Implementing the Naval Postgraduate School's Security Policy Using Windows 2000

Source: Calhoun: The NPS Institutional Archive (DSpace Repository), Theses and Dissertations, Thesis and Dissertation Collection, all items
Date: 2001-09
Author: McKinley, David R.
Publisher: Naval Postgraduate School, Monterey, California
URL: http://hdl.handle.net/10945/2093

NAVAL POSTGRADUATE SCHOOL
Monterey, California

THESIS

IMPLEMENTING THE NAVAL POSTGRADUATE SCHOOL’S SECURITY POLICY USING WINDOWS 2000
by David R. McKinley
September 2001

Thesis Advisor: Paul Clark
Associate Advisors: William Haga, Doug Brinkley

Approved for public release; distribution is unlimited.

REPORT DOCUMENTATION PAGE (Standard Form 298)

Report date: September 2001
Report type: Master’s Thesis
Title and subtitle: Implementing the Naval Postgraduate School’s Security Policy Using Windows 2000
Author: David R McKinley
Performing organization: Naval Postgraduate School, Monterey, CA 93943-5000
Sponsoring / monitoring agency: N/A
Supplementary notes: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
Distribution / availability statement: Approved for public release; distribution is unlimited.
Subject terms: Windows 2000, Computer Security, Operating System Security
Security classification of report, of this page, and of abstract: Unclassified
Limitation of abstract: UL

ABSTRACT

When the Naval Postgraduate School (NPS) fully migrates to Microsoft Windows 2000 as the primary operating system on desktop PCs and servers, security configuration will be a major concern. Windows 2000 provides a consolidated tool set as a means to securely configure these systems. It also provides a pre-configured list of security templates that may be applied when initially configuring different types of systems. The purpose of this thesis is to provide: (1) a brief overview of the Microsoft Windows 2000 security architecture, (2) a description of the Windows 2000 Security Configuration Tool Kit and how to configure security settings, (3) a discussion on security policy and how it affects security configurations, (4) recommendations on how to translate the Naval Postgraduate School’s Security Policy into Windows 2000 security settings, and (5) a pre-configured, recommended security template for all students attending NPS.

TABLE OF CONTENTS

I. INTRODUCTION TO WINDOWS 2000 SECURITY ARCHITECTURE
    A. INTRODUCTION
        1. Problem
        2. Solutions Offered by this Thesis
        3. Consequences if Problem is Not Solved
    B. THE NT LEGACY
    C. INTRODUCTION TO WINDOWS 2000 SECURITY
    D. ACTIVE DIRECTORIES
    E. AUTHENTICATION SERVICES AND KERBEROS
    F. CERTIFICATE SERVER
    G. ENCRYPTED FILE SERVICE
    H. IPSEC
    I. SUMMARY
II. THE NAVAL POSTGRADUATE SCHOOL’S SECURITY POLICY
    A. INTRODUCTION
    B. DEFINING SECURITY POLICY
    C. EFFECTIVE SECURITY POLICY
    D. CHAPTER SUMMARY
III. ATTACK METHODOLOGIES AND PREVENTATIVE MEASURES
    A. INTRODUCTION
    B. THE SECURITY RISK FROM INSIDERS AND MITIGATION TECHNIQUES
        1. Attack Methodology
        2. Scanning
        3. Enumeration
        4. Gaining Access and Escalating Privileges
    C. SUMMARY
IV. RECOMMENDATIONS FOR THE SECURITY TEMPLATE AND FINAL THOUGHTS
    A. INTRODUCTION
    B. SECURITY SETTINGS USING TEMPLATES
        1. Introduction to Security Templates
        2. Security Options
        3. Password Policies
        4. Account Lockout Policies
        5. Audit Policy
        6. Audit Log Settings
        7. User Rights
    C. AREAS FOR FURTHER STUDY AND CONSIDERATION
    D. FINAL THOUGHTS
LIST OF REFERENCES
APPENDIX A: WINDOWS SECURITY TOOL SET
    A. INTRODUCTION
    B. SECURITY POLICY
    C. WINDOWS 2000 WORKSTATIONS AND SERVERS
        1. Windows 2000 Professional and Member Servers
        2. Windows 2000 Domain Controllers
    D. WINDOWS SECURITY CONFIGURATION AND ANALYSIS TOOL
    E. DEFAULT SECURITY TEMPLATES
        1. Conpat.inf
        2. Securews.inf and Securedc.inf
        3. Hisecdc.inf and Hisecws.inf
    F. ANALYZING AND CONFIGURING

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 318