Security Basics


The term security covers a lot of ground, and Windows 2000 uses a wide range of methods and mechanisms to implement security. But before you can evaluate those mechanisms, you need to know what a good security system is designed to accomplish. For all the protocols, passwords, and secret keys, security revolves around three basic concepts:

  • Authentication: Confirming the identity of a person or entity before allowing access to a resource
  • Data protection: Ensuring the privacy and integrity of transmitted or stored data
  • Access control: Restricting the access of data and resources to privileged users

In addition to these three security mainstays, two other security features are discussed in this section: auditing and nonrepudiation.

Authentication

Authentication describes the process in which a person or entity identifies itself to a second party. In general terms, this can mean showing a driver's license to a bank teller or inserting a bank card into an ATM and entering a PIN. In computer language, authentication is a bit more deductive. Unlike the bank teller, who has the luxury of personal contact, nearly all computer-related authentication scenarios are virtual. In a Windows 2000 environment, authentication involves two distinct processes: interactive logon and network authentication.

Interactive logon means logging on to either a domain account or a local computer. Previous versions of Windows were password-based only; Windows 2000 logon now allows smart card authentication. Once the user is logged on to the domain account, network authentication is required to identify the user to each network resource he or she requires.

Proof of Identity

Typically, proof of identity comes in the form of a shared secret between the requestor and the authenticator: a password, a PIN, an encryption key. The principal word here is "secret." The fulcrum of the entire authentication process is the authenticator's belief that the requestor—and only the requestor—possesses that secret. Once this fails to be true, the system, to some degree or another, is compromised.

Depending on the protocol being used, the shared secret is communicated to the authenticator, who then either grants or denies access. Secure protocols protect the secret in transit; more elaborate schemes don't send the secret at all. Public-key technology uses a pair of encryption keys—a private key that is never exposed and a public key that can be disseminated. The next section explores the types of protocols Windows 2000 uses to prove possession of identification credentials.

Authentication Protocols

Clearly, the effectiveness of an authentication process and the safety of your secret depend on the protocol being used. Countless books before this one have guided users through installations that require choosing a unique password and then warned them against the hazards of losing the password. Yet how many of our passwords leave our fingertips and slip unprotected through a network? Table 17-1 shows the Windows 2000 protocols that are designed purposely to thwart would-be attackers and that authenticate both internal and external users. Active Directory maintains user accounts that hold security credentials for authentication purposes, such as passwords and public-key certificates, and it can store multiple security credentials for each of these protocols.

Table 17-1. Authentication protocols

Protocol | Used For
Kerberos version 5 | Network authentication. Provides mutual authentication between user and resource.
Secure Socket Layer/Transport Layer Security (SSL/TLS) | Network authentication. Based on X.509 public-key certificates.
Windows NT LAN Manager (NTLM) | Network authentication. Used for Windows NT 4 compatibility.
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) | Network and dial-up authentication. Uses separate encryption keys for sending and receiving.
Extensible Authentication Protocol (EAP) | Network and dial-up authentication. Provides support for additional authentication schemes, including smart cards.
Password Authentication Protocol (PAP) | Network and dial-up authentication. Sends passwords in clear text.

Hardware-Enabled Authentication

Hardware is used for authentication purposes to make it more difficult for someone to impersonate a requestor. By storing encryption keys on a smart card, a PC Card, or any other cryptographic token, the logon becomes a more secure process. It requires an extra level of possession that a mere password does not. It requires something you know—a PIN or password to access the smart card—and something you have—the smart card itself. An attacker might somehow obtain your PIN, but without the smart card, the PIN or password is useless. To decrease the vulnerability of secret keys, well-designed cryptographic tokens generate encryption keys directly on the token and prohibit extraction of encryption keys, except possibly in encrypted form.

We're also beginning to hear much about the use of biometrics to facilitate authentication: fingerprint identification, face recognition, and hand geometry verification. Biometrics extend the logon requirements considerably, from something you know or have, to something you are.

MORE INFO
Federal Information Processing Standards Publication 140-1 (FIPS 140-1) is a standard published by the National Institute of Standards and Technology (NIST) that specifies security requirements for cryptographic modules. The standard identifies four levels of security, Levels 1-4, with Level 1 representing the lowest level of security and Level 4 representing the highest. You can find this standard at http://csrc.nist.gov/fips/fips1401.htm.

Mutual Authentication

Authentication isn't necessarily a one-way street. Many times a requester will want proof of identity from the authenticating host. For instance, when creating a secure link to a restricted directory over which confidential data is to be exchanged, the identity of both the client and the server is important. Protocols like SSL/TLS allow mutual authentication between client and server.

Single Sign-on

One of the additional Windows 2000 security features is the ability to authenticate to any computer or resource on the network by logging on to a single domain account. Through single sign-on, the user can log on to a domain account once, with a single password or smart card. The user's single sign-on security credentials are stored in Active Directory, and each time a domain resource is required, a network authentication occurs transparently.

The advantages of single sign-on, as opposed to authenticating to each network resource when it's needed, are quite obvious. Users have fewer passwords to remember and fewer authentication screens to endure; administrators find it easier to manage only one account per user.

Data Protection

The authentication schemes that protect passwords as they cross an unsecured network are critical to maintaining a secure system; equally important is the data you send once you're logged on. Whether it's a company's proprietary information or a personal credit card, the concern is the same: keeping network information from being read by unauthorized persons and preventing it from being modified.

Of course, sensitive information doesn't need to be on its way somewhere to be vulnerable. While tools like network sniffers can weed out data packets, attacks can also occur on files sitting on a hard disk. In addition to network security, Windows 2000 provides security for your stored data.

Data Confidentiality

The privacy of data, whether it's an e-mail message, input to a Web page, or distinct IP packets, is jeopardized once the information is transmitted over nonsecure communication lines, such as the Internet. Using encryption algorithms and keys, data privacy can be protected. Without the appropriate decryption keys, unintended recipients intercepting the transmission will receive nothing but encrypted garbage.

NOTE
Cryptographic operations use both an algorithm and a key. The algorithm is the specific mathematical process that performs the operation. The key is the input to the algorithm.

The strength of the encryption also depends on the algorithm used and the length of the key. With enough computing power, any encryption key can be broken. Windows 2000 supports a range of key lengths, from 40-bit encryption for export internationally, to 128-bit encryption for use within North America.

Typically, the bulk of data is encrypted using a cipher block algorithm (also known as a symmetric algorithm) and a key. The strength of this method lies in the cipher block chaining (CBC). Encrypting a block at a time, the output of one block is used as the input of the next. In this way, repeated patterns of data won't produce the same encrypted data. The input to the first block is a random number called an initialization vector (IV). The IV assures that each time a message is encrypted, a unique result is produced.
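The chaining just described, as an added example that is not from the book: a constructed, deliberately weak toy block cipher (a key-derived byte substitution) stands in for DES so the code runs offline, and the point is how ECB repeats ciphertext blocks for repeated plaintext while CBC with a fresh IV does not.

```python
import random

BLOCK = 8  # toy 64-bit block, the same size DES uses

def toy_cipher(key: bytes):
    """Constructed toy block cipher: a key-derived byte substitution table.
    It is NOT secure and only stands in for a real cipher such as DES or 3DES;
    the chaining logic below is what this example demonstrates."""
    sbox = list(range(256))
    random.Random(key).shuffle(sbox)          # the key selects the permutation
    inv = [0] * 256
    for i, v in enumerate(sbox):
        inv[v] = i
    encrypt_block = lambda blk: bytes(sbox[b] for b in blk)
    decrypt_block = lambda blk: bytes(inv[b] for b in blk)
    return encrypt_block, decrypt_block

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "example assumes block-aligned input"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(enc, plaintext: bytes) -> bytes:
    # No chaining: identical plaintext blocks give identical ciphertext blocks.
    return b"".join(enc(p) for p in blocks(plaintext))

def cbc_encrypt(enc, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv                        # the IV feeds the first block
    for p in blocks(plaintext):
        prev = enc(xor(p, prev))              # output of one block is input to the next
        out.append(prev)
    return iv + b"".join(out)                 # the IV travels with the ciphertext

def cbc_decrypt(dec, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for c in blocks(body):
        out.append(xor(dec(c), prev))         # undo the chaining with the previous ciphertext block
        prev = c
    return b"".join(out)

def repeated_blocks(data: bytes) -> int:
    """How many blocks duplicate an earlier one (a pattern leak in the ciphertext)."""
    bs = blocks(data)
    return len(bs) - len(set(bs))
```

Encrypting the constructed input b"SAMEBLK!" repeated four times gives three duplicate ciphertext blocks under ECB and none under CBC, and two CBC encryptions of the same message under different IVs differ.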

For confidentiality of transmitted data at the network level, Windows 2000 employs Internet Protocol Security (IPSec). IPSec encrypts TCP/IP packets before transmission and decrypts them upon receipt.

Confidentiality of stored data is also a concern. Although access to stored files can be restricted for certain users through file permissions, intruders who gain unauthorized access to your hard disk can modify those permissions. To combat this problem, Windows 2000 uses a transparent encryption scheme called Encrypting File System (EFS). Files on NTFS volumes can be encrypted and decrypted with users' EFS public/private-key information. Users need only select the files to be encrypted. The actual encryption occurs behind the scenes. This system, however, allows only self-encrypting—files can't be encrypted and then shared with other users.

Data Integrity

While encryption can guarantee the confidentiality of a file, it can't guarantee the file's data integrity—that is, that the file has not been modified or tampered with. Fortunately, Windows 2000 also supports digital signing. Digital signing of a file, module, or other software component is somewhat like signing a contract on paper. The signer is responsible for what he or she signs. Whoever subsequently views the document and signature can tell who signed it.

However, digital signatures offer a great deal of security beyond that. A digital signature is generated by hashing the document and encrypting it with the signer's private encryption key. This procedure produces a signature that is cryptographically tied to both the signer and the content of the document. Changing the content breaks the signature.

Upon verification, the digital signature is decrypted with the signer's public key. The resulting hash is compared against a newly computed hash of the message. This process proves undeniably that the signer signed the message, because his or her key was used to verify the signature; in addition, it verifies that the contents of the document haven't changed because the encrypted hash matched the newly computed hash.

In Windows 2000, digital signing has two meaningful purposes. First, it guarantees the integrity of data stored locally or being passed over a network. Second, it authenticates modules or other software components that are obtained from untrusted sources, such as the Internet. Validating the signature of a module verifies that the software hasn't been tampered with and that it was signed by a trusted software publisher.

The two most common digital signature algorithms are RSA and Digital Signature Algorithm (DSA). DSA signatures are 40 bytes long, while the length of RSA signatures depends on the key size. A key pair, consisting of a public key and a private key, with a 128-byte public key typically produces a 128-byte signature.

Access Control

As explained earlier, authentication is the first layer of security in the protection of network objects and resources. The second layer is access control—that is, controlling which resources can be accessed, by whom, and with which permissions. An authenticated user doesn't necessarily have authorization to access all files, printers, and registry keys. Access control is enforced by the manager for each object type, but it's up to the object owner to determine which access control restrictions to impose.

Access is controlled by assigning rights to users and by setting permissions for objects. Permissions specify which users can access a specific object and which type of access is allowed. For example, the owner of a quarterly finance spreadsheet might set permissions that allow read/write access to the head of finance, allow read-only access to everyone in finance, and deny access to everyone else.

Groups of users have their own rights, and those can be specified when granting object permissions. In the previous example, establishing read-only permissions for everyone in finance probably means setting a group's rights, not setting users' rights individually.

Permissions can be explicitly set for an object, or for ease of administration, they can be inherited from parent objects. However, the granularity of access control doesn't stop at objects. Permissions can even be set for attributes of an object, allowing access to some fields, such as the e-mail address of a user account, but denying access to other fields, such as the user's telephone number. Standard object permissions include the following:

  • Reading an object
  • Modifying an object
  • Deleting an object
  • Reading an object's permissions
  • Modifying an object's permissions
  • Changing an object's owner
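A simplified model of that evaluation, added here as an illustration rather than taken from the book or from Windows itself (the real access check works on SIDs and access masks): entries are walked in canonical order, a matching deny on a still-unsatisfied right ends the check, and allows accumulate. The account and group names are constructed; the three DACLs show the spreadsheet example from the text, why a deny entry for Everyone backfires, and how an explicit allow outranks a deny inherited from the parent.

```python
from dataclasses import dataclass

# The standard object permissions listed above, as bit flags (constructed values).
READ, MODIFY, DELETE, READ_PERMS, MODIFY_PERMS, TAKE_OWNER = 1, 2, 4, 8, 16, 32

@dataclass(frozen=True)
class ACE:
    trustee: str              # user or group name (a SID in the real system)
    allow: bool               # True = allow entry, False = deny entry
    rights: int               # bit mask of the rights this entry covers
    inherited: bool = False   # entry came from the parent object

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, then inherited entries
    (which keep their own deny-before-allow order). The sort is stable."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(principals: set, dacl, requested: int) -> bool:
    """Walk the DACL in canonical order for a token holding `principals`.
    A matching deny on any right not yet granted ends the check; allows
    accumulate until every requested right is granted. No match = denied."""
    granted = 0
    for ace in canonical(dacl):
        if ace.trustee not in principals:
            continue
        remaining = requested & ~granted
        if not ace.allow and ace.rights & remaining:
            return False
        if ace.allow:
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return False

# The quarterly finance spreadsheet from the text (constructed names).
SPREADSHEET = [ACE("hfinance", True, READ | MODIFY), ACE("Finance", True, READ)]
# Tempting but wrong: a deny for Everyone is evaluated first and locks out Finance too.
LOCKED_OUT = [ACE("Everyone", False, READ | MODIFY)] + SPREADSHEET
# An explicit allow on a child object outranks a deny inherited from its parent.
CHILD_FILE = [ACE("Contractors", False, MODIFY, inherited=True), ACE("alice", True, MODIFY)]

HEAD = {"hfinance", "Finance", "Everyone"}
BOB = {"bob", "Finance", "Everyone"}
CAROL = {"carol", "Everyone"}
ALICE = {"alice", "Contractors", "Everyone"}
```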

Auditing

Another Windows 2000 security feature is auditing, which allows an administrator to keep tabs on events that might possibly compromise the system. Events such as logons and logoffs, access to files, and user-account management can all be audited. The administrator can choose which objects to audit, which events on that object to audit, and which users or groups using that object to audit. Both successful and unsuccessful access attempts can be audited.

TIP
Viruses can leave trails of inappropriate writing of executables and DLLs. Auditing successful and failed write access to these files and monitoring the security log for unexpected occurrences will give you a head start at detecting viruses on your system.

In addition to auditing users' security-related events, Windows 2000 provides a means of tracking security management events because an audit trail will reflect any changes in security policies. For instance, if an administrator changes the permissions of a particular object to deny access to a specific group, this change in permissions will appear on the audit trail. Chapter 18 shows how to manage the security log that Windows 2000 generates.

Nonrepudiation

Finally, let's take a look at nonrepudiation, another Windows 2000 security feature. Nonrepudiation is undeniable proof that a correspondence was sent or received and usually refers to security-enhanced e-mail messages. Proof that a message was sent is a property exhibited by digital signatures. For undeniable proof of receipt, the recipient of a signed or encrypted message responds to the sender with a signed receipt.

CAUTION
Some e-mail packages allow for receipts of signed messages, but this doesn't necessarily demonstrate nonrepudiation. A signed receipt is undeniable proof that a message was received only if it is cryptographically tied to both the recipient and the original message.
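The hash-then-sign and verify steps from the Data Integrity section and the signed receipt described here, in one added example that is not from the book: textbook RSA over fixed Mersenne primes plus SHA-256 stands in for a real key pair (a constructed, insecure toy; the point is the binding of the signature to signer and content, and of the receipt to recipient and original message). The names and messages are constructed.

```python
import hashlib

# Toy key material: Mersenne primes large enough that a 256-bit hash is always below n.
# Real keys come from a CSP or smart card; this is an added illustration only.
PRIMES = {107: 2**107 - 1, 127: 2**127 - 1, 521: 2**521 - 1, 607: 2**607 - 1}
E = 65537

def toy_keypair(p: int, q: int):
    """Textbook RSA: (n, E) is the public key, (n, d) the private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, priv) -> int:
    n, d = priv
    return pow(digest(data), d, n)            # hash, then "encrypt" with the private key

def verify(data: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data)     # "decrypt" with the public key, compare hashes

def receipt_body(original: bytes, recipient: str) -> bytes:
    # Binds the receipt to the recipient AND to the exact message received.
    return f"RECEIPT|{recipient}|{hashlib.sha256(original).hexdigest()}".encode()

def make_receipt(original: bytes, recipient: str, recipient_priv):
    body = receipt_body(original, recipient)
    return body, sign(body, recipient_priv)

def verify_receipt(original: bytes, body: bytes, sig: int, recipient: str, recipient_pub) -> bool:
    """Proof of receipt only if the signature checks under the recipient's key
    and the body names this recipient and the hash of this message."""
    return body == receipt_body(original, recipient) and verify(body, sig, recipient_pub)

if __name__ == "__main__":
    alice_pub, alice_priv = toy_keypair(PRIMES[127], PRIMES[521])
    bob_pub, bob_priv = toy_keypair(PRIMES[107], PRIMES[607])
    msg = b"Q3 forecast attached."                                       # constructed message
    sig = sign(msg, alice_priv)
    print("signature valid:", verify(msg, sig, alice_pub))               # True
    print("tampered valid:", verify(msg + b" (revised)", sig, alice_pub))  # False
    body, rsig = make_receipt(msg, "bob", bob_priv)
    print("receipt valid:", verify_receipt(msg, body, rsig, "bob", bob_pub))          # True
    print("receipt for other msg:", verify_receipt(b"other", body, rsig, "bob", bob_pub))  # False
```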



Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366