Contact Us   |   FAQ   |   Cart/Checkout
  |   Register   |  
Search  
SHOP BY TOPIC

Windows Server 2003/2000 Terminal Server Solutions, Third Edition, Implementing Windows Terminal Services and Citrix MetaFrame Presentation Server 3.0

Last Updated 2/3/2009 3:43:04 PM


Abstract
In this chapter from "Windows Server 2003/2000 Terminal Server Solutions, Third Edition, Implementing Windows Terminal Services and Citrix MetaFrame Presentation Server 3.0," you'll learn how to strike the right balance between mitigating risks while still providing an environment within which the end user can perform their dictated job function. In essence, this chapter will help you decide and implement the desired level of security suitable for your Terminal Server implementation.

'

BEFORE YOU BEGIN

Regardless of the size of your Terminal Server environment, it is imperative that you take the time to properly assess the security requirements of your infrastructure. Unlike the typical Windows server, a Terminal Server lets users interact with the server in very unpredictable ways. You must provide a security mechanism that protects the Terminal Server both internally and externally. After the user has established a connection, he or she has an interactive presence on the server with direct access to the resources shared between all users, such as disk and memory. Actions of one user can have an impact on all other users on the system unless the proper steps are taken to protect against this possibility. This requirement covers all users, including system and network administrators.'

Considering the multiuser nature of a Terminal Server environment, even with little risk of a malicious threat, an accidental change performed by a single user could affect every other user on the system. For this reason, the key to developing a suitable security configuration requires the right balance between mitigating risks while still providing an environment within which the end user can perform their dictated job function. While a server can be hardened to the point where it is extremely secure, the end result might be a configuration completely unusable from an end user's perspective. This chapter focuses on helping you decide and implement the desired level of security suitable for your Terminal Server implementation.'

Most security settings discussed in this chapter are implemented using group policy objects (GPOs) in a Windows Active Directory domain. An overview of implementation and use of a GPO is provided in Chapter 15, "Group Policy Configuration." The information covered in Chapter 15 forms the foundation on which the security changes in this chapter are discussed. If you're unfamiliar with configuration of group policies in an active directory, I highly recommend reviewing Chapter 15 before proceeding. Figure 16.1 shows the sample organizational unit (OU) configuration I use to demonstrate the security changes discussed in this chapter. As you can see, this follows the suggestions outlined in Chapter 15, whereby an organizational unit called Member Servers exists off the domain root, and under here an OU exists for each of the subcategories of member servers. In this case, I have an OU for Terminal Servers, file servers, and print servers.

NOTE: Entire books have been written on the subject of Active Directory configuration, and details of such a configuration are beyond the scope of this book. For the purpose of this chapter I focus on configuration of the Terminal Server organizational unit in an active directory.

While most screen shots in this chapter come from a Windows 2000 domain controller, unless otherwise noted, the exact same steps can be performed against a Windows 2003 domain controller.

In Chapter 8, "Server Installation and Management Planning," I briefly discussed the eight areas of Terminal Server security that I recommend all administrators consider when developing a security implementation plan for their environment. Figure 16.2 shows a simple visual representation of these eight layers, which I discuss in more detail in the next few sections of this chapter.

  1. Physical access — Physical access to your Terminal Server (and associated server hardware) should be restricted as much as possible to only the people responsible for managing the Terminal Server environment.


  2. Administrative delegation — Before any other security considerations can be addressed, a decision must be made as to who will have administrative authority over the Terminal Server OU and all servers that reside within this OU.


  3. User authentication — Almost all Terminal Server implementations have some form of user authentication to verify that a user is who they declare themselves to be. The most common form of authentication is the combination of user ID and password. In most organizations, this is also typically the weakest and most vulnerable of the security layers.


  4. User authorization — Unlike user authentication, which deals with verifying identity of a user, user authorization deals with regulating what users have access to log on and what server resources they can access. Just because a user is who they say they are does not necessarily mean they are authorized to access the resource they are attempting to use.


  5. System privileges and restrictions — Once an authorized user has logged on to the Terminal Server, their ability to interact with objects on the server is managed through user rights, security restrictions, and administrative templates. These three components work in combination to limit a user's access to only those components of the server pertinent to their job function.
  6. Application privileges and restrictions — Usually access to the applications on a Terminal Server should be restricted to a subset of users based on their job function. For example, administrative applications are available only to administrators, while accounting-related applications should be accessible only to the accounting staff.


  7. System auditing — Once you have implemented the desired security configuration for your Terminal Servers, you need a means of monitoring effectiveness of the configuration and flagging suspicious activity when it occurs. System auditing is an important part of any secure environment but is of little use unless an effective means of monitoring the logged information is also implemented.


  8. Security patch management — A critical part of any secure environment is the timely deployment of all appropriate security patches. Poor patch management can be particularly damaging to a Terminal Server environment, since many of the exploits released into the wild specifically target end users and impact common applications such as Outlook or Internet Explorer. While a properly secured server normally limits the effects a user can have on stability of the server, some exploits can specifically target privilege elevation, effectively granting administrative access to the user's session and allowing a malicious program to cause system-wide problems. In Chapter 9, "Service Pack and Hotfix Management," I discussed security patch management in detail.

PHYSICAL ACCESS

Whenever possible, one of the first steps in securing your Terminal Server environment should be to establish a secure location to store the servers and all associated hardware. The goal is to limit physical contact to only authorized Terminal Server administrators. Surprisingly, physical security is not always practiced as diligently as might be expected. Once physical security has been compromised, an otherwise secured server is at risk to a number of threats. Aside from the obvious concerns such as theft, easy-to-use tools exist that can be used to reset an administrator's password simply by booting the server from a floppy disk or CD-ROM. Through this, code can easily be inserted onto the server allowing for further privilege elevation or data theft. Such physical attacks can completely bypass any other security and auditing measures that you may have in place. Aside from malicious threats, accidental interference is also a real concern. For example, a poorly placed server could be mistaken for a different piece of hardware and accidentally shut down.

NOTE: I once audited an environment where they had to leave a note taped to the server reminding users not to turn the machine off. The server was stored in a stationary closet accessible by all the employees in the branch location. The note was required because certain users were frequently powering the machine off and on in order to try to fix the application problems they were experiencing instead of first contacting a support person.

Physical security should also be a consideration in large corporate data centers. Many large companies have a single data center containing all the servers (file, print, e-mail, and so on) for the organization. In these types of environments there are usually a large number of people with access to this room, all of whom are responsible for administering a subset of these servers. In this situation you should consider investing in secured server racks that can be locked to prevent administrators of another system from accidentally tampering with one of your servers.

Here are the two basic guidelines to follow when physically securing your servers:
  1. Store servers in a room closed off from general staff traffic and accessible only with some form of card or key authentication.


  2. If necessary, lock the servers in their own rack or shelving device accessible only by valid Terminal Server administrators.

ADMINISTRATION DELEGATION

It should be fairly obvious that granting a regular user administrative privileges to a Terminal Server will inevitably result in stability issues. It may not be quite so obvious that the exact same threat exists when legitimate administrators in your domain who are unfamiliar with managing a Terminal Server environment are also granted administrative access to your servers. In this situation, the administrator is just as likely as the regular user (if not more so) to cause server-wide problems based on a change made to the server or an application's configuration.

Historically it has been common to have only one administrative classification in a Windows environment without any further subdivision of privileges into more granular groupings. When someone requires administrative privileges to manage resources in a domain, they are likely added to the Domain Admins group, giving them full administrative privileges that span the entire domain. The result is an environment with multiple administrators with full control over all resources in the domain, yet they may lack the experience to properly administer many of the resources they have full control over. For example, someone skilled in maintenance of Windows file servers may not be qualified to manage Active Directory, a Microsoft SQL Server, or even a Terminal Server. While many argue that it is just "easier" to manage the resources with these privileges, allowing this practice in a Terminal Server environment can introduce a significant threat to your infrastructure's stability.

To help ensure a stable and secure Terminal Server environment, you must not give anyone administrative authority on your servers unless they are qualified to use it. The more Terminal Server administrators you have, the greater the risk of an undesirable change affecting your production environment.

Terminal Server Domain Group Creation

When configuring administrative delegations for your Terminal Server environment, a logical starting point is creation of the four global domain security groups listed in Table 16.1. These are the same groups discussed in Chapter 8 and used when demonstrating group policy object creation in Chapter 15. I review the specific roles of the Terminal Server Operators and User Support groups in more detail in Chapter 22, "Server Operations and Support."

Table 16.1: Terminal Server Administrative Domain Groups
Domain Group NameDescription
Terminal Server Administrators This domain group is granted full control over the Terminal Server organizational unit and all Terminal Servers in the OU. Members of this group have full authority to manage the Terminal Server environment, and as a result, membership in this group must be tightly managed.
Terminal Server Operators Users with this privilege level have the authority to monitor the various system functions and perform such tasks as shutting down the server or terminating a process. They don't have the ability to make any system changes or perform application installations.
Terminal Server& User Support Members of this group can perform basic support functions such as shadowing another user's session or logging an active user off. They don't have the ability to restart a server or perform any other server maintenance operations.
Terminal Server Users This domain group is used to grant basic user access to the production Terminal Servers in the environment. A member of this group can log on to a production Terminal Server and access all the generally available applications. The user has no administrative privileges of any kind.


Delegating Organizational Unit Authority

Once the domain groups are created, you need to delegate administrative privileges for the Terminal Server Administrators group to the Terminal Servers OU. There are two ways you can accomplish this: Either utilize the Delegation of Control wizard, accessible by right-clicking the OU and selecting Delegate Control; or directly update the access control entries from the Security tab found under the properties for the OU, as shown in Figure 16.3. If the Security tab is not visible on the Properties page, you will need to select the Advanced Features option from the View menu.

Figure 16.3 The Security tab for the Terminal Server organizational unit. Once the Terminal Server Administrators group has been added, I suggest disabling inheritance of permissions from the OU's parent container. This ensures that permissions must be defined directly against the OU in order to affect delegation of authority, reducing the chances that an undesirable change performed in a parent container will negatively affect this OU's access control list (ACL).

Inheritance is disabled by deselecting the check box labeled "Allow inheritable permissions from parent to propagate to this object." In a Windows 2000 domain, this check box appears on the main Security tab (see Figure 16.3), while in a Windows 2003 domain, you must first click the Advanced button to bring up the dialog box containing this check box. When this option is deselected, you then must make a choice between whether you will keep a copy of inherited permissions or remove all inherited permissions and keep only permissions explicitly defined for the OU.

For this Terminal Server OU, I suggest removing all inherited permissions and keeping only those explicitly defined. In a typical Active Directory environment, your access control list would then look similar to the following:
  • Account Operators
  • Authenticated Users
  • Domain Admins
  • Print Operators
  • ENTERPRISE DOMAIN CONTROLLERS (Windows 2003 Active Directory only)
  • SYSTEM
  • Terminal Server Administrators
Management of this OU should be restricted further by removing the Account Operators object and the Print Operators object from the ACL, leaving Terminal Server Administrators and Domain Admins as the two groups with full authority over the organizational unit. If you have any concerns that a member of the Domain Admins group might inadvertently modify properties of the Terminal Servers OU, you should consider restricting this group's access to the OU as well, either by completely removing the group from the ACL or by modifying the permissions to restrict activities the group can perform.

NOTE: On more than one occasion I've debated the reasons for granting or revoking Domain Admins group access to manage a Terminal Server organizational unit or server. Very often it is argued that the Domain Admins group simply must retain complete control over all elements of a domain, including the Terminal Server environment.

While in theory I agree that this should be the proper configuration, the one condition I feel must be met is that membership in the Domain Admins group be tightly controlled and only those users actually requiring administrative privileges in the domain belong to this group. If this group contains users requiring administrative access to a resource in the domain but not the entire domain itself, I would consider the administrative hierarchy in the domain to be "broken" and would advise against allowing the Domain Admins group to administer the Terminal Server environment. It is simply too risky to give users not familiar with, or responsible for, the Terminal Server environment the ability to modify a Terminal Server's configuration.

Managing Local Group Membership

Now that administrative permissions for the Terminal Server OU have been delegated accordingly, the next step is to create and populate the necessary local groups on each of your Terminal Servers. The idea is to use the local groups on a Terminal Server to assign all the necessary server privileges and then delegate these privileges by populating these groups with the appropriate domain groups. We begin by delegating administrative authority through these local groups and return later in this chapter to assign the appropriate user privileges.

When server security is implemented in this fashion it greatly simplifies administration by introducing a layer of abstraction between the domain and the server. When you know that all security on a server relates back to the local groups, you can verify who has access to what resources simply by viewing local group membership. If domain groups or individual users were directly assigned to the access control lists (ACL) of resources on the server, you would be required to trace back permissions from these resources to the appropriate domain group to ensure that security had not been compromised (intentionally or accidentally).

Before domain groups can be assigned to the local groups on a Terminal Server, we must ensure that these local groups exist. As I discussed in Chapter 8, I typically recommend that the following two additional local groups be created on a Terminal Server to allow for more granular delegation of administrative authority on a Terminal Server:
  • Terminal Server Operators — Used to assign a subset of administrative privileges to those users responsible for managing the day-to-day operations of the Terminal Server. For example, members of this group would have the ability to terminate processes or restart the Terminal Server but would not have the ability to install/remove applications or modify configuration of the server.
  • Terminal Server User Support — Used to assign privileges to those users who would perform typical user support functions. Among other privileges, members of this group would have the ability to shadow other users — something a regular user can't do.
While local groups can be added to a Terminal Server by manually creating them through the Microsoft Management Console (MMC) Computer Management snap-in, I prefer scripting their creation using the Net LocalGroup command. The script is run locally on a Terminal Server during the initial configuration phase to create the desired local groups. The following code sample demonstrates how these two groups could be created using a script: 
@ECHO OFF
REM Create the desired local groups on the Terminal Server
net localgroup 'Terminal Server Operators' /add
net localgroup 'Terminal Server User Support' /add
Once the necessary local groups have been created, we are ready to assign the appropriate domain groups. The most common means of assigning a domain group to a local server group is directly through the MMC Computer Management snap-in, as shown in Figure 16.4. While easy enough, this method is still prone to error when the task must be duplicated across a number of Terminal Servers. Another option to consider is scripting the local group assignment, similar to what I suggested for creation of the local groups. Unfortunately this is really effective only if the local group memberships will remain static. In a production Terminal Server environment, it is likely that local group membership assignments will change over time. In a large Terminal Server environment it would not be practical to adjust and rerun a membership script on all servers. As a result, an alternative allowing more dynamic control over local group membership is necessary.

The preferred method of managing local group membership is through a group policy object (GPO) in an Active Directory domain. Through a single GPO we can define a local group membership standard that is consistent across all Terminal Servers in the domain. This method not only allows for consistent definition of the local group members but also provides dynamic control over the membership we are looking for.

To demonstrate how this is done, I use the 'Terminal Server Machine Policy' created in Chapter 15. This GPO contains all the base computer configuration settings for all the Terminal Servers in the OU. There are no user configuration options defined in this GPO. The local group membership is controlled from within the Restricted Groups policy, located under Computer Configuration\Windows Settings\Security Settings.

Managing the local group membership is a two-stage process. First the local groups that will be populated are added to the Restricted Groups policy, and then the desired domain members are added to each of these groups. The local groups are added to the policy by right-clicking Restricted Groups and selecting the Add Group menu option. The dialog box shown in Figure 16.5 opens, where you can enter the desired local group name.

Note that there is no validation performed on any groups that you add to the Restricted Groups policy. If the group name you provide does not exist on the Terminal Server, the group name is simply ignored and is not automatically created by the GPO.

Typically I define the following local groups within the Restricted Groups policy:
  • Administrators — Members of this group will have full administrative control over the Terminal Server. Because of this, access should be very tightly controlled.
  • Terminal Server Operators — This group name is used to assign a subset of administrative privileges to those users responsible for managing the day-to-day operations of the Terminal Server.
  • Terminal Server User Support — Those users responsible for performing typical user support functions such as shadowing or session logoffs would be members of this group.
  • Remote Desktop Users (Windows Server 2003 only) — To remotely log on to a Windows 2003 Terminal Server, a user must be a member of this existing local server group.
  • Users — All regular users who require access to run one or more applications on the Terminal Server are assigned to this local group.
  • Power Users, Guests — These two groups are included in the Restricted Groups policy to ensure that no users are members of either of them.
  • Anonymous (MetaFrame servers only) — When MetaFrame is installed on a Terminal Server, it adds support for anonymous logons through the special Anonymous group. Just as with the Power Users and Guests groups, this group is included in the Restricted Groups policy to ensure that no users belong to this group. Of course, if your MetaFrame server will allow this type of support you will need to omit this entry from the GPO.
TIP: If you are running Active Directory Users and Computers directly off a domain controller, then browsing for the group name to add to the Restricted Groups policy will present you with only the available domain groups. To be able to browse for local groups on a Terminal Server, you need to run Active Directory Users and Computers directly from the member Terminal Server. From a domain controller, you can still type in the desired local Terminal Server group name; you're just unable to browse for it using the GUI.

After all the local groups have been defined within the Restricted Groups policy, the next step is to assign the appropriate domain groups to these local groups. This is done by right-clicking the desired local group in the right-hand pane and selecting the Security option from the pull-down menu. The Configure Membership dialog box appears, as shown in Figure 16.6. By default this group contains no members and belongs to no other group. If these options are left as-is, then when the policy is applied to the server, all members who may have been manually added to the local group are removed. Domain groups are added by clicking the Add button on the upper half of the dialog box for the Members of This Group option. Since we're configuring only local groups on the Terminal Server, there is no need to modify the lower portion of the dialog box, labeled This Group Is a Member Of.

Once the Add button has been clicked, an Add Members dialog box appears. This dialog box lets you type in the name of the domain group or click the Browse button to find the desired group within the domain. Multiple groups can be entered at once by separating them with a semicolon. When manually typing in the group name, be sure to precede it with the domain name and a backslash. For example, to add the domain group Terminal Server Operators of the domain called PRODUCTION, you would type the following: 
  PRODUCTION\Terminal Server Operators
When you have completed entering the desired domain groups for a given local group, click OK to close the Configure Membership dialog box. Each of the local groups listed in the Restricted Groups policy now appears in the Members column when the Details view is active (see Figure 16.7, which shows the defined groups in a Windows 2000 domain). When the GPO is applied to all servers in the Terminal Server OU, all the listed local groups are updated with the corresponding domain groups. As I mentioned, groups with no explicit memberships will have any existing memberships removed on the affected Terminal Servers. Table 16.2 summarizes my suggestions for local group membership in a Terminal Server Restricted Groups policy. The domain groups listed in this table were discussed in the "Terminal Server Domain Group Creation" section, earlier in this chapter.

Table 16.2: Terminal Server Restricted Group Membership Suggestions
Local Terminal Server Group NameDomain Group Membership Suggestion
Administrators Terminal Server Administrators — Only administrators will have full authority on a Terminal Server.
Anonymous Leaving this group empty ensures that the local group contains no user accounts.
Guests Leave this group empty.
Power Users Leave this group empty.
Remote Desktop Users (Windows Server 2003 only) Terminal Server Users, Terminal Server Administrators — For users to be able to log on via a Terminal Server session (RDP or ICA), they must belong to this group. This applies to a Windows Server 2003 Terminal Server only.
Terminal Server Operators Terminal Server Operators.
Terminal Server User Support Terminal Server User Support.
Users Terminal Server Users Users with standard access to a Terminal Server and its applications.


NOTE: I've found that managing security exclusively through the local security groups on a Terminal Server is also helpful when migrating a Terminal Server from one domain to another. I was once involved in a project where a number of Terminal Servers were being tested in a test domain that was an exact duplicate of production but completely segregated from the production domain. Once the testing and validation had been completed, the Terminal Servers were removed from one domain and added to the other. Once the Terminal Servers were in the production domain, the only change required was to assign the appropriate domain groups to the local groups on the Terminal Server. All other aspects of the servers remained unchanged, helping ensure that the configuration tested matched the final production deployment as much as possible.


USER AUTHENTICATION

Almost all Terminal Server implementations require that the users perform some form of authentication in order to verify that they are who they say they are. Exceptions to this rule would include kiosk-type implementations where anonymous users access a general-purpose Terminal Server session in order to utilize a specific application. Most corporate Windows environments utilize the familiar Windows logon dialog box (see Figure 16.8) to enforce use of a user ID/password combination for user authentication. While this is the most common form of authentication, it unfortunately is also typically the weakest and most vulnerable of the security layers.

The reason for this weakness is not simply technical but also educational. In most organizations, the user community lacks understanding regarding the importance of adequate password "strength" and the potential consequences of a compromised user account. Password-cracking tools are readily available and can easily be used to discover weak passwords in an organization.

TIP: The term strength is often used to describe the relative complexity of a password and its resistance to cracking through either manual or automated means. Some common weak passwords include the following:

  • A blank password or no password at all.
  • Some variant of the word password.
  • A password based on the user's name, their spouse's name, or some other common dictionary word such as bird, tree, snow, monkey, dog, and so on.
  • A password based on a user's phone number, home address number, birthday, an so on.
Password-cracking tools attempt to exploit use of weak passwords and typically u'tilize a combination of three cracking strategies to achieve their goal:
  • Dictionary attacks — Common words found in the dictionary are used to try to quickly match user passwords.
  • Targeted-word attacks — A customized dictionary of specific words is used to try to determine the user password. Custom dictionaries are usually created based on information gathered either through social engineering or other means of personal information acquisition and typically target a specific user or group of users.
  • Brute-force attacks — Every possible combination of characters is used to try to discern the password. In many cases the dictionary and brute-force attacks are integrated to try to find quick hits. With sufficient time, a brute-force attack will determine any password. Of course, the complexity and length of a password determine whether such an attack can discover a password in a realistically finite amount of time.
It is not difficult to see that these strategies would easily pick off passwords such as disney, porsche, or jennifer27, all of which are passwords I've encountered within large production Terminal Server environments.

A number of different password-cracking tools are readily available for most operating systems. A small sample of these include
  • LC5 — The latest version of the famous L0phtCrack password auditing and recovery tool. Different variants of this product are available to be purchased, with the high-end product offering a number of different password-cracking techniques such as brute-force, dictionary attacks and pre-computed password tables (also known as rainbow tables). Trial versions used to be available for the product, but at the time of this writing, the latest version did not offer a trial version. The Website is http://www.atstake.com/products/lc/
  • Cain & Abel — A robust and powerful password recovery tool, Cain boasts an astounding array of features, including a number of different network packet filtering options. Best (or worst) of all, this tool is completely freeware. The product can be found at http://www.oxid.it/projects.html.
  • Sarca Rainbow Tables — An online Web site that allows you to paste LanManager and NT password hashes onto the site and submit them for cracking using their generated rainbow tables. The site only processes hashes once per day but can crack a large number of passwords. Limitations on the actual processing are discussed on the site. http://sarcaprj.wayreth.eu.org
Not only are such tools a threat on their own, but when used in combination can very easily crack even relatively complex passwords. Of course certain conditions must be met, namely the potential cracker must be able to access the encrypted passwords. In most cases administrative privileges are required to access this information, but certain exploits may make such information available without directly acquiring these rights. Just another reason for keeping up-to-date with the available security patches for your environment.

My reason for listing these tools here is purely to demonstrate how readily up-to-date password-cracking and acquisition tools are available. Listing them here does not imply that I endorse the use of these tools for anything other than testing the strength of the passwords in an environment. I recommend caution when looking to use any password-auditing tool, particularly in production.

Please understand the risks involved in such endeavors. Use common sense when downloading and testing any software that may be coming from a suspect source.

While it is obvious that a "strong" password will be much more difficult to crack than a "weak" one, the added complexity can be a formidable obstacle during early stages of implementation, with the primary issue being simply that it is more difficult for the end user to remember a new, stronger password. In nearly every situation where I have been party to introduction of complex password requirements, the end user community in general has commented that the new passwords are "far too confusing," and "not necessary" for their organization or department. Without the proper education, users are unclear as to why they must use a complex password and as such become easily frustrated if the simple tasking of logging on is delayed enough to impact their ability to work. Failure to successfully introduce and enforce strong-password requirements in most cases is a result of the system administrator's inability to adequately manage the initial flood of demands from users requesting password resets or unlocking of a locked-out account in a timely fashion.

NOTE: Microsoft has tried to stress to administrators the idea of teaching users the concept of a "passphrase" instead of simply a password. While many users can struggle with trying to come up with and remember a seven-character password, a common phrase such as "I really love to drink coffee" can be easier to remember, easier to type, and stronger than a typical seven-character password. In an environment that is enforcing complex passwords, one way to ease password creation is to develop a passphrase that can then be used to "build" the password.

For example, a common technique I've used is to create a passphrase such as "Todd loves to spend money on his sports car." I then delete all but the first letter of each word and substitute the word to with 2 and money with $. The result is the password Tl2s$ohsc, which is suitably complex and also very easy to remember. I talk more about enforcing strong passwords in the next section of this chapter.

Account Password Policies

Unfortunately, education alone rarely ensures that all users in your organization use only a strong password. Most users, given the opportunity, try to use as simple a password as possible and recycle this password (or minor variations) over and over, if periodic password changes are required. As a general rule, an administrator should never leave it solely up to the end user to ensure that a sufficiently strong password is being used.

As a complement to user education, an administrator should leverage the security features available in Windows 2000/2003 to help enforce strong user password requirements. Both Windows versions support the same six password policies shown in Figure 16.9. A subset of these policies is enabled by default in a Windows 2003 domain; unfortunately the same cannot be said for a Windows 2000 domain, where none of these policies is enabled by default.

To modify the default password requirements in a Windows domain, these settings must be defined within the Default Domain Policy group policy object (GPO), located at the root of the domain. For example, in my noisyriversoftware.com domain, this GPO is found under the Group Policy tab for the noisyriversoftware.com object. If you wish to define these password settings for local accounts on a member server or PC, a GPO containing these settings must be created and assigned to an OU that contains the computers you want to update.

WARNING: Many organizations make the mistake of assuming that only those accounts with administrative privileges require strong passwords and that "regular" user accounts are not really as much of a concern. This is a dangerous misconception, particularly in an environment where regular patch management is not being performed. Frequently exploits are discovered that make it possible for a regular user to elevate their privileges beyond what they have been assigned and to gain full administrative control. Because of this, password security really must be enforced for all users in your environment and not only for those users with administrative privileges.

The six policies shown in Figure 16.9 provide the following functionality:
  • Enforce password history — To counteract the tendency of users to reuse the same password (or small set of passwords) over and over, this policy ensures that a specific number of unique passwords are used before a user's oldest password can be reused. By default this option is set to the maximum of 24 passwords remembered in a Windows 2003 domain.
           A possible side effect of enforcing a lengthy password history is that users may start maintaining a paper record of their password to help them remember what they are currently using. The two most effective ways to counteract this are through the proper education of secure computing practices and the use of a suitably long maximum password age (described next) to allow the user time to learn the password before the system once again requires them to change it. My preference is to use the maximum value of 24 in all production Windows domains whenever possible.
  • Maximum password age — The longer a user is allowed to retain the same password, the greater the chances that the account may be successfully cracked or accessed by someone who may already have the password to the account. Periodically forcing a user to change their password helps minimize these risks. A Windows 2003 domain has a maximum password age of 42 days, which most administrators find to be an optimal medium between frequent password change requirements and adequate password aging.
           Similar to enforcing a large password history, requiring users to change their passwords too often will likely result in at least some of the users keeping a paper record of their current password, often in an easily accessible location (taped to the monitor, under the keyboard, and so on). I highly recommend not setting the maximum password aging to zero (0) but instead using the default of 42 days.
  • Minimum password age — Complimenting the maximum password age policy is the minimum password age policy. This policy defines the minimum number of days a user must use the same password before it can be changed. The main reason for this policy is to ensure that users do not attempt to quickly change their password multiple times in order to reuse a desired password, effectively circumventing the "Enforce password history" policy.
           Windows 2003 defaults to a minimum password age of one (1) day, meaning that a user can change their password only once per day. This policy does not prevent an administrator from resetting a user's password.
  • Minimum password length — An adequate password length is critical to ensuring that user passwords remain secure by minimizing the effectiveness of bruteforce attacks. Each increase in the minimum password length by one character exponentially increases the number of possible password permutations. Using only the standard characters on the keyboard, users have 94 possible characters to choose from when selecting their password. These 94 characters are comprised of 52 alphabetical characters (uppercase and lowercase), 32 additional characters (#, $, *, @, etc.), and 10 numeric characters (0, 1, 2, 3, etc.). When the minimum password length is 7, the user can choose from 947 (approximately 64,000,000,000,000) possible different passwords.
           Of course, as the password length increases, so does the risk that a user will be unable to remember the password they are using. Windows 2003 defaults to a minimum length of seven characters, and I recommend that passwords use at least this many characters.
  • Password must meet complexity requirements — Even with all these password requirements in place, education alone will not ensure that the end user consistently selects a strong password. Without some means of ensuring that a minimum level of strength is being used, the users are likely to pick the simplest password possible that complies with the policies in place.
The "Password must meet complexity requirements" policy lets you enable your Windows environment to perform a complexity validation check whenever a user's password is changed. Here are the complexity requirements

Password must have a minimum length of six characters.

This requirement takes priority over the "Minimum password length" policy if the minimum length has been set to less than six characters.

The password must contain characters from at least three of the following categories:
  • Uppercase characters "A" through "Z."
  • Lowercase characters "a" through "z."
  • Numeric characters 0 through 9.
  • Non-alphanumeric symbols such as !, @, #, %, and so on.
The password cannot contain substrings of three or greater characters in length found in the user's full account name. When this requirement is validated, the user's full name is broken up into substrings using commas, periods, dashes, hyphens, underscores, number signs, and spaces as string delimiters. The password is then searched for substrings matching these tokens. If any matches are found, the password is rejected. Any substrings of three or fewer characters are ignored. For example, if a user has the name Steven Li Chan, it is broken into three substrings: "Steven", "Li", and "Chan". The name "Li" is dropped because it is less than three characters, while the other two tokens are used to search the password. If either "Steven" or "Chan" appears in the password, it is rejected. The searches are case insensitive, so "CHaN", "chan", and "ChaN" are all considered to be the same.

When a user's password is changed and it fails validation, a message similar to the one in Figure 16.10 appears. The Windows 2000 message differs slightly, providing a more verbose description of the password requirements. Invariably, when this policy is first implemented, users have a difficult time interpreting the password requirements. I've found that a separate description of the password requirements (including some password examples) made available to the user, either via an e-mail message or as a physical printout, can greatly ease transition pains associated with enforcement of complex passwords.

TIP: Password validation requirements are provided as part of the passfilt.dll system file. When a password change request is made, the Local Security Authority (LSA) module of the Windows subsystem calls the password filters provided in this DLL to validate the password requirements. While the password requirements supplied with the default passfilt.dll file cannot be modified, a custom passfilt.dll file could be created containing customized password requirements for your organization. Details of such an undertaking are beyond the scope of this book, but if you are interested, you can find more information on the Microsoft Developers Network (MSDN) Web site at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/

  • Store passwords using reversible encryption — In most situations, this policy should never be enabled because it forces Windows to store passwords in such a way that they can be decrypted. This is inherently much weaker than the standard method of one-way encryption and provides an attacker with an additional means of compromising one or more user accounts.
With proper use of these six security policies you can minimize the vulnerabilities traditionally found with ID/password user authentication.

Account Lockout Policies

In addition to enforcing use of strong passwords, another mechanism for increasing security of Windows user authentication is use of user account lockout policies. Essentially, these policies provide a means of temporarily disabling a user's account if a predefined number of unsuccessful user ID/password authentication attempts are performed within a given period of time. Figure 16.11 shows the three account lockout policies found in both Windows 2000 and Windows 2003. By default none of these options are enabled in either operating system.

The three policies shown in Figure 16.11 provide the following functionality:
  • Account lockout duration — This policy determines the amount of time a user's account remains disabled until it is automatically re-enabled by the system. I typically recommend that the duration be set to zero (0) in order to minimize the number of brute-force or dictionary-based attempts that can be performed against a user account before an administrator's intervention is required. When set to zero, an account remains locked until manually unlocked by an administrator.
           The one thing to consider when setting the lockout duration to zero is that a user cannot log on until an administrator manually re-enables the account. To minimize the chances of a user legitimately locking themselves out, settings for the other two account lockout policies must be set accordingly, as discussed in the following points.
  • Account lockout threshold — The lockout threshold represents the number of incorrect password attempts allowed before a user's account is disabled. One factor influencing this value is the lockout duration you configured for your environment. If the duration is set to zero (0), the lockout threshold can typically be assigned a value of 10 to 15. In most situations a user is not likely to repeatedly try their password this many times within the account lockout reset interval (see the following point).
  • Reset account lockout counter after — This setting dictates the amount of time that must pass before the lockout counter is automatically reset to zero. A value of 30 minutes is usually appropriate for most environments.
When first implementing account lockout policies in your organization, it is not unusual to see a high number of account lockouts occur, particularly when first implementing strong password requirements. It will likely take a few days before the issues balance out to an acceptable level. At this time you may need to make minor adjustments to your configuration to reach a mutually agreeable configuration for both users and administrators.

WARNING: An unfortunate downside that exists when lockout policies have been implemented is that a malicious user could exploit this configuration to purposely lockout user accounts, effectively performing a denial of service (DOS) attack on the environment. This is one of the reasons why the administrator's account cannot by default be locked out. While there is no sure-fire way to prevent this, limiting external access to the environment as much as possible will at least help to contain such a threat to within the confines of the internal network.


CONNECTION AUTHORIZATION

While user authentication deals with verification of a user's identity, connection authorization deals with regulating what server resources a validated user is authorized to access. For example, you may have 500 users in your organization, all of which have access to resources in the Windows domain (printers, file servers, and so on) but only 100 of which require access to log on to and function within the Terminal Server environment. While it may appear easier from an administrative standpoint to simply allow all users access to the Terminal Server environment, this invariably results in users not supposed to be logged on to the environment in fact being logged on, either intentionally or by accident. In addition to the obvious security concerns this can raise is the issue of license and server resource consumption. If you have implemented a Terminal Server environment to support 100 concurrent users, you had better be certain that you have the mechanisms in place to ensure these resources are available for the intended users.

In the "Administrative Delegation" section earlier in this chapter, I discussed use of local security groups to delegate user permissions on a Terminal Server. We now leverage the local group configuration discussed in that section to manage the connection authorization for a Terminal Server. All properties for Terminal Server connections, including security, are managed through the Terminal Services Configuration application in the Administrative Tools folder on the Start menu. Figure 16.12 shows the Terminal Services Configuration application for a Windows 2000 Terminal Server supporting both RDP and ICA connections. The Windows 2003 Terminal Services Configuration tool has the exact same interface.

Connectivity permissions for a Terminal Server are managed through the Permissions tab, found on the Properties page for each of the listed connection types, as shown in Figure 16.13. As with other access control lists in Windows, this tab lets you specify what groups have connectivity access to the Terminal Server and what specific privileges they possess. Table 16.3 shows both the default and recommended connectivity permissions for the RDP and ICA protocols. As you can see in the table, the default connection permissions differ slightly between the Windows 2000 (RDP 5.0) and 2003 (RDP 5.2) protocols.

Windows Terminal Server 2003 utilizes three group/user objects not found in Windows 2000:
  • LOCAL SERVICE — This is a special built-in user account that has the same privileges as a member of the local Users group. This account has very limited access to network resources, presenting only null session information with no user credentials when prompted by a remote system. This account exists to make it easier for an administrator to grant limited privileges to services that require only local access on a server. By default this account has permissions to send text messages to all RDP protocol users on a server.
  • NETWORK SERVICE — This built-in account also has privileges equivalent to a member of the local Users group. Where this account differs from the LOCAL SERVICE account is in the network privileges it has been granted. When prompted by a remote system for network credentials, this account sends the computer's account credentials.
  • Remote Desktop Users — By default, a user requires membership in this local group in order to log on to a Windows 2003 Terminal Server. The appropriate connection privileges and local user rights are all preconfigured for members of this group.
The main reason for creation of this group was to improve default security of a Terminal Server by negating the assumption that all members of the local Users group should be granted access to log on to a Terminal Server session. A common security problem in the Windows 2000 Terminal Server environment occurred immediately after the server was added into a domain, because a byproduct of domain membership is that the domain Users group is automatically added to the computer's local Users group. This resulted in granting all domain users connectivity privileges necessary to be able to log on to the Terminal Server remotely. An administrator needed to be aware of this situation and modify the connectivity permissions accordingly in order to negate this potential security issue.

Table 16.3: Default and Recommended Terminal Server Connection Permissions
Default RDP Settings (Windows 2000 and 2003) Default ICA Settings (MetaFrame XP)
Account/Group Access Account/Group Access
Administrators (local) Full Control Administrators (local) Full Control
SYSTEM Full Control Everyone Guest Access
Users (local)
(W2K only)		User Access
Guest Access		 Guests (local) Guest Access
LOCAL SERVICE
(W2K3 only) 		Special — Message only SYSTEM Full Control
NETWORK SERVICE
(W2K3 only) 		Special — Message only Users (local) User Access Guest Access
Remote Desktop Users (local)
(W2K3 only) 		User Access Guest Access   
Recommended RDP and ICA Settings (Windows 2000) Recommended RDP and ICA Settings (Windows 2003)
Account/Group Access Account/Group Access
Administrators (local) Full Control Administrators (local) Full Control
SYSTEM Full Control SYSTEM Full Control
Users (local) User Access
Guest Access 		Remote Desktop
Users (local) 		User Access
Guest Access
Terminal Server
Operators (local) 		User Access
Guest Access
Special
    Allow Reset
    Allow Remote Control
    Allow Logoff
    Allow Disconnect 		Terminal Server
Operators (local) 		User Access
Guest Access
Special
    Allow Remote Control
    Allow Logoff
    Allow Disconnect
Terminal Server User User Access Terminal Server User User Access
Support (local) Guest Access
Special
    Allow Reset
    Allow Remote Control
    Allow Logoff
    Allow Disconnect		 Support (local) Guest Access
Special
    Allow Remote Control
    Allow Logoff
    Allow Disconnect
   LOCAL SERVICE Special — Message only
   NETWORK SERVICE Special — Message only

When configuring the RDP connection permissions, you do not need to modify the default entries, but if you plan to utilize the local Terminal Server User Support and Server Operators groups discussed earlier in this chapter, you should configure their appropriate connectivity privileges. In Table 16.3 I configured these two groups with the same permissions, but you can make the User Support permissions more restrictive if desired.

Both these groups have been assigned the same User and Guest Access privileges assigned to normal Terminal Server users, but special privileges have been added to elevate their access for specific functions. The individual permissions are assigned by clicking the Advanced button on the Permissions tab and then highlighting and editing the desired permission entry, as shown in Figure 16.14. When the additional permissions are assigned, they grant the following privileges:
  • Reset (Windows 2000 only) — This attribute grants the user the ability to reset any RDP connection to the server. A reset forces the connection to be terminated and the resources allocated to be immediately freed. Unlike the execution of the Logoff command (controlled using the Logoff privilege; see the third point in this list), this does not send the Windows logoff message to the session's running applications, allowing them to terminate. If a user has an application open and their connection is reset, any unsaved data is likely lost.
  • Remote Control — This attribute grants the user the ability to remotely control (or shadow) another user's session. The specific remote control permissions are discussed in Chapters 19 and 20, where I discuss connection-specific settings for both the RDP and ICA clients.
  • Logoff — This attribute lets a user log off another user's session just as if that target user had themselves selected Logoff from the Start menu. All running applications receive the Windows logoff message, allowing them an opportunity to cleanly shut themselves down before the user's session is terminated.
  • Disconnect — Instead of being logged off, a user can also be disconnected. This simply terminates the presentation connection between the client and the server but leaves the running desktop session active on the Terminal Server. Any running applications continue to run and be available if the user reconnects before the session is terminated by an administrator or automatically logged off by the system. Maintaining disconnected sessions on a server for long periods of time is usually discouraged because maintaining the state information consumes additional server resources.
Unlike the default RDP permissions, the default ICA permissions are not as secure, providing connectivity permission entries for both the Guests and Everyone groups in addition to the local Administrators, SYSTEM, and local Users. These privileges are not secure and at the very least should be modified to remove the Guests and Everyone groups.

TIP: If a presentation protocol (RDP or ICA) is not going to be used in your environment, then one way to further secure the environment is to disable or completely remove the unused protocol entry. Removing a presentation protocol is not a permanent thing; in fact it can be re-added at any time if the requirements ever change. Another option is to further restrict the unused protocol by limiting access to only Administrators and SYSTEM. This makes the protocol available if an administrator ever requires it, while ensuring that users cannot use it to gain unauthorized (or uncontrolled) access to the environment.
       For example, a common configuration when implementing Citrix MetaFrame is to make RDP connections available but limit their access to only two to four administrative accounts. This type of access can be valuable for an administrator, particularly if there are issues connecting using the ICA protocol.

In addition to the presentation protocols, when reviewing connection security other forms of potentially available connectivity should be examined. The number of running services should be minimized to limit the number of open ports on the server. The fewer network ports that are open, the fewer points of entry that are exposed. In Chapter 11, "Terminal Services Configuration and Tuning," I discussed stopping unnecessary services on a Terminal Server.

Page: 1, 2
next page

Rate this:
Recent Comments
There are currently no comments. Be the first to make a comment.
Ads by Google
Sponsored Links
Featured Links
© 2010 Penton Media, Inc.  |  Terms of Use  |  Privacy Statement