MCDST: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System
Chapter 7: Troubleshoot Security Settings and Local Security Policy

Guide to MCDST

Objectives
Understand the local security policy
Understand group policies
Use the Security Configuration and Analysis tool and secedit
Perform troubleshooting for group policy

Local Security Policy
Windows XP Professional is only subject to security restrictions of local security policy when it is a stand-alone system or member of a workgroup
Group policy object
  – A collection of Registry settings that are applied to the system upon startup and user logon

Local Security Policy (continued)
Contents of local security policy
  – Determined during installation
Custom policies
  – Can be created through the use of .adm files
.adm files used by group policy editors
  – Reside in the \inf subfolder of the main Windows XP directory

Password Policy
Defines the restrictions on passwords
Items in policy include:
  – Enforce password history: 0 passwords
  – Maximum password age: 42 days
  – Minimum password age: 0 days
  – Minimum password length: 0 characters

Account Lockout Policy
Defines conditions that result when a user account is locked out
Used to prevent brute force attacks against user accounts
Items in policy include:
  – Account lockout duration
  – Account lockout threshold: 0 invalid logon attempts
  – Reset account lockout counter after: Not Applicable

Audit Policy
Defines events recorded in the Security log of the Event Viewer
Auditing
  – Used to track resource usage
Items in policy include:
  – Audit account logon events: No auditing
  – Audit account management: No auditing
  – Audit directory service access: No auditing

User Rights Assignment
Defines which groups or users can perform the specific privileged action
Troubleshooting user rights
  – A process of test, reconfigure, and retest

Security Options
Defines and controls various security features, functions, and controls
Items in this policy include:
  – Accounts―Administrator account status: Enabled
  – Accounts―Guest account status: Disabled
  – Devices―Allow undock without having to logon: Enabled

Public Key Policies
Used to:
  – Offer additional controls over the Encrypting File System (EFS)
  – Enable the issuing of certificates
  – Allow you to establish trust in a certificate authority

Software Restriction Policies
Used to restrict the programs and applications allowed to execute on a system
Software restriction policies can be one of these:
  – “Deny all but the exceptions” method
  – “Allow all but the exceptions” method

IP Security Policies on Local Computer
Used to define policies that control the function of IPSec
Negotiates a secure encrypted communications link between a client and server through public and private encryption key management

IP Security Policies on Local Computer (continued)
IPSec offers protection against:
  – Eavesdropping
  – Data modification
  – Identity spoofing
  – Password attacks
  – Denial-of-service attacks
  – Man-in-the-middle attacks

IP Security Policies on Local Computer (continued)
Predefined IPSec policies
  – The Client (Respond Only) policy
  – The Server (Request Security) policy
  – The Secure Server (Require Security) policy
Authentication methods
  – Kerberos version 5
  – Public key certificate authentication
  – Preshared key

Group Policies
An expanded version of the local security policy
Divisions
  – Computer Configuration
  – User Configuration

Computer Configuration
Used to define and regulate security-related features and functions
Subnodes
  – Software Settings
  – The Windows Settings folder
  – The Administrative Templates folder

User Configuration
Subfolders
  – Software Settings―empty by default
  – The Windows Settings folder―contains Internet Explorer Maintenance, Scripts (Logon/Logoff), and Security Settings
  – The Administrative Templates folder―contains a multilevel collection of user-specific, Registry-based controls

Application of Group Policies
Applied in the following order:
  – Any existing legacy Windows NT 4.0 ntconfig.pol files are applied
  – Any unique local security policy is applied
  – Any site group policies are applied
  – Any domain group policies are applied
  – Any organizational units (OUs) group policies are applied

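The processing order above determines the resultant set of policy: when two layers configure the same setting, the layer applied later wins. The sketch below is an added example, not part of the course material; it computes the effective value and records which layer supplied it and what it overrode. The setting names and values are constructed, and it assumes no Enforced (No Override) or Block Inheritance flags are in use.

```python
# Processing order from the slide above; a later layer overwrites an earlier one.
ORDER = ["ntconfig.pol", "local", "site", "domain", "ou"]

# Constructed layers; setting names and values are illustrative only.
LAYERS = {
    "local":  {"AuditAccountLogon": "No auditing", "GuestAccountStatus": "Disabled"},
    "domain": {"AuditAccountLogon": "Success, Failure"},
    "ou":     {"AllowUndockWithoutLogon": "Disabled"},
}

def resultant_policy(layers):
    """Map each setting to (effective value, winning layer, overridden (layer, value) pairs)."""
    rsop = {}
    for layer in ORDER:
        for setting, value in layers.get(layer, {}).items():
            overridden = []
            if setting in rsop:
                old_value, old_layer, overridden = rsop[setting]
                overridden = overridden + [(old_layer, old_value)]
            rsop[setting] = (value, layer, overridden)
    return rsop

def explain(setting, layers):
    """One-line answer to 'why did my change not take effect?' for one setting."""
    rsop = resultant_policy(layers)
    if setting not in rsop:
        return f"{setting}: not configured in any layer"
    value, layer, overridden = rsop[setting]
    lost = ", ".join(f"{name}={val!r}" for name, val in overridden) or "nothing"
    return f"{setting}: {value!r} from {layer} (overrides {lost})"

if __name__ == "__main__":
    for name in ("AuditAccountLogon", "GuestAccountStatus", "PasswordHistory"):
        print(explain(name, LAYERS))
```
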
Security Configuration and Analysis Tool
An MMC snap-in that can be used to analyze, configure, export, and validate system security based on a security template
Security template
  – A predefined group policy file with specific levels of security
Predefined security templates
  – compatws
  – hisecdc
  – hisecws

Using Secedit
Used to analyze, configure, export, and validate security based on a security template
Parameters of secedit
  – analyze
  – db FileName
  – cfg FileName
  – log FileName

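A template exported with secedit is a plain INF file, so the password, account lockout and audit defaults listed on the earlier slides can be checked by script. The following is an added example, not part of the course material: it parses a constructed export and flags those defaults. The key names are the ones secedit writes to the [System Access] and [Event Audit] sections; the thresholds are assumptions of this example.

```python
import configparser

# Constructed sample in the INF layout written by `secedit /export /cfg <file>`;
# the values are the defaults listed on the slides. Real exports are UTF-16,
# so read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 0
AuditAccountManage = 0
"""

# (section, key, is_weak, finding). Thresholds are this example's assumptions.
# Audit values: 0 = none, 1 = success, 2 = failure, 3 = both.
CHECKS = [
    ("System Access", "MinimumPasswordLength", lambda v: v < 8, "short or blank passwords allowed"),
    ("System Access", "PasswordHistorySize", lambda v: v == 0, "old passwords can be reused"),
    ("System Access", "MinimumPasswordAge", lambda v: v == 0, "history can be cycled in one sitting"),
    ("System Access", "LockoutBadCount", lambda v: v == 0, "lockout disabled, guesses unlimited"),
    ("Event Audit", "AuditAccountLogon", lambda v: (v & 2) == 0, "failed logons not recorded"),
    ("Event Audit", "AuditAccountManage", lambda v: v == 0, "account changes not recorded"),
]

def audit_template(text):
    """Return (key, value, finding) for each weak setting in an exported template."""
    ini = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    ini.optionxform = str  # keep the key case used by secedit
    ini.read_string(text)
    findings = []
    for section, key, is_weak, finding in CHECKS:
        raw = ini.get(section, key, fallback=None)
        if raw is None:
            continue  # setting not defined in this template
        value = int(raw)
        if is_weak(value):
            findings.append((key, value, finding))
    return findings

if __name__ == "__main__":
    for key, value, finding in audit_template(SAMPLE_EXPORT):
        print(f"{key} = {value}: {finding}")
```
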
Troubleshooting Policies
If change does not seem to take effect on a system
  – Log out then back on
  – Reboot the system
  – If change still fails to take effect, examine the RSoP for the local system or access the Help and Support Center

Summary
Local Security Policy tool
  – Used to manage passwords, account lockout parameters, audits, user rights
Group policies
  – Domain-level versions of the local security policy
Local computer policy (RSoP of applied GPOs)
  – Controls many aspects of the security system
Troubleshooting GPOs includes discovering the RSoP