Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]

Management Practices

Administrative practices are also important to security. One example, change management, was introduced earlier in this chapter. This section introduces the best practices for securing administrative practices, including the use of administrative tools.

Adopt Secure Administration Practices

Administrators are entrusted with the security of the network, and yet few controls are placed on administration activity. Although administrators must have elevated privileges to do their job, many controls can be used to limit them to "just" the activities they need to do. There are ways to monitor their activity and to protect the process and lessen the possibility of account compromise. Monitoring administrative practice is discussed in Chapters 18 and 19. The other controls are described in this section.

Limiting Administrative Power

The security principles of separation of duties and limiting user rights and permissions to those needed to do their job also apply to Administrators. The first step is to realize that not every administrator needs to be able to do everything. To do so, examine default Windows Server 2003 administrative roles and create new roles where it is practical.

Default Administrative roles in Windows Server 2003 are described in Table 16-4.

Custom groups can be used as administrative groups. These groups obtain their administrative rights via delegation, using the Delegation of Control Wizard or by assigning the group specific user rights. By using these methods, you can ensure that users only have the administrative rights they need over the user and computer accounts that they are authorized to manage. For example, a sound recommendation is to leave the membership of the Backup Operators group empty and create two groups, a Backup group and a Restore group, then give them the Backup or Restore privilege, respectively. This provides a way to separate those functions, thus fulfilling the separation of duties security principle.

In addition to limiting administrative users by assignment of rights and permissions, separation of duties is partially obtainable, if not completely enforceable, by technical controls. Two types of administrators should be defined: service administrators and data administrators. Data administrators are responsible for managing users, computers, databases, printers, and so forth. Service administrators manage the infrastructure of the Active Directory network. Service administrators are members of Domain Admins, Schema Admins, Enterprise Admins, and other groups created to manage infrastructure. Data administrators are members of other groups restricted to specific data tasks or to limited administrative roles, such as local administrator.

Data administrators, because of the groups that they are members of, do not have service administrator rights. Do not provide them with these rights. Service administrators, however, by default do have data administrator rights, and must even use some of them in day-to-day operations. Service administrators, for example, should administer their own group membership and the accounts of service administrators. There would be more risk if data administrators were able to manage service administrator accounts and groups than can be gained by separating the privilege of user management. If data administrators could manage administrator accounts and groups, data administrators or others might be given elevated privileges. To assist in maintaining this separation, place administrative accounts in special OUs and, when giving user and group management duties to data administrators, either give data administrators membership in the Account Operators group or use delegation and only give them account management rights in OUs where no service administrator accounts or groups exist.

NOTE: FYI

For more information on service and data administrators, read the article "Design Considerations for Delegation of Administration in Active Directory" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/addeladm.asp.

Protecting the Administrative Process

Securing the administrative process is a combination of securing administrative account, securing administration tools, securing the administrative workstations, and securing communications between administrative workstations and computers that are being remotely administered.

In addition to hardening the computer used as an administrative workstation, additional security can be gained by putting these computers on a separate, protected subnet and by providing additional physical security along with limiting the use of remote administration tools and connections to servers to the administrative workstations. Connections to servers can be limited by creating IPSec policies. Policies on servers should be configured to only accept remote administration tool connections from administrative workstations.

Protecting Administrative Accounts

All administrative activity, no matter how carefully assigned and limited, can be subverted if administrator accounts are compromised. Fortunately, when all administrative accounts are only given the admin rights necessary to perform required duties, the impact of an account compromise might be less of a disaster. However, administrative account access should be protected. Because many security breaches occur when an unauthorized individual gains control of an account by learning its password, passwords for administrative accounts should be stronger than the general domain account password policy. Although you cannot provide different technical controls (the same password policy is used throughout the domain), you can require that administrators use longer passwords or provide them with smart cards or other authentication devices. The actual use of long passwords can be verified by using a password cracker. Don't forget to obtain written management approval before using a password cracker even on your own network for this purpose.

Hardening Remote Administrative Tools

In addition to the administrative tools present on the console, native Windows Server 2003 tools exist that can be used for remote administration. These tools can also be used to administer Windows XP. Remote administration tools include the Remote Desktop Connection for Windows Server 2003 (known as Terminal Services in Administrative Mode in Windows 2000) and Remote Assistance.

Remote Desktop Connection for Windows Server 2003

The Remote Desktop Connection for Windows Server 2003 was called Terminal Server in Remote Administration Mode in Windows 2000. (Terminal services in application mode, the other terminal services mode that allows clients to connect and run applications, is simply called Terminal Server in Windows Server 2003.) Remote Desktop does not require the installation of a terminal server. However, terminal services, a Windows Server 2003 service, is enabled and started by default. The Remote Desktop application must be enabled in order to use the service. Remote Desktop is not meant to be used as an application provider. Its only purpose is to provide support for remote administration. Using Remote Desktop, an administrator can administer the server using the server's local administration tools. Like terminal services, screen displays and keystrokes are the only data transferred between the administrator's desktop and the remote computer. All data is encrypted by default. 128-bit encryption is the default; however, this can be reduced if legacy clients must be used for administrative purposes. There is no computer authentication; however, only authorized administrators can use the service. If further securityincluding mutual authenticationis desired, it can be added by using IPSec.

Additionally, Remote Desktop provides roaming disconnect supportthat is, an administrator can start a lengthy task and disconnect, and then come back later. The Remote Desktop client is part of Windows Server 2003 and Windows XP. It can be installed on Windows 98, Windows Me, and Windows 2000 SP2 and above.

NOTE: FYI

Download the Remote Desktop client for earlier versions of Windows from http://www.microsoft.com/downloads/details.aspx?FamilyID=a8255ffc-4b4a-40e7-a706-cde7e9b57e79&DisplayLang=en.

Configuration Options for the Client

The Remote Desktop client provides a console where connections can be defined. Once defined, the connection can simply be clicked to start the connection process. Multiple connections can be stored. Each connection is configured with connection information (user name and password, server address), and each connection can be set up to allow connection to the local drives during the session and to either connect to the console or start a specific program. The drive connection option is actually giving permission for the connected server to access the local drives and ports. Although this option makes it convenient, as files can easily be transferred, it also makes the local system more vulnerable to an attack that originates at the server.Figure 16-17. These properties can be configured on the server and in Group Policy. Settings in Group Policy override local server and Remote Desktop connection settings. Server settings override Remote Desktop connections.

To create a connection, follow these steps:

Configuration Options on the Server 2003 Computer

Windows Server 2003 Remote Desktop connections can be controlled by

Configuring the Remote tab in the System applet in Control Panel

Enabling or disabling the Terminal Services service

Setting local server options in Terminal Services Configuration

Using the Terminal Services settings in Group Policy

You can effectively block all terminal services connections, including Remote Desktop connections from administrators, either by disabling the Terminal Services service or by deselecting the Remote Desktop Allow users to connect remotely to this computer check box, as shown in Figure 16-22. If your policy is to disallow connections via terminal services, do both.

Local Terminal Services Configuration settings are managed by opening the Terminal Services Configuration console, as shown in Figure 16-23, and setting properties for the RDP-TCP protocol. To access the properties, right-click the RDD-Tcp node in the detail pane and select Properties. There are four important security considerations.

Encryption level The General tab, shown in Figure 16-24, provides the option to change the encryption strength in the Encryption level drop-down box. Set encryption to High or FIPS compatible. The object here is to ensure the best encryption. If clients cannot match the High or FIPS compatible encryption setting, a different client should be used for administrative purposes. Encryption settings are detailed in Table 16-6.

Resource redirection Override user settings by disabling resource redirection on the Client Settings tab, as shown in Figure 16-25. To disable any use of local resources during a Remote Desktop session, uncheck Use connection settings from user settings. To disable the use of a specific resource, use the Disable the following: section and check the resource.

Override User Program Requests Use the Environment tab to override any user request to start a program on connection. It is important to control access to server resources.

Permissions By default, Administrators have Full Control, and Remote Desktop Users (a configurable group that does not include all users) are given User Access and Guest Access, as shown in Figure 16-26. User Access only allows viewing (query, connect, logon). If this is not necessary (the only users who should be able to use the terminal services connection should be administrators), you may delete the Remote Desktop Users selection. You may also want to grant or restrict access to a subset of the Administrators group. You can create a unique group, add administrator or delegated administrators accounts to it, and then assign the new group appropriate permissions.

Group Policy Configuration Options

Group Policy settings for Remote Desktop connections are configured in the Terminal Services section of Computer Configuration, Figure 16-27, and User Configuration, Figure 16-28, under the Administrative Tools, Windows Components sections. Use a GPO linked to an OU to manage different servers differently. For example, you may want to insist on 128-bit encryption when administering more sensitive servers, but modify that setting for others.

Allowing client compatibility for encryption settings when terminal services will be used for administrative purposes is a bad idea. Doing so would mean that you want administrators to be able to use Windows 98, for example, to remotely administer servers. Windows 98 cannot be secured, and you should secure administrative workstations. Always use the best security you can when performing remote administration.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
\TerminalServer\WinStations\RDP-Tcp\PortNumber

Remote Assistance

Remote Assistance is different from Remote Desktop. Remote Assistance is designed to offer selected users, even users who do not have domain logons, to remotely control a Windows desktop. The Remote Assistance feature was introduced with Windows XP and can be used to offer repair, troubleshooting, and instruction to users of Windows XP and Windows Server 2003. Unlike Remote Desktop, connection with or without remote control is not possible unless a user is logged on to the remote computer. Like Remote Desktop, Terminal Services Configuration and Group Policy settings for terminal services can be used to prevent or manage Remote Assistance connections.

Although primarily a feature designed for use by help desk employees in their job as first-level response to user PC problems, Remote Assistance can be used to provide administrative assistance to those empowered to manage Windows Server 2003 servers. In large organizations, branch offices and other locations may require servers, but justification for a full-time staff of Windows experts may not be present. Instead, IT pros with less experience or personnel with other duties may be responsible for the operation of the servers. Remote Assistance may be the ideal way to offer these individuals expert assistance when they need it.

Group Policy settings can and should be configured to securely manage Remote Assistance. If it is not managed, it may be possible for unauthorized persons to obtain administrative access to XP or Windows Server 2003 computers. Users of Remote Assistance, both the novice requesting help and the expert providing help, should receive training in how to use Remote Assistance. Two strategies are outlined here: first, how to use Remote Assistance in a secure manner, and second, how to absolutely prevent its use. Your implementation of Remote Assistance may be a combination of both strategies, securing remotes assistance for some computers but not for others. You can manage Remote Assistance using Group Policy to provide this option.

Using Remote Assistance

To use Remote Assistance,

The novice must have available either Windows Messenger or a Messaging Applications Programming Interface (MAPI) compliant email program, such as Microsoft Outlook or Outlook Express.

Both the novice and expert computers must be connected to the Internet (or a TCP/IP network if email is used).

The Turn on Remote Assistance and allow invitation to be sent from this computer option in the System\Remote Property page in Control Panel must be checked.

The Allow this computer to be controlled remotely check box in the Advanced page of the Remote Property page in Control Panel must be checked if remote control is desired (see Figure 16-29).

Any firewalls between the novice and expert computer must be configured to allow Remote Assistance traffic. Port 3389 is used by the novice's computer to accept Remote Assistance communications. Or, the Remote Desktop Web connection must be deployed.

Remote Assistance must be configured and not blocked by Control Panel settings or security settings in Group Policy. Do not rely on a firewall or the use of a NAT device to prevent a Remote Assistance connection. If you do not want to allow Remote Assistance, disable it. Using Remote Assistance through a NAT device is possible if the NAT device supports Universal Plug and Play (UPnP). For example, the Windows Internet Connection Firewall does support UPnP, and a Remote Assistance connection can be used as long as both novice and expert computers are not behind NAT devices.

In addition to using the Remote Desktop connection client, a Remote Desktop Web Connection option is available for use when the IIS Remote Desktop Web Connection subcomponent of IIS is installed. The client can then use Internet Explorer to download and install the ActiveX control. This control can then be used to use Remote Desktop services and Remote Assistance.

Remote Assistance is configured either directly in Control Panel or through Group Policy. By default, it is enabled. The Remote Assistance process can be divided into four parts:

First, the novice requests Remote Assistance by sending a Windows Messenger instant message or an email to another individual. (An option to create an invitation in a file and send it as part of an email message is also provided.)

Second, this individual accepts the request.

Third, the novice is asked to accept the expert's connection to their computer.

Finally, if novice authorizes it, the remote connection is established.

After the connection is established, the expert can then provide the following assistance:

View the desktop of the remote computer in real time.

Chat with the novice.

If given approval, take remote control of the novice's desktop by clicking the Take Control button. (This ability is disabled by default and must be approved by the novice.)

Send and receive files.

Requesting Remote Assistance

To use the Windows Messenger option, follow these steps:

To use email, follow thses steps:

Offering Remote Assistance

Remote Assistance can also be offered without an invitation if the following is present:

The Administrative Templates, System, Remote Assistance, Offer Remote Assistance setting in Group Policy, as shown in Figure 16-33, must be enabled and configured on the user's computer.

The user offering assistance must be listed as a Helper in the Offer Remote Assistance policy or a member of the Administrators group on the computer. The Helper list is configured by clicking the Helpers: Show button.

The Solicited Remote Assistance Policy, as shown in Figure 16-34, must be enabled.

The user must give permission before the assistance can see the user's desktop. The user must also give permission before remote control can proceed. To offer assistance, the expert should do the following:

Configuring Remote Assistance for Security

Create a Remote Assistance policy that specifies who will classify computers that are allowed to request Remote Assistance, and who can actually offer assistance. Then, configure computers either directly or in Group Policy.

To control Remote Assistance locally, follow these steps:

To control Remote Assistance via Group Policy, follow these steps:

Prevent Remote Assistance

To prevent employees from using Remote Assistance, especially to prevent Remote Assistance on servers, use the Group Policy Solicited Remote Assistance. This policy is located in the Computer Configuration, Administrative Templates, System, Remote Assistance area of Group Policy. If this policy is enabled, a user can request help and another user can connect to the computer. If the setting is disabled, no user can solicit help, and no user can assist using Remote Assistance. (If the setting is not configured, local requirements can be set.)

TIP: Terminal Services Setting

The Terminal Services service is installed and enabled by default. However, this does not make the Windows Server 2003 server a terminal server that can be used to allow users to run applications on the terminal server. Instead, this service is used to provide Remote Desktop and Remote Assistance tools. If this service is disabled, these tools cannot be used.