List of Figures

Chapter 1: Basic Windows 2000 Security: Using Security Templates

Figure 1.1: A Basic Windows NT Domain
Figure 1.2: A Multimaster Windows NT Domain
Figure 1.3: The Windows 2000 Active Directory Domain Model with Forests, Trees, and Organizational Units
Figure 1.4: Using Organizational Units to Simplify Management
Figure 1.5: Using Groups to Assign Specific Permissions
Figure 1.6: Using the Local Security Settings Console
Figure 1.7: Accessing Security Configuration Settings at the Site Level
Figure 1.8: Configuring the Domain-Level Security Policy
Figure 1.9: Using the Active Directory Users and Computers Console to Configure Security Settings
Figure 1.10: Managing Domain Security from Active Directory Users and Computers
Figure 1.11: The Results of a Security Analysis in the Security Configuration and Analysis Snap-In
Figure 1.12: Account Policies
Figure 1.13: Local Policies
Figure 1.14: Event Log Policies
Figure 1.15: The Restricted Groups Node
Figure 1.16: The Add Groups Window
Figure 1.17: The Select Groups Window
Figure 1.18: The Configure Membership for Administrators Window
Figure 1.19: Content of the Services Node
Figure 1.20: The Security Policy Setting Window
Figure 1.21: Configuring Security for a Service
Figure 1.22: The Registry Security Node
Figure 1.23: The Select Registry Key Window
Figure 1.24: The Database Security Window
Figure 1.25: The Template Security Policy Setting Window
Figure 1.26: The File System Security Node
Figure 1.27: Adding a File or Folder
Figure 1.28: The Database Security Window
Figure 1.29: The Template Security Policy Window
Figure 1.30: Configuring the Password History Setting
Figure 1.31: Configuring Account Lockout Settings
Figure 1.32: Saving Template Changes
Figure 1.33: Exporting a Security Template
Figure 1.34: Defining a New Template Search Path
Figure 1.35: Importing Security Templates from Security Configuration and Analysis
Figure 1.36: Group Policy Application Order
Figure 1.37: The Group Policy Tab of the Organizational Unit Properties Page
Figure 1.38: Group Policy Security Settings
Figure 1.39: Selecting a Domain for Group Policy Editing
Figure 1.40: Performing a Deployment Using secedit
Figure 1.41: Verifying the Template Deployment was Successful
Figure 1.42: The Open Database Dialog Box
Figure 1.43: The Import Template Dialog Box
Figure 1.44: Running the Analysis
Figure 1.45: Changing Settings from within the Database
Figure 1.46: Finding Differences in the Password Policies
Figure 1.47: Performing an Analysis Using secedit
Figure 1.48: Identifying Mismatches in the Text Log Output of secedit
Figure 1.49: Using Windows Grep to Search the Log File

Chapter 2: Advanced Security Template and Group Policy Issues

Figure 2.1: Configuring Security for the Enterprise
Figure 2.2: The Domain Controllers OU
Figure 2.3: Inspecting the Changes Before They Are Made
Figure 2.4: Importing the Template
Figure 2.5: Selecting the Type of Server to Lock Down
Figure 2.6: The IIS Lockdown Tool Making Configuration Changes
Figure 2.7: Configuring the Scan Parameters
Figure 2.8: Installing Required Updates
Figure 2.9: Getting the MBSA Scan Results
Figure 2.10: Getting the HFNetChk Results
Figure 2.11: Selecting the Type of Server to Lock Down
Figure 2.12: Selecting the Services
Figure 2.13: Selecting the Location for the Extracted IIS Lockdown Files
Figure 2.14: URLScan Is Active and Protecting the IIS Server
Figure 2.15: Selecting the Type of Server to Lock Down
Figure 2.16: Selecting Services to Remain Enabled
Figure 2.17: Configuring Script Mapping
Figure 2.18: Configuring Additional Security Options for the IIS Server
Figure 2.19: Ready to Apply Settings
Figure 2.20: Finding the Data Recovery Agent
Figure 2.21: Exporting the Administrator File Recovery Certificate and Keys
Figure 2.22: Deleting the Private Key
Figure 2.23: Completing the Certificate Export Wizard Summarizes Your Actions
Figure 2.24: Event ID 1704: All Is Well
Figure 2.25: Editing the Registry to Increase Logging
Figure 2.26: Configuring SMB Signing

Chapter 3: Identifying, Installing, and Troubleshooting Required Updates

Figure 3.1: The Windows Update Web Site
Figure 3.2: Selecting Required Updates
Figure 3.3: Checking Previously Installed Updates
Figure 3.4: Selecting the Extraction Location for the HFNetChk Files
Figure 3.5: Starting the Analysis Process with HFNetChk
Figure 3.6: Getting the XML File
Figure 3.7: The Scan Is Complete
Figure 3.8: The Results of the HFNetChk Analysis
Figure 3.9: Configuring the Installation of MBSA
Figure 3.10: Configuring the Local Computer Scan Options
Figure 3.11: The MBSA Results
Figure 3.12: Examining Specific Items
Figure 3.13: Starting an MBSA Scan from the Command Line
Figure 3.14: MBSA Command-Line Scan Is Complete
Figure 3.15: Viewing the MBSA Scan Results in the GUI
Figure 3.16: Extracting the Service Pack Files
Figure 3.17: Entering the Extraction Location
Figure 3.18: The Integration Process
Figure 3.19: RIS Awaits Its Configuration…
Figure 3.20: Selecting the Location for the RIS Root
Figure 3.21: Entering a User-Friendly Name and Description for the RIS Image
Figure 3.22: Completing the RIS Setup Wizard
Figure 3.23: Managing Authorized Servers—Not Just for DHCP Anymore!
Figure 3.24: Placing the Qchain.exe Batch File in the Startup Scripts Folder of the Group Policy Object
Figure 3.25: Locating the Startup Script Folder
Figure 3.26: Examining the Critical Updates and Service Packs List
Figure 3.27: Reviewing Selected Updates
Figure 3.28: Accepting the Licensing Agreement
Figure 3.29: Windows Update Downloads and Installs the Updates
Figure 3.30: The Windows Update Catalog
Figure 3.31: Selecting the Search Criteria
Figure 3.32: Listing the Updates
Figure 3.33: Preparing to Download the Selected Update Items
Figure 3.34: Keeping Track of Downloaded Updates
Figure 3.35: Selecting File Location Options
Figure 3.36: Selecting the Installation Method; Be Wary of Allowing Automatic Approvals
Figure 3.37: Administering the SUS Server
Figure 3.38: Configuring the Synchronization Schedule
Figure 3.39: Downloading Required Updates
Figure 3.40: Selecting the Approved Updates
Figure 3.41: A New Applet Appears
Figure 3.42: Adding a New Template
Figure 3.43: Selecting the New Template
Figure 3.44: Configuring the Configure Automatic Updates Object
Figure 3.45: Configuring the Specify Intranet Microsoft Update Server Location Object
Figure 3.46: Inspecting the Work of the Automatic Updates Service

Chapter 4: Installing, Configuring, & Managing Windows 2000 Certificate Authorities

Figure 4.1: Encrypting Data
Figure 4.2: Generating a Digital Signature
Figure 4.3: Plaintext Authentication Challenge
Figure 4.4: Examining the Trusted Root CAs
Figure 4.5: Adding Windows Components
Figure 4.6: Installation Warning Window
Figure 4.7: Choosing a Certification Authority Type
Figure 4.8: The Public and Private Key Pair
Figure 4.9: Certification Authority Identifying Information
Figure 4.10: Selecting Database Storage
Figure 4.11: Stopping IIS
Figure 4.12: Selecting the Certificates Snap-in
Figure 4.13: Requesting a Certificate with the Wizard
Figure 4.14: Selecting the Certificate Type
Figure 4.15: Entering Details for the Certificate
Figure 4.16: Installing the New Certificate
Figure 4.17: Requesting a Certificate via Web Enrollment
Figure 4.18: Advanced Request Options
Figure 4.19: Selecting the Template
Figure 4.20: Exporting the Certificate
Figure 4.21: To Export the Private Key or Not to Export the Private Key
Figure 4.22: Selecting Certificate Export Options
Figure 4.23: The Certificate Export was Successfully Completed
Figure 4.24: The Exported Certificate File
Figure 4.25: Selecting the Certificate to Import
Figure 4.26: Configuring Advanced Import Options
Figure 4.27: Adding the Certificate to the Root Store
Figure 4.28: Listing the Issued Certificates
Figure 4.29: Selecting the Revocation Reason
Figure 4.30: Manually Publishing a New CRL
Figure 4.31: Configuring the CRL Publication Schedule
Figure 4.32: Viewing the Current CRL
Figure 4.33: Configuring the CRL Distribution Points
Figure 4.34: Selecting the Certificates to Issue
Figure 4.35: Adding New Templates
Figure 4.36: The Group Policy Editor
Figure 4.37: Configuring Automatic Certificate Enrollments
Figure 4.38: Selecting a Template for Use
Figure 4.39: Configuring Trusted Root CAs
Figure 4.40: Selecting Items to be Backed Up
Figure 4.41: Stopping Certificate Services
Figure 4.42: Selecting What to Restore
Figure 4.43: Restarting Certificate Services
Figure 4.44: Selecting the Publication Location for New Certificates
Figure 4.45: The Exchange System Manager
Figure 4.46: Entering the KMS Administrative Password
Figure 4.47: Selecting the User Selection Method
Figure 4.48: Selecting Users for Recovery
Figure 4.49: Configuring for E-mail Security
Figure 4.50: Locating the Auto-enrollment Setting
Figure 4.51: Configuring the Auto-enrollment Settings Object
Figure 4.52: Configuring Computer Auto-enrollment

Chapter 5: Managing and Troubleshooting the Encrypting File System

Figure 5.1: Public Key Encryption and Decryption
Figure 5.2: Secret Key Algorithm
Figure 5.3: The EFS Encryption Process
Figure 5.4: Enabling Encryption
Figure 5.5: Confirming Attribute Changes
Figure 5.6: Applying Attributes
Figure 5.7: The Confirm Attribute Changes Dialog Box
Figure 5.8: Executing the Cipher Command with No Switches
Figure 5.9: Executing the Cipher Command at the Directory Level
Figure 5.10: Active Directory Users and Computers
Figure 5.11: The Group Policy Tab of a Domain's Properties
Figure 5.12: Editing the Group Policy Object
Figure 5.13: Welcome to the Certificate Request Wizard
Figure 5.14: The Certificate Template Window
Figure 5.15: The Description Window
Figure 5.16: Completing the Certificate Request Wizard
Figure 5.17: Viewing or Installing a Certificate
Figure 5.18: Viewing an EFS Recovery Certificate
Figure 5.19: The Certificate Request Successful Message Box
Figure 5.20: Welcome to the Add Recovery Agent Wizard
Figure 5.21: The Select Recovery Agents Window
Figure 5.22: Finding Users to Be Recovery Agents
Figure 5.23: Completing the Add Recovery Agent Wizard
Figure 5.24: EFS Components
Figure 5.25: EFS File Information

Chapter 6: Configuring and Troubleshooting Windows IP Security

Figure 6.1: The Datagram after Applying the Authentication Header in Transport Mode
Figure 6.2: The Datagram after Applying the Encapsulating Security Payload Header in Transport Mode
Figure 6.3: A Datagram with ESP Header in Tunnel Mode
Figure 6.4: IPSec Policies Snap-in and Tasks
Figure 6.5: The IPSec Monitor
Figure 6.6: The Windows XP IPSec Monitor Console
Figure 6.7: Changing IP Security Policies through TCP/IP Properties
Figure 6.8: Adding the Certificate Management Snap-in for the Local Computer
Figure 6.9: The Custom IPSec Security Management Console
Figure 6.10: The Three Built-in IPSec Policies
Figure 6.11: The Server (Request Security) Properties Dialog Box
Figure 6.12: The All IP Traffic Edit Rule Properties Dialog Box
Figure 6.13: The IP Filter List Dialog Box
Figure 6.14: The Request Security (Optional) Properties Dialog Box
Figure 6.15: The Authentication Methods Configuration Tab
Figure 6.16: The Connection Type Tab
Figure 6.17: The New Security Method Dialog Box
Figure 6.18: The Custom Security Method Settings Dialog Box
Figure 6.19: Specifying a Source IP Address for a New Filter
Figure 6.20: Selecting a Protocol Included in the New Filter
Figure 6.21: Entering an IP Security Policy Name
Figure 6.22: Handling Requests for Secure Communication
Figure 6.23: Completing the IP Security Policy Wizard
Figure 6.24: The MedRecToFloor IPSec Policy Properties
Figure 6.25: Selecting a Tunnel Endpoint
Figure 6.26: Choosing the Network Type
Figure 6.27: Select an Authentication Protocol
Figure 6.28: Adding a New Filter List
Figure 6.29: The IP Filter List
Figure 6.30: Choosing the IP Traffic Source
Figure 6.31: Choosing the IP Traffic Destination
Figure 6.32: Choosing the IP Protocol Type
Figure 6.33: The Filter Properties Dialog Box
Figure 6.34: Selecting the MedRec to Floor Filter List
Figure 6.35: The Filter Action Dialog Box of the Security Rule Wizard
Figure 6.36: Naming the Filter Action
Figure 6.37: Setting the Filter Action Behavior
Figure 6.38: Preventing Communication with Non-IPSec Computers
Figure 6.39: Setting IP Traffic Security
Figure 6.40: The Custom Security Method Settings
Figure 6.41: Enabling Perfect Forward Secrecy
Figure 6.42: The General Tab for the IPSec Policy Properties
Figure 6.43: The Key Exchange Setting
Figure 6.44: The Key Exchange Methods

Chapter 7: Implementing Secure Wireless Networks

Figure 7.1: An Ad Hoc Network Configuration
Figure 7.2: Infrastructure Network Configuration
Figure 7.3: Shared-Key Authentication
Figure 7.4: EAPOL Traffic Flow
Figure 7.5: Discovering Wireless LANs Using NetStumbler
Figure 7.6: The Wireless Tab
Figure 7.7: Configuring a New Connection
Figure 7.8: Configuring 802.1x Security
Figure 7.9: Configuring the Certificate Properties
Figure 7.10: Windows 2000 Network Adapter Properties
Figure 7.11: Configuring a New Profile
Figure 7.12: Specifying a New Profile
Figure 7.13: Configuring the WEP Properties

Chapter 8: Configuring Secure Network and Internet Authentication Methods

Figure 8.1: The Authenticator Process
Figure 8.2: Client Requests Access to the Server
Figure 8.3: Client Sends the Session Ticket to the Server
Figure 8.4: The Kerberos AS and TGS Processes
Figure 8.5: Cross-realm Authentication
Figure 8.6: Using Proxy Tickets
Figure 8.7: Using Forwarded Tickets
Figure 8.8: The Kerberos KDC Service
Figure 8.9: The krbtgt Account
Figure 8.10: Attempting to Enable the krbtgt Account
Figure 8.11: The Kerberos Policy Options
Figure 8.12: Changing the Maximum Lifetime for a User Ticket Renewal
Figure 8.13: Configuring a User for Delegation
Figure 8.14: Configuring a Computer for Delegation
Figure 8.15: Manually Configuring a Kerberos Domain Name
Figure 8.16: The Relationships of Domains within a Tree and Trees within a Forest
Figure 8.17: Trust Relationships in Windows NT 4.0
Figure 8.18: Connecting to an External Domain
Figure 8.19: Active Directory Domains and Trusts
Figure 8.20: The Trusts Tab of the Domain Properties Window
Figure 8.21: The Add Trusted Domain Window
Figure 8.22: The Add Trusting Domain Window
Figure 8.23: Enabling Advanced Features
Figure 8.24: The Domain Controllers Properties Window
Figure 8.25: The Group Policy Editor Window
Figure 8.26: The Security Policy Setting Window
Figure 8.27: User Account Properties
Figure 8.28: Opening the Web Site Properties
Figure 8.29: Configuring Web Site Security
Figure 8.30: Configuring the Certificate Name and Key Length
Figure 8.31: Selecting the Organization Name and OU Information
Figure 8.32: The Directory Security Tab of a Web Site's Properties
Figure 8.33: Choosing Authentication Methods
Figure 8.34: Changing the Account Used for Anonymous Access
Figure 8.35: The Cleartext Warning Dialog
Figure 8.36: Configuring the Basic Authentication Default Domain
Figure 8.37: The Digest Authentication Warning Dialog Box
Figure 8.38: Configuring SSL Properties

Chapter 9: Configuring and Troubleshooting Remote Access and VPN Authentication

Figure 9.1: The Routing and Remote Access Console
Figure 9.2: The Action Menu of the Routing and Remote Access Console
Figure 9.3: The Routing and Remote Access Server Setup Wizard
Figure 9.4: Common Configurations
Figure 9.5: Remote Client Protocols
Figure 9.6: Macintosh Guest Authentication
Figure 9.7: IP Address Assignment
Figure 9.8: Address Range Assignment
Figure 9.9: New Address Range
Figure 9.10: Address Range Assignment with the Newly Created Address Pool
Figure 9.11: Managing Multiple Remote Access Servers
Figure 9.12: Managing Multiple Remote Access Servers
Figure 9.13: Initializing the Routing and Remote Access Service
Figure 9.14: Help Screens
Figure 9.15: Routing and Remote Access Console Configured for Use
Figure 9.16: Opening the Port Properties
Figure 9.17: Port Properties
Figure 9.18: Configuring a Device Port for Inbound Remote Access Connections
Figure 9.19: The Modem Port Has Been Assigned to RAS
Figure 9.20: Configuring a Device Port for Inbound Remote Access Connections
Figure 9.21: Checking the Port Status
Figure 9.22: Resetting the Configuration
Figure 9.23: The Reset Warning Message
Figure 9.24: Selecting VPN Server from the Common Configurations Menu
Figure 9.25: Selecting the Server's Internet Connection
Figure 9.26: Selecting the Server's Internet Connection
Figure 9.27: Completing the Installation
Figure 9.28: Checking the Changes Made to the Interfaces
Figure 9.29: Selecting the Interface Properties
Figure 9.30: The General Tab of the Local Area Connection Properties Screen
Figure 9.31: Input Filters
Figure 9.32: Output Filters
Figure 9.33: The Server Properties General Tab
Figure 9.34: The Server Properties Security Tab
Figure 9.35: The Authentication Methods Screen
Figure 9.36: The Extensible Authentication Protocol Methods Dialog Box
Figure 9.37: The Server Properties IP Tab
Figure 9.38: The Server Properties PPP Tab
Figure 9.39: The Server Properties Event Logging Tab
Figure 9.40: Ports Properties: Configuring the WAN Miniport (PPTP) Ports
Figure 9.41: The Configure Device – WAN Miniport PPTP Dialog Box
Figure 9.42: The Port Status – WAN Miniport PPTP VPN Port Dialog Box
Figure 9.43: The Add Remote Access Policy Screen: Policy Name
Figure 9.44: Add Remote Access Policy Conditions
Figure 9.45: Selecting the Attribute(s)
Figure 9.46: Time of Day Constraints
Figure 9.47: The New Access Policy Condition
Figure 9.48: Add Access Policy Conditions
Figure 9.49: Add Access Policy Conditions
Figure 9.50: The New Remote Access Policy Has Been Entered
Figure 9.51: Remote Access Profile Dial-in Constraints
Figure 9.52: Remote Access Profile IP
Figure 9.53: Remote Access Profile Multilink
Figure 9.54: Remote Access Profile Authentication
Figure 9.55: Remote Access Profile Encryption
Figure 9.56: Remote Access Profile Advanced
Figure 9.57: Creating a VPN Connection
Figure 9.58: Entering the VPN Server DNS Name or IP Address
Figure 9.59: Creating a VPN Connection

Chapter 10: Configuring and Using Auditing and the Event Logs

Figure 10.1: Defense in Depth
Figure 10.2: Viewing Logon Event Auditing
Figure 10.3: Viewing Account Management Auditing
Figure 10.4: Viewing an Audit Logon Event
Figure 10.5: Viewing an Audit Object Event
Figure 10.6: Viewing an Audit Policy Change Event
Figure 10.7: Viewing an Audit Privilege Use Event
Figure 10.8: Viewing an Audit Process-Tracking Event
Figure 10.9: Viewing an Audit System Event
Figure 10.10: Opening and Using the Local Security Policy
Figure 10.11: Enabling Auditing on a Local Machine
Figure 10.12: Setting Success- and Failure-Based Auditing
Figure 10.13: Viewing Events Generated within the Security Log
Figure 10.14: Enabling Auditing Using Group Policy
Figure 10.15: Event ID 531 Appears Frequently
Figure 10.16: Logon Hours Configuration
Figure 10.17: Viewing Event ID 517 in the Security Log
Figure 10.18: Analyzing System Security
Figure 10.19: Using the Security Configuration and Analysis Tool
Figure 10.20: Adjusting the Security Log Properties
Figure 10.21: Viewing the IIS Internet Services Manager
Figure 10.22: Default Web Site Settings
Figure 10.23: Viewing the W3C Extended Logging Properties
Figure 10.24: Viewing the EventCombMT Instructions
Figure 10.25: Using the EventCombMT GUI
Figure 10.26: Viewing the Temp File Contents

Chapter 11: Responding to and Recovering from Security Breaches

Figure 11.1: Getting the Trojan Payload in an E-Mail
Figure 11.2: An Executed, Running, and Able Agent of Destruction
Figure 11.3: Removing the Options to Have All Your Files Hidden from You
Figure 11.4: Working with the BO2K Server Configuration
Figure 11.5: Adding Servers to the Server List
Figure 11.6: The Logo of Cult of the Dead Cow, Makers of Back Orifice
Figure 11.7: The Back Orifice Configuration Wizard
Figure 11.8: Using the SMBdie Tool
Figure 11.9: A View of Recruiting Zombies

Appendix A: Utilities for the White Hat

Figure A.1: Viewing the GFI LANguard Network Scanner
Figure A.2: Scanning and Reviewing the Results of a Windows 2000 Server
Figure A.3: Viewing CGI Abuses
Figure A.4: Running a Scan with the Linux-based Nmap
Figure A.5: Using the Windows-based Version of NmapWin
Figure A.6: Using Ethereal to Perform Passive Attacks
Figure A.7: Using Secure Shell to Work with Remote Systems
Figure A.8: Using the PGP Key Ring

Appendix B: Port Numbers and Associated Attacks

Figure B.1: Viewing a Web Browser Using the HTTP Service



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
