Friday, September 3, 2010

Analyzing a System Security Configuration And Analysis Snap

Practice: Using the Security Templates Snap-in

In this practice, you use the Security Templates snap-in to create a new security template from one of the existing ones and modify it to provide a customized security level.

Exercise 1: Creating a Security Templates Console

Windows Server 2003 includes the Security Templates snap-in, but the operating system does not include a shortcut to a console containing the snap-in. In this procedure, you use Microsoft Management Console to create a Security Templates console.

1. Log on to Windows Server 2003 as Administrator.
2. Click Start and then click Run. The Run dialog box appears.
3. In the Open text box, type mmc and then click OK. The Console1 window appears.
4. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears with the Standalone tab selected.
5. Click Add. The Add Standalone Snap-in dialog box appears.
6. Scroll down in the Available Standalone Snap-ins list and select Security Templates.
7. Click Add and then click Close. Security Templates appears in the Add/Remove Snap-in dialog box.
8. Click OK. A Security Templates entry appears in the Console Root window.
9. From the File menu, select Save As. The Save As dialog box appears.
10. In the File Name text box, type Security Templates.msc and then click Save. The name of the console shown in the title bar changes to Security Templates.
11. Leave the Security Templates console open for the next procedure.

Exercise 2: Modifying an Existing Template

In this procedure, you create a copy of one of the pre-defined Windows Server 2003 security templates and modify its policies to create a more secure environment.

1. In the Security Templates console, expand the Security Templates heading and the C:\Windows\Security\Templates subheading.
2. Click the Securews template in the scope pane and, from the Action menu, select Save As. The Save As dialog box appears.
3. In the File Name text box, type Custom.inf and then click Save. The Custom template appears in the scope pane of the console.
4. Expand the Custom template and Account Policies container. Click the Password Policy subheading.
5. In the details pane, double-click the Maximum Password Age policy. The Maximum Password Age Properties dialog box appears.
6. Change the Password Will Expire In selector value to 7 days and then click OK.
7. Click the Account Lockout Policy subheading and change the selector values of the account lockout policies to the following settings:
❑ Account Lockout Duration—0 Minutes
❑ Account Lockout Threshold—3 Invalid Logon Attempts
❑ Reset Account Lockout Counter After—180 Minutes
8. Expand the Local Policies container and then click the Security Options subheading.
9. Modify the values of the following security options as shown:
❑ Devices: Restrict CD-ROM Access To Locally Logged-on User Only—Enabled
❑ Interactive Logon: Prompt User To Change Password Before Expiration—1 Day
❑ Shutdown: Allow System To Be Shut Down Without Having To Log On—Disabled
10. Click the File System subheading and, from the Action menu, click Add File. The Add A File Or Folder dialog box appears.
11. In the Folder text box, type D:\ and then click OK. The Database Security For D:\ dialog box appears.
12. Click the Users group and, in the Permissions For Users box, select the Modify and Write check boxes in the Allow column. Then click OK. The Add Object dialog box appears.
13. Accept the default option button by clicking OK. The D:\ drive appears in the File System list.
14. Close the Security Templates console. A Microsoft Management Console dialog box appears asking whether you want to save the console settings to Security Templates.msc. Click Yes.
15. A Save Security Templates dialog box appears, prompting you to save the changes you made. Click Yes.

Deploying Security Templates Using Group Policies

To deploy a security template using group policies, you select an Active Directory object that has a GPO and import the template into the GPO. The template’s settings then become part of the GPO, overwriting any existing values.

The importation process proceeds as follows:

1. Open the Active Directory Users And Computers console.
2. Select the domain or organizational unit object to which you want to apply the template and, from the Action menu, choose Properties. The Properties dialog box for that object appears.
3. Click the Group Policy tab, select a Group Policy Object from the Group Policy Object Links list, and then click Edit. The Group Policy Object Editor console appears.
Tip: Instead of using an existing Group Policy Object, you can also create a new one by clicking New and then supplying a name for the GPO.
4. Under Computer Configuration, expand the Windows Settings subheading, and then click Security Settings.
5. From the Action menu, select Import Policy. The Import Policy From dialog box appears.
6. Select the security template file you want to import, and then click Open. The settings in the template are imported into the Group Policy Object.
7. Close the Group Policy Object Editor console, and then click OK in the Properties dialog box for the object you selected.
8. Close the Active Directory Users And Computers console.


Using the Security Configuration And Analysis Tool

Security Configuration And Analysis is an MMC snap-in that you can use to apply a security template to the local computer interactively. However, in addition to configuring the security settings for the computer, the snap-in also provides the ability to analyze the current system security configuration and compare it to a baseline saved as a security template. This enables you to quickly determine whether someone has changed a computer’s security settings and whether the system conforms to your organization’s security policies. As with the Security Templates snap-in, Windows Server 2003 does not include a shortcut to a Security Configuration And Analysis console, so you must add the snap-in to a console yourself. When you do this for the first time, the console contains nothing but the Security Configuration And Analysis heading.

Analyzing a System

To use the Security Configuration And Analysis snap-in, you must first create a database that will contain a collection of security settings. The database is the interface between the actual security settings on the computer and the settings stored in your security templates. After you create a database (or open an existing one), you then import a security template of your choice. Once you have imported a template, you can proceed to apply the settings in that template to the computer or analyze the computer’s current settings.

When you begin the analysis by selecting Analyze Computer Now from the Action menu, the system prompts you for the location of its error log file, and then proceeds to compare the settings in the template to the computer’s current settings. Once the analysis is complete, the console produces a display similar to that of the Security Templates snap-in, containing all the standard security settings found in a template.

Figure: The contents of a security database

The big difference between the Security Templates console and this display, however, is that the policies listed in the details pane have columns containing the database settings and the computer settings. The Database Settings column contains the values imported from the template you selected, while the Computer Settings column contains the system’s current settings. The comparison of the two values for each policy is reflected in the flag on each policy name.

The meanings of the flags are as follows:

■ X in a red circle: Indicates that the policy is defined in both the database and on the computer, but that the configured values do not match
■ Green check mark in a white circle: Indicates that the policy is defined in both the database and on the computer, and that the configured values do match
■ Question mark in a white circle: Indicates that the policy is not defined in the database and therefore was not analyzed, or that the user running the analysis did not have the permissions needed to access the policy on the computer
■ Exclamation point in a white circle: Indicates that the policy is defined in the database, but does not exist on the computer
■ No flag: Indicates that the policy is not defined in the database or on the computer
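The flag logic above can be reproduced outside the console. The following is an added example, not part of the original lesson: it parses the [System Access] section of two security template fragments and assigns each policy the flag the snap-in would show. Both INF fragments are constructed sample data, the function names are hypothetical, and the question-mark case covers only "not defined in the database", not the missing-permissions case.

```powershell
# Added example: both fragments are constructed sample data, not captured output.
$databaseInf = @'
[System Access]
MaximumPasswordAge = 7
MinimumPasswordAge = 2
LockoutBadCount = 3
ResetLockoutCount = 180
'@

$computerInf = @'
[System Access]
MaximumPasswordAge = 42
MinimumPasswordAge = 2
PasswordHistorySize = 24
LockoutBadCount = 3
'@

# Hypothetical helper: read "Name = Value" pairs from one section of a template.
function ConvertFrom-TemplateSection {
    param([string]$Text, [string]$Section = 'System Access')
    $settings = @{}
    $inSection = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Hypothetical helper: map each policy to the flag described in the list above.
function Compare-TemplateSetting {
    param([hashtable]$Database, [hashtable]$Computer, [string[]]$Policy)
    foreach ($name in $Policy) {
        $inDb = $Database.ContainsKey($name)
        $inPc = $Computer.ContainsKey($name)
        $flag = if ($inDb -and $inPc) {
            if ($Database[$name] -eq $Computer[$name]) { 'Green check mark (match)' } else { 'Red X (mismatch)' }
        } elseif ($inDb) { 'Exclamation point (not on computer)' }
        elseif ($inPc)   { 'Question mark (not in database, not analyzed)' }
        else             { 'No flag' }
        [pscustomobject]@{ Policy = $name; Database = $Database[$name]
                           Computer = $Computer[$name]; Flag = $flag }
    }
}

$db = ConvertFrom-TemplateSection $databaseInf
$pc = ConvertFrom-TemplateSection $computerInf
$policies = 'MaximumPasswordAge', 'MinimumPasswordAge', 'PasswordHistorySize',
            'LockoutBadCount', 'ResetLockoutCount', 'ClearTextPassword'
Compare-TemplateSetting $db $pc $policies | Format-Table -AutoSize
```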

Changing Security Settings
As you examine the elements of the database and compare the template values with those of the computer, you might find discrepancies and want to make changes to the computer’s configuration. There are several ways in which you can do this, such as the following:
■ Apply the database settings to the computer: If you want to use the exact settings from the template that you imported into the database, you can simply select Configure Computer Now from the Action menu to apply them to the computer.
■ Modify the database settings: You can double-click any policy in the console tree to display its Properties dialog box and modify its value in the database.
Caution: Modifying a policy value in the Security Configuration And Analysis snap-in changes the database value only, not the actual computer setting. For the changes you make to take effect on the computer, you must either apply the database settings to the computer using the Configure Computer Now command or export the database to a new template and apply it to the computer using any of the standard methods.
■ Create a new template: You can select Export Template from the Action menu to create an entirely new template from the settings currently in the database, and then apply the template to the computer using any of the standard methods.
Important: The Export Template feature creates a new template from the current database settings at the time you execute the command, not from the computer’s current settings.
■ Modify the computer’s settings manually: You can always modify the computer’s security settings directly by using a member server’s Local Security Settings console (open the console by selecting Local Security Policy from the Administrative Tools menu), by modifying the appropriate Group Policy Object, or by manually manipulating file system or registry permissions.


Using Secedit.exe
Secedit.exe is a command prompt utility that can perform the same functions as the Security Configuration And Analysis snap-in. The advantage of Secedit.exe is that you can call it from scripts and batch files, enabling you to automate your security template deployments. Another big advantage of Secedit.exe is that you can use it to apply only part of a security template to a computer, something that you cannot do with the Security Configuration And Analysis snap-in or with Group Policy Objects. For example, if you want to apply the file system’s permissions from a template, but leave all the other settings alone, Secedit.exe is the only way to do it.
To use Secedit.exe, you run the program from the command prompt with one of the following six main parameters, plus additional parameters for each function:

■ Configure: Applies all or part of a security database to the local computer. You can also configure the program to import a security template into the specified database before applying the database settings to the computer.
■ Analyze: Compares the computer’s current security settings with those in a security database. You can configure the program to import a security template into the database before performing the analysis. The program stores the results of the analysis in the database itself, which you can view later using the Security Configuration And Analysis snap-in.
■ Import: Imports all or part of a security template into a specific security database
■ Export: Exports all or part of the settings from a security database to a new security template
■ Validate: Verifies that a security template is using the correct internal syntax
■ Generaterollback: Creates a security template that you can use to restore a system to its original configuration after applying another template.
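As an added example (not part of the original lesson), the script below chains three of these parameters to do what the text describes: validate a template, apply only its file system permissions, and then analyze the computer. The database and log file names are assumptions, Invoke-Secedit is a hypothetical wrapper, and treating a nonzero exit code as failure is also an assumption; FILESTORE is the Secedit.exe area name for file system permissions.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Only Custom.inf in the Templates folder comes from the earlier practice;
# the database and log names below are assumptions.
$template = Join-Path $env:SystemRoot 'Security\Templates\Custom.inf'
$database = Join-Path $env:SystemRoot 'Security\Database\Custom.sdb'
$log      = Join-Path $env:SystemRoot 'Security\Logs\Custom.log'

# Hypothetical wrapper: echo the command line, run it, return the exit code.
function Invoke-Secedit {
    param([string[]]$Arguments)
    Write-Host "secedit $($Arguments -join ' ')"
    & secedit.exe @Arguments | Out-Host
    return $LASTEXITCODE
}

# Validate: check the template's syntax before importing it anywhere.
# Assumption: a nonzero exit code means the template should not be used.
if ((Invoke-Secedit '/validate', $template) -ne 0) {
    throw "Template failed validation: $template"
}

# Configure: import the template into the database and apply only the
# file system permissions (area FILESTORE); all other settings are left alone.
$configure = Invoke-Secedit '/configure', '/db', $database, '/cfg', $template,
                            '/overwrite', '/areas', 'FILESTORE', '/log', $log, '/quiet'
Write-Host "Configure exit code: $configure (see $log for details)"

# Analyze: compare the computer with the database. The results are stored in
# the database and can be viewed in the Security Configuration And Analysis snap-in.
$analyze = Invoke-Secedit '/analyze', '/db', $database, '/log', $log, '/quiet'
Write-Host "Analyze exit code: $analyze (see $log for details)"
```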


Practice: Using the Security Configuration And Analysis Snap-in

In this practice, you add the Security Configuration And Analysis snap-in to the Security Templates console you created in the practice for Lesson 2 of this chapter, and then use the snap-in to analyze the computer in relation to one of the pre-defined security templates included with Windows Server 2003.

Exercise 1: Adding the Security Configuration And Analysis Snap-in

In this procedure, you create a comprehensive security template management tool by adding the Security Configuration And Analysis snap-in to the Security Templates console.
1. Log on to your computer running Microsoft Windows Server 2000 as Administrator.
2. Click Start, point to All Programs, point to Administrative Tools, and then click Security Templates.msc. The Security Templates console you created in the practice for Lesson 2 of this chapter appears.
3. From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
4. Click Add. The Add Standalone Snap-in dialog box appears.
5. Scroll down in the Available Standalone Snap-ins list and select Security Configuration And Analysis.
6. Click Add and then click Close. Security Configuration And Analysis appears in the Add/Remove Snap-in dialog box, along with the Security Templates snap-in that you added in the Lesson 2 practice.
7. Click OK. A Security Configuration And Analysis entry appears in the Console Root window.
8. From the File menu, select Save. Leave the console open for the next exercise.

Exercise 2: Analyzing a Computer

In this procedure, you use the Security Configuration And Analysis snap-in to compare the computer’s current configuration with that of a security template.
1. In the Security Templates console you created, click the Security Configuration And Analysis heading in the scope pane.
2. From the Action menu, select Open Database. The Open Database dialog box appears.
3. In the File Name text box, type Windb.sdb, and then click Open. The Import Template dialog box appears.
4. Click the Hisecdc.inf template, and then click Open.
5. From the Action menu, select Analyze Computer Now. The Perform Analysis dialog box appears.
6. Click OK to accept the default log file name. An Analyzing System Security message box appears to show a progress indicator as the snap-in performs the analysis.
7. When the analysis is complete, expand the Security Configuration And Analysis heading and the Account Policies heading in the console’s scope pane.
8. Click the Password Policy subheading in the scope pane.
Notice that the console has flagged three of the six password policies with a red X, indicating that the database settings for those policies do not match the template settings.
9. Double-click the Minimum Password Age policy in the details pane. The Minimum Password Age Properties dialog box appears.
10. Modify the Password Can Be Changed After selector value from 2 to 1, and then click OK.
Notice that the red X next to the Minimum Password Age policy has changed to a green check mark. This is because you have changed the setting in the database to match that of the computer.
11. Click the Security Configuration And Analysis header in the scope pane.
12. From the Action menu, select Configure Computer Now. The Configure System dialog box appears.
13. Click OK to accept the default log file path. A Configuring Computer Security message box displays to show a progress indicator as the snap-in configures the computer using the settings in the database.
14. From the Action menu, select Analyze Computer Now a second time. The Perform Analysis dialog box appears.
15. Click OK to accept the default log file path. An Analyzing System Security message box appears to show a progress indicator as the snap-in performs the analysis.
16. When the analysis is complete, expand the Security Configuration And Analysis heading and the Account Policies heading in the console’s scope pane.
17. Click the Password Policy subheading in the scope pane.
Notice that all the password policies are now flagged with green check marks, indicating that the computer settings match the database settings. This is because you have just applied the database settings to the computer. Notice also that the Minimum Password Age value is 1 day, instead of the 2 days specified in the Hisecdc.inf template. This is because you changed the value of this policy in the database prior to applying the database to the computer.
18. Close the Security Templates console. A Microsoft Management Console dialog box appears asking whether you want to save the console settings to Security Templates.msc. Click Yes.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. Why is it not common practice to apply security templates to Active Directory domain objects?
2. Name two security template deployment tasks that the Secedit.exe utility can perform, which group policies and the Security Configuration And Analysis snap-in cannot.
3. When you use the Security Configuration And Analysis snap-in to export a template, where do the settings in the new template come from?
a. From the computer’s current security settings
b. From the snap-in’s currently loaded database
c. From the security template you imported into the database
d. From a Group Policy Object you specify

Lesson Summary
■ You can use group policies to deploy security templates on multiple computers, but you must be aware that the GPO applies the template settings to all the computers in the container to which the GPO is linked.
■ You should not use group policies to deploy large security templates, because of the burden they create on the network and on the domain controllers.
■ You can use the Security Configuration And Analysis snap-in to deploy security templates on the local computer.
■ The Security Configuration And Analysis snap-in can also analyze the computer’s security configuration by comparing its current security settings to those of a security template and flagging the discrepancies.
■ Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments.
