Presentation is loading. Please wait.

Presentation is loading. Please wait.

Greta Mameniskyte IV course 3rd group

Published byBenedek Mészáros Modified over 5 years ago

Similar presentations

Presentation on theme: "Greta Mameniskyte IV course 3rd group"— Presentation transcript:

1 Greta Mameniskyte IV course 3rd group
Local Security Policy Greta Mameniskyte IV course 3rd group

2 Table of contents Definition
How to open Local Security Policy settings Account policies Local policies LSA Policy Objects How to use LSA Objects

3 Definition The Local Security Authority (LSA) is a protected subsystem of Windows that maintains information about all aspects of local security on a system, collectively known as the local security policy of the system. In other words, the local security policy of a system is a set of information about the security of a local computer. The local security policy information includes the following: The domains trusted to authenticate logon attempts. Which user accounts may access the system and how. For example, interactively, through a network, or as a service. The rights and privileges assigned to accounts. The security auditing policy. The Local Security Authority (LSA) stores the local policy information in a set of LSA Policy Objects.

4 How to open local security policy settings
Windows+r -> secpol.msc Control panel -> Administrative tools -> Local Security Policy

5 Local security policies
Account policies Password Policy Account Lockout Policy Local policies Audit Policy User Rights Assignment Security Options

6 Password policies Enforce password history Maximum password age
Minimum password age Minimum password length Password must meet complexity requirements Store password using reversable encryption Enforce password history This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. Maximum password age This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. Minimum password age This security setting determines the period of time (in days) that a password must be used before the user can change it. Password must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. Store password using reversable encryption This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

7 Account lockout policy
Account lockout duration This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. Account lockout threshold This security setting determines the number of failed logon attempts that causes a user account to be locked out. Reset account lockout counter after This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.

8 Audit policies Audit policies records certain events that occur on your computer. Later you can go to the Event Viewer and see all the information about the events that have been set to be audited.

9 User Rights Assignment

10 User Rights Assignment

11 Security options

12 Security options

13 LSA Policy Objects The LSA stores local security policy information in a set of objects. Your application can query or edit the local security policy by accessing these objects. The set consists of the following four objects: Policy contains global policy information. TrustedDomain contains information about a trusted domain. Account contains information about a user, group, or local group account. Private Data contains protected information, such as server account passwords. This information is stored as encrypted strings

14 Using LSA Policy Opening a Policy Object Handle
Managing Policy Information Receiving Policy Change Events Managing Account Permissions Managing Trusted Domain Information Translating Between Names and SIDs Storing Private Data Using LSA Unicode Strings

15 Opening a Policy Object Handle
Most LSA Policy functions require a handle to the Policy object for the system to query or modify. To obtain a handle to a Policy object, call LsaOpenPolicy and specify the name of the system you want to access and the set of access permissions required.

16 Managing Policy Information
To retrieve information about the local security policy, call LsaQueryInformationPolicy. To set local security policy, call LsaSetInformationPolicy. The description of the POLICY_INFORMATION_CLASS enumeration details the types of policy information that can be queried or set.

17 Receiving Policy Change Events (1)
To receive notification, create a new event object by calling the CreateEvent function, and then call the LsaRegisterPolicyChangeNotification function.

18 Receiving Policy Change Events (2)
When your application no longer needs to receive notifications, it should call LsaUnregisterPolicyChangeNotification and then call CloseHandle to free the event object handle.

19 Managing Account Permissions (1)
To access all accounts that have a particular permission, call LsaEnumerateAccountsWithUserRight. This function populates an array with the SIDs (security Identifiers) of all accounts that have the specified permission.

20 Managing Account Permissions (2)
After you have obtained the SID of an account, you can modify its permissions. Call LsaAddAccountRights to add permissions to the account. If the specified account does not exist, LsaAddAccountRights creates it. To remove permissions from an account, call LsaRemoveAccountRights. If you remove all permissions from an account, LsaRemoveAccountRights also deletes the account.

21 Managing Account Permissions (3)
Your application can check the permissions currently assigned to an account by calling LsaEnumerateAccountRights. This function populates an array of LSA_UNICODE_STRING structures. Each structure contains the name of a privilege held by the specified account.

22 Managing Trusted Domain Information (1)
You can enumerate the trusted domains by calling LsaEnumerateTrustedDomainsEx. To retrieve information about a trusted domain, call either LsaQueryTrustedDomainInfo or LsaQueryTrustedDomainInfoByName. Both functions return the same information; however, LsaQueryTrustedDomainInfo identifies the trusted domain by SID, and LsaQueryTrustedDomainInfoByName identifies the trusted domain by name.

23 Managing Trusted Domain Information (2)
To set information for a trusted domain, call either LsaSetTrustedDomainInformation or LsaSetTrustedDomainInfoByName. As with the query functions, LsaSetTrustedDomainInformation identifies the trusted domain by SID, while LsaSetTrustedDomainInfoByName identifies the trusted domain by name.

24 Translating Between Names and SIDs
To locate account names, call the LsaLookupNames function. This function returns the SID as a RID/Domain index pair. To get the SID as a single element, call the LsaLookupNames2 function. To locate SIDs, call LsaLookupSids.

25 Storing Private Data Call the LsaStorePrivateData function to store and encrypt private data. To retrieve and decode previously stored private data, call LsaRetrievePrivateData. Note that you cannot retrieve machine private data objects; machine objects can be retrieved only by the operating system.

26 Using LSA Unicode Strings
Several of the LSA Policy functions use the LSA_UNICODE_STRING structure to store string information. This structure stores the string and its length information.

27 Sources of information
information sids

28 Do you have any questions?
Thank you! Do you have any questions?

Download ppt "Greta Mameniskyte IV course 3rd group"

Similar presentations

Chapter Five Users, Groups, Profiles, and Policies.

Chapter Five Users, Groups, Profiles, and Policies.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 7: Troubleshoot Security Settings and Local Security.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 6: Configure and Troubleshoot Local User and Group Accounts.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 6: Configure and Troubleshoot Local User and Group Accounts.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Administering Active Directory

Administering Active Directory
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.

Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.

11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.
11 WORKING WITH USER ACCOUNTS Chapter 6. Chapter 6: WORKING WITH USER ACCOUNTS2 CHAPTER OVERVIEW Understand the differences between local user and domain.

11 WORKING WITH USER ACCOUNTS Chapter 6. Chapter 6: WORKING WITH USER ACCOUNTS2 CHAPTER OVERVIEW Understand the differences between local user and domain.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication.
70-270: MCSE Guide to Microsoft Windows XP Professional Chapter 5: Users, Groups, Profiles, and Policies.

70-270: MCSE Guide to Microsoft Windows XP Professional Chapter 5: Users, Groups, Profiles, and Policies.
Understanding Workgroups and Active Directory Lesson 3.

Understanding Workgroups and Active Directory Lesson 3.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Similar presentations

Ads by Google