Windows NT® Security Management: Extending Windows NT 5.0 Security Management Tools, Part 2
Praerit Garg, Program Manager, Windows NT Security, Microsoft Corporation
Today's Agenda
- What is Security Configuration Tool Set?
- What problems does it solve?
- As a developer, how can you leverage this framework?
- Finally, some guidelines

Customer Questions
How do we easily…
- Implement security recommendations?
- Duplicate settings to every new system added?
- Track security measures on a regular basis?
- Enforce similar security measures across a large number of systems in the enterprise?
- Analyze current configuration
- Compare to stored configuration
- Reconfigure to fix problems

- Computers in the same OU have the same security policy settings
  - DCs, desktops, application servers

Group Policy Editor Security extension
- Computer settings, security settings
- Define or import a security configuration as part of Group Policy object
- Applied as part of Group Policy enforcement in the enterprise
(Diagram label: "Policy from")
Demonstration
- Editing configurations with Security Configuration Editor
- Applying configurations and performing analysis with Security Configuration Manager
- Configuring security policies using Group Policy Security Settings Extension
Answer To Problem #1
How do we easily implement security recommendations?
- Use the provided secure configurations
- Customize them for your environment
  - E.g., new name for admin account
- Import configuration to system database and select "Configure"

Answer To Problem #2
How do we easily duplicate security configuration?
- "Export" configuration from the system of choice and save it
- Copy the configuration to a share
- Apply the configuration to a large number of machines
  - Manually
  - Using Systems Management Server
  - Group Policy…

Answer To Problem #3
How do I track security on a regular basis?
- Analyze using the Security Configuration Manager
  - Reconfigure to fix deviations
  - Edit to implement new settings
- Systems Management Server + Security Configuration Manager
  - secedit.exe to collect analysis via Systems Management Server
  - Manager to locate/fix problems

Answer To Problem #4
How do I enforce similar security measures across a large number of systems in the enterprise?
- Use Group Policy to define a configuration at a scope
  - Propagated to all systems in that scope
- Use Systems Management Server to apply configurations using the "secedit.exe" command line
How Does This All Work?

Tool Set Architecture
Client/server based
- Clients
  - Security Configuration Editor
  - Security Configuration Manager
  - Security Extension to GPE
  - Winlogon Security Policy GP Extension
  - NT SETUP, Setup APIs and DC Promotion
  - LSA Downlevel Policies Filter
- Engine Server (scesrv.exe)
  - Configure System
  - Analyze System
  - Persist state in database (inspection database)
- Engine Client (scecli.dll)
  - Communicate with Server
  - Edit Configuration Files (configuration files)

Core Infrastructure
(Diagram: configuration files -> Engine Client (scecli.dll): communicate with server, edit configuration files -> Engine Server (scesrv.exe) -> inspection database)

Enterprise Policy Enforcement
- Group Policy enforced via ZAW framework
- Client pulls policies and applies them
- Security policies included
- Integrity protected, low network traffic
How Can This Be Extended To Support Application Or Service Specific Security?

An Infrastructure To Build On…
Problems
- Security is very broad
- Customer configurations and concerns vary
- The system is ever improving and growing
Solution - service attachment model
- Provide an extensibility framework
- Fit security of your services
- You can build custom solutions

Extension Framework
(Diagram: Engine Server (scesrv.exe): configure system, analyze system, persist state in database; Engine Client (scecli.dll): communicate with server, edit configuration files; attachment engines; extension snap-ins for attachments)

Attachment Model
Two pieces to implement
- Attachment engine
  - A DLL which implements well defined interfaces
  - Registers at install time
  - Interfaces invoked by SCTS during configuration and inspection
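The configure/analyze cycle that the engine runs, and that an attachment engine is invoked for during configuration and inspection, is shown below as an added example. This is not code from the presentation or from Microsoft's SCTS SDK: a real attachment engine is a DLL whose entry points the engine calls, whereas this model uses plain C functions and a constructed INF-style template so that it compiles and runs anywhere. The function names (parse_template, analyze_system, configure_system), the setting names and the sample template and current-state text are all assumptions made for illustration.

```c
/* Added example, not code from the presentation or from the SCTS SDK.
 * Models the tool set's cycle: compare the current system state with a
 * stored template ("analyze"), report deviations, then apply the template
 * ("configure"). An attachment engine does the same for its own service's
 * settings; here everything is plain C with constructed sample data. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SETTINGS 16

typedef struct { char key[48]; long value; } Setting;
typedef struct { Setting s[MAX_SETTINGS]; int n; } SettingSet;

/* Constructed sample: the stored (desired) configuration. */
const char *SAMPLE_TEMPLATE =
    "[System Access]\n"
    "MinimumPasswordLength = 8\n"
    "PasswordHistorySize = 24\n"
    "LockoutBadCount = 5\n";

/* Constructed sample: the current state (one value weaker, one setting missing). */
const char *SAMPLE_CURRENT =
    "[System Access]\n"
    "MinimumPasswordLength = 6\n"
    "PasswordHistorySize = 24\n";

/* Parse "[Section]" / "Key = Value" text into a SettingSet (numeric values
 * only); comment (';') and section header lines are skipped. Returns count. */
int parse_template(const char *text, SettingSet *out) {
    const char *p = text;
    out->n = 0;
    while (*p && out->n < MAX_SETTINGS) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);
        if (line[0] == '\0' || line[0] == '[' || line[0] == ';') continue;
        char *eq = strchr(line, '=');
        if (!eq) continue;
        *eq = '\0';
        char *k = line;
        while (*k == ' ') k++;                          /* trim key both sides */
        char *kend = k + strlen(k);
        while (kend > k && kend[-1] == ' ') *--kend = '\0';
        Setting *s = &out->s[out->n++];
        snprintf(s->key, sizeof s->key, "%s", k);
        s->value = strtol(eq + 1, NULL, 10);            /* strtol skips blanks */
    }
    return out->n;
}

static Setting *find_setting(SettingSet *set, const char *key) {
    for (int i = 0; i < set->n; i++)
        if (strcmp(set->s[i].key, key) == 0) return &set->s[i];
    return NULL;
}

/* Analyze: one report line per deviation from the template; returns the count. */
int analyze_system(SettingSet *current, const SettingSet *tmpl,
                   char *report, size_t cap) {
    int deviations = 0;
    size_t used = 0;
    report[0] = '\0';
    for (int i = 0; i < tmpl->n; i++) {
        const Setting *want = &tmpl->s[i];
        Setting *have = find_setting(current, want->key);
        if (have && have->value == want->value) continue;
        deviations++;
        int w = have
            ? snprintf(report + used, cap - used, "%s: template=%ld current=%ld\n",
                       want->key, want->value, have->value)
            : snprintf(report + used, cap - used, "%s: template=%ld current=<unset>\n",
                       want->key, want->value);
        if (w > 0 && (size_t)w < cap - used) used += (size_t)w;
    }
    return deviations;
}

/* Configure: apply the template, adding absent settings; returns how many changed. */
int configure_system(SettingSet *current, const SettingSet *tmpl) {
    int changed = 0;
    for (int i = 0; i < tmpl->n; i++) {
        const Setting *want = &tmpl->s[i];
        Setting *have = find_setting(current, want->key);
        if (!have) {
            if (current->n >= MAX_SETTINGS) continue;   /* model's fixed capacity */
            have = &current->s[current->n++];
            snprintf(have->key, sizeof have->key, "%s", want->key);
            have->value = want->value;
            changed++;
        } else if (have->value != want->value) {
            have->value = want->value;
            changed++;
        }
    }
    return changed;
}

int main(void) {
    SettingSet tmpl, current;
    char report[512];
    parse_template(SAMPLE_TEMPLATE, &tmpl);
    parse_template(SAMPLE_CURRENT, &current);
    int n = analyze_system(&current, &tmpl, report, sizeof report);
    printf("Analysis: %d deviation(s)\n%s", n, report);
    printf("Configure: %d setting(s) changed\n", configure_system(&current, &tmpl));
    n = analyze_system(&current, &tmpl, report, sizeof report);
    printf("Re-analysis: %d deviation(s)\n", n);
    return 0;
}
```

Running it reports two deviations (a weaker MinimumPasswordLength and an unset LockoutBadCount), applies both, and a second analysis reports none; this is the same analyze, reconfigure, re-analyze loop the slides describe for Security Configuration Manager and for attachment engines.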
(Diagram: core engine; snap-in; extension snap-ins; attachment engines)

Attachment Model
MMC extension snap-in
- Populated under individual templates
- Populated under inspection for analysis
- Well defined interfaces provided
  - No direct communication with templates
- Called during
  - SCE Save
  - SCM Save
- To support in place editing of
  - Configurations
  - Database configuration

Code sample

(Diagram: security configuration editor snap-in <-> attachment extension snap-in, via IDataObject clipboard format)

Extension Snap-In
- Implement required MMC Interfaces for an extension snap-in
- Register as extension to security configuration editor
- Additionally, implement another interface
- Use SeCEdit provided interface as required

Supplied COM Interface
ISceSvcAttachmentData
- Provided by SCTS Snap-ins
- Call Initialize() to set up context
- Call GetData() to get Attachment specific data
- Call FreeBuffer() to release memory
- Call FreeHandle() to release context

Code sample
COM Interface To Implement
ISceSvcAttachmentPersistInfo
- Implemented by Extension snap-in
- SCTS snap-ins call
  - IsDirty() to check user edits in the extension
  - Save() to get the data that needs to be saved
  - FreeBuffer() to let the extension free memory it allocated

Code sample
And Finally…

If You Are A Developer…
Think SECURE!!
- Evaluate your registry keys, files
  - Do you secure them?
  - Are they security sensitive?
- Plug in security attachments for your applications and services
  - Build an engine attachment
  - Build a MMC extension snap-in
- Use Setup APIs to setup securely

If You Are A Tester…
Think SECURE!!
- Stop running your tests under administrator account
  - Use a normal user account
- Test your components on secure systems
  - Use predefined configurations
  - Use the Editor to build custom configurations if needed

Availability
- Windows NT® 4.0 Service Pack 4
  - Security Configuration Editor
  - With built-in analysis tool
  - No Group Policy support
  - Use secedit.exe with Systems Management Server
- Windows NT 5.0
  - Complete tool set
- Use Service Pack release today!
- Provide us feedback to make it more useful…

Call To Action
- Use Security Configuration Editor
  - Define your own or customize existing configurations
- Use Group Policy Security Extension
  - Enforce security on a large number of systems
- Use Security Configuration Manager
  - Track, analyze and reconfigure system security

For More Information…
- White papers
  - Windows NT Security Configuration Tool Set
  - Guide to Securing Windows NT Installations
  - Group Policy
- Windows NT 5.0 Beta2 walkthroughs
- Microsoft Security Advisor