Lecture 4: Enterprise Security and Configuration with Group Policy Settings
Agenda
• Overview of Windows Security
• Managing Enterprise Security and Configuration with Group Policy Settings
• Improving the Security of Authentication in an AD DS Domain
Module 1: Overview of Windows Security
Module Overview
• Overview of Windows Security
• Overview of Defense-in-Depth
Lesson 1: Overview of Windows Security
• What Are Authentication and Authorization?
• What Is UAC?
• File and Folder Permissions
• Account Lockout and Password Policies
• Fine-Grained Password Policies
• Auditing Features
• Data Encryption Features
What Are Authentication and Authorization?
(Figure: a user requesting access to a resource)
• Authentication ("Who are you?"): Verifying the identity of something or someone
• Authorization ("Are you on the list?"): Determining whether something or someone has permission to access a resource
What Is UAC?
UAC is a security feature that simplifies the ability of users to run as standard users and perform all necessary daily tasks
• UAC prompts the user for an administrative user’s credentials if the task requires administrative permissions
File and Folder Permissions
NTFS file and folder permissions:
• Define local access rights for files and folders
• Always apply
Shared folder permissions:
• Define network access rights for folder contents
• Only apply when files and folders are accessed over the network
Account Lockout and Password Policies
Account and password policies help to mitigate the threat of unauthorized account access
Policies and their default settings:
Password policy: controls complexity and lifetime of passwords
• Complex password: enabled
• Enforce password history: 24
• Maximum password age: 42 days
• Minimum password age: 1 day
• Minimum password length: 7 characters
• Store password using reversible encryption: disabled
Account lockout policy: controls how many incorrect attempts can be made
• Lockout threshold: 0 invalid logon attempts
• Lockout duration: not defined
• Reset account lockout after: not defined
Fine-Grained Password Policies
Fine-grained password policies allow for:
• Assigning multiple password and account lockout policies to individual Active Directory users or groups within the same domain
Fine-grained password policy components:
• Password Settings Container
• Password Settings objects
Auditing Features
Auditing tracks user and operating system activities and records selected events in security logs, answering:
• What occurred?
• Who did it?
• When?
• What was the result?
Enable auditing to:
• Detect threats and attacks
• Determine damages
• Prevent further damage
Data Encryption Features
BitLocker functionality:
• Encrypts volumes (the entire operating system volume, including Windows system files)
• Does not require user certificates
EFS functionality:
• Encrypts files
• Requires user certificates
Lesson 2: Overview of Defense-in-Depth
• What Is Defense-in-Depth?
• Policies, Procedures, and Awareness
• Physical Layer Security
• Perimeter Layer Security
• Internal Network Layer Security
• Host Layer Security
• Application Layer Security
• Data Layer Security
Applying Defense-In-Depth to Increase Security
Defense-in-depth provides multiple layers of defense to protect a networking environment:
• Policies, Procedures, & Awareness: security documents, user education
• Physical Security: guards, locks, tracking devices
• Perimeter: firewalls, Network Access Quarantine Control
• Internal Network: network segments, IPSec, NIDS
• Host: hardening, authentication, update management, HIDS
• Application: application hardening, antivirus
• Data: ACLs, encryption, EFS, DRM
Defense-in-depth uses a layered approach to security, which:
• Reduces an attacker's chance of success
• Increases an attacker's risk of detection
Policies, Procedures, and Awareness
Sources of compromise include:
• Users unaware of rules
• Users viewing rules as unnecessary
• Social engineering
Policies, procedures, and awareness refers to an organization's formalized, agreed upon commitment to help prevent security incidents from occurring, and to address security issues in the event of a security incident
Physical Layer Security
Physical access to systems allows:
• Physical destruction
• Software installation
• Data modification
• Theft
Physical layer security refers to helping prevent unauthorized physical access to IT infrastructure, especially as it may result in damaged equipment as well as compromised data
Perimeter Layer Security
Perimeter layer compromise includes:
• Attacks on resources in a perimeter network
• Attacks on remote clients
• Attacks on business partners
Perimeter layer security refers to connectivity between your network and other untrusted networks
Internal Network Layer Security
Internal network layer compromise includes:
• Unauthorized network communication
• Unauthorized network hosts
• Unauthorized packet sniffing
• Unchanged default network device configurations
Internal network layer security refers to safeguarding the infrastructure that is directly managed and controlled by your organization, including WAN end points
Host Layer Security
Host layer compromise can be:
• Exploiting operating system flaws
• Exploiting default operating system configurations
• Accomplished by a virus
The host layer refers to the individual infrastructure devices such as computers, switches, and routers on your network
Application Layer Security
Application layer compromise can be:
• Exploiting application flaws
• Exploiting application default configurations
• Viruses introduced by a user
The application layer refers to the specialized software running on the hosts
Data Layer Security
Data layer compromise can be:
• Unauthorized access to data files
• Unauthorized access to AD DS
• Modification of application files
The data layer refers to the information stored on your computers
Best Practices for Increasing Security
Some best practices for increasing security are:
• Apply all available security updates quickly
• Follow the principle of least privilege
• Restrict console login
• Restrict physical access
Security Configuration Wizard
The Security Configuration Wizard (SCW) is a wizard-based tool that allows an administrator to manage the attack surface of a server and disable unneeded Windows Server 2008 R2 functionality
SCW analyzes your server and provides recommendations for:
• Network security, including firewall rules
• Registry settings
• Services to enable or disable
• Audit policy
SCW policies can be created, modified, and redeployed to other servers within your infrastructure
What Is the Microsoft Baseline Security Analyzer?
The Microsoft Baseline Security Analyzer (MBSA) is a tool used to assess the current security state of a server based on Microsoft's security recommendations
MBSA features:
• Assesses current state of OS and application updates
• Provides formatted recommendation reports
• Targeted to small and medium-sized businesses
• Wizard-based interface
• Includes command-line tool for automation
Module 2: Managing Enterprise Security and Configuration with Group Policy Settings
Module Overview
• Manage Group Membership by using Group Policy Settings
• Manage Security Settings
• Auditing
• Software Restriction Policy and AppLocker
Lesson 1: Manage Group Membership by Using Group Policy Settings
• What Are Restricted Groups?
• Define Group Membership with Group Policy Preferences
What Are Restricted Groups?
• Restricted Groups policies enable you to manage the membership of groups
• Members: the policy is for a local group; it specifies the group's members (groups and users); authoritative
• Member Of: the policy is for a domain group; it specifies the group's membership in a local group; cumulative
Demonstration: Delegate Administration by Using Restricted Groups Policies
In this demonstration, you will see how to:
• Add a domain support group to the local Administrators group of client computers
• Define the authoritative membership of the local Administrators group of client computers
![Page 30: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/30.jpg)
Define Group Membership with Group Policy Preferences
• Create, delete, or replace a local group
• Rename a local group
• Change the Description
• Modify group membership
• Local Group preferences are available in both Computer Configuration and User Configuration
Lesson 2: Manage Security Settings
• What Is Security Policy Management?
• Configure the Local Security Policy
• Manage Security Configuration with Security Templates
• Demonstration: Create and Deploy Security Templates
• Security Configuration Wizard
• Settings, Templates, Policies, and GPOs
What Is Security Policy Management?
• Enterprise IT security policy → security configuration settings
• Manage security configuration:
Create the security policy
Apply the security policy to one or more systems
Analyze security settings against the policy
Update the policy, or correct the discrepancies in the system
• Tools
Local Group Policy and Domain Group Policy
Security Templates snap-in
Security Configuration Wizard
Configure the Local Security Policy
(Figure: Local Security Policy compared with Domain Group Policy)
Manage Security Configuration with Security Templates
• Settings are a subset of domain GPO settings, but different from the local GPO
• Security Templates
Plain text files
Can be applied directly to a computer
Can be deployed with Group Policy
• Security Configuration and Analysis
• Secedit.exe
Can be used to analyze a computer's current security settings against the security template's
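As an added example (not part of the lecture), the analyze-then-correct cycle described above scripted with a security template and secedit.exe: the .inf carries the lecture's domain password and lockout values plus object-access auditing, and the computer is compared against it. The folder C:\SecTemplates, the file names and the "Mismatch" line format of the secedit log are assumptions.

```powershell
# Added example, not from the lecture. Assumed: elevated Windows PowerShell on the
# server being checked; C:\SecTemplates and the file names below are constructed.
$workDir  = 'C:\SecTemplates'
$template = Join-Path $workDir 'Baseline.inf'
$database = Join-Path $workDir 'Baseline.sdb'
$logFile  = Join-Path $workDir 'Analysis.log'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# A security template is a plain-text .inf. [System Access] holds the Account Policies
# (ages in days, 1 = enabled, ClearTextPassword 0 = no reversible encryption); the values
# are the lecture's domain policy example (length 10, max age 90, lockout 5 in 30 min,
# reset 30 min) plus its password-history and minimum-age defaults.
# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 10
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditObjectAccess = 3
AuditLogonEvents = 3
'@
# Templates are Unicode text, as the [Unicode] section declares.
Set-Content -Path $template -Value $inf -Encoding Unicode

# Analyze: load the template into a database and compare it with the computer's
# current settings. Nothing is changed; every difference is written to the log.
secedit.exe /analyze /db $database /cfg $template /overwrite /log $logFile /quiet

# Surface the differences (assumed log format: one "Mismatch - <Setting>." line each).
function Get-TemplateMismatches {
    param([string]$Log)
    Get-Content -Path $Log | Where-Object { $_ -match 'Mismatch' }
}
Get-TemplateMismatches -Log $logFile

# The lecture's two other paths for the same .inf:
#   secedit.exe /configure /db $database /cfg $template /overwrite /log $logFile /quiet
#     applies it to this computer directly ("correct the discrepancies");
#   importing it into a GPO's Security Settings node deploys it through Group Policy.
```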
Demonstration: Create and Deploy Security Templates
In this demonstration, you will see how to:
• Build a custom MMC with the Security Templates snap-in
• Create a security template
• Import the template into the Security Settings node of a GPO
Security Configuration Wizard
• Security policy: An .xml file that configures
Role-based service configuration
Network security, including firewall rules
Registry values
Audit policy
Can incorporate a security template (.inf)
• Create the policy
• Edit the policy
• Apply the policy
• Roll back the policy
• Transform the policy into a GPO
scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"
Settings, Templates, Policies, and GPOs
• Direct configuration of security-related settings
• Local Security Policy
• Security templates
.inf files that define a wide variety of security settings
Security Templates, Security Configuration and Analysis
Import into a GPO
• Security policies
Are .xml files that define role-based service startup, firewall rules, audit policies, and registry settings
Can include security templates
Security Configuration Wizard or scwcmd.exe
Transform into a GPO by using scwcmd
• Modify GPO
Lesson 3: Auditing
• Overview of Audit Policies
• Specify Auditing Settings on a File or a Folder
• Enable Audit Policy
• Evaluate Events in the Security Log
Overview of Audit Policies
• Audit events in a category of activities
Access to NTFS files/folders
Account or object changes in Active Directory
Logon
Assignment or use of user rights
• By default, domain controllers audit success events for most categories
• Goal: Align audit policies with corporate security policies and reality
Over-auditing: Logs are too big to find the events that matter
Under-auditing: Important events are not logged
Tools that help you consolidate and crunch logs can be helpful
Specify Auditing Settings on a File or a Folder
• Modify the system access control list (SACL): Properties → Advanced → Auditing → Edit
Enable Audit Policy
• Enable auditing for Object Access: Success and/or Failure
• GPO must be scoped to the server
• Success/Failure policy setting must match auditing settings (success/failure)
Evaluate Events in the Security Log
• Security Log
• Summary:
Audit Object Access policy must be enabled to audit Success or Failure
GPO must be scoped to the server
SACL must be configured to audit successful or failed access
Security Log must be examined
Lesson 4: Software Restriction Policy and Applocker
• What Is a Software Restriction Policy?
• Overview of Application Control Policies
• Compare Applocker and Software Restriction Policies
What Is a Software Restriction Policy?
SRPs allow administrators to identify which applications are allowed to run on client computers
SRPs can be based on the following:
• Certificate
• Path
• Hash
• Zone
SRPs are applied through Group Policy
Overview of Application Control Policies
Application Control Policies are applied in Windows Server 2008 R2 and Windows 7 by using AppLocker
AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs
Benefits of AppLocker:
• Controls how users can access and run all types of applications
• Allows the definition of rules based on a wide variety of variables
• Provides for importing and exporting entire AppLocker policies
AppLocker Rules
Rules provide the foundation for an AppLocker-based application management policy
The AppLocker rules structure allows an administrator to:
• Identify applications by publisher, path, or file hash
• Create multiple rules to comprehensively manage applications
• Assign rules to individual users or groups
• Provide for exceptions to rules
AppLocker rules apply only to Windows Server 2008 R2 and Windows 7 computers
Compare Applocker and Software Restriction Policies
| Feature | SRP | AppLocker |
|---|---|---|
| Rule scope | Specific user or group (per GPO) | Specific users or groups (per rule) |
| Rule conditions provided | File hash, path, certificate, registry path, Internet zone | File hash, path, publisher |
| Rule types provided | Allow and Deny | Allow and Deny |
| Default rule action | Allow and deny | Implicit Deny |
| Audit only mode | No | Yes |
| Wizard to create multiple rules at one time | No | Yes |
| Policy import or export | No | Yes |
| Rule collection | No | Yes |
| Windows PowerShell support | No | Yes |
| Custom error messages | No | Yes |
Demonstration: How to Configure Application Control Policies
In this demonstration, you will see how to:
• Create a GPO to enforce the default AppLocker Executable rules
• Apply the GPO to the domain
• Test the AppLocker rule
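As an added example (not the lecture's demonstration), the AppLocker features the comparison table and the demonstration above refer to, driven from PowerShell: rules generated with the publisher and hash conditions, the policy switched to audit-only mode, test files checked against it, and the audit events read back. The path C:\AppLocker\Pilot-Exe.xml and the test file names are assumptions.

```powershell
# Added example, not from the lecture. Assumed: elevated PowerShell on Windows 7 /
# Windows Server 2008 R2 or later; C:\AppLocker\Pilot-Exe.xml is a constructed path.
Import-Module AppLocker
$policyFile = 'C:\AppLocker\Pilot-Exe.xml'
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null

# Build executable rules from what is installed. -RuleType is a preference order: a signed
# file gets a publisher rule (survives version updates), an unsigned file falls back to a
# hash rule (must be recreated on every rebuild). Path rules are left out on purpose: a
# path any user can write to is an allow rule for whatever that user drops there.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
$xml   = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
             -User Everyone -RuleNamePrefix Pilot -Optimize -Xml

# Audit-only mode: rules are evaluated and logged but nothing is blocked, which is how a
# rule set is piloted before EnforcementMode="Enabled". The default rules (Windows and
# Program Files folders, Administrators) are not in this set; add them before enforcing,
# or the operating system's own executables fall under the implicit deny.
$doc = [xml]$xml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyFile)

# Test files against the policy before deploying it: PolicyDecision says whether the file
# would run and MatchingRule names the rule that decided.
function Test-PilotPolicy {
    param([string[]]$Paths)
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
Test-PilotPolicy -Paths 'C:\Program Files\Internet Explorer\iexplore.exe', "$env:TEMP\unknown.exe"

# Deploy locally for the pilot (AppLocker evaluates nothing unless the Application Identity
# service runs). For the domain, the same call takes -Ldap with the GPO's LDAP path.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# What the pilot caught: 8003 = ran, but would have been blocked under enforcement;
# 8004 = blocked. The event message starts with the file path, hence the split.
function Get-AppLockerAuditHits {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'File'; Expression = { ($_.Message -split ' was ')[0] } }
}
Get-AppLockerAuditHits | Format-Table -AutoSize
```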
Module 3: Improving the Security of Authentication in an AD DS Domain
Module Overview
• Configure Password and Lockout Policies
• Audit Authentication
• Configure Read-Only Domain Controllers
Lesson 1: Configure Password and Lockout Policies
• Understand Password Policies
• Understand Account Lockout Policies
• Configure the Domain Password and Lockout Policy
• Fine-Grained Password and Lockout Policy
• Understand Password Settings Objects
• PSO Precedence and Resultant PSO
Understand Password Policies
• Implemented via Default Domain GPO
• Determine password requirements for the whole domain
• Password policies consist of:
Enforce password history: 24 passwords
Maximum password age: 42 days
Minimum password age: 1 day
Minimum password length: 7 characters
Password must meet complexity requirements: Enabled
Store password using reversible encryption: Disabled
Understand Account Lockout Policies
• Helps mitigate the threat of brute force attacks on user accounts
• Account lockout policies consist of:
Account lockout duration: Not defined
Account lockout threshold: 0 invalid logon attempts
Reset account lockout counter after: Not defined
• Unlock
A user who is locked out can be unlocked by an administrator
The Reset account lockout policy can specify a "timeout" period after which the account is automatically unlocked
Configure the Domain Password and Lockout Policy
• Domain password and lockout policies are defined by the highest-precedence GPO linked to the domain; the domain controllers read these settings and enforce them for every domain account
Default Domain Policy GPO (by default)
• Best practices
Modify the settings in the Default Domain Policy GPO for password, lockout, and Kerberos policies
Do not use the Default Domain Policy GPO to deploy any other policy settings
Do not define password, lockout, or Kerberos settings for the domain in any other GPO (account policy settings in a GPO linked to an OU affect only the local SAM accounts of the computers in that OU, not domain accounts)
• Policy settings are overridden by options set on the individual user account
Password never expires
Store passwords using reversible encryption
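The following is an added example, not part of the lecture deck: it reads the domain account policy the deck describes, sets it to the values of the deck's fine-grained scenario for the domain-wide policy, and then lists the accounts whose per-account options override it. It assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or later, or RSAT) and a domain named contoso.com; both are assumptions.

```powershell
# Added example (not from the lecture deck). Assumptions: Active Directory
# module available, domain contoso.com, run as a Domain Admin.
Import-Module ActiveDirectory

# 1. Current domain account policy (the settings held in the Default Domain Policy GPO).
Get-ADDefaultDomainPasswordPolicy -Identity contoso.com |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                ComplexityEnabled, ReversibleEncryptionEnabled,
                LockoutThreshold, LockoutObservationWindow, LockoutDuration

# 2. Tighten it to the deck's domain policy: length 10, max age 90 days,
#    lock after 5 bad attempts within 30 minutes, unlock after 30 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity contoso.com `
    -MinPasswordLength 10 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# 3. Per-account options that override the domain policy. Both live in the
#    userAccountControl bit mask: DONT_EXPIRE_PASSWD = 0x10000 (65536) and
#    ENCRYPTED_TEXT_PWD_ALLOWED = 0x80 (128). The LDAP bitwise-AND matching
#    rule 1.2.840.113556.1.4.803 selects accounts with either bit set.
$uacFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
             '(userAccountControl:1.2.840.113556.1.4.803:=128))'

Get-ADUser -LDAPFilter $uacFilter `
    -Properties PasswordNeverExpires, AllowReversiblePasswordEncryption, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires,
                  AllowReversiblePasswordEncryption, LastLogonDate |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

The third step is the check worth scheduling: "password never expires" quietly exempts an account from the maximum age, and reversible encryption stores a recoverable password, so any account in that list that is not a documented exception should have the option cleared.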
![Page 56: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/56.jpg)
Demonstration: Configure Domain Account Policies
In this demonstration, you will see how to configure the domain account policies for Contoso, Ltd, according to their password requirements
![Page 57: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/57.jpg)
Fine-Grained Password and Lockout Policy
Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain. The scenario shown on the slide:

| Scope | Length | Max age | Lockout | Reset |
|---|---|---|---|---|
| Domain Policy | 10 | 90 | 5 in 30 min | 30 min |
| Administrative accounts | 15 | 45 | 5 in 60 min | 1 day |
| Service Accounts | 64 | Password Never Expires | None | (none) |
| Finance users | 15 | 60 | 5 in 30 min | 30 min |
![Page 58: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/58.jpg)
Understand Password Settings Objects
A PSO has the following settings available:
• Password policies
• Account lockout policies
• PSO Link
• Precedence
Considerations when implementing PSOs:
PSOs can only be applied to users or global security groups
PSOs can be created through ADSI Edit or LDIFDE (and, from Windows Server 2008 R2, with the Active Directory module for Windows PowerShell)
The Password Settings Container (PSC) and PSOs are new object classes defined by the AD DS schema
Windows Server 2008 domain functional level required
![Page 59: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/59.jpg)
Demonstration: Configure Fine-Grained Password Policy
In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group
![Page 60: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/60.jpg)
PSO Precedence and Resultant PSO
• A PSO can be linked to more than one group or user
• A group or user can have more than one PSO linked to it
• Only one PSO prevails—the Resultant PSO
Precedence: Lower value (closer to 1) has higher precedence
Global group PSO with highest precedence prevails
Any PSOs linked to user override all global group PSOs. User-linked PSO with highest precedence prevails
• msDS-ResultantPSO attribute of user in Attribute Editor
Click the Filter button and ensure Constructed is selected
• If there are no PSOs, domain account policies apply
• Best Practices
Use only group-linked PSOs. Do not link to user objects.
Avoid having two PSOs with the same precedence value
• PSOs cannot be "linked" to an OU
Create a shadow group that contains all users in the OU
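The block below is an added example, not part of the lecture deck: it builds the three PSOs of the deck's fine-grained scenario, links them to global security groups, resolves the resultant PSO for a user who is in two of the groups, and flags PSOs that share a precedence value. It assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or later), Windows Server 2008 domain functional level, and the group names "Finance Users" and "Service Accounts" and the user "alice"; these names are assumptions.

```powershell
# Added example (not from the lecture deck). Assumptions: AD module, Windows
# Server 2008 domain functional level, groups 'Domain Admins', 'Finance Users',
# 'Service Accounts' and a user 'alice' who is in the first two.
Import-Module ActiveDirectory

# Lower Precedence wins when a user is covered by more than one group PSO, so
# the administrative PSO (10) beats the finance PSO (20) for an admin who also
# works in finance. All PSO attributes are supplied: the schema requires them.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -LockoutDuration (New-TimeSpan -Days 1)

New-ADFineGrainedPasswordPolicy -Name 'PSO-Finance' -Precedence 20 `
    -MinPasswordLength 15 -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Service accounts: 64 characters, never expires (MaxPasswordAge of 0),
# no lockout (threshold 0) so a misconfigured client cannot take a service down.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 30 `
    -MinPasswordLength 64 -MaxPasswordAge (New-TimeSpan -Days 0) `
    -MinPasswordAge (New-TimeSpan -Days 0) -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 0 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Link to global security groups only (best practice: never to user objects).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins'          -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Finance'         -Subjects 'Finance Users'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service Accounts'

# Resultant PSO for alice (same answer as the constructed msDS-ResultantPSO
# attribute in Attribute Editor). Nothing is returned when only the domain
# policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'alice' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Audit: two PSOs with the same Precedence make the resultant PSO ambiguous
# (the tie is broken by objectGUID, which nobody plans around).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Precedence $($_.Name) is shared by: $($_.Group.Name -join ', ')" }
```

For an OU-scoped requirement, create the shadow group the slide mentions, keep its membership in sync with the OU (a scheduled script or provisioning process), and link the PSO to that group.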
![Page 61: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/61.jpg)
Lesson 2: Audit Authentication
• Account Logon and Logon Events
• Configure Authentication-Related Audit Policies
• Scope Audit Policies
• View Logon Events
![Page 62: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/62.jpg)
Account Logon and Logon Events
• Account logon events
Registered by the system that authenticates the account
For domain accounts: Domain controllers
For local accounts: Local computer
• Logon events
Registered by the machine at which (or to which) a user logged on
Interactive logon: User's system
Network logon: Server
![Page 63: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/63.jpg)
Configure Authentication-Related Audit Policies
• Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
• Windows Server 2008 default is to audit Success events for both account logon and logon events; enable Failure auditing as well, since failed attempts are what a brute-force or password-spray attack leaves behind
• Windows Server 2008 R2 has new and more detailed policies for account logon and logon events
• Advanced Audit Policies in Windows Server 2008 R2: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration, with subcategories such as Credential Validation, Kerberos Authentication Service and Kerberos Service Ticket Operations (account logon) and Logon, Logoff and Account Lockout (logon/logoff). When the advanced policies are used, also enable the security option "Audit: Force audit policy subcategory settings to override audit policy category settings" so the legacy category settings cannot conflict with them
![Page 64: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/64.jpg)
Scoping Audit Policies
Diagram: account logon events are audited through the Default Domain Controllers Policy, linked to the Domain Controllers OU, because for domain accounts only the domain controllers generate them; logon events are audited through a custom GPO linked to the OUs containing the systems users log on to, in the example Remote Desktop Servers and HR Clients.
![Page 65: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/65.jpg)
View Logon Events
• Security log of the system that generated the event
The domain controller that authenticated the user: Account logon
• Note: Not replicated to other domain controllers
The system to which the user logged on or connected: Logon
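The following is an added example, not part of the lecture deck: it enables Failure auditing for the authentication subcategories on a domain controller and then collects failed authentication events from every domain controller, because, as the slide notes, account logon events stay in the Security log of the DC that handled the request and are not replicated. The event IDs are the standard Windows Security log IDs; the Active Directory module and the ability to read remote event logs are assumptions.

```powershell
# Added example (not from the lecture deck). Assumptions: run on a Windows
# Server 2008 R2 or later DC as a Domain Admin, AD module available, remote
# event log access to the other DCs.
Import-Module ActiveDirectory

# 1. Advanced audit policy on this DC. The same subcategories belong in the
#    Default Domain Controllers Policy under Advanced Audit Policy Configuration
#    so every DC records them. Success-only (the 2008 default) never records
#    the failed attempts a brute-force or spray produces.
auditpol /set /subcategory:"Credential Validation"           /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                            /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout"                  /success:enable /failure:enable
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

function Get-LastMatch {
    # Capture group of the LAST match of $Pattern in $Text, or ''. Last, because
    # 4625 and 4740 list the Subject account before the account that matters.
    param([string]$Text, [string]$Pattern)
    $m = [regex]::Matches($Text, $Pattern, 'Multiline')
    if ($m.Count -gt 0) { $m[$m.Count - 1].Groups[1].Value } else { '' }
}

# 2. Failed account logon / logon events from every DC for the last 24 hours.
#    4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation
#    (failure status in the message), 4625 = logon failed, 4740 = account locked out.
$filter = @{ LogName = 'Security'; Id = 4625, 4740, 4771, 4776; StartTime = (Get-Date).AddDays(-1) }
$accountPattern = '^\s*(?:Account Name|Logon Account):\s+(.+?)\s*$'
$sourcePattern  = '^\s*(?:Source Workstation|Client Address|Caller Computer Name|Workstation Name|Source Network Address):\s+(.+?)\s*$'

$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -ErrorAction Stop also throws when no events match; the catch reports it.
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                [PSCustomObject]@{
                    DC      = $dc.Name
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Account = Get-LastMatch -Text $_.Message -Pattern $accountPattern
                    Source  = Get-LastMatch -Text $_.Message -Pattern $sourcePattern
                }
            }
    } catch { Write-Warning "$($dc.Name): $($_.Exception.Message)" }
}

# 3. Many failures for one account from one source is the lockout or spray
#    signal; many accounts from one source with few failures each is a spray
#    staying under the lockout threshold.
$events | Group-Object Account, Source | Sort-Object Count -Descending | Select-Object Count, Name -First 20
$events | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

Querying only the PDC emulator is a common shortcut for lockouts (it receives a copy of bad-password attempts), but the original 4771/4776 events with the client address are only on the DC that the client actually contacted, which is why the loop visits all of them.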
![Page 66: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/66.jpg)
Lesson 3: Configure Read-Only Domain Controllers
• Authentication and Domain Controller Placement in a Branch Office
• What Are Read-Only Domain Controllers?
• Prerequisites for Deploying an RODC
• Installing an RODC
• Demonstration: Configure a Password Replication Policy
• Demonstration: Administer RODC Credentials Caching
• Administrative Role Separation
![Page 67: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/67.jpg)
Authentication and Domain Controller Placement in a Branch Office
Data Center
• Personnel
• Secure facilities
• Authentication of branch users subject to availability and performance of WAN
Branch Office
• Few, if any, personnel
• Less secure facilities
Should a domain controller be placed in the branch office?
• Improved authentication (no WAN dependency for logon)
• Security: Exposure of AD database, including every account's password hash, to whoever has physical access to the server
• Directory Service Integrity: Corruption at branch replicating to other DCs
• Administration: Administration requires domain Administrators membership
![Page 68: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/68.jpg)
What Are Read-Only Domain Controllers?
Data Center
• Writeable Windows Server 2008 domain controller
• Password Replication Policy: specifies which user (and computer) passwords can be cached by the RODC
Branch Office
• RODC
All objects
Subset of attributes
No "secrets"
Not writeable
• Users log on: the RODC forwards authentication to a writeable domain controller
• Password is cached if the password replication policy allows
• Has a local Administrators group
![Page 69: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/69.jpg)
Prerequisites for Deploying an RODC
1. Ensure the forest functional level is Windows Server 2003 or higher
All domain controllers running Windows Server 2003 or later
All domains at the Windows Server 2003 domain functional level or higher
Forest functional level set to Windows Server 2003 or higher
2. If the forest has any domain controllers running Windows Server 2003, run adprep /rodcprep
Found in the \sources\adprep folder of the Windows Server 2008 installation media; run it as a member of Enterprise Admins
3. Ensure that there is at least one writeable domain controller running Windows Server 2008 in the domain
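As an added example, not part of the lecture deck, the function below checks the three prerequisites above against the live forest. It assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or later); all names come from the environment, so nothing else is assumed.

```powershell
# Added example (not from the lecture deck). Assumption: AD module available
# and run by an account that can read every domain in the forest.
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $forest = Get-ADForest
    $result = [ordered]@{}

    # 1a. Forest functional level: Windows Server 2003 or higher.
    #     ADForestMode values are ordered (Windows2000Forest < ... < Windows2003Forest < ...).
    $result['ForestMode']   = $forest.ForestMode
    $result['ForestModeOk'] = [int]$forest.ForestMode -ge
        [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest

    # 1b. Every domain at Windows Server 2003 domain functional level or higher.
    $domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }
    $result['DomainModes']   = ($domains | ForEach-Object { "$($_.DNSRoot)=$($_.DomainMode)" }) -join '; '
    $result['DomainModesOk'] = @($domains | Where-Object {
        [int]$_.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    }).Count -eq 0

    # 1c. Every DC on Windows Server 2003 or later.
    $dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    $result['DCs'] = ($dcs | ForEach-Object {
        "$($_.Name) [$($_.OperatingSystem)]$(if ($_.IsReadOnly) { ' (RODC)' })"
    }) -join '; '
    $result['Pre2003DCs'] = @($dcs | Where-Object { $_.OperatingSystem -like '*2000*' }).Count

    # 2. Any Windows Server 2003 DC means adprep /rodcprep must be run first.
    $result['NeedsRodcPrep'] = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' }).Count -gt 0

    # 3. At least one writeable Windows Server 2008 (or later) DC.
    $result['Writeable2008PlusDCs'] = @($dcs | Where-Object {
        -not $_.IsReadOnly -and $_.OperatingSystem -match 'Windows Server (2008|201\d|202\d)'
    }).Count

    [PSCustomObject]$result
}

Test-RodcPrerequisites | Format-List
```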
![Page 70: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/70.jpg)
Installing an RODC
Install the RODC
Active Directory Domain Services Installation Wizard (dcpromo)
Stage a delegated installation of an RODC: pre-create the RODC computer account in the Domain Controllers OU (Active Directory Users and Computers, Pre-create Read-only Domain Controller account), naming the delegated administrator; that user can then complete dcpromo on the branch server without Domain Admins membership
![Page 71: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/71.jpg)
Demonstration: Configure a Password Replication Policy
In this demonstration, you will see how to:
• View an RODC's password replication policy
• Configure the domain-wide password replication policy
Use the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group
The groups are added to the password replication policies of all new RODCs by default
• Configure an RODC-specific password replication policy
![Page 72: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/72.jpg)
Demonstration: Administer RODC Credentials Caching
In this demonstration, you will review:
• Policy Usage Reports
Accounts Whose Passwords Are Stored On This Read-Only Domain Controller
Accounts That Have Been Authenticated To This Read-Only Domain Controller
• Resultant Policy
• Prepopulating credentials in the RODC cache
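The block below is an added example covering both demonstrations above, not part of the lecture deck: viewing and editing a password replication policy, reading the two policy usage reports, resolving the resultant policy for one account, and prepopulating a credential. It assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or later), an RODC named BRANCH-RODC01, a writeable DC named DC01, the groups "Branch Users" and "Tier0-Admins" and the user "bob"; all of those names are assumptions.

```powershell
# Added example (not from the lecture deck). Assumptions: AD module, RODC
# BRANCH-RODC01, writeable DC DC01, groups 'Branch Users' and 'Tier0-Admins',
# user 'bob'; run as a Domain Admin.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC01'

# View the RODC's password replication policy. The domain-wide Allowed and
# Denied RODC Password Replication Groups are present on every new RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Domain-wide policy = membership of the two built-in groups. Privileged
# accounts belong in the Denied group so their secrets never reach a branch.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members 'Tier0-Admins'

# RODC-specific policy: this RODC may cache the branch users' passwords.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users'

# Policy usage reports. Revealed = passwords stored on this RODC (the set to
# reset if the box is lost). Authenticated = accounts that have logged on
# through it (candidates for the allowed list, or accounts that should not be
# using the branch at all).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts      | Select-Object SamAccountName, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object SamAccountName, ObjectClass

# Resultant policy for one account on this RODC (Allow or Deny; Deny wins
# when an account is in both lists).
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'bob' -DomainController $rodc

# Prepopulate bob's password on the RODC so his first branch logon does not
# depend on the WAN. Succeeds only when the resultant policy is Allow.
Sync-ADObject -Object (Get-ADUser 'bob') -Source 'DC01' -Destination $rodc -PasswordOnly
```

If the RODC is stolen, deleting its computer account in Active Directory Users and Computers offers to reset the passwords of all accounts it had cached; the revealed-accounts report above is that list.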
![Page 73: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/73.jpg)
Administrative Role Separation
• Allows delegating local administrative tasks on the RODC (patching, backups, drivers, services) without granting Domain Admins membership; the delegated user gets no rights on other domain controllers or in the directory
• Each RODC maintains a local security account manager (SAM) database of groups for specific administrative purposes
• The delegated administrator can also be named when the RODC account is pre-created; it is stored in the managedBy attribute of the RODC computer account
• The DSMgmt command allows you to manage the local roles. Example session at an elevated command prompt on the RODC (username is a placeholder):
dsmgmt
local roles
? (lists the commands at this level)
list roles (lists the available roles)
add domain\username administrators
show role administrators
quit
quit
![Page 74: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter](https://reader030.fdocuments.us/reader030/viewer/2022040408/5eba616b9a760f4c5944c704/html5/thumbnails/74.jpg)
©2009 Microsoft, Microsoft Dynamics, the Office logo, and Your potential. Our passion. are trademarks of the Microsoft group of companies. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.