Module 8: Implementing Security in a Windows 2000 Network


Contents

Overview
Introduction to Securing a Windows 2000 Network
Windows 2000 Security Policies
Implementing Security Policies
Implementing an Audit Policy
Recovering Encrypted Files
Lab A: Implementing Security in a Windows 2000 Network
Best Practices
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead and Instructional Designer: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart

Introduction

Presentation: 60 Minutes

This module provides students with the necessary knowledge and skills to implement security in a Microsoft® Windows® 2000 network by using security policies and auditing and by recovering encrypted files.

Lab: 75 Minutes

In the lab in this module, students will have a chance to create a customized Microsoft Management Console (MMC) console for configuring security settings and creating a new security template. Then they will analyze and configure the security settings for a computer. They will also plan and implement audit settings in a domain. Finally, they will recover an encrypted
file.

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Materials

To teach this module, you need the following materials:
- Microsoft PowerPoint® file 1558A_08.ppt

Preparation

To prepare for this module, you should:
- Read all the materials for this module.
- Complete the lab.
- Study the review questions and prepare alternative answers to discuss.
- Anticipate questions that students may ask. Write out the questions and provide the answers.
- On the course 1558A, Advanced Administration for Microsoft Windows 2000, Student Materials compact disc
- Read the white paper, Secure Networking Using Windows 2000 Distributed Security Services.
- Read the white paper, Security Configuration Tool Set.
- Read the white paper, Encrypting File System for Windows 2000.
- Read the technical walkthrough, Encrypting File System.
- Read the technical walkthrough, Using the Security Configuration Tool Set.

Module Strategy

Use the following strategy to present this module:
- Introduction to Securing a Windows 2000 Network
  In this topic, you will introduce the purpose of securing a Windows 2000 network. Emphasize that you use Group Policy to establish and enforce security policies for network computers.
- Windows 2000 Security Policies
  In this topic, you will introduce the different types of security policies in Windows 2000. Show students the security settings that they can configure in Group Policy.
- Implementing Security Policies
  In this topic, you will introduce the procedure for implementing security policies. Emphasize that a preconfigured security template ensures duplication of desired settings that are already existing for a computer, and can be tested before security settings are applied to multiple computers. Explain the purpose of a security template and demonstrate how to create a security template. Emphasize that you can define a security setting once and apply it in many places. Explain the purpose of Security Configuration and Analysis and demonstrate how to configure and analyze the security settings of a computer. Illustrate how to use Group Policy to apply security policies.
- Implementing an Audit Policy
  In this topic, you will introduce the procedure for implementing an Audit policy. Explain the purpose of auditing. Tell students that auditing is used to track user events. An event shows the action that was performed, the user who performed the action, and the date and time of the action. Show the events that Windows 2000 can audit and explain what the event indicates. Explain how to plan an audit strategy and determine which events to audit. Illustrate how to set up an Audit policy. Explain how to audit access to file system, Active Directory™ directory service, and printer objects, and list the guidelines to be followed for auditing each resource.
- Recovering Encrypted Files
  In this topic, you will introduce recovering encrypted files. Briefly discuss the purpose and the process of encrypting and decrypting files and folders. Discuss the purpose of a recovery policy. Emphasize that the first administrator to log on to a stand-alone computer is the recovery agent for that computer, and the first administrator to log on to the domain after the first domain controller is created is the recovery agent for the domain. Illustrate how to recover files and folders. Point out that recovering files and folders is the same as decrypting files and folders.
- Lab A: Implementing Security in a Windows 2000 Network
  Prepare students for the lab in which they will create a customized MMC console and a new security template for configuring security settings. Next, they will analyze and configure the security settings for a computer by using Security Configuration and Analysis. They will also plan and implement audit settings in a domain. Finally, if time permits, they will configure the Group Policy security settings for a computer by using a security template. Make sure that students run the command file for the lab and tell them that they will work with their partner’s computers. After students have completed the lab, ask them if they have any questions.
- Best Practices
  Present best practices for implementing security in a Windows 2000 network. Emphasize the reason for each best practice.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1558A, Advanced Administration for Microsoft Windows 2000.

Lab Setup

The following list describes the setup requirements for the labs in this module.

Setup Requirement
The labs in this module require a regular user account for the student. To prepare student computers to meet this requirement, create the user account manually.

Setup Requirement
The labs in this module require the Log on locally right for domain controllers to be assigned to the Everyone group. To prepare student computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08.cmd
- Assign the right manually.

Setup Requirement
The labs in this module require that a shortcut for Active Directory Domains and Trusts, Active Directory Users and Computers, and Active Directory Sites and Services exists on the desktop of the regular user account. To prepare student computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08.cmd
- Create the shortcuts manually and place them in C:\Winnt\Profiles\All Users\Desktop

Setup Requirement
The labs in this module require the following organizational units (OUs) in the student’s domain.

This OU    In this organizational unit
East       Domain Controllers
West       Domain Controllers

To prepare student computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08.cmd
- Create the OUs and user accounts manually.

Setup Requirement
The labs in this module require a printer called Color Printer on each student computer. To prepare student computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08.cmd
- Create the printer manually.

Setup Requirement
The labs in this module require a user account named StefanK in each student domain with a password of password. To prepare student computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08.cmd
- Create the account manually.

Lab Results

Performing the labs in this module introduces the following configuration changes:
- Students move their domain controllers to the East OU or West OU if they have not been moved already.
- Students configure their computers by using a security template that they create.
- Students create a Group Policy object (GPO) linked to the East OU or West OU in their domains that contains security template and Audit policy settings.
- Students remove GPOs linked to the East OU or West OU in their domains.
- Students move their domain controllers to the Domain Controllers OU.
- Students run a command file to reset their computer’s security configuration to default values.
- Students encrypt and decrypt files.

Important: You can run C:\MOC\Win1558A\Labfiles\Lab08\Setup\Lab08rm.cmd to remove most configuration changes introduced during the labs in the module. Remove the Log on locally right from the Everyone group manually. Manually delete the GPOs created by students.

Overview

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn to create and configure security policies and implement security in a Windows 2000 network.

- Introduction to Securing a Windows 2000 Network
- Windows 2000 Security Policies
- Implementing Security Policies
- Implementing an Audit Policy
- Recovering Encrypted Files
- Best Practices

Microsoft® Windows® 2000 provides policies and utilities to monitor security settings for computers throughout a network, a set of templates to create and deploy standard security settings throughout an enterprise, and an auditing function for determining how resources are accessed. Windows 2000 also provides administrators with the ability to recover Encrypting File System (EFS) encrypted files, enabling the management of user encrypted files.

At the end of this module, you will be able to:
- Identify the purpose of securing a Windows 2000 network.
- Identify the Windows 2000 security policies.
- Implement security policies by using Security Templates, Security Configuration and Analysis, and Group Policy.
- Plan and implement an Audit policy.
- Recover encrypted files.
- Apply best practices for implementing security in a Windows 2000 network.

Introduction to Securing a Windows 2000 Network

Slide Objective:
To identify the purpose of securing a Windows 2000 network.
Lead-in: A secure network provides users with all of the information and resources that they need and protects the information and resources from damage and unauthorized access.
Ask students how they secure their networks.
Key Points: Use Group Policy to establish and enforce security policies for network computers. Use Audit policy to monitor various security-related events in Windows 2000. Only administrators are able to recover an encrypted file if users lose their keys.

Implementing Security in a Network:
- Confirms the identity of users attempting to gain access to resources
- Protects against inappropriate access to specific resources

To Secure a Network:
- Use Group Policy to establish and enforce security policies
- Use Audit policy to monitor various security-related events in Windows 2000
- Use EFS to encrypt files so that only the persons who encrypted the files and administrators can access them

To implement a secure network, you need to create a network that provides users with all of the information and resources that they need, while protecting the information and resources from damage and unauthorized access.

Implementing security in a network provides the following benefits:
- Confirms the identity of users attempting to gain access to resources. This prevents unauthorized users from accessing, stealing, or damaging system resources, such as sensitive data or mission-critical applications.
- Protects against inappropriate access to specific resources, for example, ensuring that only corporate management personnel can gain access to employee payroll information.

When implementing security in a Windows 2000 network, you can use the following methods for securing a network:
- Group Policy
  Use Group Policy to establish and enforce security policies for network computers by ensuring that settings are applied consistently over the network and that they can be centrally managed.
- Audit policy
  Use Audit policy to monitor various security-related events in Windows 2000. Monitoring security events is necessary to detect intruders and attempts to compromise data on the system.
- Encrypting File System
  Use EFS to encrypt files so that only the user who encrypted the file and administrators are able to access it, regardless of the NTFS file system permissions assigned.

Windows 2000 Security Policies

Slide Objective: To identify the different types of security policies in Windows 2000.
Lead-in: You can use security policies to establish and enforce security on your network.

Account policies      Configure password and account policies
Local policies        Configure auditing, user rights, and security options
Event log             Configures settings for application logs, system logs, and security logs
Restricted group      Configures group memberships for security sensitive groups
System services       Configure security and startup settings for services running on a computer
Registry              Configures security on registry keys
File system           Configures security on specific file paths
Public key policies   Configure encrypted data recovery agents, domain roots, trusted certificate authorities, and so on
IPSec policies        Configure IP security on a network

Delivery Tip: Show students the security settings that can be
configured in Group Policy.

In Windows 2000, you can use the Security Settings extension in Group Policy to define the security settings for various local and domain security policy attributes. The following list describes the security settings that you can configure in Group Policy:
- Account policies
  Account policy settings allow you to configure password policies and account lockout policies for the domain. The account policy for a domain defines the password history, the lifetime of account lockouts, and more. These policies are effective only when they are applied at the domain level.
- Local policies
  Local policy settings allow you to control settings that affect individual computers rather than domain-specific settings. Local policies include auditing policies, the assignment of user rights and privileges, and other security options that are applied to and affect the local computer.
- Event log
  Event log settings allow you to configure the size, access, and retention parameters for application logs, system logs, and security logs.
- Restricted group
  Restricted group settings allow you to manage the membership of selected groups as part of security policy. Restricted group policies also track and control reverse membership of each restricted group.
- System services
  System services settings allow you to configure security and startup settings for services running on a Windows 2000-based computer.
- Registry
  The registry settings allow you to configure security on registry keys.
- File system
  The file system settings allow you to configure security for specific local file paths on network computers. These settings set consistent NTFS permissions for static files and folders on domain computers.
- Public key policies
  The public key policy settings allow you to configure encrypted data recovery agents, domain roots, and trusted certificate authorities.
- Internet Protocol Security (IPSec) policies on Active Directory
  IPSec policies allow you to configure network Internet Protocol (IP) security options for computers on the network.

... templates and analyzing again
- Making manual changes to settings and saving the computer’s current configuration as a new template

... that you want to modify

What Is Security Configuration and Analysis?

Security Configuration and Analysis is a utility...
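Added example (not part of the Microsoft courseware): most of the security settings areas listed above are stored as named sections of a security template (.inf) file, so comparing a baseline template with a computer's saved configuration, as Security Configuration and Analysis does, amounts to a per-section diff. The grouping of sections under the list's areas, the baseline values, and both sample templates are constructed for illustration; audit value 3 means success and failure, and the Everyone entry mirrors the Log on locally assignment made by the lab setup.

```python
import configparser

# Template (.inf) section name -> policy area named in the list above.
AREA_OF_SECTION = {
    "System Access": "Account policies", "Kerberos Policy": "Account policies",
    "Event Audit": "Local policies", "Privilege Rights": "Local policies",
    "Registry Values": "Local policies", "Application Log": "Event log",
    "System Log": "Event log", "Security Log": "Event log",
    "Group Membership": "Restricted group",
    "Service General Setting": "System services",
    "Registry Keys": "Registry", "File Security": "File system",
}

def load_template(text):
    """Parse security template (.inf) text into {section: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def normalize(section, value):
    """User-rights values are unordered SID lists; others compare literally."""
    items = [v.strip() for v in (value or "").split(",")]
    return frozenset(items) if section == "Privilege Rights" else ",".join(items)

def analyze(baseline_text, computer_text):
    """List (area, section, setting, expected, actual) for each mismatch."""
    baseline, computer = load_template(baseline_text), load_template(computer_text)
    findings = []
    for section, settings in baseline.items():
        area = AREA_OF_SECTION.get(section)
        if area is None:  # [Unicode], [Version] and other non-policy sections
            continue
        for setting, expected in settings.items():
            actual = computer.get(section, {}).get(setting, "<not defined>")
            if normalize(section, actual) != normalize(section, expected):
                findings.append((area, section, setting, expected, actual))
    return findings

# Constructed sample data; S-1-1-0 is Everyone, S-1-5-32-544 is Administrators.
BASELINE_INF = """[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
"""
COMPUTER_INF = """[System Access]
MinimumPasswordLength = 0
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeInteractiveLogonRight = *S-1-1-0,*S-1-5-32-544
"""
print(*analyze(BASELINE_INF, COMPUTER_INF), sep="\n")
```

A setting that the baseline defines but the computer's configuration omits is reported as `<not defined>` instead of being skipped, so a missing audit category shows up as a finding.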

Date posted: 22/10/2013, 16:15
