CYSE 1005 -Implementing

security policies in
operating systems

Week 12 – lab: securing WS 2016

Presented by Catalin Bobe

Introduction to group policy
Group policy in Windows Server 2016
◦ Enables you to standardize the working environment of clients and
servers by setting policies in Active Director
Defining characteristics of Group Policy:
◦ Group Policy can be set for a site, domain, OU, or local computer
◦ Group Policy cannot be set for non-OU folder containers
◦ Group Policy settings are stored in Group Policy Objects
◦ GPOs can be local and nonlocal
◦ Group Policy can be set up to affect user accounts and computers
◦ When Group Policy is updated, old policies are removed or updated for
all clients
Secure WS 2016 using security policies
Security policies are a subset of individual policies
◦ Within a larger group policy for a site, domain, OU, or local
computer
Security policies include:
◦ Account Policies
◦ Audit Policy
◦ User Rights
◦ Security Options
◦ IP Security Policies
Establishing account policies
 Account policies
◦ Security measures set up in a Group Policy that applies to all accounts or to all
accounts in a container when Active Directory is installed
 Theaccount policy options that you can configure affect three main
areas:
◦ Password security
◦ Account lockout
◦ Kerberos security
 Password security
◦ One option is to set a password expiration period, requiring users to change
passwords at regular intervals
◦ Some organizations require that all passwords have a minimum length
Assignment
Change specific password security options:
◦ Enforce password history = 20 passwords remembered
◦ Maximum password age = 60 days
◦ Minimum password age = 2 days
◦ Minimum password length = 8 characters
◦ Passwords must meet complexity requirements
◦ Store password using reversible encryption
Provide screenshot
Assignment
 Account Lockout
◦ The operating system can employ account lockout to bar access to an account
(including the true account owner) after a number of unsuccessful tries
 The lockout can be set to release after a specified period of time = 240
minutes
◦ Or by intervention from the server administrator = enabled
 A common policy is to have lockout go into effect after five to 10
unsuccessful logon attempts
◦ Administrator can set lockout to release after a designated time
 Account lockout parameters
◦ Account lockout duration
◦ Account lockout threshold
◦ Reset account lockout count after
 Provide screenshot
Establishing account policies
 Kerberos security
◦ Involves the use of tickets that are exchanged between the client who
requests logon and network services access and the server or Active
Directory that grants access
◦ When Active Directory is used, each DC is a key distribution center
◦ Once a user is authenticated, the Kerberos ticket-granting service grants
a permanent ticket (called a service ticket) to that computer
◦ A service ticket is good for the duration of the logon session
 Enhancements on Windows Server 2016 and Windows 10
◦ The use of Advanced Encryption Standard (AES) encryption
◦ When Active Directory is installed, the account policies enable Kerberos
 When Active Directory is not installed, the default authentication is through
Windows NT LAN Manager version 2 (NTLMv2)
Establishing account policies
Options available for configuring Kerberos:
◦ Enforce user logon restrictions = enabled
◦ Maximum lifetime for service ticket = 720 minutes
◦ Maximum lifetime for user ticket = 12 hours
◦ Maximum lifetime for user ticket renewal = 10 days
◦ Maximum tolerance for computer clock synchronization = 2
minutes
Provide screenshot
Establishing audit policies
Examples of events that an organization can audit are as
follows:
◦ Account logon (and logoff) events = enabled (success/failure)
◦ Account management
◦ Directory service access
◦ Logon (and logoff) events at the local computer
◦ Object access
◦ Policy change
◦ Privilege use
◦ Process tracking
◦ System events
Provide screenshot
Configuring user rights
User rights enable an account or group to perform
predefined tasks
The most basic right is the ability to access a server
◦ More advanced rights give privileges to create accounts and
manage server functions
Two general categories of rights:
◦ Privileges – generally relate to the ability to manage server or
Active Directory functions
◦ Logon rights – are related to how accounts, computers, and
services are accessed
Configuring user rights
Some examples of privileges include the following:
◦ Add workstations to domain
◦ Back up files and directories – for one user
◦ Change the system time
◦ Create permanent shared objects
◦ Generate security audits
◦ Load and unload device drivers
◦ Perform volume maintenance tasks
◦ Shut down the system
Provide screenshot
Configuring user rights
Examples of logon rights are as follows:
◦ Access this computer from the network
◦ Allow logon locally
◦ Allow logon through Remote Desktop Services
◦ Deny access to this computer from the network
◦ Deny logon as a service
◦ Deny logon locally
◦ Deny logon through Remote Desktop Services
Configuring security options
 Thereare many specialized security options that are divided into the
following categories:
◦ Accounts
◦ Audit
◦ DCOM
◦ Devices: Allowed to format and eject removable media – Administrators and Power
users
◦ Domain controller
◦ Interactive logon
◦ Microsoft network client
◦ Network access
◦ Network security
 Provide screenshot
Configuring security options
There are many specialized security options that are
divided into the following categories (cont’d):
◦ Recovery console
◦ Shutdown
◦ System cryptography
◦ System objects
◦ System settings
◦ User Account Control
Assignment
Last screenshot should be:
Run the following command in PowerShell under your ID
(NOT administrator):
get-gpo –name “map network drives”