12.11.03
By Leonard Loro
Network attacks are the biggest risk for Windows 2000 servers. Since the release of the old Windows NT 3.1, hackers have been actively looking for bugs in Microsoft Windows operating systems. Tools like SecHole, IISInjector, NAT (NetBIOS Auditing Tool), SMBRelay and L0phtCrack have been developed to reveal passwords, execute actions on a server, forge network connections and degrade system performance. In addition, several critical security vulnerabilities have recently been released for Windows 2000 that can completely expose a network to an intruder.
User-level access control methods (smart cards, user passwords) are not sufficient to protect against network attacks because they rely (mostly) on user names and passwords. One computer is usually shared by several users and, as a result, the computer is often left logged on, leaving an open door into the network. If a username and password are intercepted and hijacked, user-level access security cannot stop the attacker from accessing all the confidential resources and systems.
Although the above risks and problems exist, Windows 2000 Server provides several protection features: IPSec (Internet Protocol Security), Terminal Services High Encryption Security, PKI (Public Key Infrastructure), S/MIME (Secure Multipurpose Internet Mail Extensions), Kerberos and L2TP (Layer 2 Tunneling Protocol).
We will explore how using some of these technologies can encrypt and secure all the messages that are transmitted over the network, and defend all data from being intercepted and modified by intruders or malicious users.
To Create Kerberos Account Mappings for Unix Services:
1. Click Start, and then click Run. The Run... dialog box appears.
2. In the Run... dialog box, type cmd.exe.
3. At the command prompt, type ktpass /princ principalname@yourdomainname /mapuser useraccount /pass complexpassword /out sapsolaris7.keytab, where principalname is the host principal name, useraccount is the host account in Active Directory and complexpassword is the password for the account.
This command generates a UNIX host keytab file, maps the account and sets the service password. After executing the command, merge the generated keytab file into the /etc/krb5.keytab file on the UNIX host. Ktpass is included in the Windows 2000 Support Tools.
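As an added check for the keytab step above (this is not code from the original article): a small Python parser for the MIT version 2 keytab format that ktpass /out writes, used on the UNIX side to confirm the principal name and realm case before the file is merged into /etc/krb5.keytab. The sample keytab bytes, the host name sapsolaris7.example.com and the realm EXAMPLE.COM are constructed for the example.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format v2, which ktpass /out writes

def _counted(buf, off):
    # uint16 length followed by that many bytes; returns (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a v2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab file")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # negative size marks a deleted entry: skip the hole
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        vno8 = data[off + 8]  # after uint32 name type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen      # skip past the key material itself
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries
def check_host_principal(data, principal):
    """Problems with the expected principal; [] means it looks right."""
    found = [p for p, _, _ in parse_keytab(data) if p.lower() == principal.lower()]
    if not found:
        return ["principal %s not found in keytab" % principal]
    return [] if principal in found else ["case mismatch: keytab has %s" % found[0]]
def _entry(principal, kvno, enctype, key):   # constructed helper: one v2 entry
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key))
    return struct.pack(">i", len(body) + len(key) + 4) + body + key + struct.pack(">I", kvno)
# Constructed sample: a deleted hole, then an rc4-hmac (enctype 23) host entry
SAMPLE_KEYTAB = (KEYTAB_MAGIC + struct.pack(">i", -6) + b"\0" * 6
                 + _entry("host/sapsolaris7.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16))
```

A lower-case realm in the keytab is the usual reason a host principal created with ktpass fails to authenticate, which is why the check compares case-insensitively first and then reports the mismatch.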
IPSec: The End-to-End Security Solution
Windows 2000 provides support for two types of data protection: network data and stored data. Originally designed by the IETF (Internet Engineering Task Force), IPSec is a security protocol that provides data and identity protection for each message (packet) that is transmitted over the network. This protocol provides the ability to protect communication links between workgroups, local area networks, branch offices and any remote computer that needs aggressive protection against network attacks.
IPSec has two main goals: to protect network packets and to defend them against attacks. By protecting the data so that hackers find it almost impossible to understand, IPSec can prevent sniffing, data modification, denial-of-service and identity spoofing attacks. In addition, through the use of cryptography-based protection and dynamic key management, a verification process is used to establish confidence between the communicating computers, so that only trusted systems communicate with each other. The sending computer secures the information prior to transmission, and the receiving computer unsecures the data only after it has been received. This type of protection is especially useful for protecting data in a public environment where the network traffic is susceptible to unauthorized monitoring and access.
To Configure IPSec Filters and Rules:
1. Click Start, click Run, type MMC, and then click OK.
2. On the Console menu, click Add/Remove Snap-in.
3. Click Add.
4. In the Add Snap-in dialog box, click Group Policy, and then click Add.
5. Click Local Computer to view the local Group Policy object, or click Browse to find the Group Policy object that you want to use.
6. Expand Computer Configuration, Security Settings.
7. Right-click IP Security Policies on Local Machine, and then select Manage IP Filter Lists and Actions.
Windows 2000 IPSec protects each IP packet by adding an additional header to each network message. The Authentication Header (AH) provides verification and certification for the entire packet; it works as a signature for each message that is transmitted. The Encapsulating Security Payload (ESP) provides privacy for the data that is in the packet.
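To make the AH/ESP distinction concrete, here is an added Python example (not from the original article) that parses the two headers as they appear on the wire after the IP header, following the RFC 4302 and RFC 4303 layouts, and shows what a sniffer can still read in each case. The packet bytes are constructed samples, not captures.

```python
import struct

# IPsec header layouts (RFC 4302 AH, RFC 4303 ESP) as seen right after the IP
# header. Protocol number 6 is TCP; SPI and sequence values below are made up.
IPPROTO_TCP = 6

def parse_ah(pkt):
    """Parse an Authentication Header. AH signs but does not encrypt, so every
    field, including the inner protocol number, is readable by a sniffer."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack_from(">BBHII", pkt, 0)
    ah_len = (payload_len + 2) * 4        # payload_len is in 32-bit words, minus 2
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": pkt[12:ah_len], "inner": pkt[ah_len:]}

def parse_esp(pkt, icv_len):
    """Parse an ESP packet. Only SPI and sequence number are cleartext; the inner
    protocol, its data and the padding trailer are ciphertext until decrypted."""
    spi, seq = struct.unpack_from(">II", pkt, 0)
    body_end = len(pkt) - icv_len
    return {"spi": spi, "seq": seq,
            "ciphertext": pkt[8:body_end], "icv": pkt[body_end:]}

def exposed_inner_protocol(hdr):
    """What an observer learns about the protected payload's protocol, if anything."""
    return hdr.get("next_header")     # None for ESP: the next-header byte is encrypted

# Constructed samples: AH with a 96-bit HMAC ICV (12 bytes) in front of a
# 20-byte TCP segment, and ESP with 32 bytes of ciphertext plus a 12-byte ICV.
AH_SAMPLE = (struct.pack(">BBHII", IPPROTO_TCP, 4, 0, 0x1001, 42)
             + b"\xaa" * 12 + b"\x00" * 20)
ESP_SAMPLE = struct.pack(">II", 0x2002, 7) + b"\xbb" * 32 + b"\xcc" * 12
```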
Terminal Services Security: Ensuring Maximum Protection
Terminal Services is now included in the Windows 2000 Server operating system. Terminal Services allows users to access desktops and any installed applications from client computers. This feature is especially useful for remotely managing application servers, developing applications and controlling network resources regardless of where they are located.
Windows 2000 allows you to run Terminal Services in two modes, remote administration mode and application sharing mode. Remote administration mode is used mainly by security administrators to administer and maintain the server. This mode allows only members of the Administrators group to log on locally. Application sharing mode allows any client to run programs on the server as if they were running locally.
Network security protection can be increased by using Terminal Services high encryption mode. Windows 2000 Server can assign one of three different levels of encryption to client and server connections: Low Encryption, Medium Encryption and High Encryption. Using Low Encryption mode, traffic from the client to the server is encrypted using the RC4 algorithm and a 56-bit key, while traffic from the server to the client is unencrypted. Low encryption protects sensitive information like passwords and application data.
To Set Up High Encryption Mode on Terminal Services:
1. Open Terminal Services Configuration, in the Administrative Tools program group.
2. Click Connections, right-click the connection you want to modify, and click Properties.
3. In the Encryption level option, select High.
Medium Encryption and High Encryption secure data sent in both directions, from the client to the server and from the server to the client. This provides two-way secure communication between client and server.
The main difference between these two modes lies in the encryption strength. Medium Encryption mode uses the RC4 algorithm and a 56-bit key (40-bit for RDP 4.0 clients), while High Encryption uses RC4 and a 128-bit key.
About This Section...
Whether you want to learn what network security is, how firewalls work, or how to write a program in C to manage Active Directory security, this section is designed to provide useful and easy-to-understand articles for all levels of Information Technology professionals. Rather than offering theoretical views and terminology of security principles and systems, we will give you straightforward, real-life information to apply at work. Some of the topics that we will put in plain words in this section will be: How to Build a Firewall with Internet Security and Acceleration (ISA) Server, Analyzing and Monitoring Network Attacks with Windows 2000, and Using and Creating Advanced Windows 2000 Security Tools and Utilities with Simple Programs. As a final point, we will focus on providing the depth necessary to pass any Microsoft-related security exam.
*Originally published at 2000Trainers.com
About the Author:
Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist. His experience includes engaging, managing and implementing large consulting projects for government agencies and companies like Microsoft and Nissan, as well as other Fortune 500 companies. Leonard can be reached at Leonardo.loro@enresource.com.
Read this newsletter at: http://www.securitypronews.com/2003/1211.html