9 Hardening Servers
To create a baseline installation for your member servers only, the best practice is to create a new organizational unit in your domain, then move the computer objects representing the member servers into it, as shown with the Members object in Figure 9-2. This way, you can associate a GPO containing your security baseline with the member servers organizational unit and all the objects in that container will inherit the baseline security settings.

Figure 9-2 A container object for member servers in the Active Directory Users And Computers console
Tip: Do not put the computer objects for other types of systems, such as domain controllers or workstations, in your member servers organizational unit unless you want them to have the same baseline configuration as your member servers. Workstations do not need most of the configuration settings discussed in this lesson, and domain controllers have their own requirements. As a rule, you should place each type of computer that requires a different configuration in its own organizational unit.

Setting Audit Policies
Auditing is an important part of a secure baseline installation because it enables you to gather information about the computer's activities as they happen. If a security incident occurs, you want to have as much information about the event as possible, and auditing specific system elements makes the information available. The problem with auditing is that it can easily give you an embarrassment of riches. You can't have too much information when a security breach occurs, but most of the time your servers will be operating normally. If you configure the system to audit too many events, you can end up with enormous log files consuming large amounts of disk space and making it difficult to find the information you need. The object of an audit configuration is to achieve a balance between enough auditing information and too much.

Lesson 1 Creating a Baseline for Member Servers
When you configure Windows Server 2003 to audit events, the system creates entries in the Security log that you can see in the Event Viewer console (see Figure 9-3). Each audit entry contains the action that triggered the event, the user and computer objects involved, and the event's date and time.

Figure 9-3 The Event Viewer console
A GPO's audit policies are located in the Group Policy Object Editor console in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy container, as shown in Figure 9-4.

Figure 9-4 The Audit Policy container in the Group Policy Object Editor console

Each policy creates an audit entry in response to the following events:
- Audit Account Logon Events: A user logging on to or off another computer. The policy uses this computer to authenticate the account. This policy is intended primarily for domain controllers, which authenticate users as they log on to other computers. There is typically no need to activate this policy on a member server.
- Audit Account Management: Each account management event that occurs on the computer, such as creating, modifying, or deleting a user object, or changing a password. On a member server, this policy only applies to local account management events. If your network relies on Active Directory for its accounts, administrators seldom have to work with local accounts. However, activating this policy can detect unauthorized users who are trying to gain access to the local computer.
- Audit Directory Service Access: A user accessing an Active Directory object that has its own system access control list (SACL). This policy only applies to domain controllers, so there is no need for you to enable it on your member servers.
- Audit Logon Events: Users logging on to or off the local computer when the local computer or a domain controller authenticates them. You use this policy to track user logons and logoffs, enabling you to determine which user was accessing the computer when a specific event occurred.
- Audit Object Access: A user accesses an operating system element such as a file, folder, or registry key. To audit elements like these, you must enable this policy and you must enable auditing on the resource that you want to monitor. For example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or folder (see Figure 9-5), and then add the users or groups whose access to that file or folder you want to audit.
- Audit Policy Change: Someone changes one of the computer's audit policies, user rights assignments, or trust policies. This policy is a useful tool for tracking changes administrators make to the computer's security configuration. For example, an administrator might disable a policy temporarily to perform a specific task and then forget to reenable it. Auditing enables you to track the administrator's activities and notice the oversight.
- Audit Privilege Use: A user exercises a user right. By default, Windows Server 2003 excludes the following user rights from auditing because they tend to generate large numbers of log entries: Bypass Traverse Checking, Debug Programs, Create A Token Object, Replace Process Level Token, Generate Security Audits, Backup Files And Directories, and Restore Files And Directories.
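
One way to check a member server against the guidance above, as an added example that is not part of the original text: it parses the [Event Audit] section of a security template (the format written by `secedit /export`, already decoded to text) and reports deviations. The REQUIRED set, the handling of absent keys, the function names and the sample template are assumptions of this example; the AuditSystemEvents and AuditProcessTracking keys also exist but are outside this section.

```python
import configparser

# [Event Audit] keys of a security template mapped to the policy names in the text.
POLICY_NAMES = {
    "AuditAccountLogon": "Audit Account Logon Events",
    "AuditAccountManage": "Audit Account Management",
    "AuditDSAccess": "Audit Directory Service Access",
    "AuditLogonEvents": "Audit Logon Events",
    "AuditObjectAccess": "Audit Object Access",
    "AuditPolicyChange": "Audit Policy Change",
    "AuditPrivilegeUse": "Audit Privilege Use",
}
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}
# From the text: aimed at domain controllers, so left off on a member server.
DC_ONLY = {"AuditAccountLogon", "AuditDSAccess"}
# Assumption of this example: a member server audits at least one outcome of these.
REQUIRED = {"AuditAccountManage", "AuditLogonEvents", "AuditPolicyChange"}

def read_event_audit(inf_text):
    """Return {key: int} for the known keys of the [Event Audit] section."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {k: int(v) for k, v in parser.items("Event Audit") if k in POLICY_NAMES}

def check_member_server(inf_text):
    """Return (policy, current setting, finding) for each deviation from the baseline."""
    current = read_event_audit(inf_text)
    findings = []
    for key, name in POLICY_NAMES.items():
        value = current.get(key, 0)  # assumption: an absent key counts as "No auditing"
        if key in DC_ONLY and value != 0:
            findings.append((name, SETTINGS.get(value, str(value)), "intended for domain controllers"))
        elif key in REQUIRED and value == 0:
            findings.append((name, SETTINGS[value], "not audited"))
    return findings

# Constructed sample, not exported from a real server.
SAMPLE_INF = """[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 0
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 1
AuditPrivilegeUse = 0
"""
```

Audit Object Access and Audit Privilege Use are read but not judged, because their value depends on the SACLs and user rights in use on the server.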