Publisher Summary

The world has become digital, and companies are now spending more money developing their e-commerce strategies than ever before. Many companies do not even maintain a physical storefront; they do all their business online. Companies depend on their Web servers to present them to the Internet community. Securing a Web server can be very complicated. This chapter discusses methods to secure a Windows 2000 server running Internet Information Services (IIS) 5.0. IIS is Microsoft's Web server product and can only be installed on a computer running one of the Microsoft Server products (Server, Advanced Server, or Data Center Server). Windows 2000 Professional has its own version of IIS called Peer Web Services (PWS). A number of steps go into securing a Web server. First, one needs to secure the server physically. Next, one needs to secure the operating system. Finally, one can begin to secure the IIS component itself. This chapter shows how to configure the server to accommodate one's needs. It describes where to set all these options and discusses what each of these options means and when they can be used. The chapter also focuses on some of the tools that Microsoft provides to make it easier to configure these settings.

Copyright © 2001 Elsevier Inc. All rights reserved.
Administer security policy settings
This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization. Security settings policies are rules that you can configure on a device, or multiple devices, for protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. Security settings can control:
For info about each setting, including descriptions, default settings, and management and security considerations, see Security policy settings reference. To manage security configurations for multiple computers, you can use one of the following options:
What's changed in how settings are administered

Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered.
Using the Local Security Policy snap-in

The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features:
Policies set locally might be overwritten if the computer is joined to the domain. The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see Working with the Security Configuration Manager in this topic. The secedit command-line tool works with security templates and provides six primary functions:
Using the Security Compliance Manager

The Security Compliance Manager is a downloadable tool that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and for Microsoft applications. It contains a complete database of recommended security settings, methods to customize your baselines, and the option to implement those settings in multiple formats, including XLS, GPOs, Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP). The Security Compliance Manager is used to export the baselines to your environment to automate the security baseline deployment and compliance verification process. To administer security policies by using the Security Compliance Manager
Using the Security Configuration Wizard

The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: you can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. The following are considerations for using SCW:
The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to:
The Security Policy Wizard configures services and network security based on the server's role, as well as configures auditing and registry settings. For more information about SCW, including procedures, see Security Configuration Wizard.

Working with the Security Configuration Manager

The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. For procedures on how to use the Security Configuration Manager, see Security Configuration Manager. The following table lists the features of the Security Configuration Manager.
Security Configuration and Analysis

Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security.

Security analysis

The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change often goes unreversed, which means that the computer may no longer meet the requirements for enterprise security. Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside current system settings and uses visual flags or remarks to highlight any areas where the current settings don't match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals.

Security configuration

Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. These security templates immediately configure the system security with the levels specified in the template.

Security templates

With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It's a single point of entry where the full range of system security can be taken into account.
The Security Templates snap-in doesn't introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once. To apply a security template to your local device, you can use Security Configuration and Analysis or the secedit command-line tool. Security templates can be used to define:
Each template is saved as a text-based .inf file. This file enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template.

Security settings extension to Group Policy

Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you to change the security configuration of the Group Policy Object, which in turn affects multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. Security settings or security policies are rules that are configured on a device or multiple devices for protecting resources on a device or network. Security settings can control:
You can change the security configuration on multiple computers in two ways:
Local Security Policy

A security policy is a combination of security settings that affect the security on a device. You can use your local security policy to edit account policies and local policies on your local device. With the local security policy, you can control:
If your local device is joined to a domain, you're subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you're a member of. If you're getting a policy from more than one source, conflicts are resolved in the following order of precedence.
If you modify the security settings on your local device by using the local security policy, then you're directly modifying the settings on your device. Therefore, the settings take effect immediately, but this effect may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts.

Using the Security Configuration Manager

For procedures on how to use the Security Configuration Manager, see Security Configuration Manager How To. This section contains information in this topic about:
Applying security settings

Once you've edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object:
Precedence of a policy when more than one policy is applied to a computer

For security settings that are defined by more than one policy, the following order of precedence is observed:
For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there's a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.

Note: Use gpresult.exe to find out what policies are applied to a device and in what order.

Persistence in security settings

Security settings may still persist even if a setting is no longer defined in the policy that originally applied it. Persistence in security settings occurs when:
All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value doesn't exist in the database, then the setting doesn't revert to anything and remains defined as is. This behavior is sometimes called "tattooing." Registry and file settings will maintain the values applied through policy until that setting is set to other values.

Filtering security settings based on group membership

You can also decide what users or groups will or won't have a Group Policy Object applied to them regardless of what computer they've signed into by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy.

Importing and exporting security templates

Security Configuration and Analysis enables import and export of security templates into or from a database. If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature enables saving the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object.

Analyzing security and viewing results

Security Configuration and Analysis performs security analysis by comparing the current state of system security against an analysis database. During creation, the analysis database uses at least one security template. If you choose to import more than one security template, the database will merge the various templates and create one composite template.
It resolves conflicts in order of import; the last template that is imported takes precedence. Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click Properties.
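The precedence and persistence rules described above (local settings overridden by domain policy, domain overridden by organizational-unit policy with the OU that immediately contains the computer winning, and the local database's history that produces "tattooing") are easier to reason about with a small model. The following is an added example, not Microsoft code and not how the Windows security database is implemented internally; the class, the `refresh` and `resolve` helpers, and the sample policy values (setting names borrowed from the System Access section of a security template) are constructed for this demo.

```python
"""Model of security-setting precedence and persistence ("tattooing").

Constructed example: it reproduces the behaviour the article describes,
not the internals of Windows. A policy value is only recorded when it
changes, a setting that no policy defines any more falls back to the
previous value in the history, and a setting with no earlier value
stays as it is.
"""


class LocalSecurityDatabase:
    """Keeps, per setting, the history of values applied to this device."""

    def __init__(self, initial=None):
        # history[name] lists the values in the order they were applied
        self.history = {n: [v] for n, v in (initial or {}).items()}
        self.policy_defined = set()   # names defined by policy at the last refresh

    def effective(self):
        """Current effective value of every setting."""
        return {n: vals[-1] for n, vals in self.history.items()}

    def refresh(self, resolved):
        """Apply the resolved policy, as a Group Policy refresh would."""
        # Settings that policy no longer defines: revert to the previous value
        # if there is one; otherwise the value remains as is (tattooing).
        for name in self.policy_defined - set(resolved):
            vals = self.history[name]
            if len(vals) > 1:
                vals.pop()
        # Record a new value only when the setting is actually modified.
        for name, value in resolved.items():
            vals = self.history.setdefault(name, [])
            if not vals or vals[-1] != value:
                vals.append(value)
        self.policy_defined = set(resolved)


def resolve(local, domain, ous):
    """Merge policy sources by precedence: local < domain < OU, with the OUs
    given from outermost to the one that immediately contains the computer
    (listed last, so it wins every conflict)."""
    merged = dict(local)
    for source in [domain, *ous]:
        merged.update(source)
    return merged


def demo():
    # Constructed starting state and policies (hypothetical values).
    db = LocalSecurityDatabase({"MinimumPasswordLength": 0, "LockoutBadCount": 0})
    local = {"MinimumPasswordLength": 8}
    domain = {"MinimumPasswordLength": 10, "PasswordComplexity": 1}
    ous = [{"LockoutBadCount": 5}, {"MinimumPasswordLength": 14}]  # outer OU, inner OU

    db.refresh(resolve(local, domain, ous))
    after_apply = db.effective()      # inner OU's 14 beats domain 10 and local 8

    # Domain stops defining PasswordComplexity; no other policy defines it and
    # the database has no earlier value, so the setting stays at 1 (tattooed).
    domain = {"MinimumPasswordLength": 10}
    db.refresh(resolve(local, domain, ous))
    after_undefine = db.effective()

    # Every policy stops defining MinimumPasswordLength: it reverts to the
    # previous value in the history (the initial 0).
    db.refresh(resolve({}, {}, [{"LockoutBadCount": 5}, {}]))
    after_revert = db.effective()
    return after_apply, after_undefine, after_revert


if __name__ == "__main__":
    for label, state in zip(("applied", "undefined", "reverted"), demo()):
        print(label, state)
```

Running `gpresult.exe` on a real domain-joined workstation tells you which policies are actually layered on it and in which order; this model only illustrates why a setting can remain in force after the policy that set it has been edited.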
If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. To avoid continued flagging of settings that you've investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template.

Resolving security discrepancies

You can resolve discrepancies between analysis database and system settings by:
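The import, merge, analyze and export cycle described in the preceding sections can be exercised offline on the text-based .inf format the templates use. The following is an added example written for this page; it is not Microsoft code and does not replace secedit.exe or the Security Configuration and Analysis snap-in. The two templates and the "current settings" are constructed for the demo (the section names and keys follow the layout of secedit-style templates, but the values are hypothetical), and the functions `parse_template`, `build_database`, `analyze`, `accept_current` and `export_template` are this example's own names.

```python
"""Merge security templates into a composite analysis database, flag
settings that differ from the current system state, accept a current
value into a copy of the base configuration, and export it as a template.

Constructed example. Templates are plain INI-style text, so the standard
library's configparser is enough to read and write them.
"""
import configparser
import copy
from io import StringIO

# Constructed sample templates (secedit-style layout, hypothetical values).
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
"""

HARDENING_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
[Event Audit]
AuditAccountLogon = 3
"""

# Constructed "current state" of the system being analyzed.
CURRENT_SETTINGS = {
    "System Access": {"MinimumPasswordLength": "8", "PasswordComplexity": "1",
                      "LockoutBadCount": "5"},
    "Event Audit": {"AuditLogonEvents": "3"},
}

# Sections that carry security attributes; the rest is file metadata.
SETTING_SECTIONS = ("System Access", "Event Audit", "Registry Values")


def _parser():
    p = configparser.ConfigParser(interpolation=None)
    p.optionxform = str          # keep key case: registry paths are case-sensitive
    return p


def parse_template(text):
    """Read a template's setting sections into {section: {key: value}}."""
    p = _parser()
    p.read_string(text)
    return {s: dict(p[s]) for s in p.sections() if s in SETTING_SECTIONS}


def build_database(templates):
    """Composite template: import in order, the last import wins conflicts."""
    db = {}
    for t in templates:
        for section, settings in t.items():
            db.setdefault(section, {}).update(settings)
    return db


def analyze(database, current):
    """Compare the analysis database with the current system settings.
    Returns (section, key, baseline, actual, status) per attribute."""
    results = []
    for section, settings in database.items():
        for key, baseline in settings.items():
            actual = current.get(section, {}).get(key)
            status = "OK" if actual == baseline else "MISMATCH"
            results.append((section, key, baseline, actual, status))
    return results


def accept_current(database, current, section, key):
    """A flagged setting was investigated and accepted: rewrite a copy of the
    base configuration so it is no longer flagged. The original is untouched."""
    updated = copy.deepcopy(database)
    updated[section][key] = current[section][key]
    return updated


def export_template(database):
    """Serialize the database as a new .inf template text."""
    p = _parser()
    p["Unicode"] = {"Unicode": "yes"}
    for section in SETTING_SECTIONS:
        if section in database:
            p[section] = database[section]
    out = StringIO()
    p.write(out, space_around_delimiters=False)
    return out.getvalue()


def demo():
    db = build_database([parse_template(BASELINE_INF), parse_template(HARDENING_INF)])
    mismatches = {(s, k): (b, a) for s, k, b, a, st in analyze(db, CURRENT_SETTINGS)
                  if st == "MISMATCH"}
    return db, mismatches


if __name__ == "__main__":
    composite, flagged = demo()
    for (section, key), (baseline, actual) in flagged.items():
        print(f"[{section}] {key}: baseline={baseline} current={actual}")
```

The mismatch list is the equivalent of the snap-in's visual flags: `MinimumPasswordLength` is flagged because the hardening template (imported last) raised it to 14, `LockoutBadCount` because the system is looser than the baseline, and `AuditAccountLogon` because the system has no value for it at all. Accepting `LockoutBadCount` rewrites only the copy, which is what keeps the original template reusable for the next analysis.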
Automating security configuration tasks

By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to automatically create and apply templates, and analyze system security. You can also run it dynamically from a command prompt. Secedit.exe is useful when you have multiple devices on which security must be analyzed or configured, and you need to perform these tasks during off-hours.

Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop.
What is Windows security policy?
Windows Security Policies are a set of configurations that can be applied on desktops to enhance security. Security policies determine the various security restrictions that can be imposed on the users in a network.

What is the Secpol MSC utility used for?
The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features: Account Policies. Local Policies.