Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.


Troubleshooting Security Issues Lesson 6

Skills Matrix

Technology Skill | Objective Domain Skill | Domain #
Monitoring and Troubleshooting with Event Viewer | Troubleshoot security configuration issues: Run Event Viewer tool | 2.2
Getting Started with Event Viewer | Run Event Viewer tool | 2.2
Sorting and Grouping Events | Run Event Viewer tool | 2.2
Viewing Events | Run Event Viewer tool | 2.2
Creating Filters and Custom Views | Run Event Viewer tool | 2.2
Centralizing Event Data by Using Subscriptions | Run Event Viewer tool | 2.2
Using the Security Configuration and Analysis Snap-in | Run the Security Configuration and Analysis tool | 2.2
Using the Security Configuration and Analysis Snap-in to Analyze Settings | Run the Security Configuration and Analysis tool | 2.2
Using the Security Configuration and Analysis Snap-in to Configure Security Policy | Run the Security Configuration and Analysis tool | 2.2
Understanding, Configuring, and Troubleshooting Software Restriction Policies | Troubleshoot software restrictions | 5.2
How Software Restriction Policies Work | Troubleshoot software restrictions | 5.2
Understanding Additional Rules | Digital signing | 5.2
Configuring Software Restriction Policies | Digital signing | 5.2

Understanding Software Restriction Policies
Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.

Understanding Software Restriction Policies (cont.)
Common reasons for implementing software restriction policies:
• Fight malicious software (malware)
• Regulate which Microsoft ActiveX controls can be installed
• Restrict the running of scripts to those that are digitally signed
• Allow only approved software to be installed or executed
• Reduce the chance of installing or running software that might conflict with other applications
• Restrict users from adding untrusted publishers

Understanding Software Restriction Policies (cont.)
The default security level can be one of three security levels:
• Unrestricted – The user is not prevented from running the software.
• Disallowed – The user is prevented from running the software.
• Basic User – The user is not prevented from running the software, but is prevented from elevating it from running with standard user privileges to running with administrator privileges.

Understanding Additional Rules
Additional rules identify specific software so that, when it runs, it can be assigned a security level other than the one defined by the default rule.

Understanding Additional Rules (cont.)
Additional rules:
• Hash rules – Identify programs by a cryptographic hash of the program file
• Certificate rules – Identify programs by the certificate used to digitally sign them
• Path rules – Identify programs by their local file paths, universal naming convention (UNC) paths, or registry paths
• Network zone rules – Identify programs by the network zone from which they were downloaded

Understanding Hash Rules
Hash rules use hashes to identify program files so that the identified programs can be excepted in some way, using additional rules or the default rule in a software restriction policy.

Understanding Hash Rules (cont.)
In Windows Vista, a new hash rule will contain two hashes:
• MD5 (Message-Digest algorithm 5) or SHA-1 (Secure Hash Algorithm 1)
• SHA-256
Hash types are determined according to the following rules:
• Files that are digitally signed use the MD5 or SHA-1 hash, according to which one is in their signature.
• Files that are not digitally signed and are on computers not running Windows Vista use the MD5 hash.
• Files that are not digitally signed and are on Windows Vista use both the MD5 hash and the SHA-256 hash, for compatibility with earlier versions of Windows.

Understanding Certificate Rules
Certificate rules use certificates to identify program files so that the identified programs can be excepted in some way, using additional rules or the default rule in a software restriction policy. Windows Vista does not enable certificate rules by default. Certificate rules can only assign a security level of Unrestricted or Disallowed.

Understanding Path Rules
Path rules use file paths or registry paths to identify program files so that the identified programs can be excepted in some way, using additional rules or the default rule in a software restriction policy.

Understanding Path Rules (cont.)
There are two types of path rules:
• File path rules – Can specify a folder or a fully qualified path to a program file. In the case of a folder, file path rules identify all software in the folder and its subfolders recursively.
• Registry path rules – Identify programs according to the paths that the programs record in the registry as their install locations. Not all programs create such an entry in the registry.

Understanding Network Zone Rules
Network zone rules use the network zone from which you downloaded the software as the criterion for creating software restriction policies.

Understanding Network Zone Rules (cont.)
There are five network zones:
• Internet
• Local Intranet
• Restricted Sites
• Trusted Sites
• Local Computer

Using Additional Rules
Additional rules enable you to configure non-default behavior for software restriction policies. In other words, additional rules are the exceptions to a default rule.

Understanding Additional Rules Precedence
The most specific rule takes precedence. Any ties are resolved according to the following precedence, highest first:
• Hash rule
• Certificate rule
• Path rule
• Internet (network) zone rule
• Default security level
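As an added example (not from the lesson, and not Microsoft's own tooling), the following PowerShell script shows how the rule types and the precedence order above play out for one program file when troubleshooting a software restriction: it computes the file's MD5, SHA-1 and SHA-256 hashes, reads the hash and path rules that a software restriction policy stores in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, lists the rules that match, and resolves the effective security level. It assumes that registry layout (level subkeys 0, 131072 and 262144 for Disallowed, Basic User and Unrestricted, with Hashes and Paths subkeys), a hypothetical file path, and an elevated prompt; certificate and network zone rules are stored differently and are not evaluated here.

```powershell
# Added example (not from the lesson): find the SRP hash and path rules that
# match one program file and resolve the effective security level with the
# lesson's precedence order. Reads the policy registry layout under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; certificate
# and network zone rules are stored differently and are not evaluated here.
# Run in an elevated PowerShell; $Path is a hypothetical file.
param([string]$Path = 'C:\Tools\example.exe')

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }  # SAFER level ids
$algNames   = @{ 32771 = 'MD5'; 32772 = 'SHA1'; 32780 = 'SHA256' }                   # CryptoAPI ALG_IDs found in HashAlg

$file     = Get-Item -LiteralPath $Path
$fileHash = @{}
foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    $fileHash[$alg] = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
}

$hits = @()
foreach ($levelId in $levelNames.Keys) {
    $levelKey = Join-Path $base $levelId
    if (-not (Test-Path $levelKey)) { continue }

    # Hash rules: ItemData = hash bytes, HashAlg = algorithm, ItemSize = size of the file the rule was built from
    foreach ($key in (Get-ChildItem (Join-Path $levelKey 'Hashes') -ErrorAction SilentlyContinue)) {
        $rule = Get-ItemProperty $key.PSPath
        $hex  = ($rule.ItemData | ForEach-Object { $_.ToString('X2') }) -join ''
        $alg  = $algNames[[int]$rule.HashAlg]
        if ($alg -and $hex -eq $fileHash[$alg] -and [int64]$rule.ItemSize -eq $file.Length) {
            $hits += [pscustomobject]@{ Type = 'Hash'; Level = $levelNames[$levelId]; Detail = "$alg $hex" }
        }
    }

    # Path rules: ItemData = path, possibly with environment variables or wildcards
    foreach ($key in (Get-ChildItem (Join-Path $levelKey 'Paths') -ErrorAction SilentlyContinue)) {
        $rulePath = [string](Get-ItemProperty $key.PSPath).ItemData
        if ($rulePath -like '%HKEY*') { continue }      # registry path rule: resolved differently, skipped here
        $rulePath = [Environment]::ExpandEnvironmentVariables($rulePath)
        # A folder rule covers the folder and everything below it; a wildcard rule is used as written
        $pattern  = if ($rulePath -match '[\*\?]') { $rulePath } else { $rulePath.TrimEnd('\') + '\*' }
        if ($Path -eq $rulePath -or $Path -like $pattern) {
            $hits += [pscustomobject]@{ Type = 'Path'; Level = $levelNames[$levelId]; Detail = $rulePath }
        }
    }
}

# Precedence from the lesson: hash, then certificate, then path, then zone, then default.
# Among path rules the longer (more specific) path wins. Certificate and zone hits would
# take ranks 1 and 3 if this script also collected them.
$rank   = @{ Hash = 0; Certificate = 1; Path = 2; Zone = 3 }
$winner = $hits |
    Sort-Object @{ Expression = { $rank[$_.Type] } }, @{ Expression = { $_.Detail.Length }; Descending = $true } |
    Select-Object -First 1

if ($winner) {
    "Effective level for $Path : $($winner.Level)  (via $($winner.Type) rule: $($winner.Detail))"
} else {
    $default = (Get-ItemProperty $base -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $default) { "No software restriction policy is defined on this computer." }
    else { "No additional rule matches $Path; the default level applies: $($levelNames[[int]$default])" }
}
```

The ItemSize check matters: a hash rule created from an earlier build of a program stops matching as soon as the file is patched, which is the usual reason a hash rule "stops working" and an unwanted default level applies.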

Configuring Software Restriction Policies Through Group Policy
[Figure: Group Policy object with the Software Restriction Policies node expanded]

Setting the Default Security Level
1. Open the GPO that you want to edit in the Group Policy Object Editor.
2. In the console tree of the Group Policy Object Editor, expand Software Restriction Policies and select Security Levels.
3. Right-click the security level that you want to designate as the default security level, and then click Properties.
4. Click Set as Default.
5. If you are moving to a more restrictive default security level, a message box asks you to confirm the change. Click Yes.
6. Click OK to close the Security Level Properties dialog box.

Configuring Enforcement Options
[Figure: Enforcement Properties dialog box]

Adding or Removing Designated File Types
1. Open the GPO that you want to edit in the Group Policy Object Editor.
2. In the Group Policy Object Editor, select Software Restriction Policies.
3. In the details pane, right-click Designated File Types, and then click Properties.
4. To add a designated file type, key the extension in the File extension text box, and then click Add. To remove a designated file type, select it in the Designated file types list box, and then click Remove.
5. A Software Restriction Policies warning box appears. Click Yes.
6. Click OK to close the Designated File Types Properties dialog box.

Creating a Certificate Rule
1. Open the GPO that you want to edit in the Group Policy Object Editor.
2. In the Group Policy Object Editor, under Software Restriction Policies, right-click Additional Rules, and then click New Certificate Rule.
3. Click Browse. The Open dialog box appears. Browse to and select the certificate that you want to base the rule on, and then click Open.
4. In the New Certificate Rule dialog box, in the Security level drop-down list, select one of the following:
   • Unrestricted – Select to allow the user to run the software. The user can elevate the software from running with standard user privileges to running with administrator privileges.
   • Disallowed – Select to prevent the user from running the software.
5. In the Description text box, you can optionally type a description of the purpose of the rule.
6. Click OK to close the New Certificate Rule dialog box.
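Before step 3 you need the signer's certificate as a file, and the rule will only be evaluated if certificate rules are enabled. As an added example (not part of the lesson), the PowerShell below checks a program's Authenticode signature, exports the signer certificate for the Browse step, and reads the AuthenticodeEnabled value under the policy key to show whether certificate rules are in effect. The file path and output path are hypothetical; reading the policy key needs an elevated prompt.

```powershell
# Added example (not from the lesson): inspect the signature a certificate rule
# will be matched against, save the signer certificate for the New Certificate
# Rule dialog, and check whether SRP is evaluating certificate rules at all.
# $Path and $CerOut are hypothetical; run elevated for the registry check.
param(
    [string]$Path   = 'C:\Tools\example.exe',   # hypothetical signed program
    [string]$CerOut = "$env:TEMP\signer.cer"    # where to write the signer certificate
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"            # Valid, NotSigned, HashMismatch, ...
if ($sig.Status -ne 'Valid') {
    "File is not validly signed; a certificate rule cannot identify it. Use a hash or path rule instead."
    return
}

$cert = $sig.SignerCertificate
"Signer subject   : $($cert.Subject)"
"Issuer           : $($cert.Issuer)"
"Thumbprint       : $($cert.Thumbprint)"
"Valid until      : $($cert.NotAfter)"          # the rule keeps matching only while the signature chain validates

# Export the public certificate (DER .cer) so it can be picked in the Browse step
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($CerOut, $der)
"Signer certificate written to $CerOut"

# SRP evaluates certificate rules only when AuthenticodeEnabled is 1 under the policy key;
# Windows Vista leaves this off by default, so a rule can exist and still do nothing.
$srp     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$enabled = (Get-ItemProperty -Path $srp -Name AuthenticodeEnabled -ErrorAction SilentlyContinue).AuthenticodeEnabled
if ($enabled -eq 1) {
    "Certificate rules are enabled."
} else {
    "Certificate rules are NOT enabled (AuthenticodeEnabled = $enabled); turn on certificate rule enforcement in the policy's Enforcement properties."
}
```

A certificate rule identifies every binary the publisher signs with that certificate, not one file, so the Disallowed level on a certificate rule is a broad block and the Unrestricted level a broad allowance; check the subject and issuer printed above before choosing either.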

Creating a Hash Rule
[Figure: New Hash Rule dialog box]

Creating a Network Zone Rule
[Figure: New Network Zone Rule dialog box]

Creating a Path Rule
[Figure: New Path Rule dialog box]

Monitoring and Troubleshooting with Event Viewer
Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.

Starting Event Viewer
[Figure: Event Viewer console]

Starting Event Viewer (cont.)
Summary of Administrative Events – This section contains a custom view of events in which the events are grouped according to event type. There are five common event types:
• Error
• Warning
• Information
• Audit Success
• Audit Failure

Starting Event Viewer (cont.)
[Figure: Summary of Administrative Events section of Event Viewer with the Audit Failure node expanded]

Starting Event Viewer (cont.)
[Figure: Event Viewer console tree with the Windows Logs node expanded]

Sorting and Grouping Events
You can sort and group events around many pivots to more easily find the events that you are looking for:
• Level
• Date and Time
• Source
• Event ID
• Task Category

Sorting by and Configuring Column Headings
[Figure: Add/Remove Columns dialog box]

Viewing Event Data in Event Viewer
[Figure: General tab of the Event Properties dialog box]

Attaching a Task to an Event
1. Open Event Viewer.
2. In Event Viewer, right-click an example of the event to which you want to attach a task, and then click Attach Task to this Event.
3. Follow the instructions in the wizard to create the task.

Filtering a Log
Select the event levels that you want to include in the event list:
• Critical – There is a serious problem and you should take action immediately.
• Error – There is an error. You most likely should address the error.
• Warning – There may be a problem.
• Information
• Verbose – Informational only

Creating and Saving a Custom View
[Figure: Create Custom View dialog box]
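A filter or custom view is stored by Event Viewer as an XML query (the XML tab of the Filter dialog shows it). As an added example, not part of the lesson, the PowerShell below runs two such queries with Get-WinEvent and then sorts and groups the results on the pivots listed earlier: one selects Critical, Error and Warning events from the System log in the last 24 hours by Level, the other selects Audit Failure events from the Security log by Keyword, since Audit Success and Audit Failure are keywords rather than levels. The log names, the 24-hour window and the level choice are assumptions for the example, and reading the Security log needs an elevated prompt.

```powershell
# Added example (not from the lesson): the XML query behind an Event Viewer
# filter or custom view, run with Get-WinEvent, then sorted and grouped on the
# lesson's pivots. Log names, window and levels are assumptions for the example.
$windowMs = 24 * 60 * 60 * 1000   # timediff() in the event XPath dialect is in milliseconds

# Level values in the event XML: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose
$problemQuery = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

# Audit Failure is a keyword; this band() test is what the "Audit Failure" check box generates
$auditFailQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

function Get-RecentEvents([string]$FilterXml) {
    # Get-WinEvent reports "no events found" as an error; treat it as an empty result
    Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue
}

$problems = Get-RecentEvents $problemQuery

# Sort on Level, then Date and Time (newest first), showing the columns the lesson names
$problems |
    Sort-Object Level, @{ Expression = 'TimeCreated'; Descending = $true } |
    Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, TaskDisplayName -First 20 |
    Format-Table -AutoSize

# Group on Source and Event ID to see which events recur most
$problems |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Audit failures grouped by Event ID; a sudden rise in one ID is what the Summary of
# Administrative Events view is meant to make visible
Get-RecentEvents $auditFailQuery |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The same QueryList text can be pasted into the XML tab of the Create Custom View dialog, so a query tested here can be saved as a custom view without retyping the criteria.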

Centralizing Event Data Using Subscriptions
New in Windows Vista is the ability to centralize event data by creating subscriptions between a collector computer and forwarders.

Centralizing Event Data Using Subscriptions (cont.)
Configure the forwarding computers by using the winrm quickconfig command, which does the following:
• Sets the startup type for the Windows Remote Management (WinRM) service to Automatic (Delayed Start)
• Starts the WinRM service
• Enables an exception in Windows Firewall for Windows Remote Management
When the winrm quickconfig command has completed:
• Add the collector's computer account to the Event Log Readers group on the forwarders.
• Configure the subscription on the collector computer.

Configuring the Forwarding Computers
[Figure: Selecting Event Log Readers in the Add New User Wizard]

Configuring the Collector Computer
[Figure: Subscription Properties dialog box]
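The forwarder and collector steps above can also be done from an elevated command line, which is convenient when there are many forwarders and when checking why a subscription shows no events. The following is an added example, not part of the lesson: the forwarder side runs winrm quickconfig and adds the collector's computer account to Event Log Readers; the collector side enables the Windows Event Collector service with wecutil, creates a collector-initiated subscription from an XML file, and reads back its runtime status. The domain, computer and host names are constructed placeholders, the query collects Audit Failure events, and the XML follows the subscription format that wecutil documents.

```powershell
# Added example (not from the lesson): forwarder and collector configuration for
# an event subscription, with a status check. CONTOSO, COLLECTOR and
# forwarder1.contoso.example are constructed placeholders; run elevated on each side.

# --- On each forwarding computer ---
winrm quickconfig -q                              # starts WinRM, sets auto start, opens the firewall exception
# The collector connects as its computer account, which must be allowed to read the logs
net localgroup "Event Log Readers" "CONTOSO\COLLECTOR$" /add
net localgroup "Event Log Readers"                # verify the membership took effect

# --- On the collector computer ---
wecutil qc /q                                     # enable and start the Windows Event Collector service

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityAuditFailures</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Audit failures from the forwarders (example)</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>forwarder1.contoso.example</Address></EventSource>
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP 'SecurityAuditFailures.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath                               # create the subscription from the XML file
wecutil gr SecurityAuditFailures                  # runtime status: each source should be Active, not an error code

# Forwarded events land in the collector's ForwardedEvents log
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, MachineName, Id -AutoSize
```

CredentialsType Default means the collector authenticates with its computer account, which is why the Event Log Readers membership on each forwarder is required; a source that stays in an error state in wecutil gr usually means that membership is missing or WinRM is not listening on the forwarder.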

Using the Security Configuration and Analysis Snap-in
The Security Configuration and Analysis Snap-in is used to:
• Compare your security configuration settings to those contained in a security template
• Export settings that you configure in a database to a security template
• Apply the security settings in a database to the local computer

Using the Security Configuration and Analysis Snap-in (cont.)
The Security Configuration and Analysis Snap-in uses the following icons in its reports:
• Red X – Setting is defined in the database and on the system, but the two values do not match.
• Green check mark – Setting is defined in the database and on the system, and the values match.
• Question mark – Setting is not defined in the database and was therefore not analyzed, or the user does not have sufficient permissions to perform the analysis.
• Exclamation point – Setting is defined in the database, but not on the system.
• No icon – Setting is not defined in the database or on the system.

Creating a New Database and Analyzing Security Settings
[Figure: Adding the Security Configuration and Analysis snap-in]

Configuring an Analyzed Policy
1. Open the Security Configuration and Analysis Snap-in.
2. In the details pane, double-click the policy setting that you want to configure.
3. If you do not want the policy defined in the database, clear the Define this policy in the database check box, and then click OK.
4. If you want the policy defined in the database, ensure that the Define this policy in the database check box is selected. Configure the Database Setting and the Computer Setting as desired.
5. When you are finished, click OK to close the policy's dialog box.

Configuring Security Policy Based on Database Policy Settings
1. Open the Security Configuration and Analysis Snap-in, load a database, and make any desired modifications to the security policies in the database.
2. Right-click Security Configuration and Analysis, and then click Configure Computer Now.
3. Specify an alternate location for the log file if desired, and then click OK.

Exporting Database Security Settings to a Security Template
1. Open the Security Configuration and Analysis Snap-in, and ensure that a database is loaded from which to export settings to a template.
2. Right-click Security Configuration and Analysis, and then click Export Template.
3. Browse to the location where you want to save the template.
4. In the File Name text box, key a name for the template, and then click Save.
5. Close the console.
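The three snap-in operations in this section (analyze against a template, configure the computer from the database, export the database to a template) have command-line equivalents in secedit.exe, which is useful for repeating an analysis on many machines or keeping a record of it. The following is an added example, not part of the lesson: it imports a template into a fresh database and analyzes the local settings, pulls the mismatches (the snap-in's red-X items) out of the analysis log, applies only the account and local policy area back to the computer, and exports the database to a template. The working folder and template name are constructed for the example, the "Mismatch" log format is assumed from secedit's analysis log, and the commands need an elevated prompt.

```powershell
# Added example (not from the lesson): the snap-in's analyze / configure / export
# operations done with secedit.exe. Paths are constructed for the example and the
# "Mismatch" line format is assumed from secedit's analysis log; run elevated.
$work     = 'C:\SecAnalysis'                                    # hypothetical working folder
$template = "$env:SystemRoot\security\templates\example.inf"    # hypothetical security template
$db       = Join-Path $work 'analysis.sdb'
$log      = Join-Path $work 'analysis.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Import the template into a new database and analyze the local computer against it
#    (Open Database -> Import Template -> Analyze Computer Now). /overwrite replaces any
#    settings already in the database with the template's.
secedit /analyze /db $db /cfg $template /log $log /overwrite /quiet

# Settings that differ from the template are the red-X items in the snap-in
$mismatches = Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
"Settings that differ from the template: $($mismatches.Count)"
$mismatches

# 2. Apply the database settings to the local computer (Configure Computer Now).
#    /areas limits the change; SECURITYPOLICY covers account policies and local policies,
#    so file system and registry ACL areas in the template are left untouched.
secedit /configure /db $db /log (Join-Path $work 'configure.log') /areas SECURITYPOLICY /quiet

# 3. Export the database back to a template (Export Template) for reuse elsewhere
secedit /export /db $db /cfg (Join-Path $work 'exported.inf') /log (Join-Path $work 'export.log')

"Exported template: $(Join-Path $work 'exported.inf')"
```

Review the mismatch list before running the configure step: Configure Computer Now writes every defined database setting to the computer, and the areas flag is the only way from the command line to apply part of it.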

Summary (You Learned)
• Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.
• Additional rules in software restriction policies are exceptions to a default rule and come in four varieties: hash rules, certificate rules, path rules, and network zone rules.
• Hash rules use hashes to identify program files in software restriction policies.
• Certificate rules use certificates to identify program files in software restriction policies.
• Path rules use file paths or registry paths to identify program files in software restriction policies.
• Network zone rules use the location from which you downloaded the software to identify program files in software restriction policies.
• Software restriction policies can be configured for both users and computers.
• You learned how to set the default security level for software restriction policies.
• You learned how to configure enforcement options for software restriction policies.
• You learned how to add or remove designated file types for software restriction policies.
• You learned how to create certificate, hash, network zone, and path rules for software restriction policies.
• Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.
• You learned how to use Event Viewer to view events on the local computer and on remote computers.
• You learned how to sort and group events around pivots to more easily find the events that you are looking for.
• Event details are stored in XML and can be viewed in XML or in a more readable format.
• Filters and custom views enable you to filter large numbers of events according to custom criteria.
• You learned how to filter a log and how to create and save a custom view.
• You learned how to centralize event data by creating subscriptions between a collector computer and forwarders.
• The Security Configuration and Analysis Snap-in is used to compare your security configuration settings to those contained in a security template, export settings that you configure in a database to a security template, and apply the security settings in a database to the local computer.
• You learned how to create a new database and analyze your system's security settings using the Security Configuration and Analysis Snap-in.
• You learned how to apply security settings to the local computer using the Security Configuration and Analysis Snap-in.
• You learned how to export database security settings to a security template using the Security Configuration and Analysis Snap-in.