Although security technologies are highly advanced, effective security must combine technology with good planning for business and social practices. No matter how advanced and well implemented the technology is, it is only as good as the methods used in employing and managing it.
Implementing the appropriate security standards is a key issue for most organizations. To implement security standards, devise a security plan that applies a set of security technologies consistently to protect your organization's resources. After you have established your plan, implement the appropriate Windows 2000 Professional security features.
Consider developing a security plan that describes how you will use the features of Windows 2000 to establish a secure, usable environment. A typical security plan might include the following sections:
Security goals: Describe what you are protecting.
Security risks: Enumerate the types of security hazards that affect your enterprise, including what poses the threats and how significant the threats are.
Security strategies: Describe the general security strategies necessary to meet the threats and mitigate the risks.
Security group descriptions: Describe security groups and their relationship to one another. This section maps security policies to security groups.
Security Policy: Describe Group Policy security settings, such as network password policies. Note that if you add your Windows 2000 Professional-based computer to a domain, your Security Policy settings will be affected by domain Security Policies.
Network logon and authentication strategies: If you work in a networked environment, consider authentication strategies for logging on to the network and for logging on by using remote access and smart cards.
Information security strategies: Include how you implement information security solutions, such as an encrypted file system (EFS), Internet Protocol security, and access authorization using permissions.
Administrative policies: Include policies for delegation of administrative tasks and monitoring of audit logs to detect suspicious activity.
Public key usage policies: Include your plans for how clients will use certification authorities for internal and external security features.
Your security plan can contain more sections, but these are suggested as a starting point. If possible, test and revise your security plans using test labs that model the computing environments for your organization. Also, conduct pilot programs to further test and refine your network security plans.
Mobile computing provides more flexibility to users, allowing them to work in a wider range of situations, increasing work potential. However, mobile computing also increases security risks.
Mobile Computing Security Threats
Because portable computers are easily stolen, there are greater physical security risks with mobile computing. If information on the hard disk drive is not encrypted with EFS, information stored on the hard disk drive, as well as any authentication information stored on the computer, might be compromised.
Another security threat when using a mobile computer is data being intercepted when it is transferred across phone lines. Users can ensure their connections are secure by using protocols to create virtual private networks.
Before examining Windows 2000 security features, it is good to understand what threats security technologies address. Table 13.3 describes several types of attacks. Different attacks pose different dangers, including the loss of data confidentiality, integrity, and availability.
Creating a list similar to this in your security plan demonstrates the complexity of security problems you face and will help you establish a set of standard labels for each category of risk.
Table 13.3 Types of Attacks That Pose Security Risks in an Organization
Security Attack | Description |
---|---|
Identity interception | The intruder discovers the user name and password of a valid user. This can occur by a variety of methods, both social and technical. |
Masquerade | An unauthorized user pretends to be a valid user. For example, a user assumes the IP address of a trusted system and uses it to gain the access rights that are granted to the impersonated device or system. |
Replay attack | The intruder records a network exchange between a user and a server and plays it back at a later time to impersonate the user. |
Data interception | If data is moved across the network as plaintext, unauthorized persons can monitor and capture the data. |
Manipulation | The intruder causes network data to be modified or corrupted. Unencrypted network financial transactions are vulnerable to manipulation. Viruses can corrupt network data. |
Repudiation | Network-based business and financial transactions are compromised if the recipient of the transaction cannot be certain who sent the message. |
Macro viruses | Application-specific viruses exploit the macro language of sophisticated documents and spreadsheets. |
Denial of service | The intruder floods a server with requests that consume system resources and either crash the server or prevent useful work from being done. Crashing the server sometimes provides opportunities to penetrate the system. |
Malicious mobile code | This term refers to malicious code running as an auto-executed ActiveX® control or Java applet downloaded from the Internet. |
Misuse of privileges | An administrator of a computing system uses full privileges over the operating system to obtain private data. |
Trojan horse | This is a general term for a malicious program that masquerades as a desirable and harmless tool. For example, a screen saver that mimics a logon dialog box in order to acquire a user's name and password and then secretly sends that password to an attacker. |
Social engineering attack | Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records. |
The following concepts are useful in describing security strategies under Windows 2000. All of these technologies help create a more secure environment; where a technology addresses a specific attack from Table 13.3, that defense is called out below.
When planning for security in Windows 2000, it is valuable to understand how Windows 2000 provides security, as well as the environment in which you will be working.
Security Model
Windows 2000 provides security through authentication and authorization. Authentication ensures that users are who they claim to be. After a user's identity has been authenticated, that user is authorized to use network resources. Authorization is made possible by access control, which uses permissions on resources such as file systems, network files, and print shares.
Windows 2000 Professional in a Windows 2000 Server Domain Model
If you are using Windows 2000 Professional in a Microsoft® Windows® 2000 Server environment, your Windows 2000 Professional computer can join a domain. A domain is a collection of objects, such as users, computers, and groups, that share a security directory database. A domain is centered around a security authority that gates access and establishes a logical boundary. This logical boundary ensures consistent security policy and determines how objects in one domain relate to objects in other domains. Windows 2000 Professional computers that are stand-alone computers or that are members of a workgroup are not directly affected by domains.
Authentication and Its Benefits
Authentication is the first part of the Windows 2000 security model. Authentication confirms users are who they claim to be. Authentication can be completed in a variety of ways and provide a range of benefits. Windows 2000 authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the client computer once, using a single password or smart card, and authenticate to any computer in the domain. Authentication in Windows 2000 is implemented by using the Kerberos v5 protocol, NTLM authentication, or the Windows NT logon feature for Windows NT 4.0 domains.
Authentication specifically prevents:
Masquerade attacks: Users must prove their identity, so it is more difficult to masquerade as another.
Replay attacks: Because Windows 2000 authentication protocols use timestamps, it is difficult to reuse stolen authentication information.
Identity interception: Because exchanges are encrypted, intercepted identities are useless.
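As an added illustration (not part of the original chapter), here is a simplified replay check of the kind an authenticating server performs when authenticators carry timestamps: the server rejects any timestamp outside an assumed 5-minute clock-skew window, and remembers the timestamps it has already accepted inside that window so a recorded exchange cannot be accepted a second time. The principal names, timestamps, and the skew value are constructed for the example.

```python
# Simplified timestamp-based replay check; constructed illustration.
# The 5-minute skew window is an assumed value for this example.

MAX_SKEW_SECONDS = 300  # assumed tolerance between client and server clocks


class ReplayCache:
    """Remembers (principal, client_timestamp) pairs seen inside the skew window."""

    def __init__(self, max_skew=MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        self.seen = {}  # (principal, client_timestamp) -> server time when accepted

    def _expire(self, now):
        # Entries older than the window would fail the freshness check anyway,
        # so they can be dropped to keep the cache small.
        for key in [k for k, t in self.seen.items() if now - t > self.max_skew]:
            del self.seen[key]

    def accept(self, principal, client_timestamp, now):
        """Return (accepted, reason) for an authenticator presented at server time `now`."""
        self._expire(now)
        # Freshness: a timestamp far from the server's clock is stale (or clocks are off).
        if abs(now - client_timestamp) > self.max_skew:
            return False, "timestamp outside clock-skew window"
        # Uniqueness: the same principal may not present the same timestamp twice.
        key = (principal, client_timestamp)
        if key in self.seen:
            return False, "replay detected"
        self.seen[key] = now
        return True, "accepted"


def replay_scenario():
    """Constructed sequence: one genuine logon, then the recorded exchange played back."""
    cache = ReplayCache()
    t0 = 950_000_000  # constructed Unix timestamp carried in the client's authenticator
    results = [
        cache.accept("alice", t0, t0 + 10),         # genuine logon, 10 s of skew
        cache.accept("alice", t0, t0 + 120),        # same authenticator replayed 2 min later
        cache.accept("alice", t0, t0 + 600),        # replayed 10 min later, past the window
        cache.accept("alice", t0 + 700, t0 + 705),  # alice logs on again with a fresh timestamp
    ]
    return [reason for _, reason in results]
```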
Two-Factor Authentication
Two-factor authentication requires users to present a physical object that encodes their identity plus a password. The most common example of two-factor authentication is the automated teller machine (ATM) that requires an ATM card that encodes the owner's identity and a personal identification number (PIN) that serves as a password.
Biometric identification is another form of two-factor authentication. A special device scans the user's handprint, thumbprint, iris, retina, or voiceprint in place of an access card. Then the user enters the equivalent of a password. This approach is expensive but it makes identity interception and masquerading very difficult.
For business enterprises, the emerging two-factor technology is the smart card. This card is the same size as an ATM card and is physically carried by the user. It contains a chip that stores a digital certificate and the user's private key. The user enters a password or PIN after inserting the card into a card reader at the client computer. Smart cards are not exposed to network attacks in the way a password can be. Smart cards use a private key and a PIN that are never on the network, and the private key never leaves the smart card, reducing the opportunities for attack. Windows 2000 directly supports smart card authentication.
Another common form of two-factor authentication is a token card. Token cards provide a token, such as a string of numbers, that changes at regular intervals. Users enter their PIN and the numbers presented on the card and they are authenticated. However, because the numbers the card presents change at a regular interval, intercepted authentication is only valid for a short time, making it minimally useful to attackers.
Single Sign-on
Authentication with Windows 2000 makes it possible for users to have access to a range of resources that might otherwise require repeated authentication. For example, without single sign-on, a user might have to provide separate passwords to log on to the local computer, to access a file or print server, to send e-mail, to use a database, and so on. Different servers can demand a change of password at different intervals, often with no reuse permitted; so a system without single sign-on might require a typical user to remember half a dozen passwords. This makes authentication an inconvenience for users, and more seriously, puts your security at risk when users begin to write down a list of current passwords.
The single sign-on strategy makes a user authenticate interactively once and then permits authenticated sign-on to other network applications and devices. These subsequent authentication events are transparent to the user.
Code Authentication
Users often download and install software on their computers. In doing so, users might inadvertently compromise your security if they download software that has been written to steal passwords, data, or other confidential information. Code authentication identifies the code publisher and determines whether the code has been modified since publication. You can configure your Web browser to refuse to run unsigned software and decide which software you will trust. Note that code authentication only ensures that the software has not been modified since it was signed, so if malicious components have been included in software before signing, these will not be detected.
Code authentication specifically prevents:
Macro viruses: Macro viruses added after code signing are detected by code authentication.
Malicious mobile code: You can prevent unsigned code from being installed, or detect code that has been inserted into a program after that program was signed (an example of a Trojan horse).
After users have been authenticated, they are granted authorization which is implemented using access control. A user who has authenticated and attempts to access a resource, such as a network file, is permitted to do so based on the permissions attached to the resource, such as read-only or read/write. Permissions implement access control in Windows 2000. You can view permissions on the Security tab of the property sheet of a file or folder. The list contains the names of user groups that have access to the object.
Encryption technologies can be used to assure your data is confidential.
Symmetric Key Encryption
Also called secret key encryption, symmetric key encryption uses the same key to encrypt and decrypt the data. It provides rapid processing of data and is used in many forms of data encryption for networks and file systems.
Public Key Encryption
Public key encryption has two keys, one public and one private. This technology opens up numerous security strategies and is the basis for several Windows 2000 security features including digital signing, which ensures authenticity, and encryption, which ensures secrecy. These features are dependent on a public key infrastructure (PKI). For more information about PKI, see "Planning Your Public Key Infrastructure" in the Microsoft® Windows® 2000 Server Resource Kit Deployment Planning Guide.
Public key encryption is used in a variety of situations. For example, public key encryption is used for Web authentication by the Secure Sockets Layer (SSL) protocol.
Data Integrity
Ensuring data integrity means to protect data against malicious or accidental modification. For stored data, this means that only authorized users can edit, overwrite, or delete the data. On a network, this means that data packets are digitally signed, so tampering with the packet can be detected by the recipient. Integrity is ensured by hashing the contents of a file and then signing that hash using public key technology.
Data Confidentiality
A strategy of data confidentiality means to encrypt data before it passes through the network and to decrypt it afterward. This prevents eavesdroppers from reading the data as it travels over the network. When a packet of nonencrypted data is transmitted across a network, attackers can intercept and view it from any computer on the network. Data confidentiality uses symmetric key encryption.
Nonrepudiation
Windows 2000 uses public key technology to provide nonrepudiation. There are two parts to a nonrepudiation strategy. The first part is to establish that a message was sent by a specific user, and the second is to ensure that the message could not have been sent by anyone other than the user.
This is another application for public key technologies, and it depends upon the presence of a PKI. A user's private key is used to place a digital signature on the message. If the recipient can verify the signature using the sender's public key, then the message could have been sent only by that user and no one else.
Nonrepudiation specifically prevents repudiation because the user, and no other party, controls the private key, so the user cannot repudiate a message signed with his or her private key.
Managing Security on Your System
Windows 2000 provides a robust set of technologies to protect your data, but you must ensure the system is running effectively and consistently. Windows 2000 provides features that help you use security technologies to achieve their intended effect.
Security Policy
Security policy is a subset of Group Policy. You can manage security policy on stand-alone computers, or your Group Policy can be enforced throughout a domain using Group Policy objects in Active Directory™. For more information about domainwide Group Policy objects, see the Microsoft® Windows 2000 Server Resource Kit and Windows 2000 Server Help.
Using security policy, you can apply explicit security settings to your computer and its security groups.
Audit Logs
Auditing user account management and access to important network resources is an important security feature. Auditing leaves a trail of network operations, showing what was attempted and by whom. Not only does this help to detect intrusion, but the logs can become legal evidence if the intruder is caught and prosecuted. Finally, finding and deleting or modifying the audit logs poses an additional time-consuming task for the sophisticated intruder, making detection and intervention easier.
Security Configuration and Analysis
Security Configuration and Analysis offers the ability to compare the security settings of a computer to a standard template, view the results, and resolve any discrepancies revealed by the analysis. You can also import a security template into a Group Policy object and apply that security profile to your computer or to many computers at once. Windows 2000 contains several predefined security templates appropriate to various levels of security and to different types of clients.
Non-software Factors Relating to Security
Although properly configuring your software contributes to secure computing, proper configuration alone will not ensure security. You must take steps to ensure the security you establish using Windows 2000 is not circumvented.
Physical Security
You must keep your computer safe from attackers. Keep your computer in a locked location when unattended, because users with direct access to computers might be able to compromise your system. Furthermore, rudimentary attacks (such as destroying your hard disk drive with a hammer) can only be prevented by physical security. Attacks on your computer do not have to be sophisticated to be effective.
User Education
It is easy for users to defeat the best laid plans through insecure practices. Writing down passwords, leaving computers unlocked, or finding other ways to circumvent the security you have put in place can quickly neutralize your security implementation. Write down effective security practices in a security policy, distribute the policy, and make your users follow it.
User education specifically prevents:
Identity interception: Teaching users about what information they should and should not reveal will help prevent inadvertent security leaks to people posing as employees or other authorities.
Social engineering attack: Educating users helps prevent social engineering attacks such as identity interception, and also helps prevent unauthorized users from talking their way past physical security or other such measures.
Ineffective passwords: Teach users how to construct passwords that are not easy to crack. Any word, name, or number, regardless of whether it is spelled backward, for example, can be easily cracked using dictionary attacks. Create passwords that use symbols, numbers, and both uppercase and lowercase characters. You can attempt to prevent ineffective passwords by requiring users' passwords to meet criteria such as minimum password length using Password Policy. For more information, see "Password Policy" later in this chapter.
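The following is an added example (not from the chapter) of the kind of check an administrator could run when screening proposed passwords against the advice above: minimum length, a mix of character classes, and rejection of dictionary words even when reversed or disguised with common character substitutions. The thresholds (8 characters, 3 of 4 character classes), the substitution table and the tiny word list are all assumed values constructed for the example.

```python
import re

# Constructed miniature word list; a real check would load a full dictionary file.
WORD_LIST = {"password", "welcome", "redmond", "windows", "letmein", "secret"}

# Character substitutions that dictionary-attack tools try automatically,
# so "P@ssw0rd" is treated as the word "password" for this check (assumed table).
LEET = str.maketrans("@$0134!", "asoleai")


def _candidate_words(password):
    # The alphabetic word the password is built from, with and without the
    # substitutions undone, both forwards and reversed
    lowered = password.lower()
    bases = {re.sub(r"[^a-z]", "", lowered),
             re.sub(r"[^a-z]", "", lowered.translate(LEET))}
    return bases | {b[::-1] for b in bases}


def password_problems(password, min_length=8, min_classes=3):
    """Return the reasons a password fails the (assumed) policy; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < min_classes:
        problems.append(f"uses fewer than {min_classes} of: lowercase, uppercase, digits, symbols")
    if _candidate_words(password) & WORD_LIST:
        problems.append("based on a dictionary word, possibly reversed or with substituted characters")
    return problems
```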