Before you administer Win2K, install these essential security-related utilities
When you peruse the Microsoft Windows 2000 Server Resource Kit, you'll find the usual wealth of additional documentation and utilities that constitute a Microsoft resource kit. However, this resource kit is especially valuable to administrators who put a premium on security. In this article, I highlight just 10 of the many security-related reasons the resource kit is well worth its $300 price tag. Along the way, I point out several gotchas and drawbacks that you need to be aware of. (Be careful not to confuse the Win2K Server resource kit with the Microsoft Windows 2000 Professional Resource Kit, which is only a subset of the former.)
10. Analyze Security Logs with CLA
When I discovered that the valuable CyberSafe Log Analyst (CLA) is included in the Win2K Server resource kit, I did a double-take. CLA is a Microsoft Management Console (MMC) snap-in that lets you analyze the scattered Security logs of the systems in your domain as a whole. CLA has 11 prebuilt reports that provide useful views of your systems' security activity, but you can also design custom reports. To use CLA, you must first run setup.exe from the resource kit CD-ROM's \apps\loganalyst directory. Then, you can use the new shortcut in Administrative Tools to open CLA.
Using CLA is a three-step process. First, you need to tell CLA which event logs to analyze. To test CLA, you can copy the local system's current event log by right-clicking Logs to be Analyzed and selecting Cut Live Local Event Log. If you want to run reports on the merged activity of multiple systems, you'll first need to use Event Viewer to save each system's event log to an .evt file. (You can also use an event-log-dumping utility. For information about such utilities, see "Archiving and Analyzing the NT Security Log," August 2000.) After saving your logs, add them to CLA by selecting Add Event Log File from the Logs to be Analyzed context menu. Second, to tell CLA to analyze selected logs, select Analyze from the Logs to be Analyzed context menu. This action imports all the selected logs into CLA's native format, from which CLA can then run reports. Third, select and generate the desired report from the Report Templates folder. Figure 1 shows the prebuilt reports you can choose from.
CLA fills an important gap in Win2K's security-monitoring capabilities. Not only does CLA generate sophisticated reports (e.g., failed logon activity), but it also gives you an enterprise view of your entire network's combined activity—not just one system at a time.
9. Control PKI with DSStore
Directory Services Store (DSStore) is a general-purpose command-line utility that helps you diagnose and maintain a Win2K public key infrastructure (PKI) integrated with Active Directory (AD). If you aren't using enterprise root Certificate Authorities (CAs) to run a PKI in Win2K, you won't need this tool. But if you are, this tool is a godsend. DSStore is part of the resource kit's Security Tools component.
Although you can handle most PKI tasks from within the MMC Active Directory Users and Computers snap-in and the MMC Certificate Services snap-in, some operations aren't available from these MMC locations. DSStore lets you list, add, and delete Enterprise Root CAs and maintain certificate revocation lists (CRLs) in AD. DSStore also lets you add Win2K CAs or offline CAs to your enterprise PKI published in AD.
Win2K automatically enrolls users and computers with certificates the first time they perform an operation that requires a certificate. However, you've probably discovered that this process can be time-consuming in large networks. To speed up the process, DSStore lets you pulse auto-enrollment events, which proactively enroll users with appropriate certificates. You can also check the status of domain controller (DC) certificates and verify the validity of smart cards. Look in the resource kit's Tools Help document for more information about DSStore.
8. Manage EFS with EFSinfo
Encrypting File System (EFS) is a new and valuable Win2K feature that lets you protect confidential files—even from intruders who gain physical access to the disk—while remaining transparent to the user. (For more information about EFS, see Mark Russinovich, NT Internals, "Inside Encrypting File System, Part 1," June 1999, and "Inside Encrypting File System, Part 2," July 1999.)
EFS currently lets one user per file designate a file or entire directory as encrypted. To encrypt a directory, you simply open the directory's Properties menu, click Advanced, then select the Encrypt contents to secure data check box, as Figure 2 shows. After you encrypt the directory, you can use the files as you usually do, without thinking about encryption. Win2K automatically encrypts and decrypts file data in memory as applications write to and read the file.
Win2K also supports data-recovery agents so that you can recover data that a user encrypted. You can use Group Policy to assign data-recovery agents to computers. If a user uses EFS to encrypt a file, only the data-recovery agents specified in Group Policy can access that file. Therefore, server administrators might feasibly encounter files they can't read on their own servers.
What if a server administrator needs to recover data but can't determine who originally encrypted it? EFSinfo, a command-line utility that installs with the resource kit's Security Tools component, solves this problem. EFSinfo displays encryption information for a specified directory or file. If you don't specify a pathname, EFSinfo displays encryption information for each file in the current directory.
If you type
efsinfo /u
you learn whether the file is encrypted and who can decrypt it (i.e., who originally encrypted the file). To display a file's authorized data-recovery agents, use the /r switch. In the following example, secret formula.txt was encrypted by Administrator, who is also the data-recovery agent for this system.
D:\confidential>efsinfo /r "secret formula.txt"
D:\confidential
secret formula.txt: Encrypted
Recovery Agents:
MTG\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
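As an added example (not part of the article or the resource kit), the following Python script parses the output of efsinfo /u /r for a directory and lists the encrypted files that a given account can neither decrypt nor recover, which is exactly the situation described above where an administrator finds files on a server that only another recovery agent can open. The sample output is constructed; the "Recovery Agents:" header and the first file match the output shown above, while the "Users who can decrypt:" header and the indentation are assumptions about efsinfo's format.

```python
import re

# Constructed sample of `efsinfo /u /r` output. The "Recovery Agents:" header and
# the first file come from the article; the "Users who can decrypt:" header and
# the indentation are assumptions about efsinfo's output format.
SAMPLE_OUTPUT = """\
D:\\confidential
secret formula.txt: Encrypted
  Users who can decrypt:
    MTG\\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
  Recovery Agents:
    MTG\\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)
project plan.doc: Encrypted
  Users who can decrypt:
    MTG\\rjones (CN=rjones)
  Recovery Agents:
    MTG\\oldagent (OU=EFS File Encryption Certificate, L=EFS, CN=oldagent)
readme.txt: Not Encrypted
"""
# "<file>: Encrypted" / "<file>: Not Encrypted"; the directory line never matches.
FILE_RE = re.compile(r"^(?P<name>.+?): (?P<state>Encrypted|Not Encrypted)$")
# "DOMAIN\account (certificate subject)"
PRINCIPAL_RE = re.compile(r"^(?P<account>\S+) \((?P<subject>.*)\)$")

def parse_efsinfo(text):
    """Return {file: {"encrypted": bool, "users": [...], "agents": [...]}}."""
    files, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:  # new file entry; reset the section being read
            current = {"encrypted": m.group("state") == "Encrypted", "users": [], "agents": []}
            files[m.group("name")] = current
            section = None
        elif line == "Users who can decrypt:":
            section = "users"
        elif line == "Recovery Agents:":
            section = "agents"
        elif current is not None and section is not None:
            pm = PRINCIPAL_RE.match(line)
            if pm:
                current[section].append(pm.group("account"))
    return files

def unrecoverable_by(files, account):
    """Encrypted files that `account` can neither decrypt nor recover (e.g. files
    encrypted under an earlier recovery policy than the current Group Policy agent)."""
    return sorted(name for name, info in files.items()
                  if info["encrypted"] and account not in info["users"]
                  and account not in info["agents"])
```

Run efsinfo /u /r from the directory in question, feed its output to parse_efsinfo, and pass the domain's current recovery-agent account to unrecoverable_by to see which files need an older agent's key.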