Section 7: Implementing Security Using Group Policy


Section 7: Implementing Security Using Group Policy
- Exploring the Windows Security Architecture
- Securing User Accounts
- Exploring Security Policies
- Hardening Windows Environments
- Implementing Domain Security
- New Security Policy Options for Windows 8 Client and Windows Server 2012

Course: Managing Windows Environments with Group Policy

© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives
After completing this section, you will be able to:
- Describe the Windows security architecture
- Explain how to secure user accounts with Group Policy
- Describe the purpose of local policies
- Explain how to harden computer accounts
- Explain how to control the domain security policy with a GPO

Exploring the Windows Security Architecture
The main security components of a Windows 2000 and later operating system are:
- Security principals
- Access control lists
- Security groups
- NTUSER.DAT
- The registry

Security Principals
Security principals are objects within Active Directory that are assigned SIDs for access control purposes:
- Users
- Groups
- Computers

Access Control Lists
Access control lists are permissions granted to objects within a Windows environment. ACLs are available on:
- Files and folders
- Registry keys
- Printers
- Active Directory objects
- Group Policy objects

Security Groups

Group                 Membership from          Access to resources
Local groups          Any trusted domain       The local computer only
Domain local groups   Any trusted domain       The local domain only
Global groups         The local domain only    Any trusted domain
Universal groups      Any trusted domain       Any trusted domain

NTUSER.DAT: The User Profile
Group Policy information is stored in specific policy folders in either the user or system hives of the registry.

The Registry
The registry is the ultimate storage location for many Group Policy settings. The SECURITY hive contains the bulk of the security settings for users and groups.

Securing User Accounts
- Authentication protocols
- Password security
- Account lockout settings
- Kerberos Policy

(Figure: Users, Domain Controller)

Authentication Protocols
- NT LAN Manager
  - NTLMv1
  - NTLMv2
  - Uses 56-bit DES
- Kerberos
  - 128-bit
  - 256-bit AES
- Smart-card logon

Password Security
- Password strength
- Configuring the Default Domain Policy
- Implementing fine-grained password policies

(Figure: Ctrl+Alt+Delete)

Password Strength
- Complex is not always stronger.
- Frequent changing encourages written passwords.
- Password length is the key to greater security.
- The ultimate goal would be smart cards instead of passwords.

Configuring the Default Domain Policy
- Basic password policies are configured at the domain level.
- All operating systems understand domain password policies.

Implementing Fine-Grained Password Policies
- Understanding fine-grained password policies
- Creating fine-grained password policies
- Applying policies to users and groups
- Viewing policy results

Understanding Fine-Grained Password Policies
- Fine-grained password policies allow for many different password guidelines within a single domain.
- Two new object classes:
  - Password Settings Container
  - Password Settings
- PSOs are applied to groups or users, not OUs.
- Create PSOs with:
  - Active Directory Administrative Center
  - PowerShell
  - ADSIEdit

Creating Fine-Grained Password Policies
Password Settings objects are created using a single window containing all settings.

Applying Policies to Users and Groups
PSOs can be assigned to users or groups.

Viewing Policy Results
The resultant password settings that affect a user can be viewed at any time.
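The PowerShell route listed on the "Understanding Fine-Grained Password Policies" slide, carried through the three steps the slides describe (create the PSO, apply it to a group, view the resultant policy for a user). This is an added example, not code from the Global Knowledge course; it assumes the ActiveDirectory module is installed and that the group Tier0-Admins and the user jdoe exist (both are constructed names).

```powershell
# Added example (not part of the course material). Requires the RSAT
# ActiveDirectory module and rights to create objects in the Password
# Settings Container. 'Tier0-Admins' and 'jdoe' are constructed names.
Import-Module ActiveDirectory

# 1. Create the Password Settings object. Precedence decides which PSO wins
#    when a user is covered by more than one: the lower number applies.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# 2. Apply it. PSOs target users and groups, not OUs, so link it to a group
#    and manage the group's membership rather than linking users one by one.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# 3. View the resultant policy for one user. An empty result means no PSO
#    applies and the user falls back to the domain-level password policy.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration
```

Keep precedence values well spaced (10, 20, 30) so later PSOs can be slotted in without renumbering, and check the resultant policy for a member of each group after any change, since a user in two groups silently receives only the lowest-precedence PSO.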

Account Lockout Settings
- Account Lockout Threshold
  - Sets the number of allowed invalid logon attempts
  - Larger numbers reduce support calls
- Account Lockout Duration
  - Sets the amount of time before the account can be used again
  - A value of 0 means the account will remain locked until it is unlocked by an administrator
- Account Lockout Reset
  - Configures the amount of time before the number of attempted logons will reset
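The domain-level password and lockout settings from the "Configuring the Default Domain Policy" and "Account Lockout Settings" slides, set and verified with the ActiveDirectory module instead of the GPO editor. This is an added example, not the course's own material; it assumes the ActiveDirectory module, Domain Admin rights, and a placeholder domain name example.com. The values chosen reflect the "Password Strength" slide (length over complexity and frequent rotation).

```powershell
# Added example (not from the course slides). 'example.com' is a placeholder.
Import-Module ActiveDirectory
$domain = 'example.com'

# Record the current values before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge,
                LockoutThreshold, LockoutDuration, LockoutObservationWindow

$lockoutWindow   = New-TimeSpan -Minutes 30   # "Account Lockout Reset" on the slide
$lockoutDuration = New-TimeSpan -Minutes 30   # 0 = locked until an administrator unlocks it

# Windows requires the lockout duration to be 0 or at least as long as the
# reset window; catch that here rather than at the GPO editor's error dialog.
if ($lockoutDuration -ne [TimeSpan]::Zero -and $lockoutDuration -lt $lockoutWindow) {
    throw 'Lockout duration must be 0 or at least as long as the lockout observation window.'
}

Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow $lockoutWindow `
    -LockoutDuration $lockoutDuration

# Read it back; this is the policy every domain member evaluates unless a PSO applies.
Get-ADDefaultDomainPasswordPolicy -Identity $domain
```

A lockout threshold of 10 rather than 3 matches the slide's point that larger numbers reduce support calls while still stopping online guessing; a 0 lockout duration should be reserved for accounts where an administrator review of every lockout is wanted.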

Kerberos Policy
Kerberos policies govern the length of time that ticket-granting and service tickets will be cached.

Exploring Security Policies
Important Security Policy Settings:
- Audit Policy
- User Rights Assignment
- Security Options
- Advanced Audit Policy

Audit Policy
Audit who is logging on and accessing files.

Advanced Audit Policy
Audit at a more granular level with Advanced Audit Policies.

User Rights Assignments
User rights assignments can be used to define the special abilities that some users will have within the operating system.

Security Options
Security Options can be used to configure access to the system both locally and over the network.

Security Settings Spreadsheet
Microsoft provides a downloadable spreadsheet that details many of the default settings that are configured in the operating system.

Hardening Windows Environments
- What Is Hardening?
- Security Configuration Wizard
- Microsoft Security Compliance Manager

What Is Hardening?
- Hardening is the strengthening of the default levels of security.
- For Windows 2000 and later, computer account security is broken down into three subgroups:
  - Account Policies
  - Account Lockout Policies
  - Kerberos Policies
- You can raise the default security levels at the domain level.
- The default values already enabled are merely starting points.
- Only one domain account policy is allowed.

Security Configuration Wizard
- The Security Configuration Wizard builds a single security-related GPO.
- Configuration detail is saved as an XML file.
- Can be applied to an individual computer.
- Convert to a GPO to apply to more than one computer.

Converting an SCW XML File to a GPO
1. Use the Security Configuration Wizard to create and save the settings to an XML file.
2. Use scwcmd transform to convert the file.
3. The converted GPO will contain both security settings and administrative templates settings.
4. The GPO can then be linked to an appropriate OU.
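The conversion and linking steps above, scripted end to end. This is an added example and not code from the course; it assumes the wizard already saved its policy to C:\SCW\FileServer.xml, that the GPO name and OU distinguished name below are placeholders for your own, and that the GroupPolicy module (RSAT) is available on the machine running it.

```powershell
# Added example (not from the course material). Paths, GPO name and OU are placeholders.
$policyFile = 'C:\SCW\FileServer.xml'                          # saved by the SCW
$gpoName    = 'SCW-FileServer-Hardening'
$targetOU   = 'OU=File Servers,OU=Servers,DC=example,DC=com'

if (-not (Test-Path $policyFile)) { throw "SCW policy file not found: $policyFile" }

# Step 2: scwcmd transform creates a new GPO carrying the XML's security settings
# and the matching administrative-template settings. It does not link the GPO.
& scwcmd.exe transform "/p:$policyFile" "/g:$gpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

Import-Module GroupPolicy

# Step 4: link the GPO to the OU. Linking is what makes it apply on the next refresh,
# so review the report first if the OU holds production systems.
Get-GPOReport -Name $gpoName -ReportType Html -Path "C:\SCW\$gpoName.html"
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes

# Confirm the link exists and is enabled.
(Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object DisplayName -eq $gpoName |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Because the wizard was run against one server's role configuration, the resulting GPO should be linked only to an OU containing servers with that same role; a policy that disables services a different role depends on is the usual way an SCW-derived GPO causes an outage.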

Microsoft Security Compliance Manager
The Security Compliance Manager is a free download that can help you assess security and implement a hardened environment.

Implementing Domain Security
- Security Levels
- Controlling File Security through the ACL
- Managing Registry Security Using ACLs
- Controlling Network Services with Group Policy
- Enforcing an Audit Policy
- Restricting Security Group Membership

Security Levels
Microsoft recommends three levels of security:
- Domain
- Assigned server role
- Baseline

Controlling File Security through the ACL
- The File System setting can centrally define ACLs.
- Group Policy refresh keeps the ACL at the specified values.

Managing Registry Security Using ACLs
You can use ACLs to update registry security in the following ways:
- Locking down registry permissions so users cannot change local settings
- Adding user permissions to a key to allow Windows software that was written before Windows 2000 to work
- Adding or modifying permissions that are required in your environment for older software applications

Controlling Network Services with Group Policy
Examples of network services to control are:
- Windows Time
- Automatic Updates
- Help and Support
- Remote Registry
- Telnet

Enforcing an Audit Policy
- Audit policy can be defined at the site, domain, or OU GPO.
- Administrators can monitor user and system activity for many security-related activities, including:
  - Account logon
  - Account management
  - Directory service access
  - Object access
- Events that are triggered by the audit are stored in the Event Viewer security log.
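One script that serves both the "Advanced Audit Policy" slide and the "Enforcing an Audit Policy" slide: it maps the four audit categories listed above to Advanced Audit Policy subcategories, enables them on the local machine with the built-in auditpol.exe (the same subcategories a GPO would enforce), and then reviews the Security log for the events those categories produce. This is an added example, not the course's own code; it assumes an elevated PowerShell session on a domain-joined machine. The subcategory names and event IDs are Windows' own.

```powershell
# Added example (not from the course). Run elevated; auditpol needs administrative rights.

# Slide category -> Advanced Audit Policy subcategories. Object access also
# requires a SACL on the files or keys being audited, or nothing is logged.
$subcategories = @{
    'Account logon'            = @('Credential Validation', 'Kerberos Authentication Service')
    'Account management'       = @('User Account Management', 'Security Group Management')
    'Directory service access' = @('Directory Service Access')
    'Object access'            = @('File System')
}

foreach ($category in $subcategories.Keys) {
    foreach ($sub in $subcategories[$category]) {
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$sub' ($category)" }
    }
}

# Show the effective setting for one category, as a GPO results check would.
& auditpol.exe /get /category:'Account Management'

# Events in the Security log that the categories above generate.
$ids = @{
    4625 = 'Failed logon'
    4740 = 'Account locked out'
    4720 = 'User account created'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
    4662 = 'Directory service object accessed'
    4663 = 'File system object accessed'
}

$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,6}  {1}  {2}' -f $_.Count, $_.Name, $ids[[int]$_.Name] }
```

Run on a domain controller, the Credential Validation and Kerberos subcategories account for most of the volume, so size the Security log (or forward it) before enabling success auditing there; the count-by-ID summary is the quick way to see which subcategory is generating that volume.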

Restricting Security Group Membership
- With the Restricted Groups option, you can centrally configure the membership of a group on a local computer.
- The Group Policy refresh cycle sets the membership back to this value even if it is changed locally.
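Restricted Groups re-applies the membership at each refresh, but nothing on the slide tells you when it was changed in between. The check below, an added example that is not part of the course, compares a local group's current members with the baseline the Restricted Groups setting enforces and reports the drift. It assumes Windows 10 / Windows Server 2016 or later (for Get-LocalGroupMember) and uses placeholder domain and group names.

```powershell
# Added example (not from the course). EXAMPLE\... names are placeholders for
# the members your Restricted Groups setting lists.
$baseline = @{
    'Administrators' = @('Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\Workstation-Admins')
}

function Get-LocalGroupDrift {
    param([string]$GroupName, [string[]]$Expected)

    # Local accounts are reported as COMPUTERNAME\Name; strip the prefix so the
    # baseline can be written once and reused on every machine.
    $actual = Get-LocalGroupMember -Group $GroupName |
        ForEach-Object { $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", '' }

    $diff = Compare-Object -ReferenceObject $Expected -DifferenceObject @($actual)
    [pscustomobject]@{
        Group      = $GroupName
        Unexpected = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Missing    = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

foreach ($group in $baseline.Keys) {
    $drift = Get-LocalGroupDrift -GroupName $group -Expected $baseline[$group]
    if ($drift.Unexpected.Count -eq 0 -and $drift.Missing.Count -eq 0) {
        "$group matches the Restricted Groups baseline."
        continue
    }
    Write-Warning ("{0}: unexpected [{1}] missing [{2}]" -f $group,
        ($drift.Unexpected -join ', '), ($drift.Missing -join ', '))
    # Ask Group Policy to reapply now rather than waiting for the next refresh cycle.
    & gpupdate.exe /target:computer /force | Out-Null
}
```

An unexpected member found between refreshes is worth correlating with event 4732 (member added to a local group) in the Security log: the policy will remove the account again, but the log entry shows who added it and when.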

New Security Policy Options for Windows 8 Client and Windows Server 2012
Several new policy options have been added to the security section in Windows 8 Client and Windows Server 2012:
- Accounts: Block Microsoft accounts
- Interactive logon: Machine account lockout threshold
- Interactive logon: Machine inactivity limit
- Microsoft network server: Attempt S4U2Self to obtain claim information

Summary
The main security components of a Windows 2000 and later operating system are:
- Security principals: The operating system assigns a SID to every user, group, or computer object on a standalone Windows computer system or one that is a member of a domain. Some security principals are created by default by the operating system.

Summary (cont.)
- Access control lists: Every object and process created on an NTFS file-system partition can be controlled using file and folder permissions. Permissions are assigned using ACLs that contain a list of security principals. A DACL (discretionary ACL) is the specific allow and/or deny privilege given to each security principal. SACLs (system ACLs) are used to audit selected users and groups if you want to monitor the assigned level of permissions on any object or process.
- Security groups: Used to assign rights and permissions to processes and objects using the ACLs, DACLs, and SACLs.

Summary (cont.)
- NTUSER.DAT: Used to hide part of each user profile and is loaded when the user successfully logs on to a Windows client. This user profile registry hive is mapped to the HKEY_CURRENT_USER section of the registry after the user is logged on.
- The registry: Many Group Policy settings update the registry database on the local computer, even if the settings are deployed through Active Directory. The hives that apply to Group Policy are:
  - HKEY_CURRENT_USER
  - HKEY_LOCAL_MACHINE
  - HKEY_CLASSES_ROOT
  - HKEY_USERS
  - HKEY_CURRENT_CONFIG

Summary (cont.)
To secure user accounts, you must consider the following:
- Authentication protocols
- Password security
- Account lockout settings
- Kerberos policy settings

Local policies are policy settings that can be configured on a per-machine basis with the Group Policy Management Editor. These settings are useful when the machine is in a workgroup or is being staged for deployment.

Summary (cont.)
- Computer account security is divided into three subgroups: account policies, account lockout policies, and Kerberos policies.
- You can use two tools to harden computer accounts: the GPOAccelerator and the Security Configuration Wizard.
  - The GPOAccelerator tool builds a series of preconfigured GPOs with a security emphasis.
  - The Security Configuration Wizard builds a single security-related GPO.

Summary (cont.)
To control domain security policy with a GPO, configure the different security policy settings in a GPO for the domain. You can do the following:
- Control the file and registry security
- Restrict the network services
- Configure the public key policies
- Enforce auditing
- Restrict group membership

Knowledge Check
1. Which Windows security component is used to assign rights and permissions to processes and objects using the ACLs, DACLs, and SACLs?
   a. Security groups
   b. Security principals
   c. Access control lists
   d. The registry

Knowledge Check (cont.)
2. What do you have to consider when you secure user accounts with Group Policy? (Choose all that apply.)
   a. Password security
   b. Account lockout settings
   c. How often the user logs on
   d. Authentication protocols

Knowledge Check (cont.)
3. What is the purpose of local policies?
   Local policies are policy settings that can be configured on a per-machine basis. They are useful when the machine is in a workgroup or is being staged for deployment.
4. Briefly explain how to harden computer accounts.
   Increase the default security level of Windows by using the GPOAccelerator to provide sample, hardened templates. Use the Security Configuration Wizard to display the current security settings and configure a more secure template to apply to other systems.

Knowledge Check (cont.)
5. List the things that you can do to control the domain security policy with a GPO.
   - Control the file and registry security
   - Restrict the network services
   - Configure the public key policies
   - Enforce auditing
   - Restrict group membership