Share via


Security Considerations for Administrative Authority

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
On This Page

The Focus of This Paper
Introduction
General Considerations
Operating System Security
Communications Security
Public Key Infrastructures
Applications Security
Security Management

The Focus of This Paper

Because it's impossible to discuss all the security responsibilities of the Administrative Authority in detail in a single paper, this paper provides an overview of the topic.

Throughout the paper, it is important to keep in mind two important facts:

  • The implementation of a security solution is always a trade-off between security and ease of use. Ease of use usually means less or even no security. Good security usually means no ease of use. It's a big challenge for every security architect to find the right balance between the two.

  • Security is everybody's responsibility. The creation of a secure IT environment is not just the responsibility of your organization's IT staff. Everyone in the organization has the responsibility to respect and implement the corporate security policies.

Introduction

All administrative authority related security solutions discussed in this paper can be implemented to provide or to support the following security services:

  • Confidentiality. This security service protects against unauthorized disclosure of information.

  • Authentication. This security service guarantees the origin of data and the identity of persons.

  • Availability. This assures that data or systems are available all the time independent of any external disturbance.

  • Integrity. This security service assures that information cannot be tampered with or at least that tampering can be detected.

The different security solutions can be categorized in the key areas listed below. These areas are covered in this paper:

  • General Considerations

  • Operating system security

  • Communications security

  • Applications security

  • Public key infrastructures

  • Security management

General considerations

This section covers critical security topics that affect all the other areas discussed later including operating system security, communications security, applications security, public key infrastructure, and security management. The topics are:

  • Security Policy

  • Intrusion detection

  • Security compromise action plan

OS security

A discussion on operating system security should cover all the security services implemented as part of the OS kernel. OS security is based on the following core services:

  • Authentication

  • Authorization

  • Auditing

Communications security

Communications security deals with the security (authenticity, confidentiality, integrity, etc.) of information while it is being transmitted across a communication channel. Communications security can be grouped into these categories:

  • Remote Access Security

  • Virtual Private Networking

  • Firewall Architecture

Public Key Infrastructures

In the future the administrative authority will have to deal with the impact of a Public Key Infrastructure on its IT environment. A PKI will become an integral part of the security infrastructure; it can provide strong security services to different types of applications.

Applications security

Applications security deals with the security aspects that are specific to an application. This also includes PKI-enabled applications.

Security Management

This section explores the general management approaches and Windows security management tools.

General Considerations

This section discusses general security topics that affect all the other areas discussed later. Topics include: the security policy, intrusion detection systems (IDS) and the security compromise action plan or business continuity plan.

Security Policy

A critical element of any security system or solution is the security policy. Because it is not directly related to information technology it is often forgotten or neglected by technical people.

The security policy is a document that outlines what can and cannot be done with the IT resources of your organization. The IT managers and general managers of your organization drive the creation of this high-level document.

Two approaches are taken when defining a security policy:

  • A prohibitive approach in which everything that is not explicitly permitted is forbidden.

  • A restrictive approach in which everything that is not explicitly forbidden is permitted.

Because of its complexity, many organizations call on external specialists for the creation of their corporate security policy. A good example of an IT security policy is available from the website of Murdoch University in Perth, Australia: https://wwwits2.murdoch.edu.au/security/policy.html

Intrusion detection

The goal of Intrusion Detections Systems (IDS) is to detect a hacker breaking into your corporate IT infrastructure or a legitimate user misusing your IT resources. Many organizations neglect the enemy inside: the legitimate user who is misusing, by accident or intentionally, your IT infrastructure. Recent studies in the FBI computer crime survey show that about 60 percent of the attacks is carried out by legitimate users.

An intrusion can be defined as any attempt to compromise the confidentiality, integrity, availability or authenticity of one of your corporate IT resources.

Intrusion detection tools fall into in two classes: audit tools and analysis tools. Audit tools detect misuses of any corporate IT resource; analysis tools detect deviations from normal system usage patterns. One of the tasks of an analysis tool is to analyze the audit trails.

A good IDS has a high availability, which means it is highly fault-tolerant. It runs in a completely transparent way without any performance impact on the computer systems.

Some well-known vendors of IDS products

Company

Product

Webpage

Cisco Systems

Cisco Secure IDS

https://www.cisco.com

Internet Security Systems

RealSecure

https://www.iss.net

RSA security

Kane Security Analyst

https://www.rsa.com

Cybersafe

Centrax

https://www.cybersafe.com

Security Compromise Action Plan and Business Continuity Plan

Two other key documents are the security compromise action plan and the business continuity plan. They are closely related and, in most organizations, are bundled in one document. They describe what must be done when the security of some of your corporate IT resources is compromised. They answer questions such as:

  • What are the actions taken following a hacker attack on the corporate website?

  • What are the actions taken following a serious hardware failure on one of your critical Windows 2000 domain controllers?

  • What happens when an employee steals corporate data and sends them out to one of your competitors?

  • What happens with the corporate IT infrastructure after a major disaster such as a fire or a flood?

Operating System Security

Authentication

Authentication answers the questions "Who is the system talking to?" and, in the case of mutual authentication, "What system is the user talking to?"

Some authentication-related tasks for the administrative authority include:

  • Evaluate the available authentication protocols in Windows 2000. What are the protocols' weaknesses and strengths? How can Windows 2000 authenticate logons and resource requests of legacy clients? The Windows 2000 authentication protocols are discussed in the next paragraph.

  • Evaluate the credential (user IDs and passwords) quality: the corporate password policies, the way authentication credentials are stored, and the way those authentication credentials are administered and updated.

  • Evaluate whether the current authentication methods are interoperable with the Windows 2000 authentication protocols (for example, Kerberos, NTLM, DPA, or Secure Channel).

  • Evaluate the need for Single-sign in your corporate IT environment. You must take into account the different operating systems in use within your organization and their associated authentication methods and protocols (NetWare, OS/2, UNIX, PathWorks, AS/400, Linux). Also consider the different authentication scopes: intranet (LAN), extranet, and internet authentication. Pay special attention to browser security.

Authentication protocols

Different authentication protocols available in Windows 2000 and their strengths and weaknesses

Authentication protocol

Strengths and Weaknesses

NTLM

Pros:
Low administration overhead
Challenge-response based
Supported on Windows 95, 98, 2000 and NT4

 

Cons:
Cannot be used for authentication across a firewall
Needs pass-through authentication
Does not support delegation forwarding
Needs online Key Distribution Center (DC)
Uses symmetric key cryptography
Proprietary Microsoft protocol

Kerberos

Pros:
Can be used for authentication across a firewall
Supports delegation forwarding
Supports mutual authentication
Open standard
Low administration overhead

 

Cons:
Needs online Key Distribution Center (DC)
Uses symmetric key cryptography
Only supported in Windows 2000

Kerberos PKINIT

Pros:
Uses asymmetric key cryptography
Support secure storage of credentials (smart card)
Open standard
Mutual authentication

 

Cons:
Requires the deployment of additional hardware
Administration overhead (smart card maintenance)

Certificate-based authentication (SSL-TLS)

Pros:
Scalability
Uses asymmetric key cryptography
Possibility for mutual authentication
Can be used for authentication across a firewall

 

Cons:
Administration overhead (certificate maintenance)

Digest Authentication

Pros:
Can be used for authentication across a firewall
Based on digest function
Open standard

 

Cons:
Limited support so far (only latest Microsoft products)

Basic Authentication

Pros:
Simple setup
Can be used for authentication across a firewall

 

Cons:
No credential protection

Authentication scopes

Available authentication methods for the different authentication scopes: intranet, extranet and Internet

Authentication Scope

Available Authentication methods

Intranet (LAN)

Kerberos-Kerberos PKINIT

Extranet (MAN-WAN)

SSL-TLS, Digest, Basic authentication, Anonymous

Internet (WAN)

SSL-TLS, Digest, Basic authentication, Anonymous

Single sign-on (SSO)

In a Windows 2000 environment two authentication technologies can be considered for Single sign-on (SSO): Kerberos and PKI.

So far only Kerberos can be considered a mature single sign-on solution. Implementations of Kerberos from different vendors are available on different platforms. Although this is also true for PKI, PKI is not yet widely regarded as a mature solution for single-sign on for operating systems. PKI is already accepted as a SSO solution for applications. Two PKI-related products that are worth evaluating in the SSO space are the products from Diversinet ( https://www.dvnet.com ). PKI is discussed later in this paper.

Authorization/Access Control

Authorization answers the questions "Can a user access the resources available on a computer system?" and "How can the user access the resources?" Resources can be anything from files to printers and modems. Authorization raises the following security-related tasks for the administrative authority:

  • Evaluate the way access control settings are administered.

  • Evaluate the way the organization manages its resources: centralized or decentralized.

  • Related to the previous topic: Evaluate the use of or the needs for administrative delegation. Windows 2000 includes extended support for administrative delegation.

  • Evaluate the way authorization data are maintained and backed up.

  • Because many organizations use more than just one operating system, access control settings interoperability should be evaluated. For example: how do you deal with access control interoperability between Windows 2000 and Netware? Or between Windows 2000 and SAMBA?

The latest trend in access control is attribute certificates. These are certificates with a short lifetime that are dedicated to access control. Organizations considering the deployment of a PKI might as well consider attribute certificates.

Auditing

The purpose of auditing is to gather all security-related information occurring on a computer system. Auditing provides a way to analyze the correct or incorrect usage of a computer system. Auditing brings up the following security-related tasks for the administrative authority:

  • Evaluate the way auditing can be implemented. Similar to access control? Centralized or decentralized?

  • When auditing is implemented in a centralized way you must look at ways to consolidate log and audit information.

  • Evaluate the different solutions and technologies that are available for auditing purposes.

Windows 2000 comes out-of-the-box with two OS auditing tools: the Event View and the Security Configuration and Analysis tool (SCA). Advanced OS auditing tools are available from other software vendors.

Communications Security

RAS security

Remote access security (RAS) assures that users can access the resources of a corporate domain in a secure way, using a telephone connection, using POTS or ISDN lines. RAS brings up the following security related tasks for the administrative authority:

  • The design of RAS security solution requires a solid understanding of how RAS is implemented. You must evaluate and decide on which products and providers are involved and who will administer and maintain the RAS solution.

  • Evaluate the use of a specialized triple-A (authentication, authorization, auditing) RAS security protocol, such as RADIUS or TACACS.

  • Evaluate how RAS security architecture interacts with other security elements, such as firewalls, content checking software, virtual private networking solutions, authentication systems, authorization systems, etc.

Virtual Private Networking

Using a Virtual Private Network (VPN), an organization can ensure secure networking over an untrusted communication channel, such as the Internet. Virtual Private Networking brings up the following security related tasks for the administrative authority:

  • Evaluate the reasons to implement a VPN:

    • Communication cost reduction

    • Advanced security

  • Decide where the VPN solution should be implemented.

  • Determine the primary security requirements for the VPN: data confidentiality, integrity or simply data or entity authentication.

  • Evaluate the different ways a VPN designs:

Voluntary versus compulsory tunneling

Gateway versus tunnel VPN

Dial-up, site-to-site versus secure intranet

  • Evaluate the features and strengths of the different VPN protocols. Check the following for the different solutions:

    • Tunneling protocol (for example, IPSec)

    • Carrier protocol (for example, IP)

    • Passenger protocol (for example, TCP)

    • Encapsulation protocol (for example, ESP, AH)

    • Decide which Microsoft and third party products can be involved.

    • Evaluate the way the VPN solution will be administered and maintained.

    • Evaluate how the VPN architecture interacts with other security elements, such as firewalls, content checking software, remote access security solutions, authentication systems, authorization systems, and auditing systems.

Firewall Architecture

A firewall secures the communication links between a trusted and an untrusted network. The firewall architecture raises the following security related tasks for the administrative authority:

  • Decide where the firewall solutions should be implemented: within the corporate intranet, or between the intranet and the Internet.

    Decide which types of firewalls will be implemented.

    • Packet filters

    • Application gateways (proxies)

    • Stateful inspection solutions

  • Evaluate how the firewall policy will be defined. Which are the most important policy rules?

  • Evaluate the firewall architecture that will be used. Do you need a Demilitarized Zone (DMZ)? Which servers will be on the DMZ? Which types of firewalls will safeguard the entry points to the DMZ?

  • Evaluate how the firewall architecture interacts with other security elements, such as VPNs, remote access security solutions, content checking software, authentication systems, authorization systems, and auditing systems.

  • Decide which firewall products will be involved.

  • Decide who will administer the firewall solution and how it will be done.

  • Evaluate the impact on the firewall architecture and the firewall policies of running Windows 2000.

Public Key Infrastructures

Planning for a public key infrastructure brings up the following security-related questions for the administrative authority:

  • Where will the Certificate Servers (CAs) be located?

  • Will the CAs be integrated with the Active Directory?

  • How will PKI trust relationships be organized?

  • How will the CA hierarchies be built?

  • Where do you need a cross-certification between hierarchies?

  • Will there be trust relationships between CAs using different CA software?

  • Will the client in-source or out-source part or all of the PKI administration tasks?

  • Will the client use Microsoft Certificate Server products or third-party products (Entrust, Verisign, ID2, Baltimore, Utimaco)?

    Which of the following applications will use the PKI infrastructure:

    • S/MIME (secure Exchange or Internet mail)

    • Secure Web applications (SSL, TLS)

    • Code Signing applications (Authenticode)

    • Smartcard Logon

    • IPSec (Tunneling protocol)

    • Encrypting File System (NTFSv5)

  • How is the PKI administered?

  • How can the PKI interoperate with other PKI products?

  • Does your PKI solution adhere to the PKI standards? (PKINIT, PKCS, RFC 2459)

  • How do PKI and Kerberos work together?

Applications Security

General application security considerations

In this section, the administrative authority should look at the security settings of the organization's core applications. It should identify how the access to each application's code and resources are defined. These questions should be asked:

  • What authentication mechanisms are and can be used?

  • How is access to the application's code and resources defined?

PKI-enabled applications

Applications security also includes the planning for PKI-enabled applications:

  • Smart card logon

  • EFS

  • S/MIME

  • Secure Channel, etc.

Security Management

When discussing the administrative model, you must examine different organization aspects: the business structure, the geographical locations (sites), the placement of Help Desk and operations staff, and the existing security model. You should focus on the way security administration can be organized:

  • Centralized or distributed security administration?

  • Which administration tools can be used: Windows 2000 tools and third-party tools?

Centralized versus Decentralized

When deciding which administration model will be used it is critical that you obtain an outline of your support, operations, and administration practices. This should include a specification of the geographical locations, the level of delegation of administrative rights and the administrative roles (account operators, backup and other operators, etc.). Determine if one central group manages the whole organization, or if each part of your organization has its own infrastructure. Also check which groups have which level of expertise in Microsoft Windows 2000 technologies. More specifically, consider the following:

  • List all the possible administrators' roles in the organization

  • Determine if the client delegates administrative tasks to local administrators

  • Determine how many levels of administration exist (central, regional, local)

Administration Tools

Determine what tools (OS standard and third party tools) are used to manage the existing environment. It is important that you understand the tool's features and check to see if similar functionalities are available with the Windows 2000 tools.

The table below provides an overview of the Windows 2000 security administration tools shipped with the Windows 2000 resource kit. It not only includes Microsoft security administration tools, but also some third-party tools.

Microsoft security administration tools

 

OS Security: Authentication

 

Kerbtray

Kerberos Tray is a GUI tool that displays ticket information for a computer running the Kerberos protocol.

Klist

Kerberos List is a command-line tool that enables you to view and delete Kerberos tickets granted to the current logon session. To use this tool, and see any tickets, your Windows 2000 computer must be joined to a Windows 2000 domain.

Dommon

Domain Monitor monitors the status of servers in a domain and the secure channel status to the domain controller and to domain controllers in trusted domains. Domain Monitor displays the domain controller name and a list of trusted domains, plus various status errors.

Getsid

GetSID compares the user security IDs (SIDs) of two accounts. You can use it to compare account SIDs between a primary domain controller and backup domain controller when you suspect user database corruption.

Setspn

This command-line tool allows you to manage the Service Principal Names (SPN) directory property for an Active Directory directory service account. SPNs are used to locate a target principal name for running a service. SetSpn allows you to view the current SPNs, reset the host SPNs, and add or delete supplemental SPNs.

OS Security: Access Control

 

Appsec

The Application Security tool is a GUI-based application that allows an administrator in a multi-user environment to restrict the access of ordinary users to a predefined set of applications on the network. Enabling application security using this tool will cause the system to reject any attempts by ordinary users to execute a program that they are not authorized to use.

Showpriv

ShowPriv is a command-line tool that displays the users and groups granted a particular privilege. This tool must be run locally on the target computer or on a domain controller to display users and groups with domain privileges.

Svcacls

This command-line tool sets access control lists (ACLs) on service objects, enabling administrators to delegate control of services.

Enumprop

This command-line tool dumps all properties set on any directory service object. Using EnumProp, you can display the security descriptor or list only a given set of attributes for an object.

Global

This command-line tool displays members of global groups on remote servers or domains.

Grpcpy

This GUI-based tool enables users to copy the user names in an existing group to another group in the same or another domain or on a computer running Microsoft Windows 2000.

Local

This command-line tool displays members of local groups on remote servers or domains.

ntrights

With this command-line tool, you can grant or revoke any Windows 2000 right for a user or group of users on a local or remote computer. You can also place an entry in the computer's event log noting the change.

permcopy

This command-line tool copies share (Full Control, Read, Change) and file (Full Control, Modify, Read & Execute, Read, Write, Traverse Directory) level permissions (ACLs) from one share to another.

perms

Perms displays a user's access permissions for a specified file or set of files.

showacls

This command-line tool enumerates access rights for files, folders, and trees. It allows masking to enumerate only specific ACLs.

showgrps

This command-line tool shows the groups to which a user belongs, even within a given network domain.

subinacl

With this command-line tool, administrators can obtain security information on files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

showmbrs

This command-line tool shows the user names of members of a given group, even within a given network domain.

Usrtogrp

This command-line tool adds users to a local or global group according to information contained in a user-specified input text file.

xcacls

This tool allows you to set all file-system security options accessible in Windows Explorer from the command line. XcAcls does this by displaying and modifying the access control lists (ACLs) of files.

OS Security: Auditing

 

Auditpol

AuditPol is a command-line tool that enables the user to modify the audit policy of the local computer or of any remote computer. To run AuditPol, the user must have administrator privileges on the target computer.

Dumpel

Dump Event Log is a command-line tool that dumps an event log for a local or remote system into a tab-separated text file. This tool can also be used to filter for or filter out certain event types.

Logevent

This tool enables you to make entries to the Event Log on either a local or remote computer from the command prompt or a batch file.

Communications Security

 

Iasparse

This command-line tool parses Internet Authentication Service (IAS) and remote access server logs and converts them into a readable format. The log file generated both these services is very cryptic and is difficult for ordinary users to understand.

ipsecpol

This command-line tool configures Internet Protocol Security (IPSec) policies in the directory service, or in a local or remote registry. It does everything that the IPSec Microsoft Management Console (MMC) snap-in does, and is even modeled after the snap-in.

Public Key Infrastructure

 

Dsstore

This tool assists in managing Enterprise Public Key Integration. It includes functionality necessary for several deployment scenarios.

Efsinfo

This command-line tool displays information about files and folders encrypted with Encrypting File System (EFS) on NTFS partitions.

Third-party tools

 

System Scanner

System Scanner for Windows is a security assessment solution for Microsoft Windows 2000, Microsoft Windows NT version 4.0, Microsoft Windows 95, and Microsoft Windows 98.

CyberSafe Log Analyst

CyberSafe Log Analyst is a Microsoft Windows 2000 Security Event Log analysis tool. Designed as a snap-in to the Microsoft Management Console (MMC) used with Windows 2000, the CyberSafe Log Analyst assists you in organizing and interpreting security event logs from Windows 2000, providing more effective, system-wide user activity analysis.

Tru Access manager Lite

TRU Access Manager Lite is a comprehensive network accounting application developed by Telco Research that lets you track and report use of your network by users and/or workgroups.

Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Microsoft is either a registered trademark or a trademark of Microsoft in the United States and/or other countries.