70-299 : Module 12 : Securing Remote Access

Lesson 1: Remote Access Fundamentals

Windows Server 2003 provides two main types of remote access methods: dial-up and VPN. For each remote access type, there are several authentication and encryption protocols to choose from. You will have to choose the remote access type and security protocols based on the clients that will be connecting to your internal network and based on your existing infrastructure. This lesson will describe the two remote access methods and the various encryption and authentication protocols to allow you to make educated recommendations.

Remote Access Methods :

There are two primary methods for connecting remote users to a private network: dialup networking and virtual private networking. Dial-up networking enables a remote access client to establish a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone lines, Integrated Services Digital Network (ISDN), or X.25. The most common use of dial-up networking is that of a dial-up networking client that dials the phone number of a modem attached to the remote access server. This establishes a circuit
between the two devices.

Virtual private networking is the creation of an encrypted, authenticated point-to-point connection across a public network such as the Internet. A VPN client uses special network protocols called tunneling protocols to make a virtual call to a virtual port on a VPN server.

VPN Protocols :

Windows Server 2003 supports two VPN protocols: PPTP and L2TP. In most circumstances,either protocol will work equally well. They both provide similar levels of privacy and data integrity because they support the same authentication and encryption standards. They primarily differ in stability and compatibility. PPTP is more mature, but it is not an Internet standard. L2TP is relatively new, but it might be supported by a wider variety of non-Microsoft clients because it is an Internet standard.

MCP 70-299 : 8 - Planning and Configuring IPSec

Negotiating IPSec Connections :

Unfortunately, IP was not originally designed with authentication or encryption in mind. As the internet grew and TCP/IP became the network protocol of choice, this unsecured form of communication became the standard. IPSec allows computers to continue using IP, while adding authentication and encryption.
However, most computers on IP networks today do not have IPSec enabled. As a result, computers with IPSec enabled are usually configured to politely ask remote computers to use IPSec to improve the security of the connection. If the two computers determine that they both have IPSec configured, and can agree upon a set of security standards, they can begin to use IPSec. This process is known as IPSec negotiation.

Not all IPSec negotiations are successful. Often the negotiations will fail because one of the two computers is not capable of using IPSec. Alternatively, the computers might not have the same security protocols enabled, which would mean that they wouldn’t be able to agree on a set of standards. In these cases, the computers will either revert to unprotected IP communications or determine that they will not communicate at all if they cannot use IPSec.

Internet Key Exchange (IKE) is the algorithm by which the first secure Security Association, or SA (a secure channel), is negotiated. IKE is a combination of the Internet Security Association Key Management Protocol (ISAKMP) and the Oakley Key Determination protocol and performs a two-phase negotiation: Main Mode and Quick Mode.

Main Mode
The initial long form of the IKE negotiation (Main Mode or Phase 1) performs the authentication and generates the master key material to establish an ISAKMP SA between machines. The result is referred to as an ISAKMP SA or an IKE SA. After the ISAKMP SA is established, it will remain in place for the period of time defined on the host computers—by default, it will last for 8 hours on computers running Windows. If data is actively being transferred at the end of the 8 hours, the Main Mode security association (SA) will be renegotiated automatically.
Main Mode negotiation occurs in three parts:
1. Negotiation of protection suites
2. Diffie-Hellman exchange
3. Authentication

Quick Mode
Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of SAs that are negotiated on behalf of the IPSec service, the SAs created during Quick Mode are called the IPSec SAs. Two SAs are established, each with its own Security Parameter Index (SPI) label. One IPSec SA is used for inbound traffic, and the other is used for outbound traffic. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specific IP traffic is also selected.
IPSec hosts will perform IKE Quick Mode negotiation on a regular basis to reduce the risk of an attacker using brute force methods to determine the keys used in the communications. Each renegotiation re-establishes two new IPSec security associations with new keys and SPIs. By default, computers running Windows will perform Quick Mode negotiation every hour (3600 seconds) or after 100 megabytes have been transferred.
Either side of the connection can start the renegotiation process. Therefore, the site that first reaches the defined session key limit will initiate renegotiation. Lesson 3 describes how to specify session key limits.
Authentication Header and ESP :IPSec can use two protocols: Authentication Header (AH) and ESP. The protocols canbe used either separately or together. AH provides data origin authentication, dataintegrity, and anti-replay protection for the entire packet, including the IP header andthe data payload carried in the packet. Naturally, AH does not provide protection forthe fields in the IP header that are allowed to change in transit, such as the hop count.AH does not encrypt data, which means it does not provide privacy. Attackers can readthe contents of packets if they can intercept them, but the packets cannot be modified.ESP is more commonly used than AH because it provides data origin authentication,data integrity, anti-replay protection, and the option of privacy. While AH and ESP canbe used together, you will use ESP alone in most circumstances. You should chooseAH over ESP only when the data and header in the packet need to be protected frommodification and authentication but not encrypted. You might do this if you have anintrusion detection system, firewall, or quality of service (QoS) router that needs toinspect the contents of the packet. Otherwise, take advantage of the privacy providedby encryption, and use ESP. If IPSec traffic must traverse a NAT server, you must useESP, because ESP is the only IPSec protocol that supports NAT-T.

IPSec in Windows :

IPSec is natively available and can be used to protect network communications for Windows 2000, Windows XP Professional, and Windows Server 2003. Additionally, a legacy client is available for Microsoft Windows NT 4.0, Windows 98, and Windows Millennium Edition (ME). You can download the legacy client from

http://www.microsoft.com /windows2000/server/evaluation/news/bulletins/l2tpclient.asp.

MCP 70-299 : Planning and Configuring an Authentication Strategy

Lesson 1: Understanding the Components of an Authentication Model :

The Difference Between Authentication and Authorization :

The two processes are closely related and often confused. To understand the difference between authentication and authorization, consider an example in the physical world that most people are familiar with: boarding an airplane. Before you can board a plane, you must present both your identification and your ticket. Your identification, typically a driver’s license or a passport, enables the airport staff to determine who you are. Validating your identity is the authentication part of the boarding process. The airport staff also checks your ticket to make sure that the flight you are boarding is the correct one. Verifying that you are allowed to board the plane is the authorization process.

Storing User Credentials :

The server that authenticates the user must be able to determine that the user’s credentials are valid. To do this, the server must store information that can be used to verify the user’s credentials. How and where this information is stored are important decisions to make when designing an authentication model.

Lesson Summary :

■ Authentication is the process of proving your identity. In Windows networks, users frequently authenticate themselves using a user name and password pair. How the user name and password are communicated across the network has changed with different versions of Windows.
■ Earlier versions of Windows use LM authentication, which is still supported by Windows Server 2003 for backward compatibility but carries with it potential security vulnerabilities. LM authentication should be disabled whenever compatibility with Windows 95 or Windows 98 is not required.
■ If LM authentication cannot be disabled, the storage of the LMHash can be avoided for specific user accounts by using passwords greater than 14 characters or passwords that contain special ALT characters.
■ Newer versions of Windows use NTLMv1, NTLMv2, or Kerberos authentication. The Kerberos protocol is designed to be more secure and scalable than NTLM authentication.
■ Local passwords are stored and maintained by the Local Security Authority (LSA). The LSA is responsible for managing local security policies, authenticating users, creating access tokens, and controlling audit policies.
■ Windows Server 2003 and the Resource Kit include the Kerbtray.exe, Klist.exe, and CmdKey.exe tools for troubleshooting Kerberos authentication problems.

Lesson 2: Planning and Implementing an Authentication Strategy :

Considerations for Evaluating Your Environment :

When evaluating your environment, identify the following:

■ The number of domain controllers in your organization. Ensure that there are enough domain controllers to support client logon requests and authentication requests while meeting your redundancy requirements.

■ The type of network connectivity between site locations in your organization. Ensure that clients in remote sites are connected well enough to authenticate to domain controllers located in main sites.

■ The number of certification authorities (CAs) that are available in your organiza tion and their locations. Ensure that you have enough CAs to support the anticipated number of certificate requests.

What is a strong password?

A strong password is one that can be remembered by the user but that is also complex enough to be difficult to guess. For example, *&_I5y#<.h may appear to be a good password, but the user might be forced to write it down in order to remember it, creating a significant security vulnerability. Fortunately, there are techniques for creating strong passwords that the human brain can remember.

an easy-to-remember suffix to it to make it more secure: 99Butterflies@complexpass word.com. You now have a password that is 33 characters long, uses uppercase, lowercase, and symbols, is easy to remember, and that, because of the length, is harder than the *&_I5y#<.h password to crack.

Strong password policy :

When implementing and enforcing a password policy, consider the users’ inability to remember passwords that are too complex, change too often, and are too long. When passwords are too complex or too long, the eventuality that users will use other methods to remember their passwords, such as writing them down, is more likely.

Password Complexity is enforced by default in the Windows Server 2003 environment. The Password Complexity feature requires that passwords:
■ Do not contain all or part of the user’s account name.
■ Be at least six characters in length.
■ Contain characters from three of the following four categories:
❑ Uppercase characters (A through Z)
❑ Lowercase characters (a through z)
❑ Base 10 digits (0 through 9)
❑ Non-alphabetic characters (for example, !, $, #, %).

Windows 2003 Authentication Methods for Earlier Operating Systems :

Authentication protocols have improved over time and will continue to improve in the future. As a result, earlier operating systems support fewer and less secure authentication protocols than newer operating systems. By default, computers running Windows Server 2003 can accept all types of authentication protocols, including LM, NTLMv2, and Kerberos, to ensure compatibility with earlier operating systems. If your organization does not require this backward compatibility, you can you can configure security policy to support only the more secure protocols, such as NTLMv2 and Kerberos.

The Network Security LAN Manager Authentication Level policy defines which authentication protocols a computer sends and accepts. This policy is contained within the Local Policies\Security Options security policy node. Table 1.6 describes the options for this policy setting. The policy settings are listed in order from least to most secure. Increasing the security of this policy reduces compatibility with earlier clients and servers.

Enabling secure authentication for domain controllers :

To configure domain controllers to reject LM authentication:

1. On a domain controller, click Start, click Administrative Tools, and then click Domain Controller Security Policy.
2. Expand Local Policies and then select Security Options
3. Double-click Network Security: LAN Manager Authentication Level. The Network Security: LAN Manager Authentication Level Properties dialog box appears.
4. Select the Define This Policy Setting check box, if it is not already selected.
5. Select Send NTLMv2 Response Only\Refuse LM, and then click OK.
6. Close the Default Domain Controller Security Settings console.
7. Click Start, and then click Run. Type gpupdate.exe, and click OK. This causes the policy to take effect on the local domain controller immediately.

Lesson Summary :

■ Use security policy settings to configure authentication requirements.
■ Implement a strong password policy in your organization to reduce the likelihood that your users’ credentials will be compromised.
■ Although you can enforce complex passwords by using security policy in Windows Server 2003 Active Directory, employee education is the only way to keep users from writing down passwords or using discoverable personal information in passwords.
■ An account lockout policy prevents malicious attackers from logging on by continually guessing passwords; however, it enables malicious attackers to perform a denial-of-service attack that denies valid users from successful authentication.
■ Kerberos ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the ticket’s stored credentials, but long enough to minimize the number of tickets that clients request.
■ Use delegated authentication and constrained delegation as strategies for implementing supplemental authentication where required.
■ Any application that has the Certified for Windows Server 2003 logo has been tested to ensure that it will function in environments that require multifactor authentication.

Lesson 3: Configuring Authentication for Web Users :

Configuring Anonymous Access for Web Users :

Most public Web sites on the Internet allow anonymous access for at least a portion of the site. In other words, the general public can retrieve pages from the Web server without providing credentials. This does not mean that authentication is not taking place, however. Any user or process that accesses a file or other network resource must do so in the context of a security principal (a user, a computer, or a service account). When Internet Information Services (IIS) accesses files to be sent to an anonymous user, it uses a specified user account to access those files. When anonymous access is not allowed, users must provide their own credentials.

Configuring Web Authentication :

This chapter has already described three authentication protocols: LM, NTLM, and Kerberos.
However, none of these protocols can be used by a Web browser to authenticate a user to a Web server because Web browsers and Web servers can use only Hypertext Transfer Protocol (HTTP) to communicate. Web browsers must authenticate to Web servers using an authentication protocol that is contained within HTTP. Administrators configuring an IIS server have several authentication options that differ in how they pass the credentials to IIS and which browsers support them:

■ Basic Authentication. Selecting this option enables browsers to submit the user’s password in an encoded format that is equivalent to clear text. If the authentication traffic is intercepted, an attacker could easily determine the user’s password.
While this authentication method is vulnerable to being intercepted, it is supported by a wide range of browsers.
■ Digest Authentication For Windows Domain Servers. Selecting this option allows the Web browser to submit the user’s password in an MD5 hash. If digest authentication traffic is intercepted, an attacker would be able to easily determine the user’s password.
■ Integrated Windows Authentication. Selecting this option enables Kerberos v5 authentication and NTLM authentication within the Web requests. This allows the Web browser to send the user’s password in the form of a hash without requiring the user’s password to be stored using reversible encryption.
■ .NET Passport Authentication. Select this option if your organization is using the .NET Passport service for authentication. .NET Passport provides a central authentication service that many different organizations can use and allows users to authenticate themselves to many different, unrelated Web sites.

Module 2 ( 70-291) : Allocation de l'adressage IP à l'aide du protocole DHCP

Définition :

Le protocole DHCP est une norme IP permettant de simplifier la gestion de la configuration IP hôte. La norme DHCP permet d'utiliser les serveurs DHCP pour gérer l'allocation dynamique des adresses IP et des autres données de configuration IP pour les clients DHCP de votre réseau.

Pourquoi utiliser le protocole DHCP ?

Pour les réseaux basés sur le protocole TCP/IP, le protocole DHCP simplifie et réduit le travail administratif impliqué dans la reconfiguration des ordinateurs.

Pour comprendre en quoi le protocole DHCP simplifie la configuration du protocole TCP/IP sur des ordinateurs clients, il est utile de comparer les configurations manuelle et automatique du protocole TCP/IP, la configuration automatique utilisant le protocole DHCP.

Configuration manuelle du protocole TCP/IP :

Lorsque vous configurez les données de configuration IP pour chaque hôte en entrant manuellement les informations, telles que l'adresse IP, le masque de sous-réseau ou la passerelle par défaut, vous pouvez faire des erreurs typographiques. Ces erreurs peuvent créer des problèmes de communication ou des incidents liés aux adresses IP dupliquées. De plus, il en résulte des tâches administratives supplémentaires sur les réseaux où les ordinateurs sont souvent déplacés d'un sous-réseau à l'autre. De même, lorsque vous devez modifier une valeur IP pour plusieurs clients, il vous faut mettre à jour la configuration IP de chaque client.

Procédure 1 :

Pour ajouter un service Serveur DHCP, procédez comme suit :

1. Connectez-vous à l'aide d'un compte d'utilisateur non-administratif.

2. Cliquez sur Démarrer, puis sur Panneau de configuration.

3. Dans le Panneau de configuration, ouvrez Outils d'administration, cliquez avec le bouton droit sur Gérer votre serveur, puis sélectionnez Exécuter en tant que.

4. Dans la boîte de dialogue Exécuter en tant que, sélectionnez L'utilisateur suivant, entrez un compte d'utilisateur et un mot de passe ayant les autorisations adéquates pour exécuter la tâche, puis cliquez sur OK.

5. Dans la fenêtre Gérer votre serveur, cliquez sur Ajouter ou supprimer un rôle.

6. Dans la page Étapes préliminaires, cliquez sur Suivant.

7. Dans l'Assistant Configurer votre serveur, sélectionnez Serveur DHCP, puis cliquez sur Suivant.

8. Dans la page Aperçu des sélections, cliquez sur Suivant.
9. Dans l'Assistant Nouvelle étendue, cliquez sur Annuler pour interrompre la création d'une étendue à ce stade.
10. Dans l'Assistant Configurer votre serveur, cliquez sur Terminer.

Procédure 2 : configuration des étendues DHCP :

Pour configurer une étendue DHCP, procédez comme suit :

1. Ouvrez la console DHCP.

2. Dans l'arborescence de la console, cliquez sur le serveur DHCP concerné.

3. Dans le menu Action, cliquez sur Nouvelle étendue.

4. Dans l'Assistant Nouvelle étendue, cliquez sur Suivant.

5. Dans la page Nom de l'étendue, configurez les options Nom et Description.

6. Dans la page Plage d'adresses IP, configurez les options Adresse IP de début, Adresse IP de fin et Masque de sous-réseau.

7. Dans la page Ajout d'exclusions, configurez les options Adresse IP de début et Adresse IP de fin, le cas échéant. S'il n'existe qu'une seule exclusion d'adresse IP, configurez cette adresse IP comme l'adresse IP de début.

8. Dans la page Durée du bail, configurez les options Jours, Heures et Minutes.

9. Dans la page Configuration des paramètres DHCP, sélectionnez Non, je configurerai ces options ultérieurement.

10. Dans la page Fin de l'Assistant Nouvelle étendue, cliquez sur Terminer.

Procédure de configuration d'une réservation DHCP :

Pour configurer une réservation DHCP, procédez comme suit :

1. Ouvrez la console DHCP.

2. Dans l'arborescence de la console, cliquez sur Réservations.

3. Dans le menu Action, cliquez sur Nouvelle réservation.

4. Dans la boîte de dialogue Nouvelle réservation, renseignez les champs suivants :

a. Nom de réservation

b. Adresse IP

c. Adresse MAC (sans trait d'union)

d. Description

5. Sous Types pris en charge, sélectionnez l'une des options suivantes :

a. Les deux

b. DHCP seulement

c. BOOTP seulement

6. Dans la boîte de dialogue Nouvelles réservations, cliquez sur Ajouter, puis sur Fermer.

Procédure 3 : vérification d'une réservation DHCP :

Pour vérifier la réservation DHCP, procédez comme suit :

1. Sur l'ordinateur client, à l'invite de commandes, libérez l'adresse IP du clienà l'aide de la commande ipconfig /release.

2. Sur l'ordinateur serveur, dans la console DHCP, sous Baux d'adresse, vérifiez que la réservation s'affiche comme étant désactivée.

3. Sur l'ordinateur client, à l'invite de commandes, renouvelez l'adresse IP du client à l'aide de la commande ipconfig /renew.

4. Sur l'ordinateur serveur, dans la console DHCP, sous Baux d'adresse, vérifiez que la réservation s'affiche comme étant activée.

Procédure 4 : configuration des options de serveur DHCP :

Pour configurer une option de serveur DHCP, procédez comme suit :

1. Ouvrez la console DHCP.

2. Dans l'arborescence de la console, sous le nom du serveur, cliquez sur Options de serveur.

3. Dans le menu Action, cliquez sur Configurer les options.

4. Dans la boîte de dialogue Options Serveur, sélectionnez l'option à configurer dans la liste des Options disponibles.

5. Sous Entrée de données, entrez les informations requises pour configurcette option.

6. Dans la boîte de dialogue Options Serveur, cliquez sur OK.

Comment fonctionne un agent de relais DHCP :

Les procédures suivantes décrivent le fonctionnement d'un agent de
relais DHCP :
1. Le client DHCP diffuse un paquet DHCPDISCOVER.
2. L'agent de relais DHCP sur le sous-réseau du client envoie le message DHCPDISCOVER au serveur DHCP à l'aide de la monodiffusion.
3. Le serveur DHCP utilise la monodiffusion pour envoyer un message DHCPOFFER à l'agent de relais DHCP.
4. L'agent de relais DHCP diffuse le paquet DHCPOFFER au sous-réseau du client DHCP.
5. Le client DHCP diffuse un paquet DHCPREQUEST.
6. L'agent de relais DHCP sur le sous-réseau du client envoie le message DHCPREQUEST au serveur DHCP à l'aide de la monodiffusion.
7. Le serveur DHCP utilise la monodiffusion pour envoyer un message DHCPACK à l'agent de relais DHCP.
8. L'agent de relais DHCP diffuse le paquet DHCPACK au sous-réseau du client DHCP.

Procédure 4 : ajout d'un agent de relais DHCP :

Pour ajouter un agent de relais DHCP, procédez comme suit :

1. Ouvrez la console Routage et accès distant.

2. Cliquez avec le bouton droit sur le serveur, puis cliquez sur Configurer et activer le routage et l'accès distant.

3. Dans la page Bienvenue !, cliquez sur Suivant.

4. Dans la page Configuration, sélectionnez Configuration personnalisée, puis cliquez sur Suivant.

5. Dans la page Configuration personnalisée, sélectionnez Routage réseau, puis cliquez sur Suivant.

6. Dans la page Fin de l'Assistant Installation du serveur du routage et d'accès distant, cliquez sur Terminer.

7. Dans la boîte de dialogue d'avertissement Routage et accès distant, cliquez sur Oui pour démarrer le service.

8. Dans la page Ce serveur est maintenant un serveur d'accès distant et de réseau VPN, cliquez sur Terminer.

9. Dans l'arborescence de la console, développez successivement le serveur et Routage IP, puis sélectionnez Général.

10. Cliquez avec le bouton droit sur Général, puis cliquez sur Nouveau protocole de routage.

11. Dans la boîte de dialogue Nouveau protocole de routage, cliquez sur Agent de relais DHCP, puis sur OK.