Security is a primary concern for all Windows administrators.
Windows Server 2008 R2 includes numerous settings that affect the
services that are running, the ports that are open, the network packets
that are allowed into or out of the system, the rights and permissions
of users, and the activities that are audited. You can manage an
enormous number of settings, and, unfortunately, there is no magic
formula that applies the perfect security configuration to a server. The
appropriate security configuration for a server depends on the roles
that server plays, the mix of operating systems in the environment, and
the security policies of the organization, which themselves depend on
compliance regulations enforced from outside the organization.
Therefore, you must work to determine and configure the security
settings that are required for servers in your organization, and you
must be prepared to manage those settings in a way that centralizes and
optimizes security configuration. Windows Server 2008 R2 provides
several mechanisms with which to configure security settings on one or
more systems. In this lesson, you discover these mechanisms and their
interactions.
1. What Is Security Policy Management?
Security policy management involves designing, deploying,
managing, analyzing, and revising security settings for one or more
configurations of Windows systems. There are likely to be several
system configurations in a typical enterprise: desktops and laptops,
servers, and domain controllers. Most enterprises define even more
configurations—for example, by delineating various types or roles of
servers.
The first words are important: Security
Policy. Before you even touch the technology, you need to
understand what your enterprise security policy requires; if you do
not yet have a written security policy, begin by creating one. After
you know where you are heading, you are ready to start the
journey.
Your security policy, and the requirements it contains, probably
require multiple customizations to the default, out-of-box security
configuration of Windows client and server operating systems. To
manage security configuration, you need to:
- Create a security policy for a new application or server role not included in Server Manager.
- Use security policy management tools to apply security policy settings that are unique to your environment.
- Analyze server security settings to ensure that the security policy applied to a server is appropriate for the server role.
- Update a server security policy when the server configuration is modified.
This lesson covers the tools, concepts, and processes required
to perform these tasks. The tools used in this lesson include:
- Local Group Policy
- Security Configuration Wizard
- Security Templates snap-in
- Security Configuration And Analysis snap-in
- Domain Group Policy
2. Configuring the Local Security Policy
Each server running Windows Server 2008 R2 maintains a
collection of security settings that can be managed by using the local
GPO. You can configure the local GPO by using the Group Policy Object Editor snap-in or the Local Security Policy console. The available policy
setting categories are shown in Figure 1.
This lesson focuses on the mechanisms with which to configure
and manage security settings, rather than on the details of the
settings themselves. Many of the settings—including account policies,
audit policy, and user rights assignment—are discussed elsewhere in
this training kit.
Because domain controllers (DCs) do not have local user accounts
(only domain accounts), the policies in the Account Policies container
of the local GPO on DCs cannot be configured. Instead, account
policies for the domain should be configured as part of a
domain-linked GPO such as the Default Domain Policy GPO.
The settings found in the local Security Settings policies are a subset of the
policies that can be configured using domain-based Group Policy, shown in Figure 2. The Default
Domain Controllers Policy GPO is created when the first domain
controller is promoted for a new domain. It is linked to the Domain
Controllers OU and should be used to manage baseline security settings
for all DCs in the domain so that DCs are consistently
configured.
3. Managing Security Configuration with Security Templates
The second mechanism for managing security configuration is the
security template. A security template is a collection of
configuration settings stored as a text file with the .inf extension. As you can see in Figure 3, a security
template contains settings that are a subset of the settings available
in a domain-based GPO but a somewhat different subset than those
managed by the local GPO. The tools used to manage security templates present settings in an interface that
allows you to save your security configurations as files and deploy
them when and where they are needed. You can also use a security
template to analyze the compliance of a computer’s current
configuration against the desired configuration.
Storing security configuration in security templates offers
several advantages. For example, because the templates are plaintext
files, you can work with them manually as with any text file, cutting
and pasting sections as needed. Further, templates make it easy to
store security configurations of various types so that you can easily
apply different levels of security to computers performing different
roles.
Security templates allow you to configure any of the following
types of policies and settings:
- Account Policies: Specify password restrictions, account lockout policies, and Kerberos policies.
- Local Policies: Configure audit policies, user rights assignments, and security options policies.
- Event Log Policies: Configure maximum event log sizes and rollover policies.
- Restricted Groups: Specify the users permitted to be members of specific groups.
- System Services: Specify the startup types and permissions for system services.
- Registry Permissions: Set access control permissions for specific registry keys.
- File System Permissions: Specify access control permissions for NTFS files and folders.
You can deploy security templates in a variety of ways: by using Active
Directory Group Policy Objects, the Security Configuration And
Analysis snap-in, or Secedit.exe. When you associate a security
template with an Active Directory Group Policy object, the settings in
the template become part of the GPO. You can also apply a security
template directly to a computer, in which case the settings in the
template become part of the computer’s local policies. This lesson
discusses each of these options. Remember to test security changes
before deploying them in a production environment.
Using the Security Templates Snap-in
To work with security templates, you use the Security Templates snap-in. Windows Server 2008 R2
does not include a console with the Security Templates snap-in, so
you have to create one yourself using the MMC Add/Remove Snap-in
menu command. The snap-in creates a folder called Security and a
subfolder called Templates in your Documents folder, and the
resulting Documents\Security\Templates folder becomes the template
search path, where you can store one or more security
templates.
To create a new security template, right-click the node that
represents your template search
path—C:\Users\Administrator\Documents\Security\Templates, for
example—and then click New Template.
Settings are configured in a template in the same way that they are
configured in a GPO. The Security Templates snap-in is only an
editor: it changes settings in a template file and plays no role in
applying those settings to a system. Although the template itself is
a text file, its syntax can be confusing, so configure settings with
the snap-in to ensure that they are written with the proper syntax.
The exception to this rule is adding registry settings that are not
already listed in the Local Policies\Security Options portion of the
template. As new security settings become known, if they can be
configured using a registry key, you can add them to a security
template by adding them to the Registry Values section of the template
file.
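As an added example (not part of the training kit), the following PowerShell script writes a small template by hand, including a Registry Values entry, and then asks Secedit.exe to check the syntax. The file name Custom.inf and the chosen setting values are assumptions; the registry value shown, LimitBlankPasswordUse, is the key behind the Accounts: Limit local account use of blank passwords to console logon only security option.

```powershell
# Added example (not from the training kit): write a minimal security
# template by hand and let secedit check its syntax.
# Hypothetical path: the template search path created by the snap-in.
$TemplatePath = 'C:\Users\Administrator\Documents\Security\Templates\Custom.inf'

# Single-quoted here-string so the $CHICAGO$ signature is written literally.
# [Registry Values] lines have the form
#   MACHINE\<key path>\<value name>=<type>,<data>
# where <type> is the registry data type code:
#   1 = REG_SZ, 2 = REG_EXPAND_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 7 = REG_MULTI_SZ
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@

# Security templates are Unicode text files; write the file that way so
# the Security Templates snap-in and secedit read it correctly.
Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode

# Validate the syntax before the template is imported into any database
# or GPO; a malformed line is reported here instead of at deployment time.
secedit /validate $TemplatePath
```

The validate step is the command-line equivalent of letting the snap-in write the file for you: it catches a mistyped section name or value before the template is imported anywhere.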
Note
SAVE YOUR SETTINGS
Be sure to save your changes to a security template by
right-clicking the template and clicking Save.
When you install a server or promote it to a domain
controller, a default security template is applied by Windows. You
can find that template in the %SystemRoot%\Security\Templates
folder. On a domain controller, the template is called DC
security.inf. You should not modify this template directly, but you
can copy it to your template search path and modify the copy.
Note
SECURITY TEMPLATES IN DIFFERENT
VERSIONS OF WINDOWS
In previous versions of Windows, several security templates were available to modify and
apply to a computer. The role-based configuration of Windows
Server 2008 and later and the improved Security Configuration
Manager have made these templates unnecessary.
Deploying Security Templates by Using Group Policy
Objects
Creating and modifying security templates does not improve
security until you apply those templates. To configure several
computers in a single operation, you can import a security template
into the Group Policy Object for a domain, site, or organizational
unit object in Active Directory.
To import a security template into a GPO, right-click the
Security Settings node and click Import Policy. In the Import Policy From dialog box,
if you select the Clear This Database Before Importing check box, all
security settings in the GPO will be erased prior to importing the
template settings, so the GPO’s security settings will match the
template’s settings.
If you leave the Clear This Database Before Importing check
box cleared, the GPO’s security policy settings will remain and the
template’s settings will be imported. Any settings defined in the
GPO that are also defined in the template will be replaced with the
template’s setting.
Security Configuration And Analysis Tool
You can use the Security Configuration And Analysis snap-in to apply a
security template to a computer interactively. The snap-in also
provides the ability to analyze the current system security
configuration and compare it to a baseline saved as a security
template. This helps you quickly determine whether someone has
changed a computer’s security settings and whether the system
conforms to your organization’s security policies.
As with the Security Templates snap-in, Windows Server 2008 R2
does not include a console with the Security Configuration And Analysis snap-in, so you
must add the snap-in to a console yourself.
To use the Security Configuration And Analysis snap-in, you
must first create a database that will contain a collection of
security settings. The database is the interface between the actual
security settings on the computer and the settings stored in your
security templates.
To create a database (or open an existing one), right-click
the Security Configuration And Analysis node in the console tree.
You can then import one or more security templates. If you import
more than one template, you must decide whether to clear the
database. If the database is cleared, only the settings in the new
template will be part of the database. If the database is not
cleared, additional template settings that are defined will override
settings from previously imported templates. If settings in newly
imported templates are not defined, the settings in the database
from previously imported templates will remain.
To summarize, the Security Configuration And Analysis snap-in creates a
database of security settings composed of imported security
template settings. The settings in the database can be applied to
the computer or used to analyze the computer’s compliance and discrepancies with the
desired state.
Warning
IMPORTANT
DATABASE SETTINGS VS. THE COMPUTER’S SETTINGS
Settings in a database do not modify the computer’s settings
or the settings in a template until that database is either used
to configure the computer or exported to a template.
Applying Database Settings to a Computer
After you have imported one or more templates to create the
database, you can apply the database settings to the
computer.
To apply a database, right-click Security Configuration And
Analysis and click Configure Computer Now. You are prompted for a
path to an error log that will be generated during the application
of settings. After applying the settings, examine the error log for
any problems.
Analyzing the Security Configuration of a Computer
Before applying the database settings to a computer, you might
want to analyze the computer’s current configuration to identify
discrepancies.
To analyze the security configuration of a computer,
right-click Security Configuration And Analysis and click Analyze
Computer Now. The system prompts you for the location of its error
log file and then proceeds to compare the computer’s current
settings to the settings in the database. After the analysis is
complete, the console produces a report such as the one shown in
Figure 4.
Unlike the display of policy settings in the Group Policy
Management Editor, Group Policy Object Editor, Local Security
Policy, or Security Templates snap-ins, the report shows for each
policy the setting defined in the database (which was derived from
the templates you imported) and the computer’s current setting. The two settings are
compared, and the comparison result is displayed as a flag on the
policy name. For example, in Figure 4, the Allow Log
On Locally policy setting shows a discrepancy between the database
setting and the computer setting. The meanings of the flags are as
follows:
- X in a red circle: Indicates that the policy is defined both in the database and on the computer but that the configured values do not match.
- Green check mark in a white circle: Indicates that the policy is defined both in the database and on the computer and that the configured values do match.
- Question mark in a white circle: Indicates that the policy is not defined in the database and, therefore, was not analyzed, or that the user running the analysis did not have the permissions needed to access the policy on the computer.
- Exclamation point in a white circle: Indicates that the policy is defined in the database but does not exist on the computer.
- No flag: Indicates that the policy is not defined in the database or on the computer.
Correcting Security Setting Discrepancies
As you examine the elements of the database and compare its
settings with those of the computer, you might find discrepancies
and want to make changes to the computer’s configuration or to the
database to bring the two settings into alignment. You can
double-click any policy setting to display its Properties dialog box
and modify its value in the database.
Caution
APPLYING OR EXPORTING DATABASE
CHANGES
Modifying a policy value in the Security Configuration And
Analysis snap-in changes the database value only, not the actual
computer setting. For the changes you make to take effect on the
computer, you must either apply the database settings to the
computer by using the Configure Computer Now menu command or
export the database to a new template and apply it to the
computer, using a GPO or the Secedit.exe command.
Alternately, you can modify the computer’s security settings
directly by using the Local Security Policy console, by modifying the
appropriate Group Policy object, or by manually manipulating file
system or registry permissions. After making such changes, return to
the Security Configuration And Analysis snap-in and click the
Analyze Computer Now command to refresh the comparison of the
database and computer’s settings.
Creating a Security Template
You can create a new security template from the database. To
do so, right-click Security Configuration And Analysis and click
Export Template. The template contains the settings in the database
that have been imported from one or more security templates and that you have modified to reflect the
current settings of the analyzed computer.
Warning
IMPORTANT
EXPORTING THE DATABASE TO A TEMPLATE
The Export Template feature creates a new template from the
current database settings at the time that you execute the
command, not from the computer’s current settings.
Secedit.exe is a command-line utility that can perform the
same functions as the Security Configuration And Analysis snap-in.
The advantage of Secedit.exe is that you can call it from scripts
and batch files, which allows you to automate your security template
deployments. Another big advantage of Secedit.exe is that you can
use it to apply only part of a security template to a computer,
something you cannot do with the Security Configuration And Analysis
snap-in or Group Policy Objects. For example, if you want to apply
the file system’s permissions from a template but leave all the
other settings alone, Secedit.exe is the only way to do so.
To use Secedit.exe, you run the program from Command Prompt
with one of the following six main parameters, plus additional
parameters for each function:
- /Configure: Applies all or part of a security database to the local computer. You can also configure the program to import a security template into the specified database before applying the database settings to the computer.
- /Analyze: Compares the computer's current security settings with those in a security database. You can configure the program to import a security template into the database before performing the analysis. The program stores the results of the analysis in the database itself, which you can view later, using the Security Configuration And Analysis snap-in.
- /Import: Imports all or part of a security template into a specific security database.
- /Export: Exports all or part of the settings from a security database to a new security template.
- /Validate: Verifies that a security template is using the correct internal syntax.
- /Generaterollback: Creates a security template that you can use to restore a system to its original configuration after applying another template.
For example, to configure the machine by using a template
called BaselineSecurity, use the following command:
secedit /configure /db BaselineSecurity.sdb /cfg BaselineSecurity.inf /log BaselineSecurity.log
To create a rollback template for the BaselineSecurity
template, use the following command:
secedit /generaterollback /cfg BaselineSecurity.inf /rbk BaselineSecurityRollback.inf /log BaselineSecurityRollback.log
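The whole sequence scripted, as an added example that is not from the training kit: the following PowerShell script validates a template, builds a database with and without clearing it (the /overwrite switch plays the role of the Clear This Database Before Importing check box described in the Security Configuration And Analysis section), generates a rollback template, analyzes the computer, and then applies only the file system and registry permission areas. The folder C:\SecBaseline, the second template FileServerExtra.inf, the /db parameter on /generaterollback (listed in the Windows Server 2008 R2 syntax, though the example above omits it), and the assumptions that Secedit.exe returns a nonzero exit code on failure and records discrepancies as lines containing "Mismatch" in its analysis log are not taken from the page.

```powershell
# Added example (not from the training kit): a scripted, partial baseline
# deployment with Secedit.exe. Hypothetical names: C:\SecBaseline,
# BaselineSecurity.inf, FileServerExtra.inf. Run from an elevated session.
$WorkDir = 'C:\SecBaseline'
Set-Location $WorkDir

# 1. Reject a template that does not parse before it touches any database.
#    Assumption: secedit sets a nonzero exit code when validation fails.
secedit /validate BaselineSecurity.inf
if ($LASTEXITCODE -ne 0) { throw 'BaselineSecurity.inf failed validation' }

# 2. Build the database. /overwrite clears it first, so afterwards the
#    database holds exactly the baseline template's settings...
secedit /import /db Baseline.sdb /cfg BaselineSecurity.inf /overwrite /quiet
#    ...and a second import without /overwrite merges: settings defined in
#    the new template replace earlier ones, undefined settings keep the
#    value already in the database.
secedit /import /db Baseline.sdb /cfg FileServerExtra.inf /quiet

# 3. Record how to undo the change before making it. The rollback template
#    captures the computer's current values for every setting the baseline
#    would change.
secedit /generaterollback /db Rollback.sdb /cfg BaselineSecurity.inf /rbk Rollback.inf /log Rollback.log /quiet

# 4. Analyze first. The results are stored in Baseline.sdb (open it in the
#    Security Configuration And Analysis snap-in to see the flags) and the
#    log lists each discrepancy.
#    Assumption: non-matching settings appear in the log as "Mismatch" lines.
secedit /analyze /db Baseline.sdb /log Analyze.log /quiet
$mismatches = Select-String -Path Analyze.log -Pattern 'Mismatch' -SimpleMatch
Write-Host "Settings that differ from the baseline: $($mismatches.Count)"
$mismatches | ForEach-Object { Write-Host "  $($_.Line.Trim())" }

# 5. Apply only the file system and registry permission areas; account
#    policies, user rights, services and the rest are left untouched. This
#    partial application is what only Secedit.exe can do.
secedit /configure /db Baseline.sdb /areas FILESTORE REGKEYS /log Configure.log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit reported errors; review $WorkDir\Configure.log" }

# 6. Re-analyze so the log shows whether the two areas now match the database.
secedit /analyze /db Baseline.sdb /log Verify.log /quiet
```

The other area names accepted by /areas are SECURITYPOLICY (account and local policies), GROUP_MGMT (restricted groups), USER_RIGHTS, and SERVICES; omitting /areas applies the whole database, which is what the example command above does.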