Installing and Implementing Security


The Security Configuration and Analysis MMC snap-in component, which is built in to Windows Server 2003, enables you to quickly review security analysis results. Using a personal database to store the security analysis results, the Security Configuration and Analysis tool compares your present security settings with the settings in custom or built-in security templates. Recommendations are presented alongside your current system baseline settings, along with visual flags and remarks highlighting areas that do not match your proposed level of security. The Security Configuration and Analysis utility can also resolve or fix any security policy discrepancies.

Tip:

You might be tempted to use the Security Templates' MMC snap-in module for applying templates. However, the Security Templates Console is used to view and create security templates. The Security Configuration and Analysis tool is the preferred tool to use for applying the security template you created. Note that you could also use Active Directory Users and Computers to apply a security template to a policy linked to the appropriate container.


The components of the Security Configuration and Analysis tool and a brief description of each are listed in Table 7.1.

Table 7.1. Security Configuration and Analysis Components

| Components | Description |
|---|---|
| Security Templates | Predefined, built-in security policies. Templates can be applied to your local computer or to Group Policy Objects. |
| Security Settings Extensions to Group Policy | Used for editing security settings on a domain, site, or organizational unit. |
| Local Security Policy | Used for editing security settings on your local computer. |
| secedit commands | Command-line tool used to automate security settings. |

All security policies are computer-based policies. The built-in predefined security templates are provided to get you started building your own custom security template for your company's security policies. Using the Security Templates tool, select the template that comes closest to meeting your company's policy objectives, copy and save it with a different name, and then customize it to meet your company's security needs. The custom template can serve as a security baseline for analyzing future security discrepancies or policy violations. The original template you copied is still available for future use, if needed.

To install the Security Templates and the Security Configuration and Analysis MMC snap-in, follow these steps:

  1. Click Start, Run and type mmc in the Run text box. An empty console and console window open.

  2. From the File menu, select Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, select Security Templates and then click the Add button.

  4. In the Add/Remove Snap-in dialog box, select Security Configuration and Analysis, click Add, and click Close.

  5. Click the OK button again to return to Console1. Notice that both Security Templates and Security Configuration and Analysis are displayed in the left pane.

  6. From the menu, choose File, Save As, and type a meaningful name, such as Security, to save the file. Figure 7.1 shows the Security Templates and Security Configuration and Analysis snap-ins.

    Figure 7.1. Security console showing Security Templates and Security Configuration and Analysis snap-ins.


Using Security Templates

Before beginning to create and import your security template, you need some knowledge of what each predefined security template contains and what its primary security use is. By default, the built-in security templates are located in the systemroot\Security\Templates directory on your Windows Server 2003.

Table 7.2 lists Windows Server 2003's built-in security templates along with a brief description of each.

Table 7.2. Built-in Security Templates and Descriptions

| Security Template | Description |
|---|---|
| Default Security (setup security.inf) | Default computer security settings that were applied during the installation, including file permissions for the root directory. Member servers and clients can use this template, but not domain controllers (DCs). |
| DC Default Security (DC Security.inf) | Created during the installation of Active Directory (AD), when the server is promoted to a DC. It contains the DC's Registry, file, and system service default security settings. |
| Compatible (Compatws.inf) | Relaxes default file and Registry permissions for users so that users can run applications that lack the Windows Logo Program for Software Approval. |
| Secure (secure*.inf; *ws = workstations, *dc = domain controllers) | Medium-level security settings with minimal impact to application compatibility. Also used to limit the use of LAN Manager (NTLM) authentication protocols and for enabling Server Message Block (SMB) packet signing. Packet signing will be negotiated between client computers and servers at a secure level. Best used in pristine computer environments (no down-level clients). |
| Highly Secure (hisec*.inf; *ws = workstations, *dc = domain controllers) | Highly secure templates require strong encryption and signing for a secure channel. To use highly secure settings, domain controllers must use Windows 2000 or Windows Server 2003. Users can use only Windows Logo-approved application software. Use of logon cache data is limited. The Power Users group is removed and only domain admins and the local Administrator account are members of the local Administrators group. |
| System Root Security (rootsec.inf) | Specifies root-level permissions. Use this template to reapply and restore default root directory settings or to apply settings to other disk volumes. |
| No Terminal Server User SID (notssid.inf) | Removes Windows Terminal Server security identifiers (SIDs) from Registry and file locations when Terminal Server is idle. |

Alert:

The default security template, setup security.inf, should not be applied using Group Policy because it contains a large amount of data that can degrade network performance due to periodic refreshing of the policy. The Setup Security template should not be applied through Group Policy.

The Compatible template, compatws.inf, should not be applied to domain controllers. In other words, do not import the Compatible template into the default domain policy or the default domain controller policy.


To create a new security template based on a predefined template:

  • In the Security console tree, right-click the predefined template that comes closest to meeting your company's security policy needs, and choose Save As.

  • Type a name for the template in the Name text box and then click the Save button. In the left pane listed under Security Templates, Figure 7.2 displays the securedc template, saved as test securedc.

    Figure 7.2. Security console showing test securedc security template.


Applying Security Templates

To configure your company's computers for domainwide security, begin by importing the custom security template that you created into the Security Configuration and Analysis MMC snap-in and saving this template as a new database file. Choose Analyze Now from the menu to compare the imported security template's settings with those of your local Windows Server 2003 computer. Columns are displayed in the right pane after analysis is completed. Compare your server's present security settings with the imported security template and make adjustments, as necessary, to conform to your company's security policies. When completed, choose Configure Computer Now to complete the operation and apply the security policy settings. Use the View Log File menu action to review any errors or problems. Make changes as necessary.

To import your custom security template and create a security database file:

  1. Open your security console containing the Security Templates and the Security Configuration and Analysis snap-ins.

  2. Right-click Security Configuration and Analysis and choose Open Database.

  3. Type a meaningful name for your database file in the File Name text box, and then click Open.

  4. Click the custom company security template you created earlier and then click Open to import your company's custom security template entries into the database file.

  5. Leave the security console open for the next section.

Analyzing Security Templates

To analyze your system security settings:

  1. In the security console, right-click Security Configuration and Analysis and choose Analyze Computer Now.

  2. In the Perform Analysis dialog box, accept the default location for the error log file path and click the OK button to continue.

  3. When the analysis completes, expand all nodes in the left pane under Security Configuration and Analysis. Make sure to expand the Registry and file system last because they contain complex hierarchies. In the right pane, view and compare your security database policy settings with the current settings on your local Windows Server 2003.

When you analyze security settings, no changes are made to your system. The results of the security analysis show the differences in your custom security template as compared to your actual computer system settings. Figure 7.3 depicts the Local Policies, Security Options Policies analysis, in the right pane, using the test securedc template default settings.

Figure 7.3. Security console showing the Local Policies, Security Options Policies analysis in the right pane.


Notice that entries in the right pane have various icons indicating their status. These icon symbols are defined as follows:

  • Red X: Security values in the analysis database do not match computer system settings.

  • Green check mark: Security values in the analysis database match computer system settings.

  • Question mark: Security value in the analysis database is not defined and was not analyzed.

  • Exclamation point: Security value in the analysis database is defined but does not exist in computer system settings.

  • No symbol: Security value in the analysis database is not defined.

If a setting is not defined in your database, you can add it. To add a setting to your database:

  1. Right-click the nondefined entry and choose Properties.

  2. Click the Define This Policy in a Database check box, and then click other appropriate check boxes and then OK.

  3. To apply your new settings, right-click Security Configuration and Analysis in the left pane and choose Save.

The red flag icon displays differences in your security settings database when compared to your local computer settings. If security policy settings need changing in your database file, you can modify them. To edit a setting in your security policy database file:

  1. Right-click the entry to be edited and choose Properties.

  2. Make sure that the Define This Policy in a Database check box is checked, and then click the appropriate attribute you want to change and then OK. Figure 7.4 shows the Digitally Encrypt or Sign Secure Data Channel enabled on the local system computer. Select the Enabled radio button to define the policy in your database.

    Figure 7.4. The Analyzed Security Policy Setting tab showing the Digitally Encrypt or Sign Secure Data Channel enabled on the local system computer.


  3. To apply your settings, right-click Security Configuration and Analysis in the left pane and choose Save.

Tip:

If you make mistakes and need to revert to your original default security settings on your Windows Server 2003 domain controller, right-click Security Configuration and Analysis in the left pane, choose Import Template, and then click DC Security. Select the Clear This Database Before Importing check box and click Open. Right-click Security Configuration and Analysis in the left pane and choose Configure Computer Now. Accept the default error log file path. When the analysis completes, right-click Security Configuration and Analysis in the left pane and choose View Log File. Review any errors or problems you find.


Note:

You must be a member of Domain Admins or Enterprise Admins or have been delegated appropriate authority to use the Security Configuration and Analysis console on a domain controller.

For creating, modifying, or viewing security settings using the Security Templates console, you must be a member of the local Administrators group or have been delegated appropriate authority.


Changes you make to the analysis database are made to the stored template security settings in the database file, not to the security template file itself. You need to use the Security Templates snap-in component to make changes to your security policy templates.

Alert:

The Configure Computer Now option and the Save option accessed by right-clicking Security Configuration and Analysis in the left pane perform the same actions. They both write changes to your database file. When using the Configure Computer Now option, make sure to modify only areas not affected by Group Policy settings because Group Policy settings take precedence over local computer settings.


Note:

If you analyze large numbers of computers in your domain infrastructure, use the secedit command-line tool instead of the Security Templates console. Then view your results using the Security Configuration and Analysis snap-in console.
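
The note above points to secedit for analyzing many computers. The following PowerShell script is an added example, not code from the book: it compares a baseline template with the settings a server reports through `secedit /export` and labels each setting along the lines of the snap-in's icons. The sample template text, the `C:\Temp` path, the function names and the status names are assumptions made for illustration.

```powershell
# Added example (not from the book). The template text below is constructed.
# On a real server, export the current settings with
#   secedit /export /cfg C:\Temp\current.inf /areas SECURITYPOLICY
# and read both files with Get-Content instead of using the sample strings.

function Read-SecurityInf {
    # Flatten "[Section]" and "Name = Value" lines into a "Section\Name" table.
    param([string[]]$Lines)
    $settings = @{}
    $section = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }   # blank or comment
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $text -match '^([^=]+)=(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    $settings
}

function Compare-SecurityInf {
    # Status names are hypothetical; they mirror the snap-in's icon meanings.
    param([hashtable]$Baseline, [hashtable]$Current)
    $names = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        if (-not $Baseline.ContainsKey($name))        { $status = 'NotDefined' }
        elseif (-not $Current.ContainsKey($name))     { $status = 'NotOnSystem' }
        elseif ($Baseline[$name] -eq $Current[$name]) { $status = 'Match' }
        else                                          { $status = 'Mismatch' }
        New-Object PSObject -Property @{
            Setting = $name; Status = $status
            Baseline = $Baseline[$name]; Current = $Current[$name]
        }
    }
}

$baselineText = "[System Access]`nMinimumPasswordLength = 8`nLockoutBadCount = 5`n" +
                "[Event Audit]`nAuditLogonEvents = 3`nAuditAccountManage = 3"
$currentText  = "[System Access]`nMinimumPasswordLength = 0`nLockoutBadCount = 5`n" +
                "PasswordComplexity = 0`n[Event Audit]`nAuditLogonEvents = 3"

$report = Compare-SecurityInf (Read-SecurityInf ($baselineText -split "`n")) `
                              (Read-SecurityInf ($currentText -split "`n"))
$report | Where-Object { $_.Status -ne 'Match' } |
    Format-Table Setting, Status, Baseline, Current -AutoSize
```

Running the same comparison on each server and collecting the non-matching rows gives a per-computer discrepancy list that can then be checked in the Security Configuration and Analysis snap-in.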


Auditing and Implementing Security Settings

The Security Templates console can also be used to audit and track potential security problems, create an audit baseline of computer and network performance, ensure user accountability, and provide evidence in the event of a security breach. Effective audits can detect attacks and threats, and determine as well as prevent future damage. To audit events effectively, you have to establish an audit policy based on the security needs of your company.

Auditing tracks user and network activities and records events in your server's Event Viewer security log. Figure 7.5 shows the Event Properties dialog (left side) of a logon/logoff failure audit in Event Viewer security (right side). The Event Properties dialog box results show the reason for the failure (bad username or password), who the user was, and the date and time the logon failure occurred. The end result, logon failure, is displayed in the Event Viewer security log.

Figure 7.5. Event properties of a logon/logoff failure (left side) and Event Viewer security log, audit failure (right side).

Note:

Be careful what you audit because auditing events can quickly build up in Event Viewer. For example, auditing user logon success events for large companies would create hundreds or even thousands of success log entries in the security log of Event Viewer.


If you need to change only a few security audit settings on one or several computers, use the Local Security Policy utility. Use Group Policy and the Security Configuration and Analysis snap-in to implement an audit policy for your domain. Figure 7.6 shows the securedc-defined audit policies listed under Security Templates. You need to create, modify, and save audit policy settings using the Security Templates snap-in. Then import them and apply the settings to a Group Policy Object (GPO) using the Security Configuration and Analysis snap-in.

Figure 7.6. Security Templates showing securedc audit policies.

Tip:

Remember, you need to modify and save the audit policy settings using the Security Templates snap-in and then import them and apply the settings to a Group Policy Object (GPO) using the Security Configuration and Analysis snap-in.

The account policy must be defined in either the Default or new Domain GPO. There is only one account policy per domain. If other account policies are defined elsewhere, the default domain policy overwrites them.


Common events to audit include the following:

  • Account logon events: User logon and logoff events, which, when enabled, record results in the Event Viewer security log.

  • Account management: Computer account events such as creating, modifying, and deleting user accounts and setting and changing passwords.

  • Object access: Any object that contains an access control list (ACL) that users access, such as files, folders, and printers.

Alert:

For multiple security policy settings defined by several policies, the order of precedence, from highest to lowest, is

  • Organizational unit policy

  • Domain policy

  • Site policy

  • Local computer policy




MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment Exam Cram 2 (Exam Cram 70-292)
ISBN: 0789730111
EAN: 2147483647
Year: 2006
Pages: 132
