programming4us
         
 
 
Applications Server

Active Directory 2008 : Managing Security Settings (part 1) - Configuring the Local Security Policy, Managing Security Configuration with Security Templates

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
7/17/2013 8:12:02 PM

Security is a primary concern for all Windows administrators. Windows Server 2008 R2 includes numerous settings that affect the services that are running, the ports that are open, the network packets that are allowed into or out of the system, the rights and permissions of users, and the activities that are audited. You can manage an enormous number of settings, and, unfortunately, there is no magic formula that applies the perfect security configuration to a server. The appropriate security configuration for a server depends on the roles that server plays, the mix of operating systems in the environment, and the security policies of the organization, which themselves depend on compliance regulations enforced from outside the organization.

Therefore, you must work to determine and configure the security settings that are required for servers in your organization, and you must be prepared to manage those settings in a way that centralizes and optimizes security configuration. Windows Server 2008 R2 provides several mechanisms with which to configure security settings on one or more systems. In this lesson, you discover these mechanisms and their interactions.

1. What Is Security Policy Management?

Security policy management involves designing, deploying, managing, analyzing, and revising security settings for one or more configurations of Windows systems. There are likely to be several system configurations in a typical enterprise: desktops and laptops, servers, and domain controllers. Most enterprises define even more configurations—for example, by delineating various types or roles of servers.

The first words are important: Security Policy. Before you even touch the technology, you need to understand what your enterprise security policy requires; if you do not yet have a written security policy, begin by creating one. After you know where you are heading, you are ready to start the journey.

Your security policy, and the requirements it contains, probably require multiple customizations to the default, out-of-box security configuration of Windows client and server operating systems. To manage security configuration, you need to:

  • Create a security policy for a new application or server role not included in Server Manager.

  • Use security policy management tools to apply security policy settings that are unique to your environment.

  • Analyze server security settings to ensure that the security policy applied to a server is appropriate for the server role.

  • Update a server security policy when the server configuration is modified.

This lesson covers the tools, concepts, and processes required to perform these tasks. The tools used in this lesson include:

  • Local Group Policy

  • Security Configuration Wizard

  • Security Templates snap-in

  • Security Configuration And Analysis snap-in

  • Domain Group Policy

2. Configuring the Local Security Policy

Each server running Windows Server 2008 R2 maintains a collection of security settings that can be managed by using the local GPO. You can configure the local GPO by using the Group Policy Object Editor snap-in or the Local Security Policy console. The available policy setting categories are shown in Figure 1.

The security settings available in the local GPO

Figure 1. The security settings available in the local GPO

This lesson focuses on the mechanisms with which to configure and manage security settings, rather than on the details of the settings themselves. Many of the settings—including account policies, audit policy, and user rights assignment—are discussed elsewhere in this training kit.

Because domain controllers (DCs) do not have local user accounts (only domain accounts), the policies in the Account Policies container of the local GPO on DCs cannot be configured. Instead, account policies for the domain should be configured as part of a domain-linked GPO such as the Default Domain Policy GPO. 

The settings found in the local Security Settings policies are a subset of the policies that can be configured using domain-based Group Policy, shown in Figure 2. The Default Domain Controllers Policy GPO is created when the first domain controller is promoted for a new domain. It is linked to the Domain Controllers OU and should be used to manage baseline security settings for all DCs in the domain so that DCs are consistently configured.

Security settings in a domain-based GPO

Figure 2. Security settings in a domain-based GPO

3. Managing Security Configuration with Security Templates

The second mechanism for managing security configuration is the security template. A security template is a collection of configuration settings stored as a text file with the .inf extension. As you can see in Figure 3, a security template contains settings that are a subset of the settings available in a domain-based GPO but a somewhat different subset than those managed by the local GPO. The tools used to manage security templates present settings in an interface that allows you to save your security configurations as files and deploy them when and where they are needed. You can also use a security template to analyze the compliance of a computer’s current configuration against the desired configuration.

Security settings in a security template

Figure 3. Security settings in a security template

Storing security configuration in security templates offers several advantages. For example, because the templates are plaintext files, you can work with them manually as with any text file, cutting and pasting sections as needed. Further, templates make it easy to store security configurations of various types so that you can easily apply different levels of security to computers performing different roles.

Security templates allow you to configure any of the following types of policies and settings:

  • Account Policies Specify password restrictions, account lockout policies, and Kerberos policies.

  • Local Policies Configure audit policies, user rights assignments, and security options policies.

  • Event Log Policies Configure maximum event log sizes and rollover policies.

  • Restricted Groups Specify the users permitted to be members of specific groups.

  • System Services Specify the startup types and permissions for system services.

  • Registry Permissions Set access control permissions for specific registry keys.

  • File System Permissions Specify access control permissions for NTFS files and folders.

You can deploy security templates in a variety of ways: by using Active Directory Group Policy Objects, the Security Configuration And Analysis snap-in, or Secedit.exe. When you associate a security template with an Active Directory Group Policy object, the settings in the template become part of the GPO. You can also apply a security template directly to a computer, in which case the settings in the template become part of the computer’s local policies. This lesson discusses each of these options. Remember to test security changes before deploying them in a production environment.

Using the Security Templates Snap-in

To work with security templates, you use the Security Templates snap-in. Windows Server 2008 R2 does not include a console with the Security Templates snap-in, so you have to create one yourself using the MMC Add/Remove Snap-in menu command. The snap-in creates a folder called Security and a subfolder called Templates in your Documents folder, and the resulting Documents\Security\Templates folder becomes the template search path, where you can store one or more security templates.

To create a new security template, right-click the node that represents your template search path—C:\Users\Administrator\Documents\Security\Templates, for example—and then click New Template. 

Settings are configured in the template in the same way that settings are configured in a GPO. The Security Templates snap-in configures settings in a security template. It is just an editor—it does not play any role in actually applying those settings to a system. Configure security settings in a template by using the Security Templates snap-in. Although the template itself is a text file, the syntax can be confusing. Using the snap-in ensures that settings are changed using the proper syntax.

The exception to this rule is adding registry settings that are not already listed in the Local Policies\Security Option portion of the template. As new security settings become known, if they can be configured using a registry key, you can add them to a security template. To do so, you add them to the Registry Values section of the template.

Note

SAVE YOUR SETTINGS

Be sure to save your changes to a security template by right-clicking the template and clicking Save.

When you install a server or promote it to a domain controller, a default security template is applied by Windows. You can find that template in the %SystemRoot%\Security\Templates folder. On a domain controller, the template is called DC security.inf. You should not modify this template directly, but you can copy it to your template search path and modify the copy.

Note

SECURITY TEMPLATES IN DIFFERENT VERSIONS OF WINDOWS

In previous versions of Windows, several security templates were available to modify and apply to a computer. The role-based configuration of Windows Server 2008 and later and the improved Security Configuration Manager have made these templates unnecessary.

Deploying Security Templates by Using Group Policy Objects

Creating and modifying security templates does not improve security until you apply those templates. To configure several computers in a single operation, you can import a security template into the Group Policy Object for a domain, site, or organizational unit object in Active Directory.

To import a security template into a GPO, right-click the Security Settings node and click Import Policy. In the Import Policy From dialog box, if you select the Clear This Database Before Importing check box, all security settings in the GPO will be erased prior to importing the template settings, so the GPO’s security settings will match the template’s settings.

If you leave the Clear This Database Before Importing check box cleared, the GPO’s security policy settings will remain and the template’s settings will be imported. Any settings defined in the GPO that are also defined in the template will be replaced with the template’s setting.

Security Configuration And Analysis Tool

You can use the Security Configuration And Analysis snap-in to apply a security template to a computer interactively. The snap-in also provides the ability to analyze the current system security configuration and compare it to a baseline saved as a security template. This helps you quickly determine whether someone has changed a computer’s security settings and whether the system conforms to your organization’s security policies.

As with the Security Templates snap-in, Windows Server 2008 R2 does not include a console with the Security Configuration And Analysis snap-in, so you must add the snap-in to a console yourself.

To use the Security Configuration And Analysis snap-in, you must first create a database that will contain a collection of security settings. The database is the interface between the actual security settings on the computer and the settings stored in your security templates.

To create a database (or open an existing one), right-click the Security Configuration And Analysis node in the console tree. You can then import one or more security templates. If you import more than one template, you must decide whether to clear the database. If the database is cleared, only the settings in the new template will be part of the database. If the database is not cleared, additional template settings that are defined will override settings from previously imported templates. If settings in newly imported templates are not defined, the settings in the database from previously imported templates will remain.

To summarize, the Security Configuration And Analysis snap-in creates a database of security settings composed of imported security template settings. The settings in the database can be applied to the computer or used to analyze the computer’s compliance and discrepancies with the desired state.

Warning

IMPORTANT DATABASE SETTINGS VS. THE COMPUTER’S SETTINGS

Settings in a database do not modify the computer’s settings or the settings in a template until that database is either used to configure the computer or exported to a template.

Applying Database Settings to a Computer

After you have imported one or more templates to create the database, you can apply the database settings to the computer.

To apply a database, right-click Security Configuration And Analysis and click Configure Computer Now. You are prompted for a path to an error log that will be generated during the application of settings. After applying the settings, examine the error log for any problems.

Analyzing the Security Configuration of a Computer

Before applying the database settings to a computer, you might want to analyze the computer’s current configuration to identify discrepancies.

To analyze the security configuration of a computer, right-click Security Configuration And Analysis and click Analyze Computer Now. The system prompts you for the location of its error log file and then proceeds to compare the computer’s current settings to the settings in the database. After the analysis is complete, the console produces a report such as the one shown in Figure 4.

The Security Configuration And Analysis snap-in displays an analysis of the computer’s configuration.

Figure 4. The Security Configuration And Analysis snap-in displays an analysis of the computer’s configuration.

Unlike the display of policy settings in the Group Policy Management Editor, Group Policy Object Editor, Local Security Policy, or Security Templates snap-ins, the report shows for each policy the setting defined in the database (which was derived from the templates you imported) and the computer’s current setting. The two settings are compared, and the comparison result is displayed as a flag on the policy name. For example, in Figure 4, the Allow Log On Locally policy setting shows a discrepancy between the database setting and the computer setting. The meanings of the flags are as follows:

  • X in a red circle Indicates that the policy is defined both in the database and on the computer but that the configured values do not match

  • Green check mark in a white circle Indicates that the policy is defined both in the database and on the computer and that the configured values do match

  • Question mark in a white circle Indicates that the policy is not defined in the database and, therefore, was not analyzed, or that the user running the analysis did not have the permissions needed to access the policy on the computer

  • Exclamation point in a white circle Indicates that the policy is defined in the database but does not exist on the computer

  • No flag Indicates that the policy is not defined in the database or on the computer

Correcting Security Setting Discrepancies

As you examine the elements of the database and compare its settings with those of the computer, you might find discrepancies and want to make changes to the computer’s configuration or to the database to bring the two settings into alignment. You can double-click any policy setting to display its Properties dialog box and modify its value in the database. 

Caution

APPLYING OR EXPORTING DATABASE CHANGES

Modifying a policy value in the Security Configuration And Analysis snap-in changes the database value only, not the actual computer setting. For the changes you make to take effect on the computer, you must either apply the database settings to the computer by using the Configure Computer Now menu command or export the database to a new template and apply it to the computer, using a GPO or the Secedit.exe command .

Alternately, you can modify the computer’s security settings directly by using the Local Security Policy console, by modifying the appropriate Group Policy object, or by manually manipulating file system or registry permissions. After making such changes, return to the Security Configuration And Analysis snap-in and click the Analyze Computer Now command to refresh the comparison of the database and computer’s settings.

Creating a Security Template

You can create a new security template from the database. To do so, right-click Security Configuration And Analysis and click Export Template. The template contains the settings in the database that have been imported from one or more security templates and that you have modified to reflect the current settings of the analyzed computer.

Warning

IMPORTANT EXPORTING THE DATABASE TO A TEMPLATE

The Export Template feature creates a new template from the current database settings at the time that you execute the command, not from the computer’s current settings.

Secedit.exe

Secedit.exe is a command-line utility that can perform the same functions as the Security Configuration And Analysis snap-in. The advantage of Secedit.exe is that you can call it from scripts and batch files, which allows you to automate your security template deployments. Another big advantage of Secedit.exe is that you can use it to apply only part of a security template to a computer, something you cannot do with the Security Configuration And Analysis snap-in or Group Policy Objects. For example, if you want to apply the file system’s permissions from a template but leave all the other settings alone, Secedit.exe is the only way to do so.

To use Secedit.exe, you run the program from Command Prompt with one of the following six main parameters, plus additional parameters for each function:

  • /Configure Applies all or part of a security database to the local computer. You can also configure the program to import a security template into the specified database before applying the database settings to the computer.

  • /Analyze Compares the computer’s current security settings with those in a security database. You can configure the program to import a security template into the database before performing the analysis. The program stores the results of the analysis in the database itself, which you can view later, using the Security Configuration And Analysis snap-in.

  • /Import Imports all or part of a security template into a specific security database.

  • /Export Exports all or part of the settings from a security database to a new security template.

  • /Validate Verifies that a security template is using the correct internal syntax.

  • /Generaterollback Creates a security template that you can use to restore a system to its original configuration after applying another template.

For example, to configure the machine by using a template called BaselineSecurity, use the following command:

secedit /configure /db BaselineSecurity.sdb
/cfg BaselineSecurity.inf /log BaselineSecurity.log

To create a rollback template for the BaselineSecurity template, use the following command:

secedit /generaterollback /cfg BaselineSecurity.inf
/rbk BaselineSecurityRollback.inf
/log BaselineSecurityRollback.log
Other -----------------
- Active Directory 2008 : Delegating the Support of Computers (part 2) - Delegating Administration Using Restricted Groups Policies with the Members Of This Group Setting
- Active Directory 2008 : Delegating the Support of Computers (part 1) - Understanding Restricted Groups Policies
- SharePoint 2010 : Virtual Machine Setup and SharePoint Configuration (part 3) - Security for the Services Dedicated to BI
- SharePoint 2010 : Virtual Machine Setup and SharePoint Configuration (part 2) - Set Up Your Own VMs on Windows 2008 R2
- SharePoint 2010 : Virtual Machine Setup and SharePoint Configuration (part 1) - Set Up a Pre-configured VM
- BizTalk Server 2010 : WCF SAP Adapter RFCs and BAPIs - Schema generation
- BizTalk Server 2010 : WCF SAP Adapter RFCs and BAPIs - Overview of SAP RFCs and BAPIs
- Exchange Server 2010 Administration Essentials : Understanding Exchange Server 2010 Organizations (part 2) - Using Configuration Containers Instead of Administrative Groups
- Exchange Server 2010 Administration Essentials : Understanding Exchange Server 2010 Organizations (part 1) - How Site-Based Routing Works
- Exchange Server 2010 Administration Essentials : Validating the Exchange Server Licensing
- Installing Configuration Manager 2007 : ConfigMgr Service Manager
- Installing Configuration Manager 2007 : Transfer Site Settings Wizard, Copy Packages Wizard
- Microsoft Dynamic AX 2009 : The Batch Framework (part 6) - Managing the Batch Server Execution Process - Manage Batch Jobs, Debug a Batch Task
- Microsoft Dynamic AX 2009 : The Batch Framework (part 5) - Managing the Batch Server Execution Process - Set Up Server Configuration, Create a Batch Group
- Microsoft Dynamic AX 2009 : The Batch Framework (part 4) - Creating a Batch Job - Using the Batch API
- Microsoft Dynamic AX 2009 : The Batch Framework (part 3) - Creating a Batch Job - From the Batch Job Form
- Microsoft Dynamic AX 2009 : The Batch Framework (part 2) - Batch-Enabling a Class
- Microsoft Dynamic AX 2009 : The Batch Framework (part 1) - Batch Processing in Dynamics AX, Common Uses of Batch Processing
- Using Non-Windows Systems to Access Exchange Server 2007 : Terminal Server Client for Mac
- Using Non-Windows Systems to Access Exchange Server 2007 : Configuring and Implementing Entourage for the Mac
 
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
Celebrity Style, Fashion Trends, Beauty and Makeup Tips.