Chapter 6: Configuring Security

1
Chapter 6 Configuring Security
2
Group Policy and LGPO Setting Options

• Software Installation
• not available with LGPOs
• Remote Installation Services
• Scripts
• Printers
• Security Settings
• Policy-based QOS
• Administrative Templates
• Folder Redirection
• not available with LGPOs
• Internet Explorer Configuration

3
GPO Inheritance

• Order of Inheritance
• Local
• Site (physical location)
• Domain
• Organizational Unit (OU)
• Special Options
• No Override
• Block Inheritance

4
Group Policy Result Tool

• Tool is accessed through the GPResult.exe
  command-line utility.
• GPResult displays the Resultant Set of Policy
  (RSOP) for the computer and the user who is
  currently logged in.

5
Using Local Group Policies

• Used to manage configuration settings for
  workstations in a workgroup environment without
  an Active Directory domain
• Created and assigned through the Local Group
  Policy snap-in
• Two types of policies
• Computer Configuration
• User Configuration

6
Multiple Local Group Policy Objects (MLGPOs)

• New to Windows Vista
• Enables Vista to apply LGPOs to specific users
  rather than apply them to every user on a
  computer
• Applied in the following order
• Local Computer Policy
• Administrators and Non-Administrators Local Group
  Policy
• User-Specific Group Policy

7
Setting Computer Configuration Policies

• Three folders within the Computer Configuration
  folder
• Software Settings
• Windows Settings
• Administrative Templates
• Scripts and Security Settings are found within
  the Windows Settings folder.

8
Windows Settings

• Scripts
• Logon Startup
• Logoff Shutdown
• Security Settings
• Account Policies
• Local Policies
• Windows Firewall with Advanced Security
• Public Key Policies
• Software Restriction Policies
• IP Security Policies
• Policy-based QOS

9
Account Policies

• Password Policy
• Enforce Password History
• Maximum Password Age
• Minimum Password Age
• Minimum Password Length
• Password Must Meet Complexity Requirements
• Store Passwords Using Reversible Encryption
• Account Lockout Policy
• Account Lockout Duration
• Account Lockout Threshold
• Reset Account Lockout Counter After

10
Local Policies

• Audit Policy
• User Rights Assessment
• Security Options
• Contains new policies relating to User Account
  Control (UAC)

11
User Account Control

• New to Windows Vista
• Protects computers by requiring privilege
  elevation for all users including local
  Administrators (except the built-in Administrator
  account)
• Privilege escalation is required whenever the
  four-color shield icon is present

12
Windows Security Center

• Used to configure settings for
• Windows Firewall
• Automatic Updating
• Malware Protection
• Other Security Settings

13
Windows Firewall

• Protects computer from unauthorized users or
  malicious software
• Configuration
• General Tab
• Exceptions Tab
• Advanced Tab
• Windows Firewall with Advanced Security is used
  to configure advanced settings, including inbound
  and outbound rules

14
Windows Defender

• Formerly Microsoft AntiSpyware
• Protects computer from spyware threats
• Tools and Settings
• Options
• Microsoft SpyNet
• Quarantined Items
• Allowed Items
• Software Explorer
• Windows Defender website

15
BitLocker Drive Encryption

• Included with Vista Enterprise and Vista Ultimate
• Used to encrypt the system drive
• Files on other drives must be encrypted with
  another method, such as Encrypting File System
  (EFS)

16
NTFS Permissions

• Six levels of permissions
• Full Control
• Modify
• Read Execute
• List Folder Contents
• Read
• Write

17
Controlling Inheritance

• By default, subfolders and files inherit the
  permissions assigned to the parent folder.
• Prevent permissions from propagating to
  subfolders and files by clearing the Include
  Inheritable Permissions from This Objects Parent
  check box.

18
Determining Effective Permissions

• To determine a users effective rights to a file
  or folder
• Add all the permissions that are allowed to the
  user to all permissions granted to the groups of
  which the user is a member.
• Subtract any permissions similarly denied to the
  user or the users groups.

19
Determining NTFS Permissions for Copied and Moved
Files
20
Managing Network Access

• Share folders that contain files you want to be
  accessible over the network
• Configure sharing from the Sharing tab of the
  folder properties dialog box

21
Configuring Share Permissions

• Permissions can be assigned to users and groups
• Full Control
• Allows full access to the folder
• Change
• Allows users to change data in files or to delete
  files
• Read
• Allows users to view and execute files

22
NTFS Permissions Shared Permissions

• NTFS security and shared folder security work
  together
• The most restrictive permissions are the
  effective permissions
• NTFS security more restrictive than shared folder
  security NTFS permissions are effective
• Shared folder security more restrictive than NTFS
  security Shared folder permissions are
  effective