Contents
Overview 1
Using Group Policy to Secure the User
Environment 2
Using Group Policy to Configure Account
Policies 3
Lab A: Using Group Policy to Secure the
Desktop 9
Analyzing Security Log Files to Detect
Security Breaches 14
Securing the Logon Process 19
Examining Service Packs, Hotfixes, and
Antivirus Software 24
Lab B: Monitoring Security 26
Review 31

Module 13: Managing
Network Security



Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, places or events is intended or should be inferred. Complying with all applicable

copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2001 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, <plus other appropriate product names or titles.
The publications specialist replaces this example list with the list of trademarks provided by the
copy editor. Microsoft, MS-DOS, Windows, and Windows NT are listed first, followed by all
other Microsoft trademarks listed in alphabetical order. > are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

<The publications specialist inserts mention of specific, contractually obligated to, third-party
trademarks, provided by the copy editor>

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.


Module 13: Managing Network Security iii


Instructor Notes
This module provides students with an appreciation of the challenges that are

involved in maintaining a secure and reliable system.
After completing this module, students will be able to:
!
Use Group Policy to apply security policies to secure the user environment.
!
Use Group Policy to configure password and logon account policies.
!
Analyze security log files to detect security breaches.
!
Secure the logon process by using smart cards.
!
Apply service packs, hotfixes, and antivirus software.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the following materials:
!
Microsoft® PowerPoint® file 2126A_13.ppt

Preparation Tasks
To prepare for this module:
!
Read all of the materials for this module.
!
Complete the labs.
!
Enable auditing and generate each of the events that are discussed in the
Analyzing Security Log Files to Detect Security Breaches.


Presentation:
30 Minutes

Lab:
60 Minutes
iv Module 13: Managing Network Security


Module Strategy
Use the following strategy to present this module:
!
Using Group Policy to Secure the User Environment
In this topic, you will introduce the procedure for implementing security
policies. Emphasize that a preconfigured security template ensures
duplication of desired settings that already exist for a computer, and can be
tested before security settings are applied to multiple computers.
Demonstrate how to use Group Policy to apply security policies. Emphasize
that you can define a security setting once and apply it in many places.
!
Using Group Policy to Configure Account Policies
In this topic, you will introduce account policies and their purpose. You will
describe how to configure account policies, particularly the account
password and lockout policy settings. Emphasize that tight security depends
on these policy settings as they enable you to control the complexity of
passwords themselves and the locking of an account in response to the
entering of an incorrect password.
!
Analyzing Security Log Files to Detect Security Breaches
Throughout this topic, use Event Viewer to illustrate the events that are

discussed. You should have previously enabled auditing and purposely
generated each of the events that are discussed in the text before beginning
this module.
!
Securing the Logon Process
In this topic, you will discuss the use of smart cards as a strategy for
increasing the security of the logon process. The configuration of smart
cards is simple, so focus on the smart card features, the advantages of using
smart cards, and considerations for smart card policies.
!
Examining Service Packs, Hotfixes, and Antivirus Software
Emphasize the importance of keeping servers current with security updates
because security threats arise frequently as systems become more complex
and are exposed to public networks.

Module 13: Managing Network Security 1


Overview
!
Using Group Policy to Secure the User Environment
!
Using Group Policy to Configure Account Policies
!
Analyzing Security Log Files to Detect Security
Breaches
!
Securing the Logon Process
!
Examining Service Packs, Hotfixes, and Antivirus

Software


As an administrator, you must manage network security by implementing
various security measures. You use Group Policy to secure the user
environment and configure account policies. You can audit security breaches by
analyzing security log files. You can use smart card technology to secure the
logon process. You will also be required to evaluate and apply service packs
and hotfixes, and maintain antivirus software to ensure your network
environment is as safe as current software allows.
After completing this module, you will be able to:
!
Use Group Policy to apply security policies to secure the user environment.
!
Use Group Policy to configure password and logon account policies.
!
Analyze security log files to detect security breaches.
!
Secure the logon process by using smart cards.
!
Apply service packs, hotfixes, and antivirus software.

Topic Objective
To provide an overview of
the module topics and
objectives.
Lead-in
In this module, you will learn
about managing network
security.

2 Module 13: Managing Network Security


Using Group Policy to Secure the User Environment
Applying security policies
Applying security policies
Applying security policies
Select the Security Settings
node
Select the Security Settings
node
By configuring security settings
individually
By configuring security settings
By configuring security settings
individually
individually
Select the security setting to
configure
Select the security setting to
configure
Configure the security setting
Configure the security setting
By importing the security template
By importing the security template
By importing the security template
Identify or create a security
template
Identify or create a security
template

Import the security template
into a Group Policy object
Import the security template
into a Group Policy object
Analyze the security settings
Analyze the security settings


Group Policy security settings are often configured to represent an
organization’s security policy. The security policy is enforced on users’ systems
by using Group Policy to prevent unauthorized access to the organization
network and users’ computers.
The process of defining and implementing a standardized set of Group Policies
is facilitated by using security templates. A security template is a collection of
security settings that can be imported into a Group Policy object or used for
analysis. After it is refined to meet the organization’s needs, the template can be
applied to the Group Policy object, which will then apply to other systems
according to your design.
Topic Objective
To illustrate how to apply
security Group Policy to
secure the user
environment.
Lead-in
Security policies can be
implemented on a per-
computer basis or on the
site, domain, or
organizational unit level by
using Group Policy.

Delivery Tip
Demonstrate how to import
a security template by using
Group Policy.
Demonstrate how to apply
security policies by
individually configuring each
security setting.
Key Points
Use Group Policy to
standardize security
settings.

Import security templates
into Security Settings in
Group Policy to apply
consistent and tested
security policies to
computers in an Active
Directory container.
Module 13: Managing Network Security 3


"
""
"

Using Group Policy to Configure Account Policies
!
What Are Account Policies?

!
Configuring Password Policy Settings
!
Configuring Account Lockout Policy Settings


In Microsoft
®
Windows
®
2000, you can configure account policies that prevent
unauthorized persons from logging on to the network and gaining access to
network resources. These enhanced network security measures include setting a
password policy and a user account lockout policy that make it more difficult to
guess a password, and they also limit the number of attempts that an
unauthorized person can make to determine a password. These measures help
prevent unauthorized persons from gaining access to your network.
Topic Objective
To introduce using Group
Policy to configure account
policies.
Lead-in
You configure account
policies to prevent
unauthorized persons from
logging on to the network.
4 Module 13: Managing Network Security


What Are Account Policies?

Use account policies to prevent unauthorized persons from gaining
access to the network
Must set
Group Policy at
domain level
Must set
Group Policy at
domain level
Set password
requirements to
Set password
Set password
requirements to
requirements to
Domain controller
does not authenticate
Domain controller
does not authenticate
Domain controller
locks out user account
Domain controller
locks out user account
Set failed logon
attempts limit to
Set failed logon
Set failed logon
attempts limit to
attempts limit to
Ensure passwords
are difficult to guess

Ensure passwords
are difficult to guess
Stop brute force
hacking programs
Stop brute force
hacking programs


Account policies for user accounts can be used to reduce the possibility of
unauthorized persons gaining access to the network.. When you set account
policies in Active Directory, Windows 2000 allows policies to be set at the
domain level and at the organizational unit level. The domain account policy
becomes the account policy of any Windows 2000–based workstation or server
that is a member of the domain.
The account policy settings for the organizational unit affect the local policy on
any computers contained in the organizational unit. This means that the account
policies set at the domain level always apply when logging on using an account
that exists in the domain. The local policy settings apply only when logging on
using an account that is local to the computer that you are logging on to.
The account policy settings that you can configure with Group Policy are:
!
Password policies. Password policies establish restrictions that require users
to periodically change passwords and to use complex passwords. Password
complexity includes the minimum length and the characters to use,
including alphanumeric, symbols, and upper- and lower-case letters. By
forcing users to use complex passwords, you make it more difficult for
unauthorized persons to use brute force hacking programs to gain access to
your network. Brute force hacking programs try to log on repeatedly by
providing different passwords, for example, by attempting to use each word
in a dictionary as the password.

!
Account lockout policies. Account lockout policies ensure that a user
account is locked after a predetermined number of failed logon attempts.
Setting a limit for failed logon attempts makes it difficult for unauthorized
persons to log on by using brute force algorithms to determine a password.
After a domain controller locks out a user account, the user account cannot
be used for authentication until the account is unlocked. You can configure
the lockout duration.

Topic Objective
To describe which account
policies to configure.
Lead-in
You can use account
policies to prevent
unauthorized users from
gaining access to your
network.
Delivery Tip
Explain what a brute force
hacking program is.

Mention to students that the
most common password
used is password. Explain
why it is important to
implement a password
account policy so that users
have complex passwords.
Key Points

Administrators must set
Group Policy for account
policies at the domain level
to affect domain logons.

Setting password
restrictions and a limit of
failed logon attempts makes
it more difficult for an
unauthorized person to gain
access to the network.
Module 13: Managing Network Security 5


Configuring Password Policy Settings
!
Password settings apply to the domain
!
The settings to configure are:
Group Policy
A
ction View
Passwords [LONDON.NWTraders.msft
Computer Configuration
Software Settings
Windows Settings
Security Settings
Account Policies
Account Lockout Poli
Kerberos Policy

Local Policies
Allow storage of passwords under reversibl…
Enforce password uniqueness by remem…
Maximum Password Age
Minimum Password Age
Minimum Password Length
Passwords must meet complexity require…
User must logon to change password
Not Configured
24 Passwords
30 Days
30 Days
8 Characters
Enabled
Enabled
Attribute Stored Template Settin
Password Policy
The number of previous passwords
Windows 2000 records
The number of previous passwords
Windows 2000 records


The password settings apply to all user accounts in a domain. Domain
controllers start enforcing the policy requirements during user authentication
after the Group Policy object is applied to the domain controllers.

Note that when you modify password settings, they do not apply to
existing passwords. They apply the next time that a user changes his or her
password, or when you create or reset a user account.


The following list describes the password settings you must configure:
!
Enforce password uniqueness by remembering. Use this setting to prevent
users from reusing a previous password. Windows 2000 will remember the
number of passwords that you indicate, ranging from 0 to 24 passwords. In a
high-security environment, consider setting this value to 24 remembered
passwords. In a medium-security environment, set this value to six
remembered passwords.
!
Maximum Password Age. This setting forces users to change their
passwords after a specified period of time so that they do not continually use
the same password. In a high-security network, set this value to 30 days. In
a medium-security network, set the value to 42 days.
!
Minimum Password Length. This setting determines the required minimum
length of users’ passwords. In a high-security environment, set this to at
least eight characters.

In a multiple-domain network, you can link the same Group Policy object
to each domain container, or you can use different settings in each domain.

Topic Objective
To explain where to
configure password settings
in Group Policy.
Lead-in
There are several critical
Group Policy password
settings that you must

configure.
Delivery Tip
Demonstrate configuring the
password settings in Group
Policy.
Key Points
Group Policy password
settings apply to all user
accounts in the domain.

When you configure
password settings, the
settings do not apply to
existing passwords. Domain
controllers enforce the
password requirements
when an administrator
creates a user account or
resets a password, or when
a user changes a password

If there is conflict between
the minimum length of a
password setting and the
length determined by the
complex passwords setting,
the most restrictive setting
prevails.
Note
Note

6 Module 13: Managing Network Security


!
Passwords must meet complexity requirements. This setting requires
passwords to comply with the following complexity rules:
• The minimum password length must be six characters. If there are
conflicts between these settings and the password length setting, the
more restrictive setting prevails.
• The password cannot contain sections of the user’s full name.
• The password must contain characters from at least three of the
following four categories.
Description Example

English uppercase letters A, B, C, D, … Y, Z
English lowercase letters a, b, c, d, … y, z
Westernized Arabic numerals 0, 1, 2, … 9
Non-alphanumeric characters !, ?, (, …

!
User must log on to change a password. This setting forces users to log on
to their accounts before they can change their passwords. This setting also
disables user accounts that have exceeded the maximum password age. Only
an administrator can enable the user account again. This prevents
unauthorized persons from attempting to log on by using unauthorized user
accounts.

To configure Password Policy settings, perform the following steps:
1. Open Active Directory User and Computers, create a Group Policy object at
the domain level or select an existing Group Policy object that is linked to

the domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows
Settings, expand Security Settings, expand Account Policy, and then
expand Password Policy.

Module 13: Managing Network Security 7


Configuring Account Lockout Policy Settings
!
Account lockout policy settings apply to domains
!
You must configure all account lockout policy settings
or none
Group Policy
A
ction View
Account Lockout [LONDON.NWTraders.msft
Computer Configuration
Software Settings
Windows Settings
Security Settings
Account Policies
Password Policy
Account Lockout Policy
Kerberos Policy
Local Policies
Account Lockout Policy
Attribute
Stored Template Settin

Account lockout control
Lockout account for
Reset account lockout count after
5 Invalid logon attempts
Forever
1440 Minutes
The amount of time before the
lockout counter returns to zero
The amount of time before the
lockout counter returns to zero
Limit on failed logon attempts
Limit on failed logon attempts
Amount of time that the lockout is in effect
Amount of time that the lockout is in effect


Like password settings, account lockout policy settings apply to all user
accounts in a domain. Link the Group Policy object for account lockout policy
settings to the domain or domains in the network.
Domain controllers start enforcing the requirements during user authentication
after the Group Policy object is applied to the domain controllers. You must
configure all three of the account lockout policy settings to set up an account
lockout policy.
The following list describes the account lockout settings that you must
configure:
!
Account lockout count. This setting determines the allowed number of failed
logon attempts before Windows 2000 locks the account. The number of
failed logon attempts must match the security level that your network
requires. In a high-security network, set this value to five logon attempts.

!
Lockout account for. This setting determines the amount of time that the
lockout is effective. In a high-security network, select Forever. This means
that an administrator must manually unlock the user account. In a medium-
security network, set this value to 30 minutes to prevent the effective use of
automated methods to guess a password.
!
Reset account lockout count after. This setting determines the amount of
time after which the counter for failed attempts returns to zero. In a high-
security network, set this value to one day (1,440 minutes). In a medium-
security network, set this value to 30 minutes.

Topic Objective
To describe how to
configure account lockout
settings.
Lead-in
Account lockout policy
works well with password
policy by limiting the number
of times that a person can
attempt to log on.
Delivery Tip
Demonstrate configuring the
account lockout settings in
Group Policy.
Key Points
An administrator can only
set Group Policy account
lockout settings at the

domain level.

An administrator must
configure all three settings
or none.

The number of logon
attempts that are allowed
must match the security
required in the network.
8 Module 13: Managing Network Security


To configure Account Lockout Policy settings, perform the following steps:
1. Open Active Directory User and Computers, create a Group Policy object at
the domain level or select an existing Group Policy object linked to the
domain, and then click Edit.
2. In Group Policy, expand Computer Configuration, expand Windows
Settings, expand Security Settings, expand Account Policy, and then
expand Account Lockout Policy.

Module 13: Managing Network Security 9


Lab A: Using Group Policy to Secure the Desktop


Objectives
After completing this lab, you will be able to implement security settings by
using Group Policy.


Estimated time to complete this lab: 15 minutes
Topic Objective
To introduce the lab.
Lead-in
In this lab, you will be able
to implement security
settings by using Group
Policy
Explain the lab objectives.
10 Module 13: Managing Network Security


Lab Setup

Tasks Detailed steps
#
Log on to your domain as
Administrator with a
password of password.
a.
Press CTRL+ALT+DEL to open the logon screen.
b.
In the User Name box, type Administrator.
c.
In the Password box, type password.
d.
In the Domain box, ensure that your domain is listed.
e.
Click OK.