Outline, Chapter 11
Microsoft Windows 2000 Server
Chapter 11, Microsoft Windows 2000 Security

Chapter 11, Lesson 1
Public Key Infrastructure

1. Security Properties
   A. Authentication is the process of reliably determining the genuine identity of the communicating computer or user.
      1. Based on cryptography
      2. Ensures that an attacker eavesdropping on the network cannot gain the information needed to impersonate a valid user or identity
   B. Integrity is the assurance that data arrives exactly as it was originally sent; any modification in transit is detected.
   C. Confidentiality ensures that data is disclosed only to intended recipients.
   D. Anti-replay ensures that a datagram captured on the network is not accepted a second time if an attacker retransmits it.
2. Cryptography
   A. Cryptography is a set of mathematical techniques for encrypting and decrypting data so it can be transmitted securely and not be interpreted by unauthorized parties.
   B. Cryptography uses keys in conjunction with algorithms to secure data.
   C. The algorithm is the fixed, public procedure; the key is the secret parameter applied within it. Security rests on the secrecy of the key, not of the algorithm.
   D. A number of well-known cryptographic algorithms support security operations.
      1. Rivest, Shamir, Adleman (RSA): public key encryption and digital signatures
      2. Digital Signature Algorithm (DSA), specified by the Digital Signature Standard (DSS): digital signatures only
      3. Diffie-Hellman: agreement on a shared secret key over an untrusted network
      4. Hash-based Message Authentication Code (HMAC): a keyed integrity check built on a hash function
      5. HMAC with Message Digest 5 (HMAC-MD5)
      6. HMAC with Secure Hash Algorithm (HMAC-SHA)
      7. Data Encryption Standard in Cipher Block Chaining mode (DES-CBC): symmetric data encryption
   E. Microsoft Windows 2000 supports public key cryptography.
      1. Overview
         a. Public key cryptography is an asymmetric scheme that uses a pair of keys: a public key that can be freely distributed and a private key that is never disclosed.
         b. To use public key encryption, an entity must generate a public and private key pair.
         c. Entities obtain public keys in one of two ways.
            (1) The owner of the private key sends the receiver the matching public key.
            (2) The receiver obtains the key from a directory service.
      2. Data encryption
         a. Data encryption provides confidentiality by ensuring that only the intended recipient is able to decrypt and view the original data.
         b. When secure data must be transmitted, the sender obtains the recipient's public key and encrypts with it; only the holder of the matching private key can decrypt.
      3. Digital message signing
         a. Digital signing provides authentication and integrity but does not provide confidentiality.
         b. Digital signing allows a recipient to be certain of the identity of the sender and verifies that the content has not been modified during transit.
         c. When a sender signs a message, a message digest is created and then encrypted (signed) with the sender's private key.
         d. A message digest is a fixed-length representation of the message. It serves the same purpose as a cyclic redundancy check, but a cryptographic digest is designed so that an attacker cannot construct a different message with the same digest.
         e. Authentication is provided through the key pair: a signature that verifies with the sender's public key can only have been produced with the sender's private key.
   F. A secret (symmetric) key is used in much the same way as a public key pair, except that the same key both encrypts and decrypts.
      1. Overview
         a. There is only one key, and every party that holds it can both encrypt and decrypt.
         b. Secret keys are generally used only for a particular session or for a short period of time.
         c. In order to get the shared secret key to both parties, there must exist a mechanism for doing so without compromising security.
      2. Secret key exchange
         a. A common solution to providing the secret key to both parties is to use public keys, which make it possible to encrypt the secret key as it is sent across the network.
         b. Used together, public key encryption and signing give the exchange confidentiality, authentication, and integrity.
      3. Data encryption
         a. The data itself is encrypted by using the shared secret key, which is far faster than public key encryption of the whole message.
         b. The sender encrypts the data with the shared secret key, and the receiver decrypts the data with the shared secret key.
3. Certificates
   A. Introduction to certificates
      1. Public key encryption is only as trustworthy as the binding between a public key and its owner; it assumes that the identity of the key pair owner is established beyond doubt.
      2. A digital certificate is a set of data that identifies an entity and binds that identity to a public key, signed by a party the recipient trusts (the certification authority).
      3. When the sender of a message signs the message with a private key, the recipient can use the public key in the sender's certificate to verify the signature and, through the certificate, that the key really belongs to the named sender.
   B. X.509
      1. The term X.509 refers to the ITU-T standard for certificate syntax and format.
      2. The Windows 2000 certificate-based processes use the X.509 standard.
      3. An X.509 certificate contains the following fields. Version 1 defines a through g and k; version 2 added the unique identifiers; version 3 added extensions.
         a. Version
         b. Serial number
         c. Signature algorithm ID
         d. Issuer name
         e. Validity period
         f. Subject (user) name
         g. Subject public key information
         h. Issuer unique identifier
         i. Subject unique identifier
         j. Extensions
         k. Signature on the above fields
   C. Certificate revocation lists (CRLs)
      1. Certificates expire at the end of their validity period and become invalid.
      2. The certification authority (CA) can also revoke a certificate before it expires, for any reason, for example a compromised private key or a change in the subject's role.
      3. The CA maintains a CRL, a signed list of the serial numbers of revoked certificates. A relying party must check the CRL in addition to the validity period, because a revoked certificate still carries a valid CA signature.
   D. CA hierarchy
      1. CAs can certify other CAs.
      2. The chaining of CAs provides several benefits.
         a. Flexibility
         b. Distributed administration
         c. Different security policies
      3. The CA at the top of the chain is referred to as the root CA. Its certificate is self-signed, so trust in a root must be established by installing it deliberately rather than by verifying a signature.
4. Microsoft Certificate Services
   A. Overview of Certificate Services
      1. Enables an organization to manage the issuance, renewal, and revocation of digital certificates
      2. Allows an organization to control the policies associated with issuing, managing, and revoking certificates
      3. Logs all transactions
   B. Certificate Services features
      1. Policy independence
         a. In order to obtain a certificate, requestors must meet certain criteria, which are defined in certificate policies.
         b. Policies are implemented in policy components that can be written in Java, Microsoft Visual Basic, or Microsoft C/C++.
      2. Transport independence
         a. Certificate Services can request and distribute certificates through any transport mechanism.
         b. Transport mechanisms can include HTTP, RPC, disk file, or custom transport.
      3. Adherence to standards
         a. Certificate Services can perform several services.
            (1) Accept standard Public Key Cryptography Standards (PKCS) #10 certificate requests
            (2) Support PKCS #7 cryptographically signed data
            (3) Issue X.509 version 1 and version 3 certificates
         b. Support for additional certificate formats can be added to Certificate Services.
      4. Key management
         a. The security of a certification system depends on the protection of private keys; a CA whose signing key is disclosed can no longer be trusted for any certificate it has issued.
         b. Certificate Services relies on Microsoft CryptoAPI to provide key management functionality and other cryptographic capabilities for building a secure store.
   C. Certificate Services architecture
      1. Server engine
         a. The server engine is the core component of Certificate Services.
         b. The engine acts as a broker for all requests, driving the flow of information between components.
      2. Intermediary
         a. The intermediary is the architectural component that receives new certificate requests from clients and submits them to the server engine.
         b. The intermediary is composed of two parts.
            (1) The intermediary application that performs actions on behalf of clients
            (2) The Certificate Services Client Interface that handles communications between the intermediary application and the server engine
      3. Server database
         a. The server log provides various types of storage functions.
            (1) Stores all certificates and CRLs issued by the server
            (2) Used by the server engine to store pending revocations before they are published to the CRL
            (3) Stores recent certificate requests for a configurable period
         b. The server queue maintains status information as the server processes a certificate request.
      4. Policy module
         a. Contains the set of rules governing the issuance, renewal, and revocation of certificates
         b. Used to parse any supplemental information provided within a request and set properties on the certificate
      5. Extension handlers
         a. Work in tandem with the policy module to set custom extensions on a certificate
         b. Act as templates for the custom extensions that should appear in certificates
      6. Exit modules
         a. Exit modules publish completed certificates and CRLs.
         b. The server notifies each exit module installed on the server whenever a certificate or CRL is published.
   D. Processing certificate requests
      1. Processing a certificate request
         a. The certificate request is sent by the client to an intermediary application. The intermediary application formats it into a PKCS #10 request and submits it to the server engine.
         b. The server engine calls the policy module, which queries request properties, decides whether or not the request is authorized, and sets optional certificate properties.
         c. If the request is approved, the server engine takes the request and builds a complete certificate.
         d. The server engine stores the completed certificate in the certificate store and notifies the intermediary application of the request status. If the exit module has so requested, the server engine also notifies it of a certificate issuance event, which allows the exit module to perform further operations, such as publishing the certificate to a directory service.
         e. The intermediary gets the published certificate from the certificate store and passes it back to the client.
      2. Enrolling certificates
         a. The process of obtaining a digital certificate is called certificate enrollment.
         b. The enrollment control and its forms are accessed through the Certificate Services Enrollment Page.
   E. CA certificates
      1. The CA validates the identity of the requester according to its policy and then signs the certificate with its own private key.
      2. A client application checks the CA signature before accepting a certificate.
      3. The CA certificate is a signature certificate: it contains the public key used to verify the digital signatures the CA places on the certificates and CRLs it issues.
      4. A self-signed CA certificate is also called a root certificate. Because it certifies itself, its signature proves nothing about trust; the root must be placed in the relying party's trust store by an out-of-band decision.
      5. CA certificates can be distributed and installed.
         a. The CA certificate does not require issuance upon demand.
         b. The CA certificate is created once and then made readily available to all servers or clients who request certificates from the CA.
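The request, policy, issuance and validation flow described in 3 (Certificates), 4.D (Processing certificate requests) and 4.E (CA certificates), as an added example in Python. It is not Certificate Services code and nothing in it comes from the course. The CA names, the policy rule (the issuing CA accepts only `@corp.example` subjects), the lifetimes and the use of textbook RSA over a SHA-256 digest on freshly generated 512-bit keys are assumptions made for the illustration; the RSA here shows the structure of signing and verification and is not a secure signature scheme.

```python
"""Toy certificate life cycle: request, policy decision, issuance, chain validation.
Textbook RSA over SHA-256 (no padding) with fresh 512-bit keys: it shows the
structure, it is not a secure signature scheme.  Names and policy are constructed."""
import hashlib, json, secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=512):
    """Returns (public (n, e), private (n, d)) for textbook RSA."""
    def prime(k):
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1          # k bits, odd
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:                              # gcd(e, phi) == 1 since e is prime
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def sign(private, digest): return pow(digest, private[1], private[0])
def verify(public, digest, sig): return pow(sig, public[1], public[0]) == digest
def _digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")

def tbs_digest(cert):
    """Digest over the to-be-signed fields (everything but the signature)."""
    return _digest(json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode())

def build_certificate(issuer, serial, subject, public, now, lifetime, is_ca, signing_key):
    """The X.509 fields of 3.B (optional unique identifiers omitted) plus the issuer's signature."""
    cert = {"version": 3, "serial": serial, "signature_algorithm": "sha256WithRSA", "issuer": issuer,
            "not_before": now, "not_after": now + lifetime, "subject": subject, "public_key": public,
            "extensions": {"cA": is_ca}}
    cert["signature"] = sign(signing_key, tbs_digest(cert))
    return cert

def make_request(subject, public, private):
    """PKCS #10-style request: subject and key, signed with the matching private key (proof of possession)."""
    return {"subject": subject, "public_key": public, "signature": sign(private, _digest(subject.encode()))}

class CertificationAuthority:
    def __init__(self, name, cert, private, policy):
        self.name, self.cert, self._private, self.policy = name, cert, private, policy
        self.revoked, self._next_serial = set(), 1               # the CRL; serials are per CA
    def issue(self, request, now, lifetime, is_ca=False):
        """4.D.1: check proof of possession, ask the policy module, build and sign."""
        if not verify(request["public_key"], _digest(request["subject"].encode()), request["signature"]):
            raise ValueError("request signature does not verify")
        if not self.policy(request):
            raise PermissionError("policy module denied " + request["subject"])
        cert = build_certificate(self.name, self._next_serial, request["subject"], request["public_key"],
                                 now, lifetime, is_ca, self._private)
        self._next_serial += 1
        return cert

def validate_chain(chain, trusted_roots, crls, now):
    """chain = [end entity, ..., root]; crls maps CA name -> revoked serials.  The root is
    accepted only from the trust store: its self-signature proves nothing."""
    if tbs_digest(chain[-1]) not in {tbs_digest(c) for c in trusted_roots}:
        return False, "root not trusted"
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, cert["subject"] + ": outside validity period"
        if issuer["subject"] != cert["issuer"] or not issuer["extensions"]["cA"]:
            return False, cert["subject"] + ": issuer mismatch or issuer is not a CA"
        if not verify(issuer["public_key"], tbs_digest(cert), cert["signature"]):
            return False, cert["subject"] + ": bad signature"
        if cert["serial"] in crls.get(cert["issuer"], set()):
            return False, cert["subject"] + ": revoked"
    return True, "ok"

def demo(now=1_000_000_000, day=86400):
    """Root CA -> issuing CA -> user, then the cases a relying party must reject."""
    root_pub, root_priv = generate_keypair()
    root_cert = build_certificate("Corp Root CA", 0, "Corp Root CA", root_pub, now, 3650 * day, True, root_priv)
    root = CertificationAuthority("Corp Root CA", root_cert, root_priv, lambda req: True)
    sub_pub, sub_priv = generate_keypair()
    sub_cert = root.issue(make_request("Corp Issuing CA", sub_pub, sub_priv), now, 1825 * day, is_ca=True)
    sub = CertificationAuthority("Corp Issuing CA", sub_cert, sub_priv,
                                 lambda req: req["subject"].endswith("@corp.example"))   # assumed policy rule
    user_pub, user_priv = generate_keypair()
    user_cert = sub.issue(make_request("alice@corp.example", user_pub, user_priv), now, 365 * day)
    chain, trust = [user_cert, sub_cert, root_cert], [root_cert]
    crls = lambda: {root.name: root.revoked, sub.name: sub.revoked}
    results = {"valid": validate_chain(chain, trust, crls(), now),
               "untrusted_root": validate_chain(chain, [], crls(), now),
               "expired": validate_chain(chain, trust, crls(), now + 400 * day)}
    try:
        sub.issue(make_request("mallory@evil.example", *generate_keypair()), now, 365 * day)
    except PermissionError as denied:
        results["policy_denied"] = str(denied)
    sub.revoked.add(user_cert["serial"])                          # published on the issuing CA's CRL
    results["revoked"] = validate_chain(chain, trust, crls(), now)
    return results
```

Running `demo()` walks the same path a Windows 2000 client takes when it checks a certificate: the signature on each certificate is verified with the public key of the next one up, the root is accepted only because it is already in the trust store, and the user certificate is rejected as soon as its serial number appears on the issuing CA's CRL, even though its signature is still valid.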
   F. Installing Certificate Services
      1. You can install Certificate Services by using Add/Remove Programs in Control Panel.
      2. Certificate Services supports four certification authority types.
         a. Enterprise root CA
         b. Enterprise subordinate CA
         c. Stand-alone root CA
         d. Stand-alone subordinate CA
      3. You must supply information about the initial CA that is created when you install Certificate Services.
      4. The advanced configuration contains options for the cryptographic service provider, hash algorithm, and key length used for the CA that you are creating. Choose the key length with the CA's lifetime in mind, because the CA key cannot be strengthened later without reissuing every certificate under it.
   G. Administering Certificate Services
      1. The main tool used to administer Certificate Services is the Certification Authority snap-in, which allows you to perform a number of tasks.
      2. You can use the Certification Authority snap-in to administer a certification authority on the local computer or on another computer.
      3. Certutil.exe is a command-line utility used for administering Certificate Services.
      4. To set security for the CA Web pages, use the Internet Information Services snap-in.
Chapter 11, Lesson 2
Public Key Technologies

1. Secure Channel (SChannel) Authentication Package
   A. The SChannel authentication package is a security support provider that sits below the Security Support Provider Interface (SSPI), so applications reach it through the same SSPI calls they use for Kerberos or NTLM.
   B. SChannel implements the Secure Sockets Layer (SSL) 3.0 protocol and the Transport Layer Security (TLS) 1.0 protocol.
   C. TLS is based on SSL 3.0 and is the Internet Engineering Task Force (IETF) standard that supersedes it.
   D. SSL and TLS provide secure data communication through data encryption and decryption.
   E. SSL and TLS include several benefits.
      1. Authentication that assures the client that it is talking to the server named in the server's certificate (and, when client certificates are used, assures the server of the client's identity)
      2. Encryption that assures that nothing other than the secure target server can read the data
      3. Data integrity that assures that the transferred data has not been altered
2. Smart Cards
   A. Smart cards can be used to store a user's public key, private key, and certificate. The private key never leaves the card; signing and decryption are performed by the card's coprocessor.
   B. To use a smart card, a computer must have a smart card reader.
   C. A smart card contains an embedded microprocessor, a cryptography coprocessor, and local storage that includes
      1. 6 to 24 KB ROM for the smart card operating system and applications
      2. 128 to 512 bytes of RAM for run-time data
      3. 1 to 16 KB EEPROM for user data
   D. Windows 2000 supports public key based smart card logon as an alternative to passwords for domain authentication.
      1. The authentication process makes use of the PKINIT protocol, the Kerberos extension in which the client proves its identity to the KDC with its certificate and a private key signature instead of a password-derived key.
      2. The system recognizes a smart card insertion event as an alternative to the standard Ctrl+Alt+Delete secure attention sequence.
3. Authenticode
   A. Ensures accountability and authenticity for software components on the Internet
   B. Verifies that the software hasn't been tampered with since it was signed and identifies the publisher of the software; it does not certify that the code is safe, only who signed it
   C. Allows software publishers to digitally sign any form of active content
4. Encrypting File System (EFS)
   A. Overview of EFS
      1. EFS is an extension of NTFS that provides strong data protection and encryption for files and folders.
      2. The encryption technology is based on use of public keys and runs as an integrated system service.
      3. The encrypting user's public key is used in the encryption process, to protect the per-file key rather than the file contents themselves.
      4. Encryption and decryption are done transparently during the I/O process.
      5. EFS supports encryption and decryption of files stored on remote NTFS volumes. In that case the file is decrypted on the server and travels across the network in the clear unless the connection is itself protected, for example with IPSec.
   B. Data protection
      1. EFS uses a combination of the user's public and private keys and a per-file symmetric file encryption key (FEK).
      2. Windows 2000 uses the Data Encryption Standard X (DESX) algorithm, a strengthened variant of DES, to encrypt file contents with the FEK.
   C. Data recovery
      1. The Encrypted Data Recovery Policy is used to specify who can recover data in case a user's private key is lost.
      2. For security, recovery is limited to the encrypted data; it is not possible to recover users' private keys, because the recovery agent holds only an independently wrapped copy of each file's key.
   D. Encrypted backup and restoration
      1. Members of the Backup Operators group do not have the keys necessary for decryption.
      2. Encrypted data is read and stored in the backup as an opaque stream of data, so a backup can be taken and restored without the plaintext ever being exposed.
   E. Fault tolerance
      1. The processes of encryption and decryption are automatic and transparent to users and applications.
      2. You can encrypt a file or folder in Windows Explorer and from the command prompt.
   F. EFS encryption
      1. The EFS service opens the file for exclusive access.
      2. All data streams in the file are copied to a temporary file.
      3. A file encryption key is randomly generated and used to encrypt the file with DESX.
      4. A Data Decryption Field (DDF) is created that contains the file key, encrypted with the user's public key.
      5. A Data Recovery Field (DRF) is created that contains the file key, this time encrypted with the recovery agent's public key. The recovery agent's public key is obtained from the Encrypted Data Recovery Policy (EDRP).
      6. The EFS service writes the encrypted data, along with the DDF and DRF, back to the file.
   G. EFS decryption
      1. When an application accesses an encrypted file, NTFS recognizes the file as encrypted and sends a request to the EFS driver.
      2. The EFS driver retrieves the DDF and passes it to the EFS service.
      3. The EFS service decrypts the DDF with the user's private key to obtain the file key.
      4. The EFS service passes the file key back to the EFS driver.
      5. The EFS driver uses the file key to decrypt the file.
      6. The EFS driver returns the decrypted data to NTFS, which then completes the file request and sends the data to the requesting application.
   H. EFS recovery
      1. NTFS sends a request to the EFS driver.
      2. The EFS driver retrieves the DRF and passes it to the EFS service.
      3. The EFS service decrypts the DRF by using the recovery agent's private key to obtain the file key.
      4. The EFS service passes the file key back to the EFS driver.
      5. The EFS driver uses the file key to decrypt the file.
      6. The EFS driver returns the recovered data to NTFS, which then completes the file request and sends the data to the requesting application.
   I. Cipher command-line utility
      1. The cipher command-line utility allows you to encrypt and decrypt files from a command prompt.
      2. The cipher command includes a number of parameters.
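The EFS key hierarchy of F, G and H above, as an added example in Python; this is not EFS or CryptoAPI code. Two stand-ins are used because the Python standard library has neither DESX nor RSA: the file body is encrypted with a SHA-256 keystream, and the DDF/DRF key wrapping is an ElGamal-style construction in a toy 127-bit group. Neither is what Windows 2000 uses, but the structure is the same: one random file key, wrapped once per key holder, and the recovery agent can reach the data without ever touching the user's private key. The key sizes, the group and the sample data are assumptions.

```python
"""EFS key hierarchy: a random file encryption key (FEK) protects the data and is
wrapped once per key holder (user DDF, recovery agent DRF).  Stand-ins, since the
standard library has neither DESX nor RSA: a SHA-256 keystream for the file body
and an ElGamal-style wrap in a toy 127-bit group for the DDF/DRF."""
import hashlib
import secrets

_P, _G = (1 << 127) - 1, 3         # Mersenne prime; toy-sized, not a real group choice

def keypair():
    """Returns (private x, public y = g^x mod p)."""
    x = secrets.randbelow(_P - 2) + 1
    return x, pow(_G, x, _P)

def _keystream(key, length):
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_key(fek, public_y):
    """Encrypt the FEK to a public key: this is what a DDF or DRF holds."""
    k = secrets.randbelow(_P - 2) + 1
    kek = hashlib.sha256(pow(public_y, k, _P).to_bytes(16, "big")).digest()
    return pow(_G, k, _P), _xor(fek, kek)

def unwrap_key(wrapped_field, private_x):
    c1, wrapped = wrapped_field
    kek = hashlib.sha256(pow(c1, private_x, _P).to_bytes(16, "big")).digest()
    return _xor(wrapped, kek)

class EncryptedFile:
    """On-disk result of F: ciphertext plus one DDF and one DRF."""
    def __init__(self, ciphertext, ddf, drf):
        self.ciphertext, self.ddf, self.drf = ciphertext, ddf, drf

def efs_encrypt(plaintext, user_public, agent_public):
    """F.3 to F.6: random FEK, encrypt the data, wrap the FEK for user and recovery agent."""
    fek = secrets.token_bytes(24)                          # DESX uses a 192-bit key
    ciphertext = _xor(plaintext, _keystream(fek, len(plaintext)))
    return EncryptedFile(ciphertext, wrap_key(fek, user_public), wrap_key(fek, agent_public))

def efs_decrypt(f, user_private):
    """G: the DDF yields the FEK, the FEK yields the data."""
    fek = unwrap_key(f.ddf, user_private)
    return _xor(f.ciphertext, _keystream(fek, len(f.ciphertext)))

def efs_recover(f, agent_private):
    """H: the same path through the DRF.  The agent learns this file's FEK only,
    never the user's private key (C.2)."""
    fek = unwrap_key(f.drf, agent_private)
    return _xor(f.ciphertext, _keystream(fek, len(f.ciphertext)))

def backup_copy(f):
    """What a Backup Operator handles (D): an opaque copy, no keys involved."""
    return EncryptedFile(bytes(f.ciphertext), f.ddf, f.drf)

def demo():
    user_private, user_public = keypair()
    agent_private, agent_public = keypair()
    other_private, _ = keypair()                           # some unrelated user
    secret = b"Q3 payroll figures (constructed sample data)"
    restored = backup_copy(efs_encrypt(secret, user_public, agent_public))
    return {
        "user_reads_file": efs_decrypt(restored, user_private) == secret,
        "agent_recovers_file": efs_recover(restored, agent_private) == secret,
        "other_user_gets_garbage": efs_decrypt(restored, other_private) != secret,
        "backup_holds_no_plaintext": secret not in restored.ciphertext,
    }
```

The point to take from `demo()` is which key opens which field: the user's private key opens only the DDF, the recovery agent's private key opens only the DRF, and a backup passes the whole structure through untouched. Losing the user's private key therefore loses the DDF path but not the data, which is exactly why the recovery policy must be in place before files are encrypted, not after.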
   A. Overview of IPSec
      1. IPSec protects sensitive data on a TCP/IP network.
      2. The computer initiating communication transparently encrypts the data by using IPSec before it leaves the computer.
      3. The destination computer transparently decrypts the data before passing it to the destination process.
      4. IPSec ensures that TCP/IP-based communication is protected from network eavesdropping and, through its integrity check and sequence numbers, from modification and replay, without any change to the applications.
   B. IPSec policies
      1. Negotiation policies
         a. Negotiation policies determine the security services (for example authentication only or authentication with encryption, and which algorithms) used during network communication.
         b. You can set multiple security methods for each negotiation policy; the peers agree on the first method that both accept.
      2. IP filters
         a. IP filters select traffic based on the source and destination addresses of an IP packet, the protocol in use, and the related ports that the protocol uses.
         b. Each IP packet is checked against the IP filter list, and the action of the matching filter (permit, block, or negotiate security) is applied.
      3. Security policies
         a. Security policies are used to configure IPSec attributes.
         b. A computer logging on to a domain automatically obtains the properties of the default domain and local policies, including the IPSec policy.
   C. IPSec components
      1. IPSec Policy Agent service
      2. ISAKMP/Oakley (IKE) protocols
      3. IPSec driver
   D. Example of IPSec communication
      1. User 1 launches an application that communicates on the network by using TCP/IP to send data to User 2. The security policies assigned to Computer A and Computer B determine the level of security for the network communication.
      2. The IPSec Policy Agent service retrieves the policies and passes them to the ISAKMP/Oakley (IKE) protocols and IPSec driver.
      3. The ISAKMP/Oakley (IKE) protocols on each computer use the negotiation policies associated with the assigned security policy to authenticate each other, agree on keys, and settle on a common set of security methods, the Security Association (SA). The results of the negotiation are passed on each computer to the IPSec driver, which uses the keys to protect the data.
      4. Finally, the IPSec driver sends the protected data to Computer B. The IPSec driver on Computer B verifies and decrypts the data and passes it on to the receiving application.
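An added example in Python of the two halves of an IPSec policy described above, the filters that decide what happens to a packet and the security association that protects the packets selected for it; it also illustrates the authentication, integrity and anti-replay properties from Lesson 1, 1.A, B and D. This is not Windows code. The filter list, addresses, packets and the authentication key (which IKE would negotiate in the real system) are constructed. The SA authenticates each packet with HMAC-SHA1 truncated to 96 bits as AH and ESP do and keeps a 64-packet sliding replay window; it carries no encryption because the standard library has no DES.

```python
"""IPSec policy in two parts: filters that decide what happens to a packet, and a
security association (SA) that authenticates the packets IKE negotiated keys for.
HMAC-SHA1 truncated to 96 bits as in AH/ESP, a 64-packet anti-replay window, no
encryption (the standard library has no DES).  Addresses and packets are constructed."""
import hashlib
import hmac
import ipaddress
import secrets
import struct

class IPFilter:
    """One filter: source and destination networks, protocol and destination port
    ('any' matches everything) and the action taken when it matches."""
    def __init__(self, src, dst, protocol, dst_port, action):
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.protocol, self.dst_port, self.action = protocol, dst_port, action

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.protocol in ("any", pkt["protocol"])
                and self.dst_port in ("any", pkt["dst_port"]))

def select_action(filters, pkt):
    """First matching filter wins: 'permit', 'block' or 'negotiate' (set up an SA).
    Traffic that no filter matches is passed through unprotected."""
    for f in filters:
        if f.matches(pkt):
            return f.action
    return "permit"

class SecurityAssociation:
    """One direction of an SA.  The sender numbers packets and appends an HMAC; the
    receiver checks the HMAC first, then a sliding window over the last WINDOW sequence numbers."""
    WINDOW = 64

    def __init__(self, spi, auth_key):
        self.spi, self.key = spi, auth_key
        self.next_seq = 1                  # sender state
        self.highest, self.bitmap = 0, 0   # receiver state: top of window, bits of seen packets

    def _tag(self, data):
        return hmac.new(self.key, data, hashlib.sha1).digest()[:12]

    def protect(self, payload):
        header = struct.pack("!II", self.spi, self.next_seq)
        self.next_seq += 1
        return header + payload + self._tag(header + payload)

    def verify(self, packet):
        """Returns (payload, None) if accepted, else (None, reason)."""
        header, payload, tag = packet[:8], packet[8:-12], packet[-12:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            return None, "unknown SPI"
        if not hmac.compare_digest(tag, self._tag(header + payload)):
            return None, "integrity check failed"   # forged or modified: rejected before the window is touched
        if seq > self.highest:                        # advances the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            behind = self.highest - seq
            if behind >= self.WINDOW:
                return None, "sequence number too old"
            if self.bitmap >> behind & 1:
                return None, "replayed packet"
            self.bitmap |= 1 << behind
        return payload, None

def demo():
    filters = [                                                        # constructed policy
        IPFilter("10.0.0.0/8", "10.0.5.10/32", "tcp", 445, "negotiate"),   # SMB to the file server: protect
        IPFilter("0.0.0.0/0", "10.0.5.10/32", "tcp", 23, "block"),         # telnet to it: never
        IPFilter("0.0.0.0/0", "0.0.0.0/0", "any", "any", "permit"),
    ]
    smb = {"src": "10.0.1.20", "dst": "10.0.5.10", "protocol": "tcp", "dst_port": 445}
    telnet, dns = {**smb, "dst_port": 23}, {**smb, "dst": "10.0.9.9", "protocol": "udp", "dst_port": 53}
    actions = [select_action(filters, p) for p in (smb, telnet, dns)]

    key = secrets.token_bytes(20)            # in Windows 2000 this comes out of the IKE negotiation
    sender, receiver = SecurityAssociation(0x1000, key), SecurityAssociation(0x1000, key)
    p1, p2, p3 = (sender.protect(b"chunk %d" % i) for i in (1, 2, 3))
    verdicts = [receiver.verify(p)[1] for p in (p1, p3, p2, p2)]       # reordering is fine, replay is not
    tampered = p1[:8] + bytes([p1[8] ^ 1]) + p1[9:]
    forged = struct.pack("!II", 0x1000, 99) + b"evil" + secrets.token_bytes(12)
    verdicts += [receiver.verify(tampered)[1], receiver.verify(forged)[1]]
    return actions, verdicts
```

Two details in `verify` are the ones that matter in practice: the integrity check runs before the replay window is updated, so an attacker cannot advance or poison the window with forged packets, and a packet that arrives out of order within the window is still accepted, which is why IPSec tolerates normal IP reordering without weakening replay protection.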
Chapter 11, Lesson 3
The Kerberos Protocol in Windows 2000

1. Overview of the Kerberos Protocol
   A. Introduction
      1. Kerberos is the default authentication provider in Windows 2000 and the primary security protocol for domain authentication.
      2. Kerberos verifies the identity of the user and the integrity of the session data.
      3. Kerberos operates as a trusted third party to generate session keys and grant tickets for specific client/server sessions.
      4. When the Kerberos service issues a ticket, it contains a number of components.
         a. Session key
         b. Name of the user to whom the session key was issued
         c. Expiration period of the ticket
         d. Any additional data fields or settings that may be required
      5. The expiration period of a ticket is defined by the domain policy.
   B. Kerberos protocol terms
      1. A principal is a uniquely named user, client, or server that participates in a network communication.
      2. A realm is an authentication boundary, which can be compared to a Windows 2000 domain.
      3. A secret key is a long-term encryption key shared by a client or a server and the trusted third party; it is used to encrypt the information passed between them. In the case of Kerberos, the trusted third party is the Kerberos service, and a user's secret key is derived from the user's password.
      4. The session key is a temporary encryption key used between two principals, with a lifetime limited to the duration of a single login session.
      5. An authenticator is a record, encrypted with the session key and containing a timestamp, that is used to verify that a request originated from the expected principal and is not a replay of an earlier ticket presentation.
      6. The key distribution center (KDC) provides two functions: the authentication server (AS) and the ticket granting service (TGS). The AS authenticates the user and issues the ticket granting ticket; the TGS distributes service tickets to clients that wish to connect to services on the network.
      7. The privilege attribute certificate (PAC) is a structure carried in the ticket that contains the user's security identifier (SID) and group SIDs, from which the target server builds the user's access token.
      8. A ticket is a record that allows a client to authenticate itself to a server; it is in effect a credential issued by the Kerberos service. The ticket is encrypted with the target server's secret key, so only the target server (and the KDC) can decrypt and read it.
      9. A ticket granting ticket (TGT) is a ticket for the TGS itself, obtained from the AS together with a session key for use with the TGS. After obtaining the TGT, the user can request a ticket for any service at any time; the service ticket does not come from the AS, but from the TGS.
   C. Features of the Kerberos protocol
      1. Kerberos is a mature open standard.
         a. The Windows 2000 implementation of Kerberos can interoperate with other implementations of Kerberos, such as those on UNIX.
         b. Windows 2000 Kerberos attempts to match the principal name in the ticket either to a Windows 2000 user account or to a default account created for this purpose.
      2. Kerberos provides faster connection authentication.
         a. When using Kerberos, servers do not need to do pass-through authentication.
         b. A Windows 2000 Server computer can verify the client's credentials by using the client-supplied ticket, which it decrypts with its own secret key, without having to query the Kerberos service.
      3. Kerberos provides mutual authentication.
         a. Kerberos provides mutual authentication of both the client and the server: the server proves that it holds the session key by encrypting the timestamp from the client's authenticator back to the client.
         b. Mutual authentication of both client and server is an important foundation for secure networks.
      4. Delegation of authentication allows users to connect to an application server, which in turn can connect to additional servers by using the client's credentials.
      5. Authentication credentials issued by one Kerberos service are accepted by all Kerberos services within the domain tree or forest, which is known as a transitive trust relationship.
   D. Kerberos authentication process
      1. The client sends an initial AS request to the AS portion of the Kerberos service.
      2. The Kerberos service generates an AS reply, containing the TGT and a session key for use with the TGS, and sends it to the client.
      3. The client generates and sends a TGS request that contains the client's and target server's principal names, realms, and the TGT that identifies the client.
      4. The TGS portion of the Kerberos service generates and sends a TGS reply to the client.
      5. The client then extracts the session key for the target server and generates a request for the server, containing the service ticket and a fresh authenticator.
      6. The target server decrypts the ticket by using its secret key to obtain the session key, and uses that session key to check the authenticator.
   E. Kerberos delegation
      1. The client requests and receives a ticket for target Server A from the Kerberos service.
      2. The client sends the ticket directly to Server A.
      3. Server A sends a request, impersonating the client, to the Kerberos service for a ticket for target Server B. The Kerberos service responds with a ticket that allows the client to access Server B.
      4. Server A can then send the ticket to Server B, accessing Server B as the client.
      5. In Windows 2000 this requires the account of Server A to be trusted for delegation and the user's account not to be marked "account is sensitive and cannot be delegated". Once delegated, Server A can reach any service as the client, so delegation should be granted sparingly and never to servers that run untrusted code.
2. Kerberos Logon Processes
   A. Local interactive logon
      1. When the Graphical Identification and Authentication DLL (GINA) receives the logon request, it forwards the request to the Local Security Authority (LSA). This request specifies Kerberos as the authentication package to use because this is the default package in Windows 2000.
      2. LSA processes the request and sends it to the Kerberos authentication package.
      3. When Kerberos receives the logon request, it returns an error because Kerberos is used only when authenticating logon requests for domain user accounts, not local user accounts.
      4. LSA receives the error and returns an error to the GINA.
      5. The GINA resubmits the logon request to LSA specifying the "MSV1_0" authentication package. The logon process then occurs as it would for a local interactive logon under Windows NT 4.0.
   B. Domain interactive logon
      1. When the logon request reaches the LSA, the LSA passes the request to the Kerberos authentication package. The client sends an initial AS request to the Kerberos service, providing the user name and domain name.
      2. The Kerberos service generates an AS reply containing a TGT (encrypted with the KDC's own secret key) and a session key for the TGS exchanges (encrypted with the client's secret key, which is derived from the user's password). This response is sent back to the client.
      3. The client then generates and sends a TGS request containing the client's principal name and realm, the TGT to identify the client, and the local workstation name as the target server.
      4. The Kerberos service generates and sends a TGS reply. This reply contains a ticket for the workstation and other information, including the session key (encrypted by using the session key from the TGT).
      5. The Kerberos authentication package decrypts the workstation ticket with the workstation's secret key, extracts the SIDs from its PAC, and returns the list of SIDs to the LSA, which builds the user's access token.
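The AS, TGS and AP exchanges of 1.D and 2.B above, as an added example in Python; this is not the Windows 2000 implementation. The principal names, the SIDs in the PAC, the clock skew tolerance and the ticket lifetime are assumptions, and because the standard library has no Kerberos encryption types the tickets are sealed with a keystream-plus-HMAC stand-in. It shows the point made in 1.C.2, that the file server validates the ticket with its own secret key and never contacts the KDC, the mutual authentication of 1.C.3, and the checks that reject a wrong password, a replayed authenticator, an expired ticket, and a ticket presented to the wrong service.

```python
"""Kerberos AS, TGS and AP exchanges with the course's terms: secret keys, session keys,
tickets, authenticators, TGT and PAC.  Names, SIDs and the cipher are stand-ins."""
import hashlib
import hmac
import json
import secrets

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, obj):
    """Stand-in for a Kerberos encryption type: keystream XOR plus an HMAC tag, so that
    decryption with the wrong key is detected instead of producing garbage."""
    data, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):
    """The user's long-term secret key comes from the password (Kerberos uses a salted
    string-to-key function; plain SHA-256 here)."""
    return hashlib.sha256(password.encode()).digest()

SKEW, LIFETIME = 300, 8 * 3600        # clock skew tolerance; ticket lifetime set by domain policy

def _check_authenticator(auth, ticket, now):
    if auth["cname"] != ticket["cname"] or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("bad authenticator")

class KDC:
    """Authentication server (AS) and ticket granting service (TGS) in one."""
    def __init__(self, keys, pacs):
        self.keys, self.pacs = keys, pacs             # principal -> secret key, user -> SIDs
        self.krbtgt_key = secrets.token_bytes(32)     # TGTs are sealed with this; only the KDC holds it

    def as_exchange(self, cname, now):
        session = secrets.token_bytes(32)
        tgt = encrypt(self.krbtgt_key, {"cname": cname, "key": session.hex(),
                                        "expires": now + LIFETIME, "pac": self.pacs.get(cname, [])})
        return tgt, encrypt(self.keys[cname], {"key": session.hex(), "expires": now + LIFETIME})

    def tgs_exchange(self, tgt, authenticator, sname, now):
        t = decrypt(self.krbtgt_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(t["key"])
        _check_authenticator(decrypt(session, authenticator), t, now)
        svc = secrets.token_bytes(32)
        ticket = encrypt(self.keys[sname], {"cname": t["cname"], "key": svc.hex(),
                                            "expires": t["expires"], "pac": t["pac"]})
        return ticket, encrypt(session, {"sname": sname, "key": svc.hex()})

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()              # replay cache of authenticators

    def accept(self, ticket, authenticator, now):
        """AP exchange: the server needs only its own secret key, never the KDC."""
        t = decrypt(self.key, ticket)
        if now > t["expires"]:
            raise PermissionError("ticket expired")
        session = bytes.fromhex(t["key"])
        auth = decrypt(session, authenticator)
        _check_authenticator(auth, t, now)
        if (auth["cname"], auth["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((auth["cname"], auth["ts"]))
        return t["pac"], encrypt(session, {"ts": auth["ts"]})   # AP reply: mutual authentication

def logon(kdc, cname, password, now):
    tgt, part = kdc.as_exchange(cname, now)
    return tgt, bytes.fromhex(decrypt(string_to_key(password), part)["key"])   # wrong password fails here

def get_service_ticket(kdc, cname, tgt, tgs_key, sname, now):
    ticket, part = kdc.tgs_exchange(tgt, encrypt(tgs_key, {"cname": cname, "ts": now}), sname, now)
    return ticket, bytes.fromhex(decrypt(tgs_key, part)["key"])

def use_service(service, cname, ticket, svc_key, now):
    pac, ap_rep = service.accept(ticket, encrypt(svc_key, {"cname": cname, "ts": now}), now)
    if decrypt(svc_key, ap_rep)["ts"] != now:
        raise PermissionError("server failed mutual authentication")
    return pac

def demo(now=1_000_000_000):
    keys = {"alice": string_to_key("correct horse"), "cifs/files": secrets.token_bytes(32),
            "host/ws1": secrets.token_bytes(32)}
    kdc = KDC(keys, {"alice": ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-513"]})   # constructed SIDs
    files = Service(keys["cifs/files"])
    tgt, tgs_key = logon(kdc, "alice", "correct horse", now)
    ticket, svc_key = get_service_ticket(kdc, "alice", tgt, tgs_key, "cifs/files", now)
    results = {"pac": use_service(files, "alice", ticket, svc_key, now + 1)}
    attempts = {
        "wrong_password": lambda: logon(kdc, "alice", "wrong", now),
        "replayed_ap_req": lambda: use_service(files, "alice", ticket, svc_key, now + 1),
        "expired_ticket": lambda: use_service(files, "alice", ticket, svc_key, now + LIFETIME + 1),
        "ticket_at_other_service": lambda: Service(keys["host/ws1"]).accept(
            ticket, encrypt(svc_key, {"cname": "alice", "ts": now}), now),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "accepted"
        except (ValueError, PermissionError) as err:
            results[label] = str(err)
    return results
```

Note where each secret lives: the KDC's `krbtgt_key` never leaves the KDC, each service holds only its own key, and the client holds only session keys once the AS exchange is done. That division is what makes 1.C.2 true, and it is also why compromise of a service's secret key is limited to that service, while compromise of the krbtgt key lets an attacker mint tickets for every service in the realm.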
Chapter 11, Lesson 4
Security Configuration Tools

1. Security Configuration and Analysis Snap-In
   A. Security configuration
      1. The Security Configuration and Analysis snap-in can be used to directly configure local system security.
      2. You can import security templates and apply them to the group policy object (GPO) for the local computer.
   B. Security analysis
      1. The state of the operating system and applications is dynamic; settings drift as administrators make ad hoc changes and software is installed.
      2. Regular analysis enables an administrator to track and ensure an adequate level of security by comparing the current settings against a baseline template.
      3. The Security Configuration and Analysis snap-in enables quick review of security analysis results.
      4. You can use the Secedit command-line utility to analyze a large number of computers, for example from a script.
   C. Using the Security Configuration and Analysis snap-in
      1. The Security Configuration and Analysis snap-in compares your current system settings with the settings stored in its database and flags each difference, so that you can decide whether to apply the template or to update it.
      2. The Security Configuration and Analysis snap-in allows you to perform a variety of tasks.
         a. Set a working database
         b. Import a security template
         c. Analyze system security
         d. Review security analysis results
         e. Configure system security
         f. Edit the base security configuration
         g. Export a security template
2. Security Templates Snap-In
   A. A security template is a physical representation of a security configuration.
   B. The security template is a text file (.inf) in which a group of security settings may be stored.
   C. Using the Security Templates snap-in
      1. The Security Templates snap-in allows you to create and assign security templates for one or more computers.
      2. The template is a physical file representation of a security configuration.
      3. When you import a security template to a GPO, Group Policy processes the template and makes the corresponding changes on every computer to which that GPO applies.
      4. The Security Templates snap-in allows you to perform a variety of tasks.
         a. Customize a predefined security template
         b. Define a security template
         c. Delete a security template
         d. Refresh the security template list
         e. Set a description for a security template
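An added example in Python of the analysis the Security Configuration and Analysis snap-in performs (1.B and 1.C) and of the template file the Security Templates snap-in edits (2): parse an .inf template, compare every setting it defines with the current settings, and export the current settings as a new template. This is not secedit or snap-in code. The template and the "current settings" are constructed, using the section and setting names that the Windows 2000 templates use ([System Access], [Event Audit], [Registry Values], [Privilege Rights]); the values chosen for both sides are assumptions.

```python
"""What the Security Configuration and Analysis snap-in does with a template:
parse the .inf file, compare every setting it defines with the current machine
settings, and (the other direction) export current settings as a template.
Both the template and the current settings below are constructed."""
import configparser
import io

# A subset in the format of the predefined Windows 2000 templates.  [Event Audit]
# values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# [Registry Values] entries are path=type,value with type 4 = REG_DWORD.
TEMPLATE = r"""
; constructed sample template
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
"""

ANALYZED_AREAS = ("System Access", "Event Audit", "Registry Values", "Privilege Rights")

CURRENT_SETTINGS = {          # constructed: what the analysis reads from the live machine
    "System Access": {"MinimumPasswordLength": "6", "PasswordComplexity": "1",
                      "LockoutBadCount": "0", "MaximumPasswordAge": "42"},
    "Event Audit": {"AuditLogonEvents": "1", "AuditObjectAccess": "2"},
    "Registry Values": {r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "4,0"},
    "Privilege Rights": {"SeNetworkLogonRight": "*S-1-5-11,*S-1-5-32-544"},   # same set, other order
}

def _parser():
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep the case of setting names and registry paths
    return cp

def load_template(text):
    """Template file -> {area: {setting: value}} for the areas the analysis covers."""
    cp = _parser()
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s in ANALYZED_AREAS}

def _normalize(area, value):
    """Privilege rights are sets of SIDs, so their order must not count as a difference."""
    return frozenset(v.strip() for v in value.split(",")) if area == "Privilege Rights" else value.strip()

def analyze(template, current):
    """Returns (area, setting, status, template_value, current_value) for each template
    setting; status is 'match', 'mismatch' or 'not configured' (absent on the machine)."""
    findings = []
    for area, settings in template.items():
        for name, want in settings.items():
            have = current.get(area, {}).get(name)
            if have is None:
                status = "not configured"
            elif _normalize(area, want) == _normalize(area, have):
                status = "match"
            else:
                status = "mismatch"
            findings.append((area, name, status, want, have))
    return findings

def export_template(current):
    """Current settings -> template text (the snap-in's Export Template)."""
    cp = _parser()
    cp["Unicode"] = {"Unicode": "yes"}
    cp["Version"] = {"signature": '"$CHICAGO$"', "Revision": "1"}
    for area, settings in current.items():
        cp[area] = settings
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def demo():
    """Everything the snap-in would flag with a red X (mismatch) or a question mark."""
    return [(area, name, status) for area, name, status, _, _ in
            analyze(load_template(TEMPLATE), CURRENT_SETTINGS) if status != "match"]
```

The two findings that matter most in the constructed data are the weakened password length and the lockout count of 0 (no lockout at all), both of which are exactly the kind of drift 1.B.1 describes. Note that the comparison is exact: a setting that is stronger than the template is still reported as a mismatch, just as the snap-in does, and it is up to the administrator to decide which side is right.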
3. Group Policy Snap-In
   A. Through the use of GPOs in Active Directory services, administrators can centrally apply the security levels required to protect enterprise systems.
   B. The Group Policy snap-in allows you to configure security centrally in the Active Directory store.
   C. The Security Settings extension of Group Policy allows policy administrators to set account policies, local policies (audit, user rights, security options), event log settings, restricted groups, system services, registry and file system permissions, public key policies, and IP security policies.
Chapter 11, Lesson 5
Windows 2000 Auditing

1. Overview of Windows 2000 Auditing
   A. Auditing is the process of tracking both user activities and Windows 2000 activities on a computer.
   B. An audit entry in the Security log contains several types of information.
      1. The action that was performed
      2. The user who performed the action
      3. The success or failure of the event and when the event occurred
   C. You can use an audit policy to define security events.
      1. An audit policy defines the types of security events that Windows 2000 records in the Security log on each computer.
      2. Windows 2000 writes events to the Security log on the computer where the event occurs, so tracing an activity that spans several computers means collecting the logs from each of them.
      3. You can set up an audit policy for a computer to perform a couple of tasks.
         a. Track the success and failure of events, such as logon attempts by users, an attempt by a particular user to read a specific file, changes to a user account or to group memberships, and changes to your security settings.
         b. Eliminate or minimize the risk of unauthorized use of resources.
      4. You can use Event Viewer to view events that Windows 2000 has recorded in the Security log.
2. Planning an Audit Policy
   A. When you plan an audit policy, you must determine the computers on which to set up auditing.
   B. Auditing is turned off by default.
   C. You can audit a number of events.
      1. Access to files and folders
      2. Users logging on and off
      3. Shutting down and restarting a computer running Windows 2000 Server
      4. Changes to user accounts and groups
      5. Attempts to make changes to Active Directory objects
   D. After you have determined the types of events to audit, you must determine whether to audit the successes and failures of events. Failures reveal attempts; successes reveal what actually happened and are essential for reconstructing an incident.
   E. Follow the recommended guidelines when determining an audit policy.
      1. Determine if you need to track trends of system usage. If so, plan to archive event logs.
      2. Review security logs frequently. Set a schedule and regularly review security logs, because configuring auditing alone does not alert you to security breaches.
      3. Define an audit policy that is useful and manageable. Always audit sensitive and confidential data. Audit only those events that will provide you with meaningful information about your network environment.
      4. Audit resource access by the Everyone group instead of the Users group, so that access by accounts outside Users (such as guest or anonymous access) is logged as well.
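Detection logic over a constructed Security log, as an added example in Python of what "review security logs frequently" (2.E.2) means in practice; it is not Windows code. The records use a simplified tab-separated layout modelled on an Event Viewer text export and carry the Windows 2000 Security log event IDs 529 (logon failure: bad user name or password), 528 (successful logon), 612 (audit policy changed), 517 (audit log cleared) and 636 (member added to a security-enabled local group). The threshold, the time window and the list of privileged groups are assumptions.

```python
"""Detection rules over a Security log export.  Records are constructed, in a
simplified tab-separated form (date, time, type, category, event ID, computer,
details) with Windows 2000 Security log event IDs."""
import datetime
from collections import defaultdict

SAMPLE_LOG = """\
2001-03-14\t09:12:01\tFailure Audit\tLogon/Logoff\t529\tWS1\tuser=jsmith src=10.0.1.77
2001-03-14\t09:12:09\tFailure Audit\tLogon/Logoff\t529\tWS1\tuser=jsmith src=10.0.1.77
2001-03-14\t09:12:15\tFailure Audit\tLogon/Logoff\t529\tWS1\tuser=jsmith src=10.0.1.77
2001-03-14\t09:12:40\tFailure Audit\tLogon/Logoff\t529\tWS1\tuser=mjones src=10.0.1.12
2001-03-14\t09:12:52\tFailure Audit\tLogon/Logoff\t529\tWS1\tuser=jsmith src=10.0.1.77
2001-03-14\t09:13:03\tFailure Audit\tLogon/Logoff\t529\tWS1\tuser=jsmith src=10.0.1.77
2001-03-14\t09:13:20\tFailure Audit\tLogon/Logoff\t529\tWS1\tuser=jsmith src=10.0.1.77
2001-03-14\t09:14:05\tSuccess Audit\tLogon/Logoff\t528\tWS1\tuser=jsmith src=10.0.1.77
2001-03-14\t10:30:11\tSuccess Audit\tLogon/Logoff\t528\tWS1\tuser=mjones src=10.0.1.12
2001-03-14\t17:00:42\tSuccess Audit\tPolicy Change\t612\tDC1\tuser=admin
2001-03-14\t17:01:10\tSuccess Audit\tSystem Event\t517\tDC1\tuser=admin
2001-03-14\t17:05:33\tSuccess Audit\tAccount Management\t636\tDC1\tuser=admin member=bob group=Administrators
"""

THRESHOLD, WINDOW = 5, datetime.timedelta(minutes=10)   # assumptions for the password-guessing rule
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

def parse(text):
    """Split the export into records; 'key=value' items in the details become fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, type_, category, event_id, computer, details = line.split("\t")
        record = {"when": datetime.datetime.fromisoformat(date + " " + time_), "type": type_,
                  "category": category, "id": int(event_id), "computer": computer}
        record.update(item.split("=", 1) for item in details.split())
        records.append(record)
    return records

def detect(records):
    """Returns (rule, subject, computer) alerts in log order."""
    alerts, failures = [], defaultdict(list)      # (computer, account) -> times of recent 529s
    for r in sorted(records, key=lambda r: r["when"]):
        key = (r["computer"], r.get("user"))
        recent = [t for t in failures[key] if r["when"] - t <= WINDOW]
        if r["id"] == 529:                          # logon failure: bad user name or password
            recent.append(r["when"])
            if len(recent) == THRESHOLD:
                alerts.append(("password guessing", r["user"], r["computer"]))
        elif r["id"] in (528, 540) and len(recent) >= THRESHOLD:   # success right after a burst of failures
            alerts.append(("logon after repeated failures", r["user"], r["computer"]))
        elif r["id"] == 517:                        # the audit log was cleared
            alerts.append(("audit log cleared", r["user"], r["computer"]))
        elif r["id"] == 612:                        # audit policy changed
            alerts.append(("audit policy changed", r["user"], r["computer"]))
        elif r["id"] in (632, 636) and r["group"] in PRIVILEGED_GROUPS:   # member added to a group
            alerts.append(("privileged group change", r["member"] + " -> " + r["group"], r["computer"]))
        failures[key] = recent
    return alerts
```

The last three rules need no threshold at all: an audit policy change, a cleared Security log, or a new member in Administrators is worth a look every time, and the clearing event in particular is often the only trace an intruder leaves, which is why 4.E below recommends archiving before clearing.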
3. Implementing an Audit Policy
   A. Configuring auditing
      1. You can implement an audit policy based on the role of the computer in the Windows 2000 network.
         a. For member or stand-alone servers or computers running Windows 2000 Professional, an audit policy is set for each individual computer.
         b. For domain controllers, an audit policy is set for all domain controllers in the domain.
      2. You must follow specific requirements to set up auditing.
         a. You must have the Manage Auditing and Security Log user right on the computer where you want to configure an audit policy or review an audit log.
         b. The files and folders to be audited must be on NTFS volumes.
      3. Setting up auditing is a two-part process.
         a. The audit policy enables auditing of a category of events (for example object access) but does not by itself cause any specific object to be audited.
         b. You identify the specific events to audit for files, folders, printers, and Active Directory objects, in the system access control list (SACL) of each object. Windows 2000 then tracks and logs the specified events.
   B. Setting an audit policy
      1. The first step in implementing an audit policy is selecting the types of events that Windows 2000 audits.
      2. Windows 2000 can audit several types of events: account logon events, account management, directory service access, logon events, object access, policy change, privilege use, process tracking, and system events.
      3. To set an audit policy on a computer that is not a domain controller, create a custom MMC console and add the Group Policy snap-in.
      4. Changes that you make to your computer's audit policy take effect when one of the following occurs.
         a. You initiate policy propagation by using the secedit command.
         b. You restart your computer.
         c. Scheduled policy propagation occurs.
   C. Auditing access to files and folders
      1. You can set up auditing for files and folders on NTFS partitions.
      2. Once you set up an audit policy, you enable auditing for specific files and folders and specify which types of access, by which types of users or groups, to audit.
   D. Auditing access to Active Directory objects
      1. You must configure an audit policy and then set auditing for specific objects.
      2. To enable auditing of access to Active Directory objects, enable the Audit Directory Service Access policy in the Group Policy snap-in.
      3. To enable auditing for specific Active Directory objects, use the Active Directory Users and Computers snap-in.
   E. Auditing access to printers
      1. Enable the Audit Object Access policy, and then enable auditing for the specific printer.
      2. You can set up auditing on a printer in the properties for that printer.
4. Using Event Viewer
   A. Using Windows 2000 logs
      1. Application log
      2. Security log
      3. System log
   B. Viewing the Security log
      1. The Security log contains information about events that are monitored by an audit policy.
      2. You can view the Security log in the Event Viewer snap-in.
      3. Successful events appear with a key icon, and unsuccessful events appear with a lock icon.
      4. Windows 2000 records events in the Security log on the computer where the event occurred.
   C. Locating events
      1. When you first start Event Viewer, it automatically displays all events that are recorded in the selected log.
      2. You can use the Find command to search for specific events, and the Filter command to restrict the view, for example to failure audits from one category.
   D. Managing audit logs
      1. You can archive event logs and compare logs from different periods.
      2. You can configure the properties of individual audit logs, such as the maximum log size and what happens when it is full (overwrite events as needed, overwrite events older than a number of days, or do not overwrite and clear the log manually).
   E. Archiving logs
      1. Archiving Security logs allows you to maintain a history of security-related events.
      2. You can use Event Viewer to save a log file, clear all events, or open a log file. Save before you clear: clearing the Security log discards everything not yet archived, and the clearing is itself recorded as an audit event.