Guide to MCSE 70-290, Enhanced
Chapter 14: Windows Server 2003 Security Features
Objectives
After reading the chapter and completing the exercises, students should be able to:
Identify the various elements and techniques that can be used to secure a Windows Server 2003 system
Use Security Configuration and Analysis tools to configure and review security settings
Audit access to resources and review Security log settings
Teaching Tips
Securing Your Windows 2003 System
Teaching Tip: This chapter includes a number of different security features and capabilities, many of which have been introduced in earlier chapters.
1. Briefly introduce to students the five broad categories of security features that will be discussed in this section: authentication, access control, encryption, security policies, and service packs and hot fixes.
Authentication
1. Note that the most basic and universal form of authentication is requiring a user to submit a valid user id and password to log on to some system.
2. Remind students that in a domain environment, domain controllers handle authentication in a centralized manner. In contrast, in workgroups, authentication is handled through a local database (SAM). These issues are discussed in Chapter 3.
3. Note that specific Windows Server 2003 services provide additional authentication. For example, IIS can authenticate Internet users in addition to network users (see Chapter 13).
Access Control
1. Explain that access control security is used to protect resources such as files and printers. Access control refers to both the ability to access a resource at all and the level of access that is allowed.
2. Note that various forms of permissions are part of access control. Examples of this are NTFS and shared folder permissions from Chapter 5, printer access control permissions from Chapter 8, and Active Directory object access permissions from Chapter 10.
3. Introduce the “principle of least privilege” and discuss the advantages and problems associated with implementing this principle.
Encryption
1. Remind students about the Encrypting File System (EFS) that was looked at in Chapter 7. Note that this system is used to encrypt files stored locally on NTFS partitions and volumes.
2. Discuss with students why it is sometimes necessary to encrypt files that will be traversing a TCP/IP network. Note that it is possible for third parties to monitor network traffic. Sensitive data should be protected using some security protocol.
3. Explain that Windows Server 2003 environments use the IPSec protocol. Note the two modes (transport and tunnel) that are described.
Teaching Tip: Tell students that the IPSec protocol is beyond the scope of Microsoft exam 70-290.
Security Policies
1. Note that security policies are used on Windows Server 2003, Windows 2000, and Windows XP standalone and domain systems. In domains, policies are usually applied via Group Policy. Tools used to configure security policies are the Group Policy Object Editor MMC snap-in and the Local Security Policy snap-in.
2. Introduce the Security Configuration and Analysis MMC snap-in and the command-line SECEDIT utility.
Service Packs and Hot Fixes
1. Remind students about the Microsoft notions of “hot fixes” and “service packs”.
2. Reiterate that with Windows Server 2003, Windows 2000, and Windows XP, the use of an update utility such as Microsoft Software Update Services (SUS) can be very beneficial in automating and controlling the distribution of updates.
Using Security Configuration Manager Tools
1. Discuss some of the problems that were inherent in administering security configurations in Windows NT.
2. Introduce the Security Configuration Manager tools and the concept of a Security Policy template. Note that the tools can be used to both configure and analyze security settings. Introduce each of the components of the Security Configuration Manager tools.
Security Templates
1. Explain that security templates are the first of the Security Configuration Manager tools and are used to set up and maintain a consistent organizational security standard.
2. Note that security templates are stored in text files but should only be created and edited using the Security Templates MMC snap-in.
Activity 14-1: Browsing Security Templates
1. In this activity, students browse some of the default security templates included with Windows Server 2003 to explore the various settings that can be configured with them.
2. Students open the MMC utility and add the Security Templates snap-in as directed. They then open the hisecdc template to explore the various configurations associated with that template. They also open a second template to browse and compare.
Analyzing the Pre-configured Security Templates
1. Remind students that only computers running Windows Server 2003, Windows XP, and Windows 2000 can use security templates.
2. Discuss sorting computers into workstations, servers, and domain controllers to match up with preconfigured templates.
The Default Template
1. Introduce the Setup Security.inf template and note that it is applied upon the installation of Windows Server 2003.
Teaching Tip: Be sure to note that the default template should not be applied using Group Policy since it can seriously degrade processing performance.
Incremental Templates
1. Explain to students that incremental templates are to be applied on top of the default security settings.
2. Go over the list of incremental templates and their intended uses.
3. Note that you can create custom templates if necessary or you can modify and save an existing template as a custom template.
Applying Security Templates
1. This section discusses how to apply the settings configured in a security template to either a local machine or to a domain.
2. Explain to students how to apply settings locally using the Local Security Settings MMC snap-in.
3. Note that to apply settings to a domain, they should use a Group Policy Object. Discuss the effective settings when there are both local and domain settings. Go over the refresh policies for GPOs.
Activity 14-2: Creating a Security Template
1. This activity is designed to familiarize students with the process of creating a custom security template.
2. With the MMC Security Templates snap-in, students create a new template as directed. They browse the possible settings and configure designated settings as explained. They then save the new template.
Activity 14-3: Applying Security Template Settings to Group Policy Objects
1. In this activity, students import the security template created earlier into an existing GPO to be deployed in the domain.
2. Students begin by opening Active Directory Users and Computers and the Properties of the domain. Next they edit the Default Domain Policy and import the template created in Activity 14-2. They then browse the settings to verify that the imported settings are configured as desired. Finally, they close the Group Policy Object Editor.
Security Configuration and Analysis
1. Referring back to the components of the Security Configuration Manager tools, so far security templates and the security settings in Group Policy objects have been presented. In this section, the Security Configuration and Analysis tool is discussed.
2. Explain that Security Configuration and Analysis is an MMC snap-in that allows administrators to compare current system settings to a security template on a setting-by-setting basis.
Activity 14-4: Analyzing Security Settings Using Security Configuration and Analysis
1. In this activity, students try using the Security Configuration and Analysis tool to compare their current system settings with the settings configured in a pre-existing template.
2. They first add the Security Configuration and Analysis snap-in to an MMC console and open a new database. They import the hisecdc.inf built-in template and compare this template to the current settings.
3. Students next review the analysis that is created.
SECEDIT Command-Line Tool
1. This is the last of the Security Configuration Manager tools and is used to create, apply, and analyze security settings. Note that this can be used for workgroup configurations where Group Policy cannot be applied.
2. Go over the main switches and their uses.
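An added example, not part of the instructor's manual: a batch file that strings the main SECEDIT switches (/validate, /export, /analyze, /configure) into the analyze-then-apply workflow this section describes, for use on workgroup servers where Group Policy cannot be applied. The working folder C:\SecAudit, the file names and the "apply" argument are assumptions made for the example.

```batch
@echo off
rem Added example, not from the instructor's manual.
rem Usage: secaudit.cmd          analyze only
rem        secaudit.cmd apply    analyze, then apply the security policy area
setlocal

rem hisecdc.inf is the built-in template used in Activity 14-4.
set "TEMPLATE=%windir%\security\templates\hisecdc.inf"
rem Assumed working folder and file names (hypothetical, change to suit).
set "WORKDIR=C:\SecAudit"
set "DB=%WORKDIR%\hisecdc.sdb"
set "LOG=%WORKDIR%\analyze.log"

if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem /validate checks the template's syntax before it is imported.
secedit /validate "%TEMPLATE%"
if errorlevel 1 (
    echo Template did not validate: %TEMPLATE%
    exit /b 1
)

rem /export saves the current settings to a template file for later comparison.
secedit /export /cfg "%WORKDIR%\current.inf" /quiet

rem /analyze imports the template into a fresh database (/overwrite) and
rem compares each setting in it with the running system.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 echo SECEDIT returned a non-zero exit code; review %LOG%

rem Assumption: the analysis log flags differing settings with "Mismatch".
echo Settings that differ from the template:
findstr /i /c:"Mismatch" "%LOG%"

rem /configure changes the system, so it runs only when asked for explicitly.
rem /areas SECURITYPOLICY limits the change to account policies, audit
rem policies, event log settings and security options; user rights, services,
rem registry and file permissions are left alone.
if /i "%~1"=="apply" (
    secedit /configure /db "%DB%" /areas SECURITYPOLICY /log "%WORKDIR%\configure.log" /quiet
    if errorlevel 1 echo Configure reported a problem; review %WORKDIR%\configure.log
)
endlocal
```

Run without arguments, the script only reads settings, so it can be scheduled on several computers to collect analysis logs before any template is applied.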
Quick Quiz
1. What are the four components of the Security Configuration Manager tools?
Answer: Security templates, Security settings in Group Policy objects, Security Configuration and Analysis tool, and the SECEDIT command-line tool
2. What are the five different categories of security-related features available to an administrator in Windows Server 2003?
Answer: authentication, access control, encryption, security policies, and service packs and hot fixes
3. The set of security templates that can be used to apply various additional security configurations on top of the baseline settings are called ____________________ templates.
Answer: incremental
4. True or False: The Security Configuration and Analysis tool is an MMC snap-in.
Answer: True
Auditing Access to Resources and Analyzing Security Logs
1. Note that monitoring network events is an important administrative task and give examples of particular events that can be monitored. Introduce auditing and explain that audited events are logged in security logs.
2. Describe an audit entry in a security log and note that events are logged on the computer upon which the event occurs.
3. Note that Event Viewer is used to view security logs.
4. Define an audit policy and what the choices are for tracking various events.
Activity 14-5: Exploring Default Auditing Settings
1. The purpose of this activity is for students to explore auditing settings of the default domain controller Group Policy object.
2. Students open Active Directory Users and Computers and edit the Default Domain Controllers Policy as explained. They open the Audit Policy node and explore the policy settings and their values.
3. Go over the different types of events that can be monitored as described in Table 14-1.
Configuring Auditing
1. Introduce the process of configuring an audit policy. Note that the role of the computer on the network determines how policy settings are implemented.
Requirements
1. Describe the requirements that must be met to configure an audit policy regarding group membership and permissions and file and folder residence on an NTFS volume.
Configuring an Audit Policy
1. Explain the choices to be made in configuring an audit policy for event auditing.
Activity 14-6: Configuring and Testing New Audit Policy Settings
1. In this activity, students change the default auditing policy on their system.
2. Students first open Active Directory Users and Computers to edit the Default Domain Controllers Policy GPO auditing settings. They change the current settings as directed and refresh the Group Policy manually.
3. To verify that events are being logged as expected, students log on with an incorrect password to generate a failed logon attempt and then log on correctly. They open Event Viewer and view the contents of the Security log.
Teaching Tip: Note that Windows Server 2003 automatically refreshes audit policy settings every 90 minutes with a maximum 30-minute offset on a workstation or server and every five minutes on a domain controller as per Group Policy processing. To update audit policy manually, you can restart the computer or issue the GPUPDATE.EXE command.
Auditing Object Access
1. Be sure to mention that you can only monitor object access for files and folders residing on NTFS volumes.
2. Give examples of why you might wish to monitor object access.
3. Explain that you must first configure audit policy to audit object access as in Activity 14-6 and then configure the settings on individual objects. Describe how to configure audit settings for specific files and folders by using the Advanced Security Settings on the particular resource. Note that you should audit access by the Everyone group to catch access attempts by unauthenticated users.
4. Mention that Active Directory objects can also be audited individually as for files and folders.
Activity 14-7: Configuring Auditing on an NTFS Folder
1. The purpose of this activity is to familiarize students with configuring auditing on objects. Specifically, in this case, students configure auditing successful and failed attempts to access an NTFS folder.
2. Students create a new folder with specific permissions as described in the activity. They configure auditing for the folder as directed.
3. Students log off and then log back on under a different account and try to access and delete the folder to create failed attempts. They log off this account and log back on under an administrator account to open Event Viewer and check the Security log.
Best Practices
1. This section describes the process of planning an audit policy that provides needed security. Discuss with students the ultimate goal: to audit those events and objects that are important and that will provide useful information and not to audit things that will simply increase overhead for both the system and the administrator. A number of guidelines are provided to help with the planning process.
Analyzing Security Logs
1. Reiterate that any event covered by an audit policy will generate an entry into a Security log. The log is then viewed using Event Viewer.
2. Go over the Event Viewer display and how to use the summary and detailed contents.
3. Note that Event Viewer shows the local security log by default but that it can also be used to look at the security log on a remote computer.
4. Explain the Find and Filter options of Event Viewer.
Activity 14-8: Configuring Event Viewer Log Properties
1. In this activity, students explore the use of the find and filter features in Event Viewer to manage the potentially large number of entries.
2. Students open Event Viewer and view the Security log. They use the Find command to find instances of particular events. They then use the Filter command to display only those events. They browse the events to ensure that they meet the criteria provided and, finally, they reset Event Viewer to display all events again.
Configuring Event Viewer
1. Discuss with students the need to configure properties of a security log to ensure that enough information is kept without allowing the log to become too large.
2. Describe how to configure properties on a security log through Event Viewer.
3. Go over the list of Security log configuration options in Table 14-2.
Activity 14-9: Editing Security Log Settings and Saving Events
1. This activity is designed to allow students to manage a security log configuration and to archive security log files.
2. Students open Event Viewer and the Properties of the Security log as directed. They configure several of the settings as desired.
3. Next students save the current security log and clear all the old events. Finally, students open the saved log to verify that it was saved as expected.
Quick Quiz
1. What tool is normally used to view a security log?
Answer: Event Viewer
2. True or False: In the default Audit Policy, Audit account logon events is configured to log successful and failed logon attempts.
Answer: False, it is configured to audit only successful events by default.
3. True or False: To audit file and folder access on a FAT volume, you must be a member of the Administrators group.
Answer: False, file and folder access can only be audited when they reside on an NTFS volume.
4. To have Event Viewer display only the events in a Security log that meet specific criteria chosen by the user, you would use the ____________________ feature.
Answer: Filter
Class Discussion Topics
1. Since it is possible to allow users access to a network without authentication, are there times when this might be useful? What are the advantages and disadvantages of allowing this?
2. Why were significant changes made in how security configurations can be maintained between Windows NT and Windows Server 2003?
3. Discuss why it is important to monitor network events. Why can only administrators and users who have the Manage Auditing and Security log user right view the contents of a security log?
Additional Projects
1. Develop a specific network and resource-auditing plan for an organization. Describe the organization and the particular organizational characteristics that drive the features of the auditing plan. Note what events and objects are to be audited and the specific criteria for auditing them and describe how you will use the resulting logs.
2. Research the use of the SECEDIT command-line tool. When might SECEDIT be particularly useful? Try using the tool to analyze a database setting and compare it to a current configuration. Explore using some of the other options. Do you prefer SECEDIT or the other Security Manager tools that can be used to accomplish the same tasks?
3. Using the Internet, do some research on packet sniffing. What does this mean, is it common, is it detectable? Given what you learn, how important is it to use a security protocol like IPSec? As an organizational administrator, how do you think you would use encryption for network traffic?
Solutions to Additional Projects
1. The auditing plan that is developed should be reasonably motivated by the type of organization for which it is designed. It should follow the guidelines specified in the Best Practices section by auditing only events and objects for which a reason is given, by auditing the Everyone and Administrators groups and the use of user rights assignment, and by specifying a schedule for reviewing the security logs.
2. SECEDIT can be called from a batch file or from the automatic task scheduler to run at off-peak times or on multiple computers, which makes it a useful administrative tool. Student activities will vary depending on which options they choose. Information about SECEDIT switches and parameters is available on the Microsoft site.
3. Packet sniffing is a technique for copying packets as they travel across a network. It is very easy to do and there are many software packages available for it. Much network traffic is not encrypted and the stolen information is easy to access. Some sniffers can be detected but some cannot. Generally, in any type of organization that has sensitive information traveling on a network, an administrator should consider encrypting the information.