Document 7837632

Chapter 6: Configuring Security

Options for Managing Security Configurations
• LGPO (Local Group Policy Object)
  – Used if the computer is not part of a domain environment
  – Set of security configuration settings that are created and stored on the local computer
    • Users
    • Computers
    • Stored in \systemroot\System32\GroupPolicyUsers
• GPO (Group Policy Objects)
  – Used if the computer is part of an Active Directory domain
  – Allows for remote and centrally managed security
  – Has more levels of security structure, and thus more granular control

Group Policy and LGPO (Local Group Policy Objects) Setting Options
• Software Installation
  – Not available with LGPOs
• Remote Installation Services
• Scripts
• Printers
• Security Settings
• Policy-based QoS
• Administrative Templates
• Folder Redirection
  – Not available with LGPOs
• Internet Explorer Configuration

GPO Inheritance
• Order of inheritance
  – Local
  – Site (physical location)
  – Domain
  – Organizational Unit (OU)
• Containers higher in this order are called parents and lower ones are called children.
• Children inherit from the parent, and non-conflicting settings are additive. If settings conflict, then the child overrides the parent.
• Two types of policy settings
  – Computer Settings
  – User Settings
• If a conflict occurs, then the Computer setting is applied.

GPO Inheritance
• Special options for overriding the default behavior of GPO execution
  – No Override
    • Used to specify that a child cannot override the policy settings of a parent (higher-level) container.
  – Block Inheritance
    • Used to allow a child container to block the inheritance of a policy from a parent container.
• If a conflict occurs between “No Override” and “Block Inheritance”, then “No Override” wins and is applied.

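The inheritance rules of the last two slides (Local, Site, Domain, OU order; child overrides parent; Block Inheritance; and No Override winning that conflict) worked through in code. This is an added example, not part of the deck; the Gpo and Container classes, the policy names and the sample chain are constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified model of the deck's rules (added example, not code from the slides):
# containers are processed Local -> Site -> Domain -> OU, a later container overrides an
# earlier one on conflict, Block Inheritance discards inherited settings, and a setting
# from a GPO marked No Override can neither be overridden nor blocked below it.

@dataclass
class Gpo:
    name: str
    settings: dict             # policy name -> value
    no_override: bool = False

@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_set_of_policy(chain):
    """Return {policy: (value, gpo_name)} for containers given in processing order."""
    effective = {}    # policy -> (value, source GPO)
    enforced = set()  # policies locked by a No Override GPO higher in the chain
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance drops what was inherited, except No Override settings
            effective = {k: v for k, v in effective.items() if k in enforced}
        for gpo in container.gpos:
            for policy, value in gpo.settings.items():
                if policy in enforced:
                    continue  # a parent's No Override setting beats the child's
                effective[policy] = (value, gpo.name)
                if gpo.no_override:
                    enforced.add(policy)
    return effective

# Constructed sample: the Sales OU blocks inheritance, but the domain security GPO
# is marked No Override, so its password and lockout settings still reach Sales.
SAMPLE_CHAIN = [
    Container("Local", [Gpo("Local Computer Policy", {"MinimumPasswordLength": 6})]),
    Container("Site", [Gpo("Site Desktop", {"Wallpaper": "corp.bmp"})]),
    Container("Domain", [Gpo("Domain Security", {"MinimumPasswordLength": 12,
                                                  "AccountLockoutThreshold": 5}, no_override=True)]),
    Container("OU=Sales", [Gpo("Sales Desktop", {"MinimumPasswordLength": 8,
                                                 "Wallpaper": "sales.bmp"})], block_inheritance=True),
]

if __name__ == "__main__":
    for policy, (value, source) in resultant_set_of_policy(SAMPLE_CHAIN).items():
        print(f"{policy:<24} = {value!r:<12} (from {source})")
```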
Group Policy Result Tool
• Because of the overlapping nature of Group Policies, Vista provides a tool to help determine which policies will be applied.
  – The tool is accessed through the GPResult.exe command-line utility.
  – GPResult displays the Resultant Set of Policy (RSOP) for the computer and the user who is currently logged in.
    • C:\>GPResult.exe /r

Using Local Group Policies
• Used to manage configuration settings for workstations in a workgroup environment without an Active Directory domain
• Created and assigned through the Local Group Policy snap-in in MMC
  – Microsoft Management Console
• Two types of policies:
  – Computer Configuration
  – User Configuration

Multiple Local Group Policy Objects (MLGPOs)
• New to Windows Vista
• Enables Vista to apply LGPOs to specific users rather than applying them to every user on a computer
• Applied in the following order:
  – Local Computer Policy (User and Computer)
  – Administrators and Non-Administrators Local Group Policy (User only)
  – User-Specific Group Policy (User only)
• Again, GPO settings applied lower will override parent settings in the event of a conflict.
• An AD GPO will override a conflicting LGPO.

Setting Computer Configuration Policies
• Three folders within the Computer Configuration folder:
  – Software Settings
  – Windows Settings
  – Administrative Templates
• Scripts and Security Settings are found within the Windows Settings folder.

Windows Settings
• Scripts
  – Logon
  – Logoff
  – Startup
  – Shutdown
• Security Settings
  – Account Policies
  – Local Policies
  – Windows Firewall with Advanced Security
  – Public Key Policies
  – Software Restriction Policies
  – IP Security Policies
• Policy-based QoS

Account Policies
• Password Policy
  – Enforce Password History
    • No repeated passwords
  – Maximum Password Age
    • Time until a password change is required
  – Minimum Password Age
    • Keeps a user from immediately changing the password back to what it was
  – Minimum Password Length
    • If not set, then no password is required
  – Password Must Meet Complexity Requirements
    • Must be 6 characters or longer, cannot contain the username or any part of the full name, and must contain 3 of the following:
      – English uppercase character
      – English lowercase character
      – Decimal digit
      – Symbols
  – Store Passwords Using Reversible Encryption
    • Higher level of encryption security

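The complexity rule on this slide as a checker that reports which part of the rule a candidate password violates. This is an added example, not code from the deck; the account jsmith / John Smith and the way the full name is split into parts are assumptions of the example.

```python
import re

# Added example of the complexity rule on the slide (not code from the deck): at least
# 6 characters, no username and no part of the full name, and at least 3 of 4 character
# classes. Treating "any part of the full name" as name tokens of 3+ characters is an
# assumption made for this example.

CLASS_PATTERNS = {
    "upper":  re.compile(r"[A-Z]"),
    "lower":  re.compile(r"[a-z]"),
    "digit":  re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def name_tokens(full_name):
    """Pieces of the full name the password may not contain (assumed: 3+ characters)."""
    return [t for t in re.split(r"[ ,.\t_-]+", full_name) if len(t) >= 3]

def complexity_failures(password, username, full_name=""):
    """Return the list of violated rules; an empty list means the password passes."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    lowered = password.lower()
    if username and username.lower() in lowered:
        failures.append("contains the username")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            failures.append(f"contains part of the full name ({token})")
    classes = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(classes) < 3:
        failures.append(f"uses only {len(classes)} of 4 character classes")
    return failures

def meets_complexity(password, username, full_name=""):
    return not complexity_failures(password, username, full_name)

if __name__ == "__main__":
    # Constructed sample account jsmith / "John Smith" and some candidate passwords
    for candidate in ["P@ssw0rd", "Smith2007!", "jsmith99", "abcDEF", "Tr0ub4dor&3"]:
        problems = complexity_failures(candidate, "jsmith", "John Smith")
        print(f"{candidate:<12} {'OK' if not problems else '; '.join(problems)}")
```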
Account Policies
• Account Lockout Policy
  – Account Lockout Duration
    • How long the account will remain locked if the threshold is reached.
  – Account Lockout Threshold
    • Specifies how many invalid attempts can be made before the account is locked.
  – Reset Account Lockout Counter After
    • How many minutes the counter will remember unsuccessful login attempts.

Local Policies
After Login
• Audit Policy (too many audit settings will degrade performance)
  – Used to track success or failure of user actions.
    • Login Attempts
    • Object Access
• User Rights Assignment
  – User rights as they apply to the system, not file permissions
    • Change System Time
    • Add workstations to the Domain
    • Back up files and directories
• Security Options
  – Security as it relates to the computer, not the user.
  – Contains new policies relating to User Account Control (UAC)
    • Require approval for administrative operations
    • Specifies the method of approval
      – Prompt for Consent
      – Prompt for Credentials

User Account Control
• New to Windows Vista
• Protects computers by requiring privilege elevation for all users, including local Administrators (except the built-in Administrator account)
  – Local administrative users act as standard users until doing something which requires administrative privileges
  – Standard users will be prompted for the credentials of an admin user.
• Privilege escalation is required whenever the four-color shield icon is present.

Windows Security Center
• Used to monitor and configure critical settings through a centralized dialog box for:
  – Windows Firewall
  – Automatic Updating
  – Malware Protection
  – Other Security Settings
• Lists whether each security feature is enabled and whether it is up to date.

Windows Firewall
• Protects the computer from unauthorized users or malicious software. It does not allow unsolicited traffic (traffic that was not requested) to pass.
• Configuration
  – General tab
    • On or Off, as well as Block all incoming connections
  – Exceptions tab
    • Define which programs and services can pass through the firewall
  – Advanced tab
    • Specify firewall settings at a more granular level by reducing control to the specific connection.
• Windows Firewall with Advanced Security is used to configure advanced settings, including inbound and outbound rules

Windows Defender
• Formerly Microsoft AntiSpyware
• Protects the computer from spyware threats
• Tools and Settings
  – Options:
    • Default Actions
    • Automatic Scans
    • Real-time Protection
  – Microsoft SpyNet
    • Online community for such things as what to do with non-classified software
  – Quarantined Items
    • Allows recovery of software found to be OK
  – Allowed Items
    • List of trusted applications
  – Software Explorer
    • Lists installed software and its classification
  – Windows Defender website

BitLocker Drive Encryption
• Included with Vista Enterprise and Vista Ultimate
• Used to encrypt the system drive
  – The security key is stored on the system's TPM (Trusted Platform Module) chip. If no TPM is present, it can be stored on a USB thumb drive, which will then be required each time you boot the system.
  – The 48-digit BitLocker recovery password must not be lost, as it is needed to recover from a lost or corrupted USB drive.
• Files on other drives must be encrypted with another method, such as Encrypting File System (EFS), as BitLocker only encrypts the system drive

File and Folder Access Security
• Vista allows you to very easily share and secure files and folders.
• A user's access rights to specific folders are based on their logon name and group associations, by applying NTFS (New Technology File System) permissions.

NTFS Permissions
• If permissions are not explicitly granted in NTFS, then they are implicitly denied. An explicit deny overrides explicitly granted permissions.
• Six levels of permissions
  – Full Control
  – Modify
  – Read & Execute
  – List Folder Contents
  – Read
  – Write

Controlling Inheritance
• By default, subfolders and files inherit the permissions assigned to the parent folder.
• Prevent permissions from propagating to subfolders and files by clearing the “Include Inheritable Permissions from This Object's Parent” check box.

Determining Effective Permissions
• To determine a user's effective rights to a file or folder:
  – Add all the permissions allowed to the user to all the permissions granted to the groups of which the user is a member.
  – Subtract any permissions similarly denied to the user or the user's groups.

Determining NTFS Permissions for Copied and Moved Files

                     | Move File                                    | Copy File
Same Partition       | Retains original NTFS permissions            | Inherits permissions from destination folder
Different Partition  | Inherits permissions from destination folder | Inherits permissions from destination folder

Managing Network Access
• Share folders that contain files you want to be accessible over the network
• Configure sharing from the Sharing tab of the folder properties dialog box

Configuring Share Permissions
• Permissions can be assigned to users and groups
  – Full Control
    • Allows full access to the folder
  – Change
    • Allows users to change data in files or to delete files
  – Read
    • Allows users to view and execute files

NTFS Permissions + Share Permissions
• NTFS security and shared folder security work together
• The most restrictive permissions are the effective permissions:
  – NTFS security more restrictive than shared folder security = NTFS permissions are effective
  – Shared folder security more restrictive than NTFS security = shared folder permissions are effective
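The effective-permission rule from the Determining Effective Permissions slide (add the user's and groups' allows, subtract denies) combined with the most-restrictive rule on this slide, as an added example that is not code from the deck. The split of each permission level into elementary rights, and the sample ACL for user alice, are assumptions made for the illustration.

```python
# Added example (not from the slides): effective NTFS rights are the union of the
# user's and their groups' Allow entries minus any Deny entries; access through a
# share is the more restrictive of that NTFS result and the share permission. The
# decomposition of each level into elementary rights is a simplification assumed here.

NTFS_LEVELS = {
    "Read":                 {"read"},
    "Write":                {"write"},
    "List Folder Contents": {"list"},
    "Read & Execute":       {"read", "list", "execute"},
    "Modify":               {"read", "list", "execute", "write", "delete"},
    "Full Control":         {"read", "list", "execute", "write", "delete",
                             "change_permissions", "take_ownership"},
}
SHARE_LEVELS = {
    "Read":         {"read", "list", "execute"},
    "Change":       {"read", "list", "execute", "write", "delete"},
    "Full Control": NTFS_LEVELS["Full Control"],
}

def effective_ntfs_rights(acl, user, groups):
    """acl: list of (principal, "Allow" | "Deny", level). An explicit Deny wins."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, ace_type, level in acl:
        if principal not in principals:
            continue  # entry is for someone else
        (allowed if ace_type == "Allow" else denied).update(NTFS_LEVELS[level])
    return allowed - denied  # nothing explicitly allowed => implicitly denied

def effective_share_access(acl, user, groups, share_level):
    """Most restrictive of NTFS and share permissions = intersection of the rights."""
    return effective_ntfs_rights(acl, user, groups) & SHARE_LEVELS[share_level]

# Constructed sample: alice is in Sales (Modify allowed) and Contractors (Write denied)
SAMPLE_ACL = [
    ("Domain Users", "Allow", "Read & Execute"),
    ("Sales",        "Allow", "Modify"),
    ("Contractors",  "Deny",  "Write"),
]
ALICE_GROUPS = {"Domain Users", "Sales", "Contractors"}

if __name__ == "__main__":
    print("NTFS only:  ", sorted(effective_ntfs_rights(SAMPLE_ACL, "alice", ALICE_GROUPS)))
    print("via Change: ", sorted(effective_share_access(SAMPLE_ACL, "alice", ALICE_GROUPS, "Change")))
    print("via Read:   ", sorted(effective_share_access(SAMPLE_ACL, "alice", ALICE_GROUPS, "Read")))
```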