Securing Network Resources

Network attacks are the biggest risk for Windows
2000 servers. Since the release of Windows NT 3.1, attackers have been
actively looking for bugs in Microsoft Windows operating systems. Tools like
SecHole, IISInjector, NAT (NetBIOS Auditing Tool), SMBRelay and L0phtCrack have
been developed to reveal passwords, execute actions on a server, forge network
connections and degrade system performance. In addition, several critical
security vulnerabilities have recently been disclosed for Windows 2000 that can
completely expose a network to an intruder.

User-level access controls (smart cards, user passwords) are not sufficient on
their own to protect against network attacks: they authenticate the user at logon,
and do nothing for the traffic that flows afterwards. One computer is usually
shared by several users and as a result is often left logged on, leaving an open
door into the network. If a username and password are intercepted, or an open
session is hijacked, user-level access security cannot stop the attacker from
reaching every resource and system that user can reach.



Although the above risks and problems exist, Windows 2000 Server provides several
protection features: IPSec (Internet Protocol Security), Terminal Services High
Encryption Security, PKI (Public Key Infrastructure), S/MIME (Secure Multipurpose
Internet Mail Extensions), Kerberos and L2TP (Layer 2 Tunneling Protocol).

We will explore how some of these technologies encrypt and authenticate the
messages transmitted over the network, protecting data in transit from being
intercepted or modified by intruders or malicious users.

To Create Kerberos Account Mappings for UNIX Services:

  1. Click Start, and then click Run.
     The Run dialog box appears.
  2. In the Run dialog box, type cmd.exe and press Enter.
  3. At the command prompt, type

       ktpass /princ principalname@yourdomainname /mapuser useraccount /pass complexpassword /out sapsolaris7.keytab

     where principalname is the host principal name (for example host/hostname),
     useraccount is the host's account in Active Directory, and complexpassword is
     the password for that account.

     This command generates a UNIX host keytab file, maps the principal to the
     account and sets the account password. After running it, copy the keytab to
     the UNIX host over a secure channel and merge it into /etc/krb5.keytab there;
     the file contains the host's long-term key, so restrict its permissions.
     Ktpass is included in the Windows 2000 Support Tools. Note that the Windows
     2000 version of ktpass writes only single-DES keys, so the UNIX Kerberos
     library must accept des-cbc-crc or des-cbc-md5.
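Before merging the keytab on the UNIX side, it is worth confirming that ktpass wrote the principal, key version number and encryption type you expect (klist -k shows the same thing). The following is an added example, not code from the original article: a parser for the MIT v2 keytab format that ktpass produces, plus a check that flags missing principals and single-DES or RC4 keys. The host name, realm and key bytes are constructed sample data, not values from the page.

```python
import struct

# Kerberos enctype numbers (IANA registry); ktpass on Windows 2000 only writes DES.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4: do not deploy these today
KEYTAB_V2 = b"\x05\x02"      # MIT keytab format version written by ktpass


def _counted(b: bytes) -> bytes:
    """uint16 length prefix + bytes (the keytab 'counted_octet_string')."""
    return struct.pack("!H", len(b)) + b


def make_keytab_entry(principal: str, enctype: int, key: bytes, kvno: int,
                      timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one v2 keytab entry (used here only to build sample data;
    a real keytab comes from ktpass /out)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack("!H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack("!IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack("!H", enctype) + _counted(key)               # keyblock
    body += struct.pack("!I", kvno)                                   # 32-bit vno extension
    return struct.pack("!i", len(body)) + body


def make_keytab(entries) -> bytes:
    return KEYTAB_V2 + b"".join(entries)


def _take(data: bytes, pos: int):
    (n,) = struct.unpack_from("!H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def read_keytab(data: bytes) -> list:
    """Parse every live entry of an MIT v2 keytab into dicts."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from("!i", data, off)
        off += 4
        if size < 0:                      # negative size = deleted slot, skip it
            off += -size
            continue
        end, pos = off + size, off
        (ncomp,) = struct.unpack_from("!H", data, pos)
        pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from("!IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from("!H", data, pos)
        pos += 2
        key, pos = _take(data, pos)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from("!I", data, pos)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": ts, "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key_len": len(key),
        })
        off = end
    return entries


def check_keytab(data: bytes, expected_principal: str) -> list:
    """Return a list of problems (empty list = keytab looks right)."""
    entries = read_keytab(data)
    problems = []
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append("no entry for %s" % expected_principal)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s kvno %d uses weak enctype %s"
                            % (e["principal"], e["kvno"], e["enctype_name"]))
    return problems


# Constructed sample (hypothetical host and realm, dummy 8-byte DES key),
# shaped like the keytab ktpass writes for a host principal.
SAMPLE_PRINCIPAL = "host/sapsolaris7.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = make_keytab([make_keytab_entry(SAMPLE_PRINCIPAL, 3, bytes(8), kvno=3)])

if __name__ == "__main__":
    for entry in read_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL))
```

Run it against the real file with read_keytab(open("sapsolaris7.keytab", "rb").read()). The key version number matters: if it does not match what the KDC holds after ktpass reset the password, tickets for the host will fail to decrypt, and the 32-bit kvno extension is what keeps the number correct once it exceeds 255.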

 

IPSec: The End-to-End
Security Solution




Windows 2000 provides support for two types of data protection: network data and
stored data. Standardized by the IETF (Internet Engineering Task Force),
IPSec is a security protocol that provides data and identity protection for each
message (packet) transmitted over the network. It can protect communication links
between workgroups, local area networks, branch offices and any remote computer
that needs strong protection against network attacks.



IPSec has two main goals: to protect the contents of IP packets and to defend the
communicating hosts against network attacks. By encrypting and authenticating the
data so that an attacker cannot read or silently alter it, IPSec defeats sniffing,
data modification and identity spoofing, and limits some denial-of-service attacks.
In addition, through cryptographic protection and dynamic key management, a
negotiation step establishes trust between the communicating computers, so that
only trusted systems talk to each other. The sending computer secures each packet
before transmission, and the receiving computer verifies and decrypts it after
receipt. This type of protection is especially useful on a public network where
the traffic is exposed to unauthorized monitoring and access.

To Configure IPSec Filters and Rules:

  1. Click Start, click Run, type MMC, and then click OK.
  2. On the Console menu, click Add/Remove Snap-in.
  3. Click Add.
  4. In the Add Snap-in dialog box, click Group Policy, and then click Add.
  5. Click Local Computer to edit the local Group Policy object, or click Browse
     to find the Group Policy object that you want to use.
  6. Expand Computer Configuration, Windows Settings, Security Settings.
  7. Right-click IP Security Policies on Local Machine, and then click
     Manage IP filter lists and filter actions.

     

Windows 2000 IPSec protects each IP packet by inserting an additional header
after the IP header. The Authentication Header (AH) provides integrity and
origin authentication for the whole packet, including the IP header, but no
confidentiality; it works like a signature on each message, computed over all
fields except the ones routers legitimately change (TTL, checksum), which is also
why AH cannot pass through network address translation. The Encapsulating
Security Payload (ESP) provides privacy for the data in the packet, and can
authenticate the payload as well.
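To make the "signature" idea concrete, here is an added example (not code from the original article) that builds an IPv4 packet with an Authentication Header, computes the ICV with HMAC-SHA1-96 over the immutable fields of the IP header plus the AH and payload, and verifies it; it also shows the part of an ESP packet that is visible to an observer. The key, addresses and payload are constructed sample values, and the HMAC key is supplied directly rather than negotiated, so the IKE exchange Windows 2000 uses to agree keys is out of scope.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51    # IP protocol number for the Authentication Header
ESP_PROTO = 50   # IP protocol number for ESP
ICV_LEN = 12     # HMAC-SHA1-96: the HMAC is truncated to 96 bits


def ip_checksum(hdr: bytes) -> int:
    s = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH authenticates the IP header with the fields routers change zeroed:
    TOS, flags/fragment offset, TTL and header checksum (RFC 2402)."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The ICV field itself is treated as zero while the MAC is computed.
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, spi: int, seq: int,
                    next_header: int, payload: bytes) -> bytes:
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key: bytes, pkt: bytes):
    """Return the authenticated fields, or None if the ICV does not match."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr = pkt[:ihl]
    if ip_hdr[9] != AH_PROTO:
        return None
    ah_fixed = pkt[ihl:ihl + 12]
    nh, plen, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_end = ihl + (plen + 2) * 4
    icv, payload = pkt[ihl + 12:ah_end], pkt[ah_end:]
    if len(icv) != ICV_LEN:
        return None
    if not hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload)):
        return None
    return {"spi": spi, "seq": seq, "next_header": nh, "payload": payload}


def parse_esp_header(pkt: bytes):
    """ESP: only SPI and sequence number are readable; the payload, padding and
    next-header byte are ciphertext (with an optional ICV at the end)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ESP_PROTO:
        return None
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return {"spi": spi, "seq": seq, "ciphertext": pkt[ihl + 8:]}


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; real keys come from IKE
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pkt = build_ah_packet(key, src, dst, 0x1000, 7, 6, b"GET / HTTP/1.0")
    print("intact:", verify_ah_packet(key, pkt))
    print("tampered:", verify_ah_packet(key, pkt[:-1] + b"!"))
```

The checks a practitioner cares about fall out of the construction: flipping a payload byte or the source address invalidates the ICV, while a router decrementing the TTL does not, because TTL is excluded from the MAC. Rewriting the source address, as a NAT device does, fails for the same reason tampering does, which is the AH/NAT incompatibility noted above.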



Terminal Services Security: Ensuring Maximum Protection



Terminal Services is now included in the Windows 2000 Server operating system.
Terminal Services lets users access a server desktop and its installed applications
from client computers. This feature is especially useful for remotely managing
application servers, developing applications and controlling network resources
regardless of where they are located.



Windows 2000 allows you to run Terminal Services in two modes, remote administration
mode and application sharing mode. Remote administration mode is intended for
administrators to manage and maintain the server remotely; in this mode only
members of the Administrators group can log on. Application sharing mode allows
any client to run programs on the server as if they were running locally.



Network security protection can be increased by using the Terminal Services high
encryption level. Windows 2000 Server can assign one of three encryption levels
to client and server connections: Low, Medium and High. With Low encryption,
traffic from the client to the server is encrypted using the RC4 algorithm and a
56-bit key, while traffic from the server to the client is unencrypted. Low
encryption therefore protects what the user types, such as passwords and
application data, but not the screen data the server sends back.

 

To Set Up High Encryption Mode on Terminal Services:

  1. Open Terminal Services Configuration in the Administrative Tools program group.
  2. Click Connections, right-click the connection you want to modify, and click
     Properties.
  3. In the Encryption level list, select High.

     Clients that do not support 128-bit encryption will be refused once High is
     selected, so update the client software before changing the level.

     

     



Medium and High encryption secure data sent in both directions, from the client
to the server and from the server to the client, giving two-way protection of the
session.

The main difference between these two levels lies in the key length. Medium
encryption uses the RC4 algorithm with a 56-bit key (40-bit for RDP 4.0 clients),
while High encryption uses RC4 with a 128-bit key. Given current attack
capabilities, 40- and 56-bit RC4 keys should be treated as inadequate, and High
should be the default wherever clients support it.

About This Section...

Whether you want to learn what network security is, how firewalls work, or
how to script a program in C to manage Active Directory security, this section
is designed to provide useful and easy to understand articles for all levels
of Information Technology professionals. Rather than provide theoretical views
and terms of security principles and systems, we will give you straightforward,
real-life information to apply at work. Some of the topics that we will put
in plain words in our section will be: How to Build a Firewall with Internet
Security and Acceleration (ISA) Server, Analyzing and Monitoring Network Attacks
with Windows 2000 and Using and Creating Advanced Windows 2000 Security Tools
and Utilities with Simple Programs. As a final point, we will focus on providing
the depth necessary to pass any Microsoft-related security exam.


By Leonard Loro

Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist.
His experience includes engaging, managing and implementing large consulting projects
for government agencies and companies such as Microsoft and Nissan, as well as other
Fortune 500 companies. Leonard can be reached at Leonardo.loro@enresource.com.