Chapter 6: Configuring Security - PowerPoint PPT Presentation

Provided by: janet71
Learn more at: http://faculty.ccri.edu

1
Chapter 6 Configuring Security
2
Options for Managing Security Configurations
  • LGPO (Local Group Policy Object)
  • Used if Computer is not part of a domain
    environment
  • Set of security configuration settings that are
    created and stored on the local computer
  • Users
  • Computers
  • Stored in \systemroot\System32\GroupPolicyUsers
  • GPO (Group Policy Objects)
  • Used if Computer is part of an Active Directory
    domain
  • Allows for remote and centrally managed security
  • Has more levels of security structure, and thus
    more granular control

3
Group Policy and LGPO (Local Group Policy
Objects) Setting Options
  • Software Installation
  • not available with LGPOs
  • Remote Installation Services
  • Scripts
  • Printers
  • Security Settings
  • Policy-based QOS
  • Administrative Templates
  • Folder Redirection
  • not available with LGPOs
  • Internet Explorer Configuration

4
GPO Inheritance
  • Order of Inheritance
  • Local
  • Site (physical location)
  • Domain
  • Organizational Unit (OU)
  • Containers higher are called parents and lower
    are called children.
  • Children inherit from the parent and
    non-conflicting settings are additive. If
    settings conflict, then the child overrides the
    parent.
  • Two types of Policy Settings
  • Computer Settings
  • User Settings
  • If a conflict occurs, then the Computer setting is
    applied.

5
GPO Inheritance
  • Special Options, for overriding the default
    behavior of GPO execution.
  • No Override
  • Used to specify that a child cannot override the
    policy settings of a higher-level parent
    container.
  • Block Inheritance
  • Used to allow a child container to be able to
    block the inheritance of a policy from a parent
    container.
  • If a conflict occurs between No Override and
    Block Inheritance, then No Override would win
    and be applied.
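
The inheritance rules on slides 4 and 5, worked through as a small resolver. This is an added example, not part of the original slides and not Windows code: the `Level` class, the setting names and the sample chain are hypothetical, and the model covers only the rules stated above (child overrides parent, No Override, Block Inheritance).

```python
from dataclasses import dataclass, field

@dataclass
class Level:
    """One container in the chain, listed parent first (hypothetical model)."""
    name: str
    settings: dict = field(default_factory=dict)
    no_override: bool = False        # children may not override these settings
    block_inheritance: bool = False  # this container refuses parent policy

def resultant_policy(levels):
    """Return {setting: (value, winning_level)} for a parent-to-child chain."""
    # Block Inheritance: ignore everything above the lowest blocking container...
    blockers = [i for i, lvl in enumerate(levels) if lvl.block_inheritance]
    first = max(blockers, default=0)
    # ...except parents flagged No Override, which win over Block Inheritance.
    applied = [l for i, l in enumerate(levels) if i >= first or l.no_override]

    result, locked = {}, set()
    for lvl in applied:                      # parents first, children last
        for key, value in lvl.settings.items():
            if key in locked:                # an ancestor set No Override
                continue
            result[key] = (value, lvl.name)  # child overrides parent
            if lvl.no_override:
                locked.add(key)
    return result

# Constructed sample chain (names and settings are made up for illustration).
CHAIN = [
    Level("Site", {"proxy": "proxy.example", "wallpaper": "corp"}),
    Level("Domain", {"min_password_length": 8}, no_override=True),
    Level("OU=Sales", {"min_password_length": 6, "wallpaper": "sales"},
          block_inheritance=True),
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_policy(CHAIN).items()):
        print(f"{setting} = {value!r} (from {source})")
```

In the sample chain the OU blocks the Site policy, but the Domain's No Override setting still applies and the OU's weaker password length is ignored.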

6
Group Policy Result Tool
  • Because of the overlapping nature of Group
    Policies, Vista provides a tool to help determine
    what policies will be applied.
  • Tool is accessed through the GPResult.exe
    command-line utility.
  • GPResult displays the Resultant Set of Policy
    (RSOP) for the computer and the user who is
    currently logged in.
  • C:\>GPResult.exe /r

7
Using Local Group Policies
  • Used to manage configuration settings for
    workstations in a workgroup environment without
    an Active Directory domain
  • Created and assigned through the Local Group
    Policy snap-in in MMC
  • Microsoft Management Console
  • Two types of policies
  • Computer Configuration
  • User Configuration

8
Multiple Local Group Policy Objects (MLGPOs)
  • New to Windows Vista
  • Enables Vista to apply LGPOs to specific users
    rather than apply them to every user on a
    computer
  • Applied in the following order
  • Local Computer Policy (User and Computer)
  • Administrators and Non-Administrators Local Group
    Policy (User only)
  • User-Specific Group Policy (User only)
  • Again, GPO settings applied lower will override
    parent settings in the event of a conflict.
  • AD GPO will override conflicting LGPO

9
Setting Computer Configuration Policies
  • Three folders within the Computer Configuration
    folder
  • Software Settings
  • Windows Settings
  • Administrative Templates
  • Scripts and Security Settings are found within
    the Windows Settings folder.

10
Windows Settings
  • Scripts
  • Logon / Startup
  • Logoff / Shutdown
  • Security Settings
  • Account Policies
  • Local Policies
  • Windows Firewall with Advanced Security
  • Public Key Policies
  • Software Restriction Policies
  • IP Security Policies
  • Policy-based QOS

11
Account Policies
  • Password Policy
  • Enforce Password History
  • No repeated passwords
  • Maximum Password Age
  • Time until password change
  • Minimum Password Age
  • Keeps user from immediately changing password
    back to what it was
  • Minimum Password Length
  • If not set, then no password is required
  • Password Must Meet Complexity Requirements
  • Must be 6 characters or longer, cannot contain
    the username or any part of the full name, and
    must contain 3 of the following
  • English Upper Case Character
  • English Lower Case Character
  • Decimal Digit
  • Symbols
  • Store Passwords Using Reversible Encryption
  • Higher level of Encryption security
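
The complexity rule listed above (6 or more characters, no username or part of the full name, 3 of the 4 character classes), written as a checker. This is an added example, not part of the original slides and not the Windows implementation; the function name and the interpretation of "any part of the full name" as whole words of at least 3 characters are assumptions.

```python
import re

CLASSES = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",   # assumption: anything else counts as a symbol
}

def complexity_problems(password, username, full_name):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")

    # Assumption: "any part of the full name" means each word of the name;
    # parts under 3 characters are ignored so initials do not block everything.
    parts = [username] + re.split(r"[\s,.\-_]+", full_name)
    lowered = password.lower()
    for part in parts:
        if len(part) >= 3 and part.lower() in lowered:
            problems.append(f"contains name part '{part}'")

    present = [name for name, rx in CLASSES.items() if re.search(rx, password)]
    if len(present) < 3:
        problems.append(f"only {len(present)} of 4 character classes")
    return problems
```

A six-character password such as `Tr0ub4` satisfies this rule on its own, which is why Minimum Password Length is configured as a separate setting.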


12
Account Policies
  • Account Lockout Policy
  • Account Lockout Duration
  • How long the account will remain locked if
    Threshold is reached.
  • Account Lockout Threshold
  • Specifies how many invalid attempts can be made
    before the account is locked.
  • Reset Account Lockout Counter After
  • How many minutes the counter will remember
    unsuccessful login attempts.

13
Local Policies: After Login
  • Audit Policy (Too many will degrade performance)
  • Used to track success or failure of user actions.
  • Login Attempts
  • Object Access
  • User Rights Assignment
  • User rights as they apply to the system, not file
    permissions
  • Change System Time
  • Add workstations to the Domain
  • Backup files and directories
  • Security Options
  • Security as it relates to the computer, not the
    user.
  • Contains new policies relating to User Account
    Control (UAC)
  • Require approval for administrative operations
  • Specifies the method of approval
  • Prompt for Consent
  • Prompt for Credentials

14
User Account Control
  • New to Windows Vista
  • Protects computers by requiring privilege
    elevation for all users including local
    Administrators (except the built-in Administrator
    account)
  • Local Administrative users act as standard users,
    until doing something which requires
    administrative privileges
  • Standard users will be prompted for the
    credentials of an admin user.
  • Privilege escalation is required whenever the
    four-color shield icon is present

15
Windows Security Center
  • Used to monitor and configure critical settings
    through a centralized dialogue box for
  • Windows Firewall
  • Automatic Updating
  • Malware Protection
  • Other Security Settings
  • Will list whether the security feature is enabled
    and whether it is up to date.

16
Windows Firewall
  • Protects computer from unauthorized users or
    malicious software. It does not allow
    unsolicited traffic (traffic that was not
    requested) to pass.
  • Configuration
  • General Tab
  • On or Off, as well as Block all Incoming
  • Exceptions Tab
  • Define which programs and services can pass
    through the firewall
  • Advanced Tab
  • Specify firewall settings at a more granular
    level by reducing control to the specific
    connection.
  • Windows Firewall with Advanced Security is used
    to configure advanced settings, including inbound
    and outbound rules

17
Windows Defender
  • Formerly Microsoft AntiSpyware
  • Protects computer from spyware threats
  • Tools and Settings
  • Options
  • Default Actions
  • Automatic Scans
  • Realtime Protection
  • Microsoft SpyNet
  • Online Community for such things as what to do
    with non-classified software
  • Quarantined Items
  • Allows recovery of software found to be OK
  • Allowed Items
  • List of trusted applications
  • Software Explorer
  • Lists installed software and its classification
  • Windows Defender website

18
BitLocker Drive Encryption
  • Included with Vista Enterprise and Vista Ultimate
  • Used to encrypt the system drive
  • The security key is stored on the system's TPM
    (Trusted Platform Module) chip. If no TPM is
    present, it can be stored on a thumb drive. The
    USB thumb drive will be required each time you
    boot the system.
  • The 48-digit BitLocker recovery password must
    not be lost; it is needed to recover from a lost
    or corrupted USB drive.
  • Files on other drives must be encrypted with
    another method, such as Encrypting File System
    (EFS), as BitLocker only encrypts the System Drive

19
File and Folder Access Security
  • Vista allows you to very easily share and secure
    files and folders.
  • A user's access rights to specific folders will
    be based on their logon name and group
    associations by applying NTFS (New Technology
    File System) permissions.

20
NTFS Permissions
  • If permissions are not explicitly granted in
    NTFS, then they are implicitly denied.
    An explicit deny overrides explicitly granted
    permissions.
  • Six levels of permissions
  • Full Control
  • Modify
  • Read & Execute
  • List Folder Contents
  • Read
  • Write

21
Controlling Inheritance
  • By default, subfolders and files inherit the
    permissions assigned to the parent folder.
  • Prevent permissions from propagating to
    subfolders and files by clearing the Include
    Inheritable Permissions from This Object's Parent
    check box.

22
Determining Effective Permissions
  • To determine a user's effective rights to a file
    or folder
  • Add all the permissions that are allowed to the
    user to all permissions granted to the groups of
    which the user is a member.
  • Subtract any permissions similarly denied to the
    user or the user's groups.

23
Determining NTFS Permissions for Copied and Moved
Files
                      Move File                                      Copy File
Same Partition        Retains original NTFS permissions              Inherits permissions from destination folder
Different Partition   Inherits permissions from destination folder   Inherits permissions from destination folder
24
Managing Network Access
  • Share folders that contain files you want to be
    accessible over the network
  • Configure sharing from the Sharing tab of the
    folder properties dialog box

25
Configuring Share Permissions
  • Permissions can be assigned to users and groups
  • Full Control
  • Allows full access to the folder
  • Change
  • Allows users to change data in files or to delete
    files
  • Read
  • Allows users to view and execute files

26
NTFS Permissions and Shared Permissions
  • NTFS security and shared folder security work
    together
  • The most restrictive permissions are the
    effective permissions
  • NTFS security more restrictive than shared folder
    security: NTFS permissions are effective
  • Shared folder security more restrictive than NTFS
    security: Shared folder permissions are
    effective
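
The rules from "Determining Effective Permissions" and from this slide, combined in one calculator: allow entries for the user and groups are added, deny entries are subtracted, and over the network the result is limited by the share permissions. This is an added example, not part of the original slides; the reduction of each permission level to a set of basic rights and the sample ACLs are assumptions made for illustration.

```python
R, X, W, D, P = "read", "execute", "write", "delete", "change_permissions"

# Assumption: each level is reduced to a small set of basic rights.
NTFS = {
    "Read": {R},
    "Write": {W},
    "List Folder Contents": {R, X},
    "Read & Execute": {R, X},
    "Modify": {R, X, W, D},
    "Full Control": {R, X, W, D, P},
}
SHARE = {
    "Read": {R, X},              # "view and execute files"
    "Change": {R, X, W, D},      # "change data in files or delete files"
    "Full Control": {R, X, W, D, P},
}

def _resolve(aces, principals, table):
    """Union of allows minus union of denies, for the matching principals."""
    allow, deny = set(), set()
    for principal, kind, level in aces:
        if principal in principals:
            (allow if kind == "allow" else deny).update(table[level])
    return allow - deny          # no matching allow => empty set (implicit deny)

def effective_access(user, groups, ntfs_aces, share_aces=None):
    """Rights for `user`; pass share_aces only for access over the network."""
    principals = {user, *groups}
    ntfs = _resolve(ntfs_aces, principals, NTFS)
    if share_aces is None:       # local access: share permissions do not apply
        return ntfs
    return ntfs & _resolve(share_aces, principals, SHARE)  # most restrictive

# Constructed sample ACLs (principals and entries are made up).
NTFS_ACL = [("Users", "allow", "Read & Execute"),
            ("Sales", "allow", "Modify"),
            ("alice", "deny", "Write")]
SHARE_ACL = [("Users", "allow", "Read")]
```

With the sample ACLs, alice keeps read, execute and delete locally (her personal deny removes write), and only read and execute through the share.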