Section 8.1. Planning and Implementing Server Roles and Server Security

8.1. Planning and Implementing Server Roles and Server Security

The Windows operating system has workstation and server versions. Generally, computers running Windows XP Professional or other workstation operating systems are configured as clients, and computers running Windows Server 2003 are configured as servers. While computers acting as clients have general-purpose roles in the enterprise as user machines, most servers have general-purpose roles and specific roles for which they are configured, allowing the servers to act as domain controllers, name servers, file servers, print servers, etc. From the general to the specific, each role brings with it different security considerations. A computer's baseline security configuration prepares it for a general role in the enterprise. A computer's role-specific security configuration prepares it to act in a specific role.

8.1.1. Evaluating and Selecting the Operating System to Install on Computers in an Enterprise

Selecting the operating system to install on computers is a key decision that administrators must make. Computers should be configured with the operating system that is appropriate for the role they will fill as clients or servers. Every organization should have specific guidelines for choosing which operating system to use when; those guidelines should include specifics on hardware requirements, duty life, and upgrade frequency. Prior to purchasing or requisitioning computers, administrators should have a list of hardware requirements for each role the computers will fill and should configure the computers accordingly.

8.1.1.1. Choosing client operating systems

Before choosing an operating system for a client computer, administrators should ask themselves what is the minimum configuration to satisfy security requirements. In most cases, the answer to this question will have to do with:

• The ability of the computer to act as an Active Directory client

• The ability of the computer to have a computer account and join the domain

Why are these issues important? When a client computer can act as an Active Directory client, the computer can join a domain and take advantage of directory services. When a client computer has a computer account, administrators have better control over security and can manage the account as they manage any other type of account. For these reasons, every client configured on a Windows network should be able to act as an Active Directory client and have a computer account.

Both workstation and home user versions of the Windows operating system are available. In most cases, clients that connect directly to the network or connect through remote access should be configured with a workstation version of the Windows operating system. This ensures that the client computer can access the network as an Active Directory client and that it has a computer account, and can take advantage of all the features that are offered, including security enhancements (available only on workstation versions of Windows). Workstation versions of Windows include Windows NT Workstation, Windows 2000 Professional, and Windows XP Professional. Although Windows NT Workstation computers can be part of a domain, only Windows 2000 Professional and Windows XP Professional have all the latest capabilities. Windows Vista is the latest workstation version of the Windows operating system.

Home user versions of Windows include Windows 95, Windows 98, and Windows Me. While Windows 95, Windows 98, and Windows Me computers can be configured as Active Directory clients, they are not best suited to the task. Clients running these operating systems do not become members of the domain in the same way as computers running workstation versions of the Windows operating system, which makes it more difficult to manage security for these computers. Clients running these operating systems also cannot take advantage of many of the current security enhancements.

Windows XP Home Edition is another home user version of Windows. Unlike Windows 95, Windows 98, and Windows Me, however, Windows XP Home Edition does not have an Active Directory client and cannot join a domain. Because of this, computers that will be used in the enterprise should not use Windows XP Home Edition.

Table 8-1 provides a summary of operating system support for Active Directory.

8.1.1.2. Choosing server operating systems

Windows Server 2003 is available in multiple editions, including Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. Each edition is designed for a specific purpose.

Windows Server 2003, Web Edition is designed specifically to provide web services for enterprise Intranets and Internet web sites. While this edition includes the Microsoft .NET Framework, Microsoft Internet Information Services (IIS), ASP.NET, and network load-balancing features, it lacks many other features, including Active Directory.

Windows Server 2003, Standard Edition is designed specifically for small or branch office use, and is a direct replacement for Windows NT 4.0 Server and Windows 2000 Server. Servers running this edition should be used to provide the day-to-day needs of the average business, and to provide services and resources to other systems in the enterprise.

Windows Server 2003, Enterprise Edition is designed specifically for larger organizations and where functional needs surpass those of Windows Server 2003, Standard Edition. It is a direct replacement for Windows NT Server 4 Enterprise Edition and Windows 2000 Advanced Server. Servers running this edition can be used in large-scale deployments and in clustering configurations.

Windows Server 2003, Datacenter Edition is designed specifically for large-scale data centers where high availability and high scalability are requirements, and for use with business-critical and mission-critical applications that require high availability and high scalability. It is a direct replacement for Windows 2000 Datacenter Server.

Table 8-2 provides an overview and comparison of each edition of Windows Server 2003. With the exception of Web Edition, all other editions of Windows Server 2003 support both 32-bit and 64-bit computing. 32-bit versions of Windows Server 2003 are designed for x86-based processors. 64-bit versions of Windows Server 2003 are designed for Intel Itanium (IA-64) and 64-bit extended systems.

When you look beyond supported components, maximum RAM, and maximum processors, you'll find each edition of Windows Server 2003 supports the same core features and administration tools, allowing you to manage servers running the various editions using the same tools and techniques. The way in which a server is used in the enterprise largely depends on the roles for which the server is configured.

8.1.2. Planning and Implementing Server Roles

Servers are generally assigned to be part of a workgroup or a domain. A workgroups is a loose grouping of computers in which each individual computer is managed separately. A domain is a tight grouping of computers in which each computer can be managed collectively using Active Directory and Group Policy.

When you install a server running Windows Server 2003, you can configure the server to be:

• A member server

• A domain controller

• A standalone server

The differences between these configurations are subtle but important. Member servers are a part of a domain but don't store directory information. Domain controllers store directory information, provide authentication, and offer directory services for a domain. Standalone servers aren't part of a domain and are instead members of a workgroup. Standalone servers have their own security database for authenticating logon requests.

Like Windows 2000, Windows Server 2003 uses a multimaster replication model where any domain controller can process directory changes, and then replicate those changes to other domain controllers. This differs from the Windows NT single master replication model in which the primary domain controller stores a master copy and backup controllers store backup copies of the master. Additionally, while Windows NT distributed only the Security Account Manager (SAM) database, Windows Server 2003 distributes its entire data store of directory information.

Domains that use Active Directory are referred to as Active Directory domains . Although you could deploy an Active Directory domain with only one domain controller, you more typically deploy multiple domain controllers to ensure availability of directory services, should one or more of the domain controllers fail. In an Active Directory domain, any member server can be promoted to a domain controller by installing the Active Directory component on the server. Similarly, you can demote domain controllers and make them member servers, by removing the Active Directory component on the server.

You promote and demote domain controllers using the Active Directory Installation Wizard (dcpromo). To start this wizard, click Start Run. Type dcpromo in the Open field, and then click OK.

In addition to having a role as a domain controller, servers can have other roles as well. These additional roles are based on the services for which the servers are configured. Any server can support one or more of roles described in Table 8-3.

After installing a server, you can add or remove server roles using the Manage Your Server console, the Configure Your Server wizard, or the Add/Remove Programs utility. You access Manage Your Server from the Administrative Tools menu. Click Start Programs Manage Your Server. When you start Manage Your Server, the currently configured roles are listed, and for each configured role, youll find quick access links for performing related tasks. For example, if the server is configured as a file server, you'll have links for managing the file server and adding shared folders.

To add or remove a role using Manage Your Server, follow these steps:

1. Click the Add Or Remove A Role link. This starts the Configure Your Server Wizard. You can also start the Configure Your Server Wizard from the Administrative Tools menu.

2. Click Next twice. After Windows Server 2003 gathers information about the server's current roles, the Server Role page is displayed with a list of available server roles and details on whether a role is configured.

3. If a role isn't configured and you want to add the role, click the role in the Server Role column, and then click Next. Follow the prompts.

4. If a role is configured and you want to remove the role, click the role in the Server Role column, and then click Next. Follow the prompts.

8.1.3. Planning a Secure Baseline Installation

Security should be a primary consideration when you set up a network, add computers to a network, and configure computers. You should select clients and servers based on specific manageability, supportability, and security requirements. Prior to deploying clients and servers, you should develop a comprehensive deployment plan that includes detailed instructions for establishing a secure baseline installation for each anticipated client and server configuration. The baseline installation should provide a secure starting point for the final configuration. For clients and servers with strict/high security requirements, you may need to build on the baseline installation by modifying settings, installing additional security components, or making other such changes to strengthen security as appropriate.

8.1.3.1. Planning a strategy to enforce system default security settings on new systems

Creating a security plan for clients and servers is not something individual administrators should do alone. More typically, a security plan for clients and servers is part of larger enterprise effort and one that is designed to ensure that security settings meet or exceed a specific set of minimum security requirements. As an administrator, you need a careful understanding of the security capabilities of the Windows operating system, and you must be familiar with the default security settings so that you know what settings can and should be changed to enhance security for computers configured in specific roles as clients or servers.

When creating a security strategy for clients and servers, you'll need to determine which specific security features to use; often, you'll do this in accordance with the objectives and requirements of the organization's enterprise-wide security policy. Many organizations also have specifically assigned security teams that are responsible for security policy throughout the enterprise.

Typically, enterprise-wide security policies:

• Identify potential security risks

• Specify minimum security requirements

• Specify the minimum set of required security features

• Provide plans for meeting required security levels

If your organization doesn't have enterprise-wide security policies or specific security requirements for networked computers, you should work toward establishing such, and the effort should be managed by a designated security team. This team should include users, administrators, and managesall of which should have a strong understanding of security, the organization's structure and resources, and how security can be implemented to meet the organization's needs.

The security policy developed by the security team should view security as an ongoing effort, and one that, like software deployment, has an ongoing life cycle. The security policy should include:

• A plan for securing the organization's infrastructure

• A plan for implementing required security features

• A plan for ongoing management and evaluation of security

• A plan for monitoring security breaches

Most security plans should cover access controls, authentication, and auditing. Access controls are used to manage access to resources and determine who has access to what. Authentication mechanisms are used to verify a user's identity prior to providing access to resources. Auditing is used to monitor access and use of privileges.

Techniques for preventing unauthorized access to the network and resources also should be covered in the security plan. Network security can be enhanced using firewalls, proxies, and Network Address Translation (NAT). Resource access can be more tightly controlled using encrypted passwords, certificates, and hardware devices such as smart card scanner. Data can be protected using NTFS security and the Encrypting File System (EFS).

After developing a plan to secure the organization's infrastructure, the security team needs to develop a plan to implement the security recommendations and requirements. As appropriate for an individual's need to know to ensure enforcement and implementation, parts of the implementation plan should be distributed throughout the organization. It is the responsibility of the security team to ensure that the implementation plan is followed and that the messaging related to security policy are expressed in ways that get maximum organizational involvement. Not everyone will adhere to the security plan. Not everyone will understand the need to implement security in a certain way. Because of this, you'll need an ongoing monitoring and management effort to ensure that security is implemented as expected. Part of the management effort should include ongoing instruction for all personnel as to the importance of and the need for security.

8.1.3.2. Identifying client and server operating system default security settings

As an administrator, you should have a strong understanding of the default security settings for Windows Server 2003 and Windows XP Professional. A strong understanding of the default security settings helps you determine what settings may need changes to enhance security when a computer is deployed in a specific role.

Windows Server 2003 and Windows XP Professional are the primary operating systems for use on networks as servers and clients. Both operating systems are designed with security in mind. Whether these computers are part of a workgroup or domain, security is largely dependent on:

• Filesystem permissions

• Share permissions

• Registry permissions

• Active Directory permissions

• Account policies

• Local policies

• Audit policies

8.1.3.2.1. Identifying default security for filesystem permissions

Filesystem permissions are available and applicable only when you format a computer's drives using NTFS. Under NTFS, many different levels of permissions can be set to control access to files and folders. As discussed in Chapter 2 under "Configuring Filesystem Permissions," both basic and advanced permissions can be used with NTFS, all files and folders have specific owners that can be changes, and certain permissions are inherited from parent folders. You can modify permissions, ownership, and inheritance using a file or folder's Properties dialog box, which is accessible by right-clicking the file or folder, selecting Properties, and then clicking the Security tab (see Figure 8-1).

Figure 8-1. Manage permissions on the Security tab.

When you install a computer running Windows Server 2003 or Windows XP Professional in an Active Directory domain and format the system drive using NTFS, the Setup program configures the computer's system drive with a specific default set of permissions. Table 8-4 summarizes the default permissions for the system drive (domains only). If the computer has other drives, Setup doesn't grant any special permissions on these additional drives. Instead, Setup grants Full Control on the entire drive to the Everyone group; it is up to the administrator to configure appropriate permissions.

8.1.3.2.2. Identifying default security for share permissions

As discussed in Chapter 2 under "Configuring Access to Shared Folders," shares are used to share folders over the network, and several administrative shares are created automatically each time the operating system is started. While the administrative shares that are available depend on the system configuration, the key ones that administrators work with are the hidden drive shares . These special shares for the root of each available drive letter on the computer are named with the drive letter followed by a dollar sign ($). Drive shares are available to members of the Administrators group, and the permissions for these shares cannot be modified.

When you create a new folder share on a computer running Windows Server 2003, you can configure specific permissions by choosing one of the available configuration options:

All Users Have Read-Only Access

Grants the Everyone group Read access (the default).

Administrators Have Full Access; Other Users Have Read-Only Access

Grants Administrators Full Control and the Everyone group Read access.

Administrators Have Full Access; Other Users Have Read And Write Access

Grants Administrators Full Control and the Everyone group Change access.

Use Custom Share And Folder Permissions

Allows you to configure access by accessing Full Control, Change, and Read access to specific users and groups (recommended).

Once you share a folder, it is available to users automatically and can be accessed using a network drive. You can manage the permissions on the shared folder by right-clicking the share, selecting Properties, and then using the options of the Share Permissions tab.

While under Windows Server 2003, the Everyone group has Read permissions on a share by default, and Windows 2000 (all service packs) and Windows XP computers (prior to Service Pack 2) grant the Everyone group Full Control by default. Because of this, you must modify the share permissions to properly control access.

When you share folders on NTFS volumes, share permissions provide the top-level access control and NTFS permissions provide the base-level access controls. In other words, share permissions determine the maximum allowed access level. If a user has Read permission on a share, the most the user can do is perform read operations. If a user has Change permission on a share, the most the user can do is perform Read and Change operations. If a user has Full Control permission, the user has full access to the share. However, in any case, filesystem permissions can further restrict or block access.

8.1.3.2.3. Identifying default security for Registry permissions

The Registry contains configuration details for system components, services, and applications. The Registry is organized into a formal grouping of keys, subkeys, and value entries. Root keys form the primary branches of the Registry. The two primary root keys are HKEY_LOCAL_MACHINE (HKLM) and HKEY_USERS (HKU). Other root keys in the Registry are logical subtrees of the two primary root keys.

When you install applications and configure Windows settings, changes are made to the Registry. Access to the Registry is controlled by a separate set of security permissions. The default security permissions for the Registry are as follows:

• Members of the Administrators group have Full Control permissions for all keys.

• The System user has Full Control permissions for all keys.

• The Everyone group has Read permission for the HKEY_LOCAL_MACHINE (HKLM) and HKEY_USERS (HKU) keys.

• The Authenticated Users group have Read permissions for HKEY_CLASSES_ROOT.

• The Server Operators group has permissions that enable members to read, create, and modify keys in HKEY_CLASSES_ROOT.

• The Users group has Read permissions for HKEY_CURRENT_CONFIG.

You can view and manage the Registry using the Registry Editor (regedit.exe). To start the Registry Editor, type regedit at a command prompt.

8.1.3.2.4. Identifying default security for Active Directory permissions

In Active Directory, objects are used to represent users, groups, computers, printers, and other resources. Use Active Directory permissions to specify who can access and manage the objects in the Active Directory database. As an administrator, one of your primary duties is to create and manage directory objects. Permissions for creating and managing objects can be delegated to nonadministrators as well.

Create new domains in Active Directory by running the Active Directory Installation Wizard (dcpromo) and assigning the first domain controller in the new domain. During the configuration of the domain and the domain controller, the operating system establishes default security for several key groups. The default security permissions for Active Directory are as follows:

• Members of the Enterprise Admins group have Full Control permission over the domain.

• Members of the Domain Admins and Administrators groups are assigned permissions that allow them to create and manage most Active Directory objects in the domain.

• Members of the Account Operators group are granted Full Control permission over Domain Users, Domain Computers, Domain Guests, and similar account-related groups.

• Members of the Server Operators group are granted Full Control over Domain C.

• Members of the Authenticated Users group are assigned Read permissions throughout the domain, and in some, members are assigned limited special permissions in specific instances.

Windows Server 2003 includes many other built-in groups as well, which all have a specific default set of permissions. Security groups are the primary way to manage Active Directory permissions. Typically, when individuals need to perform specific management tasks in the domain, you'll handle this by making the user a member of the appropriate security group. If no security group is available to meet a specific need, you can create additional security groups and configure permissions as appropriate for those groups. In a few special situations, you might want to delegate permissions to individuals that should be allowed to perform specific tasks in a domain or organizational unit.

Delegation is useful if you want to give someone limited administrative privileges. Delegate control to grant a user permission to manage users, groups, computers, organizational units, or other objects stored in Active Directory. To delegate administration, you can use the following technique:

1. Open Active Directory Users And Computers.

2. Right-click the domain or organizational unit for which you want to delegate administration, and then select Delegate Control.

3. When the Delegation Of Control Wizard starts, click Next.

4. On the Users Or Groups page, shown in Figure 8-2, click Add. Select the users and groups for which you want to delegate control. Click OK.

   Figure 8-2. Specify the users and groups for which you want to delegate control.

   

5. Click Next to continue.

6. On the Tasks To Delegate page, specify the administration tasks to delegate (see Figure 8-3) to the previously selected users or groups.

   Figure 8-3. Specify the administration tasks to delegate.

   

7. Click Next, and then click Finish.

On rare occasions, you may need to review or manage the specific set of Active Directory permissions assigned to an object. You can do this by using the Advanced Features view in Active Directory Users And Computers. The Advanced Features view gives you access to additional advanced properties for objects, including those for published certificates and Active Directory permissions.

To view or manage Active Directory permissions for an object, you can use the following technique:

1. Open Active Directory Users And Computers.

2. Select Advanced Features on the View menu in Active Directory Users And Computers.

3. Right-click the object, and then select Properties.

4. Use the Security tab options, shown in Figure 8-4, to view or manage Active Directory permissions for the selected object.

   Figure 8-4. Accessing the Security tab of an Active Directory object.

   

8.1.3.2.5. Identifying default security for account policies

In Active Directory domains, Group Policy is used to manage security settings for users and computers, each of which is managed with a separate set of policies:

• User settings are managed through User Configuration policies and are applied to a user account during logon. User settings affect individual user accounts, according to groups of which a user is a member.

• Computer settings are managed through Computer Configuration policies and are applied to a computer at startup. Computer settings affect all users who log on to or access a computer.

The most important default security settings to be aware of are those for password policy, account lockout policy, and Kerberos policy that should be managed using the highest precedence Group Policy Object (GPO) linked to a domain. By default, the highest precedent GPO linked to a domain is the Default Domain Policy GPO.

While previous versions of Windows did not define specific password and account lockout policies, Windows Server 2003 does assign specific default settings to these policies.

Password policies control how passwords are managed, whether they expire, and when they expire. In Group Policy, the following password policies are stored under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy:

Enforce password history

Determines how many previously used passwords will be maintained in the user's password history. As a user cannot use a password that is in the history, a user cannot reuse a recently used password. The maximum value is 24. If this value is set to zero, no password history is maintained and users are able to reuse old passwords, which can be a security concern. The default value is 24 passwords remembered.

Maximum password age

Determines when the user is required to change a password. The maximum value is 999 days. If this value is set to zero, the password never expires, which can be a security concern. The default value is 42 days.

Minimum password age

Requires that a specific number of days must pass before a user can change their password. This setting must be configured to be less than the Maximum password age policy. If this value is set to zero, the user can change their password immediately. The default value is 1 day.

Minimum password length

Determines the minimum number of characters required for the length of the password. Longer passwords are more secure than shorter ones. The default value is seven characters.

Passwords must meet complexity requirements

Determines whether the password must meet specific complexity requirements. If this policy is defined, a password cannot contain the user account name, must contain at least six characters, and must have characters that have upper- and lowercase letters, Arabic numerals, and nonalphanumeric characters (symbols). By default, this policy is enabled.

Store passwords using reversible encryption

Determines whether passwords use plain-text encryption of passwords. Basically the same as storing passwords as plain text and is only to be used when applications use protocols that require information about the user's password. By default, this policy is disabled.

Account lockout policies control whether and how accounts are locked out if successive invalid passwords are provided. In Group Policy, the following password policies are stored under Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy:

Account lockout duration

Determines the period of time that must elapse before Active Directory will unlock an account that has been locked out due to Account Lockout policy. This setting is dependent on the account lockout threshold setting. The value range is from 0 through 99,999 minutes. If this value is set to zero, the account will be locked out indefinitely. By default, this policy is not defined.

Account lockout threshold

Determines how many failed logon attempts trigger an automatic lockout. The valid range is from 0 to 999. The default value is zero, which means the account will never be locked out due to Account Lockout policy, and the user will be allowed unlimited failed logon attempts.

Reset account lockout counter after

Determines the number of minutes after a failed logon attempt before the lockout counter is reset to zero. The valid range is from 1 to 99,999 minutes. This must be less than or equal to the Account lockout duration setting if the Account lockout threshold policy is enabled. By default, this policy is not defined.

Kerberos policies control the way Kerberos authentication is used in a domain. In Group Policy, the following Kerberos policies are stored under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy:

Enforce User Logon Restrictions

Ensures that user account restrictions, such as logon hours and logon workstations, are enforced. By default, the policy is enabled.

Maximum Lifetime For Service Ticket

Sets the maximum duration for which a service is valid. By default, service tickets have a maximum duration of 600 minutes.

Maximum Lifetime For User Ticket

Sets the maximum duration for which a user ticket is valid. By default, user tickets have a maximum duration of 10 hours.

Maximum Lifetime For User Ticket Renewal

Sets the maximum amount of time for renewal of a user ticket. By default, the maximum renewal period is seven days.

Maximum Tolerance For Computer Clock Synchronization

Sets the maximum amount of tolerance for discrepancies in computer clock time. By default, computers in the domain must be synchronized within five minutes of each other. If they aren't, authentication fails.

You can access the Default Domain Policy GPO using the Group Policy editing tools. If you are using the Group Policy Management Console, the Default Domain Policy GPO is accessible when you click the domain name in the console tree. You then need to right-click the Default Domain Policy node and select Edit. If you want only to work with security settings in the Default Domain Policy GPO, you can use the Domain Security Policy console, which is found on the Administrative Tools menu.

8.1.3.2.6. Identifying default security for local policies

When working with Group Policy, you'll also want to carefully manage local policies. In Group Policy, the following Local policies are stored under Computer Configuration\Windows Settings\Security Settings\Local Policies:

Audit Policy

Used to manage audit policy for an Active Directory domain

User Rights Assignment

Used to manage user rights assignment for an Active Directory domain

Security Options

Used to manage additional security options for accounts, auditing, devices, interactive logon, network access, and more

In the default configuration, all related policies are Not Defined. This means you must configure Audit Policy to enable auditing. You may also need to configure user rights assignments as well as security options.

The best way to manage local policies for a domain is to use the policies that apply to your organization's domain controllers, member servers, and workstations. For example, all domain controllers are placed in the Domain Controllers OU by default. This means any security setting applied to this OU will apply to all domain controllers automatically.

You can access the Default Domain Controllers Policy GPO using the Group Policy editing tools. If you are using the Group Policy Management Console, you'll see the Default Domain Controllers Policy GPO when you click the Domain Controllers node in the console tree. You then need to right-click the Default Domain Controllers Policy and select Edit. If you want only to work with security settings in the Default Domain Policy GPO, you can use the Domain Security Policy console, which is found on the Administrative Tools menu.

8.1.4. Planning Security for Servers That Are Assigned Specific Roles

Hardening servers to ensure that they are secure involves deploying specific security configuration baselines using Group Policy and creating custom security templates to enhance security as necessary to support various server roles. Creating a secure baseline provides a starting point for ensuring the security of computers on the network. Creating role-specific security templates ensures enforcement of security policy based on a computer's role on the network.

Windows Server 2003 Service Pack 1 includes the Security Configuration Wizard, which you can use to create a security policy that can be applied to any server on the network. The wizard can be used to create a new security policy, to edit or apply an existing security policy, or to rollback the last applied security policy. The wizard does not install components or set up a server to perform specific roles.

8.1.4.1. Deploying the security configuration for servers that are assigned specific roles

In an Active Directory domain, a computer's baseline security can be configured using Group Policy. During startup, a computer processes computer policy settings according to the GPOs that apply to the computer. A history of the registry-based settings that are applied to the computer are stored in %AllUsersProfile%\Ntuser.pol. Because of the object-based hierarchy used by Active Directory, multiple GPOs can apply. When Group Policy is set for a computer, everyone who logs on to the computer is affected by the policy settings.

When multiple policies are in place, the policies are applied in the following order:

1. Local computer group policy

2. Site group policy

3. Domain group policy

4. OU group policy

If there are conflicts among the policy settings, the settings applied later have precedence by default, meaning they overwrite previously applied settings. The cumulative affects of policy settings in multiple GPOs are determined by inheritance- and policy-processing rules. When you apply a policy setting in a top-level GPO, the lower-level GPOs inherit the setting, unless inheritance is blocked or overridden. Because of this, a setting in a top-level GPO can affect every user and computer throughout the enterprise. The end result of inheritance and policy processing is referred to as the Resultant Set of Policy (RSoP). By determining the RSoP for a user or computer, you can determine the specific policy settings that are being applied to that user or computer.

To determine what policies apply to a computer, you must first determine where the related computer object is stored in Active Directory. By default, workstations and member servers are placed in the Computers container within Active Directory, and domain controllers are placed in the Domain Controllers OU. In this default configuration, workstations and member servers are only affected by site and domain GPOs, while domain controllers are affected by site and domain GPOs as well as any GPOs applied to the Domain Controllers OU. The highest precedence GPO applied to the Domain Controllers OU by default is the Default Domain Controllers Policy GPO.

The best way to apply a specific secure baseline to workstations and member servers is to create new organizational units in the domain, configure the appropriate policy settings for the related OU GPOs, and then move the computer objects into the OUs you've created. In this way, you associate a GPO containing your secure baseline with the computers placed in the GPO. As a rule, each type of computer that requires a different security configuration should have its own OU. Following this, you might use the following OUs to implement role-specific security configurations:

Domain Controllers

The default OU for domain controllers.

Workstations

An OU for general-purpose workstations.

ApplicationServers

An OU for application servers and internal web servers.

InfrastructureServers

An OU for member servers that provide essential services, such as DNS, DHCP, and WINS.

FilePrintServers

An OU for file and print servers.

MailDBServers

An OU for mail and database servers.

In Group Policy, the primary security settings you'll want to manage for computers are stored under Computer Configuration\Windows Settings\Security Settings and include:

Account policy

These settings control security for passwords, account lockout, and Kerberos.

Local policy

These settings control security for auditing, user rights assignment, and other security options.

Event log policy

These settings control security for event logging.

Restricted groups policy

These settings control security for local group membership administration.

System services policy

These settings control security and startup mode for local services.

Filesystem policy

These settings control security for the local filesystem.

Registry policy

These settings control the values of security-related registry keys.

These are the same areas of policy that are managed using security templates.

8.1.4.2. Creating custom security templates based on server roles

To deploy security configurations, you can use security templates that contain customized sets of group policy definitions that are used to apply essential security settings. Security templates are stored as .INF files in the %SystemRoot%\Security\Templates folder.

Windows Server 2003 installations include a standard set of security templates that can be imported into any GPO. Table 8-5 summarizes the standard templates you'll work with the most.

When you are configuring computer security, you'll use both the Security Templates snap-in and the Security Configuration And Analysis snap-in. Use the Security Templates snap-in to view and create security templates. Use the Security Configuration And Analysis snap-in to apply templates and to compare the settings in a template to the existing settings on a computer. You can use the following technique to access these tools:

1. Click Start Run. Type mmc in the Open field, and then click OK.

2. In the Standalone tab, click Add.

3. In the Add Standalone Snap-In dialog box, click Security Templates, and then click Add.

4. Click Security Configuration And Analysis, and then click Add.

5. Close the Add Standalone Snap-In dialog box by clicking Close, and then click OK.

You should create a custom security template for each server role you've identified in the organization. Rather than starting from scratch, you should use the standard templates as a starting point for your role-specific security configurations. Do this by creating a copy of a template and then modifying it to meet the security requirements of the server role.

You can create a copy of a template and modify it by completing these steps:

1. Open the Security Templates console.

2. Right-click the template you want to copy and click Save As.

3. Type of new name for the template, and then click Save.

4. This creates a copy of the template with the same settings as the original template.

5. Modify the settings to meet the needs of the computer role/type for which you are configuring the template.

You can create a new template without initial settings by completing the following steps:

1. Right-click the C:\Windows\security\templates node in the Security Templates snap-in, and then select New Template.

2. Type a name and description for the template.

3. Click OK.

8.1.4.3. Configuring security for servers that are assigned specific roles

Once you've created your role-specific security templates, you can deploy the security configurations. To deploy a security template through Group Policy, you import the security template into a GPO and in this way, apply the security template to every computer object in the GPO. One way to import a security template into a GPO is to follow these steps:

1. Open Active Directory Users And Computers.

2. Right-click the role-specific OU into which you want to import a security template, and then select Properties.

3. On the Group Policy tab, click the GPO you want to work with in the Group Policy Object Links list, and then click Edit.

4. Under Computer Configuration, expand Windows Settings Security Settings.

5. In the Import Policy From dialog box, shown in Figure 8-5, select the security template to import, and then click Open.

   Figure 8-5. Select the security template to import.

   

The imported policy is applied to computers in the OU the next time Group Policy is refreshed. You can force the computer to refresh by restarting it or by running the Gpupdate command-line utility.

To apply a security template to an individual computer, you can use the Security Configuration And Analysis snap-in. This snap-in can also be used to compare the settings in a template to the effective settings on a computer. In either case, Security Configuration And Analysis uses a working database to store the settings in the template that you are applying.

You can create a database and apply a template using the following technique:

1. Open the Security Configuration And Analysis snap-in.

2. Right-click the Security Configuration And Analysis node, and then click Open Database.

3. Type a new database name in the File Name field, and then click Open.

4. In the Import Template dialog box, select the security template to apply, and then click Open.

5. Right-click the Security Configuration And Analysis node and choose Configure Computer Now.

6. When prompted to set the error log path, accept the default or type a new path. Click OK.

7. View the configuration error log by right-clicking the Security Configuration And Analysis node and choosing View Log File.

To compare a computer's current security settings to a particular template, you can use the following technique:

1. Open the Security Configuration And Analysis snap-in.

2. Right-click the Security Configuration And Analysis node, and then click Open Database.

3. Type a new database name in the File Name field, and then click Open.

4. In the Import Template dialog box, select the security template to apply, and then click Open.

5. Right-click the Security Configuration And Analysis node, and then choose Configure Computer Now.

6. When prompted to set the error log path, accept the default or type a new path. Click OK.

7. Right-click the Security Configuration And Analysis node, and then choose Analyze Computer Now.

8. When prompted to set the error log path, type a new path or click OK to use the default path.

9. Expand nodes and select entries to pinpoint discrepancies between the template and the computer's current settings.

Before you apply a template, you may want to create a rollback template. To do this, use the following syntax with the secedit command-line utility:

 secedit /generaterollback /cfg filename /rbk filename /log filename 

where /cfg filename sets the name of the security template for which you are creating a rollback template, /rbk filename sets the name of a security template into which the reverse settings should be stored, and /log filename sets the name of an optional log file to use, such as:

 secedit /generaterollback /cfg hisecws.inf /rbk rev-hisecws.inf /log rollback.log 

In the previous example, you are creating a rollback template for the Hisecws.inf template. While a rollback template allows you to remove the settings applied with a template, it does not recover settings for access control lists on files or the Registry. These settings must be recovered manually.