11 security templates and planning chapter 7. chapter 7: security templates and planning2 overview ...
TRANSCRIPT
11
SECURITY TEMPLATES AND PLANNING
Chapter 7
Chapter 7: SECURITY TEMPLATES AND PLANNING 2
OVERVIEW
Understand the uses of security templates
Explain when it is appropriate to use default security templates
Describe how to modify security templates
Detail how to use Group Policy to deploy security templates
Chapter 7: SECURITY TEMPLATES AND PLANNING 3
OVERVIEW (CONTINUED)
Specify how the Security Configuration And Analysis tool can be used to improve security practices
Understand the factors that influence the planning of a security framework
Explain how to create a testing environment
Describe the benefits of a pilot deployment plan
Chapter 7: SECURITY TEMPLATES AND PLANNING 4
MANAGING THE SECURITY CONFIGURATION BY USING SECURITY TEMPLATES
Security templates consist of policies and settings that allow you to make configurations consistent across servers.
Security templates can be deployed by using a number of methods, including Group Policy.
Security templates can be applied to standalone computers by applying them to the local policy.
Chapter 7: SECURITY TEMPLATES AND PLANNING 5
UNDERSTANDING SECURITY TEMPLATES
Security templates are a list of policies and settings you can use to control a computer’s security configuration by importing them into local or group policies.
They can be used to configure a range of settings including account policies, Event Log policies, System Services policies, registry permissions, and File System permissions.
They can be edited directly using a text editor.
Chapter 7: SECURITY TEMPLATES AND PLANNING 6
USING THE SECURITY TEMPLATES SNAP-IN
Chapter 7: SECURITY TEMPLATES AND PLANNING 7
DEFAULT SECURITY TEMPLATES
Nine security templates are supplied by default.
These templates can be edited as necessary.
New templates can be created as needed by copying existing templates.
Chapter 7: SECURITY TEMPLATES AND PLANNING 8
MODIFYING SECURITY TEMPLATES
Security templates can be modified, copied, and saved to create custom baseline security configurations.
Security templates can also be edited with a text editor such as Microsoft Notepad, though a full understanding of the file syntax is required.
Chapter 7: SECURITY TEMPLATES AND PLANNING 9
DEPLOYING SECURITY TEMPLATES USING GROUP POLICY OBJECTS
Security templates can be imported into GPOs for:
Domains
Sites
Organizational units (OUs)
Chapter 7: SECURITY TEMPLATES AND PLANNING 10
GROUP POLICY DEPLOYMENT CAUTIONS
Configuration parameters imported into the GPO for a specific container are inherited by all the objects in that container, including other containers.
Complex templates with many configuration settings can create a large amount of network traffic when they are refreshed.
Chapter 7: SECURITY TEMPLATES AND PLANNING 11
IMPORTING SECURITY TEMPLATES INTO GROUP POLICY OBJECTS
Chapter 7: SECURITY TEMPLATES AND PLANNING 12
THE SECURITY CONFIGURATION AND ANALYSIS TOOL
Chapter 7: SECURITY TEMPLATES AND PLANNING 13
ANALYZING A SYSTEM
Chapter 7: SECURITY TEMPLATES AND PLANNING 14
CHANGING SECURITY SETTINGS
Once analysis is complete, you can make changes in the following ways: Apply the database settings to the computer.
Modify the database settings.
Create a new template.
Modify the computer’s settings manually.
Chapter 7: SECURITY TEMPLATES AND PLANNING 15
SECEDIT
Command prompt utility that can perform the same functions as the Security Configuration And Analysis snap-in
Allows security configurations to be edited and updated through a script or batch file
Allows you to apply only part of a security template to a computer
Chapter 7: SECURITY TEMPLATES AND PLANNING 16
PLANNING A SECURITY FRAMEWORK
A security framework is a logical, structured process by which your organization performs tasks such as the following: Estimating security risks
Specifying security requirements
Selecting security features
Implementing security policies
Designing security deployments
Specifying security management policies
Chapter 7: SECURITY TEMPLATES AND PLANNING 17
CREATING A SECURITY DESIGN TEAM
The information technology (IT) function in an organization rarely has complete control over the IT security implementation.
A security design team should include people from all areas of an organization—executives, middle management, and employees.
In many cases, non-IT personnel will have a greater understanding of the risks posed to IT implementations, even though IT personnel will know how these risks can be mitigated.
Chapter 7: SECURITY TEMPLATES AND PLANNING 18
MAPPING OUT A SECURITY LIFE CYCLE
A security life cycle typically consists of four basic phases: Designing a security infrastructure
Implementing security features
Enforcing security policies
Providing ongoing security management
Chapter 7: SECURITY TEMPLATES AND PLANNING 19
CREATING A TESTING AND DEPLOYMENT PLAN
Before implementing security policies on your production network you must do the following: Ensure the settings you choose do not
interfere with the operation of your computer.
Verify that settings you configure will function properly.
Confirm that settings satisfy your organization’s security requirements.
Chapter 7: SECURITY TEMPLATES AND PLANNING 20
CREATING A TESTING ENVIRONMENT
The testing process consists of the following five basic steps: Creating a test plan
Creating test cases
Building a lab
Conducting the tests
Evaluating the results
Chapter 7: SECURITY TEMPLATES AND PLANNING 21
CREATING A TEST PLAN
The test plan specifies what you want to accomplish and how the testing process will proceed.
To achieve your testing objectives, your plan should specify elements such as the structure of the lab and the tools and testing procedures that will be used.
Chapter 7: SECURITY TEMPLATES AND PLANNING 22
CREATING TEST CASES
A test case is a procedure that fully tests a particular feature or setting.
Creating detailed and complete test cases is critical because it provides a basis for comparative testing.
Once a test case is created, it can be altered to accommodate what-if scenarios.
Chapter 7: SECURITY TEMPLATES AND PLANNING 23
BUILDING A LAB
The testing lab should be representative of the hardware and software configurations used in the organization.
The testing lab should be physically isolated from the live network.
Equipment in the lab should be subjected to some kind of change control procedure.
Chapter 7: SECURITY TEMPLATES AND PLANNING 24
CONDUCTING THE TESTS
When testing security configurations, your two main objectives are as follows: Determine whether the parameter settings
you have chosen provide the security you need.
Determine whether the settings interfere with normal operation of the network.
Chapter 7: SECURITY TEMPLATES AND PLANNING 25
EVALUATING THE RESULTS
The test plan should define who evaluates the test results and how that evaluation will be completed.
All results, both successful and unsuccessful, should be fully documented.
Chapter 7: SECURITY TEMPLATES AND PLANNING 26
CREATING A PILOT DEPLOYMENT
A limited, or pilot, deployment allows you to do the following: Monitor the performance of the network
more closely and react quickly to any problems that arise
Refine the deployment process you will use on the entire network
Train the help desk and other support personnel who will troubleshoot problems when the configuration goes live
Chapter 7: SECURITY TEMPLATES AND PLANNING 27
CREATING A PILOT DEPLOYMENT PLAN
Select users for a pilot deployment
Train users and support staff
Provide technical support
Create a rollback procedure
Chapter 7: SECURITY TEMPLATES AND PLANNING 28
SUMMARY
Windows Server 2003 provides administrators the ability to configure server security settings using Group Policy and security templates.
Security templates are .inf files that configure security settings.
GPOs can also be used to deploy configurations defined by security templates.
Windows Server 2003 includes a number of predefined templates that enable you to restore the default security parameters created by the Windows installation.
Using the Security Configuration And Analysis snap-in and a security template, you can analyze a computer to determine whether settings match the template.
Chapter 7: SECURITY TEMPLATES AND PLANNING 29
SUMMARY (CONTINUED)
Secedit enables you to apply all or part of a template to a computer from the command line.
Security is a concern throughout the entire process of network design and implementation.
Security mechanisms can include authentication, access control, encryption, firewalls, and auditing.
Chapter 7: SECURITY TEMPLATES AND PLANNING 30
SUMMARY (CONTINUED)
After the design and implementation of the security strategy are completed, the team is still responsible for the ongoing management of the security mechanisms.
Testing is an essential part of any security configuration deployment.
A testing lab is a network that is isolated from the organization’s production network and is used to test specific network elements.
A pilot deployment is the implementation of lab-tested technologies or configuration parameters on a live production network on a limited basis.