NT Security Model
To a large extent, today's Windows networks are dependent on the NT security model, unless you use Unix or another operating system to manage all your critical application services. You may be using NT Server Terminal Server Edition, NT Server, NT Workstation, or NT Server Enterprise Edition. In each of these cases, the components that help secure the environment (ensuring that applications don't access processors, files, memory, and I/O resources without appropriate authorization) are
the Security Subsystem
the logon process
the Security Reference Monitor
NT is designed to comply with the Department of Defense (DoD) C2-level security classification. The C2-level classification mandates the following four features:
Discretionary access control In a C2-classified system, the owner of a resource (for example, a file or a directory) controls access to that resource. The operating system can protect itself from the modification of a running system or system files.
Object re-use protection The operating system protects objects so that other processes don't reuse them. For example, the contents of a process's memory address space can't be read after the process finishes its execution. Similarly, when a file is deleted, a user can't access its data.
Mandatory logon Users must log on with a unique user name and a password before being allowed to use the system. The system uses this unique identification to track the activities of the user.
Auditing The Security Subsystem defines access-validation and audit-generation policy and the Security Reference Monitor enforces these policies. As a result, all events can be audited.
Files and Directories
File access permissions control who can use a file and how the file can be used. The following levels of access are available:
No Access No access is allowed.
Read The user can display the file's data and attributes.
Change In addition to having Read access, the user can run the file, display the file's owner and permissions, and change the file's attributes.
Full Access In addition to having Change access, the user can change data in and append data to the file, set all permissions, set any combination of Read, Write, Execute, Delete, and Change permissions, and take ownership.
The permissions are governed by the following rules:
No Access overrides all other permissions.
Permissions are cumulative.
By default, new files and subdirectories inherit the permissions of the directory in which they are created.
The user who creates a file or directory is always its owner and can always control access by changing the file's or directory's permissions.
Members of the Administrators group can always take ownership of a file or directory.
It is always easier to administer security by setting permissions for groups instead of individual users.
To change permissions on a file or directory, you must be the owner.
When you first view the permissions of a new file or directory, the Permissions dialog box shows the permissions inherited from the directory containing the file or directory.
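The rules above (inheritance by new files, explicit Deny overriding cumulative group rights, and the owner or an administrator being the one who changes permissions) still govern NTFS on current Windows, so they can be shown with PowerShell. The following is an added example, not code from the book; it assumes a scratch directory under $env:TEMP, the built-in BUILTIN\Users group, and a session running as the directory's owner or an administrator.

```powershell
# Added example, not from the book. Assumes a writable scratch directory under
# $env:TEMP and the built-in group BUILTIN\Users. Run as the owner or an administrator.
$root = Join-Path $env:TEMP 'ntsec-acl-demo'      # constructed test location
New-Item -ItemType Directory -Path $root -Force | Out-Null

function Show-NtfsAccess {
    param([Parameter(Mandatory)][string]$Path)
    # One row per access-control entry: who, which rights, Allow/Deny, inherited or explicit.
    (Get-Acl -Path $Path).Access |
        Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited
}

# Grant Read on the directory. ContainerInherit + ObjectInherit make new
# subdirectories and files pick the entry up automatically (rule: inheritance by default).
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$dirAcl = Get-Acl -Path $root
$dirAcl.AddAccessRule($readRule)
Set-Acl -Path $root -AclObject $dirAcl

# A file created afterwards carries that entry with IsInherited = True.
$file = Join-Path $root 'report.txt'
Set-Content -Path $file -Value 'constructed sample content'
Show-NtfsAccess -Path $file | Format-Table -AutoSize

# "No Access" is an explicit Deny entry; it overrides every Allow, including
# rights accumulated through group membership.
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BUILTIN\Users', 'FullControl', 'Deny'
$fileAcl = Get-Acl -Path $file
$fileAcl.AddAccessRule($denyRule)
Set-Acl -Path $file -AclObject $fileAcl
Show-NtfsAccess -Path $file | Format-Table -AutoSize

# Audit view: list every Deny entry under the tree, since those are the ones that
# silently lock out users who otherwise hold permissions through a group.
Get-ChildItem -Path $root -Recurse | ForEach-Object { Show-NtfsAccess -Path $_.FullName } |
    Where-Object AccessControlType -eq 'Deny' | Format-Table -AutoSize
```

The first Show-NtfsAccess call demonstrates the inheritance rule; the second shows the Deny entry sitting beside the inherited Allow, which is why the book lists "No Access overrides all other permissions" first. Set-Acl fails for anyone who is neither the owner nor an administrator, matching the ownership rule above.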
Device Security
Three security standards are making their way into most Windows platforms:
External drive devices will have security capabilities. Each removable media device on a NetPC system will be capable of being secured to prevent unauthorized access to data. The device is rendered useless, either electronically or mechanically.
PC cases and switches will have locking capabilities to prevent unauthorized internal access; an OEM-specific method can be implemented, either electronically or mechanically. Usability controls such as volume, brightness, and contrast that are usually configured by the end user may be exempt from this requirement.
Secure, remote management capabilities will allow only authorized levels of access.
These standards arose as a result of NC and NetPC systems.
User Security and Authentication with Windows NT
The Security Accounts Manager (SAM) database stores all user records. Each user has two passwords: the NT password and the LAN Manager-compatible password. The NT password is based on the Unicode character set and is case-sensitive. LAN Manager passwords are always forced into uppercase and therefore are considered to be a security risk. Each password is encrypted twice and stored in the SAM database.
NT, by default, supports two types of challenge/response authentication: NT Challenge/Response and LAN Manager (LM) Challenge/Response. If all the clients in your network are NT computers and you don't have any LAN Manager clients, you may want to disable LM Authentication. To do so, you must install Service Pack 3 and the LM hot fix. Once the Service Pack and hot fix are installed, you can edit the LMCompatibilityLevel value in the Registry key
The LMCompatibilityLevel specifies the type of authentication that can be used. The data type is REG_DWORD and by default is set to 0. When the value is set to 0, NT sends LM and NT authentication. A value of 1 sends NT authentication from a client and, if the server requests it, the client sends an LM authentication. A value of 2 sets authentication so that the LM Challenge/Response is never sent.
Caution: You can't access Windows 95 and Windows for Workgroups computers from an NT computer if LM Authentication is disabled.
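A quick way to audit and set this value is an added PowerShell example (not from the book). The chapter does not print the key path; the script assumes the standard LSA key, HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and maps only the three values the chapter describes. Run it in an elevated session.

```powershell
# Added example, not from the book. The key path below is assumed (the standard
# LSA key); the chapter itself does not print it. Requires an elevated session.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meanings of the three values described in the chapter.
$levelMeaning = @{
    0 = 'Sends both LM and NT responses (default)'
    1 = 'Sends the NT response; sends LM only if the server requests it'
    2 = 'Never sends the LM Challenge/Response'
}

function Get-LmCompatibilityLevel {
    # An absent value behaves as the default of 0.
    $prop = Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.LmCompatibilityLevel
}

function Test-LmAuthenticationDisabled {
    # Level 2 is the highest value the chapter covers; later Windows versions add
    # higher levels that are at least as strict, so 2 or above counts as disabled.
    return (Get-LmCompatibilityLevel) -ge 2
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 2)][int]$Level)
    # Stored as REG_DWORD, as the chapter states. Keep the Windows 95 / Windows for
    # Workgroups caveat in mind before choosing 2 on a mixed network.
    Set-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
}

$current = Get-LmCompatibilityLevel
$desc = if ($levelMeaning.ContainsKey($current)) { $levelMeaning[$current] } else { 'Level not described in this chapter' }
"LmCompatibilityLevel = $current : $desc"
"LM authentication disabled: $(Test-LmAuthenticationDisabled)"
```

Reading the value first, and only then calling Set-LmCompatibilityLevel 2, lets you confirm no Windows 95 or Windows for Workgroups clients still depend on the LM response before you remove it.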
Network Access
Secure network access in Windows networks is accomplished using one or all of the following methods:
Proprietary protocols
Security settings for TCP/IP
Point-to-Point Tunneling Protocol (PPTP)
Encrypted tunnels
Security settings for NT 4.0 and 2000 Server are quite different from each other. In NT 4.0, you can use TCP/IP's Properties, Advanced, and Security settings to define the TCP and UDP ports to which you allow access. Also, in the IP Protocols dialog box, you can define the IP protocol numbers that should be allowed access (6 for TCP, 17 for UDP, etc.).
In 2000 Server, a more robust form of security can be implemented, using IPSEC, the standard secure communications mechanism. (A detailed discussion of IPSEC is beyond the scope of this book; for more information, see the 2000 Server documentation.) To implement IPSEC, right-click My Network Places, and select Internet Protocol (TCP/IP) Properties, Advanced, IP Settings, Options, IP Security, Properties. (You can also load the IPSEC.MSC tool using the Microsoft Management Console (MMC).) Figure 10.7 shows the IPSEC options.
The four available IPSEC security options are
Secure Initiator Accept unsecured communications from any host but respond using IPSEC. If the host doesn't have IPSEC capabilities, communicate in an unsecured fashion (using no encryption) after a timeout period.
Secure Responder Communicate in clear text (no encryption). If other hosts request IPSEC, use IPSEC for the protocol and port for which IPSEC is requested.
Secure L2TP Only Encrypt password and data for L2TP connections but not for traffic for other services. This option requires an L2TP server (typically Unix or NT servers) that supports DES Encryption.
Lockdown Always communicate securely with encrypted data.
You can configure each of these four options and make them active or inactive by right-clicking each from the MMC Details pane. Ports, services, authentication methods, and tunneling servers can all be configured from the MMC.
Security Objects
Security objects essentially describe the user to the system. The access token is a security object. Whenever a user wants to access a resource, an access token is used to identify the user. The access token contains the user's security ID, the user's defined rights, and group membership information.
Some of the main points to remember are
NT represents all resources (files, directories, processes, threads, and windows) as objects.
Only NT can access objects. Applications can't directly access objects; they must go through the security subsystem.
Security objects control and track accesses to objects and prevent monopolization of objects.
If you have installed Service Pack 4 for NT, you can add the Security Configuration Manager (SCM) to your system. SCM lets you more easily control and manage access to various resources. SCM can be used to apply specific security profiles to NT Workstations, Servers, and domain controllers.
Registry Security
Because the Registry is the central repository of configuration, security, and application service information on Windows computers, it's important to secure these files thoroughly. Typically, you need to
protect Registry files
assign access rights to Registry keys
audit Registry activities
secure RPC-related connections
disable connections to Registry files
It's just as important to protect the Registry on workstations as it is to protect it on servers. For some reason, most NT sites seem to protect the servers well but don't protect the workstations' Registries. You can take a few simple steps to prevent users from accidentally or deliberately modifying the Registry.
First, don't allow users to log on as members of the Administrators group. If a specific user has administrative duties, you may create a local group with specific privileges and add that user to that local group. Treat the Administrator account on NT with the same respect as root on Unix.
Special Note: When a user tries to connect to the Registry remotely, NT looks for the winreg subkey. If winreg is in the Registry, the ACL for winreg determines which users can connect to the Registry remotely. To connect to the Registry, a user must have at least read/write permission, including permission to create subkeys and set values. If winreg doesn't appear in the Registry, all users can connect to the Registry remotely. After a user is connected to the Registry, the ACL for each Registry key or subkey determines whether the user can read, edit, add, and/or delete Registry contents.
The winreg subkey must be located in the following Registry path:
By default, winreg is included in the Registry of NT 4.0 Servers only. Administrators can add winreg to the Registry of NT Workstations. For more information, see the appendix to the Windows NT Resource Kit, Supplement One.
The AllowedPaths Registry subkey allows exceptions to the ACL. Here, you can specify paths that users who aren't listed in the winreg ACL can access.
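The winreg check and the workstation hardening described above can be scripted. The following is an added example, not from the book or the Resource Kit: it assumes the standard winreg location, HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg (the chapter leaves the path unprinted), and that the AllowedPaths exceptions live in the REG_MULTI_SZ value named Machine under it. Run it elevated.

```powershell
# Added example, not from the book. The winreg path and the AllowedPaths value name
# "Machine" are assumptions (standard locations the chapter does not print). Run elevated.
$winregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-RemoteRegistryPolicy {
    # Absent key = every user may connect remotely, the case the chapter warns about.
    if (-not (Test-Path -Path $winregKey)) {
        return [pscustomobject]@{ WinregPresent = $false; Entries = @(); AllowedPaths = @() }
    }
    $acl = Get-Acl -Path $winregKey
    # AllowedPaths\Machine lists paths reachable by users not named in the winreg ACL.
    $paths = Get-ItemProperty -Path (Join-Path $winregKey 'AllowedPaths') -Name 'Machine' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinregPresent = $true
        Entries       = @($acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType)
        AllowedPaths  = @(if ($paths) { $paths.Machine } else { @() })
    }
}

function Set-RemoteRegistryAdminOnly {
    # Create winreg where it is missing (NT Workstations, per the chapter) and leave
    # only Administrators on its ACL; Full Control includes Set Value and Create Subkey,
    # the two rights the chapter's procedure grants.
    if (-not (Test-Path -Path $winregKey)) { New-Item -Path $winregKey -Force | Out-Null }
    $acl = Get-Acl -Path $winregKey
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent key
    foreach ($entry in @($acl.Access)) { [void]$acl.RemoveAccessRule($entry) }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $winregKey -AclObject $acl
}

$policy = Get-RemoteRegistryPolicy
if (-not $policy.WinregPresent) { 'winreg missing: all users can connect to the Registry remotely' }
$policy.Entries | Format-Table -AutoSize
$policy.AllowedPaths
```

Get-RemoteRegistryPolicy is the audit half: run it across workstations and any host reporting WinregPresent = False, or an Entries list containing groups other than Administrators, is one where remote Registry access is effectively open. Set-RemoteRegistryAdminOnly applies the restriction; review the AllowedPaths output afterwards, because every path listed there remains reachable regardless of the winreg ACL.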
Use the following procedure to control remote access to the Registry:
In the Special Access dialog box, select Set Value and Create Subkey.
Close the dialog boxes and then the Registry editor.
Secure Services
DCE Compatible Remote Procedure Calls, Windows Sockets, ODBC, and OLE/COM can be used to allow applications and services to communicate with each other. Because security capabilities vary considerably across different applications and services (based on implementation as well as on the fundamental technology itself), it can be a challenge to secure all the various applications that run on a Windows platform. In general, disable any service that isn't being used on servers.