
Windows 2000 Security
This chapter starts you off with a discussion on the need for powerful distributed security before introducing you to the specifics of Windows 2000 distributed security services. It also reviews the new Windows 2000 security protocols, and protection of services and data.
Windows 2000 Security
While the new era of computing and Windows 2000 will bring forth many benefits, it will also herald dastardly attempts to rob you, beat you up, and shut you down. There are many forces out there that have only one thing on their evil minds, and that is to find any way to break into your network to plunder and pillage.
Before you start building your new corporate infrastructure around Windows 2000, it will pay for you to become thoroughly versed in the security mechanisms the operating system offers and how to go about locking down your assets. Without a doubt, it is probably the most secure operating system available today. Not only has it inherited the Windows NT C2 security compliance, which was a ton of work for Microsoft and set the stage for a secure Windows 2000, but also, if there were showbiz awards for security, Windows 2000 would clean up at the Oscars, the Golden Globes, the Grammys, and more. But before we get into Windows 2000 security specifics, let’s look at the problem holistically, then you can evaluate your current security status before devising a security plan.
You have probably heard the term everywhere, so what does C2 security mean to you, the network or server administrator? Absolutely nothing. C2 security is nothing more than a U.S.

compliant. This means locking down objects, setting up audit trails, creating user accounts with secure password philosophy, and so on. Only when a machine has been fully locked down can it be rated as C2-compliant . . . no matter if it’s a washing machine or a file server.
C2 security meant a lot to Windows NT, and whatever hoops and hurdles Microsoft went through and over to gain C2 security is not lost in Windows 2000. However, we are now playing away from home . . . the field is the Internet, and the game is e-commerce. You have high-powered security protocols to configure, and you have lots more room to drop the ball.
Another reason that C2 is not important to you is that, as mentioned earlier, out of the box Windows 2000 is as locked down as the space above your head. You have to lock down every aspect of it; the network is only as secure as you make it. If Windows 2000 is not properly configured, claiming awards like C2 will not get you out of a jam when a hacker pulls your pants down on the Internet. We know we are being blunt, but security is part of the day-to-day life of a network administrator. If you don’t have a security problem, you don’t have a network.
The Need for Security
If you are new to network administration in general and Windows 2000 (and NT) in particular, then before you devise a security plan, you need to understand the risks to your network and yourself. Unless you plan to hire a security expert, you will probably have to come up with a plan yourself. Chances are your company will ask this of you . . . your superior will assume that you are well versed in the subject. If you are well versed in the security threat, you can skip this part and go directly to the section titled “Rising to the Challenge.”
A company’s data is its lifeblood, and it needs to be vigorously protected. As the network administrator, you will be required to ensure that data is kept confidential and that it can be relied upon. There are numerous mechanisms in place to assist you with respect to data integrity and confidentiality, and they range from sensible access control policy to encryption, backup, and availability.

pany secrets, employee secrets, product plans, financial situation, strategy, and so forth. This level of threat is the most virulent. The attackers have strong motives to get the attack under way and to ensure they succeed. The attackers do not want to be discovered and will continue to hide in your environment as long as they need to. The damage is often irreparable if the attackers are undiscovered. This is the most difficult form of attack to counter because, for the most part, you do not know where they are hitting you or why.
While bugging devices and spying are not usually the responsibility of the network or server administrator, espionage via the network is becoming more probable every day because it is so easy and it is where all the jewels are located.
4667-8 ch03.f.qc 5/15/00 1:57 PM Page 67
68
Part I ✦ Windows 2000 Server Architecture
Over the network, hackers will read files and e-mail, and try to log in to databases wherever they can to steal credit card numbers, bank account numbers, and so forth. An attacker can, for example, find out the password of your voice mail system and then listen to your messages.
2. Denial of Service (DoS): These attackers are intent on destroying you. They can attack your physical premises or locations, which is becoming harder to do all the time, or they can target your network, which is becoming easier to do because you are connected to the Internet or because you provide users with remote access. This is fast becoming the favored means of attack for stopping your work: firstly, because of the dependency your company has on the network, and secondly, because the attacker does not need to be physically present for the attack.
DoS attacks are made by flooding your network portal (targeting your gateway to the Internet) with massive floods of e-mail, or with SYN attacks, which are the low-level communication barrages that suck up all the server’s resources, finally causing it to crash. Sometimes the objective is to crash the server just

Chapter 3 ✦ Windows 2000 Security
✦ The internal environment: The threat comes from people who have a relationship with the company, from employees to contractors to customers. The attack usually comes from the inside. In some cases, it comes from the outside, with inside information. Other times, the threat is not born out of revenge or criminal intent, but ignorance.
The External Environment
Not too long ago, the only way to threaten or attack an organization, its people, or its business was through some sort of physical act. This is no longer the case. It costs far less money and is much safer for a hacker to stay in a safe haven and attempt to break into a network through a RAS portal or connection to the Internet. For many, it means the possibility of financial reward; for others, it has to do with some form of demented feeling of achievement.
Now that many small companies can afford dedicated connections to the Internet, the pickings have become very attractive. While we have not yet realized the paperless office, almost all data is placed on the network in share-points and databases. The network and server storage silos are thus loaded with valuable information.
Attackers also no longer need to proactively choose their targets. They create hostile code that gets inadvertently downloaded from the Internet and gets executed by a number of mechanisms, from rebooting to the mere act of unzipping a file. The code then can gather intelligence and send it to its master. It is therefore essential that you establish policy to ensure that code downloaded from the Internet is authenticated and signed with the digital signature (a public key) of a trusted software publisher.
E-mail is now very much tangible property, and it can be used in court cases as evidence and as a source of information that can be used to plan an attack on a person or an organization. We all communicate more by e-mail than we do by snail mail, yet e-mail is treated like a postcard. We do not enclose our messages in an envelope and seal it. We just put it in the mail for anyone to look at.
E-mail needs to be secured on two levels. We need to be sure that the people with

nizations from smuggling out the software.
And as for the comparison with UNIX, UNIX systems are more at risk today than Windows 2000. Since the UNIX source code is open for all to see, many hackers can read the code to look for weak points and plot their attacks. Server for server, there are still more UNIX machines on the Internet than Windows NT or Windows 2000 machines. On Windows NT, hackers resort to scanning network communications to look for information with which to replay attacks. Data interception was and still is a common form of attack against an NT network.
For Windows 2000 to compete and even excel over the competition in the risky and exposed world of e-commerce, it needed to be the most secure operating system. The following sections explore the standard Windows 2000 security mechanisms Microsoft has implemented in Windows 2000:
✦ Kerberos
✦ IPSec
✦ PKI
✦ NT LAN Manager (NTLM)
Note: All the fancy encryption algorithms you use will be useless if your server stands in the middle of an open-plan office for anyone to plunder or sneak out. Unless a server or key systems and data storage are locked up behind secured barriers, you might as well forget the rest of this chapter.
Before you tackle the protocols, you need to get up to speed on the cloak-and-dagger stuff.
Encryption 101
This is a true story. A man walked into a diner one morning and ordered fried eggs. When the eggs were delivered, he changed his mind and advised the waitress that he had ordered scrambled eggs. The waitress, peeved at the cheek of the client,

Cryptography
Cryptography dates back more than 4,000 years. Over the past millennia, it has protected many a culture’s communications and has brought them through wars, treaties with neighbors, and more.
In recent years, electronic data communications have escalated to such volume and importance in our lives that without electronic or digital cryptography we would not be able to continue on our logical course.
In fact, we owe our computerized environment to cryptography. If you have time during the locking down of your networks, you should read the biography of Alan Turing, who directed the British to build the first digital computers to break the German Enigma code.
Pretty Good Privacy (PGP) is a software program written originally and distributed illegally for no financial gain by Phil Zimmermann, who believed that the cryptography algorithms that were being protected by patents should be made public property . . . worldwide. He created PGP back in 1991, and over the years, it was disseminated around the world on the “undernet.” Even though its export was expressly forbidden by the U.S. government’s International Traffic in Arms Regulations, which classified his software as a munition, it became available everywhere on bulletin board systems and the first pioneer sites of the World Wide Web. In the last decade, PGP was pretty much the only means of securing data and communications on the Internet and corporate networks of the world.
But encrypting data always required a user to make an effort to secure communications. Lethargy and lack of knowledge have always left room for error and holes. Only with the incorporation of the encryption algorithms in the very core of the operating systems and standards-based network protocols would encryption become as pervasive and as transparent as air.
We have come a long way since Phil Zimmermann risked detention to make the slo-

wrong hands, then all bets are off. But it can be used in network authentication where the compromising of a key is highly unlikely.
Public Keys
Public key encryption uses two keys. One key is public, and the other is private. Both keys can encrypt data, but only the private key can decrypt the data. To be pervasive, the technology depends on a public key infrastructure (PKI), which Windows 2000 now supports (more about PKI later).
A mathematical process is used to generate the two keys, and the keys are related to each other by the product of that mathematical process. So the message encrypted with one key can be decrypted only with the other. This is how it works:
You want to send an encrypted message. The receiver has a public key, which he or she makes publicly available for encrypting messages. You encrypt the message using the public key and send it. When the receiver gets your message, he or she can decrypt it using the private key, which is mathematically related to the public key. No one, including you, can decrypt the message with the public key.
It goes without saying that the private key must be closely held or your messages will be compromised.
Session Keys
The chief problem in making public keys widely available is that the encryption algorithms used to generate public keys are too slow for the majority of just-in-time communications (there are numerous algorithms used to create the keys, but the technology is beyond the scope of this book). For this reason, a simpler session key is generated, and it in turn holds the “key” to the encrypted data.
1. A session key is randomly generated for every communication that requires encryption. A key distribution authority (or the originator of the communication, or a vouchsafe process) creates the session key for the communication or message.

Digital signatures are thus used to authenticate the sender, to legally bind parties in digital transactions, to authenticate content, and to be sure that content has not been changed or tampered with in any way.
Windows 2000 makes wide use of the encryption mechanics described above. One of the most important implementations is in the use of the Kerberos protocol, which is now the most important means of authentication and protection of data in not only Windows 2000, but also all major operating systems.
Kerberos
What if we told you that every time you come to work you have to go to a certain security officer who signs you in and issues you a clip-on tag that allows you to enter the building and go to your desk, but do nothing else? And that you had to check in with the officer every hour to renew your tag?
What if you then needed to go to this person for a new tag every time you needed to access a resource in the company, such as the file room or the copier machine? And then what would you think if we told you that you have to present this tag to guards that protect each resource so that they can verify that you are legitimate?
You’d say, “Wow, this is overkill. Why is security so tight here?” It would probably be hard to work in such an environment. But what if several companies, or a whole city, adopted such stringent security practices? Life in the city would be so secure that companies would be able to trust each other enough to share resources. But for all intents and purposes, it would still be hard to work in such an environment.
Yet, this is precisely how Kerberos works. The only difference is that the security check-ins and tag issues are handled transparently by the underlying protocols, and everything takes place in network transmissions. The user is oblivious to what is going on under the network hood.
Kerberos is based on a system of tickets, which are packets of encrypted data that are issued by a Key Distribution Center (KDC), the security officer we just mentioned. This ticket is your “passport” and carries with it a myriad of security infor-

Also, trusts between heterogeneous networks are not as transparent as the trusts between Active Directory domains, in which the domain controllers can explicitly vouch for the users. Trusts between Windows 2000 forests, Windows 2000 and Windows NT, and Windows 2000 and other realms involve manual setup between each domain’s or realm’s respective administrator. The process that takes place in the UNIX or IRIX realm may be very different from the setup that takes place between Windows 2000 realms.
When planning the physical layout of the network, if you have multiple domains that communicate across a WAN, you will need to establish shortcuts or the best possible routes that ticket transmission can use to move from realm to realm. Shortcuts may be required so that authentication does not become bogged down in network traffic over a small pipe.
Note: If authentication is slow due to slow links between networks, you may have a good reason to establish the site as a new domain. For more information on deciding when to create a new domain, check out Chapter 7.
Kerberos is, however, a very fast protocol and is an ideal environment for implementing the Single Sign-On paradigm in network authentication.
Kerberos and the Single Sign-On Initiative
Single Sign-On is long overdue. From a security angle, it provides tremendous benefits. If a user has six or seven passwords, it means he or she has six or seven more opportunities to compromise security. Many people are so sick of the different passwords they have to deal with that they would rather not have a password. This is a problem in systems where the password creation and application is in the hands