
Network Security

3. To install the Resource Kit tools, run the rktools.exe package. Using Windows Explorer, browse to the location where you downloaded rktools.exe and double-click the file. This starts the Windows Resource Kit Tools Setup Wizard.

4. Click Next.

5. In the End User License Agreement dialog box, select I agree, and then click Next.

6. In the User Information dialog box, enter your name and organization, and then click Next.

7. Click Install Now, and then click Finish.

8. All necessary files are installed to the %Program Files%\Windows Resource Kits\Tools folder.

9. Before starting and using the Resource Kit tools, please be sure to read the Readme.htm file, which is located in the %Program Files%\Windows Resource Kits\Tools folder. Readme.htm can also be accessed by clicking Start, selecting All Programs, selecting Windows Resource Kit Tools, and then selecting Windows Resource Kit Tools Readme.

Security Options

There are a number of measures that you should take to increase the security of your KDC. These measures can be classified into two categories:

● Measures that improve the security of Kerberos

● Measures that improve the security of Windows Server 2003 itself

The following sections provide some guidelines and suggestions for configuration changes that can be made to enhance your organization's security.

Network Security

If your organization's network is connected to any other networks, either directly or indirectly over the Internet, you should be using some form of perimeter protection to prevent unauthorized access to your network. An example layout of an organization's network is shown in Figure 7.2.

Figure 7.2

Example scenario for network security configuration.

In the scenario presented in Figure 7.2, the organization has two Kerberos realms at different sites with a cross-realm trust between them, connected over the Internet. There are Kerberos clients at both sites, and Kerberos clients external to the sites, that authenticate to the Kerberos KDC. The KDCs synchronize time and obtain DNS information from sources external to the organization. This scenario contains all of the basic network security concepts required for any Kerberos-based security solution.

Table 7.1 lists the ports that are required to be opened for the correct operation of Kerberos 5 across both Windows and UNIX or Linux platforms.

Table 7.1: Required TCP/UDP Ports for the Correct Operation of Kerberos 5

Port              Description

53/UDP, 53/TCP    The DNS Service. The internal Active Directory DNS server needs to be accessible to all clients for the location of KDC computers. The Active Directory domain controllers need to be capable of accessing external DNS servers for resolving external domain name requests.

88/TCP, 88/UDP    The Kerberos Ticket Granting Service. All clients need to be capable of connecting to this port on the KDC servers.

123/UDP           The SNTP and NTP Service. All clients need to be capable of connecting to this port for time synchronization, either to an internal time server or to an external time source. The internal time server will need to connect to an external time source to synchronize.

749/TCP           The Kerberos 5 password changing service. This port is also used by the MIT implementation of Kerberos to provide administrative services. This should be accessible to all clients.

The only port required for authentication to work is port 88; the others are peripheral to authentication, but are required for the infrastructure to function optimally.

Specific firewall configuration is beyond the scope of this guide, and you should refer to your vendor documentation for more information.

Windows Server 2003 has the capability to use IPSec Filters to block and allow specific ports on the domain controller itself. IPSec can perform host-based packet filtering to provide limited firewall capabilities for end systems. You can configure IPSec to permit or block specific types of unicast IP traffic based on source and destination address combinations and specific protocols and specific ports.

Note For more information on IPSec and its use within Windows Server 2003, refer to the IPSec Technical Reference available at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/techref/w2k3tr_ipsec_intro.asp

Table 7.2 lists all of the filters that can be created on a Windows Server 2003 Active Directory Domain controller to maximize security.

Table 7.2: Domain Controller IPSec Filter Network Traffic Map

Service                      Protocol  Source Port  Destination Port  Source Address  Destination Address  Action  Mirror

Replication Server DC Comms  ANY       ANY          ANY               ME              Domain controller    ALLOW   YES

DC Comms                     ANY       ANY          ANY               ME              Domain controller 2  ALLOW   YES

ICMP                         ICMP      ANY          ANY               ME              ANY                  ALLOW   YES

All Inbound Traffic          ANY       ANY          ANY               ANY             ME                   BLOCK   YES

The following procedure shows you how to add an IPSec Filter to allow port 88 for Kerberos authentication. There are two aspects to IPSec filtering: there is an IPSec Filter List that contains details of the port and the source of packets that are required to be filtered, and then there is an IPSec Filter Action that performs an action on an item in the filter list. To create filters for other ports, you will need to modify the procedure details to reflect the port and the actions that you want to take.

To create an IPSec Filter List, follow these steps:

1. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right-click your domain name and select Properties from the menu.

3. In your Domain Properties dialog box, select the Group Policy tab.

4. Select the Default Domain Policy group policy object and click Edit.

5. Expand the Default Domain Policy tree through Computer Configuration, and then through Windows Settings, and then through Security Settings. Right-click IP Security Policies and select Manage IP filter lists and filter actions….

6. In the Manage IP Filter Lists dialog box, select the Manage IP Filter Lists tab, and then click Add. This action is shown in Figure 7.3.

Figure 7.3

Manage IP filter lists and filter actions dialog box

7. Enter a name and description into the Name and Description fields. In this example, you can use "Kerberos Filter" for the name and "Allow traffic to TCP and UDP port 88" for the description. This is shown in Figure 7.4.

Figure 7.4

IP Filter List dialog box

8. Clear the Use Add Wizard check box and click Add.

9. In the IP Filter Properties dialog box, select the Addresses tab, change the Source address to Any IP Address and change the Destination address to My IP Address. Ensure that the Mirrored check box is selected to allow all return traffic to pass unrestricted. This is shown in Figure 7.5.

Figure 7.5

IP Filter Properties Addresses tab

10. Click the Protocol tab and change the Select a protocol type to TCP, select the From any port radio button and the To this port radio button, enter 88 into the text field, and click OK. This is shown in Figure 7.6.

Figure 7.6

IP Filter Properties Protocol tab

11. Repeat steps 8 through 10, replacing TCP with UDP in the protocol type.

This procedure creates an IP Filter List that details packets from any address to the Windows Server 2003 computer on TCP and UDP port 88, and it also includes all responses from the Windows Server 2003 computer to the requesting computer.

An "action" needs to be created to define the steps that are to be carried out on any network traffic that meets the criteria specified in Table 7.3. This is done by carrying out the following procedure.

To create an IPSec Policy for the IPSec Filter List, follow these steps:

1. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers window, right-click your domain name and select Properties from the menu.

3. In your Domain Properties dialog box, select the Group Policy tab.

4. Select the Default Domain Policy group policy object and click Edit.

5. Expand the Default Domain Policy tree through Computer Configuration, then through Windows Settings, and then through Security Settings. Right-click IP Security Policies and select Create IP Security Policy….

6. In the Welcome to the IP Security Policy Wizard, click Next.

7. In the IP Security Policy Name dialog box, enter a relevant value into the Name and Description fields and click Next. In this example, type Kerberos TGS Policy in the Name field and type Allow access to the Kerberos Ticket Granting Service on Port 88 in the Description field. This is shown in Figure 7.7.

Figure 7.7

IP Security Policy Name and Description

8. Clear the Activate the default response rule check box and click Next.

9. Select the Edit properties check box and click Finish.

10. In the Kerberos TGS Properties dialog box, click the Rules tab, clear the Use Add Wizard check box, and then click Add. This is shown in Figure 7.8.

Figure 7.8

New IP Security Policy Properties dialog box

11. In the New Rule Properties dialog box, click the IP Filter List tab and select the radio button next to Kerberos Filter in the IP Filter Lists: area. This is shown in Figure 7.9.

Figure 7.9

New Rule Properties selecting IP Filter
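The two procedures above (creating the "Kerberos Filter" IP filter list, then the "Kerberos TGS Policy" that applies an action to it) can also be scripted with the netsh ipsec static context that ships with Windows Server 2003, which is easier to review and repeat across several KDCs than clicking through the dialogs. The script below is an added example, not part of the guide; the filter list, policy name and descriptions are the ones used in the procedures, while the filter action names ("Permit", "Block"), the rule names and the extra "All Inbound Traffic" list (the last row of Table 7.2) are assumptions chosen for this example.

```batch
@echo off
rem Added example (not from the guide): scripted equivalent of the
rem "Kerberos Filter" list and "Kerberos TGS Policy" procedures using
rem netsh ipsec static on Windows Server 2003. Run from a command prompt
rem on the domain controller. Names marked (assumed) are not from the guide.

rem --- IP Filter List: any address -> my address, TCP and UDP 88.
rem     mirrored=yes also covers the KDC's replies back to the client,
rem     as the "Mirrored" check box does in step 9 of the procedure.
netsh ipsec static add filterlist name="Kerberos Filter" description="Allow traffic to TCP and UDP port 88"
netsh ipsec static add filter filterlist="Kerberos Filter" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=88 mirrored=yes description="Kerberos TGS over TCP"
netsh ipsec static add filter filterlist="Kerberos Filter" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=88 mirrored=yes description="Kerberos TGS over UDP"

rem --- "All Inbound Traffic" list (assumed name): the last row of Table 7.2.
netsh ipsec static add filterlist name="All Inbound Traffic" description="Any protocol, any port, any address to this computer"
netsh ipsec static add filter filterlist="All Inbound Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem --- ICMP list (assumed name): the ICMP row of Table 7.2, so that
rem     connectivity checks to the domain controller keep working.
netsh ipsec static add filterlist name="ICMP" description="ICMP to and from this computer"
netsh ipsec static add filter filterlist="ICMP" srcaddr=me dstaddr=any protocol=icmp mirrored=yes

rem --- Filter Actions (assumed names): pass traffic through, or drop it.
netsh ipsec static add filteraction name="Permit" description="Pass traffic without IPSec protection" action=permit
netsh ipsec static add filteraction name="Block" description="Drop traffic" action=block

rem --- Policy. activatedefaultrule=no matches clearing "Activate the default
rem     response rule" in step 8; assign=no leaves it unassigned for now.
netsh ipsec static add policy name="Kerberos TGS Policy" description="Allow access to the Kerberos Ticket Granting Service on Port 88" activatedefaultrule=no assign=no

rem --- Rules (assumed names) tying each filter list to its action. The IPSec
rem     driver applies the most specific matching filter, so the port-88
rem     permit and the ICMP permit take precedence over the all-inbound block.
netsh ipsec static add rule name="Allow Kerberos TGS" policy="Kerberos TGS Policy" filterlist="Kerberos Filter" filteraction="Permit"
netsh ipsec static add rule name="Allow ICMP" policy="Kerberos TGS Policy" filterlist="ICMP" filteraction="Permit"
netsh ipsec static add rule name="Block all other inbound" policy="Kerberos TGS Policy" filterlist="All Inbound Traffic" filteraction="Block"

rem --- Review what was created before assigning it.
netsh ipsec static show policy name="Kerberos TGS Policy"

rem Assigning is deliberately left as a manual step. Before you do, add the
rem "DC Comms" rows of Table 7.2 for your own domain controllers' addresses,
rem otherwise the block rule will cut off replication with the other DCs.
rem netsh ipsec static set policy name="Kerberos TGS Policy" assign=yes
```

Because the policy is created with assign=no, running the script changes nothing on the wire until the final set policy command is issued; the show policy output lets you confirm that the port-88 filters are mirrored and that the block rule is present before the policy takes effect. The DC-to-DC rows of Table 7.2 are omitted here because they need your own domain controller addresses.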