Encrypting File System (EFS) in Windows Server 2003 Environment

In Windows 2000, Microsoft introduced the Encrypting File System (EFS), a feature built into the operating system that lets users protect their files far better than the file system permissions that were available on NTFS partitions in previous versions of Windows.

The main reason for this enhancement is that NTFS security can be easily bypassed when an attacker gains physical access to the computer. A number of affordable third-party tools can be used to gain read and write access to information stored on NTFS partitions, bypassing the protection provided by the operating system. When the system is booted from a floppy containing a third-party NTFS driver, the disk and all its data become easily accessible.

Although you can password-protect the BIOS and restrict which devices are bootable, this does not prevent someone from removing the hard drive, connecting it to another computer, and accessing it through another Windows 2000/XP installation, or from installing another instance of Windows entirely. Fortunately, EFS can help protect your data in these scenarios.

EFS uses a combination of symmetric and public/private key encryption to secure user-designated files residing on NTFS partitions. A symmetric key (generated at the time of encryption and different for each encrypted file) is used to encrypt the file content. That symmetric key is then encrypted with the user’s public key, and the result is stored together with the encrypted file. The private key, necessary for decryption, resides in the user’s profile. In this way, the data stored on the hard drive, although still accessible by third-party utilities, is in a form that is unreadable and therefore useless without the private key.

There are, however, some possible security issues with EFS that users should be aware of:

· Encrypted files are accessible to anyone in possession of the private key that matches the public key used to encrypt the file’s symmetric key. This applies to the user who encrypted the files and to any Windows account designated as the Data Recovery Agent (DRA). By default in Windows 2000, this is the Administrator account (the local Administrator on stand-alone systems and the domain Administrator in a domain). Since third-party tools can be used to replace the password of the local Administrator or any other local account (as long as physical access to the target computer is available), stand-alone systems are inherently insecure.

· In a Windows 2000 domain environment, replacing the local Administrator password does not affect the security of files on the local computer protected by EFS; however, users’ private keys can still be compromised as long as they are available on the local computer. Since environments in which EFS is implemented typically rely on roaming profiles (this ensures that the same private key is used for all encrypted files of the same user), the user’s profile is copied to the local system during every logon. To prevent attackers from using the copies of private keys stored in these profiles, you must use Group Policy to force the removal of roaming profiles at logoff. You must also designate a dedicated Data Recovery Agent account and ensure that its private key is backed up and stored in a safe place.
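The key model described above and the DRA behaviour in the two points just listed, as an added Go example (not code from the page or from Windows; the AES-GCM file cipher, the Encrypt/Decrypt names and the recipient labels are my assumptions): one random key per file encrypts the content, and that key is wrapped separately for the owner and for the DRA, so either private key recovers the file while any other key, or a label that was never granted access, fails.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// EncryptedFile models an EFS-protected file: ciphertext plus the per-file key (FEK) wrapped once per recipient.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedFEK        map[string][]byte // label ("owner", "dra") -> FEK encrypted with that recipient's public key
}

// aeadFor builds the symmetric cipher from a FEK (AES-GCM here, standing in for EFS's DESX/AES).
func aeadFor(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh FEK for this file, encrypts the content with it and wraps the FEK with every recipient's public key.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 44) // 32-byte FEK + 12-byte GCM nonce, random for every file
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedFEK: map[string][]byte{}}
	for label, pub := range recipients {
		if ef.WrappedFEK[label], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil); err != nil {
			return nil, err
		}
	}
	return ef, nil
}

// Decrypt unwraps the FEK for one label with the caller's private key; only the matching key works, and a label never granted access looks up nil and fails OAEP like a wrong key.
func Decrypt(ef *EncryptedFile, label string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedFEK[label], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}
```

Resetting the owner's password in this model changes nothing about the wrapped keys: without the owner's or the DRA's private key the ciphertext stays opaque, which is exactly why the profile holding that private key is the asset to protect.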

Both of the problems described above have been eliminated in Windows XP Professional systems thanks to two changes to the EFS implementation:

· There is no default DRA any more. Also, unlike in Windows 2000, a DRA is no longer necessary for EFS to function. Administrators of Windows 2000 environments should keep this in mind: it was possible to block EFS across a Windows 2000 domain by initializing an empty Encrypted Data Recovery Agents policy. This is done by opening the Group Policy MMC, selecting the Group Policy object linked to your domain, going to Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Encrypted Data Recovery Agents, right-clicking the folder labeled Encrypted Data Recovery Agents, and selecting Initialize Empty Policy from the context menu. This was enough to remove the ability of users to use EFS on any Windows 2000 system that is a member of the domain.

In Windows XP, this is no longer possible. To disable EFS at the domain level in an environment where Windows XP computers are used, you must open the Microsoft Management Console on a Windows XP Professional computer that is a member of the domain, load the Group Policy Editor, and set its focus to the Group Policy object for the domain. Once the GPO is loaded, drill down to Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Encrypting File System, right-click the folder, and select Properties from the context menu. When the dialog box with the single checkbox “Allow users to encrypt files using Encrypting File System (EFS)” is displayed, make sure to clear it (it is checked by default).

· EFS adds another level of encryption, which uses the user’s password to protect the private key residing in the user’s profile. On the one hand, this prevents the scenario in which the password of a local account is reset in an attempt to gain access to EFS-encrypted files (once the password is reset, the private key stored in the profile can no longer be used). On the other hand, it creates a problem if users forget their passwords (hence the need for password recovery using a Password Reset Disk).

As you can see, there are many considerations to keep in mind when deploying EFS in a Windows 2000/XP Professional environment. Increased security has its price in terms of administrative overhead, but it is well worth the extra effort.

Pre-Installation Preparation

1. Physical security. Is the test network location physically secure enough that additional security is not necessary? Consider adding physical protection and/or setting up smart card or biometric authentication once the system is installed.

2. Configure the hardware and BIOS. Remove the floppy drive. (After installation, consider removing the CD-ROM drive.) Reducing the attack surface of any system is always the starting point. Remove unnecessary physical ports if possible, or disable them in the BIOS. Ensure that the system is not accessible from other devices on the test network unless an installation server is in use. Disconnect the test network from the Internet, and add enough internal drives to separate the components of the installation across drives as far as possible. Set a BIOS password for this computer.

Installation

This is not a step-by-step how-to list for installing Windows Server 2003. Rather, it is a list of points during installation when you need to make security choices.

1. Read the license agreement. Significant changes include provisions for Microsoft digital rights management technology (MS DRM) for protected digital content. They indicate that Microsoft has the right to access this system to update the technology. Any access to the DC from outside your organization should be monitored at a minimum. Submit the license agreement to your legal department.

2. Rename the system folder. The default names of system folders are known to attackers. While it is easy to discover which folder is the system folder, many attack scripts simplistically hard-code the name of the “Windows” folder. Renaming the folder defeats those crude scripts.

3. Do not check the box that includes East Asian language support (unless it is needed in your environment) on this server. I don’t know of any vulnerabilities that could be introduced by this, but with less code running on the system, there are fewer opportunities for exploitation later.

4. Do not select “Yes, download updated setup files”. Instead, check “No, skip this step and continue the installation”. If you don’t, your system will try to reach Microsoft over the Internet to locate updated files. Whatever you think of Microsoft, any system is vulnerable during installation and should not be exposed to the Internet.

5. Create and format the partition with NTFS. There is no reason to use anything else. You cannot secure this system, or promote it to a DC, without an NTFS partition.

6. Choose a computer name that does not reveal the role of this system. Do not, for example, name it “DC1.”

7. Enter a good password for the Administrator account and write it down. While it is true that you should remember passwords and not write them down where others can find them, it is equally true that it is easy to forget the password set during installation. Write it down and keep it until you have memorized it, changed it, or replaced it with another technology. Note that Windows 2003 tries to help you here by giving a warning if you try to use a blank password, common words, or a password that does not meet the complexity requirements.

8. Configure the computer’s network settings. All DCs must have static addresses; also set the gateway and DNS server. If the first DC will also be a DNS server, point it to itself. You will see error messages until you add the DNS service, but don’t skip this basic step when promoting a server to DC. Disable NetBIOS over TCP/IP if no pre-Windows 2000 computers need to communicate with this server.

9. Install the server in a workgroup and rename the workgroup. A little added obscurity.

Server-to-DC Promotion

1. Use the time between installation and DC promotion to explore the environment. There are several steps you can take to harden the system. While you may want to do this after DC promotion, spend time now on this first pass. Promoting the server to DC changes some settings, and you will want to know both the default environment and the baseline DC environment.

2. Note which services are disabled by default and which are not. Can you disable additional services without hindering promotion? Which ones? Windows 2003 is an interim OS. While it does not fully deliver on the Trustworthy Computing mandate, it is a step on the way. One security feature is that many services are disabled by default or, like IIS, not installed at all. A future column will explain what the services are used for and what happens when they are disabled, as well as provide advice on when to disable them.

3. Open the System applet in Control Panel and, on the Automatic Updates tab, review the “Keep my computer up to date” setting (Figure 1). Updates on DCs, if not on all systems, need to be handled differently. You don’t want to risk instability or compromise because you’re unaware of code changes on key systems. Updates need to be tested, not downloaded and applied on each device individually. Doing so is incredibly wasteful and potentially destabilizing.

4. Also in the System applet, but on the Remote tab, make sure the Remote Assistance and Remote Desktop check boxes are clear. After setup is complete, configure and secure remote administration and use Group Policy to set the Remote Desktop/Remote Assistance policy for the domain. For now, you want to ensure that no outsider can access the system.

Note: You may remember that the ability of a regular user to request remote assistance was first provided in Windows XP. All the user has to do is send an invitation via e-mail or instant message, and another user can then connect remotely. With the original user’s permission, this person can make changes to the user’s computer. The issue, of course, is control. An innocent request for help using Remote Assistance can open any computer on your network to penetration from less-than-friendly sources. On a DC, it has no place.

5. The Manage Your Server applet (Figure 2) is not a new tool as such. The concept of assigning roles to computers and paying attention to those roles is not new. What is new is the extensive, step-by-step documentation and security tips available through this interface. In these days of reduced training and travel budgets, you have a whole course on the benefits of Windows 2003 networking on your desktop. It is convenient. Think about it: if everyone read and took this information to heart, your network would be safer, and so would the entire Internet.

6. Begin by examining your server’s role. Don’t forget to review “Next Steps” (things you will do after DC promotion), which outlines many useful security tips and tricks. Use the Manage Your Server tool to apply the DC server role. When you select “Domain Controller” as this computer’s role, the promotion includes the option to configure a DNS server on your network or install the service on this DC. I recommend this option so that you get DNS installed as part of your DC plan.

7. Choose an appropriate DNS domain name. If policy does not dictate otherwise and you choose a domain name that is not registered on the Internet, be sure to use the correct format. Do not use a name that lacks a period, as the added suffix is necessary. Not only can such a domain be difficult to locate, but it can hinder your efforts to apply domain-wide security. If computers cannot locate and connect to DCs, Group Policy cannot be replicated and security settings cannot be applied.

8. Place the Active Directory database (%systemroot%\NTDS) on a different drive than the logs. This will improve performance and make recovery easier.

9. Select the permissions compatibility mode for Windows 2000 and later. If the mode compatible with pre-Windows 2000 servers is selected, security on the system is relaxed; this includes anonymous access to shares.

10. Set a strong Directory Services Restore Mode Administrator password and make it different from the Domain Administrator password. These are different accounts. Only the Directory Services Restore Mode account can be used to restore a system state backup. By giving these accounts different passwords, you separate duties, always a good idea for security. Be sure to write down the password and store it in a safe place. The need for it may arise after the person who installed this server has left the company.

After Installation

1. Configure access to a time server. By default the system is pointed at time.windows.com, but after you promote this machine to be the first DC in the forest root domain, it becomes the time source for all computers in the forest. You must synchronize it with a reliable time source.

2. Check DNS. In particular, look for error messages indicating that registrations did not succeed, and check the DNS server for proof that all records for this DC were added correctly. Remember, problems with DNS can mean that carefully constructed security measures are never applied.

3. Review the default security settings. For example, an audit policy is set. This is good. Figure 3 shows the default settings. It should be noted, however, that only success events are audited. You’ll want to improve these policies so that failures are recorded as well. Default settings are meant to be changed!

4. Disable EFS. Before using EFS, you need to know how to train all users, as well as set up recovery methods. Windows 2003 offers key recovery in addition to data recovery, but both solutions must be reviewed and require configuration and installation. Disable EFS until you have your policy and solution in place by clearing the “Allow Users to Encrypt Files Using the Encrypting File System” box on the Properties page of the Encrypting File System public key policy in the Default Domain Policy security settings.

This is different from the procedure followed for Win2K. Figure 4 shows this dialog box. In the background, you can see the recovery certificate for the domain. There is no need to remove this certificate to disable EFS. Windows 2003 does not need a Recovery Agent certificate to use EFS, but one is provided by default, and it applies to files encrypted on computers in the domain.

5. Examine the use of the Everyone group in User Rights. While Windows 2003 does not include the anonymous SID in the Everyone group, you should still stay away from this group where possible. Be careful! Removing this group without substituting the appropriate group can be harmful. Note that it includes the operating system itself. You do not want to remove rights from the operating system.

6. Note the default settings for securing communications in Security Options. Signing messages and blocking the use of LAN Manager not only does a lot to secure network communications between Windows computers but can also prevent legacy systems from communicating at all.

7. Secure Remote Desktop for administrators using Group Policy.

8. Remove the Administrator account from membership in Schema Admins. If modification of the schema is necessary, it can be added again. By removing it now, you make detection of such modifications more likely, because no one can simply install an application that accidentally changes the schema.

9. Develop and implement a comprehensive security baseline for DCs.

