When it comes to troubleshooting the security settings that you want to deploy or have deployed to your computers, the avenues for finding where the problem lies are plentiful. The problem might be caused by a service or port that you have inadvertently disabled, or the client might not even be receiving the security template setting via a GPO.
Problems can also range from the user not being able to authenticate on the network to a user not being able to boot successfully. With so many potential problem areas, it is imperative that you have a suite of tools to help you solve the possible issues that can arise. However, let’s first quickly go through the different areas of a security template and security policy to investigate where problems might originate.
Security templates and security policies are the primary ways to configure your clients and servers to be properly secured and hardened. Some of the security areas span both security templates and security policies, while other security areas are configured only in one location. You need to pay particular attention to the following security areas:
Account policies. Account policies are configured in the security templates only. Because account policies determine the restrictions on the password and logon attempts, users might have trouble changing their passwords or logging on if they have forgotten their passwords. It is important to couple user training with any changes that occur within this section of the security template. If password requirements change from simple (or nonexistent) to complex, users must know the parameters for establishing a new password. The error messages are fairly clear here, indicating when the password does not meet complexity requirements, as shown in Figure 5-9, or when the user account has been locked out (instead of just a wrong password), as shown in Figure 5-10.
Audit policies. Audit policies can be configured in security template or the security policy. An audit policy typically will not cause any visible problems. However, if the object access policy is set for both Success and Failure for many objects on a server, the performance of the server can degrade dramatically. This is especially true if object access has been configured for a domain controller, where auditing of the majority of the Active Directory objects has been configured. If you feel that auditing has caused a performance problem on a server or client, you can quickly disable the auditing and see if performance improves. Another option is to use the System Monitor to determine which application or service is causing the performance degradation.
User rights. User rights are configured only in security templates. Because user rights control what users can and can’t do on a client or server, many problems can originate here. Don’t forget that user rights not only affect user and group accounts, but they are also required for service accounts. If user rights are set too restrictively, or a user account is omitted from the policy, many problems with basic functionality of the server or client can occur. Applications can fail, backups can fail, and basic user authentication can fail. Depending on which area of functionality fails, you can use different methods to try and track down the problem. A good place to start is to use the event logs for either object access or privilege use. If you have configured privilege use for both success and failure, you should get good information that will help you track down which user right is incorrectly set so you can add the correct user or group to allow the access and privileges.
Security options. The security options are mainly set in security templates, but a few security settings can be configured using the Security Configuration Wizard. As we said earlier in this chapter, we cannot cover all of the security options here. However, some of the more common and powerful settings can lead to certain common problems if configured inappropriately for your environment. Be sure to check the SMB signing and anonymous access settings if you are having trouble with accessing resources directly or through an application. If you are having trouble authenticating, you might need to alter the LAN Manager settings to remove any restrictions for basic logon and authentication.
Event logs. Event log settings can be set only in security templates. If you set the log files too small, you will not be able to track down significant events because the logs will be overwritten so quickly. You should configure the log files to be large enough to store all of the data that is logged between archiving times. It is best to save Event log files periodically so that the log file can be reasonably sized and no data will be lost.
Restricted groups. Restricted groups can be configured only in security templates. Restricted groups must be thoroughly tested before they are implemented. Because existing groups and users may be removed when the new policy is applied, a number of problems can arise. If you forget to include a user or group in the policy that you implement, applications, services, or resource access might fail. One way to identify the cause of the problem is to configure object access auditing to track down the reason for the failed access.
System services. Services can be configured in both security templates and using the Security Configuration Wizard. Because the results of deploying a security policy without first testing it can be devastating, you should test your new configuration before you begin disabling services. You must not only be aware of the service you are disabling, but also of any services that depend on the service that you disable. This chain reaction of services is not always obvious. Ideally, you should use the Security Configuration Wizard to modify services. This approach offers two benefits. First, the wizard provides excellent descriptions of how various services depend on each other. Second, the wizard has a rollback feature, which is useful when the settings you deploy cause too many problems.
Registry. Both the security templates and policies can configure the registry on a target computer. Security templates can configure DACLs for registry keys, while the Security Configuration Wizard can configure important registry settings that govern how Windows computers communicate on your network. The results of an incorrect registry setting might not show up immediately. Problems with registry DACLs or specific settings can mask themselves very well. You can use auditing to help track down where the problem lies, but with thousands of registry settings on a single computer, trying to identify the problem will often be difficult. Your best bet for troubleshooting registry-based configurations is to document your configuration carefully and use the tools listed in the next section to verify that the registry settings and DACLs were set according to your documentation.
File system. File system permissions can be configured in security templates. Like registry DACLs, problems with file system DACLs can be difficult to troubleshoot if you have caused the issue through the deployment of a GPO. Your best resource is again to enable auditing for object access. You can configure both success and failure auditing for the file system object to see where a user or group is not being allowed to access it. Documentation and use of the tools described in the next section can also help ensure that your security template settings accomplish your desired goals.
Ports. Ports can controlled by both the GPOs and the Security Configuration Wizard. If you are using GPOs to control ports in Windows Firewall, see Chapter 11 for configuration and troubleshooting tips. If you are using the Security Configuration Wizard to control the ports, you must ensure that the ports you want to disable or enable are correctly set. You can manually check the firewall on the affected computer, or you can use the Netstat or Portqry tool (discussed earlier in this chapter).
When you create and deploy security settings to harden clients and servers, you hope that the settings will be applied properly and that you will not experience any negative repercussions from your design. However, sometimes the results will still not be what you anticipated. If you go through each section of the security template and still find that the settings are correct, you will need to use some tools to track down where the problem lies within your security implementation. The following sections describe some tools that can help you track down errant security configurations on a target computer or associated with GPOs stored in Active Directory.
The Secedit tool includes an analysis option that lets you compare the contents of a security template to the current security settings of a computer. More than one security template or GPO can affect a computer that is a member of a domain; this tool lets you to find out which settings comply with the desired security settings in your template.
The Security Configuration and Analysis snap-in is the GUI version of the secedit command. This tool graphically compares the settings in a security template to the existing settings on the computer you are analyzing. To run an analysis on a computer against a security template using the Security Configuration and Analysis snap-in, complete these steps:
Click Start, Run.
In the Run dialog box, type mmc and click OK.
From the menu bar, select File, Add-Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Security Configuration And Analysis from the Snap-ins list, and then click Add.
Click Close, and then click OK.
Right-click the node labeled Security Configuration and Analysis and select Open Database.
Type a name for the database and click Open.
Select the security template to use for the audit and click Open.
Once the database has been created, right-click the Security Configuration and Analysis node and select Analyze Computer Now.
Specify a log file path and name and click OK.
Once the analysis is complete, scan through the nodes to view the results.
The Gpresult tool has been around for quite some time, but it is still valuable for investigating and troubleshooting GPO settings. The tool is not security-specific, but it can provide you with information about which GPOs apply and the specific settings (including security settings) that exist on a computer.
In some instances, you will need to evaluate what the final GPO settings will be for a computer when the computer is not on the network or when you don’t have access to the computer. Resultant Set of Policy (RSoP) can help with this, which includes providing details about the security settings that will apply to the computer through GPOs.