Visit Derek’s web site dedicated to Windows Auditing and Security Tools, articles, books, forums, and more…
www.auditingwindows.com
We can all agree that Group Policy Objects are the de facto method for deploying security to all Windows computers in the enterprise. Not only do Group Policy Objects deploy security settings, but they can enforce the settings, making sure that the settings are reapplied without the computer needing to be restarted.
In addition to providing you with the keys for adding security settings to a Group Policy Object, I will also provide examples of security settings that you might have considered before. These additional examples will do more than provide you with an arsenal for securing computers in the domain. They will also provide an excellent resource for helping track down the security settings that you need to implement.
What is a security setting?
I must first indicate what I mean by security setting in this context. The security settings within a Group Policy Object (GPO) dictate particular security controls on clients, servers, and domain controllers within the Active Directory domain. The specific section in the GPO is actually referred to as “security options.” The security settings range in scope from removing access to drives, displaying a computer security message, and dictating the control over which authentication protocols are supported.
Although there are security settings in a GPO that direct the behavior and security of Internet Explorer, Windows Firewall, networking, and applications, customization of security settings does not deal with these areas. To get a better idea of what a security setting might encompass, here is a list of some of the more common security settings in a standard GPO:
- Digitally sign client communications
- Do not display the last user name in logon screen
- LAN Manager Authentication level
- Message text for users attempting to log on
- Number of previous logons to cache
- Allow anonymous SID/Name translation
- Let Everyone permissions apply to anonymous users
- Do not store LAN Manager hash value on next password change
Where can I find the security options?
There are many areas of a Group Policy Object (GPO) that deal with security. However, I am focusing on a single area of the GPO dealing with security. If you crack open a GPO and go to the Computer Configuration\Security Settings node, you will almost be there. You need to also expand the Local Policies\Security Options nodes. Figure 1 illustrates what you should be looking at when you get to the Security Options node.
Figure 1: GPO showing Security Options section under Computer Configuration
Linking security settings with security templates
You can see in Figure 1 that there is a section of the GPO that is named Security Settings. This entire section of the GPO can be configured by importing a security template into the GPO. The security template is a method to configure a suite of security settings in a controlled environment. After the security settings are configured in security templates for the different computers in the environment, they can be imported into the appropriate GPOs for automatic deployment to the computers.
To get a run down on what is included in a security template, refer to the article on Understanding Security Templates. To get information on how to configure the security templates and deploy them efficiently, refer to the article on Baselining with Security Templates.
What creates the security template structure?
The security portion of a GPO (Computer Configuration\Security Settings) is controlled mainly by the sceregvl.inf file. This file creates the interface and associated control points in the computer to control security. This file is located in the C:\Windows\inf folder on Windows Server 2003 computers and C:\Winnt\inf folder on Windows 2000 Server computers.
The security templates have a standard format for each entry that creates the interface in the security template. Figure 2 shows you a portion of the file, which might seem a bit confusing at first glance.
Figure 2: Portion of the sceregvl.inf file
Each of the entries follows the same format and syntax. There are four main fields to enter for a setting in the file.
- Field 1 – This is the full path to the Registry value. An example would be: MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
- Field 2 – This is the Registry value type. There are 5 different types, which will have a code associated with it in the setting entry. These are the 5 different types and their code.
1 – REG_SZ (string value)
2 – REG_EXPAND_SZ (expandable string value)
3 – REG_BINARY (binary value)
4 – REG_DWORD (4 byte long number)
7 – REG_MULTI_SZ (multiple string value) - Field 3 – This is the display name that shows up in the security template.
- Field 4 – This is the display type, which includes four possible values.
0 – Boolean
1 – Number
2 – String
3 – Choices
4 – Multivalued
5 – Bitmask
Note
If field 4 is “choices” or “bitmask”, then the range of values needs to be specified in the format of value|displaystring. An example would be:
3,0|LM,1|NTLM,2|NTLMv2,3|Kerberos
Here are some examples of entries in the standard sceregvl.inf file:
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,
1,%CachedLogonsCount%,1,%Unit-Logons%MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,
1,%LegalNoticeText%,2MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,
3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%
Note
The %name% entries are variables taken care of in the [Strings] section of the sceregvl.inf file. You can either use these variables, or use the text within the entry.
For the last example of the Driver Signing Policy, figure 3 illustrates what the security template interface shows for this entry.
Figure 3: Security template interface for an entry in the sceregvl.inf file
Customizing the sceregvl.inf file
The sceregvl.inf file can include any Registry entry. You just need to follow the format that is outlined in the section above. As I mentioned in the note above, you don’t need to use the [Strings] section, you can instead just put the text that will show up in the security template interface directly in the entry. This file can be changed to include other modifications within the computer, as long as you know the correct syntax and location of the setting.
Here is an example of a custom entry to the sceregvl.inf file:
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\
SynAttackProtect,4,”Syn Attack Protection against DoS”,3,0|”No additional protection”,1|”Time out sooner if Syn Attack is detected”
Here, the security entry will update the SynAttackProtect Registry entry with an entry of 0 or 1, depending on whether you want to keep the default setting (don’t protect against a Syn attack) or 1, which is to have the connection time out sooner if there is a Syn attack detected.
Making the new security entry stick
After you have made your change to the sceregvl.inf file, you now need to register the new entry with the computer. There is a DLL that dictates that the changes in the sceregvl.inf file take affect. This DLL is the scecli.dll, which stands for the security configuration editor client. To get the change to take for all new security templates, you need to register this DLL. You will use the following syntax from a command prompt on the computer where you are editing the GPOs.
Regsvr32 c:\windows\system32\scecli.dll
You should get confirmation that the registration succeeded. Now, after you open up the security template, or GPO from the computer where you registered the scecli.dll you will see the new entry, as shown in Figure 4.
Figure 4: New entry in the security template
Summary
If you now think about all of the security settings you would like to implement in a GPO, your problems are all solved! The security templates provide an excellent way to expand and control almost any security setting on a Windows computer. The steps are really not that hard to implement, it just takes a while to make sure the syntax is correct, then you need to register the DLL each time you make an update. There is one final step that is quite difficult, which is to track down all of the Registry entries for each security setting. That does take some research and effort. However, Microsoft has provided you with a good starting point on their Web site. If you just go to http://www.microsoft.com/technet/security/guidance/secmod57.mspx, you will find a list of security entries that Microsoft has created for you, which will get you started and provide an excellent means for continuing your research and implementation of custom security settings.
