A Windows 2000 or Windows XP system configured with the Default security template, or never configured with any security modifications, sends both LAN Manager (LM) and NTLM responses; Windows Server 2003 raises the default for this setting to Send NTLM response only. Workstations generally leave the setting Not Defined, so the operating-system default applies. Implementing security templates changes the LAN Manager and NTLM authentication behavior of the systems they are applied to: the security settings determine which authentication protocol clients use for network logons, the level of session security they negotiate, and the level of authentication servers accept. The client-side value controls which responses a client sends; the server-side value controls which responses a server accepts, so both ends must be considered when the level is raised. Figure 4.2 shows the options available through the Network security: LAN Manager authentication level security configuration setting.

The Network security: LDAP client signing requirements security setting establishes the degree of data signing used in LDAP BIND requests. Digital signing is a method used to validate data integrity: a session key shared by client and server is used to compute a hash (the signature) over the actual data, and the receiver recomputes it. If the data is modified in any way, the hash will not match. This ensures that data received by a client is the actual data sent by the server. Signing protects integrity only; it does not hide the contents of LDAP traffic. The default setting is Negotiate signing. The three levels of LDAP client signing are:

■ None  Options are specified by the caller.

■ Negotiate signing  If Transport Layer Security/Secure Sockets Layer (TLS/SSL) is not being used, LDAP BIND requests occur with the LDAP data signing option set along with the options specified by the caller. If TLS/SSL is used, the LDAP BIND requests occur with the options that are specified by the caller. This is the default.

■ Require signature  If the client and server configurations do not match in this case (the server does not indicate that it will sign LDAP traffic), the client receives an LDAP BIND request failed error and is unable to connect to the server.
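The settings discussed in this section are stored as registry values under the LSA and LDAP service keys, which is where you check what a system actually enforces rather than what the template intended. The following PowerShell script is an added example, not from the book; it reads and decodes the LAN Manager authentication level (LmCompatibilityLevel) and the LDAP client signing level (LDAPClientIntegrity) described above, and also the two NTLM minimum session security bit masks (NtlmMinClientSec and NtlmMinServerSec) that the next two settings control. The value names and bit positions are the documented ones; the function and variable names are the example's own.

```powershell
# Added example (not from the book): decode the registry values behind the
# "Network security" settings. Run in an elevated PowerShell prompt on the
# server or workstation you want to audit.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ldapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

# Return a registry value, or $null when it is not set (the OS default then applies).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# LmCompatibilityLevel 0-5 maps to the six choices in the
# "Network security: LAN Manager authentication level" drop-down.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

# LDAPClientIntegrity: 0 = None, 1 = Negotiate signing, 2 = Require signature
$ldapLevels = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signature' }

# NtlmMinClientSec / NtlmMinServerSec are bit masks of NTLMSSP negotiate flags.
$ntlmFlags = [ordered]@{
    'Require message integrity'       = 0x00000010   # NTLMSSP_NEGOTIATE_SIGN
    'Require message confidentiality' = 0x00000020   # NTLMSSP_NEGOTIATE_SEAL
    'Require NTLMv2 session security' = 0x00080000   # extended session security
    'Require 128-bit encryption'      = 0x20000000   # NTLMSSP_NEGOTIATE_128
}

# Translate a mask into the list of requirements it enforces.
function ConvertTo-NtlmRequirementList {
    param([Nullable[int]]$Mask)
    if ($null -eq $Mask) { return @() }
    $ntlmFlags.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-NetworkSecuritySettings {
    $lm   = Get-RegValue $lsaKey  'LmCompatibilityLevel'
    $sign = Get-RegValue $ldapKey 'LDAPClientIntegrity'
    $cli  = Get-RegValue $lsaKey  'NtlmMinClientSec'
    $srv  = Get-RegValue $lsaKey  'NtlmMinServerSec'
    [pscustomobject]@{
        LanManagerAuthLevel = if ($null -ne $lm)   { "$lm - $($lmLevels[[int]$lm])" }
                              else                  { 'Not defined (OS default applies)' }
        LdapClientSigning   = if ($null -ne $sign) { $ldapLevels[[int]$sign] }
                              else                  { 'Not defined (default: Negotiate signing)' }
        NtlmMinClientSec    = (ConvertTo-NtlmRequirementList $cli) -join ', '
        NtlmMinServerSec    = (ConvertTo-NtlmRequirementList $srv) -join ', '
    }
}

Get-NetworkSecuritySettings | Format-List
```

Run it on a client and on the server it talks to and read the two results together: a client at level 0 or 1 can still fall back to LM when a server at level 5 refuses it, and a server that requires 128-bit encryption or NTLMv2 session security will reject clients whose NtlmMinClientSec does not negotiate them. An empty requirement list means the value is the default of no requirements.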
The Network security: Minimum session security for NTLM SSP-based (including secure RPC) clients security setting lets you require message confidentiality, message integrity, 128-bit encryption, and NTLMv2 session security for client connections. In the default configuration, no options are set. The following options are available:

86 Chapter 4 • Security Templates and Software Updates
301_BD_w2k3_04.qxd 5/12/04 10:57 AM Page 86

Figure 4.2 Setting the Network Security: LAN Manager Authentication Level Options

■ Require message integrity  Message integrity must be negotiated to continue the connection. Message integrity is verified through message signing. The signature ensures that the message has not been tampered with.

■ Require message confidentiality  Encryption must be negotiated to continue the connection. Encryption converts data into an unreadable format until decrypted.

■ Require NTLMv2 session security  NTLMv2 session security (the NTLM SSP extended session security mechanism, which is separate from sending NTLMv2 authentication responses) must be negotiated or the connection will fail.

■ Require 128-bit encryption  Without negotiating strong (128-bit) encryption, the connection will fail.

Figure 4.3 demonstrates the available options for the Network security: Minimum session security for NTLM SSP-based (including secure RPC) clients configuration.

The Network security: Minimum session security for NTLM SSP-based (including secure RPC) servers security setting lets you require message confidentiality, message integrity, 128-bit encryption, and NTLMv2 session security for server connections. By default, no requirements are set. The following options (the same as those available for clients) are available:

■ Require message integrity  Message integrity must be negotiated to continue the connection. Message integrity is verified through message signing. The signature ensures the message has not been tampered with.

■ Require message confidentiality  Encryption must be negotiated to continue the connection. Encryption converts data into an unreadable format until decrypted.

■ Require NTLMv2 session security  NTLMv2 session security must be negotiated or the connection will fail.

Figure 4.3 Setting Minimum Session Security for NTLM SSP-based (Including Secure RPC) Clients

■ Require 128-bit encryption  Without negotiating strong (128-bit) encryption, the connection will fail.

Figure 4.4 illustrates the available options for the Network security: Minimum session security for NTLM SSP-based (including secure RPC) servers configuration. Because these are minimums that both sides must satisfy, raising them on a server without raising them on every client that authenticates to it breaks those clients' connections.

As mentioned previously, Microsoft provides several security templates to simplify basic security configurations to match common scenarios. In the next section, you will see how a predefined security template can be used to compare existing system security settings with the settings provided by the template.

Analyzing Baseline Security

In most types of analysis, the first step is to determine a baseline. If you want to measure network performance and determine how much difference certain modifications make, you have to start from a baseline or existing performance level. This approach also applies to security. If we want to tighten security on our network or on an individual system, we should first determine the baseline.

Using the Microsoft Security Configuration and Analysis management console, you can compare existing security settings to one of the predefined templates or to a custom template. The baseline analysis is conducted through the following steps:

1. A baseline storage location is determined by creating a database file where the configuration information and comparison information will be saved.

2. A template is selected to compare the current configuration against.

3. To finish the analysis, you run an analysis between the selected template and the current configuration.

4.
The analysis will display different icons depending on the comparison results. Table 4.2 displays the possible results from a security analysis.

Figure 4.4 Setting Minimum Session Security for NTLM SSP-based (Including Secure RPC) Servers

Table 4.2 Possible Security Analysis Results

Visual flag          Meaning
Red X                The entry is defined in the analysis database and on the system, but the security setting values do not match.
Green check          The entry is defined in the analysis database and on the system, and the setting values match.
Question mark        The entry is not defined in the analysis database and, therefore, was not analyzed.
(No flag)            The entry was not analyzed. Either it was not defined in the analysis database, or the user running the analysis does not have sufficient permission to analyze that object or area.
Exclamation point    The item is defined in the analysis database, but does not exist on the actual system.

A comparison between the securedc.inf template file and a standard domain controller is displayed in Figure 4.5. As an example, use the following steps to import and compare the hisecdc.inf security template to a standard installation of a Windows Server 2003 domain controller. The analysis only reads the current configuration; nothing is changed on the system until you deliberately apply the template.

1. We will customize a Microsoft Management Console (MMC) with the Security Configuration and Analysis snap-in. Open the MMC: click Start | Run, type MMC.exe, and click OK.

2. To add the Security Configuration and Analysis snap-in, click File | Add/Remove Snap-in… to open the Add/Remove Snap-in window shown in Figure 4.6.

Figure 4.5 Comparing the securedc.inf Template to a Standard Domain Controller

3. Click Add…, scroll down, and select the Security Configuration and Analysis snap-in as shown in Figure 4.7.

4. Click Add, then click Close to return to the Add/Remove Snap-in dialog box as shown in Figure 4.8.

Figure 4.6 Adding Snap-ins to the MMC
Figure 4.7 Adding the Security Configuration and Analysis Snap-in
Figure 4.8 The Security Configuration and Analysis Snap-in Is Added

5. Click OK to move on to the analysis stage.

6. Click Security Configuration and Analysis in the left pane of the MMC to view instructions for importing and analyzing templates, as seen in Figure 4.9.

7. Right-click the Security Configuration and Analysis node in the left pane of the MMC and select Open database….

8. Type Exercise1 in the File name box and click OK.

9. Select the hisecdc.inf security template as shown in Figure 4.10 and click Open.

10. You will be returned to the blank Security Configuration and Analysis snap-in. Right-click the Security Configuration and Analysis node in the left pane of the MMC and select Analyze Computer Now…. A Perform Analysis dialog box will be displayed requesting the Error log file path, as shown in Figure 4.11.

Figure 4.9 The MMC before Importing Templates
Figure 4.10 Selecting the hisecdc.inf Template

11. Click OK to begin the analysis. A progress screen like the one in Figure 4.12 will be displayed.

12. When the analysis is complete, you will see several new items listed below Security Configuration and Analysis in your MMC, as shown in Figure 4.13.

13. Browse through each category to see how the template will affect the configuration of your computer. Each item marked with a red X represents a discrepancy between the current setting and the template. Figure 4.14 illustrates several discrepancies between the computer configuration and the template configuration. In this particular situation each red X marks a setting where hisecdc.inf is stricter than the current configuration, so applying the template would increase security; in general a mismatch only tells you the two values differ, so review each one before you apply the template.
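The same comparison can be scripted when you need it for more than one server. The following PowerShell is an added example, not from the book: it exports the current local security settings with the real secedit /export command, parses the exported INF and a template INF (both use the [Section] / Name = Value layout of security templates), and reports each template setting as Green check, Red X or Exclamation point in the sense of Table 4.2. Function names, the database-free approach and the C:\Temp paths are the example's own; the template path is the standard location on Windows Server 2003.

```powershell
# Added example (not from the book): script the baseline comparison that the
# Security Configuration and Analysis snap-in performs interactively.

# Parse a security template / exported configuration INF into
# @{ Section = @{ Name = Value } }.
function Read-SecurityInf {
    param([Parameter(Mandatory)][string]$Path)
    $result  = @{}
    $section = $null
    foreach ($line in Get-Content -Path $Path) {      # Get-Content honours the UTF-16 BOM
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            continue
        }
        if ($section -and $t -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# SID lists in [Privilege Rights] and member lists in [Group Membership] are
# order-insensitive, so compare them as sorted sets.
function ConvertTo-NormalizedValue {
    param([string]$Value)
    return (($Value -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ',')
}

# Emit one result object per template setting, flagged as in Table 4.2.
function Compare-SecurityInf {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        [Parameter(Mandatory)][string]$CurrentPath
    )
    $template = Read-SecurityInf -Path $TemplatePath
    $current  = Read-SecurityInf -Path $CurrentPath
    foreach ($section in ($template.Keys | Sort-Object)) {
        if ($section -in 'Unicode', 'Version', 'Profile Description') { continue }
        foreach ($name in ($template[$section].Keys | Sort-Object)) {
            $want = $template[$section][$name]
            $have = $null
            if ($current.ContainsKey($section) -and $current[$section].ContainsKey($name)) {
                $have = $current[$section][$name]
            }
            $flag = if ($null -eq $have) { 'Exclamation point' }
                    elseif ((ConvertTo-NormalizedValue $have) -eq (ConvertTo-NormalizedValue $want)) { 'Green check' }
                    else { 'Red X' }
            [pscustomobject]@{ Section = $section; Setting = $name; Template = $want; Current = $have; Flag = $flag }
        }
    }
}

# Export the effective local policy (add /mergedpolicy to include domain policy),
# then compare it with the hisecdc.inf template.
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
secedit /export /cfg C:\Temp\current.inf /quiet
Compare-SecurityInf -TemplatePath "$env:windir\security\templates\hisecdc.inf" `
                    -CurrentPath  'C:\Temp\current.inf' |
    Where-Object { $_.Flag -ne 'Green check' } |
    Format-Table -AutoSize
```

Two caveats match what the snap-in shows: the export only contains settings that are defined on the system, so a template setting with no counterpart appears as Exclamation point rather than as a mismatch, and the script never writes anything back, which is the same read-only step as Analyze Computer Now. Delete C:\Temp\current.inf afterwards; an exported policy is a useful map for an attacker.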
Figure 4.11 Specifying the Error Log File Path
Figure 4.12 Analysis Progress Screen
Figure 4.13 Completed Analysis

Applying Security Templates

There are multiple methods available for applying security templates in Windows Server 2003. The following tools provide mechanisms for applying security templates:

■ Secedit.exe

■ Group Policy

■ Security Configuration and Analysis

Secedit.exe

The secedit.exe command-line tool provides a command-line interface to analyze, modify, and apply security templates. The secedit.exe command works with the following switches:

■ secedit /analyze

■ secedit /configure

■ secedit /export

■ secedit /validate

■ secedit /import

■ secedit /GenerateRollback

The syntax used to apply a security template using the secedit.exe command is:

secedit /configure /db FileName [/cfg FileName] [/overwrite] [/areas area1 area2 ...] [/log FileName] [/quiet]

The FileName attribute used with the /db switch specifies the filename of the database containing the security template to be applied. The FileName attribute used with the /cfg switch is an optional parameter specifying a security template to be imported into the database before it is applied. This option is valid only when used in conjunction with the /db switch. The /overwrite switch specifies that any information stored in the database is overwritten instead of appended to. The /areas switch specifies which areas of the template should be applied to the system. If no area is specified, all areas will be applied. The areas are the same categories discussed earlier in this chapter where we dissected the security template. Table 4.3 lists each area with a description of the configuration parameters provided.

Figure 4.14 Discrepancies in the Analysis between the Current Configuration and the Template

Table 4.3 /areas Switch Options

Area Name        Description
SECURITYPOLICY   Local policy and domain policy for the system, including account policies, audit policies, and so on
GROUP_MGMT       Restricted group settings for any groups specified in the security template
USER_RIGHTS      User logon rights and granting of privileges
REGKEYS          Security on local registry keys
FILESTORE        Security on local file storage
SERVICES         Security for all defined services

The FileName parameter used with the /log switch sets the filename and path for the log file. If this switch is not specified, the log file is stored in the default location. The /quiet switch suppresses output to the screen. Because secedit /configure changes the system immediately, generate a rollback template with secedit /GenerateRollback first, and apply to a test system before production.

Group Policy

Group Policy provides several configuration options for systems within your enterprise environment. You can install software packages, configure desktop options, configure Internet Explorer settings, and configure security settings, just to name a few. Group Policy settings are applied through Active Directory Users and Computers for domains and organizational units, and through Active Directory Sites and Services for sites within your enterprise. Group Policy is discussed in more detail in "Working with Group Policy in an Active Directory Environment" as well as in "Deploying Software via Group Policy." The security settings within Group Policy are identical to the configuration options in the Security Configuration and Analysis management console.

When Group Policy is used, policy from each level is applied cumulatively. The order of application is:

■ local

■ site

■ domain

■ organizational unit

First, locally configured security policies are applied to the system. Next, if a site-based security policy is configured, it will be applied on top of the local policy; for any setting both policies define, the site value overwrites the local one. The domain policy is applied next, again overwriting previously applied policies. Finally, the organizational unit policy is applied. This policy also overwrites any previously written policies. If multiple (nested) organizational units hold the user or computer account, the organizational unit nearest to the user or computer account is applied last. This means that the nearest organizational unit-based policy will be the final policy applied and, consequently, the settings from that policy will be the last ones written to the cumulative security settings. Settings that only an earlier policy defines are not cleared by a later one; they remain in effect.

Security Configuration and Analysis

The Security Configuration and Analysis management console applies local security policy to your system. As discussed in the previous section, the security settings applied by this type of policy are overwritten by site, domain, and organizational unit-based policies applied through Group Policy, so a local template cannot be relied on to enforce a setting that a domain policy also defines. The advantage of the Security Configuration and Analysis tool is that it provides analysis capabilities to determine the cumulative effects of new policies. You can run the analysis portion of the Security Configuration and Analysis utility to determine what portion of your settings will change by applying a new template, or to see where a template might not provide additional benefits to your configuration.

Software Updates

Information technology is a dynamic industry with constant change. Currently, security and cost of ownership are two of the hottest topics in IT. Maintaining a secure, consistent environment requires keeping up-to-date on security patches and hotfixes. As new vulnerabilities are discovered and new services are implemented, the onus is on the IT department to keep systems up-to-date and secure. Most people are now familiar with Windows Update.
Using Windows Update, your computer polls Microsoft servers to determine whether your system is up-to-date with hotfixes and security patches. This process simplifies administration but creates a couple of other dilemmas. Running Windows Update in a large network environment poses a number of questions:

■ How do you provide consistency?

■ How do you ensure that all systems are being updated?

■ How do you make sure that the update will not cause problems with a software package installed on your client systems?

■ What about the bandwidth consumed by all of your clients connecting over your expensive WAN links to retrieve the same information over and over again?

There must be a better way to keep clients consistently updated. Enter Software Update Services.

Software Update Services (SUS) provides a centralized, LAN-based counterpart to the Windows Update service. Using SUS, clients connect to a server within your network infrastructure to receive updates. This allows you to centrally control which updates are deployed and which updates are not deployed. In this manner, you are able to test updates before deploying them to clients. This process provides greater control over software updates for your clients while also cutting down on WAN traffic. Your SUS server connects to Microsoft's servers to keep up-to-date with current security patches and hotfixes. Now, instead of having multiple clients connecting through the WAN link to Microsoft's servers to each retrieve the same updates, your server connects once and the clients