Posts Tagged ‘In the Trenches’

In the Trenches » Another Tech Chat – Affects of zotab and patch management

Monday, August 22nd, 2005

In the Trenches » Another Tech Chat – Affects of zotab and patch management

Particapated in another tech chat!

Havnt been blogging much cause I cant blog from work, and evenings are WoW..

ITT: Using Security Templates and the SCW in Windows Server 2003

Friday, August 12th, 2005

I finally got my nerve together and recorded an Admin-to-Admin segment for the In The Trenches podcast

Article here: http://kevindevin.com/?p=156
Listen to the episode here: http://libsyn.com/media/inthetrenches/ITT-20050811.mp3

Here are the notes for my segment:

Using Security Templates

Uses

  • Enforcing security policy onto a Workstation or Server
  • Setting software restriction policy (name, hash, path)
  • Setting secured groups
  • Enforcing NTFS permissions
  • Enforcing Registry Permissions
  • Enforcing the status of Services

Pre-defined Security Templates:

C:windowssecuritytemplates

  • Compatws.inf – This is required by older applications that need to have weaker security to access the Registry and the file system.
  • DC security.inf – This is used to configure security of the Registry and File system of a computer that was upgraded from Windows NT to Windows 2000/2003.
  • Hisecdc.inf – This is used to increase the security and communications with the domain controllers.
  • Hisecws.inf – This is used to increase security and communications for the client computers and member servers.
  • Notssid.inf – This is used to weaken security to allow older applications to run on Windows Terminal Services.
  • Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.
  • Securedc.inf – This is used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template.
  • Securews.inf – This is used to increase security and communications for the client computers and member servers.
  • Setup security.inf – This is used to reapply the default security settings of a freshly installed computer.

More security templates can be downloaded with the Windows Serverv2003 Security Guide: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

Add your own registry settings:

All security settings are in fact just registry settings. Add your own by editing the Sceregvl.inf file.

See the link to the MS article in show notes.

Group Policy:

Import into GPO’s Remember when modeling security settings, that Domain controller have their own local security settings set, like SMB signing.

MMC Snap ins:

  • Security Templates

Always make copies of the predefined templates to a different location

  • Security Configuration and Analysis

The Security “Database” , importing security Templates, and analyzing against the local system

Other usefull snapins for working on security templates with Group Policy:

  • Group Policy Management Console
  • Resultant Set of Policy
  • Local Policy

Service Pack 1 Security Configuration Wizard

Why did we need it?

Before we had Seperate management interfaces for:

  • Security settings and all the things the Templates covered
  • IIS Security
  • Windows Firewall Settings
  • Registry settings (required you to make your own ADM files and security template)
  • IP Security policy (GPO-centric)

SCW combined all these things, and adds advantages:

  • Everything combined into a single XML file ( easy to read and edit )
  • Can export to GPO or apply directly locally and remotely.
  • Import Security Templates
  • Can scan current system comfig and create baseline

Overlap in functionality:

  • CWS doesnt support NTFS and registry security
  • Templates dont cover IIS, IP Sec? or Firewall.

Neither SCW nor Security Templates cover the other features of Group or Local policy: Administrative Templates

You will need them BOTH to create a secure enviroment… use GPO’s as the end-result. Inport Security Templates into CWS files during creation, CWS settings take presedence. If used seperately, then you have to keep an eye on GPO presedence.

Links:

How to apply predefined security templates in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;816585

HOW TO: Analyze System Security in Windows Server 2003 http://support.microsoft.com/kb/816580/EN-US/

HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003 http://support.microsoft.com/kb/816297/EN-US/

How to Add Custom Registry Settings to Security Configuration Editor http://support.microsoft.com/default.aspx?scid=214752

Group Policy Home http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

Security Configuration Wizard for Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

Windows Server 2003 Security Guide http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

In the Trenches – Tech Chat – Corperate Collaboration Technologies

Sunday, February 6th, 2005

kevindevin.com » In the Trenches – Tech Chat – 02-04-2005

At 4am on Saterday morning I participated in a tech chat..  this time we had Jeremy Wright from ensight.com on board, as well as Kregge Steppe and Gerard Hickey. I especially wanted Jeremy on board, cause of his experience with corperate blogging, and his blogging experience in general. Jeremy as of course also set up a consulting company to facilitate companies in blogging and other colaborative technologies.

We discusses all manner of IT commication and collaboration technologies.

Had a great time as usual.

Another Tech-Chat @ In The Trenches

Saturday, January 15th, 2005

Just finished up on another tech chat for In The Trenches

Its really is so cool, I never get tired of participating in this stuff.  Originally we had Chuck Tomasi on board for the chat, but he had to leave, so we continued on with me, Kevin and Dave Johnson (Edave.org) on Security as the topic of focus, but ended up talking about all kinds of other stuff aswell. The tech chat when edited will be on the security stuff though..

A New tech chat @ In The Trenches

Sunday, December 5th, 2004

In The Trenches (The Podcast for sysadmins and IT professionals) has a new tech chat up, which I took part in again.

We talked far longer than we originally planned to, so we covered a bunch of topics;

Podcasting via Bittorrent

IE vs Firefox At home vs  corperate enviroments, pro’s and cons, managability, features, etc.

UK Department of Pensions crash 60K computers How it could happen, project management, procedures, and attituted towards IT security and robustness.

Itt-menu-small