Microsoft Official Course

Module 12

Securing Windows Servers by

Using Group Policy Objects
Module Overview

• Security Overview for Windows Operating Systems

• Configuring Security Settings
• Restricting Software
• Configuring Windows Firewall with Advanced
Security
Lesson 1: Security Overview for Windows
Operating Systems

• Discussion: Identifying Security Risks and Costs

• Applying Defense-In-Depth to Increase Security
• Best Practices for Increasing Security
Discussion: Identifying Security Risks and Costs

• What are some of security risks in Windows-based

networks?

10 minutes
Applying Defense-In-Depth to Increase Security
Defense-in-depth uses a layered approach to security
• Reduces an attacker’s chance of success
• Increases an attacker’s risk of detection

Policies, procedures, Security documents, user education

and awareness
Physical security Guards, locks, tracking devices
Perimeter Firewalls, network access quarantine control
Networks Network segments, IPsec, Reverse proxy
servers
Host Hardening, authentication, update
management
Application Application hardening, antivirus
Data ACLs, EFS, BitLocker,
backup/restore procedures
Best Practices for Increasing Security

Some best practices for increasing security are:

• Apply all available security updates quickly
• Follow the principle of least privilege
• Use separate administrative accounts
• Restrict administrator console sign-in
• Restrict physical access
Lesson 2: Configuring Security Settings

• Configuring Security Templates

• Configuring User Rights
• Configuring Security Options
• Configuring User Account Control
• Configuring Security Auditing
• Configuring Restricted Groups
• Configuring Account Policy Settings
• What Is Security Compliance Manager?
Configuring Security Templates
Security Templates categories:
• Account policies
• Local policies
• Event log
• Restricted groups
• System services
• Registry
• File system
Security templates are distributed by using:
• The secedit command-line tool
• The Security Templates snap-in
• The Security Configuration and Analysis Wizard
• Group Policy
• The Security Compliance Manager
Configuring User Rights

User Rights Types:

• Privileges
• Logon rights

Examples of common user rights:

• Add workstations to domain
• Allow log on locally
• Allow log on through Remote Desktop Services
• Back up files and directories
• Change the system time
• Force shutdown from a remote computer
• Shut down the system
Configuring Security Options

Security options settings:

• Administrator and Guest account names
• Access to CD/DVD drives
• Digital data signatures
• Driver installation behavior
• Logon prompts
• UAC
Examples:
• Prompt user to change password before expiration
• Do not display last user name
• Specify a message to be displayed when users are
logging on
• Rename administrator account
Configuring User Account Control

• UAC is a security
feature that prompts
the user for an
administrative user’s
credentials if the task
requires administrative
permissions
• UAC enables users to
perform common
daily tasks as non-
administrators
Configuring Security Auditing
When using security auditing to log security-related events,
you can:
• Configure security auditing according to your company’s security
regulations
• Filter the Security Event Log in Event Viewer to find specific
security related events
Configuring Restricted Groups

Group Policy can control group membership:

• For any group on a domain-joined computer, by applying a
GPO to the OU that contains the computer account
• For any group in AD DS, by applying a GPO to the
domain controller’s OU
Be aware of problems that might arise from using policies
for domain-based groups, and refer to the student
handbook for more information
Configuring Account Policy Settings
Account policies reduce the threat of brute force
guessing of account passwords
Policies Default settings
Password • Controls complexity and lifetime of passwords
• Max password age: 42 days
• Min password age: 1 day
• Min password length: 7 characters
• Complex password: enabled
• Store password using reversible encryption: disabled
Account • Controls how many incorrect attempts can be made
lockout • Lockout duration: not defined
• Lockout threshold: 0 invalid logon attempts
• Reset account lockout after: not defined
Kerberos • Subset of the attributes of domain security policy
• Can only be applied at the domain level
What Is Security Compliance Manager?

SCM is a free tool from Microsoft that helps you secure

local, remote, or virtualized computers. It features:
• Baselines
• Security guides
• Support for standalone computers
• Support for import GPO backups

You can use SCM to:

• Validate that computers are configured for compliance
• Reduce the work involved in configuring computers for
compliance
• Move, compare and merge settings across two independent
environments
• Formulate and update your security policies
Lab A: Increasing Security for Server Resources

• Exercise 1: Using Group Policy to Secure Member

Servers
• Exercise 2: Auditing File System Access
• Exercise 3: Auditing Domain Logons

Logon Information
Virtual machines 20410D-LON-DC1
20410D-LON-SVR1
20410D-LON-SVR2
20410D-LON-CL1
User name Adatum\Administrator
Password Pa$$w0rd

Estimated Time: 50 minutes

Lab Scenario

Your manager has given you some security-related

settings that need to be implemented on all
member servers. You also need to implement file
system auditing for a file share used by the
Marketing department. Finally, you need to
implement auditing for domain logons.
Lab Review

• What happens if you configure the Computer

Administrators group, but not the Domain Admins
group, to be a member of the Local Administrators
group on all of a domain’s computers?
• Why do you need to restrict local logon to some
computers?
• What happens when an unauthorized user tries to
access a folder that has auditing enabled for both
successful and unsuccessful access attempts?
• What happens when you configure auditing for
domain logons for both successful and unsuccessful
logon attempts?
Lesson 3: Restricting Software

• What Are Software Restriction Policies?

• What Is AppLocker?
• AppLocker Rules
• Demonstration: Creating AppLocker Rules
What Are Software Restriction Policies?

• SRPs allow administrators to identify which apps are

allowed to run on client computers
• SRPs can be based on the following:
• Hash
• Certificate
• Path
• Zone
• SRPs are applied through Group Policy
What Is AppLocker?
AppLocker applies Application Control Policies in
Windows Server 2012 and Windows 8
AppLocker contains capabilities and extensions that:
• Reduce administrative overhead
• Help administrators control how users access and use files:
• .exe files • Windows Installer files
• scripts • Packaged apps
• DLLs

Benefits of AppLocker:
• Controls how users can access and run all types of apps
• Allows the definition of rules based on a wide variety of variables
• Provides for importing and exporting entire AppLocker policies
AppLocker Rules

AppLocker defines rules based on file attributes such as:

• Publisher name
• Product name
• File name
• File version

Rule actions
• Allow or Deny conditions
• Enforce or Audit Only policies
Demonstration: Creating AppLocker Rules

In this demonstration, you will see how to:

• Create a GPO to enforce the default AppLocker
Executable rules
• Apply the GPO to the domain
• Test the AppLocker rule
Lesson 4: Configuring Windows Firewall with
Advanced Security

• What Is Windows Firewall with Advanced Security?

• Discussion: Why Is a Host-Based Firewall
Important?
• Firewall Profiles
• Connection Security Rules
• Deploying Firewall Rules
• Demonstration: Implementing Secured Network
Traffic with Windows Firewall
What Is Windows Firewall with Advanced Security?
Windows Firewall is a stateful, host-based firewall that
allows or blocks network traffic according to its configuration
What Is Windows Firewall with Advanced Security?

The benefits of Windows Firewall include that it:

• Supports filtering for both incoming and outgoing traffic
• Integrates firewall filtering and IPsec protection settings
• Enables you to configure rules to control network traffic
• Provides network location-aware profiles
• Enables you to import or export policies
Discussion: Why Is a Host-Based Firewall Important?

• Why is it important to use a host-based firewall

such as Windows Firewall with Advanced Security?

10 minutes
Firewall Profiles

• Firewall profiles are a set of configuration settings

that apply to a particular network type
• The firewall profiles are:
• Domain
• Public
• Private
• Windows Server 2012 includes the ability to have
multiple active firewall profiles
Connection Security Rules

Connection security rules:

• Authenticate two computers before they begin
communications
• Secure information being sent between two computers
• Use key exchange, authentication, data integrity, and data
encryption (optionally)

How firewall rules and connection rules are related:

• Firewall rules allow traffic through, but do not secure that
traffic
• Connection security rules can secure the traffic, but only if a
firewall rule was previously configured
Deploying Firewall Rules
You can deploy Windows Firewall rules:
• Manually. Used during testing, troubleshooting, or for
individual computers.
• By using Group Policy. The preferred way. Create and test
the rules, and then deploy them to a large number of
computers.
• By exporting and importing. Uses Windows Firewall with
Advanced Security.
When you import rules, they replace all current rules.

Always test firewall rules in an

isolated, nonproduction
environment before you deploy
them in production.
Demonstration: Implementing Secured Network
Traffic with Windows Firewall

In this demonstration, you will see how to:

• Check to see if ICMP v4 is blocked
• Enable ICMP v4 from LON-CL2 to LON-SVR2
• Create a connection security rule so that traffic is
authenticated to the destination host
• Validate ICMP v4 after the connection security rule
is in place
Lab B: Configuring AppLocker and Windows Firewall

• Exercise 1: Configuring AppLocker Policies

• Exercise 2: Configuring Windows Firewall

Logon Information
Virtual machines 20410D-LON-DC1
20410D-LON-SVR1
20410D-LON-CL1
User name Adatum\Administrator
Password Pa$$w0rd

Estimated Time: 60 minutes

Lab Scenario

Your manager has asked you to implement

AppLocker to restrict nonstandard applications
from running. He also has asked you to create new
Windows Firewall rules for any member servers
running web-based applications.
Lab Review

• You configured an AppLocker rule that prevents

users from running software in a specified file
path. How can you prevent users from moving the
folder containing the software so that they can
circumvent the rule and still run it?
• You want to introduce a new application that
needs to use specific ports. What information do
you need to configure Windows Firewall with
Advanced Security, and from what source can you
get it?
Module Review and Takeaways

• Review Questions
• Best Practices
• Common Issues and Troubleshooting Tips
• Tools