07/06/13

Module 8: Managing Enterprise Security and Configuration with Group Policy Settings

Contents:
Lesson 1: Manage Group Membership by Using Group Policy Settings
Lab A: Use Group Policy to Manage Group Membership
Lesson 2: Manage Security Settings
Lab B: Manage Security Settings
Lesson 3: Auditing
Lab C: Audit File System Access
Lesson 4: Software Restriction Policy and AppLocker
Lab D: Configure Application Control Policies

Module Overview

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=10&FontSize=3&FontType=segoe

Group Policy can be used to manage the configuration of a variety of components and features of Windows. In the previous module, you learned how to configure a Group Policy infrastructure. In this module, you will learn to apply that infrastructure to manage several types of configuration settings related to security. You will discover tools such as the Security Configuration Wizard that make it easier to determine which settings should be configured based on a server's roles. You will also learn how to configure auditing of files and folders. In the final sections of the module, you will learn how to deploy applications by using Group Policy, and how to restrict access to applications by using application control policies.

Objectives
After completing this module, you will be able to:
Manage group membership by using Group Policy Settings.
Manage security settings.
Describe the purpose and functionality of auditing.
Describe the purpose of Software Restriction Policy and AppLocker.

Lesson 1: Manage Group Membership by Using Group Policy Settings

Many enterprises have one or more people dedicated to supporting end users. They are often referred to as the help desk, desktop support, or just support. Help desk personnel need to troubleshoot, configure, or perform other support tasks on client computers, and these tasks often require administrative privileges. Therefore, the credentials used by support personnel must be at the level of a member of the local Administrators group on client computers. However, desktop support personnel do not need the high level of privilege given to the Domain Admins group, so do not place them in that group. Instead, configure client systems so that a group representing support personnel is added to the local Administrators group. Restricted groups policies enable you to do just that, and in this lesson, you will learn how to use restricted groups policies to add the help desk personnel to the local Administrators group of clients and, thereby, delegate support of those computers to the help desk. The same approach can be used to delegate the administration of any scope of computers to the team responsible for those systems.

Objectives
After completing this lesson, you will be able to:
Describe restricted groups.
Use Restricted Groups policies to modify or enforce the membership of groups.
Use Group Policy Preferences to modify the membership of groups.

What Are Restricted Groups?

When you edit a Group Policy object (GPO) and expand the Computer Configuration node, the Policies node, the Windows Settings node, and the Security Settings node, you will find the Restricted Groups policy node, as shown in the following screen shot.

Restricted Groups policy settings enable you to manage the membership of groups. There are two types of settings: This group is a member of (the Member Of setting) and Members of this group (the Members setting).

It's very important to understand the difference between these two settings. A Member Of setting specifies that the group specified by the policy is a member of another group. On the left of the previous screen shot, you can see a typical example: The CONTOSO\Help Desk group is a member of the Administrators group. When a computer applies this policy setting, it ensures that the Help Desk group from the domain becomes a member of its local Administrators group. If there is more than one GPO with restricted groups policies, each Member Of policy is applied. For example, if a GPO linked to the Client Computers organizational unit (OU) specifies CONTOSO\Help Desk as a member of Administrators, and a second GPO linked to the SEA OU (a sub-OU of the Client Computers OU) specifies CONTOSO\NYC Support as a member of Administrators, a computer in the NYC OU will add both the Help Desk and NYC Support groups to its Administrators group in addition to any existing members of the group, such as Domain Admins. This example is illustrated in the following screen shot.

As you can see, restricted groups policies that use the Member Of setting are cumulative. The second type of restricted groups policy setting is the Members setting, which specifies the entire membership of the group specified by the policy. The dialog box on the right of the side-by-side dialog boxes shown earlier is a typical example: The Administrators group's Members list is specified as CONTOSO\Help Desk. When a computer applies this policy setting, it ensures that the local Administrators group's membership consists only of CONTOSO\Help Desk. Any members not specified in the policy are removed, including Domain Admins. The Members setting is the authoritative policy: it defines the final list of members. If there is more than one GPO with restricted group policies, the GPO with the highest priority prevails. For example, if a GPO linked to the Client Computers OU specifies the Administrators group membership as CONTOSO\Help Desk, and another GPO linked to the NYC OU specifies the Administrators group membership as CONTOSO\NYC Support, the computers in the NYC OU have only the NYC Support group in their Administrators group. This example is illustrated in the following screen shot.

If you use both Members and Member Of restricted groups policies, the precedent Members policy setting sets the authoritative baseline membership for the group, and then the cumulative memberships of Member Of policies augment that baseline.


In your enterprise, be careful to design and test your restricted groups policies to ensure that they achieve the desired result.
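The resolution rules above (a single authoritative Members setting from the highest-priority GPO, then cumulative Member Of settings on top, with the built-in Administrator never removed) can be checked mechanically before a GPO is linked. The following PowerShell is an added example, not code from the course: it models how a client combines Restricted Groups settings from several GPOs and then compares the expected result with the live local Administrators group, which is a useful drift check after the policies are deployed. The function names, the sample GPO settings and the starting membership are constructed for the example; Get-LocalGroupMember is assumed to be available (it ships with Windows 10 and Windows Server 2016 and later), and nothing here changes group membership.

```powershell
# Added example, not part of the course: model Restricted Groups resolution
# and detect drift in the local Administrators group. Read-only.

function Resolve-RestrictedGroupMembership {
    param(
        # Membership the group has before policy is applied (constructed sample input)
        [string[]]$CurrentMembers,
        # Restricted Groups settings in precedence order, highest-priority GPO first.
        # Each entry is @{ Type = 'Members' or 'MemberOf'; Principals = @(...) }
        [hashtable[]]$Settings
    )
    # A Members setting is authoritative and the highest-priority one wins.
    # The built-in Administrator account is never removed by policy.
    $authoritative = $Settings | Where-Object { $_.Type -eq 'Members' } | Select-Object -First 1
    if ($authoritative) {
        $result = @('Administrator') + @($authoritative.Principals)
    } else {
        $result = @($CurrentMembers)
    }
    # Member Of settings are cumulative: every GPO in scope adds its principals on top
    # of the baseline, whether that baseline came from a Members setting or from
    # whatever the group already contained.
    foreach ($setting in ($Settings | Where-Object { $_.Type -eq 'MemberOf' })) {
        $result += @($setting.Principals)
    }
    return @($result | Sort-Object -Unique)
}

function Test-LocalAdministratorsDrift {
    param([string[]]$Expected)
    # Get-LocalGroupMember reports local accounts as COMPUTERNAME\Name; strip the
    # prefix so 'Administrator' compares equal to the policy model above.
    $actual = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", '' }
    [pscustomobject]@{
        Unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
    }
}

# Scenario 1 (constructed from the lesson): two Member Of settings are cumulative,
# so both support groups are added and existing members such as Domain Admins stay.
$memberOfOnly = @(
    @{ Type = 'MemberOf'; Principals = @('CONTOSO\NYC Support') }   # OU-linked GPO, higher priority
    @{ Type = 'MemberOf'; Principals = @('CONTOSO\Help Desk') }     # domain-linked GPO
)
Resolve-RestrictedGroupMembership -CurrentMembers @('Administrator', 'CONTOSO\Domain Admins') -Settings $memberOfOnly

# Scenario 2: two Members settings; only the highest-priority one applies, and
# Domain Admins is removed because no Members list names it.
$membersOnly = @(
    @{ Type = 'Members'; Principals = @('CONTOSO\NYC Support') }
    @{ Type = 'Members'; Principals = @('CONTOSO\Help Desk') }
)
Resolve-RestrictedGroupMembership -CurrentMembers @('Administrator', 'CONTOSO\Domain Admins') -Settings $membersOnly

# Scenario 3: a Members baseline augmented by a cumulative Member Of setting.
$mixed = @(
    @{ Type = 'Members';  Principals = @('CONTOSO\Help Desk') }
    @{ Type = 'MemberOf'; Principals = @('CONTOSO\NYC Support') }
)
$expected = Resolve-RestrictedGroupMembership -CurrentMembers @('Administrator') -Settings $mixed

# Compare the modelled result with the machine this runs on; anything listed under
# Unexpected was added outside the policy and is worth investigating.
Test-LocalAdministratorsDrift -Expected $expected
```

Run the drift check on a client after a Group Policy refresh (gpupdate /force) and keep a copy of the modelled membership per OU; an Unexpected entry is the signal that a local administrator was added by some path other than the GPO.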

Demonstration: Delegate Administration by Using Restricted Groups Policies

You can use restricted groups policies with the Member Of setting to manage the delegation of administrative privileges for computers by following these steps:

Demonstration Steps
1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password Pa$$w0rd.
2. On NYC-DC1, click Start, point to Administrative Tools, and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
4. Right-click the Group Policy Objects container, and then click New.
5. In the Name box, type Corporate Help Desk, and then click OK.
6. In the details pane, right-click Corporate Help Desk, and then click Edit. The Group Policy Management Editor appears.
7. In Group Policy Management Editor, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
8. Right-click Restricted Groups and click Add Group.
9. Click Browse and, in the Select Groups dialog box, type the name of the group you want to add to the Administrators group (for example, CONTOSO\Help Desk) and click OK.
10. Click OK to close the Add Group dialog box. A Properties dialog box appears.
11. Click Add next to the This group is a member of section.
12. Type Administrators, and click OK. The Properties group policy setting should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
13. Click OK again to close the Properties dialog box.

Delegating the membership of the local Administrators group in this manner adds the group specified in step 9 to that group. It does not remove any existing members of the Administrators group. The Group Policy setting simply tells the client, "Make sure this group is a member of the local Administrators group." This allows for the possibility that individual systems could have other users or groups in their local Administrators group. This group policy setting is also cumulative. If multiple GPOs configure different security principals as members of the local Administrators group, all will be added to the group.

To take complete control of the local Administrators group, follow these steps:

Demonstration Steps
1. In Group Policy Management Editor, go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
2. Right-click Restricted Groups, and click Add Group.
3. Type Administrators, and click OK. A Properties dialog box appears.
4. Click Add next to the Members of this group section.
5. Click Browse and enter the name of the group you want to make the sole member of the Administrators group (for example, CONTOSO\Help Desk) and click OK.
6. Click OK again to close the Add Member dialog box. The group policy setting Properties should look similar to the dialog box on the left of the side-by-side dialog boxes shown earlier.
7. Click OK again to close the Properties dialog box.

When you use the Members setting of a restricted groups policy, the Members list defines the final membership of the specified group. The steps just listed result in a GPO that authoritatively manages the Administrators group. When a computer applies this GPO, it adds all members specified by the GPO and removes all members not specified by the GPO, including Domain Admins. Only the local Administrator account will not be removed from the Administrators group, because Administrator is a permanent and irremovable member of Administrators.

Define Group Membership with Group Policy Preferences

Group Policy Preferences can also be used to define the membership of groups. Local Group preferences are available in both Computer Configuration and User Configuration. The settings for a Local Group preference are shown below.

The three options related to "current user" are available only in the Local Group preference in User Configuration. You have the ability to create, delete, replace, or modify (update) a local group. As you can see in the previous screen shot, you can rename the group, change its description, or make modifications to the group's membership. Local Group preferences cannot remove members from a group if those members were added to a group by using a restricted groups policy setting. Additionally, if a restricted groups policy setting uses the Members method to define the authoritative membership of a group, preferences can neither add nor remove members.


The interactions between Members restricted groups policy settings, Member Of restricted groups policy settings, Local Group preferences scoped as computer settings, and Local Group preferences scoped as user settings can be complex to understand. Be sure to thoroughly test the results if you choose to implement multiple methods of managing group membership with Group Policy.

Discussion Questions
1. Why might you want to add the currently logged-on user?
Answer: While it is not the best practice for a user to be logged on as a member of the local Administrators group, there are still applications and functions that require administrative privileges to function properly. In these situations, you might want to allow a user to be a member of the local Administrators group on computers to which the user logs on. As a tip, you can implement the Delete All Member Users option and the At The Current User option. When the preference is processed, all existing user accounts are removed from the group first, and then the current user is added. The user must then log off and log on, at which point the user becomes a member of Administrators. During the next logon policy refresh, the Delete All Member Users setting removes the user's account, and then re-adds it. So, the user remains a member of Administrators as long as the user is within the management scope of the GPO.

2. In what scenario might you want to modify the membership of the local Administrators group of a computer by using a Local Group preference in the User Configuration node of a GPO that scopes the preference not to specific computers, but to specific users?
Answer: Answers will vary. This is a fairly advanced question, but here's the scenario: There is a support organization dedicated to helping specific users, such as an Executive Support team that is on call to support executives of an organization. In this administrative model, when an executive has a problem, the Executive Support team should be a member of the Administrators group on whichever machine the executive is logged on. So, the definition of who should be in the Administrators group (Executive Support) should "follow" the executive users rather than be locked (scoped) to a specific set of computers.

Lab A: Use Group Policy to Manage Group Membership


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso

Lab Scenario
You have been asked by the corporate security team to lock down the membership of the Administrators group on client computers. However, you need to provide the centralized help desk with the ability to perform support tasks for users throughout the organization. Additionally, you must empower the local site desktop support team to perform administrative tasks for client computers in that site.

Exercise 1: Configure the Membership of Administrators by Using Restricted Groups Policies


In this exercise, you will use Group Policy to delegate the membership of the Administrators group. You will first create a GPO with a restricted groups policy setting that ensures that the Help Desk group is a member of the Administrators group on all client systems. You will then create a GPO that adds the SEA Support group to Administrators on clients in the SEA OU. Finally, you will confirm that in the SEA OU, both Help Desk and SEA Support groups are administrators.

The main tasks for this exercise are as follows:
1. Delegate the administration of all clients in the domain.
2. Create a Seattle Support group.
3. Delegate the administration of a subset of clients in the domain.
4. Confirm the cumulative application of Member Of policies.

Task 1: Delegate the administration of all clients in the domain.

1. On NYC-DC1, run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Create a GPO named Corporate Help Desk, scoped to all computers in the Client Computers OU.
3. Configure a Restricted Groups policy setting that ensures that the Help Desk group is a member of the Administrators group on all client systems located in the Client Computers OU.

Task 2: Create a Seattle Support group.

1. Run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Groups\Role OU, create a global security group called SEA Support.
3. Close Active Directory Users and Computers.

Task 3: Delegate the administration of a subset of clients in the domain.

1. Run Group Policy Management, create a GPO named Seattle Support, scoped to all computers in the Client Computers\SEA OU.
2. Configure a Restricted Groups policy setting that ensures that the SEA Support group is a member of the Administrators group on all client systems in the SEA OU.

Task 4: Confirm the cumulative application of Member Of policies.

Use Group Policy Modeling to confirm that a computer in the SEA OU will include both Help Desk and SEA Support groups in its Administrators group.

Results: In this exercise, you created a Corporate Help Desk GPO that ensures that the Help Desk group is a member of the local Administrators group on all computers in the Client Computers OU. Additionally, you created a Seattle Support GPO that adds the Seattle Support group to the local Administrators group on all client computers in the SEA OU.

Important: Do not shut down the virtual machine after you finish this lab because the settings you have configured here will be used in subsequent labs.

Lab Review Question
Question: Using only restricted groups policies, what should you do to ensure that the only members of the local Administrators group on a client computer are the Help Desk in the site-specific Support group and to remove any other members from the local Administrators group?

Lesson 2: Manage Security Settings

Security is a primary concern for all Windows administrators. Windows Server 2008 includes several settings that affect the services that are running, the open ports, the network packets that are allowed into or out of the system, the rights and permissions of users, and the audited activities. There is an enormous number of settings that can be managed. The appropriate security configuration for a server depends on the roles that the server plays, the mix of operating systems in the environment, and the security policies of the organization, which themselves depend on compliance regulations enforced from outside the organization.

Therefore, you must determine and configure the security settings that are required for servers in your organization, and you must be prepared to manage those settings in a way that centralizes and optimizes security configuration. Windows Server 2008 provides several mechanisms with which to configure security settings on one or more systems. In this lesson, you will discover these mechanisms and their interactions.

Objectives
After completing this lesson, you will be able to:
Configure security settings on a computer by using the Local Security Policy.
Create and apply security templates to manage security configuration.
Analyze security configuration based on security templates.
Create, edit, and apply security policies by using the Security Configuration Wizard.
Deploy security configuration with Group Policy.

What Is Security Policy Management?

Security policy management involves designing, deploying, managing, analyzing, and revising security settings for one or more configurations of Windows systems. A typical enterprise is likely to have several configurations: desktops and laptops, servers, and domain controllers. Most enterprises end up defining even more configurations, such as by delineating various types or roles of servers.

Before you even touch the technology, you need to understand what your enterprise security policy requires, and if you do not yet have a written security policy, begin by creating one.

The security policy, and the requirements it contains, will likely require multiple customizations to the default, out-of-box security configuration of Windows client and server operating systems. To manage security configuration, you will need to:
Create a security policy for a new application or server role not included in Server Manager.
Use security policy management tools to apply security policy settings that are unique to your environment.
Analyze server security settings to ensure that the security policy applied to a server is appropriate for the server role.
Update a server security policy when the server configuration is modified.

This lesson covers the tools, concepts, and processes required to perform these tasks. The tools you will encounter in this lesson include:
Local Group Policy
Security Configuration Wizard
Security Templates snap-in
Domain Group Policy


Configure the Local Security Policy

Each server running Windows Server 2008 maintains a collection of security settings that can be managed by using the local GPO. You can configure the local GPO by using the Group Policy Object Editor snap-in or the Local Security Policy console. The available policy setting categories are shown on the next page.

This lesson focuses on the mechanisms with which to configure and manage security settings rather than on the details of the settings themselves. Many of the settings, including account policies, audit policy, and user rights assignment, are discussed elsewhere in this course.

Because domain controllers do not have local user accounts and have only domain accounts, the policies in the Account Policies container of the local GPO on DCs cannot be configured. Instead, account policies for the domain should be configured as part of a domain-linked GPO such as the Default Domain Policy GPO. Account policies are discussed in further detail in Module 10.

The settings found in the local Security Settings policies are a subset of the policies that can be configured by using domain-based Group Policy, shown below:

As you learned in Module 6, it is a best practice to manage configuration by using domain-based Group Policy rather than on a machine-by-machine basis by using local Group Policy. This is particularly true for domain controllers. The Default Domain Controllers Policy GPO is created when the first domain controller is promoted for a new domain. It is linked to the Domain Controllers OU and should be used to manage baseline security settings for all domain controllers in the domain so that DCs are consistently configured.

Manage Security Configuration with Security Templates

The second mechanism for managing security configuration is the security template. A security template is a collection of configuration settings stored as a text file with the .inf extension. As you can see in the following screen shot, a security template contains settings that are a subset of the settings available in a domain-based GPO, but a somewhat different subset than those managed by the local GPO.

The tools used to manage security templates present settings in an interface that enables you to save your security configurations as files and deploy them when and where they are needed. You can also use a security template to analyze the compliance of a computer's current configuration against the desired configuration.

There are several advantages to storing security configuration in security templates. First, because the templates are plain text files, you can work with them manually as with any text file, cutting and pasting sections as needed. Second, templates make it easy to store security configurations of various types so that you can easily apply different levels of security to computers performing different roles.

Security templates enable you to configure any of the following types of policies and settings:
Account Policies: Enable you to specify password restrictions, account lockout policies, and Kerberos policies.
Local Policies: Enable you to configure audit policies, user rights assignments, and security options policies.
Event Log Policies: Enable you to configure maximum event log sizes and rollover policies.
Restricted Groups: Enable you to specify the users who are permitted to be members of specific groups.
System Services: Enable you to specify the startup types and permissions for system services.
Registry Permissions: Enable you to set access control permissions for specific registry keys.
File System Permissions: Enable you to specify access control permissions for NTFS files and folders.

You can deploy security templates in a variety of ways: by using Active Directory Group Policy Objects, by using Secedit.exe, or by attaching a template to a policy created by the Security Configuration Wizard. When you associate a security template with an Active Directory GPO, the settings in the template become part of the GPO. You can also apply a security template directly to a computer, in which case the settings in the template become part of the computer's local policies.

Secedit.exe
Secedit.exe is a command-line utility that can be used to manage security templates. The advantage of Secedit.exe is that you can call it from scripts and batch files, enabling you to automate your security template deployments. Another big advantage of Secedit.exe is that you can use it to apply only part of a security template to a computer, and this is something you cannot do with GPOs. For example, if you want to apply the file system permissions from a template but leave all the other settings alone, Secedit.exe is the only way to do it.

To use Secedit.exe, you run the program from the command prompt with one of the following six main parameters and additional parameters for each function:
Configure. Applies all or part of a security database to the local computer. You can also configure the program to import a security template into the specified database before applying the database settings to the computer.
Analyze. Compares the computer's current security settings with those in a security database. You can configure the program to import a security template into the database before performing the analysis. The program stores the results of the analysis in the database itself, which you can view later by using the Security Configuration and Analysis snap-in.
Import. Imports all or part of a security template into a specific security database.
Export. Exports all or part of the settings from a security database to a new security template.
Validate. Verifies that a security template is using the correct internal syntax.
Generate rollback. Creates a security template you can use to restore a system to its original configuration after applying another template.

For example, to configure the machine by using a template called BaselineSecurity, use the following command.

secedit /configure /db BaselineSecurity.sdb /cfg BaselineSecurity.inf /log BaselineSecurity.log

To create a rollback template for the BaselineSecurity template, use the following command.

secedit /generaterollback /cfg BaselineSecurity.inf /rbk BaselineSecurityRollback.inf /log BaselineSecurityRollback.log
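Put together, the template sections listed earlier and these Secedit.exe parameters give a fully scriptable workflow, and the order of the steps is what matters for safety: validate, capture a rollback, analyze, and only then configure. The following PowerShell is an added example, not code from the course. It writes a small constructed template (the section names and the well-known SID S-1-5-32-544 of the local Administrators group are standard template syntax; the values are sample settings chosen for the example), validates it, generates a rollback template before anything is applied, runs an analysis, and applies only the template's Group Membership area when $Apply is set. The file names, the Invoke-Secedit helper, and the /areas GROUP_MGMT and /quiet switches are not shown on the page and are taken from Secedit.exe's own command-line help.

```powershell
# Added example, not from the course: a Secedit.exe workflow that never applies a
# template without first validating it and capturing a rollback template.
# Run from an elevated PowerShell prompt; all paths and names are constructed.
$Apply   = $false                                  # set to $true to really configure the machine
$Name    = 'BaselineSecurity'
$WorkDir = Join-Path $env:TEMP 'SecurityTemplates'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Template = Join-Path $WorkDir "$Name.inf"
$Database = Join-Path $WorkDir "$Name.sdb"
$Rollback = Join-Path $WorkDir "${Name}Rollback.inf"

# A minimal template showing the plain-text sections the Security Templates
# snap-in edits. [Group Membership] is the Restricted Groups policy from Lesson 1
# in file form: *SID__Members is authoritative, *SID__Memberof is cumulative.
# S-1-5-32-544 is the well-known SID of the local Administrators group.
$templateText = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 5
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\Help Desk
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@
# Templates declare Unicode=yes and are stored as UTF-16, so write the file that way.
Set-Content -Path $Template -Value $templateText -Encoding Unicode

function Invoke-Secedit {
    param([string[]]$Arguments)
    # Secedit.exe writes details to the /log file; a non-zero exit code means failure,
    # so stop the workflow instead of applying a template that did not validate.
    & secedit.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Validate the template's syntax before it touches anything.
Invoke-Secedit -Arguments @('/validate', $Template)

# 2. Generate the rollback template first, so the change can be undone later with
#    secedit /configure against a fresh database. /quiet suppresses the confirmation prompt.
Invoke-Secedit -Arguments @('/generaterollback', '/cfg', $Template, '/rbk', $Rollback,
                            '/log', (Join-Path $WorkDir "$Name-Rollback.log"), '/quiet')

# 3. Compare the current configuration with the template. Results are stored in
#    the .sdb and can be reviewed in the Security Configuration and Analysis snap-in.
Invoke-Secedit -Arguments @('/analyze', '/db', $Database, '/cfg', $Template,
                            '/log', (Join-Path $WorkDir "$Name-Analyze.log"))
Write-Host "Analysis written to $Database; review it before applying."

# 4. Apply only the Group Membership area, the partial application that a GPO cannot do.
#    Other /areas values: SECURITYPOLICY, USER_RIGHTS, REGKEYS, FILESTORE, SERVICES.
if ($Apply) {
    Invoke-Secedit -Arguments @('/configure', '/db', $Database, '/cfg', $Template,
                                '/areas', 'GROUP_MGMT',
                                '/log', (Join-Path $WorkDir "$Name-Configure.log"), '/quiet')
    Write-Host "Applied $Template. Roll back with: secedit /configure /db rollback.sdb /cfg $Rollback"
}
```

Keep the rollback .inf together with the analysis log as the change record for the server: the log shows what differed before the change, and the rollback template is the only way to return exactly to the previous state, because applying a template is not itself reversible.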

Demonstration: Create and Deploy Security Templates

To work with security templates, you use the Security Templates snap-in. Windows Server 2008 does not include a console with the Security Templates snap-in, so you have to create one yourself by using the MMC Add/Remove Snap-in command. The snap-in creates a folder called Security and a subfolder called Templates in your Documents folder, and the Documents\Security\Templates folder becomes the template search path, where you can store one or more security templates.

To create a new security template: Right-click the node that represents your template search path (C:\Users\Documents\Administrator\Security\Templates, for example) and click New Template.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=10&FontSize=3&FontType=segoe 35/105

07/06/13

Module 8: Managing Enterprise Security and Configuration with Group Policy Settings

Youcanalsocreateatemplatethatreflectsthecurrentconfigurationofaserver youlllearnhowtodothatlaterinthislesson. Settingsareconfiguredinthetemplateinthesamewaythatsettingsareconfigured inaGPO.TheSecurityTemplatessnapinisusedtoconfiguresettingsinasecurity template.Itisjustaneditoritdoesnotplayanyroleinactuallyapplyingthose settingstoasystem.ConfiguresecuritysettingsinatemplatebyusingtheSecurity Templatessnapin.Althoughthetemplateitselfisatextfile,thesyntaxcanbe confusing.Usingthesnapinensuresthatsettingsarechangedthroughtheproper syntax. TheexceptiontothisruleisaddingRegistrysettingsthatarenotalreadylistedinthe LocalPolicies\SecurityOptionportionofthetemplate.Asnewsecuritysettings becomeknown,iftheycanbeconfiguredbyusingaRegistrykey,youcanaddthem toasecuritytemplate.Todoso,youaddthemtotheRegistryValuessectionofthe template. NoteBesuretosaveyourchangestoasecuritytemplatebyrightclickingthe templateandclickingsave.

When you install a server or promote it to a domain controller, a default security template is applied by Windows. You can find that template in the %SystemRoot%\Security\Templates folder. On a domain controller, the template is called DC security.inf. You should not modify this template directly, but you can copy it to your template search path and modify the copy.

Note: In previous versions of Windows, a number of security templates were available to modify and apply to a computer. The new role-based configuration of Windows Server 2008 and the improved Security Configuration Manager have made these templates unnecessary.

Deploying Security Templates by Using Group Policy Objects


Creating and modifying security templates does not improve security unless you apply those templates. To configure a number of computers in a single operation, you can import a security template into the GPO for a domain, site, or OU object in Active Directory.

To import a security template into a GPO:
Right-click the Security Settings node and click Import Policy.

In the Import Policy From dialog box, if you select the Clear This Database Before Importing check box, all security settings in the GPO will be erased prior to importing the template settings. Therefore, the GPO's security settings will match the template's settings. If you leave the Clear This Database Before Importing check box cleared, the GPO's security policy settings will remain and the template's settings will be imported. Any settings defined in the GPO that are also defined in the template will be replaced with the template's setting.
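The template file format that the text calls confusing, and the two Import Policy modes just described, as an added example that is not part of the course or of Windows: it parses constructed .inf text in the format the Security Templates snap-in writes (the lab's DC Remote Desktop template plus a hand-added Registry Values entry), imports it into an existing GPO's settings both with and without Clear This Database Before Importing, and runs the template-versus-current-state comparison that security templates are also used for later in this lesson. The two templates, the CONTOSO group name and the LimitBlankPasswordUse value are constructed samples; the merge rules follow the paragraph above.

```python
"""Security template (.inf) handling as an added example.

Parses the text format the Security Templates snap-in writes, reproduces the two
Import Policy modes described in the lesson, and compares a template with a
system's current settings the way Security Configuration and Analysis does.
"""
import configparser

HEADER_SECTIONS = {"Unicode", "Version"}          # file header, not policy
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
LSA_BLANK_PW = r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"

# Constructed sample: the lab's DC Remote Desktop template as the snap-in would
# save it. Well-known groups are written as *SID (S-1-5-32-544 is
# BUILTIN\Administrators, S-1-5-32-555 is BUILTIN\Remote Desktop Users). The
# Registry Values line is a hand-added entry of the kind the text describes:
# <key path>=<type>,<data>, where type 4 is REG_DWORD.
DC_REMOTE_DESKTOP_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,CONTOSO\SYS_DC Remote Desktop
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\SYS_DC Remote Desktop
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

# Constructed sample: settings already present in the target GPO (or exported
# from a server with secedit /export), in the same format.
EXISTING_GPO_INF = r"""
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
"""


def parse_template(text):
    """Return {section: {key: value}}; keys keep their case because registry
    paths and SIDs are looked up literally."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def policy_sections(template):
    return {s: v for s, v in template.items() if s not in HEADER_SECTIONS}


def split_accounts(value):
    """Privilege Rights and Group Membership values are comma-separated accounts."""
    return [a.strip() for a in value.split(",") if a.strip()]


def parse_registry_value(value):
    """'4,1' -> ('REG_DWORD', '1')."""
    type_code, _, data = value.partition(",")
    return REG_TYPES[int(type_code)], data


def import_policy(gpo, template, clear_database=False):
    """Import Policy into a GPO: every template setting replaces the GPO's value
    for the same key; other GPO settings survive unless clear_database is set,
    which empties the GPO first so that it matches the template exactly."""
    result = {} if clear_database else {s: dict(v) for s, v in gpo.items()}
    for section, settings in policy_sections(template).items():
        result.setdefault(section, {}).update(settings)
    return result


def analyze(current, template):
    """List (section, key, current, desired) for each template setting that
    differs on the system. Blank values (the snap-in writes '__Memberof =' when
    that half of a Restricted Groups entry is left empty) are skipped as not
    configured; that is a simplification of this example, not the exact secedit rules."""
    findings = []
    for section, settings in policy_sections(template).items():
        for key, desired in settings.items():
            if not desired:
                continue
            actual = current.get(section, {}).get(key)
            if actual != desired:
                findings.append((section, key, actual, desired))
    return findings


def remote_desktop_logon(policy):
    return split_accounts(policy.get("Privilege Rights", {}).get("SeRemoteInteractiveLogonRight", ""))


def restricted_group_members(policy, group_sid):
    return split_accounts(policy.get("Group Membership", {}).get(f"*{group_sid}__Members", ""))


if __name__ == "__main__":
    gpo = parse_template(EXISTING_GPO_INF)
    tmpl = parse_template(DC_REMOTE_DESKTOP_INF)
    for section, key, actual, desired in analyze(gpo, tmpl):
        print(f"[{section}] {key}: current={actual!r} template={desired!r}")
    print("Remote Desktop logon right after import:", remote_desktop_logon(import_policy(gpo, tmpl)))
```

Running it lists the three settings on which the existing GPO differs from the template; after an import without clearing, the GPO keeps its SeDenyNetworkLogonRight and Event Audit settings and gains the template's, while an import with the check box selected leaves only the template's settings.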

Demonstration Steps
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman with the password Pa$$w0rd.
3. Click Start and in the search box, type mmc.exe and press Enter. When prompted, supply administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
4. Click File, and then click Add/Remove Snap-in.
5. In the Available snap-ins list, select Security Templates, then click Add.
6. Click OK.
7. Click File, and then click Save. The Save As dialog box appears.
8. Type C:\SecurityManagement, and then press Enter.
9. In the console tree, expand Security Templates.
10. Right-click C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, and then click New Template.
11. Type DC Remote Desktop, and then click OK.
12. Click Start, point to Administrative Tools and run Group Policy Management with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
13. In the console tree, expand Forest: contoso.com, Domains, and contoso.com, and then click the Group Policy Objects container.
14. In the details pane, right-click the Corporate Help Desk GPO, and then click Edit. The Group Policy Management Editor appears.
15. In the console tree, expand Computer Configuration, Policies, Windows Settings, and then click Security Settings.
16. Right-click Security Settings, and then click Import Policy.
17. Select the DC Remote Desktop template, and then click Open.

Security Configuration Wizard



The Security Configuration Wizard can be used to enhance the security of a server by closing ports and disabling services not required for the server's roles.

The Security Configuration Wizard can be launched from the home page of Server Manager, in the Security Information section, or from the Administrative Tools folder. There is also a command-line version of the tool, scwcmd.exe. Type scwcmd.exe /? at the command prompt. For help on the command, visit: http://go.microsoft.com/fwlink/?LinkId=168678.

The Security Configuration Wizard is role-based, in accordance with the new role-based configuration of Windows Server 2008. The Security Configuration Wizard creates a security policy (an .xml file) that configures:
- Services
- Network security, including firewall rules
- Registry values
- Audit policy
- Other settings based on the roles of a server

That security policy can then be modified, applied to another server, or transformed into a GPO for deployment to multiple systems.

Creating a Security Policy


To create a security policy, perform the following steps:
1. Launch the Security Configuration Wizard from the Administrative Tools folder or the Security Information section on the home page of Server Manager.
You can open the Security Configuration Wizard Help file by clicking the Security Configuration Wizard link on the first page of the wizard.
2. Click Next.
3. On the Configuration Action page, click Create a New Security Policy, and then click Next.
4. Enter the name of the server to scan and analyze, and then click Next.
The security policy will be based on the roles being performed by the specified server. You must be an administrator on the server for the analysis of its roles to proceed. Ensure also that all applications using inbound IP ports are running prior to running the Security Configuration Wizard.

The Security Configuration Wizard begins the analysis of the selected server's roles. It uses a security configuration database that defines services and ports required for each server role supported by the Security Configuration Wizard. The security configuration database is a set of .xml files installed in %SystemRoot%\Security\Msscw\Kbs.

Note: In an enterprise environment, centralize the security configuration database so that administrators use the same database when running the Security Configuration Wizard. Copy the files in the %SystemRoot%\Security\Msscw\Kbs folder to a network folder. Then, launch the Security Configuration Wizard with the Scw.exe command by using the syntax scw.exe /kb DatabaseLocation. For example, the command scw.exe /kb \\NYC-SVR1\scwkb launches the Security Configuration Wizard by using the security configuration database in the shared folder scwkb on NYC-SVR1.

The Security Configuration Wizard uses the security configuration database to scan the selected server and identifies the following:
- Roles that are installed on the server
- Roles likely being performed by the server
- Services installed on the server but not defined in the security configuration database
- IP addresses and subnets configured for the server

The information discovered about the server is saved in a file named Main.xml. This server-specific file is called the configuration database. This is not to be confused with the security configuration database used by the Security Configuration Wizard to perform the analysis.

To display the configuration database:
Click View Configuration Database on the Processing Security Configuration page.


The initial settings in the configuration database are called the baseline settings. After the server has been scanned and the configuration database has been created, you can modify the database, which will then be used to generate the security policy to configure services, firewall rules, registry settings, and audit policies. The security policy can then be applied to the server or to other servers playing similar roles. The Security Configuration Wizard presents each of these four categories of the security policy in a section (a series of wizard pages), followed by a section in which the policy is saved:
- Role-based service configuration
- Network security
- Registry settings
- Audit policy
- Security policy

You can skip any of the Network Security, Registry Settings, and Audit Policy sections that you do not want to include in your security policy.


When all the configuration sections have been completed or skipped, the Security Configuration Wizard presents the Security Policy section. The Security Policy File Name page, shown in the preceding screenshot, enables you to specify a path, a name, and a description for the security policy.

To examine the settings of the security policy:
Click View Security Policy.

The settings are very well documented by the Security Configuration Wizard.


To import a security template into the security policy:
Click Include Security Templates.

Security templates, discussed earlier in this lesson, contain settings that are not provided by the Security Configuration Wizard, including restricted groups, granular event log policies, and file system and registry security policies. By including a security template, you can incorporate a richer collection of configuration settings in the security policy. If any settings in the security template conflict with the settings in the Security Configuration Wizard, the settings in the Security Configuration Wizard take precedence. When you click Next, you are given the option to apply the security policy to the server immediately or to apply the policy later.

Editing a Security Policy


To edit a saved security policy:
1. Open the Security Configuration Wizard.
2. On the Configuration Action page, click Edit an Existing Security Policy.
3. Click Browse to locate the policy .xml file. When prompted to select a server, select the server that was used to create the security policy.

Applying a Security Policy


To apply a security policy to a server:
1. Open the Security Configuration Wizard.
2. On the Configuration Action page, click Apply an Existing Security Policy.
3. Click Browse to locate the policy .xml file.
4. On the Select Server page, select a server to which to apply the policy.

Many of the changes specified in a security policy, including the addition of firewall rules for applications already running and the disabling of services, require that you restart the server. Therefore, as a best practice, restart a server whenever you apply a security policy.

Rolling Back an Applied Security Policy


If a security policy is applied and it causes undesirable results, you can roll back the changes. To roll back an applied security policy:
1. Open the Security Configuration Wizard.
2. On the Configuration Action page, select Rollback the Last Applied Security Policy.

When a security policy is applied by the Security Configuration Wizard, a rollback file is generated that stores the original settings of the system. The rollback process applies the rollback file.

Modifying Settings of an Applied Security Policy


Alternatively, if an applied security policy does not produce an ideal configuration, you can manually change settings by using the Local Security Policy console discussed at the beginning of this lesson in the Configuring the Local Security Policy section.

Deploying a Security Policy Using Group Policy


You can apply a security policy created by the Security Configuration Wizard to a server by using the Security Configuration Wizard itself, by using the Scwcmd.exe command, or by transforming the security policy into a GPO.

To transform a security policy into a GPO:
Log on as a domain administrator and run Scwcmd.exe with the transform command. For example:

    scwcmd transform /p:"Contoso DC Security.xml" /g:"Contoso DC Security GPO"

This command will create a GPO called Contoso DC Security GPO with settings imported from the Contoso DC Security.xml security policy file. The resulting GPO can then be linked to an appropriate scope (site, domain, or OU) by using the Group Policy Management console. Be sure to type scwcmd.exe transform /? for help and guidance about this process.

Settings, Templates, Policies, and GPOs


As suggested in the introduction to the lesson, there are a number of mechanisms with which to manage security settings. You can use tools such as the Local Security Policy console to modify settings on an individual system. You can use security templates, which have existed since Windows 2000 Server, to manage settings on one or more systems and to compare the current state of a system's configuration against the desired configuration defined by the template. Security policies generated by the Security Configuration Wizard are the most recent addition to the security configuration management toolset. They are role-based .xml files that define service startup modes, firewall rules, audit policies, and some registry settings. Security policies can incorporate security templates. Both security templates and security policies can be deployed by using Group Policy.

The plethora of tools available can make it difficult to identify the best practice for managing security on one or more systems. Plan to use Group Policy whenever possible to deploy security configuration. You can generate a GPO from a role-based security policy produced by the Security Configuration Wizard, which itself incorporates additional settings from a security template. After the GPO has been generated, you can make additional changes to the GPO by using the Group Policy Management Editor snap-in. Settings not managed by Group Policy can be configured on a server-by-server basis by using the local GPO security settings.

Lab B: Manage Security Settings


Lab Setup
For this lab, you will use the same virtual machines that were used for Lab A. If required, complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso

Lab Scenario
You are an administrator of the contoso.com domain. To secure the directory service, you want to establish a security configuration to apply to domain controllers that, among other things, specifies who can log on to domain controllers by using Remote Desktop to perform administrative tasks.

Exercise 1: Manage Local Security Settings


In this exercise, you will create a group that allows you to manage who is allowed to log on to NYC-DC1, a domain controller, by using Remote Desktop. You will do so by configuring security settings directly on NYC-DC1.

The main tasks for this exercise are as follows:
1. Enable Remote Desktop on NYC-DC1.
2. Create a global security group named SYS_DC Remote Desktop.
3. Add SYS_DC Remote Desktop to the Remote Desktop Users group.
4. Configure the Local Security Policy to allow remote desktop connections by SYS_DC Remote Desktop.
5. Revert the local security policy to its default setting.

Task 1: Enable Remote Desktop on NYC-DC1.

1. On NYC-DC1, run Server Manager as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Server Summary section, click Configure Remote Desktop, and then click Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
3. Close Server Manager.

Task 2: Create a global security group named SYS_DC Remote Desktop.

1. Run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. In the Admins\Admin Groups\Server Delegation OU, create a global security group named SYS_DC Remote Desktop.

Task 3: Add SYS_DC Remote Desktop to the Remote Desktop Users group.

To connect by using Remote Desktop, a user must have the user logon right to log on through Remote Desktop Services, which you will grant to the SYS_DC Remote Desktop group in the next task.

Additionally, the user must have permission to connect to the RDP-Tcp connection. By default, the Remote Desktop Users group and the Administrators group have permission to connect to the RDP-Tcp connection. Therefore, you should add the user (or the SYS_DC Remote Desktop group in this case) to the Remote Desktop Users group.

1. Add the SYS_DC Remote Desktop group to the Remote Desktop Users group, found in the Builtin container.
2. Close Active Directory Users and Computers.

Note: Instead of adding the group to Remote Desktop Users, you could add the SYS_DC Remote Desktop group to the access control list (ACL) of the RDP-Tcp connection by using the Remote Desktop Session Host Configuration console. Right-click RDP-Tcp and click Properties. Then, click the Security tab, click the Add button, and type SYS_DC Remote Desktop. Click OK twice to close the dialog boxes.

Task 4: Configure the Local Security Policy to allow remote desktop connections by SYS_DC Remote Desktop.

On a domain member (workstation or server), the Remote Desktop Users group has permission to connect to the RDP-Tcp connection and has the user right to log on through Remote Desktop Services. Therefore, on a domain member server or workstation, the easiest way to manage both the user right and the permission on the RDP-Tcp connection is to add a user or group directly to the Remote Desktop Users group.

Because NYC-DC1 is a domain controller, only Administrators have the right to log on through Remote Desktop Services. Therefore, you must explicitly grant the SYS_DC Remote Desktop group the user logon right to log on through Remote Desktop Services.

1. Run Local Security Policy as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Modify the configuration of the user rights policy setting, Allow log on through Remote Desktop Services, and add SYS_DC Remote Desktop.

Task 5: Revert the local security policy to its default setting.

You will now revert the policy to its default in preparation for the following exercises.

1. Modify the configuration of the user rights policy setting, Allow log on through Remote Desktop Services, and then remove SYS_DC Remote Desktop.
2. Close Local Security Policy.

Results: In this exercise, you configured each of the local settings necessary to allow SYS_DC Remote Desktop to log on to NYC-DC1 by using Remote Desktop.

Exercise 2: Create a Security Template


In this exercise, you will create a security template that gives the SYS_DC Remote Desktop group the right to log on by using Remote Desktop.

The main tasks for this exercise are as follows:
1. Create a custom MMC console with the Security Templates snap-in.
2. Create a security template.

Task 1: Create a custom MMC console with the Security Templates snap-in.

1. Run mmc.exe as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Add the Security Templates snap-in.
3. Save the console as C:\SecurityManagement.msc.

Task 2: Create a security template.

1. In the Security Templates snap-in, create a new security template named DC Remote Desktop.
2. Modify the configuration of the user rights policy setting, Allow log on through Remote Desktop Services, and then add SYS_DC Remote Desktop.
3. Using a Restricted Groups setting, configure the template to add SYS_DC Remote Desktop to the Remote Desktop Users group.
4. Save the changes you made to the template.

Results: In this exercise, you configured a security template named DC Remote Desktop that adds the SYS_DC Remote Desktop group to the Remote Desktop Users group and gives the SYS_DC Remote Desktop group the user logon right to log on through Remote Desktop Services.

Exercise 3: Use the Security Configuration Wizard


In this exercise, you will use the Security Configuration Wizard to create a security policy for domain controllers in the contoso.com domain based on the configuration of NYC-DC1. You will then convert the security policy into a GPO, which could then be deployed to all domain controllers by using Group Policy.

The main tasks for this exercise are as follows:
1. Create a security policy.
2. Transform a security policy into a Group Policy object.

Task 1: Create a security policy.

1. Run the Security Configuration Wizard from the Administrative Tools folder, with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. On the Welcome to the Security Configuration Wizard page, click Next.
3. On the Configuration Action page, select Create a new security policy, and then click Next.
4. On the Select Server page, accept the default server name, NYC-DC1, and click Next.
5. On the Processing Security Configuration Database page, you can optionally click View Configuration Database and explore the configuration that was discovered on NYC-DC1.
6. Click Next.
7. On the Role-Based Service Configuration section introduction page, click Next.
8. On the Select Server Roles page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
9. On the Select Client Features page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
10. On the Select Administration and Other Options page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
11. On the Select Additional Services page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.
12. On the Handling Unspecified Services page, do not change the default setting, Do not change the startup mode of the service. Click Next.
13. On the Confirm Service Changes page, in the View list, select All Services.
14. Examine the settings in the Current Startup Mode column, which reflect service startup modes on NYC-DC1, and compare them with the settings in the Policy Startup Mode column.
15. In the View list, select Changed Services.
16. Click Next.
17. On the Network Security introduction page, click Next.
18. On the Network Security Rules page, you can optionally examine the firewall rules derived from the configuration of NYC-DC1. Do not change any settings. Click Next.
19. On the Registry Settings section introduction page, click Next.
20. On each page of the Registry Settings section, examine the settings, but do not change any of them, and then click Next. When the Registry Settings Summary page appears, examine the settings and click Next.
21. On the Audit Policy section introduction page, click Next.
22. On the System Audit Policy page, examine but do not change the settings. Click Next.
23. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy Setting columns. Click Next.
24. On the Save Security Policy section introduction page, click Next.
25. In the Security Policy File Name text box, click at the end of the file path and type DC Security Policy.
26. Click Include Security Templates.
27. Click Add.
28. Browse to locate the DC Remote Desktop template created in Exercise 2, located in the My Documents\Security\Templates folder. When you have located and selected the template, click Open.
Be careful that you add the Documents\Security\Templates\DC Remote Desktop.inf file and not the DC security.inf default security template.
29. Click OK to close the Include Security Templates dialog box.
30. Click View Security Policy. You are prompted to confirm the use of the ActiveX control.
31. Click Yes.
32. Examine the security policy. Notice that the DC Remote Desktop template is listed in the Templates section.
33. Close the window after you have examined the policy.
34. In the Security Configuration Wizard, click Next.
35. On the Apply Security Policy page, accept the Apply Later default setting, and then click Next.
36. Click Finish.

Task 2: Transform a security policy into a Group Policy object.

1. Run the Command Prompt as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Type cd c:\windows\security\msscw\policies, and then press Enter.
3. Type scwcmd transform /?, and then press Enter.
4. Use the scwcmd.exe command to transform the security policy named "DC Security Policy.xml" to a GPO named "DC Security Policy."
5. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
6. Examine the settings of the DC Security Policy GPO. Confirm that the BUILTIN\Administrators and CONTOSO\SYS_DC Remote Desktop groups are given the Allow log on through Terminal Services user right. Also, confirm that the CONTOSO\SYS_DC Remote Desktop group is a member of BUILTIN\Remote Desktop Users.

Results: In this exercise, you will have used the Security Configuration Wizard to create a security policy named DC Security Policy, and transformed the security policy to a Group Policy object named DC Security Policy.

Important: Do not shut down the virtual machine after you finish this lab because the settings you have configured here will be used in subsequent labs.

Lab Review Question
Question: Describe a situation where you would use both security templates and the Security Configuration Wizard to secure a server.



Lesson 3: Auditing

Auditing is an important component of security. Auditing logs specified activities in your enterprise to the Windows Security log, which you can then monitor to understand those activities and identify issues that warrant further investigation. Auditing can log successful activities to provide documentation of changes. It can also log failed and potentially malicious attempts to access enterprise resources. Auditing involves up to three management tools: audit policy, auditing settings on objects, and the Security log. In this lesson, you will learn how to configure auditing to address several common scenarios.



Objectives
After completing this lesson, you will be able to:
- Configure audit policy.
- Configure auditing settings on file system objects.
- View the Security log using the Event Viewer snap-in.

Overview of Audit Policies


Audit Policy configures a system to audit categories of activities. If Audit Policy is not enabled, a server will not audit those activities. The following screenshot shows the Audit Policy node of a GPO expanded:

To configure auditing, you must define the policy setting. Double-click any policy setting and select the Define These Policy Settings check box. Then, select whether to enable auditing of Success events, Failure events, or both.

The following table defines each audit policy and its default settings on a Windows Server 2008 domain controller.

Audit Policies
For each audit policy setting, the table gives an explanation and the default setting for Windows Server 2008 domain controllers.

Audit Account Logon Events
Explanation: Creates an event when a user or computer attempts to authenticate by using an Active Directory account. For example, when a user logs on to any computer in the domain, an account logon event is generated.
Default setting for Windows Server 2008 domain controllers: Successful account logons are audited.

Audit Logon Events
Explanation: Creates an event when a user logs on interactively (locally) to a computer or over the network (remotely). For example, if a workstation and a server are configured to audit logon events, the workstation audits a user logging on directly to that workstation. When the user connects to a shared folder on the server, the server logs that remote logon. When a user logs on, the domain controller records a logon event because logon scripts and policies are retrieved from the domain controller.
Default setting for Windows Server 2008 domain controllers: Successful logons are audited.

Audit Account Management
Explanation: Audits events, including the creation, deletion, or modification of user, group, or computer accounts and the resetting of user passwords.
Default setting for Windows Server 2008 domain controllers: Successful account management activities are audited.

Audit Directory Service Access
Explanation: Audits events that are specified in the system ACL (SACL), which is seen in an Active Directory object's Properties Advanced Security Settings dialog box. In addition to defining the audit policy with this setting, you must also configure auditing for the specific object or objects by using the SACL of the object or objects. This policy is similar to the Audit Object Access policy used to audit files and folders, but this policy applies to Active Directory objects.
Default setting for Windows Server 2008 domain controllers: Successful directory service access events are audited, but few objects' SACLs specify audit settings.

Audit Policy Change
Explanation: Audits changes to user rights assignment policies, audit policies, or trust policies.
Default setting for Windows Server 2008 domain controllers: Successful policy changes are audited.

Audit Privilege Use
Explanation: Audits the use of a privilege or user right. See the explanatory text for this policy in the Group Policy Management Editor (GPME).
Default setting for Windows Server 2008 domain controllers: No events are audited.

Audit System Events
Explanation: Audits system restart, shutdown, or changes that affect the system or security log.
Default setting for Windows Server 2008 domain controllers: Successful system events are audited.

Audit Process Tracking
Explanation: Audits events such as program activation and process exit. See the explanatory text for this policy in the GPME.
Default setting for Windows Server 2008 domain controllers: No events are audited.

Audit Object Access
Explanation: Audits access to objects such as files, folders, registry keys, and printers that have their own SACLs. In addition to enabling this audit policy, you must configure the auditing entries in objects' SACLs.
Default setting for Windows Server 2008 domain controllers: No auditing is performed by default.

As you can see, most major Active Directory events are already audited by domain controllers, assuming that the events are successful. Therefore, the creation of a user, the resetting of a user's password, the logon to the domain, and the retrieval of a user's logon scripts are all logged.

However, not all failure events are audited by default. You might need to implement additional failure auditing based on your organization's IT security policies and requirements. Auditing failed account logon events, for example, exposes malicious attempts to access the domain by repeatedly trying to log on as a domain user account without yet knowing the account's password. Auditing failed account management events can reveal someone attempting to manipulate the membership of a security-sensitive group.

One of the most important tasks you must perform is to balance and align the audit policy with your corporate policies and reality. Your corporate policy might state that all failed logons and successful changes to Active Directory users and groups must be audited. That's easy to achieve in Active Directory. But how, exactly, are you going to use that information? Verbose audit logs are useless if you don't know how, or don't have the tools, to manage those logs effectively. To implement auditing, you must have the business requirement to audit, a well-configured audit policy, and the tools with which to manage audited events.

Specify Auditing Settings on a File or a Folder


Many organizations elect to audit file system access to provide insight into resource usage and potential security issues. Windows Server 2008 supports granular auditing based on user or group accounts and the specific actions performed by those accounts. To configure auditing, you must complete three steps: specify auditing settings, enable audit policy, and evaluate events in the security log.

You can audit access to a file or folder by adding auditing entries to its system access control list (SACL).

1. Open the properties dialog box of the file or folder, and then click the Security tab.
2. Click Advanced.
3. Click Auditing. The Advanced Security Settings dialog box of a folder named Confidential Data is shown in the following screenshot:
4. To add an entry, click Edit to open the Auditing tab in Edit mode.
5. Click Add to select the user, group, or computer to audit.
6. In the Auditing Entry dialog box shown in the following screenshot, indicate the type of access to audit:


You can audit for successes, failures, or both as the specified user, group, or computer attempts to access the resource by using one or more of the granular access levels.

You can audit successes for the following purposes:

To log resource access for reporting and billing.
To monitor access that would suggest users are performing actions greater than what you had planned, indicating that permissions are too generous.
To identify access that is out of character for a particular account, which might be a sign that a user account has been breached by a hacker.

Auditing failed events enables you:

To monitor for malicious attempts to access a resource to which access has been denied.
To identify failed attempts to access a file or folder to which a user does require access. This would indicate that the permissions are not sufficient to achieve a business requirement.

An auditing entry directs Windows to audit the successful or failed attempts of a security principal (user, group, or computer) to use a specific permission. The example in the screenshot of the Auditing Entry dialog box, shown previously, audits for unsuccessful attempts by users in the Consultants group to access data in the Confidential Data folder at any level. It does that by configuring an auditing entry for Full Control access. Full Control includes all individual access levels, so this entry covers any type of access. If a Consultants group member attempts access of any kind and fails, the activity will be logged.


Typically, auditing entries reflect the permission entries for the object. In other words, you would configure the Confidential Data folder with permissions that prevent Consultants from accessing its contents. You would then use auditing to monitor Consultants who nonetheless attempt to access the folder. Keep in mind, of course, that a member of the Consultants group can also belong to another group that does have permission to access the folder. Because that access will be successful, a failure entry does not log it. (An explicit Deny entry for Consultants, as configured in the lab, is evaluated before any Allow entry and blocks the access regardless of other memberships.) Therefore, if you really are concerned about keeping users out of a folder and making sure they do not access it in any way, monitor failed access attempts. However, you should also audit successful access to identify situations in which a user is accessing the folder through another group membership that is potentially incorrect.

Important: Audit logs have the tendency to get quite large rapidly. Therefore, a golden rule for auditing is to configure the bare minimum required to achieve the business task. Specifying to audit the successes and failures on an active data folder for the Everyone group by using Full Control (all permissions) generates enormous audit logs that could affect the performance of the server and make locating a specific audited event almost impossible.
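The permission entry and the auditing entry described above, applied with Windows PowerShell instead of the Security tab, as an added example that is not part of the course text. It assumes the lab folder C:\data\Confidential Data already exists on the file server, that the group is CONTOSO\Consultants, and that the script runs in an elevated session (reading or writing a SACL requires the Manage auditing and security log user right).

```powershell
# Added example, not from the course: deny CONTOSO\Consultants all access to the
# folder (DACL) and audit their failed attempts at any access level (SACL).
# Assumptions: folder exists, group name is CONTOSO\Consultants, session is elevated.
$folder    = 'C:\data\Confidential Data'
$principal = 'CONTOSO\Consultants'

# Settings shared by both entries: Full Control, inherited by subfolders and files.
$rights  = 'FullControl'
$inherit = 'ContainerInherit, ObjectInherit'
$prop    = 'None'

# 1. Permission entry: an explicit Deny ACE. Deny is evaluated before any Allow the
#    user receives through other group memberships.
$acl = Get-Acl -Path $folder
$denyAce = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $principal, $rights, $inherit, $prop, 'Deny'
$acl.AddAccessRule($denyAce)
Set-Acl -Path $folder -AclObject $acl

# 2. Auditing entry: log Failure for Full Control. Full Control covers every
#    individual right, so a single entry catches any kind of attempted access.
$sacl = Get-Acl -Path $folder -Audit
$auditAce = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $principal, $rights, $inherit, $prop, 'Failure'
$sacl.AddAuditRule($auditAce)
Set-Acl -Path $folder -AclObject $sacl

# 3. Read both lists back, as the Security and Auditing tabs would show them.
$result = Get-Acl -Path $folder -Audit
$result.Access | Where-Object { $_.IdentityReference.Value -eq $principal } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
$result.Audit |
    Format-Table IdentityReference, AuditFlags, FileSystemRights, IsInherited -AutoSize
```

The SACL entry alone produces no events: the Audit object access policy described in the next topic must also audit failures on this server.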

Enable Audit Policy


Configuring auditing entries in the security descriptor of a file or folder does not, in itself, enable auditing. Auditing must be enabled by defining the Audit object access policy setting, found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.


After auditing is enabled, the security subsystem begins to pay attention to the audit settings and log access as directed by those settings.

The policy setting must be applied to the server that contains the object being audited. You can configure the policy setting in the server's local GPO or use a GPO scoped to the server.

You can define the policy to audit Success events, Failure events, or both. The policy setting must specify auditing of Success or Failure attempts that match the type of auditing entry in the object's SACL (shown in the previous topic). For example, to log a failed attempt by Consultants to access the Confidential Data folder, you must configure the Audit object access policy to audit failures, and you must configure the SACL of the Confidential Data folder to audit failures. If the audit policy audits successes only, the failure entries in the folder's SACL will not trigger logging.

Note: Remember that access that is audited and logged is the combination of the audit entries on specific files and folders and the settings in Audit policy. If you've configured audit entries to log failures, but the policy enables only logging for successes, your audit logs will remain empty.
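An added check, not part of the course text, for the mismatch the note above warns about. It also answers the earlier observation that not every category audits failures by default: it reads the effective audit policy with auditpol.exe, lists every subcategory that audits no failures, and then compares each auditing entry on the lab folder against the File System subcategory that governs file and folder SACLs. It assumes an elevated session on the file server after Group Policy has refreshed, the folder C:\data\Confidential Data, and English column names in auditpol's CSV output; the function name Test-AuditCoverage is this example's own.

```powershell
# Added example, not from the course: does the audit policy on this server
# actually cover the auditing entries in a folder's SACL?
# Assumptions: elevated session on the file server, policy already refreshed,
# English auditpol output (column names are localized on non-English builds).
$folder = 'C:\data\Confidential Data'

# auditpol /r returns CSV with the columns "Machine Name","Policy Target",
# "Subcategory","Subcategory GUID","Inclusion Setting","Exclusion Setting".
# Inclusion Setting is "Success", "Failure", "Success and Failure" or "No Auditing".
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

'Subcategories that audit no failures (nothing is logged when these operations fail):'
$policy | Where-Object { $_.'Inclusion Setting' -notmatch 'Failure' } |
    Format-Table Subcategory, 'Inclusion Setting' -AutoSize

# The legacy "Audit object access" setting enables all Object Access subcategories;
# file and folder SACLs are evaluated under its File System subcategory.
$fileSystem  = $policy | Where-Object { $_.Subcategory -eq 'File System' }
$policyFlags = [string]$fileSystem.'Inclusion Setting'

function Test-AuditCoverage {
    # Returns $true when every flag of a SACL entry (Success and/or Failure)
    # is enabled by the File System policy; otherwise the entry logs nothing.
    param([string]$EntryFlags, [string]$PolicyFlags)
    foreach ($flag in ($EntryFlags -split ',\s*')) {
        if ($PolicyFlags -notmatch $flag) { return $false }
    }
    return $true
}

"`nFile System policy: $policyFlags"
foreach ($entry in (Get-Acl -Path $folder -Audit).Audit) {
    $entryFlags = $entry.AuditFlags.ToString()     # "Failure", "Success" or "Success, Failure"
    $status = if (Test-AuditCoverage $entryFlags $policyFlags) { 'LOGGED' } else { 'DEAD ENTRY' }
    '{0,-11} {1,-28} SACL={2,-17} rights={3}' -f $status, $entry.IdentityReference, $entryFlags, $entry.FileSystemRights
}
```

On a default build the File System line reads No Auditing and every entry on the folder is reported as a dead entry; after the File Server Auditing GPO from Lab C applies, a Failure entry is reported as logged while any Success entry is still dead.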

Evaluate Events in the Security Log

After you have enabled the Audit object access policy setting and specified the access you want to audit by using object SACLs, the system begins to log access according to the audit entries. You can view the resulting events in the Security log of the server. Open the Event Viewer console from Administrative Tools. Expand Windows Logs\Security.
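Scrolling the Security log in Event Viewer does not scale once auditing is on, so here is an added example, not part of the course text, that pulls the object access events for one folder out of the log and shows who tried what. It assumes an elevated session on the file server, the folder C:\data\Confidential Data, and the Windows Server 2008 R2 event IDs 4656 (a handle to an object was requested; on a denied request this is the Audit Failure event) and 4663 (an attempt was made to access an object).

```powershell
# Added example, not from the course: list object access audit events for one
# folder from the Security log, with the fields Event Viewer buries in the XML.
# Assumptions: elevated session on the file server; folder path as in the lab;
# event IDs 4656 and 4663 (File System task category on Windows Server 2008 R2).
$folder = 'C:\data\Confidential Data'

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Subject, object name and requested access are named <Data> elements in the event XML.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ObjectName'] -like "$folder*") {
        $outcome = if ($ev.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        # AccessList holds %%-coded access names (for example %%4416 is ReadData);
        # AccessMask is the raw mask when no list is present.
        $access = if ($data['AccessList']) { ($data['AccessList'] -replace '\s+', ' ').Trim() } else { $data['AccessMask'] }
        New-Object -TypeName PSObject -Property @{
            Time    = $ev.TimeCreated
            EventId = $ev.Id
            Outcome = $outcome
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Access  = $access
            Process = $data['ProcessName']
        }
    }
}

$hits | Sort-Object Time -Descending |
    Format-Table Time, EventId, Outcome, User, Access, Process -AutoSize
```

Filtering on Id inside Get-WinEvent's hashtable is what keeps this fast; the per-event XML parse only runs on the object access events that survive that filter.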

Lab C: Audit File System Access

Lab Setup
For this lab, you will use the same virtual machine environment used in previous labs. If required, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6425C-NYC-SVR1. Do not log on to the machine until directed to do so.

Lab Scenario
In this lab, you will configure auditing settings, enable audit policies for object access, and filter for specific events in the Security log. The business objective is to monitor a folder containing confidential data that should not be accessed by users in the Consultants group.

Exercise 1: Configure Permissions and Audit Settings



In this exercise, you will configure permissions on the Confidential Data folder to deny access to consultants. You will then enable auditing of attempts by consultants to access the folder.

The main tasks for this exercise are as follows:

1. Create and secure a shared folder.
2. Configure auditing settings on a folder.

Task 1: Create and secure a shared folder.

1. Switch to NYC-DC1.
2. Run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
3. In the Groups\Role OU, create a new global security group named Consultants.
4. Add Mike.Danseglio to the Consultants group.
5. Create a new folder in \\NYC-SVR1\c$\data called Confidential Data.
6. Configure NTFS permissions that deny the Consultants group all access to the folder.


Task 2: Configure auditing settings on a folder.

Configure auditing settings on the Confidential Data folder to audit for any failed access by the Consultants group.

Results: In this exercise, you configured permissions and audit settings for a folder.

Exercise 2: Configure Audit Policy


In this exercise, you will enable auditing of file system access on file servers by using Group Policy.

The main task for this exercise is as follows:

Enable auditing of file system access by using Group Policy.

Task 1: Enable auditing of file system access by using Group Policy.

1. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Create a new GPO named File Server Auditing.
3. Configure the GPO to audit for failed object access.
4. Link the GPO to the Servers\File OU.

Results: In this exercise, you configured auditing of failed access to file system objects on servers in the Servers\File OU.

Exercise 3: Examine Audit Events


In this exercise, you will generate audit failure events and then examine the resulting security event log messages.

The main tasks for this exercise are as follows:

1. Generate audit events.
2. Examine audit event log messages.

Task 1: Generate audit events.



1. Log on to NYC-SVR1 as Pat.Coleman with the password Pa$$w0rd.
2. Run the Command Prompt as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
3. Refresh Group Policy to apply the new auditing settings by executing the command gpupdate.exe /force.
4. Log off of NYC-SVR1.
5. Log on to NYC-CL1 as Mike.Danseglio with the password Pa$$w0rd.
6. Attempt to open \\NYC-SVR1\data\Confidential Data. You will receive an Access Denied message.

Task 2: Examine audit event log messages.

1. Switch to NYC-SVR1.
2. Run Event Viewer as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
3. Locate the audit failure events related to Mike Danseglio's access to the Confidential Data folder.

Question: What is the Task Category for the event? What is the Event ID? What type of access was attempted?


Results: In this exercise, you validated the auditing of failed access to the Confidential Data folder by members of the Consultants group.

Important: Do not shut down the virtual machine after you finish this lab because the settings you have configured here will be used in subsequent labs.

Lab Review Questions

Question: What are the three major steps required to configure auditing of file system and other object access?

Question: What systems should have auditing configured? Is there a reason not to audit all systems in your enterprise? What types of access should be audited, and by whom should they be audited? Is there a reason not to audit all access by all users?

Lesson 4: Software Restriction Policy and AppLocker


In a large network environment, one of the challenges of network security is preventing access to unauthorized software on workstations. Software restriction policies and application control policies can be used to control access to software installed on workstations.

Objectives
After completing this lesson, you will be able to:

Describe Software Restriction Policy.
Describe how to control access to applications by using Application Control Policies.

Compare AppLocker and Software Restriction Policies.
Configure AppLocker.

What Is a Software Restriction Policy?

A primary security concern for client computers is the current applications available on each computer. To do their jobs, users need access to the applications that meet their specific needs. There is the possibility, however, that unneeded or unwanted applications get installed on the client computers, whether unintentionally or for malicious or non-business purposes.



Introduced in the Windows XP operating system and the Windows Server 2003 operating system, Software Restriction Policies (SRPs) allow an administrator to identify and specify which applications are permitted to run on client computers. SRP settings are configured and deployed to clients by using Group Policy. An SRP set comprises the following key components.

Rules
Rules govern how an SRP responds to an application being run or installed. Rules are the key constructs within an SRP, and a group of rules together determine how an SRP will respond to applications being run. Rules can be based on one of the following criteria that apply to the primary executable file for the application in question.

Hash. A cryptographic fingerprint of the file.
Certificate. A software publisher certificate used to digitally sign a file.
Path. The local or Universal Naming Convention (UNC) path of where the file is stored.
Zone. The Internet zone.

Security Levels
Each applied SRP is assigned a security level that governs the way the operating system reacts when the application that is defined in the rule is run. The three available security levels are as follows.

Disallowed. The software identified in the rule will not run, regardless of the access rights of the user.
Basic User. Allows the software identified in the rule to run as a standard, non-administrative user.
Unrestricted. Allows the software identified in the rule to run unrestricted by SRP.

Default Security Level


The way a system behaves in general is determined by the Default Security Level, which governs how the operating system reacts to applications without any SRP rules defined. The following three points outline a system's default behavior, based on the Default Security Level applied in the SRP:

Disallowed. No applications will be allowed to run unless an SRP rule is created that allows each specific application or a set of applications to run.
Basic User. All applications will run under the context of a basic user, regardless of the permissions of the user who is logged on, unless an SRP rule is created to modify this behavior for a specific application or a set of applications.
Unrestricted. All applications will run as if SRP was not enabled, unless specifically defined by an SRP rule.

Based on these three components, there are two primary ways to use SRPs:

If an administrator knows all the software that should be allowed to run on clients, the Default Security Level can be set to Disallowed. All applications that should be allowed to run can be identified in SRP rules that would apply either the Basic User or Unrestricted security level to each individual application, depending on the security requirements.
If an administrator does not have a comprehensive list of the software that should be allowed to run on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security requirements. Any applications that should not be allowed to run can then be identified by using SRP rules, which would use a security level setting of Disallowed.

Software Restriction Policy settings can be found in Group Policy at the following location: Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies.

Note: Software Restriction Policies are not enabled by default in Windows Server 2008 R2.
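There is no Group Policy result view that shows which SRP rules and security levels a computer ended up with, so here is an added example, not part of the course text, that reads the policy in force from the registry keys Group Policy writes it to and decodes the three security levels. It assumes the layout Windows uses for SRP (the CodeIdentifiers key with one subkey per numeric level, each holding Paths and Hashes rule keys), that the computer policy is under HKLM (a user policy sits at the same path under HKCU), and it lists only path and hash rules because certificate and zone rules are stored elsewhere; the function name Get-SrpRule is this example's own.

```powershell
# Added example, not from the course: show the Software Restriction Policy in
# force on this computer by reading the registry keys Group Policy writes it to.
# Assumptions: computer policy under HKLM; subkeys named by numeric security
# level; only path and hash rules are enumerated (certificate and zone rules
# live elsewhere).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Rule subkeys are named by the numeric security level they grant.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpRule {
    # Walks <level>\Paths\<guid> and <level>\Hashes\<guid> and returns one object per rule.
    param([string]$Path)
    $levelKeys = Get-ChildItem -Path $Path | Where-Object { $_.PSChildName -match '^\d+$' }
    foreach ($levelKey in $levelKeys) {
        $level = $levelNames[[int]$levelKey.PSChildName]
        foreach ($typeKey in Get-ChildItem -Path $levelKey.PSPath) {
            foreach ($ruleKey in Get-ChildItem -Path $typeKey.PSPath) {
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                $item = if ($typeKey.PSChildName -eq 'Hashes') {
                    # Hash rules store the digest as REG_BINARY; render it as hex.
                    ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                } else {
                    $r.ItemData        # Path rules store the path; environment variables are allowed
                }
                New-Object -TypeName PSObject -Property @{
                    Level       = $level
                    Type        = $typeKey.PSChildName -replace 'es$|s$', ''   # Paths -> Path, Hashes -> Hash
                    Item        = $item
                    Description = $r.Description
                }
            }
        }
    }
}

if (-not (Test-Path -Path $base)) {
    'No Software Restriction Policy is defined on this computer (SRP is not enabled by default).'
} else {
    $root = Get-ItemProperty -Path $base
    'Default security level: {0}' -f $levelNames[[int]$root.DefaultLevel]
    'Applies to: {0}' -f $(if ($root.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' })
    Get-SrpRule -Path $base | Sort-Object Level, Type, Item |
        Format-Table Level, Type, Item, Description -AutoSize
}
```

Run it on a client after gpupdate to confirm that the Default Security Level and the rules you defined in the GPO actually arrived; a Disallowed default with an empty Unrestricted list is the configuration that locks every user out of every program.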



Overview of Application Control Policies

Note: The content in this section only applies to Windows Server 2008 R2.

Application Control Policies represent the next evolution of control over the operations of applications within your domain environment. Application Control Policies are controlled by AppLocker.

AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, provides a number of enhancements that improve upon the functionality previously provided by SRP. AppLocker provides administrators with a variety of methods for quickly and concisely determining the identity of applications to which they may want to restrict or permit access.

AppLocker is applied through Group Policy to computer objects within an organizational unit. In addition, individual AppLocker rules can be applied to individual AD DS users or groups.

AppLocker also contains options for monitoring or auditing the application of rules, both as rules are being enforced and in an audit-only scenario.

AppLocker can help organizations prevent unlicensed or malicious software from running, and can selectively restrict ActiveX controls from being installed. It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise and that users are running only the software and applications that are approved by the enterprise.

Specifically, the following scenarios provide examples of where AppLocker can be used to provide some level of application management:

Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared with the actual usage.
The security policy for application usage has changed, and you need to evaluate where and when those deployed applications are being accessed.
Your organization's security policy dictates the use of only licensed software, so you need to determine which applications are not licensed or prevent unauthorized users from running licensed software.
An application is no longer supported by your organization, and you need to prevent it from being used by everyone.
A new application or a new version of an application is deployed, and you need to allow certain groups to use it.
Specific software tools are not allowed within the organization, or only specific users have access to those tools.
A single user or a small group of users needs to use a specific application that is denied for all others.
Some computers in your organization are shared by people who have different software usage needs.

AppLocker is available in the following editions of Windows:

Windows Server 2008 R2 Standard operating system
Windows Server 2008 R2 Enterprise operating system
Windows Server 2008 R2 Datacenter operating system
Windows Server 2008 R2 for Itanium-Based Systems operating system
Windows 7 Ultimate operating system
Windows 7 Enterprise operating system

Note: AppLocker is not enabled by default in Windows Server 2008 R2.

Compare AppLocker and Software Restriction Policies


When implementing SRPs in previous Windows versions, it was particularly difficult to create policies that were secure and remained functional after software updates were applied. This was due to the lack of granularity of certificate rules and the fragility of hash rules, which became invalid when an application binary was updated. To resolve this issue, AppLocker enables you to create a rule that combines a certificate with a product name, file name, and file version. This simplifies your ability to specify that anything signed by a particular vendor for a specific product name can run.

Certificate rules in SRP allow you to trust all software signed by a specific publisher; however, AppLocker gives you greater flexibility. When creating publisher rules, you can trust the publisher, and also drill down to the product level, the executable level, and even the version.

For example, with SRP, you can create a rule that effectively reads "Trust all content signed by Microsoft." With AppLocker, you can further refine the rule to specify: "Trust the Microsoft Office 2007 Suite if it is signed by Microsoft and the version is greater than 12.0.0.0."

The AppLocker enhancements over the SRP feature can be summarized as follows:

The ability to define rules based on attributes derived from a file's digital signature, including the publisher, product name, file name, and file version. SRP supports certificate rules, but they are less granular and more difficult to define.
A more intuitive enforcement model: only a file that is specified in an AppLocker rule is allowed to run.
A new, more accessible user interface that is accessed through a new Microsoft Management Console (MMC) snap-in extension to the Group Policy Management Console snap-in.
An audit-only enforcement mode that allows administrators to determine which files would be prevented from running if the policy were in effect.

The following table outlines other key differences between AppLocker and SRPs.

Feature | SRP | AppLocker
Rule scope | Specific user or group (per Group Policy object [GPO]) | Specific users or groups (per rule)
Rule conditions provided | File hash, path, certificate, registry path, Internet zone | File hash, path, publisher
Rule types provided | Allow and Deny | Allow and Deny
Default rule action | Unrestricted (allow) | Implicit Deny
Audit-only mode | No | Yes
Wizard to create multiple rules at one time | No | Yes
Policy import or export | No | Yes
Rule collection | No | Yes
Windows PowerShell support | No | Yes
Custom error messages | No | Yes

Implementing AppLocker and SRPs


Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems were only able to use SRP rules. In Windows Server 2008 R2 and Windows 7, you can apply SRP or AppLocker rules, but not both. This allows you to upgrade an existing implementation to Windows 7 and still take advantage of the SRP rules defined in group policies.

However, if Windows Server 2008 R2 or Windows 7 computers have both AppLocker and SRP rules applied in group policy, only the AppLocker rules are enforced and the SRP rules are ignored.

When you add a single AppLocker rule in Windows Server 2008 R2 or Windows 7, all processing of SRP rules stops. Therefore, if you are replacing SRP rules with AppLocker rules, you must implement all AppLocker rules that you require at one time. If you implement the AppLocker rules incrementally, you will lose the functionality provided by SRP rules that have not yet been replaced with corresponding AppLocker rules.

Note: SRP is still the standard method to restrict software usage in versions of Windows prior to Windows Server 2008 R2 and Windows 7.

Demonstration: How to Configure Application Control Policies


In this demonstration, you will see how to:

Create a GPO to enforce the default AppLocker Executable rules.
Apply the GPO to the domain.
Test the AppLocker rule.

Demonstration Steps
1. Open the Group Policy Management Console.
2. Create a new GPO.
3. Configure the AppLocker default rules in the GPO.
4. Link the GPO to the Contoso.com domain.
5. Switch to NYC-CL1.
6. Attempt to open WordPad.

Lab D: Configure Application Control Policies


Lab Setup
For this lab, you will use the same virtual machine environment used in previous labs. If required, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2 and 3 for 6425C-NYC-CL1. Do not log on to the machine until directed to do so.

Lab Scenario
You have been asked to ensure that a widely used application in the environment that has been recently replaced by a new software suite is no longer used at Contoso, Ltd.

Exercise 1: Configure Application Control Policies


Scenario

Microsoft Office 2007 has recently been installed in the Research department at Contoso, Ltd on all client computers. Previously, WordPad was used for word processing tasks in the Research department. To encourage users to use the new word processing capabilities of Office Word 2007, you have been asked to restrict users in the Research department from running WordPad on their computers.

The main tasks for this exercise are as follows:

1. Create a GPO to enforce the default AppLocker Executable rules.
2. Apply the GPO to the Contoso.com domain.
3. Test the AppLocker rule.

Task 1: Create a GPO to enforce the default AppLocker Executable rules.

1. On NYC-DC1, in the Group Policy Management console, create a new GPO named WordPad Restriction Policy. If necessary, use the account Pat.Coleman_Admin with the password Pa$$w0rd.


2. Edit the new GPO with the following settings:
   Application Control Policy: Under Executable Rules, create a new executable publisher rule for C:\Program Files\Windows NT\Accessories\wordpad.exe that denies Everyone access to run any version of wordpad.exe.
   Configure Executable rules to be enforced.
   Configure the Application Identity service to run and set it to Automatic.

Task 2: Apply the GPO to the Contoso.com domain.

Apply the WordPad Restriction Policy GPO to the Contoso.com domain container.

Task 3: Test the AppLocker rule.

1. Restart and then log on to NYC-CL1 as Contoso\Alan.brewer with the password Pa$$w0rd.
2. Refresh Group Policy by running gpupdate /force from the command prompt.
3. Try to run Start, All Programs, Accessories, WordPad.

Note: The AppLocker policy should restrict you from running this application. If the application runs, log off from NYC-CL1 and log on again. It may take a few minutes for the policy setting to apply to NYC-CL1. After the policy setting is applied, the application will be restricted.

Results: In this exercise, you restricted an application by using AppLocker.
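The same publisher rule built, tested and deployed with the AppLocker cmdlets instead of the GPME, as an added example that is not part of the course text. It shows the publisher, product, binary name and version attributes that the comparison with SRP earlier in this lesson describes, and it exercises the audit-before-enforce step that the GPME does not offer. It assumes an elevated session on NYC-DC1 as a domain administrator, that the GPO WordPad Restriction Policy already exists and already contains the default Executable rules, and that the domain is contoso.com.

```powershell
# Added example, not from the course: build, test and deploy the WordPad deny
# rule from Exercise 1 with the AppLocker cmdlets.
# Assumptions: elevated session on NYC-DC1; GPO "WordPad Restriction Policy"
# exists and already holds the default Executable rules; domain contoso.com.
Import-Module AppLocker
Import-Module GroupPolicy

$exe     = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
$gpoName = 'WordPad Restriction Policy'
$xmlPath = Join-Path $env:TEMP 'wordpad-deny.xml'

# 1. Identify the file the way a publisher rule does: signer, product, binary name
#    and version from the Authenticode signature (plus the hash, for comparison).
$info = Get-AppLockerFileInformation -Path $exe
$info | Format-List Path, Publisher, Hash

# 2. Generate a publisher rule for Everyone. New-AppLockerPolicy only writes Allow
#    rules, so change the action to Deny and widen the version range to any version.
$xml = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -RuleNamePrefix WordPad -Xml)
$exeCollection = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
foreach ($rule in $exeCollection.FilePublisherRule) {
    $rule.Action = 'Deny'
    $range = $rule.Conditions.FilePublisherCondition.BinaryVersionRange
    $range.LowSection  = '*'
    $range.HighSection = '*'
}
$exeCollection.EnforcementMode = 'Enabled'    # Executable rules: enforce rather than audit only
$xml.Save($xmlPath)

# 3. Test before deploying. wordpad.exe must come back Denied. notepad.exe shows
#    what a collection with no Allow rules does to everything else (DeniedByDefault),
#    which is why the default rules must already be in the GPO before the merge below.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $exe, "$env:windir\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge the rule into the GPO. Clients enforce it only while the Application
#    Identity service (AppIDSvc) is running, which the lab sets through System Services.
$gpo  = Get-GPO -Name $gpoName
$ldap = 'LDAP://nyc-dc1.contoso.com/CN={{{0}}},CN=Policies,CN=System,DC=contoso,DC=com' -f $gpo.Id
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $ldap -Merge

# 5. Show the policy the GPO now carries.
Get-AppLockerPolicy -Ldap $ldap -Xml
```

Switching EnforcementMode to AuditOnly in step 2 and deploying that first produces the 8003 "would have been prevented" events in the AppLocker\EXE and DLL log on clients, which is the safe way to find applications the rule set would block before enforcement is turned on.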

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6425C-NYC-SVR1 and 6425C-NYC-CL1.


Lab Review Question

Question: How can you permit access to only a specific set of applications for a set of computers in your environment?

Module Review and Takeaways

Review Questions
1. Describe the procedure used to apply a security template to a computer.
2. Why must AppLocker rules be defined in a GPO separate from SRP rules?

Windows Server 2008 R2 Features Introduced in This Module


Windows Server 2008 R2 feature | Description
AppLocker | Used to control how users can access and use applications
