Module 13: Managing Network Security
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, places or events is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes
This module provides students with an appreciation of the challenges that are involved in maintaining a secure and reliable system.
After completing this module, students will be able to:
• Use Group Policy to apply security policies to secure the user environment.
• Use Group Policy to configure password and logon account policies.
• Analyze security log files to detect security breaches.
• Secure the logon process by using smart cards.
• Apply service packs, hotfixes, and antivirus software.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 2126A_13.ppt
Preparation Tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the labs.
• Enable auditing and generate each of the events that are discussed in the Analyzing Security Log Files to Detect Security Breaches
Presentation: 30 Minutes
Lab: 60 Minutes
Module Strategy
Use the following strategy to present this module:
• Using Group Policy to Secure the User Environment
  In this topic, you will introduce the procedure for implementing security policies. Emphasize that a preconfigured security template ensures duplication of desired settings that already exist for a computer, and can be tested before security settings are applied to multiple computers.
  Demonstrate how to use Group Policy to apply security policies. Emphasize that you can define a security setting once and apply it in many places.
• Using Group Policy to Configure Account Policies
  In this topic, you will introduce account policies and their purpose. You will describe how to configure account policies, particularly the account password and lockout policy settings. Emphasize that tight security depends on these policy settings as they enable you to control the complexity of passwords themselves and the locking of an account in response to the entering of an incorrect password.
• Analyzing Security Log Files to Detect Security Breaches
  Throughout this topic, use Event Viewer to illustrate the events that are discussed. You should have previously enabled auditing and purposely generated each of the events that are discussed in the text before beginning this module.
• Securing the Logon Process
  In this topic, you will discuss the use of smart cards as a strategy for increasing the security of the logon process. The configuration of smart cards is simple, so focus on the smart card features, the advantages of using smart cards, and considerations for smart card policies.
• Examining Service Packs, Hotfixes, and Antivirus Software
  Emphasize the importance of keeping servers current with security updates because security threats arise frequently as systems become more complex and are exposed to public networks.
Overview
• Using Group Policy to Secure the User Environment
• Using Group Policy to Configure Account Policies
• Analyzing Security Log Files to Detect Security Breaches
• Securing the Logon Process
• Examining Service Packs, Hotfixes, and Antivirus Software
As an administrator, you must manage network security by implementing various security measures. You use Group Policy to secure the user environment and configure account policies. You can audit security breaches by analyzing security log files. You can use smart card technology to secure the logon process. You will also be required to evaluate and apply service packs and hotfixes, and maintain antivirus software to ensure your network environment is as safe as current software allows.
After completing this module, you will be able to:
• Use Group Policy to apply security policies to secure the user environment.
• Use Group Policy to configure password and logon account policies.
• Analyze security log files to detect security breaches.
• Secure the logon process by using smart cards.
• Apply service packs, hotfixes, and antivirus software.
In this module, you will learn about managing network security.
Using Group Policy to Secure the User Environment
Applying security policies
Select the Security Settings node
By configuring security settings
Configure the security setting
By importing the security template
Identify or create a security template
Import the security template into a Group Policy object
Analyze the security settings
Group Policy security settings are often configured to represent an organization’s security policy. The security policy is enforced on users’ systems by using Group Policy to prevent unauthorized access to the organization network and users’ computers.
The process of defining and implementing a standardized set of Group Policies is facilitated by using security templates. A security template is a collection of security settings that can be imported into a Group Policy object or used for analysis. After it is refined to meet the organization’s needs, the template can be applied to the Group Policy object, which will then apply to other systems according to your design.
Topic Objective
To illustrate how to apply security Group Policy to secure the user
organizational unit level by using Group Policy
Delivery Tip
Demonstrate how to import a security template by using
Import security templates into Security Settings in Group Policy to apply consistent and tested security policies to computers in an Active Directory container
Using Group Policy to Configure Account Policies
• What Are Account Policies?
• Configuring Password Policy Settings
• Configuring Account Lockout Policy Settings
In Microsoft® Windows® 2000, you can configure account policies that prevent unauthorized persons from logging on to the network and gaining access to network resources. These enhanced network security measures include setting a password policy and a user account lockout policy that make it more difficult to guess a password, and they also limit the number of attempts that an unauthorized person can make to determine a password. These measures help prevent unauthorized persons from gaining access to your network.
Topic Objective
To introduce using Group Policy to configure account policies
Lead-in
You configure account policies to prevent unauthorized persons from logging on to the network
What Are Account Policies?
Use account policies to prevent unauthorized persons from gaining access to the network
Must set Group Policy at domain level
Set password requirements to
Domain controller does not authenticate
Domain controller locks out user account
Set failed logon attempts limit to
Ensure passwords are difficult to guess
Stop brute force hacking programs
Account policies for user accounts can be used to reduce the possibility of unauthorized persons gaining access to the network. When you set account policies in Active Directory, Windows 2000 allows policies to be set at the domain level and at the organizational unit level. The domain account policy becomes the account policy of any Windows 2000–based workstation or server that is a member of the domain.
The account policy settings for the organizational unit affect the local policy on any computers contained in the organizational unit. This means that the account policies set at the domain level always apply when logging on using an account that exists in the domain. The local policy settings apply only when logging on using an account that is local to the computer that you are logging on to. The account policy settings that you can configure with Group Policy are:
• Password policies. Password policies establish restrictions that require users to periodically change passwords and to use complex passwords. Password complexity includes the minimum length and the characters to use, including alphanumeric, symbols, and upper- and lower-case letters. By forcing users to use complex passwords, you make it more difficult for unauthorized persons to use brute force hacking programs to gain access to your network. Brute force hacking programs try to log on repeatedly by providing different passwords, for example, by attempting to use each word in a dictionary as the password.
• Account lockout policies. Account lockout policies ensure that a user account is locked after a predetermined number of failed logon attempts. Setting a limit for failed logon attempts makes it difficult for unauthorized persons to log on by using brute force algorithms to determine a password. After a domain controller locks out a user account, the user account cannot be used for authentication until the account is unlocked. You can configure the lockout duration.
unauthorized users from gaining access to your network
Delivery Tip
Explain what a brute force hacking program is. Mention to students that the most common password used is password. Explain why it is important to implement a password account policy so that users have complex passwords.
Key Points
Administrators must set Group Policy for account policies at the domain level to affect domain logons.
Setting password restrictions and a limit of failed logon attempts makes it more difficult for an unauthorized person to gain access to the network.
Configuring Password Policy Settings
• Password settings apply to the domain
• The settings to configure are:
[Screenshot: Group Policy console for LONDON.NWTraders.msft, Computer Configuration, Windows Settings, Security Settings, Account Policies, with Password Policy selected. Attributes listed: Allow storage of passwords under reversibl…, Enforce password uniqueness by remem…, Maximum Password Age, Minimum Password Age, Minimum Password Length, Passwords must meet complexity require…, User must logon to change password]
Note that when you modify password settings, they do not apply to existing passwords. They apply the next time that a user changes his or her password, or when you create or reset a user account.
The following list describes the password settings you must configure:
• Enforce password uniqueness by remembering. Use this setting to prevent users from reusing a previous password. Windows 2000 will remember the number of passwords that you indicate, ranging from 0 to 24 passwords. In a high-security environment, consider setting this value to 24 remembered passwords. In a medium-security environment, set this value to six remembered passwords.
• Maximum Password Age. This setting forces users to change their passwords after a specified period of time so that they do not continually use the same password. In a high-security network, set this value to 30 days. In a medium-security network, set the value to 42 days.
• Minimum Password Length. This setting determines the required minimum length of users’ passwords. In a high-security environment, set this to at least eight characters.
Note: In a multiple-domain network, you can link the same Group Policy object to each domain container, or you can use different settings in each domain.
There are several critical Group Policy password settings that you must configure
Delivery Tip
Demonstrate configuring the password settings in Group Policy
Key Points
Group Policy password settings apply to all user accounts in the domain.
When you configure password settings, the settings do not apply to existing passwords. Domain controllers enforce the password requirements when an administrator creates a user account or resets a password, or when a user changes a password.
If there is conflict between the minimum length of a password setting and the length determined by the complex passwords setting, the most restrictive setting prevails.
• Passwords must meet complexity requirements. This setting requires passwords to comply with the following complexity rules:
  • The minimum password length must be six characters. If there are conflicts between these settings and the password length setting, the more restrictive setting prevails.
  • The password cannot contain sections of the user’s full name.
  • The password must contain characters from at least three of the following four categories:

    Description                    Example
    English uppercase letters      A, B, C, D, … Y, Z
    English lowercase letters      a, b, c, d, … y, z
    Westernized Arabic numerals    0, 1, 2, … 9
    Non-alphanumeric characters    !, ?, (, …

• User must log on to change a password. This setting forces users to log on to their accounts before they can change their passwords. This setting also disables user accounts that have exceeded the maximum password age. Only an administrator can enable the user account again. This prevents unauthorized persons from attempting to log on by using unauthorized user accounts.
To configure Password Policy settings, perform the following steps:
1. Open Active Directory Users and Computers, create a Group Policy object at the domain level or select an existing Group Policy object that is linked to the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then expand Password Policy.
Configuring Account Lockout Policy Settings
• Account lockout policy settings apply to domains
• You must configure all account lockout policy settings or none
[Screenshot: Group Policy console for LONDON.NWTraders.msft, Computer Configuration, Windows Settings, Security Settings, Account Policies, with Account Lockout Policy selected. Attributes listed: Account lockout control, Lockout account for, Reset account lockout count after; values shown: 5 Invalid logon attempts, Forever. Callouts: Limit on failed logon attempts; Amount of time that the lockout is in effect]
Like password settings, account lockout policy settings apply to all user accounts in a domain. Link the Group Policy object for account lockout policy settings to the domain or domains in the network.
Domain controllers start enforcing the requirements during user authentication after the Group Policy object is applied to the domain controllers. You must configure all three of the account lockout policy settings to set up an account lockout policy.
The following list describes the account lockout settings that you must configure:
• Account lockout count. This setting determines the allowed number of failed logon attempts before Windows 2000 locks the account. The number of failed logon attempts must match the security level that your network requires. In a high-security network, set this value to five logon attempts.
• Lockout account for. This setting determines the amount of time that the lockout is effective. In a high-security network, select Forever. This means that an administrator must manually unlock the user account. In a medium-security network, set this value to 30 minutes to prevent the effective use of automated methods to guess a password.
• Reset account lockout count after. This setting determines the amount of time after which the counter for failed attempts returns to zero. In a high-security network, set this value to one day (1,440 minutes). In a medium-security network, set this value to 30 minutes.
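A security template stores these account policy settings as an .inf file, so the recommended password and lockout values above can be checked before a template is imported into a Group Policy object. The following added example (not part of the course materials) audits a constructed template; it assumes the [System Access] key names used by security templates and that -1 encodes Forever.

```python
import configparser

FOREVER = -1  # assumed template encoding of "Forever" (administrator must unlock)

# Targets quoted from the text above. It gives no medium-security figure for
# minimum password length or lockout count, so those are not checked at "medium".
BASELINES = {
    "high": {
        "PasswordHistorySize": ("min", 24),
        "MaximumPasswordAge": ("max", 30),       # days
        "MinimumPasswordLength": ("min", 8),
        "LockoutBadCount": ("max", 5),           # failed logon attempts
        "LockoutDuration": ("forever", FOREVER),
        "ResetLockoutCount": ("min", 1440),      # minutes
    },
    "medium": {
        "PasswordHistorySize": ("min", 6),
        "MaximumPasswordAge": ("max", 42),
        "LockoutDuration": ("min", 30),
        "ResetLockoutCount": ("min", 30),
    },
}
LOCKOUT_KEYS = ("LockoutBadCount", "LockoutDuration", "ResetLockoutCount")

# Constructed sample template, not taken from the course files.
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordHistorySize = 6
MaximumPasswordAge = 42
PasswordComplexity = 1
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
"""


def load_system_access(template_text):
    """Return the integer-valued [System Access] settings of a template."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the key names' original case
    parser.read_string(template_text)
    if not parser.has_section("System Access"):
        return {}
    settings = {}
    for key, raw in parser.items("System Access"):
        try:
            settings[key] = int(raw.strip())
        except ValueError:
            pass  # string-valued entries are outside this check
    return settings


def satisfies(key, rule, wanted, value):
    if key == "LockoutDuration" and value == FOREVER:
        return True  # Forever meets any lockout-duration target
    if rule == "forever":
        return False
    if rule == "min":
        return value >= wanted
    # "max" rule; assumption: zero or negative means the control is switched off
    return 0 < value <= wanted


def audit_template(template_text, level):
    """Return a list of findings; an empty list means the template meets `level`."""
    settings = load_system_access(template_text)
    findings = []
    present = [k for k in LOCKOUT_KEYS if k in settings]
    if 0 < len(present) < len(LOCKOUT_KEYS):  # "all three settings or none"
        missing = [k for k in LOCKOUT_KEYS if k not in settings]
        findings.append("lockout policy incomplete, missing: " + ", ".join(missing))
    for key, (rule, wanted) in BASELINES[level].items():
        if key not in settings:
            findings.append(f"{key}: not defined")
        elif not satisfies(key, rule, wanted, settings[key]):
            findings.append(f"{key}: {settings[key]} does not meet {level} target {wanted}")
    return findings
```

Calling `audit_template(SAMPLE_TEMPLATE, "high")` lists every setting in the sample that falls short of the high-security values, while the same template passes at "medium".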
Account lockout policy works well with password policy by limiting the number of times that a person can attempt to log on
Delivery Tip
Demonstrate configuring the account lockout settings in Group Policy
Key Points
An administrator can only set Group Policy account lockout settings at the domain level.
An administrator must configure all three settings or none.
The number of logon attempts that are allowed must match the security required in the network.
To configure Account Lockout Policy settings, perform the following steps:
1. Open Active Directory Users and Computers, create a Group Policy object at the domain level or select an existing Group Policy object linked to the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then expand Account Lockout Policy.
Lab A: Using Group Policy to Secure the Desktop
Lab Setup
• Log on to your domain as Administrator with a password of password.
   a. Press CTRL+ALT+DEL to open the logon screen.
   b. In the User Name box, type Administrator
   c. In the Password box, type password
   d. In the Domain box, ensure that your domain is listed.
   e. Click OK.
Exercise 1
Implementing Security Policy
In this exercise, you will create a new GPO, which is linked to the Domain Controllers organizational unit and named Additional Security Settings Policy, to implement the required security settings.
Scenario
You are a domain administrator for a domain in the Northwind Traders organization, and are required to implement the following security settings on your domain controllers:
• Passwords must be at least six characters.
• A dialog box should appear during the logon process, informing users that unauthorized access is not allowed.
• Domain Admins should have only the Administrator account as a member.
• Telnet, which is set to start manually, should be disabled.
1. Create a new GPO linked to the Domain Controllers organizational unit. Name this new GPO Additional Security Settings Policy.
   a. On the Administrative Tools menu, open Active Directory Users and
2. Modify the Additional Security Settings Policy GPO to implement the following security setting: Passwords must be at least six characters.
   a. With the Additional Security Settings Policy GPO selected, click Edit.
   b. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policy.
   c. In the details pane, double-click Minimum password length.
   d. In the Security Policy Setting dialog box, select the Define this policy setting check box, change the value for the minimum password length to 6, and then click OK.
3. Modify the Additional Security Settings Policy GPO to implement the following security setting: Display a dialog box at logon that warns users that unauthorized access is not
4. Modify the Additional Security Settings Policy GPO to implement the following security setting: Domain Admins should have only the Administrator account as a member.
   a. In the console tree, click Restricted Groups.
   b. Right-click Restricted Groups, and then click Add Group.
   c. In the Add Group dialog box, click Browse.
   d. In the Select Groups dialog box, under Name, click Domain Admins, click Add, and then click OK.
   e. Click OK to close the Add Group dialog box.
   f. In the details pane, double-click Domain\Domain Admins.
   g. In the Configure Membership for Domain\Domain Admins dialog box, click Add to the right of Members of this group.
   h. In the Add Member dialog box, click Browse.
   i. In the Select Users or Groups dialog box, under Name, select Administrator, click Add, and then click OK.
   j. Click OK to close the Add Member dialog box.
   k. Click OK to close the Configure Membership for Domain\Domain Admins dialog box.
5. Modify the Additional Security Settings Policy GPO to implement the following security setting: The Telnet service should be disabled.
   a. In the console tree, click System Services.
   b. In the details pane, double-click Telnet.
   c. In the Security Policy Setting dialog box, click the Define this policy setting check box.
      Notice that the Security for Telnet security editor appears. System services need to be properly secured, so this dialog box appears for any service in the list.
   d. Select Everyone, and then click Remove.
   e. Click Add, and in the Select Users, Computers, or Groups dialog box, verify that domain.nwtraders.msft displays (where domain is your domain), and then double-click Domain Admins and click OK.
   f. Select the Allow check box beside Full Control, and then click OK.
   g. In the Security Policy Setting dialog box, ensure that Disabled is selected, and then click OK.
   h. Close all open windows, and then restart the computer.
6. Verify that the modifications to the Additional Security Settings Policy GPO are being applied correctly.
   a. Log on as Administrator with a password of password.
      Did the warning message appear when you tried to log on?
      Yes.
   b. Change your password from password to 123.
      Did the minimum password length Group Policy setting of six characters prevent you from changing your password to one that contained only three characters? Why or why not?
      No, the password was changed successfully. Password Group Policy is only enforced when it is set at the domain level.
   c. Change your password back to password.
   d. Add the Guest user account to the Domain Admins group.
   e. Force a refresh of Group Policy by opening a command prompt, typing secedit /refreshpolicy machine_policy /enforce and then pressing ENTER.
      Is the Guest user account still listed as a member of the Domain Admins group? Why or why not?
      No. The membership of Domain Admins is restricted to the Administrator account. When Group Policy was refreshed, the Guest account was removed.
   f. Open Services from the Administrative Tools menu.
      What is the value in the Startup Type column for the Telnet service?
      Disabled.
   g. Close all open windows.
7. Run the Delpol.cmd batch file in the C:\Moc\2155\Labfiles\Lab14A folder. This batch file removes all GPOs created in the labs in this module.
   a. Open the D:\Moc\2155\Labfiles\Lab14A folder.
   b. Double-click Delpol.cmd to remove the log on and log off messages in the GPOs created during the labs in this module.
   c. Restart your computer.
   d. Click OK to close the VBScript message.
Analyzing Security Log Files to Detect Security Breaches
• Security Logs and Event Viewer
• Common Security Events
In many cases, such as denial-of-service attacks, security breaches have obvious consequences. However, often the consequences of a security breach are more subtle. For example, if an unauthorized user attempts to gain access to another user’s account by guessing the password, the attempt will not cause a service failure. The unauthorized user may guess the correct password and gain access, even if the user account is locked.
Some breaches exploit security loopholes and configuration errors. For example, if a mistake has been made in the permissions of a security-sensitive file and a user notices this mistake, the user can access the file without mounting any kind of attack.
An organization can detect these kinds of events by using the security log, which exists on all Windows 2000 computers. If you are responsible for network security, you must know how to detect these events by using the logs.
It is assumed here that the security Audit policy has already been planned and implemented by the top-level administrators in your organization. This topic concentrates on analyzing the resulting log files. For more information about configuring auditing, see the topic “Security” in the Microsoft Windows 2000 Server Manual.
Topic Objective
To equip the students with the ability to identify common security-related events in the Security Log
Lead-in
If your responsibilities include security protection, you must be able to recognize a security breach
Key Points
It has been assumed here that the Audit policy has already been defined and implemented in your organization and that the students’ role will be to monitor the resulting logs, not change the