module 3: planning administrative access. overview determining the appropriate administrative model...

Module 3: Planning Administrative Access

Upload: hubert-edwards

Post on 17-Dec-2015

TRANSCRIPT

Page 1: Module 3: Planning Administrative Access. Overview Determining the Appropriate Administrative Model Designing Administrative Group Strategies Planning

Module 3: Planning Administrative Access

Overview

Determining the Appropriate Administrative Model

Designing Administrative Group Strategies

Planning Local Administrative Access

Planning Remote Administrative Access

Managing network administration becomes increasingly important as networks grow in size and complexity. Failure to adequately anticipate growth and complexity can pose a security threat to your network by allowing undetected and unauthorized access to resources. As you develop an administrative access design, you must consider the potential changes to network requirements.

Maintaining a secure network requires an understanding of the administrative infrastructure and the tasks necessary to manage administrative access.

At the end of this module, you will be able to:

Select an administrative model for an organization.

Plan memberships in the Microsoft® Windows® 2000 administrative groups.

Plan secure local administrative access to the network.

Plan secure remote administrative access to the network.

Determining the Appropriate Administrative Model

Choosing Centralized Administrative Models

Choosing Decentralized and Hybrid Administrative Models

Identifying Network Resource Administrative Tasks

Identifying Administrative Tasks

Defining Security Management Tasks

An administrative model defines how the administrative control of a network will occur. The model describes the administrative accounts and the skills that are necessary to manage resources and users on a network. The model also describes the administrative roles and tasks required to support security, availability, and performance for users of the network.

In this lesson you will learn about the following topics:

Choosing centralized administrative models

Choosing decentralized and hybrid administrative models

Identifying network resource administrative tasks

Identifying administrative tasks

Defining security management tasks

Choosing Centralized Administrative Models

Centralized Administration

Organizations with small, single-location local area networks (LANs), or organizations where management policy mandates that administration must not be delegated, can use a centralized administration model. Centralized administration minimizes the number of accounts used to manage the network.

Use centralized administration where security concerns are greatest and the number of accounts performing administration must be minimized. For example, a military research organization might maintain an isolated network with one forest, and one domain in the forest, controlled by a single Administrator account. The Administrator account may be restricted to a single, secured physical logon location, requiring smart card identification to enter the location and to authenticate on the network.

Consider centralized administration when:

Security considerations mandate centralized control with a minimum number of identities.

The network consists of a single domain, with no requirement for delegated administrative control.

The network consists of a single site based on a high-speed network.

Locations are connected by wide area network (WAN) links with sufficient bandwidth to allow administration from a central location.

There are no geographical, geopolitical, or language complexities.

Choosing Decentralized and Hybrid Administrative Models

[Diagram labels: Centralized User Account Administration, Human Resources Dept., Decentralized Resource Administration, Decentralized Administration, Hybrid Administration]

In larger networks and organizations that span geographic locations, administration may be distributed throughout the network. If administration is distributed throughout the network, you must define the administrative roles and tasks at each location. Many organizations will use a hybrid of the centralized and decentralized models. For example, an organization may allow only Human Resources personnel to centralize and perform administration of user accounts, and may delegate administration of file and print resources to the location where the resource resides.

Decentralized Administration

Use decentralized administration where the risks associated with multiple points of administration are acceptable. For example, if an organization has delegated administration of user accounts to many organizational units (OUs), they must trust that administrators will not abuse their privileges. Risks may include the creation of accounts for non-qualified personnel, the inclusion of inappropriate user accounts in groups, and the abuse or alteration of account properties.

You may need to logically partition a network to decentralize the administrative tasks. OUs are the smallest scope to which you can delegate administrative authority for objects and attributes. You can delegate user, resource, and administrative tasks to a local administrator. When decentralizing administration, consider the following:

Split the network into separately administered domains in which different administrative personnel manage groups of users.

Split a domain into OUs to reflect the administrative structure of your organization.

Split a domain into OUs to permit delegation of administrative control over smaller groups of users, groups, and resources. You can delegate complete administrative control of OUs (including tasks, such as creating users and changing passwords), or limited control of OUs (with specific tasks such as changing user account passwords).

Split a domain into OUs if your organizational structure is likely to change later. Whenever possible, organize domains so that they will not need to be moved or split often in the future.

By creating OUs within domains, you have two types of hierarchies within a domain tree: the hierarchy of the domains in a domain tree, and the hierarchies of the OUs within a domain.

Multi-tiered hierarchies allow a great deal of flexibility in defining the scope of administration. For example, in an organization whose network is managed by a central group of administrators, the administrators could create OUs that represent accounts and resources within each domain in the enterprise. The central administrators could delegate administrative authority to each of these OUs, while retaining administrative control over all of the OUs as a whole.

Hybrid Administration

Use a hybrid administrative model when some functions must be kept centralized and others can be distributed. For example, an organization may delegate administration of resources to local administrators, but centralize the creation, deletion, and modification of user accounts.

Identifying Network Resource Administration Tasks

[Diagram labels: Network Resources, Account Administration, Resource Administration, Backup Administration]

Any user account with the required authority can administer resources defined in the Active Directory™ directory service. Resources may be categorized based on the administration model implemented. For example, an organization may create an administrative role for users and workstations and a separate administrative role for shared resources and printing functions. The grouping of managed resources is arbitrary, but generally relates to the administrative roles that an organization defines.

The following table shows typical administrative roles and tasks.

Type of resource administration | Administration tasks include

Account administration | Management of various types of accounts, including computer, user, and group accounts.

Resource administration | Control of both hardware and software-related items, such as file and folder resources, printers, event logs, and data storage.

Backup administration | Processes for the storage, backup, and recovery of data.

Identifying Administrative Tasks

Storage Management

Batch/Output Management

Problem Management

Performance Management

Security Management

Change and Configuration Management

Event Management

Information Technology (IT) groups, such as data center operations, network support, and help desk support, often split the tasks of managing an organization's computer facilities. The normally separate roles of these IT groups may overlap when managing resources, such as applications, servers, computers, and other networking components. Each group performs many individual tasks that can be collected into functional roles, or disciplines, such as the following:

Change and configuration management. Includes server and desktop administration, state management, and software life-cycle control.

Security management. Includes management of user authentication, control of access policies, security of resources, and audit of user and resource access.

Performance management. Includes tracking, tuning, modeling, and monitoring for servers, services, and applications.

Problem management. Includes end-user support, error isolation, troubleshooting, and trouble ticketing.

Batch and output management. Includes job control and queuing, and scheduling facilities, such as printer pools, for printing output.

Storage management. Includes control of data storage, retrieval of data, backup of automated data, and archiving of data.

Event management. Includes consolidation, aggregation, and monitoring of both logs and status information.

Defining Security Management Tasks

Secure Physical Systems and Devices

Manage Users, Groups, and Policies

Define and Implement Authentication and Data Transmission Security

Control and Monitor Access to Shared Resources

Create and Implement an Audit Policy

Create and Implement a Backup and Recovery Plan

Create and Implement Desktop Policies

[Diagram labels: Security Management, shown with Storage Management, Batch/Output Management, Problem Management, Performance Management, Change and Configuration Management, and Event Management]

Protection of data and resource facilities is essential to maintain the required level of privacy for an organization's intellectual property. An organization may have a range of intellectual property and physical assets that must be secured at security levels ranging from public access to highly restricted access. The security management functional role consists of specific tasks designed to maintain the proper level of security for any particular resource. These tasks include:

Securing physical systems and devices. Protect against theft and illegal physical access by means such as using locked computer rooms and resource facilities.

Managing users, groups, and account policies. Create accounts and assign required rights and privileges for roles. Includes the management of policies that affect accounts, such as password length and account lockout policy.

Defining and implementing authentication and data transmission security. Restrict network logon authentication and secure local and remote logon authentication. Implement digital signatures and a Public Key Infrastructure (PKI). Implement encrypted data transmissions.

Controlling and monitoring access to shared resources. Define permissions on folders, files, printers, and shared folders.

Creating and implementing an audit policy. Define audit triggers and monitor audit logs.

Creating and implementing a backup and recovery plan. Define backup and restore procedures and policies.

Creating and implementing desktop policies. Define security configurations for network access devices, such as desktop computers. This can include requiring password-protected screen savers, restricting network access, restricting access to local services and applications, and mandating virus checks.

Designing Administrative Group Strategies

Creating Custom Groups

Nesting Groups

Managing Administration Memberships

To simplify administration, administrators can create new custom security groups and assign members to those groups, thereby allowing the members to perform common tasks. Administrators can create custom groups for each required administrative role. Each group can then be assigned the necessary rights and permissions to perform the administrative role. Groups can be nested to allow collections of users and groups to obtain rights and permissions.

In this lesson you will learn about the following topics:

Creating custom groups

Nesting groups

Managing administration memberships

Creating Custom Groups

Default group: Backup Operators (rights: Backup, Restore)

Custom groups: Backup Only (rights: Backup); Restore Only (rights: Restore)

Default groups allocate rights and permissions to complete predefined tasks. For example, members of the Backup Operators group can both back up and restore files. You may require custom groups that separate backup and restore rights into two separate groups.

When reviewing the default permissions and user rights assigned to the default groups in Windows 2000, you may identify cases in which limited rights are required. Assign to custom groups only those rights that are necessary. When creating custom role definitions and groups:

Minimize the number of groups and roles to minimize overhead.

Minimize broadly functional roles.

Allocate the minimum rights and permissions to perform the defined roles.

Minimize membership in the groups.

Only assign rights to groups, rather than directly to users.

Nesting Groups

Sales Mgrs (Global Group)

IS Mgrs (Global Group)

Product Mgrs (Global Group)

All Managers (Global Group)

Human Resources (Global Group)

Employee Reviewers (Universal Group)

Employee Records (Domain Local Group): rights and permissions to modify employee records allocated to group

In Windows 2000, groups can contain other groups. This capability is called nesting. Nesting groups allows an administrator to collect existing groups and make these groups members of another group that provides defined rights and permissions to perform a role.

In the preceding illustration, an administrator creates separate global groups called Sales Mgrs, IS Mgrs, and Product Mgrs, each containing accounts for users who are managers of separate departments. The administrator can then add these groups to another global group called All Managers. The All Managers group can then be added to a universal group called Employee Reviewers. Employee Reviewers can finally be added to a domain local group that provides all members with the required rights and permissions to modify employee records.

When using group nesting to control an administrative structure, do not allocate permissions and rights to groups that will be nested. Always apply rights and permissions at the lowest level in the structure.

Nesting is an efficient way to handle large memberships and to delegate management of group membership. For example, in an organization that uses a hybrid administrative model, the central administrators can create a top-level universal group that contains only global groups from each domain in your forest. The administrators of the domains containing these global groups can then manage the membership within their own domains. The centralized administrators can then manage the universal group membership, adding and removing global groups. The domain administrators manage the memberships of the global groups in a specific domain, adding and deleting domain users. The domain administrators also manage local groups allocated rights and permissions within the domain.

Managing Administration Memberships

Using Restricted Groups

Monitoring Memberships

A security plan for an organization must specify that the network administrator periodically verify the membership of any key security groups to ensure that membership is correct. This verification must include checking the membership of the built-in groups, including Enterprise Admins, Domain Admins, Administrators, and Schema Admins groups. An unauthorized membership in any key security group may result in major security breaches.

Using Restricted Groups

Setting the Restricted Groups option in Group Policy can control membership of any group in which the members are well defined. When changes to administrative group membership must occur without the use of Restricted Groups, an auditing policy must exist. The policy is used to monitor and report if required security levels are not maintained.

Monitoring Memberships

Maintaining the security and administrative structure requires continuous monitoring of group membership. If inappropriate groups or accounts are added to local groups with administrative rights and permissions, security may be breached. The Restricted Groups feature in Windows 2000 allows an administrator to control the membership of selected groups, including the membership of a group and the nesting of groups. Consider including Restricted Groups in any decentralized administrative structure to ensure that group memberships are controlled.
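The nesting chain described under Nesting Groups and the periodic membership verification described here can be checked together by resolving effective (nested) membership and comparing it with an approved list. The following Python sketch is an added example, not part of the original course material; the user names, the Site Operators group, the RIGHTS table, and the APPROVED baseline format are constructed assumptions, and the data would normally come from a directory export.

```python
from collections import deque

# Constructed sample data (not from a real directory). Each group maps to its
# direct members; a member that is itself a key of GROUPS is a nested group.
GROUPS = {
    "Sales Mgrs": ["alice", "bob"],
    "IS Mgrs": ["carol"],
    "Product Mgrs": ["dave"],
    "All Managers": ["Sales Mgrs", "IS Mgrs", "Product Mgrs"],
    "Employee Reviewers": ["All Managers"],
    "Employee Records": ["Employee Reviewers"],
    "Domain Admins": ["admin1", "Site Operators"],
    "Site Operators": ["frank", "Domain Admins"],  # hypothetical group, circular nesting
    "Enterprise Admins": ["admin1"],
    "Schema Admins": [],
    "Administrators": ["Domain Admins", "Enterprise Admins"],
}

# Groups that have rights or permissions assigned directly (constructed).
RIGHTS = {
    "Employee Records": ["modify employee records"],
    "Administrators": ["full control"],
    "Site Operators": ["restart servers"],
}

# Approved accounts for each key security group (assumed baseline format).
APPROVED = {
    "Enterprise Admins": {"admin1"},
    "Domain Admins": {"admin1"},
    "Administrators": {"admin1"},
    "Schema Admins": set(),
}


def effective_members(group, groups):
    """Return {account: chain} for every account that is in `group` directly
    or through nesting. The chain starts at `group` and ends at the group
    that holds the account as a direct member."""
    found = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:              # nested group
                if member not in seen:        # do not follow nesting loops
                    seen.add(member)
                    queue.append((member, chain + [member]))
            elif member not in found:         # breadth-first: shortest chain wins
                found[member] = chain
    return found


def audit_key_groups(groups, approved):
    """List (key group, account, chain) for accounts that reach a key group
    but are not on its approved list. Read the chain right to left as
    'is a member of'."""
    findings = []
    for group in sorted(approved):
        for account, chain in sorted(effective_members(group, groups).items()):
            if account not in approved[group]:
                findings.append((group, account, " <- ".join(chain)))
    return findings


def nested_groups_with_rights(groups, rights):
    """Groups that are members of another group and also hold rights
    directly, which the nesting guidance above says to avoid."""
    nested = {m for members in groups.values() for m in members if m in groups}
    return sorted(g for g in nested if rights.get(g))


if __name__ == "__main__":
    for finding in audit_key_groups(GROUPS, APPROVED):
        print("unapproved member:", finding)
    print("nested groups holding rights:", nested_groups_with_rights(GROUPS, RIGHTS))
```

The chain in each finding shows which nested group granted the membership, so the correction can be made at the group where the account was actually added.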

Planning Local Administrative Access

Controlling Physical Administration Points

Planning Logical Security Settings

Using the RunAs Service

Physical or logical access to computers and networks can be controlled to prevent unauthorized access to resources. Physical access to administration points, such as a computer dedicated to performing administrative tasks, can be protected by requiring the use of smart cards or by physically locating the administration point in a secure area.

Logical security settings include methods taken to restrict access by using controls that the operating system provides. The RunAs Service in Windows 2000 allows administrative tasks to be executed in a higher security context while the user remains logged on with a normal user account.

In this lesson you will learn about the following topics:

Controlling physical administration points

Planning logical security settings

Using the RunAs service

Controlling Physical Administration Points

Physical Security

Smart Card Logon Access

[Diagram labels: Cert, Reader, Smart Card]

An organization may have data that it considers sensitive enough to be physically separated and secured from the majority of corporate users. For example, data for Finance or Human Resources departments requires high security. In organizations with high security requirements, the use of a user name and password to access the system may not be considered sufficiently secure. Other than providing physical security at access points, the use of certificate-based devices (smart cards) can reduce the possibility of a security breach.

Where loss of data can occur physically, secure the servers where the data is stored and limit physical access. Where increased assurance of user identity is required, such as the identification of administrative accounts, use smart cards to improve security.

Physical Security

When it is necessary to control who can perform particular physical tasks, such as accessing removable media and opening the computer case, physical security is required. Physical security can be applied by the use of hardware-locking devices or by placing the computer in a controlled environment, such as a security-card-secured computer room, which reduces access by unauthorized persons.

Smart Card Logon Access

The strongest form of account authentication in Windows 2000 is the use of smart cards. The use of smart cards can be considered on systems requiring heightened security. The smart card contains a chip that stores a user's private key, logon information, and public key certificate. The user inserts the card into a smart card reader attached to the computer. When requested, the user then types in a personal identification number (PIN) to complete the authentication process.

This combination of a physical device and required PIN is more difficult to attack because an additional layer of information is needed to impersonate a user. In addition, after a small number of unsuccessful PIN inputs occur consecutively, a smart card is locked. This reduces the effectiveness of password-cracking programs.

Tip: A PIN is not necessarily limited to a series of numbers; it can be required to incorporate other alphanumeric characters.

Windows 2000 provides the option to configure a user account so that a smart card-equipped computer is required for the user to log on to the network. Using smart cards for user authentication on a computer requires that a PKI exist to distribute the required certificates.

Planning Logical Security Settings

Strong Passwords

Restrictive Logon Hours

Workstation Restrictions

Active Directory User Account Options

Logical security includes methods taken to protect data by using controls that the operating system provides, such as logon authentication and access permissions. Logical administrative security prevents unauthorized access by restricting certain aspects of resource use.

Strong Passwords

Passwords can be the weakest link in a computer security scheme. Strong passwords are important because password-cracking tools continue to improve and the computers used to determine passwords are increasingly powerful. After a password is compromised, an attacker will have the same access to the network as the user who owns the user account. This access includes access to all certificates stored in the local profile, including Encrypting File System (EFS) recovery certificates.

Password-cracking software uses one of several approaches: intelligent guessing, dictionary attacks, and automation. Automation tries every possible combination of characters, and given enough time, can crack any password. For a password to be strong and hard to crack, it is recommended that you use a combination of the following:

Choosing uppercase and lowercase letters (EXample passWORD)

Integrating numbers (7Sample03)

Including symbols (7$#Sample:03)

Note: You can enforce these stronger password requirements for user accounts by enabling the Passwords must meet complexity requirements Group Policy option for the Default Domain Policy.

In addition to combining password rules, other rules that can be followed when selecting an administrator password include:

Ensuring that passwords are at least 10 to 12 characters in length.

Requiring that new passwords differ significantly from prior passwords.

Recommending that passwords do not contain the user's name.

Recommending that passwords do not use a common word or name.

Tip: It is a best practice to periodically audit passwords to identify weak passwords.

Restrictive Logon Hours

You can use the Logon Hours setting to specify the days and times that a user is permitted to log on to a domain. By default, restricting a user's logon hours does not disconnect a user from a domain controller when the user's logon hours expire. A restriction on logon hours only prevents a user from logging on to the domain during specific hours. As an option, however, you can configure domain-wide settings to disconnect users when their logon hours expire.

Workstation Restrictions

The Logon Workstations setting limits which computers (by using network basic input/output system (NetBIOS) computer names) a specific user account can use to log on to the network. The Logon Workstations setting can protect against the use of administrative accounts to log on to unauthorized computers or computers that are not located in a secure room. This setting requires the use of NetBIOS names and the NetBIOS protocol on the network.

Active Directory User Account Options

Each Active Directory user account has a number of security-related options that determine how someone logging on with that particular user account is authenticated on the network. The following are some of the advanced security-specific options that you can configure:

Select the Smart card required for interactive logon option

Select the Don't require Kerberos preauthentication option

Select the Use DES encryption types for this account option

Select the Smart card required for interactive logon option

Select this option to ensure that the account can only be used in conjunction with a smart card. If the smart card is not used, the account will be unable to log on to the network. Use of a smart card requires that the system also include a smart card reader.

Select the Don't require Kerberos preauthentication option

Select this option if the account uses an implementation of Kerberos version 5 that does not support preauthentication in the same manner as Windows 2000.

Select the Use DES encryption types for this account option

Select this option if you need the Data Encryption Standard (DES). DES supports multiple levels of encryption.

Running Applications

Providing Alternate Credentials

Using the RunAs Service

[Diagram labels: User Account, Process, Administrative Account]

It is good practice for administrators to use an account with restrictive permissions to perform routine, non-administrative tasks, and to use an account with administrative permissions only when performing specific administrative tasks. To change permissions without logging off and logging back on, an administrator can log on with a regular user account and use the runas command to run the tools that require the broader permissions.

Running Applications

The RunAs Service in Windows 2000 provides a way to start applications in different security contexts without requiring the user to log off. The RunAs Service allows administrators to log on to a non-administrative account and still be able to perform administrative tasks.

The RunAs Service requires administrators to have two user accounts: a regular user account that has basic rights and security; and an administrative account with specific or wide-reaching rights and permissions that can be different for each administrator, or shared among multiple administrators.

Methods of using the RunAs Service:

Hold the SHIFT key, right-click the shortcut, and select Run as to start a program by using a higher security context.

Create an administrative script that starts an administrative tool by using a higher security context.

Use the runas command at a command prompt

Example:

RUNAS /user:UserName program

Providing Alternate Credentials

The net use command provides an option to include an alternate user name and password when connecting to a remote computer. The user name that is provided will be used to determine whether access is given to the resource.

Example:

Net use x: \\computer\share /user:[email protected] [password]

Demonstration: Using the RunAs Service

Planning Remote Administrative Access

Encrypted Authentication and Data Transmission

Customizing Microsoft Management Console

Using Terminal Services for Remote Administration

Using Telnet for Remote Administration

Administrators can perform most Windows 2000 administrative tasks over the network from a remote workstation. However, additional security considerations need to be evaluated before allowing remote administration.

When performing remote administration, data can be encrypted and stronger authentication methods can be selected to increase security. Various applications can be used to perform administrative tasks, such as Microsoft Management Console (MMC)-based tools, Terminal Services, or Telnet.

In this lesson you will learn about the following topics:

Encrypted authentication and data transmission

Customizing Microsoft Management Console

Using terminal services for remote administration

Using Telnet for remote administration

Encrypted Authentication and Data Transmission

Securing Authentication

Securing PPP and PPTP Connections

Securing L2TP Connections

Design Decisions

When your administrative model allows remote administration, there is a risk that the communication between the administrator and the administered server may be captured and analyzed to derive an administrative password. To minimize the risk of security breaches, encrypt data communications with the strongest authentication algorithms possible.

Securing Authentication

The following table shows the requirements for password security and data encryption set by the selection of the authentication methods.

Password security | Require data encryption | Authentication methods
Optional | Optional | Password Authentication Protocol (PAP), CHAP, Shiva Password Authentication Protocol (SPAP), MS-CHAP, MS-CHAP v2
Require security | Optional | CHAP, MS-CHAP, MS-CHAP v2
Require security | Required | MS-CHAP, MS-CHAP v2
Require Smart card | Optional | EAP-TLS
Require Smart card | Required | EAP-TLS

Securing PPP and PPTP Connections

Point-to-Point Protocol (PPP) and Point-to-Point Tunneling Protocol (PPTP) use Microsoft Point-To-Point Encryption (MPPE) when either the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) or MS-CHAP (version 1 or version 2) authentication protocols are used. MPPE can be configured to use 40-bit, 56-bit, or 128-bit encryption keys in remote access policy. To get 128-bit encryption, you must install the High Encryption Pack for Windows 2000.

Note: The High Encryption Pack for Windows 2000 is eligible for export from the U.S. to customers worldwide, except to US-embargoed destinations. Please see www.microsoft.com/exporting/ for details. The Windows 2000 High Encryption Pack may be downloaded from the Microsoft Windows Update Web site. Other countries may exercise a separate jurisdiction over the import, export, or use of encryption products.

Securing L2TP Connections

Layer Two Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec) can be used for virtual private network (VPN) connections. The data within an L2TP-based connection is encrypted by using IPSec. Windows 2000 supports 40-bit DES and 56-bit DES encryption by default. If the High Encryption Pack for Windows 2000 is installed, you can implement Triple DES (3DES) encryption for the strongest form of encryption.

IPSec can be configured to use computer-based certificates for authentication, thereby reducing the ability of an unauthorized computer to impersonate an authorized computer.

Design Decisions

Select MS-CHAP v2 or smart cards by using EAP-TLS to provide the highest level of security for dial-up and VPN connections. You can configure the requirement to use these methods in the remote access policy so that the remote access server will prevent weaker methods from being used.

Choose PPP or PPTP and MPPE as the remote access data encryption method where no computer certificate infrastructure exists, or when you require support for Windows 95, Windows 98, or Windows NT 4.0 clients.

Choose L2TP over IPSec as the remote access data encryption method if a public certificate infrastructure exists.

[Slide graphic: Save As RemoteAdminConsole.msc]

Customizing Microsoft Management Console

Restricting Access to MMC

Distributing MMC

Performing administrative tasks typically requires the use of several tools. You can put these MMC snap-ins into one MMC console. The MMC allows the inclusion of all of the tools required for a particular task in a single MMC console. Any tools released as MMC snap-ins can be included in a custom MMC console.

Although system administration is not always clearly categorized within an organization, there is usually a hierarchy of administrative levels assigned according to the delegated tasks for the administrator. MMC simplifies the administration of Windows-based environments by providing a consistent and integrated administration user interface that supports any administration model.

Restricting Access to MMC

Including a policy for MMC and snap-ins in the Group Policy object (GPO) can restrict use of MMC to authorized accounts. The following restrictions can be applied both on a local computer and in Group Policy:

Restrict access to author mode in MMC.

Restrict access to a permitted list of snap-ins.

Permit or restrict access to a particular snap-in.

Note: Policies regarding MMC and snap-ins are applicable to individual users and groups of users. The policies cannot be applied to computers.

Distributing MMC

MMC must contain only those tools necessary for an administrator to perform specific delegated tasks. Selected tool configurations can be saved as MMC console (.msc) files. These custom tools, assigned to users or groups by using Group Policy, can be sent to users or groups by e-mail, or posted to a shared folder that is only available to designated administrative users or groups. When a workgroup manager opens the particular .msc file, access will be restricted to those tools that the system administrator provides.

If a remote administrator opens an .msc file, the plug-ins required must be available locally to load in MMC. If the required plug-ins are not available, they can be automatically downloaded by including a Microsoft Installer (.msi) file.

For a snap-in to be automatically downloaded and installed, an installation package must be created for that snap-in. An installation package contains all of the information that MSI requires to install or uninstall an application or product, and to run the setup user interface (if one exists).

Using Terminal Services for Remote Administration

[Diagram: Server Running Terminal Services and Administrator Computer Running Terminal Services Client, exchanging Encrypted Screen Data and Encrypted Keyboard and Mouse Data]

User Rights

Administrator Security

Data Encryption

Additional Security Considerations

Windows 2000 administration tasks can be performed remotely by using Terminal Services. Terminal Services allows a remote administrator to perform administrative tasks on a server while only the screen content is transmitted over the network between the two computers. The communication between the client and the server uses minimal bandwidth, so this type of administrative connection is ideal where dial-up connections are being used.

User Rights

Terminal Services in remote administration mode only grants rights to administrators on the computer. To connect to a computer running Terminal Services, a user must have local logon rights on that computer. The groups and users allowed to log on, and the control granted to them, can be altered through the Terminal Services Configuration feature.

Users who are granted access through Remote Desktop Protocol (RDP), and who interactively log on to a Terminal Services-enabled server, are automatically included in the built-in Terminal Services Users local group. A user only belongs to this group while he or she is interactively logged on to a computer running Terminal Services. This built-in group gives administrators control over resources that Terminal Services users can access.

Avoid configuring Terminal Services on a domain controller because any user rights policies that you apply will then apply to all domain controllers in the domain. For example, to use Terminal Services, users must be authorized to log on locally. If the server running Terminal Services is a domain controller, users will be able to log on locally to all domain controllers in the same OU as the domain controller running Terminal Services.

Administrator Security

Logging on to Terminal Services must always be completed with the minimum administrative rights possible, thereby minimizing the damage that may occur if the account is compromised. After an administrator is connected, he or she can run administrative programs at a higher security level by using the RunAs Service, provided that he or she has the required user name and password to allow execution of the programs.

The RunAs Service is used primarily to allow users to execute applications by using a different security context. The runas command can be used to start applications under a different context without the user having to log off and then log on by using an administrative user account. You can enter the runas command from the command prompt, or it can be incorporated into an application shortcut. The logon prompt asks the user for the Windows 2000 domain user account and password to authenticate the new security context prior to executing the application.

Data Encryption

The data transferred between the client and server can be protected by encryption. Terminal Services supports:

Low Encryption. Traffic from the client to the server, including password information, is encrypted by using the RC4 algorithm and a 56-bit key (40-bit key for RDP 4.0 clients). Traffic from the server to the client is unencrypted.

Medium Encryption. Traffic in both directions is encrypted by using the RC4 algorithm and a 56-bit key (40-bit key for RDP 4.0 clients).

High Encryption. Traffic in both directions is encrypted by using the RC4 algorithm and a 128-bit key. If the High Encryption Pack for Windows 2000 is not installed, high encryption uses RC4 and a 56-bit key (40-bit for RDP 4.0 clients).

Additional Security Considerations

When planning security for Terminal Services, consider:

Smart cards

Network and communications security

Unused services

Smart cards

The Windows 2000 interactive logon process has the ability to authenticate a user with the Active Directory network by using an X.509 version 3 certificate stored on a smart card, along with the private key. However, smart card logon and other hardware-based authentication devices are not available to users authenticating through Terminal Services.

Network and communications security

Remote access does not limit access to Terminal Services users, so if one user establishes a modem or VPN link to the Internet or another system, every user on Terminal Services has access to the link.

Unused services

Removing unused services, such as the IBM OS/2 and POSIX subsystems, can prevent users from executing OS/2 or POSIX applications that circumvent security regulations.

Using Telnet for Remote Administration

Windows 2000 administration tasks can be performed remotely by using Telnet. Telnet supports a character-based command-line interface, allowing administration tasks to be performed by using any command-line tools, including executable scripts.

The Telnet server included with Windows 2000 allows a maximum of two Telnet clients to connect at any given time. If more connections must be supported, install Services for UNIX, which supports a maximum of 63 Telnet client connections. By default, the Telnet server is not started when the operating system starts. If administration must be performed by using the Telnet client, ensure that the server is set to start automatically when the operating system starts.

When designing administrative remote access by using Telnet, always use NTLM user authentication to reduce the risk of password discovery. Select the default Telnet server when the number of connections will be two or fewer. Install the Services for UNIX Telnet server when a larger number of connections must be supported, when password synchronization with UNIX is required, or when a common administrative command set will be used on both Windows 2000-based and UNIX-based computers.

Note: Regardless of the authentication mechanism used for Telnet, all keystrokes are sent across the network in clear text. This means that passwords typed while in Telnet will be available in clear text on the network. To prevent password and data interception, use IPSec to encrypt network traffic when using Telnet for remote administration.

Lab A: Planning Secure Administrative Access

Review

Determining the Appropriate Administrative Model

Designing Administrative Group Strategies

Planning Local Administrative Access

Planning Remote Administrative Access