Section 7: Implementing Security Using Group Policy

Exploring the Windows Security Architecture
Securing User Accounts
Exploring Security Policies
Hardening Windows Environments
Implementing Domain Security
New Security Policy Options for Windows 8 Client and Windows Server 2012

Managing Windows Environments with Group Policy

© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives

After completing this section, you will be able to:
Describe the Windows security architecture
Explain how to secure user accounts with Group Policy
Describe the purpose of local policies
Explain how to harden computer accounts
Explain how to control the domain security policy with a GPO

7-2

Exploring the Windows Security Architecture

The main security components of a Windows 2000 and later operating system are:
Security principals
Access control lists
Security groups
NTUSER.DAT
The registry

7-3

Security Principals

Security principals are objects within Active Directory that are assigned SIDs for access control purposes.

Users
Groups
Computers

7-4

Access Control Lists

Access control lists are permissions granted to objects within a Windows environment.

ACLs are available on:
Files and folders
Registry keys
Printers
Active Directory objects
Group Policy objects

7-5

Security Groups

Groups                Membership From               Access to Resources
Local groups          From any trusted domain       To the local computer only
Domain local groups   From any trusted domain       To the local domain only
Global groups         From the local domain only    To any trusted domain
Universal groups      From any trusted domain       To any trusted domain

7-6

NTUSER.DAT: The User Profile

Group Policy information is stored in specific policy folders in either the user or system hives of the registry.

7-7


The Registry

The registry is the ultimate storage location for many Group Policy settings.

The SECURITY hive contains the bulk of the security settings for users and groups.

7-9


Securing User Accounts

Authentication protocols
Password security
Account lockout settings
Kerberos Policy

(Diagram: Users authenticating to a Domain Controller)

7-11

Authentication Protocols

NT LAN Manager
NTLMv1
NTLMv2
Uses 56-bit DES

Kerberos
128-bit and 256-bit AES
Smart-card logon

7-12

Password Security

Password strength
Configuring the Default Domain Policy
Implementing fine-grained password policies

(Image: Ctrl+Alt+Delete)

7-14

Password Strength

Complex is not always stronger.
Frequent changing encourages written passwords.
Password length is the key to greater security.
The ultimate goal would be smart cards instead of passwords.

Password123
MyP@$$w0rd2008
this is a very strong password

7-15
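The slide's three sample passwords make the length-versus-complexity point; the following PowerShell, an added example and not part of the course, puts rough numbers on it by computing the brute-force search space (in bits) for each sample. It assumes an attacker who must try every string of that length over the character classes present; a passphrase of common dictionary words is weaker than this figure suggests, so treat the output as an upper bound, not a guessability score.

```powershell
# Added example (not course material): search-space size in bits for the
# slide's sample passwords. Assumes exhaustive search over the character
# classes present; does not account for dictionary words or patterns.
function Get-SearchSpaceBits {
    param([string]$Password)
    $charset = 0
    if ($Password -cmatch '[a-z]')         { $charset += 26 }
    if ($Password -cmatch '[A-Z]')         { $charset += 26 }
    if ($Password -match  '[0-9]')         { $charset += 10 }
    if ($Password -match  '[^A-Za-z0-9]')  { $charset += 33 }   # printable ASCII symbols, space included
    if ($charset -eq 0) { return 0 }
    [math]::Round($Password.Length * [math]::Log($charset, 2), 1)
}

# Single quotes keep the $$ in the second sample literal.
$samples = 'Password123', 'MyP@$$w0rd2008', 'this is a very strong password'
foreach ($p in $samples) {
    [pscustomobject]@{
        Password = $p
        Length   = $p.Length
        Bits     = Get-SearchSpaceBits -Password $p
    }
}
```

The long lowercase passphrase scores well above the short mixed-character string even though it uses only one character class, which is exactly the slide's claim: each extra character multiplies the search space, while each extra character class only adds to the base.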

Configuring the Default Domain Policy

Basic password policies are configured at the domain level. All operating systems understand domain password policies.

7-17


Implementing Fine-Grained Password Policies

Understanding fine-grained password policies
Creating fine-grained password policies
Applying policies to users and groups
Viewing policy results

7-18

Understanding Fine-Grained Password Policies

Fine-grained password policies allow for many different password guidelines within a single domain.

Two new object classes:
Password Settings Container
Password Settings

PSOs are applied to groups or users, not OUs.

Create PSOs with:
Active Directory Administrative Center
PowerShell
ADSIEdit

7-19

Creating Fine-Grained Password Policies

Password Settings objects are created using a single window containing all settings.

7-20

Applying Policies to Users and Groups

PSOs can be assigned to users or groups.

7-21

Viewing Policy Results

The resultant password settings that affect a user can be viewed at any time.

7-22
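The three steps above (create a PSO, apply it to a group, view the resultant policy) map directly onto the ActiveDirectory module cmdlets. The following is an added example, not the course's own material; the PSO name, group name, user name and the policy values are assumptions, and it must run on a domain-joined host with the ActiveDirectory module and rights to create objects in the Password Settings Container.

```powershell
# Added example (not course material): fine-grained password policy for
# service accounts, applied to a group, then checked for one user.
Import-Module ActiveDirectory

$psoName = 'PSO-ServiceAccounts'   # assumed PSO name
$group   = 'SvcAccounts'           # assumed global group
$user    = 'svc-backup'            # assumed sAMAccountName of a group member

# Create the Password Settings object. When several PSOs cover the same user,
# the one with the lowest Precedence wins. The values follow the slide's
# advice: long minimum length, no forced frequent rotation.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 25 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs are applied to users and groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Resultant policy: which PSO actually governs this user right now.
# Nothing is returned when no PSO applies, i.e. the domain policy governs.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $effective) {
    "No PSO applies to $user; the Default Domain Policy governs this account."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength,
        MaxPasswordAge, LockoutThreshold, LockoutDuration
}
```

Checking the resultant policy after every membership change is the habit to build: a user who is moved into a second group that carries a lower-precedence PSO silently picks up that PSO's settings, and Get-ADUserResultantPasswordPolicy is the only view that shows which one actually won.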

Account Lockout Settings

Account Lockout Threshold
Sets the number of allowed invalid logon attempts
Larger numbers reduce support calls

Account Lockout Duration
Sets the amount of time before the account can be used again
A value of 0 means the account will remain locked until it is unlocked by an administrator

Account Lockout Reset
Configures the amount of time before the number of attempted logons will reset

7-23
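The domain-level password and lockout settings described under Configuring the Default Domain Policy and in the three lockout bullets above are a single object per domain. The following PowerShell, an added example that is not part of the course, reads the current values, sets the three lockout settings, and then lists accounts that are currently locked out. The chosen values are illustrative; it assumes the ActiveDirectory module and domain administrator rights.

```powershell
# Added example (not course material): inspect and adjust the one domain
# account policy, then list currently locked-out accounts.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$before | Select-Object MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Threshold:           bad attempts before lock; 0 disables lockout entirely.
# Duration:            0 = locked until an administrator unlocks it (per the slide);
#                      a finite value clears itself and reduces support calls.
# Observation window:  the "reset" timer; Windows requires it to be no longer
#                      than the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Sanity checks a reviewer would run after the change.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if ($after.LockoutThreshold -eq 0) {
    Write-Warning 'Account lockout is disabled: no limit on invalid logon attempts.'
}
if ($after.LockoutDuration -eq [TimeSpan]::Zero) {
    'Locked accounts stay locked until an administrator unlocks them.'
}

# Which accounts the policy has currently locked; a sudden spike here is
# worth correlating with the Security log before anyone is unlocked.
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LastLogonDate, LockedOut |
    Sort-Object LastLogonDate -Descending
```

Set-ADDefaultDomainPasswordPolicy writes the same attributes the Default Domain Policy GPO writes, so whichever of the two applied last wins at the next refresh; pick one mechanism and document it.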

Kerberos Policy

Kerberos policies govern the length of time that ticket-granting and service tickets will be cached.

7-24

Exploring Security Policies

Important Security Policy Settings:
Audit Policy
Advanced Audit Policy
User Rights Assignment
Security Options

7-26

Audit Policy

Audit who is logging on and accessing files.

7-27


Advanced Audit Policy

Audit at a more granular level with Advanced Audit Policies.

7-28

User Rights Assignments

User rights assignments can be used to define the special abilities that some users will have within the operating system.

7-31


Security Options

Security Options can be used to configure access to the system both locally and over the network.

7-33


Security Settings Spreadsheet

Microsoft provides a downloadable spreadsheet that details many of the default settings that are configured in the operating system.

7-36


Hardening Windows Environments

What Is Hardening?
Security Configuration Wizard
Microsoft Security Compliance Manager

7-37

What Is Hardening?

Hardening is the strengthening of the default levels of security.

For Windows 2000 and later, computer account security is broken down into three subgroups:
Account Policies
Account Lockout Policies
Kerberos Policies

You can increase the default security levels at the domain level.
The default values already enabled are merely starting points.
Only one domain account policy is allowed.

7-37

Security Configuration Wizard

The Security Configuration Wizard builds a single security-related GPO.
Configuration detail is saved as an XML file.
It can be applied to an individual computer.
Convert it to a GPO to apply it to more than one computer.

7-39

Converting an SCW XML File to a GPO

Use the Security Configuration Wizard to create and save the settings to an XML file.
Use scwcmd transform to convert the file.
The converted GPO will contain both security settings and administrative templates settings.
The GPO can then be linked to an appropriate OU.

7-39
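The conversion and linking steps above, as an added example that is not part of the course: the XML path, GPO name and OU distinguished name are assumptions. scwcmd ships with Windows Server 2008 through 2012 R2 (the wizard was removed in Windows Server 2016), and the linking step needs the GroupPolicy module.

```powershell
# Added example (not course material): turn a saved SCW policy into a GPO,
# confirm the GPO exists, then link it to the OU that holds the target servers.
$policyXml = 'C:\SCW\FileServer.xml'                       # assumed SCW output file
$gpoName   = 'SCW - File Server Baseline'                  # assumed GPO display name
$targetOu  = 'OU=FileServers,DC=contoso,DC=com'            # assumed OU

# scwcmd transform creates the GPO in the domain of the current user.
# /p: policy file, /g: display name of the GPO to create.
scwcmd transform /p:"$policyXml" /g:"$gpoName"

Import-Module GroupPolicy

# The new GPO carries both Security Settings and Administrative Templates
# settings; check it was created before linking.
$gpo = Get-GPO -Name $gpoName -ErrorAction Stop
$gpo | Select-Object DisplayName, GpoStatus, CreationTime

# Link to the OU. Start with the link enabled on a pilot OU; a policy built
# on one server role will break services that the role does not run.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes
```

Because scwcmd transform produces an ordinary GPO, the usual tools apply afterwards: Get-GPOReport -Name $gpoName -ReportType Html shows exactly which services, firewall rules and registry settings the wizard captured before anyone links it broadly.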

Microsoft Security Compliance Manager

The Security Compliance Manager is a free download that can help you assess security and implement a hardened environment.

7-40


Implementing Domain Security

Security Levels
Controlling File Security through the ACL
Managing Registry Security Using ACLs
Controlling Network Services with Group Policy
Enforcing an Audit Policy
Restricting Security Group Membership

7-41

Security Levels

Microsoft recommends three levels of security:

Domain

Assigned server role

Baseline

7-42


Controlling File Security through the ACL

The File System setting can centrally define ACLs. Group Policy refresh keeps the ACL at the specified values.

7-43


Managing Registry Security Using ACLs

You can use ACLs to update registry security in the following ways:

Locking down registry permissions so users cannot change local settings

Adding user permissions to a key to allow Windows software that was written before Windows 2000 to work

Adding or modifying permissions that are required in your environment for older software applications

7-44

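Before centrally defining file-system or registry ACLs through Group Policy, it helps to know which existing entries actually grant broad write access to low-trust principals, since those are the ones a legacy application may depend on and the ones the policy will tighten. The following PowerShell is an added example, not course material, covering both the File System slide and the registry slide above; the file path and registry key are assumptions, and it only reports, it changes nothing.

```powershell
# Added example (not course material): report Allow ACEs that give write-class
# rights to broad principals on a folder and on a registry key.
$targets = @(
    'C:\Apps\LegacyApp',                         # assumed application folder
    'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'      # assumed application key
)

# Principals that mean "most or all users" on the machine.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights names that permit changing data or the ACL itself. File ACEs expose
# FileSystemRights, registry ACEs expose RegistryRights; both are matched by name.
$writeClass = 'FullControl|Modify|Write|SetValue|CreateSubKey|ChangePermissions|TakeOwnership'

function Get-BroadWriteAce {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Not found: $Path"; return }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($broadPrincipals -notcontains $who) { continue }
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
            $ace.FileSystemRights.ToString()
        } else {
            $ace.RegistryRights.ToString()
        }
        if ($rights -match $writeClass) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $rights
                Inherited = $ace.IsInherited   # inherited entries must be fixed at the parent
            }
        }
    }
}

$targets | ForEach-Object { Get-BroadWriteAce -Path $_ }
```

Run this before and after the GPO's File System or Registry entries apply: the "after" run should be empty for the protected paths, and any entry that reappears between refreshes points at something (an installer, a script, an administrator) rewriting the ACL locally, which the next Group Policy refresh will keep undoing.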

Controlling Network Services with Group Policy

Examples of network services to control are:
Windows Time
Automatic Updates
Help and Support
Remote Registry
Telnet

7-45

Enforcing an Audit Policy

Audit policy can be defined at the site, domain, or OU GPO.

Administrators can monitor user and system activity for many security-related activities, including:

Account logon
Account management
Directory service access
Object access

Events that are triggered by the audit are stored in the Event Viewer security log.

7-46
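The audit policy only pays off if someone reads the Security log it feeds. The following PowerShell, an added example and not part of the course, first shows the effective advanced audit settings for the Logon/Logoff category (auditpol reports what is actually in force after Group Policy), then summarises failed logons (event ID 4625) from the last 24 hours by target account. It must run elevated, because standard users cannot read the Security log.

```powershell
# Added example (not course material): confirm what is being audited, then
# summarise failed logons from the Security log.

# Effective advanced audit policy for the category that covers logons.
auditpol /get /category:"Logon/Logoff"

$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625            # An account failed to log on
    StartTime = $since
} -ErrorAction SilentlyContinue  # Get-WinEvent errors when nothing matches

# Pull fields from EventData by name instead of parsing the message text,
# which changes with the display language.
$rows = foreach ($event in $failed) {
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $event.TimeCreated
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']     # 2 interactive, 3 network, 10 remote interactive
        Status    = $data['Status']        # NTSTATUS code for the failure reason
    }
}

# Accounts with the most failures. Repeated 4625s against one account inside
# the lockout observation window are what trips the lockout threshold, so
# this view explains most "I'm locked out" calls.
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

If auditpol shows Logon set to "No Auditing" while the legacy Audit Policy in the GPO says success and failure, the machine is honouring the advanced audit policy over the legacy one, which is the default behaviour once any advanced subcategory is configured.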

Restricting Security Group Membership

With the Restricted Groups option, you can centrally configure the membership of a group on a local computer. The Group Policy refresh cycle sets the membership back to this value even if it is changed locally.

7-47

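Restricted Groups enforces membership on each refresh, but between refreshes the local group can drift. The following PowerShell is an added example, not course material, that compares the local Administrators group with the membership the policy is expected to enforce and forces a refresh when they differ. The expected members and the domain name are assumptions; Get-LocalGroupMember requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 and Windows Server 2016 or later).

```powershell
# Added example (not course material): detect drift in local Administrators
# membership against the set Restricted Groups is meant to enforce.
$expected = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',          # assumed domain group
    'CONTOSO\Workstation Admins'      # assumed domain group
)

$actual = (Get-LocalGroupMember -Group 'Administrators').Name

$extra   = $actual   | Where-Object { $expected -notcontains $_ }
$missing = $expected | Where-Object { $actual   -notcontains $_ }

if (-not $extra -and -not $missing) {
    'Local Administrators membership matches the expected set.'
} else {
    $extra   | ForEach-Object { "UNEXPECTED member: $_" }
    $missing | ForEach-Object { "MISSING member:    $_" }

    # The "Members of this group" list in Restricted Groups replaces the
    # membership at the next refresh; force it instead of waiting.
    gpupdate /target:computer /force
}
```

An unexpected member found by this check is worth recording before the refresh removes it: the refresh restores the policy, but the Security log (event ID 4732, a member was added to a local group) tells you who added the account and when.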

New Security Policy Options for Windows 8 Client and Windows Server 2012

Several new policy options have been added to the security section in Windows 8 Client and Windows Server 2012:
Accounts: Block Microsoft accounts
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Microsoft network server: Attempt S4U2Self to obtain claim information

7-48

Summary

The main security components of a Windows 2000 and later operating system are:

Security principals: The operating system assigns a SID to every user, group, or computer object on a standalone Windows computer system or one that is a member of a domain. Some security principals are created by default by the operating system.

7-52

Summary (cont.)

Access control lists: Every object and process created on an NTFS file-system partition can be controlled using file and folder permissions. Permissions are assigned using ACLs that contain a list of security principals. A DACL (discretionary ACL) holds the specific allow and/or deny permissions given to each security principal. SACLs (system ACLs) are used to audit selected users and groups if you want to monitor the assigned level of permissions on any object or process.

Security groups: Used to assign rights and permissions to processes and objects using the ACLs, DACLs, and SACLs.

7-52


Summary (cont.)

NTUSER.DAT: Used to hold part of each user profile and is loaded when the user successfully logs on to a Windows client. This user profile registry hive is mapped to the HKEY_CURRENT_USER section of the registry after the user is logged on.

The registry: Many Group Policy settings update the registry database on the local computer, even if the settings are deployed through Active Directory. The hives that apply to Group Policy are:
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_CURRENT_CONFIG

7-52

Summary (cont.)

To secure user accounts, you must consider the following:

Authentication protocols
Password security
Account Lockout settings
Kerberos policy settings

Local policies are policy settings that can be configured on a per-machine basis with the Group Policy Management Editor. These settings are useful when the machine is in a workgroup or is being staged for deployment.

7-52

Summary (cont.)

Computer account security is divided into three subgroups: Account policies, account lockout policies, and Kerberos policies. You can use two tools to harden computer accounts, the GPOAccelerator and the Security Configuration Wizard. The GPOAccelerator tool builds a series of preconfigured GPOs with a security emphasis. The Security Configuration Wizard builds a single security-related GPO.

7-52


Summary (cont.)

To control domain security policy with a GPO, configure the different security policy settings in a GPO for the domain. You can do the following:
Control the file and registry security
Restrict the network services
Configure the public key policies
Enforce auditing
Restrict group membership

7-52

Knowledge Check

1. Which Windows security component is used to assign rights and permissions to processes and objects using the ACLs, DACLs, and SACLs?
a. Security groups
b. Security principals
c. Access control lists
d. The registry

7-53

Knowledge Check (cont.)

2. What do you have to consider when you secure user accounts with Group Policy? (Choose all that apply.)
a. Password security
b. Account lockout settings
c. How often the user logs on
d. Authentication protocols

7-53

Knowledge Check (cont.)

3. What is the purpose of local policies?
Local policies are policy settings that can be configured on a per-machine basis. They are useful when the machine is in a workgroup or is being staged for deployment.

4. Briefly explain how to harden computer accounts.
Increase the default security level of Windows by using the GPOAccelerator to provide sample, hardened templates. Use the Security Configuration Wizard to display the current security settings and configure a more secure template to apply to other systems.

7-53

Knowledge Check (cont.)

5. List the things that you can do to control the domain security policy with a GPO.
Control the file and registry security
Restrict the network services
Configure the public key policies
Enforce auditing
Restrict group membership

7-53