Chapter 1, Introduction to Microsoft Windows 2000 Security

 

|1|     Chapter Overview

                  Microsoft Windows 2000 Security Services Overview

Security subsystem components

                           Local Security Authority (LSA) functionality

                           Windows 2000 security protocols

                           Security Support Provider Interface (SSPI)

                  Determining Security Business Requirements

                  Determining Security to Meet Technical Requirements

 

       Chapter 1, Lesson 1

|2|        Microsoft Windows 2000 Security Services Overview

 

 

         Use the diagram on Slide 3 to visualize and compare the functions of the services to their location in the Windows 2000 architecture.

 

|3|     1.    Introduction

                  A.      Two processor access modes

                           1.       Applications generally run in user mode.

                           2.       OS functions run in kernel mode.

                  B.      Protected access to kernel mode

                           1.       User mode ensures that a user process cannot corrupt system drivers located in kernel mode.

                           2.       The user application requests system services through an application programming interface (API), which is forwarded to the required kernel mode services.

                  C.      Windows 2000 security split

                           1.       User mode

                                     a.      Active Directory directory service runs in the security subsystem.

                           2.       Kernel mode

                                     a.      The security reference monitor enforces the security rules of the security subsystem.

                                     b.      Enforcing security in kernel mode prevents user intervention.

 

         Note  The security subsystem passes the access request to the security reference monitor in kernel mode, which compares it against the discretionary access control list (DACL) of the object being accessed.

 

                  D.      Integration of the Active Directory within the security subsystem

                           1.       Active Directory access can be protected by a combination of

                                     a.      Authentication

                                     b.      Verification of the security principal’s identity and authorization

                                     c.       Validation that the security principal has the necessary permissions to perform the task

|4|     2.    Security Subsystem Components

                  A.      Introduction

                           1.       The security subsystem runs within the security context of the local security authority (LSA) process.

                           2.       The LSA process is split between user mode and kernel mode.

                  B.      Netlogon service (Netlogon.dll)

                           1.       Maintains a computer’s secure channel to a domain controller (DC) in its domain

                           2.       Passes credentials to the DC via a secure channel and returns an access token populated with Security Identifiers (SIDs) and user rights for the security principal

 

         Note  In mixed mode, the Netlogon service is responsible for the replication of Active Directory data to any Microsoft Windows NT backup domain controllers (BDCs) that exist in the domain.

 

                  C.      NTLM authentication protocol (Msv1_0.dll)

                           1.       Authenticates clients that cannot use Kerberos authentication

                           2.       Includes Microsoft Windows 95, Microsoft Windows 98, and Windows NT computers

 

         Note  Question: What application layer protocol is used to secure credit card transactions on the Internet?

 

                  D.      Secure Sockets Layer (SSL) authentication protocol (Schannel.dll)

                           1.       Application layer protocol

                           2.       Provides encryption services to transported data

                           3.       Encrypts all data passing through the channel

                           4.       The application must be coded to recognize and implement SSL.

                  E.      Kerberos v5 authentication protocol (Kerberos.dll)

                           1.       Default authentication protocol used by Windows 2000

                           2.       Uses ticket-granting tickets (TGTs) and service tickets (STs)

                  F.      Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)

                           1.       Issues TGTs to a client when it initially authenticates with the network

                           2.       The client presents its TGT in subsequent requests to acquire service tickets, which authenticate the requesting client to a service

                  G.      LSA server service (Lsasrv.dll)

                           1.       Enforces all defined security policies within Active Directory

                  H.      Security Accounts Manager (SAM) (Samsrv.dll)

                           1.       Stores local security accounts on non-DCs

                           2.       Enforces all locally stored policies

                  I.        Directory Service module (ntdsa.dll)

                           1.       Supports replication between Windows 2000 DCs

                           2.       Supports all Lightweight Directory Access Protocol (LDAP) access to Active Directory

                           3.       Manages three partitions of data

                                     a.      Domain naming context

                                     b.      Configuration naming context

                                     c.       Schema naming context

                  J.       Multiple Authentication Provider (Secur32.dll)

                           1.       A Security Support Provider (SSP)

                           2.       Supports all security packages available on the system

                                     a.      Secure channel

                                     b.      Distributed Password Authentication (DPA)

                                     c.       Kerberos

                                     d.      NT LAN Manager (NTLM)

|5|     3.    LSA Functionality

                  A.      Allows users to authenticate interactively

                  B.      Generates an access token for the security principal

                           1.       The access token contains the SIDs for the user account and all groups that contain the user account as a member.

 

         Note  If the user account or group account was previously a member of a different domain, the SIDs stored in its SIDHistory attribute are also added to the user’s access token. This allows the user to access any resources whose DACL still contains the previous SID.

 

                  C.      Manages local security policy

                           1.       Includes all security policies that have been defined for the local computer

                           2.       Security policy settings may be overridden if any Group Policies are defined.

                  D.      Manages audit policy and settings

                           1.       Includes writing the alert to the correct event log

                  E.      Builds a list of trusted domains

                  F.      Determines user privileges

                  G.      Reads the system access control list (SACL) for each object

                  H.      Ensures that a security principal has the necessary rights to perform tasks

                  I.        Manages memory quotas for the use of both paged and nonpaged memory
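         As an added example (not part of the course material), the check described above: the LSA-built access token, including any SIDs carried over from SIDHistory, is compared by the security reference monitor against an object’s DACL. SIDs, right bits and the DACL itself are constructed for the example.

```python
from dataclasses import dataclass

# Access right bits for the object (constructed; modelled on generic rights)
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass
class AccessToken:
    """What the LSA builds at logon: the user's SID, the SIDs of every group that contains
    the user, and (for migrated accounts) the SIDs carried in the SIDHistory attribute."""
    user_sid: str
    group_sids: frozenset
    sid_history: frozenset = frozenset()

    def sids(self):
        return {self.user_sid} | self.group_sids | self.sid_history

@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    sid: str       # trustee SID
    mask: int      # rights this ACE covers

def access_check(token, dacl, requested):
    """Simplified security reference monitor check of a token against an object's DACL.

    Follows the Windows rules: a missing (NULL) DACL grants everything, an empty DACL grants
    nothing, and ACEs are walked in order until every requested bit has been granted; a deny
    ACE for any SID in the token that covers a still-ungranted bit ends the check with denial."""
    if dacl is None:
        return True
    sids = token.sids()
    remaining = requested
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

# Constructed SIDs: domain ...-100 is the account's current domain, ...-200 the one it migrated from
USER, DOMAIN_USERS, OLD_USER = "S-1-5-21-100-1105", "S-1-5-21-100-513", "S-1-5-21-200-1030"

def demo():
    """A resource whose DACL still names the pre-migration SID; only SIDHistory keeps it reachable."""
    dacl = [Ace("deny", DOMAIN_USERS, DELETE),            # canonical order: deny ACEs first
            Ace("allow", OLD_USER, READ | WRITE)]
    migrated = AccessToken(USER, frozenset({DOMAIN_USERS}), frozenset({OLD_USER}))
    fresh = AccessToken(USER, frozenset({DOMAIN_USERS}))  # same account, SIDHistory not populated
    return {
        "migrated_read_write": access_check(migrated, dacl, READ | WRITE),   # True
        "migrated_delete": access_check(migrated, dacl, DELETE),             # False: deny ACE
        "fresh_read": access_check(fresh, dacl, READ),                       # False: no matching ACE
        "null_dacl": access_check(fresh, None, DELETE),                      # True: unprotected object
        "empty_dacl": access_check(fresh, [], READ),                         # False: nobody is granted
    }
```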

|6|     4.    Windows 2000 Security Protocols

                  A.      Introduction

                           1.       Multiple network security protocols provide authentication services.

                           2.       Broad support ensures maximum compatibility for network clients.

                           3.       Clients include previous Microsoft operating systems and foreign clients, such as UNIX.

                           4.       Use of a specific security protocol is not required.

                  B.      Distributed Password Authentication (DPA)

                           1.       A shared secret authentication protocol used by Internet membership organizations such as MSN

                           2.       Part of Microsoft Commercial Internet System (MCIS) services

                           3.       Allows a single account and password to be used to connect to all Internet sites that are members of the same Internet membership organization

                           4.       Uses the MCIS security services (known as the membership service) for membership authentication and server-specific access information

                  C.      Secure channel (SChannel) services

                           1.       Provides the ability to authenticate using public key-based protocols

                                     a.      Provides authentication of both clients and servers

                                     b.      Protocols include SSL and Transport Layer Security (TLS)

                           2.       When deploying a public key infrastructure, use Certificate Services to establish Certification Authorities (CAs).

                                     a.      CAs are responsible for issuing digital certificates.

                                     b.      Digital certificates can be used for authentication.

|7|               D.      Windows NT LAN Manager (NTLM)

                           1.       Used by Windows NT 4.0 and Windows 95 and Windows 98 clients with the Directory Services client installed

                           2.       Used for pass-through network authentication and local account authentication for Microsoft Windows 2000 Professional and Windows 2000 member servers

                           3.       The NTLM security provider uses the MSV1_0 authentication service and the Netlogon service to provide client authentication and authorization.

|8|               E.      Kerberos v5

                           1.       The default security protocol for Windows 2000–based computers

                           2.       Provides mutual authentication of client and server

                           3.       Provides better performance and supports delegation of authentication

                           4.       Uses the KDC service on a DC and Active Directory for obtaining TGTs and STs
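         As an added example (not part of the course material) of the KDC service and Kerberos v5 items above: a toy model of the three exchanges, with pre-authentication at logon, the TGT presented to obtain a service ticket, and mutual authentication of the service. The sealing primitive, principal names and secrets are constructed stand-ins, not Kerberos encryption types or real accounts.

```python
import hashlib, hmac, json, os, time
LIFETIME = 600          # ticket lifetime in seconds (constructed value)

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption standing in for a Kerberos etype: XOR keystream + HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def long_term_key(secret):
    return hashlib.sha256(secret.encode()).digest()   # stand-in for a password-derived key

fresh = lambda ts: abs(time.time() - ts) <= 300     # clock-skew window for timestamps

def verify(ticket_key, ticket, authenticator):
    """Open a ticket with the key of the principal it was issued to, then the authenticator with the
    session key inside it; the KDC does this with a TGT, a service does it with an ST."""
    t = unseal(ticket_key, ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if t["exp"] < time.time() or not fresh(auth["ts"]) or auth["cname"] != t["cname"]:
        raise ValueError("ticket expired, stale authenticator, or name mismatch")
    return t, auth

class KDC:
    """Kdcsvc.dll role: holds every principal's long-term key (from Active Directory)."""
    def __init__(self, principals):
        self.keys = {n: long_term_key(s) for n, s in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)   # seals TGTs; never leaves the KDC

    def issue(self, sname, cname, reply_key):
        # Ticket is sealed under the target's key; the client gets the session key under reply_key
        session = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": cname, "key": session, "exp": time.time() + LIFETIME})
        return ticket, seal(reply_key, {"sname": sname, "key": session})

    def as_exchange(self, cname, preauth):
        # Pre-authentication: the client proves it knows its key by sealing a fresh timestamp
        if not fresh(unseal(self.keys[cname], preauth)["ts"]):
            raise ValueError("stale pre-authentication data")
        return self.issue("krbtgt", cname, self.keys[cname])

    def tgs_exchange(self, tgt, authenticator, sname):
        t, _ = verify(self.keys["krbtgt"], tgt, authenticator)   # TGT proves identity; no password needed
        return self.issue(sname, t["cname"], bytes.fromhex(t["key"]))

class Service:
    """A server principal: knows only its own key and never contacts the KDC during the AP exchange."""
    def __init__(self, name, secret):
        self.name, self.key, self.authenticated = name, long_term_key(secret), []

    def accept(self, st, authenticator):
        t, auth = verify(self.key, st, authenticator)
        self.authenticated.append(t["cname"])
        return seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})   # AP-REP: proves the service's identity

class Client:
    def __init__(self, cname, secret):
        self.cname, self.key = cname, long_term_key(secret)

    def logon(self, kdc):
        self.tgt, enc = kdc.as_exchange(self.cname, seal(self.key, {"ts": time.time()}))
        self.tgt_key = bytes.fromhex(unseal(self.key, enc)["key"])   # wrong password: unseal fails

    def connect(self, kdc, service):
        st, enc = kdc.tgs_exchange(self.tgt, seal(self.tgt_key, {"cname": self.cname, "ts": time.time()}), service.name)
        key = bytes.fromhex(unseal(self.tgt_key, enc)["key"])
        ts = time.time()
        ap_rep = service.accept(st, seal(key, {"cname": self.cname, "ts": ts}))
        if unseal(key, ap_rep)["ts"] != ts:                 # mutual authentication check
            raise ValueError("service failed mutual authentication")
        return service.name

def run_demo(password="correct horse"):
    kdc = KDC({"alice": "correct horse", "cifs/fs1": "fs1 machine secret"})   # constructed principals
    fs1 = Service("cifs/fs1", "fs1 machine secret")
    alice = Client("alice", password)
    alice.logon(kdc)           # AS exchange: TGT + TGT session key
    alice.connect(kdc, fs1)    # TGS exchange for an ST, then AP exchange with fs1
    return fs1.authenticated
```

Calling run_demo with a wrong password raises ValueError at the AS exchange, because the pre-authentication data cannot be opened with the key the KDC holds for the account.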

|9|     5.    Security Support Provider Interface (SSPI)

                  A.      Hides the details of the Windows 2000 security protocols from applications

                  B.      Implemented as a Win32 API based on the Generic Security Service Application Program Interface (GSSAPI)

                  C.      Provides a similar abstraction for managing security contexts

                  D.      Applications do not have to be coded to specifically support each network security protocol.

                  E.      Applications call SSPI routines directly or use connection management protocols provided by Remote Procedure Calls (RPCs) or Distributed Component Object Model (DCOM) processes to authenticate.

 

Chapter 1, Lesson 2

|10|    Determining Security Business Requirements

       1.    Introduction

                  A.      Collect and understand all the business requirements of the organization.

                  B.      Assume that business requirements define the criteria for the security design.

                  C.      Identify company priorities.

                  D.      Recognize the organization's risk level.

|11|    2.    Analyzing Business Requirements

                  A.      Business model

                           1.       Affects an organization’s network security plan

                                     a.      Multiple branch organizations may have security requirements different from those of organizations at a single location.

                           2.       The decision-making method within the company affects the security design

                                     a.      A centralized decision process will lead to a centralized security plan.

                  B.      Business processes

                           1.       Day-to-day business processes must not be hindered by security.

                           2.       Know how an organization’s daily business processes flow.

                           3.       Understand everyone’s part in the project and their actions in the business processes.

                                     a.      Business processes help define permissions for resources and group strategies in Active Directory.

                           4.       Know what rights are required for the management of the company.

                                     a.      Used to define the delegation of administration structure

                  C.      Projected growth

                           1.       Do not deploy security plans with short life spans.

                           2.       Ensure that the security plan will be flexible and will provide for growth.

                                     a.      Understand existing relationships with partners.

                                     b.      Determine if mergers or acquisitions are planned.

                  D.      Management strategy

                           1.       Know whether the company uses centralized or decentralized management practices, or a mixture of each.

                           2.       Know who manages user and computer resources.

                  E.      Current security policy

                           1.       Many organizations have predefined security policies.

                           2.       Defines the organization’s aversion to risk

                           3.       States what the organization considers to be the minimum acceptable levels of security within the organization

                           4.       Each facet of the network may have its own security policy.

                  F.      Tolerance of risk

                           1.       By determining an organization’s tolerance of risk, it is possible to design security to reduce the perceived risks faced by the organization.

                           2.       Risk is defined by the costs faced if the risk occurs, multiplied by the probability that the risk will actually take place.

                           3.       Converting risk into a numeric formula will assist in prioritizing risks.

                  G.      Laws and regulations

                           1.       An organization must abide by the laws and regulations of the jurisdictions where the organization performs business.

                           2.       Some countries require that all network management take place from within the actual country, which will require decentralized management of security within that country.

                           3.       Security design is affected by U.S. export rules and the import laws of the countries the organization does business in.

                  H.      Financial status of the organization

                           1.       The security solution will have a dollar value associated with it.

                           2.       Know the projected costs for implementing a security solution.

 

         Instructor Note  Economics plays a big part in designing network security. If the best security solution is not economically possible, alternative solutions may need to be developed and presented to the company.

 

                  I.        Current employee skill sets

                           1.       Identify skill set shortfalls in a security solution.

                           2.       Possible solutions: bring in consultants with the required skills, or provide training for the current staff.

                           3.       Both methods have costs associated with them.

|12|    3.    Making the Decision: Business Requirements

                  A.      Centralized administration model

                           1.       Management of membership within all administrative groups

                           2.       Minimizes the number of domains

                  B.      Decentralized administration model

                           1.       Determine which users will require administrative abilities.

                           2.       Determine exactly what rights and permissions the users will require.

                           3.       Determine whether the administration can be limited to specific classes of objects or to specific attributes of an object.

                           4.       Determine if delegation of administration will meet the organization’s needs.

                  C.      Business processes

                           1.       Identify the flow of all information involved in the business process.

                           2.       Determine which users require access to the services involved in the business process.

                           3.       Determine the level of access that each participant requires.

                  D.      Growth projection

                           1.       Project the future number of users and computers that will be a part of the network.

                           2.       Determine the geographic spread of the organization.

                           3.       Include a security strategy so that the plan does not need to be modified as the organization grows.

                  E.      Risk aversion

                           1.       Determine exactly what the organization considers to be risky.

                           2.       The design must mitigate the risks and include what actions to take if the risks occur.

                  F.      International business

                           1.       Determine if any of the participating countries’ laws will affect decisions for security implementation.

                           2.       Identify all import and export laws.

                  G.      Cost constraints

                           1.       Ensure that the security plan is designed within the organization’s budget.

                           2.       Report all forecasted costs early in the design process so the design can be modified earlier in the process if costs are too high.

                  H.      Required skill sets

                           1.       Determine what skill sets are lacking in the organization.

                           2.       Determine whether it is more effective to bring in third-party skills or implement training of the current staff.

|13|    4.    Applying the Decision: Business Requirements

                  A.      Centralized administration for user accounts

                           1.       All user accounts are created and modified at the head office in Tokyo.

                           2.       The number of domains in the forest must be minimized.

                           3.       Membership in the Domain Admins, Enterprise Admins, Administrators, and Account Operators groups must be carefully monitored.

                  B.      Decentralized administration of servers

                           1.       The local servers are managed by the local IT staff at each office.

                           2.       Ensure that IT support staff are members of the Server Operators group in the domains where the servers are located.

                  C.      Decentralized administration of user passwords

                           1.       The help desk staff must have the ability to reset all user passwords.

                           2.       The right to reset passwords should be delegated to a local group that contains all help desk user accounts.

                           3.       Ensures that help desk personnel will not be granted excess privileges

                  D.      Business process alignment

                           1.       Help desk personnel can only reset passwords.

                           2.       The Tokyo IT department must make any other changes to user accounts.

                  E.      Plans for future growth

                           1.       Windows 2000 Active Directory supports larger domains than Windows NT 4.0.

                           2.       Additional sites must be defined for each of the distribution centers.

                           3.       Current embargoes on Cuba may require a separate domain to be established for the Havana office.

                  F.      Issues concerning the Havana office

                           1.       Cuba is currently on the list of U.S. embargoed countries.

                           2.       Exportation of 128-bit encryption products to Cuba is prohibited.

                           3.       The design of the online ordering application will be affected.

                  G.      Considerations for risk aversion

                           1.       The company’s Web site was recently hacked.

                           2.       Security design for the Web site must take into account how the previous attack was accomplished.

                           3.       The design must ensure that the same methods cannot be used again.

                  H.      Skill set shortages

                           1.       The staff does not have the necessary skill sets to implement network security improvements to the online ordering Web site.

                           2.       The Web administrator’s suggestion of three weeks of specialized training is inadequate to effectively reduce the risk of the ordering Web site being hacked.

                           3.       Consultants must be brought in to design the ordering Web site.

                           4.       The actual creation of the Web site and all necessary security mechanisms could be outsourced.

      

Chapter 1, Lesson 3

|14|    Designing Security to Meet Technical Requirements

       1.    Introduction

                  A.      A security plan must meet both the business requirements and the technical requirements defined by the organization.

                  B.      Technical requirements serve as constraints in the security plan.

                  C.      All technical requirements must be met by the proposed solution.

|15|    2.    Determining Technical Requirements

                  A.      Total size and distribution of resources

                           1.       Determine how security must be defined for an organization.

                           2.       The distribution will define Active Directory sites, domains, and organizational units (OUs).

                  B.      Performance considerations

                           1.       Implementation of encryption technologies results in performance costs.

                           2.       The organization must define acceptable performance standards for common tasks.

                  C.      WAN links

                           1.       Evaluate how remote offices are connected to the corporate office.

                           2.       Determine whether dedicated network links exist or whether to use virtual networking.

                           3.       Determine what level of encryption is required for WAN links.

                           4.       Determine if tunneling protocols will interoperate with any third-party products.

                  D.      WAN usage

                           1.       Identify the current utilization of any existing WAN links.

                           2.       Do not simply identify the speed of the WAN links.

                  E.      How data is accessed

                           1.       Identify which protocols, applications, users, and computers are used.

                           2.       Ensure that security is maintained as data is accessed.

                  F.      Administrative structure

                           1.       Identify who administers the network and where administration takes place.

                                     a.      Leads to the best Active Directory structure and administrative group memberships for an organization

                                     b.      Helps design the delegation of administration strategy for managing objects in Active Directory and network resources

                  G.      Current application base

                           1.       Windows 2000 introduces a stronger baseline security for computers.

                           2.       Windows 2000 security is not always compatible with earlier versions of applications.

                           3.       Identify any necessary application migration that must take place.

                           4.       The security plan must contain all required testing and proposed solutions for migration to a Windows 2000–compatible version of the application.

|16|    3.    Making the Decision: Technical Requirements

                  A.      Introduction

                           1.       Defining the technical requirements that affect the organization sets the performance guidelines that must be met.

                           2.       Implementing security within a network is achieved at a cost to the organization, often loss of productivity or performance.

                           3.       The organization must determine what is an acceptable cost before proceeding with the implementation of the security design.

                  B.      Physical sites

                           1.       Determine all physical sites for defining Active Directory sites.

                           2.       Determine placement of network services to meet performance requirements.

                  C.      Performance requirements

                           1.       Develop physically measurable numbers for performance.

                           2.       Test performance using a network that emulates the production environment.

                  D.      Existing WAN links

                           1.       Determine what applications currently use the WAN links.

                           2.       Identify each application’s current bandwidth usage.

                           3.       Determine if Active Directory replication and WAN usage can be handled using the available bandwidth.

                  E.      Current administrative structure

                           1.       If centralized management is used, restrict access to the Domain Admins group.

                           2.       If decentralized management is used, design an OU structure that supports delegation of administration.

                  F.      Current application base

                           1.       Test all applications to determine compatibility of the applications.

                           2.       Identify whether the applications are supported, require an update, or will prevent an upgrade to Windows 2000.

|17|    4.    Applying the Decision: Technical Requirements at Lucerne Publishing

                  A.      Logon performance

                           1.       The Caracas site is connected to the corporate network via a 256 KB WAN link at 80-percent utilization.

                           2.       The remote sales force personnel are complaining about authentication speed.

                           3.       Logon performance can only be improved by locating Domain Name System (DNS) services, a DC, and a global catalog server at the Caracas site.

                           4.       Placing a DC in Caracas will increase replication traffic on the link.

                           5.       The WAN link must be monitored to determine if additional bandwidth is ultimately required.

|18|              B.      Site definitions

                           1.       Define Active Directory sites that map to the physical network topology.

                           2.       Map the subnet address for each location to the site name.

                           3.       Potential site configuration (see Table 1.3, page 18).

                  C.      Server distribution and placement

                           1.       Each site should have at least one DNS server, one DC, and one global catalog server.

                           2.       For redundancy and fault tolerance, include two of each category.

                  D.      Other performance requirements

                           1.       New distribution centers in Europe and North America will require additional WAN links and site definitions.

                           2.       The new distribution centers will require local DCs and global catalog servers to ensure local authentication.

                  E.      Current administrative structure

                           1.       The Active Directory design must reflect the current administrative structure.

                           2.       The Active Directory design must allow for centralized user account management and decentralized server management.

                           3.       Membership of the Domain Admins, Enterprise Admins, Administrators, and Account Operators groups must be managed by the organization.

                           4.       Membership in the Server Operators group allows decentralized management of servers.

|19|    Chapter Summary

                  Microsoft Windows 2000 Security Services Overview

                           Security subsystem components

                           LSA functionality

                           Windows 2000 security protocols

                           SSPI

                  Determining Security Business Requirements

                  Designing Security to Meet Technical Requirements