1 Administering a Security Configuration Security Configuration Overview Auditing Using Security Logs User Rights Using Security Templates Security Configuration.

Presentation transcript:

1 Administering a Security Configuration Security Configuration Overview Auditing Using Security Logs User Rights Using Security Templates Security Configuration and Analysis Troubleshooting a Security Configuration

2 Security Configuration Overview Security Configuration Settings

3 Security Areas Configured for a Nonlocal GPO Account policies Local policies Event log Restricted groups System services Registry File system Public key policies IP security policies

4 Account Policies: Overview The account policies security area applies to user accounts. Microsoft Windows 2000 allows only one domain account policy, which is the account policy applied to the root domain of the domain tree. The domain account policy becomes the default account policy of any Windows 2000 workstation or server that is a member of the domain. Exception: When another account policy is defined for an OU, the OU’s account policy settings affect the local policy on any computers contained in the OU, as is the case with a Domain Controllers OU.

5 Account Policies: Attributes Password Policy: For domain or local user accounts, determines settings for passwords such as enforcement and lifetimes Account Lockout Policy: For domain or local user accounts, determines when and for whom an account will be locked out of the system Kerberos Policy: For domain user accounts, determines Kerberos-related settings, such as ticket lifetimes and enforcement

6 Local Policies: Overview The local policies security area pertains to the security settings on the computer used by an application or user. Local policies are based on the computer to which a user logs on and the rights the user has on that particular computer. Local policies are local to a computer, by definition. When imported to a GPO in Active Directory, local policies affect the local security settings of any computer accounts to which that GPO is applied.

7 Local Policies Audit Policy User Rights Assignment Security Options

8 Event Log The event log security area defines attributes related to the Application, Security, and System event logs. Maximum log size Access rights for each log Retention settings and methods The event log size and log wrapping should be defined to match the business and security requirements. Event log settings should be implemented at the site, domain, or OU level, to take advantage of group policy settings.

9 Event Log Settings

10 Restricted Groups: Overview The restricted groups security area provides an important new security feature that acts as a governor for group membership. Automatically provides security memberships for default Windows 2000 groups that have predefined capabilities. Any groups considered sensitive or privileged to the Restricted Groups security list can be added later.

11 Restricted Groups: Configuring Configuring the restricted groups security area ensures that group memberships are set as specified. Groups and users not specified in restricted groups are removed from the specific group. The reverse membership configuration option ensures that each restricted group is a member of only those groups specified in the Member Of column. Restricted groups should be used primarily to configure membership of local groups on workstation or member servers.

12 System Services The system services security area is used to configure security and startup settings for services running on a computer. Security properties for the service determine what user or group accounts have the following permissions: Read/Write/Delete/Execute, inheritance settings, auditing, and ownership permission. If choosing an Automatic startup, adequate testing must be performed to verify that the services can start without user intervention. System services used on a computer should be tracked. Unnecessary or unused services should be set to Manual.

13 Registry and File System Areas Registry security area: Used to configure security on registry keys. File system security area: Used to configure security on specific file paths. The Security properties of the registry key or file path can be edited to determine what user or group accounts have Read/Write/Delete/Execute permissions, as well as inheritance settings, auditing, and ownership permission.

14 Policies Public key policies: Used to configure encrypted data recovery agents, domain roots, and trusted certificate authorities IP security policies: Used to configure network IP security

15 Auditing Understanding Auditing Using an Audit Policy Audit Policy Guidelines Configuring Auditing Setting Up an Audit Policy Auditing Access to Files and Folders Auditing Access to Active Directory Objects Auditing Access to Printers Auditing Practices Practice: Auditing Resources and Events

16 Understanding Auditing Auditing: The process of tracking both user activities and Windows 2000 activities, called events. Auditing is used to specify which events are written to the security log. An audit entry in the security log contains: the action that was performed, the user who performed the action, and the success or failure of the event and when the event occurred.

17 Using an Audit Policy An audit policy defines the categories of events that Windows 2000 records in the security log on each computer. The security log allows specified events to be tracked. Windows 2000 writes an event to the security log on the computer where the event occurs.

18 General Audit Policy Guidelines Determine the computers on which to set up auditing. Auditing is turned off by default. Plan the events to audit on each computer. Determine whether to audit the success of events, failure of events, or both. Tracking successful events identifies which users gained access to specific files, printers, or objects, information that can be used for resource planning. Tracking failed events may alert the administrator of possible security breaches.

19 Other Policy Guidelines Determine whether to track trends of system usage. Review security logs frequently. Define an audit policy that is useful and manageable. Audit resource access by the Everyone group instead of the Users group. Audit all administrative tasks by the administrative groups.

20 Configuring Auditing: Overview An audit policy is implemented based on the role of the computer in the Windows 2000 network. The event categories on a domain controller are identical to those on a computer that is not a domain controller.

21 Computer Roles For member or stand-alone servers and computers running Windows 2000 Professional An audit policy is set for each individual computer. Events are audited by configuring a local group policy for that computer. Domain controllers An audit policy is set for all domain controllers in the domain. Events are audited by configuring the audit policy in a nonlocal GPO for the domain, which applies to all DCs and is accessible through the Domain Controllers OU.

22 Auditing Requirements The Manage Auditing And Security Log user right for the computer is necessary to configure an audit policy or review an audit log. Files and folders to be audited must be on Microsoft Windows NTFS volumes.

23 Setting Up Auditing Set the audit policy: Enables auditing of objects but does not activate auditing of specific types Enable auditing of specific resources: The specific events to track for files, folders, printers, and Active Directory objects must be identified Windows 2000 then tracks and logs the specified events.

24 Setting Up an Audit Policy Categories of events that Windows 2000 audits are selected. Configuration settings indicate whether to track successful or failed attempts for each event category to be audited. Audit policies are set in the Group Policy snap-in. The security log is limited in size. The events to be audited must be selected carefully. The amount of disk space to devote to the security log must be considered.

25 Types of Events Audited by Windows 2000 Account logon Account management Directory service access Logon events Object access Policy change Privilege use Process tracking System events

26 Auditing Access to Files and Folders If security breaches are an issue for an organization, auditing should be set up for files and folders on NTFS partitions. To audit user access to files and folders, the Audit Object Access event category is set in the audit policy. After Audit Object Access is set in the audit policy, auditing for specific files and folders is enabled, specifying which types of access to audit, either by users or by groups.

27 Auditing Entry For Dialog Box

28 User Events Traverse Folder/Execute File List Folder/Read Data Read Attributes and Read Extended Attributes Create Files/Write Data Create Folders/Append Data Write Attributes and Write Extended Attributes Delete Subfolders And Files Read Permissions Change Permissions Take Ownership

29 Auditing Access to Active Directory Objects Similar to auditing file and folder access. An audit policy must be configured, and then auditing for specific objects must be set by specifying which types of access, and by whom, to audit. Active Directory objects are audited to track access to them. The Audit Directory Service Access event category is set in the audit policy to enable auditing of user access to AD objects.

30 Auditing Entry For Dialog Box

31 Active Directory Object Events Full Control List Contents Read All Properties Write All Properties Create All Child Objects Delete All Child Objects Read Permissions Modify Permissions Modify Owner

32 Auditing Access to Printers Use auditing to track access to sensitive printers. Set the Audit Object Access event category in the audit policy, which includes printers. Enable auditing for specific printers and specify the types of access, and by whom, to audit. Use the same procedure used to set up auditing on files and folders.

33 Auditing Entry For Dialog Box

34 Recommended Audit Events

35 Using Security Logs Understanding Windows 2000 Logs Viewing Security Logs Locating Events Filtering Events Configuring Security Logs Archiving Security Logs Practice: Using the Security Log

36 Security Log Overview The security log contains information on security events specified in the audit policy. To view the security log, use the Event Viewer console. Event Viewer also allows specific events within the log files to be found, the events shown in log files to be filtered, and security log files to be archived.

37 Understanding Windows 2000 Logs Three logs are available to view in Event Viewer by default. All users can view application and system logs. Security logs are accessible only to system administrators. Security logging is turned off by default. Group policy must be used at the appropriate level to set up an audit policy.

38 Logs Maintained by Windows 2000 Application log Contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate. The program developer presets which events to record. Security log Contains information about the success or failure of audited events. The events Windows 2000 records are a result of the audit policy. System log Contains errors, warnings, and information that Windows 2000 generates. Windows 2000 presets which events to record.

39 Viewing Security Logs The security log contains information about events monitored by an audit policy, such as failed and successful logon attempts. Windows 2000 records events in the security log on the computer at which the event occurred. Events can be viewed from any computer with assigned administrative privileges for the computer where the events occurred.

40 Event Viewer

41 Locating Events Event Viewer automatically displays all events recorded in the security log when it’s first started. The Find command is used to search for specific events.

42 The Find In Dialog Box

43 Options on the Find In Dialog Box

44 Filtering Events The Filter command displays specific events that appear in the security log. The Filter command is used to narrow down the displayed events.

45 Options on the Filter Tab of the Security Log Properties Dialog Box

46 Configuring Security Logs Security logging begins when an audit policy is set for the domain controller or local computer. Security logging stops when the security log becomes full and cannot overwrite itself; an error may be written to the application log. A full security log is avoided by logging only key events. The properties of each individual audit log can be configured.

47 Security Log When the security log is full and no more events can be logged, the log can be freed by manually clearing it. Clearing the log erases all events permanently. Reducing the amount of time that an event log is kept frees the log if it allows the next record to be overwritten.

48 Archiving Security Logs Archiving maintains a history of security-related events. Archived logs often are kept for a specified period, to track security-related information over time. The entire log is saved, regardless of filtering options. Event Viewer is used to reopen a log archived in a log-file format.

49 Archiving Security Logs (con’t) Logs saved as event logs (.evt) retain the binary data for each event recorded. Logs archived in text or comma-delimited format (.txt and .csv, respectively) can be reopened in other programs, such as word processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data. An archived log is removed from the system by deleting the file in Windows Explorer.
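As an added example (not part of the deck), the Filter and archive steps from slides 44 and 49 applied to a constructed comma-delimited export: the column order is assumed to match the Event Viewer columns, and the accounts, hosts, timestamps and descriptions are made up. The event IDs 529, 560, 612 and 517 are the Windows 2000 security log IDs for a failed logon, an object open, an audit policy change and a cleared audit log.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a security log archived in comma-delimited (.csv)
# format. Column order is assumed to match the Event Viewer columns
# (Date, Time, Source, Type, Category, Event, User, Computer, Description);
# the accounts, hosts, timestamps and file names are made up.
SAMPLE_CSV = """\
Date,Time,Source,Type,Category,Event,User,Computer,Description
03/05/2001,08:01:10,Security,Success Audit,Logon/Logoff,528,CORP\\alice,WS01,Successful Logon
03/05/2001,08:02:41,Security,Failure Audit,Logon/Logoff,529,CORP\\bob,WS01,Logon Failure: Unknown user name or bad password
03/05/2001,08:02:44,Security,Failure Audit,Logon/Logoff,529,CORP\\bob,WS01,Logon Failure: Unknown user name or bad password
03/05/2001,08:02:49,Security,Failure Audit,Logon/Logoff,529,CORP\\bob,WS01,Logon Failure: Unknown user name or bad password
03/05/2001,08:03:02,Security,Failure Audit,Logon/Logoff,529,CORP\\bob,WS01,Logon Failure: Unknown user name or bad password
03/05/2001,08:03:15,Security,Failure Audit,Logon/Logoff,529,CORP\\bob,WS01,Logon Failure: Unknown user name or bad password
03/05/2001,08:10:00,Security,Success Audit,Object Access,560,CORP\\alice,WS01,Object Open: C:\\Payroll\\salaries.xls
03/05/2001,08:12:30,Security,Failure Audit,Object Access,560,CORP\\carol,WS01,Object Open: C:\\Payroll\\salaries.xls
03/05/2001,08:30:00,Security,Success Audit,Policy Change,612,CORP\\Administrator,WS01,Audit Policy Change
03/05/2001,08:31:00,Security,Success Audit,System Event,517,CORP\\Administrator,WS01,The audit log was cleared
"""

# Windows 2000 security log event IDs used below.
EVENT_LOGON_FAILED = 529
EVENT_AUDIT_LOG_CLEARED = 517
EVENT_AUDIT_POLICY_CHANGE = 612


def parse_log(text):
    """Read the archived log; the Event column becomes an int for comparisons."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["Event"] = int(row["Event"])
    return rows


def filter_events(rows, event_type=None, category=None, event_ids=None, user=None):
    """Mirror the Filter tab: every criterion that is given must match."""
    matched = []
    for row in rows:
        if event_type is not None and row["Type"] != event_type:
            continue
        if category is not None and row["Category"] != category:
            continue
        if event_ids is not None and row["Event"] not in event_ids:
            continue
        if user is not None and row["User"] != user:
            continue
        matched.append(row)
    return matched


def failed_logons_by_user(rows, threshold=5):
    """Accounts with at least `threshold` failed logons (event 529).

    This is the pattern an Account Lockout Policy is meant to stop; seeing it
    in the log means lockout is either not configured or set too high.
    """
    counts = Counter(
        row["User"]
        for row in filter_events(rows, event_type="Failure Audit", event_ids={EVENT_LOGON_FAILED})
    )
    return {user: n for user, n in counts.items() if n >= threshold}


def review_log(rows):
    """The checks an administrator would run on a freshly archived security log."""
    findings = []
    for user, n in sorted(failed_logons_by_user(rows).items()):
        findings.append(f"{n} failed logons for {user}")
    for row in filter_events(rows, event_type="Failure Audit", category="Object Access"):
        findings.append(f"access denied for {row['User']}: {row['Description']}")
    # Audit policy changes and log clearing deserve a look whether they
    # succeeded or failed, because they decide what gets recorded at all.
    for row in filter_events(rows, event_ids={EVENT_AUDIT_POLICY_CHANGE, EVENT_AUDIT_LOG_CLEARED}):
        findings.append(f"audit configuration changed by {row['User']}: {row['Description']}")
    return findings


if __name__ == "__main__":
    for line in review_log(parse_log(SAMPLE_CSV)):
        print(line)
```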

50 User Rights Privileges Logon Rights Assigning User Rights

51 User Rights: Overview Specific rights can be assigned to group accounts or to individual user accounts. Authorize users to perform specific actions. Differ from permissions, because user rights apply to user accounts, whereas permissions are attached to objects. Because user rights are part of a GPO, they can be overridden depending on the GPO affecting the user.

52 User Rights: Administration User rights define the capabilities of a user at a local level. User rights can be applied to individual user accounts, but are best administered on a group account basis. Ensures that a user logging on as a member of a group automatically inherits the rights associated with that group Simplifies user account administration by associating user rights to groups rather than individual users

53 User Rights: Assignment User rights assigned to a group are applied to all members of the group while they remain members. User rights are cumulative when a user is a member of multiple groups. A user can have more than one set of rights. Possible conflicts of user rights may occur in the case of certain logon rights. Generally, user rights assigned to one group do not conflict with the rights assigned to another group. To remove rights from a user, the user is removed from the group. The two types of user rights are privileges and logon rights.

54 Privileges Specify allowable user actions on the network. Some privileges can override permissions set on an object. A user right takes precedence over all file and directory permissions.

55 Logon Rights Overview Logon rights specify the ways in which a user can log on to a system. The special user account LocalSystem has almost all privileges and logon rights assigned to it, because all processes running as part of the OS are associated with this account. OS processes require a complete set of user rights.

56 Logon Rights

57 Assigning User Rights Assigning user rights eases the task of user account administration by assigning user rights primarily to group accounts, rather than to individual user accounts. Assigning rights to a group account automatically assigns those rights to users when they become a member of that group.

58 Using Security Templates Security Templates Overview Security Template Uses Predefined Security Templates Managing Security Templates Practice: Managing Security Templates

59 Using Security Templates Overview Windows 2000 provides a centralized method of defining security using security templates. A security template is a physical representation of a security configuration, a file in which a group of security settings is stored. Locating all security settings in one place streamlines security administration. Each template is saved as a text-based .inf file, which allows some or all of the template attributes to be copied, pasted, imported, or exported. All security attributes can be contained in a security template, except IP Security and Public Key policies.

60 Security Templates: Uses The security settings in the local GPO are the initial settings applied to a computer. The local security settings can be exported to a security template file to preserve initial system security settings, which enables the restoration of the initial security settings at any later point.

61 Security Templates: Importing A security template file can be imported to a local or nonlocal GPO. Any computer or user accounts in the site, domain, or OU to which the GPO is applied will receive the security template settings. Importing a security template to a GPO eases domain administration by configuring security for multiple computers at once.

62 Security Templates: Exporting The local security settings are exported to a security template file to preserve initial system security settings. Both local and effective security settings can be exported to a security template. Initial system settings are preserved. Local security settings are available for restoration later because domain-based GPOs override the local GPO. By exporting the effective security settings to a security template, the settings can be imported into a security database, new templates can be overlaid, and potential conflicts can be analyzed.

63 Predefined Security Templates Windows 2000 includes a set of predefined security templates. Each predefined template is based on the role of a computer and common security scenarios, from security settings for low-security domain clients to highly secure domain controllers. Predefined templates can be used as provided, can be modified, or can serve as a basis for creating custom security templates. By default, predefined security templates are stored in the systemroot\Security\Templates folder.

64 Security Levels Basic: BASIC*.INF Compatible: COMPAT*.INF Secure: SECURE*.INF Highly Secure: HISEC*.INF

65 Tasks for Managing Security Templates Accessing the Security Templates console Customizing a predefined security template Defining a new security template Importing a security template to a local and nonlocal GPO Exporting security settings to a security template

66 Security Templates Console

67 Security Configuration and Analysis How the Security Configuration and Analysis Console Works Security Configuration Security Analysis Using Security Configuration and Analysis Practice: Using Security Configuration and Analysis

68 Security Configuration and Analysis Overview Security Configuration and Analysis is a tool that offers the ability to configure security, analyze security, view results, and resolve any discrepancies revealed by analysis. This tool is located on the Security Configuration and Analysis console.

69 How the Security Configuration and Analysis Console Works The console uses a database to perform configuration and analysis functions. The database is a computer-specific data store. The database architecture allows the use of personal databases, security template import and export, and the combination of multiple security templates into one composite security template that can be used for analysis or configuration. New security templates can be incrementally added to the database to create a composite security template. Overwriting a template is also an option. Personal databases can be created for storing customized security templates.

70 Security Configuration The Security Configuration and Analysis console can be used to configure local system security. Security templates created with the Security Templates console can be imported and applied to the GPO for the local computer. System security is immediately configured with the levels specified in the template.

71 Security Analysis The state of the OS and applications on a computer is dynamic. Changes made to meet specific needs may not be reversed when the requirement is finished. The computer may no longer meet the requirements for enterprise security. The Security Configuration and Analysis console allows administrators to perform a quick security analysis. In the analysis, recommendations are presented alongside current system settings; icons or remarks are used to highlight any areas where the current settings do not match the proposed level of security.

72 Security Analysis (con’t) The Security Configuration and Analysis console offers the ability to resolve any discrepancies revealed by analysis. Regular analysis enables an administrator to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. Analysis is highly specified and information about all system aspects related to security is provided in the results. Enables an administrator to tune the security levels and to detect any security flaws that may occur in the system over time.

73 Tasks For Using Security Configuration and Analysis Access the Security Configuration and Analysis console. Set a working security database. Import a security template into a security database. Analyze system security. View security analysis results. Configure system security. Export security database settings to a security template.

74 Importing a Security Template into a Security Database Several different templates can be merged into one composite template that can be used for analysis or configuration of a system, by importing each template into a working database. The database will merge the various templates to create one composite template, resolving conflicts in order of import; the last template imported takes precedence when there is contention. Templates will not be merged into a composite template if overwrite is chosen. Once the templates are imported to the selected database, the system can be analyzed or configured.

75 Analyzing System Security The Security Configuration and Analysis console compares the current state of the system security against a security template that has been imported to a personal database. This template is the database configuration that contains the preferred or recommended security settings for that system. Security Configuration and Analysis queries the system’s security settings for all security areas in the database configuration. Values found are compared to the database configuration. Current system settings that match the database configuration settings are assumed to be correct; settings that do not match are displayed as potential problems that need investigation.

76 Viewing Security Analysis Results The Security Configuration and Analysis console displays the analysis results organized by security area with visual flags to indicate problems. The current database and computer configuration settings are displayed for each security policy in the security area.

77 Analysis Results for Password Policy

78 Configuring System Security The Security Configuration and Analysis console offers the ability to resolve any discrepancies revealed by analysis. The import process can be repeated and multiple templates can be loaded. The database merges the various templates to create one composite template, resolving conflicts in order of import. The last template imported takes precedence when there is contention. After the templates are imported to the database, choosing Configure System Now applies the stored template to the system. Using the Security Configuration and Analysis console is not recommended when analyzing security for domain-based clients, because going to each client individually would be necessary. When analyzing security for domain-based clients, it is best to return to the Security Templates console, modify the template, and reapply it to the appropriate GPO.
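An added example (not the console's own code) that walks through slides 74, 75 and 78 together: two constructed .inf templates are imported in order into a composite database, the database is analyzed against a constructed snapshot of the computer's settings, and Configure System Now is modelled as applying the database. The section and key names ([System Access], [Event Audit], MinimumPasswordLength, AuditLogonEvents, and so on) are the real template keys; the values and the snapshot are made up for the example.

```python
import configparser

# Two constructed security templates in the text-based .inf layout that the
# Security Templates console saves. Section and key names are the real ones;
# the values are chosen for this example.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditObjectAccess = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENING_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of the computer's current settings, keyed the same way.
CURRENT_SYSTEM = {
    "System Access": {"MinimumPasswordLength": "6", "PasswordComplexity": "0", "LockoutBadCount": "0"},
    "Event Audit": {"AuditLogonEvents": "1", "AuditObjectAccess": "0", "AuditPolicyChange": "0"},
}

# Sections that hold security settings; [Unicode] and [Version] are file metadata.
SECURITY_AREAS = ("System Access", "Event Audit", "Privilege Rights")

# Meaning of the numeric values in [Event Audit].
AUDIT_VALUES = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}


def parse_template(text):
    """Parse one .inf template into {area: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key case the template uses
    cp.read_string(text)
    return {area: dict(cp[area]) for area in cp.sections() if area in SECURITY_AREAS}


def import_templates(*templates):
    """Build the composite database: templates merge in import order, last wins."""
    database = {}
    for template in templates:
        for area, settings in template.items():
            database.setdefault(area, {}).update(settings)
    return database


def describe(area, value):
    """Render audit values the way the console shows them; other areas stay raw."""
    if area == "Event Audit":
        return AUDIT_VALUES.get(value, value)
    return value


def analyze(database, system):
    """Compare current settings with the database; return one entry per mismatch."""
    problems = []
    for area, settings in database.items():
        for key, wanted in settings.items():
            actual = system.get(area, {}).get(key)
            if actual != wanted:
                problems.append((area, key, describe(area, wanted), describe(area, actual)))
    return problems


def configure_system_now(database, system):
    """Apply the composite template: every database setting overwrites the system's."""
    configured = {area: dict(settings) for area, settings in system.items()}
    for area, settings in database.items():
        configured.setdefault(area, {}).update(settings)
    return configured


if __name__ == "__main__":
    db = import_templates(parse_template(BASELINE_INF), parse_template(HARDENING_INF))
    for area, key, wanted, actual in analyze(db, CURRENT_SYSTEM):
        print(f"[{area}] {key}: database={wanted} computer={actual}")
```

Importing the same two templates in the opposite order gives the baseline's weaker values precedence, which is the contention rule the slide describes.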

79 Exporting Security Templates The export feature provides the ability to save a security database configuration as a new template file that can be Imported into other databases Used as is to analyze or configure a system Redefined with the Security Templates console

80 Troubleshooting a Security Configuration Symptoms: Received error message: Event message: Event ID 1202, Event source: scecli, Warning (0x%x) occurs to apply security policies. Received error message: Failed To Open The Group Policy Object. Modified security settings are not taking effect. Policies do not migrate from Windows NT 4.0 to Windows 2000.

81 Symptom: Received Error Message: Event Message: Event ID 1202, Event Source: scecli, Warning (0x%x) Occurs to Apply Security Policies Cause: Group policy was not refreshed after changes were made Solution: Trigger another application of group policy settings or local policy refresh by using the Secedit command-line tool to refresh security settings

82 Symptom: Received Error Message: Failed To Open The Group Policy Object Cause: The most likely causes for this error are network-related Solution: Check the DNS configuration for the following: Make sure no stale entries exist in the DNS database. Resolve local DNS servers and ISP DNS server entries.

83 Symptom: Modified Security Settings are Not Taking Effect Causes: Any policies configured locally may be overridden by like policies specified in the domain. If the setting shows up in local policy but not in effective policy, it implies that a policy from the domain is overriding the setting. As group policy changes are applied periodically, it is likely that the policy changes made in the directory have not yet been refreshed in the computer. Solution: Manually do a policy refresh by typing the following at the command line: secedit /refreshpolicy machine_policy

84 Symptom: Policies Do Not Migrate from Windows NT 4.0 to Windows 2000 Cause: Windows NT 4.0 policies cannot be migrated to Windows 2000 Solution: Windows NT 4.0 clients accessing a Windows 2000 Server computer, and Windows 2000 Professional clients accessing a Windows NT 4.0 Server computer, will use the Netlogon share. With Windows 2000 Server, when a Windows NT 4.0 client is upgraded to Windows 2000, it will get only Active Directory– based group policy settings and not Windows NT 4.0–style policies. Although Windows NT 4.0–style policies may be enabled if the administrator chooses to do so, this practice is strongly discouraged. Because Windows NT 4.0–style policies are applied only during the logon process, both computer and user settings are processed (but not optimal behavior).