Network attacks are the biggest risk for Windows 2000 servers. Since the release of the old Windows NT 3.1, hackers have been actively looking for bugs in Microsoft Windows operating systems. Tools like SecHole, IISInjector, NAT (NetBIOS Auditing Tool), SMBRelay and L0pthcrack have been developed to reveal passwords, execute actions on a server, forge network connections and degrade system performance. In addition, several critical security vulnerabilities have been recently released for Windows 2000 that can completely expose a network to an intruder.
User-level access control methods (Smart Cards; User Passwords) are not sufficient to protect network attacks because they rely (mostly) on user names and passwords. One computer is usually shared by several users and as a result, the computer is often left logged-on, leaving an open door in the network. If a username and password is intercepted and hijacked, user-level access security cannot stop the attacker from accessing all the confidential resources and systems.
Although the above risks and problems exist, Windows 2000 Server provides several protection features: IPSec (Internet Protocol Security), Terminal Services High Encryption Security, PKI (Public Key Infrastructure), S/MIME (Secure Multipurpose Internet Mail Extensions), Kerberos and L2TP (Layer 2 Tunneling Protocol).
We will explore how using some of these technologies can encrypt and secure all the messages that are transmitted over the network, and defend all data from being intercepted and modified by intruders or malicious users.
To Create Kerberos Account Mappings for Unix Services:
1. Click Start, and then Click Run. The Run… dialog box appears.
2. In the Run… dialog box, type cmd.exe.
3. In the command prompt, type ktpass /princ principalname@yourdomainname /mapuser useraccount /pass complexpassword /out sapsolaris7.keytab, where principalname is the host principal name, useraccount is the host account in Active Directory and complexpassword is the password for the account.
This command generates a UNIX host keytab file, maps the account and sets the service password. After executing the command, join the keytab file with the /etc/krb5.keytab file on the UNIX host. Ktpass is included in the Windows 2000 support tools.
IPSec: The End-to-End Security Solution
Windows 2000 providers support for two types of data protection -network and stored data. Originally designed by the IETF (Internet Engineering Task Force), IPSec is a security protocol that provides data and identity protection for each message that is transmitted over the network (packet). This protocol provides the ability to protect communication links between workgroups, local area networks, branch offices and any remote computer that needs aggressive protection against network attacks.
IPSec has two main goals: to protect network packets and defend them against attacks. By protecting the data so that hackers find it almost impossible to understand, IPSec can prevent sniffer, data modification, denial-of-services and identity spoofing attacks. In addition, though use of cryptography based protection and dynamic key management programs, a verification process is used to establish confidence between the communicating computers and only trusted systems which communicate with each other. The sending computer secures the information prior to transmission, and the receiving computer unsecures the data only after it has been received. This type of protection is especially useful to protect data in a public environment when the network traffic is susceptible to unauthorized monitoring and access.
To Configure IPSec Filters and Rules:
1. Click Start, click Run, type MMC, and then click OK.
2. On the Console menu, click Add/Remove Snap-in.
3. Click Add.
4. In the Add Snap-in dialog box, click Group Policy, and then click Add.
5. Click Local Computer to view the local Group Policy object, or Browse to find the Group Policy object that you want to use.
6. Expand Computer Configuration, Security Settings.
7. Right Click on IP Security Policies on the Local Machine , select Manage IP Filter Lists and Actions.
Windows 2000 IPSec protects each IP packet by adding an additional header to each network message. The Authentication Header (AH) provides verification and certification for the entire packet. It works as a signature for each message that is transmitted. The Encapsulation Security Payload (ESP) provides privacy for the data that is in the packet.
Terminal Services Security: Ensuring Maximum Protection
Terminal Services is now included in the Windows 2000 Server operating system. Terminal Services allows users to access desktops and any installed applications for client computers. This feature is especially useful for remotely managing application servers, developing applications and controlling network resources regardless of where they are located.
Windows 2000 allows to run Terminal Services in two modes, remote administration mode and application sharing mode. Remote administration mode is used mainly to administer and provide maintenance for security administrators. This mode allows only members of the administrators group to log on locally. Application sharing mode allows any client to run programs on the server as if they were running locally.
Network security protection can be increased by using terminal services high encryption mode. Windows 2000 Server can assign one of the three different levels of encryption to client and server connections: Low Encryption, Medium Encryption and High Encryption. Using Low Encryption Mode, traffic from the client to the server is encrypted using the RC4 algorithm and a 56-bit key. Traffic from the server to the client is unencrypted. Low encryption protects sensitive information like passwords and applications data.
To Set Up High Encryption Mode on Terminal Services:
1. Open Terminal Services Configuration, on the Administrative Tools program group.
2. Click Connections, right-click the connection you want to modify, and click Properties.
3. In the Encryption level option, select High.
Medium Encryption and High Encryption secure data sent in both directions, from the client to the server and from the server to the client. This provides a two way secure communication system between client and server.
The main difference between these two modes rely on the encryption strength. Medium Encryption mode uses the RC4 algorithm and a 56-bit key (40-bit for RDP 4.0 clients), while high encryption uses RC4 and a 128-bit key.
About This Section…
Whether you want to learn what network security is, how firewalls work, or how to script a program in C to manage Active Directory security, this section is designed to provide useful and easy to understand articles for all levels of Information Technology professionals. Rather than provide theoretical views and terms of security principles and systems, we will give you straightforward, real-life information to apply at work. Some of the topics that we will put in plain words in our section will be: How to Build a Firewall with Internet Security and Acceleration (ISA) Server, Analyzing and Monitoring Network Attacks with Windows 2000 and Using and Creating Advanced Windows 2000 Security Tools and Utilities with Simple Programs. As a final point, we will focus on providing the depth necessary to pass any Microsoft-related security exam.
*Originally published at 2000Trainers.com
Click here to sign up for FREE Tech. newsletters from murdok!
Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist. His experience includes engaging, managing and implementing large consulting projects for government agencies and companies like Microsoft, Nissan as well as other Fortune 500’s. Leonard can be reached at Leonardo.loro@enresource.com.
