Administrator's Guide to Windows Server 2003
Security

Best practices for securing Windows Server 2003
Oct. 20, 2003
By Brien M. Posey, MCSE

If you've ever deployed Windows NT Server or Windows 2000 Server, you probably know that Microsoft designed those products to be insecure by default. Although Microsoft has provided many security mechanisms, it's been up to you to implement them. But when Microsoft released Windows 2003 Server, the company switched philosophies. The new philosophy is that the server should be secure by default.

This is generally a good idea, but Microsoft didn't take it quite far enough. While a default Windows 2003 installation is certainly more secure than a default Windows NT or Windows 2000 installation, it is still anything but totally secure. Let's discuss some relatively easy measures that you can take to make Windows 2003 Server even more secure.

Know your role

Understanding the server's role (i.e., intended purpose) is absolutely critical to the security process. There are many roles for which a Windows Server can be configured. For example, a Windows 2003 Server can act as a domain controller, a member server, an infrastructure server, a file server, a print server, an IIS server, an IAS server, a terminal server, and the list goes on. A server can even be configured to fill a combination of roles.

The problem with this is that each server role has its own security needs. For example, if your server is going to function as an IIS server, you need to enable the IIS services. However, if the server is going to function solely as a file and print server, enabling IIS would be a huge security risk.

The reason I'm telling you this is to point out that there is no way that I can just give you a set of steps to follow and expect those steps to work in every situation. A server's security needs vary tremendously by the server's role and by the server's environment.

Because there are many ways to harden a server, I'll discuss the steps necessary for configuring a server to act as a simple, but secure, file server. I'll try to point out some things that you might do differently if the server is filling an alternate role. Just please understand that this isn't intended as a comprehensive guide to securing every type of server.

Physical security

To achieve true security, your server must be in a secure location. Normally, this means placing the server behind a locked door. Physical security is extremely important because many administrative and disaster recovery tools exist that can double as hacker tools. Anyone with such tools and a minimal skill level can hack a server in a matter of minutes once they have physical access to the machine. Your only hope of preventing such attacks is to place the server in a secure area. This is true of any Windows 2003 Server, regardless of its role.

Creating a baseline

Aside from establishing good physical security, the best advice that I can give you when deploying a series of Windows 2003 Servers is to decide on your security requirements prior to deployment and to enforce those policies immediately after deployment.

The best way to do this is to create a security baseline. A security baseline is a list of documented and accepted security settings. In most cases, your baseline settings will differ considerably depending on the server's role. So the best thing to do is to create several different baselines that you can apply to the various types of servers. For example, you might have one baseline for file servers, another for domain controllers, and still another for IAS servers.

Windows 2003 contains a tool called the Security Configuration And Analysis Tool. This tool allows you to compare a server's current security policy against a baseline security policy contained within a template file. You can either create these templates yourself or use one of the included template files.

The security templates are a series of text-based INF files stored in the %SYSTEMROOT%\Security\Templates folder. The easiest way to examine or modify the individual templates is through the Microsoft Management Console (MMC).

To open the console, enter the MMC command at the Run prompt. When the empty console loads, select the Add/Remove Snap-in command from the File menu. This will cause Windows to display the Add/Remove Snap-in properties sheet. Click the Add button found on the properties sheet's Standalone tab and you will see a list of all of the available console snap-ins. Select the Security Templates snap-in from the list and then click the Add, Close, and OK buttons.

Once the Security Templates snap-in is loaded, you can view each of the security templates. As you navigate through the console tree, you will see that each template mimics the group policy structure. The template names reflect each template's purpose. For example, the HISECDC template is a high-security domain controller template.

If you're trying to secure a file server, I recommend starting with the SECUREWS template. As you look through all of the template's settings, you will find that although the template can be used to make the server more secure than it currently is, it may not meet your needs. Certain security settings may be too strict or too relaxed. I would recommend either modifying the existing settings to meet your needs or creating a brand new policy. You can easily create a new template by right-clicking on the C:\WINDOWS\Security\Templates folder within the console and selecting the New Template command from the resulting menu.

Once you have created a security template that meets your needs, go back to the Add/Remove Snap-in properties sheet and add a snap-in called Security Configuration And Analysis. When the snap-in loads, right-click on the Security Configuration And Analysis container, then select the Open Database command from the resulting menu. Since no database currently exists, make up a name for the security database. Click Open, and the necessary database will be created using the name that you provided.

Next, right-click on the Security Configuration And Analysis container and select the Import Template command from the shortcut menu. You'll see a list of all of the available templates. Select the template that contains your security policy settings and click Open.

After the template has been imported, right-click on the Security Configuration And Analysis container once again and select the Analyze Computer Now command from the shortcut menu. Windows will prompt you for a location to write the error log. Enter a file path and click OK.

At this point, Windows will compare your server's existing security settings against those in the template file. You can see the results of the comparison by navigating through the Security Configuration And Analysis console. Each group policy setting displays both the current setting and the template setting.

Once you've had a chance to look through the list of discrepancies, it's time to enforce the security policy based on the template. To do so, right-click on the Security Configuration And Analysis container one last time and select the Configure Computer Now command from the shortcut menu. The tool will then modify your computer's security policy to match the template policy.

Group policies are hierarchical in nature. A group policy may be applied at the local computer level, the site level, the domain level, or the OU level. When you implement security based on a template, you're modifying the computer-level group policy. Other group policies aren't directly affected, although the final policy may reflect a change due to a setting in the computer policy being inherited by higher level policies.

Modifying built-in accounts

For years, Microsoft has been preaching that you need to rename the Administrator account and disable the Guest account to achieve good security. In Windows Server 2003, the Guest account is disabled by default, but renaming the Administrator account is still a good idea because it's common for
attackers to try to compromise the Administrator account.

There are a number of hacker tools that reveal the Administrator account's real name by examining the account's SID. Unfortunately, you can't change this account's SID and there is really no way of preventing such a tool from determining the Administrator account's real name. Even so, I encourage everyone to rename the Administrator account and to change the account's description for two reasons.

First, less sophisticated hackers may not know of the existence of such tools or have access to them. Second, renaming the Administrator account to a unique name makes it easy for you to monitor attacks against the account.

Another tip pertains to member servers. Member servers have their own built-in local administrative account that is completely separate from the domain Administrator account. You can configure every member server to use a different administrator account name and password. The idea is that if someone were to figure out the local administrator account name and password on one member server, you wouldn't want them to be able to use those credentials to hack your other servers too. Of course, if you have good physical security in place, no one should be able to gain access to a server to be able to use a local account.

Service accounts

Windows Server 2003 is designed in a way that minimizes the need for service accounts. Even so, some third-party applications absolutely insist on a traditional service account. If possible, always use a local account as the service account instead of using a domain account, because if someone were to gain physical access to the server, they could dump the server's LSA secrets and compromise the password. If you use a domain password, the password can be used from any computer within the forest to gain access to the domain. If a local account is used, though, the password is useless from anywhere other than the compromised machine and doesn't provide any access to the domain.

System services

There is a fundamental law of computing that states that the more code running on a system, the greater the chance that the code will contain a security vulnerability. One of the primary security strategies that you should focus on is to reduce the amount of code running on your server. Doing so reduces security risks and will also improve the server's performance.

In Windows 2000, there were a lot of services that were running by default, but were totally unnecessary in most environments. In fact, a default installation of Windows 2000 even included a fully operational IIS server. In Windows Server 2003, Microsoft turned off most of the services that aren't absolutely necessary. Even so, there are some services that are running by default, but are open to debate.

One such service is the Distributed File System (DFS) service. The DFS service was primarily designed to make a user's life easier. DFS allows an administrator to create a logical name space containing resources from multiple servers or partitions. To a user, all of these distributed resources appear to exist within a single folder.

I personally like DFS, especially because of its fault tolerance and scalability features. However, if you were to not use DFS, you would force users to know the actual path to a specific resource instead of being able to access all resources through a single path. In some environments, this may translate to better security. In my opinion, though, the rewards of DFS far outweigh the risks.

Another such service is the File Replication Service (FRS). The FRS is used to replicate data between servers. This is a mandatory service on domain controllers because it's responsible for keeping the SYSVOL folder synchronized. For member servers, however, this service isn't mandatory unless you are running DFS.

If you have a file server that isn't a domain controller and isn't using DFS, I recommend disabling the FRS. Disabling the FRS decreases an attacker's ability to replicate a malicious file across multiple servers. The FRS is enabled by default.

Another service worth taking a look at is the Print Spooler service. The Print Spooler manages all local and network print queues and controls all of the print jobs within these queues. The Print Spooler is required for all printing operations and is enabled by default.

The flip side to this is that not every server requires printing capabilities. Unless a server is acting as a print server, you should disable the Print Spooler. After all, why should a dedicated file server run the Print Spooler? Normally, no one should be sitting at the server console working, so there should be no need to print locally or from across the network.

I realize that often during disaster recovery operations, it might become necessary to print an error message or an event log. However, I recommend simply turning on the Print Spooler service when it is needed rather than leaving it on all the time for non-print servers.

Believe it or not, the Print Spooler is one of the most heavily exploited Windows components. There are countless Trojans that work by replacing the Print Spooler's executable file. The reason for such an attack is that the Print Spooler operates as a system-level service and, therefore, has a high level of privileges. So any Trojan posing as the Print Spooler can also gain these high-level privileges. To protect your server from such an attack, just prevent the Print Spooler service from running.
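The Security Configuration And Analysis walk-through under "Creating a baseline" can also be driven from the command line with secedit.exe, which ships with Windows Server 2003 and later. The script below is an added example, not code from the article or from Microsoft: it writes a constructed security template that applies this article's advice for a member file server (Administrator renamed, Guest disabled, Print Spooler and File Replication Service disabled), runs the analysis, lists the settings that differ, optionally enforces the template, and finally lists services that log on with a domain account, which the "Service accounts" section advises against. The file paths, the account name SrvAdmin, the service security descriptor, and the assumption that secedit's analysis log reports each differing setting as a "Mismatch - <setting>." line are assumptions of this example. Run it in an elevated Windows PowerShell session.

```powershell
# Added example (not from the article): secedit-based equivalent of the
# Security Configuration And Analysis walk-through. Paths, account name, SDDL
# and the log-line format parsed below are assumptions; see the lead-in.
$TemplatePath = 'C:\Baselines\fileserver.inf'
$DatabasePath = 'C:\Baselines\fileserver.sdb'
$LogPath      = 'C:\Baselines\fileserver-analysis.log'
$Enforce      = $false   # set to $true only after reviewing the mismatch list

New-Item -ItemType Directory -Path (Split-Path -Parent $TemplatePath) -Force | Out-Null

# Security templates are Unicode INF files. Only the sections the article
# discusses are set here. Service lines are ServiceName,StartupType,SDDL with
# 4 = Disabled; the descriptor (constructed) gives Administrators full control
# and lets Authenticated Users read service state.
$ServiceSddl = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
NewAdministratorName = "SrvAdmin"
EnableGuestAccount = 0
MinimumPasswordLength = 8
PasswordComplexity = 1
[Service General Setting]
Spooler,4,"$ServiceSddl"
NtFrs,4,"$ServiceSddl"
"@ | Set-Content -Path $TemplatePath -Encoding Unicode

# Analyze Computer Now: build the database from the template and compare the
# live policy against it. /overwrite discards any earlier database contents.
secedit /analyze /db $DatabasePath /cfg $TemplatePath /overwrite /log $LogPath | Out-Null

# The analysis log records each differing setting as "Mismatch - <name>."
# (assumed format). Collect the names of the mismatches.
$mismatches = @(Select-String -Path $LogPath -Pattern '^\s*Mismatch\s+-\s+(\S.*?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })

if ($mismatches.Count -eq 0) {
    Write-Host "Server already matches $TemplatePath"
} else {
    Write-Host "Settings that differ from the baseline:"
    $mismatches | ForEach-Object { Write-Host "  $_" }
    if ($Enforce) {
        # Configure Computer Now: apply the template stored in the database.
        secedit /configure /db $DatabasePath /log $LogPath | Out-Null
    }
}

# Service-accounts check: services logging on with a domain account keep a
# domain credential in the server's LSA secrets. List them so they can be
# moved to local accounts where the application allows it.
Get-WmiObject -Class Win32_Service |
    Where-Object {
        $_.StartName -match '\\' -and
        $_.StartName -notmatch '^(NT AUTHORITY|NT SERVICE)\\' -and
        $_.StartName -notmatch '^\.\\' -and
        $_.StartName -notmatch "^$env:COMPUTERNAME\\"
    } |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize
```

Run it first with $Enforce left at $false and review the list; the configure step is the equivalent of Configure Computer Now and changes the live local policy immediately, including the Administrator rename, so have the new name recorded before enabling it.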

Tips to help secure Windows Server 2003 Active Directory
Oct. 27, 2003
By Brien M. Posey, MCSE

If I were to tell you that Windows NT Server 4.0 was a lot more secure than Windows 2000 Server, you would probably think that I had lost my mind. Sometimes, though, truth is stranger than fiction. In some ways, Windows NT Server was more secure than Windows 2000 Server. However, Microsoft learned from their mistakes and implemented a Windows NT-like security structure into Windows Server 2003's Active Directory. Let's discuss these security issues and learn some tips you can use to build a secure Active Directory (AD) environment.

Physical security is job 1

When attempting to secure AD, it's critical that you implement physical security first. If anyone you wouldn't trust with the Administrator password has physical access to a domain controller or to your DNS servers, you don't have a secure AD. Many administrative and disaster recovery tools exist that can easily double as hacker tools. Given physical access to the server, it is easily possible for someone with minimal computer knowledge to hack the server in a matter of minutes. So don't even bother trying to secure AD until you've made sure that all of your servers are placed in a secure location.

Windows NT vs. Windows 2000

Don't get me wrong. In many areas, Windows 2000's security is far superior to that offered by Windows NT. However, there is a basic law of computing that states that the more complex a piece of software is, the greater the chance that it will contain a security hole or a major bug that can be exploited. As we all know, Windows 2000 is a lot more complex than Windows NT.

Perhaps the best example of simplicity and security going hand-in-hand involves the domain model implemented by each server operating system. In Windows NT, the domain was pretty much the only organizational structure that existed. A domain often contained all
of the users, groups, and computers for an entire organization. If an organization was really big, they could create multiple domains and have the domains trust each other; but each domain was an independent structure.

When Microsoft created Windows 2000, they realized that the Windows NT domain model just didn't scale well into larger organizations. So, they based the AD on a structure called a forest. A forest is basically a collection of domain trees. Within a forest, you can have many different domains and can even use parent and child domain trees. Just as was the case with Windows NT, each domain has its own Administrator. This is where the similarities end, though.

In Windows 2000, Microsoft decided they needed to make the domains more manageable. They created different levels of domain administration. For example, a member of the Domain Admins group could typically administer the current domain and any child domains beneath it. A member of the Enterprise Admins group had the ability to administer any domain within the entire forest. Herein lies the problem.

The fatal flaw in the Windows 2000 AD model is that every domain completely trusts every other domain within the forest. This causes a couple of problems. First, if security has not been applied properly, administrators can just add their accounts to the Enterprise Admins group to gain control over the entire forest. If the domain is a bit more secure, rogue administrators need only to tamper with the SID history and launch an elevation of privileges attack against the forest. By manipulating the SID history, administrators could give themselves Enterprise Admin status.

There are other inherent weaknesses in the Windows 2000 AD security model as well. As you probably know, each domain requires at least one domain controller. Likewise, each domain controller contains information relating not only to the domain but also to the forest. Such information includes AD's schema and some basic configuration.

Now, imagine you had an administrator who wasn't being intentionally malicious but who installed a malicious application or incorrectly modified an AD. If the change that the administrator made was to a forest-level AD component, the change would eventually be propagated to every domain controller in the entire forest, thus corrupting every single copy of AD and potentially crashing the entire network.

Let's compare this situation to Windows NT. Even if one domain trusts another domain, both domains include a copy of the Security Accounts Manager pertaining to their own domain only. In this way, rogue administrators can't make a change to the SAM in their domain and then use that change to corrupt other domains. Likewise, there is no all-powerful group within Windows NT that a rogue administrator could use to gain control over every domain in the entire organization.

Another nice thing about the way that Windows NT's trust relationships worked was that trust relationships could either be one-way or two-way, and they were never transitive in nature. This meant that if you had a Users domain and an Admin domain, you could either allow both domains to trust each other or you could configure the network so that the Users domain trusted the Admin domain, but not vice versa. It also meant that if Domain A trusted Domain B and Domain B trusted Domain C, then Domain A didn't trust Domain C unless you told it to.

Windows Server 2003 security

You're probably wondering what all of this has to do with Windows Server 2003. I went into the long comparison between Windows NT and Windows 2000 because in Windows Server 2003, Microsoft incorporated the best of both worlds. And so, to properly secure your Windows Server 2003 network, you need to understand the strengths and weaknesses of both security models.

The biggest AD security weakness in Windows 2000 is that all domains within a forest are linked together by a common administrative structure, the forest itself. In Windows Server 2003, the forest structure still exists and works almost identically to the way it did in Windows 2000.

What is different about the forest structure in Windows Server 2003 from that of Windows 2000 Server is that Windows Server 2003 makes it relatively easy to establish trust relationships between forests. Inter-forest trusts were possible in Windows 2000, but in Windows Server 2003 inter-forest trusts are actually useful. When a trust relationship exists between forests, an administrator can grant a user from a foreign forest access to a resource in the same manner that they would if the user existed within the local forest.

Single forest vs. multiple forests

A single forest environment is ideal for most small to medium-sized companies. Single forest environments are easy to manage. But larger companies often need each office or each department to be able to have full administrative capabilities over its own users and computers. In such environments, there is often a high degree of distrust between these various groups. In a situation like this, interconnected forests are ideal because they give each group total autonomy.

At the same time, even though the administrative burden is distributed, such a model usually has a much higher administrative burden than a single forest environment, which results in higher administrative costs to the company as a whole. My point is that, in a Windows Server 2003 AD environment, there is a trade-off between cost and security.

Inter-forest trusts

Let's discuss the specifics behind using multiple forests as a mechanism for securing your organization's AD. First, each forest has its own AD; there is no common thread of any kind tying the forests together. So, it's possible to configure each forest to use a common DNS server. Assuming that the DNS server and backup DNS server are managed by someone trustworthy, DNS server consolidation is a great way to reduce cost and lessen the administrative burden. On the flip side, sharing a common DNS server can also be a single point of failure for the network if no backup DNS server is used.

There are some prerequisites you must meet before you can establish a trust relationship between forests in Windows Server 2003. Perhaps the most difficult of these is that any forest involved in the trust must be running at Windows Server 2003 forest functional level. Windows 2000 allowed you to run AD in either mixed mode or in native mode. The functional level in Windows Server 2003 is very similar to this. Setting a forest to Windows Server 2003 forest functional level requires every domain controller within the forest to be running Windows Server 2003.

Also, to create an inter-forest trust, you must be a member of the Enterprise Admins group. You must also have your DNS server configured so that it can resolve the names of domains and servers within the forest with which you're establishing the trust relationship.

Finally, you may recall from Windows 2000 that every forest has a root domain and all other domains fall beneath the root. Windows Server 2003 can create an inter-forest trust only from the root domain, because inter-forest trusts are transitive at the domain level. This means that if you were to establish a trust between Forest A and Forest B, then every domain in Forest A will trust every domain in Forest B, and vice versa. Forest trusts are not transitive at the forest level, though.

For example, if Forest A trusts Forest B and Forest B trusts Forest C, Forest A will not trust Forest C unless you tell it to do so. As you can see, the transitive nature of inter-forest trusts makes them fairly powerful. If your forest has multiple domains, you don't want an administrator of some lower-level domain creating an inter-forest trust without your knowledge or consent. That would cause huge security problems. This is why you can create an inter-forest trust only at the forest root level.

Another interesting thing about creating trusts with Windows Server 2003 is that you don't necessarily have to create a full inter-forest trust. Suppose your business needs to establish a trust relationship with a supplier. You probably need to establish a trust relationship with only one of the supplier's domains. You probably aren't interested in the supplier's human resources or marketing domains. In such a case, you can create what's called an external trust.
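The trust rules laid out in this section and in the external-trust discussion that follows it (a forest trust is transitive across every domain of the two forests but does not chain to a third forest, an external trust links only the two named domains, and a trust is one-way unless it is created in both directions) can be checked on paper before anything is created. The script below is an added example, not code from the article: it models those rules in Windows PowerShell for a constructed set of forests, domains and trusts, and prints for each domain which domains' users it would accept logons from. The forest and domain names and the trust list are assumptions of the example.

```powershell
# Added example (not from the article): a model of the trust rules described
# in the text, applied to constructed forests and domains.

# Domain -> the forest it belongs to.
$Forests = @{
    'corp.a.example'       = 'A'
    'dev.corp.a.example'   = 'A'
    'corp.b.example'       = 'B'
    'hr.corp.b.example'    = 'B'
    'corp.c.example'       = 'C'
    'supplier.example'     = 'S'
    'mkt.supplier.example' = 'S'
}

# "Trusting" accepts users from "Trusted" (the article's one-way outgoing
# trust, seen from the trusting side). A two-way trust is two entries.
$Trusts = @(
    @{ Type = 'Forest';   Trusting = 'A'; Trusted = 'B' }
    @{ Type = 'Forest';   Trusting = 'B'; Trusted = 'A' }
    @{ Type = 'Forest';   Trusting = 'B'; Trusted = 'C' }                              # one-way only
    @{ Type = 'External'; Trusting = 'corp.a.example'; Trusted = 'supplier.example' } # nontransitive
)

function Test-CanAuthenticate {
    param([string]$UserDomain, [string]$ResourceDomain)
    if ($UserDomain -eq $ResourceDomain) { return $true }
    $userForest = $Forests[$UserDomain]
    $resForest  = $Forests[$ResourceDomain]
    # Within one forest every domain trusts every other (the Windows 2000 model).
    if ($userForest -eq $resForest) { return $true }
    foreach ($t in $Trusts) {
        # Forest trust: transitive at the domain level, so any domain of the
        # trusting forest accepts any domain of the trusted forest.
        if ($t.Type -eq 'Forest' -and $t.Trusting -eq $resForest -and $t.Trusted -eq $userForest) {
            return $true
        }
        # External trust: exactly the two named domains, nothing else.
        if ($t.Type -eq 'External' -and $t.Trusting -eq $ResourceDomain -and $t.Trusted -eq $UserDomain) {
            return $true
        }
    }
    # No entry matched: in particular, trusts never chain through a third forest.
    return $false
}

$domains = @($Forests.Keys | Sort-Object)
foreach ($resource in $domains) {
    $accepted = $domains | Where-Object { Test-CanAuthenticate -UserDomain $_ -ResourceDomain $resource }
    '{0,-22} accepts logons from: {1}' -f $resource, ($accepted -join ', ')
}
```

With this trust list, every domain in Forest B accepts users from Forest A's domains and from corp.c.example, but corp.c.example accepts nobody outside itself, Forest A's domains never accept Forest C, and only corp.a.example (not dev.corp.a.example) accepts users from supplier.example, which is exactly the behaviour the text describes for transitive forest trusts, one-way trusts and nontransitive external trusts.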

An external trust is a trust relationship between domains, similar to the trust relationships that existed in Windows NT. An external trust can be established from any domain within your forest and links to a domain in a foreign forest. Aside from being able to establish the external trust at any domain level, there are other critical differences between an external trust and an inter-forest trust.

Unlike an inter-forest trust, an external trust is completely nontransitive, which means the trust applies only to the domains that the trust is assigned to. Other domains within the two forests don't acknowledge the trust relationship.

Whether you are forming an inter-forest trust or an external trust, you have the option of creating a two-way trust, a one-way incoming trust, or a one-way outgoing trust. A two-way trust simply means that both domains trust each other. A one-way incoming trust means that users in the current domain or forest can be authenticated by the foreign domain or forest. Likewise, a one-way outgoing trust means that users in the foreign forest or domain can be authenticated by the local domain or forest.

Cross-forest authentication

Windows Server 2003 inter-forest trusts support cross-forest authentication. Suppose a user who normally logged in to Forest A made a business trip to the company hosting Forest B. With cross-forest authentication, users from Forest A could log in to Forest B just as though they were logging in to Forest A.

This might seem strange at first since neither the domain controllers nor the global catalog in Forest B would have any knowledge of a user from Forest A. When the user tries to log in, the computer checks the domain controller and then the global catalog for the user's account. Because the account is not found, the system implements a cross-forest, name-matching function. This function compares the user's credentials with those found within all recognized namespaces (forests). The comparison is made via Kerberos and NTLM, so the process is secure.

Cross-forest authorization

Another feature that's great about Windows Server 2003 is cross-forest authorization. This allows you to assign permissions to users within both the local forest and trusted forests directly through an Access Control List (ACL). This comes in handy for both granting and denying permissions.

Suppose you were an administrator for your company's research and development department and that your job was to keep all of the files on your server confidential. The forest-level administrator for your company didn't know what he was doing, and he created an inter-forest trust with a competitor. If you wanted to keep users at the competitor's firm from being able to access your data, you could give those users an explicit deny at the root level of each of the servers in your domain.

As nice as this capability sounds, though, there is a catch. You must completely type in the names of users or groups from trusted forests. Enumeration and wild cards aren't supported. This means that you can't just implement a blanket policy that says don't let anyone from that other forest access any of my data. You could, however, get the names of each of the domains belonging to the other forest and deny access to the Everyone group belonging to each of those domains.

The best of both worlds

Even though Windows 2000 is newer than Windows NT, some of the improvements actually decreased security in your organization. Windows Server 2003 gives you added flexibility to restore that security. One way to achieve effective security within an organization is to implement multiple forests and create trust relationships between them. However, this isn't a process to be taken lightly, because there are many prerequisites and the process tends to increase costs and the administrative burden.
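As an added example that is not part of the article, here is the explicit-deny approach described under "Cross-forest authorization", applied to a folder ACL with Windows PowerShell 5.1. It assumes the trusted forest's domains are supplied by NetBIOS name (the names below are constructed), that the deny is placed on each listed domain's Domain Users group (the per-domain principal chosen for this example), and that the trust already exists so the names resolve. Because a principal from a trusted forest has to be spelled out in full, the function takes the domain list explicitly instead of trying to enumerate the forest.

```powershell
# Added example (not from the article). Places an inheritable Deny ACE for the
# Domain Users group of each named trusted-forest domain on a data root, then
# reads the deny entries back. Domain names used below are constructed.
function Deny-ForeignForestAccess {
    param(
        [Parameter(Mandatory = $true)][string]$DataRoot,
        [Parameter(Mandatory = $true)][string[]]$ForeignDomains,
        [string]$Group = 'Domain Users'   # assumed per-domain principal
    )
    $acl = Get-Acl -Path $DataRoot
    # Inherit to subfolders and files so the deny covers everything beneath.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($domain in $ForeignDomains) {
        # Each domain must be named explicitly: the ACL editor cannot enumerate
        # a trusted forest, so there is one entry per domain.
        $identity = New-Object System.Security.Principal.NTAccount($domain, $Group)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $inherit,
            $propagate,
            [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $DataRoot -AclObject $acl
}

function Get-DenyEntries {
    param([Parameter(Mandatory = $true)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
}

# Usage (constructed NetBIOS names of the competitor's forest domains):
Deny-ForeignForestAccess -DataRoot 'D:\RnD' -ForeignDomains @('COMPSALES', 'COMPHR', 'COMPENG')
Get-DenyEntries -Path 'D:\RnD' | Format-Table -AutoSize
```

Deny entries are evaluated before allow entries, so these ACEs block the listed domains regardless of any allow granted elsewhere; a domain added to the competitor's forest later is not covered until it is added to the list, which is the limitation the article points out.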

Securing information with Windows Rights Management Services
April 22, 2004
By Brien M. Posey, MCSE

Most companies go to great lengths to protect data. All of your efforts to secure files basically boil down to how much you trust your employees. You have always been able to control access to files through authentication and permissions, but until now it has been impossible to control what an authorized individual does with the files once they gain access. This is where Windows Rights Management Services (RMS) comes in. RMS offers persistent security that stays with a file, no matter where that file may go.

A practical example

For example, suppose that I had some super-secret Microsoft Word document explaining how I was going to take over the world. Normally, I would grant a couple of highly trusted people access to the document and pray that they didn't pass the document on to anyone else. With Windows Rights Management, in addition to the normal permissions on the file server where I keep my secret plans, I could actually build permissions into the document saying that only certain people are allowed to access the document. That way, if one of my trusted staff members gave a copy of the document to someone else, that someone else would be unable to open the document.

Beyond passwords

As you know, for years now it has been possible to password protect Microsoft Office documents. RMS goes way beyond password protection. After all, it's way too easy for someone to pass a document along to someone else along with an e-mail message that says something like: "Here's the document that I told you about. The password to open the document is Scarab."

Speaking of e-mail messages, RMS can even be applied to an e-mail message. For example, years ago I worked for an insurance company that was having some financial problems. The president of the company sent out a confidential e-mail message to the managers telling them that 20 percent of the staff was to be laid off. Although the message was supposed to be confidential, one of the managers forwarded the e-mail to her entire staff, who in turn forwarded the message to a bunch of other people. By the end of the day, pretty much everyone in the company had seen the memo. Sure, the manager who leaked the memo was promptly fired, but the damage had already been done.

If this situation were to occur today, the president could actually integrate RMS into the e-mail message. This would prevent the message from being forwarded to anyone except for those people that he specifically designated. He could even go so far as to put a time bomb in the message so that the message would "self destruct" after a specific length of time or after being opened.

Implementing Windows Rights Management Services

Obviously, RMS is a very useful technology, but you are probably wondering how it works. There are two primary components to RMS. First, there's the RMS service itself. This is a server-level component that provides the authentication services. Second, there is the client component. Typically, the client component is embedded into an RMS-enabled application such as Microsoft Office 2003. There is also a software developer's kit that developers can use to build RMS security into custom applications.

Although RMS is designed to run on Windows Server 2003, it does not ship with Windows Server 2003. Instead, it is a downloadable add-on. You can download the RMS service from Microsoft's Windows Server 2003 Web site (http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx). The RMS setup file consists of a 2.12 MB self-extracting executable file.

200 Administrator’s Guide to Windows Server 2003


Although the RMS service is a free add-on, there are some licensing requirements that you need to be aware of before you install it. As I explained earlier, RMS rides on top of Windows Server 2003. Therefore, everyone who uses RMS either to protect data or to access protected data requires a Windows Server 2003 client access license. Additionally, each RMS user also requires an RMS Client Access License (also called an RMS User CAL). This license costs about $37 per user. As an alternative, though, you can purchase device-specific RMS client access licenses instead of user-specific licenses.
The problem with this type of licensing is that it makes it difficult to allow RMS security to be used by those outside of your company. Because of this, Microsoft also offers an RMS external connector license. The RMS External Connector license grants unlimited RMS access to anyone outside of your company. The price for an RMS External Connector License is $18,066 per RMS Server.
Although RMS does have some rather stringent license requirements, there is an upside. Up to two users may access an RMS server simultaneously (for administrative purposes) without an RMS client access license.

The prep work
Before you can install RMS, you need to do a little bit of prep work on your server. RMS is dependent on IIS, so you must verify that IIS is installed. Furthermore, IIS must be given a certificate so that it can provide secure communications.
There really isn't much documentation available on RMS. When I began working on this article, I had no idea that IIS required a certificate in order for RMS to work (although looking back it makes sense). You can actually make it all the way through the installation and configuration process without IIS having a certificate. However, when you eventually try to attach an RMS client to the server, you will get an error message telling you that Internet Explorer is set to work offline.
It took me days to figure out the real cause of the problem. What was happening was that the RMS client was passing an HTTPS request to the server. The server didn't have a certificate and therefore could not support HTTPS.
Once IIS is installed, you must install the Message Queuing service on your Windows 2003 Server. To do so, open the server's Control Panel and select the Add/Remove Programs option. When you do, you will see the Add/Remove Programs dialog box. Click on the Add/Remove Windows Components button to display a list of the various Windows components. Select the Application Server option and click the Details button. This will cause Windows to display a list of the various Application Server Components. Select the check box next to Message Queuing and click OK. Click Next and Windows will copy the necessary files. Click Finish when the file copy process completes.
One last bit of prep work that you must perform is to open the Active Directory Users And Computers console, right-click on each user's account, and select the Properties command from the resulting shortcut menu. This will reveal the user's properties sheet. Check out the General tab and make sure that the e-mail address is filled in. Even if the user doesn't actually have an e-mail address, RMS absolutely will not work unless this field is filled in for each user. In my test environment, after I had deployed RMS, I kept receiving an error message that said "An Unexpected Error Has Occurred" every time I would try to connect to the server with an RMS client. It took me a week to figure out that the problem was related to the fact that my Administrator account didn't have an e-mail address.

Installing RMS
Now that the Message Queuing Service is installed, it's time to install RMS. To do so, copy the RMS Setup file to your Windows 2003 Server and double-click on it. When you do, Windows will extract the Setup files and will display the Windows Rights Management Services Setup Wizard.
Click Next to bypass the Welcome screen, and you will see the end user license agreement. Accept the license agreement, click Next, and you will be prompted for the path to install RMS to. Enter the desired path and click

Next, followed by Install, to begin the installation process. After the necessary files are copied, click Close to complete the installation process.

Provisioning
After you have installed RMS, the next thing that you have to do is to provision it. The provisioning process creates the root certification server and configures all of the services and resources necessary for RMS to support certification. The provisioning process is done through IIS. You must select a Web site to act as the host for the provisioning process. Using the server's default Web site is fine because RMS simply borrows the site. After the provisioning process is complete, RMS no longer needs IIS.
To begin the provisioning process, click the Start button and then select the All Programs\Windows RMS\Windows RMS Administration command. When you do, you will see a screen similar to the one shown in Figure A. Now, click the Provision RMS On This Web Site link next to the Default Web Site option. When you do, you will see the screen shown in Figure B. As you can see in the figure, you are asked whether you want RMS to use a local database or a remote database. Just enter the name of a SQL server in your organization that can be used to store RMS data.

Figure A
You must use a Web interface to provision RMS.

Figure B
You must supply the name of a database server and the name for an RMS service account.

Next, you will be asked to specify the RMS service account. The RMS Service account must be a different account than the one that was used to install RMS. If RMS will be running only on a single server, you can use the local system account. However, the local system account has access to practically everything on the server, so there are some serious security implications to using the local system account in a production environment.
After entering the service account credentials, scroll down and you will see the fields shown in Figure C. The first thing that you must enter on this portion of the screen is the URL used by the root certification cluster. By default, http://servername/_WMCS will be used.
Next, you must enter a password that will be used to encrypt the RMS private key in the database. After entering the encryption password, enter the server licensor certificate name. By default, this is the same as the server name. You also have the option of listing an administrative contact.
If your network uses a proxy server, then you will have to enter the proxy server's URL and the IP address range for the local address table.
The final portion of the provisioning screen allows you to enter the name of a file that

contains a public key that can be used to sign the revocation list. This is useful in disaster recovery situations. After you finish filling in all of the various fields, click Submit and then go get yourself a cold drink because the provisioning process takes a while to complete.

Figure C
You must enter a cluster URL, private key protection enrollment, and some RMS proxy settings.

When the provisioning process completes, you must specify the RMS service connection point. To do so, go to http://servername/_wmcs/admin/default.aspx. Now, scroll to the bottom of the page and click the link that says RMS Service Connection Point. When you do, you will see a screen that allows you to set the RMS connection point by simply clicking the Update button.

Installing the client component
Before you will be able to use RMS to restrict access to anything, including Microsoft Office documents, you must install the client component onto your workstations. To do so, you will need to download the RMS client from Microsoft's Windows Rights Management Client Web site (http://www.microsoft.com/downloads/details.aspx?familyid=3115A374-116D-4A6F-BEB2-D6EB6FA66EEC&displaylang=en). The download consists of a 3.59 MB self-extracting executable file. Microsoft Office 2003 also contains an option for downloading the latest RMS automatically from within Office.
After downloading the RMS client, copy it to the workstation (or access it through a network drive) and double-click on it. When you do, Windows will extract the files from the setup files in the RMS client file and will launch the Setup wizard. When the Setup wizard begins, click Next to bypass the welcome screen. You will then see the Windows Rights Management Client Privacy Statement. This is basically just a statement indicating that the RMS client does not try to personally identify you to Microsoft or keep information about your system on file for an extended period of time. Click Next and you will be asked to accept the end user license agreement. After accepting the license agreement the installer will copy the necessary files to the workstation. Click Close to complete the installation.

Figure D
Enter the e-mail addresses of the users who are allowed to read or make changes to the document.

Once you have installed the client component, you can test it by opening Microsoft Word 2003. Select the Permissions | Restrict Permission As command from Word's File menu. When you do, Word will take a minute or two to negotiate a connection with your RMS server. After the negotiation process completes, you may see a screen asking you if you want to create the RMS permissions by using a .NET Passport account or a Microsoft Windows account. If you see this screen, it means that RMS didn't validate the user's credentials somewhere and you need to go back and figure out what went wrong.
What you should see instead is a screen asking you which user account you want to use in

order to create or open restricted content. Select your account and click OK. At this point, you will see the screen shown in Figure D. This screen allows you to enter the e-mail addresses of users who are allowed to read or make changes to the document.
If you would prefer to have some slightly more advanced configuration options, then click the More Options button and you will see the screen shown in Figure E. As you can see in the figure, this Permission dialog box allows you to set an expiration date for the document. After the expiration date, the document "self destructs." You can also control whether specified users are allowed to print or copy the document's content or access it programmatically. You can even allow users to browse a document with previous versions of Office and to request additional permissions to a document.

Figure E
The Permission dialog box gives you greater control over a document's permissions.

Trust, but verify
Although you may go to great lengths to protect the documents on your network, it's too easy for an employee with authorized access to a document to copy the document and pass it on to someone outside of the company. RMS will prevent this type of information disclosure by limiting who can open the document, even if the file itself leaves your network.

Run Microsoft Baseline Security Analyzer 1.2 from the command line
July 6, 2004
By Scott Lowe, MCSE

With the release of version 1.2 of the Microsoft Baseline Security Analyzer (MBSA 1.2), Microsoft has vastly improved this already excellent proactive security tool and turned it into a much more full-featured utility. The MBSA includes a powerful graphical user interface that provides administrators with a way to interactively scan the local and remote servers and desktop machines. From the reports generated, administrators can take appropriate action to address potential security problems, such as installing required patches, enabling automatic updates, or turning on the Windows XP firewall.

Scripted scans
One area that the GUI does not address is the ability to script a scanning session. Most administrators work normal business hours, which are times that heavy scans are usually avoided because of their potential impact on the network, servers, and desktop computers. For this reason, the MBSA includes a command-line utility that performs the same functions as its GUI counterpart and can be included in nightly/weekly/monthly routines to scan for vulnerabilities. From this scan, a report is generated from which an administrator can take proactive steps to protect the infrastructure.

The executables
MBSA includes two executables: mbsa.exe and mbsacli.exe. The mbsa.exe executable powers the GUI side of the utility, while, as you might expect, the mbsacli.exe executable is the command-line side. By default, both of these executables are stored in C:\Program Files\Microsoft Baseline Security Analyzer. Please note that if you have the GUI MBSA utility open, the command-line version will not run.
By default, the results of a scan are stored in the C:\Documents and Settings\user name\SecurityScans folder and have names similar to "WORKGROUP - W2K3 (5-20-2004 5-35 PM)," where the workgroup/domain is listed along with the system name and the date and time of the scan. This is true for both the GUI and the command line, but you don't usually have to know this for the GUI, since the program handles the report display.

Using the command line
There are two ways to run the command-line version of MBSA. The first syntax actually performs scans, and the second one provides a listing of results from the most recent scan. So, it's a two-pass process.

Running a basic local scan
Mbsacli.exe doesn't actually require any parameters. If you omit them, the local computer is simply scanned, assuming that you have administrative rights with the current logon. The results of a local scan from the command line should look something like Listing A.

Listing A
Computer Name, IP Address, Assessment, Report Name
---------------------------------------------------------------------------------
WORKGROUP\W2K3, 192.168.1.103, Severe Risk, WORKGROUP - W2K3 (6-1-2004 6-21 PM)

Viewing the results of the basic scan
As with the GUI version, the command-line version of MBSA produces very detailed results to help you pinpoint and address potential security weaknesses in your network. I like the fact that it doesn't just assume you want things "fixed." Instead, it provides information so you can make a decision about what to address or ignore. To get the results, type the following, substituting the appropriate report name:

mbsacli /ld "WORKGROUP - W2K3 (6-1-2004 6-21 PM)"

When reports are generated using a command-line scan, they can also be viewed with the GUI at your leisure. Both the GUI and the command line store their files in the same location, so each utility can use the scan results generated from the other utility. Figure A displays the local scan showing up as an entry in the GUI's Pick A Security Report To View option. Figure B shows the first page of that scan.

Figure A
The recent scan also shows up in the GUI.

Figure B
This is the first page of the scan.

Personally, I like to be able to script this kind of stuff and view the results with a GUI. The command-line viewing option works, but it's more difficult to interpret.

Full syntax
As I mentioned, there are two syntaxes for mbsacli.exe, depending on whether you want to just run a scan or view the results of a previously run scan. Here's the full syntax of the mbsacli command:

mbsacli [/c|/i|/r|/d domain] [/n option] [/o file] [/f file] [/qp] [/qe] [/qr]

Switches you can use include:
• /c domain\computer—Scan the computer named in domain\computer.
• /i IP_addr—Scan the computer identified by the IP address provided.
• /r "IP_addr-IP_addr"—Scan the computers in the range of IP addresses provided.
• /d domain—Scan all computers in the target domain.
• /n option—By default, MBSA performs all scans against the targets. Use /n to remove specific scans. Valid options are OS, SQL, IIS, Updates, Password. To omit more than one scan, separate the /n options with a + (plus sign).
• /o file—Specify the name of the file to which to write the results. A default name is presented above with the syntax "%D% - %C% (%T%)", where %D% is the domain or workgroup name, %C% is the name of the computer, and %T% is the date and time of the scan.
• /f file—Write console output to the file specified.
• /qp—Don't display the progress of the current scan.
• /qe—Don't display errors present in the current scan.
• /qr—Don't display the list of reports.
• /s 1—Suppress security notes.
• /s 2—Suppress security notes and warnings.
• /nvc—By default, MBSA always checks for a new version of itself when it runs. Use /nvc to skip this check.
• /baseline—Check only for baseline security updates rather than all updates (default in GUI).
• /nosum—Do not verify checksums for security updates. Use only if you need different language versions of patches and

need to rename them for a language supported by MBSA (default in GUI).
• /sus [susserver | susfilename]—Get a list of approved updates from a SUS server. This option requires the URL of the SUS server and will look for a file named approveditems.txt.
• /hf—Run in hfnetchk mode. Use "mbsacli -hf /?" for details. This mode allows you to use the extremely granular scanning and reporting functionality that was present in the command-line hfnetchk utility. Note that, unlike straight-up mbsacli, this does not produce XML output.

The report syntax and switches slightly vary. The report syntax is:

mbsacli [/e] [/l] [/ls] [/lr file] [/ld file] [/unicode] [/hf] [/?]

Switches include:
• /e—Show the errors from the most recently run scan.
• /l—Show a list of all reports that are available for viewing.
• /ls—List the reports available from the most recent scan. Remember that a report is generated for each system in a scan.
• /lr file—Display the overview of the report named by file.
• /ld file—Display the complete details of the report named by file.
• /Unicode—Output Unicode only.
• /v—Display the reason codes for security updates.
• /hf—Run in hfnetchk mode. Use "mbsacli -hf /?" for details. This mode allows you to use the extremely granular scanning and reporting functionality that was present in the command-line hfnetchk utility. Note that, unlike straight-up mbsacli, this does not produce XML output.

More flexibility from the command line
Note that MBSA can scan up to 10,000 machines simultaneously. If you need to scan more, you'll have to perform multiple scans. Scanning by IP address is limited to 256 machines. If you want to scan off-hours or run scans regularly and view the results at your leisure, mbsacli.exe is invaluable and is especially useful when combined with the reporting functions of the GUI version of MBSA.
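An added example, not from the article or from Microsoft: a Python script for the two-pass routine described above. It builds the scan command from the switches listed, parses the per-computer summary lines mbsacli prints (the Listing A format) and produces the mbsacli /ld commands for the reports worth reading. The sample summary is constructed; "Severe Risk" comes from Listing A, while the other assessment strings, the NEEDS_ATTENTION set and the mbsacli_dir parameter are assumptions for this example.

```python
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Options the article lists as valid for /n (scans to leave out).
VALID_SKIPS = ("OS", "SQL", "IIS", "Updates", "Password")

# Assessments that should trigger a detailed /ld report. "Severe Risk" is the
# value shown in Listing A; "Potential Risk" is an assumed value for this example.
NEEDS_ATTENTION = {"Severe Risk", "Potential Risk"}

# Constructed sample of the summary mbsacli prints, modelled on Listing A.
SAMPLE_OUTPUT = """\
Computer Name, IP Address, Assessment, Report Name
---------------------------------------------------------------------------------
WORKGROUP\\W2K3, 192.168.1.103, Severe Risk, WORKGROUP - W2K3 (6-1-2004 6-21 PM)
WORKGROUP\\XP1, 192.168.1.110, Potential Risk, WORKGROUP - XP1 (6-1-2004 6-23 PM)
WORKGROUP\\FILE2, 192.168.1.120, Strong Security, WORKGROUP - FILE2 (6-1-2004 6-24 PM)
"""


@dataclass
class ScanResult:
    computer: str
    ip: str
    assessment: str
    report: str


def scan_command(domain: Optional[str] = None, computer: Optional[str] = None,
                 ip_range: Optional[str] = None, skip: Sequence[str] = (),
                 quiet: bool = True) -> List[str]:
    """First pass: build the mbsacli scan command. mbsacli takes one target
    (/d, /c or /r); with none it scans the local computer."""
    targets = [t for t in (domain, computer, ip_range) if t]
    if len(targets) > 1:
        raise ValueError("give only one of domain, computer or ip_range")
    unknown = [s for s in skip if s not in VALID_SKIPS]
    if unknown:
        raise ValueError(f"unknown /n option(s): {unknown}")
    cmd = ["mbsacli"]
    if domain:
        cmd += ["/d", domain]
    elif computer:
        cmd += ["/c", computer]
    elif ip_range:
        cmd += ["/r", ip_range]
    if skip:
        cmd += ["/n", "+".join(skip)]   # several omitted scans are joined with +
    if quiet:
        cmd += ["/qp", "/nvc"]          # no progress display, no version check
    return cmd


def parse_summary(text: str) -> List[ScanResult]:
    """Parse the per-computer summary lines (Listing A format). The header and
    the dashed rule are skipped, as is any line that does not have four fields."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Computer Name") or set(line) <= set("-"):
            continue
        fields = [f.strip() for f in line.split(",", 3)]
        if len(fields) == 4:
            results.append(ScanResult(*fields))
    return results


def detail_commands(results: Sequence[ScanResult]) -> List[List[str]]:
    """Second pass: an mbsacli /ld command for every report that needs a look."""
    return [["mbsacli", "/ld", r.report] for r in results
            if r.assessment in NEEDS_ATTENTION]


def nightly(mbsacli_dir: str, **scan_kwargs) -> List[List[str]]:
    """Run the scan from the MBSA install folder, parse its summary and return
    the follow-up commands. Only works where mbsacli.exe is installed."""
    out = subprocess.run(scan_command(**scan_kwargs), cwd=mbsacli_dir,
                         capture_output=True, text=True, check=True).stdout
    return detail_commands(parse_summary(out))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample output.
    for cmd in detail_commands(parse_summary(SAMPLE_OUTPUT)):
        print(subprocess.list2cmdline(cmd))
```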


Check Group Policy assignment with RSoP
March 24, 2004
By Jim Boyce

It's a good bet you're familiar with group policy, which enables administrators to assert change control and set a broad range of settings for the operating system, desktop and working environment, network, and much more for servers and workstations. You might also know that group policy can be applied at different levels, which opens the possibility for a policy at one level to override the policy set at another level. So, determining the resultant set of policy (RSoP) can sometimes be difficult. At best, it can be confusing. To help administrators get a handle on group policy, Microsoft introduced the Resultant Set of Policy MMC snap-in. Here's what the RSoP snap-in does and how you can use it to get a handle on your own policies.

How Group Policies are applied
Understanding how RSoP works requires that you first understand how group policy is applied and the factors that affect policy application. Group policy can be applied at the site, domain, domain controller, organizational unit (OU), and local levels. Whether a particular policy is effective depends on the level at which it is applied and whether the same policy is set differently at a level with higher precedence. Group policy is applied in the following order of precedence:
• OU policy
• Domain controller policy
• Domain policy
• Site policy
• Local policy
In addition, you can set the No Override attribute for a group policy object (GPO). When No Override is enabled, other GPOs that set corresponding policies cannot override the ones set in the protected GPO. For example, assume you set a policy at the OU level, which gets applied first, and set the policy differently in a GPO that is assigned at the domain level. At this point, the domain policy will overwrite the OU policy. However, you enable the No Override attribute for the OU-based GPO. Now, even though the domain GPO would be applied after the OU policy and therefore take precedence, the No Override attribute on the OU GPO prevents its settings from being overwritten.
One other factor that determines whether the settings in a given GPO become effective is the permissions set on the GPO. For example, if you remove the Read Or Apply Group Policy permissions for a given security group, the GPO's policies will not be set for users in that target group.

What's the RSoP snap-in?
The RSoP snap-in enables you to query current or planned policies and view the results of that query, which is the resultant set of policies, for a specified target user and computer. In addition to group policies, RSoP includes administratively assigned settings including those from administrative templates, folder redirection, Internet Explorer maintenance, security settings, scripts, and software installation policies. By including these objects, RSoP provides a complete view of the environment resulting from all of these settings.
The RSoP snap-in operates in one of two modes: Logging Mode or Planning Mode. In Logging Mode, the RSoP snap-in queries policies and displays the resulting policy set for a given user and computer. Logging Mode therefore enables you to review the policy settings that are applied for the target user/computer. Logging Mode can be a valuable and effective tool for troubleshooting policy application problems and determining how security groups affect policy settings.
Planning Mode enables you to explore different policy scenarios. In Planning Mode you specify several items of information about the desired target including container or user, computer, site, security group membership, and other factors to determine the resultant set of policy based on those selections. Planning Mode offers an excellent means for determining the

results of planned policy deployment and testing the deployment before actually rolling it out.
The RSoP snap-in is available with Windows XP as well as Windows Server 2003. You don't need to run the snap-in on a domain controller to gather information about a user or computer from the Active Directory in Planning Mode. Instead, you can run it from a Windows XP workstation.
Both RSoP modes are useful in different scenarios. I'll explore both, beginning with Planning Mode. All examples assume you are running the RSoP snap-in on Windows Server 2003, but it's very similar on Windows XP.

Using RSoP in Logging Mode
If you'll be querying policies from a remote computer, you must first log on as a member of the Domain Admins or Enterprise Admins security groups, or you must have been delegated Generate Resultant Set of Policy (logging) rights. (I cover delegation later in this article.) For local querying and logging, any user can run a Logging Mode query on the local computer.
To begin using RSoP, you need to open the RSoP snap-in. Choose Start, Run, and enter MMC. When the MMC opens, choose File, Add/Remove Snap-In. On the Standalone tab, click Add to open the Add Standalone Snap-In dialog box. Scroll down, choose Resultant Set Of Policy, click Add, and then click Close. Click OK on the Standalone tab to close it and return to the MMC.
The RSoP snap-in at first doesn't look like much (Figure A) because you haven't queried for any policies yet. To query policy, you need to run the Resultant Set Of Policy Wizard. Right-click the Resultant Set Of Policy branch in the left pane and choose Generate RSoP Data to start the wizard. Click Next to get past the obligatory splash screen and then choose Logging Mode. When you click Next, the wizard prompts you to select the computer to use as the target (Figure B). You can choose the local computer, specify the remote computer name, or click Browse to look for the computer in the Active Directory.

Figure A
The RSoP MMC starts off empty.

Figure B
Select the computer to examine.

The option at the bottom of the Computer Selection dialog box lets you exclude computer settings from the query. This is handy when you want to focus solely on user policies, such as when you suspect a user setting is causing the problem at hand. Using this option excludes half of the possibilities and simplifies the resulting policy set.
Next, the wizard prompts you to specify whether to use the current user (the one under which you are logged on) or to select a specific user (Figure C). What the user list displays in the wizard depends on how you are logged on. If you are logged on with a regular local account, you'll see only that account. If you log on as the local administrator, you'll see the local administrator account and all other local accounts that have been used to log on at least once (accounts that have never logged on do not appear). It's necessary to log on with a domain user account prior to running RSoP if

you want to view the policies for that domain account. Logging on with the domain administrator account lets you choose that domain administrator account or any local accounts that have been used previously to log on.

Figure C
Select what user to check policy on.

You can also select an option here to exclude the user settings and show only the computer settings. Again, this option is handy when you want to focus solely on computer settings and simplify the resulting query. The Summary dialog box that appears when you click Next shows the settings you have selected.
After the wizard finishes the query, the RSoP snap-in will probably look a little more familiar to you (Figure D), particularly if you have worked with the Group Policy Editor. The left pane provides a hierarchical tree of settings. When you click a branch in the left pane, the policies under that branch appear in the right pane. The columns in the right pane are essentially the same as in the Group Policy Editor, but with the addition of a Source GPO column that indicates the source for the policy setting. You can double-click a policy to open a dialog box that shows more information about the policy, including its value (Figure E) and precedence (Figure F).

Figure D
Here's a completed RSoP MMC.

At this point you can browse through the policies as needed. If you need to view policies for a different computer or user, you can either clear the current query and reissue it, or open another instance of the snap-in focused on the desired target. To clear the query and start a new one, right-click the upper-most branch of the policy target in the left pane and choose Change Query to start the Resultant Set Of Policy Wizard. Follow the steps in the wizard to specify the information for the new query, just as you did for the old one.
Opening a new instance of the RSoP snap-in rather than clearing the existing query is useful when you need to compare settings between policy targets. Just add the snap-in as you did for the first one, then right-click the new instance in the left pane and choose Generate RSoP Data.

Using RSoP in Planning Mode
As I mentioned at the beginning of this article, Planning Mode enables you to explore different policy scenarios. Essentially, Planning Mode lets you play "What if?" with policies and can be extremely useful for the following tasks:
• Simulating the effects of policy changes at various levels
• Viewing policies of new user accounts in the Active Directory
• Testing policy precedence when the computer and user are in different security groups or different OUs
• Determining the effects of moving a computer to a new location

• Simulating a slow network connection
• Simulating a policy loopback scenario

Figure E
You can view the value of a policy.

Figure F
You can also view the group policy precedence.

I'll cover these in a moment. For now, let's get into Planning Mode. Start by adding the RSoP snap-in to an MMC console. After you've added the snap-in, right-click the Resultant Set of Policy branch of the snap-in in the left pane and choose Generate RSoP Data to start the Resultant Set Of Policy Wizard. In the wizard, choose Planning Mode when prompted to choose the mode and then click Next. The wizard displays the User And Computer Selection page shown in Figure G. Here you choose either a user or a container in the AD. You also specify the container for the computer or choose a specific computer.

Figure G
Choose the container here.

On the Advanced Simulation Options page (Figure H) you can specify some additional options to test certain scenarios. For example, choose the Slow Network Connection option if you want to test the effect of a slow network connection on the application of group policy. Why do that? A slow network connection can affect policy application, causing some policies not to be applied. Choosing the option to simulate a slow network connection causes the RSoP console to slow the data transfer, enabling you to see the effects on the resultant set of policies.
The Loopback Processing option lets you simulate the effect of configuring the User Group Policy Loopback Processing Mode policy for a GPO. Loopback provides a mechanism by which you can control the way group policies are applied. This policy offers two values when set to Enabled: Replace or Merge.

Security 213
When Replace is selected, the group policy object list for the user is replaced entirely by the list already obtained for the computer at startup. When set to Merge, the group policy list is a concatenation of the computer list obtained at startup and the user list obtained after logon. Setting this option in the RSoP snap-in in Planning Mode has the same effect as setting the User Group Policy Loopback Processing Mode policy for the target GPO.

Figure H. You can select additional options for the RSoP console.

The Advanced Simulation Options page also allows you to choose a site for the scenario. Site selection here enables you to analyze the effect of settings based on startup or logon on a subnet other than the one from which you are running the query. In the Alternate Active Directory Paths page that follows in the wizard (Figure I), you specify the location in which the target policy is intended to be applied.

Figure I. Choose a site for your test scenario.

In the next two pages of the wizard you have the capability to specify the security groups in which the user and the computer reside. Figure J shows the User Security Groups page (the Computer Security Groups page is similar). You can add and remove groups to simulate the effect of actually changing group membership for the target. However, you’re changing only the simulated group membership, not the actual group membership. In this way you can test the effects of membership changes before you actually make those changes.

The next two pages of the wizard prompt you to specify how WMI filters for the GPO are to be handled. WMI filters enable you to filter the application of group policy based on criteria such as hardware configuration. With these two pages you can specify that all WMI filters be applied or only selected filters be applied for the user and/or computer. The final page of the wizard displays a summary of your selections and allows you to choose the domain controller on which to process the simulation.

As with Logging Mode, Planning Mode generates a policy set that you can navigate and view. Policies that have a setting other than Not Defined have a red circle and X icon. This helps you quickly identify policies that have been set.

Viewing error information

Unless you direct it not to do so, the RSoP snap-in collects extended error information as it performs the query. You can view this error information to determine if any problems occurred during the query. The availability of these error messages can help you not only identify problems with the RSoP snap-in but also identify network or Active Directory


problems that are interfering with policy application.

To view the error information, right-click the Computer Configuration or User Configuration branch after the query is complete and choose Properties. Click the Error Information tab, which lists each group policy component that RSoP used to generate the policy report. The list indicates the success or failure for each component. Click on a component to view specific error information for that component.

Figure J. You can simulate the effects on different groups.

Delegating RSoP

As I hinted at earlier in this article, you can delegate permission to generate RSoP queries to help distribute administrative workload. A user who has been delegated the necessary permission can perform queries in either Logging Mode or Planning Mode (as you designate) without having to log on as or be a member of the Domain Admins or Enterprise Admins groups.

To delegate RSoP, open the Active Directory Users And Computers console. Right-click the OU and choose Delegate Control to start the Delegation Of Control Wizard. Click Next, add the user or group to which you want to delegate, and click Next. In the Tasks To Delegate page (Figure K), place a check beside Generate Resultant Set of Policy (Logging) and/or Generate Resultant Set of Policy (Planning) and then click Next. Click Finish to apply the delegation.

Figure K. Using the Delegation Of Control Wizard, you can allow other users to run the RSoP MMC.
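The Logging Mode query, the per-component Error Information tab, and the slow-link and security-filtering effects discussed above all surface in the XML form of an RSoP report, which is the form worth scripting against when you have to triage many machines. The following PowerShell is an added example, not part of the original article: it uses the GroupPolicy module’s Get-GPResultantSetOfPolicy cmdlet (which shipped with later Windows versions, not with the Windows Server 2003-era snap-in) to produce such a report, then parses it to list which GPOs applied, which were denied and why, whether a slow link was detected, and which client-side extensions reported an error. The embedded sample report is constructed to follow the RSoP XML element names; the computer, user, domain and GPO names in it are made up.

```powershell
# Added example: summarize an RSoP (Logging Mode) XML report.
# The live query assumes the GroupPolicy module; the parser only needs the
# XML text and runs offline against the constructed sample at the bottom.

function Get-RsopReportXml {
    # Run a real Logging Mode query against a target computer/user. The caller
    # needs the RSoP (Logging) delegation or admin rights on the target.
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [string] $User,
        [string] $Path = (Join-Path $env:TEMP 'rsop.xml')
    )
    Import-Module GroupPolicy
    $query = @{ Computer = $Computer; ReportType = 'Xml'; Path = $Path }
    if ($User) { $query['User'] = $User }
    Get-GPResultantSetOfPolicy @query | Out-Null
    return Get-Content -Path $Path -Raw
}

function Get-ChildText {
    # Text of the first child element with this local name, ignoring the
    # report's default namespace (http://www.microsoft.com/GroupPolicy/Rsop).
    param([System.Xml.XmlNode] $Node, [string] $Name)
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($child) { return $child.InnerText } else { return $null }
}

function ConvertFrom-RsopReport {
    # Returns one record per GPO (applied or denied, with the reason) and one
    # per client-side extension, for both the computer and the user scope.
    param([Parameter(Mandatory)] [string] $Xml)
    [xml] $doc = $Xml
    $gpos = @(); $exts = @()
    $scopes = $doc.SelectNodes("/*[local-name()='Rsop']/*[local-name()='ComputerResults' or local-name()='UserResults']")
    foreach ($scopeNode in $scopes) {
        $scope = $scopeNode.LocalName
        $slow  = (Get-ChildText $scopeNode 'SlowLink') -eq 'true'
        foreach ($gpo in $scopeNode.SelectNodes("*[local-name()='GPO']")) {
            # Denial reasons mirror what the console reports: disabled GPO,
            # security filtering, WMI filter, or an invalid/unreadable GPO.
            $status = 'Applied'
            if ((Get-ChildText $gpo 'Enabled') -eq 'false')            { $status = 'Denied: GPO disabled' }
            elseif ((Get-ChildText $gpo 'AccessDenied') -eq 'true')    { $status = 'Denied: security filtering' }
            elseif ((Get-ChildText $gpo 'FilterAllowed') -eq 'false')  { $status = 'Denied: WMI filter' }
            elseif ((Get-ChildText $gpo 'IsValid') -eq 'false')        { $status = 'Denied: GPO not valid' }
            $links = $gpo.SelectNodes("*[local-name()='Link']")
            $gpos += [pscustomobject]@{
                Scope    = $scope
                Name     = Get-ChildText $gpo 'Name'
                Status   = $status
                LinkedAt = (@($links | ForEach-Object { Get-ChildText $_ 'SOMPath' }) -join ';')
                Enforced = @($links | Where-Object { (Get-ChildText $_ 'NoOverride') -eq 'true' }).Count -gt 0
                SlowLink = $slow
            }
        }
        foreach ($ext in $scopeNode.SelectNodes("*[local-name()='ExtensionStatus']")) {
            $exts += [pscustomobject]@{
                Scope  = $scope
                Name   = Get-ChildText $ext 'Name'
                Status = Get-ChildText $ext 'LoggingStatus'
                Error  = [int](Get-ChildText $ext 'Error')
            }
        }
    }
    return [pscustomobject]@{ Gpos = $gpos; Extensions = $exts }
}

# Constructed sample report (not real output): one computer GPO blocked by a
# WMI filter, one user GPO denied by security filtering, a slow link on the
# computer side, and one extension that logged a non-zero error.
$SampleRsopXml = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <Name>EXAMPLE\WS-LAB-01$</Name>
    <SlowLink>true</SlowLink>
    <GPO><Name>Default Domain Policy</Name><Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.test</SOMPath><NoOverride>false</NoOverride></Link></GPO>
    <GPO><Name>Lab Firewall Lockdown</Name><Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>false</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.test/Lab</SOMPath><NoOverride>true</NoOverride></Link></GPO>
    <ExtensionStatus><Name>Registry</Name><LoggingStatus>Complete</LoggingStatus><Error>0</Error></ExtensionStatus>
    <ExtensionStatus><Name>Security</Name><LoggingStatus>Complete</LoggingStatus><Error>1332</Error></ExtensionStatus>
  </ComputerResults>
  <UserResults>
    <Name>EXAMPLE\jdoe</Name>
    <SlowLink>false</SlowLink>
    <GPO><Name>Helpdesk Desktop</Name><Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied>
      <Link><SOMPath>example.test/Staff</SOMPath><NoOverride>false</NoOverride></Link></GPO>
  </UserResults>
</Rsop>
'@

function Show-RsopSummary {
    param([string] $Xml = $SampleRsopXml)
    $report = ConvertFrom-RsopReport -Xml $Xml
    $report.Gpos | Format-Table Scope, Name, Status, LinkedAt, Enforced, SlowLink -AutoSize
    # The same success/failure view the snap-in's Error Information tab gives.
    $report.Extensions | Where-Object { $_.Error -ne 0 } | ForEach-Object {
        Write-Warning ("{0}: extension '{1}' reported Win32 error {2}" -f $_.Scope, $_.Name, $_.Error)
    }
}

Show-RsopSummary
# For a real target: Show-RsopSummary -Xml (Get-RsopReportXml -Computer 'WS-LAB-01' -User 'EXAMPLE\jdoe')
```

Get-GPResultantSetOfPolicy produces Logging Mode data only; the Planning Mode simulation described above has no equivalent cmdlet and stays in the console (or the GPMC COM interfaces). The Enforced column is derived from the link’s NoOverride element, which is the name the report uses for what the console calls Enforced.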
New Windows Server 2003 tool boosts
group-policy control
March 6, 2003
By Brien M. Posey, MCSE

Anyone who has ever administered group policies in a Windows 2000 Server environment knows that the process can be both confusing and frustrating. Although Microsoft’s hierarchical approach to group policy implementation makes sense at a logistical level, the management interface is lacking, to say the least. Fortunately, this is one of the major problems that Microsoft has addressed in Windows Server 2003. When Microsoft releases Windows Server 2003, it plans to simultaneously release a brand-new Group Policy Management Console that provides a single interface for managing group policies across the entire enterprise.

What is the Group Policy Management Console?

The Group Policy Management Console is Microsoft’s all-in-one solution for working with group policy objects. It consists of a Microsoft Management Console (MMC) Snap-In and a set of script interfaces for managing group policies via script.

To get an idea of why the Group Policy Management Console will be such a great tool, consider this: Administrators today use a variety of different tools to implement group policy settings. These tools include things such as:

• Active Directory Users and Computers
• Active Directory Sites and Services
• The Resultant Set Of Policy Snap-In
• The Access Control List (ACL) Editor
• The Delegation Wizard

Each of these tools exposes some fragment of the total group policy functionality. The Group Policy Management Console takes all of the group policy functions currently available through these tools and combines them into a single interface. The utility also includes things like backup, restore, copy, and import functionality.

Just because the Group Policy Management Console integrates functionality from all of the different tools that I mentioned earlier, it isn’t intended as a replacement for these tools. Remember that group policies are designed to control security. While security settings are certainly available through tools like Active Directory Users And Computers or Active Directory Sites And Services, those tools’ primary functions are related to administration, not security. Therefore, you’ll still use the tools that I listed in the same manner that you always have.

In case you’re wondering, the Group Policy Snap-In was replaced by the Group Policy Object Editor in Windows Server 2003. However, the Group Policy Management Console didn’t overwrite the Group Policy Snap-In. All of the Group Policy Object Editor’s functionality has been rolled into the Group Policy Management Console, but that doesn’t mean that you can’t still use the Group Policy Snap-In if you want. The Group Policy Management Console is available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en.

System requirements

The Group Policy Management Console’s system requirements are a little strange, to say the least. For example, the product supports Windows 2000, but it won’t run on Windows 2000. The new Group Policy Management Console can be used to manage group policies in both the Windows 2000 and Windows Server 2003 versions of Active Directory. This means that you’ll be able to take full advantage of the tool’s new management capabilities even if you aren’t planning to upgrade to Windows Server 2003.

The catch is that the utility won’t run on the Windows 2000 operating system. Instead, you


can run the Group Policy Management Console only on machines running Windows Server 2003 or Windows XP. If you’re planning on running the utility under Windows XP, there are some additional system requirements that you need to be aware of.

You’ll be able to run the Group Policy Management Console under Windows XP only if you’ve installed Service Pack 1 and the Microsoft .NET Framework support. There is also a post-Service Pack 1 hot fix that must be installed prior to installing the utility. The hot fix was previously available on the Microsoft Web site in Knowledgebase article Q326469. However, Microsoft has temporarily removed the hot fix. According to the Web site, the necessary hot fix will be included with the Group Policy Management Console download.

In case you’re wondering, the Group Policy Management Console will be localized. When the product is complete, versions will be available in English, Japanese, French, and German. The current beta release is available in English and Japanese only. Additionally, the Group Policy Management Console will be fully supported by Microsoft Premier Support Services once released.

Key features and capabilities

The Group Policy Management Console includes an MMC Snap-In and a set of scripting utilities. The main idea behind the MMC Snap-In is that it exposes group policy settings in the way that users tend to use them rather than in the way that the technology is designed. For example, the group policy settings relating to users are kept in a different area of the Active Directory from the group policy settings related to Sites And Services. Therefore, Microsoft initially created two different tools (Active Directory Users And Computers and Active Directory Sites And Services) to deal with the two different areas of the Active Directory. The new Group Policy Management Console combines the security-related functionality found in both of these and other tools and rolls it into a single snap-in.

The new utility will also feature backup and restore capabilities. Previously, if you wanted to back up and restore group policy settings, you had to perform an authoritative restore on the entire Active Directory. This meant that other things, like user accounts or printer definitions, were also reverted to the time that the backup was made. The new utility, however, allows you to restore only the group policy settings for a domain.

Yet another new feature is the generation of HTML reports related to group policy settings and the resultant set of policy data. You can even save or print these reports.

Finally, import/export, copy/paste, and scripting features have been included in the Group Policy Management Console. Although you can’t script individual group policy values, the scripting does have a definite purpose. The import/export, copy/paste, and scripting functions all work together to allow you to migrate group policies between domains.

Migrating group policy objects to another domain

The new Group Policy Management Console allows you to migrate group policies from one domain to another. There are lots of situations where such an operation is desirable. For example, if you perfected a new policy in a test domain, it would usually be easier to migrate the policy than to manually re-create it in the new location. Another possible situation is if your company adopted a new set of security standards; you wouldn’t want to have to manually implement those standards across every domain. Instead, it’s now possible to create the new policy in one domain and roll it out to all other domains.

There are a couple of reasons why migrating group policy objects between domains is such a big deal. The first reason is that a group policy is a collection of security settings applied through various mechanisms to various objects. Components of a group policy might exist in the registry, Active Directory, the file system, or just about anywhere else. It isn’t as if all of a group policy’s components exist in a single folder that can easily be copied from machine to machine.

The other issue that makes copying group policy objects between domains difficult is that certain group policy settings contain data that
simply doesn’t migrate well. The two main types of data that tend to cause problems are security principals and Universal Naming Convention (UNC) paths.

Security principals are often represented in the form of security identifiers (SIDs). SIDs are unique identification numbers that are applied to each object. For example, objects such as users, groups, and computers all have SIDs associated with them. Because of the unique nature of SIDs, a SID that’s valid in one domain wouldn’t necessarily be valid in another domain.

Just as SIDs can throw a monkey wrench into the process of migrating a group policy object, so too can UNCs. A UNC refers to a path that’s expressed in the \\servername\sharename format. The problem is that a server name and share name that are valid in one domain may not be valid in another domain.

The Group Policy Management Console takes a lot of the work out of migrating group policy objects to a new domain. However, doing so may still be a fairly involved process. The Group Policy Management Console is capable of performing four functions that are related to policy archival. These functions are:

• Backup
• Restore
• Copy
• Import

Don’t even try to use the Backup and Restore operations for migrations. It’s impossible to restore a policy backup to a different domain. You can use the Import function with the Backup function as a technique for updating a group policy object’s existing settings, but to do so, a group policy object must already exist in the destination directory, even if the existing group policy object is empty. The Copy function is almost always the tool of choice for migrations, because the Copy process doesn’t require you to have a group policy object that’s already in place in the destination domain.

WATCH OUT FOR THESE ITEMS

The following items contain security principals and can therefore cause problems because they may reference SIDs:

• Security policy settings found in user right assignments
• Restricted groups
• Services
• The file system
• The registry
• Advanced folder redirection policies
• The GPO DACL
• The DACL applied to software installation objects

Also, UNC paths, which can lead to problems with group policy object migrations as well, can be found in:

• Folder redirection policies
• Software installation policies
• Login scripts
• Startup scripts

As you can see, the two main problems associated with migrating group policy objects between domains are the distributed nature of the policy settings and the fact that SIDs and UNCs would be mismatched if the policies were to be copied directly. Fortunately, with a little work, you can use the Group Policy Management Console to overcome both of these problems. Overcoming the problem of distributed information is easy and automatic. Since the Group Policy Management Console already knows where all of the group policy setting information is stored, you don’t have to worry about tracking it down.

Overcoming the information mismatch problem is a little more complicated though. In order to deal with SID and UNC mismatches, you must create a migration table. A migration table is an XML file that maps an old value to a new value. I’m not going to get into the specifics of creating migration tables, because it would be possible to write an entire article on this one step of the process. What I can tell you though is that each entry in a migration table has three values: an object type, a source value, and a destination value.


For example, if a particular group policy was applied to a global group called Test Group in a domain called TEST, and you wanted the policy to apply to the Finance group in the PRODUCTION domain, then the object type would be a global group, the source value would be TEST\TEST GROUP, and the destination value would be PRODUCTION\FINANCE.

After looking at my sample entry in a migration table, the process of creating migration tables may not seem that complicated. The problem is that in the Beta 2 release of the Group Policy Management Console, there was no user interface for creating migration tables. Therefore, if you need a migration table, you must either write some raw XML code, or you can use a script to generate the XML code and then use a text editor to modify the code and fill in the appropriate values. Either way is tedious and complicated.

As you can see, the process of migrating group policy objects from one domain to another can be a real pain in the neck. Before you criticize the Group Policy Management Console too much though, remember that up until now there was no way of migrating a group policy object to another domain. Migrating a group policy object through the Group Policy Management Console is a crude process, but this is first-generation software that’s still in its beta testing phase. I think that it’s likely for future versions to include a user interface for creating migration tables.

Good things come to those who wait

As you can see, the Group Policy Management Console should make life much easier for those who manage group policies. Furthermore, this utility could drive down Windows’ total cost of ownership since it will make the management process much easier and more efficient.
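The migration table the article describes (object type, source value, destination value, written as XML) is small enough to generate and check by script, which removes the “raw XML in a text editor” step and catches a mistyped mapping before a copy silently carries the wrong SID or UNC into production. The following PowerShell is an added example, not the article’s or Microsoft’s code: it writes a table in GPMC’s migration table format using the article’s TEST\Test Group to PRODUCTION\Finance mapping plus a constructed UNC mapping, validates the file, and shows how the table is handed to Copy-GPO from the GroupPolicy module (cmdlets that shipped with later Windows versions rather than with the 2003-era GPMC). The domain, server, share and GPO names are made up.

```powershell
# Added example: build, validate and use a GPMC migration table (.migtable).
# The <MigrationTable>/<Mapping>/<Type>,<Source>,<Destination> layout is GPMC's
# own format; everything else here (names, paths, helper functions) is assumed.

# Object types GPMC accepts in a mapping.
$ValidMappingTypes = 'User', 'Computer', 'LocalGroup', 'GlobalGroup',
                     'UniversalGroup', 'UNCPath', 'Unknown'

function New-GpoMigrationTable {
    # Write one <Mapping> per entry; each entry is @{Type=;Source=;Destination=}.
    param(
        [Parameter(Mandatory)] [hashtable[]] $Mappings,
        [Parameter(Mandatory)] [string] $Path      # conventionally ends in .migtable
    )
    $sb = New-Object System.Text.StringBuilder
    [void] $sb.AppendLine('<?xml version="1.0" encoding="utf-16"?>')
    [void] $sb.AppendLine('<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">')
    foreach ($m in $Mappings) {
        if ($ValidMappingTypes -notcontains $m.Type) { throw "Unknown mapping type '$($m.Type)'" }
        [void] $sb.AppendLine('  <Mapping>')
        [void] $sb.AppendLine("    <Type>$($m.Type)</Type>")
        [void] $sb.AppendLine("    <Source>$([System.Security.SecurityElement]::Escape($m.Source))</Source>")
        [void] $sb.AppendLine("    <Destination>$([System.Security.SecurityElement]::Escape($m.Destination))</Destination>")
        [void] $sb.AppendLine('  </Mapping>')
    }
    [void] $sb.AppendLine('</MigrationTable>')
    # GPMC's own editor saves tables as UTF-16, matching the declaration above.
    Set-Content -Path $Path -Value $sb.ToString() -Encoding Unicode
    return $Path
}

function Test-GpoMigrationTable {
    # Re-read the file and report every incomplete or mistyped mapping.
    # An empty result means the table passed.
    param([Parameter(Mandatory)] [string] $Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -Path $Path).ProviderPath)
    $problems = @()
    $maps = $doc.SelectNodes("/*[local-name()='MigrationTable']/*[local-name()='Mapping']")
    if ($maps.Count -eq 0) { $problems += 'table has no <Mapping> entries' }
    foreach ($m in $maps) {
        $type = $m.SelectSingleNode("*[local-name()='Type']").InnerText
        $src  = $m.SelectSingleNode("*[local-name()='Source']").InnerText
        $dst  = $m.SelectSingleNode("*[local-name()='Destination']")
        if ($ValidMappingTypes -notcontains $type) { $problems += "bad type '$type' for '$src'" }
        if (-not $src) { $problems += 'mapping with empty <Source>' }
        if (-not $dst -or -not $dst.InnerText) { $problems += "no destination for '$src'" }
        # A UNC destination must still look like \\server\share or the link will dangle.
        if ($type -eq 'UNCPath' -and $dst -and $dst.InnerText -notmatch '^\\\\[^\\]+\\[^\\]+') {
            $problems += "destination for '$src' is not a \\server\share path"
        }
    }
    return $problems
}

function Copy-GpoToDomain {
    # Cross-domain copy with the table applied. Copy is the article's recommended
    # path because it needs no pre-existing GPO in the destination domain.
    param(
        [Parameter(Mandatory)] [string] $SourceGpo,
        [Parameter(Mandatory)] [string] $SourceDomain,
        [Parameter(Mandatory)] [string] $TargetDomain,
        [Parameter(Mandatory)] [string] $MigrationTable,
        [string] $TargetGpo = $SourceGpo
    )
    $problems = Test-GpoMigrationTable -Path $MigrationTable
    if ($problems) { throw ("Migration table rejected:`n" + ($problems -join "`n")) }
    Import-Module GroupPolicy
    Copy-GPO -SourceName $SourceGpo -SourceDomain $SourceDomain `
             -TargetName $TargetGpo -TargetDomain $TargetDomain `
             -MigrationTable $MigrationTable -CopyAcl
}

# Constructed sample: the article's group mapping plus a logon-script share
# whose server differs between the test and production domains.
$table = New-GpoMigrationTable -Path (Join-Path $env:TEMP 'test-to-prod.migtable') -Mappings @(
    @{ Type = 'GlobalGroup'; Source = 'TEST\Test Group';     Destination = 'PRODUCTION\Finance' },
    @{ Type = 'UNCPath';     Source = '\\testsrv01\scripts'; Destination = '\\prodfs01\scripts' }
)
$issues = Test-GpoMigrationTable -Path $table
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { "Table OK: $table" }
# Copy-GpoToDomain -SourceGpo 'Finance Lockdown' -SourceDomain 'test.example' `
#                  -TargetDomain 'prod.example' -MigrationTable $table
```

Import-GPO takes the same -MigrationTable parameter for the Backup-then-Import path the article mentions; in the PowerShell module it also has -CreateIfNeeded, so the empty placeholder GPO the article says Import requires is no longer necessary there. Either way, run the validation before the copy: a mapping whose destination principal does not exist in the target domain leaves the setting pointing at an unresolvable SID, which is exactly the mismatch the table is meant to prevent.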
Administrator's Guide to Order now and

Windows Server 2003 receive free


shipping!

TechRepublic's Administrator's Guide to Windows Server


2003 gets you up to speed quickly on Microsoft's newest
server operating system. Each chapter is packed with the
clear and concise how-to information you need to opti-
mize,
troubleshoot and secure Windows Server 2003.
Tap field-tested solutions. Minimize your learning curve. Turn
to the Administrator's Guide to Windows Server 2003 book and
accompanying CD to learn how to:
Plan for and deploy Windows Server 2003
Configure VPN connections
Fine-tune servers for optimum performance
Solve Group Policy problems
Troubleshoot Active Directory
Overcome DNS errors
Lock down servers
Secure wireless connections
Recover from disasters
And more
Eliminate guesswork. Leverage the proven expertise in TechRepublic’s
Administrator’s Guide to Windows Server 2003. Designed by IT pros for IT
pros, this unique book and CD set provide you with the tools and information
required to become an effective Windows Server 2003 administrator.

Order now and receive free shipping!


Learn how to take advantage of the Group
Policy Management Console
Feb. 18, 2004
By Louis Nel

Managing Group Policies in Windows has typically required a bit of a juggling act, especially in large corporate environments with a complex Active Directory (AD) structure. But those days are gone, thanks to the Group Policy Management Console (GPMC), a free tool that Microsoft has made available for download at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.

Without GPMC, you have to employ a variety of different tools—such as Active Directory Users And Computers, AD Sites And Services, Access Control List Editor, the Resultant Set of Policy (RSoP) snap-in, and Delegation Wizards—to tame the many-headed beast of Group Policies in Active Directory. GPMC brings the functionality of all those tools neatly together into a single, powerful management console that enables you to manage multiple domains and forests with ease, thanks to a unified interface.

What GPMC can do

In addition to the features mentioned above, GPMC has the ability to back up and restore Group Policy objects (GPOs); import/export and copy/paste GPOs and Windows Management Instrumentation (WMI) filters; and provide HTML reporting of GPO settings and RSoP data. What’s more, most of these operations are scriptable. Using these operations, you can plan, create, test, and migrate Group Policies.

GPMC can be used to manage Windows Server 2003 and Windows 2000 domains. Of course, Active Directory must already be enabled. The GPMC console itself can be installed on a workstation running Windows Server 2003, Windows XP Professional with Service Pack 1 (plus an additional post-SP1 hot fix that is included with GPMC), and the Microsoft .NET Framework (http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&DisplayLang=en). GPMC does not, however, run under Windows 2000. Also, in terms of the license, you must have at least one copy of Windows 2003 running on your network (or have one license of Windows Server 2003 available).

Using GPMC

Let’s take a look at the unified management console (Figure A) in GPMC, which is the most important aspect of the tool.

Figure A

Until now, a GPO’s strength—an orderly, categorized collection of layer upon layer of settings—was also its weakness, because there was no easy way to get a bird’s eye view of the policy settings. If this was a problem with one GPO, the problem became compounded by the number of GPOs you had to manage and keep track of.

With GPMC, that has changed. For an overview of a GPO’s settings (called reporting), expand Group Policy Objects and select the GPO (Figure B).

In the right-hand pane, under the Settings tab, click on Show All at the top right. A summary of the GPO’s settings will be displayed as an HTML report. This report can be generated by any user with read access to the GPO. Previously, users required read and write


permissions to the GPO to open it. Why the change? This makes things easier for certain categories of users who need to see but not edit GPO settings, such as helpdesk technicians or administrators troubleshooting a Group Policy issue.

Figure B

With GPMC you now also have the ability to save all the settings in a GPO to a file for printing or viewing. Just right-click the desired category or categories that you’ve opened, and select Print or Save Report from the context menu. Reports can be saved to a file as either HTML or XML. To view a saved report directly in a Web browser, you need Internet Explorer 6 or Netscape 7. You can also generate similar reports for Group Policy Modeling and Group Policy Results (more about these later).

GPMC will provide you with just as simplified an overview of the net effect of all your GPOs using Group Policy Results, formerly known as the Resultant Set of Policy tool.

Can’t see the forest through the trees? GPMC allows you to list only the forests and domains you wish to see. Simply right-click the forest or domain node and select Remove. Getting forests back (or adding more) is as easy as right-clicking Group Policy Management and selecting Add Forest.

AUTHOR’S NOTE
By default you can add a forest to GPMC only if there is a two-way trust with the forest of the user running GPMC. You can, however, get GPMC to work with only one-way trust or even no trust, but that is beyond the scope of this article.

AUTHOR’S NOTE
Where have all the sites gone? The Sites node is initially empty. Right-click on it and select Show Sites for your sites to appear. The absence of sites is “to speed up console performance by not enumerating a potentially large number of sites in the forest, unless explicitly requested by the user,” according to Microsoft.

As you probably noticed, a forest has four subnodes: Domains, Sites, Group Policy Modeling, and Group Policy Results. The Group Policy Modeling node (the new name for the Resultant Group Policies in Planning node) will be visible only in a forest that has the Windows Server 2003 schema for Active Directory. You will also need at least one domain controller running Windows Server 2003 if you want to perform a Group Policy Modeling analysis.

Both the Group Policy Modeling node and the Group Policy Results node give you access to the RSoP. The former is a powerful new feature enabling you to simulate the effect of policy settings for planning purposes. You can simulate the effect of policies for any user and computer in a forest. The Group Policy Results node provides you with the actual resultant set of policies for users and computers.

Group Policy Results is available only for computers running Windows XP or Windows Server 2003. But although you cannot obtain Group Policy Results data for a Windows 2000 computer, you can simulate the RSoP data using Group Policy Modeling.

Although GPMC, by default, uses the same domain controller for all operations in that domain, you can choose which domain controller to use for each domain, as well as for all sites in a forest. You have a choice between the PDC emulator, any available DC, any available DC running Windows Server 2003 (useful if you are restoring a deleted GPO containing Group Policy software installation settings), or any DC you specify. To choose a DC, right-click
the domain node and select Change Domain Once you have created the GPOs, you have
Controller. To choose a DC for operations on to define settings. To do so (as you did up to
sites, right-click the Sites node and click now using the Group Policy snap-in, Group
Change Domain Controller. Policy Editor, or GPedit), merely right-click a
Microsoft warns that it is important to con- GPO and choose Edit.
sider the choice of domain controller in order Applying a GPO (referred to as “scoping
to avoid replication conflicts. “This is espe- the GPO”) to users and computers by linking it
cially important to consider since GPO data to a site, domain, or OU is easy using GPMC.
resides in both Active Directory and on
SYSVOL, and two independent replication AUTHOR’S NOTE
mechanisms must be used to replicate GPO GPOs can be applied to sites, domains, and
data to the various domain controllers in the OUs. These GPO targets have often been
domain. If two administrators are simultane- referred to as SDOU, but the preferred term
ously editing the same GPO on different now is Scope of Management, or SOM.
domain controllers, it is possible for the
changes written by one administrator to be Here are the ways you can link a GPO
overwritten by another administrator, depend- to SOMs:
ing on replication latency. To avoid this situa- X Right-click a domain or OU node, and
tion, GPMC uses the PDC emulator in each choose Create And Link A GPO Here.
domain as the default to help ensure that all X Right-click a site, domain, or OU node, and
administrators are using the same domain con- choose Link An Existing GPO Here.
troller. However, it may not always be desirable
to use the PDC. For example, if the adminis- X Drag a GPO from under the Group Policy
trator resides in a remote site or if the majority objects node to the OU (you can drag-and-
of the users or computers targeted by the drop only within the same domain).
GPO are in a remote site, then the administra- If you need to specify new locations in which
tor may want to choose to target a domain to place new user accounts, new computer
controller at the remote location. It’s impor- accounts, or both, Windows Server 2003 has
tant to note that if multiple administrators two new tools for the job. Redirusr.exe (for user
manage a common GPO, it is recommended accounts) and Redircomp.exe (for computer
that all administrators use the same domain accounts) can be found in the %windir%\
controller when editing a particular GPO, to system32 directory of a WS2K3 system.
avoid collisions in File Replication Services
(FRS).” This comes from the Microsoft White
GPO security filtering
GPMC simplifies security filtering for a GPO.
Paper “Administering Group Policy with the
Security filtering refers to managing permis-
GPMC” (http://www.microsoft.com/win-
sions on a GPO. You can employ this to fur-
dowsserver2003/gpmc/gpmcwp.mspx).
ther help you determine which users and
Creating GPOs computers will receive the settings in a GPO.
There are various ways you can create GPOs For a GPO to apply to a user or computer, that
using the GPMC: user or computer must have both Read and
X Right-click any domain or Organization Apply Group Policy permissions on the GPO.
Unit (OU) and choose Create and Link. Up to now, you had to use the ACL editor
You can then simultaneously create a new to set the Read And Apply Group Policy per-
GPO and link it to the domain or OU. missions for users, computers, and groups if
you wanted to change the scope of a GPO.
X Right-click Group Policy Objects and click With GPMC, all you have to do is add or
New to create a new unlinked GPO. remove security principals (users, computers,
X Use a script, like the sample script called groups) in the security filtering section under
CreateGPO.wsf, included in GPMC. the Scope tab for the GPO or the GPO link.
X Copy the GPOs. The Read And Apply Group Policy permis-

224 Administrator’s Guide to Windows Server 2003


sions for the relevant security principal is then automatically set or removed.

Group Policy inheritance
You can also use GPMC to see the effect of Group Policy inheritance. Just select the container and choose the Group Policy Inheritance tab in the details pane. All the GPOs that the selected container would inherit from parent containers are shown (except for GPOs linked to sites). Note the Precedence column: it shows the order of precedence for all the links that would be applied to objects in this container.
To block inheritance, right-click the container itself (the domain or OU) and select Block Inheritance; GPOs linked above that container then no longer apply to it. To make a particular link override such a block, right-click the GPO link and select Enforced. A link must also be marked Link Enabled (again, right-click the link and choose it from the menu) before it is processed at all.

WMI Filters
A new feature of Windows Server 2003 and Windows XP is WMI Filters, which enable you to dynamically determine the scope of GPOs based on attributes of the target computer. As Microsoft says, "This provides the administrator with the potential to dramatically extend the filtering capabilities for GPOs well beyond the previously available security filtering mechanism."
To create WMI Filters, right-click either the WMI Filters container or the Contents pane for this node and select New.
There are three ways to link such a filter to a GPO:
• On the Scope tab of the GPO, use the WMI Filter drop-down menu to select a WMI Filter to link to the GPO.
• On the General tab of a WMI Filter, right-click the GPOs That Use This WMI Filter section and select Add.
• Drag a WMI Filter onto a GPO.
Keep in mind that the filter is evaluated on the client, and only Windows XP and Windows Server 2003 clients evaluate it; a Windows 2000 computer ignores the filter and applies the GPO as if no filter were attached, so a WMI filter is not a substitute for security filtering where Windows 2000 clients remain.

GPO operations
GPO operations (backing up or exporting, restoring, importing, and copying GPOs) involve too much detail to cover in this article, so I will focus on one aspect here: planning, creating, testing, and migrating group policies.
Using a test environment closely resembling the AD structure of your production environment, you can test and validate changes to your policy deployment. Once you're happy with the result, you can import and/or copy the GPOs to the production environment.
To help you set up a test environment that closely resembles the production environment, Microsoft has provided two sample scripts:
• CreateXMLFromEnvironment.wsf – As Microsoft states: "This script uses the information in a live domain to generate an XML file and a set of GPO backups that represent the policy information for that domain. The XML file captures information such as OU structure, groups and users, GPOs and the settings contained in them, links to GPOs, security on GPOs, and WMI filters. By running this script against a production domain, you can capture the essential policy information for that domain for later re-use."
• CreateEnvironmentFromXML.wsf – "This script populates a domain with policy information such as OU structure, groups, and users, GPOs and the settings contained in them, links to GPOs, security on GPOs, and WMI filters using an XML file and a set of GPO backups referenced in the XML. The XML file required as the input for this script can be generated using the previous script. By using this second script in conjunction with the XML file previously generated, you can replicate the contents of one domain to another."
For details on using these scripts, see the chapter "Staging Group Policy Deployments" in the Windows Server 2003 Deployment Kit (http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx).

Summary
This tutorial has walked you through the details of using the Group Policy Management Console (GPMC) to streamline the creation and deployment of Group Policies. This article has also explained several caveats that you need to be aware of when working with the GPMC and Group Policies. All in all, most administrators should be happy to have the GPMC to simplify Group Policy management.

Configuring wireless security in Windows Server 2003
Feb. 2, 2004
By Brien M. Posey, MCSE

Traditionally, one of the biggest problems with wireless network security is that it must be maintained individually for every client. New features in Windows Server 2003 allow you to control wireless security for Windows XP and Windows 2003 clients via group policy. Here's how it's done.

The Wireless Configuration Service
Windows Server 2003 is designed to interact with your wireless network. But in order to do so, it must have a functional Wi-Fi compatible NIC, and the Wireless Configuration Service must be started. The Wireless Configuration Service enables automatic configuration of Wi-Fi NICs. By default, the Wireless Configuration Service is set to start manually.
To start it, click Start | Administrative Tools | Services. You'll then see the Services console appear. Scroll the right pane and double-click the Wireless Configuration Service to open the Wireless Configuration Properties sheet that's shown in Figure A.
Set the Startup type to Automatic and click the Start button to start the service. Click OK to close the properties sheet.

Figure A: You must start the Wireless Configuration Service.

Wireless security and group policies
So far, I've explained that there is a Wireless Configuration Service that allows wireless connections to be automatically configured. What you might not know is that you can actually design a group policy that dictates wireless configuration. Aside from easing the administrative burden, you might want to also look at automatically configuring wireless connections for security reasons.
For example, suppose that your Finance department and your Sales department both had wireless networks. You would probably want to prevent anyone from Sales from using the access point in Finance, and vice versa. This could be easily implemented through group policies.

Figure B: The New Wireless Network Policy Properties sheet allows you to configure the wireless networking portion of the domain level group policy.

Remember that group policies can be applied at the local computer, site, domain, and organizational unit levels. Therefore, one way of achieving the desired results would be to create separate domains for Finance and Sales. You could then modify the Default Domain Security Policy for each domain to control the wireless configuration for the domain. Creating domains just to separate wireless settings is heavy-handed, though: the wireless policy is a computer setting, so placing the Finance and Sales computers in separate OUs and linking a GPO with its own wireless policy to each OU gives the same separation inside a single domain.
To modify the wireless network policies for a domain, go to a domain controller for the domain and select the Domain Security Policy command from the server's Administrative Tools menu. When you do, Windows will open the Default Domain Security Settings console. Navigate through the console tree to Security Settings | Wireless Network (IEEE 802.11) Policies. When you select this container, the pane on the right will display a New Wireless Network Policy. Double-click on this policy to open the New Wireless Network Policy Properties sheet, shown in Figure B.
The first thing that I recommend doing is replacing the name New Wireless Network Policy with something more meaningful. For example, I'm creating a wireless network policy for a domain called test.com. Therefore, I'll use the name Wireless Network Policy For Test.Com. You can then enter a meaningful description of the policy's purpose if you want.
The next option on the Properties sheet's General tab is an option to check for policy changes at a predetermined frequency. By default, Windows checks for policy changes every three hours. There is really no reason to change this unless you expect to be making a lot of changes to the policy.
The appropriate setting for the next option, Network To Access, really depends on your environment. The available choices include Any Available Network (Access Point Preferred), Access Point (Infrastructure) Networks Only, and Computer-To-Computer (Ad Hoc) Networks Only.
The default setting of Any Available Network will work in just about any situation. However, if security is what you're interested in, keep in mind that if no one in your office has a legitimate use for ad hoc networks, there's no reason to allow ad hoc connections. In such an environment your network would be more secure if you were to set the Network To Access option to Access Point (Infrastructure) Networks Only.
At the bottom of the General tab there are two check boxes that deserve some attention. The first of these check boxes is Use Windows To Configure Wireless Network Settings For Clients. This check box is selected by default and should remain selected unless you have a compelling reason to perform manual client configurations. Keep in mind, though, that only Windows XP and 2003 clients can be configured by Windows Server 2003.
The other check box is Automatically Connect To Non-preferred Networks. This check box is not selected by default. I recommend leaving this check box deselected because this is a very dangerous option. Normally, you would have some access points within your network that you have designated as preferred networks.
However, if someone installed a rogue access point on your network or if a neighbor installed an access point on their network that was within range of your clients, the network would be recognized as a non-preferred network. If the Automatically Connect To Non-preferred Networks check box were selected, your clients could end up connecting to access points that don't even belong to your network.
The other tab on the New Wireless Network Policy Properties sheet is the Preferred Networks tab. As the name implies, this tab allows you to designate which access points represent your preferred networks. These will receive preferential treatment when clients are determining which access point to use for accessing a network.
To designate an access point, click the Add button and you'll see the New Preferred Setting Properties sheet. Begin filling in this properties sheet by entering the network name in the Network Name (SSID) field on the Network Properties tab. The network name is the SSID of the access point. Once you have entered the access point's SSID, enter a description in the space provided. You might describe the physical location of the access point or note why the access point is being listed as a preferred network.

The next section of the Network Properties tab, shown in Figure C, contains three check boxes used to reflect the access point's WEP configuration. By default, the options Data Encryption (WEP Enabled) and This Key Is Provided Automatically are selected. Keep in mind, though, that these are not always the most appropriate choices. There are still a lot of wireless networks that use shared keys that are not automatically provided. In such a case, you would deselect the This Key Is Provided Automatically check box, and select the Network Authentication (Shared Mode) check box.
Two caveats apply here. A static WEP key is weak however it is delivered: the key can be recovered from a sufficiently large capture of traffic, and because it is shared by every client, a single lost laptop compromises the whole network. Shared Mode authentication makes matters worse rather than better, because the challenge/response exchange hands a sample of the RC4 keystream to anyone listening, which is enough to pass authentication without ever learning the key. If you must run WEP, the default combination (key delivered automatically through 802.1X, open-system authentication) is the stronger of the two configurations.
The final element of the Network Properties tab is the This Is A Computer-To-Computer (Ad Hoc) Network check box. Most of the time you would not select this check box. You'd use this option only if you were actually trying to configure an ad hoc network as a preferred network.
Once you have filled in the Network Properties tab, you need to fill in the IEEE 802.1X tab. This tab allows you to specify all of the parameters that are associated with 802.1X network access control.
The first element on the IEEE 802.1X tab is the Enable Network Access Control Using IEEE 802.1X check box. It is selected by default, as shown in Figure D. If you deselect it, all other options on the tab are disabled, and the client authenticates to the access point with nothing more than the WEP settings from the Network Properties tab. Smart cards, certificates and passwords are all 802.1X (EAP) methods, so using any of them requires this check box to remain selected.
The next field that you must complete is the EAPOL-Start message. The options in the corresponding drop-down list allow you to control the EAPOL-Start message's transmission behavior. Your choices are Transmit, Do Not Transmit, and Transmit Per 802.1X. The Transmit option is selected by default.
Next on the IEEE 802.1X tab is the Parameters (Seconds) section. This section allows you to configure the parameters that are used with the EAPOL start message (assuming that EAPOL start messages are being transmitted).
The first field in the Parameters section is the Max Start field. This field allows you to enter the maximum number of start messages that will be generated by a client. Normally, a client will transmit an EAPOL start message and will wait for a response. If no response is received, the client will transmit additional start messages. This parameter defines the maximum number of start messages that a client is allowed to transmit when attempting to connect to the designated network.

Figure C: The Network Properties tab allows you to designate the SSID and WEP settings for the preferred access point.
Figure D: The IEEE 802.1X tab allows you to configure 802.1X authentication.

Next, you must fill in the Start Period, which is the number of seconds (not minutes; the section is labeled Parameters (Seconds)) that a client will wait after transmitting a start message before transmitting another one. For example, if the maximum number of start messages is three and the start period is 60, then a client would transmit a start message and wait one minute for a response. If no response is received within a minute, then the client would transmit another message and wait another minute. The cycle would continue until either a response to the message is received or the maximum number of start messages has been used and the start period for the final transmission has expired.
Another value in the Parameters section is the Held Period. The Held Period is the amount of time that a client must wait after it has received an authentication failure error message from the authenticator. This prevents a malfunctioning client from flooding the network with authentication requests.
The final value that must be configured within the Parameters section is the Authentication Period. The Authentication Period works similarly to the Start Period in that it tells the client how long to wait before taking additional action. The difference is that the Start Period refers to a wait period while the client is initially trying to establish communications. The Authentication Period is the amount of time that the client must wait before retransmitting any non-acknowledged 802.1X requests after the initial end-to-end authentication has been established.
The next thing that must be configured on the 802.1X tab is the EAP Type. EAP stands for Extensible Authentication Protocol. Your choices are Smart Card Or Other Certificate or Protected EAP (PEAP). Once you have made your selection, you must click the Settings button to specify the actual EAP configuration information.
For example, if you were to select Smart Card Or Other Certificate and click Settings, you would see the Smart Card Or Other Certificate Properties sheet, shown in Figure E. As you can see in the figure, the top portion of this properties sheet gives you a choice of using a smart card or using a certificate.

Figure E: You must choose between a smart card and a certificate.

If you've chosen to use a certificate, select the Validate Server Certificate check box. Leave it selected whichever EAP type you use: without it the client accepts whatever authentication server answers, including one behind a rogue access point set up to impersonate your network. You must then tell Windows which certificate authority to trust for the server's certificate. If your company doesn't subscribe to a commercial certificate authority, select your own Enterprise CA; Windows Server 2003 allows you to configure one of the servers on your network to act as a Certificate Authority.
Click OK to return to the IEEE 802.1X tab of the New Preferred Setting Properties sheet. You now have just a couple of check boxes that need to be configured. The first is Authenticate As Guest When User Or Computer Information Is Unavailable. This option is disabled by default and should remain disabled. Enabling this check box would allow unauthenticated computers or users to access your wireless network.
You also should take a look at the Authenticate As Computer When Computer Information Is Available check box. This check box is selected by default. It allows a computer to access the wireless network even if the user is not logged on. Doing so allows the computer to receive antivirus updates, operating system patches, and so forth.
The final option on the IEEE 802.1X tab is the Computer Authentication drop-down list. This list allows you to control how computer authentication works with user authentication. The default option is With User Re-authentication. This means that any time the user is not logged on, authentication is performed using the computer's credentials. However, when a user logs on, the user's credentials are used for authentication. When the user logs off, the system goes back to using computer credentials.
Another option is With User Authentication. When this option is used, computer credentials are used until a user logs on. The computer credentials stay in effect unless the user moves to a different access point. At that point the user credentials take over. The only other option is Computer Only. This option means that the user's credentials are never taken into account and the computer's credentials are used for authentication.
When you have finally finished filling in the New Preferred Setting Properties sheet, click OK. The network is now added to the Preferred Networks tab found on the New Wireless Network Policy Properties sheet, as shown in Figure F. Click OK to create the new wireless policy.

Figure F: The preferred network is added to the list.

The Wireless Monitor
Another handy new tool included in Windows Server 2003 is the Wireless Monitor. The Wireless Monitor allows you to keep tabs on all of the wireless network connections available near your server. In order to use the Wireless Monitor, your server must have a functional wireless NIC and also must be running the Wireless Configuration Service.
To access the Wireless Monitor, enter the MMC command at the Run prompt. When you do, Windows will open an empty Microsoft Management Console. When the console opens, select the Add/Remove Snap-in command from the console's File menu. When you do, you'll see the Add/Remove Snap-in properties sheet appear. Click the Add button found on the properties sheet's Stand-alone tab to see a list of all of the available snap-ins. Select Wireless Monitor from the list and click Add, Close, and OK. The Wireless Monitor is now loaded within the console.
Now that the console is loaded, navigate through the console tree to Console Root | Wireless Monitor | Your Server Name. When you expand the container with the same name as your server, there will be about a ten-second delay, and then two additional containers will appear: Access Point Information and Wireless Client Information.
If you select the Access Point Information container, you'll see information related to any wireless access points that the server can see. For example, if you look at Figure G, you can see that there is one access point in the area, named Posey.

Figure G: The Access Point Information container gives you information about any access points that the server can see.

The console displays information related to the network type (which should always be Access Point), the MAC address of the access point, signal strength, data rate, and GUID. You can also look at this screen to see if privacy is enabled. Privacy refers to WEP or WPA encryption. You might notice that Windows provides a column for Radio Channel, as well. In the figure, the channel is blank because my access point is configured to use channel hopping.
The Wireless Client Information container contains information about wireless clients connected directly to the server through an ad hoc connection. You can view information about wireless clients such as the connection type, connection duration, local MAC address, remote MAC address, network name, and even a description of the client.
As you can see, the Wireless Monitor isn't really a security tool. However, it is a good place to get detailed information about all of the server's wireless connections. It is, for instance, a quick way to spot an access point advertising your SSID from an unexpected MAC address or with privacy disabled, which is exactly the rogue access point scenario that the Automatically Connect To Non-preferred Networks setting guards against.
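The Network Authentication (Shared Mode) option on the Network Properties tab deserves a closer look, because shared-key authentication is weaker than it sounds. The following Python script is an added example, not code from this article or from Windows: it models the 802.11 shared-key exchange (the access point sends a 128-byte challenge, the station returns it WEP-encrypted under RC4 keyed with IV || WEP key, with the CRC-32 integrity check value appended) and shows that a passive listener who observes one challenge/response pair recovers the keystream for that IV and can then answer any later challenge without knowing the key. The WEP key, IV and challenge bytes are constructed values; RC4 and the frame layout follow the standard.

```python
"""
Why WEP shared-key authentication leaks the keystream.

Added example, not part of the original article. Models the 802.11-1999
shared-key exchange: the access point sends a 128-byte challenge, the station
returns it WEP-encrypted (RC4 keyed with IV || WEP key, CRC-32 ICV appended).
The WEP key, IV and challenge values below are constructed for illustration.
"""
import struct
import zlib

CHALLENGE_LEN = 128  # 802.11 shared-key challenge text length


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). WEP runs RC4 with key = IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian; no secret involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def station_response(wep_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Legitimate station: frame body = IV || RC4(IV||key, challenge || ICV)."""
    return iv + rc4(iv + wep_key, challenge + icv(challenge))


def ap_verify(wep_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Access point: decrypt with the IV the station chose, check text and ICV."""
    iv, body = response[:3], response[3:]
    plain = rc4(iv + wep_key, body)
    return plain[:-4] == challenge and plain[-4:] == icv(challenge)


def recover_keystream(challenge: bytes, response: bytes):
    """Eavesdropper: the challenge went over the air in clear, so plaintext XOR
    ciphertext is the RC4 keystream for this IV (132 bytes: text + ICV)."""
    iv, body = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), body)


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker answers a fresh challenge by reusing the IV and recovered keystream.
    The ICV is a CRC the attacker can compute for any text, so it is no obstacle."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)


def demo() -> bool:
    key = bytes.fromhex("0123456789abcdef0123456789")      # constructed 104-bit WEP key
    iv = b"\x11\x22\x33"                                   # constructed 24-bit IV
    challenge = bytes(range(CHALLENGE_LEN))                # constructed challenge to a real client
    observed = station_response(key, iv, challenge)        # what the attacker sniffs
    iv_seen, ks = recover_keystream(challenge, observed)   # no key needed
    new_challenge = bytes((255 - i) % 256 for i in range(CHALLENGE_LEN))  # later challenge to attacker
    forged = forge_response(iv_seen, ks, new_challenge)
    return ap_verify(key, new_challenge, forged)


if __name__ == "__main__":
    print("forged authentication accepted:", demo())
```

The access point has no way to tell the forged reply from a genuine one, because WEP lets the station choose the IV and never prevents its reuse. Open-system authentication never performs this exchange, which is why it leaks nothing even though it "authenticates" nothing.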

Securing IIS 6.0
Dec. 18, 2003
By Jim Boyce

Microsoft made several changes to Internet Information Services (IIS) 6.0 to improve security, not the least of which was a complete architectural overhaul. This change, combined with others in IIS function and management, makes IIS 6.0 a more secure platform than previous versions. Many of the methods for securing IIS 6.0 are the same as in previous versions, but there are several new methods you can use to secure the server in general and specific sites in particular. Here are the most common methods you can use to secure IIS 6.0.

General server security
There are common threads for securing servers, regardless of the services they are running. Physical security, for example, is often overlooked, particularly by smaller companies. All of your servers should be in a locked room with limited access and proper site preparation for cooling, fire prevention, and power management. You should never leave a server logged on and unattended. You should always log off, but at the very least, press [Ctrl][Alt][Del] and lock the server. You should also use a limited logon account whenever possible and use the Runas command to start processes in the administrator context when your limited account doesn't provide the necessary privileges for the management task at hand. Also consider implementing a strong password policy, especially for groups with administrative privileges. Deny remote access to the server unless absolutely necessary.
It's also imperative that you protect the file system, and the only way to ensure such protection is to use NTFS on all partitions on the server as well as on any partitions hosting shared volumes that the server accesses across the network. Take the time to review permissions on all volumes and folders with an eye out for potential security risks. Also remove unnecessary shares and hide the remaining administrative shares by appending $ to the share name whenever possible. Keep in mind that the $ suffix only keeps a share out of browse lists; anyone who knows or guesses the name can still connect, so share and NTFS permissions remain the actual access control.
Keeping the server up to date is another necessity. This means not only installing security updates and patches as they come along but also ensuring that the server includes a working virus scrubber that you update at least once a week. A perimeter scrubber that monitors all incoming traffic is a great addition to your network as the first line of defense against viruses and worms, although you

should include virus scrubbers on each server and workstation as well.
Finally, use member or stand-alone servers whenever possible to host IIS and dependent services. Keep IIS off of your domain controllers to improve DC performance but, more important, to ensure that if the server is compromised your domain security isn't also compromised.

IIS 6.0 global security improvements
There are several changes for IIS 6.0 in Windows Server 2003 that improve server and network security. First, when you install Windows Server 2003, Setup does not install IIS by default (a significant security improvement for Windows Server overall). You can also configure group policy to prevent IIS from being installed. These two changes reduce the chance that IIS will end up on servers where it should not be, thereby reducing the network's exposure to attack.
When you do install IIS on Windows Server 2003, Setup installs the software in a more secure state than in previous versions. For example, the server is configured by default to serve only static pages, with ASP.NET and CGI disabled. Other services and components are disabled as well, including server-side includes, Internet Data Connector, WebDAV, Internet Printing ISAPI, and Index Server ISAPI. FrontPage Server Extensions are disabled, as is the password change interface. The FTP and SMTP services are also disabled by default.
The architectural changes in IIS 6.0 also make for a more secure platform. Worker processes run in user mode and therefore can't access privileged items in the kernel. They also run in the context of the Network Service account with relatively low privileges. Built-in ASP functions run in the context of the IUSR_machine account.
Your capability to configure application pools enables you to limit the kernel request queue size, limit CPU utilization, and apply other restrictions to help ensure that an attack, when it comes, will have its impact minimized on the server overall. To help combat buffer overflow attacks, IIS 6.0 monitors incoming requests to identify unusually large transaction requests that are indicative of an attack. You can also configure IIS 6.0 to recycle worker processes if they consume too much physical or virtual memory based on limits that you specify on a per-application-pool basis, reducing the impact of memory overflow exploits. Your capability to isolate sites and applications using multiple application pools and to configure recycling parameters for those pools helps reduce the effect of denial-of-service attacks.
IIS 6.0 includes other features and changes to reduce its susceptibility to attacks. For example, IIS 6.0 serves only those file types explicitly defined by the administrator. If a request arrives for an unregistered file type, IIS 6.0 returns a 404.3 error to the client. The server also strips out scripts embedded in incoming requests before processing those requests. Command-line tools are disabled for IIS 6.0 by default, and running executable files is allowed only to members of the Administrators group and to selected built-in accounts, preventing anonymous users from running executable files. In addition, anonymous users are denied write access to Web content by default. Script source access is protected by a new permission, which is disabled by default. All of these features help block or limit the impact of various types of Web server attacks.

Authentication options for IIS 6.0
You'll find some changes in IIS 6.0 authentication options that also improve site and server security. For example, anonymous authentication no longer requires the Log On Locally right. In addition, sub-authentication, which enables IIS to manage passwords for anonymous accounts, is no longer enabled by default. You can, however, enable it if needed.
UNC pass-through authentication is also changed in IIS 6.0 from previous versions. UNC pass-through authentication enables IIS to access resources stored on other computers through Universal Naming Convention (UNC) paths. UNC paths and UNC pass-through authentication are commonly used to support virtual directories hosted by other computers. If you specify a user name and password for a UNC share, those credentials are used by IIS 6.0 to access the remote resource.
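The lockdown behaviours described under IIS 6.0 global security improvements only pay off if someone reads what the server logs. The following Python script is an added example, not code from this article or from IIS: it parses IIS 6.0 W3C extended log lines (sc-substatus and cs-bytes are among the fields IIS 6.0 can write; the script reads the #Fields directive rather than assuming a layout) and flags 404.3 responses for unregistered file types, clients that collect several of them in a row, requests whose size exceeds a byte threshold, and 500 responses. The log lines, the addresses (RFC 5737 documentation ranges) and the two thresholds are constructed for illustration and should be tuned to a real site's traffic.

```python
"""
Triage of IIS 6.0 W3C extended log lines.

Added example, not from the article. SAMPLE_LOG is constructed: the field
list mirrors what IIS 6.0 can log, but a real log's #Fields line is read,
never assumed. Thresholds are illustrative.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-12-18 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status cs-bytes
2003-12-18 10:00:01 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0 310
2003-12-18 10:00:04 192.0.2.10 GET /data/site.mdb - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 404 3 0 301
2003-12-18 10:00:05 192.0.2.10 GET /data/orders.csv - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 404 3 0 303
2003-12-18 10:00:06 192.0.2.10 GET /data/site.bak - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 404 3 0 300
2003-12-18 10:00:09 192.0.2.10 GET /reports/q4.htm - 80 - 203.0.113.5 Mozilla/4.0+(compatible) 500 0 5 298
2003-12-18 10:00:12 192.0.2.10 GET /default.htm - 80 - 203.0.113.9 - 200 0 0 120000
2003-12-18 10:00:15 192.0.2.10 GET /index.htm - 80 - 198.51.100.8 Mozilla/4.0+(compatible) 200 0 0 312
"""

MAX_REQUEST_BYTES = 16 * 1024  # constructed threshold; set it above the site's largest legitimate POST
SCANNER_THRESHOLD = 3          # constructed: 404.3 hits from one client before it is called a scanner


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no per-request data
        if fields is None:
            raise ValueError("data line appears before the #Fields directive")
        values =	line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def triage(records):
    """Return (findings, scanners). Each finding is (kind, client ip, uri stem)."""
    findings = []
    unregistered_by_client = Counter()
    for r in records:
        status, sub = int(r["sc-status"]), int(r["sc-substatus"])
        cs_bytes = int(r["cs-bytes"]) if r["cs-bytes"] != "-" else 0
        client, uri = r["c-ip"], r["cs-uri-stem"]
        if status == 404 and sub == 3:
            # 404.3: extension not in the MIME map, so IIS refused to serve it.
            # A run of these is someone probing for backups, databases, source.
            unregistered_by_client[client] += 1
            findings.append(("unregistered-extension", client, uri))
        if cs_bytes > MAX_REQUEST_BYTES:
            # Oversized request bytes: the overflow/probe traffic the text describes.
            findings.append(("oversized-request", client, uri))
        if status == 500:
            # Server-side failure; failed UNC credentials on a virtual directory are one cause.
            findings.append(("server-error", client, uri))
    scanners = [c for c, n in unregistered_by_client.items() if n >= SCANNER_THRESHOLD]
    return findings, scanners


if __name__ == "__main__":
    found, scan = triage(parse_w3c(SAMPLE_LOG))
    for kind, client, uri in found:
        print(f"{kind:24} {client:15} {uri}")
    print("probable scanners:", scan)
```

Run against a real log directory, the same two functions work unchanged as long as sc-substatus and cs-bytes are enabled in the site's logging properties; without sc-substatus a 404.3 is indistinguishable from a plain 404, which is reason enough to turn the field on.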

Specifying an incorrect user name or password results in a 500 Internal Server Error to the client when the client tries to access the virtual directory. If no credentials are supplied, IIS 6.0 uses the credentials of the requesting client to access the resource. If the client is accessing the site anonymously, the account assigned for anonymous access (such as IUSR_machine) is used to authenticate on the remote server. If the client has specified account credentials, those credentials are used to access the remote UNC resource.
Also new in IIS 6.0 is support for Advanced Digest Authentication. Digest Authentication improves on Basic Authentication because what crosses the wire is an MD5 hash computed over the credentials, the server's challenge (nonce) and the request, never the password itself, and the hash cannot be reversed to recover the password. It can, however, be attacked offline by guessing passwords and recomputing the hash, so a strong password policy remains essential. Advanced Digest Authentication provides higher domain security overall, as well, because Windows stores user credentials as an MD5 hash in the Active Directory, eliminating the need to configure the AD to store passwords with reversible encryption. In order to use Advanced Digest Authentication, clients must be running a Web browser that supports HTTP 1.1, their accounts must be in the same domain as the server or in a trusted domain, and that domain's domain controllers must be running Windows Server 2003. IIS drops back to Digest Authentication if the domain controller is not running Windows Server 2003.

Figure A: You can allow or prohibit services.
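To see concretely why Digest Authentication never exposes the password, and what Advanced Digest lets the domain controller store instead of a reversibly encrypted password, here is an added Python example (not code from the article or from IIS) that implements the RFC 2617 computation with qop=auth. HA1 is MD5(username:realm:password); a server holding only HA1 can verify a client's response, and that stored hash is all Advanced Digest needs. The same script shows the caveat: the hash cannot be inverted, but anyone who captured the exchange can test password guesses offline. The user name, realm, nonce, URI and passwords are constructed values; IIS uses the domain name as the realm.

```python
"""
RFC 2617 Digest access authentication (qop=auth), the scheme behind IIS 6.0
Digest and Advanced Digest Authentication.

Added example, not part of the article. User name, realm, nonce, cnonce and
passwords below are constructed values.
"""
import hashlib
import hmac


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """MD5(user:realm:password). This is the value Advanced Digest keeps in AD,
    so the password itself need not be stored reversibly anywhere."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2); nc is the 8-hex-digit request counter."""
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Browser side: needs the password to compute HA1, but sends only the response."""
    return digest_response(ha1(username, realm, password), nonce, nc, cnonce, ha2(method, uri))


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: recomputes from the stored hash alone, in constant time."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, ha2(method, uri))
    return hmac.compare_digest(expected, response)


def offline_guess(username, realm, method, uri, nonce, nc, cnonce, response, wordlist):
    """Eavesdropper: cannot invert MD5, but can recompute the response per guess."""
    for candidate in wordlist:
        if client_response(username, realm, candidate, method, uri, nonce, nc, cnonce) == response:
            return candidate
    return None


def demo():
    user, realm, password = "alice", "CORP", "Winter2003!"          # constructed
    method, uri = "GET", "/reports/q4.htm"                          # constructed
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = client_response(user, realm, password, method, uri, nonce, nc, cnonce)
    stored = ha1(user, realm, password)   # the only secret the domain controller has to keep
    ok = server_verify(stored, method, uri, nonce, nc, cnonce, resp)
    # Replaying the same response with a different request counter fails:
    replay = server_verify(stored, method, uri, nonce, "00000002", cnonce, resp)
    # A weak password still falls to a captured exchange plus a word list:
    guessed = offline_guess(user, realm, method, uri, nonce, nc, cnonce, resp,
                            ["password", "Welcome1", "Winter2003!"])
    return ok, replay, guessed


if __name__ == "__main__":
    print(demo())  # (True, False, 'Winter2003!')
```

Two practical consequences follow from the arithmetic: the stored HA1 is tied to the realm, so changing the domain name invalidates every stored hash, and because HA1 alone is enough to answer a challenge, a copy of the directory's digest hashes is as sensitive as the passwords for this purpose.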

Securing your server and sites
Now that you have some background in the security changes and improvements in IIS 6.0, you can turn your attention to protecting your sites and servers. First, let's look at enabling and disabling Web service extensions. Open the IIS Manager console from the Administrative Tools folder and click the Web Service Extensions branch in the left pane. The IIS Manager displays the installed and defined extensions in the right pane, as shown in Figure A.
To enable or disable a particular extension, select the extension in the list and click Allow or Prohibit, respectively. If you need to support ASP, for example, you will need to enable the Active Server Pages extension. You can also add new extensions from this branch. Allow only the extensions a site actually uses: every allowed ISAPI extension or CGI is code that anonymous clients can cause to run.
Next, turn your attention to configuring application pools to help protect your server against attacks. To configure default application pool properties, right-click the Application Pools branch in the IIS Manager and choose Properties. When you do, you'll see the screen shown in Figure B.

Figure B: Application pools can help protect your server.

In the Memory Recycling area, enable the Maximum Virtual Memory and Maximum Used Memory options and specify the memory limits based on the system's memory configuration and server load. It's best to start with the suggested default values and adjust as needed.
Next, click the Health tab and verify that the Enable Rapid-Fail Protection option is enabled. Also click the Identity tab and verify that the default security account is set to Network Service.
Another security-related task you will likely need to accomplish is to configure the file types that IIS 6.0 will support. You do so by modifying the MIME type definitions for the server. You can configure MIME types on a global or site basis. To configure them at the global level, open the IIS Manager console, right-click the server, and choose Properties. On the Internet Information Services tab, click MIME Types to open the MIME Types dialog box. You'll then see the screen shown in Figure C.

Figure C: Configure the file types your server supports.

From here you can edit or remove existing MIME types or create new ones. Bear in mind that the global MIME types are inherited at the virtual server and directory levels. Unless you need to add a type globally, it's best to add it only at the level where it is required. To manage MIME types for a virtual server, right-click the Web site and choose Properties. Click the HTTP Headers tab and click MIME Types to open the MIME Types dialog box, where you can accomplish the same types of tasks as at the server level. To manage MIME types at the directory level, right-click the physical or virtual directory in the IIS Manager console, choose Properties, click the HTTP Headers tab, and click MIME Types.
At this point, consider authentication requirements for the server and/or sites. To configure UNC pass-through authentication, right-click an existing virtual directory that points to a UNC share and choose Properties. This will display the screen shown in Figure D.

Figure D: You should set authentication on virtual directories.

On the Virtual Directory tab, click Connect As to open the Network Directory Security Credentials dialog box. Here you can specify an explicit set of credentials to be used to access the remote UNC share's contents. If you want IIS to use the user's own credentials to authenticate on the remote server, choose the option Always Use The Authenticated User's Credentials When Validating Access To The Network Directory. Keep in mind that if you enable this option, anonymous users are authenticated on the remote server with the anonymous account, IUSR_machine. Because that is a local account on the Web server, the server hosting the share must have an account with the same name and password, or you should switch the site's anonymous account to a domain account. Configure accounts and permissions as necessary on the server hosting the share. Craft your authentication scheme to provide only the bare minimum permissions necessary for each user to perform his or her specific tasks in the folder.
Next, look at the authentication requirements for the Web sites or specific directories that use other than anonymous authentication. Right-click the Web site or directory, choose Properties, and click the Directory Security tab. Then click Edit in the Authentication And Access Control group to open the Authentication Methods dialog box.

234 Administrator’s Guide to Windows Server 2003


To prevent anonymous access, deselect the Enable Anonymous Access option. Select the other authentication methods you need to support from the Authenticated Access group. If you choose Digest Authentication, IIS 6.0 will attempt to use Advanced Digest Authentication and, failing that, will fall back to Digest Authentication. If you choose Digest Authentication or .NET Passport Authentication, you also need to specify the Realm and Default Domain, respectively.

While you have the Directory Security tab open, consider whether you need to impose connection restrictions on the Web site or directory. If you have a directory that should be accessible only by users internal to your LAN, click Edit in the IP Address and Domain Name Restrictions group, then add the individual IP address or subnet ranges of the allowed clients. You can also specify a domain name, but using this option requires a reverse DNS lookup, which imposes server overhead and requires that the clients have their IP addresses appropriately registered in DNS.

You should also verify permissions for each site and virtual directory. Open the site’s or directory’s properties and click the Home Directory or Directory tab. This will display the screen shown in Figure E.

Figure E: Set permissions on the Home Directory.

Ensure that you have not enabled Write permission unless users need to be able to post to the site. Script Source Access and Directory Browsing should be disabled unless specifically needed, and Execute Permissions should be set to None unless you want to enable scripts to execute. Finally, it’s a good idea to remove all of the extra default documents that IIS adds for a site or directory. Click the Documents tab and remove all but the specific default document your site or directory uses.

Securing other functions
When you finish configuring Web site properties, you’re not finished configuring server security. Although IIS 6.0 does not by default enable FTP or SMTP, you should review security for these services, as well. In the case of FTP, I recommend you disable anonymous access for FTP before ever considering taking an FTP site live. If you do want to provide anonymous access for users, create a virtual directory named anonymous and configure that directory’s permissions as needed for anonymous users.

Under this directory, add the directory structure you want anonymous users to see. Disable Write permission in the site’s main folder, and then only after verifying the underlying NTFS permissions of each directory should you enable anonymous access. By creating a virtual directory with the alias “anonymous,” you force anonymous users into that virtual directory when they log on. Although they can CD to the site’s root folder, you have disabled Write permission, preventing users from writing to the home directory. Create other virtual directories for authenticated access by other users, matching the virtual directory alias to the user’s name, which will cause the user to be placed in that directory when they log on.

For the SMTP service, review the relay settings to ensure that your server will not be used for unauthorized relay. Open the properties for the virtual server, click the Access tab, and click Relay. Choose the option Only The List Below, then click Add and add the IP address, subnet, or domain hosts that can relay
through the server. Keep the list as restricted as possible.

Don’t stop there!
Securing your IIS 6.0 server certainly isn’t a one-click operation. When you finish reviewing all of the security-related properties on the server, turn your attention outward. Add-on applications, network and company policies, firewall configuration, and a host of other non-IIS issues ultimately affect IIS server security. Identifying these and reviewing them in light of overall security can go a long way toward securing your servers and your network.
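The Home Directory and Authentication Methods settings reviewed above can also be audited from a script, which is useful when you have many sites and virtual directories. The following PowerShell script is an added example and not code from the article; it assumes PowerShell is installed on the IIS 6.0 server, that the IIS ADSI provider is available, that the site being checked is the Default Web Site (metabase ID 1), and that the site’s one intended default document is default.htm.

```powershell
# Added example, not code from the article. Assumes PowerShell on the IIS 6.0
# server, the IIS ADSI provider, and the Default Web Site (metabase ID 1).
param(
    [string]$MetabasePath = "IIS://localhost/W3SVC/1/Root",  # site root or a virtual directory
    [switch]$Fix                                              # apply the hardening, not just report it
)

# AuthFlags bit values defined by the IIS 6.0 metabase (MD_AUTH_*)
$AuthAnonymous = 1; $AuthBasic = 2; $AuthNTLM = 4; $AuthMD5 = 16; $AuthPassport = 64

function Test-IisNodeHardening {
    # Returns one finding for each setting that differs from the hardened state.
    param([string]$Path)
    $node = [ADSI]$Path
    $findings = @()
    $auth = [int]$node.AuthFlags
    if ($auth -band $AuthAnonymous) { $findings += "Enable Anonymous Access is on (AuthFlags=$auth)" }
    if ($auth -band $AuthBasic)     { $findings += "Basic authentication is on; require SSL for it or drop it" }
    if ([bool]$node.AccessWrite)        { $findings += "Write permission is on" }
    if ([bool]$node.AccessSource)       { $findings += "Script Source Access is on" }
    if ([bool]$node.EnableDirBrowsing)  { $findings += "Directory Browsing is on" }
    if ([bool]$node.AccessExecute)      { $findings += "Execute Permissions = Scripts and Executables" }
    elseif ([bool]$node.AccessScript)   { $findings += "Execute Permissions = Scripts only" }
    $docs = [string]$node.DefaultDoc                  # comma-separated list, e.g. "Default.htm,Default.asp"
    if (($docs -split ",").Count -gt 1) { $findings += "Extra default documents: $docs" }
    return ,$findings
}

function Set-IisNodeHardening {
    # Applies the settings the article recommends; the authenticated methods already
    # selected are kept, only the anonymous bit is cleared.
    param([string]$Path, [string]$DefaultDocument = "default.htm")   # assumed default document
    $node = [ADSI]$Path
    $auth = [int]$node.AuthFlags -band (-bnot $AuthAnonymous)
    if ($auth -eq 0) { $auth = $AuthNTLM }   # never leave a node with no authentication method at all
    $node.AuthFlags         = $auth
    $node.AccessWrite       = $false
    $node.AccessSource      = $false
    $node.EnableDirBrowsing = $false
    $node.AccessExecute     = $false
    $node.AccessScript      = $false         # Execute Permissions = None
    $node.DefaultDoc        = $DefaultDocument
    $node.SetInfo()                          # write the changes back to the metabase
}

$before = Test-IisNodeHardening $MetabasePath
if ($before.Count -eq 0) { "$MetabasePath already matches the hardened baseline." }
else { "Findings for ${MetabasePath}:"; $before | ForEach-Object { " - $_" } }

if ($Fix -and $before.Count -gt 0) {
    Set-IisNodeHardening $MetabasePath
    "Remaining findings after fix:"
    Test-IisNodeHardening $MetabasePath | ForEach-Object { " - $_" }
}
```

Run it without -Fix first; it only reads the metabase, so it is safe to point at every virtual directory under W3SVC before deciding what to change.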

Working with Windows Server 2003’s IP Security Monitor
Feb. 16, 2004
By Brien M. Posey, MCSE

When Microsoft originally released Windows 2000, it included a new protocol called IPSec. The idea was that network security could be greatly increased by encrypting traffic as it flowed across the wire. Although IPSec was a good idea, the problem was that far too many administrators would enable it and never really do anything to confirm that IPSec was actually encrypting traffic. This was unfortunate because Windows 2000 included a utility called IPSECMON.EXE that made it easy to check if IPSec was working properly.

Over the years, I’ve grown quite fond of IPSECMON.EXE. I was really surprised to see that it didn’t exist in Windows Server 2003. Although IPSECMON.EXE is gone, Microsoft replaced it with a new tool called the IP Security Monitor Console. In creating this tool, Microsoft has basically rewritten IPSECMON.EXE to make it work within a console. It then added support for all of the new IPSec features that exist in Windows 2003. In this article, I’ll introduce you to this new tool and show you how to use it to verify that IPSec is working as intended.

What’s new
Before you can really appreciate the IP Security Monitor Console, you need to see what its predecessor looked like. Figure A shows the IPSECMON.EXE utility that’s included with Windows 2000 Server. Notice that the utility contains no menu options and only two buttons: Options and Minimize. The only thing you can do with the Options button is change the refresh rate. My point is that although IPSECMON.EXE does a decent job of counting confidential and authenticated bytes, there really isn’t much more that you can do with it.

Now that you’ve seen what the IPSECMON.EXE utility looks like, let’s take a look at the IP Security Monitor Console. As you can see in Figure B, the console looks a lot different than IPSECMON.EXE, but the differences aren’t just cosmetic.

Earlier, I mentioned that the IP Security Monitor Console had been extended to support all of IPSec’s new features. There are too many new IPSec features to discuss here, but I wanted to at least take a moment and talk about some of the things that the IP Security Monitor Console does that IPSECMON.EXE didn’t.

As you look at the console, one of the first things you might notice is that just below the IP Security Monitor container is a server listed by name. The reason for this is that the IP Security Monitor Console can monitor the IPSec statistics for multiple computers rather than just for the local computer, as was the case with IPSECMON.EXE.

Another nice new addition to the console is the ability to view individual IPSec policies. You can use the console to view things such as the policy name, description, modification date, store, path, OU, and even the name of the group policy that it is being called from.

Figure A: The IPSECMON.EXE tool allowed you to confirm that IPSec was working, but was crude, to say the least.

Yet another new feature is the ability to use DNS name resolution for filter and security association output. At first, this might not seem like a big deal. After all, if you look at Figure A, you’ll notice that most of the host names are being resolved already. Therefore, DNS name resolution might not even seem like a new feature. The difference, though, is that all of the host names you see in Figure A belong to hosts on my local network. The new IP Security Monitor Console allows you to resolve host names from across the Internet. This is important because Windows Server 2003 supports using IPSec over a NAT firewall.

Figure B: The IP Security Monitor Console has been extended to take advantage of all of the new IPSec features.

One last new feature that I want to talk about is the filter search. As you probably know, IPSec policies are based on filters and rules. For example, a filter rule might dictate that traffic flowing from and addressed to a specific address must be encrypted. Although filters and rules tend to work well, the very nature of the Active Directory allows conflicts to occur. When conflicts occur between filters, one filter will take priority over another, and the lower-priority filter will be ignored. This can cause IPSec to behave unexpectedly. If you notice IPSec acting strangely, you can use the new console to search for specific filters or rules. This allows you to locate the filter that is causing the unexpected behavior.

Accessing the IP Security Configuration Console
Now that I’ve shown you some of the differences between IPSECMON.EXE and the IP Security Monitor Console, I want to demonstrate how you can use the console to help monitor and enforce IP security within your own organization.

Begin by entering the MMC command at the Run prompt. When you do, Windows will load an empty Microsoft Management Console. Now, select the Add / Remove Snap In command from the console’s File menu. This will cause Windows to display the Add / Remove Snap-in properties sheet. Click the Add button found on the properties sheet’s Standalone tab to reveal a list of the available snap-ins. Select IP Security Monitor from the list of available snap-ins and click Add, followed by Close and OK. The IP Security Monitor should now appear within the console.

Adding a computer
Since the IP Security Monitor allows you to monitor multiple computers, the first thing you need to know how to do is add another computer to the list of systems to be monitored. To do so, right-click on the IP Security Monitor container and select the Add Computer command from the resulting shortcut menu. When you do, you’ll see the Add Computer dialog box. It’s important to note that the IP Security Monitor can monitor only computers running Windows Server 2003.

Monitoring a computer
After you finish adding the computers to be monitored to the list, it’s time to begin the actual monitoring process. Expand the computer container and, after a brief delay, you’ll see three subcontainers:

• Active Policy
• Main Mode
• Quick Mode

Active Policy
As you’re no doubt aware, IPSec policies are applied as a part of a group policy. Furthermore, group policies are hierarchical in nature. Group policies can be applied at the local computer level, the site level, the domain level, and the Organizational Unit level. This means that several policies can be applied to a user or to a computer. As you might expect, it’s possible for policies to contradict one another. When group policies contradict, Windows uses an algorithm to determine which group policy is in effect.

What this means is that IPSec policies can be applied at many different levels as well. If

Figure C: The Active Policy container shows which policy is in effect.

Figure D: The Generic Filter container applies policy number 1 to all traffic coming from my computer.

Figure E: The Specific Filters container shows which filters apply to the machine, but in more detail than the Generic Filters container shows.

you need to know what IPSec policy is currently active, you can work through the algorithm and determine the resultant set of policy, or you can just open the IP Security Monitor console and look at the Active Policy section. The Active Policy section, shown in Figure C, contains all of the pertinent details regarding the policy that is presently in effect. As you can see in the figure, the Active Policy container lists the policy name and provides a description of what the policy is designed to do. You can also see the date of the most recent modification to the policy. Although they’re not applicable to my current configuration, you can also see in Figure C that when appropriate, the Active Policy container also displays information regarding the policy path, organizational unit, and Group Policy Object Name.

Main Mode
The next section is the Main Mode container. The Main Mode container’s job is to display various Internet Key Exchange (IKE) statistics. The Main Mode container is divided into five separate subcontainers: Generic Filters, Specific Filters, IKE Policies, Statistics, and Security Associations.

The Generic Filters container, shown in Figure D, contains a generic representation of the current IKE policy. For example, on my test machine, the generic filter is configured to use my computer as the source and any computer as the destination. The authentication method is Kerberos, and the filter applies to all connections. The policy that the filter links to is policy number 1, which is the machine’s default policy.

Figure F: Each IKE policy consists of one or more methods.

The next container in the Main Mode area is the Specific Filters container. This is really just an expansion of the information found in the Generic Filters container. As you can see in Figure E, the specific filters actually list the machine’s IP address rather than just saying Me as the source. Furthermore, the Specific Filters container also shows the direction of the traffic. As you can see in the figure, there are actually two filters, one to handle inbound traffic and one to handle outbound traffic.

Figure G: The Security Associations container shows which computers are using the IKE policy to secure communications.

Earlier, I mentioned that the generic filter (as well as the specific filter) was linked to the default policy, or policy number 1. That policy is contained within the IKE Policies container. The default view simply shows the policy’s number and the fact that it has four security methods associated with it. However, if you right-click on the policy and select the Properties command from the resulting shortcut menu, you can see exactly what the four methods consist of, as shown in Figure F.

I want to momentarily skip over the Statistics container and look at the Security Associations container. This container, shown in Figure G, shows the peer machines that the IKE policy is being used with. Basically, this screen means that communications between my machine (147.100.100.99) and the machines Relevant (147.100.100.58) and Homer (147.100.100.52) are encrypted by the current IKE policy.

Figure H: The IP Security Monitor collects a number of IKE statistics.

The last Main Mode feature that I want to talk about is the Statistics container, shown in Figure H. As you can see, there are quite a few different statistics. The statistics you’ll find include:

• Active Acquire: This reflects the number of queued requests to initiate IKE negotiation in an effort to establish a secure connection. Under heavy loads, it’s normal for this number to be one higher than the actual number of queued requests.
• Active Receive: This is the number of IKE messages that have been received and are queued for processing.
• Acquire Failures: This reflects the total number of outbound acquire requests that have failed since the last time the IPSec service was started.
• Receive Failures: This is the total number of errors occurring while receiving IKE messages since the last time the IPSec service was started.
• Send Failures: This is the total number of errors that have occurred while transmitting IKE messages since the last time the IPSec service was started. It is normal for this to

be a high number if a dial-up connection is in use.
• Acquire Heap Size: This is the number of successful acquires.
• Receive Heap Size: This is the number of currently buffered inbound IKE messages.
• Authentication Failures: This is the total number of times that authentication has failed since the IPSec service was last started.
• Negotiation Failures: This is the total number of negotiation failures that have occurred since the IPSec service was last started. This counter tracks negotiation failures in Main Mode and in Quick Mode.
• Invalid Cookies Received: This is the total number of cookies that couldn’t be matched to a Security Authority since the IPSec service was last started. In this case, cookies refer to an identifying value in an inbound IKE message.
• Total Acquire: This is the total number of requests issued to IKE since the last time the IPSec service was started.
• Total Get SPI: This is the total number of requests for a Security Parameter Index (SPI) made since the last time the IPSec Service was started.
• Key Additions: This is the total number of outbound Quick Mode security authorities that have been added to the IPSec driver by IKE since the last time the IPSec Service was started.
• Key Updates: This is the total number of inbound Quick Mode security authorities that have been added to the IPSec driver by IKE since the last time the IPSec Service was started.
• Get SPI Failures: This is the total number of failed requests that have been sent to the IPSec driver by IKE since the last time the IPSec Service was started.
• Key Addition Failures: This is the total number of failed outbound Quick Mode Security Authority addition requests sent to the IPSec driver by IKE since the last time the IPSec Service was started.
• Key Update Failures: This is the total number of failed inbound Quick Mode Security Authority addition requests sent to the IPSec driver by IKE since the last time the IPSec Service was started.
• ISADB List Size: This displays the total number of Main Mode negotiations (successful or not).
• Connection List Size: This is the current number of Quick Mode negotiations that are in progress.
• IKE Main Mode: This shows the total number of successful SAs that have been negotiated during Main Mode negotiations since the last time the IPSec Service was started.
• IKE Quick Mode: This is the total number of successful SAs that have been negotiated during Quick Mode negotiations since the last time the IPSec Service was started.
• Soft Associations: This is the total number of security associations formed with computers that failed to respond to Main Mode negotiation attempts.
• Invalid Packets Received: This shows the total number of invalid or corrupt IKE messages that have been received since the last time the IPSec Service was started.

Figure I: Quick Mode offers some statistics of its own.

Quick Mode
Quick Mode works just like Main Mode except that Quick Mode deals with IPSec instead of IKE. You might have noticed that Main Mode has a container named IKE Policies, while Quick Mode has a container named Negotiation Policies. Although the policy types are different, the actual method for viewing the policies remains the same whether you’re in Main Mode or in Quick Mode.

The only real difference between Main Mode and Quick Mode (aside from the obvious) is the statistics that are displayed. You can see the Quick Mode statistics in Figure I. The statistics you’ll find include:

• Active Security Associations: This is the number of currently active Quick Mode security associations.
• Offloaded Security Associations: This shows the current number of Quick Mode security associations that have been offloaded to an IPSec-compatible NIC.
• Pending Key Operations: This is the number of IPSec key exchange operations that are currently going on but that have not yet completed.
• Key Additions: This is the total number of successful key additions for Quick Mode security association negotiations that have been successfully added since the computer was last rebooted.
• Key Deletions: This is the total number of successful key deletions for Quick Mode security association negotiations that have been successfully deleted since the computer was last rebooted.
• Rekeys: This is the number of successful Quick Mode rekey operations since the last reboot.
• Active Tunnels: This shows the total number of currently active IPSec tunnels.
• Bad SPI Packets: This is the number of packets that have had an incorrect SPI since the last time the computer was rebooted.
• Packets Not Decrypted: This shows the number of packets that could not be decrypted since the last reboot.
• Packets Not Authenticated: This is the total number of packets that have failed integrity verification since the last reboot.
• Packets With Replay Detection: This is the total number of packets with invalid sequence numbers since the computer was last rebooted. If this number increases steadily, it could be an indication of an attempted replay hack.
• Confidential Bytes Sent: This shows the total number of sent packets encrypted by ESP since the last reboot.
• Confidential Bytes Received: This is the total number of received packets encrypted by ESP since the last reboot.
• Authenticated Bytes Sent: This is the total number of transmitted bytes encrypted by the AH or the ESP protocol.
• Authenticated Bytes Received: This is the total number of received bytes encrypted by the AH or the ESP protocol.
• Transport Bytes Sent: This shows the number of bytes sent using IPSec transport mode since the last reboot.
• Transport Bytes Received: This is the number of bytes received using IPSec transport mode since the last reboot.
• Bytes Sent in Tunnels: This shows the number of bytes sent in IPSec tunnels since the last reboot.
• Bytes Received in Tunnels: This is the number of bytes received in IPSec tunnels since the last reboot.
• Offloaded Bytes Sent: This is the total number of bytes transmitted using IPSec hardware offloading since the last reboot.
• Offloaded Bytes Received: This is the total number of bytes received using IPSec hardware offloading since the last reboot.

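The Main Mode and Quick Mode counters that matter for security (authentication failures, bad SPIs, packets that fail integrity checks, replay detection) are only meaningful against a baseline, and the console does not keep one for you. The PowerShell script below is an added example, not code from the article: it parses two statistics snapshots and reports which of those counters rose between them. The snapshots here are constructed; on a live Windows Server 2003 host you would capture the output of netsh ipsec dynamic show stats type=all, and the “Name : value” line format the parser expects is an assumption about that output.

```powershell
# Added example, not code from the article. Compares two IPSec statistics snapshots and
# flags the counters that should stay flat on a healthy host. The "Name : value" line
# format is an assumption about "netsh ipsec dynamic show stats type=all" output.

# Counters the article singles out as signs of tampering, replay attempts or misconfiguration
$WatchCounters = @(
    "Authentication Failures", "Negotiation Failures", "Invalid Cookies Received",
    "Invalid Packets Received", "Bad SPI Packets", "Packets Not Decrypted",
    "Packets Not Authenticated", "Packets With Replay Detection"
)

function ConvertFrom-IpsecStats {
    # Turns "Counter Name : 123" lines into a hashtable; headings and separators are skipped.
    param([string]$Text)
    $stats = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\d+)\s*$') {
            $stats[$matches[1]] = [int64]$matches[2]
        }
    }
    return $stats
}

function Compare-IpsecStats {
    # Returns one alert line per watched counter that increased between the two snapshots.
    # A counter missing from the baseline (service restarted, counters reset) is treated as 0.
    param([hashtable]$Before, [hashtable]$After)
    $alerts = @()
    foreach ($name in $WatchCounters) {
        if (-not $After.ContainsKey($name)) { continue }
        $old = if ($Before.ContainsKey($name)) { $Before[$name] } else { 0 }
        $delta = $After[$name] - $old
        if ($delta -gt 0) { $alerts += ("{0}: +{1} (now {2})" -f $name, $delta, $After[$name]) }
    }
    return ,$alerts
}

# Constructed sample snapshots; the names match the statistics listed in the article
$baseline = @"
IKE Main Mode Statistics
Active Acquire                  : 1
Authentication Failures         : 0
Negotiation Failures            : 2
IPSec Statistics
Active Security Associations    : 3
Packets With Replay Detection   : 0
Packets Not Authenticated       : 0
Confidential Bytes Sent         : 104857
"@

$current = @"
IKE Main Mode Statistics
Active Acquire                  : 1
Authentication Failures         : 4
Negotiation Failures            : 2
IPSec Statistics
Active Security Associations    : 3
Packets With Replay Detection   : 37
Packets Not Authenticated       : 0
Confidential Bytes Sent         : 209714
"@

$alerts = Compare-IpsecStats -Before (ConvertFrom-IpsecStats $baseline) -After (ConvertFrom-IpsecStats $current)
if ($alerts.Count -eq 0) { "No watched IPSec counters increased." } else { $alerts }

# On a live host, replace the constructed text with a real capture, for example:
#   $current = netsh ipsec dynamic show stats type=all | Out-String
```

Because the statistics reset whenever the IPSec service restarts, keep the baseline snapshot alongside the service start time so a drop to zero is not mistaken for a clean host.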

