Section 7: Implementing Security Using Group Policy Exploring the Windows Security Architecture...
Section 7: Implementing Security Using Group Policy

Exploring the Windows Security Architecture
Securing User Accounts
Exploring Security Policies
Hardening Windows Environments
Implementing Domain Security
New Security Policy Options for Windows 8 Client and Windows Server 2012

Managing Windows Environments with Group Policy
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives

After completing this section, you will be able to:
- Describe the Windows security architecture
- Explain how to secure user accounts with Group Policy
- Describe the purpose of local policies
- Explain how to harden computer accounts
- Explain how to control the domain security policy with a GPO
Exploring the Windows Security Architecture

The main security components of a Windows 2000 and later operating system are:
- Security principals
- Access control lists
- Security groups
- NTUSER.DAT (the user profile hive)
- The registry
Security Principals

Security principals are the objects that can be granted or denied access. Each one is assigned a SID, and it is the SID, not the name, that is written into an ACL; renaming an account changes nothing about its access. Security principals exist both in Active Directory and in the local SAM of a standalone or member computer.

- Users
- Groups
- Computers
Access Control Lists

An access control list is the list of permissions attached to a securable object. Each entry (ACE) names a security principal by SID and allows or denies specific rights; the DACL decides access and the SACL decides what is audited.

ACLs are available on:
- Files and folders
- Registry keys
- Printers
- Active Directory objects
- Group Policy objects

The ACL on a GPO deserves the same care as the ACL on a domain controller: whoever can edit a GPO linked at the domain root can run code as SYSTEM on every computer that applies it.
Security Groups

Group type           Membership from             Access to resources
Local groups         Any trusted domain          The local computer only
Domain local groups  Any trusted domain          The local domain only
Global groups        The local domain only       Any trusted domain
Universal groups     Any domain in the forest    Any trusted domain

(Universal groups can contain accounts from any domain in the same forest, not from externally trusted domains; domain local groups are the ones that can hold members from an external trust.)
NTUSER.DAT: The User Profile

NTUSER.DAT is the registry hive of a user profile; it is loaded as HKEY_CURRENT_USER when the user logs on. Group Policy settings are written into dedicated policy keys in either the user hive or the machine hive (the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies subkeys of HKCU and HKLM). Those keys are ACLed so that a standard user cannot change them, which is what makes a setting stored there a policy rather than a preference.
The Registry

The registry is the final storage location for many Group Policy settings: whatever tool the GPO was authored with, the client-side extension ends up writing registry values on the local computer.

The local account database and LSA policy live in two hives under HKEY_LOCAL_MACHINE that only SYSTEM can read: SAM holds local user and group accounts (including their password hashes), and SECURITY holds LSA policy, account rights, audit settings and LSA secrets such as cached domain credentials and service account passwords. Anyone who can read those two hives owns the local accounts, so backups and offline copies of them need the same protection as the running system.
Securing User Accounts

- Authentication protocols
- Password security
- Account lockout settings
- Kerberos Policy

[Figure: users authenticating to a domain controller]
Authentication Protocols

NT LAN Manager (NTLM)
- NTLMv1: challenge-response built on 56-bit DES keys derived from the password hash; a captured response can be cracked back to the NT hash with modest effort
- NTLMv2: HMAC-MD5 challenge-response; stronger than v1, but still no mutual authentication and still subject to relay
Kerberos
- AES 128-bit and 256-bit encryption types (RC4-HMAC remains available for compatibility and should be retired)
- Mutual authentication and smart-card logon (PKINIT)

Prefer Kerberos wherever possible. Use the Security Option "Network security: LAN Manager authentication level" to refuse LM and NTLMv1 responses, and the "Network security: Restrict NTLM" options (audit first, then block) to find and remove the remaining NTLM dependencies.
Password Security

- Password strength
- Configuring the Default Domain Policy
- Implementing fine-grained password policies

[Figure: Ctrl+Alt+Delete]
Password Strength

- Complex is not always stronger: character substitutions such as @ for a and 0 for o are the first rules a cracking tool applies.
- Frequent forced changes encourage written-down and incrementally changed passwords.
- Password length is the key to greater security: a long passphrase resists brute force far better than a short complex string.
- The ultimate goal is smart cards (or another second factor) instead of passwords.

Examples, weakest to strongest:
Password123
MyP@$$w0rd2008
this is a very strong password

The last example gets its strength from length alone. A phrase that appears in a book, a song or a well-known example is in cracking wordlists too, so a passphrase must be unique to the user, not merely long.
Configuring the Default Domain Policy

Basic password, lockout and Kerberos policies are configured at the domain level, in the GPO linked to the domain root (the Default Domain Policy unless another domain-linked GPO takes precedence). All supported operating systems understand domain password policies. Account policies for domain accounts are read only from the domain-linked GPO: the same settings in a GPO linked to an OU affect only the local accounts on the computers in that OU.
Implementing Fine-Grained Password Policies

- Understanding fine-grained password policies
- Creating fine-grained password policies
- Applying policies to users and groups
- Viewing policy results
Understanding Fine-Grained Password Policies

Fine-grained password policies allow many different password and lockout settings within a single domain (domain functional level Windows Server 2008 or later).
Two object classes support them: the Password Settings Container and Password Settings objects (PSOs).
PSOs are applied to users or global security groups, not to OUs. When more than one PSO applies to a user, a PSO linked directly to the user wins over one inherited through a group, and among the remaining candidates the lowest precedence value wins.
Create PSOs with:
- Active Directory Administrative Center
- PowerShell (the ActiveDirectory module)
- ADSI Edit
Creating Fine-Grained Password Policies

In Active Directory Administrative Center, Password Settings objects are created in a single window containing all settings.
Applying Policies to Users and Groups

PSOs can be assigned to users or groups.
Viewing Policy Results

The resultant password settings that affect a user can be viewed at any time: the user's constructed attribute msDS-ResultantPSO names the winning PSO, and the Get-ADUserResultantPasswordPolicy cmdlet returns its settings.
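The full PSO workflow from the three slides above, as an added example rather than code from the course material. It assumes the RSAT ActiveDirectory module, a domain-joined administrative session, and that a global security group named Tier0-Admins and a user named jdoe already exist (all three names are assumptions).

```powershell
# Added example (not from the course material). Assumes the RSAT
# ActiveDirectory module, a domain-joined admin session, and that the
# group 'Tier0-Admins' and user 'jdoe' exist (both names are assumptions).
Import-Module ActiveDirectory

# 1. Create the PSO. Lower Precedence wins when several PSOs apply to a user.
#    Age values are TimeSpans; the strings below are parsed as days.hh:mm:ss.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru

# 2. Apply it to a group. PSOs bind to users and global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Tier0-Admins'

# 3. Verify what actually applies to a member. An empty result means no PSO
#    applies and the Default Domain Policy governs the account.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($null -eq $effective) {
    Write-Output 'jdoe: no PSO applies; Default Domain Policy is in effect'
} else {
    Write-Output ('jdoe: {0} (precedence {1}, min length {2}, lockout threshold {3})' -f
        $effective.Name, $effective.Precedence,
        $effective.MinPasswordLength, $effective.LockoutThreshold)
}

# 4. Review every PSO in the domain and who each one is bound to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
        @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

Step 3 is the one to keep in a scheduled check: a PSO that is created but bound to the wrong group, or outranked by another PSO with a lower precedence value, fails silently, and the resultant policy is the only place that shows it.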
Account Lockout Settings

Account Lockout Threshold: the number of failed logon attempts before the account is locked; 0 disables lockout. A higher value (10 or more) reduces support calls and makes it harder for an attacker to lock accounts deliberately, while still stopping online brute force against a single account. Password spraying (one or two guesses per account across many accounts) stays under any threshold, so lockout is not a substitute for strong passwords and failed-logon monitoring.
Account Lockout Duration: how long the account stays locked before it can be used again. A value of 0 means the account remains locked until an administrator unlocks it.
Reset Account Lockout Counter After: the time after which the count of failed attempts resets. The lockout duration must be greater than or equal to this window.
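Reading and hardening the domain-level password and lockout settings described under "Configuring the Default Domain Policy" and "Account Lockout Settings" above, as an added example that is not part of the course material. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the domain name corp.example and the chosen values are assumptions. Set-ADDefaultDomainPasswordPolicy writes the policy attributes on the domain object directly, and the PDC emulator's Group Policy refresh reapplies the account-policy values from the domain-linked GPO, so make the same change in that GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies) or the cmdlet's change will be reverted.

```powershell
# Added example (not from the course material). Assumes the RSAT
# ActiveDirectory module and Domain Admin rights; the domain name and the
# target values are assumptions.
Import-Module ActiveDirectory
$domain = 'corp.example'

# Show what the domain currently enforces.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$before | Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    MinPasswordAge, MaxPasswordAge, ReversibleEncryptionEnabled,
    LockoutThreshold, LockoutObservationWindow, LockoutDuration

# Harden it. Length carries most of the strength. The lockout values slow
# online guessing against one account without letting an attacker lock
# every account with a handful of bad guesses; LockoutDuration must be at
# least as long as LockoutObservationWindow.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Re-read and fail loudly if the write did not take.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if ($after.MinPasswordLength -lt 14 -or $after.LockoutThreshold -ne 10 -or
    $after.ReversibleEncryptionEnabled) {
    throw 'Default domain password policy was not updated as expected'
}

# Which accounts are locked out right now. A burst of lockouts across many
# accounts is a spray or a misconfigured service, not a user problem.
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LockedOut, LastLogonDate
```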
Kerberos Policy

Kerberos policy governs how long ticket-granting tickets and service tickets remain valid and how far client and server clocks may drift:
- Maximum lifetime for user ticket (the TGT; default 10 hours)
- Maximum lifetime for service ticket (default 600 minutes)
- Maximum lifetime for user ticket renewal (default 7 days)
- Maximum tolerance for computer clock synchronization (default 5 minutes)
- Enforce user logon restrictions (re-check the user's logon rights at each service ticket request)
Like the other account policies, these take effect only in the GPO linked to the domain.
Exploring Security Policies

Important security policy settings:
- Audit Policy
- Advanced Audit Policy
- User Rights Assignment
- Security Options
Audit Policy

Audit who is logging on and who is accessing files. The legacy audit policy (Local Policies > Audit Policy) works at the level of nine categories, each switchable for success, failure or both.
Advanced Audit Policy

Audit at a more granular level with Advanced Audit Policy Configuration, which splits the nine categories into more than fifty subcategories, so that for example Logon can be enabled without the noise of Logoff or Special Logon. Configure one model or the other, not both: while "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled (the default), the subcategory settings win and the legacy category settings are ignored.
User Rights Assignments

User rights assignments define which accounts can perform privileged operations in the operating system and how they may log on: for example Debug programs, Back up files and directories, Restore files and directories, Act as part of the operating system, Log on as a service, Allow log on through Remote Desktop Services and Deny log on locally. Several of these are equivalent to full control of the computer, so the list of who holds them is as sensitive as the membership of the Administrators group.
Security Options

Security Options configure how the system may be accessed both locally and over the network: which authentication protocols are accepted, whether SMB signing is required, whether anonymous enumeration of accounts and shares is allowed, UAC behaviour, interactive logon requirements and similar switches. Most of them are registry values under HKEY_LOCAL_MACHINE that the security client-side extension writes.
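A check of the effective local security policy that ties together the three slides above (Authentication Protocols, User Rights Assignments and Security Options), written here as an added example and not taken from the course material. It exports the policy with secedit, parses the [Privilege Rights] and [Registry Values] sections of the resulting template, reports who holds the most dangerous rights, and compares the NTLM-related Security Options with target values. The list of sensitive rights and the target values are assumptions for illustration; run it elevated on the computer being checked.

```powershell
# Added example (not from the course material). Reads the effective local
# security policy of the machine it runs on; run elevated. The list of
# sensitive rights and the target NTLM values are assumptions.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed' }

# The template is an INF file: [Privilege Rights] holds user rights as
# Right = *SID,*SID,... and [Registry Values] holds the registry-backed
# Security Options as path=type,value (type 4 = REG_DWORD, 1 = REG_SZ).
$section = ''
$rights  = @{}
$regvals = @{}
foreach ($line in Get-Content $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -notmatch '^\s*(.+?)\s*=\s*(.*)$') { continue }
    $key, $val = $Matches[1], $Matches[2]
    switch ($section) {
        'Privilege Rights' { $rights[$key]  = $val }
        'Registry Values'  { $regvals[$key] = $val }
    }
}

function Resolve-Sid([string]$entry) {
    # secedit writes SIDs as *S-1-5-32-544; entries without a SID stay as-is.
    if ($entry -notmatch '^\*S-') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $entry }
}

# Rights that amount to SYSTEM-level control or remote access: review the holders.
$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege',
             'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
             'SeRemoteInteractiveLogonRight'
foreach ($r in $sensitive) {
    $holders = if ($rights.ContainsKey($r)) {
        $rights[$r] -split ',' | ForEach-Object { Resolve-Sid $_.Trim() }
    } else { @() }
    '{0,-32} {1}' -f $r, ($holders -join ', ')
}

# Security Options that govern NTLM. LmCompatibilityLevel 5 = send NTLMv2 only
# and refuse LM and NTLMv1; RestrictReceivingNTLMTraffic 2 = deny all inbound
# NTLM; NTLMMinClientSec 0x20080000 = require NTLMv2 session security and
# 128-bit encryption.
$targets = @{
    'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'                = '4,5'
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic' = '4,2'
    'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec'             = '4,537395200'
}
foreach ($k in $targets.Keys) {
    $actual = if ($regvals.ContainsKey($k)) { $regvals[$k] } else { '(not set)' }
    $state  = if ($actual -eq $targets[$k]) { 'OK ' } else { 'GAP' }
    '{0} {1} = {2} (want {3})' -f $state, ($k -split '\\')[-1], $actual, $targets[$k]
}
Remove-Item $cfg -Force
```

The same parser works on the GptTmpl.inf inside a GPO's SYSVOL folder, which is how to review what a GPO will set before it is linked; secedit /export only shows what has already been applied to this computer.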
Security Settings Spreadsheet

Microsoft provides a downloadable spreadsheet that details many of the security settings, their default values in each operating system version and the registry location each one writes, which makes it the reference to use when deciding how far a hardening baseline departs from the defaults.
Hardening Windows Environments

- What Is Hardening?
- Security Configuration Wizard
- Microsoft Security Compliance Manager
What Is Hardening?

Hardening is the strengthening of the default levels of security.
For Windows 2000 and later, the account policies that protect user and computer accounts are broken down into three subgroups:
- Password Policy
- Account Lockout Policy
- Kerberos Policy
You raise these above their defaults at the domain level; the default values are merely starting points.
Only one set of account policies per domain applies to domain accounts (fine-grained password policies are the exception).
Security Configuration Wizard

The Security Configuration Wizard builds a single security-related policy:
- Configuration detail is saved as an XML file.
- It can be applied to an individual computer (scwcmd configure).
- Convert it to a GPO (scwcmd transform) to apply it to more than one computer.
SCW shipped from Windows Server 2003 SP1 through Windows Server 2012 R2 and was removed in Windows Server 2016.
Converting an SCW XML File to a GPO

1. Use the Security Configuration Wizard to create the policy and save it to an XML file.
2. Use scwcmd transform to convert the file into a new GPO: scwcmd transform /p:<policyfile.xml> /g:<GPO display name>. The GPO is created but not linked.
3. The converted GPO contains both security settings and administrative template settings; review the GPO report before linking it.
4. Link the GPO to an appropriate OU.
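The four steps above as one script, added here as an example and not taken from the course material. It assumes the policy was saved by SCW as C:\SCW\MemberServer.xml, that the GroupPolicy RSAT module is installed, and the OU distinguished name shown; the file name, GPO name and OU are all assumptions.

```powershell
# Added example (not from the course material). The file path, GPO name and
# OU below are assumptions; run on a domain-joined computer with the
# GroupPolicy RSAT module and rights to create and link GPOs.
$xml     = 'C:\SCW\MemberServer.xml'
$gpoName = 'SCW-MemberServer-Baseline'
$ou      = 'OU=Member Servers,DC=corp,DC=example'

if (-not (Test-Path $xml)) { throw "SCW policy file not found: $xml" }

# Step 2: convert the saved SCW policy into a new, unlinked GPO.
& scwcmd.exe transform /p:$xml /g:$gpoName
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

Import-Module GroupPolicy
$gpo = Get-GPO -Name $gpoName

# Step 3: the transform carries security settings and administrative
# template settings, so produce a report and read it before anything applies.
$report = Join-Path $env:TEMP "$gpoName.html"
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
Write-Output "Review $report before enabling the link"

# Step 4: link to the OU, but leave the link disabled until the review is done.
New-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled No -Order 1 | Out-Null

# After review, enable it:
#   Set-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled Yes
```

Creating the link disabled costs nothing and avoids the common accident of a freshly transformed policy (which can stop services and restrict ports) applying to a whole OU before anyone has read it.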
Microsoft Security Compliance Manager

The Security Compliance Manager (SCM) is a free download that can help you assess security and implement a hardened environment. It ships Microsoft's recommended baseline settings for each product, lets you compare a baseline with an imported GPO backup to see where your environment differs, and exports the result as a GPO backup ready to import into the domain.
Implementing Domain Security

- Security Levels
- Controlling File Security through the ACL
- Managing Registry Security Using ACLs
- Controlling Network Services with Group Policy
- Enforcing an Audit Policy
- Restricting Security Group Membership
Security Levels

Microsoft recommends three layered levels of security, each delivered by a GPO linked at a different point in the hierarchy:
- Domain: the account policies, linked at the domain root
- Baseline: the settings every member server gets, linked at the member server OU
- Assigned server role: additional settings for a role (file server, web server, domain controller), linked at the child OU that holds servers of that role
Controlling File Security through the ACL

The File System setting (Security Settings > File System) centrally defines the DACL and SACL of a path. Group Policy refresh reapplies them, so a permission changed locally is reverted at the next refresh. Use it for a small number of specific paths: the security client-side extension rewrites the ACLs on every refresh, and a deep tree with inheritance propagated is expensive to process.
Managing Registry Security Using ACLs

You can use the Registry setting (Security Settings > Registry) to update registry security in the following ways:
- Locking down registry permissions so users cannot change local settings
- Adding user permissions to a key so that Windows software written before Windows 2000 can run
- Adding or modifying the permissions that older applications require in your environment
When loosening permissions for an old application, grant them on the specific key the application writes, never on HKLM\SOFTWARE or HKLM\SYSTEM as a whole.
Controlling Network Services with Group Policy

The System Services setting (Security Settings > System Services) sets the startup type of a service and the ACL on the service object, so a local administrator cannot simply start it again. Examples of network services to control are:
- Windows Time
- Automatic Updates
- Help and Support
- Remote Registry
- Telnet
Remote Registry and Telnet are the usual candidates for Disabled on computers that do not need them.
Enforcing an Audit Policy

Audit policy can be defined in a GPO linked at the site, domain or OU level.
Administrators can monitor user and system activity for many security-related activities, including:
- Account logon (credential validation; for domain accounts this is logged on the domain controller)
- Account management (accounts and groups created, changed or deleted, password resets)
- Directory service access (requires SACLs on the Active Directory objects)
- Object access (requires SACLs on the files, registry keys or other objects)
Events produced by the audit are written to the Security log in Event Viewer on the computer where the activity happened, so domain-wide visibility requires collecting the logs centrally (Windows Event Forwarding or a SIEM).
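Putting the Audit Policy, Advanced Audit Policy and Enforcing an Audit Policy slides to work: an added example, not code from the course material, that enables the subcategories covering the four activities above with auditpol and then reads the Security log for the two events those settings produce that matter most, failed logons (4625) and lockouts (4740). Run it elevated on the computer being audited, or push the same subcategories through a GPO under Advanced Audit Policy Configuration. The 24-hour lookback and the threshold of 20 failures per source are assumptions.

```powershell
# Added example (not from the course material). Run elevated on the audited
# computer, or apply the same subcategories through a GPO. The lookback and
# the spray threshold are assumptions.

# Subcategories covering the four activities above.
$subcategories = @(
    'Credential Validation',           # Account Logon
    'Kerberos Authentication Service', # Account Logon (domain controllers)
    'User Account Management',         # Account Management
    'Security Group Management',       # Account Management
    'Directory Service Access',        # Directory Service Access (needs SACLs on AD objects)
    'File System',                     # Object Access (needs SACLs on the files)
    'Logon', 'Account Lockout'         # Logon/Logoff
)
foreach ($s in $subcategories) {
    & auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$s'" }
}
& auditpol.exe /get /category:*   # confirm the effective setting

# Turn an event's EventData into a hashtable keyed by field name.
function ConvertFrom-EventData($record) {
    $d = @{}
    foreach ($n in ([xml]$record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$since = (Get-Date).AddHours(-24)

# Failed logons (4625) grouped by source address. One source hitting many
# distinct accounts is the signature of a password spray, which never
# trips the lockout threshold. SubStatus 0xC000006A = wrong password,
# 0xC0000064 = the user name does not exist.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Source = $d['IpAddress']; Target = $d['TargetUserName']; SubStatus = $d['SubStatus'] }
    } |
    Group-Object Source |
    Where-Object { $_.Count -ge 20 } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
        @{ n = 'DistinctTargets'; e = { @($_.Group.Target | Sort-Object -Unique).Count } }

# Lockouts (4740) are recorded on the PDC emulator, so run this part there.
# TargetDomainName in a 4740 carries the name of the computer the bad
# attempts came from.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; CallerComputer = $d['TargetDomainName'] }
    }
```

The grouping by source with a distinct-target count is the check that the lockout policy on the earlier slides cannot make for you: a spray of two guesses per account across 500 accounts produces no lockout at all, but it produces one source with 500 distinct targets in this report.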
Restricting Security Group Membership

With the Restricted Groups setting you can centrally configure the membership of a group on a local computer, typically the local Administrators group. The Group Policy refresh cycle sets the membership back to this value even if it is changed locally.
The two lists in the setting behave differently: "Members of this group" replaces the entire membership, so anything not listed (including accounts added by hand) is removed at the next refresh, while "This group is a member of" only adds the named group to the target groups and leaves existing members alone. Use the first to lock down local Administrators and the second to add a domain group without disturbing what is already there.
New Security Policy Options for Windows 8 Client and Windows Server 2012

Several new policy options have been added to the Security Options section in Windows 8 Client and Windows Server 2012:
- Accounts: Block Microsoft accounts (prevents users from adding a Microsoft account to the computer, or from logging on with one)
- Interactive logon: Machine account lockout threshold (on a BitLocker-protected computer, the number of failed logons after which the machine locks and requires the BitLocker recovery key; it protects the data on a lost device against password guessing)
- Interactive logon: Machine inactivity limit (seconds of inactivity before the session is locked)
- Microsoft network server: Attempt S4U2Self to obtain claim information (lets a file server retrieve a user's claims from a domain controller when the client's ticket carries none, for Dynamic Access Control)
Summary

The main security components of a Windows 2000 and later operating system are:
Security principals: The operating system assigns a SID to every user, group or computer object, on a standalone Windows computer as well as on one that is a member of a domain. Some security principals are created by default by the operating system.
Summary (cont.)

Access control lists: Every securable object (files and folders on NTFS volumes, registry keys, printers, Active Directory objects, processes and other kernel objects) carries a security descriptor whose ACLs list security principals by SID. The DACL (discretionary ACL) holds the allow and deny entries that decide each security principal's access. The SACL (system ACL) holds the audit entries that determine which access attempts by which principals are written to the Security log.
Security groups: Used to assign rights and permissions to processes and objects through the DACLs and SACLs, so that one SID in an ACL covers many accounts.
Summary (cont.)

NTUSER.DAT: Holds the registry part of each user profile and is loaded when the user successfully logs on to a Windows client. This user profile hive is mapped to the HKEY_CURRENT_USER section of the registry after the user is logged on.
The registry: Many Group Policy settings update the registry database on the local computer, even when the settings are deployed through Active Directory. User settings are written under HKEY_CURRENT_USER (the user's hive under HKEY_USERS) and computer settings under HKEY_LOCAL_MACHINE; HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG are merged views of keys within those two.
Summary (cont.)

To secure user accounts, you must consider the following:
- Authentication protocols
- Password security
- Account lockout settings
- Kerberos policy settings
Local policies are policy settings configured on a per-machine basis with the Local Group Policy Editor (gpedit.msc, or secpol.msc for the security settings alone). They are useful when the machine is in a workgroup or is being staged for deployment; once the computer joins a domain, GPOs applied from Active Directory override any local setting they also define.
Summary (cont.)

Account security is divided into three subgroups: Password Policy, Account Lockout Policy and Kerberos Policy. You can use two tools to harden computer accounts, the GPOAccelerator and the Security Configuration Wizard. The GPOAccelerator tool builds a series of preconfigured GPOs with a security emphasis (it was superseded by the Security Compliance Manager). The Security Configuration Wizard builds a single security-related policy that scwcmd transform turns into a GPO.
Summary (cont.)

To control domain security policy with a GPO, configure the different security policy settings in a GPO for the domain. You can do the following:
- Control file and registry security
- Restrict the network services
- Configure the public key policies
- Enforce auditing
- Restrict group membership
Knowledge Check

1. Which Windows security component is used to assign rights and permissions to processes and objects using the ACLs, DACLs, and SACLs?
a. Security groups
b. Security principals
c. Access control lists
d. The registry
Knowledge Check (cont.)

2. What do you have to consider when you secure user accounts with Group Policy? (Choose all that apply.)
a. Password security
b. Account lockout settings
c. How often the user logs on
d. Authentication protocols
Knowledge Check (cont.)

3. What is the purpose of local policies?
Local policies are policy settings that can be configured on a per-machine basis. They are useful when the machine is in a workgroup or is being staged for deployment.

4. Briefly explain how to harden computer accounts.
Increase the default security level of Windows by using the GPOAccelerator to provide sample hardened templates. Use the Security Configuration Wizard to display the current security settings and to configure a more secure template to apply to other systems.
Knowledge Check (cont.)

5. List the things that you can do to control the domain security policy with a GPO.
- Control file and registry security
- Restrict the network services
- Configure the public key policies
- Enforce auditing
- Restrict group membership