Windows Security Collection
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
As organizations expand the availability of network data, applications, and systems, it becomes more challenging to ensure the security of the network infrastructure. Security technologies in the Microsoft Windows Server 2003 operating system enable organizations to better protect their network resources and organizational assets in increasingly complex environments and business scenarios.
Fundamental Security Principles
Windows Server 2003 security technologies address fundamental security requirements that help meet the complex security needs of organizations of all types and sizes. Windows Server 2003 security is based on the following fundamental principles:
Identification. To help ensure that only the appropriate users and computers have access to resources, it is first necessary to identify users and computers on the network. This involves setting up and maintaining account information for users and computers, preferably in a single, easy-to-access location so that it is easy to set up, modify, and maintain. Each account has a unique user name; internally, Windows identifies the account by a security identifier (SID).
Authentication. The authentication process validates the authentication data of a user or computer against the information in a database. This authentication data can include the user name, logon domain, password, and other credentials. After a user or computer has been authenticated, the operating system examines the privileges that are assigned to the user account. The information relating to the user in the account database is used to create an access token, which is then used to determine the access rights of a user or computer during the current session.
Authorization and access control. Access rights to a given resource are validated based on access control lists (ACLs) associated with the resource. The SIDs and privileges carried in the access token are compared to the entries in the ACL in order to determine the rights of the user in regard to the resource.
Confidentiality. Confidentiality helps prevent the intentional or unintentional disclosure of data or of the actions that a user is performing on the data — for example, a withdrawal from a bank account. Confidentiality is typically accomplished by means of encryption as data crosses exposed portions of a network.
Integrity. Integrity services help to ensure that the content of a message or data file has not been modified when it travels over a network.
Nonrepudiation. Nonrepudiation, an extension of authentication and integrity, prevents a user from denying, after the fact, that they sent a message or signed a document. It can also be used to prove that the message was sent, that it was delivered, and that it was received.
Trusts. Logical relationships are established between domains, by means of trusts, to allow pass-through authentication, in which one domain accepts the logon authentications of the other domain. A trust either allows or disallows authentication traffic to flow between two or more domains.
Audit entries. Audit entries represent data that is recorded in the security event log of a server or workstation when specified system, application, and security-related events take place. Audit entries provide valuable data about system operations, which can be used to identify system use and misuse, and to diagnose system behavior.
The Windows Server 2003 security infrastructure consists of the following components:
Logon and authentication technologies. Logon and authentication technologies include a variety of protocols, including Kerberos version 5 authentication, NTLM, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and Digest; as well as features such as Stored User Names and Passwords that enable single sign-on (SSO) and reduced sign-on (RSO).
Authorization and access control technologies. The ACL-based impersonation model and a new roles-based protected subsystem model enable extremely flexible and manageable authorization and access control strategies.
Data security technologies. Encrypting File System (EFS), Internet Protocol security (IPSec), system key utility (Syskey), and Routing and Remote Access Services (RRAS) provide additional security for data under a variety of special circumstances.
Group Policy technologies. Group Policy options that can enhance security management include security policy and software restriction policies.
Trust technologies. Trusts can be established between domains and across forests to improve security and business processes for complex organizations.
Public key infrastructure (PKI) technologies. Certificates, Certificate Services, and certificate policy-enabled qualified subordination can be used to support a variety of application-specific security solutions.
Each of these sets of technologies can be used in conjunction with the other sets of technologies — such as networking and storage — to enable secure network-enabled business processes.
Logon and Authentication Technologies
Applications integrated with Windows Server 2003 and Active Directory directory service use the built-in features of the operating system to perform authentication. Authentication mechanisms are fundamental to system security.
Authentication mechanisms verify the identity of users who attempt to log on to a domain or to access network resources. Authentication, the act of proving the identity of a user to an application or resource, is typically done by demonstrating possession of a secret that only the user holds, for example by using a password-derived key or a smart card private key to encrypt or sign data supplied by the other side, rather than by transmitting the secret itself.
The server side of the authentication exchange verifies the result against the key it holds for that account in order to validate the authentication attempt. Because the keys are stored in a secure central location, the authentication process is scalable and maintainable. In the Windows operating system, the recommended locations for storing identity information, including the keys that serve as the credentials of the users, are the Local Security Authority (LSA) and its Security Accounts Manager (SAM) database on a client computer for local accounts, and Active Directory for domain accounts.
Windows Server 2003 implements a number of authentication protocols, including Kerberos version 5 authentication, NTLM, secure channel (Schannel, the SSL/TLS implementation), Passport, and Digest. These protocols enable authentication of users, computers, and services in a variety of network scenarios, including private networks based on Active Directory, networks based on Microsoft Windows NT 4.0 domains, clients and servers based on non-Windows operating systems, and the public Internet.
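To make the idea of proving key possession concrete, here is an added Python example written for this page (it is a simplified model, not the NTLM or Kerberos wire format, and not code from Windows or from the original document). The authority stores only a key derived from the password, hands out a fresh random challenge, and checks that the response is a keyed hash over that challenge; the password never crosses the wire, and a captured response cannot be replayed because each challenge is accepted exactly once. The `derive_key` function is an assumed stand-in for the password hash a real account database holds, and the account and password are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example for this page: a simplified challenge-response exchange.
# It is NOT the NTLM or Kerberos format; it only illustrates proving
# possession of a key without sending the secret itself.


def derive_key(password: str) -> bytes:
    # Assumed stand-in for the password-derived key that a real account
    # database (SAM or Active Directory) stores instead of the password.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class Authority:
    """Server side of the exchange: holds derived keys, never passwords."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._outstanding: dict[bytes, str] = {}  # challenge -> account

    def enroll(self, account: str, password: str) -> None:
        self._keys[account] = derive_key(password)

    def challenge(self, account: str) -> bytes:
        nonce = os.urandom(16)  # fresh, unpredictable per attempt
        self._outstanding[nonce] = account
        return nonce

    def verify(self, account: str, nonce: bytes, response: bytes) -> bool:
        # Each challenge is consumed on first use, so a captured
        # (challenge, response) pair cannot be replayed later.
        if self._outstanding.pop(nonce, None) != account:
            return False
        key = self._keys.get(account)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client side: prove key possession by keying a hash over the challenge."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def run_exchange() -> dict:
    """Run the exchange for a constructed account and report each outcome."""
    auth = Authority()
    auth.enroll("alice", "correct horse battery")  # constructed credentials
    n1 = auth.challenge("alice")
    n2 = auth.challenge("alice")
    n3 = auth.challenge("alice")
    r3 = client_response("correct horse battery", n3)
    return {
        "good_password": auth.verify("alice", n1, client_response("correct horse battery", n1)),
        "wrong_password": auth.verify("alice", n2, client_response("wrong", n2)),
        "first_use": auth.verify("alice", n3, r3),
        "replay": auth.verify("alice", n3, r3),
        "unknown_account": auth.verify("mallory", auth.challenge("mallory"), r3),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The caveat a practitioner should keep in mind is that any server able to issue challenges can collect responses for offline password guessing, because the response is a deterministic function of the password-derived key. That is one reason Kerberos relies on a trusted third party with mutual authentication rather than on direct challenge-response between client and resource server, and why NTLM use should be limited where Kerberos is available.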
Windows makes it possible to use a single user identity across a local network by locally caching user credentials in the Local Security Authority (LSA) of a client computer. When a user logs on to a domain, Windows authentication packages transparently use the credentials to provide single sign-on when authenticating to network resources on servers that trust the user’s account domain.
However, as more companies deploy Internet applications that are used by partners and customers, the authentication mechanisms they currently use to provide single sign-on to their intranets are not always adequate. In fact, the technologies required for Internet-facing Web application single sign-on are significantly different. For this reason, the authentication process they provide is referred to by a different term, Web single sign-on.
Sometimes it is not possible to achieve single sign-on. In these cases, reduced sign-on (RSO) is preferred. This reduces the number of times a user must enter their credentials to access resources and applications.
Stored User Names and Passwords improves the SSO and RSO experience by simplifying the management and use of multiple sets of logon credentials, including X.509 certificates used with smart cards and Passport credentials. The credentials are stored in encrypted form as part of the user's local profile until they are needed, and they can roam with the user if the user's network policy supports roaming profiles.
Authentication in Windows Server 2003 also includes two-factor authentication, such as smart cards, which are a tamper-resistant and portable way to provide security solutions for tasks such as client authentication, logging on to a Windows Server 2003 domain, code signing, and helping to secure e-mail.
Authorization and Access Control Technologies
How you choose to give and manage appropriate access to individual users and groups of users is the key to your resource authorization and access control strategy. Users must be authorized to access specific resources, but only at the level of access they need.
Authorization and access control in Windows are based on user rights and permissions. User rights grant specific privileges and logon rights to users and groups in your computing environment. Permissions define the type of access granted to a user or group for an object or object property.
Windows Server 2003 manages user rights and permissions based on the following two primary authorization models:
The ACL-based impersonation model
A new roles-based protected subsystem model
Logging on does not automatically give users access to the resources that they require. With the impersonation model, an authentication package authenticates the user and then builds an access token that represents the security context for that user. The security context represents the identity and groups that a user is a member of, as well as the privileges or rights that are granted to that user to perform specific tasks that affect an entire computer system.
Many users and computers have identical needs for access to a network resource. For this reason, the ACL-based impersonation model allows you to place users and computers in security groups in order to manage the rights and permissions of many users and computers at the same time.
If your organization has Active Directory, it can serve as the focal point for managing and administering user accounts, security group memberships, security policies, and organizational resources such as computers, printers, and servers. Organizations that use Active Directory as the authoritative store for identity, authentication, and authorization information can extend this access control framework to other applications, systems, and, by means of Lightweight Directory Access Protocol (LDAP) compliance, to other platforms.
After the authentication package generates the security context, an application or service can be given the security context to use for accessing resources. In other words, the service can use the user’s security context to obtain access to resources instead of using the service’s own context.
Another component of the impersonation model is the object-based ACL. The ACL for an object indicates what level of access any number of security principals have to the object. For example, the ACL on a file might define that one user has the ability to read the file while another user has the ability to both read and delete the file.
The operating system, specifically the Windows Object Manager working with the Security Reference Monitor, is the final arbiter of access to objects under the impersonation model. When an object is opened, the Object Manager has the Security Reference Monitor compare the security context (the access token) of the caller against the ACL on the object. Because the operating system is the final arbiter, the ACL-based impersonation model is well suited to scenarios in which multiple applications can access the same system resource.
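As an added illustration of the comparison described here and under "Authorization and access control" above (example code written for this page, not part of Windows or of the original document), the following Python model walks a DACL the way the operating system does: entries are evaluated in order, an access-denied entry that covers any still-ungranted right stops the check immediately, and the walk ends as soon as every requested right has been granted. The SID strings, group names and right values are constructed for the example and are not real Windows values; only the evaluation order mirrors Windows.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example for this page: a model of the access check performed when
# a token is compared with an object's DACL. Right values and SID strings
# are constructed; only the evaluation order mirrors Windows.
FILE_READ = 0x0001
FILE_WRITE = 0x0002
DELETE = 0x10000
READ_CONTROL = 0x20000
WRITE_DAC = 0x40000


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # security principal the entry applies to
    mask: int   # rights the entry allows or denies


@dataclass
class Token:
    user: str
    groups: Set[str]

    def holds(self, sid: str) -> bool:
        return sid == self.user or sid in self.groups


def access_check(token: Token, dacl: Optional[List[Ace]], owner: str, desired: int) -> bool:
    """Return True if every bit in `desired` is granted to `token`."""
    if dacl is None:                  # no DACL at all: unconditional access
        return True
    remaining = desired
    if token.holds(owner):            # owner implicitly holds READ_CONTROL and WRITE_DAC
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:                  # ACEs are evaluated strictly in order
        if remaining == 0:            # everything requested already granted
            break
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:  # denies a right not yet granted: stop
                return False
        else:
            remaining &= ~ace.mask    # accumulate granted rights
    return remaining == 0             # an empty DACL therefore grants nothing


def demo() -> Dict[str, bool]:
    """Constructed file ACL: contractors may not write, staff may, everyone may read."""
    owner = "S-alice"
    canonical = [
        Ace("deny", "G-contractors", FILE_WRITE | DELETE),
        Ace("allow", "G-everyone", FILE_READ),
        Ace("allow", "G-staff", FILE_READ | FILE_WRITE | DELETE),
    ]
    # Same entries, but the allow placed ahead of the deny.
    noncanonical = [canonical[2], canonical[0], canonical[1]]
    bob = Token("S-bob", {"G-everyone", "G-contractors"})
    dave = Token("S-dave", {"G-everyone", "G-contractors", "G-staff"})
    alice = Token("S-alice", {"G-everyone"})
    return {
        "bob_read": access_check(bob, canonical, owner, FILE_READ),
        "bob_write": access_check(bob, canonical, owner, FILE_WRITE),
        "dave_write_canonical": access_check(dave, canonical, owner, FILE_WRITE),
        "dave_write_noncanonical": access_check(dave, noncanonical, owner, FILE_WRITE),
        "alice_write_dac_as_owner": access_check(alice, canonical, owner, WRITE_DAC),
        "empty_dacl": access_check(dave, [], owner, FILE_READ),
        "null_dacl": access_check(bob, None, owner, FILE_WRITE | DELETE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'granted' if result else 'denied'}")
```

The noncanonical case is the practical caveat: because the walk stops as soon as all requested rights are granted, an allow entry placed ahead of a deny entry silently defeats the deny. The Windows tools write ACLs in canonical order (explicit deny before explicit allow, explicit entries before inherited ones) for exactly this reason, and ACLs written by custom code should be checked for it.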
Windows Server 2003, Enterprise Edition introduces a new roles-based protected subsystem authorization model, a feature called Authorization Manager. In the roles-based protected subsystem model, users are assigned to roles and the security settings that authorize users for specific sets of tasks are based on authorization rules that allow you to apply fine-grained control over the mapping between access control and the structure and tasks performed in your organization. For example, under the roles-based protected subsystem model, a bank teller is allowed to enter account deposits and withdrawals for a customer. If this employee suddenly becomes a loan officer, the application rules can dynamically allow him or her to view a customer’s bank balances and record new loans, but prevent him or her from making deposits or withdrawals on behalf of a customer.
Windows Server 2003 provides complete authorization auditing support. For the ACL-based impersonation model, the Object Manager reports audits for resource access according to the audit configuration. This configuration can be enforced by means of Group Policy or manually on each server. The roles-based protected subsystem model supports both run-time auditing and policy change auditing. Run-time auditing uses either fail or success audits to report application initialization, context creation and deletion, and object access.
Data Security Technologies
Applications consume authentication and authorization data to allow or deny access to a user. However, the business requirements of an organization — for example, the need to support mobile users who travel with sensitive corporate data or the need to communicate sensitive data securely over the public Internet — make additional data protection strategies necessary.
IT professionals can use the data security technologies in Windows Server 2003 to complement the data security features that are coded into an application. Windows Server 2003 includes the following disk-based encryption features:
Encrypting File System (EFS). Data stored on local NTFS volumes (online or offline) can be protected by means of EFS, which encrypts files as they are written to disk. EFS encrypts each file with a symmetric file encryption key and then protects that key with the user's public key (and with the public keys of any designated recovery agents), so only those key holders can decrypt the file.
The system key utility (Syskey). Syskey provides additional protection against password-cracking software. It encrypts the password hashes that are stored in the Security Accounts Manager (SAM) database or in Active Directory with a system key, so that an offline copy of the database cannot be attacked without also obtaining the system key, which can be stored on the local computer, derived from a startup password, or kept on a floppy disk.
Additional Windows Server 2003 features can protect network data as it passes in and out of your site (across intranets, extranets, or an Internet gateway). These features include:
Internet Protocol Security (IPSec). IPSec is a suite of industry-standard, cryptography-based protection services and security protocols that authenticate and optionally encrypt IP traffic between computers, whether on a local area network (LAN) or across untrusted networks. IPSec provides computer-level authentication, as well as data encryption, for virtual private network (VPN) connections that use the Layer 2 Tunneling Protocol (L2TP).
Routing and Remote Access. The Routing and Remote Access service for the Windows Server family is a full-featured software router and an open platform for routing and internetworking. It offers routing services to businesses in LAN and wide area network (WAN) environments, or over the Internet, by using secure VPN connections.
Internet Authentication Service (IAS). IAS in Windows Server 2003 is the Microsoft implementation of a RADIUS server and proxy. It provides centralized authentication, authorization, and accounting for dial-up and VPN connections and, by means of 802.1X, for wired and wireless local network access.
Group Policy Technologies
Windows Server 2003 Group Policy technologies enable you to efficiently manage groups of users and computers by configuring Group Policy objects (GPOs) and linking them to an organizational unit, domain, or site.
Group Policy allows an organization to more effectively manage its applications and operating environments on a per-computer or per-user basis.
Group Policy in Windows Server 2003 includes extensions for the following:
Wireless network policies
Internet Explorer maintenance
Quality of service
Remote installation services
You can use security settings policies as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. Security settings policies are used to manage the following aspects of security:
User authentication to a network or computer
Resources that users are permitted to access
Whether to record a user’s or group’s actions in the Event log
Membership in a group
This assists administrators in the following tasks:
Ensuring that corporate security policies are enforced across desktops and servers.
Keeping desktops and servers up-to-date with the latest security patches.
Monitoring systems for potential security compromises.
Software restriction policies further enhance an organization’s ability to enforce security policy on its computers and network by limiting the opportunities for malicious code to enter an operating system and impact an organization.
Users can receive hostile code in many forms, ranging from native Windows executable files (.exe), to macros in documents (such as .doc files), to scripts (such as .vbs files). Attackers spread such code through viruses and worms and often rely on social engineering, such as a convincing e-mail attachment, to get users to run it. If such code is activated, it can generate denial-of-service attacks on the network, send sensitive or private data to the Internet, compromise the security of the computer, or damage the contents of the hard disk drive.
To help protect network computers from both hostile code and unknown or unsupported software, administrators can use software restriction policies to define which applications are allowed or not allowed to run on a target computer. To help organizations address the problem of unknown code, administrators can use software restriction policies to perform the following tasks:
Counteract computer viruses.
Regulate which ActiveX controls can be downloaded.
Run only digitally signed scripts.
Enforce the policy that only approved software is installed on system computers.
Lock down a computer.
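The value of software restriction policies lies in how conflicting rules are resolved, which the list above does not show. The following Python model, added for this page (it is not code from Windows or from the original document), applies the policy's precedence: a hash rule beats a certificate rule, which beats a path rule, which beats an Internet zone rule; among path rules the more specific path wins; and equally specific conflicting rules resolve to the more restrictive level. The paths, signer names and file contents are constructed for the example, environment variables in paths are assumed already expanded, and the hash algorithm is an assumption of the model.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example for this page: a model of software restriction policy rule
# resolution. Rule types and precedence follow the policy design; paths,
# signer names and file contents are constructed for the example.
UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # hash hex digest, signer name, path prefix, or zone name
    level: str


@dataclass
class Program:
    path: str
    content: bytes
    signer: Optional[str] = None
    zone: str = "Local computer"


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\").rstrip("\\")


def rule_matches(rule: Rule, prog: Program) -> bool:
    if rule.kind == "hash":       # model hashes the file contents with SHA-1
        return hashlib.sha1(prog.content).hexdigest() == rule.match
    if rule.kind == "certificate":
        return prog.signer == rule.match
    if rule.kind == "path":       # a path rule covers the file or anything under it
        p, m = _norm(prog.path), _norm(rule.match)
        return p == m or p.startswith(m + "\\")
    if rule.kind == "zone":
        return prog.zone == rule.match
    return False


def evaluate(rules: List[Rule], prog: Program, default_level: str) -> Tuple[str, Optional[Rule]]:
    """Return the level applied to prog and the deciding rule (None if the default applied)."""
    hits = [r for r in rules if rule_matches(r, prog)]
    if not hits:
        return default_level, None

    def rank(r: Rule):
        # Hash beats certificate beats path beats zone; longer path is more specific.
        return (PRECEDENCE[r.kind], -len(_norm(r.match)) if r.kind == "path" else 0)

    hits.sort(key=rank)
    best = [r for r in hits if rank(r) == rank(hits[0])]
    for r in best:                # equally specific conflict: more restrictive wins
        if r.level == DISALLOWED:
            return DISALLOWED, r
    return best[0].level, best[0]


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed lockdown policy: default Disallowed, with exceptions."""
    blocked = b"constructed contents of a tool that must never run"
    rules = [
        Rule("path", r"C:\Program Files", UNRESTRICTED),
        Rule("path", r"C:\Program Files\Temp", DISALLOWED),
        Rule("hash", hashlib.sha1(blocked).hexdigest(), DISALLOWED),
        Rule("certificate", "Contoso Code Signing", UNRESTRICTED),
        Rule("zone", "Internet", DISALLOWED),
    ]
    cases = {
        "installed_app": Program(r"C:\Program Files\App\app.exe", b"app"),
        "dropped_in_temp": Program(r"C:\Program Files\Temp\drop.exe", b"drop"),
        "blocked_by_hash": Program(r"C:\Program Files\App\tool.exe", blocked),
        "signed_in_profile": Program(r"C:\Users\bob\tool.exe", b"x", signer="Contoso Code Signing"),
        "unknown": Program(r"C:\Users\bob\unknown.exe", b"y"),
    }
    out = {}
    for name, prog in cases.items():
        level, rule = evaluate(rules, prog, default_level=DISALLOWED)
        out[name] = (level, rule.kind if rule else "default")
    return out


if __name__ == "__main__":
    for name, (level, by) in demo().items():
        print(f"{name}: {level} (by {by} rule)")
```

The ordering is the point: a hash rule always wins, so a file copied into an otherwise permitted directory is still blocked, and a more specific path rule overrides a broader one. The model omits registry path rules, the designated file types list, the enforcement options (whether DLLs and local administrators are covered), and the separate security option that must be enabled before certificate rules are honoured; all of these matter in a real deployment.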
For more information about Group Policy, see the Group Policy Collection.
Trust Technologies
The goals of SSO and RSO are largely based on trusts established between domains and forests. However, SSO and RSO can be difficult to establish and maintain when organizations are continuously evolving through mergers, acquisitions, and divestitures, as well as a wide variety of partnerships with business partners.
The trust technologies in Windows Server 2003 help organizations address these business requirements and enhance their ability to offer and maintain SSO and RSO. When a trust exists between two domains, the authentication mechanisms for each domain trust the authentication data coming from the other domain. Trusts help provide for controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain).
Applications integrated with Windows Server 2003 and Active Directory use the built-in features of the operating system to establish and maintain trust for a wide variety of business requirements and scenarios, including forest trusts and cross forest trusts.
Windows Server 2003 fully audits trust configuration at a detailed level. Auditable events include the creation, deletion, and modification of trusts.
Public Key Infrastructure Technologies
A different form of trust can be implemented by using a public key infrastructure (PKI). A PKI is a system of digital certificates, certification authorities (CAs), and registration authorities (RAs) that verify and authenticate the validity of each party involved in an electronic transaction by means of public key cryptography. For this to occur, however, each party must trust the issuer of the certificate, most often a CA.
For Windows Server 2003 users, computers, and services, trust in a CA is established when a copy of the CA's root certificate exists in the Trusted Root Certification Authorities store and a valid certification path can be built from the certificate being evaluated to that root. A valid certification path means that every certificate in the path is correctly signed by its issuer, that none of the certificates has been revoked or has expired, and that any constraints placed on the issuing CAs are satisfied. Importing a root certificate into the Trusted Root Certification Authorities store is the most straightforward way to establish a PKI trust for a computer and the applications hosted by that computer.
While the root store certification authority mechanism is fairly easy to deploy, it might not meet the security requirements of complex scenarios for establishing a federated trust between two organizations. One solution is to use qualified subordination.
Qualified subordination allows you to place certificate issuance constraints on subordinate CAs and to place usage constraints on the certificates they issue. By using qualified subordination, you can focus subordinate CAs according to specific certification needs and administer your PKI more efficiently. Qualified subordination also allows you to establish trust between CAs in separate trust hierarchies. This type of trust relationship is also called cross-certification. With this trust relationship, qualified subordination is not limited to subordinate CAs. Trust between hierarchies can be established using a subordinate CA in one hierarchy and the root CA in another hierarchy.
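The following Python model, added for this page (not code from Windows or from the original document), shows how the constraints described above take effect during path building and validation. A relying party that trusts only the Contoso root evaluates certificates issued by a Fabrikam CA that Contoso has cross-certified under qualified subordination: the cross-certificate permits only names under fabrikam.com and no further CAs beneath the Fabrikam issuing CA. Signature verification is modelled by matching key identifiers rather than computed, and the CA names, key identifiers, dates and revocation list are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Added example for this page: a model of certification path building and
# validation with qualified-subordination constraints. Signatures are
# modelled by key identifier matching; names, keys and dates are constructed.


@dataclass
class Cert:
    subject: str
    issuer: str
    key_id: str                     # stands in for the certificate's public key
    signer_key_id: str              # key that signed this certificate
    not_after: date
    is_ca: bool = False
    path_len: Optional[int] = None  # max CAs permitted below this CA
    permitted_dns: Optional[List[str]] = None  # name constraint: DNS suffixes
    dns_names: List[str] = field(default_factory=list)


def validate(leaf: Cert, certs: List[Cert], trusted_root_keys: Set[str],
             revoked: Set[str], today: date) -> Tuple[Optional[List[Cert]], str]:
    """Return (path from leaf to a trusted root, "ok") or (None, reasons)."""
    problems: List[str] = []

    def check_issuer(iss: Cert, chain: List[Cert]) -> Optional[str]:
        if not iss.is_ca:
            return f"{iss.subject} is not a CA"
        if iss.not_after < today:
            return f"{iss.subject} has expired"
        if iss.subject in revoked:
            return f"{iss.subject} is revoked"
        cas_below = sum(1 for c in chain if c.is_ca)
        if iss.path_len is not None and cas_below > iss.path_len:
            return f"{iss.subject} allows {iss.path_len} CA(s) below it, found {cas_below}"
        if iss.permitted_dns is not None:
            for name in leaf.dns_names:
                if not any(name == s or name.endswith("." + s) for s in iss.permitted_dns):
                    return f"{name} violates name constraints of {iss.subject}"
        return None

    def walk(cert: Cert, chain: List[Cert]) -> Optional[List[Cert]]:
        if cert.key_id in trusted_root_keys:       # reached a trust anchor
            return chain
        candidates = [c for c in certs if c.subject == cert.issuer
                      and c.key_id == cert.signer_key_id and not any(c is x for x in chain)]
        if not candidates:
            problems.append(f"{cert.subject} does not chain to a trusted root")
        for iss in candidates:                      # try every issuer certificate
            problem = check_issuer(iss, chain)
            if problem:
                problems.append(problem)
                continue
            found = walk(iss, chain + [iss])
            if found:
                return found
        return None

    if leaf.not_after < today:
        return None, f"{leaf.subject} has expired"
    if leaf.subject in revoked:
        return None, f"{leaf.subject} is revoked"
    path = walk(leaf, [leaf])
    return (path, "ok") if path else (None, "; ".join(problems))


def demo() -> Dict[str, Tuple[bool, str]]:
    today, far = date(2005, 6, 1), date(2010, 1, 1)
    contoso_root = Cert("Contoso Root CA", "Contoso Root CA", "K-CR", "K-CR", far, is_ca=True)
    fabrikam_root = Cert("Fabrikam Root CA", "Fabrikam Root CA", "K-FR", "K-FR", far, is_ca=True)
    # Fabrikam's issuing CA as certified in its own hierarchy ...
    fab_issuing = Cert("Fabrikam Issuing CA", "Fabrikam Root CA", "K-FI", "K-FR", far, is_ca=True)
    # ... and as cross-certified by Contoso under qualified subordination.
    cross = Cert("Fabrikam Issuing CA", "Contoso Root CA", "K-FI", "K-CR", far,
                 is_ca=True, path_len=0, permitted_dns=["fabrikam.com"])
    fab_sub = Cert("Fabrikam Sub CA", "Fabrikam Issuing CA", "K-FS", "K-FI", far, is_ca=True)
    certs = [contoso_root, fabrikam_root, fab_issuing, cross, fab_sub]

    def end_entity(name: str, issuer: str, signer_key: str) -> Cert:
        return Cert(name, issuer, "K-" + name, signer_key, far, dns_names=[name])

    cases = {
        "partner_site": end_entity("www.fabrikam.com", "Fabrikam Issuing CA", "K-FI"),
        "name_outside_constraint": end_entity("www.contoso.com", "Fabrikam Issuing CA", "K-FI"),
        "too_deep": end_entity("intranet.fabrikam.com", "Fabrikam Sub CA", "K-FS"),
        "revoked": end_entity("old.fabrikam.com", "Fabrikam Issuing CA", "K-FI"),
    }
    out = {}
    for label, leaf in cases.items():   # relying party trusts only the Contoso root
        path, reason = validate(leaf, certs, {"K-CR"}, {"old.fabrikam.com"}, today)
        out[label] = (path is not None, " -> ".join(c.subject for c in path) if path else reason)
    return out


if __name__ == "__main__":
    for label, (ok, detail) in demo().items():
        print(f"{label}: {'valid' if ok else 'rejected'}: {detail}")
```

Two design points carry over to real deployments. The path builder must try every certificate for a given CA key, because a cross-certified CA has one certificate from its own root and another from the partner's root, and only the latter reaches the relying party's trust anchor. And the constraints are evaluated against the whole path, so a name or depth that the partner's own hierarchy would accept is still rejected when the path runs through the qualified cross-certificate. A real validator also checks key usage, application and issuance policies, and fetches CRLs rather than consulting a fixed revocation set.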
As organizations grow and evolve, the need for security technologies that help to protect system resources becomes more critical. For example:
A growing number of users have laptop computers, which they are just as likely to use away from the office as at a network-connected desktop.
Many organizations are making business processes more efficient by eliminating paper documents and replacing them with electronic documents that may be more difficult to track or control.
Many organizations are increasing their use of contractors and consultants, and entering partnerships that require a high level of information sharing.
These types of scenarios require organizations to conduct in-depth security audits and evaluations on a regular basis to ensure that existing and potential security threats are addressed to the extent possible.
It is important to evaluate the potential security implications for every network application and technology that you deploy. It is also important to consider the security technologies in Windows Server 2003 any time that you plan to introduce new capabilities in your organization. Security technologies in Windows Server 2003 provide many enhanced security advantages, including the following:
Enhanced single sign-on by means of Kerberos authentication and domain trusts.
Finer-grained access control by means of applications that apply roles-based authorization.
Increased flexibility and security for employees who are traveling and accessing the network remotely, by means of the use of EFS and Routing and Remote Access connectivity.
Improved password protection by means of PKI-enabled smart card authentication or security policy settings that require users to set complex passwords and change them regularly.
The ability to create security groups and GPOs, and to set ACLs on carefully defined sets of resources, so that contractors and business partners receive only the limited access they need.