Introducing Network Security Protocols
Network security protocols are used to manage and secure authentication, authorization, confidentiality, integrity, and nonrepudiation. In a Windows Server 2003 network, the major protocols used are Kerberos, NT LAN Manager (NTLM), Internet Protocol Security (IPSec), and their various subprotocols. Other network communication protocols support these protocols, and other security settings support and protect the use of these security protocols. Table 1 lists the security paradigms and the protocols that support them.
Table 1. Network Security Protocols

Paradigm | Purpose | Protocols
---|---|---
Authentication | To prove you are who you say you are | Kerberos and NTLM (the older LAN Manager [LM] protocol is not used by default, but can be enabled)
Authorization | To determine what you can do on the network after you have authenticated | Kerberos and NTLM
Confidentiality | To keep data secret | Encryption components of Kerberos, NTLM, and IPSec (to secure communications other than authentication)
Integrity | To ensure that the data received is the same data that was sent | Components of Kerberos, NTLM, and IPSec
Nonrepudiation | To determine exactly who sent and received the message | Kerberos and IPSec
Using Security Templates to Administer Network Security
The task of implementing server security configurations in a Windows network is threefold. First, you must understand what constitutes good security. Second, you must be able to implement security for the organization's information systems on the equipment you manage. Finally, you must make sure the tools and methodologies are available for quickly applying a security configuration, and you must understand how to use and maintain them.

Ultimately, management must determine the most appropriate security policies, but the discussion here gives you sound reasons for specific security settings. In the past, many tools and low-level Registry adjustments were necessary to fulfill a security policy. Today, however, security templates, and especially their global application through Group Policy, can address the third task: quick enterprisewide application and maintenance. The first piece of that solution is knowing what to do with the templates.
Security Templates Snap-In
You load the Security Templates snap-in in an MMC. By default, several templates are available; you can add more templates, and you can modify settings or develop new templates. The recommended method of using the templates is as follows:

- Design a security baseline for each computer role. Computer roles include domain controllers, file and print servers, mail servers, database servers, network services servers (DHCP, Domain Name System [DNS], Windows Internet Name Service [WINS], and so on), Web servers, remote access servers, desktop systems, and so forth.
- Factor the baselines into master and supplemental baselines. Security configuration that is common to all roles is implemented as a master baseline; the specifics of each unique role are implemented as a supplemental baseline. In a typical Windows Server 2003 network, two master baselines are usually defined, one for domain controllers and one for all other computers.
- Implement the master and supplemental baselines as security templates. Apply the master templates to all machines and the supplemental templates to the appropriate machines using deployment tools. You can deploy security templates in several ways, including Group Policy and batch files that apply the templates directly with Secedit.
Designing Master and Supplemental Security Baselines for Security Templates
The first step in designing the security baseline is to understand what the organization's security policy requires. After you have that information, the next step is to determine which security measures can be fulfilled by using the security templates. Assign to the master template the items that are common to all computer roles, and assign to the individual supplemental templates the items that mark the differences between roles.

You will have to determine your organization's security policy, but this section describes the security settings that you can implement through security templates. Additional security policy must be implemented with other tools. Table 2 lists each section and subsection of the template and describes how you can use them to implement security policy. Examine the sample templates available in the Security Templates snap-in to see the hundreds of possible security settings. You can add and manage additional elements in the templates, and you can apply additional security settings using other Windows Server 2003 tools.
Table 2. Security Template Sections

Section | Subsection | Description
---|---|---
Account Policies | Password Policy | The configuration for passwords, including minimum length, history, complexity, and frequency of change.
Account Policies | Account Lockout Policy | The number of failed logon attempts before the account is locked out, how long the lockout lasts before it is reset, and the window of time after which the failed-attempt counter starts over.
Account Policies | Kerberos Policy | The ticket lifetime, ticket renewal time, whether user logon restrictions are enforced, and the maximum tolerated clock skew.
Local Policies | Audit Policy | The types of audit events that are logged. Options include account logon, account management, object access, process tracking, privilege use, and policy change.
Local Policies | User Rights Assignment | What users can do on the system. Rights include logon rights, backup and restore, and so on.
Local Policies | Security Options | The implementation of various security settings through Registry values. The default listing includes items that affect authentication, narrow choices, prevent connections, and so on. The section "Understanding Security Template Settings That Affect Network Security" gives examples. You can also implement any Registry value of your own by adding it to a security template and applying the template.
Event Log | | The maximum log size, when logs are overwritten, and how long records are retained.
Restricted Groups | | The ability to manage the membership of any Windows group. Members can still be added to and removed from a managed group in the normal manner, but each time the template is reapplied (for example, at Group Policy refresh), the group membership is replaced by the membership listed here.
System Services | | The startup type (Disabled, Automatic, or Manual) for individual services. You can also set security on each service by determining who can stop, start, and modify the startup settings for it.
Registry | | The security permissions (ACLs) on Registry keys. When the template is applied, its settings overwrite the current permissions. Using the Registry section of the security template is a good way to manage secured keys because the settings can be uniform throughout the domain and can be quickly reset should they be changed. Note that you cannot add new Registry keys or change their values here; you can only manage security on existing keys. (Values are set under Security Options.)
File System | | The security permissions for files and folders.
Note: Browsing the Security Templates snap-in, even changing settings in the templates, does not change the security policy of any computer. To change security, you must apply the template. The exercises that follow provide complete instructions for loading, browsing, modifying, creating, and applying security templates.

The Security Templates snap-in points by default to the WINDOWS\Security\Templates folder, where the available templates are stored. You can copy the default templates from the WINDOWS\Inf folder into that location so that they can be viewed. You can also create a folder and add templates from other sources.

See Also: The "Windows Server 2003 Security" white paper is an excellent source of security templates and describes how to use them to implement a strategy like the one defined here. (Go to http://go.microsoft.com/fwlink/?Linkld=14846.)
Table 3 describes the templates that come with Windows Server 2003.
Table 3. Security Templates

Template | Location | Description
---|---|---
Compatws | Security\Templates | Relaxes file and Registry permissions so that legacy applications can run. The Compatws template decreases security.
DC security | Security\Templates | Applies the default security settings for a domain controller (DC).
Hisecdc | Security\Templates | Further secures a DC: includes increased security for NTLM, disables additional services, and applies additional Registry and file security. Removes any members from the Power Users group. Hisecdc is a stronger, more secure setting than Securedc.
Hisecws | Security\Templates | Further secures a workstation: includes increased security for NTLM and removes any members from the Power Users group. Limits membership of the local Administrators group to Domain Admins and the local Administrator account. Hisecws is a stronger, more secure setting than Securews.
Iesacls | Security\Templates | Applies Registry permissions to keys integral to Microsoft Internet Explorer. This template sets the Registry permissions to Everyone Full Control and Read.
Rootsec | Security\Templates | Applies the default permissions to the root of the system drive; use it to restore those permissions if they have been changed.
Securedc | Security\Templates | Tightens account policies and restricts LAN Manager authentication on a DC.
Securews | Security\Templates | Tightens local account policies and restricts LAN Manager authentication on a workstation or member server.
Setup security | Security\Templates | Represents the security applied to the current machine during installation.
Defltsv | WINDOWS\Inf | The default server template applied during installation.
Defltdc | WINDOWS\Inf | The default DC template applied during Dcpromo.
Using the Security Templates Snap-In to Define the Baselines
You can configure baseline templates by using the Security Templates snap-in. To configure a baseline template, complete the following steps:

1. Create a Security Templates snap-in.
2. Add a folder for the organization's templates.
3. Copy a template to create a new organization baseline template.
4. Modify the template.
5. Save the template.
6. If necessary, modify the template further by editing its Inf file.
Tip: You should add most template settings by using the Security Templates snap-in. The template file is a text file, but the required syntax can be confusing, and using the snap-in ensures that settings are written with the proper syntax. The exception to this rule is adding Registry values that are not already listed in the Security Options portion of the template. As new security settings become known, if they can be configured through a Registry value, you can add them to a security template by adding a line for them to the [Registry Values] section of the template file. Such a value is applied whenever the template is applied, but the snap-in displays only the values registered in Sceregvl.inf, so it does not appear under Security Options until you register it there; the article "How to Add Custom Registry Settings to Security Configuration Editor" explains how to do that. You can find it at http://support.microsoft.com/?kbid=214752.
Using the Security Configuration And Analysis Snap-In to Apply a Template and Monitor Security Policy Compliance
Creating and modifying templates does not improve security unless you apply the templates. You can use the Security Configuration And Analysis snap-in to apply a template to the local machine. You can also use the tool to compare the settings in any template with the settings that exist on the computer. This comparison is extremely useful: when an analysis is performed, each setting that varies between the existing security configuration and the selected template is marked in the interface with a red x, so the comparison shows you the effect that applying the template would have.

Even more useful is the ability to monitor security on a computer by periodically comparing its configuration to the baseline template. Variations are evidence of policy noncompliance and need to be investigated and reset. (The exercises at the end of this section provide instructions for using the Security Configuration And Analysis snap-in to apply the template and to analyze security compliance.)
If you apply additional templates, you must decide whether to clear the database first. If the database is cleared, only the settings in the new template are applied. Note that clearing the database does not undo settings that an earlier template has already applied to the machine; only a rollback template, or a template that sets those values explicitly, can do that. If the database is not cleared, importing an additional template has the following effect:

- If a setting is defined in the old template but not in the new template, the setting remains as it is in the old template.
- If a setting is defined in the new template but not in the old template, the setting changes to the value in the new template.
- If a setting is defined in both templates, the new template's value is applied.
Using Secedit to Apply Security Templates
Secedit is the command-line counterpart of the Security Configuration And Analysis snap-in and offers some additional functionality, such as generating rollback templates, validating template syntax, and exporting merged policy. Table 4 defines each setting, and the syntax summary follows the table.
Table 4. Secedit Syntax

Setting | Description | Comments
---|---|---
/configure | Applies the security settings in the database (after importing the template named with /cfg, if any) to the computer. | Never use this setting without first creating a rollback template. A rollback can return most of the security configuration to the way it was, should you find that your template is not correct or causes problems.
/analyze | Compares the settings in the database to those set on the machine. | Use this setting to audit security settings for compliance.
/import | Imports a template into a database. | Use this setting to create the database to be used in a future configuration or analysis. You can also import and configure or analyze at the same time by giving /cfg with /configure or /analyze.
/export | Exports a template from a database. | Use this setting to build a new template by combining two or more templates: import each template, in the order you want, into the database, and then use /export to produce an Inf template file.
/validate | Validates the syntax of a template. | Use this setting if you have added settings directly to the Inf file.
/generaterollback | Makes a reverse template, that is, a template that undoes most of the settings a template applies. | Always make a rollback before applying a new template. Be aware that it does not restore access control lists (ACLs) on files and in the Registry that the template sets.
/db | Specifies the name of the database file to create or use. | You might need to enter the whole path.
/cfg | Specifies the name of the template to use. | You might need to enter the whole path.
/overwrite | Empties the database before importing the template, instead of merging the template with what the database already holds. | Use this setting if you do not want a combined effect when applying a template. If the old database contents have already been applied, using this setting does not change settings on the computer that the new template does not overwrite.
/log | Specifies a log file to record errors. | Errors are always recorded; by default, if no log file is specified, the system uses WINDOWS\Security\Logs\Scesrv.log.
/quiet | Suppresses screen output and progress messages. | When you use this setting in a script, the logged-on user does not need to know that the program is running.
/areas | Applies only the settings in the specified areas of the template; other settings are ignored. | The areas are SECURITYPOLICY, GROUP_MGMT (restricted groups), USER_RIGHTS, REGKEYS, FILESTORE, and SERVICES.
/mergedpolicy | Exports the effective policy, that is, domain policy merged with local policy. | Use this setting with /export to capture all the security settings in force on the computer.
/rbk | Specifies the name of the rollback template to create. | This setting is available only with /generaterollback.
The syntax of each form is as follows (areas are separated by spaces):

secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
secedit /analyze /db FileName [/cfg FileName] [/overwrite] [/log FileName] [/quiet]
secedit /import /db FileName /cfg FileName [/overwrite] [/areas Area1 Area2 ...] [/log FileName] [/quiet]
secedit /export [/db FileName] [/mergedpolicy] /cfg FileName [/areas Area1 Area2 ...] [/log FileName]
secedit /validate FileName
secedit /generaterollback /cfg FileName.inf /rbk RollbackFileName.inf [/log FileName] [/quiet]

Following are some example Secedit commands.

To create a rollback template for the XYZ template (do this before applying it):

secedit /generaterollback /cfg xyz.inf /rbk xyzrollback.inf /log xyzrollback.log

To configure the machine using the XYZ template:

secedit /configure /db xyz.sdb /cfg xyz.inf /log xyz.log
For more information about Secedit, refer to the Windows Server 2003 Help and Support Center.