
Hands-On Microsoft Windows Server 2003
Chapter 10
Securing Windows Server 2003
Objectives
• Understand the use of Group Policy
• Secure Windows Server 2003 using security policies
• Manage security by using the Security Templates Snap-in
• Configure client security by using Windows Server 2003 policies
• Configure the Encrypting File System
2
Introduction to Group Policy
• Group Policy in Windows Server 2003 allows a standardized working environment for clients and servers
• Evolved from the NT Server 4.0 system policy concept
• Has more capabilities than system policy
– Can extend to cover multiple domains in one site
– Set for more environments
– More secure because users cannot modify policies
– Updates dynamically and can be configured to reflect current needs
3
Group Policy characteristics
• Can be set for a site, domain, OU, or local computer
• Cannot be set for non-OU folder containers
• Policy settings for groups are stored in Group Policy objects (GPOs)
– Each GPO has a unique name and GUID
• There are local and nonlocal GPOs
– When there are multiple GPOs, their effect is incremental
– The ordering is local, default domain, site, OUs
• Group Policy can be set up to affect user accounts, computers, or both
• When Group Policy is updated, old policies are removed or updated for all clients
4
Securing Windows Server 2003 Using Security Policies
• Security policies are a subset of the Group Policy
• Some commonly used security policies
– Account policies
– Audit policy
– User rights
– Security options
– IP Security policies
• Can be configured with the following tools
– Domain Security Policy tool can be used for the domain and the local computer
– Group Policy Object Editor Snap-in has the most functionality
– Active Directory Users and Computers tool can be used for a domain or OU

6
Establishing Account Policies
• Account policies are located in the following Group Policy path:
– Computer Configuration, Windows Settings, Security Settings
• Account policy options
– Password security
– Account Lockout
– Kerberos security

7
Password Security Options
• Enforce password history
– Requires users to choose new passwords when they make a password change
• Maximum password age
– Sets maximum time before password expires
– Commonly 45 to 90 days
• Minimum password age
• Minimum password length
– A minimum of seven characters for a “strong password”
• Password must meet complexity requirements
– Filter of customized password requirements
• Store passwords using reversible encryption

8
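Added example (not from the textbook): a small Python model of how the password options on this slide interact when a user tries to change a password. The policy values (24 remembered passwords, 60-day maximum age, 1-day minimum age) and the sample account "jsmith" are assumptions for the demo; the seven-character minimum is the slide's own recommendation, and the complexity check follows the Windows rule of at least three of four character classes with no account name inside the password.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Password options from the slide. Values are assumed defaults for the demo;
    the chapter itself only recommends 7+ characters and a 45-90 day maximum age."""
    history_size: int = 24      # Enforce password history
    max_age_days: int = 60      # Maximum password age
    min_age_days: int = 1       # Minimum password age (stops cycling straight back to an old password)
    min_length: int = 7         # Minimum password length
    complexity: bool = True     # Password must meet complexity requirements


@dataclass
class AccountState:
    username: str
    history: List[str] = field(default_factory=list)   # digests of past passwords, newest first
    last_change: Optional[date] = None


def digest(password: str) -> str:
    # The history keeps digests, not clear text, so reuse can be detected without
    # storing old passwords (illustrative; Windows keeps NT hashes, not SHA-256).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(username: str, password: str) -> bool:
    """Windows-style complexity filter: the password must not contain the account
    name and must use at least three of the four character classes."""
    if username.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def check_new_password(policy: PasswordPolicy, acct: AccountState,
                       candidate: str, today: date) -> List[str]:
    """Return the list of policy violations (empty means the change is allowed)."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.complexity and not meets_complexity(acct.username, candidate):
        violations.append("does not meet complexity requirements")
    if digest(candidate) in acct.history[:policy.history_size]:
        violations.append(f"reuses one of the last {policy.history_size} passwords")
    if acct.last_change is not None and (today - acct.last_change).days < policy.min_age_days:
        violations.append(f"current password is younger than {policy.min_age_days} day(s)")
    return violations


def change_password(policy: PasswordPolicy, acct: AccountState,
                    candidate: str, today: date) -> List[str]:
    """Apply the change only when no option is violated; record it in the history."""
    violations = check_new_password(policy, acct, candidate, today)
    if not violations:
        acct.history.insert(0, digest(candidate))
        del acct.history[policy.history_size:]      # keep only the remembered window
        acct.last_change = today
    return violations


def password_expired(policy: PasswordPolicy, acct: AccountState, today: date) -> bool:
    """Maximum password age: the user must change the password once it is older."""
    return acct.last_change is None or (today - acct.last_change).days > policy.max_age_days


def demo() -> dict:
    # Constructed sample account: "jsmith" changed to "Winter2003!" two days ago.
    policy = PasswordPolicy()
    today = date(2003, 4, 24)
    acct = AccountState("jsmith", history=[digest("Winter2003!")],
                        last_change=today - timedelta(days=2))
    return {
        "reuse": check_new_password(policy, acct, "Winter2003!", today),
        "contains_name": check_new_password(policy, acct, "jsmithRocks1!", today),
        "too_short": check_new_password(policy, acct, "Ab1!", today),
        "accepted": change_password(policy, acct, "Spring2003!", today),
        # Right after a change, the minimum age blocks another change the same day.
        "too_soon": check_new_password(policy, acct, "Summer2003!", today),
        "expired_day_60": password_expired(policy, acct, today + timedelta(days=60)),
        "expired_day_61": password_expired(policy, acct, today + timedelta(days=61)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The minimum-age check is what gives the history option its teeth: without it a user could change the password 25 times in a row and land back on the original.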
Account Lockout Options
• Account lockout duration
– Permits you to specify in minutes how long the system keeps an account locked out after reaching the specified number of unsuccessful logon attempts
• Account lockout threshold
– Enables you to set a limit to the number of unsuccessful attempts to log on to an account
• Reset account lockout counter after
– Enables you to specify the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account is not locked out too soon
10
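Added example, not from the chapter: a Python simulation of the three lockout options working together on one account. The threshold (3), reset window (10 minutes) and duration (15 minutes), and the sequence of logon attempts, are constructed values for the demo. It shows the two behaviours administrators most often have to explain: a correct password is refused while the lockout lasts, and a duration of 0 leaves the account locked until an administrator unlocks it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """The three account lockout options from the slide (values assumed for the demo)."""
    threshold: int = 3                              # Account lockout threshold; 0 = never lock out
    reset_after: timedelta = timedelta(minutes=10)  # Reset account lockout counter after
    duration: timedelta = timedelta(minutes=15)     # Account lockout duration; 0 = until an administrator unlocks


@dataclass
class Account:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None         # datetime.max = administrator must unlock


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def attempt_logon(policy: LockoutPolicy, acct: Account, password_ok: bool, now: datetime) -> str:
    """Process one logon attempt and return 'success', 'bad_password' or 'locked'."""
    if is_locked(acct, now):
        return "locked"                      # even a correct password is refused while locked
    if acct.locked_until is not None:        # lockout duration has elapsed: unlock automatically
        acct.locked_until = None
        acct.bad_count = 0
    if password_ok:
        acct.bad_count = 0                   # a good logon clears the counter
        acct.last_bad = None
        return "success"
    # "Reset account lockout counter after": earlier failures stop counting once the
    # window since the last failure has passed.
    if acct.last_bad is not None and now - acct.last_bad >= policy.reset_after:
        acct.bad_count = 0
    acct.bad_count += 1
    acct.last_bad = now
    if policy.threshold and acct.bad_count >= policy.threshold:
        acct.locked_until = datetime.max if policy.duration == timedelta(0) else now + policy.duration
        return "locked"
    return "bad_password"


def demo() -> List[str]:
    """Constructed sequence of attempts against one account (minute offset, password correct?)."""
    policy = LockoutPolicy()
    acct = Account()
    t0 = datetime(2003, 4, 24, 9, 0)
    attempts = [(0, False), (1, False), (12, False), (13, False), (14, False), (20, True), (30, True)]
    # Minute 12 lies outside the 10-minute reset window, so the counter restarts at 1
    # and the lockout only triggers at minute 14 (third failure since the reset).
    return [attempt_logon(policy, acct, ok, t0 + timedelta(minutes=m)) for m, ok in attempts]


def demo_admin_unlock_required() -> bool:
    """With a lockout duration of 0 the account stays locked indefinitely."""
    policy = LockoutPolicy(threshold=2, duration=timedelta(0))
    acct = Account()
    t0 = datetime(2003, 4, 24, 9, 0)
    attempt_logon(policy, acct, False, t0)
    attempt_logon(policy, acct, False, t0 + timedelta(seconds=30))
    return is_locked(acct, t0 + timedelta(days=365))


if __name__ == "__main__":
    print(demo())
    print("locked a year later:", demo_admin_unlock_required())
```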
Kerberos Security
• Involves the use of tickets that are exchanged between the client who requests access and the server or Active Directory that grants access
• A key distribution center (DC or server) stores user accounts and passwords
• The client computer sends an account name and password to the key distribution center
• The key distribution center issues a temporary ticket granting access to the ticket-granting server
• The ticket-granting server issues a service ticket for the duration of a logon session
11
Kerberos Security Options
• Enforce user logon restrictions
– Turns on Kerberos security, which is the default
• Maximum lifetime for a service ticket
– Maximum time in minutes that a ticket can access a particular service in one service session
• Maximum lifetime for a user ticket
– Maximum time in hours that a ticket can be used in one continuous session for access to a computer or domain
• Maximum lifetime for user ticket renewal
– Maximum number of days that the same Kerberos ticket can be renewed each time a user logs on
• Maximum tolerance for computer clock synchronization
– Length in minutes a client waits until synchronizing its clock
12
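Added example, not part of the textbook: a Python walk-through of the ticket exchange described on slides 11 and 12, with both sides' messages, applying the user ticket lifetime, service ticket lifetime and clock-skew tolerance the way a KDC would. The lifetimes use the Windows Server 2003 defaults (10 hours, 600 minutes, 5 minutes), assumed here as the KDC configuration; the user and service accounts are constructed; and tickets are authenticated with HMAC rather than encrypted, a simplification that still shows which party can read and check each message. One caveat to the slide's wording: in the protocol the client proves knowledge of the password by authenticating a timestamp, so the password itself is never sent to the key distribution center.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta

# Windows Server 2003 default values for the Kerberos policy options on the slide;
# assumed here as the KDC's configuration for the demo.
MAX_USER_TICKET = timedelta(hours=10)        # Maximum lifetime for user ticket
MAX_SERVICE_TICKET = timedelta(minutes=600)  # Maximum lifetime for service ticket
MAX_CLOCK_SKEW = timedelta(minutes=5)        # Maximum tolerance for computer clock synchronization


def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def seal(key: bytes, payload: dict) -> dict:
    """Ticket or authenticator: JSON body plus an HMAC tag under `key`. Simplification:
    real Kerberos encrypts these with the recipient's key; the tag only proves the
    issuer held the key, which is enough to show who can check what."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}


def open_sealed(key: bytes, sealed: dict) -> dict:
    expected = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise PermissionError("integrity check failed")
    return json.loads(sealed["body"])


def skewed(now: datetime, stamp: str) -> bool:
    return abs(now - datetime.fromisoformat(stamp)) > MAX_CLOCK_SKEW


class KDC:
    """Key distribution center holding account and service keys."""

    def __init__(self, users: dict, services: dict):
        self.users = {u: key_from_password(p) for u, p in users.items()}
        self.services = {s: key_from_password(p) for s, p in services.items()}
        self.tgs_key = os.urandom(32)  # key the ticket-granting server uses to read TGTs

    def as_exchange(self, user: str, preauth: dict, now: datetime):
        """AS exchange: the client proves it knows the password by authenticating a
        timestamp; the reply is a ticket-granting ticket plus a session key."""
        stamp = open_sealed(self.users[user], preauth)
        if skewed(now, stamp["time"]):
            raise PermissionError("client clock outside tolerance")
        session = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"user": user, "session": session,
                                  "expires": (now + MAX_USER_TICKET).isoformat()})
        return tgt, session

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str, now: datetime):
        """TGS exchange: check the TGT and its session-key authenticator, then issue
        a service ticket sealed under the service's own key."""
        t = open_sealed(self.tgs_key, tgt)
        if now > datetime.fromisoformat(t["expires"]):
            raise PermissionError("user ticket expired")
        auth = open_sealed(bytes.fromhex(t["session"]), authenticator)
        if auth["user"] != t["user"] or skewed(now, auth["time"]):
            raise PermissionError("bad authenticator")
        svc_session = os.urandom(16).hex()
        ticket = seal(self.services[service], {"user": t["user"], "service": service,
                      "session": svc_session, "expires": (now + MAX_SERVICE_TICKET).isoformat()})
        return ticket, svc_session


def service_accepts(service_key: bytes, ticket: dict, authenticator: dict, now: datetime) -> bool:
    """The application server verifies the ticket with its own key; it never asks the KDC."""
    try:
        t = open_sealed(service_key, ticket)
        auth = open_sealed(bytes.fromhex(t["session"]), authenticator)
    except PermissionError:
        return False
    return (now <= datetime.fromisoformat(t["expires"])
            and auth["user"] == t["user"] and not skewed(now, auth["time"]))


def demo() -> dict:
    now = datetime(2003, 4, 24, 9, 0, 0)
    kdc = KDC({"jsmith": "Spring2003!"}, {"fileserver": "svc-secret"})  # constructed realm
    ukey = key_from_password("Spring2003!")
    # 1. AS exchange  2. TGS exchange  3. service ticket presented to the file server
    tgt, session = kdc.as_exchange("jsmith", seal(ukey, {"time": now.isoformat()}), now)
    auth = seal(bytes.fromhex(session), {"user": "jsmith", "time": now.isoformat()})
    ticket, svc_session = kdc.tgs_exchange(tgt, auth, "fileserver", now)
    svc_auth = seal(bytes.fromhex(svc_session), {"user": "jsmith", "time": now.isoformat()})
    granted = service_accepts(key_from_password("svc-secret"), ticket, svc_auth, now)

    def rejected(action) -> bool:
        try:
            action()
            return False
        except PermissionError:
            return True

    behind = (now - timedelta(minutes=10)).isoformat()  # client clock 10 minutes behind the KDC
    return {
        "service_granted": granted,
        "skewed_clock_rejected": rejected(lambda: kdc.as_exchange("jsmith", seal(ukey, {"time": behind}), now)),
        "expired_user_ticket_rejected": rejected(lambda: kdc.tgs_exchange(tgt, auth, "fileserver", now + timedelta(hours=11))),
        "wrong_password_rejected": rejected(lambda: kdc.as_exchange("jsmith", seal(key_from_password("guess"), {"time": now.isoformat()}), now)),
    }
```

The clock-skew check is why the "Maximum tolerance for computer clock synchronization" option matters operationally: a workstation whose clock drifts more than the tolerance fails at the very first exchange, before any ticket exists.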
Establishing Audit Policies
• Account management
• Directory service and object access
• Logon and logoff events for an account and at the local computer
• Policy change and privilege use
• Process tracking and system events

14
Configuring User Rights
• User rights enable an account or group to perform predefined tasks such as the following:
– Access a server
– Create accounts
– Manage server functions
• Assign user rights to groups instead of to individual user accounts
– Members of a group inherit the user rights of the group

16
Configuring Security Options
• Over 65 specialized security options in the following categories
– Accounts
– Audit
– Devices
– Domain controller
– Domain member
– Interactive logon
– Microsoft network client
– Network access
18
Configuring Security Options (cont.)
– Network security
– Recovery console
– Shutdown
– System cryptography
– System objects
– System settings
• Options in each category are specialized to the category

19
Using IP Security Policies
• IPSec provides secure communications and encryption standards for all TCP/IP-based application and communications protocols
• IPSec process
– Computers exchange certificates to authenticate receiver and sender
– Data is encrypted at the NIC of the sending computer as it is formatted into an IP packet
• IPSec configuration tools
– Domain Security Policy tool
– IPSec Policies Management Snap-in
21
Using IP Security Policies (cont.)
• IPSec roles
– Client (Respond Only)
• When Windows Server 2003 is contacted by a client using IPSec, it responds by using IPSec communication
– Server (Request Security)
• When Windows Server 2003 is contacted or initiates a communication, it uses IPSec by default
• If the responding client does not support IPSec, the server switches to clear mode
– Secure Server (Require Security)
• Windows Server 2003 only responds using IPSec communication
22
Security Templates Snap-in
• Useful when there are multiple Group Policies or multiple OUs that share the same Group Policy
• Sets up security for the following
– Account and local policies
– Event log tracking policies
– Group restrictions
– Service access security
– Registry security
– File system security

24
Creating a New Security Template
• Make sure there is no default security template that matches your needs
• Group Policy Object Editor Snap-in and Security Templates Snap-ins should be installed
• Create a new template through the Security Template’s Action menu
– Configure the settings
• Import the new template to a Group Policy by using the Security Configuration and Analysis Snap-in

25
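Added example (not from the book): a Python parser for the .inf format in which the Security Templates Snap-in saves templates, plus a comparison of a template against a computer's current settings in the spirit of the Security Configuration and Analysis Snap-in. The template text is constructed for the demo; its section and key names (System Access, Event Audit, MinimumPasswordLength, AuditLogonEvents, ...) are the real ones used by that format, while the values are an assumed baseline, and the "current settings" of the analysed computer are likewise constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample template in the .inf format the Security Templates Snap-in
# writes. Section and key names are the real ones; values are an assumed baseline.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
; password and lockout policy
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Meaning of the numeric audit values in [Event Audit].
AUDIT_NAMES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

Template = Dict[str, Dict[str, str]]


def parse_template(text: str) -> Template:
    """Parse an .inf security template into {section: {key: value}}; ';' starts a comment."""
    sections: Template = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def analyze(template: Template, current: Template) -> List[Tuple[str, str, str, str]]:
    """Compare the template with the computer's effective settings, as the Security
    Configuration and Analysis Snap-in does: every differing setting is returned as
    (section, key, template value, actual value)."""
    mismatches = []
    for section in ("System Access", "Event Audit"):
        for key, wanted in template.get(section, {}).items():
            actual = current.get(section, {}).get(key, "<not set>")
            if actual != wanted:
                mismatches.append((section, key, wanted, actual))
    return mismatches


def describe_audit(value: str) -> str:
    return AUDIT_NAMES.get(int(value), f"unknown ({value})")


def demo() -> List[Tuple[str, str, str, str]]:
    template = parse_template(TEMPLATE_INF)
    # Constructed "current settings" of a freshly installed server: three account
    # settings and logon auditing are weaker than the template asks for.
    current = {
        "System Access": {**template["System Access"], "MinimumPasswordLength": "0",
                          "PasswordComplexity": "0", "LockoutBadCount": "0"},
        "Event Audit": {**template["Event Audit"], "AuditLogonEvents": "0"},
    }
    return analyze(template, current)


if __name__ == "__main__":
    for section, key, wanted, actual in demo():
        shown = describe_audit if section == "Event Audit" else str
        print(f"{section}/{key}: template={shown(wanted)} actual={shown(actual)}")
```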
Default Security Templates
• Provides compatible settings for Server 2003 and NT
– compatws
• Sets default security for DCs or root domains
– DC security, rootsec
• Sets maximum security for Windows Server 2003 DCs or workstations accessing Windows Server 2003
– hisecdc, hisecws
• Provides recommended security on DCs or client workstations
– securedc, securews
• Provides “out of the box” security
– setup security

26
Configuring Client Security
• Provides improvements in security
• Ensures a consistent working environment in an organization
• When a client logs on to the server or network, the policies are applied to the client
• Examples of use:
– Folder redirection for sensitive data
– Desktop icon management to start applications the same way for all clients

27
Manually Configuring Policies for Clients
• Use the Group Policy Object Editor Snap-in

28
Using Preconfigured Administrative Templates
• Multiple templates can be added to one Group Policy

31
Publishing and Assigning Software
• Users can employ the same software with the same software settings for the sake of productivity and security
• Publishing applications involves setting up software through a Group Policy so that clients install the software from a central distribution server
• Assigning applications involves configuring a policy so that a particular software application is started automatically through a desktop shortcut
• Use the Software Installation Properties dialog box under User Configuration Software Settings

33
Resultant Set of Policy
• A new feature included with Windows Server 2003
• Used to make the implementation and troubleshooting of Group Policies much simpler for an administrator
• Two modes:
– Planning mode generates a report and provides the result of proposed policy changes
– Logging mode generates a report based on the current policies in place and provides the resulting policy changes

35
Configuring the Encrypting File System
• EFS configures a unique, private encryption key that is associated with the user account that encrypted the folder or file
– Protects data from unauthorized use
• Use the cipher command from the Command Prompt window to configure file or folder encryption
– If no parameters are specified with the command, the encryption status of the current folder is displayed

37
Summary
• A Group Policy enables you to standardize how people use server and client computers on a network
• Security policies are part of a Group Policy and are configured to protect users and resources
• Configure account policies to apply to OUs, domains, sites, or local computers
– Password policies, account lockout policies, and Kerberos authentication policies
• Use audit policies to track how resources are accessed, such as folders, files, or user accounts

39
Summary
• User rights policies enable you to create specific security controls over privileges and logon access
• Security options are specialized policies for accounts, auditing, devices, domain controllers, logon, clients, network access, network security, and other activities
• Use the Security Templates Snap-in to apply default security settings or to create different Group Policy objects for different OUs, domains, or sites
• For better control over the activities of clients, manually configure administrative templates or apply preconfigured administrative templates (or both)

40
Summary
• Publish and assign applications to manage how clients use them
• Use the Resultant Set of Policy Snap-in to plan and troubleshoot Group Policies
• Fine-tune the use of the Encrypting File System by using the cipher command in the Command Prompt window

41
