Administering a Security Configuration

1
Administering a Security Configuration

• Security Configuration Overview
• Auditing
• Using Security Logs
• User Rights
• Using Security Templates
• Security Configuration and Analysis
• Troubleshooting a Security Configuration

2
Security Configuration Overview

• Security Configuration Settings

3
Security Areas Configured for a Nonlocal GPO

• Account policies
• Local policies
• Event log
• Restricted groups
• System services
• Registry
• File system
• Public key policies
• IP security policies

4
Account Policies Overview

• The account policies security area applies to
  user accounts.
• Microsoft Windows 2003 allows only one domain
  account policy, which is the account policy
  applied to the root domain of the domain tree.
• The domain account policy becomes the default
  account policy of any Windows 2003 workstation or
  server that is a member of the domain.
• Exception When another account policy is defined
  for an OU, the OUs account policy settings
  affect the local policy on any computers
  contained in the OU, as is the case with a Domain
  Controllers OU

5
Account Policies Attributes

• Password Policy For domain or local user
  accounts, determines settings for passwords such
  as enforcement and lifetimes
• Account Lockout Policy For domain or local user
  accounts, determines when and for whom an account
  will be locked out of the system
• Kerberos Policy For domain user accounts,
  determines Kerberos-related settings, such as
  ticket lifetimes and enforcement

6
Local Policies Overview

• The local policies security area pertains to the
  security settings on the computer used by an
  application or user.
• Local policies are based on the computer to which
  a user logs on and the rights the user has on
  that particular computer.
• Local policies are local to a computer, by
  definition.
• When imported to a GPO in Active Directory, local
  policies affect the local security settings of
  any computer accounts to which that GPO is
  applied.

7
Local Policies

• Audit Policy
• User Rights Assignment
• Security Options

8
Event Log

• The event log security area defines attributes
  related to the Application, Security, and System
  event logs.
• Maximum log size
• Access rights for each log
• Retention settings and methods
• The event log size and log wrapping should be
  defined to match the business and security
  requirements.
• Event log settings should be implemented at the
  site, domain, or OU level, to take advantage of
  group policy settings.

9
Event Log Settings
10
Restricted Groups Overview

• The restricted groups security area provides an
  important new security feature that acts as a
  governor for group membership.
• Automatically provides security memberships for
  default Windows 2003 groups that have predefined
  capabilities.
• Any groups considered sensitive or privileged to
  the Restricted Groups security list can be added
  later.

11
Restricted Groups Configuring

• Configuring the restricted groups security area
  ensures that group memberships are set as
  specified.
• Groups and users not specified in restricted
  groups are removed from the specific group.
• The reverse membership configuration option
  ensures that each restricted group is a member of
  only those groups specified in the Member Of
  column.
• Restricted groups should be used primarily to
  configure membership of local groups on
  workstation or member servers.

12
System Services

• The system services security area is used to
  configure security and startup settings for
  services running on a computer.
• Security properties for the service determine
  what user or group accounts have the following
  permissions Read/Write/Delete/Execute,
  inheritance settings, auditing, and ownership
  permission.
• If choosing an Automatic startup, adequate
  testing must be performed to verify that the
  services can start without user intervention.
• System services used on a computer should be
  tracked.
• Unnecessary or unused services should be set to
  Manual.

13
Registry and File System Areas

• Registry security area Used to configure
  security on registry keys.
• File system security area Used to configure
  security on specific file paths.
• The Security properties of the registry key or
  file path can be edited to determine what user or
  group accounts have Read/Write/Delete/Execute
  permissions, as well as inheritance settings,
  auditing, and ownership permission.

14
Policies

• Public key policies Used to configure encrypted
  data recovery agents, domain roots, and trusted
  certificate authorities
• IP security policies Used to configure network
  IP security

15
Auditing

• Understanding Auditing
• Using an Audit Policy
• Audit Policy Guidelines
• Configuring Auditing
• Setting Up an Audit Policy
• Auditing Access to Files and Folders
• Auditing Access to Active Directory Objects
• Auditing Access to Printers
• Auditing Practices
• Practice Auditing Resources and Events

16
Understanding Auditing

• Auditing The process of tracking both user
  activities and Windows 2003 activities, called
  events.
• Auditing is used to specify which events are
  written to the security log.
• An audit entry in the security log contains
• The action that was performed.
• The user who performed the action.
• The success or failure of the event and when the
  event occurred.

17
Using an Audit Policy

• An audit policy defines the categories of events
  that Windows 2003 records in the security log on
  each computer.
• The security log allows specified events to be
  tracked.
• Windows 2003 writes an event to the security log
  on the computer where the event occurs.

18
General Audit Policy Guidelines

• Determine the computers on which to set up
  auditing.
• Auditing is turned off by default.
• Plan the events to audit on each computer.
• Determine whether to audit the success of events,
  failure of events, or both.
• Tracking successful events identifies which users
  gained access to specific files, printers, or
  objects, information that can be used for
  resource planning.
• Tracking failed events may alert the
  administrator of possible security breaches.

19
Other Policy Guidelines

• Determine whether to track trends of system
  usage.
• Review security logs frequently.
• Define an audit policy that is useful and
  manageable.
• Audit resource access by the Everyone group
  instead of the Users group.
• Audit all administrative tasks by the
  administrative groups.

20
Configuring Auditing Overview

• An audit policy is implemented based on the role
  of the computer in the Windows 2003 network.
• The event categories on a domain controller are
  identical to those on a computer that is not a
  domain controller.

21
Computer Roles

• For member or stand-alone servers and computers
  running Windows 2003 Professional
• An audit policy is set for each individual
  computer.
• Events are audited by configuring a local group
  policy for that computer.
• Domain controllers
• An audit policy is set for all domain controllers
  in the domain.
• Events are audited by configuring the audit
  policy in a nonlocal GPO for the domain, which
  applies to all DCs and is accessible through the
  Domain Controllers OU.

22
Auditing Requirements

• The Manage Auditing And Security Log user right
  for the computer is necessary to configure an
  audit policy or review an audit log.
• Files and folders to be audited must be on
  Microsoft Windows NTFS volumes.

23
Setting Up Auditing

• Set the audit policy Enables auditing of objects
  but does not activate auditing of specific types
• Enable auditing of specific resources The
  specific events to track for files, folders,
  printers, and Active Directory objects must be
  identified
• Windows 2003 then tracks and logs the specified
  events.

24
Setting Up an Audit Policy

• Categories of events that Windows 2003 audits are
  selected.
• Configuration settings indicate whether to track
  successful or failed attempts for each event
  category to be audited.
• Audit policies are set in the Group Policy
  snap-in.
• The security log is limited in size.
• The events to be audited must be selected
  carefully.
• The amount of disk space to devote to the
  security log must be considered.

25
Types of Events Audited by Windows 2003

• Account logon
• Account management
• Directory service access
• Logon events
• Object access
• Policy change
• Privilege use
• Process tracking
• System events

26
Auditing Access to Files and Folders

• If security breaches are an issue for an
  organization, auditing should be set up for files
  and folders on NTFS partitions.
• To audit user access to files and folders, the
  Audit Object Access event category is set in the
  audit policy.
• After Audit Object Access is set in the audit
  policy, auditing for specific files and folders
  is enabled, specifying which types of access to
  audit, either by users or by groups.

27
Auditing Entry For Dialog Box
28
User Events

• Traverse Folder/Execute File
• List Folder/Read Data
• Read Attributes and Read Extended Attributes
• Create Files/Write Data
• Create Folders/Append Data
• Write Attributes and Write Extended Attributes
• Delete Subfolders And Files
• Read Permissions
• Change Permissions
• Take Ownership

29
Auditing Access to Active Directory Objects

• Similar to auditing file and folder access.
• An audit policy must be configured, and then
  auditing for specific objects must be set by
  specifying which types of access, and by whom, to
  audit.
• Active Directory objects are audited to track
  access to them.
• The Audit Directory Service Access event category
  is set in the audit policy to enable auditing of
  user access to AD objects.

30
Auditing Entry For Dialog Box
31
Active Directory Object Events

• Full Control
• List Contents
• Read All Properties
• Write All Properties
• Create All Child Objects
• Delete All Child Objects
• Read Permissions
• Modify Permissions
• Modify Owner

32
Auditing Access to Printers

• Use auditing to track access to sensitive
  printers.
• Set the Audit Object Access event category in the
  audit policy, which includes printers.
• Enable auditing for specific printers and specify
  the types of access, and by whom, to audit.
• Use the same procedure used to set up auditing on
  files and folders.

33
Auditing Entry For Dialog Box
34
RecommendedAudit Events
35
Using Security Logs

• Understanding Windows 2003 Logs
• Viewing Security Logs
• Locating Events
• Filtering Events
• Configuring Security Logs
• Archiving Security Logs
• Practice Using the Security Log

36
Security Log Overview

• The security log contains information on security
  events specified in the audit policy.
• To view the security log, use the Event Viewer
  console.
• Event Viewer also allows specific events within
  the log files to be found, the events shown in
  log files to be filtered, and archive security
  log files to be archived.

37
Understanding Windows 2003 Logs

• Three logs are available to view in Event Viewer
  by default.
• All users can view application and system logs.
• Security logs are accessible only to system
  administrators.
• Security logging is turned off by default.
• Group policy must be used at the appropriate
  level to set up an audit policy.

38
Logs Maintained by Windows 2003

• Application log
• Contains errors, warnings, or information that
  programs, such as a database program or an e-mail
  program, generate.
• The program developer presets which events to
  record.
• Security log
• Contains information about the success or failure
  of audited events.
• The events Windows 2003 records are a result of
  the audit policy.
• System log
• Contains errors, warnings, and information that
  Windows 2003 generates.
• Windows 2003 presets which events to record.

39
Viewing Security Logs

• The security log contains information about
  events monitored by an audit policy, such as
  failed and successful logon attempts.
• Windows 2003 records events in the security log
  on the computer at which the event occurred.
• Events can be viewed from any computer with
  assigned administrative privileges for the
  computer where the events occurred.

40
Event Viewer
41
Locating Events

• Event Viewer automatically displays all events
  recorded in the security log when its first
  started.
• The Find command is used to search for specific
  events.

42
The Find In Dialog Box
43
Options on the Find In Dialog Box
44
Filtering Events

• The Filter command displays specific events that
  appear in the security log.
• The Filter command is used to narrow down the
  displayed events.

45
Options on the Filter Tab of the Security
LogProperties Dialog Box
46
Configuring Security Logs

• Security logging begins when an audit policy is
  set for the domain controller or local computer.
• Security logging stops when the security log
  becomes full and cannot overwrite itself an
  error may be written to the application log.
• A full security log is avoided by logging only
  key events.
• The properties of each individual audit log can
  be configured.

47
Security Log

• When the security log is full and no more events
  can be logged, the log can be freed by manually
  clearing it.
• Clearing the log erases all events permanently.
• Reducing the amount of time that an event log is
  kept frees the log if it allows the next record
  to be overwritten.

48
Archiving Security Logs

• Archiving maintains a history of security-related
  events.
• Archived logs often are kept for a specified
  period, to track security-related information
  over time.
• The entire log is saved, regardless of filtering
  options.
• Event Viewer is used to reopen a log archived in
  a log-file format.

49
Archiving Security Logs (cont)

• Logs saved as event logs (.evt) retain the binary
  data for each event recorded.
• Logs archived in text or comma-delimited format
  (.txt and .csv, respectively) can be reopened in
  other programs, such as word processing or
  spreadsheet programs.
• Logs saved in text or comma-delimited format do
  not retain the binary data.
• An archived log is removed from the system by
  deleting the file in Windows Explorer.

50
User Rights

• User Rights
• Privileges
• Logon Rights
• Assigning User Rights

51
User Rights Overview

• Specific rights can be assigned to group accounts
  or to individual user accounts.
• Authorize users to perform specific actions.
• Differ from permissions, because user rights
  apply to user accounts, whereas permissions are
  attached to objects.
• Because user rights are part of a GPO, they can
  be overridden depending on the GPO affecting the
  user.

52
User Rights Administration

• User rights define the capabilities of a user at
  a local level.
• User rights can be applied to individual user
  accounts, but are best administered on a group
  account basis.
• Ensures that a user logging on as a member of a
  group automatically inherits the rights
  associated with that group
• Simplifies user account administration by
  associating user rights to groups rather than
  individual users

53
User Rights Assignment

• User rights assigned to a group are applied to
  all members of the group while they remain
  members.
• User rights are cumulative when a user is a
  member of multiple groups.
• A user can have more than one set of rights.
• Possible conflicts of user rights may occur in
  the case of certain logon rights.
• Generally, user rights assigned to one group do
  not conflict with the rights assigned to another
  group.
• To remove rights from a user, the user is removed
  from the group.
• The two types of user rights are privileges and
  logon rights.

54
Privileges

• Specify allowable user actions on the network.
• Some privileges can override permissions set on
  an object.
• A user right takes precedence over all file and
  directory permissions.

55
Logon Rights Overview

• Logon rights specify the ways in which a user can
  log on to a system.
• The special user account LocalSystem has almost
  all privileges and logon rights assigned to it,
  because all processes running as part of the OS
  are associated with this account.
• OS processes require a complete set of user
  rights.

56
Logon Rights
57
Assigning User Rights

• Assigning user rights eases the task of user
  account administration by assigning user rights
  primarily to group accounts, rather than to
  individual user accounts.
• Assigning rights to a group account automatically
  assigns those rights to users when they become a
  member of that group.

58
Using Security Templates

• Security Templates Overview
• Security Template Uses
• Predefined Security Templates
• Managing Security Templates
• Practice Managing Security Templates

59
Using Security Templates Overview

• Windows 2003 provides a centralized method of
  defining security using security templates.
• A security template is a physical representation
  of a security configuration, a file in which a
  group of security settings are stored.
• Locating all security settings in one place
  streamlines security administration.
• Each template is saved as a text-based .inf file,
  which allows some or all of the template
  attributes to be copied, pasted, imported, or
  exported.
• All security attributes can be contained in a
  security template, except IP Security and Public
  Key policies.

60
Security Templates Uses

• The security settings in the local GPO are the
  initial settings applied to a computer.
• The local security settings can be exported to a
  security template file to preserve initial system
  security settings, which enables the restoration
  of the initial security settings at any later
  point.

61
Security Templates Importing

• A security template file can be imported to a
  local or nonlocal GPO.
• Any computer or user accounts in the site,
  domain, or OU to which the GPO is applied will
  receive the security template settings.
• Importing a security template to a GPO eases
  domain administration by configuring security for
  multiple computers at once.

62
Security Templates Exporting

• The local security settings are exported to a
  security template file to preserve initial system
  security settings.
• Both local and effective security settings can be
  exported to a security template.
• Initial system settings are preserved.
• Local security settings are available for
  restoration later because domain-based GPOs
  override the local GPO.
• By exporting the effective security settings to a
  security template, the settings can be imported
  into a security database, new templates can be
  overlaid, and potential conflicts can be analyzed.

63
Predefined Security Templates

• Windows 2003 includes a set of predefined
  security templates.
• Each predefined template is based on the role of
  a computer and common security scenarios, from
  security settings for low-security domain clients
  to highly secure domain controllers.
• Predefined templates can be used as provided, can
  be modified, or can serve as a basis for creating
  custom security templates.
• By default, predefined security templates are
  stored in the systemroot\Security\Templates
  folder.

64
Security Levels

• Basic BASIC.INF
• Compatible COMPAT.INF
• Secure SECURE.INF
• Highly Secure HISEC.INF

65
Tasks for Managing Security Templates

• Accessing the Security Templates console
• Customizing a predefined security template
• Defining a new security template
• Importing a security template to a local and
  nonlocal GPO
• Exporting security settings to a security template

66
Security Templates Console
67
Security Configuration and Analysis

• How the Security Configuration and Analysis
  Console Works
• Security Configuration
• Security Analysis
• Using Security Configuration and Analysis
• Practice Using Security Configuration and
  Analysis

68
Security Configuration and Analysis Overview

• Security Configuration and Analysis is a tool
  that offers the ability to configure security,
  analyze security, view results, and resolve any
  discrepancies revealed by analysis.
• This tool is located on the Security
  Configuration and Analysis console.

69
How the Security Configuration and Analysis
Console Works

• The console uses a database to perform
  configuration and analysis functions.
• The database is a computer-specific data store.
• The database architecture allows the use of
  personal databases, security template import and
  export, and the combination of multiple security
  templates into one composite security template
  that can be used for analysis or configuration.
• New security templates can be incrementally added
  to the database to create a composite security
  template.
• Overwriting a template is also an option.
• Personal databases can be created for storing
  customized security templates.

70
Security Configuration

• The Security Configuration and Analysis console
  can be used to configure local system security.
• Security templates created with the Security
  Templates console can be imported and applied to
  the GPO for the local computer.
• System security is immediately configured with
  the levels specified in the template.

71
Security Analysis

• The state of the OS and applications on a
  computer is dynamic.
• Changes made to meet specific needs may not be
  reversed when the requirement is finished.
• The computer may no longer meet the requirements
  for enterprise security.
• The Security Configuration and Analysis console
  allows administrators to perform a quick security
  analysis.
• In the analysis, recommendations are presented
  alongside current system settings icons or
  remarks are used to highlight any areas where the
  current settings do not match the proposed level
  of security.

72
Security Analysis (cont)

• The Security Configuration and Analysis console
  offers the ability to resolve any discrepancies
  revealed by analysis.
• Regular analysis enables an administrator to
  track and ensure an adequate level of security on
  each computer as part of an enterprise risk
  management program.
• Analysis is highly specified and information
  about all system aspects related to security is
  provided in the results.
• Enables an administrator to tune the security
  levels and to detect any security flaws that may
  occur in the system over time.

73
Tasks For Using Security Configuration and
Analysis

• Access the Security Configuration and Analysis
  console.
• Set a working security database.
• Import a security template into a security
  database.
• Analyze system security.
• View security analysis results.
• Configure system security.
• Export security database settings to a security
  template.

74
Importing a Security Template into a Security
Database

• Several different templates can be merged into
  one composite template that can be used for
  analysis or configuration of a system, by
  importing each template into a working database.
• The database will merge the various templates to
  create one composite template, resolving
  conflicts in order of import the last template
  imported takes precedence when there is
  contention.
• Templates will not be merged into a composite
  template if overwrite is chosen.
• Once the templates are imported to the selected
  database, the system can be analyzed or
  configured.

75
Analyzing System Security

• The Security Configuration and Analysis console
  compares the current state of the system security
  against a security template that has been
  imported to a personal database.
• This template is the database configuration that
  contains the preferred or recommended security
  settings for that system.
• Security Configuration and Analysis queries the
  systems security settings for all security areas
  in the database configuration.
• Values found are compared to the database
  configuration.
• If the current system settings match the database
  configuration settings, they are assumed to be
  correct.
• The policies in question are displayed as
  potential problems that need investigation.

76
Viewing Security Analysis Results

• The Security Configuration and Analysis console
  displays the analysis results organized by
  security area with visual flags to indicate
  problems.
• The current database and computer configuration
  settings are displayed for each security policy
  in the security area.

77
Analysis Results for Password Policy
78
Configuring System Security

• The Security Configuration and Analysis console
  offers the ability to resolve any discrepancies
  revealed by analysis.
• The import process can be repeated and multiple
  templates can be loaded.
• The database merges the various templates to
  create one composite template, resolving
  conflicts in order or import.
• The last template imported takes precedence when
  there is contention.
• After the templates are imported to the database,
  choosing Configure System Now applies the stored
  template to the system.
• Using the Security Configuration and Analysis
  console is not recommended when analyzing
  security for domain-based clients, because going
  to each client individually would be necessary.
• When analyzing security for domain-based clients,
  it is best to return to the Security Templates
  console, modify the template, and reapply it to
  the appropriate GPO.

79
Exporting Security Templates

• The export feature provides the ability to save a
  security database configuration as a new template
  file that can be
• Imported into other databases
• Used as is to analyze or configure a system
• Redefined with the Security Templates console

80
Troubleshooting a Security Configuration

• Symptoms
• Received error message Event message Event ID
  1202, Event source scecli, Warning (0xx) occurs
  to apply security policies.
• Received error message Failed To Open The Group
  Policy Object.
• Modified security settings are not taking effect.
• Policies do not migrate from Windows NT 4.0 to
  Windows 2003.

81
Symptom Received Error Message Event Message
Event ID 1202, Event Source scecli, Warning
(0xx) Occurs to Apply Security Policies

• Cause Group policy was not refreshed after
  changes were made
• Solution Trigger another application of group
  policy settings or local policy refresh by using
  the Secedit command-line tool to refresh security
  settings

82
Symptom Received Error Message Failed To Open
The Group Policy Object

• Cause The most likely causes for this error are
  network-related
• Solution Check the DNS configuration for the
  following
• Make sure no stale entries exist in the DNS
  database.
• Resolve local DNS servers and ISP DNS server
  entries.

83
Symptom Modified Security Settings are Not
Taking Effect

• Causes
• Any policies configured locally may be overridden
  by like policies specified in the domain.
• If the setting shows up in local policy but not
  in effective policy, it implies that a policy
  from the domain is overriding the setting.
• As group policy changes are applied periodically,
  it is likely that the policy changes made in the
  directory have not yet been refreshed in the
  computer.
• Solution Manually do a policy refresh by typing
  the following at the command line secedit
  /refreshpolicy machine_policy

84
Symptom Policies Do Not Migrate from Windows NT
4.0 to Windows 2003

• Cause Windows NT 4.0 policies cannot be migrated
  to Windows 2003
• Solution
• Windows NT 4.0 clients accessing a Windows 2003
  Server computer, and Windows 2003 Professional
  clients accessing a Windows NT 4.0 Server
  computer, will use the Netlogon share.
• With Windows 2003 Server, when a Windows NT 4.0
  client is upgraded to Windows 2003, it will get
  only Active Directorybased group policy settings
  and not Windows NT 4.0style policies.
• Although Windows NT 4.0style policies may be
  enabled if the administrator chooses to do so,
  this practice is strongly discouraged.
• Because Windows NT 4.0style policies are applied
  only during the logon process, both computer and
  user settings are processed (but not optimal
  behavior).