Tuesday 26 November 2013

Configure

Security Overview

The object of security is to protect data, and its availability, from being compromised by malice or by accident. In Windows there are two main strands to security: specific access permissions and authentication. Specific permissions can be applied to users, groups, or resources. Authentication confirms to the machine or network that a user has an account with permissions to log on. Individual servers and workstations need protection, as do the connections between them, especially if the connection is over the internet. In addition to making organisational precautions through software settings, attention should be given to the physical security of the system. The items illustrated can all be physically removed from a machine, or indeed a building, and therefore may require physical security.
A final theme of security is that of auditing. This allows the administrator to view the history of who has attempted to access a resource and whether they succeeded. Security can be set at the level of the individual machine or across a wider unit such as a domain. In each case the principles of securing the hardware, software and user access apply.

Security Considerations

Passwords are a principal device for restricting access to a machine or network. However, passwords can be guessed or stolen. To guard against theft or discovery, passwords should be changed frequently. Windows can enforce a password-changing policy upon its users. To counter guessing, quite simply, the passwords need to be made as long and as complex as is practicable.
A single-letter password chosen from a…z might be guessed after 26 attempts. A two-letter password has 26 times more possibilities (676). The following table shows this sequence of increasing complexity for passwords using a…z:
Length – Possibilities
1 – 26
2 – 676
4 – 456976
8 – 208827064576
Windows permits passwords of up to 127 characters, but recommends at least 7 for a password.
A single-letter password chosen from a to z gives a base of 26 elements, but if the choice of elements also includes upper-case letters and other symbols, the complexity level is increased significantly and the password integrity is strengthened. The length and the composition of a user's password can be specified in a security policy, either for an individual machine or for a domain. The lifetime of a password can also be set by this policy, and the reuse of old passwords may also be prevented.
In summary, for a password to be strong and difficult to crack, it should:
  • Be at least seven characters long.
  • Be significantly different from your previous passwords.
  • Not contain your own name or user name (nor the name of a spouse, children, pets etc.).
  • Not be a common word or name.
  • Have at least one symbol character in the second through sixth positions.
  • Contain letters a-z and A-Z, numerals 0-9 and symbols ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
There are many facets of computer operation which need protection from unwarranted interference.
Files
Files need to be read by some users, modified by other users, backed up by yet other users, encrypted by owners and hidden from most! This is apart from needing to create files, delete files and share them across a network. Each of these is possible simultaneously in Windows because of the facility to set individual detailed permissions.
Granting Permissions
There is a permission for viewing and changing permissions on files and folders. When new resources are created, this permission needs to be configured carefully.
Domains And Sites
Permissions for access to larger units such as a domain are separate from those granted for local resources. Changes to one aren't reflected in the other. For example, if a user's account is disabled for a local resource, the domain account may still be active.
Configuration
Settings for users or sites can be made so that such things as Control Panel and Administrative Tools are not available to a user or range of users. This is used to enhance security, but it can also be used to enforce corporate themes and identities across users’ desktops.
Installing Applications
The facility to install applications should not be distributed lightly. Non-standard, unsupported or defective applications can be a drain upon available technical support time, and interfere with multi-layer processes. This facility can be controlled quite closely with Windows.
Network Access
Rogue servers and users can attach themselves to a network, pretending to be something they’re not and gain access to private data. Long cable runs and internet links are weak points for the monitoring of traffic – hence a need for encryption.

Kerberos v5

Kerberos V5 is the primary security protocol for authentication within a domain. (Windows can use others such as SSL, TLS & NTLM.) The Kerberos V5 protocol verifies both the identity of the user to the network services and the service to the user. This form of verification is known as mutual authentication. Kerberos is named after the legendary 3-headed hound which guarded the gateway to Hades, the ancient Greek version of Hell.
The Kerberos V5 authentication mechanism issues tickets for accessing network services. These tickets contain encrypted data, including a user's encrypted password and unique SID, that confirms the user's identity to the requested service. Except for possibly entering an additional password or smart card credentials, the entire authentication process is invisible to the user. Kerberos V5 authentication is automatically enabled when you install Windows 2000/XP and Server 2003. For Kerberos to work, both the client and the machine the resource resides upon must be running Windows 2000 or later.
Tickets that are successfully authenticated against the records in Active Directory grant the user access to the various resources in the domain for which he has permission, without him having to identify himself with a user name and password each time. All this is invisible to the user and also, largely, to the administrator. However, it is useful to be able to understand the authentication procedure Kerberos uses.

NTLM Authentication

Pre-Windows 2000 clients use a protocol called NTLM (NT LAN Manager) to authenticate on the network. For backward compatibility, Windows Server 2003 continues to support NTLM authentication. NTLM uses less secure authentication and is not as preferable as Kerberos; however, for NT 4.0 and Windows 9x/Me it is the only available authentication protocol.

Configure

Local Policies are set through the Local Security Policy MMC. This can be easily accessed from the Administrative Tools folder in the Start Menu.
Expand Account Policies…
…then Password Policy.
Local Security Policies
Each of these options adds to the burden on the user logging in, but increases the security accordingly.
Password history can be set to prevent a user reusing the same set of passwords over and over, as these might be inadvertently disclosed or guessed. Up to 24 passwords can be remembered.
Passwords need to be changed regularly. How frequently they should change is determined by these two settings. The maximum age setting makes a user refresh a password after a set period of time, whilst the minimum age prevents a user changing his password too often.
The maximum value for both settings is 999 days.
A longer password is harder to crack. Therefore a user can be required to use a password of a minimum length. 7 characters is recommended for most networks. Up to 14 characters is the most that can be required by the security policy. A machine will accept a password of 127 characters.
Although secure, very long passwords are a nuisance as users tend to forget passwords and assigning a very long password requiring varied characters is making a rod for your own back as you will have to reset them. For less critical data and functions, simpler passwords can be acceptable.
Password complexity rules prevent a user using, for example, a long string of zeroes or their name as a password.
Once enabled, an administrator might be warned that a new password doesn't meet the complexity rules, but he wouldn't be told what these are. Strangely, a user required to change a password at next login IS informed what the complexity rules are. (See "Security Considerations".)
The complexity rules are fixed unless the Microsoft Software Development Kit is installed. The default rules are as follows.

Password Complexity Rules

Passwords must be at least 6 characters (regardless of the minimum length set in the security policy). Passwords must contain characters from three of the following four groups: capitals, lowercase letters, numerals, punctuation symbols. Passwords must not include the login name, or any of a user's real names.
Jo, JSmith and js1234 do not meet the complexity rules.
Joh?#n, JS2ith and Js1234 meet the complexity rules.
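The default complexity rules above, and the password-space table from "Security Considerations", as an added Python model (example code written for this page, not part of the original post or of Windows itself). The login name and real names passed to the checker are assumed inputs; the symbol group is Python's `string.punctuation`, which is the same 32 symbols listed earlier on the page.

```python
import string

# The four character groups named in the default complexity rules.
GROUPS = {
    "capitals": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "symbols": set(string.punctuation),  # matches the page's symbol list
}

MIN_LENGTH = 6  # fixed default, independent of the policy's minimum length


def failed_rules(password, login_name="", real_names=()):
    """Return the default complexity rules that `password` breaks.

    An empty list means the password meets complexity requirements.
    `login_name` and `real_names` (assumed inputs for this example) are the
    account's user name and the parts of the user's real name."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    present = [g for g, chars in GROUPS.items() if any(c in chars for c in password)]
    if len(present) < 3:
        failures.append("uses only %d of the 4 character groups" % len(present))
    lowered = password.lower()
    for name in (login_name, *real_names):
        if name and name.lower() in lowered:
            failures.append("contains the name %r" % name)
    return failures


def meets_complexity(password, login_name="", real_names=()):
    return not failed_rules(password, login_name, real_names)


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters drawn from
    `alphabet_size` symbols: the page's 26, 676, 456976, ... series for a..z."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed account details for the page's six sample passwords.
    for pw in ("Jo", "JSmith", "js1234", "Joh?#n", "JS2ith", "Js1234"):
        print(pw, failed_rules(pw, "jsmith", ("John", "Smith")) or "OK")
    full = 26 + 26 + 10 + len(string.punctuation)  # a-z, A-Z, 0-9, symbols = 94
    for n in (1, 2, 4, 8):
        print("length %d: a-z %d, all groups %d" % (n, keyspace(26, n), keyspace(full, n)))
```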
Connection to non-Windows machines requires CHAP authentication. For this, passwords are stored in an encrypted form so they can be more safely passed over a network.
To set one of these policies, right-click on it and choose Properties.
Set the number of characters required. 7 is recommended by Microsoft for most purposes. A user is free to use more.
Click OK to complete this.
The policy is now configured.

Account Policies

Malicious (or capricious) persons may occasionally attempt to guess at passwords, especially those for the administrator account. It is possible to deter this practice by locking out further attempts for a period of time.
If the Account Lockout Policy object is expanded, the pane of options is revealed.
Lockout Duration determines how long attempts at login are ignored after a specific number of failed logons. This can be anywhere between 1 and 99999 minutes (over two months). The 0 minute option locks the machine until an administrator unlocks it.
Lockout threshold determines how many wrong attempts at login are allowed before lockout. Up to 999 attempts can be allowed. A figure of zero permits unlimited guesses at the login name and password.
The Reset Counter setting has its function in the following sort of scenario: a user mistypes her password a couple of times and, rather than risk being locked out for the next half hour, waits for the reset period to elapse (so that the count of failed attempts is cleared) before making another, hopefully correct, attempt.
There is a logical connection between these three lockout policy settings, and a change in one has an implication for the others. By way of illustration, right-click on the Lockout Threshold item and select Properties.
Select a sensible figure for the number of invalid logon attempts, and see what happens when OK is clicked.
Whichever option is set, this dialogue box appears to suggest reasonable settings for the other two. Click OK to review all the settings which result.
The suggested selection of settings is usually entirely reasonable.
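How the three lockout settings interact, as an added Python simulation of the policy (example code written for this page, not the original post's and not Windows' own implementation). Times are minutes, the 30/5/30 values are the assumed "sensible" settings, and the behaviour on a correct password during lockout (still refused) and on threshold 0 (never lock) and duration 0 (administrator must unlock) follows the settings as the page describes them.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int        # invalid attempts allowed before lockout; 0 = unlimited
    duration_min: int     # minutes locked out; 0 = until an administrator unlocks
    reset_after_min: int  # minutes of quiet after which the bad-attempt count clears


@dataclass
class AccountState:
    bad_attempts: int = 0
    last_bad_at: Optional[float] = None   # minute of the last failed attempt
    locked_until: Optional[float] = None  # minute the lock expires; inf = admin unlock


def attempt_logon(policy, state, now_min, password_ok):
    """Apply one logon attempt at time `now_min` and update `state`.
    Returns 'ok', 'bad password' or 'locked out'."""
    if state.locked_until is not None:
        if now_min < state.locked_until:
            return "locked out"          # even a correct password is refused
        state.locked_until = None        # lockout duration has expired
        state.bad_attempts = 0
    # Reset Counter: failures older than the reset period no longer count.
    if (state.last_bad_at is not None
            and now_min - state.last_bad_at >= policy.reset_after_min):
        state.bad_attempts = 0
    if password_ok:
        state.bad_attempts = 0
        state.last_bad_at = None
        return "ok"
    state.bad_attempts += 1
    state.last_bad_at = now_min
    # Lockout Threshold: 0 means never lock out.
    if policy.threshold and state.bad_attempts >= policy.threshold:
        state.locked_until = (float("inf") if policy.duration_min == 0
                              else now_min + policy.duration_min)
        return "locked out"
    return "bad password"


def admin_unlock(state):
    """An administrator clears the lock (needed when Lockout Duration is 0)."""
    state.locked_until = None
    state.bad_attempts = 0


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, duration_min=30, reset_after_min=30)
    acct = AccountState()
    for minute in range(5):                       # five guesses in five minutes
        print(minute, attempt_logon(policy, acct, minute, False))
    print(10, attempt_logon(policy, acct, 10, True))   # correct, but locked out
    print(35, attempt_logon(policy, acct, 35, True))   # lock expired, accepted
```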

Local Policies

Expand Local Policies.
Expand Security Options.
These are some of the options that can be configured as part of a security policy.  Some, all or none of these options can be configured depending on your requirements.
For example, if the security requirements of the local machine dictate that the last user's name not be displayed in the logon screen, right-click on this setting and select Properties.
Enabling this setting is simply a matter of checking the radio button… and clicking OK.
Now the security list has this setting listed as Enabled.

User Rights Assignment

User rights assignment determines which users or groups have logon or task privileges on the computer.  Using these is the best and most flexible way to secure a workstation, while still permitting access to a variety of users.  Remember that these can be set locally, but domain-wide settings can override these.
There are a lot of them, and they each have their uses, depending upon the circumstances of the company using the network.
For example, users can be given Back up and restore rights by selecting this option.
Notice the default groups that have this privilege are the Administrators and Backup Operators group. Additional Users and Groups can easily be added from here by selecting the Add User or Group button.

Auditing and Audit Policies

Auditing allows you to log security-related events on the local computer. These events can be anything from a user logging on to a specific file being accessed. Security events can be audited for success, failure or both. You should only audit what is absolutely necessary, as auditing can use up valuable disk space.
By default Windows Server 2003 has auditing already enabled. However a Windows XP or 2000 machine does not.  All auditing events are logged to the event viewer. The event viewer is covered in the Monitoring and Optimisation Module.
Selecting the Audit Policy folder reveals the options above.
The most common types of events that are audited apart from the default options are:
  1. Access to objects, such as files and folders
  2. Management of user and group accounts.
Account logon events relate to user accounts that are logging on to this computer over the network from another machine. This option is mainly used on Domain Controllers.
Every time a change is made to a user account an account management event is audited.
Directory Service is used to audit access to Active Directory Objects. Again, this is more useful on a Domain.
Auditing Logon events is a useful option because it allows you to log who is logging on to the local machine.
Object access can be used to audit access to resources on the local machine. As well as enabling it here the object will also need to be configured.
Policy Change audits will log anything relating to security policies being modified on the machine.
Users who are using their privileges to perform tasks on the machine can be logged by enabling Audit privilege use.
Process tracking can be used to log which processes are running on the machine. This should not be enabled unless absolutely necessary, because of the large number of entries it can create.
The Audit system events setting determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
Right-click on the item to be audited and select Properties.  (Alternatively, click on the Action button in the toolbar.)
Checking either or both of these boxes is all that’s required to enable auditing of logon events. Click OK to close this window.
Confirm that auditing for this action has been enabled.
The event viewer contains a security log which shows audit events.
Double-click on an entry to view its contents.
This entry shows that someone attempted to login as an Administrator and failed to type the correct password. From here the date, time and the machine which was used to make the logon attempt can be seen.
Sometimes details need to be printed to a file. Clicking here copies the details to the clipboard.
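Reading the failed-logon entries out of a saved copy of the security log is the defender's side of the account-lockout discussion: the added Python below (example code written for this page, not the original post's) flags any account/workstation pair with a burst of failed logons. The log lines are constructed sample data in an assumed comma-separated shape (timestamp, entry type, account, workstation), not an export of a real Event Viewer log, and the 5-in-30-minutes threshold is assumed to mirror the lockout settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Security log entries (not real log data):
# timestamp, entry type, account, workstation the attempt came from.
SAMPLE_LOG = """\
2013-11-26 09:12:03,Failure Audit,Administrator,WS-07
2013-11-26 09:12:09,Failure Audit,Administrator,WS-07
2013-11-26 09:12:14,Failure Audit,Administrator,WS-07
2013-11-26 09:12:20,Failure Audit,Administrator,WS-07
2013-11-26 09:12:26,Failure Audit,Administrator,WS-07
2013-11-26 09:30:00,Success Audit,rjackson,WS-03
2013-11-26 09:41:10,Failure Audit,rjackson,WS-03
2013-11-26 10:15:45,Failure Audit,rjackson,WS-03
"""


def parse_entries(text):
    """Parse the assumed comma-separated log shape into tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, account, workstation = line.split(",")
        entries.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                        kind, account, workstation))
    return entries


def failed_logon_bursts(entries, threshold=5, window=timedelta(minutes=30)):
    """Return {(account, workstation): peak_count} for every source that produced
    at least `threshold` failed logons inside any `window`-long period.

    A sliding window per (account, workstation) pair drops failures older than
    `window`, so two mistypes an hour apart are never reported."""
    recent = defaultdict(deque)
    flagged = {}
    for when, kind, account, workstation in sorted(entries):
        if kind != "Failure Audit":
            continue
        key = (account, workstation)
        q = recent[key]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (account, ws), count in failed_logon_bursts(parse_entries(SAMPLE_LOG)).items():
        print("%d failed logons as %s from %s within 30 minutes" % (count, account, ws))
```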

Auditing Object Access

Auditing Object Access allows you to log when specific resources on the machine are accessed, e.g. A file. Auditing Object Access is a two stage process.  Object Access Auditing firstly needs to be enabled for either success, failure or success and failure and then the object needs to be configured.
Right-click on the object to be audited, e.g. a file on an NTFS partition.
Select the security tab and click Advanced.
Select the Auditing Tab.
Click on Add to add an audit entry.
Choose a user and click OK.
And then specify what you want auditing on the file.
If an attempt is made to delete this file by the user Ross Jackson an entry will be added to the security log.

Refreshing Policies

Security Policies aren’t immediately applied to the machine and often a restart is required. However a command line utility “gpupdate” can be used to refresh the computer’s security policy without a restart.  The command “gpupdate /target:computer” can be used to refresh the computer policy. The “gpupdate /target:user” policy is used when refreshing user group policy settings, which are covered later.

Configure

The MMC Console is called from START > RUN.
Add the group policy console from the Add/Remove Snap-ins Wizard.
Options here fall into two broad groups, namely settings for the machine as a whole, and settings for the users of the machine.
Software Settings is really only of use within a domain where programs are published or assigned.
Windows Settings is more relevant until the computer is joined to a domain.
This is a way to specify programs to run before the user begins to interact with Windows.
Double-click on the item to view its properties.
No script files have been selected, but one can be added now:
Browse to find a file in the Start-up folder.
One way to specify that all the scripts execute at the same time, as far as possible, is to use the Administrative Templates facility.
Expand System…
…then Scripts.
There is a bewildering array of options here. Fortunately, there are explanations for each policy setting.
Double-click on Run startup scripts asynchronously.
Select the appropriate radio button.
The Explain tab gives a detailed explanation of the object's function.
The previous and next policy buttons allow the administrator to scroll through all the available policies until he finds one that fulfils his requirements.
The quick scan facility is very useful in view of the enormous number of options available:
The best way to get familiar will all of these settings is to play around with them. Be careful not to lock yourself out of the machine.
There are as many options again for configuring users' rights, as can be seen from the panel on the left.
The foregoing configuration opportunities give an administrator a wide range of options for setting security. However, a basic list of essential security features might include disabling the following:
  • Command Prompt,
  • Control Panel,
  • MMC,
  • Installing programs from floppy, CD or DVD,
  • Shutdown,
  • Previous Login name,
  • Registry editing tools
(You might also consider configuring a Web Home Page.)
Group Policy is applied to the machine and all users of it – including the Administrator.  He can permanently remove his own control.

Sunday 10 November 2013

Creating a Counter Log

To create a new log open the Performance Console and Expand Performance Logs and Alerts. Click on Counter Logs.
Performance Logs and Alerts
This shows that there is a sample log in place. If the log is in red, it indicates that the log is currently not running. To create a new log, right-click on Counter Logs.
Select New Log Settings. Type in a name for the new log. Click on OK.
To add a counter to log, click on Add Counters.
Choose the counter to log and click on Add.
Once all counters have been added, click on Close.
The Processor Time counter has been added. The Sample data every control allows you to specify how often the data is recorded. The value can be lowered if a more accurate log is required. Note: the shorter the sample interval and the more counters added, the more load on the system.
Click on the Log Files tab next.
Here the location of the log file is specified.
The Log file type sets a format for displaying in Excel or Word.
Explore the Schedule Tab next.
The maximum log file size can also be set.
The Schedule tab specifies when the log should start. Click on Manually (using the shortcut menu) to start the log manually and select OK.
To start the log, right-click on the Processor Performance log.
Click on Start.
Green indicates that the log has started. The file is located inside the “PerfLogs” folder. The log file can be opened with an application such as Excel and displayed as a graph or chart or in system monitor.
Remember to add the correct counters to system monitor before you import the log.

Creating an Alert

To create a new alert, right-click on Alerts.
Select New Alert Settings.
Type in a name for the new alert.
Click on Add to add a counter.
Select the relevant counter and click Add.
Once all necessary counters have been added, click on Close.
Change the Alert value to over 60%.
Click on the Action tab.
The form of the alert can be set here. (Having a network message sent is perhaps the most fun…)
Type in the IP address or name of the machine to which the message should be sent.
Click on the Schedule Tab.
The schedule tab specifies when the alert should start. Click on Manually to start the alert manually.
Click on OK to create the alert.
To start the alert, right-click on the Processor alert.
Click on Start.
Green indicates that the alert has started, and is ready for the triggering event.
Every time the processor time goes above 60% a network message is sent to 10.0.0.219. The alert is also logged to the event viewer.

Friday 1 November 2013

Creating a New Hardware Profile

Hardware profiles are created from the System applet in Control Panel. If there is more than one hardware profile, you are given a choice as to which profile you desire as the machine boots into Windows. Device Manager can be used to enable or disable devices for each profile. When you disable a device from within a hardware profile, that device will no longer be available and will not be loaded the next time you start your computer.

To create a Hardware Profile use the System Applet in Control Panel (or Right-click on My Computer and Select Properties)

Select the Hardware tab.

Click the Hardware Profiles button.

Select Properties.

From here any of the options can be selected.

To create a new hardware profile, you need to make a copy of the original.

Select Copy to copy the original Profile.

Choose a name and select OK to continue.

The new profile has now been created. To disable devices in the new profile, restart the machine and select the new hardware profile.

The Hardware Profile screen is displayed once the computer has been restarted. Select the New Profile.

The computer is now running in the second hardware profile. Device manager can disable any devices that won’t be used in this profile.

Right-Click on the Device to be disabled and select Properties.

Select Device usage.

Select Do not use this device in the current hardware profile (disable).

Select OK to continue.

The Modem has now been disabled. When the user logs on with this profile, there will be no Modem operational.