Troubleshooting Security Issues
Lesson 6
Skills Matrix
Technology Skill | Objective Domain Skill | Domain #
Monitoring and Troubleshooting with Event Viewer | Troubleshoot security configuration issues; Run Event Viewer tool | 2.2
Getting Started with Event Viewer | Run Event Viewer tool | 2.2
Sorting and Grouping Events | Run Event Viewer tool | 2.2
Viewing Events | Run Event Viewer tool | 2.2
Creating Filters and Custom Views | Run Event Viewer tool | 2.2
Centralizing Event Data by Using Subscriptions | Run Event Viewer tool | 2.2
Using the Security Configuration and Analysis Snap-in | Run the Security Configuration and Analysis tool | 2.2
Using the Security Configuration and Analysis Snap-in to Analyze Settings | Run the Security Configuration and Analysis tool | 2.2
Using the Security Configuration and Analysis Snap-in to Configure Security Policy | Run the Security Configuration and Analysis tool | 2.2
Understanding, Configuring, and Troubleshooting Software Restriction Policies | Troubleshoot software restrictions | 5.2
How Software Restriction Policies Work | Troubleshoot software restrictions | 5.2
Understanding Additional Rules | Digital signing | 5.2
Configuring Software Restriction Policies | Digital signing | 5.2
Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.
Understanding Software Restriction Policies
Common reasons for implementing software restriction policies:
Fight malicious software (malware)
Regulate which Microsoft ActiveX controls can be installed
Restrict the running of scripts to digitally signed scripts only
Allow only approved software to be installed or executed
Reduce the chance of installing or running software that might conflict with other applications
Restrict users from adding untrusted publishers
Understanding Software Restriction Policies (cont.)
The default security level can be one of three security levels:
Unrestricted – The user is not prevented from running the software.
Disallowed – The user is prevented from running the software.
Basic User – The user is not prevented from running the software, but is prevented from elevating the software from running with standard user privileges to running with administrator privileges.
Understanding Software Restriction Policies (cont.)
Additional rules identify specific software so that, when that software runs, it can be assigned a security level other than the default security level.
Understanding Additional Rules
Additional rules:
Hash rules – Identify programs using a cryptographic hash
Certificate rules – Identify programs by the certificate they are digitally signed with
Path rules – Identify programs by their local file paths, universal naming convention (UNC) paths, or registry paths
Network Zone rules – Identify programs according to the network zone to which they belong
Understanding Additional Rules (cont.)
Hash rules use cryptographic hashes to identify program files so that the identified programs can be treated as exceptions to the default rule (or to other additional rules) in a software restriction policy.
Understanding Hash Rules
In Windows Vista, a new hash rule contains two hashes:
MD5 (Message-Digest algorithm) or SHA-1 (Secure Hash Algorithm)
SHA-256
Understanding Hash Rules (cont.)
The hash type is determined according to the following rules:
Files that are digitally signed use the MD5 or SHA-1 hash, whichever one is present in their signature.
Files that are not digitally signed and are on computers other than Windows Vista use the MD5 hash.
Files that are not digitally signed and are on Windows Vista use both the MD5 hash and the SHA-256 hash, for compatibility reasons.
Understanding Hash Rules (cont.)
Certificate rules use code-signing certificates to identify program files so that the identified programs can be treated as exceptions to the default rule (or to other additional rules) in a software restriction policy.
Windows Vista does not enable certificate rules by default.
Certificate rules can only assign a security level of Unrestricted or Disallowed.
Understanding Certificate Rules
Path rules use file paths or registry paths to identify program files so that the identified programs can be treated as exceptions to the default rule (or to other additional rules) in a software restriction policy.
Understanding Path Rules
There are two types of path rules.
File path rules – Can specify a folder or a fully qualified path to a program file. In the case of a folder, file path rules identify all software in the folder and subfolders recursively.
Registry path rules – Identify programs according to the paths that the programs specify in the registry as their install locations. Not all programs create such an entry in the registry.
Understanding Path Rules (cont.)
Network zone rules use the network zone from which the software was downloaded as the criterion for a software restriction policy rule.
Understanding Network Zone Rules
There are five network zones.
Internet
Local Intranet
Restricted Sites
Trusted Sites
Local Computer
Understanding Network Zone Rules (cont.)
Additional rules enable you to configure non-default behavior for software restriction policies. In other words, additional rules are the exceptions to a default rule.
Using Additional Rules
The most specific software restriction policy rule takes precedence.
Ties are resolved according to the following precedence order (highest first):
Hash rule
Certificate rule
Path rule
Internet zone rule
Default security level
Understanding Additional Rules Precedence
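To make the hash-type rules described under Understanding Hash Rules and this precedence order concrete, here is an added Python model (not code from the course or from Windows) that evaluates a program launch against hash, certificate, path and zone rules and reports which rule decided. The Rule and Program classes, the sample program bytes, the paths and the signer name are constructed assumptions; real SRP processing happens inside Windows, not in a script like this.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Security levels as the deck names them.
UNRESTRICTED, BASIC_USER, DISALLOWED = "Unrestricted", "Basic User", "Disallowed"

# Tie-break order from the deck: hash > certificate > path > zone > default.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:
    kind: str   # "hash", "certificate", "path" or "zone"
    match: str  # hex digest, signer name, folder/file path, or zone name
    level: str


@dataclass
class Program:
    """What an SRP needs to know about a file being launched (constructed model)."""
    path: str
    data: bytes
    signer: Optional[str] = None   # None when the file is unsigned
    sig_alg: Optional[str] = None  # "md5" or "sha1": the digest used in the signature
    zone: str = "Local Computer"


def rule_hashes(prog: Program) -> dict:
    """Hashes a Vista hash rule would hold for this file, per the deck:
    a signed file carries only the MD5 or SHA-1 that is in its signature;
    an unsigned file on Vista carries both MD5 and SHA-256."""
    if prog.signer and prog.sig_alg in ("md5", "sha1"):
        return {prog.sig_alg: hashlib.new(prog.sig_alg, prog.data).hexdigest()}
    return {"md5": hashlib.md5(prog.data).hexdigest(),
            "sha256": hashlib.sha256(prog.data).hexdigest()}


def rule_matches(rule: Rule, prog: Program) -> bool:
    if rule.kind == "hash":
        return rule.match.lower() in rule_hashes(prog).values()
    if rule.kind == "certificate":
        return prog.signer is not None and prog.signer == rule.match
    if rule.kind == "path":
        # A folder rule covers the folder and all of its subfolders recursively.
        pattern, path = rule.match.lower(), prog.path.lower()
        return path == pattern or path.startswith(pattern.rstrip("\\") + "\\")
    if rule.kind == "zone":
        return prog.zone == rule.match
    return False


def effective_level(rules: List[Rule], prog: Program,
                    default: str = UNRESTRICTED) -> Tuple[str, str]:
    """Return (security level, deciding rule kind). The most specific matching
    rule wins: rule kinds are ordered by PRECEDENCE, and among path rules the
    longer (more specific) path beats a parent-folder rule."""
    matched = [r for r in rules if rule_matches(r, prog)]
    if not matched:
        return default, "default"
    best = min(matched, key=lambda r: (PRECEDENCE[r.kind],
                                       -len(r.match) if r.kind == "path" else 0))
    return best.level, best.kind


# Constructed sample: a tool allowed by hash, nested folder rules, and a zone rule.
SAMPLE_EXE = b"MZ... constructed stand-in for a program file"
RULES = [
    Rule("path", "C:\\Program Files\\", UNRESTRICTED),
    Rule("path", "C:\\Program Files\\Tools\\", DISALLOWED),
    Rule("hash", hashlib.sha256(SAMPLE_EXE).hexdigest(), UNRESTRICTED),
    Rule("zone", "Internet", DISALLOWED),
]
```

With the default level set to Disallowed, the hash rule overrides the more restrictive Tools folder rule for the sample file, while a signed copy of the same bytes is matched only by its signature's hash and therefore falls through to the folder rule.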
Configuring Software Restriction Policies Through Group Policy
Group Policy object with the Software Restriction Policies node expanded
Open the GPO that you want to edit in the Group Policy Object Editor.
In the console tree of the Group Policy Object Editor, expand Software Restriction Policies.
Under Software Restriction Policies, select Security Levels.
Setting the Default Security Level
Right-click the security level that you want to designate as the default security level, and then click Properties.
Click Set as Default.
Setting the Default Security Level (cont.)
If you are moving to a more restrictive default security level, a message box will ask you to confirm the change. Click Yes.
Click OK to close the Security Level Properties dialog box.
Setting the Default Security Level (cont.)
Configuring Enforcement Options
Enforcement Properties
Open the GPO that you want to edit in the Group Policy Object Editor.
In the Group Policy Object Editor, select Software Restriction Policies.
In the details pane, right-click Designated File Types, and then click Properties.
Adding or Removing Designated File Types
To add a designated file type, key the extension in the File extension text box, and then click Add.
To remove a designated file type, select it in the Designated file types list box, and then click Remove.
Adding or Removing Designated File Types (cont.)
A Software Restriction Policies warning box appears. Click Yes.
Click OK to close the Designated File Types Properties dialog box.
Adding or Removing Designated File Types (cont.)
Open the GPO that you want to edit in the Group Policy Object Editor.
In the Group Policy Object Editor under Software Restriction Policies, right-click Additional Rules, and then click New Certificate Rule.
Creating a Certificate Rule
Click Browse. The Open dialog box appears.
Browse to and select the certificate that you want to base the rule on, and then click Open.
Creating a Certificate Rule (cont.)
In the New Certificate Rule dialog box, in the Security level drop-down list, select one of the following:
Unrestricted – Select to allow the user to run the software. The user can elevate the software from running with standard user privileges to running with administrator privileges.
Disallowed – Select to prevent the user from running the software.
Creating a Certificate Rule (cont.)
In the Description text box, you can optionally type a description of the purpose of the rule.
Click OK to close the New Certificate Rule dialog box.
Creating a Certificate Rule (cont.)
Creating a Hash Rule
New Hash Rule dialog box
Creating a Network Zone Rule
New Network Zone Rule dialog box
Creating a Path Rule
New Path Rule dialog box
Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.
Monitoring and Troubleshooting with Event Viewer
Starting Event Viewer
Event Viewer console
Summary of Administrative Events – This section contains a custom view of events in which the events are grouped according to event type.
Starting Event Viewer (cont.)
There are five common event types.
Error
Warning
Information
Audit Success
Audit Failure
Starting Event Viewer (cont.)
Summary of Administrative Events section of Event Viewer with the Audit Failure node expanded
Starting Event Viewer (cont.)
Event Viewer console tree with the Windows Logs node expanded
You can sort and group events by many pivots, including the following, to find the events you are looking for more easily:
Level
Date and Time
Source
Event ID
Task Category
Sorting and Grouping Events
Sorting by and Configuring Column Headings
Add/Remove Columns dialog box
Viewing Event Data in Event Viewer
General tab of the Event Properties dialog box
Open Event Viewer.
In Event Viewer, right-click an example of the event to which you want to attach a task, and then click Attach Task to this Event.
Follow the instructions in the wizard to create the task.
Attaching a Task to an Event
Select the event levels that you want to include in the event list:
Critical – There is a serious problem and you should take action immediately.
Error – There is an error. You most likely should address it.
Warning – There may be a problem.
Information
Verbose – Informational only
Filtering a Log
Creating and Saving a Custom View
Create Custom View dialog box
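As an added illustration (not part of the course material), the Python script below applies the same level filtering and pivot grouping that Filter Current Log and Create Custom View perform, over a handful of constructed events written in the XML shape Event Viewer exposes on the Details tab. The sample providers, event IDs, timestamps and keyword values are made up for the example, and the Level/Keywords mapping to event types is the documented Windows convention.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List, Dict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}
# Keyword bits the Security log sets on audit events.
KW_AUDIT_SUCCESS = 0x0020000000000000
KW_AUDIT_FAILURE = 0x0010000000000000


def event_type(level: int, keywords: int) -> str:
    """Map an event's Level and Keywords to the type Event Viewer displays."""
    if keywords & KW_AUDIT_SUCCESS:
        return "Audit Success"
    if keywords & KW_AUDIT_FAILURE:
        return "Audit Failure"
    return LEVEL_NAMES.get(level, "Information")  # Level 0 renders as Information


def parse_events(xml_text: str) -> List[Dict]:
    """Pull the <System> fields that filters and custom views pivot on out of event XML."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        s = ev.find("e:System", NS)
        level = int(s.findtext("e:Level", default="0", namespaces=NS))
        keywords = int(s.findtext("e:Keywords", default="0x0", namespaces=NS), 16)
        events.append({
            "Source": s.find("e:Provider", NS).get("Name"),
            "EventID": int(s.findtext("e:EventID", namespaces=NS)),
            "Level": event_type(level, keywords),
            "TaskCategory": int(s.findtext("e:Task", default="0", namespaces=NS)),
            "Log": s.findtext("e:Channel", namespaces=NS),
            "DateTime": s.find("e:TimeCreated", NS).get("SystemTime"),
        })
    return events


def filter_events(events, levels=None, event_ids=None, logs=None):
    """Same semantics as the filter dialog: every criterion that is given must
    match, and an omitted criterion matches everything."""
    return [e for e in events
            if (levels is None or e["Level"] in levels)
            and (event_ids is None or e["EventID"] in event_ids)
            and (logs is None or e["Log"] in logs)]


def group_by(events, pivot: str) -> Counter:
    """Count events per pivot value, as the Summary of Administrative Events does."""
    return Counter(e[pivot] for e in events)


# Constructed sample events (not a real export): two logon failures, a service
# state change, and an application crash.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><Level>0</Level>
<Task>12544</Task><Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2024-01-05T08:01:00Z"/><Channel>Security</Channel></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><Level>0</Level>
<Task>12544</Task><Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2024-01-05T08:01:07Z"/><Channel>Security</Channel></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Service Control Manager"/><EventID>7036</EventID><Level>4</Level>
<Task>0</Task><Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2024-01-05T08:02:00Z"/><Channel>System</Channel></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Application Error"/><EventID>1000</EventID><Level>2</Level>
<Task>100</Task><Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2024-01-05T08:03:00Z"/><Channel>Application</Channel></System></Event>
</Events>"""
```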
New in Windows Vista is the ability to centralize event data by creating subscriptions between a collector computer and forwarders.
Centralizing Event Data Using Subscriptions
Configure the forwarding computers by using the winrm quickconfig command, which does the following:
Sets the startup type for the Windows Remote Management (WinRM) service to Automatic (Delayed Start)
Starts the WinRM service
Enables an exception in Windows Firewall for Windows Remote Management
Centralizing Event Data Using Subscriptions (cont.)
When the winrm quickconfig command has completed:
Add the collector's machine account to the Event Log Readers group on the forwarders.
Configure the subscription on the collector computer.
Centralizing Event Data Using Subscriptions (cont.)
Configuring the Forwarding Computers
Selecting Event Log Readers in the Add New User Wizard
Configuring the Collector Computer
Subscription Properties dialog box
The Security Configuration and Analysis Snap-in is used to:
Compare your security configuration settings to those contained in a security template
Export settings that you configure in a database to a security template
Apply the security settings in a database to the local computer
Using the Security Configuration and Analysis Snap-in
The Security Configuration and Analysis Snap-in uses the following icons in its reports:
Red X – Setting is defined in the database and on the system, but the two values do not match.
Green check mark – Setting is defined in the database and on the system, and the values match.
Question mark – Setting is not defined in the database and was therefore not analyzed, or the user does not have sufficient permissions to perform the analysis.
Exclamation point – Setting is defined in the database, but not on the system.
No icon – Setting is not defined in the database or on the system.
Using the Security Configuration and Analysis Snap-in (cont.)
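To show how that legend is applied setting by setting, here is an added Python example (not the snap-in's own code) that reads the [System Access] section of a constructed security template in the .inf layout the snap-in imports and compares it with a constructed snapshot of the local system's settings. The template values, the snapshot values and the can_read_system flag are assumptions made for the example.

```python
import configparser
from typing import Dict, Optional

ICONS = ("Red X", "Green check mark", "Question mark", "Exclamation point", "No icon")


def classify(db_value: Optional[str], sys_value: Optional[str],
             can_read_system: bool = True) -> str:
    """Apply the snap-in's icon legend to one setting."""
    if db_value is None:
        # Not defined in the database: nothing to analyze against.
        return "No icon" if sys_value is None else "Question mark"
    if not can_read_system:
        return "Question mark"        # insufficient permissions to analyze
    if sys_value is None:
        return "Exclamation point"    # in the database, but not on the system
    return "Green check mark" if db_value == sys_value else "Red X"


def parse_template(inf_text: str, section: str = "System Access") -> Dict[str, str]:
    """Read one section of a security template (.inf) into name -> value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the template's capitalisation of setting names
    cp.read_string(inf_text)
    return dict(cp[section]) if cp.has_section(section) else {}


def analyze(database: Dict[str, str], system: Dict[str, Optional[str]],
            can_read_system: bool = True) -> Dict[str, str]:
    """Report an icon for every setting named in either the database or the system."""
    names = sorted(set(database) | set(system))
    return {n: classify(database.get(n), system.get(n), can_read_system) for n in names}


# Constructed template and system snapshot (not taken from a real machine).
TEMPLATE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 60
"""
SYSTEM_SNAPSHOT = {
    "MinimumPasswordLength": "8",    # weaker than the template: Red X
    "PasswordComplexity": "1",       # matches: green check mark
    "LockoutBadCount": None,         # not configured on the system: exclamation point
    "MaximumPasswordAge": "60",
    "ClearTextPassword": "0",        # on the system but not in the template: question mark
}
```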
Creating a New Database and Analyzing Security Settings
Add the Security Configuration and Analysis Snap-in
Open the Security Configuration and Analysis Snap-in.
In the details pane, double-click the policy setting that you want to configure.
If you don’t want the policy defined in the database, clear the Define this policy in the database check box, and then click OK.
Configuring an Analyzed Policy
If you want the policy defined in the database, ensure that the Define this policy in the database check box is selected.
Configure the Database Setting and the Computer Setting as desired.
When you are finished, click OK to close the policy's dialog box.
Configuring an Analyzed Policy (cont.)
Open the Security Configuration and Analysis Snap-in, load a database, and make any desired modifications to the security policies in the database.
Right-click Security Configuration and Analysis, and then click Configure Computer Now.
Specify an alternate location for the log file if desired, and then click OK.
Configuring Security Policy Based on Database Policy Settings
Open the Security Configuration and Analysis Snap-in, and ensure that there is a database loaded from which to export settings to a template.
Right-click Security Configuration and Analysis, and then click Export Template.
Exporting Database Security Settings to a Security Template
Browse to the location where you want to save the template.
In the File Name text box, key a name for the template, and then click Save.
Close the console.
Exporting Security Settings to a Security Template (cont.)
Summary
Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.
Additional rules in software restriction policies are exceptions to a default rule and come in four varieties: hash rules, certificate rules, path rules, and network zone rules.
Hash rules use hashes to identify program files in software restriction policies.
You Learned
Certificate rules use certificates to identify program files in software restriction policies.
Path rules use file paths or registry paths to identify program files in software restriction policies.
Network zone rules use locations from where you downloaded the software to identify program files in software restriction policies.
You Learned (cont.)
Software restriction policies can be configured for both users and computers.
You learned how to set the default security level for software restriction policies.
You learned how to configure enforcement options for software restriction policies.
You learned how to add or remove designated file types for software restriction policies.
You Learned (cont.)
You learned how to create certificate, hash, network zone, and path rules for software restriction policies.
Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.
You Learned (cont.)
You learned how to use Event Viewer to view events on the local computer and on remote computers.
You learned how to sort and group events around pivots to more easily find the events that you are looking for.
Event details are stored in XML and can be viewed in XML or in a more readable format.
You Learned (cont.)
Filters and custom views enable you to filter large amounts of events according to custom criteria.
You learned how to filter a log and how to create and save a custom view.
You learned how to centralize event data by creating subscriptions between a collector computer and forwarders.
You Learned (cont.)
The Security Configuration and Analysis Snap-in is used to compare your security configuration settings to those contained in a security template, export settings that you configure in a database to a security template, and apply the security settings in a database to the local computer.
You Learned (cont.)
You learned how to create a new database and analyze your system’s security settings using the Security Configuration and Analysis Snap-in.
You learned how to apply security settings using the Security Configuration and Analysis Snap-in to the local computer.
You learned how to export database security settings to a security template using the Security Configuration and Analysis Snap-in.
You Learned (cont.)