2. Module Overview
• Security Overview for Windows Operating Systems
• Configuring Security Settings
• Restricting Software
• Configuring Windows Firewall with Advanced Security
3. Lesson 1: Security Overview for Windows Operating Systems
• Discussion: Identifying Security Risks and Costs
• Applying Defense-In-Depth to Increase Security
• Best Practices for Increasing Security
5. Applying Defense-In-Depth to Increase Security
Defense-in-depth uses a layered approach to security:
• Reduces an attacker’s chance of success
• Increases an attacker’s risk of detection
Layers and example measures:
• Policies, procedures, and awareness: security documents, user education
• Physical security: guards, locks, tracking devices
• Perimeter: firewalls, network access quarantine control
• Networks: network segments, IPsec, reverse proxy servers
• Host: hardening, authentication, update management
• Application: application hardening, antivirus
• Data: ACLs, EFS, BitLocker, backup/restore procedures
6. Best Practices for Increasing Security
Some best practices for increasing security are:
• Apply all available security updates quickly
• Follow the principle of least privilege
• Use separate administrative accounts
• Restrict administrator console sign-in
• Restrict physical access
7. Lesson 2: Configuring Security Settings
• Configuring Security Templates
• Configuring User Rights
• Configuring Security Options
• Configuring User Account Control
• Configuring Security Auditing
• Configuring Restricted Groups
• Configuring Account Policy Settings
• What Is Security Compliance Manager?
8. Configuring Security Templates
Security Templates categories:
• Account policies
• Local policies
• Event log
• Restricted groups
• System services
• Registry
• File system
Security templates are distributed by using:
• The secedit command-line tool
• The Security Templates snap-in
• The Security Configuration and Analysis Wizard
• Group Policy
• The Security Compliance Manager
9. Configuring User Rights
User Rights Types:
• Privileges
• Logon rights
Examples of common user rights:
• Add workstations to domain
• Allow log on locally
• Allow log on through Remote Desktop Services
• Back up files and directories
• Change the system time
• Force shutdown from a remote computer
• Shut down the system
10. Configuring Security Options
Security options settings:
• Administrator and Guest account names
• Access to CD/DVD drives
• Digital data signatures
• Driver installation behavior
• Logon prompts
• UAC
Examples:
• Prompt user to change password before expiration
• Do not display last user name
• Specify a message to be displayed when users are logging on
• Rename administrator account
11. Configuring Restricted Groups
Group Policy can control group membership:
• For any group on a domain-joined computer, by applying a GPO to the OU that contains the computer account
• For any group in AD DS, by applying a GPO to the domain controller’s OU
Be aware of problems that might arise from using policies for domain-based groups, and refer to the student handbook for more information
12. Configuring Account Policy Settings
Account policies reduce the threat of brute force guessing of account passwords
Password policy (controls complexity and lifetime of passwords), default settings:
• Max password age: 42 days
• Min password age: 1 day
• Min password length: 7 characters
• Complex password: enabled
• Store password using reversible encryption: disabled
Account lockout policy (controls how many incorrect attempts can be made), default settings:
• Lockout duration: not defined
• Lockout threshold: 0 invalid logon attempts
• Reset account lockout after: not defined
Kerberos policy:
• Subset of the attributes of domain security policy
• Can only be applied at the domain level
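An added check (not part of the course materials) that reads the effective default domain policy with the ActiveDirectory module and reports every setting weaker than the defaults listed above; the function name and the treatment of a lockout threshold of 0 as a finding are this example's own choices.

```powershell
# Added example: compare the effective default domain account policy with the
# defaults listed on the slide and flag anything weaker. Requires RSAT / the
# ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Test-AccountPolicyBaseline {
    param(
        # Object returned by Get-ADDefaultDomainPasswordPolicy, or any object
        # with the same property names (handy for offline testing).
        [Parameter(Mandatory)] $Policy
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Slide defaults: max age 42 days, min age 1 day, min length 7,
    # complexity on, reversible encryption off. A MaxPasswordAge of 0 (or
    # TimeSpan.MaxValue) means passwords never expire.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
        $Policy.MaxPasswordAge -gt (New-TimeSpan -Days 42)) {
        $findings.Add("MaxPasswordAge is $($Policy.MaxPasswordAge.Days) days (default 42; 0 = never expires)")
    }
    if ($Policy.MinPasswordAge -lt (New-TimeSpan -Days 1)) {
        $findings.Add("MinPasswordAge is $($Policy.MinPasswordAge.Days) days (default 1; 0 lets users cycle straight back to an old password)")
    }
    if ($Policy.MinPasswordLength -lt 7) {
        $findings.Add("MinPasswordLength is $($Policy.MinPasswordLength) (default 7)")
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings.Add('Password complexity is disabled (default enabled)')
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings.Add('Reversible encryption is enabled (default disabled): stored passwords are recoverable in clear text')
    }
    # The slide lists the default lockout threshold as 0, which means accounts
    # are never locked out; this example treats that as a finding because the
    # whole point of account policies is to slow down password guessing.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings.Add('LockoutThreshold is 0: accounts never lock out, so online guessing is not slowed down')
    }
    return $findings
}

# Live check against the domain this computer belongs to.
$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = Test-AccountPolicyBaseline -Policy $policy
if ($findings.Count -eq 0) {
    Write-Output "Account policy for $($policy.DistinguishedName) meets the slide defaults."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Fine-grained password policies (mentioned in the notes for this slide) override the default domain policy for the users they target, so a clean result here does not cover accounts that have a Password Settings Object applied.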
13. What Is Security Compliance Manager?
SCM is a free tool from Microsoft that helps you secure
local, remote, or virtualized computers. It features:
• Baselines
• Security guides
• Support for standalone computers
• Support for import GPO backups
You can use SCM to:
• Validate that computers are configured for compliance
• Reduce the work involved in configuring computers for compliance
• Move, compare and merge settings across two independent environments
• Formulate and update your security policies
14. Lab A: Increasing Security for Server Resources
• Exercise 1: Using Group Policy to Secure Member Servers
• Exercise 2: Auditing File System Access
• Exercise 3: Auditing Domain Logons
Logon Information
Virtual machines: 20410D-LON-DC1, 20410D-LON-SVR1, 20410D-LON-SVR2, 20410D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 50 minutes
15. Lab Review
• What happens if you configure the Computer Administrators group, but not the Domain Admins group, to be a member of the Local Administrators group on all of a domain’s computers?
• Why do you need to restrict local logon to some computers?
• What happens when an unauthorized user tries to access a folder that has auditing enabled for both successful and unsuccessful access attempts?
• What happens when you configure auditing for domain logons for both successful and unsuccessful logon attempts?
16. Lesson 3: Restricting Software
• What Are Software Restriction Policies?
• What Is AppLocker?
• AppLocker Rules
• Demonstration: Creating AppLocker Rules
17. What Are Software Restriction Policies?
• SRPs allow administrators to identify which apps are allowed to run on client computers
• SRPs can be based on the following:
  • Hash
  • Certificate
  • Path
  • Zone
• SRPs are applied through Group Policy
18. What Is AppLocker?
AppLocker applies Application Control Policies in Windows Server 2012 and Windows 8
AppLocker contains capabilities and extensions that:
• Reduce administrative overhead
• Help administrators control how users access and use files:
  • .exe files
  • scripts
  • DLLs
  • Windows Installer files
  • Packaged apps
Benefits of AppLocker:
• Controls how users can access and run all types of apps
• Allows the definition of rules based on a wide variety of variables
• Provides for importing and exporting entire AppLocker policies
19. AppLocker Rules
AppLocker defines rules based on file attributes such as:
• Publisher name
• Product name
• File name
• File version
Rule actions
• Allow or Deny conditions
• Enforce or Audit Only policies
20. Demonstration: Creating AppLocker Rules
In this demonstration, you will see how to:
• Create a GPO to enforce the default AppLocker Executable rules
• Apply the GPO to the domain
• Test the AppLocker rule
21. Lesson 4: Configuring Windows Firewall with Advanced Security
• What Is Windows Firewall with Advanced Security?
• Discussion: Why Is a Host-Based Firewall Important?
• Firewall Profiles
• Connection Security Rules
• Deploying Firewall Rules
• Demonstration: Implementing Secured Network Traffic with Windows Firewall
22. What Is Windows Firewall with Advanced Security?
Windows Firewall is a stateful, host-based firewall that allows or blocks network traffic according to its configuration
23. What Is Windows Firewall with Advanced Security?
The benefits of Windows Firewall include that it:
• Supports filtering for both incoming and outgoing traffic
• Integrates firewall filtering and IPsec protection settings
• Enables you to configure rules to control network traffic
• Provides network location-aware profiles
• Enables you to import or export policies
24. Discussion: Why Is a Host-Based Firewall Important?
• Why is it important to use a host-based firewall such as Windows Firewall with Advanced Security?
10 minutes
25. Firewall Profiles
• Firewall profiles are a set of configuration settings that apply to a particular network type
• The firewall profiles are:
  • Domain
  • Public
  • Private
• Windows Server 2012 includes the ability to have multiple active firewall profiles
26. Connection Security Rules
Connection security rules:
• Authenticate two computers before they begin communications
• Secure information being sent between two computers
• Use key exchange, authentication, data integrity, and data encryption (optionally)
How firewall rules and connection rules are related:
• Firewall rules allow traffic through, but do not secure that traffic
• Connection security rules can secure the traffic, but only if a firewall rule was previously configured
27. Deploying Firewall Rules
You can deploy Windows Firewall rules:
• Manually. Used during testing, troubleshooting, or for individual computers.
• By using Group Policy. The preferred way. Create and test the rules, and then deploy them to a large number of computers.
• By exporting and importing. Uses Windows Firewall with Advanced Security. When you import rules, they replace all current rules.
Always test firewall rules in an isolated, nonproduction environment before you deploy them in production.
28. Demonstration: Implementing Secured Network Traffic with Windows Firewall
In this demonstration, you will see how to:
• Check to see if ICMP v4 is blocked
• Enable ICMP v4 from LON-CL2 to LON-SVR2
• Create a connection security rule so that traffic is authenticated to the destination host
• Validate ICMP v4 after the connection security rule is in place
29. Lab B: Configuring AppLocker and Windows Firewall
• Exercise 1: Configuring AppLocker Policies
• Exercise 2: Configuring Windows Firewall
Logon Information
Virtual machines: 20410D-LON-DC1, 20410D-LON-SVR1, 20410D-LON-CL1
User name: Adatum\Administrator
Estimated Time: 60 minutes
30. Lab Review
• You configured an AppLocker rule that prevents users from running software in a specified file path. How can you prevent users from moving the folder containing the software so that they can circumvent the rule and still run it?
• You want to introduce a new application that needs to use specific ports. What information do you need to configure Windows Firewall with Advanced Security, and from what source can you get it?
31. Module Review and Takeaways
• Review Questions
• Best Practices
• Common Issues and Troubleshooting Tips
• Tools
Editor's Notes
#1:Presentation: 1:45
Lab A: 50 minutes
Lab B: 60 minutes
After completing this module, students should be able to:
Describe Windows® Server operating-system security.
Configure security settings by using Group Policy.
Increase security for server resources.
Restrict unauthorized software from running on servers and clients.
Configure Windows Firewall with Advanced Security.
Required Materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20410D_12.ppt.
Important: We recommend that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of Office PowerPoint, all the features of the slides might not display correctly.
Preparation Tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
#2:Introduce this module to students by giving a high-level overview of how security is important to information technology (IT). Present a high-level overview of this module’s lessons.
#3:Mention that before students learn how to configure security settings, they first must learn to identify security risks and threats.
Explain that risk-security assessment can be different for every organization and for different departments within the same organization.
#4:Discussion Question:
What are some of the security risks in Windows-based networks?
Answer:
Some of the security risks in Windows-based networks are:
Malware (malicious software). Malware is one of the biggest risks to Windows-based networks. As a popular operating system, the Windows operating system is the frequent target of malware writers. Hackers can use malware to steal passwords and other useful information, or to take over an enterprise's computers to send out spam. The most sophisticated malware can specifically target organizations.
Stolen data. Stolen data is a risk for students' organizations because competitors can use it or unauthorized individuals can use it to embarrass an organization.
Legal issues. Legal issues are a concern if confidential or private data is stolen or made public. This is particularly true for customer data.
Deleted data. Whether malware intentionally deletes data, or a user accidentally does, lost data can be expensive and time consuming to recover.
#5:Briefly describe each layer of the defense‑in‑depth model. The key point is that creating multiple layers of security is inherently more secure than focusing on a single layer. Do not go into too much detail, because you will discuss increasing security for each of these layers further in the “Configuring Security Settings” lesson later in this module.
Question
How many layers of the defense‑in‑depth model should you implement in your organization?
Answer
You should implement all layers of the defense‑in‑depth model, to some extent. You should base the actual measures that you implement on your organization’s needs and budget.
#6:You can use these best practices as a starting point for a discussion regarding other best practices for increasing security. For example, inform students that when applying updates, they should apply different strategies to client operating systems than they do for server operating systems.
Stress that organizations and IT departments need to evaluate and update security best practices regularly. As technology evolves, security strategies change. Therefore, security best practices should evolve, too.
For a more detailed list on Microsoft security best practices, refer students to the Additional Reading link in their Student Handbook.
#7:Tell students that in this module, they will configure different security settings to protect their Windows operating-system environment. Additionally, they will use Group Policy to deploy security settings for multiple users and computers.
Stress to students that they should assess security settings in a test environment before they deploy them throughout their organization. This is because some security settings might restrict users or cause applications to stop functioning.
#8:Open a Microsoft Management Console (MMC), and then add the Security Templates snap‑in to the console.
Display examples of the settings and configuration to students.
Display each of the template-distribution tools that the slide lists, and briefly describe them to students.
#9:Give a high-level overview of the user rights settings, and describe each of them briefly to students by demonstrating the settings in the Group Policy Management Console (GPMC).
Stress to students that they should test settings before applying them in production. If you do not configure user rights properly, your network environment might be more vulnerable or might not work properly. For example, granting user rights to force a shut down from a remote system might cause critical business servers to shut down during busy working hours.
#10:Give a high-level overview of the Security Options settings, and describe each of them briefly by demonstrating the settings in the GPMC.
Explain some of the settings in this topic. For example:
Interactive logon: Do not display last user name. When you enable this setting, the username of the person who last signed in to the computer does not appear. Therefore, the potential attacker has to guess or try to find out both the username and the password to obtain access to computer or network resources. If you disable this setting, the attacker would know the username, and would need only the password.
Accounts: Rename administrator account. When enabled, this setting renames the local administrator account. The potential attacker would have to find out both the username and the password to obtain access to computer resources. If you disable this setting, the attacker would know the username, which is Administrator, and would need only the password.
#11:Describe how Group Policy can control the membership of local or domain groups.
Explain that using Group Policy is the most efficient way to control local built-in group memberships on clients and member servers, and that you can use restricted groups when configuring membership of local or domain groups. There are two options for restricted groups, including:
Members of this group. Use this option to restrict the entire group membership to only what you configure for the restricted group. This enables you to remove existing group members if you did not include them in the group membership.
This group is a member of. Use this option to add additional members to whatever groups already exist.
Mention that students also can use Group Policy preferences to add local users or local groups to domain member computers.
#12:Explain that account policies refer to the collection of settings that include password settings, account lockout settings, and Kerberos version 5 protocol-authentication policy settings.
Explain that these settings apply to all domain users, unless you implement fine-grained passwords.
Discuss the impact of complexity requirements that demand that users have three of these four types of characters in a password: uppercase, lowercase, numeric, and symbol.
Mention that if you configure password history, you should configure minimum and maximum password ages.
Mention that you should base the number of days in the Maximum Password Age setting upon the strength of the passwords. Therefore, you give lower-strength passwords a shorter maximum age, while you give higher-strength passwords a longer maximum age.
Explain the purpose of the account lockout threshold, but do not spend a significant amount of time on this, and then briefly discuss Kerberos authentication settings.
#13:Discuss some real-world uses of Security Compliance Manager, such as:
Creating secure GPOs for enterprise-wide distribution.
Locking down specialized computers, such as kiosks or terminal servers.
Using it as a reference point for compliance and analysis needs.
#14:Before students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind students to complete the discussion questions after the last lab exercise.
Exercise 1: Using Group Policy to Secure Member Servers
A. Datum Corporation uses the Computer Administrators group to provide administrators with permissions to administer member servers. As part of the installation process for a new server, the Computer Administrators group from the domain is added to the local Administrators group on the new server. Recently, this important step was missed when configuring several new member servers.
To ensure that the Computer Administrators group is always given permission to manage member servers, your manager has asked you to create a GPO that sets the membership of the local Administrators group on member servers to include Computer Server Administrators. This GPO also needs to enable Admin Approval Mode for UAC.
Exercise 2: Auditing File System Access
The manager of the Marketing department has concerns that there is no way to track who is accessing files that are on the departmental file share. Your manager has explained that only users with permissions are allowed to access the files. However, the manager of the Marketing department wants to try recording who is accessing specific files.
Your manager has asked you to enable auditing for the file system that is on the Marketing department file share, and to review the results with the manager of the Marketing department.
Exercise 3: Auditing Domain Logons
After a security review, the IT policy committee has decided to begin tracking all user logons to the domain. Your manager has asked you to enable auditing of domain logons and verify that they are working.
#15:Lab Review Questions
Question
What happens if you configure the Computer Administrators group, but not the Domain Admins group, to be a member of the Local Administrators group on all of a domain’s computers?
Answer
If you do not include the Domain Admins group in the Local Administrators group, Domain Admins will not be a member of the Local Administrators group on all of a domain’s computers.
Question
Why do you need to restrict local logon to some computers?
Answer
It is not a good security practice for every domain user to be able to log on to every domain computer. Typically, all servers, and some clients with sensitive local information or applications, should not allow all users to log on locally.
Question
What happens when an unauthorized user tries to access a folder that has auditing enabled for both successful and unsuccessful access attempts?
Answer
An event is generated in the Event Viewer security log, with information about who has tried to access the folder and whether the attempt was successful.
Question
What happens when you configure auditing for domain logons for both successful and unsuccessful logon attempts?
Answer
Events are generated in the Event Viewer security log, with information about who has tried to log on to the domain and whether the attempt was successful.
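An added example (not part of the course materials) that reads the Security log events these two answers describe: 4624/4625 for successful and failed logons, and 4656/4663 for audited file access. The helper names, the 24-hour window, the LON-SVR1 host for the Marketing share and the C:\Marketing path are assumptions for the lab environment.

```powershell
# Added example: summarise the events produced by the auditing configured in
# Lab A. Requires rights to read the remote Security log.

function ConvertFrom-SecurityEvent {
    # Flatten one Security-log record using its EventData XML; field names are
    # stable, unlike positional $_.Properties indexes.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Id        = $Event.Id
            # Success/failure auditing shows up as the record's keyword.
            Outcome   = if ($Event.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType    # 4624/4625: 2 interactive, 3 network, 10 Remote Desktop
            Source    = $d.IpAddress    # 4624/4625: where the logon came from
            Object    = $d.ObjectName   # 4656/4663: the file or folder touched
            Access    = $d.AccessMask   # 4656/4663: requested rights
            Status    = $d.Status       # 4625: NTSTATUS, e.g. 0xC000006A = wrong password
        }
    }
}

function Get-AuditSummary {
    param(
        [string]$ComputerName = 'LON-DC1',
        [int[]] $Id = @(4624, 4625, 4656, 4663),
        [int]   $Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; an empty result is valid here.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
    $events | ConvertFrom-SecurityEvent
}

# Exercise 3 (domain logons): failed logons per account. Many failures against
# one account is exactly the pattern an account lockout threshold is meant to
# slow down; a single failure per account across many accounts is a different
# pattern and worth a second look too.
Get-AuditSummary -ComputerName 'LON-DC1' -Id 4625 |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Exercise 2 (file share): who touched the Marketing share, and whether the
# attempt was allowed (4663) or refused (4656 with Audit Failure).
Get-AuditSummary -ComputerName 'LON-SVR1' -Id 4656, 4663 |
    Where-Object { $_.Object -like 'C:\Marketing\*' } |
    Select-Object Time, Outcome, Account, Object, Access |
    Format-Table -AutoSize
```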
#16:Introduce this lesson by discussing with students their experiences in protecting computers from unwanted software installations. Discuss how to restrict users from installing or using unwanted software.
Tell students that this lesson covers software restriction policies (SRPs) and using AppLocker®, a feature of Windows 7 and newer versions of Windows. Focus more on AppLocker technology than on SRPs, because AppLocker is a more efficient way to restrict software.
#17:Introduce Software Restriction Policies (SRPs) as the legacy solution for managing application execution. Introduce their basic functionality and key components.
This slide is intended only to define and explain SRPs. Do not go into much detail yet about the differences between SRPs and AppLocker®. Ensure that students understand the concept of applying security levels both at the default security level and to individual SRP rules.
Explain how these two areas combine to provide two different environments:
No applications can run unless allowed by SRP.
All applications can run unless restricted by SRP.
#18:Introduce AppLocker as the replacement for SRP in Windows Server 2008 R2 and Windows 7. Mention that AppLocker also is available in Windows Server 2012 and Windows 8.
Introduce the benefits that AppLocker provides, and discuss, in a general way, how it is applied in a Windows Server 2012 and Windows 8 environment.
Highlight AppLocker’s capability to define specific sets of rules based on user account or security group membership. Also, explain that students can create a definition of application variables when they create rules.
#19:Explain how AppLocker rules work, and then demonstrate AppLocker rules.
Discuss an example of using AppLocker; for example, students can use AppLocker to configure software that is no longer used in their company with a deny action so that users can no longer run the software. Explain that the next step is to remove the software.
Discuss an example of auditing policies. For example, administrators can use auditing policies to retrieve information about software that employees are using.
Discuss with students several scenarios in which it is beneficial to implement AppLocker, such as for:
Licensing audits, software true-up, software license purchases, and enterprise agreements that can benefit from AppLocker to maintain compliance and to ensure that the organization is licensed properly.
Software that is not allowed for use in the company. Mention an example of software that can disrupt employees’ business productivity, such as social networks, or software that streams video or pictures and can use a large amount of network bandwidth.
Software that is no longer used. This is software that the enterprise no longer needs, so it is not maintained or licensed.
Software that is no longer supported. This software is not updated with security updates, so it might pose a security risk.
#20:Preparation Steps
For this demonstration you need the virtual machines 20410D‑LON‑DC1 and 20410D‑LON‑CL1. They should be running after the previous lab.
Demonstration Steps
Create a GPO to enforce the default AppLocker Executable rules
On LON‑DC1, in Server Manager, click Tools, and then click Group Policy Management.
In GPMC, go to Forest: Adatum.com\Domains\Adatum.com.
Click Group Policy Objects, right-click Group Policy Objects, and then click New.
In the New GPO window, in Name, type WordPad Restriction Policy, and then click OK.
Right-click WordPad Restriction Policy, and then click Edit.
In the Group Policy Management Editor window, go to Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker.
Click Executable Rules, right-click Executable Rules, and then select Create New Rule.
On the Before You Begin page, click Next.
On the Permissions page, click Deny, and then click Next.
On the Conditions page, click Publisher, and then click Next.
On the Publisher page, click Browse, and then click Computer.
On the Open page, double-click Local Disk (C:).
On the Open page, double-click Program Files, double-click Windows NT, double-click Accessories, click wordpad.exe, and then click Open.
Move the slider up to the File name position, and then click Next.
Click Next again, and then click Create.
#21:If prompted to create default rules, click Yes.
In the Group Policy Management Editor window, go to Computer Configuration\Policies\Windows Settings\Security Settings.
Expand Application Control Policies, right-click AppLocker, and then select Properties.
On the Enforcement tab, under Executable rules, select the Configured check box, click Enforce rules, and then click OK.
In the Group Policy Management Editor window, go to Computer Configuration\Policies\Windows Settings\Security Settings.
Click System Services, and then double-click Application Identity.
In the Application Identity Properties dialog box, above Select service startup mode, click Define this policy setting, then click Automatic, and then click OK.
Close the Group Policy Management Editor window.
Apply the GPO to the domain
In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then expand Group Policy Objects.
In the Group Policy Management Console, right-click Adatum.com, and then click Link an Existing GPO.
In the Select GPO window, in the Group Policy Objects window, click WordPad Restriction Policy, and then click OK.
Close the Group Policy Management Console.
Switch to the Start screen, type cmd, and then press Enter.
In the Command Prompt window, type gpupdate /force, and then press Enter.
Wait for the policy to update.
#22:Test the AppLocker rule
Sign in to LON‑CL1 as Adatum\Alan with the password Pa$$w0rd.
Point to the lower-right corner of the screen, and then click the Search charm when it appears.
In the Search box type cmd, and then press Enter.
In the Command Prompt window, type gpupdate /force, and then press Enter.
Wait for the policy to update.
In the lower-left corner of the screen, click the Start button.
In the Search box type WordPad, and then press Enter.
Notice that WordPad does not start.
Leave the virtual machines running after you complete the demonstration.
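The same WordPad deny rule built with the AppLocker and GroupPolicy cmdlets instead of the wizard, as an added example (not part of the course materials). It assumes the GPO "WordPad Restriction Policy" already exists and already holds the default Executable rules the wizard offered to create, and that it is run on LON-DC1; the rule name and the temporary file path are the example's own.

```powershell
# Added example: create a publisher-based Deny rule for wordpad.exe, test it,
# and merge it into the demonstration GPO.
Import-Module AppLocker
Import-Module GroupPolicy

$wordpad   = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
$gpoName   = 'WordPad Restriction Policy'
$policyXml = Join-Path $env:TEMP 'wordpad-deny.xml'

# Publisher data comes from the file's Authenticode signature, the same
# information the wizard shows on the Publisher page.
$pub = (Get-AppLockerFileInformation -Path $wordpad).Publisher
$esc = { param($s) [System.Security.SecurityElement]::Escape($s) }

# "File name" slider position = publisher + product + binary name, any version.
# S-1-1-0 is Everyone, matching the wizard's default user/group.
$deny = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny WordPad"
                       Description="Demonstration rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $esc $pub.PublisherName)"
                                ProductName="$(& $esc $pub.ProductName)"
                                BinaryName="$(& $esc $pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyXml -Value $deny -Encoding UTF8

# Test before deploying. Against this deny-only XML, wordpad.exe is Denied by
# the rule, but notepad.exe comes back DeniedByDefault: an Exe collection with
# no Allow rules blocks everything, which is why the wizard prompts for the
# default rules. Merging into the GPO below keeps those default rules.
Test-AppLockerPolicy -XmlPolicy $policyXml -User 'Adatum\Alan' `
    -Path $wordpad, 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge the deny rule into the existing GPO rather than replacing its policy.
$gpo  = Get-GPO -Name $gpoName
$ldap = "LDAP://LON-DC1.Adatum.com/CN={$($gpo.Id)},CN=Policies,CN=System,DC=Adatum,DC=com"
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $ldap -Merge

# Enforcement depends on the Application Identity service. The GPO sets it to
# Automatic under System Services; this is the local equivalent on a test host.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# On the client, after gpupdate /force, confirm the deny rule is in the
# effective policy before trusting the "WordPad does not start" result.
Get-AppLockerPolicy -Effective -Xml | Select-String 'Deny WordPad'
```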
#23:Briefly review the topics that this lesson includes.
#24:This is the first of two slides in this topic.
Mention that the default Windows Firewall status is to block all incoming traffic unless it is solicited or it matches a configured rule, and to allow all outgoing traffic, unless it matches a configured rule.
Mention the following rules:
Password policies (TCP port 20): blocks outbound
Remote Desktop: allows inbound
Custom application (TCP port 6543): allows inbound
Mention that you can use the netsh command-line tool for configuring Windows Firewall with Advanced Security.
#25:This is the second of two slides in this topic.
#26:Discussion Question:
Why is it important to use a host-based firewall, such as Windows Firewall with Advanced Security?
Answer:
Windows Firewall with Advanced Security is important because:
Computers are protected from attacks on the internal network. This can prevent malware from moving through the internal network by blocking unsolicited inbound traffic.
Inbound rules prevent network scanning to identify hosts on the network. The simplest network scanners ping hosts on a network in an attempt to identify them. Windows Firewall with Advanced Security prevents member servers from responding to ping requests. Domain controllers do respond to ping requests.
When you enable outbound rules, it can prevent malware from spreading by preventing the malware from communicating on the network. In the case of a virus outbreak, you could configure computers with a specific outbound rule that prevents the virus from communicating over the network.
Connection security rules allow you to create sophisticated firewall rules that use computer and user-authentication information to limit communication with high-security computers.
#27:One of the key points that students need to understand is that domain members use the domain profile. Only objects that are not a domain member, such as hosts in a perimeter network, use other profiles.
#28:Ensure that students understand the following points:
To allow traffic, they must first create the firewall rules.
Firewall rules define which ports, IP addresses, applications, or programs are allowed through the firewall, each defined separately for both directions: in and out.
Connection security rules provide additional protection by requiring authentication of the computers that initiate the traffic. They also secure that traffic by encrypting the data that is transmitted between computers.
Connection security rules are applied between the computers that are the two endpoints.
Emphasize that you can configure firewall rules to allow traffic, allow only authenticated traffic, or block all traffic. This means that you can use connection security rules to authenticate traffic, and you can configure the firewall to allow only authenticated traffic.
#29:Explain to students that they should choose the deployment method for Windows Firewall rules based on how many computers will be affected. If they need to create a firewall rule on hundreds of computers, they should use Group Policy. For a single computer, they can configure it manually.
Stress to students that they should be very careful when they use Group Policy to configure Windows Firewall. Some employees might use applications that need additional ports to be open on their computers, and improperly configured firewall rules might block those applications. We strongly recommend that you test firewall rules in an isolated, nonproduction environment before you deploy them in production.
#30:Mention the different options that are available when you are securing connections, including:
Securing connections for all communication
Securing connections for a single protocol
Using certificates for authentication
Using Kerberos for authentication
Securing traffic to or from specific hosts only, or securing traffic for an entire domain
Also, mention the real-world situations where securing network traffic is valuable. These scenarios include an organization that has a security policy that prohibits communication between development computers and production computers, or a highly secure environment where compliance requires specific secure communications.
Preparation Steps
Start 20410D‑LON‑CL2, 20410D‑LON‑SVR2, and 20410D‑LON‑RTR.
Demonstration Steps
Check to see if ICMP v4 is blocked
1. Sign in to LON‑CL2 as Adatum\Administrator with the password Pa$$w0rd.
2. On LON‑CL2, click the Desktop tile, right-click the Windows Start menu, and then click Command Prompt.
3. At the command prompt, type ping 10.10.0.11, and then press Enter.
4. Notice that the ping times out.
#31:Enable ICMP v4 from LON‑CL2 to LON‑SVR2
1. Sign in to LON‑SVR2 as Adatum\Administrator with the password Pa$$w0rd.
2. On LON‑SVR2, right-click the Windows Start menu, and then click Control Panel.
3. In Control Panel, click the View by drop-down menu, and then click Small icons.
4. Click Windows Firewall.
5. Click Advanced settings.
6. In the left-hand pane, click Inbound Rules.
7. In the right-hand pane, click New Rule.
8. On the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next.
9. On the Program page, click Next.
10. On the Protocol and Ports page, click the Protocol type drop-down menu, click ICMPv4, and then click Next.
11. In the Which remote IP addresses does this rule apply to section, click These IP addresses, and then click Add.
12. In the IP Address window, type 10.10.0.50 in the This IP address or subnet box, click OK, and then click Next.
13. On the Action page, click Next to accept the Allow the connection default action.
14. On the Profile page, click Next to accept the application of the rule for all profiles.
15. On the Name page, type ICMPv4-Allow-From-10.10.0.50, and then click Finish.
16. Switch to LON‑CL2.
17. At the command prompt, type ping 10.10.0.11, and then press Enter.
18. Notice that the ping goes through successfully.
#32:Create a connection security rule
1. Switch to LON‑SVR2.
2. In the Windows Firewall with Advanced Security window, in the left-hand pane, right-click Connection Security Rules, and then click New Rule.
3. On the Rule Type page, click Next to accept the default of Isolation.
4. On the Requirements page, click Require authentication for inbound connections and request authentication for outbound connections, and then click Next.
5. On the Authentication Method page, click Advanced, and then click Customize.
6. In the Customize Advanced Authentication Method dialog box, in the First authentication section, click Add.
7. In the Add First Authentication Method dialog box, click Preshared key (not recommended), type Pa$$w0rd for the preshared key, and then click OK. Click OK again to close the dialog box.
8. On the Authentication Method page, click Next.
9. On the Profile page, click Next.
10. On the Name page, in Name, type Require Inbound Authentication, and then click Finish.
Repeat steps 2 through 10 on LON-CL2 before moving to the next demonstration section.
Validate ICMP v4
1. Switch to LON‑CL2.
2. At the command prompt, type ping 10.10.0.11, and then press Enter.
3. Notice that the ping goes through successfully.
After you complete the demonstration, revert the virtual machines.
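The same demonstration expressed as a PowerShell script, added here as an example rather than taken from the course materials. It assumes the lab addressing implied by the steps (LON-SVR2 answers at 10.10.0.11 and LON-CL2 is 10.10.0.50, the address the inbound rule allows) and uses a placeholder preshared key instead of the lab password.

```powershell
# Added example (not part of the course): scripted equivalent of the demonstration.
# Run in an elevated PowerShell session on LON-SVR2; the IPsec section is then run
# again on LON-CL2, which is the scripted form of "repeat steps 2 through 10".
# Assumed addresses: 10.10.0.11 = LON-SVR2, 10.10.0.50 = LON-CL2.

# --- Part 1 (LON-SVR2 only): allow ICMPv4 from LON-CL2, all profiles ---
New-NetFirewallRule -DisplayName 'ICMPv4-Allow-From-10.10.0.50' `
    -Direction Inbound -Protocol ICMPv4 -RemoteAddress 10.10.0.50 `
    -Action Allow -Profile Any | Out-Null

# --- Part 2 (LON-SVR2, then LON-CL2): isolation rule that requires inbound
# authentication and requests it outbound, exactly as the wizard configures it ---
# The wizard labels the preshared key "not recommended"; it only fits this isolated
# lab. For domain members, replace -PreSharedKey with -Kerberos (slide 30 lists
# Kerberos as one of the authentication options).
$psk = 'LAB-ONLY-PLACEHOLDER-KEY'   # placeholder for the key typed in step 7
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Lab PSK Auth' -Proposal $authProposal

New-NetIPsecRule -DisplayName 'Require Inbound Authentication' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Any | Out-Null

# --- Validate (on LON-CL2): the ping must still succeed, and an IPsec main-mode
# security association should now exist, proving the traffic was authenticated ---
if (Test-Connection -ComputerName 10.10.0.11 -Count 2 -Quiet) {
    Write-Host 'ICMPv4 reaches LON-SVR2 through the authenticated connection'
} else {
    Write-Warning 'Ping failed: check that the IPsec rule and key match on both hosts'
}
Get-NetIPsecMainModeSA
```

If the ping succeeds but no main-mode SA is listed, the connection security rule is not being applied on one of the two hosts (the rule must exist on both endpoints, as noted above).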
#33:Before students begin the lab, read the lab scenario and display the next slide. Before each exercise, read the scenario associated with the exercise to the class. The scenarios give context to the lab and exercises, and help to facilitate the discussion at the end of the lab. Remind students to complete the discussion questions after the last lab exercise.
Exercise 1: Configuring AppLocker Policies
Your manager has asked you to configure new AppLocker policies to control the use of applications on user desktops. The new configuration should allow applications to be run only from approved locations. All users must be able to run applications from C:\Windows and C:\Program Files.
You also need to add an exception to run a custom-developed application that resides in a nonstandard location.
The first stage of the implementation records from which locations applications are being run now. The second stage of implementation prevents unauthorized applications from running.
Exercise 2: Configuring Windows Firewall
Your manager has asked you to configure Windows Firewall rules for a set of new application servers. These application servers have a web-based program that is listening on a nonstandard port. You need to configure Windows Firewall to allow network communication through this port. You will use security filtering to ensure that the new Windows Firewall rules apply only to the application servers.
#34:Lab Review Questions
Question
You configured an AppLocker rule that prevents users from running software in a specified file path. How can you prevent users from moving the folder containing the software so that they can circumvent the rule and still run it?
Answer
You can configure an AppLocker rule that is based on a file hash rather than a rule based on a file path.
Question
You want to introduce a new application that needs to use specific ports. What information do you need to configure Windows Firewall with Advanced Security, and from what source can you get it?
Answer
You need to know which ports and IP addresses you need so that the application can run while still being protected from security threats. You can get this information from the application vendor.
#35:Module Review Questions
Point students to the appropriate section in the course so that they are able to answer the questions that this section presents.
Question
Does the defense‑in‑depth model prescribe specific technologies that you should use to protect Windows Server operating system servers?
Answer
No, you use the defense‑in‑depth model to organize your plans for defense. It does not prescribe specific technologies.
Question
What setting must you configure to ensure that users are allowed only three invalid sign-in attempts?
Answer
The account lockout threshold setting ensures that users are allowed only three invalid sign-in attempts.
Question
You are creating a GPO with standardized firewall rules for the servers in your organization. You tested the rules on a stand-alone server in your test lab. The rules appear on the servers after the GPO is applied, but they are not taking effect. What is the most likely cause of this problem?
Answer
The firewall rules are most likely not being applied to the correct firewall profile. It is possible that you did not apply them to the domain profile as is required for member servers. To test rules on a stand-alone server, you have to apply the rules to either the public or private firewall profiles.
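A scripted check for the situation in this answer, added as an example and not part of the course: on the member server, compare the profile its active connection is in with the profiles each GPO-delivered rule is bound to, and list the rules that cannot take effect.

```powershell
# Added diagnostic (not from the course): find GPO firewall rules that are present
# but bound to a profile the server is not currently in.

# Profile(s) the active connection(s) are in; map the connection category name
# to the firewall profile name (DomainAuthenticated -> Domain).
$active = (Get-NetConnectionProfile).NetworkCategory |
    ForEach-Object { if ("$_" -eq 'DomainAuthenticated') { 'Domain' } else { "$_" } } |
    Sort-Object -Unique
Write-Host "Active firewall profile(s): $($active -join ', ')"

# Enabled rules that reached this server through Group Policy.
Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
    ForEach-Object {
        # Profile is a flags value, e.g. "Any" or "Private, Public".
        $bound = "$($_.Profile)" -split ',\s*'
        $effective = ($bound -contains 'Any') -or
                     (@($active | Where-Object { $bound -contains $_ }).Count -gt 0)
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profiles  = "$($_.Profile)"
            Effective = $effective
        }
    } |
    Where-Object { -not $_.Effective } |
    Format-Table -AutoSize
```

Any rule listed was tested against the wrong profile (typically Private or Public on the stand-alone lab server) and needs the Domain profile added in the GPO.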
Question
Last year, your organization developed a security strategy that included all aspects of a defense‑in‑depth model. Based on that strategy, your organization implemented security settings and policies on the entire IT infrastructure environment. Yesterday, you read in an article that new security threats were detected on the Internet, but now you realize that your company strategy does not include a risk analysis and mitigation plan for those new threats. What should you do?
#36:Answer
You should immediately initiate a new risk assessment in your organization to help you develop a plan outlining how to address the new threats.
Additionally, ensure that your organization’s security risk assessments and strategies are being evaluated and updated regularly. As technology evolves, security strategies change, so security best practices must also evolve. Organizations must be ready to protect their IT infrastructure from any new potential security threats.
Best Practices
The following are best practices:
Always make a detailed security risk assessment before planning which security features your organization should deploy.
Create a separate GPO for security settings that apply to different types of users in your organization, because each department might have different security needs.
Ensure that the security settings that you configure are reasonably easy to use so that employees accept them. Frequently, very strong security policies are too complex or difficult for employees to adopt.
Always test security configurations that you plan to implement with a GPO in an isolated, nonproduction environment. Only deploy policies in your production environment after you complete this testing successfully.
#37:Common Issues and Troubleshooting Tips
Ensure that you cover the common issues and the corresponding troubleshooting tips listed in this section. Encourage students to share tips from their own work environments.