Lecture 4: Enterprise Security and Configuration with Group Policy Settings
Agenda
• Overview of Windows Security
• Managing Enterprise Security and Configuration with Group Policy Settings
• Improving the Security of Authentication in an AD DS Domain
Module 1
Overview of Windows Security
Module Overview
• Overview of Windows Security
• Overview of Defense-in-Depth
Lesson 1: Overview of Windows Security
• What Are Authentication and Authorization?
• What Is UAC?
• File and Folder Permissions
• Account Lockout and Password Policies
• Fine-Grained Password Policies
• Auditing Features
• Data Encryption Features
What Are Authentication and Authorization?
• Authentication ("Who are you?"): Verifying the identity of something or someone
• Authorization ("Are you on the list?"): Determining whether something or someone has permission to access a resource
What Is UAC?
UAC is a security feature that simplifies the ability of users to run as standard users and perform all necessary daily tasks
• UAC prompts the user for an administrative user’s credentials if the task requires administrative permissions
File and Folder Permissions
NTFS file and folder permissions:
• Define local access rights for files and folders
• Always apply
Shared folder permissions:
• Define network access rights for folder contents
• Only apply when files and folders are accessed over the network
Account Lockout and Password Policies
Account and password policies help to mitigate the threat of unauthorized account access
Password policies (control the complexity and lifetime of passwords); default settings:
• Complex password: enabled
• Enforce password history: 24
• Maximum password age: 42 days
• Minimum password age: 1 day
• Minimum password length: 7 characters
• Store password using reversible encryption: disabled
Account lockout policies (control how many incorrect attempts can be made); default settings:
• Lockout threshold: 0 invalid logon attempts
• Lockout duration: not defined
• Reset account lockout after: not defined
Fine-Grained Password Policies
Fine-grained password policies allow for:
• Assigning multiple password and account lockout policies to individual Active Directory users or groups within the same domain
Fine-grained password policy components:
• Password Settings Container
• Password Settings objects
Auditing Features
Auditing tracks user and operating system activities, and records selected events in security logs, answering:
• What occurred?
• Who did it?
• When?
• What was the result?
Enable auditing to:
• Detect threats and attacks
• Determine damages
• Prevent further damage
Data Encryption Features
BitLocker functionality:
• Encrypts volumes (the entire operating system volume, including Windows system files)
• Does not require user certificates
EFS functionality:
• Encrypts files
• Requires user certificates
Lesson 2: Overview of Defense-in-Depth
• What Is Defense-in-Depth?
• Policies, Procedures, and Awareness
• Physical Layer Security
• Perimeter Layer Security
• Internal Network Layer Security
• Host Layer Security
• Application Layer Security
• Data Layer Security
Applying Defense-In-Depth to Increase Security
Layers (outermost to innermost) and the controls applied at each:
• Policies, Procedures, & Awareness: security documents, user education
• Physical Security: guards, locks, tracking devices
• Perimeter: firewalls, Network Access Quarantine Control
• Internal Network: network segments, IPSec, NIDS
• Host: hardening, authentication, update management, HIDS
• Application: application hardening, antivirus
• Data: ACLs, encryption, EFS, DRM
Defense-in-depth uses a layered approach to security, which:
• Reduces an attacker’s chance of success
• Increases an attacker’s risk of detection
Defense-in-depth provides multiple layers of defense to protect a networking environment
Policies, Procedures, and Awareness
Sources of compromise include:
• Users unaware of rules
• Users viewing rules as unnecessary
• Social engineering
Policies, procedures, and awareness refers to an organization's formalized, agreed upon commitment to help prevent security incidents from occurring, and to address security issues in the event of a security incident
Physical Layer Security
Physical access to systems allows:
• Physical destruction
• Software installation
• Data modification
• Theft
Physical layer security refers to helping prevent unauthorized physical access to IT infrastructure, especially as it may result in damaged equipment as well as compromised data
Perimeter Layer Security
Perimeter layer compromise includes:
• Attacks on resources in a perimeter network
• Attacks on remote clients
• Attacks on business partners
Perimeter layer security refers to connectivity between your network and other untrusted networks
Internal Network Layer Security
Internal Network layer compromise includes:
• Unauthorized network communication
• Unauthorized network hosts
• Unauthorized packet sniffing
• Unchanged default network device configurations
Internal network layer security refers to safeguarding the infrastructure that is directly managed and controlled by your organization, including WAN end points
Host Layer Security
Host layer compromise can be:
• Exploiting operating system flaws
• Exploiting default operating system configurations
• Accomplished by a virus
The host layer refers to the individual infrastructure devices such as computers, switches, and routers on your network
Application Layer Security
Application layer compromise can be:
• Exploiting application flaws
• Exploiting application default configurations
• Viruses introduced by a user
The application layer refers to the specialized software running on the hosts
Data Layer Security
Data layer compromise can be:
• Unauthorized access to data files
• Unauthorized access to AD DS
• Modification of application files
The data layer refers to the information stored on your computers
Best Practices for Increasing Security
Some best practices for increasing security are:
• Apply all available security updates quickly
• Follow the principle of least privilege
• Restrict console login
• Restrict physical access
Security Configuration Wizard
SCW analyzes your server and provides recommendations for:
• Network security, including firewall rules
• Registry settings
• Services to enable or disable
• Audit policy
The Security Configuration Wizard (SCW) is a wizard-based tool that allows an administrator to manage the attack surface of a server and disable unneeded Windows Server 2008 R2 functionality
SCW policies can be created, modified, and redeployed to other servers within your infrastructure
What Is the Microsoft Baseline Security Analyzer?
MBSA features:
• Assesses current state of OS and application updates
• Targeted to small and medium-sized businesses
• Wizard-based interface
• Includes command-line tool for automation
• Provides formatted recommendation reports
The Microsoft Baseline Security Analyzer (MBSA) is a tool used to assess the current security state of a server based on Microsoft's security recommendations
Module 2
Managing Enterprise Security and Configuration with Group Policy Settings
Module Overview
• Manage Group Membership by using Group Policy Settings
• Manage Security Settings
• Auditing
• Software Restriction Policy and AppLocker
Lesson 1: Manage Group Membership by Using Group Policy Settings
• What Are Restricted Groups?
• Define Group Membership with Group Policy Preferences
What Are Restricted Groups?
• Restricted Groups policies enable you to manage the membership of groups
• Members: the policy is for a local group; you specify its members (groups and users); the membership list is authoritative
• Member Of: the policy is for a domain group; you specify its membership in a local group; the memberships are cumulative
Demonstration: Delegate Administration by Using Restricted Groups Policies
In this demonstration, you will see how to:
• Add a domain support group to the local Administrators group of client computers
• Define the authoritative membership of the local Administrators group of client computers
Define Group Membership with Group Policy Preferences
• Create, delete, or replace a local group
• Rename a local group
• Change the Description
• Modify group membership
• Local Group preferences are available in both Computer Configuration and User Configuration
Lesson 2: Manage Security Settings
• What Is Security Policy Management?
• Configure the Local Security Policy
• Manage Security Configuration with Security Templates
• Demonstration: Create and Deploy Security Templates
• Security Configuration Wizard
• Settings, Templates, Policies, and GPOs
What Is Security Policy Management?
• The enterprise IT security policy is expressed as security configuration settings
• Manage security configuration
Create the security policy
Apply the security policy to one or more systems
Analyze security settings against the policy
Update the policy, or correct the discrepancies in the system
• Tools
Local Group Policy and Domain Group Policy
Security Templates snap-in
Security Configuration Wizard
Configure the Local Security Policy
(Slide diagram: Local Security Policy versus Domain Group Policy)
Manage Security Configuration with Security Templates
• Settings are a subset of domain GPO settings, but different than local GPO
• Security Templates
Plain text files
Can be applied directly to a computer
Can be deployed with Group Policy
• Security Configuration and Analysis snap-in and Secedit.exe
Can be used to analyze a computer's current security settings against the security template's
Demonstration: Create and Deploy Security Templates
In this demonstration, you will see how to:
• Build a custom MMC with the Security Templates snap-in
• Create a security template
• Import the template into the Security Settings node of a GPO
Security Configuration Wizard
• Security policy: An .xml file that configures
Role-based service configuration
Network security, including firewall rules
Registry values
Audit policy
Can incorporate a security template (.inf)
• Create the policy
• Edit the policy
• Apply the policy
• Roll back the policy
• Transform the policy into a GPO
scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"
Settings, Templates, Policies, and GPOs
• Direct configuration of security-related settings
• Local Security Policy
• Security templates
.inf files that define a wide variety of security settings
Security Templates, Security Configuration and Analysis
Import into a GPO
• Security policies
Are .xml files that define role-based service startup, firewall rules, audit policies, and registry settings
Can include security templates
Security Configuration Wizard or scwcmd.exe
Transform into a GPO by using scwcmd
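The analyze-then-configure cycle described in this lesson, as an added example that is not part of the lecture: it assumes an elevated session and two hypothetical files, C:\Sec\Baseline.inf (a template saved from the Security Templates snap-in) and C:\Sec\MySecurity.xml (an SCW policy), plus a hypothetical OU to link the resulting GPO to.

```powershell
# Added example, not from the lecture. Assumes C:\Sec\Baseline.inf and
# C:\Sec\MySecurity.xml exist (hypothetical files) and the session is elevated.
New-Item -ItemType Directory -Path 'C:\Sec\Work' -Force | Out-Null

# 1. Export the current settings first; this is the rollback point.
secedit /export /cfg C:\Sec\Work\Before.inf /quiet

# 2. Analyze: load the template into a database and compare it with the
#    machine. Differences appear in the log as "Mismatch -" lines and
#    settings the template leaves alone as "Not Configured -".
secedit /analyze /db C:\Sec\Work\Analysis.sdb /cfg C:\Sec\Baseline.inf /log C:\Sec\Work\Analysis.log /quiet
Select-String -Path C:\Sec\Work\Analysis.log -Pattern 'Mismatch|Not Configured' |
    ForEach-Object { $_.Line.Trim() }

# 3. Configure only after reviewing the mismatch list. This applies the same
#    database built in step 2, equivalent to "Configure Computer Now" in the
#    Security Configuration and Analysis snap-in.
secedit /configure /db C:\Sec\Work\Analysis.sdb /log C:\Sec\Work\Configure.log /quiet

# 4. Turn the SCW policy into a GPO (the command from the slide) and link it.
#    New-GPLink is from the GroupPolicy module (RSAT); the OU is hypothetical.
scwcmd transform /p:"C:\Sec\MySecurity.xml" /g:"My New GPO"
New-GPLink -Name 'My New GPO' -Target 'OU=Member Servers,DC=contoso,DC=com'
```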
• Modify GPO
Lesson 3: Auditing
• Overview of Audit Policies
• Specify Auditing Settings on a File or a Folder
• Enable Audit Policy
• Evaluate Events in the Security Log
Overview of Audit Policies
• Audit events in a category of activities
Access to NTFS files/folders
Account or object changes in Active Directory
Logon
Assignment or use of user rights
• By default, domain controllers audit success events for most categories
• Goal: Align audit policies with corporate security policies and reality
Over-auditing: Logs are too big to find the events that matter
Under-auditing: Important events are not logged
Tools that help you consolidate and crunch logs can be helpful
Specify Auditing Settings on a File or a Folder
• Modify the system access control list (SACL): Properties > Advanced > Auditing > Edit
Enable Audit Policy
• Enable auditing for Object Access: Success and/or Failure
• GPO must be scoped to the server
• Success/Failure policy setting must match auditing settings (success/failure)
Evaluate Events in the Security Log
• Security Log
• Summary
Audit Object Access policy must be enabled to audit Success or Failure
GPO must be scoped to the server
SACL must be configured to audit successful or failed access
Security Log must be examined
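The three steps of this lesson (SACL, audit policy, Security log) carried out end to end, as an added example that is not from the lecture. It assumes an elevated session on the server that holds the data and a hypothetical folder C:\Data\Finance; in a domain the audit policy would come from the GPO scoped to the server, but auditpol shows the effective setting either way.

```powershell
# Added example, not from the lecture. Folder path is hypothetical.
$folder = 'C:\Data\Finance'

# 1. SACL (Properties > Advanced > Auditing > Edit): audit successful and failed
#    delete/write by Everyone, inherited by all files and subfolders.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 2. Audit policy: the SACL is ignored until Object Access (the File System
#    subcategory) is audited for Success and Failure; the setting must match
#    the Success/Failure entries in the SACL.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 3. Evaluate: event 4663 = "An attempt was made to access an object".
#    Success and failure audits share the ID; the keyword tells them apart.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$folder*" } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $outcome = 'Success'
        if ($_.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = $outcome
            User    = $d['SubjectUserName']
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']
        }
    } | Format-Table -AutoSize
```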
Lesson 4: Software Restriction Policy and Applocker
• What Is a Software Restriction Policy?
• Overview of Application Control Policies
• Compare Applocker and Software Restriction Policies
What Is a Software Restriction Policy?
SRPs allow administrators to identify which applications are allowed to run on client computers
SRPs can be based on the following:
• Certificate
• Path
• Hash
• Zone
SRPs are applied through Group Policy
Overview of Application Control Policies
Application Control Policies are applied in Windows Server 2008 R2 and Windows 7 by using AppLocker
Benefits of AppLocker:
• Controls how users can access and run all types of applications
• Allows the definition of rules based on a wide variety of variables
• Provides for importing and exporting entire AppLocker policies
AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs
AppLocker Rules
Rules provide the foundation for an AppLocker-based application management policy
The AppLocker Rules structure allows an administrator to:
• Identify applications by publisher, path or file hash
• Create multiple rules to comprehensively manage applications
• Assign rules to individual users or groups
• Provide for exceptions to rules
AppLocker Rules apply only to Windows Server 2008 R2 and Windows 7 computers
Compare Applocker and Software Restriction Policies
Feature | SRP | AppLocker
Rule scope | Specific user or group (per GPO) | Specific users or groups (per rule)
Rule conditions provided | File hash, path, certificate, registry path, Internet zone | File hash, path, publisher
Rule types provided | Allow and Deny | Allow and Deny
Default rule action | Allow and deny | Implicit Deny
Audit only mode | No | Yes
Wizard to create multiple rules at one time | No | Yes
Policy import or export | No | Yes
Rule collection | No | Yes
Windows PowerShell support | No | Yes
Custom error messages | No | Yes
Demonstration: How to Configure Application Control Policies
In this demonstration, you will see how to:
• Create a GPO to enforce the default AppLocker Executable rules
• Apply the GPO to the domain
• Test the AppLocker rule
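The demonstration above done with the AppLocker cmdlets, as an added example that is not part of the lecture: it generates publisher and hash Allow rules from a trusted directory, tests them against sample paths before enforcement, imports the policy into a GPO in audit-only mode, and reads the audit events. Assumptions: Windows 7 / Server 2008 R2 or later with the AppLocker and GroupPolicy modules, a hypothetical GPO named 'AppLocker Policy', and constructed sample paths.

```powershell
# Added example, not from the lecture. GPO name and sample paths are hypothetical.
Import-Module AppLocker
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null

# 1. Publisher rules where files are signed, hash rules otherwise, allowed for
#    Everyone; -Optimize merges files from one publisher into a single rule.
$info = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
$xml  = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
                  -User Everyone -Optimize -Xml)

# Start in AuditOnly (the SRP table above: audit mode is an AppLocker-only
# feature) so 8003 events show what would be blocked without breaking users.
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policyFile = 'C:\Temp\AppLocker-Exe.xml'
$xml.Save($policyFile)

# 2. Test before deploying: anything not matched by an Allow rule is implicitly
#    denied, so a binary in a user profile should come back as Denied.
$samples = 'C:\Program Files\Internet Explorer\iexplore.exe',
           'C:\Users\jdoe\Downloads\tool.exe'
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Deploy through Group Policy. The demonstration uses the default rules in a
#    new GPO; here the generated policy is written into an existing GPO instead.
#    (Assumption: Set-AppLockerPolicy -Ldap accepts the GPO's directory path.)
$gpo = Get-GPO -Name 'AppLocker Policy'
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap "LDAP://$($gpo.Path)"

# 4. On a client after gpupdate: 8002 = allowed, 8003 = would have been blocked
#    (audit mode), 8004 = blocked (enforce mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```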
Module 3
Improving the Security of Authentication in an
AD DS Domain
Module Overview
• Configure Password and Lockout Policies
• Audit Authentication
• Configure Read-Only Domain Controllers
Lesson 1: Configure Password and Lockout Policies
• Understand Password Policies
• Understand Account Lockout Policies
• Configure the Domain Password and Lockout Policy
• Fine-Grained Password and Lockout Policy
• Understand Password Settings Objects
• PSO Precedence and Resultant PSO
Understand Password Policies
• Implemented via Default Domain GPO
• Determine password requirements for the whole domain
• Password policies consist of :
Enforce password history: 24 passwords
Maximum password age: 42 days
Minimum password age: 1 day
Minimum password length: 7 characters
Password must meet complexity requirements: Enabled
Store password using reversible encryption: Disabled
Understand Account Lockout Policies
• Helps mitigate the threat of brute force attacks on user accounts
• Account lockout policies consist of
Account lockout duration: Not defined
Account lockout threshold: 0 invalid logon attempts
Reset account lockout counter after: Not defined
• Unlock
A user who is locked out can be unlocked by an administrator
The Reset account lockout policy can specify a "timeout" period after which the account is automatically unlocked
Configure the Domain Password and Lockout Policy
• Domain password policies are defined by the highest-precedence GPO scoped to domain controllers
Default Domain Policy GPO
• Best practices
Modify the settings in the Default Domain GPO for password, lockout, and Kerberos policies
Do not use the Default Domain GPO to deploy any other policy settings
Do not define password, lockout, or Kerberos settings for the domain in any other GPO
• Policy settings are overridden by options in user account
Password never expires
Store passwords using reversible encryption
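A check for the two points of this lesson, as an added example that is not part of the lecture: it reads the live domain policy, flags anything weaker than the defaults listed above (and a lockout threshold of 0, which leaves accounts without the brute-force mitigation this lesson describes), then lists enabled accounts whose own options override the policy. Assumes the ActiveDirectory module (RSAT) in a domain-joined session.

```powershell
# Added example, not from the lecture. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Default values as listed in the lecture; anything weaker is flagged.
# Lockout threshold 0 is the default but means accounts never lock, so it is
# flagged too.
$checks = @(
    @{ Name = 'ComplexityEnabled';           Ok = { $policy.ComplexityEnabled -eq $true } },
    @{ Name = 'PasswordHistoryCount';        Ok = { $policy.PasswordHistoryCount -ge 24 } },
    @{ Name = 'MaxPasswordAge';              Ok = { $policy.MaxPasswordAge -gt [TimeSpan]::Zero -and
                                                    $policy.MaxPasswordAge -le (New-TimeSpan -Days 42) } },
    @{ Name = 'MinPasswordAge';              Ok = { $policy.MinPasswordAge -ge (New-TimeSpan -Days 1) } },
    @{ Name = 'MinPasswordLength';           Ok = { $policy.MinPasswordLength -ge 7 } },
    @{ Name = 'ReversibleEncryptionEnabled'; Ok = { $policy.ReversibleEncryptionEnabled -eq $false } },
    @{ Name = 'LockoutThreshold';            Ok = { $policy.LockoutThreshold -gt 0 } }
)

foreach ($c in $checks) {
    $state = 'WEAK'
    if (& $c.Ok) { $state = 'OK  ' }
    '{0} {1,-28} = {2}' -f $state, $c.Name, $policy.($c.Name)
}

# Per-account options that override the domain policy (the slide's last bullet).
Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, AllowReversiblePasswordEncryption |
    Where-Object { $_.PasswordNeverExpires -or $_.AllowReversiblePasswordEncryption } |
    Select-Object SamAccountName, PasswordNeverExpires, AllowReversiblePasswordEncryption |
    Format-Table -AutoSize
```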
Demonstration: Configure Domain Account Policies
In this demonstration, you will see how to configure the domain account policies for Contoso, Ltd, according to their password requirements
Fine-Grained Password and Lockout Policy
Domain policy: Length 10; Max age 90; Lockout: 5 in 30 min; Reset: 30 min
Administrative accounts: Length 15; Max age 45; Lockout: 5 in 60 min; Reset: 1 day
Service accounts: Password never expires; Length 64; Lockout: none
Finance users: Length 15; Max age 60; Lockout: 5 in 30 min; Reset: 30 min
Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain
Understand Password Settings Objects
A PSO has the following settings available:
• Password policies
• Account lockout policies
• PSO Link
• Precedence
Considerations when implementing PSOs:
PSOs can only be applied to users or global security groups
PSOs can be created through ADSI Edit or LDIFDE
The Password Settings Container (PSC) and PSOs are new object classes defined by the AD DS schema
Windows Server 2008 domain functional level required
Demonstration: Configure Fine-Grained Password Policy
In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group
PSO Precedence and Resultant PSO
• A PSO can be linked to more than one group or user
• A group or user can have more than one PSO linked to it
• Only one PSO prevails—the Resultant PSO
Precedence: Lower value (closer to 1) has higher precedence
Global group PSO with highest precedence prevails
Any PSOs linked to user override all global group PSOs. User-linked PSO with highest precedence prevails
• msDS-ResultantPSO attribute of user in Attribute Editor
Click the Filter button and ensure Constructed is selected
• If there are no PSOs, domain account policies apply
• Best Practices
Use only group-linked PSOs. Do not link to user objects.
Avoid having two PSOs with the same precedence value
• PSOs cannot be "linked" to an OU
Create a shadow group that contains all users in the OU
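The PSO lifecycle from this lesson, as an added example that is not part of the lecture: it creates two of the slide's fine-grained policies (administrative accounts and finance users), links each to a global group, checks for duplicate precedence values, and reads back the resultant PSO of a user in both groups. Assumptions: the ActiveDirectory module, Windows Server 2008 domain functional level, hypothetical groups 'Admin Accounts' and 'Finance Users' and user 'jdoe', and precedence values 10 and 20 chosen here; "Reset" on the slide is read as the automatic-unlock duration, as this lecture defines it.

```powershell
# Added example, not from the lecture. Group/user names and precedence values
# are hypothetical choices.
Import-Module ActiveDirectory

# Administrative accounts: length 15, max age 45 days, 5 bad attempts in 60 min,
# automatic unlock after 1 day. Precedence 10: the lower value wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-AdminAccounts' -Precedence 10 `
    -MinPasswordLength 15 -MaxPasswordAge (New-TimeSpan -Days 45) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -LockoutDuration (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1)

# Finance users: length 15, max age 60 days, 5 in 30 min, unlock after 30 min.
New-ADFineGrainedPasswordPolicy -Name 'PSO-FinanceUsers' -Precedence 20 `
    -MinPasswordLength 15 -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1)

# Link each PSO to a global security group, never to user objects (best practice
# above). For users in an OU, link to a shadow group that mirrors the OU.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-AdminAccounts' -Subjects 'Admin Accounts'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-FinanceUsers'  -Subjects 'Finance Users'

# Guard against the other pitfall on the slide: two PSOs with one precedence.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object Precedence | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        Write-Warning ("Precedence {0} is shared by: {1}" -f $_.Name, $names)
    }

# Resultant PSO for a user in both groups: PSO-AdminAccounts (precedence 10)
# prevails. Nothing is returned when no PSO applies and domain policy governs.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($resultant) {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    'No PSO applies; the Default Domain Policy governs this account.'
}
```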
Lesson 2: Audit Authentication
• Account Logon and Logon Events
• Configure Authentication-Related Audit Policies
• Scope Audit Policies
• View Logon Events
Account Logon and Logon Events
• Account logon events
Registered by the system that authenticates the account
For domain accounts: Domain controllers
For local accounts: Local computer
• Logon events
Registered by the machine at which (or to which) a user logged on
Interactive logon: User's system
Network logon: Server
Configure Authentication-Related Audit Policies
• Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
• Windows Server 2008 default is to audit Success events for both account logon and logon events
• Windows Server 2008 R2 has new and more detailed policies for account logon and logon events
• Advanced Audit Policies in Windows Server 2008 R2
Scoping Audit Policies
(Slide diagram: account logon events are audited on the Domain Controllers OU through the Default Domain Controllers Policy; logon events are audited on Remote Desktop Servers and HR Clients through a custom GPO)
View Logon Events
• Security log of the system that generated the event
Account logon: The domain controller that authenticated the user
Logon: The system to which the user logged on or connected
• Note: Not replicated to other domain controllers
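Because account logon events live only on the domain controller that handled the request, a failed-authentication count has to be gathered from every DC; this added example (not part of the lecture) does that for the last hour and reports accounts at or above the lecture's lockout example of 5 attempts. Assumes the ActiveDirectory module and remote Event Log access to each DC; the window and threshold are chosen here.

```powershell
# Added example, not from the lecture. Window and threshold are chosen values.
Import-Module ActiveDirectory
$since     = (Get-Date).AddHours(-1)
$threshold = 5

# Account logon failures are written on the DC: 4771 = Kerberos pre-authentication
# failed, 4776 = NTLM credential validation failed. Logon failures (4625) are
# written on the target system and are not collected here.
$failures = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since
        } | ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Both IDs carry the account in TargetUserName; the origin field
            # differs: IpAddress for Kerberos, Workstation for NTLM.
            $source = $d['Workstation']
            if ($_.Id -eq 4771) { $source = $d['IpAddress'] }
            [pscustomobject]@{
                DC      = $dc.Name
                Time    = $_.TimeCreated
                Id      = $_.Id
                Account = $d['TargetUserName']
                Source  = $source
            }
        }
    } catch {
        # A DC with no matching events raises "No events were found"; skip it.
        if ($_.Exception.Message -notlike '*No events*') { Write-Warning "$($dc.Name): $_" }
    }
}

# Accounts with at least $threshold failures in the window, with where the
# attempts came from and which DCs saw them.
$failures | Group-Object Account | Where-Object { $_.Count -ge $threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', '
            DCs      = ($_.Group | ForEach-Object { $_.DC } | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize
```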
Lesson 3: Configure Read-Only Domain Controllers
• Authentication and Domain Controller Placement in a Branch Office
• What Are Read-Only Domain Controllers?
• Prerequisites for Deploying an RODC
• Installing an RODC
• Demonstration: Configure a Password Replication Policy
• Demonstration: Administer RODC Credentials Caching
• Administrative Role Separation
Authentication and Domain Controller Placement in a Branch Office
Data center (domain controllers only in the data center):
• Personnel
• Secure facilities
• Authentication of branch users subject to availability and performance of WAN
Branch office (with its own domain controller):
• Few, if any, personnel
• Less secure facilities
• Improved authentication
• Security: Exposure of AD database
• Directory Service Integrity: Corruption at branch replicating to other DCs
• Administration: Administration requires domain Administrators membership
What Are Read-Only Domain Controllers?
Data center:
• Writeable Windows Server 2008 domain controller
• Password Replication Policy: Specifies which user (and computer) passwords can be cached by the RODC
Branch office:
• RODC: All objects; subset of attributes; no "secrets"; not writeable
• Users log on: RODC forwards authentication
• Password is cached: If password replication policy allows
• Has a local Administrators group
Prerequisites for Deploying an RODC
1. Ensure the forest functional level is Windows Server 2003 or higher
All domain controllers running Windows Server 2003 or later
All domains functional level of Windows Server 2003 or higher
Forest functional level set to Windows Server 2003 or higher
2. If the forest has any domain controllers running Windows Server 2003, run adprep /rodcprep
Windows Server 2008 CD: \sources\adprep folder
3. Ensure that there is at least one writeable domain controller running Windows Server 2008
Installing an RODC
Install the RODC
Active Directory Domain Services Installation Wizard (dcpromo)
Stage delegated installation of an RODC: Domain Controllers OU
Demonstration: Configure a Password Replication Policy
In this demonstration, you will see how to:
• View an RODC's password replication policy
Configure domain-wide password replication policy
Use the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group
The groups are added to all new RODCs password replication policies by default
• Configure RODC-specific password replication policy
Demonstration: Administer RODC Credentials Caching
In this demonstration, you will review:
• Policy Usage Reports
Accounts Whose Passwords Are Stored On This Read-Only Domain Controller
Accounts That Have Been Authenticated To This Read-Only Domain Controller
• Resultant Policy
• Prepopulating credentials in the RODC cache
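The two demonstrations above done with the AD cmdlets, as an added example that is not part of the lecture: view the effective password replication policy, add an RODC-specific allow entry, read both usage reports, flag any privileged account whose secret is on the RODC, and prepopulate one user's credentials. Assumptions: the ActiveDirectory module, a hypothetical RODC BRANCH-RODC1, a hypothetical group 'Branch Users' and user 'jdoe'.

```powershell
# Added example, not from the lecture. RODC, group and user names are hypothetical.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC1'

# 1. Effective policy: the domain-wide Allowed/Denied RODC Password Replication
#    Groups plus any entries specific to this RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object @{ n = 'Allowed'; e = { $_.Name } }
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object @{ n = 'Denied'; e = { $_.Name } }

# 2. RODC-specific policy: let this branch's users be cached on this RODC only.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users'

# 3. Usage reports (the two lists from the demonstration).
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# A stolen RODC exposes every cached secret, so privileged accounts must never
# appear in the revealed list; warn if one does.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.distinguishedName }
$revealed | Where-Object { $privileged -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${rodc}: $($_.SamAccountName)" }

# Branch users who authenticated here but are not cached still depend on the
# WAN for their next logon; these are candidates for the allow list.
$cachedDns = $revealed | ForEach-Object { $_.DistinguishedName }
$authenticated | Where-Object { $cachedDns -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName

# 4. Prepopulate: push one user's secret to the RODC before the first logon
#    (-PasswordOnly) so the branch keeps working through a WAN outage.
$src = Get-ADDomainController -Discover -Writable | Select-Object -ExpandProperty HostName
Sync-ADObject -Object (Get-ADUser 'jdoe') -Source $src -Destination $rodc -PasswordOnly
```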
Administrative Role Separation
• Allows performing local administrative tasks on the RODC
• Each RODC maintains a local security account manager (SAM) database of groups for specific administrative purposes
• The dsmgmt command allows you to manage the local roles:
dsmgmt [enter]
local roles [enter]
? [enter] for a list of commands
list roles [enter] for a list of roles
add username administrators [enter]
©2009 Microsoft Corporation.