![]() Security Options. The Security Options section of Group Policy configures computer security settings for digital data signatures, Administrator and Guest account names, access to floppy disk and CD drives, driver installation behavior, and logon prompts. You can configure the security options settings in the following location within the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. The Security Options item of Group Policy contains the following policies: Accounts: Administrator account status. This policy setting enables or disables the Administrator account for normal operational conditions. If you start a computer in Safe Mode, the Administrator account is always enabled, regardless of how you configure this policy setting. Possible values: Enabled. ![]() Disabled. Not Defined. Vulnerability. The built- in Administrator account cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute force attacks that attempt to guess passwords. Also, this account has a well- known security identifier (SID), and there are non- Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on. All other accounts that are members of the Administrator's group have the safeguard of locking the account out if it has exceeded the maximum number of failed logons. Countermeasure. Disable the Accounts: Administrator account status setting so that the built- in Administrator account cannot be used in a normal system startup. If it is very difficult to maintain a regular schedule for periodic password changes for local accounts, you may want to disable the built- in Administrator account instead of relying on regular password changes to protect it from attack. Potential impact. Maintenance issues can arise under certain circumstances if you disable the Administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there is no other local Administrator account, you must restart in Safe Mode to fix the problem that caused the secure channel to fail. If the current Administrator password does not meet the password requirements, you cannot re- enable the Administrator account after it is disabled. If this situation occurs, another member of the Administrators group must set the password on the Administrator account with the Local Users and Groups tool. Accounts: Guest account status. ![]() ![]()
This policy setting enables or disables the Guest account. Possible values: Enabled. Disabled. Not Defined. Vulnerability. The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data. Countermeasure. Disable the Accounts: Guest account status setting so that the built- in Guest account cannot be used. Potential impact. All network users will need to be authenticated before they can access shared resources. If you disable the Guest account and the Network Access: Sharing and Security Model option is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. ![]() When organizing your home network it’s easier to assign each computer it’s own IP address than using DHCP. Here we will take a look at doing it in XP, Vista. Wireless Network : Use this section to configure the wireless settings for your D-Link router. Please note that changes made on this section may also need to be. This policy setting should have little impact on most organizations because it is the default setting in Microsoft Windows. If you enable this policy setting, a local account must have a non- blank password to perform an interactive or network logon from a remote client. Possible values: Enabled. Disabled. Not Defined. Vulnerability. Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Windows Server 2. Active Directory. However, if users with the ability to create new accounts bypass your domain- based password policies, they could create accounts with blank passwords. For example, a user could build a stand- alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on. Countermeasure. Enable the Accounts: Limit local account use of blank passwords to console logon only setting. Potential impact. None. This is the default configuration. Accounts: Rename administrator account. This policy setting determines whether a different account name is associated with the SID for the Administrator account. Possible values: User- defined text. Not Defined. Vulnerability. The Administrator account exists on all computers that run the Windows 2. Windows Server 2. Windows XP Professional operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. In Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer. The account may not have the name Administrator, so this countermeasure is applied by default on new Windows Vista installations. If a computer is upgraded from a previous version of Windows to Windows Vista, the account with the name Administrator is retained with all rights and privileges that were defined for the account in the previous installation. The built- in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well- known SID, and there are non- Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on. Countermeasure. Specify a new name in the Accounts: Rename administrator account setting to rename the Administrator account. Potential impact. You need to provide users who are authorized to use this account with the new account name. Because the account name is well known it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges or install software that could be used for a later attack on your system. Countermeasure. Specify a new name in the Accounts: Rename guest account setting to rename the Guest account. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Potential impact. There should be little impact, because the Guest account is disabled by default in Windows 2. Windows XP, Windows Vista, and Windows Server 2. Audit: Audit the access of global system objects. If you enable this policy setting, a default system access control list (SACL) is applied when the computer creates system objects such as mutexes, events, semaphores, and MS- DOS. If you also enable the Audit object access audit setting, access to these system objects is audited. Global system objects, also known as . These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope, and therefore visible to all processes on the computer. These objects all have a security descriptor but typically have a NULL SACL. If you enable this policy setting at startup time, the kernel will assign a SACL to these objects when they are created. Possible values: Enabled. Disabled. Not Defined. Vulnerability. A globally visible named object, if incorrectly secured, could be acted upon by malicious software that knows the name of the object. For instance, if a synchronization object such as a mutex had a poorly chosen discretionary access control list (DACL), then malicious software could access that mutex by name and cause the program that created it to malfunction. However, the risk of such an occurrence is very low. Countermeasure. Enable the Audit: Audit the access of global system objects setting. Potential impact. If you enable the Audit: Audit the access of global system objects setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there is no way to choose which events are recorded. Even organizations that have the resources to analyze events that are generated by this policy setting would not likely have the source code or a description of what each named object is used for. Therefore, it is unlikely that most organizations would benefit by enabling this policy setting. Audit: Audit the use of Backup and Restore privilege. This policy setting enables or disables auditing of the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policy settings, an audit event is generated for every file that is backed up or restored. If you enable this policy setting in conjunction with the Audit privilege use setting, any exercise of user rights is recorded in the Security log. If you disable this policy setting, actions by users of Backup or Restore privileges are not audited, even if Audit privilege use is enabled. Tips to Troubleshoot Windows Vista Networking Issues. Introduction. In this article, I will cover 5 things you can do to troubleshoot your Windows Vista networking issues; including automated diagnoses, command line tools, and a strong troubleshooting methodology. Windows Vista is no different than any other operating system in that, sooner or later, you will have networking issues. This could be caused by the OS (Vista in this case), misconfiguration by the user or IT Admin, network issues, or other causes. Thus, it is not a question of if you will need to perform Vista network troubleshooting, it is a question of when will you need to perform Vista network troubleshooting. In this article, I will walk you through my 5 tips that I recommend you use to troubleshoot Windows Vista networking issues. Let us start with the first tip.#1: Use the Bottom Up Approach. I recall reading my first Cisco networking book and learning about the 3 different approaches to network troubleshooting (see my article How to use the OSI Model to Troubleshoot Networks). The 3 approaches to network troubleshooting are the bottom/up, top/down, and divide & conquer models. In the case of Vista Network troubleshooting, my #1 tip is to use the “bottom up approach” to network troubleshooting to attempt to solve your network issue prior to going into real “vista OS” troubleshooting. So what is the “bottom up approach”? If you look at the OSI Model, you will see that it is a layered model that represents all the different parts which make up a network. The “bottom” layer is usually the physical layer. Think of physical layer as the cabling, NIC interfaces, switches, and electric signals that go across the wire. If you start your troubleshooting at that bottom layer (the physical layer) and move up the OSI model you will go through the Data- Link layer (usually the Ethernet protocol), the Network Layer (usually the IP Network), Transport Layer (TCP), and all the way up to the Application layer (layer 1). My point is to start your troubleshooting by checking for physical connectivity. Here are some questions to ask yourself: Is my network cable connected? Do I have a link light on the NIC? Does Windows see my NIC and see it as connected? Does the Ethernet switch have power and show a link light? Whether you have a wired or wireless connection, the questions are the same (or similar). Take for example this Vista Wireless network connection status: Figure 1: Vista Wireless Connection Status. You want to look at the “media state”. In this case, the media is wireless but the important thing is that it is enabled. If you are attempting to connect to a wireless network, make sure that you are actually connected to a network. You can click on Connect to a Network to either connect or disconnect from a wireless or dialup network. On a computer with a physical Ethernet connection, you are going to look for the same thing. Take for example this Windows 2. Server with an Ethernet NIC: Figure 2: Windows 2. Media Stat. On this server, you can see that the Ethernet media on the wired LAN connection is enabled and you can see that the speed is 1. Gbps. If you can verify these things, more on up the OSI model until you find the issue. The old network admin joke about the OSI model is that the non- existent 8th layer of the model is the “end user” and that they are many time the issue. Many of these other things will fall into the category of testing various layers of the OSI model but, as with most networking tools, they apply to the testing of the Network & Transport layers which cover TCP/IP.#2: IP Addressing. Let us say that you checked your media state and your link light and you have physical network connectivity. Moving on up the OSI model, we will skip the datalink layer (layer 2) as Ethernet MAC addressing is usually not an issue and move to IP addressing (layer 3). At this point, you need to check your IP addressing in to ensure that: You have a real IP address (not an automatically assigned IP address)Your IP address is correct and matches your network & default gateway addresses. You have default gateway and DNS Server IP addresses defined. To do this, open the Network and Sharing Center and assuming you have a connection, click on the View Status for your connected network interface. Figure 3: Viewing the Status of your Connection. Then click on Details to see the IP address, subnet mask, default gateway, and DNS Servers. If you take a look at the details for the connection in Figure 4, notice that this connection has no default gateway or DNS servers. Figure 4: Connection without a default gateway or DNS Servers. Lack of these will certainly prevent you from really using your network connection as normal. Of course, neither of these are required but most of us want to communicate outside of our local LAN. A default gateway is required for that. Also, most of us want to communicate with servers by name (such as using www. DNS Server IP’s are required for that. Of course, you can also do an IPCONFIG /ALL to check all your IP settings, like this: Figure 5: Results of IPCONFIG /ALLPerhaps you did not receive these settings because your adaptor is not using DHCP. Even if you do have a valid IP address, default gateway, and DNS Servers, you should ping these to ensure that you can really communicate with them.#3: Windows Vista Diagnose and Repair. Fortunately for those who do not want to get into troubleshooting, Vista does offer the automatic Diagnose and Repair of network connections. Us IT Adminstrators can also use this as the “shotgun approach” to solving our problem quicker without getting into trying all sorts of things. To use diagnose and repair, just open the Network and Sharing Center and click on Diagnose and Repair. Figure 6: Diagnose and Repair. Note: Vista help also calls diagnose and repair “Network Diagnostics”. This tool will go through and check your network connection to identify problems. Firewalls are used to filter inbound and outbound network connections. Firewalls could be local on your Vista computer or they could be out on the network, filtering inbound or outbound connections to/from the Internet. Of course if the firewall is out on our LAN that is beyond the scope of this article. As for firewalls on your local Vista computer, you can even have more than one but the first one (if you installed a 3rd party firewall). However, the first thing that you want to check is the Windows Vista Firewall that is installed and enabled by default. It is unlikely that the Vista Firewall is blocking all network access. It is more likely that it is blocking just certain inbound or outbound network connections for specific applications. While it is risky on a public shared network to disable your firewall, one of the first things that I usually do when I get to this point is to just turn off the Vista Firewall to see if your problem is resolved. If it is, you can re- enable the Vista Firewall and then troubleshoot it to determine what port you need to allow your network traffic through. To disable or add exceptions for the Windows Firewall, just click on Windows Firewall inside the Network and Sharing Center. At this point, you can view its status. Figure 7: Checking the Windows Firewall. We can see that the Windows Firewall is enabled and that means that inbound connections that do not have an exception will be blocked. We can see that we should get a notification when a program is blocked. To try disabling the firewall or creating an exception, click Change Settings and you will see this: Figure 8: Changing Windows Firewall Settings. Here you can turn the firewall Off, view/modify exceptions with the Exceptions tab, or look at advanced features. Besides the Windows Firewall, if you are having trouble accessing computers on your local network, you need to check your Network Discovery settings. To do this, go to Network and Sharing. Center and scroll down to the Sharing and Discovery section. Check your settings for things like Network Discovery, File Sharing, and others. Figure 9: Sharing and Discovery#5: Use Common Sense Network Troubleshooting. While I have offered a number of technical troubleshooting tools, one of the things that more often than not is missed, is just using what I call “common sense” when it comes to troubleshooting network issues. Here are some common sense tips: Did you or someone else change something that could have caused this new networking issue? Are you even connected to the network? Are you assuming that all network connectivity is lost when really it is just one server or application that is not functioning? And if you change one thing that does not fix your issue, change that thing back to where it was before changing something else. Conclusion. You WILL be troubleshooting Vista Networking issues if you use Vista. It is not a matter of “if” but a matter of “when”. I recommend that you keep these 5 Tips to Troubleshoot Windows Vista Networking Issues handy for the next time you have a Vista networking issue.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
November 2017
Categories |