1. Windows 2000 Security
Security Essentials
The SANS Institute
Windows 2000 Security - SANS ©2001 1

This section will build on the basic NT security knowledge you have already gained. However, you will find that every NT security function is magnified in Windows 2000, and Windows 2000 has ten times the security features available in Windows NT. If NT were a row boat, Windows 2000 is the QE2. If NT were a cottage, then Windows 2000 is a 56-room mansion. Active Directory, security templates, Group Policy, System File Protection, Radius, IPSec, EFS, PKI, Kerberos, a new permission inheritance model, and granular assignment of administrative authority are but a few of the technologies and processes that you must understand if you are to design and implement security in Windows 2000. This section will introduce you to the possibilities.
3-1
2. Your Goals
• Understand Security Baselining
• Describe Security features – all versions/roles
• Describe Security features – Active Directory domain
• List 10 hardening steps

Goals and Objectives
We cannot talk about security and Windows 2000 without recognizing that there is more than one version of Windows 2000 and there are many functional roles that Windows 2000 may perform within a network or standing alone. Windows 2000 may be on a laptop computer as it travels from hotel to hotel to home to office. It may be on massive database servers, or limited desktop systems. Windows 2000 may serve as the OS for mail servers, web servers, file servers, firewalls and many other roles. When you discuss security and Windows 2000 you must discuss it within the context of its use. How secure is Windows 2000? How secure do you need it to be? How much knowledge do you have of its features and functions? Where will it be asked to perform? Who will be using it? All of these questions must be asked and understood.

In this section, we will discuss the need for security baselining, or the matching of security needs with system functions, and the specification of basic security requirements for different computer roles within a network. Next, we will examine the security features available in Windows 2000; first discussing those that are available for all systems, and then looking at the additional features available within a Windows 2000 Active Directory domain. Finally, 10 hardening steps, steps that should be taken during or immediately after Windows 2000 installation, will be presented.

Please note that thorough discussion of Windows 2000 security, and the ability to configure and use these features to your benefit, require more study than this introduction can provide. Your goal should be to become comfortable with the features available, so that you can evaluate them more thoroughly against the background of your organization's or your personal requirements.
3. Security Baselining
• Define the role
• Understand the platform
• Document the Desired Security Policy
• Deploy

Security Baselining
In order to examine the concept of security baselining, we will pick three common computer roles: Desktop, File Server, and Domain Controller. What version of Windows 2000 will each require? What is the security model for each? Who will be users on these systems? Where? How? For what? As we answer the questions about these roles, we can examine Windows 2000 to determine how it can fulfill them. Once computer use and desired security policy are determined, your job is to seek out the most relevant, efficient, and easily maintainable way to accomplish these goals. Several native Windows 2000 tools will be introduced which will provide you with automated means to do so. But first, let's define the Windows 2000 family.
4. Win 2K OS Versions
• Professional
• Server
• Advanced Server
• Datacenter Server

OS Versions
Windows 2000 Professional is the desktop version of the operating system. Windows NT Workstation and Windows 95 and 98 can be upgraded to Professional. Professional can be a member of a Windows NT 4.0 or Windows 2000 domain, or operate in a workgroup or without networking at all. Security is managed by local security settings. If a W2K Professional system is a member of a Windows 2000 domain, local security settings are overridden by those set at the domain level.

Windows 2000 Server and Advanced Server are similar in feature and function. They are meant to serve as domain controller, file server, database server, mail server, application server, web server, and the like. Unlike Windows NT, Windows 2000 servers may be promoted to domain controllers from member server status, and even demoted back to member server. Advanced Server allows more flexibility in the number of processors and offers Quality of Service drivers, and the ability to do network load balancing and perform as part of a cluster. Windows NT Server (3.51 and 4.0) may be upgraded to Windows 2000 Server.

Datacenter Server is meant to be the host for massive databases or for other powerful applications. This OS version is not sold independently of its hardware platform. Datacenter Server can have up to 32 processors.

                             Professional          Server                Advanced Server
Minimum RAM (MB)             64                    128                   128
Maximum RAM                  4 GB                  4 GB
Minimum Processor            133 MHz / Pentium compatible
Hard Drive Space Required    2 GB / 650 MB free    2 GB / 1.0 GB free
Processors                   1 or 2                1 to 4                1 to 8
NLB                          no                    no                    yes
Cluster?                     no                    no                    yes
5. Baseline – Desktop
• Windows 2000 Professional
  – Separate accounts for each user
  – No local accounts, except defaults, if part of a domain
  – Strong local account policy
  – Local audit settings
What else would your organization specify?

Once a specific computer role is defined, the first step is to choose a platform. Let’s start with an example where the computer will be used as a desktop system. It makes sense to assign Windows 2000 Professional. Although one could run word processing and other applications on a Windows 2000 Server, it would not make good economic or efficiency sense. Servers are optimized for background applications such as those accessed across the network by multiple users. Applications in the foreground, such as word processing, receive less attention, and productivity could suffer as a result.

What security requirements does this system have? Well, that depends on the network (or lack of network) within which it resides. We can begin with a list of well-known best practices, or abstract them from organizational policy.
6. Baseline – File Server
• Windows 2000 Server or Advanced Server
  – No local accounts except defaults
  – Strong local account policy
  – Domain member
  – Local audit settings
  – Limited physical access
What else would your organization specify?

We also have choices here. While Windows 2000 Professional can share files, unless we have an awfully small network, it will be an entirely inefficient choice. Professional is optimized for one-on-one use. Foreground processes, such as productivity applications (word processing, spreadsheet, and personal database) are given priority. There are limited resources available for network access. Windows 2000 Server or Advanced Server will be better choices. Unless there is also a need for load balancing, or more than 4 processors are required to manage the load, Server will probably be fine.

Notice the similar requirements for security. Keep that thought in mind for the next section. In addition to similar needs, a file server requires additional precautions. Good physical security is required. In most environments this means location = server room, access = legitimate needs met via a supervised visit, and then only direct console access by a qualified and designated administrator.
7. Baseline – Domain Controller
• Domain Controller
  – There are no PDC/BDC roles in W2K
  – Physical security
  – Special points to secure
  – Special security capabilities
  – Security policy for domain members, not just a single system

A domain controller (DC) requires special security handling. The DC is the seat of your user account database and the center for security policy controls. If an attacker can penetrate the security of your DC, he can wreak havoc on the entire domain, not just a single machine. The special role at the seat of security policy allows centralized control for many computers and users. Careful baselining of security for an entire logical group of computers and users is required. Security policies set at the domain will override those set on a local machine. Baselining for a DC leads to the incorporation of baselines for many computer and user roles.

In order to plan appropriately, consider the domain in Windows 2000 as the security boundary. That is, access by one domain’s users to another domain’s resources is non-existent (with one exception) until granted by domain administrators. This does not mean that every domain stands alone, rather that for those linked to other domains via trust relationships, several security features must be set only at the domain level. An example of this is the password policy which details, among other things, how long a password must be and how frequently it must be changed. If different areas of your organization require a different password policy, they must maintain separate domains. Within the domain, however, there is a vast assortment of possibilities for granular administration. Different types of users and computers can be placed within containers in the Active Directory. Administrative authority to manage these collections of accounts can be delegated.

In addition, many security features (such as PKI, EFS, Radius, et al.) are extended or only possible within a domain setting. Security policy to cover these new requirements should be specified. Before implementing DCs, desktops, file servers, and other W2K systems, you must establish the security baseline for each. The tools used to implement, maintain, and audit these baselines are part of the OS.
8. Common Security Features/Tools
• MMC
• Users and Groups
• NTFS File System
• System File Checker
• Windows Update Service
• Local Security Policy
• Security Configuration and Analysis
• IPSec
• VPN

All Windows 2000 computers have many security features in common. Security features can be divided between those available to all Windows 2000 computers no matter their role, and those that are extended or only available within an Active Directory Domain. The common features listed in the slide are available on all W2K platforms. However, the nature of the feature and the ability to use each feature, or to use it to control other systems, is platform and workgroup vs. domain specific. A VPN tunnel server may only be established on a W2K server, for example, while a W2K Professional system can be a VPN client. Examples of these differences in a domain vs. a workgroup setting are the new groups available, the integration of DNS and PKI available, and the domain-wide management of security policies, IPSec, and Remote Access.
9. Microsoft Management Console
• Flexible
• Multi-purpose
• Several pre-built Administrative Tools or pre-loaded MMC’s

Administration of Windows NT is often complicated by the large number of Administrative Tools, each of which has its own interface. Management of security features has to be carried out by using many of these tools. One of the Windows 2000 design goals was to reduce the number of tools necessary and to create a common interface which worked across all tools. The Microsoft Management Console (MMC) is the result. This tool is merely a shell within which many components or ‘snap-ins’ can be loaded to build customized administration tools. A few pre-built, customized MMCs are listed and available from the Administrative Tools section of Programs from the Start button or from the Control Panel. Additional tools are built by administrators by adding various administrative ‘snap-ins’ to one or many MMCs. Frequently, special tools are built for delegated responsibilities. In this case, a normal user account is given specific administrative authority and a special tool, which can only be used for that duty, is built for the user.
10. The Computer Management Console

Click Control Panel → Administrative Tools → Computer Management for a great example of one of the consoles that can be used to manage a Windows 2000 system. This is a great way to learn how your system is set up and we strongly encourage you to spend some time poking around (on a test system, of course!). When you use Computer Management as a Power User, not all of the options are shown, but you limit the harm you can cause to your operating system and this might be the best way to start. For instance, under System Information, hardware resources, components, drivers, environment variables, startup programs, etc. are displayed. In addition, you can see your installed software by opening the Applications container. Of course this may not be perfect. If you have installed a number of applications, you may find that only Microsoft products show in the Applications container. A better place to really spend some time learning about the system is the Software Environment view. From there, if you select loaded modules, you will see that it really was worth your money to invest in the RAM upgrade to run your Windows 2000 system.

The Event Viewer is used to examine system logs. Application and System logs record events and may be used to troubleshoot system problems. These event logs are not called audit logs. Auditing, the recording of security-related events, is not turned on by default. After auditing is turned on (using Local Security Policy or Group Policy, as well as appropriate file and registry key selections), auditing information is recorded in the Security Log. On the slide above, the Event Viewer\Application log is open. Information, Error, and Warning messages are exposed. Although it is not shown, this particular event is a message which explains changes made to the CRM log file and indicates that if the computer name was recently changed, this is an expected event. Since this system’s name was recently changed, the warning can be ignored. If the name had not recently been changed, this warning would need to be investigated further. The error messages in this case were also expected. Spend time with the Event Viewer to understand normal and abnormal events.
11. Windows 2000 Local Users and Groups

In Windows 2000, you can limit or extend the ability of users and groups to perform certain actions by assigning or denying them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders, or shutting down a computer. Administrators and some others have the right to log on to a Windows 2000 Server console. Users do not. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner. Permission settings are preset (but can be modified) in the registry and within the system files that assist in protecting them.

Windows 2000 Professional and Server systems have a built-in local account database with two default users (Administrator and Guest) as well as several default groups. The users and groups are much like those found in Windows NT and have similar rights and permissions. When you create new user accounts and assign them to groups, there are important security issues, since default groups have different security rights and permissions. Typically, as in Windows NT, you can define user roles and if default groups do not fulfill these roles, special, or custom, groups can be created, and rights and permissions assigned to meet the requirements of the role. User accounts obtain these rights and permissions when they are placed within these groups, and lose them when removed. An example of a special group might be ‘OrderManagers’. This group might then be given read access to files which contain orders. Another group, ‘Clerks’, might be given read and write access to these files. Clerks do data entry; managers review. Local Users and Groups are managed through the Computer Management Console.
12. Users and Power Users
To avoid loosening security on a Windows 2000 system, an administrator should:
• Make sure that end users are members of the Users group only
• Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully

Users cannot modify system-wide registry settings, operating system files, or most program files. Users can shut down W2K Professional, but not W2K Servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators and which they have been given permission to run. Users can also run programs installed by Power Users. If a user has the right to copy a file to a disk where they have read, write and execute privileges, a user can copy an executable file there and run it. Users have full control over all of their own data files and their own portion of the registry (HKEY_CURRENT_USER). Windows 2000 Users have fewer rights and permissions than Users in Windows NT.

Power Users – The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any W2K compatible program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000. A User may or may not be able to run the same program. Power Users and Users do not have access to the data of other users on an NTFS volume, unless they have been granted permission. Power Users can install or modify many programs. Some programs, however, such as those that require the installation of services, those which specifically require an Administrative account, or rights and permissions only granted to Administrator, cannot be installed by Power Users. For example, a program may modify data in areas of the registry to which Power Users have no access, or may improperly open a registry key or file for read, write and execute, when only read permission is necessary. If Power Users have read permission and Administrators have full control, the obvious result is that the Power User will not be able to install the program. A properly programmed install wizard might have allowed Power Users to install the program.

Certification specifications exist for software which is designed to run on Windows 2000. Different specifications exist for Professional, Server, Advanced Server, and Datacenter Server. If an application is not certified, that does not mean it will not run; however, it does mean there may be problems.
13. Replicator
• Used in a Windows 2000 Domain for Active Directory Replication
• No user accounts should be in this group

The Replicator group is used in a domain environment and ignored elsewhere. Its purpose is to provide a local group which represents rights and privileges on the local machine that might be required by the domain level replication efforts. It should be ignored in a workgroup environment, and never should contain ordinary user accounts.

Replication of files from file server to laptop is managed by the Offline Files feature and uses the synchronization manager to schedule and manage the task. A synchronization permission is required on the folders and files to be synchronized. If users need to synchronize files between two computers, they can do so without membership in this group. All that is required is the ability to share the files and in doing so, set Offline access to the folder (File Sharing properties page\Caching button\‘allow caching of files in this shared folder’). Then, after connecting to the share, the user must mark folders ‘make available offline’.
14. Implicit Groups
• Interactive
• Network
• Everyone
• Authenticated Users
• Self
• Creator Owner

There are several implicit, or built-in, Security Principals groups that are automatically created by Windows 2000. Membership in these groups is based on something that users are doing and as such, is not under administrative control. Several of these groups are defined below.
• Interactive. This group contains any user that is logged on locally to the computer.
• Network. This group contains all users who are currently accessing the system over the network.
• Creator Owner. This group contains the individual who created the object.
• Creator Group. When a member of the Administrators group creates a file or folder, the owner of the file is the Administrators group, not the administrator that created it.
• Dial-up. Users who have accessed the network remotely via dial-up.
• Terminal Server Users. Users using terminal services.
• Self. The user or group itself (allows access to properties of the user or group).
• Service. User accounts logged on as a service.

These groups can be used to control access to resources based on the manner in which the resource is accessed. For example, if we assign the INTERACTIVE group read and write access to the file ‘secret.txt’ and the NETWORK group only read access to ‘secret.txt’, then John, when he is logged on to the console, can read and write the file but when he accesses the same file over the network, he can only read the file.
15. NTFS File System

Like Windows NT, Windows 2000 makes available the NTFS file system. Like Windows NT, file and folder access is restricted by assigning permissions to users and groups. Those not allowed access are implicitly denied. In addition, Windows 2000 extended this model by making available granular explicit ‘deny’ permissions and by modifying the inheritance model. The most notable effect of this model change is that permission inheritance can be denied. When settings are established on a subfolder, a simple checkbox allows or prevents parent folder permissions from propagating to subfolders. This is extremely important in order to protect settings from being overridden by less secure settings made on parent folders. The ‘Allow inheritable permissions from parent to propagate to this object’ checkbox is used to allow or implicitly deny permission inheritance. Note that in the slide, this check box is unchecked on the system folder WINNT. Thus, permission settings on this folder will not be changed should Administrators change the setting on the root of the file system.

Another new feature of NTFS is the Encrypting File System. Users can encrypt and decrypt their files. Another user, even one with ‘read’ permission on the file, cannot read it. Default recovery agents are able to retrieve files if a user’s keys are lost or corrupted.
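The access-check rules from slides 14 and 15 (implicit INTERACTIVE/NETWORK membership, implicit deny, explicit Deny entries, and the inheritance checkbox on WINNT) are easier to reason about when written out. The following is an added toy model, not Windows code; the file names, ACEs and user "John" are constructed for the demonstration.

```python
"""Toy model of the Windows 2000 access-check rules on slides 14 and 15.

Constructed example, not Microsoft code. It models:
  - implicit groups (INTERACTIVE vs NETWORK) that depend on how the user connected,
  - implicit deny (no matching entry -> no access),
  - explicit Deny entries, which win over any Allow,
  - inheritance from a parent folder that can be blocked per object
    (the 'Allow inheritable permissions from parent to propagate' checkbox).
"""
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group name, e.g. "John" or "INTERACTIVE"
    access: str         # READ or WRITE
    allow: bool = True  # False models an explicit Deny entry


@dataclass
class SecuredObject:
    name: str
    aces: list = field(default_factory=list)   # entries set directly on this object
    parent: "SecuredObject | None" = None
    inherit_from_parent: bool = True           # the checkbox on the slide


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset


def build_token(user, groups, logon):
    """Add the implicit group that matches the logon type (constructed helper)."""
    implicit = {"console": "INTERACTIVE", "network": "NETWORK"}[logon]
    return Token(user, frozenset(groups) | {implicit, "Everyone"})


def effective_aces(obj):
    """Own entries first, then inherited ones unless inheritance is blocked."""
    aces = list(obj.aces)
    node = obj
    while node.inherit_from_parent and node.parent is not None:
        node = node.parent
        aces.extend(node.aces)
    return aces


def access_allowed(token, obj, access):
    identities = token.groups | {token.user}
    allowed = False
    for ace in effective_aces(obj):
        if ace.trustee not in identities or ace.access != access:
            continue
        if not ace.allow:
            return False    # explicit Deny overrides every Allow
        allowed = True
    return allowed          # no matching entry: implicitly denied


def demo():
    # Slide 14: same file, different result depending on how John connects.
    secret = SecuredObject("secret.txt", aces=[
        Ace("INTERACTIVE", READ), Ace("INTERACTIVE", WRITE), Ace("NETWORK", READ),
    ])
    console = build_token("John", [], "console")
    remote = build_token("John", [], "network")
    # Explicit Deny: Everyone may read, but John specifically is denied.
    denied = SecuredObject("denied.txt", aces=[Ace("Everyone", READ),
                                              Ace("John", READ, allow=False)])
    # Slide 15: the root grants Everyone write; WINNT blocks inheritance.
    root = SecuredObject("C:\\", aces=[Ace("Everyone", WRITE), Ace("Everyone", READ)])
    winnt = SecuredObject("C:\\WINNT", parent=root, inherit_from_parent=False,
                          aces=[Ace("Administrators", WRITE), Ace("Everyone", READ)])
    temp = SecuredObject("C:\\Temp", parent=root)
    admin = build_token("Admin", ["Administrators"], "console")
    return {
        "john_console_write": access_allowed(console, secret, WRITE),
        "john_network_write": access_allowed(remote, secret, WRITE),
        "john_network_read": access_allowed(remote, secret, READ),
        "john_denied_read": access_allowed(console, denied, READ),
        "john_temp_write": access_allowed(console, temp, WRITE),
        "john_winnt_write": access_allowed(console, winnt, WRITE),
        "admin_winnt_write": access_allowed(admin, winnt, WRITE),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```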
16. Windows File Protection
• Prevents applications from overwriting or deleting important system files
• Ensures that your system files are up-to-date
• A command-line tool, System File Checker, can be used to check files on demand

What Are System Files?
In previous versions of Windows, applications often overwrote shared .dll files and .exe system files. (If you’ve worked with any version of Windows, you're probably very familiar with the term "DLL hell.") When installation programs mess with key system files, your system can become unusable, and troubleshooting can be a nightmare. And if you think that only third-party applications are guilty of overwriting your system files, think again. Many of Microsoft’s applications are notorious for overwriting system files – even files that other Microsoft software uses. The problem is that many applications (including Microsoft's) don't check existing system file versions before overwriting the files. Most vendors are interested in ensuring that their software runs without problems, and the software you installed most recently probably works flawlessly – but it might work at the expense of other applications. For example, if you install audio applications from competing vendors, the one you install last will have the best chance of working properly. Developers aren't solely to blame for these system-file problems – several other factors are involved, including OS limitations. OS stability is more important than application stability. This is addressed in Win2K by Windows File Protection.

Windows File Protection runs in the background and ensures that setup programs don't permanently delete or overwrite any important system files. By default, Win2K enables Windows File Protection. When a program attempts to delete or move a protected system file, Windows File Protection checks the digital signature of the file to ensure that it's a correct version. If it is not the correct version, Windows File Protection attempts to copy the file from the %systemroot%\System32\Dllcache folder. If the necessary file is not in the cache, a prompt for the W2K installation CD-ROM appears.

The System File Checker (or SFC) is a command-line tool which can be used to scan a W2K system and verify that the versions of protected system files are correct. If a protected system file has moved or has disappeared, SFC automatically replaces the file with the correct version from the Dllcache folder, or prompts for the installation CD-ROM. This tool also lets you set the Windows File Protection cache file size, thus allowing more or fewer system files to be available during unattended operation. You must be a member of the Administrators group to run SFC.
17. Using SFC to check System Files

Typing SFC at the command prompt will display the options available.
sfc /scannow immediately scans the system files.
sfc /scanonce scans the system files once, and sfc /scanboot scans protected system files every time you reboot your computer.
If you've scheduled a scan and you change your mind, sfc /cancel cancels the scan.
If you don’t want the SFC to prompt you about each file that it intends to replace, use sfc /quiet.

SFC switches which manipulate the Windows File Protection cache are:
sfc /purgecache – purges the file cache and scans all system files immediately.
sfc /cachesize – configures the size of the Windows File Protection cache. For example, to restrict the cache size to 2MB, type sfc /cachesize=2048.
sfc /enable – returns to the default Windows File Protection operation. In this mode, SFC automatically restores or prompts you to restore the correct system file version whenever it detects that an application has overwritten a file. Don’t forget to enable this option before you exit the command prompt window.
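The decision flow on slides 16 and 17 (verify the protected file; if wrong or missing, restore from Dllcache; if not cached, prompt for the CD-ROM, or skip silently with /quiet) as an added Python model. This is not Microsoft's code: a SHA-256 manifest stands in for the catalog signature check, dictionaries stand in for System32 and Dllcache, and all file names and contents are constructed.

```python
"""Model of the Windows File Protection / SFC decision flow from slides 16-17.

Constructed example, not Microsoft code. Real WFP checks a digital signature;
here a SHA-256 manifest stands in for that check, and a dict stands in for
%systemroot%\\System32\\Dllcache. Decisions per protected file:
  1. file matches the known-good version        -> nothing to do
  2. file wrong or missing, good copy in cache  -> restore from cache
  3. file wrong or missing, not in cache        -> prompt for the CD-ROM
     (or skip the prompt when running with /quiet)
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" contents of three protected files (made up).
GOOD = {
    "kernel32.dll": b"kernel32 build 2195 (constructed)",
    "user32.dll": b"user32 build 2195 (constructed)",
    "gdi32.dll": b"gdi32 build 2195 (constructed)",
}
# The manifest plays the role of the signature catalog.
MANIFEST = {name: digest(content) for name, content in GOOD.items()}


def scan(system32: dict, dllcache: dict, quiet: bool = False):
    """Emulate 'sfc /scannow'. system32 and dllcache map file name -> bytes.
    Files in system32 are repaired in place where the cache allows it.
    Returns a list of (file, action) tuples."""
    actions = []
    for name, expected in MANIFEST.items():
        current = system32.get(name)
        if current is not None and digest(current) == expected:
            actions.append((name, "ok"))
            continue
        cached = dllcache.get(name)
        if cached is not None and digest(cached) == expected:
            system32[name] = cached            # restore from Dllcache
            actions.append((name, "restored-from-cache"))
        else:
            actions.append((name, "skipped" if quiet else "prompt-cd"))
    return actions


def demo():
    # Constructed state: a setup program overwrote user32.dll with an older
    # build and deleted gdi32.dll; only user32.dll is present in Dllcache.
    system32 = {
        "kernel32.dll": GOOD["kernel32.dll"],
        "user32.dll": b"user32 build 1381 dropped in by an installer",
    }
    dllcache = {"user32.dll": GOOD["user32.dll"]}
    result = dict(scan(system32, dllcache))
    # After the scan the restored file is the known-good version again.
    assert digest(system32["user32.dll"]) == MANIFEST["user32.dll"]
    return result


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```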
18. Local Security Policy

The Administrative Tools\Local Security Policy console can be used to configure security settings for a single Windows 2000 system. This is an especially important tool for users of standalone W2K Professional systems. If Windows 2000 Professional is a domain member, local security settings will be overwritten by policies established at the domain level. Users with laptops who have local administrative user accounts on their systems can also configure system security using this tool. When they are logged on using the local account, security policies set locally will apply. If they are logged on using their domain account, domain policies will apply. This tool will show you both your local settings and also your effective (domain) settings. If the domain controller overrides your local setting, these will not match.

The slide shows configuration of a warning banner for logins. A warning banner will not prevent unauthorized users from logging on, but serves as notice that they should not do so. Logon banners may serve as legal notices. Court cases involving network penetration have been dismissed when logon banners which read ‘welcome’ were used. Using banners which have strong legal warnings and acceptable use information helps honest individuals understand how the system should be used and may assist in obtaining convictions, or support sanctions when the policy is ignored.

Security settings that can thwart attackers and provide evidence of their attempts are also present in security settings and can be used effectively by domain and local administrators to protect the system. Imagine that you are traveling a lot with your laptop. It might be a good idea to have a more stringent policy for the local settings than when you are at home with your alarm system, big dog, and neighbors that primarily work in high security government positions. Likewise, if your job is to protect corporate road warriors from themselves, you will want to thoroughly understand and set security on laptops for them. Potential defensive settings include the ability to lock out accounts after a number of failed logins, requiring complex passwords, auditing successful and failed access of sensitive files, policies and such, restricting user rights, renaming the administrator account, blocking the loading of unsigned drivers, preventing the use of EFS, and establishing secure network communications via IPSec policies. We’ll be talking more about many of these security features, but for now you should remember where to look for the security policy that is effective on a local machine, and where you might be able to manage these settings.
19. Security Configuration and Analysis

A marvelous new tool available with Windows 2000 is the Security Configuration and Analysis and Security Templates snap-ins to the MMC. Security templates (either pre-configured default templates or customized templates) can be used to quickly apply security settings to a host, or to analyze the current settings against a template representing policy. Analysis provides a simple way for administrators and auditors to determine the security configuration status of a particular machine.

Remember the security baselines we examined for desktop, server, and DC? Pre-configured, recommended security templates are available for each of these baselines. In fact, default templates exist for three levels of security: default, secure, and high security, for domain controllers, workstations, and servers. Security template settings mirror those available in Local Security Policy. Additional templates are available for web servers and other models. Templates may be customized by changing settings and adding new features. New templates can also be created. In the slide, mydomain and mylocal represent custom templates. The red x’s indicate the results of an analysis of the current computer’s settings against a desired policy. Each container, when opened, documents variance from policy. The analysis does not modify settings on the host.
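What the analysis step does, as an added Python model (not Microsoft's implementation): read a template and a snapshot of the host's current settings, both in the INF layout that Windows 2000 .inf security templates use, and report every setting that varies from policy without changing anything on the host. The template values, the host snapshot and the "x" report lines are constructed for the demonstration.

```python
"""Model of the Security Configuration and Analysis comparison on slide 19.

Constructed example, not Microsoft's code. Both inputs use the INF layout of
Windows 2000 security templates (section headers such as [System Access] and
[Event Audit]); the values below are made up. The comparison is read-only,
like the real analysis: nothing is applied to the host.
"""
import configparser

# Constructed template: the policy this host is supposed to match.
TEMPLATE_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5

[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 2
"""

# Constructed snapshot of the host's current settings, same layout.
CURRENT_INF = """
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 0

[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
"""


def parse_inf(text):
    """Parse INF sections into {section: {key: value}}; values stay strings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep key names' case exactly
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def analyze(template, current):
    """Return {section: {key: (policy, actual)}} for each setting that differs.
    A key absent on the host is reported with actual=None ('not defined')."""
    findings = {}
    for section, wanted in template.items():
        actual = current.get(section, {})
        for key, policy in wanted.items():
            have = actual.get(key)
            if have != policy:
                findings.setdefault(section, {})[key] = (policy, have)
    return findings


def report(findings):
    """One line per variance, mirroring the red x the snap-in shows."""
    lines = []
    for section, items in findings.items():
        for key, (policy, have) in items.items():
            shown = "not defined" if have is None else have
            lines.append(f"x {section}\\{key}: policy={policy} actual={shown}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(parse_inf(TEMPLATE_INF), parse_inf(CURRENT_INF))):
        print(line)
```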
20. Windows Update

Other tools are available in the Support Tools folder on the Windows 2000 server CD-ROM, in the Windows 2000 Resource Kit, and online. Two important online sites are Windows Update and Windows 2000 Security (www.microsoft.com\technet\security).

The Windows Update site, seen here, provides information on Critical and Recommended updates for Windows systems. With permission, the current machine can be scanned and Windows Update will recommend updates and then allow them to be run. Updates include service packs, newer device drivers, and security patches. Explanations are also available. While organizations should manage enterprise-wide updating of Windows systems, this site is important to users of Windows who are not managed in this fashion. Similar updating is available for users of Microsoft Office.

The Windows security site provides detailed security information and notice and explanation of security patches with links to free downloads. It also includes multiple free security tools. A detailed list of hardening steps for Windows systems is also available. You can sign up for a security bulletin list, which will email you as new security bulletins and patches are available.