windows nt security management: extending windows nt 5.0 security management tools, part 2 praerit...

Windows NT® Security Management: Extending Windows NT 5.0 Security Management Tools, Part 2
Praerit Garg, Program Manager, Windows NT Security, Microsoft Corporation


DESCRIPTION

Customer Questions: How do we easily…
- Implement security recommendations?
- Duplicate settings to every new system added?
- Track security measures on a regular basis?
- Enforce similar security measures across a large number of systems in the enterprise?

TRANSCRIPT

Page 1: Windows NT  Security Management: Extending Windows NT 5.0 Security Management Tools, Part 2 Praerit Garg Program Manager Windows NT Security Microsoft

Windows NT® Security Management: Extending Windows NT 5.0 Security Management Tools, Part 2

Praerit Garg, Program Manager, Windows NT Security, Microsoft Corporation

Page 2: Today's Agenda

- What is Security Configuration Tool Set?
- What problems does it solve?
- As a developer, how can you leverage this framework?
- Finally, some guidelines

Page 3: Customer Questions

How do we easily…
- Implement security recommendations?
- Duplicate settings to every new system added?
- Track security measures on a regular basis?
- Enforce similar security measures across a large number of systems in the enterprise?

Page 4: Security Configuration Tool Set

- Security Configuration Editor: define the security configurations; predefined configurations included
- Security Configuration Manager: apply configurations and analyze
- Group Policy Editor Security Extension: propagate configurations to multiple systems
- SecEdit.exe: command line tool

Page 5: Security Configuration Editor

- Define security configurations
- Edit and save to configuration files

Page 6: A Security Configuration

Covers various security areas:
- Account policies: password, account lockout and Kerberos
- Local policies: auditing, user rights…
- Restricted groups: Administrators, Power Users…
- Registry and File System: object security descriptors
- Services: startup mode and security descriptors

Page 7: Security Configuration Manager

- Analyze current configuration
- Compare to stored configuration
- Reconfigure to fix problems
- Single machine only
- Database driven: import configurations; multiple configurations; apply/edit stored configurations

Page 8: Group Policy Editor

- Hierarchical set of group policy objects: Domain Policy Objects (GPOs); Organizational Unit Policy Objects (GPOs)
- Computers in the same OU have the same security policy settings: DCs, desktops, application servers

Page 9: Group Policy Editor Security Extension

- Computer settings, security settings
- Define or import a security configuration as part of a Group Policy object
- Applied as part of Group Policy enforcement in the enterprise
- Policy from multiple scopes accumulated

Page 10: Demonstration

- Editing configurations with Security Configuration Editor
- Applying configurations and performing analysis with Security Configuration Manager
- Configuring security policies using Group Policy Security Settings Extension

Page 11: Answer To Problem #1

How do we easily implement security recommendations?
- Use the provided secure configurations
- Customize them for your environment, e.g., new name for admin account
- Import configuration to system database and select "Configure"

Page 12: Answer To Problem #2

How do we easily duplicate security configuration?
- "Export" configuration from the system of choice and save it
- Copy the configuration to a share
- Apply the configuration to a large number of machines: manually; using Systems Management Server; Group Policy…

Page 13: Answer To Problem #3

How do I track security on a regular basis?
- Analyze using the Security Configuration Manager; reconfigure to fix deviations; edit to implement new settings
- Systems Management Server + Security Configuration Manager: secedit.exe to collect analysis via Systems Management Server; Manager to locate/fix problems

Page 14: Answer To Problem #4

How do I enforce similar security measures across a large number of systems in the enterprise?
- Use Group Policy to define a configuration at a scope; it is propagated to all systems in that scope
- Use Systems Management Server to apply configurations using the "secedit.exe" command line

Page 15: How Does This All Work?

Page 16: Tool Set Architecture

- Client/server based: Server - scesrv.exe; Client Interface - scecli.dll
- Clients: Security Configuration Editor; Security Configuration Manager; Security Extension to GPE; Winlogon Security Policy GP Extension; NT SETUP, Setup APIs and DC Promotion; LSA Downlevel Policies Filter

Page 17: Core Infrastructure

(Diagram)
- Engine Server (scesrv.exe): configure system; analyze system; persist state in database (inspection database)
- Engine Client (scecli.dll): communicate with server; edit configuration files

Page 18: Working With Configuration Files

(Diagram) Configuration files are edited through the Engine Client (scecli.dll), which communicates with the server, by the Security Configuration Editor and by the Security Settings Extension to Group Policy Editor.

Page 19: Working With OS

(Diagram) NT Setup, DC Promotion and the Setup APIs supply the default configuration; the Winlogon Security GP Ext. supplies Group Policies. Both reach the Engine Server (scesrv.exe) and the inspection database through the Engine Client (scecli.dll).

Page 20: Backward Compatibility

(Diagram) LSA calls into the Engine Client (scecli.dll); a "DC?" decision (YES / NO) leads to the Engine Server (scesrv.exe) and the inspection database.

Page 21: Enterprise Policy Enforcement

- Group Policy enforced via ZAW framework
- Client pulls policies and applies them
- Security policies included
- Integrity protected, low network traffic

Page 22: How Can This Be Extended To Support Application Or Service Specific Security?

Page 23: An Infrastructure To Build On…

Problems:
- Security is very broad
- Customer configurations and concerns vary
- The system is ever improving and growing

Solution - service attachment model:
- Provide an extensibility framework
- Fit security of your services
- You can build custom solutions

Page 24: Extension Framework

(Diagram)
- Engine Server (scesrv.exe): configure system; analyze system; persist state in database
- Engine Client (scecli.dll): communicate with server; edit configuration files
- Attachment engines
- Extension snap-ins for attachments

Page 25: Attachment Model

Two pieces to implement:
- Attachment engine DLL
- MMC extension snap-in DLL

Attachment engine:
- A DLL which implements well-defined interfaces
- Registers at install time
- Interfaces invoked by SCTS during configuration and inspection

Page 26: Attachment Model

(Diagram: core engine, snap-in, extension snap-ins, attachment engines)

MMC extension snap-in:
- Populated under individual templates
- Populated under inspection for analysis
- Well-defined interfaces provided
- No direct communication with templates or database

Page 27: Win32® Helper APIs - sddl.h

- ConvertSecurityDescriptorToStringSecurityDescriptor: converts a self-relative security descriptor into a string representation
- ConvertStringSecurityDescriptorToSecurityDescriptor: converts a string security descriptor to a self-relative binary form
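As an added example (not code from the deck), a small parser for the string form those two helpers exchange, written in portable C so it runs without Windows: it splits a descriptor into owner, group and DACL entries and counts allow ACEs that give a broad principal write access; the alias list and access-mask bits are my choice.

```c
/* Parser for the string security descriptor format ("O:owner G:group
 * D:[flags](ace)(ace)...") that the sddl.h helpers above convert to and from.
 * Added example, not from the deck: portable C with no Windows headers, it
 * parses the text only and flags allow-ACEs that give broad principals such as
 * Everyone (WD) or Authenticated Users (AU) any kind of write access. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ACES 16
#define FLD 48                                   /* max length of one field */
typedef struct { char type[FLD], flags[FLD], rights[FLD], sid[FLD]; } Ace;
typedef struct { char owner[FLD], group[FLD]; int ace_count; Ace aces[MAX_ACES]; } Sddl;

/* Parse "(type;flags;rights;object_guid;inherit_guid;sid)" starting at '('.
 * The two GUID fields matter only for directory objects and are discarded. */
static const char *parse_ace(const char *p, Ace *a) {
    char skip[FLD], *slot[6] = { a->type, a->flags, a->rights, skip, skip, a->sid };
    for (int i = 0; i < 6 && *p && *p != ')'; i++) {
        size_t n = strcspn(++p, ";)"), c = n < FLD ? n : FLD - 1;
        memcpy(slot[i], p, c); slot[i][c] = '\0';
        p += n;                                  /* now at ';', ')' or end */
    }
    return *p == ')' ? p + 1 : p;
}

/* Parse the O:, G: and D: sections; the S: (SACL) section is skipped here. */
bool sddl_parse(const char *s, Sddl *d) {
    memset(d, 0, sizeof *d);
    while (*s) {
        char sect = s[0];
        if (!strchr("OGDS", sect) || s[1] != ':') return false;
        const char *end = s + 2;                 /* section runs to the next X: */
        while (*end && !(strchr("OGDS", *end) && end[1] == ':')) end++;
        if (sect == 'O' || sect == 'G') {
            if (end - s - 2 >= FLD) return false;
            memcpy(sect == 'O' ? d->owner : d->group, s + 2, (size_t)(end - s - 2));
        } else if (sect == 'D') {
            const char *p = strchr(s, '(');      /* skip DACL flags such as "PAI" */
            while (p && p < end && *p == '(' && d->ace_count < MAX_ACES)
                p = parse_ace(p, &d->aces[d->ace_count++]);
        }
        s = end;
    }
    return true;
}

/* True for an allow ACE whose rights can modify the object: generic/file/key
 * write or full access, delete, WRITE_DAC, WRITE_OWNER, or a raw hex mask
 * containing GENERIC_ALL|GENERIC_WRITE|WRITE_OWNER|WRITE_DAC|DELETE|FILE_WRITE_*. */
static bool ace_allows_write(const Ace *a) {
    static const char *w[] = { "GA","GW","FA","FW","KA","KW","WD","WO","SD",
                               "WP","CC","DC","DT","SW","CR" };
    if (strcmp(a->type, "A") != 0) return false;
    if (strncmp(a->rights, "0x", 2) == 0)
        return (strtoul(a->rights, NULL, 16) & 0x500D0116UL) != 0;
    for (size_t i = 0; a->rights[i] && a->rights[i + 1]; i += 2)
        for (size_t j = 0; j < sizeof w / sizeof *w; j++)
            if (strncmp(a->rights + i, w[j], 2) == 0) return true;
    return false;
}

/* Parse, then count ACEs granting write access to a broad principal (Everyone,
 * Authenticated Users, Users, Interactive, Anonymous); -1 if not well formed. */
int broad_write_count(const char *sddl) {
    static const char *broad[] = { "WD", "AU", "BU", "IU", "AN" };
    Sddl d; int hits = 0;
    if (!sddl_parse(sddl, &d)) return -1;
    for (int i = 0; i < d.ace_count; i++)
        for (size_t j = 0; j < sizeof broad / sizeof *broad; j++)
            if (!strcmp(d.aces[i].sid, broad[j]) && ace_allows_write(&d.aces[i])) hits++;
    return hits;
}

int main(void) {                                 /* constructed sample descriptors */
    printf("%d %d\n", broad_write_count("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"),
           broad_write_count("O:BAG:SYD:(A;;KA;;;WD)"));   /* Users read-only: 0; Everyone KA: 1 */
    return 0;
}
```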

Page 28: Data Structures And Functions

- Callback structure: context handle; PFSCE_QUERY_INFO callback; PFSCE_SET_INFO callback; PFSCE_FREE_INFO callback; PFSCE_LOG_INFO callback
- Configuration structure: modified configuration information

Page 29: Attachment Interfaces

    SCESTATUS SceSvcAttachmentConfig(
        IN PSCESVC_CALLBACK_INFO pSceCbInfo
    );

    SCESTATUS SceSvcAttachmentAnalyze(
        IN PSCESVC_CALLBACK_INFO pSceCbInfo
    );

    SCESTATUS SceSvcAttachmentUpdate(
        IN PSCESVC_CALLBACK_INFO pSceCbInfo,
        IN PSCESVC_CONFIGURATION_INFO ServiceInfo
    );

Page 30: Attachment Interface 1: SceSvcAttachmentConfig

- Called during: SCM "Configure"; GP "Refresh Policy"
- Configure attachment-specific security information
- Use callback functions
- Code sample

Page 31: Attachment Interface 2: SceSvcAttachmentAnalyze

- Called during SCM "Analyze"
- Inspect attachment-specific security settings
- Use callback functions
- Code sample

Page 32: Attachment Interface 3: SceSvcAttachmentUpdate

- Called during: SCE Save; SCM Save
- To support in-place editing of: configurations; database configuration
- Code sample
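An added example, not Microsoft's code, of the analysis path in this model (interface 2): the callback structure and configuration structure are simplified stand-ins for the scesvc.h types named on the earlier slides, and the hypothetical service's settings and the host-side callbacks are constructed so the flow compiles and runs without Windows.

```c
/* Skeleton of an attachment engine in the attachment model above: the core
 * engine passes a callback structure (context handle plus query/set/free/log
 * callbacks) and the DLL exports SceSvcAttachmentConfig/Analyze/Update. Added
 * example, not Microsoft's code: the types are simplified stand-ins for the
 * scesvc.h definitions so the flow compiles without Windows. */
#include <stdio.h>
#include <string.h>
typedef unsigned long SCESTATUS;                 /* 0 means success */
typedef void *SCE_HANDLE;                        /* opaque context handle */
typedef struct { const char *Key, *Value; } SCESVC_CONFIGURATION_LINE;
typedef struct { unsigned Count; const SCESVC_CONFIGURATION_LINE *Lines; }
    SCESVC_CONFIGURATION_INFO;
/* Stand-in callback signatures: query stored configuration, record one
 * analysis result, free engine-owned memory, log a message. */
typedef SCESTATUS (*PFSCE_QUERY_INFO)(SCE_HANDLE, const SCESVC_CONFIGURATION_INFO **);
typedef SCESTATUS (*PFSCE_SET_INFO)(SCE_HANDLE, const char *key, const char *actual);
typedef void (*PFSCE_FREE_INFO)(const void *);
typedef void (*PFSCE_LOG_INFO)(const char *msg);
typedef struct {
    SCE_HANDLE sceHandle;
    PFSCE_QUERY_INFO pfQueryInfo;
    PFSCE_SET_INFO pfSetInfo;
    PFSCE_FREE_INFO pfFreeInfo;
    PFSCE_LOG_INFO pfLogInfo;
} SCESVC_CALLBACK_INFO, *PSCESVC_CALLBACK_INFO;

/* Constructed "live" settings of the hypothetical service being attached. */
static const SCESVC_CONFIGURATION_LINE live[] = {
    { "AllowAnonymous", "1" }, { "MaxLogSizeKB", "1024" } };
static const char *live_value(const char *key) {
    for (size_t i = 0; i < sizeof live / sizeof *live; i++)
        if (strcmp(live[i].Key, key) == 0) return live[i].Value;
    return NULL;                                 /* setting not present */
}

/* Attachment interface 2: compare each stored line with the live setting and
 * report every deviation through pfSetInfo; returns the engine status. */
SCESTATUS SceSvcAttachmentAnalyze(PSCESVC_CALLBACK_INFO cb) {
    const SCESVC_CONFIGURATION_INFO *cfg = NULL;
    SCESTATUS rc = cb->pfQueryInfo(cb->sceHandle, &cfg);
    if (rc != 0 || cfg == NULL) return rc ? rc : 1UL;
    for (unsigned i = 0; i < cfg->Count && rc == 0; i++) {
        const char *actual = live_value(cfg->Lines[i].Key);
        if (actual && strcmp(actual, cfg->Lines[i].Value) == 0) continue;
        char msg[128];
        snprintf(msg, sizeof msg, "%s: expected %s, found %s", cfg->Lines[i].Key,
                 cfg->Lines[i].Value, actual ? actual : "<missing>");
        cb->pfLogInfo(msg);
        rc = cb->pfSetInfo(cb->sceHandle, cfg->Lines[i].Key, actual ? actual : "");
    }
    cb->pfFreeInfo(cfg);                         /* buffer belongs to the core */
    return rc;
}

/* Constructed host side standing in for scesrv.exe/scecli.dll: the stored
 * configuration, and callbacks that count the deviations the DLL reports. */
static const SCESVC_CONFIGURATION_LINE stored[] = {
    { "AllowAnonymous", "0" }, { "MaxLogSizeKB", "1024" }, { "RequireTLS", "1" } };
static const SCESVC_CONFIGURATION_INFO stored_info = { 3, stored };
static int deviations;
static SCESTATUS host_query(SCE_HANDLE h, const SCESVC_CONFIGURATION_INFO **out) {
    (void)h; *out = &stored_info; return 0; }
static SCESTATUS host_set(SCE_HANDLE h, const char *key, const char *actual) {
    (void)h; (void)key; (void)actual; deviations++; return 0; }
static void host_free(const void *p) { (void)p; }
static void host_log(const char *msg) { printf("[analysis log] %s\n", msg); }

/* Run one analysis pass; returns the number of deviations, or -1 on error. */
int run_analysis(void) {
    SCESVC_CALLBACK_INFO cb = { NULL, host_query, host_set, host_free, host_log };
    deviations = 0;
    return SceSvcAttachmentAnalyze(&cb) == 0 ? deviations : -1;
}
int main(void) { printf("%d deviation(s)\n", run_analysis()); return 0; }
```

With the constructed data, AllowAnonymous differs from the stored value and RequireTLS is missing on the live system, so the pass reports two deviations.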

Page 33: Extension Snap-In

(Diagram: security configuration editor snap-in and attachment extension snap-in exchange data through an IDataObject clipboard format)

- Implement required MMC interfaces for an extension snap-in
- Register as extension to security configuration editor
- Additionally, implement another interface
- Use SeCEdit-provided interface as required

Page 34: Supplied COM Interface: ISceSvcAttachmentData

- Provided by SCTS snap-ins
- Call Initialize() to set up context
- Call GetData() to get attachment-specific data
- Call FreeBuffer() to release memory
- Call FreeHandle() to release context
- Code sample

Page 35: COM Interface To Implement: ISceSvcAttachmentPersistInfo

- Implemented by extension snap-in
- SCTS snap-ins call:
  - IsDirty() to check user edits in the extension
  - Save() to get the data that needs to be saved
  - FreeBuffer() to let the extension free memory it allocated
- Code sample

Page 36: And Finally…

Page 37: If You Are A Developer…

- Think SECURE!!
- Evaluate your registry keys, files: do you secure them? Are they security sensitive?
- Plug in security attachments for your applications and services: build an engine attachment; build an MMC extension snap-in
- Use Setup APIs to set up securely

Page 38: If You Are A Tester…

- Think SECURE!!
- Stop running your tests under the administrator account; use a normal user account
- Test your components on secure systems: use predefined configurations; use the Editor to build custom configurations if needed

Page 39: Availability

- Windows NT® 4.0 Service Pack 4: Security Configuration Editor with built-in analysis tool; no Group Policy support; use secedit.exe with Systems Management Server
- Windows NT 5.0: complete tool set
- Use the Service Pack release today! Provide us feedback to make it more useful…

Page 40: Call To Action

- Use Security Configuration Editor: define your own or customize existing configurations
- Use Group Policy Security Extension: enforce security on a large number of systems
- Use Security Configuration Manager: track, analyze and reconfigure system security

Page 41: For More Information…

- White papers: Windows NT Security Configuration Tool Set; Guide to Securing Windows NT Installations
- Group Policy: Windows NT 5.0 Beta2 walkthroughs
- Microsoft Security Advisor: http://www.microsoft.com/security
