SECURITY TEMPLATES AND PLANNING, Chapter 7

Upload: thomasine-potter

Post on 27-Dec-2015


OVERVIEW

Understand the uses of security templates

Explain when it is appropriate to use default security templates

Describe how to modify security templates

Detail how to use Group Policy to deploy security templates


Specify how the Security Configuration And Analysis tool can be used to improve security practices

Understand the factors that influence the planning of a security framework

Explain how to create a testing environment

Describe the benefits of a pilot deployment plan


MANAGING THE SECURITY CONFIGURATION BY USING SECURITY TEMPLATES

Security templates consist of policies and settings that allow you to make configurations consistent across servers.

Security templates can be deployed by using a number of methods, including Group Policy.

Security templates can be applied to standalone computers by applying them to the local policy.


UNDERSTANDING SECURITY TEMPLATES

Security templates are a list of policies and settings you can use to control a computer’s security configuration by importing them into local or group policies.

They can be used to configure a range of settings including account policies, Event Log policies, System Services policies, registry permissions, and File System permissions.

They can be edited directly using a text editor.


USING THE SECURITY TEMPLATES SNAP-IN


DEFAULT SECURITY TEMPLATES

Nine security templates are supplied by default.

These templates can be edited as necessary.

New templates can be created as needed by copying existing templates.


MODIFYING SECURITY TEMPLATES

Security templates can be modified, copied, and saved to create custom baseline security configurations.

Security templates can also be edited with a text editor such as Microsoft Notepad, though a full understanding of the file syntax is required.
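An added example, not part of the original slides: a short Python check that compares a copied and hand-edited template against its baseline, so unintended changes show up before the copy is deployed. The two templates are constructed samples, the function names are hypothetical, and the code only compares the .inf text; it is not how the Security Configuration And Analysis snap-in or secedit work internally.

```python
import configparser

# Constructed sample templates (not from the original deck). Section and key
# names follow the .inf layout used by Windows security templates.
HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'

BASELINE_INF = HEADER + """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

CUSTOM_INF = HEADER + """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 2
"""

def parse_template(text):
    """Parse a template into {section: {key: value}}, skipping header sections."""
    cp = configparser.ConfigParser(
        interpolation=None,      # "$" and "%" are literal in templates
        strict=False,            # tolerate repeated keys in hand-edited files
        allow_no_value=True,     # permission sections hold lines without "="
        delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str         # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s not in ("Unicode", "Version")}

def diff_templates(baseline, candidate):
    """Return sorted (section, key, baseline_value, candidate_value) mismatches."""
    base, cand = parse_template(baseline), parse_template(candidate)
    out = []
    for section in sorted(set(base) | set(cand)):
        b, c = base.get(section, {}), cand.get(section, {})
        for key in sorted(set(b) | set(c)):
            if b.get(key) != c.get(key):   # None marks a setting absent on one side
                out.append((section, key, b.get(key), c.get(key)))
    return out

if __name__ == "__main__":
    for section, key, want, got in diff_templates(BASELINE_INF, CUSTOM_INF):
        print(f"[{section}] {key}: baseline={want!r} custom={got!r}")
```

A setting reported with `None` on the custom side was dropped from the copy, which in a template means "not defined" rather than "disabled".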


DEPLOYING SECURITY TEMPLATES USING GROUP POLICY OBJECTS

Security templates can be imported into GPOs for:

Domains

Sites

Organizational units (OUs)


GROUP POLICY DEPLOYMENT CAUTIONS

Configuration parameters imported into the GPO for a specific container are inherited by all the objects in that container, including other containers.

Complex templates with many configuration settings can create a large amount of network traffic when they are refreshed.


IMPORTING SECURITY TEMPLATES INTO GROUP POLICY OBJECTS


THE SECURITY CONFIGURATION AND ANALYSIS TOOL


ANALYZING A SYSTEM


CHANGING SECURITY SETTINGS

Once analysis is complete, you can make changes in the following ways:

Apply the database settings to the computer.

Modify the database settings.

Create a new template.

Modify the computer’s settings manually.


SECEDIT

Command prompt utility that can perform the same functions as the Security Configuration And Analysis snap-in

Allows security configurations to be edited and updated through a script or batch file

Allows you to apply only part of a security template to a computer


PLANNING A SECURITY FRAMEWORK

A security framework is a logical, structured process by which your organization performs tasks such as the following:

Estimating security risks

Specifying security requirements

Selecting security features

Implementing security policies

Designing security deployments

Specifying security management policies


CREATING A SECURITY DESIGN TEAM

The information technology (IT) function in an organization rarely has complete control over the IT security implementation.

A security design team should include people from all areas of an organization—executives, middle management, and employees.

In many cases, non-IT personnel will have a greater understanding of the risks posed to IT implementations, even though IT personnel will know how these risks can be mitigated.


MAPPING OUT A SECURITY LIFE CYCLE

A security life cycle typically consists of four basic phases:

Designing a security infrastructure

Implementing security features

Enforcing security policies

Providing ongoing security management


CREATING A TESTING AND DEPLOYMENT PLAN

Before implementing security policies on your production network you must do the following:

Ensure the settings you choose do not interfere with the operation of your computer.

Verify that settings you configure will function properly.

Confirm that settings satisfy your organization’s security requirements.


CREATING A TESTING ENVIRONMENT

The testing process consists of the following five basic steps:

Creating a test plan

Creating test cases

Building a lab

Conducting the tests

Evaluating the results


CREATING A TEST PLAN

The test plan specifies what you want to accomplish and how the testing process will proceed.

To achieve your testing objectives, your plan should specify elements such as the structure of the lab and the tools and testing procedures that will be used.


CREATING TEST CASES

A test case is a procedure that fully tests a particular feature or setting.

Creating detailed and complete test cases is critical because it provides a basis for comparative testing.

Once a test case is created, it can be altered to accommodate what-if scenarios.


BUILDING A LAB

The testing lab should be representative of the hardware and software configurations used in the organization.

The testing lab should be physically isolated from the live network.

Equipment in the lab should be subjected to some kind of change control procedure.


CONDUCTING THE TESTS

When testing security configurations, your two main objectives are as follows:

Determine whether the parameter settings you have chosen provide the security you need.

Determine whether the settings interfere with normal operation of the network.


EVALUATING THE RESULTS

The test plan should define who evaluates the test results and how that evaluation will be completed.

All results, both successful and unsuccessful, should be fully documented.


CREATING A PILOT DEPLOYMENT

A limited, or pilot, deployment allows you to do the following:

Monitor the performance of the network more closely and react quickly to any problems that arise

Refine the deployment process you will use on the entire network

Train the help desk and other support personnel who will troubleshoot problems when the configuration goes live


CREATING A PILOT DEPLOYMENT PLAN

Select users for a pilot deployment

Train users and support staff

Provide technical support

Create a rollback procedure


SUMMARY

Windows Server 2003 provides administrators the ability to configure server security settings using Group Policy and security templates.

Security templates are .inf files that configure security settings.

GPOs can also be used to deploy configurations defined by security templates.

Windows Server 2003 includes a number of predefined templates that enable you to restore the default security parameters created by the Windows installation.

Using the Security Configuration And Analysis snap-in and a security template, you can analyze a computer to determine whether settings match the template.


Secedit enables you to apply all or part of a template to a computer from the command line.

Security is a concern throughout the entire process of network design and implementation.

Security mechanisms can include authentication, access control, encryption, firewalls, and auditing.


After the design and implementation of the security strategy are completed, the team is still responsible for the ongoing management of the security mechanisms.

Testing is an essential part of any security configuration deployment.

A testing lab is a network that is isolated from the organization’s production network and is used to test specific network elements.

A pilot deployment is the implementation of lab-tested technologies or configuration parameters on a live production network on a limited basis.