Windows NT ® Security Management: Extending Windows NT 5.0 Security Management Tools, Part 2 Praerit Garg Program Manager Windows NT Security Microsoft.

Presentation transcript:

Windows NT® Security Management: Extending Windows NT 5.0 Security Management Tools, Part 2
Praerit Garg, Program Manager, Windows NT Security, Microsoft Corporation

Today’s Agenda
- What is Security Configuration Tool Set?
- What problems does it solve?
- As a developer, how can you leverage this framework?
- Finally, some guidelines

Customer Questions
How do we easily…
- Implement security recommendations?
- Duplicate settings to every new system added?
- Track security measures on a regular basis?
- Enforce similar security measures across large number of systems in the enterprise?

Security Configuration Tool Set
- Security Configuration Editor
  - Define the security configurations
  - Predefined configurations included
- Security Configuration Manager
  - Apply configurations and analyze
- Group Policy Editor Security Extension
  - Propagate configurations to multiple systems
- SecEdit.exe - command line tool

Security Configuration Editor
- Define Security Configurations
  - Edit and save to configuration files

A Security Configuration
- Covers various security areas
  - Account policies - password, account lockout and Kerberos
  - Local policies - auditing, user rights…
  - Restricted groups - Administrators, Power Users…
  - Registry and File System - object security descriptors
  - Services - startup mode and security descriptors

Security Configuration Manager
- Analyze current configuration
  - Compare to stored configuration
  - Reconfigure to fix problems
- Single machine only
- Database driven
- Import configurations
  - Multiple configurations
  - Apply/Edit stored configurations

Group Policy Editor
- Hierarchical set of group policy objects
  - Domain Policy Objects (GPOs)
  - Organizational unit Policy Objects (GPOs)
- Computers in the same OU have the same security policy settings
  - DCs, desktops, application servers

Group Policy Editor Security Extension
- Computer settings, security settings
  - Define or import a security configuration as part of Group Policy object
- Applied as part of Group Policy enforcement in the enterprise
  - Policy from multiple scopes accumulated

Demonstration
- Editing configurations with Security Configuration Editor
- Applying configurations and performing analysis with Security Configuration Manager
- Configuring security policies using Group Policy Security Settings Extension

Answer To Problem #1
- How do we easily implement security recommendations?
  - Use the provided secure configurations
  - Customize them for your environment
    - E.g., new name for admin account
  - Import configuration to system database and select “Configure”

Answer To Problem #2
- How do we easily duplicate security configuration?
  - “Export” configuration from the system of choice and save it
  - Copy the configuration to a share
  - Apply the configuration to large number of machines
    - Manually
    - Using Systems Management Server
    - Group Policy…

Answer To Problem #3
- How do I track security on a regular basis?
  - Analyze using the Security Configuration Manager
    - Reconfigure to fix deviations
    - Edit to implement new settings
  - Systems Management Server + Security Configuration Manager
    - secedit.exe to collect analysis via Systems Management Server
    - Manager to locate/fix problems
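
As an added illustration of the analyze step (not code from the presentation or from the tool set), the following Python example compares a stored baseline configuration with settings exported from a system and reports deviations. It assumes configurations are saved as INF-style security templates; both templates, the SID ending in -1001 and the function names are constructed for the example.

```python
import configparser

# Constructed sample: the stored baseline configuration.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Constructed sample: settings exported from a system that has drifted.
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
"""

LIST_SECTIONS = {"Privilege Rights"}    # values are comma-separated account lists
SKIP_SECTIONS = {"Unicode", "Version"}  # file header sections, not settings

def normalize(section, value):
    """Strip whitespace; make account lists order-insensitive."""
    value = (value or "").strip()
    if section in LIST_SECTIONS:
        return ",".join(sorted(p.strip() for p in value.split(",") if p.strip()))
    return value

def parse_template(text):
    """Return {section: {setting: normalized value}} for one template."""
    # '=' is the only delimiter so ':' inside a value is not split on.
    cp = configparser.RawConfigParser(delimiters=("=",), allow_no_value=True,
                                      strict=False)
    cp.optionxform = str  # keep setting names case-exact
    cp.read_string(text)
    return {s: {k: normalize(s, v) for k, v in cp.items(s)}
            for s in cp.sections() if s not in SKIP_SECTIONS}

def analyze(baseline_text, current_text):
    """List (section, setting, status, expected, actual) for each deviation.

    Assumption of this example: only settings the baseline defines are
    checked; extra settings on the system are ignored.
    """
    baseline = parse_template(baseline_text)
    current = parse_template(current_text)
    findings = []
    for section, settings in baseline.items():
        for key, expected in settings.items():
            actual = current.get(section, {}).get(key)
            if actual is None:
                findings.append((section, key, "missing", expected, None))
            elif actual != expected:
                findings.append((section, key, "mismatch", expected, actual))
    return findings

if __name__ == "__main__":
    for finding in analyze(BASELINE_INF, CURRENT_INF):
        print(finding)
```

The reordered SeBackupPrivilege list is not reported, while the extra account holding SeDebugPrivilege is.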

Answer To Problem #4
- How do I enforce similar security measures across large number of systems in the enterprise?
  - Use Group Policy to define a configuration at a scope
    - Propagated to all systems in that scope
  - Use Systems Management Server to apply configurations using “secedit.exe” command line

How Does This All Work?

Tool Set Architecture
- Client/server based
  - Server - scesrv.exe
  - Client Interface - scecli.dll
- Clients
  - Security Configuration Editor
  - Security Configuration Manager
  - Security Extension to GPE
  - Winlogon Security Policy GP Extension
  - NT Setup, Setup APIs and DC Promotion
  - LSA Downlevel Policies Filter

Core Infrastructure
- Engine Server (scesrv.exe)
  - Configure System
  - Analyze System
  - Persist state in database
- Engine Client (scecli.dll)
  - Communicate with Server
  - Edit Configuration Files
[Diagram labels: Inspection database, Configuration files]

Working With Configuration Files
- Engine Client (scecli.dll)
  - Communicate with Server
  - Edit Configuration Files
[Diagram labels: Configuration files, Security Configuration Editor, Security Settings Extension to Group Policy Editor]

Working With OS
- NT Setup
- DC Promotion
- Setup APIs
[Diagram labels: Engine Server (scesrv.exe), Inspection database, Engine Client (scecli.dll), Default configuration, Winlogon Security GP Ext., Group Policies]

Backward Compatibility
[Diagram labels: Engine Client (scecli.dll), LSA, decision “DC?” with YES and NO branches, Engine Server (scesrv.exe), Inspection database]

Enterprise Policy Enforcement
- Group Policy enforced via ZAW framework
  - Client pulls policies and applies them
  - Security policies included
  - Integrity protected, low network traffic

How Can This Be Extended To Support Application Or Service Specific Security?

An Infrastructure To Build On…
- Problems
  - Security is very broad
  - Customer configurations and concerns vary
  - The system is ever improving and growing
- Solution - service attachment model
  - Provide an extensibility framework
  - Fit security of your services
  - You can build custom solutions

Extension Framework
- Engine Server (scesrv.exe)
  - Configure System
  - Analyze System
  - Persist state in database
- Engine Client (scecli.dll)
  - Communicate with Server
  - Edit Configuration Files
[Diagram labels: Attachment engines, Extension snap-ins for attachments]

Attachment Model
- Two pieces to implement
  - Attachment engine DLL
  - MMC extension snap-in DLL
- Attachment engine
  - A DLL which implements well defined interfaces
  - Registers at install time
  - Interfaces invoked by SCTS during configuration and inspection

Attachment Model
- MMC extension snap-in
  - Populated under individual templates
  - Populated under inspection for analysis
- Well defined interfaces provided
  - No direct communication with templates or database
[Diagram labels: Core engine, Snap-in, Extension snap-ins, Attachment engines]

Win32® Helper APIs - sddl.h
- ConvertSecurityDescriptorToStringSecurityDescriptor
  - Converts a self-relative security descriptor into a string representation
- ConvertStringSecurityDescriptorToSecurityDescriptor
  - Converts a string security descriptor to a self-relative binary form

Data Structures And Functions
- Callback structure
  - Context handle
  - PFSCE_QUERY_INFO callback
  - PFSCE_SET_INFO callback
  - PFSCE_FREE_INFO callback
  - PFSCE_LOG_INFO callback
- Configuration structure
  - Modified configuration information

Attachment Interfaces

    SCESTATUS SceSvcAttachmentConfig(
        IN PSCESVC_CALLBACK_INFO pSceCbInfo
    );

    SCESTATUS SceSvcAttachmentAnalyze(
        IN PSCESVC_CALLBACK_INFO pSceCbInfo
    );

    SCESTATUS SceSvcAttachmentUpdate(
        IN PSCESVC_CALLBACK_INFO pSceCbInfo,
        IN PSCESVC_CONFIGURATION_INFO ServiceInfo
    );

Attachment Interface 1
- SceSvcAttachmentConfig
  - Called during
    - SCM “Configure”
    - GP “Refresh Policy”
- Configure attachment specific security information
- Use callback functions
- Code sample

Attachment Interface 2
- SceSvcAttachmentAnalyze
  - Called during SCM “Analyze”
- Inspect attachment specific security settings
- Use callback functions
- Code sample

Attachment Interface 3
- SceSvcAttachmentUpdate
  - Called during
    - SCE Save
    - SCM Save
- To support in place editing of
  - Configurations
  - Database configuration
- Code sample

Extension Snap-In
- Implement required MMC Interfaces for an extension snap-in
  - Register as extension to security configuration editor
- Additionally, implement another interface
  - Use SeCEdit provided interface as required
[Diagram labels: Security configuration editor snap-in, Attachment extension snap-in, IDataObject, Clipboard Format]

Supplied COM Interface
- ISceSvcAttachmentData
  - Provided by SCTS Snap-ins
  - Call Initialize() to set up context
  - Call GetData() to get Attachment specific data
  - Call FreeBuffer() to release memory
  - Call FreeHandle() to release context
- Code sample

COM Interface To Implement
- ISceSvcAttachmentPersistInfo
  - Implemented by Extension snap-in
  - SCTS snap-ins call
    - IsDirty() to check user edits in the extension
    - Save() to get the data that needs to be saved
    - FreeBuffer() to let extension free memory it allocated
- Code sample

And Finally…

If You Are A Developer…
- Think SECURE!!
- Evaluate your registry keys, files
  - Do you secure them?
  - Are they security sensitive?
- Plug in security attachments for your applications and services
  - Build an engine attachment
  - Build an MMC extension snap-in
- Use Setup APIs to set up securely

If You Are A Tester…
- Think SECURE!!
- Stop running your tests under administrator account
  - Use a normal user account
- Test your components on secure systems
  - Use predefined configurations
  - Use the Editor to build custom configurations if needed

Availability
- Windows NT® 4.0 Service Pack 4
  - Security Configuration Editor
  - With built-in analysis tool
  - No Group Policy support
  - Use secedit.exe with Systems Management Server
- Windows NT 5.0
  - Complete tool set
- Use Service Pack release today!
  - Provide us feedback to make it more useful…

Call To Action
- Use Security Configuration Editor
  - Define your own or customize existing configurations
- Use Group Policy Security Extension
  - Enforce security on large number of systems
- Use Security Configuration Manager
  - Track, analyze and reconfigure system security

For More Information…
- White papers
  - Windows NT Security Configuration Tool Set
  - Guide to Securing Windows NT Installations
  - Group Policy
- Windows NT 5.0 Beta2 walkthroughs
- Microsoft Security Advisor