Hands-On Microsoft Windows Server 2003

Chapter 10Securing Windows

Server 2003

2

Objectives

• Understand the use of Group Policy

• Secure Windows Server 2003 using security policies

• Manage security by using the Security Templates Snap-in

• Configure client security by using Windows Server 2003 policies

• Configure the Encrypting File System

3

Introduction to Group Policy

• Group Policy in Windows Server 2003 allows a standardized working environment for clients and servers

• Evolved from the NT Server 4.0 system policy concept

• Has more capabilities than system policy– Can extend to cover multiple domains in one site– Set for more environments– More secure because users cannot modify policies– Dynamically updates, and configured to reflect current

needs

4

Group Policy characteristics

• Can be set for a site, domain, OU, or local computer• Cannot be set for non-OU folder containers• Policy settings for groups are stored in Group Policy

objects (GPOs)– Each GPO has a unique name and GUID

• There are local and nonlocal GPOs– When there are multiple GPOs, their effect is incremental– The ordering is local, default domain, site, OUs

• Group Policy can be set up to affect user accounts, computers, or both

• When Group Policy is updated, old policies are removed or updated for all clients

5

6

Securing Windows Server 2003 Using Security Policies• Security policies are a subset of the Group Policy• Some commonly used security policies

– Account policies– Audit policy– User rights– Security options– IP Security policies

• Can be configured with the following tools– Domain Security Policy tool can be used for domain and local

computer– Group Policy Object Editor Snap-in has the most functionality– Active Directory Users and Computers tool can be used for

domain or OU

7

Establishing Account Policies

• Account policies are located in the following Group Policy path:– Computer Configuration, Windows Settings,

Security Settings

• Account policy options– Password security– Account Lockout– Kerberos security

8

Password Security Options

• Enforce password history– Requires users to choose new passwords when they make a

password change

• Maximum password age– Sets maximum time before password expires– Commonly 45 to 90 days

• Minimum password age• Minimum password length

– A minimum of seven characters for a “strong password”

• Password must meet complexity requirements– Filter of customized password requirements

• Store passwords using reversible encryption

9

10

Account Lockout Options

• Account lockout duration– Permits you to specify in minutes how long the

system keeps an account locked out after reaching the specified number of unsuccessful logon attempts

• Account lockout threshold– Enables you to set a limit to the number of

unsuccessful attempts to log on to an account

• Reset account lockout counter after– Enables you to specify the number of minutes

between two consecutive unsuccessful logon attempts to make sure that the account is not locked out too soon

11

Kerberos Security

• Involves the use of tickets that are exchanged between the client who requests access and the server or Active Directory that grants access

• A key distribution center (DC or server) stores user accounts and passwords

• The client computer sends an account name and password to the key distribution center

• The key distribution center issues a temporary ticket granting access to the ticket-granting server

• The ticket-granting server issues a service ticket for the duration of a logon session

12

Kerberos Security Options

• Enforce user logon restrictions– Turns on Kerberos security, which is the default

• Maximum lifetime for a service ticket– Maximum time in minutes that a ticket can access a particular

service in one service session

• Maximum lifetime for a user ticket– Maximum time in hours that a ticket can be used in one

continuous session for access to a computer or domain

• Maximum lifetime for user ticket renewal– Maximum number of days that the same Kerberos ticket can be

renewed each time a user logs on

• Maximum tolerance for computer clock synchronization– Length in minutes a client waits until synchronizing its clock

13

14

Establishing Audit Policies

• Account management

• Directory service and object access

• Logon and logoff events for an account and at the local computer

• Policy change and privilege use

• Process tracking and system events

15

16

Configuring User Rights

• User rights enable an account or group to perform predefined tasks such as the following:– Access a server– Create accounts– Manage server functions

• Assign user rights to groups instead of to individual user accounts– Members of a group inherit the user rights of the

group

17

18

Configuring Security Options

• Over 65 specialized security options in the following categories– Accounts– Audit– Devices– Domain controller– Domain member– Interactive logon– Microsoft network client– Network access

19

Configuring Security Options (cont.)

– Network security– Recovery console– Shutdown– System cryptography– System objects– System settings

• Options in each category are specialized to the category

20

21

Using IP Security Policies

• IPSec provides secure communications and encryption standards for all TCP/IP- based application and communications protocols

• IPSec process– Computers exchange certificates to authenticate

receiver and sender– Data is encrypted at the NIC of the sending computer

as it is formatted into an IP packet

• IPSec configuration tools– Domain Security Policy tool– IPSec Policies Management Snap-in

22

Using IP Security Policies (cont.)

• IPSec roles– Client (Respond Only)

• When Windows Server 2003 is contacted by a client using IPSec, it responds by using IPSec communication

– Server (Request Security)• When Windows Server 2003 is contacted or initiates a

communication, it uses IPSec by default • If the responding client does not support IPSec, the server

switches to clear mode

– Secure Server (Require Security)• Windows Server 2003 only responds using IPSec

communication

23

24

Security Templates Snap-in

• Useful when there are multiple Group Policies or multiple OUs that share the same Group Policy

• Sets up security for the following– Account and local policies– Event log tracking policies– Group restrictions– Service access security– Registry security– File system security

25

Creating a New Security Template• Make sure there is no default security template

that matches your needs• Group Policy Object Editor Snap-in and Security

Templates Snap-ins should be installed• Create a new template through the Security

Template’s Action menu– Configure the settings

• Import the new template to a Group Policy by using the Security Configuration and Analysis Snap-in

26

Default Security Templates

• Provides compatible settings for Server 2003 and NT– compatws

• Sets default security for DCs or root domains– DC security, rootsec

• Sets maximum security for Windows Server 2003 DCs or workstations accessing Windows Server 2003– hisecdc, hisecws

• Provides recommended security on DCs or client workstations– securedc, securews

• Provides “out of the box” security– setup security

27

Configuring Client Security

• Provides improvements in security• Ensures a consistent working environment in an

organization• When a client logs onto to the server or network,

the policies are applied to the client• Examples of use:

– Folder redirection for sensitive data– Desktop icon management to start applications the

same way for all clients

28

Manually Configuring Policies for Clients• Use the Group Policy Object Editor Snap-in

29

30

31

Using Preconfigured Administrative Templates• Multiple templates can be added to one Group Policy

32

33

Publishing and Assigning Software• Users can employ the same software with the same

software settings for the sake of productivity and security• Publishing applications involves setting up software

through a Group Policy so that clients install the software from a central distribution server

• Assigning applications involves configuring a policy so that a particular software application is started automatically through a desktop shortcut

• Use the Software Installation Properties dialog box under User Configuration Software Settings

34

35

Resultant Set of Policy

• A new feature included with Windows Server 2003

• Used to make the implementation and troubleshooting of Group Policies much simpler for an administrator

• Two modes:– Planning mode generates a report and provides the

result of proposed policy changes– Logging mode generates a report based on the

current policies in place and provides the resulting policy changes

36

37

Configuring the Encrypting File System• EFS configures a unique, private encryption key

that is associated with the user account that encrypted the folder or file– Protects data from unauthorized use

• Use the cipher command from the Command Prompt windows to configure file or folder encryption– If no parameters are specified with the command, the

encryption status of the current folder is displayed

38

39

Summary

• A Group Policy enables you to standardize how people use server and client computers on a network

• Security policies are part of a Group Policy and are configured to protect users and resources

• Configure account policies to apply to OU, domains, sites, or local computers– Password policies, account lockout policies, and Kerberos

authentication policies

• Use audit policies to track how resources are accessed, such as folders, files, or user accounts

40

Summary

• User rights policies enable you to create specific security controls over privileges and logon access

• Security options are specialized policies for accounts, auditing, devices, domain controllers, logon, clients, network access, network security, and other activities

• Use the Security Templates Snap-in to apply default security settings or to create different Group Policy objects for different OUs, domains, or sites

• For better control over the activities of clients, manually configure administrative templates or apply preconfigured administrative templates (or both)

41

Summary

• Publish and assign applications to manage how clients use them

• Use the Resultant Set of Policy Snap-in to plan and troubleshoot Group Policies

• Fine-tune the use of the Encrypting File System by using the cipher command in the Command Prompt window