Administering a Security Configuration - PowerPoint PPT Presentation

Slides: 85
Provided by: MikeS6
1
Administering a Security Configuration
  • Security Configuration Overview
  • Auditing
  • Using Security Logs
  • User Rights
  • Using Security Templates
  • Security Configuration and Analysis
  • Troubleshooting a Security Configuration

2
Security Configuration Overview
  • Security Configuration Settings

3
Security Areas Configured for a Nonlocal GPO
  • Account policies
  • Local policies
  • Event log
  • Restricted groups
  • System services
  • Registry
  • File system
  • Public key policies
  • IP security policies

4
Account Policies Overview
  • The account policies security area applies to
    user accounts.
  • Microsoft Windows 2003 allows only one domain
    account policy, which is the account policy
    applied to the root domain of the domain tree.
  • The domain account policy becomes the default
    account policy of any Windows 2003 workstation or
    server that is a member of the domain.
  • Exception: When another account policy is defined
    for an OU, the OU's account policy settings
    affect the local policy on any computers
    contained in the OU, as is the case with the
    Domain Controllers OU.

5
Account Policies Attributes
  • Password Policy: For domain or local user
    accounts, determines settings for passwords such
    as enforcement and lifetimes.
  • Account Lockout Policy: For domain or local user
    accounts, determines when and for whom an account
    will be locked out of the system.
  • Kerberos Policy: For domain user accounts,
    determines Kerberos-related settings, such as
    ticket lifetimes and enforcement.

6
Local Policies Overview
  • The local policies security area pertains to the
    security settings on the computer used by an
    application or user.
  • Local policies are based on the computer to which
    a user logs on and the rights the user has on
    that particular computer.
  • Local policies are local to a computer, by
    definition.
  • When imported to a GPO in Active Directory, local
    policies affect the local security settings of
    any computer accounts to which that GPO is
    applied.

7
Local Policies
  • Audit Policy
  • User Rights Assignment
  • Security Options

8
Event Log
  • The event log security area defines attributes
    related to the Application, Security, and System
    event logs:
    • Maximum log size
    • Access rights for each log
    • Retention settings and methods
  • The event log size and log wrapping should be
    defined to match the business and security
    requirements.
  • Event log settings should be implemented at the
    site, domain, or OU level, to take advantage of
    group policy settings.

9
Event Log Settings
10
Restricted Groups Overview
  • The restricted groups security area provides an
    important new security feature that acts as a
    governor for group membership.
  • It automatically provides security memberships
    for default Windows 2003 groups that have
    predefined capabilities.
  • Any other groups considered sensitive or
    privileged can be added to the Restricted Groups
    security list later.

11
Restricted Groups Configuring
  • Configuring the restricted groups security area
    ensures that group memberships are set as
    specified.
  • Groups and users not specified in restricted
    groups are removed from the specific group.
  • The reverse membership configuration option
    ensures that each restricted group is a member of
    only those groups specified in the Member Of
    column.
  • Restricted groups should be used primarily to
    configure membership of local groups on
    workstations or member servers.

12
System Services
  • The system services security area is used to
    configure security and startup settings for
    services running on a computer.
  • Security properties for the service determine
    which user or group accounts have the following
    permissions: Read/Write/Delete/Execute,
    inheritance settings, auditing, and ownership
    permission.
  • If Automatic startup is chosen, adequate testing
    must be performed to verify that the services
    can start without user intervention.
  • System services used on a computer should be
    tracked.
  • Unnecessary or unused services should be set to
    Manual.

13
Registry and File System Areas
  • Registry security area: Used to configure
    security on registry keys.
  • File system security area: Used to configure
    security on specific file paths.
  • The Security properties of the registry key or
    file path can be edited to determine what user or
    group accounts have Read/Write/Delete/Execute
    permissions, as well as inheritance settings,
    auditing, and ownership permission.

14
Policies
  • Public key policies: Used to configure encrypted
    data recovery agents, domain roots, and trusted
    certificate authorities.
  • IP security policies: Used to configure network
    IP security.

15
Auditing
  • Understanding Auditing
  • Using an Audit Policy
  • Audit Policy Guidelines
  • Configuring Auditing
  • Setting Up an Audit Policy
  • Auditing Access to Files and Folders
  • Auditing Access to Active Directory Objects
  • Auditing Access to Printers
  • Auditing Practices
  • Practice Auditing Resources and Events

16
Understanding Auditing
  • Auditing: The process of tracking both user
    activities and Windows 2003 activities, called
    events.
  • Auditing is used to specify which events are
    written to the security log.
  • An audit entry in the security log contains:
    • The action that was performed.
    • The user who performed the action.
    • The success or failure of the event and when the
      event occurred.

17
Using an Audit Policy
  • An audit policy defines the categories of events
    that Windows 2003 records in the security log on
    each computer.
  • The security log allows specified events to be
    tracked.
  • Windows 2003 writes an event to the security log
    on the computer where the event occurs.

18
General Audit Policy Guidelines
  • Determine the computers on which to set up
    auditing.
  • Auditing is turned off by default.
  • Plan the events to audit on each computer.
  • Determine whether to audit the success of events,
    failure of events, or both.
  • Tracking successful events identifies which users
    gained access to specific files, printers, or
    objects, information that can be used for
    resource planning.
  • Tracking failed events may alert the
    administrator to possible security breaches.

19
Other Policy Guidelines
  • Determine whether to track trends of system
    usage.
  • Review security logs frequently.
  • Define an audit policy that is useful and
    manageable.
  • Audit resource access by the Everyone group
    instead of the Users group.
  • Audit all administrative tasks by the
    administrative groups.

20
Configuring Auditing Overview
  • An audit policy is implemented based on the role
    of the computer in the Windows 2003 network.
  • The event categories on a domain controller are
    identical to those on a computer that is not a
    domain controller.

21
Computer Roles
  • For member or stand-alone servers and computers
    running Windows 2003 Professional:
    • An audit policy is set for each individual
      computer.
    • Events are audited by configuring a local group
      policy for that computer.
  • Domain controllers:
    • An audit policy is set for all domain controllers
      in the domain.
    • Events are audited by configuring the audit
      policy in a nonlocal GPO for the domain, which
      applies to all DCs and is accessible through the
      Domain Controllers OU.

22
Auditing Requirements
  • The Manage Auditing And Security Log user right
    for the computer is necessary to configure an
    audit policy or review an audit log.
  • Files and folders to be audited must be on
    Microsoft Windows NTFS volumes.

23
Setting Up Auditing
  • Set the audit policy: Enables auditing of objects
    but does not activate auditing of specific types.
  • Enable auditing of specific resources: The
    specific events to track for files, folders,
    printers, and Active Directory objects must be
    identified.
  • Windows 2003 then tracks and logs the specified
    events.

24
Setting Up an Audit Policy
  • Categories of events that Windows 2003 audits are
    selected.
  • Configuration settings indicate whether to track
    successful or failed attempts for each event
    category to be audited.
  • Audit policies are set in the Group Policy
    snap-in.
  • The security log is limited in size.
  • The events to be audited must be selected
    carefully.
  • The amount of disk space to devote to the
    security log must be considered.

25
Types of Events Audited by Windows 2003
  • Account logon
  • Account management
  • Directory service access
  • Logon events
  • Object access
  • Policy change
  • Privilege use
  • Process tracking
  • System events

26
Auditing Access to Files and Folders
  • If security breaches are an issue for an
    organization, auditing should be set up for files
    and folders on NTFS partitions.
  • To audit user access to files and folders, the
    Audit Object Access event category is set in the
    audit policy.
  • After Audit Object Access is set in the audit
    policy, auditing for specific files and folders
    is enabled, specifying which types of access to
    audit, either by users or by groups.

27
Auditing Entry For Dialog Box
28
User Events
  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes and Read Extended Attributes
  • Create Files/Write Data
  • Create Folders/Append Data
  • Write Attributes and Write Extended Attributes
  • Delete Subfolders And Files
  • Read Permissions
  • Change Permissions
  • Take Ownership
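
The slides above describe the per-object step (Audit Object Access on in the audit policy, then an auditing entry on each file or folder) only through the Auditing Entry dialog. The following PowerShell is an added example, not code from the deck: it attaches an auditing entry (a SACL rule) for Everyone to one folder, for the write, delete and permission-change events from the list above, recording both success and failure, and then reads the entries back to verify them. The folder C:\Finance, the identity, and the choice of events are assumptions; it also assumes Audit Object Access is already set and that the caller holds the Manage Auditing And Security Log user right from slide 22, which is what allows a SACL to be written.

```powershell
# Added example, not from the deck. Puts an auditing entry (SACL) on a folder for the
# access types listed on the "User Events" slide, covering both success and failure.
# Assumptions: the folder (C:\Finance) exists, "Audit object access" is already enabled
# in the audit policy (nothing is logged otherwise), and the caller holds the
# "Manage auditing and security log" user right, which Set-Acl needs to write a SACL.
function Add-FolderAudit {
    param(
        [string]$Path     = 'C:\Finance',   # hypothetical folder to watch
        [string]$Identity = 'Everyone'      # audit Everyone rather than Users, as slide 19 advises
    )
    # Events worth recording on a sensitive folder. Read Data / List Folder are left out:
    # auditing reads on a busy share fills the security log quickly (slide 24).
    $rights = [System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $when      = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $rights, $inherit, $propagate, $when)

    # -Audit makes Get-Acl fetch the SACL; without it Set-Acl would not touch auditing at all.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAudit {
    param([string]$Path = 'C:\Finance')
    # Returns the auditing entries on the folder, inherited ones included, so the change
    # can be checked the same way the Auditing tab of the Properties dialog shows it.
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

Add-FolderAudit -Path 'C:\Finance' -Identity 'Everyone'
Get-FolderAudit -Path 'C:\Finance' | Format-Table -AutoSize
```

The inheritance flags make the entry apply to subfolders and files, which is the dialog's "This folder, subfolders and files" choice; a folder with existing inherited entries keeps them, since AddAuditRule only appends.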

29
Auditing Access to Active Directory Objects
  • Similar to auditing file and folder access.
  • An audit policy must be configured, and then
    auditing for specific objects must be set by
    specifying which types of access, and by whom, to
    audit.
  • Active Directory objects are audited to track
    access to them.
  • The Audit Directory Service Access event category
    is set in the audit policy to enable auditing of
    user access to AD objects.

30
Auditing Entry For Dialog Box
31
Active Directory Object Events
  • Full Control
  • List Contents
  • Read All Properties
  • Write All Properties
  • Create All Child Objects
  • Delete All Child Objects
  • Read Permissions
  • Modify Permissions
  • Modify Owner

32
Auditing Access to Printers
  • Use auditing to track access to sensitive
    printers.
  • Set the Audit Object Access event category in the
    audit policy, which includes printers.
  • Enable auditing for specific printers and specify
    the types of access, and by whom, to audit.
  • Use the same procedure used to set up auditing on
    files and folders.

33
Auditing Entry For Dialog Box
34
Recommended Audit Events
35
Using Security Logs
  • Understanding Windows 2003 Logs
  • Viewing Security Logs
  • Locating Events
  • Filtering Events
  • Configuring Security Logs
  • Archiving Security Logs
  • Practice Using the Security Log

36
Security Log Overview
  • The security log contains information on security
    events specified in the audit policy.
  • To view the security log, use the Event Viewer
    console.
  • Event Viewer also allows specific events within
    the log files to be found, the events shown in
    log files to be filtered, and security log files
    to be archived.

37
Understanding Windows 2003 Logs
  • Three logs are available to view in Event Viewer
    by default.
  • All users can view application and system logs.
  • Security logs are accessible only to system
    administrators.
  • Security logging is turned off by default.
  • Group policy must be used at the appropriate
    level to set up an audit policy.

38
Logs Maintained by Windows 2003
  • Application log
    • Contains errors, warnings, or information that
      programs, such as a database program or an e-mail
      program, generate.
    • The program developer presets which events to
      record.
  • Security log
    • Contains information about the success or failure
      of audited events.
    • The events Windows 2003 records are a result of
      the audit policy.
  • System log
    • Contains errors, warnings, and information that
      Windows 2003 generates.
    • Windows 2003 presets which events to record.

39
Viewing Security Logs
  • The security log contains information about
    events monitored by an audit policy, such as
    failed and successful logon attempts.
  • Windows 2003 records events in the security log
    on the computer at which the event occurred.
  • Events can be viewed from any computer by a user
    with administrative privileges on the computer
    where the events occurred.

40
Event Viewer
41
Locating Events
  • Event Viewer automatically displays all events
    recorded in the security log when it is first
    started.
  • The Find command is used to search for specific
    events.

42
The Find In Dialog Box
43
Options on the Find In Dialog Box
44
Filtering Events
  • The Filter command displays specific events that
    appear in the security log.
  • The Filter command is used to narrow down the
    displayed events.

45
Options on the Filter Tab of the Security
Log Properties Dialog Box
46
Configuring Security Logs
  • Security logging begins when an audit policy is
    set for the domain controller or local computer.
  • Security logging stops when the security log
    becomes full and cannot overwrite itself; an
    error may be written to the application log.
  • A full security log is avoided by logging only
    key events.
  • The properties of each individual audit log can
    be configured.

47
Security Log
  • When the security log is full and no more events
    can be logged, the log can be freed by manually
    clearing it.
  • Clearing the log erases all events permanently.
  • Reducing the amount of time that an event log is
    kept frees the log if it allows the next record
    to be overwritten.

48
Archiving Security Logs
  • Archiving maintains a history of security-related
    events.
  • Archived logs often are kept for a specified
    period, to track security-related information
    over time.
  • The entire log is saved, regardless of filtering
    options.
  • Event Viewer is used to reopen a log archived in
    a log-file format.

49
Archiving Security Logs (cont)
  • Logs saved as event logs (.evt) retain the binary
    data for each event recorded.
  • Logs archived in text or comma-delimited format
    (.txt and .csv, respectively) can be reopened in
    other programs, such as word processing or
    spreadsheet programs.
  • Logs saved in text or comma-delimited format do
    not retain the binary data.
  • An archived log is removed from the system by
    deleting the file in Windows Explorer.

50
User Rights
  • User Rights
  • Privileges
  • Logon Rights
  • Assigning User Rights

51
User Rights Overview
  • Specific rights can be assigned to group accounts
    or to individual user accounts.
  • Authorize users to perform specific actions.
  • Differ from permissions, because user rights
    apply to user accounts, whereas permissions are
    attached to objects.
  • Because user rights are part of a GPO, they can
    be overridden depending on the GPO affecting the
    user.

52
User Rights Administration
  • User rights define the capabilities of a user at
    a local level.
  • User rights can be applied to individual user
    accounts, but are best administered on a group
    account basis.
  • Ensures that a user logging on as a member of a
    group automatically inherits the rights
    associated with that group
  • Simplifies user account administration by
    associating user rights to groups rather than
    individual users

53
User Rights Assignment
  • User rights assigned to a group are applied to
    all members of the group while they remain
    members.
  • User rights are cumulative when a user is a
    member of multiple groups.
  • A user can have more than one set of rights.
  • Possible conflicts of user rights may occur in
    the case of certain logon rights.
  • Generally, user rights assigned to one group do
    not conflict with the rights assigned to another
    group.
  • To remove rights from a user, the user is removed
    from the group.
  • The two types of user rights are privileges and
    logon rights.

54
Privileges
  • Specify allowable user actions on the network.
  • Some privileges can override permissions set on
    an object.
  • A user right takes precedence over all file and
    directory permissions.

55
Logon Rights Overview
  • Logon rights specify the ways in which a user can
    log on to a system.
  • The special user account LocalSystem has almost
    all privileges and logon rights assigned to it,
    because all processes running as part of the OS
    are associated with this account.
  • OS processes require a complete set of user
    rights.

56
Logon Rights
57
Assigning User Rights
  • Assigning user rights eases the task of user
    account administration by assigning user rights
    primarily to group accounts, rather than to
    individual user accounts.
  • Assigning rights to a group account automatically
    assigns those rights to users when they become a
    member of that group.

58
Using Security Templates
  • Security Templates Overview
  • Security Template Uses
  • Predefined Security Templates
  • Managing Security Templates
  • Practice Managing Security Templates

59
Using Security Templates Overview
  • Windows 2003 provides a centralized method of
    defining security using security templates.
  • A security template is a physical representation
    of a security configuration, a file in which a
    group of security settings are stored.
  • Locating all security settings in one place
    streamlines security administration.
  • Each template is saved as a text-based .inf file,
    which allows some or all of the template
    attributes to be copied, pasted, imported, or
    exported.
  • All security attributes can be contained in a
    security template, except IP Security and Public
    Key policies.

60
Security Templates Uses
  • The security settings in the local GPO are the
    initial settings applied to a computer.
  • The local security settings can be exported to a
    security template file to preserve initial system
    security settings, which enables the restoration
    of the initial security settings at any later
    point.

61
Security Templates Importing
  • A security template file can be imported to a
    local or nonlocal GPO.
  • Any computer or user accounts in the site,
    domain, or OU to which the GPO is applied will
    receive the security template settings.
  • Importing a security template to a GPO eases
    domain administration by configuring security for
    multiple computers at once.

62
Security Templates Exporting
  • The local security settings are exported to a
    security template file to preserve initial system
    security settings.
  • Both local and effective security settings can be
    exported to a security template.
  • Initial system settings are preserved.
  • Local security settings are available for
    restoration later because domain-based GPOs
    override the local GPO.
  • By exporting the effective security settings to a
    security template, the settings can be imported
    into a security database, new templates can be
    overlaid, and potential conflicts can be analyzed.

63
Predefined Security Templates
  • Windows 2003 includes a set of predefined
    security templates.
  • Each predefined template is based on the role of
    a computer and common security scenarios, from
    security settings for low-security domain clients
    to highly secure domain controllers.
  • Predefined templates can be used as provided, can
    be modified, or can serve as a basis for creating
    custom security templates.
  • By default, predefined security templates are
    stored in the systemroot\Security\Templates
    folder.

64
Security Levels
  • Basic: BASIC.INF
  • Compatible: COMPAT.INF
  • Secure: SECURE.INF
  • Highly Secure: HISEC.INF

65
Tasks for Managing Security Templates
  • Accessing the Security Templates console
  • Customizing a predefined security template
  • Defining a new security template
  • Importing a security template to a local and
    nonlocal GPO
  • Exporting security settings to a security template

66
Security Templates Console
67
Security Configuration and Analysis
  • How the Security Configuration and Analysis
    Console Works
  • Security Configuration
  • Security Analysis
  • Using Security Configuration and Analysis
  • Practice Using Security Configuration and
    Analysis

68
Security Configuration and Analysis Overview
  • Security Configuration and Analysis is a tool
    that offers the ability to configure security,
    analyze security, view results, and resolve any
    discrepancies revealed by analysis.
  • This tool is located on the Security
    Configuration and Analysis console.

69
How the Security Configuration and Analysis
Console Works
  • The console uses a database to perform
    configuration and analysis functions.
  • The database is a computer-specific data store.
  • The database architecture allows the use of
    personal databases, security template import and
    export, and the combination of multiple security
    templates into one composite security template
    that can be used for analysis or configuration.
  • New security templates can be incrementally added
    to the database to create a composite security
    template.
  • Overwriting a template is also an option.
  • Personal databases can be created for storing
    customized security templates.

70
Security Configuration
  • The Security Configuration and Analysis console
    can be used to configure local system security.
  • Security templates created with the Security
    Templates console can be imported and applied to
    the GPO for the local computer.
  • System security is immediately configured with
    the levels specified in the template.

71
Security Analysis
  • The state of the OS and applications on a
    computer is dynamic.
  • Changes made to meet specific needs may not be
    reversed when the requirement is finished.
  • The computer may no longer meet the requirements
    for enterprise security.
  • The Security Configuration and Analysis console
    allows administrators to perform a quick security
    analysis.
  • In the analysis, recommendations are presented
    alongside current system settings; icons or
    remarks are used to highlight any areas where the
    current settings do not match the proposed level
    of security.

72
Security Analysis (cont)
  • The Security Configuration and Analysis console
    offers the ability to resolve any discrepancies
    revealed by analysis.
  • Regular analysis enables an administrator to
    track and ensure an adequate level of security on
    each computer as part of an enterprise risk
    management program.
  • Analysis is highly specific, and information
    about all system aspects related to security is
    provided in the results.
  • Enables an administrator to tune the security
    levels and to detect any security flaws that may
    occur in the system over time.

73
Tasks For Using Security Configuration and
Analysis
  • Access the Security Configuration and Analysis
    console.
  • Set a working security database.
  • Import a security template into a security
    database.
  • Analyze system security.
  • View security analysis results.
  • Configure system security.
  • Export security database settings to a security
    template.

74
Importing a Security Template into a Security
Database
  • Several different templates can be merged into
    one composite template that can be used for
    analysis or configuration of a system, by
    importing each template into a working database.
  • The database will merge the various templates to
    create one composite template, resolving
    conflicts in order of import; the last template
    imported takes precedence when there is
    contention.
  • Templates will not be merged into a composite
    template if overwrite is chosen.
  • Once the templates are imported to the selected
    database, the system can be analyzed or
    configured.

75
Analyzing System Security
  • The Security Configuration and Analysis console
    compares the current state of the system security
    against a security template that has been
    imported to a personal database.
  • This template is the database configuration that
    contains the preferred or recommended security
    settings for that system.
  • Security Configuration and Analysis queries the
    system's security settings for all security areas
    in the database configuration.
  • Values found are compared to the database
    configuration.
  • If the current system settings match the database
    configuration settings, they are assumed to be
    correct.
  • Settings that do not match are displayed as
    potential problems that need investigation.

76
Viewing Security Analysis Results
  • The Security Configuration and Analysis console
    displays the analysis results organized by
    security area with visual flags to indicate
    problems.
  • The current database and computer configuration
    settings are displayed for each security policy
    in the security area.

77
Analysis Results for Password Policy
78
Configuring System Security
  • The Security Configuration and Analysis console
    offers the ability to resolve any discrepancies
    revealed by analysis.
  • The import process can be repeated and multiple
    templates can be loaded.
  • The database merges the various templates to
    create one composite template, resolving
    conflicts in order of import.
  • The last template imported takes precedence when
    there is contention.
  • After the templates are imported to the database,
    choosing Configure System Now applies the stored
    template to the system.
  • Using the Security Configuration and Analysis
    console is not recommended when analyzing
    security for domain-based clients, because going
    to each client individually would be necessary.
  • When analyzing security for domain-based clients,
    it is best to return to the Security Templates
    console, modify the template, and reapply it to
    the appropriate GPO.

79
Exporting Security Templates
  • The export feature provides the ability to save a
    security database configuration as a new template
    file that can be:
    • Imported into other databases
    • Used as is to analyze or configure a system
    • Redefined with the Security Templates console
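
Slides 73 to 79 list the Security Configuration and Analysis tasks as console steps. The following PowerShell is an added example, not from the deck, that runs the same sequence through secedit.exe so it can be scripted or scheduled: set a working database and import a template into it, analyze the system against the database, read the mismatches from the log, optionally configure the system, and export the database as a composite template. Assumptions: a template C:\Sec\baseline.inf (for instance a customized copy of one under %SystemRoot%\Security\Templates), a working directory C:\Sec, local administrator rights, and the "Mismatch" wording that secedit writes for differing settings in its log. The /generaterollback step is a secedit verb available on Windows XP and Server 2003 that is not mentioned on the slides; it is included so that a configuration run can be undone.

```powershell
# Added example, not from the deck: the Security Configuration and Analysis tasks of slides
# 73-79 driven by secedit.exe. Assumptions: template C:\Sec\baseline.inf, working directory
# C:\Sec, local administrator rights, and secedit's "Mismatch" log wording.
param([switch]$Apply)   # configure the system only when explicitly asked

$Template  = 'C:\Sec\baseline.inf'
$Db        = 'C:\Sec\baseline.sdb'     # the personal (working) database of slide 73
$Rollback  = 'C:\Sec\rollback.inf'
$Composite = 'C:\Sec\composite.inf'
$Log       = 'C:\Sec\secedit.log'

function Invoke-Secedit {
    param([string[]]$Arguments)
    # Runs one secedit verb; each array element reaches the native executable as its own argument.
    & secedit.exe $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw ("secedit {0} failed, exit code {1}; see {2}" -f $Arguments[0], $LASTEXITCODE, $Log)
    }
}

# secedit appends to its log, so start clean or old mismatches will be counted again.
Remove-Item -Path $Log -ErrorAction SilentlyContinue

# 1. Set the working database and import the template. /overwrite empties the database first,
#    so nothing imported earlier is merged in (slides 74 and 78).
Invoke-Secedit '/import', '/db', $Db, '/cfg', $Template, '/overwrite', '/log', $Log, '/quiet'

# 2. Analyze: compare live settings with the database configuration (slide 75).
Invoke-Secedit '/analyze', '/db', $Db, '/log', $Log, '/quiet'

# 3. View results: the log names each setting that differs, which are the flagged items the
#    console shows per security area (slide 76).
$mismatches = @(Get-Content -Path $Log | Select-String -Pattern 'Mismatch')
"{0} setting(s) differ from the baseline" -f $mismatches.Count
$mismatches | ForEach-Object { $_.Line.Trim() }

# 4. Configure (slide 78): only on request, and only after recording how to undo it.
if ($Apply -and $mismatches.Count -gt 0) {
    Invoke-Secedit '/generaterollback', '/cfg', $Template, '/rbk', $Rollback, '/log', $Log, '/quiet'
    Invoke-Secedit '/configure', '/db', $Db, '/log', $Log, '/quiet'
}

# 5. Export the database as a composite template (slide 79) for other databases or a GPO.
Invoke-Secedit '/export', '/db', $Db, '/cfg', $Composite, '/log', $Log, '/quiet'
```

Run without -Apply it is a read-only analysis suitable for a scheduled check of each server against the baseline; with -Apply it applies the stored template, which is the slide 78 "Configure System Now" action. For domain clients the deck's advice still holds: fix the template and reapply it through the GPO rather than running this on every machine.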

80
Troubleshooting a Security Configuration
  • Symptoms:
    • Received error message: Event message: Event ID
      1202, Event source: scecli, Warning (0xx) occurs
      when applying security policies.
    • Received error message: Failed To Open The Group
      Policy Object.
    • Modified security settings are not taking effect.
    • Policies do not migrate from Windows NT 4.0 to
      Windows 2003.

81
Symptom: Received Error Message Event Message
Event ID 1202, Event Source scecli, Warning
(0xx) Occurs When Applying Security Policies
  • Cause: Group policy was not refreshed after
    changes were made.
  • Solution: Trigger another application of group
    policy settings or a local policy refresh by using
    the Secedit command-line tool to refresh security
    settings.

82
Symptom: Received Error Message Failed To Open
The Group Policy Object
  • Cause: The most likely causes for this error are
    network-related.
  • Solution: Check the DNS configuration for the
    following:
    • Make sure no stale entries exist in the DNS
      database.
    • Resolve local DNS servers and ISP DNS server
      entries.

83
Symptom: Modified Security Settings Are Not
Taking Effect
  • Causes:
    • Any policies configured locally may be overridden
      by like policies specified in the domain.
    • If the setting shows up in local policy but not
      in effective policy, a policy from the domain is
      overriding the setting.
    • As group policy changes are applied periodically,
      it is likely that the policy changes made in the
      directory have not yet been refreshed on the
      computer.
  • Solution: Manually refresh policy by typing the
    following at the command line: secedit
    /refreshpolicy machine_policy
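
The two causes on this slide can be told apart from a script. The following PowerShell is an added example, not from the deck: secedit /export on its own writes the local policy, and with /mergedpolicy it writes the effective settings after domain policy is merged in, so a setting whose value differs between the two files is one a domain policy overrides; when nothing differs, the remaining explanation is a policy that has not been refreshed yet, so the script forces a refresh and then checks the Application log for the SceCli event 1202 from slide 81. Assumptions: the directory C:\Sec exists and the script runs as a local administrator. On Windows XP and Server 2003 the refresh command is gpupdate; the secedit /refreshpolicy form shown on the slide is the Windows 2000 syntax.

```powershell
# Added example, not from the deck: tell "overridden by the domain" apart from "not yet refreshed".
# Assumptions: C:\Sec exists; the script runs as a local administrator; gpupdate is the
# refresh command on Windows XP / Server 2003 (secedit /refreshpolicy is Windows 2000 syntax).
$LocalInf     = 'C:\Sec\local.inf'
$EffectiveInf = 'C:\Sec\effective.inf'

function Read-SecurityTemplate {
    param([string]$Path)
    # Parses the [Section] / Key = Value layout of a security template into a hashtable
    # keyed "Section\Key"; comment lines start with ';'.
    $settings = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        $pair = $line -split '=', 2
        if ($pair.Count -eq 2) { $settings["$section\$($pair[0].Trim())"] = $pair[1].Trim() }
    }
    return $settings
}

function Compare-LocalWithEffective {
    param([hashtable]$Local, [hashtable]$Effective)
    # One object per setting the domain changed. [Version] and [Unicode] carry no policy.
    foreach ($key in ($Local.Keys | Sort-Object)) {
        if ($key -like 'Version\*' -or $key -like 'Unicode\*') { continue }
        if ($Effective.ContainsKey($key) -and $Effective[$key] -ne $Local[$key]) {
            New-Object PSObject -Property @{
                Setting = $key; Local = $Local[$key]; Effective = $Effective[$key]
            }
        }
    }
}

# Local policy alone, then the effective (domain + local) policy.
& secedit.exe /export /cfg $LocalInf /quiet
& secedit.exe /export /mergedpolicy /cfg $EffectiveInf /quiet

$overrides = @(Compare-LocalWithEffective -Local (Read-SecurityTemplate $LocalInf) `
                                          -Effective (Read-SecurityTemplate $EffectiveInf))

if ($overrides.Count -gt 0) {
    # First cause: a domain GPO wins; changing the local setting will never take effect.
    $overrides | Format-Table Setting, Local, Effective -AutoSize
} else {
    # Second cause: nothing is overridden, so force a refresh and look for a failed
    # policy application (SceCli event 1202, slide 81) in the Application log.
    gpupdate /target:computer /force
    Get-EventLog -LogName Application -Newest 200 |
        Where-Object { $_.Source -eq 'SceCli' -and $_.EventID -eq 1202 } |
        Select-Object TimeGenerated, Message
}
```

The parser only needs the Section\Key pairing, so it works on any of the exported areas, including Privilege Rights lines whose values are comma-separated SID lists.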

84
Symptom: Policies Do Not Migrate from Windows NT
4.0 to Windows 2003
  • Cause: Windows NT 4.0 policies cannot be migrated
    to Windows 2003.
  • Solution:
    • Windows NT 4.0 clients accessing a Windows 2003
      Server computer, and Windows 2003 Professional
      clients accessing a Windows NT 4.0 Server
      computer, will use the Netlogon share.
    • With Windows 2003 Server, when a Windows NT 4.0
      client is upgraded to Windows 2003, it will get
      only Active Directory-based group policy settings
      and not Windows NT 4.0-style policies.
    • Although Windows NT 4.0-style policies may be
      enabled if the administrator chooses to do so,
      this practice is strongly discouraged.
    • Because Windows NT 4.0-style policies are applied
      only during the logon process, both computer and
      user settings are processed (not optimal
      behavior).