S.I.R.A. Representatives Course – Module 2
Local Security
20/11 – 27/11 – 05/12
11/12 – 13/12 (group 1)
12/12 – 15/12 (group 2)
Cristiano Gentili, Massimiliano Viola (CSIA)


Overview

• Securing Desktops and Services by Using Security Policies
• Auditing Access to System Resources

Securing Desktops and Services by Using Security Policies

• Implementing Security Policies
• Modifying Security Settings
• Using Predefined Security Templates
• Creating Custom Security Templates
• Analyzing Security
• Configuring and Analyzing Security from a Command Line

Implementing Security Policies

• Implementing Security Policies by Using Local Security Policy
• Implementing Security Policies by Using Group Policy

[Screenshot: Administrative Tools menu listing Local Security Policy]

Modifying Security Settings

• Account policies: Configure password and account policies
• Local policies: Configure auditing, user rights, and security options
• Public key policies: Configure encrypted data recovery agents, domain roots, trusted certificate authorities, etc.
• IPSec policies: Configure IP security on a network
• Event log: Configures settings for application logs, system logs, and security logs
• Restricted Groups: Configures group memberships for security sensitive groups
• System Services: Configure security and startup settings for services running on a computer
• Registry: Configures security on registry keys
• File system: Configures security on specific file paths

Using Predefined Security Templates

• Basic: Define the default security level for Windows 2000.
• Compatible: Provide a higher level of security than Basic but still ensure that all the features of standard business applications will run.
• Secure: Provide an additional level of security beyond Compatible, but do not ensure that all of the features of standard business applications will run.
• High: Enforce the maximum security for Windows 2000 without consideration for application functionality.

Creating Custom Security Templates

To create a custom security template:

• Add the Security Template snap-in to MMC
• Select the template to customize
• Configure the new policy settings
• Save the new configuration

Analyzing Security

[Diagram: Template (.inf file), Analysis Database (.sdb file), Current Computer Settings]

[Screenshot: console tree with Security Options selected; columns Policy, Database Setting, Computer Setting]

Configuring and Analyzing Security from a Command Line

• /analyze
• /configure
• /export
• /refreshpolicy
• /validate
• /areas (for example, FILESTORE)

C:\>cd %windir%\security\database

C:\WINNT\security\Database>secedit /configure /db mysecure.sdb /areas FILESTORE /Log C:\WINNT\security\logs\MySecure.Log /verbose

Task is completed successfully.
See log C:\WINNT\security\logs\MySecure.Log for detail info.

Auditing Access to System Resources

• Introduction to Auditing
• Selecting Events to Audit
• Planning an Audit Policy
• Setting Up an Audit Policy
• Auditing Access to Resources

Introduction to Auditing

• Auditing Tracks User and Operating System Activities
• Audit Entries Contain Actions Performed, Users Who Performed the Actions, and Success or Failure of the Events
• Audit Policy Defines the Types of Security Events That Windows 2000 Records
• You Set Up an Audit Policy to Track Success or Failure of Events, Identify Unauthorized Use of Resources, and Maintain a Record of Activity
• You View Security Logs in Event Viewer

[Diagram: Use of Resources, Success or Failure Logged, Event Viewer; sample entries "User1 logon failed", "Access denied", "Printing successful"]

Selecting Events to Audit

Event: Example

• Account logon: Domain controller receives a request to validate a user account
• Account management: Administrator creates, changes, or deletes a user account or group
• Directory service access: User gains access to an Active Directory object
• Logon: User logs on or off a local computer
• Object access: User gains access to a file, folder, or printer
• Policy change: Change is made to the user security options, user rights, or Audit policies
• Privilege use: User exercises a right, such as taking ownership of a file
• Process tracking: Application performs an action
• System: User restarts or shuts down the computer

Planning an Audit Policy

• Determine the Computers on Which to Set Up Auditing
• Review Security Logs Frequently
• Determine Whether to Audit the Success or Failure of Events, or Both
• Determine Which Events to Audit
• Determine Whether You Need to Track Trends

Setting Up an Audit Policy

[Screenshot: console at Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, with columns Policy, Local Setting and Effective Setting. Policies listed: Audit account logon events, Audit account management, Audit directory service access, Audit logon events, Audit object access, Audit policy change, Audit privilege use, Audit process tracking, Audit system events]

• Assign Security Settings to a Single Computer by Configuring the Settings in Local Policies in Group Policy

• Assign Security Settings to Multiple Computers by Creating a Group Policy Object and Assigning It
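
Audit policy settings like those above can also be stored in a security template (.inf), where the [Event Audit] section holds one numeric value per audit category. The following is an added example, not part of the course material: it parses a constructed template and lists the categories that audit less than a required baseline. The template contents, the baseline and the function names are assumptions made for the illustration.

```python
# Added example: check the [Event Audit] section of a security template (.inf)
# against a required audit baseline, in the spirit of an analysis run.

# Constructed sample template text (not taken from a real system).
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountLogon = 3
"""

# Template value -> wording shown in the console (bit 1 = success, bit 2 = failure).
LEVELS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Hypothetical baseline chosen for this example; not taken from the course.
BASELINE = {"AuditAccountLogon": 3, "AuditLogonEvents": 3, "AuditObjectAccess": 2,
            "AuditPolicyChange": 3, "AuditAccountManage": 3}

def parse_event_audit(text):
    """Return {setting: int} for the [Event Audit] section only."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings

def find_gaps(settings, baseline):
    """Return (setting, template level, required level) where the template falls short."""
    gaps = []
    for key, required in sorted(baseline.items()):
        actual = settings.get(key)                # None: not defined in the template
        if actual is None or actual & required != required:
            have = "Not defined" if actual is None else LEVELS[actual]
            gaps.append((key, have, LEVELS[required]))
    return gaps

if __name__ == "__main__":
    for key, have, need in find_gaps(parse_event_audit(SAMPLE_TEMPLATE), BASELINE):
        print(f"{key}: template has '{have}', baseline requires '{need}'")
```

A category that is missing from the template is reported as "Not defined" rather than "No auditing", because a template leaves unlisted settings unchanged on the target computer.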

Auditing Access to Resources

File System (NTFS)

• Set the Audit Policy to Audit Object Access
• Enable Auditing for Specific NTFS Files and Folders
• Record Success or Failure of an Event

Printers

• Set the Audit Policy to Audit Object Access
• Enable Auditing for Specific Printers
• Record Success or Failure of an Event