List of Figures


Chapter 1: The Challenge of Trusted Security Infrastructures

Figure 1.1: The access or TSI layer.
Figure 1.2: Positioning trusted security infrastructures.
Figure 1.3: The fundamental role of trust.
Figure 1.4: Shift from authorization service decentralization to centralization.
Figure 1.5: TSI overview.
Figure 1.6: MIIS 3.0 architecture.
Figure 1.7: MOM architecture.
Figure 1.8: SMS architecture.
Figure 1.9: MPS architecture.

Chapter 2: Windows Security Authorities and Principals

Figure 2.1: Security authority.
Figure 2.2: LSA process and subprocesses available on Windows domain controllers.
Figure 2.3: Windows Server 2003 AD domains, trees, and an AD forest.
Figure 2.4: Security authority and security principals.
Figure 2.5: Defining UPN suffixes.
Figure 2.6: Using setspn to display the SPNs linked to a machine.
Figure 2.7: Configuring a service to use the local service account.
Figure 2.8: Using net user with the /random switch.
Figure 2.9: Using the MBSA tool to audit password quality.
Figure 2.10: L0phtcrack GUI.
Figure 2.11: Configuring Syskey.
Figure 2.12: Pwdump3 output.
Figure 2.13: Running John the Ripper.
Figure 2.14: Account lockout process.
Figure 2.15: Suggested account lockout policy settings.
Figure 2.16: Additional account info tab.
Figure 2.17: LockoutStatus.exe tool.

Chapter 3: Windows Trust Relationships

Figure 3.1: Security authorities and trust relationships.
Figure 3.2: Trust relationships: trusting versus trusted domain.
Figure 3.3: Windows trust types.
Figure 3.4: Trusts tab.
Figure 3.5: Trust properties.
Figure 3.6: Number of trust relationships required in Windows Server 2003 and NT4.
Figure 3.7: Trust relationships: behind the scenes.
Figure 3.8: Checking out TDO objects using ADSI Edit.
Figure 3.9: Cross-forest trust transitivity between two forests.
Figure 3.10: Cross-forest trust between multiple forests.
Figure 3.11: The new Windows Server 2003 Trust Wizard.
Figure 3.12: Windows Server 2003 forest trust attributes (as viewed from AdsiEdit).
Figure 3.13: Display of other forest “hptest.net” in Object Picker.
Figure 3.14: TLN restrictions example: disabling DNS namespaces.
Figure 3.15: TLN restrictions example: enabling DNS namespaces when running the Trust Wizard.
Figure 3.16: TLN restrictions example: disabling DNS namespaces from the Trust Properties.
Figure 3.17: TLN restrictions example.
Figure 3.18: TLN restriction for *.hr.hewlettpackardtest.net: main view.
Figure 3.19: TLN restriction for *.hr.hewlettpackardtest.net: edit view.
Figure 3.20: Enabling the selective authentication feature of a forest trust relationship.
Figure 3.21: Setting the “Allowed to Authenticate” permission for a foreign security principal.
Figure 3.22: SID filtering between two forests.
Figure 3.23: Validating a secure channel from the GUI.
Figure 3.24: RPC operation.

Chapter 4: Introducing Windows Authentication

Figure 4.1: Authentication Infrastructure terminology.
Figure 4.2: Interactive authentication architecture.
Figure 4.3: Noninteractive authentication architecture.
Figure 4.4: Role of the Negotiate SSPI.
Figure 4.5: Using SSPI Workbench.
Figure 4.6: Machine startup.
Figure 4.7: User logon process.
Figure 4.8: Finding out the authenticating DC using “set l.”
Figure 4.9: Basic NTLM authentication flow.
Figure 4.10: Running runas.exe from the command line.
Figure 4.11: Running runas.exe from the command line with smart card credentials.
Figure 4.12: Secondary logon process from Windows Explorer.
Figure 4.13: Successful logon event.
Figure 4.14: Failed logon event.
Figure 4.15: Using the nlparse.exe tool.

Chapter 5: Kerberos

Figure 5.1: Session keys and encrypted session keys.
Figure 5.2: Kerberos authentication is based on symmetric key cryptography.
Figure 5.3: A KDC provides scalability.
Figure 5.4: Kerberos entities and master key concept.
Figure 5.5: Windows Server 2003 key hierarchy.
Figure 5.6: Kerberos ticket distribution Method 1.
Figure 5.7: Kerberos ticket distribution Method 2.
Figure 5.8: The use of the master key.
Figure 5.9: The role of the Kerberos TGT.
Figure 5.10: The complete Kerberos protocol.
Figure 5.11: Local logon process in a single domain environment.
Figure 5.12: Network logon process in a single domain environment.
Figure 5.13: Local logon in a multiple domain environment.
Figure 5.14: Network logon in a multiple domain environment.
Figure 5.15: Effect of a shortcut trust on multiple domain logon traffic.
Figure 5.16: Transitive trusts in mixed-mode domains.
Figure 5.17: Multiple domain logon process revisited.
Figure 5.18: Multiple domain logon process: under the hood.
Figure 5.19: Forest trust authentication flow.
Figure 5.20: Basic S4U2Proxy operation.
Figure 5.21: Configuring delegation in Windows Server 2003.
Figure 5.22: The new “msDS-AllowedToDelegateTo” AD account attribute enabling constrained delegation.
Figure 5.23: Basic S4U2Self operation.
Figure 5.24: Combined S4U2Self operation and S4U2Proxy operation.
Figure 5.25: Sample scenario.
Figure 5.26: From Windows Server 2003 authentication to authorization.
Figure 5.27
Figure 5.28: Kerberos and disabled accounts: example.
Figure 5.29: Relationship between Kerberos ticket and authenticator.
Figure 5.30: Looking at the Kerberos ticket cache using the Klist utility.
Figure 5.31: Looking at the Kerberos ticket cache using the Kerbtray utility.
Figure 5.32: Smart card logon trust model.
Figure 5.33: Smart card logon process.
Figure 5.34: Kerberos-related GPO settings.
Figure 5.35: Sample SNTP hierarchy.
Figure 5.36: Defining Kerberos account mappings.
Figure 5.37: UNIX-Windows Server 2003 Kerberos interoperability using a cross-realm trust.

Chapter 6: IIS Authentication

Figure 6.1: IIS 6.0 architecture.
Figure 6.2: Configuring IIS authentication options.
Figure 6.3: SecurID-based IIS authentication.
Figure 6.4: Typical HTTP authentication exchange.
Figure 6.5: Anonymous access exchange.
Figure 6.6: Using the IIS Resource Kit WebFetch (WFetch) tool.
Figure 6.7: Basic authentication exchange.
Figure 6.8: Basic authentication credential prompt.
Figure 6.9: Basic authentication warning.
Figure 6.10: Basic authentication credential prompt with custom realm.
Figure 6.11: Digest authentication warning.
Figure 6.12: Digest authentication exchange.
Figure 6.13: Digest authentication dialog box.
Figure 6.14: WFetch advanced digest authentication exchange.
Figure 6.15: Integrated Windows authentication dialog box.
Figure 6.16: Internet Explorer SSL/TLS lock symbol.
Figure 6.17: SSL Web server certificate wizard.
Figure 6.18: Starting the Web server certificate wizard.
Figure 6.19: Configuring SSL/TLS.
Figure 6.20: Setting up a many-to-one certificate mapping rule in the ISM.
Figure 6.21: Enabling the Windows directory service mapper.
Figure 6.22: Certificate validation process.
Figure 6.23: (a) Browser-side certificate trust error, and (b) browser-side certificate time and name error.
Figure 6.24: Browser-side SSL/TLS revocation check error.
Figure 6.25: Browser-side SSL/TLS certificate revocation checking option.
Figure 6.26: SSL and HTTP proxy approaches: SSL tunneling.
Figure 6.27: SSL and HTTP proxy approaches: SSL bridging (single tunnel terminated on proxy).
Figure 6.28: SSL and HTTP proxy approaches: SSL bridging (single tunnel terminated on Web server).
Figure 6.29: SSL and HTTP proxy approaches: SSL bridging (two tunnels).
Figure 6.30: Setting up SSL bridging using the OWA Publishing Wizard.

Chapter 7: Microsoft Passport

Figure 7.1: Passport infrastructure.
Figure 7.2: Passport authentication sequence.
Figure 7.3: Windows XP and Windows Server 2003 built-in MS Passport login dialog box: (a) MoneyCentral login and (b) bCentral login.
Figure 7.4: .NET Passport Wizard.
Figure 7.5: Disabling automatic cookie handling in Internet Explorer 6.0.
Figure 7.6: Internet Explorer cookie “privacy alert.”
Figure 7.7: Passport authentication sequence including cookies: initial login (Windows XP and Windows Server 2003).
Figure 7.8: Passport authentication sequence including cookies: log in to second site (Windows XP and Windows Server 2003).
Figure 7.9: The “Edit your .NET Passport profile” dialog box.
Figure 7.10: Checking out a site’s P3P privacy report in Internet Explorer 6.0.
Figure 7.11: WFetch HTTP Passport authentication trace.

Chapter 8: UNIX and Windows Authentication Interoperability

Figure 8.1: The PAM architecture.
Figure 8.2: The NIS Architecture.
Figure 8.3: The NIS+ architecture.
Figure 8.4: The NSS architecture.
Figure 8.5: AD4Unix AD schema style configuration.
Figure 8.6: AD user and group object properties with a UNIX-specific property tab.
Figure 8.7: SFU Server for NIS architecture.
Figure 8.8: Samba architecture.
Figure 8.9: SFU Name User Mapping Service architecture.
Figure 8.10: SFU password synchronization architecture: Windows to UNIX.
Figure 8.11: SFU password synchronization architecture: UNIX to Windows.
Figure 8.12: NIS/LDAP gateway architecture.
Figure 8.13: The pam_unix-centric architecture.
Figure 8.14: pam_ldap-centric architecture.
Figure 8.15: Kerberos-centric architecture: Windows KDCs.
Figure 8.16: Kerberos-centric architecture: UNIX and Windows KDCs.
Figure 8.17: Vintela Authentication Services (VAS).
Figure 8.18: Samba Winbind architecture.

Chapter 9: Single Sign-On

Figure 9.1: SSO with a single authentication authority and a single authentication server.
Figure 9.2: SSO in an environment with a single authentication authority and multiple authentication servers.
Figure 9.3: Authentication in an environment with multiple authentication authorities.
Figure 9.4: Authentication in a token-based SSO environment.
Figure 9.5: Authentication in a PKI-based SSO environment.
Figure 9.6: Password synchronization-based SSO.
Figure 9.7: Authentication in an SSO environment using a client-side secure cache.
Figure 9.8: Authentication in a secure server-side credential caching SSO environment.
Figure 9.9: Credential Manager key ring UI.
Figure 9.10: Credential Manager operation.
Figure 9.11: Dialog boxes after disabling Credential Manager.
Figure 9.12: Cmdkey operation.
Figure 9.13: IAS scenarios.

Chapter 10: Windows Server 2003 Authorization

Figure 10.1: Generic authorization model.
Figure 10.2: Windows authorization model.
Figure 10.3: Using whoami /all to look at the access token content.
Figure 10.4: Access control list (ACL) content.
Figure 10.5: Windows 2000 ACL editor GUI.
Figure 10.6: Inheritance in the ACL editor’s advanced view (Windows 2000).
Figure 10.7: Inheritance in the ACL editor’s advanced view (Windows Server 2003).
Figure 10.8: Controlling inheritance using blocking.
Figure 10.9: Setting inheritance in the ACL editor (file system).
Figure 10.10: ACL editor warning message.
Figure 10.11: ACL editor warning message (AD only).
Figure 10.12: Setting inheritance in the ACL editor (file system).
Figure 10.13: Object type-based ACEs.
Figure 10.14: Object type-based ACEs in the ACL editor—advanced view.
Figure 10.15: Object type-based ACEs in the ACL editor—advanced view, permission entry details.
Figure 10.16: Dssec.dat content.
Figure 10.17: Property-based ACEs.
Figure 10.18: Property-based ACEs in the ACL editor.
Figure 10.19: Property-based ACEs in the ACL editor.
Figure 10.20: Changing the attributeSecurityGUID property for the Telephone-Number attribute.
Figure 10.21: Extended rights types.
Figure 10.22: Canonical evaluation order.
Figure 10.23: ACL evaluation example 1.
Figure 10.24: ACL evaluation example 2.
Figure 10.25: Effective permissions tab.
Figure 10.26: Modifying the default AD Security descriptor.
Figure 10.27: Using ldp.exe.
Figure 10.28: AD object quota error.
Figure 10.29: Security to distribution group conversion warning.
Figure 10.30: Windows administrator pyramid.
Figure 10.31: Group usage guidelines.
Figure 10.32: Organizational unit hierarchy example.
Figure 10.33: Delegation wizard.
Figure 10.34: Delegation tab in GPMC.
Figure 10.35: Delegwiz.inf configuration file.
Figure 10.36: Setting permissions for the pwdLastSet user account attribute.
Figure 10.37: Default permissions for the Self security principal.

Chapter 11: Malicious Mobile Code Protection

Figure 11.1: Malicious mobile code protection architecture.
Figure 11.2: Setting the default security level.
Figure 11.3: Creating a hash rule for the Solitaire executable.
Figure 11.4: Setting SRP-designated file-type properties.
Figure 11.5: Sample SRP rule scenario.
Figure 11.6: .NET Framework Configuration tool and Security Policy containers.
Figure 11.7: Code group properties.
Figure 11.8: CAS policy evaluation order.
Figure 11.9: Default CAS policy evaluation process.
Figure 11.10: Effect of the “Exclusive” code group attribute on CAS security policy evaluation.
Figure 11.11: Effect of the “LevelFinal” code group attribute on CAS security policy evaluation.
Figure 11.12: Normal CAS stack walk behavior.
Figure 11.13: Normal CAS stack walk behavior: protection against luring attack.
Figure 11.14: CAS stack walk behavior with the “Assert” stack walk modifier.
Figure 11.15: CAS stack walk behavior with the “Deny” stack walk modifier.

Chapter 12: New Authorization Tracks: Role-Based Access Control and Digital Rights Management

Figure 12.1: Comparing the DAC and the RBAC models.
Figure 12.2: Authorization Manager architecture overview.
Figure 12.3: Authorization Manager MMC snap-in (azman.msc).
Figure 12.4: Authorization Manager concepts.
Figure 12.5: Impersonation/delegation versus trusted application model.
Figure 12.6: XrML license example.
Figure 12.7: Setting RM on PowerPoint 2003 presentation.
Figure 12.8: IE with RM add-on.
Figure 12.9: WRM information flow.

Chapter 13: Introducing Windows Server 2003 Public Key Infrastructure

Figure 13.1: Microsoft Windows NT and PKI timeline.
Figure 13.2: Certificate Server architecture.
Figure 13.3: Querying AD for PKI-related information using the Sites and Services MMC snap-in.
Figure 13.4: PKIView tool.
Figure 13.5: CryptoAPI architecture.
Figure 13.6: The Windows certificate viewer.
Figure 13.7: The Windows Server 2003 Certificate Templates MMC snap-in.
Figure 13.8: General tab in the cross-certification authority certificate template’s properties.
Figure 13.9: Windows Server 2003 and XP physical and logical certificate stores.
Figure 13.10: Classifying certificates in a certificate store based on certificate purpose.
Figure 13.11: Viewing logical certificate stores from the Certificates MMC snap-in.
Figure 13.12: Viewing physical certificate stores from the Certificates MMC snap-in.
Figure 13.13: nShield device with internal SCSI connector.
Figure 13.14: An nShield security world and its different components.
Figure 13.15: The Luna CA HSM.
Figure 13.16: DPAPI key protection architecture.
Figure 13.17: Setting strong private key protection.

Chapter 14: Trust in Windows Server 2003 PKI

Figure 14.1: A trust taxonomy: direct trust relationships.
Figure 14.2: A trust taxonomy: indirect trust relationships.
Figure 14.3: A trust taxonomy: indirect trust relationships.
Figure 14.4: Hierarchical trust model.
Figure 14.5: Networked trust model.
Figure 14.6: Cross-certification CA trust relationship.
Figure 14.7: Meshed trust model.
Figure 14.8: Bridge CA trust model.
Figure 14.9: Hybrid trust model.
Figure 14.10: The new constraint extensions in the certificate viewer.
Figure 14.11: Basic constraints—Path Length Constraint example.
Figure 14.12: Name Constraints example.
Figure 14.13: Issuance policy example.
Figure 14.14: Application policy example.
Figure 14.15: Issuance policy mapping for cross-certified CAs example.
Figure 14.16: Issuance policy mapping PKI user example.
Figure 14.17: Require explicit policy Policy Constraint example.
Figure 14.18: Inhibit policy mapping Policy Constraint example.
Figure 14.19: Pop-up dialog box when adding a certificate to the root certificate store.
Figure 14.20: GPO trusted root certification authorities settings.
Figure 14.21: Configuring trust settings on individual certificates.
Figure 14.22: Specifying CTL time and application trust limits.
Figure 14.23: CA type dialog box.
Figure 14.24: Hierarchical trust example.
Figure 14.25: Cross-certified trust example.
Figure 14.26: Cross-certification scenarios.
Figure 14.27: Issuance requirements for cross-certification authority certificate.
Figure 14.28: crossCertificatePair attribute for an AD CA object (viewed using AdsiEdit).
Figure 14.29: crossCertificatePair attribute for an AD CA object (viewed using AdsiEdit).
Figure 14.30: Setting application policies on a version 2 certificate template.
Figure 14.31: Setting application policies on a version 2 certificate template.
Figure 14.32: Setting application policies on a version 2 certificate template.

Chapter 15: The Certificate Life Cycle

Figure 15.1: The certificate life cycle.
Figure 15.2: Automatic Certificate Request Wizard.
Figure 15.3: Setting autoenrollment permissions on the certificate template level.
Figure 15.4: Setting autoenrollment properties at the GPO level.
Figure 15.5: Autoenrollment text balloon.
Figure 15.6: Forcing user certificate autoenrollment.
Figure 15.7: User autoenrollment confirmation dialog box.
Figure 15.8: Forcing user certificate autoenrollment.
Figure 15.9: Issuance requirements in certificate template properties.
Figure 15.10: Setting up superseding certificate templates.
Figure 15.11: Certificate Request Wizard.
Figure 15.12: Certificate Request Wizard error message.
Figure 15.13: Web enrollment interface.
Figure 15.14: Web enrollment warning message (following the IE enhanced security configuration).
Figure 15.15: Content of a certificate request.
Figure 15.16: Changing a stand-alone CA’s policy properties.
Figure 15.17: Certificate template property for certificate AD publication.
Figure 15.18: Backing up the private key using the Certificate Export Wizard.
Figure 15.19: Windows Server 2003 key archival process.
Figure 15.20: Archived key column in CA interface.
Figure 15.21: CA key recovery settings.
Figure 15.22: Key archival settings in certificate template properties.
Figure 15.23: Key recovery tool.
Figure 15.24: The Exchange 2003 KMS Key Export Wizard.
Figure 15.25: Manual CA archival database import.
Figure 15.26: Certificate validation steps.
Figure 15.27: Bringing up an X.509 certificate’s critical extensions.
Figure 15.28: Certificate chain processing.
Figure 15.29: Certificate chain processing examples 1 and 2.
Figure 15.30: Certificate chain processing example 3.
Figure 15.31: Certificate chain viewed from the certificate properties: (a) trusted CA certificate and (b) untrusted CA certificate.
Figure 15.32: Certificate that is part of a certificate chain starting from (a) a valid CTL and (b) an invalid CTL.
Figure 15.33: Cross-certification example.
Figure 15.34: Additional cross-certificate download locations.
Figure 15.35: Certificate revocation reason codes.
Figure 15.36: Certificate revocation list distribution points (CDPs) operation.
Figure 15.37: Configuring CDPs.
Figure 15.38: The URL retrieval tool.
Figure 15.39: Configuring (a) CRL publication intervals and (b) viewing CRLs.
Figure 15.40: CRL (a) layout and (b) content.
Figure 15.41: Delta CRL operation.
Figure 15.42: Delta CRL layout.

Chapter 16: Building and Maintaining a Windows PKI

Figure 16.1: The four major phases of a PKI project.
Figure 16.2: Insourcing and outsourcing models.
Figure 16.3: CA key and certificate options during CA installation.
Figure 16.4: Certificate lifetime and key length in a typical PKI hierarchy.
Figure 16.5: CA naming and certificate lifetime options.
Figure 16.6: Using certutil to check the CA’s sanitized names.
Figure 16.7: An installation warning.
Figure 16.8: CA database installation options.
Figure 16.9: Defining CDPs using the replaceable parameter syntax.
Figure 16.10: Configuring AIAs from the CA properties.
Figure 16.11: Setting CA object permissions.
Figure 16.12: Assigning certificate managers restrictions.
Figure 16.13: Exporting a CA’s private key and certificate.
Figure 16.14: Backing up the system state and CA configuration data using the backup wizard.
Figure 16.15: Renew CA certificate wizard.
Figure 16.16: CA properties: CA certificates.
Figure 16.17: CA auditing settings.

Chapter 17: Windows Server 2003 PKI-enabled Applications

Figure 17.1: How EFS encryption works.
Figure 17.2: How EFS decryption works.
Figure 17.3: Using efsinfo.
Figure 17.4: Setting up an EFS recovery agent using GPOs.
Figure 17.5: Setting up EFS file sharing.
Figure 17.6: Setting up a Web folder.
Figure 17.7: Enabling EFS encryption for offline files and folders.
Figure 17.8: Viewing the encryption details on the offline files and folders CSC database.
Figure 17.9: Define an EFS data recovery policy.
Figure 17.10: Starting up the Forgotten Password wizard.
Figure 17.11: Basic S/MIME operation.
Figure 17.12: S/MIME configuration in Exchange 2003.
Figure 17.13: Setting up OWA S/MIME support.
Figure 17.14: Clear versus opaque S/MIME signing.
Figure 17.15: Setting opaque and clear signing message properties in Outlook 2003.
Figure 17.16: Setting opaque and clear signing message properties in Outlook Express 6.0.
Figure 17.17: S/MIME signed receipt tracking information.
Figure 17.18: Aladdin eToken Format utility.
Figure 17.19: Smart card certificate enrollment station interface.
Figure 17.20: Smart card logon interface.

Chapter 18: Windows Server 2003 Security Management

Figure 18.1: Coverage of security-related configuration settings by Windows security policy management tools.
Figure 18.2: GPE and different containers and settings.
Figure 18.3: GPMC interface.
Figure 18.4: Administrative template changes.
Figure 18.5: Local security policy configuration tool.
Figure 18.6: Security Templates MMC snap-in.
Figure 18.7: Importing security templates for a GPO’s security settings.
Figure 18.8: Security Configuration Wizard.
Figure 18.9: Microsoft Baseline Security Analyzer (MBSA).
Figure 18.10: Checking for security updates from the MBSA.
Figure 18.11: Windows Update.
Figure 18.12: Configuring automatic patch updates using GPO.
Figure 18.13: Automatic updates dialog box.
Figure 18.14: SUS administration interface.
Figure 18.15: Security event log properties.
Figure 18.16: The eventcombmt tool.
Figure 18.17: Setting up auditing.
Windows Server 2003 Security Infrastructures
Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
Year: 2003
Pages: 137
Authors: Jan De Clercq
