Planning and Implementing Server Roles and Server Security


Role-based security is implemented by using a layered approach to security; the most general security settings are applied at the highest level and grow increasingly more restrictive as you go deeper into the organizational structure of the domain. Through the use of the preconfigured security templates included with Windows Server 2003, combined with careful planning and attentive administration of the network, you will be able to implement a role-based security solution.

Windows Server 2003 comes with a complete set of preconfigured security templates that you can use to quickly apply standardized security settings to a single computer, an Organizational Unit (OU), or a domain if desired. In addition to these preconfigured security templates, Microsoft has made available additional security templates that you can use to enforce specific security settings on Windows Server 2003 computers, depending on their assigned roles.

Organizational Units (OUs), sometimes thought of as nothing more than an organizational tool to "clean up" the visual appearance of Active Directory, are actually among the most powerful tools for planning, implementing, and maintaining a secure network environment. OUs offer an easy way to segment users and other security principals, specifically computers in this instance, for the purpose of creating and enforcing administrative boundaries. By nesting OUs within each other, each with its own specific Group Policy Object (GPO), you can quickly piece together the overall security solution for your network.

You can identify the default security settings on a newly installed Windows Server 2003 member server through a variety of different means, such as the Local Group Policy console, the Local Security Policy console, or the Resultant Set of Policy (RSoP) snap-in.

A security template is little more than a specially formatted flat text file that can be read by the Security Configuration Manager tools. These preconfigured templates have the extension .inf and can be located in the %systemroot%\security\templates folder on your Windows Server 2003 computer. You can use the Security Configuration and Analysis console, the secedit.exe tool, or the Local Security Policy console to apply these templates to a local computer. You can apply templates to an Organizational Unit or domain by importing them into the Security Settings section of the applicable Group Policy using the Group Policy Editor. You also can use these preconfigured templates to baseline an unknown system against a known set of configuration settings by using the Security Configuration and Analysis console or the secedit.exe tool.

Table 1 details the preconfigured security templates that ship with Windows Server 2003.

All the preconfigured security templates are incremental, meaning that they have been designed to be applied to computers that use the default security settings.

These templates do not implement the default security settings before applying their security settings.

The Security Configuration Manager tools are to be used to design, test, and implement these (and other) security templates. The components of the Security Configuration Manager include:

  • The Security Configuration and Analysis snap-in

  • The Security Templates snap-in

  • Group Policy security extensions

  • The secedit.exe command

The Security Configuration and Analysis snap-in is an important tool in any administrator's security template toolbox. By using the Security Configuration and Analysis snap-in, you can create, configure, test, and implement security template settings for a local computer. Therein lies its one real weakness: You can use it to work only with the settings of a local computer. You can, however, find ways to work around this limitation by using the other tools that are at your disposal, including secedit.exe and the security extensions to Group Policy.

The Security Configuration and Analysis snap-in can be used in two basic modes, as its name suggests (configuration and analysis), although not necessarily in that order. When you're using the Security Configuration and Analysis snap-in to analyze the current system security configuration, no changes are ever made to the computer being analyzed. The administrator simply selects a security template to compare the computer against (either a preconfigured template or a custom-created template). The settings from the template are loaded into a database and then compared to the settings currently implemented on the computer. It is possible to import multiple templates into this database, thus merging their settings into one conglomerate database. In addition, you can specify that existing database settings are to be cleared before another template is imported into the database. When the desired security templates have been loaded into the database, any number of analysis actions can be performed, both by the Security Configuration and Analysis snap-in and by the secedit.exe command.

Table 1. The Preconfigured Security Templates in Windows Server 2003

Template (Filename)

Description

Default security (Setup security.inf)

This template is created during the installation of Windows Server 2003 on the computer. It varies from one computer to the next, depending on whether the installation was performed as a clean install or an upgrade. Setup security.inf represents the default security settings that the computer started with and thus can be used to reset portions of security as required. This template can be applied to both workstations and member servers, but not to domain controllers. It should never be applied via Group Policy: because of the large amount of data it contains, doing so can degrade performance.

Default DC security (DC security.inf)

This template is automatically created when a member server is promoted to domain controller. It represents the file, Registry, and system service default security settings for that domain controller and can be used later to reset these areas to their default configuration.

Compatible (compatws.inf)

The compatible workstation/member server template provides a means to allow members of the Users group to run applications that do not conform to the Windows Logo Program. Applications that do conform to the Windows Logo Program can be, in most cases, successfully run by members of the Users group without any further modifications required. For applications that do not conform, two basic choices are available: make the users members of the Power Users group or relax the default permissions of the Users group. The compatible template solves this problem by changing the default file and Registry permissions that are granted to the Users group to allow them to run most applications that are not part of the Windows Logo Program.

As a side effect of applying this template, all users are removed from the Power Users group because the basic assumption is that the template is being applied in an effort to prevent the need for Power Users. This template should not be applied to domain controllers, so be sure not to import it into the Default Domain Policy or the Default Domain Controller Policy.

Secure (securews.inf, securedc.inf)

The secure templates are the first ones to actually begin the process of locking down the computer to which they are applied. The two different secure templates are securews.inf, which is for workstations and member servers, and securedc.inf, which is for domain controllers only.

The secure templates prevent the use of the LAN Manager (LM) authentication protocol. Windows 9x clients need to have the Active Directory Client Extensions installed to enable NTLM v2 to allow them to communicate with Windows 2000 and later clients and servers using these templates. These templates also impose additional restrictions on anonymous users, such as preventing them from enumerating account and share information.

The secure templates also enable Server Message Block (SMB) signing on the server side. By default, SMB signing is enabled on client computers. When this template is applied, SMB packet signing is always negotiated between clients and servers.

Highly Secure (hisecws.inf, hisecdc.inf)

The highly secure templates impose further restrictions on computers they are applied to. Whereas the secure templates require at least NTLM authentication, the highly secure templates require NTLM v2 authentication. The secure templates enable SMB packet signing; the highly secure templates require SMB packet signing.

In addition to the various additional security restrictions that are imposed by the highly secure templates, these templates also make several changes to group membership and the login process. All members of the Power Users group are removed from this group. Also, only Domain Admins and the local administrative account are allowed to be members of the local Administrators group.

When the highly secure templates are used, it is assumed that only Windows Logo Program-compliant applications are in use. As such, there is no provision in place for users to use noncompliant applications because the compatible template is not needed and the Power Users group has no members. Members of the Users group can use applications that are Windows Logo Program compliant. Additionally, members of the Administrators group can use any application they want.

System root security (Rootsec.inf)

This template defines the root permissions for the root of the system volume. Should these permissions be changed, they can be reapplied using this template. This template can also be modified to apply the same permissions to other volumes. Explicitly configured permissions are not overwritten on child objects when using this template.

No Terminal Server use SID (Notssid.inf)

This template is used on servers that are not running Terminal Services to remove all unnecessary Terminal Services SIDs from the file system and Registry. This, however, does not increase the security of the server.

After the database has been populated and an analysis scan has been initiated, the Security Configuration and Analysis snap-in examines every configurable Group Policy option and then reports back to you the results of the analysis scan. Each setting is marked with an icon that denotes one of several possible outcomes, such as that the settings are the same, the settings are different, or the settings do not apply. Table 2 outlines the possible icons that you might see and what they indicate.

Table 2. The Preconfigured Security Template Icons in Windows Server 2003

| Icon | Description |
| --- | --- |
| Red circle with white X | The item is defined in the analysis database and on the computer but does not match the currently configured setting. |
| Green check mark | The item is defined in the analysis database and on the computer and matches the currently configured setting. |
| Question mark | The item is not defined in the analysis database and was not examined on the computer. |
| Exclamation point | The item is defined in the analysis database but not on the computer. |
| No special icon | The item is not defined in the analysis database or the computer. |
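
As an added illustration (not code from the book or from Microsoft), the following Python model shows how importing several templates merges them into one analysis database, what clearing the database first changes, and how an analysis pass produces the outcomes in Table 2 without modifying the computer. The template fragments, the computer state, and the function names are constructed for the example; the rule that a later import wins on conflict is the model's assumption.

```python
import configparser

# Constructed sample data in security-template INF syntax; these are not the
# contents of the shipped templates, and COMPUTER is not a real host's state.
BASELINE_INF = """
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
"""
ROLE_INF = """
[System Access]
MinimumPasswordLength = 12
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
"""
COMPUTER = {
    ("System Access", "MinimumPasswordLength"): "12",
    ("System Access", "PasswordComplexity"): "0",
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Security Log", "MaximumLogSize"): "16384",
}

def parse_template(text):
    """Return {(section, key): value} for every setting in a template."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case instead of lowercasing it
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() if s != "Version"
            for k, v in cp.items(s)}

def import_template(database, text, overwrite=False):
    """Model of an import: merge into the database, or clear it first."""
    merged = {} if overwrite else dict(database)
    merged.update(parse_template(text))  # assumption: later import wins
    return merged

def analyze(database, computer):
    """Compare database to computer settings; neither input is modified."""
    report = {}
    for key in sorted(set(database) | set(computer)):
        want, have = database.get(key), computer.get(key)
        if want is None:
            report[key] = "not analyzed"      # question mark
        elif have is None:
            report[key] = "not on computer"   # exclamation point
        elif want == have:
            report[key] = "match"             # green check mark
        else:
            report[key] = "mismatch"          # red circle with white X
    return report
```

The fifth Table 2 outcome (no special icon) never appears in the report, because a setting defined in neither place is absent from both dictionaries.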

You can analyze and configure several areas by using the Security Configuration and Analysis snap-in:

  • Account Policies: This node contains items that control user accounts. In Windows NT 4.0, these items are managed from the User Manager for Domains. This node has two subnodes: Password Policy and Account Lockout Policy. The Password Policy node deals with account password-related items, such as minimum length and maximum age. The Account Lockout Policy node contains options for configuring account lockout durations and lockout reset options.

  • Local Policies: This node contains policies that are applied to the local machine. It has three subnodes: Audit Policy, User Rights Assignment, and Security Options. The Audit Policy node is relatively self-explanatory: It offers options for configuring and implementing various auditing options. The User Rights Assignment node contains miscellaneous options that deal with user rights, such as the ability to log in to a computer across the network. The Security Options node contains many other options, such as the option to set a login banner or allow the system to be shut down without being logged in first, that previously could be edited only in the Windows NT 4.0 Registry or by using System Policies.

  • Event Log: This node contains options that allow you to configure the behavior and security of the event log. In this node, for example, you can include maximum log sizes and disallow guest access to the event logs.

  • Restricted Groups: This node allows you to permanently configure which users are allowed to be members of specific groups. For example, company policy may provide the ability to perform server backups to a specific group of administrators. If another user who is not otherwise authorized with these privileges is added to this group and not removed after he or she has performed the intended function, you have created a security problem because the user has more rights than normally authorized. By using the Restricted Groups node, you can reset group membership to the intended membership.

  • System Services: This node allows you to configure the behavior and security assignments associated with all system services running on the computer. Options include defining that a service is to start automatically or be disabled. In addition, you can configure the user accounts that are to have access to each service.

  • Registry: This node allows you to configure access restrictions that specify who is allowed to configure or change individual Registry keys or entire hives. This option does not provide you with the means to create or modify Registry keys, however; that must still be done by using the Registry Editor.

  • File System: This node allows you to set folder and file NTFS permissions. This capability is especially handy if you need to reset the permissions on a large number of folders or files.

The Security Templates snap-in might at first seem to have no real purpose. However, this is not the case at all. You can use this snap-in to modify existing templates or create new ones from scratch without the danger or possibility of accidentally applying the template to the computer or GPO.

You can easily and quickly import security templates into GPOs by using the Group Policy Editor to allow you to configure large portions of your network with the settings contained in the security template. You should apply the most generic settings at the domain level and then at the OU level apply specific settings that pertain to the computers in that OU; this is the cornerstone of role-based network security.

You can use secedit to perform the same functions as the Security Configuration and Analysis snap-in, plus a couple of additional functions not found in the snap-in. The secedit command has the following top-level switches available for use:

  • /analyze: This option allows you to analyze the security settings of a computer by comparing them against the baseline settings in a database.

  • /configure: This option allows you to configure the security settings of the local computer by applying the settings contained in a database.

  • /export: This option allows you to export the settings configured in a database to a security template .inf file.

  • /import: This option allows you to import the settings configured in a security template .inf file into a database. If you will be applying multiple security templates to a database, you should use this option before performing the analysis or configuration.

  • /validate: This option validates the syntax of a security template to ensure that it is correct before you import the template into a database for analysis or configuration.

  • /GenerateRollback: This option allows you to create a rollback template that can be used to reset the security configuration to the values it had before the security template was applied.

Of the available options, you will most often use the /analyze and /configure switches.

Security policies (via security templates and GPOs) are typically applied at the three following hierarchical levels to create role-based security:

  • Domain: The most common security requirements, such as password and account lockout policies, are applied at the domain level. These policies are applied to all computers, servers and workstations alike, within the domain.

  • Baseline: This policy contains security configuration items that apply to all member servers, such as auditing policies and user rights assignments.

  • Role-specific: To address the specific security needs of each specific server role, member servers are divided into role-based groups using OUs and have specific, individual security policies applied to them.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
EAN: 2147483647
Year: 2003
Pages: 151
Authors: Will Schmied
