Chapter 3: Establishing Robust Security
An effective security infrastructure must address a number of different needs:
Core OS security. This prevents unauthorized behavior by application programs.
Application security. This protects programs and information resources from unauthorized use.
Authentication security. This ensures that a user, application, or agent is in fact the entity that it claims to be.
Communications security. This prevents the unauthorized disclosure or modification of information that is transmitted across both external and internal communication networks.
Monitoring and management. This detects and responds to attempts to violate security, and includes the process of improving security techniques as technology and potential threats change.
Multi-level security. This includes the capability of users with varying levels of access privileges to share information resources with appropriate controls.
Security certifications. This includes implementing new ISO-standard certifications that replace United States-specific levels such as C2.
Since its inception, Windows Server has held security as a focus of its architecture because it was specifically created for enterprise computing. Today's Windows Server has exceptional core security features such as Federal Information Processing Standards (FIPS) certification and industry-standard Kerberos authentication services. Windows Server also provides Credential Manager, which allows for the more secure storage of user credentials, including passwords and X.509 certificates. This provides a consistent single sign-on experience for users.
Microsoft has been rated by the multinational Common Criteria for Information Technology Security Evaluation (CCITSE) as having a rapid and effective response mechanism for correcting emergent security issues. This capability to quickly and effectively respond to threats ensures that Windows users will have the minimum number of days of exposure between the discovery of any issue and its correction.
By virtue of their ubiquity, the Windows Desktop and — to a lesser extent — Windows Server are the preferred targets of hackers, viruses, and other security threats. This is because more Windows systems are available to attack than all other types of systems combined. When a new virus or worm that targets Windows is discovered, it is immediately reported through various media outlets because of the potential impact it may have on millions of users and applications.
Many existing Windows applications came online during a time when centralized management of computing was not necessarily the standard. Many organizations allowed, and even encouraged, distribution of responsibility for computing to end users and departmental staffs that did not have the skills or knowledge necessary to properly execute security responsibilities. The Windows Server System has excellent security management capabilities and tools, and when managed with the same discipline and professionalism typically reserved for mainframes, can be as secure and reliable as a mainframe.
Mainframe Security Overview
Although they maintain a reputation for strong security, mainframes are as new to Internet commerce as any other type of processor. In fact, it is arguable that because of the mainframe's genesis during the "pre-hacker" era, there may be a false sense of security that is overly focused on control of physical access.
Mainframe OSs provide strong hardware and software isolation features to prevent applications from interfering with each other or with the supervisory programs of the OS, whether maliciously or accidentally. Applications are typically allocated keys which are then matched to hardware-defined keys in specific address spaces. Any attempt to access memory outside of the permitted address space is not allowed.
Even more physical segregation can be imposed through hardware configuration. Some of these isolation techniques are legacies of the need to share resources among many programs without excessive processing overhead, and their designs were not originally driven strictly by security concerns.
Application security is usually based on access control supervisory programs such as OS/390 Security Server, formerly known as Resource Access Control Facility (RACF), but legacy instances of access controls built into the application are still common. RACF is a venerable and proven solution to controlling almost any type of resource that an application or user may need to use, such as executable programs, datasets, terminals, and Customer Information Control System (CICS)-defined transactions.
Managing access to resources in multiple vendor networked environments generally requires the use of third-party products such as Computer Associates’ ACF2, Top Secret products, or IBM’s Tivoli management products. These products have the same core capabilities as RACF, but are oriented more to the needs of organizations that do business in a multivendor environment.
Authentication security is sometimes confined to user identification (UID) and password control, the level at which RACF itself authenticates. Temporary passtickets can also be created for the use of hardware devices such as multiuser workstations. Digital certificates are processed outside of RACF, and must be converted to a viable UID and password for validation. Again, third-party tools are generally required to enable solutions suitable for modern multivendor environments.
Note that older mainframe-oriented application and authentication security software may have built-in exception provisions that allow system programmers to make special arrangements that bypass standard requirements for individual users, applications, or other resources. This is usually a compromise to achieve adequate performance, and is accepted because many mainframe applications predate the modern Internet era, and were designed at a time when the physical security of the data center was the focus of security efforts.
Networking and communications security involves issues in transmission networks that are beyond the control of mainframe security specialists, and beyond the scope of this book. However, two topics related to this aspect of security are within the purview of mainframe IT security: firewalls and encryption:
Firewalls are responsible for filtering access from the “outside” (the Internet) by both the type of access requested and the source of the request. In addition, firewalls hide the identity and details of internal addresses from the Internet by providing “proxy” Internet access services.
Encryption not only protects the content of messages, but also provides for the dynamic creation of a VPN that allows users in a defined community to communicate securely over the Internet.
The role of the mainframe in providing these services is an example of how the philosophy of centralization and shared use of scarce resources has been challenged by new technologies and new architectural norms. IBM's z/OS and OS/390 include Security and Communications Servers that can deliver these services, but many organizations would not attach a mainframe directly to the Internet, especially in a scenario where the services must ultimately be delivered to a diverse population of end users, most of whom are using networked workstations.
Security monitoring and management functions are available from a variety of mainframe tools. RACF reporting is rather simplistic but thorough, while more advanced software such as Computer Associates' ACF2 and the IBM Tivoli management suite provide sophisticated and easier-to-use analysis capabilities.
Multi-level security is a relatively new issue associated with the current emphasis on government inter-agency data sharing, which is a result of recent security and regulatory concerns. The newest mainframe OSs, such as z/OS, have optional features designed to allow users to access resources and information specific to their role and classification within a multiple agency environment or database.
New security certifications have also been adopted to replace United States-specific certifications such as the Trusted Computer System Evaluation Criteria (TCSEC), with its well known C2 rating. The Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria) was accepted as an ISO standard in 1999.
IBM zSeries 800 and 900 Processor Resource/System Manager (PR/SM) is certified at Evaluation Assurance Level (EAL) 4 of the Common Criteria. PR/SM is an option that provides flexibility by allowing a single machine to be set up with a wide range of partitions, running z/OS, OS/390, z/VM, VM/ESA, VSE/ESA, or Linux, so that requirements for different OS environments can be met. PR/SM provides separation of workloads, prevents the flow of information between partitions, and may be used where separation is required on an individual basis, or where data at different security classifications must be isolated.
Windows Server System Security
OS-based security in the Windows Server System is implemented on an object and policy basis, instead of on a partition basis. That is, the OS provides the tools to associate permissions with individual system objects, including — but not limited to — users, computers, and organizational units. By using these tools, administrators establish policies for how those permissions and user privileges interact. Administrators can set access permissions, assign ownership, and monitor user access at the individual or group level.
Administering security on a local computer or on multiple computers is accomplished by controlling password policies, account lockout policies, Kerberos policies, auditing policies and user rights. System-wide policies can be created by using security templates, applying templates using Security Configuration and Analysis, or editing policies on the local computer, organizational unit, or domain. This is in contrast to mainframe security, which tends to depend more on the physical or logical segregation of workloads.
Windows Server 2003 OS Security
Each edition of Windows Server 2003 supports the indicated security-related attributes:
Windows Server 2003, Standard Edition: Internet Connection Firewall (ICF), Public Key Infrastructure (PKI), Certificate Services, and Smart Cards
Windows Server 2003, Enterprise Edition: ICF, PKI
Windows Server 2003, Datacenter Edition: PKI, Certificate Services, and Smart Cards
Windows Server 2003, Web Edition: PKI, Certificate Services
ICF provides protection to computers directly connected to the Internet and prevents scanning of ports and resources, such as file and printer shares, from external sources. This feature is available for LAN or dial-up networking, VPN, and Point-to-Point Protocol over Ethernet (PPPoE) connections.
PKI allows Windows Server 2003 users to implement standards-based technologies, such as smart card logon capabilities, client authentication through Secure Sockets Layer (SSL) and Transport Layer Security (TLS), secure e-mail, digital signatures, and secure connectivity using Internet Protocol Security (IPSec).
Using Certificate Services, users establish and manage certification authorities that issue and revoke X.509 v3 certificates independently of commercial client authentication services, although commercial authentication can be optionally integrated into the PKI. Little distinction exists between OS and application security in the Windows Server family. Applications not only have full access to the security services built into the OS environment, but also cannot circumvent them.
The Common Language Runtime (CLR) is a key element of Windows Server 2003 that reduces the number of bugs and security holes caused by common programming mistakes, resulting in fewer areas for attackers to exploit. The CLR verifies that applications can run without errors and checks for appropriate security permissions, ensuring that code only performs appropriate operations. It does this by checking where the code was downloaded or installed from, whether it has a digital signature from a trusted developer, and whether the code has been altered since it was digitally signed.
The Windows Server Encrypting File System (EFS) is the core technology for encrypting and decrypting files stored on NTFS volumes. A FIPS-compliant kernel-mode crypto module lets governmental organizations deploy FIPS 140-1-compliant IPSec implementations using Layer Two Tunneling Protocol (L2TP).
Security Configuration and Analysis enables quick review of security analysis results. It presents recommendations alongside current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the capability to resolve any discrepancies that analysis reveals. Windows Server Management Services provides predefined templates that set different levels of security to suit the organization, and administrators can also create a new security template with specific preferences.
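The policy categories listed above (password, account lockout, Kerberos and auditing policies, written as a security template and compared against the machine's current settings) can be checked from the command line as well as from the Security Configuration and Analysis snap-in. The following is an added example, not code from the book or from Microsoft; it assumes an elevated prompt, secedit.exe on the PATH, a constructed baseline with illustrative values, and a working directory of C:\SecBaseline chosen here.

```powershell
# Added example, not from the book: write a constructed baseline in the
# security-template (.inf) format, export what this machine currently
# enforces with secedit.exe, and report the mismatches, which is the check
# the Security Configuration and Analysis snap-in performs interactively.
# Assumptions: elevated prompt, secedit.exe on PATH, C:\SecBaseline chosen here.
$dir = 'C:\SecBaseline'; New-Item -ItemType Directory -Path $dir -Force | Out-Null
$template = Join-Path $dir 'baseline.inf'; $current = Join-Path $dir 'current.inf'
# Illustrative values only; a template meant for /configure also carries a [Version] header.
@'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordHistorySize = 24
MaximumPasswordAge = 60
LockoutBadCount = 5
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxClockSkew = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
'@ | Set-Content -Path $template -Encoding Unicode
# Export the machine's current account, Kerberos and audit policy settings.
secedit.exe /export /cfg $current /areas SECURITYPOLICY /quiet | Out-Null
# Parse "[Section]" and "Key = Value" lines into nested hashtables.
function Read-Inf([string]$Path) {
    $r = @{}; $s = ''
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\[(.+)\]$') { $s = $Matches[1]; $r[$s] = @{} }
        elseif ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $r[$s][$Matches[1]] = $Matches[2] }
    }
    return $r
}
$want = Read-Inf $template; $have = Read-Inf $current
# [Kerberos Policy] is only exported on a domain controller; elsewhere every
# Kerberos key is reported as missing, which is itself a useful finding.
$mismatches = 0
foreach ($section in $want.Keys | Where-Object { $_ -ne 'Unicode' }) {
    foreach ($key in $want[$section].Keys) {
        $actual = if ($have[$section]) { $have[$section][$key] } else { $null }
        if ($actual -ne $want[$section][$key]) {
            $mismatches++
            "MISMATCH [$section] $key : baseline $($want[$section][$key]), machine $actual"
        }
    }
}
"$mismatches setting(s) differ from the baseline"
```

Audit values of 3 mean success and failure are both logged; a value of 0 in the exported file means the category is not audited at all.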
Security certifications are also in place to ensure the integrity of the Windows Server System. Windows 2000 Professional, Server, and Advanced Server all meet Common Criteria EAL 4, augmented with Systematic Flaw Remediation (ALC_FLR.3). This latter augmentation level refers to the proven-effective process that Microsoft has established for responding to emerging security threats.
For more information on Windows Server 2003 security, refer to:
Authentication and Applications Security
Authentication security is also integrated into the Windows Server System. Several varieties of authentication are available, and their use is controlled by policies established by administrators. The Active Directory® service ensures that administrators can manage user authentication and access control easily and efficiently.
Active Directory provides protected storage of user account and group information by exerting access control on objects and user credentials. Because Active Directory stores not only user credentials but also access control information, users who log on to the network obtain both authentication and authorization to access system resources. For example, when a user logs on to the network, the security system authenticates the user with information stored in Active Directory. When the user attempts to access a service on the network, the system checks the properties defined in the discretionary access control list (DACL) for that service.
For more information on Active Directory, refer to:
The equivalent of the mainframe RACF security subsystem for multiple vendor environments in Windows is Microsoft Identity Integration Server (MIIS). MIIS is a centralized service that stores the identity information of users, applications, and network resources. MIIS reduces the security risks and costs associated with managing and integrating identity information across the enterprise. MIIS also simplifies the process of synchronizing information, provisioning and de-provisioning accounts, and managing passwords.
For more information on MIIS, refer to:
Internet Security and Acceleration (ISA) Server connects the modern distributed systems infrastructure to the outside world, allowing for safe two-way interconnection to the Internet while accelerating performance by pooling connections and reusing cached content.
ISA Server is an enterprise-level firewall and proxy server that provides fast, more secure, and manageable connectivity. ISA Server is easier to use than traditional firewalls and enhances Internet connectivity and e-mail security, including networking on a VPN. ISA Server supports industry standard protocols and increases productivity by providing quicker access to the Web, active caching and refreshing of frequently used content, and conserving network bandwidth resources.
A single server running ISA Server can meet small business or branch office needs with integrated wizards for VPN deployment, simple management, security, proxy, and caching functionality. The size of an ISA Web cache can easily be increased by adding more servers to enable a Web proxy array of virtually unlimited size for high availability and accelerated Web access.
For example, an eleven-computer ISA Server array running at the Microsoft corporate campus serves approximately 130,000 unique IP addresses and averages about 75,000 concurrent sessions. During a five-day work week, the array services 732 million Web page requests. Of that traffic, approximately 6 terabytes are retrieved from the Internet, while approximately 700 GB are retrieved from the ISA Server cache.
For more examples of ISA Server performance, refer to:
For more information on ISA Server, refer to:
Sources for Detailed Guidance
For more information on Windows Server 2003 Security, refer to: