Introduce security configuration - PowerPoint PPT Presentation

About This Presentation
Title:

Introduce security configuration

Description:

a Microsoft Windows Server 2003 Active Directory Infrastructure ... Security event log can become inundated with entries. Solutions ... – PowerPoint PPT presentation

Slides: 95
Provided by: cltAs
Learn more at: http://clt.astate.edu

Transcript and Presenter's Notes


1
Goals
  • Introduce security configuration
  • Introduce auditing
  • Set audit policy on a domain controller
  • Set audit policy on a stand-alone server or
    computer
  • View the Security log
  • Audit user access to Active Directory objects
  • Assign user rights to users and groups

2
Goals (2)
  • Implement account policy
  • Implement security templates
  • Use the Security Configuration and Analysis
    console
  • Use the Security Configuration and Analysis
    console to configure security
  • Troubleshoot security configuration issues

3
(Skill 1)
Introducing Security Configuration
  • Security configuration is the process of setting
    up a security policy
  • For an individual system
  • For a network
  • Security policies are required
  • Guard against unauthorized internal users
  • Protect from external threats

4
(Skill 1)
Introducing Security Configuration (2)
  • Use security configuration
  • To set up security policies
  • Account
  • Local
  • To create access control policies
  • Services
  • Registry
  • Files

5
(Skill 1)
Introducing Security Configuration (3)
  • Use security configuration
  • To define event logs settings
  • To determine group membership settings
    (restricted groups)
  • To create public key policies
  • To set Internet Protocol (IP) security policies

6
(Skill 1)
Introducing Security Configuration (4)
  • Factors to consider while designing security
    policies
  • Physical distribution of the network
  • Business model of the organization
  • Network load due to inter-computer dataflow and
    access
  • Overall computer usage

7
(Skill 1)
Introducing Security Configuration (5)
  • Windows Server 2003 Security Configuration tools
  • Group Policy Object Editor is used to apply
    security settings centrally for the computers in
    a domain.
  • Use the Security Settings extension in the Group
    Policy Object Editor to apply different
    categories of security policies

8
(Skill 1)
Figure 12-1 Security extension of the Group
Policy Object Editor
9
(Skill 1)
Introducing Security Configuration (6)
  • Categories of security policies
  • Account policies
  • Can only be set for the entire domain
  • Password policy
  • Account lockout policy
  • Kerberos policy

10
(Skill 1)
Figure 12-2 Password Policy settings
11
(Skill 1)
Introducing Security Configuration (7)
  • Categories of security policies
  • Local policies
  • Audit policy
  • User rights assignment
  • Security options

12
(Skill 1)
Introducing Security Configuration (8)
  • Categories of security policies
  • Event log allows you to specify security log
    settings
  • Maximum size of the event log file
  • Logging options
  • Event log access rights

13
(Skill 1)
Introducing Security Configuration (9)
  • Categories of security policies
  • Restricted Groups allows you to define additional
    control over the membership of key groups
  • Defining a group as a restricted group
  • Setting the membership for the group
  • Configuring member groups and users for the
    restricted group

14
(Skill 1)
Introducing Security Configuration (10)
  • Categories of security policies
  • System Services allows you to configure the
    startup settings for services on a computer
  • Startup mode settings: Automatic, Manual, and
    Disabled
  • Can specify which security group or user can
    modify a service's properties (start, stop, or
    pause)

15
(Skill 1)
Figure 12-3 System Services security settings
16
(Skill 1)
Introducing Security Configuration (11)
  • Categories of security policies
  • Registry
  • Registry security settings allow you to set
    permissions for users to read, modify, and add
    new keys to the Registry
  • File System
  • Allows you to set access permissions for folders
    and files on the computer
  • Settings only apply to computers with NTFS drives

17
(Skill 1)
Figure 12-4 Files and Folders permissions settings
18
(Skill 1)
Introducing Security Configuration (12)
  • Categories of security policies
  • Wireless Network (IEEE 802.11) Policies control
    network security settings for supported wireless
    networking devices
  • Public Key Policies are used to configure
    public key encryption
  • IP Security Policies are used to configure IP
    security for TCP/IP-based communication between
    servers, clients, and domain controllers using
    Microsoft's version of IPSec

19
(Skill 2)
Introducing Auditing
  • Auditing is used to track user activities and
    object access on the computers on a network
  • Regular auditing ensures security of network
    resources
  • Auditing can discover security breaches
  • Auditing can help in resource planning for the
    computers on the network

20
(Skill 2)
Introducing Auditing (2)
  • Steps in setting up a security audit
  • Determine carefully the events to be audited on
    each computer
  • Security events that can be tracked
  • Who logged on to a computer and when?
  • What files were accessed or folders were created?
  • What printers were used?
  • What Registry keys were accessed when, and by
    whom?
  • What actions the users attempted to perform on
    them?

21
(Skill 2)
Introducing Auditing (3)
  • Steps in setting up a security audit
  • Decide the computers, users, or groups to be
    tracked
  • Activate the audit object access policy.

22
(Skill 2)
Introducing Auditing (4)
  • Activating the audit object access policy
  • Configure the audit object access policy in the
    Properties dialog box and the System ACL editor
    for the object
  • Select who you are going to audit
  • Choose what file system actions you want to
    monitor in the SACL editor for the file or folder

23
(Skill 2)
Introducing Auditing (5)
  • Monitoring a particular event
  • Define an audit policy in the Audit Policy folder
  • The audit policy tells the operating system what
    to record in the Security event log on each
    computer
  • On a domain controller, modify the default domain
    policy by using the Group Policy Management
    console
  • Only Domain Administrators and Enterprise
    Administrators can configure auditing at the
    domain level

24
(Skill 2)
Figure 12-5 Audit policy
25
(Skill 2)
Introducing Auditing (6)
  • Audited events are stored in the Security event
    log
  • Success and failure can both be recorded
  • Security log can be viewed using the Event Viewer
  • The Security log entries allow identification of
    existing security problems in the overall
    network, as well as on individual computers

26
(Skill 2)
Figure 12-6 The Security Event log
27
(Skill 3)
Setting Audit Policy on a Domain Controller
  • Unauthorized access to a domain must be monitored
  • Set up an audit policy on a domain controller by
    configuring Group Policy
  • Link the GPO to the default Domain Controllers OU
  • You must have the Manage auditing and security
    log right on the system to configure auditing

28
(Skill 3)
Setting Audit Policy on a Domain Controller (2)
  • Setting up auditing is a two-step process
  • Step 1
  • Configure the audit policy to track particular
    events, for success, for failure or both
  • Step 2
  • Open the specific resource you wish to audit
  • Enable auditing by selecting the type of event
    you want to track and the user group or groups
    for which you want to track that event

29
(Skill 3)
Figure 12-7 Creating a GPO
30
(Skill 3)
Figure 12-8 The Audit account logon events
Properties dialog box
31
(Skill 3)
Figure 12-9 The Audit object access Properties
dialog box
32
(Skill 3)
Figure 12-10 Advanced Security Settings for
Annual Reports
33
(Skill 3)
Figure 12-11 Selecting the actions to be audited
34
(Skill 3)
Figure 12-12 A Security warning dialog box
35
(Skill 4)
Setting Audit Policy on a Stand-Alone Server or
Computer
  • Problems auditing stand-alone servers and
    workgroup computers running Windows 2000 or XP
    Professional
  • They do not belong to a domain
  • A domain controller-based audit policy cannot be
    applied to them
  • Stand-alone computers and the network computers
    may be able to access each other and hence
    require monitoring

36
(Skill 4)
Setting Audit Policy on a Stand-Alone Server or
Computer (2)
  • Audit policy should be set for stand-alone
    computers
  • To monitor network access attempts
  • To monitor local security events

37
(Skill 4)
Figure 12-13 Audit Policy in the Local Security
Settings console
38
(Skill 4)
Figure 12-14 Enabling auditing for local logon
attempts
39
(Skill 4)
Figure 12-15 Updating local security policy
40
(Skill 5)
Viewing the Security Log
  • Problems with implementation of audit policies
  • Increases the overhead on a computer
  • Slows down CPU performance
  • Security event log can become inundated with
    entries
  • Solutions
  • Set a schedule for checking the Security log
    regularly
  • Specify a maximum file size for Security log

41
(Skill 5)
Viewing the Security Log (2)
  • Be aware when the Security log reaches the
    maximum file size
  • You may lose data if the log becomes full before
    you archive it
  • Archiving is the process of saving a history of
    events so you can track trends in resource usage
  • When the log is full, the operating system will
    stop recording events

42
(Skill 5)
Figure 12-16 The Security Log Properties dialog
box
43
(Skill 5)
Viewing the Security Log (3)
  • Set filters to control what is recorded in the
    log
  • Event type: Information, Warning, Error, or
    Success or Failure audit
  • Event source: Choose a particular source, such as
    Spooler, LSA (Local Security Authority), or SC
    (Service Control) Manager
  • Category: Account Logon, Account Management,
    Directory Service Access, Privilege Use, Object
    Access events, and so on
  • Event ID
  • User
  • Computer
  • Specific time periods

44
(Skill 5)
Figure 12-17 The Filter tab in the Security
Properties dialog box
45
(Skill 5)
Figure 12-18 The Security log
46
(Skill 5)
Figure 12-19 Filtering the Security log
47
(Skill 5)
Figure 12-20 Viewing event details box
48
(Skill 6)
Auditing User Access to Active Directory Objects
  • Active Directory objects
  • Are the essential building blocks of a Windows
    Server 2003 network
  • Include users, computers, OUs, groups, published
    printers, and so on
  • Audit policies for Active Directory objects
  • Are set based explicitly on their functionality
  • An audit policy set for an Active Directory
    object is inherited by its child object through
    Policy Inheritance by default

49
(Skill 6)
Figure 12-21 The Auditing tab
50
(Skill 6)
Figure 12-22 Setting printer audit policy
51
(Skill 7)
Assigning User Rights to Users and Groups
  • User rights are different from permissions
  • Permissions allow a user access to certain
    resources
  • User rights allow the user to perform certain
    restricted actions, such as shutting down the
    system or logging on locally

52
(Skill 7)
Assigning User Rights to Users and Groups (2)
  • User Rights Assignment policy is used to grant
    users rights
  • Rights should be assigned to groups for ease of
    administration
  • Users can be added to the group to grant them the
    same level of user rights
  • Assign user rights to allow particular users to
    carry out specific functions
  • This increases the security of the system

53
(Skill 7)
Figure 12-23 User rights assignments
54
(Skill 7)
Figure 12-24 Adding a group to assign user rights
55
(Skill 7)
Figure 12-25 The Access this computer from the
network Properties dialog box
56
(Skill 8)
Implementing Account Policy
  • Account policies
  • Used to set the user account properties that
    control the logon process
  • Types of policies
  • Account lockout policies
  • Password policies
  • Kerberos policies

57
(Skill 8)
Implementing Account Policy (2)
  • Configuring account policies
  • Group Policy Object Editor snap-in
  • Group Policy Management console (GPMC)

58
(Skill 8)
Implementing Account Policy (3)
  • Account lockout policy
  • Objective of the policy is to prevent users from
    guessing passwords
  • There is immediate replication of Active
    Directory data between Windows Server 2003 domain
    controllers when an account is locked out

59
(Skill 8)
Implementing Account Policy (4)
  • Account Lockout policy is configured by setting
    the following policies
  • Account lockout threshold: Specify the number (0
    to 999) of allowed invalid logon attempts
  • Account lockout duration: Specify the time
    duration (0 to 99999 minutes) during which the
    account remains disabled
  • Reset account lockout counter after: Set the time
    duration (1 to 99999 minutes) that must elapse
    after an invalid logon attempt before the account
    lockout counter is reset to 0
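
Added example (not part of the original slides): a simplified Python model of how the three lockout settings above interact over time. The class names, function names and timeline are constructed for illustration; the rule that the reset value may not exceed a non-zero lockout duration, and the meaning of 0 for threshold and duration, follow Windows' documented behaviour rather than the slide text.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold: 0-999 invalid attempts
    duration_min: int     # Account lockout duration: 0-99999 minutes
    reset_after_min: int  # Reset account lockout counter after: 1-99999 minutes

    def validate(self):
        """Return a list of problems; an empty list means the values are usable."""
        errors = []
        if not 0 <= self.threshold <= 999:
            errors.append("threshold must be 0-999")
        if not 0 <= self.duration_min <= 99999:
            errors.append("duration must be 0-99999 minutes")
        if not 1 <= self.reset_after_min <= 99999:
            errors.append("reset counter must be 1-99999 minutes")
        # Windows also requires reset <= duration when a timed lockout is in
        # force (duration 0 means "locked until an administrator unlocks").
        if self.threshold and self.duration_min and self.reset_after_min > self.duration_min:
            errors.append("reset counter must not exceed lockout duration")
        return errors

@dataclass
class Account:
    policy: LockoutPolicy
    bad_count: int = 0
    last_bad: int = None    # minute of the most recent invalid attempt
    locked_at: int = None   # minute the lockout started, None if not locked

    def attempt(self, now, password_ok):
        """Process one logon at minute `now`; return 'ok', 'denied' or 'locked'."""
        p = self.policy
        if self.locked_at is not None:
            if p.duration_min == 0 or now - self.locked_at < p.duration_min:
                return "locked"            # even a correct password is refused
            self.locked_at, self.bad_count = None, 0   # lockout has expired
        if password_ok:
            self.bad_count = 0
            return "ok"
        # The counter restarts once the reset window has passed since the last failure.
        if self.last_bad is not None and now - self.last_bad >= p.reset_after_min:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = now
        if p.threshold and self.bad_count >= p.threshold:   # threshold 0 never locks
            self.locked_at = now
            return "locked"
        return "denied"

def replay(policy, events):
    """events: constructed (minute, password_ok) pairs in time order."""
    account = Account(policy)
    return [account.attempt(minute, ok) for minute, ok in events]

# Constructed timeline: threshold 3, 30-minute lockout, 30-minute reset window.
POLICY = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=30)
TIMELINE = [(0, False), (10, False), (45, False), (46, False), (47, False),
            (50, True), (77, True)]

if __name__ == "__main__":
    for (minute, ok), result in zip(TIMELINE, replay(POLICY, TIMELINE)):
        print(f"t={minute:>3} min  password_ok={ok!s:<5}  -> {result}")
```

In the timeline the failure at minute 45 starts a fresh count because the reset window has passed, and the correct password at minute 50 is still refused because the account is locked until minute 77.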

60
(Skill 8)
Implementing Account Policy (5)
  • Password policy
  • Allows you to specify how users must manage their
    passwords
  • Factors to be considered
  • Password history
  • Password age
  • Password length
  • Complexity requirements
  • Encryption and storage methods

61
(Skill 8)
Implementing Account Policy (6)
  • Kerberos policies
  • The Kerberos V5 authentication protocol is
    implemented through a Key Distribution Center
    (KDC)
  • They are applicable to domain user accounts or
    computer accounts only
  • They define settings such as ticket lifetimes and
    logon restriction enforcement

62
(Skill 8)
Figure 12-26 The Kerberos policies
63
(Skill 8)
Implementing Account Policy (7)
  • Kerberos policy settings
  • Enforce user logon restrictions policy: If
    enabled, the KDC performs certain checks before
    issuing a session ticket
  • Validity of the user account
  • User rights policy on the target computer
  • Maximum lifetime for service ticket: Sets the
    maximum length of time for a Logon Session Ticket
  • Maximum lifetime for user ticket: Sets the
    maximum length of time that the Ticket Granting
    Ticket (TGT) will be valid
  • Maximum lifetime for user ticket renewal: Sets
    the maximum lifetime for both the Ticket Granting
    Ticket (TGT) and the Logon Session Ticket

64
(Skill 8)
Implementing Account Policy (8)
  • Kerberos policy settings
  • Maximum tolerance for computer clock
    synchronization
  • Sets the maximum number of minutes that the clock
    on the KDC can be different from the clock on the
    Kerberos client
  • This acts as a deterrent in replay attacks

65
(Skill 8)
Figure 12-27 The Account lockout threshold
Properties dialog box
66
(Skill 8)
Figure 12-28 The Suggested Value Changes dialog
box
67
(Skill 8)
Figure 12-29 The Enforce password history
Properties dialog box
68
(Skill 8)
Figure 12-30 The Minimum password length
Properties dialog box
69
(Skill 8)
Figure 12-31 The Maximum lifetime for service
ticket Properties dialog box
70
(Skill 8)
Figure 12-32 The Suggested Value Changes dialog
box for Maximum lifetime for user ticket
71
(Skill 9)
Implementing Security Templates
  • Security template
  • A group of security settings used to implement
    security in computers running Windows 2000 or
    later operating systems
  • A text-based file with an .inf file extension
  • You can import these templates into GPOs, and
    apply the set of common security settings to
    multiple computers with similar functionality
  • You can use them to save and restore security
    settings of a computer

72
(Skill 9)
Implementing Security Templates (2)
  • Windows Server 2003 provides several predefined
    security templates located in the folder
  • %Systemroot%\Security\Templates
  • The predefined security templates have four
    standard security levels
  • Basic
  • Compatible
  • Secure
  • Highly Secure

73
(Skill 9)
Figure 12-33 The predefined security templates
74
(Skill 9)
Implementing Security Templates (3)
  • Implementing security templates consists of five
    steps
  • 1.  Accessing the Security Templates console
  • You can access the Security Templates console in
    an existing console by adding the Security
    Templates snap-in to it
  • You can also create a new Microsoft Management
    Console (MMC), and add the Security Templates
    snap-in to it

75
(Skill 9)
Implementing Security Templates (4)
  • Implementing security templates consists of five
    steps
  • 2. Customizing a predefined security template
  • You can edit a predefined security template
  • Save the modified template as a new template
  • 3. Defining a new security template
  • You can define security settings in a new
    customized security template according to the
    specific security requirements of your
    organization

76
(Skill 9)
Implementing Security Templates (5)
  • Implementing security templates consists of five
    steps
  • 4. Importing a security template to a GPO
  • To apply the same security settings to multiple
    objects using a GPO, you can import an
    appropriate security template into the GPO

77
(Skill 9)
Implementing Security Templates (6)
  • Implementing security templates consists of five
    steps
  • 5. Exporting security settings to a security
    template
  • You can export the initial security configuration
    for a computer to a security template.
  • Similarly, the effective security settings (the
    security settings currently applied on the
    computer) for a computer can be exported to a
    security template
  • The initial security template can be used to
    restore the settings

78
(Skill 9)
Figure 12-34 Creating a new security template
79
(Skill 9)
Figure 12-35 Exporting policy settings to a
template
80
(Skill 9)
Figure 12-36 Importing a security template
81
(Skill 10)
Using the Security Configuration and Analysis
Console
  • Use the Security Configuration and Analysis
    snap-in to configure the local security settings
    on a computer
  • Importing a security template
  • Comparing the template to the currently
    configured computer settings
  • Performing a what-if analysis

82
(Skill 10)
Figure 12-37 The Security Configuration and
Analysis snap-in
83
(Skill 10)
Using the Security Configuration and Analysis
Console (2)
  • Analyzing the comparisons
  • The security settings that match are marked by a
    green check mark icon
  • The security settings that do not match are
    marked with a red x icon
  • Action
  • Update the security settings on the computer that
    do not match the database settings
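
Added example (not part of the original slides): a Python sketch of the comparison the console performs, checking a baseline security template against an export of the computer's current settings and listing what does not match. The two templates are constructed samples, the function names are this example's own, the section and setting names follow the standard security template (.inf) layout, and the "missing" status is a category introduced here for settings absent from the export.

```python
import configparser

# Sections compared; names follow the standard security template layout.
ANALYZED_SECTIONS = ("System Access", "Event Audit", "Kerberos Policy")

def parse_template(text):
    """Parse security template (.inf) text into {section: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",), comment_prefixes=(";",))
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def analyze(baseline_text, current_text):
    """Return (section, setting, baseline, current, status) rows."""
    baseline, current = parse_template(baseline_text), parse_template(current_text)
    rows = []
    for section in ANALYZED_SECTIONS:
        for setting, wanted in baseline.get(section, {}).items():
            actual = current.get(section, {}).get(setting)
            if actual is None:
                status = "missing"   # not present in the current export
            elif actual == wanted:
                status = "match"     # the console's green check mark
            else:
                status = "mismatch"  # the console's red x
            rows.append((section, setting, wanted, actual, status))
    return rows

def needs_update(rows):
    """Settings to bring in line with the database (the slide's Action step)."""
    return [(sec, name) for sec, name, _, _, status in rows if status != "match"]

# Constructed baseline template (real exports are UTF-16 files; a str is used here).
BASELINE = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
"""

# Constructed export of the computer's current settings.
CURRENT = """\
[System Access]
MinimumPasswordLength = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 0
"""

if __name__ == "__main__":
    for section, setting, wanted, actual, status in analyze(BASELINE, CURRENT):
        print(f"{status:<9} [{section}] {setting}: template={wanted} computer={actual}")
```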

84
(Skill 10)
Figure 12-38 Importing a template
85
(Skill 10)
Figure 12-39 The Analyzing System Security window
86
(Skill 10)
Figure 12-40 System security analysis results
87
(Skill 11)
Using the Security Configuration and Analysis
Console to Configure Security
  • Use the Security Configuration and Analysis tool
    to configure security on individual computers
  • Set security settings by removing or updating any
    inconsistencies discovered in the analysis
  • You can construct a composite database security
    template by importing templates (either
    predefined or customized) into the database

88
(Skill 11)
Figure 12-41 The Configure System dialog box
89
(Skill 11)
Figure 12-42 Configuring Computer Security
90
(Skill 11)
Figure 12-43 Editing a configuration setting
91
(Skill 11)
Figure 12-44 The edited security settings
92
(Skill 12)
Troubleshooting Security Configuration Issues
  • Improving the success rate for network security
  • Examine the level of security requirements for
    the network
  • High level of security
  • Reduces efficiency
  • Increases cost and administrative effort
  • A low level of security leads to unauthorized
    access, which can have serious repercussions
  • Identify existing and potential problems in the
    Security event log and update the security
    settings accordingly

93
(Skill 12)
Troubleshooting Security Configuration Issues (2)
  • Improving the success rate for network security
  • Determine network usage for certain resources
    that may cause problems in the future
  • Identify security patterns that may cause
    problems in the future

94
(Skill 12)
Figure 12-45 Security audit event details