Windows 2000 provides a set of security configuration tools designed to reduce the cost of configuring and analyzing the security of Windows 2000 networks. These tools are Microsoft Management Console (MMC) snap-ins that let you configure Windows 2000 security settings and periodically analyze a system to verify that its configuration is still intact, or to make necessary changes over time. Security settings include security policies (account and local policies), access control (services, files, and the registry), event logs, group membership (restricted groups), IPSec security policies, and public key policies. The security configuration tools comprise three snap-ins: the Security Configuration And Analysis snap-in, the Security Templates snap-in, and the Group Policy snap-in.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
The Security Configuration And Analysis snap-in allows you to configure and analyze local system security.
The Security Configuration And Analysis snap-in can also be used to configure local system security directly. You can import security templates created with the Security Templates snap-in into the snap-in's database and apply them to the local computer, which immediately configures system security to the levels specified in the template. Because a configure operation applies every area the template defines and cannot be undone automatically, run an analysis and review the discrepancies before configuring.
The state of the operating system and the applications on a computer is dynamic. For example, security settings may need to be relaxed temporarily to resolve an administrative or network problem, and such changes are often never reversed. The computer may then no longer meet the enterprise security requirements.
Regular analysis lets an administrator track and verify an adequate level of security on each computer as part of an enterprise risk management program. The analysis is detailed: the results cover every security-relevant aspect of the system. This lets an administrator tune security levels and, most important, detect security flaws that creep into the system over time.
The Security Configuration And Analysis snap-in enables quick review of security analysis results. Recommendations are presented along with current system settings, and icons or remarks are used to highlight any areas where current settings do not match the proposed level of security. The Security Configuration And Analysis snap-in also allows you to resolve any discrepancies revealed by analysis.
If frequent analysis of a large number of computers is required, as in a domain-based infrastructure, the Secedit command-line tool can be used for batch analysis. Secedit records its findings in the analysis database and in a text log, but only the Security Configuration And Analysis snap-in presents the template settings and the current settings side by side, so the results still have to be opened in the snap-in for review. For more information about the Secedit utility, see Windows 2000 Help.
The Security Configuration And Analysis snap-in (Figure 27.16) reviews and analyzes your system security settings and recommends modifications to the current system settings. Administrators can use the snap-in to adjust the security policy and detect security flaws that arise in the system.
Figure 27.16 Security Configuration And Analysis snap-in
The Security Configuration And Analysis snap-in allows you to perform a variety of tasks. They are:
For details about how to perform each of these tasks, see Windows 2000 Help.
A security template is a file-based representation of a security configuration: a text file (.inf) in which a group of security settings is stored. Windows 2000 includes a set of predefined security templates in the %SystemRoot%\Security\Templates folder. Each template is based on the role of a computer; they range from settings for low-security domain clients to highly secure domain controllers. They can be used as provided, modified, or used as a basis for custom security templates.
The Security Templates snap-in (Figure 27.17) is a tool for creating and assigning security templates for one or more computers.
Figure 27.17 Security Templates snap-in
A security template is a file representation of a security configuration, and can be applied to a local computer or imported into a GPO in the Active Directory service. When you import a security template into a GPO, Group Policy processes the template and applies the corresponding settings to the computers (and, for user-level settings, the users) in the site, domain, or OU to which the GPO is linked.
The Security Templates snap-in allows you to perform a variety of tasks:
In this practice you create a custom console containing the Security Configuration And Analysis snap-in and the Security Templates snap-in. Next, you customize a template and open a new database using the custom template. You then analyze the security settings of Server01 against the template and apply the template's settings to Server01. Complete this practice on Server01.
You run the MMC and add the Security Configuration And Analysis snap-in. MMC version 1.2, which is included with Windows 2000, allows you to add multiple snap-ins to an existing console. For clarity, in this practice you create a new console rather than adding to an existing console that is running other snap-ins.
The Run dialog box appears.
An empty MMC console named Console1 opens.
The Add/Remove Snap-in dialog box appears.
The Add Standalone snap-in window appears.
The Add/Remove Snap-in dialog box appears.
The Save As dialog box appears.
Before analyzing Server01 and applying new security settings, you add the Security Templates snap-in to the Security console.
The Add/Remove Snap-in dialog box appears.
The Add Standalone Snap-in window appears.
The Add/Remove Snap-in dialog box appears.
All of the defined templates appear in the console tree and in the details pane.
This is an incremental security template usually used after a basic security template is applied. For the purpose of this exercise, this template is sufficient.
Password policy settings appear in the details pane.
The Template Security Policy Setting dialog box appears.
The Save As window appears.
The Security Template Description box appears.
Notice in the details pane that customdc now has a description associated with it.
In this exercise you create a new security database.
The Open Database dialog box appears.
The Import Template dialog box appears.
This is the custom template you created in Exercise 2.
In this exercise you analyze the current settings of Server01 against the custom template you created in Exercise 2.
The Perform Analysis dialog box appears, showing the path and name of the error log as C:\Documents and Settings\Administrator\Local Settings\Temp\training.log.
The Analyzing System Security status box appears while the various aspects of Server01's security configuration are checked against the template.
In the details pane, both template settings and the computer's settings are displayed for each policy. Discrepancies appear with a red circle with a white "X" in the center. Consistencies appear with a white circle and a green check mark in the center. If there is no flag or check mark, the security setting is not specified in the template.
The Configure System dialog box appears.
The Perform Analysis dialog box appears.
The Microsoft Management Console message box appears.
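The analysis described earlier for the Security Configuration And Analysis snap-in, which Secedit batch-runs across a domain and which this practice walks through for Server01, amounts to comparing the settings stored in a template file with the settings exported from the computer. The Python script below performs that comparison offline and classifies each setting the way the details pane does (mismatch, match, or not defined in the template). It is an added example, not code from the training kit or from Microsoft. It assumes the INI-style template format that the Security Templates snap-in and secedit write (section names such as [System Access], [Event Audit] and [Privilege Rights] are the real ones); the two embedded files are constructed sample data standing in for a custom template and for the output of `secedit /export`, and the encoding handling in load_template is this example's own assumption.

```python
"""Compare a security template (.inf) with a computer's exported settings, as the
Security Configuration And Analysis snap-in and secedit /analyze do. Added example."""
import configparser

SKIP_SECTIONS = {"Unicode", "Version", "Profile Description"}  # file metadata, not settings
LIST_SECTIONS = {"Privilege Rights", "Group Membership"}       # comma-separated SID lists
MISMATCH = "mismatch"          # snap-in: red circle with a white X
MATCH = "match"                # snap-in: white circle with a green check mark
NOT_DEFINED = "not defined"    # present on the system, template is silent: no icon
NOT_REPORTED = "not reported"  # template defines it, the export does not mention it

# Constructed sample template, modelled on the practice's "customdc" template.
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
RequireLogonToChangePassword = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Constructed sample standing in for what `secedit /export /cfg current.inf` would
# write on a server whose settings have drifted from the template.
CURRENT_INF = """\
[System Access]
MinimumPasswordAge = 0
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeShutdownPrivilege = *S-1-5-32-551,*S-1-5-32-544
"""

def parse_template(text):
    """Keys keep their case; only '=' delimits (SDDL strings in [Registry Keys] hold ':');
    value-less "path",mode,"sddl" lines of [File Security] survive as bare keys."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def load_template(path):
    """The snap-in and secedit write UTF-16 with a BOM; anything else is assumed
    (an assumption of this example) to be ANSI text."""
    with open(path, "rb") as fh:
        raw = fh.read()
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return parse_template(raw.decode("utf-16") if bom else raw.decode("cp1252"))

def _normalize(section, value):
    """SID lists compare as sets (order is irrelevant); scalars are stripped strings."""
    v = (value or "").strip()
    return frozenset(p.strip() for p in v.split(",") if p.strip()) if section in LIST_SECTIONS else v

def analyze(template, current):
    """Classify every setting the way the snap-in's details pane does."""
    results = {}
    for section in current.sections():
        if section in SKIP_SECTIONS:
            continue
        for key, cur_val in current.items(section):
            if not template.has_option(section, key):
                results[(section, key)] = NOT_DEFINED
            elif _normalize(section, template.get(section, key)) == _normalize(section, cur_val):
                results[(section, key)] = MATCH
            else:
                results[(section, key)] = MISMATCH
    for section in template.sections():  # template entries the export never mentioned
        if section not in SKIP_SECTIONS:
            for key, _ in template.items(section):
                results.setdefault((section, key), NOT_REPORTED)
    return results

def summarize(results):
    """Count findings per status, the totals an administrator would track per computer."""
    counts = {MISMATCH: 0, MATCH: 0, NOT_DEFINED: 0, NOT_REPORTED: 0}
    for status in results.values():
        counts[status] += 1
    return counts

def format_report(results):
    """One line per setting, marked like the snap-in's icons: [X] mismatch, [v] match."""
    marks = {MISMATCH: "[X]", MATCH: "[v]", NOT_DEFINED: "[ ]", NOT_REPORTED: "[?]"}
    return "\n".join(f"{marks[s]} {sec}: {key}" for (sec, key), s in sorted(results.items()))

if __name__ == "__main__":
    findings = analyze(parse_template(BASELINE_INF), parse_template(CURRENT_INF))
    print(format_report(findings))
    print(summarize(findings))
```

On a Windows 2000 computer, `secedit /export /cfg current.inf` writes the effective local settings to a template file (add /mergedpolicy to include domain policy), and the predefined templates live under C:\WINNT\security\templates; pass both files to load_template and review the [X] lines before running `secedit /configure` or the snap-in's Configure Computer Now command, because configuring, unlike analysis, changes the machine and cannot be undone automatically. Comparing privilege assignments as sets matters in practice: the same group list in a different order is not a discrepancy, whereas an extra group granted a right, as in the SeRemoteShutdownPrivilege sample, is exactly the drift the analysis exists to catch.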
Security settings define the security-relevant behavior of the system. Through the use of GPOs in Active Directory services, administrators can centrally apply the security levels required to protect enterprise systems.
When determining settings for a GPO that contains multiple computers, the organizational and functional character of that given site, domain, or organizational unit (OU) must be considered. For example, the security levels necessary for an OU containing computers in a sales department would be very different from that for an OU containing finance department computers.
The Group Policy snap-in allows you to configure security centrally in the Active Directory store. A Security Settings folder is located under Windows Settings in both the Computer Configuration node and the User Configuration node. The security settings allow Group Policy administrators to set policies that restrict user access to files and folders, set how many incorrect passwords a user can enter before the account is locked out, and control user rights, such as which users are allowed to log on locally at a domain controller.
Windows 2000 provides a set of security configuration tools that allow you to configure Windows 2000 security settings and perform periodic analyses of the system to ensure that the configuration remains intact or to make necessary changes over time. The Security Configuration And Analysis snap-in allows you to configure and analyze local system security. It reviews and analyzes your system security settings and recommends modifications to the current system settings. The Security Templates snap-in allows you to create and assign security templates for one or more computers. The Group Policy snap-in allows you to configure security centrally in the Active Directory store.