Windows Vista Security Guide
Chapter 5: Specialized Security – Limited Functionality
The Specialized Security – Limited Functionality (SSLF) baseline in this guide addresses the demand to help create highly secure environments for computers running Windows Vista™. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. The Enterprise Client (EC) security baseline helps provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations.
Warning
The SSLF security settings are not intended for the majority of enterprise organizations. The configuration for these settings has been developed for organizations where security is more important than functionality. If you decide to test and deploy the SSLF configuration settings to the client computers in your environment, the IT resources in your organization may experience an increase in help desk calls related to the limited functionality that the settings impose. Although the configuration for this environment provides a higher level of security for data and the network, it also prevents some services from running that your organization may require. Examples of this include Terminal Services, which allows multiple users to connect interactively to desktops and applications on remote computers, and the Fax Service, which enables users to send and receive faxes over the network using their computers.
It is important to note that the SSLF baseline is not an addition to the EC baseline: the SSLF baseline provides a distinctly different level of security. For this reason, do not attempt to apply the SSLF baseline and the EC baseline to the same computers running Windows Vista. Rather, for the purposes of this guide, it is imperative to first identify the level of security that your environment requires, and then decide to apply either the EC baseline or the SSLF baseline.
To compare the setting differences between the EC baseline and SSLF baseline, see Appendix A, "Security Group Policy Settings." The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.
Important
If you are considering whether to use the SSLF baseline for your environment, be prepared to exhaustively test the computers in your environment after you apply the SSLF security settings to ensure that they do not prohibit required functionality for the computers in your environment.
Specialized Security Environment
Organizations that use computers and networks, especially if they connect to external resources such as the Internet, must address security issues in system and network design, and how they configure and deploy their computers. Capabilities that include process automation, remote management, remote access, availability 24 hours a day, worldwide access, and software device independence enable businesses to become more streamlined and productive in a competitive marketplace. However, these capabilities also expose the computers of these organizations to potential compromise.
In general, administrators take reasonable care to prevent unauthorized access to data, service disruption, and computer misuse. Some specialist organizations, such as those in the military, state and local government, and finance are required to protect some or all of the services, systems, and data that they use with a specialized security level. The SSLF baseline is designed to provide this level of security for these organizations. To preview the SSLF settings, see Appendix A, "Security Group Policy Settings."
Limited Functionality Environment
The specialized security that the SSLF baseline implements may reduce functionality in your environment. This is because it limits users to only the specific functions that they require to complete necessary tasks. Access is limited to approved applications, services, and infrastructure environments. There is a reduction in configuration functionality because the baseline disables many property pages with which users may be familiar.
The following sections in this chapter describe the areas of higher security and limited functionality that the SSLF baseline enforces:
Restricted Services and Data Access
Specific settings in the SSLF baseline can prevent valid users from accessing services and data if they forget or misspell passwords. In addition, these settings may lead to an increase in help desk calls. However, the security benefits that the settings provide help make it harder for malicious users to attack computers running Windows Vista in this environment. Setting options in the SSLF baseline that could potentially prevent users from accessing services and data include those that:
Note
Setting details for both the EC and the SSLF baselines are available in Appendix A, "Security Group Policy Settings." The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.
Restricted Network Access
Network reliability and system connectivity are paramount for successful business. Microsoft operating systems provide advanced networking capabilities that help to connect systems, maintain connectivity, and repair broken connections. Although this capability is beneficial to maintaining network connectivity, attackers can use it to disrupt or compromise the computers on your network.
Administrators generally welcome features that help to support network communications. However, in special cases, the primary concern is the security of data and services. In such specialized environments, some loss of connectivity is tolerated to help ensure data protection. Setting options in the SSLF baseline that increase network security but could potentially prevent users from network access include those that:
Strong Network Protection
A common strategy to attack network services is to use a denial of service (DoS) attack. Such an attack prevents connectivity to data or services or over-extends system resources and degrades performance. The SSLF baseline protects access to system objects and the assignment of resources to help guard against this type of attack. Setting options in the SSLF baseline that help to prevent DoS attacks include those that:
All of these security considerations contribute to the possibility that the security settings in the SSLF baseline may prevent applications in your environment from running or users from accessing services and data as expected. For these reasons, it is important to extensively test the SSLF baseline after you implement it and before you deploy it in a production environment.
Implementing the Security Policies
The SSLF solution described in this guide uses the Group Policy Management Console (GPMC), and GPMC-based scripts. GPMC is integrated into the Windows Vista operating system, so you do not have to download and install the console each time you need to manage GPOs on a different computer.
Important
You must perform all of the procedures in this guide on a client computer running Windows Vista that is joined to a domain using the Active Directory® directory service. In addition, the user who performs the procedures must have Domain Administrator privileges. If you use the Microsoft Windows® XP or Windows Server® 2003 operating systems, the Windows Vista–specific security settings will not be visible in the GPMC.
To implement the security design, there are three key tasks to complete:
This section of the chapter describes these tasks and procedures and the functionality of the GPOAccelerator.wsf script, which automatically creates the prescribed GPOs.
The GPOAccelerator.wsf Script
The GPOAccelerator.wsf script that accompanies this guide will create all the GPOs you need. You do not need to spend a lot of time manually editing policy settings or applying templates. To establish the SSLF environment, the script creates the following four GPOs:
Important
To successfully implement the security design for the SSLF environment, ensure that you thoroughly test the design before deploying it in your production environment.
Use the GPOAccelerator.wsf script to:
Test the Design in a Lab Environment
The GPOs provided with this guide have been thoroughly tested. However, it is important to perform your own testing in your own environment. To save time, you can use the GPOAccelerator.wsf script to create the prescribed GPOs and the sample OU structure, and then automatically link the GPOs to the OUs.
The GPOAccelerator.wsf script is located in the Windows Vista Security Guide\GPOAccelerator Tool folder that the Microsoft Windows Installer (.msi) file creates.
Note
The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.
To create the GPOs and link them to the appropriate OUs in a lab environment
You are now ready to link the domain GPO to the domain. The following instructions describe how to use the GPMC on a client computer running Windows Vista to link the VSG SSLF Domain Policy to the domain.
To link the VSG SSLF Domain Policy
Important
Ensure that the VSG SSLF Domain Policy has its Link Order set to 1. Failure to do this will cause other GPOs linked to the domain, such as the Default Domain Policy GPO, to overwrite the Windows Vista Security Guide settings.
You can use the GPMC to check the results of the script. The following procedure describes how to use the GPMC on a client computer running Windows Vista to verify the GPOs and OU structure that the GPOAccelerator.wsf script creates for you.
To verify the results of the GPOAccelerator.wsf script
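A scripted form of the Link Order check from the Important note above, as an added example that is not part of this guide or of GPOAccelerator.wsf. It assumes the GroupPolicy PowerShell module, which ships with the GPMC on later Windows versions and is not available on Windows Vista; the function name Test-VsgDomainLinkOrder and the domain name in the usage comment are hypothetical.

```powershell
# Added example, not from the guide. Requires the GroupPolicy module (GPMC/RSAT on
# Windows 7 / Windows Server 2008 R2 or later); Windows Vista does not include it.
Import-Module GroupPolicy

function Test-VsgDomainLinkOrder {
    param(
        # Distinguished name of the domain root (caller supplies it).
        [Parameter(Mandatory = $true)][string]$DomainDn,
        # GPO display name this guide uses for the SSLF domain policy.
        [string]$GpoName = 'VSG SSLF Domain Policy'
    )

    # GpoLinks lists only the links made directly on this container.
    $links = @((Get-GPInheritance -Target $DomainDn).GpoLinks)
    $vsg = $links | Where-Object { $_.DisplayName -eq $GpoName } | Select-Object -First 1
    $problems = @()

    if (-not $vsg) {
        $problems += "'$GpoName' is not linked to $DomainDn."
    }
    else {
        if (-not $vsg.Enabled) {
            $problems += "The link for '$GpoName' is disabled."
        }
        if ($vsg.Order -ne 1) {
            # Lower Order values win, so every link ahead of this GPO can overwrite it.
            $ahead = $links | Where-Object { $_.Order -lt $vsg.Order } | Sort-Object Order |
                ForEach-Object { "$($_.Order): $($_.DisplayName)" }
            $problems += "Link Order is $($vsg.Order), expected 1. Ahead of it: $($ahead -join '; ')"
        }
        # An enforced link takes precedence over non-enforced links regardless of order.
        $enforced = $links | Where-Object { $_.Enforced -and $_.DisplayName -ne $GpoName }
        if ($enforced -and -not $vsg.Enforced) {
            $names = ($enforced | ForEach-Object { $_.DisplayName }) -join '; '
            $problems += "Enforced links that still take precedence: $names"
        }
    }

    [pscustomobject]@{
        Gpo       = $GpoName
        Linked    = [bool]$vsg
        LinkOrder = $(if ($vsg) { $vsg.Order } else { $null })
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Usage (the domain DN is a constructed placeholder):
# Test-VsgDomainLinkOrder -DomainDn 'DC=example,DC=test' | Format-List
```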
All of the GPOs that the GPOAccelerator.wsf script creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see Appendix A, "Security Group Policy Settings."
Deploy the Design in a Production Environment
To save time, you can use the GPOAccelerator.wsf script to create the GPOs for the SSLF environment. Then you can link the GPOs to the appropriate OUs in your existing structure. In larger domains with large numbers of OUs, you will need to consider how to use your existing OU structure to deploy the GPOs.
If possible, you should keep computer OUs distinct from user OUs. Laptop and desktop computers also should be organized in their own OUs. If such a structure is not possible in your environment, you may need to modify the GPOs. You can use the settings reference in Appendix A, "Security Group Policy Settings," to help you decide what modifications may be necessary.
Note
As discussed in the previous section, you can use the GPOAccelerator.wsf script with
You create the SSLF GPOs described in this guide using the GPOAccelerator.wsf script. The GPOAccelerator.wsf script is located in the Windows Vista Security Guide\GPOAccelerator Tool folder that the Microsoft Windows Installer (.msi) file creates for you.
Note
You can also simply copy the GPOAccelerator Tool directory from a computer where the directory is installed to another computer that you want to use to run the script. The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in the following procedure.
To create the GPOs in a production environment
You can use the GPMC to ensure that the script has successfully created all of the GPOs. The following procedure describes how to use the GPMC on a client computer running Windows Vista to verify the GPOs that the GPOAccelerator.wsf script creates for you.
To verify the results of the GPOAccelerator.wsf script
You can now use GPMC to link each GPO to the appropriate OU. The final task in this process explains how to do this. The following procedure describes how to use the GPMC on a client computer running Windows Vista to accomplish this task.
To link the GPOs in a production environment
Note
You also can drag a GPO from under the Group Policy Objects node to an OU. However, you can only perform this drag-and-drop operation within the same domain.
To confirm the GPO linkages using the GPMC
– Or –
Note
You can use the GPMC to unlink the GPOs and, optionally, delete them. Then use the GPMC, or the Active Directory Users and Computers console, to delete any OUs that you no longer need. To completely undo all Active Directory modifications made by the GPOAccelerator.wsf script, you must manually delete the SSLF-VSGAuditPolicy.cmd file, the SSLF-ApplyAuditPolicy.cmd file, and the SSLF-AuditPolicy.txt file from the NETLOGON share of one of your domain controllers. For additional details on these files, refer to the Audit Policy section in Appendix A, "Security Group Policy Settings."
All of the GPOs that the GPOAccelerator.wsf script creates are fully populated with the settings that this guide prescribes. You can now use the Active Directory Users and Computers tool to test the design by moving users and computers into their respective OUs. For details about the settings contained in each GPO, see Appendix A, "Security Group Policy Settings."
Migrating GPOs to a Different Domain (Optional)
If you have modified the GPOs in this solution, or you have created your own GPOs and you want to use them across more than one domain, you will need to migrate the GPOs. Migrating a GPO that works in one domain to another domain requires some planning, but the basic procedure is fairly straightforward. There are two important data aspects of GPOs to consider during the planning process:
More information on GPO migration appears in the GPMC Help. The "Migrating GPOs Across Domains with GPMC" white paper also provides additional information on migrating GPOs between domains.
The GPOAccelerator Tool
The tools and templates that accompany this guide include scripts and Security Templates. This section provides background information about these resources. The key tool that runs the core script for this security guidance is GPOAccelerator.wsf, which is located in the Windows Vista Security Guide\GPOAccelerator Tool\Security Group Policy Objects folder. This section includes information about how to modify the GPMC to view GPO settings, and the subdirectory structure and types of files that accompany this guide.
The Windows Vista Security Guide Settings.xls file that also accompanies this guide provides another resource that you can use to compare setting values.
GPMC and SCE Extensions
The solution presented in this guide uses GPO settings that do not display in the standard user interface (UI) for the GPMC in Windows Vista or the Security Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.
Important
The SCE extensions, and the GPOAccelerator.wsf script, are designed for you to run them from a Windows Vista-based computer. These tools will not work correctly if you attempt to run them from a computer using Windows XP or Windows Server 2003.
For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the GPOAccelerator.wsf script automatically updates your computer while it creates the GPOs. If you want to administer the Windows Vista Security Guide GPOs from another computer running Windows Vista, use the following procedure to update the SCE on that computer.
To modify the SCE to display MSS settings
Important
This script only modifies the SCE to display MSS settings; it does not create GPOs or OUs.
The following procedure removes the additional MSS security settings, and then resets the SCE tool to the default settings in Windows Vista.
To reset the SCE tool to the default settings in Windows Vista
Previous Security Settings
Security Templates are provided so that if you want to build your own policies, rather than use or modify the policies supplied with this guide, you can import the relevant security settings. Security Templates are text files that contain security setting values. They are subcomponents of the GPOs. You can modify the policy settings that are contained in the Security Templates in the MMC Group Policy Object Editor snap-in. Unlike previous versions of the Windows operating system, Windows Vista does not come with predefined Security Templates, although you can still use the existing Security Templates as required.
Security Templates are included in the Windows Installer (.msi) file that accompanies this guide. The following templates for the EC environment are located in the GPOAccelerator Tool\Security Templates folder:
Important
You do not need to use the Security Templates to deploy the solution described in this guide. The templates provide an alternative to the GPMC-based solution, and only cover computer security settings that appear under Computer Configuration\Windows Settings\Security Settings. For example, you cannot manage Internet Explorer or Windows Firewall settings in the GPOs using a Security Template, and user settings are not included.
Using Security Templates
If you want to use the Security Templates, you must first extend the SCE so that the custom MSS security settings display in the UI. See the procedure in the previous "GPMC and SCE Extensions" section in this chapter for details. When you can view the templates, you can use the following procedure to import them into the GPOs that you have created as needed.
To import a Security Template into a GPO
You can also use the Security Templates supplied with this guide to modify the local security policy on stand-alone client computers running Windows Vista. The GPOAccelerator.wsf script simplifies the process to apply the templates.
To apply the Security Templates to create local Group Policy on a stand-alone client computer running Windows Vista
To restore local Group Policy to the default settings in Windows Vista
More Information
The following links provide additional information about Windows Vista security-related topics.