7

Configuring Proxy Server Security and Authentication

NT security is a difficult thing for some people to grasp. Most people are familiar with logging in to Windows 3.x or Windows 95, but few realize what that process does as far as network security goes. This chapter details the issues involved with security on an NT-based network and how you can optimize your network arrangement when dealing with Microsoft Proxy Server.

Workgroups vs. Domains

If you're a network administrator for a company, or just for yourself, you probably already understand the difference between workgroups and domains. Much of this chapter may cover elements of NT you are already very familiar with. To be on the safe side, I'll cover security from the ground up. If you are an administrator for a medium or large NT-based network, arranging your NT security groups correctly up front can save you from redoing your security arrangement time and time again. The first element you should be clear on is the difference between workgroups and domains. The purpose of both is to group a set of users and systems into a coherent relationship for easy management and navigation. Workgroups have no central security figure while domains do.

In a Windows NT-based network, you are the name and password you log in to a network workstation with. Other actions that require passwords, such as dialing in to a remote access server, allow you to enter an alternate name and password, but this information only applies to the single action such as gaining authorization to connect. Once a RAS connection is gained with a separate user name and password, all other network authorization is done based on the Windows login name and password given when the workstation was first started.

Microsoft Proxy Server security relies directly on the internal security found in Windows NT architecture. When NT servers are used in a workgroup-based network, the user information provided on each server is separate and independent. Each server (or NT workstation system) can maintain a full database of users and groups. These user and group definitions only apply to accessing the particular server on which they are kept.

Arranging a network into a domain takes a little more effort to manage, but the benefits of less confusion and tighter security far outweigh the extra management effort. NT servers in a workgroup are like islands of independent security. The security credentials needed to access resources or services on one NT server may not be the same as needed for a different NT server.

Login Process

Several things happen when a workstation logs on to a network. If the workstation is set to log on as a workgroup member, the workstation itself performs user authentication with its own user database of information. If the workstation is set to log on as a domain member, the workstation machine will consult the primary domain controller of the domain for user authentication. A login proceeds in this manner:

  1. The domain controller must be found before the logon, when the system is started. This process is called discovery, and is only done when a workstation is set to log on to a domain. The actual method of discovery depends on the protocol(s) the network uses. To discover a PDC (primary domain controller), a workstation generally must perform a network broadcast, which will trigger the PDC of the network to perform its own broadcast to indicate where the PDC can be found with a directed datagram. Once the workstation receives the broadcast response from the PDC letting the workstation know exactly where it can find the PDC with directed datagrams, the next step of logging on can proceed.
  2. Once the PDC is found, the workstation attempts to establish a secure channel between itself and the PDC (or a BDC, a backup domain controller, if the BDC responded in place of the PDC). This secure channel consists of datagrams directed back and forth between the workstation and PDC. Each side must prove to the other that they are who they say they are. This process is called Secure Channel Setup.
  3. Once the workstation and the PDC have found each other and set up a secure channel, Pass Through Authentication can occur. This process is where the workstation sends the login user name and password to the PDC (or a BDC) in encrypted format. If the user information is correct, the PDC sends back an OK for the workstation to permit the login.
  4. After authentication is complete, the system and user are given a security token by the controller that performed the authentication. This token is the actual network item which is passed around to network servers accessed by the client workstation. Any target server will use this token to consult a controller to find out if it is valid and if the associated user should be granted access to use whatever resource the user is attempting to access.

A Microsoft Proxy Server is like any other resource on the network. Accessing it takes proper network validation. The Microsoft Proxy Server service is fully capable of utilizing the internal NT security process.

Domain Controllers

On an NT-based network, the central authority figures are known as controllers. There is one primary domain controller and any number of backup domain controllers. These systems are responsible for fielding all Microsoft Network Domain logins and granting or denying access to secured network resources. PDCs and BDCs will always be NT servers and will all share information. User data stored on the PDC is replicated to all BDCs across the domain. The network administrator determines which NT systems are to be BDC machines when these systems are installed. The job of BDCs is to share some of the workload of the PDC. On medium or large networks, a single authority figure might quickly become overloaded with network traffic. BDCs help to ensure that network performance is kept as high as it can be.

Administration of user data can be done from any NT machine, server, or workstation, so long as the user logged in has administrator rights. The main application for modifying user data is User Manager for Domains, which is found in the Administrative Tools folder. When systems are not members of a domain, this application will only modify user information stored in the local user database. When an NT system is a member of a domain, this application will link to an available controller and modify the domain-wide user database.

When talking about user information concerning Microsoft Proxy Server authentication, I'm talking about a domain-wide database of user information. Yes, a Microsoft Proxy Server machine can be a completely isolated server, not part of any domain. However, if a Microsoft Proxy Server is running on an isolated system, the task of managing separate authorization for network users and Microsoft Proxy Server users becomes far more time-consuming and counterproductive.

Likewise, I deal exclusively with a domain-based network. If your network is a workgroup-based network, this chapter will still hold valuable information for you. However, the discussion will then pertain to managing the user database only on the NT server running Microsoft Proxy Server because workgroup machines do not share common authentication data.

The User Manager for Domains

The User Manager for Domains (UMD - don't ya just love the endless barrage of acronyms?) can be found in the Administrative Tools folder. It can also be manually started by running USRMGR.EXE. This utility will only run on an NT system. Figure 7.1 shows the User Manager for Domains.

Figure 7.1. The NT User Manager for Domains.

This section will not cover all aspects of the UMD. It will cover how to create security groups and perform basic user management tasks.

The top portion of the UMD shows the members of the currently selected domain (which is displayed at the very top of the UMD). The bottom portion of the UMD shows the security groups for the current domain. By default, NT comes preconfigured with a full range of security groups.

This chapter assumes that you have an understanding of the basic UMD functions, such as creating new user accounts and assigning them to local groups (the Users group or the Administrators group, for example).

NT Security Groups

NT security uses two kinds of groups: local and global. The difference between the two is difficult to grasp at times. In general, local groups define security for groups of users only on the local domain. Global groups are used to group users from one domain so that they can easily be granted access rights on another domain. Trust relationships can be established between two or more NT domains that make it simple for users of one domain to access resources found in another domain without requiring the user to get an actual login account on the other domain. Global security groups can only contain users, whereas local groups can contain users and other groups.

Another major difference between local and global groups is that by default, global groups have no permissions assigned to them. Only local groups have permissions for NT actions. Global groups are primarily used for grouping sets of users. In order to assign permissions for various NT activities, users must be assigned to a local group.

In the lower portion of the UMD, the globe and users icon denotes a global group, and the computer and users icon denotes a local group.

The best approach to NT security for Microsoft Proxy Server users is to create at least one global group for Internet users. If you need to separate out users for various Internet protocols (such as FTP, HTTP, Gopher, or any of the protocols supported by the WinSock Proxy such as NNTP, SMTP, or POP3), you can create global groups for each protocol and assign users to those groups for easy installation into the security definitions within Microsoft Proxy Server.

Creating a Global Security Group

To create a global group, follow these steps:

  1. Click the File menu in the User Manager for Domains.
  2. Click the New Global Group selection.
  3. A create global group dialog box will appear, as shown in Figure 7.2.

    Figure 7.2. Adding a new global group.

  4. The name of the group should appear in the Group Name field. In this example it should be "Proxy Users".
  5. The Description field can be any description you want to give this group.
  6. Next, you will need to indicate which users should be members of this group. The Not Members list shows all users who are not currently members of this group. Because this is a new group, the Not Members list shows all NT users. Select all users who should be allowed general proxy access and then click Add.
  7. Click OK and the Proxy Users group will be created and a set of users defined.

Make sure you do not add the IUSR_servername user to the group. This account is created by the IIS installation routine and is used for anonymous access to IIS services. If this account is added to the group, anonymous users will be granted access to whatever features you assign to the Proxy Users group. This account should only be dealt with on an individual basis and never assigned to any global group.

Once the group is created, it can then be used within Microsoft Proxy Server to define access to various protocols. If this group needs to have special NT network permissions granted to it, the group can be nested within an existing local group that already has the permissions assigned to it. This approach is a simple way of cutting down some of the management time spent on security. If a group of users needs to have certain access permissions in more than one domain, two groups should be created, one local and one global. Both can have the same name. Users should then be assigned to the global group, and the global group should be nested within the local group. The local group can then be granted whatever permissions are needed, and those permissions will filter down to the global group users.

The next step is to grant this group access to a supported protocol, either in the Web Proxy or the WinSock Proxy.

Granting Proxy Permission to the New Group

Open the IIS Service Manager, and then open the properties for the Web Proxy. I will discuss how to grant permission to a group within Microsoft Proxy Server, but Chapter 8, "Configuring Proxy Server Security and Authentication," covers in greater detail the issues associated with Microsoft Proxy Server configuration. Once you have opened properties of the Web Proxy, select the Permissions tab. Figure 7.3 shows this dialog box.

Figure 7.3. Web Proxy Permissions.

By default, no permissions are configured for any protocol in Microsoft Proxy Server. Therefore, no users have access to get out to the Internet through the Web Proxy (or the WinSock Proxy). In order to grant access permission to the new Proxy Users group, do the following:

  1. Select the protocol you wish to grant access to in the Protocol drop down list. For this example, I'll select the WWW (HTTP) protocol.
  2. Click the Add button. This will call up a dialog box for adding groups or users to the access list for this protocol. This dialog box is shown in Figure 7.4.

Figure 7.4. The Add Users and Groups dialog box.

  3. The List Names from drop down list will allow you to select any domain you currently have access to. Access to foreign domains can be through a trust relationship or from having a parallel account in other domains. By default, you will be selecting users and groups from the local domain.
  4. By default, only local and global groups are listed. However, you can list users by clicking the Show Users button. This will display the users of the domain as well as the groups. Configuring individual users is OK for small networks or special cases, but can be a management nightmare for medium or large networks. You should always work with groups whenever possible.
  5. Scroll down the Names list until the Proxy Users group is displayed.
  6. Highlight the Proxy Users group, and click the Add button. This will add the Proxy Users group to the Add Names list.
  7. You can select any additional groups or users to grant WWW access permission to if you have need.
  8. Click OK to return to the Permissions tab, and the group will show up in the Grant Access To list area as having access to use the WWW protocol.

The Members button on the Add Users and Groups dialog box will display a list of users for the currently highlighted group. This is shown in Figure 7.5.

Figure 7.5. Displaying the members of a group.

If more than one group is selected, this button will not be available. The Add button at the bottom of this dialog box will add the group to the Add Names list on the Add Users and Groups dialog box. It is not for adding additional users to the group. This function allows you to view which users are members of the group, if you can't recall from memory.

The Search button on the Add Users and Groups dialog box will let you search for users or groups on the local domain, or on domains that you have access to (either through a trust relationship, or by having a parallel account on the other domain(s)). Figure 7.6 shows this dialog box.

Figure 7.6. Searching for a user or group.

In this dialog box you can indicate which domains to search and the name of the user or group you want to search for. You can search in the local domain or in all available domains. By default, all domains will be searched. If my network had access to other domains, the other domains would be listed as well.

Search results will be displayed in the lower area. Elements of the search result can be selected and the Add button can be clicked to add the user or group to the permissions list.

Once you have added the Proxy Users group to the permission list for the WWW protocol, the users of that group will be able to use web browsers through Microsoft Proxy Server Web Proxy to access WWW sites on the Internet.

Complete this process for all of the protocols (WWW, FTP, Gopher or Secure) you need to grant users permissions to. The process for adding permissions to WinSock Protocols is very similar, but the WinSock Proxy has special universal access settings that make it easier to grant global protocol permissions for a group of users. This will be covered in greater detail in Chapter 8.
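The following is an added example, not code from this chapter or from Microsoft Proxy Server: a small Python model of the rules above (global groups hold only users, groups can be nested inside local groups, and a protocol with an empty permission list grants access to nobody) that resolves who can actually use each protocol and flags an IUSR_servername account that gained access through a group. The `user:`/`global:`/`local:` notation, the server name WEB1, and every user and group name other than Proxy Users are assumptions made for the illustration.

```python
# Constructed sample data. The "user:/global:/local:" prefixes, the server
# name WEB1 and all names except "Proxy Users" are hypothetical.
GROUPS = {
    "global:Proxy Users": ["user:alice", "user:bob"],
    "global:FTP Users": ["user:carol", "user:IUSR_WEB1"],  # the mistake
    "local:Internet Access": ["user:dave", "global:FTP Users"],  # nesting
}
# Per-protocol grant lists as set on the Permissions tab; empty = no access.
PERMISSIONS = {
    "WWW": ["global:Proxy Users"],
    "FTP": ["local:Internet Access", "user:erin"],
    "Gopher": [], "Secure": [],
}

def check_nesting(groups):
    """Global groups may contain only users; report any that contain a group."""
    return [
        f"{name} contains group {member}"
        for name, members in groups.items() if name.startswith("global:")
        for member in members if not member.startswith("user:")
    ]

def expand(principal, groups, seen=None):
    """Resolve a user or group entry to the set of user names it covers."""
    seen = set() if seen is None else seen
    kind, name = principal.split(":", 1)
    if kind == "user":
        return {name}
    if principal in seen or principal not in groups:
        return set()  # already visited (cycle guard) or unknown group
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def effective_access(permissions, groups):
    """Map each protocol to the users its permission list really admits."""
    return {
        proto: set().union(*(expand(entry, groups) for entry in entries))
        for proto, entries in permissions.items()
    }

def anonymous_exposure(permissions, groups):
    """Find IUSR_ accounts that reach a protocol through a group entry."""
    findings = []
    for proto, entries in permissions.items():
        for entry in entries:
            if entry.startswith("user:"):
                continue  # individually granted accounts are not the concern
            for user in sorted(expand(entry, groups)):
                if user.upper().startswith("IUSR_"):
                    findings.append((proto, entry, user))
    return findings

if __name__ == "__main__":
    print(check_nesting(GROUPS))
    print(effective_access(PERMISSIONS, GROUPS))
    for proto, entry, user in anonymous_exposure(PERMISSIONS, GROUPS):
        print(f"WARNING: {user} reaches {proto} through {entry}")
```

In the sample data the anonymous account was placed in a global group that is nested inside a local group, so it does not appear anywhere on the FTP permission list itself; only resolving the nesting reveals it.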

Understanding User Access Rights

User access rights are network function permissions which are assigned to local groups. User rights can grant permission to perform such actions as log onto the PDC, and perform file backup on files owned by other users. Groups can have access rights assigned to them, and individual users can have additional specific access rights granted to them without having to be part of a group that already has the desired right. Accessing the User Rights Policy configuration dialog box is done through the User Rights option on the Policy menu in User Manager for Domains. Figure 7.7 shows this dialog box.

Figure 7.7. The User Rights editor.

The Rights drop down list can be used to select which system right to assign to a group or a user. The Grant To list area shows which groups and users already have the selected right.

The Add button can be used to assign other groups or users the selected right. The Add button will produce a dialog box which is identical to the one shown earlier in Figure 7.4. From this dialog box, you can select a group or user to whom to grant the selected right.

The Show Advanced User Rights check box will make available an expanded set of user rights to configure.

Accessing Microsoft Proxy Server requires no special user rights. Access to protocols supported by both the Web Proxy and the WinSock Proxy is controlled purely on a group or individual user basis. Some inexperienced network administrators get confused by the difference between user rights and group access. User rights are solely associated with performing pre-established network functions. To become more familiar with what user rights are part of the NT operating system, enable Show Advanced User Rights and scroll through the Rights drop down list. Most of the rights are self-explanatory.

Controlling Inbound Access from the Internet

When Microsoft Proxy Server is installed, two elements of NT are altered so that security is enhanced. The first element that is altered is IP Forwarding, a setting found within the TCP/IP settings, which is turned off. It controls whether or not NT will forward IP packets between the network interfaces it manages (such as a network card and a RAS connection to an Internet provider). Under conditions where a dedicated full-time Internet connection is available to a network, and each workstation on the LAN is configured for its own direct Internet access, IP forwarding must be enabled for workstations to pass their packets out to the Internet and vice versa. Turning IP forwarding off will in itself halt all inbound traffic at the NT server that is connected to the Internet.

To further restrict access to the NT server from clients connecting from the Internet, Microsoft Proxy Server disables listening on all TCP/IP ports which do not have permissions set for them. This means that any Internet server application (such as an FTP server, a telnet server, or a POP3 server) running on the connected NT server will be unable to hear any external inbound traffic until permissions are set for the associated protocol in the WinSock Proxy. The Web Proxy only listens to port 80 for traffic. If permissions are set for any of the supported protocols in the Web Proxy, port 80 will be listened to for inbound traffic.

Isolating Microsoft Proxy Server on Its Own Domain

If you want to set your network security at a very high level for proxy access, one approach is to set up the NT server running Microsoft Proxy Server as a primary domain controller of its own domain. A one way trust relationship can then be established between the Proxy domain and the network domain. The Proxy domain would be set to trust the network domain, but the network domain would not trust the Proxy domain. This arrangement will further limit the access that can take place between the proxy server and all other systems on the network domain.

This arrangement also works well when the network is not set as a domain, but rather a workgroup. The NT server running Microsoft Proxy Server can be set as a primary domain controller of its own domain, which will give greater security control and allow easier expansion for future growth.

Summary

NT Security is fairly easy to understand and administer. The global nature of an NT domain makes it very simple to manage a group of users and grant them permission to access such things as Microsoft Proxy Server. How you structure your access groups depends on what level of control you need to have over your LAN users. If you have a large LAN with a wide range of users needing different types of access, setting up multiple global groups will help you maintain easy control. Setting users as members of global groups will also allow you to grant access to users from other domains to use a Microsoft Proxy Server on your domain and vice versa.