Far too often, organizations with a Windows environment grossly underutilize the resources already available to...
them. The main disconnect perhaps comes from networking engineers' disinterest in servers, who often prefer racks of blinky switch lights to cumbersome operating systems. Say what you will about Windows, but Microsoft has done a great job delivering all the necessary puzzle pieces to network administrators across the globe.
Clearly when configuring a Windows Server 2008 (or even 2003) network infrastructure environment, there are a plethora of other server roles, functions and services we can enable for even more features. These four components, however, are all network managers need to implement a full network security solution.
- Windows Active Directory Domain Services: A foundation that provides data storage for a network's users, computers, printers and services. It is also used for user and group management.
- Windows Network Policy Server: A RADIUS server that provides centralized connection authentication and authorization for wireless and virtual private network (VPN) connections, along with other types of network access. (Also known as IAS in Windows 2003 and earlier operating systems.)
- Microsoft NAP: A platform that controls network access based on evaluation, health and group associations of the host endpoint.
- Windows Client XP SP3 or later (clients for interacting with Windows 2008).
Individually or in combination, these services can be utilized for many network security implementation scenarios. First, let's look at its wired and wireless security uses:
- Wired port security authentication: By authenticating users to the network, we can ensure only authorized users are connecting. This lets us protect the network at the edge, thwarting a variety of attacks and ensuring integrity at the point of connection. Adding port security is like setting up your own little gatekeepers at every Ethernet port. Most people are shocked to learn they can immediately configure a full network port security solution, including IEEE 802.1X, a standard for port-based network access control and authentication, with their current Windows infrastructure. This can be done without the addition of software or licenses. The only caveat here is that 802.1X will require a server side certificate for PEAP (Microsoft's protected extensible authentication protocol). The good news is a Windows self-signed certificate will work just fine to get started and takes only moments to configure.
The switch of choice is simply configured to use port security and point to the RADIUS (Windows NPS) Server using a predefined shared secret. The Windows NPS Server needs to show the switch as a valid RADIUS client and have a custom or default catch-all policy for connecting wired devices. The connecting Windows Client XP SP3 or later is directed to use 802.1X authentication in the network settings (a configuration that can be pushed by Windows Active Directory Group Policy). Although the endpoint (the Windows client) may use certificates or tokens, the most popular credential method is the pass-through of users' Windows logins.
The same process is followed for MAC address-based authentication. The only change there is the omission of the server certificate requirement and the client network configuration. The endpoint's MAC address is passed as credentials to Windows NPS and AD instead of a user's Windows login. Port security can be a cumbersome undertaking if not planned well. Misconfigurations can lead to unavailability of resources and effectively lead to a self-inflicted denial-of-service (DoS) attack.
More Windows netsec advice from Jennifer Jabbusch
Complexity and cost may keep you from investing in NAC. Fear not, endpoint integrity enforcement, for example, can be achieved through directory group policies.
is restricted until an authentication action fully 'opens' or 'enables' the port for regular traffic. If you're going to be turning off access to a device, you want to know ahead of time. In the case of servers and other critical shared resources, the best practice is to NOT use port security in those areas. Generally, servers and sensitive data are in a physically secured area and less vulnerable to the types of attacks port security protects from. If access to a server was accidentally blocked, it could create a huge mess in an enterprise.
There's not a good silver bullet for performing network surveys. There are plenty of software-based tools (free and paid) that map and trace networks, but they are never 100% accurate and it's possible they can miss entire segments of a network that are protected by routing rules or
firewalls. The best network survey is one that includes a physical component, where each closet is visited and interconnectivity verified. Those results can then be supplemented or verified with a software-based mapping tool.
- Secure wireless authentication
Just as we can use Windows Active Directory, Windows NPS and a Windows client for wired port authentication to the network, we can perform a similar yet simpler configuration for wireless authentication. Currently, 802.1X is the only method recognized as an enterprise-level security option for wireless authentication and key rotation; all other methods have been compromised one way or another.
In this instance, instead of a wired switch, a wireless device of choice (usually a controller or access point) is configured for authentication and points to the Windows NPS Server for RADIUS. Again, the server needs a certificate, the NPS needs a policy for wireless clients, and the server needs to know the AP or controller is a RADIUS client. The connecting Windows client will recognize the wireless network as being secured and provide the user options for submitting credentials. The wireless settings can be preconfigured and also pushed out through Windows Active Directory Group Policy. Due to the nature of wireless connectivity, implementing secure wireless with 802.1X is much less painful that coordinating a wired authentication plan. Network administrators can provision multiple wireless SSIDs on a single AP for testing and playing while they work out the kinks.
- Device network authentication
Just as we can use the network to authenticate users, we can also use the network to authenticate itself. Similar to wired port security (above), we can apply the same port authentication properties to authenticate infrastructure devices: switches, routers and access points. As was the case in our earlier example, we can use both 802.1X and MAC address based authentication for these devices. Infrastructure authentication is often a starting point for organizations looking to implement port security on a network.
Enforcing device authentication gives organizations the peace of mind that everything connecting to the network belongs there. This verification process creates a trusted infrastructure, which is key to preventing attacks on the network such as eavesdropping, redirection attacks and man-in-the-middle attacks. Trusted infrastructures also protect the network from non-malicious attacks in the form of rogue devices; a common accident that occurs when users bring an unapproved device (such as a wireless router or switch) to the office for their own use. In addition to an all around increase in security, organizations with this protection are one step closer to meeting a variety of compliance and regulations that govern the management and accessibility of networks and network data, especially financial data and PII.
In my next tip, I will review how the Windows server 2008 components will help with other authentication and access control needs.
Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in areas of network security, NAC/NAP, 802.1X and wireless security, and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware and maintains SecurityUncorked.com blog.
Send comments on this technical tip to firstname.lastname@example.org.