
provide authentication for wireless connections.
• Extensible Authentication Protocol (EAP): The following EAP protocols are supported
by IAS:
○ Password Authentication Protocol (PAP): Windows Server 2003 supports PAP
for backward compatibility. With PAP, user information (user name and
password) is transmitted in clear text.
○ Challenge Handshake Authentication Protocol (CHAP): CHAP encrypts the user
name and password of the user through MD5 encryption. A requirement of CHAP
is that user password information has to be stored using reversible encryption in
Active Directory.
○ Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-CHAP
provides better security than that provided by CHAP. The passwords of
users do not have to be stored using reversible encryption.
○ Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP
version 2): MS-CHAP version 2 includes the security capability of mutual
authentication. Mutual authentication occurs when the server and client both
verify the identity of each other. MS-CHAP version 2 utilizes separate encryption
keys for sending and receiving security information.
Once IAS has authenticated the user, it can use a few authorization methods to verify that the
authenticated user is permitted to access the network resource(s) he/she is requesting to access.
This includes the following:
• Automatic Number Identification/Calling Line Identification (ANI/CLI): With ANI/CLI,
authorization is determined by the number which the user is calling from.
• Dialed Number Identification Service (DNIS): Authorization is determined by examining
the phone number which the caller is using.
• Remote access policies: Remote access policies can be used to allow or deny network
connection attempts, based on conditions such as group membership details, time of day,
time of week, the access number being used, and other conditions. You can also use
remote access policies to control the amount of time which a remote access client can be
connected to the network. You can specify an encryption level which a remote access
client should use to access network resources.
• Guest authorization: Guest authorization enables users to perform limited tasks, without
needing to provide user credentials (user name and password).
Wireless clients can use certificates, smart cards, or a user name and password to authenticate to
an IAS server. Before a wireless client can connect to your corporate network, you need to do
the following:
• Create a remote access policy for the wireless users which permits these users to access
the corporate network. The remote access policy should include:
○ The access method
○ User and group information
○ The authentication method
○ The policy encryption method
○ The appropriate permissions
• All Wireless APs should be added on the IAS server as RADIUS clients. This ensures that
login information can be forwarded to IAS.
The events which occur when wireless clients request network access are outlined below.
1. The Wireless AP requests authentication information from the wireless client.
2. The wireless client then passes this information to the Wireless AP. The Wireless AP
forwards the information to IAS.
3. When the information IAS receives is valid, it passes an encrypted authentication key to
the Wireless AP.
4. The Wireless AP next utilizes the encrypted authentication key to create a session with
the wireless client.
How to install the Internet Authentication Service (IAS) on a domain controller
1. Click Start, Programs, Control Panel, and then double-click Add/Remove Programs.
2. Select Add/Remove Windows Components.
3. This launches the Windows Components Wizard.
4. Click Networking Services. Click Details.
5. When the Networking Services dialog box opens, enable the Internet Authentication
Service checkbox.
6. Click OK.
7. To start the actual installation of IAS, click Next.
8. When prompted, place the Windows Server 2003 CD into the CD-ROM drive.
9. Once the installation of IAS is complete, click Finish, and then click Close.
10. To register the IAS server with Active Directory so that it can obtain user information
from Active Directory domains, click Start, Programs, Administrative Tools, and then
Internet Authentication Service.
11. Right-click Internet Authentication Service, and then select Register Server in Active
Directory on the shortcut menu.
12. Click OK.
How to create a remote access policy
1. Click Start, Programs, Administrative Tools, and then Internet Authentication Service.
2. Right-click Remote Access Policies and then click New Remote Access Policy on the
shortcut menu.
3. This action starts the New Remote Access Policy Wizard. Click Next on the welcome
screen of the wizard.
4. Click the Use the wizard to set up a typical policy for a common scenario option, and
enter a name for the new remote access policy in the Policy name box. Click Next.
5. When the Access Method screen appears, choose the Dialup access method. The other
access method options include:
○ VPN access
○ Wireless access
○ Ethernet
6. Click Next.
7. Select Group and then choose the group to which you want to grant remote access
permission. Click Next.
8. When the Authentication Methods screen appears, choose one of the following
authentication methods for the new remote access policy.
○ Extensible Authentication Protocol (EAP)
○ Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
○ Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
9. Click Next.
10. Specify the encryption level which users should utilize to connect to the IAS server.
Click Next.
11. Click Finish.
If you want to set any further remote access conditions, right-click the particular remote access
policy, and click Properties from the shortcut menu.

Planning and Implementing an Authentication Solution
An Overview on Authentication
Authentication is the process of distinguishing authorized users from unauthorized users. It is
therefore the initial step in defining and implementing a network security strategy, because it
deals with restricting access to the network. A solid authentication solution prevents
unauthorized users such as hackers, and malicious programs such as Trojan horses, from
accessing network resources. Implementing the ideal authentication strategy for your network
can be tricky: while too much authentication keeps unauthorized network access under control,
it can also prevent authorized network users from legitimately accessing network resources.
Authentication also opens the door to other security strategies and implementations such as
authorization and auditing. Authentication is typically performed by the user attempting to
access the system, providing a user name and password. A user is authenticated once the
authentication strategy implemented within your organization verifies that the user is indeed who
he/she claims to be, based on the user name and password combination provided. At this point,
the system does not know whether the user is authorized to access the network resource(s) he/she
is attempting to access. Authorization is the process that verifies whether a user is permitted to
access network resources by checking the ACL of a resource, and by differentiating between
standard users, groups, administrators, and guests. From this short discussion, you can see how
important the security concepts of authentication and authorization are, and how authentication
makes it possible for authorization to be implemented and operational in your network. Auditing,
on the other hand, deals with monitoring and tracking the actions which were performed on
network resources. Auditing is also referred to as accounting.
It is evident that a strong security strategy has to focus on authentication, authorization and
accounting/auditing. The location of the users that need to access the network, and the client and
server operating system (OS) employed within your environment, greatly influence which
authentication solution you need to implement. Users can be connected through a simple dial-up
connection, or through a high-speed network connection.
Implementing a strong authentication solution would most certainly require the combined usage
of protocols, mechanisms and strategies. All of these facets should inter-operate to ensure that a
user attempting to access the system is in fact the user that he/she claims to be.
The following protocols and mechanisms can be used to perform authentication:
• Kerberos authentication protocol
• NT LAN Manager (NTLM) authentication protocol
• Secure Sockets Layer/Transport Layer Security (SSL/TLS)
• Digest authentication
• Smart cards
• Virtual Private Networking (VPN) and Remote Access Services (RAS)
Password authentication is on the whole the most commonly implemented authentication method.
Password authentication is the process whereby a user provides a user name and password to the
computer, and the computer checks that the credentials provided by the user match the
credentials stored in the system for the particular user name. When a match occurs, the user is
permitted to access the system. One of the factors that affects the success of password
authentication is the manner in which the password of the user is transmitted over the network.
Passwords used for authentication should not be transmitted in clear text over the network.
The later authentication methods, Kerberos and NT LAN Manager (NTLM), do not transmit the
true user password over the network connection. While you can control whether or not
passwords are transmitted in clear text over the network, you have far less control over
whether users are actually using strong passwords, and whether they are revealing their user
credentials to other parties. Strategies such as implementing password policies can assist in
ensuring that users do indeed use strong, complex passwords.
A few methods of securing user accounts are listed below:
• You should control membership of the administrative security groups listed below.
Standard network users that do not need to perform any administrative duties should not
be included as members of any administrative security groups:
○ Domain Admins security group
○ Enterprise Admins security group
○ Schema Admins security group
• You can limit administrator accounts or members of the Domain Admins group to log on
only to specific computers within your network.
• You can also restrict administrators to only using an administrative account when they
need to perform administrative functions, and to using a standard account for normal
functions such as reading e-mail.
• Through the use of smart cards, you can implement an additional level of authentication
for administrators, by forcing them to use smart cards to authenticate if they are logging
on to the system via an administrative account.
Windows Server 2003 supports single sign-on. Single sign-on enables domain users to
authenticate once and then use any computer and resource in the domain without authenticating
again, so administrators do not need to manage separate user accounts across domains and
servers. For single sign-on to work, the following has to occur:
• The user performs an interactive logon: the user provides credentials to the operating
system. The logon name and password can belong to one of the account types listed below:
• A domain user account held on a domain controller. Domain account information is
stored in Active Directory, and once authenticated the user can access both the
domain and the local workstation.
• A user account stored in the Security Account Manager (SAM) database of the local
computer. Accounts in the SAM database are only used to access that computer; every
member server and workstation holds its own SAM database.
• Network authentication then takes place whenever the interactively logged-on user accesses
a resource that resides elsewhere on the network. Kerberos, NT LAN Manager (NTLM) and
Secure Sockets Layer/Transport Layer Security (SSL/TLS) provide network authentication.
Understanding how Password Policies affect Authentication
Microsoft describes a strategy called defense in depth for implementing a security solution.
Defense in depth is the implementation of numerous security mechanisms and practices, so that
when one security mechanism is compromised, other security mechanisms are already in place to
block further unauthorized access attempts.
A few main elements of a defense-in-depth model are summarized below:
• Use the system key (syskey) utility on your mission-critical machines. Syskey encrypts the
password hashes stored in the local SAM database with an additional key that you can choose
to keep off the machine.
• Educate your users on the importance of security within your network environment. For
instance, educate users on factors such as locking unattended workstations, and keeping
their passwords safe. Users should also be educated on not saving their passwords on a
local workstation.
• The password should be immediately changed on any user account that has been
compromised.
• Implement a password policy and an account lockout policy that suit the security needs
of the organization.
• When you have applications within your network that use service accounts to access the
operating system, ensure that each service account has a unique password. Using the
same password for a set of service accounts could result in many applications being
vulnerable when the password is compromised.
Passwords are probably the weakest component of an authentication implementation. Weak
passwords can be guessed, or cracked offline from captured hashes or challenge-response
exchanges, even when the password itself is never sent in clear text. Password encryption only
means that the password does not travel over the network in clear text; it does not make a
guessable password safe. When users choose strong, complex passwords, an unauthorized
individual should not easily be able to guess or recover the password. Having users change their
passwords regularly also limits the window in which a recovered password remains valid.
What is a weak password? A weak password is blank, or contains any of the following
information, or a part of it:
• The name of the user
• The name of the organization
• The login ID of the user
• The word 'password'
What is a strong password? A strong password contains none of the above, and has the following
characteristics:
• The password is complex enough that it cannot be guessed by unauthorized users, but can
still be remembered by its owner. The user should not need to write the password down.
• The password is at least seven characters in length.
• The password includes characters from at least three of the following four groups:
• Uppercase characters: letters A through Z
• Lowercase characters: letters a through z
• Non-alphanumeric characters (symbols) such as $, #, %
• Numeric digits 0 through 9
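The following Python function is an added example, not part of the original text: it checks a candidate password against the weak- and strong-password rules listed above, including the rule that parts of the user's display name must not appear in the password (the same check the Password must meet complexity requirements setting performs, which splits the display name on comma, period, dash, underscore, space, pound sign and tab). The account name, display name and organization name used in the demonstration are constructed.

```python
import re

# Separators used to split the display name into tokens that a complex password must not
# contain (comma, period, dash, underscore, space, pound sign, tab)
_NAME_SEPARATORS = re.compile(r"[,.\-_ #\t]+")


def password_problems(password, account_name, display_name="", org_name=""):
    """Return the reasons a candidate password is weak; an empty list means it passes.

    Rules: not blank, at least 7 characters, characters from at least 3 of the 4 classes,
    and no account name, display-name token (3+ characters), organization name or the
    word "password" anywhere in it (compared case-insensitively).
    """
    problems = []
    if not password:
        return ["password is blank"]
    if len(password) < 7:
        problems.append("shorter than 7 characters")

    classes = [
        re.search(r"[A-Z]", password),          # uppercase letters
        re.search(r"[a-z]", password),          # lowercase letters
        re.search(r"[0-9]", password),          # digits
        re.search(r"[^A-Za-z0-9]", password),   # symbols such as $ # %
    ]
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than 3 of the 4 character classes")

    # Strings that must not appear inside the password
    tokens = {account_name.lower(), org_name.lower(), "password"}
    tokens.update(_NAME_SEPARATORS.split(display_name.lower()))
    lowered = password.lower()
    for token in sorted(tokens):
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed user and candidate passwords
    for candidate in ("", "jsmith99", "Password1!", "Summer!2003"):
        result = password_problems(candidate, "jsmith", "John Smith", "Contoso")
        print(repr(candidate), result or "ok")
```

The check is deliberately a superset of the page's list: it rejects the login ID and organization name as well as fragments of the display name, because an attacker's first wordlist is built from exactly those sources.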
Implementing Password Policies
You can implement a strong password policy by using the following security policy settings
located in the Password Policy node under Account Policies:
• Maximum password age: determines the number of days after which a user is forced to
change the password.
• Enforce password history: prevents users from reusing previously used passwords by
remembering the last n passwords for each account.
• Minimum password age: determines how long a user must keep a password before changing
it again; without it, users can cycle through the password history and return to the old
password immediately.
• Minimum password length: stipulates the minimum number of characters a password must
have.
• Password must meet complexity requirements: enforces character-class and name rules of
the kind described above, rejecting passwords that contain the account name or parts of
the user's full name.
• Store passwords using reversible encryption: leave this disabled unless an application
(for example, classic Digest authentication) requires it, because it stores passwords in a
form that can be decrypted.
Account lockout policies should be implemented if your environment is particularly vulnerable to
password-guessing attacks. An account lockout policy ensures that a user's account is locked
after an individual has unsuccessfully tried several times to provide the correct password. The
important factor when defining an account lockout policy is that it should permit some degree
of user error, but still stop an attacker from guessing passwords against your accounts
indefinitely. Be aware that a low threshold lets an attacker deliberately lock accounts out (a
denial of service) simply by submitting wrong passwords.
The following settings are located in the Account Lockout Policy node under Account Policies:
• Account lockout threshold: the number of failed logon attempts after which the account is
locked out. A value of 0 means the account is never locked out.
• Account lockout duration: the number of minutes a locked account remains locked. A value
of 0 means the account stays locked until an administrator manually unlocks it.
• Reset account lockout counter after: the number of minutes that must pass after the most
recent failed logon attempt before the failed-attempt counter is reset to zero. Windows
requires the lockout duration to be greater than or equal to this value.
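The interaction of the three settings is easy to misread, so the following Python simulation is added here (it is not from the original text and not Windows code) to show how the failed-attempt counter, the reset window and the lockout duration combine. The account, password and timestamps are constructed; the password is compared in clear only because the subject is the counters, not credential storage.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three Account Lockout Policy settings, in the units the policy uses."""
    threshold: int = 5          # Account lockout threshold: failed attempts; 0 = never lock out
    duration_min: int = 30      # Account lockout duration: minutes; 0 = until an administrator unlocks
    reset_after_min: int = 30   # Reset account lockout counter after: minutes since the last failure


@dataclass
class Account:
    password: str                          # constructed; a real system stores a hash
    bad_count: int = 0
    last_bad_at: Optional[float] = None    # seconds: time of the most recent failed attempt
    locked_at: Optional[float] = None      # seconds: time the lockout began


class Authenticator:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}

    def add(self, name: str, password: str):
        self.accounts[name] = Account(password)

    def _still_locked(self, acct: Account, now: float) -> bool:
        if acct.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True                                   # only admin_unlock() clears it
        if now - acct.locked_at >= self.policy.duration_min * 60:
            acct.locked_at, acct.bad_count = None, 0      # lockout expired, counter cleared
            return False
        return True

    def logon(self, name: str, password: str, now: float) -> str:
        """Attempt a logon at time `now` (seconds); returns "ok", "bad-password" or "locked"."""
        acct = self.accounts[name]
        if self._still_locked(acct, now):
            return "locked"                               # even the correct password is refused
        # The reset window runs from the most recent failure, not from the first one
        if acct.last_bad_at is not None and now - acct.last_bad_at >= self.policy.reset_after_min * 60:
            acct.bad_count = 0
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.bad_count = 0
            return "ok"
        acct.bad_count += 1
        acct.last_bad_at = now
        if self.policy.threshold and acct.bad_count >= self.policy.threshold:
            acct.locked_at = now
            return "locked"
        return "bad-password"

    def admin_unlock(self, name: str):
        acct = self.accounts[name]
        acct.locked_at, acct.bad_count, acct.last_bad_at = None, 0, None


if __name__ == "__main__":
    MIN = 60
    auth = Authenticator(LockoutPolicy(threshold=5, duration_min=30, reset_after_min=30))
    auth.add("alice", "Summer!2003")                       # constructed account
    for t in (0, 1, 2, 3):
        print(t, auth.logon("alice", "wrong", t * MIN))     # bad-password, count 1..4
    print(40, auth.logon("alice", "wrong", 40 * MIN))       # 37 min since last failure: counter reset
    for t in (41, 42, 43, 44):
        print(t, auth.logon("alice", "wrong", t * MIN))     # fifth failure at 44 locks the account
    print(50, auth.logon("alice", "Summer!2003", 50 * MIN))  # locked
    print(74, auth.logon("alice", "Summer!2003", 74 * MIN))  # duration elapsed: ok
```

The point the simulation makes is that an attacker who spaces guesses further apart than the reset window never trips the threshold, so the reset window, not the threshold alone, bounds the guessing rate; a duration of 0 turns every lockout into a help-desk call.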
How to implement a domain password policy
In a Windows Server 2003 domain, password and account lockout settings for domain accounts are
effective only when applied at the domain level, so they are normally set in the Default Domain
Policy; a policy linked to an organizational unit affects only the local accounts on the
computers in that OU.
1. Open the Active Directory Users and Computers console from the Administrative Tools
menu.
2. In the console tree, right-click the domain for which you want to implement a password
policy, and then select Properties from the shortcut menu.
3. When the Properties dialog box for the domain opens, select the Group Policy tab. From
this tab, you can click New to create a new Group Policy object for the domain, or select
Default Domain Policy and click Edit to change the default policy.
4. In the Group Policy Object Editor, expand Computer Configuration, Windows Settings,
Security Settings, Account Policies, and then expand Password Policy.
5. Right-click the setting that you want to configure and then select Properties from the
shortcut menu. The following settings are available here:
○ Enforce password history, Maximum password age, Minimum password age,
Minimum password length, Password must meet complexity requirements, Store
passwords using reversible encryption.
How to implement an account lockout policy
1. Open the Active Directory Users and Computers console under the Administrative Tools
Menu.
2. In the console tree, locate and right-click the domain that you want to work with, and
then select Properties from the shortcut menu.
3. Select Default Domain Policy, and then click Edit.
4. Click Computer Configuration, expand Windows Settings, Security Settings, Account
Policies, and then expand Account Lockout Policy.
5. Right-click the setting that you want to configure and then select Properties from the
shortcut menu. The following account lockout settings are available here:
○ Account lockout duration, Account lockout threshold, Reset account lockout
counter after.
How to reset a local user account password
1. Log on to the workstation with an account that is a member of the local Administrators
group, such as the local Administrator account or a Domain Admins account.
2. Click Start, All Programs, Administrative Tools and then click Computer Management.
3. This action opens the Computer Management console.
4. In the left console tree, click Computer Management, click System Tools, click Local
Users and Groups, and then click Users.
5. Right-click the user account that you want to reset the password of, and select Set
Password from the shortcut menu.
6. When a message dialog appears, warning that the user could possibly lose data as a result
of the password reset process, click the Proceed button.
7. Set the new password for the user.
8. Click OK.
9. The system next informs you that the password of the local user account was successfully
reset. Click OK.
10. In the Computer Management console, right-click the user account that you just reset the
password for, and then select Properties from the shortcut menu.
11. Enable the User Must Change Password at Next Logon option
12. Click OK.
How to create a password reset disk
In previous versions of Windows such as Windows 2000, when a user forgot a password an
administrator had to reset it manually. With Windows XP and Windows Server 2003, a user can
create a password reset disk for his or her local user account. Using a password reset disk
avoids the loss of EFS-encrypted files, stored Internet passwords and other secrets that are
protected by the user's password; this data loss occurs when an administrator resets the
password instead. Keep in mind that anyone holding the disk can reset the account, so it must be
stored as securely as the password itself.
The following sequence of events occurs when a password reset disk is created:
1. The system creates a public key and private key pair.
2. The public key encrypts the current password of the user's local account.
3. The private key is stored on the password reset disk.
4. When the user forgets the password, the private key on the disk decrypts the stored copy
of the password.
5. The user then sets a new password in the Password Reset wizard; the new password is
encrypted with the same public key, so the disk remains valid after the change.
Use the steps below to create a password reset disk,
1. Hold down the Ctrl+Alt+Del key combination, and click the Change Password option.
2. Enter the logon information for the account that you want to create a password reset disk
for in the User Name box.
3. In the Log on to box, select the local computer name; password reset disks can be created
only for local accounts, not for domain accounts.
4. Click the Backup button.
5. This action launches the Forgotten Password wizard.
6. On the initial Welcome screen of the Forgotten Password wizard, click Next.
7. When prompted, insert a blank diskette into the A:\ drive.
8. Click Next to create the actual password reset disk.
How to create a system key
The System Key (syskey) utility encrypts the password hashes stored in the SAM database.
Windows 2000 and later already have this encryption enabled by default, with the key stored on
the local computer; the utility lets you move the key off the machine or protect it with a
startup password. Once enabled, the encryption cannot be turned off again. To configure the
system key, use the steps summarized below.
1. After logging on to the Windows Server 2003 server desktop, click Start, Run, enter syskey
in the Run dialog box, and then click OK.
2. Confirm that the Encryption Enabled option is selected, and click the Update button.
3. Select one of the following options:
○ Password Startup option: Although this option encrypts password information on
the local computer, you have to specify a password that protects the actual system
key. You have to then provide this particular password when you reboot the
computer.
○ System Generated Password option: After selecting this option, you have to select
one of the following options:
 Store Startup Key on Floppy Disk: This option stores the system key on a
diskette. This diskette has to be inserted when the system starts up.
 Store Startup Key Locally: This option stores the key used for encrypting
password information on the local computer. Store Startup Key Locally is
the option that offers the least security.
4. Click OK.
Windows Server 2003 Authentication Protocols
Windows Server 2003 supports the following authentication protocols:
• NT LAN Manager (NTLM) authentication protocol: NTLM uses challenge-response
authentication (the server sends a random challenge, and the client answers with a value
computed from the challenge and a hash of the user's password, so the password itself never
crosses the network) to authenticate the following types of users and computers:
• Users and computers running Windows Me and earlier operating systems.
• Computers running Windows 2000 or later that are not members of a domain, or that
are accessed by IP address or through a local account.
The following challenge-response authentication methods are supported in Windows
Server 2003:
○ LAN Manager (LM): the least secure challenge-response method, originally developed
for Windows for Workgroups, Windows 95, Windows 98 and Windows Me. With LM
authentication, the authenticating server stores the user credential as an LM hash
(LMHash). The LM hash converts the password to uppercase, truncates it to 14
characters and hashes the two 7-character halves independently, which is why it can
be cracked so quickly.
○ NTLMv1: the server stores the credential as an NT hash (NTHash), an MD4 hash of
the case-preserved Unicode password. The response is computed with 56-bit DES keys
derived from that hash. NTLMv1 is more secure than LM, and is used to connect to
servers running Windows NT 4.0 with SP3 or earlier.
○ NTLMv2: the response is a 128-bit HMAC-MD5 keyed with the NT hash and includes a
client challenge and timestamp, which protects against replay. NTLMv2 is typically
used to connect to servers running Windows 2000, Windows XP, and Windows NT 4.0
with SP4 or later.
• Kerberos authentication protocol: Kerberos version 5 is the default authentication
protocol for Windows 2000, Windows XP Professional, and Windows Server 2003 domain
members. Kerberos authentication offers improved security over NTLM, including the
following:
○ Delegated authentication enables a service to act on behalf of (impersonate) a
client when accessing other network resources.
○ Mutual authentication makes it possible for the client to verify the identity of
the server as well.
○ A server can authenticate a client without contacting a domain controller, because
the service ticket presented by the client is encrypted with the server's own
long-term key.
○ Transitive trust can be used between domains within the same forest, and between
forests connected with a forest trust relationship.
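To make concrete both the earlier statement that Kerberos and NTLM never send the true password, and the NTLMv2 challenge-response described above, the following Python block is added here as an example (it is not from the original text and not Microsoft's implementation). It computes the NT hash and the NTLMv2 response on the client side, and verifies the response on the server side using only the stored NT hash. MD4 is written out because many current OpenSSL builds no longer expose it to Python's hashlib; LM is not implemented, since it needs DES, which the standard library lacks. The server challenge and client blob are constructed and simplified (a real NTLMv2 blob carries a timestamp, a client nonce and target information), and the user, domain and password are assumptions.

```python
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Written out here because many OpenSSL builds no longer expose it to hashlib."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, message-word order, shift amounts, additive constant)
        (F, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for fn, order, shifts, const in rounds:
            for j in range(16):
                t = (-j) % 4   # the word being updated cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rotl((v[t] + fn(x, y, z) + X[order[j]] + const) & mask, shifts[j % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (NTHash) as stored by Windows: MD4 of the UTF-16LE password, case preserved."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, both UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: a 16-byte proof over the server challenge and the client blob, then the blob itself."""
    key = ntlmv2_key(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server/DC side: it holds only the NT hash, never the password, and recomputes the proof from it."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    print(nt_hash("password").hex())                       # 8846f7eaee8fb117ad06bdd830b7586c
    challenge = os.urandom(8)                               # fresh per authentication, so a response cannot be replayed
    blob = b"\x01\x01" + bytes(6) + os.urandom(8) + os.urandom(8)   # constructed stand-in for the NTLMv2 blob
    resp = client_response("Summer!2003", "alice", "CONTOSO", challenge, blob)   # assumed credentials
    stored = nt_hash("Summer!2003")                         # what the DC keeps in Active Directory
    print(server_verify(stored, "alice", "CONTOSO", challenge, resp))            # True
    print(server_verify(stored, "alice", "CONTOSO", os.urandom(8), resp))        # False: wrong challenge
```

Two consequences are visible in the code: the server never needs the password, only the hash, so the hash is itself a credential (pass-the-hash); and because the proof is unsalted HMAC-MD5 over a hash of the password, a captured challenge and response can still be cracked offline against a wordlist, which is why weak passwords remain the real exposure.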
Authentication Methods for Earlier Operating Systems (OSs)
Because authentication protocols improve over time, the authentication methods used in earlier
OSs are less secure than those used in later OSs. To provide backward compatibility, Windows
Server 2003 supports several authentication protocols, including Kerberos, LM, NTLM and
NTLMv2. Use the more secure protocols, NTLMv2 and Kerberos, whenever you do not need
compatibility with earlier operating systems. The Network Security: LAN Manager Authentication
Level policy determines which NTLM-family responses a computer sends, and which ones it accepts
from clients when it acts as a server. The policy is located under Local Policies in the Security
Options node, and corresponds to the LmCompatibilityLevel registry value (0 through 5) under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The higher the level, the less compatibility exists
between your system and earlier OSs. A companion setting, Network security: Do not store LAN
Manager hash value on next password change, stops the weak LM hash from being stored at all;
this matters because a stolen LM hash can be cracked regardless of the authentication level in
use.
The LM Authentication Levels that can be selected are listed below, ordered from the least
secure option (level 0) to the most secure option (level 5).
• Send LM & NTLM responses: clients use LM and NTLM authentication and never use NTLMv2
session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. This lets
clients authenticate to servers running OSs prior to Windows NT 4.0 Service Pack 4.
• Send LM & NTLM responses\use NTLMv2 session security if negotiated: clients use LM and
NTLM authentication, and use NTLMv2 session security if the server supports it; domain
controllers accept LM, NTLM, and NTLMv2 authentication.
• Send NTLM response only: clients use NTLM authentication only (LM responses are no longer
sent), and use NTLMv2 session security if the server supports it; domain controllers accept
LM, NTLM, and NTLMv2 authentication.
• Send NTLMv2 response only: clients use NTLMv2 authentication only, and use NTLMv2 session
security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2
authentication.
• Send NTLMv2 response only\refuse LM: clients use NTLMv2 authentication only; domain
controllers refuse LM and accept only NTLM and NTLMv2 authentication.
• Send NTLMv2 response only\refuse LM & NTLM: clients use NTLMv2 authentication only;
domain controllers refuse LM and NTLM and accept only NTLMv2 authentication.
Note that the first four levels change only what a computer sends as a client; as a server it
continues to accept LM responses from older clients until you move to level 4 or 5.
Anonymous authentication allows a user or network client to be authenticated without furnishing
any user credentials. On Windows Server 2003 the Anonymous Logon identity is no longer a
member of the Everyone group by default, so an anonymous connection is not authorized to access
network resources unless you explicitly grant it access; with earlier Windows operating systems
this was not the case. Anonymous access is typically retained only for backward compatibility
with systems earlier than Windows 2000, in the following scenarios:
• Windows NT 4.0 domain controllers may use anonymous access to obtain information from
domain controllers in trusting domains.
• Remote Access Service (RAS) servers on Windows NT 4.0 use anonymous access to determine
dial-in permissions.
• Older OSs may use anonymous access to change passwords (through the Pre-Windows 2000
Compatible Access group) in Active Directory.
To enable anonymous access, use one of the following security policy settings:
• Network access: Shares that can be accessed anonymously: lists the specific shares that
anonymous users may access.
• Network access: Let Everyone permissions apply to anonymous users: when enabled,
anonymous users receive every permission granted to the Everyone group, which re-opens the
pre-Windows Server 2003 behaviour for all resources at once.
A better method of enabling anonymous access to a particular resource is to add the
ANONYMOUS LOGON security principal to the access control list (ACL) of only that resource.
How to configure domain controllers to refuse LM authentication and accept only NTLM and
NTLMv2 authentication
1. After accessing the domain controller, click Start, Administrative Tools, and then click
Domain Controller Security Policy.
2. Open Local Policies, and then click Security Options.
3. Double-click Network Security: LAN Manager Authentication Level
4. This opens the Network Security: LAN Manager Authentication Level Properties dialog
box.
5. Enable the Define This Policy Setting checkbox.
6. Choose the Send NTLMv2 Response Only\Refuse LM option from the list of available
options.
7. Click OK
8. To apply the policy to the domain controller immediately, click Start, click Run, enter
gpupdate /force in the Run dialog box, and then click OK.
What is Multifactor Authentication?
A key authentication feature of Windows Server 2003 is its support for multifactor
authentication, in which the user must present something they have (a smart card) in addition
to something they know (the card's PIN). Windows Server 2003 supports smart cards natively, as
well as a number of other authentication mechanisms supplied by non-Microsoft hardware or
software. Because of the cost of implementing smart cards, they are often used only for specific
accounts such as administrator accounts. Before requiring smart cards for authentication, ensure
that your existing applications can operate with smart card logons. Applications carrying the
Certified for Windows Server 2003 logo have been tested for compliance with the Windows Server
2003 security requirements.
Applications that carry the Certified for Windows Server 2003 logo have the following
characteristics:
• They support smart card logons and operate correctly with smart card authentication.
• They can use Kerberos, NTLM, or the Secure Sockets Layer (SSL) protocol for
authentication.
• They use secure network connections and do not rely on protocols with known weaknesses,
such as LM; they use strong authentication methods and honour account policies.
The Authentication Methods used with Active Directory Trusts in Windows Server 2003
Trust is the terminology used to describe a relationship between domains or forests in Active
Directory that allows users in one domain to be authenticated by a different or remote domain.
This makes it possible for users, computers, or groups from one domain to be authenticated by
domain controllers located in different domains. Configuring trust relationships between
domains or forests does not however enable users to access resources in domains other than the
domain in which they are located. Configuring domain and forest trust relationships is however a
key component for the process of permitting users to access resources in other domains.
The different types of trusts that can be configured if you are running Windows Server 2003
Active Directory are listed below. The authentication protocols used with each trust type are
noted alongside each trust type.
• Parent/child trust is the default trust type that exists between each domain in a forest. The
Kerberos authentication protocol and the NTLM authentication protocol are used with
this trust type.
• Tree/root trust is the default trust type that exists between each domain tree in a forest.
The Kerberos and NTLM authentication protocols are used with tree/root trust.
• External trust has to be explicitly configured between domains that are not located in the
same forest. The NTLM authentication protocol is used with external trust.
• Realm trust has to be explicitly configured between a non-Windows domain such as a
Kerberos realm, and a Windows Server 2003 domain. The Kerberos authentication
protocol is used with realm trust.
• Shortcut trust is typically configured to reduce logon times between domains in a forest.
The Kerberos authentication protocol and NTLM authentication protocol is used with
shortcut trust.
• Forest trust is explicitly configured between forests raised to the Windows Server 2003
forest functional level. The Kerberos authentication protocol and NTLM authentication
protocol are used with forest trust.
The operating systems used in a domain or forest determine the authentication protocols you can
use; for instance, Windows NT 4.0 domains cannot use Kerberos and rely on NTLM (and LM for
their oldest clients). Because of this, the OS dictates which type of trust you can configure
between domains and forests.
Kerberos authentication across a forest boundary requires a forest trust, which only Windows
Server 2003 forests support. Because a Windows 2000 forest cannot locate the Kerberos Key
Distribution Centers (KDCs) of another forest, a Kerberos trust cannot be formed between a
Windows Server 2003 forest and a Windows 2000 forest; you have to configure external
(NTLM-based, non-transitive) trusts between individual domains instead. The same configuration
is necessary to create a trust relationship between a Windows Server 2003 domain and a Windows
NT 4.0 domain. Windows Server 2003 Active Directory can also create realm trusts between
Windows Server 2003 domains and UNIX or other realms that support MIT-compatible Kerberos.
The Active Directory Domains And Trusts console is the Active Directory management tool
which you need to use to configure trusts between domains within the same forest, or to
configure trusts between forests. DNS name resolution should be operational between any two
forests for which you are planning to configure a trust relationship. The functional level of each
forest in the trust relationship should be raised to the Windows Server 2003 forest functional
level before you can create the actual trust relationship.
Implementing an Authentication Strategy for Web Users
A Web browser cannot use the LM, NTLM or Kerberos protocols directly to authenticate to a Web
server, because browsers and Web servers communicate using the Hypertext Transfer Protocol
(HTTP). For a user to be authenticated to a Web server, the browser has to use an authentication
scheme carried inside HTTP, in the WWW-Authenticate and Authorization headers.
The following authentication methods can be implemented so that a Web browser can
authenticate users to a Web server:
• Basic authentication: the least secure method, but supported by virtually every Web
browser. The user name and password are sent base64-encoded, which is equivalent to clear
text, so Basic authentication should only be used over an SSL/TLS connection.
• Digest authentication for Windows domain servers: the browser sends an MD5 hash computed
over the user name, realm, password, a server-supplied nonce and the requested URI, rather
than the password itself. Classic Digest authentication requires the domain accounts to
store passwords using reversible encryption; IIS 6.0's Advanced Digest authentication
avoids this by keeping an MD5 hash of the credentials in Active Directory.
• Integrated Windows authentication: supported by only a few Web browsers, Microsoft
Internet Explorer among them. When enabled, Kerberos version 5 and NTLM authentication are
negotiated within the HTTP request (the Negotiate and NTLM schemes).
• .NET Passport authentication: enabled when the .NET Passport service is used for
authentication.
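The difference between Basic and Digest is easiest to see on the wire, so the following Python block is added as an example (not part of the original text and not IIS code). It decodes a Basic Authorization header to show that the credential is recoverable by anyone who sees the request, then computes and verifies an RFC 2617 Digest response with qop=auth, where only a hash travels and the server needs only HA1 = MD5(user:realm:password). The credentials are the worked examples from RFC 2617; the replay check on the nonce count is an assumption about what a careful server does.

```python
import base64
import hashlib
import hmac


def decode_basic(authorization_header: str) -> tuple:
    """Recover the user name and password from a Basic Authorization header.
    Base64 is an encoding, not encryption: anyone who sees the request can do this."""
    scheme, _, credentials = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(credentials).decode("utf-8").partition(":")
    return user, password


def _md5_hex(*parts: str) -> str:
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); the only secret a Digest server needs to keep."""
    return _md5_hex(user, realm, password)


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth:
    response = MD5(HA1 : nonce : nc : cnonce : qop : HA2), where HA2 = MD5(method:uri).
    Only this hex digest travels on the wire; the password never does."""
    return _md5_hex(digest_ha1(user, realm, password), nonce, nc, cnonce, qop, _md5_hex(method, uri))


class DigestServer:
    """Server side: verifies responses from stored HA1 values and rejects a replayed nonce count."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1 = {}          # user -> HA1
        self.seen = set()      # (nonce, nc) pairs already accepted

    def register(self, user: str, password: str):
        self.ha1[user] = digest_ha1(user, self.realm, password)

    def verify(self, user, method, uri, nonce, nc, cnonce, response, qop="auth") -> bool:
        if user not in self.ha1 or (nonce, nc) in self.seen:
            return False
        expected = _md5_hex(self.ha1[user], nonce, nc, cnonce, qop, _md5_hex(method, uri))
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


if __name__ == "__main__":
    # Both sample credentials are the worked examples from RFC 2617
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))           # ('Aladdin', 'open sesame')
    server = DigestServer("testrealm@host.com")
    server.register("Mufasa", "Circle Of Life")
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html", nonce, nc, cnonce)
    print(resp)                                                         # 6629fae49393a05397450978507c4ef1
    print(server.verify("Mufasa", "GET", "/dir/index.html", nonce, nc, cnonce, resp))   # True
    print(server.verify("Mufasa", "GET", "/dir/index.html", nonce, nc, cnonce, resp))   # False: replay
```

Note that HA1 is a password-equivalent: whoever reads it from the server can authenticate as the user, which is the same property that forces classic Windows Digest to keep reversible credentials, and an observed Digest exchange can still be brute-forced offline against weak passwords.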
The majority of public Web sites on the Internet permit anonymous access for a segment of the
Web site. What this means is that a user does not need to provide user credentials to access
certain information on the Web site. Internet Information Services (IIS) accesses the network
resources on behalf of anonymous users, and uses a particular user account to access these
resources. The IUSR_computername user name account is the default account used by IIS for
this purpose. This account is automatically created when IIS is installed. You can however
specify that IIS should use a different user account.
To specify a user account that IIS should use to access network resources on behalf of
anonymous users, use the steps listed below:
1. Log on to the computer with administrative rights.
2. Click Start, Administrative Tools, and then click Internet Information Services (IIS)
Manager.
3. Open the computer node, expand Web Sites, right-click the node that contains the Web
site which you want to work with, and then click Properties from the shortcut menu.
4. Select the Directory Security tab.
5. Click Edit in the Authentication And Access Control portion of the tab.
6. When the Authentication Methods dialog box opens, enter the name of the user account
in the User Name box, and then enter the password for the account in the Password box.
7. Click OK.
You can remove anonymous access by deselecting the Enable Anonymous Access checkbox on
the Authentication Methods dialog box.
Planning and Implementing an Authorization Solution
An Overview on Authorization
Authentication is the first step in implementing a security strategy to protect your network
resources and elements from unauthorized users, because it is the process that deals with
identifying valid authorized network users from unauthorized users. Authentication therefore
verifies the identity of users. The next step in securing your network resources and elements
from unauthorized access is authorization. Authorization is the process that controls which
objects an authenticated network user can access. Just because a user is authenticated, does not
necessarily mean that the particular user is permitted to access all network resources.
Authorization determines whether the user can indeed access, and perform the requested actions
on the network resources which the user is attempting to access.
Access to network resources is controlled by setting permissions for objects and assigning
rights to users. Permissions define the users or groups that are permitted to access a network
resource, and the type of access permitted to it. Access to a network resource is controlled by
the owner of that particular resource or object.
An effective authorization strategy limits each user's access to only those network resources
the user needs in order to perform his or her daily duties (the principle of least privilege).
You can therefore also think of authorization as the process of differentiating between
standard users, administrators, and guests. Individually assigning rights to users becomes
impractical in a large organization; creating groups and assigning rights to the groups is the
more feasible solution, because groups simplify access management.
Authorization practically occurs each time that a user who has passed authentication, attempts to
access the following objects or network resources:
• Active Directory directory service objects
• Files and folders
• Shared folders
• Network services
• Windows Management Instrumentation (WMI) objects
• Registry keys and values
• Terminal Services connections
Because of the diverse number of object types that typically exists in a network environment,
Windows Server 2003 attempts to simplify authorization management tasks. Assigning
permissions to each particular object type could become a cumbersome task. Windows Server
2003 utilizes a standard authorization model or strategy for all types of network objects. The
interface used to configure permissions for each type of object is very much the same as well.
The standard authorization model utilizes the following components to implement authorization:
• Access Control Lists (ACLs)
• Inherited permissions
• Standard Permissions
• Special Permissions
Understanding Access Control Lists (ACLs)
ACLs hold information on the users or groups that are allowed or denied access to a particular
object; in other words, the ACL identifies who can access the resource. The ACL of an object is
managed by the object's owner. An ACL contains access control entries (ACEs); each ACE either
grants or denies a set of permissions to a user or group. A user is granted access to an object
if an ACE explicitly allows the requested permissions to the user, or to a group of which the
user is a member. An ACE that explicitly denies the user, or one of the user's groups, takes
precedence over any allow entry for the same permission. When the ACL identifies neither the
user nor any of the user's groups, access is implicitly denied.
Access control lists (ACLs) consist of the following sets of permissions:
• NTFS permissions: applied to files and folders, and effective both locally and over the
network. It is generally recommended to use NTFS permissions to control user access to
files and folders.
• Share permissions: applied only to users who connect to a shared folder over the network.
When both apply, the more restrictive of the two results is the effective access. It is
recommended to keep share permissions at their default settings and to use NTFS
permissions to control user access to files and folders, because of the disadvantages
associated with share permissions, including the following:
• Share permissions are not stored with the folder, so they are not preserved when the
data is backed up and restored or moved.
• Any specified share permissions are lost if the folder is unshared.
• Share permissions cannot be inherited or audited.
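The ACE evaluation just described, including deny precedence, implicit deny and the combination of share and NTFS permissions, is shown in the following Python access check, added here as an example (it is not from the original text and not the Windows implementation). The rights bitmask, the trustees and the DACLs are constructed; real NTFS masks carry many more bits and trustees are SIDs. The block also implements the canonical ACE order Windows uses (explicit deny, explicit allow, inherited deny, inherited allow), because the check is first-match per right and a non-canonical order changes the result.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-mask bits for the example (real NTFS masks have many more)
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE


@dataclass
class ACE:
    kind: str              # "allow" or "deny"
    trustee: str           # user or group identifier (a SID in Windows)
    mask: int              # rights this entry grants or denies
    inherited: bool = False


def canonical_order(dacl: List[ACE]) -> List[ACE]:
    """Windows canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow.
    sorted() is stable, so entries of the same class keep their relative order."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.kind != "deny"))


def access_check(dacl: Optional[List[ACE]], token: Set[str], requested: int) -> bool:
    """True only if every requested right is granted before any deny of it is met.
    `token` is the set of identifiers (the user plus all group memberships) the logged-on user carries."""
    if dacl is None:
        return True                      # NULL DACL: no protection at all, everyone gets everything
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False                 # a deny covering any still-outstanding right ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                         # nothing granted the rest: implicit deny (an empty DACL too)


def network_access_check(ntfs_dacl, share_dacl, token: Set[str], requested: int) -> bool:
    """Over a share both lists apply, and the more restrictive result wins."""
    return access_check(share_dacl, token, requested) and access_check(ntfs_dacl, token, requested)


if __name__ == "__main__":
    alice = {"alice", "Users", "Everyone"}                     # constructed tokens
    bob = {"bob", "Users", "Contractors", "Everyone"}
    dacl = canonical_order([
        ACE("allow", "Users", READ | EXECUTE),
        ACE("allow", "alice", WRITE),
        ACE("deny", "Contractors", WRITE),
        ACE("allow", "Users", DELETE, inherited=True),
    ])
    share = [ACE("allow", "Everyone", READ)]                   # default share permission: Everyone Read
    print(access_check(dacl, alice, READ | WRITE))             # True
    print(access_check(dacl, bob, READ | WRITE))               # False: explicit deny on WRITE wins
    print(network_access_check(dacl, share, alice, WRITE))     # False: the share only allows READ
```

The canonical ordering is the part worth remembering: Windows tools always write DACLs in this order, but code that builds ACLs by hand (or merges inherited entries itself) can produce an allow-before-deny list in which the deny is never reached.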
Understanding Standard Permissions and Special
Permissions
When you configure the access control lists for the different object types, you can use standard
permissions and special permissions.
• Standard Permissions: Standard object permissions include the following permissions:
• Reading the object
• Reading the permissions of the object
• Modifying the object
• Modifying the permissions of the object
• Deleting the object
• Changing the owner of the object
• Special permissions: When you specify a standard permission, a set of special
permissions associated with the particular standard permission become available, and
enable you to more finely manage the access which the user has to the object.
The standard and special permissions which can be applied to files and folders are listed in the
following section.
• Standard Permissions for files and folders:
• Full Control; users can create and delete files and folders, and change the
permissions on files and folders.
• Modify; users can read, change, and delete files and folders.
• Read & Execute; users can read files, and execute applications attached to files.
• List Folder Contents; users can list the contents of a folder.
• Write; users can create files and folders.
• Read; users can read files, and view the contents of a folder.
• Special Permissions for files and folders:
• Traverse Folder/Execute File; Traverse Folder enables a user to traverse folders,
and Execute File enables users to run application files.
• List Folder/Read Data; List Folder permits/denies users to view the names of
subfolders and files, and Read Data allows users to read the file’s content.
• Read Attributes; permits/denies users to read the file/folder’s attributes.
• Read Extended Attributes; permits users to read the file/folder’s extended
attributes.
• Create Files/Write Data; Create Files allows users to create files in folders, and
Write Data permits users to change the current content of a file.
• Create Folders/Append Data; Create Folders allows users to create folders in
other folders, and Append Data allows users to implement changes at the end of a
file. Existing file content cannot however be overwritten.
• Write Attributes; allows/denies users to change the file/folder’s attributes.
• Write Extended Attributes; allows/denies users to change the file/folder’s
extended attributes.
• Delete Subfolders and Files; enables users to delete subfolders and files.
• Delete; enables users to delete files and folders.
• Take Ownership; allows for the taking of ownership of the file/folder.
• Read Permissions; allows the user to view the file/folder’s permissions.
• Change Permissions; allows the user to change the file/folder’s permissions.
How to view, configure, or change special permissions for files and folders
1. Open Windows Explorer.
2. Locate and right-click the file or folder, and then select Properties from the shortcut
menu.
3. When the Properties dialog box of the file or folder opens, click the Security tab.
4. Click the Advanced button.
○ If you want to configure a special permission for a user/group, click Add, and
then enter the name of the user/group in the Name box. Click OK.
○ If you want to view or change the special permissions for a user/group, select the
user/group, and then click View or Edit.
○ If you want to remove a user/group, and any associated special permissions,
simply select the user/group, and then click Remove.
5. If you are working with a folder, specify where the permission should be applied in
Apply Onto, on the Permission Entry dialog box.
6. Specify Allow or Deny for each particular permission.
7. Click OK.
The standard permissions which can be applied to shares are summarized below.
• Full Control; allows the user to read, write and change permissions on files and folders
included in the share.
• Change; allows users to read and write to files/folders contained by the share.
• Read; allows users to read the files/folders contained by the share.
How to set share permissions
1. Open the File Server Management console.
2. Select Shared Folder, and then access the Shares subfolder.
3. Locate and right-click the shared folder that you want to set permissions for, and select
Properties from the shortcut menu.
4. Click the Share Permissions tab.
5. Specify the appropriate share permissions.
6. Click OK.
The standard and special permissions which can be applied to Active Directory objects are
listed in the following section.
• Standard Permissions for Active Directory objects:
• Full Control; users can perform all actions (read, write, change permissions, and
so forth) on the particular Active Directory object.
• Read; users can read or view the permissions, properties and contents of the
Active Directory object.
• Write; users can change the properties of the Active Directory object.
• Create All Child Objects; users can create child objects in the container, if the
particular object is a container (organizational unit).
• Delete All Child Objects; users can delete child objects in the container, if the
particular object is a container (organizational unit).
• Special Permissions for Active Directory objects: There are a few special permissions
which you can specify for Active Directory objects on the Advanced Security Settings
dialog box for the object using the Active Directory Users and Computers console. For
instance, for the Create All Child Objects, and Delete All Child Objects standard
permission, you use special permissions to restrict the types of objects which the user can
create or delete.
How to assign standard permissions for an Active Directory object
1. Click Start, Administrative Tools, and Active Directory Users And Computers.
2. Advanced Features should be enabled. Verify this on the View menu.
3. Locate and right-click the Active Directory object which you want to assign permissions
for, and click Properties on the shortcut menu.
4. When the Properties dialog box of the object opens, click the Security tab.
5. Click Add.
6. When the Select Users, Computers, Or Groups dialog box opens, enter the name of the
user/group for which you want to configure permissions. Click OK.
7. Use the Allow and Deny checkboxes to add, change or deny permissions.
8. Click OK.
The standard and special permissions which can be applied to printers are summarized below.
• Standard Permissions for printers:
• Print; enables users to connect to a printer, and to transmit documents to the
printer for printing.
• Manage Printers; users can perform all administrative tasks on the printer. This
includes among other tasks, pausing and restarting the printer, changing printer
permissions, and changing the properties of the printer.
• Manage Documents; permits users to restart, cancel, pause, and rearrange the
order of documents submitted by other users to the printer.
• Special Permissions for printers: There are about 6 special permissions which can be
assigned to users for printers.
How to change the standard permissions configured on a printer
1. On the Start menu, access the Printers and Faxes folder.
2. Right-click the printer for which you want to change standard permissions, and click
Properties from the shortcut menu.
3. In the Properties dialog box of the printer, click the Security tab.
○ If you want to add a user/group to the list of users assigned permissions to the
printer, click Add, and enter the name of the user/group.
○ If you want to modify the current permissions for a user/group, select the
user/group, and then specify the permissions for the particular user/group.
○ If you want to remove a user/group, select the user/group, and then click Remove.
4. Click OK.
The standard and special permissions which can be applied to services are summarized below.
• Standard Permissions for services:
• Full Control; enables users to perform all functions on the particular service. This
includes among other activities, changing the permissions of the service, and
starting/stopping the service.
• Read; users are only permitted to view the permissions, status, and dependencies
of the service.
• Start, Stop, And Pause; enables a user to start, pause, or stop the service.
• Write; users are permitted to set whether the service should be started manually or
automatically when the server reboots.
• Delete; enables the user to delete the service.
• Special Permissions for services: As is the case with the other object types, there are over
10 special permissions which you can assign to users, for a service.
The standard and special permissions which can be applied to registry keys and values are
summarized below.
• Standard Permissions for registry keys and values:
• Full Control; enables users to create new registry keys or values, and to edit and
delete existing registry keys or values.
• Read; users can only view registry subkeys and values.
• Special Permissions for registry keys and values: There are over 10 special permissions
for registry keys and values which you can assign to users.
Understanding Explicit Permissions, Inherited Permissions and Effective Permissions
Permissions that are set directly on an object such as a folder, file, or Active Directory object
are called explicit permissions. In an effort to ease the administrative tasks necessary to assign
permissions, inherited permissions are used. Inherited permissions enable permissions to be
propagated from a parent object to child objects. The default configuration for inherited
permissions is that all newly created child objects automatically obtain the permissions specified
on the parent object. You can stop a child object from inheriting the permissions of a
parent object by clearing the Allow Inheritable Permissions From The Parent To Propagate To
This Object And All Child Objects checkbox.
Because a user can be assigned permissions from different sources, the effective permission is
cumulative: the permissions granted to the user directly and through every group the user
belongs to are combined. Each individual permission entry either allows or denies access to the
resource. In addition, a user can be a member of many different groups, and groups can be
nested within other groups. When determining the effective permissions of a user, all of these
sources have to be considered, bearing in mind that any denied permission always overrides
allowed permissions. This includes inherited permissions.
Deciding on the appropriate ACL access method to implement for controlling access to resources
If you are dealing with a small organization that has roughly ten users or fewer, you can implement
the User/ACL method to control access to resources. This method tends to work well only in
small organizations that need a small number of groups to manage resource access. In
large organizations, the User/ACL method has the following shortcomings:
• The ACLs would grow into unmanageable sizes, which would eventually lead to
degraded performance.
• Managing the User/ACL method in large organizations tends to lead to increased
administrative costs.
• Monitoring and troubleshooting user permissions to resources would be a time
consuming task.
• In large organizations, where user access requirements typically differ, an Administrator
would have to manually manage and change the rights for users who need additional
access to resources.
With the Account Group/ACL method for controlling access to resources, the global group in
which users are placed is added to the ACL. What this means is that permissions to resources are
assigned on a per-group basis. Using groups, you can configure the same permissions for all
users in the group that need to access the resources. This in turn leads to simpler management.
Global groups can also be added to the ACLs of any trusted domains. The Account Group/ACL
method also has a few limitations. These are detailed below.
• As the number of account groups added to a particular resource increases, administrative
tasks become more complicated to perform.
• Deciding on the proper permissions needed for each group can be an intricate task.
With the Account Group/Resource Group method of controlling access to resources, users who
have similar access requirements to resources are added to an account group. The Account
Group/Resource Group method is the most feasible method to control access to resources in
large organizations. The Account Group/Resource Group method has the following benefits:
• To provide groups with access to the required resources, you merely have to add the
necessary account groups into resource groups.
• You no longer need to change permissions for each group individually. All you have to
do is add the account group to the particular resource group which has desired
permissions.
• Account groups can be added to ACLs in trusted domains.
• The Account Group/Resource Group method provides improved flexibility over the
Account Group/ACL method and User/ACL method.
• The Account Group/Resource Group method also simplifies administration typically
needed to control access to resources.
Deciding on the appropriate Group strategy to implement for accessing resources
Groups assist in managing users, computers, and other objects; and in controlling access to
network objects or resources. The group scopes available in Windows Server 2003 are briefly
listed below.
• Global groups are used to group users or computers which belong to the same domain.
• Domain Local groups can include users from any domain in the forest, and are used to
control access to resources which reside in the same domain as the particular Domain
Local group.
• Universal groups can include users and groups from any domain in the forest. Universal
groups can be used to control access to resources that reside in any domain.
The strategy which Microsoft recommends for implementing a permission structure to control
access to resources is called AGDLP. This consists of the following steps:
1. Add domain users to global groups.
2. Add global groups to domain local groups.
3. Assign the domain local groups the permissions on the particular resource(s).
When including Universal groups, the permission structure is known as AGUDLP:
1. Add domain users to global groups.
2. Add global groups to universal groups.
3. Add universal groups to domain local groups.
4. Assign the domain local groups the permissions on the particular resource(s).
A few key factors to remember when nesting or combining groups are summarized below. While
nesting or combining groups can indeed significantly reduce network traffic and the
administrative overhead necessary to manage access to resources, you have to take time to plan
the group nesting strategy which you want to implement in your environment.
• When planning your group nesting strategy, remember the following:
• You can nest Domain local groups in other Domain Local groups.
• You cannot however nest Domain local groups in Global groups or Universal
groups.
• You can nest Global groups in Domain Local groups, Universal groups and in
other Global groups.
• Universal groups can be nested in other Universal groups.
• You can add Global groups to Universal groups.
• You cannot add Universal groups to Global groups.
• You should record or document the description of each group, and the functionality of
each group, so that you can readily access this information if you need to troubleshoot
permission issues.
• You should always strive to reduce the level of nesting required. Having the number of
nested groups at a maximum of two levels or three levels is ideal.
How to troubleshoot authorization problems
Troubleshooting simple authorization issues typically involves the following process:
1. Determine the effective permissions of the user for the particular object.
2. Examine the effective permissions, and then assign the user, or the group to which the
user belongs, the permissions necessary to perform the required tasks.
To determine the effective permissions of a user,
1. Examine the permissions of the particular object.
2. Select the Advanced button.
3. When the Advanced Security Settings dialog box opens, click the Effective Permissions
tab.
4. Click Select, and in the Select User, Computer, Or Group dialog box, enter the user’s
name for which you want to determine effective permissions. Click OK.
5. Proceed to examine the permissions that the user has, and compare this to the permissions
that the user requires. Click OK.
6. You can now assign any other necessary permission to the user.
For complex authorization problems, where it is more difficult to determine which Active
Directory object, service, file, or registry value an application is attempting to access, you
can enable and use failure auditing to determine which objects the application or user is
unsuccessfully trying to access.
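The group nesting rules, the cumulative "deny overrides allow" rule for effective permissions, and the effective-permissions check in the troubleshooting steps above, as an added example that is not part of the original text: a small Python model with constructed user, group and ACE names (the expansion of standard permissions into special permissions is simplified and leaves out the Synchronize right).

```python
# Added example (not from the original text): an in-memory model of group
# scopes, the nesting rules listed above, nested membership expansion and
# effective permissions with "deny overrides allow". All user, group and ACE
# names are constructed for illustration.
from dataclasses import dataclass, field

# Special permissions that each standard NTFS permission expands to
# (simplified: the Synchronize right is left out).
READ = frozenset({"List Folder/Read Data", "Read Attributes",
                  "Read Extended Attributes", "Read Permissions"})
WRITE = frozenset({"Create Files/Write Data", "Create Folders/Append Data",
                   "Write Attributes", "Write Extended Attributes"})
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files", "Change Permissions",
                         "Take Ownership"}
STANDARD = {"Read": READ, "Write": WRITE, "Read & Execute": READ_EXECUTE,
            "Modify": MODIFY, "Full Control": FULL_CONTROL}

# Nesting rules from the text: the scopes a group of a given scope may be nested in.
CAN_NEST_IN = {"domain_local": {"domain_local"},
               "global": {"global", "universal", "domain_local"},
               "universal": {"universal", "domain_local"}}


def can_nest(child_scope, parent_scope):
    """True when a group of child_scope may be a member of a parent_scope group."""
    return parent_scope in CAN_NEST_IN[child_scope]


class NestingError(ValueError):
    """A group was nested in a scope that does not allow it."""


@dataclass
class Group:
    name: str
    scope: str
    members: set = field(default_factory=set)   # user names and group names


class Directory:
    def __init__(self):
        self.groups = {}

    def add_group(self, name, scope):
        self.groups[name] = Group(name, scope)

    def add_member(self, group, member):
        """Add a user or a group to a group, enforcing the nesting rules."""
        parent, child = self.groups[group], self.groups.get(member)
        if child is not None and not can_nest(child.scope, parent.scope):
            raise NestingError(f"{child.scope} group {member!r} cannot be "
                               f"nested in {parent.scope} group {group!r}")
        parent.members.add(member)

    def memberships(self, user):
        """Every group the user belongs to, directly or through nesting."""
        found, pending = set(), [user]
        while pending:
            principal = pending.pop()
            for g in self.groups.values():
                if principal in g.members and g.name not in found:
                    found.add(g.name)
                    pending.append(g.name)
        return found


@dataclass
class ACE:
    trustee: str            # user or group name on the ACL
    kind: str               # "allow" or "deny"
    standard: str           # a key of STANDARD
    inherited: bool = False


def effective_permissions(acl, user, directory):
    """Cumulative allows from the user and every group the user is in, minus
    every deny; a deny wins whether it is explicit or inherited."""
    principals = {user} | directory.memberships(user)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.kind == "allow" else denied).update(STANDARD[ace.standard])
    return frozenset(allowed - denied)


def agdlp(directory, users, global_group, domain_local_group):
    """AGDLP: users -> global group -> domain local group, which is the
    trustee named in the ACE on the resource."""
    directory.add_group(global_group, "global")
    directory.add_group(domain_local_group, "domain_local")
    for user in users:
        directory.add_member(global_group, user)
    directory.add_member(domain_local_group, global_group)


def demo():
    """alice and bob get Modify through AGDLP; bob is also in a contractor
    group that carries an inherited deny on Write, and the deny wins."""
    d = Directory()
    agdlp(d, ["alice", "bob"], "G_Sales", "DL_SalesData_Modify")
    d.add_group("G_Contractors", "global")
    d.add_member("G_Contractors", "bob")
    acl = [ACE("DL_SalesData_Modify", "allow", "Modify"),
           ACE("G_Contractors", "deny", "Write", inherited=True)]
    return {u: effective_permissions(acl, u, d) for u in ("alice", "bob")}
```

Calling demo() returns each user's effective special permissions: alice keeps the full Modify set, while bob loses the four Write special permissions but keeps Read & Execute and Delete.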
To enable failure auditing,
1. Log on to the appropriate system or domain controller.
2. Click Start, Administrative Tools.
3. If you are logged on to a member server, or standalone server, click Local Security
Policy.
4. If you are logged on to a domain controller, click Domain Controller Security Policy.
5. Proceed to expand Local Policies. Click Audit Policy.
6. For Active Directory object access problems, double-click Audit Directory Service
Access.
7. For other object types, double-click Audit Object Access.
8. Record the existing settings so that you can restore them after you have finished
troubleshooting the authorization problem at hand.
9. Select Define These Policy Settings, and select Failure.
10. Click OK.
Now that you have enabled failure auditing for either the Audit Directory Service Access policy
or the Audit Object Access policy, the next step in troubleshooting the authorization
problem is to enable auditing for the particular resource(s).
You can enable auditing for the files and folders object type by using the following steps:
1. Open Windows Explorer.
2. Locate and right-click the file or folder which you want to enable auditing for, and then
select Properties from the shortcut menu.
3. When the Properties dialog box of the file/folder opens, click the Security tab, and then
click Advanced.
4. Click the Auditing tab.
5. Record the current auditing settings, so that you can reconfigure them after you have
completed troubleshooting the authorization problem.
6. Click Add.
7. Enter the name of the particular user experiencing the problem in the Select User Or
Group dialog box. Click OK.
8. When the Auditing Entry dialog box appears, click the Failed checkbox for Full Control.
This automatically checks all other Failed checkboxes. Click OK.
9. An event will now be logged in the Security event log whenever the particular user is
denied access to the resource.
10. You can analyze these failure events using Event Viewer.

Defining a Baseline Security Template


Security Templates Review
A security template is a collection of security configuration settings that can be applied to a
domain controller, member server or a workstation. The settings within a security template
control the security configuration of a computer through both local policies and group policies. A
security template can be applied to a local computer, or incorporated into a Group Policy object
in Active Directory. You can manage one computer or multiple computers through the security
settings contained within a security template. For computers that do not belong to an Active
Directory domain, you can use the Security Templates snap-in and the Security Configuration
and Analysis feature to both create and apply security templates to specific computers. Security
templates can be used to apply a number of security policies and also customize a number of
security policies to suit the security requirements of your organization.
Windows Server 2003 includes predefined security templates that hold security settings for
different levels of security. The security level is determined by the type of server that the
template is applied to.
The Security Template areas where you can configure security for Windows 2000, Windows XP,
and Windows Server 2003 networking environments are listed here:
• Account policies. The Account Policies area is associated with policies that are connected
to user accounts.
• Local policies. Local policies deal with who has local access or network access to the
computer. It also includes the manner in which events are audited.
• Event log. This includes settings that indicate the manner in which Application logs,
Security logs, and System logs perform, when the logs are overwritten, and how long
logs are kept. You can view Event logs in the Event Viewer tool.
• Restricted groups. Restricted groups are used to add members to built-in user groups.
Built-in user groups consist of Administrators, Backup Operators and Power Users.
• System services. System Services include security settings of the system services (file,
network, print) on the local computer.
• Registry. Registry includes settings for registry keys.
• File System. File System is used to set access permissions for the directories and files on
the local system.
There are a number of predefined security templates as well:
• setup security.inf; contains the default security settings created by the Windows Server
2003 Setup program when a computer is installed.
• Compatws.inf; enables most types of applications to run. All members of the Power Users
group on computers running Windows Server 2003 are removed, and security is relaxed to
enable applications to run without errors.
• DC security.inf; defines default system services settings, default security settings, and file
system and Registry settings for a domain controller.
• hisecdc.inf is a highly secure template which contains security settings for domain
controllers. The hisecdc template provides NTLM version 2 and applies Registry and file
security. The hisecdc template disables all additional services and removes all members
from the Power Users group.
• hisecws.inf is a highly secure server or workstation template which contains security
settings for workstations. The hisecws template applies security settings to servers and
workstations, which are similar to those applied in the hisecdc template to domain
controllers.
• securedc.inf; contains security settings for domain controllers and maintains
compatibility with most functions and applications. The securedc template includes
enhanced security options, auditing policies, and includes restrictions for anonymous
users.
• securews.inf; contains enhanced security settings for workstations and member servers
that are not domain controllers. The template maintains compatibility with most functions
and applications. The securews template includes enhanced security options and auditing
policies.
• Rootsec.inf; contains the default file system permissions that can be applied as the root
permissions to the system drive of a computer.
• iesacls.inf; includes settings that can be utilized to audit registry settings that control
Internet Explorer security.
You can use the Security Templates snap-in to create a security template file which can be
deployed or used with any of these methods:
• The text security template file can be imported to the Security Settings extension to
configure security policy for the local computer, Active Directory domain, or Active
Directory organizational unit (OU).
• The Secedit.exe command-line tool can be used to apply a security template as well.
• The Security Configuration and Analysis snap-in can be used to analyze system security
based on the settings within the security template.
To create a new security template
1. First create an MMC console and add the Security Templates snap-in to it.
2. Open the Security Templates management console.
3. Proceed to expand the Security Templates node.
4. Right-click the Security Templates node and then select New Template Search Path from
the shortcut menu.
5. Enter the location which will be used to store your new security template. Click OK.
6. Now, right-click the security template search path, and then click New Template from the
shortcut menu.
7. Enter a name and description for the new security template.
8. Click OK.
9. You should now edit your new security template. Through the Security Templates snap-
in, you can add security policies to the template.
To customize an existing security template
1. First create an MMC console and add the Security Templates snap-in to it.
2. Open the Security Templates management console.
3. Proceed to expand the Security Templates node.
4. Select the default path folder.
5. Right-click the security template you want to change in the right pane.
6. Click Save As.
7. Enter a name for the security template.
8. Click Save.
9. The security template you have just created is displayed in the right pane.
10. Double-click the new security template to change the security settings.
11. To change a setting, right-click the appropriate attribute, and then select Properties from
the shortcut menu.
Defining Baseline Security Templates
You can use the Security Configuration And Analysis console included in Windows Server 2003
to define a baseline security template. The Security Configuration And Analysis console utilizes
a database specific to the computer to analyze computer security.
The features of Security Configuration And Analysis allow you to perform a number of activities
and functions to define a baseline security template, including the following:
• Create your own databases to store customized security templates.
• Analyze security and view results, and sort out any detected discrepancies revealed by the
security analysis.
• Overwrite existing security templates.
• Add new security templates to the database.
• Import and export security templates.
• Combine multiple security templates into one multipart security template.
The typical activities which you need to perform to define a baseline security template through
the Security Configuration and Analysis console are listed here:
• Create a security database.
• Import a security template into your security database.
• Analyze security.
• View the results of the security analysis.
• Resolve security discrepancies - configure system security.
• Export the settings of the security database to a security template.
A few best practices for using the Security Configuration and Analysis feature are listed here:
• To prevent settings implemented through the Security Configuration And Analysis tool
from overriding local Group Policy settings, only use the Security Configuration And
Analysis tool to configure security settings for system services, local files/folders, and
registry keys.
• You should not use the Security Configuration And Analysis feature to configure domain
or organizational unit security. You should rather use either of these methods:
○ Create a security template through the Security Templates snap-in, and apply it to
the suitable Group Policy Object (GPO).
○ The Security Settings extension to Group Policy should be used to change any
specific security settings on a particular GPO.
• You should use the Secedit command-line tool to analyze a large number of computers.
To add the Security Configuration And Analysis console to an MMC
1. Click Start, Run, and enter mmc in the dialog box. Click OK.
2. Using the Console menu, click Add/Remove Snap-In, and then click Add.
3. When the Add Standalone Snap-In dialog box opens, select the Security Configuration
And Analysis feature, and then click Add.
4. Click Close. Click OK.
5. Using the Console menu, click Save and enter a name for the console.
6. Click Save.
7. The Security Configuration And Analysis console can now be accessed from the
Administrative Tools menu.
How to create a security database
Before you can analyze system security and define a baseline security template, you first have to
create a security database:
1. Open the Security Configuration And Analysis console.
2. Right-click Security Configuration And Analysis, and then select Open Database from
the shortcut menu.
3. When the Open Database dialog box opens, enter the name of the file in File Name, and
then click Open.
4. When the Import Template dialog box opens, choose the security template that should be
imported into the new security database.
5. Click Open.
How to analyze system security settings
1. Open the Security Configuration And Analysis console.
2. You need to have already created the security configuration and analysis database.
3. Right-click Security Configuration And Analysis and then select Analyze Computer Now
on the shortcut menu.
4. When the Perform Analysis dialog box opens, verify that the path specified for the log
file is correct.
5. Click OK to start the analysis of the computer.
How to view the security analysis results
1. Open the Security Configuration And Analysis console.
2. Expand the Security Configuration And Analysis node, expand the appropriate security
policies node such as Account Policies or Local Policies, and then select the policy whose
results you want to examine.
3. The analysis results are displayed in the details pane of the Security Configuration And
Analysis console, together with flags that indicate whether issues were detected or not.
4. The columns displayed in the details pane of the Security Configuration And Analysis
console are:
○ Policy column; contains the policy name for the results.
○ Database Setting; contains the value within the security template.
○ Computer Setting; displays the security setting configured for the system.
5. The different flags which can be displayed are:
○ Red X; signifies a disparity from the security database.
○ Green checkmark; signifies consistency with the security database.
○ Red exclamation; signifies an entry which was specified in the security database,
but which does not exist in the system which was analyzed.
○ Black question mark; signifies an entry which was not specified in the security
database. The item was therefore not included in the analysis.
○ No icon; signifies a policy that was not in the template.
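The analysis described above, as an added example that is not the console's own code: it parses a constructed security template in .inf form, compares it with a constructed set of current computer settings, assigns each policy one of the flags listed, and then applies the same data to the Configure Computer Now and Export Template actions. The section and policy names follow the layout of the predefined .inf templates; the values and the log-line wording are chosen for this example.

```python
# Added example (not the console's own code): parse a security template in
# .inf form, compare it with a computer's current settings and assign each
# policy the flag the Security Configuration And Analysis details pane shows.
# Template text and computer settings are constructed samples.
import configparser

# Constructed template; section and policy names follow the layout of the
# predefined .inf templates, the values are chosen for this example.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditObjectAccess = 2
AuditDSAccess = 2
"""

# Constructed current state of the analyzed computer: section -> policy -> value.
COMPUTER = {
    "System Access": {"MinimumPasswordLength": "8", "PasswordComplexity": "0",
                      "MaximumPasswordAge": "42"},
    "Event Audit": {"AuditObjectAccess": "0"},
}

ANALYZED_SECTIONS = ("System Access", "Event Audit")
MISMATCH, CONSISTENT = "red X", "green checkmark"
MISSING_ON_SYSTEM, NOT_IN_DATABASE = "red exclamation", "black question mark"


def parse_template(text):
    """Return {section: {policy: value}} for the sections that are analyzed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep the case of policy names
    cp.read_string(text)
    return {s: dict(cp[s]) for s in ANALYZED_SECTIONS if cp.has_section(s)}


def analyze(database, computer):
    """Classify each policy with the flags described above:
    (section, policy) -> (database value, computer value, flag)."""
    results = {}
    for section in ANALYZED_SECTIONS:
        db, current = database.get(section, {}), computer.get(section, {})
        for policy in sorted(set(db) | set(current)):
            if policy not in db:
                flag = NOT_IN_DATABASE      # not part of the analysis
            elif policy not in current:
                flag = MISSING_ON_SYSTEM
            elif db[policy] == current[policy]:
                flag = CONSISTENT
            else:
                flag = MISMATCH
            results[(section, policy)] = (db.get(policy), current.get(policy), flag)
    return results


def mismatch_log(results):
    """Log lines for the mismatches (constructed wording, one per discrepancy)."""
    return [f"Mismatch - {section}\\{policy}: database={want} computer={have}"
            for (section, policy), (want, have, flag) in results.items()
            if flag == MISMATCH]


def configure_computer(database, computer):
    """'Configure Computer Now': apply every database setting to the system;
    settings the database does not define are left as they are."""
    configured = {section: dict(values) for section, values in computer.items()}
    for section, policies in database.items():
        configured.setdefault(section, {}).update(policies)
    return configured


def export_template(database):
    """'Export Template': write the database back out in .inf form."""
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"',
             "Revision=1"]
    for section, policies in database.items():
        lines.append(f"[{section}]")
        lines.extend(f"{policy} = {value}" for policy, value in policies.items())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    database = parse_template(TEMPLATE_INF)
    for (section, policy), (want, have, flag) in analyze(database, COMPUTER).items():
        print(f"{flag:<20} {section}\\{policy}: database={want} computer={have}")
    print("\n".join(mismatch_log(analyze(database, COMPUTER))))
```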

How to examine the Security Analysis log file


1. Open the Security Configuration And Analysis console.
2. Right-click Security Configuration And Analysis and then select View Log File from the
shortcut menu.
3. Any discrepancies between the security template and the existing security settings on the
computer are specified as a mismatch.
How to export the security database settings to a security template
1. Open the Security Configuration And Analysis console.
2. Right-click Security Configuration And Analysis and then select Export Template on the
shortcut menu.
3. The Export Template To dialog box opens.
4. Enter a name for the file in the File Name box.
5. In the Save In box, enter the path where the template should be saved.
6. In the Save As Type list, select the type of file which should be saved.
7. Click Save.
How to resolve security configuration discrepancies
There are a number of options which you can consider to resolve security discrepancies detected
from the security analysis:
• Edit the security database to reflect the existing system security configuration.
• Import a more suitable template to the security database, and use this template as the
baseline security template for the system.
• Set existing system security to reflect the settings within the security database.
To edit the security database to reflect the existing system security configuration,
1. Open the Security Configuration And Analysis console.
2. In the details pane of the console, double-click the particular security setting that you
want to change.
3. Enable the Define This Policy In The Database checkbox.
4. Specify the security value which should be reflected in the security database.
5. Click OK.
To import a more suitable template to the security database,
1. Open the Security Configuration And Analysis console.
2. Right-click Security Configuration And Analysis and then select Open Database from the
shortcut menu.
3. When the Open Database dialog box opens, select the security database that the security
template should be imported to, and then click Open.
4. Right-click Security Configuration And Analysis in the left pane again and then select
Import Template from the shortcut menu.
5. When the Import Template dialog box opens, select the security template file which you
want to import.
6. Click Open.
To configure system security to match the security configuration and analysis database,
1. Open the Security Configuration And Analysis console.
2. The security database should be set already.
3. Right-click Security Configuration And Analysis and then select Configure Computer
Now from the shortcut menu.
4. The Configure System dialog box opens.
5. In the Error Log File Path box specify the path for the Security Analysis log file.
6. Click OK.
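The procedures above can also be scripted. The following PowerShell script is an added example, not part of the original text: it runs the same analyze, export and configure cycle through secedit.exe, the command-line counterpart of the console. The C:\SecAudit folder and the baseline.inf file name are assumptions.

```powershell
# Added example (not from the original text): analyze, export and configure
# with secedit.exe instead of the Security Configuration And Analysis console.
# Assumed (hypothetical) paths: C:\SecAudit exists, and baseline.inf is the
# template chosen as the baseline (for example a copy of securews.inf).

$WorkDir  = 'C:\SecAudit'
$Database = Join-Path $WorkDir 'server.sdb'
$Baseline = Join-Path $WorkDir 'baseline.inf'
$Exported = Join-Path $WorkDir 'exported.inf'
$Log      = Join-Path $WorkDir 'analysis.log'

# Step 1: load the baseline template into the database and analyze the local
# computer against it. /overwrite discards settings already in the .sdb so the
# database reflects the template only; /quiet suppresses the confirmation prompt.
secedit /analyze /db $Database /cfg $Baseline /overwrite /log $Log /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /analyze failed with exit code $LASTEXITCODE"
}

# Step 2: the log records every setting where the template and the computer
# disagree as a mismatch. Pull those lines out so they can be reviewed, or
# collected centrally from many servers, without opening the console.
$Mismatches = @(Get-Content -Path $Log | Where-Object { $_ -match 'Mismatch' })
Write-Host ("{0} setting(s) differ from the baseline:" -f $Mismatches.Count)
$Mismatches | ForEach-Object { Write-Host "  $_" }

# Step 3: export the database contents to a template file. This is the
# command-line equivalent of Export Template and gives you a copy of the
# baseline (plus any database edits) to keep under change control.
secedit /export /db $Database /cfg $Exported /log $Log /quiet

# Step 4: configure the computer to match the database (Configure Computer Now).
# This changes live security settings, so it is gated behind an explicit flag:
# review the mismatch list first, then set $ApplyChanges to $true and rerun.
$ApplyChanges = $false
if ($ApplyChanges) {
    secedit /configure /db $Database /log $Log /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /configure failed with exit code $LASTEXITCODE"
    }
}
```

Run the script from an elevated command prompt on the server being assessed; the log it leaves behind is the same file the View Log File menu item opens.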
Troubleshooting Security Configuration And Analysis
A few typical issues encountered when using Security Configuration And Analysis are listed
here, together with a few recommendations for resolving the issues:
• If a particular security policy is not propagating as it should, use the RSoP feature to
determine which GPO is relevant for the computer. Then, use the log file to identify the
specific issues which happened when the security policy was propagated.
• If you suspect that the Security Configuration and Analysis database is corrupt, first run
esentutl /g to determine whether the database is corrupt. Next, perform either of these actions
to resolve the issue:
○ Run esentutl /r on the %Systemroot%\Security folder to recover the Security
Configuration and Analysis database.
○ Run esentutl /p on %Systemroot%\Security\Database\Secedit.sdb to repair the
security database. You then have to manually delete the log files in the
%Systemroot%\Security folder.

Designing Network Infrastructure Security


Network Infrastructure Security Overview
Network infrastructure refers to the grouping of physical hardware and logical components
which are needed to provide a number of features for the network, such as connectivity, routing
and switching capabilities, network security, and access control. The physical infrastructure of
the network refers to the physical design of the network together with the hardware components.
The logical infrastructure of the network consists of all the software components required to
enable connectivity between devices, and to provide network security. The network's logical
infrastructure consists of software products and networking protocols and services.

While Windows Server 2003 provides a number of features and tools when you install it on a
computer, you have to implement additional features and functionality on a server to provide
the services and capabilities required by the organization and its users.
There are a number of different risks that have an impact on an organization. Some of the
primary threats which you should address are listed here:
• Environmental threats pertain to both environmental disasters and disasters
due to human intervention. Examples of environmental threats are fires,
earthquakes, storms, faulty wiring, and so forth.
• Accidental threats relate to threats which are caused without malicious
intent. Accidental risks occur when an employee accidentally deletes
important files, or modifies data that should not have been changed.
• Deliberate threats relate to threats which are caused with malicious intent as
the primary objective. Examples of deliberate threats are viruses, Trojan
horses, and all other network attacks caused by hackers and intruders.
A typical security life cycle consists of the following processes:
• Determining and designing the security infrastructure: The design phase of
the security life cycle includes elements such as identifying the resources of
the organization that need to be secured, and then designing the security
infrastructure to protect these resources. The security design team should be
accountable for creating and designing security policies for the organization.
• Deploying and implementing security features and security policies: The
security design team should also be responsible for implementing security
features and security policies.
• Continually managing the security solution: All security software should be
upgraded as necessary, and audit logs should be regularly examined.
A number of common steps or processes have to be completed to design network infrastructure
security:
• Determine the security requirements of the organization.
• Plan network security which should be implemented.
• Establish and create secure boundaries.
• Implement security technologies for the network.
• Implement server security technologies.
• Implement application security technologies.
• Implement user security technologies.
• Implement an auditing strategy.
• Implement a network monitoring strategy.
A few methods of securing your network infrastructure are listed here:
• Physically secure all mission-critical network servers: A few guidelines and
recommendations for implementing physical security are detailed below:
○ All servers should be secured in a locked server room.
○ Only those individuals that need access should be permitted to access
the server room using a key or security code. You can also implement
a mechanism that monitors who enters and leaves the server room.
○ All hubs, routers and switches should be placed in a wiring closet, or in
a locked cable room.
○ You should use case locks on your servers. You can also install case
locks on other systems that can be physically accessed.
○ You should restrict access to the floppy drive as well.
○ Set a BIOS password on all systems. This would prevent an
unauthorized person from accessing the BIOS.
○ You should change the operating system selection timeout interval to 0
in order for Windows to boot automatically.
○ When you are setting up Windows, disconnect the server from the
Internet.
○ Install Windows operating systems to a NTFS partition.
○ Ensure that you use a strong local administrator password during
setup.
• Using the NTFS file system and its security features.
• Using the Encrypting File System (EFS).
• Securing network access points.
• Enforcing user authentication.
• Securing network access.
• Enforcing the use of strong passwords.
• Securing confidential network service data as it moves over the network.
• Securing confidential application data as it moves over the network.
• Securing confidential user data as it moves over the network.
Each Windows server operating system provides different features, and different security
configurations which can be enabled to enhance network security and server security. Before
deciding on the operating system to utilize, you have to know which security features are
required for your network design, as determined by the organization's requirements.
Most organizations use a security design committee or team to determine the security needs of
the organization and to deploy security policies which can meet these requirements.
The members of the network security design committee should be knowledgeable on a number
of factors, including the following:
• The mission critical resources of the organization.
• The security weaknesses or vulnerabilities of the organization.
• The threats to which the mission critical resources of the organization are
exposed.
• The resources which are mainly at risk.
• The loss to the organization should particular resources of the organization
be compromised.
• The level of security needed to secure the organization's resources.
• The security features and security policies which can be used to secure the
resources of the organization.
• The security features and security policies which are ideal to secure
particular resources.
• The impact of implementing security features and security policies on
employees, users and administrators.
• The requirements for deploying identified security solutions.

Finding the Balance between Security and Usability


One of the trickiest challenges of designing network infrastructure security is to establish a
balance between security and usability. The network has to be secure so that valuable network
resources can be protected, but it also has to allow a sufficient degree of usability. Networks
that are too secure, or that have an exceptionally high level of security, can end up having low
levels of usability. This typically leads to users not being able to access network resources and
services. On the other hand, a network that has an exceptionally low level of network security
has a correspondingly higher level of vulnerability to network attacks and data corruption.
To find a balance between security and usability, the following approach is recommended:
• Determine the risks to which the network and its data are exposed, and then
establish the level of security needed to reduce and protect against these
risks: This would typically involve an assessment of the physical security of
your network infrastructure:
○ Assessing whether the physical building is secured.
○ Assessing whether the network location is secured.
○ Determining whether access to the physical building is access
controlled.
○ Determine the impact of data being compromised.
• Determine which data is valuable and mission critical data: Valuable and
mission critical data would typically include usernames and passwords,
confidential customer information, company financial and legal information,
and so forth. As mentioned previously, one of the challenges you face when
designing network infrastructure security is to find a balance between
security and usability. You also need to find a balance between securing
valuable or mission critical data and performance of the network. For each
traffic class that should be secured, an additional layer of processing is added
to the actual processing of IP packets. This makes the process of identifying
valuable and mission critical data a bit more complicated. You need to find an
acceptable balance between applying too much security and applying too
little security.
• Determine which security policies need to be implemented. You should only
attempt to determine the security policies that need to be implemented after
you have determined the risk that the network and its data is exposed to,
and the data that is considered valuable and mission critical data. The
security policies that you identify should be based on all of this previously
collected information. Windows Server 2003 and the IPSec framework specify
three levels of security. IPSec is a framework of open standards which can be
used to encrypt TCP/IP traffic. IPSec works by encrypting the information
contained in IP datagrams through encapsulation. This in turn provides
network level data integrity, data confidentiality, data origin authentication,
and replay protection. To secure data moving over the intranet, extranet, and
Internet, IPSec can be used. The three levels of security specified by Windows
Server 2003 and the IPSec framework are listed here:
○ Minimum security level: This is the default level of security. The
minimum security level has the following characteristics:
 The system and its data are exposed to low risk rather than to
substantial risk.
 IPSec is not implemented.
 No confidential or valuable data is exchanged.
○ Standard security level: The standard security level has the following
characteristics:
 There are a number of computers and servers that store mission
critical, sensitive data. These servers need to be secured.
 Windows Server 2003 utilizes security policies to secure
valuable data. The Client (Respond Only) and Server (Request
Security) policies can be utilized to secure data.
○ High security level: The high security level has the following
characteristics:
 There are a number of computers and servers that store highly
sensitive data. These servers need to be highly secured.
 All communication has to be secured.
 The Windows Server 2003 Secure Server (Require Security)
policy can be used to provide the highest level of security to
secure data.
• Identify the optimal method of implementing security policies: There are
a number of methods which can be used to implement security policies. The
recommended method is through IPSec policies that comprise a number of
IPSec rules. An IPSec rule contains the following components:
○ A filter list.
○ A filter action.
○ An authentication method.
○ A connection type.
○ A tunnel configuration
When you configure and manage IPSec policies, you would basically be configuring a
number of aspects of IPSec policies:
○ Assign the predefined default IPSec policies OR
○ Create customized IPSec policies that include customized IPSec rules
and filters.
○ Control how IPSec policies are applied.
○ Apply IPSec policies at different levels on the network. IPSec policies
can be applied at the following levels within a network:
 Active Directory domain
 Active Directory site
 Active Directory organizational unit
 Computers
 Applications
• Implement security technologies and management requirements: You have
to ensure that these technologies are both implemented and available. Active
Directory was an important feature introduced in Windows 2000 because it
brought about a few important domain structural changes. Domains in Active
Directory use the DNS domain naming structure rather than the NetBIOS
naming structure used in Windows NT domains. Because of DNS, Active
Directory domains are structured in a hierarchical model. A domain tree is a
hierarchically structured group of domains with a contiguous namespace,
while a grouping of trees with noncontiguous namespaces is called a forest.
Active Directory should be deployed to ensure that the network infrastructure
is as secure as possible. Active Directory enables you to perform policy-based
administration through Group Policy. Through group policies, you can deploy
applications and configure scripts to execute at startup, shutdown, logon, or
logoff. You can also implement password security, control certain desktop
settings, and redirect folders. With Active Directory, permissions control
access to resources, while user rights define what actions users can perform.
Security groups are considered security principal accounts because they can
contain user accounts. It is the security principal accounts that are used in
authentication and access control. The security settings of a security
principal account control whether the user, group, or computer is authorized
to access the following:
○ Active Directory
○ Domain controllers
○ Member servers
○ Client computers
○ Applications
○ Printer and file system objects
○ Other network components
• You can apply standard permissions or special permissions to Active
Directory objects. Access control and authentication are extremely important
components in Active Directory security. Domain and forest functional levels
provide the means by which you can enable additional domain-wide and
forest-wide Active Directory features, remove outdated backward
compatibility within your environment, and improve Active Directory security.
An organizational unit (OU) is a container that is used to organize Active
Directory objects into logical administrative groups. An OU enables you to
apply security policies, deploy applications, delegate administrative control
for Active Directory objects, and to run scripts. A good security management
strategy would be to group computers that have similar roles into Active
Directory OUs. You can then apply IPSec policies and security templates to all
the computers located within the OU.
• Implement a secure, yet simple method for users to access the necessary
resources: As mentioned previously, you have to determine the balance
between securing valuable data and allowing authorized users to access the
necessary resources. The higher the level of security, the slower the response
times users experience. Using group policies to control security policies, and
using IPSec and smart cards are options that should be explored.

Determining Security Requirements of the Organization


To determine the security requirements of the organization, you have to include a number of
business factors:
• The business model that the organization uses greatly influences the type of
security an organization implements. An organization that has world-wide
branches would have different security requirements to a business that has a
single office.
• To successfully implement security, you have to know how business
processes within the organization work. You have to ensure that security
does not prevent business processes from being carried out.
• As the business grows, the security policies and processes must be able to
accommodate that growth.
• Determine the risk tolerance of the organization. The level of risk tolerance
would differ between organizations.
• Determine whether there are any laws and regulations that the organization
has to adhere to. This is especially important when you draw up the security
design.
• The management strategy being used should be included as well.
Organizations can use either a centralized management strategy or a
decentralized management strategy.
• The existing security policies and procedures should be included when you
define the security requirements of the organization.
• The financial stance of the organization would also influence which security
design is implemented.
Assessing the existing security processes and security policies would typically involve
determining what the current security processes and security policies are, and whether these can
be improved to meet the security requirements of the organization.
There are a number of recommendations which you can use to match the business requirements
to the security plan:
• If the organization uses business processes:
○ You should determine how these business processes flow and how the
data associated with these processes flow.
○ You should determine the users that need to access services used in
the business processes.
• If the organization uses a centralized management strategy:
○ You should minimize the number of domains
○ Include the management of administrative group membership.
• If the organization uses a decentralized management strategy:
○ You should determine the rights that users require.
○ You should determine whether users need administrative abilities on
the network, and if yes, determine who those users are.
• If the risk tolerance level of the organization indicates an aversion to risk:
○ You should determine the risks that the organization is not prepared to
tolerate.
○ Identify the actions which are necessary should the risk become a
reality, and then include this in the security plan.
• If the organization expects business growth over the next several years:
○ You should try to estimate how many users and computers will be
needed to provide for future business expansion.
○ Try to determine how the business will be geographically dispersed.

Designing Security based on Technical Requirements


There are also a number of technical requirements, which could have an impact on your security
plan, that have to be met. The common technical requirements are listed here:
• How users and computers are distributed has a direct impact on how security
is implemented for an organization. The distribution and size of these
resources would impact:
○ How Active Directory sites are defined.
○ How Active Directory domains and organizational units are defined.
• Before network infrastructure security can be implemented, the organization
has to determine the levels of performance that have to be maintained. For
instance, deploying additional authentication methods and implementing
encryption technologies affect performance levels.
• The methods in which data is accessed would affect the security plan. You
should include all the components used to access data:
○ Users
○ Computers
○ Protocols
○ Services
○ Applications
• How remote branches access the corporate network also has an impact on
the security plan. Dedicated network links or virtual private networking can be
used to enable connectivity to the corporate network. Your security plan
should include the level of encryption that is required for WAN links.

IPSec Fundamentals Summary


IPSec is a framework of open standards for encrypting TCP/IP traffic within networking
environments. IPSec works by encrypting the information contained in IP datagrams through
encapsulation to provide data integrity, data confidentiality, data origin authentication, and
replay protection. IPSec uses cryptography to provide authentication, data integrity, and data
confidentiality services.
IPSec uses the Authentication Header (AH) protocol and Encapsulating Security Payload (ESP)
protocol to provide data security on client computers, domain servers, corporate workgroups,
LANs, WANs and remote offices. The Authentication Header (AH) protocol provides data
authentication and integrity, and can be used on its own when data integrity and authentication
are important to the organization but confidentiality is not. The AH protocol does not provide for
encryption, and therefore cannot provide data confidentiality. The Encapsulating Security
Payload (ESP) protocol ensures data confidentiality through encryption, data integrity, data
authentication, and other features that support optional anti-replay services. To ensure data
confidentiality, a number of encryption algorithms are used. The main difference between the
AH protocol and the ESP protocol is that the ESP protocol provides all the security services
provided by the AH protocol, together with data confidentiality through encryption.
When you install IPSec, the two main IPSec components which are installed are the IPSec Policy
Agent and the IPSec driver. The IPSec Policy Agent is a service running on a Windows Server
2003 computer that accesses IPSec policy information. The IPSec Policy Agent accesses the
IPSec policy information in the local Windows registry or in Active Directory, and then passes
the information to the IPSec driver. The IPSec driver performs a number of operations to enable
secure network communications such as initiating IKE communication, creating IPSec packets,
encrypting data, and calculating hashes.
IPSec can operate in either Tunnel mode or in Transport mode. IPSec Tunnel mode should be
used to provide security for WAN and VPN connections that use the Internet. In tunnel mode,
IPSec encrypts the IP header and the IP payload. With tunneling, the data contained in a packet
is encapsulated inside an additional packet. The new packet is then sent over the network. In
Transport Mode, the default mode of operation used by IPSec, only the IP payload is encrypted.
Transport mode is used for end-to-end communication security between two computers on the
network.
The security features provided by IPSec are summarized here:
• Authentication; a digital signature is used to verify the identity of the sender
of the information. IPSec can use Kerberos, a preshared key, or digital
certificates for authentication.
• Data integrity; a hash algorithm is used to ensure that data is not tampered
with. A checksum called a hash message authentication code (HMAC) is
calculated for the data of the packet. When a packet is modified while in
transit, the calculated HMAC changes. This change will be detected by the
receiving computer.
• Data privacy; encryption algorithms are utilized to ensure that data being
transmitted is undecipherable.
• Anti-replay; prevents an attacker from resending packets in an attempt to
gain access to the private network.
• Nonrepudiation; public key digital signatures are used to prove message
origin.
• Dynamic rekeying; keys can be created during data sending to protect
segments of the communication with different keys.
• Key generation; the Diffie-Hellman key agreement algorithm is used to
enable two computers to exchange a shared encryption key.
• IP Packet filtering; the packet filtering capability of IPSec can be used to filter
and block specific types of traffic, based on either of the following elements
or on a combination of them:
○ IP addresses
○ Protocols
○ Ports
To secure and protect data, IPSec uses cryptography to provide the following capabilities:
• Authentication: Authentication deals with verifying the identity of the
computer sending the data, or the identity of the computer receiving the
data. The methods which IPSec can use to authenticate the sender or
receiver of data are:
○ Digital certificates: Provide the most secure means of authenticating
identities. Certificate authorities (CAs) such as Netscape, Entrust,
VeriSign, and Microsoft provide certificates which can be used for
authentication purposes.
○ Kerberos authentication: A downside of using the Kerberos v5
authentication protocol is that the identity of the computer remains
unencrypted up to the point that the whole payload is encrypted.
○ Pre-shared keys; should be used when none of the former
authentication methods can be used.
• Anti-replay ensures that the authentication data cannot be interpreted as it is
sent over the network. In addition to authentication, IPSec can provide
nonrepudiation. With nonrepudiation, the sender of the data cannot at a later
stage deny actually sending the data.
• Data integrity: Data integrity deals with ensuring that the data received at
the recipient has not been tampered with. A hashing algorithm is used to
ensure that the data is not modified as it is passed over the network. The
hashing algorithms which can be used by IPSec are:
○ Message Digest (MD5); a one-way hash that results in a 128-bit hash
which is used for integrity checking.
○ Secure Hash Algorithm 1 (SHA1); a 160-bit secret key to generate a
160-bit message digest which provides more security than MD5.
• Data confidentiality: IPSec ensures data confidentiality by applying
encryption algorithms to data before it is sent over the network. If the data is
intercepted, encryption ensures that the intruder cannot interpret the data.
To ensure data confidentiality, IPSec can use either of the following
encryption algorithms:
○ Data Encryption Standard (DES); the default encryption algorithm used
in Windows Server 2003 which uses 56-bit encryption.
○ Triple DES (3DES); data is encrypted with one key, decrypted with
another key, and encrypted again with a different key.
○ 40-bit DES; the least secure encryption algorithm.

IPSec Policies Summary


IPSec policies are used to apply security in your network. The IPSec policies define when and
how data should be secured. The IPSec policies also determine which security methods to use
when securing data at the different levels in your network. You can configure IPSec policies so
that different types of traffic are affected by each individual policy.
The IPSec policy components are:
• IP filter; informs the IPSec driver on the type of inbound traffic and outbound
traffic which should be secured.
• IP filter list; used to group multiple IP filters into a single list in order to isolate
a specific set of network traffic.
• Filter action; used to define how the IPSec driver should secure traffic.
• Security method; refers to security types and algorithms used for the key
exchange process and for authentication.
• Connection type: identifies the type of connection which the IPSec policy
impacts.
• Tunnel setting; the tunnel endpoint's IP address/DNS name.
• Rule; a grouping of components such as filters and filter actions to secure a
specific subset of traffic in a particular manner.
IPSec policies can be applied at the following levels within a network:
• Active Directory domain
• Active Directory site
• Active Directory organizational unit
• Computers
• Applications
Windows Server 2003 IPSec deployments include predefined IPSec rules, filter lists, filter
actions, and three default IPSec policies. Each default IPSec policy contains a set of predefined
rules, filter lists and filter actions.
The three predefined IPSec policies are:
• Client (Respond Only): The Client (Respond Only) default IPSec policy is the
least secure predefined policy. Here, the computer assigned the policy never
initiates secure data communication. The computer only responds to IPSec
requests from those computers who request it. The Client (Respond Only)
predefined IPSec policy contains the default response rule that creates
dynamic IPSec filters for inbound and outbound traffic based on the protocol
and port which was requested.
• Server (Request Security): With the Server (Request Security)
default IPSec policy, the computer prefers and initiates secure data
communication. If the other computer supports IPSec, secure data
communication will take place. If the other computer does not support IPSec,
the computer will allow unsecured communication with that computer.
• Secure Server (Require Security): With the Secure Server (Require Security)
default IPSec policy only secure data communication is allowed. If the other
computer does not support IPSec, the connection is not established.
You can create customized IPSec policies that include customized rules and filters that suit
specific security requirements of the organization. You can also create your own IPSec policy by
using the IP Security Wizard which you can initiate from within the IP Security Policy
Management MMC.
Microsoft Best Practices for Implementing IPSec
The Microsoft best practices for implementing IPSec are summarized here:
• You need to plan your IPSec implementation and configuration.
• You should develop a test lab and use the test lab to test the implementation
of your IPSec policies. There are a few features of IPSec that are not
supported in all versions of the Windows operating systems. Windows Server
2003 does though support all the features of IPSec and it also includes IPSec-
specific enhancements.
• Because preshared keys are considered the least secure supported
authentication method, you should only use preshared keys when you cannot
use digital certificates or the Kerberos v5 authentication protocol.
• You should not use the Kerberos v5 authentication protocol for computers
that are connected to the Internet. This is primarily because the identity of
the computer remains unencrypted up to the point that the whole payload is
encrypted.
• You should use digital certificates as the authentication method for
computers that are connected to the Internet. When sending the certificate
request, do not however transmit the name of the Certification Authority (CA)
together with the request.
• For computers that are connected to the Internet, only allow secured
connections and communication to occur. Ensure that the Allow Unsecured
Communication With Non-IPSec Aware Computers option and Accept
Unsecured Communication, But Always Respond Using IPSec option is
disabled.
• Diffie-Hellman key agreement enables two computers to create a shared
private key that authenticates data and encrypts an IP datagram. IPSec in
Windows Server 2003 includes support for the Group 3 2048-bit Diffie-
Hellman key exchange which is much stronger and more complex than the
previous Group 2 1024-bit Diffie-Hellman key exchange. If you need
backward compatibility with Windows 2000 and Windows XP, then you have
to use the Group 2 1024-bit Diffie-Hellman key exchange. You should though
never use Group 1 768-bit Diffie-Hellman key exchange because it offers the
lowest keying strength.
• If you are running Windows XP and Windows Server 2003 computers, use the
Triple Data Encryption Standard (3DES) encryption algorithm which provides
the strongest encryption algorithm. When you use 3DES, data is encrypted
with one key, decrypted with another key, and encrypted again with a
different key. If you are running Windows 2000 computers, install the High
Encryption Pack or Service Pack 2 so that 3DES can be used.
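As an added example (not from the original text), the following PowerShell script creates a custom IPSec policy with netsh ipsec static, the command-line equivalent of the IP Security Policy Management MMC, and applies the best practices above: no fallback to unsecured communication, 3DES with SHA1, and Diffie-Hellman Group 3. The policy, filter list and filter action names and the TCP ports chosen are hypothetical.

```powershell
# Added example, not from the original text. Builds a custom IPSec policy on a
# Windows Server 2003 / XP computer with "netsh ipsec static", showing each rule
# component (filter list, filter action, authentication method, connection type)
# and the Internet-facing best practices from the summary above.
# All names and the ports 445/3389 are hypothetical; substitute the traffic
# classes you identified as valuable or mission critical.

$ScriptPath = Join-Path $env:TEMP 'ipsec-require-security.txt'

$IpsecScript = @(
    # Policy with the main-mode (IKE) method 3DES / SHA1 / Diffie-Hellman Group 3
    # (2048-bit). Windows 2000 and XP peers need Group 2 ("3DES-SHA1-2") instead.
    # assign=no: nothing takes effect until the policy is reviewed and assigned.
    'ipsec static add policy name="Require-IPSec-Servers" description="Require ESP for file and terminal services traffic" mmsecmethods="3DES-SHA1-3" assign=no',

    # Filter list: the traffic the rule covers. mirrored=yes also matches the
    # replies, so one filter secures both directions of each conversation.
    'ipsec static add filterlist name="SMB-and-RDP" description="Traffic classes identified as sensitive"',
    'ipsec static add filter filterlist="SMB-and-RDP" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB"',
    'ipsec static add filter filterlist="SMB-and-RDP" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP"',

    # Filter action: negotiate ESP with 3DES confidentiality and SHA1 integrity.
    #   inpass=no -> "Accept unsecured communication, but always respond using IPSec" stays off
    #   soft=no   -> "Allow unsecured communication with non-IPSec aware computers" stays off
    # Both must stay disabled on Internet-connected computers, per the best practices.
    'ipsec static add filteraction name="Require-ESP-3DES-SHA1" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no',

    # Rule: ties filter list + filter action + authentication method + connection type.
    # Kerberos suits a domain member on the intranet; for Internet-facing hosts use
    # rootca="<CA subject name>" (certificates) instead, and psk= only as a last resort.
    'ipsec static add rule name="Secure SMB and RDP" policy="Require-IPSec-Servers" filterlist="SMB-and-RDP" filteraction="Require-ESP-3DES-SHA1" kerberos=yes conntype=all',

    # Assign the policy. Test this in the lab first: once assigned, peers that
    # cannot negotiate IPSec lose access to the filtered ports.
    'ipsec static set policy name="Require-IPSec-Servers" assign=yes'
)

# netsh reads the commands from a script file, which avoids shell quoting issues.
$IpsecScript | Set-Content -Path $ScriptPath -Encoding ASCII
netsh -f $ScriptPath
if ($LASTEXITCODE -ne 0) {
    throw "netsh returned exit code $LASTEXITCODE; review $ScriptPath"
}

# Verify the policy, its rules and filter actions as the IPSec driver will see them.
netsh ipsec static show policy name="Require-IPSec-Servers" level=verbose
```

To roll the change back during testing, set assign=no on the policy and confirm with netsh ipsec static show policy all that no other policy is assigned.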

Securing DNS Infrastructure


The common threats to a DNS infrastructure are:
• Denial-of-service (DoS) attacks occur when DNS servers are flooded with
recursive queries in an attempt to prevent the DNS server from servicing
legitimate client requests for name resolution. A successful DoS attack can
result in the unavailability of DNS services, and in the eventual shut down of
the network.
• Footprinting occurs when an intruder intercepts DNS zone information. With
this information, the intruder is able to discover the DNS domain names,
computer names, and IP addresses that are being used on the network, and can
then decide which computers to attack.
• IP Spoofing: After an intruder has obtained a valid IP address from a
footprinting attack, the intruder can use that IP address to send malicious
packets to the network, or access network services. The intruder can also use
the valid IP address to modify data.
• A redirection attack occurs when an intruder is able to make the DNS server
forward or redirect name resolution requests to the incorrect servers. In this
case, the incorrect servers are under the control of the intruder. A redirection
attack is achieved by an intruder corrupting the DNS cache in a DNS server
that accepts unsecured dynamic updates.
There are a number of ways in which you can secure DNS servers:
• If you are using DNS zone files to store zone data, change the permissions
on the zone files, or on the folder that stores them, so that only the System
group has Full Control.
• The DNS registry keys stored in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS should be
secured as well.
• If you have a DNS server that is not configured to resolve Internet names,
you should configure the root hints to point to those DNS servers hosting the
root domain.
• If you have a DNS server that is not configured with forwarders, and the DNS
server does not respond to any DNS clients directly, then it is recommended
that you disable recursion for the DNS server.
• Configure the Secure cache against pollution option to protect the DNS server
from an intruder that might be attempting to pollute the DNS cache with the
incorrect information.
• Limit the number of IP addresses that the DNS server listens on for DNS
queries.
The DNS security recommendations for an external DNS implementation are summarized below:
• You should harden your DNS servers, and place your DNS servers in a DMZ or
in a perimeter network.
• Ensure that access rules and packet filtering are defined on your firewalls to
control source and destination addresses and ports.
• Install the latest service packs on your DNS servers, and remove all
unnecessary services from these servers.
• Eliminate all single points of failure.
• Host your DNS servers on different subnets and ensure that they are served
by different routers.
• Ensure that zone transfer is only allowed to specific IP addresses.
• Secure zone transfer data by using VPN tunnels or IPSec.
• You can use a stealth primary server to update secondary DNS servers which
are registered with ICANN.
• For Internet facing DNS servers, disable recursion, disable dynamic updates,
and enable protection against cache pollution.
• Monitor your DNS logs. DNS logging is enabled by default. The DNS service
generates DNS logging information that you can use to monitor for attacks on
your DNS servers.
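As an added example (not part of the original text), the PowerShell script below audits a Windows DNS server against the recommendations in the two lists above: it reads the DNS service's registry values under the DNS key named earlier (NoRecursion, SecureResponses, ListenAddresses, and the per-zone SecureSecondaries and AllowUpdate values) and prints the dnscmd command that applies each missing setting. The listen address 192.0.2.53 and the <secondary-ip> placeholder are constructed values.

```powershell
# Added example, not from the original text. Run in an elevated PowerShell session on the DNS server.
# Registry locations under HKLM\System\CurrentControlSet\Services\DNS (the key the text says to secure).
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$zonesKey  = "$dnsParams\Zones"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, in which case the DNS service default applies.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, [string]$Fix)
    [pscustomobject]@{ Check = $Check; Status = 'FAIL'; Fix = $Fix }
}

function Test-DnsServerHardening {
    param(
        [switch]$InternetFacing,                # apply the stricter Internet-facing rules from the text
        [string[]]$AllowedListenAddresses = @() # addresses the server should listen on (constructed input)
    )
    $findings = @()

    # Recursion: disable it (NoRecursion = 1) on Internet-facing servers and on servers that have
    # no forwarders and serve no clients directly.
    if ($InternetFacing -and (Get-RegValue $dnsParams 'NoRecursion') -ne 1) {
        $findings += New-Finding 'Recursion disabled' 'dnscmd /Config /NoRecursion 1'
    }

    # "Secure cache against pollution" is SecureResponses = 1; it applies to every DNS server.
    if ((Get-RegValue $dnsParams 'SecureResponses') -ne 1) {
        $findings += New-Finding 'Secure cache against pollution' 'dnscmd /Config /SecureResponses 1'
    }

    # Listen addresses: an absent or empty ListenAddresses value means "listen on all interfaces".
    if ($AllowedListenAddresses.Count -gt 0) {
        $listen = @(@(Get-RegValue $dnsParams 'ListenAddresses') | Where-Object { $_ })
        $extra  = @($listen | Where-Object { $AllowedListenAddresses -notcontains $_ })
        if ($listen.Count -eq 0 -or $extra.Count -gt 0) {
            $findings += New-Finding 'Listen addresses restricted' `
                "dnscmd /ResetListenAddresses $($AllowedListenAddresses -join ' ')"
        }
    }

    # Per-zone checks: transfers only to listed IPs (or none), no dynamic updates on Internet-facing zones.
    if (Test-Path -Path $zonesKey) {
        foreach ($zone in Get-ChildItem -Path $zonesKey) {
            $name = $zone.PSChildName
            # SecureSecondaries: 0 = any host, 1 = name servers in the zone, 2 = listed IPs only, 3 = no transfers
            $secSec = Get-RegValue $zone.PSPath 'SecureSecondaries'
            if ($secSec -ne 2 -and $secSec -ne 3) {
                $findings += New-Finding "Zone transfer restricted ($name)" `
                    "dnscmd /ZoneResetSecondaries $name /SecureList <secondary-ip>"
            }
            # AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only (AD-integrated zones).
            # An absent value is treated as 0, the service default for a new primary zone.
            $allowUpdate = Get-RegValue $zone.PSPath 'AllowUpdate'
            if ($null -eq $allowUpdate) { $allowUpdate = 0 }
            if ($InternetFacing -and $allowUpdate -ne 0) {
                $findings += New-Finding "Dynamic updates disabled ($name)" "dnscmd /Config $name /AllowUpdate 0"
            }
        }
    }
    return $findings
}

# Audit this server as an Internet-facing DNS server that should listen only on 192.0.2.53 (constructed).
Test-DnsServerHardening -InternetFacing -AllowedListenAddresses '192.0.2.53' | Format-Table -AutoSize
```

An empty table means every checked setting already matches the recommendations; file and folder permissions on the zone files are not covered by the script and still need to be reviewed by hand.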

Designing Security for Data being Transmitted


Other than IPSec, there are a number of methods which you can use to secure data transmission
for a number of different circumstances:
• Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol
• S/MIME
• Server Message Block (SMB) signing
• Port Authentication for switches
• Through segmented networks

Secure Sockets Layer/Transport Layer Security (SSL/TLS) Protocol


Overview
The Secure Sockets Layer (SSL) protocol was developed by Netscape Communications to secure
communication over the Internet. SSL works at the transport layer of Transmission Control
Protocol/Internet Protocol (TCP/IP), which makes the protocol independent of the application
layer protocol functioning on top of it. SSL is an open standard protocol and is supported by a
range of servers and clients.
SSL can be utilized for the following:
• To encrypt Web traffic using Hypertext Transfer Protocol (HTTP). When HTTP
is utilized together with SSL, it is known as HTTPS.
• To authenticate Web servers, and to encrypt communications between Web
browsers and Web servers.
• To encrypt mail and newsgroup traffic.
SSL works by combining public key cryptography and secret key encryption to ensure data
confidentiality. The Rivest-Shamir-Adleman (RSA) public key algorithm is used to generate the
certificates, and the public and private key pairs utilized in SSL. When a client Web browser
connects to a Web server that is configured for SSL, an SSL handshake process is initiated with
the Web server. The SSL handshake process occurs to negotiate the secret key encryption
algorithm which the client and Web server will utilize to encrypt the data which is transmitted in
the SSL session.
Transport Layer Security (TLS) is an Internet standard version of Secure Sockets Layer (SSL),
and is very similar to Secure Sockets Layer version 3 (SSLv3). The key differences between
SSLv3 and TLS are:
• You can extend TLS by adding new authentication methods.
• TLS utilizes session caching, thereby improving on SSL performance.
• TLS also distinctly separates the handshake process from the record layer.
The record layer holds the data.
SSL/TLS is normally implemented in the following situations:
• SSL/TLS can be utilized to authenticate client access to a secure site. You can
require client and server certificates, and only allow access to the site to
those clients that are authenticated.
• Applications which support SSL can require authentication for remote users
logging on to the system.
• Exchange servers can use SSL/TLS to provide data confidentiality when data
is transmitted between servers on the intranet or Internet.
The benefits of implementing SSL/TLS are:
• SSL/TLS is easy to deploy.
• Server authentication, and optionally client authentication, occurs.
• Message confidentiality and integrity are ensured.
• The parties partaking in the secure session can choose the authentication
methods, and encryption and hash algorithms.
The shortcomings associated with deploying SSL/TLS are:
• SSL/TLS needs additional CPU resources to establish the secure session
between the server and client.
• Because SSL/TLS utilizes certificates, you would need administrators to
manage these certificates, and the certificate systems.

S/MIME Overview
Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used to provide end-to-end
security for e-mail traffic. You can implement S/MIME to digitally sign e-mail messages being
transmitted, thereby protecting the information from being modified.
Digitally signing e-mail messages provides the following key security features:
• Origin integrity
• Message integrity
• E-mail messages can be encrypted as well.
Microsoft Exchange Server 2000 and Exchange Server 2003 support S/MIME. S/MIME
requires support only in the e-mail application; the e-mail servers do not need to
support S/MIME.
Server Message Block (SMB) Protocol Signing Overview
Server Message Block (SMB) signing can be implemented to ensure the validity and integrity of
data in transit between a client and a server. Server Message Block (SMB) signing can therefore
be used to prevent man-in-the-middle attacks. SMB signing ensures the authenticity of a user and
the server on which the data resides. To prevent the modification of SMB packets while in
transit, SMB supports the digital signing of SMB packets. The signature is then verified at the
recipient computer. To sign SMB packets, a mathematical algorithm is run over specific fields
within the packet, to calculate a mathematical result. The recipient runs the same mathematical
algorithm and then compares the mathematical result. When the two mathematical results match,
it means that the data was not modified while in transit. A failure on either the server end or
client end results in data not being transmitted.
To protect against the impersonation of clients and servers in high security networking
environments that include Windows 2000 based clients and down-level Windows clients,
consider implementing SMB signing.
SMB signing is negotiated between the client and the server at the time when the SMB session is
established:
1. A client wants to establish a connection with a server that is defined to
require SMB signing.
2. The server responds by sending a challenge to the client. The challenge
takes the form of the data that the client will encrypt and return to the server.
3. The client responds by encrypting the challenge with a 168-bit session key.
The session key is calculated from the password of the user. Both the
response and the actual algorithm which was utilized to encrypt the
challenge are sent to the server.
4. The server utilizes its stored value for the user password to carry out the
same algorithm on the challenge, and then compares its results to the results
received from the client. Authentication of the user occurs when there is a
match between the mathematical results.
5. The server and client then negotiate the SMB version which will be used. The
version selected is the highest SMB version supported by both the server
and the client.
6. All messages sent between the client and server are protected through the
calculation of a digest. The digest is then included with each message.
When you configure a security template to utilize SMB signing, you can select between the
following options:
• Microsoft network client: Digitally sign communications (always)
• Microsoft network client: Digitally sign communications (if server agrees)
• Microsoft network server: Digitally sign communications (always)
• Microsoft network server: Digitally sign communications (if client agrees)
When designing SMB signing security, consider the following factors:
• By default, server end SMB signing is only enabled on domain controllers. It is
not enabled for member servers.
• By default, client end SMB signing is enabled on domain controllers, servers,
and workstations.
• If you want all communication with a server to require SMB signing:
○ The server must be configured to enable and require the utilization of
SMB signing.
○ The client computers have to be configured to enable or require SMB
signing.
• If you want communication with a server to allow both SMB signing and unsigned
communications:
○ The server must be configured to only enable SMB signing.
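To check the design factors above on a real machine, here is an added PowerShell example (not from the original text) that reads the four settings from the Server and Workstation service parameters in the registry, applying the defaults described above when a value was never set, and tabulates what each client/server combination negotiates.

```powershell
# Added example, not from the original text. The four policy settings listed above are stored as
# registry values: "(always)" = RequireSecuritySignature, "(if ... agrees)" = EnableSecuritySignature,
# under the Server service (server side) and the Workstation service (client side).
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbSigningPolicy {
    param([string]$Key, [bool]$DefaultEnabled)
    # Returns Required, Enabled or Disabled for one side. A value that has never been set
    # falls back to the built-in default the text describes ($DefaultEnabled).
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($p.RequireSecuritySignature -eq 1) { return 'Required' }
    $enabled = if ($null -ne $p.EnableSecuritySignature) { $p.EnableSecuritySignature -eq 1 } else { $DefaultEnabled }
    if ($enabled) { return 'Enabled' } else { return 'Disabled' }
}

function Get-SmbSigningOutcome {
    param(
        [ValidateSet('Required','Enabled','Disabled')][string]$Client,
        [ValidateSet('Required','Enabled','Disabled')][string]$Server
    )
    # One side insists on signing while the other has it switched off: no session can be established.
    if (($Client -eq 'Required' -and $Server -eq 'Disabled') -or
        ($Server -eq 'Required' -and $Client -eq 'Disabled')) { return 'Blocked' }
    # Either side requiring signing, or both sides having it enabled, yields signed SMB traffic.
    if ($Client -eq 'Required' -or $Server -eq 'Required') { return 'Signed' }
    if ($Client -eq 'Enabled' -and $Server -eq 'Enabled') { return 'Signed' }
    return 'Unsigned'
}

function Test-ServerRequiresSigning {
    param([string]$ServerPolicy)
    # The design goal "all communication with this server is signed" holds only when the server
    # side is Required; Enabled alone still lets a client with signing disabled talk unsigned.
    return ($ServerPolicy -eq 'Required')
}

# Local machine: server-side default is enabled only on domain controllers (DomainRole 4 or 5),
# client-side default is enabled everywhere.
$isDc = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4
$localServer = Get-SmbSigningPolicy -Key $serverKey -DefaultEnabled $isDc
$localClient = Get-SmbSigningPolicy -Key $clientKey -DefaultEnabled $true
"Server service policy : $localServer (all inbound sessions signed: $(Test-ServerRequiresSigning $localServer))"
"Workstation policy    : $localClient"

# Negotiation matrix for every combination of the settings, to check a design before rollout.
foreach ($c in 'Required','Enabled','Disabled') {
    foreach ($s in 'Required','Enabled','Disabled') {
        [pscustomobject]@{ Client = $c; Server = $s; Outcome = (Get-SmbSigningOutcome -Client $c -Server $s) }
    }
}
```

The two Blocked rows in the matrix are the combinations to look for before turning on "(always)" on a file server: any down-level client whose signing is disabled will lose access.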

Designing Security for Wireless Networks


The different categories of wireless networks are:
• Wireless local area networks (WLANs) make it possible for data to be shared
within a local area. Wireless bridges connect devices to the wireless network,
and can also connect two wireless networks.
• Wireless metropolitan area networks (WMANs) make it possible to connect
buildings in a city. WMANs use either infrared or radio frequency.
• The second generation of Wireless wide area network (WWAN) technology
is currently used by cellular phones. Global System for Mobile
Communications (GSM), Cellular Digital Packet Data (CDPD) and Code
Division Multiple Access (CDMA) are examples of WWAN technologies.
• Wireless personal area networks (WPANs) connect personal devices so that
data can be shared over an area. The personal devices that WPANs connect
are devices such as personal digital assistants (PDAs), laptop computers and
cellular phones. WPANs can operate using either infrared or radio frequency.
Wireless networks are exposed to the following types of threats:
• Data modification; data is modified while being transmitted.
• Eavesdropping; data is captured while being transmitted.
• Denial of service (DoS); the server is flooded with unauthorized requests,
making it impossible for the server to service authorized user requests.
• Spoofing; data is modified so that it looks as though it came from the
sender/receiver.
• Free-loading; network bandwidth is used by an unauthorized individual.
• Accidental network access; a user with a wireless connection on a device
accidentally accesses the network.
• Rogue wireless networks; authorized users create an unauthorized wireless
LAN, connected to the company network.
To secure wireless networks and wireless connections, administrators can require all wireless
communications to be authenticated and encrypted. There are a number of wireless security
technologies that can be used to protect wireless networks from the different types of attacks that
these networks are vulnerable to.
The more common technologies used to protect wireless networks from security threats are:
• Wired Equivalent Privacy (WEP) encryption
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X authentication
To provide protection from casual eavesdropping, there are a number of options which WEP
provides, including the following:
• With 64-bit encryption, the length of the encryption key defines the degree
of protection that is provided to secure transmissions.
• 128-bit encryption provides greater security than 64-bit encryption.
• When WEP is configured with the No encryption option, all transmissions are
sent in clear text.
A few advantages of using WEP to prevent intruders from examining traffic in transit are listed
here:
• WEP is easy to implement. You only have to configure the encryption key on
the APs and your clients.
• WEP can provide basic security for WLAN applications.
• Transmission privacy is ensured through RC4 encryption. This means that the
shared secret key has to be used for decryption.
• Transmission integrity is ensured by the CRC-32 checksum.
802.1X authentication uses the Extensible Authentication Protocol (EAP) to provide
authenticated communication between the client, the wireless access point (WAP), and a Remote
Authentication Dial-In User Service (RADIUS) service. The Extensible Authentication Protocol (EAP) is
an Internet Engineering Task Force (IETF) standard protocol. To provide a secure authentication
process, the EAP protocol regularly produces a new encryption key. This in turn reduces the
vulnerabilities of the WEP protocol.
The authentication components used in the 802.1X authentication process are:
• EAP-TLS authentication: With EAP-TLS authentication, public key certificates
are used to authenticate the RADIUS service, and the client. EAP-TLS
authentication is a stronger authentication method than PEAP authentication.
To implement EAP-TLS authentication, you need to use a Public Key
Infrastructure (PKI).
• Protected EAP (PEAP) authentication: While EAP-TLS utilizes public key
certificates to authenticate clients, PEAP authentication utilizes a user name
and password to authenticate clients. EAP-TLS is therefore the stronger
authentication method to authenticate wireless clients. One advantage of
using PEAP authentication is that it is easy to implement. When PEAP
authentication and the RADIUS service are used together, the encryption
keys have to be changed on a regular basis. This in turn ensures that WEP
encryption cannot be easily broken. The PEAP authentication process has the
following two stages:
○ The RADIUS server is authenticated through the examination of its
public key certificate. A Transport Layer Security (TLS) session is
established between the client and the RADIUS server.
○ An additional EAP method within the PEAP session authenticates the
client to the RADIUS service.
• RADIUS service: The RADIUS service is used mainly to authenticate dial-up
users, and can be used to authenticate wireless users when they attempt to
connect to the network. One of the main benefits of using the RADIUS service
is that user authentication for wireless networks is centralized. When a
client transmits a request to establish a connection, the RADIUS service
verifies the identity of the client by looking for a match in its authentication
database. You can also configure a maximum session time limit which forces
clients to regularly re-authenticate to the RADIUS service. During re-
authentication, a new shared secret is generated, which makes it more
difficult for attackers to decipher the shared secret keys.
When designing security for wireless networks, the factors listed below have to be determined or
clarified:
• Determine whether the Wi-Fi Protected Access (WPA) protocol or the Wired
Equivalent Privacy (WEP) protocol will be used.
• If you select to use the WPA protocol, determine whether your hardware
needs to be upgraded to support WPA.
• If you select to use the WEP protocol, determine whether 64-bit or 128-bit
encryption will be used.
• Determine whether 802.1X authentication will be used.
• Determine whether wireless clients will use IPSec.
• Determine whether MAC address filtering will be used to limit wireless access
based on MAC addresses.
• Determine whether Group Policy will be used to configure wireless client
security settings, or whether they will be configured manually.
• Determine whether your wireless network security strategy involves
monitoring of wireless network activity, and if yes, how and when will you
monitor wireless network traffic.

Maintaining a Security Plan


The typical circumstances under which a security plan should be updated are summarized here:
• A change occurs to the existing organizational structure.
• There is a change in the existing security policy or strategy of the
organization.
• Microsoft issues a new security update to deal with a security threat.
• Mergers and takeovers usually mean an expansion or complete modification
of existing security plans.
One of the challenges you face when designing network infrastructure security is to maintain an
already implemented security plan. This is necessary to ensure that your existing security plan
remains current, valuable and effective.
• To keep updated on all new security threats;
○ Regularly reference network security Web sites.
○ Subscribe to security bulletins.
• To keep up to date on all released security fixes;
○ Apply all the latest hotfixes and service packs to computers.
○ Reference the Microsoft Web site to check your system for missing
security fixes.
• To make certain that the security plan is based on the security policy;
○ Regularly update the security plan when modifications are made to the
security policy of the organization.
○ Regularly examine the security plan to ensure that it is still based on
the security policy.

Identifying Security Issues Common to All Server Roles


Physical Security Issues
Server security is one of the initial security requirements when you install any server
operating system. Servers have to be physically secured against threats such as
unauthorized physical access. Physical security prevents an individual from physically accessing your
server and performing malicious actions.
A few guidelines and recommendations for implementing physical server security are detailed below:
• All servers should be secured in a locked server room.
• Only those individuals that need access should be permitted to access the server room
using a key or security code. You can also implement a mechanism that monitors who
enters and leaves the server room.
• All hubs, routers and switches should be placed in a wiring closet, or in a locked cable
room.
• You should use case locks on your servers. You can also install case locks on other
systems that can be physically accessed.
• You should restrict access to the floppy drive as well.
• Set a BIOS password on all systems. This would prevent an unauthorized person from
accessing the BIOS.
• You should change the operating system selection timeout interval to 0 in order for
Windows to boot automatically.
• When you are setting up Windows, disconnect the server from the Internet.
• Install Windows operating systems to an NTFS partition.
• Ensure that you use a strong local administrator password during setup.
Using NT File System (NTFS)
To store data on a local partition on a Windows server, you have to format it with a file system.
The file system that you use determines the manner in which data is stored on the disk. It also
specifies the security that can be defined for folders and files stored on the partitions. While
Windows operating systems offer support for the File Allocation Table (FAT) file system, NT
file system (NTFS), and CDFS (Compact Disc File System), the file systems generally utilized
by local partitions are the FAT file system and the NTFS file system. The file system that offers the
best level of security is NT file system (NTFS).
NTFS partitions enable you to specify security for the file system after a user has logged on.
NTFS permissions control the access users and groups have to files and folders on NTFS
partitions. You can set an access level for each particular user to the folders and files hosted on
NTFS partitions. You can allow access to the NTFS files and folders, or you can deny access to
the NTFS files and folders. The NTFS file system also includes other features such as
encryption, disk quotas, file compression, mounted drives, NTFS change journal, and multiple
data streams. You can also store Macintosh files on NTFS partitions.
Encrypting File System (EFS) enables users to encrypt files and folders, and entire data drives on
NTFS formatted volumes. Users that are utilizing EFS can share encrypted files with other users
on file shares and even Web folders. You can configure EFS features through Group Policy and
command-line tools. Through disk quotas, you can manage disk space utilization of your users
for critical NTFS volumes. Disk quotas are used to track disk space usage on a per user, per
NTFS volume basis.
Before you can apply NTFS permissions, you have to format the disk partition as an NTFS
partition. NTFS permissions are applied through Windows Explorer. You simply have to right-
click the particular file or folder that you want to control access to and select Properties from the
shortcut menu. The Properties dialog box of NTFS files and folders contains a Security tab. This
is the tab utilized to apply NTFS permissions.
Deploying Service Packs and Hotfixes
A service pack is a collection of updates, or executable files that relate to an operating system
(OS). Service packs typically deal with setup, security, and application compatibility
enhancements or issues. Service packs are issued by Microsoft every couple of months to ensure
that the operating system is up to date, and to correct any existing issues. Service packs improve
on the functionality of a computer when they include new tools and capabilities. They can also
contain device drivers.
A hotfix consists of one or multiple files that are applied to the operating system to fix a specific
critical problem. A hotfix corrects a particular critical operating system fault, and can
include once-off fixes for a server or client problem. Hotfixes can be downloaded from the
Windows Update site, or from the TechNet Security page at
www.microsoft.com/technet/security/default.asp. The Microsoft Network Security Hotfix
Checker (HFNetChk) included with the Microsoft Baseline Security Analyzer (MBSA) tool can
be used to determine whether your network computers have all the necessary hotfixes. This
powerful tool can speedily check all your network computers. The MBSA tool can also be used
to identify security misconfigurations and weaknesses.
Microsoft Baseline Security Analyzer (MBSA) can be run on Windows 2000, Windows XP and
Windows Server 2003 computers to scan for security weaknesses and missing hotfixes. MBSA
works for:
• Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional,
Windows XP Professional, Windows NT 4.0, SQL Server 2000, SQL Server 7.0, Internet
Information Server 4.0 / 5.0, IE 5.01, and Office 2000, and Office 2002 - XP
The Microsoft Network Security Hotfix Checker (HFNetChk) included in the Microsoft Baseline
Security Analyzer tool can be used to analyze one or multiple computers for necessary service
packs. The attractive feature of this tool is that it can be scripted to scan a number of different
configurations. It can also scan for necessary updates for one or multiple products. The
HFNetChk tool uses an XML file when it runs that contains detailed information on all the
available hotfixes for many products. The XML file is downloaded from the Microsoft Web site
when it is not included in the directory from where HFNetChk is run.
HFNetChk can scan the following:
• Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional,
Windows XP Professional, Windows NT 4.0, Windows Media Player, Microsoft Data
Engine 1.0, Exchange Server 5.0, and 2000, SQL Server 2000, SQL Server 7.0, Internet
Information Server 4.0 / 5.0, IE 5.01, and Office 2000 and Office 2002 - XP
You can use either of the following methods or technologies to deploy necessary updates on your
existing computers:
• Windows Update, Automatic Updates, Software Update Services (SUS), Scripting,
Systems Management Server (SMS), or Group Policy
• You can also manually deploy an update from a network share or CD-ROM after you
have obtained it.
Automatic Updates, manual deployment, and Windows Update can only deploy the update to a
single computer or a small number of computers. Software Update Services (SUS), Group
Policy, and scripting can apply updates to multiple computers. Software Update Services (SUS)
can only be used to deploy service packs and hotfixes for Windows 2000, Windows XP and
Windows Server 2003 computers. Scripting and SMS can be used to deploy hotfixes and service
packs to all the versions of Windows computers. The Software Installation and Maintenance
feature of Group Policy, and scripting work well when a large number of network computers
require the identical update.
You can only use Automatic Updates on:
• Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional
with SP2 or above, Windows XP Professional, and Windows XP Home Edition with SP1
You can use Systems Management Server (SMS) to install service packs on SMS client
computers from a network distribution share. Using SMS for deploying updates involves the
following steps:
• You have to create a SMS package that includes the location of the service pack source
files and the package definition file (.pdf) for distributing the service pack. The package
definition file includes the information that would be needed to create the SMS package.
The SMS package includes command-line executables as well. These executables run on
the SMS client computers to manage how the SMS package executes.
• You then have to distribute the SMS package to the distribution points that you have
identified.
• Lastly, you have to create an SMS advertisement that will inform the SMS clients of the
available service packs.
Disabling Unnecessary Services
When you install the Windows Server 2003 operating system, there are a few services which are
automatically installed with the operating system. These services are usually configured with the
Automatic startup type. This means that the service starts automatically when the operating
system starts. The startup type specified for the service controls when and how the service starts.
The configuration of a service is stored in the following location in the Registry:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key
A service can also be configured with one of the startup types listed below:
• Automatic; the service starts automatically when the operating system starts or boots.
Some services that have the Automatic startup type configured when you install
Windows Server 2003 are Automatic Updates, DHCP Client, DNS Client, IPSec
Services, Remote Procedure Call (RPC), Server, Security Accounts Manager, and System
Event Notification.
• Manual; this service needs to be started manually by an Administrator. However, if a
service or process needs to start a particular service, it can start the service.
• Disabled; for a service with the Disabled startup type to start, the actual startup type
needs to be changed to either Automatic or Manual. A service cannot start another
service if that particular service’s startup type is Disabled.
For the following services, it is recommended that you configure the Disabled startup type, if the
server does not require the service:
○ Alerter
○ Application Management
○ ClipBook
○ Distributed File System
○ Distributed Transaction Coordinator
○ Fax Service
○ Indexing Service
○ Internet Connection Sharing (ICS)
○ Internet Connection Firewall (ICF)
○ License Logging
○ Messenger
○ NetMeeting Remote Desktop Sharing
○ Network DDE
○ Network DDE DSDM
○ Print Spooler
○ Remote Access Auto Connection Manager
○ Remote Access Connection Manager
○ Removable Storage
○ Routing And Remote Access
○ Secondary Logon
○ Task Scheduler
○ Telephony
○ Telnet
○ Uninterruptible Power Supply
The System Services area of the Security Configuration and Analysis management console is
used to manage startup and permissions for system services. If you have unnecessary services
running within your environment, you can disable the services. When services are disabled, they
are stopped from starting when the computer starts. The components of the service which you
disable are not uninstalled.
To check the status of a service:
1. Open the Computer Management console
2. Right-click Computer Management in the left console pane, and click Connect To
Another Computer on the shortcut menu.
3. Specify whether you want to check the status of a service on the local computer, or on a
remote computer.
4. Proceed to expand the Services And Applications node.
5. Select Services.
6. The Services window displays the service name, startup type and status of the service, as
well as other information.
To disable unnecessary services:
1. Open the Computer Management console.
2. Right-click Computer Management in the left console pane, and click Connect To
Another Computer on the shortcut menu. Specify whether you want to manage services
on the local computer, or on a remote computer.
3. Expand the Services And Applications node, and select Services.
4. Right-click the particular service which you want to disable, and then select Properties
from the shortcut menu.
5. On the General tab of the Properties dialog box, select Disabled in the Startup Type drop-
down list box.
6. Click OK.
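An added PowerShell example, not part of the original text, that reports which of the services listed above are installed and not yet disabled, and disables them with -WhatIf support. The short service names (for example ClipSrv for ClipBook) are the Windows Server 2003 service names; Internet Connection Sharing and Internet Connection Firewall share the single SharedAccess service.

```powershell
# Added example, not from the original text. Keys are the short service names stored under
# HKLM\System\CurrentControlSet\Services; values are the display names from the list above.
$candidateServices = @{
    Alerter        = 'Alerter'
    AppMgmt        = 'Application Management'
    ClipSrv        = 'ClipBook'
    Dfs            = 'Distributed File System'
    MSDTC          = 'Distributed Transaction Coordinator'
    Fax            = 'Fax Service'
    cisvc          = 'Indexing Service'
    SharedAccess   = 'Internet Connection Sharing (ICS) / Internet Connection Firewall (ICF)'
    LicenseService = 'License Logging'
    Messenger      = 'Messenger'
    mnmsrvc        = 'NetMeeting Remote Desktop Sharing'
    NetDDE         = 'Network DDE'
    NetDDEdsdm     = 'Network DDE DSDM'
    Spooler        = 'Print Spooler'
    RasAuto        = 'Remote Access Auto Connection Manager'
    RasMan         = 'Remote Access Connection Manager'
    NtmsSvc        = 'Removable Storage'
    RemoteAccess   = 'Routing And Remote Access'
    seclogon       = 'Secondary Logon'
    Schedule       = 'Task Scheduler'
    TapiSrv        = 'Telephony'
    TlntSvr        = 'Telnet'
    UPS            = 'Uninterruptible Power Supply'
}

function Get-UnnecessaryServiceReport {
    param([string]$ComputerName = '.')
    foreach ($name in $candidateServices.Keys) {
        # Win32_Service exposes StartMode (Auto, Manual, Disabled) and State (Running, Stopped).
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$name'"
        if ($null -eq $svc) { continue }   # service not installed on this server
        # Disabled is the startup type the text recommends; anything else is reported for action.
        $action = 'none'
        if ($svc.StartMode -ne 'Disabled') { $action = 'disable' }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            ListedAs    = $candidateServices[$name]
            StartMode   = $svc.StartMode
            State       = $svc.State
            Action      = $action
        }
    }
}

function Disable-UnnecessaryService {
    # Supports -WhatIf so the change can be previewed first. A service the server's role does need
    # (Print Spooler on a print server, for instance) must be removed from $candidateServices.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ComputerName = '.')
    $targets = Get-UnnecessaryServiceReport -ComputerName $ComputerName | Where-Object { $_.Action -eq 'disable' }
    foreach ($row in $targets) {
        if (-not $PSCmdlet.ShouldProcess("$($row.DisplayName) on $ComputerName", 'Set startup type to Disabled')) { continue }
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='$($row.Name)'"
        # Stop a running instance first; disabling alone only prevents the next start.
        if ($svc.State -eq 'Running') { [void]$svc.StopService() }
        $result = $svc.ChangeStartMode('Disabled')
        # ReturnValue 0 means success; other values are Win32_Service method error codes.
        [pscustomobject]@{ Service = $row.DisplayName; ReturnValue = $result.ReturnValue }
    }
}

Get-UnnecessaryServiceReport | Format-Table -AutoSize
Disable-UnnecessaryService -WhatIf
```

Run the last line without -WhatIf, in an elevated session, once the report has been reviewed; the components of a disabled service stay installed, as the text notes.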
Disabling Unnecessary Accounts
All accounts which are not being utilized should be deleted or disabled.
• For employees that are no longer employed at the company, delete the
employee’s user account.
• For employees or users that have a defined period of temporary absence,
disable the specific employee’s user account.
Additionally, the two built-in accounts that every attacker knows about should be secured:
• Administrator account: The Administrator account is a well-known account with full system access, is not subject to account lockout by default, and its name is the first one an attacker will try. Once the system is installed, administrators are typically made members of the Administrators group rather than sharing this account; because their rights come from group membership, they are easily revoked by removing the user from the group. Ensure that the local Administrator account has a long, strong password: a weak one gives an unauthorized individual full access to the system, or to the domain if the system is a domain controller. You can also rename the account (its SID, which ends in the well-known relative identifier 500, does not change, so tools that look at SIDs rather than names still find it) and create a decoy account named Administrator that has no group memberships and no permissions. Audit logon attempts against the decoy; any attempt to use it is suspicious.
• Guest account: The Guest account is intended for users who need infrequent access and is disabled by default when Windows Server 2003 is installed. When it is enabled, anything granted to the Everyone group is granted to Guest as well, because a user logged on as Guest carries the Everyone SID in its token. Leave the Guest account disabled unless there is a specific need for it; if it must be enabled, rename it, give it a strong password that is changed regularly, and review what Everyone can access.
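Putting the account recommendations into practice, as an added example that is not part of the original page. It runs on a member or stand-alone server (domain controllers have no local SAM accounts) with Windows PowerShell 2.0 in an administrative session; the new administrator name and the decoy description are assumptions. The detail it demonstrates is that the built-in Administrator is found by its SID (relative identifier 500) and keeps that SID after the rename, so existing permissions survive while anything that referenced the old name (scripts, scheduled tasks) must be updated.

```powershell
# Added example (not from the original page). On a member server or stand-alone
# server (domain controllers have no local SAM accounts), finds the built-in
# Administrator by its well-known relative identifier 500, renames it, creates a
# decoy named Administrator with no group membership, and keeps Guest disabled.
# Needs PowerShell 2.0 and an administrative session. $newAdminName is an assumption.
$newAdminName = 'svr-root'
$decoyName    = 'Administrator'
$decoyDesc    = 'Decoy account. Any logon attempt against this account is an incident.'

function New-RandomPassword([int]$length = 28) {
    # Random password from a CSPRNG; rejection sampling keeps every character equally likely
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!$%#@-_'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $sb = New-Object System.Text.StringBuilder
    $byte = New-Object byte[] 1
    while ($sb.Length -lt $length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# 1. Locate the real Administrator by SID, never by name (it may already have been renamed)
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=TRUE" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
"Built-in Administrator is currently named '$($builtin.Name)' with SID $($builtin.SID)"

if ($builtin.Name -ne $newAdminName) {
    $rc = $builtin.Rename($newAdminName).ReturnValue      # 0 = success; the SID does not change
    if ($rc -ne 0) { throw "Rename failed with return code $rc" }
}

# 2. Decoy: the name attackers try first, a strong random password, no group membership
$machine  = [ADSI]"WinNT://$env:COMPUTERNAME"
$existing = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=TRUE AND Name='$decoyName'"
if (-not $existing) {
    $decoy = $machine.Create('user', $decoyName)
    $decoy.SetPassword((New-RandomPassword))
    $decoy.SetInfo()
    $decoy.Put('Description', $decoyDesc)
    $decoy.SetInfo()
}
$decoyPath  = "WinNT://$env:COMPUTERNAME/$decoyName,user"
$usersGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
if ($usersGroup.Invoke('IsMember', $decoyPath)) { $usersGroup.Invoke('Remove', $decoyPath) }

# 3. Guest stays disabled; net user is the quickest way to enforce that
net user Guest /active:no | Out-Null

# 4. Verify: RID 500 carries the new name, the decoy has no groups, Guest is disabled
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=TRUE" |
    Format-Table Name, SID, Disabled, Description -AutoSize
foreach ($g in ([ADSI]$decoyPath).Invoke('Groups')) {
    "WARNING: decoy is still a member of " + $g.GetType().InvokeMember('Name', 'GetProperty', $null, $g, $null)
}
```

Failed logons against the decoy show up in the Security log as logon failures for the account name Administrator; since nothing legitimate uses that name any more, an alert on those events has no false positives.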
Allowing users and computers unlimited access to system and network resources can ultimately compromise the security of the organization. Even though users and computers need access to network and system resources to perform certain tasks, the access they receive should be limited to what those tasks require.
User accounts are required to log on to a Windows NT, Windows 2000, Windows XP, or Windows Server 2003 network. User accounts are used for authentication, authorization, and auditing. A local user account enables a user to log on to a particular computer and access the local resources on that computer. A domain user account enables a user to log on to a domain and access network resources. Built-in user accounts are typically used for administrative tasks. You should strive to assign users, services, and computers the least number of privileges necessary to perform their tasks.
Enforce Strong Password Usage
Passwords protect networks and computers from unauthorized individuals gaining access to network resources. A strong password stands a better chance of protecting those resources because it is harder to guess or to crack. A strong password should not be a variation of the logon name, and should definitely not be the name of the user. It should be at least seven characters long and should include at least two alphabetic characters and one non-alphabetic character.
Passwords are probably the most vulnerable component of an authentication implementation. Weak passwords can be recovered even when password encryption is used. Password encryption means that the password itself is not transmitted over the network in clear text; a hash or a challenge/response value derived from it is sent instead. An attacker who captures that exchange, or who obtains the stored password hashes, can test candidate passwords offline at high speed, and a short or dictionary-based password falls quickly. When users choose strong, complex passwords, an unauthorized individual should not be able to recover the password in that way within a useful time. Requiring users to change their passwords regularly also limits the damage: by the time a strong password is recovered, it has probably already expired.
A weak password is one that consists of, or includes, any of the following:
• The name of the user
• The name of the organization
• The login ID of the user
• The word ‘password’
• Nothing at all (a blank password)
A strong password contains none of the above. Strong passwords have the following characteristics:
• The password is complex enough that it cannot be guessed or cracked by unauthorized network users, but can still be remembered by the user. The user should not need to write the password down to remember it.
• The password is at least seven characters in length.
• The password includes characters from at least three of the following groups:
• Uppercase characters: letters A through Z
• Lowercase characters: letters a through z
• Non-alphabetic characters, such as $, #, %
• Numeric digits 0 through 9
Password rules are based on the settings defined in password policies (Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy in Group Policy, or Local Security Policy on a stand-alone server). The settings are:
• Enforce Password History. Prohibits users from reusing a recent password when they specify a new password. The default in a Windows Server 2003 domain is 24 passwords remembered.
• Maximum Password Age. The time, in days, that a user can keep the same password before being forced to change it. The default setting is 42 days.
• Minimum Password Age. The time, in days, that a user must keep a new password before changing it again; without it, a user can cycle through 24 changes in a minute and return to the old password. The default in a domain is 1 day.
• Minimum Password Length. The least number of characters a password must have. The default in a Windows Server 2003 domain is 7 characters.
• Password Must Meet Complexity Requirements. The password must be at least six characters long, must not contain the user's account name or parts of the user's full name that exceed two consecutive characters, and must include characters from three of these four groups: numeric digits, non-alphabetic characters, English uppercase letters, and English lowercase letters. The default in a domain is Enabled.
• Store Passwords Using Reversible Encryption. Indicates whether the operating system stores the user's password in a form that can be decrypted back to clear text, which only protocols such as CHAP and Digest authentication need. The default setting is Disabled, and it should stay that way: a reversibly encrypted password store is a clear-text password store to anyone who can read it.
The defaults above are those of the Default Domain Policy. The local security policy of a stand-alone Windows Server 2003 computer is far weaker by default (no password history, no minimum length, complexity disabled), so stand-alone servers need these settings configured explicitly.
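A way to check and enforce these settings on a stand-alone or member server, as an added example that is not part of the original page. It uses secedit.exe, which every Windows Server 2003 installation has, because net accounts can set the numeric values but not the complexity requirement. The required values are the domain defaults listed above, used here as an assumption for the local policy; on a domain member they govern local SAM accounts only, while domain accounts follow the Default Domain Policy.

```powershell
# Added example (not from the original page). Exports the effective local
# account policy with secedit.exe, compares the [System Access] values with the
# required ones, and applies a security template for any that drift. This acts
# on the local SAM policy of a stand-alone or member server; domain accounts
# follow the Default Domain Policy GPO instead. Needs an administrative session.
$required = @{
    PasswordHistorySize   = 24   # Enforce password history
    MaximumPasswordAge    = 42   # days
    MinimumPasswordAge    = 1    # days
    MinimumPasswordLength = 7
    PasswordComplexity    = 1    # Password must meet complexity requirements
    ClearTextPassword     = 0    # Store passwords using reversible encryption: Disabled
}

function Get-LocalAccountPolicy {
    # secedit writes a Unicode .inf; only the [System Access] section is of interest here
    $inf = Join-Path $env:TEMP 'pwpolicy-export.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $settings = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $settings[$matches[1]] = $matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $settings
}

function Compare-PasswordPolicy($current, $required) {
    # Returns only the settings that are missing or differ from the requirement
    $drift = @{}
    foreach ($key in $required.Keys) {
        if (-not $current.ContainsKey($key) -or [int]$current[$key] -ne [int]$required[$key]) {
            $drift[$key] = $required[$key]
        }
    }
    $drift
}

function Set-LocalAccountPolicy($values) {
    # Build a minimal security template and apply just its SECURITYPOLICY area
    $inf = Join-Path $env:TEMP 'pwpolicy-apply.inf'
    $db  = Join-Path $env:TEMP 'pwpolicy-apply.sdb'
    $log = Join-Path $env:TEMP 'pwpolicy-apply.log'
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
    foreach ($key in $values.Keys) { $lines += "$key = $($values[$key])" }
    $lines | Out-File -FilePath $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

$drift = Compare-PasswordPolicy (Get-LocalAccountPolicy) $required
if ($drift.Count -eq 0) {
    'Local password policy meets the requirement.'
} else {
    'Correcting: ' + [string]::Join(', ', @($drift.Keys | ForEach-Object { "$_=$($drift[$_])" }))
    Set-LocalAccountPolicy $drift
    $remaining = Compare-PasswordPolicy (Get-LocalAccountPolicy) $required
    if ($remaining.Count -ne 0) { throw "Settings still wrong after apply: $([string]::Join(', ', @($remaining.Keys)))" }
    'Policy applied and verified; net accounts shows the numeric settings.'
}
```

Run from a scheduled task, the export-and-compare half doubles as a drift detector: any administrator who relaxes the local policy by hand is caught on the next run.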
Perform Regular Backups
A backup is a copy of the data and system files on a computer, archived to a different location on a hard disk or to other media.
Backups are typically performed for a number of reasons, including the following:
• Protect the network environment from accidental deletion or modification of data, and from hardware failures: Backups prove invaluable when users accidentally or intentionally delete or modify data, because the backup enables you to restore the data to its previous state of integrity. Because hardware failures such as a corrupted hard disk can cause considerable data loss, backing up your data ensures that the company can continue to perform its mission-critical functions when such an event occurs.
• Keep a history of mission-critical data: Regular backups of mission-critical data allow an earlier version of the information to be retrieved if it is needed at some time in the future.
A backup plan should be drawn up to detail the data that has to be backed up, the manner in which it should be backed up, the frequency of the backups, and the manner in which restores are performed and tested. Mission-critical data should be backed up, while temporary files generally do not need to be. System State data should be backed up. System State data contains the files the operating system uses, such as the boot files and system files, and any additional files Windows needs to restore the system; it is essentially the main configuration information of a Windows 2000 or Windows Server 2003 computer. Exactly what is included depends on the roles installed on the computer.
System State typically includes the following data, files and components:
• The Windows Registry
• The contents of the SYSVOL directory (domain controllers only)
• Files protected by Windows File Protection
• Boot and system files: Ntdetect.com, Ntldr and, on dual-boot systems, Bootsect.dos
• The COM+ Class Registration database
• The Active Directory database (Ntds.dit), including all log files and checkpoint files (domain controllers only)
• Cluster service files (cluster nodes only)
• Certificate Services files (if Certificate Services is installed)
• The Internet Information Services (IIS) metabase (if IIS is installed)
It is recommended to back up all data on a server together with its System State data. You are then prepared for a disaster such as a hard disk failure, because a full backup exists from which to restore the server. Note that a System State backup contains the SAM, and on a domain controller the entire Active Directory database with every account's password hashes, so backup media must be protected at least as carefully as the server itself.
The Windows Server 2003 Backup utility offers a few methods that you can use to create backup
jobs and execute backup jobs. You create a backup job by specifying the drives, directories and
files that should be backed up, the storage medium for the backup, the time when the backup
should occur, and other backup options.
1. Click Start, All Programs, Accessories, System Tools, and then Backup to start the Windows Server 2003 Backup utility (Ntbackup.exe).
2. The Welcome page for the Backup Or Restore Wizard is displayed.
The Backup Or Restore Wizard guides you through the process of backing up the server, and
restoring an existing backup from the hard disk or other media. You can use the Welcome page
of the Backup Or Restore Wizard to open Backup in Advanced Mode. The Advanced Mode
provides more features and flexibility. Clear the checkbox for Always Start In Wizard mode and
select the Advanced Mode link.
With Backup in Advanced Mode, you are given the following options:
• Start the Backup Wizard
• Start the Restore Wizard
• Start the Automated System Recovery Wizard
In the Windows NT and Windows 2000 operating systems, the emergency repair disk (ERD) was used to recover the system after a disaster. Windows XP Professional and Windows Server 2003 replace it with the Automated System Recovery (ASR) feature, a new feature of the Windows Backup utility, for recovering the system in disaster situations.
An ASR set has two parts: a backup of the system volume and System State on tape or disk, and an ASR floppy disk holding the disk configuration and Plug and Play information needed to rebuild the following:
• Boot sector
• System files
• Startup environment
When a server failure occurs, restart the computer from the Windows XP Professional or Windows Server 2003 installation CD-ROM. Early in text-mode Setup, press F2 when prompted to run Automated System Recovery and insert the ASR floppy disk. Setup uses the information on the floppy disk to recreate the disk partitions and restore the standard drivers and files, and then restores the rest of the system from the ASR backup. ASR restores only the volumes holding operating system components; data volumes are not part of an ASR set and must be restored from ordinary backups afterwards.
The Windows Backup utility is used to create ASR sets. You can start the Backup utility in one of the following ways:
• Click Start, click Run, and enter Ntbackup.exe in the dialog box.
• Click Start, All Programs, Accessories, System Tools, and then select Backup.
Follow the prompts of the Automated System Recovery Preparation Wizard to back up your system configuration and to create the ASR floppy disk holding the information needed to restore your system. The ASR floppy disk is specific to the system and to the time at which the ASR set was created, so a new set must be made whenever disks, partitions or hardware change.
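The System State backup from the command line, as an added example that is not part of the original page. It uses the documented ntbackup.exe switches, locks down the destination folder before the first write (the .bkf holds the SAM, and on a domain controller the AD database with every password hash), waits for the GUI-subsystem program to exit, and inspects the job log. It needs Windows PowerShell 2.0 and membership of Administrators or Backup Operators; the destination path and the pattern used to spot problem lines in the log are assumptions. The ntbackup command line has no switch for ASR sets, so the wizard described above remains the way to create those.

```powershell
# Added example (not from the original page). Runs a verified System State
# backup from the command line with ntbackup.exe, keeps the destination readable
# by Administrators and SYSTEM only (the .bkf contains the SAM, and on a domain
# controller the AD database with every password hash), and checks the job log.
# Requires PowerShell 2.0 and membership of Administrators or Backup Operators.
# $dest and the log line pattern are assumptions.
$dest  = 'E:\Backups'
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$bkf   = Join-Path $dest "SystemState-$env:COMPUTERNAME-$stamp.bkf"

if (-not (Test-Path $dest)) {
    New-Item -ItemType Directory -Path $dest | Out-Null
    $acl = Get-Acl $dest
    $acl.SetAccessRuleProtection($true, $false)       # drop inherited ACEs (e.g. Users from the volume root)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dest -AclObject $acl
}

# ntbackup is a GUI-subsystem program, so run it through Process and wait for exit explicitly.
# /M normal = full backup, /V:yes = verify after writing, /L:s = summary log, /J = job name, /F = target file
$started = Get-Date
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName  = 'ntbackup.exe'
$psi.Arguments = "backup systemstate /J `"System State $stamp`" /F `"$bkf`" /M normal /V:yes /L:s"
$psi.UseShellExecute = $false
$proc = [System.Diagnostics.Process]::Start($psi)
$proc.WaitForExit()

if (-not (Test-Path $bkf)) { throw "ntbackup produced no file at $bkf" }
"Backup file: $bkf ($([math]::Round((Get-Item $bkf).Length / 1MB)) MB)"

# ntbackup writes backupNN.log (Unicode text) under the user's profile; read the one from this run
$logDir = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data'
$log = Get-ChildItem -Path $logDir -Filter 'backup*.log' |
    Where-Object { $_.LastWriteTime -ge $started } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $log) { throw "No ntbackup log found under $logDir" }
$text = Get-Content -Path $log.FullName -Encoding Unicode
$problems = $text | Where-Object { $_ -match 'error|warning|skipped|could not' }   # pattern is an assumption
if ($problems) { "Log $($log.Name) reports problems:"; $problems } else { "Log $($log.Name): no problem lines found" }
```

A backup that is never restored is untested; schedule a periodic restore of the System State to a test server, and keep the .bkf on a volume with the same restricted ACL rather than on a share that ordinary users can reach.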
Understanding and Implementing Access Control
An Overview of Access Control
Allowing users and computers unlimited access to system and network resources can ultimately compromise the security and stability of an organization. Even though users and computers need access to network and system resources to perform certain tasks, the access they receive should be limited to what those tasks require. Access control has evolved from being access oriented in Windows 2000 and earlier to being control oriented in Windows Server 2003. With the launch of Windows Server 2003, Microsoft tightened its default security settings: the Everyone group receives only Read & Execute permission on the root of a new NTFS volume, and only Read permission on newly created shared folders. In Windows 2000 and earlier this group had Full Control on newly created volumes and shares. Windows Server 2003 also removed the Anonymous Logon identity from the Everyone group, so a permission granted to Everyone no longer reaches unauthenticated network users.
Access control deals with determining whether a user who has been authenticated can perform particular activities. When an attempt is made to access an object, access control determines whether the object can be accessed. Objects include Active Directory objects, files and folders, shared folders, network services, printers, registry keys and values, Windows Management Instrumentation (WMI) objects, and Terminal Services connections. Windows Server 2003 simplifies access control management by using one standard model, built on access control lists (ACLs), inherited permissions, and standard and special permissions, for all the different types of objects.
Before exploring access control any further, you should familiarize yourself with the following
terms:
• Security principal: Any user, group, computer or service can be a security principal. Each security principal has an account. Local accounts are maintained by the Security Accounts Manager (SAM) database on the computer. Accounts in a Windows 2000 Server or Windows Server 2003 domain are managed by Active Directory. Accounts in a Windows NT 4.0 domain are managed by the SAM database on the primary domain controller (PDC).
• Security identifier (SID): When an account is created, it receives a unique SID. A SID therefore identifies a user, group, computer or service in the organization. Security principals are identified by their SIDs and not by their names: renaming an account changes nothing in the ACLs that reference it, whereas deleting and recreating an account produces a new SID that matches no existing ACE.
• Security descriptor: A security descriptor holds the security information of an object: the SID of its owner, the SID of its primary group, the discretionary access control list (DACL) whose entries allow or deny access to the SIDs of users and groups, and the system access control list (SACL) that specifies which access attempts are audited.
• Security context: This is information that indicates the identity of a security principal and its permitted activities on the computer. The security subsystem uses the security context to ascertain what actions can be performed on the objects on a computer.
• Security groups: These are groups utilized to manage users and domain
objects. Through security groups, you can configure security permissions to
users or members of a particular group.
• Security Settings: These are security configuration settings which can be
applied to computers locally or through the Security Settings extension of
Group Policy.
• Access token: An access token is built at logon and contains the following:
○ The SID of the security principal
○ The SIDs of the groups that the security principal is a member of
○ A list of the privileges (user rights) of the security principal on the local computer
An access token supplies the security context for the actions of the security principal on the computer, and for the application threads that run on its behalf. Because the token is built at logon, a change of group membership takes effect only after the user logs off and on again.
• Object: An object refers to a resource that can be utilized by a process or
program. Objects are files, printers, registry keys, Active Directory objects,
sessions, access tokens, and processes and threads
• Inheritance: This is the means by which access control information flows down a tree of objects, so that child objects receive the access control information of their parent object. Files inheriting access control information from their parent folder is the typical case.
• Access control lists (ACLs): ACLs contain access control entries (ACEs) that describe the permissions associated with objects and object properties. For a security principal, an ACE defines the rights that are allowed, denied, or audited for that principal. For files and folders there are two layers of ACLs:
○ NTFS permissions: NTFS permissions are applied to files and folders, are enforced for local as well as network access, support inheritance, and are granular enough for intricate file and folder structures. They are the preferred layer for controlling access.
○ Share permissions: Share permissions apply only to users who connect to the resource over the network. They are set on the share as a whole, do not support inheritance, and are not as flexible as NTFS permissions. For a network access, the effective permission is the more restrictive of the share permission and the NTFS permission.
• Owner: The owner of an object can allow or deny access to the object it owns, even when the DACL does not grant the owner access, because the owner can always change the object's permissions. The owner can also grant another security principal the Take Ownership permission so that it can take ownership of the object.
• Permissions: Permissions are assigned to Active Directory objects, registry keys, services, printers, and files and folders. Permissions specify the type of access given to a user, group, or computer, and can be applied to any user, group or computer. Permissions can also be applied to special identities such as CREATOR OWNER, INTERACTIVE, LOCAL SYSTEM, NETWORK, and SERVICE. Because permissions can be inherited, you can configure child objects to receive the permissions of their parent object.
• Rights: User rights (privileges) enable a user to carry out system-wide activities such as restarting the computer or backing up files regardless of the permissions on them. They are assigned through User Rights Assignment in the security policy, not through an object's ACL, and some of them (Back up files and directories, Take ownership of files or other objects, Debug programs) are equivalent to full administrative access.
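The terms above in practice, as an added example that is not part of the original page: it dumps the access token of the current logon (user SID, group SIDs, privileges), decodes the security descriptor of a file into owner, primary group, DACL and SACL, and then lists the ACEs that an access check would consider for this token by comparing SIDs rather than names. It needs Windows PowerShell 2.0; reading the SACL needs the Manage auditing and security log user right, which Administrators hold by default. The file path is an assumption; any file you can read works.

```powershell
# Added example (not from the original page). Dumps the access token of the
# current logon (user SID, group SIDs, privileges) and decodes the security
# descriptor of a file into owner, primary group, DACL and SACL, then shows which
# ACEs an access check would match for this token. Needs PowerShell 2.0; reading
# the SACL requires the Manage auditing and security log right (Administrators).
# $path is an assumption: any file you can read works.
$path = 'C:\Windows\System32\drivers\etc\hosts'

# --- Access token -------------------------------------------------------------
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User  : $($token.Name)   SID=$($token.User.Value)"
$tokenSids = @($token.User.Value)
foreach ($g in $token.Groups) {
    $tokenSids += $g.Value
    # Names are only decoration; a SID of a deleted or untrusted account does not translate
    try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = '<unresolved>' }
    "Group : {0,-45} SID={1}" -f $name, $g.Value
}
# Privileges are not exposed by WindowsIdentity; whoami shows that part of the token
whoami.exe /priv

# --- Security descriptor ------------------------------------------------------
try   { $sd = Get-Acl -Path $path -Audit }                    # includes the SACL
catch { $sd = Get-Acl -Path $path; 'SACL not readable from this token' }
"Owner : $($sd.Owner)"
"Group : $($sd.Group)"
"SDDL  : $($sd.GetSecurityDescriptorSddlForm('All'))"
foreach ($ace in $sd.Access) {
    "DACL  : {0,-5} {1,-35} {2,-28} inherited={3}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
}
foreach ($ace in $sd.Audit) {
    "SACL  : {0,-7} {1,-35} {2}" -f $ace.AuditFlags, $ace.IdentityReference, $ace.FileSystemRights
}

# --- Which ACEs apply to me? The check compares SIDs, never names. ---------------
# Real access checking walks the DACL in order and stops at the first Deny that
# covers a requested right; this only lists the candidate entries.
foreach ($ace in $sd.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($tokenSids -contains $sid) {
        "MATCH : $($ace.AccessControlType) $($ace.FileSystemRights) through $($ace.IdentityReference) ($sid)"
    }
}

# A well-known SID resolves to a name on any Windows machine; the name is locale-dependent, the SID is not
(New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')).Translate([System.Security.Principal.NTAccount]).Value
```

Add a user to a group and run the token half again in the same session: the new group SID is absent, which is the "built at logon" rule made visible.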
Planning for Effective Access Control
Because the management of security groups, ACLs, and security settings needs careful planning, you need to create an access control plan that helps prevent the standard security problems:
• Inadequately protecting network resources.
• Assigning users too many rights and permissions, or too few to perform their daily tasks. You should strive to assign users, services, and computers the least number of privileges necessary to perform the tasks they need to.
• Continuously making ad hoc security configuration changes to correct security settings.
A good access control plan should include the following components or tasks.
• Security goals: This component of the security plan should identify the
resources and processes that you want to control access to.
• Security risks: You should identify the security vulnerabilities of the
organization and identify security loopholes. The following elements should
be included when analyzing security risks:
○ Physical data loss
○ Data corruption
○ Unauthorized data access and data modification
○ Incorrectly configured permissions that could lead to security
breaches.
• Security strategies: This component should outline the general security strategies that deal with all the threats identified as security risks.
• Security group descriptions: You should identify the permissions which you
want to apply to different users, user groups, and resources. From this
information, you should define security groups so that you can implement
permissions effectively.
• Security policy: Determine the configuration settings you want to implement
for the Security Settings of Group Policy if you are using Active Directory.
• Information security strategies: This component should detail the manner in
which you plan to implement information security solutions like encrypting
file system (EFS), if applicable for your environment.
• Administrative policies: This component involves detailing those policies for
delegating administrative tasks, and should also include all your auditing
practices.
Access Control Lists (ACLs) and Access Control Entries (ACEs)
An ACL controls access to resources. The two types of ACLs are:
• Discretionary Access Control Lists (DACLs): DACLs identify the users and groups that are allowed or denied access to a particular resource.
• System Access Control Lists (SACLs): SACLs control how access is audited, specifying which access attempts by which users or groups are recorded in the Security log.
Each ACL includes a number of access control entries (ACEs). An ACE holds the following information:
• The security ID (SID) of a user or group
• An access mask listing the special permissions (access rights) the entry covers
• Inheritance information (whether the entry applies to this object only, to child containers, to child objects, or was itself inherited)
• The ACE type: Allow, Deny, or (in a SACL) Audit
Within the same inheritance level, Deny ACEs are ordered before Allow ACEs and take precedence, so a single Deny on one group overrides an Allow on another group that the same user belongs to.
The process detailed below explains how the DACL is set when a new object is created:
• If the creating process supplies a security descriptor with a DACL, that DACL is used, with the inheritable ACEs of the parent object merged in.
• If no security descriptor is supplied, the DACL of the new object is built from the inheritable ACEs in the DACL of the parent object.
• If the parent object has no inheritable ACEs, the object manager is queried for a default DACL.
• If the object manager returns no default DACL, the default DACL in the access token of the creating user is used.
• If the access token has no default DACL, the new object has a null DACL, which means that everyone has unrestricted access to it. Note the difference between a null DACL (no DACL at all, everyone allowed) and an empty DACL (a DACL with no ACEs, everyone denied until the owner, or an administrator taking ownership, rewrites it).
Using the User/ACL method to control access to resources
In this method, users are added directly to the ACL of the resource and are granted permissions for that resource. The User/ACL method is easy to implement but is only effective in small organizations. It is typically used when the owner of a file or folder wants to share access to it. The User/ACL method does not work well in large organizations, where access control has to be implemented effectively and managed efficiently: every change of job role means editing the ACL on every resource the user touched, and stale ACEs for deleted accounts accumulate.
Using the Account Group/ACL (AG/ACL) method to control access to
resources
In this method, global groups are utilized and not individual user accounts. The global groups are
added to the ACL instead of individual user accounts. The group is then assigned access
permissions to the resource. When the permissions need to be changed for the particular
resource, the permissions for the group need to be amended. Using groups simplifies
management.
Using the Account Group/Resource Group method to control access to resources
With this method, users with similar access requirements are placed in account groups (global groups). Each account group is then added to a resource group (a domain local group) that carries the permission on the resource. This is the AGDLP pattern: Accounts go into Global groups, global groups go into Domain Local groups, and the domain local group is granted the Permission. The Account Group/Resource Group method is typically used in large organizations to control access to resources.
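An end-to-end implementation of the Account Group/Resource Group method, as an added example that is not part of the original page. It creates a global account group and a domain local resource group with dsadd, nests one in the other with dsmod, grants the resource group Modify on a project folder whose DACL is protected from the volume root, and then shows a new subfolder receiving those ACEs by inheritance, which is the second rule of the DACL-creation process above at work. The domain, OU, paths and group names are assumptions; run it with domain administrator rights on a domain controller or a member server that has the ds* tools, and allow for replication before the new group name resolves on another server.

```powershell
# Added example (not from the original page). Implements the Account Group /
# Resource Group (AGDLP) pattern end to end on a Windows Server 2003 domain:
# creates a global account group and a domain local resource group with dsadd,
# nests one in the other with dsmod, grants the resource group Modify on a
# project folder with a protected DACL, and shows a new subfolder inheriting
# those ACEs. Domain names, OU, paths and group names are assumptions.
$domainNetbios = 'EXAMPLE'
$groupsOu      = 'OU=Groups,DC=example,DC=com'
$accountGroup  = 'Alpha-Engineers'     # AG: people with the same job function (global)
$resourceGroup = 'RG-Alpha-Modify'     # RG: what may be done to which resource (domain local)
$root          = 'D:\Projects\Alpha'

function Get-OrCreateGroup($name, $scope, $desc) {
    # $scope: g = global (account group), l = domain local (resource group). Returns the DN.
    $dn = "CN=$name,$groupsOu"
    if (-not (dsquery group -samid $name)) {
        dsadd group $dn -samid $name -secgrp yes -scope $scope -desc $desc | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $name" }
    }
    $dn
}

$agDn = Get-OrCreateGroup $accountGroup  'g' 'Engineers working on project Alpha'
$rgDn = Get-OrCreateGroup $resourceGroup 'l' "Modify on $root"
dsmod group $rgDn -addmbr $agDn 2>&1 | Out-Null   # AG -> RG (errors if already a member, which is fine)
"Members of $resourceGroup :"; dsget group $rgDn -members

# Build the folder's DACL: administrators, SYSTEM, and exactly one business ACE, the resource group.
# Users never appear here; access changes are group membership changes in Active Directory.
if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting the volume root's Everyone/Users entries
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }
$rules = @(
    @('BUILTIN\Administrators',            'FullControl'),
    @('NT AUTHORITY\SYSTEM',               'FullControl'),
    @("$domainNetbios\$resourceGroup",     'Modify')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $root -AclObject $acl

# A new child object supplies no DACL of its own, so it is built from the parent's inheritable ACEs
$child = Join-Path $root 'Specs'
if (-not (Test-Path $child)) { New-Item -ItemType Directory -Path $child | Out-Null }
(Get-Acl -Path $child).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

To give an engineer access, add the user to Alpha-Engineers with dsmod group -addmbr; the folder's ACL is never touched again, and the user's token carries the resource group's SID at the next logon.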
Understanding Standard and Special Permissions
You can use standard and special permissions when setting up access control lists for Active
Directory objects, services, printers, registry keys, and files and folders. The differences between
the two permissions are summarized below:
• Standard Permissions: These are the permissions shown on the Security tab of the Properties dialog box of a file or folder: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each standard permission is a named bundle of special permissions.
• Special Permissions: These permissions enable administrators to exercise fine-grained control over the access a user has to an object. When you assign a standard permission, such as Read & Execute, the set of special permissions associated with that standard permission is granted as well; when you deny a standard permission, the associated special permissions are denied. You can view and edit special permissions under the Advanced button on the Security tab of the object's Properties dialog box.
File and folder permissions
The standard permissions that can be applied to files and folders on NTFS volumes are listed below. Which of them are offered depends on the object: List Folder Contents applies to folders only, and the file versions of the permissions omit the folder-specific rights.
• Full Control enables users to perform numerous actions on the file or folder
including creating and deleting files and folders, changing permissions, taking
ownership, and deleting subfolders and files.
• Modify: This permission allows users to read, edit and delete files and folders.
It enables users to perform activities allowed by the Write and Read &
Execute permissions.
• Read & Execute enables users to traverse folders and run applications. Users
receive rights assigned via the Read permission and the List Folder Contents
permission
• Read: Enables a user to view the files and subfolders in a folder and view
folder attributes, ownership and permissions. Users are able to view a file's
contents, attributes, ownership and permissions as well.
• Write: This permission enables users to create new files and subfolders in the
folder, view folder ownership and permissions, change file/folder attributes,
and overwrite a file.
• List Folder Contents: Enables users to browse to a folder and view the names
of subfolders and files within the particular folder.
The special or advanced file and folder permissions are listed below. These permissions are
automatically selected when one or more of the standard permissions are selected:
• Traverse Folder/Execute File: Traverse Folder applies to folders only. It allows or denies moving through a folder to reach other folders or files, even when the user has no other permission on the folder being traversed. Traverse Folder is only enforced when the user or group does not hold the Bypass traverse checking user right; that right is granted to Everyone by default, so in practice this permission rarely blocks anything. Execute File applies to files only and allows or denies running program files.
• List Folder/Read Data: List Folder is applicable for folders only, and either
allows or denies the viewing of file names and subfolder names in the
particular folder. Read Data is for file access, and either allows or denies the
viewing of the file's contents.
• Read Attributes: Either allows or denies the viewing of the attributes of a
file/folder.
• Read Extended Attributes: Either allows or denies the viewing of the
extended attributes of a file/folder.
• Create Files/Write Data: Create Files is applicable to folders only. It allows or
denies the creating of files within the folder. Write Data pertains to files, and
either allows or denies changes to be made to the file, and for the file's
content to be overwritten.
• Create Folders/Append Data: The Create Folders permission applies to folders
and either allows or denies folders to be created within the folder. The
Append Data permission is for files and either allows or denies changes to be
made to the end of the file. This excludes changing, overwriting and deleting
the existing data.
• Write Attributes: This permission either allows or denies the attributes of
files/folders to be changed.
• Write Extended Attributes: This permission either allows or denies the
extended attributes of files/folders to be changed.
• Delete Subfolders and Files: This permission either allows or denies
subfolders and files to be deleted.
• Delete: This permission either allows or denies folders and files to be deleted.
• Read Permissions either allows or denies reading the permissions (the DACL) of the file/folder. It is included in every standard permission, from Read through Full Control.
• Change Permissions either allows or denies changing the permissions of the file/folder. It is included only in Full Control; a user with Modify cannot alter the ACL.
• Take Ownership either allows or denies taking ownership of the file/folder. It too is included only in Full Control, although holders of the Take ownership of files or other objects user right (Administrators by default) can take ownership regardless of the ACL.
Active Directory permissions
Permissions on Active Directory objects are typically assigned using the Active Directory Users And Computers (ADUC) console, with Advanced Features enabled on the View menu so that the Security tab is shown. The standard permissions that can be applied to Active Directory objects are summarized below:
• Full Control enables users to perform numerous actions on Active Directory
objects such as creating/deleting objects. Users can also modify object
permissions if assigned the Full Control permission.
• Read: Enables users to view the properties, permissions, and contents of the
Active Directory object
• Write: This permission enables users to edit the properties of a particular
object.
• Create All Child Objects enables a user to create a type of child object in a
container such as an organizational unit (OU).
• Delete All Child Objects enables a user to delete a type of child object in a
container such as an organizational unit (OU).
• Special permission can also be assigned to users and groups.
Service permissions
Service permissions are not exposed in the Services console. You can change them through the System Services node of a security template or of Group Policy (Computer Configuration\Windows Settings\Security Settings\System Services), or from the command line with sc.exe sdshow and sc.exe sdset, which read and write the service's security descriptor in SDDL form. The standard permissions that can be applied to services are summarized below:
• Full Control enables users to perform numerous actions on a service such as
starting/stopping the service, changing the permissions of the service, and
defining whether the service starts automatically.
• Read: Enables users to view the permissions, status of a service, as well as
the dependencies associated with a service.
• Start, Stop, And Pause: Enables users to start, stop and pause the service.
• Write enables users to define whether the service can be started manually or
automatically, and whether it can be disabled.
• Delete enables users to delete the service
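Inspecting a service's DACL from the command line, as an added example that is not part of the original page. It reads the security descriptor with sc.exe sdshow, decodes each ACE's access mask into the service rights (the Start, Stop and Pause permission above is RP, WP and DT in SDDL; Write is DC, change configuration), and flags entries that let Everyone, Authenticated Users, Users or INTERACTIVE reconfigure, stop, start or delete the service. A service that ordinary users can reconfigure is a direct route from a normal logon to LocalSystem, so the sweep over all services is the check a penetration tester runs first. Needs Windows PowerShell 2.0, where sc is an alias for Set-Content, hence sc.exe; the service name is an assumption.

```powershell
# Added example (not from the original page). Reads a service's security
# descriptor with sc.exe sdshow, decodes every ACE's access mask into service
# rights, and flags entries that let Everyone, Authenticated Users, Users or
# INTERACTIVE reconfigure, stop, start or delete the service. $serviceName is an
# assumption. Needs PowerShell 2.0.
$serviceName = 'Spooler'

# Service-specific access rights (winsvc.h) and the SDDL letters sc.exe uses for them
$serviceRights = @{
    0x0001 = 'QueryConfig(CC)'; 0x0002 = 'ChangeConfig(DC)';  0x0004 = 'QueryStatus(LC)'
    0x0008 = 'EnumDependents(SW)'; 0x0010 = 'Start(RP)';      0x0020 = 'Stop(WP)'
    0x0040 = 'PauseContinue(DT)'; 0x0080 = 'Interrogate(LO)'; 0x0100 = 'UserControl(CR)'
    0x10000 = 'Delete(SD)'; 0x20000 = 'ReadControl(RC)'; 0x40000 = 'WriteDac(WD)'; 0x80000 = 'WriteOwner(WO)'
}
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, Users, INTERACTIVE
$dangerous   = 'ChangeConfig(DC)', 'Stop(WP)', 'Start(RP)', 'Delete(SD)', 'WriteDac(WD)', 'WriteOwner(WO)', 'GenericAll(GA)'

function Get-ServiceSddl($name) {
    $out = sc.exe sdshow $name
    $line = @($out | Where-Object { $_ -match '^\s*D:' })
    if ($line.Count -eq 0) { throw "sc sdshow $name returned no SDDL: $out" }
    $line[0].Trim()
}

function Decode-ServiceDacl($sddl) {
    # CommonSecurityDescriptor parses SDDL; each CommonAce carries a SID, an ACE type and the raw mask
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @()
        foreach ($bit in ($serviceRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $rights += $serviceRights[$bit] }
        }
        if ($ace.AccessMask -band 0x10000000) { $rights += 'GenericAll(GA)' }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        New-Object PSObject -Property @{
            Type = $ace.AceType.ToString(); Principal = $who; Sid = $ace.SecurityIdentifier.Value
            Mask = ('0x{0:X}' -f $ace.AccessMask); Rights = $rights
        }
    }
}

function Test-WeakServiceDacl($name) {
    # Returns a line per dangerous Allow ACE granted to a low-privilege principal
    foreach ($e in Decode-ServiceDacl (Get-ServiceSddl $name)) {
        if ($e.Type -ne 'AccessAllowed' -or -not ($lowPrivSids -contains $e.Sid)) { continue }
        $hits = @($e.Rights | Where-Object { $dangerous -contains $_ })
        if ($hits.Count -gt 0) { "$name : $($e.Principal) may $([string]::Join(', ', $hits))" }
    }
}

# Full decode of one service, then a sweep over all of them
Decode-ServiceDacl (Get-ServiceSddl $serviceName) | Format-Table Type, Principal, Mask, Rights -AutoSize
foreach ($s in Get-Service) {
    try { Test-WeakServiceDacl $s.Name } catch { "$($s.Name) : $($_.Exception.Message)" }
}
# Fix a finding by writing back a corrected descriptor: sc.exe sdset <service> "<SDDL without the bad ACE>"
```

The default descriptor of most services gives INTERACTIVE and SERVICE only query rights (CC, LC, SW, LO, CR, RC); any sweep output therefore points at a service that was installed or reconfigured with a looser DACL.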
Registry permissions
Access to registry keys and values are typically restricted because recklessly changing these keys
or values can have catastrophic consequences. The standard permissions that can be applied to
registry keys and values are summarized below:
• Full Control enables users to perform numerous actions on a registry key and
value. This includes creating and deleting registry subkeys and values
• Read: Enables users to view registry subkeys and values.
• A few special permissions can also be assigned to a user or group.
Printer permissions
The standard permissions that can be applied to printers are summarized below:
• Print: Members of the Everyone group are by default assigned the Print
permission. This permission enables users to connect to a printer, and
transmit documents for printing.
• Manage Printers: This permission enables users to control the activities of the
printer including pausing/restarting the printer, setting Print permissions,
changing printer properties, and sharing the printer.
• Manage Documents allow users to pause, restart, cancel, resume, and
rearrange the order by which documents were submitted to the printer.
• A few special permissions can be assigned for users and groups.
The Different Types of Security Groups
User accounts are members of security groups. The groups which are utilized to manage access
are defined by the scope, rights and role of the group. You normally define groups to control user
accounts, computer accounts and other group accounts. The scope of a security group can be a
computer, a domain, or even multiple domains in a forest. Windows 2000, Windows XP
Professional, and Windows Server 2003 groups are part of one of the following types of groups:
• Computer local groups: These groups are utilized to control permissions to
resources that exist on the local computer. You can use the Local Users and
Groups snap-in to the Microsoft Management Console (MMC) to change
membership to Computer local groups.
• Global groups. These groups reside in Active Directory and are created on
domain controllers. Global groups are utilized to group and manage users
that share the same job function, who require similar network access. Global
groups can be members of different global groups, domain local groups, and
universal groups.
• Domain local groups too reside in Active Directory. These groups are used to
assign permissions to resources which reside in the same domain as the
particular domain local group.
• Universal groups: These groups reside in Active Directory and are only
utilized in multiple domain trees or forests that have a global catalog.
Universal groups are typically utilized to nest global groups with the purpose
of assigning permissions to associated resources in multiple domains.
• Built-in security principals/special identities: The built-in security principals do
not contain members like the previously discussed groups, but apply to an
account which utilizes the computer in a particular manner. You can use built-
in security principals to specify security according to the manner in which a
resource is being accessed.
The following tools and utilities can be used to manage security groups and access control:
• Active Directory Users and Computers (ADUC): You can use ADUC to manage users and groups in Active Directory.
• Local Users and Groups MMC snap-in: Use Local Users and Groups to create and modify users and groups in the local SAM database.
• Dsadd and Dsmod: The Dsadd command line tool creates users, groups and other objects in Active Directory (dsadd group); Dsmod changes existing objects, including group membership (dsmod group -addmbr and -rmmbr). Dsget and Dsquery display and search for them.
• Getsid: The Getsid Resource Kit tool compares the SIDs of two user accounts.
• Ifmember: This Resource Kit tool tests whether the current user is a member of given groups, which is useful in logon scripts.
• Whoami: This command line tool displays the contents of the current access token: user SID, group SIDs (whoami /groups) and privileges (whoami /priv); whoami /all shows everything.
Built-in Groups
When you create an Active Directory domain, a few built-in groups are automatically created
which can be utilized to manage access to shared resources and to delegate particular domain
wide administrative roles. When the built-in groups are created, they are typically also
automatically assigned with specific user rights. These user rights in turn determine which
activities a group and its associated members can perform in the domain or forest. A few built-in
groups are summarized below:
• Account Operators: Members of the Account Operators group have the Allow log on locally and Shut down the system user rights. Members of this group can create, modify and delete accounts for users, groups and computers residing in the organizational units (OUs), the Users container and the Computers container of the domain. They cannot modify the Administrators or Domain Admins groups, nor the accounts of their members, but the group is still highly privileged and should normally be empty.
• Administrators: Members of the Administrators group have most of the available user rights and full control over the server. Its members can assign user rights and access control permissions to other users.
• Backup Operators: The Backup Operators group has no default members. Any member added to the group receives the Allow log on locally, Back up files and directories, Restore files and directories and Shut down the system user rights by default. Because Back up files and directories bypasses file permissions for reading and Restore files and directories bypasses them for writing, a member of Backup Operators should be treated as administrator-equivalent.
• Network Configuration Operators: Members of this group can modify the
Transmission Control Protocol/Internet Protocol (TCP/IP) settings. They
typically manage the network configuration settings of servers and
workstations within the domain.
• Incoming Forest Trust Builders: Members added to this group can create
incoming forest trusts (one way) to the forest root domain.
• Print Operators: Members of the Print Operators group can manage Active
Directory printer objects in the domain, and can create, share and delete
printers that are connected to domain controllers. Group members have the
Allow logon locally and Shut down the system default user rights.
• Server Operators: This group's members have the Allow logon locally, Back
up files and directories, Change the system time, Force shutdown from a
remote system, Restore files and directories, and Shut down the system
default user rights.
• Remote Desktop Users: Members can remotely log on to domain controllers.
• Terminal Server License Servers: Members of the Terminal Server License
Servers group have permission to access the Terminal Server License
servers.
• Performance Log Users: Members added to the Performance Log Users can
manage performance counters, logs and alerts on domain controllers.
• Performance Monitor Users: This group's members can monitor performance
counters on domain controllers.
• Users: Members of the Users group can run applications, and use network
printers.

How to view ACLs
1. Right-click the particular object (file, folder), and choose Properties from the
shortcut menu.
2. When the Properties dialog box of the object opens, click the Security tab.
3. The Group or user names box holds the users/groups that have permissions
assigned for the particular object. Use the Add button and Remove button to
modify this list.
4. When you select a particular user or group, the Permissions for box indicates
the permissions allowed or denied for the user/group that you have selected.
You can use the Allow and Deny checkboxes to specify permissions.
5. You can click the Advanced button to view or set advanced permissions on
the Advanced Security Settings dialog box. This includes:
○ Viewing and changing special permissions for a user/group, and
effective permissions
○ Viewing and changing access inheritance settings for the object and
any associated child objects
○ Viewing and changing ownership for the object and any associated
child objects
○ Viewing auditing information on access to the object

How to create a new security group using Active Directory Users And Computers
1. Open Active Directory Users And Computers
2. In the console tree, right-click the Users container, and select New and then
Group from the shortcut menu.
3. When the New Object – Group dialog box appears, enter the name of the
group in the Group Name field.
4. Click OK

How to set the Administrators group as the owner of objects
1. Open Control Panel, click Performance and Maintenance, and then click
Administrative Tools.
2. Proceed to double-click Local Security Policy.
3. Next, double-click Local Policies beneath Security Settings.
4. Click Security Options
5. Open the System objects: Default owner for objects created by members of
the administrators group policy
6. Choose Administrators group from the list
7. Click OK

How to view or modify special permissions for files and folders
1. Use Windows Explorer to find the file or folder that you want to view or
configure special permissions for.
2. Right-click the file or folder, and choose Properties from the shortcut menu
3. Click the Advanced button
4. If you want to view or change special permissions for an existing user/group,
simply select the user/group, and click either View or Edit.
5. If you want to remove a user/group and all its associated special permissions,
simply select the user/group, and click Remove.
6. If you want to specify special permissions for a newly created user/group,
click Add, and enter the name of the user/group.
How to stop child folders and files from inheriting permission changes performed on parent folders
1. Use Windows Explorer to find the folder you want to configure settings for.
2. Right-click the particular object (folder), and choose Properties from the
shortcut menu.
3. When the Properties dialog box of the object opens, click the Security tab,
and click the Advanced button.
4. When the Advanced Security Settings dialog box appears, click the
Permissions tab
5. Uncheck the Inherit from parent the permission entries that apply to child
objects. Include these with entries explicitly defined here checkbox
6. Click OK
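The Security tab procedures above show where the Allow and Deny entries and the inheritance checkbox live. The following Python model, added here and not part of the original article, shows how Windows combines those entries into an access decision and why the Copy or Remove prompt matters when inheritance is cleared. The rights bits, group names and the sample ACL are constructed; the evaluation order (explicit deny, explicit allow, inherited deny, inherited allow) and the deny-before-allow rule follow Windows behaviour.

```python
"""Model of how Windows evaluates a DACL and what breaking inheritance does.

Added example; not code from the original article. The rights bits, trustee
names and the sample ACL are constructed; the evaluation rules (canonical ACE
order, deny-before-allow, copy-or-remove when inheritance is cleared) follow
the Windows access-check behaviour described in the text.
"""
from dataclasses import dataclass

# Constructed rights bits; real ACCESS_MASK values differ but combine the same way.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group shown in "Group or user names"
    rights: int          # bitmask of the rights above
    inherited: bool = False


def canonical_order(acl):
    """Windows evaluates explicit deny, explicit allow, inherited deny, inherited
    allow, in that order; the Security tab writes ACLs back in this order."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(acl, key=lambda a: rank[(a.inherited, a.kind)])


def access_check(acl, token_groups, requested):
    """Return True if every requested right is granted to this token.

    token_groups: the user name plus every group in the access token.
    Walk the ACEs in canonical order: a deny that overlaps a right still
    outstanding fails the check; an allow removes rights from the outstanding
    set; the walk stops as soon as nothing is outstanding. An ACL that grants
    nothing (or an empty one) denies access.
    """
    remaining = requested
    for ace in canonical_order(acl):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
        if remaining == 0:
            return True
    return remaining == 0


def break_inheritance(acl, copy):
    """Model clearing the 'Inherit from parent...' checkbox. Windows then asks
    whether to Copy the inherited entries (they become explicit) or Remove them."""
    explicit = [a for a in acl if not a.inherited]
    if copy:
        explicit += [Ace(a.kind, a.trustee, a.rights, inherited=False)
                     for a in acl if a.inherited]
    return explicit


# Constructed ACL on a child folder: two entries inherited from the parent and
# one explicit Allow added on the child itself.
SAMPLE_ACL = [
    Ace("allow", "Users", READ | EXECUTE, inherited=True),
    Ace("deny", "Contractors", WRITE, inherited=True),
    Ace("allow", "Contractors", WRITE),            # explicit, set on the child
]
ALICE = ["alice", "Contractors", "Users"]          # constructed token
BOB = ["bob", "Users"]

if __name__ == "__main__":
    # Explicit Allow on the child beats the Deny inherited from the parent.
    print("alice WRITE, inherited ACL:", access_check(SAMPLE_ACL, ALICE, WRITE))
    # Copying inherited entries turns that Deny into an explicit Deny, which
    # now precedes the Allow and flips the result.
    copied = break_inheritance(SAMPLE_ACL, copy=True)
    print("alice WRITE after Copy:", access_check(copied, ALICE, WRITE))
    # Removing them leaves only the explicit Allow WRITE: alice loses READ.
    removed = break_inheritance(SAMPLE_ACL, copy=False)
    print("alice READ after Remove:", access_check(removed, ALICE, READ))
```

Run it to see that an explicit Allow on the child overrides a Deny inherited from the parent, that choosing Copy turns the inherited Deny into an explicit one that then wins, and that choosing Remove leaves only the child's own entries, so rights that came from the parent disappear.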

How to set permission for files and folders through Group Policy
1. Open Active Directory Users and Computers
2. Right-click the root of the domain, and select Properties from the shortcut
menu.
3. Click the Group Policy tab
4. Choose the Default Domain Policy, and then click Edit
5. Proceed to expand Computer Configuration, Windows Settings, and then File
System.
6. Right-click File System and then choose Add from the shortcut menu
7. Locate the file/folder which you want to configure permissions for, and click
OK
8. You can now set permissions for the file/folder.

How to set security on accounts using Group Policy
1. Open Active Directory Users and Computers
2. Right-click the root of the domain, and select Properties from the shortcut
menu.
3. Click the Group Policy tab
4. Choose the Default Domain Policy, and then click Edit
5. Proceed to expand Computer Configuration, Windows Settings, and then
Account Policies
6. You can now specify settings for the following policies:
○ Password policy
○ Account Lockout policy
○ Kerberos policy
How to view registry access permissions
Any changes made to the registry keys and values are effective immediately.
1. Click Start, click Run, and enter regedt32 in the Run dialog box. Click OK
2. The Registry Editor now opens.
3. The left pane shows the nodes in the Registry tree, and the right pane details
the nodes or keys included in a particular node when you select it from the
left pane.
4. The My Computer node contains the following nodes:
○ HKEY_CLASSES_ROOT
○ HKEY_CURRENT_USER
○ HKEY_LOCAL_MACHINE
○ HKEY_USERS
○ HKEY_CURRENT_CONFIG
5. The HKEY_CURRENT_USER node includes the Control Panel, Printers, and
software keys, as well as other keys.
6. To change permissions for the node, right-click it, and then choose
Permissions from the shortcut menu.
7. When the Permissions dialog box for the particular node appears, set the
appropriate permissions.
8. Click the Advanced button to specify advanced settings.

How to set Registry access permissions using Group Policy
1. Click Start, click Run, and enter mmc in the Run dialog box. Click OK
2. When the Microsoft MMC opens, click File, and Add/Remove Snap-in
3. When the Add/Remove Snap-in dialog box opens, click Add to find the Group
Policy Object Editor
4. Click Add to start the Select Group Policy Object Wizard
5. Because the default Group Policy Object (GPO) specified is Local Computer,
click Browse to locate the Default Domain Policy. Click OK
6. Close the wizard and all open dialog boxes.
7. In the left tree, expand Default Domain Policy, Computer Configuration,
Windows Settings, and Security Settings.
8. Locate and select the Registry node to expand the tree of this node. You can
change any existing policies from here, and add new keys.

How to audit access control
You can enable audit policies to monitor and track authorized access and unauthorized access to
resources. Because auditing typically affects performance, you should carefully plan which
resources you want to audit access for. The following audit policies can be enabled:
• Audit account logon events: When enabled, an event is logged when a user
attempts to log on. You can specify whether to track success logon events,
failed logon events, or both of these events.
• Audit Account management: When enabled, an event is logged when an
account is managed. This includes activities such as deleting accounts, and
changing passwords.
• Audit directory service access: When enabled, access to Active Directory objects
that have a system access control list (SACL) specified is tracked.
• Audit logon events: When enabled, logon events that occur over the network
such as accessing resources on file and print servers are tracked.
• Audit object access: When enabled, users accessing objects such as files,
folders, shared folders, Registry keys, and printers are tracked.
• Audit policy change: When enabled, changes to Audit policies, Kerberos
policies and User Rights Assignment policies are tracked.
• Audit privilege use: When enabled, a user is audited when he/she utilizes
special privileges.
• Audit process tracking: When enabled, the activities of a process initiated by
a user are tracked.
• Audit system events: When enabled, certain system events such as restarting
a computer are tracked.

How to enable auditing for a file or folder
1. Use Windows Explorer to find the file or folder that you want to view or
configure auditing for.
2. Right-click the particular object (file, folder), and choose Properties from the
shortcut menu.
3. When the Properties dialog box of the object opens, click the Security tab,
and click the Advanced button.
4. When the Advanced Security Settings dialog box appears, click the Auditing
tab.
5. Click Add and choose the users/groups that you want to audit.
6. You next have to indicate whether you want to audit success, failure, or both
of these.
7. Click OK

How to enable auditing via Group Policy
1. Open Active Directory Users and Computers
2. Right-click the root of the domain, and select Properties from the shortcut
menu.
3. Click the Group Policy tab, choose the Default Domain Policy, and then click
Edit
4. Proceed to expand Computer Configuration, Windows Settings, Security
Settings, Local Policies, and Audit Policy.
5. Proceed to enable the appropriate audit policies, and specify whether you
want to audit success, failure, or both of these.

Implementing Account and Security Policies
Understanding Security Policy Types
With Windows Server 2003, you can implement and manage security settings at the following
levels:
• Local computer (local security policies)
• Active Directory site, domain, or organizational unit (domain security policies)
Local security policies are managed through Local Computer Group Policy Objects (GPOs), and
domain security policies are managed through Group Policy with the Active Directory Domain
Controller GPOs. Where both apply, domain security policies override local security policies.
In Windows Server 2003 Active Directory environments, group policies include configuration
settings for the following:
• Software policies
• Scripts
• Security policies
• Application and file deployment policies
What are Group Policy and GPOs?
Group Policy settings are stored in a Group Policy Object (GPO). Group Policy is an Active
Directory feature that provides the means for you to effectively and efficiently manage large
numbers of computers. You can manage both user and computer configuration settings centrally.
You can define group policies that affect a computer, irrespective of the particular user logging
on to the computer. For instance, you can, through a policy, configure the proxy server settings
for a computer. You can define group policies that affect a user, irrespective of the computer
which the user utilizes to log on to the system. For instance, you can use group policies to
specify the applications or programs which are available to the user, and the programs which
should exist on the user's desktop.
You can define group policies as being a collection of user and computer configuration settings
which you can link to computers, sites, domains and organizational units (OUs). Once linked,
Group Policy defines the manner in which the operating system, network resources, and
applications and programs operate for users within the organization.
A group policy object (GPO) is an Active Directory object which contains one or more Group
Policy settings which affect the configuration settings for users or computers. A GPO acts as a
container for the settings configured in Group Policy files. The Active Directory components that
can be linked to a GPO are computers, sites, domains, and organizational units (OUs). Linking a
GPO to a site, domain, or OU applies the GPO settings to every user or computer object within
that particular container.
An important Group Policy concept is that Group Policy settings are hierarchical. What this
means is that GPOs can be linked and applied at different levels, as illustrated below:
• Sites: You can define GPOs and link them to an entire site in Active Directory.
The GPOs then apply to each domain and server that belongs to the particular
site. If the site contains multiple domains, the GPOs are applied to all the
domains within the site.
• Domains: When you define GPOs and link them to a particular domain in Active
Directory, they are applied to all Computer objects and User objects that
belong to, or are stored within, that particular domain.
• Organizational Units (OUs): As with the other two levels at which you can link
and apply GPOs, you can define and link GPOs to a specific OU in Active
Directory. The GPOs are then applied to all Active Directory objects stored
within the particular OU.
All computers and users located beneath the container that the GPO is linked to are
automatically within the scope of the particular GPO. They are therefore affected by every
Group Policy setting specified in the GPO.
Because multiple GPOs can be linked to sites, domains, and OUs, they are applied to either the
user or to the computer in a particular sequence or order. This concept is illustrated below:
1. Local GPO: A computer running Windows Server 2003 has a local GPO. The
local GPO is applied first and therefore has the least precedence when group
policies are applied. They are always overridden by Active Directory based
GPOs. Active Directory based GPOs are also referred to as nonlocal GPOs.
2. Site GPOs: A GPO linked to a site in Active Directory is applied after the local
GPO is applied. Because multiple GPOs can be linked to a particular site, the
site GPOs are applied in the order as specified by the Administrator.
3. Domain GPOs: Domain GPOs are applied next, and therefore have higher
precedence than site GPOs and the local GPO. Again, when multiple GPOs are
linked to a particular domain, they are applied in the order as defined by the
Administrator.
4. OU GPOs: OU GPOs have the highest precedence. Group Policy application
starts at the top of the tree, and then moves down to the OU containing the
user object or computer object.
Group Policy settings are usually passed from a parent OU to a child OU. This is known as
Group Policy inheritance. When Group Policy settings are specified for a parent OU, the Group
Policy settings are applied to each child OU associated with the particular parent OU. If the same
Group Policy setting is specified for a parent OU and a child OU, the setting of the child OU
overrides the setting of the parent OU. You can however override Group Policy inheritance to
prevent a child OU from receiving the Group Policy settings of its parent OU.
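The processing order and inheritance rules above can be worked through in code. This Python function, an added example and not the article's own material, applies a local GPO and then site, domain and OU links in that order, honours the link order within a container, and models blocking inheritance at an OU. The GPO names, containers and settings are constructed, and the Enforced (No Override) link option is not modelled.

```python
"""Resultant policy for one computer after Local, Site, Domain and OU GPOs.

Added example; not code from the original article. GPO names, containers and
settings are constructed. 'blocked' models the Block Policy Inheritance option
on a domain or OU; the Enforced (No Override) link option is not modelled.
"""


def resultant_policy(local_settings, linked_gpos, path, blocked=frozenset()):
    """Return (effective_settings, order_applied).

    local_settings: settings in the computer's own local GPO (applied first).
    linked_gpos:    dicts with name, level, container, link_order, settings.
                    Within one container, link order 1 is processed last and
                    therefore wins, as in the Group Policy tab list.
    path:           (level, container) pairs from the site down to the OU
                    that holds the computer object.
    blocked:        containers that block inheritance from above; GPOs linked
                    to containers higher in the path are then skipped.
    Later writes overwrite earlier ones, so the last GPO to set a value wins.
    """
    effective = dict(local_settings)
    applied = ["Local"]
    start = 0
    for i, (_, container) in enumerate(path):
        if container in blocked:
            start = i            # the blocking container's own links still apply
    for level, container in path[start:]:
        links = [g for g in linked_gpos
                 if g["level"] == level and g["container"] == container]
        for gpo in sorted(links, key=lambda g: g["link_order"], reverse=True):
            effective.update(gpo["settings"])
            applied.append(gpo["name"])
    return effective, applied


# Constructed example data.
LOCAL = {"ScreenSaverTimeout": 0, "AuditLogon": "None"}
GPOS = [
    {"name": "HQ-Proxy", "level": "site", "container": "HQ", "link_order": 1,
     "settings": {"ProxyServer": "proxy.hq.example:8080"}},
    {"name": "Default Domain Policy", "level": "domain",
     "container": "corp.example", "link_order": 1,
     "settings": {"AuditLogon": "Success,Failure", "MinimumPasswordLength": 8}},
    {"name": "Servers-Baseline", "level": "ou", "container": "Servers",
     "link_order": 2,
     "settings": {"ScreenSaverTimeout": 900, "AuditLogon": "Failure"}},
    {"name": "Servers-Hardening", "level": "ou", "container": "Servers",
     "link_order": 1, "settings": {"ScreenSaverTimeout": 600}},
    {"name": "Web-Tier", "level": "ou", "container": "Web", "link_order": 1,
     "settings": {"AuditObjectAccess": "Failure"}},
]
PATH = [("site", "HQ"), ("domain", "corp.example"),
        ("ou", "Servers"), ("ou", "Web")]

if __name__ == "__main__":
    eff, order = resultant_policy(LOCAL, GPOS, PATH)
    print(order)   # Local, site, domain, then both Servers GPOs (link order 1 last), then Web
    print(eff)
    eff, order = resultant_policy(LOCAL, GPOS, PATH, blocked={"Web"})
    print(order)   # Local, Web-Tier: everything above the blocking OU is skipped
```

The second run shows the caveat from the inheritance paragraph: blocking at the Web OU discards the site proxy setting and the domain audit policy for that computer, which is why blocking is usually paired with an Enforced link on the domain policies that must always apply.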
To configure and manage policy settings in GPOs, and link GPOs to computers, sites, domains
and organizational units (OUs), Windows Server 2003 provides the following set of management
tools:
• The Active Directory Users And Computers (ADUC) console
• The Group Policy Management console
• The Group Policy Object Editor
• The Resultant Set Of Policy snap-in
The Windows Settings node in the Computer Configuration node and in the User Configuration
node contains the following nodes:
• Scripts extension: You can define the following types of scripts:
○ In Computer Configuration: Startup and shutdown scripts execute
when the computer starts, or shuts down.
○ In User Configuration: Logon and logoff scripts execute when the user
logs on or logs off the particular computer.
○ When more than one script exists for a user or computer, logoff scripts
are processed before shutdown scripts.
• Security Settings node: You can define the security levels assigned to a local
GPO or nonlocal GPO. The security policies that can be configured are:
○ Account policies
○ Local policies
○ Public key policies
○ Software Restriction Policies
○ IP Security Policies

Understanding and Configuring Account Policies
Account policies contain the following security configuration settings:
• Password policy
• Account lockout policy
• Kerberos Policy
Through account policies, you can configure security settings for passwords, account lockout
options, and Kerberos authentication.
Account policies can be accessed by expanding Local Computer Policy, Computer
Configuration, Windows Settings, Security Settings, then expanding Account Policies.
If you are logged on to a Windows Server 2003 member server, the following nodes are
displayed within the Account Policies node:
• Password policy
• Account lockout policy
If you are logged on to a Windows Server 2003 domain controller, the following nodes are
displayed within the Account Policies node:
• Password policy
• Account lockout policy
• Kerberos Policy
Password Policies
Passwords are probably the component that presents the most vulnerability in an authentication
implementation. Passwords that are weak can easily be identified, even when password
encryption is used. Password policies dictate the characteristics of passwords which are allowed
for user accounts and ensure that they are enforced on the computer. Password policies are
configured on a computer, and not for individual user accounts.
You can implement a strong password policy by using the following security policy settings
located in the Password Policy node within Account Policies:
• Enforce password history: Prevents users from reusing previously used
passwords. You can specify the number of previous passwords which are
remembered so that users cannot reuse the same password.
• Minimum password age: Determines the length of time that a user has to
keep a password before he/she can modify the password. It specifies how
long a user has to wait before being allowed to change a newly specified
password.
• Maximum password age: Determines the duration after which a user is forced
to change a password. Users have to change their passwords when the
maximum password age is reached.
• Minimum password length: Specifies the minimum length that a password
can have. When a user attempts to use a password that has fewer characters
than the minimum password length, the password is rejected.
• Passwords Must Meet Complexity Requirements: Used to control which
format a user utilizes when defining passwords. When enabled, passwords
specified by users should include characters from three of the following
groups:
○ Uppercase characters: Letters A through to Z
○ Lowercase characters: Letters a through to z
○ Non-alphabetic characters such as: $, #, %
○ Numeric digits such as 0 through to 9
• Store Password Using Reversible Encryption For All Users In The Domain: User
passwords are stored using reversible encryption. To use the Challenge
Handshake Authentication Protocol (CHAP) authentication method, you have
to use Group Policy to enable the Store Passwords Using Reversible
Encryption password policy and then reset all users' passwords so that they
are stored in a form CHAP can interpret.
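As an added example (not from the original article), the following Python code enforces the password settings just listed against a proposed password change: history, minimum and maximum age, minimum length, and the three-of-four character-group complexity rule. The policy values, account record and candidate passwords are constructed; history is kept in plaintext only to keep the model readable, where a real system stores hashes. The Windows complexity rule also rejects passwords that contain the account name, which this model leaves out.

```python
"""Enforce the Password Policy settings above against a password change.

Added example; not code from the original article. The policy values,
account record and candidate passwords are constructed. Real systems keep
password history as hashes; plaintext is used here only to keep the model
readable. The Windows complexity rule additionally rejects passwords that
contain the account name, which this model leaves out.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import string


@dataclass
class PasswordPolicy:
    enforce_history: int = 24                    # previous passwords remembered
    minimum_age: timedelta = timedelta(days=1)   # wait before the next change
    maximum_age: timedelta = timedelta(days=42)  # forced change after this
    minimum_length: int = 8
    complexity: bool = True


@dataclass
class Account:
    name: str
    history: list        # most recent password first (constructed, plaintext)
    last_set: datetime


def meets_complexity(password):
    """Three of the four character groups named in the text must be present."""
    groups = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    )
    return sum(groups) >= 3


def evaluate_change(policy, account, new_password, now):
    """Return the list of policy violations; an empty list means the change is accepted."""
    problems = []
    if now - account.last_set < policy.minimum_age:
        problems.append("minimum password age not reached")
    if len(new_password) < policy.minimum_length:
        problems.append("shorter than minimum password length")
    if policy.complexity and not meets_complexity(new_password):
        problems.append("does not meet complexity requirements")
    if new_password in account.history[:policy.enforce_history]:
        problems.append("reuses a password in the enforced history")
    return problems


def password_expired(policy, account, now):
    """Maximum password age reached: the user must change the password."""
    return now - account.last_set >= policy.maximum_age


# Constructed scenario.
NOW = datetime(2024, 3, 1, 9, 0)
POLICY = PasswordPolicy()
JDOE = Account("jdoe", ["Winter2023!", "Autumn2023!"], NOW - timedelta(days=40))
JUST_CHANGED = Account("jdoe", ["Spring2024!"], NOW - timedelta(hours=2))


def run_checks():
    """Outcomes for a handful of candidate passwords, keyed by case."""
    return {
        "good": evaluate_change(POLICY, JDOE, "Spring2024!", NOW),
        "two_groups_only": evaluate_change(POLICY, JDOE, "spring2024", NOW),
        "too_short": evaluate_change(POLICY, JDOE, "Ab1!", NOW),
        "reused": evaluate_change(POLICY, JDOE, "Winter2023!", NOW),
        "too_soon": evaluate_change(POLICY, JUST_CHANGED, "Summer2024!", NOW),
        "expired_now": password_expired(POLICY, JDOE, NOW),
        "expired_in_3_days": password_expired(POLICY, JDOE, NOW + timedelta(days=3)),
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case}: {result}")
```

The minimum age check is the one administrators most often forget: without it a user can cycle through the whole history in a few minutes and land back on the old password, which is why the text lists it alongside Enforce password history.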

How to configure password policy on a computer
1. Click Start, click Run, enter mmc in the Run dialog box, and click OK
2. A blank MMC console is opened
3. Click Add/Remove Snap-In from the File menu. Click Add
4. When the Add Standalone Snap-In dialog box is displayed, choose Group
Policy. Click Add
5. The Select Group Policy Object dialog box is displayed next. This is where you
point the Group Policy snap-in at either the local computer or at a remote
computer
6. The Allow The Focus Of The Group Policy Snap-In To Be Changed When
Launching From The Command Line check box is where you set whether the
option should be given when you launch the MMC to select the computer on
which to use Group Policy.
7. Click Finish to have the Group Policy pointed at the local computer.
8. Click Close to exit the Add Standalone Snap-In dialog box
9. Click OK in the Add/Remove Snap-In dialog box, and save the console with
Local Group Policy
10. Proceed to expand Local Computer Policy and beneath Computer
Configuration expand Windows Settings, expand Security Settings, then
expand Account Policies and click Password Policy.
11. You can configure the following settings in the details pane: Enforce Password
History, Maximum Password Age, Minimum Password Age, Minimum
Password Length, Passwords Must Meet Complexity Requirements, Store
Password Using Reversible Encryption For All Users In The Domain.

How to configure a domain password policy
1. Open the Active Directory Users and Computers console under the
Administrative Tools Menu.
2. In the console tree, locate and right-click the domain for which you want to
implement a password policy, and then select Properties from the shortcut
menu.
3. When the Properties dialog box for the domain opens, select the Group Policy
tab.
4. From Group Policy tab, you can create a new password policy for the domain,
or you can change the default domain policy.
5. To create a new policy, click New; or alternatively click Edit to change the
default policy.
6. Click Edit to change the default policy.
7. Click Computer Configuration, expand Windows Settings, Security Settings,
Account Policies, and then expand Password Policy.
8. Right-click the password policy that you want to implement and then select
Properties from the shortcut menu. You can configure the following password
policies from here: Enforce password history, Maximum password age, Minimum
password age, Minimum password length, Password must meet complexity
requirements, Store passwords using reversible encryption.
Account Lockout Policies
Account lockout policies should be implemented if your networking environment is particularly
vulnerable to attempts to guess passwords. Implementing an account lockout policy ensures that
a user's account is locked after an individual has unsuccessfully tried several times to provide
the correct password.
The important factor to remember when defining an account lockout policy is that you should
implement a policy that permits some degree of user error, but that also prevents unauthorized
usage of your user accounts.
The following account lockout settings are located in the Account Lockout Policy area of the
Account Policies node:
• Account lockout threshold: The number of failed logon attempts after which the
account is locked out.
• Account lockout duration: How long a locked account remains locked. A setting of
0 means that an administrator has to manually unlock the locked account.
• Reset account lockout counter after: How long after the last failed logon attempt
the counter of failed attempts is reset to zero.
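The three settings interact in ways that are easier to see in a simulation. The following Python tracker, an added example rather than the article's own material, applies a threshold, a lockout duration (with 0 meaning an administrator must unlock) and a counter reset window to a constructed timeline of logon attempts. It also shows that a correct password presented while the account is locked is refused.

```python
"""Simulate the three Account Lockout Policy settings over logon attempts.

Added example; not code from the original article. The policy values and the
timeline of attempts are constructed. A correct password presented while the
account is locked is still refused, as it is in Windows.
"""
from datetime import datetime, timedelta


class LockoutTracker:
    def __init__(self, threshold, duration_minutes, reset_after_minutes):
        self.threshold = threshold                                # 0: never lock out
        self.duration = timedelta(minutes=duration_minutes)       # 0: admin unlocks
        self.reset_after = timedelta(minutes=reset_after_minutes)
        self.bad_count = 0
        self.last_bad = None
        self.locked_at = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.duration == timedelta(0):
            return True        # duration 0: locked until admin_unlock()
        if now - self.locked_at >= self.duration:
            self.locked_at = None      # duration elapsed: unlock automatically
            self.bad_count = 0
            return False
        return True

    def attempt(self, now, password_ok):
        """Return 'ok', 'bad_password' or 'locked' for one logon attempt."""
        if self.is_locked(now):
            return "locked"
        # Reset account lockout counter after: a quiet period clears the count.
        if self.last_bad is not None and now - self.last_bad >= self.reset_after:
            self.bad_count = 0
        if password_ok:
            self.bad_count = 0
            return "ok"
        self.bad_count += 1
        self.last_bad = now
        # Account lockout threshold: this many failures locks the account.
        if self.threshold and self.bad_count >= self.threshold:
            self.locked_at = now
            return "locked"
        return "bad_password"

    def admin_unlock(self):
        self.locked_at = None
        self.bad_count = 0


BASE = datetime(2024, 1, 15, 9, 0)    # constructed start of the timeline


def _run(tracker, attempts):
    """attempts: (minutes after BASE, password_ok) pairs."""
    return [tracker.attempt(BASE + timedelta(minutes=m), ok) for m, ok in attempts]


def scenario_counter_reset():
    """Three failures, a 35-minute pause, one more failure, then success: the
    pause reset the counter, so the account never reaches the threshold."""
    t = LockoutTracker(threshold=5, duration_minutes=30, reset_after_minutes=30)
    return _run(t, [(0, False), (1, False), (2, False), (37, False), (38, True)])


def scenario_auto_unlock():
    """Five rapid failures lock the account; the right password one minute
    later is refused; after the 30-minute duration it is accepted."""
    t = LockoutTracker(threshold=5, duration_minutes=30, reset_after_minutes=30)
    return _run(t, [(0, False), (1, False), (2, False), (3, False), (4, False),
                    (5, True), (34, True)])


def scenario_manual_unlock():
    """Duration 0: the account is still locked a day later, until an
    administrator unlocks it."""
    t = LockoutTracker(threshold=3, duration_minutes=0, reset_after_minutes=30)
    before = _run(t, [(0, False), (1, False), (2, False), (24 * 60, True)])
    t.admin_unlock()
    after = _run(t, [(24 * 60 + 1, True)])
    return before + after


if __name__ == "__main__":
    print(scenario_counter_reset())
    print(scenario_auto_unlock())
    print(scenario_manual_unlock())
```

The first scenario is the "some degree of user error" the text asks for: a user who mistypes a few times and comes back later is not locked out. The second and third show the trade-off in the duration setting: automatic unlock limits help-desk load, while 0 guarantees that someone looks at the account before it can be used again.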

How to configure an account lockout policy for a domain
1. Open the Active Directory Users and Computers console under the
Administrative Tools Menu.
2. In the console tree, locate and right-click the domain that you want to work
with, and then select Properties from the shortcut menu.
3. Select Default Domain Policy, and then click Edit.
4. Click Computer Configuration, expand Windows Settings, Security Settings,
Account Policies, and then expand Account Lockout Policy.
5. Right-click the account lockout policy that you want to implement and then
select Properties from the shortcut menu. You can configure the following
lockout policies from here: Account lockout duration, Account lockout
threshold, Reset account lockout counter after.

How to reset a locked out user account
1. Access the workstation using a Domain Admins account, or the local
Administrator account.
2. Click Start, All Programs, Administrative Tools and then click Computer
Management.
3. This action opens the Computer Management console.
4. In the left console tree, click Computer Management, click System Tools, click
Local Users and Groups, and then click Users.
5. Right-click the user account that you want to reset the password of, and
select Set Password from the shortcut menu.
6. When a message dialog appears, warning that the user could possibly lose
data as a result of the password reset process, click the Proceed button.
7. Set the new password for the user.
8. Click OK.
9. The system next informs you that the password of the local user account was
successfully reset. Click OK.
10. In the Computer Management console, right-click the user account that you
just reset the password for, and then select Properties from the shortcut
menu.
11. Enable the User Must Change Password at Next Logon option.
12.Click OK.

Kerberos Policies
Kerberos authentication does not transmit passwords during the authentication process.
Instead, it uses tickets. Tickets are specially formatted data packets that allow a client to access a
resource. The Kerberos authentication type is dependent on the Key Distribution Center (KDC)
to issue tickets. Each network client makes use of DNS to find the closest available KDC to
obtain a Kerberos ticket. The ticket usually remains active for about 8 or 10 hours. The Key
Distribution Center (KDC) is a service which runs as a component of Active Directory. In fact,
each domain controller in a Windows Server 2003 domain operates as a Key Distribution Center
(KDC). It is the Key Distribution Center (KDC) which manages the database of security account
information for each security principal within a domain. Security principals that form the
foundation of the Active Directory security architecture are user accounts, security groups, and
computer accounts.
Kerberos policies are used to define and configure Kerberos specific settings for domain user
accounts only. The following Kerberos policy settings are located within the Kerberos Policy
area of the Account Policies node:
• Enforce user logon restrictions: When enabled, the Kerberos Key Distribution
Center (KDC) validates each request received for a session ticket against the
user rights policy of the user account sending the request.
• Maximum lifetime for service ticket: Specifies the time (in minutes) that a
user can utilize a Kerberos session ticket to access a specific service.
• Maximum lifetime for user ticket: Specifies the maximum time duration for
which a user is allowed to utilize a ticket granting ticket (TGT) before the user
has to request a new ticket granting ticket. The default setting is 10 hours.
• Maximum lifetime for user ticket renewal: Specifies the amount of time that a
user can renew a ticket granting ticket (TGT). The default value is 7 days.
• Maximum tolerance for computer clock synchronization: Specifies the
maximum time difference which can be present between the server and the
client computer.

Understanding and Configuring Local Policies
Local policies contain the following security policy settings:
• Audit policy
• User Rights Assignment policy
• Security Options policy
Local policies can be accessed by expanding Local Computer Policy, Computer Configuration,
Windows Settings, Security Settings, then expanding Local Policies.
Audit Policies
Auditing of security event categories is disabled by default. To track access to objects, files
and folders, you have to define and configure an audit policy. For each security event category,
you can choose between three values when you enable auditing. These values in turn determine
the condition under which an audit entry is created:
• Successes only: an audit entry is created when a particular event or action
completes successfully.
• Failure only: an audit entry is created when a particular event or action fails.
• Successes and Failures: an entry is created when a particular event or action
completes successfully or fails.
The different audit policy options you can configure are listed here:
• Audit Account logon events: Enabled on domain controllers to track users who
are logging on to the computer.
• Audit Account management: Tracks account management tasks performed
on the computer, including creating, changing, and deleting user objects; and
changing account passwords.
• Audit Directory service access: Tracks when users access Active Directory
objects which have system access control lists (SACLs).
• Audit Logon events: Tracks when the user logs on and logs off.
• Audit Object access: Tracks when a user accesses operating system
components such as files, folders or registry keys.
• Audit Policy change: Tracks when a change is made to the security
configuration settings of the computer, and includes changes made to audit
policies, trust policies and user rights.
• Audit Privilege use: Tracks when a user exercises a user right. The user rights
excluded from auditing because of the volume of log entries which they
generate are Back Up Files And Directories, Bypass Traverse Checking,
Create A Token Object, Debug Programs, Generate Security Audits, Replace
Process Level Token, and Restore Files And Directories.
• Audit Process tracking: Tracks when certain events take place on the
computer, such as when a program starts, or a process ends.
• Audit System events: Tracks system events such as when the computer
restarts, or shuts down; and all other events that impact the security log or
the security of the system.
How to configure an audit policy for the local computer
1. Click Start, Programs, Administrative Tools, and then click Local Security
Policy.
2. Expand the Local Policies in the left pane.
3. Click Audit Policy.
4. The options which you can define audit policy for are listed in the right pane.
5. Proceed to select and double-click the desired option.
6. When the Properties dialog box for the policy which you have selected opens,
enable success audit, failure audit, or both success and failure audits.
7. Click OK.

How to configure an audit policy for a domain controller
1. Click Start, Programs, Administrative Tools, and then click Domain Controller
Security Policy.
2. Expand the appropriate nodes in the left pane to move to Computer
Configuration, Windows Settings, Security Settings, Local Policies, and then
Audit Policy.
3. Click Audit Policy.
4. Proceed to select and double-click the desired option.
5. When the Properties dialog box for the policy which you have selected opens,
enable success audit, or failure audit, or both success and failure audits.
6. Click OK.

User Rights Assignment Policies
It is important not to confuse user rights with permissions. Permissions determine which users
are allowed to access specific objects such as files and folders. User rights determine which
actions a user is allowed to perform.
The user rights assignment policies which you can configure are listed here:
• Access This Computer From The Network; enables a user to access the
computer over the network.
• Act As Part Of The Operating System; enables authentication services to
authenticate as a user.
• Add Workstations To Domain; enables a user to create computer accounts for
the domain.
• Adjust Memory Quotas For A Process; enables a user to change the memory
that a process can utilize.
• Allow Log On Locally; enables a user to interactively log on to a computer
when Ctrl+Alt+Del is pressed.
• Allow Log On Through Terminal Services; enables a user to log on using a
Terminal Services client.
• Back Up Files And Directories; the user is able to back up files and directories.
• Bypass Traverse Checking; enables a user to traverse the directory even
when the user has no permission to list the directory's content.
• Change The System Time; the user is able to modify the time of the
computer.
• Create A Page File; the user is able to create a page file and change the size
of the page file.
• Create A Token Object; enables a process to create a token object.
• Create Permanent Shared Objects; enables a process to create directory
objects using the Windows Server 2003 Object Manager.
• Debug Programs; enables a user to debug programs.
• Deny Access To This Computer From The Network; used to deny users access
to a computer from over the network.
• Deny Logon As A Batch Job; used to prevent users from logging on as a batch
job.
• Deny Logon As A Service; used to prevent users from logging on as a service.
• Deny Logon Locally; used to prevent a user from interactively logging on to a
computer when Ctrl+Alt+Del is pressed.
• Deny Log On Through Terminal Services; used to prevent a user from logging
on using a Terminal Services client.
• Enable Computer And User Accounts To Be Trusted For Delegation; users are
allowed to specify the Trusted For Delegation setting for user and computer
objects.
• Force Shutdown From A Remote System; the system can be shut down by a
remote user.
• Generate Security Audits; a user/group/process is able to add entries to the
Security log.
• Increase Scheduling Priority; enables a process to change the priority that is
assigned to other processes.
• Load And Unload Device Drivers; enables a user to both load and unload Plug
and Play device drivers.
• Lock Pages In Memory; used to keep pages in physical memory. Not available
in Windows Server 2003.
• Log On As A Batch Job; used to allow a process to log on as a batch job.
• Log On As A Service; used to allow a service to log on as a service.
• Manage Auditing And Security Log; enables a user to manage the Security
log.
• Modify Firmware Environment Variables; enables a user/process to change
the firmware environment variables.
• Perform Volume Maintenance Tasks; enables users to run maintenance tasks
for a volume.
• Profile Single Process; enables a user to track non-system processes.
• Profile System Performance; enables a user to track system processes.
• Remove Computer From Docking Station; users are allowed to undock a
laptop using a Windows Server 2003 user interface.
• Replace A Process Level Token; enables a process to replace a process level
token.
• Restore Files And Directories; a user is able to restore files and directories.
• Shut Down The System; enables the user to shut down the local computer.
• Synchronize Directory Service Data; the user is able to synchronize directory
service data.
• Take Ownership Of Files Or Other Objects; enables a user to take ownership
of objects.

How to configure user right assignment policies


1. Click Start, click Administrative Tools, and then Security.
2. Expand the Local Computer Policy snap-in, expand Computer Configuration,
Windows Settings, Security Settings, Local Policies, and then expand User
Rights Assignment.
3. Open the user rights assignment policies that you want to configure.

Security Options Policies


You can enable Security Options policies to secure server components from a number of threats
and accidents. Security Options policies are used to define security for the computer.
Because there are over 70 security options which you can configure in Windows Server 2003,
the security options are organized into a number of categories:
• Accounts; contains a number of security options such as:
○ Administrator Account Status; enables/disables the local Administrator
account of the computer.
○ Guest Account Status; enables/disables the local Guest account of the
computer.
○ Rename Administrator Account; defines the alternative name for the
security identifier (SID) of the local Administrator account.
○ Rename Guest Account; defines the alternative name for the security
identifier (SID) of the local Guest account.
• Audit; contains security options which are specific to auditing, such as:
○ The Use Of Backup And Restore Privilege; when the Audit Privilege Use
policy is enabled, configures the computer to audit the use of these privileges.
○ Shut Down System Immediately If Unable To Log Security Audits;
results in the computer shutting down when no further auditing entries
can be written to the security log due to the log reaching its maximum
size limit.
• Devices; contains options that control access to devices, such as:
○ Allowed To Format And Eject Removable Media; defines those local
groups which are allowed to format and eject removable NTFS file
system media.
○ Restrict CD-ROM Access To Locally Logged-on User Only; stops users
from accessing the CD-ROM drives of the computer.
○ Restrict Floppy Access To Locally Logged-on User Only; stops users
from accessing the floppy disk drive of the computer.
• Domain controllers; contains options that can be used to apply security on a
domain controller, such as:
○ Maximum Machine Account Password Age; sets the frequency at which
the computer account password of the system is modified.
• Domain member; contains options that can be used for encryption, session keys,
and computer account passwords.
• Interactive Logon; contains options for interactive logon, such as:
○ Do Not Require CTRL+ALT+DEL; set this option to Disabled so that
users are protected from Trojan horse attacks.
○ Require Domain Controller Authentication To Unlock Workstation; stops
the computer from being unlocked through cached credentials.
• Microsoft Network Client; contains options for specifying digitally signed
communications, such as:
○ Digitally Sign Communications (Always); sets the computer to require
packet signatures for Server Message Block client communications.
• Microsoft Network Server; contains options for specifying digitally signed
communications and session idle timeout, such as:
○ Digitally Sign Communications (Always); sets the computer to require
packet signatures for Server Message Block server communications.
• Network Access; contains options to configure anonymous network access
settings, such as:
○ Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares;
stops anonymous users from gathering information on the names of
local user accounts and shares.
○ Remotely Accessible Registry Paths And Sub-paths; defines the registry
paths and sub-paths which certain users can access.
○ Shares That Can Be Accessed Anonymously; defines the shares which
can be accessed by anonymous users.
• Network Security; contains options for configuring network security, such as:
○ Force Logoff When Logon Hours Expire; configures the computer to
end any current local user connections that have used up their defined
logon hours or time.
• Recovery Console; contains options for specifying Recovery Console security.
• Shutdown; contains options that control system shutdown, such as:
○ Allow System To Be Shut Down Without Having To Log On; enables the
Shut Down button in the Log On To Windows dialog box.
• System Cryptography; contains options for encryption, signing, and hashing.
• System Objects; contains options for system objects.
• System Settings; contains options for additional system security settings.

Public Key Policies


These policies are used to define how computers send requests to Certificate Authorities (CAs)
so that they can install public keys.
Defining System Policies
There are a number of policy settings which can be defined and configured through
System Policies:
• User Profiles policies: A few common User Profiles policies which you can
configure are:
○ Delete Cached Copies Of Roaming Profiles; the local copy of the
roaming profile is not saved to the local computer.
○ Do Not Detect Slow Network Connections; the system will not detect
and respond to slow network connections.
○ Slow Network Connection Timeout For User Profiles; used to define
slow network connections.
○ Wait For Remote User Profile; used to specify that the roaming user
profile should be used over the cached copy of the user profile.
○ Prompt User When Slow Link Is Detected; used to notify a user of slow
network connections. The user can then select to use either the
roaming user profile or the locally cached copy.
○ Timeout For Dialog Boxes; used to set the time-out value for dialog
boxes.
○ Log Users Off When Roaming Profile Fails; logs the user off when the
roaming profile is unavailable.
○ Maximum Retries To Unload And Update User Profile; used to set the
maximum number of retries allowed when the system is unable to
update user profile information.
• Logon policies: A few common Logon policies which you can configure are:
○ Run Logon Scripts Synchronously; when enabled, logon scripts are run
and completed before the Windows Explorer interface is run.
○ Run Startup Scripts Asynchronously; when enabled, startup scripts are
run at the same time.
○ Run Startup Scripts Visible; when enabled, the startup scripts'
instructions are displayed.
○ Run Shutdown Scripts Visible; when enabled, the shutdown scripts'
instructions are displayed.
○ Maximum Wait Time For Group Policy Scripts; used to set the
maximum time for which the system waits for scripts.
• Disk quota policies: A few common Disk Quota policies which you can
configure are:
○ Enable Disk Quotas; enables disk quota management for each NTFS
volume for the computer.
○ Enforce Disk Quota Limit; enforces the disk quota limit if it is defined.
○ Default Quota Limit And Warning Level; used to define the default
quota limit and disk usage threshold settings.
○ Log Event When Quota Limit Exceeded; used to enable logging for
when users exceed their specific quota limits.
○ Log Event When Quota Warning Level Exceeded; used to enable
logging for when users reach their specific warning levels.
• Group Policy policies: A few common Group Policy policies which you can
configure are:
○ Turn Off Background Refresh Of Group Policy; group policies are not
updated when the computer is being utilized.
○ Apply Group Policy For Users Asynchronously During Startup; the
Windows Desktop is displayed before Group Policy for the computer is
updated.
○ Group Policy Refresh Intervals For Computers; used to set the rate at
which Group Policy of computers will be updated.
○ Group Policy Refresh Intervals For Domain Controllers; used to set the
rate at which Group Policy of domain controllers will be updated.
○ User Group Policy Loopback Processing Mode; used to define whether
group policy is replaced or merged.
○ Group Policy Slow Link Detection; used to define a slow network
connection in terms of updating group policies.
○ Registry Policy Processing; used to define how Registry policies are
applied or processed.
○ Internet Explorer Maintenance Policy Processing; used to define how
Internet Explorer Maintenance policies are applied or processed.
○ Software Installation Policy Processing; used to define how Software
Installation policies are applied or processed.
○ Folder Redirection Policy Processing; used to define how Folder
Redirection policies are applied or processed.
○ Scripts Policy Processing; used to define how shared script policies are
applied or processed.
○ Security Policy Processing; used to define how security policies are
updated.
○ IP Security Policy Processing; used to define how IP security policies
are processed.
○ EFS Recovery Policy; used to define how encryption policies are
processed.
○ Disk Quota Policy Processing; for defining the manner in which quota
policies are updated.
• Windows file protection policies: A few common Windows file protection
policies which you can configure are:
○ Set Windows File Protection Scanning; used to set how often Windows
File Protection scans.
○ Hide the File Scan Progress Window; used to hide the File Scan
Progress window.
○ Limit Windows File Protection Cache Size; used to set a limit for the
amount of disk space which Windows File Protection can use.
○ Specify Windows File Protection Cache Location; used to set the
Windows File Protection cache's location.

Configuring and Applying Security Templates


A security template is a collection of security configuration settings that can be applied to a
domain controller, member server or a workstation. The settings within a security template are
used to control the security configuration of a computer through both local policies and group
policies. The security configuration settings contained within security templates are stored in text
files. A security template can be applied to a local computer, or incorporated into a Group Policy
object in Active Directory. Security templates enable administrators to create consistent security
settings within the organization. In addition, the security settings can also be reproduced.
Windows Server 2003 includes predefined security templates that hold security settings
for different levels of security. The predefined security templates are listed here:
• Setup security.inf; contains the default security settings created by the Windows Server 2003
Setup program when a computer is installed.
• Compatws.inf; enables most types of applications to run, thereby enabling
the older applications to run.
• DC security.inf; defines default system services settings, default security
settings, and file system and Registry settings for a domain controller.
• hisecdc.inf; highly secure template which contains security settings for
domain controllers.
• hisecws.inf; a highly secure server or workstation template which contains
security settings for workstations.
• securedc.inf; contains security settings for domain controllers that enhance
security on a domain controller while at the same time maintaining
compatibility with most functions and applications.
• securews.inf; contains enhanced security settings for workstations and
member servers that are not domain controllers.
• Rootsec.inf; the template contains the default file system permissions that
can be applied as the root permissions to the system drive of a computer.
• iesacls.inf; includes settings that can be utilized to audit registry settings that
control Internet Explorer security.
The Security Configuration and Analysis feature, initially introduced in Windows 2000, enables
you to create, modify and apply security settings in the Registry through the use of security
templates. The tool is useful for scanning, analyzing, and setting local system security. A
security template makes it possible for you to configure security settings and store these settings
in a file. You can apply security templates which were created in the Security Templates console
to the local computer by importing them into a GPO.
The common process for using the Security Configuration and Analysis tool is listed below:
1. Create, or open an existing, security configuration and analysis database. This is the
database that the Security Configuration And Analysis feature compares the current security
settings of the local computer to.
2. Analyze the system security of the local computer.
3. Examine the results of the security analysis, and resolve any reported
discrepancies.
4. Export the security database settings to a security template.
There are seven Security Template areas where you can configure security for Windows 2000,
Windows XP, and Windows Server 2003 networking environments:
• Account policies
• Local policies
• Event log
• Restricted groups
• System services
• Registry
• File System
To avoid settings implemented through the Security Configuration And Analysis tool from
overriding local Group Policy settings, you should only use the Security Configuration And
Analysis tool to configure security settings for system services, local files/folders, and registry
keys.
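The user rights, audit settings and security options described in the preceding sections are exactly what an exported security template holds, as plain-text INF sections. The following is an added example, not code from the article or from Microsoft: a Python review of a constructed template in the layout written by secedit /export, flagging the assignments the sections above warn against (the SID table, the risk groupings, the audit requirements and the sample values are assumptions made for the demonstration).

```python
"""Review an exported Windows security template (.inf) for weak settings.
Added example: the template is a constructed sample in the layout written
by "secedit /export /cfg"; the risk groupings are assumptions."""
import configparser

# Well-known SIDs as they appear (prefixed with '*') in [Privilege Rights].
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
                   "S-1-5-11": "Authenticated Users",
                   "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}
ADMINISTRATORS = "S-1-5-32-544"
BROAD_PRINCIPALS = {"S-1-1-0", "S-1-5-7"}  # Everyone, Anonymous Logon

# Act As Part Of The Operating System: no account should hold it.
NOBODY_RIGHTS = {"SeTcbPrivilege": "Act As Part Of The Operating System"}
# Rights that amount to full control of the host: Administrators only.
ADMIN_ONLY_RIGHTS = {
    "SeDebugPrivilege": "Debug Programs",
    "SeCreateTokenPrivilege": "Create A Token Object",
    "SeLoadDriverPrivilege": "Load And Unload Device Drivers",
    "SeTakeOwnershipPrivilege": "Take Ownership Of Files Or Other Objects",
}
# Logon rights that must never be granted to Everyone or Anonymous Logon.
LOGON_RIGHTS = {
    "SeNetworkLogonRight": "Access This Computer From The Network",
    "SeInteractiveLogonRight": "Allow Log On Locally",
    "SeRemoteInteractiveLogonRight": "Allow Log On Through Terminal Services",
}
# [Event Audit] values are bit flags: 1 = success, 2 = failure, 3 = both.
REQUIRED_AUDIT = {"AuditLogonEvents": 3, "AuditAccountLogon": 3,
                  "AuditPrivilegeUse": 2}
# "Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares" lands here.
RESTRICT_ANONYMOUS = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"

# Constructed sample carrying several of the weaknesses the checks look for.
WEAK_TEMPLATE = r"""
[System Access]
EnableGuestAccount = 1
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 0
AuditPrivilegeUse = 2
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeTcbPrivilege = *S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""


def parse_template(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep key case: SeDebugPrivilege, registry paths
    cp.read_string(text)
    return cp


def section(cp, name):
    return dict(cp[name]) if cp.has_section(name) else {}


def principals(value):
    # '*S-1-5-32-544,*S-1-5-32-545' -> ['S-1-5-32-544', 'S-1-5-32-545']
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]


def names(sids):
    return ", ".join(WELL_KNOWN_SIDS.get(s, s) for s in sids)


def review_template(text):
    """Return a list of (setting, problem) findings for a template's text."""
    cp = parse_template(text)
    findings = []
    rights = section(cp, "Privilege Rights")
    for right, title in NOBODY_RIGHTS.items():
        holders = principals(rights.get(right, ""))
        if holders:
            findings.append((right, f"{title} held by {names(holders)}"))
    for right, title in ADMIN_ONLY_RIGHTS.items():
        extra = [p for p in principals(rights.get(right, "")) if p != ADMINISTRATORS]
        if extra:
            findings.append((right, f"{title} granted beyond Administrators: {names(extra)}"))
    for right, title in LOGON_RIGHTS.items():
        broad = [p for p in principals(rights.get(right, "")) if p in BROAD_PRINCIPALS]
        if broad:
            findings.append((right, f"{title} granted to {names(broad)}"))
    audit = section(cp, "Event Audit")
    for key, required in REQUIRED_AUDIT.items():
        value = int(audit.get(key, "0"))  # absent means not audited
        if (value & required) != required:
            findings.append((key, f"value {value} does not audit the required outcomes"))
    access = section(cp, "System Access")
    if access.get("EnableGuestAccount", "0") == "1":
        findings.append(("EnableGuestAccount", "local Guest account is enabled"))
    if access.get("NewAdministratorName", "").strip('"') == "Administrator":
        findings.append(("NewAdministratorName", "Administrator account not renamed"))
    # Registry values are written as "<type>,<data>"; type 4 is REG_DWORD.
    data = section(cp, "Registry Values").get(RESTRICT_ANONYMOUS, "4,0").split(",")[-1]
    if data != "1":
        findings.append(("RestrictAnonymous", "anonymous enumeration of SAM accounts and shares allowed"))
    return findings
```

Run review_template on the text of a real export to get the same list of findings; an empty list means every check passed.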
How to open the Security Configuration and Analysis console
1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
2. In the Console menu, click Add/Remove Snap-In, and click Add.
3. Click Security Configuration And Analysis, and then click Add
4. Click Close, and then click OK.
5. In the Console menu, click Save.
6. Enter a name for the console, and then click Save.
7. You can now access the Security Configuration And Analysis console from the
Administrative Tools menu.

How to analyze the security settings of the local computer


1. Open the Security Configuration And Analysis console.
2. Right-click Security Configuration And Analysis and then select Analyze
Computer Now on the shortcut menu.
3. When the Perform Analysis dialog box opens, verify that the path specified
for the log file is correct. If not, enter the proper path for the log file.
4. Click OK to start the analysis of the computer.
5. You can view the contents of the log file by right-clicking the Security
Configuration And Analysis, and then clicking View Log File on the shortcut
menu.

Network Attacks
Understanding Network Attacks
A network attack can be defined as any method, process or means used to maliciously attempt to
compromise the security of the network. There are a number of reasons why an individual or
group would want to attack corporate networks. The individuals performing network attacks are
commonly referred to as network attackers, hackers or crackers.
A few different types of malicious activities performed by network attackers and hackers are
summarized here:
• Illegally using user accounts and privileges.
• Stealing hardware.
• Stealing software.
• Running code to damage systems.
• Running code to damage and corrupt data.
• Modifying stored data.
• Stealing data.
• Using data for financial gain or for industrial espionage.
• Performing actions that prevent legitimate authorized users from accessing network
services and resources.
• Performing actions to deplete network resources and bandwidth.


A few reasons why network attackers attempt to attack corporate networks are listed here:
• Individuals seeking fame or some sort of recognition. Script kiddies usually seek some
form of fame when they attempt to crash Web sites and other public targets on the
Internet. A script kiddie could also be looking for some form of acceptance or recognition
from the hacker community or from black hat hackers.
• Possible motives for structured external threats include:
○ Greed
○ Industrial espionage
○ Politics
○ Terrorism
○ Racism
○ Criminal payoffs
• Displeased employees might seek to damage the organization's data, reliability, or
financial standing.
• There are, though, some network attackers who simply enjoy the challenge of trying to
compromise the security systems of highly secured networks. These types of attackers
simply see their actions as a means by which existing security vulnerabilities can be
exposed.
Network attacks can be classified into the following four types of attacks:
• Internal threats
• External threats
○ Unstructured threats
○ Structured threats
Threats to the network can be initiated from a number of different sources, which is why
network attacks are classified as either external network attacks/threats or internal network
attacks/threats:
• External threats: External threats or network attacks are carried out by individuals with
no assistance from internal employees or contractors. These attacks are typically
performed by a malicious experienced individual, a group of experienced individuals, an
experienced malicious organization, or by inexperienced attackers (script kiddies).
External threats are usually carried out using a predefined plan and the technologies
(tools) or techniques of the attacker(s). One of the main characteristics of external threats
is that they usually involve scanning and information gathering. You can therefore detect
an external attack by scrutinizing existing firewall logs. You can also install an Intrusion
Detection System to quickly identify external threats. External threats can be further
categorized into either structured threats or unstructured threats:
○ Structured external threats: These threats originate from a malicious individual, a
group of malicious individuals or from a malicious organization. Structured
threats are usually initiated by network attackers who have a premeditated
idea of the actual damages and losses which they want to cause. Possible
motives for structured external threats include greed, politics, terrorism, racism
and criminal payoffs. These attackers are highly skilled in network design, the
methods of avoiding security measures, Intrusion Detection Systems (IDSs),
access procedures, and hacking tools. They have the necessary skills to develop
new network attack techniques and the ability to modify existing hacking tools for
their exploitations. In certain cases, the attacker could be assisted by an internal
authorized individual.
○ Unstructured external threats: These threats originate from an inexperienced
attacker, typically from a script kiddie. A script kiddie is the terminology used to
refer to an inexperienced attacker who uses cracking tools or scripted tools readily
available on the Internet, to perform a network attack. Script kiddies are usually
inadequately skilled to create the threats on their own. Script kiddies can be
considered as being bored individuals seeking some form of fame by attempting
to crash Web sites and other public targets on the Internet.
External attacks can also occur either remotely or locally:
○ Remote external attacks: These attacks are usually aimed at the services which an
organization offers to the public. The various forms which remote external attacks
can take are listed here:
 Remote attacks aimed at the services available for internal users. This
remote attack usually occurs when there is no firewall solution
implemented to protect these internal services.
 Remote attacks aimed at locating modems to access the corporate
network.
 Denial-of-service (DoS) attacks to place an exceptional processing load on
servers in an attempt to prevent authorized user requests from being
serviced.
 War-dialing of the corporate private branch exchange (PBX).
 Attempts to brute force password authenticated systems.
○ Local external attacks: These attacks typically originate from situations where
computing facilities are shared, and access to the system can be obtained.
• Internal threats: Internal attacks originate from dissatisfied or unhappy inside employees
or contractors. Internal attackers have some form of access to the system and usually try
to hide their attack as a normal process. For instance, internal disgruntled employees have
local access to some resources on the internal network already. They could also have
some administrative rights on the network. One of the best means to protect against
internal attacks is to implement an Intrusion Detection System, and to configure it to scan
for both external and internal attacks. All forms of attacks should be logged and the logs
should be reviewed and followed up.
With respect to network attacks, the core components which should be included when you design
network security are:
• Network attack prevention.
• Network attack detection.
• Network attack isolation.
• Network attack recovery.
What is hacking?
The terminology, hacking, was initially used to refer to the process of finding solutions to rather
technical issues or problems. These days, hacking is used to refer to the process whereby
intruders maliciously attempt to compromise the security of corporate networks to destroy,
interpret or steal confidential data; or to prevent an organization from operating.
Different terminology is used to refer to criminal hacking:
• Cracking
• Cybercrime
• Cyberespionage
• Phreaking
To access a network system, the intruder (hacker) performs a number of activities:
• Footprinting: This is basically the initial step in hacking a corporate network. Here the
intruder attempts to gain as much information as possible on the targeted network by using
sources which the public can access. The aim of footprinting is to create a map of the network
to determine what operating systems, applications and address ranges are being utilized, and
to identify any accessible open ports. The methods used to footprint a network are listed
here:
○ Access information publicly available on the company Web site to gain any useful
information.
○ Try to find any anonymous File Transfer Protocol (FTP) sites and intranet sites
which are not secured.
○ Gather information on the domain name of the company and the IP address block
being used.
○ Test for hosts in the IP address block of the network. Tools such as Ping or Fping
are typically used.
○ Using tools such as Nslookup, the intruder attempts to perform Domain Name
System (DNS) zone transfers.
○ A tool such as Nmap is used to find out what the operating systems are which are
being used.
○ Tools such as Tracert are used to find routers and to collect subnet information.
• Port scanning: Port scanning, or simply scanning, is the process whereby intruders
collect information on the network services on a target network. Here, the intruder
attempts to find open ports on the target system. The different scanning methods used by
network attackers are:
○ Vanilla scan/SYN scan: TCP SYN packets are sent to the ports of each address
in an attempt to connect to all ports. Port numbers 0 - 65,535 are utilized.
○ Strobe scan: Here, the attacker attempts to connect to a specific range of ports
which are typically open on Windows based hosts or UNIX/Linux based hosts.
○ Sweep: A large set of IP addresses are scanned in an attempt to detect a system
that has one open port.
○ Passive scan: Here, all network traffic entering or leaving the network is captured
and traffic is then analyzed to determine what the open ports are on the hosts
within the network.
○ User Datagram Protocol (UDP) scan: Empty UDP packets are sent to the different
ports of a set of addresses to determine how the operating system responds. Closed UDP
ports respond with the Port Unreachable message when any empty UDP packets
are received. Other operating systems respond with the Internet Control Message
Protocol (ICMP) error packet.
○ FTP bounce: To hide the location of the attacker, the scan is initiated from an
intermediary File Transfer Protocol (FTP) server.
○ FIN scan: TCP FIN packets that specify that the sender wants to close a TCP
session are sent to each port for a range of IP addresses.
• Enumeration: The unauthorized intruder uses a number of methods to collect information
on applications and hosts on the network, and on the user accounts utilized on the
network. Enumeration is particularly successful in networks that contain unprotected
network resources and services:
○ Network services that are running but which are not being utilized.
○ Default user accounts which have no passwords specified.
○ Guest accounts which are active.
• Acquiring access: Access attacks are performed when an attacker exploits a security
weakness so that he/she can obtain access to a system or the network. Trojan horses and
password hacking programs are typically used to obtain system access. When access is
obtained, the intruder is able to modify or delete data; and add, modify or remove
network resources. The different types of access attacks are listed here:
○ Unauthorized system access entails the practice of exploiting the vulnerabilities of
operating systems, or executing a script or a hacking program to obtain access to a
system.
○ Unauthorized privilege escalation is a frequent type of attack. Privilege escalation
occurs when an intruder attempts to obtain a high level of access like
administrative privileges to gain control of the network system.
○ Unauthorized data manipulation involves interpreting, altering and deleting
confidential data.
• Privilege escalation: When an attacker initially gains access to the network, low level
accounts are typically used. Privilege escalation occurs when an attacker escalates his/her
privileges to obtain a higher level of access, like administrative privileges, in order to
gain control of the network system. The privilege escalation methods used by attackers
are listed here:
○ The attacker searches the registry keys for password information.
○ The attacker can search documents for information on administrative privileges.
○ The attacker can execute a password cracking tool on targeted user accounts.
○ The attacker can use a Trojan in an attempt to obtain the credentials of a user
account that has administrative privileges.
• Install backdoors: A hacker can also implement a mechanism such as some form of
access granting code with the intent of using it at some future stage. Backdoors are
typically installed by attackers so that they can easily access the system at some later
date. After a system is compromised, you can remove any installed backdoors by
reinstalling the system from a backup which is secure.
• Removing evidence of activities: Attackers typically attempt to remove all evidence of
their activities.
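The article notes that external attacks usually involve scanning and can be detected by scrutinizing firewall logs. As an added example (not code from the article), the Python below runs that detection logic over a constructed log in the style of the Windows Firewall pfirewall.log and flags three of the scanning methods listed above: a vanilla/strobe scan (many ports on one host), a sweep (one port across many hosts) and a FIN scan (FIN packets without ACK). The thresholds, field layout and addresses are assumptions for the demonstration.

```python
"""Flag port scans, sweeps and FIN probes in firewall drop logs.
Added example: the log is a constructed sample in the style of the Windows
Firewall pfirewall.log; thresholds and addresses are assumptions."""
from collections import defaultdict

PORT_THRESHOLD = 10   # distinct ports on one host from one source
HOST_THRESHOLD = 5    # distinct hosts on one port from one source
FIN_THRESHOLD = 3     # FIN-without-ACK probes from one source


def build_sample_log():
    """Constructed log: a port scan, a sweep, a FIN scan and normal traffic."""
    lines = ["#Fields: date time action protocol src-ip dst-ip "
             "src-port dst-port size tcpflags"]
    # Vanilla/strobe scan: one source tries 12 ports on one host.
    for i, port in enumerate(range(20, 32)):
        lines.append(f"2004-05-01 10:00:{i:02d} DROP TCP 203.0.113.9 "
                     f"192.0.2.10 {40000 + i} {port} 48 S")
    # Sweep: one source tries port 445 on six hosts.
    for i in range(6):
        lines.append(f"2004-05-01 10:01:{i:02d} DROP TCP 198.51.100.7 "
                     f"192.0.2.{11 + i} {51000 + i} 445 48 S")
    # FIN scan: FIN packets with no ACK, sent to several ports.
    for i, port in enumerate((80, 443, 8080)):
        lines.append(f"2004-05-01 10:02:{i:02d} DROP TCP 198.51.100.8 "
                     f"192.0.2.10 {52000 + i} {port} 40 F")
    # Normal traffic: an allowed connection and a dropped UDP broadcast.
    lines.append("2004-05-01 10:03:00 OPEN TCP 192.0.2.50 192.0.2.10 1100 80 0 -")
    lines.append("2004-05-01 10:03:01 DROP UDP 192.0.2.51 192.0.2.255 137 137 78 -")
    return "\n".join(lines)


def parse_line(line):
    """Return the fields of one record, or None for comments and blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 10:
        return None
    return {"action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "dport": int(f[7]), "flags": f[9]}


def detect_scans(log_text, port_threshold=PORT_THRESHOLD,
                 host_threshold=HOST_THRESHOLD, fin_threshold=FIN_THRESHOLD):
    """Return (kind, source, detail) findings for dropped TCP probes."""
    ports_per_target = defaultdict(set)  # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)    # (src, dport) -> {dst}
    fin_probes = defaultdict(int)        # src -> count
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Only dropped TCP traffic is evidence of probing; allowed sessions
        # and non-TCP noise are left out.
        if rec is None or rec["action"] != "DROP" or rec["proto"] != "TCP":
            continue
        ports_per_target[(rec["src"], rec["dst"])].add(rec["dport"])
        hosts_per_port[(rec["src"], rec["dport"])].add(rec["dst"])
        if "F" in rec["flags"] and "A" not in rec["flags"]:
            fin_probes[rec["src"]] += 1
    findings = []
    for (src, dst), ports in sorted(ports_per_target.items()):
        if len(ports) >= port_threshold:
            findings.append(("port scan", src, f"{len(ports)} ports on {dst}"))
    for (src, dport), hosts in sorted(hosts_per_port.items()):
        if len(hosts) >= host_threshold:
            findings.append(("sweep", src, f"port {dport} on {len(hosts)} hosts"))
    for src, count in sorted(fin_probes.items()):
        if count >= fin_threshold:
            findings.append(("fin scan", src, f"{count} FIN probes"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect_scans(build_sample_log()):
        print(f"{kind:9s} from {src}: {detail}")
```

Because the counters are keyed per source, a single address probing many hosts on many ports shows up under both rules, which is the pattern an IDS would also raise.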
What are hackers or network attackers?
A hacker or network attacker is someone who maliciously attacks networks, systems, computers,
applications; and who captures, corrupts, modifies, steals or deletes confidential company
information.
A hacker can refer to a number of different individuals who perform activities aimed at hacking
systems and networks, and it can also refer to individuals who perform activities that have
nothing to do with criminal activity:
• Programmers who hack complex technical problems to come up with solutions.
• Script kiddies who use readily available tools on the Internet to hack into systems.
• Criminal hackers who steal or destroy company data.
• Protesting activists who deny access to specific Web sites as part of their protesting
strategy.
Hackers these days are classified according to the hat they wear. This concept is illustrated
below:
• Black hat hackers are malicious or criminal hackers who hack at systems and computers
to damage data or who attempt to prevent businesses from rendering their services. Some
black hat hackers simply hack security protected systems to gain prestige in the hacking
community.
• White hat hackers are legitimate security experts who are trying to expose security
vulnerabilities in operating system platforms. White hat hackers have the improvement of
security as their motive. They do not damage or steal company data, nor do they seek any
fame. These security experts are usually quite knowledgeable on the hacking methods
utilized by black hat hackers.
• Grey hat hacker: These are individuals who have motives between that of black hat
hackers and white hat hackers.
The Common Types of Network Attacks
While there are many different types of network attacks, a few can be regarded as the more
commonly performed network attacks. These network attacks are discussed in this section of the
article:
• Data modification or data manipulation pertains to a network attack where confidential
company data is interpreted, deleted, or modified. Data modification is successful when
data is modified without the sender actually being aware that it was tampered with. A few
methods of preventing attacks aimed at compromising data integrity are listed here:
○ Use digital signatures to ensure that data has not been modified while it is being
transmitted or simply stored.
○ Implement access control lists (ACLs) to control which users are allowed to
access your data.
○ Regularly back up important data.
○ Include specific code in applications that can validate data input.
• Eavesdropping: This type of network attack occurs when an attacker monitors or listens
to network traffic in transit, and then interprets all unprotected data. While you need
specialized equipment and access to the telephone company switching facilities to
eavesdrop on telephone conversations, all you need to eavesdrop on an Internet Protocol (IP)
based network is a sniffer technology to capture the traffic being transmitted. This is
basically due to the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol
being an open architecture which transmits unencrypted data over the network. A few
methods of preventing intruders from eavesdropping on the network are listed here:
○ Implement Internet Protocol Security (IPSec) to secure and encrypt IP data before
it is sent over the network.
○ Implement security policies and procedures to prevent attackers from attaching a
sniffer on the network.
○ Install antivirus software to protect the corporate network from Trojans. Trojans
are typically used to discover and capture sensitive, valuable information, such as
user credentials.
• IP address spoofing or IP spoofing or identity spoofing: IP address spoofing occurs when
an attacker assumes the source Internet Protocol (IP) address of IP packets to make it
appear as though the packet originated from a valid IP address. The aim of an IP address
spoofing attack is to identify computers on a network. The majority of IP networks utilize
the IP address of the user to verify identities, and routers also typically ignore source IP
addresses when routing packets. Routers use the destination IP addresses to forward
packets to the intended destination network. These factors could enable an attacker to
bypass a router and launch a number of subsequent attacks, including:
○ Initiation of denial of service (DoS) attacks.
○ Initiation of man-in-the-middle (MITM) attacks to hijack sessions.
○ Redirection of traffic.
A few methods of preventing IP address spoofing attacks are listed here:
○ Encrypt traffic between routers and external hosts.
○ Define ingress filters on routers and firewalls to stop inbound traffic where the
source address is from a trusted host on the internal network.
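The ingress filter just described, together with its egress counterpart, as an added worked example in Python (not code from the article or from any router vendor). The internal prefixes, the bogon list and the sample packets are constructed for illustration; a real border device applies the same logic in its access control lists:

```python
# Added example (not from the article): an anti-spoofing filter in the style of
# a border router's ingress/egress access control lists. Prefixes and sample
# packets are constructed for illustration.
import ipaddress

# Assumed internal address space of the protected network (constructed).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
# Addresses that should never appear as a source on the Internet link.
BOGON_PREFIXES = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("0.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def filter_packet(direction, src, dst):
    """Return ("permit" | "deny", reason) for one packet crossing the border.

    direction is "inbound" (Internet -> internal network) or "outbound"
    (internal network -> Internet). The ingress rule drops inbound packets
    that claim an internal or bogon source; the egress rule drops outbound
    packets whose source is not one of our own prefixes.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if _in_any(s, BOGON_PREFIXES):
        return "deny", "bogon source address"
    if direction == "inbound":
        if _in_any(s, INTERNAL_PREFIXES):
            return "deny", "inbound packet claims an internal source (spoofed)"
        if not _in_any(d, INTERNAL_PREFIXES):
            return "deny", "inbound packet not addressed to the internal network"
        return "permit", "ok"
    if direction == "outbound":
        if not _in_any(s, INTERNAL_PREFIXES):
            return "deny", "outbound packet with a foreign source (egress spoofing)"
        return "permit", "ok"
    raise ValueError("direction must be 'inbound' or 'outbound'")


def apply_acl(packets):
    """Filter a list of (direction, src, dst) tuples; return (src, dst, verdict, reason)."""
    results = []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        results.append((src, dst, verdict, reason))
    return results


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [("inbound", "203.0.113.5", "10.1.2.3"),         # legitimate
              ("inbound", "10.1.2.250", "10.1.2.3"),          # claims an internal source
              ("inbound", "127.0.0.1", "10.1.2.3"),           # bogon source
              ("outbound", "10.1.2.3", "198.51.100.7"),       # legitimate
              ("outbound", "198.51.100.99", "203.0.113.5")]   # foreign source leaving our network
    for src, dst, verdict, reason in apply_acl(sample):
        print(f"{verdict:6} {src:>15} -> {dst:<15} {reason}")
```

Inbound packets that claim an internal source are the spoofing case from the text; the egress rule is the mirror image and stops the organization's own hosts from being used as a launch point for traffic carrying someone else's addresses.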
• Sniffer attacks: Sniffing refers to the process used by attackers to capture and analyze
network traffic. The contents of packets on a network are analyzed. The tools which
attackers use for sniffing are called sniffers or more correctly, protocol analyzers. While
protocol analyzers are really network troubleshooting tools, they are also used by hackers
for malicious purposes. Sniffers are used to monitor, capture and obtain network
information, such as passwords and valuable customer information. When an individual
has physical access to a network, he/she can easily attach a protocol analyzer to the
network and then capture traffic. Remote sniffing can also be performed and is typically
used by network attackers. There are protocol analyzers or sniffers available for most
networking technologies including:
○ Asynchronous Transfer Mode (ATM)
○ Ethernet
○ Fiber Channel
○ Serial connections
○ Small Computer System Interface (SCSI)
○ Wireless
There are a number of common sniffers which are used by network security
administrators and malicious hackers:
○ Dsniff
○ Ethereal
○ Etherpeek
○ Network Associates' Sniffer
○ Ngrep
○ Sniffit
○ Snort
○ Tcpdump
○ Windump
To protect against sniffers, implement Internet Protocol Security (IPSec) to encrypt
network traffic so that any captured information cannot be interpreted.
• Password attacks: Password based attacks or password crackers are aimed at guessing
the password for a system until the correct password is determined. One of the primary
security weaknesses associated with password based access control is that all security is
based on the user ID and password being utilized. But who is the individual using the
credentials at the keyboard? Some older applications do not protect password information
at all: the password is simply sent in clear or plain text, with no form of encryption.
Remember that network attackers can obtain user ID and password information and can
then pose as authorized users and attack the corporate network. Attackers can use
dictionary attacks or brute force attacks to gain access to resources with the same rights as
the authorized user. A big threat would be present if the user has some level of
administrative rights to certain portions of the network. An even bigger threat would exist
if the same password credentials are used for all systems. The attacker would then have
access to a number of systems. There are two ways in which password based attacks are
performed:
○ Online cracking: The network attacker sniffs network traffic to seize
authentication sessions in an attempt to capture password based information.
There are tools which are geared at sniffing out passwords from traffic.
○ Offline cracking: The network attacker gains access to a system with the intent of
gaining access to password based information. The attacker then runs some
password cracker technology to decipher valid user account information.
A dictionary attack occurs when all the words typically used for passwords are attempted
to detect a password match. There are some technologies that can generate a number of
complex word combinations and variations.
The Microsoft Windows Server 2003 operating system only stores passwords in an
encrypted format. To obtain password credentials, you have to have administrative
credentials to access the system and information. Operating systems these days also
support password policies. Password policies can be used to define how passwords are
managed, and to define the characteristics of passwords which are considered acceptable.

Password policy settings can be used to specify and enforce a number of rules for
passwords:
○ Define whether passwords are simple or complex.
○ Define whether password history is maintained.
○ Define the minimum length for passwords.
○ Define the minimum password age.
○ Define the maximum password age.
○ Define whether passwords are stored using reversible encryption or irreversible
encryption.
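As an added example (not from the article), the following Python evaluator applies the password policy settings listed above to a candidate password. The policy values, the three-of-four character class complexity rule and the sample accounts are constructed assumptions; the code is not the Windows implementation:

```python
# Added example (not from the article): a password policy evaluator covering
# complexity, history, minimum length, minimum age and maximum age.
# Policy values and sample data are constructed for illustration.
import hashlib
from datetime import date, timedelta

POLICY = {                    # constructed example policy
    "complexity": True,       # require 3 of 4 character classes, no user name inside
    "history_length": 5,      # remember digests of the last 5 passwords
    "min_length": 10,
    "min_age_days": 1,        # cannot be changed again within 1 day
    "max_age_days": 90,       # must be changed after 90 days
}


def password_digest(password):
    """Irreversible form in which history is kept. A real system would use a
    salted, slow hash; plain SHA-256 keeps the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_complex(password, username):
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return sum(classes) >= 3 and username.lower() not in password.lower()


def check_new_password(username, new_password, history, last_changed, today, policy=POLICY):
    """Return the list of policy violations for a proposed change (empty = acceptable).

    history: digests of previous passwords, most recent first.
    last_changed: date on which the current password was set.
    """
    problems = []
    if len(new_password) < policy["min_length"]:
        problems.append("shorter than minimum length")
    if policy["complexity"] and not is_complex(new_password, username):
        problems.append("does not meet complexity requirements")
    if password_digest(new_password) in history[:policy["history_length"]]:
        problems.append("reuses a password kept in history")
    if today - last_changed < timedelta(days=policy["min_age_days"]):
        problems.append("current password is younger than minimum age")
    return problems


def password_expired(last_changed, today, policy=POLICY):
    """True once the maximum password age has been exceeded."""
    return today - last_changed > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    today = date(2024, 3, 1)
    history = [password_digest("Winter2023!!"), password_digest("Autumn2023!!")]
    print(check_new_password("jsmith", "Winter2023!!", history, date(2024, 1, 15), today))
    print(check_new_password("jsmith", "Tr0ub4dor&Rain", history, date(2024, 1, 15), today))
    print(password_expired(date(2023, 11, 1), today))
```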
Account lockout policies should be implemented if your environment is particularly
vulnerable to threats arising from passwords being guessed. Implementing an
account lockout policy ensures that a user's account is locked after an individual has
made several unsuccessful attempts to provide the correct password. The important
factor to remember when defining an account lockout policy is that you should
implement a policy that permits some degree of user error, but that also prevents hackers
from using your user accounts. The following password and account lockout settings are
located in the Account Lockout Policy area in Account Policies:
○ Account lockout threshold: This setting controls the number of failed logon attempts
after which the account is locked out of the system.
○ Account lockout duration: This setting controls how long an account that has been
locked out remains locked. A setting of 0 means that an administrator has to
manually unlock the locked account.
○ Reset account lockout counter after: This setting determines the time that must
elapse after a failed logon attempt before the failed logon attempt counter is reset
to zero.
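The interaction of the three settings is easier to see in code. The following is an added example (not the article's or Microsoft's code) that simulates an account under an account lockout policy; time is measured in whole minutes and the logon sequences are constructed:

```python
# Added example (not from the article): simulation of the three account
# lockout settings. Time is in whole minutes; sequences are constructed.
class AccountLockoutPolicy:
    def __init__(self, threshold, lockout_duration, reset_counter_after):
        self.threshold = threshold                      # failed attempts before lockout (0 = never lock)
        self.lockout_duration = lockout_duration        # minutes; 0 = locked until an administrator unlocks
        self.reset_counter_after = reset_counter_after  # quiet minutes after which the counter resets


class Account:
    def __init__(self, name, password, policy):
        self.name = name
        self._password = password
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None    # minute of the most recent failed attempt
        self.locked_at = None   # minute the lockout began, or None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.lockout_duration == 0:
            return True         # stays locked until unlock() is called
        if now - self.locked_at >= self.policy.lockout_duration:
            self.locked_at = None   # the lockout duration has expired
            self.bad_count = 0
            return False
        return True

    def unlock(self):
        """Administrative unlock (the only way out when lockout_duration is 0)."""
        self.locked_at = None
        self.bad_count = 0

    def logon(self, password, now):
        """Attempt a logon at minute `now`; returns 'success', 'bad password' or 'locked out'."""
        if self.is_locked(now):
            return "locked out"
        # Reset the counter if the quiet period has elapsed since the last failure.
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_counter_after:
            self.bad_count = 0
        if password == self._password:
            self.bad_count = 0
            return "success"
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
        return "bad password"


def run_sequence(policy, attempts, real_password="correct horse"):
    """Replay (minute, password) attempts against one account; return the outcomes."""
    acct = Account("jsmith", real_password, policy)
    return [acct.logon(pw, t) for t, pw in attempts]


if __name__ == "__main__":
    policy = AccountLockoutPolicy(threshold=3, lockout_duration=30, reset_counter_after=30)
    # Constructed sequence: three quick failures, the right password while locked, then after expiry.
    print(run_sequence(policy, [(0, "x"), (1, "y"), (2, "z"), (3, "correct horse"), (40, "correct horse")]))
```

With a short "reset counter after" value, failures spread far enough apart never accumulate to the threshold, which is the "some degree of user error" the text asks the policy to allow; with a duration of 0 the lockout never clears on its own.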
• Brute force attack: Brute force attacks simply attempt to decode a cipher by trying each
possible key to find the correct one. This type of network attack systematically uses all
possible alpha, numeric, and special character key combinations to find a password that is
valid for a user account. Brute force attacks are also typically used to compromise
networks that utilize the Simple Network Management Protocol (SNMP). Here, the network
attacker initiates a brute force attack to find the SNMP community names so that he/she can
outline the devices and services running on the network. A few methods of preventing
brute force attacks are listed here:
○ Enforce the use of long password strings.
○ For SNMP use long, complex strings for community names.
○ Implement an intrusion detection system (IDS). By examining traffic patterns, an
IDS is capable of detecting when brute force attacks are underway.
• Denial of Service (DoS) attack: A DoS attack is aimed at preventing authorized,
legitimate users from accessing services on the network. The DoS attack is not aimed at
gathering or collecting data. It is aimed at preventing the normal use of computers or the
network by authorized, legitimate users. The SYN flood from 1996 was the earliest form
of DoS attack which exploited a vulnerability of the Transmission Control Protocol
(TCP). A DoS attack can be initiated by sending invalid data to applications or network
services until the server hangs or simply crashes. The most common form of DoS attack
is the TCP attack. DoS attacks can use any of the following methods to prevent authorized
users from using the network services, computers, or applications:
○ Flood the network with invalid data until traffic from authorized network users
cannot be processed.
○ Flood the network with invalid network service requests until the host providing
that particular service cannot process requests from authorized network users. The
network would eventually become overloaded.
○ Disrupt communication between hosts and clients through either of the following
methods:
▪ Modification of system configurations.
▪ Physical destruction of the network. Crashing a router, for instance, would
prevent users from accessing the system.
There are a number of tools easily accessible and available on the Internet which can be
used to initiate DoS attacks:
○ Bonk
○ LAND
○ Smurf
○ Teardrop
○ WinNuke
A network attacker can increase the scale of a DoS attack by initiating the attack
against a single network from multiple computers or systems. This type of attack is
known as a distributed denial of service (DDoS) attack. Network administrators can
experience great difficulty in fending off DDoS attacks, simply because blocking all the
attacking computers can also result in blocking authorized users. The following
measures can be implemented to protect a network against DoS attacks:
○ Implement and enforce strong password policies.
○ Back up system configuration data regularly.
○ Disable or remove all unnecessary network services.
○ Implement disk quotas for your user and service accounts.
○ Configure filtering on your routers and patch operating systems.
The following measures can be implemented to protect a network against DDoS attacks:
○ Limit the number of ICMP and SYN packets on router interfaces.
○ Filter private IP addresses using router access control lists.
○ Apply ingress and egress filtering on all edge routers.
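The SYN flood named above can be recognised from the pattern it leaves: many connection attempts that never complete the TCP handshake. The following is an added example (not from the article) that tracks half-open connections per destination in a constructed packet trace; the trace format, the window and the thresholds are assumptions to be tuned against a site's own baseline:

```python
# Added example (not from the article): SYN flood detection by counting
# half-open connections in a constructed packet trace of
# (seconds, src_ip, dst_ip, tcp_flag) records.
from collections import defaultdict

# Constructed sample trace. Two normal clients complete the handshake
# (SYN then ACK); 400 other sources send a SYN each and never follow up.
TRACE = [(0.00, "203.0.113.10", "10.1.1.5", "SYN"),
         (0.01, "203.0.113.10", "10.1.1.5", "ACK")]
TRACE += [(0.02 + i * 0.001, f"10.9.{i // 250}.{i % 250 + 1}", "10.1.1.5", "SYN")
          for i in range(400)]
TRACE += [(0.60, "198.51.100.4", "10.1.1.5", "SYN"),
          (0.61, "198.51.100.4", "10.1.1.5", "ACK")]


def half_open_summary(trace, window=1.0):
    """Per destination: SYNs seen, handshakes completed and connections left
    half-open within `window` seconds of the first packet.

    A SYN opens a pending (src, dst) entry; a later ACK from the same source
    closes it. Whatever is still pending at the end of the window is half-open.
    """
    pending = set()
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0})
    start = trace[0][0] if trace else 0.0
    for t, src, dst, flag in trace:
        if t - start > window:
            break
        if flag == "SYN":
            pending.add((src, dst))
            stats[dst]["syn"] += 1
        elif flag == "ACK" and (src, dst) in pending:
            pending.discard((src, dst))
            stats[dst]["completed"] += 1
    for _src, dst in pending:
        stats[dst]["half_open"] += 1
    return dict(stats)


def syn_flood_suspected(trace, window=1.0, min_syns=100, min_half_open_ratio=0.8):
    """Destinations whose half-open ratio in the window looks like a SYN flood.
    The thresholds are assumptions; a real deployment tunes them to its baseline."""
    flagged = []
    for dst, s in half_open_summary(trace, window).items():
        if s["syn"] >= min_syns and s["half_open"] / s["syn"] >= min_half_open_ratio:
            flagged.append(dst)
    return flagged


if __name__ == "__main__":
    print(half_open_summary(TRACE))
    print("suspected SYN flood against:", syn_flood_suspected(TRACE))
```

The ratio, not the raw SYN count, is what separates a flood from a busy but healthy server: a popular service also sees many SYNs, but almost all of them complete.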
• Man-in-the-middle (MITM) attack: A man-in-the-middle (MITM) attack occurs when a
hacker eavesdrops on a secure communication session and monitors, captures and
controls the data being sent between the two parties communicating. The attacker
attempts to obtain information so that he/she can impersonate the receiver and sender
communicating. For a man-in-the-middle (MITM) attack to be successful, the following
sequence of events has to occur:
○ The hacker must be able to obtain access to the communication session to capture
traffic when the receiver and sender establish the secure communication session.
○ The hacker must be able to capture the messages being sent between the parties
and then send messages so that the session remains active.
Some public key cryptography systems, such as the Diffie-Hellman (DH) key
exchange, are susceptible to man-in-the-middle attacks. This is because the basic
Diffie-Hellman (DH) key exchange provides no authentication of the parties.
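To make the last point concrete, the following added example (not from the article, and using toy parameters far too small for real use) runs a Diffie-Hellman exchange over a channel that may substitute the public values, first without authentication and then with each public value tagged by an HMAC under a constructed pre-shared key. Without authentication the two endpoints silently end up with different keys; with the tag, the substituted value is rejected:

```python
# Added example (not from the article): unauthenticated vs. HMAC-authenticated
# Diffie-Hellman over a channel that may substitute public values.
# P, G and PSK are toy/constructed values, not parameters for real use.
import hashlib
import hmac
import secrets

P = 2**127 - 1      # toy modulus (a Mersenne prime; far too small for real use)
G = 5
PSK = b"constructed long-term key shared by the two parties"


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Session key derived from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()


def tag(pub):
    """Authenticate a public value under the pre-shared key."""
    return hmac.new(PSK, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def exchange(channel, authenticated):
    """Run one exchange. `channel(msg)` models the network path and may return
    something other than what it was given. Returns (alice_key, bob_key,
    rejected); rejected is True when a tag check failed and no key was derived."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_sent = (a_pub, tag(a_pub) if authenticated else b"")
    b_sent = (b_pub, tag(b_pub) if authenticated else b"")
    a_recv = channel(b_sent)    # what Alice receives of Bob's message
    b_recv = channel(a_sent)    # what Bob receives of Alice's message
    if authenticated:
        ok_a = hmac.compare_digest(a_recv[1], tag(a_recv[0]))
        ok_b = hmac.compare_digest(b_recv[1], tag(b_recv[0]))
        if not (ok_a and ok_b):
            return None, None, True
    return dh_shared(a_priv, a_recv[0]), dh_shared(b_priv, b_recv[0]), False


def honest_channel(msg):
    return msg


def make_interposer():
    """A channel that delivers its own public value instead of the sender's.
    Lacking the PSK, it can only attach an empty tag."""
    _priv, pub = dh_keypair()
    return lambda msg: (pub, b"")


def demo():
    honest = exchange(honest_channel, authenticated=False)
    interposed = exchange(make_interposer(), authenticated=False)
    interposed_auth = exchange(make_interposer(), authenticated=True)
    return {"honest_keys_match": honest[0] == honest[1],
            "interposed_keys_match": interposed[0] == interposed[1],
            "interposed_authenticated_rejected": interposed_auth[2]}


if __name__ == "__main__":
    print(demo())
```

In the unauthenticated run neither endpoint sees an error: each simply holds a key that the other does not, which is exactly the condition under which the session can be read and altered in transit. Real protocols authenticate the exchange with certificates or a pre-shared key for the same reason.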
What are viruses?
A virus can be defined as malicious code which infects files on a system and then
replicates by creating numerous copies of itself. Viruses usually lead to some sort of data
loss, and/or system failure.
There are numerous methods by which a virus can get into a system:
• Through infected floppy disks.
• Through an e-mail attachment infected with the virus.
• Through downloading software infected with the virus.
A few common types of viruses are listed here:
• Boot sector viruses: These are viruses that infect a hard drive's master boot record. The
virus is then loaded into memory whenever the system starts or is rebooted.
• File viruses or program viruses or parasitic viruses: These are viruses that are attached
to executable programs. Whenever the particular program is executed, the viruses are
loaded into memory.
• Multipartite viruses: These are viruses which are a combination of a boot sector virus and
a file virus.
• Macro viruses: These are viruses that are written in macro languages utilized by
applications, of which Microsoft Word is one. Macro viruses usually infect systems
through e-mail.
• Polymorphic viruses: These viruses can be considered as being the more difficult viruses
to fend against because they can modify their code. Virus protection software often finds
polymorphic viruses harder to detect and remove.
If you discover that a virus has infected your system, use the recommendations listed here:
• Scan each of your systems to gauge how infected your infrastructure is.
• To prevent the virus from spreading any further, immediately disconnect all
infected systems.
• All infected systems should be restored from a clean backup copy, that is, a backup
which was taken when the system was free from virus infection.
• Inform the antivirus vendor so that the vendor's virus signature database is updated
accordingly.
A few methods of protecting your network infrastructure against viruses are listed here:
• Install virus protection software on systems.
• Regularly update all installed virus protection software.
• Regularly back up systems after they have been scanned for viruses, and are considered
clean from virus infection.
• Your users should be educated to not open any e-mail attachments which were sent from
individuals they do not recognize.
What are worms?
As mentioned previously, a virus is a form of malicious code that infects files on the system. A
worm, on the other hand, is autonomous code that propagates over a network, consuming hard
drive space and processor cycles. Worms not only infect files on one system but can propagate
to other systems on the network. The purpose of a worm is to deplete available system resources,
which is why a worm makes copies of itself over and over. Worms basically
replicate until available memory is used, bandwidth is unavailable, and
legitimate network users are no longer able to access network resources or services.
A few worms are sophisticated enough to corrupt files, render systems inoperable,
and even steal data. These worms usually carry one or more pieces of viral code.
A few previously encountered worms are listed here:
• The ADMw0rm worm took advantage of a buffer overflow in Berkeley Internet Name
Domain (BIND).
• The Code Red worm utilized a buffer overflow vulnerability in Microsoft Internet
Information Services (IIS) version 4 and IIS version 5.
• The LifeChanges worm exploited a Microsoft Windows weakness which allowed scrap
shell files to be utilized for running arbitrary code.
• The LoveLetter worm used a Visual Basic Script to replicate or mass mail itself to all
individuals in the Windows address book.
• The Melissa worm utilized a Microsoft Outlook and Outlook Express vulnerability to
mass mail itself to all individuals in the Windows address book.
• The Morris worm exploited a Sendmail debug mode vulnerability.
• The Nimda worm managed to run e-mail attachments in Hypertext Markup Language
(HTML) messages through the exploitation of HTML IFRAME tag.
• The Slapper worm exploited an Apache Web server platform buffer overflow
vulnerability.
• The Slammer worm exploited a buffer overflow vulnerability on un-patched machines
running Microsoft SQL Server.
What are Trojan Horses?
A Trojan horse or simply Trojan, is a file or e-mail attachment which is disguised as being a
friendly, legitimate file. When executed though, the file corrupts data and can even install a
backdoor which hackers can utilize to access the network.
A Trojan horse differs from a virus or worm in the following ways:
• Trojan horses disguise themselves as friendly programs. Viruses and worms are much
more obvious in their actions.
• Trojan horses do not replicate like worms and viruses do.
A few different types of Trojan horses are listed here:
• Keystroke loggers monitor the keystrokes that a user types and then e-mail the
information to the network attacker.
• Password stealers are disguised as legitimate login screens which wait for users to
provide their passwords so that they can be stolen by hackers. Password stealers are
aimed at discovering and stealing system passwords for hackers.
• Remote administration tools (RATs) are used by hackers to gain control over the network
from some remote location.
• Zombies are typically used to initiate distributed denial of service (DDoS) attacks on the
hosts within a network.
Predicting Network Threats
To protect your network infrastructure, you need to be able to predict the types of network
threats to which it is vulnerable. This should include an analysis of the risk that each identified
network threat poses to the network infrastructure.
A model known as STRIDE is used by security experts to classify network threats:
• Spoofing identity: These are attacks that are aimed at obtaining user account information.
Spoofing identity type attacks typically affect data confidentiality.
• Tampering with data: These are attacks that are aimed at modifying company
information. Data tampering usually affects the integrity of data. A man-in-the-middle
attack is a form of data tampering.
• Repudiation: Repudiation takes place when a user performs some form of malicious
action on a resource and then later denies carrying out that particular activity. Network
administrators usually have no evidence which they can use to back up their suspicions.
• Information disclosure: Here, private and confidential information is made available to
individuals who should not have access to the particular information. Information
disclosure usually impacts data confidentiality and network resource confidentiality.
• Denial of service: These attacks affect the availability of company data and network
resources and services. DoS attacks are aimed at preventing legitimate users from
accessing network resources and data.
• Elevation of privilege: Elevation of privilege occurs when an attacker escalates his/her
privileges to obtain a high level of access like administrative privileges, in an attempt to
gain control of the network system.
Identifying Threats to DHCP Implementations
A few threats specific to DHCP implementations are listed here:
• Because the number of IP addresses in a DHCP scope is limited, an unauthorized user could
initiate a denial of service (DoS) attack by requesting or obtaining a large number of IP
addresses.
• A network attacker could use a rogue DHCP server to offer incorrect IP addresses to your
DHCP clients.
• A denial of service (DoS) attack can be launched through an unauthorized user
performing a large number of DNS dynamic updates via the DHCP server.
• Assigning DNS IP addresses and WINS IP addresses through the DHCP server increases
the possibility of hackers using this information to attack your DNS and WINS servers.
To protect your DHCP environment from network attacks, use the following strategies:
• Implement firewalls.
• Close all open, unused ports.
• If necessary, use VPN tunnels.
• Use MAC address filters.
Identifying Threats to DNS Implementations
A few threats specific to DNS implementations are listed here:
• Denial of service (DoS) attacks occur when DNS servers are flooded with recursive
queries in an attempt to prevent the DNS server from servicing legitimate client requests
for name resolution. A successful DoS attack can result in the unavailability of DNS
services, and in the eventual shutdown of the network.
• In DNS, footprinting occurs when an intruder intercepts DNS zone information. When
the intruder has this information, the intruder is able to discover DNS domain names,
computer names, and IP addresses which are being used on the network. The intruder
then uses this information to decide which computers he/she wants to attack.
• IP Spoofing: After an intruder has obtained a valid IP address from a footprinting attack,
the intruder can use the IP address to send malicious packets to the network, or access
network services. The intruder can also use the valid IP address to modify data.
• In DNS, a redirection attack occurs when an intruder is able to make the DNS server
forward or redirect name resolution requests to the incorrect servers. In this case, the
incorrect servers are under the control of the intruder. A redirection attack is achieved by
an intruder corrupting the DNS cache in a DNS server that accepts unsecured dynamic
updates.
To protect an external DNS implementation from network attacks, use the following list of
recommendations:
• DNS servers should be placed in a DMZ or in a perimeter network.
• Access rules and packet filtering should be configured on firewalls to control both source
and destination addresses and ports.
• Host your DNS servers on different subnets and ensure that the DNS servers have
different configured routers.
• Install the latest service packs on your DNS servers.
• All unnecessary services should be removed.
• Secure zone transfer data by using VPN tunnels or IPSec.
• Ensure that zone transfer is only allowed to specific IP addresses.
• For Internet facing DNS servers, disable recursion, disable dynamic updates, and enable
protection against cache pollution.
• You can use a stealth primary server to update secondary DNS servers which are
registered with ICANN.
Identifying Threats to Internet Information Server (IIS) servers (Web servers)
The security vulnerabilities of the earlier versions of Internet Information Server (IIS), including
IIS version 5, were continuously patched up by service packs and hotfixes available from
Microsoft. Previously when IIS was installed, all services were enabled and started; all service
accounts had high system rights; and permissions were assigned to the lowest levels. This
basically meant that the IIS implementation was vulnerable to all sorts of attacks from hackers.
Microsoft introduced the Security Lockdown Wizard in an attempt to address the security
loopholes and vulnerabilities which existed in the previous versions of IIS. The Security
Lockdown Wizard in IIS 6 has been included in the Web Service Extensions (WSE).
IIS is installed in locked-down mode with IIS 6. The only feature immediately available is to
access static content. You actually need to utilize the WSE feature in the IIS Manager console
tree to manually enable IIS to run applications and its features. By default, all applications and
extensions are prohibited from running.
To protect IIS servers from network attacks, use the following recommendations:
• To prevent hackers from using default account names, all default account names,
including the Administrator account and Guest account should be changed. You should
utilize names for these accounts which are difficult to guess.
• To prevent a hacker from compromising Active Directory should the Web server be
compromised, the Web server should be a stand-alone server or a member of a forest
other than the one used by the private network.
• All the latest released security updates, service packs, and hotfixes should be applied to
the Web server.
• All sample applications should be removed from a Web server. A few sample application
files are installed by default with IIS 5.0.
• All unnecessary services should be removed or disabled. This would ensure that network
attackers cannot exploit these services to compromise the Web server.
• Disable the utilization of parent paths. Hackers typically attempt to access unauthorized
disk subsystem areas through parent paths.
• Apply security to each content type. Content should be categorized into separate folders,
based on content type. You should then apply discretionary access control lists for each
content type you have identified.
• To protect commonly attacked ports, use IPSec.
• To protect the secure areas of the Web server, use the Secure Socket Layer (SSL)
protocol.
• To detect hacking activity, implement an intrusion detection system (IDS).
• A few recommendations for writing secure code for ASP or ASP.NET applications are
summarized here:
○ ASP pages should not contain any hard-coded administrator account names and
administrator account passwords.
○ Sensitive and confidential information and data should not be stored in hidden
input fields on Web pages and in cookies.
○ Verify and validate form input prior to it being processed.
○ Do not use information from HTTP request headers to code decision branches for
applications.
○ Be wary of buffer overflows generated by unsound coding standards.
○ Use Secure Sockets Layer (SSL) to encrypt session cookies.
Identifying Threats to Wireless Networks
A few threats specific to wireless networks are listed here:
• Eavesdropping attacks: The hacker attempts to capture traffic when it is being transmitted
from the wireless computer to the wireless access point (WAP).
• Masquerading: Here, the hacker masquerades as an authorized wireless user to access
network resources or services.
• Denial of service (DoS) attacks: The network attacker attempts to prevent authorized
wireless users from accessing network resources by using a transmitter to block wireless
frequencies.
• Man-in-the-middle attacks: If an attacker successfully launches a man-in-the-middle
attack, the attacker could replay and modify wireless communications.
• Attacks at wireless clients: The attacker starts a network attack at the actual wireless
computer which is connected to an untrusted wireless network.
To protect wireless networks from network attacks, use the following strategies:
• Administrators should require all wireless communications to be authenticated and
encrypted. The common technologies used to protect wireless networks from security
threats are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and IEEE
802.1X authentication.
• Regularly apply all firmware updates to your wireless devices.
• Place the wireless network in a wireless demilitarized zone (WDMZ). A router or firewall
should isolate the private corporate network from the WDMZ. DHCP should not be used
in the wireless demilitarized zone.
• To ensure a high level of wireless security, your wireless devices should support 802.1X
authentication using Extensible Authentication Protocol (EAP) authentication; Temporal
Key Integrity Protocol (TKIP); and use IPSec to secure communication between the AP
and the RADIUS server.
• The default administrative password utilized to manage the AP should be a complex,
strong password.
• The SSID should not contain the name of the company, the address of the company, or
any other identification-type information.
• You should not utilize shared key encryption because it can lead to the compromise of
the WEP keys.
• To protect the network from site survey mechanisms, disable SSID broadcasts.
Determining Security Requirements for Different Data Types
When determining security requirements for different data types it is often helpful to categorize
data as follows:
• Public data: This category includes all data which is already publicly available on the
company's Web site or news bulletins. Because the data is already publicly available, no
risk is typically associated with the data being stolen. You do however need to maintain
and ensure the integrity of public data.
• Private data: Data that falls within this category is usually well-known within your
organization's environment but is not well-known to the outside public. A typical
example of data that falls within this category is data on the corporate intranet.
• Confidential data: Data that falls within this category is data such as private customer
information that should be protected from unauthorized access. The organization would
almost always suffer some sort of loss if confidential data is intercepted.
• Secret data: This is data which can be considered more confidential and sensitive in
nature than confidential data. Secret data consists of trade secrets, new product and
business strategy information, and patent information. Secret data should have the highest
levels of security.
Creating an Incident Response Plan
The term incident response refers to planned actions in response to a network attack or
any similar event that affects systems, networks and company data. An Incident Response plan is
aimed at outlining the response procedures that should take place when a network is being
attacked or security is being compromised.
The Incident Response plan should help an organization deal with the incident in an
orderly manner. Reacting to network attacks by following a planned approach defined by a
security policy is the better approach.
These security policies should clearly define the following:
• The response to follow for each different type of incident.
• The individual(s) who are responsible for dealing with these incidents.
• The escalation procedures which should be followed.
An Incident Response plan can be divided into the following four steps:
• Response: Determine how network attacks and security breaches will be dealt with.
• Investigation: Determine how the attack occurred, why the specific attack occurred, and
the extent of the attack.
• Restoration: All infected systems should be taken offline and then restored from a clean
backup.
• Reporting: The network attack or security breach should be reported to the appropriate
authorities.
Before you attempt to determine the existing state of a machine that is being attacked, it is
recommended that you first record the information listed here:
• The name of the machine.
• The IP address of the machine.
• The installed operating system, operating system version, and installed service packs.
• All running processes and services.
• List all parties that are dependent on the server. These are the individuals who you need
to inform of the current situation.
• Obtain the following valuable information:
○ Application event log information.
○ System event log information.
○ Security event log information.
○ All other machine specific event logs, such as DNS logs, DHCP logs, or File
Replication logs.
• Record all information which indicates malicious activities. This should include:
○ All files that have been modified, corrupted, or deleted.
○ All unauthorized processes running.
• Try to identify and record the source of the network attack.
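The list above asks for a record of all files that have been modified, corrupted or deleted. One way to produce that record is to compare a known-good hash baseline against the current state of the system, as in this added Python example (not from the article); the directory tree and the tampering are constructed in a temporary folder so that it runs offline:

```python
# Added example (not from the article): a file-integrity baseline for incident
# response, listing files modified, added or deleted since a known-good snapshot.
# The sample tree is constructed in a temporary directory.
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def compare_baselines(before, after):
    """Return sorted lists of modified, added and deleted relative paths."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    return {"modified": modified, "added": added, "deleted": deleted}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Create a constructed tree, snapshot it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/service.exe", b"original binary contents")
        _write(root, "config.ini", b"[settings]\nlevel=1\n")
        _write(root, "readme.txt", b"hello")
        before = build_baseline(root)
        # Simulated tampering: one file replaced, one added, one removed.
        _write(root, "bin/service.exe", b"replaced binary contents")
        _write(root, "bin/extra.dll", b"unexpected new file")
        os.remove(os.path.join(root, "readme.txt"))
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken from a clean build or from the backup the Restoration step refers to, and stored off the host so that an intruder cannot alter it along with the files it describes.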

Responding to Network Attacks and Security Incidents
Network Attacks Review
A network attack occurs when an attacker or hacker uses certain methods or technologies to
maliciously attempt to compromise the security of a network. Hackers attack corporate networks
to use data for financial gain or for industrial espionage, to illegally use user accounts and
privileges, to run code to damage and corrupt data, to steal data and software, to prevent
legitimate authorized users from accessing network services, and for a number of other reasons.
External attacks are performed by individuals who are external to the target network or
organization. External threats are usually
performed by using a predefined plan and the skills of the attacker(s). One of the main
characteristics of external threats is that they usually involve scanning and gathering information.
Structured external threats originate from criminal hackers and are usually initiated by attackers
that have a premeditated thought on the actual damages and losses which they want to cause.
Possible motives for structured external threats include greed, politics, terrorism, racism and
criminal payoffs. Criminal hackers are highly skilled in network design, methods of
avoiding security measures, Intrusion Detection Systems (IDSs), access procedures, and hacking
tools.
Unstructured external threats originate from an inexperienced attacker, typically from a script
kiddie. A script kiddie is an inexperienced attacker who uses cracking or scripted tools readily
available on the Internet, to perform a network attack.
Remote external attacks are usually aimed at the services which an organization offers to the
public. Remote external attacks can also be aimed at the services available for internal users,
aimed at locating modems to access the corporate network, and attempts to brute force password
authenticated systems. Local external attacks originate from situations where computing
facilities are shared, and access to the system can be obtained.
Internal threats originate from dissatisfied or unhappy internal employees or contractors. Internal
attackers have some form of access to the system and usually try to hide their attack as a normal
process.
Hackers normally launch a number of different attacks to attempt to access a network.
Footprinting is the initial step in hacking a corporate network. The purpose of footprinting is to
create a map of the network to determine what operating systems, applications and address
ranges are being utilized, and to identify any accessible open ports. Port scanning occurs when a
hacker collects information on the network services on a target network. The hacker attempts to
find open ports on the target system. A hacker might use Enumeration to collect information on
applications and hosts on the network, and on the user accounts utilized on the network.
Enumeration is particularly successful in networks that contain unprotected network resources
and services. A network attacker can launch an Access attack to exploit a security weakness in
order to gain access to a system or the network. Trojan horses and password hacking programs
are typically used to obtain system access. When access is obtained, the intruder is able to
modify or delete data and add, modify or remove network resources. Unauthorized privilege
escalation is another common type of attack. Privilege escalation occurs when an intruder
attempts to obtain a higher level of access such as administrative privileges to gain control of the
network system. A hacker can also implement a mechanism such as some form of access
granting code with the intent of using it at some future stage. Backdoors are installed by
attackers so that they can easily access the system at some later date. After a system is
compromised, you can remove any installed backdoors by reinstalling the system from a backup
which is secure.
A few of the more common types of network attacks initiated by hackers are listed here:
• An eavesdropping attack occurs when an attacker monitors or listens to network traffic
in transit, and then interprets all unprotected data. Hackers only need a sniffer technology
to eavesdrop on an Internet Protocol (IP) based network to capture traffic in transit.
• IP address spoofing occurs when an attacker assumes the source IP address of IP packets
to make it appear as though the packet originated from a valid IP address. The aim of an
IP address spoofing attack is to identify computers on a network.
• Sniffing occurs when attackers capture and analyze network traffic. The tools used for
sniffing are called sniffers or protocol analyzers. A Sniffer attack occurs when hackers
use Sniffers to monitor, capture and obtain specific network information, such as
passwords and valuable customer information.
• Password attacks are aimed at guessing the password for a system until the correct
password is determined. Network attackers can obtain user ID and password information
and can then pose as authorized users and attack the corporate network. Attackers can
utilize attacks such as dictionary attacks or brute force attacks to obtain access to
resources with the same rights as the authorized user.
• A Brute force attack attempts to decode a cipher by trying each possible key until it finds
the correct one. This type of network attack systematically tries all possible alpha,
numeric, and special character key combinations to discover a password that is valid for a
user account. Brute force attacks are also typically used to compromise networks that
utilize Simple Network Management Protocol (SNMP).
• A Denial of Service (DoS) attack is aimed at preventing authorized, legitimate users from
accessing services on the network. A DoS attack can be initiated by sending invalid data
to applications or network services until the server hangs or simply crashes. The most
common form of DoS attack is the TCP attack.
• A network attacker can increase the scale of a DoS attack by initiating the attack
against a single network from multiple computers or systems. This type of attack is
known as a distributed denial of service (DDoS) attack. Network administrators can
experience great difficulty in fending off DDoS attacks, simply because blocking all the
attacking computers can also result in blocking authorized users.
• A man-in-the-middle (MITM) attack occurs when a hacker eavesdrops on a secure
communication session and monitors, captures and controls the data being sent between
the two parties communicating. The attacker attempts to obtain information so that he/she
can impersonate the receiver and sender.
The best method of protecting a network against external and internal attacks is to implement an
Intrusion Detection System (IDS), and to configure it to scan for both external and internal
attacks. All forms of attacks should be logged and the logs should be reviewed and followed up.
To protect your network against network attacks and security breaches, you need to be able to
predict the types of network threats to which the network is vulnerable. This should include an
analysis of the risks that each identified network threat imposes on the network infrastructure.
You should create an Incident Response plan to assist you with dealing with all security
breaches and incidents in an orderly manner. Reacting to network attacks by following a planned
approach defined by a security policy is the better approach. These security policies should
clearly define the response to follow for each different type of incident, the individual(s) who are
responsible for dealing with these incidents, and the escalation procedures which should be
followed. Ensure that the Incident Response plan details response procedures that should take
place when the network is being attacked or security is being compromised.
Your Incident Response plan should indicate who the members of the Incident Response team
are. The members of the Incident Response team would be responsible for dealing with network
attacks and security breaches when they occur. The Incident Response team should consist of
individuals who are skilled and trained to deal with security incidents in a systematic manner so
that the organization can quickly recover from security incidents and resume its normal
operations.
Analyzing a Security Incident
A security incident can fall in either of the following broad categories of threats:
• Cracking in progress attacks: Cracking is the terminology utilized to refer to the illegal
process of changing software, deciphering encrypted data, or evading authentication
solutions to break into a system or network to access data. Cracking in progress attacks
refer to threats occurring where the attacker’s presence still exists on the network. If the
network attacker is no longer present on the network, there is a strong possibility that the
attacker might still return. After an analysis of the evidence of the incident indicates this
type of threat, the Incident Response team should be prepared for almost anything. Most
hackers, though, try not to get caught. They usually access the system, install a backdoor,
hide their activities, and then leave the system, only to return at some later date. Cracking
in progress attacks are not typically encountered on networks while they are actually
happening.
Should you however discover a hacker actively busy on the network, you can do either of
the following:
○ Immediately prevent the hacker from performing any further activities by
blocking access to the system from the connection used by the hacker.
○ Monitor the activities of the hacker to try and establish the source.
• Denial of Service (DoS) attacks: DoS attacks are aimed at preventing authorized,
legitimate users from accessing services on the network. There are numerous different
forms of a DoS attack. The different methods hackers can use to initiate DoS attacks are
listed here:
○ The hacker can flood the network with invalid data until traffic from authorized
network users cannot be processed.
○ The hacker can flood the network with invalid network service requests until the
host providing that particular service cannot process requests from authorized
network users. The network would eventually become overloaded.
○ The attacker can disrupt communication between hosts and clients by modifying
system configurations, or through the physical destruction of the network.
With respect to DHCP, a denial of service (DoS) attack can be launched through an
unauthorized user performing a large number of DNS dynamic updates via the DHCP
server. With DNS, DoS attacks occur when DNS servers are flooded with recursive
queries in an attempt to prevent the DNS server from servicing legitimate client requests
for name resolution. A successful DoS attack can result in the unavailability of DNS
services, and in the eventual shut down of the network. With wireless networks, the
network attacker usually initiates a DoS attack in an attempt to prevent authorized
wireless users from accessing network resources by using a transmitter to block wireless
frequencies.
The different forms of DoS attacks are:
○ Smurf attack: Smurf attacks exploit Internet Control Message Protocol (ICMP).
The methods which you can use to handle Smurf attacks are listed here:
▪ Disable hosts from responding to ICMP packets transmitted to a broadcast
address.
▪ Disable IP broadcast traffic on perimeter routers.
▪ To stop spoofed traffic from moving over the network, enable ingress
filtering on perimeter routers.
○ SYN flooding attacks: This form of DoS attack uses SYN packets in the attack to
deplete system resources. The methods which you can use to handle SYN
flooding attacks are listed here:
▪ Enable ingress filtering on service provider routers.
▪ Configure firewalls to block SYN attacks when they actually happen.
▪ To allow a greater number of simultaneous connection attempts, you
should increase the size of your TCP connection buffers.
▪ Consider decreasing the time out setting for TCP connection attempts.
• Network scanning: Scanning occurs when intruders collect information on the services
and resources on a target network. Here, the intruder attempts to find open ports on the
target system. A few scanning methods used by network attackers to gather information
on your network are:
○ With the Vanilla scan/SYN scan, TCP SYN packets are sent to the ports of each
address in an attempt to connect to all ports. Port numbers 0 - 65,535 are utilized.
○ With a Strobe scan, the attacker attempts to connect to a specific range of ports
which are typically open on Windows based hosts or UNIX/Linux based hosts.
○ A Sweep scan scans a large set of IP addresses in an attempt to detect a system
that has one open port.
○ A Passive scan occurs when network traffic entering or leaving the network is
captured and the traffic is then analyzed to determine what the open ports are on
the hosts within the network.
○ With a User Datagram Protocol (UDP) scan, empty UDP packets are sent to the
different ports of a set of addresses to determine how the operating system responds.
Closed UDP ports respond with the Port Unreachable message when empty
UDP packets are received. Other operating systems respond with the Internet
Control Message Protocol (ICMP) error packet.
○ With an FTP bounce, the scan is initiated from an intermediary File Transfer
Protocol (FTP) server in an attempt to hide the location of the attacker.
○ In a FIN scan, TCP FIN packets that specify that the sender wants to close a TCP
session are sent to each port for a range of IP addresses.
Because the attacker uses network scanning to basically collect information on your
network, you should immediately block access to the network.
• Evidence of previous compromise: There may be occasions when you discover puzzling
files on a server. This could be indicative that the system was attacked without you being
aware of it. This type of attack should be dealt with immediately because the hacker
could be returning at any time to fully compromise your systems.
What is a compromised system?
A compromised system is a system that had its security defences penetrated by a hacker through
some form of vulnerability being exploited. In this case, the hacker usually assumed some form
of control over the target system.
Systems end up being compromised when hackers find vulnerabilities in the system. A few
vulnerabilities that hackers typically exploit to access and compromise systems are:
• Errors in the configuration of a network service.
• A known weakness in an underlying protocol utilized by a service hosted on the system.
• An operating system bug.
• An application bug.
A few recommendations for dealing with compromised systems are listed here:
• The system should be disconnected from the network.
• You should immediately report the attack to management and your law enforcement
body, and you should also report the event to an incident response center.
• If possible, you should perform imaging of the system for analysis of the attack.
• Look for any modifications made to the following components:
○ System files.
○ Data files.
○ Configuration files.
○ Configuration settings.
○ Deleted data.
• You should use a clean install to recover a compromised system.
• The system should then be hardened from attacks of the same nature.
Collecting Evidence of Network Attacks
Before you attempt to determine the existing state of a machine that is being attacked, it is
recommended that you first record information such as the name and IP address of the machine,
the installed operating system, operating system version, installed service packs, and record all
running processes and services.
Collecting evidence of network attacks, involves the following activities:
• Obtaining the following valuable information:
○ Application event log information.
○ System event log information.
○ Security event log information.
○ All other machine specific event logs, such as DNS logs, DHCP logs, or File
Replication logs.
• Recording all information which indicates malicious activities. This should include:
○ All files that have been modified, corrupted, or deleted.
○ All unauthorized processes running.
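Checking for modified, deleted and added files is one of the steps listed above, both when dealing with a compromised system and when recording evidence of malicious activity. The following is an added example, not code from the original text: it takes a hash baseline of a directory tree (in practice stored off the host while the system is known good) and compares a later snapshot against it; the directory layout and the tampering in demo() are constructed.

```python
"""Baseline-and-compare integrity check for files on a host.

Added example, not from the original text. Take a SHA-256 baseline of a
directory tree while the system is known good, keep it off the host, and
later report which files were modified, deleted or added.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its hash."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline as JSON (store the file off the monitored host)."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    """Read a baseline written by save_baseline()."""
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a baseline and a current snapshot."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
        "deleted": sorted(base_keys - cur_keys),
        "added": sorted(cur_keys - base_keys),
    }


def demo() -> dict:
    """Constructed scenario in a temp directory: baseline, tamper, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "services.conf").write_text("dns=enabled\n")
        (root / "hosts.txt").write_text("127.0.0.1 localhost\n")
        (root / "notes.txt").write_text("keep\n")
        baseline = build_baseline(root)
        # Simulate an intruder: alter a config file, remove a file, drop a new binary.
        (root / "etc" / "services.conf").write_text("dns=enabled\nlistener=1\n")
        (root / "hosts.txt").unlink()
        (root / "unknown.exe").write_bytes(b"MZ\x90\x00")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```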
The main locations that you can gather evidence of network attacks are listed here:
• System logs: Maintaining system logs can be invaluable when faced with a network
attack. When the system is under attack, you should immediately transfer a copy of your
logs to a system which is not being attacked.
• Network logs: This includes IDS, router, and firewall logs, which are especially
important when you need to gather information on an intrusion. Network logs are a good
source of information when it comes to analyzing the extent of an attack.
• System state: Hackers are also able to change system state. It is therefore recommended
that you copy your system state information to a safe location and then analyze this
information at a later stage.
• Network state: Sniffers can provide important information on the different traffic which
accessed a server. You can also use a Sniffer to recreate sessions. This would enable you
to analyze the sequence of events that occurred.
Neutralizing Network Attackers
There are a number of methods which you can use to neutralize the activities of network
attackers. The actual method(s) which you utilize should be dictated by your security policies
and your Incident Response plan.
A few common methods of neutralizing the activities of hackers include:
• Creating and applying access control lists on firewalls and routers.
• Disconnecting the system being attacked.
• Disconnecting the host being attacked from the network.
• Disconnecting the site from the Internet.
It is important to review an attack after it has been neutralized. Doing this could provide you
with some valuable information on how to prevent the same attack from occurring. While you
might not be able to completely prevent the attack from reoccurring, you should at least be able
to alleviate the risk.
A hacker also almost always creates some sort of strange network traffic. You can use a Sniffer
on the network to detect the presence of strange network behaviour.
How to Detect Network Intrusions
The best method which you can employ to detect network intrusions is to actually monitor for
intrusions on a daily basis. While most hackers attempt to disguise their initial network attack
activities, you should look for any strange activities or strange files on your network.
The network also provides a variety of sources of logging information:
• Firewall logs: You should configure your firewalls to log all traffic that they block.
Monitoring firewall logs is a quick way to detect an intruder’s activities. If you have
configured your firewalls correctly, you should be able to discover when an attacker
probes the network. Probing activities usually create extensive audit logs.
• Intrusion detection system (IDS) logs: Intrusion Detection Systems (IDSs) continuously
monitor the network activities passing through it, and can detect any scanning and
probing activities or traffic patterns that are suspicious. An IDS sends alarms when any
intrusive activities are detected, and can also be configured to implement preventative
measures to stop any additional unauthorized access. An intrusion detection system can
be located at a number of places on the network. Sensors should be located on both the
private internal network and on the external demilitarized zone. These sensors would
collect all information which could be indicative of an intruder’s activities.
IDS systems can be located on a host, on a network, or you can implement a combination
of both methods:
○ Network based intrusion detection; probes or sensors are used throughout the
network to monitor traffic.
○ Host based intrusion detection; IDS software which will monitor traffic received
by hosts needs to be installed on the hosts on the network. Host based IDSs
monitor the activities of the intruder and can analyze whether the specific attack
was a success.
• Event logs (Windows hosts): Event Viewer is used to monitor events that took place on a
computer. Event Viewer stores events that are logged in a system log, application log,
and security log. The system log contains events that are associated with the operating
system. The application log stores events that pertain to applications running on the
computer. Events that are associated with auditing activities are logged in the security
log. This makes Event Viewer a good mechanism to monitor for, and troubleshoot
problems. To open Event Viewer, select Start, then Administrative Tools, and then
select Event Viewer. Simply click the Event log you would like to examine. An audit trail
can be defined as a list of audit entries which portray the life span of an object, or file and
folder. When an event or action takes place that’s configured for auditing, the action or
event is written to the security log. Security auditing events are thus written to the
security log of the system, and can be accessed from Event Viewer.
The main types of events which you should audit are listed below:
○ Computer reboots and computer shutdowns.
○ Computer logons and computer logoffs.
○ Access to objects, and files and folders.
○ System events, such as when the following occurs:
▪ Computer reboots and computer shutdowns.
▪ System time is modified.
▪ Audit logs are cleared.
○ Performance of user and computer account management activities, such as:
▪ Creating new accounts.
▪ Changing permissions.
▪ Modifying account statuses.
• Syslog data (UNIX hosts): For UNIX logging, Syslog is utilized. With Syslog, you have
to be logging at the appropriate level if you want to detect security incidents on devices.
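The scan patterns described under Network scanning above (one source probing many ports on a host, a sweep of one port across many hosts) and the SYN flooding described under DoS attacks all leave traces in the firewall logs discussed in this list, provided blocked traffic is logged. The following is an added example, not from the original text: it runs simple detection logic over constructed DROP records whose layout is modelled on Windows Firewall's pfirewall.log; the thresholds and the sample addresses are assumptions.

```python
"""Flag port scans, sweeps and SYN floods in firewall DROP records.

Added example, not from the original text. Records are constructed in a
space-separated layout modelled on Windows Firewall's pfirewall.log
(date time action protocol src-ip dst-ip src-port dst-port size tcpflags).
The detection thresholds are illustrative assumptions.
"""
from collections import defaultdict


def _rec(ts, src, dst, sport, dport, flags="S"):
    """Build one constructed DROP record for the sample log."""
    return f"2005-03-12 {ts} DROP TCP {src} {dst} {sport} {dport} 48 {flags}"


SAMPLE_LOG = [
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags",
    # Strobe-style scan: one source probing a dozen well-known ports on one host.
    *[_rec(f"10:01:{i:02d}", "203.0.113.5", "192.0.2.10", 40000 + i, p)
      for i, p in enumerate([21, 22, 23, 25, 53, 110, 135, 139, 443, 445, 1433, 3389])],
    # Sweep: one source testing port 445 on twenty hosts of a /24.
    *[_rec(f"10:02:{i:02d}", "198.51.100.7", f"192.0.2.{i}", 51000 + i, 445)
      for i in range(1, 21)],
    # SYN flood: 150 SYNs at one web server port from varying (spoofed) sources.
    *[_rec("10:03:00", f"10.{i % 7}.{i % 11}.{i % 13 + 1}", "192.0.2.10", 60000 + i, 80)
      for i in range(150)],
    # Background noise: a single stray blocked packet.
    _rec("10:04:00", "192.0.2.33", "192.0.2.10", 33000, 8080),
]


def parse(line):
    """Split one record into its fields; returns None for comments and blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    return {"time": f[1], "action": f[2], "proto": f[3], "src": f[4],
            "dst": f[5], "sport": int(f[6]), "dport": int(f[7]),
            "flags": f[9] if len(f) > 9 else "-"}


def analyze(lines, scan_ports=10, sweep_hosts=15, flood_syns=100):
    """Return findings for the three patterns described in the text.

    Counts cover the whole input; a production detector would bucket by
    time window so that slow scans and short bursts are judged separately.
    """
    ports_by_pair = defaultdict(set)      # (src, dst) -> distinct dst ports
    hosts_by_src_port = defaultdict(set)  # (src, dport) -> distinct dst hosts
    syns_by_target = defaultdict(list)    # (dst, dport) -> sources of SYNs
    for raw in lines:
        r = parse(raw)
        if r is None or r["action"] != "DROP" or r["proto"] != "TCP":
            continue
        ports_by_pair[(r["src"], r["dst"])].add(r["dport"])
        hosts_by_src_port[(r["src"], r["dport"])].add(r["dst"])
        if "S" in r["flags"]:
            syns_by_target[(r["dst"], r["dport"])].append(r["src"])
    findings = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_ports:
            findings.append({"type": "port_scan", "src": src,
                             "target": dst, "count": len(ports)})
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= sweep_hosts:
            findings.append({"type": "sweep", "src": src,
                             "target": f"port {port}", "count": len(hosts)})
    for (dst, port), srcs in syns_by_target.items():
        if len(srcs) >= flood_syns:
            # Flood sources are usually spoofed, so key on the target, not the sender.
            findings.append({"type": "syn_flood",
                             "src": f"{len(set(srcs))} distinct sources",
                             "target": f"{dst}:{port}", "count": len(srcs)})
    return sorted(findings, key=lambda f: f["type"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```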
Understanding Penetration Testing
Penetration testing refers to testing the security of the defense mechanisms of a network or
system, to determine whether it works, and whether there are existing vulnerabilities.
Penetration testing can test numerous different network components:
• Local area network (LAN)
• Dial-in Wide area network (WAN) links
• Leased-line WAN links
• Firewalls
• Operating systems
• Servers
• Applications
• Workstations
Penetration testing can also assist administrators in revealing a number of vulnerabilities in the
defenses of a network:
• Incorrect configuration settings.
• Weaknesses in security processes and policies.
The different penetration testing methods which can be performed are listed here:
• Remote penetration testing: This method of penetration testing is performed from outside
of the network being tested. Remote penetration testing can be carried out with no
knowledge of the network, or with information and documentation on the network.
• Internal penetration testing: This method of penetration testing is performed from within
the network being tested. Internal penetration testing is typically performed by carrying
out a number of different tests, and by examining system configuration settings.
The benefits of penetration testing are:
• There are readily available intrusion tools in the hacking community which can be used
to perform penetration testing on the network. No additional equipment needs to be
purchased to perform the test.
• Penetration testing can be used to verify the effectiveness and validity of existing security
policies and procedures.
• Penetration testing usually results in administrators increasing their knowledge on the
systems and the network.
• By assuming the role of a hacker and then scrutinizing the network, administrators are
able to identify both security strengths, and possible security weaknesses which can be
exploited by criminal hackers.
• Through penetration testing, you can verify that all unusual traffic patterns are being
detected by your IDS.
• You can also verify that the filters configured on firewalls are operational, and are
filtering traffic as expected.
• You can use the information obtained in a penetration testing exercise to request financial
support for intrusion detection systems, and firewall solutions.
A typical penetration test performed on a network should consist of the following steps:
• Create the attack plan: The attack plan should list all the steps that must be performed in
the penetration test. An attack plan usually contains the following components:
○ The target of the attack.
○ The goal of the attack
○ A precise description of what you expect to discover.
○ The method you plan to use to reach the goal.
○ A list of all limitations.
○ A list of possible complications
• Scan the network: This is usually the first penetration test performed. Hackers usually
initially scan and probe the network to learn information about the network and to
discover vulnerabilities:
○ Nessus is a freely available security scanning tool that you can use to remotely
scan a network for security vulnerabilities. Nessus can run in either of the following
modes:
▪ In Nondestructive mode, Nessus simply checks for security weaknesses
which criminal hackers can exploit.
▪ You can also configure Nessus to exploit any detected vulnerabilities.
○ Network mapper (Nmap) is another freely available tool that you can use to scan
networks for vulnerabilities. Network mapper can be used to determine the
following information:
▪ The hosts residing on the network.
▪ The operating system version running on each host.
▪ The services hosted on each host.
• Use the data collected from scanning to formulate an attack on the network. Hackers first
collect as much information from scanning, and then use this information to plan an
attack against a target network.
• Perform the actual attack: Using all information gathered and the attack plan, the next
step would be to actually attempt to penetrate the security of the network to determine
what the impact of these actions is.
• Resolve all issues: Any issues discovered during the previous step should be resolved. It
is recommended that you regularly perform penetration testing on the network.
