Which of the following is a collection of security-related configuration settings on a computer

MCSE 70-293: Planning Server Roles and Server Security

Martin Grasdal, ... Dr. Thomas W. Shinder, Technical Editor, in MCSE (Exam 70-293) Study Guide, 2003

Using Security Configuration and Analysis to Apply Templates to a Local Computer

The Security Configuration and Analysis tool allows you to configure local computers by applying the settings in a security template to the local policy. The settings will apply only to the computer on which Security Configuration and Analysis is being run. They will not affect other machines in the domain.

The initial steps for configuring a local computer are similar to the steps involved in running an analysis. In the Security Configuration and Analysis console, select the Security Configuration and Analysis node in the left pane and click Action | Open Database. As described earlier in the “Using Security Configuration and Analysis to Analyze a Computer” section, use the Open database dialog box (see Figure 2.18) to either open an existing database or create a new one. If you are opening an existing database, you will be returned to the Security Configuration and Analysis tool. If you are creating a new database, the Import Template dialog box (see Figure 2.19) appears. In the Import Template dialog box, select the security template that will be applied to the local machine and click Open. The template is imported into the database, and you’re returned to the Security Configuration and Analysis tool. You can add other templates by selecting the Security Configuration and Analysis node again and clicking Action | Import Template. Check the Clear this database before importing check box if you want only the settings in the template being imported to be used in the database.

After you’ve added the templates to the database, you return to the Security Configuration and Analysis tool. You can apply the template by selecting the Security Configuration and Analysis node again and clicking Action | Configure Computer Now. In the dialog box that appears (see Figure 2.20), specify the filename and path of the error log file created for this process. Clicking OK in this dialog box will begin the configuration of the computer.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500063

Using Your Policies to Create Firewall and VPN Configurations

In Firewall Policies and VPN Configurations, 2006

Logical Security Configurations

Logical security configurations are documents that interpret written security policy requirements and define configuration requirements for a specific type of enforcement device, like a firewall or VPN product.

Unlike a device configuration for a specific vendor’s product or version, logical security configurations are written to common feature sets found in the target enforcement devices.

Logical security configurations are developed for a type or group of enforcement devices versus one for each device in your environment.

A specific written policy requirement or item is commonly used by many logical security configuration documents across the enterprise.


URL: https://www.sciencedirect.com/science/article/pii/B9781597490887500049

Domain 7

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

Baselining

Standardizing a security configuration is certainly important, but there is an additional consideration with respect to security baselines. Security baselining is the process of capturing a point-in-time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident. Assuming that the system or device in question was built from a standardized security baseline and that strong change control measures (see the Change Management section below) are adhered to, then there would be little need to capture the current security configuration. In the real world, however, unauthorized changes can and will occur in even the most strictly controlled environment, which necessitates the monitoring of a system's security configuration over time. Further, even authorized system modifications that adhere to the change management procedures need to be understood and easily captured. Another reason to emphasize continual baselining is because there may be systems that were not originally built to an initial security baseline. A common mistake that organizations make regarding system security is focusing on establishing a strong system security configuration, but failing to quickly and easily appreciate the changes to a system's security configuration over time.


URL: https://www.sciencedirect.com/science/article/pii/B978159749961300008X

Understanding XenApp Security

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Understanding Security Configuration and Remediation

Security configuration and maintenance at the server level can be a very demanding and time consuming task, even for a small environment. Many organizations have adopted the Information Technology Infrastructure Library (ITIL) methodology for IT management. ITIL is a collection of guidelines and techniques for managing IT infrastructure, development, and operations, shown in Figure 4.8. ITIL covers areas such as configuration management, change management, and security. Implementation of this initiative can prove to be invaluable for your organization. To help implement some of the recommendations presented in ITIL there are many third-party tools that can assist with security configuration compliance scanning, security compliance remediation, configuration management, etc. We have listed just a few software packages and their descriptions that can support the parts of the ITIL methodology.


Figure 4.8. Understanding the ITIL Methodology

BladeLogic Operations Manager performs, among other things, patch management, compliance measurement, enforcement, and reporting.

HP Data Center Automation Center is a suite of products that can perform patching, configuration management, script execution, compliance assurance, incident resolution, change orchestration, and many other tasks in a standardized and documented manner to enforce ITIL and compliance.

BMC Performance Manager for Servers provides server monitoring, process monitoring, log file monitoring, and Windows event log monitoring. (BMC has a product specifically for Citrix called BMC Performance Manager for Citrix Presentation Server, but this product deals primarily with Citrix performance monitoring and optimization.)

IBM Tivoli products include Compliance Insight Manager, which provides effective, automated user activity monitoring through high-level dashboard and compliance reporting; Risk Manager, which manages security incidents and vulnerabilities; Security Compliance Manager, which identifies security vulnerabilities and security policy violations; Security Information and Event Manager, which provides a centralized security and compliance management solution; and Security Operations Manager, which is designed to improve security operations and information risk management.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492812000044

Policy-Driven System Management

Henrik Plate, ... Stefano Paraboschi, in Computer and Information Security Handbook (Third Edition), 2013

Requirements Engineering

This PoSecCo application offers a Web-based environment for the specification, management, and monitoring of hierarchically organized security requirements (business policies in terms of PoSecCo). Requirements can be linked to various stakeholders within an organization to express responsibility, accountability, or interest, which allows the hierarchy of requirements to be tied to the organizational structure. Different fulfillment models allow specifying under which conditions a requirement is considered fulfilled, partially fulfilled, or not fulfilled, and whether such state changes can happen in an automated fashion or require human confirmation (which is limited in time to force the continuous revalidation of requirements). Furthermore, different reporting views allow users to monitor requirements, to see the compliance rate of organizational units with given laws or regulations.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000260

Securing Windows Server 2008 R2

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Security Configuration Wizard

The Security Configuration Wizard (SCW) is a handy tool that was released as a part of the tool suite for Windows 2003 SP1. Its purpose is to allow you to create role-based security policies that can then be applied to any server in your organization. It allows for the repeatable configuration of security settings across multiple servers in an organization while maintaining consistency and reduction of administrative overhead; basically, all the characteristics administrators look for in a tool!

SCW comes in two flavors: the first is a GUI-based, wizard-driven tool, while the second is a command prompt tool called scwcmd. One thing to keep in mind with both of these tools is that they do not perform any configuration changes related to installation and can only manipulate what already exists on the system. They are analysis tools that will examine the current state of your system and report on the findings. They will perform certain configuration-related actions on the local system, such as editing Windows Firewall settings and disabling unused services, but no new software installations can be performed with these tools. It is recommended that before you run the SCW you determine what applications will exist on the server for the particular role you are trying to secure. Then install and run those applications on the server where you are running SCW. This will ensure that SCW takes into consideration any ports and services required for those local applications when creating the security file.

When executed, SCW first prompts you for the action you are trying to perform. The choices are creating a new policy, editing an existing policy, applying a policy, and rolling back the last applied policy. These options are shown in Figure 10.12. Previously, rolling back was a task performed with the command line Scwcmd tool. With Windows Server R2, it is an available GUI-based option.


Figure 10.12. Security Configuration Wizard Configuration Options.

When selecting to create a new policy, the wizard will walk through analyzing your local system. It will allow you to review its findings of locally installed roles and features, and add or remove as appropriate. Part of the display will include a list of services that would be impacted if the new security policy were to be deployed to the local server. It will also allow you to select if you would like to evaluate and configure additional system settings such as network settings, registry settings, and auditing settings.

Once you complete the configuration settings, the last screen in the wizard will allow you to save your new security configuration file. However, before doing so, you will have the option to add Security Templates into the file if you would like. To save the file, you must choose a name and a file path. The file extension will be .xml. Once you have saved your new security file, you will be prompted to apply it to the local machine, but be aware that applying the file through the wizard imports the settings into the Local Computer Security Policy. These settings are always overridden by domain-based policies; however, it is a great idea to apply the policy locally anyway. Why? Well, by applying the policy to the local machine, you will be able to test to see if the computer has been impacted in the desired fashion. If there are problems with the machine after the policy has been applied, you can then use the wizard to roll back the policy and edit your .xml file to make the appropriate adjustments.

Once you are ready to deploy your policy on a larger scale, it is recommended to utilize Group Policy to target the appropriate machines. The Scwcmd command line tool will allow you to convert an SCW .xml security file to a GPO by issuing the scwcmd transform command. This will allow you to utilize the security file within AD and deploy it to multiple servers of the same role simultaneously. Before rolling out a new SCW security file through Group Policy, it is highly recommended that you test thoroughly.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000104

Domain 7: Security Operations (e.g., Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Baselining

Standardizing on a security configuration is certainly important, but there is an additional consideration with respect to security baselines. Security baselining is the process of capturing a point in time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident. Assuming that the system or device in question was built from a standardized security baseline, and also that strong change control measures are adhered to, then there would be little need to capture the current security configuration. However, in the real world, unauthorized changes can and will occur in even the most strictly controlled environment, which necessitates the monitoring of a system’s security configuration over time. Further, even authorized system modifications that adhere to the change management procedures need to be understood and easily captured. Another reason to emphasize continual baselining is because there may be systems that were not originally built to an initial security baseline. A common mistake that organizations make regarding system security is focusing on establishing a strong system security configuration, but failing to quickly and easily appreciate the changes to a system’s security configuration over time.


URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000084

Domain 9

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide, 2010

Baselining

Standardizing on a security configuration is certainly important, but there is an additional consideration with respect to security baselines. Security baselining is the process of capturing a point in time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident. Assuming that the system or device in question was built from a standardized security baseline, and also that strong change control measures (see Change Management section below) are adhered to, then there would be little need to capture the current security configuration. However, in the real world, unauthorized changes can and will occur in even the most strictly controlled environment, which necessitates the monitoring of a system's security configuration over time. Further, even authorized system modifications that adhere to the change management procedures need to be understood and easily captured. Another reason to emphasize continual baselining is because there may be systems that were not originally built to an initial security baseline. A common mistake that organizations make regarding system security is focusing on establishing a strong system security configuration, but failing to quickly and easily appreciate the changes to a system's security configuration over time.


URL: https://www.sciencedirect.com/science/article/pii/B978159749563900010X
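
The baselining excerpts above call for an easy way to capture a system's current security configuration and to see how it changes over time. As an added example (not taken from any of the quoted books), this Python code diffs two snapshots in the INF security-template format, the kind `secedit /export /cfg` writes on Windows; the snapshots, their values and the host are constructed for illustration.

```python
# Added example: drift check between two security-template (INF) snapshots.
# BASELINE and CURRENT are constructed sample data, not real exports.

LIST_SECTIONS = {"privilege rights"}       # values are unordered SID lists
IGNORED_SECTIONS = {"unicode", "version"}  # file bookkeeping, not settings

BASELINE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 5
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
"""

CURRENT = r"""
; later snapshot of the same (hypothetical) host
[System Access]
minimumpasswordlength = 8
LockoutBadCount = 5
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
"""


def parse_template(text):
    """Map (section, setting) -> value; names are compared case-insensitively."""
    settings, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or section in IGNORED_SECTIONS or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section in LIST_SECTIONS:       # order of SIDs carries no meaning
            value = frozenset(v.strip().upper() for v in value.split(",") if v.strip())
        settings[(section, key.lower())] = value
    return settings


def diff_baseline(baseline_text, current_text):
    """Return sorted (kind, section, setting, old, new) tuples for every drift."""
    base, cur = parse_template(baseline_text), parse_template(current_text)
    findings = []
    for name in sorted(base.keys() | cur.keys()):
        old, new = base.get(name), cur.get(name)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            findings.append((kind, *name, old, new))
    return findings


if __name__ == "__main__":
    for kind, section, setting, old, new in diff_baseline(BASELINE, CURRENT):
        print(f"{kind:8} [{section}] {setting}: {old!r} -> {new!r}")
```

Settings that appear only in the later snapshot are reported as "added", which is how a system never built to the baseline shows up; run against scheduled exports, every finding should map to an approved change record.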

Unix and Linux Security

Gerald Beuchelt, in Network and System Security (Second Edition), 2014

Noninteractive Access

The security configuration of noninteractive services can vary quite significantly. Especially popular network services, such as LDAP, HTTP, or Windows File Shares (CIFS), can use a wide variety of authentication and authorization mechanisms that do not even need to be provided by the operating system. For example, an Apache Web server or a MySQL database server might use its own user database, without relying on any operating system services such as passwd files or LDAP directory authentication.

Monitoring how noninteractive authentication and authorization are performed is critically important since most users of Unix systems will only utilize them in noninteractive ways. To ensure the most comprehensive control over the system, it is highly recommended that the suggestions presented in this chapter be followed to minimize the attack surface and verify that the system makes only a clearly defined set of services available on the network.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000058

UNIX and Linux Security

Gerald Beuchelt, in Computer and Information Security Handbook (Third Edition), 2017

Noninteractive Access

The security configuration of noninteractive services can vary significantly. In particular, popular network services, such as LDAP, Hypertext Transfer Protocol (HTTP), or Windows File Shares, can use a wide variety of authentication and authorization mechanisms that do not even need to be provided by the OS. For example, an Apache Web server or a MySQL database server might use its own user database without relying on any OS services such as passwd files or LDAP directory authentication.

Monitoring how noninteractive authentication and authorization are performed is critically important because most users of UNIX systems will use them in only noninteractive ways. To ensure the most comprehensive control over the system, it is highly recommended to follow the suggestions in Sections 7 and 8 of this chapter to minimize the attack surface and verify that the system makes only a clearly defined set of services available on the network.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000119

Which of the following is true about the Security Configuration and Analysis tool?

It can apply a baseline to force current computer settings to match the settings defined in the baseline.

What security model does Windows use?

The Windows security model is based on securable objects. Each component of the operating system must ensure the security of the objects for which it is responsible. Drivers, therefore, must safeguard the security of their devices and device objects.

Which of the following is defined as any action that dramatically slows down or blocks access to one or more resources?

Denial of service (DoS) attack.

Which Windows security component is responsible for controlling access of a user to Windows resources?

Security reference monitor (SRM): A component in the Windows executive (%SystemRoot%\System32\Ntoskrnl.exe) that is responsible for defining the access token data structure to represent a security context, performing security access checks on objects, manipulating privileges (user rights), and generating any resulting ...