


by Hurwitz Group

Security Features in Win2K

Jan 05, 1999 | 8 mins

Part 1: Active Directory Services features

Once e-Businesses have weathered the Y2K chaos, they'll be setting their sights on a new 2K: Windows 2000. The release date for this product has shifted several times over the past few months, but it looks imminent. In the past, Microsoft has taken more than a few hits from the media and security experts about security flaws in its Windows 9x and NT operating systems. Domain administration for Windows NT was also troublesome because it did not scale well in large environments and was not designed to work flexibly over the Internet.

Microsoft appears to have taken note of these concerns because Win2K features a large number of security enhancements designed to meet the expanding needs of e-Business customers.

Active Directory Service (ADS) is Microsoft’s implementation of a directory service. Directory services provide a repository for user account management, authentication, and access control data. Some of the benefits of ADS that organizations can leverage in their e-Business architecture are:

  • Hierarchy. ADS supports a hierarchical name space. This allows companies to create organizational units that business unit owners can control. This is an improvement over the flat account structure of previous NT releases.
  • Certificate storage. ADS supports the storage of public key certificates for organizations that have implemented, or plan to implement, a PKI.
  • Authorization and access control. ADS can be used to store user account information and access control attributes.
  • Delegated administration. The new, hierarchical structure allows organizations to delegate administration of user accounts to business unit owners. Access rights to objects in the directory can be granted on an individual or group basis to ease the burden of administration and provide finer-grained security.


The flat structure of the previous NT domain control system did not support the requirements of large, distributed e-Businesses. The integration of ADS in Win2K has the potential to allow e-Businesses to leverage true directory service technology. Microsoft states that ADS can hold up to one million objects, but the scalability of its directory has not yet been proven in production environments the way Novell Directory Services (NDS) has.

Although Microsoft provides an API to help organizations extend ADS beyond the Windows environment via the Active Directory Service Interfaces (ADSI), there will still be a need for custom coding and integration. And, as with any large directory service implementation, organizations will need to define a coherent strategy before they can fully utilize a directory service within and across the entire e-Business.

Part 2: Kerberos Authentication and Certificate Services

Previously, Hurwitz Group took a look at the Active Directory Services (ADS) features in Windows 2000. Here, Security Strategies reviews Kerberos authentication and certificate services.

Kerberos Authentication

The primary authentication protocol for Win2K is Kerberos. It is a ticket-based Internet standard and was originally developed at MIT. Win2K supports Version 5 of Kerberos and, for backwards compatibility to Windows NT 4.0 and earlier servers, it supports the traditional NT LAN Manager (NTLM) authentication protocols. The Microsoft implementation of Kerberos is based on RFC 1510.

Kerberos provides mutual authentication of client and server and supports authorization delegation, via proxy, for clients. The delegation feature is a big improvement over the older versions of Windows NT authentication. Without delegation, e-Businesses cannot design security architectures that depend on NT passing client credentials from one server to another. This may seem like a strange requirement for an e-Business application, but it is actually rather important.

Without delegation, if a user logs onto an application running on Server A and then queries the application for data that resides on Server B, the application can't pass the query to Server B as the user. Because the query can't be passed through to Server B with the user's credentials, the query isn't restricted on Server B to the user's access control and authorization restrictions. To get around this limitation, many applications were architected so that the application itself had a login on Server B. This solution was not ideal: giving the application its own account can compromise security controls, and it limits the accountability of transactions on Server B because the transactions are attributed to the application on Server A rather than to the user. It also limits the organization's ability to implement role-based data access rules on back-end servers.

Certificate Services

Win2K comes complete with a Certificate Server that can issue X.509 v3 certificates. To help customers integrate certificates into Win2K, MS has created a new CryptoAPI especially for certificate management. The CryptoAPI can manage MS Cert Server certificates as well as those issued by other PKI vendors' servers. Certificate security is activated by the system administrator, who sets which CAs (the issuers and signers of certificates) will be trusted in the domain.

Another important e-Business feature in Win2K is the ability to map certificates to existing Windows accounts. For example, administrators can create an account for a business partner company that is linked to a particular CA. The users at the business partner company do not need individual accounts on the Windows 2000 system to gain access. Instead, they present their certificate during the authentication process, and the Windows system maps it to an existing group account that has access privileges specially set for the business partner. This allows organizations to provide privileged access to all partner users without having to create multiple accounts.


The introduction of delegation into the authentication model can provide increased security to e-Business applications, especially to n-tier applications. It’s important to keep in mind, however, that the backend applications must be able to accept Kerberos authentication or they will not be able to take advantage of this new feature. Also, early reports from integrators indicate that the MS implementation of Kerberos may not be fully compliant with RFC 1510.

Hurwitz Group believes that the ability to map certificates to Windows logins is a positive addition to Windows. Because Win2K can accept certificates for authentication from business partners and consumers, it increases the overall value of the public key infrastructure (PKI) investment for organizations. It remains to be seen, however, if this will encourage more users to implement a PKI.

Part 3: Encrypting File System (EFS)

Previously, Hurwitz Group has reviewed some new security features that will be in Windows 2000, including Active Directory Services and Kerberos authentication and certificate services. In this final section, we complete our three-part series with a look at the Encrypting File System (EFS).

Encrypting File System (EFS)

Win2K will ship with file encryption technology that can store Windows NT file system (NTFS) files in an encrypted format. e-Businesses are familiar with the concept of encrypting (scrambling) data before sending it across a network; this is how secure sockets layer (SSL) works. However, many companies fail to encrypt sensitive data when it is stored on server and user hard drives. Storing data in an unencrypted format leaves it highly vulnerable. If a laptop is lost or a server is compromised, all data stored there can be read easily by an attacker. Also, weak access control or the business requirement for unrestricted group access to an NT server can lead to unauthorized access by users. To manage this risk, organizations can use EFS to store all of the data encrypted.

EFS uses public key cryptography and interacts with the MS CryptoAPI. To start, EFS generates a key pair and then has the public key signed by an approved certificate authority (CA). If there is no approved CA, EFS will sign the key itself. A randomly generated key is created for each file and then used to encrypt and decrypt the file. Microsoft has stated that DESX is the encryption algorithm that will be used in the first iteration of EFS. In the future, Microsoft plans to support additional algorithms. Users can encrypt files or directories and can access the encryption function through Windows Explorer or a command-line interface.

Encryption technology locks files so that they can only be opened with the correct key. This raises the concern that a user could lose or destroy the key, thereby cutting off access to the data. EFS allows organizations to set a data recovery policy on the server, which allows the domain administrator to generate a recovery key that can be used to restore encrypted data even if the user key is lost.


Microsoft is not the first company to provide file encryption technology, but users and administrators will be much more likely to use file encryption now that it is fully integrated with the operating system. Hurwitz Group encourages savvy e-Businesses to make it a policy to keep intellectual property and other sensitive data encrypted whenever it is stored on a hard drive. One caveat is that the first release of EFS is not seamlessly integrated with file sharing features. Organizations should be careful to implement the proper procedures around the key recovery process. Failure to do so could lead to an attacker gaining access to the data by generating a new recovery key.