Windows System Policy

Use the security and system logs to record security events, so that system and network activity can be tracked and monitored.

How do you enable auditing of security events, and what are the categories of events to audit?

Any changes to user accounts or resource permissions.
Any failed user logon attempts.
Any failed attempts to access a resource.
Any modification of system files.

Account policies are enabled through settings under Security Settings\Account Policies.

Password Policy
_______________
Enforce password history                   : Set to the maximum of the allowed range
Maximum password age                       : 30-45 days
Minimum password age                       : 1-3 days
Minimum password length                    : 8-16 characters
Password must meet complexity requirements : Enabled
Store passwords using reversible encryption for all users in the domain

Account lockout Policy
______________________
Controls what happens when a user fails to remember their password.

Account lockout duration            : Set to a low value
Account lockout threshold           : Set to 3-5 attempts
Reset account lockout counter after : Set to the maximum value

Security auditing is enabled through settings under Security Settings\Local Policies\Audit Policy.

Audit Policy (Audit Success or Failure Attempts)
____________
Each setting determines whether successes, failures, or both are audited for its category. For example, Audit policy change determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies.
Default: No auditing.

Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

By default, audits are not generated for use of the following user rights, even if success or failure auditing is specified for “Audit privilege use”:

Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories

Additional basic audit policy settings are under Security Settings\Local Policies\Security Options.
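The Password Policy, Account Lockout Policy and Audit Policy values recommended above can be expressed as one security template and applied without clicking through the snap-in. This is an added example, not from the original post: it writes a .inf template with the standard secedit keys, applies it to the local policy, and then verifies the result. The concrete numbers (24 passwords, 45 days, 12 characters, 5 attempts, 30 minutes) are assumptions chosen from the ranges above; the temp directory name is constructed.

```powershell
# Added example (not the original post's own steps). Run from an elevated
# PowerShell prompt. On a domain member the domain GPO overwrites local
# settings at the next refresh, so import the same .inf into the GPO instead
# (right-click Security Settings > Import Policy) rather than applying locally.
#
# [System Access] keys map to Password Policy / Account Lockout Policy:
#   ClearTextPassword = 0 is "Store passwords using reversible encryption: Disabled".
#   Windows requires ResetLockoutCount <= LockoutDuration (minutes), so
#   "duration low, reset counter max" ends up as two equal values here.
# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
#   If "Audit: Force audit policy subcategory settings ... to override audit
#   policy category settings" is enabled, these legacy categories are ignored
#   and the auditpol subcategories apply instead.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 45
MinimumPasswordAge = 1
MinimumPasswordLength = 12
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 1
AuditSystemEvents = 3
'@
$dir = Join-Path $env:TEMP 'audit-baseline'   # constructed working directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$inf = Join-Path $dir 'baseline.inf'
$template | Set-Content -Path $inf -Encoding Unicode
# SECURITYPOLICY covers Account Policies and Audit Policy; /db is mandatory
secedit /configure /db "$dir\baseline.sdb" /cfg $inf /areas SECURITYPOLICY /log "$dir\baseline.log"
# Verify: export the effective local policy and show the keys we set, then the
# per-category view from auditpol (its nine categories match the list above)
secedit /export /cfg "$dir\effective.inf" /areas SECURITYPOLICY
Select-String -Path "$dir\effective.inf" -Pattern '^(PasswordHistorySize|MaximumPasswordAge|MinimumPassword|PasswordComplexity|ClearTextPassword|Lockout|ResetLockoutCount|Audit)'
auditpol /get /category:*
```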

To set permissions on a Group Policy object
___________________________________________
Open the Group Policy snap-in.
In the console tree, right-click the icon or the name of the Group Policy object for which you want to set permissions (it appears as Group Policy object name [domain_name] Policy), and then click Properties.
Click the Security tab, select the following options that you want, and then click OK:
Add: Opens the Select Users, Computers, or Groups dialog box, where you can specify the users and groups for whom you want to assign permissions.

Remove: In the Group or user names box, removes selected users or groups and their associated permissions from this object.

Permissions for Authenticated Users: Lists the standard permissions that you can allow or deny to users, for example, Full Control, Read, Write, and so on.

Advanced: Use this option to set special permissions, auditing information, and owner information for the selected object.

Notes: To open the Group Policy snap-in, see Related Topics.
You can only set permissions on a nonlocal Group Policy object.

To edit a security setting on a Group Policy object
___________________________________________________

To modify security settings for a Group Policy object on a workstation or server that is joined to a domain:

Click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
In Add/Remove Snap-in, click Add, and in Add Standalone Snap-in, double-click Group Policy.
In Select Group Policy Object, click Browse, navigate to and click the policy object you would like to modify, and then click Finish.
Click Close and then click OK.

On a domain controller, to modify security settings for an organizational unit:

Open Active Directory Users and Computers.
In the console tree, right-click the domain or organizational unit you want to set Group Policy for.
Click Properties, and then click the Group Policy tab.
Do one of the following:
To create a new Group Policy object, on the File menu, click New and then click Edit.
To change an existing Group Policy object, click the object you want to change, and on the File menu, click Edit.

In the console tree, click Security Settings.
Location: GroupPolicyObject [ComputerName] Policy > Computer Configuration > Windows Settings > Security Settings

In the console tree, do one of the following:
To edit Password Policy or Account Lockout Policy, double-click Account Policies and click Password Policy or Account Lockout Policy.
To edit Audit Policy, User Rights Assignment, or Security Options, double-click Local Policies and click Audit Policy, User Rights Assignment, or Security Options.
In the details pane, right-click the policy that you want to modify and click Properties.
Select the Define these policy settings check box.
Change the settings of this policy and click OK.

Notes: You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.
Always test a newly created policy on a test organizational unit before applying it to your network.
When you change a security setting, once you click OK, that change will take effect the next time the settings are refreshed.
The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.

Audit directory service access
______________________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.

Note that you can set a SACL on an Active Directory object by using the Security tab in that object’s Properties dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.

Default:
No auditing for domain controllers.
Undefined for a member computer.

Audit logon events
__________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Determines whether to audit each instance of a user logging on to, logging off from, or making a network connection to this computer.

Note: Only interactive and network logon attempts to the domain controller itself generate logon events. In short, “account logon events” are generated where the account lives; “logon events” are generated where the logon attempt occurs.

By Default: No auditing.

Audit account logon events
__________________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.

If success auditing for account logon events is enabled on a domain controller, an entry is logged for each user who is validated against that domain controller, even though the user is actually logging on to a workstation that is joined to the domain.

By Default:
No auditing for domain controllers.
Undefined for a member computer.

Audit object access
___________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Determines whether to audit the event of a user accessing an object—for example, a file, folder, registry key, printer, and so forth—that has its own system access control list (SACL) specified.

Note that you can set a SACL on a file system object using the Security tab in that object’s Properties dialog box.

By Default: No auditing.

Audit process tracking
______________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.

By Default: No auditing.

Audit system events
___________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.

Default: No auditing.

Audit account management
________________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Determines whether to audit each event of account management on a computer. Examples of account management events include the following:

A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default: No auditing.

Audit: Audit the use of Backup and Restore privilege
____________________________________________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the “Audit privilege use” policy is also enabled generates an audit event for every file that is backed up or restored.

If you enable this policy, and if the “Audit privilege use” policy is enabled and in effect, any instance of user rights being exercised is recorded in the security log.

If you disable this policy, when users use Backup or Restore privileges, those events are not audited, even when “Audit privilege use” is enabled.

Default: Disabled.

Audit: Shut down system immediately if unable to log security audits
____________________________________________________________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the system shuts down if it is unable to log security events.

If this policy is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either “Do Not Overwrite Events” or “Overwrite Events by Days.”

If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:

STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired.

Default: Disabled.
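Whether a machine can actually reach the STOP C0000244 condition above depends on two things together: the option being enabled and the security log being unable to overwrite. The following is an added example, not from the original post, that reads both from the live system and reports whether they combine into that risk; the 90 percent threshold for "nearly full" and the archive file name are assumptions.

```powershell
# Added example (not from the original post). Run elevated: reading the Security
# log configuration and the Lsa key needs administrator rights.
function Get-AuditFailureRisk {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # CrashOnAuditFail backs the "Shut down system immediately if unable to log
    # security audits" option: 0 = disabled, 1 = enabled, 2 = set by Windows
    # after the Stop error; with 2 only Administrators are allowed to log on.
    $crashOnAuditFail = [int]$lsa.CrashOnAuditFail
    $log = Get-WinEvent -ListLog Security
    # LogMode Circular = "Overwrite events as needed" (cannot fill up);
    # Retain and AutoBackup can leave the log with no overwritable entry.
    $pct = if ($log.MaximumSizeInBytes) {
        [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes)
    } else { 0 }
    [pscustomobject]@{
        CrashOnAuditFail = $crashOnAuditFail
        LogMode          = $log.LogMode
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB)
        PercentFull      = $pct
        # Assumed threshold: flag when the option is on, the log cannot
        # overwrite, and it is already 90% full
        AtRisk           = ($crashOnAuditFail -eq 1) -and
                           ($log.LogMode -ne 'Circular') -and ($pct -ge 90)
    }
}
Get-AuditFailureRisk

# Recovery after the Stop error, as an administrator, mirroring the steps above.
# 1. Archive the log (optional); the path is a constructed placeholder:
#    wevtutil epl Security "$env:TEMP\Security-archive.evtx"
# 2. Clear the log:
#    wevtutil cl Security
# 3. Reset the option as desired (Windows leaves it at 2 after the crash):
#    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name CrashOnAuditFail -Value 1
```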

Manage auditing and security log
________________________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.

This policy does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured.

You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

Default: Administrators.

Audit: Audit the access of global system objects
________________________________________________
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether to audit the access of global system objects.

If this policy is enabled, it causes system objects, such as mutexes, events, semaphores, and DOS devices, to be created with a default system access control list (SACL). If the Audit object access audit policy is also enabled, access to these system objects is audited.

Default: Disabled.

Auditing file system policy using Group Policy
______________________________________________
Create an OU, then add a new GPO from the MMC console. Go to Computer Configuration > Windows Settings > Security Settings > File System; in the right-hand pane, choose Add File and select the file or folder to audit.

Another way: create the folder, then open Properties > Security > Advanced > Auditing > Add, select the user, and select the rights to audit.
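The second method above, placing a SACL directly on a folder, can be scripted. This is an added example, not from the original post: it audits writes, deletions and permission changes by anyone on a folder and its contents, then confirms the SACL and looks for the resulting object access events. The folder path is a constructed placeholder, and entries only appear in the security log once Audit object access is enabled as described earlier.

```powershell
# Added example (not from the original post). Run elevated: writing a SACL
# needs SeSecurityPrivilege ("Manage auditing and security log").
$folder = 'C:\SensitiveData'   # constructed placeholder; use the folder to watch
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# -Audit makes Get-Acl return the SACL as well as the DACL
$acl = Get-Acl -Path $folder -Audit

# Audit both successful and failed attempts by anyone to change, delete or
# take over the folder or anything created beneath it
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify the SACL is in place
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Generate one audited action and look for the matching event.
# 4663 = "An attempt was made to access an object" (object access category).
Set-Content -Path (Join-Path $folder 'probe.txt') -Value 'constructed test write'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```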

Posted on April 17, 2011, in Uncategorized, Windows.