This document discusses various security features in Windows networks including authentication methods like NTLM, Kerberos, and RADIUS. It covers access control using permissions and privileges as well as encryption methods like EFS, IPSec, and VPN. The document also discusses security policies, patch management, security templates, auditing, and several related acronyms. Security templates define security settings that can be applied through Group Policy to multiple machines. Auditing is used to track security events and access in logs but can consume significant disk space if used extensively.

1. Network Implementation &
Support
Chapter 14
Security Features
Eric Vanderburg © 2006

2. Authentication
• Logon authentication done by the DC or in a
workgroup by the local SAM database
– NTLM
– Kerberos
• IIS Authentication
– Basic
– Digest
– Integrated
• RADIUS (Remote Authentication Dial In User
Service) – Centralized authentication for
wireless, dial in, or VPN connections.
Eric Vanderburg © 2006

3. Access Control
• Permissions (File, Print, GPO)
• Principal of Least Privilege – only as many
permissions as are needed.
• User rights – actions that can be taken.
– Delegation of control
Eric Vanderburg © 2006

4. Encryption
• EFS
• VPN (Virtual Private Network)
• IPSec (IP Security)
– Set up policies
– Transport on the LAN, Tunnel on the WAN
Eric Vanderburg © 2006

5. Security
• Security Policy
– Security Configuration and Analysis MMC snap-in
– Command-line SECEDIT utility
• Patch Management
– Patch – fixes an issue and is tested
– Hot fix – less tested than a patch
– Service Pack – Group of patches together. The entire
group is tested together for stability.
– MBSA (Microsoft Baseline Security Analyzer)
– SUS
– SMS (Systems Management Server)
Eric Vanderburg © 2006

6. Analysis
•
Use Security configuration and analysis to see the difference
between current settings and what a policy would apply. Once a
policy or multiple policies are applied, analysis can then show the
RSoP.
• Security Templates
– Setup Security - default security settings.
– Compatible (compatws.inf) - members of the Users group can run
applications that are not a part of the Designed for Windows Logo
Program.
– Secure (securedc.inf / securews.inf) - modifies security settings that
impact the operating system and network protocols such as the
password policy, account policy, and various Registry settings. It also
removes all members from the Power Users group.
– Highly Secure (hisecdc.inf / hisecws.inf) - This template increases
the security of the parameters defined within the secure template. This
template also removes all members from the Power Users group.
– Internet Explorer (lesacls.inf) – locks down IE
– Reset file permissions (rootsec.inf) – reset permissions starting from
the root.
Eric Vanderburg © 2006

7. Security Templates
• Security templates act as local policies
– Applied through Local Security Settings
(secpol.msc)
• Templates are set up similar to an ini file
– [Heading]
– Values (something=10)
• Import into a GPO in order to apply at
another level or to multiple machines
– Computer  Windows  Security  Import
Policy
Eric Vanderburg © 2006

8. Auditing
• File Access (configure in auditing tab in
advanced on the security properties of an object)
• Privilege Use
• Account creation
• Logon/Logoff
• Process tracking
• System events – restart, crash, ect.
• Stored in Security log
• Success or Failure
• Auditing can take up a lot of log space. Use
sparingly.
Eric Vanderburg © 2006

9. Acronyms
•
•
•
•
VPN (Virtual Private Network)
IPSec (IP Security)
SMS (Systems Management Server)
MBSA (Microsoft Baseline Security
Analyzer)
• RADIUS (Remote Authentication Dial In
User Service)
Eric Vanderburg © 2006

10. Acronyms
•
•
•
•
VPN (Virtual Private Network)
IPSec (IP Security)
SMS (Systems Management Server)
MBSA (Microsoft Baseline Security
Analyzer)
• RADIUS (Remote Authentication Dial In
User Service)
Eric Vanderburg © 2006