
July 17, 2003
Exploring Windows 2003 Security: Overview
By Marcin Policht

Back in January 2002, Microsoft launched "Trustworthy Computing," an initiative focused on securing the Windows platform. This directly affected the release dates of the next wave of Microsoft products (grouped under the .NET umbrella), but the additional months of development effort resulted in products that are considerably more secure and stable than any of their predecessors.

This article is the first in a series covering the security enhancements introduced in Windows 2003 Server.

New features designed to raise the level of security are present in nearly every area of the new operating system. We will start with the ones that affect the greatest number of Windows users and administrators.

Default NTFS and Shared Permissions

In previous versions of Windows, both the default NTFS permissions and the default share permissions granted Full Control to Everyone, effectively leaving the file system unprotected against anyone with local access to the system. This changed starting with Windows XP Professional.

The NTFS permissions granted to the Everyone group on the root of a drive are limited to Read and Execute and apply to the root folder only; they are not inherited by any subfolder created beneath it. The Everyone group is also absent from the access control lists of more sensitive areas of the file system, such as the Program Files and Windows folders. Users, in addition to Read and Execute, can create subfolders (an inheritable right) and create files within those subfolders, but not in the root of the drive itself. The permissions granted to the System account and to members of the local Administrators group have not changed: they retain Full Control over the root folder and all of its subfolders and files. Creator Owner is granted Full Control over subfolders and the files in them, which lets users fully manage the subfolders they create.

Share permissions on newly created shares now default to Read for Everyone.

In addition, the Everyone group no longer includes the Anonymous Logon SID, which further reduces the opportunity for unauthorized access to the file system. You can also quickly verify how effective your NTFS security is by using the Effective Permissions tab on the Advanced Security Settings dialog box for a selected file or folder. This removes the guesswork and the potentially complex analysis of combining inherited and directly assigned NTFS permissions. Note, however, that this feature does not take share permissions into account: access over the network is the intersection of NTFS and share permissions, so the tab can overstate what a remote user is actually able to do.
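To make the evaluation rules behind the Effective Permissions tab concrete, here is an added Python model (not code from this article or from Microsoft) of how a DACL containing inherited and explicit entries is reduced to a maximum-access mask, and of why the tab's answer can overstate what a remote user gets through a share. The rights bits, the folder tree, the group names and the tokens are constructed for the example; the real access check also honours privileges such as Backup and Restore and the owner's implicit rights, which are left out here.

```python
from dataclasses import dataclass

# Simplified access-mask bits. These are example names, not the real FILE_*
# mask values; the evaluation logic is what matters here.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (1 << i for i in range(6))
READ_EXECUTE = READ | EXECUTE
MODIFY = READ | WRITE | EXECUTE | DELETE
FULL_CONTROL = MODIFY | CHANGE_PERMS | TAKE_OWNER
RIGHT_NAMES = [(READ, "Read"), (WRITE, "Write"), (EXECUTE, "Execute"),
               (DELETE, "Delete"), (CHANGE_PERMS, "Change Permissions"),
               (TAKE_OWNER, "Take Ownership")]


@dataclass(frozen=True)
class Ace:
    trustee: str              # user or group name (a SID in a real ACL)
    mask: int
    allow: bool = True
    inherited: bool = False   # arrived from the parent rather than set explicitly
    inheritable: bool = True  # propagates to children ("This folder, subfolders and files")


def inherit_from(parent_dacl):
    """ACEs a newly created child receives when inheritance is enabled on it.
    (CREATOR OWNER substitution is not modeled.)"""
    return [Ace(a.trustee, a.mask, a.allow, inherited=True, inheritable=a.inheritable)
            for a in parent_dacl if a.inheritable]


def canonical_order(dacl):
    """Windows evaluates a DACL in canonical order: explicit deny, explicit allow,
    inherited deny, inherited allow. The Explorer UI writes ACLs that way; ACLs
    written by other tools may not be, so the order is enforced here."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def effective_permissions(dacl, token):
    """Maximum access for a token (the set of user and group identities in it).
    A bit is settled by the first matching ACE that mentions it: an earlier allow
    survives a later deny and vice versa."""
    granted = denied = 0
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted


def effective_over_share(ntfs_dacl, share_dacl, token):
    """What a remote user can actually do: the intersection of NTFS and share access."""
    return effective_permissions(ntfs_dacl, token) & effective_permissions(share_dacl, token)


def describe(mask):
    return [name for bit, name in RIGHT_NAMES if mask & bit]


# Constructed sample modeled on the Windows 2003 defaults described above:
# Everyone gets Read & Execute on the root folder only, and it is not inherited.
ROOT_DACL = [
    Ace("Everyone", READ_EXECUTE, inheritable=False),
    Ace("Users", READ_EXECUTE),
    Ace("Administrators", FULL_CONTROL),
    Ace("SYSTEM", FULL_CONTROL),
]
# D:\Data denies Contractors write/delete; D:\Data\Reports explicitly grants Finance Modify.
DATA_DACL = inherit_from(ROOT_DACL) + [Ace("Contractors", WRITE | DELETE, allow=False)]
REPORTS_DACL = inherit_from(DATA_DACL) + [Ace("Finance", MODIFY)]
# Share created with the Windows 2003 default: Everyone = Read.
SHARE_DACL = [Ace("Everyone", READ_EXECUTE)]

ALICE = frozenset({"alice", "Everyone", "Users", "Finance", "Contractors"})
BOB = frozenset({"bob", "Everyone", "Users", "Contractors"})
GUEST = frozenset({"guest", "Everyone"})

if __name__ == "__main__":
    for who, token in (("alice", ALICE), ("bob", BOB), ("guest", GUEST)):
        local = effective_permissions(REPORTS_DACL, token)
        remote = effective_over_share(REPORTS_DACL, SHARE_DACL, token)
        print(f"{who:6} local: {describe(local)}  via share: {describe(remote)}")
```

Alice ends up with Modify on Reports even though her Contractors membership carries an inherited deny on Write and Delete, because the explicit allow for Finance is evaluated first; over the share, the default Everyone = Read entry cuts her back to Read and Execute, which is exactly the gap the Effective Permissions tab does not show. Guest has Read and Execute on the root but nothing on Reports, since the root's Everyone entry does not propagate.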

File and Folder Ownership

Now you can not only take ownership of a file system object (file or folder), but also assign ownership to any user, using the Owner tab of the Advanced Security Settings dialog box for that file or folder. This simplifies dealing with Windows disk quotas, which are charged against the owner of each file. For example, when an administrator creates a file on a user's behalf (e.g., through a file copy or a new program installation), the administrator becomes the owner of that file, so its size does not count toward the user's quota. In the past, correcting this required cumbersome workarounds or third-party tools. With ownership assignment available through the user interface, the problem is easily fixed, and it works for NTFS volumes on any Windows version (including Windows NT 4.0, 2000, and XP Professional) as long as the change is made from a Windows 2003 Server. Note that assigning ownership to someone other than yourself requires the Restore files and directories privilege, which members of Administrators hold by default.

Note that the same functionality (effective permissions and ownership assignment) is also available for Active Directory objects managed from Windows 2003 servers, via the Effective Permissions and Owner tabs of the Advanced Security Settings dialog box in the Active Directory Users and Computers MMC snap-in.

Windows Services Configuration

Windows Services Configuration changes can be grouped into two main categories:

  • Startup Type: Several services that are frequent targets, such as ClipBook, Network DDE (and Network DDE DSDM), Telnet, and WebClient, are disabled by default. Others are enabled only when needed (e.g., Intersite Messaging during domain controller promotion, or Routing and Remote Access when a Windows 2003 server is configured as a router, demand-dial, or remote access server).
  • Log On As Account: Fewer services run in the security context of Local System, since that account has unlimited local privileges. In many cases Local System is replaced with the Local Service or Network Service account, both of which hold only slightly more privilege than an authenticated user. As the names indicate, Local Service is intended for services that need only local access (it presents anonymous credentials if it reaches out over the network), whereas Network Service is intended for services that require network access and authenticates to remote systems as the computer account.

Authentication

Authentication enhancements apply to authenticating against both local systems and Active Directory domains.

The default local authentication settings limit the use of local accounts with blank passwords to console logon only (the security option "Accounts: Limit local account use of blank passwords to console logon only"). Such accounts cannot be used for any type of access originating from a remote system, such as drive mapping or Remote Desktop/Remote Assistance connections.

Active Directory authentication changes are most prominent in cross-forest trusts. Forest trust functionality allows Kerberos-based trust relationships to be created between forest root domains; this requires both forests to operate at the Windows 2003 forest functional level, which in turn means that all domain controllers are running Windows 2003 Server and every domain is at the Windows 2003 domain functional level.

Such trust relationships are transitive, meaning they extend to all lower-level domains in each of the two forests. This allows any user in one forest to securely access any resource in the other forest, including cross-forest logons (using UPN naming). With the default setting, authentication is forest-wide: every security principal from the other forest has the same ability to access local resources as users and computers from the local forest. In both cases, users remain subject to the permissions set on those resources.

If you are not comfortable with that scenario, you can configure selective authentication on a per-forest-trust basis (this too requires the Windows 2003 forest functional level). You then designate which user or group accounts from the other forest are allowed to authenticate, and against which computers in your forest they may do so. The process consists of two main stages.

The first stage involves granting the security principals from the other forest the "Allowed to Authenticate" permission on the Active Directory computer object that represents the server hosting the resource. For example, assume a trust between two Windows 2003 functional level forests, ForestA and ForestB, configured with selective authentication, and that UserA in DomainA of ForestA must access the ShareB share on ServerB in DomainB of ForestB. The following steps are required.

  • An administrator of DomainA creates a global group (e.g., GroupA) in DomainA and adds UserA to it. You could instead grant the permission directly to UserA (one advantage of that approach is transparency), but dealing with individual user accounts becomes inefficient when there are many of them.
  • Launch Active Directory Users and Computers focused on DomainB, locate ServerB, and double-click its icon to open the ServerB Properties dialog box.
  • On the Security tab, add DomainA\GroupA to the list in the upper portion of the dialog box. In the lower portion, select the Allow checkbox for the "Allowed to Authenticate" and "Read" permissions. This completes the first stage and allows members of DomainA\GroupA to authenticate when accessing DomainB\ServerB.

In the second stage, simply grant the desired level of share and NTFS permissions on ShareB on ServerB to the DomainA\GroupA global group (or add DomainA\GroupA to a DomainB domain local group and grant the permissions to that group). This is done with the standard methods (typically the GUI, or command-line tools such as CACLS). Both stages must succeed: a principal that is not allowed to authenticate to ServerB is refused before the permissions on ShareB are ever consulted.
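The two-stage selective authentication decision above, together with the trust routing that precedes it, as an added Python model (not code from this article or from Microsoft). It goes beyond the text in one respect: a third forest, ForestC, trusting only ForestB, is included to show that a forest trust is transitive across the two forests it joins but does not chain to a third. All domain, server, share, group and user names are constructed for the example, and "Allowed to Authenticate" is reduced to a set of trustees per computer object.

```python
# Domain -> parent domain in its forest (None marks a forest root). Parent/child
# trusts are two-way and transitive, so any domain can reach its forest root.
DOMAINS = {
    "forestA.example": None,
    "domainA.forestA.example": "forestA.example",
    "forestB.example": None,
    "domainB.forestB.example": "forestB.example",
    "forestC.example": None,  # trusts ForestB only
}

# Forest trusts, keyed by the pair of forest roots they join. Each is transitive
# across the two forests it joins but does not chain: A<->B and B<->C give no A<->C.
FOREST_TRUSTS = {
    frozenset({"forestA.example", "forestB.example"}): {"selective": True},
    frozenset({"forestB.example", "forestC.example"}): {"selective": False},
}

# Stage 1 state: trustees granted "Allowed to Authenticate" on each computer object.
ALLOWED_TO_AUTHENTICATE = {"ServerB": {"DomainA\\GroupA"}}
# Stage 2 state: share permissions (trustee -> share right) on the resource.
SHARE_RIGHTS = ["Read", "Change", "Full"]
SHARE_ACL = {"ServerB\\ShareB": {"DomainA\\GroupA": "Change", "Everyone": "Read"}}
# Group membership (constructed) used to build the caller's token.
MEMBERS = {"DomainA\\GroupA": {"DomainA\\UserA"}}


def forest_root(domain):
    while DOMAINS[domain] is not None:
        domain = DOMAINS[domain]
    return domain


def trust_between(user_domain, resource_domain):
    """Forest-trust settings on the path between two domains: {} when both are in
    the same forest (no forest trust involved), None when there is no path."""
    roots = frozenset({forest_root(user_domain), forest_root(resource_domain)})
    return {} if len(roots) == 1 else FOREST_TRUSTS.get(roots)


def token_for(user):
    return {user, "Everyone"} | {g for g, members in MEMBERS.items() if user in members}


def access_check(user, user_domain, server, server_domain, share):
    """Return (allowed, detail) for user reaching the given share on server."""
    trust = trust_between(user_domain, server_domain)
    if trust is None:
        return False, "no trust path"
    token = token_for(user)
    # Stage 1: with selective authentication, the resource forest refuses to
    # authenticate the user to this computer unless the token holds the right.
    if trust.get("selective") and not token & ALLOWED_TO_AUTHENTICATE.get(server, set()):
        return False, f"selective authentication: not allowed to authenticate to {server}"
    # Stage 2: ordinary resource permissions apply in both forest-wide and selective mode.
    rights = [r for t, r in SHARE_ACL.get(f"{server}\\{share}", {}).items() if t in token]
    if not rights:
        return False, "authenticated, but no permission on the share"
    return True, max(rights, key=SHARE_RIGHTS.index)


if __name__ == "__main__":
    cases = [
        ("DomainA\\UserA", "domainA.forestA.example", "ServerB", "domainB.forestB.example"),
        ("DomainA\\UserX", "domainA.forestA.example", "ServerB", "domainB.forestB.example"),
        ("ForestC\\UserC", "forestC.example", "ServerB", "domainB.forestB.example"),
        ("ForestC\\UserC", "forestC.example", "ServerA", "domainA.forestA.example"),
    ]
    for user, udom, server, sdom in cases:
        print(user, "->", server, access_check(user, udom, server, sdom, "ShareB"))
```

UserA passes both stages through GroupA; UserX, who was never added to GroupA, is stopped at stage 1 even though Everyone has Read on the share; UserC from ForestC reaches ShareB as Everyone because the B-C trust uses forest-wide authentication; and UserC cannot reach ForestA at all, since the A-B and B-C forest trusts do not combine.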

Cross-forest authentication can also be performed for user logons through Internet Authentication Service, although in that case a two-way forest trust is required.

This concludes the first article in the Windows 2003 security series. The next installment will examine additional Active Directory security features (such as SID filtering) and look into application code control for managed and unmanaged code.
