Chapter 14: CONFIGURING AND MANAGING COMPUTER SECURITY
This chapter covers policy-based security management. Students will learn how to manage security with Local Security Policy and security templates, how to create and copy templates, and how to apply template settings using the Security Configuration and Analysis snap-in or Secedit.exe. We will also cover auditing and its use to detect security breaches.
This section introduces Local Security Policy and Domain Security Policy. Emphasize the relationship between these policies, with the domain policy overriding the local policy.
This slide shows the major security policy areas discussed in the textbook. As you discuss each frame, point out specific policies and explain what they do.
Continue the discussion of settings, referring to the textbook for descriptions of policies in each policy area. Account policy and user rights assignment should be familiar to the students from Chapter 13.
This slide depicts the Domain Security Policy console on a Windows Server 2003 system. Point out that even though there are additional settings that apply to domains or Windows Server 2003, the familiar account policies and local policies are still present. Describe the role of domain security in managing security for workstations in the domain. Be sure to emphasize that domain policy overrides local policy, and mention that even domain policy can be overridden by security policies created for an OU within the domain.
This section covers managing security with security templates. Templates are collections of security settings that make it easy to define local or domain security policies. We will discuss the built-in security templates as well as how to create and use custom templates. We will then discuss importing, analyzing, and exporting templates using the Security Configuration and Analysis snap-in and Secedit.exe.
This slide lists the workstation templates included with Windows XP. Two other built-in templates—Securedc.inf and Hisecdc.inf—are used to configure security for domain controllers. Discuss each template’s intended purpose and use. You can refer to the textbook for descriptions of each template.
This slide depicts the creation of a custom Security Policy Management console. You can step through the screen shots or build the console in class. This is a good time to make sure students are familiar with customizing Microsoft Management Console (MMC). Point out the inclusion of the default security templates in the Security Templates snap-in.
This slide depicts the creation of a new security template. Discuss the steps taken to create, modify, and save the template. If time permits, open some of the built-in templates and discuss their settings. Encourage students to familiarize themselves with templates and their configuration.
This slide shows the first screen of the Security Configuration and Analysis snap-in. If possible, walk through the next few slides on a classroom system to demonstrate how to import, analyze, and configure security settings using templates.
This slide depicts the creation of a security analysis database. This is the first step in analyzing or configuring security with Security Configuration and Analysis. Step through the frames, explaining what is being done in each frame. You can also demonstrate this on a classroom system.
This slide shows the use of the custom template we created earlier to analyze security on a system. Once again, step through the procedure using the slides or a classroom system. Point out the green check mark icons for settings that are consistent with the template and the red X for settings that are not.
This slide shows a security template being used to configure security. Emphasize that this is a one-way process. To revert to the original settings, you have to import settings from the Setup Security template or use System Restore to revert to a restore point prior to the configuration.
This slide shows the export of security settings to a template file. The new template (New Base.inf) can be used to configure security on other systems/domains/OUs.
You can use Secedit.exe to perform the tasks of the Security Configuration and Analysis snap-in from the command prompt. Type Secedit /? at a command prompt, and browse the help file to show students the complete syntax for this utility.
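For a classroom demonstration, the snap-in workflow from the preceding slides (create a database, import a template, analyze, configure, export) can be run with Secedit.exe as shown below. This is an added example, not part of the original slides or textbook; the C:\SecWork folder, the Custom.inf template name, and the database and log file names are assumptions.

```powershell
# Added example. Assumed names: C:\SecWork, Custom.inf, Analysis.sdb, *.log.
# Run from an elevated prompt; pass -Apply to configure the system as well.
param([switch]$Apply)

$work     = 'C:\SecWork'
$template = Join-Path $work 'Custom.inf'     # custom template saved from the Security Templates snap-in
$db       = Join-Path $work 'Analysis.sdb'   # analysis database, created if it does not exist
$log      = Join-Path $work 'Analysis.log'

# 1. Check the template's syntax before importing it anywhere.
secedit /validate $template
if ($LASTEXITCODE -ne 0) { throw "Template failed validation: $template" }

# 2. Import the template into the database and compare it with the live settings.
#    Start from an empty log so that old results are not counted again.
Remove-Item $log -ErrorAction SilentlyContinue
secedit /analyze /db $db /cfg $template /overwrite /log $log /quiet

# 3. The analysis log marks each setting that differs from the template with
#    the word "Mismatch" (the red X in the snap-in).
$mismatches = @(Get-Content $log | Where-Object { $_ -match 'Mismatch' })
"{0} setting(s) differ from {1}" -f $mismatches.Count, $template
$mismatches | ForEach-Object { $_.Trim() }

# 4. Configure only on request: this step is one-way.
if ($Apply) {
    secedit /configure /db $db /log (Join-Path $work 'Configure.log') /quiet
}

# 5. Export the computer's current settings to a template file for reuse.
secedit /export /cfg (Join-Path $work 'New Base.inf')
```

Running the script without -Apply performs the analysis and export only, which makes it safe to repeat on a classroom system.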
Security auditing is an important part of ensuring that security policies and procedures are effective. Without auditing, you really cannot tell when unauthorized access occurs, how it occurs, and who is responsible. This section covers planning and implementing an audit policy. We also discuss the use of Event Viewer to monitor security audits.
This slide shows the Audit Policy section of Local Security Policy. It lists the audit types you can implement. The textbook describes each type in detail and presents three other audit-related settings found in Security Settings. Describe each one and discuss when each might be used: Audit The Access Of Global System Objects; Audit The Use Of Backup And Restore Privilege; Shut Down The System Immediately If Unable To Log Security Audits.
This slide lists the three steps in planning an audit policy. Discuss the tasks you would perform at each juncture and why it is important to begin this process with a plan.
This slide depicts the Security Properties dialog box in Event Viewer. Demonstrate the configuration options of the Security log in class, if possible. For students not familiar with log settings, explain how to configure log size and the settings for actions to be taken when the log reaches the maximum size.
This slide shows the use of Local Security Policy to enable auditing of object access on a system. Emphasize that you can also enable auditing on multiple systems by using Domain Security Policy. Also point out that enabling auditing is only half the job. You also have to configure SACLs for each object to be audited (next slide).
This slide depicts the configuration for auditing a user on the C:\Deploy folder. Amy Rusko will be audited for attempts to take ownership, change permissions, or delete objects in this folder. If time permits, enable auditing on objects in another area such as System Events on a classroom system.
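The two halves of object access auditing described on this slide and the previous one (the audit policy and the SACL) can also be checked and set from PowerShell. This is an added example, not part of the original slides; the account name CLASSROOM\arusko for Amy Rusko, the temporary file name, and the choice to audit both successful and failed attempts are assumptions.

```powershell
# Added example. Assumed: account CLASSROOM\arusko, audit Success and Failure.
# Run elevated: reading or writing a SACL requires the
# "Manage auditing and security log" user right.
$folder  = 'C:\Deploy'
$account = 'CLASSROOM\arusko'     # hypothetical account name for Amy Rusko

# Half 1: confirm that "Audit object access" is enabled in the effective policy.
# In the exported template, AuditObjectAccess is 0 = off, 1 = success,
# 2 = failure, 3 = both.
$export = Join-Path $env:TEMP 'audit-check.inf'
secedit /export /areas SECURITYPOLICY /cfg $export /quiet
$line = Get-Content $export | Where-Object { $_ -match '^AuditObjectAccess\s*=\s*(\d)' }
if (-not $line -or $line -match '=\s*0') {
    throw 'Audit object access is not enabled; the SACL below would log nothing.'
}

# Half 2: add the audit entry (SACL) for the three actions named on the slide.
$rights  = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $account, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $folder -Audit   # -Audit loads the SACL along with the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Show the resulting audit entries so they can be compared with the dialog box.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```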
This slide shows an administrator monitoring events in the Security log. It also demonstrates the use of Find and Filter to locate specific events. Step through this slide or demonstrate these steps on a classroom system.
Emphasize key points of the lecture, tailored to your class’s level of comprehension. Stress the importance of proper planning of security configuration and monitoring.
Stress the importance once again of proper planning for successful auditing.