CHAPTER 11
SECURING DATA AT THE APPLICATION LAYER
Once you make configuration changes, application security works seamlessly. The
application, however, must support the application-layer security.
Scenario: Fabrikam Inc.
can use SMB for a mix of systems.
======================================================================
winsec11.html PAGE 2 2002/04/30
Lesson 1: Planning Authenticity and Integrity of Transmitted Data
A common security goal when designing application-level security is to prevent impersonation.
Impersonation often involves an attacker who assumes the identity of a trusted individual on the
network.
Providing Authenticity and Integrity of Transmitted Data
A Windows 2000 network has two distinct methods of providing authenticity and integrity of
transmitted data at the application layer. Server message block (SMB) signing can help ensure
that file transmissions between a client and a server aren’t modified in transit.
Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP)
provide the ability to digitally sign e-mail messages to protect them from being modified in transit.
Planning SMB Signing
SMB signing, also known as Common Internet File System (CIFS) signing, ensures the authenticity
and integrity of packets transmitted between a client and a server. It does this by signing each
packet as it’s transmitted and verifying the signature at the recipient computer.
WARNING: When SMB signing is implemented, the performance for transmitted data decreases.
The overhead involved in signing and verifying each packet is roughly 10 to 15% more than when
packets are transmitted without SMB signing.
*** See page 394-395 ***
Process of Signing:
An MD5 hash, keyed with the session key, is used to create the digests.
clients and servers.
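The signing process described above, as an added worked example that is not from the original notes or from Microsoft: a constructed, simplified model of Windows 2000 SMB signing in which the sender writes a sequence number into the signature field, replaces it with the first 8 bytes of a keyed MD5 digest, and the recipient recomputes that digest to detect packets modified or replayed in transit. The 32-byte SMB1-style header layout, the 16-byte session key and the sample payload are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed, simplified model of Windows 2000 SMB signing (not Microsoft's code).
# Assumptions: SMB1-style 32-byte header with the 8-byte signature field at
# offset 14, and a 16-byte session key already shared by client and server.
SIG_OFFSET, SIG_LEN = 14, 8


def build_packet(command: int, payload: bytes) -> bytes:
    """Constructed SMB1-style frame: 32-byte header (signature zeroed) + payload."""
    header = (b"\xffSMB" + bytes([command]) + b"\x00" * 4   # magic, command, status
              + b"\x18\x03\xc0" + b"\x00\x00"                # flags, flags2, PIDHigh
              + b"\x00" * SIG_LEN + b"\x00\x00"              # signature field, reserved
              + b"\x00" * 8)                                 # TID, PID, UID, MID
    return header + payload


def sign_packet(session_key: bytes, packet: bytes, seq: int) -> bytes:
    """Put the sequence number in the signature field, then overwrite it with
    the first 8 bytes of the keyed digest MD5(session_key || packet)."""
    pkt = bytearray(packet)
    pkt[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<II", seq, 0)
    pkt[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = hashlib.md5(session_key + bytes(pkt)).digest()[:SIG_LEN]
    return bytes(pkt)


def verify_packet(session_key: bytes, packet: bytes, expected_seq: int) -> bool:
    """Recipient side: recompute the signature for the sequence number expected
    next and compare in constant time; tampering or replay makes this fail."""
    received = packet[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    expected = sign_packet(session_key, packet, expected_seq)[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    key = os.urandom(16)
    signed = sign_packet(key, build_packet(0x2E, b"constructed READ payload"), seq=4)
    tampered = bytearray(signed)
    tampered[-1] ^= 0x01  # one payload bit flipped in transit
    return {
        "valid": verify_packet(key, signed, 4),
        "tampered": verify_packet(key, bytes(tampered), 4),
        "replayed": verify_packet(key, signed, 6),
        "wrong_key": verify_packet(os.urandom(16), signed, 4),
    }
```

The per-packet digest is the overhead the WARNING above refers to: every frame is hashed once on each side.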
Planning the Deployment of SMB Signing
SMB signing requires modification of the registry in Windows 2000, Windows NT 4.0
(SP3 or higher), and Windows 98.
In a Windows 2000 environment, which method you use to deploy SMB signing depends
on whether the Windows 2000-based computers are participating in a workgroup or domain
environment. In a workgroup environment, you deploy the security template file by using the
Secedit command. In a domain environment, you can store the required modifications in a
security template file and then deploy them by using Group Policy.
When you configure a security template to use SMB signing, you can enable four separate
options to tailor the SMB signing options to meet your organization’s security requirements.
Windows 2000-based computers.
configures the Windows 2000-based computer to request the use of SMB signing when
acting as a client in a Windows 2000 file session.
2000-based computers.
configures the Windows 2000-based computer to request the use of SMB signing when acting
as the server in a Windows 2000 file session.
You can create an OU for the servers, place all servers within the OU, and then import a
security template that enables the Digitally Sign Server Communications (Always) security
option, as shown on page 397.
In a workgroup environment you must copy the completed security template locally to each
Windows 2000-based computer that requires enabled SMB signing.
Deploying SMB Signing for Windows NT 4.0-based clients
Windows NT 4.0 clients gained support for SMB signing in Service Pack 3. Deploying
SMB signing on Windows NT 4.0 requires editing the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\LanManServer\Parameters
NOTE: Once you’ve completed the registry modifications, you need to reboot the Windows
98-based computer before the modified settings take effect.
For Windows 98-based computers, the easiest way to deploy this setting would be to e-mail
a .reg file containing the desired settings to all Windows 98-based clients. Users import the
settings at their computers by double-clicking the .reg file. You can use system policies only
if the network has no Windows 95-based clients. Windows 95-based clients don’t support
SMB signing.
Planning Digital Signing
While SMB signing protects transmissions between a client and a server, digital signatures
ensure authenticity and integrity of e-mail messages between clients.
Digital signatures ensure that the contents of e-mail messages aren’t modified in transit. First,
they prevent someone from impersonating another e-mail user, and second, they prevent an
e-mail user from denying that he sent a specific e-mail message.
POP3 and SMTP
By default, Post Office Protocol V3 (POP3)/Simple Mail Transfer Protocol (SMTP) e-mail
clients send their messages in plaintext format.
Determining Protocol Choices for Digital Signing
Secure Multipurpose Internet Mail Extensions (S/MIME). A standard for encrypting and
digitally signing e-mail messages by using private and public keys.
PGP. Also a protocol that provides the ability to encrypt and digitally sign e-mail messages,
but not an industry standard.
Deploying Public Keys ** important **
To ensure the availability of public keys, do the following:
Configure e-mail clients to include their certificate with all signed messages. Including the
certificate in the signed message ensures that the recipient has the public key required to
decrypt the message digest. The public key associated with the digital certificate is included
as an attribute of the digital certificate.
Implement the Key Management Service (KMS). The KMS service manages private/public
key pairs and ensures that the public keys are stored within the directory.
Lesson Summary:
server takes place and prevents an attacker from impersonating a client or server.
impersonating an authorized user or computer.
Lesson 2: Planning Encryption of Transmitted Data
Protecting data from being modified during transmission is critical, but sometimes you must
further protect the transmitted data by encrypting it. Encryption protects the transmitted
data from inspection by unauthorized users.
Planning Secure E-Mail Encryption
Although digital signing protects e-mail messages from modification, it doesn’t prevent someone
from inspecting them during transmission across the network. The default protocol used
for sending e-mail messages is SMTP. Simple Mail Transfer Protocol doesn’t include
extensions for encrypting e-mail.
The sender of an e-mail uses the recipient’s public key to encrypt the e-mail.
The recipient uses their own private key to decrypt the e-mail.
E-mail messages can be encrypted by using different algorithms:
Rivest’s Cipher v2 (RC2). RC2 is a secret-key block encryption algorithm.
Data Encryption Standard (DES).
Triple DES (3DES). 3DES increases the strength of DES by using an encrypt-decrypt-encrypt
process that uses three keys.
IMPORTANT: Use of RC2 (128 bit) and 3DES requires the Windows 2000 High
Encryption Pack to be installed. The installation of the Windows 2000 High Encryption
Pack is subject to your country’s import and export laws.
You can’t mix encryption protocols for e-mail. If you use S/MIME to encrypt the
message, you have to use S/MIME to decrypt it.
Planning Application-Level Encryption with SSL/TLS
Applications other than e-mail, such as Web pages containing sensitive data, also require
encryption of data when it’s transmitted. Windows 2000, for example, supports two forms
of application-level encryption: Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
SSL. Provides encryption services to several applications by using public and private keys
to encrypt data transmitted between a server and a client.
TLS. TLS is very similar to SSL in that it provides communications privacy, authentication,
and message integrity by using a combination of public key and symmetric encryption.
Both SSL and TLS are implemented between the TCP transport layer and the application layer.
Standard and SSL Ports
=====================================================================
Protocol                                        Standard port   SSL port
=====================================================================
Hypertext Transfer Protocol (HTTP)                     80          443
Internet Message Access Protocol v4 (IMAP4)           143          993
Lightweight Directory Access Protocol (LDAP)          389          636
Network News Transfer Protocol (NNTP)                 119          563
Post Office Protocol v3 (POP3)                        110          995
Simple Mail Transfer Protocol (SMTP)                   25          465
=====================================================================
NOTE: Only applications that are programmed to use SSL and TLS can implement the two forms of
encryption. Only applications that recognize SSL and TLS can make the appropriate calls to
programming interfaces to encrypt and decrypt data.
Lesson Summary:
transferred across the network.
computers is needed to deploy the application-layer security.
certificates. You can secure areas of a Web Site by creating a Virtual Directory. In this area of the