Deploying Windows® 2000 Security in Corporate Networks
Brent Lane, OakRidge Consulting Group
Session Prerequisites
- Familiarity with Windows 2000, beta 3 or later
- General knowledge of Windows security and administration principles
Topics Covered
- Windows® 2000 default security
- Single Sign On
- Network authentication
  - Kerberos v5
  - NTLM v2
- Security Interoperability
- Network data protection
Administrators Versus Users
- Administrators
  - Full control of the operating system
  - Install system components, drivers
  - Upgrade or repair the system
- Users
  - Cannot compromise system integrity
  - Read-only access to system resources
  - Interactive and network logon rights
  - Can shut down desktop system
  - Legacy application issues
- Power Users
  - Have sufficient access to run legacy applications
  - Can add files to system directory
  - Cannot modify existing system files
  - Create, manage non-admin resources: users and groups, file and print shares
Default Group Membership

Local Group      Default Workstation Members   Default Server Members
Administrators   Administrator                 Administrator
Power Users      Interactive Users             (none)
Users            Authenticated Users           Authenticated Users
Secondary Logon
- Run commands as another user without logoff/logon
- RunAs
  - Command line: runas /user:MyDomain\Admin cmd
  - Shell support
  - Optional support for user profile
- Terminal Server: separate console for admin
Windows Single Sign On
- Single account store in Active Directory
- Easier to administer user accounts
- Single user id and password
- Application integration
Kerberos Basic Concepts
- Authentication
- Key Distribution
- Session Tickets
  - Requested for each network connection
  - Contains authorization data
- Ticket Granting Ticket
  - Protected by user's secret key
  - Contains session key for KDC
Kerberos Authentication: Interactive domain logon
(diagram: a Windows domain controller hosting Active Directory and the Key Distribution Center (KDC); the KDC returns a TGT and a ticket for the workstation (NTW))
1. Locate KDC for domain by DNS lookup for Active Directory service
2. Use hash(pwd) to sign pre-auth data in AS request
3. Group membership expanded by KDC, added to TGT auth data
4. Send TGS request for service ticket to workstation
Kerberos Authentication: Network server connection
(diagram: a Windows domain controller hosting Active Directory and the KDC; an Application Server as the target)
1. Send TGT and request session ticket from KDC for target server
2. Present session ticket at connection setup
3. Application server verifies session ticket issued by KDC
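The two exchanges above (interactive domain logon, then a network server connection) as a runnable Python model. This is an added example, not code from the deck or from Microsoft's Kerberos implementation. The principals, keys, group list and DNS SRV record are constructed; seal/unseal is a SHA-256 keystream with an HMAC tag standing in for the Kerberos encryption types, and hash(pwd) is modelled with SHA-256 rather than the NT hash. It shows why the pieces are protected the way the slides say: pre-authentication is checked with hash(pwd) before the KDC returns anything, the TGT is opaque to the client because only the KDC holds the krbtgt key, and the target verifies a service ticket with its own key without contacting the KDC.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed principal database. The user's long-term key is hash(pwd) (a SHA-256
# stand-in for the NT hash); services and krbtgt hold random long-term keys.
def user_key(password):
    return hashlib.sha256(password.encode("utf-16-le")).digest()

KEYS = {
    "alice": user_key("correct horse battery"),
    "host/ws1.corp.example": os.urandom(32),   # the workstation being logged on to
    "cifs/fs1.corp.example": os.urandom(32),   # the target file server
    "krbtgt": os.urandom(32),                  # KDC ticket-granting key
}
GROUPS = {"alice": ["Domain Users", "Finance"]}                 # expanded by the KDC into TGT auth data
DNS_SRV = {"_kerberos._tcp.corp.example": "dc1.corp.example"}  # constructed SRV record

def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC under a symmetric key: a toy stand-in for Kerberos enctypes."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Key Distribution Center: AS exchange (logon) and TGS exchange (service tickets)."""
    def as_exchange(self, user, preauth):
        # Logon step 2: pre-auth data is a timestamp MAC'd with hash(pwd); a wrong
        # password fails here, so the KDC hands out nothing that could be guessed against
        expected = hmac.new(KEYS[user], preauth["ts"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, preauth["mac"]):
            raise PermissionError("pre-authentication failed")
        session = os.urandom(32).hex()
        # Logon step 3: the KDC expands group membership into the TGT's authorization data;
        # the TGT is sealed with the krbtgt key, so the client can neither read nor alter it
        tgt = seal(KEYS["krbtgt"], {"user": user, "groups": GROUPS[user],
                                    "key": session, "exp": time.time() + 600})
        # The reply (session key + TGT) is protected by the user's secret key
        return seal(KEYS[user], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        body = unseal(KEYS["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(body["key"]), authenticator)   # proves knowledge of the TGT session key
        if auth["user"] != body["user"] or body["exp"] < time.time():
            raise PermissionError("bad authenticator or expired TGT")
        svc_key = os.urandom(32).hex()
        # Service ticket: sealed with the target's long-term key, carries the auth data
        ticket = seal(KEYS[service], {"user": body["user"], "groups": body["groups"],
                                      "key": svc_key, "svc": service})
        return seal(bytes.fromhex(body["key"]), {"key": svc_key, "ticket": ticket.hex()})

def interactive_logon(user, password, kdc):
    dc = DNS_SRV["_kerberos._tcp.corp.example"]           # logon step 1: locate the KDC via DNS
    key, ts = user_key(password), str(time.time())
    preauth = {"ts": ts, "mac": hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()}
    rep = unseal(key, kdc.as_exchange(user, preauth))     # only the real hash(pwd) opens the reply
    creds = {"user": user, "kdc": dc, "key": bytes.fromhex(rep["key"]),
             "tgt": bytes.fromhex(rep["tgt"])}
    get_service_ticket(creds, "host/ws1.corp.example", kdc)  # logon step 4: ticket for the workstation
    return creds

def get_service_ticket(creds, service, kdc):
    authenticator = seal(creds["key"], {"user": creds["user"], "ts": time.time()})
    rep = unseal(creds["key"], kdc.tgs_exchange(creds["tgt"], authenticator, service))
    return bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])

def connect(creds, service, kdc):
    """Server connection: TGT -> session ticket (step 1), presented at connection setup (step 2)."""
    svc_key, ticket = get_service_ticket(creds, service, kdc)
    return server_accept(service, ticket, seal(svc_key, {"user": creds["user"], "ts": time.time()}))

def server_accept(service, ticket, authenticator):
    """Step 3: the target verifies the KDC-issued ticket with its own key, no KDC round trip."""
    body = unseal(KEYS[service], ticket)
    if body["svc"] != service:
        raise PermissionError("ticket was issued for a different service")
    auth = unseal(bytes.fromhex(body["key"]), authenticator)
    if auth["user"] != body["user"]:
        raise PermissionError("authenticator does not match ticket")
    return {"user": body["user"], "groups": body["groups"]}   # auth data the server impersonates with
```

Running `connect(interactive_logon("alice", "correct horse battery", KDC()), "cifs/fs1.corp.example", kdc)` returns the user and the group list the KDC placed in the ticket; a wrong password is refused at pre-authentication, and a ticket sealed for the file server fails the integrity check when presented to the workstation service, because that service holds a different key.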
Kerberos Authentication Use
- LDAP to Active Directory
- CIFS/SMB remote file access
- Secure dynamic DNS update
- Distributed file system management
- Host-host authentication for IP security
- Secure Intranet web services in IIS
- Authenticate certificate request to Enterprise CA
- DCOM/RPC security provider
Secure Dynamic DNS Update
(diagram: Active Directory and the KDC on the domain controller; Microsoft DNS Server; a DHCP-addressed host at 157.55.20.10 registering host.domain.company.com in DNS)
Cross-platform Strategy: Common Kerberos Domain
- Cross-platform interoperability based on Kerberos V5 protocol
- Windows 2000 hosts the KDC
  - UNIX clients to UNIX servers
  - UNIX clients to Windows servers
  - Windows NT clients to UNIX servers
- Simple cross-realm authentication: UNIX realm to Windows domain
(diagram: a Windows Desktop application calls SSPI with the Kerberos SSP to obtain a TICKET from the Windows KDC; the application protocol carries the ticket to a Unix Server, which accepts it through GSS-API with the GSS Kerberos mechanism)
Interoperability: Cross platform secure 3-tier app
(diagram: Windows 2000 Professional (Smart Card Logon, IE5, SSPI/Krb) connects over HTTP to a Windows 2000 Server Web Server (IIS, ISAPI Extension, SSPI/Krb), which connects over TCP to a Solaris UNIX Server (Oracle Application, App Service, GSS/Krb))
NTLM Authentication Version 2
(diagram: an Application server running MSV1_0 and Netlogon; a Windows NT domain controller with the Windows NT Directory Service)
1. NTLM challenge/response
2. Uses LSA to log on to domain
3. Netlogon service returns user and group SIDs from domain controller
4. SP4 Netlogon secure channel is protected
5. Server impersonates client
NTLMv2
- Unique session key per connection
- Key exchange key protects session key
- Generate unique keys for integrity and encryption of session data
  - Client -> Server, Server -> Client
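A Python model of the NTLMv2 session-security properties listed above, added here as an example; it is not code from the deck or from Microsoft's NTLM implementation. The key exchange key comes from a toy derive_kek helper (HMAC of the response under the NTLMv2 hash, with SHA-256 standing in for HMAC-MD5); the derivation labels, the XOR key wrap and the keystream used for sealing are constructed stand-ins for the MS-NLMP constants and RC4. What it demonstrates: each connection gets a fresh session key that travels only under the KEK, both sides derive the same four keys from it, and a message signed with the client-to-server key does not verify under the server-to-client key, so a message reflected back at its sender is rejected.

```python
import hashlib
import hmac
import os

DIRECTIONS = ("client->server", "server->client")

def derive_kek(ntlmv2_hash, nt_proof):
    """Key exchange key: both sides derive it from the challenge/response exchange.
    Toy construction: HMAC of the NT proof under the NTLMv2 hash (MS-NLMP uses HMAC-MD5)."""
    return hmac.new(ntlmv2_hash, nt_proof, hashlib.sha256).digest()[:16]

def derive_direction_keys(session_key):
    """One signing key and one sealing key per direction, all derived from the session key.
    Labels are constructed for this example, not the MS-NLMP magic constants."""
    return {f"{d} {p}": hmac.new(session_key, f"{d} {p}".encode(), hashlib.sha256).digest()[:16]
            for d in DIRECTIONS for p in ("sign", "seal")}

def wrap_session_key(kek, session_key):
    """The KEK protects the per-connection session key in transit (toy XOR wrap; a KEK is
    specific to one challenge/response, so the pad is never reused across connections)."""
    pad = hmac.new(kek, b"key exchange", hashlib.sha256).digest()[:16]
    return bytes(a ^ b for a, b in zip(session_key, pad))

unwrap_session_key = wrap_session_key   # the XOR wrap is its own inverse

def new_connection(kek):
    """Client side: a fresh random session key for this connection, wrapped under the KEK."""
    session_key = os.urandom(16)
    return wrap_session_key(kek, session_key), derive_direction_keys(session_key)

def accept_connection(kek, wrapped):
    """Server side: unwrap with the same KEK and derive the same direction keys."""
    return derive_direction_keys(unwrap_session_key(kek, wrapped))

def sign(key, seqno, message):
    """Integrity: MAC over sequence number and message under one direction's signing key."""
    return hmac.new(key, seqno.to_bytes(4, "big") + message, hashlib.sha256).digest()[:8]

def verify(key, seqno, message, signature):
    return hmac.compare_digest(sign(key, seqno, message), signature)

def seal(key, seqno, message):
    """Privacy: XOR with a keystream bound to the direction's sealing key and the sequence
    number (toy stand-in for RC4); applying it twice recovers the plaintext."""
    ks = b"".join(hmac.new(key, seqno.to_bytes(4, "big") + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(message) // 32 + 1))
    return bytes(a ^ b for a, b in zip(message, ks))
```

Sequence numbers in the signature are what make a replayed message fail verification even under the correct key; the per-direction split is what makes reflection fail.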
NTLMv2 Deployment
- LMCompatibilityLevel = {0..5}
- Upgrade DCs for user account domains
- Upgrade clients and servers
  - Use Level 1 to negotiate NTLMv2
  - Use Level 3 to eliminate LM support
- If users never need to connect to pre-SP4 servers
  - Use Level 4 at the DC to refuse LM clients
Network Data Protection
- Options to enable data integrity and privacy
- File Protection
- Protect systems and applications from network attacks
- Strong network encryption available
  - 56-bit encryption world-wide
- IPSec
- File Server Encryption
  - Changed through Browser
  - Can easily let Administrator lock files or folders with encryption
IP Security
- Host-to-host authentication and encryption
- Network layer
- IP security policy with domain policy
  - Negotiation policies, IP filters
Summary
- Windows® 2000 default security
- Single Sign On
- Network authentication
- Security Interoperability
- Network data protection
For More Information
- Refer to the TechNet website at www.microsoft.com/technet
- Web Pages
  - http://www.microsoft.com/ntserver/security/default.asp
  - http://www.microsoft.com/security
  - http://www.microsoft.com/technet
  - http://msdn.microsoft.com/winlogo/win2000.asp
Session Credits
- Author: Brent Lane
- Producer/Editor: Alan Maier