If you've ever deployed Windows NT Server or Windows 2000 Server, you probably know that Microsoft designed those products to be insecure by default. Although Microsoft provided many security mechanisms, it was up to you to implement them. When Microsoft released Windows Server 2003, the company switched philosophies: the server should be secure by default.

This is generally a good idea, but Microsoft didn't take it quite far enough. While a default Windows Server 2003 installation is certainly more secure than a default Windows NT or Windows 2000 installation, it is still anything but totally secure. Let's discuss some relatively easy measures that you can take to make Windows Server 2003 even more secure.

Know your role
Understanding the server's role (i.e., its intended purpose) is absolutely critical to the security process. There are many roles for which a Windows server can be configured. For example, a Windows Server 2003 machine can act as a domain controller, a member server, an infrastructure server, a file server, a print server, an IIS server, an IAS server, a terminal server, and the list goes on. A server can even be configured to fill a combination of roles.

The problem is that each server role has its own security needs. For example, if your server is going to function as an IIS server, you need to enable the IIS services. However, if the server is going to function solely as a file and print server, enabling IIS would be a needless security risk: every service you leave running is code that listens on the network and must be kept patched.

The reason I'm telling you this is to point out that there is no way I can give you a single set of steps to follow and expect those steps to work in every situation. A server's security needs vary tremendously by the server's role and by the server's environment.

Because there are many ways to harden a server, I'll discuss the steps necessary for configuring a server to act as a simple, but secure, file server. I'll try to point out some things that you might do differently if the server is filling an alternate role. Just please understand that this isn't intended as a comprehensive guide to securing every type of server.

Physical security
To achieve true security, your server must be in a secure location. Normally, this means placing the server behind a locked door. Physical security is extremely important because many administrative and disaster recovery tools exist that can double as attack tools: anyone who can boot the machine from removable media, for example, can read or replace files on its disks, including the SAM. Anyone with such tools and a minimal skill level can compromise a server in a matter of minutes once they have physical access to the machine. Your only hope of preventing such attacks is to place the server in a secure area. This is true of any Windows Server 2003 machine, regardless of its role.

Creating a baseline
Aside from establishing good physical security, the best advice I can give you when deploying a series of Windows Server 2003 machines is to decide on your security requirements prior to deployment and to enforce those policies immediately after deployment.

The best way to do this is to create a security baseline. A security baseline is a list of documented and accepted security settings. In most cases, your baseline settings will differ considerably depending on the server's role, so the best thing to do is to create several different baselines that you can apply to the various types of servers. For example, you might have one baseline for file servers, another for domain controllers, and still another for IAS servers.

Windows Server 2003 includes an MMC snap-in called Security Configuration and Analysis. This tool allows you to compare a server's current security settings against a baseline contained within a security template (.inf) file, and then to apply the template. You can either create these templates yourself or start from one of the included template files in %SystemRoot%\security\templates. Keep the baseline templates under version control, and apply them through Group Policy where you can, so that a server that drifts from its baseline is brought back at the next policy refresh.
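The baseline workflow above can be scripted with secedit.exe, the command-line engine behind the Security Configuration and Analysis snap-in. The script below is an added example, not code from the original article; it runs under PowerShell (a separate download for Windows Server 2003) but only calls tools that ship with the operating system. The C:\Baselines paths and the "fileserver" role name are assumptions; the template names are the ones Windows Server 2003 installs.

```powershell
# Added example (not from the original article): build, check and enforce a
# per-role security baseline with secedit.exe. Paths and the role name are
# assumptions; securews.inf/securedc.inf are templates Windows Server 2003 ships.

$Role     = "fileserver"                         # one baseline per role, as the text advises
$Template = "C:\Baselines\$Role.inf"             # assumed: your edited copy of a template
$Database = "C:\Baselines\$Role.sdb"             # analysis database built from the template
$LogDir   = "C:\Baselines\Logs"
New-Item -ItemType Directory -Path "C:\Baselines", $LogDir -Force | Out-Null

# 1. Seed the role template from %SystemRoot%\security\templates (securews.inf is
#    the secure member-server template; securedc.inf the domain-controller one),
#    then edit the copy: for a file server, for instance, disable the services the
#    role does not need in the [Service General Setting] section.
if (-not (Test-Path $Template)) {
    Copy-Item "$env:SystemRoot\security\templates\securews.inf" $Template
}

# 2. Compare the live server with the baseline. A fresh database each run avoids
#    merging settings left over from an earlier template.
if (Test-Path $Database) { Remove-Item $Database }
secedit /analyze /db $Database /cfg $Template /log "$LogDir\$Role-analyze.log" /quiet

# 3. secedit writes one "Mismatch - <setting>" line per drifted setting; surface them.
$Drift = Select-String -Path "$LogDir\$Role-analyze.log" -Pattern "^\s*Mismatch"
"{0} setting(s) on {1} differ from the {2} baseline" -f @($Drift).Count, $env:COMPUTERNAME, $Role
$Drift | ForEach-Object { $_.Line.Trim() }

# 4. Enforce the baseline once the drift has been reviewed. Uncomment to apply;
#    /areas restricts the push to, for example, only policy and service settings
#    instead of the whole template.
# secedit /configure /db $Database /cfg $Template /overwrite /areas SECURITYPOLICY SERVICES /log "$LogDir\$Role-configure.log" /quiet
```

Run the analysis step from a scheduled task and keep the logs: a growing mismatch count is the earliest sign that someone is changing settings outside the baseline. Review before you enforce, because /configure applies every setting in the template, including ones the template author chose for a different role.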
Security 189
Another service worth taking a look at is the Print Spooler service. The Print Spooler manages all local and network print queues and controls all of the print jobs within these queues. The Print Spooler is required for all printing operations and is enabled by default.

The flip side to this is that not every server requires printing capabilities. Unless a server is acting as a print server, you should disable the Print Spooler. After all, why should a dedicated file server run the Print Spooler? Normally, no one should be sitting at the server console working, so there should be no need to print locally or from across the network.

I realize that often during disaster recovery operations it might become necessary to print an error message or an event log. However, I recommend simply turning on the Print Spooler service when it is needed rather than leaving it on all the time for non-print servers.

Believe it or not, the Print Spooler has a long history of exploitation. There are Trojans that work by replacing the Print Spooler's executable file (spoolsv.exe), or by pointing the service at a different binary. The reason for such an attack is that the Print Spooler runs as a system-level service, under the LocalSystem account, and therefore has a high level of privileges, so any Trojan posing as the Print Spooler inherits those privileges. Disabling the service also removes the spooler's RPC interface from the network, which shrinks the attack surface whether or not a Trojan is involved. To protect your server from such an attack, just prevent the Print Spooler service from running, and check that the service's binary is still the one Windows installed.
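The following script is an added example, not code from the original article. It does what the section recommends, disabling the spooler on a non-print server, and adds the check a practitioner would want: that spoolsv.exe and the service's image path have not been swapped out. It runs under PowerShell (a separate download for Windows Server 2003) and assumes the Windows File Protection cache in %SystemRoot%\system32\dllcache still holds a copy of spoolsv.exe, which is the default.

```powershell
# Added example (not from the original article): stop and disable the Print Spooler
# on a server that does not print, then verify the spooler binary is unmodified.
# Assumes the Windows File Protection cache (dllcache) has not been trimmed.

function Get-FileSha1([string]$Path) {
    # SHA-1 of a file via the .NET crypto classes (PowerShell 1.0 has no hashing cmdlet)
    $Sha1   = [System.Security.Cryptography.SHA1]::Create()
    $Stream = [System.IO.File]::OpenRead($Path)
    $Hash   = $Sha1.ComputeHash($Stream)
    $Stream.Close()
    return ([System.BitConverter]::ToString($Hash)).Replace("-", "")
}

# 1. Stop the service and keep it from starting at boot. Use Manual instead of
#    Disabled if you want to be able to start it for a one-off recovery print job.
if ((Get-Service Spooler).Status -eq "Running") { Stop-Service Spooler -Force }
Set-Service Spooler -StartupType Disabled

# 2. A Trojan posing as the spooler either replaces spoolsv.exe or points the
#    service at another binary, so check the image path first.
$Expected  = Join-Path $env:SystemRoot "system32\spoolsv.exe"
$ImagePath = (Get-WmiObject Win32_Service -Filter "Name='Spooler'").PathName.Trim('"')
if ($ImagePath -ne $Expected) {
    Write-Warning "Spooler image path is '$ImagePath', expected '$Expected'"
}

# 3. Compare the live binary with the Windows File Protection copy. A mismatch means
#    one of the two has been replaced; sfc /scannow then restores the protected file.
$Cached = Join-Path $env:SystemRoot "system32\dllcache\spoolsv.exe"
if (Test-Path $Cached) {
    if ((Get-FileSha1 $Expected) -ne (Get-FileSha1 $Cached)) {
        Write-Warning "spoolsv.exe differs from the dllcache copy; run sfc /scannow"
    } else {
        "spoolsv.exe matches the Windows File Protection copy"
    }
} else {
    Write-Warning "No dllcache copy of spoolsv.exe; verify with sfc /scannow instead"
}

# When a recovery task really needs to print:
#   Start-Service Spooler; <print the event log>; Stop-Service Spooler
```

The hash comparison catches the common case of a replaced system32 binary, but an attacker with SYSTEM rights can replace the dllcache copy too; sfc /scannow verifies both against the signed catalogs and is the authoritative check. Put the disabled startup type in the role's security template as well, so the baseline re-disables the service if someone re-enables it.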
If I were to tell you that Windows NT Server 4.0 was a lot more secure than Windows 2000 Server, you would probably think that I had lost my mind. Sometimes, though, truth is stranger than fiction. In some ways, Windows NT Server was more secure than Windows 2000 Server. However, Microsoft learned from its mistakes and implemented a Windows NT-like security structure in Windows Server 2003's Active Directory. Let's discuss these security issues and learn some tips you can use to build a secure Active Directory (AD) environment.

Physical security is job 1
When attempting to secure AD, it's critical that you implement physical security first. If anyone you wouldn't trust with the Administrator password has physical access to a domain controller or to your DNS servers, you don't have a secure AD. Many administrative and disaster recovery tools exist that can easily double as attack tools. Given physical access to the server, someone with minimal computer knowledge can compromise it in a matter of minutes, and a domain controller is worse than an ordinary server here, because its disk holds the directory database and every account's password hash. So don't even bother trying to secure AD until you've made sure that all of your servers are placed in a secure location.

Windows NT vs. Windows 2000
Don't get me wrong. In many areas, Windows 2000's security is far superior to that offered by Windows NT. However, there is a basic rule of thumb in computing that the more complex a piece of software is, the greater the chance that it will contain a security hole or a major bug that can be exploited. As we all know, Windows 2000 is a lot more complex than Windows NT.

Perhaps the best example of simplicity and security going hand-in-hand involves the domain model implemented by each server operating system. In Windows NT, the domain was pretty much the only organizational structure that existed. A domain often contained all
What is different about the forest structure in Windows Server 2003 from that of Windows 2000 Server is that Windows Server 2003 makes it relatively easy to establish trust relationships between forests. In Windows 2000, two forests could be linked only by non-transitive external trusts between individual domains; in Windows Server 2003, a true forest trust is available, and inter-forest trusts are actually useful. When a trust relationship exists between forests, an administrator can grant a user from a foreign forest access to a resource in the same manner that they would if the user existed within the local forest.

Single forest vs. multiple forests
A single-forest environment is ideal for most small to medium-sized companies. Single-forest environments are easy to manage. But larger companies often need each office or each department to have full administrative capabilities over its own users and computers. In such environments, there is often a high degree of distrust between these various groups. In a situation like this, interconnected forests are ideal because they give each group total autonomy. The forest, not the domain, is the real security boundary in AD: a domain administrator in any domain of a forest can, with some effort, gain control over the rest of the forest, so separate forests are the only way to separate groups that do not trust each other's administrators.

At the same time, even though the administrative burden is distributed, such a model usually has a much higher total administrative burden than a single-forest environment, which results in higher administrative costs to the company as a whole. My point is that, in a Windows Server 2003 AD environment, there is a trade-off between cost and security.

Inter-forest trusts
Let's discuss the specifics behind using multiple forests as a mechanism for securing your organization's AD. First, each forest has its own AD; there is no common thread of any kind tying the forests together. Even so, it's possible to configure each forest to use a common DNS server. Assuming that the DNS server and backup DNS server are managed by someone trustworthy, DNS server consolidation is a great way to reduce cost and lessen the administrative burden. On the flip side, sharing a common DNS server can also be a single point of failure for the network if no backup DNS server is used, and whoever controls that DNS server can redirect every forest's domain-controller lookups.

There are some prerequisites you must meet before you can establish a trust relationship between forests in Windows Server 2003. Perhaps the most difficult of these is that every forest involved in the trust must be running at the Windows Server 2003 forest functional level. Windows 2000 allowed you to run AD in either mixed mode or native mode; the functional level in Windows Server 2003 is very similar to this. Setting a forest to the Windows Server 2003 forest functional level requires every domain controller within the forest to be running Windows Server 2003, and the change cannot be undone.

Also, to create an inter-forest trust, you must be a member of the Enterprise Admins group. You must also have your DNS server configured so that it can resolve the names of domains and servers within the forest with which you're establishing the trust relationship, typically by adding a conditional forwarder or a stub zone for the other forest's namespace.

Finally, as you may recall from Windows 2000, every forest has a root domain and all other domains fall beneath the root. Windows Server 2003 can create a forest trust only from the root domain, because forest trusts are transitive at the domain level. This means that if you were to establish a two-way trust between Forest A and Forest B, then every domain in Forest A will trust every domain in Forest B, and vice versa. (A one-way forest trust is also possible, in which case only the trusting forest's domains trust the other forest's domains.) Forest trusts are not transitive at the forest level, though.

For example, if Forest A trusts Forest B and Forest B trusts Forest C, Forest A will not trust Forest C unless you tell it to do so. As you can see, the transitive nature of forest trusts makes them fairly powerful. If your forest has multiple domains, you don't want an administrator of some lower-level domain creating a forest trust without your knowledge or consent. That would cause huge security problems. This is why you can create a forest trust only at the forest root level. Even at the root, consider enabling selective authentication on the trust, so that users from the other forest can authenticate only to the servers on which you explicitly grant them the Allowed to Authenticate permission.

Another interesting thing about creating trusts with Windows Server 2003 is that you don't necessarily have to create a full forest trust. Suppose your business needs to establish a trust relationship with a supplier. You probably need to establish a trust relationship with only one of the supplier's domains. You probably aren't interested in the supplier's human resources or marketing domains. In such a case, you can create what's called an external trust.
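Before opening the New Trust Wizard, it is worth checking the three prerequisites the text lists (forest functional level, Enterprise Admins membership, DNS resolution of the other forest) and what trusts already exist. The script below is an added example, not code from the original article; it uses ADSI and the whoami, nslookup and nltest tools that ship with Windows Server 2003, run from PowerShell (a separate download for that release). The partner forest name supplier.example is an assumption.

```powershell
# Added example (not from the original article): verify forest-trust prerequisites.
# The partner forest name is an assumption; everything else is built into
# Windows Server 2003.

$PartnerForest = "supplier.example"       # assumed DNS name of the forest to trust

# 1. Forest functional level. RootDSE publishes forestFunctionality:
#    0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
$RootDse = [ADSI]"LDAP://RootDSE"
$Level   = [int]$RootDse.forestFunctionality.Value
$Forest  = $RootDse.rootDomainNamingContext.Value
if ($Level -ge 2) {
    "Forest $Forest is at Windows Server 2003 forest functional level"
} else {
    Write-Warning "Forest $Forest is at functional level $Level; every DC must run Windows Server 2003 and the level must be raised first"
}

# 2. The account that creates the trust must be a member of Enterprise Admins.
if ((whoami /groups) -match "Enterprise Admins") {
    "Running as a member of Enterprise Admins"
} else {
    Write-Warning "Current account is not a member of Enterprise Admins"
}

# 3. DNS must resolve the partner forest's domain controllers. The trust wizard
#    looks up the _ldap._tcp.dc._msdcs SRV record itself, so test exactly that.
$Srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$PartnerForest" 2>$null
if ($Srv -match "svr hostname") {
    "DNS locates domain controllers for $PartnerForest"
} else {
    Write-Warning "No SRV records for $PartnerForest; add a conditional forwarder or stub zone"
}

# 4. Existing trusts, so a new forest trust is not layered on top of a stale
#    external trust to one of the same domains.
nltest /domain_trusts /all_trusts
```

Run it on a domain controller of the forest root domain, since that is where the trust has to be created. The same checks apply to the administrators of the other forest; if their side fails any of them, the wizard will fail on the incoming leg of the trust.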
Most companies go to great lengths to protect data. All of your efforts to secure files basically boil down to how much you trust your employees. You have always been able to control access to files through authentication and permissions, but until now it has been impossible to control what an authorized individual does with the files once they gain access. This is where Windows Rights Management Services (RMS) comes in. RMS offers persistent protection that stays with a file, no matter where that file may go.

A practical example
For example, suppose that I had some super-secret Microsoft Word document explaining how I was going to take over the world. Normally, I would grant a couple of highly trusted people access to the document and pray that they didn't pass the document on to anyone else.

With Windows Rights Management, in addition to the normal permissions on the file server where I keep my secret plans, I could actually build permissions into the document saying that only certain people are allowed to access the document. That way, if one of my trusted staff members gave a copy of the document to someone else, that someone else would be unable to open the document. Be clear about what this does and does not do: the document is encrypted, and an RMS-aware application refuses to open or print it without a license from the RMS server, but RMS cannot stop an authorized reader from photographing the screen or retyping the content.

Beyond passwords
As you know, for years now it has been possible to password protect Microsoft Office documents. RMS goes way beyond password protection. After all, it's way too easy for someone to pass a document along to someone else with an e-mail message that says something like: "Here's the document that I told you about. The password to open the document is Scarab."

Speaking of e-mail messages, RMS can even be applied to an e-mail message. For example, years ago I worked for an insurance company that was having some financial problems. The president of the company sent out a confidential e-mail message to the managers telling them that 20 percent of the staff was to be laid off. Although the message was supposed to be confidential, one of the managers forwarded the e-mail to her entire staff, who in turn forwarded the message to a bunch of other people. By the end of the day, pretty much everyone in the company had seen the memo. Sure, the manager who leaked the memo was promptly fired, but the damage had already been done.

If this situation were to occur today, the president could apply RMS protection to the e-mail message. This would prevent the message from being forwarded to anyone except the people he specifically designated. He could even go so far as to put a time bomb in the message so that the message would "self destruct" after a specific length of time or after being opened.

Implementing Windows Rights Management Services
Obviously, RMS is a very useful technology, but you are probably wondering how it works. There are two primary components to RMS. First, there's the RMS service itself. This is a server-level component that certifies users and issues the licenses that let them open protected content. Second, there is the client component. Typically, the client component is embedded in an RMS-enabled application such as Microsoft Office 2003. There is also a software developer's kit that developers can use to build RMS security into custom applications.

Although RMS is designed to run on Windows Server 2003, it does not ship with Windows Server 2003. Instead, it is a downloadable add-on. You can download the RMS service from Microsoft's Windows Server 2003 Web site (http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx). The RMS setup file is a 2.12 MB self-extracting executable.
Next, followed by Install, to begin the installation process. After the necessary files are copied, click Close to complete the installation process.

Provisioning
After you have installed RMS, the next thing that you have to do is to provision it. The provisioning process creates the root certification server and configures all of the services and resources necessary for RMS to support certification. The provisioning process is done through IIS. You must select a Web site to act as the host for the provisioning process. Using the server's default Web site is fine because RMS simply borrows the site. Note that RMS keeps using that site after provisioning: its certification and licensing Web services live under the _wmcs virtual directory, so the site must stay available to clients.

To begin the provisioning process, click the Start button and then select All Programs\Windows RMS\Windows RMS Administration. When you do, you will see a screen similar to the one shown in Figure A. Now, click the Provision RMS On This Web Site link next to the Default Web Site option. When you do, you will see the screen shown in Figure B. As you can see in the figure, you are asked whether you want RMS to use a local database or a remote database. Just enter the name of a SQL Server in your organization that can be used to store RMS data.

Figure A: You must use a Web interface to provision RMS.

Next, you will be asked to specify the RMS service account. The RMS service account must be a different account from the one that was used to install RMS. If RMS will be running only on a single server, you can use the local system account. However, the local system account has access to practically everything on the server, so there are serious security implications to using the local system account in a production environment; a dedicated domain account with only the rights RMS needs is the safer choice.

Figure B: You must supply the name of a database server and the name for an RMS service account.

After entering the service account credentials, scroll down and you will see the fields shown in Figure C. The first thing that you must enter on this portion of the screen is the URL used by the root certification cluster. By default, http://servername/_WMCS will be used. Choose this URL carefully, because it is embedded in every certificate and license the cluster issues and cannot easily be changed later.

Next, you must enter a password that will be used to encrypt the RMS private key in the database. Record this password somewhere safe; without it you cannot recover the server's key from a database backup. After entering the encryption password, enter the server licensor certificate name. By default, this is the same as the server name. You also have the option of listing an administrative contact.

If your network uses a proxy server, then you will have to enter the proxy server's URL and the IP address range for the local address table.

The final portion of the provisioning screen allows you to enter the name of a file that
order to create or open restricted content. Select your account and click OK. At this point, you will see the screen shown in Figure D. This screen allows you to enter the e-mail addresses of users who are allowed to read or make changes to the document.

If you would prefer some slightly more advanced configuration options, click the More Options button and you will see the screen shown in Figure E. As you can see in the figure, this Permission dialog box allows you to set an expiration date for the document. After the expiration date, the document "self destructs": strictly speaking, the file is still there, but the RMS server will no longer issue a use license for it, so RMS-aware applications refuse to open it. You can also control whether specified users are allowed to print or copy the document's content or access it programmatically. You can even allow users to browse a document with previous versions of Office and to request additional permissions to a document.
With the release of version 1.2 of the Microsoft Baseline Security Analyzer (MBSA 1.2), Microsoft has vastly improved this already excellent proactive security tool and turned it into a much more full-featured utility. The MBSA includes a powerful graphical user interface that provides administrators with a way to interactively scan local and remote servers and desktop machines. From the reports generated, administrators can take appropriate action to address potential security problems, such as installing required patches, enabling automatic updates, or turning on the Windows XP firewall. Bear in mind that MBSA checks for missing patches and known weak configurations; a clean report means the machine matches Microsoft's checklist, not that it is free of vulnerabilities.

Scripted scans
One area that the GUI does not address is the ability to script a scanning session. Most administrators work normal business hours, which are times that heavy scans are usually avoided because of their potential impact on the network, servers, and desktop computers. For this reason, the MBSA includes a command-line utility that performs the same functions as its GUI counterpart and can be included in nightly, weekly, or monthly routines to scan for vulnerabilities. From this scan, a report is generated from which an administrator can take proactive steps to protect the infrastructure.

The executables
MBSA includes two executables: mbsa.exe and mbsacli.exe. The mbsa.exe executable powers the GUI side of the utility, while, as you might expect, the mbsacli.exe executable is the command-line side. By default, both of these executables are stored in C:\Program Files\Microsoft Baseline Security Analyzer. Please note that if you have the GUI MBSA utility open, the command-line version will not run.

By default, the results of a scan are stored in the C:\Documents and Settings\user name\SecurityScans folder and have names similar to "WORKGROUP - W2K3 (5-20-2004 5-35 PM)," where the workgroup/domain is listed along with the system name and the date and time of the scan. This is true for both the GUI and the command line, but you don't usually have to know this for the GUI, since the program handles the report display. Because the reports live in a per-user profile folder, a scan run by a scheduled task lands in that task account's profile, not yours.

Using the command line
There are two ways to run the command-line version of MBSA. The first syntax actually performs scans, and the second provides a listing of results from the most recent scan. So, it's a two-pass process.

Running a basic local scan
Mbsacli.exe doesn't actually require any parameters. If you omit them, the local computer is simply scanned, assuming that you have administrative rights with the current logon. The results of a local scan from the command line should look something like Listing A.

Listing A
Computer Name, IP Address, Assessment, Report Name
-------------------------------------------------------------------------------
WORKGROUP\W2K3, 192.168.1.103, Severe Risk, WORKGROUP - W2K3 (6-1-2004 6-21 PM)

Viewing the results of the basic scan
As with the GUI version, the command-line version of MBSA produces very detailed results to help you pinpoint and address potential security weaknesses in your network. I like the fact that it doesn't just assume you want things "fixed." Instead, it provides information so you can make a decision about what to address or ignore. To get the results, type the following, substituting the appropriate report name:
mbsacli /ld "WORKGROUP - W2K3 (6-1-2004 6-21 PM)"

When reports are generated using a command-line scan, they can also be viewed with the GUI at your leisure. Both the GUI and the command line store their files in the same location, so each utility can use the scan results generated by the other. Figure A displays the local scan showing up as an entry in the GUI's Pick A Security Report To View option. Figure B shows the first page of that scan.

Personally, I like to be able to script this kind of stuff and view the results with a GUI. The command-line viewing option works, but it's more difficult to interpret.

Figure A: The recent scan also shows up in the GUI.
Figure B: This is the first page of the scan.

Full syntax
As I mentioned, there are two syntaxes for mbsacli.exe, depending on whether you want to just run a scan or view the results of a previously run scan. Here's the full syntax of the mbsacli scan command:

mbsacli [/c|/i|/r|/d domain] [/n option] [/o file] [/f file] [/qp] [/qe] [/qr]

Switches you can use include:
• /c domain\computer: Scan the computer named in domain\computer.
• /i IP_addr: Scan the computer identified by the IP address provided.
• /r "IP_addr-IP_addr": Scan the computers in the range of IP addresses provided.
• /d domain: Scan all computers in the target domain.
• /n option: By default, MBSA performs all scans against the targets. Use /n to remove specific scans. Valid options are OS, SQL, IIS, Updates, and Password. To omit more than one scan, separate the /n options with a + (plus sign).
• /o file: Specify the name of the file to which to write the results. The default name uses the syntax "%D% - %C% (%T%)", where %D% is the domain or workgroup name, %C% is the name of the computer, and %T% is the date and time of the scan.
• /f file: Write console output to the file specified.
• /qp: Don't display the progress of the current scan.
• /qe: Don't display errors present in the current scan.
• /qr: Don't display the list of reports.
• /s 1: Suppress security notes.
• /s 2: Suppress security notes and warnings.
• /nvc: By default, MBSA always checks for a new version of itself when it runs. Use /nvc to skip this check.
• /baseline: Check only for baseline security updates rather than all updates (the default in the GUI).
• /nosum: Do not verify checksums for security updates. Use only if you need different language versions of patches and
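The scripted, off-hours scan that the section argues for, as an added example that is not part of the original article: it uses only the mbsacli.exe switches documented above, captures the Listing A summary line for each target, and pulls the detailed report for anything rated Severe Risk. It runs under PowerShell (a separate download for Windows Server 2003). The CORP domain, the server names and the C:\Logs\MBSA folder are assumptions.

```powershell
# Added example (not from the original article): unattended MBSA 1.2 sweep of a
# fixed server list, using the mbsacli switches the text documents. Domain, server
# names and paths are assumptions; schedule it outside business hours.

$MbsaCli = "C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe"
$Domain  = "CORP"                                # assumed NetBIOS domain name
$Servers = "FS01", "DC01", "WEB01"               # assumed targets
$LogDir  = "C:\Logs\MBSA"
$Stamp   = Get-Date -Format "yyyy-MM-dd"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Summary = @()

foreach ($Server in $Servers) {
    # /n Password skips the slow password checks on domain members; /nvc stops an
    # unattended job from phoning home for a version check; /qp /qe reduce the
    # console output to the one-line-per-computer summary in Listing A format;
    # /o keeps the GUI's report naming so the scan also shows up in mbsa.exe's
    # "Pick a security report to view" list.
    $Output = & $MbsaCli /c "$Domain\$Server" /n Password /nvc /qp /qe /o "%D% - %C% (%T%)"
    $Output |  Out-File -FilePath "$LogDir\$Server-$Stamp.txt"
    $Summary += $Output | Where-Object { $_ -match "^$Domain\\" }
}

# Second pass: parse "Computer Name, IP Address, Assessment, Report Name" lines
# and save the detailed report (mbsacli /ld) for anything rated Severe Risk.
foreach ($Line in $Summary) {
    $Fields = $Line.Split(",") | ForEach-Object { $_.Trim() }
    $Computer, $Address, $Assessment, $Report = $Fields[0], $Fields[1], $Fields[2], $Fields[3]
    "{0,-20} {1,-16} {2}" -f $Computer, $Address, $Assessment
    if ($Assessment -eq "Severe Risk") {
        $Name = $Computer.Split("\")[-1]          # strip the domain for the file name
        & $MbsaCli /ld $Report | Out-File -FilePath "$LogDir\$Name-$Stamp-detail.txt"
    }
}
```

Run the task under an account that is a local administrator on every target, and make sure the Remote Registry service and file and print sharing are enabled on them; without those, mbsacli reports the computer as unreachable rather than insecure. Keep the dated summaries: a machine whose assessment changes from Strong Security to Severe Risk between two runs is the one to look at first.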
It's a good bet you're familiar with group policy, which enables administrators to assert change control and set a broad range of settings for the operating system, desktop and working environment, network, and much more for servers and workstations. You might also know that group policy can be applied at different levels, which opens the possibility for a policy at one level to override the policy set at another level. So, determining the resultant set of policy (RSoP) can sometimes be difficult. At best, it can be confusing. To help administrators get a handle on group policy, Microsoft introduced the Resultant Set of Policy MMC snap-in. Here's what the RSoP snap-in does and how you can use it to get a handle on your own policies.

How group policies are applied
Understanding how RSoP works requires that you first understand how group policy is applied and the factors that affect policy application. Group policy can be applied at the local, site, domain, and organizational unit (OU) levels (the "domain controller policy" is simply a GPO linked to the Domain Controllers OU). Whether a particular policy is effective depends on the level at which it is applied and whether the same policy is set differently at a level with higher precedence. Group policy is processed in the following order, and when two GPOs set the same policy, the one processed later wins:
• Local policy
• Site policy
• Domain policy
• OU policy (parent OU first, then each child OU)

So, all else being equal, a GPO linked to the OU that contains the user or computer has the highest precedence and the local policy the lowest. Within one level, the link order on the container decides: the GPO with link order 1 is processed last and wins.

In addition, you can set the No Override attribute on a GPO link (the Group Policy Management Console calls it Enforced). When No Override is enabled, GPOs processed later cannot override the settings in the protected GPO, and Block Policy Inheritance on a child container does not block it either. For example, assume you set a policy in a GPO linked at the domain level and set the policy differently in a GPO linked to an OU. Normally the OU GPO, being processed after the domain GPO, would override it. However, if you enable No Override on the domain GPO link, the domain setting stays in force for every OU beneath it, even though the OU GPO is processed later. This is the mechanism to use for settings an OU administrator must not be able to relax, such as audit policy or security log settings.

One other factor that determines whether the settings in a given GPO become effective is the permissions set on the GPO. A GPO is applied to a user or computer only if that security principal has both the Read and the Apply Group Policy permission on it. For example, if you remove the Read or Apply Group Policy permission for a given security group, the GPO's policies will not be applied to users in that group. Setting Apply Group Policy to Deny for a group is the usual way to exempt it.

What's the RSoP snap-in?
The RSoP snap-in enables you to query current or planned policies and view the results of that query, which is the resultant set of policy, for a specified target user and computer. In addition to group policies, RSoP includes administratively assigned settings including those from administrative templates, folder redirection, Internet Explorer maintenance, security settings, scripts, and software installation policies. By including these objects, RSoP provides a complete view of the environment resulting from all of these settings.

The RSoP snap-in operates in one of two modes: Logging Mode or Planning Mode. In Logging Mode, the RSoP snap-in queries the policies that were actually applied and displays the resulting policy set for a given user and computer. Logging Mode therefore enables you to review the policy settings that are in effect for the target user/computer. Logging Mode can be a valuable and effective tool for troubleshooting policy application problems and determining how security groups affect policy settings.

Planning Mode enables you to explore different policy scenarios. In Planning Mode you specify several items of information about the desired target including container or user, computer, site, security group membership, and other factors to determine the resultant set of policy based on those selections. Planning Mode offers an excellent means for determining the
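The command-line counterpart of a Logging Mode query is gpresult.exe, which ships with Windows Server 2003 and reads the same RSoP data the snap-in shows. The script below is an added example, not code from the original article; it runs under PowerShell (a separate download for Windows Server 2003). The computer name WS001, the user CORP\jdoe and the output folder are assumptions.

```powershell
# Added example (not from the original article): a Logging Mode RSoP query from
# the command line with gpresult.exe. Target, user and output folder are assumptions.

$Target = "WS001"                  # assumed computer to query
$User   = "CORP\jdoe"              # assumed user who has logged on to that computer
$OutDir = "C:\Logs\RSoP"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# /s queries a remote computer; /user names a user who has logged on to it
# (like the snap-in's Logging Mode, gpresult cannot report on a user who never
# has; that is what Planning Mode is for). /v lists each winning setting with the
# GPO it came from, the same information as the snap-in's Source GPO column.
gpresult /s $Target /user $User /scope user /v > "$OutDir\$Target-user.txt"
gpresult /s $Target /scope computer /v        > "$OutDir\$Target-computer.txt"

# /z is the "super verbose" form: for each policy it shows every GPO that set it,
# in precedence order, not just the winner. Use it when a setting is not what you
# expected and you need to see which GPO lost and why.
gpresult /s $Target /user $User /z > "$OutDir\$Target-precedence.txt"

# Quick triage straight from the report: the GPOs that were applied, and the GPOs
# that were filtered out (security filtering or a WMI filter) with the reason.
$Report = Get-Content "$OutDir\$Target-user.txt"
for ($i = 0; $i -lt $Report.Count; $i++) {
    if ($Report[$i] -match "Applied Group Policy Objects|were not applied") {
        $End = [Math]::Min($i + 6, $Report.Count - 1)
        $Report[$i..$End]
        ""
    }
}
```

Querying a remote computer with /s needs local administrator rights on that computer, because gpresult reads its root\rsop WMI namespace over DCOM. The "not applied" list is the first place to look when a GPO you expect to see is missing: the reason column tells you whether it was Block Policy Inheritance, security filtering, or a WMI filter that kept it out.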
you want to view the policies for that domain account. Logging on with the domain administrator account lets you choose that domain administrator account or any local accounts that have been used previously to log on. Logging Mode can only report on users who have actually logged on to the target computer, because it reads the policy that was applied there.

You can also select an option here to exclude the user settings and show only the computer settings. Again, this option is handy when you want to focus solely on computer settings and simplify the resulting query. The Summary dialog box that appears when you click Next shows the settings you have selected.

Figure C: Select what user to check policy on.

After the wizard finishes the query, the RSoP snap-in will probably look a little more familiar to you (Figure D), particularly if you have worked with the Group Policy Editor. The left pane provides a hierarchical tree of settings. When you click a branch in the left pane, the policies under that branch appear in the right pane. The columns in the right pane are essentially the same as in the Group Policy Editor, but with the addition of a Source GPO column that indicates the GPO the policy setting came from. You can double-click a policy to open a dialog box that shows more information about the policy, including its value (Figure E) and precedence (Figure F). The Precedence tab is the one to check when a setting is not what you expected: it lists every GPO that set the policy, in the order they were considered, not just the winner.

At this point you can browse through the policies as needed. If you need to view policies for a different computer or user, you can either clear the current query and reissue it, or open another instance of the snap-in focused on the desired target. To clear the query and start a new one, right-click the upper-most branch of the policy target in the left pane and choose Change Query to start the Resultant Set Of Policy Wizard. Follow the steps in the wizard to specify the information for the new query, just as you did for the old one.

Opening a new instance of the RSoP snap-in rather than clearing the existing query is useful when you need to compare settings between policy targets. Just add the snap-in as you did for the first one, then right-click the new instance in the left pane and choose Generate RSoP Data.

Figure E: You can view the value of a policy.
Figure F: You can also view the group policy precedence.
When Replace is selected, the group policy object list for the user is replaced entirely by the list already obtained for the computer at startup. When set to Merge, the group policy list is a concatenation of the computer list obtained at startup and the user list obtained after logon. Setting this option in the RSoP snap-in in Planning Mode has the same effect as setting the User Group Policy Loopback Processing Mode policy for the target GPO.
The Advanced Simulation Options page also allows you to choose a site for the scenario. Site selection here enables you to analyze the effect of settings based on startup or logon on a subnet other than the one from which you are running the query. In the Alternate Active Directory Paths page that follows in the wizard (Figure I), you specify the location in which the target policy is intended to be applied.
Figure H: You can select additional options for the RSoP console.
In the next two pages of the wizard you have the capability to specify the security groups in which the user and the computer reside. Figure J shows the User Security Groups page (the Computer Security Groups page is similar). You can add and remove groups to simulate the effect of actually changing group membership for the target. However, you’re changing only the simulated group membership, not the actual group membership. In this way you can test the effects of membership changes before you actually make those changes.
The next two pages of the wizard prompt you to specify how WMI filters for the GPO are to be handled. WMI filters enable you to filter the application of group policy based on criteria such as hardware configuration. With these two pages you can specify that all WMI filters be applied or only selected filters be applied for the user and/or computer. The final page of the wizard displays a summary of your selections and allows you to choose the domain controller on which to process the simulation.
Figure I
As with Logging Mode, Planning Mode generates a policy set that you can navigate and view. Policies that have a setting other than Not Defined have a red circle and X icon. This helps you quickly identify policies that have been set.
Delegating RSoP
As I hinted at earlier in this article, you can delegate permission to generate RSoP queries to help distribute administrative workload. A user who has been delegated the necessary permission can perform queries in either Logging Mode or Planning Mode (as you designate) without having to log on as or be a member of the Domain Admins or Enterprise Admins groups.
To delegate RSoP, open the Active Directory Users And Computers console. Right-click the OU and choose Delegate Control to start the Delegation Of Control Wizard. Click Next, add the user or group to which you want to delegate, and click Next. In the Tasks To Delegate page (Figure K), place a check beside Generate Resultant Set of Policy (Logging) and/or Generate Resultant Set of Policy (Planning) and then click Next. Click Finish to apply the delegation.
Figure J: You can simulate the effects on different groups.
Figure K: Using the Delegation Of Control Wizard, you can allow other users to run the RSoP MMC.
New Windows Server 2003 tool boosts group-policy control
March 6, 2003
By Brien M. Posey, MCSE
Anyone who has ever administered group policies in a Windows 2000 Server environment knows that the process can be both confusing and frustrating. Although Microsoft’s hierarchical approach to group policy implementation makes sense at a logistical level, the management interface is lacking, to say the least. Fortunately, this is one of the major problems that Microsoft has addressed in Windows Server 2003. When Microsoft releases Windows Server 2003, it plans to simultaneously release a brand-new Group Policy Management console that provides a single interface for managing group policies across the entire enterprise.
What is the Group Policy Management Console?
The Group Policy Management Console is Microsoft’s all-in-one solution for working with group policy objects. It consists of a Microsoft Management Console (MMC) Snap-In and a set of script interfaces for managing group policies via script.
To get an idea of why the Group Policy Management Console will be such a great tool, consider this: Administrators today use a variety of different tools to implement group policy settings. These tools include things such as:
• Active Directory Users and Computers
• Active Directory Sites and Services
• The Resultant Set Of Policy Snap-In
• The Access Control List (ACL) Editor
• The Delegation Wizard
Each of these tools exposes some fragment of the total group policy functionality. The Group Policy Management Console takes all of the group policy functions currently available through these tools and combines them into a single interface. The utility also includes things like backup, restore, copy, and import functionality.
Although the Group Policy Management Console integrates functionality from all of the different tools that I mentioned earlier, it isn’t intended as a replacement for these tools. Remember that group policies are designed to control security. While security settings are certainly available through tools like Active Directory Users And Computers or Active Directory Sites And Services, those tools’ primary functions are related to administration, not security. Therefore, you’ll still use the tools that I listed in the same manner that you always have.
In case you’re wondering, the Group Policy Snap-In was replaced by the Group Policy Object Editor in Windows Server 2003. However, the Group Policy Management Console didn’t overwrite the Group Policy Snap-In. All of the Group Policy Object Editor’s functionality has been rolled into the Group Policy Management Console, but that doesn’t mean that you can’t still use the Group Policy Snap-In if you want. The Group Policy Management Console is available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en.
System requirements
The Group Policy Management Console’s system requirements are a little strange to say the least. For example, the product supports Windows 2000, but it won’t run on Windows 2000. The new Group Policy Management Console can be used to manage group policies in both the Windows 2000 and Windows Server 2003 versions of Active Directory. This means that you’ll be able to take full advantage of the tool’s new management capabilities even if you aren’t planning to upgrade to Windows Server 2003.
The catch is that the utility won’t run on the Windows 2000 operating system. Instead, you
simply doesn’t migrate well. The two main types of data that tend to cause problems are security principals and Universal Naming Conventions (UNCs).
Security principals are often found in the form of security identifiers (SIDs). SIDs are unique identification numbers that are applied to each object. For example, objects such as users, groups, and computers all have SIDs associated with them. Because of the unique nature of SIDs, a SID that’s valid in one domain wouldn’t necessarily be valid in another domain.
Just as SIDs can throw a monkey wrench into the process of migrating a group policy object, so too can UNCs. A UNC refers to a path that’s expressed in the \\servername\sharename format. The problem is that a server name and share name that are valid in one domain may not be valid in another domain.
The Group Policy Management Console takes a lot of the work out of migrating group policy objects to a new domain. However, doing so may still be a fairly involved process. The Group Policy Management Console is capable of performing four functions that are related to policy archival. These functions are:
• Backup
• Restore
• Copy
• Import
Don’t even try to use the Backup and Restore operations for migrations. It’s impossible to restore a policy backup to a different domain. You can use the Import function with the Backup function as a technique for updating a group policy object’s existing settings, but to do so, a group policy object must already exist in the destination directory, even if the existing group policy object is empty. The Copy function is almost always the tool of choice for migrations, because the Copy process doesn’t require you to have a group policy object that’s already in place in the destination domain.
As you can see, the two main problems associated with migrating group policy objects between domains are the distributed nature of the policy settings and the fact that SIDs and UNCs would be mismatched if the policies were to be copied directly. Fortunately, with a little work, you can use the Group Policy Management Console to overcome both of these problems. Overcoming the problem of distributed information is easy and automatic. Since the Group Policy Management Console already knows where all of the group policy setting information is stored, you don’t have to worry about tracking it down.
Overcoming the information mismatch problem is a little more complicated though. In order to deal with SID and UNC mismatches, you must create a migration table. A migration table is an XML file that maps an old value to a new value. I’m not going to get into the specifics of creating migration tables, because it would be possible to write an entire article on this one step of the process. What I can tell you though is that each entry in a migration table has three values: an object type, a source value, and a destination value.
WATCH OUT FOR THESE ITEMS
The following items contain security principals and can therefore cause problems because they may reference SIDs:
• Security policy settings found in user right assignments
• Restricted groups
• Services
• The file system
• The registry
• Advanced folder redirection policies
• The GPO DACL
• The DACL applied to software installation objects
Also, UNC paths, which can lead to problems with group policy object migrations as well, can be found in:
• Folder redirection policies
• Software installation policies
• Login scripts
• Startup scripts
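To make the three-value entries concrete, here is an added example (not from the article or from GPMC itself) that parses a small migration table and applies it to a constructed set of GPO settings of the kinds the sidebar lists, reporting any SID or UNC share the table does not cover. The element and namespace names of the .migtable XML, the sample SIDs and the share names are all assumptions made for the example.

```python
"""Added example (not from the article): build and apply a GPMC-style
migration table to a constructed set of GPO settings.

Each table entry carries the three values the article describes: an object
type, a source value, and a destination value.  The element and namespace
names used below are my assumption about the .migtable XML layout; check them
against a table saved by your own GPMC before relying on them.
"""
import re
import xml.etree.ElementTree as ET

# Assumed namespace of the .migtable format (see module docstring).
NS = "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"

# Constructed sample table: a group SID and a UNC share from the source
# domain mapped to their counterparts in the destination domain.
SAMPLE_MIGTABLE = f"""<MigrationTable xmlns="{NS}">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>S-1-5-21-1111111111-2222222222-3333333333-1105</Source>
    <Destination>S-1-5-21-4444444444-5555555555-6666666666-1203</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\\\oldfs\\scripts</Source>
    <Destination>\\\\newfs\\scripts</Destination>
  </Mapping>
</MigrationTable>
"""

# Constructed sample of the kinds of settings the sidebar lists as carrying
# SIDs (user rights, restricted groups) and UNC paths (scripts, redirection).
SAMPLE_SETTINGS = {
    "UserRights/SeInteractiveLogonRight":
        "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "RestrictedGroups/Administrators":
        "S-1-5-21-1111111111-2222222222-3333333333-1105,"
        "S-1-5-21-1111111111-2222222222-3333333333-500",
    "Scripts/Logon": r"\\oldfs\scripts\logon.vbs",
    "FolderRedirection/MyDocuments": r"\\homefs\users\%USERNAME%",
}

# Domain-relative SIDs (S-1-5-21-<three sub-authorities>-<RID>).
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")
# The \\server\share prefix of a UNC path; anything after the share is kept.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")


def load_migration_table(xml_text):
    """Parse a migration table into {source: (object_type, destination)}."""
    root = ET.fromstring(xml_text)
    table = {}
    for mapping in root.findall(f"{{{NS}}}Mapping"):
        obj_type = mapping.findtext(f"{{{NS}}}Type")
        source = mapping.findtext(f"{{{NS}}}Source")
        destination = mapping.findtext(f"{{{NS}}}Destination")
        if not (obj_type and source and destination):
            raise ValueError("incomplete <Mapping>: need Type, Source, Destination")
        table[source] = (obj_type, destination)
    return table


def migrate_settings(settings, table):
    """Rewrite every SID and UNC server\\share prefix found in the settings.

    Returns (migrated_settings, unmapped).  A value the table does not cover
    is left as-is and reported in `unmapped` as (setting_name, value), so the
    table can be completed before the GPO is copied into the new domain.
    """
    migrated = {}
    unmapped = []
    for name, value in settings.items():
        def swap(match, name=name):
            found = match.group(0)
            if found in table:
                return table[found][1]
            unmapped.append((name, found))
            return found
        migrated[name] = UNC_RE.sub(swap, SID_RE.sub(swap, value))
    return migrated, unmapped


if __name__ == "__main__":
    table = load_migration_table(SAMPLE_MIGTABLE)
    new_settings, missing = migrate_settings(SAMPLE_SETTINGS, table)
    for name, value in new_settings.items():
        print(f"{name}: {value}")
    for name, value in missing:
        print(f"NOT MAPPED (add to migration table): {name} -> {value}")
```

The unmapped list is the useful output: a well-known RID such as -500 and a home-directory server that the table never mentioned are exactly the entries that would otherwise be copied unchanged into the destination domain.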
Managing Group Policies in Windows has typically required a bit of a juggling act, especially in large corporate environments with a complex Active Directory (AD) structure. But those days are gone, thanks to the Group Policy Management Console (GPMC), a free tool that Microsoft has made available for download at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.
Without GPMC, you have to employ a variety of different tools—such as Active Directory Users And Computers, AD Sites And Services, Access Control List Editor, the Resultant Set of Policy (RSoP) snap-in, and Delegation Wizards—to tame the many-headed beast of Group Policies in Active Directory. GPMC brings the functionality of all those tools neatly together into a single, powerful management console that enables you to manage multiple domains and forests with ease, thanks to a unified interface.
What GPMC can do
In addition to the features mentioned above, GPMC has the ability to back up and restore Group Policy objects (GPOs); import/export and copy/paste GPOs and Windows Management Instrumentation (WMI) filters; and provide HTML reporting of GPO settings and RSoP data. What’s more, most of these operations are scriptable. Using these operations, you can plan, create, test, and migrate Group Policies.
GPMC can be used to manage Windows Server 2003 and Windows 2000 domains. Of course, Active Directory must already be enabled. The GPMC console itself can be installed on a workstation running Windows Server 2003, Windows XP Professional with Service Pack 1 (plus an additional post-SP1 hot fix that is included with GPMC), and the Microsoft .NET Framework (http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&DisplayLang=en). GPMC does not, however, run under Windows 2000. Also, in terms of the license, you must have at least one copy of Windows 2003 running on your network (or have one license of Windows Server 2003 available).
Using GPMC
Let’s take a look at the unified management console (Figure A) in GPMC, which is the most important aspect of the tool.
Until now, a GPO’s strength—an orderly, categorized collection of layer upon layer of settings—was also its weakness, because there was no easy way to get a bird’s eye view of the policy settings. If this was a problem with one GPO, the problem became compounded by the number of GPOs you had to manage and keep track of.
Figure A
With GPMC, that has changed. For an overview of a GPO’s settings (called reporting), expand Group Policy Objects and select the GPO (Figure B).
In the right-hand pane, under the Settings tab, click on Show All at the top right. A summary of the GPO’s settings will be displayed as an HTML report. This report can be generated by any user with read access to the GPO. Previously, users required read and write
the domain node and select Change Domain Controller. To choose a DC for operations on sites, right-click the Sites node and click Change Domain Controller.
Microsoft warns that it is important to consider the choice of domain controller in order to avoid replication conflicts. “This is especially important to consider since GPO data resides in both Active Directory and on SYSVOL, and two independent replication mechanisms must be used to replicate GPO data to the various domain controllers in the domain. If two administrators are simultaneously editing the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by another administrator, depending on replication latency. To avoid this situation, GPMC uses the PDC emulator in each domain as the default to help ensure that all administrators are using the same domain controller. However, it may not always be desirable to use the PDC. For example, if the administrator resides in a remote site or if the majority of the users or computers targeted by the GPO are in a remote site, then the administrator may want to choose to target a domain controller at the remote location. It’s important to note that if multiple administrators manage a common GPO, it is recommended that all administrators use the same domain controller when editing a particular GPO, to avoid collisions in File Replication Services (FRS).” This comes from the Microsoft White Paper “Administering Group Policy with the GPMC” (http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx).
Creating GPOs
There are various ways you can create GPOs using the GPMC:
• Right-click any domain or Organizational Unit (OU) and choose Create and Link. You can then simultaneously create a new GPO and link it to the domain or OU.
• Right-click Group Policy Objects and click New to create a new unlinked GPO.
• Use a script, like the sample script called CreateGPO.wsf, included in GPMC.
• Copy the GPOs.
Once you have created the GPOs, you have to define settings. To do so (as you did up to now using the Group Policy snap-in, Group Policy Editor, or GPedit), merely right-click a GPO and choose Edit.
Applying a GPO (referred to as “scoping the GPO”) to users and computers by linking it to a site, domain, or OU is easy using GPMC.
AUTHOR’S NOTE: GPOs can be applied to sites, domains, and OUs. These GPO targets have often been referred to as SDOU, but the preferred term now is Scope of Management, or SOM.
Here are the ways you can link a GPO to SOMs:
• Right-click a domain or OU node, and choose Create And Link A GPO Here.
• Right-click a site, domain, or OU node, and choose Link An Existing GPO Here.
• Drag a GPO from under the Group Policy Objects node to the OU (you can drag-and-drop only within the same domain).
If you need to specify new locations in which to place new user accounts, new computer accounts, or both, Windows Server 2003 has two new tools for the job. Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) can be found in the %windir%\system32 directory of a WS2K3 system.
GPO security filtering
GPMC simplifies security filtering for a GPO. Security filtering refers to managing permissions on a GPO. You can employ this to further help you determine which users and computers will receive the settings in a GPO. For a GPO to apply to a user or computer, that user or computer must have both Read and Apply Group Policy permissions on the GPO.
Up to now, you had to use the ACL editor to set the Read And Apply Group Policy permissions for users, computers, and groups if you wanted to change the scope of a GPO. With GPMC, all you have to do is add or remove security principals (users, computers, groups) in the security filtering section under the Scope tab for the GPO or the GPO link. The Read And Apply Group Policy permis-
Configuring wireless security in Windows Server 2003
Feb. 2, 2004
By Brien M. Posey, MCSE
Traditionally, one of the biggest problems with wireless network security is that it must be maintained individually for every client. New features in Windows Server 2003 allow you to control wireless security for Windows XP and Windows 2003 clients via group policy. Here’s how it’s done.
The Wireless Configuration Service
Windows Server 2003 is designed to interact with your wireless network. But in order to do so, it must have a functional Wi-Fi compatible NIC, and the Wireless Configuration Service must be started. The Wireless Configuration Service enables automatic configuration of Wi-Fi NICs. By default, the Wireless Configuration Service is set to start manually. To start it, click Start | Administrative Tools | Services. You’ll then see the Services console appear. Scroll the right pane and double-click the Wireless Configuration Service to open the Wireless Configuration Properties sheet that’s shown in Figure A. Set the Startup type to Automatic and click the Start button to start the service. Click OK to close the properties sheet.
Wireless security and group policies
So far, I’ve explained that there is a Wireless Configuration Service that allows wireless connections to be automatically configured. What you might not know is that you can actually design a group policy that dictates wireless configuration. Aside from easing the administrative burden, you might want to also look at automatically configuring wireless connections for security reasons.
For example, suppose that your Finance department and your Sales department both had wireless networks. You would probably want to prevent anyone from Sales from using the access point in Finance, and vice versa. This could be easily implemented through group policies.
Figure A
Figure B
The next section of the Network Properties tab, shown in Figure C, contains three check boxes used to reflect the access point’s WEP configuration. By default, the options Data Encryption (WEP Enabled) and This Key Is Provided Automatically are selected. Keep in mind, though, that these are not always the most appropriate choices. There are still a lot of wireless networks that use shared keys that are not automatically provided. In such a case, you would deselect the Key Is Provided Automatically check box, and select the Network Authentication (Shared Mode) check box.
The final element of the Network Properties tab is the This Is A Computer-To-Computer (Ad Hoc) Network check box. Most of the time you would not select this check box. You’d use this option only if you were actually trying to configure an ad hoc network as a preferred network.
Once you have filled in the Network Properties tab, you need to fill in the IEEE 802.1X tab. This tab allows you to specify all of the parameters that are associated with 802.1X network access control.
The first element on the IEEE 802.1X tab is the Enable Network Access Control Using IEEE 802.1X check box. This check box is selected by default, as shown in Figure D. If you deselect this check box, all other options on the tab are disabled. Deselecting this check box tells Windows that rather than using 802.1X authentication, you’ll use some other authentication method, such as smart cards, certificates, or passwords.
The next field that you must complete is the EAPOL-Start message. The options in the corresponding drop-down list allow you to control the EAPOL-Start message’s transmission behavior. Your choices are Transmit, Do Not Transmit, and Transmit Per 802.1X. The Transmit option is selected by default.
Next on the IEEE 802.1X tab is the Parameters (Seconds) section. This section allows you to configure the parameters that are used with the EAPOL start message (assuming that EAPOL start messages are being transmitted).
The first field in the Parameters section is the Max Start field. This field allows you to enter the maximum number of start messages that will be generated by a client. Normally, a client will transmit an EAPOL start message and will wait for a response. If no response is received, the client will transmit additional start messages. This parameter defines the maximum number of start messages that a client is allowed to transmit when attempting to connect to the designated network.
Figure C: The Network Properties tab allows you to designate the SSID and WEP settings for the preferred access point.
Figure D: The IEEE 802.1X tab allows you to configure 802.1X authentication.
This list allows you to control how computer authentication works with user authentication. The default option is With User Re-authentication. This means that any time the user is not logged on, authentication is performed using the computer’s credentials. However, when a user logs on, the user’s credentials are used for authentication. When the user logs off, the system goes back to using computer credentials.
Another option is With User Authentication. When this option is used, computer credentials are used until a user logs on. The computer credentials stay in effect unless the user moves to a different access point. At that point the user credentials take over. The only other option is Computer Only. This option means that the user’s credentials are never taken into account and the computer’s credentials are used for authentication.
When you have finally finished filling in the New Preferred Setting Properties sheet, click OK. The network is now added to the Preferred Network tab found on the New Wireless Network Policy Properties sheet, as shown in Figure F. Click OK to create the new wireless policy.
Figure F: The preferred network is added to the list.
The Wireless Monitor
Another handy new tool included in Windows Server 2003 is the Wireless Monitor. The Wireless Monitor allows you to keep tabs on all of the wireless network connections available near your server. In order to use the Wireless Monitor, your server must have a functional wireless NIC and also must be running the Wireless Configuration Service.
To access the Wireless Monitor, enter the MMC command at the Run prompt. When you do, Windows will open an empty Microsoft Management Console. When the console opens, select the Add/Remove Snap-in command from the console’s File menu. When you do, you’ll see the Add/Remove Snap-in properties sheet appear. Click the Add button found on the properties sheet’s Stand-alone tab to see a list of all of the available snap-ins. Select Wireless Monitor from the list and click Add, Close, and OK. The Wireless Monitor is now loaded within the console.
Now that the console is loaded, navigate through the console tree to Console Root | Wireless Monitor | Your Server Name. When you expand the container with the same name as your server, there will be about a ten-second delay, and then two additional containers will appear: Access Point Information and Wireless Client Information.
If you select the Access Point Information container, you’ll see information related to any wireless access points that the server can see.
Figure G: The Access Point Information container gives you information about any access points that the server can see.
Microsoft made several changes to Internet Information Services (IIS) 6.0 to improve security, not the least of which was a complete architectural overhaul. This change, combined with others in IIS function and management, makes IIS 6.0 a more secure platform than previous versions. Many of the methods for securing IIS 6.0 are the same as in previous versions, but there are several new methods you can use to secure the server in general and specific sites in particular. Here are the most common methods you can use to secure IIS 6.0.
General server security
There are common threads for securing servers, regardless of the services they are running. Physical security, for example, is often overlooked, particularly by smaller companies. All of your servers should be in a locked room with limited access and proper site preparation for cooling, fire prevention, and power management. You should never leave a server logged on and unattended. You should always log off, but at the very least, press [Ctrl][Alt][Del] and lock the server. You should also use a limited logon account whenever possible and use the Runas command to start processes in the administrator context when your limited account doesn’t provide the necessary privileges for the management task at hand. Also consider implementing a strong password policy, especially for groups with administrative privileges. Deny remote access to the server unless absolutely necessary.
It’s also imperative that you protect the file system, and the only way to ensure such protection is to use NTFS on all partitions on the server as well as on any partitions hosting shared volumes that the server accesses across the network. Take the time to review permissions on all volumes and folders with an eye out for potential security risks. Also remove unnecessary shares and hide shares by prefixing the share name with $ whenever possible.
Keeping the server up to date is another necessity. This means not only installing security updates and patches as they come along but also ensuring that the server includes a working virus scrubber that you update at least once a week. A perimeter scrubber that monitors all incoming traffic is a great addition to your network as the first line of defense against viruses and worms, although you
should include virus scrubbers on each server and workstation as well.
Finally, use member or stand-alone servers whenever possible to host IIS and dependent services. Keep IIS off of your domain controllers to improve DC performance but, more important, to ensure that if the server is compromised your domain security isn’t also compromised.
IIS 6.0 global security improvements
There are several changes for IIS 6.0 in Windows Server 2003 that improve server and network security. First, when you install Windows Server 2003, Setup does not install IIS by default (a significant security improvement for Windows Server overall). You can also configure group policy to prevent IIS from being installed. These two changes reduce the chance that IIS will end up on servers where it should not be, thereby reducing the network’s exposure to attack.
When you do install IIS on Windows Server 2003, Setup installs the software in a more secure state than in previous versions. For example, the server is configured by default to serve only static pages, with ASP.NET and CGI disabled. Other services and components are disabled as well, including server-side includes, Internet Data Connector, WebDAV, Internet Printing ISAPI, and Index Server ISAPI. FrontPage Server Extensions are disabled, as is the password change interface. The FTP and SMTP services are also disabled by default.
The architectural changes in IIS 6.0 also make for a more secure platform. Worker processes run in user mode and therefore can’t access privileged items in the kernel. They also run in the context of the Network Service account with relatively low privileges. Built-in ASP functions run in the context of the IUSR_machine account.
Your capability to configure application pools enables you to limit the kernel request queue size, limit CPU utilization, and apply other restrictions to help ensure that an attack, when it comes, will have its impact minimized on the server overall. To help combat buffer overflow attacks, IIS 6.0 monitors incoming requests to identify unusually large transaction requests that are indicative of an attack. You can also configure IIS 6.0 to recycle worker processes if they consume too much physical or virtual memory based on limits that you specify on a per-application-pool basis, reducing the impact of memory overflow exploits. Your capability to isolate sites and applications using multiple application pools and to configure recycling parameters for those pools helps reduce the effect of denial-of-service attacks.
IIS 6.0 includes other features and changes to reduce its susceptibility to attacks. For example, IIS 6.0 serves only those file types explicitly defined by the administrator. If a request arrives for an unregistered file type, IIS 6.0 returns a 404.3 error to the client. The server also strips out scripts embedded in incoming requests before processing those requests. Command-line tools are disabled for IIS 6.0 by default, and running executable files is allowed only to members of the Administrators group and to selected built-in accounts, preventing anonymous users from running executable files. In addition, anonymous users are denied write access to Web content by default. Script source access is protected by a new permission, which is disabled by default. All of these features help block or limit the impact of various types of Web server attacks.
Authentication options for IIS 6.0
You’ll find some changes in IIS 6.0 authentication options that also improve site and server security. For example, anonymous authentication no longer requires the Log On Locally right. In addition, sub-authentication, which enables IIS to manage passwords for anonymous accounts, is no longer enabled by default. You can, however, enable it if needed.
UNC pass-through authentication is also changed in IIS 6.0 from previous versions. UNC pass-through authentication enables IIS to access resources stored on other computers through Universal Naming Convention (UNC) paths. UNC paths and UNC pass-through authentication are commonly used to support virtual directories hosted by other computers. If you specify a user name and password for a UNC share, those credentials are used by IIS 6.0 to access the remote resource.
enabled. Also click the Identity tab and verify open the MIME Types dialog box. You’ll then
that the default security account is set to Net- see the screen shown in Figure C.
work Service. From here you can edit or remove existing
Another security-related task you will likely MIME types or create new ones. Bear in mind
need to accomplish is to configure the file types that the global MIME types are inherited at the
that IIS 6.0 will support. You do so by modify- virtual server and directory levels. Unless you
ing the MIME type definitions for the server. need to add a type globally, it’s best to add it
You can configure MIME types on a global or site basis. To configure them at the global level, open the IIS Manager console, right-click the server, and choose Properties. On the Internet Information Services tab, click MIME Types to

Figure C: Configure the file types your server supports.

only at the level where it is required. To manage MIME types for a virtual server, right-click the Web site and choose Properties. Click the HTTP Headers tab and click MIME Types to open the MIME Types dialog box, where you can accomplish the same types of tasks as at the server level. To manage MIME types at the directory level, right-click the physical or virtual directory in the IIS Manager console, choose Properties, click the HTTP Headers tab, and click MIME Types.

At this point, consider the authentication requirements for the server and/or sites. To configure UNC pass-through authentication, right-click an existing virtual directory that points to a UNC share and choose Properties. This will display the screen shown in Figure D. On the Virtual Directory tab, click Connect As to open the Network Directory Security Credentials dialog box. Here you can specify an explicit set of credentials to be used to access the remote UNC share's contents. If you want IIS to use the user's own credentials to authenticate on the remote server, choose the option Always Use The Authenticated User's Credentials When Validating Access To The Network Directory. Keep in mind that if you enable this option, anonymous users are authenticated with the server's anonymous IIS account (IUSR_machinename by default). Configure accounts and permissions as necessary on the server hosting the share. Craft your authentication scheme to provide only the bare minimum permissions necessary for each user to perform his or her specific tasks in the folder.

Figure D: You should set authentication on virtual directories.

Next, look at the authentication requirements for the Web sites or specific directories that use something other than anonymous authentication. Right-click the Web site or directory, choose Properties, and click the Directory Security tab. Then click Edit in the Authentication And Access Control group to open the Authentication Methods dialog box.
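The advice above to register a MIME type only at the level that needs it can be checked mechanically. The Python script below is an added example, not code from the original article or from Microsoft. It models a server with constructed data (the sites, files and MIME maps are all made up) rather than reading the IIS metabase, and it relies on the IIS 6 rule that a static file whose extension has no MIME mapping is refused with a 404.3 error. It reports the files each site cannot serve, the global registrations that only one site actually uses (candidates to move down to that site), and the global registrations no site uses (candidates for removal, since they widen what every site may serve).

```python
"""Audit the scope of IIS MIME-type registrations.

Added example, not code from the original article or from Microsoft. It
models the IIS 6 behaviour the article relies on: a MIME map can be set at
the server (global), Web-site and directory level, IIS 6 serves a static
file only when its extension resolves to a MIME type (otherwise it answers
404.3), and a type should be registered only at the level that needs it.
The server model below is constructed, not read from the IIS metabase.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed server-level (global) MIME map: applies to every Web site.
GLOBAL_MIME: Dict[str, str] = {
    ".htm": "text/html",
    ".html": "text/html",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
    ".bak": "application/octet-stream",
}

# Constructed per-site MIME maps (the HTTP Headers tab of each Web site).
SITE_MIME: Dict[str, Dict[str, str]] = {
    "Default Web Site": {},
    "Intranet": {".xls": "application/vnd.ms-excel"},
}

# Constructed inventory of the static files each site actually serves.
SITE_FILES: Dict[str, List[str]] = {
    "Default Web Site": ["index.htm", "logo.gif", "brochure.pdf"],
    "Intranet": ["index.htm", "logo.gif", "report.xls", "db.bak", "tool.exe"],
}


def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def effective_mime_map(site: str) -> Dict[str, str]:
    """Global map merged with the site map; the site level wins on conflict."""
    merged = dict(GLOBAL_MIME)
    merged.update(SITE_MIME.get(site, {}))
    return merged


def files_refused(site: str) -> List[str]:
    """Files IIS 6 would refuse (404.3) because no MIME type covers them."""
    mapping = effective_mime_map(site)
    return [f for f in SITE_FILES[site] if extension_of(f) not in mapping]


def audit_global_scope() -> Tuple[Dict[str, List[str]], List[str]]:
    """Find global registrations that are wider than their actual use.

    Returns (over_scoped, unused): over_scoped maps each global extension
    served by exactly one site to that site, and unused lists global
    extensions that no site serves at all.
    """
    used_by: Dict[str, Set[str]] = defaultdict(set)
    for site, files in SITE_FILES.items():
        for f in files:
            used_by[extension_of(f)].add(site)
    over_scoped: Dict[str, List[str]] = {}
    unused: List[str] = []
    for ext in sorted(GLOBAL_MIME):
        sites = sorted(used_by.get(ext, set()))
        if not sites:
            unused.append(ext)
        elif len(sites) == 1:
            over_scoped[ext] = sites
    return over_scoped, unused


if __name__ == "__main__":
    for site in SITE_FILES:
        print(f"{site}: refused (404.3) -> {files_refused(site)}")
    over, unused = audit_global_scope()
    for ext, sites in over.items():
        print(f"{ext} is global but only {sites[0]} serves it; register it there instead")
    for ext in unused:
        print(f"{ext} is global but no site serves it; remove it")
```

Run as a script it prints the report; the functions are kept separate so the same checks can be pointed at a real file inventory and MIME map exported from your own servers.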
Security 235
When Microsoft originally released Windows 2000, it included a new protocol called IPSec. The idea was that network security could be greatly increased by encrypting traffic as it flowed across the wire. Although IPSec was a good idea, the problem was that far too many administrators would enable it and never do anything to confirm that IPSec was actually encrypting traffic. This was unfortunate because Windows 2000 included a utility called IPSECMON.EXE that made it easy to check whether IPSec was working properly.

Over the years, I've grown quite fond of IPSECMON.EXE. I was really surprised to see that it doesn't exist in Windows Server 2003. Although IPSECMON.EXE is gone, Microsoft replaced it with a new tool called the IP Security Monitor Console. In creating this tool, Microsoft basically rewrote IPSECMON.EXE to make it work within an MMC console and then added support for all of the new IPSec features that exist in Windows Server 2003. In this article, I'll introduce you to this new tool and show you how to use it to verify that IPSec is working as intended.

What's new
Before you can really appreciate the IP Security Monitor Console, you need to see what its predecessor looked like. Figure A shows the IPSECMON.EXE utility that's included with Windows 2000 Server. Notice that the utility contains no menu options and only two buttons: Options and Minimize. The only thing you can do with the Options button is change the refresh rate. My point is that although IPSECMON.EXE does a decent job of counting confidential and authenticated bytes, there really isn't much more that you can do with it.

Now that you've seen what the IPSECMON.EXE utility looks like, let's take a look at the IP Security Monitor Console. As you can see in Figure B, the console looks a lot different from IPSECMON.EXE, but the differences aren't just cosmetic.

Figure B: The IP Security Monitor Console has been extended to take advantage of all of the new IPSec features.

Earlier, I mentioned that the IP Security Monitor Console had been extended to support all of IPSec's new features. There are too many new IPSec features to discuss here, but I wanted to at least take a moment and talk about some of the things that the IP Security Monitor Console does that IPSECMON.EXE didn't.

As you look at the console, one of the first things you might notice is that just below the IP Security Monitor container is a server listed by name. The reason for this is that the IP Security Monitor Console can monitor the IPSec statistics for multiple computers rather than just for the local computer, as was the case with IPSECMON.EXE.

Accessing the IP Security Configuration Console
Adding a computer
Since the IP Security Monitor allows you to monitor multiple computers, the first thing you need to know how to do is add another computer to the list of systems to be monitored. To do so, right-click the IP Security Monitor container and select the Add Computer command from the resulting shortcut menu. When you do, you'll see the Add Computer dialog box. It's important to note that the IP Security Monitor can monitor only computers running Windows Server 2003.

Monitoring a computer
After you finish adding the computers to be monitored to the list, it's time to begin the actual monitoring process. Expand the computer container and, after a brief delay, you'll see three subcontainers:

• Active Policy
• Main Mode
• Quick Mode

Active Policy
As you're no doubt aware, IPSec policies are applied as a part of a group policy. Furthermore, group policies are hierarchical in nature. Group policies can be applied at the local computer level, the site level, the domain level, and the Organizational Unit level. This means that several policies can be applied to a user or to a computer. As you might expect, it's possible for policies to contradict one another. When group policies contradict, Windows uses an algorithm to determine which group policy is in effect.

What this means is that IPSec policies can be applied at many different levels as well. If

Figure C

Main Mode
The next section is the Main Mode container. The Main Mode container's job is to display various Internet Key Exchange (IKE) statistics. (Main Mode is IKE phase 1: the peers authenticate each other and set up the IKE security association that protects the rest of the negotiation.) The Main Mode container is divided into five separate subcontainers: Generic Filters, Specific Filters, IKE Policies, Statistics, and Security Associations.

The Generic Filters container, shown in Figure D, contains a generic representation of the current IKE policy. For example, on my test machine, the generic filter is configured to use my computer as the source and any computer as the destination. The authentication method is Kerberos, and the filter applies to all connections. The policy that the filter links to is policy number 1, which is the machine's default policy.

Figure D: The Generic Filter container applies policy number 1 to all traffic coming from my computer.

The next container in the Main Mode area is the Specific Filters container. This is really just an expansion of the information found in the Generic Filters container. As you can see in Figure E, the specific filters actually list the machine's IP address rather than just saying Me as the source. Furthermore, the Specific Filters container also shows the direction of the traffic. As you can see in the figure, there are actually two filters, one to handle inbound traffic and one to handle outbound traffic.

Figure E: The Specific Filters container shows which filters apply to the machine, but in more detail than the Generic Filters container shows.

Figure F: Each IKE policy consists of one or more methods.
Figure G: The Security Associations container shows which computers are using the IKE policy to secure communications.

Earlier, I mentioned that the generic filter (as well as the specific filter) was linked to the default policy, or policy number 1. That policy is contained within the IKE Policies container. The default view simply shows the policy's number and the fact that it has four security methods associated with it. However, if you right-click the policy and select the Properties command from the resulting shortcut menu, you can see exactly what the four methods consist of, as shown in Figure F.

I want to momentarily skip over the Statistics container and look at the Security Associations container. This container, shown in Figure G, shows the peer machines that the IKE policy is being used with. Basically, this screen means that my machine (147.100.100.99) has Main Mode security associations with the machines Relevant (147.100.100.58) and Homer (147.100.100.52) under the current IKE policy. Whether the data itself is actually being encrypted is what the Quick Mode statistics, covered later, tell you.

The last Main Mode feature that I want to talk about is the Statistics container, shown in Figure H. As you can see, there are quite a few different statistics. The statistics you'll find include:

• Active Acquire: This reflects the number of queued requests to initiate IKE negotiation in an effort to establish a secure connection. Under heavy loads, it's normal for this number to be one higher than the actual number of queued requests.
• Active Receive: This is the number of IKE messages that have been received and are queued for processing.
• Acquire Failures: This reflects the total number of outbound acquire requests that have failed since the last time the IPSec service was started.
• Receive Failures: This is the total number of errors that occurred while receiving IKE messages since the last time the IPSec service was started.
• Send Failures: This is the total number of errors that have occurred while transmitting IKE messages since the last time the IPSec service was started. It is normal for this to

Figure H: The IP Security Monitor collects a number of IKE statistics.
Quick Mode
Quick Mode works just like Main Mode except that Quick Mode deals with the IPSec security associations rather than with IKE itself. (Quick Mode is IKE phase 2, where the peers negotiate the keys and the protocols, AH, ESP or both, that actually protect the data.) You might have noticed that Main Mode has a container named IKE Policies, while Quick Mode has a container named Negotiation Policies. Although the policy types are different, the actual method for viewing the policies remains the same whether you're in Main Mode or in Quick Mode.

The only real difference between Main Mode and Quick Mode (aside from the obvious) is the statistics that are displayed. You can see the Quick Mode statistics in Figure I. The statistics you'll find include:

• Active Security Associations: This is the number of currently active Quick Mode security associations.
• Offloaded Security Associations: This shows the current number of Quick Mode security associations that have been offloaded to an IPSec-capable NIC.
• Pending Key Operations: This is the number of IPSec key exchange operations that are currently in progress but have not yet completed.
• Key Additions: This is the total number of successful key additions for Quick Mode security association negotiations since the computer was last rebooted.
• Key Deletions: This is the total number of successful key deletions for Quick Mode security association negotiations since the computer was last rebooted.
• Rekeys: This is the number of successful Quick Mode rekey operations since the last reboot.
• Active Tunnels: This shows the total number of currently active IPSec tunnels.
• Bad SPI Packets: This is the number of packets that have had an incorrect SPI since the last time the computer was rebooted.
• Packets Not Decrypted: This shows the number of packets that could not be decrypted since the last reboot.
• Packets Not Authenticated: This is the total number of packets that have failed integrity verification since the last reboot.
• Packets With Replay Detection: This is the total number of packets with invalid sequence numbers since the computer was last rebooted. If this number increases steadily, it could be an indication of an attempted replay attack.
• Confidential Bytes Sent: This shows the total number of bytes sent encrypted by ESP since the last reboot.
• Confidential Bytes Received: This is the total number of bytes received encrypted by ESP since the last reboot.
• Authenticated Bytes Sent: This is the total number of transmitted bytes integrity-protected by the AH or ESP protocol. AH authenticates but does not encrypt, so authenticated bytes are not necessarily confidential bytes; if this counter grows while Confidential Bytes Sent stays flat, your policy is providing integrity but no encryption.
• Authenticated Bytes Received: This is the total number of received bytes integrity-protected by the AH or ESP protocol.
• Transport Bytes Sent: This shows the number of bytes sent using IPSec transport mode since the last reboot.
• Transport Bytes Received: This is the number of bytes received using IPSec transport mode since the last reboot.
• Bytes Sent in Tunnels: This shows the number of bytes sent in IPSec tunnels since the last reboot.
• Bytes Received in Tunnels: This is the number of bytes received in IPSec tunnels since the last reboot.
• Offloaded Bytes Sent: This is the total number of bytes transmitted using IPSec hardware offloading since the last reboot.
• Offloaded Bytes Received: This is the total number of bytes received using IPSec hardware offloading since the last reboot.
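Both statistics lists, the Main Mode IKE counters above and the Quick Mode counters just listed, are most useful as changes between two readings rather than as raw totals, because they reset when the IPSec service or the machine restarts. The Python below is an added example, not code from the original article or from Microsoft. It parses two constructed snapshots written in a simple Counter: value format (constructed for this example, not the exact output of any Microsoft tool), computes the per-counter change, and turns it into the findings these counters support: bytes authenticated but none encrypted (the integrity-only policy that looks like working IPSec until you check), rising replay-detection and integrity-failure counts, IKE negotiation failures, and an interval in which no traffic was protected at all.

```python
"""Compare two IP Security Monitor statistics snapshots and explain the change.

Added example, not code from the original article or from Microsoft. The
counter names are the ones the article lists for the Main Mode and Quick
Mode Statistics containers. The snapshot format ("Counter: value", one per
line) is constructed so the example runs offline; it is not the exact output
of any Microsoft tool. Counters reset when the IPSec service or the computer
restarts, so the analysis works on the change between snapshots.
"""
from typing import Dict, List

# Constructed snapshots, taken a few minutes apart on a host whose policy
# negotiated integrity protection only and which received replayed packets.
BEFORE = """
Acquire Failures: 0
Receive Failures: 0
Send Failures: 0
Packets Not Authenticated: 0
Packets With Replay Detection: 0
Bad SPI Packets: 0
Confidential Bytes Sent: 0
Confidential Bytes Received: 0
Authenticated Bytes Sent: 40960
Authenticated Bytes Received: 38912
"""

AFTER = """
Acquire Failures: 4
Receive Failures: 0
Send Failures: 0
Packets Not Authenticated: 0
Packets With Replay Detection: 37
Bad SPI Packets: 0
Confidential Bytes Sent: 0
Confidential Bytes Received: 0
Authenticated Bytes Sent: 1048576
Authenticated Bytes Received: 983040
"""


def parse_snapshot(text: str) -> Dict[str, int]:
    """Turn 'Counter: value' lines into a dict; blank or malformed lines are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            counters[name.strip()] = int(value.strip())
    return counters


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Change per counter. A counter that went down was reset (service restart
    or reboot), so everything counted since the reset is the change."""
    delta: Dict[str, int] = {}
    for name, new in after.items():
        old = before.get(name, 0)
        delta[name] = new if new < old else new - old
    return delta


def assess(delta: Dict[str, int]) -> List[str]:
    """Findings in 'CODE: explanation' form, derived from the article's counters."""
    findings: List[str] = []
    confidential = delta.get("Confidential Bytes Sent", 0) + delta.get("Confidential Bytes Received", 0)
    authenticated = delta.get("Authenticated Bytes Sent", 0) + delta.get("Authenticated Bytes Received", 0)
    if authenticated == 0 and confidential == 0:
        findings.append("NO-IPSEC-TRAFFIC: no bytes were protected in this interval; "
                        "check that the policy is assigned and its filters match the traffic")
    elif confidential == 0:
        findings.append("NO-CONFIDENTIALITY: bytes were authenticated but none were encrypted; "
                        "the policy is providing integrity only (for example an AH-only rule)")
    integrity = delta.get("Packets Not Authenticated", 0) + delta.get("Bad SPI Packets", 0)
    if integrity:
        findings.append(f"INTEGRITY-FAILURES: {integrity} packets failed authentication "
                        "or carried an unknown SPI")
    replay = delta.get("Packets With Replay Detection", 0)
    if replay:
        findings.append(f"REPLAY: {replay} packets arrived with invalid sequence numbers; "
                        "a steady climb suggests replayed traffic")
    ike = sum(delta.get(k, 0) for k in ("Acquire Failures", "Receive Failures", "Send Failures"))
    if ike:
        findings.append(f"IKE-FAILURES: {ike} IKE negotiation errors; peers may not agree "
                        "on a policy or authentication method")
    return findings


def finding_codes(findings: List[str]) -> List[str]:
    """Only the CODE part of each finding, convenient for alerting thresholds."""
    return [f.split(":", 1)[0] for f in findings]


if __name__ == "__main__":
    change = counter_delta(parse_snapshot(BEFORE), parse_snapshot(AFTER))
    for finding in assess(change):
        print(finding)
```

The reset handling in counter_delta matters in practice: a restart of the IPSec Services service zeroes everything, and a naive subtraction would report a large negative "improvement" instead of the traffic actually seen since the restart.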