Computer Security - Windows Security - Lec III
Uploaded by sferdinandes510

Lessons 03: Windows Security – Part I

Computer Security Module


Kushan Sharma
[email protected]
Authentication
◼ The process by which people prove they are who they say they are.
◼ It is composed of two parts:
◼ A public statement of identity (usually in the form of a username)
◼ A private response to a challenge (such as a password).
◼ Authentication is the combination of the two.
◼ The secret response to the authentication challenge can be based on one or more factors:
◼ Something you know (a secret word, number, or passphrase, for example)
◼ Something you have (such as a smartcard, ID tag, or code generator)
◼ Something you are (a biometric factor such as a fingerprint or retinal print)
◼ Single-factor authentication is not considered a strong authentication method, because a password can be intercepted (e.g. by a man-in-the-middle attack) or stolen (e.g. by a keylogger).

Prepared by: Kushan Sharma 2


Use Alternatives to Passwords
◼ Multifactor authentication refers to using two or more methods of checking identity.
◼ Two-factor authentication enhances security with a combination of:
◼ Something you know
◼ Something you have
◼ Something you are
◼ Tokens, biometrics, smart cards, and third-party products can be smoothly integrated into a Windows enterprise.
◼ Smart cards can be integrated with a certificate authority (CA).


Authentication
◼ Early computer systems did not require passwords. Whoever physically possessed the system could use it.
◼ Often, passwords were stored in the database in plaintext (unencrypted), because protecting them was not really a high priority.
◼ Later, these passwords were stored in encrypted form.
◼ Later still, a one-way function was used to convert the password into a hash, which was then stored.
◼ Today, many off-the-shelf applications use the central authentication system already in use by the organization, such as Lightweight Directory Access Protocol (LDAP).


Exercise 01:
◼ What are the differences between LDAP (Lightweight Directory Access
Protocol) and Active Directory (AD)?
◼ LDAP is an application protocol for querying and modifying items in
directory service providers like Active Directory.
◼ AD is a directory services database, and LDAP is one of the protocols you
can use to talk to it.
◼ LDAP is a standard, AD is Microsoft's (proprietary) implementation (and
more).
◼ Directory Service is a software system that stores, organises, and provides
access to information in a computer operating system's directory. In
software engineering, a directory is a map between names and values. It
allows the lookup of named values, similar to a dictionary.



CHAP and MS-CHAP
◼ Challenge Handshake Authentication Protocol (CHAP).
◼ The exchange cannot easily be intercepted and replayed.
◼ The password is never sent on the line in a form from which an eavesdropper can recover it.
◼ CHAP protects the password with a one-way function (MD5) instead of sending it.
◼ Note that the use of a random string (the challenge) is critical to CHAP's successful operation.
◼ CHAP does not provide mutual authentication.
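
The CHAP exchange described above, as an added example that is not part of the original lecture: the peer proves knowledge of the shared secret by returning MD5(identifier || secret || challenge), as RFC 1994 specifies, and the authenticator issues a fresh random challenge for every attempt and accepts each one at most once. The shared secret and the identifier counter are constructed for the demo; the replay check at the end shows why the random string matters.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; in CHAP both peers already hold it.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5 over Identifier || secret || challenge.

    The secret itself never goes on the wire; only this one-way digest does.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the handshake.

    Every attempt gets a fresh random challenge, and each challenge can be
    answered at most once, so a response captured off the wire is useless later.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0
        self._outstanding = {}  # identifier -> challenge still awaiting an answer

    def challenge(self) -> tuple:
        self._identifier = (self._identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)  # the random string CHAP depends on
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)  # consume it: one shot
        if chal is None:
            return False  # unknown, expired or already-answered challenge
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(client_secret: bytes = SHARED_SECRET):
    """One full handshake; returns (server, identifier, response, accepted)."""
    server = ChapAuthenticator(SHARED_SECRET)
    ident, chal = server.challenge()
    response = chap_response(ident, client_secret, chal)  # computed by the peer
    return server, ident, response, server.verify(ident, response)


def replay_is_rejected() -> bool:
    """A response recorded off the wire does not authenticate a second time."""
    server, ident, response, accepted = run_exchange()
    # Replaying the old pair against the consumed challenge fails, and so does
    # replaying it against a brand-new challenge: the random string has changed.
    replay_old = server.verify(ident, response)
    new_ident, _new_chal = server.challenge()
    replay_new = server.verify(new_ident, response)
    return accepted and not replay_old and not replay_new


if __name__ == "__main__":
    print("legitimate logon accepted:", run_exchange()[3])
    print("wrong secret accepted:", run_exchange(b"guess")[3])
    print("replay rejected:", replay_is_rejected())
```

Nothing in the exchange lets the peer tell whether the authenticator is genuine, which is the gap Exercise 02 and MS-CHAPv2 address.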


Exercise 02:
◼ CHAP is susceptible to a person-in-the-middle attack. Briefly explain.
◼ Suppose an eavesdropper were to insert themselves between the client and the server. The eavesdropper would pass all of the messages shown on the visual to the intended receiver (either client or server), but then kick the "real" client off as soon as the login was successful. Most users would merely think that the line had dropped and would then dial in again.


CHAP and MS-CHAP
◼ With CHAP, the client does not verify the authenticity of the server.
◼ Version 2 of MS-CHAP (MS-CHAPv2) requires mutual authentication.
◼ The user must authenticate to the server, and the server must also prove its identity.
◼ The server encrypts a challenge sent by the client.
◼ MS-CHAPv2 has been found to be vulnerable to brute-force attacks.
◼ MS-CHAPv2 is now completely broken.
◼ https://github.com/moxie0/chapcrack

Microsoft Network Authentication Protocols
◼ Provide a method to authenticate a user or computer against a remote credentials store.
◼ Many remote authentication protocols are based on a challenge-response mechanism, e.g. MS-CHAP.
◼ Other network authentication protocols use a trusted third-party system, which is the architecture of Microsoft's current core authentication protocol, Kerberos.
◼ Native Microsoft network authentication protocols:
◼ LM (LAN Manager) Challenge-Response
◼ NTLM Challenge-Response
◼ NTLMv2 Challenge-Response
◼ Kerberos


LM & NTLM Challenge-Response
◼ LM was the primary remote authentication protocol for Windows versions prior to Windows NT.
◼ The answer (response) that a client provides to the server's challenge is generated from the weak LM hash.
◼ LM passwords are limited to 14 characters.
◼ With LM, the passwords themselves are not stored by the operating system.
◼ Instead, the passwords are hashed with the LAN Manager one-way function (OWF).
◼ With NTLM, the primary difference was the inclusion of a second response using the NT hash.
◼ If the account's password supports an LM hash, the NTLM response from the client will include two answers:
◼ An answer based on the LM hash
◼ Another based on the NT hash.
◼ If the password is a strong password that the LM hashing algorithm cannot handle, only an answer based on the NT hash will be provided.


Lack of Mutual Authentication with LM & NTLM
◼ The LM and NTLM challenge-response protocols only authenticate the client.
◼ It is therefore possible to reveal sensitive authentication information to a rogue server.
◼ How the LMv1/NTLMv1 challenge-response process works:
◼ A logon request is made to authenticate to the server.
◼ The server replies with a challenge: "answer this based on your password hash."
◼ The client has the password hash (the LM hash for LM challenge-response and the NT hash for NTLM challenge-response), so it computes the response to the challenge from the password hashes.


Resolve Mutual Auth with NTLMv2 & LMv2

◼ NTLMv2 and LMv2 provide mutual authentication.
◼ NTLMv2 uses only the NT hash to calculate the response to the server.
◼ Steps 1 and 2 are the same as with LM and NTLM.
◼ In step 3, the client returns an answer to the server that is based on the server's challenge AND a challenge provided by the client.
◼ If the server is legitimate, it can easily verify the answer using the hash, its challenge, and the client's challenge.


Reflective & Relay Attacks
◼ Reflective attack:
◼ The rogue server effectively turns the tables on the client and forces the client to inadvertently provide the authentication answer to the rogue server, which allows it to connect right back to the client machine.
◼ This particular issue has been resolved with Microsoft patch MS08-068.
◼ The patch prevents an SMB client from answering challenges that its own SMB server service has recently issued.

Reflective & Relay Attacks
◼ Relay attack:
◼ The relay attack still co-opts the client to answer a challenge, but this time the rogue server passes the answer to a third machine in order to gain access.
◼ Relaying tools have been around for a while.
◼ The solution for the reflective attack will not help with the relay attack. It would not be feasible for all clients in a particular domain to keep track of each other's challenges.
◼ The protection against the relay attack is a feature called "Extended Protection for Authentication" (EPA).
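
An added example, not part of the lecture, covering two of the slides above: the NTLMv2 response shape (the answer is an HMAC-MD5 keyed with the NTLMv2 hash over the server's challenge plus a client-supplied blob carrying the client's own challenge and a timestamp) and the MS08-068 behaviour, where a host that is both SMB client and SMB server refuses to answer a challenge its own server service recently issued. Assumptions: the NT hash (really MD4 of the UTF-16LE password) is replaced by SHA-256 because MD4 is absent from many OpenSSL builds, the blob is simplified to timestamp plus client nonce, and the account, domain and password are constructed. The server here verifies against a local copy of the key; in a domain it would pass the exchange through to a DC.

```python
import hashlib
import hmac
import secrets
import struct
import time


def nt_hash_stand_in(password: str) -> bytes:
    # The real NT hash is MD4 over the UTF-16LE password. MD4 is missing from
    # many OpenSSL builds, so SHA-256 stands in; the protocol shape is unchanged.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def ntlmv2_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # The response covers the server's challenge AND the client-supplied blob.
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


class Host:
    """A Windows machine acting as SMB client and SMB server at the same time.

    The constructed account exists locally on every host in this demo so a
    server can verify responses itself; a domain member would pass the
    exchange through to a DC instead.
    """

    def __init__(self, user: str, domain: str, password: str):
        self.key = ntlmv2_key(nt_hash_stand_in(password), user, domain)
        self.issued = set()  # challenges our own server service has handed out

    # --- server side -------------------------------------------------------
    def issue_challenge(self) -> bytes:
        chal = secrets.token_bytes(8)
        self.issued.add(chal)
        return chal

    def verify(self, server_challenge: bytes, proof: bytes, blob: bytes) -> bool:
        self.issued.discard(server_challenge)  # this challenge is now spent
        expected = ntlmv2_proof(self.key, server_challenge, blob)
        return hmac.compare_digest(expected, proof)

    # --- client side -------------------------------------------------------
    def answer(self, server_challenge: bytes):
        # MS08-068 behaviour: never answer a challenge that our own SMB server
        # service issued recently; a challenge coming back is the reflection sign.
        if server_challenge in self.issued:
            raise PermissionError("challenge originated from this host; refusing to answer")
        client_challenge = secrets.token_bytes(8)  # NTLMv2's second nonce
        blob = struct.pack("<Q", int(time.time())) + client_challenge  # simplified blob
        return ntlmv2_proof(self.key, server_challenge, blob), blob


def legitimate_logon(password: str = "Example-Pa55w0rd") -> bool:
    """Client and file server each hold the constructed local account."""
    client = Host("alice", "CORP", password)
    fileserver = Host("alice", "CORP", "Example-Pa55w0rd")
    chal = fileserver.issue_challenge()
    proof, blob = client.answer(chal)
    return fileserver.verify(chal, proof, blob)


def reflection_is_refused() -> bool:
    """A challenge that came out of the host's own server is never answered."""
    host = Host("alice", "CORP", "Example-Pa55w0rd")
    reflected = host.issue_challenge()  # handed to an inbound connection
    try:
        host.answer(reflected)  # the same value is now offered to the client side
    except PermissionError:
        return True
    return False
```

The refusal only works because the host remembers what its own server issued; a challenge generated by a third machine is not in that set, which is exactly why the relay case on the next slide needs a different control (EPA).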


The Big Problem: Poor Design of LM & NTLM
◼ Difficult to secure in a domain environment, as these protocols use "pass-through" authentication.
◼ This allows a rogue server to be the "man in the middle" of the authentication exchange, as shown here:
◼ The problem is that the answer is still sensitive, and when the server is compromised, the domain credentials are put at risk by exposing the answer.


The Big Fix: Kerberos to the Rescue
◼ A trusted third-party architecture is in place.
◼ The authentication happens directly between the client and the authentication store (the DC).
◼ Upon successful authentication, a ticket is granted to the client, who then presents it to the server for access.


Steps of Kerberos
◼ Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authorization Server requesting a ticket-granting ticket (TGT).
◼ Step 2: The Authorization Server verifies the user's access rights in the user database and creates a TGT and session key. The Authorization Server encrypts the results using a key derived from the user's password and sends a message back to the user workstation. The workstation prompts the user for a password and uses the password to decrypt the incoming message. When decryption succeeds, the user will be able to use the TGT to request a service ticket.
◼ Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, realm name and a timestamp. The user proves their identity by sending an authenticator encrypted with the session key received in Step 2.
◼ Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The returned message contains two copies of a server session key: one encrypted with the client password, and one encrypted with the service password.
◼ Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service.
◼ Step 6: If mutual authentication is required, then the server will reply with a server authentication message.
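
The six steps above, as an added simulation that is not part of the lecture: a KDC plays both the authentication server and the TGS, the workstation derives its key from the password, the TGT is sealed under the KDC's own key, the service ticket under the service's key, and the mutual-authentication reply can only be produced by a holder of the ticket's session key. Assumptions: `seal`/`unseal` is a toy encrypt-then-MAC stand-in for the Kerberos encryption types, the principal `alice`, the SPN `cifs/fs1.corp.example.org` and all passwords are constructed, and the client's copy of the service session key in step 4 is sealed under the session key obtained in step 2.

```python
import hashlib
import hmac
import json
import secrets
import time

LIFETIME = 600  # ticket lifespan in seconds (constructed value)


# --- toy sealing, a stand-in for Kerberos encryption types ------------------
def derive_key(password: str) -> bytes:
    """Stand-in for string-to-key: a key derived from the password."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object; only a holder of `key` can open it."""
    plain = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed (wrong key or tampered message)")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


# --- the KDC: Authentication Server and Ticket Granting Service in one ------
class KDC:
    def __init__(self, users: dict, services: dict):
        self.users = {u: derive_key(p) for u, p in users.items()}
        self.services = {s: derive_key(p) for s, p in services.items()}
        self.tgs_key = secrets.token_bytes(32)  # the krbtgt secret

    def as_exchange(self, user: str):
        """Steps 1-2: a TGT plus the session key, sealed under the user's key."""
        sk, exp = secrets.token_hex(32), time.time() + LIFETIME
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": exp})
        return tgt, seal(self.users[user], {"sk": sk, "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Steps 3-4: check TGT and authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        if a["user"] != t["user"] or abs(time.time() - a["ts"]) > 300 or time.time() > t["exp"]:
            raise PermissionError("authenticator does not match TGT, or TGT expired")
        svc_sk, exp = secrets.token_hex(32), time.time() + LIFETIME
        ticket = seal(self.services[service], {"user": t["user"], "sk": svc_sk, "exp": exp})
        return ticket, seal(sk, {"sk": svc_sk, "exp": exp})


class Service:
    def __init__(self, password: str):
        self.key = derive_key(password)  # shared only with the KDC

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """Steps 5-6: validate the ticket, then prove our own identity back."""
        t = unseal(self.key, ticket)
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        if a["user"] != t["user"] or time.time() > t["exp"]:
            raise PermissionError("ticket/authenticator mismatch or expired ticket")
        return seal(sk, {"ts": a["ts"]})  # only a holder of the ticket key can do this


def logon_and_access(kdc: KDC, service: Service, spn: str, user: str, password: str) -> bool:
    """Workstation side of all six steps; True when mutual authentication succeeds."""
    tgt, enc = kdc.as_exchange(user)                                          # 1-2
    sk = bytes.fromhex(unseal(derive_key(password), enc)["sk"])               # wrong password -> ValueError
    ts = time.time()
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": ts}), spn)  # 3-4
    svc_sk = bytes.fromhex(unseal(sk, enc2)["sk"])
    reply = service.ap_exchange(ticket, seal(svc_sk, {"user": user, "ts": ts}))    # 5-6
    return unseal(svc_sk, reply)["ts"] == ts


def demo(password: str = "alice-passphrase") -> bool:
    kdc = KDC({"alice": "alice-passphrase"}, {"cifs/fs1.corp.example.org": "fs1-service-secret"})
    fs1 = Service("fs1-service-secret")
    return logon_and_access(kdc, fs1, "cifs/fs1.corp.example.org", "alice", password)


def wrong_password_fails() -> bool:
    """Step 2 in reverse: a wrong password cannot open the AS reply."""
    try:
        demo("wrong-passphrase")
    except ValueError:
        return True
    return False
```

Note what the password never does here: it is used once, locally, to open the AS reply; everything after that runs on session keys, and the file server never sees anything derived from the password at all.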


Exercise 04:
◼ Can you just use Kerberos and completely disable the LM/NTLM protocols in your organization's IT infrastructure?

The following situations still require NTLM:

◼ The client is authenticating to a server using an IP address. Example:
◼ When a specific IP address is used to connect to a host.
◼ Windows reverts to NTLM when the IP address is used, because Kerberos is based on host names.
◼ The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust.
◼ The client authenticates to a server that doesn't belong to a domain.
◼ A firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few).


Local Security Policy
◼ View and modify local security policy such as user rights and audit policies.
◼ Go to: Start menu -> Control Panel -> Administrative Tools -> Local Security Policy.


Recommendations
◼ Enable the feature to block NTLM authentication where possible.
◼ In situations where you must use NTLM, make sure to enforce NTLMv2 and refuse LM and NTLM, as shown here:
◼ If you must lower your setting further:
◼ Be sure that you are using a password longer than 14 characters to prevent the storage of the LM hash; then the worst you can do is NTLMv1 rather than LMv1.
◼ This makes a rainbow-table or brute-force attack against your NTLMv1 challenge/response more difficult.


Recommendations
◼ Enforce the use of Kerberos whenever possible.
◼ Here is an example policy which denies outgoing NTLM authentication to all servers, with the configured exception of 192.168.6.12.
◼ Please refer to the article below for more configuration options:
◼ https://blogs.technet.microsoft.com/askds/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7/


Exercise 05:
◼ How do you quickly apply a security configuration, maintain it, transfer it to another computer, and analyze either its impact or the current computer's compliance with an existing security policy?


Security Configuration and Analysis
◼ These tools can be used together to flexibly and automatically configure security for a standalone Windows XP Professional, Windows Server 2003, or Windows Server 2008 computer.
◼ Security Templates and Security Configuration and Analysis provide a flexible and easy platform to work with policy configuration.
◼ Security Templates are simply configuration files that provide settings (or mark them "undefined") for the major security configuration choices. You use the Security Templates console to copy default templates, modify settings, and create your own templates.
◼ Microsoft provides the default templates and additional downloadable ones.
◼ Many other templates are provided free of charge by various third-party organizations.


Security Configuration and Analysis
◼ The MMC snap-in provides the ability to load any template into its database and then either "apply" the security configuration to the local computer or compare the database settings with the actual settings on the local machine.
◼ Add, Remove, and Organize Snap-ins and Extensions in MMC 3.0
◼ Applies to: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012, Windows Vista
◼ A command-line tool included with Windows, secedit, can also be used to analyze or configure the machine:
secedit /analyze /db filename [/cfg filename] [/overwrite] [/log filename] [/quiet]


Security Configuration and Analysis
◼ The configuration choices exposed in a template include the following:
◼ Account policies: Password Policy, Account Lockout Policy, and, for domain controllers, Kerberos Policy
◼ Local policies: Audit Policy, Security Options (registry settings that harden the system), User Rights
◼ Event log: configure event log size and retention methods
◼ Restricted groups: restrict group membership
◼ System services: set service startup or disable services; also, specify who can start and stop them
◼ Registry: permission settings on registry keys
◼ File system: permission settings on files and folders
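
The "compare the database settings with the actual settings" step of the last three slides, as an added example that is neither Microsoft's code nor part of the lecture: a baseline template and a current-settings export in the secedit `.inf` layout are parsed and every baseline setting is checked against the machine, the way `secedit /analyze` does. Both `.inf` texts are constructed; the section names (`[System Access]`, `[Registry Values]`) and the `LmCompatibilityLevel` value line follow the real template layout, while the numbers are just the demo's drift. A setting the machine does not define at all is reported as "undefined", which is how the snap-in shows it.

```python
import configparser

# Constructed baseline template in the secedit .inf layout (a small subset of
# the sections a real template carries).
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 15
PasswordComplexity = 1
LockoutBadCount = 10
EnableGuestAccount = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of a machine's current settings (what the snap-in or
# `secedit /export` hands back); three settings drift from the baseline.
CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 10
EnableGuestAccount = 1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,3
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text: str) -> dict:
    """Parse INI-style template text into {section: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep registry paths case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _norm(value):
    # Templates quote some string values; compare without the quotes.
    return None if value is None else value.strip().strip('"')


def analyze(baseline: dict, current: dict, sections=("System Access", "Registry Values")):
    """Compare like secedit /analyze: every baseline setting is checked against
    the machine's value; a setting the machine lacks is reported as undefined.
    Returns a list of (section, setting, expected, actual) mismatches."""
    findings = []
    for section in sections:
        for setting, expected in baseline.get(section, {}).items():
            actual = current.get(section, {}).get(setting)
            if _norm(actual) != _norm(expected):
                findings.append((section, setting, _norm(expected), _norm(actual)))
    return findings


def compliance_findings():
    """Run the constructed baseline against the constructed current export."""
    return analyze(parse_template(BASELINE_INF), parse_template(CURRENT_INF))


if __name__ == "__main__":
    for section, setting, expected, actual in compliance_findings():
        print(f"[{section}] {setting}: expected {expected}, found {actual or 'undefined'}")
```

The `LmCompatibilityLevel` line is the registry value behind the "refuse LM & NTLM, send NTLMv2 only" recommendation earlier in the deck, so a drift there is exactly the kind of finding the analysis is meant to surface before it reaches a GPO.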


Security Configuration & Analysis: Snap In


Do Not Configure Non-File Servers to Use File and Printer Sharing

◼ Desktop systems do not need to share folders on the network.
◼ To enable or disable the File and Printer Sharing exception:
◼ Using the graphical user interface
◼ Using the command prompt


Don’t Allow Remote Connections
◼ Disable Remote Desktop in System Properties unless you plan to use it for support, and disable startup and shutdown sounds.


Disable Windows Services That Are Unnecessary
◼ The best way to turn off an unwanted service is to set its "Startup Type" to "Disabled."
◼ Some services can't be stopped once they have already started.
◼ Thus, setting them to Disabled and rebooting the system is the best way to turn them off.
◼ You can do this within the Services Management interface (services.msc), or within the service security portion of Group Policy Management (Computer Configuration\Windows Settings\Security Settings).
◼ Another option is to start the Security Templates MMC snap-in, set the Startup Types you want in a security template file, and import that template into a Group Policy Object (GPO).
◼ Before getting rid of all of these, you should test first to make sure that any needed functionality is retained.




Securely Configure Remaining Software
◼ Take the following actions on all computers:
◼ Apply the latest approved service pack and ensure any newly installed
software is fully updated with the latest patches.
◼ Rename the default Administrator account.
◼ This way attackers and malware will have a harder time trying to break in.
Having to guess the name and password makes their job harder.
◼ Disable the built-in Guest Account. It’s not needed for anything, and it’s
commonly exploited by attackers and malware.
◼ In Windows Explorer folder options, select Display Full Path in the Title Bar
and uncheck Hide Extensions for Known File Types.
◼ These settings help the end user confirm that they are working with the correct
files and applications.
◼ Set strong permissions on Windows shares. Shares are connection points to
Windows file systems and a necessary part of Windows networks.
◼ Eliminate or reduce anonymous access.



Lessons 03: Windows Security – Part II

Computer Security Module


Kushan Sharma
[email protected]
Exercise 01:
◼ What is a directory service?
◼ A way to store, manage, and access information about many different network objects.
◼ It integrates different NOSs (network operating systems) into one system that can be centrally administered and accessed.
◼ The directory database contains entries that store information about network objects in containers organized into a hierarchical tree structure, and provides information to network services and clients.


Active Directory
◼ Active Directory is a network protocol that provides an organization with a mechanism by which it can organize its people into sub-organizations or organizational units (OUs).


Active Directory Facilitates
◼ Identity and Access (IDA):
◼ Integrates people, processes, and technology in an organization.
◼ An effective IDA infrastructure ensures that the right people have access to the right resources at the right time.
◼ Beyond Identity and Access:
◼ Policy-based administration eases the management burden of even the largest, most complex networks by providing a single point at which to configure settings that are then deployed to multiple systems.
◼ Replication services distribute directory data across a network. This includes both the data store itself and the data required to implement policies and configuration, including logon scripts.


Directory Service Tree
◼ Using standards minimizes confusion as:
◼ More servers,
◼ More users, and
◼ New directory tree objects appear.
◼ Design approaches involve reflecting:
◼ The actual organizational structure,
◼ Geographic locations,
◼ Or a combination of the two approaches.


AD DOMAIN VS DNS NAME
◼ The AD domain name is NOT the same as the DNS name.
◼ AD domain names are mainly used within AD operations, mostly LDAP queries for AD functionality.
◼ DNS is rather a network-level solution for name resolution.
◼ The difference allows you to use an 'internal', private AD domain name and a public, registered DNS name.
◼ For example:
◼ AD domain name: CORP
◼ DNS name: corp.example.org


Configure Active Directory Domain Controller



Components of an Active Directory Infrastructure
◼ Domain: A domain is an administrative unit within which certain capabilities and characteristics are shared.
◼ Forest: A collection of one or more Active Directory domains. The first domain installed in a forest is called the forest root domain.
◼ Tree: The DNS namespace of domains in a forest creates trees within the forest.
◼ If a domain is a subdomain of another domain, the two domains are considered a tree.
◼ Functional Level: The functional level is an AD DS setting that enables advanced domain-wide or forest-wide AD DS features.


The Windows Forest
◼ Windows 2000 introduced the concept of the forest, and later versions followed the tradition.
◼ A forest is a collection of domains.
◼ Each domain in a Windows forest has:
◼ Its own database of user accounts.
◼ Its own groups.
◼ Its own sets of privileges.
◼ The database is managed by DCs.
◼ Each DC supports a live DB (AD).
◼ Changes can be made at any DC in the domain.
◼ Replication is multi-master.


The Windows Forest
◼ Global Catalog:
◼ Forest-wide data is not replicated to every domain controller in every domain; instead, a special role, that of Global Catalog (GC), is assigned to at least one DC in the forest.
◼ The first DC installed in a forest is automatically designated as a global catalog server.
◼ Facilitates logon across domains: a user can log on to computers in any domain by using their user principal name.
◼ Holds universal group membership information.


The Windows Forest
◼ Multi-master update:
◼ Any domain controller to which you can connect can be updated, even if that domain controller becomes disconnected from the network.
◼ When network connectivity is restored, updates are replicated throughout the forest.


The Windows Forest
◼ Conflict Resolution:
◼ If two people simultaneously make conflicting updates, each set of updates is replicated.
◼ However, even in the presence of conflicting updates, all domain controllers eventually converge to the same value.
◼ Flexible Single Master Operation:
◼ Active Directory performs schema updates in a single-master fashion to prevent conflicts.
◼ Only the domain controller holding the schema master role accepts updates to schema objects.
◼ An administrator can shift the schema master role from one domain controller to another as the need arises.
◼ At any moment only one domain controller holds the schema master role.


Crossing Boundaries: The Windows Trust
◼ As the number of Windows NT systems in an enterprise increased, the number of domains did as well.
◼ The architecture of a large number of Windows networks was not planned; it just proliferated.
◼ Trust: the way in which domains can be joined.
◼ A simple trust relationship between domain A and domain B: Joe, who has an account in domain A, is granted access to a folder on a server in domain B.


Forest Trust
◼ Types of trust:
◼ One-way trusts – When one domain trusts the other, but the reverse is not true.
◼ When domain A trusts domain B, users in B can access A.
◼ Two-way trusts – Users from both domains can be given access.
◼ Forest trusts – One-way or two-way transitive trusts between forests that allow security principals in one forest to access resources in any domain in another forest.
◼ They are transitive in the sense that all domains in one forest trust all domains in the other forest, but the trust is not transitive from one forest to a further forest.


Forest Trust
◼ Types of trust:
◼ Transitive trusts – If A trusts B and B trusts C, then A trusts C.
◼ In order to authenticate a user, a referral must be made to a domain in the path to the destination.
◼ Shortcut trusts – Shortcut trusts are configured manually to bypass the normal referral process.


Complete Forest Trust
◼ Going beyond creating external trusts between domains in different forests, create forest trusts.
◼ They provide complete Kerberos-style transitive trust between the two forests.
◼ The shaded areas, all domains in both forests, represent the breadth of this trust.
◼ Every account in every domain in every forest can be given access to every resource in every domain in every forest.


External Trust
◼ Create trust relationships between domains in separate Windows forests.
◼ Trusts between domains from different forests are called external trusts.
◼ A trust between domain c.Mydomain.local in one forest and domain 1.yourdomain.local in another forest only provides access for users in one domain to resources in the other domain.


Windows Logical Boundaries
◼ First security boundary - individual servers or workstations:
◼ Each stand-alone system has its own account database.
◼ Degrees of administration and access are controlled by membership in permitted groups.
◼ Second, with Windows NT 4.0, the domain (its DCs) was the boundary.
◼ A Windows 2003 or higher domain is not a security boundary:
◼ There are forest-wide groups - a member of the Schema Admins group can modify the schema of the forest, a change that can affect every domain in the forest.
◼ A member of the Enterprise Admins group has administrative privileges in all domains in the forest.


Windows Boundaries
◼ Users and groups from one domain can be granted access to resources and privileges in another.
◼ Peter, who has an account in mydomain.local, is given access to resources in west.mydomain.local and east.mydomain.local.
◼ Mary, with an account at east.mydomain.local, is given access to resources in west.mydomain.local.
◼ The access is granted by administrators in the respective domains.


Key Terms
◼ Security Identifier (SID) structure:
◼ SIDs are composed of a domain identifier and a RID (relative identifier).
◼ The RID identifies a particular account or group relative to a domain.
◼ Each user and computer account and each Windows group has its own SID.
◼ Within the system, SIDs are used to identify security principals (users, groups, computers).
◼ Access privileges and permissions can be granted on domain member computers to domain accounts and groups.


Selective Authentication and SID Filtering
◼ Malicious administrators in someone else's forest may be able to elevate their privileges in yours. How can you prevent this?
◼ SID filtering is turned on by default in forest trusts. This means a malicious administrator in one forest can't spoof possession of SIDs from another forest and thus gain some advantage in the other forest.
◼ Limit the access provided by a trust between two Windows Server 2003 or higher domains in different forests.
◼ This is done by Selective Authentication.
◼ Administrators in the trusting domain must provide users from the other domain with "permission to authenticate" for each server in the domain.
◼ Administrators can actually grant the other domain's users read permission on a file, but if the users don't have permission to authenticate to that file server, they can't read the file.
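
An added example, not part of the lecture, that ties the SID structure slide ("Key Terms") to the SID filtering bullet above: a SID is split into its domain identifier (everything up to the last sub-authority) and its RID, and a simplified filter keeps only the SIDs in an incoming cross-forest token that were issued by a domain of the trusted forest, quarantining anything that claims a group in the trusting forest. All SIDs below are constructed; the rule is a simplified model of Windows SID filtering, not a reimplementation of it (well-known and built-in SIDs are simply treated like any other).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    """Security identifier: S-<revision>-<authority>-<sub-authorities...>."""
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.sub_authorities)])

    @property
    def domain_identifier(self) -> "Sid":
        """Everything but the last sub-authority: identifies the issuing domain."""
        return Sid(self.revision, self.authority, self.sub_authorities[:-1])

    @property
    def rid(self) -> int:
        """Relative identifier: the account or group within that domain."""
        return self.sub_authorities[-1]


def sid_filter(token_sids, trusted_domain_sids):
    """Simplified SID filtering on a forest trust: keep only SIDs issued by a
    domain of the trusted forest. Anything else in the incoming token (for
    example a SID-history entry claiming a group in *our* forest) is dropped.
    Returns (kept, quarantined) as SID strings."""
    allowed = {Sid.parse(d) for d in trusted_domain_sids}
    kept, quarantined = [], []
    for sid in (Sid.parse(t) for t in token_sids):
        (kept if sid.domain_identifier in allowed else quarantined).append(str(sid))
    return kept, quarantined


# Constructed identifiers: a partner forest's domain and our own domain.
PARTNER_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OUR_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"


def demo():
    """A partner user's token arriving over the forest trust."""
    token = [
        PARTNER_DOMAIN + "-1105",  # the partner user's own SID
        PARTNER_DOMAIN + "-1200",  # a partner group
        OUR_DOMAIN + "-512",       # claims Domain Admins (RID 512) in our forest
    ]
    return sid_filter(token, [PARTNER_DOMAIN])


if __name__ == "__main__":
    kept, quarantined = demo()
    print("kept:", kept)
    print("quarantined:", quarantined)
```

The third token entry is the case the slide warns about: a RID of 512 is only meaningful relative to its domain identifier, so the filter decides by the domain part and never by the RID alone.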


Use Group Policy to Manage Settings
◼ Evaluate the entire list of Group Policy settings.

◼ Group Policy Manager



Group Policy
◼ Group Policy can be used to set literally hundreds of security and general administrative settings for diverse machines and users.
◼ Individually crafted Group Policy Objects (GPOs) can be defined and, when linked to containers in the Active Directory, automatically and periodically apply these settings.
◼ Windows Server 2003 introduced the Group Policy Management Console (GPMC).
◼ Windows Server 2008 introduced Advanced Group Policy Management (AGPM).
◼ When properly designed and implemented:
◼ Group Policy can effectively set and maintain security for an entire network of Windows computers.
◼ Take care when applying GPOs at the domain level. It is good practice to reserve this location for GPOs that enforce written policy.
◼ The goal of a GPO is to provide a mechanism to centrally enforce security policies in an automated fashion.


Group Policy Effective Range
◼ GPOs can be linked to site, domain, and OU objects.
◼ Domains are logical collections of computers and users.
◼ A GPO linked to a domain object in AD will be applied to every computer and user with an account in the domain.
◼ Organizational units (OUs) are subdivisions of domains that can themselves contain user and computer accounts.
◼ If a GPO is linked to an OU, its settings apply to those user and computer accounts.


Application and Conflict
◼ Group Policy inheritance (local, site, domain, OU):
◼ A user with an account in the Marketing OU of the domain mydomain.local, who logs on from the computer Computer26, which also has its account in the Marketing OU, will have their security configured by the:
◼ Local Group Policy
◼ Site GPO
◼ Domain GPO
◼ GPO linked to the Marketing OU.


Computer Policies
◼ These policies apply to the entire computer, regardless of which user is logged in to it.
◼ Network\DNS Client—Update Security Level (Enabled, Only Secure)
◼ Automatic updates to DNS are to be done securely, with authentication and encryption.
◼ Prevents unauthorized tampering with DNS, which is required to protect the integrity of DNS information.
◼ Network\Network Connections—Prohibit Use of Internet Connection Sharing on Your DNS Domain Network (Enabled)
◼ Routing of network connections is a risk to the network and should be blocked.

Computer Policies
◼ System\System Restore—Turn Off System Restore (Enabled)
◼ Malware writers discovered that System Restore provides an easy way to reinfect Windows systems after a virus, Trojan, or worm has been cleaned.
◼ System Restore is dangerous and should be avoided.
◼ Windows Components\Task Scheduler—Hide Property Pages (Enabled)


Computer Policies
◼ Windows Components\Internet Information Services—Prevent IIS Installation (Enabled)
◼ IIS has a high attack surface and should not be used except in protected security zones.
◼ Many more Computer Configuration policies exist.


User Policies
◼ These policies apply to all users in the container to which they are applied.
◼ Different groups of users can have different policies that apply when using the same workstation.
◼ Control Panel\Display—Screen Saver (Enabled)
◼ Control Panel\Display—Screen Saver Executable Name (Enabled)
◼ Control Panel\Display—Password Protect the Screen Saver (Enabled)
◼ Control Panel\Display—Screen Saver Timeout (5–15 minutes)
◼ Desktop\Active Desktop—Disable Active Desktop (Enabled)
◼ Many more User Configuration policies exist.

Group Policy Settings
◼ GPO capability varies with the operating system
◼ Software settings: Software can be installed and uninstalled via this container.
◼ Scripts Startup, shutdown, logon, and logoff: scripts can be applied by placing
them in this container.
◼ Security settings: All of the security settings that are in security templates plus
those in GPOs reside in this container.
◼ Wireless Network policies: Wireless network configuration settings (in Windows
Server 2003 and XP) can be configured via this container.
◼ Public Key policies: EFS recovery policy and other PKI-related policies can be set
via this container.
◼ IP security policies on Active Directory: This container houses IPSec policies
that apply communications security to computers.
◼ Administrative Templates: These templates include hundreds of configuration
settings, many of them security related, that can be set via Group Policy.
◼ Remote Installation Services: This container includes settings that control
operation of the RIS service.
◼ Folder Redirection: The settings in this container redirect My Documents and
others to a specified network location.
◼ Internet Explorer maintenance: This container includes security settings for IE.



Evaluating Group Policy, Troubleshooting
◼ Weigh the value of well-designed and well-applied Group Policy against the
damage that carelessness or misunderstanding can cause.
◼ For example, a rogue administrator can use it to their own benefit.
◼ When a user logs on locally to the Administrator account, the Group Policy
previously applied to the local computer will still control all activities on the
computer and on the network, but no new user portion of Group Policy will
be applied.
◼ If the user removes the computer from domain membership, reboots, and
then modifies its security policy, there are no longer any restrictions on
what the computer can do.
◼ When a user has a domain user account and password, that account can be
used to access shares on the network and perform other activities.



Resultant Set of Policy (RSoP)
◼ Questions administrators need to answer:
◼ If a GPO doesn’t seem to be working, how can you tell what’s going on?
◼ Is the policy being applied at all?
◼ Or is it just not working as you might expect?
◼ Are other GPOs, inheritance modifications, or other factors such as DNS or
network connectivity the cause?

◼ RSoP is a tool:
◼ To predict the effects of applying a group policy.
◼ To actually determine what policies and which parts of them are effective
on a specific machine for a specific user.





Application Whitelisting
◼ The old method of producing giant lists of “what’s bad” is no longer a
scalable approach.
◼ Antivirus and anti-malware work this way.
◼ They send you an ever-growing list of signatures of known bad things that
they block.
◼ With whitelisting, administrators instead produce a relatively short list
of allowed applications; anything else, regardless of its intent, is
considered bad and not allowed to run.
◼ Extremely effective, as it is not vulnerable to zero-day events that are
too new for signatures to be available.



Application Whitelisting: How It Works


AppLocker & Software Restriction Policies (SRP)
◼ AppLocker is an enhanced version of Windows Server 2003’s Software
Restriction Policies.
◼ SRPs and AppLocker tackle the problem of execution of malicious
code on Windows platforms.
◼ SRPs and AppLocker can be used to block user access to games such as
Minesweeper, or to prohibit the startup of a browser that isn’t standard in the
organization.
◼ The protection program blocks everything except the files that are on its
whitelist.
◼ The default SRP configuration uses blacklisting.
◼ AppLocker uses whitelisting by default.
◼ Group Policy Object (GPO) can be used to configure and enforce AppLocker
rules.
◼ PowerShell cmdlets can also be used to configure AppLocker rules.



AppLocker
◼ AppLocker supports three rule types:
◼ Executable Rules can allow or prevent *.exe and *.com files from
running.
◼ Windows Installer Rules can allow or prevent the execution of *.msi
(Windows Installer) and *.msp (Windows Installer patching) files.
◼ Script Rules can allow or prevent the execution of different script file
types (*.ps1, *.bat, *.cmd, *.vbs, *.js).

◼ These rule types are grouped in rule collections and appear as
subcontainers of the AppLocker container in the GPO settings.
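As an added example (not from the slides), the following PowerShell builds an AppLocker whitelist from the executables and scripts already installed under C:\Program Files, tests a candidate file against it, and deploys the policy in audit-only mode so gaps show up in the event log before anything is enforced. The baseline directory and the candidate file path are assumptions for the demo; the cmdlets are the standard AppLocker module cmdlets the slide refers to.

```powershell
# Added example, not from the slides. Requires the AppLocker module and an
# elevated prompt for Set-AppLockerPolicy.
Import-Module AppLocker

# 1. Inventory trusted files. Assumption: everything under C:\Program Files on
#    this reference machine is approved software.
$trusted = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Script

# 2. Turn the inventory into allow rules for Everyone. Publisher rules survive
#    updates of signed files; unsigned files fall back to hash rules.
#    -Optimize merges rules that share a publisher; -Xml returns the policy XML.
$policyXml = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Switch every rule collection (Exe, Script) to AuditOnly: executions that
#    would be blocked are only logged, not denied.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyFile = Join-Path $env:TEMP 'baseline-applocker.xml'
$xml.Save($policyFile)

# 4. Dry run: how would the policy decide on a file outside the baseline?
#    PolicyDecision is Allowed, Denied, or DeniedByDefault (no matching rule).
$candidate = 'C:\Users\Public\Downloads\tool.exe'   # constructed sample path
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. Apply to the local policy (add -Ldap '<GPO path>' to target a GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 6. Review what audit mode would have blocked (event ID 8003) before changing
#    EnforcementMode to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

Run the audit phase for long enough to cover normal business activity; every 8003 event is either a missing rule or software that the whitelist is right to exclude.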


Security Best Practices
◼ The security best practices used for Unix apply here as well.
◼ The following practices will secure the Windows OS:
◼ Disable unneeded services and remove unnecessary software to reduce the
attack surface.
◼ Configure secure settings on remaining software.
◼ Strengthen authentication processes – avoid using LM/NTLM.
◼ Segment the network into zones of trust and place Windows systems into
those zones based on their communication needs and Internet exposure.

◼ Use Add/Remove Windows Components to uninstall the following:
◼ IIS – when it is not needed
◼ Address Book, WordPad
◼ Tour Windows XP, Synchronize
◼ NetMeeting, Program Compatibility Wizard
◼ Windows Movie Maker, Remote Assistance (unless you’re planning to use it for
support)
◼ Games
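As an added example (not from the slides), this PowerShell audits the attack surface the list above is about: it reports optional Windows features that are enabled but on a "not needed here" baseline, lists every auto-start service for review, and previews the removal. The baseline list is constructed for the demo (IIS-WebServerRole, TelnetClient and SMB1Protocol are real DISM feature names); PowerShell 5.1 or later and an elevated prompt are assumed.

```powershell
# Added example, not from the slides. Assumption: the list below is a constructed
# workstation baseline of optional features that should be off.
$unneededFeatures = @('IIS-WebServerRole', 'TelnetClient', 'SMB1Protocol')

function Get-UnneededEnabledFeature {
    # Enabled features that the baseline says should not be present.
    param([string[]]$Unneeded)
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.State -eq 'Enabled' -and $Unneeded -contains $_.FeatureName } |
        Select-Object FeatureName, State
}

function Get-AutoStartService {
    # Services that start automatically are exposed from boot; each one on the
    # list should be justified or set to Disabled/Manual.
    Get-Service | Where-Object { $_.StartType -eq 'Automatic' } |
        Select-Object Name, DisplayName, Status
}

$toRemove = Get-UnneededEnabledFeature -Unneeded $unneededFeatures
'Enabled features outside the baseline:'
$toRemove | Format-Table -AutoSize
'Auto-start services to review:'
Get-AutoStartService | Format-Table -AutoSize

# Remove what the baseline forbids. -WhatIf previews the change; drop it to apply.
foreach ($feature in $toRemove) {
    Disable-WindowsOptionalFeature -Online -FeatureName $feature.FeatureName -NoRestart -WhatIf
}
```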


Apply Technology and Physical Controls
◼ If an attacker has physical possession of, or even physical access to, the
machine, it is much easier to compromise.
◼ Read-Only Domain Controllers (RODCs):
◼ Configure the RODC to cache account information only for the local users.
◼ By default, the highest-privilege accounts can never be cached on an RODC.
◼ If an RODC is logically removed from Active Directory, the directory knows
the list of all user accounts that were cached on the removed RODC and offers
to flag all such accounts to “Must Change Password at Next Logon” to quickly
remove the risk of the RODC’s password cache being cracked.



Role-Based Administration
◼ Based on the principle of least privilege.
◼ Default groups are loosely arranged around roles that a user might play in a
network.
◼ Custom groups can be created for specific functionality.

◼ Default Groups (not all):
◼ Administrators: Members of the local Administrators group have all privileges and
rights of access on the local system.
◼ Domain Admins: All-powerful in the domain, members of this group can administer
all domain member computers as well as domain policy.
◼ Domain Users: Ordinary folk; they have simple, basic rights such as the right to log
on to a network or to shut down a workstation, which are granted via membership in
the local Users group.
◼ Print Operators: These folks manage printers.

◼ Each new version of Windows adds new groups and users.
◼ Dynamic groups are groups created by an Active Directory query.



Limit Number/Privileges of Admin Accounts
◼ Administrative groups grant enormous privileges:
◼ Windows systems have various default administrative groups built in.
◼ New administrative roles can be built.
◼ But these features are often not used properly.

◼ Individuals should not be given membership in administrative groups unless
all other attempts at empowering them to do their jobs have been
unsuccessful.

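As an added example (not from the slides) covering the two slides above, this PowerShell compares the local Administrators group against a list of approved role groups and flags every other member, which is how the "role, not individual" rule is checked in practice. The approved list is a constructed placeholder and CONTOSO\Workstation Admins is a hypothetical role group; PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts) is assumed.

```powershell
# Added example, not from the slides. Assumption: only the built-in account and
# one hypothetical role group are allowed in local Administrators.
$approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (rename/disable per policy)
    'CONTOSO\Workstation Admins'         # hypothetical role group, not an individual
)

function Get-UnapprovedLocalAdmin {
    # Members of local Administrators that are not on the approved list.
    # Name is reported as COMPUTER\account or DOMAIN\account; PrincipalSource
    # tells whether it is a Local, ActiveDirectory or MicrosoftAccount principal.
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unapproved = Get-UnapprovedLocalAdmin -Approved $approved
if (-not $unapproved) {
    'Local Administrators membership matches the approved roles.'
} else {
    # Direct user memberships (ObjectClass = User) bypass role-based
    # administration: access should come through a role group so it can be
    # reviewed and revoked in one place.
    $unapproved | Format-Table -AutoSize
    foreach ($member in $unapproved) {
        # -WhatIf previews the removal; drop it once the list has been reviewed.
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name -WhatIf
    }
}
```

Run it periodically (or from a scheduled task on each workstation) and treat any non-empty result as drift from the approved roles.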


More Controls
◼ When Elevated Privileges Are Required:
◼ Use default groups that have already been assigned the required privileges.
◼ Create custom groups and assign appropriate user rights to the groups.
◼ Delegation of Authority with Windows 2003 and higher domains – this utility can be
used to give granular control over objects in Active Directory.

◼ Programmers as Administrators:
◼ When programmers are granted admin privileges, they produce programs that
can't be run by non-administrators.
◼ Programmers can and should do most programming as ordinary users.

◼ Requiring Administrators to Use runas:
◼ Every holder of a privileged account should have an ordinary account as well.
◼ Many e-mail-borne attacks are harmless or less damaging if the account used to run
them does not have administrative privileges.
◼ The built-in runas command allows a user to run a program with elevated privileges.



[email protected]
