Planning Distributed Security
The following concepts are useful in describing distributed security strategies under Windows 2000. You might also find it useful to include them in your security plan to familiarize readers with distributed security.
Windows 2000 security is based on a simple model of authentication and authorization that uses Microsoft® Active Directory™ directory service. Authentication identifies the user when the user logs on and when the user makes network connections to services. Once identified, the user is authorized access to a specific set of network resources based on permissions. Authorization takes place through the mechanism of access control, using access control lists (ACLs) that define permissions on file systems, network file and print shares, and entries in Active Directory.
In Windows 2000, a domain is a collection of network objects, such as user accounts, groups, and computers, that share a common directory database with respect to security. A domain identifies a security authority and forms a boundary of security with consistent internal policies and explicit security relationships to other domains.
A trust is a logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. A transitive trust extends this across a chain of trust relationships: if domain A trusts domain B and domain B trusts domain C, then domain A also trusts domain C. In Windows 2000, trusts between domains in the same forest are two-way and transitive and use the Kerberos v5 protocol; explicit trusts to Windows NT 4.0 domains are one-way and nontransitive and use NTLM authentication for backward compatibility.
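The chain-of-trust rule above can be checked mechanically. The following Python is an added example, not Resource Kit code: it models a small forest (constructed domain names) plus one explicit, nontransitive trust to a Windows NT 4.0 domain, and searches for a chain along which the resource's domain honors the account's domain. A nontransitive trust can only be the direct hop from the resource domain; it never carries authentication further.

```python
"""Resolve whether a resource domain honors logons from an account domain
through a chain of trusts.  Added example with constructed domain names;
not code from the Windows 2000 Resource Kit."""
from collections import deque

# Each entry: (trusting_domain, trusted_domain, transitive).
# The trusting domain honors logons from the trusted domain.  Two-way
# transitive forest trusts appear once per direction; the explicit
# trust to the NT 4.0 domain "NT4LEGACY" (constructed) is one-way and
# nontransitive.
TRUSTS = [
    ("corp.example.com", "example.com", True),
    ("example.com", "corp.example.com", True),
    ("eu.example.com", "example.com", True),
    ("example.com", "eu.example.com", True),
    ("corp.example.com", "NT4LEGACY", False),
]


def trust_path(resource_domain, account_domain, trusts=TRUSTS):
    """Return the list of domains from resource_domain to account_domain
    along which each domain trusts the next, or None if no such chain
    exists.  Only transitive trusts may be traversed as intermediate
    hops; a nontransitive trust is usable solely as the direct hop
    from the resource domain."""
    if resource_domain == account_domain:
        return [resource_domain]
    queue = deque([(resource_domain, [resource_domain])])
    seen = {resource_domain}
    while queue:
        domain, path = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting != domain or trusted in seen:
                continue
            if not transitive and domain != resource_domain:
                continue  # a nontransitive trust does not flow through another domain
            new_path = path + [trusted]
            if trusted == account_domain:
                return new_path
            if transitive:
                seen.add(trusted)
                queue.append((trusted, new_path))
    return None


if __name__ == "__main__":
    print(trust_path("eu.example.com", "corp.example.com"))  # via example.com
    print(trust_path("eu.example.com", "NT4LEGACY"))          # None: NT4 trust is nontransitive
    print(trust_path("NT4LEGACY", "corp.example.com"))        # None: trust is one-way
```

Reversing the arguments shows the one-way nature of the NT 4.0 trust: corp.example.com honors NT4LEGACY logons, but not the other way round.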
Security policy settings define the security behavior of the system. Through the use of Group Policy objects in Active Directory, administrators can centrally apply explicit security profiles to various classes of computers in the enterprise. For example, Windows 2000 comes with a default Group Policy object called Default Domain Controllers Policy that governs the security behavior of domain controllers.
Security Configuration and Analysis, a feature of Windows 2000, offers the ability to compare the security settings of a computer to a standard template, view the results, and resolve any discrepancies revealed by the analysis. You can also import a security template into a Group Policy object and apply that security profile to many computers at once. Windows 2000 contains several predefined security templates appropriate to various levels of security and to different types of clients and servers on the network.
Also called secret key encryption, symmetric key encryption uses the same key to encrypt and decrypt the data. It provides rapid processing of data and is used in many forms of data encryption for networks and file systems.
Public key encryption uses two keys, one public and one private. Data encrypted with either key can be decrypted only with the other. This technology opens up numerous security strategies and is the basis for several Windows 2000 security features. These features depend on a public key infrastructure (PKI). For more information about PKI, see "Planning Your Public Key Infrastructure" in this book.
Authentication confirms the identity of any user trying to log on to a domain or to access network resources. Windows 2000 authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the client computer once, using a single password or smart card, and authenticate to any computer in the domain. Authentication in Windows 2000 is implemented by using the Kerberos v5 protocol, NTLM authentication, or the Windows NT logon feature for Windows NT 4.0 domains.
Users dislike having to authenticate separately to multiple network servers and applications. A user might have to provide separate passwords to log on to the local computer, to access a file or print server, to send an e-mail, to use a database, and so forth. Different servers can demand a change of password at different intervals, often with no reuse permitted; so a typical user might be required to remember half a dozen passwords. Not only is authentication tedious for the user, but at some point, users begin to write down a list of current passwords. In this way, a multiple-authentication network can become vulnerable to identity interception.
The single sign-on strategy makes a user authenticate interactively once and then permits authenticated sign-on to other network applications and devices. These subsequent authentication events are transparent to the user.
Two-factor authentication requires users to present something they have, a physical object that encodes their identity, plus something they know, a password or PIN. The most common example of two-factor authentication is the automated teller machine (ATM) card that requires a personal identification number (PIN).
Biometric identification is another form of two-factor authentication. A special device scans the user's handprint, thumbprint, iris, retina, or voiceprint in place of an access card. Then the user enters the equivalent of a password. This approach is expensive but it makes identity interception and masquerading very difficult.
For business enterprises, the emerging two-factor technology is the smart card. This card is not much larger than an ATM card and is physically carried by the user. It contains a chip that stores a digital certificate and the user's private key. The user enters a password or PIN after inserting the card into a card reader at the client computer. Because the private key is carried on a chip in the user's pocket, it is very hard for a network intruder to steal. Windows 2000 directly supports smart card authentication.
Access control is the model for implementing authorization. After a user has authenticated to a domain and attempts to access a resource, such as a network file, the type of operation permitted is determined by the permissions that are attached to the resource, such as read-only or read/write. Access control in Windows 2000 is implemented by using object-specific ACLs. You can view an ACL on the Security tab of the property sheet of a file or folder. The list contains access control entries that allow or deny specific rights to users and groups; an entry that denies access takes precedence over an entry that allows it.
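The following Python is an added example, not Resource Kit code, that models how a Windows-style access check evaluates an ACL: the entries are walked in canonical order (explicit deny entries before explicit allow entries), rights granted by matching allow entries are accumulated, and a matching deny entry for any requested right fails the check immediately. The rights values, group names, and the distinction between a missing ACL (everyone has full access) and an empty ACL (nobody has access) follow the Windows model, but the mask constants here are constructed for illustration.

```python
"""Simplified Windows-style access check over an ACL.  Added example, not
code from the Windows 2000 Resource Kit.  Right masks and trustee names are
constructed; the evaluation order is the one Windows uses for a canonical
DACL (explicit denies before explicit allows)."""
from dataclasses import dataclass

# Constructed right masks (real Windows access masks differ).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass
class Ace:
    allow: bool    # True for an access-allowed entry, False for access-denied
    trustee: str   # user or group name that the entry applies to
    mask: int      # rights the entry grants or denies


def canonical(acl):
    """Place explicit deny entries before explicit allow entries, as the
    Windows ACL editor does when it writes a DACL."""
    return sorted(acl, key=lambda ace: ace.allow)


def access_check(acl, token, requested):
    """token: the set of names the user's access token carries (the user
    plus every group it belongs to).  Returns True only if every requested
    right is granted by allow entries before any deny entry matches."""
    if acl is None:
        return True          # no DACL at all: everyone has full access
    granted = 0
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue         # entry does not apply to this user
        if not ace.allow and ace.mask & requested:
            return False     # a denied requested right fails the whole check
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False             # empty DACL or insufficient allow entries


# Constructed ACL on a file share: domain users may read, the Finance
# group has full control, but contractors are explicitly denied write.
SHARE_ACL = [
    Ace(True, "Domain Users", READ),
    Ace(True, "Finance", FULL),
    Ace(False, "Contractors", WRITE),
]

if __name__ == "__main__":
    alice = {"alice", "Domain Users", "Finance"}
    bob = {"bob", "Domain Users", "Finance", "Contractors"}
    print(access_check(SHARE_ACL, alice, WRITE))  # True
    print(access_check(SHARE_ACL, bob, WRITE))    # False: deny wins over Finance allow
    print(access_check(SHARE_ACL, bob, READ))     # True
```

Bob is a member of Finance, which has full control, yet the Contractors deny entry is evaluated first and blocks the write. This is why "deny" entries should be used sparingly: they override every allow entry for the same right, including ones inherited through other group memberships.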
Ensuring data integrity means protecting data against malicious or accidental modification. For stored data, this means that only authorized users can edit, overwrite, or delete the data. On a network, this means that each packet carries a message authentication code or digital signature computed over its contents, so that the recipient computer can detect tampering.
A strategy of data confidentiality means to encrypt data before it passes through the network and to decrypt it afterward. This strategy prevents data from being read by someone eavesdropping on the network (data interception). A packet of nonencrypted data that is transmitted across a network can be easily viewed from any computer on the network by using a packet-sniffing program downloaded from the Internet.
There are two parts to a nonrepudiation strategy. The first is to establish that a message was sent by a specific user, who cannot disavow it. The second part is to ensure that the message could not have been sent by anyone masquerading as the user.
This is another application of public key infrastructure. The sender's private key is used to compute a digital signature over the message (in practice, over a cryptographic hash of it). If the signature verifies with the sender's public key, the message could have been signed only by the holder of the corresponding private key. Nonrepudiation therefore depends on that private key never being shared or compromised, which is one reason to keep it on a smart card.
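The hash-then-sign mechanism behind the integrity, nonrepudiation, and code-signing discussions above, as an added example that is not part of the Resource Kit. It uses textbook RSA implemented with the Python standard library only: key generation with a Miller-Rabin primality test, signing of a SHA-256 digest with the private key, and verification with the public key. It then shows the two failure modes the text describes, a tampered message and a masquerader signing with a different private key. The key size and the lack of signature padding are deliberate simplifications for illustration; production code uses a vetted library, PKCS#1 padding, and 2048-bit or larger keys.

```python
"""Hash-then-sign with textbook RSA, standard library only.  Added example,
not Resource Kit code.  Toy key size and unpadded signatures: illustration
only, never use as-is."""
import hashlib
import random
from math import gcd


def _probably_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top and low bit
        if _probably_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): public key and private key.  Requires
    Python 3.8+ for pow(e, -1, phi)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n, d = p * q, pow(e, -1, phi)
    return (n, e), (n, d)


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Signature = hash(message) ^ d mod n; only the private key holder can compute it."""
    n, d = private_key
    return pow(_digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check signature ^ e mod n == hash(message)."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message) % n


def demo():
    random.seed(7)  # fixed seed so the example is reproducible; never do this for real keys
    alice_pub, alice_priv = generate_keypair()
    _, mallory_priv = generate_keypair()
    message = b"Transfer 100 to account 42"   # constructed message
    signature = sign(alice_priv, message)
    return {
        "genuine": verify(alice_pub, message, signature),
        "tampered": verify(alice_pub, b"Transfer 900 to account 42", signature),
        "masquerade": verify(alice_pub, message, sign(mallory_priv, message)),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'masquerade': False}
```

The "masquerade" case is the second half of the nonrepudiation requirement: Mallory can produce a valid-looking signature with her own private key, but it does not verify under Alice's public key, so a recipient who has Alice's certificate is not fooled. The same check, applied to an executable instead of a message, is what a browser performs before running signed code.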
This strategy requires that code downloaded from the Internet be signed with the digital signature of a trusted software publisher. You can configure Web browsers to avoid running unsigned code. Note that software signing proves that the code is authentic, meaning it has not been tampered with after publication. It does not guarantee that the code is safe to run. You have to decide which software publishers to trust. (The digital signature on the executable file is another example of public key infrastructure.)
Auditing user account management as well as access to important network resources is an important security policy. Auditing leaves a trail of network operations, showing what was attempted and by whom. Not only does this help to detect intrusion, but the logs become legal evidence if the intruder is caught and prosecuted. Finally, finding and deleting or modifying the audit logs poses an additional time-consuming task for the sophisticated intruder, making detection and intervention easier.
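The audit trail is only useful if someone reads it, so here is an added example, not Resource Kit code, of detection logic run over a few constructed audit records. The records use a simplified one-line format (not the real Event Viewer export format) but carry the event IDs Windows 2000 writes to the Security log: 529 for a failed logon with a bad user name or password, 528 for a successful logon, 517 when the audit log is cleared, and 624 when a user account is created. The detector flags a burst of failed logons from one source, any clearing of the audit log (the cover-up step the paragraph describes), and account creation by anyone outside a constructed list of administrators.

```python
"""Detection logic over constructed Windows 2000 security audit records.
Added example, not Resource Kit code.  Line format is simplified and
constructed; the event IDs are the ones Windows 2000 records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failed logons in ten seconds, then a success,
# then the audit log is cleared and a new account appears.
SAMPLE_LOG = """\
2000-03-14 08:59:01 DC1 529 user=jsmith src=10.0.0.45
2000-03-14 08:59:03 DC1 529 user=jsmith src=10.0.0.45
2000-03-14 08:59:05 DC1 529 user=jsmith src=10.0.0.45
2000-03-14 08:59:08 DC1 529 user=jsmith src=10.0.0.45
2000-03-14 08:59:11 DC1 529 user=jsmith src=10.0.0.45
2000-03-14 09:00:30 DC1 528 user=jsmith src=10.0.0.45
2000-03-14 09:02:10 DC1 517 user=jsmith src=10.0.0.45
2000-03-14 09:03:00 DC1 624 user=jsmith src=10.0.0.45 new=svc_backup
2000-03-14 09:10:00 DC1 529 user=mlee src=10.0.0.77
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\d+) (.*)$")


def parse(text):
    """Turn each line into a dict with time, host, id and the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(4).split())
        events.append({"time": when, "host": m.group(2), "id": int(m.group(3)), **fields})
    return events


def detect(events, threshold=5, window=timedelta(seconds=60),
           admins=frozenset({"administrator"})):
    """Return (rule, subject, time) tuples for suspicious activity."""
    alerts = []
    failures = defaultdict(list)  # source address -> recent 529 timestamps
    for ev in events:
        if ev["id"] == 529:
            recent = failures[ev["src"]]
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > window:
                recent.pop(0)  # forget failures outside the sliding window
            if len(recent) == threshold:
                alerts.append(("password-guessing", ev["src"], ev["time"]))
        elif ev["id"] == 517:
            alerts.append(("audit-log-cleared", ev["user"], ev["time"]))
        elif ev["id"] == 624 and ev["user"].lower() not in admins:
            alerts.append(("account-created-by-non-admin", ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Event 517 is itself recorded in the fresh log after a clear, so even an intruder who wipes the trail leaves a marker of having done so, which is why forwarding audit events to a separate collector as they occur is worth the effort.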
It goes without saying that critical enterprise network servers need to reside in locked facilities. If intruders can sit down at the network server console, they might be able to take control of the network server. If critical network servers are not physically secure, a disgruntled employee can damage your hardware by using a simple, old-fashioned tool, such as a hammer. Your data is also open to physical attack: every novice user knows how to press the delete key. Damage from such intrusions can result in just as much loss of data and downtime as a more sophisticated, external attack on your network. Attacks on the network do not have to be sophisticated to be effective.
The best defense against a social engineering attack is to educate your users about keeping their passwords confidential and secure. Business policies about distribution of critical information need to be clearly stated. Publish a security policy and require everyone to follow it. One way to educate is by example: make sure that your IT professionals protect their passwords and that they encourage users to protect theirs too.