Title: 70290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Wind
1. 70-290 MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced
Chapter 14: Windows Server 2003 Security Features
2. Objectives
- Identify the various elements and techniques that can be used to secure a Windows Server 2003 system
- Use Security Configuration and Analysis tools to configure and review security settings
- Audit access to resources and review Security log settings
3. Securing Your Windows 2003 System
- Five broad categories of security-related features
  - Authentication
  - Access control
  - Encryption
  - Security policies
  - Service packs and hot fixes
4. Authentication
- The most basic level is requiring a user ID and password to log on to some system
- In a domain environment, authentication is centralized on the network, while in a workgroup environment, authentication is local
- In a domain environment, a single authentication can provide access to multiple domains and forests
- Additional authentication methods can apply to other services (e.g., IIS)
5. Access Control
- Access control is used to secure resources such as files, folders, and printers
- Common types of access control are NTFS and shared folder permissions, printer permissions, and Active Directory object permissions
- The principle of least privilege implies that users should only have the access that they really need
6. Encryption
- Confidential files can be encrypted using the Encrypting File System (EFS) for local files stored on NTFS volumes
- EFS uses a combination of public and private keys
- The IPSec protocol can encrypt the contents of packets sent across a TCP/IP network
- There are two IPSec modes: transport and tunnel
- IPSec is used to make it difficult for hackers to intercept sensitive network data
7. Security Policies
- Security policy settings can be configured from the Local Security Policy and Group Policy Object Editor MMC snap-ins
- Security policies control a range of security settings
- Windows Server 2003 includes tools that analyze policy settings compared to pre-configured security templates
  - Security Configuration and Analysis MMC snap-in
  - Command-line SECEDIT utility
8. Service Packs and Hot Fixes
- Many critical updates and patches are related to security issues
- Hot fixes address a specific identified issue
- A service pack is a cumulative collection of hot fixes and updates
- Service packs and hot fixes can be downloaded and installed from Microsoft
- Software Update Services can assist in automating and managing the distribution of updates
9. Using Security Configuration Manager Tools
- Windows Server 2003 provides tools specifically designed to help configure and manage security settings (Security Configuration Manager tools)
- These tools plus Group Policies can be used to set up a Security Policy template which is administered centrally
10. Using Security Configuration Manager Tools (continued)
- The Security Configuration and Analysis tool will compare a security template to existing settings
- The Security Configuration Manager tools include these components:
  - Security templates
  - Security settings in Group Policy objects
  - Security Configuration and Analysis tool
  - SECEDIT command-line tool
11. Security Templates
- Templates help ensure consistency and ease maintenance across multiple machines
- Templates are text-based files
  - Should not be edited or changed using a text-based editor
- There are a number of pre-defined templates for various settings
13. Activity 14-1: Browsing Security Templates
- Objective: To become familiar with built-in security templates
- Start → Run → type mmc → OK → File → Add/Remove Snap-in → Add
- Locate and view the available templates as directed
- Browse through the available templates and the specific policies associated with them
14. Analyzing the Pre-configured Security Templates
- Network computers can be categorized as
  - Workstations
  - Servers
  - Domain controllers
- Pre-configured templates are applicable to a specific category of computer
- Only Windows Server 2003, Windows XP, and Windows 2000 can use security templates
15. The Default Template
- The Setup Security.inf template contains default security settings applied when Windows Server 2003 is installed
- Contents depend upon the original configuration of the computer (fresh install, upgrade, etc.)
- Allows an administrator to return to the original settings easily
- Should not be applied using Group Policy
16. Incremental Templates
- Modify security configurations incrementally
- Can only be applied on top of default security settings because they do not specify baseline configurations
- Templates include compatws.inf, securews.inf, securedc.inf, hisecws.inf, hisecdc.inf, iesacls.inf, dc security.inf, rootsec.inf
- Custom templates can also be created
17. Applying Security Templates
- Security templates can be applied to the local machine or a domain
- For the local machine
  - Open the Local Security Setting MMC snap-in and import a policy
- For a domain
  - Use Group Policy Objects
  - Security settings from GPOs override local settings
19. Activity 14-2: Creating a Security Template
- Objective: To explore the creation of a custom security template
- Open a New Template from the MMC Security Templates snap-in as directed
- Configure settings for the new template as specified
- Save the template
- View the template file
20. Activity 14-3: Applying Security Template Settings to Group Policy Objects
- Objective: To use Group Policy to deploy security template settings
- Start → Administrative Tools → Active Directory Users and Computers
- Open the Default Domain Policy from the Properties of the domain
- Import the previously created template as directed
- Verify settings
21. Security Configuration and Analysis
- The Security Configuration and Analysis snap-in permits the comparison of current system settings to those configured in templates
- The comparison identifies changes and potential weaknesses
- Multiple templates can be compared at once
- Multiple templates can be combined and saved
- Changes can be made directly within the snap-in by selecting the desired configuration
24. Activity 14-4: Analyzing Security Settings Using Security Configuration and Analysis
- Objective: To use the Security Configuration and Analysis snap-in to compare current configuration with security template settings
- Open the Security Configuration and Analysis snap-in as directed and open a new database
- Import the hisecdc.inf template for comparison
- Perform the analysis
- Review and compare the settings as directed
26. SECEDIT Command-Line Tool
- SECEDIT is a command-line tool used to create and apply security templates and analyze settings
- Can be used where Group Policy cannot be applied
- Six main switches
  - Analyze
  - Configure
  - Export
  - Import
  - Validate
  - GenerateRollback
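Added example (not part of the original slides): a read-only Python version of the comparison that Security Configuration and Analysis and the SECEDIT Analyze switch perform, checking the [System Access] and [Event Audit] values of a template against a settings export. Both INF fragments are constructed samples, the function names are illustrative, and the 0-3 audit encoding (none, success, failure, both) is the one used in security template files.

```python
# Added example; both INF fragments are constructed samples, not real exports.
AUDIT = {"0": "none", "1": "success", "2": "failure", "3": "success+failure"}

TEMPLATE = """[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditObjectAccess = 3
AuditPolicyChange = 3
"""
CURRENT = """[System Access]
MinimumPasswordLength = 0
[Event Audit]
AuditObjectAccess = 1
AuditPolicyChange = 3
"""

def parse_inf(text):
    """Return {section: {key: value}} for an INF-style security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def analyze(template, current, areas=("System Access", "Event Audit")):
    """Return (section, key, wanted, actual) wherever the system differs."""
    findings = []
    for section in areas:
        have = current.get(section, {})
        for key, wanted in template.get(section, {}).items():
            actual = have.get(key, "<not defined>")
            if actual != wanted:
                findings.append((section, key, wanted, actual))
    return findings

def describe(finding):
    section, key, wanted, actual = finding
    if section == "Event Audit":                  # decode the 0-3 audit flags
        wanted, actual = (AUDIT.get(v, v) for v in (wanted, actual))
    return f"[{section}] {key}: template={wanted}, system={actual}"

if __name__ == "__main__":
    for finding in analyze(parse_inf(TEMPLATE), parse_inf(CURRENT)):
        print(describe(finding))
```

Files written by the SECEDIT Export switch are typically UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `parse_inf`.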
27. Auditing Access to Resources and Analyzing Security Logs
- Auditing is used to track events on a network
- An audit policy defines which events should be recorded
  - and whether successes and/or failures should be recorded
- Audited events are written into a security log which can be viewed with Event Viewer
28. Activity 14-5: Exploring Default Auditing Settings
- Objective: To explore the auditing settings of the default domain controller GPO
- Open the Properties of the Domain Controllers OU in Active Directory Users and Computers
- Edit the Default Domain Controllers Policy on the Group Policy tab as directed
- Open the Audit Policy node and browse through the various policy settings
31. Configuring Auditing
- The role of a computer on the network influences how an audit policy is configured
- For member servers or workstations
  - Audit policies are implemented using GPOs assigned to the domain or OUs
- For domain controllers
  - Audit policies are implemented via the Default Domain Controllers Policy applied to the Domain Controllers OU
- For standalone workstations and servers
  - Audit policies are defined using the Local Security Policy tool
32. Requirements and Configuring an Audit Policy
- Requirements
  - You must have proper permissions (Administrators Group or Manage auditing and security log user right)
  - Auditing files and folders can only be done on NTFS volumes
- Configuring an audit policy
  - Configure auditing on events to be monitored and whether logging occurs on success and/or failure
  - Configure auditing on specific resource objects such as files, folders, printers, and Active Directory objects
34. Activity 14-6: Configuring and Testing New Audit Policy Settings
- Objective: To become familiar with changing and testing the configuration of audit policy settings
- Open the Default Domain Controllers Policy GPO auditing settings
- Reconfigure the settings as directed
- Manually refresh the Group Policy settings
- Test the new settings and view results using Event Viewer
35. Auditing Object Access
- When files and folders reside on an NTFS volume, you can monitor attempted and successful accesses of these objects
- Caution: this can result in a large number of events being logged
- Object auditing is configured through the Advanced Security Settings on the resource
- Auditing is also possible for Active Directory objects
37. Activity 14-7: Configuring Auditing on an NTFS Folder
- Objective: To log failed and successful accesses to an NTFS folder
- Create and configure NTFS permissions for a new folder
- Configure auditing settings for the folder
- Test the auditing settings and permissions by attempting to access and delete the folder
- Use Event Viewer to verify correct auditing
39. Best Practices
- Plan carefully before implementing an audit policy
- General guidelines
  - Only audit events that provide truly useful information
  - Review entries in the security log regularly
  - Audit sensitive and confidential information
  - Audit the Everyone group; it includes unauthenticated users
  - Audit the assignment of user rights
  - Audit the Administrators group
40. Analyzing Security Logs
- For each event defined in an audit policy, an entry is written in the Security log if that event occurs
- Use Event Viewer to examine the Security log
- The log provides a summary of the date and time of each event, and the user performing the action
  - More details are available by double-clicking the entry
- Event Viewer provides find and filter options to assist in managing the Security log
43. Activity 14-8: Configuring Event Viewer Log Properties
- Objective: To use the find and filter features in Event Viewer to manage log files
- Open Event Viewer and view the local Security log
- Use the Find feature to locate specific types of events as directed
- Next, use the Filter feature to manage the log, displaying only events meeting specified criteria
- Redisplay all records in the log as directed
44. Configuring Event Viewer
- There are a number of configurable settings that determine the size, number of entries, and overwrite policy in a security log
- Default initial security log size is 16 MB in Windows Server 2003 (up from 512 KB in Windows 2000)
- Settings are configured from the Properties of the Security log in Event Viewer
46. Activity 14-9: Editing Security Log Settings and Saving Events
- Objective: To configure properties of the Security log and save event entries for archiving purposes
- Open the Properties of the Security log through Event Viewer
- Reconfigure the Security log size and overwrite properties as directed
- Save and clear the Security log as noted
- Open the saved log to verify
47. Summary
- Windows Server 2003 offers security-related features in five categories: authentication, access control, encryption, security policies, and service packs and hot fixes
- Windows Server 2003 offers a package of Security Configuration Manager tools
  - Security templates, security settings in GPOs, Security Configuration and Analysis tool, SECEDIT command-line tool
48. Summary (continued)
- Auditing is used to log specific events within a Windows Server 2003 configuration
- An audit policy defines the events to be monitored
- Specific resources and objects can be configured for auditing access attempts
- A Security log contains a record of audited events
- Event Viewer is used to display and manage Security logs