','

'); } ?>

CONFIGURING SECURITY ACCESS-GPO(Group Policy Object) SECURITY TEMPLATES and Security Configuration and Analysis

local policy templates feature

CONFIGURING SECURITY ACCESS with GPO(Group Policy Object) SECURITY TEMPLATES and Security Configuration and Analysis

Monitoring events in the registry is called auditing. Auditing is consists of three steps. The first should include the Audit Policy. This can be done by GPO editor. Is to go to control panel (classic view) ->Administrative Tools -> Local Security Policy then click on Local Policies -> Audit Policy (on the left side of the window). In the right part of the window, double-click on Audit Object Access and Success and Failure check box. In this found the Audit Policy On.

local security policies-audit policy

After that needs to registry perform “audit” of individual keys and in the following manner: Locate the desired key in registry and right click on it -> Permissions -> Advanced tab “Auditing” -> Add -> location -> select desired component, or domain organization under whose users and user groups want to do mine audit. Then in the “Enter the object name ..” enter a name or user we want to add audit list, and then OK. In the “auditing entry for .. ” to access the list of check in and successful and failed for those activities you want to perform an audit of successful and unsuccessful attempts. after inclusion Audit Policy, it should be all good check over Event Viewer.

registry key autiting setting

event viewer auditing

In this posts above I talked about local access registry (ie protection of the same). Now I’ll explain it all just a “remote” (remote) registry approach. On Windows, users local administrator and backup operator group can access registry remotely. Since the Domain Admins group members of each local Administrator group, all domain Administrators are able to access registry to every computer who is involved in this domain. Windows XP and Windwos 7 inflicts much more restrictions on access registry compared to the previous version. In order to allow a group to access registry remotely it is necessary to create the main unit Administrators group for each organizational unit. This is done by this group is added to the ACL key: HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurePipeServers \ winreg

SECURITY TEMPLATES

Security templates are used to make security policy for your boy or network. Backing up templates is much better and more efficiently than previously mentioned techniques because security templates make it possible more specific and complicated security adjustment for a large number of computers, which greatly simplifies and accelerates business compared to other security setup. In making their use different tools. First, we use security templates for creating and editing templates. That way we use the Security Configuration And Analysis and Group Policy console that would have applied templates. Over the templates we can adjust the following categories:

- Account Policies – Password Policy, Account Lockout Policy, and Kerberos Policy

- Local Policies – Audit Policy, User Rights Assignment, and Security Options

- Event Log – Application, System and Security Event Log Settings

- Restricted Groups – Membership of security-sensitive groups

- System Services – Startup and permissions for system services

- Registry – permissions for the registry key

- File system – Permissions for files and folders

Security templates are simple .Inf files. So .txt files with inf extensions and very similar to . ini files, which means that you can be relaxed copy and edit as needed. There is a possibility that you make your own security template “from scratch” that is, “from scratch”, but it is not recommended percent have a lot of work and the risk is too high, so it is better to edit already existing predefined Windows security template. It is noteworthy that only members of the Administrators group have the opportunity to change their default security template folder -% SystemRoot% \ Security \ Templates.

To work with security template best to use MMC (microsoft management console). The principle is as follows: in the run-in and enter mmc and hit enter in the new window, go to FileAdd / Remove Snap-in -> Add -> Select Security Templates and then add After that, click to select the Security Configuration And Analysis and again Add. Then Close the window and OK. Save Settings – File -> Save, and save it as MyMMCConsole.msc and the file will by default be stored in the Administrative Tools folder. To make it a quickie started operating, let Start -> All Programs -> Administrative Tools -> MyMMCConsole or that you have already named, or you can put that on the desktop as shorcut.

mmc-sec-template-console

In Windows but there are several predefined security template. Signs you do not need to create new template, but simply to edit existing as needed. Predefined templates are located at the following location: % SystemRoot% \ Security \ Templates including the following: 

- Default security (security.inf) – The default security settings, set when installing windows. Also contains system and registry permit. Since this template contains the default security settings,, In case something screw up, this template will allow you to restore the system to original windows security adjustment, by making this template load through the Security and Analysis console, not through Group Policy.

- Compatible (Compatws.inf) – This template “easier” restrictions that are Users given the group enough to be able to raise the legal applications. In this method is given the opportunity to make users switch from the Users group Power Users group or the Administrators group. This template also allows permit which user groups have the system files and applications so that they can be to manage applications and files that are not certified by windows. Through this template administrators shifted from users Power users group User group.

- DC Security (DC Secutity.inf) – This template is created when the server initiated by the domain controller. Affects files, and redistributive system services.

- Secure (Secure *. Inf) – This executes template finest adjustments. eg Securedc.inf for domain controllers, and Securews.inf for Workstation. Apply strong cipher, audit adjustment .. Restricts users LAN Manager and NTLM configuration of Windows that sends only NTLM v2 responses and configuration of servers to refuse LAN Manager responses. And finally, this template restricts anonymous users from enumerating account name, enumeration of Shares, and translating SID’s.

- Highly Secure (Hisec *. Inf) – This template is a collection of previous templates and inflicts even greater restrictions. Hisecdc.inf for domain controllers and Hisecws.inf for Workstation. This template sets level encryption and enter the windows needed for authentication and for transmission of data over secure channels and this need strong encryption and writing. At the end of this template removes all users from the Power Users group and verify whether the exclusive Domain Admins group and the local Administrators users are members of Admnistrator local groups.

- System root security (Rootsec.inf) – This describes template root permissions to win filesystem. Contains permissions that are not related to registry. acceptance permission for root% SystemDrive%’s.

No Terminal Server user SID (Notssid.inf) - This removes template unnecessary Terminal Server SID of the file system and when registry running Terminal Server in application compatibility mode. If this is possible, run Terminal Server in full security mode (the mode in which the terminal Server do not use).

There is a possibility to create their own template although not very advisable. This is done in the following way: In the Security Templates go right click on a folder within which you want to create new template and then click New Template. In the Template Name field Enter the name of the new template, and Description field, enter a useful Information for template who create. The left side of the window, double-click on newly created template to open it. Select the security field as is registry and then set it up security settings, in the right part of the window.

Another way, and much more preferably is to take some predefined template and to preserve it as a new file and then edit it as needed: Go to C: \ WINDOWS \ security \ templates, and right-click on the desired predefined template and save as and just enter the name of the new file (ie security template) and then just save. The left side of the window, double-click on newly created template to open it. Select the security field as is registry and then set up security settings, in the right part of the window.

Now let’s see how all this acting on registry key. The left side of the window, double-click on the desired template and then click on the Registry will appear and you list of reg keys in the right part of the window. To add key this list go right click on the registry and only Add Key. Percent rate already includes all HKLM is, we’ll create an exception which that template set for HKLM \ SOFTWARE and HKLM \ SYSTEM. To edit a key to go right click and selects one of the following options.

1 – Configure This Key Then

- Propagate Inheritable Permissions To All Subkeys – Key subkey succeed to key security settings, assuming that the security adjustment subkey not block inherit. In the event of conflict, permits subkey permissions replace permissions inherited by parent key

- Replace Existing Permissions On All Subkeys With Inheritable Permissions - License key to fully replace all licenses its subkey, which means that each subkey permit licenses to be identical to the parent key.

2 – Do Not Allow Permissions On This Key To Be Replaced – Select this option If you do not have to adjust the license key and subkey.

template registry add key

Security Configuration and Analysis – COMPUTER CONFIGURATION AND NEW SECURITY FEATURES

Security Configuration and Analysis enables you to compare the current state of security setting by adjusting the given security over template. This analysis can be an excellent indicator of the error and the initiator of resolving them. In the following manner to carry out security analysis by using Security Configuration Analysis and tools:

Let’s right click on the Security Configuration and Analysis (which we added Console 0x04b passage of potty) and click on Open Database. When we reached the Open Database window, we can do the following two things:

- To create a new Analysis database, the File Name field Enter name of the new database and go to the Open and then Import Template window selects template and click on Open.

- To open an existing Analysis database, we clicking on Analyse Computer Now and accept the default log file or specify a new one.

security configuration and analysis

In this way the Security Configuration and Analysis to compare the current security of computers with that obtained as a result of the analysis database. If you import large number of security templates in the database, They will all be combined into a single template. If it challenges some conflict last loaded template precedence (meaning ‘first template flying out, last remains). After completion of the analysis, the results of which will leave you are the same as the security templates. The difference is that the Security Configuration and Analysis shows the following indicators: 

- Red X – Settings are in the database for analysis , but these two versions do not do not correspond to each other.

- Green check – Settings are in at the base of analyzing and competences and others correspond to each other.

- Question mark – Setting not in the database for analysis and not analyzed. This happens probably because the user did not have a sufficient level of permits to execute the launch Security Configuration and Analysis.

- Exclamation mark – Settings are in the database for analysis, but not in computer. Registry key is in the database.

Database we can update by clicking on Edit Security and thus we update database and not the template . After we backed template and analyzed it should now to accept that is loaded into the comp, and we do it in the following way: Right-click the Security Configuration and Analysis, and go to the Open Database. In the Open Database window, we can do the following two things:

- To create a new database in the File Name field Enter name of the new database and go to the Open and then Import Template window selects template and click on Open.

- To open an existing database, we enter name of an existing database data in the File Name field, and then Open.

In the end, we go right click on the Security Configuration and Analysis, and we’re going to Configure Computer Now and then accept the default log file or specify a new one.

All this is mainly applicable for individual computer, but if you want to working with security templates on larger networks, you need to use Group policy – create a new GPO and then edit it. The GP editor go right click -> Security Settings -> Import Policy -> Highlight the desired template and Open.

GPEdit-security-import-policy

GPEdit-security-import-policy-template

That’s it for now about Group Policy templates. There are more detailed explanations about Group Policy settings in Domain Networks environment, but that is another story, maybe some other time.

banner