
Guide to MCSE 70-290, Enhanced

Chapter 14: Windows Server 2003 Security Features

Objectives

After reading the chapter and completing the exercises, students should be able to:

·  Identify the various elements and techniques that can be used to secure a Windows Server 2003 system

·  Use Security Configuration and Analysis tools to configure and review security settings

·  Audit access to resources and review Security log settings

Teaching Tips

Securing Your Windows 2003 System
Teaching Tip / This chapter includes a number of different security features and capabilities, many of which have been introduced in earlier chapters.

1.  Briefly introduce to students the five broad categories of security features that will be discussed in this section: authentication, access control, encryption, security policies, and service packs and hot fixes.

Authentication

1.  Note that the most basic and universal form of authentication is requiring a user to submit a valid user ID and password to log on to a system.

2.  Remind students that in a domain environment, domain controllers handle authentication in a centralized manner. In contrast, in workgroups, each computer authenticates users against its own local Security Accounts Manager (SAM) database. These issues are discussed in Chapter 3.

3.  Note that specific Windows Server 2003 services provide additional authentication. For example, IIS can authenticate Internet users in addition to network users (see Chapter 13).

Access Control

1.  Explain that access control security is used to protect resources such as files and printers. Access control refers to both the ability to access a resource at all and the level of access that is allowed.

2.  Note that various forms of permissions are part of access control. Examples of this are NTFS and shared folder permissions from Chapter 5, printer access control permissions from Chapter 8, and Active Directory object access permissions from Chapter 10.

3.  Introduce the “principle of least privilege” and discuss the advantages and problems associated with implementing this principle.

Encryption

1.  Remind students about the Encrypting File System (EFS) that was looked at in Chapter 7. Note that this system is used to encrypt files stored locally on NTFS partitions and volumes.

2.  Discuss with students why it is sometimes necessary to encrypt data that will traverse a TCP/IP network: anyone able to capture traffic on the path (a sniffer on a shared segment, a compromised router) can read it. Sensitive data crossing the network should be protected by an encrypting security protocol; EFS alone does not help here, because a file is decrypted before it is sent over the network.

3.  Explain that Windows Server 2003 environments can protect traffic on the wire with the IPSec protocol, which authenticates and encrypts IP packets between hosts. Note the two modes (transport and tunnel) that are described.

Teaching Tip / Tell students that the IPSec protocol is beyond the scope of Microsoft exam 70-290.

Security Policies

1.  Note that security policies are used on Windows Server 2003, Windows 2000, and Windows XP standalone and domain systems. In domains, policies are usually applied via Group Policy. Tools used to configure security policies are the Group Policy Object Editor MMC snap-in and the Local Security Policy snap-in.

2.  Introduce the Security Configuration and Analysis MMC snap-in and the command-line SECEDIT utility.

Service Packs and Hot Fixes

1.  Remind students about the Microsoft notions of “hot fixes” and “service packs”.

2.  Reiterate that with Windows Server 2003, Windows 2000, and Windows XP, the use of an update utility such as Microsoft Software Update Services (SUS) can be very beneficial in automating and controlling the distribution of updates.

Using Security Configuration Manager Tools

1.  Discuss some of the problems that were inherent in administering security configurations in Windows NT.

2.  Introduce the Security Configuration Manager tools and the concept of a Security Policy template. Note that the tools can be used to both configure and analyze security settings. Introduce each of the components of the Security Configuration Manager tools.

Security Templates

1.  Explain that security templates are the first of the Security Configuration Manager tools and are used to set up and maintain a consistent organizational security standard.

2.  Note that security templates are stored as plain-text .inf files (the built-in ones under %SystemRoot%\Security\Templates) but should only be created and edited using the Security Templates MMC snap-in, which enforces the file's section and value syntax.

Activity 14-1: Browsing Security Templates

1.  In this activity, students browse some of the default security templates included with Windows Server 2003 to explore the various settings that can be configured with them.

2.  Students open the MMC utility and add the Security Templates snap-in as directed. They then open the hisecdc template to explore the various configurations associated with that template. They also open a second template to browse and compare.

Analyzing the Pre-configured Security Templates

1.  Remind students that only computers running Windows Server 2003, Windows XP, and Windows 2000 can use security templates.

2.  Discuss sorting computers into workstations, servers, and domain controllers to match up with pre-configured templates.

The Default Template

1.  Introduce the Setup Security.inf template and note that it is applied upon the installation of Windows Server 2003.

Teaching Tip / Be sure to note that the default template (Setup security.inf) should not be applied using Group Policy: it is large, and Group Policy would reapply the whole template at every refresh interval, seriously degrading performance. Apply it locally instead, with the Security Configuration and Analysis snap-in or SECEDIT.

Incremental Templates

1.  Explain to students that incremental templates are to be applied on top of the default security settings.

2.  Go over the list of incremental templates and their intended uses.

3.  Note that you can create custom templates if necessary or you can modify and save an existing template as a custom template.

Applying Security Templates

1.  This section discusses how to apply the settings configured in a security template to either a local machine or to a domain.

2.  Explain to students how to apply settings locally using the Local Security Settings MMC snap-in.

3.  Note that to apply settings to a domain, they should import the template into a Group Policy Object. Discuss the effective settings when there are both local and domain settings: Group Policy is processed in the order local, site, domain, OU, so a security setting defined at the domain level overrides a conflicting local setting. Go over the refresh intervals for GPOs.

Activity 14-2: Creating a Security Template

1.  This activity is designed to familiarize students with the process of creating a custom security template.

2.  With the MMC Security Templates snap-in, students create a new template as directed. They browse the possible settings and configure designated settings as explained. They then save the new template.

Activity 14-3: Applying Security Template Settings to Group Policy Objects

1.  In this activity, students import the security template created earlier into an existing GPO to be deployed in the domain.

2.  Students begin by opening Active Directory Users and Computers and the Properties of the domain. Next they edit the Default Domain Policy and import the template created in Activity 14-2. They then browse the settings to verify that the imported settings are configured as desired. Finally, they close the Group Policy Object Editor.

Security Configuration and Analysis

1.  Referring back to the components of the Security Configuration Manager tools, so far security templates and the security settings in Group Policy objects have been presented. In this section, the Security Configuration and Analysis tool is discussed.

2.  Explain that Security Configuration and Analysis is an MMC snap-in that allows administrators to compare current system settings to a security template on a setting-by-setting basis.

Activity 14-4: Analyzing Security Settings Using Security Configuration and Analysis

1.  In this activity, students try using the Security Configuration and Analysis tool to compare their current system settings with the settings configured in a pre-existing template.

2.  They first add the Security Configuration and Analysis snap-in to an MMC console and open a new database. They import the hisecdc.inf built-in template and compare this template to the current settings.

3.  Students next review the analysis that is created.

SECEDIT Command-Line Tool

1.  This is the last of the Security Configuration Manager tools and is used to create, apply, and analyze security settings from the command line, so the work can be scripted or scheduled. Note that it is also the way to apply templates on standalone and workgroup computers, where domain-based Group Policy is not available.

2.  Go over the main switches and their uses: /configure (apply a template, via a database, to the computer), /analyze (compare the computer's settings with a database built from a template), /export (write the current settings to a template file), /import (load a template into a database), /validate (check a template file's syntax), and /generaterollback (record the settings a template would change so they can be restored later).
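
The following PowerShell script is an added example, not part of the textbook or of Microsoft's tools. It performs the setting-by-setting comparison that the Security Configuration and Analysis snap-in does (Activity 14-4), but from the command line: the secedit /export switch dumps the machine's current security policy to an .inf file, which is the same text format the templates use, and the script then compares the [System Access] and [Event Audit] sections of that dump with hisecdc.inf. It assumes PowerShell 2.0 or later in an Administrators session on Windows XP/Server 2003 or later; the template choice, working directory and function names are the example's own.

```powershell
# Added example, not from the textbook: compare the local machine's security
# policy with a security template from the command line, one setting at a time.
# Assumes PowerShell 2.0+, an Administrators session, and secedit.exe (XP/2003+).
# The template choice, working directory and function names are this example's own.

$Template = Join-Path $env:SystemRoot 'security\templates\hisecdc.inf'
$WorkDir  = Join-Path $env:TEMP 'secanalysis'
$Current  = Join-Path $WorkDir 'current.inf'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Dump the effective local policy to an .inf. The SECURITYPOLICY area covers the
#    account, lockout and audit policies ([System Access] and [Event Audit] sections).
& secedit /export /cfg $Current /areas SECURITYPOLICY /log (Join-Path $WorkDir 'export.log') | Out-Null
if (-not (Test-Path $Current)) { throw "secedit /export produced no file; see $WorkDir\export.log" }

# 2. Minimal parser for the template text format: [Section] headers and Key = Value lines.
function Read-SecurityInf {
    param([string]$Path)
    $settings = @{}
    $section  = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }            # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }  # new section
        if (@('System Access', 'Event Audit') -contains $section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    $settings
}

# 3. [Event Audit] values are bit flags: 1 = success, 2 = failure, 3 = both, 0 = none.
$AuditLevels = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }

function Compare-SecuritySettings {
    param([hashtable]$Baseline, [hashtable]$Actual)
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $want = $Baseline[$key]
        $have = '<not defined>'
        if ($Actual.ContainsKey($key)) { $have = $Actual[$key] }
        if ($key -like 'Event Audit\*') {
            if ($AuditLevels.ContainsKey($want)) { $want = $AuditLevels[$want] }
            if ($AuditLevels.ContainsKey($have)) { $have = $AuditLevels[$have] }
        }
        $status = 'OK'
        if ($want -ne $have) { $status = 'MISMATCH' }
        New-Object PSObject -Property @{ Setting = $key; Template = $want; Current = $have; Status = $status }
    }
}

$report = Compare-SecuritySettings -Baseline (Read-SecurityInf $Template) -Actual (Read-SecurityInf $Current)
$report | Sort-Object Status, Setting | Select-Object Setting, Template, Current, Status | Format-Table -AutoSize
"{0} of {1} settings differ from {2}" -f @($report | Where-Object { $_.Status -eq 'MISMATCH' }).Count, @($report).Count, (Split-Path $Template -Leaf)

# The same job with secedit alone (the verdict goes to the database and log, not the console):
#   secedit /analyze /db $WorkDir\secedit.sdb /cfg $Template /log $WorkDir\analyze.log
# To apply the template, first capture a rollback so the change can be undone:
#   secedit /generaterollback /cfg $Template /rbk $WorkDir\rollback.inf /log $WorkDir\rollback.log
#   secedit /configure /db $WorkDir\secedit.sdb /cfg $Template /overwrite /log $WorkDir\apply.log
```

Running this on a member server against hisecdc.inf is expected to report many mismatches; that is the point of the exercise, since the domain controller template is not meant for that role. Swap in securews.inf or a custom template from Activity 14-2 to check a server against its intended baseline.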


Quick Quiz

1.  What are the four components of the Security Configuration Manager tools?

Answer: Security templates, Security settings in Group Policy objects, Security Configuration and Analysis tool, and the SECEDIT command-line tool

2.  What are the five different categories of security-related features available to an administrator in Windows Server 2003?

Answer: authentication, access control, encryption, security policies, and service packs and hot fixes

3.  The set of security templates that can be used to apply various additional security configurations on top of the baseline settings are called ______templates.

Answer: incremental

4.  True or False: The Security Configuration and Analysis tool is an MMC snap-in.

Answer: True

Auditing Access to Resources and Analyzing Security Logs

1.  Note that monitoring network events is an important administrative task and give examples of particular events that can be monitored. Introduce auditing and explain that audited events are logged in security logs.

2.  Describe an audit entry in a security log and note that events are logged on the computer upon which the event occurs.

3.  Note that Event Viewer is used to view security logs.

4.  Define an audit policy and what the choices are for tracking various events.

Activity 14-5: Exploring Default Auditing Settings

1.  The purpose of this activity is for students to explore auditing settings of the default domain controller Group Policy object.

2.  Students open Active Directory Users and Computers and edit the Default Domain Controllers Policy as explained. They open the Audit Policy node and explore the policy settings and their values.

3.  Go over the different types of events that can be monitored as described in Table 14-1.

Configuring Auditing

1.  Introduce the process of configuring an audit policy. Note that the role of the computer on the network determines how policy settings are implemented.

Requirements

1.  Describe the requirements that must be met to configure an audit policy regarding group membership and permissions and file and folder residence on an NTFS volume.

Configuring an Audit Policy

1.  Explain the choices to be made in configuring an audit policy for event auditing.

Activity 14-6: Configuring and Testing New Audit Policy Settings

1.  In this activity, students change the default auditing policy on their system.

2.  Students first open Active Directory Users and Computers to edit the auditing settings of the Default Domain Controllers Policy GPO. They change the current settings as directed and refresh Group Policy manually.

3.  To verify that events are being logged as expected, students log on with an incorrect password to generate a failed logon attempt and then log on correctly. They open Event Viewer and view the contents of the Security log.

Teaching Tip / Note that audit policy is delivered by Group Policy, so Windows Server 2003 refreshes it on the normal Group Policy schedule: every 90 minutes with a random offset of up to 30 minutes on a workstation or member server, and every five minutes on a domain controller. To update audit policy immediately, restart the computer or run GPUPDATE.EXE (gpupdate /force reapplies all settings, not only those that changed).
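
The following PowerShell script is an added example, not from the textbook. It does from the command line what Activity 14-6 has students do by eye in Event Viewer: read the failed logon entries from the Security log, extract the account and source from each, and flag accounts that fail repeatedly from one source. It assumes PowerShell 2.0 or later running as a member of Administrators (reading the Security log requires the "Manage auditing and security log" right). The event IDs and message field labels are those of the Windows 2000/XP/Server 2003 Security log; Windows Vista/Server 2008 and later renumbered them (4625, 4740, 4771, 4776). The look-back window, threshold and function name are the example's own.

```powershell
# Added example, not from the textbook: list and summarize failed logons from the
# Security log. Assumes PowerShell 2.0+ and an Administrators session.
# IDs and message labels are the pre-Vista (Windows 2000/XP/Server 2003) ones.

# 529  Logon Failure: unknown user name or bad password   (Audit logon events, on the target computer)
# 539  Logon Failure: account locked out                   (Audit logon events)
# 675  Pre-authentication failed (Kerberos)                (Audit account logon events, on the DC)
# 680  Account used for logon by ... (NTLM) + error code   (Audit account logon events)
$FailedLogonIds = 529, 539, 675, 680
$Since     = (Get-Date).AddHours(-1)   # look-back window (assumption)
$Threshold = 5                         # failures per account/source worth a closer look (assumption)

function Get-FailedLogons {
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$After)
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $After -EntryType FailureAudit |
        Where-Object { $FailedLogonIds -contains $_.InstanceId } |
        ForEach-Object {
            # Pre-Vista events carry the account and source only in the description text,
            # and the labels differ per event ID, so pull them out with regexes.
            # "[ \t]*" rather than "\s*" keeps an empty field from swallowing the next label.
            $msg = $_.Message
            $account = '?'; $source = '?'
            if ($msg -match 'User Name:[ \t]*(\S+)')          { $account = $Matches[1] }  # 529, 539, 675
            if ($msg -match 'Logon account:[ \t]*(\S+)')      { $account = $Matches[1] }  # 680
            if ($msg -match 'Workstation Name:[ \t]*(\S+)')   { $source  = $Matches[1] }  # 529, 539
            if ($msg -match 'Source Workstation:[ \t]*(\S+)') { $source  = $Matches[1] }  # 680
            if ($msg -match 'Client Address:[ \t]*(\S+)')     { $source  = $Matches[1] }  # 675
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; EventId = $_.InstanceId; Account = $account; Source = $source
            }
        }
}

$failures = @(Get-FailedLogons -After $Since)
if ($failures.Count -eq 0) {
    # Either nothing failed, or the audit policy has not taken effect yet: check the
    # effective value of "Audit logon events" in Local Security Policy, or run
    # gpupdate /force and try again.
    Write-Host "No failed logons since $Since"
} else {
    # Every failure, newest first (what Event Viewer shows after filtering on these IDs)
    $failures | Sort-Object Time -Descending | Format-Table Time, EventId, Account, Source -AutoSize

    # Accounts hammered from one source: the password-guessing pattern worth alerting on
    $failures | Group-Object Account, Source | Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Account, Source'; Expression = { $_.Name } } | Format-Table -AutoSize
}
```

Which IDs appear depends on where the script runs: a failed interactive logon at a member server produces 529 there, while the domain controller that rejected the credentials records 675 (Kerberos) or 680 (NTLM) only if "Audit account logon events" is enabled in the Default Domain Controllers Policy.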

Auditing Object Access

1.  Be sure to mention that you can only monitor object access for files and folders residing on NTFS volumes.

2.  Give examples of why you might wish to monitor object access.

3.  Explain that object auditing is a two-step process: first configure audit policy to audit object access as in Activity 14-6, then configure the settings on the individual objects, since the policy alone generates no entries. Describe how to configure audit settings for specific files and folders by using the Advanced Security Settings dialog on the particular resource. Note that an audit entry only records the principals it names, so audit access by the Everyone group to catch attempts by every account (and, where "Network access: Let Everyone permissions apply to anonymous users" is enabled, unauthenticated ones as well).

4.  Mention that Active Directory objects can also be audited individually as for files and folders.

Activity 14-7: Configuring Auditing on an NTFS Folder

1.  The purpose of this activity is to familiarize students with configuring auditing on objects. Specifically, in this case, students configure auditing of successful and failed attempts to access an NTFS folder.

2.  Students create a new folder with specific permissions as described in the activity. They configure auditing for the folder as directed.

3.  Students log off and then log back on under a different account and try to access and delete the folder to create failed attempts. They log off this account and log back on under an administrator account to open Event Viewer and check the Security log.
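
The following PowerShell script is an added example, not from the textbook. It scripts the object auditing that Activity 14-7 configures through the Advanced Security Settings dialog (an audit entry for Everyone on an NTFS folder, inherited by its contents) and then reads the resulting object-access events from the Security log. It assumes PowerShell 2.0 or later on an NTFS volume, an Administrators session (writing a SACL needs the "Manage auditing and security log" privilege), and that "Audit object access" has already been enabled for success and failure as in Activity 14-6. The folder path and function name are the example's own.

```powershell
# Added example, not from the textbook: configure a SACL on an NTFS folder and read
# the object-access events it produces. Assumes PowerShell 2.0+, NTFS, an Administrators
# session, and "Audit object access" already enabled. Folder path is an assumption.

$Folder = 'C:\Data\Payroll'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. -Audit fetches the SACL along with the DACL; without it Set-Acl leaves auditing untouched.
$acl = Get-Acl -Path $Folder -Audit

# 2. One audit entry for Everyone covering reads, writes and deletes, inherited by
#    subfolders and files. A SACL entry records only the principals it names, so
#    auditing a narrow group would miss everyone else's attempts.
$rights      = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', $rights, $inheritance, $propagation, $auditFlags
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Confirm what the Auditing tab of Advanced Security Settings would show.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. After another account has tried to open or delete the folder (Activity 14-7, step 3),
#    each attempt is a 560 "Object Open" event (Success Audit or Failure Audit) naming the
#    object, the requesting account and the access requested. Server 2003 also logs 567
#    (first use of a right on the handle) and 564 (object deleted); those carry only the
#    Handle ID, which has to be matched back to the 560 that opened the handle.
function Get-ObjectOpenEvents {
    param([string]$Path, [datetime]$After)
    Get-EventLog -LogName Security -After $After |
        Where-Object { $_.InstanceId -eq 560 -and $_.Message -like "*Object Name:*$Path*" } |
        ForEach-Object {
            $account = '?'; $accesses = '?'
            # Interactive access puts the requester in Primary User Name; network access
            # (SMB) puts the server's own identity there and the requester in Client User Name.
            if ($_.Message -match 'Primary User Name:[ \t]*(\S+)') { $account = $Matches[1] }
            if ($_.Message -match 'Client User Name:[ \t]*(\S+)' -and $Matches[1] -ne '-') { $account = $Matches[1] }
            # Accesses is a multi-line list; the first line (e.g. DELETE) is enough for a summary.
            if ($_.Message -match 'Accesses:[ \t]*([^\r\n]+)') { $accesses = $Matches[1].Trim() }
            New-Object PSObject -Property @{
                Time = $_.TimeGenerated; Result = $_.EntryType; Account = $account; Accesses = $accesses
            }
        }
}
Get-ObjectOpenEvents -Path $Folder -After (Get-Date).AddMinutes(-30) |
    Sort-Object Time -Descending | Format-Table Time, Result, Account, Accesses -AutoSize
```

A "Failure Audit" 560 with DELETE in Accesses is the entry students should find after the second account's failed deletion attempt; if nothing appears, verify with Activity 14-4 or secedit that "Audit object access" is actually in effect on this computer, since the SACL by itself produces no events.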

Best Practices

1.  This section describes the process of planning an audit policy that provides needed security. Discuss with students the ultimate goal: to audit those events and objects that are important and that will provide useful information and not to audit things that will simply increase overhead for both the system and the administrator. A number of guidelines are provided to help with the planning process.

Analyzing Security Logs

1.  Reiterate that any event covered by an audit policy will generate an entry into a Security log. The log is then viewed using Event Viewer.

2.  Go over the Event Viewer display and how to use the summary and detailed contents.

3.  Note that Event Viewer shows the local security log by default but that it can also be used to look at the security log on a remote computer.

4.  Explain the Find and Filter options of Event Viewer.

Activity 14-8: Configuring Event Viewer Log Properties

1.  In this activity, students explore the use of the find and filter features in Event Viewer to manage the potentially large number of entries.

2.  Students open Event Viewer and view the Security log. They use the Find command to find instances of particular events. They then use the Filter command to display only those events. They browse the events to ensure that they meet the criteria provided and, finally, they reset Event Viewer to display all events again.

Configuring Event Viewer

1.  Discuss with students the need to configure properties of a security log to ensure that enough information is kept without allowing the log to become too large.

2.  Describe how to configure properties on a security log through Event Viewer.

3.  Go over the list of Security log configuration options in Table 14-2.
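
The following PowerShell script is an added example, not from the textbook. It sets the Security log properties that Activity 14-9 configures in the log's Properties dialog (maximum size and the overwrite behaviour from Table 14-2), shows a weak setting beside a stronger one, and archives the log as a native .evt file the way "Save Log File As..." does, clearing it only after the archive succeeded. It assumes PowerShell 2.0 or later (for Limit-EventLog) in an Administrators session; the archive folder, sizes and function name are the example's own.

```powershell
# Added example, not from the textbook: configure Security log size and retention, then
# archive and clear the log. Assumes PowerShell 2.0+ and an Administrators session.
# Archive folder and sizes are assumptions.

$ArchiveDir = 'C:\LogArchive'
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

# Current settings: size limit and what happens when it is reached.
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Format-Table Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays -AutoSize

# Weak: a small log with "Overwrite events as needed" lets an intruder flush the
# evidence simply by generating noise until the interesting entries rotate out.
#   Limit-EventLog -LogName Security -MaximumSize 512KB -OverflowAction OverwriteAsNeeded
#
# Stronger: a generous size and "Do not overwrite events (clear log manually)". A full
# log with this setting stops recording (and if "Audit: Shut down system immediately if
# unable to log security audits" is enabled, the server halts), so pair it with a
# scheduled archive-and-clear such as the function below, run well before it fills.
Limit-EventLog -LogName Security -MaximumSize 128MB -OverflowAction DoNotOverwrite

# Middle ground: keep at least 30 days and overwrite only entries older than that.
#   Limit-EventLog -LogName Security -MaximumSize 128MB -OverflowAction OverwriteOlder -RetentionDays 30

function Backup-SecurityLog {
    # Writes a native .evt file (re-openable in Event Viewer) and returns its path.
    # BackupEventlog needs the Backup files and directories privilege enabled on the
    # WMI connection, hence -EnableAllPrivileges.
    param([string]$Destination, [switch]$ClearAfterBackup)
    $log   = Get-WmiObject -Class Win32_NTEventlogFile -Filter "LogFileName='Security'" -EnableAllPrivileges
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Destination "Security-$env:COMPUTERNAME-$stamp.evt"
    $result = $log.BackupEventlog($file)
    if ($result.ReturnValue -ne 0) { throw "BackupEventlog failed with code $($result.ReturnValue); log not cleared" }
    if ($ClearAfterBackup) {
        # Clear only once the archive exists. Clearing is itself recorded: the first entry
        # in the fresh log is event 517, "The audit log was cleared", naming who did it.
        $clear = $log.ClearEventlog()
        if ($clear.ReturnValue -ne 0) { throw "ClearEventlog failed with code $($clear.ReturnValue)" }
    }
    $file
}

$archive = Backup-SecurityLog -Destination $ArchiveDir -ClearAfterBackup
Write-Host "Security log archived to $archive"
```

Keep the archive folder on a volume the audited users cannot write to, and restrict it to administrators: an attacker who can delete or alter the .evt files gains exactly what the overwrite settings were tightened to prevent.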

Activity 14-9: Editing Security Log Settings and Saving Events

1.  This activity is designed to allow students to manage a security log configuration and to archive security log files.

2.  Students open Event Viewer and the Properties of the Security log as directed. They configure several of the settings as desired.