Lecture 4: Enterprise Security and Configuration with Group Policy Settings

Post on 12-May-2020


Page 1: Lecture 4: Enterprise Security and Configuration with ...rsmt.it.fmi.uni-sofia.bg/microsoft/Lecture_04.pdf · ACLs, encryption, EFS, DRM Security documents, user education Perimeter

Lecture 4: Enterprise Security and Configuration with Group Policy Settings

Page 2:

Agenda

• Overview of Windows Security

• Managing Enterprise Security and Configuration with Group Policy Settings

• Improving the Security of Authentication in an AD DS Domain

Page 3:

Module 1

Overview of Windows Security

Page 4:

Module Overview

• Overview of Windows Security

• Overview of Defense-in-Depth

Page 5:

Lesson 1: Overview of Windows Security

• What Are Authentication and Authorization?

• What Is UAC?

• File and Folder Permissions

• Account Lockout and Password Policies

• Fine-Grained Password Policies

• Auditing Features

• Data Encryption Features

Page 6:

What Are Authentication and Authorization?

(Diagram: a user requesting access to a resource)

"Who are you?"

Authentication: Verifying the identity of something or someone

"Are you on the list?"

Authorization: Determining whether something or someone has permission to access a resource

Page 7:

What Is UAC?

UAC (User Account Control) is a security feature that lets users run as standard users for all routine daily tasks and elevate only when a task requires it

• If a task requires administrative permissions, UAC prompts a standard user for an administrator's credentials (an administrator is prompted for consent) instead of running the whole session with elevated rights

Page 8:

File and Folder Permissions

NTFS file and folder permissions:

• Define local access rights for files and folders

• Always apply, whether the file is accessed locally or over the network

Shared folder permissions:

• Define network access rights for folder contents

• Only apply when files and folders are accessed over the network

When a file is reached through a share, both sets apply and the more restrictive of the two determines the effective access

Page 9:

Account Lockout and Password Policies

Account and password policies help to mitigate the threat of unauthorized account access

Password policy: controls complexity and lifetime of passwords. Default settings:

• Password must meet complexity requirements: enabled

• Enforce password history: 24 passwords remembered

• Maximum password age: 42 days

• Minimum password age: 1 day

• Minimum password length: 7 characters

• Store password using reversible encryption: disabled

Account lockout policy: controls how many incorrect attempts can be made. Default settings:

• Account lockout threshold: 0 invalid logon attempts (lockout disabled until a non-zero threshold is set)

• Account lockout duration: not defined

• Reset account lockout counter after: not defined

Page 10:

Fine-Grained Password Policies

Fine-grained password policies allow for:

• Assigning multiple password and account lockout policies to individual Active Directory users or groups within the same domain

Fine-grained password policy components:

• Password Settings Container (PSC)

• Password Settings Objects (PSOs)

Page 11:

Auditing Features

Auditing tracks user and operating system activities and records selected events in the Security log, answering questions such as:

• What occurred?

• Who did it?

• When?

• What was the result?

Enable auditing to:

• Detect threats and attacks

• Determine damages

• Prevent further damage

Page 12:

Data Encryption Features

BitLocker functionality:

• Encrypts volumes (the entire operating system volume, including Windows system files)

• Does not require user certificates

EFS functionality:

• Encrypts individual files and folders

• Requires user certificates

Page 13:

Lesson 2: Overview of Defense-in-Depth

• What Is Defense-in-Depth?

• Policies, Procedures, and Awareness

• Physical Layer Security

• Perimeter Layer Security

• Internal Network Layer Security

• Host Layer Security

• Application Layer Security

• Data Layer Security

Page 14:

Applying Defense-In-Depth to Increase Security

Layer: example controls

Policies, Procedures, & Awareness: Security documents, user education

Physical Security: Guards, locks, tracking devices

Perimeter: Firewalls, Network Access Quarantine Control

Internal Network: Network segments, IPSec, NIDS

Host: Hardening, authentication, update management, HIDS

Application: Application hardening, antivirus

Data: ACLs, encryption, EFS, DRM

Defense-in-depth uses a layered approach to security, which:

• Reduces an attacker’s chance of success

• Increases an attacker’s risk of detection

Defense-in-depth provides multiple layers of defense to protect a networking environment

Page 15:

Policies, Procedures, and Awareness

Sources of compromise include:

• Users unaware of rules

• Users viewing rules as unnecessary

• Social engineering

Policies, procedures, and awareness refers to an organization's formalized, agreed-upon commitment to help prevent security incidents from occurring, and to address security issues in the event of a security incident

Page 16:

Physical Layer Security

Physical access to systems allows:

• Physical destruction

• Software installation

• Data modification

• Theft

Physical layer security refers to helping prevent unauthorized physical access to IT infrastructure, especially as it may result in damaged equipment as well as compromised data

Page 17:

Perimeter Layer Security

Perimeter layer compromise includes:

• Attacks on resources in a perimeter network

• Attacks on remote clients

• Attacks on business partners

Perimeter layer security refers to connectivity between your network and other untrusted networks

Page 18:

Internal Network Layer Security

Internal Network layer compromise includes:

• Unauthorized network communication

• Unauthorized network hosts

• Unauthorized packet sniffing

• Unchanged default network device configurations

Internal network layer security refers to safeguarding the infrastructure that is directly managed and controlled by your organization, including WAN end points

Page 19:

Host Layer Security

Host layer compromise can be:

• Exploiting operating system flaws

• Exploiting default operating system configurations

• Accomplished by a virus

The host layer refers to the individual infrastructure devices such as computers, switches, and routers on your network

Page 20:

Application Layer Security

Application layer compromise can be:

• Exploiting application flaws

• Exploiting application default configurations

• Viruses introduced by a user

The application layer refers to the specialized software running on the hosts

Page 21:

Data Layer Security

Data layer compromise can be:

• Unauthorized access to data files

• Unauthorized access to AD DS

• Modification of application files

The data layer refers to the information stored on your computers

Page 22:

Best Practices for Increasing Security

Some best practices for increasing security are:

Apply all available security updates quickly

Follow the principle of least privilege

Restrict console login

Restrict physical access

Page 23:

Security Configuration Wizard

SCW analyzes your server and provides recommendations for:

• Role-based services to enable or disable

• Network security, including firewall rules

• Registry settings

• Audit policy

The Security Configuration Wizard (SCW) is a wizard-based tool that lets an administrator manage the attack surface of a server and disable unneeded Windows Server 2008 R2 functionality

SCW policies can be created, modified, and redeployed to other servers within your infrastructure (SCW is no longer included in Windows Server 2016 and later)

Page 24:

What Is the Microsoft Baseline Security Analyzer?

The Microsoft Baseline Security Analyzer (MBSA) is a tool used to assess the current security state of a server against Microsoft's security recommendations

MBSA features:

• Assesses the current state of OS and application updates

• Provides formatted recommendation reports

• Targeted at small and medium-sized businesses

• Wizard-based interface

• Includes a command-line tool (mbsacli.exe) for automation

Note: Microsoft has since retired MBSA; it does not assess Windows 10 or Windows Server 2016 and later

Page 25:

Module 2

Managing Enterprise Security and Configuration with Group Policy Settings

Page 26:

Module Overview

• Manage Group Membership by Using Group Policy Settings

• Manage Security Settings

• Auditing

• Software Restriction Policy and AppLocker

Page 27:

Lesson 1: Manage Group Membership by Using Group Policy Settings

• What Are Restricted Groups?

• Define Group Membership with Group Policy Preferences

Page 28:

What Are Restricted Groups?

• Restricted Groups policies enable you to manage the membership of groups

Members

• The policy is for a local group

• Specify its members (groups and users)

• Authoritative: anyone not listed is removed from the group at each policy refresh

Member Of

• The policy is for a domain group

• Specify the local group(s) it must be a member of

• Cumulative: the group is added without removing the local group's existing members
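The check a practitioner wants after deploying an authoritative Members policy is whether the local Administrators group on the clients actually ended up matching the list. The following PowerShell is an added example, not part of the lecture; it assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) and PowerShell Remoting to the targets, and the computer names, the CONTOSO domain and the group names are placeholders.

```powershell
# Added example (not from the lecture): verify that the local Administrators
# group on each client matches the authoritative list that a Restricted Groups
# "Members" policy is supposed to enforce. Computer and group names below are
# placeholders (assumptions), as is the "CONTOSO" domain.
# Requires Windows PowerShell 5.1 (Get-LocalGroupMember) and PowerShell
# Remoting enabled on the targets; run as a local administrator of the targets.

$Computers  = 'CLIENT01', 'CLIENT02'                                  # assumed hostnames
$Authorized = 'CONTOSO\Domain Admins', 'CONTOSO\Desktop Support'      # assumed policy list

function Get-AdminGroupDeviation {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $Expected
    )
    # The built-in Administrator account (RID 500) cannot be removed from
    # Administrators, so Restricted Groups leaves it in place; ignore it here.
    $actual = @(Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.SID.Value -notlike 'S-1-5-21-*-500' } |
            Select-Object -ExpandProperty Name
    })
    [pscustomobject]@{
        Computer   = $ComputerName
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })   # policy should have removed these
        Missing    = @($Expected | Where-Object { $_ -notin $actual })     # policy should have added these
    }
}

$report = foreach ($c in $Computers) {
    try   { Get-AdminGroupDeviation -ComputerName $c -Expected $Authorized }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

# Only the machines where the policy has not (yet) produced the expected state
$report | Where-Object { $_.Unexpected.Count -or $_.Missing.Count } | Format-List
```

A non-empty Unexpected list that survives a `gpupdate /force` on the client usually means the GPO is not scoped to that computer or a higher-precedence GPO defines the same group; `gpresult /h report.html` on the client shows which GPO won.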

Page 29:

Demonstration: Delegate Administration by Using Restricted Groups Policies

In this demonstration, you will see how to:

• Add a domain support group to the local Administrators group of client computers

• Define the authoritative membership of the local Administrators group of client computers


Page 31:

Define Group Membership with Group Policy Preferences

• Create, delete, or replace a local group

• Rename a local group

• Change the Description

• Modify group membership

• Local Group preferences are available in both Computer Configuration and User Configuration

Page 32:

Lesson 2: Manage Security Settings

• What Is Security Policy Management?

• Configure the Local Security Policy

• Manage Security Configuration with Security Templates

• Demonstration: Create and Deploy Security Templates

• Security Configuration Wizard

• Settings, Templates, Policies, and GPOs

Page 33:

What Is Security Policy Management?

• The enterprise IT security policy is translated into security configuration settings

• Manage security configuration

Create the security policy

Apply the security policy to one or more systems

Analyze security settings against the policy

Update the policy, or correct the discrepancies in the system

• Tools

Local Group Policy and Domain Group Policy

Security Templates snap-in

Security Configuration and Analysis snap-in, Secedit.exe

Security Configuration Wizard

Page 34:

Configure the Local Security Policy

Local Security Policy (secpol.msc; settings for one computer)

Domain Group Policy (GPO; settings for every computer in scope)

Page 35:

Manage Security Configuration with Security Templates

• Settings are a subset of domain GPO security settings, but differ from those in the local GPO

• Security templates

Plain text (.inf) files

Can be applied directly to a computer with the Security Configuration and Analysis snap-in or Secedit.exe

Can be deployed with Group Policy (imported into the Security Settings node of a GPO)

Can be used to analyze a computer's current security settings against the template's
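The analysis step above (current settings versus a template) is what catches configuration drift on a server. The following PowerShell is an added example, not part of the lecture: it exports the effective local security settings with secedit.exe, parses the [System Access] section of the resulting .inf and reports every key that differs from a baseline. The baseline values are assumptions chosen for illustration; the same parser reads a real security template.

```powershell
# Added example (not from the lecture): export the computer's effective security
# settings with secedit.exe and compare the [System Access] section against a
# baseline. The baseline values below are assumptions chosen for illustration;
# a real template (.inf) can be parsed with the same function.
# Run from an elevated prompt; secedit needs administrative rights.

function Read-IniSection {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Section
    )
    $result  = @{}
    $current = $null
    # secedit writes UTF-16LE with a BOM; Get-Content honours the BOM.
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -eq $Section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Compare-SystemAccess {
    param(
        [Parameter(Mandatory)] [hashtable] $Actual,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($key in $Baseline.Keys) {
        $have = $Actual[$key]
        if ($have -ne $Baseline[$key]) {
            [pscustomobject]@{ Setting = $key; Expected = $Baseline[$key]; Actual = $have }
        }
    }
}

# Baseline expressed in the key names secedit uses (assumed policy values)
$baseline = @{
    MinimumPasswordLength = '14'
    PasswordComplexity    = '1'
    PasswordHistorySize   = '24'
    MaximumPasswordAge    = '60'
    LockoutBadCount       = '10'
    ClearTextPassword     = '0'    # "Store passwords using reversible encryption" disabled
}

$export = Join-Path $env:TEMP 'current-secpol.inf'
& secedit.exe /export /cfg $export /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

$actual = Read-IniSection -Path $export -Section 'System Access'
$drift  = Compare-SystemAccess -Actual $actual -Baseline $baseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift from baseline in [System Access].' }
```

Secedit's own `/analyze` switch performs the same comparison into a database (`secedit /analyze /db sec.sdb /cfg template.inf /log sec.log`); the script keeps the comparison in the open so the result can be shipped to monitoring, and `Read-IniSection -Path 'Baseline.inf' -Section 'System Access'` turns an existing template into the baseline instead of the hard-coded table.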

Page 36:

Demonstration: Create and Deploy Security Templates

In this demonstration, you will see how to:

• Build a custom MMC with the Security Templates snap-in

• Create a security template

• Import the template into the Security Settings nodeof a GPO

Page 37:

Security Configuration Wizard

• Security policy: An .xml file that configures

Role-based service configuration

Network security, including firewall rules

Registry values

Audit policy

Can incorporate a security template (.inf)

• Create the policy

• Edit the policy

• Apply the policy

• Roll back the policy

• Transform the policy into a GPO

scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"

Page 38:

Settings, Templates, Policies, and GPOs

• Direct configuration of security-related settings

• Local Security Policy

• Security templates

.inf files that define a wide variety of security settings

Security Templates, Security Configuration and Analysis

Import into a GPO

• Security policies

Are .xml files that define role-based service startup, firewall rules, audit policies, and registry settings

Can include security templates

Security Configuration Wizard or scwcmd.exe

Transform into a GPO by using scwcmd

• Modify GPO

Page 39:

Lesson 3: Auditing

• Overview of Audit Policies

• Specify Auditing Settings on a File or a Folder

• Enable Audit Policy

• Evaluate Events in the Security Log

Page 40:

Overview of Audit Policies

• Audit events in a category of activities

Access to NTFS files/folders

Account or object changes in Active Directory

Logon

Assignment or use of user rights

• By default, domain controllers audit success events for most categories

• Goal: Align audit policies with corporate security policies and reality

Over-auditing: Logs are too big to find the events that matter

Under-auditing: Important events are not logged

Tools that help you consolidate and crunch logs can be helpful

Page 41:

Specify Auditing Settings on a File or a Folder

• Modify the system access control list (SACL)

Properties > Advanced > Auditing > Edit

Page 42:

Enable Audit Policy

• Enable auditing for Object Access: Success and/or Failure

• GPO must be scoped to the server

• Success/Failure policy setting must match auditing settings (success/failure)

Page 43:

Evaluate Events in the Security Log

• Security Log

• Summary

Audit Object Access policy must be enabled to audit Success or Failure

GPO must be scoped to the server

SACL must be configured to audit successful or failed access

Security Log must be examined
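The three conditions in the summary (audit policy enabled, SACL set, log examined) can all be done and checked from PowerShell. The block below is an added example, not part of the lecture; the folder path and the audited principal are assumptions, and it must run elevated on the server that hosts the folder.

```powershell
# Added example (not from the lecture): the three steps the slides describe,
# done from PowerShell: (1) enable Object Access > File System auditing,
# (2) put a SACL entry on a folder, (3) read the resulting 4663 events.
# The folder path and the audited principal are assumptions for illustration.
# Run elevated on the server that hosts the folder.

$Folder    = 'D:\Shares\Finance'          # assumed path
$Principal = 'Everyone'                  # audit all access; narrow this in production

# 1. Advanced audit policy subcategory (Windows Server 2008 R2 and later); the
#    legacy equivalent is: auditpol /set /category:"Object Access" /success:enable /failure:enable
& auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL: audit successful and failed writes and deletes, inherited by the whole tree
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Evaluate: 4663 = "An attempt was made to access an object" (the handle
#    request itself is 4656). Extract the fields that answer who / what / when / result.
function Get-FileAccessEvents {
    param([string] $PathPrefix, [datetime] $Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask
                Process = $d.ProcessName
                Result  = $_.KeywordsDisplayNames -join ','   # "Audit Success" or "Audit Failure"
            }
        } |
        Where-Object { -not $PathPrefix -or $_.Object -like "$PathPrefix*" }
}

Get-FileAccessEvents -PathPrefix $Folder | Format-Table -AutoSize
```

Without step 1 the SACL in step 2 produces nothing, and a SACL that audits only Failure will never show a successful access however the policy is set; the policy and the SACL have to agree, which is the point the slide makes. Auditing 'Everyone' with inheritance on a busy share is the over-auditing case from slide 40, so narrow the principal and rights once the pipeline is proven.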

Page 44:

Lesson 4: Software Restriction Policy and AppLocker

• What Is a Software Restriction Policy?

• Overview of Application Control Policies

• Compare AppLocker and Software Restriction Policies

Page 45:

What Is a Software Restriction Policy?

SRPs allow administrators to identify which applications are allowed to run on client computers

SRPs can be based on the following:

• Certificate

• Path

• Hash

• Zone

SRPs are applied through Group Policy

Page 46:

Overview of Application Control Policies

Application Control Policies are applied in Windows Server 2008 R2 and Windows 7 by using AppLocker

AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs

Benefits of AppLocker:

• Controls how users can access and run all types of applications

• Allows the definition of rules based on a wide variety of variables

• Provides for importing and exporting entire AppLocker policies

Note: on Windows 7, rules are enforced only on the Enterprise and Ultimate editions, and enforcement requires the Application Identity (AppIDSvc) service to be running

Page 47:

AppLocker Rules

Rules provide the foundation for an AppLocker-based application management policy

The AppLocker rules structure allows an administrator to:

• Identify applications by publisher, path, or file hash

• Create multiple rules to comprehensively manage applications

• Assign rules to individual users or groups

• Provide for exceptions to rules

AppLocker rules apply only to Windows Server 2008 R2 and Windows 7 (and later) computers; older clients ignore them and must be controlled with Software Restriction Policies

Page 48:

Compare AppLocker and Software Restriction Policies

Feature                                    SRP                                                          AppLocker
Rule scope                                 Specific user or group (per GPO)                             Specific users or groups (per rule)
Rule conditions provided                   File hash, path, certificate, registry path, Internet zone   File hash, path, publisher
Rule types provided                        Allow and Deny                                               Allow and Deny
Default rule action                        Configurable: Unrestricted (allow) or Disallowed (deny)      Implicit Deny
Audit-only mode                            No                                                           Yes
Wizard to create multiple rules at once    No                                                           Yes
Policy import or export                    No                                                           Yes
Rule collections                           No                                                           Yes
Windows PowerShell support                 No                                                           Yes
Custom error messages                      No                                                           Yes

Page 49:

Demonstration: How to Configure Application Control Policies

In this demonstration, you will see how to:

• Create a GPO to enforce the default AppLocker Executable rules

• Apply the GPO to the domain

• Test the AppLocker rule
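The demonstration steps above (build rules, deploy, test) map directly onto the AppLocker cmdlets that slide 48 lists as an advantage over SRP, and the audit-only mode is what lets a policy be validated before anything is blocked. The block below is an added example, not part of the lecture; it assumes the AppLocker module (Windows 7 / Server 2008 R2 and later) with the Application Identity service running, and the file path, user name and GPO LDAP path are placeholders.

```powershell
# Added example (not from the lecture): build an AppLocker policy from the
# executables already installed under Program Files, deploy it in audit-only
# mode, test a file against it, and read the audit events. Paths, the user
# and the GPO distinguished name are assumptions for illustration.
# Requires the AppLocker module (Windows 7 / Server 2008 R2 and later) and the
# Application Identity (AppIDSvc) service running for enforcement and auditing.

Import-Module AppLocker

$PolicyXml = Join-Path $env:TEMP 'applocker-audit.xml'

# 1. Collect file information (publisher, path, hash) for what is installed today
$files = Get-ChildItem -Path "$env:ProgramFiles", "${env:ProgramFiles(x86)}" -Recurse -Include *.exe -ErrorAction SilentlyContinue
$info  = $files | Get-AppLockerFileInformation -ErrorAction SilentlyContinue

# 2. Prefer publisher rules (they survive version updates); fall back to hash
#    rules for unsigned files. -Optimize merges rules that share a publisher.
$policy = New-AppLockerPolicy -FileInformation $info `
            -RuleType Publisher, Hash -User Everyone `
            -RuleNamePrefix 'Baseline' -Optimize -Xml
$policy | Set-Content -Path $PolicyXml -Encoding Unicode

# 3. Put the Exe collection into AuditOnly before applying (the enforcement mode
#    lives in the XML), so nothing is blocked while the rules are validated.
$doc = [xml](Get-Content -Path $PolicyXml)
foreach ($col in $doc.AppLockerPolicy.RuleCollection) {
    if ($col.Type -eq 'Exe') { $col.EnforcementMode = 'AuditOnly' }
}
$doc.Save($PolicyXml)

# 4. Apply locally (-Merge keeps rules already present). To write into a GPO
#    instead, point -Ldap at the policy object (assumed DN):
#    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap 'LDAP://DC01/CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com'
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# 5. Test before enforcing: would this file run for this user, and by which rule?
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path 'C:\Users\Public\Downloads\tool.exe' -User 'CONTOSO\jdoe' |
    Format-List FilePath, PolicyDecision, MatchingRule

# 6. Audit-only events: 8003 = would have been blocked had the policy been
#    enforced, 8004 = blocked (enforced). Review 8003s, then switch to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

Once the 8003 events over a representative period contain nothing legitimate, change EnforcementMode to Enabled and re-apply; publisher rules keep working across updates, whereas hash rules must be regenerated every time an unsigned binary changes.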

Page 50:

Module 3

Improving the Security of Authentication in an AD DS Domain

Page 51:

Module Overview

• Configure Password and Lockout Policies

• Audit Authentication

• Configure Read-Only Domain Controllers

Page 52:

Lesson 1: Configure Password and Lockout Policies

• Understand Password Policies

• Understand Account Lockout Policies

• Configure the Domain Password and Lockout Policy

• Fine-Grained Password and Lockout Policy

• Understand Password Settings Objects

• PSO Precedence and Resultant PSO

Page 53:

Understand Password Policies

• Implemented via Default Domain GPO

• Determine password requirements for the whole domain

• Password policies consist of :

Enforce password history: 24 passwords

Maximum password age: 42 days

Minimum password age: 1 day

Minimum password length: 7 characters

Password must meet complexity requirements: Enabled

Store password using reversible encryption: Disabled

Page 54:

Understand Account Lockout Policies

• Helps mitigate the threat of brute-force attacks on user accounts (at the cost of letting an attacker lock accounts out deliberately, so the threshold should be high enough to tolerate ordinary typing mistakes)

• Account lockout policies consist of

Account lockout duration: Not defined

Account lockout threshold: 0 invalid logon attempts (lockout disabled until a non-zero threshold is set)

Reset account lockout counter after: Not defined

• Unlock

A user who is locked out can be unlocked by an administrator

Account lockout duration specifies a timeout after which the account is unlocked automatically (a value of 0 keeps it locked until an administrator unlocks it); Reset account lockout counter after specifies how long before the count of failed attempts returns to zero, and must not exceed the lockout duration

Page 55:

Configure the Domain Password and Lockout Policy

• Domain password policies are defined by the highest-precedence GPO linked to the domain, as applied to the domain controllers

By default this is the Default Domain Policy GPO

• Best practices

Modify the settings in the Default Domain GPO for password, lockout, and Kerberos policies

Do not use the Default Domain GPO to deploy any other policy settings

Do not define password, lockout, or Kerberos settings for the domain in any other GPO

• Policy settings are overridden by options in user account

Password never expires

Store passwords using reversible encryption

Page 56:

Demonstration: Configure Domain Account Policies

In this demonstration, you will see how to configure the domain account policies for Contoso, Ltd, according to their password requirements

Page 57:

Fine-Grained Password and Lockout Policy

Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain

Domain Policy: Length: 10 | Max age: 90 | Lockout: 5 in 30 min | Reset: 30 min

Administrative accounts: Length: 15 | Max age: 45 | Lockout: 5 in 60 min | Reset: 1 day

Service Accounts: Length: 64 | Password Never Expires | Lockout: None

Finance users: Length: 15 | Max age: 60 | Lockout: 5 in 30 min | Reset: 30 min

Page 58:

Understand Password Settings Objects

A PSO has the following settings available:

• Password policies

• Account lockout policies

• PSO Link

• Precedence

Considerations when implementing PSOs:

PSOs can only be applied to users or global security groups

PSOs can be created through ADSI Edit or LDIFDE (or, from Windows Server 2008 R2 on, with New-ADFineGrainedPasswordPolicy in the Active Directory module for Windows PowerShell)

The Password Settings Container (PSC) and PSOs are new object classes defined by the AD DS schema

Windows Server 2008 domain functional level required

Page 59:

Demonstration: Configure Fine-Grained Password Policy

In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group

Page 60:

PSO Precedence and Resultant PSO

• A PSO can be linked to more than one group or user

• A group or user can have more than one PSO linked to it

• Only one PSO prevails—the Resultant PSO

Precedence: Lower value (closer to 1) has higher precedence

Global group PSO with highest precedence prevails

Any PSOs linked to user override all global group PSOs. User-linked PSO with highest precedence prevails

• msDS-ResultantPSO attribute of user in Attribute Editor

Click the Filter button and ensure Constructed is selected

• If there are no PSOs, domain account policies apply

• Best Practices

Use only group-linked PSOs. Do not link to user objects.

Avoid having two PSOs with the same precedence value

• PSOs cannot be "linked" to an OU

Create a shadow group that contains all users in the OU
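Lesson 1 (slides 53 to 60) describes the domain policy, the PSOs of the slide 57 scenario, and the precedence rule that picks the resultant PSO. The block below is an added example, not part of the lecture, that does all of that with the Active Directory module; it uses the slide 57 values, reads "Reset: 1 day" as the lockout duration (an assumption), and the group and user names are placeholders. It assumes Domain Admins rights, RSAT, and a domain at the Windows Server 2008 functional level or higher.

```powershell
# Added example (not from the lecture): the Module 3 Lesson 1 settings done with
# the ActiveDirectory module. Values mirror the lecture's slide 57 scenario;
# group and user names are assumptions. Run as a Domain Admin with RSAT; PSOs
# need the Windows Server 2008 domain functional level or higher.

Import-Module ActiveDirectory

# Domain policy: Length 10, Max age 90, Lockout 5 in 30 min, Reset 30 min
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -ComplexityEnabled $true -MinPasswordLength 10 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Administrative accounts: Length 15, Max age 45, Lockout 5 in 60 min, Reset 1 day
# ("Reset: 1 day" taken here as the lockout duration; the observation window must
# not exceed it). Lower Precedence wins, so 10 beats anything at 20 or higher.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 45) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -LockoutDuration (New-TimeSpan -Days 1) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Service accounts: Length 64, password never expires (MaxPasswordAge 0), no lockout
# (LockoutThreshold 0). PSOs link only to users or global security groups, so
# 'Service Accounts' is an assumed global group.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -ComplexityEnabled $true -MinPasswordLength 64 -PasswordHistoryCount 24 `
    -MaxPasswordAge ([TimeSpan]::Zero) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 0 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service Accounts'

# Resultant PSO (slide 60): a user in both groups gets PSO-Admins (10 < 20);
# a user with no PSO falls back to the domain policy.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    } else {
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } }, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    }
}
Get-EffectivePasswordPolicy -SamAccountName 'jdoe'    # assumed user

# Best-practice check from slide 60: two PSOs with the same precedence are ambiguous
Get-ADFineGrainedPasswordPolicy -Filter * | Group-Object Precedence | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Precedence $($_.Name) is shared by: $($_.Group.Name -join ', ')" }
```

The per-account "Password never expires" and "Store password using reversible encryption" options from slide 55 still override whatever the resultant PSO says, so a policy review should also query `Get-ADUser -Filter * -Properties PasswordNeverExpires` for accounts that bypass the policy.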

Page 61:

Lesson 2: Audit Authentication

• Account Logon and Logon Events

• Configure Authentication-Related Audit Policies

• Scope Audit Policies

• View Logon Events

Page 62:

Account Logon and Logon Events

• Account logon events

Registered by the system that authenticates the account

For domain accounts: Domain controllers

For local accounts: Local computer

• Logon events

Registered by the machine at which (or to which) a user logged on

Interactive logon: User's system

Network logon: Server

(Diagram: one authentication produces an Account Logon event on the domain controller and a Logon event on the user's computer and on each server the user connects to)

Page 63:

Configure Authentication-Related Audit Policies

• Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy

• Windows Server 2008 default is to audit Success events for both account logon and logon events

• Windows Server 2008 R2 has new and more detailed policies for account logon and logon events

• Advanced Audit Policy Configuration in Windows Server 2008 R2 (Security Settings > Advanced Audit Policy Configuration); do not mix the two, because once advanced subcategory settings are applied the legacy category settings are overridden

Page 64:

Scoping Audit Policies

(Diagram)

Default Domain Controllers Policy, scoped to the Domain Controllers: Account Logon Events

Custom GPO, scoped to the Remote Desktop Servers and the HR Clients: Logon Events


View Logon Events

• Security log of the system that generated the event

Account logon events: the domain controller that authenticated the user

Note: the Security log is not replicated to other domain controllers, so each DC must be queried separately

Logon events: the system to which the user logged on or connected
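The two event types above collected from where they are actually written, as an added example that is not part of the lecture. It reads logon events from the local Security log and account logon events from every writeable domain controller (Security logs do not replicate), then applies one simple detection over the failures. The 24-hour window and the threshold of ten distinct accounts are assumptions.

```powershell
# Added example (not from the lecture): gather logon and account logon events.
# Logon events: 4624 success, 4625 failure, on the machine logged on to.
# Account logon events: 4768 TGT issued, 4771 Kerberos pre-authentication failed,
# 4776 NTLM credential validation, on the DC that validated the credential.
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-24)   # assumed window

function Get-EventField {
    # Read a named EventData field from the event XML rather than guessing Properties[n].
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Logon events on this host (add -ComputerName for a file server or RD Session Host).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = Get-EventField $_ 'TargetUserName'
            LogonType = Get-EventField $_ 'LogonType'   # 2 interactive, 3 network, 10 RemoteInteractive
            Source    = Get-EventField $_ 'IpAddress'
        }
    } | Select-Object Time, Id, User, LogonType, Source | Format-Table -AutoSize

# 2. Failed account logon events from every writeable DC. RODCs forward authentication,
#    so the writeable DCs hold the authoritative record (see Lesson 3).
$failures = foreach ($dc in (Get-ADDomainController -Filter { IsReadOnly -eq $false })) {
    Get-WinEvent -ComputerName $dc.HostName `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 4771 -or (Get-EventField $_ 'Status') -ne '0x0' } |  # 4776 is also logged on success
        ForEach-Object {
            # 4771 carries the client IP; 4776 carries only the workstation name.
            $src = if ($_.Id -eq 4771) { Get-EventField $_ 'IpAddress' } else { Get-EventField $_ 'Workstation' }
            New-Object PSObject -Property @{
                DC     = $dc.HostName
                Time   = $_.TimeCreated
                Id     = $_.Id
                User   = Get-EventField $_ 'TargetUserName'
                Source = $src
                Status = Get-EventField $_ 'Status'
            }
        }
}

# 3. Password-spray indicator: one source failing against many distinct accounts.
$failures | Group-Object Source |
    Where-Object { ($_.Group | Select-Object -ExpandProperty User -Unique).Count -ge 10 } |  # assumed threshold
    Select-Object Name, Count | Format-Table -AutoSize
```

The point of step 2 is the note in the slide: a user whose authentication failed against DC2 leaves nothing on DC1, so a query against "the" domain controller misses it. Querying by Status rather than by event ID alone matters for 4776, which is written for successful NTLM validations as well.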


Lesson 3: Configure Read-Only Domain Controllers

• Authentication and Domain Controller Placement in a Branch Office

• What Are Read-Only Domain Controllers?

• Prerequisites for Deploying an RODC

• Installing an RODC

• Demonstration: Configure a Password Replication Policy

• Demonstration: Administer RODC Credentials Caching

• Administrative Role Separation


Authentication and Domain Controller Placement in a Branch Office

Data Center (no domain controller in the branch)

• Personnel on site

• Secure facilities

• Authentication of branch users subject to availability and performance of the WAN

Branch Office (writeable domain controller in the branch)

• Few, if any, personnel

• Less secure facilities

• Improved authentication: local, independent of the WAN

• Security risk: physical exposure of the AD database, including every password hash in the domain

• Directory Service Integrity risk: corruption or malicious change at the branch replicates to all other DCs

• Administration cost: local maintenance of the DC requires Domain Admins membership

Which of the two is the right trade-off? The read-only domain controller is designed to answer this question.


What Are Read-Only Domain Controllers?

Data Center

• Writeable Windows Server 2008 domain controller

• Password Replication Policy: specifies which user (and computer) passwords can be cached by the RODC

Branch Office

• RODC

All objects

Subset of attributes (the filtered attribute set)

No "secrets" (password hashes) unless the Password Replication Policy allows them

Not writeable

• Users log on: the RODC forwards the authentication to a writeable DC

• Password is cached afterwards, if the Password Replication Policy allows it

• Has a local Administrators group (administrative role separation)


Prerequisites for Deploying an RODC

1. Ensure the forest functional level is Windows Server 2003 or higher

All domain controllers running Windows Server 2003 or later

All domains at a functional level of Windows Server 2003 or higher

Forest functional level set to Windows Server 2003 or higher

2. If the forest has any domain controllers running Windows Server 2003, run adprep /rodcprep

adprep is in the \sources\adprep folder of the Windows Server 2008 installation media

3. Ensure that there is at least one writeable domain controller running Windows Server 2008
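The three prerequisites above as one pre-flight check, an added example that is not part of the lecture. Functional levels and DC operating systems are read with the ActiveDirectory module; the rodcprep test inspects the ForestUpdates marker object that adprep writes, and the object name and expected revision value of 2 are taken from Microsoft's adprep documentation as I recall it, so treat that part as an assumption to confirm.

```powershell
# Added example (not from the lecture): check RODC prerequisites before running dcpromo.
Import-Module ActiveDirectory
$forest   = Get-ADForest
$problems = @()

# 1. Functional levels. ADForestMode/ADDomainMode enums are ordered, so compare as integers:
#    Windows2003Forest = 2 (Windows2003InterimForest = 1 does not qualify), Windows2003Domain = 2.
if ([int]$forest.ForestMode -lt 2) { $problems += "Forest functional level is $($forest.ForestMode)" }
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    if ([int]$dom.DomainMode -lt 2) { $problems += "$d domain functional level is $($dom.DomainMode)" }
}

# Any Windows 2000 DC anywhere in the forest blocks the 2003 level and therefore RODCs.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$old = $dcs | Where-Object { $_.OperatingSystem -like '*2000*' }
if ($old) { $problems += "Windows 2000 domain controllers: $(($old | ForEach-Object { $_.Name }) -join ', ')" }

# 2. adprep /rodcprep. Assumption: adprep records completion on
#    CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,<configuration NC> with revision = 2.
$cfg    = (Get-ADRootDSE).configurationNamingContext
$marker = Get-ADObject -Identity "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfg" `
                       -Properties revision -ErrorAction SilentlyContinue
if (-not $marker -or [int]$marker.revision -lt 2) {
    $problems += 'adprep /rodcprep has not completed (run it from \sources\adprep on the 2008 media)'
}

# 3. At least one writeable Windows Server 2008 or later DC to replicate from.
$writable = $dcs | Where-Object {
    -not $_.IsReadOnly -and $_.OperatingSystem -notlike '*2000*' -and $_.OperatingSystem -notlike '*2003*'
}
if (-not $writable) { $problems += 'No writeable Windows Server 2008 (or later) domain controller found' }

if ($problems) {
    Write-Warning 'RODC prerequisites not met:'
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    'RODC prerequisites met'
}
```

Step 3 also tells you which DC the RODC will use as its replication source for the initial build, which matters when the only 2008 DC is across the WAN.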


Installing an RODC

Install the RODC

Active Directory Domain Services Installation Wizard (dcpromo)

Stage a delegated installation of an RODC: pre-create the RODC computer account in the Domain Controllers OU (Pre-create Read-only Domain Controller account) and name the delegated user or group; that principal can then complete the installation with dcpromo at the branch without being a member of Domain Admins


Demonstration: Configure a Password Replication Policy

In this demonstration, you will see how to:

• View an RODC's password replication policy

Configure the domain-wide password replication policy

Use the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group

Both groups are added to every new RODC's password replication policy by default; the Denied group already contains the privileged groups and accounts (Domain Admins, Enterprise Admins, Schema Admins, krbtgt and others), and a Denied entry always wins over an Allowed one

• Configure an RODC-specific password replication policy


Demonstration: Administer RODC Credentials Caching

In this demonstration, you will review:

• Policy Usage Reports

Accounts Whose Passwords Are Stored On This Read-Only Domain Controller

Accounts That Have Been Authenticated To This Read-Only Domain Controller

• Resultant Policy

• Prepopulating credentials in the RODC cache
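The two demonstrations above (configuring the policy, then reviewing usage and prepopulating the cache) scripted against one RODC, as an added example that is not part of the lecture. The RODC name and the branch group are assumptions.

```powershell
# Added example (not from the lecture): manage and audit one RODC's password replication policy.
# BRANCH-RODC1 and Branch-Users are assumed names.
Import-Module ActiveDirectory
$rodc  = 'BRANCH-RODC1'
$group = 'Branch-Users'

# 1. Current policy. A Denied entry always wins over an Allowed entry.
'Allowed:'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
'Denied:';  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 2. RODC-specific policy: allow only this branch's users to be cached here. Domain-wide
#    defaults are handled by membership of the Allowed/Denied RODC Password Replication Groups.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# 3. Policy usage reports: whose secrets are physically on this box, and who has
#    authenticated through it (and is therefore still depending on the WAN if not cached).
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# A privileged credential cached in a branch office defeats the purpose of the RODC.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique
$leaked = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning "Privileged credentials cached on ${rodc}: $(($leaked | ForEach-Object { $_.SamAccountName }) -join ', ')"
}

# Authenticated but not cached: candidates for the Allowed list, or evidence of accounts
# that should not be logging on at this branch at all.
$revealedDns = $revealed | ForEach-Object { $_.DistinguishedName }
'Authenticated through the RODC but not cached:'
$authenticated | Where-Object { $revealedDns -notcontains $_.DistinguishedName } | Select-Object SamAccountName

# 4. Prepopulate the cache so the branch can log on even if the WAN is down on day one.
#    Only accounts the resultant policy allows can be prepopulated, which is why step 2 comes first.
$source = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Sync-ADObject -Object $_ -Source $source -Destination $rodc -PasswordOnly }
```

If the RODC is ever stolen, the revealed-accounts report from step 3 is the list of accounts whose passwords must be reset; the Active Directory Users and Computers delete dialog for an RODC offers exactly that reset.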


Administrative Role Separation

• Allows delegating local administrative tasks on the RODC (patching, drivers, backups, restarts) without granting Domain Admins membership

• Each RODC maintains a local Security Accounts Manager (SAM) database of groups for specific administrative purposes; membership of these local roles gives no rights on any other domain controller

• The dsmgmt command allows you to manage the local roles

dsmgmt [enter]

local roles [enter]

? [enter] for a list of commands

list roles [enter] for a list of roles

add <domain\username> administrators [enter]
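The delegation above done from a script rather than the interactive dsmgmt prompt, as an added example that is not part of the lecture. It shows both ways of naming a delegated RODC administrator: the Managed By attribute of the RODC computer object, and the dsmgmt local roles commands, which dsmgmt also accepts as quoted command-line arguments. The RODC name and the delegated group are assumptions.

```powershell
# Added example (not from the lecture): delegate local administration of an RODC.
# BRANCH-RODC1 and Branch-RODC-Admins are assumed names.
Import-Module ActiveDirectory
$rodc     = 'BRANCH-RODC1'
$delegate = 'Branch-RODC-Admins'   # a group, so the delegation survives staff changes

# Option A: the Managed By attribute of the RODC computer object. The principal named
# there is treated as a local administrator of that RODC (one principal only, so use a group).
Set-ADComputer -Identity $rodc -ManagedBy (Get-ADGroup -Identity $delegate)

# Option B: the dsmgmt local roles, run on the RODC itself. dsmgmt takes its interactive
# commands as arguments, so the sequence from the slide becomes one non-interactive call.
Invoke-Command -ComputerName $rodc -ScriptBlock {
    param($principal)
    & dsmgmt.exe 'local roles' "add $principal administrators" 'quit' 'quit'
    # Verify: list the members of the Administrators role on this RODC
    & dsmgmt.exe 'local roles' 'show role administrators' 'quit' 'quit'
} -ArgumentList "CONTOSO\$delegate"   # assumed domain NetBIOS name
```

Whichever option is used, confirm afterwards that the delegated group is not also in the RODC's Allowed password replication list unless its members really work at that branch; local admin on the RODC plus a cached credential is a larger exposure than either alone.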


©2009 Microsoft, Microsoft Dynamics, the Office logo, and Your potential. Our passion. are trademarks of the Microsoft group of companies. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.