STUDY GUIDE
for MCSE Exam 70-220
Designing
Microsoft Windows 2000 Network Security
Designing Windows 2000 Network Security Concepts
Analyzing Technical Requirements
You must assess how directory services will impact the technical
aspects of the network infrastructure.
These aspects include performance and
stability. You should evaluate the company’s existing and planned
technical environment. You should attempt to predict the impact of
the Active Directory design on the existing and planned technical
environment. The following factors are critical:
O - Available connectivity between
the geographic locations of sites
O - Available network bandwidth and latency
O - Company size
O - Existing and planned network and systems management
O - Existing methods for accessing data and systems
O - Network roles and responsibilities
O - Performance requirements
O - Technical support structure
O - User and resource distribution
EVALUATING THE EXISTING AND
PLANNED TECHNICAL ENVIRONMENT
Areas you will want to consider in
assessing the existing technical environment and developing a plan
for the transition to Windows 2000 include:
O - Proactive training of users
before the rollout of the new operating system.
O - Training of all technical personnel on the new operating system
and how to use the directory services.
O - Written documentation to aid in assisting users with common
problems, and documenting reported problems.
Analyzing Company Size and User
and Resource Distribution
The geographic scope of the company plays an important part in
designing your directory services. You must take into account the
size and geographic location of all parts of the company. Analysis
should also include the size and distribution of users, both
internal and external. Resource allocation for peripherals and
server access must be determined. Connectivity issues across
geographic locations and within sites must also be documented.
Identify whether users connect only to authenticate or for an entire
session, as with Terminal Services.
Assessing Available Connectivity
and Bandwidth
You must work closely with the network operations team to assess
network connectivity and performance in terms of reliability,
capacity, and latency. Reliability is how dependable the network
link is. Capacity is the volume of data the connection can carry in
practice, and bandwidth is its theoretical maximum. Latency, or
delay, is the time it takes for data to travel from one point to
another.
Performance Requirements
To obtain peak performance, you must assess performance
requirements, and create a baseline from which to judge future
modifications. You must determine peak utilization, the type of
circuits used, application requirements, and resource conflicts.
During this analysis, identify any bottlenecks or potential
performance hazards.
Analyzing Data and System Access
Patterns
In your analysis, you need to determine whether resources are
centralized or distributed among remote locations.
Frequently used resources should be reachable over a highly reliable
connection. You must determine whether users should pass through a
firewall and whether they need to use encryption.
Authentication for remote connections can use the following
protocols:
O - CHAP (Challenge Handshake Authentication Protocol). MD5
challenge/response; the password itself never crosses the wire. The
server must be able to recover the plain-text password to check the
response, so on Windows 2000 the account must store its password
with reversible encryption.
O - EAP (Extensible Authentication Protocol). The client and the
server negotiate the method that will be used. Methods include
one-time passwords, user name and password combinations, access
tokens, and certificates (EAP-TLS, which is what smart card remote
access uses).
O - MS-CHAP (Microsoft Challenge Handshake Authentication Protocol).
Version 2 adds mutual authentication and stronger session keys but
requires a Microsoft client (Windows 2000, or an updated Windows 9x
or Windows NT 4.0 client); version 1 is also supported by other
compatible operating systems.
O - PAP (Password Authentication Protocol). Sends the user name and
password in plain text; use it only if a client cannot handle any
other method.
O - SPAP (Shiva Password Authentication Protocol). Reversible
password encryption for Shiva clients; kept for backward
compatibility and not favored for new installations.
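The difference between PAP and CHAP on the wire, as an added example that is not part of the guide: a small Python model of both exchanges (the RFC 1994 CHAP digest and a PAP clear-text request) played from an eavesdropper's point of view. The user name and secret are constructed for the example, and the server's credential store is a dictionary standing in for the SAM or Active Directory.

```python
import hashlib
import hmac
import os

# Constructed credential store for the example; a Windows 2000 RRAS server would
# look the password up in the SAM or Active Directory (reversibly encrypted for CHAP).
USERS = {"alice": b"correct horse battery"}


def pap_request(user, password):
    """PAP Authenticate-Request: user name and password travel as-is."""
    return {"code": 1, "peer_id": user, "password": password}


def pap_verify(request):
    """PAP server side: a straight comparison, because the password arrived in clear."""
    return USERS.get(request["peer_id"]) == request["password"]


def chap_challenge(identifier):
    """CHAP Challenge (RFC 1994, code 1): a fresh random value for every attempt."""
    return {"code": 1, "id": identifier, "value": os.urandom(16)}


def chap_digest(identifier, secret, challenge_value):
    # Response value = MD5(Identifier || secret || Challenge Value), RFC 1994 section 4.
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(challenge, user, secret):
    """CHAP Response (code 2): the secret itself never appears on the wire."""
    return {"code": 2, "id": challenge["id"],
            "value": chap_digest(challenge["id"], secret, challenge["value"]), "name": user}


def chap_verify(challenge, response):
    """CHAP server side: recompute the digest. The server needs the plain-text
    secret for this, which is why CHAP on Windows 2000 requires accounts that
    store the password with reversible encryption."""
    secret = USERS.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_digest(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def run_exchange():
    """Play both protocols and record what an eavesdropper would have learned."""
    results = {}
    # PAP: whatever crossed the wire is enough to log on again.
    pap_wire = pap_request("alice", USERS["alice"])
    results["pap_ok"] = pap_verify(pap_wire)
    results["pap_password_on_wire"] = pap_wire["password"] == USERS["alice"]
    # CHAP: a valid logon leaves only a challenge and a 16-byte digest on the wire.
    challenge = chap_challenge(identifier=7)
    response = chap_response(challenge, "alice", USERS["alice"])
    results["chap_ok"] = chap_verify(challenge, response)
    results["chap_password_on_wire"] = USERS["alice"] in (challenge["value"], response["value"])
    # Replaying the captured CHAP response against the next challenge fails, because
    # the server picked a new challenge value (the identifier is deliberately reused).
    results["replay_ok"] = chap_verify(chap_challenge(identifier=7), response)
    return results


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print("%-22s %s" % (key, value))
```

The replay case is the practical point: capturing a CHAP exchange yields a digest that is useless against the next challenge, whereas a captured PAP request is a reusable credential. CHAP still allows offline dictionary attacks on the captured challenge/response pair, which is why MS-CHAP v2 or EAP-TLS is preferred where the clients support them.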
Analyzing Network Roles and
Responsibilities
Administrative roles are predefined by the operating system and
carry responsibilities beyond those of a normal user. Built-in
administrative groups include Backup Operators, Server Operators,
Print Operators, and Account Operators. Service roles run as
services, without user interaction, in the operating system; each
runs under an account (LocalSystem by default) whose rights should
be no broader than the service needs. User roles include the right
to log on and use network resources.
Other security principals that appear in access control lists are
applications, groups, and the owner of an object.
Analyzing Security Considerations
The most effective means of implementing security on Windows 2000
clients is through Group Policy. You must analyze security
considerations and provide information about access to data and
resources, password policies, security protocols (IPSec), disaster
recovery, and authentication. You must analyze the needs of the
organization and which operating systems the organization supports.
In the analysis, ensure that no potential solution conflicts with
existing third-party tools and applications.
ANALYZING THE IMPACT OF SECURITY
DESIGN
Assessing Existing Systems and
Applications
To provide high levels of security, Windows 2000 provides the
following security features: IPSec, L2TP, Kerberos, the Encrypting
File System (EFS), a public key infrastructure, RADIUS, smart card
support, and security groups. You need to understand which current
server applications may require service packs or patches. You should
compile a list of all routers, modems, and remote access servers,
including BIOS settings, peripheral device configurations, and
driver versions. Determine whether any current hardware or software
fails because of security settings. Examine non-Microsoft DNS
servers for their support of dynamic update (RFC 2136) and service
(SRV) resource records (RFC 2782), which Windows 2000 domain
controllers depend on.
Identifying Upgrades and Rollouts
Identify upgrades and rollouts that are currently in progress.
Inquire about and document anything in a planning stage.
Analyze Technical Support
Structure
You must determine what kind of support is available, how it is
managed, and the level of expertise of the support staff.
Analyze Existing and Planned
Network and Systems Management
In analyzing the network and systems management, you must document
the existing security policies and guidelines. This will help you
determine the requirements for appropriate network usage. Identify
who has Internet access and for what purpose.
Document the existing policies on partner access to the company
network, and whether partners access it as recognized users or as
anonymous users. Document whether encryption and security standards
are in place or planned, along with password standards, the domain
structure, and trust relationships. Identify which security
protocols are implemented on the network (SSL, IPSec, or PPTP), and
the authentication methods used by Internet users, dial-up users,
and access across WAN links.
Analyzing
Security Requirements
DESIGNING A SECURITY BASELINE
DOMAIN CONTROLLERS BASELINE
A domain controller is a Windows 2000 Server that has been
configured using the Active Directory Installation Wizard. Every
Windows 2000 domain controller holds a writable copy of the
directory; changes made on any of them are replicated to the others.
The domain controller manages authentication, user logon processing,
directory searches, and storage of directory data. You may choose to
have several domain controllers in each domain to ensure high
availability and fault tolerance. The default installation of
Windows 2000 Server and Advanced Server is a standalone server.
Servers are promoted to domain controllers, or demoted back, by
running the dcpromo wizard.
OPERATIONS MASTERS
Limiting the roles a domain controller holds may improve performance.
The five operations master roles can be assigned to one or more
domain controllers; each role is held by exactly one domain
controller at a time. Two roles are forest-wide:
O - Schema master. Controls updates and modifications to the schema.
To change the forest schema, you must be able to reach this domain
controller and be a member of the Schema Admins group. There is only
one schema master in the forest.
O - Domain naming master. Controls additions and deletions of
domains in the forest. There is only one domain naming master in the
forest, and in Windows 2000 it must also be a Global Catalog server.
Three roles are domain-wide; each domain has exactly one PDC
emulator, one infrastructure master, and one relative ID master:
O - Relative ID (RID) master. Allocates pools of relative IDs to
each domain controller in the domain. Each new user, group, or
computer gets a unique security ID (SID) composed of the domain's
SID and a RID drawn from the issuing domain controller's pool. The
RID master must be available to move objects between domains with
the movetree.exe command.
O - Infrastructure master. Updates group-to-user references when
members from other domains are renamed or moved. It compares its
data with the Global Catalog, requests the changes, and replicates
them to the other domain controllers in its domain. Unless every
domain controller in the domain is a Global Catalog server, the
infrastructure master and the Global Catalog should not be on the
same domain controller, because a Global Catalog never holds stale
references and the infrastructure master would find nothing to
update.
O - PDC emulator. Acts as a Windows NT PDC while non-Windows 2000
clients or Windows NT BDCs are present: it processes password
changes from downlevel clients and replicates updates to the BDCs.
In native mode it still receives password changes preferentially and
is consulted when a logon fails because of a bad password, so that a
password changed moments ago is not rejected.
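The SID layout the relative ID master exists to serve, as an added example that is not from the guide: Python that splits a domain SID into the domain part and the RID, names the well-known RIDs, and converts between the string form and the binary form Windows stores in access tokens and ACLs. The domain SID in the demo is constructed.

```python
import struct

# RIDs the operating system reserves; everything else comes from the RID master's pools.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}
FIRST_ALLOCATED_RID = 1000  # RID master pools start here


def parse_sid(text):
    """Split 'S-<revision>-<authority>-<sub>-...' into its numeric fields."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    if revision != 1 or len(subauthorities) > 15:
        raise ValueError("unsupported SID: %r" % text)
    return revision, authority, subauthorities


def split_domain_sid(text):
    """Return (domain SID, RID). Domain principals are S-1-5-21-<a>-<b>-<c>-<RID>:
    the first four subauthorities identify the domain, the last one is the RID."""
    revision, authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % text)
    domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return domain, subs[4]


def describe_rid(rid):
    """Name a well-known RID; otherwise say which kind of range the RID came from."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "RID-master allocated" if rid >= FIRST_ALLOCATED_RID else "reserved"


def sid_to_binary(text):
    """Encode a SID the way it is stored in security descriptors and tokens:
    revision (1 byte), subauthority count (1 byte), identifier authority
    (6 bytes, big-endian), then each subauthority as a little-endian DWORD."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_binary(data):
    """Inverse of sid_to_binary, checking the declared count against the length."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("subauthority count does not match length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    # Constructed example domain SID; the RIDs are the well-known ones above plus one
    # that a domain controller would have handed out from its RID pool.
    for sid in ("S-1-5-21-1004336348-1177238915-682003330-500",
                "S-1-5-21-1004336348-1177238915-682003330-1104"):
        domain, rid = split_domain_sid(sid)
        print(sid, "->", domain, rid, describe_rid(rid))
        assert sid_from_binary(sid_to_binary(sid)) == sid
```

The length check in sid_from_binary matters when SIDs are read out of untrusted data (a captured token, an exported ACL): the subauthority count byte is the only thing that says how long the structure is.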
APPLICATION SERVERS
The security baseline settings for application servers will depend
on the server applications that are running. If the application
meets the specification for the Windows 2000 logo, then all users
should be members of the Users group only. By default, Windows 2000
grants some rights beyond those of Users; on servers this includes
making the Authenticated Users group a member of the Power Users
group. You can remove this membership to further secure servers on
which only logo-compliant applications run. If the applications
running on the system do not meet the logo requirements, you may
have to make all users Power Users so that they can run the
applications. The alternative is to apply the compatws.inf template,
which relaxes file and registry permissions for the Users group so
that legacy applications run without Power Users membership.
FILE AND PRINT SERVERS
Baseline settings for file and print servers should be based on how
the stored files and the controlled printers are used. One way to
add a measure of security is to set the security option Unsigned
driver installation behavior to Do not allow installation, so that a
driver of unknown origin cannot be loaded on the server. Print
servers should also enable the security option Prevent users from
installing printer drivers, so that only members of the
administrative groups can add them.
RAS SERVERS
Remote access permissions and settings include:
O - Access by user. Determined by the remote access permission
(Allow access or Deny access) set on each user account.
O - Access by policy (native-mode domain). The user account is set
to Control access through Remote Access Policy, and the matching
policy yields an explicit allow, an explicit deny, or an implicit
deny when no policy matches.
O - Access by policy (mixed-mode domain). The Control access through
Remote Access Policy option is not available on the user account.
Access is granted when the account's permission allows it and the
connection matches the conditions of a policy.
As part of the baseline, you should
specify the authentication service used (Windows, RADIUS, EAP) and
the resolution of other security issues (use of reversible encrypted
password, smart card remote access, certificate-based EAP).
DESKTOP COMPUTERS
Desktop computers are used according to the abilities and duties of
their users. Appropriate policies and templates should be designed
based on the role the desktops play. You should set a security
baseline for all desktop computers, whether they are laptops,
Windows NT-compatible laptops, or secure desktops located in
confidential or sensitive areas of the company.
Use the standard templates and adapt them to the appropriate
security policy. Use the hisecws.inf (high security workstation)
template as the starting point for a special template for laptop
computers. The compatws.inf template can be used to assure
compatibility with applications that do not meet the Windows 2000
application specification; it is consistent with most legacy
applications, at the cost of weaker file and registry permissions
for the Users group.
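An added example, not from the guide, of a custom security template in the secedit .inf format that captures the file and print server settings above together with an account, audit, and authentication-level baseline; it can be applied as-is to file and print servers or used as the starting point for a desktop template. The registry paths are the ones the Windows 2000 security templates use; the file name baseline.inf is a placeholder.

```ini
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account policy. When imported into a domain-level GPO these become domain-wide.
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
MaximumPasswordAge = 90
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

; Audit policy: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 2

; Security options. Syntax is <type>,<data> with 4 = REG_DWORD, 3 = REG_BINARY, 1 = REG_SZ.
[Registry Values]
; Unsigned driver installation behavior: 0 = silently succeed, 1 = warn, 2 = do not allow installation.
MACHINE\Software\Microsoft\Driver Signing\Policy=3,2
; Prevent users from installing printer drivers: 1 = enabled.
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
; LAN Manager authentication level: 0 = send LM and NTLM, 1 = use NTLMv2 session security if
; negotiated, 2 = send NTLM only, 3 = send NTLMv2 only, 4 = refuse LM, 5 = refuse LM and NTLM.
; Level 3 is safe for the server itself; levels 4 and 5 on a domain controller lock out
; Windows 9x clients that lack the Directory Services Client.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
; Do not display the last user name in the logon screen: 1 = enabled.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
```

Check a server against the template before enforcing it: secedit /analyze /db baseline.sdb /cfg baseline.inf /log baseline.log, then secedit /configure /db baseline.sdb /cfg baseline.inf /log baseline.log once the differences the analysis reports are understood. The same file can be imported into the Security Settings node of a Group Policy Object so that every server in the OU receives it and drifts back to it at the next refresh.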
KIOSKS
Kiosks are generally located in public areas, and security is a
major concern. Kiosks can include any system used in an open area to
look up items, give directions, or provide information.
Security can be enhanced by removing keyboards and allowing only
touch screens, mice, or other pointing devices; by removing modems;
and by restricting network access to what the kiosk application
needs. In most cases, a logon is not required, and no data is
stored locally.
IDENTIFYING REQUIRED LEVELS OF
SECURITY
PRINTER
Printer permissions are set on the Security tab of the printer's
property pages. Printer permissions control who can print, manage a
printer, or manage documents. You must identify the role each
printer takes, and determine whether you want to restrict printing
access to certain printers, such as printers that print sensitive or
confidential material or printers that are costly to operate. By
default the Everyone group is given the Print permission, which
allows users to connect to a printer and print, and to pause,
resume, restart, and cancel their own documents. You should create a
group or choose a user to manage the printer. The Manage Documents
permission allows a user to control job settings for all documents
and to pause, restart, and delete all documents. Manage Printers
allows a user to share a printer, change printer properties, delete
the printer, and change printer permissions. The Administrators,
Server Operators, and Print Operators groups are given this
permission by default.
INTERNET ACCESS
Internet access security can be specified by identifying where
access occurs and who has which access permissions. You must
identify whether computers have dial-up access through modems, and
whether a proxy server, firewall, or routers are used on the
network. When using a proxy server, you can control access using
Windows 2000 users and groups. Firewalls can both block external
access to the network and control outbound access to the Internet.
You should identify the specific type of Internet resource (FTP
server, Telnet) and its intended use. Determine whether external
users access your network from the Internet, and which servers they
should be allowed to reach.
DIAL-IN ACCESS
To control dial-in access, you need to restrict the right to even
connect to the network. On a Windows NT 4.0 network, after
connecting, resource access can be restricted to the RAS server
alone or opened to the whole network. In a Windows 2000 network
where the RAS server is a Windows 2000 Server, you restrict access
through the Routing and Remote Access console. Access is controlled
by the dial-in properties of user accounts and by policies created
and maintained under Remote Access Policies. Granular access to
resources is then controlled by the normal mechanisms: NTFS
permissions on files and folders, and registry access permissions
set with regedt32.exe.
Designing a
Windows 2000 Security Solution
DESIGNING AN AUDIT POLICY
In developing an effective audit policy you should determine what
can be audited, which objects you need to audit, how often the audit
logs will be reviewed, and what you intend to do with the produced
reports. Auditing both success and failure of every category fills
the security log quickly; audit failures broadly and audit successes
where they matter (account management, policy change, privilege
use). Object access and directory service access produce entries
only for objects whose own audit settings (SACLs) request them;
enabling the category alone records nothing. Auditable events
include:
O - System events
O - Account logon events
O - Logon events
O - Account management
O - Privilege use
O - Directory service access
O - Object access
O - Policy change
O - Process tracking
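What you do with the produced reports, as an added example that is not from the guide: Python detection logic run over a constructed extract of a Windows 2000 security log. The event IDs are the Windows 2000 ones; the one-line-per-event format is invented for the example, since a real export would come from Event Viewer or a log collector.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line:
#   "<date> <time> <event id> <Success|Failure> user=<account> src=<computer>"
# Event IDs are the Windows 2000 security log IDs: 528 successful logon, 529 bad
# password or unknown user, 539 account locked out, 517 audit log cleared,
# 612 audit policy changed.
SAMPLE_LOG = """\
2000-10-05 08:00:01 529 Failure user=alice src=WS-17
2000-10-05 08:00:03 529 Failure user=alice src=WS-17
2000-10-05 08:00:06 529 Failure user=alice src=WS-17
2000-10-05 08:00:08 529 Failure user=alice src=WS-17
2000-10-05 08:00:11 529 Failure user=alice src=WS-17
2000-10-05 08:00:13 529 Failure user=alice src=WS-17
2000-10-05 08:00:14 539 Failure user=alice src=WS-17
2000-10-05 08:05:00 528 Success user=bob src=WS-02
2000-10-05 08:30:00 517 Success user=administrator src=DC1
"""

# Events that deserve a look every single time they occur.
ALWAYS_ALERT = {517: "audit log cleared", 612: "audit policy changed", 539: "account locked out"}


def parse_event(line):
    """Turn one sample line into a dict; unknown key=value pairs are kept as-is."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("malformed event line: %r" % line)
    event = {"time": datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S"),
             "id": int(fields[2]), "status": fields[3]}
    for pair in fields[4:]:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return (time, account, reason) alerts: every high-value event, plus one alert
    when an account reaches `threshold` failed logons inside a sliding `window`."""
    alerts = []
    failures = defaultdict(deque)          # account -> timestamps of recent 529 events
    for event in (parse_event(l) for l in lines if l.strip()):
        user = event.get("user", "?")
        if event["id"] in ALWAYS_ALERT:
            alerts.append((event["time"], user, ALWAYS_ALERT[event["id"]]))
        if event["id"] == 529:
            recent = failures[user]
            recent.append(event["time"])
            while recent and event["time"] - recent[0] > window:
                recent.popleft()           # drop failures that fell out of the window
            if len(recent) == threshold:   # fires once per burst, not on every extra failure
                alerts.append((event["time"], user,
                               "%d failed logons within %d s" % (threshold, window.total_seconds())))
    return alerts


if __name__ == "__main__":
    for when, who, why in detect(SAMPLE_LOG.splitlines()):
        print(when.isoformat(), who, why)
```

The lockout event (539) arrives after the burst because the account lockout threshold in the sample is higher than the detection threshold; tuning the two together means the log tells you about a guessing attempt before the lockout policy has to.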
DESIGNING A DELEGATION OF
AUTHORITY STRATEGY
To limit the scope and power of administrators in your domain, you
can give users administrative rights over a single organizational
unit (OU) or an OU hierarchy within a domain, rather than over the
whole domain. Rights granted on an OU flow down to the OUs nested
within it. To delegate more finely, use the Delegation of Control
Wizard or the object's Security tab to grant permission to change
only particular attributes (for example, to reset passwords) of
particular object classes rather than full control.
DESIGNING THE PLACEMENT AND
INHERITANCE OF SECURITY POLICIES
Active Directory containers (sites, domains, and organizational
units) hold computers and users. By creating Group Policy Objects
(GPOs) and linking them to those containers, you can implement
security policies in Windows 2000. Policies are applied in the
order local, site, domain, OU, with later settings overriding
earlier ones; an administrator can mark a link No Override, or mark
a container Block Policy Inheritance, to alter this. Improperly
created or applied policy can have a serious impact on system
operation, performance, and security. The Security Settings node of
a GPO (Account Policies; Local Policies, including User Rights
Assignment and Audit Policy; Event Log; Restricted Groups; System
Services; Registry; File System; Public Key Policies; and IP
Security Policies) carries most of these settings, and security
templates (.inf files) can be imported into it. A GPO is divided
into two sections, Computer Configuration and User Configuration;
security settings live almost entirely under Computer
Configuration.
DESIGNING AN ENCRYPTING FILE
SYSTEM STRATEGY
Encrypting File System (EFS) enables users to encrypt files and
folders. When a folder is encrypted, every file placed in it is
encrypted automatically, and users decrypt transparently when they
open it. You must determine whether you want to disable EFS
anywhere, where encrypted files should be stored, and who holds the
recovery keys. You must establish whether EFS should use the
self-signed certificates it generates itself or certificates issued
by a CA. You need to train users to encrypt folders rather than
individual files (so that temporary copies are covered too), to
encrypt both the My Documents and Temp folders, and to use Active
Directory or Certificate Services together with Group Policy
(Public Key Policies, Encrypted Data Recovery Agents) to designate a
central recovery agent. Export the recovery agent's private key to
offline storage and remove it from the workstation it was issued
on.
DESIGNING AN AUTHENTICATION
STRATEGY
AUTHENTICATION METHODS
Certificate-Based Authentication Accomplished by setting up a public
key infrastructure (PKI) via installing Certificate Services, or by
using third-party Certificate Authority Services. PKI is used to
secure Web communications and Web sites, secure email, digitally
sign files, implement smart card authentication and to provide IPSec
authentication.
Kerberos
Kerberos version 5 (RFC 1510) is the default authentication protocol
for Windows 2000 clients logging on to a Windows 2000 domain, and
the protocol Active Directory is built around. Kerberos is an IETF
standard for authentication. A Kerberos system is made up of several
elements:
O - Key Distribution Center (KDC). The service, running on every
domain controller, that comprises the Authentication Service and the
Ticket-Granting Service.
O - Authentication Service (AS). Authenticates the client using its
long-term key (derived from the password) and issues a
ticket-granting ticket (TGT).
O - Ticket-Granting Service (TGS). Accepts a TGT and grants tickets
for resource servers to authenticated clients.
O - Kerberos administration server (kadmin). In classic Kerberos, all
modification of the KDC database is done through this server; in
Windows 2000 the equivalent is Active Directory Users and Computers.
O - Kerberos realm. The logical organization of Kerberos servers and
clients; in Windows 2000 the realm name is the DNS domain name in
upper case.
O - Key storage. In classic Kerberos a database called the Kerberos
Database (KDB) stores keys. Windows 2000 uses Active Directory for
key storage.
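How the components above fit together, as an added example that is not part of the guide: a Python model of the AS, TGS, and AP exchanges between a KDC, a client, and a resource server. The sealing routine is a toy stand-in (HMAC-SHA256 keystream plus tag), not a Kerberos encryption type; the string-to-key function is simplified (Windows 2000 derives RC4-HMAC keys from the NT hash, not PBKDF2); and the realm, principal, and service names are constructed.

```python
import hashlib
import hmac
import json
import os


def string_to_key(password, realm, principal):
    """Long-term key from the password (simplified; not the Windows 2000 derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 2000)


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy authenticated encryption for ticket bodies (a stand-in for a Kerberos enctype, not one)."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))).decode())


def check_authenticator(ticket, session_key, authenticator_blob, now, skew=300):
    """Used by the TGS and by services: the authenticator must open with the ticket's
    session key, name the ticket's client, and be fresh; the ticket must not have expired."""
    auth = unseal(session_key, authenticator_blob)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > skew or now > ticket["expires"]:
        raise ValueError("authenticator rejected")
    return auth


class KDC:
    """Authentication Service plus Ticket-Granting Service; `keys` stands in for the
    Active Directory store of long-term keys, including the krbtgt key."""
    def __init__(self, realm, keys, lifetime=8 * 3600):
        self.realm, self.keys, self.lifetime = realm, keys, lifetime

    def as_exchange(self, client, now):
        """AS-REP: TGT sealed under the krbtgt key, session key sealed under the client's key."""
        session = os.urandom(32).hex()
        tgt = {"client": client, "service": "krbtgt", "key": session, "expires": now + self.lifetime}
        return seal(self.keys["krbtgt"], tgt), seal(self.keys[client], {"key": session, "expires": tgt["expires"]})

    def tgs_exchange(self, tgt_blob, authenticator_blob, service, now):
        """TGS-REP: open the TGT (only the KDC can), verify the authenticator, issue a service ticket."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        check_authenticator(tgt, bytes.fromhex(tgt["key"]), authenticator_blob, now)
        session = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "service": service, "key": session,
                  "expires": min(tgt["expires"], now + self.lifetime)}
        return seal(self.keys[service], ticket), seal(bytes.fromhex(tgt["key"]), {"key": session, "service": service})


class Client:
    def __init__(self, name, password, realm):
        self.name, self.key = name, string_to_key(password, realm, name)

    def logon(self, kdc, now):
        tgt_blob, enc_part = kdc.as_exchange(self.name, now)
        # A wrong password gives the wrong key, so the encrypted part will not open.
        self.tgt, self.tgt_key = tgt_blob, bytes.fromhex(unseal(self.key, enc_part)["key"])

    def authenticator(self, session_key, now):
        return seal(session_key, {"client": self.name, "time": now})

    def get_service_ticket(self, kdc, service, now):
        ticket, enc_part = kdc.tgs_exchange(self.tgt, self.authenticator(self.tgt_key, now), service, now)
        return ticket, bytes.fromhex(unseal(self.tgt_key, enc_part)["key"])


class Service:
    """A resource server never contacts the KDC; it only holds its own long-term key."""
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()   # seen: replay cache of authenticators

    def accept(self, ticket_blob, authenticator_blob, now):
        ticket = unseal(self.key, ticket_blob)              # a ticket for another service will not open
        if ticket["service"] != self.name:
            raise ValueError("ticket issued for %s" % ticket["service"])
        check_authenticator(ticket, bytes.fromhex(ticket["key"]), authenticator_blob, now)
        if authenticator_blob in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(authenticator_blob)
        return ticket["client"]


def demo(password="Passw0rd!", now=1_000_000_000.0):
    """Full flow in constructed realm EXAMPLE.COM: alice logs on and reaches cifs/fs1."""
    realm = "EXAMPLE.COM"
    keys = {"krbtgt": os.urandom(32), "cifs/fs1": os.urandom(32), "alice": string_to_key("Passw0rd!", realm, "alice")}
    kdc, fs1, alice = KDC(realm, keys), Service("cifs/fs1", keys["cifs/fs1"]), Client("alice", password, realm)
    alice.logon(kdc, now)                                              # AS exchange
    ticket, svc_key = alice.get_service_ticket(kdc, "cifs/fs1", now)   # TGS exchange
    return fs1.accept(ticket, alice.authenticator(svc_key, now), now)  # AP exchange
```

Four properties of the real protocol show up in the model: a wrong password fails on the client side because the AS-REP's encrypted part will not open, a ticket for one service is opaque to every other service, a second presentation of the same authenticator is caught by the replay cache, and an expired ticket is refused even with a fresh authenticator. The five-minute skew allowance is why Windows 2000 domain members must keep their clocks synchronized with the PDC emulator.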
Digest Authentication
Integrated Windows authentication in IIS has long allowed users to
be authenticated without the password passing in clear text, but it
is limited to clients that have a Windows account on the IIS server
or in its domain or a trusted domain, and it does not pass through a
proxy server or firewall unless tunneled. Digest authentication (RFC
2617), new in IIS 5.0, is also a challenge/response mechanism: the
browser returns an MD5 hash of the user name, password, realm, and a
server-supplied nonce rather than the password itself. Because it is
an HTTP standard, it works through proxies and firewalls. In Windows
2000 it requires the user account to be in an Active Directory
domain with its password stored using reversible encryption, so that
the domain controller can compute the same hash.
Smart Cards
Smart cards work by attaching a smart card reader to the computer,
inserting a valid smart card, and entering the PIN that unlocks it.
The private key is held in a chip on the smart card and never leaves
it; the card performs the signing operation internally.
Smart cards can be used for interactive domain logon (Kerberos with
the PKINIT public key extension), remote access, SSL client
authentication, and secure email. Windows 2000 supports smart cards
and readers that comply with the Personal Computer/Smart Card
(PC/SC) specification.
NTLM
NTLM is the backward-compatible authentication protocol used in
mixed-mode domains and whenever a client or server cannot use
Kerberos (Windows 9x and Windows NT 4.0 clients, standalone servers,
connections made by IP address rather than name).
It provides authentication between NT 4.0 BDCs and the Windows 2000
security system. The use of LM, NTLM, and NTLMv2 for network
authentication is considered much more of a security risk than the
use of Kerberos: the challenge/response exchange can be captured and
attacked offline, and the LM response in particular is weak. Their
use can be restricted through the LAN Manager Authentication Level
security option (the LMCompatibilityLevel registry value) in Windows
2000, and through the same registry value in Windows NT 4.0 SP4 or
later and in Windows 9x with the Directory Services Client installed.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is primarily used
for two purposes: to authenticate users for access to the Internet,
and to authenticate users for remote access to internal networks. It
can also be configured to collect accounting information about
logon requests, denials, account lockouts, and logon and logoff
records. Authorization for remote access can be controlled via
policy and can include the time (of day or month), the channel used
(modem, ISDN, VPN tunnel), the phone number called, the phone number
called from, the RADIUS client, and so on. In Windows 2000 the
RADIUS server is the Internet Authentication Service (IAS).
SSL
SSL provides message integrity, data encryption, server
authentication, and optional client authentication. An SSL-enabled
server and an SSL-capable browser are necessary for operation. SSL
is what protects credit card transactions on the Internet. You can
set up an SSL-enabled IIS 5.0 server with a certificate from
Certificate Services or from a commercial CA. IIS can also combine
Basic authentication with SSL: Basic authentication alone sends the
password base64-encoded, which is as good as clear text, so it
should be accepted only over an SSL connection.
DESIGNING A SECURITY GROUP
STRATEGY
A security group strategy should identify the additional security
groups you will create, establish their scope, and identify
membership requirements. Not everyone is created equal. No one
assignment of rights strategy is possible for the diverse users and
information resources in your enterprise. You can match your users
to these groups and privileges and, where necessary, extend the
model to meet your needs.
When the first domain controller in a forest is promoted, the
Administrator account of that domain becomes a member of the
following groups:
O - Domain Admins
O - Domain Users
O - Enterprise Admins
O - Group Policy Creator Owners
O - Schema Admins
Enterprise Admins and Schema Admins exist only in the forest root
domain; Domain Admins and Enterprise Admins are in turn members of
the local Administrators group on every domain controller.
The Guest account is also created during installation. It is a
member of the Guests group on the local system. Its purpose is to
provide an account that can be used by someone who needs occasional
access to the computer or to some resource on it. Because this
account requires no password, it makes access convenient and
dangerous. The Guest account is dangerous because administrators
forget about its existence and forget that it can be used by anyone.
If the Guest account is enabled, users whose own accounts have been
disabled can still use it. It is disabled by default in Windows
2000 and should stay disabled unless there is a documented need.
DESIGNING A PUBLIC KEY
INFRASTRUCTURE
A PKI establishes a system of asymmetric key pairs for use in
authentication. Users from within and outside of an organization can
be vetted and assigned keys. These keys can be linked to access
rights, enable closer control over recovery agents in the Encrypting
File System (EFS), coupled with smart cards, serve as server
authenticators for Web sites, and secure servers of any type. A PKI
can go a long way toward implementing tighter security.
A PKI is the technology, hardware,
and software that supports the use of public/private key pairs for
authentication between servers and clients. In public key
technology, a key pair is used. A message, or bit of data, is
encrypted with one key and can only be decrypted by using the other
key. One key, called the public key, is stored where anyone who
knows its location can get it. The other, the private key, is kept
secret by its owner. Each participant in the system owns a public
and a private key. To join the system, each applicant goes through
an enrollment process: the applicant's computer generates the key
pair and keeps the private key, sends the public key to the CA in a
certificate request, and receives a certificate back. The
certificate contains the public key and identifying information,
and is signed by the CA that issued it.
CERTIFICATE AUTHORITY HIERARCHIES
Certificate Authority hierarchies consist of a self-signed root CA
and multiple subordinate CAs. The subordinate CAs have a certificate
issued by the root, and trust is then inherited from the root.
Hierarchies are thought to provide better security and improved
scalability.
According to Microsoft, a depth of
3–4 CAs allows the best operations and security compromise.
With this level of CAs, you can place
the first and second tiers offline for security purposes. A shorter
hierarchy decreases security and can provide operational problems
because the secured, offline root must frequently be accessed.
CERTIFICATE SERVER ROLES
When you install Certificate Services on a Windows 2000 computer,
you create a certificate server. During the installation process,
you are asked to choose a role for this CA:
O - Enterprise root CA—Most
trusted CA in enterprise; requires Active Directory.
O - Enterprise subordinate CA—Issues
certificates and obtains certificate from another enterprise CA.
O - Standalone root CA—Most
trusted CA in hierarchy; doesn’t require Active Directory.
O - Standalone subordinate CA—Issues
certificates and obtains certificate from another CA.
INTEGRATE WITH THIRD-PARTY CAs
Windows 2000 PKI is based on standards and is interoperable with
other PKI products.
Interoperability with specific
products varies because these products may have chosen to follow
proprietary methods or may have implemented the standard in a
slightly different way.
Common operations such as CA trust,
certificate enrollment, certificate path validation, revocation
status checking, and use of public key–enabled applications may be
fully supported, supported with workarounds, or not supported in an
integrated PKI. You can often anticipate whether Windows 2000 PKI
will inter-operate with another PKI by examining the goals of each
PKI implementation and the standards that they adhere to.
MAPPING CERTIFICATES
To allow users who are not members of your company access to your
resources, you may have decided on a PKI. To allow users who do not
have an account in Active Directory to authenticate, the following
must be true:
O - The user needs a certificate.
O - You have created a user account
for use by this user or many external users.
O - The certificate must be issued by
a CA listed in the CTL for the site, domain, or OU in which the user
account is created.
O - You must map the external user
certificate to the Active Directory account (see Step by Step
11.10).
Trust in a certificate authority can be established through your
internal Windows 2000 enterprise root CA: its certificate is
published in Active Directory and distributed automatically to
domain members. Other root certificates, including third-party
ones, can be distributed using Group Policy (Public Key Policies,
Trusted Root Certification Authorities). You determine the type of
mapping you want based on your intended use of the certificate: a
one-to-one mapping ties a single certificate to an account, while a
many-to-one mapping lets any certificate from a given issuer (or
matching a subject rule) authenticate as the same account, which
suits large groups of external users.
You should choose Use Subject for Alternate Security Identity if
multiple types of certificate exist and you want to be specific
about which ones are mapped to the user account you have selected.
DESIGN WINDOWS 2000 NETWORK
SERVICES SECURITY
DNS SECURITY
DNS in Windows 2000 supports dynamic DNS updates. DNS resource
records can be automatically updated by computers and by the Windows
2000 DHCP server. Also new to Microsoft DNS in Windows 2000 is the
capability to secure DNS using Active Directory-integrated zones and
the capability to register and use service (SRV) records. SRV
records are registered by services with DNS so that clients can
locate services by using DNS.
When such a record is placed in DNS, clients can use it to locate
nearby domain controllers.
Every domain controller registers its services by creating SRV
records in DNS (under the _msdcs, _sites, _tcp, and _udp subdomains
of the domain's zone). The records are created automatically and
added to the DNS database using the dynamic update protocol. All DNS
records are kept in zone files or, if the zone is an Active
Directory-integrated zone, in Active Directory. Each zone represents
a contiguous portion of the DNS namespace.
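How a Windows 2000 client turns those SRV records into a list of domain controllers to try, as an added example that is not from the guide: Python that parses a constructed excerpt of a zone and applies the RFC 2782 priority and weight selection, preferring the site-specific record the way the domain controller locator does. The zone contents, host names, and site name are constructed; the record names are the ones Windows 2000 domain controllers register.

```python
import random

# Constructed zone excerpt for domain example.com with one site, Paris. The owner
# names are the ones Windows 2000 domain controllers register via dynamic update.
ZONE = """\
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com.              600 IN SRV 10 0 389 dc3.example.com.
_ldap._tcp.Paris._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc3.example.com.
_kerberos._tcp.dc._msdcs.example.com.          600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com.          600 IN SRV 0 100 88 dc2.example.com.
_gc._tcp.example.com.                          600 IN SRV 0 100 3268 dc1.example.com.
"""


def parse_srv(line):
    """Parse a zone-file SRV record: owner ttl IN SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError("not an SRV record: %r" % line)
    priority, weight, port = (int(f) for f in fields[4:7])
    return {"owner": fields[0].lower(), "ttl": int(fields[1]), "priority": priority,
            "weight": weight, "port": port, "target": fields[7].lower()}


def load_zone(text):
    return [parse_srv(l) for l in text.splitlines() if l.strip()]


def order_srv(records, rng=random):
    """RFC 2782 client ordering: lower priority first; within one priority, pick
    repeatedly at random in proportion to weight. Weight-0 records go to the front
    of the candidate list so they are chosen only when the random number is 0."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        pool = sorted((r for r in records if r["priority"] == prio), key=lambda r: r["weight"] != 0)
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rec in pool:
                running += rec["weight"]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def locate_dcs(records, domain, site=None, rng=random):
    """Mimic the DC locator: try the site-specific name first, then the domain-wide one."""
    names = []
    if site:
        names.append("_ldap._tcp.%s._sites.dc._msdcs.%s." % (site.lower(), domain.lower()))
    names.append("_ldap._tcp.dc._msdcs.%s." % domain.lower())
    for name in names:
        matches = [r for r in records if r["owner"] == name]
        if matches:
            return [(r["target"], r["port"]) for r in order_srv(matches, rng)]
    return []


if __name__ == "__main__":
    records = load_zone(ZONE)
    print("Paris client:", locate_dcs(records, "example.com", site="Paris"))
    print("any client:  ", locate_dcs(records, "example.com"))
```

A client outside any site always ends up with dc3 last, since its priority 10 record is tried only when both priority 0 controllers fail; a client in Paris goes to dc3 first because the site-specific name exists. This is the behaviour a security design must account for: whoever can write these SRV records decides which machine clients authenticate against, which is the reason the later discussion of secure dynamic updates matters.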
DNS Server Zone Types and Zone Replication in Windows 2000
Zones represent contiguous portions of the DNS namespace.
Traditional DNS consists of two zone types: primary and secondary.
These are called standard primary and standard secondary in Windows
2000. New in Windows 2000 is the Active Directory-integrated zone.
Windows 2000 zone types are defined as follows:
O - Standard primary—This is
a read/write zone file. Changes to records are recorded in this
standard text file.
O - Standard secondary—This
is a read-only zone file. Changes recorded to the primary file are
replicated to a secondary file. Secondary zone files are used to
distribute the workload across computers and to provide backup.
O - Active Directory-integrated—This
zone file exists only in Active Directory, not in a text file.
Updates occur during Active Directory replication, which can
simplify planning and configuration of the DNS namespaces because
you don’t need to tell DNS servers to specify how and when updates
occur. Instead, Active Directory maintains the zone information.
No primary and secondary zones exist
in an Active Directory-integrated DNS zone. (However, you can create
a standard secondary zone and point it to an Active Directory-
integrated zone.) If your Active Directory consists of a single
domain, there is no need for a secondary or backup file to spread
the workload or to be available in case of disaster if you have
configured DNS on multiple domain controllers. The workload is
spread over multiple computers by virtue of AD replication, and
multiple copies of the zone file are always available.
In a multiple-domain Active Directory, you may need to create
standard secondary zones that replicate data held in Active
Directory-integrated zones. This is because the replication of
Active Directory-integrated zone information is limited to the
domain controllers of the domain in which the zone is created. The
standard secondary zone can assure the availability of another
domain's zone information. This is especially useful for providing
backup and availability of reverse lookup zones and for providing
local zone information in remote sites where you do not want to have
a domain controller. In traditional DNS, and with standard primary
and secondary zones in Windows 2000, data is replicated from the
primary to the secondary zone by zone transfer. Windows 2000 DNS
also supports incremental zone transfer (IXFR, RFC 1995), which
sends only the records that changed instead of the whole zone.
Secondary zones are created to
provide additional copies of zone file information. When the
secondary zone file is created, it receives a copy of the current
primary zone file.
When new hosts and other records are
added to the primary zone file, they are not automatically added to
every secondary zone file. Replication must be configured between
the primary and secondary zone files.
Active Directory-integrated zone
files automatically replicate zone information as part of Active
Directory replication. Every domain controller for the domain that
is configured to be a DNS server will receive all changes to zone
information. There is no need to set up zone replication separately.
Each of these domain controllers can be used to make changes to the
zone information.
Because replication is managed by the
Active Directory replication process, it is multimaster.
A further option is to use Active Directory-integrated zones instead
of the traditional zone types and configure them to accept only
secure updates. When Active Directory-integrated zones are used, you
can protect the DNS server from unauthorized updates by configuring
secure dynamic updates. There are other advantages as well:
O - No single point of failure.
O - Fault tolerance. All copies of the zone are primary. Each server
that hosts the zone maintains it, and all records are replicated in
Active Directory.
O - A single replication topology is used. No separate zone transfer
takes place. Replication is done by Active Directory replication;
you don't configure replication for DNS separately.
O - Secure dynamic updates are possible. You can set permissions on
zones and on records within those zones. With secure updates, a
record can be changed only by the security principal that created
it (the computer account for its own host record, or the DHCP server
that registered it on the client's behalf), so another machine
cannot overwrite a domain controller's records.
RIS SECURITY
Remote Operating System Installation is a feature of Windows 2000
that is designed to automate installation of Windows 2000
Professional. Remote Installation Services (RIS) is a service that
allows installation of Windows 2000 Professional from a RIS server.
The RIS server can deliver unattended
system setup, fast recovery, and a network client computer
configuration enabled for the remote-boot Preboot Execution
Environment (PXE).
RIS can support Windows 2000 clients
whose operating system needs to be restored, or new clients that
have never had an operating system installed. It cannot be used to
upgrade existing operating systems to Windows 2000 from downlevel
Windows clients. RIS allows the creation of a computer account in
Active Directory, if configured to respond to any request for
service from an authenticated user. In addition, you can define
computer naming policy and the container within which the computer
account is created.
Designing Security for RIS
Securing RIS requires knowledge of its operation and the requirements
of your organization.
Several features of RIS can be
configured to make it more secure.
To restrict which computers can
update or install the OS, you configure the RIS administrative
option Do Not Respond to Unknown Client Computers. When this option
is checked, only computers that exist in or that have been prestaged
(that is, those that have a computer account created in Active
Directory) can access the RIS server.
Requirements for RIS
To utilize RIS, you must have the following:
O - RIS installed on a Windows 2000
Server.
O - A DNS server must be present on
the network (any DNS server that supports service records [SRV RR]
[RFC 2782] and the dynamic update protocol [RFC 2136]).
O - A DHCP server must be present on
the network. Remote boot clients will obtain an IP address from the
DHCP server.
O - Access to Active Directory
(membership in an Active Directory domain). RIS uses Active
Directory to locate clients and other RIS servers.
O - Client machines that meet certain
hardware requirements.
SNMP
SNMP is a network management protocol used with TCP/IP networks.
SNMP Security Settings
SNMP agents respond to requests for information, so this information
should be restricted.
Only rudimentary security
configuration is available. Configuring security for SNMP may
include any of the following:
O - Configure traps to do security
checking.
O - Join hosts and agents to SNMP
communities, and use these to authenticate SNMP messages.
O - Secure SNMP messages with IP
security.
Traps are configured to generate a
message when an event occurs. Such events might be requests for
information from an unknown management system or for password
violation.
TERMINAL SERVICES
Terminal Services provides access via a Terminal Services client to
a Windows 2000 Server.
Clients send only keystrokes and
mouse clicks. All processing occurs on the server. Terminal Services
is available over any TCP/IP connection, including the following:
O - Remote access
O - Ethernet
O - Internet
O - Wireless
O - WAN
O - VPN
Terminal Services clients are available for Windows clients and for
other clients via third-party products.
Terminal Services provides Windows
32-bit application emulation. Because only keystrokes and
mouse-clicks cross the network from the client and displays from the
server, network bandwidth usage is minimized. Centralized security
is provided by the data center deployment.
Terminal Server Modes
Windows 2000 Terminal Services runs on standalone member servers or
domain controllers.
Do not install Terminal Services in application sharing mode on a
domain controller. If you do, you will give the Domain Users group the
log on locally permission on the domain controller.
This, of course, is not a good thing.
User profiles can be established for Terminal Services users. If
users already have a Windows 2000 profile, the Terminal Services
profile can be set up separately. Administrators control access to
applications by using mandatory profiles.
Providing Secure Access Between Networks
The following services and
processes contribute to secure network communications:
O - NAT and Internet Connection
Sharing
O - Proxy server
O - Routing and Remote Access Services
O - Internet Authentication Services
O - Virtual private networking
O - Terminal Services
NAT AND INTERNET CONNECTION SHARING
Network Address Translation (NAT) is an IP router defined in RFC
1631. NAT is used to hide internal IP addresses by inserting new IP
addresses and possibly new TCP/UDP port numbers into packets from one
network before they are forwarded to another. NAT is also used to
connect many computers to the Internet without having a
corresponding number of valid Internet addresses. Private network
addresses can be mapped to one or to multiple Internet addresses.
Mapping can be dynamic or static.
Private IP addressing can be used for the internal, private network.
The private IP addressing scheme includes several ranges of IP
addresses that are not usable on the Internet. Companies can use
these for computers that do not directly connect to the Internet.
When these computers need Internet access, they must use a proxy or
other address translation scheme. NAT can do this. The computer
address (and maybe the port of the source computer) is replaced by
the NAT server with a legal Internet address.
When the response is returned to the
NAT server, NAT replaces the translated address with the private
address. NAT is part of the Windows 2000 Routing and Remote Access
Protocol.
It is also available as part of the
Internet Connection Sharing feature of the Dial-up connections
folder. Internet Connection Sharing uses a scaled-down version of
NAT. Its version of NAT is less configurable than that in the
Routing and Remote Access Protocol.
NAT adds no additional authentication
or other security configuration or processes.
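As an added example (not code from the study guide or from Windows 2000 RRAS/ICS), the translation described above modelled as a small NAT table: a packet from a private address leaves with the public address and a translated port, the reply is mapped back to the private socket, and a static mapping exposes an internal server on a fixed port. All addresses are constructed.

```python
"""Toy NAT table modelling the address/port translation the guide describes.

Added example, not code from the study guide or from Windows 2000.
Addresses are constructed for illustration.
"""
from ipaddress import ip_address


class NatTable:
    """Maps (private address, private port) to a port on one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip        # the "legal Internet address" used outside
        self._next_port = first_port      # next free port for dynamic mappings
        self._outbound = {}               # (private_ip, private_port) -> public_port
        self._inbound = {}                # public_port -> (private_ip, private_port)

    def add_static(self, private_ip: str, private_port: int, public_port: int) -> None:
        """Static mapping: an internal server reachable from outside on a fixed port."""
        self._outbound[(private_ip, private_port)] = public_port
        self._inbound[public_port] = (private_ip, private_port)

    def translate_outbound(self, src_ip: str, src_port: int):
        """Replace the private source with the public address and a translated port.

        Dynamic mappings are created on first use. A source that is not a
        private address is refused: there is nothing to hide.
        """
        if not ip_address(src_ip).is_private:
            raise ValueError(f"{src_ip} is not a private address")
        key = (src_ip, src_port)
        if key not in self._outbound:
            while self._next_port in self._inbound:   # skip ports held by static entries
                self._next_port += 1
            self._outbound[key] = self._next_port
            self._inbound[self._next_port] = key
            self._next_port += 1
        return self.public_ip, self._outbound[key]

    def translate_inbound(self, dst_port: int):
        """Map a packet arriving on the public address back to the private socket.

        Returns None when no mapping exists; such traffic has nowhere to go.
        NAT itself adds no authentication, exactly as the guide notes.
        """
        return self._inbound.get(dst_port)


if __name__ == "__main__":
    nat = NatTable("203.0.113.5")                  # constructed public address
    nat.add_static("192.168.1.2", 80, 40000)       # internal web server
    print(nat.translate_outbound("192.168.1.10", 51000))
    print(nat.translate_inbound(40001), nat.translate_inbound(9999))
```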
ROUTING AND REMOTE ACCESS SERVICES
Windows 2000 Routing and Remote Access Services is composed of the
following:
O - Routing Information Protocol
(RIP) version 2, the routing protocol for IP and IPX
O - Open Shortest Path First (OSPF) routing protocol for IP
O - Demand-dial routing
O - ICMP router discovery
O - Internet Group Management Protocol (IGMP) and multicast boundary
support
O - Remote Authentication Dial-In User Service (RADIUS) client
O - IP and IPX packet filtering
O - Point-to-Point Tunneling Protocol (PPTP) support for
router-to-router VPN connections
O - Routing and Remote Access Console and Netsh (command line) for
administration
O - Network Address Translation (NAT)
O - Integrated AppleTalk routing
O - Layer 2 Tunneling Protocol (L2TP) over IP Security (IPSec)
support for router-to-router VPN connections
O - Support for client-to-router VPN connections
Remote Access Server
The remote access server accepts Point-to-Point Protocol (PPP)
connections. PPP can be configured to require authentication. The
Windows 2000 PPP infrastructure provides support for the following:
O - Dial-up remote access
O - VPN remote access using either PPTP or L2TP over IPSec
O - On-demand or persistent dial-up demand routing
O - On-demand or persistent VPN demand-dial routing
INTERNET AUTHENTICATION SERVICES
Internet Authentication Services (IAS) is a Microsoft Windows 2000
implementation of Remote Authentication Dial-In User Service
(RADIUS). IAS can be used to perform centralized authentication,
authorization, and accounting of dial-up and virtual private network
remote access and demand-dial connections. It should be used in
connection with Windows 2000 Routing and Remote Access Services.
RADIUS Protocol
RADIUS is an industry standard that provides authorization,
authentication, identification, and accounting services. User
information is sent to a RADIUS server from a dial-up server.
RADIUS servers have been typically
located at Internet service providers. The ISPs then established
dial-up servers and leased accounts on these servers to the public.
The dial-up server is known as the RADIUS client.
VIRTUAL PRIVATE NETWORKING
Virtual private networking is the act of setting up a connection
between two parts of a private network across a shared network such
as the Internet so that it emulates a private link. Data is
encapsulated or given a header that includes routing information.
Data may be encrypted for confidentiality. The link is set up
between two end-points, either a client and a router, or two
routers. This connection is called a virtual private network (VPN).
The logical path from endpoint to endpoint is often called a tunnel.
VPN Connections
Two types of connections are possible: the remote access connection
and the router-to-router connection. The remote access connection is
made between a Windows client and the Routing and Remote Access
Server. The router-to-router connection is established between two
Routing and Remote Access Servers. In the router-to-router VPN
connection, the calling router becomes the VPN client. VPN
connections can be established across any IP network.
Many VPN connections are designed to
be established across the Internet, but there is no reason that a
VPN tunnel cannot be created across a private network to establish
secure communications.
Connections include the following
properties:
O - Encapsulation
O - Data encryption from one tunnel endpoint to the other. The
process used depends on the tunneling protocol used and how it is
configured.
O - Authentication. Both user information and data can be
authenticated. Authentication can be configured to authenticate the
client only, or both the server and the client. Data can contain a
cryptographic checksum based on a shared secret key. This allows
either endpoint to ensure that data received originated from the
other end.
O - Address and name server assignment.
The VPN server establishes a virtual interface that consists of an
IP address for the client and for itself, and the IP address of the
DNS and/or WINS servers in the server environment. This information
is delivered to the VPN client if the connection is approved.
Tunneling Protocols
Two options exist for tunneling protocols for Windows 2000 VPN
connections:
O - PPTP
O - L2TP over IPSec
PPTP requires an IP connection
between the client and the server. The connection can be made via
dial-up. Authentication is via the same mechanisms as PPP.
Encryption can be accomplished with Microsoft Point-to-Point
Encryption (MPPE) if EAP-TLS or MS-CHAP is used. Encryption is link
to link—that is, from the client to the server. Data that travels
from the server endpoint across its network to other computers is
not encrypted. End-to-end encryption can be accomplished if IPSec is
used after the tunnel is established.
SECURE ACCESS TO PUBLIC NETWORKS
Irrespective of company property use, legal issues, and
work-avoidance issues, public network access raises many security
issues that should be addressed. Although it is impossible to
eliminate every risk entirely, you can reduce their probability. To
do so, you must focus on the following six areas:
O - Protect internal networking
address schemes from exposure on the public network.
O - Set up server-side configuration to control content access (and
level of such access) in the event of a security breach.
O - Set up client-side configuration to mitigate the risk.
O - Allow only specific protocols to exit and return the
organization’s boundaries.
O - Limit exit and entry points to the network.
O - Consider policy, procedure, and politics.
SECURE ACCESS TO PRIVATE NETWORK RESOURCES
To provide secure access from public networks to your private
resources, you may want to determine the purpose of the access.
To secure resources, use DACLs and
auditing. Reduce user accounts on the exposed machines to the
defaults. Protect these accounts with complex passwords. Use the
“no access/no time/no where” practice on the Guest account. This
practice makes sure that the Guest account is disabled but doesn’t
rely on it. It does not let one little option stand between a secure
network and one that can easily be penetrated.
SECURE ACCESS BETWEEN PRIVATE NETWORKS
Any company that has multiple locations has faced the task of
providing connectivity between those locations. This has taken many
forms, from private leased lines, to shared Frame Relay, to VPNs
constructed across the Internet. Today’s enterprise organizations
also demand connectivity with their business partners. Suppliers,
business customers, and trusted partners in joint projects all want
to be able to communicate instantly to trade goods and ideas.
Security has never been more paramount.
The security of their connections
needs to be designed into the connectivity type chosen. Part of
ensuring secure access is to begin with security right within the
smallest component of the network, the LAN. Your design should begin
there and then expand to cover the following:
O - Secure access within a WAN
O - Secure access across a public network
Security and the LAN
Secure access within a LAN requires the following:
O - Securing administrative access
and assigning administrative roles
O - Understanding and dealing with IP risks and using IPSec for data
encryption and/or signing
O - Controlling access to shared resources
O - Securing non-Microsoft client access to shared resources
Securing WAN Access
Secure access across a WAN includes access across dedicated links,
Frame Relay, and ATM.
Although dedicated connections would
seem to provide the ultimate in security, you should still maintain
your server, file system and user policies. You might consider smart
card or certificate deployment to aid in security efforts.
Tunneling across WAN links can also
be a good policy. By providing a VPN connection, you are layering
security. You can use Internet Authentication Server to authenticate
access from branch offices via WAN links as well as dial-up lines.
Nothing precludes establishing a firewall or limiting protocol
access. Finally, you can use IPSec to secure data transfer as
necessary.
DESIGN WINDOWS 2000 SECURITY FOR REMOTE ACCESS USERS
You and your ISP may want to consider placing an IAS server at their
location to authenticate access to the tunnel. This is also a good
solution when you need to provide remote access for users in other
locations. By selecting an ISP with locations that match your needs,
you can provide secure remote access. If you have traveling users,
choose an ISP with nationwide (or if necessary, worldwide) access
points. Some ISPs may also be able to provide you with better
quality of service, and possibly more secure arrangements, because
they can route your communications across their backbone network
instead of relying strictly on links shared with other ISPs.
You may also choose to locate all
hardware and software on your network. In either case, be sure to
provide adequate backup for the IAS server.
Designing Security for Communication Channels
When dealing with LANs, WANs,
and communications that take you to and across public networks, two
methods can help you: SMB signing and IPSec. SMB signing refers to
the digital signing of each packet in a Server Message Block (SMB)
communication between two computers. IPSec, or IP Security, is a
protocol that you can use to provide integrity, confidentiality, and
authentication of network communications. You can use IPSec to
protect communications between Windows 2000 computers. You can use
Group Policy to enable and enforce both of these methods.
SMB SIGNING
SMB is the file-sharing protocol used by Windows computers. It is
also known as the Common Internet File System (CIFS). A newer
version of this protocol has been available for Windows NT 4.0 since
Service Pack 3. This version added two features: the support for
mutual authentication and the support for message authentication.
Mutual authentication requires both
the client and the server to identify themselves. When
authentication is required, the attacker may be able to pretend to
be either the client or the server, but he has a hard time proving
it.
SMB signing prevents the data in
packets from being changed during transit. On Windows NT 4.0 and
Windows 98 clients, two registry key entries must be made to
implement SMB signing. One key is used to “enable” signing, the
other to “require” signing. Both keys must be configured. If
servers are configured to enable signing and not configured to
require it, unconfigured clients may still communicate in the normal
manner. Clients configured to enable SMB signing will communicate in
the secure manner. If servers are configured to require signing,
communication with nonenabled clients cannot take place.
By default, installing the service
pack does not enable or require SMB signing when installed on a
server. It is enabled by default when you install it on a Windows NT
4.0 Workstation.
SMB signing does not work with direct
host IPX protocol because the direct host IPX protocol modifies SMBs
and makes them incompatible with SMB signing. CPU performance is
reduced when SMB signing is enabled and required.
IPSEC
The IPSec protocol is used in two ways in Windows 2000: transport
mode (used to secure communications between computers within your
internal network) and with an L2TP tunnel (to secure, via a VPN and
the use of L2TP, communications between networks).
IPSec also has a tunnel mode, but the
current recommendation is to use the tunnel mode of L2TP and use
IPSec for encryption. In the first case, the computers involved are
each configured to use IPSec when communicating between themselves;
in the latter, Routing and Remote Access Service is configured to
provide a tunnel endpoint for router-to-router or client-to-router
communications.
Both communications are controlled
through Group Policy. You can use IPSec to provide the following:
O - Access control—Connection
negotiation and filtering of inbound communications.
O - Integrity—Checksums and
message digest algorithms are used to allow detection of tampered
packets.
O - Data origin authentication—Ensuring
source.
O - Outbound protocol filtering—Management
of data before it leaves the system.
The IPSec architecture consists of
the following:
O - Key management via Internet Key
Exchange (IKE), formerly referred to as ISAKMP/Oakley
O - A Security Policy database that defines the rules for the
disposition of all traffic (inbound or outbound)
O - The Authentication Header (AH) protocol, which provides
integrity and data origin authentication
O - The Encapsulating Security Payload (ESP), which provides packet
encryption, integrity, and data origin authentication
O - Native IP stack implementation
IPSec Encryption Scheme Design
Design an IPSec encryption scheme. Determining the IPSec encryption
scheme to be used depends on an evaluation of the available
protocols for both negotiation phases against the issues of
performance and cost. It also requires a decision about the reuse of
keying material.
Designing IPSec Management
IPSec management is accomplished by specifying IPSec policies.
Because IPSec policies affect communications between systems, IPSec
policies are generally implemented at the site, domain, or OU level,
not at the local computer policy level. Computers that store or
manage extremely sensitive information can be grouped in an OU.
Client systems allowed to communicate with them can also be placed
in an OU.
Systems that, although they are
joined in a domain, are temporarily out of communication with a
domain controller have their policy information cached in their
registry. Systems not joined in a domain can have local policies
defined.
Management may be delegated to OUs if
the OUs represent groups of computers that need to communicate with
each other. Domain-level policies can be implemented to cover broad
applications such as a requirement to use 3DES as the encryption
protocol for all IPSec communications.
IPSec management should be considered
when designing OUs and the delegation of administrative
responsibilities for those OUs. Three possible OUs might be for
computers holding classified, sensitive, or normal information. If
computers have been administratively grouped to provide it, policies
for these systems can be developed and applied with Group Policy to
ensure its usage.
Designing Negotiation Policies and
Encryption Schemes
Negotiation of connections is managed by IKE. Two phases are used:
one for ensuring a secure communications channel, and the other to
negotiate the use of SAs. To design policies that stipulate these
negotiations, you must understand their process. Design, then,
consists of making the choices in each area negotiated, which will
best fulfill the desired level of security for each IPSec
connection.
Design security policies.
IPSec policies are composed of rules that determine how and when the
policies are used.
Rules are triggered by source,
destination, and type of IP traffic. The rules consist of a list of
filters and filter actions. A match between a filter and packet
header information triggers the rule. What happens when the rule is
triggered is determined by the filter actions. Each policy can have
multiple rules, and the rules can all be active simultaneously or
singly.
Designing IPSec policies, then,
consists of the following:
O - Designing filters
O - Designing rules by determining which filters belong in which
rule
O - Designing policies by determining which rules should be part of
the policy
Design IP filters
Filters determine whether a rule is triggered. They determine this
by specifying information that can be matched with complementary
information in the packets being inspected. IP packet headers
contain information on its source and destination address, and the
type of traffic.
Filters then are designed to indicate
acceptance or rejection of each packet based on this information.
The process by which they do so is called packet filtering.
Each filter contains the following:
O - Source and destination address - Can be specific IP addresses,
subnets, or networks.
O - Protocol - The default covers all protocols in the TCP/IP suite.
Individual protocols can be specified.
O - Source and destination ports (TCP and UDP) - The default covers
all ports, but can be configured to apply only to packets on a
particular port.
Both inbound and outbound filters must exist. In both inbound and
outbound communications, packets are matched with filters. Outbound
filters trigger a security negotiation.
The most common filter to implement is to identify the IP address or
range of addresses with which a computer or a group of computers
would be allowed to communicate. This is how communications could be
secured within a group of computers that consist of sensitive servers
of a particular type and the clients that were allowed to communicate
with them.
Filters could also be included for
specific protocols. If these are implemented, however, care must be
taken to include a filter for every protocol that might be used for
the allowed communications between the systems.
Filter Lists
Filter lists can include more than one filter. If you are using a
filter to cover all computers, use the generic Any IP Address instead
of trying to specify all the computers. Filter list order does not
matter. All filters are simultaneously retrieved by the IPSec Policy
Agent and are processed from most to least specific.
Filter Actions
Filter actions, or what happens if a match is found, are the other
part of policy design. Each rule needs to specify what will happen.
Filter actions often define the type of policy. They also indicate the
connection type and authentication method. The type of policy can be
as follows:
O - Passthrough policy—IPSec
ignores the traffic.
O - Blocking policy—This
traffic will not be accepted or allowed to pass. This will help stop
communication from a rogue computer; it can also prevent traffic
from leaving a system.
O - Permit policy—No traffic
is allowed unless a filter for it is defined.
O - Negotiated policy—The
policy is negotiated with other IPSec-enabled computers, but allows
communication with non-IPSec–enabled computers.
Passthrough policy is a good idea
when communication is necessary with a computer that cannot be
secured, the traffic is not considered sensitive enough, or the
traffic provides its own protection (Kerberos, SSL, PPTP). Blocking
policy is used to prevent communications with rogue computers. You
can also use it to prevent such traffic from leaving a computer.
A permit policy only “permits”
traffic to pass that has been specifically identified. Policy
negotiations are necessary sometimes—this is a good idea in
situations in which you need to control communications from
sensitive computers, but allow it from nonsensitive computers.
You must control communications with
the nonsensitive computer in other ways. This policy is also put
into place to ensure some communications if other policies are
preventing it incorrectly, or as a default for all communication not
specified in the policy.
This type of fallback policy is
useful during testing, but can allow unprotected communication if
policy negotiations for the more secure policies fail. The
connection type defines whether the rule applies to a particular
interface such as a dial-up adapter or network card. Specifying a
connection type enables you to limit the use of a policy to that kind
of connection (for example, only when you are on the road, not when
connected to the local LAN).
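To tie filters, filter lists, rules and filter actions together, here is an added example (not code from the study guide or from Windows 2000) that evaluates a policy against constructed packets: filters with Any wildcards, all rules active at once, the most specific matching filter deciding, and the passthrough, blocking, permit and negotiated outcomes described above. The specificity ordering and every address used are assumptions of the example.

```python
"""Toy IPSec filter/rule/policy evaluator (added example, not Windows 2000 code).

ANY stands for the guide's generic "Any IP Address"/any protocol/any port.
The specificity ordering and all addresses below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                       # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    src: Optional[str] = ANY            # host address or CIDR subnet, or ANY
    dst: Optional[str] = ANY
    protocol: Optional[str] = ANY
    dst_port: Optional[int] = ANY

    @staticmethod
    def _addr_ok(pattern: Optional[str], addr: str) -> bool:
        return pattern is ANY or ip_address(addr) in ip_network(pattern, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self._addr_ok(self.src, pkt.src) and self._addr_ok(self.dst, pkt.dst)
                and self.protocol in (ANY, pkt.protocol)
                and self.dst_port in (ANY, pkt.dst_port))

    def specificity(self) -> Tuple[int, bool, bool]:
        """Sort key: longer address prefixes first (a /32 host beats a /24 subnet),
        then a named protocol, then a named port. An assumed ordering."""
        bits = sum(ip_network(p, strict=False).prefixlen
                   for p in (self.src, self.dst) if p is not ANY)
        return (bits, self.protocol is not ANY, self.dst_port is not ANY)


@dataclass(frozen=True)
class Rule:
    name: str
    filters: Tuple[Filter, ...]         # the rule's filter list
    action: str                         # "passthrough", "block" or "negotiate"
    fall_back_to_clear: bool = False    # negotiated rule that still talks to non-IPSec peers


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    unmatched: str = "passthrough"      # "block" gives the guide's permit policy:
                                        # nothing passes unless a filter names it

    def evaluate(self, pkt: Packet, peer_speaks_ipsec: bool = True):
        """Return (decision, rule name). All rules are active at once; the most
        specific matching filter wins, as the IPSec Policy Agent processes them."""
        hits = [(f.specificity(), r) for r in self.rules for f in r.filters if f.matches(pkt)]
        if not hits:
            return self.unmatched, None
        rule = max(hits, key=lambda hit: hit[0])[1]
        if rule.action == "negotiate" and not peer_speaks_ipsec:
            # The peer cannot negotiate: drop to clear text or refuse the traffic.
            return ("passthrough" if rule.fall_back_to_clear else "block"), rule.name
        return rule.action, rule.name


# Constructed sample: sensitive servers on 10.1.5.0/24 must negotiate IPSec, the
# domain controller's Kerberos traffic protects itself, one rogue host is blocked.
SENSITIVE_SERVERS = Policy(rules=(
    Rule("secure-sensitive-servers", (Filter(dst="10.1.5.0/24"),), "negotiate"),
    Rule("kerberos-protects-itself",
         (Filter(dst="10.1.5.10", protocol="udp", dst_port=88),), "passthrough"),
    Rule("block-rogue-host", (Filter(src="10.1.9.77"),), "block"),
    Rule("everything-else", (Filter(),), "passthrough"),
))

if __name__ == "__main__":
    for pkt, peer in [(Packet("10.1.2.3", "10.1.5.20", "tcp", 445), True),
                      (Packet("10.1.2.3", "10.1.5.20", "tcp", 445), False),
                      (Packet("10.1.2.3", "10.1.5.10", "udp", 88), True),
                      (Packet("10.1.9.77", "10.1.5.20", "tcp", 445), True)]:
        print(pkt, "ipsec peer" if peer else "plain peer", "->",
              SENSITIVE_SERVERS.evaluate(pkt, peer))
```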
Authentication methods identify which
method can be used for the connection. Because a match must be made
with the other side of the connection, some policies specify
multiple methods to ensure one can be agreed upon. Greater security
can be ensured if smaller ranges are identified. Authentication
methods include the following:
O - Kerberos v5 - This is the
default authentication protocol in Windows 2000. It can be used for
any clients using Kerberos v5 that are members of a trusted domain.
(Non-Windows 2000 systems that implement Kerberos v5 and are members
of a trusted domain can use this method.)
O - Public key certificates - These
are necessary for Internet communications, remote access, external
partner access, L2TP communications, and computers that do not use
Kerberos v5. To use certificates, at least one trusted Certificate
Authority (CA) must be configured.
O - Preshared keys - These are
agreed upon by two users. Both must manually configure IPSec
policies. The key is used for authentication, not encryption. The
key is stored unprotected in the IPSec policy.
Predefined Policies
Before you develop IPSec policies, you should examine the default
policies to see whether they meet some or all of your needs. They
are also a good source to examine to understand how GUI interfaces
represent rules and filters and their corresponding actions. You can
use them as templates in designing your own rules. Predefined
default policies, rules, and filter actions are as follows:
O - Client (Respond Only)—Does
not secure communications most of the time. Can respond to requests
for secure communications by using the default response rule. Only
the requested port and protocol traffic is secured. This is a good
policy to set on clients. When the client needs to access a secured
server, it will respond; otherwise, it uses normal communications.
O - Server (Request Security)—Secures
communication most of the time. Allows unsecured communication from
non-IPSec–enabled computers.
O - Server (Require Security)—Always
requires secured communications. Unsecured communications from any
source are rejected.
Levels of computer security
identified by Microsoft include the following:
O - Minimal—No sensitive
data, no IPSec.
O - Standard—Balanced
security using a range of policies including minimal policies
(including policies such as enabled, but not required).
O - High security—Highly
sensitive data at risk of theft or disruption (that is, remote
dialup, public network communications).