Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]

Establish Security Configuration

In addition to physical security, DCs must also be secured by configuring DC security settings and by establishing administrative boundaries. Proper configuration supports administrative boundaries, which can ensure better security configuration.Chapter 11 gives more information on using security baselines to establish security for systems throughout the forest.

Administrative boundaries are created by ensuring that administrators are limited to a role-specific scope. Examples of this are using default groups to assign privileges, creating custom groups for this purpose, and using delegation of authority.

DC Security Baseline Configuration

A DC security baseline is the sum of all DC, Active Directory, and DC-based security configuration. Each organization should establish the written policy, document, set using technical controls, and maintain a baseline. Establishing a security configuration baseline for domain controllers consists of accepting or modifying the following:

Default Domain GPO Account Policy settings

Default Domain Controller GPO User Rights policy and Auditing Policy settings

Server-related security settings in the default Domain Controller GPO or in additional GPOs linked to the Domain Controller OU

Domain security settings such as Public Key Policy, IPSec Security Policy, and Software Restriction Policies in either or both default GPOs

Additional security settings, such as permissions on files, folders, registry keys, and printers

A good way to document and provide a tool for quickly setting, resetting, or auditing the base security of DCs is to use security templates. Security templates are collections of security settings that can be either applied to a one computer at a time or imported into a Group Policy and, therefore, applied automatically to many computers. Although not all security settings are exposed in the templates, many are. Additional settings can be added. Default security settings for domain controllers are preconfigured in the default Domain Controller Security Policy, and default security settings for the domain are pre-configured in the default Domain Security Policy and the default Domain Controller security policy. The settings can be adjusted in the default policies. However, you can use security templates as an alternative method of adapting default settings to those more appropriate for your organization. The "Windows Server 2003 Security Guide" provides and describes a baseline template for DCs that hardens DC security. Organizations can use this template, modify it to fit their circumstances, or create their own. Once a security baseline template is constructed, the template is applied by importing it into a GPO that is linked to the Domain Controller OU. You can find more information on the recommendations made in the following by obtaining the guide that comes with preconfigured security templates. The guide includes a baseline template for DCs, servers, and many other server role-specific templates. Download the guide and the templates at http://www.microsoft.com/downloads/details.aspx?familyid=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en.

Using the template provided with the guide is a good way to get started, but you should establish your specific requirements and adjust the template for your own use. The guide also provides a realistic approach to security by listing settings for legacy clients, enterprise clients, and high-security situations.

Security Template/Domain Policy Configuration

Sections within the Security Template correspond to areas of the DC that should be secured. These same areas are also represented in the Security Settings portion of a Group Policy Object. Two types of security settings, the Account Policy and the Local Policy, are not typically set in security templates. Instead, they are configured directly in the Default Domain Policy and the Default Domain Controller Policy, respectively. Each following section represents some portion of the total security policy that protects Active Directory. Recommendations for their configuration are provided, but the best settings for each organization will have to be determined by that organization.

Domain Account Policy

A strong domain account policy is critical to the protection of AD. Weak passwords and account controls can allow unauthorized access to network resources and to the domain controller. Weak passwords could also allow an attacker to modify Active Directory schema, change data in the Active Directory, and modify permission on Active Directory objects. (Modifying permissions on Active directory objects is also a subtle way to take control of other parts of the network because changes in these permissions is ordinarily difficult to detect. Permissions on active directory objects, for example, can provide administrative control to Exchange Servers, Certification Authorities, certificate templates, and so on.) Administrative accounts cannot be protected if the account policy is not hardened. The account policy consists of Password Policy, Account Lockout Policy, and Kerberos Policy.

Password Policy

A strong password policy cannot be entirely enforced by technical means. While one of the potential password policy settings is Passwords Must Meet Complexity Requirements, this setting requires only that users create passwords composed of three of four things: uppercase and lowercase letters, numbers, and symbols. It does not allow additional specifications. A strong password policy incorporates the complexity requirements enforced by this setting and other practices that help make them more crack-resistant.

Requirements must be part of the written password policy and must be enforced through user education and auditing. Some of them can be enforced through the Windows password policy. Each Windows Server 2003 domain has a default password policy, as shown in Figure 10-3. This policy is located in the default domain policy. This policy can be modified, and each domain in the forest can have a separate password policy, but for each domain, all users with domain accounts are subject to the same policy. Thus, the tailspintoys.com domain might have a password policy that specifies a password minimum length of 12 characters, while its child domain, newyork.tailspintoys.com, can have a password policy that specifies a minimum length of 8 characters. However, all users with an account in the domain must have a minimum password length of 12 characters. To modify the policy, do the following:

The password policy for the domain affects all domain accounts, but a password policy created for a server or workstation will control passwords created for its own local accounts. To create a password policy that affects all domain accounts, modify the default domain GPO. To create a password policy that affects the local accounts of specific computers, create a GPO and link it to the OU where these computer accounts reside. If a user has both a domain account in the domain and a local account on his workstation, when he logs on using his domain account, the domain password policy will be in effect; when he logs on using his local account, the policy effective for that local computer account will be in effect.

The minimum recommendations for Windows Server 2003 domain password policy are set as the defaults. Table 10-1 lists defaults and recommendations for improving security.

Account Lockout Policy

The account lockout policy is not set by default. As shown in Figure 10-5, it can be set to lock out accounts for which a number of incorrect password attempts have been entered.

Account Lockout settings are

Account Lockout Duration Indicates the amount of time before a locked out account is automatically reset. A value of 0 means that an administrator or account that has been given that privilege must manually reset it.

Account Lockout Threshold Indicates how many password errors can be made before the account is locked out.

Reset Account Lockout Counter After Indicates how many minutes to wait before reseting the counter to 0. For example, if 3 is the threshold and 2 wrong attempts have been entered, and the user stops, the counter is reset to 0 after the number of minutes entered for Reset Account Lockout Counter After.

When an online guessing or brute-force attack is launched against the account database, the account lockout feature can prevent all but the very lucky attacker from succeeding. However, should an attack be launched against the entire database, it could lock out so many users that, although no password is compromised, a denial of service attack is successful. Another problem can occur if the accounts do not reset fast enough: remote users might accidentally lock themselves out, and because they are unable to reach the help desk, might not be able to obtain critical access.

Although opinions vary, a reasonable approach is to set account lockout threshold high, for example, 25 attempts. In this way, accidental lockouts cannot occur, and the chance for compromise is slim. The account lockout reset function should also be used. Also, if systems are being monitored, and a large-scale attack is occurring, it will be obvious, and it may be possible to block any access from that source before the DoS causes undue harm.

Kerberos Policy

The Kerberos Policy settings should remain as set by default, as shown in Figure 10-6.

Two settings are often changed because administrators are seeking better performance. However, these settings should not be changed:

Enforce User Logon Restrictions Enabled by default, this setting ensures that the user rights policy is checked before users are granted service ticket. The user rights policy includes items such as the right to log on from the network, which may affect whether a ticket is granted or not. When this setting is disabled, the check is not made, and it may be possible for a user who is not authorized to authenticate to a server to do so.

Time Maximum Tolerance For Computer Clock Synchronization This setting is set by default to 5 minutes, and it defines the amount of time difference between the timestamp on client authentication requests and the time on the DC. If the time difference is greater than this value, the request is denied. When this setting is increased, there is more time for a possible replay attack. An example of a replay attack would be the case where a user Kerberos TGT is captured and repurposed in an attempt to obtain a session ticket for some resource. Such an attack would be difficult, but given enough time, anything is possible. However, with the default tolerance intact, it is likely that the timestamp on the credentials would be much older than the time on the KDC computer, and therefore, the replay attack would be unsuccessful.

Local Policy

The Local Policy section of Group Policy consists of Audit Policy, User Rights Assignment, and Security Options. Audit Policy, including the ability to monitor the use of Active Directory objects, is discussed in Chapters 19.

User Rights

User Rights for users in the domain should be defined in the default Domain Controllers Policy, as shown in Figure 10-7. (User Rights for local users on specific servers should be defined in a GPO linked to the OU in which the computer account resides.)

User rights in Windows Server 2003 are less extensive than in previous version of the Windows operating system but can still be hardened. Consider the following suggestions for user right management as part of your security plan for AD:

The Allow Log On Locally right is necessary for interactive logon at the DC console. This right is given by default to the groups Administrators, Backup Operators, Account Operators, and Server Operators. Account Operators manage domain accounts but do not need to do so by logging on to a DC console. Instead, they should be using administrative tools from a workstation. Remove the group Account Operators from this right.

The Shut Down The System right is necessary to shut down the DC using operating system commands. This right is given by default to the groups Administrators, Backup Operators, Print Operators, and Server Operators. Print Operators and Account Operators do not need this right. Remove the groups Account Operators and Print Operators from this right. Backup Operators should not need this right, and you may find you can remove that group.

The Backup Operators group has the right to back up and restore files and directories. If followed, the security principles of least privilege and of separation of duties would separate these rights. Instead of giving this group both rights, create a separate "recovery operators" group; remove Backup Operators from the right to restore files and folders, and add the new recovery operators group to that right.

The Deny Access To This Computer From The Network right should be given to the local Administrator account, the Support_388945a0 account, the guest account, and all NON operating system service accounts. Requiring the local Administrator account to be used locally prevents attacks that rely on the knowledge of the known administrator SID. The support_388945a0 account can be programmed for use by help services and should not be allowed access to a DC. If a domain account is assigned as a service account on some server in the domain, that account may have elevated privileges, and its compromise might be used to leverage an attack against the DC. If these accounts are denied logon access, that attack vector will be mitigated.

For similar reasons, the Support_-388945a0 account and the Guest account should be denied the ability to log on as batch job to prevent these accounts from being used to execute a virus, Trojan, or worm.

The Deny Log on Through Terminal Services right should be given to the built-in administrator account and the NON-operating systems account for the reasons given previously.

Careful consideration of the way groups are used in your organization may suggest other uses of User Rights to provide protection for domain controllers, and hence Active Directory. Be sure to test these changes before using them on production domain controllers.

TIP: USE AD SECURITY SETTINGS TO BENEFIT OTHER SYSTEMS

Active Directory is not the only beneficiary of hardening user rights. Other computers and operations can benefit as well. For example, the user right Logon To This System From the Network can be modified on servers and other computers to which you want to restrict access. To secure file servers that store sensitive documents, change this right to only include those groups that should have access to the documents. There is no need to allow every employee access to the servers. Although file permissions allow you to control access to the files, preventing unauthorized users from even authenticating to the file server provides another layer of protection.

Security Options

Security Options make registry changes that affect security. Several of these options can be used to secure DCs. In addition to the registry changes made by Security Options that are visible in the GUI, other registry entries can be made that will tighten security. These registry entries can be applied in numerous ways, one of them being by adding them to a security template and then importing the template into a GPO.

Table 10-2 lists and discusses the recommendations for Security Options settings that differ from the default. Security Options, such as auditing related policies, that are discussed in other chapters are not included in Table 10-2.

If you are familiar with previous versions of Windows, you may recognize Security Options as items previously set directly in the registry. In fact, when Security Options are enabled and Group Policy applied, equivalent registry settings are made. Using Security Options prevents the problems that direct registry editing can cause, such as adding the wrong settings (hence security is not strengthened) or the destruction of some critical part of the registry (hence possibly damaging operating system or other component operation). In addition to preconfigured Security Options, however, other hardening techniques can be implemented directly through registry entries. These changes can be automated by making them part of a security template and automatically applying them instead of requiring a direct registry edit. An example of such an entry is disabling 8.3 names. The NTFS file system automatically creates old 8.3 names from long file names. 8.3 names can therefore be used to support legacy applications. However, they may provide attackers access from systems that do not understand longer file names or allow hard-coded attacks that use 8.3 names to succeed. You should not be running applications on the DC that need the 8.3 name. Because many malicious scripts, including viruses, are 16-bit applications and are written with 8.3 names coded in, preventing 8.3 name generations may block some of these scripts from running. To disable 8.3 name generation, set the value of the following REG_DWORD value to 1:

Hklm\system\currentcontrolset\control\file systemNtfsDisable8dot3NameCreation

Event Log Settings

Event log settings for the three logs identified in Group Policy (security, application, system) as displayed in Figure 10-8 should be adjusted to support the amount of security auditing enabled. By default, these settings are not defined. Recommended settings for the domain controller event logs are as follows:

Log file size 128 MB

Prevent local guest group from accessing application, security or systems log (3 policies) Enabled

Retain eventlog log (where eventlog is the name of a log) Can remain not defined because the retention method is set to overwrite events as needed

Retention method for logs (3 policies) Overwrite events as needed

In addition to the event log files available on all Windows Server 2003 computers, several other event logs are present on domain controllers:

Directory Service

DNS Server

File Replication Service

Settings for these event logs must be set by opening their property pages, as shown in Figure 10-9, or must be scripted. Property pages are available by opening the Event Viewer, right-clicking the event log, and selecting Properties.

System Services

Windows Server 2003 disables many services by default and doesn't start others. However, ensure that disabled services remain disabled unless needed, and you may want to disable other services. A full discussion of services in a baseline template for servers and workstations in a domain is included in Chapter 11. You need to add additional services to this baseline in order for domain controllers to function.

The following services are disabled in sample Microsoft baseline security templates for servers, but they need to be enabled for domain controllers. (A baseline template for domain controllers is also available from Microsoft.) You may need to enable other services, depending on the other functions a specific DC is used for. For example, if DNS is installed on a domain controller, the DNS server service needs to be enabled. The following additional services are necessary for domain controllers to function:

Distributed File System Required for the Active Directory SYSVOL share.

File Replication Service Needed for File Replication of SYSVOL.

Kerberos Key Distribution Center Enables logon using Kerberos protocol.

Intersite Messaging Used for mail-based replication between sites.

Remote Procedure Call (RPC) Locator Used for management of RPC name service database. RPC is used during replication.

In addition to controlling whether services are disabled or enabled, services settings determine whether a service is interactively started or stopped and whether it is started or not during boot. These settings can be configured interactively through the Services administrative tool, or set in the Services section of a GPO. The Services section of a GPO can be used to control who has the authority to stop, start, and otherwise change services configuration. To prevent unauthorized management of services, follow these steps:

Registry and File System

The Registry and File System section of a GPO can be used to provide systematic refresh of critical security permission on registry keys, files, and folders. However, even if there are no changes, security settings are periodically refreshed. If a significant number of permissions are part of the GPO, the amount of information replicated can impact the efficiency of replication and even prevent it from occurring. The constant, large download to domain member computers can significantly impact network efficiency. Best practices now recommend that this element be used cautiously in a GPO and rarely, if ever, in a large Active Directory forest. However, the use of a security template and the Security Configuration and Analysis tool to set security on the entire systems path is a sound concept. A template is used during server installation and during dcpromo to initially set file and folder security. These default templates should be modified, if necessary, with any specific changes required by your organization. After installation, browse the Setup Security template to see the security that was set during installation. Looking at the File System portion of this template, as shown in Figure 10-11, gives you an idea of the large number of permissions. This template could also be used to reset these permissions to the defaults. However, you should realize that any permission set on a file or folder not listed here would not be changed when the template is applied.

Be extremely careful when modifying permissions on system folders, files, and registry keys. There are many reasons for the settings as they stand, and it is possible that changing these settings will break some critical function. Be especially careful in implementing without first reviewing recommendations found in articles and on web sites because they may have been developed for very specific circumstances. Look for evidence of testing in environments similar to yours, and prepare to do significant testing of your own. Any change to system file and folder permissions or registry permissions, especially on a domain controller, can cause problems that are not immediately evident and may not be immediately diagnosed as a file or registry key permission problem.

TIP: TEMPLATE REGISTRY SETTINGS ARE ONLY FOR PERMISSIONS

The Registry section is just for setting permissions on keys. You cannot change registry settings at that location. To make changes to registry settings using GPOs or security templates, you must either use the predefined security options from the Security Options section of the GPO or template, or add registry settings to the Registry Keys section of a security template, as shown in Figure 10-12. A modified security template can be imported into a GPO.