Successfully reported this slideshow.

Chapter14 Windows Server 2003 Security Features


Published on

Published in: Technology

Chapter14 Windows Server 2003 Security Features

  1. 1. Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features
  2. 2. Objectives <ul><li>Identify the various elements and techniques that can be used to secure a Windows Server 2003 system </li></ul><ul><li>Use Security Configuration and Analysis tools to configure and review security settings </li></ul><ul><li>Audit access to resources and review Security log settings </li></ul>
  3. 3. Securing Your Windows 2003 System <ul><li>Five broad categories of security-related features: </li></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><li>Access control </li></ul></ul><ul><ul><li>Encryption </li></ul></ul><ul><ul><li>Security policies </li></ul></ul><ul><ul><li>Service packs and hot fixes </li></ul></ul>
  4. 4. Authentication <ul><li>Most basic level is requiring a user id and password to log on to some system </li></ul><ul><li>In a domain environment, authentication is centralized on the network while in a workgroup environment, authentication is local </li></ul><ul><li>In a domain environment, a single authentication can provide access to multiple domains and forests </li></ul><ul><li>Additional authentication methods can apply to other services (e.g., IIS) </li></ul>
  5. 5. Access Control <ul><li>Access control is used to secure resources such as files, folders, and printers </li></ul><ul><li>Common types of access control are NTSF and shared folder permissions, printer permissions, Active Directory object permissions </li></ul><ul><li>The “principle of least privilege” implies that users should only have the access that they really need </li></ul>
  6. 6. Encryption <ul><li>Confidential files can be encrypted using the Encrypting File System (EFS) for local files stored on NTFS volumes </li></ul><ul><li>EFS uses a combination of public and private keys </li></ul><ul><li>The IPSec protocol can encrypt the contents of packets sent across a TCP/IP network </li></ul><ul><li>There are two IPSec modes: transport and tunnel </li></ul><ul><li>IPSec is used to make it difficult for hackers to intercept sensitive network data </li></ul>
  7. 7. Security Policies <ul><li>Security policy settings can be configured from the Local Security Policy and Group Policy Object Editor MMC snap-ins </li></ul><ul><li>Security policies control a range of security settings </li></ul><ul><li>Windows Server 2003 includes tools that analyze policy settings compared to pre-configured security templates </li></ul><ul><ul><li>Security Configuration and Analysis MMC snap-in </li></ul></ul><ul><ul><li>Command-line SECEDIT utility </li></ul></ul>
  8. 8. Service Packs and Hot Fixes <ul><li>Many critical updates and patches are related to security issues </li></ul><ul><li>Hot fixes address a specific identified issue </li></ul><ul><li>A service pack is a cumulative collection of hot fixes and updates </li></ul><ul><li>Service packs and hot fixes can be downloaded and installed from Microsoft </li></ul><ul><li>Software Update Services can assist in automating and managing the distribution of updates </li></ul>
  9. 9. Using Security Configuration Manager Tools <ul><li>Windows Server 2003 provides tools specifically designed to help configure and manage security settings (Security Configuration Manager tools) </li></ul><ul><li>These tools plus Group Policies can be used to set up a Security Policy template which is administered centrally </li></ul>
  10. 10. Using Security Configuration Manager Tools (continued) <ul><li>The Security Configuration and Analysis tool will compare a security template to existing settings </li></ul><ul><li>The Security Configuration Manager tools include these components: </li></ul><ul><ul><li>Security templates </li></ul></ul><ul><ul><li>Security settings in Group Policy objects </li></ul></ul><ul><ul><li>Security Configuration and Analysis tool </li></ul></ul><ul><ul><li>SECEDIT command-line tool </li></ul></ul>
  11. 11. Security Templates <ul><li>Templates help ensure consistency and ease maintenance across multiple machines </li></ul><ul><li>Templates are text-based files </li></ul><ul><ul><li>Should not be edited or changed using a text-based editor </li></ul></ul><ul><li>There are a number of pre-defined templates for various settings </li></ul>
  12. 12. Security Templates (continued)
  13. 13. Activity 14-1: Browsing Security Templates <ul><li>Objective: To become familiar with built-in security templates </li></ul><ul><li>Start  Run  type mmc  OK  File  Add/Remove Snap-in  Add </li></ul><ul><li>Locate and view the available templates as directed </li></ul><ul><li>Browse through the available templates and the specific policies associated with them </li></ul>
  14. 14. Analyzing the Pre-configured Security Templates <ul><li>Network computers can be categorized as: </li></ul><ul><ul><li>Workstations </li></ul></ul><ul><ul><li>Servers </li></ul></ul><ul><ul><li>Domain controllers </li></ul></ul><ul><li>Pre-configured templates are applicable to a specific category of computer </li></ul><ul><li>Only Windows Server 2003, Windows XP, and Windows 2000 can use security templates </li></ul>
  15. 15. The Default Template <ul><li>The Setup Security.inf template contains default security settings applied when Windows Server 2003 is installed </li></ul><ul><li>Contents depend upon the original configuration of computer (fresh install, upgrade, etc.) </li></ul><ul><li>Allows an administrator to return to original settings easily </li></ul><ul><li>Should not be applied using Group Policy </li></ul>
  16. 16. Incremental Templates <ul><li>Modify security configurations incrementally </li></ul><ul><li>Can only be applied on top of default security settings because they do not specify baseline configurations </li></ul><ul><li>Templates include: compatws.inf, securews.inf, securedc.inf, hisecws.inf, hisecdc.inf, iesacls.inf, dc security.inf, rootsec.inf </li></ul><ul><li>Custom templates can also be created </li></ul>
  17. 17. Applying Security Templates <ul><li>Security templates can be applied to local machine or a domain </li></ul><ul><li>For local machine </li></ul><ul><ul><li>Open Local Security Setting MMC snap-in and import a policy </li></ul></ul><ul><li>For domain </li></ul><ul><ul><li>Use Group Policy Objects </li></ul></ul><ul><li>Security settings from GPOs override local settings </li></ul>
  18. 18. Applying Security Templates (continued)
  19. 19. Activity 14-2: Creating a Security Template <ul><li>Objective: to explore the creation of a custom security template </li></ul><ul><li>Open a New Template from the MMC Security Templates snap-in as directed </li></ul><ul><li>Configure settings for the new template as specified </li></ul><ul><li>Save the template </li></ul><ul><li>View the template file </li></ul>
  20. 20. Activity 14-3: Applying Security Template Settings to Group Policy Objects <ul><li>Objective: to use Group Policy to deploy security template settings </li></ul><ul><li>Start  Administrative Tools  Active Directory Users and Computers </li></ul><ul><li>Open the Default Domain Policy from the Properties of the domain </li></ul><ul><li>Import the previously created template as directed </li></ul><ul><li>Verify settings </li></ul>
  21. 21. Security Configuration and Analysis <ul><li>The Security Configuration and Analysis snap-in permits the comparison of current system settings to those configured in templates </li></ul><ul><li>The comparison identifies changes and potential weaknesses </li></ul><ul><li>Multiple templates can be compared at once </li></ul><ul><li>Multiple templates can be combined and saved </li></ul><ul><li>Changes can be made directly within the snap-in by selecting the desired configuration </li></ul>
  22. 22. Security Configuration and Analysis (continued)
  23. 23. Activity 14-2: Creating a Security Template (continued)
  24. 24. Activity 14-4: Analyzing Security Settings Using Security Configuration and Analysis <ul><li>Objective: To use the Security Configuration and Analysis snap-in to compare current configuration with security template settings </li></ul><ul><li>Open the Security Configuration and Analysis snap-in as directed and open a new database </li></ul><ul><li>Import the hisecdc.inf template for comparison </li></ul><ul><li>Perform the analysis </li></ul><ul><li>Review and compare the settings as directed </li></ul>
  25. 25. Activity 14-4 (continued)
  26. 26. SECEDIT Command-Line Tool <ul><li>SECEDIT is a command-line tool used to create and apply security templates and analyze settings </li></ul><ul><li>Can be used where Group Policy cannot be applied </li></ul><ul><li>Six main switches </li></ul><ul><ul><li>Analyze </li></ul></ul><ul><ul><li>Configure </li></ul></ul><ul><ul><li>Export </li></ul></ul><ul><ul><li>Import </li></ul></ul><ul><ul><li>Validate </li></ul></ul><ul><ul><li>GenerateRollback </li></ul></ul>
  27. 27. Auditing Access to Resources and Analyzing Security Logs <ul><li>Auditing is used to track events on a network </li></ul><ul><li>An audit policy defines which events should be recorded </li></ul><ul><ul><li>and whether successes and/or failures should be recorded </li></ul></ul><ul><li>Audited events are written into a security log which can be viewed with Event Viewer </li></ul>
  28. 28. Activity 14-5: Exploring Default Auditing Settings <ul><li>Objective: to explore the auditing settings of the default domain controller GPO </li></ul><ul><li>Open the Properties of the Domain Controllers OU in Active Directory Users and Computers </li></ul><ul><li>Edit the Default Domain Controllers Policy on the Group Policy tab as directed </li></ul><ul><li>Open the Audit Policy node and browse through the various policy settings </li></ul>
  29. 29. Activity 14-5 (continued)
  30. 30. Activity 14-5 (continued)
  31. 31. Configuring Auditing <ul><li>The role of a computer on the network influences how an audit policy is configured </li></ul><ul><li>For member servers or workstations </li></ul><ul><ul><li>Audit policies are implemented using GPOs assigned to the domain or OUs </li></ul></ul><ul><li>For domain controllers </li></ul><ul><ul><li>Audit policies are implemented via the Default Domain Controllers Policy applied to Domain Controllers OU </li></ul></ul><ul><li>For standalone workstations and servers </li></ul><ul><ul><li>Audit policies defined using Local Security Policy tool </li></ul></ul>
  32. 32. Requirements and Configuring an Audit Policy <ul><li>Requirements </li></ul><ul><ul><li>You must have proper permissions (Administrators Group or Manage auditing and security log user right) </li></ul></ul><ul><ul><li>Auditing files and folders can only be done on NTFS volumes </li></ul></ul><ul><li>Configuring an audit policy </li></ul><ul><ul><li>Configure auditing on events to be monitored and if logging occurs on success and/or failure </li></ul></ul><ul><ul><li>Configure auditing on specific resource objects such as files, folders, printers, and Active Directory objects </li></ul></ul>
  33. 33. Configuring an Audit Policy (continued)
  34. 34. Activity 14-6: Configuring and Testing New Audit Policy Settings <ul><li>Objective: to become familiar with changing and testing the configuration of audit policy settings </li></ul><ul><li>Open the Default Domain Controllers Policy GPO auditing settings </li></ul><ul><li>Reconfigure the settings as directed </li></ul><ul><li>Manually refresh the Group Policy settings </li></ul><ul><li>Test the new settings and view results using Event Viewer </li></ul>
  35. 35. Auditing Object Access <ul><li>When files and folders reside on an NTFS volume, you can monitor attempted and successful accesses of these objects </li></ul><ul><li>Caution -- this can result in a large number of events being logged </li></ul><ul><li>Object auditing is configured through the Advanced Security Settings on the resource </li></ul><ul><li>Auditing is also possible for Active Directory objects </li></ul>
  36. 36. Auditing Object Access (continued)
  37. 37. Activity 14-7: Configuring Auditing on an NTFS Folder <ul><li>Objective: to log failed and successful accesses to an NTFS folder </li></ul><ul><li>Create and configure NTFS permissions for a new folder </li></ul><ul><li>Configure auditing settings for the folder </li></ul><ul><li>Test the auditing settings and permissions by attempting to access and delete the folder </li></ul><ul><li>Use Event Viewer to verify correct auditing </li></ul>
  38. 38. Activity 14-7 (continued)
  39. 39. Best Practices <ul><li>Plan carefully before implementing an audit policy </li></ul><ul><li>General guidelines: </li></ul><ul><ul><li>Only audit events that provide truly useful information </li></ul></ul><ul><ul><li>Review entries in the security log regularly </li></ul></ul><ul><ul><li>Audit sensitive and confidential information </li></ul></ul><ul><ul><li>Audit the Everyone group – it includes unauthenticated users </li></ul></ul><ul><ul><li>Audit the assignment of user rights </li></ul></ul><ul><ul><li>Audit the Administrators group </li></ul></ul>
  40. 40. Analyzing Security Logs <ul><li>For each event defined in an audit policy, an entry is written in the Security log if that event occurs </li></ul><ul><li>Use Event Viewer to examine the Security log </li></ul><ul><li>The log provides a summary of the date and time of each event, and the user performing the action </li></ul><ul><li>More details by double-clicking the entry </li></ul><ul><li>Event Viewer provides find and filter options to assist in managing the Security log </li></ul>
  41. 41. Analyzing Security Logs (continued)
  42. 42. Analyzing Security Logs (continued)
  43. 43. Activity 14-8: Configuring Event Viewer Log Properties <ul><li>Objective: to use the find and filter features in Event Viewer to manage log files </li></ul><ul><li>Open Event Viewer and view local Security log </li></ul><ul><li>Use the Find feature to locate specific types of events as directed </li></ul><ul><li>Next, use the Filter feature to manage the log, displaying only events meeting specified criteria </li></ul><ul><li>Redisplay all records in the log as directed </li></ul>
  44. 44. Configuring Event Viewer <ul><li>There are a number of configurable settings that determine the size, number of entries, and overwrite policy in a security log </li></ul><ul><li>Default initial security log size is 16 MB in Windows Server 2003 (up from 512 KB in 2000) </li></ul><ul><li>Settings are configured from the Properties of the Security log in Event Viewer </li></ul>
  45. 45. Configuring Event Viewer (continued)
  46. 46. Activity 14-9: Editing Security Log Settings and Saving Events <ul><li>Objective: to configure properties of the Security log and save event entries for archiving purposes </li></ul><ul><li>Open the Properties of the Security log through Event Viewer </li></ul><ul><li>Reconfigure the Security log size and overwrite properties as directed </li></ul><ul><li>Save and clear the Security log as noted </li></ul><ul><li>Open the saved log to verify </li></ul>
  47. 47. Summary <ul><li>Windows Server 2003 offers security-related features in five categories: authentication, access control, encryption, security policies, and service packs and hot fixes </li></ul><ul><li>Windows Server 2003 offers a package of Security Configuration Manager tools: </li></ul><ul><ul><li>Security templates, security settings in GPOs, Security Configuration and Analysis tool, SECEDIT command-line tool </li></ul></ul>
  48. 48. Summary (continued) <ul><li>Auditing is used to log specific events within a Windows Server 2003 configuration </li></ul><ul><li>An audit policy defines the events to be monitored </li></ul><ul><li>Specific resources and objects can be configured for auditing access attempts </li></ul><ul><li>A Security log contains record of audited events </li></ul><ul><li>Event Viewer is used to display and manage Security logs </li></ul>