
84-02-01

DATA SECURITY MANAGEMENT

INTRODUCING SECURITY: FEATURES AND MANAGEMENT

David Goldman

INSIDE: Computer Management Console; Local Security Console; File System Enhancements; Encrypting File System; Disk Quotas; ACL Editor; Policy Enhancements; Password Complexity Requirements; Reversible Encryption; Audit Policy; New User Rights; Security Options

PAYOFF IDEA
Although Windows 2000 has been out for several months now, many companies are employing a wait-and-see approach while others have placed the software in the confines of engineering. As a result, many systems administrators and operations support personnel may not have had an opportunity to explore the new operating system and obtain a solid understanding of its enhancements. This article explores two major areas of Windows 2000: the new security features and the new toolset for management of those features. It is assumed that the reader has a solid understanding of the tools and security features available in Windows NT 4.0.

The first major difference that administrators will notice when they click Start->Programs->Administrative Tools is that the familiar set of tools (User Manager for Domains, Server Manager, Disk Administrator, etc.) has been replaced by two Microsoft Management Console (MMC) snap-ins (Exhibit 1). The MMC is historically known as the interface for administering Internet Information Server 4.0, and is now the central location for all enterprisewide management of Windows 2000 objects. In an environment without Active Directory Services, the Computer Management and Local Security Settings consoles provide access to all the configuration options previously available through the tools above, and many that required still other tools or utilities. In an environment with Active Directory Services, the following functions are managed through the Active Directory Users and Computers and Active Directory Domains and Trusts MMC consoles. Further, within an environment with Active Directory Services, the concepts of group policies and delegation are introduced. These concepts are beyond the scope of this article.

Auerbach Publications © 2000 CRC Press LLC

EXHIBIT 1 — Microsoft Management Console (MMC)

A brief feature overview of the Computer Management console demonstrates the benefits of the consolidated management toolset. These features include:

1. Local users and groups. All security in the Windows environment revolves around access controls assigned to users and groups. Within this section, users and groups can be created, edited, and otherwise managed. Accounts can be disabled and unlocked, passwords reset, and profiles set.
2. Disk management. Without the appropriate file system, access controls cannot be placed on files and directories. Through this option, hard drives can be formatted with NTFS. Further, the concept of disk quotas has been introduced, and settings can be implemented on a per-user basis.
3. Shared folders. Once there is a defined set of users and an environment to support access controls, those users must be granted access to resources. When creating or managing shares through this interface, both the share-level permissions and the NTFS-level permissions for the shared resource can be set.
4. Event viewer. Once resources are secured, monitoring ensues. In addition to the three logs familiar to past users — System, Application, and Security — new logs have been introduced. These new logs include DNS Server, Directory Service, and others. Both log settings and event viewing occur here.
5. Performance logs and alerts. While event logs require someone to physically view the logs, this feature supports defining performance objects, performance counters, and object instances, and setting thresholds for system services that can initiate actions when reached.
6. System information. When alerts are raised or event log entries denote problems, this option, formerly referred to as Windows NT Diagnostics, provides detailed system information from device interrupts to environment variables, and is often invaluable for resolving resource conflicts.
7. Device manager. If resource conflicts or other hardware problems are discovered, the device manager allows the manipulation of DMA, IRQ, and other hardware settings to resolve these issues.

While this console provides access to many other functions, the benefits of consolidation can already be seen.

Similarly, the Local Security Settings console organizes those components of Windows 2000 security that must be carefully configured to ensure system confidentiality, integrity, and availability. These features include:

1. Password policy. In addition to the familiar password settings, two new options are introduced, “Passwords must meet complexity requirements” and “Store passwords using reversible encryption for all users in the domain.” These new options are discussed later.
2. Account lockout. Users of the old resource kit utility passprop.exe will be pleased to learn that the administrator account is now required to adhere to the account lockout policy for network logons.
3. Audit policy. Some audit categories have changed their names and two new ones have been added, “Account logon events” and “Directory service access,” which are discussed later.
4. User rights assignment. The number of user rights has increased by seven, to 34. These seven rights include “Deny” for the four logon types (from the network, as a batch job, as a service, and locally). New rights include “Enable computer and user accounts to be trusted for delegation,” “Remove computer from docking station,” and “Synchronize directory service data,” all to be discussed later.
5. Security options. The oft-daunting task of modifying the registry is somewhat eased through this new interface, which provides access to old and new security settings that are detailed later.

Public key policies for the Encrypting File System and IPSec policies are also configured here, creating a powerful security management tool.


With the concept of centralized management covered, one might ask, “What new features can one manage?” These features can be grouped into two categories: file system enhancements and policy enhancements. The first group includes the Encrypting File System, disk quotas, and access control lists (ACLs), while the second includes password policies, audit policies, user rights, and the security options of the security policy console.

To introduce the first group, there is the Encrypting File System (EFS), which encrypts files on NTFS partitions using the DES algorithm and a user’s private key. The operating system automatically decrypts the files when loaded, provided the correct user is the one accessing the files. The only users who can decrypt or read an encrypted file are the user who encrypted the file and any specified recovery agents. As alluded to earlier, recovery agents can be managed through the Local Security Settings console. A file can be encrypted simply by right-clicking on it in Explorer, selecting Properties, clicking Advanced, and checking the box labeled “Encrypt contents to secure data.”

Another new feature supported by the file system is disk quotas. While quotas have been a feature of other operating systems, under Windows NT 4.0 third-party tools were necessary to manage and restrict disk usage. Quotas are set on a per-group or per-user basis by right-clicking on a drive in Computer Management or Explorer. The first step requires checking the box “Enable quota management” and is a per-drive setting. From there, options including disk space, warning threshold, which quota events to log, and the ability to deny disk space to users who exceed their limit, can all be set. After that, there is the simple matter of assigning quota amounts to the desired user accounts.

The next new feature, which also relates to the file system, is the only one not managed through a console. With the release of Service Pack 4 for Windows NT 4.0, Microsoft introduced a new ACL editor and exposed the new interface native to Windows 2000. The new ACL editor provides increased functionality and granularity when assigning access to files and directories. This enhanced model introduces the ability to explicitly deny access to a user or group, to set the inheritance for the object being secured, and, for folders, the ability to apply the ACL to objects at a level never before available (Exhibit 2).

The second group of enhancements, the policy enhancements, covers those items previously labeled with the phrase “which are discussed later.” The first of the two new items of the password policy is “Passwords must meet complexity requirements,” and its purpose is fairly obvious. This option is akin to implementing the resource kit utility passprop /complex or passfilt.dll on a Windows NT 4.0 Domain Controller. This setting requires passwords to be composed of a variety of mixed-case characters, numerals, and symbols.
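The explicit-deny and inheritance behaviour that the new ACL editor exposes, as an added example that is not part of the original article: a small model of how Windows orders a DACL and walks it during an access check. The rights bits, trustees, and sample folder permissions are constructed for illustration.

```python
# Added example, not from the article: a model of how Windows orders and
# evaluates a DACL containing explicit and inherited allow/deny ACEs, the
# combinations the new ACL editor exposes. Rights, trustees and the sample
# folder permissions are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List

READ, WRITE, DELETE = 0x1, 0x2, 0x4   # constructed access-mask bits


@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    trustee: str             # user or group the ACE applies to
    mask: int                # rights granted or denied
    inherited: bool = False  # True when propagated from the parent folder


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Order ACEs as the ACL editor stores them: explicit before inherited,
    and deny before allow within each group. An explicit deny therefore
    always wins, while an explicit allow precedes an inherited deny."""
    def rank(ace: Ace):
        return (ace.inherited, ace.kind != "deny")
    return sorted(dacl, key=rank)


def access_check(dacl: List[Ace], token: FrozenSet[str], requested: int) -> bool:
    """Walk the canonical DACL for a token holding the given user/group names.
    A matching deny ACE covering any still-ungranted requested right fails
    the check; matching allow ACEs accumulate rights until all are granted.
    If the list ends with rights still ungranted, access is denied."""
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACL for a folder: the inherited ACEs came from its parent,
# the explicit ones were added for this folder in the ACL editor.
SAMPLE_DACL = [
    Ace("allow", "Everyone", READ | WRITE, inherited=True),
    Ace("deny", "Contractors", DELETE, inherited=True),
    Ace("allow", "Alice", DELETE),        # explicit allow for one user
    Ace("deny", "Contractors", WRITE),    # explicit deny for a group
]
ALICE = frozenset({"Alice", "Everyone", "Contractors"})
BOB = frozenset({"Bob", "Everyone"})


def demo() -> dict:
    """Results for the sample folder: the explicit deny beats the inherited
    group allow, and Alice's explicit allow beats the inherited deny."""
    return {
        "alice_read": access_check(SAMPLE_DACL, ALICE, READ),       # True
        "alice_write": access_check(SAMPLE_DACL, ALICE, WRITE),     # False
        "alice_delete": access_check(SAMPLE_DACL, ALICE, DELETE),   # True
        "bob_write": access_check(SAMPLE_DACL, BOB, WRITE),         # True
        "bob_delete": access_check(SAMPLE_DACL, BOB, DELETE),       # False
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "granted" if allowed else "denied")
```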
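As an added example that is not from the article, a check modelled on the rules documented for passfilt.dll (at least six characters, three of four character classes, and no account name or full-name part), which is what the Windows 2000 complexity option enforces; the account names and passwords used are constructed test data.

```python
# Added example, not from the article: a password check modelled on the
# documented passfilt.dll / Windows 2000 complexity rules. All names and
# passwords used for testing are constructed.
import re

MIN_LENGTH = 6                      # passfilt.dll requires at least six characters
REQUIRED_CLASSES = 3                # from upper, lower, digit, symbol
NAME_DELIMITERS = r"[ ,.\-_#\t]+"   # separators used to split the full name


def character_classes(password: str) -> int:
    """Count the character classes present: upper, lower, digit, symbol."""
    present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(present)


def complexity_violations(password: str, account_name: str, full_name: str = "") -> list:
    """Return the rules the password violates; an empty list means it complies.

    Rules: minimum length, at least three of the four character classes, and
    the password may not contain the account name or any part of the full
    name of three or more characters. Comparisons are case-insensitive.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < REQUIRED_CLASSES:
        violations.append("fewer than three of: upper, lower, digit, symbol")
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        violations.append("contains the account name")
    for part in re.split(NAME_DELIMITERS, full_name):
        if len(part) >= 3 and part.lower() in lowered:
            violations.append("contains part of the full name: " + part)
    return violations


if __name__ == "__main__":
    # Constructed test data: account jsmith with full name "John Smith"
    for pw in ("Summer2000", "jsmith99!", "password", "Ab1!", "Smith#1234"):
        print(pw, complexity_violations(pw, "jsmith", "John Smith") or "OK")
```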


EXHIBIT 2 — The New ACL Editor

The second option, which is far less intuitive, “Store passwords using reversible encryption for all users in the domain,” should only be utilized in instances where users log on from an Apple Macintosh computer or when the Shiva Password Authentication Protocol (SPAP) is the primary means of authentication. This selection weakens the stored password and increases the likelihood that it will be cracked if obtained.

The two new options of the audit policy are also somewhat obscure. The “account logon events” category refers to logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the Kerberos Key Distribution Center logs on to the domain controller (and by MSV1_0 for Windows NT 4.0-style logons). The “directory service access” audit event is generated when access to objects within the Active Directory is attempted. Like “audit object access,” this event will only be recorded after auditing has been set on specific objects.

Moving along, the seven new user rights cover a variety of areas. As mentioned previously, the ability to explicitly deny access to the four logon types has been introduced. The rights “deny access to this computer from the network,” “deny logon as a batch job,” “deny logon as a service,” and “deny logon locally” give system administrators and security policy authors more power to grant and restrict access to resources. The “enable computer and user accounts to be trusted for delegation” right allows the user to set the “Trusted for Delegation” setting on a user or computer object. This user setting has not been discussed and is available only in environments utilizing Active Directory. The “remove computer from docking station” privilege is self-explanatory and allows a user to undock a laptop from within the GUI.

The last new user right is “synchronize directory service data,” which enables the holder to read all objects and properties in the directory service, regardless of the protection on the objects and properties. Similar to “backup files and directories” and “restore files and directories,” this powerful user right allows the holder to circumvent explicit access controls.

The final new feature of this section is the security options of the security policy console. This list of options provides a simple and convenient layer of abstraction to many security enhancements introduced to Windows NT 4.0 through service packs and registry modifications. The actual values of these options currently reside in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values

A brief description of these options is found in Exhibit 3. The comments column of this table refers the reader to articles in the Microsoft Knowledge Base, referred to as Q articles. The articles can be found online at www.microsoft.com, or on MSDN media if one’s organization subscribes to this service. Additionally, if a registry key is mentioned, it refers to a Windows NT 4.0 key with which one may be familiar.

CONCLUSION

As one can see, Windows 2000 has dramatically increased the ease of implementation of security options. In addition, many features that were previously available but undocumented or poorly documented are now centralized and easily configured.


EXHIBIT 3 — Features of the Security Options of the Security Policy Console

Additional restrictions for anonymous connections
  Options: None. Rely on default permissions / Do not allow enumeration of SAM accounts and shares / No access without explicit anonymous permissions
  Comments: Available since Windows NT 4.0 SP3 as the RestrictAnonymous registry key. See KB article Q143474.

Allow server operators to schedule tasks
  Options: Enabled / Disabled
  Comments: SubmitControl registry key. Normally, only administrators can use the AT command. See KB article Q124859.

Allow system to be shut down without having to log on
  Options: Enabled / Disabled
  Comments: ShutdownWithoutLogon registry key. See KB article Q216083.

Allowed to eject removable NTFS media
  Options: Administrators / Administrators and power users / Administrators and interactive users
  Comments: New option to Windows 2000.

Amount of idle time required before disconnecting sessions
  Options: 1 to 99,999 minutes
  Comments: Autodisconnect registry key. This option disconnects idle LAN sessions after a set number of minutes. This is different from disconnecting RAS sessions. See KB article Q138365.

Audit the access of global system objects
  Options: Enabled / Disabled
  Comments: AuditBaseObjects registry key. This option is normally not needed and can fill audit logs quickly. It may be desirable to enable this in a development environment.

Audit use of Backup and Restore privilege
  Options: Enabled / Disabled
  Comments: FullPrivilegeAuditing registry key. Generates an event for each file access during a backup or restore. Generally, this is unneeded and will flood logs.

Automatically log off users when logon time expires
  Options: Enabled / Disabled
  Comments: enableforcedlogoff registry key, which was hidden under LanmanServer\Parameters in Windows NT 4.0.

Clear virtual memory pagefile when system shuts down
  Options: Enabled / Disabled
  Comments: ClearPageFileAtShutdown registry key. May be desirable in a high-security environment.

Digitally sign client communication (always)
  Options: Enabled / Disabled
  Comments: RequireSecuritySignature (LanManWorkstation) registry key. This option requires SMB signing. SMB signing should be enabled when network security is a high concern. Because SMB signing requires that every packet be signed and verified, performance can degrade by as much as 15 percent. See KB article Q161372.


Digitally sign client communication (when possible)
  Options: Enabled / Disabled
  Comments: EnableSecuritySignature (LanManWorkstation) registry key. This option negotiates signing with the Domain Controller and enables it when possible. See above.

Digitally sign server communication (always)
  Options: Enabled / Disabled
  Comments: RequireSecuritySignature (LanManServer) registry key. This option requires SMB signing. See above.

Digitally sign server communication (when possible)
  Options: Enabled / Disabled
  Comments: EnableSecuritySignature (LanManServer) registry key. This option negotiates signing with the workstation and enables it when possible.

Disable CTRL+ALT+DEL requirement for logon
  Options: Enabled / Disabled
  Comments: New option to Windows 2000. Enabling this option suppresses the Windows 2000 splash screen bearing ‘Press Ctrl-Alt-Delete to begin’, the ‘Computer Locked’ dialog box, and any text specified in the Legal Notice Caption and Legal Notice Text.

Do not display last user name in logon screen
  Options: Enabled / Disabled
  Comments: DontDisplayLastUserName registry key.

LAN Manager Authentication Level
  Options: Send LM & NTLM responses / Send LM & NTLM — use NTLMv2 session security if negotiated / Send NTLM response only / Send NTLMv2 response only / Send NTLMv2 response only\refuse LM / Send NTLMv2 response only\refuse LM & NTLM
  Comments: LMCompatibilityLevel registry key. This has client and server side settings and implications. See KB article Q147706.

Message text for users attempting to log on
  Options: (User-defined text)
  Comments: LegalNoticeText registry key. Should be crafted by the legal department.

Message title for users attempting to log on
  Options: (User-defined text)
  Comments: LegalNoticeCaption registry key. This is the text in the title bar of the window displaying the legal notice.

Number of previous logons to cache
  Options: 0 to 50
  Comments: CachedLogonsCount registry key. See KB article Q172931. If set to 0 and the domain controller is unavailable, the user trying to log on will receive the message, “The system cannot log you on now because the domain is not available.”

Prevent system maintenance of computer account password
  Options: Enabled / Disabled
  Comments: DisablePasswordChange registry key. See KB article Q154501.


Prevent users from installing printer drivers
  Options: Enabled / Disabled
  Comments: AddPrintDrivers registry key. Enabling this value allows only Administrators and Print Operators to install printer drivers.

Prompt user to change password before expiration
  Options: 0 to 999 days
  Comments: PasswordExpiryWarning registry key. See KB article Q135403. (This value has defaulted to 14 days since Windows NT 3.1.)

Recovery console: allow automatic administrative logon
  Options: Enabled / Disabled
  Comments: New option to Windows 2000. The recovery console allows one to boot to Windows 2000 without the GUI and perform limited file operations. This option allows use of the console without the need to enter the administrator password. See KB article Q229716.

Recovery console: allow floppy access to all drives and all folders
  Options: Enabled / Disabled
  Comments: New option to Windows 2000. This option, closely related to the one above, enables the SET command within the console and allows access to the entire file system. See KB article Q235364.

Rename administrator account
  Options: (User-defined text)
  Comments: Specifies a new name for the built-in administrator account. It is good practice to rename this account, as it is known to exist on all systems and is often a target for attack.

Rename guest account
  Options: (User-defined text)
  Comments: See previous entry.

Restrict CD-ROM access to locally logged-on user only
  Options: Enabled / Disabled
  Comments: AllocateCDRoms registry key. Prevents users from sharing their local CD-ROM drive. See KB article Q172520.

Restrict floppy access to locally logged-on user only
  Options: Enabled / Disabled
  Comments: AllocateFloppies registry key. Prevents users from sharing their local floppy drive.

Secure channel: digitally encrypt or sign secure channel data (always)
  Options: Enabled / Disabled
  Comments: RequireSignOrSeal registry key. This flag should only be set if all of the domain controllers in all the trusted domains support signing and sealing. See KB article Q183859.

Secure channel: digitally encrypt secure channel data (when possible)
  Options: Enabled / Disabled
  Comments: SealSecureChannel registry key. Specifies that all outgoing secure channel traffic should be encrypted. See KB article Q183859.

Secure channel: digitally sign secure channel data (when possible)
  Options: Enabled / Disabled
  Comments: SignSecureChannel registry key. Specifies that all outgoing secure channel traffic should be signed. See KB article Q183859.

Secure channel: require strong (Windows 2000 or later) session key
  Options: Enabled / Disabled
  Comments: New option to Windows 2000. This relates to the three options above and should only be used in a pure Windows 2000 environment.


Send unencrypted password to connect to third-party SMB servers
  Options: Enabled / Disabled
  Comments: EnablePlainTextPassword registry key. Some non-Microsoft SMB servers only support unencrypted (plaintext) password exchanges during authentication. This option should only be enabled if required by your SMB server. See KB article Q166730.

Shut down system immediately if unable to log security audits
  Options: Enabled / Disabled
  Comments: CrashOnAuditFail registry key. If the system is halted as a result of a full security log, it must be restarted and reconfigured to continue to prevent auditable activities from occurring while the log is full. After the system is restarted, only administrators can log on until the security log is cleared.

Smart card removal behavior
  Options: No action / Lock workstation / Force logoff
  Comments: New option to Windows 2000. When one removes a smart card from the machine, Windows 2000 can take one of several actions. The first option does nothing and allows the authenticated session to continue. The second option locks the computer and keeps the session protected. The third option logs one off and ends the session.

Strengthen default permissions of global system objects
  Options: Enabled / Disabled
  Comments: ProtectionMode registry key. Enabling this option allows only administrators to redefine certain systemwide resource attributes such as COM ports, serial ports, or printers.

Unsigned driver installation behavior
  Options: Silently succeed / Warn but allow installation / Do not allow installation
  Comments: New option to Windows 2000. The O/S checks the signature of a driver before it is installed to determine if it has been signed as known-good. This option specifies the action to take based on the results of the check. This can provide increased security, as drivers from untrusted sources can be reviewed before installation, and it can provide greater system stability, as some third-party drivers can degrade system performance.

Unsigned non-driver installation behavior
  Options: Silently succeed / Warn but allow installation / Do not allow installation
  Comments: New option to Windows 2000. Related to the option above, and specifies the action to take when attempting to install a non-signed driver.


The reader should now have a good understanding of the where, what, and how of basic Windows 2000 security. From here, one’s best bet is to get a Windows 2000 server and start configuring options. Use the new tools, change the new options, and note the results. During the transition period, one will want to refer back to the Windows NT 4.0 server while striving to find the new way to perform some of the same functions. For further resources, and as is evident from the descriptions above, the Microsoft Knowledge Base is an invaluable tool for locating information regarding specific security settings.

David Goldman is in the Technology Risk Services division of PricewaterhouseCoopers’ New York office.
