Security Management for ASP (8)

Source: Internet
Author: User
Security Configuration Tools for a Secure ASP

The ASP administrator should be familiar with the security configuration tools, because they are essential for obtaining information about every security-related aspect of the system.
These tools should make it easy to answer questions such as "Is my computer secure?" or "Is my network secure?" They should allow you to configure and analyze all aspects of a defined security policy, such as:
Account policy. Set or change access policies, including domain or local password policies, domain or local account lockout policies, and Domain Kerberos policies (where applicable).
Local policy. Configure local audit policies, user rights assignments, and various security options, such as the control of floppy disks, CD-ROMs, and so on.
Restricted Groups. Specify or change group members (such as Administrators, Server Operators, Backup Operators, Power Users, and so on) for the built-in groups and any other specific groups that you want to configure. This should not be used as a general membership management tool, only to control the members of particular groups that have sensitive capabilities assigned to them.
System services. Configure security for the different services that are installed on your system, including network transport services such as TCP/IP, NetBIOS, CIFS file sharing, printing, and so on. Stop services other than TCP/IP if they are not used. For more information, see http://www.microsoft.com/technet/
File or folder sharing. Configure the settings for the file system and redirector service. This includes options for turning off anonymous access and for enabling packet signing and security when accessing various network file shares.
System registry. Set or change security for the system registry keys.
System storage. Set or change the security of the local system file volumes and directory trees.
Get ready. Prepare a secure environment for customers and ASPs to securely create users, files, and so on.

These tools should also help monitor all aspects of the security policy that have been defined, such as:
Account policy: password, lockout, and Kerberos settings.
Local policies: auditing, user rights, and security options. (Security options mainly include security-related registry values.)
Event logs: settings for the system, application, security, and directory service logs.
Restricted Groups: policies about group members.
System services: startup mode and access control for system services.
Registry: access control for registry keys.
File system: access control for folders and files.
Physical access: access to equipment, use of key cards, closed-circuit video, and so on.

These tools should also be able to analyze Group Policy and continue down to the user level. You can use other tools to analyze all the data that is collected during the monitoring process. These tools are often particularly dependent on statistical techniques.
The ASP administrator for Windows 2000 uses the following components of the Windows 2000 Security Configuration toolset to configure some or all of these security aspects.
Security Templates snap-in. The Security Templates snap-in is a stand-alone Microsoft Management Console (MMC) snap-in that creates a text-based template file containing the settings for all security areas.
Security Configuration and Analysis snap-in. The Security Configuration and Analysis snap-in is a stand-alone MMC snap-in that can configure or analyze the security of the Windows 2000 operating system. Its actions are based on the contents of a security template created with the Security Templates snap-in.
Secedit.exe. Secedit.exe is the command-line version of the Security Configuration and Analysis snap-in. It enables security configuration and analysis to be performed without a graphical user interface (GUI).
Security Settings extension for Group Policy. The Security Configuration toolset also includes an extension snap-in for the Group Policy Editor, which is used to configure the local security policy and the security policy for a domain or organizational unit (OU). The local security policy covers only the account policies and local policies mentioned above. Security policies defined for a domain or OU can cover all security areas.
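
The analysis step that the Security Configuration and Analysis snap-in and Secedit.exe perform, comparing a machine's settings with a template, can be sketched in a few lines. The following is an added example, not Microsoft's code and not part of the original article: it checks the [System Access] section of a constructed policy export against a constructed baseline template; the sample values, the RULES table, and the function names are assumptions for illustration.

```python
import configparser

# Constructed baseline, in the text format written by the Security Templates snap-in.
BASELINE = """[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
PasswordComplexity = 1
LockoutBadCount = 5
ClearTextPassword = 0
"""

# Constructed export of one server's effective policy (same format).
EXPORTED = """[System Access]
MinimumPasswordLength = 6
MaximumPasswordAge = 90
PasswordComplexity = 1
LockoutBadCount = 0
ClearTextPassword = 0
"""

# Assumed rules: "min" = at least the baseline, "eq" = exactly the baseline,
# "max" = between 1 and the baseline (0 or -1 means "never"/disabled, so it fails).
RULES = {"MinimumPasswordLength": "min", "MaximumPasswordAge": "max",
         "PasswordComplexity": "eq", "LockoutBadCount": "max",
         "ClearTextPassword": "eq"}

def parse_template(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names in the case the template uses
    cp.read_string(text)
    return cp

def analyze(baseline_text, actual_text, section="System Access"):
    # Returns (setting, baseline value, actual value) for every deviation.
    base, actual = parse_template(baseline_text), parse_template(actual_text)
    findings = []
    for key, rule in RULES.items():
        if not base.has_option(section, key):
            continue  # the baseline does not define this setting
        want = base.getint(section, key)
        got = actual.getint(section, key, fallback=None)  # None = not defined
        ok = got is not None and (
            got >= want if rule == "min" else
            1 <= got <= want if rule == "max" else
            got == want)
        if not ok:
            findings.append((key, want, got))
    return findings
```

Files written by secedit /export are typically UTF-16, so decode them accordingly before passing the text to analyze().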
Introduction to ASP security tasks and methods

Many policies, tasks, and methods are used when creating network security. The following is a brief introduction to them.
Secure communications and concepts
Introduce and interpret risk-oriented security policies in the ASP's strategic planning
Provide background material on security concepts and vocabulary to familiarize readers with security planning
Determine the security risks of the ASP network. List and explain them in the security plan
Implement all necessary security measures (do not forget physical methods)
Closely monitor security
Review, evaluate, and improve all steps and policies, and provide training on them

Defining access control
Determine how the ASP's organization currently uses groups, the conventions for group names, and how group types are used
Describe the top-level security groups that are used for broad security access to ASP-wide resources. They may be customer universal groups
Describe access control policies, especially how to use security groups in a consistent manner
Determine the steps to create a new group and who is responsible for managing group members
Identify the conditions under which specific tasks are delegated on behalf of an administrator, and describe which tasks belong to the customer administrator and which to the ASP administrator
Specify ASP policies to protect administrator accounts and management consoles
Review, evaluate, and improve all steps and strategies, and provide training on them

Remote client or user access
Describe ASP policies that support client or user remote access
Establish a plan for communicating remote access steps, including connection methods
Establish a policy for connecting to a customer network through a private connection
Review, evaluate, and improve all steps and strategies, and provide training on them

Authentication access
Ensure that all access to network resources requires authentication using a domain account
Determine which part of the user base (ASP internal and customer users) needs to use valid authentication for interactive or remote access logins
If valid authentication is required, determine the plan for deploying public key security and/or smart card logon
Define password length, change interval, and complexity requirements for user accounts
Identify an ASP policy to eliminate the transmission of plaintext passwords on any network, and develop policies that support one-time logon or password transfer protection
Review, evaluate, and improve all steps and strategies, and provide training on them

Code signing and software signing
Specify the level of security required for downloaded code
Deploy internal ASP steps to implement code signing for all publicly distributed, internally developed software
Review, evaluate, and improve all steps and strategies, and provide training on them

Deploying the security application policy
Establish a test plan and a separate test environment to verify that ASP applications run properly under a properly configured security system
Determine what additional applications are needed to enhance security capabilities to meet the security objectives of the ASP
Put appropriate change management in place, including approval and security validation of changes prior to release
Review, evaluate, and improve all steps and strategies, and provide training on them

Enabling data protection
Determine ASP policies for identifying and managing sensitive or confidential customer and internal information, and determine the conditions for protecting this sensitive data
Identify the ASP servers that store sensitive customer (or internal) data and may require additional data protection to prevent theft
Establish a deployment plan that uses IPSec to protect remote access to data or access to sensitive ASP data servers
Review, evaluate, and improve all steps and strategies, and provide training on them

Encrypting File System
Describe the data recovery policy, including the role of the recovery agent
Describe the steps used to implement the data recovery process and verify that the process is valid
Review, evaluate, and improve all steps and strategies, and provide training on them

Building trust relationships
Describe the ASP's domains, domain trees, and forests, and explicitly establish the trust relationships between them
Determine policies for trusted customers and vendors and other external domains (trusting another domain means that you also trust the security policies determined by the owner of that domain)
Review, evaluate, and improve all steps and strategies, and provide training on them

Setting up a unified security policy
Use security templates to describe the level of security that is implemented for different classes of computers
Identify domain-wide account policies and communicate these policies and guidelines to customers and user groups
Identify local security policy requirements for the different categories of systems on the network, such as desktops, file and print servers, and e-mail servers. Determine the Group Policy security settings that correspond to each category
Identify application servers where specific security templates can be used to manage security settings, and consider managing them through Group Policy


