Troubleshooting Security Issues
Lesson 6 (75 slides)

Upload: lee-hill

Post on 05-Jan-2016


Troubleshooting Security Issues, Lesson 6

Skills Matrix

Technology Skill | Objective Domain Skill | Domain #
Monitoring and Troubleshooting with Event Viewer | Troubleshoot security configuration issues; Run Event Viewer tool | 2.2
Getting Started with Event Viewer | Run Event Viewer tool | 2.2
Sorting and Grouping Events | Run Event Viewer tool | 2.2
Viewing Events | Run Event Viewer tool | 2.2
Creating Filters and Custom Views | Run Event Viewer tool | 2.2
Centralizing Event Data by Using Subscriptions | Run Event Viewer tool | 2.2
Using the Security Configuration and Analysis Snap-in | Run the Security Configuration and Analysis tool | 2.2
Using the Security Configuration and Analysis Snap-in to Analyze Settings | Run the Security Configuration and Analysis tool | 2.2
Using the Security Configuration and Analysis Snap-in to Configure Security Policy | Run the Security Configuration and Analysis tool | 2.2
Understanding, Configuring, and Troubleshooting Software Restriction Policies | Troubleshoot software restrictions | 5.2
How Software Restriction Policies Work | Troubleshoot software restrictions | 5.2
Understanding Additional Rules | Digital signing | 5.2
Configuring Software Restriction Policies | Digital signing | 5.2
Understanding Software Restriction Policies

Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.

Common reasons for implementing software restriction policies:

• Fight malicious software (malware)
• Regulate what Microsoft ActiveX controls can be installed
• Restrict running of scripts to digitally signed only
• Allow only approved software to be installed or executed
• Reduce the chance of software being installed or run that might conflict with other applications
• Restrict users from adding untrusted publishers

The default security level can be one of three security levels:

• Unrestricted – The user is not prevented from running the software.
• Disallowed – The user is prevented from running the software.
• Basic User – The user is not prevented from running the software, but is prevented from elevating the software from running with standard user privileges to running with administrator privileges.

Understanding Additional Rules

Additional rules identify software so that, when that software is run, it can be assigned a security level other than the one defined by the default.

Additional rules:

• Hash rules – Identify programs using a cryptographic hash
• Certificate rules – Identify programs by digitally signed certificates
• Path rules – Identify programs by either their local file paths, universal naming convention (UNC) paths, or registry paths
• Network Zone rules – Identify programs according to the network zone to which they belong

Understanding Hash Rules

Hash rules use hashes to identify program files so that the identified programs can be excepted in some way using additional rules or the default rule in a software restriction policy.

In Windows Vista, a new hash rule will contain two hashes:

• MD5 (Message-Digest algorithm) or SHA-1 (Secure Hash Algorithm)
• SHA-256

Hash types are determined according to the following rules:

• Files that are digitally signed will use the MD5 or SHA-1 hash according to which one is in their signature.
• Files that are not digitally signed and are on non-Windows Vista computers will use the MD5 hash.
• Files that are not digitally signed and are on Windows Vista will use both the MD5 hash and the SHA-256 hash for compatibility reasons.

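As an added example (not part of the lesson), the following PowerShell function computes the digests a hash rule would record for a file, choosing the algorithms by the rules above. Get-AuthenticodeSignature does not expose which digest a signature used, so both MD5 and SHA-1 are computed for signed files; the file it hashes is a constructed, unsigned temporary file.

```powershell
# Added example: digests an SRP hash rule would record for a file, selected by
# the rules on the slides above (signed: MD5 or SHA-1 from the signature;
# unsigned on pre-Vista: MD5; unsigned on Vista: MD5 and SHA-256).
function Get-SrpHashRuleDigests {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # $false models the "non-Windows Vista computer" case on the slide.
        [bool] $IsVista = $true
    )
    $signature = Get-AuthenticodeSignature -FilePath $Path
    $signed = ($signature.Status -eq 'Valid')

    if ($signed) {
        # The rule reuses the digest already in the signature (MD5 or SHA-1).
        # Get-AuthenticodeSignature does not say which one, so compute both and
        # compare with the Digest algorithm shown on the file's Digital
        # Signatures tab.
        $algorithms = 'MD5', 'SHA1'
    }
    elseif ($IsVista) {
        $algorithms = 'MD5', 'SHA256'   # unsigned, Vista: both, for compatibility
    }
    else {
        $algorithms = 'MD5'             # unsigned, pre-Vista: MD5 only
    }

    # A hash rule also records the file length, which must match at run time.
    $length = (Get-Item -Path $Path).Length
    $digests = foreach ($alg in $algorithms) {
        $h = Get-FileHash -Path $Path -Algorithm $alg
        [pscustomobject]@{ Algorithm = $alg; Hash = $h.Hash.ToLower(); Length = $length }
    }
    [pscustomobject]@{
        Path            = $Path
        Signed          = $signed
        SignatureStatus = $signature.Status
        Digests         = $digests
    }
}

# Constructed sample input so the example runs offline: an unsigned file with
# an executable extension. Its content is text, not a real program.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'srp-hash-sample.exe'
Set-Content -Path $sample -Value 'constructed sample, not a real executable' -Encoding ascii

# Vista case: MD5 and SHA-256 rows. Pre-Vista case: an MD5 row only.
(Get-SrpHashRuleDigests -Path $sample).Digests | Format-Table -AutoSize
(Get-SrpHashRuleDigests -Path $sample -IsVista $false).Digests | Format-Table -AutoSize
```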
Understanding Certificate Rules

Certificate rules use certificates to identify program files so that the identified programs can be excepted in some way using additional rules or the default rule in a software restriction policy.

• Windows Vista does not enable certificate rules by default.
• Certificate rules can only assign a security level of Unrestricted or Disallowed.

Understanding Path Rules

Path rules use file paths or registry paths to identify program files so that the identified programs can be excepted in some way using additional rules or the default rule in a software restriction policy.

There are two types of path rules:

• File path rules – Can specify a folder or a fully qualified path to a program file. In the case of a folder, file path rules identify all software in the folder and its subfolders recursively.
• Registry path rules – Identify programs according to the paths that the programs specify in the registry as their install locations. Not all programs create such an entry in the registry.

Understanding Network Zone Rules

Network zone rules use the network zone from which you downloaded the software as the criterion for creating software restriction policies.

There are five network zones:

• Internet
• Local Intranet
• Restricted Sites
• Trusted Sites
• Local Computer

Using Additional Rules

Additional rules enable you to configure non-default behavior for software restriction policies. In other words, additional rules are the exceptions to a default rule.

Understanding Additional Rules Precedence

The most specific SRP takes precedence. Any ties are resolved according to the following precedence, highest first:

• Hash rule
• Certificate rule
• Path rule
• Internet zone rule
• Default security level

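The precedence above, applied by an added PowerShell function that is not part of the lesson: given a constructed rule set, it returns the security level that wins for a program, letting a longer matching path rule beat a shorter one and breaking ties between rule types in the order listed. The file path, hash, publisher and zone are passed in as parameters rather than read from a real file.

```powershell
# Added example: resolve which software restriction rule wins for a program.
# Specificity first (a hash names one file; a longer path is more specific than
# a shorter one), then the slide's tie-break order: hash > certificate > path >
# Internet zone > default security level.
$TypeRank = @{ Hash = 1; Certificate = 2; Path = 3; Zone = 4 }

function Resolve-SrpLevel {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [string]   $DefaultLevel,
        [Parameter(Mandatory)] [string]   $FilePath,
        [string] $Sha256,      # hash of the file being run (if known)
        [string] $Publisher,   # signing certificate subject (if signed)
        [string] $Zone         # zone the file was downloaded from (if any)
    )
    $hits = foreach ($rule in $Rules) {
        switch ($rule.Type) {
            'Hash'        { if ($Sha256 -and $rule.Value -eq $Sha256) { $rule } }
            'Certificate' { if ($Publisher -and $rule.Value -eq $Publisher) { $rule } }
            'Path'        {
                # A folder path covers the folder and everything beneath it.
                $prefix = $rule.Value.TrimEnd('\') + '\'
                if ($FilePath -eq $rule.Value -or
                    $FilePath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { $rule }
            }
            'Zone'        { if ($Zone -and $rule.Value -eq $Zone) { $rule } }
        }
    }
    if (-not $hits) {
        return [pscustomobject]@{ Level = $DefaultLevel; MatchedBy = 'Default security level'; Value = $null }
    }
    # Lower rank wins; among path rules the longest (most specific) path wins.
    $best = $hits |
        Sort-Object -Property @{ Expression = { $TypeRank[$_.Type] } },
                              @{ Expression = { $_.Value.Length }; Descending = $true } |
        Select-Object -First 1
    [pscustomobject]@{ Level = $best.Level; MatchedBy = "$($best.Type) rule"; Value = $best.Value }
}

# Constructed rule set: default Disallowed, Program Files allowed, one legacy
# folder blocked again, one approved build allowed by hash, Internet downloads blocked.
$approvedHash = '0' * 64   # constructed stand-in for a real SHA-256
$rules = @(
    [pscustomobject]@{ Type = 'Path'; Value = 'C:\Program Files';             Level = 'Unrestricted' }
    [pscustomobject]@{ Type = 'Path'; Value = 'C:\Program Files\Legacy Tool'; Level = 'Disallowed' }
    [pscustomobject]@{ Type = 'Hash'; Value = $approvedHash;                  Level = 'Unrestricted' }
    [pscustomobject]@{ Type = 'Zone'; Value = 'Internet';                     Level = 'Disallowed' }
)
$tool = 'C:\Program Files\Legacy Tool\tool.exe'
# Only the two path rules match: the longer, more specific one decides.
Resolve-SrpLevel -Rules $rules -DefaultLevel 'Disallowed' -FilePath $tool
# The approved build's hash rule is also a match and outranks both path rules.
Resolve-SrpLevel -Rules $rules -DefaultLevel 'Disallowed' -FilePath $tool -Sha256 $approvedHash
# Outside any path rule, downloaded from the Internet zone.
Resolve-SrpLevel -Rules $rules -DefaultLevel 'Disallowed' -FilePath 'D:\setup.exe' -Zone 'Internet'
# Nothing matches, so the default security level applies.
Resolve-SrpLevel -Rules $rules -DefaultLevel 'Disallowed' -FilePath 'D:\setup.exe'
```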
Configuring Software Restriction Policies Through Group Policy

Figure: Group Policy object with the Software Restriction Policies node expanded

Setting the Default Security Level

• Open the GPO that you want to edit in the Group Policy Object Editor.
• In the console tree of the Group Policy Object Editor, expand Software Restriction Policies.
• Under Software Restriction Policies, select Security Levels.
• Right-click the security level that you want to designate as the default security level, and then click Properties.
• Click Set as Default.
• If you are moving to a more restrictive default security level, a message box will ask you to confirm the change. Click Yes.
• Click OK to close the Security Level Properties dialog box.

Configuring Enforcement Options

Figure: Enforcement Properties dialog box

Adding or Removing Designated File Types

• Open the GPO that you want to edit in the Group Policy Object Editor.
• In the Group Policy Object Editor, select Software Restriction Policies.
• In the details pane, right-click Designated File Types, and then click Properties.
• To add a designated file type, key the extension in the File extension text box, and then click Add.
• To remove a designated file type, select it in the Designated file types list box, and then click Remove.
• A Software Restriction Policies warning box appears. Click Yes.
• Click OK to close the Designated File Types Properties dialog box.

Creating a Certificate Rule

• Open the GPO that you want to edit in the Group Policy Object Editor.
• In the Group Policy Object Editor, under Software Restriction Policies, right-click Additional Rules, and then click New Certificate Rule.
• Click Browse. The Open dialog box appears.
• Browse to and select the certificate that you want to base the rule on, and then click Open.
• In the New Certificate Rule dialog box, in the Security level drop-down list, select one of the following:
  • Unrestricted – Select to allow the user to run the software. The user can elevate the software from running with standard user privileges to running with administrator privileges.
  • Disallowed – Select to prevent the user from running the software.
• In the Description text box, you can optionally type a description of the purpose of the rule.
• Click OK to close the New Certificate Rule dialog box.

Creating a Hash Rule

Figure: New Hash Rule dialog box

Creating a Network Zone Rule

Figure: New Network Zone Rule dialog box

Creating a Path Rule

Figure: New Path Rule dialog box

Monitoring and Troubleshooting with Event Viewer

Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.

Starting Event Viewer

Figure: Event Viewer console

Summary of Administrative Events – This section contains a custom view of events in which the events are grouped according to event type.

There are five common event types:

• Error
• Warning
• Information
• Audit Success
• Audit Failure

Figure: Summary of Administrative Events section of Event Viewer with the Audit Failure node expanded

Figure: Event Viewer console tree with the Windows Logs node expanded

Sorting and Grouping Events

You can sort and group events around many pivots to more easily find the events that you are looking for:

• Level
• Date and Time
• Source
• Event ID
• Task Category

Sorting by and Configuring Column Headings

Figure: Add/Remove Columns dialog box

Viewing Event Data in Event Viewer

Figure: General tab of the Event Properties dialog box

Attaching a Task to an Event

• Open Event Viewer.
• In Event Viewer, right-click an example of the event to which you want to attach a task, and then click Attach Task to this Event.
• Follow the instructions in the wizard to create the task.

Filtering a Log

Select the event levels that you want to include in the event list:

• Critical – There is a serious problem and you should take action immediately.
• Error – There is an error. You most likely should address the error.
• Warning – There may be a problem.
• Information
• Verbose – Informational only

Creating and Saving a Custom View

Figure: Create Custom View dialog box

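The level filter the dialog builds, as an added PowerShell example that is not part of the lesson: Get-WinEvent takes the same log name, levels and start time, the Security log's Audit Failure events are selected by keyword, and an event's XML view is read back. The System log, the Security log and the one-day window are assumptions.

```powershell
# Added example: the Filter Current Log choices expressed for Get-WinEvent.
# Level numbers as Event Viewer uses them: 1 Critical, 2 Error, 3 Warning,
# 4 Information, 5 Verbose.
function Get-FilteredEvents {
    param(
        [string]   $LogName   = 'System',
        [int[]]    $Levels    = @(1, 2, 3),            # Critical, Error, Warning
        [datetime] $Since     = (Get-Date).AddDays(-1),
        [int]      $MaxEvents = 20
    )
    $filter = @{ LogName = $LogName; Level = $Levels; StartTime = $Since }
    # Get-WinEvent reports "No events were found" as an error; treat it as empty.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, TaskDisplayName, Message
}

# Audit Success / Audit Failure are keywords on Security log events, not levels.
# 0x10000000000000 is the standard Audit Failure keyword bit. Reading the
# Security log needs administrator rights or Event Log Readers membership.
function Get-AuditFailures {
    param(
        [datetime] $Since     = (Get-Date).AddDays(-1),
        [int]      $MaxEvents = 20
    )
    $auditFailure = [long] 0x10000000000000
    $filter = @{ LogName = 'Security'; Keywords = $auditFailure; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# Event details are stored as XML; ToXml() returns what the Details > XML View
# tab shows, so the same fields can drive a scripted custom view.
function Get-EventSystemFields {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    $sys = ([xml] $Event.ToXml()).Event.System
    # EventID is plain text unless the element carries a Qualifiers attribute,
    # in which case the number sits in '#text'.
    $id = if ($sys.EventID -is [string]) { $sys.EventID } else { $sys.EventID.'#text' }
    [pscustomobject]@{
        Provider    = $sys.Provider.Name
        EventID     = $id
        Level       = $sys.Level
        TimeCreated = $sys.TimeCreated.SystemTime
        Computer    = $sys.Computer
    }
}

Get-FilteredEvents | Format-Table -AutoSize
Get-AuditFailures | Select-Object -First 1 | ForEach-Object { Get-EventSystemFields -Event $_ }
```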
Centralizing Event Data Using Subscriptions

New in Windows Vista is the ability to centralize event data by creating subscriptions between a collector computer and forwarders.

Configure the forwarding computers by using the winrm quickconfig command, which does the following:

• Sets the startup type for the Windows Remote Management (WinRM) service to Automatic (Delayed Start)
• Starts the WinRM service
• Enables an exception in Windows Firewall for Windows Remote Management

When the winrm quickconfig command has completed:

• Add the collector's machine account to the Event Log Readers group on the forwarders.
• Configure the subscription on the collector computer.

Configuring the Forwarding Computers

Figure: Selecting Event Log Readers in the Add New User Wizard

Configuring the Collector Computer

Figure: Subscription Properties dialog box

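An added check, not from the lesson, for the forwarder side: run on the forwarding computer, it verifies what winrm quickconfig and the group-membership step above leave behind and reports which item is still missing. The collector's machine account is a parameter and CONTOSO\COLLECTOR$ is a placeholder; Get-NetFirewallRule and Get-LocalGroupMember assume Windows 8 / Server 2012 or later with PowerShell 5.1.

```powershell
# Added example: confirm a forwarding computer is ready for a subscription.
# Run locally on the forwarder, from an elevated PowerShell session.
function Test-ForwarderReady {
    param(
        # Collector's machine account in DOMAIN\NAME$ form (placeholder below).
        [Parameter(Mandatory)] [string] $CollectorAccount
    )
    $svc = Get-Service -Name WinRM
    $checks = [ordered]@{}
    $checks['WinRM service running'] = ($svc.Status -eq 'Running')
    # quickconfig sets Automatic (Delayed Start); StartType reports that as Automatic.
    $checks['WinRM startup type Automatic'] = ($svc.StartType -eq 'Automatic')
    # quickconfig also creates the HTTP listener the collector connects to.
    $listener = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $checks['WinRM listener configured'] = [bool] $listener
    $fw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True -ErrorAction SilentlyContinue
    $checks['Windows Firewall exception enabled'] = [bool] $fw
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    $checks['Collector account in Event Log Readers'] =
        [bool] ($members | Where-Object { $_.Name -eq $CollectorAccount })
    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Ok = $entry.Value }
    }
}

# Placeholder account name; replace with your domain and collector host name.
Test-ForwarderReady -CollectorAccount 'CONTOSO\COLLECTOR$' | Format-Table -AutoSize

# If the last check fails, this is the command-line form of the slide's
# "add the collector's machine account" step (run on the forwarder):
#   net localgroup "Event Log Readers" "CONTOSO\COLLECTOR$" /add
# On the collector, wecutil qc prepares the Windows Event Collector service
# before the subscription is created in Event Viewer.
```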
Using the Security Configuration and Analysis Snap-in

The Security Configuration and Analysis Snap-in is used to:

• Compare your security configuration settings to those contained in a security template
• Export settings that you configure in a database to a security template
• Apply the security settings in a database to the local computer

The Security Configuration and Analysis Snap-in uses the following icons in its reports:

• Red X – Setting is defined in the database and on the system, but the two values do not match.
• Green check mark – Setting is defined in the database and on the system, and the values match.
• Question mark – Setting is not defined in the database and was therefore not analyzed, or the user does not have sufficient permissions to perform the analysis.
• Exclamation point – Setting is defined in the database, but not on the system.
• No icon – Setting is not defined in the database or on the system.

Creating a New Database and Analyzing Security Settings

Figure: Adding the Security Configuration and Analysis Snap-in

Configuring an Analyzed Policy

• Open the Security Configuration and Analysis Snap-in.
• In the details pane, double-click the policy setting that you want to configure.
• If you don't want the policy defined in the database, clear the Define this policy in the database check box, and then click OK.
• If you want the policy defined in the database, ensure that the Define this policy in the database check box is selected.
• Configure the Database Setting and the Computer Setting as desired.
• When you are finished, click OK to close the policy's dialog box.

Configuring Security Policy Based on Database Policy Settings

• Open the Security Configuration and Analysis Snap-in, load a database, and make any desired modifications to the security policies in the database.
• Right-click Security Configuration and Analysis, and then click Configure Computer Now.
• Specify an alternate location for the log file if desired, and then click OK.

Exporting Database Security Settings to a Security Template

• Open the Security Configuration and Analysis Snap-in, and ensure that there is a database loaded from which to export settings to a template.
• Right-click Security Configuration and Analysis, and then click Export Template.
• Browse to the location where you want to save the template.
• In the File Name text box, key a name for the template, and then click Save.
• Close the console.

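The three snap-in operations above, as an added example that is not from the lesson, run through secedit.exe, the command-line front end for the same analysis database. The working directory, database, template and log paths are assumptions, and baseline.inf must be an existing security template.

```powershell
# Added example: the analyze / configure / export steps of the snap-in, done
# with secedit.exe against the same kind of .sdb database. Run elevated.
# Paths below are assumptions; baseline.inf must be an existing security template.
$workDir  = 'C:\SecAnalysis'
$db       = Join-Path $workDir 'baseline.sdb'   # analysis database (created by /analyze)
$template = Join-Path $workDir 'baseline.inf'   # template to compare the system against
$log      = Join-Path $workDir 'analysis.log'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. "Open Database" with a template, then "Analyze Computer Now".
secedit /analyze /db $db /cfg $template /log $log /quiet

# The log records each setting that differs from the database; the "Mismatch"
# lines are the counterpart of the snap-in's red X entries.
function Get-SeceditMismatches {
    param([Parameter(Mandatory)] [string] $LogPath)
    Get-Content -Path $LogPath |
        Where-Object { $_ -match '^\s*Mismatch' } |
        ForEach-Object { $_.Trim() }
}
Get-SeceditMismatches -LogPath $log

# 2. "Configure Computer Now": apply the database settings to this computer.
#    Left commented out so the analysis can be reviewed first; it changes local policy.
# secedit /configure /db $db /log $log /quiet

# 3. "Export Template": write the database settings out as a new .inf template.
secedit /export /db $db /cfg (Join-Path $workDir 'exported.inf')
```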
Summary: You Learned

• Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.
• Additional rules in software restriction policies are exceptions to a default rule and come in four varieties: hash rules, certificate rules, path rules, and network zone rules.
• Hash rules use hashes to identify program files in software restriction policies.
• Certificate rules use certificates to identify program files in software restriction policies.
• Path rules use file paths or registry paths to identify program files in software restriction policies.
• Network zone rules use the locations from which you downloaded the software to identify program files in software restriction policies.
• Software restriction policies can be configured for both users and computers.
• You learned how to set the default security level for software restriction policies.
• You learned how to configure enforcement options for software restriction policies.
• You learned how to add or remove designated file types for software restriction policies.
• You learned how to create certificate, hash, network zone, and path rules for software restriction policies.
• Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.
• You learned how to use Event Viewer to view events on the local computer and on remote computers.
• You learned how to sort and group events around pivots to more easily find the events that you are looking for.
• Event details are stored in XML and can be viewed in XML or in a more readable format.
• Filters and custom views enable you to filter large numbers of events according to custom criteria.
• You learned how to filter a log and how to create and save a custom view.
• You learned how to centralize event data by creating subscriptions between a collector computer and forwarders.
• The Security Configuration and Analysis Snap-in is used to compare your security configuration settings to those contained in a security template, export settings that you configure in a database to a security template, and apply the security settings in a database to the local computer.
• You learned how to create a new database and analyze your system's security settings using the Security Configuration and Analysis Snap-in.
• You learned how to apply security settings from the database to the local computer using the Security Configuration and Analysis Snap-in.
• You learned how to export database security settings to a security template using the Security Configuration and Analysis Snap-in.