MS Windows 2000 Group Policy: Security Configuration Toolset
Presented by Kris Daley, Julie Evans and Kenneth Fitch

Security Configuration Toolset - Outline
• Security Templates
• NSA Guidelines
  – Account Policy
  – Local Policy
  – Event Log
  – Restricted Groups
  – System Services
  – Registry Security Settings
  – File System Security
  – Security Configuration and Analysis
Copyright, University of Tulsa, 2002

Points to Consider
• Do not attempt to install any of the settings in this guide without first testing in a non-operational environment
• These recommendations are not meant to replace well-structured policy or sound judgment
• These settings are specific to Windows 2000 and may work differently on other Windows platforms
• Currently, no Undo function exists for deletions made within the Windows 2000 registry – make sure that Confirm On Delete is selected from the options menu to avoid accidental deletion
• Care should be taken when applying this document’s recommended settings to Exchange 2000 servers (see the NSA Exchange 2000 security guide)

The Security Configuration Toolset
• The tool set allows system administrators to consolidate many security-related system settings into a single configuration file (called a template or an .inf file)
• The toolset consists of two MMC snap-ins
  – Security Templates
  – Security Configuration and Analysis

Templates
• Templates
  – are files containing a set of security configurations
  – provide an easy way to standardize security across a platform or domain
  – can be applied by
    • importing into a Group Policy Object (GPO)
    • directly applying to the local computer policy

Templates, the MMC, and You
• Viewing/Configuring Templates
  – In the MMC, use the Security Templates snap-in
• Adding Templates
  – The default template directory is C:\WINDOWS\security\templates
  – New templates can be added by placing them in this directory
• Creating Templates
  – Right-click on the template folder in the MMC and select New Template…

Templates, the MMC, and You
• Microsoft Default Security Templates
  – Defltdc.inf – Windows 2000 Server/Advanced Server Domain Controller Default
  – Defltsv.inf – Windows 2000 Server/Advanced Server Default
  – Defltwk.inf – Windows 2000 Professional Default
  – basicwk/dc/sv.inf – Basic workstation/domain controller/server
  – securedc/ws.inf – Secure domain controller/workstation
  – hisecdc/ws.inf – High Security domain controller/workstation

Templates Checklist
• When installing the NSA security templates, it is recommended to follow the checklist available in the NSA Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set (pp. 19-20)

NSA Security Configuration Templates
• The NSA has released a set of templates containing recommended security settings for workstations, servers, and domain controllers
• They include
  – SCEReglV.INF
  – W2KDC.INF
  – W2K Domain Policy.INF
  – W2K Server.INF
  – W2K Workstation.INF
  – ISA.INF
• They can be downloaded at http://nsa1.www.conxion.com/win2k/download.htm

Chapter 3 Account Policy
• Account policy consists of
  – Password Policy
  – Lockout Policy
  – Kerberos Policy
• In Windows 2000 domains, account policy is set and enforced in the domain’s Group Policy
• Attempts to configure domain account policies in other GPOs are ignored
• Configuring account policies directly on workstations and member servers only impacts the local password or lockout policy on the machine

Account Policy – Password Policy (setting, purpose, recommended value)
Enforce password history
  Prevents users from toggling between their favorite passwords. Recommended: 24 passwords
Maximum password age
  The period of time that a user is allowed to have a password before being required to change it. Recommended: 90 days
Minimum password age
  Prevents more clever users from toggling between their favorite passwords. Recommended: 1 day
Minimum password length
  Longer passwords are more difficult to guess. Recommended: 12 characters
Passwords must meet complexity requirements
  Passwords must contain three of the following four: upper case letters, lower case letters, numbers, and punctuation. Recommended: Enabled
Store passwords using reversible encryption for all users in the domain
  Exists to provide password information to certain applications and is similar to storing clear-text passwords - do NOT do it. Recommended: Disabled

Account Policy – Lockout Policy (setting, purpose, recommended value)
Account lockout duration
  Number of minutes an account will be locked out. Recommended: 15 minutes
Account lockout threshold
  Prevents brute-force password cracking. Recommended: 3 invalid login attempts
Reset account lockout counter
  Sets the number of minutes before the invalid login count is reset. Recommended: 15 minutes

Account Policy – Kerberos Policy (setting – recommended value)
Enforce user logon restrictions – Enabled
Maximum lifetime for service ticket – 600 minutes
Maximum lifetime for user ticket – 10 hours
Maximum lifetime for user ticket renewal – 7 days
Maximum tolerance for computer clock synchronization – 5 minutes

Chapter 4 Local Policy
• Local policy includes
  – Auditing Policy
  – User Rights Assignment
  – Security Options

Local Policy – Auditing Policy (setting – recommended value)
Audit account logon events – Success, Failure
Audit account management – Success, Failure
Audit directory service access
  Audits users’ access to AD objects that have their system access control list defined.
  Has no meaning on workstations and member servers. Recommended: No auditing (workstations and member servers); Failure (domain controllers)
Audit logon events
  Differs from ‘Audit account logon events’ in that it records where the logon occurred versus where the logged-on account lives. Recommended: Success, Failure
Audit object access
  Audits directory, file, printer, etc. access - individual object auditing is not automatic and must be enabled in the object’s properties. Recommended: Failure
Audit policy change – Success, Failure
Audit privilege use – Failure
Audit process tracking
  Can be used when the system is believed to be under attack. Recommended: No auditing
Audit system events – Success, Failure

Local Policy – User Rights Assignment (right – Workstations | Domain Controllers and Member Servers)
Access this computer from network – Administrators, Users | Administrators; Authenticated Users (DCs only); ENTERPRISE DOMAIN CONTROLLERS (DCs only); Users (Member Servers only)
Act as part of the operating system – (No one) | (No one)
Add workstations to domain – (No one) | (No one)
Backup files and directories – Administrators | Administrators
Bypass traverse checking – Users | Authenticated Users (DCs); Users (Member servers)
Change the system time – Administrators | Administrators
Create a pagefile – Administrators | Administrators
Create a token object – (No one) | (No one)
Create permanent shared objects – (No one) | (No one)

Local Policy – User Rights Assignment (continued; right – Workstations | Domain Controllers and Member Servers)
Debug programs – (No one) | (No one)
Deny access to this computer from the network – (No one) | (No one)
Deny logon as batch job – (No one) | (No one)
Deny logon as service – (No one) | (No one)
Deny logon locally – (No one) | (No one)
Enable computer and user accounts to be trusted for delegation – (No one) | Administrators (domain controllers); (No one) (member servers)
Force shutdown from a remote system – Administrators | Administrators
Generate security audits – (No one) | (No one)
Increase quotas – Administrators (workstations);
  Administrators (domain controllers and member servers)
Increase scheduling priority – Administrators | Administrators
Load and unload device drivers – Administrators | Administrators

Local Policy – User Rights Assignment (continued; right – Workstations | Domain Controllers and Member Servers)
Lock pages in memory – (No one) | (No one)
Log on as batch job – (No one) | (No one)
Log on as a service – (No one) | (No one)
Log on locally – Administrators, Users | Administrators
Manage auditing and security log – Administrators | Administrators
Modify firmware environment variables – Administrators | Administrators
Profile single process – Administrators | Administrators
Profile system performance – Administrators | Administrators
Remove computer from docking station – Administrators, Users | (No one)
Replace a process-level token – (No one) | (No one)
Restore files and directories – Administrators | Administrators

Local Policy – User Rights Assignment (continued; right – Workstations | Domain Controllers and Member Servers)
Shut down the system – Administrators, Users | Administrators
Synchronize directory service data – (No one) | (No one)
Take ownership of files or other objects – (No one) | (No one)

Local Policy – Security Options (option – Workstations | Domain Controllers and Member Servers)
Additional restrictions on anonymous access – No access without specific anonymous permissions | No access without specific anonymous permissions
Allow automatic administrator logon – Disabled | Disabled
Allow system to be shut down without having to log on – Disabled | Disabled
Allowed to eject removable NTFS media – Administrators | Administrators
Amount of idle time allowed before disconnecting session – 30 minutes | 30 minutes
Audit the access of global system objects – Enabled | Enabled
Audit use of backup and restore privilege – Enabled | Enabled

Local Policy – Security Options (continued; option – Workstations | Domain Controllers and Member Servers)
Automatically log off users when logon time expires (local) – Enabled | Enabled
Clear virtual memory page file when system shuts down – Enabled | Enabled
Disable CTRL+ALT+DEL requirement for login – Disabled | Disabled
Disable Media Autoplay – All Drives | All Drives
Do not display last user name in logon screen – Enabled | Enabled
LAN Manager authentication level – Send NTLMv2 response only/refuse LM & NTLM | Send NTLMv2 response only/refuse LM & NTLM

Chapter 5 Event Log Settings (setting – recommended value)
Maximum application log size; Maximum security log size; Maximum system log size – 4194240 Kbytes
Restrict guest access to application log; Restrict guest access to security log; Restrict guest access to system log – Enabled
Retain application log; Retain security log; Retain system log – Not defined (it is not recommended that any event logs be overwritten when they become full)
Retention method for application log; Retention method for security log; Retention method for system log – Manually
Shut down the computer when the security audit log is full – Enabled

Event Log Settings
• Managing the Event Logs
  – Use the Event Viewer to clear and reset audit logs
  – If the system halts as a result of a full log, an administrator must restart the system and clear the log
  – After clearing the logs, set the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail to 1 to return the system to normal status

Chapter 6 Restricted Groups
• Restricted groups allow the administrator to manage the membership of sensitive groups
• For example:
  – Add the Administrators group to the list of Restricted Groups and the Administrator account to Members of Administrators to disallow any other accounts from gaining Administrator privileges
• It is recommended that only sensitive groups be configured through security templates

Chapter 7 System Services
• Allows the configuration of startup modes and access control lists for all system services
• Permissions include
  – read
  – execute
  – write to
  – delete
  – start
  – pause
  – stop
• Because of the broad nature of this area, system service configuration is environment specific and is not configured in the NSA templates

Chapter 8 Registry Security Settings
• Tool set can be used to configure discretionary access control lists for registry keys
• WARNING: Incorrectly denying access to registry keys can make a system unusable and even unrecoverable
• Regedt32.exe can also be used to modify registry key access lists
• See guide for specific key recommendations

Registry Security Settings – Key Permissions (permission – meaning)
Query Value – Allows querying the registry for a specific value
Set Value – Allows new values to be created for a key and old values to be overwritten
Create Subkey – Allows the creation of subkeys
Enumerate Subkeys – Allows viewing of a list of subkeys under a registry key
Notify – Allows registration of a callback function that is triggered when the value changes
Create Link – Allows the creation of a link to a specific key
Delete – Allows deletion of a value or key
Write DAC – Allows modification of access controls on the key
Write Owner – Allows a user to take ownership of a key
Read Control – Allows reading of the key’s access control list

Chapter 9 File System Security Settings
• Allows setting permissions for specific files and folders
• This could also be accomplished by setting the permissions for each file individually, but would be much less convenient
• Specific files/folders can be excluded from inheriting the template permissions
• See NSA guidelines for recommended settings

Chapter 10 Security Configuration and Analysis
• Once the appropriate security templates have been modified, security analysis and configuration can and should be performed before applying a security configuration to the local system
• This is accomplished by adding the Security
Configuration and Analysis snap-in

Security Configuration and Analysis - Databases
• The Security Configuration and Analysis snap-in uses a database to store settings for an analysis or configuration
• Databases can be opened and templates applied through this snap-in

Security Configuration and Analysis - Analysis
• A security analysis is performed against a database, which acts as a baseline for the analysis
• Security settings within the configuration file(s) are compared to the current system security settings, and the results are stored back into a database
• To perform an analysis
  – Create a database
  – Select Analyze Computer Now…
  – The results will be displayed with the current value compared to the database value

Security Configuration and Analysis - Configuration
• Configuring a system consists of applying a template to the current configuration
• To configure a system
  – From the Database node select Configure Computer Now…
  – A log file containing resulting changes can be specified
  – NOTE: When a system is configured using the MMC, only the entire template can be applied

Group Policy Tools (Microsoft)
• GPResult
• GPOTool
• Secedit

GPResult
• This command-line tool displays information about the result Group Policy has had on the current computer and logged-on user.
• GPResult provides the following general information:
  – Operating System
  – User Information
  – Computer Information
  – Group Policy Information

GPResult
• Operating System
  – Type (Professional, Server, Domain Controller).
  – Build number and Service Pack details.
  – Whether Terminal Services is installed and, if so, the mode it is using.
• User Information
  – User name and location in Active Directory (if applicable).
  – Domain name and type (Windows 2000 or Windows NT).
  – Site name.
  – Whether the user has a local or roaming profile and location of the profile.
  – Security group membership.
  – Security privileges.
• Computer Information
  – Computer name and location in Active Directory (if applicable).
  – Domain name and type (Windows 2000 or Windows NT).
  – Site name.

GPResult
• Group Policy Information
  – The last time policy was applied and the domain controller that applied policy, for the user and computer.
  – The complete list of applied Group Policy objects and their details, including a summary of the extensions that each Group Policy object contains.
  – Registry settings that were applied and their details.
  – Folders that are re-directed and their details.
  – Software management information detailing assigned and published applications.
  – Disk quota information.
  – IP Security settings.
  – Scripts.

GPResult Report
D:\Resource Kit\GPResult>gpresult /v
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Saturday, October 19, 2002 at 3:04:59 PM

Operating System Information:
Operating System Type: Professional
Operating System Version: 5.3.2915.Service Pack 3
Terminal Server Mode: Not supported
###############################################################
User Group Policy results for:
OCENIA\julie
Domain Name: OCENIA
Domain Type: Windows NT v4
Roaming profile: (None)
Local profile: C:\WINNT\Profiles\julie.OCENIA
The user is a member of the following security groups:
• OCENIA\Domain Users
• \Everyone
• BUILTIN\Users
• BUILTIN\Administrators
• BUILTIN\Power Users
• OCENIA\Domain Admins
• \LOCAL
• NT AUTHORITY\INTERACTIVE
• NT AUTHORITY\Authenticated Users

GPResult Report (cont.)
The user has the following security privileges:
• Bypass traverse checking
• Shut down the system
• Remove computer from docking station
• Manage auditing and security log
• Back up files and directories
• Restore files and directories
• Change the system time
• Force shutdown from a remote system
• Take ownership of files or other objects
• Debug programs
• Modify firmware environment values
• Profile system performance
• Profile single process
• Increase scheduling priority
• Load and unload device drivers
• Create a pagefile
• Increase quotas
###############################################################
Last time Group Policy was applied: Saturday, October 19, 2002 at 1:55:04 PM

GPOTool
• This command-line tool allows you to check the health of the Group Policy objects on domain controllers.

GPOTool can:
1. Check Group Policy object consistency.
2. Check Group Policy object replication.
3. Display information about a particular Group Policy object, including properties that can't be accessed through the Group Policy snap-in such as functionality version and extension GUIDs.
4. Browse Group Policy objects.
5. Provide cross-domain support.
6. Run in verbose mode.

secedit
• The secedit.exe command line tool, when called from a batch file or automatic task scheduler, can be used to automatically create and apply templates and analyze system security. It can also be run dynamically from a command line.

secedit Syntax
secedit /analyze [/DB filename ] [/CFG filename ] [/log logpath] [/verbose] [/quiet]
• /DB filename – Provides the path to a database that contains the stored configuration against which the analysis will be performed. This is a required argument. If filename specifies a new database, the CFG filename argument must also be specified.
• /CFG filename – This argument is only valid when used with the /DB parameter. It is the path to the security template that will be imported into the database for analysis. If this argument is not specified, the analysis is performed against any configuration already stored in the database.
• /log logpath – The path to the log file for the process. If this is not provided, the default file is used.
• /verbose – Requests more detailed progress information during the analysis.
• /quiet – Suppresses screen and log output. You will still be able to view analysis results using Security Configuration and Analysis.

Group Policy Tools (3rd Party)
• Comprehensive Group Policy Management with FAZAM 2000 (by Full Armor)
  – http://www.fullarmor.com/solutions/group
• BV-Admin for Windows 2000 (by Bindview)
  – http://www.bindview.com/products/Admin/win2000.cfm
• Fastlane ActiveRoles (by Quest Software)
  – http://www.quest.com/fastlane/activeroles/

Fazam 2000 Highlights
• Life-Cycle Management for Group Policy
  – 4 Ws of GPO Change: Version history for any GPO is available on-line and shows who made the change, what was changed, when the change was made, and why the change was made. For any entry in the GPO history, FAZAM 2000 can produce a full report of the GPO as it existed at that point in time. The report may be viewed online, printed, saved as an HTML file or saved as a MS Access file.

Fazam 2000 Highlights
  – Delegation: Authority to create and change GPOs can be limited precisely so that GPO administration can be delegated with reduced risk.
  – Rollback: GPO rollback allows a prior version of a GPO to be put back in production.
  – Replication and Synchronization: GPOs can be easily replicated and synchronized from domain to domain and across forests - even disconnected forests - for consistency.
  – GPO Health: Administrators can determine the health of their Group Policy environment by running reports to discover GPO corruptions and replication problems.

Fazam 2000 Highlights
  – GPO Reporting: Allows IT Administrators to view detailed reports on GPOs in Active Directory through the MMC console or Web Browser.
  – Resultant Set of Policies: Provides the set of effective policies that apply to a user when logging on to a machine. Also allows for enhanced 'What/if' Scenarios.
  – Policy-centric view of AD: Provides a view of Active Directory with Group Policy links and filters.
  – Backup/Restore: Allows administrators to backup and restore individual GPOs on a domain including filters and links.
  – Troubleshooting and Diagnostics: Provides administrators with the ability to perform remote diagnostics from a central administrator console.
  – Search: Provides searching for GPOs and settings within GPOs.
  – Scripting: Provides scripting of the backup, import, and reporting of GPOs.

Free Fazam Software
• The Windows Resource Kit provides a limited version of Fazam. This reduced-function version of the tool offers the following features:
  – Central user interface for managing Group Policy objects (GPOs) that provides a hierarchical view of policies associated with organizational units (OUs) and domains.
  – Resultant Set of Policies (RSoP) feature that enables the display of applicable policies for software installation, registry settings, folder redirection, and scripts.
  – Simulation of scenarios in which a computer or a user moves from one OU to another and analysis of the RSoPs.
  – Diagnostics that show the histories of applied GPOs.
  – Search feature for GPOs based on the globally unique identifier (GUID) and GPO name.
  – Backup and Restoration of GPO settings for a single domain.
  – Partial reporting of registry settings.
• This version of FAZAM 2000 is designed for small enterprises, Windows 2000 deployment test labs, and single domains with fewer than 500 users or computers.

Group Policy Management Console (GPMC)
• What is the GPMC?
  – New admin tool for managing Group Policy:
    • Set of scriptable objects for managing GP
    • MMC Snap-in, built on these objects
• GPMC Design goals
  – Unify management of Group Policy
  – Address key deployment issues
  – Provide better UI for visualization
  – Enable programmatic access to GP

GPMC Features
• New User Interface for managing GPOs
• Reporting:
  – HTML view of GPO settings and RSoP data
  – Enables read-only access to GPO settings
• Search capabilities
• Backup/Restore of GPOs
• Import/Export, Copy/Paste
  – For GPOs and WMI Filters
• Resultant Set of Policy (RSoP) Integration
• Scripting of GPO operations
  – Note: not settings within GPO

GPMC Notes
• GPMC is in beta testing now.
• Due for shipping sometime in December.
• There is a PowerPoint by Microsoft that describes its features in detail at http://msruniv.corp.bcentral.com/Shared%20Documents/GPMC_TechEd_Europe.ppt
• Will be comparable in features to the Group Policy Fazam 2000 Tool

Group Policy Reference
• Guide published by the NSA to inform the reader about the available settings in Group Policy in an Active Directory-enabled domain updated with Service Pack 1.
• Is a map-like reference to help the reader locate specific policies within the Group Policy Snap-in for a given Active Directory container.

Group Policy Reference Structure
• The organization of each Policy Explanation is as follows:
  – The Policy Title as it appears in the Microsoft Management Console Group Policy snap-in.
  – Next, the default configuration, or default settings of the policy are listed, followed by all possible settings available to the administrator.
  – Finally, an explanation of the policy is provided. In many instances this is taken directly from the Explanation Tab for the policy itself. Additional comments have been provided for policies where the MMC explanation was determined lacking.

Group Policy Reference Document Contents
• Chapter 1, “Computer Configuration,” delineates policy settings available for computers within an Active Directory-enabled domain, including Software Settings, Windows Settings, Administrative Templates and all respective sub-nodes.
• Chapter 2, “User Configuration,” delineates policy settings available for users within an Active Directory-enabled domain, including Software Settings, Windows Settings, Administrative Templates and all respective sub-nodes.
• Index, a collection of the most useful/common keywords in the Group Policy snap-in.
• and ……….

Should remind you of: (screenshot slide)

Table of Contents (screenshot slide)

Group Policy Ref Contents Example (three screenshot slides)

Summary
• Security Configuration Toolset - Outline
  – Security Templates
  – NSA Guidelines
    • Account Policy
    • Local Policy
    • Event Log
    • Restricted Groups
    • System Services
    • Registry Security Settings
    • File System Security
    • Security Configuration and Analysis
• Group Policy Tools by Microsoft and 3rd Parties
• Group Policy Reference Document by the NSA

The End
I dare you to ask a question.
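The Account Policy and Auditing Policy tables earlier in the deck give the NSA values that a Security Configuration and Analysis run (or secedit /analyze) checks a system against. As an added example that is not code from the slides, the NSA or Microsoft, the Python script below performs the same comparison offline against a template file: it parses the [System Access] and [Event Audit] sections of a secedit-style .inf (section and key names follow the standard template layout; the sample template is constructed) and reports every setting that deviates from the recommended value, including settings the template leaves undefined.

```python
"""Compare a secedit-style security template (.inf) with the NSA values quoted on
these slides.  Added example: not code from the slides, the NSA or Microsoft.
Section and key names follow the standard secedit template layout; the sample
template at the bottom is constructed for the demo."""
import configparser


def nsa_baseline(role="workstation"):
    """Recommended values from the slides, keyed by (section, key).  role is
    'workstation', 'server' or 'dc'; only AuditDSAccess depends on it.
    Audit values in a template: 0 = no auditing, 1 = success, 2 = failure, 3 = both."""
    return {
        ("System Access", "PasswordHistorySize"): 24,    # 24 passwords remembered
        ("System Access", "MaximumPasswordAge"): 90,     # days
        ("System Access", "MinimumPasswordAge"): 1,      # days
        ("System Access", "MinimumPasswordLength"): 12,  # characters
        ("System Access", "PasswordComplexity"): 1,      # Enabled
        ("System Access", "ClearTextPassword"): 0,       # reversible encryption Disabled
        ("System Access", "LockoutBadCount"): 3,         # invalid login attempts
        ("System Access", "LockoutDuration"): 15,        # minutes
        ("System Access", "ResetLockoutCount"): 15,      # minutes
        ("Event Audit", "AuditAccountLogon"): 3,
        ("Event Audit", "AuditAccountManage"): 3,
        ("Event Audit", "AuditLogonEvents"): 3,
        ("Event Audit", "AuditObjectAccess"): 2,
        ("Event Audit", "AuditPolicyChange"): 3,
        ("Event Audit", "AuditPrivilegeUse"): 2,
        ("Event Audit", "AuditProcessTracking"): 0,
        ("Event Audit", "AuditSystemEvents"): 3,
        # Directory service access auditing only has meaning on a domain controller.
        ("Event Audit", "AuditDSAccess"): 2 if role == "dc" else 0,
    }


def parse_template(text):
    """Parse .inf text (templates on disk are UTF-16; decode before calling)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case, e.g. PasswordHistorySize
    cp.read_string(text)
    return cp


def analyze(text, role="workstation"):
    """Return {key: (template value or None, recommended value)} for each deviation.
    None means the template leaves the setting undefined, so applying it would
    keep whatever the system currently has."""
    cp = parse_template(text)
    findings = {}
    for (section, key), want in nsa_baseline(role).items():
        raw = cp.get(section, key, fallback=None)
        if raw is None:
            findings[key] = (None, want)
            continue
        have = int(raw.strip().strip('"'))
        if have != want:
            findings[key] = (have, want)
    return findings


# Constructed template with several settings weaker than the NSA recommendation.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""
```

`analyze(SAMPLE_TEMPLATE)` returns nine deviations for the constructed template (for example `ClearTextPassword: (1, 0)`), and `analyze(SAMPLE_TEMPLATE, role="dc")` adds a tenth for `AuditDSAccess`.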
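The GPResult report earlier in the deck shows OCENIA\julie holding Debug programs and Take ownership of files or other objects, two rights the NSA workstation user-rights table assigns to no one. As an added example, not code from the slides or from Microsoft, the Python script below parses the user section of a gpresult /v report (the sample report is constructed to mirror the slides' output without the slide bullets) and flags privileges that conflict with that table, taking the user's group membership into account for Administrators-only rights.

```python
"""Check the privileges a GPResult /v report lists for a user against the NSA
workstation user-rights table on these slides.  Added example, not code from
the slides or from Microsoft; the report at the bottom is constructed."""

# Workstations column of the slides: rights the NSA assigns to no one ...
NO_ONE = {
    "Act as part of the operating system", "Add workstations to domain",
    "Create a token object", "Create permanent shared objects", "Debug programs",
    "Generate security audits", "Lock pages in memory", "Log on as batch job",
    "Log on as a service", "Replace a process-level token",
    "Synchronize directory service data", "Take ownership of files or other objects",
}
# ... and rights reserved to Administrators (spelled the way gpresult prints them).
ADMIN_ONLY = {
    "Back up files and directories", "Change the system time", "Create a pagefile",
    "Force shutdown from a remote system", "Increase quotas",
    "Increase scheduling priority", "Load and unload device drivers",
    "Manage auditing and security log", "Modify firmware environment values",
    "Profile single process", "Profile system performance",
    "Restore files and directories",
}
ADMIN_GROUPS = {"Administrators", "Domain Admins"}


def _norm(name):
    """Case- and space-insensitive key so 'Backup' and 'Back up' compare equal."""
    return "".join(name.lower().split())


def parse_gpresult(report):
    """Return (groups, privileges) from the user section of a gpresult /v report."""
    groups, privs, current = [], [], None
    for raw in report.splitlines():
        line = raw.strip().lstrip("• ").strip()   # tolerate pasted slide bullets
        if not line or line.startswith("#"):
            current = None                         # blank line or ### rule ends a list
        elif line.endswith("security groups:"):
            current = groups
        elif line.endswith("security privileges:"):
            current = privs
        elif current is not None:
            current.append(line)
    return groups, privs


def review(report):
    """Return (privilege, reason) pairs that conflict with the NSA workstation table."""
    groups, privs = parse_gpresult(report)
    is_admin = any(g.rsplit("\\", 1)[-1] in ADMIN_GROUPS for g in groups)
    no_one = {_norm(n) for n in NO_ONE}
    admin_only = {_norm(n) for n in ADMIN_ONLY}
    findings = []
    for priv in privs:
        if _norm(priv) in no_one:
            findings.append((priv, "NSA: assign to no one"))
        elif _norm(priv) in admin_only and not is_admin:
            findings.append((priv, "NSA: Administrators only, but user is not an admin"))
    return findings


# Constructed report modelled on the slides' gpresult /v output for OCENIA\julie.
SAMPLE_REPORT = r"""User Group Policy results for:
OCENIA\julie
Domain Name: OCENIA

The user is a member of the following security groups:
    OCENIA\Domain Users
    BUILTIN\Users
    BUILTIN\Administrators
    OCENIA\Domain Admins
    NT AUTHORITY\Authenticated Users

The user has the following security privileges:
    Bypass traverse checking
    Shut down the system
    Back up files and directories
    Take ownership of files or other objects
    Debug programs
    Modify firmware environment values
    Load and unload device drivers
###############################################################
Last time Group Policy was applied: Saturday, October 19, 2002 at 1:55:04 PM
"""
```

For the constructed report `review(SAMPLE_REPORT)` flags only the two "no one" rights, because the user is in BUILTIN\Administrators; for a non-admin user the Administrators-only rights would be flagged as well.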