Title: Administering a Security Configuration
1Administering a Security Configuration
- Security Configuration Overview
- Auditing
- Using Security Logs
- User Rights
- Using Security Templates
- Security Configuration and Analysis
- Troubleshooting a Security Configuration
2Security Configuration Overview
- Security Configuration Settings
3Security Areas Configured for a Nonlocal GPO
- Account policies
- Local policies
- Event log
- Restricted groups
- System services
- Registry
- File system
- Public key policies
- IP security policies
4Account Policies Overview
- The account policies security area applies to
user accounts. - Microsoft Windows 2000 allows only one domain
account policy, which is the account policy
applied to the root domain of the domain tree. - The domain account policy becomes the default
account policy of any Windows 2000 workstation or
server that is a member of the domain. - Exception When another account policy is defined
for an OU, the OUs account policy settings
affect the local policy on any computers
contained in the OU, as is the case with a Domain
Controllers OU
5Account Policies Attributes
- Password Policy For domain or local user
accounts, determines settings for passwords such
as enforcement and lifetimes - Account Lockout Policy For domain or local user
accounts, determines when and for whom an account
will be locked out of the system - Kerberos Policy For domain user accounts,
determines Kerberos-related settings, such as
ticket lifetimes and enforcement
6Local Policies Overview
- The local policies security area pertains to the
security settings on the computer used by an
application or user. - Local policies are based on the computer to which
a user logs on and the rights the user has on
that particular computer. - Local policies are local to a computer, by
definition. - When imported to a GPO in Active Directory, local
policies affect the local security settings of
any computer accounts to which that GPO is
applied.
7Local Policies
- Audit Policy
- User Rights Assignment
- Security Options
8Event Log
- The event log security area defines attributes
related to the Application, Security, and System
event logs. - Maximum log size
- Access rights for each log
- Retention settings and methods
- The event log size and log wrapping should be
defined to match the business and security
requirements. - Event log settings should be implemented at the
site, domain, or OU level, to take advantage of
group policy settings.
9Event Log Settings
10Restricted Groups Overview
- The restricted groups security area provides an
important new security feature that acts as a
governor for group membership. - Automatically provides security memberships for
default Windows 2000 groups that have predefined
capabilities. - Any groups considered sensitive or privileged to
the Restricted Groups security list can be added
later.
11Restricted Groups Configuring
- Configuring the restricted groups security area
ensures that group memberships are set as
specified. - Groups and users not specified in restricted
groups are removed from the specific group. - The reverse membership configuration option
ensures that each restricted group is a member of
only those groups specified in the Member Of
column. - Restricted groups should be used primarily to
configure membership of local groups on
workstation or member servers.
12System Services
- The system services security area is used to
configure security and startup settings for
services running on a computer. - Security properties for the service determine
what user or group accounts have the following
permissions Read/Write/Delete/Execute,
inheritance settings, auditing, and ownership
permission. - If choosing an Automatic startup, adequate
testing must be performed to verify that the
services can start without user intervention. - System services used on a computer should be
tracked. - Unnecessary or unused services should be set to
Manual.
13Registry and File System Areas
- Registry security area Used to configure
security on registry keys. - File system security area Used to configure
security on specific file paths. - The Security properties of the registry key or
file path can be edited to determine what user or
group accounts have Read/Write/Delete/Execute
permissions, as well as inheritance settings,
auditing, and ownership permission.
14Policies
- Public key policies Used to configure encrypted
data recovery agents, domain roots, and trusted
certificate authorities - IP security policies Used to configure network
IP security
15Auditing
- Understanding Auditing
- Using an Audit Policy
- Audit Policy Guidelines
- Configuring Auditing
- Setting Up an Audit Policy
- Auditing Access to Files and Folders
- Auditing Access to Active Directory Objects
- Auditing Access to Printers
- Auditing Practices
- Practice Auditing Resources and Events
16Understanding Auditing
- Auditing The process of tracking both user
activities and Windows 2000 activities, called
events. - Auditing is used to specify which events are
written to the security log. - An audit entry in the security log contains
- The action that was performed.
- The user who performed the action.
- The success or failure of the event and when the
event occurred.
17Using an Audit Policy
- An audit policy defines the categories of events
that Windows 2000 records in the security log on
each computer. - The security log allows specified events to be
tracked. - Windows 2000 writes an event to the security log
on the computer where the event occurs.
18General Audit Policy Guidelines
- Determine the computers on which to set up
auditing. - Auditing is turned off by default.
- Plan the events to audit on each computer.
- Determine whether to audit the success of events,
failure of events, or both. - Tracking successful events identifies which users
gained access to specific files, printers, or
objects, information that can be used for
resource planning. - Tracking failed events may alert the
administrator of possible security breaches.
19Other Policy Guidelines
- Determine whether to track trends of system
usage. - Review security logs frequently.
- Define an audit policy that is useful and
manageable. - Audit resource access by the Everyone group
instead of the Users group. - Audit all administrative tasks by the
administrative groups.
20Configuring Auditing Overview
- An audit policy is implemented based on the role
of the computer in the Windows 2000 network. - The event categories on a domain controller are
identical to those on a computer that is not a
domain controller.
21Computer Roles
- For member or stand-alone servers and computers
running Windows 2000 Professional - An audit policy is set for each individual
computer. - Events are audited by configuring a local group
policy for that computer. - Domain controllers
- An audit policy is set for all domain controllers
in the domain. - Events are audited by configuring the audit
policy in a nonlocal GPO for the domain, which
applies to all DCs and is accessible through the
Domain Controllers OU.
22Auditing Requirements
- The Manage Auditing And Security Log user right
for the computer is necessary to configure an
audit policy or review an audit log. - Files and folders to be audited must be on
Microsoft Windows NTFS volumes.
23Setting Up Auditing
- Set the audit policy Enables auditing of objects
but does not activate auditing of specific types - Enable auditing of specific resources The
specific events to track for files, folders,
printers, and Active Directory objects must be
identified - Windows 2000 then tracks and logs the specified
events.
24Setting Up an Audit Policy
- Categories of events that Windows 2000 audits are
selected. - Configuration settings indicate whether to track
successful or failed attempts for each event
category to be audited. - Audit policies are set in the Group Policy
snap-in. - The security log is limited in size.
- The events to be audited must be selected
carefully. - The amount of disk space to devote to the
security log must be considered.
25Types of Events Audited by Windows 2000
- Account logon
- Account management
- Directory service access
- Logon events
- Object access
- Policy change
- Privilege use
- Process tracking
- System events
26Auditing Access to Files and Folders
- If security breaches are an issue for an
organization, auditing should be set up for files
and folders on NTFS partitions. - To audit user access to files and folders, the
Audit Object Access event category is set in the
audit policy. - After Audit Object Access is set in the audit
policy, auditing for specific files and folders
is enabled, specifying which types of access to
audit, either by users or by groups.
27Auditing Entry For Dialog Box
28User Events
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes and Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes and Write Extended Attributes
- Delete Subfolders And Files
- Read Permissions
- Change Permissions
- Take Ownership
29Auditing Access to Active Directory Objects
- Similar to auditing file and folder access.
- An audit policy must be configured, and then
auditing for specific objects must be set by
specifying which types of access, and by whom, to
audit. - Active Directory objects are audited to track
access to them. - The Audit Directory Service Access event category
is set in the audit policy to enable auditing of
user access to AD objects.
30Auditing Entry For Dialog Box
31Active Directory Object Events
- Full Control
- List Contents
- Read All Properties
- Write All Properties
- Create All Child Objects
- Delete All Child Objects
- Read Permissions
- Modify Permissions
- Modify Owner
32Auditing Access to Printers
- Use auditing to track access to sensitive
printers. - Set the Audit Object Access event category in the
audit policy, which includes printers. - Enable auditing for specific printers and specify
the types of access, and by whom, to audit. - Use the same procedure used to set up auditing on
files and folders.
33Auditing Entry For Dialog Box
34RecommendedAudit Events
35Using Security Logs
- Understanding Windows 2000 Logs
- Viewing Security Logs
- Locating Events
- Filtering Events
- Configuring Security Logs
- Archiving Security Logs
- Practice Using the Security Log
36Security Log Overview
- The security log contains information on security
events specified in the audit policy. - To view the security log, use the Event Viewer
console. - Event Viewer also allows specific events within
the log files to be found, the events shown in
log files to be filtered, and archive security
log files to be archived.
37Understanding Windows 2000 Logs
- Three logs are available to view in Event Viewer
by default. - All users can view application and system logs.
- Security logs are accessible only to system
administrators. - Security logging is turned off by default.
- Group policy must be used at the appropriate
level to set up an audit policy.
38Logs Maintained by Windows 2000
- Application log
- Contains errors, warnings, or information that
programs, such as a database program or an e-mail
program, generate. - The program developer presets which events to
record. - Security log
- Contains information about the success or failure
of audited events. - The events Windows 2000 records are a result of
the audit policy. - System log
- Contains errors, warnings, and information that
Windows 2000 generates. - Windows 2000 presets which events to record.
39Viewing Security Logs
- The security log contains information about
events monitored by an audit policy, such as
failed and successful logon attempts. - Windows 2000 records events in the security log
on the computer at which the event occurred. - Events can be viewed from any computer with
assigned administrative privileges for the
computer where the events occurred.
40Event Viewer
41Locating Events
- Event Viewer automatically displays all events
recorded in the security log when its first
started. - The Find command is used to search for specific
events.
42The Find In Dialog Box
43Options on the Find In Dialog Box
44Filtering Events
- The Filter command displays specific events that
appear in the security log. - The Filter command is used to narrow down the
displayed events.
45Options on the Filter Tab of the Security
LogProperties Dialog Box
46Configuring Security Logs
- Security logging begins when an audit policy is
set for the domain controller or local computer. - Security logging stops when the security log
becomes full and cannot overwrite itself an
error may be written to the application log. - A full security log is avoided by logging only
key events. - The properties of each individual audit log can
be configured.
47Security Log
- When the security log is full and no more events
can be logged, the log can be freed by manually
clearing it. - Clearing the log erases all events permanently.
- Reducing the amount of time that an event log is
kept frees the log if it allows the next record
to be overwritten.
48Archiving Security Logs
- Archiving maintains a history of security-related
events. - Archived logs often are kept for a specified
period, to track security-related information
over time. - The entire log is saved, regardless of filtering
options. - Event Viewer is used to reopen a log archived in
a log-file format.
49Archiving Security Logs (cont)
- Logs saved as event logs (.evt) retain the binary
data for each event recorded. - Logs archived in text or comma-delimited format
(.txt and .csv, respectively) can be reopened in
other programs, such as word processing or
spreadsheet programs. - Logs saved in text or comma-delimited format do
not retain the binary data. - An archived log is removed from the system by
deleting the file in Windows Explorer.
50User Rights
- User Rights
- Privileges
- Logon Rights
- Assigning User Rights
51User Rights Overview
- Specific rights can be assigned to group accounts
or to individual user accounts. - Authorize users to perform specific actions.
- Differ from permissions, because user rights
apply to user accounts, whereas permissions are
attached to objects. - Because user rights are part of a GPO, they can
be overridden depending on the GPO affecting the
user.
52User Rights Administration
- User rights define the capabilities of a user at
a local level. - User rights can be applied to individual user
accounts, but are best administered on a group
account basis. - Ensures that a user logging on as a member of a
group automatically inherits the rights
associated with that group - Simplifies user account administration by
associating user rights to groups rather than
individual users
53User Rights Assignment
- User rights assigned to a group are applied to
all members of the group while they remain
members. - User rights are cumulative when a user is a
member of multiple groups. - A user can have more than one set of rights.
- Possible conflicts of user rights may occur in
the case of certain logon rights. - Generally, user rights assigned to one group do
not conflict with the rights assigned to another
group. - To remove rights from a user, the user is removed
from the group. - The two types of user rights are privileges and
logon rights.
54Privileges
- Specify allowable user actions on the network.
- Some privileges can override permissions set on
an object. - A user right takes precedence over all file and
directory permissions.
55Logon Rights Overview
- Logon rights specify the ways in which a user can
log on to a system. - The special user account LocalSystem has almost
all privileges and logon rights assigned to it,
because all processes running as part of the OS
are associated with this account. - OS processes require a complete set of user
rights.
56Logon Rights
57Assigning User Rights
- Assigning user rights eases the task of user
account administration by assigning user rights
primarily to group accounts, rather than to
individual user accounts. - Assigning rights to a group account automatically
assigns those rights to users when they become a
member of that group.
58Using Security Templates
- Security Templates Overview
- Security Template Uses
- Predefined Security Templates
- Managing Security Templates
- Practice Managing Security Templates
59Using Security Templates Overview
- Windows 2000 provides a centralized method of
defining security using security templates. - A security template is a physical representation
of a security configuration, a file in which a
group of security settings are stored. - Locating all security settings in one place
streamlines security administration. - Each template is saved as a text-based .inf file,
which allows some or all of the template
attributes to be copied, pasted, imported, or
exported. - All security attributes can be contained in a
security template, except IP Security and Public
Key policies.
60Security Templates Uses
- The security settings in the local GPO are the
initial settings applied to a computer. - The local security settings can be exported to a
security template file to preserve initial system
security settings, which enables the restoration
of the initial security settings at any later
point.
61Security Templates Importing
- A security template file can be imported to a
local or nonlocal GPO. - Any computer or user accounts in the site,
domain, or OU to which the GPO is applied will
receive the security template settings. - Importing a security template to a GPO eases
domain administration by configuring security for
multiple computers at once.
62Security Templates Exporting
- The local security settings are exported to a
security template file to preserve initial system
security settings. - Both local and effective security settings can be
exported to a security template. - Initial system settings are preserved.
- Local security settings are available for
restoration later because domain-based GPOs
override the local GPO. - By exporting the effective security settings to a
security template, the settings can be imported
into a security database, new templates can be
overlaid, and potential conflicts can be analyzed.
63Predefined Security Templates
- Windows 2000 includes a set of predefined
security templates. - Each predefined template is based on the role of
a computer and common security scenarios, from
security settings for low-security domain clients
to highly secure domain controllers. - Predefined templates can be used as provided, can
be modified, or can serve as a basis for creating
custom security templates. - By default, predefined security templates are
stored in the systemroot\Security\Templates
folder.
64Security Levels
- Basic BASIC.INF
- Compatible COMPAT.INF
- Secure SECURE.INF
- Highly Secure HISEC.INF
65Tasks for Managing Security Templates
- Accessing the Security Templates console
- Customizing a predefined security template
- Defining a new security template
- Importing a security template to a local and
nonlocal GPO - Exporting security settings to a security template
66Security Templates Console
67Security Configuration and Analysis
- How the Security Configuration and Analysis
Console Works - Security Configuration
- Security Analysis
- Using Security Configuration and Analysis
- Practice Using Security Configuration and
Analysis
68Security Configuration and Analysis Overview
- Security Configuration and Analysis is a tool
that offers the ability to configure security,
analyze security, view results, and resolve any
discrepancies revealed by analysis. - This tool is located on the Security
Configuration and Analysis console.
69How the Security Configuration and Analysis
Console Works
- The console uses a database to perform
configuration and analysis functions. - The database is a computer-specific data store.
- The database architecture allows the use of
personal databases, security template import and
export, and the combination of multiple security
templates into one composite security template
that can be used for analysis or configuration. - New security templates can be incrementally added
to the database to create a composite security
template. - Overwriting a template is also an option.
- Personal databases can be created for storing
customized security templates.
70Security Configuration
- The Security Configuration and Analysis console
can be used to configure local system security. - Security templates created with the Security
Templates console can be imported and applied to
the GPO for the local computer. - System security is immediately configured with
the levels specified in the template.
71Security Analysis
- The state of the OS and applications on a
computer is dynamic. - Changes made to meet specific needs may not be
reversed when the requirement is finished. - The computer may no longer meet the requirements
for enterprise security. - The Security Configuration and Analysis console
allows administrators to perform a quick security
analysis. - In the analysis, recommendations are presented
alongside current system settings icons or
remarks are used to highlight any areas where the
current settings do not match the proposed level
of security.
72Security Analysis (cont)
- The Security Configuration and Analysis console
offers the ability to resolve any discrepancies
revealed by analysis. - Regular analysis enables an administrator to
track and ensure an adequate level of security on
each computer as part of an enterprise risk
management program. - Analysis is highly specified and information
about all system aspects related to security is
provided in the results. - Enables an administrator to tune the security
levels and to detect any security flaws that may
occur in the system over time.
73Tasks For Using Security Configuration and
Analysis
- Access the Security Configuration and Analysis
console. - Set a working security database.
- Import a security template into a security
database. - Analyze system security.
- View security analysis results.
- Configure system security.
- Export security database settings to a security
template.
74Importing a Security Template into a Security
Database
- Several different templates can be merged into
one composite template that can be used for
analysis or configuration of a system, by
importing each template into a working database. - The database will merge the various templates to
create one composite template, resolving
conflicts in order of import the last template
imported takes precedence when there is
contention. - Templates will not be merged into a composite
template if overwrite is chosen. - Once the templates are imported to the selected
database, the system can be analyzed or
configured.
75Analyzing System Security
- The Security Configuration and Analysis console
compares the current state of the system security
against a security template that has been
imported to a personal database. - This template is the database configuration that
contains the preferred or recommended security
settings for that system. - Security Configuration and Analysis queries the
systems security settings for all security areas
in the database configuration. - Values found are compared to the database
configuration. - If the current system settings match the database
configuration settings, they are assumed to be
correct. - The policies in question are displayed as
potential problems that need investigation.
76Viewing Security Analysis Results
- The Security Configuration and Analysis console
displays the analysis results organized by
security area with visual flags to indicate
problems. - The current database and computer configuration
settings are displayed for each security policy
in the security area.
77Analysis Results for Password Policy
78Configuring System Security
- The Security Configuration and Analysis console
offers the ability to resolve any discrepancies
revealed by analysis. - The import process can be repeated and multiple
templates can be loaded. - The database merges the various templates to
create one composite template, resolving
conflicts in order or import. - The last template imported takes precedence when
there is contention. - After the templates are imported to the database,
choosing Configure System Now applies the stored
template to the system. - Using the Security Configuration and Analysis
console is not recommended when analyzing
security for domain-based clients, because going
to each client individually would be necessary. - When analyzing security for domain-based clients,
it is best to return to the Security Templates
console, modify the template, and reapply it to
the appropriate GPO.
79Exporting Security Templates
- The export feature provides the ability to save a
security database configuration as a new template
file that can be - Imported into other databases
- Used as is to analyze or configure a system
- Redefined with the Security Templates console
80Troubleshooting a Security Configuration
- Symptoms
- Received error message Event message Event ID
1202, Event source scecli, Warning (0xx) occurs
to apply security policies. - Received error message Failed To Open The Group
Policy Object. - Modified security settings are not taking effect.
- Policies do not migrate from Windows NT 4.0 to
Windows 2000.
81Symptom Received Error Message Event Message
Event ID 1202, Event Source scecli, Warning
(0xx) Occurs to Apply Security Policies
- Cause Group policy was not refreshed after
changes were made - Solution Trigger another application of group
policy settings or local policy refresh by using
the Secedit command-line tool to refresh security
settings
82Symptom Received Error Message Failed To Open
The Group Policy Object
- Cause The most likely causes for this error are
network-related - Solution Check the DNS configuration for the
following - Make sure no stale entries exist in the DNS
database. - Resolve local DNS servers and ISP DNS server
entries.
83Symptom Modified Security Settings are Not
Taking Effect
- Causes
- Any policies configured locally may be overridden
by like policies specified in the domain. - If the setting shows up in local policy but not
in effective policy, it implies that a policy
from the domain is overriding the setting. - As group policy changes are applied periodically,
it is likely that the policy changes made in the
directory have not yet been refreshed in the
computer. - Solution Manually do a policy refresh by typing
the following at the command line secedit
/refreshpolicy machine_policy
84Symptom Policies Do Not Migrate from Windows NT
4.0 to Windows 2000
- Cause Windows NT 4.0 policies cannot be migrated
to Windows 2000 - Solution
- Windows NT 4.0 clients accessing a Windows 2000
Server computer, and Windows 2000 Professional
clients accessing a Windows NT 4.0 Server
computer, will use the Netlogon share. - With Windows 2000 Server, when a Windows NT 4.0
client is upgraded to Windows 2000, it will get
only Active Directorybased group policy settings
and not Windows NT 4.0style policies. - Although Windows NT 4.0style policies may be
enabled if the administrator chooses to do so,
this practice is strongly discouraged. - Because Windows NT 4.0style policies are applied
only during the logon process, both computer and
user settings are processed (but not optimal
behavior).