Securing .NET Server Tips and Tricks Guide To Roberta Bragg

Securing .NET Server Tips and Tricks Guide To Roberta Bragg
realtimepublishers.com
tm
Tips and Tricks Guide To
tm
Securing .NET Server
Roberta Bragg
Volume 2
Note to Reader: This book presents tips and tricks for eight Windows .NET Server security
topics. For ease of use, the questions and their solutions are divided into chapters based on topic,
and each question is numbered based on the chapter, including:
•
Chapter 1: Understanding and Utilizing PKI in .NET
•
Chapter 2: Securing Web Services and Web Servers—the Administrative Perspective
•
Chapter 3: Understanding Active Directory Foundations
•
Chapter 4: Fulfilling the Promises of Group Policy
•
Chapter 5: Administrative Authority
•
Chapter 6: Triple A’s—Authentication, Authorization, and Audit
•
Chapter 7: Remote Access
•
Chapter 8: Security Tools, Mechanisms, and Emerging Issues.
Chapter 1: Understanding and Utilizing PKI in .NET.....................................................................1
Q 1.2: Developing a public key infrastructure using Windows Certificate Services seemed like
the way to go until I discovered that there is no auto enrollment. Do you expect that users will be
able to obtain certificates on their own? ..........................................................................................1
Quick Steps to Auto Enrollment ..........................................................................................2
Chapter 2: Securing Web Services and Web Servers—the Administrative Perspective.................9
Q 2.2: I keep hearing about the new NetworkService account in Windows .NET Server.
Microsoft says that this account is less privileged than the Local System account but doesn’t
explain what that means. Any ideas?...............................................................................................9
What Can the NetworkService Account Do? ....................................................................10
What Can the Local System Account Not Do? .................................................................10
Chapter 3: Understanding Active Directory Foundations .............................................................12
Q 3.2: Help! We have a large, multidomain forest that contains thousands of users, and we use
universal groups extensively to provide access to resources. We also have many small branch
offices that have only a handful of users each. Because the Global Catalog server must be
accessed at logon to determine membership in universal groups, all users at branch offices access
Global Catalogs across the WAN even though they have a domain controller locally. If I make
the domain controllers at these branch offices Global Catalog servers, I’ve increased the
replication traffic by an unacceptable amount. Does Windows .NET Server have an answer?....12
Win2K Branch Office Solutions........................................................................................14
.NET Universal Group Membership Caching ...................................................................16
Chapter 4: Fulfilling the Promises of Group Policy ......................................................................18
Q 4.2: How can I prevent users from running tools that they should not run?..............................18
Setting Restrictive File Permissions ..................................................................................18
Removing Executables.......................................................................................................18
Using Software Restriction Policies ..................................................................................18
i
Volume 2
A Simple Policy to Restrict Tool Use................................................................................19
Creating a Simple Software Restriction Policy .....................................................20
Testing the Policy ..................................................................................................22
Examining the Policy for Holes.............................................................................22
Certificate Rules.................................................................................................................23
Trusted Publishers..................................................................................................24
Moving On .........................................................................................................................24
Chapter 5: Administrative Authority .............................................................................................26
Q 5.2: I seem to have locked out the Administrator account in the domain. I can no longer log on
to the domain using this account. What should I do? ....................................................................26
Chapter 6: Triple A’s—Authentication, Authorization, and Audit ...............................................28
Q 6.2: I am tasked with tracing logon behavior across our Windows .NET forest and would like
some help understanding the difference between the Audit categories Audit Account Logon and
Audit Logon. What is the difference?............................................................................................28
Logon Events .....................................................................................................................29
Tracing a User’s Logon and Logoff Events.......................................................................30
Chapter 7: Remote Access .............................................................................................................34
Q 7:2: What is the Session Initiation Protocol? .............................................................................34
Internet Engineering Task Force RFC SIP Security ..........................................................35
Message Integrity, Authorization, and Authentication ..........................................35
Message Privacy ....................................................................................................35
Route Privacy.........................................................................................................36
Identity Privacy......................................................................................................37
Miscellaneous Uses of Cryptography ................................................................................37
Microsoft Implementation .................................................................................................38
Chapter 8: Security Tools, Mechanisms, and Emerging Issues.....................................................40
Q 8.2: Managing multiple Windows boxes is like herding cats. It’s hard to keep up with which
systems have up-to-date patches and which still need them. How can I figure this out?..............40
Analyzing the Analyzer: MBSA Internals.........................................................................40
Understanding Prerequisites ..................................................................................41
Getting Secure the MBSA Way.............................................................................42
Now What? ............................................................................................................44
ii
Volume 2
Copyright Statement
© 2002 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that
have been created, developed, or commissioned by, and published with the permission
of, Realtimepublishers.com, Inc. (the “Materials”) and this site and any such Materials are
protected by international copyright and trademark laws.
THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice
and do not represent a commitment on the part of Realtimepublishers.com, Inc or its web
site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be
held liable for technical or editorial errors or omissions contained in the Materials,
including without limitation, for any direct, indirect, incidental, special, exemplary or
consequential damages whatsoever resulting from the use of any information contained
in the Materials.
The Materials (including but not limited to the text, images, audio, and/or video) may not
be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any
way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify
or obscure any copyright or other proprietary notice.
The Materials may contain trademarks, services marks and logos that are the property of
third parties. You are not permitted to use these trademarks, services marks or logos
without prior written consent of such third parties.
If you have any questions about these terms, or if you would like information about
licensing materials from Realtimepublishers.com, please contact us via e-mail at
[email protected]
iii
Volume 2
Chapter 1: Understanding and Utilizing PKI in .NET
Q 1.2: Developing a public key infrastructure using Windows
Certificate Services seemed like the way to go until I discovered that
there is no auto enrollment. Do you expect that users will be able to
obtain certificates on their own?
A: Enrollment of thousands of users is no picnic. Windows .NET Server makes this process
easier—automatic enrollment is possible with Windows .Net Certificate Services. Automatic
enrollment means that users do not have to learn about certificates, nor about how to obtain one.
It also means that re-enrollment can be transparent as well. However, you must configure auto
enrollment for each type of certificate you intend to distribute. This requirement is a good thing,
as you may not want all certificates distributed in this manner. It does, however, mean more
planning and administrative work must be done.
The first step is to determine which certificates should be automatically distributed. For our
example, we’ll use the ordinary User certificate. This certificate can be used for authentication,
email encryption, and the Encrypting File System (EFS). To provide User certificates that can be
auto enrolled, you must create a new type of certificate template—a Version 2 certificate
template—and configure it for auto enrollment.
Windows 2000 (Win2K) Enterprise Certificate Services use Version 1 standard templates, and
although a variety of templates exist, it is not possible to customize templates. Windows.NET
Certificate Services can use Version 1 and Version 2 templates, and Version 2 templates are
customizable. You create customized Version 2 templates by copying Version 1 templates, then
modifying them. After you’ve created and modified a template to suite your business needs, you
can use the template to create certificates using the typical end-user or enrollment-agent
enrollment process. Templates modified to allow auto enrollment will be automatically issued to
new users. Such templates can also be used to automatically replace expiring Version 1
certificates, or even be quickly pushed out to replace existing certificates.
In addition to auto enrollment, other template modifications are possible. Choices for
customization are not endless, but you can add to and modify many aspects of a template,
including
•
Customization of enrollment policies (who can enroll who)
•
Certificate authorization (who can authorize a certificate issuance)
•
Domain authentication (which domain contains the user’s account)
•
Certificate administrator (who manages the Certificate Authority—CA)
•
Enrollment agent signed (which enrollment agent is used)
•
Key creation (where keys are created and how)
•
Key type and Cryptographic Service Provider (CSP) type (which key and which CSP will
be used)
•
Certificate contents (what information will be included in the certificate)
1
Volume 2
•
Validity, issuance, and application policies and key usages (what can the certificate be
used for)
•
Key archiving (can the key be automatically archived)
0 To create Version 2 templates, you must use a.NET Enterprise Server. In addition, only.NET and
Windows XP are able to utilize certificates created with Version 2 templates.
Modifying templates is not difficult, but there are some requirements. You should spend some
time evaluating your template requirements as part of your plan for your public key
infrastructure (PKI) design. The following considerations might impact the design:
•
If you require modified templates, your design must include a .NET Enterprise CA
installed on a.NET Enterprise Server.
•
Although you might have mixed CA hierarchies consisting of Win2K and.NET servers,
only.NET and Windows XP computers can utilize Version 2 certificates and the
advanced features they offer.
Quick Steps to Auto Enrollment
Before you can modify templates, you must set up a.NET CA. The CA is responsible for issuing
certificates. Although an offline root CA is not required, best practices include establishing a
standalone root CA that you keep offline and physically secured. Although PKI designs will
vary, at least one .NET Enterprise subordinate CA should be established to manage Version 2
certificates. An Enterprise CA is integrated with Active Directory (AD). I’m going to assume for
the moment that you either understand how to set up Certificate Services or that you already
have a pristine.NET CA in a test environment to experiment with. To prepare User certificates
for auto enrollment you have only to do the following:
1. Log on as an Enterprise Administrator or as a member of Domain Admins in the root
domain in the forest.
2. Load the new certificate template snap-in either by opening it in an empty Microsoft
Management Console (MMC). Alternatively, you can click Start, Run, then type
certtmpl.msc
Or you can right-click the Certificate Templates folder in the Certificate Authorities
console, and select Manage, as Figure 1.2 illustrates.
2
Volume 2
Figure 1.2: .NET provides the new Certificates Templates MMC console.
3. To create a Version 2 template, you must copy a Version 1 template. To do so, right-click
the template you want to copy, and select Duplicate Template from the resulting menu.
4. A copy of the template is made and its property pages displayed. Change the template
display name (which automatically changes the template name). This opportunity is the
only one you will have to do so. After you’ve saved the new template, you can’t change
the template’s name. In Figure 1.3, the User template has been copied and renamed
User2.
)
You can also make other changes at this time on the various property pages. You can modify the
validity period, renewal period, and storage location of the certificate on the General tab.
0 Caution should be taken not to change the validity period to exceed the lifetime of the CA ticket.
No changes are made in our example.
3
Volume 2
Figure 1.3: Changing the template’s display name.
5. Select the Request Handling tab, which Figure 1.4 shows. Because the certificate can be
used for EFS, it is tempting to select Archive subject’s encryption private key check box.
However, many other steps must be taken to make this choice usable. In addition to
creating a certificate template that allows this, a key recovery agent must be appointed
and enrolled and the CA must be configured. We’ll leave the check box clear for this
example. Other adjustable items on this tab are key size, CSP, permission to export the
private key, and the requirement for user input (for example, confirmation that a user
wants a certificate) during auto enrollment.
4
Volume 2
Figure 1.4: The Request Handling tab.
6. View, but do not change, the Issuance Requirements tab, which Figure 1.5 shows. On this
tab, you can require approval before certificate issuance. However, requiring approval
before auto enrolment is a little counter-productive.
Figure 1.5: The Issuance Requirements tab.
5
Volume 2
7. Select the Superseded Templates tab, which Figure 1.6 shows. On this tab, click Add to
add the user Version 1 template to the Superceded window. (Superceded templates are
templates that this new template will replace automatically.) In my design, I want only
the User2 template to be used, so I have indicated that the User2 template supersede the
User template. In another design, one in which both .NET or Windows XP and Win2K
systems coexist, leaving the User template available makes more sense. Win2K systems
cannot use Version 2 templates but might need to be able to enroll User certificates.
0 Be very careful in your design—if you intend, for example, to require key archival for certificates that
can be used for EFS, Win2K clients must not be able to obtain an EFS certificate at all. Neither the
EFS Version 1 nor User Version 1 templates can be configured for key archival, and Win2K cannot
use Version 2 templates.
Figure 1.6: Identifying templates for the new template to supersede.
8.
Select the Security tab, which Figure 1.7 shows. Select the group or groups that should
use auto enroll for this template. In my scenario, I want Domain Users to auto enroll;
however, your design might require you to create a special group. .NET, like Win2K,
uses the discretionary access control lists (DACLs) set on certificate templates to
determine who can manage or obtain a particular certificate type. .NET uses the auto
enroll DACL to determine whether a group of users or computers should auto enroll the
certificate.
6
Volume 2
Figure 1.7: You must modify template DACLs to determine who will auto enroll.
9. Click OK to save the template, then close the Certificate Templates console.
10. Open the Certification Authority console.
11. Right-click Certificate Templates, select New, then select Certificate Template to Issue.
In the resulting window, which Figure 1.8 shows, select the User2 template, then click
OK.
Figure 1.8: The certificate must be enabled for each CA that will issue it.
7
Volume 2
12. If you would like to replace current User certificates with User2 certificates, right-click
the Certificates container, and select Re-enroll All Certificate Holders.
0 Before you replace certificates, be aware of the capabilities of the certificate you may be replacing.
For an example of what you don’t want to happen, look no further than EFS. When a new certificate is
issued, subsequent files will be encrypted using the new certificate, but what about those already
encrypted? The old private key will still be needed to decrypt those files. Changing a certificate has
ramifications beyond the simple act of modifying the certificate and superceding an older one. You
must carefully consider all sides of the issue.
For more information about PKI enhancements in .NET Server and Windows XP Pro, check out
http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/whatsnew.asp.
8
Volume 2
Chapter 2: Securing Web Services and Web Servers—the
Administrative Perspective
Q 2.2: I keep hearing about the new NetworkService account in
Windows .NET Server. Microsoft says that this account is less
privileged than the Local System account but doesn’t explain what
that means. Any ideas?
A: Most services in Windows 2000 (Win2K) run under the Local System or SYSTEM account.
Thus, they operate with 21 security privileges. Services, then, can do just about anything,
whether they need to or not. Because of this power they often attract privilege escalation attacks
that are successful. If an attacker can break the service, the attacker might be able to run code
under the security context of the operating system (OS), and thus fully own that system.
Microsoft has long indicated that best practices require services to run under the least privileged
account possible but has not provided much help for those who want to restrict the services that
Microsoft provides. The NetworkService and LocalService accounts are two new accounts in
Windows XP and Windows .NET Server that are suitable for use by many services. (For
information about the Local System approach vs. .NET’s approach, see the sidebar “Privilege
Best Practices.”)
One of the prime candidates for the NetworkService account is IIS 6.0. In .NET, IIS will install as a
static Web server, and requires very few privileges to run. Expectations are that Web masters that
require additional abilities will add the abilities as they are needed and adjust the privileges of the
service account if necessary. This administrative method is an about-face from the traditional
Microsoft everything-is-on out-of-the-box configuration.
If the two accounts have the same privileges, why are there two? The answer lies in how the OS
makes use of each. A service running in the security context of the LocalService account will
access a remote system anonymously. Let’s pretend that a service running on computer
LocalDesk attempts to connect to a network share on FileSrv2. If anonymous privileges are
appropriately curtailed on the remote system, access will be denied. If we change the account
assigned to the service to NetworkService and attempt to access the same share, we might
succeed because the service is now accessing the remote system FileSrv2 as the local computer
LocalDesk. If the computer account LocalDesk has been give appropriate privileges on the share
on FileSrv2, it will be able to connect.
These conditions help to set some guidelines for the use of these new accounts. If a service does
not need network access privileges, use the LocalService account. If it does, use
NetworkService.
9
Volume 2
Privilege Best Practices
It’s difficult to think rationally about this topic. On one hand, everyone can understand that running a
service with an account that only has the privileges it needs is a good thing. It follows the security dictum
of least privilege. On the other hand, creating and maintaining a large number of accounts—one for each
service—could be an administrative nightmare. Although creating the account and assigning privileges
could be a function of the service installation, how can passwords be easily maintained? I can understand
why using Local System seemed to be easy, but I believe it has contributed to the problem. After all,
processes running with bloated privilege assignments eventually expand their operations to include the
use of those privileges, and therefore make it harder to replace the Local System account with a less
privileged account—no one knows anymore what the process really needs. .NET‘s approach is long
overdue. Less privileged, yet default, accounts are present, and services can be designed around their
use.
What Can the NetworkService Account Do?
In Writing Secure Code (Microsoft Press, 2001), David LeBlanc and Michael Howard report
four privileges for both accounts: SeSystemtimePrivilege, SeAuditPrivilege,
SeChangeNotifyPrivilege, and SeUndockPrivilege. In an April 2002 Microsoft TechEd session,
five privileges were identified. This disparity is not at all uncommon in a product under
development. It is sufficient to say that the number of privileges for these accounts lies far shy of
those of Local System. An explanation of NetworkService’s account privileges as identified at
the April TechEd session is shown in Table 2.1.
Privilege
Discussion
Required for
IIS?
SeAuditPrivilege
Required to generate audit log entries.
Yes
SeIncreaseQuotaPrivilege
Required, along with
SeAssignPrimaryTokenPrivilege to access a process
token and create a new process that uses the
security context of the user of the other process—
possibly resulting in a privilege escalation.
Required for
Common
Gateway
Interface (CGI)
programs
SeAssignPrimaryTokenPrivilege
Required, along with SeIncreaseQuotaPrivilege, to
access a process token and create a new process
that uses the security context of the user of the other
process—possibly resulting in a privilege escalation.
Required for
CGI programs
SeChangeNotifyPrivilege
This privilege lets a user receive notification of
changes to files and directories. It is used to bypass
directory traversal checks and for NTFS optimization.
Yes
SeUndockPrivilege
Required to remove a computer from a docking
station.
No
Table 2.1: Explanation of the NetworkService account’s privileges.
What Can the Local System Account Not Do?
Everyone complains that the Local System account has too many privileges to be used to run any
service. It is true that this account essentially operates as the OS and has more privileges than the
Administrator account. But is it all-powerful? Let’s consider what it can’t do. It can’t shut down
remote systems. This inability makes sense—what business would it have shutting down remote
systems? It also can’t create a new computer account, synchronize directory service data, or
10
Volume 2
enable computer or user accounts for delegation. If these limitations seem strange to you, look
closely. In every case, these privileges have a more global effect. In other words, they allow
management of systems in the domain, and this ability exceeds the security boundary of the local
computer. In its own realm, Local System is still the most powerful account.
Finding the privileges of a running process is not something you will find listed in the application
documentation. The reason is that the process runs in the security context of the user account that is
running it. Services, of course, run in the security context of the account used to log on the service
during startup. If these accounts are standard OS accounts, you might be able to find a list of
privileges assigned to them in Microsoft’s documentation. If you would like to find out the privileges in
real time, you can compile and run the Token Monitor application provided in Writing Secure Code.
11
Volume 2
Chapter 3: Understanding Active Directory Foundations
Q 3.2: Help! We have a large, multidomain forest that contains
thousands of users, and we use universal groups extensively to
provide access to resources. We also have many small branch offices
that have only a handful of users each. Because the Global Catalog
server must be accessed at logon to determine membership in
universal groups, all users at branch offices access Global Catalogs
across the WAN even though they have a domain controller locally. If
I make the domain controllers at these branch offices Global Catalog
servers, I’ve increased the replication traffic by an unacceptable
amount. Does Windows .NET Server have an answer?
A: Windows .NET Server does provide a better way to handle this problem. To understand why
Microsoft developed .NET’s solution and when it should be used, you must understand the
relationship between authentication, universal groups, native mode, and Global Catalog (GC)
servers in Windows 2000. Win2K universal groups can exist only in native-mode domains.
Universal groups can have as members any user from any domain in the forest, from any other
universal group, and from any global group from any domain in the forest. Universal groups can
be granted access to any resource in the forest. They often serve as collections of global groups
from multiple domains. Thus, any resource can, with the inclusion of a single access control
entry (ACE), provide access to large numbers of users. This functionality simplifies
administration of resources and reduces the size of the discretionary access control list (DACL)
on any one object, as Figure 3.7 illustrates. In the diagram, the ForestPrinters universal group is
granted the right to print to printers located in domains A, B, and C. The ForestPrinters group has
as members three global groups: Aprinters, Bprinters, and Cprinters. Each of the three groups
consists of users from the respective domains.
12
Volume 2
Figure 3.7: Use of the universal group ForestPrinters reduces the number of ACEs in a DACL.
When Nancy, a user in domain C, logs on to the domain controller in domain C, her membership
in any universal groups must be determined. This information is determined by querying the GC
server. In this forest, the available GC server is a domain controller in domain A. The group
security IDs (SIDs) of the groups Nancy is a member of, including the ForestPrinters group,
become part of the information in the Kerberos tickets returned to her computer and can be used
to create access tokens. This activity is transparent to Nancy. If everything works as designed,
Nancy gets her desktop and is able to compose documents, print them, and do other jobs.
A problem can occur, however, if Nancy works in a branch office and there is no domain
controller from her domain present in her branch office. If such is the case, to complete her log
on, her computer must be able to access a domain controller and a GC across the WAN. Figure
3.8 illustrates this process. In step 1, Nancy’s computer will contact the domain controller
located at headquarters. In step 2, the domain controller contacts the GC to determine Nancy’s
universal group membership. Finally, in step 3, the information is returned to Nancy’s computer
as part of a Kerberos ticket. If the WAN link is down, Nancy’s computer will not be able to
reach the domain controller or the GC server. She will not be able, therefore, to be authenticated
by the domain controller or obtain current information about her membership in and groups,
including universal groups. She can, of course, log on with cached credentials, but might then be
limited in her ability to access network resources. Cached credentials may be out of date and,
thus, not provide correct information to provide her with the rights and privileges she needs to do
her job. She also may have trouble connecting to and using network resources as neither her
system nor the network resource can complete the processing necessary.
13
Volume 2
Figure 3.8: Logging on from a branch office requires WAN access to a domain controller and GC server.
Win2K Branch Office Solutions
The intuitive solution to branch office logon for mixed-mode Win2K environments is to place a
domain controller in all but the very smallest branch offices. By very small, I mean less than 10
employees. Microsoft guidelines also discuss the use of a single domain controller in a branch
office that houses between 10 and 50 users, or calculating the number of domain controllers
required based on Group Policy requirements and the use of applications that rely heavily on
Lightweight Directory Access Protocol (LDAP) queries against Active Directory (AD).
These guidelines work well while the domain is in mixed mode. However, when domains are
moved to native mode, you can create universal groups, which means that logons from branch
offices will seek a GC server across the WAN if necessary regardless of whether a domain
controller is present. The intuitive solution no longer works. Figure 3.9 illustrates this scenario.
When Nancy attempts to log on, her computer is able to communicate with the local domain
controller. However, to find a GC, the domain controller must communicate across the WAN to
a GC at headquarters. The figure also represents, with the use of dotted lines, replication of data
between GCs at headquarters. (Actual replication patterns will vary, but the concept is correctly
displayed—information from all domains is replicated to all GCs.) Locating a GC only at
headquarters may be an acceptable practice if the number of users in Nancy’s branch office is
small and WAN connections are stable and meet bandwidth requirements. However, if the WAN
link is down, the GC cannot be reached and normal logon will not be possible. If, however,
cached credentials exist for Nancy on the computer she is using, then logon will occur.
14
Volume 2
Figure 3.10: A domain controller at a branch office doesn’t eliminate the need for WAN access to a GC.
Is it possible that the lack of a GC server can mean that clients will not be able to log on? Yes, if no
cached credentials exist for a user in a native-mode domain and the GC cannot be reached, the user
cannot be logged on. This behavior will not affect an administrator. For more information please see
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q216970.
A solution to this is to place a GC server at each branch office that has a domain controller.
However, although this setup means localization of authentication traffic, it means increased
replication traffic over the WAN. The GCs must replicate changes in forest data between
themselves. Branch offices with low bandwidth connections might find replication demands
excessive. In addition, branch office domain controllers might not meet the increased memory
and processor requirements of a GC. Figure 3.10 illustrates the authentication and GC replication
patterns in this scenario.
Many forests consist of domains that are in mixed mode and domains that are in native mode. Nancy
might be a member of universal groups located in the native-mode domains while her domain is still
in mixed mode. What will the logon behavior be? In this scenario, Nancy’s logon does not have to
access a GC. Instead, should Nancy attempt to access a resource that has universal group access
assigned, the domain controller for that domain will be contacted, then the domain controller will
contact the GC to determine whether any universal group membership SIDs need to be added to
Nancy’s access token.
15
Volume 2
Figure 3.10: Authentication traffic across the WAN can be decreased by placing a GC at a branch office, but
this setup means increased replication traffic across the WAN.
.NET Universal Group Membership Caching
.NET provides a simple solution to the problem. Because the major reason that branch offices
need access to a GC is to determine group membership in universal groups, .NET lets you
configure domain controllers to provide universal group membership caching. If this option is
enabled, the first time a user logs on, universal group membership must be determined by
contacting the GC server across the WAN. Membership information is then cached indefinitely
on the designated domain controller. The following rules govern this behavior:
•
Cached data is periodically refreshed.
•
The default refresh time is 8 hours
•
As many as 500 users’ cached universal group membership data can be refreshed at a
single time.
•
The ability to cache membership data is site specific; thus, all domain controllers in that
site must be .NET Server machines.
Universal group membership caching allows faster logons and reduces the need for locating GC
servers at branch offices; thus, reducing replication traffic on the WAN. GC servers may still be
required at branch offices that use applications that rely heavily on LDAP searches of AD. To
configure a .NET domain controller for universal group membership caching:
16
Volume 2
1. Open Active Directory Sites and Services.
2. Expand the Site object for the site at which universal group membership caching is
desired.
3. Double-click the NTDS Site Setting object.
4. On the Site Setting tab of the NTDS Site Setting Properties page, which Figure 3.11
shows, select the Enable Universal Group Membership Caching check box.
5. In the Refresh cache from drop-down box, select the site from which the cache should be
refreshed.
Figure 3.12: Configuring universal group membership caching.
17
Volume 2
Chapter 4: Fulfilling the Promises of Group Policy
Q 4.2: How can I prevent users from running tools that they should
not run?
A: Although you didn’t mention which tools you don’t want users to run, I can think of
numerous tools that should not be used by most ordinary users, such as registry editing tools,
networking utilities, and resource kit utilities. There are three ways that you can prevent users
from running these tools:
•
Protect executable files by using file permissions
•
Remove executable files from users’ machines
•
Use Software Restriction Policies
Setting Restrictive File Permissions
Setting restrictive file permission is the time-honored way of restricting the use of files.
Recommended security practices include making sure that all drives on all Windows NT,
Windows 2000 (Win2K), Windows XP, and Windows .NET computers are NTFS formatted.
When Windows is installed on NTFS drives, standard file permission settings on system folders
are fairly secure; the administrator’s responsibility is to lock down other folders and files and
consistently investigate, test, and deploy more restrictive settings on system files and
administrative tools. However, this method doesn’t prevent the savvy user from placing a copy
of a restricted tool in a folder in which the user has the right to run the program. And there is also
no guarantee that for every machine, every permission setting is correct.
You can write Group Policies that set file and folder permissions to a corporate standard, and
push these settings across an enterprise. However, a sophisticated user or an attacker has only to
provide their own copies of the restricted tools to foil these administrative tactics.
Removing Executables
Another sound practice is to remove the executables. There are two problems with this approach.
First, a user can still provide their own copy of a tool. Second, Windows File Protection (WFP)
might make it difficult to remove tools that are considered part of the OS and thus protected.
Another concern is that patches, system updates, and additional Windows components might
reinstall the removed executable without warning.
Using Software Restriction Policies
The ability to use Software Restriction Policies is new with Windows XP and .NET. Software
Restriction Policies offer a new way to prevent unauthorized use of system tools, restrict users to
only approved software, and prevent attackers from using system tools in an attack on the
system. Software Restriction Policies let you, the administrator, either create a policy that
disallows any software, then create unrestricted rules that let only approved software run, or
create a policy that lets all software run, then create disallowed rules that prevent identified
software from running. Software is either disallowed or unrestricted based on the following rule
types:
18
Volume 2
•
Path—Explicitly identify the program path.
•
Hash—When a program is selected, a cryptographic hash is built. Any attempt to run the
program will result in a check of the hash, and the program will be allowed to run (or not
allowed to run) based on the type of policy. The program can reside anywhere, and the
action will be the same. This option is useful to prevent software from running no matter
the location.
•
Certificate—Rules are built based on the presence of a code publishers’ software signing
certificate.
•
Internet zone—You can prevent software from running from a particular Internet
Explorer (IE) software zone. You cannot prevent software that has been downloaded
from that zone from running.
Enforcement properties include or exclude DLLs and identify whether the policy applies to
members of the Administrators group. Additional settings allow addition or deletion of file types
(designated file types) that can be managed and determine whether users, computer
administrators, or enterprise administrators are affected by trusted publishers. By default,
policies apply to all users and program files except library files such as DLLs.
Software Restriction Policies might not appear where you would expect them in a Resultant Set of
Policies (RSOP) report. When you run RSOP to determine the effective policy applied for a user, you
would expect Software Restriction Policies to appear in the location in which they are configured
(User Configuration, Windows Settings, Security Settings, Software Restrictions). However, Software
Restriction Policies might appear under Extra Registry Settings instead.
To create, examine, or manage local Software Restriction Policies:
13. Click Start, select Run, and type
secpol.msc
in the Run text box.
14. Click OK or open the Administrative Tools, Local Security Policy console.
15. Select the Software Restriction Policies container.
16. If no policy exists, right-click the container, and select Create Software Restriction
Policy.
To create or manage Software Restriction Polices for a site, domain, or organizational unit (OU),
open the Group Policy Object (GPO) for the appropriate container. The Software Restriction
Policy container is located under Computer Settings, Security Settings.
A Simple Policy to Restrict Tool Use
You can easily create a policy that restricts the use of tools. You will have to determine the list of
tools that need to be restricted and the type of rule that will be used. Unfortunately, you’ll have
to come up with your own list of tools, but I can help you understand how to make choices for
the type of Software Restriction rule to use, and provide you with a step-by-step policy-creation
exercise.
19
Volume 2
0 It is possible to create a Software Restriction Policy that can prevent systems from running.
Therefore, the best procedure to follow is to create a policy in the Local Security Policy of a single
Windows XP system. Then test the policy by applying it to a single OU that represents a test
computer or computers. When you are sure that this policy meets your requirements for software
restriction without breaking other software, you can use the policy to restrict multiple systems.
A good first policy will start with all software allowed to run and will contain rules that prevent
individual programs from running. This process will give you the opportunity to learn how the
policy works without taking as large a risk of making the system inoperable. The following
Local Security Policy example meets these requirements.
0 Again, always test Software Restriction Policies on a single machine first! It is possible to crash the
operating system (OS) by being overly restrictive.
Creating a Simple Software Restriction Policy
This example policy will prevent the following tools from running:
•
All software located in the C:\alpha geek tools folder
•
Regedit32.exe (no matter where it is located)
•
Software on sites included in the IE Restricted Sites security zone
•
Solitaire game (sol.exe—no matter where it is located)
Figure 4.3 shows the completed policy.
Figure 4.3: The Additional Rules section of a policy lists the policy type and basic information.
This policy should not restrict administrators, so the first step to take is to set the policy so that it
will only affect ordinary users:
1. Double-click the Enforcement object at the root of the Software Restriction Policy
container.
2. In the resulting window, which Figure 4.4 shows, change the setting from the default by
selecting the All users except local administrators check box, then click OK.
20
Volume 2
Figure 4.4: Be sure to change the policy from the default setting to let local administrators use the restricted
tools.
Next, a rule for each tool, folder, or certificate should be restricted:
1. Right click the Additional Rules container, and select Create new path rule.
2. Enter the path C:\alpha geek tools (or browse to select it).
3. Leave the security level at Disallowed, and click OK.
4. Right click the Additional Rules container, and select New Internet Zone Rule.
(Differences in options may exist due to different versions of beta software.)
5. Select the Internet zone Restricted Sites.
6. Leave the security level at Disallowed.
7. Change the description to comment that these sites are ones you do not trust, and click
OK.
8. Right-click the Additional Rules container, and select New Hash Rule.
9. Browse to a copy of the sol.exe file. The hash appears in the File Hash box, and
information about the file will appear in the File Information box. Leave the security
level at Disallowed, and click OK.
10. Repeat these steps, except browse to a copy of the regedt32.exe file in step 9.
21
Volume 2
Testing the Policy
The first time you create a rule of a particular type, test the rule. You can do so by logging off
and logging on as an ordinary user, then attempting to run the tool. You should be refused and
receive the message that Figure 4.5 shows.
Figure 4.5: If a user attempts to run a restricted program, an error message will appear.
Next, log on as an administrator and attempt to run the tool. You should be able to. The
instructions I previously provided don’t include these testing instructions for brevity sake.
Finally, when the policy is complete, test all rules to ensure that they operate as you expect. Any
changes to the rules should require a retest.
0 Are these tests sufficient? You should always seek to write exhaustive tests for your policy. No one
list of testing scenarios will work for every rule set. Do not rely on these suggestions alone to work for
your policy.
To test this policy, make sure that you have designated in the Restricted Sites zone in IE a Web
site that has software that can be run from its Web pages. To test the policy that we created in
our example, log on as an ordinary user and attempt to run files in the alpha geek folder. Attempt
to play solitaire. Attempt to run regedt32. Copy the sol.exe file to a temporary folder. Attempt to
play solitaire. Open IE and navigate to the previously designated Web site. Attempt to run
software. All of these tests should fail. A pop-up message similar to the one that Figure 4.5
shows should be the result of each attempt. Next, try to download software from the restricted
Web site and run it. This attempt should be successful. The Software Restriction Internet zone
rule only applies to programs that are run from within the zone. Next, log on as Administrator,
and repeat the tests. You should be successful each time.
Examining the Policy for Holes
It might be possible, even desirable, to create multiple rules to handle some areas. For example,
if your policy seeks to absolutely prevent users from running certain tools, you should create
hash rules for each tool. Path rules, such as the one written for C:/alpha geek tools, will only
prevent the running of tools from within this folder and its subfolders. If the user can copy a tool
from the folder to another, that user can run the tool. If the user can obtain a copy of the tool
from another source, the user can run the tool. A hash rule, however, will prevent the software
from running from any location on the computer.
The rationale behind path rules is twofold. First, it quickly blocks any new tool that is added to
the folder. This affords some protection while the Group Policy is adjusted and a hash rule is
written for the specific program. Second, if the Software Restriction Policy is written to disallow
22
Volume 2
all software, a large number of system programs must be allowed to run. Being able to do so by
selecting a folder versus creating individual rules for all system files is essential. Hash rules can
be used to specifically prevent some tools located within the system folder from running. Also, if
system files are being blocked, don’t forget to think about the copies that may be in dllcache.
0 If you are not using hash rules to prevent software from running, don’t forget to make a path rule that
includes %windir%\system32\dllcache. A copy of the disallowed program might be at this location,
and if a path rule does not cover it, the program will be able to run.
You should also be clear about which program file types are covered by your policies? When a
path rule is written, if a program file type is not covered, the program will be allowed to run. You
can examine which program file types are covered by opening the Designated File Types object
of the Software Restriction Policies container. From this window, you can also add and remove
file types.
Another policy hole consideration results from a program that calls another program that calls
another program—is this behavior restricted or allowed? The answer is not simple and there is
no blanket rule. If a program is disallowed, it cannot call other programs. If a program can run on
its own or is called from within another unrestricted program, the program will run. Conversely,
if an unrestricted program calls a disallowed program, the disallowed program will not run,
possibly resulting in the failure to run of the unrestricted program.
What will happen if multiple policies apply to the same programs? As the following list shows,
an order of precedence exists. The first element listed, hash rule, is highest in the order and will
take precedence:
1. Hash rule
2. Certificate rule
3. Path rule (if path rules conflict, the most restrictive will take precedence)
4. Internet zone rule
Finally, you should realize that later versions of a restricted program might not be restricted by
the rules you have written. A hash rule applied to a known virus file, for example, cannot restrict
a later version of the virus.
Certificate Rules
Another type of software restriction rule is the certificate rule type. Certificate rules apply to
scripts and .MSI files only. To use them, a code-signing certificate is used to sign the files.
Certificate rules are used to identify the code-signing certificates that are valid on this computer
or on the computers within the Group Policy Container (GPC) of this GPO. Certificate rules are
an excellent way to ensure that only approved scripts can be run. They also solve the dilemma
caused by the following scenario: If all software is disallowed, rules might be written that let the
OS run. In addition, rules can be written that allow only the software a user needs to run. How
then, can logon scripts, new software installations, and maintenance scripts be allowed to run? If
a rule is written that indicates that certificate A is approved, any script or .MSI file that is signed
with certificate A will run. Those not signed by this certificate will not run.
23
Volume 2
Trusted Publishers
In a related area, Trusted Publishers Properties, which Figure 4.6 shows, should be configured to
determine who can select trusted publishers in IE. Trusted publishers can be designated within
the Content tab, Trusted Publishers section of IE. This designation lets software that is signed by
approved software publishers be run from IE. The default setting is to allow end users to select
trusted publishers.
Figure 4.6: The default rule for trusted publisher lets users select them.
Moving On
Now that you can successfully create a small local software restriction policy, you might want to
design and execute domain-wide policies. Before you attempt to do so, you should be aware of
several considerations. First, be aware how very new this process is. Second, .NET has not been
released. Third, you will need to develop sophisticated troubleshooting skills and procedures and
detailed testing plans before deploying widespread policies.
There is a lot more to software restriction policies than you first might believe. This area is new
and will take a while before all the bugs and best techniques are worked out. In the time it took
to write the first draft of this answer and do my first review, a bug was discovered in the
processing of rules that restrict 16-bit programs. The Microsoft article “Software Restriction
Policies Do Not Recognize 16-Bit Programs” at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319458 states that 16-bit software
24
Volume 2
that is run in the virtual machine (ntvdm.exe) is not recognized by software restriction policies.
Thus, the rule written to prevent the running of command.com or edit.exe doesn’t work. Users
can run these programs even if the programs were specifically denied by software restriction
rules. Microsoft already has a fix to correct this problem. It can be obtained from Microsoft
support services. The company advises you to obtain and use the fix only if you are attempting to
restrict such software.
Win2K cannot process software restriction policies. You will have to wait for .NET Server and
your migration to .NET domain controllers if you want to fully benefit from these practices. You
will only be able to impact users with Windows XP on the desktop. Still, software restriction
policies will be useful policies as you move forward.
Even simple software restriction policies can easily frustrate. A simple troubleshooting technique
is to allow the collection of processing into a log file. You can do so by adding a value to the
registry and entering the path and file name of the log. To do so, add the string value
LogFileName to the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
registry key. For my test, I then entered the value C:\temp2\softstop.txt (see Figure 4.7), then ran
some tests. Files that I didn’t explicitly run showed up on the list.
Figure 4.7: You can troubleshoot software restriction rule problems by creating a log through registry edits.
25
Volume 2
Chapter 5: Administrative Authority
Q 5.2: I seem to have locked out the Administrator account in the
domain. I can no longer log on to the domain using this account.
What should I do?
A: You probably have introduced an empty Restricted Groups policy for the Administrators
group at the domain controller Group Policy Object (GPO) level. You will need to add the
Administrator account to this policy.
Windows 2000 (Win2K) introduced the concept of Restricted Groups and it is present in the
same form in Windows .NET. This Group Policy was developed to allow domain administrators
to control the membership of local groups on computers within an organizational unit (OU) or
within the domain. Let me explain further.
Each Win2K, Windows XP, and .NET computer has a local Administrators group and a local
Security Accounts Manager (SAM) database of accounts even if the computer has been joined in
a domain. As you know, account membership in the local Administrators group gives broad
powers on the local machine. This access is a very good reason for restricting membership in this
group to only those individuals who require such power. Unfortunately, it is difficult to restrict
those who are given membership in the Administrators group from adding other members. It is
also an attack technique to add users to administrative groups after successfully obtaining
administrative access. The attackers can then use those user accounts in the future.
However, if a group is added to the Restricted Groups policy, and users are added to this group,
only these group members will be allowed. If members are added to the group on the local
machine, when the policy is refreshed, they will be removed. I’ve illustrated this confusing
concept in the following example scenario:
Sally’s account is given membership in the Administrator’s group of her Windows XP machine.
A Group Policy exists for the OU in which Sally’s computer account resides. The
Administrator’s group is added to the Restricted Groups policy in this Group Policy. Sally’s
account is added to the Administrators group within the policy. Sally is tricked into adding
Tom’s account to the local Administrators group on her computer. Tom has no domain
administrative privileges. During policy refresh, the discrepancy is found. Tom’s account is not
in the Restricted Groups Administrators group. Tom’s account is removed from the local
Administrators group on Sally’s computer. That afternoon, Tom attempts to remotely edit the
registry on Sally’s’ machine to play a trick on her. He cannot do so. At the end of the week, John
reviews the audit logs on Sally’s machine and finds the records in which Sally added Tom to the
Administrators group and Tom attempted to remotely access the registry. Tom and Sally are in a
little bit of trouble.
You can user Restricted Groups to manage membership in any group, whether it is default or
created. However, problems might be caused by people who do not read instructions or because
it is easy to select the default groups that exist on the domain controller instead of the desired
groups on the local machines. Because many people do not study the documentation and insist
on trying configuration on production machines without proper testing, it is possible to prevent
authorized individuals from doing their administrative job, and indeed, it is possible to lock out
the domain Administrator account. It happens because two steps must be taken to create a proper
26
Volume 2
policy. First, the group must be added to the Restricted Groups policy. Second, authorized
members must be added to the group. Any authorized member that is not added to the group
inside the Restricted Groups policy will be removed from the group. The two-step process is not
intuitive and doesn’t produce a warning if not carried out properly. The administrator or
consultant who likes to break things to learn about them will be rewarded here.
What happens if an Administrator for a child domain removes the Enterprise Admins group from the
local Administrators group in his or her domain? Members of the Enterprise Admins group have
limited access to child domains. (To totally prevent the Enterprise Admins group from having any
access in a child domain requires a little bit more work.) Can the Enterprise Admins get their access
back? Yes. They can do so by creating a SITE policy that adds the Administrator group of the child
domain, then adds the Enterprise Admins group to the Administrators group in the policy. At the next
policy refresh, the Enterprise Admins will have access to the child domain.
Unfortunately, it is also possible for the careful reader of documentation to create a Restricted
Groups policy with unexpected results. For example, suppose your domain,
east.newyork.mpptp.local, is a Win2K domain and all your clients are Windows XP. You want
to create a policy to restrict membership in the local Administrators group of all Windows XP
computers. To do so, you open the Domain Security Policy, right-click Restricted Groups, click
Add Group, click Browse, select Administrators, and click OK. Because this policy is for the
Windows XP computers and you do not want the default Administrator account to be part of this
group, you do not add any members. You close the Default Security Policy.
Sound correct? Yes, except for one thing. Because the domain policy will be applied to every
domain computer, it is also applied to the domain controllers. Browsing in the Add User
windows located in the domain Administrators group, you will find that the Administrator
account cannot log on to the domain. To correct this situation, an Enterprise Admin can logon
from another domain and open Active Directory Users and Computers. By changing the focus of
the console to the east.newyork.mpptp.local domain, the Enterprise Admin can edit the
Restricted Groups policy to correct the situation. To do so, the Enterprise Admin member needs
to remove the domain\Administrators group from the Restricted Groups policy, then add a group
by typing
Administrators
This policy will then apply to the local Administrators group on the computers in the domain
instead of the built-in Administrators group on the domain controllers.
27
Volume 2
Chapter 6: Triple A’s—Authentication, Authorization, and
Audit
Q 6.2: I am tasked with tracing logon behavior across our Windows
.NET forest and would like some help understanding the difference
between the Audit categories Audit Account Logon and Audit Logon.
What is the difference?
A: Here’s a simple explanation of the difference between the two:
•
Setting Audit Account Logon Events records events where the account resides. If Nancy
sits at her desktop computer and logs on to the domain, Account Logon Events will be
recorded in the Security event log of the domain controller. Many Account Logon events
are Kerberos events.
•
Setting Audit Logon Events records events where the logon event occurs. These events
are recorded in the Security event log of Nancy’s desktop computer.
Thus, to have a clear picture of a user’s domain log on and log off behavior, you must enable
auditing of Audit Account Logon Events on the domain controllers and Audit Logon Events on
every computer that the user might use to log on to the domain. You will then need to
consolidate event logs from multiple computers and query for the different logon events
associated with that user. You must also keep in mind the many logon events that might be
generated during this user’s normal activities:
•
Account Logon Events might be recorded when the user attempts to access resources, not
just when the user logs into the domain.
•
Multiple logons by the user from different computers.
•
Logons by the same user using another account.
•
Unlock workstation events.
•
The user’s use of the run as command to perform secondary logons
•
The user’s employment of alternative credentials when mapping network drives.
Tracking logons is not a simple task, but a user’s activity can be tracked with a little practice and
the knowledge of typical events’ meanings.
28
Volume 2
Logon Events
Multiple events might be recorded. Tables 6.1, 6.2, and 6.3 detail Account Logon Events and
Logon Events.
Event
Definition
Comments
672
Authentication Server (AS)
ticket issued
This ticket is the first Kerberos ticket issued if the user presents
valid credentials; it essentially says “OK, this user is who they say
they are.”
673
Ticket Granting Service
(TGS) ticket issued
This ticket is issued for a specific server or service. When the
user, for example, wants to access files on a file server, a TGS
ticket for the file server is required.
674
Security principle renewed
an AS ticket or TGS ticket
Tickets are renewable (see Kerberos policy definitions in the
domain Group Policy).
675
Pre-authentication failure
Authentication failed, many times as a result of a timesynchronization failure.
677
TGS was not granted
Failure perhaps as a result of an invalid AS, unknown server or
service, or time skew.
678
Account mapped to domain
account
A confirmation that the account has been located.
681
Domain account logon
attempt
If an account exists within the domain, logon can fail for many
reasons (see error codes listed in Table 6.2).
Table 6.1: Account logon events are recorded where the account resides.
Error
Code
Definition
Comments
1326
Unknown user or bad
password
The user account or password is invalid.
1328
Time restriction violation
A valid logon time range is defined for this user account and this
time is not within that range.
1331
Account disabled
The account is disabled at this time.
1329
Log on not allowed at this
computer
The computers from which this account can logon are specified in
the account for the user. This computer name is not within that
list.
1327
Logon of this type not
allowed at this computer
Policy does not allow this type of log on (network, interactive,
remote) at this computer.
1330
Account password expired
The password for this account expired.
1792
Netlogon not active
The Netlogon service has stopped.
Table 6.2: Account logon failure codes for Event 681.
29
Volume 2
Event
Definition
Comment
528
User successfully
logged off
Always present if a user logged off in normal fashion.
529
Failure due to bad
password or unknown
user name
Either an attack or the user forgot his or her password.
530
Attempt to log on
outside of allowed time
Allowed time range is set in user account properties.
531
Attempt to log on using
a disabled account
A disabled account is not a locked out account. A disabled account is
made so by an administrator selecting the check box labeled
Disabled. A locked out account is locked out due to unsuccessful
logon attempts.
532
Attempt to log on using
an expired account
Temporary workers’ accounts are often set with expiration dates that
can be changed. This event is probably the result of a contractor
staying beyond the estimated job tenure.
533
User is not allowed to
log on from this
computer
Allowed computers for logon can be set in user properties. This
computer is not one of those listed for this user.
534
Attempt to log on with a
type of logon that is not
allowed
Logon on locally, network logon, batch logon, service logon, and
remote logon can all be denied implicitly or explicitly.
535
Attempt to log on with
an expired password
Passwords can be set to expire (there is a difference between
expired account and expired password).
536
The Netlogon service is
not active
Netlogon stopped or is otherwise malfunctioning.
537
Failed for some other
reason
Other reasons not documented.
538
User logged off
User employed Ctrl+Alt+Del to log off.
539
Account is locked out
Bad logon attempts reached the account lockout threshold for this
account.
540
Successful log on to a
computer
Logon was successful.
541 –
547
Logon events related to
IKE
Computer endpoints can be authenticated using IPSec policies.
These logon events are reported as well.
Table 6.3: Logon events.
Tracing a User’s Logon and Logoff Events
One of the benefits of understanding ordinary events is that you’ll know what extraordinary
events mean. A good exercise is to attempt to determine which events will be found in the logs
of the client computer and the domain controller during an ordinary logon. After compiling your
list, log on at a client as an ordinary user. Leave the user logged on while you examine the event
logs of the domain controller. Are you able to find what you expected? Remember that you can
filter the Security event log by the user’s name but that Kerberos logon events will be register as
system events (NT AUTHORITY\SYSTEM). Find the user logon event (an event 528 logon type
3 for network logon) using the filter on the user’s name, then remove the filter and examine the
nearby events. You will find that when opened, the details list the user ID. Return to the client
30
Volume 2
computer and log off the user. Log on as Administrator to view the security events. What would
you expect to find here?
On the local workstation you should find a 528 event—successful logon, as Figure 6.5 shows. In
this figure, Nancy, is clearly identified within the body of the event message. Her SID is the only
identity in the main event heading because this event was pulled from an exported event log. On
the local workstation VMXP1, the user Nancy replaces the SID. If the local workstation log had
been exported in comma or tab-delimited format, the name Nancy, not the SID, would appear.
Working with user names is easier than working with SIDs, which provides a good reason for
exporting logs in comma or tab-delimited format for review.
Figure 6.5: Successful interactive logon at the workstation VMXP1 by Nancy.
On the domain controller, we will find events that record the Kerberos ticket requests and a 528
event with a logon type of 3 for network logon. Successful Kerberos events are 672,
authentication ticket request, as Figure 6.6 shows.
31
Volume 2
Figure 6.6: A successful authentication ticket requests indicates the user’s credentials are in order.
As Figure 6.6 shows, the user is identified by presenting proper credentials (user ID and
password). As Figure 6.7 illustrates, event 673 shows a service ticket request in which the user
requests a service ticket to use the workstation desktop.
Figure 6.7: A successful service ticket request is required before the user can access his or her desktop.
32
Volume 2
In this figure, note the logon ID. This number is unique for each logon session. Later in the day
when the user logs off, the same logon ID will be used (as Figure 6.8 shows). If a user performs
multiple logons and log offs at the same computer, each log on can be matched to its log off
event by using the logon ID. When audit logs are consolidated, several logon IDs may be present
for the same user. They will represent different logon sessions, either at the same computer or at
multiple computers. Connecting logon events by comparing logon IDs will keep things straight.
This information might be important if you are trying to determine the timeframes at which a
particular user was actually online.
Figure 6.8: Event 538 indicates a successful logoff.
33
Volume 2
Chapter 7: Remote Access
Q 7:2: What is the Session Initiation Protocol?
A: Session Initiation Protocol (SIP) is an emerging Internet standard described in Request for
Comments (RFC) 2543. The SIP signaling protocol is used to establish, create, and manage
sessions between communication devices such as PCs, PDAs, and smart phones. It provides the
benefits of presence (who is online and what is their status), notification (you’ve got a call),
request (do you want this connection?), and mobility (can find you anywhere on any device).
Many of you are familiar with Microsoft’s Messenger and other instant messaging (IM) products
that provide these features. SIP, however, can be used for much, much more. Because developers
are able to depend on devices built to the standard, applications such as conferencing, customer
relationship management (CRM), call centers, and others yet unimagined can be built. SIP
allows the integration of location via Universal Resource Identifier (URI—defined in RFC 2396)
and allows the integration of messaging, multimedia conferences, and telephony. The
components of SIP are:
•
URI—Uniquely identifies users
•
Call_ID—Globally unique identifier (GUID) that identifies a particular conversation. It
includes an undue cryptographically random number generated by SIP and the URI of the
client.
•
Client software (such as IMs)
•
Registration servers—Store URIs.
•
Proxies—To pass on communications.
•
Gateways—Integrate with older phone-based communication systems and with the older
h.323 telephony standard.
Server and gateway products are available from Tellme, Webley Systems, WorldCom, and Level3
Communications. Microsoft .NET Server will also provide SIP components.
Although the ability to communicate across the Internet in real time to share files, applications,
and video is nice, there are some serious security concerns. How can you ensure that only those
invited to the conference can join? Can conversations and shared documents be kept private?
How can you be sure that the participants are who they say they are? What kind of information
might an attacker gain by tracing how and who is talking to whom? These concerns have
answers within the standard.
34
Volume 2
Internet Engineering Task Force RFC SIP Security
Four security issues are addressed in the SIP specification:
•
Message integrity, authorization, and authentication
•
Message privacy
•
Route privacy
•
Identity privacy
Message Integrity, Authorization, and Authentication
In a perfect world, accident or attack would never modify the contents of a message between
sender and recipient and invalid attempts to redirect messages or spuriously terminate them
would not be an issue. Because the perfect world does not exist contingencies must be made to
ensure message integrity and validate users, computers, and requests. Checksums and
timestamps can be used to ensure message integrity. The checksum ensures that the message has
not changed, and the timestamp helps to prevent successful replay of attacks. Likewise,
authentication mechanisms can be used to prove the identity of the proxy, sender, and recipient.
In addition to Secure Sockets Layer (SSL), SIP supports HTTP authentication mechanisms such
as basic and digest. Pretty good privacy (PGP) can also be used.
After identification of user or proxy, authorization is checked. Authorization can be set to
include the client-side rights of the caller (sender) to call, type of call, entry to conference, or use
of advanced features such as application sharing. Authorization to use specific proxies for
particular purposes can also be set and based on identification of caller. IPSec can be used for
authentication between client and proxy and proxy to proxy.
Responses that may redirect calls or terminate them should be authenticated. Such calls, if not
validated, can lead to session hijack, premature termination, and denial of service.
Unauthenticated responses will be dropped.
Message Privacy
Session requests, responses, and message bodies might include sensitive information. Message
bodies might also include copies of encryption keys. SIP systems can encrypt the message body
and those parts of the message header that are not necessary for routing or identification. End-toend encryption is accomplished by using the user keys.
Although a common explanation of public key cryptography explains that the recipient’s public key is
used to encrypt the message so that the recipient’s private key can be used to read it, such is not
usually the case. Instead, to improve performance, the message is usually encrypted using a session
key, which is then encrypted with the public key of the recipient. To decrypt the encrypted session
key, the private key of the recipient is used. Then the session key can be used to decrypt the
message.
Should Alice, for example, send a secure IM message to Bob, the message is first split into two
parts—the header fields that are to be encrypted and the message body make one part and the
other part is a short header that remains in clear text. A session key may be used to encrypt the
header fields and message body. Next, Bob’s public key is used to encrypt the session key. The
35
Volume 2
encryption field of the header is used to specify the type of encryption used, and information
about which key to be used in the response is included. Bob’s client receives the message and
uses Bob’s private key to decrypt the session key, which then is used to decrypt the message. If
Bob sends a response, it should be encrypted with a session key and Alice’s public key used to
encrypt the session key.
Because Alice may have many public key pairs, the secure IM message will let Bob know which
public key to use. The public key may be included in the message as well. This inclusion avoids
confusion. When Bob’s response, encrypted with Alice’s public key, returns, Alice’s client won’t have
to guess which of her private keys to use to decrypt it.
Typically, encryption will occur at the client, but implementation may provide encryption by the
SIP proxy if clients are not capable or if administrative policy requires enforcement of security
policies. Users of end-to-end encryption should note that it only provides privacy—there is no
guarantee that messages come from the sender indicated.
Route Privacy
Within the SIP message header, the VIA field includes routing information. VIA is not an
acronym, it merely serves to indicate that the field holds information about how the data should
go (it should go via the route included). Hop by hop, additional VIA statements are added until
the end of a message route where the path taken is revealed fully within the message. This
information can be used by the response, as each VIA statement can be used to find the way back
to the previous routing device. One by one, addresses are followed until the response is delivered
back to the sender.
This type of routing information can provide useful information to an attacker, and so hop-byhop encryption of VIA fields is also possible. During this process, the request Hide field is used
to request that VIA fields are hidden from subsequent proxies. Each proxy encrypts the VIA field
address that identifies the previous proxy. The proxy can choose the mechanism because only
that proxy will decrypt it. The VIA header field is cached along with an association to the header
field. The index into the cache is placed into the VIA header field. It then adds its own address to
the VIA field, maintains the Hide field (instructing the next proxy to encrypt this new
information), and passes the message on. At each proxy, the only information that can be
determined is the identification of the previous hop.
When a response must be returned, the client has the address of the last proxy in the chain. This
proxy takes the address from its cache, decrypts the VIA field information (because it originally
encrypted it) to discover where it must pass the message. The process is repeated at the next
proxy and so on until the response has returned to the originator of the request.
Because route hiding of this type may not prevent message looping, additional information is
added to the VIA field so that the proxy can tell that it has seen the message before. This ID
obviously cannot be the proxy name as that would not hide the route. Instead, a secret key,
timestamp, and checksum is used. A checksum can detect that the decryption returned correct
information and the timestamp can help to prevent a replay attack.
36
Volume 2
)
To ensure that VIA information continues to be encrypted proxy by proxy, messages must be sent to
trusted proxies. A trusted proxy is one which is controlled by some party that you trust to configure for
the security controlled mandated by your policy. This could be a proxy owned by your organization or
that of a business partner or associate with whom mutual trust relationships have been developed.
Identity Privacy
In addition to route and message privacy, there is often reason to hide who is talking to whom.
You can do so by using hop-to-hop encryption. IPSec, Transparent LAN service (TLS) or some
other transport or network layer encryption may be used to encrypt messages as they travel
between proxies. The message may be unencrypted as it travels from sender to proxy and from
proxy to recipient. Hop-to-hop privacy may also be used with end-to-end encryption. Figure 7.4
illustrates the difference between end-to-end and hop-to-hop encryption. In the top half of the
figure, all communications from the first PC to the last are encrypted (end-to-end encryption).
The bottom half of the figure represents hop-to-hop encryption. Data is only encrypted between
any two points on the path.
Figure 7.4: End-to-end encryption vs. hop-to-hop encryption.
Miscellaneous Uses of Cryptography
Cryptography is used throughout the specification to ensure privacy or to help aid in mitigating
attack. Many users will have multiple devices and yet a single SIP URL (the user address or
location registered for the user). A single SIP URL ensures that the user can be located wherever
he or she may be and may use any device desired or available. Smart phones, for example, may
be more convenient in airport terminals if the message is text, while PCs are more useful for
multimedia conferencing. However, the possibility for misdirection by chance or by malicious
action is possible. To ensure consistent communication and to mitigate the possibility of a
hijacked session, a tag in the from section of the message header is used. This tag is
cryptographically random and globally unique and identifies the return of responses to the
correct device.
37
Volume 2
Microsoft Implementation
You might have already recognized some of the SIP communication specifications in Messenger
and other IM applications. .NET Messenger Service integrates SIP on the Internet, and Microsoft
Exchange 2000 Instant Messaging Server utilizes SIP on the intranet. Although security
implementation is lacking in current versions of Messenger, SIP is integrated into .NET Server to
provide secure real-time communication technology. Real-time communication is based on the
Real Time Protocol (RTP) for Voice over IP (VoIP).
Microsoft RTC Server is incorporated in .NET Server as a basic infrastructure service and is
fully complaint with the IETF standard. Standard services, a SIP proxy, and registration
extension module are available by default, and a rich API is present so that programmers may
build even more exotic applications. The registration extension module will register users and
track online information. Messaging can be federated across boundaries, and therefore will be
available to provide secure communications between forests. Authentication can be configured
within the property pages of the RTC Server, as Figure 7.5 shows.
Figure 7.5: Authentication can be configured on the property pages of the RTC Server.
38
Volume 2
Think of the possibilities! Microsoft mentions real-time help and support via phone available at the
click of a Help button, purchasing applications that can access and retrieve order status in real-time
and make that information available to the customer, and network messaging to users—say an
instant notification that the Exchange server is going down for maintenance. But what can you
envision? I think of instant alerts to my pager about my flight status so that I don’t run thorough the
airport only to discover that the flight has been delayed or cancelled. Or maybe notice that my room
at the hotel is available for early check-in and that it’s non-smoking and on the quiet side of the hotel
as I requested. What are your ideas?
For more information about SIP, check out the following Web sites:
http://www.microsoft.com/windows2000/server/evaluation/business/rtcfaq.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/evaluate/i
nsid01.asp
http://www.rfc-editor.org/rfcsearch.html
39
Volume 2
Chapter 8: Security Tools, Mechanisms, and Emerging Issues
Q 8.2: Managing multiple Windows boxes is like herding cats. It’s hard
to keep up with which systems have up-to-date patches and which
still need them. How can I figure this out?
A: Microsoft has three free tools that may help you: HFNetChk, QChain, and Microsoft
Baseline Security Analyzer (MBSA). HFNetChk is a command-line tool that can analyze a
Windows NT, Windows XP, or Windows 2000 (Win2K) computer and report missing hotfixes.
QChain is a tool to help you apply multiple hotfixes to a computer at a time without excess
rebooting between fixes. MBSA is a GUI tool that
•
Analyzes basic security on an NT, Windows XP, or Win2K system
•
Analyzes security settings for IIS (if present on the system)
•
Analyzes security settings for SQL Server (if present on the system)
•
Determines which hotfixes are missing
•
Provides a way to immediately download and apply missing fixes.
•
Scans a Windows .NET system and reports vulnerabilities (although MBSA doesn’t
officially support .NET)
Although a combination of HFNetChk and QChain can help you keep systems up to date with
hotfixes, they do nothing about basic system security analysis and require some sophistication to
run. MBSA, however, provides a quick and easy security assessment and an immediate way to
update a system. Although MBSA might not answer all your questions and is not exactly the
solution for large enterprises, it is a valuable aide for the harried systems administrator.
Analyzing the Analyzer: MBSA Internals
MBSA is at heart a GUI interface for HFNetChk. Rather than learning how to operate a
command-line tool, users and new administrators can simply start a GUI product and click their
way to security—or so they may think. In reality, of course, they should be thinking about what
they are doing.
As with any product, there are three things to understand in order to use it. Before you run
MBSA, and certainly before you attempt to act on any of the results, consider the following:
•
What is necessary to run it?
•
How do you run it?
•
How should you interpret and act on the results?
40
Volume 2
Understanding Prerequisites
When MBSA is installed, you are asked if you want to view a readme file (the file is also
available pre-installation at the download site) that explains that MBSA is simple to run but does
have basic requirements. MBSA can only be hosted by Win2K and Windows XP systems, but
can be used to scan NT and unofficially .NET systems. Table 8.1 lists OS specifics.
OS
Host
Scan Locally
Scan Remotely
Windows 9x, ME
No
No
No
NT Workstation
No
Yes
Yes
Win2K Professional
Yes
Yes
Yes
Win2K
Server/Advanced
Server
Yes
Yes
Yes
Windows XP
Professional
Yes
Yes
Yes
Windows XP
Professional using
simple file sharing
Yes
Yes
No
Windows XP Home
Edition
Yes
Yes
No
.NET Servers
No
No
Yes (but not officially
supported in version
1)
Table 8.1: Where to run and what to scan using MBSA.
Before a successful scan can be run, the user running the scan must have local administrative
privileges on the system to be scanned. Thus, if you are running a scan, you must be logged on to
the scanning machine using an administrative account in the domain of the scanned machine.
The application will not prompt you to enter alternative user account names and passwords if
your currently logged on account is not valid. If you want to scan a subnet, you must have
administrative privileges on every machine in the subnet or it will not be scanned. The scanning
system must meet several requirements:
•
Win2K or Windows XP system
•
Internet Explorer (IE) 5.01 or later or other versions of IE and an XML parser
•
XML parser (MSXML version 3.0 SP2)—An XML parser is part of IE 5.01 or later;
however, if you’re running an earlier version of IE, you can install version 3.0 SP2 of the
XML parser during the installation of MBSA or obtain it from the Microsoft Web site.
•
If you are going to remotely scan IIS computers, you will need to install IIS Common
Files on the computer from which the scan will be made.
41
Volume 2
The remotely scanned system must meet the following requirements:
•
NT 4.0 SP4 and later, Win2K, or Windows XP Professional
•
Server service must be running
•
Remote registry service must be running on Windows XP and Win2K systems
•
.NET can be scanned, but scanning of beta products is not officially supported
Obviously, the SQL Server, IIS, and Microsoft Office scans will only be completed if these
products are located on the scanned computer.
Getting Secure the MBSA Way
During the installation, you may choose to install MBSA just for your use or for anyone to run.
However, MBSA can only scan computers for which its user has administrative privileges, so
installing for anyone to run is the equivalent of installing for any administrator to run, not just
anyone. MBSA is started by clicking the desktop icon or running it from Start menu, Programs,
Microsoft Security Baseline Analyzer. It can also be run from the command line. Next, you can
make scans or review scan reports. Three scanning choices are possible: scanning the local
computer, scanning one remote computer via IP address, or scanning a range of computers or an
entire domain. The scan reports, one for each computer scanned, are then saved to the local
machine in the %userprofile%\SecurityScans folder and can be reviewed at any time.
Scan reports are stored in the user profile of the user who performed the scan. Thus, they are not
normally viewable by another user of the computer. However, precaution should be taken to ensure
the security of the scan. Information about the status and configuration of any computer should not be
made widely available. Best practices include performing the scan remotely for most systems and
using Encrypting File System (EFS) to secure the reports. Be aware, however, that extremely
sensitive systems do not allow remote administration, and thus, should not be configured (by enabling
the remote registry service) for remote scanning. These systems should be reviewed for proper
security configuration and patch updates from the console.
Each report consists of the results of reviews in several areas along with details of what was
scanned and instructions about how to correct the situation. General security settings are marked
with a red x if they are very weak, medium issues with a yellow x, and good settings are marked
with a green check mark, as Figure 8.4 shows. Yellow x’s may also indicate an area which
MBSA cannot conclusively determine. For example, some hotfixes should only be installed in
certain circumstances. The basic areas scanned are:
•
Service pack and patch updates—MBSA uses a version of HFNetChk to check registry
key, file versions, and file checksums against an XML file at the Microsoft download
center Web site to determine whether the computer is up-to-date with service packs and
updates. Each missing hotfix is reported, and a link to associated Knowledge Base
articles and the download location is provided. Administrators may access, download,
and apply a missing patch directly from within MBSA. No attempt however is made to
fully explain the patch or to link multiple patch requirements into a single install.
•
Passwords—MBSA checks the local Security Accounts Manager (SAM) database for
weak passwords by scanning for accounts for which the password is blank; is the same as
the username; is the same as the machine name; or equals password, admin, or
Administrator. This check is not made on domain controllers.
42
Volume 2
•
Account checks—Accounts are checked for password expiration and the number of
accounts for which passwords do no expire is reported.
•
Administrator group check—The number of members in the Administrators group is
reported. MBSA considers more than two administrators on a local machine
questionable.
•
Guest account—The status of the guest account is checked. Having the guest account
disabled is a plus.
•
Restrict anonymous—MBSA considers a restrict anonymous setting of 2 to be the goal.
Fortunately, a brief explanation of these settings and why setting restrict anonymous to 2
is not a good idea on domain controllers.
•
File System—The file system on all drives is checked to see if it is NTFS.
•
Auto Logon—The system is checked to make sure auto logon is not configured.
Figure 8.4: MBSA returns information about common vulnerabilities and how to fix the situation.
43
Volume 2
Other areas are evaluated, including:
•
Auditing—Is it enabled? Are both logon success and failure checked?
•
Services—Are any of the especially dangerous services (RAS, Telnet, FTP, WWW, or
SMTP) installed?
•
Shares—Which shares are present and what are the permissions settings on them?
•
OS version
If IIS or SQL Server is present on the machine and the check boxes to scan them have not been
cleared, MBSA will also look for common vulnerabilities in those products.
Password checks can take a very long time if multiple accounts exist. In addition, if account
lockout is set, it is possible that the multiple password tests—because most should and will fail—
may lock out accounts. MBSA documentation suggests that account lockout is changed so that
such will not happen. However, early reports of account lockout were reported. Password checks
are not run against domain controllers.
Now What?
There is actually quite a lot of useful security information available in a scan, but MBSA has the
same problems that any vulnerability checker has. Users of the scanner must realize that there are
no hard and fast security rules. When the scanner tags having more than two administrators as a
vulnerability, it cannot take into account the number of computers that are managed in a
network. Networks with hundreds of computers will require more than two administrators to
manage them; networks with thousands of nodes even more. Likewise, hotfixes should be
evaluated on their own merit. If a hotfix should only be applied in some circumstances, it is
difficult for a vulnerability checker to indicate so in a manner that will make everyone think
before applying it. A third issue also involves the application of hotfixes. MBSA provides a click
through so that the administrator can locate, download, and apply a hotfix immediately.
However, when multiple hotfixes are needed, there is no way to automatically build a chain.
Savvy administrators will use the report to determine status of the machine, then use other
methods to bring the system up to date.
Nevertheless, MBSA is a useful tool. Home users and network administrators can evaluate basic
security against a common norm. They can, and should, make decisions about which parts of the
report are valid for themselves.
44
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement