CHAPTER 8
SECURING MICROSOFT WINDOWS
2000
BASED COMPUTERS
Chapter Scenario: Market Florist
Internet based company, need Web security to validate orders on the server.
There are three domains within their Active Directory directory service structure.
Other Information:
NLBS Cluster is a group of machines working together.
Flower Power Application is a back-end application installed on the external Web Servers.
The application required additional NT file system (NTFS) permissions to be defined for the
Flower Power folder structure and for the registry entries created by the Flower Power
applications.
Computer\Windows Settings\File System\add new NTFS permissions.
======================================================================
winsec8.html PAGE
2 2002/04/24
Lesson 1:
Planning Microsoft Windows 2000 Security Templates
Security templates allow you to define baseline security for computers that share similar security
requirements. This way the same security can be applied on multiple computers.
CLASSROOM NOTES:
You can fine tune OUs in the NTFS permissions. To do this the computer must be in the OU or in
the Default Domain Controller Policy.
Active Directory Users and Computers\Domain Controller\Server04 shows up. Apply the Policy
here and it can deny permissions at this level.
%username% = system drive = C
GPO for the Default Domain Controller overrides any down-level GPOs. You can add a policy
and when you log back on the computer compares the two and reverts back to the Default
Domain Controller Policy. Default Domain Controller Policy is the BIBLE.
UNLESS, you check off some of the override boxes, such as do not allow permissions on this
folder to be replaced.
A template is really just an .inf file.
A template has pre-defined parameters.
Mmc/ add remove snap-in and add the security template.
Introducing Windows 2000 Security Templates
Security templates allow you to define baseline security for computers that share similar security
requirements. Using security templates ensures that security can be applied consistently to multiple
computers.
Windows 2000 has made it easier to apply consistent security by introducing security templates.
Security templates define security based on seven categories of configuration. You use each
category to apply specific computer-based security settings. These categories include:
Account Policy. Defines account authentication configuration settings.
======================================================================
winsec8.html PAGE
3 2002/04/24
Password Policy. They include minimum password length, password history, password
age, complexity and the use of reversible encryption for storing passwords.
Account Lockout Policy. How to take action when a user enters incorrect passwords,
and how frequently to reset counters associated with account lockout.
Kerberos Policy. Defines kerberos v5 protocol settings. TCTs, Service Tickets (STs),
maximum clock deviance, and the verification of group members hip and account lockout
status.
Local Policy. Defines security settings only for the computer on which the security template
is applied.
Audit Policy. Defines the events that will be audited, you can use success or failure or both.
User Rights Assignment. Defines which security principals will be assigned user rights
on the local computer.
Security Options. You can configure the settings in the Registry.
Event Log. Defines the properties of the application, security, and system logs.
Restricted Groups. Used to define membership of security groups.
Systems Services. Allows you to define restrictions for services installed on a computer.
For example you can configure a policy used to disable Routing and Remote Access service
on all client workstations to prevent users from configuring their desktop computers as
dial-up servers.
Registry. Allows you to define security for registry keys and their subtrees. Security
settings for whether subtrees will have their permissions replaced.
File System. Defines discretionary access control list (DACL) and system access control
list (SACL) settings for any folders included within this policy. This policy requires NTFS
to be used as the file system where the folders exit.
Determining Common Security Requirements
Before defining security templates, you must identify computers on your network that require
similar security configurations.
Each role will ultimately be associated with a security template that identifies the baseline
(or required) security for that class of computer. Some of the more common roles that you
can define for computers include:
The security requirements for securing Active Directory will be more stringent than any
other security requirements on the network.
======================================================================
winsec8.html PAGE
4 2002/04/24
server applications, such as Web-based applications, structured query language (SQL)
databases, and Microsoft Exchange Mail Servers.
among network users.
Active Directory.
premises.
outside of the office network.
run a single application for public usage.
Making the Decision
When you determine the roles of Windows 2000-based computers within your organization do
the following:
and DCs.
configurations.
NOTE: You can apply Windows 2000 security templates only to Windows 2000-based
computers. Therefore, only Windows 2000-based computers in your role definitions.
Applying the Decision
Based on the information given in this scenario, Market Florist could use the following categories of
computers:
DCs. This group contains all DCs in each of the three domains.
File and print servers. Each file and print server requires similar security configuration.
Internal SQL servers. The internal SQL servers require unique security configuration
based on internal usage only.
External SQL server. Because one SQL server stores data from the external Web Site,
you might need additional security configuration for this SQL server.
======================================================================
winsec8.html PAGE
5 2002/04/24
Web servers. The four Web servers require identical security configuration to ensure
that the Web site has consistent security applied to matter which Web server in the NLBS
cluster is contacted.
Client computers. All client computers require the same security configuration.
Laptop computers. All laptop computers have unique security requirements for the
deployment of Windows 2000.
Analyzing Default Security in Windows 2000
One of the common complaints about Windows NT 4.0 was that the operating system wasn’t
secure after a default installation was performed. The default settings were applied in one of the
two ways:
Newly installed computers. A newly installed Windows 2000-based computer will have the
default security template applied during installation. It also has the NTFS permissions and
egistry permissions.
WARNING: For the default security settings to be fully applied, Windows 2000 must be installed
to an NTFS partition.
Upgraded computers. Upgraded computers maintain their previous Windows NT 4.0 settings.
You can apply the basic template to an upgraded computer to ensure that the default Windows
2000 security settings are also applied to upgraded computers.
Securing Newly Installed Computers
As mentioned earlier, newly installed Windows 2000-based computers will have the Default
security template applied during the computer’s installation. There are three default security
templates:
Deftwk.inf. Applied to workstations in Windows 2000 Professional.
Defltsv.inf. Applied to servers running Windows 2000 Server, Windows 2000 Advanced
Server, and Windows 2000 Data Center.
Defltdc.inf. Applied to all DCs running Windows 2000.
Securing Upgraded Computers
When Windows 2000-based computers are upgraded from previous versions of Windows NT,
they don’t have the Default template applied. The Basic templates will apply the same setting
configured in the default security templates with the exception or restricted groups and user rights.
You can apply the following Basic templates to upgraded Windows 2000-based computers:
======================================================================
winsec8.html PAGE
6 2002/04/24
Basicwk.inf. Workstations in Windows 2000 Professional.
Basicsv.inf. Windows 2000 as long as they’re not functioning as DCs.
Basicdc.inf. Can be applied to DCs running Windows 2000.
NOTE: You can find the three Basic templates in the systemroot\security\templates folder.
Making the Decision
*** See the chart on
page 249 ***
Applying the Decision
To ensure consistent default security on the Market Florist network.
Additionally, you should inspect the membership of the local Administrators group of the
Windows 2000 Professional clients that were upgraded from Windows 95. By default, an
upgrade from Windows 95 to Windows 2000 Professional places any existing user accounts
into the Local Administrator group.
Using Incremental Security Templates
Although the default Windows 2000 security configurations provide adequate security for many
situations, additional security configuration is required.
These incremental templates provide security settings that are best applied in specific scenarios,
such as when Terminal Services is deployed on a Windows 2000 Server.
NOTE: The incremental templates are effective only if the default or basic templates have already
been applied.
======================================================================
winsec8.html PAGE
7 2002/04/24
Windows 2000 provides the following incremental security
templates:
The No Terminal Server Security Identifier (SID) (Nottssid.inf) template. This template removes
he Terminal Server Users SID from all DACLs. By default, Terminal Services applies consistent
security settings to all Terminal Services users by defining resources access for the Terminal Server
Users security group.
The Windows NT 4.0 Compatible Security (Compatws.inf) template.
With the increased security in Windows 2000, some older applications may not function correctly.
Alternate Methods of Providing Application Compatibility
When you upgrade a new operating system such as Windows 2000, some older applications might
fail to operate correctly in the new environment. For example, Microsoft Office 97 isn’t a Windows
2000 certified application. ** See page 251 ***
The Initial DC Configuration template (DC security.inf). When a Windows 2000-based
server is promoted to a DC, you must apply specific file and registry permissions to ensure
security in the new role.
The Optional Components templates (Ocfilesw.inf and Ocfiles.inf). These templates
increase the local security for optional components that might be installed on Windows 2000
Professional or Windows 2000 Server-based computers, including applications such as
Microsoft Internet Explorer, Microsoft NetMeeting and Internet Information Services (IIS) 5.0
The Secure Templates (securews.inf and Securedc.inf). These templates provide
security beyond DACLs on the registry and the file system. The Secure templates force the
operating system to behave more securely and include modifications for account policy.
The High Secure templates (Hisecws.inf and Hisecdc.inf). These templates offer
increased security over the secure templates for higher security networks.
WARNING Implementing the High Secure templates may prevent down-level Windows clients
from participating in the network. Only deploy the High Secure templates when all client computers
are running Windows 2000.
*** See the charts on
page 254 ***
Applying the Decision
For this scenario they want to prevent down-level clients from connecting to the network while
maintaining the highest level of security on the internal network. You can do this by applying the
High Security Templates to all its Windows 2000-based computers.
You must apply High Security templates (Hisecws.inf and Hisecdc.inf) only to computers that have
Windows 2000 default security applied, as mentioned earlier.
Creating Custom Security Templates
======================================================================
winsec8.html PAGE
8 2002/04/24
While the Default templates meet most security requirements, you may need to create modified
templates to define security baselines for some computer roles. Try not to apply too many settings.
Making the Decision
When designing custom security templates, consider the following:
Identify an existing security template to be your starting point. You can save this with a different name
then you can play around with it, and not jeopardize ruining the original one.
Configure any additional settings. Document the changes and give reasons for your decisions.
Test the newly create security template against a new installation.
Applying the Decision
Market Florist must create a custom security template for the Web servers hosting the
www.marketflorist.tld Web and the Flower Power application. You must include the following
in your custom security template:
Disabling nonrequired services. Some the services that you can disable include FTP
Publishing, Telnet , SMTP are common services that are exploited by attackers.
Custom NTFS permissions for the Flower Power folder structure. This will ensure
security where you want it.
Custom Registry permissions for the Flower Power application. You must determine
what security principals can modify registry settings related to the Flower Power application.
Extending the Security Configuration Tool Set
SCTS the Security Configuration Tool Set helps create custom templates. This tool can be used to
ensure that DNS uses dynamic updates, or prevent dynamic updates from occurring in the registry.
*** See the
description top of 257 ***
======================================================================
winsec8.html PAGE
9 2002/04/24
The Sceregvl.inf File
This file is a setup file provided with Windows 2000. The Sceregvl.inf file is split into three distinct
sections:
Version.
Register Registry Values. Lists all registry values listed in Security Options with the Security
Templates console.
Registry Path.
Data Type REG_SZ(1), REG_EXPAND_SZ (2), REG_BINARY(3), REG_DWORD(4),
REG_MULTI_SZ(7).
Display name.
Display type. Boolean(0). Number (1), String (2), and Choices (3).
Strings. Used to expand any variables that may have been used in the Register Registry Values
section.
The path to the registry value is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
Current ControlVersion\Policies\System\Don’tDisplayLast UserName.
The DontDisplayLast User Name is a REG_DWORD value type.
SICK of this see page 258, too much programming stuff.
Applying the Decision
You must extend the security templates to allow the listening port for the Flower Power application
to be changed. This change requires modifications of the Sceregvl.inf file at any Windows 2000-
based computers where the security templates will be modified.
Once you’ve made the modifications to the Sceregvl.inf file, you must reregister the file by running
the command REGSVR32 SCECLI.DLL at the computer with the modified Sceregvl.inf
configuration file. You must repeat this process at any workstations where the security template
will be defined.
Lesson 2: Analyzing
Security Settings with Security Configuration and Analysis
Before deploying security templates, you need to compare a target computer’s current security
settings to the desired settings configured in the security template for that class of computer.
Comparing current security to desired security helps you identify:
Current Security weaknesses on your network. You will have a baseline to compare to if the
current security template is a weak one.
Security Template deficiencies. You must perform testing at a computer separate from the
computer where the security template was created.
Modified security configuration at the testing station.
======================================================================
winsec8.html PAGE
10 2002/04/24
Performing the Analysis
Using the Security Configuration and Analysis console to analyze a computer’s current security
settings against a security template. To perform the analysis, complete the following steps:
Load the Security Configuration and Analysis console in an MMC console.
Create a new database locally for storing the imported security template and the analysis data.
Import the desired security template into the security database.
Analyze the current security against the security configuration now stored in the security database.
Review the analysis information.
Choose with to rework the security template or to apply the security template to the local
security configuration.
NOTE: The only time it’s recommended to apply the security template at this point is when the
computer being analyzed is in a workgroup or non-Windows 2000 network environment. In an
Active Directory environment, it’s better to import the security template into Group Policy to
ensure the security template’s continued application.
You can perform long-term analysis by using the Secedit command-line tool with the /ANALYZE
option.
TIP: You can collect the Secedit log files by using Microsoft Systems Management Server (SMS)
and then search for the phrase “Mismatch”. Mismatch indicates that the current configuration of a
computer doesn’t match the security template.
Making the Decision
When determining whether a computer matches the security template, include the following in your
security design:
======================================================================
winsec8.html PAGE
11 2002/04/24
to collect the analysis logs, you can set regular intervals to search for the Mismatch phrase in the
collected log files.
Lesson 3:
Planning the Deployment of Security by Using Security
Templates:
Once you’ve designed your custom security templates and determined that they meet the security
baseline for your network, you must deploy the templates to the required computers. The decision
on how to deploy the templates will vary depending on whether the underlying network uses Active
Directory or is based on another network operating system or a workgroup environment.
Deploying Security Templates in a Workgroup
A workgroup or non-Microsoft network is unable to use Group Policy to provide continued
deployment of the security template. The only way to ensure continued application of the security
template is to import the security template into local computer policy.
You can also apply the security template automatically by saving the security template locally to
the computer and using the Secedit command within a batch file to apply the security template.
Secedit ^/configure
Switches:
/DB filename. Provides the path to the database file
/CFG filename Provides a path to the security template.
/OVERWRITE Ensures that any previous security template
imported into the security database is overwritten
with the information in the indicated security
template.
/LOG logpath The path that’s used to log the reports of the
analysis.
/VERBOSE Indicates that the log file contains more detailed
progress information than is regularly recorded.
/QUIET Suppresses all log and screen output.
======================================================================
winsec8.html PAGE
12 2002/04/24
Secedit^/analyze^/db^c:\lab\mydb.sdb^/cfg^C:\winnt\security\templates\hisec.inf^log^c:\lab\
mylog.txt
Making the Decision
In a workgroup or non- Microsoft environment, deploy security templates by performing the following
tasks:
command.
Deploying Security Templates in A Windows 2000 Domain
An administrator of a Windows 2000 domain can leverage Active Directory for the continued
application of security templates. Security templates can be imported into Group Policy objects
defined at the site, domain, or OU.
To facilitate the deployment of security templates, you must define an OU structure that reflects the
categories of computers that you’ve defined for your network. You should have at least one OU
for each security template that you wish to deploy.
Group Policy supports policy inheritance by default. This allows child OUs to inherit a Group
Policy object applied at a parent OU.
Making the Decision
Your OU structure must reflect the categories of computers that require security templates.
Place all computers that require a security template in the same OU or OU structure.
Import the custom security template into the correct OU.
Group Policy application isn’t immediate.
NOTE: You can force a Windows 2000-based security settings immediately by running the
following command at the Command Prompt:
SECEDIT
/REFRESHPOLICY MACHINE_POLICY /ENFORCE.
======================================================================
winsec8.html PAGE
13 2002/04/24
Lesson Summary:
windows 2000-based computers, you must develop a method to ensure the continued application
of the security templates.