70290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Wind - PowerPoint PPT Presentation

Slides: 49
Provided by: SusanL165
Transcript and Presenter's Notes

1
70-290: MCSE Guide to Managing a Microsoft
Windows Server 2003 Environment, Enhanced
Chapter 14: Windows Server 2003 Security Features
2
Objectives
  • Identify the various elements and techniques that
    can be used to secure a Windows Server 2003
    system
  • Use Security Configuration and Analysis tools to
    configure and review security settings
  • Audit access to resources and review Security log
    settings

3
Securing Your Windows 2003 System
  • Five broad categories of security-related
    features:
      • Authentication
      • Access control
      • Encryption
      • Security policies
      • Service packs and hot fixes

4
Authentication
  • The most basic level is requiring a user ID and
    password to log on to a system
  • In a domain environment, authentication is
    centralized on the network, while in a workgroup
    environment, authentication is local
  • In a domain environment, a single authentication
    can provide access to multiple domains and
    forests
  • Additional authentication methods can apply to
    other services (e.g., IIS)

5
Access Control
  • Access control is used to secure resources such
    as files, folders, and printers
  • Common types of access control are NTFS and
    shared folder permissions, printer permissions,
    and Active Directory object permissions
  • The principle of least privilege implies that
    users should only have the access that they
    really need

6
Encryption
  • Confidential files can be encrypted using the
    Encrypting File System (EFS) for local files
    stored on NTFS volumes
  • EFS uses a combination of public and private keys
  • The IPSec protocol can encrypt the contents of
    packets sent across a TCP/IP network
  • There are two IPSec modes: transport and tunnel
  • IPSec is used to make it difficult for hackers to
    intercept sensitive network data

7
Security Policies
  • Security policy settings can be configured from
    the Local Security Policy and Group Policy Object
    Editor MMC snap-ins
  • Security policies control a range of security
    settings
  • Windows Server 2003 includes tools that analyze
    policy settings compared to pre-configured
    security templates:
      • Security Configuration and Analysis MMC snap-in
      • Command-line SECEDIT utility

8
Service Packs and Hot Fixes
  • Many critical updates and patches are related to
    security issues
  • Hot fixes address a specific identified issue
  • A service pack is a cumulative collection of hot
    fixes and updates
  • Service packs and hot fixes can be downloaded and
    installed from Microsoft
  • Software Update Services can assist in automating
    and managing the distribution of updates

9
Using Security Configuration Manager Tools
  • Windows Server 2003 provides tools specifically
    designed to help configure and manage security
    settings (Security Configuration Manager tools)
  • These tools plus Group Policies can be used to
    set up a Security Policy template which is
    administered centrally

10
Using Security Configuration Manager Tools
(continued)
  • The Security Configuration and Analysis tool will
    compare a security template to existing settings
  • The Security Configuration Manager tools include
    these components:
      • Security templates
      • Security settings in Group Policy objects
      • Security Configuration and Analysis tool
      • SECEDIT command-line tool

11
Security Templates
  • Templates help ensure consistency and ease
    maintenance across multiple machines
  • Templates are text-based files
      • Should not be edited or changed using a
        text-based editor
  • There are a number of pre-defined templates for
    various settings

12
Security Templates (continued)
13
Activity 14-1 Browsing Security Templates
  • Objective: To become familiar with built-in
    security templates
  • Start → Run → type mmc → OK → File → Add/Remove
    Snap-in → Add
  • Locate and view the available templates as
    directed
  • Browse through the available templates and the
    specific policies associated with them

14
Analyzing the Pre-configured Security Templates
  • Network computers can be categorized as:
      • Workstations
      • Servers
      • Domain controllers
  • Pre-configured templates are applicable to a
    specific category of computer
  • Only Windows Server 2003, Windows XP, and Windows
    2000 can use security templates

15
The Default Template
  • The Setup Security.inf template contains default
    security settings applied when Windows Server
    2003 is installed
  • Contents depend upon the original configuration
    of computer (fresh install, upgrade, etc.)
  • Allows an administrator to return to original
    settings easily
  • Should not be applied using Group Policy

16
Incremental Templates
  • Modify security configurations incrementally
  • Can only be applied on top of default security
    settings because they do not specify baseline
    configurations
  • Templates include compatws.inf, securews.inf,
    securedc.inf, hisecws.inf, hisecdc.inf,
    iesacls.inf, dc security.inf, rootsec.inf
  • Custom templates can also be created

17
Applying Security Templates
  • Security templates can be applied to a local
    machine or a domain
  • For a local machine:
      • Open Local Security Setting MMC snap-in and
        import a policy
  • For a domain:
      • Use Group Policy Objects
  • Security settings from GPOs override local
    settings

18
Applying Security Templates (continued)
19
Activity 14-2 Creating a Security Template
  • Objective: to explore the creation of a custom
    security template
  • Open a New Template from the MMC Security
    Templates snap-in as directed
  • Configure settings for the new template as
    specified
  • Save the template
  • View the template file

20
Activity 14-3 Applying Security Template
Settings to Group Policy Objects
  • Objective: to use Group Policy to deploy
    security template settings
  • Start → Administrative Tools → Active Directory
    Users and Computers
  • Open the Default Domain Policy from the
    Properties of the domain
  • Import the previously created template as
    directed
  • Verify settings

21
Security Configuration and Analysis
  • The Security Configuration and Analysis snap-in
    permits the comparison of current system settings
    to those configured in templates
  • The comparison identifies changes and potential
    weaknesses
  • Multiple templates can be compared at once
  • Multiple templates can be combined and saved
  • Changes can be made directly within the snap-in
    by selecting the desired configuration

22
Security Configuration and Analysis (continued)
23
Activity 14-2 Creating a Security Template
(continued)
24
Activity 14-4 Analyzing Security Settings Using
Security Configuration and Analysis
  • Objective: To use the Security Configuration and
    Analysis snap-in to compare current configuration
    with security template settings
  • Open the Security Configuration and Analysis
    snap-in as directed and open a new database
  • Import the hisecdc.inf template for comparison
  • Perform the analysis
  • Review and compare the settings as directed

25
Activity 14-4 (continued)
26
SECEDIT Command-Line Tool
  • SECEDIT is a command-line tool used to create and
    apply security templates and analyze settings
  • Can be used where Group Policy cannot be applied
  • Six main switches:
      • Analyze
      • Configure
      • Export
      • Import
      • Validate
      • GenerateRollback
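
The comparison performed by Security Configuration and Analysis and by SECEDIT's Analyze switch can be pictured with the short Python sketch below. It is an added example, not part of the original slides and not Microsoft's tool; the two INF texts and their values are constructed sample data, and only the account policy and audit policy sections are compared.

```python
# Constructed sample data (not from the slides): a template and the kind of
# settings export that "secedit /export" writes, both in INF format.
TEMPLATE_INF = """[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
"""
CURRENT_INF = """[System Access]
MinimumPasswordLength = 7
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditPolicyChange = 3
"""
# Audit settings are stored as a bit mask: 1 = success, 2 = failure.
AUDIT = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}

def parse_inf(text):
    """Return {section: {key: value}} for an INF-style security template."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def analyze(template, current, areas=("System Access", "Event Audit")):
    """Return (section, key, template value, current value) per mismatch."""
    findings = []
    for section in areas:
        for key, want in template.get(section, {}).items():
            have = current.get(section, {}).get(key, "Not defined")
            if have != want:
                if section == "Event Audit":  # show audit masks as text
                    want, have = AUDIT.get(want, want), AUDIT.get(have, have)
                findings.append((section, key, want, have))
    return findings

if __name__ == "__main__":
    for finding in analyze(parse_inf(TEMPLATE_INF), parse_inf(CURRENT_INF)):
        print("%-13s %-21s template=%-16s current=%s" % finding)
```

A setting present in the template but absent from the current configuration is reported as "Not defined", so missing audit categories show up alongside weaker values.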

27
Auditing Access to Resources and Analyzing
Security Logs
  • Auditing is used to track events on a network
  • An audit policy defines which events should be
    recorded and whether successes and/or failures
    should be recorded
  • Audited events are written into a security log
    which can be viewed with Event Viewer

28
Activity 14-5 Exploring Default Auditing Settings
  • Objective: to explore the auditing settings of
    the default domain controller GPO
  • Open the Properties of the Domain Controllers OU
    in Active Directory Users and Computers
  • Edit the Default Domain Controllers Policy on the
    Group Policy tab as directed
  • Open the Audit Policy node and browse through the
    various policy settings

29
Activity 14-5 (continued)
30
Activity 14-5 (continued)
31
Configuring Auditing
  • The role of a computer on the network influences
    how an audit policy is configured
  • For member servers or workstations:
      • Audit policies are implemented using GPOs
        assigned to the domain or OUs
  • For domain controllers:
      • Audit policies are implemented via the Default
        Domain Controllers Policy applied to the Domain
        Controllers OU
  • For standalone workstations and servers:
      • Audit policies are defined using the Local
        Security Policy tool

32
Requirements and Configuring an Audit Policy
  • Requirements:
      • You must have proper permissions (Administrators
        group or the Manage auditing and security log
        user right)
      • Auditing files and folders can only be done on
        NTFS volumes
  • Configuring an audit policy:
      • Configure auditing on events to be monitored and
        whether logging occurs on success and/or failure
      • Configure auditing on specific resource objects
        such as files, folders, printers, and Active
        Directory objects

33
Configuring an Audit Policy (continued)
34
Activity 14-6 Configuring and Testing New Audit
Policy Settings
  • Objective: to become familiar with changing and
    testing the configuration of audit policy
    settings
  • Open the Default Domain Controllers Policy GPO
    auditing settings
  • Reconfigure the settings as directed
  • Manually refresh the Group Policy settings
  • Test the new settings and view results using
    Event Viewer

35
Auditing Object Access
  • When files and folders reside on an NTFS volume,
    you can monitor attempted and successful accesses
    of these objects
  • Caution -- this can result in a large number of
    events being logged
  • Object auditing is configured through the
    Advanced Security Settings on the resource
  • Auditing is also possible for Active Directory
    objects

36
Auditing Object Access (continued)
37
Activity 14-7 Configuring Auditing on an NTFS
Folder
  • Objective: to log failed and successful accesses
    to an NTFS folder
  • Create and configure NTFS permissions for a new
    folder
  • Configure auditing settings for the folder
  • Test the auditing settings and permissions by
    attempting to access and delete the folder
  • Use Event Viewer to verify correct auditing

38
Activity 14-7 (continued)
39
Best Practices
  • Plan carefully before implementing an audit
    policy
  • General guidelines:
      • Only audit events that provide truly useful
        information
      • Review entries in the security log regularly
      • Audit sensitive and confidential information
      • Audit the Everyone group (it includes
        unauthenticated users)
      • Audit the assignment of user rights
      • Audit the Administrators group

40
Analyzing Security Logs
  • For each event defined in an audit policy, an
    entry is written in the Security log if that
    event occurs
  • Use Event Viewer to examine the Security log
  • The log provides a summary of the date and time
    of each event, and the user performing the action
      • More details are available by double-clicking
        the entry
  • Event Viewer provides find and filter options to
    assist in managing the Security log

41
Analyzing Security Logs (continued)
42
Analyzing Security Logs (continued)
43
Activity 14-8 Configuring Event Viewer Log
Properties
  • Objective: to use the find and filter features in
    Event Viewer to manage log files
  • Open Event Viewer and view local Security log
  • Use the Find feature to locate specific types of
    events as directed
  • Next, use the Filter feature to manage the log,
    displaying only events meeting specified criteria
  • Redisplay all records in the log as directed

44
Configuring Event Viewer
  • There are a number of configurable settings that
    determine the size, number of entries, and
    overwrite policy in a security log
  • Default initial security log size is 16 MB in
    Windows Server 2003 (up from 512 KB in Windows 2000)
  • Settings are configured from the Properties of
    the Security log in Event Viewer

45
Configuring Event Viewer (continued)
46
Activity 14-9 Editing Security Log Settings and
Saving Events
  • Objective: to configure properties of the
    Security log and save event entries for archiving
    purposes
  • Open the Properties of the Security log through
    Event Viewer
  • Reconfigure the Security log size and overwrite
    properties as directed
  • Save and clear the Security log as noted
  • Open the saved log to verify

47
Summary
  • Windows Server 2003 offers security-related
    features in five categories: authentication,
    access control, encryption, security policies,
    and service packs and hot fixes
  • Windows Server 2003 offers a package of Security
    Configuration Manager tools:
      • Security templates, security settings in GPOs,
        Security Configuration and Analysis tool, SECEDIT
        command-line tool

48
Summary (continued)
  • Auditing is used to log specific events within a
    Windows Server 2003 configuration
  • An audit policy defines the events to be
    monitored
  • Specific resources and objects can be configured
    for auditing access attempts
  • A Security log contains a record of audited events
  • Event Viewer is used to display and manage
    Security logs