Similar to the security model in previous versions of Windows dating back to Windows NT, the domain remains the security boundary in a Windows Server 2003 network. Any security configurations that are made apply only to the domain that they were configured in; they do not automatically cross from one domain to another. Each domain will have its own security policies. In Windows Server 2003, the foundation of the Active Directory security model is the association of an Access Control List (ACL) with each object, attribute, and container to control access to these items by users and groups. In Chapter 4, "Managing and Maintaining Access to Resources," we briefly examined how the network administrator is able to assign individual users and groups varying levels of permissions for objects and their attributes, and even hide those attributes from certain groups of users. This type of security provides the network administrator with a high degree of control over individual objects and their attributes. As networks get larger and grow in scope, having this type of granular security control is more important. In addition, in the larger organization it is essential to be able to have this type of control to be able to implement a comprehensive organizational security plan. Because of the different needs of each department or location, there might need to be a distinct security plan for each separate entity. For example, the security needs for the accounting department will usually be far greater and more complex than those needed in the mailroom. As the complexity of the organizational security plan grows, there is a need to simplify the implementation of security as much as possible to ensure that the proper policies are implemented in the proper areas, and for the proper users. Fortunately, Active Directory comes with several tools that can be used to simplify the configuration and management of network security. We examine some of these tools and show you how to implement them in the Active Directory environment. Applying Security PoliciesIn Chapter 9, "Implementing Group Policy," we covered the use of Group Policies in a Windows Server 2003 network. In addition to creating Group policies that control users and computers, we can create Security policies that control the security configuration of Active Directory and its objects. The settings contained in these security policies are used to define the security behavior of the network. Windows Server 2003 uses the Group Policy Object to apply security permissions. Security configurations are created within the Group policy object to control various security areas of Windows Server 2003 clients. By default, Group Policies are applied when the computer starts up, and they are periodically refreshed to pick up any changes that are made to the policies. Configuring Security PoliciesSecurity policies can be found in two places in the Group Policy snap-in of the Active Directory Users and Computers console. The computer configuration policies are contained in the Computer Configuration container. These policies are used to control the security configuration of computers on the network. These policies will be applied to the computer as its operating system is initialized. The other security policy is used to enforce lockdown policies on users on the network. These policies are contained in the User Configuration container. These policies will be applied whenever a user logs on to the network. The Group Policy snap-in allows you to define security policies with the Security Settings extension. The Security Settings extension allows you to define the security configuration for local computers, the domain, and the site within a Group Policy Object. Using a group policy simplifies security administration by allowing the administrator to specify the security settings once, and then apply these settings to all the objects in a container as part of the Group Policy enforcement. Nine security areas can be configured. These settings are located in the Security Settings node of a Group Policy object, as shown in Figure 16.1. They are
Figure 16.1. Group Policy console showing Security Policy areas.Note: The Big Four We are going to cover only the top four items in the list, because they are the ones most likely to appear on the exam. For more information on Security Policies, especially the items we won't cover here, see Windows Server 2003 Security Policy Settings at http://technet2.microsoft.com/WindowsServer/en/Library/bcd7ea4c-f989-4cee-969a-920f62f555111033.mspx?mfr=true. Although most of the policy areas can be applied at the site, domain, or organizational unit (OU) level, there are some policy areas that apply only at the domain. For example, you cannot define different account or public key policies for different OUs in the same domain. All other policy areas can be specified at the level of the site or the OU. Unlike domain controllers, which receive their policies directly from Active Directory, workstations and member servers are allowed to define their own local policies. Account PoliciesAccount policies are used to configure the security attributes for the user accounts in the domain. This policy will be the default policy for any machines that are members of the domain. However, you can set an account policy at the OU level, but these settings will apply only to the local user accounts of the nondomain controller computers contained in that Organizational Unit (OU). These attributes are the following:
Note: Account Policies It is not necessary to apply an account policy to organization units that don't contain computers. The account policies that apply to the users in the organizational unit can only be applied as a domain policy. To modify the Account Policies, follow the procedure in Step by Step 16.1.
When configuring the account policies, it is best to balance the level of security desired with the overhead created by having security policies that are too restrictive. Although no one wants to have a network that is vulnerable to security breaches, having an overly restrictive lockout policy can create an excessive workload for the user help desk personnel. In addition, if the password format and length is too difficult to remember, most users will write down their passwords, potentially leaving them where an unauthorized user could find them. Usually, a password length of seven characters is optimum both for security exposure and user convenience. Remember that password, lockout, and Kerberos policies are applied at the domain level only. A Windows Server 2003 domain controller will ignore any policies defined at the OU or site level. Event Log PoliciesThe Event Log policies are used to configure the application, system, and security event logs on Windows Server 2003 computers. For example, you can specify the following:
The settings for the event logs can be controlled at the site, domain, or OU level. Generally, domain controllers should be configured with larger logs, and they should be retained longer than the logs on workstations. In addition, you might want to configure the access rights of the event logs on domain controllers so that they can be viewed only by administrators. Event and security logs will be covered at length later in the chapter. File System PoliciesFile system policies can be used to configure security for files and folders. For example, to ensure that only administrators can modify system files and folders on all the computers in the domain, you can configure a policy that will grant full control over system files and folders to administrators while giving users read permission only. In addition, file system policies can also be used to prevent users from being able to see certain files and folders. This type of security configuration can be specified once in the file system policy and then applied to all the computers in the domain. This can save the network administrator a lot of time and effort when locking down the file system on a large number of computers. File System policies can also be used to control the security auditing of user access to certain files and folders when auditing is enabled. You can specify which users and which user events are logged for both failed and successful events. We will look at this at greater length in the section on Audit Policy. Local Computer PoliciesLocal computer policies are used to control the security of the local computer. The policies that will affect the local computer and its users are stored in the \%systemroot%\system32\GroupPolicy folder. Local computer policies allow the administrator to control and audit a variety of events and tasks. These events and tasks can be broken down into three areas:
Local Computer Policies allow the network administrator to control the security of the individual computers from a central location. By applying this policy to a domain, site, or organizational unit it saves the administrator time and effort since there is no need to visit individual computers. By separating different types of computers such as domain controllers, member servers, and user workstations into different organizational units, the administrator can tailor the policies for each type of machine. In addition, by assigning different user rights to different user groups, this also allows the administrator to grant more extensive rights that might be needed in the Developers group while limiting the rights of users in the Warehouse group. Audit PolicyThe Audit policy is used to specify which security events will be logged in the Security log on the local computer. This can include events such as logons and user access of specified files and folders. You can audit successful attempts, unsuccessful attempts, or both. Auditing and audit policies will be covered at length later in this chapter. |