Implementing Windows Security with Group Policy by Derek Melber MCSE, MVP

Copyright Notice

The information contained in this document ("the Material") is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Avecto Ltd, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose. Copyright in the whole and every part of this document belongs to Avecto Ltd ("the Owner") and may not be used, sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any person other than in accordance with the terms of the Owner's Agreement or otherwise without the prior written consent of the Owner.

Trademarks

Microsoft Windows, Windows Vista, Windows Server, Windows PowerShell, ActiveX, Visual C++ and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Contents

Introduction
Security within Group Policy
Key Security Settings Section
Application Control with Software Restriction Policy and AppLocker
User Account Control (UAC)
IE Security Settings
Misc Security Settings
Custom Registry Entries
Controlling Shared Folders
ODBC Connection Settings and Credentials
Local User and Group Management
Scheduling Tasks
Controlling Services
Security Settings References
Using Security Templates with Group Policy
Configuring Security Templates
Deploying Security Templates
Manually Deploying Security Templates
Deploying Security Templates with a Command Line Tool
Deploying Security Templates with GPOs
Using Security Configuration Wizard
Accessing the Security Configuration Wizard
Working with Security Policies
Configuring the Security Policy
Role-Based Service Configuration
Network Security
Registry Settings
Audit Policy
Internet Information Services
Using the Security Compliance Manager
SCM Approach
Auditing and SCM
Limitations of Group Policy, Security Templates, SCW, and SCM
Reducing User Privileges
Difficulty in Reducing User Privileges
Group Policy Extensions and Implementing Least Privilege
Group Policy Extensions
Implementing Least Privilege with a Group Policy Extension
Summary

Introduction

There is no question that the proper and efficient method for securing a Windows desktop, server, or environment is to use Group Policy. Group Policy is the proven way to secure nearly every aspect of a Windows computer. Microsoft has continued to leverage Group Policy over the years, now providing well over 5000 settings in a single Group Policy Object.

In addition to Group Policy as a stand-alone solution, Microsoft has provided many tools that can help a company deploy security settings to the myriad of desktops and servers that need special security settings for a standard corporate network. Most of the tools that Microsoft provides to help deploy security settings are available by default in the operating system. Therefore, the administrator does not need to download or install anything special; the administrator only needs to know how to use the tools.

Although this may sound obvious, not all of the tools are well known to system administrators. Many of the tools have been around since Windows NT 4.0, but with the breadth of knowledge that a routine Windows administrator must have, many of these tools are underutilized.

As you will see, the majority of Windows-based security tools interface with Group Policy at some level. The reasons for this are obvious. Group Policy is the way to secure a Windows network, and using it takes the total cost of owning and securing your environment down to a manageable level.

One area that standard Microsoft tools and Group Policy do not solve is that of least privilege. This paper will also introduce a solution to this omission by Microsoft, which is to leverage the extensibility of Group Policy with Privilege Guard by Avecto. The combination of Microsoft security tools in conjunction with Privilege Guard provides the only end-to-end Group Policy solution that configures, monitors, and audits what a user is allowed to do with their privileges.

Security within Group Policy

Group Policy is by far the most important aspect when it comes to securing your Windows desktops, servers, and domain controllers. There is no question that Microsoft has been putting emphasis on Group Policy ever since it was first introduced with Windows Over the past 10 years, Microsoft has added thousands of settings, including hundreds of security related areas to configure, and made Group Policy the most important security control mechanism within an Active Directory enterprise.

Group Policy itself is a technology that provides control over nearly every aspect of the desktop experience, environment, and structure. As of 2009, there were over 5000 individual settings in a single Group Policy Object (GPO). With the ability to create thousands of GPOs (I have seen over 5000 in one Active Directory domain alone!), you can control nearly every part of the user desktop.

There is a local GPO on each desktop that can be configured and utilized, but for the purposes of this white paper I am going to ignore it. Most of the readers of this paper will be working for organizations that have hundreds, thousands, or maybe hundreds of thousands of desktops, and using the local GPO to configure them is not a feasible option.

A GPO is not just for security, however; there are thousands of settings that are geared toward controlling other aspects of the desktop. The following gives an idea of some of the non-security areas that are included in a GPO:

- Software installation and management
- Logon, Logoff, Startup, and Shutdown scripts
- Control Panel and applet management
- Network communication, services, and connections
- Printer management
- Device and driver management
- Disk Quotas
- Power management
- System restore and backup
- Various Windows components
- Environment variables
- File and folder management
- Registry keys and values
- Shares
- Shortcuts
- Scheduled Tasks
- Drive mappings
- Folder redirection
- Start menu

As you can see, there are plenty of areas that Group Policy can tackle. To be honest, as a Group Policy MVP, the one area that Group Policy fails miserably at is controlling applications. Of course, Group Policy can install your application (usually), but its handling of management, inventory, upgrades, interoperability and privilege management is poor.

Key Security Settings Section

Over the years, one of the most important areas within Group Policy has been security. Security has grown from a mere few areas of configuration to literally hundreds, if not thousands, of settings in a single GPO. I refer to security as a buffet line: you have so many areas that you need to secure, and you just have to pick and choose what is best for you and your environment.

Finding the security settings within a GPO is not all that obvious, however. To be honest, finding any setting in a GPO can be a task unto itself. Here, I plan on giving you a tour of the most important security settings to make it easier for you to find them.

To start, consider that most security settings for the operating system will fall under the computer portion of the GPO. That is not to say that there are no security settings for the user portion; it is just that most of the important security settings are for computers. To find these settings, you will edit a GPO, and then open up Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, which can be seen in Figure 1.

Figure 1. Illustrates where security settings are listed in a GPO.

There are over 75 individual settings listed here, and many of these settings are essential for you and your organization. Notice that the settings are categorized, with categories such as:

- Accounts
- Audit
- Domain controller
- Network Access
- User Account Control

You will find that many of these security settings are leveraged in the tools that are provided. The reason is quite obvious, as these settings are very important in the overall approach to securing desktops and servers.

Application Control with Software Restriction Policy and AppLocker

Another important security area within Group Policy for many companies is the ability to control which applications the user is able to run. The security settings that control applications are called Software Restriction Policy (SRP) and AppLocker. SRP was first introduced with Windows XP and is valid up through Windows Vista. In Windows 7 Microsoft updated SRP and replaced it with AppLocker. AppLocker only works with Windows 7 desktops and is not backward compatible with SRP.

In essence, SRP and AppLocker provide similar capabilities. They either allow or deny specified applications from running. The administrator is able to define which applications are able to run, based on the criteria the administrator wants to rely on. SRP and AppLocker do have some differences, with AppLocker providing more granular options to identify applications.

SRP provides three levels of security control: Disallowed, Basic User, and Unrestricted. You can see these options in Figure 2.

Figure 2. SRP provides three levels of security control.

The most common of these security settings for SRP are Disallowed and Unrestricted. The result of each of these settings is to Deny or Allow, respectively, the application from running on the target computer.

The main difference between AppLocker and SRP is that AppLocker offers more granular control over how the application is defined for the target computer. AppLocker allows you to define the application based on: publisher, product name, file name, file version, file path, folder path, or file hash.

NOTE: Both SRP and AppLocker provide control over whether an application is allowed to run or not on the target computer. However, neither technology provides control over the elevation of privileges for the application. If the user of the target computer is not an administrator, yet the application requires administrative privileges, no setting in SRP or AppLocker can allow this application to run successfully.

User Account Control (UAC)

UAC is one of the most contested, yet powerful, security features for Windows Vista and Windows 7. UAC is a technology that does not rely on Group Policy, but Group Policy can control the behavior of UAC. In short, UAC is a technology that controls the local computer privilege for every user that logs in.

There are two scenarios to consider. First, when a user logs in who has local administrative rights, the user's administrative rights are dropped and all applications will run with standard user rights by default. If an application or operating system task requires administrative privileges then UAC will trigger, presenting a dialog box for the user to confirm the privilege elevation.

The behavior of UAC is slightly different when a standard user is logged in. In this scenario, when an application or operating system feature requires administrative privileges, UAC will prompt the user for alternate administrative credentials. Since the user logged in does not have any administrative privileges, there is no way for UAC to allow the application or operating system feature to run with the current credentials. Prompting for alternate credentials is the only way UAC can allow this behavior.

UAC within Group Policy has fairly granular control. There are many options for controlling both the user that is logged in with administrative privileges and the user that is logged in as a non-administrator. Although you can remove all prompts for both administrative and non-administrative users, while still having UAC functioning, this can cause issues. If you remove the prompt for administrators then the user will never know that an application required elevation. Even worms, viruses, and malware will be allowed to function without prompting the user. On the other hand, if you just silently deny a standard user from running an application, the user will be confused as to why the application did not run, leading to increased helpdesk calls.

NOTE: UAC does not provide control over the elevation of privileges for applications running under a standard user account. If the user of the target computer is not an administrator, yet the application requires administrative privileges, no setting can allow this application to run successfully. The user must provide the credentials of an administrator to perform the action.
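The UAC prompt behaviors described above end up as registry values on the target computer once the GPO applies, so the two prompt-less configurations the text warns about can be checked for directly. The following PowerShell is an added example, not part of the original paper; the function names are illustrative, and it assumes the standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which it only reads.

```powershell
# Added example (not from the original paper): read-only audit of the UAC
# policy values that the Group Policy UAC settings write to the registry.
# Value meanings are those used by Windows 7 and later.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Test-UacPolicy {
    # $Policy maps value name -> DWORD. A missing value is $null and is not
    # flagged, because Windows then falls back to its built-in default.
    param([hashtable] $Policy)

    $findings = @()
    if ($Policy['EnableLUA'] -eq 0) {
        $findings += 'EnableLUA=0: UAC is off, administrators always run elevated.'
    }
    if ($Policy['ConsentPromptBehaviorAdmin'] -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt, so malware elevates unnoticed too.'
    }
    if ($Policy['ConsentPromptBehaviorUser'] -eq 0) {
        $findings += 'ConsentPromptBehaviorUser=0: standard users are denied silently; expect helpdesk calls.'
    }
    if ($Policy['PromptOnSecureDesktop'] -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts are shown on the interactive desktop, not the secure desktop.'
    }
    return $findings
}

function Get-UacPolicy {
    # Reads the four values from the local registry; nothing is changed.
    $names  = 'EnableLUA', 'ConsentPromptBehaviorAdmin',
              'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop'
    $props  = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $policy = @{}
    foreach ($n in $names) {
        $p = $props.PSObject.Properties[$n]
        $policy[$n] = if ($p) { $p.Value } else { $null }
    }
    return $policy
}

function Get-PromptText($Value, [hashtable] $Map) {
    # Translates a DWORD into the wording used in the GPO editor.
    if ($null -eq $Value) { return 'not configured (Windows default applies)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unknown value $Value"
}

# Constructed sample: both prompt-less configurations at once.
$constructed = @{
    EnableLUA = 1; ConsentPromptBehaviorAdmin = 0
    ConsentPromptBehaviorUser = 0; PromptOnSecureDesktop = 1
}
'Constructed sample:'
Test-UacPolicy $constructed | ForEach-Object { "  [!] $_" }

# Live check of the local computer.
if (Test-Path $UacKey) {
    $live = Get-UacPolicy
    'Local computer:'
    '  Administrators : {0}' -f (Get-PromptText $live.ConsentPromptBehaviorAdmin $AdminPrompt)
    '  Standard users : {0}' -f (Get-PromptText $live.ConsentPromptBehaviorUser $UserPrompt)
    $found = @(Test-UacPolicy $live)
    if ($found.Count -eq 0) { '  No prompt-less UAC configuration found.' }
    $found | ForEach-Object { "  [!] $_" }
}
```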

IE Security Settings

As we all know, upgrades to IE sometimes come at you quicker than you can blink. There are many companies that are still running versions of IE back to IE 5. Although that is not recommended, it is something that needs to be addressed when it comes to securing a desktop that runs this version of IE. The good thing is that Group Policy can handle this, as there are general settings that can go back to older versions of IE, as well as specific settings for IE 5.

To find all of the areas for Internet Explorer, you will need to look under both the computer and user portion of the Group Policy. To start, let's go to the computer portion of the GPO. If you expand the GPO in the editor to Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer, you will find many settings here, as shown in Figure 3.

Figure 3. Internet Explorer settings under Computer Configuration.

When you look under the user portion, you will find many more settings for IE, as well as the specific settings for each version of IE. To start, go to User Configuration\Policies\Windows Settings\Internet Explorer Maintenance. This area allows you to import IE settings into the GPO from the computer where you are managing the GPO. Figure 4 shows you the areas that can be configured, and Figure 5 shows you the interface for importing the security zones and content ratings from the local computer into the GPO.

Figure 4. Internet Explorer maintenance settings under User Configuration.

Figure 5. Security zone and content ratings import dialog box.

There is a similar section for the user at the same location as the computer for controlling some portions of IE, which can be found at User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer. There are fewer settings in the user section, but this still gives you some great control over IE. The settings for this area of the GPO can be seen in Figure 6.

Figure 6. Internet Explorer settings under User Configuration.

Finally, there is an area of the GPO that controls specific versions of IE. You can find this section under User Configuration\Preferences\Control Panel Settings\Internet Settings. For this node in the GPO, you will right click on the Internet Settings node and then select the version of IE that you want to control. As long as you are editing the GPO on a Windows 7 or Windows Server 2008 R2 computer, you will see control for versions 5, 6, 7, and 8, which can be seen in Figure 7.

Figure 7. Group Policy Preference settings for Internet Explorer.

Misc Security Settings

Although Group Policy provides a slew of settings for general OS security and IE, there are even more settings available for securing your Windows desktop and server. Below is a list of security settings and where you can find them in a GPO.

Custom Registry Entries

- Computer Configuration\Preferences\Windows Settings\Registry
- User Configuration\Preferences\Windows Settings\Registry

Controlling Shared Folders

- Computer Configuration\Preferences\Windows Settings\Network Shares

ODBC Connection Settings and Credentials

- Computer Configuration\Preferences\Control Panel Settings\Data Sources
- User Configuration\Preferences\Control Panel Settings\Data Sources

Local User and Group Management

- Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
- User Configuration\Preferences\Control Panel Settings\Local Users and Groups

Scheduling Tasks

- Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks
- User Configuration\Preferences\Control Panel Settings\Scheduled Tasks

Controlling Services

- Computer Configuration\Preferences\Control Panel Settings\Services

Security Settings References

As you can clearly see, there are many areas within a GPO that control security, and some might say too many settings. That is understandable, especially for a new administrator who is not familiar with Group Policy. There is, however, an amazing set of reference documents available to help you find your setting and get information on what that setting does. The documents that I am referring to can be downloaded from the Microsoft Web site at: ff24cc2030fb&displaylang=en

Note that these are Excel spreadsheets and they give you some amazing information about the security settings within a GPO. There is a limitation in that they don't cover the Group Policy Preferences, but to be honest, those settings are so well presented in the interface that there is not much need for any guidance on what they provide.

Using Security Templates with Group Policy

Security templates have been around since Active Directory was first introduced. Security templates, as the name implies, are files that allow an administrator the luxury of configuring security settings before deployment. Security templates contain a large chunk of the settings that are also found in the security related area of the Computer Configuration portion of the GPO, which we covered earlier. Security templates contain the following areas of configuration:

- Account Policies
- Audit Policies
- User Rights
- Security settings
- Event log settings
- Restricted groups
- System Services
- Registry permissions
- File and folder permissions

The overall goal is for each security template that you create to hold a security baseline of settings. So, for example, you could have security templates for each of the different types of desktop and server that you have. Examples might include:

- IT desktops
- HR desktops
- Developer desktops
- Executives desktops

The above types of computers may have similar security settings, but each type might vary slightly. A security template can be generated for each type and then the security template will only target computers that meet the appropriate criteria.

Configuring Security Templates

After you have decided how many security templates you need, based on the security baselines of the different types of computers in your organization, you are ready to start creating the templates. To create and configure security templates, you will use the Security Templates snap-in within the MMC. To access the Security Templates snap-in from the MMC, follow these steps:

1. Click the Start button.
2. Select the Run menu option.
3. Type MMC into the text box and click the OK button.
4. Select Console from the Toolbar to get the menu options.
5. Select the Add-Remove snap-in menu option.
6. Click the Add button.
7. Select Security Templates from the Snap-ins list, and then click the Add button.
8. Click the Close button, and then click the OK button.
9. Expand the Security Templates node, and then expand the C:\Users\<username>\Documents\Security\Templates node to see the list of security templates, as shown in Figure 8.

Figure 8. Security templates snap-in showing the security templates.

Depending on the operating system that you are using to create the security templates, you might see some predefined security templates. You can use any Windows system to create and configure your security templates.

A great tip in the creation of the security templates is to use Excel to generate the raw settings. Then, take the Excel spreadsheets that were mentioned above, which define all of the security settings, as the foundation for the settings that are in the security template. This creates documentation for what should be configured in each security template for future reference.

To create security templates you will right-click on the C:\Users\<username>\Documents\Security\Templates node and select New Template. This will create a new, completely blank, template in this folder. I suggest giving the template a good name, such as HRSecurity or something appropriate, as well as a good description.

After you have created the new security template, you need to go down through each section of the security template configuring the different settings to match your security baseline. One method of streamlining the security template creation process is to use the spreadsheet of all of the security template baselines that you created. First, create a security template that consists of the common settings across all security templates. Once this security template is created, you can right click on it in the Security Templates snap-in and copy it. Once copied, you can just configure the small differences that make up the other templates.

Deploying Security Templates

Now that you have the baselines established for the different computers and you have each of the security templates configured for each baseline, you are ready to deploy the settings to your computers. There are three methods to accomplish this task. The first option is to manually deploy the security template to each computer. The second option is to use a command line tool to deploy the security template. The third option is to use Group Policy Objects to deploy the security template.

Manually Deploying Security Templates

I will initially stress that we are talking about establishing baselines on all of the computers in your environment, so this option is not recommended. However, I wanted to ensure that you were made aware this option existed. Here, you will use the Security Configuration and Analysis (SCA) snap-in. The snap-in is accessed in the same way as the Security Templates snap-in, except that you add the Security Configuration and Analysis snap-in to the MMC instead.

SCA can only work on the local computer, where you are working. It can't remotely configure a computer with the security template information. To configure the computer with the security template settings, you first need to create a database to hold the security template settings. To do this, just right click on the Security Configuration and Analysis node and select Open Database. This will provide you with an interface to select a name for the database and a security template. Select the security template that corresponds to the server baseline that you desire. After the database is created, you just need to configure the computer. To do this, right click on the SCA node and select the Configure Computer Now option.

Deploying Security Templates with a Command Line Tool

Another option for deploying your security baseline is to use the command line tool version of the SCA. The tool that you will run is the SECEDIT.EXE command line tool. You can run this tool at a command prompt on each computer, but this would be as time consuming as using the SCA itself. Another option is to put the command in a script and deploy the script to all of the computers. The deployment can be via login scripts, startup scripts, or your management program such as SMS. The command that you will run is:

    SECEDIT /configure /db db1.sdb /cfg sectemplatename.inf /log logname.log

This will configure the local computer using a database name of db1.sdb, a security template name of sectemplatename.inf, and a log file of logname.log. All three of these names are variables.

NOTE: The current directory will be used if no path is specified for each of the three filenames.

Deploying Security Templates with GPOs

Even though the first two options work, they are not scalable to an entire network of computers. The time and effort involved can negate the benefit of using the security template for establishing the baselines on the computers. Instead of these options, you can use GPOs to deploy the security templates. This does require a good Active Directory design, with organizational units (OUs) for each type of computer baseline. Once there are specific OUs in place, the computer accounts for the target computers need to be located in the correct OUs. Then, a GPO needs to be created for each security template and linked to the appropriate OU. Finally, the security template can be deployed.

The steps of creating OUs and moving computer accounts into them should be a task that every administrator is familiar with, and no auditor should be concerned about. As for working with the security template in the GPO, this also falls outside of the bounds of the auditor, but I will add the key steps in here, to illustrate the simplicity of the task and to show any administrator not familiar with how this is achieved.

To get the security template into the GPO, you will edit the GPO using either the Active Directory Users and Computers console or the Group Policy Management Console. Once you find the desired GPO in the console, you will edit the properties of the GPO. You should see an interface that looks something like Figure 9 when you are editing the GPO and importing a security template.

Figure 9. Typical GPO for importing a security template.

To access the menu shown in Figure 9, just right click on the Security Settings node. This will open up a browse list, allowing you to select the required security template. Once the security template is imported, just quit the group policy editor. The security template will deploy to the target computer in approximately 90 minutes or less. If it is a domain controller that is the target, it will receive the new settings in just a few minutes.

The true benefit of this method is the ease of deployment, the breadth of the target computers, and the persistence. Using GPOs also ensures that the settings are not altered using the local GPO. The GPOs at the OU level will supersede the local GPOs, so even the local administrator can't override these settings.
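Whichever of the three deployment methods is used, it is worth confirming on a target computer that the baseline actually took effect. The following PowerShell is an added example, not part of the original paper: it parses security template (.inf) text and reports every baseline setting whose effective value differs. The function names and the sample template contents are constructed for illustration; on a real computer the effective settings come from `secedit /export`.

```powershell
# Added example (not from the original paper): compare a security template
# with the settings a computer actually has, to confirm a baseline applied.

function ConvertFrom-SecurityTemplate {
    # Parses .inf text into @{ Section = @{ Name = Value } }.
    param([string[]] $Lines)

    $result  = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            continue
        }
        if ($null -eq $section) { continue }
        $pair = @($line -split '=', 2)
        if ($pair.Count -eq 2) { $result[$section][$pair[0].Trim()] = $pair[1].Trim() }
    }
    return $result
}

function Get-NormalizedValue([string] $Section, [string] $Value) {
    # User rights are unordered account lists, so compare them as sorted sets.
    # Entries must use the same form (SID or name) on both sides.
    if ($Section -ne 'Privilege Rights') { return $Value }
    return (($Value -split ',' | ForEach-Object { $_.Trim() } | Sort-Object) -join ',')
}

function Compare-SecurityBaseline {
    # Emits one object per baseline setting that is missing or different.
    param([hashtable] $Baseline, [hashtable] $Effective)

    foreach ($section in $Baseline.Keys) {
        if (@('Unicode', 'Version') -contains $section) { continue }   # file headers
        foreach ($name in $Baseline[$section].Keys) {
            $want = $Baseline[$section][$name]
            $have = $null
            if ($Effective.ContainsKey($section) -and $Effective[$section].ContainsKey($name)) {
                $have = $Effective[$section][$name]
            }
            $same = ($null -ne $have) -and
                    ((Get-NormalizedValue $section $want) -eq (Get-NormalizedValue $section $have))
            if (-not $same) {
                New-Object PSObject -Property @{
                    Section = $section; Setting = $name; Baseline = $want
                    Effective = $(if ($null -ne $have) { $have } else { '(not set)' })
                }
            }
        }
    }
}

# Constructed baseline template (stands in for sectemplatename.inf).
$baselineText = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Constructed export (stands in for the output of secedit /export).
$effectiveText = @'
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
'@

$baseline  = ConvertFrom-SecurityTemplate ($baselineText  -split "\r?\n")
$effective = ConvertFrom-SecurityTemplate ($effectiveText -split "\r?\n")

# On a real computer (elevated prompt), load the two tables like this instead:
#   secedit /export /cfg "$env:TEMP\effective.inf" /quiet
#   $effective = ConvertFrom-SecurityTemplate (Get-Content "$env:TEMP\effective.inf")
#   $baseline  = ConvertFrom-SecurityTemplate (Get-Content '.\sectemplatename.inf')

Compare-SecurityBaseline $baseline $effective |
    Select-Object Section, Setting, Baseline, Effective |
    Format-Table -AutoSize
```

With the constructed data, the password length and the SMB signing value are reported as drift, while the reordered user rights entry is treated as a match.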

Using Security Configuration Wizard

In an effort to increase security on servers, as well as make the configurations of the security settings easier, Microsoft released the Security Configuration Wizard (SCW) in Windows Server 2003 SP1 and continues to make the tool available. In Windows Server 2008, SCW is a default tool available in the Administrative Tools list.

SCW generates what are referred to as security policies. These policies contain the resulting security settings that you define when running the SCW tool. The policies can only be applied to servers, not to desktops. The goal of the SCW tool is to create security policies that can be applied to like servers, creating a consistent and stable security environment for all servers in the environment. In the end, there will be numerous security policies, similar to what we had in the above section of security templates.

SCW uses concepts such as roles and features, which have become very prevalent in Windows Server Roles are responsibilities that the server will undertake. Typically, roles are one or more Windows services that the server will have installed. Roles include Domain Controller, DNS Server, DHCP server, etc. Features are more like capabilities of the server. Features might include AD replication, Windows Update, DNS client, etc.

SCW is a fairly involved tool, providing you with many areas of security configuration. You can generate new security policies or work with existing security policies that have previously been created. The areas of configuration include services, network security, registry settings, administration and other server responsibilities.

Accessing the Security Configuration Wizard

For Windows Server 2003 SP1, the Security Configuration Wizard is not installed by default. You will need to go through the Add/Remove Windows Components applet in the Control Panel to install the Wizard. For Windows Server 2008, SCW is already installed when you install the server. You can find SCW in the Administrative Tools list. Once the tool is launched you will be presented with the screen shown in Figure 10.

Figure 10. Security Configuration Wizard welcome screen.

You should note the message that is highlighted with the yellow yield sign. The message indicates that the wizard will detect inbound ports that are being used by this server. This requires that all applications that use inbound ports be running before you run the Wizard and create the security policy. This is important because SCW takes the existing environment from the local server as the foundation for the starting point of the security policy. Ideally, you will either run this from a server image or test server in your environment.

Working with Security Policies

Most likely you will start by creating a new security policy. You have full control over which option you want to choose when you move from the Welcome Screen. Figure 11 shows you that you can create a new policy, edit an existing policy, apply an existing policy, or rollback the last applied policy.

Figure 11. You need to make an initial decision as to what you need to do with the security policy.

Security policies are created as XML files, stored in the C:\Windows\Security\msscw\policies folder by default. Since you will have numerous security policies, it is best to provide a good descriptive name for your policies.

The initial creation of a security policy is determined by the local server where you run SCW. SCW categorizes the different security configuration areas into different sections. These sections are organized and referenced within the Security Configuration Wizard interface using a security configuration database structure. You can view the security configuration database using the SCW Viewer, which can be seen in Figure 12.

Figure 12. The SCW Viewer allows you to see all of the settings that are configured in the security policy, without viewing the native XML.

Configuring the Security Policy

Once the security configuration database is generated, you will work within the Security Configuration Wizard to make the security settings that you desire for a server or group of servers. The Wizard will walk you gently through an assortment of sections related to that server's roles and functions. The following is a summary of the different sections that you will encounter as you configure the security policy.

Role-Based Service Configuration

This section provides a way to configure the services that are installed and available, based on the server's role and other features. The Wizard is not designed to install components or set up a server to perform specific roles. Instead, it is designed to enable services and open ports based on a list of server roles and client features.

NOTE: To install components or set up a server for a role, run the Configure Your Server Wizard or use the Server Manager in Windows Server 2008.

This section is broken down into subsections, which allow you to select server roles, client functions, services, etc. Here is a list of the subsections that you will encounter for the Role-Based service configuration section:

- Select Server Roles
- Select Client Features
- Select Administration and Other Options
- Select Additional Services
- Handling Specific Services
- Confirm Service Changes

When you have completed your selection of services, features, and other changes, you will be presented with a summary page. The summary page is key, as you will see the service name, the current startup mode, and the policy startup mode. Make sure that you are setting the correct services before moving on.

Network Security

This section is designed to configure inbound and outbound ports using Windows Firewall. The configurations will be based on the roles and administration options that were selected in the previous section, as well as custom settings you set at this point. You will also be able to restrict access to ports and configure port traffic to be signed or encrypted using IPSec. The selection of the ports is based on ports and applications that use specific ports, as can be seen in Figure 13.

Figure 13. Network Security is controlled by configuring the ports on the server.

If you select the View drop-down list, you will see that you can narrow down your selection, as the options might be a bit overwhelming at first. By choosing the View option, you can narrow the list by Rules by Selected Role, Rules Added by the User in SCW, Rules Auto-Generated by SCW, and Rules with Additional Restrictions.

Registry Settings

This section is designed to configure protocols used to communicate with computers on the network. Security for communication protocols is important due to legacy Windows operating systems requiring protocols that are vulnerable to password cracking and man-in-the-middle attacks. The key areas that are targeted in this section include:

- Require SMB Security Signatures
- Require LDAP Signing
- Outbound Authentication Methods
- Outbound Authentication using Domain Accounts
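A read-only check that can be run on a test server before and after applying the policy, added here as an example and not part of the original paper. The registry paths and value names are the standard Windows locations for these settings; which of them a given SCW answer changes is an assumption to confirm in a lab, and the function names are hypothetical.

```powershell
# Added example: report the current signing / authentication posture.
# Nothing is written to the registry; missing values mean the OS default applies.
$ProtocolChecks = @(
    @{ Setting = 'SMB server: require security signatures'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name    = 'RequireSecuritySignature'
       Meaning = @{ 0 = 'Signing not required'; 1 = 'Signing required' } },
    @{ Setting = 'SMB client: require security signatures'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name    = 'RequireSecuritySignature'
       Meaning = @{ 0 = 'Signing not required'; 1 = 'Signing required' } },
    @{ Setting = 'LDAP client signing'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Name    = 'LDAPClientIntegrity'
       Meaning = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' } },
    @{ Setting = 'LDAP server signing (domain controllers only)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name    = 'LDAPServerIntegrity'
       Meaning = @{ 1 = 'None'; 2 = 'Require signing' } },
    @{ Setting = 'LAN Manager authentication level'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name    = 'LmCompatibilityLevel'
       Meaning = @{ 0 = 'Send LM and NTLM responses'
                    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
                    2 = 'Send NTLM response only'
                    3 = 'Send NTLMv2 response only'
                    4 = 'Send NTLMv2 response only, refuse LM'
                    5 = 'Send NTLMv2 response only, refuse LM and NTLM' } }
)

function Get-ProtocolHardeningState {
    param([hashtable[]]$Checks = $ProtocolChecks)
    foreach ($c in $Checks) {
        $raw = $null
        if (Test-Path -Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $raw = $item.($c.Name) }
        }
        if ($null -eq $raw) {
            $state = 'Not set (operating system default applies)'
        } elseif ($c.Meaning.ContainsKey([int]$raw)) {
            $state = $c.Meaning[[int]$raw]
        } else {
            $state = "Unrecognized value $raw"
        }
        [pscustomobject]@{ Setting = $c.Setting; Value = $raw; State = $state }
    }
}

function Compare-ProtocolHardeningState {
    # Lists only the settings whose raw value differs between two snapshots.
    param([object[]]$Before, [object[]]$After)
    foreach ($a in $After) {
        $b = $Before | Where-Object { $_.Setting -eq $a.Setting }
        if ($b.Value -ne $a.Value) {
            [pscustomobject]@{ Setting = $a.Setting; Before = $b.State; After = $a.State }
        }
    }
}

# Snapshot before applying the policy; persist it so it survives a reboot.
$before = Get-ProtocolHardeningState
$before | Format-Table -AutoSize
# $before | Export-Clixml .\before.xml
# After applying the SCW policy on the test server:
# Compare-ProtocolHardeningState -Before (Import-Clixml .\before.xml) -After (Get-ProtocolHardeningState)
```

Any setting that moves to a "required" or "refuse" state in the comparison is one to test against the oldest clients and applications that talk to the server.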

I will give a warning here. First, an errant configuration at this point could prevent your server from communicating with any other computer on the network. Second, testing all settings is crucial, as some applications that might be running on your server(s) could fail to function properly after you modify network and other signing settings. Third, some clients might fail to communicate with the server if you modify the settings too strictly. Finally, if modifying a domain controller, be sure to test with all servers, clients, and applications before putting it into production. Make sure you read all "Learn more about" links on each page thoroughly before making any final decisions for these settings.

Audit Policy

This section will configure the auditing of the server based on your auditing objectives. The audit policy within the Wizard can be configured to not audit any events, audit only successful events, or audit both successful and unsuccessful events. The audit policy will allow you to configure all aspects of auditing, and not just the new Windows Server 2008 R2 Advanced auditing capabilities. Figure 14 illustrates what the audit policy will be for a server that should be auditing both successful and unsuccessful events.

Figure 14. Audit policy settings.

Internet Information Services

This section will only display if you selected the server to run the Web server role. This section is designed to configure the security aspects of Internet Information Services (IIS). The subsections that you will be shown for this section include:

- Select Web Service Extensions for Dynamic Content
- Select Virtual Directories to Retain
- Prevent Anonymous Users from Accessing Content Files

Using the Security Compliance Manager

SCM is the newest of the security tools produced by Microsoft. SCM is designed to help administrators meet the demands of internal and external security auditors and regulations for their Windows computers. SCM is a tool that will include most of the required security settings to meet regulatory compliance mandates.

SCM is not as complex as it might seem, compared to what it accomplishes. SCM was developed based on industry standards for what "secure" means, especially focusing on the key, high-risk areas of security for the Windows operating system. The big picture of SCM is the following:

1. SCM will allow you to categorize your Windows computers. Examples would be laptops, desktops, high secure desktops, servers, DMZ servers, domain controllers, etc.
2. Next, SCM will allow an administrator to create configuration files within SCM which target the key security settings on each of the computer categories defined in step 1.
3. After SCM creates the configuration files, the files can then be converted to Group Policy Objects. These Group Policy Objects will not be associated with the configuration files after they are created, but documentation can help keep track of which Group Policy Object was created from the associated configuration file.
4. Using Active Directory Organizational Units (OUs), the Group Policy Objects can be configured to just target the computers that meet the category related to the configuration settings.
5. Since Group Policy automatically updates computers after being linked to the OU, the settings in the Group Policy Object will configure the target computer(s) within a few hours of being linked to the OU.
6. SCM comes with Desired Configuration Management (DCM) packs which contain information about what the original security settings were.
7. Using System Center Configuration Manager (SCCM), an audit report can be created that keeps track of the computer security settings, tying back to the original security file created by SCM. There has also been a promise that this task can be done manually, without SCCM, but not enough testing has been done to prove this capability exists.
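Steps 3 to 5 scripted with the GroupPolicy PowerShell module, as an added example that is not from the paper or from SCM itself. It assumes the SCM baselines were exported as GPO backup folders; the backup names, export folder, OU paths and the function name are constructed placeholders.

```powershell
#Requires -Modules GroupPolicy
# Added example. Constructed mapping of computer category -> exported baseline -> OU.
$Baselines = @(
    [pscustomobject]@{ Category = 'Laptops';            BackupName = 'SCM-Laptop-Baseline'
                       TargetOU = 'OU=Laptops,DC=example,DC=com' },
    [pscustomobject]@{ Category = 'Desktops';           BackupName = 'SCM-Desktop-Baseline'
                       TargetOU = 'OU=Desktops,DC=example,DC=com' },
    [pscustomobject]@{ Category = 'Domain controllers'; BackupName = 'SCM-DC-Baseline'
                       TargetOU = 'OU=Domain Controllers,DC=example,DC=com' }
)
$BackupRoot = 'C:\SCM-Export'   # hypothetical folder holding the exported GPO backups

function Publish-ScmBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][object[]]$Baseline,
        [Parameter(Mandatory = $true)][string]$BackupPath
    )
    foreach ($b in $Baseline) {
        # Skip categories whose OU does not exist rather than failing halfway through.
        if (-not [adsi]::Exists("LDAP://$($b.TargetOU)")) {
            Write-Warning "OU not found, skipping $($b.Category): $($b.TargetOU)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($b.TargetOU, "Import and link '$($b.BackupName)'")) {
            # Step 3: turn the exported baseline into a live GPO (created if missing).
            $gpo = Import-GPO -BackupGpoName $b.BackupName -Path $BackupPath `
                              -TargetName $b.BackupName -CreateIfNeeded

            # The GPO keeps no link back to its SCM baseline, so record the origin
            # in the GPO description as the tracking documentation.
            $gpo.Description = "Imported from SCM baseline '$($b.BackupName)' " +
                               "for category '$($b.Category)' on $(Get-Date -Format 'yyyy-MM-dd')"

            # Step 4: link to the OU for that category unless the link already exists.
            $existing = (Get-GPInheritance -Target $b.TargetOU).GpoLinks |
                        Where-Object { $_.GpoId -eq $gpo.Id }
            if (-not $existing) {
                New-GPLink -Guid $gpo.Id -Target $b.TargetOU -LinkEnabled Yes | Out-Null
            }

            [pscustomobject]@{
                Category = $b.Category
                Gpo      = $gpo.DisplayName
                GpoId    = $gpo.Id
                LinkedTo = $b.TargetOU
            }
        }
    }
}

# Dry run first: shows what would be imported and linked without changing anything.
Publish-ScmBaseline -Baseline $Baselines -BackupPath $BackupRoot -WhatIf
```

Step 5 then happens on its own at the next Group Policy refresh; running `gpupdate /force` on a test computer in the target OU applies the settings immediately for verification.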

SCM Approach

SCM differs from all of the other security tools mentioned in this paper. The primary difference is that SCM is built on compliance regulations and the required security settings they mandate, such as SOX, HIPAA, GLBA, ITIL, FDCC, and more. It is these industry standards that all security professionals and auditors must adhere to, so it only makes sense that SCM leverages them.

Another difference between SCM and the other solutions is that SCM has a complete list of security settings that are defined in these industry standards, where the others were based on the existing Group Policy Object structure or some security settings defined internally by Microsoft.

Finally, one of the most impressive differences is that SCM has built-in capabilities to create Group Policy Objects from the security settings you define in SCM. This means that you don't need to use a command line, a different tool, or create the Group Policy Object from some other mechanism, as it is all built in to SCM.

Auditing and SCM

One of the most important portions of the SCM solution is auditing. The DCM packs that come with the SCM toolkit are immediately useable with SCCM. SCCM is not free and does require a bit of higher level knowledge beyond what SCM requires. SCCM is the replacement to MMS, which is an awesome tool! You just need someone in the environment that knows how to install, configure, troubleshoot and maintain SCCM.

Limitations of Group Policy, Security Templates, SCW, and SCM

Based on the last few sections of this paper, you can clearly see that there are many options available to configure security in a Windows environment. Some of the tools were for servers only and some were able to utilize Group Policy. Regardless of how the tool functioned or how it was implemented, one key factor is whether or not it implemented the full set of security settings that you desired.

Clearly, if you wanted to secure major areas of your Windows desktop and server, these tools could do a very good job. These are the security areas that most companies are concerned about and the tools we have covered control:

- Data protection
- File and folder management
- Network attacks
- Malware, adware, viruses
- Registry keys and values
- Registry permissions
- Local SAM
- Local applications
- Anonymous
- Authentication protocols
- Windows updates
- Control Panel and applet management
- Network communication, services, and connections
- Device and driver management
- System restore and backup
- Environment variables
- Scheduled Tasks
- Folder redirection
- Account Policies
- Audit Policies
- User Rights
- Security settings
- Event log settings
- Restricted groups
- System Services
- File and folder permissions
- Require SMB Security Signatures
- Require LDAP Signing
- Outbound Authentication Methods
- Outbound Authentication using Domain Accounts

Reducing User Privileges

The above list is rather impressive from a security standpoint. A novice or even seasoned professional might look at the list and think that there is not much left. However, there is one area that isn't covered, which is the ability to reduce user privileges and implement least privilege. The reduction of user privileges is one of the most difficult and troublesome areas in most corporations today. Figure 15 illustrates the coverage of Windows security options by Group Policy and the various tools, and highlights what is missing, in terms of managing applications that require administrative privileges.

Figure 15. Existing security tools don't allow for configuration of applications requiring administrative privileges.

The fact that any user outside of the IT department has local administrative privileges is a major issue, as that desktop cannot be controlled effectively by the IT staff.

Difficulty in Reducing User Privileges

The reduction in user privileges is difficult due to the complexity of what a user needs to perform in their day to day role. If you make a list of what a user typically needs on a regular basis, you will see the list is quite broad. Here is a list of some of the common tasks that a user may perform on a regular basis:

- Run privileged applications
- Run basic admin tasks (disk defrag, system clock, network configurations, etc)
- Install approved software
- Install devices and device drivers
- Install Active X Controls

Most companies are forced to place user accounts in the local Administrators group in order to grant users the ability to perform their daily activities. Once this is configured, the IT department has given the end user complete and ultimate control over the desktop.

Group Policy Extensions and Implementing Least Privilege

Group Policy Extensions

If a user is granted anything but least privilege to their desktop, the desktop becomes a security issue and will not meet any regulatory requirement.

Group Policy is designed to be extensible, which allows for new settings to be included in your existing Group Policy Objects. There are a number of third party vendors who extend Group Policy in this way. Group Policy Preferences is a good example of an extension to Group Policy that Microsoft introduced in recent years. As long as you run Windows XP SP2, Windows Server 2003 SP1 or greater, you can take advantage of Group Policy Preferences.

Imagine you want to control local user accounts, local group membership, system service user accounts, files, folders, mapped drives, and more with Group Policy? Now you can! With over 3000 individual settings that control over 20 different areas of a Windows computer, Group Policy Preferences has proven to be an amazing Group Policy extension. To read more about Group Policy Preferences, you can look at the following links:

Kit/dp/ X/ref=tag_tdp_ptcn_edpp_url/ Running-Today.html

Implementing Least Privilege with a Group Policy Extension

Privilege Guard by Avecto provides a solution to least privilege, which is implemented as an extension to Group Policy. Privilege Guard gives control back to the IT department by providing a solution that enables all users to perform their daily activities, but without granting them any local administrative privileges.

Privilege Guard provides policy settings to determine which applications should be elevated, and then assigns the relevant privileges to individual applications as they launch. The experience is seamless to the end user and does not require the user to have any local administrative privileges, and all elevated applications run under the context of the logged-on user.

Privilege Guard is configured using the Group Policy Management Console and Group Policy Editor and extends both the Computer Configuration and User Configuration nodes, as illustrated in Figure 16.

Figure 16. Privilege Guard provides centralized management of least privilege through the Group Policy Editor.

Standard Microsoft tools and Group Policy do not provide a solution for least privilege. Figure 17 shows how Privilege Guard allows individual applications, tasks and software installations to be granted the privileges they require, all under a standard user account.

Figure 17. Privilege Guard allows administrative tasks to run for standard users.

In addition to allowing applications to be elevated, Privilege Guard also provides comprehensive end user messaging, auditing of privileged applications and detailed monitoring of privileged operations. The latter can also be used to discover the applications that require administrative rights prior to implementing the least privilege solution.

Here is a complete list of the features available with Privilege Guard:

- Centralized management through Active Directory Group Policy
- Elevation or revocation of privileges for individual applications
- Application control enables whitelisting of trusted applications
- Comprehensive application support:
  - Executables
  - Control panel applets
  - Management console snap-ins
  - Windows installer packages
  - Windows Scripting Host scripts
  - Batch files
  - Registry settings
  - PowerShell scripts
  - ActiveX controls
- Application templates, for easy configuration of common Windows tasks, ActiveX controls and software updaters
- Flexible and secure application identification options:
  - File path matching
  - Command line matching
  - File hashing (SHA-1)
  - Trusted publisher (including support for the Windows security catalog)
- Optional shell extension enables users to elevate applications on demand
- Fully customizable and multi-lingual end user messaging
- Granular privilege control through custom access tokens
- Privilege Monitoring identifies applications that require admin rights to run
- Auditing of privileged and blocked applications

Summary

Securing a Windows network, servers and desktops is not the easiest task. Taking the time to learn all about each of the security areas, where to configure them and the options that are available is not trivial. Each company must make calculated decisions on which settings and levels of security will be established.

There are many tools available to help you make decisions on which security settings should be configured and their optimal settings. These tools range in scope, as some control many aspects of security, where others only focus on key areas. Most security tools in the Windows space utilize Group Policy to help deploy the settings, as Group Policy is a centralized mechanism that ensures these settings are deployed to all desktops.

The one major area of security that is not addressed by the standard Microsoft tools and Group Policy is least privilege. Allowing end users to have local administrative privileges introduces serious security concerns. Avecto Privilege Guard provides a solution to least privilege, which leverages Group Policy. This solution does not require any additional Active Directory updates, schema changes, or alterations to your domain controllers, as it is implemented as a Group Policy extension.

Using the Microsoft provided tools and Privilege Guard provides a complete Group Policy based solution for fully securing the desktop, while allowing users to perform their day to day tasks under a standard user account.


More information

Preparing Your Server for an MDsuite Installation

Preparing Your Server for an MDsuite Installation Preparing Your Server for an MDsuite Installation Introduction This document is intended for those clients who have purchased the MDsuite Application Server software and will be scheduled for an MDsuite

More information

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu Menu INTRODUCTION...2 HOW DO I DEPLOY MYUSBONLY ON ALL OF MY COMPUTERS...3 ADMIN KIT...4 HOW TO SETUP A LOGON SCRIPTS...5 Why would I choose one method over another?...5 Can I use both methods to assign

More information

Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop

Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop TABLE OF CONTENTS 1 INTRODUCTION... 3 2 LANDSCAPE DETAILS... 3 2.1 Server Details... 3 2.2 Landscape

More information

Test Note Phone Manager Deployment Windows Group Policy Sever 2003 and XP SPII Clients

Test Note Phone Manager Deployment Windows Group Policy Sever 2003 and XP SPII Clients Test Note Phone Manager Deployment Windows Group Policy Sever 2003 and XP SPII Clients Note: I have only tested these procedures on Server 2003 SP1 (DC) and XP SPII client, in a controlled lab environment,

More information

Using Logon Agent for Transparent User Identification

Using Logon Agent for Transparent User Identification Using Logon Agent for Transparent User Identification Websense Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with the Websense

More information

Group Policy for Beginners

Group Policy for Beginners Group Policy for Beginners Microsoft Corporation Published: April 2011 Abstract Group Policy is the essential way that most organizations enforce settings on their computers. This white paper introduces

More information

EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide

EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide BitLocker Deployment Guide Document Version 0.0.0.5 http://www.wave.com ERAS v 2.8 Wave Systems Corp. 2010 Contents Contents... 2

More information

VERITAS Backup Exec TM 10.0 for Windows Servers

VERITAS Backup Exec TM 10.0 for Windows Servers VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software

More information

HOTPin Integration Guide: DirectAccess

HOTPin Integration Guide: DirectAccess 1 HOTPin Integration Guide: DirectAccess Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; Celestix assumes no responsibility

More information

LepideAuditor Suite for File Server. Installation and Configuration Guide

LepideAuditor Suite for File Server. Installation and Configuration Guide LepideAuditor Suite for File Server Installation and Configuration Guide Table of Contents 1. Introduction... 4 2. Requirements and Prerequisites... 4 2.1 Basic System Requirements... 4 2.2 Supported Servers

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

XenDesktop Implementation Guide

XenDesktop Implementation Guide Consulting Solutions WHITE PAPER Citrix XenDesktop XenDesktop Implementation Guide Pooled Desktops (Local and Remote) www.citrix.com Contents Contents... 2 Overview... 4 Initial Architecture... 5 Installation

More information

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Microsoft Corporation Published: September 2009 Abstract This step-by-step guide describes a sample scenario for installing Microsoft

More information

Compliance series Guide to meeting requirements of USGCB

Compliance series Guide to meeting requirements of USGCB Compliance series Guide to meeting requirements of USGCB avecto.com Contents Introduction to USGCB 2 > From FDCC to USGCB 3 > USGCB settings and standard user accounts 3 > Application compatibility 4 >

More information

NETWRIX PASSWORD MANAGER

NETWRIX PASSWORD MANAGER NETWRIX PASSWORD MANAGER ADMINISTRATOR S GUIDE Product Version: 6.1 February/2012 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

TECHNICAL SUPPORT GUIDE

TECHNICAL SUPPORT GUIDE TECHNICAL SUPPORT GUIDE INTRODUCTION This document has been developed to provide a guideline for assisting our clients and their technicians with a standard Console Gateway Live configuration. IS THIS

More information

WINDOWS 7 & HOMEGROUP

WINDOWS 7 & HOMEGROUP WINDOWS 7 & HOMEGROUP SHARING WITH WINDOWS XP, WINDOWS VISTA & OTHER OPERATING SYSTEMS Abstract The purpose of this white paper is to explain how your computers that are running previous versions of Windows

More information

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015 Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this

More information

Pearl Echo Installation Checklist

Pearl Echo Installation Checklist Pearl Echo Installation Checklist Use this checklist to enter critical installation and setup information that will be required to install Pearl Echo in your network. For detailed deployment instructions

More information

Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies

Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies Microsoft Corporation Published: October 2007 Author: Dave Bishop Editor: Scott Somohano Technical Reviewers: Sarah

More information

DeviceLock Management via Group Policy

DeviceLock Management via Group Policy User Manual DeviceLock Management via Group Policy SmartLine Inc 1 Contents Using this Manual...3 1. General Information...4 1.1 Overview...4 1.2 Applying Group Policy...5 2. DeviceLock Service Deployment...6

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Active Directory. Users & Computers. Group Policies

Active Directory. Users & Computers. Group Policies Active Directory Users & Computers Policies Users & Computers domains domain trusted domains, trusting domains subdomains tree of domains forest of trees s s in Active Directory are directory objects that

More information

Windows Domain Network Configuration Guide

Windows Domain Network Configuration Guide Windows Domain Network Configuration Guide Windows Domain Network Configuration Guide for CCC Pathways Copyright 2008 by CCC Information Services Inc. All rights reserved. No part of this publication may

More information

4cast Client Specification and Installation

4cast Client Specification and Installation 4cast Client Specification and Installation Version 2015.00 10 November 2014 Innovative Solutions for Education Management www.drakelane.co.uk System requirements The client requires Administrative rights

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

Omgeo OASYS Workstation Installation Guide. Version 6.4 December 13, 2011

Omgeo OASYS Workstation Installation Guide. Version 6.4 December 13, 2011 Omgeo OASYS Workstation Installation Guide Version 6.4 December 13, 2011 Copyright 2011 Omgeo LLC. All rights reserved. This publication (including, without limitation, any text, image, logo, compilation,

More information

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide Symantec Backup Exec TM 11d for Windows Servers Quick Installation Guide September 2006 Symantec Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Symantec, Backup Exec, and the Symantec

More information

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide Novell Storage Manager 3.1.1 for Active Directory Installation Guide www.novell.com/documentation Installation Guide Novell Storage Manager 3.1.1 for Active Directory October 17, 2013 Legal Notices Condrey

More information

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון 79165 טל'- 08-6801535 פקס- 08-6801543 בשיתוף עם מכללת הנגב ע"ש ספיר

המרכז ללימודי חוץ המכללה האקדמית ספיר. ד.נ חוף אשקלון 79165 טל'- 08-6801535 פקס- 08-6801543 בשיתוף עם מכללת הנגב עש ספיר מודולות הלימוד של מייקרוסופט הקורס מחולק ל 4 מודולות כמפורט:.1Configuring Microsoft Windows Vista Client 70-620 Installing and upgrading Windows Vista Identify hardware requirements. Perform a clean installation.

More information

WhatsUp Event Analyst v10.x Quick Setup Guide

WhatsUp Event Analyst v10.x Quick Setup Guide WhatsUp Event Analyst v10.x Quick Setup Guide Contents WhatsUp Event Analyst Quick Setup Guide WhatsUp Event Analyst Quick Setup Guide... 2 Installation Requirements... 3 Before You Begin... 4 Microsoft

More information

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) ( SAFETICA INSIGHT INSTALLATION MANUAL SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies

More information

Administration Quick Start

Administration Quick Start www.novell.com/documentation Administration Quick Start ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Last revised: November 12, 2014 Table of Contents Table of Contents... 2 I. Introduction... 4 A. ASP.NET Website... 4 B.

More information

NetWrix Password Manager. Quick Start Guide

NetWrix Password Manager. Quick Start Guide NetWrix Password Manager Quick Start Guide Contents Overview... 3 Setup... 3 Deploying the Core Components... 3 System Requirements... 3 Installation... 4 Windows Server 2008 Notes... 4 Upgrade Path...

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Getting Started

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Getting Started Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Getting Started Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

Using Windows Administrative Tools on VNX

Using Windows Administrative Tools on VNX EMC VNX Series Release 7.0 Using Windows Administrative Tools on VNX P/N 300-011-833 REV A01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright 2011 -

More information

Setup and Configuration Guide for Pathways Mobile Estimating

Setup and Configuration Guide for Pathways Mobile Estimating Setup and Configuration Guide for Pathways Mobile Estimating Setup and Configuration Guide for Pathways Mobile Estimating Copyright 2008 by CCC Information Services Inc. All rights reserved. No part of

More information

NETWRIX WINDOWS SERVER CHANGE REPORTER

NETWRIX WINDOWS SERVER CHANGE REPORTER NETWRIX WINDOWS SERVER CHANGE REPORTER INSTALLATION AND CONFIGURATION GUIDE Product Version: 4.0 March 2013. Legal Notice The information in this publication is furnished for information use only, and

More information

Getting Started Guide

Getting Started Guide Getting Started Guide Contacting ScriptLogic Contacting ScriptLogic ScriptLogic may be contacted about any questions, problems or concerns you might have at: ScriptLogic Corporation 6000 Broken Sound Parkway

More information

Symantec AntiVirus Corporate Edition Patch Update

Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information