Section 7: Implementing Security Using Group Policy Exploring the Windows Security Architecture Securing User Accounts Exploring Security Policies Hardening.


Slide 1: Section 7: Implementing Security Using Group Policy
- Exploring the Windows Security Architecture
- Securing User Accounts
- Exploring Security Policies
- Hardening Windows Environments
- Implementing Domain Security
- New Security Policy Options for Windows 8 Client and Windows Server 2012
Course: Managing Windows Environments with Group Policy

Slide 2: Section Objectives
© 2013 Global Knowledge Training LLC. All rights reserved.
After completing this section, you will be able to:
- Describe the Windows security architecture
- Explain how to secure user accounts with Group Policy
- Describe the purpose of local policies
- Explain how to harden computer accounts
- Explain how to control the domain security policy with a GPO
(Course page 7-2)

Slide 3: Exploring the Windows Security Architecture
The main security components of a Windows 2000 and later operating system are:
- Security principals
- Access control lists
- Security groups
- NTUSER.DAT
- The registry

Slide 4: Security Principals
Security principals are objects within Active Directory that are assigned SIDs for access control purposes:
- Users
- Groups
- Computers

Slide 5: Access Control Lists
Access control lists are permissions granted to objects within a Windows environment. ACLs are available on:
- Files and folders
- Registry keys
- Printers
- Active Directory objects
- Group Policy objects

Slide 6: Security Groups

Group type            Membership from               Access to resources
Local groups          From any trusted domain       To the local computer only
Domain local groups   From any trusted domain       To the local domain only
Global groups         From the local domain only    To any trusted domain
Universal groups      From any trusted domain       To any trusted domain

Slide 7: NTUSER.DAT: The User Profile
Group Policy information is stored in specific policy folders in either the user or system hives of the registry.

Slide 8: The Registry
The registry is the ultimate storage location for many Group Policy settings. The SECURITY hive contains the bulk of the security settings for users and groups.

Slide 9: Securing User Accounts
- Authentication protocols
- Password security
- Account lockout settings
- Kerberos Policy
(Figure: users authenticating to a domain controller)

Slide 10: Authentication Protocols
- NT LAN Manager (NTLMv1, NTLMv2): uses 56-bit DES
- Kerberos: 128-bit and 256-bit AES
- Smart-card logon

Slide 11: Password Security
- Password strength
- Configuring the Default Domain Policy
- Implementing fine-grained password policies
- Ctrl+Alt+Delete

Slide 12: Password Strength
- Complex is not always stronger.
- Frequent changing encourages written passwords.
- Password length is the key to greater security.
- The ultimate goal would be smart cards instead of passwords.

Slide 13: Configuring the Default Domain Policy
- Basic password policies are configured at the domain level.
- All operating systems understand domain password policies.

Slide 14: Implementing Fine-Grained Password Policies
- Understanding fine-grained password policies
- Creating fine-grained password policies
- Applying policies to users and groups
- Viewing policy results

Slide 15: Understanding Fine-Grained Password Policies
Fine-grained password policies allow for many different password guidelines within a single domain.
Two new object classes:
- Password Settings Container
- Password Settings
PSOs are applied to groups or users, not OUs.
Create PSOs with:
- Active Directory Administrative Center
- PowerShell
- ADSIEdit

Slide 16: Creating Fine-Grained Password Policies
Password Settings objects are created using a single window containing all settings.

Slide 17: Applying Policies to Users and Groups
PSOs can be assigned to users or groups.

Slide 18: Viewing Policy Results
The resultant password settings that affect a user can be viewed at any time.
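The PowerShell route named on slides 15 to 18 (create a PSO, apply it to a group, view the resultant policy for a user), as an added example that is not part of the Global Knowledge deck. The domain, the group "Privileged Admins", the user "jsmith" and the PSO name are constructed for the example; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example (not from the deck): create, apply and verify a fine-grained
# password policy. Assumed (constructed) names: PSO "PSO-PrivilegedAdmins",
# group "Privileged Admins", user "jsmith". Requires the ActiveDirectory RSAT
# module and rights to create objects in the Password Settings Container.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAdmins'

# Lower precedence wins when several PSOs apply to the same user. Length rather
# than frequent rotation carries the weight, in line with slide 12.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# PSOs are applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Privileged Admins'

# Resultant policy for one user: the effective PSO, or nothing when only the
# Default Domain Policy applies to that account.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
if ($null -eq $resultant) {
    Write-Output 'jsmith: no PSO applies; the Default Domain Policy governs this account.'
} else {
    $resultant |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration |
        Format-List
}
```

Checking the resultant policy after every change is the useful habit here: membership in several groups with different PSOs makes the effective setting non-obvious, and the precedence value, not the order of creation, decides which one wins.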

Slide 19: Account Lockout Settings
- Account Lockout Threshold
  - Sets the number of allowed invalid logon attempts
  - Larger numbers reduce support calls
- Account Lockout Duration
  - Sets the amount of time before the account can be used again
  - A value of 0 means the account will remain locked until it is unlocked by an administrator
- Account Lockout Reset
  - Configures the amount of time before the number of attempted logons will reset
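Slides 13 and 19 describe the domain-level password and lockout settings; the following added example (not from the deck) writes those values to the default domain policy with the ActiveDirectory module and reads them back. The domain name and the chosen values are constructed for the example. The relationship check reflects the domain constraint that the reset window (lockoutObservationWindow) may not exceed the lockout duration.

```powershell
# Added example (not from the deck): set and read back domain-level password and
# account lockout settings. Assumed (constructed) domain: contoso.local.
Import-Module ActiveDirectory

$domain = 'contoso.local'

$settings = @{
    MinPasswordLength        = 14                          # length matters more than complexity
    PasswordHistoryCount     = 24
    ComplexityEnabled        = $true
    MaxPasswordAge           = [TimeSpan]::FromDays(365)
    MinPasswordAge           = [TimeSpan]::FromDays(1)
    LockoutThreshold         = 10                          # invalid attempts before lockout; 0 disables lockout
    LockoutDuration          = [TimeSpan]::FromMinutes(30) # 0 = locked until an administrator unlocks it
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30) # "Account Lockout Reset" on slide 19
}

# The directory rejects a reset window longer than a non-zero lockout duration,
# so check the relationship before writing the policy.
if ($settings.LockoutDuration -ne [TimeSpan]::Zero -and
    $settings.LockoutObservationWindow -gt $settings.LockoutDuration) {
    throw 'LockoutObservationWindow must not exceed LockoutDuration.'
}

Set-ADDefaultDomainPasswordPolicy -Identity $domain @settings

# Read the policy back; every Windows version honours these domain-level values.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

A threshold of 0 turns lockout off entirely, which removes the help-desk cost the slide mentions but also removes the brake on password guessing; a moderate threshold with a short automatic duration is the usual middle ground.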

Slide 20: Kerberos Policy
Kerberos policies govern the length of time that ticket-granting and service tickets will be cached.

Slide 21: Exploring Security Policies
Important Security Policy Settings:
- Audit Policy
- Advanced Audit Policy
- User Rights Assignment
- Security Options

Slide 22: Audit Policy
Audit who is logging on and accessing files.

Slide 23: Advanced Audit Policy
Audit at a more granular level with Advanced Audit Policies.

Slide 24: User Rights Assignments
User rights assignments can be used to define the special abilities that some users will have within the operating system.
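One way to see who currently holds the rights that slide 24 refers to, as an added example that is not part of the deck: export the local User Rights Assignment with secedit.exe and resolve the holders of a few high-impact privileges. The privilege constants are the real Windows names; the list of which ones to review is this example's choice, not a Microsoft baseline.

```powershell
# Added example (not from the deck): export User Rights Assignment and list the
# holders of selected privileges. Run elevated; secedit writes a Unicode INI file.
$tmp = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null

# The [Privilege Rights] section holds lines such as
#   SeDebugPrivilege = *S-1-5-32-544
# where SIDs are prefixed with '*' and account names appear as DOMAIN\name.
$inSection = $false
$rights = @{}
foreach ($line in Get-Content $tmp) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

# Translate '*SID' entries to account names where the SID resolves.
function Resolve-Holder([string]$entry) {
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # unresolvable SID (deleted account or foreign domain)
    }
}

# Privileges that amount to full control of the machine when granted broadly.
$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege',
             'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
foreach ($priv in $sensitive) {
    $holders = if ($rights.ContainsKey($priv)) { $rights[$priv] | ForEach-Object { Resolve-Holder $_ } } else { @('(nobody)') }
    '{0,-26} {1}' -f $priv, ($holders -join ', ')
}
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Because a GPO's User Rights Assignment replaces rather than merges the local list, the same export run before and after a policy change shows exactly which holders were added or dropped.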

Slide 25: Security Options
Security Options can be used to configure access to the system both locally and over the network.

Slide 26: Security Settings Spreadsheet
Microsoft provides a downloadable spreadsheet that details many of the default settings that are configured in the operating system.

Slide 27: Hardening Windows Environments
- What Is Hardening?
- Security Configuration Wizard
- Microsoft Security Compliance Manager

Slide 28: What Is Hardening?
Hardening is the strengthening of the default levels of security.
For Windows 2000 and later, computer account security is broken down into three subgroups:
- Account Policies
- Account Lockout Policies
- Kerberos Policies
By default, you can increase the default security levels at the domain level. The default values already enabled are merely starting points. Only one domain account policy is allowed.

Slide 29: Security Configuration Wizard
- The Security Configuration Wizard builds a single security-related GPO.
- Configuration detail is saved as an XML file.
- Can be applied to an individual computer.
- Convert to a GPO to apply to more than one computer.

Slide 30: Converting an SCW XML File to a GPO
1. Use the Security Configuration Wizard to create and save the settings to an XML file.
2. Use scwcmd transform to convert the file.
3. The converted GPO will contain both security settings and administrative templates settings.
4. The GPO can then be linked to an appropriate OU.
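The conversion and linking steps of slide 30 carried through in PowerShell, as an added example that is not part of the deck. The policy file path, the GPO name and the OU distinguished name are constructed placeholders; scwcmd.exe ships with the Security Configuration Wizard, and Get-GPO, Get-GPOReport and New-GPLink come from the GroupPolicy RSAT module.

```powershell
# Added example (not from the deck): transform a saved SCW policy into a GPO,
# review it, then link it to an OU. All names below are constructed placeholders.
Import-Module GroupPolicy

$policyXml = 'C:\Policies\WebServerRole.xml'   # saved by the Security Configuration Wizard
$gpoName   = 'SCW - Web Server Role'
$targetOu  = 'OU=Web Servers,OU=Servers,DC=contoso,DC=local'

if (-not (Test-Path $policyXml)) { throw "SCW policy file not found: $policyXml" }

# scwcmd transform creates the GPO in the current domain but does not link it,
# which leaves room to review the settings before any computer receives them.
scwcmd.exe transform /p:"$policyXml" /g:"$gpoName"
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed with exit code $LASTEXITCODE" }

# Confirm the GPO exists and write a settings report: the transformed GPO carries
# both Security Settings and Administrative Templates values, so check both.
$gpo = Get-GPO -Name $gpoName
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "C:\Policies\$gpoName.html"

# Link to the OU that holds servers in this role. Leaving Enforced off keeps normal
# inheritance, so a pilot OU beneath it can still override during testing.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced No
```

Reviewing the HTML report before linking is the step that catches an SCW role answer that disabled a service the OU's servers still need; once linked, the settings reach every computer in the OU at its next refresh.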

Slide 31: Microsoft Security Compliance Manager
The Security Compliance Manager is a free download that can help you assess security and implement a hardened environment.

Slide 32: Implementing Domain Security
- Security Levels
- Controlling File Security through the ACL
- Managing Registry Security Using ACLs
- Controlling Network Services with Group Policy
- Enforcing an Audit Policy
- Restricting Security Group Membership

Slide 33: Security Levels
Microsoft recommends three levels of security:
- Domain
- Assigned server role
- Baseline

Slide 34: Controlling File Security through the ACL
- The File System setting can centrally define ACLs.
- Group Policy refresh keeps the ACL at the specified values.

Slide 35: Managing Registry Security Using ACLs
You can use ACLs to update registry security in the following ways:
- Locking down registry permissions so users cannot change local settings
- Adding user permissions to a key to allow Windows software that was written before Windows 2000 to work
- Adding or modifying permissions that are required in your environment for older software applications
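Slides 34 and 35 rely on knowing which file and registry ACLs are currently loose enough to need a GPO File System or Registry setting. The following added example (not from the deck) reports allow entries that give write-class rights to broad principals on a folder and on a registry key. The paths are constructed for the example, and the set of "broad" principals is this example's choice.

```powershell
# Added example (not from the deck): find ACEs granting write-class access to broad
# principals on a file path and a registry key. Paths are constructed placeholders.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Get-BroadWriteAces([string]$path) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $broad) { continue }
        # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights.
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $ace.FileSystemRights
        } else {
            $ace.RegistryRights
        }
        # Any of these lets the holder alter content, values or the ACL itself.
        if ("$rights" -match 'Write|Modify|FullControl|SetValue|CreateSubKey|ChangePermissions|TakeOwnership') {
            [pscustomobject]@{
                Path      = $path
                Identity  = $ace.IdentityReference.Value
                Rights    = "$rights"
                Inherited = $ace.IsInherited
            }
        }
    }
}

# One file-system path and one registry path; Get-Acl handles both providers.
'C:\Program Files\ExampleApp', 'HKLM:\SOFTWARE\ExampleApp' |
    ForEach-Object { Get-BroadWriteAces -path $_ } |
    Format-Table -AutoSize
```

Entries reported with Inherited = False were set directly on the object and are the ones a GPO File System or Registry setting would replace; inherited ones need the fix applied at the parent, or the GPO setting configured to propagate to subkeys and subfolders.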

Slide 36: Controlling Network Services with Group Policy
Examples of network services to control are:
- Windows Time
- Automatic Updates
- Help and Support
- Remote Registry
- Telnet

Slide 37: Enforcing an Audit Policy
Audit policy can be defined at the site, domain, or OU GPO. Administrators can monitor user and system activity for many security-related activities, including:
- Account logon
- Account management
- Directory service access
- Object access
Events that are triggered by the audit are stored in the Event Viewer security log.
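Slides 22, 23 and 37 cover audit policy, its granular Advanced Audit Policy form, and the Security log the events land in. The following added example (not from the deck) checks a few subcategories with auditpol.exe, enables one, and summarises the failed-logon and lockout events from the last 24 hours. Event IDs 4625 and 4740 are the standard Windows IDs for a failed logon and an account lockout; the subcategory names are the real ones. Run it elevated; lockout (4740) events are written on the domain controller that processed the lockout.

```powershell
# Added example (not from the deck): inspect and set Advanced Audit Policy
# subcategories, then summarise the resulting Security-log events.

# Once "Audit: Force audit policy subcategory settings (Windows Vista or later)
# to override audit policy category settings" is enabled, the subcategory values
# are what Windows enforces, and the legacy Audit Policy categories are ignored.
$subcategories = 'Logon', 'Account Lockout', 'User Account Management', 'Directory Service Access'
foreach ($sub in $subcategories) {
    # auditpol prints a header plus an indented subcategory line; keep only the latter.
    auditpol.exe /get /subcategory:"$sub" |
        Select-String -Pattern ('^\s+' + [regex]::Escape($sub) + '\s')
}

# Enable success and failure auditing for one subcategory.
auditpol.exe /set /subcategory:"Account Lockout" /success:enable /failure:enable | Out-Null

# Failed logons and lockouts from the last 24 hours, grouped by account.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # 4625: Properties[5] is TargetUserName. 4740: Properties[0] is the locked account.
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Account = if ($_.Id -eq 4625) { $_.Properties[5].Value } else { $_.Properties[0].Value }
    }
} | Group-Object EventId, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A single account with many 4625 entries followed by a 4740 is the pattern the lockout threshold on slide 19 is designed to produce; many accounts with one or two failures each is a different situation and shows why the grouping is by account rather than by event count alone.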

Slide 38: Restricting Security Group Membership
With the Restricted Groups option, you can centrally configure the membership of a group on a local computer. The Group Policy refresh cycle sets the membership back to this value even if it is changed locally.
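Between refresh cycles a Restricted Groups setting is not yet re-applied, so a local change can persist for up to the refresh interval. The following added example (not from the deck) compares the current local Administrators membership with the list a Restricted Groups setting is expected to enforce and triggers an immediate refresh on drift. The expected list is constructed for the example; Get-LocalGroupMember comes with the Microsoft.PowerShell.LocalAccounts module on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the deck): detect local group drift against the
# membership a Restricted Groups setting enforces. $expected is constructed.
$groupName = 'Administrators'
$expected  = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

function Get-LocalGroupDrift([string]$group, [string[]]$expectedMembers) {
    $current = @(Get-LocalGroupMember -Group $group | ForEach-Object {
        # Local accounts are reported as COMPUTER\name; drop the computer prefix so
        # the same expected list works on every machine.
        if ($_.PrincipalSource -eq 'Local') { $_.Name.Split('\')[-1] } else { $_.Name }
    })
    [pscustomobject]@{
        Group      = $group
        Unexpected = @($current         | Where-Object { $_ -notin $expectedMembers })
        Missing    = @($expectedMembers | Where-Object { $_ -notin $current })
    }
}

$drift = Get-LocalGroupDrift -group $groupName -expectedMembers $expected
if ($drift.Unexpected.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Output "$groupName matches the enforced membership."
} else {
    # The next refresh will correct this, but the drift itself is worth recording:
    # someone held (or lost) local admin outside policy for some interval.
    Write-Output "Drift detected in $groupName"
    $drift | Format-List
    gpupdate.exe /target:computer /force | Out-Null
}
```

Logging the Unexpected list with a timestamp, rather than only correcting it, is what turns this check into a detection: the refresh cycle hides the change, the log keeps it.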

Slide 39: New Security Policy Options for Windows 8 Client and Windows Server 2012
Several new policy options have been added to the security section in Windows 8 Client and Windows Server 2012:
- Accounts: Block Microsoft accounts
- Interactive logon: Machine account lockout threshold
- Interactive logon: Machine inactivity limit
- Microsoft network server: Attempt S4U2Self to obtain claim information

Slide 40: Summary
The main security components of a Windows 2000 and later operating system are:
- Security principals: The operating system assigns a SID to every user, group, or computer object on a standalone Windows computer system or one that is a member of a domain. Some security principals are created by default by the operating system.

Slide 41: Summary (cont.)
- Access control lists: Every object and process created on an NTFS file-system partition can be controlled using file and folder permissions. Permissions are assigned using ACLs that contain a list of security principals. A DACL (discretionary ACL) is the specific allow and/or deny privilege given to each security principal. SACLs (system ACLs) are used to audit selected users and groups if you want to monitor the assigned level of permissions on any object or process.
- Security groups: Used to assign rights and permissions to processes and objects using the ACLs, DACLs, and SACLs.

Slide 42: Summary (cont.)
- NTUSER.DAT: Used to hold part of each user profile and is loaded when the user successfully logs on to a Windows client. This user profile registry hive is mapped to the HKEY_CURRENT_USER section of the registry after the user is logged on.
- The registry: Many Group Policy settings update the registry database on the local computer, even if the settings are deployed through Active Directory. The hives that apply to Group Policy are:
  - HKEY_CURRENT_USER
  - HKEY_LOCAL_MACHINE
  - HKEY_CLASSES_ROOT
  - HKEY_USERS
  - HKEY_CURRENT_CONFIG

Slide 43: Summary (cont.)
To secure user accounts, you must consider the following:
- Authentication protocols
- Password security
- Account Lockout settings
- Kerberos policy settings
Local policies are policy settings that can be configured on a per-machine basis with the Group Policy Management Editor. These settings are useful when the machine is in a workgroup or is being staged for deployment.

Slide 44: Summary (cont.)
Computer account security is divided into three subgroups: account policies, account lockout policies, and Kerberos policies.
You can use two tools to harden computer accounts, the GPOAccelerator and the Security Configuration Wizard:
- The GPOAccelerator tool builds a series of preconfigured GPOs with a security emphasis.
- The Security Configuration Wizard builds a single security-related GPO.

Slide 45: Summary (cont.)
To control domain security policy with a GPO, configure the different security policy settings in a GPO for the domain. You can do the following:
- Control the file and registry security
- Restrict the network services
- Configure the public key policies
- Enforce auditing
- Restrict group membership

Slide 46: Knowledge Check
1. Which Windows security component is used to assign rights and permissions to processes and objects using the ACLs, DACLs, and SACLs?
   a. Security groups
   b. Security principals
   c. Access control lists
   d. The registry

Slide 47: Knowledge Check (cont.)
2. What do you have to consider when you secure user accounts with Group Policy? (Choose all that apply.)
   a. Password security
   b. Account lockout settings
   c. How often the user logs on
   d. Authentication protocols

Slide 48: Knowledge Check (cont.)
3. What is the purpose of local policies?
   Local policies are policy settings that can be configured on a per-machine basis. They are useful when the machine is in a workgroup or is being staged for deployment.
4. Briefly explain how to harden computer accounts.
   Increase the default security level of Windows by using the GPOAccelerator to provide sample, hardened templates. Use the Security Configuration Wizard to display the current security settings and configure a more secure template to apply to other systems.

Slide 49: Knowledge Check (cont.)
5. List the things that you can do to control the domain security policy with a GPO.
   - Control the file and registry security
   - Restrict the network services
   - Configure the public key policies
   - Enforce auditing
   - Restrict group membership

