
Configuring Virtual Private Networking for Remote Clients

How to Configure VPN Client Access
Before any users can access ISA Server using a VPN, you must enable VPN client access. When you enable this option, ISA Server enables VPN access using a default configuration that you can modify to meet your organization’s requirements.
The VPN client access configuration is managed using the Configure VPN Client Access dialog box in ISA Server Management. To access this dialog box, open ISA Server Management and click Virtual Private Networks (VPN).

Default VPN Client Access Configuration
When you enable VPN client access, the following default settings are applied:
1- System policy rules: When VPN client access is enabled, a system policy rule named Allow VPN Client Traffic To ISA Server is enabled. Depending on which protocols are configured for remote-client access, the system policy rule allows the use of PPTP, L2TP, or both, from the external network to the computer running ISA Server (Local Host network).

2- VPN access network: By default, ISA Server listens for VPN client connections only on the external network. This property can be modified. When it is modified, the system policy rule is changed automatically to apply to the additional or changed networks.

3- VPN protocol: By default, only PPTP is enabled for VPN client access. This can be modified to L2TP/IPSec only or to both protocols. When this setting is modified, the system policy rule is updated to allow the appropriate protocol.

4- Network rules: Enabling VPN client access does not modify the network rules configured on ISA Server. When you install ISA Server, two network rules are created that include the VPN Clients network: one specifying a route relationship between the VPN Clients network and the internal network, and one specifying a NAT relationship between the VPN Clients network and the external network. The second rule is part of the Internet access rule that also defines the relationship between the internal network and the external network.

5- Firewall-access rules: By default, clients on the VPN Clients network cannot access any resources on any other network. You can manually configure a firewall-access rule that enables this access, or you can use a network template to configure the rule. If you use a network template, a firewall-access rule named VPN Clients to Internal Network is created. This rule allows access from the VPN Clients network to the internal network using all protocols. The VPN Clients network is also included in any rule that you create using a network template to grant Internet access. For example, if you use a network template to enable Internet access using all protocols, clients on the VPN Clients network will be able to access the Internet using that rule.

6- Remote-access policy: When you enable ISA Server for VPN client access, a remote-access policy named ISA Server Default Policy is created in Routing and Remote Access. This default policy denies access to all VPN connections except those explicitly allowed by the remote-access profile. The remote-access profile for the default policy enables MS-CHAP v2 authentication and requires authentication for all VPN connections.
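The interaction of network rules and access rules described in items 4 and 5 is easy to get wrong in practice, so here is an added example (not ISA Server code or its administration object model) that models the two checks: a network rule must define a relationship between the two networks, and an access rule must then explicitly allow the traffic. The network and rule names follow the text; the address ranges and the test traffic are constructed.

```python
"""Added example: a small model of the two checks ISA Server 2004 applies to
traffic between networks. Not ISA Server code; address ranges constructed.

Traffic passes only if BOTH hold:
  1. a network rule defines a relationship between the two networks
     (Route relationships work in both directions, NAT only from the
     rule's source to its destination), and
  2. an access rule explicitly allows the protocol from the source network
     to the destination network. Nothing matching means Deny.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Network:
    name: str
    ranges: List[str]  # CIDR blocks (constructed)

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(r) for r in self.ranges)


@dataclass
class NetworkRule:
    name: str
    sources: List[str]
    destinations: List[str]
    relationship: str  # "Route" or "NAT"


@dataclass
class AccessRule:
    name: str
    action: str            # "Allow" or "Deny"
    protocols: List[str]   # ["*"] = all protocols
    sources: List[str]
    destinations: List[str]


@dataclass
class Policy:
    networks: List[Network]
    network_rules: List[NetworkRule]
    access_rules: List[AccessRule] = field(default_factory=list)  # ordered

    def network_of(self, ip: str) -> str:
        # External is "everything not assigned to another network".
        for net in self.networks:
            if net.contains(ip):
                return net.name
        return "External"

    def relationship(self, src_net: str, dst_net: str) -> Optional[str]:
        for rule in self.network_rules:
            if src_net in rule.sources and dst_net in rule.destinations:
                return rule.relationship
            # Route is bidirectional; NAT is not.
            if (rule.relationship == "Route" and dst_net in rule.sources
                    and src_net in rule.destinations):
                return rule.relationship
        return None

    def evaluate(self, src_ip: str, dst_ip: str, protocol: str) -> Tuple[str, str]:
        src_net, dst_net = self.network_of(src_ip), self.network_of(dst_ip)
        rel = self.relationship(src_net, dst_net)
        if rel is None:
            return "Deny", f"no network rule between {src_net} and {dst_net}"
        for rule in self.access_rules:  # first match wins
            if (("*" in rule.protocols or protocol in rule.protocols)
                    and src_net in rule.sources and dst_net in rule.destinations):
                return rule.action, f"{rule.name} [{rel}]"
        return "Deny", f"default rule: {rel} relationship exists but no access rule allows {protocol}"


def default_policy() -> Policy:
    """State right after enabling VPN client access: network rules, no access rules."""
    return Policy(
        networks=[
            Network("Internal", ["10.0.0.0/16"]),      # constructed
            Network("VPN Clients", ["10.1.0.0/24"]),   # constructed static pool
        ],
        network_rules=[
            NetworkRule("VPN Clients to Internal Network", ["VPN Clients"], ["Internal"], "Route"),
            NetworkRule("Internet Access", ["Internal", "VPN Clients"], ["External"], "NAT"),
        ],
    )


def with_network_template(policy: Policy) -> Policy:
    """Adds the access rules the text says a network template creates."""
    policy.access_rules.extend([
        AccessRule("VPN Clients to Internal Network", "Allow", ["*"], ["VPN Clients"], ["Internal"]),
        AccessRule("Allow Internet access", "Allow", ["*"], ["Internal", "VPN Clients"], ["External"]),
    ])
    return policy


if __name__ == "__main__":
    print(default_policy().evaluate("10.1.0.7", "10.0.0.5", "RDP"))
    print(with_network_template(default_policy()).evaluate("10.1.0.7", "10.0.0.5", "RDP"))
```

Note that the NAT relationship Internal/VPN Clients to External never lets External reach the VPN Clients network: with no network rule in that direction the evaluation stops before access rules are even consulted, which is the behaviour a publishing rule, not an access rule, would change.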

Lesson 2: Configuring Multiple Networking on ISA Server

ISA Server Support for Multiple Networks
ISA Server 2004 uses networks to define blocks of IP addresses that may be directly attached to the ISA Server computer or IP addresses that may be remote networks. ISA Server uses these networks as components when you create access rules. ISA Server supports an unlimited number of networks.

What Is Multinetworking?
Multinetworking means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic between all networks. Multinetworking enables flexible options for network configuration. One common network configuration is a three-legged firewall.
In this configuration, you create three networks:
1- The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network.
2- The internal client computers and servers that are not accessible from the Internet are located on an internal network.
3- The third network is the Internet.
ISA Server multinetworking functionality supports this configuration. You can configure how clients on the corporate network access the perimeter network, and how external clients access the perimeter network. You can also define access rules for all network traffic flowing from the Internal network to the Internet. You can also configure the relationships between the various networks, defining different network rules between each network.

You might also need to configure a more complicated network environment. In this scenario, you could have the following:
1- Two perimeter networks: Perhaps you are deploying some servers that are domain members and other servers that are stand-alone servers. The domain members need to be able to communicate with domain controllers that are located on your internal network. In this scenario, you could configure a second perimeter network for the servers that need to be members of the domain.
2- Two internal networks: You might have a group of client computers that needs to access the Internet using a different application or with security rules different from the other client computers. You can create an additional internal network and configure specific Internet access rules for each network.
3- VPN client and VPN remote-site networks: ISA Server defines a network for VPN clients, and you can define a network for each remote site connected with a site-to-site VPN connection.

How to Create and Modify Network Objects
For a small organization with a fairly simple network, the default network objects may provide all the configuration options required. However, in a larger organization with a more complex network environment and more complicated requirements, you may need to create and modify the network objects.
To create a new network object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and click Networks.
2. In the Details pane, click the Network tab.
3. On the Tasks tab, click Create a New Network.
4. On the Welcome to the New Network Wizard page, in the Network Name: box, type the name for the network. Click Next.
5. On the Network Type page, select the type of network you are creating. Select one of the following options:
. External Network
. Internal Network
. Perimeter Network
. VPN Site-To-Site Network
6. After selecting the network type, click Next.
7. If you selected an internal, perimeter, or external network type, on the Network Addresses page, click Add.
8. In the IP Address Range Properties page, type the starting and ending addresses, and then click OK.
9. On the Completing The New Network Wizard page, review the settings and then click Finish.
To modify a network, click the network in ISA Server Management Console and then click Edit Selected Network.

Introduction to ISA Server as a Firewall

What Is Application-Layer Filtering?
Application-layer filtering enables the firewall to inspect the application data in a TCP/IP packet for unacceptable commands and data. For example, a Simple Mail Transfer Protocol (SMTP) filter intercepts network traffic on Port 25 and inspects it to make sure the SMTP commands are authorized before passing the communication to the destination server. An HTTP filter performs the same function on all HTTP packets. Firewalls that are capable of application-layer filtering can stop dangerous code at the edge of the network before it can do any damage.
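To make the SMTP example concrete, here is an added example of a stateful SMTP command filter. It is not ISA Server's SMTP filter; it shows what an application-layer filter does that a packet filter cannot: reassemble the TCP stream, read each command as a whole, and reject commands that are disabled or overlong before the mail server sees them. The allowed-command set, the 512-octet line limit (the command line maximum from RFC 5321) and the sample session are the example's own.

```python
"""Added example: a stateful SMTP command filter. Not ISA Server code.
Settings (allowed commands, line limit) and the sample session are constructed.
"""
from typing import List, Tuple

ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_COMMAND_LINE = 512  # octets including CRLF (RFC 5321 command line maximum)

Verdict = Tuple[str, str]  # ("PASS" | "BLOCK", detail)


class SmtpCommandFilter:
    def __init__(self, allowed=ALLOWED_COMMANDS, max_line=MAX_COMMAND_LINE):
        self.allowed = allowed
        self.max_line = max_line
        self.buffer = b""      # bytes of the current, not yet terminated line
        self.in_data = False   # between DATA and the terminating "." line

    def feed(self, segment: bytes) -> List[Verdict]:
        """Consume one TCP segment's payload and return verdicts for every
        command line it completes. Segment boundaries do not matter: a
        command split over several packets is judged as a whole."""
        self.buffer += segment
        verdicts: List[Verdict] = []
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            verdicts.append(self._check_line(line))
        # A command still missing its CRLF but already over the limit can
        # never become legal; stop it instead of buffering without bound.
        if not self.in_data and len(self.buffer) + 2 > self.max_line:
            verdicts.append(("BLOCK", "command line exceeds %d octets" % self.max_line))
            self.buffer = b""
        return verdicts

    def _check_line(self, line: bytes) -> Verdict:
        if self.in_data:
            # Message body: not commands, so not filtered here.
            if line == b".":
                self.in_data = False
            return ("PASS", "message body")
        if len(line) + 2 > self.max_line:
            return ("BLOCK", "command line exceeds %d octets" % self.max_line)
        verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
        if verb not in self.allowed:
            return ("BLOCK", "command %s not permitted" % verb)
        if verb == "DATA":
            self.in_data = True
        return ("PASS", verb)


def filter_session(segments: List[bytes]) -> List[Verdict]:
    """Run a whole client-side stream, given as TCP payloads, through one filter."""
    f = SmtpCommandFilter()
    verdicts: List[Verdict] = []
    for seg in segments:
        verdicts.extend(f.feed(seg))
    return verdicts


# Constructed session: a legitimate start, a disabled command (VRFY), an
# overlong HELO split across two segments so that each packet on its own
# looks harmless, then a message body that must not be parsed as commands.
SAMPLE_SESSION = [
    b"EHLO mail.example.com\r\nMAIL FROM:<alice@example.com>\r\n",
    b"VRFY root\r\n",
    b"HELO " + b"A" * 300,
    b"A" * 300 + b"\r\n",
    b"RCPT TO:<bob@example.net>\r\nDATA\r\nVRFY looks like a command but is body\r\n.\r\nQUIT\r\n",
]

if __name__ == "__main__":
    for action, detail in filter_session(SAMPLE_SESSION):
        print(action, detail)
```

The two BLOCK verdicts are the point: VRFY is a perfectly well-formed packet to port 25 that a packet filter would pass, and neither half of the 600-byte HELO is suspicious until the filter puts the line back together.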

Advantages and Disadvantages of Application-Layer Filtering
Application-layer filtering can be used to stop attacks from sources such as viruses and worms. To the packet-filtering firewall, most worms look like legitimate network traffic. The headers of the packets are identical in format to those of legitimate traffic. It is the payload that is malicious; only when all the packets are put together can the worm be identified as malicious code, so these exploits often travel straight through to the private network because the firewall allowed what appeared to be legitimate application data.

But the advantages of application-layer filtering transcend the prevention of attacks. It can also be used to protect your network and systems from the harmful actions often taken by unaware employees. For example, you can configure filters that prevent potentially harmful programs from being downloaded through the Internet, or ensure that critical customer data does not leave the network in an e-mail.

Application-layer filtering can also be used to more broadly limit employee actions on the network. You can use an application filter to restrict common types of inappropriate communication on your network. For example, you can block peer-to-peer file-exchange services. These types of services can consume substantial network resources and raise legal liability concerns for your organization.

What Is Intrusion Detection?
Intrusion detection is a means of detecting when an attack against a network is attempted or in progress. If you detect an intrusion attempt early enough, you may be able to prevent a successful intrusion. If an intrusion does occur, you must be alerted as soon as possible to reduce the potential impact of the intrusion and to eliminate the vulnerability in your network security.

An intrusion-detection system (IDS) that is located at the edge of a network inspects all traffic in and out of the network and identifies patterns that may indicate a network or system attack. An IDS is usually configured with information about a wide variety of known attacks, then monitors the network traffic for signatures indicating that a known attack is occurring. An IDS can also be configured with information about normal network traffic and then be configured to detect variations from the normal traffic.

A complete IDS includes several layers. One device may be located at the network perimeter and monitor all traffic entering and leaving the network. Additional devices may be deployed on the internal networks, or on routers connecting networks. A final layer of protection is provided by host-based systems in which an IDS is configured on individual computers. The most sophisticated IDS can collect information from all the layers and correlate data to make the most accurate intrusion-detection decisions.

Intrusion-detection systems also provide options for configuring alerts or responses to intrusion attempts. At the very least, an IDS should alert an administrator when an attack is detected. More sophisticated IDSs provide additional responses to attacks, including shutting down or limiting the functionality of the systems under attack.

ISA Server and Intrusion Detection
ISA Server includes intrusion-detection functionality that monitors for several well-known attacks. ISA Server detects intrusions at two different network layers. First, ISA Server detects intrusions at the network layer. This enables ISA Server to detect attacks that target weaknesses inherent to the IP layer. Second, ISA Server uses application filters to detect intrusions at the application layer. You can use third-party application filters to add more intrusion detection or create your own application filters using the filter application programming interfaces (APIs) defined in the ISA Server software development kit (SDK).
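As an added example (not ISA Server's intrusion detection), the following detector shows the two styles of network-layer detection the section describes: a signature check for a Land attack (a packet whose forged source address equals its destination address), and a threshold check for a port scan (many distinct destination ports from one source inside a short window), which is a variation-from-normal test rather than a fixed signature. The thresholds, addresses and sample traffic are constructed.

```python
"""Added example: Land and port-scan detection over constructed packet
records. Not ISA Server code; thresholds and traffic are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds
    src: str
    dst: str
    dport: int
    syn: bool     # TCP SYN, i.e. a connection attempt


def land_attack(p: Packet) -> bool:
    """Land: spoofed source equal to destination, which older IP stacks looped on."""
    return p.src == p.dst


class PortScanDetector:
    def __init__(self, max_ports: int = 10, window: float = 5.0) -> None:
        self.max_ports = max_ports
        self.window = window
        # per source: recent (ts, dst, dport) attempts in time order
        self._recent: Dict[str, Deque[Tuple[float, str, int]]] = defaultdict(deque)
        self._alerted: Set[str] = set()

    def observe(self, p: Packet) -> bool:
        """Return True the first time a source exceeds max_ports distinct
        (host, port) targets inside the window; later packets from it return False."""
        if not p.syn:
            return False
        q = self._recent[p.src]
        q.append((p.ts, p.dst, p.dport))
        while q and p.ts - q[0][0] > self.window:
            q.popleft()
        targets = {(d, port) for _, d, port in q}
        if len(targets) > self.max_ports and p.src not in self._alerted:
            self._alerted.add(p.src)
            return True
        return False


def detect(packets: List[Packet]) -> List[str]:
    """Run both checks over the packets in time order and return alert strings."""
    scans = PortScanDetector()
    alerts: List[str] = []
    for p in sorted(packets, key=lambda x: x.ts):
        if land_attack(p):
            alerts.append(f"Land attack: {p.src} -> {p.dst}:{p.dport} at t={p.ts}")
        if scans.observe(p):
            alerts.append(f"Port scan from {p.src} (more than {scans.max_ports} ports in {scans.window}s)")
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed: normal web traffic, one Land packet, a fast scan, a slow probe."""
    pk: List[Packet] = []
    # normal: a few clients connecting to the published web server
    for i, t in enumerate((0.0, 1.0, 2.5, 4.0)):
        pk.append(Packet(t, f"198.51.100.{i + 1}", "203.0.113.10", 443, True))
    # Land: source forged to equal the destination (the firewall's external address)
    pk.append(Packet(3.0, "203.0.113.10", "203.0.113.10", 139, True))
    # scan: 12 SYNs to 12 ports within 2 seconds from one source
    for i in range(12):
        pk.append(Packet(10.0 + i * 0.15, "192.0.2.66", "203.0.113.10", 20 + i, True))
    # slow probing that stays under the rate: 8 ports spread over a minute
    for i in range(8):
        pk.append(Packet(100.0 + i * 8.0, "192.0.2.77", "203.0.113.10", 1000 + i, True))
    return pk


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

The slow probe from 192.0.2.77 is deliberately not caught: a threshold detector only sees what falls inside its window, which is why the text's point about correlating several layers and sources matters for anything slower than the window.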

Installing and Managing ISA Server Clients

Lesson 1: Choosing an ISA Server Client :

ISA Server Client Options :

An ISA Server client is a client computer that connects to resources on another network by going through the ISA Server computer. In most cases, ISA Server clients are used to provide access to the Internet for users on the Internal network. The type of client you use on your network depends primarily on your security requirements and on whether you want to deploy Firewall Client software to each client computer on your network.

ISA Server supports three types of clients:
1- Firewall clients: Firewall clients are computers on which Firewall Client software has been installed and enabled. When a computer with the Firewall Client software installed requests resources on the Internet, the request is directed to the Firewall service on the ISA Server computer. The Firewall service authenticates and authorizes the user and filters the request based on Firewall rules and application filters or other add-ins. Firewall clients provide the highest level of functionality and security.

2- SecureNAT clients: SecureNAT clients do not require any client installation or configuration. SecureNAT clients are configured to route all requests for resources on other networks to the internal Internet Protocol (IP) address of the ISA Server computer. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA Server as the default gateway. SecureNAT clients are easiest to configure because only the default gateway on the client computers must be configured.

3- Web Proxy clients: Web Proxy clients are any computers that run Web applications that comply with Hypertext Transfer Protocol (HTTP) 1.1, such as Web browsers. Requests from Web Proxy clients are directed to the Firewall service on the ISA Server computer. Because most client computers already run Web Proxy–compatible applications, Web Proxy clients do not require the installation of special software. However, the Web application must be configured to use the ISA Server computer.

Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use ISA Server for proxy services, all HTTP, File Transfer Protocol (FTP), and Hypertext Transfer Protocol Secure (HTTPS) are sent to the Web Proxy listener on ISA Server.

What Is a Firewall Client?
The Firewall client computer uses the Firewall Client application when initiating connections to the ISA Server computer. This means that the Firewall Client application must be installed on each client computer.

Many applications running on Windows computers use the Winsock application programming interface (API) to communicate with services running on other computers. Winsock applications use sockets to connect to applications running on another computer. For example, for a Web browser to connect to a Web server, the Web browser uses a Transmission Control Protocol (TCP) socket to connect to the Web server. In this case, the socket includes the IP address of the destination computer, the protocol used (TCP), and the port number on which the server is listening (Port 80). All applications use the same sockets to connect to the same services regardless of the operating system that is running on the client computer and the application server.

The Firewall Client application changes how a client computer connects to resources on the Internet using Winsock applications. After you install the Firewall Client, when the client computer initiates a Winsock application, the Firewall Client intercepts the application calls. The Firewall Client checks the destination computer name or IP address and determines whether to route the request to the ISA Server computer or to a server on the local network. If the destination computer is not local, the request is sent to the Firewall service on the ISA Server computer. The Firewall service accepts the request and authenticates the user. The Firewall service also checks whether any filtering rules apply to the request. If the request is allowed, the Firewall service initiates a new socket connection with the destination server. The destination server responds to the ISA Server computer, which then replies to the client computer.
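The local-or-remote decision above, and the difference between what ISA Server receives from a Firewall client and from a SecureNAT client, as an added example. This is a model, not Microsoft's Firewall Client: the local address ranges, the local domain suffix, the ISA Server address and the user names are constructed. The Firewall service control channel on TCP/UDP port 1745 is ISA Server's default; treating single-label names as local is this model's rule.

```python
"""Added example: the Firewall Client's intercept decision next to what a
SecureNAT client produces. Not Microsoft code; configuration is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple


@dataclass(frozen=True)
class FirewallClientConfig:
    local_ranges: Tuple[str, ...]    # reachable without ISA Server (constructed)
    local_domains: Tuple[str, ...]   # DNS suffixes treated as local (constructed)
    isa_server: str                  # internal address of the ISA Server computer (constructed)
    firewall_port: int = 1745        # Firewall service control channel, ISA default


def is_local_destination(dest: str, cfg: FirewallClientConfig) -> bool:
    """IP literals are checked against the local ranges; names against the
    local domain suffixes. A single-label name (no dot) counts as local."""
    try:
        addr = ip_address(dest)
    except ValueError:
        host = dest.lower().rstrip(".")
        return "." not in host or any(
            host == d or host.endswith("." + d) for d in cfg.local_domains)
    return any(addr in ip_network(r) for r in cfg.local_ranges)


def firewall_client_connect(user: str, app: str, dest: str, port: int,
                            cfg: FirewallClientConfig) -> Dict[str, object]:
    """What the intercepted connect() turns into. Local: the socket is opened
    exactly as the application asked. Remote: the request, carrying the user
    and the still-unresolved destination name, goes to the Firewall service,
    which authenticates the user, applies the rules and opens the real socket."""
    if is_local_destination(dest, cfg):
        return {"path": "direct", "socket": (dest, port)}
    return {"path": "firewall-service",
            "socket": (cfg.isa_server, cfg.firewall_port),
            "request": {"user": user, "application": app,
                        "destination": dest, "port": port}}


def securenat_packet(src_ip: str, dest_ip: str, port: int) -> Dict[str, object]:
    """A SecureNAT client just follows its default gateway: ISA Server sees an
    IP packet with no user or application attached, so only address- and
    protocol-based rules can apply to it."""
    return {"path": "default-gateway", "src": src_ip, "dst": dest_ip,
            "port": port, "user": None, "application": None}


CFG = FirewallClientConfig(
    local_ranges=("10.0.0.0/16", "192.168.1.0/24"),
    local_domains=("contoso.local",),
    isa_server="10.0.0.1",
)

if __name__ == "__main__":
    print(firewall_client_connect("CONTOSO\\alice", "iexplore.exe", "fs01.contoso.local", 445, CFG))
    print(firewall_client_connect("CONTOSO\\alice", "iexplore.exe", "www.example.com", 80, CFG))
    print(securenat_packet("10.0.3.9", "203.0.113.7", 25))
```

The suffix test is deliberately strict: "evil.contoso.local.example.com" is not local even though it contains the local suffix, because only a match on the whole trailing label sequence counts.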

Securing and Maintaining ISA Server 2004

Lesson 1: Securing ISA Server 2004

Securing the computer running ISA Server is vital to ensuring your organization’s security. To secure the ISA Server computer, ensure the security of the computer itself, the operating system running on the computer, and the ISA Server configuration. After installation, ISA Server starts with a default configuration that blocks all traffic between networks connected to ISA Server but enables some traffic between the ISA Server computer and other networks. As an ISA Server administrator, you will need to modify the default configuration. The third step in ensuring ISA Server security is to manage the administrative permissions users have on ISA Server.

How to Harden the Server :

ISA Server runs on computers running Microsoft Windows 2000 Server or Windows Server 2003, so the first step of securing ISA Server is to ensure that the computer and operating system are as secure as possible. Securing the computer includes the following components:
1 - Securing the network interfaces
2 - Ensuring that only required system services are enabled
3 - Ensuring that security updates are applied.

How to Secure the Network Interfaces
To secure ISA Server, begin by securing the network interfaces connected to the server. By default, network interfaces in both Windows 2000 Server and Windows Server 2003 are configured to facilitate connecting other computers on the network to the server. On an ISA Server computer, ensure that clients can connect to the network interfaces only to access specific resources. Although both the interface connected to the Internet and the interface connected to the Internal network need to be secured, it is particularly important to secure the interface that is connected to the Internet.

Securing the External Network Interface
The external interface of your ISA Server computer is likely to be directly attached to the Internet, where it may be exposed to an attack from anywhere on the Internet. To secure the external interface on the ISA Server computer, complete the following actions:

1- Disable File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks. File and Printer Sharing for Microsoft Networks allows the machine to share Server Message Block/Common Internet File System (SMB/CIFS) resources. The Client for Microsoft Networks allows the machine to access SMB/CIFS resources. These options can enable NetBIOS and Direct Hosting ports, both of which are used for conventional file sharing and access on Microsoft networks.
2- Disable NetBIOS over TCP/IP. NetBIOS over TCP/IP is required if the computer needs to be configured as a Windows Internet Naming Service (WINS) client, needs to send out NetBIOS broadcasts, needs to send out browser service announcements, or needs to access NetBIOS resources. The ISA Server computer should not send or receive any NetBIOS packets to the Internet.
3- Disable the LMHOSTS Lookup option. The LMHOSTS file is used to enable NetBIOS name lookups. The ISA Server computer should not connect to any computers on the Internet using NetBIOS. If you disable LMHOSTS lookup, be aware that this option is disabled for all network interfaces on the ISA Server computer.
4- Disable automatic Domain Name System (DNS) name registration. By default, Windows 2000 and Windows Server 2003 computers attempt to register their IP addresses with a DNS server. The ISA Server computer should not register the IP address for its external interface with DNS servers on the Internet or with DNS servers inside the network.

Securing the Internal Network Interface
In addition to securing the external interface, you should secure the internal interface on the computer running ISA Server. However, in many cases, you may require more functionality on the internal interface, so you must ensure that you disable only the components that are not required.
■ Leave File and Printer Sharing for Microsoft Networks enabled on the internal interface if you want internal network clients to access the Firewall Client software. If the client installation files are stored on another computer, you can disable File and Printer Sharing.
■ Client for Microsoft Networks must also be enabled if you want to access resources on the internal network or authenticate to internal resources.
■ Disable NetBIOS over TCP/IP if you do not have any legacy client computers or NetBIOS-based applications on the network that need access to the ISA Server computer.
■ Leave automatic DNS name registration enabled on the internal network interface so that the ISA Server computer’s IP address is registered in DNS. If you do not have dynamic updates enabled on the DNS zone, disable this option and manually configure the host record in DNS.

MCP 70-350 : Installing ISA Server 2004

Network Infrastructure Requirements :

For your ISA Server implementation to succeed, you must ensure that the network infrastructure supports the ISA Server implementation. To support your ISA Server infrastructure, the following networking services must be installed and configured on your network:
- DNS
- Domain controllers
- DHCP
These supporting services are critical to the proper functioning of your ISA Server network infrastructure.
Domain Name System Requirements
To connect to resources on the Internet, client computers must be able to resolve the DNS names for servers on the Internet to IP addresses. If you publish internal servers to the Internet, users on the Internet must be able to resolve the DNS names for the published servers to an IP address. To enable both of these scenarios, a DNS infrastructure must be in place to provide name-resolution services.

To enable access to Internet resources, ensure that all client computers can resolve Internet DNS names. At a high level, you have two options for enabling name resolution for Internet resources: You can use an internal DNS server that can resolve both internal and Internet DNS addresses, or you can use an external DNS server to resolve IP addresses on the Internet.

To Use an Internal DNS Server
Many organizations have deployed DNS servers on their internal networks. If you have deployed Active Directory in Microsoft Windows 2000 Server or in Windows Server 2003, DNS is required for domain replication and user authentication, so all client computers running Windows 2000 or later must be able to resolve the DNS names for domain controllers. In this environment, the internal DNS server is configured with DNS zones for your Active Directory domains.

To allow internal users to access Internet resources, the internal DNS servers must also be configured to resolve Internet DNS names. One way to enable this is to configure the DNS servers to forward all requests for Internet name resolution to DNS servers on the Internet. When you configure a DNS server to use a forwarder, it sends to the forwarder requests for domains for which it is not authoritative.

To Use an External DNS Server
Some organizations have not deployed internal DNS servers or have not configured the internal DNS servers to resolve Internet DNS names. In this situation, all Internet name resolution must be performed by DNS servers on the Internet. You have two options to enable this. If you use Web Proxy clients and Firewall clients, ISA Server can function as a DNS proxy server to resolve Internet DNS requests on the client’s behalf, so the clients themselves need no Internet DNS server. If you use SecureNAT clients, each client must be configured with the IP address of a DNS server that can resolve Internet names, and an access rule must allow the clients’ DNS traffic to pass through ISA Server.

Domain Controller Requirements :
If you want to restrict access to Internet resources based on user accounts, or if you want to require authentication before users can access published servers, ISA Server must be able to access a directory of user accounts to determine whether the user should have access. ISA Server provides several options for authenticating the users, including Remote Authentication Dial-In User Service (RADIUS), RSA SecureID, or the local user account database on the computer running ISA Server. However, the easiest option to implement for most organizations is to use a domain directory service to authenticate the users. Most organizations already have a domain infrastructure that includes all the user accounts; in such cases, ISA Server can use this directory service to authenticate user accounts.

You can use Windows 2000, Windows Server 2003, or Windows NT 4 domains to perform this service. To use the domain for authentication, the server running ISA Server must be a member of the domain. In addition, ISA Server must be able to communicate with the domain controllers on the internal network. If you use Active Directory in Windows Server 2003 or Windows 2000, you must configure the internal network interface on the ISA Server computer with the IP address of a DNS server that can resolve the IP addresses for the local domain controllers.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 3: Explaining ISA Server Deployment Scenarios

How ISA Server Works as an Internet-Edge Firewall :

One of the primary deployment scenarios for ISA Server 2004 is as an Internet-edge firewall. An Internet-edge firewall is deployed at the connecting point between the Internet and the internal network. In this scenario, ISA Server provides both a secure gateway for internal users to the Internet and a firewall that prevents unauthorized access and malicious content from entering the network.
As an Internet-edge firewall, ISA Server is the one entry point, as well as the primary security boundary, between the internal network and the Internet. ISA Server is deployed with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may also have a third NIC that is connected to a perimeter network. In this scenario, the following occurs:
1- ISA Server blocks all Internet traffic from entering an organization’s network unless the traffic is explicitly allowed. Because ISA Server is the primary security boundary, all components of ISA Server firewall functionality are implemented, including multilayered traffic filtering, application filtering, and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened to protect against operating system–level attacks.
2- ISA Server is used to make specified servers or services on the internal network accessible to Internet clients. This access is configured by publishing the server or by configuring firewall access rules. ISA Server filters all inbound requests and allows only traffic specified by the access rules.
3- ISA Server may also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.
4- All client requests for resources on the Internet pass through ISA Server. ISA Server enforces an organization’s policies defining which users are allowed to access the Internet, which applications and protocols can be used to do so, and which Web sites are permitted.

How ISA Server Works as a Back-End Firewall :

In some cases, an organization may choose to deploy ISA Server as a second firewall in a multiple-firewall configuration. This scenario enables organizations to use their existing firewall infrastructure but also enables the use of ISA Server as an advanced application-filtering firewall.
Many organizations implement a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while the second network adapter on the firewall is connected to the perimeter network. The back-end firewall has one network adapter that is connected to the perimeter network and a second network adapter connected to the internal network. All network traffic must flow through both firewalls and through the perimeter network to pass between the Internet and the internal network.

For organizations that already have a hardware-based firewall deployed as the Internet- edge firewall, ISA Server can provide valuable additional functionality as the backend firewall. In particular, the advanced application-filtering functionality of ISA Server can ensure that specific applications are published securely. In this scenario, the following occurs:
1- ISA Server can be used to provide secure access to an organization’s Exchange Server computers. Because computers running Exchange Server must be members of an Active Directory domain, some organizations prefer not to locate the Exchange Server computers in a perimeter network. ISA Server enables access to the Exchange Server computers on the internal network through secure OWA publishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
2- ISA Server may also be used to publish other secure Web sites or Web applications. If the Web servers are located on the internal network, ISA Server can be configured to publish the Web servers to the Internet. In this case, the advanced application filters on ISA Server can be used to inspect all network traffic being forwarded to the Web server.
3- ISA Server may also be used as a Web proxy and caching server in the above scenario. In this case, all client requests for resources on the Internet or within the perimeter network pass through ISA Server. ISA Server enforces the organization’s policies for secure Internet access.

11 Deploying, Configuring, and Managing SSL Certificates

Client Certificates :
Although Basic, Digest, and Integrated Windows authentication are the most common ways to authenticate users, you can also authenticate users with certificates. In anonymous environments, where many requests go unauthenticated, client certificates are not a good solution. Client certificates require an administrator to have access to the IIS server and to each client that will be connecting to it. This is not feasible in many Internet solutions, in which clients from just about anywhere can be used to attempt a connection. On the other hand, client certificates are the only way to connect to IIS when all other authentication methods—Anonymous, Basic, Integrated, Digest, and Passport— are disabled on the server.

Although the simplest way to authenticate users with certificates is to allow any user with a valid certificate to access the site, this does little to provide security for your organization. By default, your IIS server will trust certificates issued by any trusted root CA, including public CAs that issue user certificates to people you might not want accessing your site.

One-to-one client certificate mapping :
Client certificate mapping has two modes: one-to-one and many-to-one. One-to-one certificate mapping relates a single exported certificate to an Active Directory user account, as shown in Figure 11.4. When Web users present the certificate, they will be authenticated as if they had presented a valid user name and password.

To add one-to-one certificate mappings, first export the user’s certificate. Then perform these steps:
1. View the properties for the Web site, click the Directory Security tab, and click the Edit button in the Secure Communications box.
2. Select the Enable Client Certificate Mapping check box, and then click the Edit button.
3. Click the 1-1 tab, and then click the Add button.
4. Select the exported certificate, and then click Open.
5. Complete the Map Name, Account, and Password boxes, and then click OK.
6. Confirm the password when prompted, and then click OK again.

Many-to-one client certificate mapping :
Many-to-one certificate mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as the issuer or subject. This mapping does not identify individual client certificates; it accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all the same user information, the existing mapping will still work. Certificates do not need to be exported for use in many-to-one mappings.
To add many-to-one certificate mappings, follow this procedure:

1. View the properties for the Web site, and then click the Directory Security tab.
2. Click the Edit button in the Secure Communications box.
3. Select the Enable Client Certificate Mapping check box, and then click the Edit button.
4. Click the Many-1 tab, and then click the Add button.
5. On the General page, type a name for the rule in the Description box. Click Next.
6. On the Rules page, click New to add a rule.
7. In the Edit Rule Element dialog box, click the Certificate Field list to choose either Issuer or Subject. Select Issuer to filter based on the CA that issued the certificate. Choose Subject to filter based on who the certificate was issued to. After completing the rule element, click OK.
8. To add an additional rule, return to step 6.
9. Click Next.
10. On the Mapping page, click Refuse Access to reject logons that match the criteria, or click Accept This Certificate For Logon Authentication to map matching certificates to a user account. If you choose to accept the certificate, complete the Account and Password boxes. Click Finish. If prompted, confirm the password and then click OK.
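The one-to-one and many-to-one mapping modes above as a small executable model. This is an added example, not IIS code: the fingerprint stands in for the exported certificate file, issuer and subject are plain dictionaries with constructed sample values, and the evaluation order (1-1 mappings before Many-1 rules, first matching Many-1 rule decides) is an assumption of this model.

```python
"""One-to-one and many-to-one client certificate mapping as a model. Added example, not
IIS code: the fingerprint stands in for the exported certificate file, issuer and subject
are plain dictionaries, and the evaluation order is an assumption stated in authenticate()."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    fingerprint: str         # identifies the exported certificate used by a 1-1 mapping
    issuer: Dict[str, str]   # e.g. {"O": "Contoso", "CN": "Contoso Root CA"}
    subject: Dict[str, str]  # e.g. {"O": "Contoso", "OU": "Sales", "CN": "alice"}

@dataclass(frozen=True)
class RuleElement:
    certificate_field: str   # "Issuer" or "Subject" (the Certificate Field list in step 7)
    sub_field: str           # O, OU, CN, ...
    criteria: str            # wildcard pattern entered in the Edit Rule Element dialog

    def matches(self, cert: Cert) -> bool:
        name = cert.issuer if self.certificate_field == "Issuer" else cert.subject
        value = name.get(self.sub_field)
        return value is not None and fnmatchcase(value, self.criteria)

@dataclass
class ManyToOneRule:
    description: str
    elements: List[RuleElement]    # every element must match
    accept: bool                   # True: Accept This Certificate For Logon Authentication; False: Refuse Access
    account: Optional[str] = None  # account mapped to when accept is True

    def matches(self, cert: Cert) -> bool:
        return all(e.matches(cert) for e in self.elements)

class CertificateMapper:
    def __init__(self) -> None:
        self.one_to_one: Dict[str, str] = {}      # exported certificate -> account
        self.many_to_one: List[ManyToOneRule] = []

    def add_one_to_one(self, cert: Cert, account: str) -> None:
        self.one_to_one[cert.fingerprint] = account

    def add_many_to_one(self, rule: ManyToOneRule) -> None:
        self.many_to_one.append(rule)

    def authenticate(self, cert: Cert) -> Optional[str]:
        """Account the client is logged on as, or None when access is refused.
        Assumed order: 1-1 mappings first, then Many-1 rules in order, first match decides."""
        if cert.fingerprint in self.one_to_one:
            return self.one_to_one[cert.fingerprint]
        for rule in self.many_to_one:
            if rule.matches(cert):
                return rule.account if rule.accept else None
        return None   # no mapping matched: no logon

# Constructed sample certificates
CONTOSO_CA = {"O": "Contoso", "CN": "Contoso Root CA"}
PUBLIC_CA = {"O": "Example Public CA", "CN": "Example Public CA"}
ALICE = Cert("aa:11", CONTOSO_CA, {"O": "Contoso", "OU": "Sales", "CN": "alice"})
ALICE_RENEWED = Cert("bb:22", CONTOSO_CA, {"O": "Contoso", "OU": "Sales", "CN": "alice"})
CAROL = Cert("cc:33", CONTOSO_CA, {"O": "Contoso", "OU": "Engineering", "CN": "carol"})
BOB_PUBLIC = Cert("dd:44", PUBLIC_CA, {"O": "Contoso", "OU": "Sales", "CN": "bob"})

def build_sample_mapper() -> CertificateMapper:
    m = CertificateMapper()
    m.add_one_to_one(ALICE, r"CONTOSO\alice")
    m.add_many_to_one(ManyToOneRule("Contoso Sales staff",
        [RuleElement("Issuer", "CN", "Contoso Root CA"), RuleElement("Subject", "OU", "Sales")],
        accept=True, account=r"CONTOSO\SalesWeb"))
    # Everything not accepted above is refused. Matching on Subject alone would let a
    # certificate from a public CA carrying the same subject fields through.
    m.add_many_to_one(ManyToOneRule("Refuse everything else",
        [RuleElement("Issuer", "CN", "*")], accept=False))
    return m
```

The renewed certificate shows the behaviour the text describes: the 1-1 mapping no longer matches, while the Many-1 rule still accepts it because the issuer and subject fields are unchanged.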

Certificate trust lists :
You can use the Certificate Trust List Wizard to obtain and manage CTLs. A CTL is a list of trusted CAs for a particular Web site. By configuring your CTL, you can allow client certificates issued by a specific CA but deny client certificates issued from other CAs. CTLs are available only at the Web-site level and are not available for File Transfer Protocol (FTP) sites.
To use the Certificate Trust List Wizard, perform the following steps:
1. View the properties for the Web site, click the Directory Security tab, and then click the Edit button in the Secure Communications box.
2. Select the Enable Certificate Trust List check box.
3. Click the New button to open the Certificate Trust List Wizard, which allows you to select CAs from the local machine authority or an exported certificate file.

Troubleshooting SSL :
Troubleshooting SSL-encrypted connections is difficult because, like IPSec connections, the traffic is encrypted. In some ways, troubleshooting SSL is even more difficult than troubleshooting IPSec because of the wide variety of Web browser clients that need to be able to analyze your public key certificate and establish an HTTPS connection to your Web server. Though the problems are much less frequent than they were in the late 1990s when the use of HTTPS was only beginning to gain popularity, you can run into problems when using a non-Microsoft browser that you would not experience when using Internet Explorer. Because you often have no control over what browser end users use, you might have to isolate the source of the problem to determine which component is not compliant with standards.

The SSL Diagnostic Utility for IIS, available from http://www.microsoft.com/technet/prodtechnol/windowsserver2003/downloads/ssldiags.asp, is helpful for isolating SSL-related problems. As shown in Figure 11.6, it provides a much more detailed analysis of HTTPS traffic than is possible by capturing SSL traffic by using Network Monitor.

The SSL Diagnostic Utility has the capability to quickly create a self-signed SSL certificate. If you are experiencing problems with a certificate, you can create a self-signed certificate to determine whether the problem occurs with a different certificate. If the problem occurs with your original certificate but not with the certificate generated by the SSL Diagnostic Utility, you know the problem you are experiencing is related to a unique aspect of the original certificate. You can then quickly restore the original certificate to continue troubleshooting.

10 Planning and Implementing Security for Wireless Networks

Lesson 1: Wireless Network Security Fundamentals

Wireless networks have these weaknesses too, but they lack the inherent physical security of wired networks. In fact, most corporate wireless networks can be accessed by people with mobile computers in the business’ parking lot. To make matters worse, attackers have significant motivation to abuse wireless networks. Accessing a wireless network might grant an attacker access to resources on an organization’s internal network. Or it might allow the attacker to access the public Internet while hiding his or her identity, which would allow the intruder to attack hosts on remote networks while disguised with the organization’s IP addresses.

The concerns over the abuse of wireless networks are far from theoretical. Intruders have a wide variety of tools available for detecting, connecting to, and abusing wireless networks. As with most aspects of security, there are technologies available that can help you to limit the vulnerabilities presented by wireless networks. Specifically, you can require wireless communications to be authenticated and encrypted. This provides assurance similar to that offered by the physical security of wired networks. The game between security experts and attackers continues, however, and early wireless authentication and encryption technologies can now be easily defeated by an intruder.

Security Threats :
Because wireless communications are not contained within the physical medium of a wire, wireless networks are more vulnerable to several types of attacks, including:
■ Eavesdropping. Attackers can capture traffic as it is sent between a wireless computer and the WAP. Depending on the type of antenna used and the transmitting power, an attacker might be able to eavesdrop from hundreds or thousands of feet away.
■ Masquerading. Attackers might be able to gain access to restricted network resources by impersonating authorized wireless users.
■ Attacks against wireless clients. Attackers can launch a network-based attack on a wireless computer that is connected to an ad hoc or untrusted wireless network.
■ Denial of service. Attackers can jam the wireless frequencies by using a transmitter, preventing legitimate users from successfully communicating with a WAP.
■ Data tampering. Attackers can delete, replay, or modify wireless communications with a man-in-the-middle attack.

WEP :
WEP is a wireless security protocol that helps protect your information by using a security setting, called a shared secret or a shared key, to encrypt network traffic before transmitting it over the airwaves. This helps prevent unauthorized users from accessing the data as it is being transmitted.

Unfortunately, some smart cryptographers found several theoretical ways to discover WEP’s shared secret by analyzing captured traffic. These theoretical weaknesses were quickly implemented in freely available software. The combination of free tools for cracking WEP encryption, the ease of capturing wireless traffic, and the dense proliferation of wireless networks have led WEP to become the most frequently cracked network encryption protocol today.

Besides weak cryptography, another factor contributing to WEP’s vulnerability is that WEP is difficult to manage because it doesn’t provide any mechanism for changing the shared secret. On wireless networks with hundreds of hosts configured to use a WAP, it is practically impossible to regularly change the shared secret on all hosts. As a result, the WEP shared secret tends to stay the same indefinitely. This gives attackers sufficient opportunity to crack the shared secret and all the time they need to abuse their ill-gotten network access.

Lesson 3: Troubleshooting IPSec

General Troubleshooting Guidelines
Regardless of the type of problem you are experiencing, you should first make sure that the necessary services are started and set to automatic on both IPSec peers. On computers running Windows Server 2003, the IPSec Services service must be started. On computers running Windows 2000, the IPSec Policy Agent service must be started. Sometimes, especially after making significant changes, you might be able to resolve a problem by restarting IPSec services. This completely clears the IKE negotiation state. You can restart IPSec services from a command prompt by running the following commands:

net stop policyagent
net start policyagent

This is simply a quick way to restart IPSec without restarting the computer. After restarting the IPSec services on both computers, attempt to establish a secure connection. If the problem persists, restart the operating systems on both IPSec peers and try again.

Kerberos Authentication Problems :
Kerberos authentication is the default IPSec authentication method. You can quickly identify whether IPSec connectivity problems are caused by authentication by temporarily changing the IPSec authentication method on both IPSec peers to Preshared Key. If IPSec communications succeed with Preshared Key, Kerberos authentication is probably the source of the problem.

For Kerberos authentication to be successful, both IPSec peers must have valid computer accounts in trusted domains, and they must be able to authenticate the remote computers. Each IPSec peer must be able to communicate with domain controllers without having the authentication requests filtered. In earlier versions of Windows, IPSec automatically allowed Kerberos traffic. However, the Kerberos protocol is no longer a default exemption in Windows Server 2003.

Certificate Authentication Problems :
Certificates are a common method for authenticating computers that are not in a trusted domain environment. If you are experiencing problems with IPSec and want to verify that the problem is related to authentication, temporarily change the IPSec authentication method on both IPSec peers to Preshared Key. If IPSec communications succeed with Preshared Key but fail with certificates, the problem is almost certainly related to certificates.
If you have multiple rules in a policy, double-check that those rules will use the same authentication method consistently for any single remote computer. It is acceptable to have a policy that configures Kerberos authentication for hosts on an internal network and uses certificates for hosts on an external network. However, you cannot create one rule that uses Kerberos to authenticate just Transmission Control Protocol (TCP) data and a second rule that authenticates User Datagram Protocol (UDP) traffic by using certificates, for example. The IP Security Policy Management snap-in will not prevent you from creating these rules, but they will not work properly. All rules that apply to a single remote host must use a single authentication method.

Troubleshooting Firewalls, Routers, and Packet Filtering :
Packet filtering at firewalls is a common source of IPSec problems because IPSec cannot be permitted or blocked by applying the techniques used for most applications. First, your firewall must allow two-way traffic with a UDP destination port of 500. If the firewall is also a NAT server and you will be using Network Address Translation Traversal (NAT-T), you must also allow UDP traffic with a destination port of 4500. Second, the firewall must allow traffic with an IP protocol ID of 50, which is used by ESP. If you are using AH instead of ESP, you must allow IP protocol 51.

Network Address Translation Problems :
Network Address Translation (NAT) is a common technique for connecting a privately numbered internal network to a public network such as the Internet. As Chapter 8 discussed, earlier implementations of IPSec were not compatible with NAT. This makes sense, because NAT’s purpose is to modify the source or destination IP address in a packet without the client or server being aware, and part of IPSec’s purpose is to discard packets that have been modified in transit.

MCP 70-299 : 8 - Planning and Configuring IPSec

Lesson 3: Configuring IPSec

IP Filters :

IP filters describe network traffic and are used by IPSec policies to determine whether an IP security rule should apply to an individual packet. IP filters can specify traffic to or from a set of IP addresses, WINS servers, DNS servers, DHCP servers, or a default gateway. You can also configure an IP filter to match a packet’s source or destination port number, or even a packet’s IP protocol number. Each of the following examples can be specified by either a single IPSec IP filter or a combination of multiple filters:
■ All traffic to or from IP address 10.4.22.17
■ All Internet Control Message Protocol (ICMP) traffic to or from the default gateway
■ All traffic sent to TCP port 80, except traffic sent from the internal network
■ All outbound connections, except those to specific servers
Multiple IP filters can be combined into an IP filter list. In fact, adding an IP filter to an IP filter list is the only thing you can do with an IP filter, because IPSec policies only allow you to specify IP filter lists. If your needs are simple, you can make an IP filter list that consists of a single IP filter. However, most IP filter lists will consist of multiple IP filters.

Filter Actions :

You use filter actions, also referred to as security methods, to define how an IPSec policy should handle traffic that matches an IP filter. A filter action responds in one of three ways: it drops the traffic, it allows the traffic, or it attempts to negotiate security. If you choose the Permit or Block options for a filter action, there is nothing left to configure. In fact, you never need more than one filter action for each of the Permit and Block options.

There are several additional settings to consider when you configure a filter action to negotiate security. First, you must choose whether the server will allow communications with clients that do not support IPSec by selecting or clearing the Allow Unsecured Communication With Non-IPSec-Aware Computers check box. You can require IPSec only when all client computers are IPSec-enabled; otherwise, clients without IPSec will be denied access to the server. Generally, this setting is enabled only when Active Directory is used to deploy IPSec configuration settings to all networked computers.
You should use the Filter Action Wizard to configure filter actions whenever possible, because configuring integrity and encryption settings can be complicated. The IP Traffic Security page of the wizard enables you to specify the protection suites associated with the filter action. You can choose Integrity And Encryption, Integrity Only, or Custom. If you select Integrity And Encryption, the wizard configures the filter action with ESP-based integrity verification (using Secure Hash Algorithm 1 [SHA1] by default) and encryption (using Triple Data Encryption Standard [3DES] by default). If you select Integrity Only, 3DES encryption is disabled.

IP Security Rules :

An IP security rule consists of an IP filter list, a filter action, and, optionally, a connection type and tunnel endpoint. You can specify only one IP filter list and one filter action per rule. If the rule pertains to traffic traveling between networks across an IPSec tunnel, you should provide the IP address of the tunnel endpoint. This does not conflict with your ability to add IP filter lists; you can configure an endpoint and apply the rule only to traffic on a specific subnet within the destination network accessible through the IPSec tunnel.
The default response rule is used to configure the computer to respond to requests for secure communication when no other rules match the traffic. If an active policy does not have a rule defined for a computer that is requesting secure communication, the default response rule is applied and security is negotiated. For example, when Computer A communicates securely with Computer B, and Computer B does not have an inbound filter defined for Computer A, the default response rule is used.
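The filter, filter action and rule objects from the three sections above as an executable model. This is an added example, not the Windows IPSec driver: the addresses are constructed (10.4.22.17 is the server from the IP filter examples), "most specific filter wins" is reduced to a prefix-length score, and the last method reproduces the check from the Certificate Authentication Problems section earlier on this page, that all rules applying to one remote host must share an authentication method.

```python
"""Model of the IPSec policy objects described above: IP filters in filter lists, filter actions
(Permit, Block, Negotiate), IP security rules, and a policy with a default response rule.
Added example, not the Windows IPSec driver; "most specific filter wins" is simplified."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class IPFilter:
    src: str = "0.0.0.0/0"           # address, subnet, or any
    dst: str = "0.0.0.0/0"
    protocol: Optional[int] = None   # None matches any IP protocol number
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    mirrored: bool = True            # also match traffic in the reply direction

    def _one_way(self, pkt, src, dst, sport, dport):
        return (ip_address(pkt.src) in ip_network(src) and ip_address(pkt.dst) in ip_network(dst)
                and (self.protocol is None or pkt.protocol == self.protocol)
                and (sport is None or pkt.src_port == sport) and (dport is None or pkt.dst_port == dport))
    def matches(self, pkt: Packet) -> bool:
        return (self._one_way(pkt, self.src, self.dst, self.src_port, self.dst_port)
                or (self.mirrored and self._one_way(pkt, self.dst, self.src, self.dst_port, self.src_port)))
    def specificity(self) -> int:
        # Longer prefixes and an explicit protocol or port make a filter more specific
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
                + 8 * (self.protocol is not None) + 16 * (self.src_port is not None) + 16 * (self.dst_port is not None))
    def concerns(self, host: str) -> bool:
        return any(ip_address(host) in ip_network(end) for end in (self.src, self.dst))

@dataclass
class IPFilterList:
    name: str
    filters: List[IPFilter]          # one filter or many

    def best_match(self, pkt: Packet) -> Optional[IPFilter]:
        hits = [f for f in self.filters if f.matches(pkt)]
        return max(hits, key=IPFilter.specificity) if hits else None

@dataclass
class FilterAction:
    name: str
    action: str                      # "permit", "block" or "negotiate"
    allow_unsecured: bool = False    # Allow Unsecured Communication With Non-IPSec-Aware Computers

@dataclass
class IPSecurityRule:
    name: str
    filter_list: IPFilterList        # exactly one filter list ...
    filter_action: FilterAction      # ... and one filter action per rule
    authentication: str = "kerberos" # kerberos | certificate | psk

@dataclass
class IPSecPolicy:
    name: str
    rules: List[IPSecurityRule]
    default_response: bool = True    # the default response rule is activated

    def rule_for(self, pkt: Packet) -> Optional[IPSecurityRule]:
        hits = [(f.specificity(), r) for r in self.rules for f in [r.filter_list.best_match(pkt)] if f is not None]
        return max(hits, key=lambda t: t[0])[1] if hits else None
    def decide(self, pkt: Packet, peer_ipsec_aware=True, peer_requests_security=False) -> str:
        """Outcome for one packet: 'permit' (plain IP), 'block', or 'negotiate'."""
        rule = self.rule_for(pkt)
        if rule is None:   # no rule matches: the default response rule answers a peer asking for security
            return "negotiate" if (self.default_response and peer_requests_security) else "permit"
        fa = rule.filter_action
        if fa.action in ("permit", "block"):
            return fa.action
        if peer_ipsec_aware:
            return "negotiate"
        return "permit" if fa.allow_unsecured else "block"   # non-IPSec-aware peer: clear text or denied
    def authentication_methods_for(self, host: str) -> set:
        """Methods of every negotiating rule that can apply to `host`; more than one is the
        misconfiguration under Certificate Authentication Problems (accepted by the snap-in, but broken)."""
        return {r.authentication for r in self.rules if r.filter_action.action == "negotiate"
                and any(f.concerns(host) for f in r.filter_list.filters)}

# Constructed sample policy; 10.4.22.17 is the server from the IP filter examples above
INTERNAL, SERVER, GATEWAY = "192.168.1.0/24", "10.4.22.17/32", "192.168.1.1/32"
NEGOTIATE = FilterAction("Require Security", "negotiate")
PERMIT, BLOCK = FilterAction("Permit", "permit"), FilterAction("Block", "block")   # one of each is all you need
SAMPLE_POLICY = IPSecPolicy("Server (Require Security)", [
    IPSecurityRule("TCP to server", IPFilterList("Server TCP", [IPFilter(INTERNAL, SERVER, TCP)]), NEGOTIATE, "kerberos"),
    IPSecurityRule("UDP to server", IPFilterList("Server UDP", [IPFilter(INTERNAL, SERVER, UDP)]), NEGOTIATE, "certificate"),
    IPSecurityRule("Block Telnet", IPFilterList("Telnet", [IPFilter(INTERNAL, SERVER, TCP, dst_port=23)]), BLOCK),
    IPSecurityRule("ICMP to gateway", IPFilterList("Gateway ICMP", [IPFilter(INTERNAL, GATEWAY, ICMP)]), PERMIT),
])
```

The sample deliberately contains the TCP-by-Kerberos, UDP-by-certificate pair the troubleshooting section warns about, so `authentication_methods_for("10.4.22.17")` reports two methods for one host.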

Configuring IP Security Policies with Graphical Tools :

IP filters, filter actions, and IP security rules are only useful when added to an IP security policy. When configuring IP security policies on the local computer, you can use the IP Security Policy Management snap-in. You can also use the Group Policy Object Editor snap-in to edit either local or domain GPOs. In the Group Policy Object Editor, expand Computer Configuration, Windows Settings, Security Settings, and then click either IP Security Policies On Local Computer or IP Security Policies On Active Directory. Because this node might have several different labels, this chapter will refer to it as simply IP Security Policies.
To create a new security policy, right-click the applicable IP Security Policies node in the Group Policy Object Editor or IP Security Policy Management snap-in, and then click Create IP Security Policy. This opens the IP Security Policy Wizard, which guides you through the process of creating a security policy.
During the configuration process, you will be prompted to activate the default response rule. In most cases, you should enable the default response rule. If you do, you will be prompted to select an authentication method. For more information about rules, see the section "IP Security Rules" in this lesson.

Configuring IP Security Policies with Command-Line Tools :

Though you should usually use graphical tools to configure IP security policies, Windows Server 2003 also provides the Netsh command-line tool for scripting IPSec configuration. Netsh is a native Windows Server 2003 command-line scripting tool that you can use to display or modify the local or remote network configuration. The Netsh IPSec commands cannot be used on any other version of Windows.
To use the command line to configure IPSec policies on computers running Windows XP, use Ipseccmd.exe, which is provided on the Windows XP CD, in the \Support\Tools folder. To use the command line to configure IPSec policies on computers running Windows 2000, use Ipsecpol.exe, which is provided with the Windows 2000 Server Resource Kit.
To use Netsh interactively to view or modify IPSec settings, open a command prompt and run the command Netsh with no parameters. This starts the Netsh interactive command prompt. Then type Ipsec static or Ipsec dynamic to set the context for Netsh. For example, the following commands launch Netsh and set the context to Ipsec static:

C:\>netsh
netsh>ipsec
netsh ipsec>static
netsh ipsec static>

Static mode allows you to create, modify, and assign policies without affecting the active IPSec policy. Dynamic mode allows you to display the active state and immediately implement changes to the active IPSec policy. Dynamic Netsh commands affect the service only when it is running. If it is stopped, dynamic policy settings are discarded.

MCP 70-299 : 8 - Planning and Configuring IPSec

Negotiating IPSec Connections :

Unfortunately, IP was not originally designed with authentication or encryption in mind. As the Internet grew and TCP/IP became the network protocol of choice, this unsecured form of communication became the standard. IPSec allows computers to continue using IP, while adding authentication and encryption.
However, most computers on IP networks today do not have IPSec enabled. As a result, computers with IPSec enabled are usually configured to politely ask remote computers to use IPSec to improve the security of the connection. If the two computers determine that they both have IPSec configured, and can agree upon a set of security standards, they can begin to use IPSec. This process is known as IPSec negotiation.

Not all IPSec negotiations are successful. Often the negotiations will fail because one of the two computers is not capable of using IPSec. Alternatively, the computers might not have the same security protocols enabled, which would mean that they wouldn’t be able to agree on a set of standards. In these cases, the computers will either revert to unprotected IP communications or determine that they will not communicate at all if they cannot use IPSec.

Internet Key Exchange (IKE) is the algorithm by which the first secure Security Association, or SA (a secure channel), is negotiated. IKE is a combination of the Internet Security Association Key Management Protocol (ISAKMP) and the Oakley Key Determination protocol and performs a two-phase negotiation: Main Mode and Quick Mode.

Main Mode
The initial long form of the IKE negotiation (Main Mode or Phase 1) performs the authentication and generates the master key material to establish an ISAKMP SA between machines. The result is referred to as an ISAKMP SA or an IKE SA. After the ISAKMP SA is established, it will remain in place for the period of time defined on the host computers—by default, it will last for 8 hours on computers running Windows. If data is actively being transferred at the end of the 8 hours, the Main Mode security association (SA) will be renegotiated automatically.
Main Mode negotiation occurs in three parts:
1. Negotiation of protection suites
2. Diffie-Hellman exchange
3. Authentication

Quick Mode
Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of SAs that are negotiated on behalf of the IPSec service, the SAs created during Quick Mode are called the IPSec SAs. Two SAs are established, each with its own Security Parameter Index (SPI) label. One IPSec SA is used for inbound traffic, and the other is used for outbound traffic. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specific IP traffic is also selected.
IPSec hosts will perform IKE Quick Mode negotiation on a regular basis to reduce the risk of an attacker using brute force methods to determine the keys used in the communications. Each renegotiation re-establishes two new IPSec security associations with new keys and SPIs. By default, computers running Windows will perform Quick Mode negotiation every hour (3600 seconds) or after 100 megabytes have been transferred.
Either side of the connection can start the renegotiation process. Therefore, the side that first reaches the defined session key limit will initiate renegotiation. Lesson 3 describes how to specify session key limits.
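The Main Mode and Quick Mode steps above, worked end to end in code. This is an added example, not Windows IKE: it assumes preshared-key authentication, SHA1 as the pseudo-random function, no perfect forward secrecy, and constructed suite lists and secrets; the Diffie-Hellman prime is transcribed from RFC 2409 (Oakley group 2).

```python
"""The two-phase IKE negotiation described above, modelled end to end: Main Mode
(protection-suite negotiation, Diffie-Hellman exchange, authentication) and Quick
Mode (a pair of IPSec SAs with their own SPIs and keys, rekeyed by time or volume).
Added example, not Windows IKE; preshared-key authentication, SHA1 as the PRF, no PFS."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Oakley group 2 (1024-bit MODP prime, generator 2) from RFC 2409; Windows Server 2003
# calls this DH group "Medium (2)". Transcribed here, so verify against the RFC before reuse.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
MM_LIFETIME_SECONDS = 8 * 3600              # ISAKMP SA lifetime (Windows default)
QM_LIFETIME_SECONDS = 3600                  # Quick Mode rekey: every hour ...
QM_LIFETIME_BYTES = 100 * 1024 * 1024       # ... or after 100 megabytes

def prf(key: bytes, data: bytes) -> bytes:
    """IKE's pseudo-random function: HMAC with the negotiated hash algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()

def negotiate_suite(initiator_offers, responder_accepts):
    """Main Mode part 1: the initiator's most preferred suite that the responder also accepts."""
    for suite in initiator_offers:
        if suite in responder_accepts:
            return suite
    return None          # no common protection suite: the computers cannot agree on standards

@dataclass
class Peer:
    name: str
    psk: bytes           # preshared key (constructed sample secret)
    private: int = 0
    nonce: bytes = b""

    def dh_public(self) -> int:
        """Main Mode part 2: Diffie-Hellman exchange, one public value per peer."""
        self.private = secrets.randbelow(P - 2) + 1
        self.nonce = secrets.token_bytes(16)
        return pow(G, self.private, P)

    def dh_shared(self, peer_public: int) -> bytes:
        return pow(peer_public, self.private, P).to_bytes(128, "big")

def main_mode(init: Peer, resp: Peer, init_suites, resp_suites):
    """Phase 1. Returns the ISAKMP SA (suite plus SKEYID_d) or None when negotiation fails."""
    suite = negotiate_suite(init_suites, resp_suites)
    if suite is None:
        return None
    gi, gr = init.dh_public(), resp.dh_public()
    exchange = gi.to_bytes(128, "big") + gr.to_bytes(128, "big") + suite.encode()
    # Part 3: authentication. With preshared keys SKEYID = prf(psk, Ni | Nr); each side
    # proves knowledge of the key with a hash over the exchange that the other recomputes.
    skeyid_i = prf(init.psk, init.nonce + resp.nonce)
    skeyid_r = prf(resp.psk, init.nonce + resp.nonce)
    if not hmac.compare_digest(prf(skeyid_i, exchange), prf(skeyid_r, exchange)):
        return None      # preshared keys differ: authentication fails
    shared = init.dh_shared(gr)          # equals resp.dh_shared(gi)
    return {"suite": suite,
            "skeyid_d": prf(skeyid_i, shared + b"\x00"),   # seeds Quick Mode keys (cookies omitted)
            "lifetime_s": MM_LIFETIME_SECONDS}

@dataclass
class IPSecSA:
    spi: int
    direction: str       # "inbound" or "outbound"
    key: bytes
    established_at: float
    bytes_protected: int = 0

    def needs_rekey(self, now: float) -> bool:
        """Either side may start renegotiation once a session key limit is reached."""
        return (now - self.established_at >= QM_LIFETIME_SECONDS
                or self.bytes_protected >= QM_LIFETIME_BYTES)

def quick_mode(isakmp_sa: dict, now: float, protocol: int = 50):
    """Phase 2: two IPSec SAs, each with its own SPI and key. KEYMAT derivation follows
    RFC 2409 section 5.5 without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sas = []
    for direction in ("inbound", "outbound"):
        spi = secrets.randbits(32) | 0x100          # SPI values 1-255 are reserved
        keymat = prf(isakmp_sa["skeyid_d"], bytes([protocol]) + spi.to_bytes(4, "big") + ni + nr)
        sas.append(IPSecSA(spi, direction, keymat, now))
    return sas

INITIATOR_SUITES = ["ESP[3DES,SHA1]", "ESP[3DES,MD5]", "AH[SHA1]"]   # Windows default first
RESPONDER_SUITES = ["ESP[3DES,MD5]", "ESP[3DES,SHA1]"]
```

Running `main_mode` with matching preshared keys yields `ESP[3DES,SHA1]` (the initiator's order decides), and `quick_mode` then returns two SAs whose keys differ because each SPI enters the derivation.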
Authentication Header and ESP :

IPSec can use two protocols: Authentication Header (AH) and ESP. The protocols can be used either separately or together. AH provides data origin authentication, data integrity, and anti-replay protection for the entire packet, including the IP header and the data payload carried in the packet. Naturally, AH does not provide protection for the fields in the IP header that are allowed to change in transit, such as the hop count. AH does not encrypt data, which means it does not provide privacy. Attackers can read the contents of packets if they can intercept them, but the packets cannot be modified. ESP is more commonly used than AH because it provides data origin authentication, data integrity, anti-replay protection, and the option of privacy. While AH and ESP can be used together, you will use ESP alone in most circumstances. You should choose AH over ESP only when the data and header in the packet need to be authenticated and protected from modification but not encrypted. You might do this if you have an intrusion detection system, firewall, or quality of service (QoS) router that needs to inspect the contents of the packet. Otherwise, take advantage of the privacy provided by encryption, and use ESP. If IPSec traffic must traverse a NAT server, you must use ESP, because ESP is the only IPSec protocol that supports NAT-T.
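Why the NAT problem described under Network Address Translation Problems earlier on this page affects AH but not ESP, as an added example that is not the Windows implementation: a simplified packet with HMAC-SHA1 integrity check values, a constructed key and constructed addresses. ESP's payload encryption is left out because only integrity coverage matters here.

```python
"""AH versus ESP across a NAT device, as discussed above. Added example, not the Windows
IPSec implementation: a simplified packet model with HMAC-SHA1 integrity check values
(ICVs); ESP's payload encryption is left out because only integrity coverage matters here."""
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed demo key"   # constructed; real SA keys come from IKE Quick Mode

@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    ttl: int          # mutable in transit: every router decrements it
    spi: int          # Security Parameter Index of the SA protecting the packet
    seq: int          # anti-replay sequence number
    payload: bytes

def ah_icv(pkt: IPPacket) -> bytes:
    """AH covers the IP header and the payload. Mutable header fields (the TTL here) are
    zeroed before hashing, so routing survives the check but address rewriting does not."""
    header = f"{pkt.src}>{pkt.dst}|ttl=0".encode()
    ah_header = pkt.spi.to_bytes(4, "big") + pkt.seq.to_bytes(4, "big")
    return hmac.new(KEY, header + ah_header + pkt.payload, hashlib.sha1).digest()

def esp_icv(pkt: IPPacket) -> bytes:
    """ESP integrity covers the ESP header and payload only. The outer IP header is outside
    the check, which is why ESP can cross NAT (with NAT-T UDP encapsulation on port 4500)."""
    esp_header = pkt.spi.to_bytes(4, "big") + pkt.seq.to_bytes(4, "big")
    return hmac.new(KEY, esp_header + pkt.payload, hashlib.sha1).digest()

def router(pkt: IPPacket) -> IPPacket:
    return replace(pkt, ttl=pkt.ttl - 1)           # an ordinary hop

def nat(public_src: str):
    return lambda pkt: replace(pkt, src=public_src, ttl=pkt.ttl - 1)   # source NAT

def tamper(pkt: IPPacket) -> IPPacket:
    return replace(pkt, payload=b"tampered payload")   # modification on the path

def verified_after_path(protocol: str, pkt: IPPacket, path) -> bool:
    """The sender computes the ICV, the packet crosses every device in `path`, and the
    receiver recomputes it. Returns whether the receiver accepts the packet."""
    compute = ah_icv if protocol == "AH" else esp_icv
    icv = compute(pkt)
    for device in path:
        pkt = device(pkt)
    return hmac.compare_digest(compute(pkt), icv)

# Constructed sample: a private client behind NAT talking to a public peer
SAMPLE = IPPacket("192.168.1.5", "203.0.113.8", ttl=64, spi=0x1001, seq=1, payload=b"constructed payload")

def demo() -> dict:
    nat_path = [router, nat("198.51.100.7")]
    return {
        "AH via routers": verified_after_path("AH", SAMPLE, [router, router]),
        "AH via NAT": verified_after_path("AH", SAMPLE, nat_path),
        "ESP via NAT": verified_after_path("ESP", SAMPLE, nat_path),
        "ESP tampered": verified_after_path("ESP", SAMPLE, nat_path + [tamper]),
    }
```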

IPSec in Windows :

IPSec is natively available and can be used to protect network communications for Windows 2000, Windows XP Professional, and Windows Server 2003. Additionally, a legacy client is available for Microsoft Windows NT 4.0, Windows 98, and Windows Millennium Edition (ME). You can download the legacy client from http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp.

MCP 70-299 : 8 - Planning and Configuring IPSec

Lesson 1: IPSec Fundamentals

IPSec in the Windows Server 2003 operating system protects networks from active and passive attacks by securing IP packets through the use of packet filtering, cryptography, and the enforcement of trusted communication. IPSec is useful for improving the privacy and integrity of host-to-host, host-to-network, and network-to-network communications. IPSec can also be used as a host-based firewall to harden clients and servers by using packet filtering.

IPSec Overview :

IPSec is a framework of open standards for helping to ensure private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPSec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection. Because IPSec is integrated at the Internet layer (layer 3), it provides security for almost all protocols in the TCP/IP suite, and because IPSec is applied transparently to applications, there is no need to configure separate security for each application that uses TCP/IP.
IPSec can be used to provide packet filtering, to encrypt and authenticate traffic between two hosts, and to create a virtual private network (VPN). Using these capabilities of IPSec helps to provide protection against:
■ Network-based denial-of-service attacks from untrusted computers.
■ Data corruption.
■ Data theft.
■ User-credential theft.
■ Administrative control of servers, other computers, and the network.

Besides simply improving security, IPSec can be used to save money by enabling communications between remote offices and remote access clients across the public Internet, rather than more costly dedicated circuits that offer privacy at the physical level.

Securing Host-to-Host Communications :

You can use IPSec to encrypt and validate the integrity of communications between two computers. For example, IPSec can protect traffic between domain controllers in different sites, between Web servers and database servers, or between Web clients and Web servers. When an IPSec client attempts to initiate a connection to an IPSec server, the client and server negotiate IPSec integrity and encryption protocols. After the IPSec connection is established, the application’s data is transported within the IPSec connection.
For example, consider the common scenario of a user downloading e-mail from a server using Post Office Protocol version 3 (POP3). If IPSec is not enabled, the e-mail client software initiates a connection directly to the e-mail server software. The user name and password will be transmitted in clear text, so that anyone with a protocol analyzer such as Network Monitor can intercept the user’s credentials. An attacker who has control of a router can modify the contents of the user’s e-mail messages as they are downloaded without being detected.

Securing Host-to-Network Communications :

IPSec is often used to authenticate and encrypt traffic sent directly between two hosts. However, IPSec can also protect traffic traveling from a single host to an entire network, as illustrated in Figure 8.2. This is most commonly used in remote access scenarios. In the past, many organizations required users to dial in to remote access servers connected to the organization’s private network. Today, organizations can eliminate the cost of maintaining dial-in servers by using IPSec to allow remote users to connect to an organization’s private network across the Internet. Most security experts agree that IPSec provides a level of security similar to that of dial-up remote access.

Securing Network-to-Network Communications :

IPSec can also be used to connect two remote networks. Before Internet connectivity was common, remote offices were connected with private links provided by communications companies. These links would typically consist of a circuit (such as a T1 in the United States or an E1 in Europe) from each of the remote offices that connected to a switched frame relay network that would carry the traffic over long distances.
Today, many organizations still use private links to connect offices. Private links offer some distinct advantages, most notably predictability and stability. Although the Internet continues to become more reliable, performance factors such as usable bandwidth, latency, and jitter fluctuate unpredictably. Private links dedicate bandwidth to a communication link and always follow the same path—guaranteeing that performance will always stay the same.

MCP 70-299 : Assessing and Deploying a Patch Management Infrastructure

Lesson 2: Deploying Updates on New Clients
Security Considerations :


Computers are under attack from the moment they connect to the Internet. Worms and viruses are constantly active, probing every IP address for vulnerabilities. Microsoft Windows Server 2003 is much more resilient to attacks that might occur during the installation process than earlier versions of Windows because it adheres to the “secure by default” ideal. However, vulnerabilities have been discovered in unpatched computers running Windows Server 2003, and these vulnerabilities might be exploited during the setup process.
Although it is possible to update and secure a computer running Windows so that it can be connected directly to the Internet without becoming infected by a worm or a virus, a computer does not have the benefit of updates or security hardening during the installation process. If you attempt to install Windows on a computer while it is connected to the Internet, there is a high probability that it will be attacked, and possibly exploited.

Integrated Installation :

You can apply service packs, but not necessarily other types of updates, directly to Windows 2000, Windows XP, and Windows Server 2003 installation files. The process of integrating a service pack into the original setup files for an operating system is called slipstreaming. Slipstreaming creates an integrated installation—including the latest service pack—that can be used when installing the operating system on new computers. Using this process improves the security of new computers, and reduces the time required to apply updates after completing the initial installation. You can either perform the installation from a shared folder or create a CD with the integrated setup files.
Because the integrated installation replaces individual files, the space requirements for this installation type are almost identical to the space requirements for the base operating system. After you slipstream a service pack into the operating system setup files, you cannot remove the service pack.

Lesson Summary :

■ Computers should not be connected to the Internet or even to a private network with other hosts, until after the operating system and all updates have been installed.
■ Computers can be built while connected to the network if you create an isolated network segment with a minimal number of trusted computers that have been scanned for worms, viruses, and other malicious software.
■ You can reduce the time required to install new updates by slipstreaming a service pack into operating system installation files and configuring other updates to be automatically applied.

MCP 70-299 : Planning and Configuring an Authentication Strategy

Lesson 1: Understanding the Components of an Authentication Model :

The Difference Between Authentication and Authorization :


The two processes are closely related and often confused. To understand the difference between authentication and authorization, consider an example in the physical world that most people are familiar with: boarding an airplane. Before you can board a plane, you must present both your identification and your ticket. Your identification, typically a driver’s license or a passport, enables the airport staff to determine who you are. Validating your identity is the authentication part of the boarding process. The airport staff also checks your ticket to make sure that the flight you are boarding is the correct one. Verifying that you are allowed to board the plane is the authorization process.
Storing User Credentials :

The server that authenticates the user must be able to determine that the user’s credentials are valid. To do this, the server must store information that can be used to verify the user’s credentials. How and where this information is stored are important decisions to make when designing an authentication model.
Lesson Summary :

■ Authentication is the process of proving your identity. In Windows networks, users frequently authenticate themselves using a user name and password pair. How the user name and password are communicated across the network has changed with different versions of Windows.
■ Earlier versions of Windows use LM authentication, which is still supported by Windows Server 2003 for backward compatibility but carries with it potential security vulnerabilities. LM authentication should be disabled whenever compatibility with Windows 95 or Windows 98 is not required.
■ If LM authentication cannot be disabled, the storage of the LMHash can be avoided for specific user accounts by using passwords greater than 14 characters or passwords that contain special ALT characters.
■ Newer versions of Windows use NTLMv1, NTLMv2, or Kerberos authentication. The Kerberos protocol is designed to be more secure and scalable than NTLM authentication.
■ Local passwords are stored and maintained by the Local Security Authority (LSA). The LSA is responsible for managing local security policies, authenticating users, creating access tokens, and controlling audit policies.
■ Windows Server 2003 and the Resource Kit include the Kerbtray.exe, Klist.exe, and CmdKey.exe tools for troubleshooting Kerberos authentication problems.
Lesson 2: Planning and Implementing an Authentication Strategy :

Considerations for Evaluating Your Environment :

When evaluating your environment, identify the following:

■ The number of domain controllers in your organization. Ensure that there are enough domain controllers to support client logon requests and authentication requests while meeting your redundancy requirements.

■ The type of network connectivity between site locations in your organization. Ensure that clients in remote sites are connected well enough to authenticate to domain controllers located in main sites.

■ The number of certification authorities (CAs) that are available in your organization and their locations. Ensure that you have enough CAs to support the anticipated number of certificate requests.

What is a strong password?

A strong password is one that can be remembered by the user but that is also complex enough to be difficult to guess. For example, *&_I5y#<.h may appear to be a good password, but the user might be forced to write it down in order to remember it, creating a significant security vulnerability. Fortunately, there are techniques for creating strong passwords that the human brain can remember.

an easy-to-remember suffix to it to make it more secure: 99Butterflies@complexpassword.com. You now have a password that is 33 characters long, uses uppercase, lowercase, and symbols, is easy to remember, and that, because of its length, is harder to crack than the *&_I5y#<.h password.

Strong password policy :

When implementing and enforcing a password policy, consider the users' inability to remember passwords that are too complex, change too often, or are too long. When passwords are too complex or too long, users are more likely to resort to other ways of remembering them, such as writing them down.

Password Complexity is enforced by default in the Windows Server 2003 environment. The Password Complexity feature requires that passwords:
■ Do not contain all or part of the user’s account name.
■ Be at least six characters in length.
■ Contain characters from three of the following four categories:
❑ Uppercase characters (A through Z)
❑ Lowercase characters (a through z)
❑ Base 10 digits (0 through 9)
❑ Non-alphabetic characters (for example, !, $, #, %).
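As an added example (not from the original text or the training kit), the following Python code applies the three Password Complexity rules listed above and the LMHash length rule from the Lesson 1 summary (an LMHash is only stored for passwords of 14 characters or fewer). Splitting the account name into tokens of three or more characters is an assumption that models the Windows filter in simplified form; the ALT-character mitigation is not modelled.

```python
import re

# Assumption: simplified model of the Windows complexity filter. The account
# name is split on these delimiters and tokens shorter than three characters
# are ignored when looking for "all or part of the user's account name".
_TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")

# The four character categories from the text; digits are counted once, so
# the "non-alphabetic" category is implemented as non-alphanumeric.
CATEGORIES = (
    ("upper", re.compile(r"[A-Z]")),
    ("lower", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("symbol", re.compile(r"[^A-Za-z0-9]")),
)


def categories_present(password):
    """Return the set of category names the password draws characters from."""
    return {name for name, pattern in CATEGORIES if pattern.search(password)}


def contains_account_name(password, account_name):
    """True if the password contains the whole account name or any token of
    it that is at least three characters long (case-insensitive)."""
    lowered = password.lower()
    name = account_name.lower()
    tokens = [name] + _TOKEN_SPLIT.split(name)
    return any(len(token) >= 3 and token in lowered for token in tokens)


def meets_complexity(password, account_name):
    """Apply the three Password Complexity rules: no account-name fragment,
    at least six characters, and characters from three of four categories."""
    if contains_account_name(password, account_name):
        return False
    if len(password) < 6:
        return False
    return len(categories_present(password)) >= 3


def lm_hash_stored(password):
    """True if Windows would still store an LMHash for this password, i.e. it
    is 14 characters or fewer (the text's mitigation is to exceed 14)."""
    return len(password) <= 14
```

Both example passwords from the text pass the complexity filter, but only the 33-character one also avoids LMHash storage.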

Windows 2003 Authentication Methods for Earlier Operating Systems :

Authentication protocols have improved over time and will continue to improve in the future. As a result, earlier operating systems support fewer and less secure authentication protocols than newer operating systems. By default, computers running Windows Server 2003 can accept all types of authentication protocols, including LM, NTLMv2, and Kerberos, to ensure compatibility with earlier operating systems. If your organization does not require this backward compatibility, you can configure security policy to support only the more secure protocols, such as NTLMv2 and Kerberos.

The Network Security LAN Manager Authentication Level policy defines which authentication protocols a computer sends and accepts. This policy is contained within the Local Policies\Security Options security policy node. Table 1.6 describes the options for this policy setting. The policy settings are listed in order from least to most secure. Increasing the security of this policy reduces compatibility with earlier clients and servers.
Enabling secure authentication for domain controllers :

To configure domain controllers to reject LM authentication:

1. On a domain controller, click Start, click Administrative Tools, and then click Domain Controller Security Policy.
2. Expand Local Policies and then select Security Options.
3. Double-click Network Security: LAN Manager Authentication Level. The Network Security: LAN Manager Authentication Level Properties dialog box appears.
4. Select the Define This Policy Setting check box, if it is not already selected.
5. Select Send NTLMv2 Response Only\Refuse LM, and then click OK.
6. Close the Default Domain Controller Security Settings console.
7. Click Start, and then click Run. Type gpupdate.exe, and click OK. This causes the policy to take effect on the local domain controller immediately.

Lesson Summary :

■ Use security policy settings to configure authentication requirements.
■ Implement a strong password policy in your organization to reduce the likelihood that your users’ credentials will be compromised.
■ Although you can enforce complex passwords by using security policy in Windows Server 2003 Active Directory, employee education is the only way to keep users from writing down passwords or using discoverable personal information in passwords.
■ An account lockout policy prevents malicious attackers from logging on by continually guessing passwords; however, it also enables them to perform a denial-of-service attack that prevents valid users from authenticating successfully.
■ Kerberos ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the ticket’s stored credentials, but long enough to minimize the number of tickets that clients request.
■ Use delegated authentication and constrained delegation as strategies for implementing supplemental authentication where required.
■ Any application that has the Certified for Windows Server 2003 logo has been tested to ensure that it will function in environments that require multifactor authentication.

Lesson 3: Configuring Authentication for Web Users :

Configuring Anonymous Access for Web Users :

Most public Web sites on the Internet allow anonymous access for at least a portion of the site. In other words, the general public can retrieve pages from the Web server without providing credentials. This does not mean that authentication is not taking place, however. Any user or process that accesses a file or other network resource must do so in the context of a security principal (a user, a computer, or a service account). When Internet Information Services (IIS) accesses files to be sent to an anonymous user, it uses a specified user account to access those files. When anonymous access is not allowed, users must provide their own credentials.

Configuring Web Authentication :

This chapter has already described three authentication protocols: LM, NTLM, and Kerberos. However, none of these protocols can be used by a Web browser to authenticate a user to a Web server, because Web browsers and Web servers can use only Hypertext Transfer Protocol (HTTP) to communicate. Web browsers must authenticate to Web servers using an authentication protocol that is carried within HTTP. Administrators configuring an IIS server have several authentication options that differ in how they pass the credentials to IIS and which browsers support them:

■ Basic Authentication. Selecting this option enables browsers to submit the user's password in an encoded format that is equivalent to clear text. If the authentication traffic is intercepted, an attacker could easily determine the user's password. While this authentication method is vulnerable to interception, it is supported by a wide range of browsers.
■ Digest Authentication For Windows Domain Servers. Selecting this option allows the Web browser to submit the user's password in an MD5 hash. If digest authentication traffic is intercepted, an attacker would not be able to easily determine the user's password.
■ Integrated Windows Authentication. Selecting this option enables Kerberos v5 authentication and NTLM authentication within the Web requests. This allows the Web browser to send the user’s password in the form of a hash without requiring the user’s password to be stored using reversible encryption.
■ .NET Passport Authentication. Select this option if your organization is using the .NET Passport service for authentication. .NET Passport provides a central authentication service that many different organizations can use and allows users to authenticate themselves to many different, unrelated Web sites.
