Module 13: Managing Network Security

Contents
Overview
Using Group Policy to Secure the User Environment
Using Group Policy to Configure Account Policies
Lab A: Using Group Policy to Secure the Desktop
Analyzing Security Log Files to Detect Security Breaches
Securing the Logon Process
Examining Service Packs, Hotfixes, and Antivirus Software
Lab B: Monitoring Security
Review

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, places or events is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 30 Minutes
Lab: 60 Minutes

This module provides students with an appreciation of the challenges that are involved in maintaining a secure and reliable system.

After completing this module, students will be able to:
• Use Group Policy to apply security policies to secure the user environment.
• Use Group Policy to configure password and logon account policies.
• Analyze security log files to detect security breaches.
• Secure the logon process by using smart cards.
• Apply service packs, hotfixes, and antivirus software.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 2126A_13.ppt

Preparation Tasks

To prepare for this module:
• Read all of the materials for this module.
• Complete the labs.
• Enable auditing and generate each of the events that are discussed in the Analyzing Security Log Files to Detect Security Breaches

Module Strategy

Use the following strategy to present this module:

• Using Group Policy to Secure the User Environment
  In this topic, you will introduce the procedure for implementing security policies. Emphasize that a preconfigured security template ensures duplication of desired settings that already exist for a computer, and can be tested before security settings are applied to multiple computers. Demonstrate how to use Group Policy to apply security policies. Emphasize that you can define a security setting once and apply it in many places.

• Using Group Policy to Configure Account Policies
  In this topic, you will introduce account policies and their purpose. You will describe how to configure account policies, particularly the account password and lockout policy settings. Emphasize that tight security depends on these policy settings as they enable you to control the complexity of passwords themselves and the locking of an account in response to the entering of an incorrect password.

• Analyzing Security Log Files to Detect Security Breaches
  Throughout this topic, use Event Viewer to illustrate the events that are discussed. You should have previously enabled auditing and purposely generated each of the events that are discussed in the text before beginning this module.

• Securing the Logon Process
  In this topic, you will discuss the use of smart cards as a strategy for increasing the security of the logon process. The configuration of smart cards is simple, so focus on the smart card features, the advantages of using smart cards, and considerations for smart card policies.

• Examining Service Packs, Hotfixes, and Antivirus Software
  Emphasize the importance of keeping servers current with security updates because security threats arise frequently as systems become more complex and are exposed to public networks.

Overview

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about managing network security.

Slide:
• Using Group Policy to Secure the User Environment
• Using Group Policy to Configure Account Policies
• Analyzing Security Log Files to Detect Security Breaches
• Securing the Logon Process
• Examining Service Packs, Hotfixes, and Antivirus Software

As an administrator, you must manage network security by implementing various security measures. You use Group Policy to secure the user environment and configure account policies. You can audit security breaches by analyzing security log files. You can use smart card technology to secure the logon process. You will also be required to evaluate and apply service packs and hotfixes, and maintain antivirus software to ensure your network environment is as safe as current software allows.

After completing this module, you will be able to:
• Use Group Policy to apply security policies to secure the user environment.
• Use Group Policy to configure password and logon account policies.
• Analyze security log files to detect security breaches.
• Secure the logon process by using smart cards.
• Apply service packs, hotfixes, and antivirus software.

Using Group Policy to Secure the User Environment

Topic Objective: To illustrate how to apply security Group Policy to secure the user environment.
Lead-in: Security policies can be implemented on a per-computer basis or on the site, domain, or organizational unit level by using Group Policy.
Delivery Tip: Demonstrate how to import a security template by using Group Policy. Demonstrate how to apply security policies by individually configuring each security setting.
Key Points: Use Group Policy to standardize security settings. Import security templates into Security Settings in Group Policy to apply consistent and tested security policies to computers in an Active Directory container.

Slide: Applying security policies

By importing the security template:
• Identify or create a security template
• Import the security template into a Group Policy object
• Analyze the security settings

By configuring security settings individually:
• Select the Security Settings node
• Select the security setting to configure
• Configure the security setting

Group Policy security settings are often configured to represent an organization’s security policy. The security policy is enforced on users’ systems by using Group Policy to prevent unauthorized access to the organization network and users’ computers.

The process of defining and implementing a standardized set of Group Policies is facilitated by using security templates. A security template is a collection of security settings that can be imported into a Group Policy object or used for analysis. After it is refined to meet the organization’s needs, the template can be applied to the Group Policy object, which will then apply to other systems according to your design.

Using Group Policy to Configure Account Policies

Topic Objective: To introduce using Group Policy to configure account policies.
Lead-in: You configure account policies to prevent unauthorized persons from logging on to the network.

Slide:
• What Are Account Policies?
• Configuring Password Policy Settings
• Configuring Account Lockout Policy Settings

In Microsoft® Windows® 2000, you can configure account policies that prevent unauthorized persons from logging on to the network and gaining access to network resources. These enhanced network security measures include setting a password policy and a user account lockout policy that make it more difficult to guess a password, and they also limit the number of attempts that an unauthorized person can make to determine a password. These measures help prevent unauthorized persons from gaining access to your network.

What Are Account Policies?
Topic Objective: To describe which account policies to configure.
Lead-in: You can use account policies to prevent unauthorized users from gaining access to your network.
Delivery Tip: Explain what a brute force hacking program is. Mention to students that the most common password used is password. Explain why it is important to implement a password account policy so that users have complex passwords.
Key Points: Administrators must set Group Policy for account policies at the domain level to affect domain logons.

Slide: Use account policies to prevent unauthorized persons from gaining access to the network
• Must set Group Policy at domain level
• Set password requirements to:
  • Ensure passwords are difficult to guess
  • Stop brute force hacking programs
• Set failed logon attempts limit to:
  • Domain controller does not authenticate
  • Domain controller locks out user account

Account policies for user accounts can be used to reduce the possibility of unauthorized persons gaining access to the network. When you set account policies in Active Directory, Windows 2000 allows policies to be set at the domain level and at the organizational unit level. The domain account policy becomes the account policy of any Windows 2000–based workstation or server that is a member of the domain. The account policy settings for the organizational unit affect the local policy on any computers contained in the organizational unit.

This means that the account policies set at the domain level always apply when logging on using an account that exists in the domain. The local policy settings apply only when logging on using an account that is local to the computer that you are logging on to.

The account policy settings that you can configure with Group Policy are:
• Password policies
  Password policies establish restrictions that require users to periodically change passwords and to use complex passwords. Password complexity includes the minimum length and the characters to use, including alphanumeric, symbols, and upper- and lower-case letters. By forcing users to use complex passwords, you make it more difficult for unauthorized persons to use brute force hacking programs to gain access to your network. Brute force hacking programs try to log on repeatedly by providing different passwords, for example, by attempting to use each word in a dictionary as the password.

• Account lockout policies
  Account lockout policies ensure that a user account is locked after a predetermined number of failed logon attempts. Setting a limit for failed logon attempts makes it difficult for unauthorized persons to log on by using brute force algorithms to determine a password. After a domain controller locks out a user account, the user account cannot be used for authentication until the account is unlocked. You can configure the lockout duration.

Setting password restrictions and a limit of failed logon attempts makes it more difficult for an unauthorized person to gain access to the network.

Configuring Password Policy Settings

Topic Objective: To explain where to configure password settings in Group Policy.
Lead-in: There are several critical Group Policy password settings that you must configure.
Delivery Tip: Demonstrate configuring the password settings in Group Policy.
Key Points: Group Policy password settings apply to all user accounts in the domain. When you configure password settings, the settings do not apply to existing passwords. Domain controllers enforce the password requirements when an administrator creates a user account or resets a password, or when a user changes a password. If there is conflict between the minimum length of a password setting and the length determined by the complex passwords setting, the most restrictive setting prevails.

Slide:
• Password settings apply to the domain
• The settings to configure are:
  • The number of previous passwords Windows 2000 records

[Screenshot: Group Policy console for LONDON.NWTraders.msft, showing Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy]

Attribute                                      Stored Template Setting
Allow storage of passwords under reversibl…    Not Configured
Enforce password uniqueness by remem…          24 Passwords
Maximum Password Age                           30 Days
Minimum Password Age                           30 Days
Minimum Password Length                        Characters
Passwords must meet complexity require…        Enabled
User must logon to change password             Enabled

The password settings apply to all user accounts in a domain. Domain controllers start enforcing the policy requirements during user authentication after the Group Policy object is applied to the domain controllers.

Note: Note that when you modify password settings, they do not apply to existing passwords. They apply the next time that a user changes his or her password, or when you create or reset a user account.

The following list describes the password settings you must configure:
• Enforce password uniqueness by remembering
  Use this setting to prevent users from reusing a previous password. Windows 2000 will remember the number of passwords that you indicate, ranging from to 24 passwords. In a high-security environment, consider setting this value to 24 remembered passwords. In a medium-security environment, set this value to six remembered passwords.

• Maximum Password Age
  This setting forces users to change their passwords after a specified period of time so that they do not continually use the same password. In a high-security network, set this value to 30 days. In a medium-security network, set the value to 42 days.

• Minimum Password Length
  This setting determines the required minimum length of users’ passwords. In a high-security environment, set this to at least eight characters.

  Note: In a multiple-domain network, you can link the same Group Policy object to each domain container, or you can use different settings in each domain.

• Passwords must meet complexity requirements
  This setting requires passwords to comply with the following complexity rules:
  • The minimum password length must be six characters. If there are conflicts between these settings and the password length setting, the more restrictive setting prevails.
  • The password cannot contain sections of the user’s full name.
  • The password must contain characters from at least three of the following four categories:

    Description                     Example
    English uppercase letters       A, B, C, D, … Y, Z
    English lowercase letters       a, b, c, d, … y, z
    Westernized Arabic numerals     0, 1, 2, …
    Non-alphanumeric characters     !, ?, (, …

• User must log on to change a password
  This setting forces users to log on to their accounts before they can change their passwords. This setting also disables user accounts that have exceeded the maximum password age. Only an administrator can enable the user account again. This prevents unauthorized persons from attempting to log on by using unauthorized user accounts.

To configure Password Policy settings, perform the following steps:
1. Open Active Directory Users and Computers, create a Group Policy object at the domain level or select an existing Group Policy object that is linked to the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policy, and then expand Password Policy ...

... returns to zero. In a high-security network, set this value to one day (1,440 minutes). In a medium-security network, set this value to 30 minutes.

To configure...

... message

Analyzing Security Log Files to Detect Security Breaches

Topic Objective: To equip the students with the ability to identify common security-related
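The module says a security template can be "used for analysis" and gives high-security and medium-security values for the password settings listed above. The following Python audit of a template's [System Access] section against those values is an added example, not part of the course material; the two sample templates are constructed, and requiring complexity at both levels is an assumption.

```python
import configparser

# (template key, comparison, high-security value, medium-security value).
# Numbers are the ones the module gives; None = no figure given for that level.
RULES = [
    ("PasswordHistorySize",   "min", 24, 6),
    ("MaximumPasswordAge",    "max", 30, 42),
    ("MinimumPasswordLength", "min", 8, None),
    ("PasswordComplexity",    "min", 1, 1),   # assumption: enabled at both levels
]

def audit_template(inf_text, level="high"):
    """Return (setting, found_value, problem) for each setting weaker than `level`."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep the template's key casing
    cp.read_string(inf_text)
    access = cp["System Access"] if cp.has_section("System Access") else {}
    findings = []
    for name, kind, high, medium in RULES:
        want = high if level == "high" else medium
        if want is None:
            continue
        raw = access.get(name)
        if raw is None:
            findings.append((name, None, "not defined in template"))
            continue
        value = int(raw)
        if kind == "min" and value < want:
            findings.append((name, value, f"below {want}"))
        elif kind == "max" and (value <= 0 or value > want):
            # 0 or -1 is treated here as "password never expires"
            findings.append((name, value, f"above {want} days or never expires"))
    return findings

# Constructed sample templates (not taken from the course files).
WEAK = """[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 6
[Version]
signature="$CHICAGO$"
"""
HARDENED = """[System Access]
MaximumPasswordAge = 30
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
"""

if __name__ == "__main__":
    for finding in audit_template(WEAK, "high"):
        print(finding)
```

Run against a template before importing it into a Group Policy object; an empty result means every audited setting meets the chosen level.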
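The three complexity rules listed under "Passwords must meet complexity requirements" can be expressed as a short check. This Python sketch is an added example, not Windows' own implementation or part of the course; how a "section" of the full name is split is an assumption, and the user name is constructed.

```python
import re
import string

def complexity_failures(password, full_name, policy_min_length=0):
    """Return the complexity rules (as listed in the module) that `password` breaks."""
    failures = []
    # Rule 1: six characters, or the Minimum Password Length setting if that
    # is more restrictive ("the more restrictive setting prevails").
    required = max(6, policy_min_length)
    if len(password) < required:
        failures.append(f"shorter than {required} characters")
    # Rule 2: no sections of the user's full name.
    # Assumption: a section is a space- or punctuation-delimited part of at
    # least three characters, compared case-insensitively.
    parts = [p for p in re.split(r"[\s,.\-_#]+", full_name) if len(p) >= 3]
    if any(p.lower() in password.lower() for p in parts):
        failures.append("contains part of the user's full name")
    # Rule 3: characters from at least three of the four categories.
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        failures.append("fewer than three character categories")
    return failures

if __name__ == "__main__":
    user = "Anna Lidman"   # constructed sample user
    for candidate in ["password", "Password1", "Anna2001!", "Pass1!"]:
        print(candidate, complexity_failures(candidate, user, policy_min_length=8))
```

Note that "Password1" passes all three rules, so the complexity setting limits dictionary guessing only in combination with the lockout and history settings.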