Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
Certificate Services ProcessingPKI components, both those on clients such as certificate stores and certificates and those on the CA, interoperate to provide public key technologies as part of network operations. Many operating system processes and applications use these services. Many of these processes, such as the use of certificates by IPSec policies and VPNs, are detailed in other chapters. Others, such as certificate enrollment and revocation, that are part of the certificate lifecycle and certificate chaining, which is key to certificate validation, are described in this section. Certificate LifecycleThe certificate lifecycle consists of several events:EnrollmentRenewalUsageRecoveryRevocationExpiration Certificate EnrollmentThe Certificate Enrollment function consists of a request, approval, and distribution or rejection. Requests may be made either manually or automatically. The process for requests made to an Enterprise CA follows these steps: TIP: Use Web Enrollment to Obtain V2 CertificatesA Windows 2000 computer cannot request a V2 certificate using the Certificates console. However, any computer using IE 5.01 or later can use web-enrollment methods and an ActiveX control to request and download V2 certificates. The ActiveX control can only be downloaded to the computer by a member of the Administrators or Power Users group. V2 certificates downloaded to a Windows XP Professional or a Windows Server 2003 computer can also be exported and then imported to a Windows 2000 computer.Using the Certificates Console to Request a Certificate Use of the Certificates console to request a certificate does not require any special permission if the certificate request is for a certificate for the current user. If the request is for a different entity, such as a computer or a service, administrative privileges are necessary.The Certificates console cannot be used in the following circumstances:A standalone CA is the issuing CA.You cannot select options you need from the Certificate Console Certificate Request Wizard. Some options are not available from this wizard, such as the following:Marking keys as exportable.Choosing the hash algorithm.Saving the request as a PKCS# 10 file.Windows does not generate the certificate subject name.You are requesting a CA certificate from a Windows 2000 CA. In these circumstances, you must use the certificate enrollment pages. These pages are located at http://servername/certsrv. These pages must also be used to download certificates that require approval.TIP: DSS CertificatesIf you require a Digital Signature Standard (DSS) certificate from an enterprise CA, select the User Signature Only certificate template from the wizard certificate page. This certificate uses the Digital Signature Algorithm (DSA) standard for its signature algorithm and the SHA-1 message hash algorithm. DSA can be used only for signatures, not for encryption.To request a personal certificate, follow these steps:
Using the Web Enrollment Pages to Request a Certificate Web enrollment pages are located at http://servername/certsrv, where servername is the name of the Windows Server 2003 computer that is hosting web enrollment. This can be either the CA or the RA. Web enrollment pages must be used when the CA is a standalone CA. Additionally, you can also use the web enrollment pages toCheck the status of a pending certificate requestDownload a CRLRetrieve a CA certificate from a CASubmit a request using a PKCS #10 or PKCS #7 fileRequest a smart card certificate on behalf of another user To request a certificate, follow these steps:
If certificates must be approved, you may be asked to return later to obtain the certificate. To check on a pending certificate, follow these steps: Request a Certificate Using a PKCS #7 or PKCS #10 File If the CA is offline or is online but unreachable from the client, a certificate request may be saved in a file. To complete the request and obtain the certificate, you must take the request and access the CA either from its console or from a computer that can reach it online. To do so, follow these steps:
Command-Line Options for Requesting Certificates The certreq command can be used to request a certificate. This tool is part of the support tools available on the Windows Server 2003 installation CD-ROM. To use the tool, use the syntax as described at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_cs_certreq2.asp.For example, request a certificate from the regalinn CA installed on the server regalinn by using this command: Then, enter the name of the certificate request file you have prepared. Certificate Distribution and Automatic EnrollmentReading about and requesting a single certificate makes the distribution part of the enrollment process seem effortless, as indeed it can be. When large numbers of users must individually request certificates, and when certificates must be manually requested for computers, however, the process is not so easily accomplished. Many users will have difficulty with the procedure, and the time that might be spent helping them or requesting certificates for them can be substantial. In addition, if an administrator must manually request every computer certificate, this too can become tedious.Automatic enrollment can be used to solve these problems. Windows 2000 can be configured to automatically enroll computers, but not to provide automatic enrollment for user certificates. Windows Server 2003 offers automatic enrollment for user and computer certificates. Autoenrollment can reduce the cost of implementing and managing PKI. Certificate renewal, superseding of certificates, and multiple signature requirement certificate requests can also be automatically enrolled. In some cases, the process may require some user intervention and may provide user notification. For example, when smart card certificates are required, the user will be prompted to insert a smart card. Examples of the types of certificates that can be automatically enrolled include the following:Smart card logonEFSSecure Sockets Layer (SSL)Secure/Multipurpose Internet Mail Extension (S/MIME)UserComputerCertificate autoenrollment is based on Group Policy settings and the use of V2 certificates. V2 certificates can use autoenrollment or can require a request. Autoenrollment is only possible if the requestor is registered and authenticated as a user or computer in Active Directory. In addition, the following operating systemspecific requirements must be met:Windows Server 2003 schema and Group Policy updatesWindows Server 2000 Service Pack 3 or later domain controllersWindows XP or Windows Server 2003 clientsWindows Server 2003 Enterprise Edition or Datacenter Edition Enterprise CA TIP: V2 Certificate Client EnrollmentOnly Windows XP and Windows Server 2003 computers can participate in the V2 certificate client enrollment process, and only a Windows Server 2003 Enterprise Edition or Datacenter Edition CA can develop the V2 certificate templates.NOTE: Auto DownloadAuto download of CA certificates and CTL can also be provided by the autoenrollment service.The NTAuth store is created during the setup of Enterprise CA. The store designates CAs that can issue certificates for use in smart card logon and use the enroll on behalf of right. It can be added to using the DSSTORE command in Windows 2000 and the certutil command for Windows XP and Windows Server 2003.Group Policy is used to manage autoenrollment. The user configuration container is used for user certificates, and the computer configuration container for computer certificates. Once configured, autoenrollment is triggered by logon, at boot for computers, and at logon for users. Policy is refreshed every eight hours, and this timeframe can be configured in Group Policy. Once configured, the autoenrollment process proceeds as follows: TIP: Certificate Requests via Terminal ServerMany certificate requests, including autoenrollment requests, can be made through a Windows Server 2003 terminal server if the Windows Remote Display Protocol (RDP) 5.1 client is used. Enrollment agent requests cannot be made through a terminal server session. Certificate RenewalA certificate renewal request can be made from the web enrollment pages, or it can be configured to occur automatically by configuring a V2 certificate template. The information on the current certificate creates the renewal certificate. New keys can be generated or the existing keys can be renewed. Automatic certificate renewal can occur when the autoenrollment process is triggered and when the certificate has reached 80 percent of its lifetime, or by the certificate renewal period set on the certificate. (The default is six weeks, but it can be changed.) Revoked certificates cannot be automatically renewed. A new manual request is required after a certificate is revoked.Enrollment can be forced for all V2 autoenrollment certificates by updating the version number of the certificates. The version number is checked during the autoenrollment process, and if the number has changed, the certificate is added to the request list. To force autoenrollment, follow these steps:
Superceding CertificatesNew certificate templates or revised templates can be specified to supercede existing templates. This allows V2 certificates to supercede existing ones. For example, to take advantage of key archival for EFS certificates, a new V2 template can be created and configured to supercede the existing EFS certificates. Likewise, to use autoenrollment to renew certificates, create a V2 certificate template and set it to supercede the existing certificate. A new certificate will be issued. This illustrates using superceding to move users from V1 to V2 certificates; other uses of superceding include the following:Changing certificate lifetimeChanging key sizeAdding extended key use of application policyCorrecting enrollment policy errorsThe Supercede attribute is set in the certificate template on the Superceded page. Clicking the Add button displays a list of certificates to select from. Figure 12-22 shows that the new V2 template for EFS will supercede the EFS certificate. Figure 12-22. A superceded certificate will be replaced by a new template if the new template is configured to do so. Certificate and Key Recovery and ArchivalCertificates can be exported to a file with or without the associated private key. This method is often used to enable the use of a certificate and private key on another computer or as a form of backup. If the certificate and private key are exported, the file can be used to recover the certificate and private key. Additional methods for recovery exist.Chapter 13.Exporting Certificate and Private Key Exporting a certificate and private key provides a simple backup solution. This is especially critical for certificates where creating a new key pair would remove the user's ability, for example, in the case of EFS certificates where key archival is not used. Exporting keys can also create a security issue. If users export certificate and key to a floppy disk, protect it with a weak password, and leave the disk easily available, it is subject to theft and might be used to attack the system and, in the case of EFS, to decrypt sensitive files. Whether users should be allowed to export keys should be a management decision and should be part of your organization's security policy.The ability to export keys can be technically constrained by selecting an attribute on the certificate. To export a certificate, follow these steps:
Certificate Chaining and Certificate RevocationCertificate chaining is the process of completing the path from the end-use certificate back to the root of its trust and includes the validation of each certificate in the chain. The process is carried out by a chaining engine (a process running on the local computer) and includes the following steps:
Cross-Certification and Qualified SubordinationQualified Subordination is a characteristic of Windows Server 2003 CAs that allows cross-certification of CA certificates and provides precise control of certificate trusts. Cross-certification is the process of creating a certificate trust between two CA hierarchies. Certificate trusts are created when cross-certification certificates from two different CA hierarchies are traded. If a certificate trust is created, certificates from either CA hierarchy can be trusted if the root CA certificate of one hierarchy is available.For example, if two companies want to share documents between researchers at both companies, they must implement some form of authentication to make sure only the right individuals can access the documents. If each company has implemented PKI using their own in-house root CA, certificates from each may be presented as part of the authentication process. Because neither company has a copy of the root A certificate of the other, how can trust be established? It's always possible to provide a copy of the root CA certificate from each company to the other, and then import that certificate into the certificate stores of any computer in the extra net. This may be unwieldy if many computers must import the CA certificate and if Group Policy cannot be used. If each CA hierarchy provides a cross-certification certificate to the other, holders of either root CA certificate will trust certificates from either CA hierarchy.In addition to providing basic trust, the trust can be constrained by rules established when the certificates are created. For example, certificates from a specific CA can be excluded from the trust, or specific certificate purposes can be trusted or not trusted. If, for example, IPSec certificate purpose was excluded from the trust, a computer certificate that can be used for domain authentication and for IPSec will be restricted and will only be useful for domain authentication.Two typical places for installing the cross-certification certificate are with the root CA, as shown in Figure 12-28, and with a subordinate CA, as shown in Figure 12-29. When cross-certification is created at the root, and the certificate trust is not restricted by qualified subordination, every certificate issued by one CA is trusted by the other. On the other hand, if the trust is created at a subordinate CA level and is not restricted, only the certificates issued from the subordinate CA or its children are trusted by the other CA. In Figure 12-29, the CAs trusted by Regalinn are circled in the Motorinn Hierarchy. Figure 12-28. Cross-certification at the root extends trust throughout the hierarchy. Figure 12-29. Trust at the subordinate CA level extends trust from the subordinate CA and below. A bridge CA provides an easy way of creating trust relationships between multiple CA hierarchies. In this scenario, a CA serves as the managing hub or bridge for the trust relationships, as illustrated in Figure 12-30. All that is necessary is for each CA hierarchy to cross-certify with the bridge CA. This type of trust is not meant to combine multiple unrelated organizations with each other. However, it is extremely useful for large organizations composed of independent entities, such as a decentralized governmental organization. Figure 12-30. A bridge CA can establish trust relations between multiple CAs. |
لطفا منتظر باشید ...
