Security is essentially a matter of controlling access to
network resources. In theory, one can create a perfectly secure system
simply by denying everyone access to it, but this is hardly a feasible
solution for a data network. Some of the basic security principles for
the small business network administrator to consider are as follows:
-
Allow users to access the network resources they need to perform their jobs.
-
Prevent unauthorized network users from accessing administrative tools and settings.
-
Allow network users to access the Internet without providing Internet users unrestricted access to the network.
The following sections examine the primary mechanisms and design decisions in Windows SBS 2011 that enable administrators to realize these goals.
Authentication, one of the two fundamental security
functions, is the process of verifying a user’s identity in preparation
for granting that user access to a protected resource. To authenticate
a user, a system requires at least one of the following:
-
Something the user knows
The most common form of authentication
requires users to supply a piece of information, such as a password,
which the system already possesses. The complicating factor in this
type of authentication is the security
of the passwords, which can conceivably be intercepted during
transmission or compromised by the user. Windows SBS 2011 uses
password-based authentication by default, with authentication protocols
that protect the passwords from capture during network transmission.
-
Something the user has
Some security systems require users to possess a smart
card or other identifying device that they must supply to the computer
before they can access protected resources. Windows SBS 2011 supports
smart card authentication, but it is not configured to do so by
default. The main drawback of this authentication method is the
additional cost for the cards and the card reader hardware. Smart cards
can also be easily lost or stolen, so users are nearly always required
to provide a password as well.
-
Something the user is
Some security systems require users to confirm their
identities by scanning physiological characteristics, such as
fingerprints. This technology is known as biometrics.
Biometrical authentication is one of the most secure systems available
because fingerprints and other physiological characteristics are
difficult to spoof or steal. Windows Server 2008 R2 does not include
direct support for biometrical authentication (although Windows 7 now
does, in the form of the Windows Biometric framework), but it does
support modular authentication protocols that enable the system to
interact with third-party hardware and software authentication
solutions.
Active Directory Domain Services (AD
DS) is responsible for authenticating network users in Windows SBS
2011. When you create user accounts, you specify passwords for them,
which AD DS stores in its database. When users log on from their
workstations, they type their passwords as part of the authentication
process.
The biggest problem with password-based authentication is the
tendency of the passwords to be compromised. There are two potential
avenues of compromise: the network and the users themselves. If client
applications transmit passwords over the network in clear text, it is
possible for someone to capture the network packets and read the
passwords inside them. Even if a client application encrypts the
passwords before transmitting them, a potential intruder can often
identify the data string that contains the encrypted password and use it to create an illicit logon by replaying it back to a server, still in its encrypted form.
To protect the user passwords, AD DS uses Kerberos,
an advanced authentication protocol that enables clients to log on
without transmitting passwords over the network in any form, clear or
encrypted. Named for the three-headed dog of Greek mythology that
guards the entrance to Hades, Kerberos
is a highly complex protocol that requires three elements to function:
the client attempting to access a protected resource, the server
hosting the protected resource, and an authentication provider. In Windows SBS 2011, the AD DS domain controller is the authentication provider, and it is involved in every security
transaction, even when a user accesses a resource on another server. To
avoid transmitting passwords over the network, Kerberos uses
cryptographic values derived from the passwords to create unique tickets
that clients and servers exchange to gain access to protected
resources. Because the tickets are generated for a specific use at a
specific time, intruders capturing the packets cannot replay them or
derive user passwords from them.
Passwords are also vulnerable to low-tech forms of compromise, typically resulting from users’ sloppy or naive security
habits. Users often write passwords down, give them to coworkers for
the sake of convenience, or are duped into supplying them through
social engineering. To address these problems, Windows SBS 2011 uses
Group Policy settings to compel users to change their passwords at
regular intervals. You can modify these settings to suit the security
needs of your organization.
Note
Social engineering is
the term used to define the process by which intruders gain access to
protected resources by manipulating users into providing their
credentials or other information. For example, a friendly stranger
claiming to be from the company’s IT department calls a user on the
phone and says that he has been instructed to upgrade the user’s
account, but he needs the user’s password to do so. The user, without
verifying the caller’s identity, supplies the password and thinks no
more of it. In many cases, social engineering is a far easier and more
effective tactic for penetrating a network’s security than other
high-tech alternatives.
The other fundamental security function is authorization, which is defined
as the process of specifying which protected resources an authenticated
user is permitted to access. Authentication confirms the user’s
identity, but authorization actually provides access to the network
resources. In Windows SBS 2011, various permission systems authorize
users to access protected resources.
Although they function in much the same way, Windows SBS 2011 has
separate permission systems for each of the following resources:
-
NTFS files and folders
-
Folder shares
-
Printer shares
-
AD DS objects
-
Registry keys
Permissions
are flags that enable a particular user or group of users to perform
specific actions on a specific resource. For example, a user who
possesses the Read permission for an NTFS file is allowed to read the
contents of the file, but the user cannot modify the file nor do
anything other than read it without additional permissions.
Windows stores permissions as a part of the objects they protect. Each protected element has an access control list (ACL) that consists of individual access control entries (ACEs). Each ACE consists of a security principal (the user, group, or computer receiving access) and the permissions assigned to that security principal. In Windows SBS 2011, when you open the Properties sheet for a file, the Security tab contains the interface you can use to modify the file’s ACL, as shown in Figure 1.
Other elements, such as folder and printer shares, AD DS objects, and
registry keys, have different types of permissions, but you use the
same interface to manage them.
In Windows SBS 2011, as with all the other Windows operating
systems, permissions are always a part of the protected element, not
the entity receiving access to that element. Each file on an NTFS
volume, for example, has an ACL specifying the users and groups that
can access it. If you move the file
to another NTFS drive, the ACL goes with it. However, user and group
objects in the AD DS database do not have a list of the files and other
resources they are permitted to access.
Access
control—the process of regulating who can use specific system
resources—is one of the fundamental tasks of the network administrator.
Windows SBS 2011,
like all of the Windows operating systems, uses permissions to control
access to shares, file systems, printers, and many other resources.
Shared folders have their own independent set of permissions,
completely separate from the other Windows permission systems, such as
the NTFS permissions you use to control access to files and folders. The main difference between share permissions
and NTFS permissions is that share permissions apply only when a user
attempts to access a protected resource over the network. NTFS
permissions apply both over the network and on the local console.
For example, users who have the NTFS permissions needed to access a
server folder, but who lack share permissions for that same folder, can
access it from the server console, but not over the network. Users that
have share permissions but lack NTFS permissions cannot access the
folder at all.
Note
The FAT file systems that Windows Server 2008 R2 supports have no built-in access control capabilities. Therefore, a computer with FAT
volumes must rely on share permissions, as they are the only form of
access control available. However, in today’s computing environment,
there are few—if any—compelling reasons to use the FAT file systems, so
the need to rely on share permissions for access control is now a
rarity.
Because users must have both share and NTFS permissions to access a
particular resource from the network, many administrators choose to
avoid confusion by using only one of the available permission systems.
NTFS permissions are the logical choice because they provide more
comprehensive and flexible protection. In fact, this is the approach
that Windows SBS 2011 takes in its default shares. All three of the
default shares that Windows SBS 2011 creates for user access have the Allow Full Control permission assigned to the Everyone special
identity, which means that all network users can connect to them
without restriction. To control access to the shares on a granular
level, Windows SBS 2011 assigns NTFS permissions.
Note
A special identity is a
Windows element that stands for all objects sharing a specific trait or
condition. For example, assigning permissions to the Authenticated Users special identity causes all users that are logged on to the domain to receive those permissions.
Establishing Permission Policies
One of the key elements of network administration is making sure
that all the people sharing responsibility for a specific function are
on the same page with regard to how they should use that function. In
small businesses, this is sometimes not a big problem because there are
only a few administrators (or maybe only one) who need to receive the
word. On the other hand, administration on small business networks is
often more informal than it is on larger ones, and administrators are
less likely to establish policies and see to it that everyone follows
them.
With regard to share and NTFS permission systems, it is important
for someone to decide early on how administrators should use them on
this particular network and see to it that those decisions are
enforced. In some cases, this might simply be a matter of one person
declaring that administrators should leave all share permissions wide
open and use only NTFS permissions to secure resources. Other
permission policies might dictate that administrators use Allow
permissions, but not Deny permissions, and specify when and if
administrators can block or otherwise control permission inheritance.
It is certainly not required that administrators of small business
networks avoid using share permissions for access control, but it is
recommended. Using share permissions and NTFS permissions is like
having two locked doors that require two different keys to get into
your house. Sure, it’s safer, but consider carefully whether it is
really necessary.
Whichever combination of permissions you choose to employ
on your network, failure to create explicit policies in these matters
can lead to chaos in the future when a user cannot gain access to a
resource. If one administrator prefers to use share instead of NTFS
permissions, or Deny instead of Allow permissions, or explicit
permissions on every folder instead of inherited ones, troubleshooting
becomes a nightmare, with everyone trying to maintain their own
standards at the same time. 
