Exploring Windows 2003 Security: Networking Functionality

By Marcin Policht
Posted Oct 29, 2003


This installment of our Windows Server 2003 Security series examines networking functionality enhancements in Windows Server 2003, with a focus on the following network-related improvements:

  • More granular level of permissions for controlling access to network configuration
  • Increased manageability of network configuration settings
  • Enhanced network troubleshooting toolset
  • Simplified configuration of security-related settings in DHCP service
  • Increased security of DNS service
  • Built-in entry-level firewall

Controlling Access to Network Configuration Settings

Our Windows Server 2003 Security series marches on to cover networking functionality enhancements made to the operating system, including more granular permission levels, increased manageability of network configuration settings, and an enhanced toolset for troubleshooting.

Local security, controlled through registry and file system permissions as well as rights assigned to local groups such as Local Administrators, Power Users, or Server Operators, has been available since Windows NT and its immediate successor, Windows 2000. The main drawback of these implementations, however, was the lack of granularity in how some types of privileges could be granted. One common administrative complaint was the inability to allow users or first-level support staff to modify the networking configuration of a workstation or a laptop (including forcing a refresh of DHCP-assigned settings) without placing them in one of the privileged groups, such as Administrators or Server Operators. Doing so gave them additional rights, which increased the probability of system misconfiguration or a security compromise.

Windows XP and Windows 2003 resolved this problem with the introduction of a local group called Network Configuration Operators. Members of this group are allowed to:

  • Modify local and remote network connection properties, such as their names, IP addresses, subnet masks, default gateways, and name servers
  • Enable or disable local and remote connections
  • Delete remote connections
  • Renew the DHCP-assigned IP configuration settings (by executing IPCONFIG /RELEASE and IPCONFIG /RENEW commands)

Additional granularity is achieved with the application of group policy settings residing under User Configuration->Administrative Templates->Network->Network Connections, which take precedence over rights resulting from membership in any of the privileged groups. In a domain environment, membership in the local Network Configuration Operators group is controlled through Restricted Groups functionality, which is available in Active Directory Group Policy (under the Computer Configuration->Windows Settings->Security Settings node).

Increased Manageability of Network Configuration Settings

Group policy settings have been covered more thoroughly in previous articles in this series, with discussion of new ways to control network configuration, including assigning Wireless Network (IEEE 802.11) authentication and encryption methods and DNS client settings (such as suffix search order, registration of PTR records, and connection-specific DNS suffix). Administrators can also restrict users' abilities to install or configure network bridging, Internet Connection Sharing, or Internet Connection Firewall (using options located in the Computer Configuration->Administrative Templates->Network->Network Connections node).

Improved Network Troubleshooting Methods

Windows Server 2003 includes a number of new and improved network troubleshooting and diagnostics tools. From a security perspective, the most relevant are:

  • The latest version of NETSTAT offers the -o switch, which displays, in addition to the port number, associated protocol, and connection state, the ID of the individual process using each port. By comparing this list with the content of the Processes tab of Task Manager (or the output of the TASKLIST command line utility), the correlation between ports and the actual executables responsible for their use is easily determined.
  • The IASPARSE.EXE command line utility parses logs produced by Internet Authentication Service and Remote Access Service and converts them into readable format. This typically is done for accounting and authentication troubleshooting purposes.
  • New versions of DCDIAG, NETDIAG, and REPADMIN command line utilities provide more detailed information than their Windows 2000 counterparts.
  • The DHCPLOC utility is capable of detecting and issuing notifications about unauthorized DHCP servers on a network.
  • IP Security Monitor provides a graphical interface for managing IPSec policies and security associations. (The next article in this series will cover IP Security related enhancements.)
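
The port-to-process correlation described in the NETSTAT item above can be scripted. The following Python code is an added example, not part of the original article: it joins text in the layout printed by NETSTAT -ano and TASKLIST /FO CSV /NH and lists each listening port with its owning image, marking PIDs that have no matching process. The sample data and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout printed by `netstat -ano` (not real output).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4000           0.0.0.0:0              LISTENING       2044
  TCP    192.0.2.10:3389        192.0.2.50:1061        ESTABLISHED     880
  UDP    0.0.0.0:500            *:*                                    512
"""
# Constructed sample in the layout printed by `tasklist /FO CSV /NH`.
TASKLIST_SAMPLE = '''"System","4","Console","0","212 K"
"lsass.exe","512","Console","0","5,120 K"
"svchost.exe","716","Console","0","3,456 K"
"svchost.exe","880","Console","0","4,100 K"
'''

def parse_tasklist(text):
    """Map PID -> image name (CSV columns: image, PID, session, session#, memory)."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state, pid) for each socket row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        # UDP rows have no State column, so the PID is always the last field.
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        addr, _, port = f[1].rpartition(":")  # rpartition also copes with [::]:135
        yield f[0], addr, int(port), state, int(f[-1])

def listeners(netstat_text, tasklist_text):
    """Listening TCP and bound UDP ports, each with the image that owns the PID."""
    images = parse_tasklist(tasklist_text)
    rows = []
    for proto, _addr, port, state, pid in parse_netstat(netstat_text):
        if proto == "UDP" or state == "LISTENING":
            # A PID missing from the process list deserves a closer look.
            rows.append((proto, port, pid, images.get(pid, "<not in tasklist>")))
    return sorted(rows, key=lambda r: (r[0], r[1]))

if __name__ == "__main__":
    for proto, port, pid, image in listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto:4}{port:>6}  PID {pid:<5} {image}")
```

A PID that appears in the NETSTAT output but not in the process list usually means the process exited between the two snapshots; if it persists across repeated runs, investigate the host further.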

Simplified Configuration of DHCP Service

One of the security implications of Windows 2000's implementation of DHCP service was its susceptibility to Dynamic DNS name hijacking if the DHCP service is installed on a domain controller. The term "hijacking" refers to a scenario where a rogue system modifies a DNS record of another host through a dynamic update. It is possible to mitigate the risk resulting from using dynamic DNS by implementing Active Directory integrated zones and granting permissions to modify individual records only to a restricted group of accounts. This approach becomes problematic, however, when DHCP service is running on a domain controller, where, by default, it operates in the security context of the domain controller computer account and has full permissions to every record in the Active Directory integrated zones. Since DHCP service is frequently used to update DNS records on behalf of DNS clients (specifics depend on the options selected on the DNS tab of the DHCP Server Properties dialog box), this might lead to DNS name hijacking even with permissions on individual records in place.

Initially, Microsoft simply recommended avoiding such configurations. Later, it decided to include a fix with Windows 2000 Service Pack 1. The fix involved running the NETSH command line utility to alter the account used by DHCP service for DNS registrations, with the syntax:

NETSH DHCP SERVER SET DNSCREDENTIALS UserName Domain Password

where the UserName, Domain, and Password entries contain the credentials to be used. This little-known configuration option is still available in Windows Server 2003; however, there is also a more straightforward way to set up a new account using the Credentials command button on the Advanced tab of the DHCP Server Properties dialog box.

Increased Security of DNS Service

By separating Active Directory integrated DNS zones from other Active Directory partitions, Microsoft further secured their content. You can store and replicate DNS data across all domain controllers in the same domain, you can limit it only to DNS servers in the same domain (DomainDNSZones application partition) or forest (ForestDNSZones application partition), or you can designate your own, custom application partition (created using the NTDSUTIL.EXE command line utility or via programming/scripting methods).

Built-in Entry Level Firewall

Just like Windows XP, Windows Server 2003 Standard and Enterprise editions include Internet Connection Firewall (ICF). Its implementation in Windows 2003 is identical to that of the XP version. As with its predecessor, its limited capabilities mean it is intended as an entry-level firewall for a SOHO environment, typically used in combination with Internet Connection Sharing.

By default, the firewall allows all outgoing traffic and prevents any incoming communication that has not been initiated by the local system (replies to requests initiated on the internal network are permitted). The configuration is modified by allowing incoming traffic for specific types of services (based on the protocol/port/destination IP address combination). A set of pre-defined services is listed on the Services tab of the Advanced Settings dialog box for the network connection on which ICF has been enabled (FTP Server, IMAP3 and IMAP4 servers, SMTP server, POP3 server, Remote Desktop connection, Web Server and Secure Web Server -- HTTP and HTTPS, and Telnet server), but the administrator can also define the type of incoming traffic to be allowed. Responses to incoming ICMP traffic are controlled from the ICMP tab. ICF also offers logging capabilities (configurable from the Security Logging tab).

That concludes our discussion of networking functionality. The next article in this series will focus on improvements related to IP Security and VPN areas.
