Professional Documents
Culture Documents
Books
Contents
Chapter 5 Windows Server 2003 Security Enhancements . . . . . . . . . . . . . 81
Securing the Wire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Shoring Up with SMB Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Win98 Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
NT 4.0 Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Win95 Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Manipulating the Servers to Not Require SMB Signing . . . . . . . . . . . . . . . . . . . . . 85
Shoring Up with Secure Channel Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Shoring Up with LDAP Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Shoring Up by Eliminating NTLM and LM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Enabling NTLMv2 Authentication at the Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
NTLMv2 for NT 4.0 Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
NTLMv2 for Win9x Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Disabling NTLM and LM at the Domain Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
ACL Viewing and Editing Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Security Principals Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Schema Updates and Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Next: Backup, Restore, and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
81
Chapter 5:
Figure 5.1
Warnings about downlevel machines
The screen in Figure 5.1 indicates that you might have problems with older downlevel machines.
The good news is that connections to every Windows 2003 share will be “signed” (i.e., authenticated)
each time a client makes a connection. Indeed, each SMB packet carries a unique signature that the
recipient validates. Therefore, malicious users can’t pretend to be what they’re not.
The bad news, however, is twofold. First, older downlevel clients will fail to connect because
they can’t “speak” the revised protocol’s language. Second, when clients can use SMB signing, it will
slow connections down a bit, probably by 10 percent to 15 percent.
The real problem, however, is that because older downlevel clients can’t perform SMB signing,
they can’t log on. To log on to the network, each client must connect to a domain controller’s (DC’s)
Netlogon share. Therefore, each client must be able to perform SMB signing to that Netlogon share to
validate to the network. Clients that can’t perform SMB signing are out of luck. Because Windows 98
can respond to SMB signing, you’ll only need to troubleshoot problems. Also, you can make changes
to address SMB signing for Windows NT 4.0 and Windows 95 clients.
Win98 Clients
Win98 clients, by default, can respond to SMB signing requests. This capability means that you don’t
have to change or set up anything on your Win98 clients for them to participate in domains with
Windows 2003 DCs.
However, if you have one or two Win98 clients that can’t log on to Windows 2003 DCs or
connect to Windows 2003 shares, the client’s ability to respond to SMB signing might be disabled.
To turn off a Win98 machine’s ability to respond to SMB signing, someone must manually add a
registry value.
Therefore, if you suspect a Win98 machine isn’t responding to SMB signing requests, you’ll need
to dive into the registry and look for the addition of either of two registry settings.
Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNetsup
subkey and look for an EnableSecuritySignature value of type REG_DWORD. The default is that this
value is absent, which means SMB signing is enabled. To turn off SMB signing, you would create this
value and set it to 0. Therefore, to re-enable SMB signing, set the value to 1 (Enable). The client will
then respond to SMB signing.
Also, look for an RequireSecuritySignature value of type REG_DWORD. The default is 0.
Manually setting the value to 1 (Enable) requires that all SMB traffic be signed.
Again, you’re checking to see whether someone has created these values. If they exist, someone
might well have specifically disabled a machine’s ability to respond to SMB signing.
NT 4.0 Clients
NT 4.0 Service Pack 3 (SP3) clients won’t perform SMB signing by default. You’ll have to enable SMB
signing through the registry, as I discuss below.
If you’ve already loaded your NT 4.0 clients with SP4 or later – the clients can by default respond
to SMB signing requests. Therefore, you won’t need to set up or change anything on your NT 4.0 SP4
clients to have them participate in domains with Windows 2003 DCs.
However, if you have one or two NT 4.0 clients with SP4 that can’t log on to Windows 2003 DCs
or connect to Windows 2003 shares, someone might have disabled the machines’ ability to respond
to SMB signing – in much the same way that I discussed relative to Win98.
Enabling SMB signing on NT 4.0 SP3 machines and troubleshooting NT 4.0 SP4 or later machines
that aren’t responding to SMB signing requests involves the same two registry values. For NT 4.0 SP3
machines, if the values don’t exist, you’ll create them, then set both values to enable SMB signing. If
the values do exist, set them to enable the feature. For NT 4.0 SP4 or later machines, you might
create and set or re-set the values to re-enable the feature.
Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer
\Parameters subkey and look for an EnableSecuritySignature value of type REG_DWORD. The default
is that the value is absent, which means that the client will respond to SMB signing. A value of 0
means the client won’t respond to SMB signing. To enable or re-enable SMB signing, set the value
to 1 (Enable) – the client will then respond to SMB signing.
Also, look for a RequireSecuritySignature value of type REG_DWORD. The default is 0. Manually
setting the value to 1 (Enable) requires that all SMB traffic be signed.
Win95 Clients
As the Active Directory Installation Wizard screen in Figure 5.1 indicated, Win95 clients can’t log on
to Windows 2003 DCs. If Win95 clients attempt to log on, they get the message that Figure 5.2
shows.
Figure 5.2
Message returned if a Win95 client attempts to log on to a Windows 2003 network
To get your Win95 clients up to speed, you’ll need to load the Active Directory Client Extension
(ADC; aka Directory Service Client – DS Client). The DS Client apparently isn’t on the Windows 2003
CD, but you can find it on any Win2K CD-ROM, in the \CLIENTS\Win9x directory. To run
DSClient.exe, you’ll need to have Internet Explorer (IE) 4.0 or later loaded. Figure 5.3 shows the
Directory Service Client Setup Wizard that you can use to load DS Client onto Win95.
Figure 5.3
Directory Service Client Setup Wizard
After you load the DS Client, Win95 machines won’t need any additional registry settings to
respond to SMB-signed traffic. In other words, just load the DS Client on your Win95 clients, and
you’re “in like Flynn.”
and you still need to have your clients log on to Windows 2003 DCs and connect to Windows 2003
file shares? You have a final option: You can configure the domain to not require SMB signing.
However, this approach is definitely a “last resort” because it really decreases the intended security.
Nevertheless, if you must disable SMB signing, click Start, Programs, Domain Controller Security
Policy. Navigate to Windows Settings\Security Settings\Local Policies\Security Options. Locate
Microsoft network server: Digitally sign communications (always), which Figure 5.4 shows. With the
Define this policy setting check box selected, change the default from Enabled to Disabled.
Figure 5.4
Disabling SMB signing
j Tip
Even if you need to disable SMB signing as described above, you can still leave the sister policy,
Microsoft network server: Digitally sign communications (if client agrees), enabled without
penalty. This setting lets clients and servers that can use SMB signing do so.
Figure 5.5
Disabling secure channel signing
j Tip
For more information and to see which specific applets inside the Windows 2003
administration tools explicitly use LDAP signing, go to Knowledge Base article Q325465,
“Windows 2000 Domain Controllers Require SP3 or Later When Using Windows Server 2003
Administration Tool,” at the Microsoft Product Support Services (PSS) URL below:
http://support.microsoft.com/?kbid=325465
The upshot is that the only two secure mechanisms for password validation are Kerberos and
NTLMv2. If intruders intend to capture traffic on the wire – and the traffic includes NTLM and LM
traffic from NT 4.0 SP3 and earlier or from Win9X – they would soon have the passwords that rely
on the weaker authentication methods.
My suggestion if you have mixed downlevel clients is to accept the default Windows 2003
security – and harden your overall security significantly by eliminating NTLM and LM authentication.
Eliminating the weaker authentication methods could be the most important security step for your
Windows 2003 network.
To eliminate NTLM and LM authentication, follow these steps:
1. Update the client software. For NT 4.0 machines, load SP4. For Win9X machines, load the
AD client, as I described previously.
2. Enable NTLMv2 authentication on the client.
3. At the domain level, refuse NTLM and LM authentication traffic; accept only Kerberos and
NTLMv2 traffic.
j Tip
You can set additional registry options at this time. For more information, read the Knowledge
Base article Q147706, “How to Disable LM Authentication on Windows NT,” at the URL
below.
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb
/articles/q147/7/06.asp&NoWebContent=1
j Tip
You can set additional registry options at this time. For more information, read the Knowledge
Base article Q239869, “How to Enable NTLM 2 Authentication,” at the URL below.
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb
/articles/q239/8/69.asp&nowebcontent=1
Figure 5.6
Defining authentication levels
d Caution
If you disable NTLM and LM responses, you lock out clients that support only those
authentication methods, including Macintosh clients and Services for UNIX (SFU) clients. The
disabling could also be harmful to alternate authentication methods such as Win2K Routing and
Remote Access Service (RRAS); Cisco, Shiva, or Ascend dial-in modems; and other products
that use Windows authentication. Such products might rely on NTLM or LM authentication.
Additionally, although it’s not strictly necessary, it’s also good to expunge the recorded traces of
LM passwords from your DCs. You can do so by selecting the Group Policy Network security: Do
not store LAN Manager hash value on next password change policy, which Figure 5.7 shows. With
the Define this policy setting check box selected, you define and enable the policy.
Figure 5.7
Eliminating LM password hash values from DCs
After you’ve enabled this policy, the AD doesn’t store the LM values when users’ passwords are
changed. If a DC is compromised, no one will be able to use the values to gain access.
Figure 5.8
Overview of Win2K and Windows 2003 inheritance
Inherited
Joe User
Sales
In
he
Directory2
rit
ed
Joe User
Marketing
Directory3
In Win2K, however, it was difficult to determine the effective permissions in a lower directory.
Effective permissions come into play whenever a user or group might have explicit permissions and
inherited permissions. How can you know what the effective permissions are?
For example, consider Directory 2 in Figure 5.8. What are Joe’s effective permissions if he inherits
rights from Directory1, but is also a member of Sales, which has its own permissions?
You can see that permissions could quickly become confusing. To combat this confusion,
Windows 2003 has added a new ACL editor that lets you easily discover and edit permissions. With
Windows 2003, you’ll find an Effective Permissions tab on every directory and file.
Simply right-click and select Properties for the directory or file whose effective permissions you
want to examine, select the security tab, and click the Advanced button. You can then click the
Effective Permissions tab, which Figure 5.9 shows.
Figure 5.9
Windows 2003’s new ACL editor
Just click Select, select a user or group, and you can see the precise access control placed upon
that object for a specific user or group. The new ACL editor makes knowing “who” has permissions
“where” a lot easier.
So why might you need the InetOrgPerson object if user objects already work well in Windows
2003? Because InetOrgPerson objects comply with Request for Comments (RFC) 2798, whereas
regular user objects don’t. This difference is a concern in a limited set of circumstances. You might
need InetOrgPerson objects if you use a third-party metadirectory service (e.g., Sun’s iPlanet) to
update both your AD and your iPlanet directory. iPlanet expects its input and output to be an
RFC-compliant InetOrgPerson object – not a Windows 2003/Win2K user object. You can check out
the InetOrgPerson RFC at http://www.faqs.org/rfcs/rfc2798.html. InetOrgPerson objects are easy to
create, potentially useful, and have few drawbacks.
You can create an InetOrgPerson object as easily as you create a new user object. Figure 5.10
shows how you create an InetOrgPerson object in the Active Directory Users and Computers console.
Figure 5.10
Creating an InetOrgPerson object
You can create your “User” objects the standard way or choose to make them “InetOrgPerson”
objects. You incur no penalty if you make your user objects InetOrgPerson objects rather than User
objects. However, you should continue to use regular User objects unless you know you need
InetOrgPerson objects to be 100 percent compatible with RFC-compliant metadirectory services.
d Caution
You should be aware that InetOrgPerson objects aren’t compatible with Exchange 2000.
That is, you can’t enable an InetOrgPerson mailbox.
Figure 5.11
SMS 2003 (not yet released) option to extend the schema
Schema updates have been permanent – until Windows 2003. That fact made many developers
hesitate to write applications that leveraged the advantages of a schema update. Win2K application
developers had a problem if they ever wanted to distribute an update to their application that
changed their use of the schema.
For example, if an application vendor had made a schema modification by adding an attribute
called SHOE SIZE, which accepted a numeric value – that modification might work well at the time.
However, if the vendor then wanted to update the attribute to accept a character (e.g., S, M, L) rather
than a numeric value, the vendor would have to introduce another schema modification attribute to
accept the value types desired. This situation occurred because “under the hood” of the schema, each
attribute is assigned a unique Object Identification Number (OID).
Win2K allows a schema attribute to be considered “defunct.” This ability to change the “status”
works well; however, if you consider the example above, in which the vendor wants to change the
SHOE SIZE attribute from accepting numbers to accepting characters, the vendor would have to get
another OID and code the application to insert yet another permanent schema addition to add the
new attribute.
Windows 2003 also lets a schema attribute be considered defunct. However, you can reuse the
underlying OID with a different name or value. Additionally, you can set attributes to be Defunct or
Active at any time.
n Note At no time is the attribute ever truly deleted. Rather, the attribute is classified as defunct so
that you can reuse its OID.
j Tip
According to rumor, future versions of AD will support “tombstoning” and purging defunct
schema definitions. Tombstoning is similar to deleting except that when you tombstone, you
inform other servers that you’re removing the schema object definitions so that those servers
can update their databases. Again, Windows 2003 doesn’t yet support these features.
If you have an attribute you want to designate as defunct, you’ll need to follow several steps,
as I outline below. First, you’ll need to register the schmmgmt.dll with regsv32.exe, as Figure 5.12
shows.
Figure 5.12
Registering the schmmgmt.dll
d Caution
Any changes you make to the schema are at your own risk. Make changes to the schema only
in a test lab. To modify the schema, you must enter a registry value in the registry upon the
schema master. By default, AD servers don’t let anyone edit the schema.
Figure 5.13
Entering a registry value before you modify the schema
Next, add the Active Directory Schema snap-in to the Microsoft Management Console (MMC).
Figure 5.14 shows how you select Active Directory Schema to add it as a standalone snap-in.
Figure 5.14
Adding the Active Directory Schema snap-in
By default, you can’t see defunct objects. If you want to see them, right-click the Active Directory
Schema and select View, Defunct Objects, as Figure 5.15 shows.
Figure 5.15
The view inside the schema
To make an object defunct, locate the attribute, examine its properties, and clear the default
Attribute is active check box, as Figure 5.16 shows.
Figure 5.16
Clearing the Attribute is active check box
At this point, you can create a new attribute with the same OID but a different name and value
type. Windows 2003’s improved schema modification functions make it easier for application vendors
to write applications that modify the schema to get the most from AD.