Ask Us About... Security, August 2001

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By Joel Scambray

Just over a year ago, Ask Us About Security was born to much fanfare, and over the past year, I have thoroughly enjoyed answering all of your questions in this space. It is thus with some sadness that I announce that this month will be the last AUAS column authored by me, as I have decided to focus on my new book, Hacking Exposed: Windows 2000, in the coming months before its scheduled release in October of this year. Hacking Exposed: Windows 2000 continues in the tradition of the main Hacking Exposed title (due out in a Third Edition in October as well), with an extended and expanded focus on Microsoft Windows® 2000. AUAS will live on under new ownership starting in September.

Well, shoot. Before I get all misty-eyed here, let's take a look back at what I consider some of the more important security nuggets we've covered in the last year.

On This Page

Active Directory Security
IPSec Filters
Client-Side Security
Encrypting File System (EFS)
Plan for Security, and Keep Up With Patches

Active Directory Security

From the very start, the AUAS Inbox was well populated with questions on Active Directory® directory service security. Here is a compendium of the tips covered in this space.

Backwards Compatibility

When a computer running Windows 2000 is promoted to a domain controller, the Active Directory Installation Wizard (dcpromo.exe) asks several questions about the directory configuration. One of those questions is whether security should be relaxed on directory objects to permit access from down-level systems like Microsoft Windows NT® 4 RAS servers and computers running SQL Server™. If you choose to relax security, the Everyone identity is added to the Pre-Windows 2000 Compatible Access group. Pre-Windows 2000 Compatible Access has read permissions on many critical directory objects, including the Users and Groups containers. Thus, by selecting legacy security, Everyone has permissions to enumerate user accounts and group names on the domain. You can alleviate this situation by removing Everyone from the Pre-Windows 2000 Compatible Access group like so:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete

Remember that this will affect down-level client access to certain directory objects. Thus, it's best to try to migrate Windows NT 4 RAS and SQL Server systems to Windows 2000 first.

Security Boundary: The Forest

Many people have also asked me whether a domain is still the primary security boundary in Windows 2000. For the most part, a domain still provides an administrative boundary, but due to the extensive two-way trusts inherent in a Windows 2000 forest, the only way to prevent certain users from ever being granted permissions to certain resources is to put them in a different forest than the resources. If necessary, you can use explicit trust relationships to allow those users to be granted access to resources in specific domains. In addition, service accounts that exist in one domain of the forest but are authenticated in another are at risk of having their passwords revealed from the LSA Secrets cache if the domain in which they authenticate is compromised. Finally, it is possible for a domain administrator in any domain in the forest who has been delegated the ability to create objects to intentionally or unintentionally create a denial of service condition by rapidly creating or deleting objects, thus causing a large amount of replication to the global catalog. For these key reasons, I recommend that you consider the forest to be the absolute boundary of security in Windows 2000.

IPSec Filters

My September 2000 column covered the use of IPSec filters for their personal firewall-like functionality. Setting up IPSec filters is relatively easy for knowledgeable network security personnel, using either the graphical interface under Security Policy | IPSec Policies on Local Machine or the ipsecpol command-line tool from the Resource Kit (also available within the Windows 2000 Internet Server Security Configuration Tool for Internet Information Server 5 (IIS5)). Here is a good article on building IPSec filters, and here are some custom filters written by colleagues of mine who are well known in the security field.

One key issue that was highlighted in that column is the NoDefaultExempt Registry key. Some recent research has prompted me to strongly recommend setting this key to 1 when using IPSec filters. Otherwise, Kerberos and RSVP traffic are allowed to bypass IPSec, and could potentially be leveraged by an attacker. That key again is:

HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt (DWORD) = 1

Kerberos and RSVP traffic are no longer exempted by default once this registry value is set to 1. Broadcast, multicast, and IKE traffic are still exempt even when the value is 1 (Windows XP may implement a value of 2 here that also covers broadcast and multicast).
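The two domain-controller hardening points above (removing Everyone from Pre-Windows 2000 Compatible Access, and setting NoDefaultExempt to 1) are easy to forget during a build and easy to regress later. The following PowerShell script is an added audit example written for this page; it is not code from the original column or from Microsoft. It reports both settings and, only when run with -Fix, applies exactly the remediation the column gives. It assumes English-language output from net.exe, since it parses the separator and completion lines of net localgroup, and it assumes the registry path named above.

```powershell
# Added example: audit the two settings discussed above on a domain controller.
#   1. Is the Everyone identity a member of "Pre-Windows 2000 Compatible Access"?
#   2. Is HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt set to 1?
# Read-only unless -Fix is given. Assumes English-language net.exe output.
[CmdletBinding()]
param(
    [switch]$Fix
)

$groupName = 'Pre-Windows 2000 Compatible Access'
$ipsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'

function Get-NetLocalGroupMembers {
    param([string]$Name)
    # net localgroup prints a header, a "-----" separator, one member per line,
    # then "The command completed successfully."
    $lines = & net.exe localgroup "$Name" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup '$Name' failed: $($lines -join ' ')"
    }
    $inMembers = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) { $line.Trim() }
    }
}

# --- Check 1: Everyone in Pre-Windows 2000 Compatible Access ------------------
$members = @(Get-NetLocalGroupMembers -Name $groupName)
$everyone = $members | Where-Object { $_ -match '(^|\\)Everyone$' }
if ($everyone) {
    Write-Warning "'Everyone' is a member of '$groupName': any user can enumerate accounts and groups."
    if ($Fix) {
        # Same command the column gives; this breaks NT4 RAS / SQL Server down-level access.
        & net.exe localgroup "$groupName" everyone /delete | Out-Null
        Write-Host "Removed 'Everyone' from '$groupName'."
    }
} else {
    Write-Host "OK: 'Everyone' is not in '$groupName'. Members: $($members -join ', ')"
}

# --- Check 2: NoDefaultExempt ---------------------------------------------------
$value = (Get-ItemProperty -Path $ipsecKey -Name NoDefaultExempt -ErrorAction SilentlyContinue).NoDefaultExempt
if ($null -eq $value -or [int]$value -lt 1) {
    Write-Warning "NoDefaultExempt is absent or 0: Kerberos and RSVP traffic bypass the IPSec filters."
    if ($Fix) {
        New-ItemProperty -Path $ipsecKey -Name NoDefaultExempt -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set NoDefaultExempt=1; restart the IPSEC policy agent for it to take effect."
    }
} else {
    Write-Host "OK: NoDefaultExempt=$value; only broadcast, multicast and IKE remain exempt."
}
```

Run it as a local administrator on the domain controller; the first pass should be without -Fix so that the member list can be reviewed before any down-level clients lose access.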

Client-Side Security

Another popular topic in my Inbox was Internet Explorer and Microsoft Outlook® and Outlook Express security, and rightly so. The server side of Internet security gets all of the headlines, while the client side opens just as many holes and gets much less attention. Make sure your personal slice of the Internet is secured by following these simple guidelines we discussed in my previous columns.

First, familiarize yourself with Internet Explorer's Security Zones. I set the Internet Zone on a fairly restrictive setting, as shown below:

Category                         | Setting Name                                        | Recommended Setting | Comment
---------------------------------|-----------------------------------------------------|---------------------|-------------------------------------------------------------------------------------
ActiveX® controls and plug-ins   | Script ActiveX controls marked "safe for scripting" | Disable             | Client-resident "safe" controls can be exploited
Cookies                          | Allow per-session cookies (not stored)              | Enable              | Less secure but more user-friendly
Downloads                        | File download                                       | Enable              | Internet Explorer will automatically prompt for download based on the file extension
Scripting                        | Active scripting                                    | Enable              | Less secure but more user-friendly

I also set the Restrictive Sites zone to the most restrictive settings possible (I basically disable everything). I then set my Outlook/Outlook Express to use the Restricted Sites zone when reading e-mail.

For sites that I trust that require additional features to be enabled on my browser, I add them to my Trusted Sites zone, which is very liberally configured (I set it close to the Low setting). This allows me to browse sites like Microsoft Update and enjoy all of the functionality of the ActiveX content on the site.
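Zone settings drift: a helpful installer or a "fix" pasted from a web page can quietly re-enable script-safe ActiveX in the Internet zone. The PowerShell function below is an added example, not code from the original column or from Microsoft; it compares the current user's Internet zone (zone 3) against the recommended settings in the table above. It assumes the documented Internet Explorer zone-policy registry layout, in which each setting is a numbered action value under the zone key (0 = Enable, 1 = Prompt, 3 = Disable); confirm the action IDs against the Internet Explorer version in use, since later versions moved cookie handling to the Privacy tab.

```powershell
# Added example: compare the Internet zone (zone 3) against the column's table.
# Assumes the IE zone-policy registry layout: one DWORD per action ID under the
# zone key, with 0 = Enable, 1 = Prompt, 3 = Disable. Verify IDs for your IE version.
$zonesRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$internetZone = Join-Path $zonesRoot '3'

# Recommended settings from the table: action ID -> setting name and expected value.
$recommended = @{
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting'; Expected = 3 }
    '1A03' = @{ Name = 'Allow per-session cookies (not stored)';            Expected = 0 }
    '1803' = @{ Name = 'File download';                                     Expected = 0 }
    '1400' = @{ Name = 'Active scripting';                                  Expected = 0 }
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$ZonePath, [string]$ActionId)
    # Per-user values live under HKCU; a missing value means IE falls back to
    # the machine policy or the zone template default, so report it as unset.
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$ActionId
}

function Test-InternetZone {
    param([string]$ZonePath = $internetZone)
    $results = foreach ($id in $recommended.Keys) {
        $actual = Get-ZoneSetting -ZonePath $ZonePath -ActionId $id
        $actualLabel = if ($null -eq $actual) {
            '(not set in HKCU)'
        } elseif ($labels.ContainsKey([int]$actual)) {
            $labels[[int]$actual]
        } else {
            "(unknown value $actual)"
        }
        [pscustomobject]@{
            ActionId = $id
            Setting  = $recommended[$id].Name
            Expected = $labels[$recommended[$id].Expected]
            Actual   = $actualLabel
            Matches  = ($null -ne $actual) -and ([int]$actual -eq $recommended[$id].Expected)
        }
    }
    $results | Sort-Object ActionId
}

# Print the comparison; rows with Matches = False deviate from the table.
Test-InternetZone | Format-Table -AutoSize
```

The same function can be pointed at zone 4 (Restricted Sites) by passing -ZonePath, which is the zone the column recommends for reading e-mail; there, every row should come back as Disable.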

Speaking of Windows Update, remember to keep Internet Explorer and Outlook/Outlook Express updated with the latest patches, many of which address security issues. If you haven't installed the Outlook E-Mail Security Update, you're really lagging!

Finally, remember that Office applications can also be leveraged in client-side attacks. Make sure to turn macro security to High under Tools | Macro | Security for each Office application (Word, Excel, PowerPoint, and Access).

Did I forget to remind everyone to install, use, and maintain a current antivirus application on his or her systems? No, I couldn't have!

Encrypting File System (EFS)

EFS was a perennial source of questions for AUAS over the last year. The most important thing to understand about EFS is that it can only ensure the confidentiality of data in the face of physical attack if it is used in conjunction with SYSKEY mode 2 or 3. Remember the Third Immutable Law of Security:

"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."

Plan for Security, and Keep Up With Patches

Sometimes, security seems simple: configure systems to offer only the required applications, design and implement those applications securely, and keep up with patches. Certainly the first two recommendations are proactive steps that can prevent security issues before they happen. However, you should never underestimate the value of keeping current with Service Packs and Hotfixes, which sometimes fix problems that no amount of forethought can anticipate. Running on the Hotfix treadmill can seem tedious at times, and it should not be used as an excuse to get lazy during the design and configuration phases, but it is a necessary component of any modern, software-driven technology environment. Thankfully, Microsoft has dedicated itself to improving the software patching process across all of its products. I've been biting my tongue for the past few weeks in anticipation of the release of a new tool called the Network Security Hotfix Checker, which will help you keep current with Hotfixes. I won't steal the thunder of the folks who have worked hard to make this tool a reality, and will leave the details of the tool's function to the official announcement. Keep your eyes peeled!

On that forward-looking note, I will sign off by saying thanks to all who asked questions over the last year, all of the people at Microsoft TechNet and within the Microsoft Security Response Organization who supported me in the writing of the column each month, and the many others who contributed to the great success of the first year of Ask Us About Security. Keep up the great work!

Joel Scambray is a Principal of Foundstone. He is co-author of Hacking Exposed: Network Security Secrets and Solutions from Osborne-McGraw Hill.

Send your Security questions to the Ask Us About Security mailbox. If your question is selected, you will see your answer in a forthcoming column.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.