Security Chapter Download


  • 8/6/2019 Security Chapter Download

    1/53

Administrator's Guide to Windows Server 2003

Security


Best practices for securing Windows Server 2003
Oct. 20, 2003
By Brien M. Posey, MCSE

If you've ever deployed Windows NT Server or Windows 2000 Server, you probably know that Microsoft designed those products to be unsecure by default. Although Microsoft has provided many security mechanisms, it's been up to you to implement them. But when Microsoft released Windows 2003 Server, the company switched philosophies. The new philosophy is that the server should be secure by default.

This is generally a good idea, but Microsoft didn't take it quite far enough. While a default Windows 2003 installation is certainly more secure than a default Windows NT or Windows 2000 installation, it is still anything but totally secure. Let's discuss some relatively easy measures that you can take to make Windows 2003 Server even more secure.

Know your role
Understanding the server's role (i.e., intended purpose) is absolutely critical to the security process. There are many roles for which a Windows Server can be configured. For example, a Windows 2003 Server can act as a domain controller, a member server, an infrastructure server, a file server, a print server, an IIS server, an IAS server, a terminal server, and the list goes on. A server can even be configured to fill a combination of roles.

The problem with this is that each server role has its own security needs. For example, if your server is going to function as an IIS server, you need to enable the IIS services. However, if the server is going to function solely as a file and print server, enabling IIS would be a huge security risk.

The reason I'm telling you this is to point out that there is no way that I can just give you a set of steps to follow and expect those steps to work in every situation. A server's security needs vary tremendously by the server's role and by the server's environment.

Because there are many ways to harden a server, I'll discuss the steps necessary for configuring a server to act as a simple, but secure, file server. I'll try to point out some things that you might do differently if the server is filling an alternate role. Just please understand that this isn't intended as a comprehensive guide to securing every type of server.

Physical security
To achieve true security, your server must be in a secure location. Normally, this means placing the server behind a locked door. Physical security is extremely important because many administrative and disaster recovery tools exist that can double as hacker tools. Anyone with such tools and a minimal skill level can hack a server in a matter of minutes once they have physical access to the machine. Your only hope of preventing such attacks is to place the server in a secure area. This is true of any Windows 2003 Server, regardless of its role.

Creating a baseline
Aside from establishing good physical security, the best advice that I can give you when deploying a series of Windows 2003 Servers is to decide on your security requirements prior to deployment and to enforce those policies immediately after deployment.

The best way to do this is to create a security baseline. A security baseline is a list of documented and accepted security settings. In most cases, your baseline settings will differ considerably depending on the server's role. So the best thing to do is to create several different baselines that you can apply to various different types of servers. For example, you might have one baseline for file servers, another for domain controllers, and still another for IAS servers.

Windows 2003 contains a tool called the Security Configuration And Analysis Tool. This tool allows you to compare a server's current security policy against a baseline security policy contained within a template file. You can either create these templates yourself or use one of the included template files.

    189Security


TechRepublic's Administrator's Guide to Windows Server 2003 gets you up to speed quickly on Microsoft's newest server operating system. Each chapter is packed with the clear and concise how-to information you need to optimize, troubleshoot and secure Windows Server 2003.

Tap field-tested solutions. Minimize your learning curve. Turn to the Administrator's Guide to Windows Server 2003 book and accompanying CD to learn how to:

Plan for and deploy Windows Server 2003
Configure VPN connections
Fine-tune servers for optimum performance
Solve Group Policy problems
Troubleshoot Active Directory
Overcome DNS errors
Lock down servers
Secure wireless connections
Recover from disasters
And more

Eliminate guesswork. Leverage the proven expertise in TechRepublic's Administrator's Guide to Windows Server 2003. Designed by IT pros for IT pros, this unique book and CD set provide you with the tools and information required to become an effective Windows Server 2003 administrator.

Order now and receive free shipping!
http://techrepublic.com.com/5111-6242-26-23311.html

The security templates are a series of text-based INF files stored in the %SYSTEMROOT%\SECURITY\TEMPLATES folder. The easiest way to examine or modify the individual templates is through the Microsoft Management Console (MMC).

To open the console, enter the MMC command at the Run prompt. When the empty console loads, select the Add/Remove Snap-in command from the File menu. This will cause Windows to display the Add/Remove Snap-in properties sheet. Click the Add button found on the properties sheet's Standalone tab and you will see a list of all of the available console snap-ins. Select the Security Templates snap-in from the list and then click the Add, Close, and OK buttons.

Once the Security Templates snap-in is loaded, you can view each of the security templates. As you navigate through the console tree, you will see that each template mimics the group policy structure. The template names reflect each template's purpose. For example, the HISECDC template is a high-security domain controller template.

If you're trying to secure a file server, I recommend starting with the SECUREWS template. As you look through all of the template's settings, you will find that although the template can be used to make the server more secure than it currently is, it may not meet your needs. Certain security settings may be too strict or too relaxed. I would recommend either modifying the existing settings to meet your needs or creating a brand new policy. You can easily create a new template by right-clicking on the C:\WINDOWS\Security\Templates folder within the console and selecting the New Template command from the resulting menu.

Once you have created a security template that meets your needs, go back to the Add/Remove Snap-in properties sheet and add a snap-in called Security Configuration And Analysis. When the snap-in loads, right-click on the Security Configuration And Analysis container, then select the Open Database command from the resulting menu. Since no database currently exists, make up a name for the security database. Click Open, and the necessary database will be created using the name that you provided.

Next, right-click on the Security Configuration And Analysis container and select the Import Template command from the shortcut menu. You'll see a list of all of the available templates. Select the template that contains your security policy settings and click Open. After the template has been imported, right-click on the Security Configuration And Analysis container once again and select the Analyze Computer Now command from the shortcut menu. Windows will prompt you for a location to write the error log. Enter a file path and click OK.

At this point, Windows will compare your server's existing security settings against those in the template file. You can see the results of the comparison by navigating through the Security Configuration And Analysis console. Each group policy setting displays both the current setting and the template setting.

Once you've had a chance to look through the list of discrepancies, it's time to enforce the security policy based on the template. To do so, right-click on the Security Configuration And Analysis container one last time and select the Configure Computer Now command from the shortcut menu. The tool will then modify your computer's security policy to match the template policy.

Group policies are hierarchical in nature. A group policy may be applied at the local computer level, the site level, the domain level, or the OU level. When you implement security based on a template, you're modifying the computer-level group policy. Other group policies aren't directly affected, although the final policy may reflect a change due to a setting in the computer policy being inherited by higher level policies.

Modifying built-in accounts
For years, Microsoft has been preaching that you need to rename the Administrator account and disable the Guest account to achieve good security. In Windows Server 2003, the Guest account is disabled by default, but renaming the Administrator account is still a good idea because it's common for attackers to try to compromise the Administrator account.

192 Administrators Guide to Windows Server 2003

There are a number of hacker tools that reveal the Administrator account's real name by examining the account's SID. Unfortunately, you can't change this account's SID and there is really no way of preventing such a tool from determining the Administrator account's real name. Even so, I encourage everyone to rename the Administrator account and to change the account's description for two reasons.

First, less sophisticated hackers may not know of the existence of such tools or have access to them. Second, renaming the Administrator account to a unique name makes it easy for you to monitor attacks against the account.

Another tip pertains to member servers. Member servers have their own built-in local administrative account that is completely separate from the domain Administrator account. You can configure every member server to use a different administrator account name and password. The idea is that if someone were to figure out the local administrator account name and password on one member server, you wouldn't want them to be able to use those credentials to hack your other servers too. Of course, if you have good physical security in place, no one should be able to gain access to a server to be able to use a local account.
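The monitoring benefit of the rename deserves a concrete illustration. The following is an added example, not code from the article: once the built-in account carries a unique name, no legitimate logon should ever use the name "Administrator", so every failure against that name is a clean signal, and failures against the new name show who is probing the real account. The log lines are a constructed, simplified export of Windows 2000/2003 Security log events (529 is "logon failure: unknown user name or bad password", 539 "account locked out", 528 a successful logon); the column layout and the account name svc-ops-admin are assumptions of this example.

```python
"""Spot logon attempts against the old and the renamed Administrator name.

Added example, not from the article. Event IDs follow the Windows 2000/2003
Security log (529 bad user/password, 539 locked out, 528 success); the
comma-separated export layout below is an assumption of this example.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

NEW_ADMIN_NAME = "svc-ops-admin"   # assumed name the built-in account now has
DECOY_NAME = "Administrator"       # old name; no legitimate logon uses it

# Constructed sample export: date,time,event_id,user_name,workstation
SAMPLE_LOG = """\
date,time,event_id,user_name,workstation
2003-10-20,09:01:12,528,jsmith,WS0042
2003-10-20,09:02:40,529,Administrator,WS0101
2003-10-20,09:02:41,529,Administrator,WS0101
2003-10-20,09:02:43,529,Administrator,WS0101
2003-10-20,09:05:10,529,svc-ops-admin,WS0101
2003-10-20,09:07:55,528,svc-ops-admin,MGMT01
2003-10-20,09:30:00,529,jsmith,WS0042
"""

FAILURE_EVENTS = {529, 539}   # other 53x failure codes exist; these suffice here


class LogonEvent(NamedTuple):
    event_id: int
    user: str
    workstation: str


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed export, skipping the header row."""
    events = []
    for line in text.strip().splitlines()[1:]:
        _date, _time, event_id, user, workstation = line.split(",")
        events.append(LogonEvent(int(event_id), user, workstation))
    return events


def summarize(events: List[LogonEvent], threshold: int = 3) -> Dict[str, object]:
    """Count failures against the decoy name and the real admin name per source.

    Any source that fails `threshold` or more times against the decoy name
    is reported: nothing legitimate should be trying that name at all.
    """
    decoy_by_source: Counter = Counter()
    admin_by_source: Counter = Counter()
    for ev in events:
        if ev.event_id not in FAILURE_EVENTS:
            continue
        if ev.user.lower() == DECOY_NAME.lower():
            decoy_by_source[ev.workstation] += 1
        elif ev.user.lower() == NEW_ADMIN_NAME.lower():
            admin_by_source[ev.workstation] += 1
    alerts = [f"{ws}: {n} attempts against decoy name {DECOY_NAME!r}"
              for ws, n in decoy_by_source.items() if n >= threshold]
    return {
        "decoy_attempts": sum(decoy_by_source.values()),
        "admin_failures": sum(admin_by_source.values()),
        "admin_failure_sources": sorted(admin_by_source),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The same workstation that hammers the decoy name and then tries the real name once is exactly the pattern the renamed account makes visible; without the rename, the three decoy failures would be indistinguishable from an administrator mistyping a password.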

Service accounts
Windows Server 2003 is designed in a way that minimizes the need for service accounts. Even so, some third-party applications absolutely insist on a traditional service account. If possible, always use a local account as the service account instead of using a domain account, because if someone were to gain physical access to the server, they could dump the server's LSA secrets and compromise the password. If you use a domain password, the password can be used from any computer within the forest to gain access to the domain. If a local account is used, though, the password is useless from anywhere other than the compromised machine and doesn't provide any access to the domain.

System services
There is a fundamental law of computing that states that the more code running on a system, the greater the chance that the code will contain a security vulnerability. One of the primary security strategies that you should focus on is to reduce the amount of code running on your server. Doing so reduces security risks and will also improve the server's performance.

In Windows 2000, there were a lot of services that were running by default, but were totally unnecessary in most environments. In fact, a default installation of Windows 2000 even included a fully operational IIS server. In Windows Server 2003, Microsoft turned off most of the services that aren't absolutely necessary. Even so, there are some services that are running by default, but are open to debate. One such service is the Distributed File System (DFS) service. The DFS service was primarily designed to make a user's life easier. DFS allows an administrator to create a logical namespace containing resources from multiple servers or partitions. To a user, all of these distributed resources appear to exist within a single folder.

I personally like DFS, especially because of its fault tolerance and scalability features. However, if you were to not use DFS, you would force users to know the actual path to a specific resource instead of being able to access all resources through a single path. In some environments, this may translate to better security. In my opinion, though, the rewards of DFS far outweigh the risks.

Another such service is the File Replication Service (FRS). The FRS is used to replicate data between servers. This is a mandatory service on domain controllers because it's responsible for keeping the SYSVOL folder synchronized. For member servers, however, this service isn't mandatory unless you are running DFS.

If you have a file server that isn't a domain controller and isn't using DFS, I recommend disabling the FRS. Disabling the FRS decreases an attacker's ability to replicate a malicious file across multiple servers. The FRS is enabled by default.


Another service worth taking a look at is the Print Spooler service. The Print Spooler manages all local and network print queues and controls all of the print jobs within these queues. The Print Spooler is required for all printing operations and is enabled by default.

The flip side to this is that not every server requires printing capabilities. Unless a server is acting as a print server, you should disable the Print Spooler. After all, why should a dedicated file server run the Print Spooler? Normally, no one should be sitting at the server console working, so there should be no need to print locally or from across the network.

I realize that often during disaster recovery operations, it might become necessary to print an error message or an event log. However, I recommend simply turning on the Print Spooler service when it is needed rather than leaving it on all the time for non-print servers.

Believe it or not, the Print Spooler is one of the most heavily exploited Windows components. There are countless Trojans that work by replacing the Print Spooler's executable file. The reason for such an attack is that the Print Spooler operates as a system-level service and, therefore, has a high level of privileges. So any Trojan posing as the Print Spooler can also gain these high-level privileges. To protect your server from such an attack, just prevent the Print Spooler service from running.
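The baseline procedure described under "Creating a baseline" and the service recommendations in this section (FRS and the Print Spooler off on a file server that is neither a domain controller nor a DFS host) come together in the template file itself. The following is an added example, not code from the article and not the Security Configuration And Analysis tool: it parses the INI-style INF format that the templates under %SYSTEMROOT%\Security\Templates use (and that `secedit /export` writes for a server's current settings) and lists every setting where the server drifts from the baseline, which is the current-versus-template view the SCA console presents. Both INF texts are constructed samples; the security descriptor field of each service row is left empty for brevity, and the startup-type codes follow the service control manager (2 = Automatic, 3 = Manual, 4 = Disabled).

```python
"""Baseline drift check over Windows Server 2003 security template INF files.

Added example, not from the article. Parses the template INF format (same as
`secedit /export` output) and reports every baseline setting the server does
not match. Sample INF texts are constructed; service rows are
`Service,StartupType,SecurityDescriptor` with the descriptor omitted here.
"""
import re
from typing import Dict, List, Tuple

# Constructed file-server baseline: stronger password/lockout policy, logon
# auditing on, Print Spooler (Spooler) and FRS (NtFrs) disabled (type 4).
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Service General Setting]
Spooler,4,""
NtFrs,4,""
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of the server as installed: no minimum password
# length, no lockout, no logon auditing, both services still automatic (2).
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Service General Setting]
Spooler,2,""
NtFrs,2,""
Dfs,2,""
[Version]
signature="$CHICAGO$"
Revision=1
"""

IGNORED_SECTIONS = {"Unicode", "Version"}   # bookkeeping, not policy
Drift = Tuple[str, str, str, str]            # section, key, current, baseline


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}. Most sections are `Key = Value`;
    [Service General Setting] rows are comma-separated, so the service name
    is the key and the rest of the row (startup type, descriptor) the value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line!r}")
        sep = "," if current == "Service General Setting" else "="
        key, _, value = line.partition(sep)
        sections[current][key.strip()] = value.strip()
    return sections


def compare(baseline: Dict[str, Dict[str, str]],
            current: Dict[str, Dict[str, str]]) -> List[Drift]:
    """Every baseline setting the server does not match. A key missing on the
    server reads as "<not set>"; settings the baseline does not mention are
    left alone, as the SCA tool does with unspecified template settings."""
    drift: List[Drift] = []
    for section, settings in baseline.items():
        if section in IGNORED_SECTIONS:
            continue
        live = current.get(section, {})
        for key, wanted in settings.items():
            have = live.get(key, "<not set>")
            if have != wanted:
                drift.append((section, key, have, wanted))
    return drift


if __name__ == "__main__":
    for section, key, have, want in compare(parse_inf(BASELINE_INF),
                                            parse_inf(CURRENT_INF)):
        print(f"[{section}] {key}: current={have} baseline={want}")
```

Run against a real export, the script gives the same list the Analyze Computer Now step produces, but in a form you can keep under version control and re-run after every change; the DFS service, which the baseline does not mention, is deliberately not reported, so the template only ever speaks to the settings you have decided on.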


Tips to help secure Windows Server 2003 Active Directory
Oct. 27, 2003
By Brien M. Posey, MCSE

If I were to tell you that Windows NT Server 4.0 was a lot more secure than Windows 2000 Server, you would probably think that I had lost my mind. Sometimes, though, truth is stranger than fiction. In some ways, Windows NT Server was more secure than Windows 2000 Server. However, Microsoft learned from their mistakes and implemented a Windows NT-like security structure into Windows Server 2003's Active Directory. Let's discuss these security issues and learn some tips you can use to build a secure Active Directory (AD) environment.

Physical security is job 1
When attempting to secure AD, it's critical that you implement physical security first. If anyone you wouldn't trust with the Administrative password has physical access to a domain controller or to your DNS servers, you don't have a secure AD. Many administrative and disaster recovery tools exist that can easily double as hacker tools.

Given physical access to the server, it is easily possible for someone with minimal computer knowledge to hack the server in a matter of minutes. So don't even bother trying to secure AD until you've made sure that all of your servers are placed in a secure location.

Windows NT vs. Windows 2000
Don't get me wrong. In many areas, Windows 2000's security is far superior to that offered by Windows NT. However, there is a basic law of computing that states that the more complex a piece of software is, the greater the chance that it will contain a security hole or a major bug that can be exploited. As we all know, Windows 2000 is a lot more complex than Windows NT.

Perhaps the best example of simplicity and security going hand-in-hand involves the domain model implemented by each server operating system. In Windows NT, the domain was pretty much the only organizational structure that existed. A domain often contained all of the users, groups, and computers for an entire organization. If an organization was really big, they could create multiple domains and have the domains trust each other; but each domain was an independent structure.

When Microsoft created Windows 2000, they realized that the Windows NT domain model just didn't scale well into larger organizations. So, they based the AD on a structure called a forest. A forest is basically a collection of domain trees. Within a forest, you can have many different domains and can even use parent and child domain trees. Just as was the case with Windows NT, each domain has its own Administrator. This is where the similarities end, though.

In Windows 2000, Microsoft decided they needed to make the domains more manageable. They created different levels of domain administration. For example, a member of the Domain Admins group could typically administer the current domain and any child domains beneath it. A member of the Enterprise Admins group had the ability to administer any domain within the entire forest. Herein lies the problem.

The fatal flaw in the Windows 2000 AD model is that every domain completely trusts every other domain within the forest. This causes a couple of problems. First, if security has not been applied properly, administrators can just add their accounts to the Enterprise Admins group to gain control over the entire forest. If the domain is a bit more secure, rogue administrators need only to tamper with the SID history and launch an elevation of privileges attack against the forest. By manipulating the SID history, administrators could give themselves Enterprise Admin status.

There are other inherent weaknesses in the Windows 2000 AD security model as well. As you probably know, each domain requires at least one domain controller. Likewise, each domain controller contains information relating not only to the domain but also to the forest. Such information includes AD's schema and some basic configuration.

Now, imagine you had an administrator who wasn't being intentionally malicious but who installed a malicious application or incorrectly modified an AD. If the change that the administrator made was to a forest-level AD component, the change would eventually be propagated to every domain controller in the entire forest, thus corrupting every single copy of AD and potentially crashing the entire network.

Let's compare this situation to Windows NT. Even if one domain trusts another domain, both domains include a copy of the Security Accounts Manager pertaining to their own domain only. In this way, rogue administrators can't make a change to the SAM in their domain and then use that change to corrupt other domains. Likewise, there is no all-powerful group within Windows NT that a rogue administrator could use to gain control over every domain in the entire organization.

Another nice thing about the way that Windows NT's trust relationships worked was that trust relationships could either be one-way or two-way, and they were never transitive in nature. This meant that if you had a Users domain and an Admin domain, you could either allow both domains to trust each other or you could configure the network so that the Users domain trusted the Admin domain, but not vice versa. It also meant that if Domain A trusted Domain B and Domain B trusted Domain C, then Domain A didn't trust Domain C unless you told it to.

Windows Server 2003 security
You're probably wondering what all of this has to do with Windows Server 2003. I went into the long comparison between Windows NT and Windows 2000 because in Windows Server 2003, Microsoft incorporated the best of both worlds. And so, to properly secure your Windows Server 2003 network, you need to understand the strengths and weaknesses of both security models.

The biggest AD security weakness in Windows 2000 is that all domains within a forest are linked together by a common administrative structure, the forest itself. In Windows Server 2003, the forest structure still exists and works almost identically to the way it did in Windows 2000.


What is different about the forest structure in Windows Server 2003 from that of Windows 2000 Server is that Windows Server 2003 makes it relatively easy to establish trust relationships between forests. Inter-forest trusts were possible in Windows 2000; but, in Windows Server 2003, inter-forest trusts are actually useful. When a trust relationship exists between forests, an administrator can grant a user from a foreign forest access to a resource in the same manner that they would if the user existed within the local forest.

Single forest vs. multiple forests
A single forest environment is ideal for most small to medium-sized companies. Single forest environments are easy to manage. But larger companies often need each office or each department to be able to have full administrative capabilities over its own users and computers. In such environments, there is often a high degree of distrust between these various groups. In a situation like this, interconnected forests are ideal because they give each group total autonomy.

At the same time, even though the administrative burden is distributed, such a model usually has a much higher administrative burden than a single forest environment, which results in higher administrative costs to the company as a whole. My point is that, in a Windows Server 2003 AD environment, there is a trade-off between cost and security.

Inter-forest trusts
Let's discuss the specifics behind using multiple forests as a mechanism for securing your organization's AD. First, each forest has its own AD; there is no common thread of any kind tying the forests together. So, it's possible to configure each forest to use a common DNS server. Assuming that the DNS server and backup DNS server are managed by someone trustworthy, DNS server consolidation is a great way to reduce cost and lessen the administrative burden. On the flip side, sharing a common DNS server can also be a single point of failure for the network if no backup DNS server is used.

There are some prerequisites you must meet before you can establish a trust relationship between forests in Windows Server 2003. Perhaps the most difficult of these is that any forest involved in the trust must be running at Windows Server 2003 forest functional level. Windows 2000 allowed you to run AD in either mixed mode or in native mode. The functional level in Windows Server 2003 is very similar to this. Setting a forest to Windows Server 2003 forest functional level requires every domain controller within the forest to be running Windows Server 2003.

Also, to create an inter-forest trust, you must be a member of the Enterprise Admins group. You must also have your DNS server configured so that it can resolve the names of domains and servers within the forest with which you're establishing the trust relationship.

Finally, you may recall from Windows 2000 that every forest has a root domain and all other domains fall beneath the root. Windows Server 2003 can create an inter-forest trust only from the root domain, because inter-forest trusts are transitive at the domain level. This means that if you were to establish a trust between Forest A and Forest B, then every domain in Forest A will trust every domain in Forest B, and vice versa. Forest trusts are not transitive at the forest level, though.

For example, if Forest A trusts Forest B and Forest B trusts Forest C, Forest A will not trust Forest C unless you tell it to do so. As you can see, the transitive nature of inter-forest trusts makes them fairly powerful. If your forest has multiple domains, you don't want an administrator of some lower-level domain creating an inter-forest trust without your knowledge or consent. That would cause huge security problems. This is why you can create an inter-forest trust only at the forest root level.

Another interesting thing about creating trusts with Windows Server 2003 is that you don't necessarily have to create a full inter-forest trust. Suppose your business needs to establish a trust relationship with a supplier. You probably need to establish a trust relationship with only one of the supplier's domains. You probably aren't interested in the supplier's human resources or marketing domains. In such a case, you can create what's called an external trust.


An external trust is a trust relationship between domains, similar to the trust relationships that existed in Windows NT. An external trust can be established from any domain within your forest and links to a domain in a foreign forest. Aside from being able to establish the external trust at any domain level, there are other critical differences between an external trust and an inter-forest trust.

Unlike an inter-forest trust, an external trust is completely nontransitive, which means the trust applies only to the domains that the trust is assigned to. Other domains within the two forests don't acknowledge the trust relationship.

Whether you are forming an inter-forest trust or an external trust, you have the option of creating a two-way trust, a one-way incoming trust, or a one-way outgoing trust. A two-way trust simply means that both domains trust each other. A one-way incoming trust means that users in the current domain or forest can be authenticated by the foreign domain or forest. Likewise, a one-way outgoing trust means that users in the foreign forest or domain can be authenticated by the local domain or forest.

Cross-forest authentication
Windows Server 2003 inter-forest trusts support cross-forest authentication. Suppose a user who normally logged in to Forest A made a business trip to the company hosting Forest B. With cross-forest authentication, users from Forest A could log in to Forest B just as though they were logging in to Forest A.

This might seem strange at first since neither the domain controllers nor the global catalog in Forest B would have any knowledge of a user from Forest A. When the user tries to log in, the computer checks the domain controller and then the global catalog for the user's account. Because the account is not found, the system implements a cross-forest name-matching function. This function compares the user's credentials with those found within all recognized namespaces (forests). The comparison is made via Kerberos and NTLM, so the process is secure.

Cross-forest authorization
Another feature that's great about Windows Server 2003 is cross-forest authorization. This allows you to assign permissions to users within both the local forest and trusted forests directly through an Access Control List (ACL). This comes in handy for both granting and denying permissions.

Suppose you were an administrator for your company's research and development department and that your job was to keep all of the files on your server confidential. The forest-level administrator for your company didn't know what he was doing, and he created an inter-forest trust with a competitor. If you wanted to keep users at the competitor's firm from being able to access your data, you could give those users an explicit deny at the root level of each of the servers in your domain.

As nice as this capability sounds, though, there is a catch. You must completely type in the names of users or groups from trusted forests. Enumeration and wild cards aren't supported. This means that you can't just implement a blanket policy that says don't let anyone from that other forest access any of my data. You could, however, get the names of each of the domains belonging to the other forest and deny access to the Everyone group belonging to each of those domains.
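The trust rules spelled out across the "Inter-forest trusts", external trust, and "Cross-forest authorization" passages are easy to get wrong when several forests are involved, so here is an added worked model (not code from the article): it encodes that every domain in a forest trusts every other, that a forest trust is transitive at the domain level but never chains across a third forest, that an external trust binds exactly one domain pair, that a one-way trust only authenticates in one direction, and that the way to shut a whole foreign forest out of an ACL is one explicit deny for each of its domains' Everyone groups. Forest letters, domain names and the ACL are constructed for the example.

```python
"""Windows Server 2003 trust model: who can be authenticated and authorized where.

Added example, not from the article. Forests, domains, trusts and the ACL
below are constructed. Direction convention: an edge (X, Y) means X trusts Y,
i.e. X has an outgoing trust to Y and can authenticate Y's users.
"""
from typing import Dict, List, Set, Tuple

# Constructed forests: {forest: [domains]}, first entry is the forest root.
FORESTS: Dict[str, List[str]] = {
    "A": ["a.example", "dev.a.example", "rnd.a.example"],
    "B": ["b.example", "hr.b.example"],
    "C": ["c.example", "sales.c.example"],
}

# Two-way forest trusts A<->B and B<->C (each is two directed edges).
# Nothing links A and C: forest trusts do not chain.
FOREST_TRUSTS: Set[Tuple[str, str]] = {("A", "B"), ("B", "A"), ("B", "C"), ("C", "B")}

# One-way external trust: dev.a.example trusts the supplier's sales domain only.
EXTERNAL_TRUSTS: Set[Tuple[str, str]] = {("dev.a.example", "sales.c.example")}

ACE = Tuple[str, str]   # ("Allow" | "Deny", principal)


def forest_of(domain: str) -> str:
    for forest, domains in FORESTS.items():
        if domain in domains:
            return forest
    raise KeyError(domain)


def can_authenticate(user_domain: str, resource_domain: str) -> bool:
    """Can a user from user_domain be authenticated by resource_domain?"""
    uf, rf = forest_of(user_domain), forest_of(resource_domain)
    if uf == rf:
        return True                     # within a forest every domain trusts every other
    if (rf, uf) in FOREST_TRUSTS:
        return True                     # forest trust: every domain of rf trusts every domain of uf
    return (resource_domain, user_domain) in EXTERNAL_TRUSTS   # exact domain pair, nontransitive


def deny_entries_for_forest(forest: str) -> List[ACE]:
    """No wildcard over a foreign forest exists, so deny each domain's Everyone group."""
    return [("Deny", f"{domain}\\Everyone") for domain in FORESTS[forest]]


def is_authorized(user_domain: str, resource_domain: str, acl: List[ACE]) -> bool:
    """Authentication first; then an explicit deny wins over any allow.
    An authenticated user belongs to the generic Everyone group and to the
    Everyone group of its own domain."""
    if not can_authenticate(user_domain, resource_domain):
        return False
    memberships = {"Everyone", f"{user_domain}\\Everyone"}
    if any(kind == "Deny" and who in memberships for kind, who in acl):
        return False
    return any(kind == "Allow" and who in memberships for kind, who in acl)


# The R&D scenario from the text: the share in rnd.a.example is readable by
# Everyone, but every domain of the unwanted partner forest B is denied.
RND_ACL: List[ACE] = [("Allow", "Everyone")] + deny_entries_for_forest("B")


if __name__ == "__main__":
    for user in ["dev.a.example", "hr.b.example", "c.example", "sales.c.example"]:
        print(f"{user:>16} -> rnd.a.example: auth={can_authenticate(user, 'rnd.a.example')}"
              f" authz={is_authorized(user, 'rnd.a.example', RND_ACL)}")
```

Note that `hr.b.example` users still authenticate against `rnd.a.example` (the forest trust does that for every domain pair), which is exactly why the text reaches for an explicit deny rather than relying on the trust boundary; and a user from `c.example` is refused at the authentication step, because B trusting C gives A nothing.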

The best of both worlds
Even though Windows 2000 is newer than Windows NT, some of the improvements actually decreased security in your organization. Windows Server 2003 gives you added flexibility to restore that security. One way to achieve effective security within an organization is to implement multiple forests and create trust relationships between them. However, this isn't a process to be taken lightly, because there are many prerequisites and the process tends to increase costs and the administrative burden.


    Most companies go to great lengths toprotect data. All of your efforts tosecure files basically boil down to

    how much you trust your employees. You havealways been able to control access to filesthrough authentication and permissions, butuntil now it has been impossible to control whatan authorized individual does with the files oncethey gain access. This is where Windows RightsManagement Services (RMS) comes in. RMSoffers persistent security that stays with a file,no matter where that file may go.

A practical example
For example, suppose that I had some super-secret Microsoft Word document explaining how I was going to take over the world. Normally, I would grant a couple of highly trusted people access to the document and pray that they didn't pass the document on to anyone else.

With Windows Rights Management, in addition to the normal permissions on the file server where I keep my secret plans, I could actually build permissions into the document saying that only certain people are allowed to access the document. That way, if one of my trusted staff members gave a copy of the document to someone else, that someone else would be unable to open the document.

Beyond passwords
As you know, for years now it has been possible to password protect Microsoft Office documents. RMS goes way beyond password protection. After all, it's way too easy for someone to pass a document along to someone else along with an e-mail message that says something like: "Here's the document that I told you about. The password to open the document is Scarab."

Speaking of e-mail messages, RMS can even be applied to an e-mail message. For example, years ago I worked for an insurance company that was having some financial problems. The president of the company sent out a confidential e-mail message to the managers telling them that 20 percent of the staff was to be laid off. Although the message was supposed to be confidential, one of the managers forwarded the e-mail to her entire staff, who in turn forwarded the message to a bunch of other people. By the end of the day, pretty much everyone in the company had seen the memo. Sure, the manager who leaked the memo was promptly fired, but the damage had already been done.

If this situation were to occur today, the president could apply RMS to the e-mail message. This would prevent the message from being forwarded to anyone except the people he specifically designated. He could even go so far as to set an expiration date on the message so that it could no longer be opened after a specific length of time.

Implementing Windows Rights Management Services
Obviously, RMS is a very useful technology, but you are probably wondering how it works. There are two primary components to RMS. First, there's the RMS service itself. This is the server-side component: it runs as a set of Web services on IIS, certifies users against their Active Directory accounts, and issues the licenses that an RMS-enabled application needs before it will publish or open protected content. Second, there is the client component. Typically, the client component is embedded into an RMS-enabled application such as Microsoft Office 2003. There is also a software developer's kit that developers can use to build RMS security into custom applications.

Although RMS is designed to run on Windows Server 2003, it does not ship with Windows Server 2003. Instead, it is a downloadable add-on. You can download the RMS service from Microsoft's Windows Server 2003 Web site (http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx). The RMS setup file consists of a 2.12 MB self-extracting executable file.

Securing information with Windows Rights Management Services
April 22, 2004
By Brien M. Posey, MCSE


Although the RMS service is a free add-on, there are some licensing requirements that you need to be aware of before you install it. As I explained earlier, RMS rides on top of Windows Server 2003. Therefore, everyone who uses RMS either to protect data or to access protected data requires a Windows Server 2003 client access license. Additionally, each RMS user also requires an RMS Client Access License (also called an RMS User CAL). This license costs about $37 per user. As an alternative, though, you can purchase device-specific RMS client access licenses instead of user-specific licenses.

The problem with this type of licensing is that it makes it difficult to allow RMS security to be used by those outside of your company. Because of this, Microsoft also offers an RMS External Connector license, which grants unlimited RMS access to anyone outside of your company. The price for an RMS External Connector License is $18,066 per RMS server.

Although RMS does have some rather stringent license requirements, there is an upside. Up to two users may access an RMS server simultaneously (for administrative purposes) without an RMS client access license.

The prep work
Before you can install RMS, you need to do a little bit of prep work on your server. RMS is dependent on IIS, so you must verify that IIS is installed. Furthermore, IIS must be given a server certificate so that it can provide secure (HTTPS) communications, and the workstations that will use RMS must trust the certification authority that issued that certificate.

There really isn't much documentation available on RMS. When I began working on this article, I had no idea that IIS required a certificate in order for RMS to work (although looking back it makes sense). You can actually make it all the way through the installation and configuration process without IIS having a certificate. However, when you eventually try to attach an RMS client to the server, you will get an error message telling you that Internet Explorer is set to work offline.

It took me days to figure out the real cause of the problem. What was happening was that the RMS client was passing an HTTPS request to the server. The server didn't have a certificate and therefore could not support HTTPS.

Once IIS is installed, you must install the Message Queuing service on your Windows Server 2003 server. To do so, open the server's Control Panel and select the Add/Remove Programs option. When you do, you will see the Add/Remove Programs dialog box. Click on the Add/Remove Windows Components button to display a list of the various Windows components. Select the Application Server option and click the Details button. This will cause Windows to display a list of the various Application Server components. Select the check box next to Message Queuing and click OK. Click Next and Windows will copy the necessary files. Click Finish when the file copy process completes.

One last bit of prep work that you must perform is to open the Active Directory Users And Computers console, right-click on each user's account, and select the Properties command from the resulting shortcut menu. This will reveal the user's properties sheet. Check out the General tab and make sure that the E-mail field (the mail attribute in Active Directory) is filled in. RMS identifies users by this address when it certifies them and when it decides who may open a document, so even if the user doesn't actually have an e-mail address, RMS absolutely will not work unless this field is filled in for each user. In my test environment, after I had deployed RMS, I kept receiving an error message that said "An Unexpected Error Has Occurred" every time I would try to connect to the server with an RMS client. It took me a week to figure out that the problem was related to the fact that my Administrator account didn't have an e-mail address.

Installing RMS
Now that the Message Queuing service is installed, it's time to install RMS. To do so, copy the RMS Setup file to your Windows Server 2003 server and double-click on it. When you do, Windows will extract the Setup files and will display the Windows Rights Management Services Setup Wizard.

Click Next to bypass the Welcome screen, and you will see the end user license agreement. Accept the license agreement, click Next, and you will be prompted for the path to install RMS to. Enter the desired path and click Next, followed by Install, to begin the installation process. After the necessary files are copied, click Close to complete the installation process.

Provisioning
After you have installed RMS, the next thing that you have to do is to provision it. The provisioning process creates the root certification server and configures all of the services and resources necessary for RMS to support certification. The provisioning process is done through IIS. You must select a Web site to act as the host for the provisioning process. Using the server's default Web site is fine. Be aware, though, that RMS does not stop needing IIS once provisioning is complete: the certification and licensing services that every client talks to are Web services hosted under the _wmcs virtual directory of that Web site, so IIS, and the certificate you bound to it, remain a permanent dependency.

To begin the provisioning process, click the Start button and then select the All Programs\Windows RMS\Windows RMS Administration command. When you do, you will see a screen similar to the one shown in Figure A.

Now, click the Provision RMS On This Web Site link next to the Default Web Site option. When you do, you will see the screen shown in Figure B. As you can see in the figure, you are asked whether you want RMS to use a local database or a remote database. Just enter the name of a SQL Server in your organization that can be used to store RMS data.

Next, you will be asked to specify the RMS service account. The RMS service account must be a different account than the one that was used to install RMS. If RMS will be running only on a single server, you can use the Local System account. However, the Local System account has access to practically everything on the server, so there are some serious security implications to using it in a production environment. A dedicated domain account with no rights beyond those RMS needs is the better choice.

After entering the service account credentials, scroll down and you will see the fields shown in Figure C. The first thing that you must enter on this portion of the screen is the URL used by the root certification cluster. By default, http://servername/_WMCS will be used. Choose this URL carefully: clients connect to it over HTTPS, so its host name should match the certificate you bound to IIS, and because it is embedded in every certificate and license RMS issues, it is not something you can casually change later.

Next, you must enter a password that will be used to encrypt the RMS private key in the database. Record this password with your disaster recovery material; you will need it to add another server to the cluster or to restore the database. After entering the encryption password, enter the server licensor certificate name. By default, this is the same as the server name. You also have the option of listing an administrative contact.

If your network uses a proxy server, then you will have to enter the proxy server's URL and the IP address range for the local address table.

The final portion of the provisioning screen allows you to enter the name of a file that contains a public key that can be used to sign the revocation list. This is useful in disaster recovery situations. After you finish filling in all of the various fields, click Submit and then go get yourself a cold drink because the provisioning process takes a while to complete.

Figure A
You must use a Web interface to provision RMS.

Figure B
You must supply the name of a database server and the name for an RMS service account.

When the provisioning process completes, you must specify the RMS service connection point. To do so, go to http://servername/_wmcs/admin/default.aspx. Now, scroll to the bottom of the page and click the link that says RMS Service Connection Point. When you do, you will see a screen that allows you to set the RMS connection point by simply clicking the Update button. The connection point is an object in Active Directory that RMS-enabled applications read to find your cluster, so until you click Update, clients have no way to locate the server.
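As an added example (it is not part of the article and not Microsoft's code), the following PowerShell script checks the prerequisites from "The prep work" and the results of the provisioning steps above in one pass: it reports every user account with no e-mail address, confirms that IIS and Message Queuing are running, makes the same HTTPS request to the cluster that the RMS client makes, and reads back the service connection point. The cluster URL is a placeholder, and the location and attribute of the service connection point are my reading of the RMS documentation rather than something the article states; verify both in your own forest with ADSI Edit.

```powershell
# Added example (not from the article): pre-flight checks for the RMS prerequisites
# and provisioning results described above. PowerShell 2.0 or later, run on the
# RMS server as a domain user. $ClusterUrl is an assumed placeholder; the SCP
# container and attribute name are assumptions to verify with ADSI Edit.

function Get-UsersWithoutMail {
    # Every user RMS will certify needs the AD 'mail' attribute (the E-mail field
    # on the General tab). Returns the accounts where it is empty.
    param([string]$SearchRoot = '')   # e.g. 'LDAP://OU=Staff,DC=corp,DC=example'; '' = whole domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot) }
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!(mail=*)))'
    $searcher.PageSize = 1000                        # page through large domains
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account = [string]$result.Properties['samaccountname'][0]
            DN      = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

function Test-RmsServices {
    # IIS (W3SVC) and Message Queuing (MSMQ) must both be installed and running.
    foreach ($name in 'W3SVC', 'MSMQ') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null)                { "FAIL: service $name is not installed" }
        elseif ($svc.Status -ne 'Running') { "FAIL: service $name is $($svc.Status)" }
        else                               { "OK:   service $name is running" }
    }
}

function Test-RmsHttps {
    # The RMS client talks HTTPS to the cluster; this fails the same way the client
    # does when IIS has no usable certificate or this machine does not trust its issuer.
    param([string]$Url)
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method  = 'HEAD'
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return "OK:   $Url answered HTTP $status over TLS"
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response -ne $null) {
            # TLS worked; an HTTP error here is an IIS or RMS configuration problem, not a certificate problem.
            return "OK:   TLS handshake succeeded, server returned HTTP $([int]$ex.Response.StatusCode)"
        }
        # TrustFailure = certificate not trusted by this machine; SecureChannelFailure = no usable HTTPS binding
        return "FAIL: $($ex.Status) - $($ex.Message)"
    }
}

function Get-RmsServiceConnectionPoint {
    # After you click Update, RMS publishes its cluster URL as a serviceConnectionPoint
    # object in the configuration partition; Office 2003 reads it to find the server.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $config  = [string]$rootDse.Properties['configurationNamingContext'][0]
    $scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$config"   # assumed location
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) { return $null }
    $scp = New-Object System.DirectoryServices.DirectoryEntry($scpPath)
    return [string]$scp.Properties['serviceBindingInformation'][0]                # assumed attribute
}

# --- run the checks ---
$ClusterUrl = 'https://rms01.corp.example/_wmcs'   # assumed; use the cluster URL you entered when provisioning
Test-RmsServices
Test-RmsHttps "$ClusterUrl/certification"
$scp = Get-RmsServiceConnectionPoint
if ($scp -eq $null)            { "FAIL: no RMS service connection point registered yet (click Update on the SCP page)" }
elseif ($scp -ieq $ClusterUrl) { "OK:   SCP points at $scp" }
else                           { "WARN: SCP is $scp, expected $ClusterUrl" }
$missing = @(Get-UsersWithoutMail)
if ($missing.Count -eq 0) { "OK:   every user account has an e-mail address" }
else {
    "FAIL: $($missing.Count) user account(s) have no e-mail address and cannot use RMS:"
    $missing | Format-Table Account, DN -AutoSize
}
```

The HTTPS probe deliberately treats an HTTP error status as a pass: once the TLS handshake has succeeded, the certificate problem that causes the "work offline" message is ruled out, and whatever IIS returned is a separate configuration issue. A TrustFailure from a workstation means the client does not trust the issuing CA, which the server-side check cannot see, so run Test-RmsHttps from a client as well.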

Installing the client component
Before you will be able to use RMS to restrict access to anything, including Microsoft Office documents, you must install the client component onto your workstations. To do so, you will need to download the RMS client from Microsoft's Windows Rights Management Client Web site (http://www.microsoft.com/downloads/details.aspx?familyid=3115A374-116D-4A6F-BEB2-D6EB6FA66EEC&displaylang=en). The download consists of a 3.59 MB self-extracting executable file. Microsoft Office 2003 also contains an option for downloading the latest RMS client automatically from within Office.

After down downloading the RMS client, copy it to the workstation (or access it through a network drive) and double-click on it. When you do, Windows will extract the files from the RMS client setup file and will launch the Setup wizard. When the Setup wizard begins, click Next to bypass the welcome screen. You will then see the Windows Rights Management Client Privacy Statement. This is basically just a statement indicating that the RMS client does not try to personally identify you to Microsoft or keep information about your system on file for an extended period of time. Click Next and you will be asked to accept the end user license agreement. After accepting the license agreement, the installer will copy the necessary files to the workstation. Click Close to complete the installation.

Once you have installed the client component, you can test it by opening Microsoft Word 2003. Select the Permissions | Restrict Permission As command from Word's File menu. When you do, Word will take a minute or two to negotiate a connection with your RMS server. After the negotiation process completes, you may see a screen asking you if you want to create the RMS permissions by using a .NET Passport account or a Microsoft Windows account. If you see this screen, it means that Word could not find or use your RMS server and has fallen back to Microsoft's hosted trial service, so you need to go back and figure out what went wrong (the service connection point, the IIS certificate, and the user's e-mail address are the usual suspects).

What you should see instead is a screen asking you which user account you want to use in order to create or open restricted content. Select your account and click OK. At this point, you will see the screen shown in Figure D. This screen allows you to enter the e-mail addresses of users who are allowed to read or make changes to the document.

Figure C
You must enter a cluster URL, private key protection, enrollment, and some RMS proxy settings.

Figure D
Enter the e-mail addresses of the users who are allowed to read or make changes to the document.

If you would prefer to have some slightly more advanced configuration options, then click the More Options button and you will see the screen shown in Figure E. As you can see in the figure, this Permission dialog box allows you to set an expiration date for the document. After the expiration date, the document can no longer be opened. You can also control whether specified users are allowed to print or copy the document's content or access it programmatically. You can even allow users to browse a document with previous versions of Office and to request additional permissions to a document.

Trust, but verify
Although you may go to great lengths to protect the documents on your network, it's too easy for an employee with authorized access to a document to copy the document and pass it on to someone outside of the company. RMS limits this type of information disclosure by controlling who can open the document, even if the file itself leaves your network. It is not absolute protection: anyone you permit to view a document can still photograph the screen or retype its contents, so treat RMS as a way to stop casual forwarding and raise the cost of a leak, not as a substitute for trusting the people you grant access to.


Figure E
The Permission dialog box gives you greater control over a document's permissions.


With the release of version 1.2 of the Microsoft Baseline Security Analyzer (MBSA 1.2), Microsoft has vastly improved this already excellent proactive security tool and turned it into a much more full-featured utility. The MBSA includes a powerful graphical user interface that provides administrators with a way to interactively scan the local and remote servers and desktop machines. From the reports generated, administrators can take appropriate action to address potential security problems, such as installing required patches, enabling automatic updates, or turning on the Windows XP firewall.

Scripted scans
One area that the GUI does not address is the ability to script a scanning session. Most administrators work normal business hours, which are times that heavy scans are usually avoided because of their potential impact on the network, servers, and desktop computers. For this reason, the MBSA includes a command-line utility that performs the same functions as its GUI counterpart and can be included in nightly/weekly/monthly routines to scan for vulnerabilities. From this scan, a report is generated from which an administrator can take proactive steps to protect the infrastructure.

The executables
MBSA includes two executables: mbsa.exe and mbsacli.exe. The mbsa.exe executable powers the GUI side of the utility, while, as you might expect, the mbsacli.exe executable is the command-line side. By default, both of these executables are stored in C:\Program Files\Microsoft Baseline Security Analyzer. Please note that if you have the GUI MBSA utility open, the command-line version will not run.

By default, the results of a scan are stored in the C:\Documents and Settings\user name\SecurityScans folder and have names similar to WORKGROUP - W2K3 (5-20-2004 5-35 PM), where the workgroup/domain is listed along with the system name and the date and time of the scan. This is true for both the GUI and the command line, but you don't usually have to know this for the GUI, since the program handles the report display.

Using the command line
There are two ways to run the command-line version of MBSA. The first syntax actually performs scans, and the second one provides a listing of results from the most recent scan. So, it's a two-pass process.

Running a basic local scan
Mbsacli.exe doesn't actually require any parameters. If you omit them, the local computer is simply scanned, assuming that you have administrative rights with the current logon. The results of a local scan from the command line should look something like Listing A.

Run Microsoft Baseline Security Analyzer 1.2 from the command line
July 6, 2004
By Scott Lowe, MCSE

Listing A

Computer Name, IP Address, Assessment, Report Name
WORKGROUP\W2K3, 192.168.1.103, Severe Risk, WORKGROUP - W2K3 (6-1-2004 6-21 PM)

Viewing the results of the basic scan
As with the GUI version, the command-line version of MBSA produces very detailed results to help you pinpoint and address potential security weaknesses in your network. I like the fact that it doesn't just assume you want things fixed. Instead, it provides information so you can make a decision about what to address or ignore. To get the results, type the following, substituting the appropriate report name:

mbsacli /ld "WORKGROUP - W2K3 (6-1-2004 6-21 PM)"

When reports are generated using a command-line scan, they can also be viewed with the GUI at your leisure. Both the GUI and the command line store their files in the same location, so each utility can use the scan results generated from the other utility. Figure A displays the local scan showing up as an entry in the GUI's Pick A Security Report To View option. Figure B shows the first page of that scan.

Personally, I like to be able to script this kind of stuff and view the results with a GUI. The command-line viewing option works, but it's more difficult to interpret.

Full syntax
As I mentioned, there are two syntaxes for mbsacli.exe, depending on whether you want to just run a scan or view the results of a previously run scan. Here's the full syntax of the mbsacli command for a scan, including the optional switches described below:

mbsacli [/c domain\computer | /i IP_addr | /r IP_addr-IP_addr | /d domain] [/n option] [/o file] [/f file] [/qp] [/qe] [/qr] [/s 1|2] [/nvc] [/baseline] [/nosum] [/sus [susserver | susfilename]] [/hf]

Switches you can use include:

/c domain\computer: Scan the computer named in domain\computer.

/i IP_addr: Scan the computer identified by the IP address provided.

/r IP_addr-IP_addr: Scan the computers in the range of IP addresses provided.

/d domain: Scan all computers in the target domain.

/n option: By default, MBSA performs all scans against the targets. Use /n to remove specific scans. Valid options are OS, SQL, IIS, Updates, and Password. To omit more than one scan, separate the /n options with a + (plus sign), for example /n IIS+SQL.

/o file: Specify the name of the file to which to write the results. The default name uses the template %D% - %C% (%T%), where %D% is the domain or workgroup name, %C% is the name of the computer, and %T% is the date and time of the scan.

/f file: Write console output to the file specified.

/qp: Don't display the progress of the current scan.

/qe: Don't display errors present in the current scan.

/qr: Don't display the list of reports.

/s 1: Suppress security notes.

/s 2: Suppress security notes and warnings.

/nvc: By default, MBSA always checks for a new version of itself when it runs. Use /nvc to skip this check.

/baseline: Check only for baseline security updates rather than all updates (default in GUI).

/nosum: Do not verify checksums for security updates. Use only if you need different language versions of patches and need to rename them for a language supported by MBSA (default in GUI).

/sus [susserver | susfilename]: Get a list of approved updates from a SUS server. This option requires the URL of the SUS server and will look for a file named approveditems.txt.

/hf: Run in HFNetChk mode. Use mbsacli /hf /? for details. This mode allows you to use the extremely granular scanning and reporting functionality that was present in the command-line hfnetchk utility. Note that, unlike straight-up mbsacli, this does not produce XML output.

Figure A
The recent scan also shows up in the GUI.

Figure B
This is the first page of the scan.

The report syntax and switches vary slightly. The report syntax is:

mbsacli [/e] [/l] [/ls] [/lr file] [/ld file] [/unicode] [/v] [/hf] [/?]

Switches include:

/e: Show the errors from the most recently run scan.

/l: Show a list of all reports that are available for viewing.

/ls: List the reports available from the most recent scan. Remember that a report is generated for each system in a scan.

/lr file: Display the overview of the report named by file.

/ld file: Display the complete details of the report named by file.

/unicode: Output Unicode only.

/v: Display the reason codes for security updates.

/hf: Run in HFNetChk mode. Use mbsacli /hf /? for details. This mode allows you to use the extremely granular scanning and reporting functionality that was present in the command-line hfnetchk utility. Note that, unlike straight-up mbsacli, this does not produce XML output.

More flexibility from the command line
Note that MBSA can scan up to 10,000 machines in a single scan. If you need to scan more, you'll have to perform multiple scans. Scanning by IP address range is limited to 256 machines. Remember, too, that the scan runs with the credentials of the account that launches it: that account needs administrative rights on every target, and the targets must have the Remote Registry service and file and print sharing reachable, or the remote hosts will simply fail to scan. If you want to scan off-hours or run scans regularly and view the results at your leisure, mbsacli.exe is invaluable and is especially useful when combined with the reporting functions of the GUI version of MBSA.
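As an added example (it is not from the article), here is the two-pass process scripted in PowerShell for a scheduled task: a domain-wide scan with the switches described above, then a second pass that parses the summary mbsacli wrote to the /f file (the same four-column format as Listing A) and saves the full report for every host rated Severe Risk. The domain name, log folder and the checks to skip are placeholders, and the script assumes MBSA 1.2 in its default install path.

```powershell
# Added example (not from the article): an unattended MBSA 1.2 sweep of a domain,
# meant to be launched from a scheduled task, followed by the second pass that
# reads the results. Assumptions: MBSA in its default install path, PowerShell 2.0
# or later, and placeholder values for the domain, log folder and the checks to skip.

$Mbsa    = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'
$Domain  = 'CORP'                           # assumed: domain to sweep with /d
$LogDir  = 'C:\MBSA-Logs'                   # assumed
$Skip    = 'IIS+SQL'                        # /n: checks to omit on hosts that run neither
$Stamp   = Get-Date -Format 'yyyy-MM-dd_HHmm'
$Console = Join-Path $LogDir "scan-$Stamp.txt"

function Invoke-MbsaDomainScan {
    # Pass 1: scan. /f captures the console summary, /qp /qe /qr keep the output quiet,
    # /nvc skips the version check (no interactive user is present to answer it).
    # mbsacli refuses to run while mbsa.exe (the GUI) is open, so the task must run on
    # a host where nobody has the GUI up.
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    & $Mbsa /d $Domain /n $Skip /f $Console /qp /qe /qr /nvc | Out-Null
    return $LASTEXITCODE
}

function Get-MbsaSummary {
    # Pass 2, part one. The summary mbsacli wrote to the /f file has the shape of
    # Listing A: a header line followed by one CSV line per scanned computer.
    param([string]$Path)
    $header = 'Computer Name', 'IP Address', 'Assessment', 'Report Name'
    Get-Content $Path |
        Where-Object { ($_ -match '^[^,]+,[^,]+,[^,]+,.+$') -and ($_ -notmatch '^Computer Name') } |
        ConvertFrom-Csv -Header $header |
        ForEach-Object {
            # strip the padding mbsacli puts after each comma
            foreach ($p in $_.PSObject.Properties) { $p.Value = $p.Value.Trim() }
            $_
        }
}

function Get-MbsaDetails {
    # Pass 2, part two: the full report text for one machine, as the GUI would show it.
    param([string]$ReportName)
    & $Mbsa /ld $ReportName /nvc
}

$exit = Invoke-MbsaDomainScan
$rows = @(Get-MbsaSummary -Path $Console)
"{0} host(s) in the summary, mbsacli exit code {1}" -f $rows.Count, $exit
$rows | Sort-Object Assessment | Format-Table 'Computer Name', 'IP Address', Assessment -AutoSize

# Save the details for everything rated Severe Risk so the morning review starts with the worst hosts.
foreach ($row in @($rows | Where-Object { $_.Assessment -eq 'Severe Risk' })) {
    $safeName = $row.'Computer Name' -replace '\\', '_'
    Get-MbsaDetails -ReportName $row.'Report Name' |
        Out-File -FilePath (Join-Path $LogDir "$safeName-$Stamp.txt")
}
```

Schedule the script under an account that is a local administrator on the targets, as the section above requires; the reports it leaves in SecurityScans are the same files the GUI lists under Pick A Security Report To View, so the detailed review can still happen in the GUI the next morning.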


It's a good bet you're familiar with group policy, which enables administrators to assert change control and set a broad range of settings for the operating system, desktop and working environment, network, and much more for servers and workstations. You might also know that group policy can be applied at different levels, which opens the possibility for a policy at one level to override the policy set at another level. So, determining the resultant set of policy (RSoP) can sometimes be difficult. At best, it can be confusing. To help administrators get a handle on group policy, Microsoft introduced the Resultant Set of Policy MMC snap-in. Here's what the RSoP snap-in does and how you can use it to get a handle on your own policies.

How Group Policies are applied
Understanding how RSoP works requires that you first understand how group policy is applied and the factors that affect policy application. Group policy can be applied at the local, site, domain, and organizational unit (OU) levels; the Domain Controllers policy is simply the GPO linked to the built-in Domain Controllers OU. Whether a particular policy is effective depends on the level at which it is applied and whether the same policy is set differently at a level that is processed later, because the last GPO to set a given policy wins. Group policy is processed in the following order, from lowest precedence to highest:

Local policy

Site policy

Domain policy

OU policy (parent OUs first, then child OUs, so the OU closest to the user or computer has the highest precedence)

When several GPOs are linked to the same site, domain, or OU, the link order decides between them: the link numbered 1 is applied last and therefore takes precedence over the others.

In addition, you can set the No Override attribute on a GPO link (later versions of the tools call it Enforced). When No Override is enabled, GPOs that are processed later and set corresponding policies cannot override the ones set in the protected GPO. For example, assume you set a policy in a GPO linked at the domain level and set the same policy differently in a GPO linked to an OU. Normally the OU GPO, which is applied after the domain GPO, wins and overwrites the domain setting. If you enable No Override on the domain GPO's link, however, that link is applied after the OU's own GPOs, so the domain setting is the one that takes effect. The attribute only protects a GPO against containers below it: No Override on the OU link would change nothing, because domain GPOs are processed before the OU's anyway. The complementary attribute, Block Policy Inheritance, set on a domain or OU, stops ordinary GPOs linked above it from applying to that container, but it cannot stop a GPO whose link is marked No Override.

One other factor that determines whether the settings in a given GPO become effective is the permissions set on the GPO. A security principal must hold both the Read and the Apply Group Policy permissions on the GPO for it to apply; if you remove either one for a given security group, the GPO's policies will not be set for users or computers in that group. Windows Server 2003 adds WMI filters as another gate: a GPO with a WMI filter attached applies only where the filter's query returns true.
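To make the processing order concrete, here is an added example (not from the article) in PowerShell that models the rules above, plus Block Policy Inheritance, on a constructed set of GPO links and reports which GPO supplies the final value of a setting, which is exactly what the Source GPO column in the RSoP snap-in tells you. The GPO names, containers, setting names and values are invented for the illustration.

```powershell
# Added example (not from the article): a small model of Group Policy precedence
# that predicts which GPO wins for a given setting. The GPO names, containers,
# setting names and values are constructed for the illustration. Beyond what the
# text above covers, it also models Block Policy Inheritance.

function Resolve-GpoOrder {
    # $Links: GPO links as the client walks the hierarchy for one target:
    #         local, then site, domain, and OUs from parent to child.
    #         Each link is @{ Scope; LinkOrder; Gpo; NoOverride; Settings = @{ name = value } }.
    # $Blocked: containers (Scope values) that have Block Policy Inheritance set.
    # Returns the links in the order they are applied; the last one to set a value wins.
    param([object[]]$Links, [string[]]$Blocked = @())

    $scopes = @()
    foreach ($l in $Links) { if ($scopes -notcontains $l.Scope) { $scopes += $l.Scope } }
    # The lowest blocking container discards ordinary links from everything above it
    # (the local GPO is not inherited, so blocking never removes it).
    $blockAt = -1
    for ($i = 0; $i -lt $scopes.Count; $i++) { if ($Blocked -contains $scopes[$i]) { $blockAt = $i } }

    $normal = @(); $enforced = @()
    for ($i = 0; $i -lt $scopes.Count; $i++) {
        $scope = $scopes[$i]
        # Within one container, link order 1 is applied last, so walk the list backwards.
        $here = @($Links | Where-Object { $_.Scope -eq $scope } | Sort-Object { $_.LinkOrder } -Descending)
        foreach ($l in $here) {
            if ($l.NoOverride)                     { $enforced += $l }   # deferred; applied after all others
            elseif ($i -lt $blockAt -and $i -gt 0) { }                   # blocked by a lower container
            else                                   { $normal += $l }
        }
    }
    # Enforced links are applied after every ordinary one, and the highest container's
    # enforced link last of all, which is why a No Override domain GPO beats an OU GPO.
    $enforcedOrdered = @($enforced | Sort-Object { [array]::IndexOf($scopes, $_.Scope) } -Descending)
    return ,($normal + $enforcedOrdered)
}

function Get-ResultantSetting {
    # Walks the applied order and reports the winning value and its source GPO,
    # which is what the Source GPO column in the RSoP snap-in shows.
    param([object[]]$Applied, [string]$Name)
    $winner = $null
    foreach ($l in $Applied) { if ($l.Settings.ContainsKey($Name)) { $winner = $l } }
    if ($winner -eq $null) { return "$Name is not configured" }
    return "$Name = $($winner.Settings[$Name])  (source GPO: $($winner.Gpo), linked at $($winner.Scope))"
}

# Constructed scenario: a laptop in OU=Laptops under domain corp.example.
$links = @(
    @{ Scope='Local';                LinkOrder=1; Gpo='Local Computer Policy'; NoOverride=$false; Settings=@{ ScreenSaverTimeout=600 } },
    @{ Scope='Site: HQ';             LinkOrder=1; Gpo='Site Baseline';         NoOverride=$false; Settings=@{ DenyRemovableStorage=$false } },
    @{ Scope='Domain: corp.example'; LinkOrder=1; Gpo='Default Domain Policy'; NoOverride=$true;  Settings=@{ ScreenSaverTimeout=900 } },
    @{ Scope='Domain: corp.example'; LinkOrder=2; Gpo='Corp Baseline';         NoOverride=$false; Settings=@{ DenyRemovableStorage=$true } },
    @{ Scope='OU: Laptops';          LinkOrder=1; Gpo='Laptop Policy';         NoOverride=$false; Settings=@{ ScreenSaverTimeout=1800; DenyRemovableStorage=$false } }
)

$applied = Resolve-GpoOrder -Links $links
'Applied order: ' + (($applied | ForEach-Object { $_.Gpo }) -join ' -> ')
Get-ResultantSetting $applied 'ScreenSaverTimeout'     # 900: the domain GPO is No Override, so it beats the OU
Get-ResultantSetting $applied 'DenyRemovableStorage'   # False: Laptop Policy is applied after Corp Baseline

# Block Policy Inheritance on the OU removes Site Baseline and Corp Baseline, but not the enforced link.
$blocked = Resolve-GpoOrder -Links $links -Blocked 'OU: Laptops'
'With blocking: ' + (($blocked | ForEach-Object { $_.Gpo }) -join ' -> ')

# Without No Override the domain GPO loses to the OU GPO, as the processing order predicts.
$links[2].NoOverride = $false
Get-ResultantSetting (Resolve-GpoOrder -Links $links) 'ScreenSaverTimeout'   # 1800, from Laptop Policy
```

The model leaves out the Read and Apply Group Policy permission check and WMI filters described above; in practice a GPO that fails either is simply absent from the link list, which is how the RSoP snap-in reports it.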

What's the RSoP snap-in?
The RSoP snap-in enables you to query current or planned policies and view the results of that query, which is the resultant set of policies, for a specified target user and computer. In addition to group policies, RSoP includes administratively assigned settings including those from administrative templates, folder redirection, Internet Explorer maintenance, security settings, scripts, and software installation policies. By including these objects, RSoP provides a complete view of the environment resulting from all of these settings.

The RSoP snap-in operates in one of two modes: Logging Mode or Planning Mode. In Logging Mode, the RSoP snap-in queries policies and displays the resulting policy set for a given user and computer. Logging Mode therefore enables you to review the policy settings that are applied for the target user/computer. Logging Mode can be a valuable and effective tool for troubleshooting policy application problems and determining how security groups affect policy settings.

Planning Mode enables you to explore different policy scenarios. In Planning Mode you specify several items of information about the desired target including container or user, computer, site, security group membership, and other factors to determine the resultant set of policy based on those selections. Planning Mode offers an excellent means for determining the results of planned policy deployment and testing the deployment before actually rolling it out.

Check Group Policy assignment with RSoP
March 24, 2004
By Jim Boyce

The RSoP snap-in is available with Windows XP as well as Windows Server 2003. You don't need to run the snap-in on a domain controller to gather information about a user or computer from the Active Directory in Planning Mode. Instead, you can run it from a Windows XP workstation, although the simulation itself is carried out by a domain controller, and Planning Mode requires at least one Windows Server 2003 domain controller in the domain.

Both RSoP modes are useful in different scenarios. I'll explore both, beginning with Logging Mode. All examples assume you are running the RSoP snap-in on Windows Server 2003, but it's very similar on Windows XP.

Using RSoP in Logging Mode
If you'll be querying policies from a remote computer, you must first log on as a member of the Domain Admins or Enterprise Admins security groups, or you must have been delegated Generate Resultant Set of Policy (logging) rights. (I cover delegation later in this article.) For local querying and logging, any user can run a Logging Mode query on the local computer for their own user settings; reading the computer settings still requires local administrator rights.

To begin using RSoP, you need to open the RSoP snap-in. Choose Start, Run, and enter MMC. When the MMC opens, choose File, Add/Remove Snap-In. On the Standalone tab, click Add to open the Add Standalone Snap-In dialog box. Scroll down, choose Resultant Set Of Policy, click Add, and then click Close. Click OK on the Standalone tab to close it and return to the MMC.

The RSoP snap-in at first doesn't look like much (Figure A) because you haven't queried for any policies yet. To query policy, you need to run the Resultant Set Of Policy Wizard. Right-click the Resultant Set Of Policy branch in the left pane and choose Generate RSoP Data to start the wizard. Click Next to get past the obligatory splash screen and then choose Logging Mode. When you click Next, the wizard prompts you to select the computer to use as the target (Figure B). You can choose the local computer, specify the remote computer name, or click Browse to look for the computer in the Active Directory.

The option at the bottom of the Computer Selection dialog box lets you exclude computer settings from the query. This is handy when you want to focus solely on user policies, such as when you suspect a user setting is causing the problem at hand. Using this option excludes half of the possibilities and simplifies the resulting policy set.

Next, the wizard prompts you to specify whether to use the current user (the one under which you are logged on) or to select a specific user (Figure C). What the user list displays in the wizard depends on how you are logged on. If you are logged on with a regular local account, you'll see only that account. If you log on as the local administrator, you'll see the local administrator account and all other local accounts that have been used to log on at least once (accounts that have never logged on do not appear). It's necessary to log on with a domain user account prior to running RSoP if you want to view the policies for that domain account. Logging on with the domain administrator account lets you choose that domain administrator account or any local accounts that have been used previously to log on.

Figure A
The RSoP MMC starts off empty.

Figure B
Select the computer to examine.

You can also select an option here to exclude the user settings and show only the computer settings. Again, this option is handy when you want to focus solely on computer settings and simplify the resulting query. The Summary dialog box that appears when you click Next shows the settings you have selected.

After the wizard finishes the query, the RSoP snap-in will probably look a little more familiar to you (Figure D), particularly if you have worked with the Group Policy Editor. The left pane provides a hierarchical tree of settings. When you click a branch in the left pane, the policies under that branch appear in the right pane. The columns in the right pane are essentially the same as in the Group Policy Editor, but with the addition of a Source GPO column that indicates the source for the policy setting. You can double-click a policy to open a dialog box that shows more information about the policy, including its value (Figure E) and precedence (Figure F).

    At this point you can browse through thepolicies as needed. If you need to view policiesfor a different computer or user, you can eitherclear the current query and reissue it, or openanother instance of the snap-in focused on thedesired target. To clear the query and start anew one, right-click the upper-most branch ofthe policy target in the left pane and chooseChange Query to start the Resultant Set OfPolicy Wizard. Follow the steps in the wizardto specify the information for the new query,just as you did for the old one.

    Opening a new instance of the RSoP snap-in rather than clearing the existing query is

    useful when you need to compare settingsbetween policy targets. Just add the snap-in asyou did for the first one, then right-click thenew instance in the left pane and choose Gen-erate RSoP Data.

    Using RSoP in Planning Mode

    As I mentioned at the beginning of this article, Planning Mode enables you to explore different policy scenarios. Essentially, Planning Mode lets you play "What if?" with policies and can be extremely useful for the following tasks:

    Simulating the effects of policy changes at various levels

    Viewing policies of new user accounts in the Active Directory

    Testing policy precedence when the computer and user are in different security groups or different OUs

    Determining the effects of moving a computer to a new location

    Simulating a slow network connection

    Simulating a policy loopback scenario

    [Figure C: Select what user to check policy on.]

    [Figure D: Here's a completed RSoP MMC.]

    I'll cover these in a moment. For now, let's get into Planning Mode. Start by adding the RSoP snap-in to an MMC console. After you've added the snap-in, right-click the Resultant Set of Policy branch of the snap-in in the left pane and choose Generate RSoP Data to start the Resultant Set Of Policy Wizard. In the wizard, choose Planning Mode when prompted to choose the mode and then click Next. The wizard displays the User And Computer Selection page shown in Figure G. Here you choose either a user or a container in the AD. You also specify the container for the computer or choose a specific computer.

    On the Advanced Simulation Options page (Figure H) you can specify some additional options to test certain scenarios. For example, choose the Slow Network Connection option if you want to test the effect of a slow network connection on the application of group policy. Why do that? A slow network connection can affect policy application, causing some policies not to be applied. Choosing the option to simulate a slow network connection causes the RSoP console to slow the data transfer, enabling you to see the effects on the resultant set of policies.

    [Figure E: You can view the value of a policy.]

    [Figure F: You can also view the group policy precedence.]

    [Figure G: Choose the container here.]

    The Loopback Processing option lets you simulate the effect of configuring the User Group Policy Loopback Processing Mode policy for a GPO. Loopback provides a mechanism by which you can control the way group policies are applied. This policy offers two values when set to Enabled: Replace or Merge. When Replace is selected, the group policy object list for the user is replaced entirely by the list already obtained for the computer at startup. When set to Merge, the group policy list is a concatenation of the computer list obtained at startup and the user list obtained after logon. Setting this option in the RSoP snap-in in Planning Mode has the same effect as setting the User Group Policy Loopback Processing Mode policy for the target GPO.
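    As an added example (not part of the book), here is a small Python model of how the Source GPO column and the loopback Replace/Merge choice decide which GPO wins each user setting. The GPO names and settings are constructed sample data, and the last-wins ordering and the Merge append order are stated as assumptions in the code.

```python
"""Added example (not from the book): a tiny model of how RSoP decides which
GPO supplies each user setting, with and without loopback processing.

Assumptions (the book does not spell these out):
  * GPO lists are ordered from lowest to highest precedence, and a later GPO
    in the list overrides an earlier one for the same setting ("last wins").
  * In Merge mode the computer's GPO list is appended after the user's list,
    so the computer-side GPOs win any conflict; in Replace mode the user's
    list is discarded and only the computer's list is used.
The GPO names and settings below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)


def effective_gpo_list(computer_gpos, user_gpos, loopback=None):
    """Return the ordered GPO list whose user settings apply at logon."""
    if loopback is None:
        return list(user_gpos)
    if loopback == "Replace":
        return list(computer_gpos)
    if loopback == "Merge":
        return list(user_gpos) + list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def resultant_set(gpo_list):
    """Resolve each setting to (value, source GPO), like the Source GPO column."""
    resolved = {}
    for gpo in gpo_list:  # lowest precedence first, so later GPOs win
        for setting, value in gpo.user_settings.items():
            resolved[setting] = (value, gpo.name)
    return resolved


# Constructed sample: a kiosk computer whose GPO locks down the user session,
# and a user whose own OU GPO would normally allow more.
COMPUTER_GPOS = [
    GPO("Default Domain Policy", {"ScreenSaverTimeout": "900"}),
    GPO("Kiosk Lockdown", {"RemoveRunMenu": "Enabled", "ScreenSaverTimeout": "300"}),
]
USER_GPOS = [
    GPO("Default Domain Policy", {"ScreenSaverTimeout": "900"}),
    GPO("Staff Users", {"RemoveRunMenu": "Disabled", "HomeDrive": "H:"}),
]


def plan(loopback=None):
    """Simulate the resultant user settings for the sample target under one mode."""
    return resultant_set(effective_gpo_list(COMPUTER_GPOS, USER_GPOS, loopback))


if __name__ == "__main__":
    for mode in (None, "Merge", "Replace"):
        print(f"--- loopback: {mode or 'not configured'} ---")
        for setting, (value, source) in sorted(plan(mode).items()):
            print(f"{setting:20} {value:10} from {source}")
```

    Note that in Merge mode the user's own HomeDrive setting survives while the kiosk lockdown still wins the conflicting settings; in Replace mode nothing from the user's GPOs is applied at all.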

    The Advanced Simulation Options page also allows you to choose a site for the scenario. Site selection here enables you to analyze the effect of settings based on startup or logon on a subnet other than the one from which you are running the query. In the Alternate Active Directory Paths page that follows in the wizard (Figure I), you specify the location in which the target policy is intended to be applied.

    In the next two pages of the wizard you have the capability to specify the security groups in which the user and the computer reside. Figure J shows the User Security Groups page (the Computer Security Groups page is similar). You can add and remove groups to simulate the effect of actually changing group membership for the target. However, you're changing only the simulated group membership, not the actual group membership. In this way you can test the effects of membership changes before you actually make those changes.

    The next two pages of the wizard prompt you to specify how WMI filters for the GPO are to be handled. WMI filters enable you to filter the application of group policy based on criteria such as hardware configuration. With these two pages you can specify that all WMI filters be applied or only selected filters be applied for the user and/or computer. The final page of the wizard displays a summary of your selections and allows you to choose the domain controller on which to process the simulation.

    As with Logging Mode, Planning Mode generates a policy set that you can navigate and view. Policies that have a setting other than Not Defined have a red circle and X icon. This helps you quickly identify policies that have been set.

    [Figure H: You can select additional options for the RSoP console.]

    [Figure I: Choose a site for your test scenario.]

    Viewing error information

    Unless you direct it not to do so, the RSoP snap-in collects extended error information as it performs the query. You can view this error information to determine if any problems occurred during the query. The availability of these error messages can help you not only identify problems with the RSoP snap-in but also identify network or Active Directory problems that are causing policy application problems.

    To view the error information, right-click the Computer Configuration or User Configuration branch after the query is complete and choose Properties. Click the Error Information tab, which lists each group policy component that RSoP used to generate the policy report. The list indicates the success or failure for each component. Click on a component to view specific error information for that component.

    Delegating RSoP

    As I hinted at earlier in this article, you can delegate permission to generate RSoP queries to help distribute administrative workload. A user who has been delegated the necessary permission can perform queries in either Logging Mode or Planning Mode (as you designate) without having to log on as or be a member of the Domain Admins or Enterprise Admins groups.

    To delegate RSoP, open the Active Directory Users And Computers console. Right-click the OU and choose Delegate Control to start the Delegation Of Control Wizard. Click Next, add the user or group to which you want to delegate, and click Next. In the Tasks To Delegate page (Figure K), place a check beside Generate Resultant Set of Policy (Logging) and/or Generate Resultant Set of Policy (Planning) and then click Next. Click Finish to apply the delegation.

    [Figure J: You can simulate the effects on different groups.]

    [Figure K: Using the Delegation Of Control Wizard, you can allow other users to run the RSoP MMC.]

    Anyone who has ever administered group policies in a Windows 2000 Server environment knows that the process can be both confusing and frustrating. Although Microsoft's hierarchical approach to group policy implementation makes sense at a logistical level, the management interface is lacking, to say the least. Fortunately, this is one of the major problems that Microsoft has addressed in Windows Server 2003. When Microsoft releases Windows Server 2003, it plans to simultaneously release a brand-new Group Policy Management console that provides a single interface for managing group policies across the entire enterprise.

    What is the Group Policy Management Console?

    The Group Policy Management Console is Microsoft's all-in-one solution for working with group policy objects. It consists of a Microsoft Management Console (MMC) Snap-In and a set of script interfaces for managing group policies via script.

    To get an idea of why the Group Policy Management Console will be such a great tool, consider this: Administrators today use a variety of different tools to implement group policy settings. These tools include things such as:

    Active Directory Users and Computers

    Active Directory Sites and Services

    The Resultant Set Of Policy Snap-In

    The Access Control List (ACL) Editor

    The Delegation Wizard

    Each of these tools exposes some fragment of the total group policy functionality. The Group Policy Management Console takes all of the group policy functions currently available through these tools and combines them into a single interface. The utility also includes things like backup, restore, copy, and import functionality.

    Although the Group Policy Management Console integrates functionality from all of the different tools that I mentioned earlier, it isn't intended as a replacement for these tools. Remember that group policies are designed to control security. While security settings are certainly available through tools like Active Directory Users And Computers or Active Directory Sites And Services, those tools' primary functions are related to administration, not security. Therefore, you'll still use the tools that I listed in the same manner that you always have.

    In case you're wondering, the Group Policy Snap-In was replaced by the Group Policy Object Editor in Windows Server 2003. However, the Group Policy Management Console didn't overwrite the Group Policy Snap-In. All of the Group Policy Object Editor's functionality has been rolled into the Group Policy Management Console, but that doesn't mean that you can't still use the Group Policy Snap-In if you want. The Group Policy Management Console is available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en.

    System requirements

    The Group Policy Management Console's system requirements are a little strange to say the least. For example, the product supports Windows 2000, but it won't run on Windows 2000. The new Group Policy Management Console can be used to manage group policies in both the Windows 2000 and Windows Server 2003 versions of Active Directory. This means that you'll be able to take full advantage of the tool's new management capabilities even if you aren't planning to upgrade to Windows Server 2003.

    The catch is that the utility won't run on the Windows 2000 operating system. Instead, you can run the Group Policy Management Console only on machines running Windows Server 2003 or Windows XP. If you're planning on running the utility under Windows XP, there are some additional system requirements that you need to be aware of.

    [Article: "New Windows Server 2003 tool boosts group-policy control," March 6, 2003, by Brien M. Posey, MCSE]

    You'll be able to run the Group Policy Management Console under Windows XP only if you've installed Service Pack 1 and the Microsoft .NET Framework support. There is also a post-Service Pack 1 hot fix that must be installed prior to installing the utility. The hot fix was previously available on the Microsoft Web site in Knowledge Base article Q326469. However, Microsoft has temporarily removed the hot fix. According to the Web site, the necessary hot fix will be included with the Group Policy Management Console download.

    In case you're wondering, the Group Policy Management Console will be localized. When the product is complete, versions will be available in English, Japanese, French, and German. The current beta release is available in English and Japanese only. Additionally, the Group Policy Management Console will be fully supported by Microsoft Premier Support Services, once released.

    Key features and capabilities

    The Group Policy Management Console includes an MMC Snap-In and a set of scripting utilities. The main idea behind the MMC Snap-In is that it exposes group policy settings in the way that users tend to use them rather than in the way that the technology is designed. For example, the group policy settings relating to users are kept in a different area of the Active Directory from the group policy settings related to Sites And Services. Therefore, Microsoft initially created two different tools (Active Directory Users And Computers and Active Directory Sites And Services) to deal with the two different areas of the Active Directory. The new Group Policy Management Console combines the security-related functionality found in both of these and other tools and rolls it into a single snap-in.

    The new utility will also feature backup and restore capabilities. Previously, if you wanted to back up and restore group policy settings, you had to perform an authoritative restore on the entire Active Directory. This meant that other things, like user accounts or printer definitions, were also reverted to the time that the backup was made. The new utility, however, allows you to restore only the group policy settings for a domain.

    Yet another new feature is the generation of HTML reports related to group policy settings and the resultant set of policy data. You can even save or print these reports.

    Finally, import/export, copy/paste, and scripting features have been included in the Group Policy Management Console. Although you can't script individual group policy values, the scripting does have a definite purpose. The import/export, copy/paste, and scripting functions all work together to allow you to migrate group policies between domains.

    Migrating group policy objects to another domain

    The new Group Policy Management Console allows you to migrate group policies from one domain to another. There are lots of situations where such an operation is desirable. For example, if you perfected a new policy in a test domain, it would usually be easier to migrate the policy than to manually re-create it in the new location. Another possible situation is if your company adopted a new set of security standards; you wouldn't want to have to manually implement those standards across every domain. Instead, it's now possible to create the new policy in one domain and roll it out to all other domains.

    There are a couple of reasons why migrating group policy objects between domains is such a big deal. The first reason is that a group policy is a collection of security settings applied through various mechanisms to various objects. Components of a group policy might exist in the registry, Active Directory, the file system, or just about anywhere else. It isn't like all of a group policy's components exist in a single folder that can easily be copied from machine to machine.

    The other issue that makes copying group policy objects between domains difficult is that certain group policy settings contain data that simply doesn't migrate well. The two main types of data that tend to cause problems are security principals and Universal Naming Convention (UNC) paths.

    Security principals are often found in the form of security identifiers (SIDs). SIDs are unique identification numbers that are applied to each object. For example, objects such as users, groups, and computers all have SIDs associated with them. Because of the unique nature of SIDs, a SID that's valid in one domain wouldn't necessarily be valid in another domain.

    Just as SIDs can throw a monkey wrench into the process of migrating a group policy object, so too can UNC paths. A UNC refers to a path that's expressed in the \\servername\sharename format. The problem is that a server name and share name that are valid in one domain may not be valid in another domain.

    The Group Policy Management Console takes a lot of the work out of migrating group policy objects to a new domain. However, doing so may still be a fairly involved process. The Group Policy Management Console is capable of performing four functions that are related to policy archival. These functions are:

    Backup

    Restore

    Copy

    Import

    Don't even try to use the Backup and Restore operations for migrations. It's impossible to restore a policy backup to a different domain. You can use the Import function with the Backup function as a technique for updating a group policy object's existing settings, but to do so, a group policy object must already exist in the destination directory, even if the existing group policy object is empty. The Copy function is almost always the tool of choice for migrations, because the Copy process doesn't require you to have a group policy object that's already in place in the destination domain.

    As you can see, the two main problems associated with migrating group policy objects between domains are the distributed nature of the policy settings and the fact that SIDs and UNCs would be mismatched if the policies were to be copied directly. Fortunately, with a little work, you can use the Group Policy Management Console to overcome both of these problems. Overcoming the problem of distributed information is easy and automatic. Since the Group Policy Management Console already knows where all of the group policy setting information is stored, you don't have to worry about tracking it down.

    Overcoming the information mismatch problem is a little more complicated though. In order to deal with SID and UNC mismatches, you must create a migration table. A migration table is an XML file that maps an old value to a new value. I'm not going to get into the specifics of creating migration tables, because it would be possible to write an entire article on this one step of the process. What I can tell you though is that each entry in a migration table has three values: an object type, a source value, and a destination value.

    WATCH OUT FOR THESE ITEMS

    The following items contain security principals and can therefore cause problems because they may reference SIDs:

    Security policy settings found in user right assignments

    Restricted groups

    Services

    The file system

    The registry

    Advanced folder redirection policies

    The GPO DACL

    The DACL applied to software installation objects

    Also, UNC paths, which can lead to problems with group policy object migrations as well, can be found in:

    Folder redirection policies

    Software installation policies

    Login scripts

    Startup scripts

    For example, if a particular group policy was applied to a global group called Test Group in a domain called TEST, and you wanted the policy to apply to the Finance group in the PRODUCTION domain, then the object type would be a global group, the source value would be TEST\TEST GROUP, and the destination value would be PRODUCTION\FINANCE.

    After looking at my sample entry in a migration table, the process of creating migration tables may not seem that complicated. The problem is that in the Beta 2 release of the Group Policy Management Console, there was no user interface for creating migration tables. Therefore, if you need a migration table, you must either write some raw XML code, or you can use a script to generate the XML code and then use a text editor to modify the code and fill in the appropriate values. Either way is tedious and complicated.
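    Added example, not code from the book or from GPMC: a Python script that generates a migration table from a list of (object type, source, destination) entries and checks the form of each value first, so that a test-domain principal or share path is not silently carried into the production GPO. The element names and namespace follow the .migtable format as I know it and are an assumption to verify against a table exported by your GPMC build; the mappings are constructed samples built around the book's TEST\TEST GROUP to PRODUCTION\FINANCE entry.

```python
"""Added example (not from the book or GPMC): build a GPMC migration table
(.migtable) from a list of mappings and sanity-check the entries before the
file is handed to the Copy or Import operation.

Assumption: element names and namespace follow the .migtable format as I
know it (MigrationTable/Mapping/Type/Source/Destination). Verify against a
table exported by GPMC. Sample mappings below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Assumed namespace of the GPMC migration table schema.
MIGTABLE_NS = "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"

# Security principal types and the UNC type as they appear in a .migtable.
PRINCIPAL_TYPES = {"User", "Computer", "LocalGroup", "GlobalGroup",
                   "UniversalGroup", "Unknown"}
UNC_TYPE = "UNCPath"

# DOMAIN\name for principals; \\server\share[\more] for UNC paths.
DOMAIN_NAME_RE = re.compile(r"^[^\\/:*?<>|]+\\[^\\/:*?<>|]+$")
UNC_RE = re.compile(r"^\\\\[^\\/:*?<>|]+\\[^\\/:*?<>|]+(\\.*)?$")


def validate_mapping(obj_type, source, destination):
    """Reject entries that GPMC could not resolve in the destination domain."""
    if obj_type in PRINCIPAL_TYPES:
        pattern, what = DOMAIN_NAME_RE, "DOMAIN\\name"
    elif obj_type == UNC_TYPE:
        pattern, what = UNC_RE, r"\\server\share"
    else:
        raise ValueError(f"unknown migration table object type: {obj_type!r}")
    for label, value in (("source", source), ("destination", destination)):
        if not pattern.match(value):
            raise ValueError(f"{label} {value!r} is not in {what} form")
    return True


def build_migration_table(mappings):
    """Return the .migtable XML text for a list of (type, source, destination)."""
    ET.register_namespace("", MIGTABLE_NS)  # serialize as the default namespace
    root = ET.Element(f"{{{MIGTABLE_NS}}}MigrationTable")
    for obj_type, source, destination in mappings:
        validate_mapping(obj_type, source, destination)
        mapping = ET.SubElement(root, f"{{{MIGTABLE_NS}}}Mapping")
        ET.SubElement(mapping, f"{{{MIGTABLE_NS}}}Type").text = obj_type
        ET.SubElement(mapping, f"{{{MIGTABLE_NS}}}Source").text = source
        ET.SubElement(mapping, f"{{{MIGTABLE_NS}}}Destination").text = destination
    return ET.tostring(root, encoding="unicode")


def parse_migration_table(xml_text):
    """Read a table back as (type, source, destination) tuples for review."""
    root = ET.fromstring(xml_text)
    ns = {"m": MIGTABLE_NS}
    return [(m.findtext("m:Type", namespaces=ns),
             m.findtext("m:Source", namespaces=ns),
             m.findtext("m:Destination", namespaces=ns))
            for m in root.findall("m:Mapping", ns)]


# Constructed sample mappings: the book's group example plus a UNC path that a
# folder redirection policy in the test domain might reference.
SAMPLE_MAPPINGS = [
    ("GlobalGroup", r"TEST\TEST GROUP", r"PRODUCTION\FINANCE"),
    ("UNCPath", r"\\testfs01\profiles", r"\\prodfs01\profiles"),
]

if __name__ == "__main__":
    print(build_migration_table(SAMPLE_MAPPINGS))
```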

    As you can see, the process of migrating group policy objects from one domain to another can be a real pain in the neck. Before you criticize the Group Policy Management Console too much though, remember that up until now there was no way of migrating a group policy object to another domain. Migrating a group policy object through the Group Policy Management Console is a crude process, but this is first-generation software that's still in its beta testing phase. I think that it's likely for future versions to include a user interface for creating migration tables.

    Good things come to those who wait

    As you can see, the Group Policy Management Console should make life much easier for those who manage group policies. Furthermore, this utility could drive down Windows' total cost of ownership since it will make the management process much easier and more efficient.

    TechRepublic's Administrator's Guide to Windows Server 2003 gets you up to speed quickly on Microsoft's newest server operating system. Each chapter is packed with the clear and concise how-to information you need to optimize, troubleshoot and secure Windows Server 2003.

    Tap field-tested solutions. Minimize your learning curve. Turn to the Administrator's Guide to Windows Server 2003 book and accompanying CD to learn how to:

    Plan for and deploy Windows Server 2003

    Configure VPN connections

    Fine-tune servers for optimum performance

    Solve Group Policy problems

    Troubleshoot Active Directory

    Overcome DNS errors

    Lock down servers

    Secure wireless connections

    Recover from disasters

    And more

    Eliminate guesswork. Leverage the proven expertise in TechRepublic's Administrator's Guide to Windows Server 2003. Designed by IT pros for IT pros, this unique book and CD set provide you with the tools and information required to become an effective Windows Server 2003 administrator.

    Order now and receive free shipping! http://techrepublic.com.com/5111-6242-26-23311.html

    Managing Group Policies in Windows has typically required a bit of a juggling act, especially in large corporate environments with a complex Active Directory (AD) structure. But those days are gone, thanks to the Group Policy Management Console (GPMC), a free tool that Microsoft has made available for download at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.

    Without GPMC, you have to employ a variety of different tools, such as Active Directory Users And Computers, AD Sites And Services, Access Control List Editor, the Resultant Set of Policy (RSoP) snap-in, and Delegation Wizards, to tame the many-headed beast of Group Policies in Active Directory. GPMC brings the functionality of all those tools neatly together into a single, powerful management console that enables you to manage multiple domains and forests with ease, thanks to a unified interface.

    What GPMC can do

    In addition to the features mentioned above, GPMC has the ability to back up and restore Group Policy objects (GPOs); import/export and copy/paste GPOs and Windows Management Instrumentation (WMI) filters; and provide HTML reporting of GPO settings and RSoP data. What's more, most of these operations are scriptable. Using these operations, you can plan, create, test, and migrate Group Policies.

    GPMC can be used to manage Windows Server 2003 and Windows 2000 domains. Of course, Active Directory must already be enabled. The GPMC console itself can be installed on a workstation running Windows Server 2003, Windows XP Professional with Service Pack 1 (plus an additional post-SP1 hot fix that is included with GPMC), and the Microsoft .NET Framework (http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&Di