
Security Configuration and Auditing: Best Practices and Tools

Learn how to set up security policies, configure auditing, and troubleshoot security configuration issues. Explore various security templates, account policies, and security settings using the Security Configuration and Analysis console.

clenz

Presentation Transcript


  1. Goals • Introduce security configuration • Introduce auditing • Set audit policy on a domain controller • Set audit policy on a stand-alone server or computer • View the Security log • Audit user access to Active Directory objects • Assign user rights to users and groups

  2. Goals (2) • Implement account policy • Implement security templates • Use the Security Configuration and Analysis console • Use the Security Configuration and Analysis console to configure security • Troubleshoot security configuration issues

  3. (Skill 1) Introducing Security Configuration • Security configuration is the process of setting up a security policy • For an individual system • For a network • Security policies are required • Guard against unauthorized internal users • Protect from external threats

  4. (Skill 1) Introducing Security Configuration (2) • Use security configuration • To set up security policies • Account • Local • To create access control policies • Services • Registry • Files

  5. (Skill 1) Introducing Security Configuration (3) • Use security configuration • To define event log settings • To determine group membership settings (restricted groups) • To create public key policies • To set Internet Protocol (IP) security policies

  6. (Skill 1) Introducing Security Configuration (4) • Factors to consider while designing security policies • Physical distribution of the network • Business model of the organization • Network load due to inter-computer dataflow and access • Overall computer usage

  7. (Skill 1) Introducing Security Configuration (5) • Windows Server 2003 Security Configuration tools • Group Policy Object Editor is used to apply security settings centrally for the computers in a domain. • Use the Security Settings extension in the Group Policy Object Editor to apply different categories of security policies

  8. (Skill 1) Figure 12-1 Security extension of the Group Policy Object Editor

  9. (Skill 1) Introducing Security Configuration (6) Categories of security policies • Account policies • Can only be set for the entire domain • Password policy • Account lockout policy • Kerberos policy

  10. (Skill 1) Figure 12-2 Password Policy settings

  11. (Skill 1) Introducing Security Configuration (7) Categories of security policies • Local policies • Audit policy • User rights assignment • Security options

  12. (Skill 1) Introducing Security Configuration (8) Categories of security policies • Event log allows you to specify security log settings • Maximum size of the event log file • Logging options • Event log access rights

  13. (Skill 1) Introducing Security Configuration (9) Categories of security policies • Restricted Groups allows you to define additional control over the membership of key groups • Defining a group as a restricted group • Setting the membership for the group • Configuring member groups and users for the restricted group

  14. (Skill 1) Introducing Security Configuration (10) • Categories of security policies • System Services allows you to configure the startup settings for services on a computer • Startup mode settings: Automatic, Manual, and Disabled • Can specify which security group or user can modify a service’s properties (start, stop, or pause)

  15. (Skill 1) Figure 12-3 System Services security settings

  16. (Skill 1) Introducing Security Configuration (11) Categories of security policies • Registry • Registry security settings allow you to set permissions for users to read, modify, and add new keys to the Registry • File System • Allows you to set access permissions for folders and files on the computer • Settings only apply to computers with NTFS drives

  17. (Skill 1) Figure 12-4 Files and Folders permissions settings

  18. (Skill 1) Introducing Security Configuration (12) Categories of security policies • Wireless Network (IEEE 802.11) Policies control network security settings for supported wireless networking devices • Public Key Policies are used to configure public key encryption • IP Security Policies are used to configure IP security for TCP/IP-based communication between servers, clients, and domain controllers using Microsoft’s version of IPSec

  19. (Skill 2) Introducing Auditing • Auditing is used to track user activities and object access on the computers on a network • Regular auditing ensures security of network resources • Auditing can discover security breaches • Auditing can help in resource planning for the computers on the network

  20. (Skill 2) Introducing Auditing (2) • Steps in setting up a security audit • Determine carefully the events to be audited on each computer • Security events that can be tracked • Who logged on to a computer and when? • What files were accessed or folders were created? • What printers were used? • What Registry keys were accessed, when, and by whom? • What actions did the users attempt to perform on them?

  21. (Skill 2) Introducing Auditing (3) • Steps in setting up a security audit • Decide the computers, users, or groups to be tracked • Activate the audit object access policy.

  22. (Skill 2) Introducing Auditing (4) • Activating the audit object access policy • Configure the audit object access policy in the Properties dialog box and the System ACL editor for the object • Select who you are going to audit • Choose what file system actions you want to monitor in the SACL editor for the file or folder

  23. (Skill 2) Introducing Auditing (5) • Monitoring a particular event • Define an audit policy in the Audit Policy folder • The audit policy tells the operating system what to record in the Security event log on each computer • On a domain controller, modify the default domain policy by using the Group Policy Management console • Only Domain Administrators and Enterprise Administrators can configure auditing at the domain level

  24. (Skill 2) Figure 12-5 Audit policy

  25. (Skill 2) Introducing Auditing (6) • Audited events are stored in the Security event log • Success and failure can both be recorded • Security log can be viewed using the Event Viewer • The Security log entries allow identification of existing security problems in the overall network, as well as on individual computers

  26. (Skill 2) Figure 12-6 The Security Event log

  27. (Skill 3) Setting Audit Policy on a Domain Controller • Unauthorized access to a domain must be monitored • Set up an audit policy on a domain controller by configuring Group Policy • Link the GPO to the default Domain Controllers OU • You must have the Manage auditing and security log right on the system to configure auditing

  28. (Skill 3) Setting Audit Policy on a Domain Controller (2) • Setting up auditing is a two-step process • Step 1 • Configure the audit policy to track particular events, for success, for failure or both • Step 2 • Open the specific resource you wish to audit • Enable auditing by selecting the type of event you want to track and the user group or groups for which you want to track that event

  29. (Skill 3) Figure 12-7 Creating a GPO

  30. (Skill 3) Figure 12-8 The Audit account logon events Properties dialog box

  31. (Skill 3) Figure 12-9 The Audit object access Properties dialog box

  32. (Skill 3) Figure 12-10 Advanced Security Settings for Annual Reports

  33. (Skill 3) Figure 12-11 Selecting the actions to be audited

  34. (Skill 3) Figure 12-12 A Security warning dialog box
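The two-step process from Skill 3, scripted as an added example that is not part of the original presentation. It assumes Windows Vista / Server 2008 or later (where `auditpol /set` and PowerShell are available, unlike the Windows Server 2003 consoles the slides show) and an elevated session holding the Manage auditing and security log right; the folder path and audited group are hypothetical.

```powershell
# Added example, not from the slides. $Folder and $Group are hypothetical values.
$Folder = 'D:\Shares\Annual Reports'
$Group  = 'Everyone'

# Step 1: configure the audit policy for success and failure.
# "File System" is the subcategory of the Object Access category that covers
# files and folders; enabling only it keeps Security log volume down.
# Without this step, audit entries on the folder produce no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed; run from an elevated session' }

# Step 2: open the specific resource and enable auditing on it (its SACL).
# Get-Acl returns the SACL only when -Audit is given, and reading or writing
# it requires the "Manage auditing and security log" user right.
$acl = Get-Acl -Path $Folder -Audit

# The type of event to track: writes, deletes and permission changes.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions'
# Apply to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
# Record both successful and failed attempts.
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group, $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check both steps: the effective policy, then the audit entries on the folder.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

If either step is missing, nothing reaches the Security log: the policy alone audits no object, and a SACL alone is ignored while the policy is off.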

  35. (Skill 4) Setting Audit Policy on a Stand-Alone Server or Computer • Problems auditing stand-alone servers and workgroup computers running Windows 2000 or XP Professional • They do not belong to a domain • A domain controller-based audit policy cannot be applied to them • Stand-alone computers and the network computers may be able to access each other and hence require monitoring

  36. (Skill 4) Setting Audit Policy on a Stand-Alone Server or Computer (2) • Audit policy should be set for stand-alone computers • To monitor network access attempts • To monitor local security events

  37. (Skill 4) Figure 12-13 Audit Policy in the Local Security Settings console

  38. (Skill 4) Figure 12-14 Enabling auditing for local logon attempts

  39. (Skill 4) Figure 12-15 Updating local security policy

  40. (Skill 5) Viewing the Security Log • Problems with implementation of audit policies • Increases the overhead on a computer • Slows down CPU performance • Security event log can become inundated with entries • Solutions • Set a schedule for checking the Security log regularly • Specify a maximum file size for Security log

  41. (Skill 5) Viewing the Security Log (2) • Be aware when the Security log reaches the maximum file size • You may lose data if the log becomes full before you archive it • Archiving is the process of saving a history of events so you can track trends in resource usage • When the log is full, the operating system will stop recording events

  42. (Skill 5) Figure 12-16 The Security Log Properties dialog box

  43. (Skill 5) Viewing the Security Log (3) • Set filters to control what is recorded in the log • Event type: Information, Warning, Error, or Success or Failure audit • Event source: Choose a particular source, such as Spooler, LSA (Local Security Authority), or SC (Service Control) Manager • Category: Account Logon, Account Management, Directory Service Access, Privilege Use, Object Access events, and so on • Event ID • User • Computer • Specific time periods

  44. (Skill 5) Figure 12-17 The Filter tab in the Security Properties dialog box

  45. (Skill 5) Figure 12-18 The Security log

  46. (Skill 5) Figure 12-19 Filtering the Security log

  47. (Skill 5) Figure 12-20 Viewing event details box

  48. (Skill 6) Auditing User Access to Active Directory Objects • Active Directory objects • Are the essential building blocks of a Windows Server 2003 network • Include users, computers, OUs, groups, published printers, and so on • Audit policies for Active Directory objects • Are set based explicitly on their functionality • An audit policy set for an Active Directory object is inherited by its child object through Policy Inheritance by default

  49. (Skill 6) Figure 12-21 The Auditing tab

  50. (Skill 6) Figure 12-22 Setting printer audit policy
