Rather than intersplicing the two or three different ways of securing files, communications, wireless, or email within each section of the balance of this Short Cut, this section will address the standard manual method of encryption all at once, and very briefly. The goal is not to educate you on how to do security the manual wayrather, by describing the manual process, it will make the automated processes, assisted by Windows 2003 autoenrollment of certificates, much clearer. Those who want to jump right in to the certificate-based autoenrollment method of encryption can skip this section and proceed directly to the "Installing a Windows Certificate of Authority Server" section. Creating Basic Shared Folder SecurityBasic security for shared folders is done by adding users from a directory list into the file permissions section of a shared folder. When a user is added to the file permissions, she can be given full control, change, or read access rights for a shared folder. To add access rights, do the following:
Caution Read and Change permissions allow a user or a group of users to access a folder, subfolders, and files within the folder. The user can read the file, modify it, and add more files in the shared folder. A user with Full Control can allow or deny access to other users and effectively become the administrator for the shared folder, which you likely would not enable as a default for other users. Users or groups of users can be added to the permissions for access to the files and shares, and access rights can be allocated for access to the information. However, for file permission access to data, the problem is that information data is not encrypted, so no privacy or information security is ensured. The only way to revoke a user's access to the information is to remove the user from the permission rights for the entire share. The security options are limited, but more details are provided in the section on "Implementing Encrypted File System (EFS)" later in this text. Manually Configuring IPSec-Encrypted CommunicationsInternet Protocol Security, or IPSec ("eye-pee-sehk"), provides encrypted communications between computer systems. IPSec provides privacy of information, and limits who has access to information from a communications access perspective. With IPSec enabled on a server, the only way a user can access information over the network is to have IPSec enabled on his workstation. The encryption key used on the workstation needs to be the same as the encryption key on the server for the workstation user to successfully decrypt the communications and access the information. The encryption and decryption keys used on the source and destination system can be created manually or automatically. In the "Creating a Group Policy for IPSec Encryption for the Server" section later in this text, the preferred automated method using group policies will be addressed. In this section, however, the manual method will be used to describe the process for server administrators to create an encryption key, and provide that information to a user who must enter the encryption key information into her computer in order to access the information on the server. To enable manual IPSec encryption on a server, do the following:
By following the preceding steps, IPSec will be configured and enabled on the server. In order for a workstation to access this server, the workstation will also need to configure and enable IPSec using the exact same shared key. Note We have configured the server with the Server (Require Security) option instead of the Secure Server (Request Security) option. If you do not want to force IPSec encryption on all communications, select the Secure Server (Request Security) option so that not all communications will be encrypted. However, in order for a server to successfully operate as a Secure Server, the system cannot be a domain controller, DNS server, or other utility server that has to communicate with non-IPSec systems, such as other domain controllers or an external DNS source. By requiring security, all communications must be IPSec encrypted. Therefore, to require security, the system should be a dedicated application server, and any devices that it needs to communicate with should at least have Secure Server (Request Security) enabled. Note The steps for configuring IPSec on a workstation are nearly identical to configuring IPSec on a server with the exception of configuring and enabling the Client (Respond Only) option. To configure IPSec on a workstation from a Windows XP desktop or laptop, do the following:
Once IPSec has been enabled on both a server and a client system, the communications between the two devices will be secured and encrypted using a 168-bit encryption algorithm. To confirm that IPSec-encrypted communications is working, run the IP Security Monitor to view the traffic between devices. To run the IP Security Monitor, do the following:
Note Connections that are encrypted will show ESP Confidentiality with 3DES or another encryption method noted for the connections setting. Because the server is configured with requested security and not required security in this example, you can have some connections that have <None> as the ESP Confidentiality (note that those connections are not encrypted). The problem with manual IPSec encryption is that the key is static, meaning that if the key information is accidentally or purposely shared with someone who should not have access to the information, although the information will be encrypted, virtually anyone can have access to the information. By automating encryption using certificates, if a key is compromised, new keys can be automatically issued to computer systems, thus enabling access to any computer that has the new encryption key. The automated process will be covered in the "Implementing IPSec-Encrypted Transport Communications" section later in this text. Using Wired Equivalent Privacy (WEP) for Wireless SecurityWireless communication security using the Wired Equivalent Privacy, or WEP ("wehp"), is very similar to the shared key system in IPSec. Effectively, a wireless access point has a static key entered into the security table of the device. In order for laptop or wireless devices to connect to the wireless access point, the client needs to enter the static key into her computer system. The shared information provides a common secured link between the wireless client and the wireless network. To enable WEP on an access point device, you would enter a series of numbers and letters (09, AF, no spaces or punctuation) into the access point WEP configuration page. Every access point device has a slightly different configuration page option; however, a sample page is shown in Figure 5. Figure 5. Sample access point WEP configuration page.In this example, WEP has been configured with 128-bit encryption, thus requiring 26 hexadecimal digits in the encryption key. After WEP is configured on the access point device, the user needs to manually enter the exact same WEP key into the wireless configuration settings on his laptop or mobile device. In Windows XP, the process is as follows:
Unfortunately, just like shared-key IPSec, if the WEP key is compromised by someone providing information to people who should not have access to the key, virtually anyone with the key will then have access to the wireless access device. The only way for the organization to resecure wireless access is to change the WEP key on the access point device, and then tell all users what the new access key is for wireless access. It could be just a matter of days or hours before that wireless access key is compromised, and then the process starts all over again for reissuing a new key. Basic Encrypted Communications Using OutlookEncryption is also used for email communications to enable users to send and receive secured communications between each other. In Microsoft Exchange, there is an encryption system built in that allows users within an Exchange environment to send email messages to other users within that environment in an encrypted manner. The problem with the default encryption in Exchange is that it does not provide encryption outside of the company's Exchange environment. So most organizations do not use the built-in email encryption in Exchange, but rather a more standard method of encrypted communications built on the Public Key Infrastructure (PKI) standard. There are several methods of providing encrypted communications between users within and external to a Microsoft Exchange and Outlook email system. Users can each get a certificate from an organization such as VeriSign and perform encrypted communications. Or an organization can purchase an enterprise license of Pretty Good Privacy (PGP) that provides encryption between users and organizations also using PGP email security. In the following example, the use of individual VeriSign certificates will be explained. A user who wants to encrypt messages between herself and another user needs to get an individual email certificate and install it in her Microsoft Outlook email client software. The user would go to http://www.verisign.com/products-services/security-services/pki/pki-application/email-digital-id/index.html and, for approximately $20 a year, both users can purchase a certificate. The individuals share the public portion of their certificates with the others with whom they want to communicate using encrypted messaging. To acquire a certificate, do the following:
This process of purchasing, downloading, and installing a certificate only needs to be done once a year. Note If you use multiple computers, you need to install the certificate on each machine that runs the Outlook client in order to send and receive encrypted email messages. After you have downloaded and installed the certificate on your computer, you need to configure Outlook to support the certificate. To do so, do the following:
Depending on the user's computer sophistication, he might have difficulties signing up, downloading, and installing the certificate, as well as configuring his Outlook client to send emails. Additionally, because the certificates are individual-based, each individual user has to do this process himself every year and for every system on which he conducts email communications. As you will see in the "Implementing Secured Email Communications with Exchange 2003" section, the issuance of certificates and the configuration of the user's Outlook client can be completed automatically using autoenrollment of certificates, as well as using group policy objects in Windows 2003 Active Directory. |