940 likes | 953 Views
Learn how to set up security policies, configure auditing, and troubleshoot security configuration issues. Explore various security templates, account policies, and security settings using the Security Configuration and Analysis console.
E N D
Goals • Introduce security configuration • Introduce auditing • Set audit policy on a domain controller • Set audit policy on a stand-alone server or computer • View the Security log • Audit user access to Active Directory objects • Assign user rights to users and groups
Goals (2) • Implement account policy • Implement security templates • Use the Security Configuration and Analysis console • Use the Security Configuration and Analysis console to configure security • Troubleshoot security configuration issues
(Skill 1) Introducing Security Configuration • Security configurationis the process of setting up a security policy • For an individual system • For a network • Security policies are required • Guard against unauthorized internal users • Protect from external threats
(Skill 1) Introducing Security Configuration (2) • Use security configuration • To set up security policies • Account • Local • To create access control policies • Services • Registry • Files
(Skill 1) Introducing Security Configuration (3) • Use security configuration • To define event logs settings • To determine group membership settings (restricted groups) • To create public key policies • To set Internet Protocol (IP) security policies
(Skill 1) Introducing Security Configuration (4) • Factors to consider while designing security policies • Physical distribution of the network • Business model of the organization • Network load due to inter-computer dataflow and access • Overall computer usage
(Skill 1) Introducing Security Configuration (5) • Windows Server 2003 Security Configuration tools • Group Policy Object Editor is used to apply security settings centrally for the computers in a domain. • Use the Security Settings extension in the Group Policy Object Editor to apply different categories of security policies
(Skill 1) Figure 12-1 Security extension of the Group Policy Object Editor
(Skill 1) Introducing Security Configuration (6) Categories of security policies • Account policies • Can only be set for the entire domain • Password policy • Account lockout policy • Kerberos policy
(Skill 1) Figure 12-2 Password Policy settings
(Skill 1) Introducing Security Configuration (7) Categories of security policies • Local policies • Audit policy • User rights assignment • Security options
(Skill 1) Introducing Security Configuration (8) Categories of security policies • Event log allows you to specify security log settings • Maximum size of the event log file • Logging options • Event log access rights
(Skill 1) Introducing Security Configuration (9) Categories of security policies • Restricted Groups allows you to define additional control over the membership of key groups • Defining a group as a restricted group • Setting the membership for the group • Configuring member groups and users for the restricted group
(Skill 1) Introducing Security Configuration (10) • Categories of security policies • System Services allows you to configure the startup settings for services on a computer • Startup mode settings: Automatic, Manual, and Disabled • Can specify which security group or user can modify a service’s properties (start, stop, or pause)
(Skill 1) Figure 12-3 System Services security settings
(Skill 1) Introducing Security Configuration (11) Categories of security policies • Registry • Registry security settings allow you to set permissions for users to read, modify, and add new keys to the Registry • File System • Allows you to set access permissions for folders and files on the computer • Settings only apply to computers with NTFS drives
(Skill 1) Figure 12-4 Files and Folders permissions settings
(Skill 1) Introducing Security Configuration (12) Categories of security policies • Wireless Network (IEEE 802.11) Policies control network security settings for supported wireless networking devices • Public Key Policies are used to configure the public key encryption • IP Security Policies are used to configure IP security for TCP/IP-based communication between servers, clients, and domain controllers using Microsoft’s version of IPSec
(Skill 2) Introducing Auditing • Auditing is used to track user activities and object access on the computers on a network • Regular auditing ensures security of network resources • Auditing can discover security breaches • Auditing can help in resource planning for the computers on the network
(Skill 2) Introducing Auditing (2) • Steps in setting up a security audit • Determine carefully the events to be audited on each computer • Security events that can be tracked • Who logged on to a computer and when? • What files were accessed or folders were created? • What printers were used? • What Registry keys were accessed when, and by whom? • What actions the users attempted to perform on them?
(Skill 2) Introducing Auditing (3) • Steps in setting up a security audit • Decide the computers, users, or groups to be tracked • Activate the audit object access policy.
(Skill 2) Introducing Auditing (4) • Activating the audit object access policy • Configure the audit object access policy in the Properties dialog box and the System ACL editor for the object • Select who you are going to audit • Choose what file system actions you want to monitor in the SACL editor for the file or folder
(Skill 2) Introducing Auditing (5) • Monitoring a particular event • Define an audit policy in the Audit Policy folder • The audit policy tells the operating system what to record in the Security event log on each computer • On a domain controller, modify the default domain policy by using the Group Policy Management console • Only Domain Administrators and Enterprise Administrators can configure auditing at the domain level
(Skill 2) Figure 12-5 Audit policy
(Skill 2) Introducing Auditing (6) • Audited events are stored in the Security event log • Success and failure can both be recorded • Security log can be viewed using the Event Viewer • The Security log entries allow identification of existing security problems in the overall network, as well as on individual computers
(Skill 2) Figure 12-6 The Security Event log
(Skill 3) Setting Audit Policy on a Domain Controller • Unauthorized access to a domain must be monitored • Set up an audit policy on a domain controller by configuring Group Policy • Link the GPO to the default Domain Controllers OU • You must have the Manage auditing and security log right on the system to configure auditing
(Skill 3) Setting Audit Policy on a Domain Controller (2) • Setting up auditing is a two-step process • Step 1 • Configure the audit policy to track particular events, for success, for failure or both • Step 2 • Open the specific resource you wish to audit • Enable auditing by selecting the type of event you want to track and the user group or groups for which you want to track that event
(Skill 3) Figure 12-7 Creating a GPO
(Skill 3) Figure 12-8 The Audit account logon events Properties dialog box
(Skill 3) Figure 12-9 The Audit object access Properties dialog box
(Skill 3) Figure 12-10 Advanced Security Settings for Annual Reports
(Skill 3) Figure 12-11 Selecting the actions to be audited
(Skill 3) Figure 12-12 A Security warning dialog box
(Skill 4) Setting Audit Policy on a Stand-Alone Server or Computer • Problems auditing stand-alone servers and workgroup computers running Windows 2000 or XP Professional • They do not belong to a domain • A domain controller-based audit policy cannot be applied to them • Stand-alone computers and the network computers may be able to access each other and hence require monitoring
(Skill 4) Setting Audit Policy on a Stand-Alone Server or Computer (2) • Audit policy should be set for stand-alone computers • To monitor network access attempts • To monitor local security events
(Skill 4) Figure 12-13 Audit Policy in the Local Security Settings console
(Skill 4) Figure 12-14 Enabling auditing for local logon attempts
(Skill 4) Figure 12-15 Updating local security policy
(Skill 5) Viewing the Security Log • Problems with implementation of audit policies • Increases the overhead on a computer • Slows down CPU performance • Security event log can become inundated with entries • Solutions • Set a schedule for checking the Security log regularly • Specify a maximum file size for Security log
(Skill 5) Viewing the Security Log (2) • Be aware when the Security log reaches the maximum file size • You may lose data if the log becomes full before you archive it • Archiving is the process of saving a history of events so you can track trends in resource usage • When the log is full, the operating system will stop recording events
(Skill 5) Figure 12-16 The Security Log Properties dialog box
(Skill 5) Viewing the Security Log (3) • Set filters to control what is recorded in the log • Event type: Information, Warning, Error, or Success or Failure audit • Event source: Choose a particular source, such as Spooler, LSA (Local Security Authority), or SC (Service Control) Manager • Category: Account Logon, Account Management, Directory Service Access, Privilege Use, Object Access events, and so on • Event ID • User • Computer • Specific time periods
(Skill 5) Figure 12-17 The Filter tab in the Security Properties dialog box
(Skill 5) Figure 12-18 The Security log
(Skill 5) Figure 12-19 Filtering the Security log
(Skill 5) Figure 12-20 Viewing event details box
(Skill 6) Auditing User Access to Active Directory Objects • Active Directory objects • Are the essential building blocks of a Windows Server 2003 network • Include users, computers, OUs, groups, published printers, and so on • Audit policies for Active Directory objects • Are set based explicitly on their functionality • An audit policy set for an Active Directory object is inherited by its child object through Policy Inheritance by default
(Skill 6) Figure 12-21 The Auditing tab
(Skill 6) Figure 12-22 Setting printer audit policy