Guide to MCSE 70-290, Enhanced 14-1

Chapter 14: Windows Server 2003 Security Features

Objectives

After reading the chapter and completing the exercises, students should be able to:
- Identify the various elements and techniques that can be used to secure a Windows Server 2003 system
- Use Security Configuration and Analysis tools to configure and review security settings
- Audit access to resources and review Security log settings

Teaching Tips

Securing Your Windows 2003 System

Teaching Tip
1. This chapter includes a number of different security features and capabilities, many of which have been introduced in earlier chapters. Briefly introduce to students the five broad categories of security features that will be discussed in this section: authentication, access control, encryption, security policies, and service packs and hot fixes.

Authentication
1. Note that the most basic and universal form of authentication is requiring a user to submit a valid user ID and password to log on to a system.
2. Remind students that in a domain environment, domain controllers handle authentication in a centralized manner. In contrast, in workgroups, authentication is handled through a local database (the SAM). These issues are discussed in Chapter 3.
3. Note that specific Windows Server 2003 services provide additional authentication. For example, IIS can authenticate Internet users in addition to network users (see Chapter 13).

Access Control
1. Explain that access control security is used to protect resources such as files and printers. Access control refers both to whether a resource can be accessed at all and to the level of access that is allowed.
2. Note that various forms of permissions are part of access control. Examples are NTFS and shared folder permissions from Chapter 5, printer access control permissions from Chapter 8, and Active Directory object access permissions from Chapter 10.
3. Introduce the "principle of least privilege" and discuss the advantages and problems associated with implementing this principle.

Encryption
1. Remind students about the Encrypting File System (EFS) that was covered in Chapter 7. Note that this system is used to encrypt files stored locally on NTFS partitions and volumes.
2. Discuss with students why it is sometimes necessary to encrypt files that will be traversing a TCP/IP network. Note that it is possible for third parties to monitor network traffic, so sensitive data should be protected using a security protocol.
3. Explain that Windows Server 2003 environments use the IPSec protocol. Note the two modes (transport and tunnel) that are described.

Teaching Tip
Tell students that the IPSec protocol is beyond the scope of Microsoft exam 70-290.

Security Policies
1. Note that security policies are used on Windows Server 2003, Windows 2000, and Windows XP standalone and domain systems. In domains, policies are usually applied via Group Policy. Tools used to configure security policies are the Group Policy Object Editor MMC snap-in and the Local Security Policy snap-in.
2. Introduce the Security Configuration and Analysis MMC snap-in and the command-line SECEDIT utility.

Service Packs and Hot Fixes
1. Remind students about the Microsoft notions of "hot fixes" and "service packs".
2. Reiterate that with Windows Server 2003, Windows 2000, and Windows XP, an update utility such as Microsoft Software Update Services (SUS) can be very beneficial in automating and controlling the distribution of updates.

Using Security Configuration Manager Tools
1. Discuss some of the problems that were inherent in administering security configurations in Windows NT.
2. Introduce the Security Configuration Manager tools and the concept of a security policy template. Note that the tools can be used both to configure and to analyze security settings.
Introduce each of the components of the Security Configuration Manager tools.

Security Templates
1. Explain that security templates are the first of the Security Configuration Manager tools and are used to set up and maintain a consistent organizational security standard.
2. Note that security templates are stored in text files but should only be created and edited using the Security Templates MMC snap-in.

Activity 14-1: Browsing Security Templates
1. In this activity, students browse some of the default security templates included with Windows Server 2003 to explore the various settings that can be configured with them.
2. Students open the MMC utility and add the Security Templates snap-in as directed. They then open the hisecdc template to explore the various configurations associated with that template. They also open a second template to browse and compare.

Analyzing the Pre-configured Security Templates
1. Remind students that only computers running Windows Server 2003, Windows XP, and Windows 2000 can use security templates.
2. Discuss sorting computers into workstations, servers, and domain controllers to match them up with the preconfigured templates.

The Default Template
1. Introduce the Setup Security.inf template and note that it is applied upon the installation of Windows Server 2003.

Teaching Tip
Be sure to note that the default template should not be applied using Group Policy, since it can seriously degrade processing performance.

Incremental Templates
1. Explain to students that incremental templates are applied on top of the default security settings.
2. Go over the list of incremental templates and their intended uses.
3. Note that you can create custom templates if necessary, or you can modify and save an existing template as a custom template.

Applying Security Templates
1. This section discusses how to apply the settings configured in a security template either to a local machine or to a domain.
2. Explain to students how to apply settings locally using the Local Security Settings MMC snap-in. Note that to apply settings to a domain, they should use a Group Policy Object.
3. Discuss the effective settings when there are both local and domain settings. Go over the refresh policies for GPOs.

Activity 14-2: Creating a Security Template
1. This activity is designed to familiarize students with the process of creating a custom security template.
2. With the MMC Security Templates snap-in, students create a new template as directed. They browse the possible settings and configure designated settings as explained. They then save the new template.

Activity 14-3: Applying Security Template Settings to Group Policy Objects
1. In this activity, students import the security template created earlier into an existing GPO to be deployed in the domain.
2. Students begin by opening Active Directory Users and Computers and the Properties of the domain. Next they edit the Default Domain Policy and import the template created in Activity 14-2. They then browse the settings to verify that the imported settings are configured as desired. Finally, they close the Group Policy Object Editor.

Security Configuration and Analysis
1. Referring back to the components of the Security Configuration Manager tools, so far security templates and the security settings in Group Policy objects have been presented. In this section, the Security Configuration and Analysis tool is discussed.
2. Explain that Security Configuration and Analysis is an MMC snap-in that allows administrators to compare current system settings to a security template on a setting-by-setting basis.

Activity 14-4: Analyzing Security Settings Using Security Configuration and Analysis
1. In this activity, students try using the Security Configuration and Analysis tool to compare their current system settings with the settings configured in a pre-existing template.
2. They first add the Security Configuration and Analysis snap-in to an MMC console and open a new database. They import the hisecdc.inf built-in template and compare this template to the current settings.
3. Students next review the analysis that is created.

SECEDIT Command-Line Tool
1. This is the last of the Security Configuration Manager tools and is used to create, apply, and analyze security settings.
2. Note that it can be used for workgroup configurations where Group Policy cannot be applied. Go over the main switches and their uses.

Quick Quiz
1. What are the four components of the Security Configuration Manager tools?
Answer: Security templates, security settings in Group Policy objects, the Security Configuration and Analysis tool, and the SECEDIT command-line tool
2. What are the five different categories of security-related features available to an administrator in Windows Server 2003?
Answer: authentication, access control, encryption, security policies, and service packs and hot fixes
3. The set of security templates that can be used to apply various additional security configurations on top of the baseline settings are called ____________________ templates.
Answer: incremental
4. True or False: The Security Configuration and Analysis tool is an MMC snap-in.
Answer: True

Auditing Access to Resources and Analyzing Security Logs
1. Note that monitoring network events is an important administrative task, and give examples of particular events that can be monitored.
2. Introduce auditing and explain that audited events are logged in security logs.
3. Describe an audit entry in a security log and note that events are logged on the computer on which the event occurs. Note that Event Viewer is used to view security logs.
4. Define an audit policy and the choices available for tracking various events.

Activity 14-5: Exploring Default Auditing Settings
1. The purpose of this activity is for students to explore the auditing settings of the default domain controller Group Policy object.
2. Students open Active Directory Users and Computers and edit the Default Domain Controllers Policy as explained. They open the Audit Policy node and explore the policy settings and their values.
3. Go over the different types of events that can be monitored, as described in Table 14-1.

Configuring Auditing
1. Introduce the process of configuring an audit policy. Note that the role of the computer on the network determines how policy settings are implemented.

Requirements
1. Describe the requirements that must be met to configure an audit policy: group membership and permissions, and the residence of files and folders on an NTFS volume.

Configuring an Audit Policy
1. Explain the choices to be made in configuring an audit policy for event auditing.

Activity 14-6: Configuring and Testing New Audit Policy Settings
1. In this activity, students change the default auditing policy on their system.
2. Students first open Active Directory Users and Computers to edit the auditing settings of the Default Domain Controllers Policy GPO. They change the current settings as directed and refresh Group Policy manually.
3. To verify that events are being logged as expected, students log on with an incorrect password to generate a failed logon attempt and then log on correctly. They open Event Viewer and view the contents of the Security log.

Teaching Tip
Note that Windows Server 2003 automatically refreshes audit policy settings every 90 minutes with a maximum 30-minute offset on a workstation or server, and every five minutes on a domain controller, as per Group Policy processing. To update audit policy manually, you can restart the computer or issue the GPUPDATE.EXE command.

Auditing Object Access
1. Be sure to mention that you can only monitor object access for files and folders residing on NTFS volumes.
2. Give examples of why you might wish to monitor object access.
3. Explain that you must first configure audit policy to audit object access, as in Activity 14-6, and then configure the settings on individual objects. Describe how to configure audit settings for specific files and folders by using the Advanced Security Settings on the particular resource.
4. Note that you should audit access by the Everyone group to catch access attempts by unauthenticated users. Mention that Active Directory objects can also be audited individually, as for files and folders.

Activity 14-7: Configuring Auditing on an NTFS Folder
1. The purpose of this activity is to familiarize students with configuring auditing on objects. Specifically, in this case, students configure auditing of successful and failed attempts to access an NTFS folder.
2. Students create a new folder with specific permissions as described in the activity. They configure auditing for the folder as directed.
3. Students log off and then log back on under a different account and try to access and delete the folder to create failed attempts. They log off this account and log back on under an administrator account to open Event Viewer and check the Security log.

Best Practices
1. This section describes the process of planning an audit policy that provides the needed security. Discuss with students the ultimate goal: to audit those events and objects that are important and that will provide useful information, and not to audit things that will simply increase overhead for both the system and the administrator. A number of guidelines are provided to help with the planning process.

Analyzing Security Logs
1. Reiterate that any event covered by an audit policy will generate an entry in a Security log. The log is then viewed using Event Viewer.
2. Go over the Event Viewer display and how to use the summary and detailed contents.
3. Note that Event Viewer shows the local security log by default, but that it can also be used to look at the security log on a remote computer.
4. Explain the Find and Filter options of Event Viewer.

Activity 14-8: Configuring Event Viewer Log Properties
1. In this activity, students explore the use of the Find and Filter features in Event Viewer to manage the potentially large number of entries.
2. Students open Event Viewer and view the Security log. They use the Find command to find instances of particular events. They then use the Filter command to display only those events. They browse the events to ensure that they meet the criteria provided and, finally, they reset Event Viewer to display all events again.

Configuring Event Viewer
1. Discuss with students the need to configure the properties of a security log to ensure that enough information is kept without allowing the log to become too large.
2. Describe how to configure properties on a security log through Event Viewer.
3. Go over the list of Security log configuration options in Table 14-2.

Activity 14-9: Editing Security Log Settings and Saving Events
1. This activity is designed to allow students to manage a security log configuration and to archive security log files.
2. Students open Event Viewer and the Properties of the Security log as directed. They configure several of the settings as desired.
3. Next, students save the current security log and clear all the old events. Finally, students open the saved log to verify that it was saved as expected.

Quick Quiz
1. What tool is normally used to view a security log?
Answer: Event Viewer
2. True or False: In the default Audit Policy, Audit account logon events is configured to log successful and failed logon attempts.
Answer: False, it is configured to audit only successful events by default.
3. True or False: To audit file and folder access on a FAT volume, you must be a member of the Administrators group.
Answer: False, file and folder access can only be audited when the files and folders reside on an NTFS volume.
4. To have Event Viewer display only the events in a Security log that meet specific criteria chosen by the user, you would use the ____________________ feature.
Answer: Filter

Class Discussion Topics
1. Since it is possible to allow users access to a network without authentication, are there times when this might be useful? What are the advantages and disadvantages of allowing this?
2. Why were significant changes made in how security configurations can be maintained between Windows NT and Windows Server 2003?
3. Discuss why it is important to monitor network events. Why can only administrators and users who have the Manage Auditing and Security log user right view the contents of a security log?

Additional Projects
1. Develop a specific network and resource-auditing plan for an organization. Describe the organization and the particular organizational characteristics that drive the features of the auditing plan. Note what events and objects are to be audited and the specific criteria for auditing them, and describe how you will use the resulting logs.
2. Research the use of the SECEDIT command-line tool. When might SECEDIT be particularly useful? Try using the tool to analyze a database setting and compare it to a current configuration. Explore using some of the other options. Do you prefer SECEDIT or the other Security Configuration Manager tools that can be used to accomplish the same tasks?
3. Using the Internet, do some research on packet sniffing. What does this mean, is it common, and is it detectable? Given what you learn, how important is it to use a security protocol like IPSec? As an organizational administrator, how do you think you would use encryption for network traffic?

Solutions to Additional Projects
1. The auditing plan that is developed should be reasonably motivated by the type of organization for which it is designed.
It should follow the guidelines specified in the Best Practices section: auditing only events and objects for which a reason is given, auditing the Everyone and Administrators groups and the use of user rights assignment, and specifying a schedule for reviewing the security logs.
2. SECEDIT can be called from a batch file or from the automatic task scheduler to run at off-peak times or on multiple computers, which makes it a useful administrative tool. Student activities will vary depending on which options they choose. Information about SECEDIT switches and parameters is available on the Microsoft site.
3. Packet sniffing is a technique for copying packets as they travel across a network. It is very easy to do, and there are many software packages available for it. Much network traffic is not encrypted, so the captured information is easy to read. Some sniffers can be detected, but some cannot. Generally, in any type of organization that has sensitive information traveling on a network, an administrator should consider encrypting the information.
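As an added example for the SECEDIT section and Additional Project 2 above (not code from the textbook), the following batch file runs a read-only SECEDIT analysis of a domain controller against the built-in hisecdc.inf template and lists the settings that differ, so it can be scheduled to run off-peak. It assumes the template location used by Windows Server 2003; the database and log file names and the task name are constructed for this example.

```batch
@echo off
rem Scheduled security analysis with SECEDIT (added example, not from the textbook).
rem Assumes the built-in template folder used by Windows Server 2003; the database
rem and log file names below are constructed for this example.
setlocal
set TEMPLATE=%SystemRoot%\security\templates\hisecdc.inf
set SECDB=%SystemRoot%\security\database\nightly-analysis.sdb
set SECLOG=%SystemRoot%\security\logs\nightly-analysis.log

rem Start from a fresh database so the analysis reflects only this template.
if exist "%SECDB%" del /q "%SECDB%"

rem /analyze compares the current settings with the template; it changes nothing
rem on the system (only /configure applies settings).
secedit /analyze /db "%SECDB%" /cfg "%TEMPLATE%" /log "%SECLOG%"
if errorlevel 1 (
    echo SECEDIT analysis failed; see "%SECLOG%"
    exit /b 1
)

rem Each setting that differs from the template is recorded in the log as a
rem "Mismatch" line; list them for review before anyone decides to /configure.
echo Settings that differ from %TEMPLATE%:
findstr /i /c:"Mismatch" "%SECLOG%"

rem To run this nightly at 02:00 with the task scheduler (task name constructed):
rem   schtasks /create /sc daily /st 02:00 /tn "Nightly security analysis" /tr "%~f0"
endlocal
```

Because the database is created by the member of the Administrators group running the script, keep it and the log in a location that ordinary users cannot read, since they reveal which hardening settings the server does not yet meet.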