12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure

12.1 © 2004 Pearson Education, Inc.

Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure

Lesson 12: Configuring Active Directory Security

Introduce security configuration

Introduce auditing

Set audit policy on a domain controller

Set audit policy on a stand-alone server or computer

View the Security log

Audit user access to Active Directory objects

Assign user rights to users and groups

Goals




Implement account policy

Implement security templates

Use the Security Configuration and Analysis console

Use the Security Configuration and Analysis console to configure security

Troubleshoot security configuration issues

Goals (2)




Security configuration is the process of setting up a security policy

For an individual system

For a network

Security policies are required

Guard against unauthorized internal users

Protect from external threats

(Skill 1)

Introducing Security Configuration




Use security configuration

To set up security policies

Account

Local

To create access control policies

Services

Registry

Files

Introducing Security Configuration (2)

(Skill 1)




Use security configuration

To define event logs settings

To determine group membership settings (restricted groups)

To create public key policies

To set Internet Protocol (IP) security policies


(Skill 1)




Factors to consider while designing security policies

Physical distribution of the network

Business model of the organization

Network load due to inter-computer dataflow and access

Overall computer usage


(Skill 1)




Windows Server 2003 Security Configuration tools

Group Policy Object Editor is used to apply security settings centrally for the computers in a domain.

Use the Security Settings extension in the Group Policy Object Editor to apply different categories of security policies


(Skill 1)




Figure 12-1 Security extension of the Group Policy Object Editor

(Skill 1)




Categories of security policies

Account policies

Can only be set for the entire domain

Password policy

Account lockout policy

Kerberos policy


(Skill 1)




Figure 12-2 Password Policy settings

(Skill 1)





Local policies

Audit policy

User rights assignment

Security options


(Skill 1)





Event log allows you to specify security log settings

Maximum size of the event log file

Logging options

Event log access rights


(Skill 1)





Restricted Groups allows you to define additional control over the membership of key groups

Defining a group as a restricted group

Setting the membership for the group

Configuring member groups and users for the restricted group


(Skill 1)





System Services allows you to configure the startup settings for services on a computer

Startup mode settings: Automatic, Manual, and Disabled

Can specify which security group or user can modify a service’s properties (start, stop, or pause)


(Skill 1)




Figure 12-3 System Services security settings

(Skill 1)





Registry

Registry security settings allow you to set permissions for users to read, modify, and add new keys to the Registry

File System

Allows you to set access permissions for folders and files on the computer

Settings only apply to computers with NTFS drives


(Skill 1)




Figure 12-4 Files and Folders permissions settings

(Skill 1)





Wireless Network (IEEE 802.11) Policies control network security settings for supported wireless networking devices

Public Key Policies are used to configure the public key encryption

IP Security Policies are used to configure IP security for TCP/IP-based communication between servers, clients, and domain controllers using Microsoft’s version of IPSec


(Skill 1)




Auditing is used to track user activities and object access on the computers on a network

Regular auditing ensures security of network resources

Auditing can discover security breaches

Auditing can help in resource planning for the computers on the network

Introducing Auditing

(Skill 2)




Steps in setting up a security audit

Determine carefully the events to be audited on each computer

Security events that can be tracked

Who logged on to a computer and when?

What files were accessed or folders were created?

What printers were used?

What Registry keys were accessed when, and by whom?

What actions the users attempted to perform on them?

Introducing Auditing (2)

(Skill 2)




Steps in setting up a security audit

Decide the computers, users, or groups to be tracked

Activate the audit object access policy.


(Skill 2)




Activating the audit object access policy

Configure the audit object access policy in the Properties dialog box and the System ACL editor for the object

Select who you are going to audit

Choose what file system actions you want to monitor in the SACL editor for the file or folder


(Skill 2)




Monitoring a particular event

Define an audit policy in the Audit Policy folder

The audit policy tells the operating system what to record in the Security event log on each computer

On a domain controller, modify the default domain policy by using the Group Policy Management console

Only Domain Administrators and Enterprise Administrators can configure auditing at the domain level


(Skill 2)




Figure 12-5 Audit policy

(Skill 2)




Audited events are stored in the Security event log

Success and failure can both be recorded

Security log can be viewed using the Event Viewer

The Security log entries allow identification of existing security problems in the overall network, as well as on individual computers


(Skill 2)




Figure 12-6 The Security Event log

(Skill 2)




Unauthorized access to a domain must be monitored

Set up an audit policy on a domain controller by configuring Group Policy

Link the GPO to the default Domain Controllers OU

You must have the Manage auditing and security log right on the system to configure auditing

Setting Audit Policy on a Domain Controller

(Skill 3)




Setting up auditing is a two-step process

Step 1

Configure the audit policy to track particular events, for success, for failure or both

Step 2

Open the specific resource you wish to audit

Enable auditing by selecting the type of event you want to track and the user group or groups for which you want to track that event

Setting Audit Policy on a Domain Controller (2)

(Skill 3)




Figure 12-7 Creating a GPO

(Skill 3)




Figure 12-8 The Audit account logon events Properties dialog box

(Skill 3)




Figure 12-9 The Audit object access Properties dialog box

(Skill 3)




Figure 12-10 Advanced Security Settings for Annual Reports

(Skill 3)




Figure 12-11 Selecting the actions to be audited

(Skill 3)




Figure 12-12 A Security warning dialog box

(Skill 3)




Problems auditing stand-alone servers and workgroup computers running Windows 2000 or XP Professional

They do not belong to a domain

A domain controller-based audit policy cannot be applied to them

Stand-alone computers and the network computers may be able to access each other and hence require monitoring

Setting Audit Policy on a Stand-Alone Server or Computer

(Skill 4)




Audit policy should be set for stand-alone computers

To monitor network access attempts

To monitor local security events

Setting Audit Policy on a Stand-Alone Server or Computer (2)

(Skill 4)




Figure 12-13 Audit Policy in the Local Security Settings console

(Skill 4)




Figure 12-14 Enabling auditing for local logon attempts

(Skill 4)




Figure 12-15 Updating local security policy

(Skill 4)




Viewing the Security Log

Problems with implementation of audit policies

Increases the overhead on a computer

Slows down CPU performance

Security event log can become inundated with entries

Solutions

Set a schedule for checking the Security log regularly

Specify a maximum file size for Security log

(Skill 5)




Viewing the Security Log (2)

Be aware when the Security log reaches the maximum file size

You may lose data if the log becomes full before you archive it

Archiving is the process of saving a history of events so you can track trends in resource usage

When the log is full, the operating system will stop recording events

(Skill 5)




Figure 12-16 The Security Log Properties dialog box

(Skill 5)




Viewing the Security Log (3)

Set filters to control what is recorded in the log Event type: Information, Warning, Error, or Success or

Failure audit

Event source: Choose a particular source, such as Spooler, LSA (Local Security Authority), or SC (Service Control) Manager

Category: Account Logon, Account Management, Directory Service Access, Privilege Use, Object Access events, and so on

Event ID

User

Computer

Specific time periods

(Skill 5)




Figure 12-17 The Filter tab in the Security Properties dialog box

(Skill 5)




Figure 12-18 The Security log

(Skill 5)




Figure 12-19 Filtering the Security log

(Skill 5)




Figure 12-20 Viewing event details box

(Skill 5)




Auditing User Access to Active Directory Objects

Active Directory objects Are the essential building blocks of a Windows Server 2003

network

Include users, computers, OUs, groups, published printers, and so on

Audit policies for Active Directory objects Are set based explicitly on their functionality

An audit policy set for an Active Directory object is inherited by its child object through Policy Inheritance by default

(Skill 6)




Figure 12-21 The Auditing tab

(Skill 6)




Figure 12-22 Setting printer audit policy

(Skill 6)




Assigning User Rights to Users and Groups

User rights are different from permissions

Permissions allow a user access to certain resources

User rights allow the user to perform certain restricted actions, such as shutting down the system or logging on locally

(Skill 7)




Assigning User Rights to Users and Groups (2)

User Rights Assignment policy is used to grant users rights

Rights should be assigned to groups for ease of administration

Users can be added to the group to grant them the same level of user rights

Assign user rights to allow particular users to carry out specific functions

This increases the security of the system

(Skill 7)




Figure 12-23 User rights assignments

(Skill 7)




Figure 12-24 Adding a group to assign user rights

(Skill 7)




Figure 12-25 The Access this computer from the network Properties dialog box

(Skill 7)




Implementing Account Policy

Account policies

Used to set the user account properties that control the logon process

Types of policies

Account lockout policies

Password policies

Kerberos policies

(Skill 8)




Implementing Account Policy (2)

Configuring account policies

Group Policy Object Editor snap-in

Group Policy Management console (GPMC)

(Skill 8)





Account lockout policy

Objective of the policy is to prevent users from guessing passwords

There is immediate replication of Active Directory data between Windows Server 2003 domain controllers when an account is locked out

(Skill 8)





Account Lockout policy is configured by setting following policies

Account lockout threshold: Specify the number (0 to 999) of allowed invalid logon attempts

Account lockout duration: Specify the time duration (0 to 99999 minutes) during which the account remains disabled

Reset account lockout counter after: Set the time (1 and 99999 minutes) duration that must elapse after an invalid logon attempt before the account lockout counter is reset to 0

(Skill 8)





Password policy

Allows you to specify how users must manage their passwords

Factors to be considered

Password history

Password age

Password length

Complexity requirements

Encryption and storage methods

(Skill 8)





Kerberos policies

The Kerberos V5 authentication protocol is implemented through a Key Distribution Center (KDC)

They are applicable to domain user accounts or computer accounts only

They define settings such as ticket lifetimes and logon restriction enforcement

(Skill 8)




Figure 12-26 The Kerberos policies

(Skill 8)




Implementing Account Policy (7) Kerberos policy settings

Enforce user logon restrictions policy: If enabled, the KDC performs certain checks before issuing a session ticketValidity of the user account

User rights policy on the target computer

Maximum lifetime for service ticket: Sets the maximum length of time for a Logon Session Ticket

Maximum lifetime for user ticket: Sets the maximum length of time that the Ticket Granting Ticket (TGT) will be valid

Maximum lifetime for user ticket renewal: Sets the maximum lifetime for both the Ticket Granting Ticket (TGT) and the Logon Session Ticket

(Skill 8)





Kerberos policy settings

Maximum tolerance for computer clock synchronization

Sets the maximum number of minutes that the clock on the KDC can be different from the clock on the Kerberos client

This acts as a deterrent in replay attacks

(Skill 8)




Figure 12-27 The Account lockout threshold Properties dialog box

(Skill 8)




Figure 12-28 The Suggested Value Changes dialog box

(Skill 8)




Figure 12-29 The Enforce password history Properties dialog box

(Skill 8)




Figure 12-30 The Minimum password length Properties dialog box

(Skill 8)




Figure 12-31 The Maximum lifetime for service ticket Properties dialog box

(Skill 8)




Figure 12-32 The Suggested Value Changes dialog box for Maximum lifetime for user ticket

(Skill 8)




Implementing Security Templates

Security template

A group of security settings used to implement security in computers running Windows 2000 or later operating systems

A text-based file with an .inf file extension

You can import these templates into GPOs, and apply the set of common security settings to multiple computers with similar functionality

You can use them to save and restore security settings of a computer

(Skill 9)




Implementing Security Templates (2)

Windows Server 2003 provides several predefined security templates located in the folder

%Systemroot%\Security\Templates

The predefined security templates have four standard security levels

Basic

Compatible

Secure

Highly Secure

(Skill 9)




Figure 12-33 The predefined security templates

(Skill 9)





Implementing security templates consists of five steps

1. Accessing the Security Templates console

You can access the Security Templates console in an existing console by adding the Security Templates snap-in to it

You can also create a new Microsoft Management Console (MMC), and add the Security Templates snap-in to it

(Skill 9)






2. Customizing a predefined security template

You can edit a predefined security template

Save the modified template as a new template

3. Defining a new security template

You can define security settings in a new customized security template according to the specific security requirements of your organization

(Skill 9)






4. Importing a security template to a GPO

To apply the same security settings to multiple objects using a GPO, you can import an appropriate security template into the GPO

(Skill 9)






5. Exporting security settings to a security template

You can export the initial security configuration for a computer to a security template.

Similarly, the effective security settings (the security settings currently applied on the computer) for a computer can be exported to a security template

The initial security template can be used to restore the settings

(Skill 9)




Figure 12-34 Creating a new security template

(Skill 9)




Figure 12-35 Exporting policy settings to a template

(Skill 9)




Figure 12-36 Importing a security template

(Skill 9)




Using the Security Configuration and Analysis Console

Use the Security Configuration and Analysis snap-in to configure the local security settings on a computer

Importing a security template

Comparing the template to the currently configured computer settings

Performing a “what-if” analysis

(Skill 10)




Figure 12-37 The Security Configuration and Analysis snap-in

(Skill 10)




Using the Security Configuration and Analysis Console (2)

Analyzing the comparisons

The security settings that match are marked by a green check mark icon

The security settings that do not match are marked with a red x icon

Action

Update the security settings on the computer that do not match the database settings

(Skill 10)




Figure 12-38 Importing a template

(Skill 10)




Figure 12-39 The Analyzing System Security window

(Skill 10)




Figure 12-40 System security analysis results

(Skill 10)




Using the Security Configuration and Analysis Console to Configure Security

Use the Security Configuration and Analysis tool to configure security on individual computers

Set security settings by removing or updating any inconsistencies discovered in the analysis

You can construct a composite database security template by importing templates (either predefined or customized) into the database

(Skill 11)




Figure 12-41 The Configure System dialog box

(Skill 11)




Figure 12-42 Configuring Computer Security

(Skill 11)




Figure 12-43 Editing a configuration setting

(Skill 11)




Figure 12-44 The edited security settings

(Skill 11)




Troubleshooting Security Configuration Issues

Improving the success rate for network security

Examine the level of security requirements for the network

High level of security

Reduces efficiency

Increases cost and administrative effort

Low level security leads to unauthorized access, which can have serious repercussions

Identify existing and potential problems in the Security event log and update the security settings accordingly

(Skill 12)




Troubleshooting Security Configuration Issues (2)

Improving the success rate for network security

Determine network usage for certain resources that may cause problems in the future

Identify security patterns that may cause problems in the future

(Skill 12)




Figure 12-45 Security audit event details

(Skill 12)

Documents

12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure