Chapter 3 - Establishing Robust Security
An effective security infrastructure must address a number of different needs:
Core OS security. This prevents unauthorized behavior by application programs.
Application security. This protects programs and information resources from unauthorized use.
Authentication security. This ensures that a user, application, or agent is in fact the entity that it claims to be.
Communications security. This prevents the unauthorized disclosure or modification of information that is transmitted across both external and internal communication networks.
Monitoring and management. This detects and responds to attempts to violate security, and includes the process of improving security techniques as technology and potential threats change.
Multi-level security. This includes the capability of users with varying levels of access privileges to share information resources with appropriate controls.
Security certifications. This includes meeting internationally recognized evaluation standards such as the ISO/IEC 15408 Common Criteria, which replaced United States-specific TCSEC levels such as C2.
Brief Historical Perspective on Security
Computer security often involves trade-offs, and the trade-off between security and convenience is a common one. For example, in the early days of computers, computer security was defined by physical security. This meant that computers were kept in locked rooms, guarded and monitored by trusted personnel, and disconnected from outside devices. This security model severely limits the system's usefulness because a computer in a locked room without outside connectivity is inconvenient to use. Any access to the system requires travel to the secure location and physical control of the console. Although this style of security still exists today for a few very highly sensitive systems, a key to successful security measures is a design that minimizes inconvenience.
Microsoft minimizes inconvenience to users and security administrators by providing tools that accomplish security-related tasks. Active Directory® is a repository of information that ensures administrators can manage user authentication and access control easily and efficiently. It also allows central management of many aspects of security policy for the enterprise and offers the user the convenience of a single authentication password to remember. Microsoft Systems Management Server (SMS) 2003 lets administrators deploy and manage the distribution of security-related software updates, freeing the individual user or department from the need to consider the applicability of updates.
Vulnerability Arises from Offering Services
In contrast to the old isolated computers that were inaccessible from outside connections, today's systems offer a wide variety of network-based services, for example, file sharing, Web access, and database access. Any system that offers such services or that is connected to the Internet, whether running UNIX or Microsoft Windows or a mainframe operating system, is vulnerable to attack from outside sources.
When comparing alternative operating systems, evaluate the effort required to implement a corporate policy controlling services offered from individual desktops and departmental servers. Active Directory facilitates enforcement of corporate standards throughout the enterprise.
Authentication, Authorization, and Accounting
Through authentication, authorization, and accounting, computers providing services across a network can distinguish between legitimate requests and unauthorized attempts at access.
Authentication is the means of identifying a valid user. The user presents some proof of identity (a password, a smart card, a Kerberos ticket) that is checked against a directory holding the credentials of valid users. In a large organization, administration of such directories is a vital part of maintaining security. Active Directory offers a centralized service that stores and validates user credentials across an entire organization; it is easier to manage than a distributed collection of authentication services, and because it is an integral part of the Windows operating environment it does not require a third-party add-in.
Authorization defines what rights and services a user is allowed after access is granted. Large-scale systems must be able to limit access to services based on each user's role and responsibility, according to policies set by management. As with the user directory, correct administration of the policies and roles that grant access is vital to security. Active Directory provides the means to control resource access by establishing and enforcing policies and group membership centrally.
Accounting collects information about the end user's access to resources and resource consumption, which can then be processed for billing, auditing, and capacity-planning purposes. Windows integrates accounting information with other events, including security events, to permit correlation and in-depth analysis.
However, even with careful attention to access control, systems can be vulnerable to attack through unforeseen circumstances: software flaws that are exploited, errors in system configuration, or an authorized user who compromises security. Access to secure systems must be monitored so that, in the event of an attack, any damage can be detected, limited, and repaired. Part of the data for monitoring access comes from the accounting information logged in the processes described above, but additional monitoring for intrusion is also important to security.
Balancing Risk and Value
Developing a security policy entails identifying corporate information assets, characterizing threats against these assets, balancing the possible damage from a security breach and the likelihood of such a breach, and the cost of measures to prevent or deter the attack. If a computer system holds data that is of little value and can be easily replaced, elaborate security measures are not warranted. However, a system holding crucial high-value information justifies strong protective measures. Again, the central management provided by Active Directory and Systems Management Server lowers the cost of protective measures and eases the identification of assets and threats.
UNIX was created at AT&T Bell Laboratories as a research project and was initially used by a small community of engineers. Because this was a relatively benign environment, security was not a key requirement of the UNIX design: the system authenticated users and distinguished ordinary work from system administration, but little more.
For example, the user identity file, /etc/passwd, was readable by every user, and some application programs required access to it. The passwords stored in that text file were not in clear text but were hashed with the crypt(3) function, and a hash that any user can read can be attacked offline by a dictionary attack or by brute-force guessing, which the more powerful computers available today make practical. In response to this vulnerability, UNIX developers relocated the password hashes to the shadow password file, which is readable only by root. Modern UNIX systems provide common, secure user authentication across multiple computers in a network through mechanisms such as NIS+ or, more commonly now, LDAP and Kerberos.
The original UNIX authorization system centered around file system ownership and permissions. A file in the file system is owned by a user and group and three sets of permissions to read, write or execute are defined for the file: one set for the owning user, one for the owning group, and a third set for all other system users. Each user can be a member of more than one group. A single special user, root, is defined as the system administrator and has full access to all system resources, regardless of ownership or permissions.
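The owner/group/other check described above has one property that catches practitioners out: exactly one class applies, with no fall-through, so an owner whose own bits are empty is refused even when the group or other bits would allow access. The following added example (not code from the original chapter) models that check, including root's bypass of read/write checks and the rule that root still needs at least one execute bit to run a regular file. File metadata is assumed to be given as (owner uid, group gid, mode bits); setuid, sticky bits and ACLs are not modelled.

```python
"""Classic UNIX owner/group/other permission check, modelled in Python.

Added example for this chapter, not code from the original document.
Assumptions: a regular file described by (owner uid, group gid, mode bits);
no POSIX ACLs, setuid/setgid or sticky bits are modelled.
"""
R, W, X = 4, 2, 1


def unix_access(uid: int, gids: set[int], owner: int, group: int,
                mode: int, requested: int) -> bool:
    """True if a process with uid and group set gids may perform
    `requested` (a bitmask of R|W|X) on the file."""
    if uid == 0:
        # root bypasses read/write checks entirely; for execute on a regular
        # file the kernel still requires at least one x bit to be set.
        if requested & X and not (mode & 0o111):
            return False
        return True
    # Exactly one class applies, and there is no fall-through: an owner whose
    # own bits deny access is refused even if the group or other bits allow it.
    if uid == owner:
        bits = (mode >> 6) & 0o7
    elif group in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & requested) == requested


def mode_string(mode: int) -> str:
    """Render the nine permission bits as ls(1) does, e.g. 0o644 -> 'rw-r--r--'."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        out.append(("r" if bits & R else "-")
                   + ("w" if bits & W else "-")
                   + ("x" if bits & X else "-"))
    return "".join(out)


if __name__ == "__main__":
    # Constructed file: owned by uid 1001 / gid 1001, mode ---rw-r-- (0o064).
    owner, group, mode = 1001, 1001, 0o064
    print(mode_string(mode))
    print("owner read: ", unix_access(1001, {1001}, owner, group, mode, R))
    print("group write:", unix_access(1002, {1001}, owner, group, mode, W))
    print("other write:", unix_access(1003, {1003}, owner, group, mode, W))
    print("root write: ", unix_access(0, {0}, owner, group, mode, W))
    print("root exec on 0o644:", unix_access(0, {0}, owner, group, 0o644, X))
```

The 0o064 file is the instructive case: the owner cannot read a file that every other member of the group can read and write, and a casual reading of the mode string does not make that obvious.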
Development of Network Access
AT&T initially made UNIX available at a low cost to the academic community. The University of California at Berkeley licensed UNIX from AT&T and developed substantial components for the system, including the first widely used implementation of the TCP/IP network stack and the socket-based application programming interface, both of which are still in use. Before that, UNIX did not provide network access, although it did support remote access over serial lines, including dial-up modems.
The academic security environment surrounding UNIX was mostly benign because key administrative data-processing systems were typically hosted on mainframes. Functionality rather than security was the main UNIX design goal, and developers added many insecure services to the system, such as telnet, ftp, and rsh. These relied on password or host-based (.rhosts) authentication and transmitted passwords and all other data in clear text across the network, where anyone able to observe the traffic could read them.
The growth of UNIX coincided with the development of what eventually became the Internet. This growing wide area network connected many of the systems at universities, exposing them to many possible security threats.
Modern network services rely on cryptography for security. Secure protocols authenticate the parties using either a shared secret or a public/private key pair, and then encrypt the session so that the channel is safe from eavesdropping and tampering.
UNIX systems typically incorporate encryption for communication security, whether provided by open source software, manufacturer provided components or additional third-party products. Standard network protocols incorporating encryption include:
Secure Web access (HTTPS, that is, HTTP over SSL/TLS)
A virtual private network protocol (for example, IPSec)
Secure authentication and authorization protocol (for example, Kerberos)
Protocols incorporating digital signatures (for example, S/MIME for signed and encrypted e-mail)
Microsoft Windows incorporates standards-based encryption protocols as well as the Encrypting File System (EFS) and a cryptographic API (CryptoAPI) supporting third-party security devices such as smart cards.
A network firewall provides a single point of control to defend a private network from unauthorized access originating in the public Internet. The firewall limits access by rejecting unauthorized network traffic from the outside network, preventing possibly dangerous traffic from reaching computers on the internal network.
Windows client and server systems include Internet Connection Firewall (ICF), a stateful packet filter, together with Internet Connection Sharing (ICS), which provides network address translation (NAT). These can protect a single system from attack or act as a simple gateway separating a small protected network from the Internet; a dedicated firewall product such as ISA Server (described later in this chapter) is the appropriate choice for an enterprise perimeter.
A firewall protects against software flaws in services provided on the protected network by excluding traffic that may exploit a flaw. It can also prevent an inadvertent administrative configuration error from compromising security by preventing incoming traffic from reaching an incorrectly configured system. By centralizing policy control and monitoring, a firewall reduces the number of systems that need to be carefully administered and monitored, ultimately increasing security and reducing costs.
To provide remote network access for traveling users or to share resources with business partners, firewalls can provide virtual private networks (VPNs), using the public Internet to create an encrypted network-to-network connection.
Windows client and server systems include VPN capability based on L2TP/IPSec (and the older PPTP).
Although a network firewall limits the services accessible from the outside network, usually some services must be allowed. Any permitted service represents a potential vulnerability.
Furthermore, firewalls cannot protect systems from attack by an insider. Whether connected directly to the protected internal network, or connected from outside through an authorized mechanism, an insider may have access to systems and services not under the control of the firewall.
Bugs and Updates
As the Internet has grown, organizations responding to security vulnerabilities have evolved. The CERT Coordination Center disseminates information on security flaws that affect the Internet. The lists of bugs and updates maintained by this and other security-related organizations clearly demonstrate that all software manufacturers face the same problem: new flaws are constantly discovered and must be fixed quickly and the fixes distributed to customers using the affected software.
Linux is a further alternative to UNIX and Windows. However, a Forrester Research study indicated that Microsoft's responses to security threats were faster than those of major Linux vendors, including Red Hat and Debian.
In any large enterprise, keeping up with the flow of security-related updates is a challenge. Automated tools to manage the update process are a necessity. Microsoft provides the Windows Update Services (WUS) and the Systems Management Server (SMS) to address this need.
As noted earlier, early UNIX systems shipped with many network services enabled and few safeguards in place. This is an example of the security versus convenience trade-off: a system shipped with services disabled requires an experienced administrator to select and configure those appropriate to a given application, whereas a system with everything enabled works immediately but exposes every one of those services to attack. Software vendors have acknowledged that, in the face of today's security threats, systems should ship in a more secure default configuration.
Newer Microsoft systems are more secure by default. This is one aspect of the Microsoft Trustworthy Computing Initiative, a company-wide initiative to deliver four essential aspects of trustworthy computing (security, privacy, reliability, and business integrity) in its products and services. Providing secure services, such as Active Directory's Kerberos authentication, that replace or enhance less secure services limits the loss of convenience that hardening otherwise brings.
Access Control Lists (ACLs)
The original UNIX authorization mechanism provided limited flexibility in assigning access rights: a file can distinguish only its owner, one group, and everyone else. Modern UNIX systems have been augmented with optional POSIX-style access control lists (ACLs) that provide finer-grained authorization. Windows also provides access control through ACLs, which are an integral part of the modern Windows design rather than an add-on.
Windows Server System Security
Windows Server was designed for enterprise computing, and security has been a focus of its architecture since its inception. Today's Windows Server provides core security features such as cryptographic modules validated under Federal Information Processing Standard (FIPS) 140 and industry-standard Kerberos authentication. Windows Server also provides Credential Manager, which allows for the secure storage of user credentials, including passwords and X.509 certificates, giving users a consistent single sign-on experience.
OS-based security in the Windows Server System is implemented on an object and policy basis rather than on a partition basis. That is, the OS provides the tools to associate permissions with individual system objects, including but not limited to users, computers, and organizational units, and administrators use those tools to establish policies for how permissions and user privileges interact. Administrators can set access permissions, assign ownership, and monitor user access at the individual or group level.
Administering security on a local computer or on multiple computers is accomplished by controlling password policies, account lockout policies, Kerberos policies, auditing policies, and user rights. System-wide policies can be created by using security templates, applying templates with the Security Configuration and Analysis snap-in, or editing the policies of the local computer, an organizational unit, or a domain.
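Security templates are INI-style .inf files, and the comparison that Security Configuration and Analysis performs (template setting beside current setting, mismatches flagged) is easy to reproduce for review outside the console. The following added example, not code from the original chapter or a Microsoft tool, parses the [System Access] section of a template and reports every value that misses a baseline. The template text and the baseline thresholds are constructed; the key names are the ones secedit uses. Two settings deserve the special handling shown: MaximumPasswordAge 0 means passwords never expire and LockoutBadCount 0 means no lockout at all, so a simple upper bound would pass both.

```python
"""Check a Windows security template (secedit .inf) against a baseline.

Added example for this chapter, not code from the original document. It
mirrors what Security Configuration and Analysis does when it flags settings
that differ from a template. The template text and the baseline values are
constructed; the key names are the ones secedit uses.
"""
import configparser

# Baseline: key -> (predicate on the integer value, human-readable requirement)
BASELINE = {
    "MinimumPasswordLength": (lambda v: v >= 8, ">= 8"),
    "PasswordComplexity":    (lambda v: v == 1, "== 1 (enabled)"),
    "PasswordHistorySize":   (lambda v: v >= 24, ">= 24"),
    # 0 means passwords never expire, so an upper bound alone is not enough.
    "MaximumPasswordAge":    (lambda v: 1 <= v <= 90, "between 1 and 90 days"),
    # 0 means no lockout at all.
    "LockoutBadCount":       (lambda v: 1 <= v <= 10, "between 1 and 10 attempts"),
}


def parse_template(text: str) -> configparser.ConfigParser:
    """secedit templates are INI-style; keys are case-sensitive, so keep case.
    Files exported by secedit are UTF-16, so decode them before calling this."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_template(text: str) -> list[tuple[str, str, str]]:
    """Return (key, actual, required) for every setting that misses the baseline."""
    cp = parse_template(text)
    section = cp["System Access"] if cp.has_section("System Access") else {}
    findings = []
    for key, (ok, requirement) in BASELINE.items():
        if key not in section:
            findings.append((key, "not defined", requirement))
            continue
        value = int(section[key])
        if not ok(value):
            findings.append((key, str(value), requirement))
    return findings


# Constructed templates: a weak one and a hardened one.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
MaximumPasswordAge = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 60
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for key, actual, required in check_template(WEAK_TEMPLATE):
        print(f"{key}: {actual} (required {required})")
    print("hardened findings:", check_template(HARDENED_TEMPLATE))
```

On the server itself, `secedit /analyze /db check.sdb /cfg template.inf` produces the equivalent comparison against the live configuration, and `secedit /configure` applies the template; the script above is for reviewing templates before they are rolled out.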
Windows Server 2003 OS Security
Each edition of Windows Server 2003 supports the indicated security-related attributes:
Windows Server 2003, Standard Edition: Internet Connection Firewall (ICF), Public Key Infrastructure (PKI), Certificate Services, and Smart Cards
Windows Server 2003, Enterprise Edition: ICF, PKI, Certificate Services, and Smart Cards
Windows Server 2003, Datacenter Edition: PKI, Certificate Services, and Smart Cards
Windows Server 2003, Web Edition: PKI, Certificate Services
ICF protects computers directly connected to the Internet by blocking unsolicited inbound traffic, so that ports and resources such as file and printer shares cannot be scanned or reached from external sources. It is available for LAN or dial-up networking, VPN, and Point-to-Point Protocol over Ethernet (PPPoE) connections.
PKI allows Windows Server 2003 users to implement standards-based technologies, such as smart card logon capabilities, client authentication through Secure Sockets Layer (SSL) and Transport Layer Security (TLS), secure e-mail, digital signatures, and secure connectivity using Internet Protocol Security (IPSec).
Using Certificate Services, organizations establish and manage certification authorities that issue and revoke X.509 v3 certificates independently of commercial certificate providers, although a commercial authority can optionally be integrated into the PKI.
There is little distinction between OS and application security in the Windows Server family. Applications have full access to the security services built into the OS environment and, as long as they run under appropriately limited accounts, cannot circumvent them.
The Common Language Runtime (CLR) is a key element of Windows Server 2003 that reduces the number of bugs and security holes caused by common programming mistakes, leaving fewer vulnerabilities for attackers to exploit. Before managed code runs, the CLR verifies that it is type-safe, which rules out buffer overruns and similar memory errors in verifiable code, and it enforces code access security so that code performs only the operations its permissions allow. Those permissions are derived from evidence: where the code was downloaded or installed from, whether it carries a digital signature from a trusted publisher, and whether it has been altered since it was signed. These protections apply only to managed code; native applications are unaffected.
Security Configuration and Analysis enables quick review of security analysis results. It presents the template's recommended settings alongside the current system settings and uses visual flags or remarks to highlight any areas where the two do not match. Security Configuration and Analysis also offers the capability to resolve any discrepancies that analysis reveals by applying the template. Predefined security templates provide different levels of security to suit the organization, or a new template can be created with specific preferences.
Security certifications are also in place to attest to the integrity of the Windows Server System. Windows 2000 Professional, Server, and Advanced Server all meet Common Criteria EAL 4, augmented with Systematic Flaw Remediation (ALC_FLR.3). The augmentation refers to the established process that Microsoft has in place for responding to emerging security threats. As with any Common Criteria evaluation, the rating applies to the specific evaluated configuration documented in the security target, not to every possible deployment.
Authentication and Applications Security
Authentication security is also integrated into the Windows Server System. Several varieties of authentication are available, and their use is controlled by policies established by administrators. The Active Directory service ensures that administrators can manage user authentication and access control easily and efficiently.
Active Directory provides protected storage of user account and group information by exerting access control on objects and user credentials. Because Active Directory stores not only user credentials but also access control information, users who log on to the network obtain both authentication and authorization to access system resources. For example, when a user logs on to the network, the security system authenticates the user with information stored in Active Directory. When the user then attempts to access a resource on the network, the system evaluates the discretionary access control list (DACL) on that object against the user's access token.
Windows Server 2003 can be used for authentication and as an identity store within heterogeneous Windows Server System and UNIX environments. Windows uses the standards-based security and directory services provided by LDAP and Kerberos to provide secure and single sign-on capabilities between Windows, UNIX, and Linux systems.
Microsoft also provides Microsoft Identity Integration Server (MIIS), a centralized service that stores the identity information of users, applications, and network resources. MIIS reduces the security risks and costs associated with managing and integrating identity information across the enterprise. MIIS also simplifies the process of synchronizing information, provisioning and de-provisioning accounts, and managing passwords.
Internet Security and Acceleration (ISA) Server connects the modern distributed systems infrastructure to the outside world, allowing for safe two-way interconnection to the Internet while accelerating performance by pooling connections and reusing cached content.
ISA Server is an enterprise-level firewall and proxy server that provides fast, secure, and manageable connectivity. ISA Server is easier to use than traditional firewalls and enhances Internet connectivity and e-mail security, including networking on a VPN. ISA Server supports industry standard protocols and increases productivity by providing quicker access to the Web, active caching and refreshing of frequently used content, and conserving network bandwidth resources.
A single server running ISA Server can meet small business or branch office needs with integrated wizards for VPN deployment, simple management, security, proxy, and caching functionality. The size of an ISA Web cache can be easily increased by adding more servers to enable a Web proxy array of virtually unlimited size for high availability and accelerated Web access.
For example, an eleven-computer ISA Server array running at the Microsoft corporate campus serves approximately 130,000 unique IP addresses and averages about 75,000 concurrent sessions. During a five-day work week, the array services 732 million Web page requests. Of that traffic, approximately 6 terabytes are retrieved from the Internet, while approximately 700 GB are retrieved from the ISA Server cache.
Microsoft Response to Security
By virtue of its ubiquity, the Windows desktop, and to a lesser extent Windows Server, is the preferred target of hackers, viruses, and other security threats, simply because there are more Windows systems available to attack than all other types of systems combined. When a new virus or worm that targets Windows is discovered, it is immediately reported through various media outlets because of the potential impact it may have on millions of users and applications.
Microsoft's process for correcting emergent security vulnerabilities was evaluated under the Common Criteria for Information Technology Security Evaluation, which is the basis of the ALC_FLR.3 flaw-remediation augmentation noted above. A rapid and effective response process minimizes the number of days of exposure between the discovery of a vulnerability and the availability of its correction, although customers must still deploy the fix before they are protected.
As the importance of enterprise information systems has grown and the Internet has evolved, companies have increasingly recognized the need for information security. Security is not merely a technical matter, but also is an ongoing process of choosing good policies, selecting and implementing tools to support those policies, and monitoring the results.
Microsoft has recognized and responded strongly to the security needs of its customers by emphasizing security in the design of the Windows Server, by implementing tools to ease security administration, by offering enterprise-level security products, and by developing and pursuing the Trustworthy Computing Initiative.