Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
ارسال به دوستان
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات
توضیحات
افزودن یادداشت جدید







Securing COM, COM+, and DCOM Applications Using Component Services


Component Object Model (COM), COM+, and Distributed COM (DCOM) applications are managed from the Component Services console, as displayed in Figure 4-31. You can manage security for these applications inasmuch as the application provides interfaces for doing so. COM+ applications, for example, may define roles that have specific privileges and permissions within the application. You can manage roles using the console if roles have been defined in the application.

Figure 4-31. The Component Services console is used to manage security for COM+ and COM applications.

[View full size image]

Security for all COM, COM+, and DCOM applications consists of the following:

Setting user rights, audit, and resources permissions such as those set on NTFS folders and files.

Setting system-wide properties that will be used by all applications that you do not manage explicitly.

Setting Application properties for each application that you want to manage explicitly.

Adding users and groups to roles in role-enabled COM+ applications.

Ensuring only administrators can modify application settings and add users to roles.

Limiting the number of administrators who can modify COM+ security.


WARNING: Don't Adjust Existing COM+ Application Properties

It is not recommended that you adjust application properties because applications may contain code that requires the default settings to be in place. Modifying settings may cause an application to fail, become unstable, or behave less securely. Unless you thoroughly understand the application and know why modifying settings can improve security, you should leave settings as they are. The best time to question the default settings used on an application is during its development.

Configuring Security for COM and COM+ Application Interaction


A number of properties can be configured:

Authentication level for calls

Authorization

Security Level

Impersonation

Identification

Launch Permissions

Access Permissions


Authentication Level for Calls

An identity is a characteristic such as a user ID or computer name. Authentication is the process by which an identity proves it is who it claims to be. Calls to COM+ components may be restricted to users with a specific role, in which case authentication is used to determine if the user is who they say they are, and then their membership is checked.

NOTE: Resource

You can learn more about managing COM+ applications from the platform Software Development KIT (SDK). You can locate a copy online at the MSDN site, http://msdn.microsoft.com.

Authentication level is specified in the Component Services tool, or it can be managed programmatically using Administrative SDK functions. COM+ server and client applications can require authentication. Authentication can be set to a range of degrees, from none to encryption of every packet and all method call parameters. The following list is ordered from no authentication to the highest level. Authentication is negotiated between the client and the server, and the more secure setting of the two is used. You can control authentication from the server side by setting authentication to the highest level you desire. Machine-wide settings (the default is connect) are used if the authentication level is not set for an application. Authentication levels are as follows:

None
No authentication occurs.

Connect
Credentials are checked only when a connection is made.

Call
Credentials are checked at the beginning of each call.

Packet
Credentials are checked, and verification that all called data is received takes place.

Packet integrity
Credentials are checked, and verification that call data has not changed in transit takes place.

Packet privacy
Credentials are checked, and verification that all information in the packet, including sender's identity and signature, are encrypted


To set machine-wide authentication level, follow these steps:


1.

Open the Component Services administrative tool.

2.

Right-click on the Computer container and click Properties.

3.

Select the Default Properties tab, as shown in Figure 4-32.

Figure 4-32. The default properties of the application can enable the use of application-defined roles.

4.

Ensure that the Enable Distributed COM on this computer option is checked.

5.

Use the Default Authentication Level box to select a value.

6.

Click OK.


Authorization

If role-based security is available in the COM+ application, enable authorization checking. Users who access the application are checked for role membership before being authorized to do anything in the application. To enable authorization checking, follow these these steps:


1.

Open the Component Services console.

2.

Right-click on the COM+ application, and then click Properties.

3.

Select the Security tab.

4.

In the Authorization box, select the Enforce access checks for this application check box, as shown in Figure 4-33.

Figure 4-33. Use the Security tab to set authorization level, security level, and impersonation level.

5.

Click OK.


Security Level

The security level sets the level at which access level checks are performed in role-enabled COM+ applications. Access checks can be set at the component level or at the process level. Setting access checks at the component level enables roles. Roles can be assigned to components, interfaces, and methods within the COM+ application. Process-level access checks apply only to application boundaries.

To set a security level, follow these steps:


1.

Open the Component Services console.

2.

Right-click the application and click Properties.

3.

Select the Security tab.

4.

Under Security level, as shown in Figure 4-33, select either


Perform access checks only at the process level

or


Perform access checks at the process and component level

5.

Click OK.

6.

Restart the application for the checks to take place.


Impersonation and Delegation

When a server makes a call on behalf of a client and uses the client's credentials instead of its own, it is performing impersonation. Resource access is thus expanded, or restricted, depending on what the user can do. For example, you may need the server application to access data in a database, in which case you would want it to be able to get any data that the client has permission to access.

Impersonation levels are as follows:

Anonymous
Client is anonymous as far as the server is concerned. The server can impersonate the client, but no information about the client is in the impersonation token.

Identify
The default; the server can obtain the client's identity and can impersonate. Used for determining access-checking levels.

Impersonate
Default for COM+ server apps. The server can impersonate the client but is restricted. The server can access resources on the same computer as the client. If the server is on the same computer as the client, it can access network resources on the client's behalf. If it is not, it can only access resources on the computer it resides on.

Delegate
The server can impersonate the client, whether or not it is on the same computer as the client. Client credentials can be passed to any number of machines.


To set the impersonation level, follow these steps:


1.

Open the Component Services console.

2.

Right-click the application and click Properties.

3.

Select the Security tab.

4.

Use the Impersonation Level box, as shown previously in Figure 4-32, to set the impersonation level.

5.

Click OK.

6.

Restart the application for the checks to take place.


Delegation is a special type of impersonation used over the network. The server and client applications do not reside on the same computer, and yet the server uses the client's identity to access resources on a third remote machine. Delegation is controlled with the Active Directory Service. To set delegation, see Chapter 8, "Trust." Two requirements must be met:

The identity the server is running under (the account it uses to run its service) must be marked "Trusted for delegation."

The client application must be running under an identity that is not marked as "Account is sensitive and cannot be delegated."


Identification

COM and COM+ applications may run as a service. When they do, they run within the security context of an account or the Local System. If they are not implemented as a service, they may impersonate or act on the authority of the user account used to run them.

Application identity is set during application installation and is only relevant for server applications. Identity is the user account that the application runs under and uses when it calls other applications and resources. Library identity is not set. Library COM+ applications use the identity of the host. Using a specific account, either Local service or an assigned user account is more secure than allowing the identity to be interactive. Interactive means that the COM+ application runs with the authority of the logged on user. If, for example, the local administrator is logged on, COM+ applications could be running with his authority and could be used to make calls and access resources, even for clients. If no one is logged on, then the application cannot be run. Identity can be set to this:

Interactive
The user who is logged on

Local service user
An account with minimal permissions to run a locally accessible service

A specific valid user account


WARNING: Password Storage for COM+ Identity

COM+ stores passwords in LSA secrets, and thus an administrator can obtain them. Be sure to use an account created just for the COM+ application and deny the account the right to log on locally.

Launch Permissions

Launch permissions specify a list of users who can be granted or denied permission to run or launch component model applications. When set in the properties of the computer, permission to launch is conferred for all applications that do not set their own launch permissions list. The default list is INTERACTIVE (anyone logged on locally), SYSTEM, and Administrators.

To set launch permissions:


1.

Open the Component Services console.

2.

Right-click the computer you want to set system-wide launch permissions for and click Properties.

3.

Select the Default COM Security tab.

4.

In the Launch Permissions box, select Edit Default, as shown in Figure 4-34.

Figure 4-34. Launch Permissions are set from the Default COM Security tab.

5.

Add user groups and assign them the launch permissions, either Allow or Deny.


Launch Permissions can be set for individual applications. Examine a few applications, and you will learn that most simply use the default, but there are exceptions. If you open the properties for Automatic Updates, as shown in Figure 4-35, you can see that the launch permissions are customized. They are restricted to the SYSTEM and Administrators, while the default permissions are INTERACTIVE, SYSTEM, and Administrators.

Figure 4-35. Automatic Updates is assigned custom launch permissions.

[View full size image]

Setting launch permissions is a good way to restrict software use. You can set launch permissions on any Component Services application and allow only certain users to run them. For example, the default for Media Player is the default settings: Administrator, SYSTEM, and INTERACTIVE. If you want to restrict startup (launch permissions), use (access permissions), or configuration (configuration), you can make those adjustments here.

WARNING: Modifying Settings

Before you jump in and modify settings, you need to understand the impact of your actions. If you don't know what an application is doing, don't change its settings. If you do know, consider where you might want to restrict the application's use. If you feel no need to manage Media Player so closely, well then, how about NetMeeting? Should NetMeeting sessions be run from a server? Any desktop? By anyone? You can easily make locking down Component Services applications a part of a comprehensive security policy strategy. Just make sure it does not become part of a strategy that makes systems unusable.

Limiting Application Privilege with Library Applications


There are two types of COM+ applications: applications and libraries. Libraries are hosted by another process, which means they run under the host security rather than their own user's identity. Their privilege is only that assigned to the host. Library applications may participate in authentication by default, but they can be configured not to use authentication by disabling it. (This is not a good idea.) A COM+ application can be deliberately limited by developing it as a library application. It can only access the resources that its client, the host process, can access. When calls are made outside of the application, or access to resources such as files depends on a security descriptor, they appear to be the client. If you are developing an application that performs sensitive work, and you want to limit its use to only those with permissions to do that work, then make it a library application.

Assigning Users to Roles


Roles are user categories defined within an application by the developer. Like Authorization Manager-enabled applications, COM+ applications may define roles that dictate what a user can do when running the application. The roles enforce an access control policy specific to the application and are built into the application by the developers. Administrators assign Windows users and groups to application roles. An example of COM+ application roles can be viewed in the Component Services console. Open the console and expand My Computer, COM+ Applications, System Application, and then Roles. Expand each role and the Users container underneath it. The results are illustrated in Figure 4-36.

Figure 4-36. The System Application has roles defined, and in many cases, Windows groups are assigned.

[View full size image]

Each role also has a description that explains what the user who is assigned that role can do. For the System application, the roles, descriptions, and user groups are defined in Table 4-4.

Table 4-4. System Application Roles

Role

Description

Default Users

Administrator

Can configure this COM+ application on this system.

Local Administrators

Any Application

Identities under which any application on this system may run.

Everyone

QC Trusted User

Trusted to transmit messages for queued components on behalf of other users.

No users are assigned to this role

Reader

Examine configuration of items and view performance information on running applications.

Everyone

Server Application

Identities under which COM+ Server applications run on this system.

Everyone

An application that uses role-based security checks the role membership of a user every time he uses any part of the application. If he doesn't belong to the role that is authorized to access the resource or make the call, the call fails. You must carefully assign users to the roles that match their real-world roles. Application documentation should clearly state what each role means and what rights and permissions within the application it has. Administrators need to know which users' business needs map to the defined role. A breakdown in communications here can mean that a user who needs to do her job can't do it or that some unauthorized individual might gain access he shouldn't.


Can Application Role Confusion Cause DoS?


At the Advanced Services Corporation, a small Midwestern consulting firm, Donna Advertius was tasked with modifying the PBX system. This system had just been upgraded to Windows Server 2003 and used Microsoft SQL Server for its database of users, messages properties, rules, and restrictions. An advertised benefit of the system is the ability to record incoming calls and mail them to Microsoft Exchange so that mailbox owners can listen to their voice messages from their PCs. The company decided that this feature would be especially helpful to traveling consultants because they could check their voice mail at the same time they checked their email. The feature would also give all users more flexible access to messages. Another advantage would be that immediate callbacks could be made without entering a phone number.

Documentation was sparse, but Donna had studied the PBX systems and was very comfortable with Windows Server 2003, Exchange, and SQL Server. It looked like all she needed to do was set up SQL Mail and make a few other minor changes. Setting up SQL Mail is not difficult, but it requires a number of steps, one of which is to set up an account for the service to use and to create a profile for the account. SQL Mail then uses that account to send messages to any user account. A few quick adjustments, and SQL Mail was working.

Next, one line in the PBX documentation indicated changing the service account for the PBX system to the same account used for SQL Mail. Do you get the picture now? The PBX system would record the message and use SQL Mail to deliver it to the user's mailbox. Donna easily changed the account, and the PBX service started right back up. Good, she thought as she looked at the clock. A quick test of the system, and I'll be home by midnight.

To test the system, she decided to call her own number from the phone in the server room and then visit her PC to listen to the message. She couldn't make the call. There was no dial tone. Nothing. She checked at least a dozen phonesnada, no dial tone. She'd killed the phones. Was it some new problem with Windows Server 2003? Was the documentation missing steps? Had she done something wrong?

Then it hit her. COM+ roles? She fired up the Component Services console, and sure enough, the PBX application was listed there. A role called Administrator was present, but only the SYSTEM was assigned. She checked Launch Permissions and found that they, too were limited to SYSTEM. Because the initial PBX setting assigned the Local System as its service account, the system had worked fine. When she changed the account, PBX no longer had permission to access its own components. End of phone service. Changing the Administrator role assignment and giving Launch Permissions to the new service account was all that was needed to get the phones running again.

Even if you do not want to configure COM+ application security or don't have applications that have built-in roles for you to administer, you should manage roles on the System Application. These roles determine who can install COM+ applications and who can administer COM+ applications and the COM+ application environment. By default, the local Administrators group is a role member. While only members of the Administrators group can administer COM+ security, you may want to restrict administration further. To do so, follow these steps:


1.

Open the Component Services Console (Start, Programs, Administrative Tools).

2.

Expand the System Application node and then expand the Roles icon.

3.

Expand the Role node.

4.

Right-click the Users folder under the role, select New, and then click User.

5.

Enter the username in the Select Users or Groups windows or use the Advanced button and then the Find now button to select a user or group from a list of users and groups on this computer.

6.

Restart the computer for the changes to take effect.


Setting Software Restriction Policies for a COM+ Application


A Software Restriction Policy can be set directly in COM+ Application properties on a Windows Server 2003 server. By default, the system-level Software Restriction Policy security level is set the same for all server applications because they all run in the same file, dllhost.exe. If you need to change the policy for specific COM+ applications, you do so by setting Software Restriction Policies directly in the properties of a COM+ application. Software Restriction Policies set here take precedence over system-wide policy settings.

To set COM+ application Software Restriction Policy, do this:


1.

Open Administrative Tools, Component Services Tool.

2.

Right-click the COM+ application you want to manage.

3.

Select the Security tab.

4.

Select the Apply software restriction policy check box under Software Restriction Policy to enable setting the security level, as shown in Figure 4-37. (If the check box is clear, the system-wide Software Restriction Policy is in effect.)

Figure 4-37. Software Restriction Policy for a COM+ application can be set in its property pages.

5.

Set the restriction level, either Disallowed (the application can load untrusted and trusted components but cannot use the full privileges of the user) or Unrestricted (the application has unrestricted access to the user's privileges; only components with an Unrestricted trust level can be loaded into it).



/ 194