CHAPTER 9
DESIGNING MICROSOFT WINDOWS 2000
SERVICES SECURITY
The Web site will be hosted on an Internet Information Services (IIS) server located at the
company’s
that support the forest root domain and provide DNS services are located in the forest root domain.
Users and computers in each office are members of the domain that describes their geographic
region. Lucerne Publishing wants to make sure that client computers can take over the registration
of DNS resource records when they’re upgraded to Windows 2000. Lucerne Publishing wants to
ensure that only approved or authorized computers are able to use RIS for operating system installation.
Lucerne Publishing will use the SNMP software to detect network settings but not to reconfigure
network devices. To allow these computers to use the newer software, Terminal Services is deployed
at each office to allow clients to connect to the server by using the Terminal Services client software.
and account information aren’t compromised on the network.
======================================================================
winsec9.html PAGE
2 2002/04/27
Lesson 1: Designing DNS Security
Deploying DNS service is one of the key steps in designing your Active Directory. DNS acts as a
locator in a Windows 2000 network.
Assessing Security Risks for the DNS Service
DNS gives you the ability to resolve host names to IP addresses on a Transmission Control
Protocol/Internet Protocol (TCP/IP) network. Within a Windows 2000 network, DNS provides the
locator service for Windows 2000 services through the implementation of service (SRV) resource
records as defined in RFC 2782, as well as standard DNS resource records such as Host (A),
Canonical Name (CNAME), Mail Exchanger (MX), and Pointer (PTR) records.
The potential risks of deploying the DNS Service with inadequate security include the following:
· Dynamic Update can allow client computers to overwrite existing DNS resource records and hijack
sessions.
· Without adequate security, an attacker can create a secondary DNS zone and obtain a read-only
copy of your DNS zone data, which will reveal all resource records located within the source data.
· DNS services available on the Internet could expose the internal IP addressing scheme of the
internal network.
Securing Dynamic Updates
The DNS service in Windows 2000 provides security through a new zone type known as an Active
Directory-integrated zone. When the data is stored in Active Directory, each resource record exists
as an object in Active Directory and has a DACL that limits which computers can update the resource
record.
Deploying Active Directory-integrated zones offers the following advantages:
· Fault tolerance of zone data.
· Reduction in replication traffic.
· Security on resource records. Only the resource record’s owner can modify the resource record.
To enable this feature, set the zone’s dynamic update option to allow only secure updates.
NOTE: Many networks implement BIND DNS servers for their DNS service.
Restricting Zone Transfers
Zone transfers are used to transfer zone data to secondary DNS servers. This ensures that the
secondary servers hold current zone information.
NOTE: Active Directory-integrated zones are limited to a single domain. If you need to have zone
data available in multiple domains, you must still implement secondary DNS zones.
NSLOOKUP is used to acquire zone data from a DNS server.
Forwarder
A forwarder is used when you have separate internal and external DNS servers. You need to do this
when the Active Directory forest root uses the same DNS domain name as the external network.
Restricting Membership in the DNS Admins Group
The DNS Admins group is assigned the right to create new DNS zones at a DNS server and to
modify the properties of a DNS server. Only authorized user accounts should be members of the
DNS Admins group. By using Restricted Groups in Group Policy, you can restrict DNS Admins
group membership. There are no members by default.
Summary:
The DNS service is required for Windows 2000 Active Directory. Consider the security implications
of the DNS service when you design your DNS zones. Use Active Directory-integrated zones to
ensure that the owner of a DNS resource record is the only one who can update the resource record.
Lesson 2: Designing DHCP Security
DHCP allows a client computer to lease an IP address from a DHCP server so that the client can
participate in the network.
If the client were to receive an incorrect IP address from the DHCP service, the result could be a
loss of connectivity on the network and, in the worst case, provide connectivity to unauthorized
servers on the network.
The DHCP Service’s security risks can be broken down into three categories:
· The risk of an unauthorized DHCP server assigning incorrect IP addressing information.
· The ability of a DHCP server to overwrite static IP address information in DNS.
· Unauthorized DHCP clients, such as notebook or laptop computers, leasing IP addresses on the network.
Preventing Unauthorized DHCP Servers
A common security concern is the possibility that an unauthorized DHCP server might provide
incorrect IP addressing information to the DHCP clients. Only authorized servers can issue IP
addresses for DHCP clients.
The DHCP server won’t issue IP addresses to clients if it determines that it’s not authorized to do
so.
By default, only members of the Enterprise Admins Universal Group can authorize DHCP servers
in Active Directory.
WARNING: One way to determine the IP address of an unauthorized DHCP server is to run
IPCONFIG /ALL at a client computer that has received incorrect IP addressing information.
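As an added example (not part of the course notes), the following Python script turns the IPCONFIG /ALL tip into a defender’s check: it parses the DHCP Server field for every adapter and flags any server that is not in the list of DHCP servers authorized in Active Directory. The IPCONFIG output and the authorized-server list are constructed for this example.

```python
import re

# Constructed sample of IPCONFIG /ALL output from a Windows 2000 client (not a real capture).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.0.77
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.0.1
        DHCP Server . . . . . . . . . . . : 10.1.0.250

Ethernet adapter Wireless:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.5.20
        DHCP Server . . . . . . . . . . . : 10.1.5.5
"""

# Constructed list of the DHCP servers that are authorized in Active Directory.
AUTHORIZED_DHCP = {"10.1.5.5", "10.1.5.6"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z ]*?)[ .]*:\s*(?P<val>\S.*)?$")

def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from IPCONFIG /ALL output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:                                   # a new adapter section starts
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:           # an indented "key . . . : value" line
            current[m.group("key").strip()] = (m.group("val") or "").strip()
    return adapters

def rogue_dhcp_servers(text, authorized):
    """List (adapter, server) pairs whose lease came from a server not in `authorized`."""
    findings = []
    for adapter, fields in parse_ipconfig(text).items():
        if fields.get("DHCP Enabled") == "Yes" and fields.get("DHCP Server") not in authorized:
            findings.append((adapter, fields.get("DHCP Server")))
    return findings
```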
Preventing DHCP Servers from Overwriting Static IP Addresses in DNS
You can configure DHCP servers to perform the DNS updates on behalf of clients that don’t support
dynamic update by selecting the Enable Updates For DNS Clients That Do Not Support Dynamic
Update check box for a DHCP scope.
If the DNS update is sent to an Active Directory-integrated zone, the DHCP server will become
the owner of the DNS resource records in Active Directory.
The default behavior for registration of DNS resource records for a Windows 2000 client is as
follows:
· The DHCP server updates the Pointer (PTR) resource record in the reverse lookup zone.
· The Windows 2000 client updates the Host (A) resource record in the forward lookup zone.
If the DHCP server is the owner of the DNS resource record, the Windows 2000 client won’t
be able to update the resource record.
If the DHCP server is a member of the DNSUpdateProxy group, it won’t take ownership of
any DNS resource records that it writes to the Active Directory-integrated zone. The
client is then able to register the resource records after its upgrade and take ownership of the
resource record.
WARNING: Membership in the DNSUpdateProxy group doesn’t differentiate between resource
records registered on behalf of another client and resource records registered by the specific client.
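The following Python model is an added example, not code from the notes or from Microsoft. It reduces the DACL on an Active Directory-integrated record to a single owner field and shows the three cases described above: the DHCP server owning the record and blocking the upgraded client, a DNSUpdateProxy member leaving the record unowned so the client can claim it, and the warning that such an unowned record can be claimed by any other computer. Account names and zone names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

PROXY_GROUP = "DnsUpdateProxy"   # members register records without taking ownership

@dataclass
class Record:
    data: str
    owner: Optional[str]         # owning security principal; None = unowned object

@dataclass
class ADZone:
    secure_only: bool = True                      # "Only allow secure updates"
    records: dict = field(default_factory=dict)   # (name, type) -> Record
    groups: dict = field(default_factory=dict)    # principal -> set of group names

    def update(self, principal, name, rtype, data):
        """Apply one dynamic update; return 'created', 'updated' or 'denied'."""
        in_proxy = PROXY_GROUP in self.groups.get(principal, set())
        rec = self.records.get((name, rtype))
        if rec is None:
            # New object: a DnsUpdateProxy member leaves it unowned so the real
            # client can claim it after its upgrade to Windows 2000.
            self.records[(name, rtype)] = Record(data, None if in_proxy else principal)
            return "created"
        # Existing object: with secure updates only the owner may modify it.
        if self.secure_only and rec.owner not in (None, principal):
            return "denied"
        rec.data = data
        if rec.owner is None and not in_proxy:
            rec.owner = principal        # first non-proxy updater takes ownership
        return "updated"

def legacy_then_upgrade(dhcp_in_proxy):
    """DHCP server registers a PTR for a downlevel client; the client is later
    upgraded to Windows 2000 and tries to register the record itself."""
    zone = ADZone()
    if dhcp_in_proxy:
        zone.groups["DHCP1$"] = {PROXY_GROUP}
    name = "10.0.1.10.in-addr.arpa"               # constructed sample name
    zone.update("DHCP1$", name, "PTR", "pc1.lucerne.example")
    result = zone.update("PC1$", name, "PTR", "pc1.lucerne.example")
    return result, zone.records[(name, "PTR")].owner

def proxy_record_claimed_by_other():
    """The warning: an unowned record written by a DnsUpdateProxy member can be
    overwritten and claimed by any other authenticated computer."""
    zone = ADZone()
    zone.groups["DHCP1$"] = {PROXY_GROUP}
    name = "10.0.1.10.in-addr.arpa"
    zone.update("DHCP1$", name, "PTR", "pc1.lucerne.example")
    result = zone.update("OTHER$", name, "PTR", "other.lucerne.example")
    return result, zone.records[(name, "PTR")].owner
```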
Preventing Unauthorized DHCP Clients from Leasing IP Addresses
In higher-security networks, DHCP may introduce security weaknesses because any DHCP client
can lease a valid IP address on the network. To prevent this, you must reserve all IP addresses
in the scope to specific Media Access Control (MAC) addresses.
Also, you can assign static IP addresses.
Lesson Summary:
DHCP is a key service on most Windows 2000 networks.
If an unauthorized DHCP server is introduced on the network, the results can range from temporary
loss of connectivity to the loss of data to an unauthorized server posing as the actual server.
Lesson 3: Designing RIS Security
To simplify the deployment of Windows 2000 clients, many organizations use RIS to help deploy
Windows 2000 Professional images to desktop computers.
RIS is very picky to get working: you need a NIC with PXE support, and the hardware must be just
right. Also, when you install RIS you can install other applications, such as an office suite, and
make them part of the image to be transferred. You can also use NTFS permissions to prevent users
from seeing an image. Another TIP: do not install as the Administrator; create another account for
installation purposes and use that account to install.
RIS is simply a collection of services that work together to allow remote installations of preconfigured
Windows 2000 Professional desktop computers. The services that comprise RIS include the following:
BINL (Boot Information Negotiation Layer). The BINL service answers DHCP requests from
Preboot Execution Environment (PXE) network adapters or from clients using a remote installation floppy.
TFTPD (Trivial File Transfer Protocol Daemon). The files that initiate the RIS installation are
transferred from the RIS server to the client by using TFTP.
SIS (Single Instance Store). The SIS allows multiple RIS images to be stored at a RIS server but
reduces the duplication of files stored at the RIS server.
Important things to Remember with RIS:
doesn’t have the DHCP Service installed.
NOTE: When a PXE client is started on the network, the DHCP discover packet sent by the PXE
client will request both an IP address for the client and the location of a PXE boot server, also
known as the RIS server. The RIS installation can’t proceed unless both the client IP address and
the RIS server are provided.
For higher-security networks, you should not only enable the RIS server to respond to installation
requests, but you should also restrict the responses to prestaged clients.
Prestaged client computers. These are computers that have a computer account existing in Active
Directory before RIS is installed. A common method of prestaging clients is to configure the
globally unique identifier (GUID) attribute for the computer account in Active Directory.
Restricting Which RIS Images a User Can Load
If you plan for users to select from multiple RIS images, you can restrict which images are available
to users by configuring DACLs to change the default permissions.
By creating a custom domain local group that contains the user accounts that can install a specific RIS
image, you can restrict who can install each image and show users only the images they are allowed to
see when they perform a remote installation.
NOTE: Because you use RIS to install a client operating system, you can’t implement IPSec to
protect the TFTP data stream between the RIS server and the RIS client computers. Only the
Windows 2000 operating system supports the use of IPSec.
Lesson Summary:
RIS is a key component of change and configuration management within Windows 2000.
IN CLASSROOM NOTES:
To import a security template: Active Directory Users and Computers / OU Properties / Edit / Group Policy /
Computer Configuration / Windows Settings / Security Settings, then right-click Security Settings and choose Import Policy.
For an imported template to take effect, a computer must be located within the OU so that the policy is applied to it.
Clear this database before importing: it is a good idea to check this box, so you can ensure that
the new policy is applied.
You can remotely analyze and configure a computer.
DNS security is so important because you do not want to expose IP addresses, and you need to protect
PTR and A records. A hacker can modify the SRV record and change the IP addresses.
Lesson 4: Designing SNMP Security
SNMP is used to detect problems with the network! SNMP allows a network administrator to
proactively manage a network by providing early detection of network faults or incorrect network
configuration. Network administrators use SNMP to do the following:
· Monitor network performance. SNMP can determine network throughput and determine whether data
is being transferred successfully on the network.
· Detect network faults or unauthorized access.
· Configure network devices. Use SNMP to configure SNMP agents remotely.
· Audit network usage. Use SNMP to determine network usage. You can use this information to
determine overused areas of the network.
SNMP management stations.
NOTE: Windows 2000 doesn’t ship with an SNMP management station component. The
Windows 2000 Support Tools include a simple graphical SNMP manager called SNMPUtilg.exe.
For an extended feature set, consider implementing third-party solutions such as HP OpenView
from Hewlett-Packard or Unicenter TNG from Computer Associates.
MIB. When you install services such as DHCP and DNS, these services will have a MIB that the
SNMP agent uses to report on them.
SNMP agents. SNMP agents run a service that’s able to respond to SNMP management requests
and to alert SNMP management stations when unauthorized management is attempted or when
predefined events take place.
SNMP agents send status messages to the SNMP management station. The status messages include
regular updates sent to an SNMP management station or responses to SNMP queries. In specific
instances the SNMP agent will send an SNMP trap message to indicate that a defined event has
taken place.
NOTE: Another difference between SNMP status messages and SNMP trap messages is that
they’re directed to different ports on the SNMP management station. SNMP status messages
are sent to User Datagram Protocol (UDP) port 161 on the SNMP management station, and
SNMP trap messages are sent to UDP port 162.
Assessing the Security Risks of SNMP
· Must be part of the SNMP community.
· Configuration of approved SNMP management stations.
· Interception of SNMP status messages and SNMP trap messages.
Restricting Management to Specific SNMP Communities
An agent can belong to multiple communities, and you can configure rights for each community.
You can assign the rights to be:
· None or Notify. The SNMP agent does not process the request. When the agent receives an
SNMP message from a management system in this community, it discards the request and
generates an authentication trap.
· Read Only. The SNMP agent processes GET, GET-NEXT, and GET-BULK requests.
· Read Create or Read Write. SET requests are limited to the addition of new objects in a
Management Information Base (MIB) table.
Protecting SNMP Messages from Interception
You can configure IPSec to require that SNMP status messages and SNMP trap messages be
encrypted.
Be careful when implementing IPSec. All SNMP agents must support the use of IPSec. If a single
SNMP agent doesn’t support IPSec, you’ll have to configure IPSec to only request and not require
IPSec encryption. Otherwise, you’ll have to remove the SNMP agent that doesn’t support IPSec
from your management scheme.
Ensure that the default community name PUBLIC is renamed; it is too easy to guess.
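As an added example (not from the notes), this Python code decodes the version, community name and PDU type from an SNMPv1 message and applies the community rights described above: a community with None or Notify rights gets the request discarded and an authentication trap, Read Only permits GET, GET-NEXT and GET-BULK, and only Read Write or Read Create permits SET. It also flags communities still using the guessable default names. The packet is constructed by hand, and the rights-table format is this example’s own, not the Windows 2000 agent’s configuration format.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
READ_PDUS = {"GetRequest", "GetNextRequest", "GetBulkRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults that are too easy to guess

# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) from community "public".
GET_REQUEST = bytes.fromhex(
    "3029" "020100" "0406" "7075626c6963" "a01c" "020400000001"
    "020100" "020100" "300e" "300c" "06082b06010201010100" "0500")

def _tlv(buf, pos):
    """Read one BER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, pos, pos + length

def parse_snmp_header(packet):
    """Return version, community and PDU type of an SNMPv1/v2c message."""
    tag, pos, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message SEQUENCE")
    tag, vs, ve = _tlv(packet, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, cs, ce = _tlv(packet, ve)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, _, _ = _tlv(packet, ce)
    return {"version": int.from_bytes(packet[vs:ve], "big"),
            "community": packet[cs:ce].decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def agent_decision(msg, community_rights):
    """What an agent with the given community -> rights table does with msg.
    Rights: NONE/NOTIFY, READ_ONLY, READ_WRITE, READ_CREATE (as in the notes)."""
    rights = community_rights.get(msg["community"], "NONE")   # unknown name = no rights
    if rights in ("NONE", "NOTIFY"):
        return "discard; send authentication trap to UDP 162"
    if msg["pdu"] in READ_PDUS:
        return "process"
    if msg["pdu"] == "SetRequest" and rights in ("READ_WRITE", "READ_CREATE"):
        return "process"
    return "discard (insufficient rights)"

def weak_communities(community_rights):
    """Community names still set to a guessable vendor default."""
    return sorted(c for c in community_rights if c.lower() in DEFAULT_COMMUNITIES)
```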
Lesson Summary:
security, you can prevent attackers from taking advantage of security weaknesses in the SNMP
protocol.
Lesson 5: Designing Terminal Services Security
You can load the Terminal Services client on Windows 3.1, Windows for Workgroups 3.11, Windows
95 and 98, and Windows NT-based clients.
Designing Terminal Service Security
Terminal Services allows clients to run Windows 2000 compatible applications on a terminal
server without loading Windows 2000 at the client computer. The terminal server hosts all client
data processing, application execution, and data storage.
In your network design you must include security design for the following Terminal Services issues:
· The potential for remote administration of a terminal server.
· All Terminal Services clients require access to the local file system.
· To use Terminal Services, the Terminal Services client must have the Log on Locally right to the
terminal server.
· By default, security is assigned to the Terminal Server User group and isn’t based on the individual
group memberships of the Terminal Services clients.
· Data sent between the terminal server and the Terminal Services client could be intercepted
(no encryption).
· Two-factor authentication methods, such as smart card logon, aren’t supported within Terminal Services.
** THE TERMINAL YOU ARE PERFORMING THE REMOTE ADMINISTRATION ON ACTS AS A DUMB TERMINAL **
TWO MODES:
· Remote Administration. You must be in the Administrators group and there can only
be two concurrent connections.
· Application mode. You can be any user with access to Terminal Services, and there
can be unlimited connections at the same time.
Types of Encryption:
Low Encryption. Low encryption encrypts only traffic sent from the client to the server.
Low encryption provides protection for passwords and any data inputted by the user
(keyboard) but doesn’t encrypt the screen data sent from the server to the client.
Medium Encryption. Medium encrypts all data transmitted between client and the
server. Medium encryption provides encryption for passwords and any data inputted
by the user and encrypts the screen data sent from the server to the client.
High Encryption. High encryption encrypts all data transmitted between the client
and the server. If the high encryption pack isn’t installed at either the terminal server or
the client computer running the Terminal Service client software, security will fall back
to the medium encryption level.
Apply to the Case Study:
Terminal Service Mode. Design for normal users to use so you need to configure as
application mode.
Excess right assignments. Logon locally permission.
Terminal server encryption. Medium or High encryption.
Additional configuration. Configure each terminal server so that all file volumes
use the NTFS file system to ensure local security of all files.
Lesson Summary:
· Terminal Services enables non-Windows 2000-based clients to operate applications in a full
Windows 2000 environment.
· Determine if you want low, medium or high encryption.