CHAPTER 13
ADMINISTERING A SECURITY
CONFIGURATION
Lesson 1:
Security Configuration Overview
A security configuration consists of the security settings applied to each security area supported by
Microsoft Windows 2000. Using the Security Settings extension in the Group Policy snap-in, the
following security areas may be configured for a nonlocal GPO:
Account Policies
Account policies apply to user accounts. This security area contains attributes for:
Password Policy. For domain or local user accounts, determines settings for passwords such as
enforcement and lifetimes.
Account Lockout Policy. For domain or local user accounts, determines when and for whom an
account will be locked out of the system.
Kerberos Policy. For domain user accounts, determines Kerberos-related settings, such as ticket
lifetimes and enforcement.
IMPORTANT: Domain user accounts take their account policy only from GPOs linked at the domain
level. An account policy in a GPO linked to an organizational unit (OU) affects only the local
accounts on the computers in that OU. Account policies should therefore not be configured for OUs
that do not contain any computers, and OUs that contain only users will always receive account
policy from the domain.
Local Policies
These policies pertain to the security settings on the computer used by an application or user. Local
policies are based on the computer you are logged on to and the rights you have on that particular
computer.
======================================================================
winads13.html PAGE
2 2002/03/04
Audit Policy. Determines which security events are logged in the security log on the computer
(successful attempts, failed attempts, or both). The security log is viewed in the Event Viewer console.
User Rights Assignment. Determines which users or groups have logon or task privileges on the
computer.
Security Options. Enables or disables security settings for the computer.
Local policies, by definition, are local to a computer. When these settings are imported to a GPO
in Active Directory, they will affect the local security settings of any computer accounts to which
that GPO is applied.
Event Log
The Event Log area configures the Application, Security and System logs: for each log, settings such
as the maximum log size, how long entries are retained and the retention method, and whether guest
access to the log is restricted.
Restricted Groups
Restricted Groups lets you enforce the membership of groups that have predefined capabilities, such
as Administrators, Power Users, Print Operators, Server Operators, and Domain Admins. For each
group on the list you define its Members and the groups it is a Member Of. When the policy is
applied, accounts that are not on the Members list are removed from the group and listed accounts
are added, so a membership change made locally is reverted at the next policy refresh. You can add
any group you consider sensitive or privileged to the list.
For example, the Power Users group, being a default Windows 2000 group with predefined
capabilities, is a typical member of the Restricted Groups list.
System Services
The system services area is used to configure security and startup settings for services running on a
computer.
The startup settings are:
· Automatic. Starts a service automatically at system start time.
· Manual. Starts a service only if manually started.
· Disabled. The service is disabled so it cannot be started.
Registry and File System Areas
The registry area is used to configure security on specific registry keys, and the file system area to
configure security on specific file paths. For a registry key or file path you can edit the security
properties: which user or group accounts have permission to read, write, delete or execute, as well
as inheritance settings, auditing, and ownership.
Public Key Policies
Public key policies are used to configure encrypted data recovery agents (for the Encrypting File
System), domain roots, and trusted certificate authorities.
IP Security Policies
IP Security policies are used to configure IPSec rules for network Internet Protocol (IP) traffic.
Lesson Summary:
A security configuration is the set of security settings in the areas above (account policies, local
policies, event log, restricted groups, system services, registry, file system, public key policies and
IP security policies), applied to computers through a nonlocal GPO.
Lesson 2:
Auditing
Windows 2000 auditing is a tool used for maintaining network security. Auditing allows you
to track user activities and system-wide events.
Understanding Auditing
Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows
2000 activities, which are called events, on a computer. An audit entry in the security log contains
the following information:
· The action that was performed.
· The user who performed the action.
· The success or failure of the event and when the event occurred.
Using an Audit Policy
An audit policy defines the categories of events that Windows 2000 records in the security log on
each computer. The security log allows you to track the events that you specify.
Windows 2000 writes events to the security log on the computer where the event occurs. You
can set up an audit policy for a computer to do the following:
· Track the success and failure of events, such as logon attempts by users, an attempt by a particular
user to read a specific file, changes to a user account or to group memberships, and changes to
your security settings.
· Eliminate or minimize the risk of unauthorized use of resources.
You use Event Viewer to view events that Windows 2000 has recorded in the security log. You
can also archive log files to track trends over time, for example, to determine the use of printers or
files or to verify attempts at unauthorized use of resources.
Proxy Server:
A proxy server is not a firewall. Do not browse the Internet while logged on with the Administrator
account. The proxy server does not open or close accounts.
Audit Policy Guidelines
When you plan an audit policy you must determine the computers on which to set up auditing.
Auditing is turned off by default.
· Determine what to audit.
· Determine which computers to audit.
· Decide whether to set the policy through a domain GPO or the Local Policy of the computer.
· In the GPO, under Security Settings / Audit Policy, choose Success, Failure, or both for each category.
NOTE: Auditing successful logons, not only failures, can reveal misuse of a dormant (stagnant)
account: for example, an account whose owner is on holiday being used by someone else.
· Decide at which level to set the policy. Group Policy is applied in the order L S D OU (Local, Site,
Domain, OU), so where two levels define the same setting the later one wins.
logs.
· Review the security logs regularly, because configuring auditing alone does not alert you to
security breaches.
confidential data.
· Audit access by the Everyone group rather than by the Users group. This will ensure that you audit
everyone who can connect to the network, not just the users for whom you create user accounts in
the domain.
***** IMPORTANT CHART *****
=======================================================================
Event category            Description
=======================================================================
Account Logon             A domain controller received a request to validate a
                          user account.
Account Management        An administrator created, changed, or deleted a user
                          account or group.
Directory Service Access  A user gained access to an Active Directory object.
Logon Events              A user logged on or logged off, or a user made or
                          canceled a network connection to the computer.
Object Access             A user gained access to a file, folder, or printer.
                          You must also configure auditing on the specific
                          files, folders, or printers.
Policy Change             A change was made to the user security options,
                          user rights, or audit policies.
Privilege Use             A user exercised a right, such as changing the
                          system time (this does not include rights that are
                          related to logging on and logging off). H/W.
Process Tracking          A program performed an action. The information is
                          generally useful only for programmers who want to
                          track details of program execution (only for
                          developers).
System Events             A user restarted or shut down the computer, or an
                          event occurred that affects Windows 2000 security
                          or the security log (for example, the audit log is
                          full and Windows 2000 discards entries).
========================================================================
The command to refresh the computer's policy immediately is:
secedit /refreshpolicy machine_policy
Add /enforce to reapply the settings even when the GPO has not changed since the last refresh.
Auditing Access to Files and Folders
If security breaches are an issue for your organization, you can set up auditing for files and folders
on NTFS partitions.
Auditing Access to Active Directory Objects
Similar to auditing file and folder access, to audit Active Directory object access you have to
configure an audit policy (the Directory Service Access category) and then set auditing for specific
objects, such as users, computers, OUs, or groups, by specifying which types of access, and access
by which users, to audit. You audit Active Directory objects to track access to them, such as
changing the properties on a user account.
Auditing Access to Printers
Audit access to printers to track access to sensitive printers. To audit access to printers, set the
Audit Object Access event category in your audit policy, which includes printers. Then enable
auditing for specific printers and specify which types of access and access by which users to audit.
Lesson Summary:
· Auditing records the successful or failed attempts specified in the audit policy.
· An audit policy is set for each individual computer. To audit events that occur on a local
computer, you configure a local group policy for that computer, which applies to that
computer only.
· To audit events that occur on domain controllers, you configure a nonlocal group policy that
applies to all domain controllers (in a default installation, the GPO linked to the Domain
Controllers OU).
Lesson 3:
Using Security Logs
The security log contains information on security events that are specified in the audit policy.
Understanding Windows 2000 Logs
You use the Event Viewer console to view information contained in Windows 2000 Logs. By
default, there are three logs available in Event Viewer.
=====================================================================
Log               Description
=====================================================================
Application log   Contains errors, warnings, or information that programs, such
                  as a database program or e-mail program, generate.
Security log      Contains information about the success or failure of audited
                  events.
System log        Contains errors, warnings, and information that Windows 2000
                  generates. Windows 2000 determines which events are recorded.
======================================================================
The Application and System logs can be viewed by all users. By default the Security log can be read
only by administrators (more precisely, by holders of the "Manage auditing and security log" user
right). Security logging is turned off by default. To enable it, you must use Group Policy at the
appropriate level to set up an audit policy.
NOTE: If additional services are installed, they might add their own event log. For example, the
Domain Name System (DNS) service logs events that this service generates in the DNS server log.
Filter Events
To show only specific events in the security log, you can filter on event type, event source,
category, event ID, user and computer.
Archiving Security Logs
Many organizations have policies on keeping archived logs for a specified period to track security-
related information over time. When you archive a log file, the entire log is saved, regardless of
the filtering options in effect.
If you archive a log in event log file format (*.evt) you can reopen it in Event Viewer, because the
binary data for each event record is retained. If you archive a log in text or comma-delimited
format (*.txt and *.csv, respectively) you can open it in other programs such as word processing or
spreadsheet programs, but the binary data is lost and the file cannot be reopened in Event Viewer.
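The following is a worked example added to these notes; it is not from the course text and not a Microsoft tool. It is a small Python script that reviews a security log archived from Event Viewer in comma-delimited form, applying two of the Lesson 2 guidelines: review the logs instead of only configuring auditing, and watch for successful logons by dormant accounts. The CSV sample is constructed for the example and its column layout is an assumption; the event IDs 528 and 540 (successful logon), 529 and 675 (failed logon) and 644 (account locked out) are the Windows 2000 values.

```python
"""Review an archived Windows 2000 security log that was saved from Event
Viewer in comma-delimited (*.csv) form. Two checks from the audit guidelines:
repeated failed logons against one account, and successful logons by accounts
that are supposed to be dormant (owner on holiday, account not yet disabled).
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 security event IDs used below.
LOGON_SUCCESS = {528, 540}      # successful interactive / network logon
LOGON_FAILURE = {529, 675}      # bad user name or password / Kerberos pre-auth failed
ACCOUNT_LOCKOUT = {644}         # user account locked out

# Constructed sample, not a real export. The column layout (Date, Time, Source,
# Type, Category, Event, User, Computer, Description) is assumed. Failure events
# carry NT AUTHORITY\SYSTEM in the User column and name the attempted account in
# the Description, which is why the account is taken from the Description first.
SAMPLE_CSV = r"""Date,Time,Source,Type,Category,Event,User,Computer,Description
3/4/2002,08:01:12,Security,Success Audit,Logon/Logoff,528,CONTOSO\alice,WS01,Successful Logon: User Name: alice Logon Type: 2
3/4/2002,08:02:40,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS02,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/4/2002,08:03:05,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS02,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/4/2002,08:03:31,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS02,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/4/2002,08:04:02,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS02,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/4/2002,08:04:44,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS02,Logon Failure: Reason: Unknown user name or bad password User Name: bob
3/4/2002,08:04:45,Security,Success Audit,Account Management,644,NT AUTHORITY\SYSTEM,DC01,User Account Locked Out: Target Account Name: bob
3/4/2002,09:15:00,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS05,Logon Failure: Reason: Unknown user name or bad password User Name: carol
3/4/2002,13:20:00,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS05,Logon Failure: Reason: Unknown user name or bad password User Name: carol
3/4/2002,22:47:19,Security,Success Audit,Logon/Logoff,540,CONTOSO\dave,FS01,Successful Network Logon: User Name: dave Logon Type: 3
"""

_ACCOUNT_RE = re.compile(r"(?:User Name|Target Account Name):\s*(\S+)")


def target_account(row):
    """Account the event is about: from the Description if it names one,
    otherwise the User column with the domain prefix stripped."""
    m = _ACCOUNT_RE.search(row.get("Description", ""))
    if m:
        return m.group(1).lower()
    return row["User"].split("\\")[-1].lower()


def parse_log(text):
    """Turn the CSV export into a list of events with a real timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        events.append({"when": when, "event": int(row["Event"]),
                       "account": target_account(row), "computer": row["Computer"]})
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts with at least `threshold` failed logons inside any `window`.
    Mirrors an account lockout policy (bad count / reset window) so guessing
    shows up even on computers where lockout is not enforced."""
    by_account = defaultdict(list)
    for e in events:
        if e["event"] in LOGON_FAILURE:
            by_account[e["account"]].append(e["when"])
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[account] = best
    return flagged


def dormant_account_logons(events, dormant):
    """Successful logons by accounts that should not be in use at all."""
    dormant = {a.lower() for a in dormant}
    return [(e["account"], e["when"].isoformat(), e["computer"])
            for e in events if e["event"] in LOGON_SUCCESS and e["account"] in dormant]


def locked_out_accounts(events):
    return sorted({e["account"] for e in events if e["event"] in ACCOUNT_LOCKOUT})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_CSV)
    print("failed-logon bursts:", failed_logon_bursts(ev))
    print("locked out:", locked_out_accounts(ev))
    print("dormant accounts used:", dormant_account_logons(ev, ["dave"]))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the threshold and window should match the Account Lockout Policy in force so that the report and the lockout events agree.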
Lesson Summary:
All users can view the Application and System logs, but only the system administrators can view the
Security log.
Lesson 4:
User Rights
Access to Windows 2000 objects such as files, folders, and printers is controlled by permissions;
user rights grant other privileges and logon rights to users and groups in your computer environment.
User Rights
Administrators can assign specific rights to group accounts or to individual user accounts.
These rights authorize users to perform specific actions, such as logging on to a system
interactively or backing up files and directories. User rights apply to user accounts, whereas
permissions are attached to objects. Additionally, because user rights are part of a GPO, user rights
can be overridden depending on the GPO affecting the user.
User rights define capabilities at the local level. By default the Backup Operators group holds both
the backup and the restore rights. Because the restore right lets its holder replace any file, including
system files and their permissions, you should create a separate restore operators group and assign
the restore right to it, so that the two capabilities are held by different people.
There are two types of user rights: privileges and logon rights.
Privileges
Privileges specify allowable user actions on the network.
*** See the table, pages 494 and 495 ***
Logon rights
Logon rights specify the ways in which a user can log on to a system.
*** See the table, page 497 *** IMPORTANT: know the defaults.
Assigning User Rights
To ease the task of user account administration, you should assign user rights primarily to
group accounts, rather than to individual user accounts.
Lesson Summary:
Privileges specify allowable user actions on the network; logon rights specify the ways in which a
user can log on to a system. Assign both to groups rather than to individual users.
Lesson 5:
Security Templates
Windows 2000 provides a centralized method of defining security using security templates.
Security Templates Overview
A security template is a physical representation of a security configuration: a single file in which
a group of security settings is stored. Templates are stored as text-based .inf files. With the
exception of IP Security and Public Key policies, all security attributes can be contained in a
security template.
Security Templates Uses
You can import (apply) a security template file to a local or nonlocal GPO. You can export
the local security settings to a security template file to preserve initial system security settings.
Predefined Security Templates
These templates can be used as provided, they can be modified, or they can serve as a basis
for creating custom security templates. Do not apply predefined security templates to
production systems without testing to ensure that the right level of application functionality is
maintained for your network and system architecture.
The predefined security templates are stored by default in the systemroot\Security\Templates folder.
They are grouped into four security levels:
Basic (BASIC*.INF). The basic configurations apply the Windows 2000 default security settings to
all security areas except those pertaining to user rights.
Compatible (COMPAT*.INF). By default, Windows 2000 is configured so that members of the local
Users group have ideal security settings, while members of the local Power Users group have
settings compatible with Windows NT 4.0 users. The compatible templates relax the settings for
Users so that applications written for NT 4.0 run without making users Power Users.
Secure (SECURE*.INF). The secure templates implement recommended security settings for all
security areas except files, folders, and registry keys.
Highly Secure (HISEC*.INF). The highly secure templates define security settings for Windows 2000
network communications. Computers configured with them can communicate only with other
Windows 2000 computers; they will not be able to communicate with computers running Windows 95,
Windows 98, or Windows NT.
Importing a Security Template to a GPO
You can import a security template into local or nonlocal GPOs. Importing a security template
makes administration easier because security is configured in one step for multiple objects.
Exporting Security Settings to a Security Template
You can export both local and effective security settings to a security template. Because the
local GPO is overridden by domain-based GPOs, the local security settings are available for
restoration later, if necessary.
Lesson Summary:
A security template is a single .inf file that holds a security configuration. It can be imported into
a local or nonlocal GPO, or exported from the local security settings so that they can be restored
later. Test the predefined templates before applying them to production systems.
Lesson 6:
Security Configuration and Analysis
The Security Configuration and Analysis console is used to configure security, analyze security,
view results, and resolve any discrepancies revealed by analysis. It supports import and export,
and the combination of multiple security templates into one composite security template that can
be used for analysis or configuration.
Security Configuration
The Security Configuration and Analysis console can be used to configure local system security.
It works through its own security database: you import security templates created with the Security
Templates console into the database and then apply the stored configuration to the local computer.
Security Analysis
The state of the operating system and applications on a computer is dynamic. For example, to
enable immediate resolution of an administration or network issue, security levels may
occasionally be required to change temporarily.
Regular analysis enables an administrator to track and ensure an adequate level of security on
each computer as part of an enterprise risk management program.
Configuring System Security
Security Configuration and Analysis offers the ability to resolve any discrepancies revealed by
analysis, including the following:
· Accepting or changing some or all of the values flagged or not included in the configuration, if you
determine that the local system security levels are valid due to the context (role) of that computer.
· Configuring the system to the original database configuration values, if you determine that the
system is not in compliance with valid security levels.
· Importing a more appropriate template for the role of that computer into the database as the new
database configuration, and applying it to the system.
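Worked example, added here and not part of the course text or of the Security Configuration and Analysis console itself: the analysis step written out in Python. Two constructed secedit-style .inf files stand for the database template and the current system state. The section names [System Access], [Event Audit], [Privilege Rights], [Registry Values] and [Group Membership] are the real ones used by Windows 2000 templates, and S-1-5-32-544, S-1-5-32-551 and S-1-5-32-547 are the well-known SIDs of Administrators, Backup Operators and Power Users; the other values and SIDs are invented for illustration. The script reports each template setting as ok, mismatch or not defined, ignores settings the template does not cover, and shows what "Configure Computer Now" would change. It also illustrates the Lesson 5 template format and the Lesson 4 point about separating the backup and restore rights.

```python
"""Compare a secedit-style security template against a computer's current
settings and report discrepancies, the check that Security Configuration and
Analysis performs against its database before 'Configure Computer Now'."""
import configparser

# Sections whose values are comma-separated SID lists; compared as sets.
LIST_SECTIONS = {"Privilege Rights", "Group Membership"}
HEADER_SECTIONS = {"Unicode", "Version"}   # file metadata, not settings

# Constructed 'secure' baseline (illustrative values, not a Microsoft template):
# lockout on, logon auditing for success and failure, anonymous enumeration off,
# backup right to Backup Operators only, restore right to Administrators only,
# Power Users emptied via Restricted Groups.
SECURE_TEMPLATE = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
ResetLockoutCount = 30
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPolicyChange = 3
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Group Membership]
*S-1-5-32-547__Members =
"""

# Constructed export of the current state (what secedit /export would write);
# the S-1-5-21-... user SID is invented.
CURRENT_SETTINGS = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 1
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Group Membership]
*S-1-5-32-547__Members = *S-1-5-21-1234567890-1234567890-1234567890-1105
"""


def parse_inf(text):
    """Parse .inf text into {(section, key): value}. List-valued sections become
    frozensets so that member order alone never counts as a difference."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",))
    cp.optionxform = str                    # keep case of SIDs and registry paths
    cp.read_string(text)
    settings = {}
    for section in cp.sections():
        if section in HEADER_SECTIONS:
            continue
        for key, value in cp.items(section):
            value = value.strip().strip('"')
            if section in LIST_SECTIONS:
                value = frozenset(v.strip() for v in value.split(",") if v.strip())
            settings[(section, key)] = value
    return settings


def analyze(template, current):
    """One finding per template setting: 'ok', 'mismatch' or 'not defined' on the
    system. Settings present on the system but absent from the template are not
    analyzed, which is how the console treats them too."""
    findings = []
    for (section, key), expected in sorted(template.items()):
        actual = current.get((section, key))
        status = ("not defined" if actual is None
                  else "ok" if actual == expected else "mismatch")
        findings.append({"section": section, "setting": key,
                         "expected": expected, "actual": actual, "status": status})
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


def configure(template, current):
    """Equivalent of 'Configure Computer Now': the template wins wherever it
    defines a value; everything else is left as found on the system."""
    merged = dict(current)
    merged.update(template)
    return merged


if __name__ == "__main__":
    tpl, cur = parse_inf(SECURE_TEMPLATE), parse_inf(CURRENT_SETTINGS)
    for f in analyze(tpl, cur):
        if f["status"] != "ok":
            print(f"{f['status']:<11} {f['section']}\\{f['setting']}: "
                  f"expected {f['expected']!r}, actual {f['actual']!r}")
```

Settings left untouched by the template (AuditSystemEvents here) survive configuration unchanged, which is why a role-specific template should state every setting it cares about rather than rely on defaults.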
Lesson Summary:
Security Configuration and Analysis compares the local computer against the configuration stored in
its database and lets you resolve the discrepancies it finds. You can import a template into the
database and edit that template, or export the stored configuration to the same template file.
Lesson 7:
Troubleshooting a Security Configuration
Before assuming that something serious is wrong with the security configuration, confirm that the
computer has network connectivity to a domain controller: without it, Group Policy (and the security
settings it carries) cannot be applied or refreshed.
You can also refresh the computer policy manually from the command line by typing:
secedit /refreshpolicy machine_policy