Improved Default Security in Windows 2003


To improve security in Windows Server 2003, Microsoft reduced the attack surface area of the operating system. This was done by:

  • Creating stronger default policies for the file system Access Control Lists (ACL)

  • Redesigning IIS

  • Providing a systemic way to configure a server based on predefined roles

  • Reducing the total number of services

  • Reducing the number of services running by default

  • Reducing the number of services running as system

More specifically, in Windows Server 2003, Microsoft disabled 19 services and modified several services to run under lower privileges. For example, installing Windows Server 2003 does not install IIS 6 by default. You must explicitly select and install it, or choose Web Server as the system role via the Configure Your Server Wizard. When a server is upgraded to Windows Server 2003, IIS 6 is disabled by default. If IIS 6 is installed, it defaults to a locked-down state: after installation, it accepts requests only for static files and must be intentionally configured to serve dynamic content. All time-outs and settings are set to aggressive security defaults. IIS 6 can also be disabled using Windows Server 2003 group policies to prevent rogue administrators from opening unauthorized Web servers.

Windows 2003 has stronger default ACLs on the file system. This, in turn, results in stronger default ACLs on file shares. For example, the Everyone group has been removed from default ACLs.

Two new user accounts have been created to run services with lower privilege levels. This helps to prevent vulnerabilities in services from being exploited to take over systems. DNS Client and all IIS Worker Processes now run under the new Network Service account. Telnet now runs under the new Local Service account.

Right out of the box, Windows 2003 is built as a secure system. The system installs only the components it needs to operate rather than installing additional services by default. Windows 2003 defaults to settings that eliminate a large number of potential security holes by not supporting legacy operating systems that are known to be less than secure. During the installation of Windows 2003 the system will warn you that it will be unable to authenticate Windows 9x clients and Windows NT 4.0 clients prior to Service Pack 3. This is because Windows 2003 sets two specific settings in the Domain Controller Security Policy:

  • Microsoft network server: Digitally sign communications (always): Enabled

  • Network security: LAN Manager authentication level: Send NTLM response only

Although these settings can be altered to allow the legacy operating systems to authenticate, it is not recommended to do so. This would reopen the security holes this policy is designed to close. Many administrators will remember the days when Web sites could issue LanMan (LM) requests of a host and the host would offer up the username and the LM hash of the password. The LM hash is a very weak encryption that can be broken quite rapidly via a brute-force attack. Although the LM hash is stored in a non-reversible encryption, the encryption algorithm is commonly known. By having a program generate a password and apply the algorithm to it, the result can be compared to the stolen hash to see if they match. If they do, the source password is known and the system is compromised. This is exceptionally fast if the password exists in a dictionary. Going beyond the scope of Windows 2003, it is a very good idea to disable the local storage of LM hashes on all systems in the network via a Group Policy Object (GPO). To define the group policy setting that limits the storage of the LM hash value, follow these steps:

  1. For the Group Policy object, choose Computer Configuration, Windows Settings, Security Settings, Local Policies, and then click Security Options.

  2. In the list of available policies, double-click Network Security: Do Not Store LAN Manager Hash Value on Next Password Change.

  3. Click Define This Policy Setting, choose Enabled, and then click OK.
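The three policy settings discussed above each map to a registry value, so their effective state on a host can be checked directly. The following audit script is an added example, not from the book; it assumes it is run on the host being checked with rights to read HKLM, and that the registry value names shown are the ones backing these policies.

```powershell
# Added example, not from the book: audit the registry values behind the three policy
# settings described above. Assumption: higher LmCompatibilityLevel values are stricter,
# so "at least the minimum" is the pass condition for every check.
$checks = @(
    @{ Policy  = 'Microsoft network server: Digitally sign communications (always)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name    = 'RequireSecuritySignature'
       Minimum = 1 },   # 1 = Enabled
    @{ Policy  = 'Network security: LAN Manager authentication level'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name    = 'LmCompatibilityLevel'
       Minimum = 2 },   # 2 = Send NTLM response only; 3-5 are stricter still
    @{ Policy  = 'Network security: Do not store LAN Manager hash value on next password change'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name    = 'NoLMHash'
       Minimum = 1 }    # 1 = Enabled
)

foreach ($c in $checks) {
    # A missing value is not an error: it means the operating system default is in effect.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [int]$item.($c.Name) } else { $null }
    $status = if ($null -eq $actual)          { 'NOT SET (OS default applies)' }
              elseif ($actual -ge $c.Minimum) { 'OK' }
              else                            { 'WEAK' }
    '{0,-6} {1} = {2}  [{3}]' -f $status, $c.Name, $actual, $c.Policy
}
```

NoLMHash only stops new LM hashes from being written; hashes already stored remain until each account's password is changed, which is why the policy name says "on next password change".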

Improvements over Windows 2000

Perhaps the single greatest improvement in security over Windows 2000 is not a technology but a procedure. Windows 2000 installed Internet Information Server by default, it installed the OS/2 and POSIX subsystems, and it offered little insight into the implications of installing various services and applications. Windows 2003, on the other hand, introduces the Configure Your Server Wizard. This wizard launches by default when a Windows 2003 server is first built. It asks the installer what the intended role of the server is and makes the appropriate changes on the system. Files are installed, service securities are set, and the administrator can feel comfortable that the system hasn't installed unnecessary services. This alone eliminates the largest cause of system insecurity: misconfiguration.

New Security Technologies Introduced in Windows 2003

One of the new technologies introduced in Windows 2003 is Internet Information Services 6. IIS was redesigned in Windows Server 2003 to further improve security for Web-based transactions. IIS 6 enables you to isolate an individual Web application into a self-contained Web service process. This prevents one application from disrupting other applications running on the same Web server. IIS also provides built-in monitoring capabilities to find, fix and avoid Web application failures. In IIS 6, third-party application code runs in isolated worker processes, which now use the lower-privileged Network Service logon account. Worker process isolation offers the capability to confine a Web site or application to its root directory through Access Control Lists (ACL). This further shields the system from exploits that walk the file system to try to execute scripts or other built-in code.

Windows 2003 has also improved network communication security through the support of strong authentication protocols such as 802.1x (WiFi) and Protected Extensible Authentication Protocol (PEAP). Internet Protocol Security (IPSec) support has been enhanced and further integrated into the operating system to improve LAN and WAN data encryption.

Microsoft introduced the Common Language Runtime (CLR) software engine in Windows Server 2003 to improve reliability and create a safer computing environment. CLR verifies that applications can run without error and checks security permissions to ensure that code does not perform illegal operations. CLR reduces the number of bugs and security holes caused by common programming mistakes. This results in less vulnerability for hackers to exploit.

Another technology introduction in Windows 2003 is the concept of Forest Trusts. Windows Server 2003 supports cross-forest trusts, allowing companies to better integrate with other companies that use the Active Directory. Setting up a cross-forest trust with a partner's Active Directory enables users to securely access resources without losing the convenience of single sign-on. This feature enables you to use ACL resources with users or groups from the partner's Active Directory. This technology is a great boon in situations where one company has acquired another. Establishing a cross-forest trust allows the two companies to immediately start sharing resources in a secured manner.

The idea of single sign-on is further improved by the introduction of Credential Manager. This technology provides a secure store for usernames and passwords as well as links to certificates and keys. This enables a consistent single sign-on experience for users. Single sign-on enables users to access resources over the network without having to repeatedly supply their security credentials.

Windows Server 2003 supports Constrained Delegation. Delegation in this context means allowing a service to impersonate a user or computer account to access resources on the network. This new feature in Windows Server 2003 enables you to limit this type of delegation to specific services or resources. For example, a service that uses delegation to access a system on behalf of a user could now be constrained such that it could only impersonate the user to connect to a single specific system and not to other machines or services on the network. This is similar in concept to the ability to limit a user to attaching to a restricted list of systems.

Protocol Transition is a technology that allows a service to convert to a Kerberos-based identity for a user without knowing the user's password or requiring the user to authenticate via Kerberos. This enables an Internet user to authenticate using a custom authentication method and receive a Windows identity. This technology is now available in Windows 2003. This can be very useful for companies that are planning to heavily leverage Kerberos as a centralized point of authentication for both Windows and Linux systems.
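Both constrained delegation and protocol transition are recorded on the delegating account in Active Directory: constrained delegation as a list of service principal names in the msDS-AllowedToDelegateTo attribute, and unconstrained delegation and protocol transition as bits in userAccountControl. The audit below is an added example, not from the book; it assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.

```powershell
# Added example, not from the book: list every AD account that may delegate, separating the
# unconstrained form from the constrained and protocol-transition forms described above.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl bit: unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition

# LDAP matching rule 1.2.840.113556.1.4.803 is a bitwise AND on the attribute value.
$filter = "(&(|(objectClass=user)(objectClass=computer))" +
          "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
          "(msDS-AllowedToDelegateTo=*)))"

Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        $uac     = [int]$_.userAccountControl
        # SPNs this account may impersonate users to; empty for unconstrained accounts.
        $targets = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $mode    = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }
                   elseif ($targets.Count -gt 0)           { 'Constrained' }
                   else                                    { 'None' }
        [pscustomobject]@{
            Account            = $_.Name
            Mode               = $mode
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedServices    = ($targets -join '; ')
        }
    } | Sort-Object Mode | Format-Table -AutoSize
```

Domain controllers legitimately carry the unconstrained bit; any other account reported as Unconstrained is a candidate for moving to a constrained list of target services.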

Windows Server 2003 now offers .NET Passport Integration with Active Directory. This enables the use of Passport-based authentication to provide partners and customers with a single sign-on experience to Windows-based resources and applications. By leveraging .NET Passport services, companies can often reduce their cost of managing user IDs and passwords for applications with large numbers of external users. Microsoft has gone to great lengths to ensure that .NET Passport information is stored as securely as possible to foster confidence in the industry and help grow the technology.

Although Windows 2000 supported encrypted folders, Windows Server 2003 now allows offline files and folders to be encrypted using EFS as well. Offline Files, or client-side caching, was introduced in Windows 2000 and allows mobile users to work with a local copy of a file while disconnected from the network. When the user reconnects to the server, the system reconciles the changes with the older versions of the documents on the server. This allows files to continue to be protected when cached locally on a mobile computer.

Stronger encryption technologies for EFS are available in Windows 2003. Windows Server 2003 now supports encryption for EFS that is stronger than the default Data Encryption Standard (DESX) algorithm. By default EFS will use the Advanced Encryption Standard (AES-256) for all encrypted files. Clients can also use Federal Information Processing Standards (FIPS) 140-1 compliant algorithms, such as the 3DES algorithm, which is also included with Windows XP Professional.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
