Setting Event Log Policies
The Event Log is an
essential tool for Windows Server 2003 administrators, and the Event Log
policies control various aspects of the log’s performance, including
the maximum size of the logs, who has access to them, and how the logs
behave when they reach their maximum size. The Event Log policies in a
GPO are located in the Computer Configuration \ Windows Settings
\Security Settings\Event Log container, as shown in Figure 6.
For each of the following, there are three policies, one for each of the logs: application, security, and system.
Maximum log size
Specifies the maximum size the system permits, in kilobytes. Values
must be in 64 KB increments, and the maximum value is 4,194,240 (4
gigabytes).
Prevent local guests group from accessing log Specifies whether members of the local Guests group on the computer are permitted to view the log file.
Retain log Specifies the number of days for which the log should retain information.
Retention method for log Specifies the behavior of the log when it reaches its maximum size, using the following options:
Overwrite Events By Days—
The log retains the number of days of entries specified by the retain
log policy. Once the log grows to the specified number of days, the
system erases the oldest day’s entries each day.
Overwrite Events As Needed—
The log erases the oldest individual entries as needed once the log
file has reached the size specified in the maximum log size policy.
Do Not Overwrite Events (Clear Log Manually)— The system stops creating new entries when the log reaches the size specified in the maximum log size policy.
Creating an event
logging configuration for a member server usually requires some
experimentation. The best way to proceed is to configure the events and
resources that you want to audit, and then let the logs accrue for
several days. Calculate the average number of entries for each log per
day and then decide how many days of history you want to retain. This
enables you to determine a suitable maximum size for your logs.
Before setting the
retain log and retention method for log policies, you should decide how
often someone is going to review the logs and clear or archive them when
necessary. If it is essential to retain all log information, you can
specify a maximum size for the log and then enable the Security Options
policy, Audit: Shut Down System Immediately If Unable To Log Security
Audits, which forces you to manage the logs regularly.
Configuring Services
Windows Server 2003
installs a great many services with the operating system, and configures
quite a few with the Automatic startup type, so that these services
load automatically when the system starts. Many of these services are
not needed in a typical member server configuration, and it is a good
idea to disable the ones that the computer doesn’t need. Services are
programs that run continuously in the background, waiting for another
application to call on them. For this reason, services are also
potential points of attack, which intruders might be able to exploit.
Instead
of controlling the services manually, using the Services console, you
can configure service parameters as part of a GPO. Applying the GPO to a
container object causes the services on all the computers in that
container to be reconfigured. To configure service parameters in the
Group Policy Object Editor console, you browse to the Computer
Configuration \ Windows Settings\Security Settings\System Services
container and select the policies corresponding to the services you want
to control (see Figure 7).
Tip
When
a service policy is left undefined, the service retains the default
status that the Windows Server 2003 Setup program assigned it during the
operating system installation. For example, even if you do not
configure a particular service with the Automatic startup type, Windows
Server 2003 itself might configure that service to load automatically.
If you want to be certain that a service is disabled, you must activate
the System Services policy and choose the Disabled option. |
Table 1
contains the services that Windows Server 2003 typically installs on a
member server. The Automatic column contains the services that Windows
Server 2003 requires for basic system management and communications. The
Manual column contains services that do not have to be running all the
time, but which must be available so that other processes can activate
them. The Disabled column contains services that the typical member
server does not need, and which you can permanently deactivate, unless
the computer has a specific need for them.
Table 1. Typical Member Server Service Assignments
| Automatic | Manual | Disabled |
|---|
| Automatic Updates | Background Intelligent Transfer Service | Alerter |
| Computer Browser | COM+ Event System | Application Management |
| DHCP Client | Logical Disk Manager Administrative Service | ClipBook |
| Distributed Link Tracking Client | Network Connections | Distributed File System |
| DNS Client | NT LM Security Support Provider | Distributed Transaction Coordinator |
| Event Log | Performance Logs And Alerts | Fax Service (only present when a modem is installed) |
| IPSEC Services | Terminal Services | Internet Service |
| Logical Disk Manager | Windows Installer | Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) |
| Net Logon | Windows Management Instrumentation Driver Extensions | License Logging |
| Plug And Play | | Messenger |
| Protected Storage | | NetMeeting Remote Desktop Sharing |
| Remote Procedure Call (RPC) | | Network (DDE) |
| Remote Registry | | Network DDE DSDM |
| Security Accounts Manager | | Print Spooler |
| Server | | Remote Access Auto Connection Manager |
| System Event Notification | | Remote Access Connection Manager |
| TCP/IP NetBIOS Helper | | Removable Storage |
| Windows Management Instrumentation | | Routing And Remote Access |
| Windows Time | | Secondary Logon |
| Workstation | | Smart Card |
| | | Task Scheduler |
| | | Telephony |
| | | Telnet |
| | | Uninterruptible Power Supply |
In
a default Windows Server 2003 member server installation, the Setup
program has already configured many of the services listed in Table 9-1
with the startup type values listed there. However, controlling service
configurations with a GPO enables you to be sure that only the services
you need are running.
Caution
Member
servers might need other services to perform certain functions. You can
create and apply additional GPOs to configure the services that servers
performing particular roles need. Before deploying a server in a live
environment, be sure to test the configuration thoroughly, to ensure
that the modifications to the default setup do not interfere with the
server’s operation. |
Configuring Security Options
The Security Options
container in the Group Policy Object Editor console contains a long list
of policies that you can use to secure specific server elements. Almost
all these policies are undefined in a default member server
installation, but you can activate them and use them to secure your
servers against a wide variety of accidents and threats. To configure
these policies, browse to the Computer Configuration \ Windows Settings \
Security Settings \ Local Policies \ Security Options container in the
Group Policy Object Editor console, as shown in Figure 8.
Because these policies are widely divergent in their functions, the
Properties dialog box for each one has different configuration options.
Some of the most useful Security Options policies are as follows:
Accounts: Administrator Account Status Enables or disables the computer’s local Administrator account.
Accounts: Guest Account Status Enables or disables the computer’s local Guest account.
Accounts: Rename Administrator Account Specifies an alternative name for the security identifier (SID) associated with the local Administrator account.
Accounts: Rename Guest Account Specifies an alternative name for the SID associated with the local Guest account.
Audit: Audit The Use Of Backup And Restore Privilege
Causes the computer to audit all user privileges when the Audit
Privilege Use policy is enabled, including all file system backups and
restores.
Audit: Shut Down System Immediately If Unable To Log Security Audits
Causes the computer to shut down if the system is unable to add
auditing entries to the security log because the log has reached its
maximum size.
Devices: Allowed To Format And Eject Removable Media Specifies which local groups are permitted to format and eject removable NTFS file system media.
Devices: Restrict CD-ROM Access To Locally Logged-on User Only Prevents network users from accessing the computer’s CD-ROM drives.
Devices: Restrict Floppy Access To Locally Logged-on User Only Prevents network users from accessing the computer’s floppy disk drive.
Domain Member: Maximum Machine Account Password Age Specifies how often the system changes its computer account password.
Interactive Logon: Do Not Require CTRL+ALT+DEL Select the Disable option to protect users against Trojan attacks that attempt to intercept users’ passwords.
Interactive Logon: Require Domain Controller Authentication To Unlock Workstation
Prevents unlocking the computer using cached credentials. The computer
must be able to use a domain controller to authenticate the user
attempting to unlock the system for the process to succeed.
Microsoft Network Client: Digitally Sign Communications (Always) The computer requires packet signatures for all Server Message Block (SMB) client communications.
Microsoft Network Server: Digitally Sign Communications (Always) The computer requires packet signatures for all Server Message Block (SMB) server communications.
Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares
Prevents anonymous users from determining the names of local user
accounts and shares. This prevents potential intruders from gathering
information about the computer without being authenticated.
Network Access: Remotely Accessible Registry Paths And Sub-paths Specifies which registry paths and subpaths qualified users can access over the network.
Network Access: Shares That Can Be Accessed Anonymously Specifies which shares anonymous users are permitted to access.
Network Security: Force Logoff When Logon Hours Expire Causes the computer to terminate existing local user connections when they reach the end of their specified logon time.
Shutdown: Allow System To Be Shut Down Without Having To Log On Activates the Shut Down button in the Log On To Windows dialog box.
