Chapter 6: Configuring Security

Options for Managing Security Configurations
LGPO (Local Group Policy Object)
–Used if Computer is not part of a domain environment
–Set of security configuration settings that are created and stored on the local computer
  Users
  Computers
  Stored in \systemroot\System32\GroupPolicyUsers
GPO (Group Policy Objects)
–Used if Computer is part of an Active Directory domain
–Allows for remote and centrally managed security
–Has more levels of security structure, and thus more granular control

Group Policy and LGPO (Local Group Policy Objects) Setting Options
–Software Installation (not available with LGPOs)
–Remote Installation Services
–Scripts
–Printers
–Security Settings
–Policy-based QOS
–Administrative Templates
–Folder Redirection (not available with LGPOs)
–Internet Explorer Configuration

GPO Inheritance
Order of Inheritance
–Local
–Site (physical location)
–Domain
–Organizational Unit (OU)
Containers higher are called parents and lower are called children.
Children inherit from the parent, and non-conflicting settings are additive.
If settings conflict, then the child overrides the parent.
Two types of Policy Settings
–Computer Settings
–User Settings
If a conflict occurs, then the Computer setting is applied.

GPO Inheritance
Special Options, for overriding the default behavior of GPO execution.
–No Override
  Used to specify that a child cannot override the policy settings of a parent (higher-level) container.
–Block Inheritance
  Used to allow a child container to block the inheritance of a policy from a parent container.
If a conflict occurs between “No Override” and “Block Inheritance”, then “No Override” wins and is applied.
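
The precedence rules on the two GPO Inheritance slides, worked through as an added example (not part of the original slides). It is a simplified model, not how Windows stores or processes GPOs; the container flags are modelled as booleans and the setting names are hypothetical.

```python
# Added illustration: simplified model of the GPO precedence rules described above.
from dataclasses import dataclass, field


@dataclass
class Container:
    """One level in the processing order (Local, Site, Domain or OU)."""
    name: str
    settings: dict = field(default_factory=dict)
    no_override: bool = False        # set on a parent: children cannot override it
    block_inheritance: bool = False  # set on a child: ignore inherited settings


def resolve(chain):
    """Return {setting: (value, source)} for containers ordered parent -> child."""
    effective, locked = {}, set()
    for c in chain:
        if c.block_inheritance:
            # Inherited settings are dropped, except those locked by No Override.
            effective = {k: v for k, v in effective.items() if k in locked}
        for key, value in c.settings.items():
            if key in locked:
                continue  # No Override beats the child's conflicting value
            effective[key] = (value, c.name)
            if c.no_override:
                locked.add(key)
    return effective


def sample_chain(block=False):
    """Constructed containers; the setting names are hypothetical."""
    return [
        Container("Local", {"screen_lock_minutes": 30}),
        Container("Site", {"logon_banner": "Site notice"}),
        Container("Domain", {"screen_lock_minutes": 10}, no_override=True),
        Container("OU", {"screen_lock_minutes": 60, "usb_storage": "deny"},
                  block_inheritance=block),
    ]


if __name__ == "__main__":
    for block in (False, True):
        print("Block Inheritance on OU:", block)
        for key, (value, source) in sorted(resolve(sample_chain(block)).items()):
            print(f"  {key} = {value!r} (from {source})")
```

With Block Inheritance set on the OU, the Site banner disappears but the Domain value marked No Override still applies.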

Group Policy Result Tool
Because of the overlapping nature of Group Policies, Vista provides a tool to help determine what policies will be applied.
–Tool is accessed through the GPResult.exe command-line utility.
–GPResult displays the Resultant Set of Policy (RSOP) for the computer and the user who is currently logged in.
  C:\>GPResult.exe /r

Using Local Group Policies
Used to manage configuration settings for workstations in a workgroup environment without an Active Directory domain
Created and assigned through the Local Group Policy snap-in in MMC
–Microsoft Management Console
Two types of policies:
–Computer Configuration
–User Configuration

Multiple Local Group Policy Objects (MLGPOs)
New to Windows Vista
Enables Vista to apply LGPOs to specific users rather than apply them to every user on a computer
Applied in the following order:
–Local Computer Policy (User and Computer)
–Administrators and Non-Administrators Local Group Policy (User only)
–User-Specific Group Policy (User only)
Again, GPO settings applied lower will override parent settings in the event of a conflict.
AD GPO will override conflicting LGPO

Setting Computer Configuration Policies
Three folders within the Computer Configuration folder:
–Software Settings
–Windows Settings
–Administrative Templates
Scripts and Security Settings are found within the Windows Settings folder.

Windows Settings
Scripts
–Logon
–Startup
–Logoff
–Shutdown
Security Settings
–Account Policies
–Local Policies
–Windows Firewall with Advanced Security
–Public Key Policies
–Software Restriction Policies
–IP Security Policies
Policy-based QOS

Account Policies
Password Policy
–Enforce Password History
  No repeated passwords
–Maximum Password Age
  Time until password change
–Minimum Password Age
  Keeps user from immediately changing password back to what it was
–Minimum Password Length
  If not set, then no password is required
–Password Must Meet Complexity Requirements
  Must be 6 characters or longer, cannot contain the username or any part of the full name, and must contain 3 of the following
  –English Upper Case Character
  –English Lower Case Character
  –Decimal Digit
  –Symbols
–Store Passwords Using Reversible Encryption
  Higher level of Encryption security

Account Policies
Account Lockout Policy
–Account Lockout Duration
  How long the account will remain locked if Threshold is reached.
–Account Lockout Threshold
  Specifies how many invalid attempts can be made before the account is locked.
–Reset Account Lockout Counter After
  How many minutes the counter will remember unsuccessful login attempts.
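
One way to check the Account Policies described on the two slides above, as an added example that is not part of the original slides. It assumes the local policy was exported with `secedit /export /cfg policy.inf`, and it flags each setting whose value of 0 means the control is switched off; the sample file content is constructed.

```python
# Added illustration: audit the Account Policies in a `secedit /export` INF file.
import configparser

# Constructed sample of an exported policy (not taken from a real machine).
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Settings for which 0 means "not enforced", with the consequence the slides give.
ZERO_MEANS_OFF = {
    "PasswordHistorySize": "password history off, old passwords can be reused",
    "MinimumPasswordAge": "user can immediately change the password back",
    "MinimumPasswordLength": "no password is required",
    "PasswordComplexity": "complexity requirements are not enforced",
    "LockoutBadCount": "lockout threshold off, invalid attempts never lock the account",
}


def audit(inf_text):
    """Return one finding per account-policy setting that is switched off."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep the key names exactly as exported
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return ["[System Access] section missing from export"]
    access = parser["System Access"]
    findings = []
    for key, meaning in ZERO_MEANS_OFF.items():
        raw = access.get(key)
        if raw is None:
            findings.append(f"{key}: not present in export")
        elif int(raw) == 0:
            findings.append(f"{key} = 0: {meaning}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INF):
        print(line)
```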

Local Policies
After Login
Audit Policy (Too many will degrade performance)
–Used to track success or failure of user actions.
  Login Attempts
  Object Access
User Rights Assignment
–User rights as they apply to the system, not file permissions
  Change System Time
  Add workstations to the Domain
  Backup files and directories
Security Options
–Security as it relates to the computer, not the user.
–Contains new policies relating to User Account Control (UAC)
  Require approval for administrative operations
  Specifies the method of approval
  –Prompt for Consent
  –Prompt for Credentials

User Account Control
New to Windows Vista
Protects computers by requiring privilege elevation for all users, including local Administrators (except the built-in Administrator account)
–Local Administrative users act as standard users until doing something which requires administrative privileges
–Standard users will be prompted for the credentials of an admin user.
Privilege escalation is required whenever the four-color shield icon is present:

Windows Security Center
Used to monitor and configure critical settings through a centralized dialogue box for:
–Windows Firewall
–Automatic Updating
–Malware Protection
–Other Security Settings
Will list whether the security feature is enabled and whether it is up to date.

Windows Firewall
Protects computer from unauthorized users or malicious software.
It does not allow unsolicited traffic to pass that was not requested.
Configuration
–General Tab
  On or Off, as well as Block all Incoming
–Exceptions Tab
  Define which programs and services can pass through the firewall
–Advanced Tab
  Specify firewall settings at a more granular level by reducing control to the specific connection.
Windows Firewall with Advanced Security is used to configure advanced settings, including inbound and outbound rules

Windows Defender
Formerly Microsoft AntiSpyware
Protects computer from spyware threats
Tools and Settings
–Options:
  Default Actions
  Automatic Scans
  Realtime Protection
–Microsoft SpyNet
  Online Community for such things as what to do with non-classified software
–Quarantined Items
  Allowed recovery of software found to be ok
–Allowed Items
  List of trusted applications
–Software Explorer
  Lists installed software and its classification
–Windows Defender website

BitLocker Drive Encryption
Included with Vista Enterprise and Vista Ultimate
Used to encrypt the system drive
–The security key is stored on the system's TPM (Trusted Platform Module) chip. If no TPM is present, it can be stored on a thumb drive. The USB thumb drive will be required each time you boot the system.
–The 48-digit BitLocker recovery password must not be lost; it is needed to recover from a lost or corrupted USB drive.
Files on other drives must be encrypted with another method, such as Encrypting File System (EFS), as BitLocker only does the System Drive

File and Folder Access Security
Vista allows you to very easily share and secure files and folders.
A user’s access rights to specific folders will be based on their logon name and group associations by applying NTFS (New Technology File System) permissions.

NTFS Permissions
If permissions are not explicitly granted in NTFS, then they are implicitly denied.
An explicit deny overrides explicitly granted permissions
Six levels of permissions
–Full Control
–Modify
–Read & Execute
–List Folder Contents
–Read
–Write

Controlling Inheritance
By default, subfolders and files inherit the permissions assigned to the parent folder.
Prevent permissions from propagating to subfolders and files by clearing the Include Inheritable Permissions from This Object’s Parent check box.

Determining Effective Permissions
To determine a user’s effective rights to a file or folder:
–Add all the permissions that are allowed to the user to all permissions granted to the groups of which the user is a member.
–Subtract any permissions similarly denied to the user or the user’s groups.

Determining NTFS Permissions for Copied and Moved Files
Same Partition
–Move File: Retains original NTFS permissions
–Copy File: Inherits permissions from destination folder
Different Partition
–Move File and Copy File: Inherits permissions from destination folder

Managing Network Access
Share folders that contain files you want to be accessible over the network
Configure sharing from the Sharing tab of the folder properties dialog box

Configuring Share Permissions
Permissions can be assigned to users and groups
–Full Control
  Allows full access to the folder
–Change
  Allows users to change data in files or to delete files
–Read
  Allows users to view and execute files

NTFS Permissions + Shared Permissions
NTFS security and shared folder security work together
The most restrictive permissions are the effective permissions:
–NTFS security more restrictive than shared folder security = NTFS permissions are effective
–Shared folder security more restrictive than NTFS security = Shared folder permissions are effective
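
The rules from the NTFS Permissions, Determining Effective Permissions and NTFS Permissions + Shared Permissions slides, combined in one added example (not part of the original slides). Each permission level is reduced to a set of basic rights, which is a simplifying assumption and not the real Windows access masks; the users, groups and ACLs are constructed.

```python
# Added illustration: simplified model of effective NTFS and share permissions.
# Mapping each level to basic rights is an assumption made for this example.
NTFS = {
    "Full Control": {"read", "execute", "list", "write", "delete", "change_permissions"},
    "Modify": {"read", "execute", "list", "write", "delete"},
    "Read & Execute": {"read", "execute", "list"},
    "List Folder Contents": {"list"},
    "Read": {"read"},
    "Write": {"write"},
}
SHARE = {
    "Full Control": NTFS["Full Control"],
    "Change": NTFS["Modify"],
    "Read": NTFS["Read & Execute"],
}

# Constructed ACLs for a hypothetical shared folder.
FOLDER_ACL = [
    ("Users", "allow", "Read"),
    ("Sales", "allow", "Modify"),
    ("alice", "deny", "Write"),
]
SHARE_ACL = [("Users", "Read"), ("Managers", "Full Control")]


def ntfs_effective(acl, user, groups):
    """Add the rights allowed to the user and groups, then subtract the denied ones."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(NTFS[level])
    # No matching allow entry leaves an empty set: the implicit deny.
    return allowed - denied


def network_effective(acl, share_acl, user, groups):
    """Over the network the most restrictive of NTFS and share rights applies."""
    principals = {user, *groups}
    share = set()
    for principal, level in share_acl:
        if principal in principals:
            share |= SHARE[level]
    return ntfs_effective(acl, user, groups) & share


if __name__ == "__main__":
    groups = ["Users", "Sales"]
    print("local:  ", sorted(ntfs_effective(FOLDER_ACL, "alice", groups)))
    print("network:", sorted(network_effective(FOLDER_ACL, SHARE_ACL, "alice", groups)))
```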