Exam 70-124: Objective 1.1: Configuring Basic Windows 2000 Security with Templates

Armed with an understanding of how Active Directory works and of the tools available to administrators for configuring and implementing basic security measures, we now need to look at the security settings available in the security templates and in the Group Policy security consoles.

Exam 70-124: Objective 1.1.2: Account Policies

Account Policies define aspects of security that relate primarily to passwords. The Password Policy contains entries related to password aging and password length. The Account Lockout Policy determines how many failed tries a person gets before the account is locked out. The Kerberos Policy applies only to domain logons, since local logons do not use Kerberos; its entries include maximum lifetimes for the various tickets, such as user tickets and user ticket renewal. Figure 1.12 shows the expanded Account Policies node. Table 1.3 presents the configurable options available within the Account Policies node.

Figure 1.12: Account Policies

Table 1.3: Account Policies Security Options

Password Policies
  Enforce password history
    Remembers users' previous passwords and prevents a user from reusing a password until it has left the password history. Values range from 0 to 24 passwords remembered. The default is 0 passwords remembered.
  Maximum password age
    Defines the maximum amount of time that a user can keep a password without having to change it. Values range from the password never expires to the password expires every 999 days. The default is 42 days.
  Minimum password age
    Defines the minimum amount of time that a user must keep a password before being allowed to change it. Values range from the password can be changed immediately to the password can be changed after 998 days. The default is 0 days.
  Minimum password length
    Defines the minimum number of characters required for a user's password. Values range from no password required to at least 14 characters required. The default is 0 characters.
  Passwords must meet complexity requirements
    Requires that the user's password contain a mix of uppercase letters, lowercase letters, and numbers. Value is either enabled or disabled. The default is disabled.
  Store password using reversible encryption for all users in the domain
    Stores a copy of the user's password in Active Directory using reversible encryption. This is required for the message digest authentication method to work. Value is either enabled or disabled. The default is disabled.

Account Lockout Policies
  Account lockout duration
    Defines the time in minutes that an account will remain locked out. Values range from the account is locked out until an administrator unlocks it to 99,999 minutes (69 days, 10 hours, and 39 minutes). The default is not defined.
  Account lockout threshold
    Defines how many times a user can enter an incorrect password before the user's account is locked. Values range from the account will not lock out to 999 invalid logon attempts. The default is 5 attempts.
  Reset account lockout counter after
    Defines how long to keep track of unsuccessful logons. Values range from 1 minute to 99,999 minutes. The default is not defined.

Kerberos Policies
  Enforce user logon restrictions
    Forces the KDC to validate every request for a session ticket by examining the user rights policy on the target computer to make sure that the user has the right to either log on locally or access the computer across the network. This policy additionally checks that the requesting account is still valid. These checks are optional and, when enabled, could result in slower network access to services. The default setting is enabled.
  Maximum lifetime for service ticket
    Defines the maximum amount of time in minutes that a service ticket is valid. Values range from tickets don't expire to 99,999 minutes. The default is 600 minutes (10 hours).
  Maximum lifetime for user ticket
    Defines the maximum amount of time in hours that a user ticket is valid. Values range from tickets don't expire to 99,999 hours. The default is 10 hours.
  Maximum lifetime for user ticket renewal
    Defines the maximum lifetime of a ticket (Ticket Granting Ticket or session ticket). No ticket can be renewed after this lifetime has passed. The default is seven days.
  Maximum tolerance for computer clock synchronization
    Specifies the amount of time in minutes by which computers' clocks can be skewed. Values range from 0 minutes to 99,999 minutes. The default is 5 minutes.

Exam Warning 

Password policies can only be set at the domain level. Be attentive to questions that could suggest that policies can be set at the local, site, or OU levels.

start sidebar
Damage & Defense…
Password Age Policies

Although setting a minimum password age is usually a good thing, in at least one instance it can actually work against you. Say, for example, that you have configured a minimum password age of five days (the time that must pass before a user is allowed to change the password). If that password were compromised during those five days, the only way to rectify the breach would be administrator intervention: resetting the user's password from Active Directory Users and Computers.

Likewise, setting the minimum password age to 0 days and also configuring 0 passwords remembered allows users to circumvent password rotation by using the same password over and over. The key to configuring effective policies, password policies or any other, is to first analyze your needs, then test your configuration, and finally apply it once testing has proved that it meets or exceeds your requirements. Don't be the administrator who mistakenly opens the door to attackers while attempting to secure the network.

end sidebar
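As an added example (not from the book), the following Python checker reads the [System Access] and [Kerberos Policy] sections of a security template .inf, the same settings Table 1.3 describes, and flags the weak combinations discussed above; it also extends the reuse point to a minimum age of 0 combined with a non-zero history, which lets a user cycle through the whole history in one sitting. Both template strings are constructed; the section and key names are the ones secedit uses in .inf templates.

```python
"""Audit the Account Policies sections of a Windows 2000 security template.

The checks mirror the weak combinations discussed in the text (no history plus
no minimum age, a minimum age that stops a user from changing a compromised
password, no lockout, reversible encryption) and extend them slightly.
Both template strings are constructed for this example; the section and key
names are the ones secedit uses in .inf templates."""
import configparser

# Constructed, deliberately weak template.
WEAK_TEMPLATE = """
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 0
"""

# Constructed template with the same keys set to defensible values.
HARDENED_TEMPLATE = """
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Kerberos Policy]
TicketValidateClient = 1
"""


def load_template(text):
    """Parse template text into {section: {key: value-string}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _num(section, key, default):
    """Integer value of a key, or `default` when the template leaves it undefined."""
    return int(section.get(key, default))


def check_account_policy(template):
    """Return findings as (severity, code, message) tuples."""
    sa = template.get("System Access", {})
    krb = template.get("Kerberos Policy", {})
    found = []
    min_age = _num(sa, "MinimumPasswordAge", 0)
    history = _num(sa, "PasswordHistorySize", 0)
    if history == 0 and min_age == 0:
        found.append(("high", "password-reuse",
                      "no history and no minimum age: the old password can be set again at once"))
    elif min_age == 0:
        found.append(("medium", "history-cycling",
                      f"minimum age 0 with {history} remembered: the history can be exhausted in one sitting"))
    if min_age > 0:
        found.append(("info", "admin-reset-needed",
                      f"minimum age {min_age} day(s): a compromised password needs an administrator reset until then"))
    if _num(sa, "MaximumPasswordAge", 42) == -1:      # -1 means 'password never expires'
        found.append(("medium", "no-expiry", "passwords never expire"))
    if _num(sa, "MinimumPasswordLength", 0) == 0:
        found.append(("high", "blank-passwords", "blank passwords are allowed"))
    if _num(sa, "PasswordComplexity", 0) == 0:
        found.append(("medium", "no-complexity", "complexity requirements are disabled"))
    if _num(sa, "ClearTextPassword", 0) == 1:
        found.append(("high", "reversible-encryption",
                      "passwords are stored with reversible encryption for all users"))
    threshold = _num(sa, "LockoutBadCount", 0)
    if threshold == 0:
        found.append(("high", "no-lockout", "account lockout is off: bad-password attempts are never throttled"))
    else:
        duration = _num(sa, "LockoutDuration", 0)   # -1 means 'until an administrator unlocks'
        reset = _num(sa, "ResetLockoutCount", 0)
        if duration > 0 and reset > duration:
            found.append(("low", "reset-exceeds-duration",
                          "the reset window should not be longer than the lockout duration"))
    if _num(krb, "TicketValidateClient", 1) == 0:
        found.append(("low", "logon-restrictions-off",
                      "Enforce user logon restrictions is disabled: the KDC will not re-check logon rights"))
    return found


if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"== {name} ==")
        for severity, code, message in check_account_policy(load_template(text)):
            print(f"[{severity:6}] {code}: {message}")
```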

Exam 70-124: Objective 1.1.3, 1.1.4, 1.1.5: Local Policies

Local policies include the Audit Policy, User Rights Assignment, and Security Options. Some Audit Policy selections include auditing logon events, use of user privileges, systems events, and object access. The User Rights Assignment node includes the ability to grant or deny user rights such as the rights to add workstations to the domain, change the system time, log on locally, and access the computer from the network.

The most significant improvements are in the Security Options node, where you can make changes that in Windows NT 4.0 could only be made through direct Registry edits. Examples of such security options include clearing the pagefile when the system shuts down, displaying message text during logon, setting the number of previous logons kept in the cache, and shutting the system down immediately if it is unable to log security audits.

Figure 1.13 shows the expanded Local Policies node. Table 1.4 presents the configurable options available within the Local Policies node. The improvements in local policy management are numerous with the addition of the configurable objects available in the Security Options node.

Figure 1.13: Local Policies

Table 1.4: Local Policies Security Options

Audit Policies
  Audit account logon events
    Audits when an account is authenticated against the account database. The default is not defined.
  Audit account management
    Audits when a user account or group is created, deleted, or modified. The default is not defined.
  Audit directory service access
    Audits when access is gained to an Active Directory object. The default is not defined.
  Audit logon events
    Audits when a user logs on to or off a local computer and when a user makes a network connection to a machine. The default is not defined.
  Audit object access
    Audits when files, folders, or printers are accessed. The default is not defined.
  Audit policy change
    Audits when security options, user rights, or audit policies are modified. The default is not defined.
  Audit privilege use
    Audits when a user right is exercised. The default is not defined.
  Audit process tracking
    Audits when an application performs an action. The default is not defined.
  Audit system events
    Audits when a security-related event, such as rebooting the computer, occurs. The default is not defined.

User Rights Assignment
  Access this computer from the network
    Allows a user or group to connect to the computer over the network. The default is not defined.
  Act as part of the operating system
    Allows a process to gain access to operating system resources under any user identity. The default is not defined.
  Add workstations to the domain
    Allows a user or group to add a computer to the domain. The default is not defined.
  Back up files and directories
    Allows a user or group to bypass file and directory permissions to back up the system. The default is not defined.
  Bypass traverse checking
    Allows a user or group to pass through directories to which they have no access while navigating an object path in any Windows file system. The default is not defined.
  Change the system time
    Allows a user or group to set the time for the computer's internal clock. The default is not defined.
  Create a pagefile
    Allows a user or group to create and change the size of a pagefile. The default is not defined.
  Create a token object
    Allows a process to create a token that can be used to get access to any local resource. The default is not defined.
  Create permanent shared objects
    Allows a process to create a directory object in the object manager. The default is not defined.
  Debug programs
    Allows a user or group to attach a debugger to any process. The default is not defined.
  Deny access to this computer from the network
    Denies the ability to connect to the computer over the network. The default is not defined.
  Deny logon as a batch job
    Denies the ability to log on using a batch-queue facility. The default is not defined.
  Deny logon as a service
    Denies the ability to log on as a service. The default is not defined.
  Deny logon locally
    Denies a user or group the ability to log on to the local machine. The default is not defined.
  Enable computer and user accounts to be trusted for delegation
    Allows a user or group to set the Trusted for Delegation setting on a user or computer object. The default is not defined.
  Force shutdown from a remote system
    Allows a user or group to shut down a computer remotely. The default is not defined.
  Generate security audits
    Allows a process to make entries in the security log. The default is not defined.
  Increase quotas
    Allows a process to increase the processor quota of any process to which it has write property access. The default is not defined.
  Increase scheduling priority
    Allows a process to increase the execution priority of any process to which it has write property access. The default is not defined.
  Load and unload device drivers
    Allows a user or group to install and uninstall Plug and Play device drivers. The default is not defined.
  Lock pages in memory
    Allows a process to keep data in physical memory. The default is not defined.
  Log on as a batch job
    Allows a user or group to log on using a batch-queue facility. The default is not defined.
  Log on as a service
    Allows logging on as a service. The default is not defined.
  Log on locally
    Allows a user or group to log on to the local machine. The default is not defined.
  Manage auditing and security log
    Allows a user or group to configure object access auditing. The default is not defined.
  Modify firmware environment
    Allows changing the system environment variables. The default is not defined.
  Profile single process
    Allows a user or group to use performance-monitoring tools to monitor the performance of nonsystem processes. The default is not defined.
  Profile system performance
    Allows a user or group to use performance-monitoring tools to monitor the performance of system processes. The default is not defined.
  Remove computer from docking station
    Allows a user or group to undock a laptop within Windows 2000. The default is not defined.
  Replace a process level token
    Allows a process to replace the default token associated with a subprocess that has been started. The default is not defined.
  Restore files and directories
    Allows a user or group to bypass file and directory permissions when restoring backed-up files and directories. The default is not defined.
  Shut down the system
    Allows a user or group to shut down the local computer. The default is not defined.
  Synchronize directory service data
    Allows a process to provide directory synchronization services. The default is not defined.
  Take ownership of files or other objects
    Allows a user or group to take ownership of any securable system object. The default is not defined.

Security Options
  Additional restrictions for anonymous connections
    Adds restrictions for anonymous connections. Choices include none, do not allow enumeration of SAM accounts and shares, and no access without explicit anonymous permissions. The default is not defined.
  Allow server operators to schedule tasks (domain controllers only)
    Gives members of the Server Operators group the right to schedule tasks. The default is not defined.
  Allow system to be shut down without having to log on
    Enables the Shut Down button on the Ctrl + Alt + Del logon screen. The default is not defined.
  Allowed to eject removable NTFS media
    Defines the groups that are allowed to eject removable NTFS media. The default is not defined.
  Amount of time required before disconnecting session
    Defines how long a user can remain connected in an idle state before being disconnected. The default is not defined.
  Audit the access of global system objects
    Audits when a system object is accessed. The default is not defined.
  Audit use of Backup and Restore privilege
    Audits when the Backup and Restore privileges are used. The default is not defined.
  Automatically log off users when time expires
    Disconnects users who are connected across the network when their time expires. The default setting is disabled.
  Automatically log off users when time expires (local)
    Disconnects users who are logged on locally when their time expires. The default is not defined.
  Clear virtual memory pagefile when system shuts down
    Empties the pagefile on shutdown. The default is not defined.
  Digitally sign client communications (always)
    Requires the computer to sign its communications when functioning as a client, whether or not the server supports signing. Unsigned communications are not allowed. The default is not defined.
  Digitally sign client communications (when possible)
    Configures the computer to request signed communications when functioning as a client to a server that supports signing. Unsigned communications are allowed but not preferred. The default is enabled.
  Digitally sign server communications (always)
    Configures the computer to require that all connecting clients sign their communications. Unsigned communications are not allowed. The default is not defined.
  Digitally sign server communications (when possible)
    Configures the computer to request that all connecting clients sign their communications. Unsigned communications are allowed but not preferred. The default is not defined.
  Disable Ctrl + Alt + Del requirement for logon
    Forces smartcard logon. The default is not defined.
  Do not display last user name in logon screen
    Does not display the name of the last user to log on to the system. The default is not defined.
  LAN Manager authentication level
    Controls the level of authentication supported for down-level clients. The default is not defined.
  Message text for users attempting to log on
    The text displayed in a window presented to all users logging on. The default is not defined.
  Message title for users attempting to log on
    The title of the window presented to all users logging on. The default is not defined.
  Number of previous logons to cache (in case domain controller is not available)
    Determines how many times users can log on with their cached credentials. The default is not defined.
  Prevent system maintenance of computer account password
    Prevents the system from changing the computer account password. The default is not defined.
  Prevent users from installing printer drivers
    Keeps users from installing printers. The default is not defined.
  Recovery console: Allow automatic administrative logon
    Automatically logs the administrator on with the recovery console administrator account when booting to the recovery console. The default is not defined.
  Recovery console: Allow floppy copy and access to all drives and all folders
    Allows copying from a diskette when booted into the recovery console. Also allows access to the entire hard drive in recovery mode. The default is not defined.
  Rename administrator account
    Renames the administrator account to the name specified here. The default is not defined.
  Rename guest account
    Renames the guest account to the name specified here. The default is not defined.
  Restrict CD-ROM access to locally logged-on user only
    Restricts network access to the CD-ROM. The default is not defined.
  Restrict floppy access to locally logged-on user only
    Restricts network access to the diskette drive. The default is not defined.
  Secure channel: Digitally encrypt or sign secure channel data (always)
    Requires the machine to encrypt or sign secure channel data. The default is not defined.
  Secure channel: Digitally encrypt secure channel data (when possible)
    Configures the machine to encrypt secure channel data when communicating with a machine that supports digital encryption. The default is not defined.
  Secure channel: Digitally sign secure channel data (when possible)
    Configures the machine to sign secure channel data when communicating with a machine that supports digital signing. The default is not defined.
  Secure channel: Require strong (Windows 2000 or later) session key
    Requires the use of a Windows 2000 session key. The default is not defined.
  Secure system partition (for RISC platforms only)
    Secures the system partition. The default is not defined.
  Send unencrypted password to connect to third-party SMB servers
    Sends a clear-text password to SMB servers that don't support SMB signing. The default is not defined.
  Shut down system immediately if unable to log security audits
    Shuts down the computer when the security log becomes full. The default is not defined.
  Smartcard removal behavior
    Determines what happens when a smartcard is removed from the system. Choices include no action, lock workstation, and force logoff. The default is not defined.
  Strengthen default permissions of global system objects (e.g., Symbolic Links)
    Strengthens the default permissions of global system objects. The default is not defined.
  Unsigned driver installation behavior
    Controls what happens when the installation of an unsigned driver is attempted. Choices include silently succeed, warn but allow installation, and do not allow installation. The default is not defined.
  Unsigned nondriver installation behavior
    Controls what happens when the installation of an unsigned nondriver is attempted. Choices include silently succeed, warn but allow installation, and do not allow installation. The default is not defined.
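As an added example (not from the book), this Python script audits the [Privilege Rights] section of a security template, where the User Rights Assignment settings of Table 1.4 are stored as privilege constants mapped to lists of SIDs. It flags the sensitive rights when they are granted to broad principals such as Everyone or Users, and any account that appears in both an allow right and its matching deny right (the deny right takes precedence). The template text and the domain SIDs (S-1-5-21-1000-2000-3000-*) are constructed; the well-known SIDs and privilege constants are real.

```python
"""Audit the [Privilege Rights] section of a Windows 2000 security template.

Flags sensitive rights from Table 1.4 that are granted to broad principals,
and accounts listed in both an allow right and the matching deny right.
The template text below is constructed for this example."""
import configparser

# Template constant -> option name as shown in the Security Templates console.
SENSITIVE = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeDebugPrivilege": "Debug programs",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeRestorePrivilege": "Restore files and directories",
    "SeBackupPrivilege": "Back up files and directories",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeEnableDelegationPrivilege": "Enable computer and user accounts to be trusted for delegation",
    "SeSyncAgentPrivilege": "Synchronize directory service data",
}
# Deny right -> the allow right it overrides.
DENY_PAIRS = {
    "SeDenyNetworkLogonRight": "SeNetworkLogonRight",
    "SeDenyInteractiveLogonRight": "SeInteractiveLogonRight",
    "SeDenyBatchLogonRight": "SeBatchLogonRight",
    "SeDenyServiceLogonRight": "SeServiceLogonRight",
}
# Well-known SIDs (templates prefix SIDs with '*'); BROAD are the ones that should
# never hold a sensitive right.
WELL_KNOWN = {
    "*S-1-1-0": "Everyone", "*S-1-5-11": "Authenticated Users", "*S-1-5-7": "Anonymous Logon",
    "*S-1-5-32-545": "Users", "*S-1-5-32-546": "Guests",
    "*S-1-5-32-544": "Administrators", "*S-1-5-32-551": "Backup Operators",
}
BROAD = {"*S-1-1-0", "*S-1-5-11", "*S-1-5-7", "*S-1-5-32-545", "*S-1-5-32-546"}

# Constructed sample; the S-1-5-21-1000-2000-3000-* domain SIDs are made up.
SAMPLE = """
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-21-1000-2000-3000-1104
SeDenyNetworkLogonRight = *S-1-5-21-1000-2000-3000-1104
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeTcbPrivilege = *S-1-1-0
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""


def parse_rights(text):
    """Return {right: [sid, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {right: [p.strip() for p in value.split(",") if p.strip()]
            for right, value in cp["Privilege Rights"].items()}


def label(sid):
    return WELL_KNOWN.get(sid, sid)


def audit_rights(rights):
    """Return findings as (code, right, sid, message) tuples."""
    found = []
    for right, holders in rights.items():
        if right not in SENSITIVE:
            continue
        for sid in holders:
            if sid in BROAD:
                found.append(("sensitive-right", right, sid,
                              f"'{SENSITIVE[right]}' is granted to {label(sid)}"))
    for deny, allow in DENY_PAIRS.items():
        for sid in sorted(set(rights.get(deny, ())) & set(rights.get(allow, ()))):
            found.append(("allow-and-deny", allow, sid,
                          f"{label(sid)} holds both {allow} and {deny}; the deny right wins"))
    return found


if __name__ == "__main__":
    for code, right, sid, message in audit_rights(parse_rights(SAMPLE)):
        print(f"{code:16} {right:28} {message}")
```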

start sidebar
Notes from the Underground…
Brute-Force Attacks

One of the simplest means of gaining access to protected system resources is the brute-force attack, which tries to guess or crack passwords by attempting every possible combination. Brute-force attacks can be carried out by users themselves or with specialized software utilities designed for the purpose. Brute-force hacking differs from dictionary hacking in that dictionary hacking tries to guess passwords by comparing them to a large list of common words and phrases. By configuring for strong passwords you can defeat dictionary hacking, but protecting against brute-force hacking is nearly impossible.

Your only line of defense when it comes to brute-force attacks (or even social hacking by your own users) comes down to configuring and implementing good auditing policies and also configuring account lockout policies with lockout durations that are appropriate for the sensitivity of the information contained within your network.

end sidebar

Exam 70-124: Objective 1.1.8: Event Log

The Event Log node allows you to configure settings specifically for the Event Logs, as shown in Figure 1.14. The Event Log configuration settings let you set the length of time logs are retained as well as the maximum size of each Event Log. You can also configure the system to shut down if the Security Log becomes full. Table 1.5 presents the configurable options available within the Event Log node.

Figure 1.14: Event Log Policies

Table 1.5: Event Log Security Options

  Maximum Application Log size
    Controls how large the Application Log can grow. The default is 512 KB.
  Maximum Security Log size
    Controls how large the Security Log can grow. The default is 512 KB.
  Maximum System Log size
    Controls how large the System Log can grow. The default is 512 KB.
  Restrict guest access to Application Log
    Prevents guests from reading the Application Log. The default is disabled.
  Restrict guest access to Security Log
    Prevents guests from reading the Security Log. The default is disabled.
  Restrict guest access to System Log
    Prevents guests from reading the System Log. The default is disabled.
  Retain Application Log
    Tells the Event Log to keep events in the Application Log for the number of days defined before they may be overwritten. The default is seven days.
  Retain Security Log
    Tells the Event Log to keep events in the Security Log for the number of days defined before they may be overwritten. The default is seven days.
  Retain System Log
    Tells the Event Log to keep events in the System Log for the number of days defined before they may be overwritten. The default is seven days.
  Retention method for Application Log
    Tells the Event Log what to do when the Application Log becomes full. Choices include overwrite events by days, overwrite events as needed, and do not overwrite events (clear logs manually). The default is by days.
  Retention method for Security Log
    Tells the Event Log what to do when the Security Log becomes full. Choices include overwrite events by days, overwrite events as needed, and do not overwrite events (clear logs manually). The default is by days.
  Retention method for System Log
    Tells the Event Log what to do when the System Log becomes full. Choices include overwrite events by days, overwrite events as needed, and do not overwrite events (clear logs manually). The default is by days.
  Shut down the computer when the security audit log is full
    Instructs the computer to shut down when the Security Log is filled. The default is not defined.

start sidebar
Damage & Defense…
Shutting Out Hackers

Configuring servers to shut down when the Security Log is full makes good sense. If you implement auditing and pay careful attention to the log files, clearing them out every day as required, you can benefit from having Windows automatically shut down a server when its Security Log is full. When the logs are being tended daily, a full Security Log is usually the result of repeated unsuccessful attempts to gain access to the server, or of a successful access followed by privilege use and abuse. Odds are that you have enough information about the nature and source of the attack by the time the server shuts down, so why leave it exposed any longer than you need to? Of course, this practice requires careful pruning and the daily attention of the administrator. Don't configure this setting if you plan to leave the server to run unattended.

end sidebar
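As an added example (not from the book), this Python check reads the [Security Log] and [Registry Values] sections of a security template, where the Table 1.5 settings and the shutdown-when-full value (the CrashOnAuditFail registry value) are stored, and reports the combinations the sidebar warns about: a log that fills between reviews on a server nobody tends daily, and a by-days retention setting that cannot free space before the log fills. The template text, the audit rate and the average event size are constructed; the mapping of AuditLogRetentionPeriod codes to the three retention methods is this example's assumption.

```python
"""Check a Windows 2000 security template's Security Log settings against the
advice above: shutting down when the audit log is full is only safe on a server
whose Security Log is large enough, and reviewed often enough, not to fill
between reviews. Template text and sizing figures are constructed for this
example; the AuditLogRetentionPeriod code mapping is an assumption."""
import configparser

# Assumed meaning of the AuditLogRetentionPeriod codes in secedit templates.
RETENTION = {0: "overwrite events as needed", 1: "overwrite events by days", 2: "do not overwrite events"}
CRASH_ON_AUDIT_FAIL = r"MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail"

# Constructed sample: 512 KB Security Log that is never overwritten, with the
# shutdown-when-full value enabled (registry type 4 = REG_DWORD, data 1).
SAMPLE = r"""
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 2
RetentionDays = 7
RestrictGuestAccess = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
"""

# Constructed sample sized for the same audit rate, with guest access restricted.
SIZED = r"""
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 2
RetentionDays = 7
RestrictGuestAccess = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
"""


def load_template(text):
    """Parse template text into {section: {key: value-string}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def days_to_fill(max_log_kb, events_per_day, bytes_per_event=400):
    """Rough number of days until a log of max_log_kb fills at the given audit rate.
    bytes_per_event is an assumed average; measure it on your own systems."""
    return (max_log_kb * 1024 / bytes_per_event) / events_per_day


def check_security_log(template, events_per_day, reviewed_daily):
    """Return (severity, code, message) findings for the Security Log settings."""
    log = template.get("Security Log", {})
    regvals = template.get("Registry Values", {})
    halt_when_full = regvals.get(CRASH_ON_AUDIT_FAIL, "4,0").split(",")[-1] == "1"
    size_kb = int(log.get("MaximumLogSize", 512))
    retention = int(log.get("AuditLogRetentionPeriod", 1))
    keep_days = int(log.get("RetentionDays", 7))
    fill_days = days_to_fill(size_kb, events_per_day)
    found = []
    if retention == 1 and fill_days < keep_days:
        found.append(("medium", "fills-before-retention",
                      f"log fills in about {fill_days:.1f} day(s) but only events older than "
                      f"{keep_days} days may be overwritten; new events will be dropped"))
    if retention == 0:
        found.append(("low", "silent-overwrite",
                      "oldest events are overwritten as needed; evidence may be gone before it is reviewed"))
    if halt_when_full:
        if not reviewed_daily:
            found.append(("high", "halt-unattended",
                          "shutdown-when-full is set on a server nobody reviews daily"))
        if retention != 0 and fill_days < 1:
            found.append(("high", "halt-within-day",
                          f"at {events_per_day} events/day the {size_kb} KB log fills in about "
                          f"{fill_days:.1f} day(s); the server would halt between daily reviews"))
    if log.get("RestrictGuestAccess", "0") == "0":
        found.append(("low", "guest-readable", "guests may read the Security Log"))
    return found


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("sized", SIZED)):
        settings = load_template(text)["Security Log"]
        print(f"== {name}: {RETENTION[int(settings['AuditLogRetentionPeriod'])]} ==")
        for severity, code, message in check_security_log(load_template(text), 2000, False):
            print(f"[{severity:6}] {code}: {message}")
```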

Exam 70-124: Objective 1.1.7: Restricted Groups

The Restricted Groups node lends something new to the security configuration options available in Windows 2000. You can define, as part of security policy, the members of a group. At times, the administrator needs to temporarily add users to groups with a higher classification than the users' typical group memberships. This might be the case when an administrator goes on vacation and another member of the team is assigned full administrative rights.

However, often the "temporary" promotion ends up being an inadvertently permanent one, and the user remains in the Administrators group. Groups can also become members of other groups even though it is not part of the company security plan. By defining Restricted Group membership rules, you can return group membership to that defined by your security policy. Figure 1.15 shows the Restricted Groups node. Exercise 1.02 walks you through configuring restricted groups.

Figure 1.15: The Restricted Groups Node

Exercise 1.02: Configuring Restricted Groups

start example

Navigate to the Restricted Groups section of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console. Then do the following:

  1. Right-click Restricted Groups, and choose Add Group from the context menu. You will see the window shown in Figure 1.16.

    Figure 1.16: The Add Groups Window

  2. You can type the name of the group that you want to restrict, or click Browse to pick the group from a list. In this case, click Browse. You will see the window shown in Figure 1.17. Select the group that you want to restrict, click Add, and then click OK.

    Figure 1.17: The Select Groups Window

  3. Right-click the group you just added from the right pane of the Restricted Groups node, and select Security. You will now see the window shown in Figure 1.18.


    Figure 1.18: The Configure Membership for Administrators Window

  4. In the Configure Membership window, you can restrict the members of your restricted group (in our case, the Administrators group) or you can restrict the other groups of which your restricted group can be a member. Add your restrictions, and click OK to save your changes.

end example
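As an added example (not from the book), the Python script below reads the [Group Membership] section of a security template, which is where the Restricted Groups rules configured in Exercise 1.02 are stored, compares it with a snapshot of the membership actually observed on a machine, and lists the changes applying the policy would make, including the "temporary" administrator the text describes. The template text, the domain SIDs (S-1-5-21-1000-2000-3000-*) and the observed membership are constructed.

```python
"""Compare Restricted Groups rules from a security template with observed group
membership and list the changes applying the policy would make.
Template text, domain SIDs and the observed snapshot are constructed for this
example; the [Group Membership] key layout is the one secedit uses."""
import configparser

# Constructed policy: Administrators = built-in Administrator (RID 500) and Domain
# Admins (RID 512) only; Backup Operators = one domain account, and Backup
# Operators must itself belong to a constructed domain group (RID 1107).
TEMPLATE = """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-500,*S-1-5-21-1000-2000-3000-512
*S-1-5-32-551__Memberof = *S-1-5-21-1000-2000-3000-1107
*S-1-5-32-551__Members = *S-1-5-21-1000-2000-3000-1105
"""

# Constructed snapshot of the machine today: the 'temporary' admin (RID 1104) is
# still in Administrators, and the Users group has crept into Backup Operators.
OBSERVED_MEMBERS = {
    "*S-1-5-32-544": {"*S-1-5-21-1000-2000-3000-500", "*S-1-5-21-1000-2000-3000-512",
                      "*S-1-5-21-1000-2000-3000-1104"},
    "*S-1-5-32-551": {"*S-1-5-32-545"},
}
OBSERVED_MEMBEROF = {"*S-1-5-32-544": set(), "*S-1-5-32-551": set()}

NAMES = {"*S-1-5-32-544": "Administrators", "*S-1-5-32-551": "Backup Operators",
         "*S-1-5-32-545": "Users", "*S-1-5-21-1000-2000-3000-500": "Administrator",
         "*S-1-5-21-1000-2000-3000-512": "Domain Admins"}


def parse_restricted_groups(text):
    """Return {group_sid: {"members": set(sids), "memberof": set(sids)}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    rules = {}
    for key, value in cp["Group Membership"].items():
        group, _, kind = key.rpartition("__")        # '<group sid>__Members' / '__Memberof'
        sids = {p.strip() for p in value.split(",") if p.strip()}
        rules.setdefault(group, {"members": set(), "memberof": set()})[kind.lower()] = sids
    return rules


def plan_changes(rules, observed_members, observed_memberof):
    """Actions the policy would take, as (action, group, sid) tuples.
    'Members' is exclusive: unlisted accounts are removed and listed ones added.
    'Member Of' only adds the group to the listed parents; it never removes it."""
    actions = []
    for group, rule in rules.items():
        current = observed_members.get(group, set())
        actions += [("remove", group, sid) for sid in sorted(current - rule["members"])]
        actions += [("add", group, sid) for sid in sorted(rule["members"] - current)]
        parents = observed_memberof.get(group, set())
        actions += [("add-to", group, parent) for parent in sorted(rule["memberof"] - parents)]
    return actions


def describe(action):
    verb, group, sid = action
    group_name, sid_name = NAMES.get(group, group), NAMES.get(sid, sid)
    templates = {"remove": "remove {s} from {g}", "add": "add {s} to {g}",
                 "add-to": "make {g} a member of {s}"}
    return templates[verb].format(s=sid_name, g=group_name)


if __name__ == "__main__":
    rules = parse_restricted_groups(TEMPLATE)
    for action in plan_changes(rules, OBSERVED_MEMBERS, OBSERVED_MEMBEROF):
        print(describe(action))
```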

Exam 70-124: Objective 1.1.6: System Services

The System Services node allows you to control security and startup policy on all the services defined in the template. Controlling the startup behavior of system services can save the administrator many headaches over time. Consider the situation of users starting up their own RAS or DHCP services haphazardly. This type of situation creates a large security risk for any network.

You can set restrictive networking services startup properties and assign all computers that require certain services to an OU that does have the right to start up particular networking services. Figure 1.19 shows some of the content of the Services node. Exercise 1.03 walks you through configuring System Services Security.

Figure 1.19: Content of the Services Node

Exercise 1.03: Configuring System Services Security

start example
  1. Navigate to the System Services section of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console.

  2. Right-click the service that you want to secure, and choose Security from the context menu. You will see the Security Policy Setting window shown in Figure 1.20.

    Figure 1.20: The Security Policy Setting Window

  3. In the Security Policy Setting window, check the box next to Define this policy setting in the template. After you choose to define the policy, you will immediately be given the window shown in Figure 1.21.

    Figure 1.21: Configuring Security for a Service

  4. Configure the permissions desired, and click OK to return to the Security Policy Setting window shown in Figure 1.20.

  5. Choose the startup mode for the service, and click OK to save your changes.

end example

Exam 70-124: Objective 1.1.1: Registry

Registry keys can also be protected by policy. You can define a security policy for a Registry key or value in the database and then customize the propagation of the setting using the Key Properties dialog box. Exercise 1.04 walks you through configuring Registry security.

Exercise 1.04: Configuring Registry Security

start example
  1. Navigate to the Registry section (see Figure 1.22) of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console.

    Figure 1.22: The Registry Security Node

  2. Right-click Registry and choose Add Key from the context menu. You will see the Select Registry Key window shown in Figure 1.23.

    Figure 1.23: The Select Registry Key Window

  3. Navigate to the key that you want to secure. In this example, we are using the MACHINE\SOFTWARE key. Click OK to continue.

  4. After clicking OK, you will automatically see the Database Security window shown in Figure 1.24. Use this window to choose the permissions that will be assigned to the secured Registry key. After customizing the permissions, click OK.

    Figure 1.24: The Database Security Window

  5. Now you see the window shown in Figure 1.25. Use this window to tell Windows what to do with the permissions you set in Step 4. The choices are:

    Figure 1.25: The Template Security Policy Setting Window

    • Configure the selected key and propagate inheritable permissions to all subkeys. This will set permissions at the selected key and all keys below it, merging these permissions with whatever permissions are already set at each subkey.

    • Configure the selected key and replace all existing permissions on all subkeys with inheritable permissions. This will replace the permissions on each subkey with the permissions set at the selected key.

    • Do not allow permissions on this key to be replaced.

  6. Choose one of the settings, and click OK.

end example

To edit the Security Policy Setting of an already existing Registry key, simply right-click it and select Security to bring up the window shown in Figure 1.25.

Exam 70-124: Objective 1.1.1: File System

The File System Security node allows you to configure NTFS permissions for all local drives. It is common for administrators to open Windows Explorer and customize the NTFS permissions on files and folders throughout the file system. File and folder security should instead be part of a well-planned and well-implemented security plan.

This security plan can be realized by setting File System Policy in the templates (as shown in Figure 1.26). You can then periodically audit the status of the file system to look for inconsistencies between the plan and the actual state of NTFS permissions in the local environment. Exercise 1.05 walks you through the process of using file system security.

Figure 1.26: The File System Security Node

Exercise 1.05: Configuring File System Security

start example
  1. Navigate to the File System section of either your Security Configuration and Analysis snap-in console or the Domain Security Policies console.

  2. Right-click the File System node, and select Add File from the context menu. You will see the File or Folder window shown in Figure 1.27.


    Figure 1.27: Adding a File or Folder

  3. Navigate to the file or folder that you want to secure. In this example, we use the root of the C: drive. Click OK to continue.

  4. After you click OK, you will automatically be given the Database Security window shown in Figure 1.28. Use this window to choose the permissions that will be assigned to the secured file or folder. After customizing the permissions, click OK.

    Figure 1.28: The Database Security Window

  5. Now that you have set the permissions, you have to tell Windows how to propagate them. Figure 1.29 shows the Template Security Policy Setting window. Use this window to tell Windows what to do with the permissions you just configured. The choices are:

    Figure 1.29: The Template Security Policy Window

    • Configure this file or folder, then propagate inheritable permissions to all subfolders and files. This choice sets permissions at the selected file or folder and all subfolders and files below it, merging these permissions with whatever permissions are already set at each subfolder or file.

    • Configure this file or folder then replace existing permissions on all subfolders and files with inheritable permissions. This choice replaces the permissions on each subfolder and file with the permissions set at the selected file or folder.

    • Do not allow permissions on this file or folder to be replaced.

  6. Choose the appropriate setting, and click OK.

end example
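As an added example (not from the book), the Python model below works through the three propagation choices offered in Step 5 of Exercise 1.04 and Step 5 of Exercise 1.05, which are the same for Registry keys and for files and folders, on a small constructed key tree: it shows that "propagate" keeps a weak permission someone set on a subkey, that "replace" removes it, and that the third choice leaves everything alone. The tree and the ACLs (sets of (trustee, access) pairs standing in for SDDL) are constructed; the assumption that the template stores the three choices as mode numbers 0, 1 and 2 in the order the dialog lists them is this example's, not the book's.

```python
"""Model of the three propagation choices in Step 5 of Exercises 1.04 and 1.05.

The key tree and the ACLs (sets of (trustee, access) pairs instead of SDDL)
are constructed for this example; the mode numbers 0/1/2 are assumed to match
the order of the three choices in the dialog."""
import csv

PROPAGATE, REPLACE, IGNORE = 0, 1, 2


class SecuredObject:
    """A key or folder with its own ACEs plus the ACEs inherited from above."""

    def __init__(self, name, explicit=(), children=()):
        self.name = name
        self.explicit = set(explicit)
        self.inherited = set()
        self.children = list(children)

    def effective(self):
        return self.explicit | self.inherited


def apply_policy(obj, policy_acl, mode):
    """Apply one template entry to obj and its subtree; return how many objects were touched."""
    if mode == IGNORE:
        return 0                      # 'Do not allow permissions to be replaced': exempt, untouched
    obj.explicit = set(policy_acl)
    return 1 + sum(_inherit(child, obj.effective(), mode) for child in obj.children)


def _inherit(obj, inheritable, mode):
    if mode == REPLACE:
        obj.explicit = set()          # 'replace existing permissions': the child's own ACEs go away
    obj.inherited = set(inheritable)  # both modes flow the parent's ACEs down; PROPAGATE merges them
    return 1 + sum(_inherit(child, obj.effective(), mode) for child in obj.children)


def holders_of(obj, ace):
    """Pre-order list of object names whose effective permissions contain ace."""
    names = [obj.name] if ace in obj.effective() else []
    for child in obj.children:
        names += holders_of(child, ace)
    return names


def parse_entry(line):
    """Split a [Registry Keys] or [File Security] template line into (path, mode, sddl)."""
    path, mode, sddl = next(csv.reader([line]))
    return path, int(mode), sddl


def build_tree():
    """Constructed tree under MACHINE\\SOFTWARE with a subkey someone once opened up to Users."""
    app = SecuredObject("SOFTWARE\\Vendor\\App", explicit={("Users", "Full Control")})
    vendor = SecuredObject("SOFTWARE\\Vendor", children=[app])
    return SecuredObject("SOFTWARE",
                         explicit={("Administrators", "Full Control"), ("Users", "Full Control")},
                         children=[vendor])


# The permissions chosen in the Database Security window (Figure 1.24 / 1.28), as ACEs.
POLICY_ACL = {("Administrators", "Full Control"), ("SYSTEM", "Full Control"), ("Users", "Read")}

if __name__ == "__main__":
    # Constructed template line; the SDDL string is illustrative only.
    print(parse_entry(r'"MACHINE\SOFTWARE",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"'))
    for mode, label in ((PROPAGATE, "propagate"), (REPLACE, "replace"), (IGNORE, "ignore")):
        tree = build_tree()
        touched = apply_policy(tree, POLICY_ACL, mode)
        print(f"{label:9} touched={touched} Users still has Full Control on: "
              f"{holders_of(tree, ('Users', 'Full Control'))}")
```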

To edit the Security Policy Setting of an already existing File System entry, simply right-click it and select Security to bring up the window shown in Figure 1.29.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
