
Troubleshooting Security Issues, Lesson 6 (presentation transcript)


1 Troubleshooting Security Issues Lesson 6

2 Skills Matrix
Technology Skill | Objective Domain Skill | Domain #
Monitoring and Troubleshooting with Event Viewer | Troubleshoot security configuration issues; Run Event Viewer tool | 2.2
Getting Started with Event Viewer | Run Event Viewer tool | 2.2
Sorting and Grouping Events | Run Event Viewer tool | 2.2
Viewing Events | Run Event Viewer tool | 2.2

3 Skills Matrix
Technology Skill | Objective Domain Skill | Domain #
Creating Filters and Custom Views | Run Event Viewer tool | 2.2
Centralizing Event Data by Using Subscriptions | Run Event Viewer tool | 2.2
Using the Security Configuration and Analysis Snap-in | Run the Security Configuration and Analysis tool | 2.2

4 Skills Matrix
Technology Skill | Objective Domain Skill | Domain #
Using the Security Configuration and Analysis Snap-in to Analyze Settings | Run the Security Configuration and Analysis tool | 2.2
Using the Security Configuration and Analysis Snap-in to Configure Security Policy | Run the Security Configuration and Analysis tool | 2.2

5 Skills Matrix
Technology Skill | Objective Domain Skill | Domain #
Understanding, Configuring, and Troubleshooting Software Restriction Policies | Troubleshoot software restrictions | 5.2
How Software Restriction Policies Work | Troubleshoot software restrictions | 5.2
Understanding Additional Rules | Digital signing | 5.2
Configuring Software Restriction Policies | Digital signing | 5.2

6 Understanding Software Restriction Policies
Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.

7 Understanding Software Restriction Policies (cont.)
Common reasons for implementing software restriction policies:
- Fight malicious software (malware)
- Regulate which Microsoft ActiveX controls can be installed
- Restrict the running of scripts to digitally signed scripts only
- Allow only approved software to be installed or executed

8 Understanding Software Restriction Policies (cont.)
Common reasons for implementing software restriction policies (cont.):
- Reduce the chance that software is installed or run that might conflict with other applications
- Restrict users from adding untrusted publishers

9 Understanding Software Restriction Policies (cont.)
The default security level can be one of three security levels:
- Unrestricted – The user is not prevented from running the software.
- Disallowed – The user is prevented from running the software.

10 Understanding Software Restriction Policies (cont.)
The default security level can be one of three security levels (cont.):
- Basic User – The user is not prevented from running the software, but is prevented from elevating it from running with standard user privileges to running with administrator privileges.

11 Understanding Software Restriction Policies (cont.)

12 Understanding Additional Rules (Understanding Software Restriction Policies)
Additional rules identify software so that, when that software runs, it can be assigned a security level other than the one defined by the default rule.

13 Understanding Additional Rules (cont.)
Additional rules:
- Hash rules – Identify programs by a cryptographic hash of the program file
- Certificate rules – Identify programs by the certificate that digitally signed them

14 Understanding Additional Rules (cont.)
Additional rules (cont.):
- Path rules – Identify programs by their local file paths, universal naming convention (UNC) paths, or registry paths
- Network zone rules – Identify programs according to the network zone they belong to

15 Understanding Hash Rules (Understanding Software Restriction Policies)
Hash rules use hashes to identify program files so that the identified programs can be treated as exceptions to the default rule (or to another rule) in a software restriction policy.

16 Understanding Hash Rules (cont.)
In Windows Vista, a new hash rule contains two hashes:
- MD5 (Message-Digest algorithm) or SHA-1 (Secure Hash Algorithm)
- SHA-256

17 Understanding Hash Rules (cont.)
Hash types are determined according to the following rules:
- Files that are digitally signed use the MD5 or SHA-1 hash, according to which one is in their signature.
- Files that are not digitally signed and are on non-Windows Vista computers use the MD5 hash.

18 Understanding Hash Rules (cont.)
Hash types are determined according to the following rules (cont.):
- Files that are not digitally signed and are on Windows Vista use both the MD5 hash and the SHA-256 hash, for compatibility reasons.
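The hashes and signature status that a hash rule is built from can be gathered in bulk instead of one file at a time through the New Hash Rule dialog. The script below is an added example and not code from the lesson; it needs Windows PowerShell 4.0 or later for Get-FileHash, and the two file paths are assumptions chosen because they exist on every Windows installation.

```powershell
# Added example, not code from the lesson: gather what a hash rule records
# (the hashes and whether the file is signed) for a list of program files.
# Get-FileHash needs Windows PowerShell 4.0 or later; the paths are assumptions.
function Get-SrpHashRuleInfo {
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )
    foreach ($file in Get-Item -Path $Path -ErrorAction Stop) {
        # Status is Valid for a trusted Authenticode signature, NotSigned for an
        # unsigned file, HashMismatch when the file was altered after signing.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            File      = $file.FullName
            Length    = $file.Length
            MD5       = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
            SHA1      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
            SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Inventory two system binaries and keep the result as a baseline.
$baseline = Get-SrpHashRuleInfo -Path "$env:SystemRoot\System32\calc.exe",
                                      "$env:SystemRoot\System32\notepad.exe"
$baseline | Format-Table File, SigStatus, SHA256 -AutoSize

# A hash rule stops matching the moment the file changes (for example after an
# update), so re-hash and compare against the baseline to find stale rules.
function Test-SrpHashRuleStillMatches {
    param([Parameter(Mandatory)][object[]]$Baseline)
    foreach ($b in $Baseline) {
        $now = (Get-FileHash -LiteralPath $b.File -Algorithm SHA256).Hash
        [pscustomobject]@{ File = $b.File; RuleStillMatches = ($now -eq $b.SHA256) }
    }
}
Test-SrpHashRuleStillMatches -Baseline $baseline
```

Record the SHA-256 value for new rules; the MD5 and SHA-1 values exist only for compatibility with older clients, as the slides note, and a program that is patched gets a new hash and silently falls out of its hash rule, which is why the second function re-checks the baseline.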

19 Understanding Certificate Rules (Understanding Software Restriction Policies)
Certificate rules use code-signing certificates to identify program files so that the identified programs can be treated as exceptions to the default rule (or to another rule) in a software restriction policy. Windows Vista does not enable certificate rules by default. Certificate rules can assign only the Unrestricted or Disallowed security level.

20 Understanding Path Rules (Understanding Software Restriction Policies)
Path rules use file paths or registry paths to identify program files so that the identified programs can be treated as exceptions to the default rule (or to another rule) in a software restriction policy.

21 Understanding Path Rules (cont.)
There are two types of path rules:
- File path rules – Can specify a folder or a fully qualified path to a program file. In the case of a folder, a file path rule identifies all software in the folder and its subfolders recursively.
- Registry path rules – Identify programs according to the paths that the programs record in the registry as their install locations. Not all programs create such a registry entry.

22 Understanding Network Zone Rules (Understanding Software Restriction Policies)
Network zone rules use the network zone from which the software was downloaded as the criterion for a software restriction policy.

23 Understanding Network Zone Rules (cont.)
There are five network zones:
- Internet
- Local Intranet
- Restricted Sites
- Trusted Sites
- Local Computer

24 Using Additional Rules (Understanding Software Restriction Policies)
Additional rules enable you to configure non-default behavior for software restriction policies. In other words, additional rules are the exceptions to the default rule.

25 Understanding Additional Rules Precedence (Understanding Software Restriction Policies)
The most specific rule takes precedence. Any ties are resolved according to the following precedence, highest first:
- Hash rule
- Certificate rule
- Path rule
- Internet zone rule
- Default security level
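The decision order on slide 25 is easier to reason about when it is written out as a function that takes one program and a rule set and returns the level that wins. The script below is an added example, not code from the lesson or from Windows: the rule objects, the sample rule set, the placeholder hash and the sample paths are all constructed for illustration, and the function only mirrors the precedence list on the slide (the real rules live in Group Policy and are evaluated by Windows).

```powershell
# Added example, not code from the lesson: a model of the precedence the slide
# describes, applied to a constructed rule set. Rule objects have Type, Value,
# Level and Name; all sample values below are assumptions for illustration.
$RulePrecedence = @{ Hash = 1; Certificate = 2; Path = 3; Zone = 4 }

function Get-SrpEffectiveLevel {
    param(
        [Parameter(Mandatory)][string]   $FilePath,
        [string]   $Sha256,                 # SHA-256 of the file if known, else computed
        [string]   $SignerSubject,          # subject of the signing certificate, if signed
        [string]   $Zone = 'Local Computer',
        [Parameter(Mandatory)][object[]] $Rules,
        [ValidateSet('Unrestricted', 'Disallowed', 'Basic User')]
        [string]   $DefaultLevel = 'Unrestricted'
    )
    if (-not $Sha256 -and (Test-Path -LiteralPath $FilePath)) {
        $Sha256 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    }

    # Collect every rule that matches this program.
    $hits = foreach ($r in $Rules) {
        $expanded = [Environment]::ExpandEnvironmentVariables($r.Value)
        $matched = switch ($r.Type) {
            'Hash'        { [bool]$Sha256 -and ($r.Value -ieq $Sha256) }
            'Certificate' { [bool]$SignerSubject -and ($r.Value -ieq $SignerSubject) }
            # A path rule covers the exact path or everything below a folder.
            'Path'        { ($FilePath -ilike $expanded) -or ($FilePath -ilike ($expanded.TrimEnd('\') + '\*')) }
            'Zone'        { $r.Value -ieq $Zone }
        }
        if ($matched) {
            # Rank: hash < certificate < path < zone (lower wins); among path
            # rules the longer, more specific path wins.
            [pscustomobject]@{ Rule = $r; Rank = $RulePrecedence[$r.Type]; PathLen = $expanded.Length }
        }
    }

    $winner = $hits | Sort-Object Rank, @{ Expression = 'PathLen'; Descending = $true } | Select-Object -First 1
    if ($winner) {
        [pscustomobject]@{ File = $FilePath; Level = $winner.Rule.Level; MatchedBy = "$($winner.Rule.Type): $($winner.Rule.Name)" }
    } else {
        [pscustomobject]@{ File = $FilePath; Level = $DefaultLevel; MatchedBy = 'Default security level' }
    }
}

# Constructed rule set: Windows folder allowed, its Temp folder denied again,
# anything from the Internet zone denied, one approved tool allowed by hash.
$rules = @(
    [pscustomobject]@{ Type = 'Path'; Value = '%SystemRoot%';      Level = 'Unrestricted'; Name = 'Windows folder' }
    [pscustomobject]@{ Type = 'Path'; Value = '%SystemRoot%\Temp'; Level = 'Disallowed';   Name = 'No execution from Temp' }
    [pscustomobject]@{ Type = 'Zone'; Value = 'Internet';          Level = 'Disallowed';   Name = 'Internet downloads' }
    [pscustomobject]@{ Type = 'Hash'; Value = 'PLACEHOLDER-SHA256-OF-APPROVED-TOOL'; Level = 'Unrestricted'; Name = 'Approved tool' }
)

# Temp is the more specific path rule, so it beats the Windows folder rule: Disallowed.
Get-SrpEffectiveLevel -FilePath "$env:SystemRoot\Temp\setup.exe" -Sha256 'CONSTRUCTED-HASH-1' -Rules $rules -DefaultLevel Disallowed
# A hash rule outranks every path rule: the approved tool runs even from Temp.
Get-SrpEffectiveLevel -FilePath "$env:SystemRoot\Temp\tool.exe" -Sha256 'PLACEHOLDER-SHA256-OF-APPROVED-TOOL' -Rules $rules -DefaultLevel Disallowed
# No rule matches a program outside the Windows folder: the default level applies.
Get-SrpEffectiveLevel -FilePath 'D:\apps\editor.exe' -Sha256 'CONSTRUCTED-HASH-2' -Rules $rules -DefaultLevel Disallowed
```

The three calls at the end walk the precedence list top to bottom: two path rules of different specificity, a hash rule overriding a path rule, and the fall-through to the default security level when nothing matches. The model deliberately implements only what slide 25 states; it does not attempt to reproduce every tie-break Windows applies.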

26 Configuring Software Restriction Policies Through Group Policy (Understanding Software Restriction Policies)
Figure: Group Policy object with the Software Restriction Policies node expanded

27 Setting the Default Security Level (Understanding Software Restriction Policies)
1. Open the GPO that you want to edit in the Group Policy Object Editor.
2. In the console tree of the Group Policy Object Editor, expand Software Restriction Policies.
3. Under Software Restriction Policies, select Security Levels.

28 Setting the Default Security Level (cont.)
4. Right-click the security level that you want to designate as the default security level, and then click Properties.
5. Click Set as Default.

29 Setting the Default Security Level (cont.)
6. If you are moving to a more restrictive default security level, a message box asks you to confirm the change. Click Yes.
7. Click OK to close the Security Level Properties dialog box.

30 Configuring Enforcement Options (Understanding Software Restriction Policies)
Figure: Enforcement Properties dialog box

31 Adding or Removing Designated File Types (Understanding Software Restriction Policies)
1. Open the GPO that you want to edit in the Group Policy Object Editor.
2. In the Group Policy Object Editor, select Software Restriction Policies.
3. In the details pane, right-click Designated File Types, and then click Properties.

32 Adding or Removing Designated File Types (cont.)
4. To add a designated file type, key the extension in the File extension text box, and then click Add.
5. To remove a designated file type, select it in the Designated file types list box, and then click Remove.

33 Adding or Removing Designated File Types (cont.)
6. A Software Restriction Policies warning box appears. Click Yes.
7. Click OK to close the Designated File Types Properties dialog box.

34 Creating a Certificate Rule (Understanding Software Restriction Policies)
1. Open the GPO that you want to edit in the Group Policy Object Editor.
2. In the Group Policy Object Editor, under Software Restriction Policies, right-click Additional Rules, and then click New Certificate Rule.

35 Creating a Certificate Rule (cont.)
3. Click Browse. The Open dialog box appears.
4. Select the certificate that you want to base the rule on, and then click Open.

36 Creating a Certificate Rule (cont.)
5. In the New Certificate Rule dialog box, in the Security level drop-down list, select one of the following:
- Unrestricted – Select to allow the user to run the software. The user can elevate the software from running with standard user privileges to running with administrator privileges.
- Disallowed – Select to prevent the user from running the software.

37 Creating a Certificate Rule (cont.)
6. In the Description text box, you can optionally type a description of the purpose of the rule.
7. Click OK to close the New Certificate Rule dialog box.

38 Creating a Hash Rule (Understanding Software Restriction Policies)
Figure: New Hash Rule dialog box

39 Creating a Network Zone Rule (Understanding Software Restriction Policies)
Figure: New Network Zone Rule dialog box

40 Creating a Path Rule (Understanding Software Restriction Policies)
Figure: New Path Rule dialog box

41 Monitoring and Troubleshooting with Event Viewer
Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.

42 Starting Event Viewer (Monitoring and Troubleshooting with Event Viewer)
Figure: Event Viewer console

43 Starting Event Viewer (cont.)
Summary of Administrative Events – This section contains a custom view of events in which the events are grouped according to event type.

44 Starting Event Viewer (cont.)
There are five common event types:
- Error
- Warning
- Information
- Audit Success
- Audit Failure

45 Starting Event Viewer (cont.)
Figure: Summary of Administrative Events section of Event Viewer with the Audit Failure node expanded

46 Starting Event Viewer (cont.)
Figure: Event Viewer console tree with the Windows Logs node expanded

47 Sorting and Grouping Events (Monitoring and Troubleshooting with Event Viewer)
You can sort and group events around many pivots to more easily find the events that you are looking for:
- Level
- Date and Time
- Source
- Event ID
- Task Category

48 Sorting by and Configuring Column Headings (Monitoring and Troubleshooting with Event Viewer)
Figure: Add/Remove Columns dialog box

49 Viewing Event Data in Event Viewer (Monitoring and Troubleshooting with Event Viewer)
Figure: General tab of the Event Properties dialog box

50 Attaching a Task to an Event (Monitoring and Troubleshooting with Event Viewer)
1. Open Event Viewer.
2. In Event Viewer, right-click an example of the event to which you want to attach a task, and then click Attach Task to This Event.
3. Follow the instructions in the wizard to create the task.

51 Filtering a Log (Monitoring and Troubleshooting with Event Viewer)
Select the event levels that you want to include in the event list:
- Critical – There is a serious problem and you should take action immediately.
- Warning – There may be a problem.
- Verbose – Informational only.

52 Filtering a Log (cont.)
Select the event levels that you want to include in the event list (cont.):
- Error – There is an error. You most likely should address it.
- Information

53 Creating and Saving a Custom View (Monitoring and Troubleshooting with Event Viewer)
Figure: Create Custom View dialog box
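The level filter of slides 51 and 52 and the custom view of slide 53 can both be expressed outside the GUI, which is how you reuse them on many machines. The script below is an added example and not code from the lesson: it runs the same filters through Get-WinEvent and writes the custom view as the XML that Event Viewer imports. The level numbers and keyword bits are Event Viewer's own; the output path is an assumption, and reading the Security log needs an elevated session.

```powershell
# Added example, not code from the lesson: the filters the Filter Current Log and
# Create Custom View dialogs build, as Get-WinEvent calls and as importable XML.
# Levels: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. Audit Success
# and Audit Failure are Keywords bits on the Security log, not levels.
$AuditFailure = 0x10000000000000    # Keywords bit for Audit Failure
$AuditSuccess = 0x20000000000000    # Keywords bit for Audit Success
$since = (Get-Date).AddHours(-24)

function Get-RecentProblemEvents {
    # Critical and Error events from the System log, counted per source, so the
    # noisiest provider surfaces first.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object ProviderName | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10
}

function Get-RecentAuditFailures {
    # Audit Failure events from the Security log, counted per Event ID
    # (for example, 4625 is a failed logon attempt).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = $AuditFailure; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-RecentProblemEvents
Get-RecentAuditFailures

# The same audit-failure filter as a custom view. The XPath inside <Select> is
# what Event Viewer shows on the XML tab of the Create Custom View dialog;
# 4503599627370496 is the decimal form of the Audit Failure bit and 86400000 is
# 24 hours in milliseconds.
$customView = @'
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <UserQuery />
    </QueryParams>
    <QueryNode>
      <Name>Audit failures (last 24 hours)</Name>
      <Description>Security log events carrying the Audit Failure keyword</Description>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
'@
$viewPath = Join-Path $env:TEMP 'AuditFailures.xml'     # assumed output location
$customView | Set-Content -Path $viewPath -Encoding UTF8

# Import the file in Event Viewer (Action > Import Custom View), or run the
# same XPath directly without the GUI:
Get-WinEvent -LogName Security -FilterXPath '*[System[band(Keywords,4503599627370496)]]' -MaxEvents 5 -ErrorAction SilentlyContinue
```

Grouping by provider or Event ID before reading individual events is the scripted equivalent of the Summary of Administrative Events view: it tells you which source is generating the volume before you open a single record.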

54 Centralizing Event Data Using Subscriptions (Monitoring and Troubleshooting with Event Viewer)
New in Windows Vista is the ability to centralize event data by creating subscriptions between a collector computer and forwarders.

55 Centralizing Event Data Using Subscriptions (cont.)
Configure the forwarding computers by using the winrm quickconfig command, which does the following:
- Sets the startup type of the Windows Remote Management (WinRM) service to Automatic (Delayed Start)
- Starts the WinRM service
- Enables an exception in Windows Firewall for Windows Remote Management

56 Centralizing Event Data Using Subscriptions (cont.)
When the winrm quickconfig command has completed:
- Add the collector's machine account to the Event Log Readers group on the forwarders.
- Configure the subscription on the collector computer.

57 Configuring the Forwarding Computers (Monitoring and Troubleshooting with Event Viewer)
Figure: Selecting Event Log Readers in the Add New User Wizard

58 Configuring the Collector Computer (Monitoring and Troubleshooting with Event Viewer)
Figure: Subscription Properties dialog box
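The forwarder and collector steps of slides 55 through 58 can be scripted rather than clicked through. The script below is an added example and not code from the lesson: the computer names, domain, subscription name and file path are assumptions. It sets up a collector-initiated subscription, which is why the collector's machine account needs Event Log Readers membership on each forwarder. Add-LocalGroupMember exists from Windows PowerShell 5.1; the net localgroup form in the comment works on older systems.

```powershell
# Added example, not code from the lesson: forwarder and collector setup as
# commands. Host names, domain, subscription name and file path are assumptions.

# --- On each forwarder (elevated) ---
winrm quickconfig -q          # WinRM service startup, listener and firewall exception (-q: no prompts)
# Let the collector's machine account read the logs it will pull.
# Older systems: net localgroup "Event Log Readers" CORP\COLLECTOR01$ /add
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CORP\COLLECTOR01$'

# --- On the collector (elevated) ---
wecutil qc /q                 # start the Windows Event Collector service and set it to delayed auto start

# Subscription definition: the collector pulls Audit Failure events from the
# Security log of each listed forwarder into its ForwardedEvents log.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityAuditFailures</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Audit failures pulled from the forwarders</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>fwd01.corp.example</Address></EventSource>
    <EventSource Enabled="true"><Address>fwd02.corp.example</Address></EventSource>
  </EventSources>
</Subscription>
'@
$subPath = Join-Path $env:TEMP 'SecurityAuditFailures.xml'    # assumed location
$subscription | Set-Content -Path $subPath -Encoding UTF8

wecutil cs $subPath                       # create the subscription from the file
wecutil gr SecurityAuditFailures          # runtime status of each source (is the collector reaching it?)
```

The wecutil gr output is the first place to look when a subscription shows no events: it reports per forwarder whether the collector can reach it and the last error it saw, which separates a WinRM or firewall problem on one forwarder from a query that matches nothing.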

59 Using the Security Configuration and Analysis Snap-in
The Security Configuration and Analysis snap-in is used to:
- Compare your security configuration settings to those contained in a security template
- Export settings that you configure in a database to a security template
- Apply the security settings in a database to the local computer

60 Using the Security Configuration and Analysis Snap-in (cont.)
The snap-in uses the following icons in its analysis results:
- Red X – The setting is defined in the database and on the system, but the two values do not match.
- Green check mark – The setting is defined in the database and on the system, and the values match.

61 Using the Security Configuration and Analysis Snap-in (cont.)
- Question mark – The setting is not defined in the database and was therefore not analyzed, or the user does not have sufficient permissions to perform the analysis.
- Exclamation point – The setting is defined in the database but not on the system.
- No icon – The setting is not defined in the database or on the system.

62 Creating a New Database and Analyzing Security Settings (Using the Security Configuration and Analysis Snap-in)
Figure: Adding the Security Configuration and Analysis snap-in

63 Configuring an Analyzed Policy (Using the Security Configuration and Analysis Snap-in)
1. Open the Security Configuration and Analysis snap-in.
2. In the details pane, double-click the policy setting that you want to configure.
3. If you don't want the policy defined in the database, clear the Define this policy in the database check box, and then click OK.

64 Configuring an Analyzed Policy (cont.)
4. If you want the policy defined in the database, ensure that the Define this policy in the database check box is selected.
5. Configure the Database Setting and the Computer Setting as desired.
6. When you are finished, click OK to close the policy's dialog box.

65 Configuring Security Policy Based on Database Policy Settings (Using the Security Configuration and Analysis Snap-in)
1. Open the Security Configuration and Analysis snap-in, load a database, and make any desired modifications to the security policies in the database.
2. Right-click Security Configuration and Analysis, and then click Configure Computer Now.
3. Specify an alternate location for the log file if desired, and then click OK.

66 Exporting Database Security Settings to a Security Template (Using the Security Configuration and Analysis Snap-in)
1. Open the Security Configuration and Analysis snap-in, and ensure that a database is loaded from which to export settings to a template.
2. Right-click Security Configuration and Analysis, and then click Export Template.

67 Exporting Database Security Settings to a Security Template (cont.)
3. Browse to the location where you want to save the template.
4. In the File Name text box, key a name for the template, and then click Save.
5. Close the console.
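The analyze, configure and export operations of slides 62 through 67 are also available from the command line through secedit.exe, which works on the same .sdb database and .inf template files as the snap-in, so a baseline check can be repeated on many computers. The script below is an added example and not code from the lesson: the working folder and template name are assumptions, the "Mismatch" marker it looks for in the analysis log is assumed from secedit's log format, and it must run from an elevated session. The -Apply switch is the scripted equivalent of Configure Computer Now and changes live settings.

```powershell
# Added example, not code from the lesson: the snap-in's analyze / export /
# configure steps driven with secedit.exe. Folder and template name are
# assumptions; run elevated.
function Invoke-SecurityBaseline {
    param(
        [Parameter(Mandatory)][string]$Template,      # .inf security template to compare against
        [string]$WorkDir = 'C:\SecAnalysis',          # assumed working folder
        [switch]$Apply                                # Configure Computer Now
    )
    $null = New-Item -ItemType Directory -Path $WorkDir -Force
    $db  = Join-Path $WorkDir 'baseline.sdb'
    $log = Join-Path $WorkDir 'analyze.log'

    # 1. Import the template into a fresh database and analyze the computer
    #    (Open Database + Import Template + Analyze Computer Now).
    secedit /import /db $db /cfg $Template /overwrite /quiet
    secedit /analyze /db $db /log $log /quiet

    # 2. The analysis log lists each setting; lines flagged "Mismatch" (assumed
    #    marker) are the settings the snap-in shows with a red X.
    $mismatches = Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
    [pscustomobject]@{ Database = $db; MismatchCount = @($mismatches).Count; Mismatches = $mismatches }

    # 3. Export the database settings to a template (Export Template).
    secedit /export /db $db /cfg (Join-Path $WorkDir 'exported.inf') /quiet

    # 4. Apply the database to the local computer only when asked
    #    (Configure Computer Now).
    if ($Apply) {
        secedit /configure /db $db /log (Join-Path $WorkDir 'configure.log') /quiet
    }
}

# Analyze only; add -Apply to push the database settings to the computer.
Invoke-SecurityBaseline -Template 'C:\SecAnalysis\baseline.inf'
```

Keeping analysis and configuration as separate steps, as the snap-in does, matters in practice: review the mismatch list first, because Configure Computer Now overwrites every setting the database defines, not only the ones that differ.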

68 Summary: You Learned
- Software restriction policies provide a Group Policy mechanism by which the running of programs can be restricted.
- Additional rules in software restriction policies are exceptions to a default rule and come in four varieties: hash rules, certificate rules, path rules, and network zone rules.
- Hash rules use hashes to identify program files in software restriction policies.

69 Summary: You Learned (cont.)
- Certificate rules use certificates to identify program files in software restriction policies.
- Path rules use file paths or registry paths to identify program files in software restriction policies.
- Network zone rules use the location from which the software was downloaded to identify program files in software restriction policies.

70 Summary: You Learned (cont.)
- Software restriction policies can be configured for both users and computers.
- You learned how to set the default security level for software restriction policies.
- You learned how to configure enforcement options for software restriction policies.
- You learned how to add or remove designated file types for software restriction policies.

71 Summary: You Learned (cont.)
- You learned how to create certificate, hash, network zone, and path rules for software restriction policies.
- Event Viewer enables you to view recorded events in an organized way so that you can troubleshoot a wide range of issues by investigating related events.

72 Summary: You Learned (cont.)
- You learned how to use Event Viewer to view events on the local computer and on remote computers.
- You learned how to sort and group events around pivots to more easily find the events that you are looking for.
- Event details are stored in XML and can be viewed as XML or in a more readable format.

73 Summary: You Learned (cont.)
- Filters and custom views enable you to filter large numbers of events according to custom criteria.
- You learned how to filter a log and how to create and save a custom view.
- You learned how to centralize event data by creating subscriptions between a collector computer and forwarders.

74 Summary: You Learned (cont.)
- The Security Configuration and Analysis snap-in is used to compare your security configuration settings to those contained in a security template, export settings that you configure in a database to a security template, and apply the security settings in a database to the local computer.

75 Summary: You Learned (cont.)
- You learned how to create a new database and analyze your system's security settings using the Security Configuration and Analysis snap-in.
- You learned how to apply security settings to the local computer using the Security Configuration and Analysis snap-in.
- You learned how to export database security settings to a security template using the Security Configuration and Analysis snap-in.

