Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition

For a business with no preexisting security policy, establishing and implementing a viable security policy is a daunting task. When on-demand access is a key part of the business model, some aspects of overall security are greatly simplified (security of individual desktop PCs), while others become far more critical (access to applications servers). Further, the manner in which on-demand services are delivered to remote users (Internet, VPN, Citrix Secure Gateway, and Wireless LAN/WAN) becomes a significant factor in selecting which measures are used to enforce the security policy. In any case, the tasks required to develop a corporate security policy are similar:

• – Assess the security posture (base- lining ).

• – Define written policy requirements and goals.

• – Design technical, administrative, and physical security measures.

• – Implement and test.

Security Posture Assessment

A security posture assessment establishes the baseline for "what is." Posture assessments are typically very granular evaluations of all aspects of the network; they include

• – Current documented policies and procedures (administrative measures).

• – Physical security of resources (servers, network hardware, tape and software libraries).

• – Network access and exposure points.

• – Mapping of hosts (devices), operating systems and versioning, and services (HTTP, ICA, and so on).

• – Definition of protection requirements. For example: Is data on disk to be stored as clear text or encrypted? Will Terminal Services applications allow anonymous access?

• – Efficacy of antivirus software.

• – A multiperspective simulated attack on network resources. This typically includes internal and external penetration and exploit attempts as well as denial of service attacks on ingress points.

• – Risk assessment.

Risk Assessment

Risk assessment is the process of evaluating each security weakness or threat and determining both the potential impact and the probability or likelihood that the weakness can be exploited. Clearly identifying risks and their potential business impact helps determine whether a specific security measure is ultimately cost-effective . Figure 8-3 shows the correlation between security risk or exposure and the cost to mitigate the risk. Weaknesses stem from one of three common sources:

• – Technology weaknesses Inherent limitations in network and computing technology; for example, the predictable TCP sequence numbers generated by the Microsoft IP protocol stack. Technology weaknesses are usually mitigated by a technical security measure.

• – Configuration weaknesses Improper configuration of any network service can create an easy avenue of attack. Configuration weaknesses are usually mitigated by a combination of administrative security measures, including configuration control and configuration audits .

• – Policy weaknesses Inappropriate, poorly defined, or improperly implemented and managed policies. For example, a policy that allows weak passwords. Policy weaknesses also include internal politics that circumvent or subvert necessary security measures.

Figure 8-3: Implementation cost vs. risk

Threats are broadly categorized by source: internal (from within the organization) or external (from outside the organization); and by type: reconnaissance, unauthorized access or use, denial of service, or data manipulation.

Policy Definition

There are three broad concepts for security paradigms :

• – Open Common in academia and other bastions of anarchy

• – Restricted The most common balance of security needs versus business requirements and cost

• – Closed Often seen in DoD and some financial environments

In most corporate enterprise networks, the Restricted paradigm is preferred.

At the top level, the security policy should address the security needs and manner by which security is managed and controlled. Specific security measures (physical, administrative, and technical) should be identified in the overall security policy. The security policy, once defined, must be maintained and iteratively validated to ensure that policies and security measures are appropriate for changing threats and risks, and that technical configuration elements are being maintained. This implies that a change/configuration control process is required.

Physical Security Measures

Physical security may not seem complex, but critical resources (server rooms, network equipment closets, and data and software storage) are often left open to unrestricted access. Security consultants and auditors are often able to walk directly into server rooms and even remove equipment without being challenged. Any resource that can be physically accessed (server, firewall, router, and so forth) can be compromised. Depending on the sensitivity of the data, measures may range from simple lock-and-key security measures to electronically monitored and controlled access (badges, retina scanners , and other devices).

Administrative Security Measures

Written, enforceable administrative policies and practices are essential elements of the overall security policy. Administrative security measures can become an end in themselves if not approached with common sense. Businesses often focus too much on documenting and delineating every aspect of security and end up with a one-time written policy that is neither enforced nor enforceable. To be viable, security policy documents must be clear, concise , and specific in scope, applicability, and responsibility. Standards and procedures must be supported and enforced from the top down. If violating a security policy has no consequences, the policy itself is inconsequential. Common policy requirements include

• – Acceptable encryption

• – Acceptable use of information systems

• – Modem connections

• – Antivirus

• – Security audits

• – Database credentials

• – Firewall configuration control and management

• – DMZ system security

• – Password management and control

• – Remote access

• – Risk assessment

• – Router security

• – Server security

• – Third-party network connections

• – Virtual private network

• – Wireless network connectivity

• – Facility access controls

Technical Security Measures

Technical security measures constitute the most significant and costly portion of the overall security plan. Technical measures are implemented end-to-end to enforce security without relying on human intervention. These measures include capabilities such as firewalls, proxies, encryption, multifactor authentication, operating system hardening, and user environment control. Technical security measures should enforce conduct, behavior, and boundaries defined in the corporate security policies.

Security Design Technical Considerations

In a typical distributed network, computing resources are dispersed throughout the enterprise, as shown in Figure 8-4. This means that sensitive information resides on the hard drives of employees ' personal computers and on work group servers at several locations. If physical access to data is one area of concern for securing that data, it can be said that such a distributed model is less secure than a centralized model.

Figure 8-4: A distributed network in which each regional work site has it own resident file server

In the centralized model, shown in Figure 8-5, the bulk of computing resources are concentrated in one or just a few data centers. As a result, physical access to that data is much more restricted. Does this mean that on-demand access is inherently more secure than distributed computing? It may seem so, but there are numerous areas of concern in on-demand access that make such a blanket assertion shortsighted.

Figure 8-5: A centralized network in which the load-balanced file servers reside all in one place

Areas of Exposure

Like the network design considerations discussed in Chapter 6, security in an on-demand Terminal Services network has much in common with security on a traditional network, as well as a number of unique exposures. The common exposure areas parallel the hierarchical design modules (building blocks) from Chapter 6.

Access Layer Exposures

The point where clients first access the Citrix infrastructure is the most critical line of defense. Proper security enforcement at the edge reduces the complexity of security measures that must be implemented in the core on the servers.

• – LAN access Internal LAN users are generally the most trusted group of users because their environment and behavior can be seen and easily monitored. Minimal security measures must still be in place to protect the network hardware, network bandwidth, and other LAN access segments. Port-based security on Layer 2 switches can effectively lock out unauthorized client devices and notify an administrator of any unauthorized event. Access lists at Layer 2toLayer 3 boundaries can enforce and restrict traffic flows to only authorized address ranges. Virus protection and control, although often overlooked when all the critical applications and data are made on-demand, is an absolute must. Even if client devices cannot propagate malicious logic to the application servers or network data stores, client-to-client propagation of the infection (Code Red, Nimda, and so on) can saturate network bandwidth or server resources and result in denial of service.

• – WLAN access Wireless LAN segments (not to be confused with wireless access via public networks) present additional risks to any network. Above and beyond the security exposure of wired LAN segments, WLANs can allow surreptitious connection without need of physical access to the network. WLAN identification features such as the Service Set Identifier (SSID) are often misconstrued as security features. The SSID is simply a network name and allows visibility of the network much the same as a browse list in Windows networking. The SSID is clear text and can be sniffed by any client. Effective WLAN security in a corporate environment requires three components . First, extensible authentication methods (EAP) should be used so that users must authenticate before being granted any access to the network. Second, the wireless LAN segment should be isolated from the rest of the enterprise by strict firewall rules. In a traditional distributed computing network, this is extremely complex and often ends with rules that allow any wireless source to pass through the firewall. In an on-demand access network, security is far easieronly the client transport protocol must be allowed through (ICA, RDP, and SSL). Finally, the WLAN segment must use more advanced security techniques in lieu of Wired Equivalent Privacy (WEP). Current wireless technology supports a long list of security enhancements that all WLAN segments should use Wi-Fi Protected Access 2 (WPA2). WPA2 changes the basic authentication and encryption paradigms to comply with IEEE 802.11i standards for wireless networks:

  • – WPA2 encryption is based on the Advanced Encryption Standard (AES) and uses Counter Mode (CM) with Cipher Block Chaining Message Authentication Code Protocol (CBC-MAC) (CCMP). The CM component provides privacy while the CBC-MAC component provides authentication and data integrity.

  • – WPA2 eliminates weaknesses in previous generations of wireless encryption that used the RC4 Stream Cipher.

  • – WPA2 includes built-in message integrity checks to overcome "man-in-the-middle" attacks and is FIPS 140-2 compliant.

  • – WPA2 provides superior key management through a Pair-wise Master Key (PMK) (4-Way Handshake) with a Group Master Key, and supports key caching and preauthentication.

  • – WPA2 uses IEEE 802.1x-compliant Extensible Authentication Protocols, including LEAP, PEAP, EAP-TLS, and EAP-TTLS. All of these technologies require RADIUS and/or certificates (public key cryptography).

• – WAN access (private networks) Remote branch offices connected over dedicated media are secured much the same as local LAN access segments, but primary filtering should be done at the remote site to avoid data transmission over expensive WAN links. Virus protection remains essential at remote branches.

• – WAN access (virtual private networks) VPN-connected remote branch offices are like dedicated media-connected offices, with the exception of the site-to-site transport. All data transported between the sites is by definition "trusted," but it traverses the untrusted Internet and must be encrypted for transmission. VPN connections should always use IPsec with ESP mode.

• – Internet access/Internet remote access Internet access exposures are the most threatening and most exploited. All Internet access should be protected by a reliable firewall, monitored by intrusion detection capabilities, and authenticated to positively identify inbound access requests as legitimate . At a minimum, the logon process should be encrypted to protect usernames and passwords from compromise. Highly secure access to the on-demand access resources requires full encryption via IPsec VPN or SSL/TLS. If SSL/TLS is selected, connections should traverse an application proxy to prevent direct access to the internal servers. In terms of security boundaries, the emerging technologies associated with wireless cellular (WWAN) access are really just another Internet user with limited bandwidth.

• – Direct-dial access Security measures associated with direct dial-up access are similar to those employed for WLAN segments. Remote Access Service (RAS) users can be given essentially open access to the Internet and external resources, but they should be limited to RDP/ICA/SSL access.

Distribution Layer Exposure

The network distribution layer is an ideal enforcement point to control data flow from segment to segment as well as to implement intrusion detection systems (IDSs). Although we normally think of the firewall as an Internet firewall, the DMZ portions of the firewall that support remote RAS and WLAN segments are really part of the network distribution layer. For additional protection, remote WAN and Layer 3 LAN aggregation points can provide firewall functionality through router-based firewall features.

Core Layer Exposure

The core layer requires special attention in the on-demand access model. The core hardware (switch) requires only the normal protection afforded network hardware, but the connected servers that provide application services (Citrix), data storage (file servers and database servers), and network services (authentication, name resolution, and so on) must be secured to a greater degree than in the traditional distributed environment. Remember, the user's applications and environment exist on the application serverthe user is already inside all of the filters, firewalls, and access lists provided by the network infrastructure. Security within these core servers falls into two general categories: server hardening (the measures taken to implement server-side security through access controls, software configuration, and policies) and user environment control (measures to contain and restrict the users to their approved applications and access capabilities).

Technical Measures

This section will provide more detail on suggested technical measures to ensure enterprise security. Measures addressed are the most commonly needed and employed technologies, but the list is not all-inclusive.

Firewalls

Network firewalls are the primary line of defense against external security threats; however, a firewall is not a panacea for network security. A firewall is a system or group of systems that enforce a boundary between two or more networks. In the classic implementation (shown in Figure 8-6), the firewall system consists of a packet-filtering perimeter router, an isolation LAN (screened subnet) with a dual- homed bastion host, and an interior packet-filtering router.

Figure 8-6: Classic firewall system

Commercially developed firewalls are available in two primary form factors: appliances and computers. Appliances are preconfigured with an operating system and necessary network connections, while computer-based products provide software only and allow the user to determine what hardware is employed. Firewall software can be either a purpose-built hardened OS or application software that executes firewall functions on a general-purpose (GP) operating system (Windows, UNIX variations, and so on). Application software that rides on a GP OS should be avoided. In addition to the processing overhead (GUI interface, "user" features), the firewall is subject to the inherent weaknesses in the GP OS design, which are publicly available as application interface specifications. A quick look at reports of hacking and intrusions will show that every GP OS has a long list of vulnerabilities.

Most firewalls perform a number of different functions, but the following are common capabilities:

• – Protection of internal resources Hides internal addressing schemes and hosts from external detection.

• – Authentication Uses strong authentication techniques to verify a user's identity before granting access to corporate information.

• – Privacy Protects, via encryption, sessions, and data streams destined for a remote network segment over untrusted networks (VPNs).

• – Auditing Provides detailed logging and accounting of communication attempts and other relevant metrics.

In addition to these common features, firewall solutions should offer:

• – Attack and intrusion detection The firewall should be able to detect common attacks and intrusion attempts such as denial of service and spoofing.

• – Content security A firewall should be "application aware" for a minimal set of common Internet applications (FTP, SMTP, and so on). It should be possible to define access rules based on the application that is attempting to pass through the firewall.

• – High availability The firewall systems should be hardened enough to protect themselves from being brought down by an attack or simple mishap. More critical, firewall implementations should be redundant, with automatic fail-over .

• – Electronic countermeasures The firewall system should be able to mitigate common attacks and intrusion attempts such as denial of service and spoofing, as well as able to protect the firewall itself from direct attack.

Types of Firewalls There are four general types of Internet firewalls, or to be more accurate, three types plus a hybrid.

• – Packet filtering firewalls Filtering firewalls screen packets based on addresses and packet options. They operate at the IP packet level (Layer 3) and make simple security decisions (drop or forward) based on data in the packet header. Packet filtering firewalls may be one of three subtypes :

  • – Static filtering This is used on most routers. Filter rules must be manually changed and consist of source and destination pairs as well as protocol and port values. No logic is used to determine session state or packet sequence.

  • – Dynamic filtering In this subtype, an outside process changes the filtering rules dynamically, based on router- observed events (for example, one might allow FTP packets in from the outside, if someone on the inside requested an FTP session).

  • – Stateful inspection This technology is similar to dynamic filtering, with the addition of more granular examination of data contained in the IP packet.

  Dynamic filtering and stateful inspection firewalls keep a dynamic state table to make changes to the filtering rules according to events.

• – Circuit gateways Circuit gateways operate at the network transport layer. Again, connections are authorized according to address pairs. Circuit gateways usually cannot look at data traffic flowing between one network and another, but they do prevent direct connections between one network and another. Sessions from outside are terminated on the gateway and a new session from the gateway to the internal protected host is generated. Circuit gateways may introduce latency and jitter into RDP or ICA sessions under heavy loads.

• – Application gateways Application gateways (or proxy-based firewalls) operate at the application level (Layer 7) and can examine information at that level. Decisions are made in accordance with address pairs, application content (for instance, URLs), and application data, such as commands passed within FTP or SMTP command channels. Few vendors provide application-aware firewalls capable of managing RDP or ICA traffic, and enhancements to RDP or ICA require a revision of the firewall source code. One notable exception is Secure Computing's Sidewinder G ₂ firewall (actually a hybrid firewall), which includes a Citrix-certified application proxy for ICA traffic.

• – Hybrid firewalls As the name implies, hybrid firewalls use elements of more than one type of firewall. Most modern firewalls combine stateful inspection and application gateway services to manage the security boundary.

Firewalls for On-Demand Access Computing Hybrid firewall systems are strongly recommended for on-demand access. Industry leaders in firewall technology include Cisco Systems (ASA), CheckPoint (NG/NGX), Fortinet (FortiGate), and Secure Computing (Sidewinder G ₂ ). The firewall system, shown in Figure 8-7, should include a perimeter router capable of static or dynamic packet filtering (to offload simple filtering and protect the firewall from direct attack), a hybrid firewall element using stateful inspection and either a cut-through proxy or an ICA application proxy, and an interior router capable of static or dynamic packet filtering.

Figure 8-7: The basic enterprise firewall system

Enhancements to ICA since early Citrix Presentation Server versions eliminate the need for firewalls to support UDP Passthrough for ICA browser services (UDP port 1604). Stateful inspection firewalls must "approximate" a session state for UDP by using timers, since UDP is a stateless protocol. Citrix now supports TCP-based XML services in lieu of ICA browser services.

Encryption

Using the Internet as part of the corporate WAN infrastructure has obvious security implications. The Internet is a public network and as such exposes an enterprise's private information to unauthorized individuals by its very nature. The Internet is often an integral part of delivering applications to remote users in a on-demand access network, however. Internet delivery provides virtually universal access to clients, built-in resilience, and dramatic cost reductions as compared to dedicated media. Two basic encrypted transport methodologies are used for Citrix remote network connectivity: virtual private networks (VPNs) and Public Key Infrastructure (PKI) encryption via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

Encryption Standards Encryption standards define both the mechanics of the encryption process and the complexity of the key. For all at-risk data transmissions (anything traversing the Internet), strong encryption should always be used. For SSL/TLS, use a minimum 128-bit key (RC4 with 128-bit encryption and MD5 message authentication, yielding 3.4 — 10 ³⁸ possible key values). If security is paramount, consider Triple-DES (3DES with 168-bit key and SHA-1 message authentication yields 3.7 — 10 ⁵⁰ possible key values) or step up to AES, where AES-128 offers 3.4 — 10 ³⁸ possible 128-bit keys, AES-192 affords 6.2 — 10 ⁵⁷ possible 192-bit keys, and AES-256 provides 1.1 — 10 ⁷⁷ possible 256-bit keys. When SSL is used, avoid SSL 2.0 implementations, and instead use SSL 3.0 or TLS. There are two basic types of encryption algorithms: symmetric (or private key) and public key. Private key encryption requires that the same key used to encrypt the data be used to decrypt the data; it is most commonly seen in VPN configurations. The advantage is speed, since less computation is involved than in other methods. The main disadvantage is that the key must be distributed to the intended recipient through some secure mechanism; the symmetric algorithm itself provides no way to distribute the key. The second type of algorithm, the public key, calculates a list of keys, some of which can only encrypt the data and some of which can only decrypt the data. The encryption key is the public key, and the decryption key is the private key. A message encrypted with the former can be decrypted only by the latter. A major advantage of this scheme is that the encryption key can travel in the open without compromising security. Having the public key will not allow someone to decrypt the data.

Several encryption algorithm and transport standards have arisen that have been adopted by Microsoft, Citrix, and others. Understanding them will allow an administrator to judge for himself or herself whether a specific standard is appropriate for their on-demand access project. By implementing an encryption algorithm and transport method in the network backbone, the task of authenticating and securing the network session is made further transparent to the end user. Cisco, Lucent, Nortel, and other vendors facilitate this seamless authentication by their adoption of one or more security standards.

• – Microsoft Point-to-Point Encryption (MPPE) MPPE uses preshared keys for authentication. This method uses a shared, secret key that is previously agreed upon by two systems. MPPE can be used as the authentication method for PPTP or L2TP. Both are supported in Windows 2000 Server and Windows Server 2003.

• – Internet Protocol Security (IPsec) IPsec is the de facto standard for point-to-point VPN encryption. The great advantage of IPsec is that it is end-to-end at the network layer. Application security protocols like SSL require the application to change, while data link protocols like PPTP only protect a user on that specific link; the packets travel over other links in the clear. IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data and is not considered highly secure, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol. Since it is implemented at the protocol layer, IPsec is an excellent choice for on-demand access. It does not interfere with higher-level protocols like ICA and therefore is nearly transparent to the end user.

• – Point-to-Point Tunneling Protocol (PPTP) PPTP is an extension of the Point-to-Point Protocol (PPP) and has two functions. First, it establishes a control channel between the client and the server. Second, it builds a "tunnel" for passing data between the client and the server. The tunnel is constructed using an encryption algorithm (PPTP can support many) so that the client and server exchange keys. PPTP supports multiple tunnels with a single control channel and can multiplex between them. PPTP currently enjoys the widest support in network backbone equipment such as routers and switches.

• – Layer 2 Tunneling Protocol (L2TP) L2TP is an alternative to PPTP proposed by Cisco Systems. Like PPTP, L2TP is an extension of PPP; it attempts to include the best features of PPTP. Like PPTP, it can encapsulate other protocols besides TCP/IP. L2TP provides flexibility in the assignment of IP addresses when TCP/ IP is used. Dynamic, static, and privately managed IP addresses are supported. It uses a similar keyed encryption scheme to establish a tunnel. Both L2TP and PPTP are proposed IETF standards. Both are also supported as standards in all Cisco routers.

Encryption for On-Demand Access Both ICA and RDP support basic encryption services through their respective client and server configurations. RDP requires what many enterprise security administrators consider to be a "non-standard" port (TCP 3389) to be open through the firewall and does not support authentication prior to connecting to the target server (secure application proxy). ICA has variable levels of security and can be encapsulated to operate on a "standard" port that is usually permitted through enterprise firewallsTCP 443 (HTTPS). By default, the ICA protocol adds little to the security already existing in Terminal Services; ICA uses a very basic method to encrypt, or more accurately "scramble," the data stream by using a key. It is really meant to help ensure that clear text is not visible in the data stream. By invoking the 128-bit encryption option for ICA connections, the ICA session is encrypted with a 128-bit-key RC5 encryption algorithm from RSA Data Security. RC5 uses a combination of symmetric and public-private key algorithms. The Presentation Server client and server use the Diffie-Hellman key agreement algorithm with a 1,024-bit key to generate RC5 keys. Citrix bills this client as being safe enough to run sessions over the Internet, and indeed, many companies use or base their products on the RC5 encryption algorithm. Windows Server 2003 Remote Desktop Connection (RDC) services use 128-bit, bidirectional RC4 encryption. Both Windows 2003 (with the encryption module) and Citrix Presentation Server are now certified as FIPS 140compliant for use in federal government information systems. In either case, the direct connection from client to target server creates additional concerns, even when passing through most stateful inspection firewalls.

Citrix remedied this problem through its Secure Gateway component of Citrix Presentation Server as shown in Figure 8-8. Secure Gateway is a specialized SSL application proxy, which supports integration with Web-based application access (such as Presentation Server's Web Interface), multifactor authentication technologies like RADIUS or Secure Computing's SecureID, application layer isolation of internal and external hosts (internal Citrix servers are not exposed to the public Internet), and session management via ticketing. As compared to Citrix MetaFrame XP, Citrix Presentation Server 4 changes this deployment scenario only slightlythe Secure Ticketing Authority (STA) is now integrated into each Presentation Server.

Figure 8-8: Secure Gateway of Citrix Presentation Server

The Citrix Access Gateway (Figure 8-9) replaces Secure Gateway and adds significant improvements in features, functionality, and security. The Citrix Access Gateway (CAG) consolidates Secure Gateway on to a hardened-OS appliance form factor and provides not only the SSL application proxy, but also a universal SSL VPN that transparently supports virtually all ports and protocols (including UDP-based Voice-Over-IP Soft Phones). When deployed with Advanced Access Control (AAC), the CAG provides real-time end-point analysis to dynamically control which Presentation Server applications are accessible to remote users on the basis of identity, source address, originating device security, and other factors. Additionally, AAC can control access to application behavior per user session (e.g., the right to view, edit, or print) using the same endpoint analysis criteria.

Figure 8-9: Citrix Access Gateway

The actual implementation (network and security architecture) of the Citrix Access Gateway, Web Interface, and Secure Gateway components determine which transport connections are encrypted. For design and deployment considerations for both Secure Gateway and Citrix Access Gateway, see Chapter 16.

Authentication, Authorization, and Accounting Services

Authentication, authorization, and accounting (AAA) services provide the means to identify a user, grant access to specific resources, and document what the user did and when the user did it. The vast majority of AAA services in a Windows Server 2003 server environment are provided by the Windows security model with authentication in the form of user account/password settings, authorization provided by discretionary access control lists (on files, shares, and other OS-controlled resources like print services), and accounting provided through event logs and event auditing policies. Windows Server 2003 Terminal Services and Presentation Server 4 both support two-factor authentication (smart card). More robust authentication such as three-factor authentication requires third-party software.

Auditing

Basic auditing should always be provided by server event logs and system logs from firewalls and routers. Most database applications can support record-level auditing and transaction logging. Auditing by itself is a nice feature for 20/20 hindsight but is of little use unless audit events are configured to generate administrative alert and notification messages.

Windows Server 2003 adds additional auditing capabilities to meet common government requirements and supplement intrusion detection mechanisms. Notable changes include operation-based auditing (analogous to accounting in AAA services); per user selective auditing (by name) and enhanced logon/logoff and account management. Auditinglogon/ logoff events now contain IP address and caller information.

The Microsoft Audit Collection System (MACS), a client/server application to be released in support of Windows Server 2003, provides real-time security event collection and stores event data in a SQL database for ready analysis. MACS can create a security boundary so that event-log data can be independently audited without the possibility that users or administrators will tamper with the event data. This type of independent collection and audit is becoming the norm for regulated industries.

Intrusion Detection Systems

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are now built in to many firewall products. A fully evolved enterprise IDS/IPS system should encompass both network-based sensors and enforcement points implemented on firewalls, routers, or appliances and host-based sensors and enforcement points implemented via software services on vulnerable servers. Enterprise IDS/IPS services go well beyond the built-in capabilities of most firewalls. For example, Cisco's PIX firewall recognizes fewer than 100 attack profiles (natively), has only limited autonomous response capability, and does not provide for regular update of attack signatures. When it is coupled with Cisco's IDS/IPS appliances, thousands of attacks are recognized, signatures are updated much as in antivirus software, and the IDS appliance can dynamically issue configuration change commands to the firewall to block attacks as they occur. A host-based intrusion detection system (HIDS), on the other hand, functions much like a firewall at the OS kernel level; any API or kernel call that is not specifically preapproved by the administrator requires explicit authorization. Calls that are not "authorized" are blocked by default, which means an HIDS can block and log as-yet "undefined" attacks. Newer-generation firewall appliances and Cisco's Integrated Services Router (ISR) series now contain a built-in IDS/IPS.

Content Filtering

Although not a technical security measure per se, filtering and management of Internet content (more specifically, Web electronic mail content) are used to address two of the biggest liability and reputation issues in business today. Uncontrolled employee access to inappropriate (as determined by the corporate acceptable use policy) Internet sites can not only damage the corporate image and risk civil and legal prosecution but can be a precursor to internal attacks on network security and resources. Case in point: an employee who surfs hacker Web sites may be looking for tools to use or may be technologically illiterate and download malicious logic that compromises the network. With regard to electronic mail, businesses may be concerned about unacceptable mail content originated or received under the corporate identity, spam that consumes storage resources, or originated content that divulges sensitive information. E-mail filtering is usually accomplished both on a bastion host in an Internet DMZ (ingress filtering of objectionable content and spam) and on the corporate mail server itself to control employee-to-employee and employee-to-external content. An additional "filtering" capability can be provided by the Packeteer bandwidth manager discussed in Chapter 6. Since the Packeteer recognizes applicationsincluding chat and instant messaging programs and protocols (MS-Chat, AIM, MSN Messenger), peer-to-peer sharing applications (Napster, Gnutella, Bear Share, Lime Wire), and commonly abused Internet bandwidth hogs (Windows Media, QuickTime, Real Media)these applications can be assigned a policy of zero bits per second or "never admit" to block access by application. Chat programs are of particular concern, as they often use dynamic ports and are one of the most active vectors for malicious logic ("bots"). Few business users can substantiate a legitimate need for chat, instant messaging, Internet file sharing, or streaming media.

Virus Protection

Enterprise virus protection is a "must have" in any computing environment. A single uncontrolled outbreak can cost tens of thousand of dollars in PC disinfection costs alone. Heavily infected networks must often be isolated from the Internet and taken out of service to allow IT staff to get ahead of rampant infections. Although most enterprise anti-virus solutions offer similar capabilities, the solutions' effectiveness is determined more by ease of implementation and maintenance than actual protection. The system must be universally installed, employ a locked configuration to prevent software from being disabled, and support centralized real-time reporting and alerting. In a Citrix environment, the most common differentiator is the behavior of the scanner software in a multiuser environment. Initially, only Trend Micro's Server Protect product would consistently run correctly in a multiuser environmentmost products created a new instance of the scanner for every instance of a user application or session; Server Protect generated a single instance in the system's context to monitor all writes to the server. Virus protection products must work seamlessly on all of the enterprise computer systems. Other enterprise vendors have since improved their products' support for Windows Terminal Services and Citrix Presentation Server.

Server Hardening

Server hardening measures are specific to the server OS and applications. In the Windows NT Terminal Server/Citrix MetaFrame XP environment, extensive modifications to the Registry, directory and file permissions, and Registry permissions were required to "secure" the server. Beginning with Windows 2000 and continuing in Windows Server 2003, the vast majority of these changes are made dynamically when Terminal Services mode is invoked. Server hardening in general can be riskyalthough standard security lockdowns may work with terminal servers and well-behaved applications, most legacy applications do not fully comply with Microsoft's Terminal Services API and will experience problems.

To fully harden a Terminal Server (as in the DoD C2 Trusted Computer System Criteria), some changes are still required. Microsoft and Citrix have online databases and security sites that detail changes in server configuration from file and directory permissions, to password and authentication methods, to configuration of server-side protocol stacks. Additional changes to baseline security configurations can be implemented with Microsoft's Security Configuration Editor. If you want government-type security restrictions, configuration guides (including Windows 2000 Terminal Services) and pre-configured *.inf files for the Security Configuration Editor may be downloaded from the National Security Agency's (NSA) System and Network Attack Center (SNAC) at http://www.nsa.gov/snac/.

Patching known vulnerabilities and exploits with hotfixes and service packs is really fundamental software maintenance, yet it is often overlooked. Built-in features like Windows Update are more robust in Windows Server 2003. Supplemental tools such as the Baseline Security Analyzer, which includes a command-line hotfix checker (HFNet-Check), can help verify the state of the server.

Service management has historically been a manual process. Microsoft designed Windows NT and Windows 2000 with a rather extensive list of services that were installed by default. Windows Server 2003 has eliminated 19 major services from the default installation sequence.

The following is a short summary list of important security changes in Windows Server 2003:

• – Stronger ACL to stop access to the root directory (c:\).

• – Changed default share ACL from Everyone:F to Everyone:R.

• – Changed DLL search order to start in system directory.

• – Hardened Internet Explorer.

• – Increased restrictions on Anonymous users and changed group membership: Anonymous users are no longer members of "Everyone" by default.

• – Limits on blank passwords. Changed account permissions; local accounts that have blank passwords cannot be used to remotely connect to a machine.

• – LanManCompatibilityLevel=2 on Servers\Domain Controllers set by default. Windows Server 2003 will not emit insecure LanMan responses, without being set to do so.

• – Remote execution of console applications restricted to administrators only.

• – Two new accounts to run services with lower privileges.

• – IIS not installed by default.

• – Some services changed to disabled by default, including

  • – Alerter

  • – Clipbook

  • – Distributed link tracking server

  • – License logging

  • – Messenger

  • – NetMeeting remote desktop sharing

  • – Routing and remote access

  • – Themes

Microsoft supplies a wide variety of built-in tools to help secure the terminal server. In Windows 2003, policy-based enforcement (group policies) is expanded to include Terminal Servicesspecific policies.

One interesting feature provided by PowerFuse, a third-party environment lockdown utility designed for Terminal Services, is the ability to protect the terminal server from "rogue" applications (accidental or intentional). Administrators can define resource consumption limits for applications, and the PowerFuse CPUShield will police the application to prevent denial of service.

User Environment Management

Because the user environment and experience in a Citrix environment exist on the server, lockdown can be easier than in a distributed computing environment. Conversely, there is a far greater need for such security measures.

In relatively simple (from a security standpoint) Windows networks, Windows' group policies are an effective means of controlling the user environment. In Windows Server 2003, the cumbersome Windows AppSec tool for locking down application availability has been replaced with built-in Software Restriction Policies.

In a Citrix server environment, many lockdown tasks are mitigated by Citrix's ability to publish applications and content directly, without the complexities and security problems associated with a full windows "shell." When possible, running only Published Applications obviates the need to lock down many settings associated with desktops and menus applications run in a seamless window with no exposure of the underlying windows shell (explorer.exe).

As the number of users, different policies, and nested policies grow, the viability of group policies diminishes rapidly . Not only are complex nested policies hard to understand and decipher, excessive nesting can slow logon times substantially. Even the Citrix Published Applications are not suitable for all environments. Users may need, or legacy applications may demand, access to window shell components. In the worst-case scenarios, applications may be dependent upon "desktop" functionality but incapable of running correctly when standard group policies are applied. In complex situations, third-party lockdown products like PowerFuse greatly simplify administration. Users and applications can be provided a dynamic locked desktop, complete with an alternate (more secure) windows shell component. PowerFuse adds a number of essential features, such as the ability to control the spawning of child processes and executables, for example, the ability to block calls to launch Internet Explorer from an embedded URL in an e-mail message.