Security in Windows

Now you know plenty about the Windows architecture and ways of making the OS scalable and reliable. So far so good, but one more important topic exists: security. Throughout this book we try to stress the importance of this. Because most businesses today have expanded well beyond their local area network, increased system security is more important than ever. Microsoft has put a lot of effort into making Windows Server 2003 its most secure operating system so far. At first we thought this was just sales talk, but as the betas have evolved into a final product, we must say Microsoft has succeeded fairly well. One of the drives for this has been Microsoft's Trustworthy Computing Initiative, a framework for developing devices powered by computers and software that are as secure and trustworthy as the everyday devices and appliances you use at home.

The rest of this chapter will cover the security features of Windows Server 2003. We will not cover Windows 2000 here, as we think there has been plenty of material written on this platform. Let us start with authentication.

Note 

A good book on Windows 2000 security is Hacking Windows 2000 Exposed by Joel Scambray and Stuart McClure (McGraw-Hill Osborne Media, 2001. ISBN 0-07-219262-3.).

Authentication

One fundamental issue in security is the process of verifying that an entity or object really is what, or who, it claims it is. How can you be sure it really is Opus Rossberg who is trying to read a file on one of your servers? (As a matter of fact, we would be surprised if it really was Opus Rossberg, since one of us has a cat with this name, so christened after penguin Opus in the comic Bloom County. But the point is still valid.) Authentication confirms the identity of any user trying to log on to a domain or access network resources.

In Windows Server 2003 you find the following types of authentication:

  • Kerberos version 5: This is the default network authentication protocol in an Active Directory domain, used both for domain logon and for authenticating to network services. Interactive logon can use either a password or a smart card (through the PKINIT public-key extension of Kerberos), so it is quite flexible.

  • Digest authentication: When using this method, credentials are transmitted across the network as an MD5 hash (a message digest) of the user name, password, and a server-supplied nonce rather than as the password itself. It is mainly used by IIS for HTTP authentication.

  • Passport authentication: You have probably used Passport authentication to access Microsoft's Web pages. When you use this user-authentication service, you can get a single sign-in for your Web site or network, just to mention two examples. This means you only have to log on once; all other authentication is done transparently.

  • NTLM: This challenge/response protocol is provided for backward compatibility with Windows NT 4.0–based systems. Windows also falls back to it whenever Kerberos cannot be used, for example in a workgroup, when a server is addressed by IP address, or when the target service has no service principal name (SPN), so do not assume that a domain member only ever uses Kerberos.

  • Secure Sockets Layer/Transport Layer Security (SSL/TLS): This protocol comes into play when a user is accessing a secure Web site. The server proves its identity with a certificate; optionally the client presents one as well, and IIS can map such client certificates to Windows accounts.
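Because NTLM fallback is silent, the first thing a practitioner wants is a way to see which of these protocols a host really uses. The following script is an added example, not code from the book: it lists the Kerberos tickets of the current session, reads the NTLM level the host enforces, and counts recent network logons per authentication package. It assumes a current, domain-joined Windows host with PowerShell and rights to read the Security log (neither PowerShell nor event ID 4624 existed on Windows Server 2003, where the corresponding events were 528 and 540).

```powershell
# Added example, not from the book: which authentication protocols does this host
# actually use? Assumes a current domain-joined Windows host with PowerShell and
# permission to read the Security log.

# 1. Kerberos tickets held by the current logon session: a TGT (krbtgt/REALM)
#    followed by one service ticket per SPN that has been contacted.
klist

# 2. The NTLM level this host enforces: 0-5, where 5 means send NTLMv2 only and
#    refuse LM and NTLMv1 from clients. No output means the OS default applies.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name LmCompatibilityLevel -ErrorAction SilentlyContinue |
    Select-Object LmCompatibilityLevel

# 3. Network logons (logon type 3) over the last 7 days, counted per package.
#    On a domain member, NTLM here usually means a client addressed the server
#    by IP address or by a name with no SPN, so Kerberos could not be used.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]]" +
         " and EventData[Data[@Name='LogonType']='3']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Fixed property positions of event 4624 (the order shown in Event Viewer)
        [pscustomobject]@{
            Package   = $_.Properties[10].Value   # Kerberos, NTLM or Negotiate
            LmPackage = $_.Properties[14].Value   # NTLM V1, NTLM V2, or '-' for Kerberos
            Account   = $_.Properties[5].Value
            Source    = $_.Properties[18].Value
        }
    } |
    Group-Object Package, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Any row showing NTLM V1 is worth chasing: either a client that cannot do NTLMv2 or, more often, a connection string or UNC path that uses an IP address instead of the server's DNS name.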

Note 

Two-factor authentication is included in the Windows Server families. This means you can integrate smart cards to provide a secure solution for client authentication, logging on to a domain, code signing, and securing e-mail. Support for cryptographic smart cards is a key feature of the Public Key Infrastructure (PKI) that Microsoft has integrated into the Windows Server families and Windows XP. When logging on to a domain using a smart card, you do not have to press Ctrl-Alt-Del to log on. When you insert the smart card, the computer simply asks for your PIN instead of the username and password you normally supply; the card's private key, which never leaves the card, is then used to authenticate you to the domain.

Object-Based Access Control

When a user is authenticated, other issues arise. What can a user do? What resources does he or she have access to? Since you never want to give all users access to everything, you need to let your administrators control this. They can do this by assigning security descriptors to objects stored in Active Directory (AD). This means they can control which user accounts and groups in Active Directory have access to a specific object. The administrators can even control access to specific attributes of an object, giving them quite a lot of power.

Note 

If Active Directory is not installed or the server is not a member of a domain, you can use the same technique with local users and groups on the machine.

To secure a computer, you grant users or groups specific rights, and you grant permissions on resources on the computer, such as files, folders, registry keys, or even services. Windows uses the two words precisely. A user right (Log on locally or Back up files and directories, for example) is a system-wide privilege assigned through security policy; a permission is an entry in an object's discretionary access control list (DACL) stating what a particular account or group may do with that one object. Both determine the actions the user or group can perform.

What kind of permissions can you grant? Permissions define the type of access a user or group is granted to an object and its properties. You can set permissions on files and folders, Active Directory objects, registry keys, services, and printers, and which permissions exist depends on the type of object. For a file, you can for example grant Read, Write, Modify, Delete, or Full Control. Each entry either allows or denies. Explicit entries are evaluated before inherited ones, and within each of those groups Deny entries come before Allow entries, so an explicit Deny always wins over an explicit Allow.

Another thing you control is ownership of an object. When an object is created, its creator becomes its owner, and the owner can always change the object's permissions, even if the DACL grants the owner nothing else. Ownership can be transferred: an administrator, or anyone granted the Take Ownership permission on the object, can take it over, and an account holding the Restore files and directories user right can assign ownership to another account.

You can also let objects inherit permissions from their parent. The easiest way to illustrate this is by imagining a folder in Windows Explorer. You can let the files and subfolders in the folder inherit the permissions applied to the folder, but only entries marked for inheritance (to files, to subfolders, or both) will actually be inherited, and a child whose inheritance has been blocked keeps its own explicit entries instead.

Access control is a major tool when securing your servers. The rule of thumb is this: do not give anyone or anything more rights than they actually need, not even yourself. You will seldom need to log on as Administrator and have all the rights associated with that account; use an ordinary account and Run as for the occasional administrative task. Avoid granting access to the Everyone group on shares and application data (Windows Server 2003 already lowers the default permission on new shares from Everyone Full Control to Everyone Read); grant the specific groups that need access instead, with Authenticated Users as the broadest group you should normally use. Do not strip Everyone from system folders wholesale, though, since parts of the operating system rely on the default entries there; change defaults only with a documented reason.

A welcome feature in Windows Server 2003 is shown in Figure 4-26. It used to be guesswork to establish the permissions a given user ended up with on an object once group memberships, inheritance, and Deny entries were combined. Now you are presented with a tab that displays the effective permissions for objects. You can select a user or a group and see the effective permissions for that specific object. To try this, open Windows Explorer, right-click any file or folder, and select Properties. On the Security tab click Advanced, then open the Effective Permissions tab. Now you can select any user or group and see its effective permissions on this object. Two caveats: the tab evaluates NTFS permissions only, so share permissions are not taken into account, and it cannot know which logon-specific groups (Interactive, Network, and so on) the user would hold at access time, so the real result can still differ.
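The rule of thumb above, applied to one folder from a script rather than from the Explorer dialogs, looks like this. It is an added example, not code from the book, and assumes a current Windows host with PowerShell, an elevated session, and an existing local group named AppOperators (a hypothetical name). The folder path is a placeholder and the file written into it is constructed for the demonstration.

```powershell
# Added example, not from the book: least privilege on one folder. Assumes an
# elevated PowerShell session and a local group 'AppOperators' (hypothetical).

$path  = 'C:\AppData\Orders'                  # placeholder folder
$group = "$env:COMPUTERNAME\AppOperators"     # hypothetical local group
New-Item -ItemType Directory -Path $path -Force | Out-Null

$acl = Get-Acl -Path $path
'Owner: ' + $acl.Owner                        # the creator (or Administrators)

# Stop inheriting from the parent ($true) and discard the inherited entries
# ($false) rather than copying them down as explicit entries.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit Everyone (S-1-1-0) entries that remain on the folder.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$acl.PurgeAccessRules($everyone)

# Grant only what is needed, inherited by subfolders (ContainerInherit) and files
# (ObjectInherit). Operators get Modify; Administrators and SYSTEM keep Full
# Control so the server can still be managed and backed up.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$admins  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$system  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($group,  'Modify',      $inherit, $none, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', $inherit, $none, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($system, 'FullControl', $inherit, $none, 'Allow')))
Set-Acl -Path $path -AclObject $acl

# Read back what was stored and which entries will flow down to children.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags |
    Format-Table -AutoSize

# A file created in the folder carries only inherited entries (IsInherited = True).
$file = Join-Path $path 'order-0001.txt'
Set-Content -Path $file -Value 'constructed sample order'
(Get-Acl -Path $file).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Set-Acl fails with an identity-mapping error if the group does not exist, which is the right outcome: a permission for an unresolvable name would otherwise sit in the DACL as an orphaned SID.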

Figure 4-26: A display of the effective permission of a user or a group for a specific object

Auditing

To see what is happening to your system, you need a way to track various events. By carefully selecting the behaviors you want to watch, you can spot potential security problems. You configure your security so that it takes an unwanted guest some time to get through; if he or she does get through, the audit trail is your evidence of the breach and of how it happened. Hopefully you can learn from these breaches to tighten security further.

One thing you need to understand when it comes to security is that you should not for a moment believe you can stop anyone from getting past your security walls. If somebody wants to get through badly enough, that person will; it is just a matter of time. What you can hope for, and what you should strive for, is presenting so much trouble that the intruder is slowed down, because if you can slow intruders down, you have a better chance of discovering them before they get all the way through.

To audit effectively, you need to establish an audit policy. When you do this, you choose which categories of events, objects, and accesses to audit. You must also have a strategy with your policy. What do you want to achieve? Do you want to record those who have accessed the system or data on the system? Do you want to record all failed logon attempts? Do you want to detect unauthorized attempts to mess with the operating system?

When you set up an audit policy, you should usually try to audit the following:

  • Access to important data like files, folders, or both. Turning on the Audit object access category by itself logs nothing: you must also add auditing entries (a system access control list, SACL) to the specific files and folders you care about.

  • Logon/logoff to the system. You should monitor both the successful and unsuccessful attempts.

  • User accounts/group management, to see if anyone has done something they were not allowed to do.

These are just a few options, and there are many more. When you deploy your audit policy, you use the Local Security Policy tool (secpol.msc) if you are auditing a stand-alone machine, or Group Policy if you have a domain. Make sure the Security event log is large enough for your retention needs, since a full log will either overwrite the oldest events or stop recording, depending on its settings. When the policy is deployed, you must not forget to regularly check the log; otherwise you have wasted your time setting up the policy.

Another thing you should not forget is testing your policy before deploying it. Does it really catch the events you want it to catch? You might need to tune it before you deploy it, and you should keep tuning it once it is deployed. Based on the logs, you will notice whether you audit too much (the log fills with noise nobody reads) or too little, so expect to change it regularly.
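The three audit targets listed above, set up and then reviewed from a script, look like this. It is an added example, not code from the book. It assumes a current Windows host run as an administrator: auditpol.exe, wevtutil.exe, and PowerShell were not part of Windows Server 2003, where the same settings live in the Local Security Policy snap-in and a failed logon is event 529 rather than 4625. The folder path is a placeholder.

```powershell
# Added example, not from the book: audit policy, a SACL on the data, log size,
# and a review of failed logons. Assumes an elevated PowerShell session on a
# current Windows host. Paths are placeholders.

$path = 'C:\AppData\Orders'   # placeholder folder holding important data

# 1. Policy: logon/logoff (success and failure), account and group management,
#    and object access for the file system.
$subs = @(
    @{ Name = 'Logon';                     Success = $true; Failure = $true  },
    @{ Name = 'Logoff';                    Success = $true; Failure = $false },
    @{ Name = 'User Account Management';   Success = $true; Failure = $true  },
    @{ Name = 'Security Group Management'; Success = $true; Failure = $true  },
    @{ Name = 'File System';               Success = $true; Failure = $true  }
)
foreach ($s in $subs) {
    $succ = if ($s.Success) { 'enable' } else { 'disable' }
    $fail = if ($s.Failure) { 'enable' } else { 'disable' }
    auditpol /set "/subcategory:$($s.Name)" "/success:$succ" "/failure:$fail" | Out-Null
}
auditpol /get "/category:Logon/Logoff,Account Management,Object Access"

# 2. Object access is only logged for objects that carry a SACL. Audit everyone's
#    successful and failed writes, deletes and permission changes under the folder.
$acl      = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $everyone, 'Write, Delete, ChangePermissions, TakeOwnership',
                'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Give the Security log room (512 MiB here) so it does not roll over before
#    anyone reads it; confirm the retention setting afterwards.
wevtutil sl Security /ms:536870912
wevtutil gl Security

# 4. Review: failed logons in the last 24 hours, grouped by account, source and reason.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            Reason    = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 no such user
        }
    } |
    Group-Object Account, Source, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run the review part on its own after a day of operation: a long list of 0xC0000064 entries from one source is an account enumeration attempt, many 0xC000006A against one account is a password guess, and a handful of either is usually a user with Caps Lock on.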

Active Directory Security

Beside the obvious benefits for administrators and users of having a directory where you can store data, objects, and resources, Active Directory also enhances security. All information about user accounts and groups is stored in a protected way in Active Directory, which makes it harder for an unauthorized user to gain access to your information. Another benefit is that AD both authenticates users that log on to your domain and supplies the group memberships that authorization is based on. This way you can more easily control access to system resources. When a user logs on to the domain, the security system authenticates the user against information stored in Active Directory and builds an access token holding the user's and groups' security identifiers. When the user then tries to access a resource on the network, the server hosting that resource compares the token against the entries in the resource's Discretionary Access Control List (DACL).

EFS, Digital Certificates, and Data Protection

One important aspect of security is protecting your data on disk. Windows now has a very easy way of doing this with the Encrypting File System (EFS). Digital signatures, which are built on digital certificates, complement this by protecting the integrity of data rather than its confidentiality.

Let us have a look at EFS first. EFS is extremely easy to use. To see for yourself, open Windows Explorer and create an ordinary text file in a folder of your choice on an NTFS volume (EFS is an NTFS feature). Right-click the file and select Properties from the menu. Click the Advanced button. A dialog like the one you see in Figure 4-27 is shown. To encrypt the file, simply check the "Encrypt contents to secure data" option and click OK.

Figure 4-27: Encrypting your files and folders

Click OK again and you are done. (Notice the change of the file's color in Windows Explorer.) This procedure works on folders, too. If you encrypt a folder, all files in it are encrypted as well, and files created in it later are encrypted automatically. Keep three things in mind. EFS protects data at rest only: when an encrypted file is read over a network share, the file server decrypts it and sends it in the clear unless the connection itself is protected, for example with IPSec. Copying an encrypted file to a FAT volume or another non-EFS destination leaves an unencrypted copy. And the files are only as recoverable as the user's EFS certificate and private key, so back up that key or configure a data recovery agent before encrypting anything that matters.

Note 

By using the cipher command from a command window, you can also encrypt/decrypt files and folders. Type Cipher /? to access all options for this command.
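The cipher command also answers the questions the Explorer dialog does not: was the data really encrypted, and who can decrypt it? The script below is an added example, not code from the book. It assumes a current Windows host, an NTFS volume, and that EFS has not been disabled by policy; the paths are placeholders and the file contents are constructed.

```powershell
# Added example, not from the book: encrypt a folder with cipher.exe and check what
# actually happened. Assumes a current Windows host and an NTFS volume; paths are
# placeholders and file contents are constructed.

$dir  = Join-Path $env:USERPROFILE 'Documents\Secrets'
$file = Join-Path $dir 'plan.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample secret'

# /E encrypts, /S:<dir> recurses into the folder tree, /A makes the operation
# apply to the files already there as well (without it only folders are marked).
cipher /E /A "/S:$dir" | Out-Null

# Check 1: the Encrypted attribute is set on the folder, on the existing file, and
# on a file created afterwards (new files in an encrypted folder are encrypted
# on creation).
Set-Content -Path (Join-Path $dir 'later.txt') -Value 'also constructed'
$items = @($dir) + (Get-ChildItem -Path $dir -Force | ForEach-Object FullName)
foreach ($p in $items) {
    $isEnc = ((Get-Item -Path $p -Force).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    '{0,-5} {1}' -f $isEnc, $p
}

# Check 2: who can decrypt it. /C lists the users, and any data recovery agents,
# whose certificates the file encryption key has been wrapped for. One user and
# no recovery agent means that losing that user's key loses the data.
cipher /C $file

# Check 3: back up the EFS certificate and private key that protect these files.
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$pfxPassword = Read-Host -Prompt 'Password for the PFX backup' -AsSecureString
Export-PfxCertificate -Cert $efsCert -FilePath (Join-Path $env:USERPROFILE 'efs-backup.pfx') `
    -Password $pfxPassword | Out-Null

# Undo for the demo: /D decrypts the folder tree again.
cipher /D /A "/S:$dir" | Out-Null
```

Store the PFX somewhere other than the encrypted volume itself; a key backup that lives inside the data it protects is no backup at all.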

Digital signatures are also a good way of securing data. By using them you ensure the integrity and origin of the data. A digital signature is computed from a hash of the data with the signer's private key, and anyone holding the matching public key (normally distributed in a certificate) can verify it. Digital signatures therefore provide strong evidence that the data has not been altered since it was signed, and they confirm the identity of the person or entity that signed it. When you have systems involved in e-commerce, digital signing is a good way of enabling integrity and non-repudiation. Keep in mind that digital signatures do not keep the data secret: anyone can still read it. They just tell you it is the same data the signer generated and that no one has altered it.

Public Key Infrastructure (PKI)

A rapidly growing and constantly evolving technology is PKI, or Public Key Infrastructure. PKI helps you verify the identity of a person, computer, or service accessing information. Once that identity is established and mapped to an account, ordinary access control decides which information it may reach. You can use PKI to distribute and manage identification credentials easily and securely across your organization.

When you use PKI, you verify and authenticate each participant through public key cryptography. PKI basically consists of three parts:

  • Digital certificates

  • Certification Authorities (CAs), which issue and sign certificates

  • Registration Authorities (RAs), which verify an applicant's identity on behalf of a CA before a certificate is issued

The digital certificate is a digital statement issued by an authority. The authority vouches for the identity of the certificate holder. The identity can be bound to a person, a computer, or a service. The object the certificate is bound to holds the private key used in the identification process. Many Internet banks use certificates to identify account owners, thereby giving them access to their accounts when they access the bank over the Internet. You can use digital certificates for other things like secure e-mail, Internet Protocol Security (IPSec), and Transport Layer Security (TLS) as well.

Note 

When a host, such as a secure Web server, designates an issuer as a trusted root authority, the host implicitly trusts the policies that the issuer has used to establish the bindings of certificates it issues. In effect, the host trusts that the issuer has verified the identity of the certificate subject. A host designates an issuer as a trusted root authority by placing the issuer's self-signed certificate, which contains the issuer's public key, into the trusted root Certification Authority certificate store of the host computer. Intermediate or subordinate Certification Authorities are trusted only if they have a valid certification path from a trusted root Certification Authority. (For more information, see Technet white paper "Windows 2000 Security Technical Overview" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/sectech.asp)

A certificate can hold many pieces of information, but these are the most common:

  • Validity information (valid from [date and time]–valid to [date and time])

  • The subject's/holder's public key value

  • The subject's/holder's identifier information (name, e-mail, and so on)

  • Issuer identification

  • Digital signature of the issuer, which binds the holder's public key to the identifier information. You check it with the issuer's public key, which is why you must already trust the issuer before the certificate tells you anything.
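The signature paragraph, the note on trusted roots, and the list of certificate fields above fit into one short experiment. The script below is an added example, not code from the book: it issues a self-signed code-signing certificate, prints the fields just listed, signs a file, and shows how the verification result changes when the issuer becomes trusted and again when the signed data is altered. It assumes Windows 10 or Windows Server 2016 or later and Windows PowerShell 5.1 (the New-SelfSignedCertificate -Type parameter is not older than that); the subject name and paths are placeholders and the signed script content is constructed.

```powershell
# Added example, not from the book: sign a file, then watch verification change as
# trust is granted and as the data is tampered with. Assumes Windows 10 / Server
# 2016 or later and Windows PowerShell 5.1. Names and paths are placeholders.

$work   = Join-Path $env:TEMP 'sigdemo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$script = Join-Path $work 'deploy.ps1'
Set-Content -Path $script -Value "Write-Output 'constructed sample script'"

# 1. Issue a code-signing certificate. Self-signed, so issuer and subject are the
#    same entity; in a real PKI the issuer would be your CA.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Demo Signer' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(7)

# The fields the text lists: validity, subject, issuer, public key, issuer's signature.
$cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint,
    @{ n = 'PublicKey';  e = { $_.PublicKey.Oid.FriendlyName } },
    @{ n = 'SignedWith'; e = { $_.SignatureAlgorithm.FriendlyName } } | Format-List

# 2. Sign the file: a SHA-256 hash of the content, signed with the certificate's
#    private key and embedded in a signature block at the end of the file.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null

function Show-SignatureState([string] $Path, [string] $Label) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    '{0,-22} {1,-14} {2}' -f $Label, $sig.Status, $sig.StatusMessage
}
Show-SignatureState $script 'issuer not trusted:'

# 3. Designate the issuer as a trusted root, exactly as the note describes: its
#    self-signed certificate (public part only) goes into the Root store. Windows
#    asks for confirmation, because this is a significant decision.
$cerFile = Join-Path $work 'demo-signer.cer'
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Show-SignatureState $script 'issuer trusted:'

# 4. Alter the signed data: the hash no longer matches the signature.
Add-Content -Path $script -Value "Write-Output 'injected line'"
Show-SignatureState $script 'content altered:'

# Clean up: never leave a demo root in a real trust store.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My') {
    Get-ChildItem -Path $store | Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
}
```

Expect three different results from the same signed file: first a status of UnknownError with a message that the chain terminates in an untrusted root, then Valid once the issuer is in the Root store, and finally HashMismatch after the extra line is appended. The signature itself never changed; only trust in the issuer and the data it covers did, which is the whole point of the paragraph above.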

There are several reasons for deploying a PKI using Windows. The first is its support for strong security. You can have a strong authentication by using smart cards. To be sure of the confidentiality and integrity of your transmitted data, you can use IPSec on public networks. The data you store on your servers can be protected with EFS. As you see, you can combine techniques to strengthen your security.

Secondly, PKI also helps in simplifying management. You can set up a certificate infrastructure that lets you issue certificates, and by integrating these with other technologies, like smart cards, you remove the need for passwords.

If you need to revoke a certificate, you can easily do that using the Certification Authority MMC. Revoking only helps if relying parties check for it, so the CA must publish its certificate revocation list (CRL) to a location (an LDAP or HTTP distribution point) that every client can reach; you can verify that a certificate's chain and revocation information resolve with certutil -verify -urlfetch. If you use Active Directory, you can integrate PKI with this, and then get the ability to control certificates through group policy. It is also possible to map certificates to specific user accounts.

Note 

Certification Services is the component in Windows Server used to create and manage Certification Authorities. Certification Services is managed through the Certification Authority MMC console.

As all this shows, you have many ways to keep your solutions secure. One of the most obvious things Microsoft has done is not mentioned here but was covered in a previous chapter: the way Windows behaves after installation. As opposed to previous versions, practically nothing is enabled by default. This is a very smart move on the part of Microsoft. To get your system up and running, you need to know what you are doing. You must enable the services you need, since the number of services enabled by default has been cut drastically. There is no way you can install IIS by accident, for instance, and even if you did, it would serve nothing but static content: ASP and ASP.NET support have to be enabled manually in the Web Service Extensions list of the IIS manager.

So we can confidently say Microsoft has taken gigantic leaps forward in making a secure environment for applications.

Note 

In this book, in particular the demo application in Chapter 9, we will not use all of the features, of course. You need to be aware of them, though, so you can make the right choice when the moment comes. This is one of the cornerstones of good design.

