480 likes | 871 Views
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features. Objectives. Identify the various elements and techniques that can be used to secure a Windows Server 2003 system
E N D
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 EnvironmentChapter 14:Windows Server 2003 Security Features
Objectives • Identify the various elements and techniques that can be used to secure a Windows Server 2003 system • Use Security Configuration and Analysis tools to configure and review security settings • Audit access to resources and review Security log settings 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Securing Your Windows 2003 System • Five broad categories of security-related features: • Authentication • Access control • Encryption • Security policies • Service packs and hot fixes 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Authentication • Most basic level is requiring a user id and password to log on to some system • In a domain environment, authentication is centralized on the network while in a workgroup environment, authentication is local • In a domain environment, a single authentication can provide access to multiple domains and forests • Additional authentication methods can apply to other services (e.g., IIS) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Access Control • Access control is used to secure resources such as files, folders, and printers • Common types of access control are NTSF and shared folder permissions, printer permissions, Active Directory object permissions • The “principle of least privilege” implies that users should only have the access that they really need 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Encryption • Confidential files can be encrypted using the Encrypting File System (EFS) for local files stored on NTFS volumes • EFS uses a combination of public and private keys • The IPSec protocol can encrypt the contents of packets sent across a TCP/IP network • There are two IPSec modes: transport and tunnel • IPSec is used to make it difficult for hackers to intercept sensitive network data 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Security Policies • Security policy settings can be configured from the Local Security Policy and Group Policy Object Editor MMC snap-ins • Security policies control a range of security settings • Windows Server 2003 includes tools that analyze policy settings compared to pre-configured security templates • Security Configuration and Analysis MMC snap-in • Command-line SECEDIT utility 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Service Packs and Hot Fixes • Many critical updates and patches are related to security issues • Hot fixes address a specific identified issue • A service pack is a cumulative collection of hot fixes and updates • Service packs and hot fixes can be downloaded and installed from Microsoft • Software Update Services can assist in automating and managing the distribution of updates 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Using Security Configuration Manager Tools • Windows Server 2003 provides tools specifically designed to help configure and manage security settings (Security Configuration Manager tools) • These tools plus Group Policies can be used to set up a Security Policy template which is administered centrally 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Using Security Configuration Manager Tools (continued) • The Security Configuration and Analysis tool will compare a security template to existing settings • The Security Configuration Manager tools include these components: • Security templates • Security settings in Group Policy objects • Security Configuration and Analysis tool • SECEDIT command-line tool 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Security Templates • Templates help ensure consistency and ease maintenance across multiple machines • Templates are text-based files • Should not be edited or changed using a text-based editor • There are a number of pre-defined templates for various settings 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Security Templates (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-1: Browsing Security Templates • Objective: To become familiar with built-in security templates • Start Run type mmc OK File Add/Remove Snap-in Add • Locate and view the available templates as directed • Browse through the available templates and the specific policies associated with them 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Analyzing the Pre-configured Security Templates • Network computers can be categorized as: • Workstations • Servers • Domain controllers • Pre-configured templates are applicable to a specific category of computer • Only Windows Server 2003, Windows XP, and Windows 2000 can use security templates 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
The Default Template • The Setup Security.inf template contains default security settings applied when Windows Server 2003 is installed • Contents depend upon the original configuration of computer (fresh install, upgrade, etc.) • Allows an administrator to return to original settings easily • Should not be applied using Group Policy 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Incremental Templates • Modify security configurations incrementally • Can only be applied on top of default security settings because they do not specify baseline configurations • Templates include: compatws.inf, securews.inf, securedc.inf, hisecws.inf, hisecdc.inf, iesacls.inf, dc security.inf, rootsec.inf • Custom templates can also be created 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Applying Security Templates • Security templates can be applied to local machine or a domain • For local machine • Open Local Security Setting MMC snap-in and import a policy • For domain • Use Group Policy Objects • Security settings from GPOs override local settings 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Applying Security Templates (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-2: Creating a Security Template • Objective: to explore the creation of a custom security template • Open a New Template from the MMC Security Templates snap-in as directed • Configure settings for the new template as specified • Save the template • View the template file 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-3: Applying Security Template Settings to Group Policy Objects • Objective: to use Group Policy to deploy security template settings • Start Administrative Tools Active Directory Users and Computers • Open the Default Domain Policy from the Properties of the domain • Import the previously created template as directed • Verify settings 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Security Configuration and Analysis • The Security Configuration and Analysis snap-in permits the comparison of current system settings to those configured in templates • The comparison identifies changes and potential weaknesses • Multiple templates can be compared at once • Multiple templates can be combined and saved • Changes can be made directly within the snap-in by selecting the desired configuration 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Security Configuration and Analysis (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-2: Creating a Security Template (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-4: Analyzing Security Settings Using Security Configuration and Analysis • Objective: To use the Security Configuration and Analysis snap-in to compare current configuration with security template settings • Open the Security Configuration and Analysis snap-in as directed and open a new database • Import the hisecdc.inf template for comparison • Perform the analysis • Review and compare the settings as directed 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-4 (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
SECEDIT Command-Line Tool • SECEDIT is a command-line tool used to create and apply security templates and analyze settings • Can be used where Group Policy cannot be applied • Six main switches • Analyze • Configure • Export • Import • Validate • GenerateRollback 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Auditing Access to Resources and Analyzing Security Logs • Auditing is used to track events on a network • An audit policy defines which events should be recorded • and whether successes and/or failures should be recorded • Audited events are written into a security log which can be viewed with Event Viewer 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-5: Exploring Default Auditing Settings • Objective: to explore the auditing settings of the default domain controller GPO • Open the Properties of the Domain Controllers OU in Active Directory Users and Computers • Edit the Default Domain Controllers Policy on the Group Policy tab as directed • Open the Audit Policy node and browse through the various policy settings 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-5 (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-5 (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Configuring Auditing • The role of a computer on the network influences how an audit policy is configured • For member servers or workstations • Audit policies are implemented using GPOs assigned to the domain or OUs • For domain controllers • Audit policies are implemented via the Default Domain Controllers Policy applied to Domain Controllers OU • For standalone workstations and servers • Audit policies defined using Local Security Policy tool 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Requirements and Configuring an Audit Policy • Requirements • You must have proper permissions (Administrators Group or Manage auditing and security log user right) • Auditing files and folders can only be done on NTFS volumes • Configuring an audit policy • Configure auditing on events to be monitored and if logging occurs on success and/or failure • Configure auditing on specific resource objects such as files, folders, printers, and Active Directory objects 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Configuring an Audit Policy (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-6: Configuring and Testing New Audit Policy Settings • Objective: to become familiar with changing and testing the configuration of audit policy settings • Open the Default Domain Controllers Policy GPO auditing settings • Reconfigure the settings as directed • Manually refresh the Group Policy settings • Test the new settings and view results using Event Viewer 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Auditing Object Access • When files and folders reside on an NTFS volume, you can monitor attempted and successful accesses of these objects • Caution -- this can result in a large number of events being logged • Object auditing is configured through the Advanced Security Settings on the resource • Auditing is also possible for Active Directory objects 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Auditing Object Access (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-7: Configuring Auditing on an NTFS Folder • Objective: to log failed and successful accesses to an NTFS folder • Create and configure NTFS permissions for a new folder • Configure auditing settings for the folder • Test the auditing settings and permissions by attempting to access and delete the folder • Use Event Viewer to verify correct auditing 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-7 (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Best Practices • Plan carefully before implementing an audit policy • General guidelines: • Only audit events that provide truly useful information • Review entries in the security log regularly • Audit sensitive and confidential information • Audit the Everyone group – it includes unauthenticated users • Audit the assignment of user rights • Audit the Administrators group 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Analyzing Security Logs • For each event defined in an audit policy, an entry is written in the Security log if that event occurs • Use Event Viewer to examine the Security log • The log provides a summary of the date and time of each event, and the user performing the action • More details by double-clicking the entry • Event Viewer provides find and filter options to assist in managing the Security log 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Analyzing Security Logs (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Analyzing Security Logs (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-8: Configuring Event Viewer Log Properties • Objective: to use the find and filter features in Event Viewer to manage log files • Open Event Viewer and view local Security log • Use the Find feature to locate specific types of events as directed • Next, use the Filter feature to manage the log, displaying only events meeting specified criteria • Redisplay all records in the log as directed 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Configuring Event Viewer • There are a number of configurable settings that determine the size, number of entries, and overwrite policy in a security log • Default initial security log size is 16 MB in Windows Server 2003 (up from 512 KB in 2000) • Settings are configured from the Properties of the Security log in Event Viewer 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Configuring Event Viewer (continued) 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Activity 14-9: Editing Security Log Settings and Saving Events • Objective: to configure properties of the Security log and save event entries for archiving purposes • Open the Properties of the Security log through Event Viewer • Reconfigure the Security log size and overwrite properties as directed • Save and clear the Security log as noted • Open the saved log to verify 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Summary • Windows Server 2003 offers security-related features in five categories: authentication, access control, encryption, security policies, and service packs and hot fixes • Windows Server 2003 offers a package of Security Configuration Manager tools: • Security templates, security settings in GPOs, Security Configuration and Analysis tool, SECEDIT command-line tool 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Summary (continued) • Auditing is used to log specific events within a Windows Server 2003 configuration • An audit policy defines the events to be monitored • Specific resources and objects can be configured for auditing access attempts • A Security log contains record of audited events • Event Viewer is used to display and manage Security logs 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment