Windows Server 2008 Security

Transcription

1 UT 11 indows erver ecurity 5-1

2 hat is Group Policy? A group of policies applied directly to Active irectory bjects Policies can be linked to: ites omains Us Policies are applied by assigning them to the objecta do they apply to specific users or groups 5-1

3 Group Policy Functions Control the user environment. Manipulate tart menu options, wallpaper, colors, and so on. Prevent users from using the Control Panel. Control the computer settings. Configure client settings. Configure the time server client computers use. istribute software. Force software installation. Allow for easy optional software installation through Add/emove Programs. 5-1

4 Group Policy ettings egistry-based control the user environment that are stored in HKY_CUT_U and HKY_LCAL_MACH oftware installations and repairs to keep patches up to date and fix broken apps Folder redirection and offline storage force use of network drive for backup isk quotas can enforce quotas ffline file storage works with folder redirection to provide the ability to cache files locally. This allows files to be available even when the network is inaccessible 5-1

5 Group Policy un cripts ncluding logon, logoff, startup, and shutdown scripts indows eployment ervices () rebuilding or deploying workstations quickly and efficiently Microsoft nternet xplorer settings Provide quick links and bookmarks for user accessibility nforce browser options such as proxy use, acceptance of cookies, and caching options ecurity settings Protect resources on computers in the enterprise. 5-1

6 Group Policy Benefits Company benefits educe Total Cost of wnership (TC) mprove eturn on nvestment () User benefits Access to files either offline or online. Consistent environment. Files are centrally backed up. Administrator benefits Centralized management of computer and user settings. Centralized application distribution. Centralized backup. Centralized security enforcement. 5-1

7 efault Group Policies Two efault group policies are created when active directory is installed efault omain Policy - affects all users and computers in the domain efault omain Controllers Policy - affects all domain controllers within this object As domain controllers are added to the domain, they are automatically placed in this U and are affected by any settings 5-1

8 Group Policy bjects (GPs) Contain all of the Group Policy settings that you wish to implement to user and computer objects within a site, domain, or U Must be associated (linking) with the container to which it is applied There are three types of GPs: Local GPs omain GPs tarter GPs 5-1

9 Group Policy bjects (GPs) Local GP Gpedit.msc (Local Computer Policy) Local ecurity Policy on-local Group Policy bjects ot inherited from the domain tored in ysvol Linked to sites, domains, or Us Applied to all users and computers in the container f conflict with local A based group policies, non-local take precedence 5-1

10 Group Policies in Active irectory Linked to site Affects all users and computers in the site to which the policy is linked, regardless of domain membership Linked to domain Affects all users and computers in the domain to which the policy is linked Linked to U Affects all users and computers in the U to which the policy is linked 5-1

11 Group Policy Group Policies can be linked to sites, domains, or Us (not groups) to apply those settings to all users and computers within these Active irectory containers You can use security group filtering, which allows you to apply GP settings to specific users or groups within a container by selectively granting the Apply Group Policy permission to one or more users or security groups 5-1

12 Local GP The local GP settings are stored on the local computer in the %systemroot%/ystem3/grouppolicy folder Local GPs contain fewer options They do not support folder redirection or Group Policy software installation Fewer security settings are available hen a local and a nonlocal (Active irectory based) GP have conflicting settings, the local GP is overwritten by the nonlocal GP 5-1

13 onlocal GPs onlocal GPs are created in Active irectory They are linked to sites, domains, or Us. nce linked to a container, the GP is applied to all users and computers within that container by default GPs are stored in two places: Group Policy container (GPC) An Active irectory object that stores the properties of the GP Group Policy template (GPT) Located in the Policies subfolder of the YL share, the GPT is a folder that stores policy settings, such as security settings and script files 5-1

14 tarter GPs A new feature in indows erver Used as GP templates within Active irectory Allow you to configure a standard set of items that will be configured by default in any GP that is derived from a starter GP 5-1

15 Creating & Managing Group Policies The Group Policy Management Console (GPMC) is the Microsoft Management Console (MMC) snap-in that is used to create and modify Group Policies and their settings hen you configure a GP, you will use the Group Policy Management ditor, which can be accessed through the GPMC or through Active irectory Users and Computers 5-1

16 Group Policy ettings Configuring Group Policy settings enables you to customize the configuration of a user s desktop, environment, and security settings. The actual settings are divided into two subcategories: Computer Configuration User Configuration 5-1

17 Group Policy ettings The Computer Configuration and the User Configuration nodes contain three subnodes oftware ettings Used to install software indows ettings Used for define security settings and scripts Administrative Templates ncludes thousands of Administrative Template policies, which contain all registry-based policy settings They are used to generate the user interface for the Group Policy setting 5-1

18 GP nheritance You link a GP to a domain, site, or U or create and link a GP to one of these containers in a single step The settings within that GP apply to all child objects within the object 5-1

19 How Group Policies are Used uring computer startup, a list of GPs for the computer is obtained. Computer settings are applied during startup. tartup scripts are run. indows Logon prompt appears when step 3 completes. Upon successful validation of user, the user profile loads. A list of GPs for the user is obtained. Logon scripts are run. The user interface appears. At log off and shutdown any log off and shutdown scripts are run 5-1

20 Processing Group Policy Processing rder 1. Local Policies. ite Policies 3. omain Policies 4. U Policies Multiple policies at the same level applied bottom up f there is a conflict on a particular setting By default, the last policy applied wins xceptions: o verride, Block Policy nheritance, and User Group Policy loopback processing mode 5-1

21 o verride nsures policy is applied, regardless of priority, hierarchy, inheritance blocking, or conflicting settings Configured on a per-policy basis 5-1

22 Block Policy nheritance Prevents policies from being inherited from higher levels in the Active irectory hierarchy Can be used at the omain or U level only not per policy Cannot stop a policy marked as o verride 5-1

23 ecurity ettings Account password and account lock out and user authentication) for the domain Local audit, user rights and security for the local Machine vent Log Policy size, history and accessibility estricted Groups control the members and members of properties in security groups (used to populate local machines groups with the domain values) ystem ervices control service startup mode and access permissions 5-1

24 ecurity ettings egistry & File ystem access permissions and audit setting per key or per file system object ireless network preferred networks, authentication types, etc. Public Key - ncrypted File ystem, automatic request certificate request, trusted root certificates, and an enterprise trust list oftware estriction allow or disallow application redirection for specific applications, folder redirection, offline files control and disk quotas Pec for A assign policies based on P address 5-1

25 Account Policies Account policies influence how a user interacts with a computer or a domain By default, they are linked to the efault omain Policy This account policy is applied to all accounts throughout the domain by default, unless you create one or more Fine-Grained Password Policies (FGPP) that override the domainwide policy. These Fine-Grained Password Policies can be applied 5-1

26 Fine-Grained Password Policy Prior to indows erver Active irectory domain you were only able to configure a single Password Policy Account Lockout Policy The only choice was configuring a separate domain or forcing all users within the domain to conform to a single password policy Beginning in indows erver, you can configure Fine-Grained Password Policies, which allow you to define multiple password policies within a single domain 5-1

27 Kerberos Policy Kerberos is the default mechanism for authenticating domain users in indows erver, indows erver 3, and Microsoft indows Kerberos is a ticket-based system that allows domain access by using a Key istribution Center (KC) These tickets have a finite lifetime and are based in part on system time clocks ote that Kerberos has a 5-minute clock skew tolerance between the client and the domain controller f the clocks are off by more than 5 minutes, the client will not be able to log on 5-1

28 Kerberos Policy nforce User Logon estrictions tells indows erver to validate each request for a session ticket against the rights associated with the user account Although this process can slow the response time for user access to resources, it is an important security feature that should not be overlooked or disabled nforce User Logon estrictions is enabled by default 5-1

29 Local Policies Allow administrators to set user privileges on the local computer that govern what users can do on the computer and determine if these actions are tracked within an event log (auditing): User ights Assignment. ecurity ptions. Audit Policy. 5-1

30 Audit Policy ystem events vents that trigger a log entry include system startups and shutdowns system time changes system event resources exhaustion, such as when an event log is filled and can no longer append entries security log cleaning any event that affects system security or the security log n the efault omain Controllers GP, this setting is set to log successes by default 5-1

31 Policy Change vents By default, this policy is set to audit successes in the efault omain Controllers GP. Policy change audit log entries are triggered by user rights assignment changes establishment or removal of trust relationships Pec policy agent changes grants or removals of system access privileges 5-1

32 Account Management vents This policy setting is set to audit successes in the efault omain Controllers GP This setting triggers an event based on changes to account and group properties user or group account creation eletion enaming nabling isabling 5-1

33 Logon vents This setting logs events related to successful user log-ons on a computer The event is logged on the computer that processes the request The default setting is to log successes in the efault omain Controllers GP. 5-1

34 Audit Policy Audit irectory ervice Access logs user access to Active irectory objects, such as other user objects or Us Audit bject Access logs user access to files, folders, registry keys, and printers, etc. You MUT enable Audit bject Access Then specify what objects you want to audit Audit results are written to the vent iewer security log 5-1

35 Configuring bject Access Auditing ight-click the file or folder you want to audit. elect Properties n the ecurity tab, click Advanced n the Advanced ecurity ettings dialog box, select the Auditing tab elect the appropriate user or group 5-1

36 estricted Groups Policy Allows an administrator to specify group membership lists You can control membership in important groups, such as the local Administrators 5-1

37 Folder edirection Policy Folder redirection redirects the contents of certain folders to a network location or to another location on the user s local computer Contents of folders on a local computer located in the ocuments and ettings folder can be redirected Basic edirects veryone's Folder To The ame Location and you must specify the Target folder location in the ettings dialog box Advanced can pecify Locations For arious User Groups and you must specify the target folder location for each group that you add in the ettings dialog box 5-1

38 ffline Files Policy Can allow files to be available to users, even when the users are disconnected from the network. The ffline Files feature works well with Folder edirection hen ffline Files is enabled, users can access necessary files as if they were connected to the network hen the network connection is restored, changes made to any documents are automatically updated to the server Folders can be configured so that either all files or only selected files within the folder are available for offline use hen it is combined with Folder edirection, users have the benefits of being able to redirect files to a network location and still have access to the files when the network connection is not present 5-1

39 Limit the amount of space available on the server for user data Can be enforce on all users domain wide isk Quotas 5-1

40 Group Policy efresh Computer configuration group policies are refreshed every 9 minutes (+/- 3 minutes) by default omain controller group policies are refreshed every minutes You can force group policies by using the gpupdate command: gpupdate /force 5-1

41 GPUpdate Command f you make changes to a group policy, users may not see changes take effect until They log off or log back in They eboot the computer They wait 9 minutes (+/- 3 minutes) for stand-alone servers/workstations and minutes for domain controllers To manually push group policies, you need to use the gpupdate command Gpupdate /force 5-1

42 A ights Management A new feature that allows users to provide better security for Microsoft applications Basically a second level of protection beyond the normal access list permission restrictions t chief advantage is the ability to block document forwarding and printing 5-1

43 Feature Attests to the identity of the publisher ifferentiates permissions by a user A M ecure/multipurp ose nternet Mail xtension (/MM) igning /MM ncryption Access control lists (ACLs) ncrypting File ystems (F) Prevents unauthorized viewing ncrypts protected content ffers content expiration Controls content reading Modifying, or printing by user xtends protection beyond initial publication 5-1

44 oftware Lifecycle 5-1

45 Group Policy oftware Management Group Policy can be used to nstall Upgrade Patch remove software applications Under the following conditions when a computer is started when a user logs on to the network when a user accesses a file associated with a program that is not currently on the user s computer Group Policy can be used to fix problems associated with applications 5-1

46 indows nstaller ervice.m File s a relational database file that is copied to the target computer system with the program files it deploys Assists in the self-healing process for damaged applications and clean application removal Consists of external source files that may be required for the installation or removal of software ncludes summary information about the software and the package ncludes reference point to the path where the installation files are located is responsible for automating the installation and configuration of the designated software 5-1

47 .MT File You may need to modify indows nstaller files to better suit the needs of your corporate network. Modifications to.msi files require transform files, which have an.mst extension 5-1

48 Patch file (.msp) Patch files are used to apply service packs and hot fixes to installed software nstead, it contains, at minimum, a database transform procedure that adds patching information to the target installation package database.msp files should be located in the same folder as the original.msi file when you want the patch to be applied as part of the Group Policy software installation This allows the patch file to be applied to the original package or.msi file 5-1

49 oftware istribution Point Before deploying software using Group Policy, you must create a distribution share/oftware distribution point Users who are affected by the Group Policy assignment should be assigned TF ead permission to the folder containing the application and package files 5-1

50 Assigning and Publishing oftware Assigning oftware f you assign the program to a user, it is installed when the user logs on to the computer f you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer hen a user first runs the program, the installation is finalized. Publishing oftware You can publish a program distribution to users. hen the user logs on to the computer, the published program is displayed in the Add or emove Programs dialog box, and it can be installed from there 5-1

51 oftware estrictions Policies Provides methods to control the use of software applications through Group Policy trategy Unrestricted - Allow all except explicitly denied (default) isallowed - eny all except explicitly allowed Basic User block applications that require administrative rights, but allows programs that are accessible by normal users efault oftware estriction Policy - Unrestricted 5-1

52 oftware estrictions Policies Four types of software restriction exist Hash rule - attaches hash that governs whether it can run Certificate rule allows execution to specific file types Path rule - can bypass default security setting for specific files etwork zone rule determine if the application is allowed to be installed (.msi only) 5-1

53 F ncrypting File ystem (F) sets up a unique, private encryption key associated with the user account that encrypted the folder or file hen you move an encrypted fi le to another folder on the same computer, that file remains encrypted, even if you rename it The cipher command line utility can encrypt or decrypt folders and files 5-1

54 BitLocker Trusted Platform Module (TPM) must be available (chip or controller on motherboard) transparent to user Can also use a UB drive with the necessary identification info to access hard disks You must create an operating system partition no less than 1.5 GB in size A second primary partition for bitlocker Bit locker has it own control panel 5-1

55 etwork Access Protection psec - can prevent non-co,pliant computers from communication with complient computers using a network policy server AT prevents outsiders from knowing a computer s P address P secure encrypted network access through the internet HCP configured through the network policy server Terminal ervices Gateway uses a network policy server.1x verifies client and provides a secure port 5-1

56 Case tudy You are a computer consultant The Park Publishing network consists of a single Active irectory domain with four domain controllers running indows erver, three file servers, and 3 clients that are evenly divided between indows XP Professional and indows 7 ecently, data was lost when an employee's laptop was stolen and other data was lost during a fire sprinkler system incident in which the employee's computer was destroyed 5-1

57 Case tudy (cont) mployees typically store documents in their My ocuments folder All client computers have P drive mappings that are supposed to be used for storing files ditors frequently work on sensitive documents that should not be accessible to anyone else Given Park Publishing's concerns, answer the following questions: 5-1

58 Case tudy (cont) 1. How would you assure that employees store their data on the server in the future?. How can you address the situation concerning the sensitive data editors use? 3. How would you address the users with mobile computers so that they could work on their files while traveling while keeping the files safe on the server? 4. hat could you do about the existing data in employees My ocuments folder? 5-1

59 ummary Microsoft provides several security options to protect both protect data nad monitor who is accessing it Group Policies can be assigned to sites, domains, and us By default, there is one local policy per computer and a efault omain Policy and a efault omain Controller Policy 5-1

60 ummary Group Policy processing order Local ite omain U Group Policies applied to parent containers are inherited by all child containers and objects nheritance xceptions o veride, Block Policy nheritance, or Loopback settings 5-1

61 ummary Auditing object access and user rights Account policies bject auditing Bit Locker A ights management (A M) ffline file protection isk quotas etwork Access Protection 5-1

62 Lab 11 o all the activities in chapter 13 of the text book Take a screen shot of the results of each activity and paste it into a word document titles Lab 11 mail you completed lab 11 document to donna.warren@comcast.net 5-1