3 - 1
Windows 2000 Security - SANS
©2001
1
Windows 2000 Security
Security Essentials
The SANS Institute
This section builds on the basic NT security knowledge you have already gained. You will find, however, that every NT security function is magnified in Windows 2000, which offers many times the security features available in Windows NT. If NT were a row boat, Windows 2000 is the QE2. If NT were a cottage, Windows 2000 is a 56-room mansion. Active Directory, security templates, Group Policy, Windows File Protection, RADIUS, IPSec, EFS, PKI, Kerberos, a new permission inheritance model, and granular assignment of administrative authority are but a few of the technologies and processes you must understand if you are to design and implement security in Windows 2000. This section will introduce you to the possibilities.
Your Goals
• Understand security baselining
• Describe security features: all versions/roles
• Describe security features: Active Directory domain
• List 10 hardening steps
Goals and Objectives
We cannot talk about security and Windows 2000 without recognizing that there is more than one version of Windows 2000 and there are many functional roles that Windows 2000 may perform within a network or standing alone. Windows 2000 may be on a laptop computer as it travels from hotel to hotel to home to office. It may be on massive database servers, or limited desktop systems. Windows 2000 may serve as the OS for mail servers, web servers, file servers, firewalls and many other roles. When you discuss security and Windows 2000 you must discuss it within the context of its use. How secure is Windows 2000? How secure do you need it to be? How much knowledge do you have of its features and function? Where will it be asked to perform? Who will be using it? All of these questions must be asked and understood.
In this section, we will discuss the need for security baselining, that is, matching security needs with system functions and specifying basic security requirements for the different computer roles within a network. Next, we will examine the security features available in Windows 2000, first those available on all systems and then the additional features available within a Windows 2000 Active Directory domain. Finally, 10 hardening steps that should be taken during or immediately after Windows 2000 installation will be presented. Please note that a thorough discussion of Windows 2000 security, and the ability to configure and use these features to your benefit, require more study than this introduction can provide. Your goal should be to become comfortable with the features available, so that you can evaluate them more thoroughly against your organization's or your personal requirements.
Security Baselining
• Define the role
• Understand the platform
• Document the Desired Security
Policy
• Deploy
Security Baselining
In order to examine the concept of security baselining, we will pick three common computer roles: desktop, file server, and domain controller. What version of Windows 2000 will each require? What is the security model for each? Who will be the users of these systems? Where? How? For what? As we answer these questions about each role, we can examine Windows 2000 to determine how it can fulfill them.
Once computer use and desired security policy are determined, your job is to seek out the most relevant, efficient, and easily maintainable way to accomplish these goals. Several native Windows 2000 tools that provide automated means to do so will be introduced.
But first, let's define the Windows 2000 family.
Win 2K OS Versions
• Professional
• Server
• Advanced Server
• Datacenter Server
OS Versions
Windows 2000 Professional is the desktop version of the operating system. Windows NT Workstation and Windows 95 and 98 can be upgraded to Professional. Professional can be a member of a Windows NT 4.0 or Windows 2000 domain, or operate in a workgroup or without networking at all. Security is managed by local security settings. If a W2K Professional system is a member of a Windows 2000 domain, any local setting that the domain policy also defines is overridden by the domain value; settings the domain leaves unconfigured remain under local control.
Windows 2000 Server and Advanced Server are similar in feature and function. They are meant to serve as domain controller, file server, database server, mail server, application server, web server, and the like. Unlike Windows NT, Windows 2000 servers may be promoted to domain controllers from member server status, and even demoted back to member server. Advanced Server allows more processors, offers Quality of Service drivers, and adds network load balancing and clustering. Windows NT Server (3.51 and 4.0) may be upgraded to Windows 2000 Server.
Datacenter Server is meant to host massive databases or other demanding applications. This version is not sold independently of its hardware platform. Datacenter Server can have up to 32 processors.
                          Professional               Server                  Advanced Server
Minimum RAM               64 MB                      128 MB                  128 MB
Maximum RAM               4 GB                       4 GB                    8 GB
Minimum processor         133 MHz Pentium-compatible (all three editions)
Hard drive space          2 GB / 650 MB free         2 GB / 1.0 GB free      2 GB / 1.0 GB free
Processors                1 or 2                     1 to 4                  1 to 8
Network Load Balancing    no                         no                      yes
Clustering                no                         no                      yes
Baseline - Desktop
• Windows 2000 Professional
– Separate accounts for each user
– No local accounts, except defaults, if part of a domain
– Strong local account policy
– Local audit settings
What else would your organization specify?
Once a specific computer role is defined, the first step is to choose a platform. Let's start with an example where the computer will be used as a desktop system. It makes sense to assign Windows 2000 Professional. Although one could run word processing and other applications on a Windows 2000 Server, it would not make good economic or efficiency sense. Servers are optimized for background applications such as those accessed across the network by multiple users. Applications in the foreground, such as word processing, receive less attention, and productivity could suffer as a result.
What security requirements does this system have? Well, that depends on the network (or lack of network) within which it resides. We can begin with a list of well-known best practices, or abstract them from organizational policy.
Baseline File Server
• Windows 2000 Server or Advanced Server
– No local accounts except defaults
– Strong local account policy
– Domain member
– Local audit settings
– Limited physical access
What else would your organization specify?
We also have choices here. While Windows 2000 Professional can share files, unless the network is very small it will be an inefficient choice. Professional is optimized for a single interactive user: foreground processes, such as productivity applications (word processing, spreadsheet, personal database), are given priority, and limited resources are available for serving network clients. Professional also accepts at most 10 concurrent inbound network connections. Windows 2000 Server or Advanced Server will be the better choice. Unless there is also a need for load balancing, or more than four processors are required to manage the load, Server will probably be fine.
Notice the similar requirements for security. Keep that thought in mind for the next section.
In addition to similar needs, a file server requires additional precautions. Good physical security is
required. In most environments this means location = server room, access = legitimate needs met via
a supervised visit, and then only direct console access by a qualified and designated administrator.
Baseline – Domain Controller
• Domain Controller
– There are no PDC/BDC roles in W2K
– Physical security
– Special points to secure
– Special security capabilities
– Security policy for domain members, not just a single system
A domain controller (DC) requires special security handling. The DC holds your user account database and is the center for security policy controls. An attacker who penetrates a DC can wreak havoc on the entire domain, not just a single machine.
Its role at the seat of security policy allows centralized control of many computers and users. Careful baselining of security for an entire logical group of computers and users is therefore required. Security policies set at the domain override those set on a local machine, so baselining for a DC incorporates the baselines for many computer and user roles.
For planning purposes, treat the Windows 2000 domain as the boundary for account policy and administration. Access by one domain's users to another domain's resources does not exist (with one exception) until granted by domain administrators. This does not mean that every domain stands alone; rather, for domains linked by trust relationships, several security settings can be set only at the domain level. The password policy, which specifies among other things how long a password must be and how often it must be changed, is an example. If different areas of your organization require different password policies, they must maintain separate domains. Note, however, that the domain is an administrative boundary rather than a hard security boundary: all domains in a forest share one schema, one configuration partition and one Enterprise Admins group, and whoever gains administrative control of a domain controller in any domain is positioned to attack the rest of the forest. Plan physical and administrative controls for every DC in the forest accordingly.
Within the domain there is a vast assortment of possibilities for granular administration. Different types of users and computers can be placed in containers in the Active Directory, and administrative authority over these collections of accounts can be delegated.
In addition, many security features (such as PKI, EFS, RADIUS, et al) are extended or only possible within a domain. Security policy covering these new requirements should be specified.
Before implementing DCs, desktops, file servers, and other W2K systems, you must establish the security baseline for each. The tools used to implement, maintain, and audit these baselines are part of the OS.
Common Security Features/Tools
• MMC
• Users and Groups
• NTFS File System
• System File Checker
• Windows Update Service
• Local Security Policy
• Security Configuration and Analysis
• IPSec
• VPN
All Windows 2000 computers have many security features in common. Security features can be
divided between those available to all Windows 2000 computers no matter their role, and those that
are extended or only available within an Active Directory Domain.
The common features listed in the slide are available on all W2K platforms. However, the nature of
the feature and the ability to use each feature, or to use it to control other systems is platform and
workgroup vs. domain specific. A VPN tunnel server may only be established on a W2K server for
example, while a W2K Professional system can be a VPN client. Examples of these differences in a
domain vs. a workgroup setting are the new groups available, the integration of DNS and PKI
available, and the domain-wide management of security policies, IPSec, and Remote Access.
Microsoft Management Console
• Flexible
• Multi-purpose
• Several pre-built Administrative Tools or pre-loaded MMCs
Administration of Windows NT was often complicated by the large number of Administrative Tools, each with its own interface; managing security meant using many of them.
One of the Windows 2000 design goals was to reduce the number of tools and to provide a common interface across all of them. The Microsoft Management Console (MMC) is the result. It is merely a shell into which components, or 'snap-ins', are loaded to build customized administration tools.
A few, pre-built, customized MMCs are listed and available from the Administrative Tools section of
Programs from the Start button or from the Control Panel. Additional tools are built by
administrators by adding various administrative ‘snap-ins’ to one or many MMCs. Frequently,
special tools are built for delegated responsibilities. In this case, a normal user account is given
specific administrative authority and a special tool, which can only be used for that duty, is built for
the user.
The Computer Management Console
Click Control Panel → Administrative Tools → Computer Management for a good example of one of the consoles that can be used to manage a Windows 2000 system. This is a great way to learn how your system is set up, and we strongly encourage you to spend some time poking around (on a test system, of course). When you use Computer Management as a Power User, not all of the options are shown, but you limit the harm you can cause to your operating system, and this might be the best way to start.
For instance, under System Information, hardware resources, components, drivers, environment variables, startup programs, and so on are displayed. You can also see your installed software by opening the Applications container. This may not be complete: if you have installed a number of applications, you may find that only Microsoft products appear there. A better place to spend time learning about the system is the Software Environment view. If you select Loaded Modules there, you will see that it really was worth your money to invest in the RAM upgrade to run your Windows 2000 system.
The Event Viewer is used to examine system logs. Application and System logs record events and may be
used to troubleshoot system problems. These event logs are not called audit logs. Auditing, the recording of
security related events, is not turned on by default. After auditing is turned on (using Local Security Policy or
Group Policy, as well as appropriate file and registry key selections) auditing information is recorded in the
Security Log.
On the slide above, the Event Viewer\Application log is open. Information, Error, and Warning messages
are exposed. Although it is not shown, this particular event is a message which explains changes made to the
CRM log file and indicates that if the computer name was recently changed, this is an expected event. Since
this system’s name was recently changed, the warning can be ignored. If the name had not recently been
changed, this warning would need to be investigated further. The error messages in this case were also
expected. Spend time with the Event Viewer to understand normal and abnormal events.
Windows 2000 Local Users and Groups
In Windows 2000, you can limit or extend the ability of users and groups to perform certain actions by assigning or denying them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting it down. Administrators and some other groups have the right to log on at a Windows 2000 Server console; Users do not. A permission is a rule associated with an object (usually a file, folder, or printer) that regulates which users can access the object and in what manner. Default permissions are preset on registry keys and on the system files and folders (and can be modified).
Windows 2000 Professional and Server systems have a built-in local account database with two default users (Administrator and Guest) and several default groups. The users and groups are much like those in Windows NT and have similar rights and permissions.

When you create new user accounts and assign them to groups, there are important security issues, since the default groups carry different rights and permissions. Typically, as in Windows NT, you define user roles, and if the default groups do not fit these roles, special or custom groups can be created and rights and permissions assigned to meet the role's requirements. User accounts obtain these rights and permissions when they are placed in the group, and lose them when removed. An example of a special group might be 'OrderManagers', given read access to files that contain orders, while another group, 'Clerks', is given read and write access to the same files. Clerks do data entry; managers review.
Local Users and Groups are managed through the Computer Management Console.
Users and Power Users
To avoid loosening security on a Windows 2000 system, an administrator should:
• Make sure that end users are members of the Users group only
• Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully
Users cannot modify system-wide registry settings, operating system files, or most program files. Users can shut down W2K Professional, but not W2K Servers. Users can create local groups, but can manage only the local groups they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators and that they have been given permission to run, and programs installed by Power Users. A user who can write to a location where execute permission is also granted can copy an executable there and run it, so "Users only" membership restrains what a user can install, not what a user can run. Users have full control over their own data files and their own portion of the registry (HKEY_CURRENT_USER). Windows 2000 Users have fewer rights and permissions than Users in Windows NT.
Power Users. The default Windows 2000 security settings for Power Users are very similar to the default settings for Users in Windows NT 4.0. Any W2K-compatible program that a User can run on Windows NT 4.0, a Power User can run on Windows 2000; a User may or may not be able to. Power Users and Users do not have access to other users' data on an NTFS volume unless they have been granted permission. Power Users can install or modify many programs. Some programs, however, cannot be installed by Power Users: those that install services, those that specifically require an administrative account, or those that need rights and permissions granted only to Administrators. For example, a program may write to areas of the registry to which Power Users have no access, or may improperly open a registry key or file for read, write and execute when only read is necessary. If Power Users have read permission and Administrators have full control, the obvious result is that the Power User cannot install the program; a properly written install wizard would have allowed it. Bear in mind, too, that Power Users is not a security boundary: its members can modify program files and registry keys that administrators and services later execute, which can be used to gain full administrative rights, so membership should be treated as near-administrative.
Certification specifications exist for software which is designed to run on Windows 2000. Different
specifications exist for Professional, Server, Advanced Server, and Datacenter Server. If an application is not
certified, that does not mean it will not run, however it does mean there may be problems.
Replicator
• Used in a Windows 2000 domain for Active Directory replication
• No user accounts should be in this group
The Replicator group is used in a domain environment and ignored elsewhere. Its purpose is to provide a local group which represents rights and privileges on the local machine that might be required by the domain-level replication efforts. It should be ignored in a workgroup environment, and never should contain ordinary user accounts.
Replication of files from file server to laptop is managed by the Offline Files feature and uses the synchronization manager to schedule and manage the task. A synchronization permission is required on the folders and files to be synchronized.
If users need to synchronize files between two computers, they can do so without membership in this group. All that is required is the ability to share the files and, in doing so, set offline access to the folder (File Sharing properties page\Caching button\'Allow caching of files in this shared folder'). Then, after connecting to the share, the user must mark folders 'Make available offline'.
Implicit Groups
• Interactive
• Network
• Everyone
• Authenticated Users
• Self
• Creator Owner
There are several implicit, or built-in, security principals that Windows 2000 creates automatically. Membership in these groups depends on what a user is doing at the moment and is therefore not under administrative control. Several of them are described below.
• Interactive. Any user logged on locally at the computer's console.
• Network. Any user currently accessing the system over the network.
• Creator Owner. A placeholder in an ACL that stands for whoever creates an object beneath it; the creator becomes the owner of that object.
• Creator Group. The primary group of the user who creates the object. (Note that when a member of the Administrators group creates a file or folder, the owner of the file is the Administrators group, not the individual administrator who created it.)
• Dial-up. Users who have accessed the network remotely via dial-up.
• Terminal Server Users. Users connected through Terminal Services.
• Self. The user or group object itself (allows a principal access to properties of its own account).
• Service. Accounts logged on as a service.
These groups can be used to control access to resources based on the way a resource is accessed. For example, if we give the INTERACTIVE group read and write access to the file 'secret.txt' and the NETWORK group only read access, then John, when logged on at the console, can read and write the file, but when he accesses the same file over the network he can only read it.
Like Windows NT, Windows 2000 offers the NTFS file system, and as in Windows NT, file and folder access is restricted by assigning permissions to users and groups; those not granted access are implicitly denied. Windows 2000 extends this model with granular explicit 'deny' permissions and a modified inheritance model. The most notable effect of the change is that permission inheritance can be blocked: when settings are established on a subfolder, a single checkbox allows or prevents the parent folder's permissions from propagating to it. This is extremely important for protecting settings from being overridden by less secure settings made on parent folders. The 'Allow inheritable permissions from parent to propagate to this object' checkbox controls this. Note that in the slide this box is unchecked on the system folder WINNT, so the permissions on that folder will not change should an administrator loosen the permissions on the root of the file system. Remember also that an explicit deny is evaluated before any allow, so a deny placed directly on an object wins over an inherited allow, whereas an explicit allow on the object wins over an inherited deny.
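The INTERACTIVE/NETWORK example in the implicit-groups section and the inheritance-blocking point about WINNT above can both be exercised with the following model. It is an added example written for this page, not Microsoft's access-check code: the principal names (John, Users, Administrators, secret.txt), the two-bit access mask and the plain string trustees are assumptions made to keep it readable, where the real implementation works with SIDs, 32-bit masks, owner rights and generic-right mapping. What it does reproduce is the logon-type groups in the token, canonical ACE ordering (explicit deny, explicit allow, inherited deny, inherited allow) and the per-object inheritance switch.

```python
"""Model of the Windows 2000 DACL access check (added example, not Microsoft's code).
Assumptions for the example: principals are plain strings, the access mask has two
bits, and a folder's DACL is its explicit ACEs plus (if inheritance is allowed) its
parent's ACEs marked as inherited."""
from dataclasses import dataclass
from typing import Optional

READ, WRITE = 0x1, 0x2          # simplified access mask (assumption)


@dataclass
class Ace:
    trustee: str                # user or group name, e.g. "INTERACTIVE"
    mask: int
    deny: bool = False
    inherited: bool = False


@dataclass
class SecuredObject:
    name: str
    explicit_aces: list
    parent: Optional["SecuredObject"] = None
    inherit_from_parent: bool = True    # the "Allow inheritable permissions..." checkbox

    def effective_dacl(self):
        """Explicit ACEs plus, if the box is ticked, the parent's ACEs marked inherited."""
        aces = [Ace(a.trustee, a.mask, a.deny, a.inherited) for a in self.explicit_aces]
        if self.inherit_from_parent and self.parent is not None:
            for a in self.parent.effective_dacl():
                aces.append(Ace(a.trustee, a.mask, a.deny, inherited=True))
        return canonical_order(aces)


def canonical_order(aces):
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, not a.deny))


def build_token(user, groups, logon):
    """Group membership is static; INTERACTIVE or NETWORK depends on the logon type."""
    token = {user, "Everyone", "Authenticated Users", *groups}
    token.add("INTERACTIVE" if logon == "console" else "NETWORK")
    return token


def access_check(token, obj, desired):
    """Walk the DACL in canonical order. A deny ACE covering a still-outstanding
    right fails the check; allow ACEs accumulate until every desired right is
    granted. Rights nobody grants are implicitly denied."""
    remaining = desired
    for ace in obj.effective_dacl():
        if ace.trustee not in token:
            continue
        if ace.deny:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def demo():
    root = SecuredObject("C:\\", [Ace("Everyone", READ | WRITE)])   # a loose root ACL
    # WINNT with inheritance blocked: loosening the root does not reach it
    winnt = SecuredObject("C:\\WINNT", [Ace("Administrators", READ | WRITE), Ace("Users", READ)],
                          parent=root, inherit_from_parent=False)
    text_aces = [Ace("INTERACTIVE", READ | WRITE), Ace("NETWORK", READ)]
    # secret.txt as in the text, inheritance left on ...
    secret_open = SecuredObject("secret.txt", list(text_aces), parent=root)
    # ... with inheritance from the root blocked ...
    secret_locked = SecuredObject("secret.txt", list(text_aces), parent=root, inherit_from_parent=False)
    # ... and with an explicit deny instead, inheritance still on
    secret_deny = SecuredObject("secret.txt", [Ace("NETWORK", WRITE, deny=True)] + text_aces, parent=root)

    console = build_token("John", {"Users"}, "console")
    network = build_token("John", {"Users"}, "network")
    return {
        "console_write_open":   access_check(console, secret_open, WRITE),    # True
        "network_write_open":   access_check(network, secret_open, WRITE),    # True: inherited Everyone RW leaks in
        "network_write_locked": access_check(network, secret_locked, WRITE),  # False
        "network_read_locked":  access_check(network, secret_locked, READ),   # True
        "network_write_deny":   access_check(network, secret_deny, WRITE),    # False: explicit deny beats inherited allow
        "user_write_winnt":     access_check(console, winnt, WRITE),          # False despite Everyone RW on the root
        "user_read_winnt":      access_check(console, winnt, READ),           # True
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22} {'granted' if allowed else 'denied'}")
```

The second case is the one the WINNT paragraph warns about: the ACL on secret.txt itself says NETWORK gets read only, yet John can write over the network because the permissive Everyone entry inherited from the root is still in the DACL. Either blocking inheritance on the object or adding an explicit deny closes the hole, and the explicit deny survives even if someone re-enables inheritance later.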
Another new feature of NTFS is the Encrypting File System (EFS). Users can encrypt and decrypt their own files; another user, even one with 'read' permission on the file, cannot read it. Designated recovery agents (by default the local Administrator on a standalone system, and the domain Administrator in a domain) can recover files if a user's keys are lost or corrupted.
Windows File Protection
• Prevents applications from overwriting or deleting important system files
• Ensures that your system files are up to date
• A command-line tool, System File Checker, can be used to check files on demand
What Are System Files?
In previous versions of Windows, applications often overwrote shared .dll files and .exe system files. (If you’ve
worked with any version of Windows, you're probably very familiar with the term "DLL hell.") When installation
programs mess with key system files, your system can become unusable, and troubleshooting can be a nightmare. And
if you think that only third-party applications are guilty of overwriting your system files, think again. Many of
Microsoft’s applications are notorious for overwriting system files – even files that other Microsoft software uses.
The problem is that many applications (including Microsoft's) don't check existing system file versions before
overwriting the files. Most vendors are interested in ensuring that their software runs without problems, and the
software you installed most recently probably works flawlessly – but it might work at the expense of other applications.
For example, if you install audio applications from competing vendors, the one you install last will have the best chance
of working properly. Developers aren't solely to blame for these system-file problems – several other factors are
involved, including OS limitations.
OS stability matters more than any single application's stability, and Windows 2000 addresses the problem with Windows File Protection (WFP). WFP runs in the background and ensures that setup programs do not permanently delete or overwrite important system files. It is enabled by default.
When a program replaces, deletes or moves a protected system file, WFP checks the digital signature (catalog) of whatever now occupies that path to determine whether it is a correct, Microsoft-signed version. If it is not, WFP restores the file from the %systemroot%\System32\Dllcache folder. If the necessary file is not in the cache, a prompt for the Windows 2000 installation CD-ROM appears. WFP records each restoration in the System event log, which is worth watching as a crude integrity alarm.
The System File Checker (or SFC) is a command-line tool which can be used to scan a W2K system and verify
that the versions of protected system files are correct. If a protected system file has moved or has disappeared, SFC
automatically replaces the file with the correct version from the Dllcache folder, or prompts for the installation CD-
ROM. This tool also lets you set the Windows File Protection cache file size, thus allowing more or fewer system files
to be available during unattended operation. You must be a member of the Administrators group to run SFC.
Using SFC to check System Files
Typing sfc at the command prompt with no arguments displays the options available.
sfc /scannow scans all protected system files immediately.
sfc /scanonce scans them once, at the next boot, and sfc /scanboot scans them every time the computer boots.
If you have scheduled a scan and change your mind, sfc /cancel cancels it. If you do not want SFC to prompt you about each file it intends to replace, use sfc /quiet.
SFC switches that manipulate the Windows File Protection cache are:
sfc /purgecache purges the file cache and scans all protected system files immediately.
sfc /cachesize=x sets the size of the Windows File Protection cache, where x is in megabytes; sfc /cachesize=100, for example, allows a 100 MB cache. A cache too small to hold the protected files means more prompts for the installation CD-ROM during unattended operation.
sfc /enable returns to the default Windows File Protection operation, in which WFP automatically restores (or prompts you to restore) the correct version whenever it detects that an application has overwritten a protected file. Do not forget to re-enable this mode before you close the command prompt window.
Local Security Policy
The Administrative Tools\Local Security Policy console configures security settings for a single Windows 2000 system. It is an especially important tool for users of standalone W2K Professional systems. If Windows 2000 Professional is a domain member, any local setting also defined by domain policy is overridden by the domain value.
Users with laptops who have local administrative accounts on their systems can also configure system security with this tool. Note, however, that the security settings in a domain Group Policy are applied to the computer, not to the account that logs on: once a laptop has joined a domain and refreshed policy, the domain values remain in force for local-account logons as well. The console shows both your local setting and the effective setting for each item; if the domain overrides a local setting, the two will not match.
The slide shows configuration of a warning banner for logons (the setting writes the LegalNoticeCaption and LegalNoticeText values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so it can also be set by script or policy). A warning banner will not prevent unauthorized users from logging on, but serves as notice that they should not do so. Logon banners may serve as legal notices. Court cases involving network penetration have been dismissed when the logon banner read 'welcome'. Banners with strong legal warnings and acceptable use information help honest individuals understand how the system should be used and may assist in obtaining convictions, or support sanctions, when the policy is ignored.

Security settings that can thwart attackers and provide evidence of their attempts are also present here and can be used by domain and local administrators to protect the system. Imagine that you travel a lot with your laptop. It might be a good idea to have a more stringent local policy than you would at home with your alarm system, big dog, and neighbors who work in high-security government positions. Likewise, if your job is to protect corporate road warriors from themselves, you will want to thoroughly understand and set laptop security for them. Potential defensive settings include locking out accounts after a number of failed logons, requiring complex passwords, auditing successful and failed access to sensitive files, policies and the like, restricting user rights, renaming the Administrator account, blocking the loading of unsigned drivers, preventing the use of EFS, and establishing secure network communications via IPSec policies. We will say more about many of these features, but for now you should remember where to look for the security policy that is effective on a local machine, and where you might manage these settings.
Security Configuration and Analysis
Two welcome new tools in Windows 2000 are the Security Configuration and Analysis and Security Templates snap-ins to the MMC. Security templates (either the pre-configured default templates or customized ones) can be used to apply security settings to a host quickly, or to analyze the current settings against a template that represents policy. Analysis gives administrators and auditors a simple way to determine the security configuration status of a particular machine.
Remember the security baselines we examined for desktop, server, and DC? Pre-configured, recommended security templates ship for each. Default templates exist for three levels of security (default, secure, and high security) for workstations, servers, and domain controllers; in %systemroot%\security\templates these are the basic*, secure* and hisec* templates (basicwk, basicsv, basicdc, securews, securedc, hisecws, hisecdc). Note that the secure and high-security templates are incremental: they assume the basic template has already been applied and do not restate its settings.
Security template settings mirror those available in Local Security Policy. Additional templates are available for web servers and other models. Templates may be customized by changing settings and adding new entries, and new templates can be created. In the slide, mydomain and mylocal represent custom templates. The red x's indicate the results of an analysis of the current computer's settings against a desired policy; each container, when opened, documents the variance from policy. The analysis does not modify settings on the host.
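What the snap-in does during analysis can be shown with a small reader for the template format it uses, written as an added example for this page (it is not Microsoft's tool). Security templates are INI-style .inf files with sections such as [System Access], [Event Audit] and [Registry Values]; the two templates embedded below are constructed for the example, with setting names as they appear in Windows 2000 templates and values chosen to produce some variances. One is treated as the desired policy (think of the custom mylocal template in the slide) and the other as the machine's current settings. Like the snap-in, the analysis only reads and reports.

```python
"""Minimal analyser in the spirit of the Security Configuration and Analysis snap-in.
Added example for this page, not Microsoft's tool. Both templates are constructed:
the setting names are those used in Windows 2000 templates, the values are invented.
Audit values: 1 = success, 2 = failure, 3 = both. Registry Values use path=type,data
where type 4 is REG_DWORD."""

# Desired policy (a cut-down custom template).
POLICY_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# What the analysed machine currently has (constructed, deliberately weaker).
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Parse the INI-style template into {section: {setting: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)                # registry paths contain no '='
        sections[current][key.strip()] = value.strip()
    return sections


def analyse(policy, current):
    """Compare every policy setting against the current configuration.
    Returns a list of (section, setting, expected, actual, status)."""
    findings = []
    for section, settings in policy.items():
        if section in ("Unicode", "Version"):          # template metadata, not settings
            continue
        for key, want in settings.items():
            have = current.get(section, {}).get(key)
            if have is None:
                status = "NOT CONFIGURED"              # the machine does not set it at all
            elif have == want:
                status = "OK"
            else:
                status = "MISMATCH"                    # the red X in the snap-in
            findings.append((section, key, want, have, status))
    return findings


def run_analysis():
    """Return {(section, setting): status} for the two constructed templates."""
    findings = analyse(parse_template(POLICY_INF), parse_template(CURRENT_INF))
    return {(s, k): status for s, k, _, _, status in findings}


if __name__ == "__main__":
    for section, key, want, have, status in analyse(parse_template(POLICY_INF),
                                                    parse_template(CURRENT_INF)):
        if status != "OK":
            print(f"{status:15} [{section}] {key}: policy={want} current={have}")
```

The comparison is an exact match, which is what the snap-in reports as well: a machine whose minimum password length is longer than the template demands still shows as a variance, so keep the template honest rather than treating every red X as a weakness. A setting the machine does not define at all is reported separately because it usually means the baseline was never applied, not that someone changed it.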
Windows Update
Other tools are available in the Support Tools folder on the Windows 2000 Server CD-ROM, in the
Windows 2000 Resource Kit, and online. Two important online sites are Windows Update and
Windows 2000 Security (www.microsoft.com\technet\security).
The Windows Update site, seen here, provides information on Critical and Recommended updates
for Windows systems. With permission, the current machine can be scanned; Windows Update
will then recommend updates and allow them to be run. Updates include service packs, newer
device drivers, and security patches, each with an explanation. While organizations should
manage enterprise-wide updating of Windows systems, this site is important to users of Windows
who are not managed in this fashion. Similar updating is available for users of Microsoft Office.
The Windows security site provides detailed security information, along with notice and explanation of
security patches and links to free downloads. It also includes multiple free security tools. A detailed
list of hardening steps for Windows systems is also available. You can sign up for a security bulletin
list, which will e-mail you as new security bulletins and patches become available.
Protecting host-to-host communications with IP Security Policies
IP Security (IPSec) is an Internet standard for the protection of data communications between
systems. It can also be used to filter, and thus allow or block, data coming and going through an IP
stack. IPSec is built into the TCP/IP stack of all Windows 2000 systems. To be used, IPSec policies
must be written and assigned.
Possible uses for IPSec are to block access to a system by filtering on protocol ID or port
numbers, to block all but specifically identified protocols, or to negotiate secure communications
between two machines. The security negotiated can include confidentiality (encryption), integrity
(the data received is the data sent), and authentication (mutual identification of the two computers
involved). A selection of security algorithms is available.
IPSec policies may be written for any Windows 2000 system, either through Local Security Policy,
through the IPSec MMC snap-in, via the command line, or in a domain environment through Group
Policy.
PKI
• Self-signed certificates for EFS
• Standalone CA on workgroup
server
• Follows standards
Windows 2000 Server and Advanced Server can be used as Certificate Authorities (CAs) and thus
establish a Public Key Infrastructure. Either standalone (no domain membership required) or
Enterprise (domain integration required) CAs can be established. Certificates can be issued and used
for authentication (user and/or machine), e-mail, VPN, and file encryption. An Enterprise CA can be
used for additional purposes.
Windows 2000 PKI follows Internet PKI standards and is compatible with other PKI vendors who
use these standards.
A hierarchical trust model is available to allow root CA protection and a distributed CA architecture
for enterprise deployment. Implementation is via service installation and configuration. There is no
additional charge.
Virtual Private Networks establish secure communications between two networks over a third. As such,
they are excellent additions to any enterprise which requires branch-to-corporate-headquarters communication
or telecommuter and/or traveling employee access to internal network resources.
Windows 2000 Servers can be configured as VPN endpoints for remote access via VPN clients or for the
establishment of gateway-to-gateway tunnels between two networks. Windows 2000 Professional can act as a
VPN client. Two possible protocols for VPN exist.
As with NT before it, Windows 2000 continues to make the Point to Point Tunneling Protocol (PPTP)
available. Data encryption for a PPTP VPN is managed via Microsoft Point-to-Point Encryption (MPPE);
40-bit and 128-bit RSA RC4 are available.
Windows 2000 also introduces Layer 2 Tunneling Protocol (L2TP) over IPSec for VPN tunnels. L2TP is
used to establish a tunnel, and IPSec is used for encryption. Various encryption strengths are available
depending on connection type and the strength selected, as illustrated below:
Basic: 40-bit MPPE RC4 or DES
Stronger: 56-bit MPPE RC4 or DES
Strongest: 128-bit MPPE RC4 or triple DES
By default, L2TP over IPSec VPNs require certificates for authentication. However, you may configure
VPNs which use shared key authentication.
On the next slide, titled Active Directory, we will discuss an information system directory that can serve as
a single point of access for information about authorized users, computers, services, and devices in a network.
It can also serve as a framework for the security of that network. Rudimentary directory services exist in
Windows NT 4.0. The SAM portion of the registry is a computer and user database, and other registry areas
serve as repositories for service, software, and device information. The structure of these information
repositories is proprietary and does not offer the functionality of more modern extensible directory services.
Versions of Exchange Server prior to 2000 implemented directory services that were similar to the existing
standard of the time, X.500.
Active Directory
• Active Directory as a Security
Framework
• Delegation of Authority
•Group Policy
• Secure DNS Dynamic Update
• Enterprise Integrated PKI
The X.500 standard was intended to be a standard for a worldwide directory service. However, it proved too difficult
and complex to implement and maintain. A related protocol, the Directory Access Protocol (DAP), defined how
information in the X.500 directory was accessed and maintained. An easier protocol to use, the Lightweight Directory
Access Protocol (LDAP), was soon developed and eventually became more than an access protocol: it also defined
a directory service. LDAP is defined in RFC 2251, which can be obtained from the Internet Engineering Task Force (IETF,
www.ietf.org). Additional RFCs describe other aspects of LDAP, such as related PKI standards, and how other
extensions work.
Windows 2000 directory services (Active Directory) follow the LDAP standard. An understanding of LDAP and how
to use it to read and modify directory information is necessary for administrators of Windows 2000. While basic
administrative chores are carried out via GUI tools, troubleshooting and repair either require or are easier with LDAP-
based commands and knowledge. LDAP can also be used to script and automate administrative chores. Incidentally,
Exchange and Windows NT 4.0 directories, though they do not implement the entire standard, can be manipulated via
LDAP.
To implement the Active Directory, you must establish one or more Windows 2000 domains. Multiple domains can exist in a
Kerberos-style trust with a single Active Directory architecture; this is referred to as a 'forest'. Security policy in a
domain is managed via Group Policy, and administrative authority can be assigned in granular fashion using Delegation of
Authority. Windows 2000 domains offer additional security benefits, such as secure dynamic DNS update and enterprise-
integrated PKI. Active Directory serves as a security framework on which to model enterprise-wide security management.
A Windows 2000 Server is promoted to domain controller status by using the dcpromo command. In your Active
Directory design, best practices recommend that you separate Active Directory from system files and other application and
data files. This allows you to provide adequate disk space for the growth of the Active Directory database and to protect
it from other services. You might install the operating system on C:\, Active Directory on D:\, and use a third volume or
drive for everything else. Active Directory should never be run on the same host as IIS, or any other web server, due to the
security risks. Although the default installation of Windows 2000 Server includes IIS, this option should be unchecked
during installation.
What’s in a Name?
• DNS Domain
• NT 4.0 Domain
• Windows 2000 domain
• Organizational Unit
When discussing Windows networks, it's important to clarify the meaning of the word 'domain'. A DNS domain is a
collection of related hosts. A DNS database is known as a zone table. sans.org is a DNS domain name, and the zone table
would be sans.org. DNS is used for name resolution. A Windows 2000 domain is a logical collection of hosts which share
a common DNS domain namespace and security trust model. Its database is the Active Directory.
DNS uses multiple DNS servers, each authoritative for its own autonomous domain. Active Directory follows this
model and uses DNS namespace naming conventions. Data objects are stored as records in the directory database,
NTDS.DIT. Domain information is shared via a multi-master replication model between multiple domain controllers in a
domain. Some W2K domain information is shared between domains, which are associated via Kerberos trust relationships
(the forest).
Active Directory's LDAP structure uses object names to identify an object's location within the directory structure.
Almost everything is referred to in this system by its Common Name (cn) (such as cn=Northcutt), but other designators
serve to fully identify objects. Other designators include Domain Component (dc) and Organizational Unit (ou). The
location of an Active Directory object can be found, given enough information on its object name. Even a DNS domain
name can be expressed in LDAP format. The LDAP name for an Active Directory domain for sans.org would be:
dc=sans, dc=org.
An Organizational Unit (OU) can only exist as a child of a domain object. Thus, we could create an OU named
GIAC, which is a division of SANS, as dc=sans, ou=giac. Information on printers, services, computers, file shares,
policies, groups, and users can be stored in the Active Directory. Most of these objects exist as actual Active Directory
objects, while others (such as file shares) exist elsewhere, but can be documented in AD. Every entry in the database
belongs to and is affected by policies set at the site (a logical expression of your physical network), Domain, and
Organizational Unit levels. Just as Local Security Policy affects objects in the local system database, system-wide policies,
or Group Policies, control security in an Active Directory environment.
Intelligent use of these facts allows distributed and granular administration of subsets of computers and users. If
computer and user accounts are distributed in OU containers, security and administrative policy can be applied to only
these portions of the enterprise. Likewise, administrative authority can be delegated over these subsets of computers and
users.
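The naming rules above (dc components for the DNS domain, ou components for the OU, cn for the leaf object) can be exercised directly. The following is an added example, not code from the SANS course: it builds the sans.org domain name and the GIAC OU in LDAP form, parses a name back into its components, and handles commas escaped inside a value, the edge case that breaks a naive split. It writes the name with the most specific component first, as RFC 2253 requires, so the GIAC OU comes out as ou=giac,dc=sans,dc=org; the function names are this example's own.

```python
"""Build and parse the distinguished names Active Directory uses for objects.

Added example, not part of the SANS course material. The sans.org, giac and
Northcutt names are those used in the text; ou_path and the helper names are
this example's own. DNs list the most specific component first (RFC 2253).
"""

def domain_to_dn(dns_name):
    """'sans.org' -> 'dc=sans,dc=org'."""
    labels = [lbl for lbl in dns_name.strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"dc={lbl}" for lbl in labels)

def object_dn(dns_name, ou_path=(), cn=None):
    """DN for an object in a chain of OUs; ou_path is given top-down,
    e.g. ("giac", "staff"), and emitted bottom-up as LDAP requires."""
    parts = [f"cn={cn}"] if cn is not None else []
    parts.extend(f"ou={ou}" for ou in reversed(ou_path))
    parts.append(domain_to_dn(dns_name))
    return ",".join(parts)

def split_rdns(dn):
    """Split a DN on commas, leaving backslash-escaped commas inside values."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if not escaped and ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
            escaped = (ch == "\\") and not escaped  # a \\ pair escapes nothing
    rdns.append("".join(current))
    return rdns

def parse_dn(dn):
    """'cn=Northcutt,ou=giac,dc=sans,dc=org' -> [("cn", "Northcutt"), ...]."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value))
    return pairs

def dn_to_domain(dn):
    """Recover the DNS domain name from a DN's dc= components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")
```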