Introduction to Windows Server 2003 Chapter 10

  • 1. Hands-On Microsoft Windows Server 2003, Chapter 10: Securing Windows Server 2003
  • 2. Objectives
    • Understand the use of Group Policy
    • Secure Windows Server 2003 using security policies
    • Manage security by using the Security Templates Snap-in
    • Configure client security by using Windows Server 2003 policies
    • Configure the Encrypting File System
  • 3. Introduction to Group Policy
    • Group Policy in Windows Server 2003 allows a standardized working environment for clients and servers
    • Evolved from the NT Server 4.0 system policy concept
    • Has more capabilities than system policy
      – Can extend to cover multiple domains in one site
      – Can be set for more environments
      – More secure because users cannot modify policies
      – Updates dynamically and can be configured to reflect current needs
  • 4. Group Policy characteristics
    • Can be set for a site, domain, OU, or local computer
    • Cannot be set for non-OU folder containers
    • Policy settings for groups are stored in Group Policy objects (GPOs)
      – Each GPO has a unique name and GUID
    • There are local and nonlocal GPOs
      – When there are multiple GPOs, their effect is incremental
      – The ordering is local, default domain, site, OUs
    • Group Policy can be set up to affect user accounts, computers, or both
    • When Group Policy is updated, old policies are removed or updated for all clients
  • 6. Securing Windows Server 2003 Using Security Policies
    • Security policies are a subset of Group Policy
    • Some commonly used security policies
      – Account policies
      – Audit policy
      – User rights
      – Security options
      – IP Security policies
    • Can be configured with the following tools
      – Domain Security Policy tool can be used for the domain and the local computer
      – Group Policy Object Editor Snap-in has the most functionality
      – Active Directory Users and Computers tool can be used for a domain or OU
  • 7. Establishing Account Policies
    • Account policies are located in the following Group Policy path:
      – Computer Configuration, Windows Settings, Security Settings
    • Account policy options
      – Password security
      – Account lockout
      – Kerberos security
  • 8. Password Security Options
    • Enforce password history
      – Requires users to choose new passwords when they make a password change
    • Maximum password age
      – Sets the maximum time before a password expires
      – Commonly 45 to 90 days
    • Minimum password age
    • Minimum password length
      – A minimum of seven characters for a “strong password”
    • Password must meet complexity requirements
      – Filter of customized password requirements
    • Store passwords using reversible encryption
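The following is an added example, not part of the original slides, showing how the options on slide 8 combine when a password change is evaluated. The policy values (seven characters, 24 remembered passwords) and the account details are constructed for illustration. The complexity rules implemented are the ones the built-in Windows filter enforces: at least six characters, no account name or full-name fragment longer than two characters, and characters from at least three of the four classes.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    """Constructed policy values mirroring the options on the slide (assumption)."""
    min_length: int = 7               # Minimum password length
    complexity_required: bool = True  # Password must meet complexity requirements
    history_size: int = 24            # Enforce password history (passwords remembered)


# The four character classes the Windows complexity filter counts.
CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}


def name_fragments(full_name: str) -> List[str]:
    """Parts of the display name longer than two characters; the filter
    rejects passwords that contain any of them (case-insensitive)."""
    parts = re.split(r"[ ,.\-_\t#]+", full_name)
    return [p.lower() for p in parts if len(p) > 2]


def complexity_violations(password: str, account_name: str, full_name: str) -> List[str]:
    """Rules enforced by 'Password must meet complexity requirements'."""
    problems = []
    lowered = password.lower()
    if len(password) < 6:
        problems.append("complexity: shorter than 6 characters")
    if account_name and account_name.lower() in lowered:
        problems.append("complexity: contains the account name")
    for frag in name_fragments(full_name):
        if frag in lowered:
            problems.append(f"complexity: contains part of the full name ({frag!r})")
    categories = sum(1 for rx in CATEGORY_PATTERNS.values() if rx.search(password))
    if categories < 3:
        problems.append(f"complexity: only {categories} of 4 character categories")
    return problems


def evaluate_password(password: str, account_name: str, full_name: str,
                      policy: PasswordPolicy, history: List[str]) -> List[str]:
    """Return every rule the candidate password breaks (empty list = accepted).
    `history` holds previous passwords, oldest first. A real system compares
    hashes; plaintext is used here only to keep the example short."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    if policy.complexity_required:
        problems.extend(complexity_violations(password, account_name, full_name))
    remembered = history[-policy.history_size:] if policy.history_size else []
    if password in remembered:
        problems.append("reuses one of the remembered previous passwords")
    return problems


if __name__ == "__main__":
    for candidate in ("Winter2003!", "jsmith2003!", "winter2003x", "Pass"):
        print(candidate, "->", evaluate_password(candidate, "jsmith", "John Smith",
                                                 PasswordPolicy(), ["Spring2003!"]))
```

Note that the minimum-length option and the complexity filter are independent checks: the filter's six-character floor still applies when the policy's minimum length is lower, and the policy's minimum still applies when complexity is switched off.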
  • 10. Account Lockout Options
    • Account lockout duration
      – Specifies, in minutes, how long the system keeps an account locked out after the specified number of unsuccessful logon attempts is reached
    • Account lockout threshold
      – Sets a limit on the number of unsuccessful attempts to log on to an account
    • Reset account lockout counter after
      – Specifies the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account is not locked out too soon
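An added example (not from the slides) that models how the three lockout options interact over a stream of logon attempts. The policy values, account names and timings are constructed; the tracker keeps a bad-password counter per account, resets it when the reset window has passed, locks the account at the threshold and releases it once the duration has elapsed (or only on manual unlock when the duration is 0).

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """Constructed values for the three lockout options on the slide (assumption)."""
    threshold: int = 5          # Account lockout threshold (0 = never lock out)
    duration_min: int = 30      # Account lockout duration (0 = locked until an admin unlocks)
    reset_after_min: int = 30   # Reset account lockout counter after


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[float] = None   # seconds; time of the most recent failure
    locked_at: Optional[float] = None     # seconds; None when not locked


class LockoutTracker:
    """Applies the lockout policy to logon attempts. Times are seconds on a
    monotonic clock supplied by the caller so the logic is easy to test."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        s = self._state(user)
        if s.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True                       # stays locked until unlock() is called
        if now - s.locked_at >= self.policy.duration_min * 60:
            self.unlock(user)                 # lockout duration has elapsed
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Count a bad password; returns True if the account is locked afterwards."""
        s = self._state(user)
        if self.is_locked(user, now):
            return True
        if self.policy.threshold == 0:
            return False                      # lockout disabled
        # The counter restarts when the previous failure is older than the reset window.
        if s.last_bad_at is not None and now - s.last_bad_at >= self.policy.reset_after_min * 60:
            s.bad_count = 0
        s.bad_count += 1
        s.last_bad_at = now
        if s.bad_count >= self.policy.threshold:
            s.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Correct password; returns False when the logon is refused because of a lockout."""
        if self.is_locked(user, now):
            return False
        s = self._state(user)
        s.bad_count, s.last_bad_at = 0, None
        return True

    def unlock(self, user: str) -> None:
        """Administrative unlock: clears both the lock and the counter."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=3, duration_min=30, reset_after_min=15))
    for t in (0, 10, 20):
        print("alice failure at", t, "locked:", tracker.record_failure("alice", t))
    print("alice correct password at 30s accepted:", tracker.record_success("alice", 30))
```

The reset window is what keeps slow, widely spaced failures from ever reaching the threshold, while the duration decides whether a locked account recovers on its own; a duration of 0 turns every lockout into a help-desk call.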
  • 11. Kerberos Security
    • Involves the use of tickets that are exchanged between the client that requests access and the server or Active Directory that grants access
    • A key distribution center (DC or server) stores user accounts and passwords
    • The client computer sends an account name and password to the key distribution center
    • The key distribution center issues a temporary ticket granting access to the ticket-granting server
    • The ticket-granting server issues a service ticket for the duration of a logon session
  • 12. Kerberos Security Options
    • Enforce user logon restrictions
      – Turns on Kerberos security, which is the default
    • Maximum lifetime for a service ticket
      – Maximum time in minutes that a ticket can access a particular service in one service session
    • Maximum lifetime for a user ticket
      – Maximum time in hours that a ticket can be used in one continuous session for access to a computer or domain
    • Maximum lifetime for user ticket renewal
      – Maximum number of days that the same Kerberos ticket can be renewed each time a user logs on
    • Maximum tolerance for computer clock synchronization
      – Length in minutes a client waits until synchronizing its clock
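An added example (not from the slides) that walks the ticket flow of slide 11 through the four lifetime options of slide 12. The policy values, principal name and timestamps are constructed. The model issues a user ticket (TGT), derives a service ticket from it, refuses requests whose client clock is outside the skew tolerance, and renews the TGT only up to the renewal limit; capping the service ticket at the TGT's expiry is this model's simplification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class KerberosPolicy:
    """Constructed values for the four lifetime options on the slide (assumption)."""
    service_ticket_minutes: int = 600  # Maximum lifetime for a service ticket
    user_ticket_hours: int = 10        # Maximum lifetime for a user ticket (the TGT)
    renewal_days: int = 7              # Maximum lifetime for user ticket renewal
    clock_skew_minutes: int = 5        # Maximum tolerance for computer clock synchronization


@dataclass
class Ticket:
    principal: str
    kind: str                          # "tgt" or "service"
    issued: datetime
    expires: datetime
    renew_until: Optional[datetime]    # absolute limit on renewals; None for service tickets


def ticket_valid(ticket: Ticket, now: datetime) -> bool:
    return ticket.issued <= now < ticket.expires


def issue_tgt(policy: KerberosPolicy, principal: str, now: datetime) -> Ticket:
    """The key distribution center issues the user ticket (TGT) after authentication."""
    return Ticket(principal, "tgt", now,
                  now + timedelta(hours=policy.user_ticket_hours),
                  now + timedelta(days=policy.renewal_days))


def issue_service_ticket(policy: KerberosPolicy, tgt: Ticket,
                         kdc_now: datetime, client_clock: datetime) -> Ticket:
    """The ticket-granting server issues a service ticket against a valid TGT.
    Requests whose timestamp is outside the skew tolerance are refused."""
    if abs(client_clock - kdc_now) > timedelta(minutes=policy.clock_skew_minutes):
        raise ValueError("client clock outside the skew tolerance")
    if not ticket_valid(tgt, kdc_now):
        raise ValueError("TGT expired; the client must authenticate again")
    # In this model the service ticket never outlives the TGT it was issued from.
    expires = min(kdc_now + timedelta(minutes=policy.service_ticket_minutes), tgt.expires)
    return Ticket(tgt.principal, "service", kdc_now, expires, None)


def renew_tgt(policy: KerberosPolicy, tgt: Ticket, now: datetime) -> Optional[Ticket]:
    """Renewal grants one more user-ticket lifetime, never past renew_until,
    and only while the current TGT is still valid. Returns None when refused."""
    if tgt.renew_until is None or not ticket_valid(tgt, now):
        return None
    new_expiry = min(now + timedelta(hours=policy.user_ticket_hours), tgt.renew_until)
    if new_expiry <= now:
        return None
    return Ticket(tgt.principal, "tgt", now, new_expiry, tgt.renew_until)


if __name__ == "__main__":
    policy = KerberosPolicy()
    t0 = datetime(2004, 3, 10, 8, 0)
    tgt = issue_tgt(policy, "jsmith", t0)
    st = issue_service_ticket(policy, tgt, t0 + timedelta(hours=1), t0 + timedelta(hours=1, minutes=2))
    print("TGT expires", tgt.expires, "| service ticket expires", st.expires)
    print("renewed TGT expires", renew_tgt(policy, tgt, t0 + timedelta(hours=9)).expires)
```

Shortening the service-ticket lifetime limits how long a captured ticket stays useful; the skew tolerance is why hosts whose clocks drift stop authenticating rather than failing open.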
  • 14. Establishing Audit Policies
    • Account management
    • Directory service and object access
    • Logon and logoff events for an account and at the local computer
    • Policy change and privilege use
    • Process tracking and system events
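An added example, not part of the slides, of what the audit categories above buy a defender once the Security log is reviewed. The sample records are constructed (one tab-separated line per event: time, event ID, account, workstation; this is not a real Event Viewer export), using the Windows Server 2003 event numbering for logon failures (529, 539), audit log cleared (517), audit policy change (612) and account creation (624). The code flags bursts of failed logons per workstation and account and lists the policy-change and account-management events individually.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Security log event IDs as numbered on Windows Server 2003 (pre-Vista numbering).
EVENT_NAMES = {
    528: "successful logon",
    529: "logon failure: unknown user name or bad password",
    539: "logon failure: account locked out",
    517: "audit log cleared",
    612: "audit policy changed",
    624: "user account created",
}
# Policy-change and account-management events worth listing one by one.
HIGH_PRIORITY = {517, 612, 624}

# Constructed sample (assumption): time<TAB>event id<TAB>account<TAB>workstation.
SAMPLE_LOG = """\
2004-03-10 09:00:01\t529\tjsmith\tWS042
2004-03-10 09:00:08\t529\tjsmith\tWS042
2004-03-10 09:00:15\t529\tjsmith\tWS042
2004-03-10 09:00:22\t529\tjsmith\tWS042
2004-03-10 09:00:30\t529\tjsmith\tWS042
2004-03-10 09:00:37\t539\tjsmith\tWS042
2004-03-10 09:05:00\t528\tbob\tWS007
2004-03-10 09:10:12\t612\tadministrator\tDC01
2004-03-10 09:11:40\t624\tadministrator\tDC01
2004-03-10 09:20:00\t529\tbob\tWS007
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\t(\d+)\t(\S+)\t(\S+)$")


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip blank or malformed lines
        time, event_id, user, workstation = m.groups()
        events.append({"time": datetime.strptime(time, "%Y-%m-%d %H:%M:%S"),
                       "id": int(event_id), "user": user, "workstation": workstation})
    return events


def failed_logon_bursts(events: List[Dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, int]]:
    """(workstation, user, count) for every account with `threshold` or more
    failed logons from one workstation inside any `window`-long interval."""
    times = defaultdict(list)
    for e in events:
        if e["id"] in (529, 539):
            times[(e["workstation"], e["user"])].append(e["time"])
    bursts = []
    for (workstation, user), ts in times.items():
        ts.sort()
        best, j = 0, 0
        for i in range(len(ts)):              # sliding window over sorted timestamps
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts.append((workstation, user, best))
    return sorted(bursts)


def high_priority_events(events: List[Dict]) -> List[Tuple[datetime, int, str, str]]:
    return [(e["time"], e["id"], EVENT_NAMES[e["id"]], e["user"])
            for e in events if e["id"] in HIGH_PRIORITY]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("bursts:", failed_logon_bursts(evts))
    for when, eid, name, who in high_priority_events(evts):
        print(when, eid, name, "by", who)
```

Without the logon and policy-change categories switched on, neither query has anything to work with; the burst query also only makes sense when failure auditing, not just success auditing, is enabled.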
  • 16. Configuring User Rights
    • User rights enable an account or group to perform predefined tasks such as the following:
      – Access a server
      – Create accounts
      – Manage server functions
    • Assign user rights to groups instead of to individual user accounts
      – Members of a group inherit the user rights of the group
  • 18. Configuring Security Options
    • Over 65 specialized security options in the following categories
      – Accounts
      – Audit
      – Devices
      – Domain controller
      – Domain member
      – Interactive logon
      – Microsoft network client
      – Network access
  • 19. Configuring Security Options (cont.)
      – Network security
      – Recovery console
      – Shutdown
      – System cryptography
      – System objects
      – System settings
    • Options in each category are specialized to the category
  • 21. Using IP Security Policies
    • IPSec provides secure communications and encryption standards for all TCP/IP-based application and communications protocols
    • IPSec process
      – Computers exchange certificates to authenticate receiver and sender
      – Data is encrypted at the NIC of the sending computer as it is formatted into an IP packet
    • IPSec configuration tools
      – Domain Security Policy tool
      – IPSec Policies Management Snap-in
  • 22. Using IP Security Policies (cont.)
    • IPSec roles
      – Client (Respond Only)
        • When Windows Server 2003 is contacted by a client using IPSec, it responds by using IPSec communication
      – Server (Request Security)
        • When Windows Server 2003 is contacted or initiates a communication, it uses IPSec by default
        • If the responding client does not support IPSec, the server switches to clear mode
      – Secure Server (Require Security)
        • Windows Server 2003 only responds using IPSec communication
  • 24. Security Templates Snap-in
    • Useful when there are multiple Group Policies or multiple OUs that share the same Group Policy
    • Sets up security for the following
      – Account and local policies
      – Event log tracking policies
      – Group restrictions
      – Service access security
      – Registry security
      – File system security
  • 25. Creating a New Security Template
    • Make sure there is no default security template that matches your needs
    • The Group Policy Object Editor Snap-in and Security Templates Snap-in should be installed
    • Create a new template through the Security Templates Snap-in’s Action menu
      – Configure the settings
    • Import the new template into a Group Policy by using the Security Configuration and Analysis Snap-in
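An added example, not from the slides, of the analysis step that the Security Configuration and Analysis Snap-in performs when a template is compared with a computer's current settings. Both templates below are constructed: the baseline stands in for a template you created, the second for a snapshot of the machine. Security templates are INI-style files with sections such as [System Access], [Event Audit] and [Privilege Rights]; the comparator reports each baseline setting as matching, not configured, mismatched, or weaker than the baseline, and the direction-aware rules for the numeric keys are this example's own.

```python
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Keys in [System Access] where a larger value is the stricter setting.
HIGHER_IS_STRICTER = {"MinimumPasswordLength", "PasswordHistorySize",
                      "PasswordComplexity", "MinimumPasswordAge"}

# Constructed baseline template (assumption: not a shipped default template).
BASELINE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
MaximumPasswordAge = 90
PasswordHistorySize = 24
LockoutBadCount = 5
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
"""

# Constructed snapshot of a machine's current settings (assumption).
CURRENT_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 4
PasswordComplexity = 1
MaximumPasswordAge = -1
LockoutBadCount = 5
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 2
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-1-0
"""


def load_template(text: str) -> configparser.ConfigParser:
    """Templates are INI-style; keep key case and use '=' as the only separator."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


@dataclass
class Finding:
    section: str
    key: str
    baseline: str
    current: Optional[str]
    status: str   # "match", "mismatch", "weaker than baseline" or "not configured"


def is_weaker(key: str, want: str, have: str) -> bool:
    """Direction-aware comparison for the numeric keys whose meaning is known."""
    try:
        w, h = int(want), int(have)
    except ValueError:
        return False
    if key in HIGHER_IS_STRICTER:
        return h < w
    if key == "MaximumPasswordAge":
        return h <= 0 or h > w      # a non-positive value is treated as "never expires"
    if key == "ClearTextPassword":
        return h > w                # 1 = store passwords with reversible encryption
    if key.startswith("Audit"):
        return (h & w) != w         # audit flags: 1 = success, 2 = failure; dropping one is weaker
    return False


def analyze(baseline_text: str, current_text: str) -> List[Finding]:
    base, cur = load_template(baseline_text), load_template(current_text)
    findings = []
    for section in base.sections():
        if section in ("Unicode", "Version"):
            continue                # file metadata, not security settings
        for key, want in base.items(section):
            have = cur.get(section, key, fallback=None)
            if have is None:
                status = "not configured"
            elif have.strip() == want.strip():
                status = "match"
            elif is_weaker(key, want.strip(), have.strip()):
                status = "weaker than baseline"
            else:
                status = "mismatch"
            findings.append(Finding(section, key, want.strip(), have, status))
    return findings


if __name__ == "__main__":
    for f in analyze(BASELINE_INF, CURRENT_INF):
        print(f"[{f.section}] {f.key}: baseline={f.baseline} current={f.current} -> {f.status}")
```

"Not configured" deserves the same attention as "weaker": a setting the template defines but the machine never received usually means the template was not applied where you thought it was.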
  • 26. Default Security Templates
    • Provides compatible settings for Server 2003 and NT
      – compatws
    • Sets default security for DCs or root domains
      – DC security, rootsec
    • Sets maximum security for Windows Server 2003 DCs or workstations accessing Windows Server 2003
      – hisecdc, hisecws
    • Provides recommended security on DCs or client workstations
      – securedc, securews
    • Provides “out of the box” security
      – setup security
  • 27. Configuring Client Security
    • Provides improvements in security
    • Ensures a consistent working environment in an organization
    • When a client logs on to the server or network, the policies are applied to the client
    • Examples of use:
      – Folder redirection for sensitive data
      – Desktop icon management to start applications the same way for all clients
  • 28. Manually Configuring Policies for Clients
    • Use the Group Policy Object Editor Snap-in
  • 31. Using Preconfigured Administrative Templates
    • Multiple templates can be added to one Group Policy
  • 33. Publishing and Assigning Software
    • Users can employ the same software with the same software settings for the sake of productivity and security
    • Publishing applications involves setting up software through a Group Policy so that clients install the software from a central distribution server
    • Assigning applications involves configuring a policy so that a particular software application is started automatically through a desktop shortcut
    • Use the Software Installation Properties dialog box under User Configuration, Software Settings
  • 35. Resultant Set of Policy
    • A new feature included with Windows Server 2003
    • Used to make the implementation and troubleshooting of Group Policies much simpler for an administrator
    • Two modes:
      – Planning mode generates a report and provides the result of proposed policy changes
      – Logging mode generates a report based on the current policies in place and provides the resulting policy changes
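An added example (not from the slides) that ties slide 4's incremental, ordered application of GPOs to the two Resultant Set of Policy modes on slide 35. The GPO names, settings and values are constructed, and the chain is applied in the order local, site, domain, OU. Logging mode corresponds to `report`, which lists each effective value with the GPO that set it; planning mode corresponds to `plan_change`, which shows what would change if a proposed GPO were linked at a given position in the order.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class GPO:
    name: str
    scope: str                                             # "local", "site", "domain" or "ou"
    settings: Dict[str, Any] = field(default_factory=dict)  # absent key = Not Configured


def resultant_set(chain: List[GPO]) -> Dict[str, Tuple[Any, str]]:
    """Apply the GPOs in order. A configured setting overrides the value set by an
    earlier GPO; settings a GPO leaves Not Configured pass through untouched.
    Maps each setting to (effective value, name of the GPO that won)."""
    effective: Dict[str, Tuple[Any, str]] = {}
    for gpo in chain:
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective


def report(chain: List[GPO]) -> List[str]:
    """Logging-mode style listing: effective value and its source, one line per setting."""
    return [f"{setting} = {value!r}  (from {winner})"
            for setting, (value, winner) in sorted(resultant_set(chain).items())]


def plan_change(chain: List[GPO], proposed: GPO, position: int) -> Dict[str, Tuple[Any, Any, str]]:
    """Planning-mode style report: settings whose effective value would change if
    `proposed` were linked at index `position` of the processing order.
    Maps setting -> (old value, new value, GPO that would win)."""
    before = resultant_set(chain)
    after = resultant_set(chain[:position] + [proposed] + chain[position:])
    changes = {}
    for setting in sorted(set(before) | set(after)):
        old = before.get(setting, (None, None))[0]
        new, winner = after.get(setting, (None, None))
        if old != new:
            changes[setting] = (old, new, winner)
    return changes


# Constructed chain (assumption) in the order it is applied here: local, site, domain, OU.
CHAIN = [
    GPO("Local Computer Policy", "local",
        {"Minimum password length": 0, "Audit logon events": "No auditing"}),
    GPO("HQ Site Policy", "site",
        {"Interactive logon: Message title": "HQ systems"}),
    GPO("Default Domain Policy", "domain",
        {"Minimum password length": 7, "Audit logon events": "Failure"}),
    GPO("Servers OU Policy", "ou",
        {"Audit logon events": "Success, Failure",
         "Shutdown: Allow system to be shut down without having to log on": "Disabled"}),
]


if __name__ == "__main__":
    print("\n".join(report(CHAIN)))
    proposed = GPO("Web Servers OU Policy", "ou", {"Audit logon events": "Failure"})
    print("linked last:", plan_change(CHAIN, proposed, len(CHAIN)))
    print("linked before the domain GPO:", plan_change(CHAIN, proposed, 2))
```

The same proposed GPO produces a change when linked last and none when linked earlier in the order, which is exactly the question planning mode exists to answer before a change is made.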
  • 37. Configuring the Encrypting File System
    • EFS configures a unique, private encryption key that is associated with the user account that encrypted the folder or file
      – Protects data from unauthorized use
    • Use the cipher command from the Command Prompt window to configure file or folder encryption
      – If no parameters are specified with the command, the encryption status of the current folder is displayed
  • 39. Summary
    • A Group Policy enables you to standardize how people use server and client computers on a network
    • Security policies are part of a Group Policy and are configured to protect users and resources
    • Configure account policies to apply to OUs, domains, sites, or local computers
      – Password policies, account lockout policies, and Kerberos authentication policies
    • Use audit policies to track how resources are accessed, such as folders, files, or user accounts
  • 40. Summary
    • User rights policies enable you to create specific security controls over privileges and logon access
    • Security options are specialized policies for accounts, auditing, devices, domain controllers, logon, clients, network access, network security, and other activities
    • Use the Security Templates Snap-in to apply default security settings or to create different Group Policy objects for different OUs, domains, or sites
    • For better control over the activities of clients, manually configure administrative templates or apply preconfigured administrative templates (or both)
  • 41. Summary
    • Publish and assign applications to manage how clients use them
    • Use the Resultant Set of Policy Snap-in to plan and troubleshoot Group Policies
    • Fine-tune the use of the Encrypting File System by using the cipher command in the Command Prompt window