70-410 Chapter 17
Fine-grained password policies enable you to configure
different password policies and lockout settings (as discussed previously) that can be applied to specific users or groups within a domain.
You can use Group Policy to enable auditing at ___controllers, member servers, and client computers.
domain
Account Logon events refer to the authentication of a
domain user account at a domain controller.
If you recall, previously password policies were applied to the entire
domain.
Within the Local Policies subnode of Security Settings, you have the user rights assignment already discussed, as well as audit policies, which are discussed later in this chapter. This section introduces you to the Security Options subnode, which includes a large set of policy options, as shown in Figure 17-3, that are important in controlling security aspects of the computers to which the GPO applies. Several of the more important options that you should be familiar with are as follows:
...
Strong passwords help protect accounts, especially administrative accounts, from being compromised by unauthorized users. In legacy versions of Windows Server, strong passwords could be enforced throughout the organization through a password policy that was applied to the entire
domain.
IP Security Policies on Active Directory
Controls the implementation of IP Security (IPsec) as used by the computer for encrypting communications over the network.
Expression-based audit policies are helpful in situations where you need to
minimize audit logs but still track the necessary data.
Fine-grained password policies are particularly helpful in the following scenarios:
-A group of users, such as administrators, require a different, perhaps more complex password policy than the rest of the users. -Different departments, such as Legal or Human Resources, require stronger password policies than the rest of the organization. -Your company has merged or acquired a new company with different password policy requirements.
A password policy could be applied to the domain using a domain-based GPO that specified password requirements for the domain. To configure strong passwords, Microsoft created the Passwords must meet complexity requirements Group Policy setting. The password complexity setting prevents users from employing simple, easy-to-guess passwords by enforcing the following requirements with respect to creating passwords:
-Passwords may not contain user account name or display name. -Passwords must contain characters from three of the following categories: --Uppercase letters A-Z --Lowercase letters a-z --Base 10 digits 0-9 --Non-alphanumeric characters, also known as special characters such as !,#,
Using Security Configuration wizard, you can configure security for the following items:
-Server roles, features, and administrative options -Background services running on the server, including their startup modes -Network security, including rules for the Windows Server Firewall with Advanced Security snap-in -Registry-based settings for configuring protocols used to communicate on the network -Audit policy settings
As with previous versions of Windows Server, domain controllers keep track of logon attempts. By configuring Account Lockout Policy settings, you can control what happens when unauthorized access attempts occur. Account Lockout Policy settings are configured under Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. You can configure the following settings for the entire domain:
...
Available Auditing Categories Windows Server 2012 R2 enables you to audit the following types of events:
...
Know which types of actions to audit for different scenarios. For example, the exam might present a drag-and-drop interface in which you must select success and failure actions to achieve a given objective.
...
Password Policy settings are located and can be configured under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. When configuring a password policy, you should consider configuring the following settings:
...
The Security Options node also contains the following additional sets of security-related policies:
...
Windows Server 2008 introduced the command-line tool auditpol.exe as well as subcategories in the Audit Directory Service Access category. In addition, Windows Server 2008 R2 introduced an Advanced Audit Policy subnode in the Group Policy Management Editor. In previous versions of Windows Server, a single Directory Service Access category controlled the auditing of all directory service events. Windows Server 2012 expanded on this. Windows Server 2012 R2 continues to leverage four subcategories for auditing directory service access:
...
Windows Server 2012 R2 includes the following additional tools that are useful in configuring and maintaining the security of your AD DS network:
...
User rights consist of
privileges and logon rights.
This capability can assist you in modifying an object's ___to ensure that only the appropriate access is permitted.
ACL
Using these policies, you can even determine which access control entry (ACE) in an object's ___allowed access to an audited object.
ACL
Object access
Access by a user to an object such as a file, folder, or printer. You need to configure auditing in each object's SACL to track access to that object. Track success and failure to access important resources on your network.
Directory service access
Access to an AD DS object as specified by the object's SACL. This category includes the four subcategories mentioned earlier in this section; enabling directory service access from the Group Policy Management Editor enables all four subcategories. Enable this category for failures (if you record success, a large number of events will be logged).
Process tracking
Actions performed by an application. This category is primarily for application developers and does not need to be enabled in most cases.
Group Policy enables you to configure success or failure for several types of actions. In other words, you can choose to
record successful actions, failed attempts at performing these actions, or both. For example, if you are concerned about intruders that might be attempting to access your network, you can log failed logon events. You can also track successful logon events, which is useful in case the intruders succeed in accessing your network.
Event Log
Configuration options for the Event Viewer logs, including log sizes and action taken when an event log is full.
Account management
Creation, modification, or deletion of computer, user, or group accounts. Also included are enabling and disabling of accounts and changing or resetting passwords. You should track both success and failure.
To enable auditing on all domain controllers, configure the auditing settings in the ___GPO
Default Domain Controllers Policy
To enable auditing on other domain computers, configure the auditing settings in the ___GPO or in another GPO as required.
Default Domain Policy
Maximum password age
Defines the maximum period of time in days that a password can be used before the system requires the user to change it. This value must be greater than the minimum password age. The default value is 42 days. If set to 0, the password never expires.
Minimum password length
Defines the minimum number of characters (up to 14) a password must contain. The default value is 0, indicating no password is required.
Minimum password age
Defines the minimum period of time in days that a password can be used before the system requires the user to change it. The default value is 1 day.
Account lockout threshold
Defines the number of failed logon attempts that causes the user account to be locked out.
Enforce password history
Determines the number of unique new passwords the user must use before an old password can be reused. The default is 24 passwords remembered.
Restricted Groups
Determines who can belong to certain groups. We discussed group accounts in Chapter 15, "Active Directory Groups and Organizational Units (OUs)."
Advanced Audit Policy Configuration
First introduced in Windows Server 2008 R2 and continued in Windows Server 2012 R2, this node contains 53 new policy settings that enable you to select explicitly the actions you want to monitor and exclude actions that are of less concern. More information is provided later in this chapter.
Interactive logon: Do not display last user name
Enable this option to prevent the username of the last logged-on user from appearing in the logon dialog box, thus preventing another individual from seeing a username. This can also help to reduce lockouts.
File System
Enables you to configure permissions on folders and files and prevent their modification.
Windows Firewall with Advanced Security
Enables you to configure properties of Windows Firewall for domain, private, and public profiles. You can specify inbound and outbound connection rules as well as monitoring settings.
Public Key Policies
Enables you to configure public key infrastructure (PKI) settings. Certificate Services and PKI are discussed in the Cert Guide book for exam 70-412.
System Services
Enables you to configure system services properties, such as startup type, and restrict users from modifying these settings.
Network List Manager Policies
Enables you to control the networks that computers can access and their location types such as public and private (which automatically specifies the appropriate firewall settings according to location type). You can also specify to which networks a user is allowed to connect.
Registry
Enables you to control the permissions that govern who can access and edit portions of the Registry.
Wired Network (IEEE 802.3) Policies
Enables you to specify the use of IEEE 802.1X authentication for network access by Windows Vista, Windows 7, Windows 8, or Windows 8.1 computers and includes the protocol to be used for network authentication.
Software Restriction Policies
Enables you to specify which software programs users can run on network computers, which programs users on multiuser computers can run, and the execution of email attachments. You can also specify whether software restriction policies apply to certain groups such as administrators. We discuss software restriction policies in Chapter 18, "Configuring Application Restriction Policies."
Wireless Network (IEEE 802.11) Policies
Enables you to specify wireless settings, such as enabling 802.1X authentication and the preferred wireless networks that users can access.
You can then use___to view any computer's Security log by connecting to the required computer.
Event Viewer
System events
Events taking place on a computer such as an improper shutdown or a disk with very little free space remaining. Track success and failure events.
Auditing enables administrators to define computer ___per object type for the file system or registry.
system access control lists (SACLs)
Account logon
Logon or logoff by a domain user account at a domain controller. You should track both success and failure.
Logon events
Logon or logoff by a user at a member server or client computer. You should track both success and failure (success logging can record an unauthorized access that succeeded).
Security Templates snap-in
From this snap-in, you can save a custom security policy that includes settings from the various subnodes of the Security Settings node of Computer Configuration that we discussed in the preceding sections. It is most useful in defining a security configuration for standalone servers that are not members of a domain.
These policies enable an administrator to manage object access centrally. This concept is also known as ___under Windows Server 2012 R2.
Global Object Access
You can apply expression policies centrally through Group Policy using
Global Object Access Auditing.
One of the tasks you have is to define a password policy and account lockout policy, both of which are configured using
Group Policy Management console.
Password must meet complexity requirements
Indicates whether passwords must meet complexity requirements as described in the next section. The default value is Enabled in Windows Server 2012 R2.
These two snap-ins are not contained in any ___console by default; to use them you must open a blank console (type mmc from the Run dialog box or the Search charm) and add them using the Add or Remove Snap-ins dialog box shown in Figure 17-5.
MMC
Policy change
Modification of policies, including user rights assignment, trust, and audit policies. This category is not normally needed unless unusual events are occurring.
Network Access Protection
Network Access Protection (NAP) is a feature first introduced in Windows Server 2008. It enables you to define client health policies that restrict access to your network by computers that lack appropriate security configurations. The NAP policies enable you to specify settings for client user interface items, trusted servers, and servers used for enforcement of client computer security health status. We discuss NAP in the Cert Guide book for exam 70-411.
Password settings are stored in a ___located under the default System container in the domain.
Password Settings Container (PSC)
Accounts: Block Microsoft accounts
Prevents users from using Microsoft accounts to access the computer or creating new Microsoft accounts on the computer. This setting was new to Windows 8 and Windows Server 2012 and is continued in Windows 8.1 and Windows Server 2012 R2
Be aware that all auditing takes place at the local computer on which the events take place only and that these events are recorded on that computer's ___log.
Security
User Account Control
Several policy settings determine the behavior of the UAC prompt for administrative and nonadministrative users, including behavior by applications that are located in secure locations on the computer such as %ProgramFiles% or %Windir%.
Account lockout duration
Specifies the number of minutes an account is locked before automatically being unlocked by the system. A value of 0 specifies that the account will be locked until an administrator intervenes and unlocks the account. By default, account lockout durations are undefined.
Reset account lockout counter after
Specifies the number of minutes that must pass after the account is locked before the account logon counter is reset to 0. This setting is not defined by default. Fine-Grained Password Policy
Store password using reversible encryption
Stores encrypted passwords with information used to decrypt the password. This policy setting is typically associated with custom or in-house applications that require knowing the user's password for the authentication process. Applications decrypt the stored password and process logon requests. Due to the fact that passwords can be decrypted, it is recommended to keep the default setting of Disabled unless there is a specific need that outweighs the security risk.
The SACL is then applied to every object for that
type.
Application Control Policies
These are a set of software control policies first introduced with Windows 7 and Windows Server 2008 R2 that introduces the AppLocker feature. AppLocker provides new enhancements that enable you to specify exactly what users are permitted to run on their desktops according to unique file identities. We discuss application control policies in Chapter 18.
Accounts: Rename administrator account
This option renames the default administrator account to a value you specify. Intruders cannot simply look for "Administrator" when attempting to crack your network.
Security Configuration and Analysis
This snap-in enables you to analyze and configure local computer security. You can compare security settings on the computer to those in a database created from the Security Templates snap-in and view any differences that are found. You can then use this database to configure the computer's security so that it matches the database settings.
Security Configuration Wizard
This wizard assists you in maintaining the security of your servers and checks for vulnerabilities that might appear as server configurations change over time. You can access this wizard from the Search charm or the Administrative Tools tile on the Start screen. As shown in Figure 17-4, you can create a new security policy or perform actions on an existing security policy, including editing, applying, or rolling back the policy. This wizard is particularly useful in maintaining the security of servers hosting roles that are not installed using Server Manager, such as SQL Server and Exchange Server, as well as servers that host non-Microsoft applications. Microsoft also includes a command-line version, scwcmd.exe, which is useful in configuring Server Core computers.
Previous editions of Windows Server introduced the concept of strong passwords. A strong password is a password comprised of
at least eight characters including a combination of letters, numbers, and symbols.
Detailed Directory Service Replication
Tracks additional AD DS replication events, including the establishment, removal, or modification of an Active Directory replica source naming context; replication of attributes for an AD DS object; or removal of a lingering object from a replica.
Directory Service Access
Tracks all attempts at accessing AD DS objects whose SACLs have been configured for auditing. This includes deletion of objects.
Directory Service Changes
Tracks modifications to AD DS objects whose SACLs have been configured for auditing. The following actions are included: -When an attribute of an object has been modified, the old and new values of the attribute are recorded in the Security log. -When a new object is created, values of their attributes, including new attribute values, are recorded in the Security log. This includes objects moved from another domain. -When objects are moved from one container to another, the distinguished names of the old and new locations are recorded in the Security log. -When objects are undeleted, the location in which they are placed is recorded in the Security log. Any added, modified, or deleted attributes are also recorded.
Directory Service Replication
Tracks the beginning and end of the synchronization of a replica of an Active Directory naming context.
Privilege use
Use of a user right, such as changing the system time. Track failure events for this category.
Fine-grained password policies use an object class defined in the AD DS schema known as a Password Settings object (PSO). The PSO holds
attributes for the fine-grained password and account lockout policy settings.
Dynamic Access Control in Windows Server 2012/R2 allows you to create
audit policies by using expressions based on user, computer, or resource request.
The Auditpol.exe tool performs ___actions from the command line.
audit policy configuration
Auditing enables you to track actions performed by users across the domain such as logging on and off or accessing files and folders. When you create and apply an auditing policy, auditable events are recorded in the Security log of the ___at which they happen.
computer
Interactive logon: Do not require CTRL+ALT+DEL
When enabled, a user is not required to press Ctrl+Alt+Delete to obtain the logon dialog box. Disable this policy in a secure environment to require the use of this key combination. Its use prevents rogue programs such as Trojan horses from capturing usernames and passwords.
Interactive logon: Require smart card
When enabled, users must employ a smart card to log on to the computer.
This is the only tool you can use to
configure auditing on a Server Core computer or to configure directory service auditing subcategories.
User rights are defined as a
default set of capabilities assigned to built-in domain local groups that define what members of these groups can and cannot do on the network.
By default, UAC is ___under Windows Server 2012 R2
enabled
Windows Server 2012 introduces new ___-based audit policies, which are continued in Windows Server 2012 R2.
expression
The Advanced Audit Policy Configuration node in Windows Server 2012 R2 enables you to configure
granular auditing policies for the 10 subcategories shown in Figure 17-9.
Logon events refer to authentication of a
local user at a workstation or member server