Appendix A2: Operating System Security
Linux Operating System Level Security
Operating System Level Vulnerabilities
Security is very important when a large number of computers or servers are
interconnected in a corporate or enterprise network. Security is also important in
small business networks and home networks. Network operating system (NOS)
security is used to control access to network resources on internal and external
networks and to determine the type of information or resources that users have
permission to access internally or externally. Cisco routers and firewalls are
typically used to implement data transfers, to control internal and external access,
and to enforce the rules for access and data transfers. Cisco routers and firewalls
provide secure and effective defense strategies. However, there are many threats
and vulnerabilities that can impact network systems and servers both internally
and externally. In addition to routers and firewalls, an entirely secure network
includes secure access to end-user systems and servers.
Network security has never been more important than it is now. This is especially
true for large companies. System administrators have reported possible threats
and security risks for years. In the past, it was difficult to convince the people in
charge of corporate budgets to provide for these security risks. Now these large
companies may be threatened by external attacks as well as internal attacks. This
chapter discusses some possible attacks and describes how end-user systems and
servers can be secured to prevent any unauthorized access. Part 1 of this chapter
will discuss Linux operating systems and Part 2 will discuss Windows operating
systems.
The newest releases of Windows and Linux include many sophisticated security
tools. A vulnerability that unprotected network operating systems are exposed to
is the attempt to compromise the file systems. A Linux system may have many
important files and directories that can be exploited by hackers if they are not
properly protected. For example, if a Linux file system is not protected and a
hacker breaks in and is able to access the file system, the hacker could upload
several programs, modify the /bin/login file, and gain unlimited future access to
the server. Unprotected Linux servers are also vulnerable to attacks to their
running processes. Most of the processes that operate on a Linux server do so
with root privileges. When the running processes are exploited by hackers, the
hackers can gain root access to the Linux server.
An unprotected Linux server is also vulnerable to attacks to the various daemons
and processes that are running. This section will discuss some of these threats
and explain how available security tools, secure passwords, and appropriate file
configurations can be used to secure a system against these threats.
2 - 59
Fundamentals of Network Security v 1.1 Appendix A2
Copyright 2003, Cisco Systems, Inc
Securing Running Processes
A Linux server can operate many different processes and daemons that are used
by thousands of users. If these processes and daemons are compromised, it could
cost a company thousands of U.S. dollars in network downtime. For example, a
hacker could compromise a Linux mail server. If a hacker deactivated the
processes and daemons that control the e-mailing functions of a company, such
as the Sendmail daemon, then valuable and irreplaceable e-mails could be lost or
would not be sent. The loss of e-mailing capabilities could cripple some large
corporations or companies that rely on e-mail to conduct daily business.
One method that can be used to secure the processes on a Linux system is the
Linux Intrusion Detection System (LIDS). LIDS is an effective security policy
that can be implemented on a Linux server to prevent attacks that compromise
the root account and allow intruders to gain administrative access. LIDS can
increase security on a Linux server by limiting the root account privileges. LIDS
also offers other security features such as security protection, incident detection,
and incident-response capabilities. LIDS can provide protection in the following
ways:
• Protects files and directories from unauthorized access on any local file
system
• Enables an administrator to select specific files and directories that
cannot be modified by the root user if the system is hacked and the root
account is compromised
• Reduces the privileges of the root account and prevents critical processes
from being terminated by anyone, including the root user
• Prevents I/O operations from being accessed by unauthorized programs
• Prevents the master boot record (MBR) from being damaged
It is almost impossible for any network to close off all of its ports. Some ports
need to be open for information that must be accessed from within a network and
outside of a network. For example, common ports that need to remain open on a
network are FTP, HTTP, and e-mail ports. Intruders can use port scanners to scan
networks for these open ports and gain unauthorized access to a server. LIDS can
detect if an intruder is scanning the ports with a port scanner and will send an e-
mail to notify the system administrator. LIDS can also create notification entries
in security log files if any security rules are violated. If LIDS detects an intrusion
it can terminate the remote session of the attacker.
Installing LIDS on a Linux Server
To install LIDS, a patch must be applied to the kernel and a series of packages
that contain the administrative tools to enhance system security from within the
kernel must be installed. LIDS relies on the kernel for information. Therefore, the
most recent kernel source must be installed before LIDS is installed. The newest
LIDS patch for the kernel source should be downloaded and installed. After the
patch has been applied, the updated kernel will need to be compiled and updated.
The newest kernel sources can be found on the kernel project website, and the
newest LIDS patches can be found on the LIDS project website.
Protecting Daemons
The LIDS installation includes additional security files that can be configured to
enhance security. For example, the /etc/lids/lids.cap file is used to determine
which daemons and processes are operated by the root account.
The /etc/lids/lids.cap file can be used to modify the init process, which controls
important daemon processes, so that it cannot be shut down by the root account.
The /etc/lids/lids.cap file uses plus (+) and minus (-) signs to indicate which
capabilities the root account holds. A plus (+) sign indicates that the root
account has the capability and a minus (-) sign indicates that the root account
does not.
A text editor can be used to change the plus (+) sign in the +30:CAP_INIT_KILL
entry of that file to a minus (-) sign, giving -30:CAP_INIT_KILL. This change
protects the init process from being killed by root.
After this file is edited with all the necessary changes, the LIDS configuration
will need to be reloaded. To do this, enter the following command at the shell
prompt:
/sbin/lidsadm -S
Hiding Running Processes
Another important entry in the /etc/lids/lids.cap file is the CAP_HIDDEN entry.
By default, this entry is enabled, which allows the root to hide a process from the
rest of the system. For example, to protect a Linux Web server that is running the
Apache server process, enter the following command at the shell prompt:
lidsadm -A -s /usr/local/apache/bin/httpd -t -o CAP_HIDDEN -j INHERIT
This command will label the process as hidden. A hidden process cannot be
found with any commands such as ps or top, and will not even show up in the
/proc file system.
Limiting Administrative Capabilities
LIDS can also help secure the processes of a server by disabling administrative
tasks. When the CAP_NET_ADMIN line in the /etc/lids/lids.cap file is disabled,
several common network administration tasks cannot be performed. Some of the
administrative tasks that will be shut off are as follows:
• IP firewall configuration
• Ethernet interface configuration
• Routing table modifications
• Setting debug option on sockets
• Binding to addresses for transparent proxying
• Configuring promiscuous mode
• Clearing driver statistics
• Reading or writing device-specific registers
• Multicasting
This setting is disabled by default and does not allow the root account to operate
any administrative tasks. The default setting is recommended on a server that
must be securely maintained at all times. If any administrative tasks need to be
done, the system administrator can temporarily shut down LIDS to perform the
task. To do this, enter the following command at the shell prompt:
/sbin/lidsadm -S -- -LIDS
Using the Immutable Flag Feature
After LIDS has been installed and all security files such as the /etc/lids/lids.cap
file have been configured, the system processes will have more protection from
an intruder that compromises the root account. However, an experienced intruder
that takes control of the root account could easily open the /etc/lids/lids.cap file
and make the necessary changes to leave the system unprotected. The ext2 and
ext3 file systems have a feature that enables files to be flagged as immutable. A
file with an immutable flag cannot be edited, renamed, or deleted. For example,
to make the /etc/lids/lids.cap file immutable so that it cannot be edited, enter the
following command at the shell prompt:
chattr +i /etc/lids/lids.cap
The root user can change the immutable flag for a file by entering the following
command at the shell prompt:
chattr -i /etc/lids/lids.cap
To prevent the immutable flag from being removed from a file, disable the
CAP_LINUX_IMMUTABLE capability in the /etc/lids/lids.cap file.
File System and Directory Security
It is important to understand the file system and directory structure, permissions,
and security tools of a computer system to protect system integrity and enforce
security. If a system administrator does not understand how the file system is
organized and how to protect sensitive files and directories from an intruder,
virtually the entire contents of a system will be vulnerable to an attack.
The file system is at the core of every computer system. Almost everything that
is done on a computer involves the creation, access, configuration, or deletion of
the files and directories on a computer or server. Most people lack the knowledge
necessary to protect the files and directories that are used on their systems or on a
remote server. This can lead to serious security threats. This section covers some
of the important security implications that are involved with files and directories
and discusses some tools that can be used to secure the file system on a Linux
server.
Permissions
To manage file system security, it is important to understand how permissions
are assigned and changed for files and directories. Two important concepts to
understand about file system permissions related to security are file ownership
and how to change the ownership of files and directories. This section is a brief
review.
By default, any file or directory is owned by the user who created it, and its
group is the default group of that owner. A regular user cannot change the owner of
a file or directory but the root user can with the chown command. The root user
can also change the group ownership of files by using the chgrp command. The
permissions of any file or directory can also be changed by the root user with the
chmod command.
By default, Red Hat Linux sets the permissions for files that are created so that
only the user who creates a file can read, edit, or delete the file. Also, by default,
all users are members of their own default groups, which have the same names as
their usernames. Both of these default settings are used to enhance security. The
permissions are set so that other users and groups cannot read, edit, or delete the
files that have the default permissions set.
Another important practice that will maintain the consistency of user and group
permissions is to only create, modify, or delete users and groups by using the
useradd, usermod, userdel, groupadd, groupmod, and groupdel
commands. User and group accounts can also be managed manually by editing
the /etc/group and /etc/passwd files. However, such edits could result in an
unsecured environment where user or group accounts are left unaccounted for.
Ensuring File System Security
Some basic measures can be taken to ensure that the file system of a Linux server
will be protected. A network administrator can define a system-wide permission
setting, identify the world-accessible files on the server, and configure set-UID
(SUID) and set-GID (SGID) properly.
The Red Hat Linux file system follows the Filesystem Hierarchy Standard
(FHS), which is a common arrangement of the files and directories in UNIX-
based systems that many different developers and groups such as Red Hat have
agreed to use. This definition is from the FHS website.
One file system security requirement of the FHS is that the /usr directory must be
read-only. In Red Hat Linux systems, the /usr directory is not read-only. This is
because when new software is installed, files must be written to the /usr directory
or one of its subdirectories. A read-only /usr directory will significantly enhance
the security of a Linux server by not allowing any of the binaries in the /usr
directory or one of its subdirectories to be modified.
It is easy to make the /usr directory read-only. It involves an edit to the /etc/fstab
file:
1. The first step is to open the /etc/fstab file with a text editor and comment
out the following line by placing a pound sign (#) in front of the line:
LABEL=/usr /usr ext3 defaults 1 2
2. Then create a new line like the following:
LABEL=/usr /usr ext3 ro,suid,dev,auto,nouser,async 1 2
This will tell the system to mount /usr as read-only.
Defining a System-Wide Permission Setting
Security can be further enhanced with the establishment of a system-wide default
permission setting, which is called the mask value. The default mask value can
be changed to edit the default permission settings for all the files and directories
that are created on a server. This is done by using the umask command. The
following lines are used to determine the umask settings for users:
    if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
        umask 002
    else
        umask 022
    fi
This indicates that users with a UID greater than 14 whose primary group name
matches their username, which includes all regular user accounts, get a umask
setting of 002 and a default permission setting of 775 on files and directories
that they create. A UID of 14 or lower, which includes the root account, gets a
umask setting of 022 and a default permission setting of 775.
These default permissions were covered in the previous section. These settings
will allow users to read and execute files and to navigate to new directories that
are created by other users. This may create a security risk. Use the following
steps to change the default umask settings:
1. Use a text editor to open the /etc/profile file and locate the lines in the
previous paragraph.
2. Change the umask 002 value to umask 077. This means that when users
create files and directories they will have a more restrictive 700 permission
mode.
3. Change the umask 022 value to umask 007. This means that when users with
UIDs less than 14 create files and directories, they will have a less restrictive
755 permission mode.
Identify the World-Accessible Files
A world-accessible file or directory is available to any user who is authenticated
on a server. After the default system-wide permissions have been set, it is best to
identify the world-accessible files on a server and remove any unnecessary ones.
The necessity of world-accessible files or directories will depend on the type of
server a system is configured to be. For example, if a system is a Web server or
FTP server then the world-accessible files or directories that are used to allow
access to the Web server or FTP server cannot be removed.
Configuring SUID and SGID
The SUID and SGID settings allow regular users to run SUID programs with the
privileges of another user. These settings are typically used to allow users to run
certain programs or execute certain commands that would normally require root
privileges. This can be convenient. However, it can also pose a security risk. For
example, a system administrator may create scripts that users can run to automate
various tasks that would otherwise be too complicated for a regular user to
implement. Some tasks or commands that need to be executed may require root
privileges. The system administrator can set the UID of the script to root so that
regular users can execute the script. The chmod command is used to change the
settings of the set-uid bit.
For most scripts, this is a safe and effective way to allow users to execute scripts
without giving them root privileges. However, this can make a server vulnerable
to outside attacks. If hackers break into a server, it is possible for them to scan
for SUID programs and find ways to exploit them. Intruders can find the SUID
scripts and examine the source code to learn why each SUID script is required.
Intruders can then use these scripts to initiate an attack, since the scripts are
written to run with root privileges. For example, some SUID scripts are written
so that they write to the root directory. Intruders could easily examine and edit
the code in these scripts so that they cause serious damage to the server when
they are run. Therefore, it may be best to use another method to allow users to
run some scripts as root. This depends on the type of server and the information
that the server contains.
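The umask arithmetic from the system-wide permission section and the checks for world-accessible files and SUID programs from the two sections above, worked through as one added example (Python written for this page, not code from the course material). default_modes() shows the file and directory modes a given umask produces, audit_tree() walks a directory tree and lists world-writable files and SUID/SGID programs, and demo() builds a constructed temporary tree so the code runs offline; a real audit would start at /.

```python
"""Added example (not from the course text): default-mode arithmetic for umask
values and an audit for world-writable and SUID/SGID files in a directory tree."""
import os
import stat
import tempfile


def default_modes(umask):
    """Return (file_mode, dir_mode) produced under the given umask.

    New regular files are requested with mode 0666 and new directories with
    0777; the kernel clears every bit that is set in the umask.
    """
    return 0o666 & ~umask & 0o777, 0o777 & ~umask & 0o777


def symbolic(mode):
    """Render permission bits ls -l style, e.g. 0o750 -> 'rwxr-x---'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def audit_tree(root):
    """Walk root and collect what a permissions review wants to see.

    world_writable: files and directories any user can modify (sticky-bit
                    directories such as /tmp are excluded; that is their design)
    suid / sgid:    regular files that run with the owner's or group's identity
    Paths are returned relative to root, sorted for stable comparison.
    """
    findings = {"world_writable": [], "suid": [], "sgid": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except OSError:
                continue                     # vanished or unreadable: skip
            if stat.S_ISLNK(st.st_mode):
                continue                     # link modes are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings["world_writable"].append(rel)
            if stat.S_ISREG(st.st_mode):
                if mode & stat.S_ISUID:
                    findings["suid"].append(rel)
                if mode & stat.S_ISGID:
                    findings["sgid"].append(rel)
    return {key: sorted(paths) for key, paths in findings.items()}


def demo():
    """Run the audit over a constructed tree (these are not real system files)."""
    with tempfile.TemporaryDirectory() as root:
        def make(rel, mode):
            path = os.path.join(root, rel)
            with open(path, "w") as handle:
                handle.write("sample\n")
            os.chmod(path, mode)

        make("passwd.copy", 0o644)    # owner-writable only: not reported
        make("report.txt", 0o666)     # world-writable: reported
        make("helper.sh", 0o4755)     # set-UID program: reported
        os.mkdir(os.path.join(root, "drop"))
        os.chmod(os.path.join(root, "drop"), 0o1777)  # sticky like /tmp: not reported
        return audit_tree(root)


if __name__ == "__main__":
    for umask in (0o022, 0o002, 0o077, 0o007):
        fmode, dmode = default_modes(umask)
        print(f"umask {umask:03o}: files {fmode:03o} ({symbolic(fmode)}), "
              f"directories {dmode:03o} ({symbolic(dmode)})")
    print(demo())
```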
Tripwire
Tripwire is a file-and-directory integrity checker. It is used to ensure that all the
files and directories on a system are working properly, do not contain any errors,
and have not been damaged by a hacker. Tripwire first creates a database of
signatures for all the files and directories on a system. Tripwire can be run again
to create a new database of signatures for the current state of files and directories
on a system. Tripwire then compares the new signatures with the old signatures
to determine if any discrepancies exist. If any inconsistencies are found, it will
report the file or directory name with information about the discrepancy. This
method can be used to determine which files have been damaged if a hacker
breaks into a system.
Tripwire must be installed when a server is being built to ensure the security of
the file system. Use the following guidelines to create a new server system:
• Do not hook a server up to the network or Internet while it is being built,
until it is absolutely necessary. This will help prevent any viruses or
other threats to the security of a system.
• Run Tripwire to create a database of all the important system files,
configuration files, and binaries.
• Back up the database to removable media such as a zip disk or a CD-R.
This will prevent the original database from being corrupted.
• Configure Tripwire to run as a cron job daily, weekly, or monthly with
the version that was backed up to the removable media.
Where to Find Tripwire
A version of Tripwire is included with Linux installation disks. A free version
can also be downloaded from the Internet or from the Tripwire Open Source
development website at http://soundforge.net/projects/tripwire/.
Configuring Tripwire
After the newest version of Tripwire has been downloaded and the binary
packages have been installed, some configuration is still necessary for it to work
properly. One of the first configurations is to set the local pass phrase. This pass
phrase is an important step because it encrypts the Tripwire database and report
files that are created when the program is run.
The next phase of Tripwire configuration is to define the rules that Tripwire will
use to perform file system integrity checks. This will create the policy file. These
are the rules that determine which files and directories to check and what kind of
checks will be performed. Each rule that is created is given a name and a severity
level. If a rule does not pass the integrity check, the severity level indicates if the
problem is major or minor. There are a few guidelines to follow when the rules
for the policy file are created:
• Never create more than one rule that applies to the same directory. Use
one rule for each file or directory.
• When rules are created for subdirectories within a directory, the more
specific rule will be applied. For example, if a rule is created for the
/etc/rc.d/ directory and another rule is created for the /etc/rc.d/init.d
directory, the /etc/rc.d/init.d directory will use the rule that is applied to
that directory and not the rule that was applied to the /etc/rc.d/ directory.
Creating the Database
It is important to create the database on a server that is completely free of any
infections. It is best to create a database on a server when it is first built and not
connected to the network or Internet. To begin creating the signature database,
run the following command from the shell prompt:
/usr/sbin/tripwire --init
This command will apply the rules that were created in the policy file located in
the /etc/tripwire/tw.pol file. The database will be created in the
/var/lib/tripwire/k2.intevo.com file; the database file is named after the
hostname of the server, here k2.intevo.com. After the database has been created, the
database should be copied to a portable medium such as a CD-R disk, zip disk, or
floppy disk.
Protecting the Tripwire Database
After the signature database has been created, it needs to be protected. The
integrity of the file system depends on the integrity of the database that checks it.
It is possible for a hacker to modify the Tripwire binary files or the policy file to
hide any traces of a break-in. To protect the database, it is necessary to create a
separate set of signatures to check the integrity of the Tripwire binary files and
policy file. To do this, run the following two commands from the shell prompt:
/usr/sbin/siggen -a /usr/sbin/tripwire
/usr/sbin/siggen -a /etc/tripwire/tw.pol
It may also be necessary to create a set of signatures for the siggen utility. If
Tripwire is not working or a break in has been detected, run these two commands
and verify that the Tripwire program and policy files are intact. If the signatures
do not match, replace them with new copies, which should be located on the
removable media, and investigate how the files became corrupted.
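The Tripwire workflow described in the sections above (initialize a signature database, compare later runs against it, and protect the database itself) reduced to a small added example in Python. This is not Tripwire's code: the file tree, pass phrase and salt are constructed for the example, and an HMAC tag over the serialized database stands in for the local-key protection Tripwire applies to its own database.

```python
"""Added example (not Tripwire's code): a minimal integrity checker following the
Tripwire workflow on this page. init_database() records a signature for every
file, check() compares a later scan against it, and seal_database()/open_database()
bind the database to a local pass phrase so that a tampered database is rejected."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Constructed, fixed salt for the pass-phrase derivation in this example.
_SALT = b"example-local-key-salt"


def file_signature(path):
    """Content hash plus the metadata Tripwire-style rules usually watch."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
            "uid": st.st_uid}


def init_database(root):
    """Equivalent of 'tripwire --init': signatures for every regular file under root."""
    database = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            database[os.path.relpath(path, root)] = file_signature(path)
    return database


def _key_from_passphrase(passphrase):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), _SALT, 100_000)


def seal_database(database, passphrase):
    """Serialize the database and append an HMAC tag keyed from the pass phrase.

    Tripwire protects its database with the local key; the HMAC here provides
    the tamper-detection half of that protection.
    """
    body = json.dumps(database, sort_keys=True).encode()
    tag = hmac.new(_key_from_passphrase(passphrase), body, "sha256").hexdigest()
    return body + b"\n" + tag.encode()


def open_database(blob, passphrase):
    """Verify the tag before trusting the database; raise if it does not match."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(_key_from_passphrase(passphrase), body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("database rejected: wrong pass phrase or tampered file")
    return json.loads(body)


def check(root, database):
    """Equivalent of 'tripwire --check': report added, removed and modified files."""
    current = init_database(root)
    before, after = set(database), set(current)
    return {"added": sorted(after - before),
            "removed": sorted(before - after),
            "modified": sorted(p for p in before & after if database[p] != current[p])}


def demo():
    """Baseline a constructed tree, change it, and show what the check reports."""
    passphrase = "local pass phrase"   # constructed for the example
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            with open(os.path.join(root, rel), "w") as handle:
                handle.write(text)

        write("login", "original login program\n")   # constructed stand-ins,
        write("hosts", "127.0.0.1 localhost\n")      # not real system files
        write("motd", "welcome\n")
        sealed = seal_database(init_database(root), passphrase)

        # Changes that the next check must surface.
        write("login", "replaced login program\n")
        write("extra.bin", "file that was not in the baseline\n")
        os.remove(os.path.join(root, "motd"))
        report = check(root, open_database(sealed, passphrase))

        # A database whose tag was altered by one character must be rejected.
        altered = sealed[:-1] + (b"0" if sealed[-1:] != b"0" else b"1")
        try:
            open_database(altered, passphrase)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```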
Updating the Database
The Tripwire database will need to be updated whenever a change is made to the
file system, a configuration file is modified, or a file is removed that Tripwire is
monitoring in its database. If the database is not updated, it will generate a
violation report when it runs the integrity checks on the files that were changed.
There are two ways that the update can be done:
• Run the /usr/sbin/tripwire --init command from the shell prompt to
reinitialize the database.
• Run the /usr/sbin/tripwire --update command from the shell prompt to
update the database.
The database will also need to be updated if any changes are made to the policy
file. To update the Tripwire policy file without reinitializing the entire database,
enter the following command at the shell prompt:
/usr/sbin/tripwire --update-policy /etc/tripwire/tw.pol.txt
Receiving Tripwire Report Automatically
It is possible to configure Tripwire to automatically e-mail reports about any
violations to the system administrator. This feature is helpful when many servers
are being managed. Tripwire can also be set to run integrity checks that run in
scheduled cron jobs. To receive e-mails when violations are detected, the
emailto attribute must be added to every rule that is created in the policy file.
After the attribute has been added to the rules, the /etc/tripwire/twcfg.txt file
must be configured properly with the e-mail settings for the e-mail account of the
system administrator. Then this file needs to be rebuilt. To do this, enter the
following command at the shell prompt:
/usr/sbin/twadmin --create-cfgfile /etc/tripwire/twcfg.txt
To send a test e-mail to confirm that the file has been configured properly, enter
the following command at the command prompt:
/usr/sbin/tripwire -m t --email emailaddress
Authentication Security
Linux authentication security is a vast subject. There are many different ways to
authenticate users in a Linux system and there are many different authentication
security techniques. To select the best technique, first determine what kind of a
server is being built. If it will be a Telnet or remote access server, then a form of
Secure Remote Password (SRP) or OpenSSH authentication can be used. If the
server is a Web or FTP server, then a form of OpenSSL authentication should be
used. If the server is a NIS server or a file server running Samba, then a form of
OpenSSH or Shadow Password authentication should be used. All the details
about each authentication security method would go beyond the scope of this
course. There are entire books and courses related to each method. This section
will focus on the main points and processes that different authentication security
methods use to enhance server security and prevent unauthorized access to an
operating system.
Shadow Passwords
Authentication security is intended to control user-access risks. Authentication
security in a Linux system is somewhat difficult to manage because it involves
the creation of user accounts on a server, which is a security risk. It is not practical
to completely remove all user access to a Linux server. In a Linux installation, it
is important to understand the risks involved in user access. It is very easy for an
experienced hacker to retrieve Linux user information. A hacker can use a sniffer
program to sniff IP packets moving in and out of a network that contain user
account names and passwords. The hacker can use this information to break into
the network.
Shadow Passwords are used so that the file that contains the user account and
password information cannot be accessed. Red Hat Linux uses the Shadow
Password scheme by default, which makes it easy to implement. This scheme
prevents passwords from being stored in a world-readable file like /etc/passwd.
Passwords are stored in the /etc/shadow file in an encrypted form.
The pwck command should also be used to check the integrity of the /etc/passwd
file and /etc/shadow file.
Another important security feature that will enhance authentication security is to
turn off the Telnet service. In Red Hat Linux, the Telnet service is on by default.
Telnet uses clear-text authentication and does not use Shadow Passwords. This
leaves the Linux server vulnerable to hackers that use sniffer programs to detect
passwords.
OpenSSH
The FTP, POP, and IMAP protocols send password information in encrypted
form by default. Other protocols do not. There are other ways to securely encrypt
passwords and data. One method is the Secure Shell (SSH) protocol. The
SSH protocol is designed to be secure and prevents a password from being used
even if it is intercepted.
SSH provides another method of secure authentication to a server. SSH can store
a special key on the server and one on the client. The client uses this key, instead
of a password, to authenticate to the server. This configuration provides a secure
means of authentication. However, there are some security risks involved. For
example, if an intruder gained access to a client computer, then the intruder could
gain access to the server.
It is also important to mention the r-commands for password authentication. The
r-commands are the rlogin, rsh, and rcp commands. These commands allow
users on UNIX or Linux systems to log in to, run programs on, and copy files to
or from other UNIX or Linux systems without authentication. To accomplish
this, a .rhosts file is created in the home directory of a user. This file contains
lists of other hosts that are trusted. The trusted hosts can gain access to a server
without the need to be authenticated. This form of authentication can also result
in some security issues and care should be taken when the list of trusted hosts is
created.
OpenSSL
The Secure Sockets Layer (SSL) protocol is another way to secure communications on
a network. A disadvantage of OpenSSL is that it operates at the application layer.
Therefore, it must be supported by the user application.
OpenSSL was developed by Netscape to provide security for its Web browser.
OpenSSL uses public and private key encryption.
Although OpenSSL is often referred to as public key encryption, the correct term
is public/private key encryption. This is because SSL encryption uses two keys,
referred to as a key pair. One key is published and is widely available. The other
key is private and known only to the user. Users need both keys to complete the
secure communication. This type of encryption is also referred to as asymmetric
encryption. The following example discusses the use of public/private
encryption.
Carol and Ted exchange their public keys. It does not matter if the exchange is
not secure because the messages cannot be deciphered with just the public key.
Carol wants to send a message to Ted, so she encrypts the message with Ted's
public key. A public key is associated with one private key. This private key is
required to decrypt a message that was encrypted with the public key. A public
key is required to decrypt a message that was encrypted with the corresponding
private key.
Ted can use his private key to decrypt the message from Carol since it was
encrypted with his public key. Notice that only Ted's public and private keys
were used in this encryption process.
If Carol had used her private key to encrypt the message, anyone could use her
public key to decrypt the message.
Both keys of the same key pair must be used for this encryption to work, and no
user needs to know the private key of another user.
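The Carol and Ted exchange above, carried through in code as an added example (not part of the course material). Textbook RSA with deliberately tiny constructed primes shows that a message encrypted with Ted's public key is readable only with Ted's private key, that Carol's own keys cannot recover it, and that a message Carol encrypts with her private key can be read by anyone holding her published public key.

```python
"""Added example (not from the course text): the Carol and Ted exchange worked
through with textbook RSA on tiny primes. The numbers are far too small for real
use; they only make the key-pair relationships in the text concrete."""


def make_keypair(p, q, e=17):
    """Return (public, private) for primes p, q: public = (e, n), private = (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, blocks):
    """Raise each block to the key exponent modulo n.

    The same operation encrypts with one key of a pair and decrypts with the
    other, which is why either key can undo what the other did.
    """
    exponent, n = key
    return [pow(block, exponent, n) for block in blocks]


def encrypt(key, text):
    """Encrypt one byte per block (a teaching simplification, not how SSL does it)."""
    return apply_key(key, list(text.encode()))


def decrypt(key, blocks):
    """Reverse encrypt(); return None when the result is not a valid byte string."""
    values = apply_key(key, blocks)
    if any(value > 255 for value in values):
        return None
    try:
        return bytes(values).decode()
    except UnicodeDecodeError:
        return None


def demo():
    """Carol sends a confidential message to Ted, as in the text above."""
    ted_public, ted_private = make_keypair(61, 53)      # constructed small primes
    carol_public, carol_private = make_keypair(47, 71)
    message = "Meet at noon"

    # Carol encrypts with Ted's public key; only Ted's private key reverses it.
    for_ted = encrypt(ted_public, message)
    result = {
        "ted_reads": decrypt(ted_private, for_ted),
        # Carol's keys belong to a different pair and do not recover the text,
        # and Ted's public key cannot undo its own encryption either.
        "carol_private_reads": decrypt(carol_private, for_ted),
        "ted_public_reads": decrypt(ted_public, for_ted),
    }

    # Had Carol used her private key instead, anyone holding her public key
    # (which is published) could read the message.
    with_carol_private = encrypt(carol_private, message)
    result["anyone_with_carol_public_reads"] = decrypt(carol_public, with_carol_private)
    return result


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```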
Linux Infrastructure Level Security
Securing Samba
There are four different levels of Samba security. Each level has different rules
for client/server authentication. The four Samba security levels are as follows:
• User
• Share
• Server
• Domain
The security parameter in the global section of the smb.conf file is used to set the
security level.
User-Level Security
User-level security is the default level in Samba. If this type of authentication is
used, the Samba server will only accept or reject user access based on username
and password information. This type of Samba authentication security does not
offer any way to control user access to resources on the Samba server after the
correct username and password have been provided.
User-level Samba authentication security uses Pluggable Authentication Modules
(PAM) to authenticate users to the Samba server. This means that the /etc/passwd
or /etc/shadow files are used to verify that users have entered a correct username
and password. There are many programs on a Linux system such as Samba that
use PAM to handle authentication. In the newest releases of Linux, most of the
programs that require user authentication have PAM built into them. This allows
system administrators to use multiple types of authentication schemes for a single
application. In previous versions of Linux, system administrators that wanted to
implement different authentication schemes for a program had to update and
recompile the privilege-granting program. With PAM, Samba can understand the
Shadow Password scheme it uses for authentication. Samba will use the PAM
library for user-level security authentication.
Share-Level Security
To configure share-level security in a Samba server, the security parameter in the
smb.conf file must be set to share. With this type of security, clients must enter
a password for each shared drive that they want to access. System administrators
can use share-level security to protect certain files or directories in the Samba file
server. Users do not have to enter multiple usernames because Samba will match
previously given usernames and will use the /etc/passwd or /etc/shadow files to
authenticate users and verify that they have entered the correct username and
password.
One advantage of share-level security is that a user account does not need to be
created for each user on the Samba server. System administrators can set the
guest account parameter to sambaguest in the smb.conf file to create one user
account called sambaguest and create passwords for the various shares to control
access to certain files and directories.
Server-Level Security
When server-level security is implemented on a Samba server, users must enter a
username and password just as they would in user-level security mode. To users,
the session will be established and appear to run exactly as it would in user-level
mode. However, the authentication process is passed on to an external password
server, which is typically a Windows 2000 server, to check the username and
password and handle the authentication process. The external server can also be
another Samba server, which operates in user-level security mode. Server-level
Samba authentication can be used to enhance security since user accounts do not
need to be created on the Samba server. Server-level security can use encrypted
passwords. However, this option must be set on both the Samba server and the
external password server. To configure Samba for server-level security, set the
security parameter in the smb.conf file to server.
Domain-Level Security
Domain-level security uses the same methods as server-level security with a few
exceptions. User authentication to the Samba is handled by an external password
server. However, the dedicated connection is not maintained like it is in server-
level security. The Samba server connects to the remote password server for as
long as it needs to authenticate the user and then disconnects. Another difference
is that the Samba server can use the trusted domain feature if the password server
is a Windows 2000 server that is a member of a Windows 2000 domain or is a
Windows 2000 domain controller. To configure Samba for domain-level security,
the security parameter in the smb.conf file needs to be set to domain and the
Windows 2000 domain name and Samba NetBIOS name must be entered in the
smb.conf file.
Additional Samba Security Tasks
In addition to the four levels of security that a Samba server can use, some other
tasks and methods that can be implemented to enhance security are as follows:
• Use encrypted passwords instead of plain-text passwords.
• Allow users to access the server from trusted Windows 2000 domains.
• Use OpenSSL for Samba access control by network interface, hostname,
or IP address.
Plain-text passwords should never be used for Samba authentication, yet
plain-text authentication is the Samba default. A Samba server can easily be
configured to use encrypted passwords instead of plain-text passwords. The first
step is to uncomment the encrypt passwords = yes and smb passwd
file = /etc/samba/smbpasswd lines in the smb.conf file.
The second step is to create the smbpasswd file to store the encrypted passwords.
The actual passwords are not stored in the smbpasswd file. Only the encrypted
versions of the passwords are stored. Complete the following steps to create the
smbpasswd file:
1. Log in as the root user.
2. Enter the following command to create the smbpasswd file.
cat /etc/passwd | /usr/bin/mksmbpasswd.sh > /etc/samba/smbpasswd
3. Create Samba user accounts the same way that regular user accounts are
created. However, use the smbpasswd command instead of the passwd
command to create the password for the Samba user. This will use encrypted
passwords instead of plain-text passwords.
To allow users to access the Samba server from trusted domains, configure the
Samba server in domain-level security mode. This security feature is helpful
when a trust relationship has already been established between Windows 2000
domain controllers. When a Linux Samba server is installed in a domain, users
from a separate, trusted domain can be authenticated to the Samba server with
their Windows 2000 active directory authentication username and password.
Samba access can also be controlled by network interface. This is useful for a
Samba server that has two network interface cards (NICs). In the smb.conf file,
the interfaces parameter will need to be configured with the IP address of
the interface that will allow Samba access and the bind interfaces only
parameter will need to be set to yes.
The use of OpenSSL to control Samba authentication is probably the most secure
way to allow users to access a Samba server. The OpenSSL process uses public
and private keys instead of usernames and passwords for authentication. To use
OpenSSL, the Samba program needs to be recompiled and configured with SSL.
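The three settings just described (the security level, encrypted passwords, and binding to a single interface) can be checked against a running server's smb.conf. The script below is an added example written for this appendix; it is not course material and not part of the Samba project. It parses the [global] section with awk and reports each setting that the text says to change. The sample smb.conf is constructed for the example (it deliberately shows the weak settings); the parameter names security, encrypt passwords, interfaces and bind interfaces only are the real smb.conf names.

```shell
#!/bin/sh
# Added example: audit the [global] section of smb.conf for the settings
# discussed in the text. The configuration below is constructed for this
# example and deliberately shows the weak settings.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   security = share
   ; encrypt passwords = yes
   ; smb passwd file = /etc/samba/smbpasswd
   interfaces = 10.0.2.15/24
[public]
   path = /srv/public
   guest ok = yes'

# smb_global_value FILE KEY -> prints the value of KEY in [global] (first
# uncommented match, key compared case-insensitively), or nothing if unset.
smb_global_value() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                 # ; and # start comments
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# smb_audit FILE -> one finding per line, or "OK" when nothing was found.
smb_audit() {
    file=$1; findings=""
    level=$(smb_global_value "$file" security | tr 'A-Z' 'a-z')
    if [ -z "$level" ]; then level=user; fi      # Samba's default level
    case "$level" in
        share) findings="${findings}security = share: per-share passwords give no per-user accountability
" ;;
        user|server|domain) ;;
        *) findings="${findings}security = $level: unrecognised level
" ;;
    esac
    enc=$(smb_global_value "$file" "encrypt passwords" | tr 'A-Z' 'a-z')
    case "$enc" in
        yes|true|1) ;;
        *) findings="${findings}encrypt passwords is not yes: plain-text password authentication
" ;;
    esac
    if [ -n "$(smb_global_value "$file" interfaces)" ] &&
       [ "$(smb_global_value "$file" "bind interfaces only" | tr 'A-Z' 'a-z')" != yes ]; then
        findings="${findings}interfaces is set but bind interfaces only is not yes: Samba still listens on every NIC
"
    fi
    if [ -z "$findings" ]; then echo OK; else printf '%s' "$findings"; fi
}

# Usage on a real server: smb_audit /etc/samba/smb.conf
```

Run as root against /etc/samba/smb.conf; an empty security line is reported as user, which is the default the text gives, so only an explicit share setting is flagged.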
Securing NFS
There are several security issues that must be considered when a Network File
System (NFS) server is installed in a Linux network. Several different methods
can be used to enhance the security of an NFS server:
• Grant read-only access to exported directories.
• Disable access to certain directories.
• Secure the portmap setting.
• Limit root privileges.
Granting Read-Only Access
NFS shares are exported from an NFS server to an NFS client. The ro parameter
must be applied to the file system or directory that is exported to the NFS client
to allow read-only access privileges. For example, to apply this parameter to the
/www directory for the webdev.cisco.com client, use the following syntax:
/www webdev.cisco.com(ro)
Disabling Access to Directories
When file systems or directories are exported to an NFS client and restrictions
such as read-only access are assigned, the same restrictions are applied to all of
the subdirectories. In many situations, this is not desirable. In these instances, the
noaccess parameter can be added to the directories and subdirectories that will
remain restricted to clients that are using the exported file system or directory.
Use the following syntax to apply the parameter to a subdirectory of the /www
directory for the webdev.cisco.com client:
/www webdev.cisco.com(ro)
/www/webadmin_access(noaccess)
Securing the Portmap Setting
The portmap setting can be used to control access to Linux NFS shares. When
the ALL parameter is used for the portmap setting in the /etc/hosts.deny file, a
system administrator can restrict access to an exported file system or directory
for all users. The /etc/hosts.allow file can then be used to allow access to certain
hosts from specified networks. Only use network IP addresses to specify which
hosts have access. Errors can occur if specific hostnames are entered. Use the
following entry in the /etc/hosts.deny file:
portmap: ALL
Use the following entry in the /etc/hosts.allow file to allow access from the
10.0.2.0/255.255.255.0 network:
portmap: 10.0.2.0/255.255.255.0
Limiting Privileges of the Root Account
The root account privileges should be limited to increase security on a Linux
server. This will limit the amount of damage that can occur if a hacker breaks
into the server and compromises the root account. This type of attack can make a
system administrator virtually defenseless. Therefore, it is best to limit, restrict,
or eliminate any privileges of the root account. Two methods that can be used to
limit the privileges of the root account are to explicitly deny root control, which
is referred to as squashing the root user, and to use the NOSUID and NOEXEC
options.
By default, Linux prohibits root privileges on the NFS client from being treated
as root on the NFS server. This means that any file that is owned by the root user
on the NFS server cannot be modified by the root user on an NFS client. These
properties can be enforced for any exported file system or directory. To explicitly
enforce this policy on the /admin_access directory use the following syntax in the
/etc/exports file:
/admin_folder webdev.cisco.com(rw,root_squash)
When this parameter is entered on exported file systems or directories, the root
account in the NFS client will not be able to access or modify any exported file
system or directory. Only the root account on the NFS server can access or
modify them.
A system administrator can use the NOSUID option to disable set-UID programs
on the NFS share by using the nosuid parameter in the /etc/exports file. The
syntax for this is as follows:
/admin_folder webdev.cisco.com(rw,root_squash,nosuid)
The NOEXEC option will prevent any files or programs from being executed on
the NFS share.
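The export options and the portmap entries above are easy to get wrong in ways that are not visible from the client. The following script is an added example for this appendix, not course material and not part of the nfs-utils or tcp_wrappers projects. It reads an /etc/exports file and reports exports with no client list or a wildcard client, exports with no_root_squash, and rw exports without nosuid; a second function checks that hosts.deny carries the portmap: ALL default deny and that the portmap clients in hosts.allow are addresses rather than hostnames, as the text recommends. All sample files are constructed and contain deliberate weaknesses.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file and the portmap entries in
# hosts.deny / hosts.allow for the issues discussed in the text. The sample
# files are constructed for this example and contain deliberate weaknesses.
SAMPLE_EXPORTS='# constructed /etc/exports
/www                  webdev.cisco.com(ro)
/www/webadmin_access  webdev.cisco.com(noaccess)
/admin_folder         webdev.cisco.com(rw,root_squash,nosuid)
/backup               *(rw,no_root_squash)
/scratch              10.0.2.0/255.255.255.0(rw)'

# nfs_exports_audit FILE -> one finding per line (nothing when clean).
nfs_exports_audit() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            dir = $1
            if (NF == 1) { print dir ": no client list, any host may mount it"; next }
            for (i = 2; i <= NF; i++) {
                spec = $i; host = spec; opts = ""
                if (match(spec, /\(.*\)/)) {          # split "host(opt,opt)"
                    host = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                if (host == "" || host == "*") print dir ": client \"" host "\" matches any host"
                rw = 0; nrs = 0; nosuid = 0; noaccess = 0
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") nrs = 1
                    if (o[j] == "nosuid") nosuid = 1
                    if (o[j] == "noaccess") noaccess = 1
                }
                if (noaccess) continue                # nothing is exported here
                if (nrs) print dir ": " host " has no_root_squash (client root is root on the server)"
                if (rw && !nosuid) print dir ": " host " is rw without nosuid (set-UID files are honoured)"
            }
        }' "$1"
}

# portmap_policy DENYFILE ALLOWFILE -> findings: missing default deny, or
# portmap clients in hosts.allow written as hostnames instead of addresses.
portmap_policy() {
    if ! grep -Eiq '^[[:space:]]*portmap[[:space:]]*:[[:space:]]*ALL' "$1"; then
        echo "hosts.deny: no 'portmap: ALL' default-deny entry"
    fi
    grep -Ei '^[[:space:]]*portmap[[:space:]]*:' "$2" | cut -d: -f2- | tr ',' '\n' |
    while read -r client; do
        [ -n "$client" ] || continue
        case "$client" in
            *[!0-9./]*) echo "hosts.allow: portmap client '$client' is a hostname, use an address" ;;
        esac
    done
}

# Usage on a real server:
#   nfs_exports_audit /etc/exports
#   portmap_policy /etc/hosts.deny /etc/hosts.allow
```

The noaccess entry is skipped on purpose: it exports nothing, so its other options do not matter. Note that the exports parser expects the option list to follow the client with no space, which is the form the text's examples use.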
Securing the Xinetd Daemon
The xinetd daemon starts, stops, and runs many important services that are used
on a typical Linux server. For example, the xinetd daemon runs FTP, Apache,
HTTP, Sendmail, and POP3. On most large networks, only one of these services
will handle the workload. There is usually one or more dedicated Web servers for
Internet or Intranet services. There may also be one or more dedicated e-mail
servers to send and receive e-mail. When the xinetd daemon handles the only
service operating on a Linux server, it is important to enforce effective security
measures. The xinetd daemon is a common target for intruder attacks. If the
xinetd daemon is compromised the entire server can be shut down or severely
damaged.
Some common security measures that will help protect the xinetd daemon are as
follows:
• Strengthen the default configurations.
• Control access by hostname, IP address, or time of day.
• Take steps to reduce the risks of Denial-of-Service (DoS) attacks.
Xinetd Default Settings
The default settings of the xinetd daemon are in the /etc/xinetd.conf file. This file
has no security settings by default. The general rule is to limit access to the users
that need it. The default settings of this file violate this rule. To deny access to
everyone, add the following line to this file:
no_access = 0.0.0.0/0
This IP address configuration covers the entire range of possible addresses and
the no_access attribute states that any system that attempts to get access to the
xinetd daemon from that IP address will be denied. The next step is to enable
configuration so that access can be granted to the users that need access.
The first recommendation is to change the instances parameter from the default
value of 60 to a more manageable number such as 15 or 20. This parameter
indicates the number of simultaneous connections that can be made at the same
time. This number may need to be adjusted.
Next, add the line per_source = 10 to the /etc/xinetd.conf file. This will
limit the number of connections that one remote host can make to a service.
Finally, disable the r* services. These are remote access commands such as
rlogin, rsh, and rexec. These commands are not secure and should not be
used. These commands can be deleted by adding the following line to the
/etc/xinetd.conf file:
disabled = rlogin rsh rexec
After the default settings in the /etc/xinetd.conf file have been configured
properly, the xinetd daemon can be started. Service-specific configuration files
can then be used to allow access to users or addresses that require access. This
process will be explained in the following sections.
Filtering Access by Hostname, IP Address, or Time of Day
The xinetd daemon can easily control access by using hostnames or IP addresses.
In the past, this was a complicated process that required entries to be made in the
/etc/hosts.allow and /etc/hosts.deny files. The xinetd daemon can handle this
process internally.
Every service that xinetd controls has its own service configuration file. For
example, to control user access to the Telnet service, the /etc/xinetd.d/telnet file
must be configured with the appropriate settings. If a system administrator wants
to restrict Telnet access to users on the internal network with an IP address of
10.3.2.0/24, the following lines must be added to the /etc/xinetd.d/telnet file:
# only allow access from the 10.3.2.0/24 subnet
only_from = 10.3.2.0/24
The only_from attribute is used to specify which hosts, subnets, or IP
addresses will be allowed access.
The only_from attribute can also be used to allow access from specific IP
addresses or hostnames. The IP addresses or hostnames of the systems that will
be allowed access will need to be entered. Any number of entries can be entered.
The no_access attribute can be used to disable access for a particular subnet
of IP addresses, a single IP address, or a set of hostnames. The syntax for the
no_access attribute is as follows.
# Don't allow access from the 192.168.1.0/24 subnet
no_access = 192.168.1.0/24
The access_times attribute is used to restrict access times. When access
times are restricted, the time indicated shows when access is allowed, not when
access is restricted. This feature can be helpful if a server requires maintenance
or a system backup. Security is not the only reason to limit access times for
certain services. The syntax for the access_times attribute is as follows:
# Allow access only during the following hours
access_times = 07:00-20:00
Reducing DoS Attacks
DoS attacks are a common threat. A typical DoS attack will overwhelm server
resources and cause a server to lock up, crash, or become so slow that legitimate
access cannot be granted. There are several xinetd security features that can be
enforced to reduce the risk of a DoS attack. It is difficult to prevent all DoS
attacks but the following methods will help reduce the risks.
The number of instances of a service that can be opened concurrently can be
reduced to lower the chance that a DoS attack can completely consume all the
system resources.
The size of log files can be limited to reduce the risk of a DoS attack. Many of
the xinetd daemon services add entries to a log file when a user accesses them.
An attacker that understands this process can send many requests to a daemon,
which will write log file entries, and can overwhelm the server. To limit a log file
size to 10 MB and receive a warning when the size has reached 8 MB, use the
following syntax:
log_type = FILE /var/log/xxxxx.log 8388608 10485760
The xxxxx.log represents the log file that needs to be limited.
A limited rate of connections will also help reduce the risk of DoS attacks. This
will limit the number of times xinetd can start per second. There are two numbers
that need to be entered. The first number controls the frequency and the second
number specifies how long xinetd will wait after the limit has been reached. The
syntax for this would be as follows:
# Only 10 connections per second
cps = 10 60
In the preceding example the maximum number of connections that xinetd will
accept per second is 10, and the service is paused for 60 seconds if this limit is
reached. Requests that are made during this waiting period are denied and the
service will be unavailable.
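The recommendations in the preceding xinetd sections (default-deny no_access, per_source, instances, the disabled r* services, only_from per service, a cps rate limit, and size limits on FILE logs) can be checked mechanically. The script below is an added example for this appendix, not course material and not part of xinetd. It parses the defaults block of an xinetd.conf and every file in a service directory using xinetd's key = value syntax, then reports each recommendation that is missing. The two sample files are constructed and deliberately omit several of the settings.

```shell
#!/bin/sh
# Added example: audit xinetd's defaults and per-service files for the
# settings discussed in the text. Both sample files are constructed for this
# example and deliberately leave some of the recommendations out.
SAMPLE_XINETD_CONF='# constructed /etc/xinetd.conf
defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        no_access       = 0.0.0.0/0
        disabled        = rlogin rsh
}
includedir /etc/xinetd.d'

SAMPLE_TELNET_SVC='# constructed /etc/xinetd.d/telnet
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        only_from       = 10.3.2.0/24
        access_times    = 07:00-20:00
        log_type        = FILE /var/log/telnet.log
}'

# xinetd_attr FILE BLOCK KEY -> value of KEY inside "defaults" (BLOCK=defaults)
# or inside "service BLOCK"; empty when the attribute is not set.
xinetd_attr() {
    awk -v block="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*(defaults|service[[:space:]]+[^[:space:]{]+)[[:space:]]*[{]?[[:space:]]*$/ {
            name = ($1 == "defaults") ? "defaults" : $2; next
        }
        /^[[:space:]]*}/ { name = "" }
        name == block && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]+-]/, "", k)          # also strips the + of "+=" and - of "-="
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# xinetd_audit CONF SERVICE_DIR -> one finding per line.
xinetd_audit() {
    conf=$1; svcdir=$2
    v=$(xinetd_attr "$conf" defaults no_access)
    [ "$v" = "0.0.0.0/0" ] || echo "defaults: no_access is not 0.0.0.0/0, default-deny missing"
    v=$(xinetd_attr "$conf" defaults per_source)
    { [ -n "$v" ] && [ "$v" -le 10 ]; } 2>/dev/null || echo "defaults: per_source missing or above 10"
    v=$(xinetd_attr "$conf" defaults instances)
    { [ -n "$v" ] && [ "$v" != UNLIMITED ] && [ "$v" -le 20 ]; } 2>/dev/null ||
        echo "defaults: instances missing, UNLIMITED, or above 20"
    v=$(xinetd_attr "$conf" defaults disabled)
    for r in rlogin rsh rexec; do
        case " $v " in *" $r "*) ;; *) echo "defaults: $r is not in the disabled list" ;; esac
    done
    for f in "$svcdir"/*; do
        [ -f "$f" ] || continue
        s=$(basename "$f")
        [ -n "$(xinetd_attr "$f" "$s" only_from)" ] || echo "$s: no only_from restriction"
        [ -n "$(xinetd_attr "$f" "$s" cps)" ] || echo "$s: no cps rate limit"
        v=$(xinetd_attr "$f" "$s" log_type)
        case "$v" in
            FILE*) set -- $v                       # FILE path [soft_limit [hard_limit]]
                   [ $# -ge 4 ] || echo "$s: log_type FILE has no soft/hard size limit" ;;
        esac
    done
}

# Usage on a real server: xinetd_audit /etc/xinetd.conf /etc/xinetd.d
```

The thresholds (per_source at most 10, instances at most 20) are the numbers given in the text; adjust them to the server's expected load. A service file whose name differs from its service keyword will be reported as missing every attribute, which is itself worth knowing.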
Securing Linux Network Services
Protecting a Linux FTP server
There are several different types of FTP servers that can be used on a Linux
server. This course will focus on the security of the wu-ftpd FTP server. The
newest versions of Red Hat use this FTP server by default so it should already be
installed. If not, the RPM package can be downloaded at
There are several ways to enhance the security of an FTP server. The best
method will depend on the users that will access the server and from which
locations they will access it. The following security methods will be discussed:
• Restrict FTP access by username.
• Restrict FTP access to a particular group.
• Use a chroot jail.
• Use options in the /etc/ftpaccess file to secure the wu-ftpd server.
Restricting Users from Access
The wu-ftpd server uses PAM to authenticate users. The PAM authentication file
that wu-ftpd uses is /etc/pam.d/ftp.
It is easy to deny FTP access to certain users by editing the /etc/ftpusers file. This
file is used to deny FTP access to users. There are several default entries in this
file. These are user accounts that typically cause security issues if access is
granted. Any username that should be denied FTP access should be entered in
this file.
Restricting FTP Access by Groups
It can be difficult for a system administrator to deny access for individual users.
It is almost impossible to keep track of all the users that should not have access.
This would also violate the security code that states, “Deny access to everyone,
allow access to only users that require access”. Users can be restricted on an
individual basis for a small network where security is not as big of a threat as it is
for a large corporation. In small networks it is easier to deny all FTP access and
then create groups of users that are allowed access.
To accomplish this, a file must be created for entries that will allow access to
groups of users. To do this, use the following steps:
1. Open the /etc/pam.d/ftp file with a text editor and comment out the
pam_listfile line.
2. Add the following line to the /etc/pam.d/ftp file as the first line in the file.
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/userlist.ftp onerr=fail
3. Create a file named /etc/userlist.ftp. Add users and groups to this list that
will have FTP access.
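With item=user, pam_listfile compares the login name against the lines of /etc/userlist.ftp, so a group name written into that file matches nobody; the practical way to grant access by group is to expand the group's members into the list. The script below is an added example for this appendix, not course material and not part of wu-ftpd or PAM. It builds the user list from /etc/group-style data for one or more groups, removes anyone named in the /etc/ftpusers deny file, and checks that the first auth line of the PAM file is the allow-list line from step 2. The group and ftpusers contents are constructed for the example.

```shell
#!/bin/sh
# Added example: build /etc/userlist.ftp from group membership so that the
# pam_listfile line configured above (item=user) can be driven by groups,
# and verify that the PAM file really starts with that allow-list line.
# The group and ftpusers data below are constructed for this example.
SAMPLE_GROUP='root:x:0:
ftpusers:x:1001:alice,bob
webdev:x:1002:carol'

SAMPLE_FTPUSERS='root
bin
daemon
bob'

# build_ftp_userlist GROUPFILE FTPUSERSFILE GROUP... -> the members of the
# named groups, minus anyone listed in the ftpusers deny file, sorted and
# unique, one per line. pam_listfile with item=user matches usernames only,
# so group names are expanded to their members here.
build_ftp_userlist() {
    groupfile=$1; denyfile=$2; shift 2
    for g in "$@"; do
        awk -F: -v g="$g" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$groupfile"
    done | sort -u | grep -vxF -f "$denyfile"
}

# pam_ftp_check PAMFILE -> exit 0 when the first auth line is the
# pam_listfile allow-list with onerr=fail, 1 otherwise.
pam_ftp_check() {
    first=$(grep -E '^[[:space:]]*auth[[:space:]]' "$1" | head -n 1)
    case "$first" in
        *pam_listfile.so*sense=allow*file=/etc/userlist.ftp*onerr=fail*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a real server (as root), regenerated whenever group membership changes:
#   build_ftp_userlist /etc/group /etc/ftpusers ftpusers webdev > /etc/userlist.ftp
#   pam_ftp_check /etc/pam.d/ftp || echo "pam_listfile allow-list is not first"
```

Because the list is derived from a group, removing a user from the group and re-running the command revokes FTP access without touching the PAM configuration; onerr=fail ensures a missing or unreadable list denies everyone rather than letting everyone in.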
Creating a Chroot Jail
The use of a Linux server as an FTP server is a difficult concept because when
users connect to the FTP server, they will be taken to the FTP root directory by
default. However, they will be able to move in any directory, which includes the
root directory and all its subdirectories. This can lead to many security issues.
This can be solved by creating a chroot jail.
A chroot jail will restrict user access on an FTP server to a specified directory,
which is typically the user’s home directory. This directory can also be the FTP
root directory, which is more desirable if many users will access the FTP server.
This will only show the part of the filesystem that FTP users are intended to see.
Using the /etc/ftpaccess File to Restrict FTP Access
The main file that wu-ftpd uses to manage security is the /etc/ftpaccess file.
There are several settings in this file that can be modified from the default
settings to enhance FTP security. This section will cover these settings and how
to modify them.
It is important to log inbound and outbound traffic, file transfers, and security
violations on an FTP server. The default settings in the /etc/ftpaccess file are set
to log inbound and outbound traffic. To configure this file to log file transfers as
well, modify the log transfers line as follows:
log transfers anonymous,real,guest inbound,outbound
This will add log entries for every file that is uploaded or downloaded from the
server.
There are two types of security information that should be logged, security
violations and commands that are entered by users. To log security violations
from all users connected to the server modify the log security parameter as
follows:
log security anonymous,real,guest
To log all the commands that are entered by users on the FTP server modify the
log commands parameter as follows:
log commands anonymous,real,guest
By default, users that access an FTP server have no restrictions on the files and
directories they are allowed to browse. To restrict this capability without a chroot
jail, modify the noretrieve parameter with the files or directories that should
be restricted. The syntax for restricting a file or directory is as follows:
noretrieve file | dir [class=anonymous | real | guest]
To restrict access to the /etc directory add the following line to the /etc/ftpaccess
file:
noretrieve /etc
This file contains several other parameters that can be modified to control how
wu-ftpd controls access. This file should be read carefully to understand the
capabilities of these other parameters.
Protecting a Linux Web Server
To understand the methods that are used to enhance Web server security it is
important to learn about the risks and vulnerabilities of Web servers. When the
Internet first began, the Web was a collection of simple text files that people used
to share information. Now websites are interactive portals that give people access
to vast amounts of information. Web server security is a major concern because
hundreds of thousands of businesses use the Internet to sell their products to
international audiences. Large corporations and small businesses have become
targets for Internet hackers. One major problem with Web security is that Web
servers have to be accessed by the public.
This section will focus on how to enhance the Apache Web server that Linux
uses. Some issues that will be covered to help configure security settings for
Apache include the following:
• Create dedicated user and group accounts.
• Use a directory structure that can be easily configured for security purposes.
• Establish permissions and index files.
Establishing User and Group Accounts for Apache
The Apache Web server operates either in stand-alone mode or as a service that
is run by the inetd daemon. If the system is in stand-alone mode, there is no need
to establish dedicated users and groups. Users and groups should be defined if it
is running as an inetd daemon. This makes it much easier to control security
because it allows an administrator to use permission-specific rights such as
assigning only the read permission to the Apache user group. An administrator
can also give write permissions to a user group if they need a directory in which
to write Common Gateway Interface (CGI) script data.
Creating a Safe Directory Structure
The default directory structure of Apache has four main directories:
• The ServerRoot directory /home/webadmin stores the Apache server
configuration files and binaries.
• The DocumentRoot directory /www/htdocs stores the HTML Web content.
• The ScriptAlias directory /cgi-bin saves the CGI scripts.
• The CustomLog and ErrorLog directories /www/logs store various access
and error log files. These two directories can be counted as one because they
should be combined to store all the log files in one directory.
The recommended directory structure for these four directories is as follows:
• These four individual directories should be independent of each other.
• Only the root user should be able to access the ServerRoot directory.
• User and group account access for the DocumentRoot directory should have
permissions set so that the website administrator and the Apache user group
specified in the httpd.conf file have access.
• The ScriptAlias directory should only be accessed by users who create
scripts for the website.
• The CustomLog and ErrorLog directories should only be able to be accessed
by root.
This type of file structure is typically safe. Since each directory is independent of
the others, security cannot be compromised if a permission error is made.
Setting the Correct Permissions
The DocumentRoot directory should only be accessed by users who provide
content for Apache. However it may be necessary to allow other users to access
the website and contribute content. To do this, create a temporary group and add
the user to that group. Then change the group ownership of the DocumentRoot
directory to the new group that was created but leave the directory ownership to
Apache. Then set the permissions for the DocumentRoot directory so that the
new group can read, write, and execute files that they add to it. This makes it
possible to add temporary users to the group that was created without giving
them ownership of the entire directory.
Disabling Default Access
A common security method that has been discussed in this chapter is to deny
access to everyone and then configure the appropriate settings to allow access to
specified users. This method also applies to Web server security.
To deny all access to the ServerRoot directory /home/webadmin, use the
following syntax in the httpd.conf file:
<Directory /home/webadmin>
    Order deny,allow
    Deny from all
</Directory>
Then, to only allow root account access for this directory, use the following
syntax:
<Directory /home/webadmin>
    Order deny,allow
    Allow from root
    # Allow from matches client hostnames or addresses, not system accounts
</Directory>
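The directory layout, the permission scheme for a temporary contributor group, and the default-deny block above can be applied and verified with a few shell functions. The script below is an added example for this appendix, not course material and not part of the Apache project. It creates the four directories as independent trees under a prefix (so it can be exercised in a scratch directory; on a real server the prefix is empty and the commands run as root), sets ServerRoot and the log directory to owner-only, gives DocumentRoot and the CGI directory to the web group with the setgid bit so new files inherit that group, hands DocumentRoot to a temporary group with read, write and traverse rights while leaving ownership unchanged, and prints the corrected <Directory> block. The 700/2750/750 modes and the dir_mode helper (GNU stat) are the example's own choices.

```shell
#!/bin/sh
# Added example: lay out the four Apache directories as independent trees
# with the ownership and permissions the text recommends, grant a temporary
# contributor group access to DocumentRoot, and print the corrected
# httpd.conf <Directory> block. BASE is a prefix so the layout can be
# exercised in a scratch directory; on a real server BASE is "" and the
# commands are run as root. Paths follow the text: /home/webadmin
# (ServerRoot), /www/htdocs (DocumentRoot), /www/cgi-bin (ScriptAlias),
# /www/logs (CustomLog and ErrorLog).

# dir_mode PATH -> permission bits in octal (GNU stat), e.g. 2750
dir_mode() { stat -c %a "$1"; }

# apache_layout BASE WEBGROUP -> create the directories and set modes:
#   ServerRoot 700 (owner only), DocumentRoot 2750 (owner rwx, web group r-x,
#   setgid so new files inherit the group), cgi-bin 750, logs 700.
apache_layout() {
    base=$1; webgroup=$2
    for sub in home/webadmin www/htdocs www/cgi-bin www/logs; do
        mkdir -p "$base/$sub"
    done
    chmod 700 "$base/home/webadmin"
    chgrp "$webgroup" "$base/www/htdocs" "$base/www/cgi-bin"
    chmod 2750 "$base/www/htdocs"
    chmod 750 "$base/www/cgi-bin"
    chmod 700 "$base/www/logs"
}

# apache_layout_check BASE -> prints deviations, exit 1 if any
apache_layout_check() {
    base=$1; rc=0
    for pair in home/webadmin:700 www/htdocs:2750 www/cgi-bin:750 www/logs:700; do
        sub=${pair%%:*}; want=${pair##*:}
        got=$(dir_mode "$base/$sub")
        if [ "$got" != "$want" ]; then echo "$sub: mode $got, expected $want"; rc=1; fi
    done
    return $rc
}

# apache_grant_group DOCROOT GROUP -> hand DocumentRoot's group to a temporary
# contributor group (ownership stays with the web admin) and let that group
# read, write and traverse; setgid keeps new files in the group.
apache_grant_group() {
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# apache_deny_block DIR -> the default-deny <Directory> block for httpd.conf
apache_deny_block() {
    printf '<Directory %s>\n    Order deny,allow\n    Deny from all\n</Directory>\n' "$1"
}

# Usage on a real server (as root):
#   apache_layout "" apache && apache_layout_check ""
#   apache_grant_group /www/htdocs webtemp
#   apache_deny_block /home/webadmin >> /etc/httpd/conf/httpd.conf
```

Running apache_layout_check after any change to the tree catches a permission error on one directory without affecting the others, which is the point of keeping the four trees independent. When the temporary group's work is finished, run apache_grant_group again with the web group to restore the 2750 layout (apache_layout_check will report the directory until you do).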
Protecting a Linux Mail Server
Mail servers experience many of the same security risks as Web servers. Now
businesses rely on e-mail for company communications more than ever before. It
is estimated that over a billion e-mails are sent throughout the world every day.
Some of the most harmful viruses have been sent through e-mail. An attacker can
disguise a virus as an e-mail to easily get into the network and then the virus can
expand exponentially to other desktops and servers. This chapter discusses some
vulnerabilities of e-mail servers and identifies ways to enhance the security of a
Linux e-mail server.
Testing for Vulnerabilities
The best way to determine if the current configuration of a mail server is
vulnerable to an attack is to run some tests. The most widely-used protocol to
handle e-mail transport is Simple Mail Transfer Protocol (SMTP). SMTP is not
designed to provide any security. One of the biggest threats to e-mail servers is
Spam. Spam refers to e-mails that are sent through insecure e-mail servers that
do not block open relay mail. To enhance security, first disable the open relay
capabilities of a mail server. To test how vulnerable the mail server is to open
relay attacks, perform the following functions:
1. From a Linux client system or server that has Telnet client tools, run the
following command. This command will perform a search for all the MX
records in the domain. The MX records indicate the mail servers in a domain.
Substitute the appropriate domain name in place of the cisco.com domain.
nslookup -q=mx cisco.com
2. Take a note of all the mail servers that are returned by this command. Run
the following command for all the mail servers that are found. Substitute the
correct domain name for the one used in this example. This will make a
Telnet connection to the SMTP port, which is Port 25, on the mail server.
telnet mail.cisco.com 25
3. Run the following command to instruct the mail server to initialize the
connection.
ehlo localhost
4. Instruct the mail server to send a test e-mail to an e-mail address outside of
the internal network. To do this enter the following command and substitute
the correct e-mail address. This command tells the e-mail server to send an
e-mail from the cisco@hotmail.com e-mail account.
mail from: cisco@hotmail.com
The mail server should return a response similar to the following.
250 cisco@hotmail.com... Sender ok
If this command is entered correctly and the mail server does not
respond, then it is probably configured to not allow open relay mail
transfers. This means that part of the e-mail server is configured
correctly for optimum security. If this response is sent, then continue on
to the next step.
5. Enter the following command to instruct the e-mail server to send that e-
mail from the cisco@hotmail.com account to an external e-mail account
such as cisco@yahoo.com.
rcpt to: cisco@yahoo.com
The mail server should return a response similar to the following.
250 cisco@yahoo.com... Recipient ok
If the e-mail server rejects these requests, then it is properly secured against
open relay, which can be used to send spam and leaves the e-mail server
vulnerable to attacks. If these requests do go through, take the necessary steps to
properly configure the e-mail server to block open relay mail.
Securing Sendmail Against Attacks
Sendmail is the most popular Mail Transfer Agent (MTA) for UNIX and UNIX-
based operating systems such as Linux. An MTA is an ordinary e-mail server
that is configured with a program such as Sendmail to forward and receive e-mail
from users within a domain. One of the first steps to secure Sendmail is to
download and install the newest version of the program from a website such as
. The newest versions are automatically configured to not
allow open mail relay.
The REJECT command can be used to block mail from a specific domain or e-
mail address. For example, to block mail from the spamcompany.com domain
add the following entry to the /etc/mail/access file:
spamcompany.com REJECT
The REJECT command can also be used to deny e-mail from specified e-mail
addresses.
Filtering Tools
Most e-mail viruses and attacks are contained in attachments that are sent with e-
mail messages. This scenario occurs frequently. The e-mail message appears to
be harmless and instructs the recipient to open the attachment. After the
attachment is opened, the virus is spread. Linux includes a filtering tool called
procmail that can be used to scan headers and the body of each message for
patterns based on customized rules.
The newest set of rules that procmail will use to filter mail can be downloaded at
www.impsec.org/email-tools/procmail-security.html. The procmail program can
be downloaded at
. Before procmail is installed, add the
following lines to the /etc/mail/sendmail.cf file.
FEATURE(local_procmail)dnl
MAILER(procmail)dnl
For optimal performance, either install procmail from the distribution CD or
from a trusted site such as
Linux Network Security and Filtering Methods
TCP Wrappers
Transmission Control Protocol (TCP) Wrappers are used in conjunction with
inetd, which is no longer used with Linux Mandrake or Red Hat Linux. These
two distributions use xinetd. TCP Wrappers use a program called tcpd. Without
tcpd, inetd starts the requested server directly. When tcpd is used, inetd
calls tcpd instead, and tcpd checks whether the client is authorized to access
the server. If the client is authorized, tcpd allows the client to access the
server.
There are two files that are used to configure the TCP Wrappers, /etc/hosts.allow
and /etc/hosts.deny. Users can edit these files and add hostnames to either allow
or deny access to a system. Hostnames that are entered in the hosts.allow file can
access a system. If a hostname that is not entered in the hosts.allow file attempts
to access the system, access will be denied. Hostnames entered in the hosts.deny
file are also denied access to the system.
Entries in these files may consist of the following lines:
• daemon-list: client-list – The daemon-list specifies the names of servers
that appear in /etc/services. These are the servers to which access will
either be granted or denied. The client-list specifies which clients are
granted access or denied access to the server in the corresponding
daemon-list. Entries in the client-list can be identified by a hostname or
by an IP address.
• xinetd – The Mandrake and Red Hat distributions of Linux use xinetd
instead of inetd. On these distributions, the /etc/xinetd.conf file is edited
to control access. The xinetd.conf file includes the per-service files
located in the /etc/xinetd.d directory. These files control access to the
different daemons on a system. Configuration is done for each server with
the bind, only_from, and no_access parameters.
• bind – This instructs xinetd to listen on only one network interface for
the service. For example, if the entry bind = 10.2.5.1 is added to a service
file, xinetd will accept connections for that service only on the interface
that has that address.
• only_from – This is similar to the hosts.allow file because the user can
specify IP addresses, network addresses, or hostnames to allow
connections only from the entries listed in the file.
• no_access – This is similar to the hosts.deny file because the entries
listed on this line will be denied access to the server.
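The following Python, added here as an illustration and not part of the course text, evaluates the daemon-list: client-list entries described above in the order tcpd uses them: hosts.allow is consulted first, then hosts.deny, and a client matching neither file is admitted. The sample files are constructed; the deny-by-default entry ALL : ALL in hosts.deny is what makes a host not listed in hosts.allow be denied, so without it an unlisted host is let in.

```python
import ipaddress


def parse_rules(text):
    """Parse 'daemon-list : client-list [: option]' lines into (daemons, clients) pairs.
    Comments and blank lines are skipped; list members may be separated by commas or spaces."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed entry: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the connecting client's hostname and IP address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .corp.example.com
        return host.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. 10.2.5.
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. 10.2.0.0/255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)       # exact hostname or address


def _any_rule_matches(rules, daemon, host, addr):
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(p, host, addr) for p in clients):
                return True
    return False


def check_access(hosts_allow, hosts_deny, daemon, host, addr):
    """Decide as tcpd does: a hosts.allow match admits, otherwise a hosts.deny match
    rejects, otherwise the client is admitted."""
    if _any_rule_matches(parse_rules(hosts_allow), daemon, host, addr):
        return True
    if _any_rule_matches(parse_rules(hosts_deny), daemon, host, addr):
        return False
    return True


# Constructed sample files (not from any real system).
HOSTS_ALLOW = """\
# /etc/hosts.allow: only the office subnet and corporate hosts may reach sshd and ftp
sshd, in.ftpd : 10.2.5. , .corp.example.com
"""
HOSTS_DENY = """\
# /etc/hosts.deny: deny everything not explicitly allowed above
ALL : ALL
"""
```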
Network Address Translation (NAT)
Network Address Translation (NAT) is a process that usually runs on a router or
on a Linux server configured as a router. A router usually acts as a gateway to
the Internet. A router that is
running NAT rewrites the addressing information that is contained in IP packets.
Administrators use NAT to alter the source address of packets that originate from
secure LANs. Private IP addresses can be assigned to these secure LANs.
Private IP addresses are not routed on the Internet. An outside hacker cannot gain
direct access to a computer with a private address. Hosts with private IP
addresses cannot directly reach Internet hosts. However, a NAT router can take a
packet that originates from a host with a private address. The NAT router then
replaces the source IP address of the packet with a public, globally routable
address. The NAT router records this address translation in a table. After the
addressing information is rewritten, the NAT router forwards the packet toward
the destination host. When the outside destination replies, the reply packet is
routed back to the NAT router. The NAT router then consults the translation
table. The NAT router rewrites the addressing information based on the entries in
the table. After the address is rewritten, the packet can be routed back to the
original, privately addressed host.
NAT is often deployed in conjunction with proxy services and IP packet filters. It
is also used in homes and small offices. NAT allows hundreds of computers to
borrow a public, globally routable IP address. This process is sometimes called
many-to-one NAT, address overloading, or port address translation (PAT).
Popular desktop operating systems include built-in NAT services such as
Microsoft Windows Internet Connection Sharing. NAT services are also included
in NOSs. Red Hat Linux uses the ipchains program to perform NAT. Other NAT
programs include ipmasquerade and natd.
Some experts make a distinction between NAT and a firewall. Others regard
NAT as part of a comprehensive firewall solution. A NAT server can protect a
network from an attack. Outsiders may not be able to send packets directly to
inside targets, or use scanning techniques to map the internal network.
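A toy model of the translation-table walk-through above, added as an example (not from the course): two privately addressed hosts share one public address by port, replies are rewritten back from the table, and an unsolicited packet to the public address is dropped because no entry exists for it. Addresses are from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Many-to-one NAT (PAT): every inside flow borrows the one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # translation table: public port -> (private ip, private port, remote ip, remote port)
        self.table = {}
        self._by_inside = {}   # reverse index so a flow keeps the same public port

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private LAN and record the mapping."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_inside.get(flow)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.table[port] = flow
            self._by_inside[flow] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Look up a reply in the table and rewrite its destination back to the private host.
        Returns None (drop) for anything without a matching outbound entry, which is why
        outsiders cannot reach inside hosts or map them by scanning the public address."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        private_ip, private_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None    # the entry belongs to a different remote endpoint
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo():
    """Two private hosts share one public address; a probe to an unused port is dropped."""
    nat = NatRouter("198.51.100.7")
    a_out = nat.outbound(Packet("10.0.0.5", 51000, "192.0.2.80", 80))
    b_out = nat.outbound(Packet("10.0.0.6", 51000, "192.0.2.80", 80))
    a_reply = nat.inbound(Packet("192.0.2.80", 80, a_out.src_ip, a_out.src_port))
    probe = nat.inbound(Packet("203.0.113.9", 4444, "198.51.100.7", 22))
    return a_out, b_out, a_reply, probe
```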
Firewalls and Proxy Services
The primary defense against Internet attackers is an Internet firewall. A firewall
is specialized software, hardware, or both. An Internet firewall is used to prevent
unwanted or malicious IP packets from reaching a secure network.
Firewall technology has evolved significantly over the last decade. In the past,
firewalls used addressing information to filter packets. These firewalls were built
and maintained by large organizations. Modern desktop OSs such as Windows
XP include built-in firewall capabilities that are geared toward the average home
user. The increasing number of hacker exploits and Internet worms make firewall
technology an essential aspect of any enterprise network.
The term firewall refers to several different approaches to protecting networks.
These methods are described in the following sections.
A boundary router connects an enterprise LAN to its ISP or the Internet. A
boundary router LAN interface leads to a network designed for public access.
This network contains NOS servers that provide the World Wide Web, e-mail,
and other Internet services. This public network is sometimes referred to as a
dirty LAN or sacrificial LAN because public requests are allowed on the
network. It is also commonly called the Demilitarized Zone (DMZ). The DMZ
acts as a buffer area. A boundary router should include an IP filter that protects
against obvious vulnerabilities. For example, the SNMP management protocol
should not be allowed into the network from the outside. The NOS servers in a
DMZ should be tightly configured. A boundary router should allow only specific
types of traffic to these servers. The boundary router should only allow HTTP,
FTP, e-mail, and DNS-related traffic.
A dedicated firewall solution such as a Cisco Private Internet eXchange (PIX),
connects the DMZ to a protected LAN. A PIX performs additional IP filtering,
stateful filtering, proxy services, NAT, or a combination of these functions. The
DMZ is designed to keep the inside network clean.
A NOS such as Linux can function as part of a firewall solution. The NOS can
filter packets, run NAT, or act as a proxy server. In high-traffic environments, a
specialized packet filtering and NAT solution is recommended. A specialized
device such as a router or firewall appliance is designed to switch packets and
manipulate them very quickly. A NOS that runs on ordinary hardware may be
able to do the job. However, this will add latency and overhead on the server.
In low-traffic environments such as small offices and home networks, a NOS
firewall solution is a good choice.
Packet Filters
An Internet firewall is usually a host that runs IP packet filtering software. Most
LANs run IP packet filters on routers or specialized hosts. Specialized hosts such
as Linux servers can also perform routing. Home users can run IP packet filtering
on an end system such as a Linux or Windows PC.
The most basic firewall solution is an IP packet filter. To configure a packet
filter, a network administrator must define the rules that describe how to handle
specified packets.
The first packet filters were based on the addressing information contained in the
packet headers, specifically the source and destination IP addresses. IP packet
headers belong to Layer 3 of the OSI model, so at the time the packet filters
worked only at Layer 3.
Packet filters were later designed to base decisions on information contained in
the TCP or User Datagram Protocol (UDP) header at Layer 4. Both TCP and
UDP use port numbers to address specific applications that run on a host. Layer 4
access lists can be configured to permit or deny packets. This configuration is
based on source or destination ports and IP address information. For example, a
Layer 4 access list can be configured to permit traffic destined for a specific IP at
Port 80. This is a well-known port that Web servers monitor.
Access Control Lists (ACLs)
Packet filters are sometimes called access control lists (ACLs). An IP packet
filter begins with a list of rules. The rules tell the router or host how to handle
packets that match the specified criteria. For example, a packet that matches a
particular source address can be dropped, forwarded, or processed in some
special way. There are several aspects of common matching criteria:
• IP address, source and destination
• TCP/UDP port number, source and destination
• Upper-layer protocol, such as HTTP or FTP
A host configured with an IP packet filter checks packets that come in or out of a
specified interface or interfaces. Based on the rules defined, the host can drop the
packet or accept it. This approach is also referred to as rules-based forwarding.
Administrators can use this approach to configure routers to drop unwanted or
potentially harmful packets. Administrators configure the routers before the
packets reach the secure LAN.
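As an added example (not from the course), a first-match packet filter over the matching criteria listed above, with the boundary-router policy from the Firewalls section expressed as rules: SNMP refused from outside, only HTTP, FTP, e-mail and DNS admitted to the DMZ servers, and everything else caught by the implicit deny. The server addresses and the rule syntax are constructed, not a real router's ACL format.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # source network
    dst: str = "0.0.0.0/0"       # destination network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules, pkt):
    """Rules are tried in order and the first match decides; a packet matching no rule is
    denied, which is the implicit deny at the end of every ACL."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed inbound ACL for the boundary router's Internet interface, following the text:
# refuse SNMP from outside, admit only web, FTP, mail and DNS to the DMZ servers, drop the rest.
INBOUND_ACL = [
    Rule("deny", "udp", dport=161),                        # SNMP
    Rule("deny", "udp", dport=162),                        # SNMP traps
    Rule("permit", "tcp", dst="192.0.2.10/32", dport=80),  # web server
    Rule("permit", "tcp", dst="192.0.2.11/32", dport=21),  # FTP control channel
    Rule("permit", "tcp", dst="192.0.2.12/32", dport=25),  # SMTP
    Rule("permit", "udp", dst="192.0.2.13/32", dport=53),  # DNS
    Rule("permit", "tcp", dst="192.0.2.13/32", dport=53),  # DNS over TCP
]
```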
Proxy Services
In networking, a proxy is software that interacts with outside networks on behalf
of a client host. Client hosts on a secure LAN will usually request a Web page
from a server that runs proxy services. The proxy server will go on the Internet to
retrieve the Web page. The Web page is then copied to the proxy server. This
process is referred to as caching. Finally, the proxy server will transmit the Web
page to the client. When a proxy is used to provide these services, the client
never interacts directly with outside hosts. This protects clients from potential
Internet threats. Administrators can configure proxy servers to reject certain
client requests or outside Internet responses. For example, schools can use proxy
servers to control what websites can be accessed. Since all Web requests are
directed to the proxy, administrators can control which requests are accepted.
Microsoft has a comprehensive proxy service available for its NOS, which is
called Microsoft Proxy Server 2.0.
Proxy servers are used to insulate LANs and protect hosts from outside threats.
The ability of a proxy server to cache Web pages is important. This is beneficial
when a proxy service is used for HTTP. Multiple clients can access the HTTP
content with significantly improved response time. When frequently accessed
HTTP content is cached on a local server, this results in the improved response
time.
Windows 2000 Authentication Security
Identifying the Security Architecture
Windows 2000 security is more complex than previous Windows NOSs. It offers
a completely new security model. It includes many new security technologies
that can be used to secure network access, resources, and the privacy and
integrity of data and communications.
Windows 2000 provides an integrated set of security services with features such
as support for the Kerberos authentication protocol, file system encryption, active
directory service, and Internet Protocol Security (IPSec). The distributed security
services are an essential part of the OS and provide for many important business
requirements.
The Windows 2000 security model provides excellent administration tools and a
solid security infrastructure that supports the company and the Internet. Windows
2000 uses trusted domain controller authentication, delegation of trust between
services, and object-based access control to allow organizations to easily protect
their information and networked resources.
Authenticating Users in Windows 2000
Windows 2000 security is based on a simple model of authentication and
authorization. Authentication is the process used to prove and validate the
identity of an entity. An entity can be a user, a computer, or a service. Computers
and services are authenticated when they make network connections to other
servers.
A principal is identified by a Security Identifier (SID) and uses credentials to
prove its identity during the authentication process. Credentials validate the
identity of a user. Examples of credentials are the account name and password of
a principal, smart cards, and certificates. After the credentials have been verified,
authorization occurs. Authorization is the process used to determine if an identity
and the set of attributes associated with that identity can perform an action such
as accessing a resource.
How Authentication Works
The two types of authentication are logon authentication and network
authentication. Logon authentication occurs when a user signs onto a network.
Microsoft refers to the logon process as a local or interactive logon because users
interact with the computer when they type in a username and password. The
interactive logon process begins when a user presses the key combination
Ctrl-Alt-Delete. This initiates the Secure Attention Sequence (SAS) on computers with
standard Windows 2000 configurations. In response to SAS, Winlogon, which is
a security service that provides interactive authentication, alerts the Graphical
Identification and Authentication (GINA) module. The GINA component
displays the logon interface. After a username and password are supplied and a
domain name is selected, GINA collects the logon information. GINA securely
packages the information in a data structure and returns it to the Winlogon
service. Winlogon sends the data to the Local Security Authority (LSA) for
authentication. The LSA is the OS kernel component that handles user
authentication. The LSA compares credentials with entries in its authentication
database to validate users. If a user account is issued by the LSA, the LSA can
check its own account database to verify the user information. If an account is
issued by the security authority for a local domain or a trusted domain, the LSA
must contact the security authority to verify the user information. A valid
interactive logon will result in a local logon session. Otherwise, a user will be
denied access.
Network authentication confirms the identity of a user to the network services or
resources that the user attempts to access. Network authentication is transparent
to the user due to a feature called single sign-on. Single sign-on allows network
users to access all authorized network resources after an initial authentication.
When the initial authentication occurs, the credentials of the user are cached. If a
user wants to access a Windows 2000 system that is located across the network,
the LSA on the workstation will establish an identity with the LSA on the remote
computer. This identity is established with the cached credentials and is called an
interactive logon.
The authentication process is used to verify the identity of a user, computer, or
service, but the steps vary for different authentication protocols. Windows 2000
supports several protocols to verify the identities of users that want to gain access
to a system. However, there are only two options for network authentication
within and between Windows 2000 domains, Windows NT LAN Manager
(NTLM) and Kerberos Version 5.
NTLM is an advanced challenge/response based protocol. NTLM is the default
network authentication protocol for systems with earlier versions of the Windows
NT operating system than Windows 2000 and standalone systems.
Kerberos Version 5 is the default network authentication protocol for computers
that use Windows 2000. Kerberos is a distributed security protocol that is based
on Internet standard security. Kerberos is used to provide fast, single sign-on to
network services within a domain, and to services in trusted domains. It also
provides service to other environments that support the Kerberos protocol.
How Kerberos Authentication Works
The Kerberos authentication protocol uses a ticketing system. This ticketing
system uses two basic ticket types, ticket-granting tickets (TGTs) and service or
resource tickets. A Kerberos ticket provides a way to transport a Kerberos
session key. A session key is the basic entity Kerberos uses for authentication
across the network securely. The Kerberos authentication protocol also provides
mutual authentication between resources before a network connection is made.
Kerberos uses the Data Encryption Standard (DES) shared-secret key concept for
authentication. Communication partners will share a cryptography key instead of
a password. Each partner uses the key to verify the identity of the other partner.
The shared-secret key must be symmetric for this technique of authentication to
work. This means that a single key must be capable of both encryption and
decryption.
In Windows 2000, a trusted third party must mediate between two authenticating
entities. A Key Distribution Center (KDC) acts as the mediator. Windows
2000 implements a KDC on every domain controller. This is referred to as the
Kerberos realm. Since each domain controller is a KDC, physical security is a
high priority.
How Kerberos Works
When a user logs into a Windows 2000 domain or Kerberos realm, the user is
issued a TGT by the KDC service. A TGT contains information about the user.
This information is encrypted in a key known by the KDC. The TGT acts as the
network authentication for the user. At logon and at each TGT renewal, users use
their passwords to authenticate to the KDC. In subsequent ticket requests, users
only need to use their session key, which their TGT contains, to authenticate to
the KDC. As a result, user password authentication is reduced, which reduces the
possibility of attacks.
Note
If users change their passwords during a logon session, they must reenter their
user IDs and password to obtain a new TGT.
When a client wants to access a network resource or service, the client presents
the TGT to a Kerberos server and requests access to the resource or service. The
Kerberos service will construct a ticket for the resource or service and randomly
generate a session key for it. The session key is sent to the client and, by way of
the client, to the resource or service. When a server receives a ticket and an authenticator
from the client, the server has enough information to authenticate the client. The
Kerberos protocol verifies both the identity of the user and of the network
resource or service. The client authenticates to the server and the server
authenticates to the client. As a result, a mutual authentication occurs.
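The ticket flow described above, modelled end to end in Python as an added example that is not from the course: the AS exchange issues a TGT under the password-derived key, the TGS exchange issues a service ticket against the TGT session key without the password, and the AP exchange authenticates both sides. A SHA-256 keystream with an HMAC stands in for the DES-based encryption mentioned in the text, and every principal, key and name is made up.

```python
import hashlib
import hmac
import json
import os
import time

def _keystream_xor(key, nonce, data):
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """Toy authenticated encryption of a JSON-serialisable object (stand-in for DES)."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_keystream_xor(key, nonce, ct))

def password_key(password):
    """Toy string-to-key: a principal's long-term key derived from its password."""
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """Key Distribution Center: every principal's long-term key plus a private TGT key."""
    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)
        self.tgt_key = os.urandom(32)

    def as_exchange(self, user):
        """Issue a TGT; the reply is sealed with the user's key, so only a client that knows
        the password recovers the TGT session key. The TGT itself is opaque to the client."""
        sk = os.urandom(32)
        tgt = seal(self.tgt_key, {"user": user, "sk": sk.hex(), "exp": time.time() + 8 * 3600})
        return seal(self.keys[user], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """Issue a service ticket. The client proves it holds the TGT session key (not the
        password) with an authenticator; the ticket carries a fresh random session key."""
        t = unseal(self.tgt_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired; the user must re-enter the password")
        tgt_sk = bytes.fromhex(t["sk"])
        if unseal(tgt_sk, authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match the TGT")
        svc_sk = os.urandom(32)
        ticket = seal(self.keys[service], {"user": t["user"], "sk": svc_sk.hex()})
        return seal(tgt_sk, {"sk": svc_sk.hex(), "ticket": ticket.hex()})

class Service:
    """A network service sharing a long-term key with the KDC."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def ap_exchange(self, ticket, authenticator):
        """Check ticket and authenticator, then prove our own identity by returning the
        client's timestamp under the session key (the mutual authentication step)."""
        t = unseal(self.key, ticket)
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        if a["user"] != t["user"] or abs(time.time() - a["ts"]) > 300:
            raise ValueError("bad authenticator")
        return seal(sk, {"ts": a["ts"]})

class Client:
    def __init__(self, user, password):
        self.user, self.key = user, password_key(password)
        self.tgt = self.tgt_sk = None

    def logon(self, kdc):
        """Interactive logon: the only step that needs the password-derived key."""
        rep = unseal(self.key, kdc.as_exchange(self.user))   # raises on a wrong password
        self.tgt, self.tgt_sk = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["sk"])

    def connect(self, kdc, service):
        """Get a service ticket with the TGT, then authenticate to the service. True only
        if the service proved it could read the ticket, i.e. it knows the session key."""
        auth = seal(self.tgt_sk, {"user": self.user, "ts": time.time()})
        rep = unseal(self.tgt_sk, kdc.tgs_exchange(self.tgt, auth, service.name))
        svc_sk, ticket = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["ticket"])
        ts = time.time()
        ap_rep = service.ap_exchange(ticket, seal(svc_sk, {"user": self.user, "ts": ts}))
        return unseal(svc_sk, ap_rep)["ts"] == ts

def demo():
    """Constructed realm with one user and one file service; True on mutual authentication."""
    fs_key = os.urandom(32)
    kdc = KDC({"alice": password_key("Winter2003!"), "cifs/fs1": fs_key})
    alice = Client("alice", "Winter2003!")
    alice.logon(kdc)
    return alice.connect(kdc, Service("cifs/fs1", fs_key))   # no password needed after logon
```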
Windows 2000 Operating System Level Security
Securing File and Print Resources
Organizations must identify the data that they want to protect, classify this data
according to its value, and implement the necessary protection. To determine
the appropriate level of security, it is important to understand how data is stored
in a Windows 2000 system.
A file system is the principal method of data storage. An operating system uses a
file system to store data on the hard disk of a computer. A file system provides
controls and determines how data is stored and shared. Windows 2000 supports
the following file systems:
• File Allocation Table (FAT) or FAT16 – commonly used in MS-DOS,
Windows 3.x, and Windows 95
• File Allocation Table 32 (FAT32) – commonly used in Windows 98
• New Technology Filing System 4 (NTFS4) – commonly used in
Windows NT4.0
• New Technology Filing System 5 (NTFS5) – commonly used in
Windows 2000
There are different reasons to use each of the file systems. FAT16 is the old MS-
DOS file system. FAT16 uses 16-bit disk addresses, which limits it to disk
partitions that do not exceed 2 gigabytes (GB). FAT32 uses 32-bit disk addresses
and supports disk partitions up to 2 TB. NTFS is a new file system that was
developed specifically for Windows NT and carried over to Windows 2000.
NTFS uses 64-bit disk addresses and can support disk partitions of up to 16
exabytes. However, other factors limit it to smaller sizes. Windows 2000 also
supports read-only file systems for CD-ROMs and DVDs. In many instances,
multiple file system types may be available on a single system.
The FAT file system offers very little security. File attributes can be set to system
or read only, which makes it more difficult to accidentally delete a file. NTFS is
the file system that is recommended by Microsoft for the highest level of security
in Windows 2000. NTFS offers features to control access to the hard drives and
their contents. NTFS also offers significant performance advantages over FAT
file systems.
Sharing Data
An important requirement of users is the ability to share network files or data.
Files must be shared before users can access them across a network. In Windows
2000, a file cannot be directly shared. One of the most common ways to facilitate
file or data sharing is to use shared folders. Windows 2000 shared folders or
shares can be used to publish files, folders, printers, and other resources for
network users to access. When a folder is shared, users can connect to the shared
folder from their client computers and access the files under the shared folder as
if the files are stored in their local computers. It is important to ensure that shared
resources are secure since shares may contain important data.
One benefit of the NTFS file system that is not included in the FAT file system is
the ability to set permissions to protect resources. The NTFS file system works
with the Windows 2000 user account system to allow authenticated users access
to resources. Permissions can be set on shared folders, files, printers, and active
directory objects. Permissions define the level of access a user has to a resource
and specify the actions a user can perform.
Users must be granted access to a shared folder before they can access files in the
folder. Shared folder permissions can be set to control user access to the shared
folders in a network. There are three permissions that can be assigned to users for
a share:
• Read
• Change
• Full Control
Permissions for shares are additive or least restrictive. This means that the least
restrictive of all the permissions apply to the user. For example, if a user belongs
to a group that has been assigned Full Control permission to a share and another
group that has been assigned Read permission, the user will have Full Control of
the share. Full Control is the least restrictive of the two permissions.
Shared folder permissions can only be applied to the folder, not to the individual
files and sub-folders that the shared folder contains. Shared folder permissions
apply only to users who connect to the folder over a network. These permissions
do not restrict the access of users who log on locally to a computer.
NTFS permissions can be used to control user access to files and folders on a
local computer and in shared folders on a network. NTFS supports the following
base-level file permissions:
• Full Control
• Modify
• Read and Execute
• Read
• Write
NTFS also supports the following base-level folder permissions:
• Full Control
• Modify
• Read and Execute
• List folder contents
• Read
• Write
For simplicity, the file system combines the base permissions into commonly
used high-level permissions for files and for folders. Permissions for files and
folders are also least restrictive.
Both shared folder and NTFS permissions can be used to protect the privacy of
user data. Both types of permissions can be assigned to multiple groups and
users for the same files or the same shared folders.
The correct combination of shared folder and NTFS permissions must be applied
to supply an appropriate amount of data protection. It is important to understand
how shared folder and NTFS permissions can be combined to create effective
permissions. Effective permissions must be calculated correctly to ensure that the
proper amount of protection is in place. First calculate for files and folders, then
calculate separately for shares. Both calculations should be prepared with the
least restrictive rule. Next, calculate the total effective permissions and use the
most restrictive rule to combine the two. For example, if the least restrictive
permission for a user’s files or folders is Read and the least restrictive permission
for shared folders is Change, the most restrictive rule can be used to calculate the
user’s effective permissions as Read. Read is the more restrictive permission.
To summarize, use the least restrictive rule to calculate a user's permissions to
files, then use the least restrictive rule to calculate the user's permissions to the
share. After completing these calculations, use the more restrictive of the two.
More detailed information about shared data and security can also be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodt
echnol/windows2000serv/deploy/c13w2kad.asp
When NTFS permissions and shared folder permissions are both set for a shared
folder, the administration effort is doubled. Therefore, some companies use only
NTFS permissions to control user access on shared data both locally and through
a network.
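The effective-permission calculation described above, written out as an added example (not from the course): named permissions are expanded to base rights, the least restrictive rule takes the union within NTFS and within the share, and the most restrictive rule intersects the two. An explicit Deny entry removes its rights first, the precedence the text states for printer permissions; the ACLs and the right sets behind each named permission are constructed simplifications.

```python
RIGHTS = ("read", "execute", "write", "delete", "change permissions", "take ownership")
FULL = frozenset(RIGHTS)

# Named permissions expanded to the base rights they grant (simplified, constructed tables).
NTFS = {
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
    "Read and Execute": frozenset({"read", "execute"}),
    "List folder contents": frozenset({"read", "execute"}),
    "Modify": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": FULL,
}
SHARE = {
    "Read": frozenset({"read", "execute"}),
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": FULL,
}


def least_restrictive(entries, table, principals):
    """Least restrictive rule: the union of every Allow entry that applies to the user or
    one of the user's groups. An explicit Deny removes its rights whatever else is granted."""
    allowed, denied = set(), set()
    for principal, permission, kind in entries:
        if principal in principals:
            (denied if kind == "Deny" else allowed).update(table[permission])
    return frozenset(allowed - denied)


def effective(ntfs_entries, share_entries, principals, over_network=True):
    """Least restrictive within NTFS, least restrictive within the share, then the most
    restrictive rule to combine them. Share permissions do not apply to a local logon."""
    ntfs = least_restrictive(ntfs_entries, NTFS, principals)
    if not over_network:
        return ntfs
    return ntfs & least_restrictive(share_entries, SHARE, principals)


def label(rights):
    """Name the highest NTFS permission fully contained in a rights set, for readability."""
    fits = [name for name, needs in NTFS.items() if needs <= rights]
    return max(fits, key=lambda n: len(NTFS[n])) if fits else "No access"


def demo():
    """The text's example: NTFS Read and share Change give Read over the network."""
    alice = {"alice", "Users", "Everyone"}          # user plus group memberships (constructed)
    ntfs_acl = [("Users", "Read", "Allow")]           # (principal, permission, Allow/Deny)
    share_acl = [("Everyone", "Change", "Allow")]
    return label(effective(ntfs_acl, share_acl, alice))
```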
Sharing Printers
Printers must be shared before users can access them across a network. A printer
share is similar to shares for files and folders, except access cannot be limited in
a print share. By default, a print share is open to everyone, and this cannot be
modified. However, security permissions can be used to restrict access to print
shares.
In Windows 2000, printer permissions are separated into three categories:
•
• Manage documents or jobs
• Manage printers
A user can be assigned all of the permissions. When multiple permissions are
assigned to a group of users, the least restrictive permissions will apply. When
deny is applied, it takes precedence over any other permission.
Encrypted File System
The Encrypting File System (EFS) was designed to address weaknesses in NTFS.
EFS provides file encryption capabilities on an NTFS file system. EFS is an
integrated system service, which makes it easy to administer and difficult to
attack. EFS is based on public-key encryption and uses the Data Encryption
Standard X (DESX) as the encryption algorithm. The standard is 128 bit in North
America and 40 bit internationally. EFS ensures the privacy of sensitive data and
only allows the owner of a file to access the file. EFS users are issued a digital
certificate with a public and private key pair that is used for EFS operations. EFS
requires certificates for both a file owner and a recovery agent account. These are
stored in the certificate storage area on a local computer. If these certificates are
not found when a user logs on to a network, EFS will build them. If no certificate
service exists, EFS will create a key-pair and generate a self-signed certificate,
which will allow a user to use EFS without any additional configuration. A user
only needs to be issued a valid certificate once.
Note
EFS can use Microsoft Certificate Services to issue certificates to users and
recovery agents.
EFS uses symmetric key encryption in conjunction with public-key encryption to
provide confidentiality for NTFS files. Symmetric key encryption, which is also
known as secret key encryption, is an algorithm that requires the same secret key
to be used for both encryption and decryption. Symmetric encryption algorithms
are very fast and are typically used to encrypt large amounts of data. Public-key
encryption, which is also known as asymmetric key cryptography, is slower and
more secure. Public-key encryption uses two different, complementary keys that
are called a key set or key pair. One key is the private key. The private key is the
secret key, which is held only by its owner. The private key is typically used to
digitally sign data and to decrypt data that has been encrypted with the
corresponding public-key. The second key is the public-key. The public key is
the half of the key pair that can be made available to others with whom the user
must interact. The public key is typically used to verify digital signatures or
decrypt data that has been encrypted with the corresponding private key. Both the
public and the private keys must encrypt and decrypt the data contained within a
secure transaction. The public-key approach can also be used to sign encrypted
data. This allows the recipient to verify that the decrypted message came from
the individual whose public-key was used to encrypt the message.
How EFS Works
Since symmetric key encryption provides faster speeds and less security and
public-key encryption provides more security with slower speeds, EFS benefits
from a combination of both techniques. EFS generates a unique symmetric key for
each file, called a file encryption key (FEK), and uses it to encrypt the data
quickly. The FEK is then encrypted with the more secure and slower public-key
encryption method. This combines the benefits of faster data encryption with
more secure encryption to safeguard the FEK. It also provides the benefit of a
digital signature. The encrypted FEK can safely be included with the encrypted
file for storage and to be retrieved by each recipient. When the file needs to be
accessed, the private key is used to decrypt the FEK. After the FEK has been
decrypted, it is used to decrypt the file.
To encrypt or decrypt a file or folder, a corresponding attribute must be set. The
attribute for encryption and decryption is set the same way as a read-only,
compressed, or hidden attribute. If a folder is encrypted, all files and subfolders
in the folder are automatically encrypted. Microsoft recommends encrypting at
the folder level. When a folder is decrypted, the user can choose to decrypt only the
folder, or to decrypt the files and subfolders also. If the user chooses to decrypt
only the folder, the encrypted files and folders within the decrypted folder will
remain encrypted. Any new files or folders that are created in the decrypted
folder will not be encrypted unless the user encrypts them manually.
Data Recovery System
EFS requires a certificate for both the file owner and a recovery agent account.
An EFS Encrypted Data Recovery Agent policy identifies the data recovery
agent (DRA) accounts. This policy must be set before EFS can be used. The
policy should be set at the domain level, or at the local level for standalone
machines. If a policy is defined at the domain level, it will be enforced on all
computers in that domain.
A recovery agent account is used to restore data for all computers that are
covered by a policy. In data recovery operations, recovery agent accounts issue
recovery agent certificates with both public and private keys. Recovery agents
can be used to access encrypted data in circumstances such as the loss of an EFS
private key or a user that is no longer available. This ensures that files can still be
accessed if the user that encrypted the data is not available. The recovery agent
account is the highest-level administrator account by default. In a Windows 2000
domain, the domain administrator account for the first installed domain controller
is the default recovery agent account. In a standalone machine, the local
administrator is the default recovery agent account. The EFS recovery policy can
be modified to designate additional recovery agents. Separate recovery policies
can also be configured for different parts of an enterprise.
Note
If an EFS recovery policy is configured with no recovery agent certificates, EFS
will be disabled.
How Recovery Works
In EFS, no recovery utility is necessary to recover an encrypted file. The
procedure for file recovery is essentially the same as the procedure for file
decryption. Every time a file is encrypted, the FEK is also encrypted with the
public-key of the recovery agent. This encrypted FEK is attached to the file with
the copy of the FEK that is encrypted with the public key of the owner. When the
file needs to be recovered, the DRA can double-click on the file icon to open the
file. The private key of the recovery agent is used to decrypt the FEK. After the
FEK has been decrypted, it is used to decrypt the file. Since the word recovery is
misleading, a more appropriate name for a DRA might be a secondary access
account.
To open the file, the administrator's or DRA's private file recovery key must also
be present on the machine where the file resides. In a domain environment, this
private key does not reside on the local machine. It resides on the first installed
domain controller in the domain. In a standalone environment, the private key
resides on the local machine of an administrator. In either situation, the encrypted
file and the DRA private key must exist on the same machine to recover the file.
An encrypted file cannot be copied to another computer by anyone other than the
user who performs the encryption. To recover the file, the DRA must either
import the DRA private key to the computer on which the file resides, or move
the file to a computer where the DRA private key has already been imported.
This section will examine both procedures.
From Certificates in Microsoft Management Console (MMC), use the export
command to export the file recovery certificate and private key to a floppy disk.
Use the import command from Certificates in MMC on the machine with the
encrypted file to import the file recovery certificate and private key into the
personal store on the local machine. The DRA can now start the recovery
process.
Note
If access to the second computer is available through a roaming user profile, it is
not necessary to export and import the file encryption certificate and private key because
they are available on any computer after logon.
After the recovery certificate and private key have been exported, make a copy
on a floppy or CD and keep it in a secure place. If the file recovery certificate or
private key on the computer is ever damaged or deleted, the stored copy can be
used to replace the damaged or deleted certificate and private key.
Use Backup in Windows 2000 or another backup program for Windows 2000 to
make a backup version of the encrypted files or folder. Backup programs that are
designed for Windows 2000 retain the encryption of the backed-up files. Restore
the user backup version of the encrypted file or folder to the computer on which
the file recovery certificate is located. After the file has been decrypted, send the
backup version of the decrypted file or folder to the user as an e-mail attachment,
on a floppy disk, or on a network share.
Auditing Resources Access
Auditing is the ability to track security events such as user activities and
processes. It is a valuable tool that can help maintain the security of network
systems. Auditing enables administrators to identify security issues and react to
vulnerabilities before an attack or lapse occurs. Auditing is a better method than
manual monitoring because it monitors the system even when the administrator
cannot. Auditing also maintains a record of system access. It is nearly impossible
to identify security lapses and get the information needed to resolve an issue
without auditing.
Microsoft has improved the Windows auditing features in Windows 2000. One
of the enhanced features is the process used to configure the auditing policy.
Windows NT 4.0 restricts the auditing policy to a local machine or to all
controllers in a domain. In Windows 2000, audit policies that are set at the
domain level can also filter down to servers and workstations within the domain.
The settings made at the domain level will override local settings. Another new
feature in Windows 2000 is the ability to audit active directory-related events.
Setting Up Auditing
Before auditing is enabled, it is important to determine which information needs
to be recorded. In Windows 2000, almost any action can be audited by either the
system or a user. Auditing provides a lot of useful information. However, it also
consumes system resources such as memory, processing power, and disk space.
The more an administrator audits, the more it will impact system performance.
Auditing also creates a lot of information that needs to be studied and reviewed
to find patterns. The goal is to achieve a balance between auditing enough events
to be effective, yet not so many that important information is overlooked.
An NTFS file system is required to implement auditing. Auditing is not enabled
by default when Windows 2000 Server is installed. Auditing must be enabled on
the local computer, server, or domain controller before events can be
logged. Windows 2000 auditing uses six possible logs for the services that are
installed:
• Application
• System
• Security
• Directory Service
• File Replication
• DNS Server
This section will focus on the Security log.
The Security log contains information that is related to security events. These
events range from valid and invalid logon attempts, to creating, opening, or
deleting files. These actions can be audited on a success or failure basis. For
example, if user logins were being audited, a success audit would indicate that a
user logged in successfully and a failure audit would indicate that a user tried to
log in, but was denied access.
An auditing policy must be configured before security events can be audited. An
administrator or a member of the administrator group must set up auditing. The
method used to create an audit policy will depend on whether the policy is being
created on a domain controller, member server or workstation, or a standalone
machine. The same basic tools are used in each situation and the methods only
vary slightly. All of the methods use the security-related MMC snap-ins. The
main difference is that the active directory Users and Computers snap-in is used
to configure a domain controller, member server, or a workstation. The Local
Security Settings snap-in is used to configure a standalone system.
Auditing can also be applied to objects. Windows 2000 object auditing can be
applied in a variety of areas such as files and folders, printers, or the registry and
directory services. To begin the process of auditing access to directory objects on
a domain controller, turn on the Audit Directory Service Access category. Turn
on the Audit Object Access category to begin the process of auditing access to
system, registry, or printer objects. The next step is to set auditing on the
individual objects.
Auditing is only part of the process. For auditing to be effective, it is necessary to
review the log and scan events. The event viewer console, which is located in the
Administrative Tools folder, can be used to view all system logs. A user must be
logged on with administrative privileges to access the event viewer and Security
Log.
To view the details of an event, select the entry in the log. Events are listed either
as audit successes, which are designated by key icons, or as audit failures, which
are designated by padlock icons.
Note
Directory access audit information appears in the Directory Service event log.
The Directory Service event log only appears in the Event Viewer on Windows 2000
domain controllers.
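The Security log review described above is only useful if someone turns the success and failure audits into a finding. The following is an added example, not part of the original appendix: a small Python script that reads a constructed, simplified comma-delimited Security log export (the column layout, account names, times and computer names are invented for the example; the event IDs 528 and 529 are the Windows 2000 logon success and logon failure audits), summarises logon audits per account, and flags accounts whose failure audits cluster inside a short window and are then followed by a success audit.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Windows 2000 Security log event IDs for logon auditing
LOGON_SUCCESS = 528   # Success Audit: the user logged on
LOGON_FAILURE = 529   # Failure Audit: unknown user name or bad password

# Constructed, simplified sample of a Security log saved from Event Viewer as
# comma-delimited text. A real export carries the target account inside the event
# description; here it is its own column to keep the parser short.
SAMPLE_LOG = """\
03/10/2003,08:01:12,Success Audit,Logon/Logoff,528,CORP\\alice,WS01
03/10/2003,08:02:40,Failure Audit,Logon/Logoff,529,CORP\\bob,WS02
03/10/2003,08:03:05,Failure Audit,Logon/Logoff,529,CORP\\bob,WS02
03/10/2003,08:03:31,Failure Audit,Logon/Logoff,529,CORP\\bob,WS02
03/10/2003,08:04:02,Failure Audit,Logon/Logoff,529,CORP\\bob,WS02
03/10/2003,08:04:30,Success Audit,Logon/Logoff,528,CORP\\bob,WS02
03/10/2003,09:15:00,Failure Audit,Logon/Logoff,529,CORP\\carol,WS03
03/10/2003,09:16:10,Success Audit,Logon/Logoff,528,CORP\\carol,WS03
"""
FIELDS = ["date", "time", "type", "category", "event_id", "account", "computer"]


def parse_events(text):
    """Turn the export into dicts with a datetime and an integer event ID."""
    events = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return events


def logon_summary(events):
    """Per-account counts of success and failure logon audits."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        if ev["event_id"] == LOGON_SUCCESS:
            summary[ev["account"]]["success"] += 1
        elif ev["event_id"] == LOGON_FAILURE:
            summary[ev["account"]]["failure"] += 1
    return dict(summary)


def failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failure audits inside one `window`.

    Reports the size of the largest burst and whether a success audit followed
    the last failure, which is the pattern a password-guessing attempt leaves."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["event_id"] == LOGON_FAILURE:
            failures[ev["account"]].append(ev["when"])
    flagged = {}
    for account, times in failures.items():
        largest = max(sum(1 for t in times[i:] if t - start <= window)
                      for i, start in enumerate(times))
        if largest >= threshold:
            success_after = any(ev["account"] == account and ev["event_id"] == LOGON_SUCCESS
                                and ev["when"] > times[-1] for ev in events)
            flagged[account] = {"failures": largest, "success_after": success_after}
    return flagged


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    print(logon_summary(parsed))
    print(failure_bursts(parsed))
```

On the sample, `CORP\bob` is the only account flagged: four failure audits in under two minutes followed by a success audit, while `CORP\carol`'s single mistyped password stays below the threshold. The threshold and window are the knobs to tune against the balance the text describes between auditing enough and drowning in entries.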
Windows 2000 Infrastructure Level
Security
Securing Active Directory
Windows 2000 Server includes a directory service called active directory. The
active directory service is a combination of a directory and services. A directory
is physical storage that contains various objects. Services enable the resources in
the directory to be used. In active directory, the combination provides a network-
based object store and service that manages resources and makes these resources
available to authorized users and groups.
Active directory provides network administrators with a single point of
administration for all network objects. It replaces the Windows NT account
database as the repository for user and machine account information. Active
directory also contains policy information, certificates, and additional objects
such as applications, printers, and devices.
Active directory uses the following logical components:
• Objects – The actual instances of object classes that are created to define
how active directory is organized. Objects represent information and
resources and are organized according to how they are used.
• Attributes – The characteristics of an object
There are four basic components that make up an active directory structure:
• Sites – A location in a network that holds active directory servers. A site
contains one or more Internet Protocol (IP) subnets. These subnets are
tied together by high-speed, reliable connections. When a site is defined
as a set of subnets, administrators can configure active directory access
and the replication topology in a way that takes advantage of the physical
network. When users log on to the network, active directory clients find
active directory servers that are in the same site as the client.
• Domains – The core unit of the logical structure in active directory. A
domain is basically a security boundary. It is an administrator-defined
logical grouping of computers, servers, and other hardware, which share
a common directory database. A domain provides access to the
centralized user and group accounts maintained by the system
administrator.
• Forests – Domains are arranged in a hierarchical structure called a
forest. This structure starts with a domain called the forest root domain.
The domain is then arranged in a format that is similar to a family tree
with parent and child domains. These trees share a common schema,
configuration, and global catalog. The two main purposes of a forest are
to simplify the management of multiple domains and to simplify user
interaction with the directory. By default, every child domain has a two-
way trust with its parent. This trust, which is called a transitive trust, is
extended to all other domains in the forest, to help form a single unit.
• Organizational Units (OUs) – Container objects that active directory
system administrators use to organize objects within a domain. An OU
can contain objects such as user and group accounts, servers, computers,
printers, and applications
The ability to centralize administration and control of resources that active
directory provides is important for creating a secure system. Active directory uses
OUs to organize network resources in a logical hierarchy. It stores information
about accounts and resources in one location and allows network administrators
to update the information easily. To access network resources, users only need to
pass through a single checkpoint, instead of having to log on repeatedly to access
resources on different systems.
Active Directory Security
The integrity of active directory is also vital to the overall security of a network.
Active directory provides a single point of administration for all network objects.
It is extremely important to restrict access to active directory. Access to active
directory information can be controlled down to the object attribute level. Each
object and object attribute has a unique identifier that allows it to be individually
secured.
Windows 2000 provides protection for active directory with the following
features:
• Discretionary access control lists (DACL) are used to determine which
users can see an object and the actions that each user can perform. A
DACL can be used for individuals or groups and applies to object
attributes and object classes.
• Delegation allows administrators to delegate selected responsibilities for
OU ownership and administration to designated users.
• Access rights are used to grant or deny user rights and actions to
individuals and groups for objects or classes of objects.
• Trust relationships allow users in one domain to access resources and
information in other domains.
To provide protection for active directory, administrators can implement policy-
based management that allows them to assign specific security controls to
specific classes of objects from a single location.
Managing Security with Group Policy
Group policy provides enhanced capabilities that can be used to specify user and
computer configurations. Administrators can use this tool to define and control
how network resources, the operating system, and programs operate for users and
computers in an organization. Administrators can use Group Policy to ensure that
the machines on a network remain in a secure configuration after deployment.
In an active directory environment, Group Policy settings are associated with an
active directory container such as a site, domain, or OU. Settings are applied to
users or computers on the basis of their membership in these containers. By
default, settings in a Group Policy are inherited from a site, to a domain, and
finally to the OU level. A policy can be blocked at the active directory site,
domain, or OU level. A policy can also be enforced on a per Group Policy object
basis.
By default, Group Policy affects all computers and users in a selected active
directory container. However, filters can be used within a Group Policy based on
user and computer memberships in a Windows 2000 security group. This can
simplify the administration process for users with different security requirements.
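The inheritance rules just described (site, then domain, then OU; a container can block inherited policy; a Group Policy object can be enforced) decide which setting actually reaches a computer, and working that out by hand is where misconfigurations hide. The following added example is not part of the original appendix: a Python model of the resolution order with a constructed hierarchy (the site, domain, OU and GPO names and the setting names are invented). It assumes the standard precedence that later-applied policy overrides earlier policy, that blocking discards only non-enforced inherited policy, and that enforced GPOs are applied last with the higher-level one winning a conflict.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical, simplified model of Group Policy inheritance for illustration.
# Containers are listed from the site down to the container that holds the target.


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    enforced: bool = False           # "No Override" on the GPO link


@dataclass
class Container:
    name: str
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False  # "Block Policy inheritance" on the container


def resolve(chain: List[Container]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Return the effective settings and, for each setting, the GPO that supplied it."""
    inherited: List[GPO] = []   # non-enforced GPOs in application order (site, domain, OU...)
    enforced: List[GPO] = []    # enforced GPOs pass through blocks and are applied last
    for container in chain:
        if container.block_inheritance:
            inherited = []      # drop non-enforced policy inherited from the parents
        for gpo in container.gpos:
            (enforced if gpo.enforced else inherited).append(gpo)
    # Later applications override earlier ones, so the closest container normally wins.
    # Enforced GPOs come after everything else, highest level last, so an enforced
    # domain GPO beats an enforced OU GPO that sets the same value.
    order = inherited + list(reversed(enforced))
    effective: Dict[str, object] = {}
    source: Dict[str, str] = {}
    for gpo in order:
        for key, value in gpo.settings.items():
            effective[key] = value
            source[key] = gpo.name
    return effective, source


# Constructed hierarchy: site -> domain -> OU Finance (blocks inheritance) -> OU Tellers
SITE = Container("HQ-Site", [GPO("Site-Baseline",
                                 {"screensaver_timeout": 900, "audit_logon": "success"})])
DOMAIN = Container("corp.example", [GPO("Domain-Security",
                                        {"audit_logon": "success,failure", "disable_cmd": False},
                                        enforced=True)])
FINANCE = Container("OU=Finance", [GPO("Finance-Desktop",
                                       {"screensaver_timeout": 300, "audit_logon": "none"})],
                    block_inheritance=True)
TELLERS = Container("OU=Tellers", [GPO("Teller-Lockdown",
                                       {"screensaver_timeout": 120, "disable_cmd": True})])
SALES = Container("OU=Sales")


def effective_for_tellers():
    return resolve([SITE, DOMAIN, FINANCE, TELLERS])


def effective_for_sales():
    return resolve([SITE, DOMAIN, SALES])


if __name__ == "__main__":
    for label, (settings, source) in (("Tellers", effective_for_tellers()),
                                      ("Sales", effective_for_sales())):
        print(label)
        for key in sorted(settings):
            print(f"  {key} = {settings[key]!r}  (from {source[key]})")
```

For the Tellers OU the block at Finance removes the site baseline, the Teller GPO wins the screensaver timeout because it is closest, but the enforced domain GPO still dictates the audit setting and overrides the Teller GPO's attempt to disable the command prompt. The `source` map is the part worth keeping in a real tool: knowing which GPO supplied a setting is what makes an unexpected effective value explainable.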
Security configurations provide preconfigured security settings that can be
applied as part of Group Policy enforcement. The security areas that can be
configured for computers include the following:
• Account Policies – Computer security settings that are only effective at
the domain level for password policies, lockout policies, and Kerberos
policies in Windows 2000 domains
• Local Policies – Include user rights, security settings for audit policies,
and security options
• Event Log – Includes control settings for application, security and
system event logs, which can be accessed through the Event Viewer
• Restricted Groups – Enable administrators to enforce membership
policies for sensitive groups such as Enterprise Administrators
• System services – Control startup mode and access permissions for
system services
• Registry – Used to configure security settings such as access control,
auditing, and ownership for file-system objects
Security Templates and Security Configuration and Analysis Tools
Security Templates and Security Configuration and Analysis are two tools that
are used to apply network security policies and evaluate individual machines to
determine if they comply with the policies. These tools can be used to configure
templates with specific security settings. These settings can be applied to systems
and periodically evaluated to verify that they remain properly configured.
Security Templates can be used to build templates that can be imported into
Group Policies. This process will apply all the settings that are configured in a
template, to all the computers in a container that are linked to the Group Policy.
The Security Configuration and Analysis tool can also be used to verify the
security settings applied with Group Policy. It can also be used to apply the
Security Template to a system. If the Security Configuration and Analysis tool is
used to apply the security settings, a user can later change them and the change
is permanent. If a user changes a security setting that was applied through Group
Policy, the setting will be changed back to its original value the next time
Windows 2000 applies the policy. Therefore, it is better to use Group Policy for
this purpose.
Securely Updating DNS Records
Active directory follows the Domain Name System (DNS) standard to name
objects. DNS is an industry standard name resolution service that allows clients
to locate active directory services. DNS can be used for internal and external
name resolution in a company.
The integration of DNS and active directory is an important feature of Windows
2000. Active directory relies heavily on DNS. It uses DNS to publish the active
directory services. Other Windows 2000 systems can easily locate these services,
regardless of where they are located in the enterprise. DNS maps hostnames to
numerical IP addresses. DNS allows a host to be assigned a more meaningful
name. DNS is able to resolve the following:
• IP addresses to hostnames
• Hostnames to IP addresses
• Services to both hostnames and IP addresses
Since DNS and active directory are closely integrated, they must be given equal
importance when a security strategy is defined.
Name servers with Internet access are exposed to a wide variety of DNS attacks.
DNS security can be provided in the following ways:
• Secure the name server by refusing queries, zone transfer requests, and
dynamic updates from unauthorized addresses
• Secure zone data by digitally signing it
• Secure transactions by securing queries, responses, and other messages
that the name server sends and receives. For example, if recursion is
disabled, the name server goes into passive mode: it never sends queries
on behalf of other name servers or resolvers. Since a non-recursive name
server does not send queries, it does not cache any data.
Note
Recursion cannot be disabled on a server if any other name servers use the
server as a forwarder. This is also true if any resolvers use the server for querying
purposes. If recursion cannot be turned off on a server, another option is to restrict
queries. DNS can be configured to accept queries from only known addresses and zones.
• Restrict the server by refusing queries, zone transfer requests, and
dynamic updates from unauthorized addresses. Restricting zone transfers
prevents others from taxing the name server. It also prevents hackers
from listing the contents of the zones to identify targets or to gain host
demographic information. Dynamic updates in particular should be
restricted to individual addresses as much as possible. While dynamic
updates are useful, they are also dangerous. If unauthorized parties can
send dynamic updates, they can delete all the records from a zone
and add completely different records.
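The rules in the list above (refuse queries, transfers and updates from unauthorized addresses; restrict updates to individual hosts; run without recursion where possible) amount to an access policy that can be written down and checked. The following is an added example and not part of the original appendix: a Python model of such a policy, with a `decide` function that classifies one request the way a name server configured to the guidelines would, and a `weaknesses` function that reports settings the guidelines warn against. The policy fields, the zone `example.com` and the documentation-range addresses are constructed for the example and are not any product's configuration keys.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# Hypothetical policy model for a name server; the field names are this example's own.
ANY = ipaddress.ip_network("0.0.0.0/0")
Net = ipaddress.IPv4Network


@dataclass
class NameServerPolicy:
    zones: Set[str]                                   # zones the server is authoritative for
    recursion: bool = False                           # passive (non-recursive) when False
    allow_query: List[Net] = field(default_factory=list)
    allow_transfer: List[Net] = field(default_factory=list)
    allow_update: List[Net] = field(default_factory=list)


def _permitted(source: str, networks: List[Net]) -> bool:
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in networks)


def _authoritative_zone(name: str, zones: Set[str]):
    """Longest zone the name falls under, or None when the server has no authority for it."""
    name = name.rstrip(".").lower()
    best = None
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def decide(policy: NameServerPolicy, kind: str, source: str, name: str) -> str:
    """Classify one request: 'answer', 'recurse', 'allow', or 'refuse:<reason>'."""
    zone = _authoritative_zone(name, policy.zones)
    if kind == "query":
        if not _permitted(source, policy.allow_query):
            return "refuse:source"
        if zone:
            return "answer"                     # served from authoritative zone data
        if policy.recursion:
            return "recurse"                    # server queries on behalf of the client
        return "refuse:recursion-disabled"      # passive server never queries for others
    if kind == "axfr":                          # zone transfer request
        return "allow" if zone and _permitted(source, policy.allow_transfer) else "refuse:transfer"
    if kind == "update":                        # dynamic update
        return "allow" if zone and _permitted(source, policy.allow_update) else "refuse:update"
    return "refuse:unknown-request"


def weaknesses(policy: NameServerPolicy) -> List[str]:
    """Settings that the guidelines above warn against."""
    found = []
    if ANY in policy.allow_transfer:
        found.append("zone transfers allowed from any address")
    if ANY in policy.allow_update:
        found.append("dynamic updates allowed from any address")
    for net in policy.allow_update:
        if net != ANY and net.num_addresses > 1:
            found.append(f"dynamic updates allowed from a whole network ({net})")
    if policy.recursion and ANY in policy.allow_query:
        found.append("recursion open to any address")
    return found


# Constructed policies: an Internet-facing server before and after hardening.
WEAK = NameServerPolicy({"example.com"}, recursion=True,
                        allow_query=[ANY], allow_transfer=[ANY], allow_update=[ANY])
HARDENED = NameServerPolicy({"example.com"}, recursion=False,
                            allow_query=[ANY],                       # public zone data only
                            allow_transfer=[Net("203.0.113.2/32")],  # the secondary server
                            allow_update=[Net("203.0.113.10/32")])   # one trusted host
```

With `HARDENED`, an outside host can still resolve names inside `example.com`, but a transfer of the zone, an update, or a lookup for some other domain is refused; `weaknesses(WEAK)` lists the three open settings and `weaknesses(HARDENED)` is empty. Evaluating requests against the written policy before deploying it is a cheap way to confirm that the restriction actually covers the cases the guidelines name.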
Some additional recommendations to secure DNS are as follows:
• Separate DNS zones with a firewall. Two DNS zones can be created with
the same name on either side of a firewall. In this scenario, an internal
DNS server with active directory services will maintain records and
handle requests from machines on the LAN. A second DNS server that
does not manage active directory services will maintain records and
handle requests for hosts on the public network. This will protect the
internal DNS server from unknown hosts.
• Run the newest name server version. This does not guarantee that a name
server will be protected, but it can minimize the possibility of an attack.
• Follow relevant newsgroups and mailing lists closely to learn about
vulnerabilities and any necessary reconfiguration or patches quickly.
Securing Windows Network Services
As the importance and convenience of the Internet continues to grow in
businesses, so does the need for Web servers in the business computing
environment. To address this need, Windows 2000 Server includes an updated
version of Internet Information Services (IIS), called IIS 5.0. IIS 5.0 is the World
Wide Web service integrated into Windows 2000 Server. IIS provides support
for standard Internet services such as FTP, SMTP, and Network News Transfer
Protocol (NNTP). To ensure server security, IIS 5.0 adds support for important
industry standard security protocols such as the Kerberos v5 authentication
protocol, Transport Layer Security (TLS), Server Gated Cryptography (SGC),
Digest Authentication, and Fortezza.
There are five major security mechanisms that are used to secure IIS 5.0:
• Authentication – Can be used to confirm the identity of anyone who
requests access to a website. IIS 5.0 supports the following authentication
types:
  • Anonymous authentication
  • Basic FTP authentication
  • Anonymous FTP authentication
  • Integrated Windows authentication
• Certificates – Digital identification documents that allow servers and clients
to authenticate each other
• Access control – Allows permissions to be configured for websites. IIS uses
two layers of access control:
  • Web permissions – Define which HTTP verbs can be used to access
server resources
  • NTFS permissions – Define the level of access that user accounts
have for directories and files on a server
• Encryption – Scrambles information before it is sent. Decryption
unscrambles the information after it has been received.
• Auditing – Policies created to monitor directory and file access or server
events. Includes monitoring the security logs to detect security breaches.
Protecting a World Wide Web Server
The World Wide Web service supports HTTP functionality, which provides
tighter logon security, faster transfer speeds, and additional virtual hosting
abilities. It allows users to publish content to the Internet. To share content, files
are placed in directories on a website. These files are viewed with a Web browser
such as Microsoft Internet Explorer.
A home directory is the central location for files that are published in a website.
A default home directory \wwwroot is created when the Web service is installed.
The location of the default home directory can be changed. It is important to
protect the privacy of the content in these directories. The Directory Security
property sheet can be used to configure the Web server security features. It
consists of the following sections:
• Anonymous Access and Authentication Control – Consists of three
authentication methods. One or more of these methods can be selected.
  • Allow Anonymous Access – Allows users to connect to a Web server
with an anonymous or guest account.
  • Basic Authentication – Requires a username and password when the
Allow Anonymous option is disabled or access to the server is
determined by NTFS Access Control Lists. When this option is enabled,
the password is sent in clear text.
  • Windows NT Challenge/Response – Requires a username and
password when the Allow Anonymous option is disabled or access to the
server is determined by NTFS Access Control Lists. When this option is
enabled, the password is sent encrypted.
• Secure Communications – Uses Key Manager to create a certificate
request.
• IP Address and Domain Name Restrictions – Allows administrators to
grant or deny access to resources with IP addresses or Internet Domain
names.
Protecting a File Transfer Protocol Server (FTP)
FTP is the protocol used to copy files to and from remote computer systems over
a TCP/IP network. Although Web services have replaced many of the FTP
functions, FTP is still used to copy files between clients and servers over the
Internet.
Both Windows 2000 security and the IIS Internet Service Manager control the
security of an FTP service. A combination of the two can be used to enforce
effective security on an FTP server.
Windows 2000 Security is similar to that of a Web server. A default home
directory called \Ftproot is created when an FTP service is installed. The location
of this directory can be changed. The Home Directory and Directory Security
sheets can be used to set access privileges. Access can be limited to specific users
or groups by specifying IP addresses.
All FTP property sheets can be accessed with the IIS Internet Service Manager
(ISM). One of the property sheet features is connection configuration, which can
be used to set the length of time before the server disconnects an inactive user.
Logging can also be enabled. Logging records details about user activity and
creates logs in a chosen format. Another important feature is the use of security
accounts. Security accounts can be used to control user access to a server. The
account for anonymous client logon requests can also be specified on this sheet.
There are many vulnerabilities and attacks that threaten both Web and FTP
servers. It is important to secure the servers before they are put on the Internet.
Unlike most types of servers, which restrict access to selected users, Web and
FTP servers often allow unrestricted access to their services. Some of the users
that connect to these servers may try to compromise the data or attack the server.
The following guidelines are specific to Web and FTP server security:
• Isolate the Web and FTP servers if possible. When these systems are
connected to the rest of the network, it creates a door into the network.
• Set up Web and FTP servers to meet specific needs. Remove all Web or
FTP services unless they have a specific purpose.
• Keep current with service packs and patches.
• Set up alternate accounts. Anonymous logons may be necessary if the
general public needs to access a website. However, anonymous logons
should be carefully planned to protect the network. When IIS is installed,
it automatically creates a generic anonymous account named
IUSR_MACHINENAME. This account name should be changed immediately
after IIS is installed.
• Restrict or grant access to the Web and FTP server by IP address.
• Set properties for each Web and FTP folder. Establish usernames and
passwords to control access to parts of the website and to secure data.
Protecting a Windows Mail Server
Mail delivery has become a common component of Internet sites. The SMTP
service component, which is installed with IIS, facilitates the transmission of
Internet mail. Microsoft SMTP service provides full support for SMTP and is
compatible with standard SMTP mail clients. SMTP is the protocol for e-mail
messages that are sent between servers. The SMTP service uses the SMTP
protocol to transport and deliver messages.
The SMTP service in IIS is completely directory based. The SMTP installation
creates the following directory structure in the \inetpub\mailroot directory:
• BADMAIL – Stores messages that the SMTP service is unable to deliver
• DROP – Holds all mail for the SMTP service. Each file represents an
email message.
• PICKUP – Picks up outgoing messages that are manually created as text
files and copied to the directory. As soon as a mail message goes into
this directory, the SMTP service picks it up and either delivers it to the
Drop directory or sends it to the SMTP service for the destination
domain.
• QUEUE – Holds messages for delivery. If the SMTP service cannot
deliver a message immediately because of a network problem or other
connectivity problem, the message queues in the Queue directory. The
SMTP service holds the message for a configurable length of time, then
tries to retransmit it a configurable number of times.
• ROUTE, SORTTEMP, and MAILBOX – Used by the SMTP service to sort
and rearrange outgoing messages for more efficient delivery. If several
messages are going to the same remote host, IIS tries to send them with a
single connection instead of transmitting each one individually and
reconnecting multiple times.
The SMTP service uses five property sheets to configure different aspects of the
service. ISM can be used to access all SMTP property sheets:
• SMTP Site – Used to choose the name and IP Address of the SMTP site
and configure the ports and connection settings. Can also be used to
enable logging.
• Operators – Used to designate permissions for specific user accounts for
the SMTP site
• Messages – Used to set limits for messages such as size and number of
recipients
• Delivery – Used to set delivery and routing options such as maximum
retries, maximum hop count, and security options
• Directory Security – Used to specify the methods for anonymous access
and authentication control and to set up secure communication methods
SSL/TLS
Two common secure Web communication protocols are Secure Sockets Layer
(SSL) and the open Transport Layer Security (TLS) protocol, which is based on
SSL. The SSL and TLS protocols are widely used to provide secure channels for
confidential TCP/IP communication on the Web. SSL and TLS guarantee the
authenticity of Web content and provide reliable verification of the identity of
users who access restricted websites.
Other protocols, such as HTTP and LDAP, run on top of TCP/IP. This means
that they all use TCP/IP to support typical application tasks such as to run email
servers or display Web pages. The SSL protocol runs above TCP/IP and below
higher-level protocols such as HTTP. It uses TCP/IP on behalf of the higher-level
protocols. TLS is a protocol that enables authentication and data encryption over
insecure networks. It is implemented as a layer between TCP/IP and higher-level
network protocols such as HTTP and SMTP. The TLS protocol is an updated
version of the SSLv3 protocol. The two protocols are closely related but not
directly interoperable.
How SSL and TLS Work
At the beginning of an SSL and TLS session, the client and server try to agree on
a cipher suite, which is a group of cryptographic algorithms that they will use for
authentication and session encryption. The server chooses the strongest
cryptography that is available to both the server and client. After the client and
server have negotiated a cipher suite, they can authenticate each other and create
a session key, which is generated by the Web browser. The browser encrypts the
session key with the public key of the server. It then sends the encrypted session
key to the Web server. The server uses its own private key to decrypt the session
key and establish a secure channel. The Web server and the browser then use the
session key to encrypt and decrypt all data traffic sent between the client and the
server.
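Both the EFS recovery mechanism described under "How Recovery Works" and the SSL session setup just described rest on the same construction: a random symmetric key protects the bulk data, and that key travels wrapped under a public key so only the holder of the matching private key can unwrap it. The following added example, which is not code from the original appendix or from Microsoft, models both in Python with a toy textbook RSA (short keys, no padding, generated in the block itself) and an HMAC-based keystream standing in for the file cipher and the SSL bulk cipher. The function names, the cipher suite labels and their strength values are this example's own assumptions; the DDF and DRF names are the EFS terms for the owner's and the recovery agent's copies of the FEK.

```python
import hashlib
import hmac
import os
import random

# Toy textbook RSA (unpadded, short keys) standing in for the certificate key pairs
# of the file owner, the recovery agent, and the Web server. Illustration only.

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=256):
    """Return ((n, e), (n, d)): the public key and the private key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def wrap_key(public, key):
    """Encrypt a symmetric key under a public key (the key must be shorter than n)."""
    n, e = public
    m = int.from_bytes(key, "big")
    assert m < n
    return pow(m, e, n)

def unwrap_key(private, wrapped, length):
    """Decrypt a wrapped key; returns None when this private key does not match."""
    n, d = private
    m = pow(wrapped, d, n)
    return None if m >= 1 << (8 * length) else m.to_bytes(length, "big")

def _stream_xor(key, nonce, data):
    """Symmetric stand-in for the file cipher and the SSL bulk cipher: HMAC keystream XOR."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

# EFS model: a random FEK encrypts the file; the FEK is wrapped twice, once for the
# owner (the DDF) and once for the recovery agent (the DRF), and both travel with the file.

def efs_encrypt(plaintext, owner_pub, dra_pub):
    fek, nonce = os.urandom(16), os.urandom(8)
    return {"nonce": nonce, "data": _stream_xor(fek, nonce, plaintext),
            "ddf": wrap_key(owner_pub, fek), "drf": wrap_key(dra_pub, fek)}

def efs_decrypt(blob, private, as_recovery_agent=False):
    """Owner and DRA follow the same steps; only the FEK copy they unwrap differs."""
    fek = unwrap_key(private, blob["drf" if as_recovery_agent else "ddf"], 16)
    return None if fek is None else _stream_xor(fek, blob["nonce"], blob["data"])

# SSL/TLS model as described above: agree on a cipher suite, then the browser
# generates the session key and sends it encrypted under the server's public key.
SUITE_STRENGTH = {"EXPORT-RC4-40": 40, "3DES-168": 112, "AES-128": 128}  # constructed labels

def negotiate(client_suites, server_suites):
    """Server picks the strongest suite both sides offer; None means no common suite."""
    common = [s for s in server_suites if s in client_suites]
    return max(common, key=lambda s: SUITE_STRENGTH.get(s, 0)) if common else None

def ssl_exchange(client_suites, server_suites, server_pub, server_priv, request):
    """Return (suite, the request as the server decrypts it), or (None, None) on failure."""
    suite = negotiate(client_suites, server_suites)
    if suite is None:
        return None, None
    session_key = os.urandom(16)                       # generated by the browser
    wrapped = wrap_key(server_pub, session_key)        # sent encrypted with the server's public key
    nonce = os.urandom(8)
    ciphertext = _stream_xor(session_key, nonce, request)
    server_key = unwrap_key(server_priv, wrapped, 16)  # server uses its own private key
    return suite, _stream_xor(server_key, nonce, ciphertext)
```

Two points the model makes concrete: recovery needs no special utility because `efs_decrypt` is the same routine for the owner and the DRA, differing only in which wrapped FEK copy is used, which is why a recovery agent's private key must be present wherever the file is; and a private key that matches neither copy yields nothing, not a partially decrypted file. In `ssl_exchange`, the server never sees the session key in the clear on the wire, only its RSA-wrapped form.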
Windows Network Security Methods
The Internet offers many valuable services. An Internet connection allows the
members of an organization to obtain information from many resources. Staff
members can also use company resources from their homes or remote locations,
which allows them to work more effectively. This has resulted in an increased
demand for Internet access. Increased usage of the Internet creates increased
risks. Services that are accessible from the Internet can be misused. It is
important for organizations to employ security strategies that will protect the
privacy of their data. Windows 2000 includes a variety of technologies to secure
a company network for access to and from the Internet.
Many organizations now have smaller networks that are partially separated from
the main network. These smaller networks are usually peer-to-peer networks. A
peer-to-peer network, which is also called a workgroup, is commonly used for
Small Office/Home Office (SOHO) networks. In this type of network, computers
communicate with each other directly on a single subnet and do not require a
server to manage network resources. In general, a peer-to-peer network is most
appropriate where there are fewer than ten computers located in the same area.
Windows 2000 includes two technologies that allow translated connections
between clients on the SOHO and either the Internet, the corporate network, or
both. These technologies are Internet connection sharing and network address
translation. Both technologies provide translation, automatic IP addressing, and
name resolution services to all computers on a SOHO network.
Internet Connection Sharing
Internet connection sharing (ICS) is a feature of network and dial-up connections
that allows multiple machines to simultaneously access the Internet with a single
Internet connection. With ICS, a single computer is connected to the Internet and
the Internet service is shared with other computers on the SOHO network. ICS
can be configured on Windows 2000 Server, Professional, or Windows 98
Second Edition.
ICS configuration is simple. The computer on which ICS is configured is called
an ICS host. In the Network and Dial-up Connections component on the ICS
host, check the Enable Internet connection sharing for this connection box to
share the dial-up, virtual private network (VPN), or incoming connection. After
ICS is enabled, each computer can use programs such as Internet Explorer and
Outlook Express as if they were directly connected to the Internet.
How ICS Works
The ICS host computer requires at least two network interfaces or connections.
This can be accomplished with two network cards or a network card and a dial-up
connection. The LAN interface connects to computers on a SOHO network
through a network adapter. The Internet interface connects the SOHO network to
the Internet through a dial-up modem, ISDN, DSL or a cable modem. ICS is
configured on the Internet interface, because this is the interface that will be
shared. The Internet interface has an external IP address. This address is assigned
through a local ISP dial-up or a fixed network connection. After ICS is enabled,
the network adapter for the Internet interface is automatically configured with a
static IP address of 192.168.0.1. This address is part of the IP address range of
192.168.0.0 to 192.168.254.254.
In addition to the configuration of the ICS host computer, the SOHO network
users must also configure Internet options for ICS on their local machines. The
ICS host also has a DNS proxy function, which means that all client hostname
resolution requests will be forwarded to the ICS host for resolution through the
configured external DNS parameters. Client machine TCP/IP properties must be
configured to obtain IP addresses automatically. Clients point to the 192.168.0.1
interface as their default gateway and are assigned IP addresses in the appropriate
range.
Note
After ICS is enabled, no other networking services such as DHCP and DNS are
allowed on the network. These services are all implemented by the ICS system.
Network Address Translation
Network address translation (NAT) is a feature of Routing and Remote Access
that is similar to ICS, but more flexible. While it contains some of the same
functionality as ICS, NAT has some additional features that make it more
suitable in some environments.
NAT is used to allow multiple computers on a private network to share a single
Internet connection. The computer that NAT is installed on, which is called the
NAT host, can act as a network address translator, a simplified DHCP server, a
DNS proxy, and WINS proxy. Unlike ICS, which can be configured on multiple
Windows operating systems, NAT requires at least a Windows 2000 server.
NAT requires at least one external public IP address. All client requests for
Internet services or external resources are made by using this external address.
As a result, all requests for Internet services appear to originate from a single
address. This provides a layer of obscurity for the private network and protects
the IP addresses of NAT clients from hosts outside of the private network.
How NAT Works
When a client wants to transmit information to a server on the Internet, it sends a
packet. The source fields of the packet contain the IP or source address of the
client and the port number. The destination fields contain the IP or destination
address of the server and the port number. Since the destination computer is
external to a network, the client will forward the packet to the NAT server that
acts as the default gateway.
The NAT server will then create a port mapping for the packet. The port mapping
consists of the IP address and port of the destination server, the IP address and
port of the NAT server, the network protocol in use, and the internal IP address
and port from the client. The port mapping is maintained in a table that is stored
on the NAT server.
Before the NAT server forwards a packet to the destination server, it translates
the packet. Packet translation is done by swapping the source field information
included in the packet. The source field information of the client machine is
replaced with the source field information of the NAT server. As a result, when
the destination server receives the packet, it will think it is only communicating
with the NAT server. The destination server will address response packets to the
external IP address and port of the NAT and use its own IP address and port in
the source fields.
When the NAT server receives a response to a request, it compares the ports of
the received packet to its table of stored port mappings. It attempts to find a port
mapping where the source IP address and port, destination port, and network protocol of
the incoming packet correspond to the remote host IP address and port, external
port, and network protocol. If the NAT server finds a match, it performs a reverse
translation. The NAT server will replace the external IP address and port in the
destination fields of the packet with the private IP address and internal port of the
client machine. Then the NAT server forwards the reply to the client machine.
Note
If the NAT server does not find a matching port mapping, the incoming packet will
be dropped and the connection will be broken.
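The port mapping table and the two translations described above, as an added example that is not from the page or from Windows 2000 itself. All addresses and ports are constructed: 192.168.0.5 is a private client, 203.0.113.10 stands in for the NAT server's external address and 198.51.100.7 for a server on the Internet. A reply for which no mapping exists is returned as None, which is the "dropped" case of the note.

```python
"""Port mapping table of a NAT server, as described in "How NAT Works".

Added example, not taken from the page or from Windows 2000 code.  All
addresses and ports are constructed: 192.168.0.5 is a private client,
203.0.113.10 stands in for the NAT server's external address and
198.51.100.7 for an Internet server.
"""


class NatTable:
    """Translates outbound packets and reverse-translates replies."""

    def __init__(self, external_ip, first_external_port=50000):
        self.external_ip = external_ip
        self.next_port = first_external_port
        # Reverse lookup used for replies: (protocol, remote ip, remote port,
        # external port) -> (client ip, client port).
        self.inbound_map = {}
        # Forward lookup so repeated packets of one flow reuse one mapping.
        self.outbound_map = {}

    def translate_outbound(self, pkt):
        """Replace the client's source fields with the NAT server's own."""
        key = (pkt["proto"], pkt["src_ip"], pkt["src_port"],
               pkt["dst_ip"], pkt["dst_port"])
        ext_port = self.outbound_map.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = ext_port
            self.inbound_map[(pkt["proto"], pkt["dst_ip"], pkt["dst_port"],
                              ext_port)] = (pkt["src_ip"], pkt["src_port"])
        out = dict(pkt)
        out["src_ip"], out["src_port"] = self.external_ip, ext_port
        return out

    def translate_inbound(self, pkt):
        """Reverse translation for a reply; None means no mapping, so drop."""
        if pkt["dst_ip"] != self.external_ip:
            return None
        client = self.inbound_map.get(
            (pkt["proto"], pkt["src_ip"], pkt["src_port"], pkt["dst_port"]))
        if client is None:
            return None
        back = dict(pkt)
        back["dst_ip"], back["dst_port"] = client
        return back


def demo():
    """One request/reply exchange plus an unsolicited inbound packet."""
    nat = NatTable("203.0.113.10")
    request = {"proto": "tcp", "src_ip": "192.168.0.5", "src_port": 1025,
               "dst_ip": "198.51.100.7", "dst_port": 80}
    outbound = nat.translate_outbound(request)
    # The Internet server answers the external address and port it saw.
    reply = {"proto": "tcp", "src_ip": "198.51.100.7", "src_port": 80,
             "dst_ip": outbound["src_ip"], "dst_port": outbound["src_port"]}
    delivered = nat.translate_inbound(reply)
    # No client asked 198.51.100.7:80 through external port 50001, so the
    # table has no entry and the packet is dropped.
    stray = dict(reply, dst_port=50001)
    dropped = nat.translate_inbound(stray)
    return outbound, delivered, dropped
```

The lookup key for replies deliberately includes the remote host's address and port as well as the protocol, so an inbound packet from a different host that happens to hit an external port in use is not forwarded to the client behind that mapping.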
Routing and Remote Access Services
Windows 2000 Routing and Remote Access (RRAS) service was first introduced
in Service Pack 4 for Windows NT Server 4.0. It is a much-enhanced version of
the previous Remote Access Service (RAS) that was provided in Windows NT.
The earlier version of RAS only provided dial-up capabilities. Routing was a
completely separate service. Windows 2000 combines remote access services
with routing services on the same computer to create a Windows 2000 remote
access router. This allows RRAS to provide both dial-up and routing capabilities.
Routing
Routing is the process used to direct data from one network segment to another,
or to communicate with hosts outside of a LAN if no specific or direct route is
known. The addressing information in a network packet is used to determine the
best path to deliver a packet on the network. As networks increase in size, so
does the addressing complexity, which increases the need for routing. Routing is
extremely valuable because it enables a network to handle increased users and
data without sacrificing performance. More importantly, routing gives networks
the capability to filter certain traffic for security.
Windows 2000 Server routing capabilities offer several benefits over a dedicated
hardware router. In a small to medium-size organization, which is typically less
than 50 network segments, the budget may not support the cost of a dedicated
hardware router. If a site decides to build a small, special purpose LAN, a router
is a relatively large expense. When a Windows 2000 system is implemented to
function as a router, the need for the expertise necessary to maintain and
administer a traditional router is eliminated.
Windows 2000 Server offers several routing capabilities. It provides multi-protocol
LAN-to-LAN, LAN-to-WAN, VPN, and NAT services. It also supports
several different routable protocol suites such as TCP/IP and IPX Routing. These
routing options allow Windows 2000 to be integrated into an existing network.
Windows 2000 routing features offer the ability to secure access to network
resources with packet filtering. When packet filters are enabled on router
interfaces, detailed rules control which traffic will be accepted or forwarded on
that interface.
Remote Access Services
As mentioned earlier, RRAS also offers services for remote access. Medium to
large networks need a more powerful architecture to provide users with remote
access. RRAS allows remote access clients to use the Internet as a data path to
send and receive data more securely and efficiently. RRAS connects remote
users to resources on an internal network as if their computers were physically
connected to the network. It also provides many new features to improve upon
the Windows NT version of RAS. RRAS allows remote users to connect to their
corporate network through traditional dial-up connections and also provides new
features such as VPNs, infrared, and direct cable connections. This service provides
several ways to maximize security.
How Remote Access Works
To connect to an internal network from a remote location, a user must first dial a
remote access server on the network. The user is granted access to the network
under the following conditions:
• The request matches one of the remote access policies defined for the server
• The user account has been enabled for remote access
• The user is authorized to access the network
If authentication is successful, the user is permitted to access the network. If
authentication is not successful, access is denied.
Remote Access Policies
Windows 2000 RRAS offers many enhanced security features that were not
included in Windows NT RAS. One of the best new features in RRAS is the
addition of remote access policies. In Windows NT, user authorization was based
on a simple Grant Dial-In Permission to User option. Callback options were also
managed on a per-user basis. In Windows 2000, user authorization is granted or
denied based on the dial-in properties of a user account and the remote access
policies that are designated by the administrator.
Remote access policies establish which requests a server will accept for remote
access, which users are permitted or denied to connect through remote access, the
properties of the connection, which protocols are used, and the types of
authentication that are required. If no policies are established, all remote access
connection attempts to the RRAS server will be denied. Remote access policies,
whether implemented as local policies or as part of Group Policy, can enforce the
use of the authentication and encryption methods that are selected. There can be
multiple remote access policies per server. As a result, different policies can be
applied to different groups of users. The Windows 2000 RRAS service uses
remote access policies to determine whether to accept or reject connection
attempts. Authorization is based on the evaluation of policy conditions, user
permissions, and user profiles. Policy conditions are the basic parameters that
must be met before a connection to the server will be allowed. Policy conditions
are evaluated based on their order in the list of policies. If a user does not meet
the conditions in policy 1, then policy 2 will be evaluated. This process will be
continued until the user meets the conditions of a policy. That policy will be the
last policy that is evaluated. If there are ten policies and the user meets the policy
conditions in policy 5, the remaining policies will not be evaluated. If a user does
not meet the conditions of any policy, then access is denied.
After the policy conditions have been successfully evaluated and met, the user
account permissions will be evaluated. These permissions relate to the dial-in
settings that can be configured for a user account. There are three permissions
that can be set:
• Allow access
• Deny access
• Control access through remote access policy
The allow access and the deny access permission options will either allow or
deny remote access to the system. The control access through remote access
policy option instructs the remote access permission policy to override the user
remote access permissions.
If user permissions allow access, the final level of evaluation involves the use of
profile settings. A remote access policy profile is a set of properties that are
applied to a connection after the connection is authorized.
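The three evaluation levels above (ordered policy conditions with first match winning, then the account's dial-in permission, then the profile), as an added example that is not from the page or from Windows 2000. The policy names, condition attributes, groups and accounts are constructed and are not Windows identifiers.

```python
"""Remote access authorization in the order the text gives: ordered policy
conditions (first match wins), then the account's dial-in permission, then
the matched policy's profile.

Added example; the policies, attribute names, groups and accounts are
constructed and are not Windows 2000 identifiers.
"""
from dataclasses import dataclass, field

ALLOW = "allow"
DENY = "deny"
CONTROL_BY_POLICY = "control access through remote access policy"


@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict            # every attribute here must match the request
    grants_access: bool         # the policy's own permission
    profile: dict = field(default_factory=dict)


def matches(policy, request):
    """All conditions of a policy must hold for the connection request."""
    return all(request.get(attr) == value
               for attr, value in policy.conditions.items())


def authorize(policies, request, account):
    # Step 1: walk the ordered list; the first policy whose conditions all
    # match is the last one evaluated.  No match at all means deny.
    matched = next((p for p in policies if matches(p, request)), None)
    if matched is None:
        return {"allowed": False, "reason": "no policy matched"}
    # Step 2: account permission.  Allow and Deny decide outright; "control
    # access through remote access policy" defers to the policy's permission.
    permission = account["dial_in"]
    if permission == DENY:
        return {"allowed": False, "reason": "account denies access",
                "policy": matched.name}
    if permission == CONTROL_BY_POLICY and not matched.grants_access:
        return {"allowed": False, "reason": "policy denies access",
                "policy": matched.name}
    # Step 3: the profile is applied to the now-authorized connection.
    return {"allowed": True, "policy": matched.name,
            "profile": dict(matched.profile)}


# Constructed policy list, evaluated top to bottom.
POLICIES = [
    RemoteAccessPolicy("Contractors - no remote access",
                       {"group": "Contractors"}, grants_access=False),
    RemoteAccessPolicy("Employees over VPN",
                       {"group": "Employees", "port_type": "VPN"},
                       grants_access=True,
                       profile={"encryption": "strongest",
                                "idle_timeout_min": 20}),
    RemoteAccessPolicy("Employees dial-up, business hours",
                       {"group": "Employees", "port_type": "dial-up",
                        "business_hours": True},
                       grants_access=True,
                       profile={"callback": "required"}),
]
```

Note what the account-level Allow does in this model: a contractor whose account is set to Allow is admitted even though the first matching policy denies, because only "control access through remote access policy" lets the policy decide. Auditing which accounts carry an explicit Allow is therefore part of checking that the policies actually bind.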
Internet Authentication Service (IAS) and Remote
Authentication Dial-in User Service (RADIUS)
Windows 2000 Internet Authentication Service (IAS) is the Microsoft version of
the Remote Authentication Dial-in User Service (RADIUS) server. IAS
implements the IETF standard RADIUS protocol, which enables use of a
homogeneous or heterogeneous network of dial-up or VPN equipment. RADIUS
and IAS work together to perform centralized connection authentication,
authorization, and accounting (AAA) services for dial-up, VPN remote access,
and router-to-router connections. IAS and RADIUS can also be used in
conjunction with the Windows 2000 Routing and Remote Access service to
provide centralized control over the authentication of users, accounting of their
connection start and stop times, and authorization through the use of remote
access policies.
In large corporate networks, it may be difficult to manage remote user access.
IAS offers many features that allow corporations to manage all remote access
from a single point of administration. The following sections discuss some IAS
features.
Centralized user authentication
When authenticating a user, IAS verifies the credentials of the client computer
that is initiating the connection against an authentication authority. The
authentication authority is a domain controller. Authentication can occur in any
domain that is accessible to Windows 2000. This includes Windows NT 4.0,
Windows 2000 mixed mode and native-mode domains, and any domains that are
accessible through trust relationships.
Point-to-Point Protocol (PPP) is used to send the credentials of a client computer
to the domain controller. PPP is a set of standard authentication protocols that
allow remote access software from different vendors to interoperate.
Authentication protocols are used to determine which level of security validation
the remote access server can perform and the requirements of the server. There
are many PPP authentication protocols that differ in the level of security that is
provided. IAS also allows administrators to plug in arbitrary authentication
methods to meet the network authentication requirements.
Centralized Authorization
IAS determines authorization for a connection request based on the user account
properties and connection parameters. It uses the dial-in properties of a user
account and remote access policies to verify that a user has the correct rights or
permissions.
Remote access policies are a set of conditions that provide flexibility to control
which users are allowed to connect to a network. By default, remote access
policies are stored on the server on which they are created. IAS provides the
ability to centralize the distribution of remote access policies. If a remote access
server is set up as a RADIUS client, all remote access policies on the server will
be ignored and the policies configured on the IAS server will be used instead.
For Windows 2000 IAS servers, remote access policies are administered from
either the RRAS administrator tool, if it is configured for Windows
authentication, or the IAS administrative tool.
Accounting Services
IAS supports RADIUS accounting, which allows IAS to collect, at a single point, the accounting
records that are sent by each network access server (NAS). Accounting services can be
used to track network usage for auditing and billing purposes. IAS can log
information such as logon and logoff records or authentication success and
reject records. RADIUS accounting provides a real-time collection of data that
can be analyzed by other products to provide charge-back, performance, and
exception reports.
In addition to these features, IAS also provides a graphical user interface that can
be used to configure local and remote servers. IAS is scalable. Therefore, it can
be used in a variety of network configurations that differ in size.
Internet Protocol Security
Internet Protocol Security (IPSec) is an architecture that consists of a suite of
protocol standards that are designed for data protection of network traffic. IPSec
provides cryptographic security services between two computers over an insecure
network. These services allow for authentication, integrity, access control, and
confidentiality. Encryption is applied at the IP network layer and is transparent to
most applications. Transparency is possible because applications do not need to
have knowledge of IPSec to be able to use it. Since these services operate at the
IP layer, any higher-layer protocols such as TCP and UDP can use them.
Note: Microsoft and Cisco Systems, Inc. jointly developed the design and integration of
IPSec services and support in Windows 2000. An agreement was made to integrate Cisco
ISAKMP/IKE with the Microsoft IPSec kernel driver. This agreement also involved the
development of an IPSec policy for use with active directory.
IPSec consists of two separate protocols:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
AH provides authentication, integrity, and anti-replay. However, AH does not
encrypt data. As a result, it is used when only the connection needs to be secure,
not the data. In contrast, ESP provides authentication, integrity, anti-replay, and
data encryption. It is used to protect both the connection and the data. Because of
its data encryption capabilities, greater system overhead is associated with ESP.
IPSec consists of three main components:
• Policy Agent
• Internet Key Exchange (IKE) module
• IPSec driver
These three components, in conjunction with other Windows components such as
the TCP/IP driver and cryptoAPI, provide for seamless IPSec functionality in
Windows 2000.
Policy Agent is a service that is loaded at system startup to retrieve an IPSec
policy from the appropriate policy store, which is either the active directory or
the local registry. After the IPSec policy has been obtained, the appropriate
components are distributed to either the IKE module or the IPSec Driver.
The IKE module is started by the Policy Agent service. Its function is to
negotiate Security Associations (SAs) for both ISAKMP Phase I and IPSec Phase
II. These negotiations are based on the authentication and security settings it
receives from the Policy Agent.
The SA is the negotiated set of protocols and parameters that two computers use
to communicate. After the computers have established a secure communications
channel, each will use its own SA to manage the channel. Computers do not
share an SA.
The IPSec Driver uses filters and maintains the status of connections. It receives
the active IP filter list from the IPSec Policy Agent and then matches every
inbound and outbound packet against filters in the list. The IPSec driver uses the
defined filters to determine which packets are permitted, blocked, or secured.
When IPSec is implemented on a Windows computer, the user must first create
an IP security policy. The policy contains security rules that determine how
traffic is protected. A single policy contains many rules, which contain many IP
filters. Only a single policy can be activated on a computer at any given time.
Computer 1 will initiate communications with computer 2. Each computer first
goes through Phase I, which is also called the IKE SA. During the IKE SA process,
the computers authenticate with each other and use ISAKMP/IKE to prove their
identities. In Phase II, IKE begins to negotiate the security protocols that will be
used to set up a secure communications channel between the two computers.
Computer 1 may offer both ESP and AH as the protocols that it will accept.
Computer 2 may be configured to use only the ESP protocol. Therefore, it will
respond with that option. At this point, an agreement is made to use ESP and IKE
will set up the secure channel and pass off the SA to be processed by the IPSec
Driver.
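The two IPSec steps described above, the driver matching packets against its filter list (permit, block, or secure) and the Phase II choice of protocol when computer 1 offers ESP and AH while computer 2 accepts only ESP, as an added example that is not from the page or from Windows 2000. The filter list, addresses and proposal lists are constructed. Two assumptions are made and marked in the code: when several filters match a packet, the most specific one decides, and when no protocol can be agreed the traffic is blocked rather than sent in the clear.

```python
"""IPSec driver filter matching and the Phase II protocol negotiation
described above.

Added example, not Windows 2000 code.  The filter list, addresses and
proposal lists are constructed.  Assumption: when several filters match a
packet, the most specific one (longest source and destination prefixes,
explicit protocol) decides, and a packet matching no filter is blocked.
"""
import ipaddress

PERMIT, BLOCK, SECURE = "permit", "block", "secure"


class Filter:
    def __init__(self, src, dst, proto, action):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto          # None means any protocol
        self.action = action

    def matches(self, src_ip, dst_ip, proto):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.proto is None or self.proto == proto))

    def specificity(self):
        return (self.src.prefixlen + self.dst.prefixlen
                + (1 if self.proto is not None else 0))


# Constructed filter list as the driver would receive it from the Policy Agent.
FILTER_LIST = [
    Filter("10.0.0.0/24", "10.0.1.0/24", None, SECURE),   # inter-subnet traffic must be protected
    Filter("0.0.0.0/0", "10.0.1.5/32", "icmp", PERMIT),   # ping to the server passes in clear
    Filter("0.0.0.0/0", "0.0.0.0/0", None, BLOCK),        # anything else is dropped
]


def classify(src_ip, dst_ip, proto, filters=FILTER_LIST):
    """Action for one packet: the most specific matching filter wins
    (assumption), and no match at all means block."""
    hits = [f for f in filters if f.matches(src_ip, dst_ip, proto)]
    if not hits:
        return BLOCK
    return max(hits, key=Filter.specificity).action


def negotiate_phase2(initiator_offer, responder_accepts):
    """First protocol in the initiator's offer that the responder accepts;
    None means Phase II fails and no SA is created."""
    for proto in initiator_offer:
        if proto in responder_accepts:
            return proto
    return None


def handle_packet(src_ip, dst_ip, proto, initiator_offer, responder_accepts):
    """Both steps together: only traffic classified SECURE triggers IKE.
    Assumption: a failed negotiation blocks the traffic, with no fallback
    to unprotected communication."""
    action = classify(src_ip, dst_ip, proto)
    if action != SECURE:
        return action, None
    agreed = negotiate_phase2(initiator_offer, responder_accepts)
    return (SECURE, agreed) if agreed else (BLOCK, None)
```

The example goes slightly beyond the text's single case: a ping from inside the 10.0.0.0/24 subnet to the server hits both the subnet filter and the ICMP filter, and the more specific subnet filter wins, so that traffic is still secured while a ping from an outside address is merely permitted.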