Session Start: Wed Nov 20 17:48:38 2002
Session Ident: #gottit
* Logging #gottit to 'logs\#gottit.zoite.log'
I'm the onsite EE
EE?
And please don't flood the channel with questions until I finish
oh nm penfold's starting
shhhhhhh
lol
This lecture will be a brief overview of the Microsoft Management Console and how to use it effectively to increase security on your Microsoft Windows XP machine. My experience with the Microsoft Management Console (which I will refer to as MMC) is primarily based on Microsoft Windows XP Professional. I shall outline how to use MMC to set policies such as account lockout procedures, auditing resources & events, and how to actively set local security policies. Any questions regarding my lecture should be kept until the end and I will answer accordingly. I will compensate with delays to ensure you follow along...
Firstly please forgive any typos I make in this lecture as my keyboard is generally typo prone *cough*. My aim here is to take you through Local Security Policy Computer Configuration via MMC and how to increase local security overall.
The first thing we will do is open our MMC by running 'MMC' from our command line or run line. A console window should pop up and should be called Console1 by default. You should also see a sub-window called Console Root, which is where our policy headings will be listed. Go to File and run 'Add/Remove Snap-in'. You will now see another window with an Add button on the bottom left. Click this and you will see a snap-in listing. We will select Group Policy. ( example @ http://penfold.systemloop.net/mmc-lecture/group-snap.jpg ). Click Add and, with this being a locally based security policy, we leave the default of 'Local Computer' and click Finish. We will then click Close on the 'Standalone Snap-in' window. We should now see that we have a Local Security Policy snap-in added to our Console Root. ( example @ http://penfold.systemloop.net/mmc-lecture/console-root.jpg ).
We can then click OK, where we will now see a Local Security Policy tab in our Console Root listing. I will give you a moment to briefly look over my screenshots to ensure you are still with me. And also to taste this wonderful brew of tea :)
Providing you are still with me I will move on to some basic security by using our drop-down list and editing our local security policies. If we click the Local Security Policy tab we will see a drop-down list consisting of two items. We want to go to Computer Configuration :: Windows Settings :: Security Settings. To start with some brief security settings I will take you through a simple Password Policy. Now that we are in the Security Settings tab, we can click on Password Policy, where we can change the values of each policy as we desire. Take a look at Maximum password age. By default it should be set to 42 days as far as I recollect. Should you be maintaining a large network it would be wise to require your users to change their passwords at least once a month. This increases overall security and ensures that your users do not use the same password all year round, which could be easily reverse engineered over a long period of time.
Now that we have ensured constant changing of user passwords we can also change our account logon attempt lockout policy. If we go back to our tab list, we will see, right under our Password Policy, an Account Lockout Policy. To keep away any standard person who could throw a random dictionary list at the login, we can set our lockout threshold to 3 - 5 attempts. This will stop all chances of a brute force attack on your system and once again increase local security. You can also set the account lockout duration. This is purely up to you as to how long you wish for the account to be locked out. By default it will be set to 30 minutes unless you specify otherwise. Also you can set the duration of the lockout counter, which you should set to the same duration as the account lockout duration.
Otherwise it may cause unwanted complications by a user making a typo while logging in.
Now that we have grasped the basic concept of MMC we can move on to our Audit Policy. Before we move on: to enable auditing of files and folders, they must be held on NT File System (NTFS) volumes. If we look at our Audit Policy we will see such listings as Audit Logon Events. We can set it, purely for demonstration purposes, to Success & Failure by right clicking the Audit Logon Events line and selecting the values in the properties. We will now have to restart our machine for our changes to take effect. Now once we attempt to log in I want you to put in an incorrect password on purpose and then log in as normal. Upon logging in go to Control Panel :: Administrative Tools :: Event Viewer. On our left nav bar we can click on Event Viewer (Local) :: Security and then right click and select Properties in the opposite window with the event listings. We can then go to Filter and change the event ID to 537 (ID of an invalid logon). We will then see an event list of all invalid logons and it will now show our latest invalid logon attempt ( example @ http://penfold.systemloop.net/mmc-lecture/537.jpg ). We now have a log of all the invalid login attempts. We can also click Properties on the event and read through more details of the Failure Audit. It should give you details of the username of the invalid login, the domain name and the time ( which may come in very handy for narrowing down a culprit ). You will also see the event ID in the event listing of the audit; in due time you will remember common IDs so you can use your filter to filter them out very rapidly. While you are in your Event Viewer you can also check your Application and System tabs but that is beyond the scope of this lecture.
We can also use auditing on objects rather than events. We can use events of an object to trigger an audit log.
For example, if we gave a Delete audit to a file or folder, it would be added to the Security Event Viewer we previously used for the invalid logon attempt. To enable auditing of an object we simply right click the object and go to Properties :: Security :: Advanced :: Auditing and go to Add. We can then add auditing for a user or group; in my example I will add dcuser17 for auditing events. ( example @ http://penfold.systemloop.net/mmc-lecture/dcuser17.jpg ). We can then apply our attributes accordingly for what events we wish to view. Given we add an audit of Delete for dcuser17, any time that user deletes a file from that folder or its subfolders ( which is the default but can be changed in the same attributes window from a drop-down list ) it will trigger an audit event and will be added to our Security Event Viewer with the same information as our logon failure above. This can be very handy for tracking down people reading or attempting to delete certain system logs or files on our system which we need to keep secure. This came in very handy on a network in class when a member of the network was caught editing a server log. Time and user information will be stored in the Security Event Viewer and it will, sometime in your career as a network admin, come in very useful for hunting down network annoyances :) Just as an event can trigger a log entry that can be viewed in the Event Viewer, an action on an object can also trigger a log entry to be added to the Event Viewer.
There are many more security policies which can be modified in your Microsoft Management Console ( MMC ) but they are beyond the scope of this lecture. I suggest you read through the details of each policy and read each description for increased local security. With this being the end of my *brief* lecture on the Microsoft Management Console & Auditing, I hope you have all learned from this.
The NT family may be bashed from time to time but for anybody who can utilise local security effectively it can be one of the most secure operating system families commercially available. If I get time I will go more in depth in a second lecture but as for now this is all I could put together with the time I had. Any questions regarding MMC or Auditing I'll take now but please don't stray from the topic :)
404 on console-root.jpg, 404 on 537.jpg, 404 on dcuser17.jpg, I think my browser has gone insane =)
haha
sorel
sorel
it may be case sensitivity on my server, let me fix
mm. got the first pic ok tho =)
go just to the directory
I apologise, I should have checked firsthand.
penfold, that was a great lecture, thx
ty morph.
Session Close: Wed Nov 20 17:58:21 2002