Module 8: Implementing Security in a Windows 2000 Network

Contents

Introduction to Securing a Windows 2000 Network
Windows 2000 Security Policies
Implementing Security Policies
Implementing an Audit Policy
Lab A: Implementing Security in a Windows 2000 Network
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead and Instructional Designer: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Introduction

This module provides students with the necessary knowledge and skills to implement security in a Microsoft® Windows® 2000 network by using security policies and auditing, and by recovering encrypted files.

In the lab in this module, students will have a chance to create a customized Microsoft Management Console (MMC) console for configuring security settings and to create a new security template. Then they will analyze and configure the security settings for a computer. They will also plan and implement audit settings in a domain. Finally, they will recover an encrypted file.
Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Materials

To teach this module, you need the following materials:

- Microsoft PowerPoint® file 1558A_08.ppt

Preparation

To prepare for this module, you should:

- Read all the materials for this module.
- Complete the lab.
- Study the review questions and prepare alternative answers to discuss.
- Anticipate questions that students may ask. Write out the questions and provide the answers.
- On the course 1558A, Advanced Administration for Microsoft Windows 2000, Student Materials compact disc:
  - Read the white paper, Secure Networking Using Windows 2000 Distributed Security Services.
  - Read the white paper, Security Configuration Tool Set.
  - Read the white paper, Encrypting File System for Windows 2000.
  - Read the technical walkthrough, Encrypting File System.
  - Read the technical walkthrough, Using the Security Configuration Tool Set.

Presentation: 60 Minutes
Lab: 75 Minutes
Module Strategy

Use the following strategy to present this module:

- Introduction to Securing a Windows 2000 Network
  In this topic, you will introduce the purpose of securing a Windows 2000 network. Emphasize that you use Group Policy to establish and enforce security policies for network computers.
- Windows 2000 Security Policies
  In this topic, you will introduce the different types of security policies in Windows 2000. Show students the security settings that they can configure in Group Policy.
- Implementing Security Policies
  In this topic, you will introduce the procedure for implementing security policies. Emphasize that a preconfigured security template duplicates the desired settings that already exist on a computer, and that it can be tested before the security settings are applied to multiple computers. Explain the purpose of a security template and demonstrate how to create a security template. Emphasize that you can define a security setting once and apply it in many places. Explain the purpose of Security Configuration and Analysis and demonstrate how to configure and analyze the security settings of a computer. Illustrate how to use Group Policy to apply security policies.
- Implementing an Audit Policy
  In this topic, you will introduce the procedure for implementing an Audit policy. Explain the purpose of auditing. Tell students that auditing is used to track user events. An event shows the action that was performed, the user who performed the action, and the date and time of the action. Show the events that Windows 2000 can audit and explain what each event indicates. Explain how to plan an audit strategy and determine which events to audit. Illustrate how to set up an Audit policy. Explain how to audit access to file system, Active Directory™ directory service, and printer objects, and list the guidelines to be followed for auditing each resource.
- Recovering Encrypted Files
  In this topic, you will introduce recovering encrypted files. Briefly discuss the purpose and the process of encrypting and decrypting files and folders. Discuss the purpose of a recovery policy. Emphasize that the first administrator to log on to a stand-alone computer is the recovery agent for that computer, and the first administrator to log on to the domain after the first domain controller is created is the recovery agent for the domain. Illustrate how to recover files and folders. Point out that recovering files and folders is the same as decrypting files and folders.
- Lab A: Implementing Security in a Windows 2000 Network
  Prepare students for the lab in which they will create a customized MMC console and a new security template for configuring security settings. Next, they will analyze and configure the security settings for a computer by using Security Configuration and Analysis. They will also plan and implement audit settings in a domain. Finally, if time permits, they will configure the Group Policy security settings for a computer by using a security template. Make sure that students run the command file for the lab and tell them that they will work with their partner's computers. After students have completed the lab, ask them if they have any questions.
- Best Practices
  Present best practices for implementing security in a Windows 2000 network. Emphasize the reason for each best practice.
Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1558A, Advanced Administration for Microsoft Windows 2000.

Setup Requirement 2

The labs in this module require the Log on locally right for domain controllers to be assigned to the Everyone group. To prepare student computers to meet this requirement, perform one of the following actions:

Important: The labs in this module require a user account named StefanK in each student domain with a password of password. To prepare student computers to meet this requirement, perform one of the following actions:

The following configuration changes occur on student computers during the labs in this module:

- Students remove GPOs linked to the East OU or West OU in their domains.
- Students move their domain controllers to the Domain Controllers OU.
- Students run a command file to reset their computer's security configuration to default values.
- Students encrypt and decrypt files.

You can run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08rm.cmd to remove most configuration changes introduced during the labs in the module. Remove the Log on locally right from the Everyone group manually. Manually delete the GPOs created by students.
Overview

- Introduction to Securing a Windows 2000 Network
- Windows 2000 Security Policies
- Implementing Security Policies
- Implementing an Audit Policy
- Recovering Encrypted Files
- Best Practices

Microsoft® Windows® 2000 provides policies and utilities to monitor security settings for computers throughout a network, a set of templates to create and deploy standard security settings throughout an enterprise, and an auditing function for determining how resources are accessed. Windows 2000 also provides administrators with the ability to recover Encrypting File System (EFS) encrypted files, enabling the management of user encrypted files.

At the end of this module, you will be able to:

- Identify the purpose of securing a Windows 2000 network.
- Identify the Windows 2000 security policies.
- Implement security policies by using Security Templates, Security Configuration and Analysis, and Group Policy.
- Plan and implement an Audit policy.
- Recover encrypted files.
- Apply best practices for implementing security in a Windows 2000 network.

In this module, you will learn to create and configure security policies and implement security in a Windows 2000 network.
Introduction to Securing a Windows 2000 Network

Implementing security in a network provides the following benefits:

- Confirms the identity of users attempting to gain access to resources. This prevents unauthorized users from accessing, stealing, or damaging system resources, such as sensitive data or mission-critical applications.
- Protects against inappropriate access to specific resources, for example, ensuring that only corporate management personnel can gain access to employee payroll information.

When implementing security in a Windows 2000 network, you can use the following methods for securing a network:

- Group Policy. Use Group Policy to establish and enforce security policies for network computers by ensuring that settings are applied consistently over the network and that they can be centrally managed.
- Audit policy. Use Audit policy to monitor various security-related events in Windows 2000. Monitoring security events is necessary to detect intruders and attempts to compromise data on the system.
- Encrypting File System. Use EFS to encrypt files so that only the user who encrypted the file and administrators are able to access it, regardless of the NTFS file system permissions assigned.

A secure network provides users with all of the information and resources that they need and protects the information and resources from damage and unauthorized access.

Ask students how they secure their networks.

Key Points:
- Use Group Policy to establish and enforce security policies for network computers.
- Use Audit policy to monitor various security-related events in Windows 2000.
- Only administrators are able to recover an encrypted file if users lose their keys.
Windows 2000 Security Policies
In Windows 2000, you can use the Security Settings extension in Group Policy to define the security settings for various local and domain security policy attributes. The following list describes the security settings that you can configure in Group Policy:

- Account policies. Account policy settings allow you to configure password policies and account lockout policies for the domain. The account policy for a domain defines the password history, the lifetime of account lockouts, and more. These policies are effective only when they are applied at the domain level.
- Local policies. Local policy settings allow you to control settings that affect individual computers rather than domain-specific settings. Local policies include auditing policies, the assignment of user rights and privileges, and other security options that are applied to and affect the local computer.
- Event log. Event log settings allow you to configure the size, access, and retention parameters for application logs, system logs, and security logs.
- Restricted group. Restricted group settings allow you to manage the membership of selected groups as part of security policy. Restricted group policies also track and control reverse membership of each restricted group.
- System services. System services settings allow you to configure security and startup settings for services running on a Windows 2000-based computer.
- Registry. The registry settings allow you to configure security on registry keys.
- File system. The file system settings allow you to configure security for specific local file paths on network computers. These settings set consistent NTFS permissions for static files and folders on domain computers.
- Public key policies. Public key policy settings allow you to configure encrypted data recovery agents, domain roots, and trusted certificate authorities.
- Internet Protocol Security (IPSec) policies on Active Directory. IPSec policies allow you to configure network Internet Protocol (IP) security options for computers on the network.

Slide Objective: To identify the different types of security policies in Windows 2000.

Lead-in: You can use security policies to establish and enforce security on your network.

Delivery Tip: Show students the security settings that can be configured in Group Policy.
Implementing Security Policies

- Introduction to Implementing Security Policies
- What Is a Security Template?
- Creating Security Templates
- What Is Security Configuration and Analysis?
- Using Configuration and Analysis
- Using Group Policy to Apply Security Policies

You can use security policies to manage a wide range of operating system, computer, and file system security settings for your network and its computers and users. Security policies define an organization's expectations of proper computer and network usage, as well as procedures to prevent and respond to security incidents. Windows 2000 provides many utilities to analyze and configure security settings for your network. These utilities are available as stand-alone snap-ins in Microsoft Management Console (MMC).
Introduction to Implementing Security Policies
[Figure: Implementing Security Policies Through Group Policy; Implementing Security Policies by Importing Preconfigured Security Templates]
Through the use of Group Policy in Active Directory™ directory service, administrators can centrally apply the security settings required to protect enterprise systems. You can implement security settings in two ways:

- By using the Security Configuration and Analysis utility for a single computer or multiple computers.
- By manually configuring the security settings in Group Policy, or by importing a preconfigured security template (which contains the security settings), for a single computer or multiple computers.

A preconfigured security template ensures that the desired settings, which already exist on one computer, are duplicated exactly. Because the settings are preconfigured, you can test them on a single computer before applying them to other computers. Doing this enables you to avoid making mistakes while applying the security settings.

To import preconfigured security templates, first create and test the security template by using the Security Configuration and Analysis utility, and then import the security template into Group Policy.
Slide Objective: To introduce how the security settings are applied to computers.

Lead-in: You can implement security policies by manually configuring the security settings in Group Policy or

Test the preconfigured security settings on a single computer before applying them to other computers, and then export the tested settings to a security template.
What Is a Security Template?
A security template is a text file that contains security settings that you can use to analyze computers and configure them with consistent settings.

Instead of editing individual settings through local Group Policy, you can use security templates to apply preconfigured security settings to a computer. There are two methods by which you can apply security templates:

- Using the Security Configuration and Analysis utility to apply a security template to a single computer
- Importing a security template into a Group Policy object (GPO) and applying Group Policy to an Active Directory container (site, domain, or organizational unit)

Windows 2000 includes several default security templates. These predefined templates can be customized by using the Security Templates snap-in and can be imported into the Security Settings extension of Group Policy. These templates incrementally modify the default security settings. They do not include the default security settings plus the modifications. The following list describes the default security templates:

- Basic. The default security level for Windows 2000. These templates can be used as a base configuration for security analysis and should be applied to configure an upgraded computer with the new Windows 2000 default security settings.
- Compatible. Provides a higher level of security but still ensures that all the features of standard business applications will run.
- Secure. Provides an additional level of security, but does not ensure that all of the features of standard business applications will run.
- High. Enforces the maximum security for Windows 2000 without consideration for application functionality. High security is primarily intended for testing and development of high security applications.
Slide Objective: To explain the purpose of a security template.

Lead-in: A security template contains all the security settings to be applied to a computer.

Show students the four default security templates by using Security Templates.

Key Points: Using Security Templates, you can define a security setting once and then apply it in many places.
Creating Security Templates
You can use the Security Templates snap-in to create a security template. The Security Templates snap-in is used for viewing, defining, or modifying existing security templates.

You create a security template by using any one of the following methods:

- Defining a new template and modifying the defaults
- Editing an existing security template and then saving it as a new template

To create a new security template, perform the following steps:

1. In Security Templates, expand the Security Templates node, right-click the path node where you want to store the new template, and then select New Template.
2. Type a name and description for the new security template.
3. Expand the new security template node to display the security areas, and then expand the node for the security area that you want to configure.
4. In the details pane, double-click the security attribute that you want

To create a security template from an existing template, perform the following steps:

1. In Security Templates, expand the default path node, right-click the existing template that you want to modify, click Save As, specify a name for the new security template, and then click OK.
2. Perform steps 4 and 5 from the previous procedure to edit security settings in the new template, or edit the security settings that you want to modify.
Slide Objective: To illustrate how to create a security template.

Lead-in: You can create a security template by either defining a new template or editing an existing template.

Delivery Tip: Demonstrate how to create security templates by either defining a new template and modifying the defaults or editing an existing template and then saving it as a new template.
What Is Security Configuration and Analysis?

- Analyze system security by:
  - Creating a security database
  - Applying a template to specify the settings to be analyzed
- Configure system security by:
  - Importing security templates
  - Applying the templates to local computer policy
- Import additional security templates by:
  - Merging settings or replacing previous templates
  - Making manual changes to settings
Security Configuration and Analysis is an MMC snap-in that is used to directly configure and analyze local system security. This utility enables you to configure and analyze the security settings for a specific computer.

- Analyzing system security. Analyzing system security compares the current security settings for the computer with the settings specified in the security template and then displays the results. Because the state of the operating system and applications on a computer is dynamic, regular analysis enables an administrator to track and ensure an adequate level of security on each computer. To analyze system security:
  - Create a security database in which to store the analysis results.
  - Apply a template to specify the settings that should be analyzed and the expected configuration for those settings.
  Security Configuration and Analysis then populates the database with the current settings for the computer and marks settings that do not match the template.
- Configuring system security. Windows 2000 enables you to import security templates created with the Security Templates snap-in, and then apply these templates to local computer policy. This immediately configures the local computer security settings with the values specified in the applied template.

After analyzing the system, you can import additional security templates by:

- Merging the settings with or replacing the previously imported templates and analyzing again.
- Making manual changes to settings and saving the computer's current configuration as a new template.
Security Configuration and Analysis is a snap-in that you use to configure and analyze the security settings of a computer.

Show students Security Configuration and Analysis.
Using Configuration and Analysis
The Security Configuration and Analysis snap-in enables you to configure security, analyze security, view results, and resolve any discrepancies revealed by analysis.

To configure and analyze system security, perform the following tasks:

- Set up a working (security) database.
- Analyze the current configuration.
- Configure the computer with the security settings contained in a security template.

Setting Up a Working Database

To set up a working database, perform the following steps:

1. In Security Configuration and Analysis, right-click Security Configuration and Analysis.
2. To open or create a working database, click Open Database, and either enter the name of an existing database or type a name for the new security database, and then click OK.

Analyzing the Current Configuration

You can use Security Configuration and Analysis to perform a security analysis on a computer by comparing the computer's security settings with those in a security template. You can use a comparison of security settings against a baseline security template to quickly analyze whether a computer's security settings comply with your organization's security policy, or whether security configuration settings were changed since the last time you reviewed the settings. Security Configuration and Analysis also offers the ability to resolve any discrepancies revealed by analysis by allowing you to configure the local computer with the security template settings used for analysis.
You configure and analyze system security by setting up a working database, analyzing the current configuration of the computer, and then configuring the computer with security settings.

Delivery Tip: Demonstrate how to use Security Configuration and Analysis to set up a working database, configure a computer, analyze current configuration, and view analysis results.
To analyze system security, perform the following steps:

1. In Security Configuration and Analysis, set a working database, and then import security templates into the database.
2. To begin the analysis, right-click Security Configuration and Analysis, and then click Analyze System Now.
3. Click OK to use the default analysis log, or type a file name and valid path to create a new analysis log.

A progress dialog box indicates the different security areas being analyzed. After this is complete, you can review the results.

Note: If frequent analysis of large numbers of computers is required, the Secedit.exe command-line utility may be used for batch analysis. However, analysis results must still be viewed with Security Configuration and Analysis. For more information on Secedit.exe, see the white paper, Security Configuration Tool Set, on the course 1558A, Advanced Administration for Microsoft Windows 2000, Student Materials compact disc.

Configuring the Computer with Security Settings

You can make configuration changes to the security settings that are not complying with the security template and then reconfigure the system with these settings.

To configure security settings, perform the following steps:

1. In Security Configuration and Analysis, set a working database, and then import one or more security templates into the database.
2. Right-click Security Configuration and Analysis, and then click Configure System Now.

The settings contained in the security database are applied to the computer.
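The working-database model behind the analyze and configure steps above, and the merge-or-replace choice when importing additional templates, as an added example that is not part of the course materials. The template section and key names are those used by Windows 2000 security templates; every value, and the snapshot of the computer's current settings, is constructed for this example.

```python
"""Added example (not course material): a model of what Security Configuration
and Analysis does with security templates.  Templates are INI-style text with
sections such as [System Access] and [Event Audit]; the key names below are the
ones Windows 2000 templates use, but every value here is constructed."""
import configparser

# Constructed baseline template, tested on one computer before it is
# applied elsewhere.  Audit values: 0 none, 1 success, 2 failure, 3 both.
BASELINE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 12
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPolicyChange = 3
"""

# Constructed incremental template imported afterwards; it defines only
# the settings it changes.
INCREMENTAL_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 10
[Event Audit]
AuditObjectAccess = 2
"""

# Constructed snapshot of one computer's current effective settings.
CURRENT_SETTINGS = {
    "System Access": {"MinimumPasswordLength": "6", "PasswordHistorySize": "12",
                      "LockoutBadCount": "0"},
    "Event Audit": {"AuditLogonEvents": "1", "AuditAccountManage": "3",
                    "AuditPolicyChange": "0", "AuditObjectAccess": "0"},
}


def parse_template(text):
    """Parse template text into {section: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # template keys are case-sensitive names
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections() if s != "Unicode"}


def import_templates(templates, merge=True):
    """Build the working database from one or more templates.

    merge=True behaves like merging with previously imported templates:
    later templates override only the keys they define.  merge=False
    behaves like replacing them: only the last template's settings remain.
    """
    database = {}
    for text in templates:
        if not merge:
            database = {}
        for section, values in parse_template(text).items():
            database.setdefault(section, {}).update(values)
    return database


def analyze(database, current):
    """Compare the computer's settings with the database, like Analyze System Now.

    Returns a list of (section, key, expected, actual) for every setting
    that does not match; actual is None when the computer does not define it.
    """
    mismatches = []
    for section, values in database.items():
        for key, expected in values.items():
            actual = current.get(section, {}).get(key)
            if actual != expected:
                mismatches.append((section, key, expected, actual))
    return mismatches


def configure(database, current):
    """Apply the database to the computer, like Configure System Now."""
    configured = {s: dict(v) for s, v in current.items()}
    for section, values in database.items():
        configured.setdefault(section, {}).update(values)
    return configured


if __name__ == "__main__":
    db = import_templates([BASELINE_TEMPLATE, INCREMENTAL_TEMPLATE])
    for section, key, expected, actual in analyze(db, CURRENT_SETTINGS):
        print(f"[{section}] {key}: template={expected} computer={actual}")
    # After configuring, a fresh analysis reports no discrepancies.
    print("after configure:", analyze(db, configure(db, CURRENT_SETTINGS)))
```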
Using Group Policy to Apply Security Policies
You can use Group Policy to standardize security settings by applying the same security template to multiple computers in one step. To apply security policies for a local computer or an Active Directory container, you import one or more security templates into Security Settings in Group Policy. Importing a security template into Group Policy ensures that all members of the container will automatically receive the security template when Group Policy propagates.

To import a security template into a GPO, perform the following tasks:

1. Identify an existing Windows 2000 security template that contains the required security configuration, or create a new security template.
2. Import the security template into the GPO:
   a. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
   b. Right-click Security Settings, and then click Import Policy.
   c. Select the security template that you want to import, and click OK.
3. Analyze the security settings for each computer to determine if the current security settings should be modified to meet your organization's security requirements.
Slide Objective: To explain how to use Group Policy to apply security policies.

Lead-in: You use Group Policy to define a number of configuration settings and to apply them to multiple computers in one step.

Delivery Tip: Demonstrate how to import a security template by using

Import security templates into Security Settings in Group Policy to apply consistent and tested security policies to computers in an Active Directory container.
Implementing an Audit Policy

- What Is Auditing?
- Events to Audit
- Planning an Audit Policy
- Setting Up an Audit Policy
- Auditing Access to Resources

Security auditing is a feature of Windows 2000 that monitors various security-related events. Monitoring system events is necessary to detect intruders' attempts to compromise data on the system.

Implement auditing to track specific events and to maintain security.
What Is Auditing?
Auditing in Windows 2000 is the process of tracking user and operating system activities (called events) on a computer. When an audited event occurs, Windows 2000 writes a record of the event to the security log.

An audit entry in the security log contains the following information:

- The action that was performed
- The user who performed the action
- The success or failure of the event and when the event occurred

An Audit policy defines the types of security events that Windows 2000 records in the security log on each computer. Windows 2000 writes events to the security log on the specific computer where the event occurs.

You can set up an Audit policy for a computer to:

- Track the success and failure of events, such as attempts to log on, attempts by a particular user to read a specific file, changes to a user account or group membership, and changes to security settings.
- Minimize the risk of unauthorized use of resources.
- Maintain a record of user and administrator activity.

You use Event Viewer to view events that Windows 2000 has recorded in the security log. You can also archive log files to track trends over time. This is useful to determine the usage of printers, access to files, or to verify attempts at unauthorized use of resources.
Slide Objective: To explain the purpose of auditing.
Lead-in: Auditing is a feature used by administrators for monitoring network security.
Key Point: Use auditing to track system events. An event shows the action that was performed, the user who performed the action, and the date and time of the action.
Events to Audit
The first step in implementing an Audit policy is selecting the types of events that Windows 2000 should audit. The following table describes the events that Windows 2000 can audit.
Event: Description
Account management: An administrator creates, changes, or deletes a user account or group.
Directory service access: A user gains access to an Active Directory object. To log this type of access, you must configure specific Active Directory objects for auditing.
Logon: A user logs on or off a local computer, or a user makes or cancels a network connection to the computer.
Object access: A user gains access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing.
Policy change: A change is made to the user security options (password options, account logon settings), user rights, or Audit policies.
Privilege use: A user exercises a user right, such as changing the system time (this does not include rights that are related to logging on and logging off), or an administrator takes ownership of a file.
Process tracking: An application performs an action. This information is generally only useful for programmers who want to track details of application execution.
System: A user restarts or shuts down the computer, or an event has occurred that affects Windows 2000 security or the security log.
Slide Objective: To identify the events that Windows 2000 can audit and what each event indicates.
Lead-in: To implement an Audit policy, you first select the types of events that Windows 2000 should audit.
Planning an Audit Policy
• Determine the Computers on Which to Set Up Auditing
• Determine Which Events to Audit
• Determine Whether to Audit the Success or Failure of Events, or Both
• Determine Whether You Need to Track Trends
• Review Security Logs Frequently
When you plan an Audit policy, you need to determine what you want to audit and the computers on which to configure auditing. For each event that you audit, the configuration settings can indicate whether Windows 2000 tracks successful or failed attempts, or both.
Use the following guidelines when planning an Audit policy:
• Determine the computers on which to set up auditing. Plan what to audit for each computer, because Windows 2000 records audited events on each computer separately. For example, you need to audit computers used to store sensitive or critical data frequently, but you can infrequently audit client computers that are used solely for running productivity applications.
• Determine the types of events to audit:
  • Access to files and folders
  • Users logging on and off
  • Shutting down and restarting a computer running Windows 2000 Server
  • Changes to user accounts and groups
  • Attempts to make changes to Active Directory objects
• Determine whether to audit the success or failure of events, or both. Tracking successful events can tell you how often Windows 2000 or users gain access to specific resources; you can use this information for resource planning. Tracking failed events can alert you to possible security breaches.
• Some organizations are required to maintain a record of resource and data access. Determine whether you need to track trends of system usage; if so, plan to archive event logs.
Slide Objective: To explain how to plan an audit strategy and determine which events to audit.
Lead-in: Before you set up an Audit policy, you need to determine what you want to audit and whether to audit successful or failed events.
Delivery Tip: Show students the events that Windows 2000 can audit. Point out to students that even though Windows 2000 will track the events that they configure, the audit log must be reviewed regularly for that information to be of value to an organization.
• Review security logs frequently. Set a schedule and regularly review security logs. Auditing alone does not alert you to security breaches.
Note: Auditing too many types of events creates excess overhead. Audit only the events that provide information that is useful in your environment.
Setting Up an Audit Policy
[Slide: the Group Policy console opened at Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy. The details pane lists Audit Account Logon events, Audit Account Management, Audit Directory Service Access, Audit Logon Events, Audit Object Access, Audit Policy Change, Audit Privilege Use, Audit Process Tracking and Audit System Events, each with a Stored Template Setting such as No Auditing, Not Configured, Success, Failure or Success,Failure. First column: Successful; second column: Failed.]
• Assign Security Settings to a Single Computer by Configuring the Settings in Local Policies in Group Policy
• Assign Security Settings to Multiple Computers by Creating a Group Policy Object and Assigning It
Auditing offers a mechanism for tracking events that occur on computers in your organization. You can implement auditing of file system objects, Active Directory objects, and printers after you set an Audit policy on a computer. You can assign audit settings to a single computer or to multiple computers.
• To assign security settings to a single computer, configure the settings in Local Policies in Group Policy for the computer. You can also configure audit settings as part of a security template and use Security Configuration and Analysis to apply the audit settings, or import the template into Group Policy.
• To assign security settings to multiple computers, create a GPO and assign it to the site, domain, or organizational unit (OU) that contains the computers.
To set an Audit policy, perform the following steps:
1. In Group Policy, double-click Computer Settings, Security Settings, Local Policies, and then click Audit Policy. The console displays the current Audit policy settings in the details pane.
2. Select the type of event to audit. On the Action menu, click Security.
3. Select the Audit successful attempts or Audit failed attempts check box,
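The Audit Policy settings above can also be carried in a security template that Security Configuration and Analysis or Group Policy imports. The following added Python example (not part of the course) reads the [Event Audit] section of a constructed template and checks it against a plan for a computer that stores sensitive data; the key names are the ones Windows 2000 security templates use, while the template contents and the plan itself are constructed for this example.

```python
# Added example: compare a security template's [Event Audit] section with an
# audit plan. Template text and plan are constructed; key names are those used
# by Windows 2000 .inf security templates (secedit syntax).
import configparser

# Audit Policy setting (as shown in Group Policy) -> .inf key
INF_KEYS = {
    "Audit account logon events": "AuditAccountLogon",
    "Audit account management": "AuditAccountManage",
    "Audit directory service access": "AuditDSAccess",
    "Audit logon events": "AuditLogonEvents",
    "Audit object access": "AuditObjectAccess",
    "Audit policy change": "AuditPolicyChange",
    "Audit privilege use": "AuditPrivilegeUse",
    "Audit process tracking": "AuditProcessTracking",
    "Audit system events": "AuditSystemEvents",
}
# Template values: 0 = No auditing, 1 = Success, 2 = Failure, 3 = both
VALUE_NAMES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success,Failure"}

# Constructed plan for a server holding sensitive data (bit 1 = success,
# bit 2 = failure), following the planning guidelines in this module.
PLAN_SENSITIVE_SERVER = {
    "Audit logon events": 3,
    "Audit object access": 2,      # failed Read attempts on protected files
    "Audit account management": 3,
    "Audit policy change": 3,
    "Audit privilege use": 3,      # e.g. Take Ownership by an administrator
    "Audit process tracking": 0,   # only useful to programmers: excess overhead
}

CONSTRUCTED_TEMPLATE = """
[Event Audit]
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 1
AuditProcessTracking = 3
"""

def parse_event_audit(inf_text):
    """Return {inf_key: int value} for the [Event Audit] section."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                      # keep key case as written
    cp.read_string(inf_text)
    if "Event Audit" not in cp:
        return {}
    return {key: int(value) for key, value in cp["Event Audit"].items()}

def check_plan(template_settings, plan):
    """List (setting, configured, required) where the template misses the plan."""
    findings = []
    for setting, required in plan.items():
        have = template_settings.get(INF_KEYS[setting], 0)
        if required == 0 and have != 0:           # audited but not wanted
            findings.append((setting, VALUE_NAMES[have], "No auditing"))
        elif have & required != required:         # a required bit is missing
            findings.append((setting, VALUE_NAMES[have], VALUE_NAMES[required]))
    return findings
```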
Before you set the events to audit, you must set up an
Directory service access enables auditing a user's access to specific Active Directory objects. Object access enables auditing a user's access to files, folders, and printers.
Auditing Access to Resources
File System (NTFS)
• Set the Audit Policy to Audit Object Access
• Enable Auditing for Specific NTFS Files and Folders
• Record Success or Failure of an Event
Printers
• Set the Audit Policy to Audit Object Access
• Enable Auditing for Specific Printers
• Record Success or Failure of an Event
Active Directory Objects
• Set the Audit Policy to Audit Directory Service Access
• Enable Auditing for Specific Objects
• Record Success or Failure of an Event
When auditing for security purposes, you will typically audit access to file system objects, Active Directory objects, and printers.
Auditing Access to File System Objects
To audit user access to the file system, perform the following tasks:
• Set the Audit policy to audit object access, which includes files and folders.
• Enable auditing for specific files and folders, and specify the types of access to audit. You can only audit access to files and folders that are located on NTFS volumes. The file allocation table (FAT) file system does not support auditing.
When you specify file system audit settings, use the following guidelines:
• Record failure events for Read operations to determine when users are attempting to gain access to files for which they have no permissions.
• Record success and failure events for Delete operations when auditing confidential and archival files.
• Record success and failure events for Change Permissions and Take Ownership operations for confidential and personal user files. These operations may indicate that someone is attempting to modify security in order to gain access to data for which they do not currently have permissions. If an administrator takes ownership of a user's file to assign himself or herself access, this setting ensures that the event is recorded.
• Record success and failure events for all operations performed when auditing members of the Guests group. This should be done especially on folders and files to which Guests should not be granted access.
• Audit file and folder access on all computers containing shared data that should be secured.
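The planning guidelines say that auditing alone does not alert you to a breach and that failed events are what point to one; the file system guidelines above say which operations to record. The following added Python example (not part of the course) shows what a scheduled review of the security log can do with entries that carry the fields this module lists (action, user, success or failure, time): it flags repeated failed logons, denied Read attempts, and successful Take Ownership or Change Permissions operations. The entries, names and paths are constructed for this example.

```python
# Added example: a review pass over constructed security-log entries, using the
# fields the module lists for an audit entry. Nothing here is real log data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entries: (time, user, category, action, object, outcome)
ENTRIES = [
    ("1999-11-02 08:01:10", "User1", "Logon", "Logon", "DENVER", "Failure"),
    ("1999-11-02 08:01:25", "User1", "Logon", "Logon", "DENVER", "Failure"),
    ("1999-11-02 08:01:40", "User1", "Logon", "Logon", "DENVER", "Failure"),
    ("1999-11-02 08:02:05", "User1", "Logon", "Logon", "DENVER", "Success"),
    ("1999-11-02 09:15:00", "Guest", "Object access", "Read", "D:\\Payroll\\q3.xls", "Failure"),
    ("1999-11-02 09:15:30", "Guest", "Object access", "Read", "D:\\Payroll\\q4.xls", "Failure"),
    ("1999-11-02 10:00:00", "Administrator", "Privilege use", "Take Ownership", "D:\\Users\\Alice\\notes.doc", "Success"),
    ("1999-11-02 10:30:00", "Alice", "Object access", "Read", "D:\\Users\\Alice\\notes.doc", "Success"),
]

def review(entries, max_failures=3, window=timedelta(minutes=5)):
    """Return one string per finding that a reviewer should look at."""
    findings = []
    failed_logons = defaultdict(list)         # user -> times of failed logons
    for ts, user, category, action, obj, outcome in entries:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if category == "Logon" and outcome == "Failure":
            failed_logons[user].append(when)
        elif category == "Object access" and action == "Read" and outcome == "Failure":
            # failed Read: a user trying to open a file without permissions
            findings.append(f"{user} denied Read on {obj} at {ts}")
        elif action in ("Take Ownership", "Change Permissions") and outcome == "Success":
            # successful security change on a file: record who did it
            findings.append(f"{user} performed {action} on {obj} at {ts}")
    # repeated failed logons by one user inside the time window
    for user, times in failed_logons.items():
        times.sort()
        for i in range(len(times) - max_failures + 1):
            if times[i + max_failures - 1] - times[i] <= window:
                findings.append(f"{user}: {max_failures} failed logons within "
                                f"{window} starting {times[i]}")
                break
    return findings
```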
Slide Objective: To explain the procedure for auditing access to file system, Active Directory, and printer objects.
Lead-in: To alert you to potential security breaches, you can set up auditing for files and folders, Active Directory objects, and printers.
Delivery Tip: Demonstrate how to set up auditing for files and folders, Active Directory objects, and printers.
Key Point: You can audit only access to files and folders that are located on NTFS volumes. When you specify Active Directory audit settings, be sure to audit both success and failure events for all operations performed by administrators.
Auditing Access to Active Directory Objects
You can audit access to Active Directory objects, such as a change in the properties of a user account. To enable auditing of user access to Active Directory objects, perform the following tasks:
• Set the Audit policy to track directory service access.
• Enable auditing for specific Active Directory objects, such as users, computers, OUs, or groups, by specifying the types of access to audit.
When you specify Active Directory audit settings, be sure to audit both success and failure events for all operations performed by administrators. This ensures that a record of administrative activities performed on Active Directory objects is retained for later review.
Auditing Access to Printers
You can audit access to printers to track users' access to expensive printing materials. To audit access to printers, perform the following tasks:
• Set the Audit policy to audit object access, which includes printers.
• Enable auditing for specific printers and specify the types of access to audit.
When you specify printer audit settings, use the following guidelines:
• Record failure events for Print operations on restricted printers, such as those dedicated to printing checks.
• Record success and failure events for Full Control operations to maintain a log of when administrative tasks were performed on a printer.
• Record success events for Delete operations on public printers to ensure that incomplete print jobs, or jobs that were deleted before being started, can be tracked as administrative actions rather than hardware errors.
• Record success and failure events for Change Permissions and Take Ownership operations on restricted printers. This ensures that a record of administrative activities is retained for consultation should a discrepancy in security arise.
Recovering Encrypted Files
• What Is EFS?
• What Is a Recovery Policy?
• Recovering Files and Folders
The Encrypting File System (EFS) provides file-level encryption for NTFS files stored on disk. EFS encryption technology is public key-based, runs as an integrated system service, and enables file recovery by a designated EFS recovery agent. It is easy to manage because, when it is necessary to access critical data that a user has encrypted and the user or his or her key is unavailable, the EFS recovery agent (typically an administrator) can decrypt the file. EFS is difficult to attack because the encrypted file is only available to those who encrypted it and to the recovery agent, regardless of NTFS permissions. If a user who has the private key attempts to gain access to an encrypted NTFS file, he or she can open the file and work with it as a normal document. A user without the private key is simply denied access to the file.
Public key-based protection at the file or folder level.