Administering a Security Configuration • Security Configuration Overview • Auditing • Using Security Logs • User Rights • Using Security Templates • Security Configuration and Analysis • Troubleshooting a Security Configuration
Security Configuration Overview Security Configuration Settings
Security Areas Configured for a Nonlocal GPO • Account policies • Local policies • Event log • Restricted groups • System services • Registry • File system • Public key policies • IP security policies
Account Policies: Overview • The account policies security area applies to user accounts. • Microsoft Windows 2000 allows only one account policy per domain: the one defined in the GPO linked at the domain level, which governs every domain user account. • The domain account policy also becomes the default account policy of any Windows 2000 workstation or server that is a member of the domain. • Exception: when another account policy is defined in a GPO linked to an OU, that OU’s settings affect only the local accounts on computers contained in the OU; logons with domain accounts are still evaluated against the domain policy. • The Domain Controllers OU is the case to watch: an account policy placed there does not change the policy applied to domain accounts, which continues to come from the domain-level GPO.
Account Policies: Attributes • Password Policy: For domain or local user accounts, determines settings for passwords such as enforcement and lifetimes • Account Lockout Policy: For domain or local user accounts, determines when and for whom an account will be locked out of the system • Kerberos Policy: For domain user accounts, determines Kerberos-related settings, such as ticket lifetimes and enforcement
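The Account Lockout Policy bullets above describe three settings (threshold, reset window, lockout duration) without showing how they interact. The following added example, written for this page and not taken from Microsoft documentation or tooling, models those semantics on constructed logon attempts: the counter only accumulates failures that fall inside the reset window, a locked account refuses even the correct password, and a duration of 0 means the account stays locked until an administrator unlocks it. Setting names in comments follow the Windows 2000 policy labels; the attempt sequences and timestamps are made up.

```python
"""Model of a Windows-style account lockout policy (added example).

The three policy values mirror the Windows 2000 Account Lockout Policy
settings. All logon attempts below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int         # "Account lockout threshold": bad attempts before lockout; 0 = never lock
    reset_minutes: int     # "Reset account lockout counter after"
    duration_minutes: int  # "Account lockout duration"; 0 = locked until an administrator unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None   # set while the account is locked out


def attempt(state: AccountState, policy: LockoutPolicy,
            when: datetime, password_ok: bool) -> str:
    """Apply one logon attempt to `state`; return 'success', 'failure' or 'locked'."""
    # A timed lockout expires on its own; an indefinite one (duration 0) needs an administrator.
    if (state.locked_at is not None and policy.duration_minutes > 0
            and when - state.locked_at >= timedelta(minutes=policy.duration_minutes)):
        state.locked_at = None
        state.bad_count = 0
    if state.locked_at is not None:
        return "locked"          # even a correct password is refused while locked
    if password_ok:
        state.bad_count = 0      # a good logon clears the bad-password counter
        return "success"
    # Only failures inside the reset window count towards the threshold.
    if state.last_bad is not None and when - state.last_bad >= timedelta(minutes=policy.reset_minutes):
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = when
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_at = when
        return "locked"
    return "failure"


def unlock(state: AccountState) -> None:
    """Administrator action: clear a lockout regardless of the configured duration."""
    state.locked_at = None
    state.bad_count = 0


def simulate(policy: LockoutPolicy, attempts):
    """Run (minutes_offset, action) pairs from a clean state.

    `action` is True/False for a correct/incorrect password, or the string
    "unlock" for an administrator unlocking the account.
    """
    t0 = datetime(2001, 3, 12, 9, 0)          # constructed start time
    state = AccountState()
    results = []
    for minutes, action in attempts:
        if action == "unlock":
            unlock(state)
            results.append("unlocked")
        else:
            results.append(attempt(state, policy, t0 + timedelta(minutes=minutes), action))
    return results


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_minutes=30, duration_minutes=30)
    # Three rapid guesses lock the account; the right password at minute 5 is still refused.
    print(simulate(policy, [(0, False), (1, False), (2, False), (5, True), (40, True)]))
    # Guesses spaced wider than the reset window never reach the threshold.
    print(simulate(policy, [(0, False), (31, False), (62, False), (93, False)]))
```

The second run is the point a practitioner should take away: a reset window that is short relative to an attacker's guessing rate makes the threshold meaningless, while a very long one turns the policy into a denial-of-service tool against legitimate users.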
Local Policies: Overview • The local policies security area pertains to the security settings of the computer on which an application runs or a user logs on. • Local policies are evaluated on the computer to which a user logs on, against the rights that user holds on that particular computer. • Local policies are, by definition, local to a computer. • When imported into a GPO in Active Directory, local policy settings are applied to the local security settings of every computer account to which that GPO applies.
Local Policies • Audit Policy • User Rights Assignment • Security Options
Event Log • The event log security area defines attributes related to the Application, Security, and System event logs. • Maximum log size • Access rights for each log • Retention settings and methods • The event log size and log wrapping should be defined to match the business and security requirements. • Event log settings should be implemented at the site, domain, or OU level, to take advantage of group policy settings.
Restricted Groups: Overview • The restricted groups security area is a new Windows 2000 feature that acts as a governor for group membership: the policy, not the group’s current state, decides who is a member. • It can enforce the membership of the default Windows 2000 groups that carry predefined capabilities (for example, Administrators or Power Users). • Any other group considered sensitive or privileged can be added to the Restricted Groups security list later.
Restricted Groups: Configuring • Configuring the restricted groups security area ensures that group memberships are set exactly as specified each time the policy is applied. • Users and groups not listed in the Members column are removed from the restricted group; listed accounts that are missing are added. • The reverse membership option (the Member Of column) ensures that each restricted group is a member of only those groups specified. • Restricted groups should be used primarily to configure membership of local groups on workstations and member servers, where one policy can re-assert the intended membership across many machines.
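To make the "governor" semantics above concrete, here is an added reconciliation model (example code written for this page, not Windows or Microsoft tooling): given a snapshot of a machine's local groups and a Restricted Groups specification, it computes the resulting membership and the change list that applying the policy implies. The group names are real Windows built-in groups; the account names, the `members`/`member_of` dictionary layout and the `enforce_restricted_groups` function are assumptions for the example.

```python
"""Restricted Groups reconciliation model (added example, not Windows code).

`groups` is a snapshot of local group membership; `policy` maps each restricted
group to its exact `members` list and its `member_of` list. Accounts below are
constructed sample data.
"""


def enforce_restricted_groups(groups, policy):
    """Return (new_groups, changes) after applying a Restricted Groups policy.

    Semantics modelled on the Windows 2000 security area:
      * Members: the group ends up with exactly the listed members; anyone not
        listed is removed, listed accounts that are missing are added, and an
        empty list empties the group.
      * Member Of: the restricted group is placed in exactly the listed parent
        groups and removed from any other group that currently contains it.
      * Groups the policy does not mention are left untouched.
    """
    new = {g: set(m) for g, m in groups.items()}   # work on a copy
    changes = []                                    # (action, account, group)

    for grp, spec in policy.items():
        required = set(spec.get("members", ()))
        current = new.setdefault(grp, set())
        for m in sorted(current - required):
            changes.append(("remove", m, grp))
        for m in sorted(required - current):
            changes.append(("add", m, grp))
        new[grp] = required

        parents = set(spec.get("member_of", ()))
        # Strip the group from every parent that the Member Of column does not name.
        for parent, members in new.items():
            if parent != grp and grp in members and parent not in parents:
                members.discard(grp)
                changes.append(("remove", grp, parent))
        for parent in sorted(parents):
            members = new.setdefault(parent, set())
            if grp not in members:
                members.add(grp)
                changes.append(("add", grp, parent))

    return new, changes


# Constructed snapshot of a member server: a temporary helpdesk account has
# crept into two privileged groups.
CURRENT_GROUPS = {
    "Administrators": {"Administrator", "CORP\\Domain Admins", "CORP\\helpdesk-temp"},
    "Power Users": {"CORP\\jsmith"},
    "Backup Operators": {"CORP\\backup-svc", "CORP\\helpdesk-temp"},
}

# Constructed policy: only the two privileged groups are restricted.
POLICY = {
    "Administrators": {"members": ["Administrator", "CORP\\Domain Admins"]},
    "Backup Operators": {"members": ["CORP\\backup-svc"]},
}


if __name__ == "__main__":
    result, change_log = enforce_restricted_groups(CURRENT_GROUPS, POLICY)
    for action, account, group in change_log:
        print(f"{action:6} {account:25} {group}")
    print({g: sorted(m) for g, m in result.items()})
```

Run as a dry run against an exported snapshot, the change list is exactly what the policy will do at the next refresh; anything unexpected in it (a service account about to be dropped from Backup Operators, for instance) is a sign the Members column is incomplete, since the policy re-applies on every refresh and will keep removing it.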
System Services • The system services security area is used to configure security and startup settings for services running on a computer. • Security properties for the service determine which user or group accounts hold permissions on it (Read/Write/Delete/Execute), along with inheritance settings, auditing, and ownership. • If choosing an Automatic startup, adequate testing must be performed to verify that the service can start without user intervention. • System services used on a computer should be tracked. • Unnecessary or unused services should be set to Manual (or Disabled, which is the stronger setting, when the service is known not to be needed).
Registry and File System Areas • Registry security area: Used to configure security on registry keys. • File system security area: Used to configure security on specific file paths. • The Security properties of the registry key or file path can be edited to determine what user or group accounts have Read/Write/Delete/Execute permissions, as well as inheritance settings, auditing, and ownership permission.
Policies • Public key policies: Used to configure encrypted data recovery agents (for EFS), automatic certificate requests, and trusted root certification authorities • IP security policies: Used to configure IPSec policy for network traffic
Auditing • Understanding Auditing • Using an Audit Policy • Audit Policy Guidelines • Configuring Auditing • Setting Up an Audit Policy • Auditing Access to Files and Folders • Auditing Access to Active Directory Objects • Auditing Access to Printers • Auditing Practices • Practice: Auditing Resources and Events
Understanding Auditing • Auditing: The process of tracking both user activities and Windows 2000 activities, called events. • Auditing is used to specify which events are written to the security log. • An audit entry in the security log contains • The action that was performed. • The user who performed the action. • The success or failure of the event and when the event occurred.
Using an Audit Policy • An audit policy defines the categories of events that Windows 2000 records in the security log on each computer. • The security log allows specified events to be tracked. • Windows 2000 writes an event to the security log on the computer where the event occurs.
General Audit Policy Guidelines • Determine the computers on which to set up auditing. • Auditing is turned off by default. • Plan the events to audit on each computer. • Determine whether to audit the success of events, failure of events, or both. • Tracking successful events identifies which users gained access to specific files, printers, or objects, information that can be used for resource planning. • Tracking failed events may alert the administrator of possible security breaches.
Other Policy Guidelines • Determine whether to track trends of system usage. • Review security logs frequently; an audit trail nobody reads detects nothing. • Define an audit policy that is useful and manageable. • Audit resource access by the Everyone group instead of the Users group: Everyone covers anyone who can reach the resource, including accounts that are not members of Users, so nothing slips past the audit. • Audit all administrative tasks performed by the administrative groups.
Configuring Auditing: Overview • An audit policy is implemented based on the role of the computer in the Windows 2000 network. • The event categories on a domain controller are identical to those on a computer that is not a domain controller.
Computer Roles • For member or stand-alone servers and computers running Windows 2000 Professional • An audit policy is set for each individual computer. • Events are audited by configuring a local group policy for that computer. • Domain controllers • An audit policy is set for all domain controllers in the domain at once. • Events are audited by configuring the audit policy in the nonlocal GPO linked to the Domain Controllers OU, which applies to every DC in the domain.
Auditing Requirements • The Manage Auditing And Security Log user right for the computer is necessary to configure an audit policy or review an audit log. • Files and folders to be audited must be on Microsoft Windows NTFS volumes.
Setting Up Auditing • Set the audit policy: Enables auditing of an event category (for example, object access) but does not by itself activate auditing of specific objects • Enable auditing of specific resources: The specific events to track for files, folders, printers, and Active Directory objects must be identified on each object • Windows 2000 then tracks and logs the specified events.
Setting Up an Audit Policy • Categories of events that Windows 2000 audits are selected. • Configuration settings indicate whether to track successful or failed attempts for each event category to be audited. • Audit policies are set in the Group Policy snap-in. • The security log is limited in size. • The events to be audited must be selected carefully. • The amount of disk space to devote to the security log must be considered.
Types of Events Audited by Windows 2000 • Account logon • Account management • Directory service access • Logon events • Object access • Policy change • Privilege use • Process tracking • System events
Auditing Access to Files and Folders • If security breaches are an issue for an organization, auditing should be set up for files and folders on NTFS partitions. • To audit user access to files and folders, the Audit Object Access event category is set in the audit policy. • After Audit Object Access is set in the audit policy, auditing for specific files and folders is enabled, specifying which types of access to audit, either by users or by groups.
User Events • Traverse Folder/Execute File • List Folder/Read Data • Read Attributes and Read Extended Attributes • Create Files/Write Data • Create Folders/Append Data • Write Attributes and Write Extended Attributes • Delete Subfolders And Files • Read Permissions • Change Permissions • Take Ownership
Auditing Access to Active Directory Objects • Similar to auditing file and folder access. • An audit policy must be configured, and then auditing for specific objects must be set by specifying which types of access, and by whom, to audit. • Active Directory objects are audited to track access to them. • The Audit Directory Service Access event category is set in the audit policy to enable auditing of user access to AD objects.
Active Directory Object Events • Full Control • List Contents • Read All Properties • Write All Properties • Create All Child Objects • Delete All Child Objects • Read Permissions • Modify Permissions • Modify Owner
Auditing Access to Printers • Use auditing to track access to sensitive printers. • Set the Audit Object Access event category in the audit policy, which includes printers. • Enable auditing for specific printers and specify the types of access, and by whom, to audit. • Use the same procedure used to set up auditing on files and folders.
Using Security Logs • Understanding Windows 2000 Logs • Viewing Security Logs • Locating Events • Filtering Events • Configuring Security Logs • Archiving Security Logs • Practice: Using the Security Log
Security Log Overview • The security log contains information on the security events specified in the audit policy. • To view the security log, use the Event Viewer console. • Event Viewer also allows specific events within a log to be found, the events shown to be filtered, and security log files to be archived.
Understanding Windows 2000 Logs • Three logs are available to view in Event Viewer by default. • All users can view the application and system logs. • The security log is accessible only to system administrators and to holders of the Manage Auditing And Security Log user right. • Security logging is turned off by default. • Group policy must be used at the appropriate level to set up an audit policy.
Logs Maintained by Windows 2000 • Application log • Contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate. • The program developer presets which events to record. • Security log • Contains information about the success or failure of audited events. • The events Windows 2000 records are a result of the audit policy. • System log • Contains errors, warnings, and information that Windows 2000 generates. • Windows 2000 presets which events to record.
Viewing Security Logs • The security log contains information about events monitored by an audit policy, such as failed and successful logon attempts. • Windows 2000 records events in the security log on the computer at which the event occurred. • Events can be viewed from any computer with assigned administrative privileges for the computer where the events occurred.
Locating Events • Event Viewer automatically displays all events recorded in the security log when it’s first started. • The Find command is used to search for specific events.
Filtering Events • The Filter command displays specific events that appear in the security log. • The Filter command is used to narrow down the displayed events.
Configuring Security Logs • Security logging begins when an audit policy is set for the domain controller or local computer. • Security logging stops when the security log becomes full and cannot overwrite itself; an error may be written to the application log. • A full security log is avoided by logging only key events. • The properties of each individual audit log can be configured.
Security Log • When the security log is full and no more events can be logged, the log can be freed by manually clearing it. • Clearing the log erases all events permanently. • Reducing the amount of time that an event log is kept frees the log if it allows the next record to be overwritten.
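The two slides above describe what happens at the full mark of a security log under each of the Windows 2000 wrapping options. The added example below (written for this page, not Microsoft code) models a fixed-size log with those three options so the failure mode is visible: with "overwrite events older than N days" the log silently drops new events whenever the oldest record is still younger than N days, and with "do not overwrite" it drops everything until an administrator clears it. Capacity is counted in records rather than kilobytes, and the event timestamps are constructed.

```python
"""Fixed-size security log with the three Windows 2000 wrapping options (added example).

Capacity is in records instead of kilobytes to keep the model short; what
matters is the behaviour at the full mark. Events below are constructed.
"""
from collections import deque
from datetime import datetime, timedelta


class SecurityLog:
    OVERWRITE_AS_NEEDED = "as_needed"     # drop the oldest record to make room
    OVERWRITE_OLDER_THAN = "older_than"   # overwrite only records older than N days
    DO_NOT_OVERWRITE = "manual"           # never overwrite; administrator clears the log

    def __init__(self, capacity, mode, retention_days=7):
        self.capacity = capacity
        self.mode = mode
        self.retention = timedelta(days=retention_days)
        self.records = deque()
        self.dropped = 0        # events auditing lost because the log was full

    def write(self, when, event):
        """Record `event`; return True if it was logged, False if it was lost."""
        if len(self.records) < self.capacity:
            self.records.append((when, event))
            return True
        oldest_when = self.records[0][0]
        can_overwrite = (
            self.mode == self.OVERWRITE_AS_NEEDED
            or (self.mode == self.OVERWRITE_OLDER_THAN
                and when - oldest_when >= self.retention)
        )
        if can_overwrite:
            self.records.popleft()
            self.records.append((when, event))
            return True
        self.dropped += 1       # logging has stopped for this event
        return False

    def clear(self):
        """Administrator clears the log: every stored event is gone for good."""
        self.records.clear()


def run(mode, capacity=3, retention_days=7, clear_before_index=None):
    """Feed constructed events to a log and return (accepted_flags, dropped_count).

    Events arrive 0, 0, 1, 2 and 7 days after the start; `clear_before_index`
    simulates an administrator clearing the log just before that event.
    """
    base = datetime(2001, 3, 12)
    log = SecurityLog(capacity, mode, retention_days)
    accepted = []
    for i, days in enumerate([0, 0, 1, 2, 7]):
        if i == clear_before_index:
            log.clear()
        accepted.append(log.write(base + timedelta(days=days), f"event-{i}"))
    return accepted, log.dropped


if __name__ == "__main__":
    for mode in (SecurityLog.OVERWRITE_AS_NEEDED, SecurityLog.OVERWRITE_OLDER_THAN,
                 SecurityLog.DO_NOT_OVERWRITE):
        print(mode, run(mode))
    print("manual, cleared before event 4:", run(SecurityLog.DO_NOT_OVERWRITE, clear_before_index=4))
```

The "older than" run is the one to study: event 3 is lost even though nothing suspicious is happening, purely because the log filled up inside the retention window. Sizing the log so that it cannot fill within the retention period, or choosing "as needed" and archiving on a schedule, avoids that gap.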
Archiving Security Logs • Archiving maintains a history of security-related events. • Archived logs often are kept for a specified period, to track security-related information over time. • The entire log is saved, regardless of filtering options. • Event Viewer is used to reopen a log archived in a log-file format.
Archiving Security Logs (con’t) • Logs saved as event logs (.evt) retain the binary data for each event recorded. • Logs archived in text or comma-delimited format (.txt and .csv, respectively) can be reopened in other programs, such as word processing or spreadsheet programs. • Logs saved in text or comma-delimited format do not retain the binary data. • An archived log is removed from the system by deleting the file in Windows Explorer.
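The guidelines earlier on this page say to audit failed events and to review the security log frequently, and the slide above notes that a comma-delimited archive can be opened in other programs. The added example below (written for this page, not an Event Viewer or Microsoft tool) does that review over a constructed CSV export: it counts logon failures per account and per computer, flags accounts over a threshold, and lists any clearing of the audit log. The column layout is an assumption that follows the export's headings; for brevity the target account is placed in the User column, whereas a real Windows 2000 logon-failure record carries it in the Description. Event IDs 528, 529 and 517 are the Windows 2000 security event IDs for successful logon, logon failure (unknown user name or bad password), and audit log cleared.

```python
"""Review a security log exported from Event Viewer as comma-delimited text (added example).

Layout and rows below are constructed sample data. Event IDs are the
Windows 2000 security event IDs: 528 successful logon, 529 logon failure,
517 audit log cleared.
"""
import csv
import io
from collections import Counter

SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,3/12/2001,8:55:02 AM,Security,Logon/Logoff,528,jdoe,WS01,Successful Logon
Failure Audit,3/12/2001,9:01:12 AM,Security,Logon/Logoff,529,jdoe,WS01,Logon Failure: Unknown user name or bad password
Failure Audit,3/12/2001,9:01:15 AM,Security,Logon/Logoff,529,jdoe,WS01,Logon Failure: Unknown user name or bad password
Failure Audit,3/12/2001,9:01:19 AM,Security,Logon/Logoff,529,jdoe,WS01,Logon Failure: Unknown user name or bad password
Failure Audit,3/12/2001,9:01:22 AM,Security,Logon/Logoff,529,jdoe,WS01,Logon Failure: Unknown user name or bad password
Failure Audit,3/12/2001,9:03:40 AM,Security,Logon/Logoff,529,asmith,WS01,Logon Failure: Unknown user name or bad password
Success Audit,3/12/2001,9:05:01 AM,Security,Logon/Logoff,528,asmith,WS01,Successful Logon
Success Audit,3/12/2001,9:10:33 AM,Security,System Event,517,Administrator,WS01,The audit log was cleared
"""

LOGON_FAILURE = "529"
AUDIT_LOG_CLEARED = "517"


def review_export(text, failure_threshold=3):
    """Summarise a CSV export: repeated failures, failures per computer, log clears."""
    reader = csv.DictReader(io.StringIO(text))
    failures_by_user = Counter()
    failures_by_computer = Counter()
    cleared = []
    for row in reader:
        if row["Event"] == LOGON_FAILURE:
            failures_by_user[row["User"]] += 1
            failures_by_computer[row["Computer"]] += 1
        elif row["Event"] == AUDIT_LOG_CLEARED:
            # A cleared log is itself a security event: the history before it is gone.
            cleared.append((row["Date"], row["Time"], row["User"], row["Computer"]))
    repeated = {u: n for u, n in failures_by_user.items() if n >= failure_threshold}
    return {
        "repeated_failures": repeated,
        "failures_by_computer": dict(failures_by_computer),
        "log_cleared": cleared,
    }


if __name__ == "__main__":
    summary = review_export(SAMPLE_EXPORT)
    for user, count in summary["repeated_failures"].items():
        print(f"{count} logon failures for {user}")
    for date, time, user, computer in summary["log_cleared"]:
        print(f"audit log on {computer} cleared by {user} at {date} {time}")
```

The single failure for `asmith` followed by a successful logon is the normal mistyped-password pattern and stays below the threshold; the burst against `jdoe` is what the failed-event auditing on this page is meant to surface. The 517 entry matters because, as the slide above says, clearing the log erases all earlier events permanently, so the clear itself should always be accounted for.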
User Rights • User Rights • Privileges • Logon Rights • Assigning User Rights