Securing Windows Server 2003
By Mike Danseglio
Table of Contents

Chapter 1: Introduction to Windows Server 2003 Security
Security is one of the primary functions of any server-based operating system. Without security, any user or program could do anything to your servers—and wreak havoc on your ability to effectively manage the environment. As a security administrator, you want to provide functionality and security to your users without burdening them or restricting them in a way that hinders their work. This is the mark of a great security administrator: the ability to successfully balance the security of proprietary and personal data and the usability of your systems in a way that maximizes the productivity of your organization. This book will show you how to do exactly that.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
What Is Security?
To have a meaningful discussion of security in Windows Server 2003, we should first establish what security is. A dictionary definition might refer to security as "measures adopted to provide safety." For the purposes of this book, that definition will work very well.
Computer security is not normally defined as a state of safety. Rather, it is defined as the collection of protective measures (including technology-based and non-technology-based measures) that provide a defined level of safety. When security is mentioned throughout the book, you should keep this definition in mind. Security is neither a single protective measure nor a complete protection against all attacks. It is a set of measures that provide the desired level of protection.
Many readers may say "I want complete security for my data against all attacks. Tell me how to do that." The only solution that provides complete security is to put that data on a hard drive, incinerate the drive until it is completely turned to vapor, and then randomly mix the hard drive vapor with outside air until completely dissipated. Anything less is a compromise of security in the interest of another business factor such as usability or cost. The need for such compromises is a common theme throughout all computer security topics and is discussed in every chapter of this book.
What Is Windows Server 2003?
Windows Server 2003 in its several editions is the latest generation of the Microsoft family of server operating systems, incorporating the advances achieved by the earlier Windows NT and Windows 2000 Server families of products. These operating systems have been tested and proven since 1993 to be a solid platform for applications and server-based functions.
Windows XP is also derived from the same code base as Windows Server 2003. This common base ensures that the core functionality of the two operating systems remains identical. The numerous benefits this approach provides include the following:
Common device drivers
If you've ever gone searching for a device driver for a specific operating system, you can immediately recognize this benefit. Hardware vendors need to write only one device driver that will work on both operating systems.
Software compatibility
If software works on Windows XP, it'll work on Windows Server 2003.
More stable core
All the work done to make Windows XP a solid and stable operating system benefits Windows Server 2003, as it's simply an extension of that work. Windows Server 2003 benefits from having had an additional year of bulletproofing done on top of the enormous work already done on Windows XP. In addition, many flaws discovered in Windows XP were fixed in Windows Server 2003 before it even shipped.
Unified user interface and experience
Although some of the "pretty" features have been removed from Windows Server 2003 to gain performance benefits, an administrator who is comfortable working with Windows XP will immediately feel at home with the server version. Almost all user interface objects are in the same place, which decreases the time needed to master the differences.
Security Design in Windows Server 2003
The Windows NT and Windows 2000 operating systems were designed from inception to be secure. Both enforce user logon and ensure that all software runs within the context of an account, which can be restricted or permitted appropriately. Windows security is not limited to user logon-based security, but extends to all objects within the operating system. Files on the hard drive, entries in the registry, software components—all these elements have a security aspect. Operating system components can access objects only with the appropriate permissions and credentials. This can be both a benefit and a detriment.
Enforcing security restrictions on every component of the operating system can seem daunting. Access checks must occur when one Windows component talks to another. These include programs, device drivers, core operating system components, and so on—in short, everything. Setting appropriate security permissions is a task that requires detailed knowledge of the subject and the interaction between the components being configured. Misconfiguration of these permissions could cause undesirable behavior ranging in severity from a minor and easily fixed problem to a complete and irreversible loss of functionality.
The fact that this daunting security environment is part of the fundamental design of Windows Server 2003 is a big advantage. If strong and pervasive security is not designed into the core of an operating system (for example, Windows 95), it is nearly impossible to add it later. Developers and testers may find holes or make compromises when they patch security into an operating system. Legitimate components may already be designed to take advantage of the lack of security. The environment would necessarily be less secure than one designed for security from the beginning.
Security Features in the Windows Server 2003 Family
Compared to their predecessors, Windows NT and Windows 2000 provided numerous security features. In fact, since the inception of Windows NT Advanced Server 3.1 in 1993, the Windows NT family has always provided a suite of security-focused features. Over the years, subsequent releases have added new security features and expanded existing ones.
Just as with earlier releases, Windows Server 2003 improves on previous operating system releases by enhancing existing security features and adding new ones. Some of the security features that are carried forward from previous versions include:
Kerberos authentication
Kerberos is a standardized and widely used network authentication protocol. Originally incorporated into Windows 2000, Kerberos provides proof of identity for users, computers, and services running on Windows 2000, Windows XP Professional, and Windows Server 2003. Prior to the use of Kerberos in Windows 2000, NTLM was used as the authentication protocol. While NTLM is still a useful protocol for maintaining compatibility with older operating systems, it is not as efficient or interoperable as Kerberos. NTLM also has some security shortfalls that Kerberos does not. Kerberos and NTLM are described in depth in Chapter 7.
IP Security
TCP/IP's use has become widespread. While TCP/IP provides enormous benefits over other network protocols, it is not desirable from a security standpoint. Data sent over a network with this suite of protocols is not designed to be secure and can be easily intercepted and decoded. IP Security (IPSec) is a set of RFC-based standards that defines how data can be sent securely via TCP/IP. Data can be encrypted, digitally signed, or both using IPSec. Many hardware devices, such as routers and firewalls, support IPSec communications. IPSec is available in Windows 2000, Windows XP Professional, and Windows Server 2003 family products. It's incorporated right into the networking drivers, which allows it to integrate smoothly with the existing TCP/IP software. The implementation is compliant with established standards, which allows Windows Server 2003 to communicate with other properly equipped network devices via IPSec. IPSec is described in depth in Chapter 8.
Summary
The Windows Server 2003 family of servers is the latest generation of operating systems to be built on the Windows NT code base. It provides numerous security advantages over its predecessors, but ultimately the level of security it provides depends on the level of security you want to deploy.
Throughout this book, I will examine the various security technologies that are a part of Windows Server 2003. Typically, I'll provide a detailed explanation of how each works and how it can be used within a comprehensive security plan. Then I'll examine common scenarios and show you, in detail, how to employ the technology correctly. I'll also cross-reference complementary security technologies that should be used together to provide a complete solution.
Chapter 2: Basics of Computer Security
Computer security is becoming more and more important to Windows administrators. This trend is a result of several conditions in today's world, including the increase of computer competence among evildoers, the worldwide terror threat that was clearly illustrated on September 11, 2001, and the proliferation of computers and the Internet. Many companies are retraining their IT staffs to be more security-aware. Threat modeling in the data center has become commonplace. There are even vendor-independent security certifications, such as Certified Information Systems Security Professional (CISSP), which have become widely known and sought after. But before the security of your Windows Server 2003 computers can be addressed, you need to understand some of the basic concepts and terms of computer security. In this chapter, I'll introduce you to computer security fundamentals such as encryption and show you the difference between technology-based security and administration-based security. I'll also discuss other fundamental concepts like password strength and the idea of authorization versus authentication. If you are new to computer security or would like a refresher of the concepts and terms that will be used in the rest of the book, this chapter is for you.
Why Computer Security Is Important
It's almost impossible not to recognize the importance of computer security in today's economic and political climate. The national news media devotes ample coverage to computer security issues, often sensationalizing the latest computer virus or so-called hacker attack. In fact, that very sensationalism can distract you from day-to-day security threats. Computer security encompasses a wide range of potential threats and basic concepts, and you can never underestimate the real business costs of security failures. Consider the following:
  • Most companies store proprietary information regarding their products or services both online and in hardcopy documents. If competitors obtain a company's product specifications and plans, they may be able to drive it out of business.
  • Companies have a legal obligation to protect the sensitive employee information they collect for payroll and other purposes. If the security of that information is compromised, the company may be subject to lawsuits and legal fines.
  • Some companies, such as banks, are subject to laws regarding the security of the information they use. For example, if a bank's customer records are accessed by unauthorized personnel, the bank can be subject to hundreds of thousands of dollars in fines, not to mention lawsuits by their customers.
Sixty years ago, companies kept sensitive information in locked filing cabinets. The cabinets made the information difficult to share throughout the company, but they helped keep the information secure. Today, almost every important piece of company information is kept on a computer. Computers make it very easy for employees to share information with one another—even if that information is sensitive and shouldn't be shared. As more and more information is stored on computers, computer security will play a more important role in protecting that information. And because some of that information is more sensitive than others, you should consider defining the security criteria for that information. See the "How Secure Is 'Secure Enough'?" sidebar and Chapter 15 for more information.
Security Enforcement Mechanisms
Operating systems like Windows Server 2003 provide powerful tools to protect data, including the Encrypting File System (EFS), file permissions, user accounts and passwords, and much more. As powerful as those tools are, though, they can't provide a completely secure environment by themselves. For example, Windows can ensure that only authorized users have access to a particular file, but Windows can't stop users from leaving hardcopies of the document lying on their desks. All the computer security in the world is useless if information that is protected on your computers can be compromised in other ways. Similarly, suppose you implement a complete security plan that includes computer-based file protection and locked filing cabinets. Without a well-thought-out physical security plan, there might not be anything stopping someone from carrying away a computer or filing cabinet, which would completely defeat your security measures.
Any useful computer security plan has to provide a complete security solution: one that addresses both technological solutions and administration solutions to security threats. If you find that your company is unwilling or unable to implement a complete security plan, you probably don't need to spend a lot of time worrying about the computer-specific aspects of security. Again, you don't need to spend weeks locking down your servers against intruders if your company won't keep sensitive computers in a locked room where they can't be easily carried away by a physical intruder.
That said, security is not an all-or-nothing game. While locking your file cabinet may not be a complete security solution, it is one element of that solution. Locking the front door, arming the burglar alarm, and hiring a security guard may be other elements that contribute to an overall security solution for the data in that filing cabinet. The same works for data security. While IPSec, for example, may be a great security solution, it should never be considered the only data security mechanism in a whole solution. Other components such as Internet Connection Firewall (ICF), EFS, NTFS, or access control lists (ACLs) may be incorporated with IPSec to provide a complete security solution. Each is valuable by itself; together, they provide the desired level of protection.
POLA: The Principle of Least Access
One of the most common (and commonsense) concepts in computer security is POLA, the principle of least access. It simply states that employees should have access to only the resources they need to perform their day-to-day tasks. POLA applies to noncomputer security, although most people don't think of it that way very often.
You may also hear POLA referred to as the principle of least privilege.
For example, suppose you work for a bank. As in most banks, your customers' data is kept in computer files, but you still have to maintain paper records for many documents, such as signature cards. Those cards might be kept in locked cabinets in your bank's headquarters. Tellers don't need to access the signature cards very often, so they aren't given keys to the cabinets. When a teller needs to access a signature card, he asks a manager to unlock the cabinet and retrieve the card. That's POLA in action. It's not that the bank doesn't want the tellers to see the cards; the bank just doesn't want tellers to have casual access to the cards. The tellers have the least amount of access possible for the day-to-day needs, and when they need to go beyond those needs on occasion, they have a means to do so.
In the world of computer security, POLA is most often applied to administrators. Although administrators have job tasks that require a great deal of privilege over computer systems, they're also regular users who check email, work with Microsoft Word, and surf the Internet. POLA means that administrators should have a regular user account that doesn't have administrative privileges and that they should use that account when they're performing regular, day-to-day tasks. A second computer account might belong to the Domain Admins group, and administrators would log on with that account to perform administrative tasks.
POLA offers real security benefits in any environment. Because of the job tasks they must complete, administrators (when logged on with an administrative user account) have an incredible amount of control over a company's computer systems. Programs like viruses can take advantage of that control and wreak havoc on a company's network. When administrators use a regular user account, though, they can perform only actions that a regular user could perform—limiting the scope of damage a malicious virus can cause.
Key-Based Cryptography
Cryptography is perhaps one of the most important fundamental concepts in computer security today. Cryptography has played a role in every version of Windows to date, and it plays an even larger role in Windows Server 2003 than ever before. Many of the technologies and techniques I discuss in this book rely heavily on cryptography, including smart cards, data encryption, digital signatures, and email security. For that reason, it's important that you understand what cryptography is and how it works.
At its heart, cryptography is about scrambling data so that only the sender and the recipient can read it. Modern cryptography serves the same purpose as the secret decoder ring you had as a kid, although it's vastly more complex and powerful than that ring. Modern cryptography uses complicated mathematical processes called algorithms to scramble and unscramble data. And I mean complicated. In fact, some of the world's most popular cryptography algorithms are so complex and unique that they've received worldwide patents.
There are three basic kinds of cryptography: keyed hashing, shared secret keys, and public keys. Each provides a slightly different technique for encrypting data, and each is used for a specific set of purposes.
A hash is a form of encryption in which a computer uses a well-known algorithm to scramble data and return a fixed-length result that is reasonably unique to the data. Theoretically, hashes aren't really that secure, because the algorithm is often very well known. The most common use of a hash, however, cannot be decrypted by anyone. Such one-way hashes are "lossy" and do not contain a full representation of all the original data, making it impossible to ever decrypt the result and retrieve the original data. As an analogy, one-way hashes are similar to your fingerprint. I can't make a complete copy of you out of your fingerprint, but I can statistically rely on the fact that your thumbprint is unique to you.
Authorization and Authentication
Two additional security concepts you need to be familiar with are authorization and authentication.
Authentication is the process of validating a user's identity, ensuring he is who he says he is. Passwords are a common component in the authentication process, although the use of biometric components like smart cards and fingerprint readers is becoming more common.
Authorization is the process of determining what an authenticated user has access to. Windows Server 2003 uses a variety of mechanisms to accomplish authorization on files and folders, for remote access, and so forth, which you'll learn about throughout this book.
Password Basics
Passwords are the basis of most security schemes, including Windows Server 2003. Passwords are used by client computers to log on to a domain, and they're also used by users to log on to a domain or to a computer's local user accounts.
In a default Windows Server 2003 environment, passwords are the keys to the entire kingdom. For example, the only difference between an unauthorized intruder and a domain administrator is that the domain administrator knows the password to a powerful user account. For that reason, it's important that you implement procedures and policies that require strong passwords of your users.
Strong passwords are passwords that are difficult for intruders to guess or successfully duplicate. So, before you can accurately define strong, you need to understand the techniques that an intruder might use to compromise a password.
As I mentioned earlier in this chapter, Windows Server 2003 stores passwords after running them through a one-way hash. That means attackers have no possibility of successfully decrypting a stored password, even if they somehow come into possession of a stored password. If an attacker does manage to obtain a hashed password and knows the hash algorithm (which she will), she must run combinations of passwords through the hash algorithm until she gets a hash result that matches the stored password. Then she'll know the clear-text version of the password. The most common form of this attack is called a dictionary attack, which I described earlier.
Another way attackers can compromise a password is to try to log on to the domain, guessing a new password each time until the domain lets them in. There are readily available tools that can do this for the attacker rapidly. This technique is often called a brute force attack, because the attacker is simply trying every possible password in a brute attempt to obtain the right one. This technique isn't really that different from the first technique, although an administrator can implement account policies to limit the effectiveness of this attack. If you've also implemented a strong password requirement, the odds that the attacker can guess the right password before being caught or locked out are slim.
Network Security
The first step most companies take for their physical security is simple: locked doors to keep out potential intruders. Network security plays a similar role in computer security, by simply keeping unauthorized personnel away from your sensitive data. Network security also needs to address the times when data must be transmitted outside of your company's secure network and should address the possibility of your network's outer security being compromised. I'll discuss two kinds of network security in this book: boundary security, which protects your network from outside attack and intrusion, and data encryption, which protects data that travels outside your network and also provides data protection within your secure network.
Network security, like physical security, starts with strong walls. Typically, those walls are provided by firewalls, which prevent unauthorized data from traveling to and from your network. Windows Server 2003 doesn't provide the functionality required of a firewall, although it does provide an excellent platform for firewall products, such as Microsoft's Internet Security and Acceleration Server.
There are a wide variety of firewall products on the market, including some that are built into or run on various Microsoft operating systems. Other firewalls are implemented as standalone devices. All networks should have one or more firewalls, period. Exactly which firewall product you should use, where you should place it, and how you should configure it, is beyond the scope of this book. However, you'll find dedicated books available for most major firewall products that can help you make those decisions.
Windows Server 2003 does provide one feature that firewalls can take advantage of: port blocking. Port blocking allows Windows Server 2003 to accept or reject specific types of data sent to or from specific IP addresses or ports. Firewalls use this capability to prevent unauthorized data from entering or leaving your network. Firewalls usually expand on this capability by analyzing data and allowing only authorized users to send or receive data outside your network. You can read more about Windows Server 2003's basic port blocking capabilities in Chapter 14.
Keeping Your Eyes Open
The key to successful security is constant vigilance. While you can configure your servers with strong passwords, restrictive security policies, and powerful network protection, attackers can almost always find a way to get through if they're determined enough. The only way to catch them is to constantly be on your guard. This includes watching for security intrusion signs, patching security vulnerabilities immediately, and remaining alert for new conditions that could expose your enterprise to attack.
Windows Server 2003 provides a number of tools for monitoring security. The Windows Event Log has an entire Security Log in it, and Windows supports complete security auditing for file and object access, user logons, and so forth. You'll learn more about auditing in Chapter 15, where I'll also discuss the Security Log in more detail and show several types of security events that you can look for in your environment. Web sites, DNS services, and many other network services maintain their own logs, which you can review for possible security problems. You'll learn about those services and their security implications throughout this book.
Of course, you'll want to establish a regular pattern of security checks in your environment. That way, you'll be sure to check each and every facet of your organization that is open to security breaches. The exact contents of a security checklist will depend on your organization's security needs, but might include:
Checking the Security Event Log for any unusual messages
If you've enabled auditing, watch for events that indicate a user is being repeatedly denied access to a file. That behavior may indicate an in-progress attack.
Watching the Security Event Log for logon failures
These are often the first indication of a dictionary attack in progress, whether or not the attack ultimately succeeds.
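As an added example (not from the book), the following Python script runs the two checklist items above over a constructed set of Security Log records: it flags an account with a burst of failed logons from one workstation and a user repeatedly denied access to the same file. The event IDs 528, 529 and 560 are the Windows 2000/2003 Security Log numbers as I know them, and the comma-separated record layout is my own simplification, not Windows's export format.

```python
"""Review constructed Windows Security Log records for two checklist items:
repeated failed logons (a possible dictionary attack) and a user repeatedly
denied access to the same object (a possible in-progress attack)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log output). Fields:
#   timestamp, event id, audit type, account, source (workstation or object).
# Event IDs follow the Windows 2000/2003 Security Log numbering as I know it
# (an assumption for this example):
#   528 = successful logon
#   529 = logon failure (unknown user name or bad password)
#   560 = object open; a Failure audit means access to the object was denied
SAMPLE_LOG = """\
2004-03-02 08:00:01,528,Success,alice,WS-ACCT01
2004-03-02 08:00:05,529,Failure,administrator,WS-LAB07
2004-03-02 08:00:07,529,Failure,administrator,WS-LAB07
2004-03-02 08:00:09,529,Failure,administrator,WS-LAB07
2004-03-02 08:00:11,529,Failure,administrator,WS-LAB07
2004-03-02 08:00:13,529,Failure,administrator,WS-LAB07
2004-03-02 08:00:14,529,Failure,administrator,WS-LAB07
2004-03-02 08:03:00,529,Failure,bob,WS-ACCT02
2004-03-02 08:03:40,528,Success,bob,WS-ACCT02
2004-03-02 09:15:00,560,Failure,carol,D:\\Payroll\\salaries.xls
2004-03-02 09:15:02,560,Failure,carol,D:\\Payroll\\salaries.xls
2004-03-02 09:15:03,560,Failure,carol,D:\\Payroll\\salaries.xls
2004-03-02 09:15:05,560,Failure,carol,D:\\Payroll\\salaries.xls
2004-03-02 09:20:00,560,Success,dave,D:\\Payroll\\salaries.xls
"""

LOGON_FAILURE = 529
OBJECT_OPEN = 560


def parse_events(text):
    """Turn the constructed records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, audit, account, source = line.split(",", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "audit": audit,
            "account": account.lower(),
            "source": source,
        })
    return events


def logon_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(account, workstation): total failures} for accounts that reach
    `threshold` failed logons within any sliding `window`. A single mistyped
    password followed by a good logon (bob above) stays below the bar; the
    rapid run against the administrator account does not."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == LOGON_FAILURE and e["audit"] == "Failure":
            by_key[(e["account"], e["source"])].append(e["time"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged


def access_denied_repeats(events, threshold=3):
    """Return {(account, object): count} where the same user was denied access
    to the same object at least `threshold` times."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == OBJECT_OPEN and e["audit"] == "Failure":
            counts[(e["account"], e["source"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def review(text):
    """Run both checklist items and return their findings."""
    events = parse_events(text)
    return {
        "logon_failure_bursts": logon_failure_bursts(events),
        "access_denied_repeats": access_denied_repeats(events),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(check)
        for (account, source), n in sorted(hits.items()):
            print(f"  {account} at {source}: {n} events")
```

Tune the thresholds and window to match your own account lockout policy so that the script flags activity before lockout rather than after it.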
Summary
Computer security is a lot more complicated than just making your users change their passwords every so often. Computer security involves powerful cryptography, a variety of security mechanisms, and principles designed to prevent security breaches. But computer security does not stand alone. It requires strong administrative security policies that define security within your organization and policies that protect data even after it leaves the computers.
All companies need to have a written security policy that describes what resources require protection. Such a policy must come from company management, not from network administrators. Several characteristics of a good policy were shown in this chapter.
The encryption technologies used within Windows Server 2003 (hashing, shared secret encryption, and public key encryption) are important to understand. These technologies play a key role in Windows authentication, the Encrypting File System, and other security technologies. You'll see them come up again and again in the following chapters.
Strong passwords are extremely important in all environments. Attackers use many techniques to compromise passwords. But there are ways that you can help users (and other administrators!) create memorable, strong passwords on your network.
In the next chapters, I'll build on the basics that I covered here. You'll find that encryption plays a strong role throughout Windows Server 2003, for example. Also, much of the rest of this book focuses on how to implement security, meaning you should already have a written policy that tells you what needs to be secured.
Chapter 3: Physical Security
You might think it strange for a book on Windows Server 2003 security to discuss physical security. After all, Windows Server 2003 itself doesn't make any significant contribution to physical security. Yet without physical security, Windows Server 2003's own powerful security mechanisms can be easily defeated. As you learned in Chapter 2, administrative security mechanisms—including physical security—are just as important as the technology-based security provided by Windows Server 2003.
In this chapter, I'm going to start by identifying physical security vulnerabilities. Try to get into a paranoid frame of mind for this discussion and think of every little thing that could represent a weak point in your company's physical security. After we've gotten a plate full of potential vulnerabilities, I'll show you some strategies for addressing these vulnerabilities. By the end of the chapter, you'll automatically scrutinize the physical security of virtually every building you enter—a good behavior for a security administrator.
Identifying Physical Security Vulnerabilities
No matter how secure your server operating systems are, physical security vulnerabilities can allow intruders—or even misguided employees—to compromise your company's information security. Learning to identify physical security vulnerabilities requires you to look at your entire network from a whole new point of view. It's time to get paranoid and think about all the ways in which your network's security could be compromised.
Even if your company's security plans don't require you to provide a solution for every physical security vulnerability you find, you should make yourself aware of them all anyway. You never know when your company might need to provide extra security for some collection of information, and understanding your vulnerabilities up front will make that task easier.
As an example, let's consider a typical corporate office with typical physical security measures. The office contains any number of client computers, which connect to network jacks installed in the walls. Those jacks, in turn, are wired back to a cable plant, where they're all connected to switches or hubs. Larger offices might have several cable plants, or wiring closets, which are connected to one another. The office probably has a data center of some size. Access to the data center might be restricted to individuals with an authorized card key, or the data center's door might have a combination lock. Within the data center, servers are installed in racks. Especially security-aware companies might even keep a log of who goes in and out of the computer room. Card key systems make that easier, since the systems can usually keep track of who uses the door in a master log file.
Your company's offices are probably similar to that theoretical office. And that means your network is positively full of security vulnerabilities.
Tommy Lee Jones said it best in the movie Men in Black: people are stupid. They're often the biggest security vulnerability in any company. From a two-person office to a multinational conglomerate, you can expect some significant percentage of people will have no idea about security. These people are a bigger risk than the failure of a firewall, the opening of a port, or the receipt of an email virus.
Protecting Physical Assets
So how paranoid do you have to be to protect your company's information? That depends entirely on your company, the potential cost of losing data, and the security policies your company adopts. Typical American businesses might not need to worry about intruders tapping into their network cables, but many government organizations worry about precisely that. Most companies might not need to worry about someone reprogramming hubs and switches to eavesdrop on network traffic, although large financial institutions, with their increased liability for compromised information, take extra steps to protect their hubs and switches. Some organizations, such as companies in the health care industry, are required by law to provide security measures for certain types of data. Physical security can be expensive; the level of physical security you implement will depend upon your organization's needs and requirements.
As I mentioned earlier, simply knowing about your security vulnerabilities—even if you choose to do nothing about them—is half the battle. Once you know what your vulnerabilities are, you and your company's managers can look at the cost of fixing those vulnerabilities and decide what's right for your company.
As with all security implementations, the measures you take to mitigate vulnerabilities depend on your particular situation. There is no one-size-fits-all security strategy. For example, an airline may value its reservations database above all other assets, and any compromise of that database would cause irreparable harm to the company. On the other hand, a law firm may care little about its databases but place immense value on its file shares that contain client communications and legal research. These two companies will eventually need to assign values to the importance and expected cost of compromise of their assets and implement appropriate security based on these values. This type of analysis and cost factoring is discussed in Chapter 15.
In the next few sections, I'll give you some tips for securing specific vulnerabilities.
Holistic Security: Best Practices
Although you have to think about security vulnerabilities individually, you should plan your security solutions as a system of complementary techniques and technologies. Each level of the security solution should take into account preceding layers, but never assume that those preceding layers will stop an intruder. The following tips are best practices that most companies can use to significantly enhance their physical security:
  • Your network's physical cabling is almost impossible to completely secure. Do the best you can by locking up wiring closets, hubs, switches, and so on, and assume that intruders will find a way to access transmitted data anyway.
  • Use technology-based solutions like IPSec to protect network transmissions against eavesdroppers.
  • Buy a laptop chain lock whenever a new laptop is purchased, and instruct the new laptop owner on its proper use. These simple $20 devices deter many thieves. You should also implement a policy that requires their use at all times and specifically states that anyone whose laptop is stolen without the cable connected will repay the company for the laptop and the cost of the security administration (i.e., revoking certificates on the laptop).
  • Keep unauthorized computers off your network completely by not issuing IP addresses to unknown MAC addresses. You can also use nonstandard network plugs and jacks, which make it more difficult for outsiders to physically connect to your network (although expensive, this is a popular technique in high-security government facilities and some technology companies).
  • Secure your data center with electronic locks and, if possible, recording cameras. Require anyone exiting the data center to use his card key and you'll have a complete electronic in-and-out log.
  • Lock servers in cabinets with secure cabinet rear doors and sidewalls. Keep the cabinet keys in a secure location, and require administrators to check keys out using a card key or some other system.
Summary
All the technological security marvels in the world are useless without proper accompanying physical security. While most companies implement some form of physical security, few take into account the many security vulnerabilities that exist in their environment. Take the time to think about physical security, document the vulnerabilities in your environment, and make business decisions about how to prevent those vulnerabilities from compromising the security of your company's information systems.
Chapter 4: File System Security
Whenever data is stored on physical media, it has the potential to become compromised. For example, secret notes between Napoleon and his generals were compromised and led, in part, to his defeat. Napoleon's secret notes were written on leather or paper and sent by fast riders. In a computer context, those secret notes are stored on a hard drive and either used locally or transmitted across a network to a friend, coworker, Internet site, or other location beyond your server or organization. In this chapter, you'll see who can access those secret notes on the local hard drive and how to ensure only the desired people and groups can access them. Techniques for ensuring that your data remains secret when transmitted on a network will be covered in subsequent chapters.
The use of long-term computer data storage, whose benefits are numerous, raises special security considerations for the system administrator: how do you protect data so that only the intended user has access while ensuring some level of recoverability over time? In this chapter, you'll learn how to use file permissions and EFS—the two main file protection mechanisms provided by Windows Server 2003—to control user access to files. You'll see how to use these mechanisms appropriately and how they are often misconfigured in ways that prevent desired access. You'll also learn how to plan for a number of special security concerns specific to the use of portable computers. These plans may include Syskey, a special tool for protecting the account database, which I show you how to use properly.
Protecting Files with NTFS File Permissions
The primary technique for protecting data on a hard drive is to use the built-in NTFS file permissions to allow or restrict specific users and groups. A user could allow his user account to access his personal research data while restricting other users. He could also designate some files as readable by all users but writable by only his coworkers and manager. At home, he could restrict certain folders so that only he could read their contents, while allowing only himself and his wife to read others. You may want to share files on Windows Server 2003 and allow only the HR group access. File permissions are configurable and flexible enough to work in many different scenarios.
When a user logs into a Windows system, as described in Chapter 7, an access token is granted to the user's session, which the operating system uses to prove her identity to local and network resources. Every access token contains the security identifier (SID) of the user as its key component and the SIDs of the groups she belongs to. This information allows operating system components that are concerned about security to simply check to see whether any of the SIDs provided in the access token have been granted or denied access to their data or services.
File permissions simply attach a list of SIDs and the access rights granted or denied for each SID to a file or directory. This list of SIDs is known as an access control list (ACL), and each entry in the list is an access control entry (ACE). An ACL is composed of one or more ACEs. Whenever a user or process makes a request to access a file or directory, NTFS retrieves the corresponding ACL for that object. It then runs down the list of ACEs on the object, comparing each to every SID in the access token of the requesting entity (usually a user). NTFS accumulates the permissions it finds and determines whether they cover everything the requester asked for. If they do, the request succeeds and the requester accesses the object; if any requested permission is not granted, the request fails.
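To make the ACE walk concrete, the following Go program is an added illustration (not code from the book or from Windows) of the evaluation just described: the token's SIDs are matched against each ACE in turn, allowed rights accumulate until every requested right is covered, a matching deny ACE for a right that is still outstanding stops the check, and running out of ACEs is an implicit denial. The access-mask bits, the ACL and the account and group SIDs are constructed for the example; the ACL is written in the canonical order Windows uses, explicit denies before explicit allows, and the BUILTIN\Users SID is the real well-known one.

```go
package main

import "fmt"

// Access rights, a deliberately small subset of the NTFS access mask.
const (
	RightRead uint32 = 1 << iota
	RightWrite
	RightExecute
	RightDelete
)

// ACEType distinguishes access-allowed from access-denied entries.
type ACEType int

const (
	AccessAllowed ACEType = iota
	AccessDenied
)

// ACE is one entry of an ACL: a SID plus the rights allowed or denied to it.
type ACE struct {
	Type ACEType
	SID  string
	Mask uint32
}

// AccessToken carries the user's own SID and the SIDs of the groups she belongs to.
type AccessToken struct {
	UserSID   string
	GroupSIDs []string
}

// Has reports whether sid is the user's own SID or one of her group SIDs.
func (t AccessToken) Has(sid string) bool {
	if sid == t.UserSID {
		return true
	}
	for _, g := range t.GroupSIDs {
		if g == sid {
			return true
		}
	}
	return false
}

// AccessCheck walks the ACL in order, looking only at ACEs whose SID is in the token.
// A deny ACE that covers any still-outstanding requested right ends the check with a
// denial; allow ACEs accumulate rights until every requested right is granted. If the
// list runs out first, access is denied: nothing is ever granted by default.
func AccessCheck(acl []ACE, tok AccessToken, requested uint32) (bool, string) {
	var granted uint32
	for i, ace := range acl {
		if !tok.Has(ace.SID) {
			continue
		}
		outstanding := requested &^ granted
		switch ace.Type {
		case AccessDenied:
			if ace.Mask&outstanding != 0 {
				return false, fmt.Sprintf("denied by ACE %d (SID %s)", i, ace.SID)
			}
		case AccessAllowed:
			granted |= ace.Mask & requested
			if granted == requested {
				return true, fmt.Sprintf("all requested rights granted by ACE %d", i)
			}
		}
	}
	return false, "not every requested right was granted"
}

// SIDUsers is the real well-known SID for BUILTIN\Users; the others are constructed.
const (
	SIDUsers       = "S-1-5-32-545"
	SIDAlice       = "S-1-5-21-EXAMPLE-1105" // constructed user SID
	SIDBob         = "S-1-5-21-EXAMPLE-1106" // constructed user SID
	SIDContractors = "S-1-5-21-EXAMPLE-2001" // constructed group SID
)

// ResearchACL is the ACL on a hypothetical D:\Research\notes.doc, denies first.
var ResearchACL = []ACE{
	{AccessDenied, SIDContractors, RightWrite | RightDelete},
	{AccessAllowed, SIDAlice, RightRead | RightWrite | RightDelete},
	{AccessAllowed, SIDUsers, RightRead | RightExecute},
}

func main() {
	alice := AccessToken{UserSID: SIDAlice, GroupSIDs: []string{SIDUsers}}
	bob := AccessToken{UserSID: SIDBob, GroupSIDs: []string{SIDUsers, SIDContractors}}
	for _, c := range []struct {
		who  string
		tok  AccessToken
		want uint32
	}{
		{"alice", alice, RightRead | RightWrite | RightExecute}, // accumulated across two ACEs
		{"bob", bob, RightRead},                                 // granted through BUILTIN\Users
		{"bob", bob, RightRead | RightWrite},                    // stopped by the contractors deny
	} {
		ok, why := AccessCheck(ResearchACL, c.tok, c.want)
		fmt.Printf("%-6s mask 0x%x -> %-5v (%s)\n", c.who, c.want, ok, why)
	}
}
```

Alice's request for read, write and execute is satisfied only after two allow ACEs have contributed (her own entry lacks execute, the Users entry supplies it), which is the accumulation the text describes; Bob can read through his Users membership but any request that includes write is refused at the contractors deny ACE before his Users allow is ever reached.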
Protecting Data with the Encrypting File System
As I discussed in the previous section, NTFS checks the ACL for each file and folder a user accesses and compares it against her access token. Access is granted only when the appropriate permissions are held by the requester. However, this architecture has the potential to be circumvented. If NTFS isn't used to access the hard disk, the data can be read just like any other data. Because Windows Server 2003 and Windows XP allow only NTFS to access their own partitions, this security is effective. If another operating system is used, or if special disk-reading equipment is connected to the hard disk, the data is completely unprotected.
The only way to ensure that data on the hard disk is not susceptible to this type of attack is to protect it with encryption. Storing the data on the hard drive in an encrypted state means that the requester must provide the decryption key for the data to be usable. Without the decryption key, the data is useless to the requester—regardless of the operating system making the request. Windows XP and Windows Server 2003 allow files on the hard disk to be encrypted using the Encrypting File System, or EFS.
To discuss the concepts and processes of EFS, I must first dispel a myth. EFS is not really a file system at all. It is a set of functions that work in conjunction with NTFS to encrypt and decrypt files that are stored on the hard drive. NTFS provides the core mechanics of fetching data from the hard drive, writing to the hard drive, checking ACLs, and so on. EFS does the added work of determining when a file must be encrypted or decrypted and performing that action.
Specifically, EFS works by generating a random symmetric key for a file, called the file encryption key (FEK), and encrypting the data portion of the file with that key. It then takes the requester's public key from the local key store and encrypts the FEK with that public key. This chunk of encrypted data that allows the requester to decrypt the file is called the data decryption field (DDF). There is always at least one DDF for an encrypted file.
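The FEK and DDF scheme, as an added example rather than EFS's own code: AES-GCM stands in for the cipher applied to the file data with the FEK, RSA-OAEP stands in for wrapping the FEK with the user's public key, and a hypothetical User type with a name and key pair stands in for the key store. The program also shows the point made earlier in this section: the ciphertext read straight from the disk, bypassing NTFS, reveals nothing without a DDF the reader can unwrap, and a file with no DDF at all is refused, mirroring the rule that there is always at least one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// User stands in for a Windows account and the key pair EFS keeps for it (hypothetical helper).
type User struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewUser generates the user's RSA key pair (constructed for the example).
func NewUser(name string) (*User, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{Name: name, Key: key}, nil
}

// DDF holds the file encryption key (FEK) wrapped with one user's public key.
type DDF struct {
	Owner        string
	EncryptedFEK []byte
}

// EncryptedFile is what sits on the disk: ciphertext plus one DDF per authorised user.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	DDFs       []DDF
}

// EncryptFile generates a random FEK, encrypts the data with it, and wraps the FEK
// for each recipient's public key. Only the recipients' public keys are used here.
func EncryptFile(plaintext []byte, recipients ...*User) (*EncryptedFile, error) {
	if len(recipients) == 0 {
		return nil, errors.New("an encrypted file needs at least one DDF")
	}
	fek := make([]byte, 32) // AES-256 key; the real FEK algorithm depends on the Windows version
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, u := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &u.Key.PublicKey, fek, []byte("FEK"))
		if err != nil {
			return nil, err
		}
		ef.DDFs = append(ef.DDFs, DDF{Owner: u.Name, EncryptedFEK: wrapped})
	}
	return ef, nil
}

// DecryptFile locates the caller's DDF, recovers the FEK with the private key, and
// decrypts the data. With no matching DDF, or the wrong private key, it fails.
func DecryptFile(ef *EncryptedFile, u *User) ([]byte, error) {
	for _, d := range ef.DDFs {
		if d.Owner != u.Name {
			continue
		}
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, u.Key, d.EncryptedFEK, []byte("FEK"))
		if err != nil {
			return nil, fmt.Errorf("cannot unwrap FEK for %s: %w", u.Name, err)
		}
		gcm, err := newGCM(fek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, fmt.Errorf("no DDF for %s", u.Name)
}

// newGCM builds the authenticated cipher used for the file data.
func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewUser("alice")
	bob, _ := NewUser("bob")
	ef, _ := EncryptFile([]byte("orders for the generals"), alice)
	fmt.Printf("raw disk bytes: %x...\n", ef.Ciphertext[:8])
	got, err := DecryptFile(ef, alice)
	fmt.Printf("alice: %q (err=%v)\n", got, err)
	_, err = DecryptFile(ef, bob)
	fmt.Printf("bob:   err=%v\n", err)
}
```

Each extra recipient adds one more DDF that wraps the same FEK, so the data is encrypted once no matter how many people can open it; removing a user's access is a matter of dropping that user's DDF, not re-encrypting the file.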
Protecting System Information with Syskey
EFS protects files on the hard disk against attack, but the storage location of the private keys for the EFS-protected files presents unique challenges for the system administrator.
As previously discussed, EFS files are encrypted with a FEK that is itself encrypted with the user's public key. The user must possess the corresponding private key to decrypt that data. During normal operation, that private key must obviously be stored somewhere on the hard drive—if it were stored only in protected volatile memory, EFS files would not be accessible once a computer was restarted.
The location of a user's private keys is not a big secret, although it is obfuscated to keep casual attackers away. The keys are stored in a protected key store database. These keys are all protected by a single key called a master key. Other keys used by the system for various cryptographic operations, called protection keys, are also stored in a similar fashion.
Because an attacker who is able to obtain the master key for a user's account can decrypt that account's stored private keys, the master key itself must be protected. To counter this type of attack, Microsoft provides a utility called Syskey.
When activated as shown later, the Syskey utility simply encrypts the private key store and the SAM using a 128-bit symmetric key called the system key, or syskey. The syskey must be read into system memory during boot to decrypt the SAM and private key store to allow the operating system to start. Without this information, the operating system itself cannot start and will fail. This is a minor benefit, as failure to boot may thwart lightweight attackers. Syskey also prevents offline attackers from copying the SAM and using brute force attacks against stored passwords.
One other very important piece of information protected by Syskey is the administrator's safe mode password. If you are unable to provide the information necessary for Syskey to start the operating system (in mode 2 or 3, described in this section), safe mode will not be available. This is done to ensure that data is not compromised by a specific attack against the safe mode password.
Summary
Security settings on files and folders can prevent unauthorized users from accessing data. Setting file security is appropriate for most files on the hard drive, as it adds no discernible overhead and works with little or no additional configuration. EFS protects files from intruders who have physical access to the hard drive (such as when it's stolen). Syskey provides strong protection against compromised computers, because it encrypts a great deal of the registry and helps stop an attacker from using the existing operating system. When configured correctly, the combination of file security, Syskey, and EFS helps to ensure that only authorized users may access data.
Chapter 5: Group Policy and Security Templates
Group Policy is one of the best features of Microsoft Active Directory. Introduced in Windows 2000, Group Policy provides a way for administrators to apply consistent configurations to groups of users and computers. Group policies can help you enforce your organization's written policies. For example, your company's security manual might require that all computers in the research department display a message when users log on, informing them of increased security monitoring in that department. Group Policy allows you to centrally configure, implement, and manage such a warning message, and apply it to the necessary computers.
One of the greatest security-related features of Group Policy is the ability to deploy security templates across an enterprise. Security templates, which I'll discuss throughout this chapter, make it possible to bundle an entire security configuration into a single file (the template). For example, you might create a security template for client computers in your organization and then use Group Policy to deploy the security template to the client computers. In this manner, you can centrally configure computers to have a consistent security configuration. You're assured that the configuration will be enforced, thus protecting your computers. Because templates can be centrally managed, you can update, revise, and improve your security configuration over time as required by your organization.
Group Policy has many other important benefits. These include its ability to configure logon and logoff scripts for users and computers, which allows you to run code on target computers that can perform any management or configuration operations you desire. Also, Group Policy has a useful though somewhat limited software distribution feature. While not nearly as robust as Microsoft's Systems Management Server (SMS), this feature can prove useful in deploying necessary software to your end users and servers.
In this chapter, I'll introduce you to Group Policy and show you how Group Policy can be used to enhance the security in your organization. I'll also introduce you to security templates and to the tools Windows Server 2003 provides to create and manage security templates. Keep in mind that Group Policy offers much broader functionality than just security, which is what I focus on in this chapter. If you'd like to learn more about Group Policy and its many other uses, refer to
What Is Group Policy?