CHAPTER 1 

                       INTRODUCTION TO WINDOWS 2000 SECURITY

 

Chapter Scenario:

 

Cuba: no strong encryption can be used there, because of current embargoes.

Three weeks of ISP training is not enough.

Help Desk personnel must have access to certain objects in Active Directory so they can reset passwords, but that is all they may change.

 

Caracas is sluggish: its WAN link runs at 80% utilization and is overloaded.  Log the link's performance to see where you can improve it.

 

 

Lesson 1:  Microsoft Windows 2000 Security Services Overview

 

Knowing how security integrates into the Windows 2000 architecture will assist you in

designing security for your Windows 2000 network.

 

The Windows 2000 operating system provides two processor access modes.  Applications generally run in user mode and operating system functions run in kernel mode.


The integration of Active Directory within the security subsystem ensures that distributed

security can exist in a Windows 2000 network.  Because Active Directory is located in the

security subsystem, you can protect all access by a combination of three elements:

 

  • Authentication
  • Authorization
  • Validation that the security principal has the necessary permission to perform the task.

 

 

The discretionary access control list (DACL) contains access control entries (ACEs) that define the permissions assigned to security principals for the object.  Each ACE names one security principal and the permissions that are allowed or denied to that security principal for the object.

 

 

 

 

====================================================================

 

winsec1.html                                                    PAGE 2                                                 2002/04/10

 

 

 

Security Subsystem Components

 

The security subsystem runs within the security context of the Local Security Authority (LSA) process.  Its components are:

 

Netlogon service (Netlogon.dll).  The Netlogon service maintains a computer’s secure channel to a domain controller in its domain and passes logon credentials through that channel.  The domain controller returns the information (SIDs and user rights) from which an access token is built for the security principal.

 

NTLM authentication protocol (Msv1_0.dll).  Authenticates clients that are unable to use Kerberos authentication.  This includes Windows 95, Windows 98, and Windows NT computers, which is why NTLM remains in use in a mixed-mode domain.

 

Secure Sockets Layer (SSL) authentication protocol (Schannel.dll).  Provides authentication and encryption for data transported at the application layer (SSL/TLS).

 

Kerberos v5 authentication protocol (Kerberos.dll).  This is the default authentication protocol used by Windows 2000.  At logon the client obtains a ticket-granting ticket (TGT), which it then exchanges for service tickets.

 

Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll).  Runs on every domain controller and issues the TGTs and service tickets.

 

LSA Server service (Lsasrv.dll).  Enforces all defined local security policies.

 

Security Accounts Manager (SAM).  Stores the local user and group accounts; it is used for authentication on non-domain controllers, because domain controllers keep their accounts in Active Directory.

 

Directory Services module (Ntdsa.dll).  Supports LDAP access to Active Directory and its replication.

 

Multiple Authentication Provider.  Holds all of the security support providers (SSPs) available on the system and exposes them to applications through a single interface (SSPI).

 

 

LSA Functionality

 

The LSA maintains all local security information for a Windows 2000-based computer, for example the domain list in the logon drop-down box.  Its functions are:

 

  •   It allows users to authenticate interactively with the Windows 2000-based computer.
  •   It generates an access token for the security principal during the authentication process.  The access token contains the SIDs for the user account and for all groups that contain the user account as a member.
  •   It manages local security policy.
  •   It manages audit policy and settings.
  •   It builds a list of trusted domains that is used to populate the Log On To drop-down list in the Windows 2000 authentication dialog box.

 

  •   It determines which users have been assigned privileges.
  •   It reads the system access control list (SACL) for each object to determine what security auditing has been defined for the object.
  •   It determines what user rights have been assigned to a security principal and ensures that a security principal can’t perform tasks it doesn’t have rights for.  “Log on locally” is an example of a right.
  •   It manages memory quotas for the usage of both paged and nonpaged memory.
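The access check that the DACL/ACE description in the overview and the access-token and user-rights items above describe can be modelled in a few lines.  The following is an added example, not code from the page: a toy model of the Windows access check in which a token (user SID plus group SIDs) is compared against an object's ordered DACL.  The access-mask bit values, the SIDs, the group names and the DACL are constructed for the example; the sample DACL mirrors the chapter scenario, where a Help Desk group may reset passwords on user objects but change nothing else.  This is not the Win32 AccessCheck API or Active Directory's real ACE encoding.

```python
"""Toy model of the Windows access check: token SIDs against an ordered DACL."""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical access-mask bits for an Active Directory user object (constructed).
READ_PROP = 0x01        # read attributes
WRITE_PROP = 0x02       # write attributes (e.g. change group membership)
CONTROL_ACCESS = 0x04   # an extended right, qualified by a name such as "Reset Password"
FULL_CONTROL = READ_PROP | WRITE_PROP | CONTROL_ACCESS


@dataclass
class Ace:
    kind: str                    # "allow" or "deny"
    sid: str                     # trustee the ACE applies to
    mask: int                    # access bits granted or denied
    right: Optional[str] = None  # for CONTROL_ACCESS: which extended right; None = any


@dataclass
class Token:
    user_sid: str
    group_sids: List[str]

    def sids(self):
        return {self.user_sid, *self.group_sids}


def access_check(token: Token, dacl: Optional[List[Ace]], desired: int,
                 right: Optional[str] = None) -> bool:
    """Walk the DACL in order, the way Windows does.
    - No DACL at all (None) grants everyone full access; an empty list grants nothing.
    - An ACE counts only if its SID is one of the token's SIDs.
    - A deny ACE covering any still-unsettled desired bit ends the check with a denial,
      which is why a canonical DACL lists explicit denies before allows.
    - Allow ACEs accumulate bits; the check succeeds once every desired bit is granted."""
    if dacl is None:
        return True
    remaining = desired
    if remaining == 0:
        return True
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if ace.right is not None and ace.right != right:
            continue   # object-specific ACE for a different extended right
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False


# Constructed SIDs. 512 and 500 are the well-known Domain Admins / Administrator RIDs;
# S-1-5-11 is the well-known Authenticated Users SID; the rest are made up.
DOMAIN = "S-1-5-21-1000-2000-3000"
DOMAIN_ADMINS = DOMAIN + "-512"
HELP_DESK = DOMAIN + "-1105"
AUTHENTICATED_USERS = "S-1-5-11"
ADMIN_SID, BOB_SID, EVE_SID = DOMAIN + "-500", DOMAIN + "-1201", DOMAIN + "-1202"

# DACL on a user object: Eve lost her reset privilege, so her deny ACE comes first.
USER_OBJECT_DACL = [
    Ace("deny", EVE_SID, CONTROL_ACCESS, "Reset Password"),
    Ace("allow", DOMAIN_ADMINS, FULL_CONTROL),
    Ace("allow", HELP_DESK, CONTROL_ACCESS, "Reset Password"),
    Ace("allow", AUTHENTICATED_USERS, READ_PROP),
]

TOKYO_ADMIN = Token(ADMIN_SID, [DOMAIN_ADMINS, AUTHENTICATED_USERS])
BOB = Token(BOB_SID, [HELP_DESK, AUTHENTICATED_USERS])   # help desk member
EVE = Token(EVE_SID, [HELP_DESK, AUTHENTICATED_USERS])   # help desk member, explicitly denied


if __name__ == "__main__":
    print("Bob resets password:", access_check(BOB, USER_OBJECT_DACL, CONTROL_ACCESS, "Reset Password"))
    print("Bob writes attribute:", access_check(BOB, USER_OBJECT_DACL, WRITE_PROP))
    print("Eve resets password:", access_check(EVE, USER_OBJECT_DACL, CONTROL_ACCESS, "Reset Password"))
```

The group's allow ACE grants Bob only the one extended right; a request for any other bit, or for a different extended right, walks to the end of the DACL and fails.  Eve's explicit deny wins over her group membership only because it sits before the group's allow ACE, which is the ordering the Windows tools maintain for you and which a hand-built DACL can get wrong.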

 

 

Windows 2000 Security Protocols

Windows 2000 must be able to authenticate clients other than Windows 2000 computers.  These clients can include Microsoft clients from previous operating systems as well as foreign clients, such as UNIX clients.  Windows 2000 supports four different security protocols:

 

Windows NT LAN Manager (NTLM).  Used by Windows NT clients and by Windows 95 and Windows 98 clients with the Directory Services client installed.  The NTLM security provider uses the MSV1_0 authentication service and the Netlogon service to provide client authentication and authorization.

 

Kerberos v5.  Kerberos provides mutual authentication of client and server: the client proves its identity to the server, and the server must also prove to the client that it is the legitimate server and not an impostor.
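The following is an added example that is not part of the original notes: a simplified Kerberos v5 exchange in which a client obtains a TGT, trades it for a service ticket and then authenticates to a file server, with the server's reply proving its own identity.  The principal names, passwords and the toy symmetric cipher (a SHA-256 keystream with an HMAC tag standing in for Kerberos's real encryption types) are all assumptions made for this example; there is no real KDC or Windows 2000 domain involved.

```python
"""Simplified Kerberos v5: AS, TGS and AP exchanges with mutual authentication."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # allowed clock skew in seconds (Windows 2000 default is 5 minutes)


def key_from_password(password: str) -> bytes:
    # Toy string-to-key function; real Kerberos derives a key per encryption type.
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, msg: dict) -> bytes:
    # Toy authenticated encryption: keystream XOR plus an HMAC tag over nonce and ciphertext.
    plaintext = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service and Ticket-Granting Service in one, like Kdcsvc on a DC."""

    def __init__(self, principals: dict):
        self.keys = {name: key_from_password(pw) for name, pw in principals.items()}

    def as_exchange(self, client: str, preauth: bytes):
        # Pre-authentication: the client proves it knows its key by encrypting a timestamp.
        ts = decrypt(self.keys[client], preauth)["timestamp"]   # wrong password fails here
        if abs(time.time() - ts) > SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        session_key = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": session_key.hex()})
        return encrypt(self.keys[client], {"key": session_key.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = decrypt(self.keys["krbtgt"], tgt)                 # only the KDC can open a TGT
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match the TGT")
        svc_session_key = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": svc_session_key.hex()})
        return encrypt(bytes.fromhex(t["key"]), {"key": svc_session_key.hex()}), ticket


class Server:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, key_from_password(password)

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        t = decrypt(self.key, ticket)           # only the real service key opens the ticket
        session_key = bytes.fromhex(t["key"])
        auth = decrypt(session_key, authenticator)
        if auth["client"] != t["client"] or abs(time.time() - auth["timestamp"]) > SKEW:
            raise ValueError("authenticator rejected")
        # AP-REP: echoing the client's timestamp under the session key proves the server
        # could read the ticket, i.e. it holds the service's long-term key.
        return encrypt(session_key, {"timestamp": auth["timestamp"]})


def client_logon_and_access(kdc: KDC, server: Server, user: str, password: str, service: str) -> bool:
    """Run the three exchanges; return True only if the server proved itself (mutual auth)."""
    user_key = key_from_password(password)
    enc_part, tgt = kdc.as_exchange(user, encrypt(user_key, {"timestamp": time.time()}))
    session_key = bytes.fromhex(decrypt(user_key, enc_part)["key"])
    enc_part, ticket = kdc.tgs_exchange(tgt, encrypt(session_key, {"client": user}), service)
    svc_session_key = bytes.fromhex(decrypt(session_key, enc_part)["key"])
    ts = time.time()
    ap_rep = server.ap_exchange(ticket, encrypt(svc_session_key, {"client": user, "timestamp": ts}))
    return decrypt(svc_session_key, ap_rep)["timestamp"] == ts


if __name__ == "__main__":
    kdc = KDC({"alice": "alice-pw", "krbtgt": "krbtgt-secret", "host/fs1": "fs1-secret"})
    print(client_logon_and_access(kdc, Server("host/fs1", "fs1-secret"), "alice", "alice-pw", "host/fs1"))
```

A server that does not hold the service's long-term key cannot decrypt the ticket, so it can neither recover the session key nor produce the AP-REP; that failure, rather than any name the server claims, is what tells the client it is talking to an impostor.  A wrong user password fails earlier, at pre-authentication, before the KDC issues anything.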

 

Distributed Password Authentication (DPA).  A shared-secret authentication protocol used by Internet membership organizations such as MSN.

 

Secure channel (Schannel) services.  Schannel provides SSL and TLS and authenticates with digital certificates issued by certification authorities (CAs), for example certificates held on smart cards.

 

 

The Security Support Provider Interface (SSPI)

 

The SSPI lets applications authenticate a security principal without knowing which Windows 2000 security protocol is used.  The application calls one interface, and the chosen security protocol is hidden behind it.

 

Lesson Summary:

 

  •   You don’t have to understand how security is implemented in Windows 2000 in order to design security, but it is useful to know how the security functions interact with the Windows 2000 operating system.

 

 

 


 

 

 

Lesson 2:  Determining Security Business Requirements

 

 

Determining Business Requirements

 

Your network’s security design will be based on meeting your organization’s business requirements.

 

 

  •   The business model.  You have to know how decisions are made within the company.
  •   The business processes.  You need to know how business processes flow.
  •   The projected growth.  You don’t want to deploy a security plan with a short life span.
  •   The management strategy.  Does the organization use a centralized or decentralized management strategy?
  •   The current security policy.  The security policy defines the organization’s aversion to risk.  For example, because certain Internet protocols may have potential security weaknesses, the organization may restrict them from being used on the corporate network.
  •   The tolerance of risk.  Whether passwords must be 10 characters or 6 is decided by the organization’s risk tolerance.
  •   Risk = cost x probability.  Converting risk into a numeric formula will help you prioritize risks as you develop a security solution.
  •   The laws and regulations that affect the organization.  A country’s laws can require that security within that country be managed locally, which forces decentralized management into your design.  For example, if you wish to use strong encryption in your security solution (for example, 3DES encryption with IPSec), you should be aware that it is forbidden to export strong encryption to countries on the U.S. embargo list.  You may also be unable to administer the systems in such a country remotely.
  •   The organization’s financial status.  Security costs money; is it in the budget?
  •   The employees’ skill level.  Do they require more training?

 

 

Making the Decision.

 

Use this chart to help determine the best security strategy.  *** See page 12 ***

 

 

 

 


 

 

Applying the Decision

 

Lucerne Publishing must meet the following business requirements in its Windows 2000 security design:

Centralized administration of user accounts.  The user accounts are created and administered at the head office in Tokyo.  You must minimize the number of domains in the forest.

Decentralized administration of servers.  Keeping the IT support staff close to the servers allows for quicker recovery times in the event of a server failure.

Decentralized administration of user passwords.  You can delegate the right to reset passwords to a group that contains all help desk user accounts.

Match the business process.  Granting help desk operators only the ability to reset passwords ensures that the help desk personnel must contact the Tokyo IT department for any other necessary changes to user accounts.

Plans for growth.  The only planned expansion that could affect the Active Directory design is the plan to expand into Cuba.  Due to current embargoes on Cuba, there may be a requirement for a separate domain to be established for the Havana office.

Issues concerning the Havana office.  Strong encryption products can’t be exported to Cuba.

Meets current risk aversion.  Since the Lucerne Publishing Web site was recently hacked, the security design for the Web site must take into account how it happened.

Skill set shortages.  Just sending the Web administrator for three weeks of training is not enough.

 

 

Lesson Summary:

 

A security plan must meet all of an organization’s business requirements.

When you begin to design your security plan, make sure that you collect all the business requirements so that your plan will meet them.

 

 

Lesson 3:  Designing Security to Meet Technical Requirements

 

Not only must a security plan meet business requirements, but it also must meet any technical

requirements that an organization defines.

 

Total size and distribution of resources.  This will help you define the Active Directory sites, domains, and OUs.

 

 


 

 

 

 

Performance considerations.  Implementing encryption technologies in a network will result in performance costs.

Wide Area Network links.  How will you connect remote offices to local offices?  PPTP, or L2TP with IPSec, can be used.

Wide Area Network usage.  At first glance, you might assume that there is more available bandwidth to the first branch office.  Only after analyzing current usage can you verify this assumption.

How data is accessed.  This must include which protocols, applications, users and computers are used to access the data.

Administrative structure.  Determining the administrative structure will lead you to the best Active Directory structure for an organization and to the right administrative group memberships.

Current application base.  The stronger default security in Windows 2000 isn’t always compatible with older versions of applications.

 

Making the Decision

 

To plan for technical requirements, first you have to gather the technical requirements that affect your organization, then weigh the cost of each security measure needed to meet them.  Most often this cost is a loss of productivity or performance.

 

*** See page 17****

 

 

Applying the Decision

 

Logon performance.  The Caracas site is connected to the corporate network by a 256K WAN link that is currently 80% utilized.  The WAN link must be monitored.

Site definitions.  They must define a site for each physical location of the network and map the subnet addresses for that location to the site name.

Server placement.  To ensure that authentication takes place locally, each site should have at least one DNS server, one domain controller for each domain that users and computers at the site will authenticate against, and one global catalog server.

Other performance requirements.  Lucerne Publishing has centers all over the world; the WAN links to each of them must be considered.

Current administrative structure.  The Active Directory design for Lucerne Publishing must ensure that it reflects the current administrative structures.

 

 


 

 

 

Lesson Summary:

 

  •   When you gather technical requirements, make sure that each one is measurable so that you

can test the security plan to ensure that it meets those requirements.