1 YEAR UPGRADE BUYER PROTECTION PLAN™

Your Complete Guide to Configuring a Secure Windows 2000 Network

• Complete Coverage of Internet Information Services (IIS) 5.0
• Hundreds of Configuring & Implementing, Designing & Planning Sidebars, Security Alerts, and FAQs
• Complete Coverage of Kerberos, Distributed Security Services, and Public Key Infrastructure

Chad Todd
Norris L. Johnson, Jr., Technical Editor

From the authors of the bestselling HACK PROOFING™ YOUR NETWORK

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

• One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
• “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
• Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
• Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Windows 2000

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-49-3

Technical Editor: Norris L. Johnson, Jr.
Cover Designer: Michael Kavish
Co-Publisher: Richard Kristof
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editor: Darlene Bordwell
Developmental Editor: Jonathan Babcock
Indexer: Robert Saigh
Freelance Editorial Manager: Maribeth Corona-Evans

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Eric Green, Dave Dahl, Elise Cannon, Chris Barnard, John Hofstetter, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise. In addition, a special thanks to Janis Carpenter, Kimberly Vanderheiden, and all of the PGW Reno staff for help on recent projects.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, Paul Zanoli, Alan Steele, and the great folks at Graphic Services/InterCity Press for all their help.

From the Author

I would like to thank Paul Salas, coauthor of Administering Cisco QOS for IP Networks by Syngress Publishing, for introducing me to the folks at Syngress and Chris Jackson for his support and encouragement. I would also like to thank the authors of Configuring Windows 2000 Server Security, Thomas Shinder, Debra Shinder, and Lynn White, for providing the foundation for this book. Finally, a thank you to the editors that made this book possible—Jon Babcock, Catherine Nolan, Norris Johnson, Thomas Llewellyn, and Melissa Craft.

I would also like to thank my wife Sarah who is a tremendous help in my work and supportive of the numerous hours spent on my various projects. Without Sarah’s loving support, I would not be able to accomplish my personal or professional goals.
Author

Chad Todd (MCSE, MCT, CNE, CNA, A+, Network+, i-Net+) is a Systems Trainer for Ikon Education Services, a global provider of technical training. He currently teaches Windows 2000 Security classes. In addition to training for Ikon, Chad also provides private consulting for small- to medium-sized companies. Chad writes practice tests for Boson Software and is the coauthor of Test 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition. Chad first earned his MCSE on Windows NT 4.0 and has been working with Windows 2000 since its first beta release. He was awarded Microsoft Charter Member 2000 for being one of the first 2000 engineers to attain Windows 2000 MCSE certification. Chad lives in Columbia, SC with his wife Sarah.

Technical Editor

Norris L. Johnson, Jr. (MCSE, MCT, CTT, A+, Network+) is a Technology Trainer and Owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies. He specializes in Windows NT 4.0 and Windows 2000 issues, providing planning and implementation and integration services. In addition to consulting work, Norris is a Trainer for the AATP program at Highline Community College’s Federal Way, WA campus and has taught in the vocational education arena at Bates Technical College in Tacoma, WA. Norris holds a bachelor’s degree from Washington State University. He is deeply appreciative of the guidance and support provided by his parents and wife Cindy while transitioning to a career in Information Technology.

Contributors

Dr. Thomas W. Shinder, M.D.
(MCSE, MCP+I, MCT) is a Technology Trainer and Consultant in the Dallas-Ft. Worth metroplex. He has consulted with major firms, including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Tom is a Windows 2000 editor for Brainbuzz.com, a Windows 2000 columnist for Swynk.com, and is the author of Syngress’s bestselling Configuring ISA Server 2000 (1-928994-29-6).

Tom attended medical school at the University of Illinois in Chicago and trained in neurology at the Oregon Health Sciences Center in Portland, OR. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on systems engineering. Tom and his wife, Debra Littlejohn Shinder, design elegant and cost-efficient solutions for small- and medium-sized businesses based on Windows NT/2000 platforms. Tom has contributed to several Syngress titles, including Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4), and Managing Windows 2000 Network Services (ISBN: 1-928994-06-7), and is the coauthor of Troubleshooting Windows 2000 TCP/IP (1-928994-11-3).

Debra Littlejohn Shinder (MCSE, MCT, MCP+I), is an Independent Technology Trainer, Author, and Consultant who works in conjunction with her husband, Dr. Thomas Shinder, in the Dallas-Ft. Worth area. She has been an instructor in the Dallas County Community College District since 1992, and is the Webmaster for the cities of Seagoville and Sunnyvale, TX.
Deb is a featured Windows 2000 columnist for Brainbuzz.com and a regular contributor to TechRepublic’s TechProGuild. She and Tom have authored numerous online courses for DigitalThink (www.digitalthink.com) and have given presentations at technical conferences on Microsoft certification and Windows NT and 2000 topics. Deb is also the Series Editor for the Syngress/Osborne McGraw-Hill Windows 2000 MCSE study guides. She is a member of the Author’s Guild, the IEEE IPv6 Task Force, and local professional organizations.

Deb and Tom met online and married in 1994. They opened a networking consulting business and developed the curriculum for the MCSE training program at Eastfield College before becoming full-time technology writers. Deb is the coauthor of Syngress’s bestselling Configuring ISA Server 2000 (1-928994-29-6). She has also coauthored Syngress’s Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3) and has contributed to several Syngress titles, including Managing Windows 2000 Network Services (ISBN: 1-928994-06-7) and Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4).

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a Security Consultant. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He has held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force.

While in the Air Force, Stace was also heavily involved for over 14 years in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. This not only included American equipment but also equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO).
Stace was an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has coauthored over 18 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He has also performed as Technical Editor for various other books and is a published author in Internet Security Advisor magazine.

His wife Martha and daughter Marissa are very supportive of the time he spends with his computers, routers, and firewalls in the “lab” of their house. Without their love and support he would not be able to accomplish the goals he has set for himself.