Security Configuration, Management, and Troubleshooting

Windows XP is equipped with tools and programs that protect the privacy and security of your data and help you get peak performance from your computer. In this article, you will learn how to configure and manage the different types of security policies on your computer to protect it from unauthorized access and to secure files and folders.

Local Security Policy

The policy configured on and for a local computer is called a local security policy. Local security policies can be divided into the following categories:

  • Audit policies
  • User Rights Assignment
  • Security options
Local security policies define who can log on to a local computer and what the logged-on users can do. They are generally configured for computers in workgroups and for computers shared by several users. They can also be applied to computers in a domain, but in that case they are overridden by any site, domain, or organizational unit policies that have been applied.

If you use local group policy settings initially and then make the computer a member of a domain that has group policy settings implemented, the local group policy settings are processed first and domain-based group policy settings are processed next. If there is a conflict between the settings, the domain group policy settings prevail. However, if a computer subsequently leaves the domain, the local group policy settings re-apply. A user can set local security policies from the Local Security Policy administrative tool located in Control Panel.

Exam Alert

The chief objective of a security policy is to identify intrusive activities at the time they are occurring or soon after. A security policy is a set of rules, associated with a set of permissions, that reduces the risk to information resources from accidental or deliberate actions. The default security policy is suitable for most situations; however, administrators can customize or modify the security policy of their organizations. Auditing is used to track user accounts for file and object access, logon attempts, system shutdown, and so on, which enhances the security of the network. Before enabling auditing, specify the types of events to be audited in the Audit Policy in User Manager for Domains.

Audit Policy: An audit is intended to ensure integrity, confidentiality and availability of information and resources. An audit policy defines the type of security events that will be logged for the servers in a domain or for an individual computer.

Before planning an audit policy, first determine what you want to audit, and on which computer you want to set up an audit policy. You can audit success of events, failure of events, or both.

Take the following steps to activate security auditing for failed logon attempts:

  1. Click Start > Run, type mmc, and click OK to open the Microsoft Management Console.
  2. In the Console Root window, click File > Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, click the Add button.
  4. In the Add Standalone Snap-in dialog box, select Group Policy Object Editor in the Available Standalone Snap-ins section, and click the Add button.
  5. On the Welcome to the Group Policy Wizard page, specify the Group Policy Object, and click the Finish button.
  6. In the Add/Remove Snap-in dialog box, click the OK button.
  7. In the Console Root window, expand Local Computer Policy, expand Computer Configuration, expand Security Settings, expand Local Policies, and click Audit Policy. In the details pane, double-click Audit logon events.
  8. In the Audit logon events Properties dialog box, select the Failure check box under Audit these attempts, and click the OK button.


An Audit policy defines the type of security events that will be logged for the servers of a domain or for an individual computer. When you are planning an audit policy, you must determine the computer and also the events to audit on each computer. An audit policy is a part of a Group Policy object (GPO). The Group Policy snap-in is used to enable the Audit object access setting in an audit policy. For different roles of computers, a baseline audit policy is configured. A baseline audit policy is the minimum auditing that you have to perform on a computer.

Note: If you keep critical files on your server and want to track unauthorized access to them, you can configure SACLs (system access control lists) on those files so that unauthorized access attempts are audited.

Group policy: Group policies specify how programs, network resources, and the operating system behave for users and computers in an organization. They are collections of user and computer configuration settings that are applied to users and computers (not to groups). For easier administration of group policies in the Windows environment, Group Policy objects (GPOs) are used.

Note: GPRESULT.EXE is a command line tool used to display information about the cumulative effects that the GPOs have on computers and users.

Group Policy object (GPO): The Group Policy object is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. The GPOs affect the user and computer accounts located in sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support two types of GPOs: local and non-local (Active Directory-based) GPOs.

Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. Each Windows 2000/2003 server stores one local GPO, which affects only the computer on which it is stored. By default, only the Security Settings nodes are configured; the remaining settings are either disabled or not configured. The local GPO is stored in the %systemroot%\System32\GroupPolicy folder.

Multiple GPOs

When multiple Group Policy objects are assigned, they are applied in the following order:

  • The local Group Policy object is applied first.
  • Then, the Group Policy objects linked to sites are applied.
  • If multiple GPOs exist for a site, they are applied in the order specified by an administrator.
  • The GPOs linked to the domains are applied in the specified order.
  • Finally, the GPOs linked to OUs are applied.
  • The OU group policy objects are set from the largest to the smallest organizational unit, i.e., first the parent OU and then the child OUs. By default, a policy applied later overrides the policy that was applied earlier. Hence, the settings in a child OU can override the settings in the parent OU.
When a user logs on, the computer policy is processed at startup, followed by the user policy. Although the computer policy is applied before the user policy, if the user and the computer policy settings specify different behaviors, the computer policy prevails.

Windows XP Professional provides the following two options for changing the default processing:

No Override: This option prevents child containers from overriding the settings in a higher-level GPO. It is useful for enforcing a group policy that represents company-wide business rules. The No Override option is set on a per-GPO basis, and you can set it on one or more GPOs as required. When more than one GPO has No Override set, the one highest in the Active Directory hierarchy takes precedence.

Block Inheritance: This option is used to allow a child container to block policy inheritance from the parent container. This option is useful when an OU requires unique group policy settings. The Block Inheritance option applies to all the GPOs from the parent container. In case of a conflict, the No Override option always takes precedence over the Block Inheritance option.
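To make the processing order and the two override options concrete, the following Python model (an added illustration, not Windows code and not part of the original article) resolves the effective settings for a computer from its local, site, domain and OU GPOs. All container, GPO and setting names in it are constructed; the assumption that Block Inheritance never removes the local GPO is marked in the code.

```python
"""Model of Group Policy precedence (local, site, domain, OU parent to child)
with No Override and Block Inheritance. Added illustration, not Windows code;
all container, GPO and setting names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    no_override: bool = False  # "No Override" set on this GPO

@dataclass
class Container:
    name: str
    gpos: List[GPO] = field(default_factory=list)  # administrator's link order
    block_inheritance: bool = False  # "Block Inheritance" set on this container

def applied_gpos(chain: List[Container]) -> List[Tuple[int, GPO]]:
    """Return (level, GPO) pairs in processing order. chain[0] is the local
    computer, followed by the site, the domain and the OU path, parent first."""
    applied: List[Tuple[int, GPO]] = []
    for level, container in enumerate(chain):
        if container.block_inheritance:
            # Drop GPOs inherited from higher containers unless they are No
            # Override. Assumption: the local GPO (level 0) is never blocked.
            applied = [(lv, g) for lv, g in applied if lv == 0 or g.no_override]
        applied.extend((level, g) for g in container.gpos)
    return applied

def effective_settings(chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    """Resolve conflicts into {setting: (value, winning GPO)}. A later GPO
    overrides an earlier one; No Override GPOs beat everything applied after
    them, and among conflicting No Override GPOs the highest in the
    hierarchy wins."""
    ordered = applied_gpos(chain)
    effective: Dict[str, Tuple[str, str]] = {}
    for _, gpo in ordered:
        if not gpo.no_override:
            for key, value in gpo.settings.items():
                effective[key] = (value, gpo.name)
    # Re-apply No Override GPOs last, lowest level first, so the highest wins.
    for _, gpo in reversed([p for p in ordered if p[1].no_override]):
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name)
    return effective

def sample_chain() -> List[Container]:
    """Constructed hierarchy: local -> site HQ -> domain -> OU Sales -> OU East."""
    return [
        Container("Local", [GPO("Local", {"Audit logon events": "No auditing"})]),
        Container("HQ-Site", [GPO("HQ-Site", {"Screen saver timeout": "600"})]),
        Container("corp.example", [GPO("Corp-Baseline",
            {"Minimum password length": "8", "Audit logon events": "Failure"},
            no_override=True)]),
        Container("Sales", [GPO("Sales-Desktop",
            {"Minimum password length": "6",
             "Audit logon events": "Success, Failure"})],
            block_inheritance=True),
        Container("East", [GPO("East-Desktop", {"Screen saver timeout": "300"})]),
    ]

if __name__ == "__main__":
    for setting, (value, winner) in sorted(effective_settings(sample_chain()).items()):
        print(f"{setting}: {value}  (from {winner})")
```

In the constructed chain, Block Inheritance on Sales discards the site GPO, while the domain GPO survives it and, because it has No Override, also beats the later Sales-Desktop settings.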

Function of the Delegation of Control Wizard

The Delegation of Control Wizard enables administrators to delegate to other administrators the permissions they need on specific Active Directory objects.

A user can join a computer to a domain if he has the Create Computer Objects privilege for the Computers container in Active Directory. There is no limit to the number of computers the user can add to the domain. No other privilege is required for it.

Encrypting File System

Encrypting File System (EFS) is used to encrypt sensitive data in files stored on disks that use the NTFS file system. EFS is easy to manage, difficult to hack, and transparent to the file owner and to applications because it runs as an integrated system service. Only the owner of a protected file can open the file and work on it. No administrative effort is required to use EFS, and most of its operations are transparent. You can also disable EFS by configuring the EFS recovery policy. EFS is designed to protect the privacy of sensitive data; besides the owner of the file, only a designated recovery agent can decrypt an encrypted file.

To encrypt a file or folder, open Windows Explorer and right-click the files or folders that you want to encrypt. On the General tab of the Properties dialog box, click the Advanced button, and then select the Encrypt contents to secure data check box. Compressed files and folders cannot be encrypted. If you encrypt a folder, all the files and subfolders in it are encrypted.

EFS can be implemented from Windows Explorer or from the command prompt.

To encrypt a file or folder on a remote computer, the procedure is the same as above, except that when you encrypt from Windows Explorer you first go to the Tools menu, click Map Network Drive, and follow the instructions there. In a domain environment, however, remote encryption is not enabled by default; consult your network administrator.

Note: Encrypted files cannot exist on FAT file systems. Backing up files to a FAT32 volume or copying them to a floppy disk therefore leaves them unprotected.



Using EFS is similar to setting permissions on files and folders: you set the encryption property of a file or folder just as you set attributes such as read-only, compressed, or hidden. EFS protects files against intruders who gain physical access to the disk. Moving unencrypted files into an encrypted folder automatically encrypts them.

Note: You can encrypt files and folders only on NTFS file system volumes.

You can set policies to recover EFS-encrypted data under the Windows XP Professional security policy. If the owner's private key is unavailable, a recovery agent opens the encrypted file with his own private key. There can be more than one recovery agent, each with a different public key. A recovery agent recovers encrypted files when the associated private key is lost. On a stand-alone computer, the default recovery agent is the administrator. In a domain, the domain administrator is issued the encryption certificate and is considered the default recovery agent.

Certification Authority (CA): A Certification Authority in a network is an entity that manages security credentials and public keys for message encryption. It issues certificates that confirm the identity and other attributes of the certificate holder to other entities. Depending on the public key infrastructure implementation, a certificate includes the owner's name, the owner's public key, information about the public key owner, and the expiry date of the certificate.

Decrypting: When you want to make a file sharable across the network, you need to decrypt the file. Once you decrypt the files or folders, they remain in that state until you select the Encrypt contents to secure data check box.

Windows XP Professional includes the CIPHER command that enables encryption or decryption of files and folders from the command prompt. You can use the CIPHER command in your script to encrypt multiple files and folders at a time.

CIPHER [/e | /d] [/s:folder_name] [/a] [/i] [/f] [/q] [/h] [/k] [file_name [...]]

Switch      Description
/e          Encrypts the specified folders. All files added to the folder afterwards are automatically encrypted.
/d          Decrypts the specified folders. All files added to the folder afterwards are automatically decrypted.
/a          Performs the specified operation on files as well as folders.
/h          Displays hidden files and files with the System attribute, which are not shown by default.
file_name   Specifies a file pattern, file, or folder.


Note: Files marked with the System attribute and those in the systemroot directory structure cannot be encrypted.

Systemroot: Systemroot is the path and folder name where the Windows system files are located. Typically, the path is C:\Windows, but when you install Windows XP Professional you can designate a different drive and folder name.

If you encrypt or decrypt files or folders over a network, the data transmitted by this process is not itself encrypted. To protect it in transit, a protocol such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), or Internet Protocol Security (IPsec) must be used.

To install the IP Security Policy Management snap-in:

  1. Click Start > Run.
  2. Type mmc in the Open box, and then click the OK button.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Add, double-click IP Security Policy Management, and then follow the instructions on your screen.

Security Configuration and Analysis reviews and analyzes your system security settings and recommends modifications to the current system settings.

Predefined Security Templates

Predefined security templates are used to create security policies for a network or computer. These templates can be used to configure an individual computer or a group of computers. By default, the predefined security templates are stored in the %systemroot%\Security\Templates folder.

The following predefined templates are available with the Windows XP and Windows Server 2003 operating systems to help administrators secure a network or computers based on the needs of their organizations:

  • Default security (SETUP SECURITY.INF)
  • Compatible (COMPATWS.INF)
  • Secure (SECURE*.INF)
  • Highly Secure (HISEC*.INF)
  • System root security (ROOTSEC.INF)
  • No Terminal Server user SID (NOTSSID.INF)
Consider a scenario in which users complain that they cannot use the Reports application on their Windows XP Professional computers. The cause is that the default level of security prevents applications that have not been certified for Windows XP from running. To let the application run, you have to relax the default security settings: add the computer accounts to the XPPro OU and import the COMPATWS.INF security template into the Legacy GPO. The Compatible template (COMPATWS.INF) relaxes the default file and registry permissions granted to users so that non-certified applications can run.

Administrators can apply a template to an individual computer with the Security Configuration and Analysis snap-in, with the SECEDIT.EXE command-line tool, or by importing the template into the local security policy.

The Add workstations to domain user right allows a user to add a workstation to a domain. It allows the workstation to recognize the user and global group accounts of a domain and trusted domains.

Administrators Group

The Administrators group is a built-in local group provided by the Windows XP operating system. It is the least restrictive group among all the available built-in groups. The members of the Administrators group can perform all the tasks that can be performed by the members of any other group. Besides, members of the Administrators group can also perform the following tasks:

  1. Take ownership of files and folders.
  2. Back up and restore system data.
  3. Audit the network and manage logs.
  4. Perform system repairs such as installing device drivers and system services.
  5. Perform upgrades.
  6. Install service packs and Windows updates.
  7. Set local policies.
Event Viewer: Event Viewer maintains logs about programs, security, and system events on your computer. Event Viewer is an administrative utility that displays the event logs of a computer running Windows NT. You can manage event logs and monitor Windows security events. Event Viewer displays the following categories of events:

  • Error: These events show significant issues, such as loss of data or loss of functionality.
  • Warning: These events are not necessarily significant but indicate possible issues.
  • Information: These events describe the successful operation of an application, driver, or service. Information includes the date and time of the event, the source (the Windows component in this case) of the event, the 'category', an event number, the user account in use when the event was logged, and the computer name.
  • Success Audit: These events show successful audited security access attempts.
  • Failure Audit: These events show failed audited security access attempts.
You can open Event Viewer from Control Panel.

Event Viewer displays all events by default. You can narrow the display to selected events with the Filter command, and search for specific events with the Find command.

Application Logs: The application log contains events recorded by applications or programs. For example, a database program records a file error in the application log. Application developers decide which events their programs record. These entries help with debugging, tracking, and remote troubleshooting.

Security Logs: The entries in the security log depend on the audit policy settings. The security log has a maximum size, which is set in Event Viewer. In it you can check for security events on your computer, such as unauthorized users logging on, access to important files, failed logon attempts, changes to your computer's security policy, and more.

System Logs: The system log is used to store events logged by the Windows NT/2000 system components. For example, events such as driver failure during startup are recorded in the system log. The event types logged by system components are predetermined by the Windows NT/2000 operating system.

Security Configuration Manager Tool

The Security Configuration Manager Tool can be used to configure security settings. Security settings are rules that are configured on a computer or multiple computers for protecting resources on the computer or network.

Security Area        Description
Account Policies     Password Policy, Account Lockout Policy, and Kerberos Policy
Local Policies       Audit Policy, User Rights Assignment, and Security Options
Event Log            Application, System, and Security event log settings
Restricted Groups    Membership of security-sensitive groups
System Services      Startup mode and permissions for system services
Registry             Permissions on registry keys


Windows XP Professional provides the following ways to configure and troubleshoot your computer security policy:

Stored User Names and Passwords: You supply a user name and password when you log on to a computer or connect to a network. These credentials are needed at logon time, but they do not give you access to every resource you may need. Stored User Names and Passwords, a feature of Windows XP Professional, lets you access different resources with different user names and passwords; Windows XP Professional stores these credentials for those resources as part of your profile.

For instance, Stored User Names and Passwords allows users to connect to different Web servers using the supplied user names and passwords and store these for future reuse.

When you are away from your computer, you can lock it by pressing CTRL+ALT+DEL, or set up a password-protected screen saver so that others cannot use it.

By using the General tab option in the Internet Properties dialog box, you can delete all the cookies and temporary Internet files stored on your computer.

Cookies: A cookie is a small bit of text that accompanies requests and pages as they move between Web servers and browsers. It contains information that is read by a Web application. Cookies are stored in the memory of client computers. Whenever a user visits a site, the Web site stores information, such as user preferences and settings in a cookie. This information helps in providing customized services to users. There is absolutely no way a Web server can access any private information about a user or his computer through cookies, unless the user himself provides the information. A Web server cannot access cookies created by other Web servers.

Third-party cookies: Cookies that originate from the domains other than the Web site being visited are known as third-party cookies. A Web site's privacy policy does not cover third-party cookies. Hence, they are a threat to security.

By using the Security tab of the Internet Properties dialog box, you can assign Web sites to zones and customize the security settings for each zone. You can maintain a history of events for security purposes; archived logs keep a record of security-related information.

Account Lockout Policy locks out an account under the conditions you specify and so prevents unauthorized users from accessing your computer.

Account Lockout policy locks out a user after a specified number of failed logon attempts. It prevents potential intruders from repeatedly trying different passwords to guess the correct password for accessing a user account.

The following are the policies under Account Lockout:
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after
The Account lockout threshold setting determines the number of failed logon attempts that cause a user account to be locked out.

The Account lockout duration setting determines the number of minutes a locked-out account remains locked before it is automatically unlocked. The available range is from 0 to 99,999 minutes. If you set the account lockout duration to 0, the account remains locked until an administrator explicitly unlocks it.
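The interaction of the three settings is easiest to see by replaying a stream of logon attempts against them. The following Python model is an added illustration, not Windows code or part of the original article; the policy values and the logon events in it are constructed.

```python
"""Model of the Windows Account Lockout Policy (threshold, duration, reset
window). Added illustration, not Windows code; policy and events are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class LockoutPolicy:
    threshold: int        # failed attempts before lockout; 0 = never lock out
    duration_min: int     # minutes locked; 0 = locked until an administrator unlocks
    reset_after_min: int  # minutes of quiet after which the failure counter resets

@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[int] = None  # minute of the most recent failed attempt
    locked_since: Optional[int] = None  # minute the lockout began, if locked

class LockoutEngine:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def admin_unlock(self, user: str) -> None:
        """Explicit unlock by an administrator; also clears the failure counter."""
        self.accounts[user] = AccountState()

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        if st.locked_since is None:
            return False
        if self.policy.duration_min == 0:
            return True  # duration 0: stays locked until admin_unlock is called
        if now - st.locked_since >= self.policy.duration_min:
            self.admin_unlock(user)  # duration elapsed: automatic unlock
            return False
        return True

    def attempt(self, user: str, now: int, password_ok: bool) -> str:
        """One logon attempt at minute `now`: returns OK, BAD_PASSWORD or
        LOCKED_OUT. A locked account refuses even the correct password."""
        if self.is_locked(user, now):
            return "LOCKED_OUT"
        st = self._state(user)
        if password_ok:
            st.failures, st.last_failure = 0, None
            return "OK"
        # A failure older than the reset window no longer counts.
        if (st.last_failure is not None
                and now - st.last_failure >= self.policy.reset_after_min):
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if self.policy.threshold and st.failures >= self.policy.threshold:
            st.locked_since = now  # this attempt crosses the threshold
        return "BAD_PASSWORD"

# Constructed policy: lock after 3 failures for 30 minutes; counter resets after 30.
POLICY = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=30)
# Constructed events: (minute, user, password correct?)
EVENTS: List[Tuple[int, str, bool]] = [
    (0, "alice", False), (0, "bob", False), (1, "alice", False),
    (2, "alice", False),  # alice's third failure: account locked
    (3, "alice", True),   # correct password, but still locked
    (40, "alice", True),  # 30-minute duration has elapsed: accepted
    (45, "bob", False),   # bob's earlier failure has aged out of the window
    (46, "bob", True),
]

def run_events(policy: LockoutPolicy, events) -> List[Tuple[int, str, str]]:
    engine = LockoutEngine(policy)
    return [(t, u, engine.attempt(u, t, ok)) for t, u, ok in events]
```

Calling run_events(POLICY, EVENTS) shows alice refused at minute 3 despite a correct password and accepted at minute 40, while bob's two failures 45 minutes apart never add up to a lockout.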

The Number of previous logons to cache policy enables Windows XP Professional to cache a specified number of previous logons. If a user's logon has been cached, he can log on to the computer even when the domain controller is not available.

Note: Setting the Number of previous logons to cache policy to 0 will prevent users from accessing their computers without being authenticated by the domain controller.

In this article, you have looked at many different security control methods. It explained how to track user activities and system events through log files, and how to improve the security of your computer by using Windows XP Professional Group Policy, audit policy, security logs, and Event Viewer.



