Armed now with our understanding of how Active Directory works and what tools are available to us as administrators for configuring and implementing basic security measures, we now need to look at the security settings available in the security templates or Group Policy security consoles.
Account Policies define aspects of security that relate primarily to passwords. The Password Policy contains entries related to password aging and password length. The Account Lockout Policy determines how many failed tries a person gets before the account is locked out. The Kerberos Policy applies only to domain logons, since local logons do not use Kerberos. Entries include maximum lifetimes for various tickets, such as user tickets and user renewal. Figure 1.12 shows the expanded Account Policies node. Table 1.3 presents the configurable options available within the Account Policies node.
Figure 1.12: Account Policies
Option | Description |
---|---|
Password Policies | |
Enforce password history | Remembers users' passwords. Requires that users cannot use the same password again until it has left the password history. Values range from 0 passwords remembered to 24 passwords remembered. The default is 0 passwords remembered. |
Maximum password age | Defines the maximum amount of time that a user can keep a password without having to change it. Values range from the password never expires to password expires every 999 days. The default is 42 days. |
Minimum password age | Defines the minimum amount of time that a user can keep a password without having to change it. Values range from password can be changed immediately to password can be changed after 998 days. The default is 0 days. |
Minimum password length | Defines the minimum number of characters required for a user's password. Value ranges from no password required to at least 14 characters required. The default is 0 characters. |
Passwords must meet complexity requirements | Requires that the user's password have a mix of uppercase, lowercase, and numbers. Value is either enabled or disabled. The default is disabled. |
Store password using reversible encryption for all users in the domain | Stores a copy of the user's password in Active Directory using reversible encryption. This is required for the message digest authentication method to work. Value is either enabled or disabled. The default is disabled. |
Account Lockout Policies | |
Account lockout duration | Defines the time in minutes that an account will remain locked out. Value ranges from account is locked out until administrator unlocks it to 99,999 minutes (69 days, 10 hours, and 39 minutes). The default is not defined. |
Account lockout threshold | Defines how many times a user can enter an incorrect password before the user's account is locked. Value ranges from the account will not lock out to 999 invalid logon attempts. The default is 5 attempts. |
Reset account lockout counter after | Defines how long to keep track of unsuccessful logons. Value ranges from 1 minute to 99,999 minutes. The default is not defined. |
Kerberos Policies | |
Enforce user logon restrictions | This forces the KDC to validate every request for a session ticket by examining the user rights policy on the target computer to make sure that the user has the right to either log on locally or access the computer across the network. This policy additionally checks to see that the requesting account is still valid. These checks are optional and, when enabled, could result in slower network access to services. The default setting is enabled. |
Maximum lifetime for service ticket | Defines the maximum amount of time in minutes that a service ticket is valid. Value ranges from tickets don't expire to 99,999 minutes. The default is 600 minutes (10 hours). |
Maximum lifetime for user ticket | Defines the maximum amount of time in hours that a user ticket is valid. Value ranges from tickets don't expire to 99,999 hours. The default is 10 hours. |
Maximum lifetime for user ticket renewal | Defines the maximum lifetime of a ticket (Ticket Granting Ticket or session ticket). No ticket can be renewed after this lifetime has passed. The default is seven days. |
Maximum tolerance for computer clock synchronization | Specifies the amount of time in minutes that computers' clocks can be skewed. Value ranges from 0 minutes to 99,999 minutes. The default is 5 minutes. |
Exam Warning: Password policies can only be set at the domain level. Be attentive to questions that could suggest that policies can be set at the local, site, or OU levels.
Although setting a minimum password age is usually a good thing, in at least one instance it can actually prolong a security breach in your organization. Say, for example, that you have configured the minimum password age to five days (before a user is allowed to change the password). If that password were compromised, the only way the security breach could be rectified would be through administrator intervention, by resetting the password for the user from Active Directory Users and Computers.
Likewise, setting the minimum password age to 0 days and also configuring 0 passwords remembered allows users to circumvent the password rotation process, because they can use the same password over and over. The key to configuring effective policies, password policies or any other, is to first analyze your needs, then test your configuration, and finally apply it once testing has proved that it meets or exceeds your requirements. Don't be the administrator who mistakenly opens the door to attackers while attempting to secure the network.
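The interplay between these settings can be checked mechanically before a template is applied. The following Python script is an added example, not code from the book: it reads the [System Access] section of a secedit-style .inf security template (a constructed sample is embedded) and reports the combinations the text warns about. The 8-character length floor is this example's own assumption, not a value from the table.

```python
import configparser

# Constructed sample template in secedit .inf form, the text format behind
# the Security Templates snap-in. The values deliberately reproduce the
# pitfalls discussed above; they are not taken from any real system.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(template_text):
    """Return the [System Access] settings of a template as a dict of ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written in the .inf
    cp.read_string(template_text)
    return {key: int(value) for key, value in cp["System Access"].items()}


def audit_password_policy(access):
    """Check how the Account Policy values interact.

    Returns a list of (severity, setting, explanation) tuples.
    """
    findings = []
    min_age = access.get("MinimumPasswordAge", 0)
    history = access.get("PasswordHistorySize", 0)

    # Pitfall 1: age 0 together with history 0 lets a user "change" the
    # password straight back to the old one, so rotation achieves nothing.
    if min_age == 0 and history == 0:
        findings.append(("high", "MinimumPasswordAge+PasswordHistorySize",
                         "password can be reused immediately"))
    elif min_age == 0:
        findings.append(("medium", "MinimumPasswordAge",
                         f"0 days: {history} quick changes in a row bring back the old password"))
    # Pitfall 2: a non-zero minimum age means the owner of a compromised
    # password cannot change it; only an administrator reset clears it.
    else:
        findings.append(("info", "MinimumPasswordAge",
                         f"{min_age} days: a compromised password needs an administrator reset"))

    # Short or simple passwords are what dictionary attacks rely on.
    # The 8-character floor is this example's assumption, not a Windows value.
    if access.get("MinimumPasswordLength", 0) < 8:
        findings.append(("high", "MinimumPasswordLength", "fewer than 8 characters"))
    if access.get("PasswordComplexity", 0) != 1:
        findings.append(("high", "PasswordComplexity", "complexity not enforced"))
    if access.get("ClearTextPassword", 0) == 1:
        findings.append(("high", "ClearTextPassword",
                         "passwords stored with reversible encryption"))
    # A threshold of 0 means accounts never lock out, however many guesses.
    if access.get("LockoutBadCount", 0) == 0:
        findings.append(("high", "LockoutBadCount", "accounts never lock out"))
    return findings


def high_findings(template_text):
    """Parse a template and return the settings with high-severity findings."""
    findings = audit_password_policy(parse_system_access(template_text))
    return [setting for severity, setting, _ in findings if severity == "high"]


if __name__ == "__main__":
    for severity, setting, why in audit_password_policy(
            parse_system_access(SAMPLE_TEMPLATE)):
        print(f"[{severity}] {setting}: {why}")
```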
Local policies include the Audit Policy, User Rights Assignment, and Security Options. Some Audit Policy selections include auditing logon events, use of user privileges, systems events, and object access. The User Rights Assignment node includes the ability to grant or deny user rights such as the rights to add workstations to the domain, change the system time, log on locally, and access the computer from the network.
The most profound improvements are found in the Security Options node, where you can make changes that in Windows NT 4.0 could be made only via direct Registry edits. Examples of such security options include clearing the pagefile when the system shuts down, message text during logon, number of previous logons kept in cache, and shut down system immediately if unable to log security audits.
Figure 1.13 shows the expanded Local Policies node. Table 1.4 presents the configurable options available within the Local Policies node. The improvements in local policy management are numerous with the addition of the configurable objects available in the Security Options node.
Figure 1.13: Local Policies
Option | Description |
---|---|
Audit Policies | |
Audit account logon events | Audits when an account is authenticated to the database. The default is not defined. |
Audit account management | Audits when a user account or group is created, deleted, or modified. The default is not defined. |
Audit directory service access | Audits when access is gained to an Active Directory object. The default is not defined. |
Audit logon events | Audits when a user logs on or off a local computer and when a user makes a network connection to a machine. The default is not defined. |
Audit object access | Audits when files, folders, or printers are accessed. The default is not defined. |
Audit policy change | Audits when security options, user rights, or audit policies are modified. The default is not defined. |
Audit privilege use | Audits when a user right is utilized. The default is not defined. |
Audit process tracking | Audits when an application performs an action. The default is not defined. |
Audit system events | Audits when a security-related event, such as rebooting the computer, occurs. The default is not defined. |
User Rights Assignment | |
Access this computer from the network | Allows a user or group to connect to the computer over the network. The default is not defined. |
Act as part of the operating system | Allows a process to gain access to operating system resources under any user identity. The default is not defined. |
Add workstations to the domain | Allows user or group to add a computer to the domain. The default is not defined. |
Back up files and directories | Allows a user or group to bypass file and directory permissions to back up the system. The default is not defined. |
Bypass traverse checking | Allows a user or group to pass through directories to which they have no access while navigating an object path in any Windows file system. The default is not defined. |
Change the system time | Allows a user or group to set the time for the computer's internal clock. The default is not defined. |
Create a pagefile | Allows a user or group to create and change the size of a pagefile. The default is not defined. |
Create a token object | Allows a process to create a token to get access to any local resources. The default is not defined. |
Create permanent shared objects | Allows a process to create a directory object in the object manager. The default is not defined. |
Debug programs | Allows a user or group to attach a debugger to any process. The default is not defined. |
Deny access to this computer from the network | Denies the ability to connect to the computer over the network. The default is not defined. |
Deny logon as a batch job | Denies the ability to log on using a batch-queue facility. The default is not defined. |
Deny logon as a service | Denies the ability to log on as a service. The default is not defined. |
Deny logon locally | Denies a user or group the ability to log on to the local machine. The default is not defined. |
Enable computer and user accounts to be trusted for delegation | Allows a user or group to set the Trusted for Delegation setting on a user or computer object. The default is not defined. |
Force shutdown from a remote system | Allows a user or group to shut down a computer remotely. The default is not defined. |
Generate security audits | Allows a process to make entries in the security log. The default is not defined. |
Increase quotas | Allows a process to increase the processor quota for any processes to which it has write property access. The default is not defined. |
Increase scheduling priority | Allows a process to increase the execution priority for any processes to which it has write property access. The default is not defined. |
Load and Unload device drivers | Allows a user or group to install and uninstall Plug and Play device drivers. The default is not defined. |
Lock pages in memory | Allows a process to keep data in physical memory. The default is not defined. |
Log on as a batch job | Allows a user or group to log on using a batch-queue facility. The default is not defined. |
Log on as a service | Allows logging on as a service. The default is not defined. |
Log on locally | Allows a user or group to log on to the local machine. The default is not defined. |
Manage auditing and security log | Allows a user or group to configure object access auditing. The default is not defined. |
Modify firmware environment | Allows changing the system environment variables. The default is not defined. |
Profile single process | Allows a user or group to use performance monitoring tools to monitor the performance of nonsystem processes. The default is not defined. |
Profile system performance | Allows a user or group to use performance-monitoring tools to monitor the performance of system processes. The default is not defined. |
Remove computer from docking station | Allows a user or group to undock a laptop within Windows 2000. The default is not defined. |
Replace a process level token | Allows a process to replace the default token associated with a subprocess that has been started. The default is not defined. |
Restore files and directories | Allows a user or group to bypass file and directory permissions when restoring backed-up files and directories. The default is not defined. |
Shut down the system | Allows a user or group to shut down the local computer. The default is not defined. |
Synchronize directory service data | Allows a process to provide directory synchronization services. The default is not defined. |
Take ownership of files or other objects | Allows a user or group to take ownership of any securable system object. The default is not defined. |
Security Options | |
Additional restrictions for anonymous connections | Adds restrictions for anonymous connections. Choices include none, do not allow enumeration of SAM accounts and shares, and no access without explicit anonymous permissions. The default is not defined. |
Allow server operators to schedule tasks (domain controllers only) | Gives members of the Server Operators group the right to schedule tasks. The default is not defined. |
Allow system to be shut down without having to log on | Enables the shutdown tab on the Ctrl + Alt + Del logon screen. The default is not defined. |
Allowed to eject removable NTFS media | Defines the groups that are allowed to eject removable NTFS media. The default is not defined. |
Amount of time required before disconnecting session | Defines how long a user can be connected in an idle state before the user is disconnected. The default is not defined. |
Audit the access of global system objects | Audits when a system object is accessed. The default is not defined. |
Audit use of Backup and Restore privilege | Audits when the Backup and Restore privileges are used. The default is not defined. |
Automatically log off users when time expires | Disconnects users who are connected across the network when their time expires. The default setting is disabled. |
Automatically log off users when time expires (local) | Disconnects users who are logged in locally when their time expires. The default is not defined. |
Clear virtual memory pagefile when system shuts down | Empties the pagefile on shutdown. The default is not defined. |
Digitally sign client communications (always) | Requires the computer to sign its communications when functioning as a client, whether or not the server supports signing. Unsigned communications are not allowed. The default is not defined. |
Digitally sign client communications (when possible) | Configures the computer to request signed communications when functioning as a client to a server that supports signing. Unsigned communications will be allowed, but they are not preferred. The default is enabled. |
Digitally sign server communications (always) | Configures the computer to require that all connecting clients sign their communications. Unsigned communications are not allowed. The default is not defined. |
Digitally sign server communications (when possible) | Configures the computer to request that all connecting clients sign their communications. Unsigned communications will be allowed, but they are not preferred. The default is not defined. |
Disable Ctrl + Alt + Del requirement for logon | Forces smartcard logon. The default is not defined. |
Do not display last user name in logon screen | Does not display the name of the last user to log on to the system. The default is not defined. |
LAN Manager authentication level | Controls the level of authentication supported for down-level clients. The default is not defined. |
Message text for users attempting to log on | The text to be displayed in a window presented to all users logging on. The default is not defined. |
Message title for users attempting to log on | The title of the window presented to all users logging on. The default is not defined. |
Number of previous logons to cache (in case domain controller is not available) | Determines how many times users can log on with their cached credentials. The default is not defined. |
Prevent system maintenance of computer account password | Prevents the system from changing the computer account password. The default is not defined. |
Prevent users from installing printer drivers | Keeps users from installing printers. The default is not defined. |
Recovery console: Allow automatic administrative logon | Automatically logs the administrator on with the recovery console administrator account when booting to the recovery console. The default is not defined. |
Recovery console: Allow floppy copy and access to all drives and all folders | Allows copying from a diskette when booted into the recovery console. Also allows access to the entire hard drive in recovery mode. The default is not defined. |
Rename administrator account | Renames the administrator account to the name specified here. The default is not defined. |
Rename guest account | Renames the guest account to the name specified here. The default is not defined. |
Restrict CD-ROM access to locally logged on user only | Restricts network access to the CD-ROM. The default is not defined. |
Restrict floppy access to locally logged-on user only | Restricts network access to the diskette drive. The default is not defined. |
Secure channel: Digitally encrypt or sign secure channel data (always) | Requires the machine to encrypt or sign secure channel data. The default is not defined. |
Secure channel: Digitally encrypt secure channel data (when possible) | Configures the machine to encrypt secure channel data when communicating with a machine that supports digital encryption. The default is not defined. |
Secure channel: Digitally sign secure channel data (when possible) | Configures the machine to sign secure channel data when communicating with a machine that supports digital signing. The default is not defined. |
Secure channel: Require strong (Windows 2000 or later) session key | Requires the use of a Windows 2000 session key. The default is not defined. |
Secure system partition (for RISC platforms only) | Secures the system partition. The default is not defined. |
Send unencrypted password to connect to third-party SMB servers | Sends a clear text password to SMB servers that don't support SMB signing. The default is not defined. |
Shut down system immediately if unable to log security audits | Shuts down the computer when the security log becomes full. The default is not defined. |
Smartcard removal behavior | Determines what will take place when a smartcard is removed from the system. Choices include no action, lock workstation, and force logoff. The default is not defined. |
Strengthen default permissions of global system objects (e.g., Symbolic Links) | Strengthens the default permissions of global system objects. The default is not defined. |
Unsigned driver installation behavior | Controls what happens when the installation of an unsigned driver is attempted. Choices include silently succeed, warn but allow installation, and do not allow installation. The default is not defined. |
Unsigned nondriver installation behavior | Controls what happens when the installation of an unsigned nondriver is attempted. Choices include silently succeed, warn but allow installation, and do not allow installation. The default is not defined. |
One of the simplest means of gaining access to protected system resources is a brute-force attack, which consists of trying to guess or crack passwords by attempting all possible combinations. Brute-force attacks can be performed by users themselves or by the use of specialized software utilities designed for this purpose. Brute-force hacking differs from dictionary hacking in that dictionary hacking tries to guess passwords by comparing them to a large list of common words and phrases. By configuring for strong passwords, you can defeat dictionary hacking, but protecting against brute-force hacking is nearly impossible.
Your only line of defense when it comes to brute-force attacks (or even social hacking by your own users) comes down to configuring and implementing good auditing policies and also configuring account lockout policies with lockout durations that are appropriate for the sensitivity of the information contained within your network.
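Auditing and lockout work together only if someone actually reads the audit trail. As an added example (not from the book), the following Python script replays a constructed extract of Security-log events against the lockout threshold and reset window described above, alerting on accounts that reach the threshold inside the window and noting whether a lockout event followed. The pipe-separated line format, account names, hosts and timestamps are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Security-log extract, one event per line as
# "timestamp|event_id|account|source". 529 is the Windows 2000 audit for
# "Logon Failure: Unknown user name or bad password" and 644 is
# "User Account Locked Out"; accounts, hosts and times are invented.
SAMPLE_LOG = """\
2001-03-05 08:00:01|529|jsmith|WS01
2001-03-05 08:00:03|529|jsmith|WS01
2001-03-05 08:00:04|529|jsmith|WS01
2001-03-05 08:00:06|529|jsmith|WS01
2001-03-05 08:00:07|529|jsmith|WS01
2001-03-05 08:00:07|644|jsmith|WS01
2001-03-05 09:10:00|529|mjones|WS02
2001-03-05 09:50:00|529|mjones|WS02
2001-03-05 10:00:00|529|backupsvc|WS07
2001-03-05 10:00:02|529|backupsvc|WS07
2001-03-05 10:00:03|529|backupsvc|WS09
2001-03-05 10:00:05|529|backupsvc|WS07
2001-03-05 10:00:06|529|backupsvc|WS07
2001-03-05 10:00:08|529|backupsvc|WS09
"""

BAD_PASSWORD = "529"
ACCOUNT_LOCKED = "644"


def parse_events(text):
    """Yield (timestamp, event_id, account, source) from the extract."""
    for line in text.splitlines():
        if line.strip():
            stamp, event_id, account, source = line.split("|")
            yield (datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                   event_id, account, source)


def detect_guessing(text, threshold=5, window_minutes=30):
    """Replay the log against an account lockout policy.

    threshold mirrors "Account lockout threshold" and window_minutes mirrors
    "Reset account lockout counter after". Returns {account: record} for
    every account that reaches the threshold inside the window; the record
    holds the failure count, the sources involved and whether a 644
    lockout event followed (if it never does, the policy is not biting).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # account -> timestamps still in the window
    sources = defaultdict(set)    # account -> workstations that failed
    alerts = {}
    for stamp, event_id, account, source in parse_events(text):
        if event_id == ACCOUNT_LOCKED and account in alerts:
            alerts[account]["locked_out"] = True
        if event_id != BAD_PASSWORD:
            continue
        q = recent[account]
        q.append(stamp)
        while stamp - q[0] > window:   # forget failures older than the window
            q.popleft()
        sources[account].add(source)
        if account in alerts:
            alerts[account]["failures"] += 1
            alerts[account]["sources"] = sorted(sources[account])
        elif len(q) >= threshold:
            alerts[account] = {"failures": len(q),
                               "sources": sorted(sources[account]),
                               "locked_out": False}
    return alerts


if __name__ == "__main__":
    for account, record in detect_guessing(SAMPLE_LOG).items():
        print(account, record)
```

In the sample, jsmith reaches the threshold and is locked out as the policy intends, while backupsvc keeps failing with no 644 event, which is the signature of an account the lockout policy is not protecting.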
The Event Log node allows you to configure settings specifically for Event Logs, as shown in Figure 1.14. Event Log Configuration settings allow you to configure the length of time logs are retained as well as the size of the Event Logs. You can also configure that the system should shut down if the security log becomes full. Table 1.5 presents the configurable options available within the Event Log Policies node.
Figure 1.14: Event Log Policies
Option | Description |
---|---|
Maximum Application Log size | Controls how large the Application log can grow. The default is 512 KB. |
Maximum Security Log size | Controls how large the Security Log can grow. The default is 512 KB. |
Maximum System Log size | Controls how large the System Log can grow. The default is 512 KB. |
Restrict guest access to Application Log | Prevents guest access from reading the Application log. The default is disabled. |
Restrict guest access to Security Log | Prevents guest access from reading the Security Log. The default is disabled. |
Restrict guest access to System Log | Prevents guest access from reading the System Log. The default is disabled. |
Retain Application Log | Tells the Event Log not to overwrite events in the Application Log that are older than the number of days defined. The default is seven days. |
Retain Security Log | Tells the Event Log not to overwrite events in the Security Log that are older than the number of days defined. The default is seven days. |
Retain System Log | Tells the Event Log not to overwrite events in the System Log that are older than the number of days defined. The default is seven days. |
Retention method for Application Log | Tells the event log what to do when the Application Log becomes full. Choices include overwrite events by days, overwrite events as needed, and do not overwrite events (clear logs manually). The default is by days. |
Retention method for Security Log | Tells the event log what to do when the Security Log becomes full. Choices include overwrite events by days, overwrite events as needed, and do not overwrite events (clear logs manually). The default is by days. |
Retention method for System Log | Tells the event log what to do when the System Log becomes full. Choices include overwrite events by days, overwrite events as needed, and do not overwrite events (clear logs manually). The default is by days. |
Shut down the computer when the security audit log is full | Instructs the computer to shut down when the Security Log is filled. The default is not defined. |
Configuring servers to shut down when the Security Log is full makes good sense. If you implement auditing and pay careful attention to the log files, clearing them out every day as required, you can benefit from having Windows automatically shut down a server when its Security Log fills. When the log is tended to daily by the administrator, the common causes of a full Security Log are unsuccessful attempts to gain access to the server, or a successful logon followed by privilege use and abuse. Odds are that you have enough information about the nature and source of the attack by the time the server shuts down, so why leave it exposed any longer than you need to? Of course, this practice requires careful pruning and the daily attention of the administrator. Don't configure this setting if you plan to leave the server to run unattended.
The Restricted Groups node lends something new to the security configuration options available in Windows 2000. You can define, as part of security policy, the members of a group. At times, the administrator needs to temporarily add users to groups with a higher classification than the users' typical group memberships. This might be the case when an administrator goes on vacation and another member of the team is assigned full administrative rights.
However, often the "temporary" promotion ends up being an inadvertently permanent one, and the user remains in the Administrators group. Groups can also become members of other groups even though it is not part of the company security plan. By defining Restricted Group membership rules, you can return group membership to that defined by your security policy. Figure 1.15 shows the Restricted Groups node. Exercise 1.02 walks you through configuring restricted groups.
Figure 1.15: The Restricted Groups Node
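Restricted Groups make membership declarative, so drift can be measured. As an added example (not the book's own code), the following Python script parses a constructed [Group Membership] fragment in secedit .inf form and reports the difference between the policy and a constructed snapshot of actual membership, applying the semantics of the two restrictions: the Members list is authoritative (unlisted accounts are removed, listed ones added), while Member Of only adds the group to the listed parent groups. The group SIDs are well-known built-in ones (S-1-5-32-544 Administrators, S-1-5-32-551 Backup Operators, S-1-5-32-545 Users); the account names are invented.

```python
import configparser

# Constructed Restricted Groups fragment in secedit .inf form. Identifiers
# carry the leading "*" that secedit uses to mark a SID rather than a name.
TEMPLATE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,Domain Admins
*S-1-5-32-551__Memberof = *S-1-5-32-545
*S-1-5-32-551__Members = BackupSvc
"""

# Constructed snapshot of current membership, such as an administrator would
# collect from "net localgroup" on each machine, keyed by the same SIDs.
ACTUAL_MEMBERS = {
    "*S-1-5-32-544": {"Administrator", "Domain Admins", "jdoe"},  # jdoe left behind
    "*S-1-5-32-551": set(),                                       # BackupSvc missing
}
ACTUAL_MEMBER_OF = {
    "*S-1-5-32-544": set(),
    "*S-1-5-32-551": set(),
}


def parse_restricted_groups(template_text):
    """Return {sid: {"members": set, "memberof": set}} from the template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the "*S-1-5-..." keys exactly as written
    cp.read_string(template_text)
    rules = {}
    for key, value in cp["Group Membership"].items():
        sid, _, kind = key.partition("__")
        names = {n.strip() for n in value.split(",") if n.strip()}
        rules.setdefault(sid, {"members": set(), "memberof": set()})
        rules[sid][kind.lower()] = names
    return rules


def membership_drift(rules, actual_members, actual_member_of):
    """Compare policy with reality using Restricted Groups semantics.

    "Members" is authoritative: anyone not listed is removed and anyone
    listed is added. "Member Of" only adds the group to the listed parents,
    so extra parents are not reported. Returns one record per drifted group.
    """
    drift = {}
    for sid, rule in rules.items():
        have = actual_members.get(sid, set())
        parents = actual_member_of.get(sid, set())
        record = {
            "remove": sorted(have - rule["members"]),
            "add": sorted(rule["members"] - have),
            "add_to": sorted(rule["memberof"] - parents),
        }
        if any(record.values()):
            drift[sid] = record
    return drift


if __name__ == "__main__":
    rules = parse_restricted_groups(TEMPLATE)
    for sid, record in membership_drift(rules, ACTUAL_MEMBERS, ACTUAL_MEMBER_OF).items():
        print(sid, record)
```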
Exercise 1.02: Configuring Restricted Groups
Navigate to the Restricted Groups section of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console. Then do the following:
1. Right-click Restricted Groups, and choose Add Group from the context menu. You will see the window shown in Figure 1.16.
Figure 1.16: The Add Groups Window
2. You can type the name of the group that you want to restrict, or click Browse to pick the group from a list. In this case, click Browse. You will see the window shown in Figure 1.17. Select the group that you want to restrict, click Add, and then click OK.
Figure 1.17: The Select Groups Window
3. Right-click the group you just added from the right pane of the Restricted Groups node, and select Security. You will now see the window shown in Figure 1.18.
Figure 1.18: The Configure Membership for Administrators Window
4. In the Configure Membership window, you can restrict the members of your restricted group (in our case, the Administrators group) or you can restrict the other groups of which your restricted group can be a member. Add your restrictions, and click OK to save your changes.
The System Services node allows you to control security and startup policy on all the services defined in the template. Controlling the startup behavior of system services can save the administrator many headaches over time. Consider the situation of users starting up their own RAS or DHCP services haphazardly. This type of situation creates a large security risk for any network.
You can set restrictive networking services startup properties and assign all computers that require certain services to an OU that does have the right to start up particular networking services. Figure 1.19 shows some of the content of the Services node. Exercise 1.03 walks you through configuring System Services Security.
Figure 1.19: Content of the Services Node
Exercise 1.03: Configuring System Services Security
1. Navigate to the System Services section of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console.
2. Right-click the service that you want to secure, and choose Security from the context menu. You will see the Security Policy Setting window shown in Figure 1.20.
Figure 1.20: The Security Policy Setting Window
3. In the Security Policy Setting window, check the box next to Define this policy setting in the template. After you choose to define the policy, you will immediately be given the window shown in Figure 1.21.
Figure 1.21: Configuring Security for a Service
4. Configure the permissions desired, and click OK to return to the Security Policy Setting window shown in Figure 1.20.
5. Choose the startup mode for the service, and click OK to save your changes.
Registry keys can also be protected by policy. You can define a security policy for a Registry key or value in the database and then customize the propagation of the setting using the Key Properties dialog box. Exercise 1.04 walks you through configuring Registry security.
Exercise 1.04: Configuring Registry Security
1. Navigate to the Registry section (see Figure 1.22) of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console.
Figure 1.22: The Registry Security Node
2. Right-click Registry and choose Add Key from the context menu. You will see the Select Registry Key window shown in Figure 1.23.
Figure 1.23: The Select Registry Key Window
3. Navigate to the key that you want to secure. In this example, we are using the MACHINE\SOFTWARE key. Click OK to continue.
4. After clicking OK, you will automatically see the Database Security window shown in Figure 1.24. Use this window to choose the permissions that will be assigned to the secured Registry key. After customizing the permissions, click OK.
Figure 1.24: The Database Security Window
5. Now you see the window shown in Figure 1.25. Use this window to tell Windows what to do with the permissions you set in Step 4. The choices are:
Figure 1.25: The Template Security Policy Setting Window
- Configure the selected key and propagate inheritable permissions to all subkeys. This will set permissions at the selected key and all keys below it, merging these permissions with whatever permissions are already set at each subkey.
- Configure the selected key and replace all existing permissions on all subkeys with inheritable permissions. This will replace the permissions on each subkey with the permissions set at the selected key.
- Do not allow permissions on this key to be replaced.
6. Choose one of the settings, and click OK.
To edit the Security Policy Setting of an already existing Registry key, simply right-click it and select Security to bring up the window shown in Figure 1.25.
The File System Security node allows you to configure NTFS permissions for all local drives. It is common for a number of administrators to get into Windows Explorer and customize the NTFS permissions on files and folders throughout the file system. File and folder security should instead be part of a well-planned and well-implemented security plan.
This security plan can be realized by setting File System Policy in the templates (as shown in Figure 1.26). You can then periodically audit the status of the file system to look for inconsistencies between the plan and the actual state of NTFS permissions in the local environment. Exercise 1.05 walks you through the process of using file system security.
Figure 1.26: The File System Security Node
Exercise 1.05: Configuring File System Security
1. Navigate to the File System section of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console.
2. Right-click the File System node, and select Add File from the context menu. You will see the File or Folder window shown in Figure 1.27.
Figure 1.27: Adding a File or Folder
3. Navigate to the file or folder that you want to secure. In this example, we use the root of the C: drive. Click OK to continue.
4. After you click OK, you will automatically be given the Database Security window shown in Figure 1.28. Use this window to choose the permissions that will be assigned to the secured file or folder. After customizing the permissions, click OK.
Figure 1.28: The Database Security Window
5. Now that you have set the permissions, you have to tell Windows how to propagate them. Figure 1.29 shows the Template Security Policy Setting window. Use this window to tell Windows what to do with the permissions you just configured. The choices are:
Figure 1.29: The Template Security Policy Window
- Configure this file or folder, then propagate inheritable permissions to all subfolders and files. This choice sets permissions at the selected file or folder and all subfolders and files below it, merging these permissions with whatever permissions are already set at each subfolder or file.
- Configure this file or folder, then replace existing permissions on all subfolders and files with inheritable permissions. This choice replaces the permissions on each subfolder and file with the permissions set at the selected file or folder.
- Do not allow permissions on this file or folder to be replaced.
6. Choose the appropriate setting, and click OK.
To edit the Security Policy Setting of an already existing File System entry, simply right-click it and select Security to bring up the window shown in Figure 1.29.