Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
Avoiding Data LossPlanning for RecoveryBefore EFS is used, a recovery plan should be developed and put into place. Unfortunately, EFS is enabled by default, and few organizations create and implement an effective EFS policy before users are logged on to the system. Users can easily encrypt and decrypt files without realizing that they should be archiving keys. Using EFS to encrypt and decrypt files is easy. On the other hand, while recovery is not difficult, it requires thought and potentially substantial action. Private keys must be archived and protected. Recovery Plans for Standalone Systems and Domains Without CAsIt will be difficult to institute a plan for EFS file recovery based on end users' archival of EFS keys. Most users don't back up their data and aren't expected to do so. Data is often stored by policy on network servers and backed up by using automated programs and dedicated staff. When standalone systems are used to encrypt files with EFS, there is no centralized mechanism for archiving keys. (In a domain environment, other options exist.)Unless EFS is restricted to a few users, it will be impossible to create a workable and sustainable EFS key archival plan.Classic EFS, as implemented in Windows 2000, attempts to solve this problem by requiring the presence of a recovery agent before encryption can occur. On the standalone machine, this recovery agent is the local administrator. In the Windows 2000 domain, it's the first administrator who signed on after the first DC in the domain was dcpromoed. The recovery agent public key is used to encrypt every FEK; the recovery agent's private key can be used to recover all EFS-encrypted files. In a perfect world, there is no need for archived end-user encryption keys. The recovery agent can be used to recover EFS-encrypted files for which the original end user's keys are damaged or lost. For extra insurance, a recovery plan need only include the archival of the recovery agent keys. However, where all computers are standalone, archival of these keys presents the same problem that archiving end-user keys does: There is a unique recovery agent for each stand alone system. Furthermore, many of the reasons that can cause end-user keys to become damaged and lost can also impact recovery keys, so the archival of these keys is important. Windows XP and Windows Server 2003 standalone systems do not automatically create a recovery agent, and the existence of recovery agent keys is not necessary for encryption. In all cases, the recovery plan depends on the scrupulous archival and maintenance of asymmetric keys.NOTE: Public Key Policy Resides at the Domain LevelPublic key policy is configured at the domain levelthat is, recovery agents are created by default in the PKI policy of the domain. A forest-wide public key policy on recovery can be technically controlled by implementing PKI and controlling the assignment of recovery certificates.Another problem with this plan is that on the standalone computer, the recovery keys are present on the local hard drive. That means that a Windows 2000 laptop has not only user keys but also recovery keys traveling right along with it. If the laptop is stolen, there are two chances to subvert the process and decrypt the files. If the password to either the user's account or the local administrator's account can be cracked, the thief has access to the file. The legitimate administrator also has free and easy access to encrypted files, either as recovery agent or by changing the password of the user account and logging on as the user.Windows XP Professional and Windows Server 2003 attempt to correct this issue by removing the requirement for a recovery agent. This means that XP Professional in a domain will use a recovery agent if one is present, but a standalone Windows XP system does not have a recovery agent. Another change in Windows XP Professional and Server 2003 is that on a standalone machine, if an administrator resets the user's password, the association with the public key set is lost. Even though the administrator can now log on as the user, he cannot decrypt the files. (Should this accidentally occur, if the user has a password reset disk, she can use it to reset the password to the original one and thus can decrypt her files.) Ordinary password changes made by the logged on user do not cause a problem with EFS-encrypted files. In a domain, of course, the user's password may be reset with no ill effect.The fact that there is no recovery agent in a standalone system means there is no fall back if the user's keys are destroyed or if the user forgets his password and doesn't have a password reset disk. The EFS- encrypted files cannot be decrypted. To ensure a recovery strategy, each user's EFS keys must be archived. Recovery Policy and Disabling EFSIn Group Policy, the Encrypting File System policy can be used to disable EFS or to manage the recovery agent certificates. This policy is located in local or domain-based Group Policy in the Windows Settings, Security Settings, Public Key Polices container. The recovery agent certificate(s), if present, can be viewed in the policy, as shown in Figure 6-15. The certificate information shows the account assigned as the recovery agent. On a standalone Windows Server 2003 and Windows XP Professional computer, by default, there is no Encrypting File System policy recovery agent, as shown in Figure 6-16. However, the property page of the policy can be used to disable or re-enable the use of EFS on the system. Figure 6-15. In a domain, the EFS policy displays the recovery agent certificate(s).[View full size image]  Figure 6-16. On a standalone system, the EFS policy remains empty unless a recovery agent is added.Chapter 12.In a Windows Server 2003 domain, implement certificate services and add key archival.Disable EFS for each computer by modifying the registry of each standalone computer or by configuring the local Group Policy. Delete the EFS Policy and Create an Empty PolicyDisable EFSDifferent techniques can be used to disable EFS. Some of them are dependent on the operating system.To disable EFS for Windows 2000, delete the recovery agent certificate from the Local Security policy of a standalone system or from the domain public key policy of the domain GPO.To disable EFS for a Windows XP Professional standalone system, right-click on the Local Security Policy, Public Key Policy, Encrypting File System and uncheck the box Allow users to encrypt files using Encrypting File System (EFS), as shown in Figure 6-17. This sets the registry key shown in the next bullet.Figure 6-17. Clearing this box will disable EFS. Tools for Recovering the UnrecoverableFor several years, there has been little help for users of EFS who failed to archive keys and develop and implement a reasonable recovery policy. Today, though, several products offer possible file recovery. These solutions, however, rely on the existence of the keys in the file system and knowledge of the user's password, or the ability to crack the user's password. Since many otherwise hopeless scenarios can provide this information, these products have met with some success. For example, if the operating system is reinstalled, it is possible that the original user's profile is still on the disk, even though it is impossible to reassociate the profile with any new account or gain access to old accounts. If the user still knows the password used with the now-defunct account, recovery may be possible using one of these tools. In addition, if forensic tools can be used to access data on the disk, even if the loss is the result of a hard disk crash, recovery may still be possible. Solving this problem resolves many of the legitimate "Help, I encrypted my files and now I can't access them" issues.The tools are not going to be useful if the password is not known and cannot be deduced.The following products may be useful in recovery of EFS-encrypted files.Encase A forensic program available from Guidance Software (www.guidancesoftware.com) has an EFS module available.Advanced EFS Data Recovery A commercial utility available for purchase from Elcomsoft (http://www.elcomsoft.com/aefsdrl).EFS Key A utility available from http://www.lostpassword.com/efs.reccerts.exe A Microsoft Product Support Services (PSS) tool (www.microsoft.com/support).
|
لطفا منتظر باشید ...
