Hardening Communications
By: McGraw-Hill/Osborne
    2004-10-06

    Table of Contents:
  • Hardening Communications
  • Use IPSec Policies
  • Use IPSec for Confidentiality
  • Use IPSec to Manage Connections
  • Protect IPSec-Protected Computers During Startup
  • Protect WAN Communications
  • Harden NT 4.0 Remote Access Server Configuration
  • Harden Client Access
  • Use L2TP/IPSec VPNs
  • Harden Remote Access Clients
  • Secure Wireless Access

    (Page 1 of 11)

    This nuts-and-bolts approach provides useful tips for protecting LAN and WAN communications. The discussion covers IPSec and SMB, and how to harden remote access clients. (From Hardening Windows Systems, by Roberta Bragg, McGraw-Hill/Osborne, ISBN: 0072253541.)

    Three basic security processes can be used to harden network communications: authentication, integrity, and encryption. Computer authentication is essential to ensure that data is actually coming from and going to the appropriate computers. If the origin of a communication can be spoofed, or if its destination can be spoofed, there is no way to know whether the information is correct, and no way to avoid sending confidential information where it should not go. Integrity ensures that the data has not changed in transit; if integrity is not guaranteed, an attacker might successfully alter the data. Encryption protects data by making the message useless to anyone who does not possess the key. Not every protocol designed for communications security does all three, but the best protection for data communications will.

    An additional security mechanism, message signing, can guarantee that a specific message came from the computer identified as its source. As part of the negotiation process, the client and server are authenticated. If authentication fails, the communication does not proceed. If authentication succeeds, each packet sent is signed by the source. Without message signing, session hijacking can occur. Session hijacking is an attack in which communications are intercepted and modified en route.

    Protect LAN Communications

    Communications between computers on the LAN can be secured using either SMB message signing or IPSec. While IPSec is the more secure protocol, it is not as easily implemented, nor is it available for all versions of Windows. SMB message signing can be configured for Windows NT 4.0 (post Service Pack 3) as well as Windows XP, Windows Server 2003, and Windows 2000. Windows 95/98 computers running the Directory Services client can also be configured to do SMB message signing. Windows 9x, Windows ME, and Windows NT 4.0 cannot use IPSec in transport mode.

    NOTE: An update for Windows 9x, Windows ME, and Windows NT 4.0 allows these OSs to participate in L2TP/IPSec VPNs. This is different, however, from IPSec in transport mode.

    Use SMB Message Signing and Session Security for NTLM

    Server Message Block (SMB) is the protocol used for file sharing and other communications between Windows computers. It is the basis for NetBIOS communications. SMB signing guarantees the origination of the communication. It is enabled by default on Windows Server 2003 computers but must be configured on the other Windows OSs. Once configured, SMB signing is negotiated during the connection request, and systems that cannot use SMB signing may not be able to communicate with those that can. Two configurations are possible. The first, and most effective, is to configure both server and client to always require SMB signing. Alternatively, signing can be established by mutual agreement. NTLM session security allows encryption (confidentiality) and integrity to be configured.

    HEADS UP! When SMB signing is required, legacy operating systems and some legacy programs will not be able to communicate. There may also be compatibility issues between later versions of Windows. For example, Knowledge Base article 823659 indicates that the secure channel of a trust between Windows NT 4.0 and Windows Server 2003 cannot be reset, that copying files between Windows XP and Windows Server 2003 will be much slower, and that you will not be able to map a network drive from the client.

    Configure Message Signing Using Group Policy

    To configure SMB message signing in Windows Server 2003, Windows XP, and Windows 2000, use the following Group Policy options:

    • Microsoft Network client: Digitally sign communications (always)

    • Microsoft Network client: Digitally sign communications (if server agrees)

    • Microsoft Network server: Digitally sign communications (always)

    • Microsoft Network server: Digitally sign communications (if client agrees)

    Configure Message Signing Using Registry Entries

    To configure client-side SMB message signing in Windows NT 4.0 post Service Pack 3, and in Windows 95/98 computers running the Directory Services client, add the REG_DWORD registry value RequireSecuritySignature or EnableSecuritySignature and set the value to 1. To disable SMB signing, set the value to 0. The value location is the registry path

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature

    To configure server-side SMB message signing for Windows NT 4.0 post Service Pack 3, configure the value at the registry path

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature

    Windows NT 4.0 must be restarted for the configuration to be enabled.
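The following PowerShell script is an added example, not code from the book excerpt. It audits the client- and server-side SMB signing values named above and, with -Enforce, sets them to the "always" configuration. It assumes a Windows host with PowerShell, where the Group Policy options listed earlier write these same registry values (RequireSecuritySignature for "always", EnableSecuritySignature for "if the peer agrees").

```powershell
# Added example, not from the book excerpt. Audits the SMB signing values the
# article names and, with -Enforce, sets both to "always". Assumes a Windows
# host with PowerShell; the Group Policy options above write these same
# registry values (RequireSecuritySignature = always, EnableSecuritySignature
# = if peer agrees). Run from an elevated prompt when using -Enforce.
param([switch]$Enforce)

$Targets = @(
    @{ Role = 'Client (LanmanWorkstation)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' },
    @{ Role = 'Server (LanmanServer)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
)

function Get-DwordOrZero {
    # A missing value means "not configured"; report it as 0 (off).
    param([string]$Path, [string]$Name)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { 0 } else { [int]$v }
}

foreach ($t in $Targets) {
    $require = Get-DwordOrZero -Path $t.Path -Name 'RequireSecuritySignature'
    $enable  = Get-DwordOrZero -Path $t.Path -Name 'EnableSecuritySignature'

    $mode = if ($require -eq 1)    { 'ALWAYS (required)' }
            elseif ($enable -eq 1) { 'if peer agrees (negotiated only)' }
            else                   { 'DISABLED - unsigned SMB accepted' }
    Write-Output ('{0,-28} signing: {1}' -f $t.Role, $mode)

    if ($Enforce -and $require -ne 1) {
        # "Always" is the stricter of the two configurations the article
        # describes; the HEADS UP! compatibility caveat applies.
        Set-ItemProperty -Path $t.Path -Name 'RequireSecuritySignature' -Value 1 -Type DWord
        Set-ItemProperty -Path $t.Path -Name 'EnableSecuritySignature'  -Value 1 -Type DWord
        Write-Output ('{0,-28} set to require signing (restart to apply)' -f $t.Role)
    }
}
```

Run it without -Enforce first to see where a host stands; a "DISABLED" line on the server side means it will still accept unsigned SMB sessions.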

    Configure NTLM Session Security

    Two Group Policy Security Options control NTLM session security settings:

    • Network security: Minimum session security for NTLM SSP-based (including secure RPC) clients

    • Network security: Minimum session security for NTLM SSP-based (including secure RPC) servers

    For each, four options are available:

    • Require message integrity

    • Require message confidentiality

    • Require NTLMv2 session security

    • Require 128-bit encryption
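As an added example (not from the book excerpt), this PowerShell script decodes the two policies above into the four check boxes. It assumes a Windows host; the registry location (the MSV1_0 key's NtlmMinClientSec and NtlmMinServerSec values) and the bit values are standard Windows behaviour for these policies rather than something the article states, and the $Baseline is this example's own choice.

```powershell
# Added example, not from the book excerpt. Decodes the two NTLM minimum
# session security policies listed above into the four check boxes. Assumes a
# Windows host; the registry location and the bit values are standard Windows
# behaviour for these policies, not stated in the article. The $Baseline is
# this example's own choice (NTLMv2 session security plus 128-bit encryption).
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# One entry per check box, in the article's order.
$Flags = @(
    @{ Bit = 0x00000010; Name = 'Require message integrity' },
    @{ Bit = 0x00000020; Name = 'Require message confidentiality' },
    @{ Bit = 0x00080000; Name = 'Require NTLMv2 session security' },
    @{ Bit = 0x20000000; Name = 'Require 128-bit encryption' }
)
$Baseline = 0x20080000

function Get-NtlmMinSec {
    # Missing value = policy not configured; report as 0 (nothing required).
    param([ValidateSet('NtlmMinClientSec', 'NtlmMinServerSec')][string]$Name)
    $v = (Get-ItemProperty -Path $LsaPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { 0 } else { [int]$v }
}

foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
    $value = Get-NtlmMinSec -Name $name
    Write-Output ('{0} = 0x{1:X8}' -f $name, $value)
    foreach ($f in $Flags) {
        $mark = if (($value -band $f.Bit) -ne 0) { 'x' } else { ' ' }
        Write-Output ('  [{0}] {1}' -f $mark, $f.Name)
    }
    # Bits the baseline requires but this host does not.
    $missing = $Baseline -band (-bnot $value)
    if ($missing -ne 0) {
        Write-Output ('  WARNING: below baseline, missing 0x{0:X8}' -f $missing)
    }
}
```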

     

    This is from Hardening Windows Systems, by Roberta Bragg (McGraw-Hill/Osborne, ISBN: 0072253541).

    © 2003-2009 by Developer Shed. All rights reserved.