WL040C-63 WL040/Bidgoli-Vol III-Ch-64 June 23, 2003 16:45 Char Count= 0
Audit process tracking (e.g., user attempts to start or stop programs)
Audit system events (e.g., system startups and shutdowns)

GPOs can be used to set the audit policy for all the DCs within a domain as well as for member servers and workstations. Additionally, property settings for each of the types of logs determine the maximum size of each log and the retention method (e.g., whether to overwrite log entries only when the maximum log size is reached or not to overwrite events, that is, to clear the log manually).

Encrypting File System (EFS)
EFS provides encryption of folders and/or files stored on servers and workstations. EFS encryption is an advanced attribute for each folder and/or file. When a user enables encryption for a file, for example, a file encrypting key (FEK) is used to encrypt the file contents. When the user accesses the file (e.g., through an application), the FEK (which is used in connection with secret key encryption) decrypts the file. When the user finishes accessing the file, the FEK once again encrypts it. A key encrypting key (KEK), one of a public–private key pair, is used to encrypt a copy of the FEK. If something goes wrong, for example, if the KEK is deleted, authorized persons (by default, Administrators) can access the Data Recovery Agent snap-in, which uses the other key of the key pair to decrypt the FEK. Unfortunately, EFS in W2K is beset with a number of problems, including the necessity of sharing a user’s FEK with others when more than one user needs to access an EFS-encrypted file. Despite the potential utility of folder and file encryption, the use of EFS in W2K thus is not generally advisable.

Encryption of Network Transmissions
W2K offers a number of ways to encrypt data sent over the network, including IPsec, the Point-to-Point Tunneling Protocol (PPTP), and other methods. IPsec is the secure IP protocol that features an Authentication Header (AH) and Encapsulating Security Payload (ESP). The AH provides a cryptographic checksum of the contents of each packet header that enables machines that receive “spoofed” packets, i.e., packets with falsified source addresses, to reject them. The ESP provides encryption of the data contents of packets, such that if anyone plants a sniffer on a network, the perpetrator cannot read the packet contents in cleartext. W2K provides IPsec support, although its implementation of the IPsec protocol limits the range of other systems with which W2K systems can set up IPsec sessions. W2K policy settings allow system administrators to set variables such as the conditions under which IPsec is used, the strength of encryption, and others. PPTP can also provide confidentiality of data sent over the network, although PPTP cannot verify the integrity of packets.

Routing and Remote Access Service (RRAS)
RRAS, another important W2K service, can be used to manage parameter settings for the W2K Remote Access Service (RAS), PPTP, and the Layer 2 Tunneling Protocol (L2TP). Among other things, RRAS can be used to elevate security, in that this service can fix the method of authentication to be used (Kerberos, the older NTLM authentication method, and so forth) as well as filter and log incoming IP packets. IP packet filters can selectively determine whether packets will be received and/or forwarded on the basis of source IP address, destination IP address, and type of protocol. RRAS also allows system administrators to log all incoming IP traffic, something that is potentially very useful in identifying and investigating remote attacks.

Certificate Services
The Advanced Server version of W2K also offers certificate services. These include creation and release of X.509v3 certificates and even Public Key Infrastructure (PKI) capabilities. PKIs provide a hierarchical structure of Certification Authorities (CAs) that issue and validate certificates.

Distributed File System (DFS)
DFS is a function that enables system administrators to create and administer domain shares through a centralized function on each DC. DFS also allows administrators to assign permissions to shares, thus potentially limiting the level of access to resources throughout each domain.

Microsoft Management Console (MMC)
The MMC in W2K features “snap-ins,” convenient objects that allow control of settings (group policy settings, in particular). Some of the snap-ins allow control of certificates, others are for computer management, others are for the event viewer, others are for group policy, and still others are for security templates. Security templates provide groups of settings that affect security and can be used either to evaluate the security level or to change unsafe settings to ones that are more suitable for security.
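The two uses of a security template named above, evaluating the current security level and changing unsafe settings, are the same comparison run in two modes. The following Python is an added example, not code from this chapter or from Microsoft's tooling: it parses a small template written in the [System Access] / [Event Audit] layout that security template .inf files use, reports where a constructed snapshot of a freshly installed machine deviates from it (the audit categories echo the audit policy list earlier in this section), and then applies the template so that a second analysis comes back clean. The template values, the machine snapshot, and the 0–3 audit encoding (1 = success, 2 = failure, 3 = both) are assumptions made for the example.

```python
import configparser

# Constructed template text. Section and key names follow the [System Access] /
# [Event Audit] layout of security template .inf files; the values are illustrative.
TEMPLATE_INF = """
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditSystemEvents = 3
AuditProcessTracking = 3
AuditLogonEvents = 3
"""

# Constructed snapshot of a freshly installed machine (hypothetical values).
# Each key is (section, setting); audit values use the assumed template encoding
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
CURRENT_STATE = {
    ("System Access", "MinimumPasswordLength"): "0",
    ("System Access", "LockoutBadCount"): "0",
    ("Event Audit", "AuditSystemEvents"): "0",
    ("Event Audit", "AuditProcessTracking"): "1",
    # AuditLogonEvents is absent: the setting was never defined on this machine.
}

AUDIT_NAMES = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}


def parse_template(text):
    """Return {(section, key): value} from INF-style template text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep key names exactly as written
    parser.read_string(text)
    return {(sec, key): val for sec in parser.sections() for key, val in parser.items(sec)}


def describe(section, value):
    """Render a value the way an administrator would read it in the snap-in."""
    if value is None:
        return "Not Defined"
    if section == "Event Audit":
        return AUDIT_NAMES.get(value, value)
    return value


def analyze(template, state):
    """Evaluate mode: every template setting whose current value differs.

    Returns a list of (section, key, expected, actual) tuples; an empty list means
    the machine already matches the template. Settings the template does not
    mention are ignored, since a template only speaks for the keys it contains.
    """
    findings = []
    for (section, key), expected in sorted(template.items()):
        actual = state.get((section, key))
        if actual != expected:
            findings.append((section, key, expected, actual))
    return findings


def configure(template, state):
    """Change mode: return a new state with every template value applied.

    Keys the template does not mention are left as they were, mirroring the way
    applying a template changes only the settings it defines.
    """
    new_state = dict(state)
    new_state.update(template)
    return new_state


def report(findings):
    """Human-readable lines for the analyze() output."""
    return [
        f"{section}/{key}: template {describe(section, expected)}, "
        f"machine {describe(section, actual)}"
        for section, key, expected, actual in findings
    ]


if __name__ == "__main__":
    template = parse_template(TEMPLATE_INF)
    for line in report(analyze(template, CURRENT_STATE)):
        print(line)
    hardened = configure(template, CURRENT_STATE)
    print("after configure:", analyze(template, hardened))   # prints: after configure: []
```

Running the analysis before applying the template produces one line per deviation, including the audit category the machine never defined, which is the kind of gap an administrator wants to see before deciding whether to switch from evaluating to configuring.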
The services, functions, and properties discussed in this section are not the only ones that W2K offers, but they represent some of the most important services from a functionality and security standpoint. In the next section, I discuss the strengths and weaknesses of W2K security.

HOW SECURE IS W2K?
After all the problems that organizations and the user community have had with NT security, it is important to ask how secure W2K really is. The question really breaks down into two questions, however: (a) How secure is W2K out of the box? and (b) How high a level of security can W2K achieve?

How Secure Is W2K by Default?
Some of the same security-related problems that plagued NT are still present in W2K systems immediately after an installation of W2K. The permissions for the critical %systemroot%\ directory, for example, allow Full Control to Everyone in W2K. Additionally, in W2K Server and W2K Advanced Server, the IIS Admin Service runs