Tips and tricks to secure Windows Server 2003: Protect your authentication mechanisms

There's an old proverb stating that a chain is only as strong as its weakest link. That saying is especially true when you are talking about a network's chain of security mechanisms. I know a lot of people who spend countless hours making sure that every packet flowing across the network is authenticated and encrypted, and that all of the files on the server's hard disk have the proper permissions assigned to them. Such measures are important, but the fact is that the vast majority of hacks are perpetrated by using legitimate user accounts.

User IDs and passwords
In most networks, the user accounts themselves are by far the weakest part of the network's entire security infrastructure. A hacker only needs to know two pieces of information (a user name and a password) to be able to access anything on your entire network. Sure, encrypting all of the packets as they flow across the wire will help to prevent a hacker from sniffing passwords, but there are plenty of other ways that hackers can acquire passwords. One of the oldest password acquisition methods still works to this day: the brute force crack. Like I said, a hacker must have a username and a password in order to gain full access to your network resources. Of course, Microsoft was kind enough to provide the hackers with the user name for you: Administrator. That means that hackers only need to figure out the Administrator's password in order to gain access to your network.

Renaming Administrator
Microsoft has long recommended that you change the name of the Administrator account so that hackers won't know what it is. The problem is that even if you change the account name, the account's SID remains the same. Since the built-in Administrator account always carries the same well-known relative identifier (its SID ends in -500), it is fairly easy to figure out what the account has been renamed to just by examining the SIDs. In fact, there are even GUI utilities that can automatically tell you what name the Administrator account is using. Although this is the case, I still recommend renaming the Administrator account, because doing so may deter less sophisticated hackers. Besides, your other security mechanisms, such as your firewall and packet-level encryption, may help prevent such utilities from functioning correctly; Windows Server 2003 also disables anonymous SID-to-name translation by default, so the lookup normally requires a valid account or local access rather than a null session. Let's assume for a moment that a hacker knows what they are doing and they are able to quickly determine the name of your Administrator account. They would then simply need to figure out the password. This is where the brute force crack that I mentioned earlier comes into play.
Windows is designed so that the built-in Administrator account can't be locked out. The account lockout policy that freezes other accounts after a handful of bad passwords does not apply to it, which means that a hacker is free to perform a brute force crack against the password without fear of locking out the account. (The Resource Kit's passprop /adminlockout switch can make the built-in account lock out for network logons, but it can always still log on interactively at the console.) Naturally, your defenses against such an attack are strong, frequently changed passwords and regular reviews of the audit logs. The idea is that it takes so long to crack a complex password that you change the password before the hacker has the chance to try every possible password. If you've got failure auditing of logon events enabled, you would also notice a very high number of unsuccessful login attempts in the Security log.
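As an added example (this is not code from the original article), the following PowerShell script performs the audit-log review just described. It counts the failed-logon events that a brute force attempt leaves in the Security log and reports any account that exceeds a threshold. It assumes PowerShell 2.0 is installed on the Windows Server 2003 machine, that failure auditing of logon events is enabled, and that the insertion-field positions match the 2003 event templates (an assumption noted in the comments).

```powershell
# Added example, not from the original article: report accounts with a burst of
# failed logons, which is what a brute-force attempt leaves in the Security log.
# Assumes "Audit logon events" / "Audit account logon events" are set to audit
# failures, PowerShell 2.0 on the Windows Server 2003 machine, and rights to read
# the Security log.
param(
    [int]$Hours     = 1,    # look-back window
    [int]$Threshold = 20    # failures per account before it is reported
)

# Windows Server 2003 failure-audit IDs (pre-Vista numbering):
#   529 = logon failure: unknown user name or bad password
#   531 = logon failure: account currently disabled (e.g. a disabled Administrator)
#   675 = Kerberos pre-authentication failed (domain controllers; wrong password)
$failureIds = 529, 531, 675
$since = (Get-Date).AddHours(-$Hours)

$failures = Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
    Where-Object { $failureIds -contains $_.EventID }

# ReplacementStrings are the event's insertion fields. Field 0 is the target
# user name for all three IDs; field 5 is the source (workstation name for
# 529/531, client address for 675). Positions assumed from the 2003 templates.
$rows = $failures | Select-Object TimeGenerated, EventID,
    @{ Name = 'User';   Expression = { $_.ReplacementStrings[0] } },
    @{ Name = 'Source'; Expression = { $_.ReplacementStrings[5] } }

$suspects = $rows | Group-Object User | Where-Object { $_.Count -ge $Threshold }

if (-not $suspects) {
    Write-Host "No account exceeded $Threshold failed logons in the last $Hours hour(s)."
}
foreach ($s in $suspects) {
    $sources = ($s.Group | ForEach-Object { $_.Source }  | Sort-Object -Unique) -join ', '
    $ids     = ($s.Group | ForEach-Object { $_.EventID } | Sort-Object -Unique) -join '/'
    # Many failures against one account from one source is the classic signature.
    # Event 531 against an account you deliberately disabled is a sure sign,
    # since no legitimate user should be trying it at all.
    Write-Host ("{0,-24} {1,5} failures  events {2}  from {3}" -f $s.Name, $s.Count, $ids, $sources)
}
```

Run it from a scheduled task every hour and alert on any output. Tune the threshold to your environment: a help desk password reset produces a few 529s, a dictionary attack produces hundreds from the same workstation name or client address.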

What a lot of people don't realize, though, is that there is another way of defending yourself against this type of attack. Unlike earlier versions of Windows Server, Windows Server 2003 allows you to manually disable the Administrator account. You can therefore set other users up with administrative privileges and then disable the Administrator account. That way, if a hacker does figure out the name of the Administrator's account, it is useless because the account is disabled. (Keep in mind that on a member server the disabled built-in Administrator can still be used to log on in Safe Mode, which is one more reason to control physical access to the machine.)

The method that I have just described can be very dangerous, and you need to carefully consider its impact before attempting it. The reason why this technique is so dangerous is that if you don't set up your alternate administrative accounts just right, you may find yourself permanently unable to perform essential tasks. You must also keep in mind that, unlike the built-in account, your alternate accounts can be locked out by incorrect password attempts. Someone could lock you completely out of your network by purposely entering incorrect passwords for your alternate administrative accounts. If that happened, and your lockout policy does not release the accounts automatically after a set duration, the only way that you could get back into your network would be to perform an authoritative Active Directory restore, and you might not even be able to do that if your backup software requires authentication.
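As an added example (not code from the original article), this PowerShell script does the disable operation with the safety check the warning above calls for. It finds the built-in Administrator by its well-known RID 500 regardless of its current name, and only disables it if at least one other enabled user is a direct member of the Administrators group. It assumes PowerShell 2.0 on a Windows Server 2003 member server with a local SAM; on a domain controller the Scope parameter would be the NetBIOS domain name instead.

```powershell
# Added example, not from the original article: locate the built-in Administrator
# by its well-known RID (500), whatever it has been renamed to, and disable it only
# when another enabled member of the Administrators group exists, so the script can
# never leave you with no usable administrative account. Assumes PowerShell 2.0 on
# a Windows Server 2003 member server (local SAM); on a domain controller pass the
# NetBIOS domain name as -Scope so the WinNT provider resolves domain accounts.
param([string]$Scope = $env:COMPUTERNAME)

# Renaming the account never changes its SID, and the built-in Administrator's
# SID always ends in -500. This is the same lookup the text says attackers use.
$builtin = Get-WmiObject Win32_UserAccount -Filter "Domain='$Scope'" |
    Where-Object { $_.SID -like '*-500' }
if (-not $builtin) { throw "No RID-500 account found in '$Scope'." }
Write-Host ("Built-in Administrator is currently named '{0}' (disabled: {1})" -f $builtin.Name, $builtin.Disabled)

# Enumerate the Administrators group and collect every *other* enabled user.
# Nested groups are skipped on purpose: we want a concrete account that we know
# can log on, not membership that depends on some other group's state.
$group = [ADSI]"WinNT://$Scope/Administrators,group"
$otherEnabledAdmins = @()
foreach ($member in @($group.psbase.Invoke('Members'))) {
    $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
    $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    if ($class -ne 'User') { continue }
    $user = [ADSI]$path
    $name = [string]$user.psbase.Name
    if ($name -eq $builtin.Name) { continue }
    if (-not $user.psbase.InvokeGet('AccountDisabled')) { $otherEnabledAdmins += $name }
}

if ($otherEnabledAdmins.Count -eq 0) {
    Write-Warning "No other enabled administrator found; refusing to disable '$($builtin.Name)'."
} else {
    Write-Host ("Other enabled administrators: {0}" -f ($otherEnabledAdmins -join ', '))
    $admin = [ADSI]"WinNT://$Scope/$($builtin.Name),user"
    $admin.psbase.InvokeSet('AccountDisabled', $true)
    $admin.psbase.CommitChanges()
    Write-Host "Disabled '$($builtin.Name)'. Log on with one of the accounts above before you log off this session."
}
```

The check is deliberately conservative. Before running it for real, open a second session as one of the alternate administrators and keep it open; if that session works, the disabled built-in account can be re-enabled from it at any time with the same InvokeSet call and a value of $false.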
SAM
While I am on the subject of stolen passwords, there is another technique that hackers can use to steal a password. Any computer that's running Windows 2000, XP, or 2003 stores users' passwords within the Security Accounts Manager (SAM). Technically, the SAM doesn't contain the passwords themselves. If a server is to authenticate users' logins, it must be able to verify the password that has been entered against what it has stored. The password is hashed, and then the hash is encrypted and stored within the SAM. (On a domain controller, domain accounts live in the Active Directory database rather than the SAM, but their hashes are protected in the same way, by the same key.) When you first read about the way that Windows stores passwords, it sounds fairly secure. There are a couple of problems with the storage method, though. For starters, the hashing algorithm is fairly well known, and the hashes are not salted, so a precomputed table built once works against every account. To make matters worse, the encryption key is stored on the server right along with the hashes that the key encrypts. In fact, there are several utilities available off the shelf that will allow anyone who has physical access to the machine to reset a password without supplying any sort of login credentials. There are also a few "password recovery utilities" that are allegedly able to retrieve passwords directly from the SAM database.

Naturally, your first line of defense against such an exploit is to make sure that your servers are kept behind a locked door to prevent anyone from gaining physical access. If controlling physical access is impossible where you work, or if you just want to provide an extra level of security, then there is a technique that you can use to move the encryption key off of the server: the SYSKEY utility. Before I explain how to accomplish this, I need to warn you that this is another dangerous operation. If you decide that you want to protect the encryption key, you have two options.

Your first option is to export the encryption key to a floppy disk. The reason why this is dangerous is that when you boot the server it will ask for the floppy disk, which allows Windows to access the SAM database. If you lose the disk, or if the disk becomes damaged or unreadable, the server will be unbootable. The other down side to using this method is that you lose the ability to remotely reboot the server, because you can't boot the server without physically inserting a disk.

The other option that you have is to encrypt the encryption key. This method involves assigning a password to the encryption key. When you boot the server, you will be prompted to enter the password. Upon doing so, Windows decrypts the encryption key. In my opinion, this technique is a little safer than exporting the encryption key to a floppy disk, but the technique still has risks. If you were to forget the password, the server will be rendered unbootable. Likewise, you could potentially lose the ability to remotely reboot the server, depending on how your remote control software works. If you decide to lock down the encryption key, the Microsoft Knowledge Base contains an excellent article that explains how to go about doing so. Whichever option you choose, record the password or keep a copy of the disk in a sealed envelope in a safe, and test a reboot while someone is standing at the console.

Dual authentication
One other thing that you can do to help secure the authentication process is to use multiple authentication methods. When designing a secure network, there are three things that can be used to authenticate a person's identity. You can use something that the person is, something the person has, or something that the person knows. An out of the box Windows deployment typically uses only one of the three authentication tests. The test used by Windows is something that the person knows, which is of course a username / password combination. You can achieve much greater security by using at least two authentication methods for users. Since Windows already uses something that the user knows, you might add something that the user is (biometrics) or something that the user has (such as a smart card).
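As an added example (not code from the original article), this PowerShell snippet adds the "something the user has" factor to a single Active Directory account by requiring a smart card for interactive logon. It sets the documented ADS_UF_SMARTCARD_REQUIRED bit of userAccountControl, which is what the "Smart card is required for interactive logon" checkbox in Active Directory Users and Computers sets. The distinguished name is an assumption, and the script presumes that an enterprise CA and smart card logon certificates are already in place and that it runs with domain admin rights on a machine that can reach a domain controller over LDAP.

```powershell
# Added example, not from the original article: require a smart card (something the
# user has) for an AD account's interactive logon by setting the documented
# ADS_UF_SMARTCARD_REQUIRED flag (0x40000) in userAccountControl. The DN is an
# assumption. Run with domain admin rights; the user needs a smart-card logon
# certificate from an enterprise CA that the domain controllers trust.
param([string]$UserDN = 'CN=Jane Doe,OU=Finance,DC=example,DC=com')

$ADS_UF_SMARTCARD_REQUIRED = 0x40000

$user = [ADSI]"LDAP://$UserDN"
$uac  = [int]$user.psbase.Properties['userAccountControl'].Value

if (($uac -band $ADS_UF_SMARTCARD_REQUIRED) -ne 0) {
    Write-Host "$UserDN already requires a smart card."
} else {
    # -bor adds the one flag without disturbing the others (e.g. DONT_EXPIRE_PASSWORD)
    $user.psbase.Properties['userAccountControl'].Value = ($uac -bor $ADS_UF_SMARTCARD_REQUIRED)
    $user.psbase.CommitChanges()
    Write-Host "Smart card is now required for interactive logon by $UserDN."
}
```

Two caveats before rolling this out widely. First, keep at least one administrative account that does not require a smart card, for the same break-glass reason given in the section on disabling Administrator. Second, the flag governs interactive logon; setting it does not change the account's existing password, so rotate that password to a long random value yourself if you do not want it to remain usable for network logons.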
Granting privileges
Up to this point, I have talked primarily about various techniques that you can use to enhance the security associated with users' passwords. When designing a secure network, you must also consider what a user should and should not have access to once they log in. The current standard for user rights is that users should have the lowest possible set of privileges that will permit them to do their jobs (the principle of least privilege). The most effective way to assign these permissions is almost always through security groups. For example, suppose that you had some users who needed access to the company's payroll database. Rather than granting the individual users permission at the NTFS level, you should create a group for the users who will need access to the payroll database and assign permissions to that group. Doing so makes network management a lot easier. If someone asked you who had access to payroll, you could simply check the group membership rather than tracking down a bunch of individual permissions.

As you plan your network's security structure, I recommend creating groups and designing the server's folder structure in such a way that there are no overlaps. Imagine, for example, that everyone in the finance department needs access to the payroll database, but that there are a few people from outside of finance who also need payroll access. You could theoretically create a folder called Finance and then grant the Finance group permissions to it. You could then place the Payroll folder beneath the Finance folder and create a Payroll group. By doing so, everyone in the Payroll group and in the Finance group would have access to the payroll data, because the Payroll folder inherits the Finance group's permissions from its parent. Although this arrangement would technically work, it isn't a good idea to configure your folder structure in this way, because as the network grows, management becomes difficult. If someone were to ask you which users have access to the payroll database, you would have to check the Payroll group and the Finance group, rather than being able to check one single group. It isn't always possible to avoid overlapping permissions, especially when different people need different levels of access to a folder, but your life will be a lot easier if you avoid overlapping permissions whenever possible.
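As an added example (not code from the original article), the following PowerShell script builds the non-overlapping, group-based layout recommended above for the Finance and Payroll folders. Permissions are granted only to groups, never to individual users, and inheritance is broken on the Payroll folder so that the Finance group's rights on the parent cannot leak down; the question "who can read payroll?" then has exactly one answer, the membership of one group. The paths, group names and user names are assumptions; the script uses local groups and net.exe so it runs on a stand-alone Windows Server 2003 box with PowerShell 2.0, and in a domain you would create the groups in Active Directory and grant DOMAIN\Group instead.

```powershell
# Added example, not from the original article: the non-overlapping, group-based
# layout the text recommends, applied to a Finance share with a Payroll subfolder.
# One group per resource, permissions granted only to groups, and inheritance
# broken on Payroll so the Finance group's rights on the parent cannot leak down.
# Paths, group names and members (alice, bob, carol must already exist) are
# assumptions for illustration. Uses local groups and net.exe so it runs on a
# stand-alone Windows Server 2003 box with PowerShell 2.0.
param(
    [string]$FinanceDir = 'D:\Shares\Finance',
    [string]$PayrollDir = 'D:\Shares\Finance\Payroll'
)
$computer = $env:COMPUTERNAME

function Ensure-LocalGroup([string]$Name, [string[]]$Members) {
    # net.exe is what a 2003 admin actually types. "Already exists" on creation is
    # harmless and suppressed; errors adding members are left visible on purpose.
    net localgroup $Name /add 2>$null | Out-Null
    foreach ($m in $Members) { net localgroup $Name $m /add | Out-Null }
}

function Grant-GroupOnly([string]$Path, [string]$Group, [string]$Rights) {
    $acl = Get-Acl $Path
    # Stop inheriting from the parent and discard the inherited entries, so the
    # only way into this folder is through the one group named here.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    # SYSTEM and Administrators keep Full Control so backups and admins still work.
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $none, 'Allow')))
    }
    # Individual users are never named in the ACL, only the resource group.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$computer\$Group", $Rights, $inherit, $none, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccess([string]$Path) {
    # Answers "who has access?" from the ACL alone. With the layout above the
    # answer is one group, and that group's membership is the complete list.
    (Get-Acl $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

New-Item -ItemType Directory -Force -Path $FinanceDir, $PayrollDir | Out-Null

# Everyone in finance reads the Finance share; only the payroll group (finance
# staff who need it plus the few outsiders who do) can touch Payroll.
Ensure-LocalGroup 'Finance-Users'  @('alice', 'bob')
Ensure-LocalGroup 'Payroll-Access' @('alice', 'carol')    # carol is outside finance

Grant-GroupOnly $FinanceDir 'Finance-Users'  'ReadAndExecute'
Grant-GroupOnly $PayrollDir 'Payroll-Access' 'Modify'

Get-FolderAccess $PayrollDir | Format-Table -AutoSize
net localgroup Payroll-Access    # the one list you have to check
```

One practical note on the nested path: a Payroll-Access member who is not in Finance-Users (carol in the example) has no rights on the Finance folder itself, so she cannot browse to Payroll through it. She can still open the folder by its full path, because Windows Server 2003 grants "Bypass traverse checking" to Everyone by default; if you would rather not rely on that, share the Payroll folder separately or keep it out of the Finance tree altogether.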

Active Directory
There is one last security trick that I want to show you. Throughout this article, I have talked about ways that authentication can be compromised and how groups can be configured for optimal security. All of this information is maintained within the Active Directory. I'll admit that the Active Directory isn't the easiest thing in the world to hack, but the Active Directory database does make a tempting target because it consists of easily recognizable files (NTDS.DIT, EDB.LOG, and TEMP.EDB) and those files reside in a predictable location (usually C:\Windows\NTDS). What a lot of people don't realize is that you can make a hacker's job just a little bit more difficult by moving the Active Directory database to an unexpected location. Bear in mind that this is only a minor obstacle: the database and log paths are recorded in the registry under the NTDS service's Parameters key, so anyone who already has administrative access to the domain controller can look them up, and the key protection discussed in the SAM section is what actually guards the hashes inside the file. If your domain controller happens to have a RAID array, then the array makes an excellent choice because the database is protected from drive failure and because arrays offer better performance than a standalone hard disk. Moving the databases is simple, although it does require a server reboot. Boot the machine into Directory Services Restore Mode and then enter the NTDSUTIL command followed by the Files command. Now, just use the MOVE DB TO or MOVE LOGS TO command to move the database and its log files to the new location.
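As an added example (not code from the original article), here is the move scripted in PowerShell with the checks a practitioner wants before touching the directory database: that the machine really is in Directory Services Restore Mode, that the target volume exists, is NTFS and has room, and that the database passes an integrity check afterwards. The target path is an assumption; ntdsutil is driven with its menu commands passed as arguments, which is equivalent to typing them at its prompt.

```powershell
# Added example, not from the original article: move the Active Directory database
# and its logs to another volume with ntdsutil, as the text describes, with the
# checks a practitioner wants first. The target path is an assumption. Must run on
# the domain controller booted into Directory Services Restore Mode; the "files"
# menu refuses to run while the directory service is online.
param([string]$Target = 'D:\NTDS')

# 1. Refuse to continue unless we are in DSRM (Windows sets SAFEBOOT_OPTION there).
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Boot into Directory Services Restore Mode first (SAFEBOOT_OPTION is '$($env:SAFEBOOT_OPTION)')."
}

# 2. Current locations come from the NTDS service parameters. This is also why
#    moving the files only slows an attacker down: anyone with admin rights can
#    read the new path from the same registry key.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty $ntdsKey
$dbFile  = $params.'DSA Database file'
$logPath = $params.'Database log files path'
Write-Host "Database currently at $dbFile, logs at $logPath"

# 3. The target volume must be NTFS and have room for the database plus logs,
#    with headroom, because the move copies before it deletes.
$drive = Split-Path -Qualifier $Target
$disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
if (-not $disk -or $disk.FileSystem -ne 'NTFS') { throw "$drive is missing or not NTFS." }
$logBytes = (Get-ChildItem $logPath -Filter '*.log' | Measure-Object Length -Sum).Sum
$needed   = (Get-Item $dbFile).Length + $logBytes
if ($disk.FreeSpace -lt ($needed * 2)) { throw "Not enough free space on $drive for $needed bytes plus headroom." }

# 4. Let ntdsutil do the move: it copies the files, sets their ACLs and updates the
#    registry values read above. Each argument is one line of the interactive menu.
#    Read its output as well; its exit code alone is not a reliable success signal.
& ntdsutil 'files' "move db to $Target" "move logs to $Target" 'quit' 'quit'
if ($LASTEXITCODE -ne 0) { throw "ntdsutil returned $LASTEXITCODE; do not reboot until this is resolved." }

# 5. Integrity check on the relocated database, then show the new paths.
& ntdsutil 'files' 'integrity' 'quit' 'quit'
$params = Get-ItemProperty $ntdsKey
Write-Host "Database now at $($params.'DSA Database file'), logs at $($params.'Database log files path')"
Write-Host "Reboot normally. Take a system state backup before and after the move."
```

Take a system state backup before you start, and treat the integrity check as mandatory: a domain controller that fails to start the directory service after a botched move has to be recovered from that backup.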
Do the basics
Although there are a lot of standard techniques for deploying a secure network, it is often better to throw the hackers a few curve balls than to do everything by the book. In this article, I have shown you several security techniques that you can use to make your Windows deployment more secure.