The Internet Encyclopedia (Volume 3)



WL040C-63 WL040/Bidgoli-Vol III-Ch-64 June 23, 2003 16:45 Char Count= 0


Windows 2000 Security


E. Eugene Schultz, University of California–Berkeley Lab

What is W2K?
How W2K Works
Domains
Active Directory
Organizational Units (OUs)
Access Permissions
Kerberos
Security Support Provider Interface (SSPI)
Auditing
Encrypting File System (EFS)
Encryption of Network Transmissions
Routing and Remote Access Service (RRAS)
Certificate Services
Distributed File System (DFS)
Microsoft Management Console (MMC)
How Secure Is W2K?
How Secure Is W2K by Default?
Major Types of Vulnerabilities
How Secure Can You Make W2K Systems?
Baseline Security Measures
Conclusion
Glossary
Cross References
Further Reading

WHAT IS W2K?
Microsoft’s Windows 2000 (W2K) is an operating system product that includes both workstation (Windows 2000 Professional) and server (such as Windows 2000 Server and Windows 2000 Advanced Server) versions. It supports not only desktop and office automation applications but can also be used to run network applications that support mail, Web, and file transfer services, a domain name service (DNS) server, and even routing and firewalling network traffic. W2K also includes many features that were not available in its predecessor, Windows NT (NT), the most notable of which is W2K directory services (called Active Directory). Active Directory provides an infrastructure and related services that enable users and applications both to locate and to access objects such as files and printers and services throughout the network. Active Directory is a directory service (similar to Novell’s Netware Directory Service) that acts as the main basis for holding and distributing data about accounts, groups, Organizational Units (OUs), security policies, services, domains, trust, and even Active Directory itself. This directory service not only stores data of this nature but also makes it available to users and programs, providing updates as needed.
Active Directory also supports security by storing security-related parameters and data and supporting services (e.g., time services) needed for achieving system and network security. Active Directory is, in fact, in many respects the “center of the universe” in W2K.

HOW W2K WORKS
A good starting point in exploring how W2K works is W2K
domains, the focus of the next part of this chapter.

Domains
W2K machines can be configured in either of two ways: as part of a domain or as part of a workgroup consisting of one or more machines. A domain is a group of servers and (normally) workstations that are part of one unit of management. Each domain has its own security policy settings. Policies are rules that affect how features and capabilities in W2K work; they can determine allowable parameters (such as the minimum number of characters in passwords), enable functions (such as the right to increase or decrease the priority with which a program runs), or restrict the ability to perform these functions (I cover policies in more detail later in the chapter). Domain controllers (DCs) hold information related to policies, authentication, and other variables. When a change to a policy is made, a new account is created or deleted, or a new OU is created, the changes are recorded by a DC within a domain, and then replicated to all the other DCs within the domain within a designated time interval.
Domains are good for security, provided, of course, that they are set up and maintained properly. It is possible to set domain policies so that (with a few exceptions) they will be applied to virtually every server and workstation within a domain. This decreases the likelihood that any system within the domain will be a “weak link” system, one that is an easy target for attackers. Additionally, domain functionality includes important features such as the ability to limit the workstations and servers that may be added to a domain.
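The “weak link” point above, as an added example that is not part of the original chapter: a Python script that compares `net accounts` output captured from several machines against one baseline and lists the hosts that deviate from it. The host names, the sample captures and the baseline values are constructed assumptions.

```python
import re

# Hypothetical baseline a domain-wide policy would enforce (assumed values).
BASELINE = {"Minimum password length": ("at_least", 8),
            "Lockout threshold": ("at_most", 5)}

# Constructed, abbreviated `net accounts` captures; host names are made up.
SAMPLES = {
    "DOM-WS01": """\
Minimum password length:                              8
Lockout threshold:                                    5
""",
    "WKGRP-PC7": """\
Force user logoff how long after time expires?:       Never
Minimum password length:                              0
Lockout threshold:                                    Never
The command completed successfully.
""",
}

def parse_net_accounts(text):
    """Return {setting: value}; numbers become int, 'Never'/'None' become None."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s+(\S.*)$", line.strip())
        if not m:
            continue  # status lines such as "The command completed successfully."
        name, value = m.groups()
        settings[name] = (int(value) if value.isdigit()
                          else None if value in ("Never", "None") else value)
    return settings

def deviations(settings):
    """List (setting, value) pairs that are missing, unset or weaker than BASELINE."""
    found = []
    for name, (rule, limit) in BASELINE.items():
        value = settings.get(name)
        if not isinstance(value, int) or (
                value < limit if rule == "at_least" else value > limit):
            found.append((name, value))
    return found

def weak_links(captures):
    """Map each host that deviates from BASELINE to its list of deviations."""
    report = {h: deviations(parse_net_accounts(t)) for h, t in captures.items()}
    return {h: d for h, d in report.items() if d}

if __name__ == "__main__":
    print(weak_links(SAMPLES))
```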
The other option is to belong to a “workgroup.” By default, a system that is not part of a domain is a member of its own workgroup. In workgroups, anyone with Administrator privileges on a workstation or server and who knows the name of a certain workgroup can add that machine to the workgroup, which makes it possible to discover a great deal of information about each machine and user in the workgroup. This information can be used advantageously to attack the other systems. Access to resources (such as files, folders, directories, printers, and so forth) is determined locally by the particular server or workstation within the workgroup that contains the resources. No built-in central control capabilities exist. Users whose machines are part of workgroups can engage in functions such as sending mail, transferring files,
