1 Objectives Audit Policies Update and maintain your clients using Windows Server Update Service Microsoft Baseline Security Analyzer Windows Firewalls Security Configuration and Security Templates

Upload: dale-nichols

Post on 29-Dec-2015


TRANSCRIPT

Page 1: 1 Objectives Audit Policies Update and maintain your clients using Windows Server Update Service Microsoft Baseline Security Analyzer Windows Firewalls

Objectives

• Audit Policies

• Update and maintain your clients using Windows Server Update Service

• Microsoft Baseline Security Analyzer

• Windows Firewalls

• Security Configuration and Security Templates

Page 2:

Understanding Auditing

• Auditing: the process of tracking both user activities and Windows activities, called events.

• The audit policy specifies which events are written to the security log.

• An audit entry in the security log records:

– The action that was performed.

– The user who performed the action.

– Whether the action succeeded or failed, and when the event occurred.

Page 3:

Configuring Auditing: Overview

• An audit policy is implemented based on the role of the computer in the Windows network.

Computer Roles

• For member or stand-alone servers and client PCs (XP, Vista)

– An audit policy is set for each individual computer.

– Events are audited by configuring the local group policy for that computer, or

– by the audit policy in a GPO linked to the domain or OU the computer belongs to (a domain GPO setting takes precedence over the local policy).

• Domain controllers

– An audit policy is set for all domain controllers in the domain.

– Events are audited by configuring the audit policy in a non-local GPO for the domain, which applies to all DCs and is accessible through the Domain Controllers OU (by default, the Default Domain Controllers Policy).

Page 4:

Setting Up Auditing -- Two Steps

• Step 1 - Set the audit policy: selects the categories of events to audit (for example, Audit Object Access). For object access this turns auditing on in general but does not yet cause any particular file, folder, printer or directory object to be audited.

• Step 2 - Enable auditing of specific resources: identify the specific events to track for files, folders, printers, and Active Directory objects by adding auditing entries (the object's SACL) to each object. Windows then tracks and logs the specified events.

Page 5:

Step 1 - Setting Up an Audit Policy

• Select the categories of events that Windows audits.

• For each audited category, the configuration settings indicate whether to track successful attempts, failed attempts, or both.

• Audit policy is part of Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy) and is configured via Group Policy Management.

• The security log is limited in size, so the events to be audited must be selected carefully.

• The amount of disk space to devote to the security log must be considered.

Page 6:

Types of Events Audited by Windows

• Account logon

• Account management

• Directory service access

• Logon events

• Object access

• Policy change

• Privilege use

• Process tracking

• System events

Page 7:

New in Server 2008

• 50 audit sub-categories underneath the nine categories

– E.g. Object Access has 11 sub-categories:

§ File System
§ Registry
§ Kernel Object
§ SAM
§ Certification Services
§ Application Generated
§ Handle Manipulation
§ File Share
§ Filtering Platform Packet Drop
§ Filtering Platform Connection
§ Other Object Access Events

• Enabling a whole category through the Group Policy Management Console (the Audit Policy node) enables all of its sub-categories and generates a lot of unwanted auditing.

• Use AuditPol.exe to enable individual sub-categories. Note that a category setting delivered by Group Policy overwrites sub-category settings made with AuditPol.exe at each policy refresh unless the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.
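The following is an added example, not part of the original slides: it does the AuditPol.exe sub-category work described above from an elevated PowerShell session on a Windows Server 2008 host, and also sets the registry value (SCENoApplyLegacyAuditPolicy) behind the "Force audit policy subcategory settings" policy so that a legacy category setting from Group Policy cannot undo the sub-category choices. The particular sub-categories and success/failure choices are an illustrative selection, not a recommended baseline.

```powershell
# Added example (not part of the original slides): enable only the Object Access
# sub-categories you want with auditpol.exe, and keep a legacy category setting
# delivered by Group Policy from overwriting them. Run elevated on the target.
# The sub-category selection below is illustrative, not a recommended baseline.

# 1. Record the effective policy before changing anything (auditpol is the only
#    reliable way to see it; the GPMC Audit Policy node shows categories only).
$snapshot = "$env:TEMP\auditpol-before-$(Get-Date -Format yyyyMMdd-HHmm).txt"
auditpol /get /category:* | Out-File -FilePath $snapshot

# 2. Make sub-category settings win over legacy category settings. This is the
#    registry value behind the policy "Audit: Force audit policy subcategory
#    settings (Windows Vista or later) to override audit policy category settings".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 3. Set individual sub-categories. Names are the ones 'auditpol /list /subcategory:*' prints.
$wanted = @(
    @{ Name = 'File System';         Success = 'enable';  Failure = 'enable'  },
    @{ Name = 'File Share';          Success = 'enable';  Failure = 'enable'  },
    @{ Name = 'Registry';            Success = 'disable'; Failure = 'enable'  },
    @{ Name = 'Handle Manipulation'; Success = 'disable'; Failure = 'disable' }   # extremely noisy
)
foreach ($s in $wanted) {
    $sub = "/subcategory:$($s.Name)"     # PowerShell quotes the argument because of the space
    $suc = "/success:$($s.Success)"
    $fai = "/failure:$($s.Failure)"
    auditpol /set $sub $suc $fai | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($s.Name)'" }
}

# 4. Verify only the Object Access rows of the effective policy.
auditpol /get /category:"Object Access"

# 5. Keep a machine-readable backup for change control; restore it with 'auditpol /restore /file:'.
auditpol /backup /file:"$env:TEMP\auditpol-$(Get-Date -Format yyyyMMdd-HHmm).csv"
```

Step 2 matters more than it looks: without it, the next Group Policy refresh on a computer whose GPO sets "Audit object access" as a category re-enables all eleven sub-categories, and the log fills with the handle-manipulation noise the slide warns about.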

Page 8:

General Audit Policy Guidelines

• Determine the computers on which to set up auditing.

– Auditing is turned off by default.

• Plan the events to audit on each computer.

• Determine whether to audit the success of events, failure of events, or both.

– Tracking successful events identifies which users gained access to specific files, printers, or objects, information that can be used for resource planning (and, after an incident, shows what a compromised account actually touched).

– Tracking failed events may alert the administrator to possible security breaches, such as repeated attempts to open files a user is not permitted to read.

Page 9:

Other Policy Guidelines and Considerations

• Determine whether to track trends of system usage.

• Review security logs frequently.

• Define an audit policy that is useful and manageable.

• Audit resource access by the Everyone group instead of the Users group, so that access by accounts that are not members of Users (for example Guest or accounts from other domains) is recorded as well.

• Audit all administrative tasks performed by the administrative groups.

• The Manage Auditing And Security Log user right (SeSecurityPrivilege) on the computer is necessary to configure an audit policy or object auditing entries, and to read or clear the security log.

Page 10:

AUDIT POLICY

Page 11:

DEFAULT DOMAIN CONTROLLER AUDIT POLICY

Page 12:

Step 2 – Enable Auditing of Specific Resources

• Files and folders to be audited must be on NTFS volumes (FAT volumes carry no security descriptor and therefore no SACL).

• After Audit Object Access is set in the audit policy, auditing for specific files and folders is enabled in the object's properties (Security > Advanced > Auditing), specifying which types of access to audit, and for which users or groups.

Page 13:

User Events

• Traverse Folder/Execute File

• List Folder/Read Data

• Read Attributes and Read Extended Attributes

• Create Files/Write Data

• Create Folders/Append Data

• Write Attributes and Write Extended Attributes

• Delete Subfolders And Files

• Read Permissions

• Change Permissions

• Take Ownership
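As an added example (not from the original slides), the following adds the same kind of auditing entry the Auditing tab creates, from PowerShell. It assumes a folder C:\Finance on an NTFS volume, that the Object Access > File System sub-category is already enabled in the audit policy, and an elevated session (reading or writing a SACL requires the Manage Auditing And Security Log right). The access types chosen are the ones from the list above that matter for tampering.

```powershell
# Added example (not part of the original slides): put an auditing entry (SACL)
# on a folder. Assumes C:\Finance exists on NTFS, "Object Access > File System"
# auditing is enabled, and the session is elevated (SeSecurityPrivilege).

$path = 'C:\Finance'

# Audit the Everyone group, as the guidelines recommend, so Guest and foreign
# accounts are covered too. S-1-1-0 is "Everyone" in any locale.
$identity = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Access types from the User Events list that indicate tampering rather than reading.
$rights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity,
    $rights,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),     # apply to subfolders and files
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))                 # log both outcomes

# -Audit makes Get-Acl read the SACL as well as the DACL; without it Set-Acl
# would write back an object that carries no auditing information.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify what is now in the SACL.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Reading successes on a busy share are left out on purpose: every List Folder/Read Data success is an event, and the security log size from Page 5 is the budget those events come out of.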

Page 14:

Auditing Access to Printers

• Use auditing to track access to sensitive printers.

• Use the same procedure used to set up auditing on files and folders (the printer's Properties > Security > Advanced > Auditing tab).

• Set the Audit Object Access event category in the audit policy; printers are objects and are covered by it.

Page 15:

Auditing Entry For Dialog Box

Enable auditing for specific printers and specify the types of access, and by whom, to audit.

Page 16:

Auditing Access to Active Directory Objects

• Similar to auditing file and folder access.

• The Audit Directory Service Access category must be enabled in the audit policy applied to the domain controllers, and then auditing for specific objects must be set in each object's security properties by specifying which types of access, and by whom, to audit.

Page 17:

Active Directory Object Events

• Full Control

• List Contents

• Read All Properties

• Write All Properties

• Create All Child Objects

• Delete All Child Objects

• Read Permissions

• Modify Permissions

• Modify Owner

Page 18:

Recommended Audit Events

Page 19:

Security Log Overview

• The security log contains the events generated according to the audit policy.

• Use Event Viewer to view it.

• Events can be viewed from any computer, by a user who holds administrative privileges (or the Manage Auditing And Security Log right) on the computer where the events occurred.

• Event Viewer also allows specific events within the log files to be found, the events shown to be filtered, and security log files to be archived.

Page 20:

Event Viewer

Page 21:

The Find In Dialog Box

The Find command is used to search for specific events.

Page 22:

Options on the Find In Dialog Box

Page 23:

Configuring Security Logs

• Security logging begins when an audit policy is set.

• Security logging stops when the security log becomes full and cannot overwrite itself; an error may be written to the application log. (The policy "Audit: Shut down system immediately if unable to log security audits" can instead halt the computer, so that no activity goes unrecorded.)

• Log properties can be configured, e.g. the maximum log size and whether to overwrite the earliest records when the log is full.

• The log can be cleared manually, which erases all events permanently. Clearing the security log is itself audited (event ID 1102 on Windows Server 2008), so archive the log before clearing it.

Page 24:

Archiving Security Logs

• Archived logs often are kept for a specified period, to track security-related information over time and maintain a history of security-related events.

• The entire log is saved, regardless of filtering options.

• Logs saved in the event log format (.evt on Windows Server 2003 and earlier, .evtx on Windows Server 2008 and later) retain the binary data for each event and can be reopened in Event Viewer.

• Logs archived in text or comma-delimited format (.txt and .csv, respectively) can be reopened in other programs, such as word processing or spreadsheet programs, but lose the binary data.

• An archived log is removed from the system by deleting the file in Windows Explorer, so protect the archive folder with NTFS permissions (and auditing) so that only the people meant to manage the archive can read or delete it.
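The following added example (not from the original slides) covers Pages 19, 23 and 24 from the command line on Windows Server 2008 with PowerShell 2.0: it sizes the security log, searches it for failed logons the way the Find dialog would, and archives it in .evtx before clearing it. The archive folder D:\SecLogs is an assumed path; the event ID and field names are those of the Windows Server 2008 security log.

```powershell
# Added example (not part of the original slides): size, search and archive the
# security log. Assumes an elevated session; D:\SecLogs is an assumed path.

# 1. Size and retention. 'OverwriteAsNeeded' is the "overwrite earliest records
#    when the log is full" option from the log's Properties dialog.
Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteAsNeeded

# 2. Search: failed logons (event 4625) from the last 24 hours, read from the
#    event's XML rather than parsed out of the message text.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$report = foreach ($e in $failed) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        User   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source = $d['IpAddress']
        Status = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = no such user
        Logon  = $d['LogonType']   # 3 = network, 10 = remote desktop
    }
}
# Many failures from one source against many accounts is a password spray;
# many against one account from one source is a guessing attempt.
$report | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name -First 10
$report | Group-Object User   | Sort-Object Count -Descending | Select-Object Count, Name -First 10

# 3. Archive in native .evtx (keeps the binary data), then clear. 'epl' exports
#    the whole log regardless of any Event Viewer filter, as the slide says.
$archive = Join-Path 'D:\SecLogs' ("Security-{0}-{1}.evtx" -f $env:COMPUTERNAME, (Get-Date -Format yyyyMMdd-HHmmss))
wevtutil epl Security $archive
if ($LASTEXITCODE -eq 0 -and (Test-Path $archive)) {
    wevtutil cl Security    # logs event 1102 as the first entry of the new, empty log
} else {
    throw "Export failed; the security log was not cleared."
}
```

wevtutil cl Security /bu:<file> does the export and clear as one operation; the two-step form above is used so the clear only happens once the archive file is confirmed to exist.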

Page 25:

Updating Windows Server 2008

• Windows Update (in Control Panel)

– Suite of tools and services for applying updates to systems

– Responsible for downloading and installing updates from Microsoft

– Requires access to the Internet

Page 26:

Windows Server Update Services

• Centralizes the updating tasks for clients and servers

• Benefits of WSUS

– Centralizes update management

– Minimizes the effect on the WAN connection (updates are downloaded from Microsoft once and served locally)

– Improves network security and reliability

– Improves installation of relevant updates

– Targets updates to specific computers and computer groups

• Basic requirements before installing WSUS 3.0 SP1

– Microsoft Internet Information Services (IIS) 7.0

– Microsoft Report Viewer Redistributable 2005

– Minimum of 6 GB of free space for storing downloaded updates

Page 27:

Working with WSUS

• The WSUS Administrative console allows you to:

– Generate reports

– Manage updates

– Monitor client computers and their update status through the console

Page 28:

Page 29:

Windows Server Update Services (continued)

• Configuring clients

– After WSUS has been installed and configured in the WSUS console, your clients need to be configured to use the WSUS server for updates instead of Microsoft Update, normally through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location).

• Approving and deploying updates

– Using the Update Services console, you can control:

• Which updates are applied

• Which computers receive the updates

• When the updates are distributed
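The client-configuration step above, as an added example that is not part of the original slides: it writes the same registry values the "Specify intranet Microsoft update service location" policy writes, for a stand-alone or lab client, then triggers a detection cycle and checks the result. The server name wsus.corp.example, the port and the target group "Servers-Pilot" are assumed values.

```powershell
# Added example (not part of the original slides): point a client at a WSUS
# server by setting the policy registry values directly, then check it worked.
# wsus.corp.example:8531 and the group "Servers-Pilot" are assumed values.
#
# Use https. The client treats whatever this URL serves as its update source, so
# a plain-http WSUS URL lets anyone who can intercept the traffic hand the
# client tampered update metadata.

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
foreach ($k in $wu, $au) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

Set-ItemProperty -Path $wu -Name WUServer       -Value 'https://wsus.corp.example:8531'
Set-ItemProperty -Path $wu -Name WUStatusServer -Value 'https://wsus.corp.example:8531'
# Client-side targeting: the computer reports itself into this WSUS computer group.
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value 'Servers-Pilot'

Set-ItemProperty -Path $au -Name UseWUServer  -Value 1 -Type DWord   # 1 = use WUServer, 0 = Microsoft Update
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 3 -Type DWord   # 3 = download, then notify to install
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency        -Value 4 -Type DWord   # hours

# Pick up the new settings, drop any cached client identity, and report in.
Restart-Service wuauserv
wuauclt /resetauthorization /detectnow

# Confirm which server the client is actually configured to use.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroup

# The Windows Update Agent log shows the detection result; the last lines should
# name the WSUS URL and report how many updates were found.
Get-Content "$env:windir\WindowsUpdate.log" | Select-Object -Last 20
```

Once the computer shows up in the WSUS console under Servers-Pilot, the "which updates / which computers / when" decisions on this slide are made by approving updates for that group rather than for All Computers.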

Page 30:

Microsoft Baseline Security Analyzer 2.1

• A tool for beginning to analyze your current security posture

• MBSA scans for missing security updates for the following products:

– Windows 2000 SP4 and later

– Microsoft Office XP and later

– Microsoft Exchange Server 2000 and later

– Microsoft SQL Server 2000 SP4 and later

• MBSA

– Free download from Microsoft

– Can be used on a local computer or to connect to one or more remote computers on your network

• Options for running MBSA on remote computers

– By domain name or by IP address range

Page 31:

Microsoft Baseline Security Analyzer (continued)

• When MBSA scans a computer, it creates a report that is organized into the following areas:

– Security Assessment

– Security Update Scan Results

– Windows Scan Results

– Internet Information Services (IIS) Scan Results

– SQL Server Scan Results

– Desktop Application Scan Results

• Scanning a computer with MBSA. You can perform MBSA scans using:

• The GUI-based tool

• The mbsacli.exe command-line tool

– MBSA needs Internet connectivity to fetch the current update catalog (wsusscn2.cab); alternatively it can scan against a previously downloaded copy of that catalog, or against the updates approved on the client's WSUS server.
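As an added example (not from the original slides), this runs MBSA 2.1 unattended with mbsacli.exe against a subnet and summarises the resulting reports. The installation path, the IP range 10.0.1.1-10.0.1.254 and the report-name template are assumed values; the switches are mbsacli's own (mbsacli /? lists them), and the report element names used in the last step are those of the MBSA 2.x XML report format. The scanning account needs local administrator rights on the targets, and the Remote Registry service and the admin shares must be reachable on them.

```powershell
# Added example (not part of the original slides): drive MBSA from PowerShell.
# Path, IP range and report template are assumed values.

$mbsa = "${env:ProgramFiles}\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
if (-not (Test-Path $mbsa)) { throw "mbsacli.exe not found at $mbsa" }

# /r     IP range (use /d DOMAIN for a whole domain, /target DOMAIN\HOST for one machine)
# /n     skip checks: any of OS, SQL, IIS, Updates, Password, joined with +
# /wi    report all missing updates, not only those approved on the client's WSUS server
# /nvc   do not check for a newer MBSA version (one Internet round-trip fewer)
# /o     file-name template for the reports: %D% domain, %C% computer, %T% timestamp
& $mbsa /r 10.0.1.1-10.0.1.254 /n IIS+SQL /wi /nvc /o '%D% - %C% (%T%)'

# Offline variant when the scanner has no Internet access: download wsusscn2.cab
# from Microsoft on a connected machine, copy it over, and point MBSA at it.
#   & $mbsa /r 10.0.1.1-10.0.1.254 /catalog C:\MBSA\wsusscn2.cab /wi /nvc

# Reports are written to the scanning user's profile as XML (.mbsa) files.
# SecScan / Check / Name / Grade are the MBSA 2.x report element and attribute
# names; Grade codes are explained in the MBSA help.
$reports = Get-ChildItem "$env:USERPROFILE\SecurityScans\*.mbsa" |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-1) }   # only this run's reports

foreach ($r in $reports) {
    $scan = ([xml](Get-Content $r.FullName)).SecScan
    "{0}  ({1})  overall grade: {2}" -f $scan.Machine, $scan.IP, $scan.Grade
    $scan.Check | Select-Object Name, Grade | Format-Table -AutoSize
}
```

Scanning with a domain-admin account against every host on a subnet exposes that account's credentials to every host that answers, including any attacker-controlled one; use a dedicated scanning account that is a local administrator on the targets and nothing more.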

Page 32:

Basic Windows Firewall

• By default, Windows Firewall is turned on, blocks unsolicited inbound traffic, and allows exceptions for programs and ports

• Allows you to create exceptions for inbound traffic

• Exception

– An instruction to let matching inbound traffic through: a port exception keeps the port open, while a program exception opens the port(s) the program listens on only while the program is running and waiting for connections, and closes them again when it stops

Page 33:

Windows Firewall with Advanced Security

• Windows Firewall with Advanced Security (WFAS, wf.msc)

– Used to manage Windows Firewall with rules based on port, service, application and protocol, for both inbound and outbound traffic, together with IPsec connection security rules

Page 34:

Windows Firewall with Advanced Security (continued)

• Configuring network profiles. Each profile has its own firewall state, default inbound and outbound action, and rules; the profile in effect depends on the network the computer is connected to:

– Public

– Private

– Domain (in effect when the computer can reach a domain controller for its domain)

• Deploying Windows Firewall settings via Group Policy (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security). WFAS also allows you to import or export firewall policies (.wfw files).
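The following added example (not from the original slides) is a baseline WFAS configuration for a Windows Server 2008 member server, built with netsh advfirewall, since the NetSecurity PowerShell module does not exist before Windows Server 2012. The management subnet 10.0.0.0/24 and the export path are assumed values.

```powershell
# Added example (not part of the original slides): member-server firewall
# baseline with netsh advfirewall. 10.0.0.0/24 and the export path are assumed.

# 1. All three profiles on; drop unsolicited inbound by default, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Log dropped packets, so the firewall is a detection source and not only a filter.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 16384    # KB

# 3. Exceptions scoped as tightly as the requirement allows: remote administration
#    only from the management subnet, and only while on the domain profile.
netsh advfirewall firewall add rule name="Admin: RDP from mgmt subnet"   dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.0.0/24 profile=domain
netsh advfirewall firewall add rule name="Admin: WinRM from mgmt subnet" dir=in action=allow protocol=TCP localport=5985 remoteip=10.0.0.0/24 profile=domain

# 4. Review: list enabled inbound allow rules that are open to any remote address.
#    These are the rules worth a second look before the policy is exported.
$rules = netsh advfirewall firewall show rule name=all dir=in verbose
($rules | Out-String) -split "`r?`n`r?`n" |
    Where-Object { $_ -match 'Enabled:\s+Yes' -and $_ -match 'Action:\s+Allow' -and $_ -match 'RemoteIP:\s+Any' } |
    ForEach-Object { ($_ -split "`r?`n" | Select-String 'Rule Name:').ToString().Trim() }

# 5. Export the policy (.wfw) for reuse on other servers via 'netsh advfirewall import'
#    or for import into the GPO's Windows Firewall with Advanced Security node.
New-Item -ItemType Directory -Path 'C:\Policies' -Force | Out-Null
netsh advfirewall export 'C:\Policies\member-server-baseline.wfw'
```

In WFAS an explicit block rule always wins over an allow rule, so the way to keep port 3389 closed to the rest of the network is to not create a broader allow rule, not to add a block rule for "everything else" (which would also block the management subnet).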

Page 35:

Predefined Security Templates

• An administrator may design a custom security template (an .inf file) with the Security Templates snap-in, starting from scratch or from the templates shipped with the operating system.

Page 36:

Applying Security Templates

• Can be applied to either the local machine or the domain via GPOs

• To apply to a local machine, run secpol.msc (Local Security Policy) or use the Security Configuration and Analysis snap-in

• To apply to several computers using a GPO, use Group Policy Management and import the template into the GPO's Security Settings node

• Settings applied using Group Policy override conflicting local settings (local policy is processed first, then site, domain and OU GPOs)

• Group Policy security settings are refreshed at reboot, at 90-minute intervals (plus a random offset of up to 30 minutes) for servers and workstations, and every 5 minutes on domain controllers. The security settings extension is also re-applied every 16 hours even when the GPO has not changed, which reverts local changes made in the meantime.

Page 37:

Applying Security Templates

Page 38:

Using the Secedit Command-Line Tool

• Used to create and apply security templates and to analyze security settings from the command line; the scriptable counterpart of the Security Configuration and Analysis snap-in

• Main switches include:

– /analyze (compare the computer's settings with a template, recording the result in a database)

– /CFG filename (the .inf template to use)

– /configure (apply the settings in the database to the computer)

– /DB filename (the .sdb database to create or use)

– /export (write the current settings, or the database contents, out to a template)

– /GenerateRollback (create a template that undoes the changes a given template would make)

– /import (merge a template into a database without applying it)

– /log filename

– /quiet

– /validate (check the syntax of a template)

– /verbose
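The analyze / roll-back / configure / verify cycle with secedit.exe, as an added example that is not part of the original slides. It is the same work the Security Configuration and Analysis snap-in does with Analyze Computer Now and Configure Computer Now, done so that it can be scripted and logged. The template path C:\Templates\member-server.inf and the working folder are assumed values; the template is whatever was exported or authored with the Security Templates snap-in. The log-file search for the word "Mismatch" relies on the wording secedit uses in its analysis log.

```powershell
# Added example (not part of the original slides): secedit analyze / rollback /
# configure / verify. Template and working-folder paths are assumed values.

$tpl  = 'C:\Templates\member-server.inf'
$work = 'C:\Templates\work'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$db       = Join-Path $work 'member-server.sdb'
$before   = Join-Path $work 'before.inf'
$rollback = Join-Path $work 'rollback.inf'
$logA     = Join-Path $work 'analyze.log'
$logC     = Join-Path $work 'configure.log'
$logV     = Join-Path $work 'verify.log'

# 0. Snapshot the current policy so there is a "before" to diff against.
secedit /export /cfg $before /quiet

# 1. Syntax-check the template, then compare the live system with it. Nothing is
#    changed yet; the log lists every setting that differs.
secedit /validate $tpl
secedit /analyze /db $db /cfg $tpl /log $logA /quiet
$mismatches = @(Select-String -Path $logA -Pattern 'Mismatch')
"{0} settings differ from the template" -f $mismatches.Count
$mismatches | ForEach-Object { $_.Line.Trim() }

# 2. Generate the rollback template BEFORE applying, from the same database.
secedit /generaterollback /db $db /cfg $tpl /rbk $rollback /quiet

# 3. Apply. /overwrite replaces the database contents with the template instead of merging.
secedit /configure /db $db /cfg $tpl /overwrite /log $logC /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $logC" }

# 4. Re-analyze: a clean run reports no mismatches.
secedit /analyze /db $db /cfg $tpl /log $logV /quiet
"{0} settings still differ after configure" -f @(Select-String -Path $logV -Pattern 'Mismatch').Count

# To undo:  secedit /configure /db $db /cfg $rollback /overwrite
```

Keep before.inf and rollback.inf with the change record: on a domain member the 16-hour security refresh from Page 36 will re-apply whatever the GPO says, so a local template is only the right tool for stand-alone machines or for settings the GPO does not define.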

Page 39:

Security Configuration Wizard

• Security Configuration Wizard (SCW): a step-by-step wizard for hardening your network servers

• Security policies can be created for:

– Role-based service configuration (disables the services the selected roles do not need)

– Network security (firewall rules for the services that remain)

– Registry settings (e.g. SMB signing and LAN Manager authentication level)

– Audit policy

• The resulting policy is an XML file that can be applied to other servers with scwcmd.exe, or converted into a GPO with scwcmd transform

Page 40:

Security Configuration and Analysis Tool

• An MMC snap-in that allows administrators to compare current system settings with a saved security template and, if desired, apply the template

Page 41:

Page 42:

Analyzing System Security using the Security Configuration and Analysis Snap-in (continued)

• Configure Computer Now applies the settings in the database to the local computer

• Analyze Computer Now compares the local computer's settings with the security template and flags each mismatch, without changing anything

Page 43:

Analyzing System Security using the Security Configuration and Analysis Snap-in (continued)