The Basic Windows 2000 Security Tools

This section introduces the functions and uses of the Windows 2000 Security Configuration Tool Set. The Tool Set is a response to systems administrators' need for a central, easy-to-use program for configuring domain, OU, and local security in a Windows 2000 organization of any size. In Windows NT 4.0, configuration of various security parameters required using multiple tools, such as User Manager, User Manager for Domains, Transmission Control Protocol/Internet Protocol (TCP/IP) properties, direct Registry edits, the RAS administrator, and more. The Tool Set makes it possible to configure and manage these security services from a single, centralized interface.

In addition to conveniently bringing together formerly widely disparate programs into a single interface, the Security Configuration and Analysis snap-in allows the administrator to analyze a local machine's current configuration. This analysis can be performed against security templates so that the network manager can compare the present configuration to a proposed ideal configuration, which can then be applied with a couple of simple clicks of the mouse.

The Security Configuration Tool Set comes at an opportune time. Never before has a Microsoft operating system offered the degree of airtight security that Windows 2000 offers. Neither has security been so configurable at such a granular level. The Tool Set allows the administrator to get a handle on configuring and managing the Windows 2000 security scheme.

Security Configuration Tool Set

The Security Configuration Tool Set is a collection of security configuration and management programs included in Windows 2000. The primary goal of each of these components is to make it easier to manage enterprisewide security parameters. The administrator can group the Tool Set components together into a single Microsoft Management Console (MMC) and manage security for the entire enterprise from a central location.

Each component of the Security Configuration Tool Set is integrated into the Windows 2000 security infrastructure. The new Distributed Security Services model, as defined in Windows 2000, requires a central interface to manage an enterprise's complex security requirements. The Tool Set components interact with Active Directory, Kerberos Authentication mechanisms, and Windows 2000 PKI.

The four main components of the Security Configuration Tool Set are:

  • Security templates

  • Group Policy security configuration objects

  • Security Configuration and Analysis snap-in

  • Command-line tools

Security Templates

Microsoft provides a full set of templates that conform to a number of common security scenarios. These security templates can be broken into two general categories: default and incremental. The default, or basic, templates are applied by the operating system when a clean install is performed. They are not applied if an upgrade installation is done.

The incremental templates should be applied after the basic security templates have been applied. The incremental template types are compatible (for workstations or servers), secure (workstations, servers, domain controllers), highly secure (workstations, servers, domain controllers), optional components (workstations, servers), and no terminal SID.

If a template name ends in SV, it is for a standalone computer or member server (not a domain controller). If a template name ends in DC, it is for a domain controller. Template names ending in WK are for client computers (workstations). For example, the template basicsv.inf is used to restore a standalone server to the default state of a fresh install; basicwk.inf is used to accomplish the same thing for workstations. Table 1.2 describes the function of these provided templates.

Table 1.2: Windows 2000 Security Templates

| Security Level | Template Name | Template Description |
|---|---|---|
| Basic | basicwk.inf, basicsv.inf, basicdc.inf | The basic templates are used to set the initial security configuration of a particular computer. The basic templates can also be used to correct the current configuration on a computer. When a basic template is applied to a computer, the security settings will be rolled back to the installation defaults. |
| Compatible | compatws.inf | If you do not want your users to have Power User rights but still need them to be able to install and run most legacy applications, the compatible configuration alters the default permissions for the Users group so that legacy applications can run properly. This is not a secure environment; the template creates compatibility by reducing the default security levels on the folders, files, and Registry keys that applications typically access. |
| Secure | securews.inf, securedc.inf | The secure templates increase the level of security for account policy, certain Registry keys, and auditing. Permissions for file system objects are not affected by this configuration. Two secure templates are provided: securedc.inf for DCs and securews.inf for workstations and member servers. The secure templates provide a medium level of security, stricter than the basic templates but not as secure as the highly secure templates. |
| Highly secure | hisecws.inf, hisecdc.inf | Highly secure configurations add security to network communications. IPSec is configured for these machines and is required for communications. Two highly secure templates are provided: hisecdc.inf for domain controllers and hisecws.inf for workstations and member servers. The highly secure templates provide the highest level of preconfigured security available but cause communications problems with legacy clients due to the requirement of IPSec for network communications. |
| Out of box | DC security.inf | The DC security.inf template contains the file and Registry settings initially applied to Windows 2000 DC during promotion. |
| Out of box | setup security.inf | The setup security.inf template contains the security settings applied to Windows 2000 servers and workstations at the time of installation. For clean installations, these are the same settings as basicsv.inf and basicwk.inf. Unlike basicsv.inf and basicwk.inf, setup security.inf shows the actual values added instead of using variables. |
| Optional components | ocfiless.inf, ocfilesw.inf | These templates improve the local security for optional components such as terminal services and certificate services that are not automatically added to Windows 2000 systems when they are installed. |
| No terminal server SID | notssid.inf | This template removes the terminal server SID from all Registry and file system objects. |

The administrator can save time and effort during an initial rollout by applying these templates to workstations, DCs, and member and standalone servers. Then, as time allows, the administrator can customize and fine-tune security settings for local computers, OUs, or an entire domain. In this chapter, we examine both the application of the initial template and the subsequent fine-tuning configuration of the applied template.

In addition to the templates that ship with Windows 2000, a number of other templates are available from Microsoft as part of the Security Operations Guide for Windows 2000 Server, located at www.microsoft.com/technet/security/prodtech/windows/windows2000/staysecure/default.asp. We explore some of these role-specific templates later in Chapter 2.

Exam Warning 

You absolutely must have a solid grasp on the purpose and role of each security template that ships with Windows 2000. Key points to keep in mind when working with security templates are which ones are standalone, which ones are incremental, and the basic purpose of each, including the type of computer on which the template is to be deployed. Know those security templates!

Group Policy Security Settings

Security in Windows 2000 is applied primarily through Group Policy. Group Policy can be applied in an organization at four distinct levels, each inheriting the settings from the level above it. Group Policy is applied at the following levels (and in this order):

  • Local  This is Group Policy applied directly to the local computer itself.

  • Site  Site-level Group Policy objects are applied to all objects within that site. Site Group Policy objects (GPOs) overwrite the local GPO. If more than one site-level GPO exists, the administrator can specify the order in which they are applied, thus determining the GPOs that will be overwritten should a conflict occur.

  • Domain  Domain-level GPOs are applied to all objects within the domain and overwrite site-level GPOs. As with site GPOs, the administrator can specify the order in which domain-level GPOs are applied, should more than one exist.

  • Organizational Unit  OU GPOs are processed last, with the GPO linked to the highest OU processed first, followed by the GPOs linked to each successive child OU. OU GPOs overwrite all GPOs that have come before them and therefore provide the most granular level of security configuration available of all the levels of Group Policy. Again, should more than one OU level GPO exist, the GPOs are processed in the order the administrator specifies.
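The processing order above, modelled as an added Python example that is not from the book: the GPO names and setting names are constructed, and the function records which GPO supplied each effective value and what it overwrote along the way.

```python
from typing import Dict, List, Tuple

Gpo = Tuple[str, Dict[str, object]]          # (GPO name, settings it defines)


def resolve(local: Gpo, site: List[Gpo], domain: List[Gpo],
            ou_chain: List[Tuple[str, List[Gpo]]]):
    """Apply GPOs in Local, Site, Domain, OU order; later writes overwrite earlier ones.

    The site and domain lists are in the order the administrator specified.
    ou_chain runs from the highest OU down to the child OU holding the computer.
    Returns (effective, trail):
      effective[setting] = (value, source)
      trail[setting]     = every (source, value) that set it, in processing order
    """
    steps: List[Tuple[str, Dict[str, object]]] = [("Local: " + local[0], local[1])]
    steps += [("Site: " + name, s) for name, s in site]
    steps += [("Domain: " + name, s) for name, s in domain]
    for ou, gpos in ou_chain:
        steps += [("OU " + ou + ": " + name, s) for name, s in gpos]

    effective, trail = {}, {}
    for source, settings in steps:
        for setting, value in settings.items():
            trail.setdefault(setting, []).append((source, value))
            effective[setting] = (value, source)
    return effective, trail


def overwritten(trail):
    """Settings whose final value replaced a different value set earlier."""
    return sorted(setting for setting, hist in trail.items()
                  if any(value != hist[-1][1] for _, value in hist[:-1]))


# Constructed sample: names and values are illustrative only.
LOCAL = ("Local GPO", {"DontDisplayLastUserName": 0, "AuditLogonEvents": 0})
SITE = [("HQ-Site", {"MaxSecurityLogKB": 512})]
DOMAIN = [("Domain-Baseline", {"DontDisplayLastUserName": 1, "AuditLogonEvents": 1}),
          ("Domain-Audit", {"AuditLogonEvents": 3})]
OU_CHAIN = [("Servers", [("Servers-Logs", {"MaxSecurityLogKB": 10240})]),
            ("Web", [("Web-Audit", {"AuditLogonEvents": 2})])]

EFFECTIVE, TRAIL = resolve(LOCAL, SITE, DOMAIN, OU_CHAIN)

if __name__ == "__main__":
    for setting in sorted(EFFECTIVE):
        value, source = EFFECTIVE[setting]
        print(f"{setting} = {value}  (from {source})")
        for src, val in TRAIL[setting][:-1]:
            print(f"    overwrote {val} from {src}")
```

The trail is the part worth keeping when a security setting does not take effect as expected: it shows every GPO that touched the setting and the one that won.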

Test Day Tip 

You should ensure that you have a complete and total understanding of the four levels at which Group Policy is applied. This understanding should include the order in which the levels are applied. This information will prove valuable for not only this exam, but for just about any Windows 2000 exam you take—not to mention the practical benefit to you in working within your own organization.

You apply security through Group Policy using different tools for each level, as you might expect. At the local level, using the Local Security Settings console (see Figure 1.6) allows you to configure and implement the local GPO. Any changes you make here will be implemented in the local GPO. Note that you could also make these same changes in a local GPO console, from the Computer Configuration | Windows Settings | Security Settings node.

Figure 1.6: Using the Local Security Settings Console

Applying security configurations to the site-level GPO is done using the Active Directory Sites and Services console (see Figure 1.7). Right-click the site name, select Properties, change to the Group Policy tab of the Properties page, and from there you can create or edit Group Policy to apply at the site level. Security settings are not typically applied at the site level, however, which could explain the lack of a tool specifically for this purpose.

Figure 1.7: Accessing Security Configuration Settings at the Site Level

The process of applying security settings at the domain level has been simplified, thanks in part to the existence of the Domain Security Policy console (see Figure 1.8). This console allows you to configure security settings for all objects in the domain, including child domains within that domain. Applying security at the domain is the most common method of Group Policy security application and is discussed further later in this chapter, in the "Configuring Basic Windows 2000 Security with Templates" section.

Figure 1.8: Configuring the Domain-Level Security Policy

It is of interest that certain security configurations can only be made at the domain level, such as those dealing with Account Policies and Registry security. This limitation is due to the fact that Active Directory only allows one domain account policy per domain. For more information on this topic (and an exception to the rule), see the Knowledge Base article located at http://support.microsoft.com/default.aspx?scid=KB;en-us;255550.

Alternatively, you can work with domain-level Group Policy from the Active Directory Users and Computers console by right-clicking the domain, selecting Properties, and then switching to the Group Policy tab.

Configuring OU Group Policy and security settings requires you to use the Active Directory Users and Computers console, shown in Figure 1.9. To configure settings for a specific OU, right-click it, select Properties, change to the Group Policy tab, and have at it. As mentioned previously, you can work with domain-level Group Policy security settings by right-clicking the domain and selecting Properties (see Figure 1.10).

Figure 1.9: Using the Active Directory Users and Computers Console to Configure Security Settings

Figure 1.10: Managing Domain Security from Active Directory Users and Computers

By applying one of the preconfigured templates and then performing customization using the tools outlined here, you can quickly create custom security template solutions that meet your needs without the burden of starting completely from scratch. In the next section, "Configuring Basic Windows 2000 Security with Templates," we examine each of the major areas that make up a security template.

start sidebar
Head of the Class…
Group Policy Security Versus Security Templates

By now it might seem that using Group Policy to configure security settings and using security templates are two ways to accomplish the same task. This is indeed true. The key difference comes when you consider what each was designed for.

Security templates are designed to allow you to quickly apply a preconfigured security solution to a specific computer or group of computers. These templates were designed to be a starting location for further customization. This is where Group Policy comes into play. Should you happen to apply a security template and then later decide you want to further enhance security in a specific area, using one of the aforementioned tools to edit the appropriate Group Policy object is the way to go. In short, look at security templates as a well-defined starting point that can be customized to meet the requirements of the situation by using Group Policy settings.

One key point to remember: Any settings you configure directly in Group Policy cannot be exported into a template for use on another computer. By the same token, settings applied via a template can sometimes be very difficult to remove should you later change your mind about the template application.

end sidebar

Security Configuration and Analysis

The Security Configuration and Analysis console snap-in can be used on a local computer to compare its current security configuration settings to those defined by a template. The template to which you're comparing can be either one of the preconfigured templates supplied with Windows 2000 or a custom-created template that is in use in your organization.

Test Day Tip 

The key to working with Security Configuration and Analysis is to never forget that it is used only on the local computer, never on a domain or OU scale. This limitation hampers its utility but does not prevent you from using it to develop and deploy robust security templates to your organization on a large scale. Importing templates into a domain or OU is discussed later in this chapter.

Using Security Configuration and Analysis does not cause any settings to be added to the existing security configuration. The Security Configuration and Analysis snap-in database contains the administrator's security preferences. The database is populated with entries derived from security templates. You have the choice to import multiple templates and merge the contents of those templates, or you can import templates in their entirety after the previous database entries have been cleared.

The database is central to the security analysis process. The administrator can initiate a security analysis after configuring the entries in the database to meet the organization's perceived needs. The security analysis compares the settings in the database with the actual settings implemented on the local computer. Individual security settings are flagged by an icon that changes depending on whether the actual security settings are the same as or different from those included in the database. You will also be informed if there are settings that have not been configured at all and thus might require your attention. Figure 1.11 shows the results of a security analysis.

Figure 1.11: The Results of a Security Analysis in the Security Configuration and Analysis Snap-In

Prior to the security analysis, the administrator configured the preferred security settings in the database. After the database was populated with an ideal security scenario, it was tested against the current machine settings. A green check mark indicates that the current machine settings are the same as those set in the database; a red X indicates that there is a conflict; and a generic icon indicates that the setting was not defined in the database. After the analysis is performed, the administrator can make changes to the database as desired and rerun the analysis. When the database matches the precise security configuration required, the administrator can then apply the database settings to the local machine's security policy.

The formulation of a well-planned security policy is a time-consuming process. To add a measure of fault tolerance, the database entries can be exported to a text file, which can be saved for later use on the same machine or applied to another machine, domain, or OU. The exported template is saved as an .inf file and can be imported to other computers, domains, and OUs. In this way, the security parameters can be reproduced exactly from one machine to another.
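The analysis workflow described above, as an added Python example rather than code from the book or from Microsoft: it loads template text into a database (merging, or clearing first), compares the database with machine settings, and reports match, mismatch, or not defined. The template text and machine values are constructed samples, and the rule that the last imported template wins a conflict is an assumption of the example.

```python
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]                 # (template section, setting name)
Settings = Dict[Key, str]
METADATA_SECTIONS = {"Unicode", "Version"}   # header sections, not settings


def parse_template(text: str) -> Settings:
    """Read the 'name = value' lines of a security template (.inf) by section."""
    settings: Settings = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is None or section in METADATA_SECTIONS or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[(section, name.strip())] = value.strip().strip('"')
    return settings


def import_template(database: Settings, text: str, overwrite: bool = False) -> Settings:
    """Merge a template into the database, or clear the database first.

    Assumption of this example: on a conflict the template imported last wins.
    """
    merged = {} if overwrite else dict(database)
    merged.update(parse_template(text))
    return merged


def analyze(database: Settings, machine: Settings) -> Dict[Key, str]:
    """Classify every setting the way the snap-in's icons do."""
    result = {}
    for key in sorted(set(database) | set(machine)):
        if key not in database:
            result[key] = "not defined"      # generic icon
        elif machine.get(key) == database[key]:
            result[key] = "match"            # green check mark
        else:
            result[key] = "mismatch"         # red X
    return result


def mismatches(database: Settings, machine: Settings):
    """Map each conflicting setting to (database value, machine value)."""
    return {k: (database[k], machine.get(k))
            for k, status in analyze(database, machine).items() if status == "mismatch"}


# Constructed samples, not copied from any shipped template.
BASELINE = """
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
HARDENING = """
[System Access]
MinimumPasswordLength = 10
PasswordHistorySize = 24
"""
MACHINE: Settings = {
    ("System Access", "MinimumPasswordLength"): "0",
    ("System Access", "MaximumPasswordAge"): "42",
    ("System Access", "LockoutBadCount"): "0",
    ("System Access", "PasswordHistorySize"): "24",
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Event Audit", "AuditSystemEvents"): "0",
}
DATABASE = import_template(import_template({}, BASELINE), HARDENING)

if __name__ == "__main__":
    for (section, name), status in analyze(DATABASE, MACHINE).items():
        print(f"{status:<12} [{section}] {name}")
```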

The following areas can be configured and analyzed using the Security Configuration and Analysis snap-in:

  • Account Policies  The Account Policies node includes those configuration variables that you formerly manipulated in the User Manager for Domains applet in NT 4.0. The two subnodes of the Account Policies node include the Password Policy node and the Account Lockout Policy node. In the Password Policy node, you can set the minimum and maximum password ages and password lengths. The Account Lockout Policy allows you to set lockout durations and reset options.

  • Local Policies  Local policies apply to the local machine. Subnodes of the Local Policies node include Audit Policy, User Rights Policy, and Security Options. Audit and User Rights policies look familiar to users of NT 4.0. The Security Options node offers the administrator many options that formerly were available only by manipulating the Windows NT 4.0 Registry or through the Policy Editor (poledit). Examples include the ability to set the message text and message title during logon, restricting the use of diskettes, and the "Do not display last username at logon" option.

  • Event Log  The Event Log node allows you to configure security settings for the Event Log. These settings include maximum log sizes, configuring guest access to the Event Log, and whether or not the computer should shut down when the security log is full.

  • Restricted Groups  You can centrally control the members of groups. At times, an administrator adds someone temporarily to a group, such as the Backup Operators group, and then neglects to remove that user when the user no longer needs to be a member of that group. These lapses represent a potential hole in network security. You can configure a group membership list in the Restricted Groups node and then configure an approved list of members by reapplying the security template you have created.

  • System Services  You can define the security parameters of all system services in the database via the System Services Node. You can define whether a service startup should be automatic, manual, or disabled. You also can configure which user accounts have access to each service.

  • Registry  The Registry node allows you to set access restrictions on individual Registry keys.

  • File System  The File System node allows you to set folder and file permissions. This is a great aid to the administrator who might have been experimenting with access permissions on a large number of files or folders and then later cannot recall the original settings. You can apply a security template to restore all file and folder permissions to their original settings.

Each of these areas is examined in the next section, "Configuring Basic Windows 2000 Security with Templates." The use and configuration of the Security Configuration and Analysis snap-in is examined later, in the "Analyzing Your Security Configuration" portion of this chapter.

Exam Warning 

Knowing and understanding the configurable areas and the roles they play in the overall security process are important for this exam. Don't worry so much about memorizing each configurable item in these areas. (We discuss these items later in this chapter.) You should instead be aware that these different areas exist and what they are used for.

The Command-Line Tools

Although the GUI has replaced the computer tools of old, when all work was done from a text-based command line, command-line tools still play a large role in a network administrator's life. Many jobs have been made easier with the introduction of the functional GUI front for them, whereas others still require the power and control that only the command line can give. Some GUI-based utilities also have command-line alternatives that provide for scripting and automated accomplishment of management tasks. Three tools are presented here: secedit.exe, which comes with Windows 2000, and gpresult.exe and gpotool.exe, which are part of the Windows 2000 Server Resource Kit.

Secedit.exe

The secedit.exe command-line tool offers much of the functionality of the Security Configuration and Analysis snap-in from the command line. This tool allows the administrator to script security analyses for many machines across the enterprise and save the results for later analysis.

The secedit.exe tool's reporting capabilities are limited. Although you can perform a security analysis from the command line, you cannot view the results of the analysis with secedit.exe. You must view the analysis results from the graphic Security Configuration and Analysis snap-in interface.

Additionally, the secedit.exe tool can be used to configure, refresh, and export security settings as well as validate security configuration files. We work with the secedit.exe tool later in this chapter, in the "Analyzing Your Security Configuration" section.

Gpresult.exe and Gpotool.exe

The gpresult.exe and gpotool.exe utilities are part of the Windows 2000 Server Resource Kit. Users without access to the Resource Kit CD can download the utilities from www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp.

The gpresult.exe tool can be used to quickly display the net Group Policy settings for a computer. These settings can be used to help you determine which GPOs have been applied.

The gpotool.exe tool can be used to check the validity of GPOs across multiple domains. This can be helpful in cases in which you are experiencing unexplained difficulties applying Group Policy (i.e., security) settings in your network.

Although neither of these tools is directly related to security, they both have some value to you during times of troubleshooting Group Policy application. Since security settings are commonly deployed via Group Policy, these utilities should be in your toolbox.

Test Day Tip 

Don't expect to see any questions about gpresult.exe and gpotool.exe on your exam. Information in this chapter pertaining to these two tools is more for your reference, because they can prove to be quite useful when you're trying to track down problems with Group Policy application.

Creating the Security Configuration Tool Set User Interface

Two user interfaces are available to configure system security settings: the graphical interface and the secedit.exe command-line interface. You should do most of your work from the graphical interface—design your security scenarios, test them against extant security settings, and then apply scenarios stored in the security database after testing.

After you customize security scenarios to suit your needs, you can export the scenario to a plaintext file, which you can save for later use. You can edit the exported text file by hand using any available text editor. However, Microsoft recommends that users confine themselves to the graphical interface so as not to introduce random elements into the file's structure and inadvertently corrupt the file contents. Your interaction with the Security Tools set will occur via these interfaces (in order of usage preference):

  • Security Configuration and Analysis snap-in

  • Group Policy security configuration objects

  • The secedit.exe command-line tool

Oddly enough, and despite its power and usefulness, the Security Configuration and Analysis snap-in does not come as a preconfigured MMC console such as the Computer Management or Active Directory Users and Computers consoles. You must create your own custom MMC in order to use the Security Configuration and Analysis snap-in. Exercise 1.01 provides the procedure to create your own "security console."

Exercise 1.01: Creating the Security Console

start example
  1. Choose Start | Run, enter mmc in the text box, and click OK.

  2. From the MMC menu, click Add/remove snap-in, and then click the Add button.

  3. Select and add the following snap-ins:

    • Security Configuration and Analysis

    • Security Templates

  4. Click Close in the Add Standalone Snap-in window.

  5. Click OK in the Add/Remove Snap-in window.

  6. Save your MMC by clicking the console drop-down menu and choosing Save As.

  7. In the filename box, type Security Tool Set or any other name you want. This step automatically saves your MMC into the Administrative Tools folder.

end example



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
