70299 MCSE Guide to Implementing and Administering Security in a Microsoft Windows Server 2003 Netwo - PowerPoint PPT Presentation

1
70-299 MCSE Guide to Implementing and
Administering Security in a Microsoft Windows
Server 2003 Network
  • Chapter 10
  • Planning and Deploying Authentication for Remote
    Access Users

2
Objectives
  • Deploy and manage SSL certificates
  • Configure a Web server for SSL certificates
  • Configure a client for SSL certificates
  • Determine certificate renewal
  • Configure security for Remote Access users

3
Objectives (continued)
  • Provide Remote Access over a VPN
  • Manage client configuration for Remote Access
    security

4
Deploying and Managing SSL Certificates
  • Need to install IIS in a highly secure and locked
    configuration
  • Secure Sockets Layer (SSL): public key-based
    security protocol used by Internet services and
    clients for authentication, message integrity,
    and confidentiality
  • SSL process uses:
    • Certificates for authentication
    • Encryption for message integrity and
      confidentiality
  • Requires installation of a valid server certificate
    to establish encrypted communications using SSL

5
Deploying and Managing SSL Certificates
(continued)
  • Certificate-based SSL features in IIS consist of:
    • A server certificate
    • A client certificate
    • Various digital keys
  • Ways to obtain certificates:
    • Can be created using Certificate Services
    • Can be obtained from a mutually trusted
      third-party organization called a certification
      authority (CA)

6
Deploying and Managing SSL Certificates
(continued)
Table 10-1 IIS Authentication Methods

7
HTTPS
  • HTTPS (HTTP over Secure Sockets Layer)
  • A technology that encrypts individual messages in
    Web communications rather than establishing a
    secure channel
  • Popular e-commerce technology, used for
    secure online shopping
  • Communicates on port 443
  • SSL-secured URLs begin with the https:// prefix
  • Created by the Netscape Corporation; originally
    used a 40-bit RC4 stream encryption algorithm, and
    128-bit encryption keys are now available

8
LDAPS
  • Lightweight Directory Access Protocol (LDAP) over
    SSL (LDAPS)
  • Used to secure Active Directory traffic using SSL
  • Enabled by installing a properly formatted
    certificate from a certification authority (CA)
  • LDAPS communication occurs over TCP port 636
  • LDAPS communication to a global catalog server
    occurs over TCP port 3269
  • SSL/TLS is negotiated before any LDAP traffic is
    exchanged when connecting to ports 636 or 3269

9
LDAPS (continued)
Figure 10-1 LDAP communications on port 636

10
Wireless Networks
  • Possible to secure wireless communications using
    Secure Shell (SSH) or HTTP with SSL or TLS

Table 10-2 SSL Advantages and Disadvantages

11
Configuration of the Web Server for SSL
Certificates
  • Use SSL encryption only for sensitive
    information; encrypted transmissions can
    significantly reduce transmission rates and
    server performance
  • Server certificates provide a way for users to
    confirm the identity of your Web site
  • A server certificate contains the following
    information:
    • Organization name affiliated with the server
      content
    • Name of the organization that issued the
      certificate
    • A public key that is used to establish an
      encrypted connection

12
Configuration of the Web Server for SSL
Certificates (continued)
Figure 10-2 Web Server Certificate Wizard screen

13
Configuration of the Web Server for SSL
Certificates (continued)
Figure 10-3 Certificate Request Submission screen

14
Configuration of the Web Server for SSL
Certificates (continued)
  • Possible to configure Web server to require a
    128-bit minimum session-key strength for all
    SSL-secured communication sessions
  • You can configure computers running WS 2003 with
    IIS 6.0 to accept certificates from predefined
    list of CAs
  • Each Web site can be configured to accept
    certificates from a different list by using CTLs
  • Certificate Trust List Wizard can be used to:
    • Create and edit CTLs
    • Add new root certificates to your CTLs

15
Configuration of the Web Server for SSL
Certificates (continued)
Figure 10-4 Welcome to the Certificate Import
Wizard screen

16
Configuration of the Web Server for SSL
Certificates (continued)
Figure 10-5 Welcome to the Certificate Trust
List Wizard screen

17
Self-Issued Certificates
  • Considerations when deciding to issue your own
    server certificates:
    • Microsoft Certificate Services can accommodate
      different certificate formats and provide for
      auditing and logging of certificate-related
      activity
    • Evaluate the cost of each
    • Keep the learning curve in mind
    • Evaluate the willingness of outside vendors and
      clients to trust your organization as a
      certificate supplier

18
Publicly Issued Certificates
  • Used when users may distrust your self-issued
    certificates
  • Certificate can be obtained from a mutually
    trusted, third-party CA, e.g., VeriSign or Thawte
  • Requirements to obtain certificates from a CA:
    • Providing identification information
    • Might require a personal interview with the CA
    • Endorsement of a notary
    • Wait time: several days to several months
    • Must be renewed on a regular basis

19
Publicly Issued Certificates (continued)
  • General rules about any type of Web certificate:
    • Each Web site can have only one server
      certificate assigned to it
    • One certificate can be assigned to multiple Web
      sites
    • You can assign multiple IP addresses per Web site
    • You can assign multiple SSL ports per Web site

20
Configuration of the Client for SSL Certificates
  • A typical client certificate contains the following
    items of information:
    • Identity of the user
    • Identity of the certification authority
    • A public key used for establishing encrypted
      communications
    • Validation information, such as an expiration
      date and serial number

21
Configuration of the Client for SSL Certificates
(continued)
  • To protect your Web content from unauthorized
    access, you must do one of the following:
    • Use Basic, Digest, or Integrated Windows
      authentication, in addition to requiring a client
      certificate
    • Create a Windows account mapping for client
      certificates

22
Configuration of the Client for SSL Certificates
(continued)
Figure 10-6 SSL browser options

23
Certificate Renewal
  • Security and renewal requirements for
    certificates should be based on the following
    factors:
    • Value of the network resources protected by the
      CA trust chain
    • Degree to which you trust your certificate users
    • Amount of administrative effort that you are
      willing to devote to certificate renewal and CA
      renewal
    • Business value of the certificate

24
Certificate Renewal (continued)
Table 10-3 Recommendations for Validity Periods

25
Configuring Security for Remote Access Users
  • A secure and reliable remote access solution
    requires careful planning and testing of the
    remote access design
  • Types of remote access authentication protocols:
    • Password Authentication Protocol (PAP)
    • Challenge Handshake Authentication Protocol
      (CHAP)
    • Microsoft CHAP (MS-CHAP)
    • Microsoft CHAP version 2 (MS-CHAP v2)
    • Extensible Authentication Protocol (EAP)

26
Configuring Security for Remote Access Users
(continued)
Figure 10-7 Configure Routing and Remote Access
Server screen

27
Configuring Security for Remote Access Users
(continued)
Figure 10-8 Configured Routing and Remote Access

28
Configuring Security for Remote Access Users
(continued)
Figure 10-9 Configured Routing and Remote Access
Authentication policy

29
Password Authentication Protocol
  • Uses a two-way handshake to provide for user
    authentication: the server asks for the
    credentials and the user supplies them
  • PAP is strongly discouraged: user credentials
    are sent over the wire in clear text and can be
    easily sniffed by an attacker
  • Cannot be used with Microsoft Point-to-Point
    Encryption (MPPE)
  • Currently used only by older UNIX-based servers

30
Challenge Handshake Authentication Protocol
  • Used to provide on-demand authentication within
    an ongoing data transmission
  • CHAP uses a one-way hashing function; the
    authenticator compares the client's hash value
    with its own calculated value
  • Process is repeated at random intervals during a
    data transaction session
  • CHAP authentication cannot be used with MPPE
  • Two forms of CHAP are Microsoft-specific: MS-CHAP
    and MS-CHAP v2

31
Microsoft Challenge Handshake Authentication
Protocol
  • MS-CHAP uses the same type of challenge/response
    mechanism as CHAP, but it uses a nonreversible
    encrypted password
  • MS-CHAP v2 challenge/response mechanism is much
    more sophisticated than that of MS-CHAP
  • Server must first prove to the client that it
    knows the correct password; the client then
    answers the challenge of the server
  • A dial-up connection typically uses MS-CHAP v2
  • Supported by Windows XP, 2000, 98, ME, and NT v4.0

32
Extensible Authentication Protocol
  • EAP is an extension to PPP
  • An arbitrary authentication mechanism that
    authenticates a remote access connection
  • Authentication mechanism is not chosen during the
    link establishment phase
  • EAP negotiation is performed during the
    connection authentication phase
  • Routing and Remote Access includes support for
    EAP-TLS and MD5-Challenge by default

33
Extensible Authentication Protocol (continued)
  • EAP-MD5: used to authenticate the credentials of
    remote access clients by using username- and
    password-based security systems; requires that
    local or domain passwords are stored in a
    reversibly encrypted form
  • EAP-TLS: designed for use with a certificate
    infrastructure and either certificates or smart
    cards; supported only on servers that are:
    • Running Routing and Remote Access
    • Configured to use Windows authentication
    • Members of a domain
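
The CHAP exchange described above, and the reason EAP-MD5 needs passwords kept in reversibly encrypted form, as an added example that is not part of the original slides: an RFC 1994 MD5 challenge/response, verified by an authenticator that must hold the recoverable secret to recompute the hash. The account name and secret are constructed.

```python
import hashlib
import os
import secrets

# Constructed sample account. The authenticator needs the cleartext (or
# reversibly encrypted) secret because it must recompute MD5(id||secret||
# challenge) itself; a one-way password hash would not do. This is why the
# slides say EAP-MD5 needs passwords stored in reversibly encrypted form.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges and checks responses. The secret never
    crosses the wire, unlike PAP, where the cleartext password is sent."""

    def __init__(self, user_secrets):
        self.user_secrets = user_secrets
        self.identifier = 0

    def challenge(self):
        # A new identifier and a fresh random challenge for every round, so a
        # response observed earlier is useless against a later challenge.
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def verify(self, username, identifier, challenge, response):
        secret = self.user_secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return secrets.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without revealing it."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def answer(self, identifier, challenge):
        return self.username, chap_response(identifier, self.secret, challenge)


def run_session(auth, peer, rounds=3):
    """Initial authentication plus re-challenges; CHAP repeats this at random
    intervals during the session. Returns one verdict per round."""
    results = []
    for _ in range(rounds):
        ident, chal = auth.challenge()
        user, resp = peer.answer(ident, chal)
        results.append(auth.verify(user, ident, chal, resp))
    return results


def stale_response_rejected(auth, peer):
    """A valid response to one challenge does not satisfy the next challenge."""
    ident, chal = auth.challenge()
    user, old_resp = peer.answer(ident, chal)
    new_ident, new_chal = auth.challenge()
    return not auth.verify(user, new_ident, new_chal, old_resp)


if __name__ == "__main__":
    auth = Authenticator(USER_SECRETS)
    print(run_session(auth, Peer("alice", USER_SECRETS["alice"])))  # [True, True, True]
    print(run_session(auth, Peer("alice", b"wrong password"), 1))   # [False]
    print(stale_response_rejected(auth, Peer("alice", USER_SECRETS["alice"])))  # True
```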

34
Multifactor Authentication
  • Combining two or three of the following
    factors for proof of identification:
    • Something he or she knows, e.g., a password or a
      PIN for a smart card
    • Something he or she has, e.g., a smart card or
      access card
    • Something he or she is, e.g., a fingerprint or
      retinal scan
  • Considerations for using smart card
    authentication: cost, infrastructure,
    administrative overhead, and remote connections

35
Providing Remote Access Over a VPN
  • Virtual private network (VPN): method for
    allowing remote access users to connect to a
    corporate network over the Internet
  • Uses a combination of tunneling, authentication,
    and encryption technologies to create secure
    connections
  • VPNs offer the following benefits:
    • Save long-distance phone expenses
    • Require less hardware
    • Prevent unauthorized users from connecting
    • Make it difficult for a hacker to read sent data

36
Providing Remote Access Over a VPN (continued)
  • Procedure for designing security for a VPN remote
    access server solution:
    • Choose a VPN protocol
    • Decide which authentication protocols are needed
    • Pick the extent and level of encryption to use
    • If organizational needs warrant the use of
      certificates, plan a certificate infrastructure
      that supports client authentication for remote
      access
    • Consider enhancing security by using remote
      access account lockout

37
Internet Service Providers
  • Two ways to access the Internet:
    • Register an IP address and maintain a DNS server
      and DNS resolution
    • Use a DNS server and equipment that has been
      registered by someone else, namely an ISP
  • Benefits of using an ISP:
    • Cost savings by minimizing both setup and
      operations costs
    • Guaranteed level of service for some or all
      components of your remote access solution

38
Client Operating Systems
  • Windows Server 2003 supports two VPN protocols:
    • Point-to-Point Tunneling Protocol (PPTP)
    • Layer Two Tunneling Protocol with Internet
      Protocol security (L2TP/IPSec)

Table 10-4 Comparison of Client Support for
Tunneling Protocols

39
Client Operating Systems (continued)
Figure 10-10 Configuring a client tunneling
protocol

40
Using Point-to-Point Tunneling Protocol
  • Allows tunneling that works at Layer 2 of the OSI
    model and enables a single point-to-point
    connection
  • Connection types where PPTP may be used:
    • Over the Internet (such as a VPN)
    • Via a dial-up connection
  • Embeds its own network protocol within TCP/IP
    packets carried by the Internet
  • PPTP VPN connections require use of one of the
    following: MS-CHAP, MS-CHAP v2, or EAP-TLS
  • Not the most secure method

41
Using Layer Two Tunneling Protocol
  • L2TP is an extension of the PPP protocol, created
    by combining the best qualities of PPTP and Layer
    2 Forwarding (L2F); sets up a single
    point-to-point connection between two computers
  • L2TP/IPSec provides the following for each packet:
    data integrity, data origin authentication, data
    confidentiality, and replay protection
  • It is protocol-independent and includes an
    authentication mechanism

42
Using Layer Two Tunneling Protocol (continued)
  • L2TP/IPSec uses:
    • PPP user authentication methods
    • IPSec encryption to encrypt IP traffic
  • L2TP/IPSec can be used only by Windows 2000
    Professional and newer clients
  • For the highest level of security, use a remote
    access VPN based on L2TP/IPSec with
    certificate-based IPSec authentication and
    Triple-DES for encryption
  • If using a PPTP-based VPN solution, it is best to
    use MS-CHAP v2

43
Using Layer Two Tunneling Protocol (continued)
  • When choosing an authentication protocol for VPN
    connections, keep the following in mind:
    • When using smart cards or certificates, use
      EAP-TLS for both PPTP and L2TP connections
    • When using a password-based authentication
      protocol, choose MS-CHAP v2, then use Group
      Policy to enforce strong passwords
    • Always use the most secure protocols that your
      network access servers and clients can support

44
Network Address Translation Devices
  • Translate IP addresses and TCP/UDP port numbers
    of packets, thereby preventing others from
    knowing the real addresses of your private
    network; allows one public address to provide
    Internet access to many users simultaneously
  • PPTP with its built-in MPPE encryption is able to
    interoperate with NAT
  • Microsoft servers prior to Windows Server 2003
    could not use IPSec and NAT together

45
Network Address Translation Devices (continued)
Figure 10-11 Demand Dial Interface Wizard

46
Network Address Translation Devices (continued)
Figure 10-12 Completing the Demand-Dial
Interface Wizard screen

47
IP NAT Traversal
  • Enables IPSec VPNs to work with NAT devices
  • Works by providing UDP encapsulation of IPSec
    packets to enable IKE and ESP-protected traffic
    to pass through the NAT device
  • In the case of VPN clients used with NAT:
    • PPTP-based VPN clients can be located behind NAT
      if the NAT includes an editor and Remote Access
      service
    • If you locate L2TP/IPSec-based clients or servers
      behind a NAT device, both client and server must
      support IPSec NAT Traversal

48
Routing and Remote Access Servers
  • Steps to be taken when deploying a VPN:
    • Configure the server as a VPN remote access
      server
    • Configure routing on the VPN server
    • Implement security
    • If required, install certificates
    • Configure the remote access policy for the VPN
      server
    • Configure remote access account lockout if
      necessary

49
Routing and Remote Access Servers (continued)
Figure 10-13 Configuring remote access account
lockout

50
Routing and Remote Access Servers (continued)
  • Options to increase the server performance when
    planning deployment of remote access servers:
    • Upgrading the server hardware
    • Increasing the amount of RAM
    • Using separate remote servers

51
Routing and Remote Access Servers (continued)
  • Guidelines for upgrading the server hardware in
    the case of dial-up networking:
    • A modem or a multiport adapter and access to an
      analog telephone line; for a large number of
      clients, install modem bank equipment and
      multiple phone lines
    • For each modem, a server serial port; for modem
      banks, a multiport serial adapter or a
      high-density combination card
    • Consider using multiport serial boards to offload
      processing from the remote access server

52
Routing and Remote Access Servers (continued)
  • Guidelines for upgrading the server hardware in
    the case of a VPN:
    • Use network adapters capable of IPSec hardware
      offloading for interfaces on the public network
    • Configure all devices to 100 Mbps full duplex
    • Private network interfaces and data servers and
      routers that remote access clients will access
      should be directly connected to a high-capacity
      switch

53
VPN Router Placement in Relation to Firewalls
Table 10-5 Comparison of Port Configuration
Based on Firewall Placement

54
Managing Client Configuration for Remote Access
Security
  • WS 2003 has built-in tools to assist in managing
    client access to a remote access server
  • Clients can be configured using:
    • Native connection features in Windows; best
      suited for when there are few users connecting to
      the network
    • A managed client solution, such as Connection
      Manager and its components, which enables a
      network administrator to preconfigure remote
      access clients

55
Remote Access Policy
  • A collection of conditions and settings that
    define authorization and access privileges for
    connection attempts
  • Consists of three components that work together to
    allow or deny the connection: conditions,
    permissions, and profiles
  • Possible to configure multiple remote access
    policies on a single server
  • Default remote access policy: Connections to
    Microsoft Routing and Remote Access server

56
Remote Access Policy (continued)
  • Conditions are attributes that must be met in
    order to satisfy the policy
  • First component that is checked on a connection
    attempt
  • Checked only at the initial time of the
    connection attempt
  • Might include day and time restrictions,
    connection types, and security group memberships
  • If multiple conditions are set, all of them must
    be met to satisfy the policy

57
Remote Access Policy (continued)
  • Permissions: checked after conditions, assuming
    that a condition to deny has not already been met
  • User dial-in permissions can be set to Allow,
    Deny, or Control access through Remote Access
    Policy (if the domain is in at least Windows 2000
    native mode)
  • Profiles: must be met in order to obtain and to
    continue a connection if user permissions are set
    to Control access through Remote Access Policy
  • Profiles can include day and time restrictions,
    idle timeouts, session timeouts, encryption,
    authentication, connection types, etc.
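
The conditions, permissions and profile stages described on the remote access policy slides, as an added example that is not part of the original slides or of the RRAS code: a small policy evaluator in Python. The policies, groups and connection attributes are constructed, and the default policy is assumed here to match every attempt and deny remote access permission.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Dial-in permission values on the user account (see the permissions slide)
ALLOW, DENY = "Allow", "Deny"
CONTROL = "Control access through Remote Access Policy"

@dataclass
class Attempt:
    """One connection attempt; fields are constructed for this example."""
    user: str
    groups: frozenset
    connection_type: str     # "VPN" or "Dial-up"
    when: datetime
    auth_protocol: str       # e.g. "MS-CHAP v2", "EAP-TLS", "PAP"
    encryption_bits: int

@dataclass
class Policy:
    name: str
    conditions: list         # Attempt -> bool; ALL must match
    grant: bool              # the policy's own remote access permission
    profile: list = field(default_factory=list)  # Attempt -> bool constraints

def first_matching_policy(policies, attempt):
    """Policies are tried in order; a policy matches only if every one of its
    conditions is met. Conditions are checked only at connect time."""
    for policy in policies:
        if all(cond(attempt) for cond in policy.conditions):
            return policy
    return None

def evaluate(policies, attempt, user_dialin):
    """Conditions -> permissions -> profile, in the order the slides describe.
    Returns (accepted, reason)."""
    policy = first_matching_policy(policies, attempt)
    if policy is None:
        return False, "no policy matched: connection rejected"
    if user_dialin == DENY:
        return False, f"{policy.name}: user dial-in permission is Deny"
    if user_dialin == CONTROL and not policy.grant:
        return False, f"{policy.name}: policy denies remote access permission"
    # Profile constraints must hold to obtain and to keep the connection;
    # the matching policy's profile is applied for Allow as well.
    for i, constraint in enumerate(policy.profile):
        if not constraint(attempt):
            return False, f"{policy.name}: profile constraint {i} not met"
    return True, f"{policy.name}: accepted"

# Constructed policy set: an employee VPN policy, then a default policy that
# matches every attempt and denies remote access permission (assumed here).
POLICIES = [
    Policy(name="Employee VPN",
           conditions=[lambda a: a.connection_type == "VPN",
                       lambda a: "Employees" in a.groups,
                       lambda a: a.when.weekday() < 5 and 8 <= a.when.hour < 18],
           grant=True,
           profile=[lambda a: a.auth_protocol in ("MS-CHAP v2", "EAP-TLS"),
                    lambda a: a.encryption_bits >= 128]),
    Policy(name="Connections to Microsoft Routing and Remote Access server",
           conditions=[lambda a: True], grant=False),
]

def sample(**changes):
    """Constructed attempt: alice, Employees group, VPN, Tuesday 10:00, MS-CHAP v2."""
    base = dict(user="alice", groups=frozenset({"Employees"}), connection_type="VPN",
                when=datetime(2023, 3, 14, 10, 0), auth_protocol="MS-CHAP v2",
                encryption_bits=128)
    base.update(changes)
    return Attempt(**base)
```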

58
Remote Access Policy (continued)
Figure 10-14 New remote access policy

59
Connection Manager Administration Kit
  • Connection Manager consists of three different
    pieces:
    • The Connection Manager client provides a
      simplified way of connecting to a remote network
    • The Connection Manager Administration Kit (CMAK)
      allows the administrator to create and configure
      the service profile
    • Connection Point Services (CPS) allows for
      creating and maintaining phone books

60
Connection Manager Administration Kit (continued)
  • New features on the CMAK Wizard for Windows
    Server 2003 include:
    • Provide routing table updates that apply only
      while clients are connected to your server (split
      tunneling)
    • Automatically configure Internet Explorer proxy
      settings for a client computer
    • Enable clients to choose which VPN server to use
      when they make a connection
    • Automatically run applications on the client
      computer or on the server at the time of the
      connection

61
Customizing Connection Manager
  • Connection Manager also has the ability to run
    custom actions at various points when
    establishing a connection
  • CMAK Wizard is used to include custom actions in
    your service profile, such as automatically
    starting programs when users connect
  • Custom actions are quite flexible and can include
    batch files, executable files, and dynamic link
    libraries (DLLs), or they can use installed or
    distributed programs

62
Customizing Connection Manager (continued)
  • List of the custom actions that can be performed:
    • Preinitialization actions
    • Preconnect actions
    • Predial actions
    • Pretunnel actions
    • Postconnect actions
    • Disconnect actions
    • On cancel actions
    • On error actions

63
Customizing Connection Manager (continued)
Figure 10-15 Configuring CMAK

64
Customizing Connection Manager (continued)
Figure 10-16 Configuring a custom action

65
Deploying Remote Access Clients
  • CMAK can be used to automate the client
    configuration process
  • Ways to distribute client configuration:
    • Distribute CDs or floppy disks containing your
      self-installing Connection Manager package
    • Send a service profile through e-mail to your
      users
    • Set up a Web site where users can download the
      service profile
    • Install the service profile on each client
      individually
    • Use a combination of distribution methods

66
Summary
  • SSL protocol can be used with IIS 6.0 to encrypt
    confidential information exchanged between the
    Web server and the client
  • SSL process uses certificates for authentication,
    and encryption for message integrity and
    confidentiality
  • You can configure computers running WS 2003 with
    IIS 6.0 to accept certificates from a predefined
    list of certification authorities
  • Placing the VPN router behind the firewall and
    attaching the firewall to the Internet is
    recommended

67
Summary (continued)
  • You can use remote access account lockout on
    remote access accounts
  • With remote access policy, users can be allowed
    or denied access based on many factors
  • WS 2003 supports two VPN protocols: PPTP and
    L2TP/IPSec
  • NAT devices work by translating port numbers of
    packets that are forwarded between private
    network and Internet
  • You can use CMAK Wizard to create a custom
    service profile