Use the Security Configuration Wizard

In this exercise, you will use the Security Configuration Wizard to create a security policy for domain controllers in the contoso.com domain based on the

configuration of NYC-DC1. You will then convert the security policy into a GPO, which could then be deployed to all domain controllers by using Group Policy.

The main tasks for this exercise are as follows:

1. Create a security policy.

2. Transform a security policy into a Group Policy object.

f

1. Run the Security Configuration Wizard in the Administrative Tools folder, with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

2. On the Welcome to the Security Configuration Wizard page, click Next.

3. On the Configuration Action page, select Create a new security policy, and then click Next.

4. On the Select Server page, accept the default server name, NYC-DC1, and click Next.

5. On the Processing Security Configuration Database page, you can optionally click View Configuration Database and explore the configuration that was discovered on NYC-DC1.

6. Click Next.

7. On the Role Based Service Configuration section introduction page, click Next.

8. On the Select Server Roles page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.

9. On the Select Client Features page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.

10. On the Select Administration and Other Options page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings. Click Next.

B ET A C O U R SE W A R E E XP IR ES 4/ 18 /2 01 1

Managing Enterprise Security and Configuration with Group Policy Settings 7-59

11. On the Select Additional Services page, you can optionally explore the settings that were discovered on NYC-DC1, but do not change any settings.

Click Next.

12. On the Handling Unspecified Services page, do not change the default setting, Do not change the startup mode of the service. Click Next.

13. On the Confirm Service Changes page, in the View list, select All Services.

14. Examine the settings in the Current Startup Mode column, which reflect service startup modes on NYC-DC1, and compare them with the settings in the Policy Startup Mode column.

15. In the View list, select Changed Services.

16. Click Next.

17. On the Network Security section introduction page, click Next.

18. On the Network Security Rules page, you can optionally examine the firewall rules derived from the configuration of NYC-DC1. Do not change any settings.

Click Next.

19. On the Registry Settings section introduction page, click Next.

20. On each page of the Registry Settings section, examine the settings, but do not change any of them, and then click Next. When the Registry Settings Summary page appears, examine the settings and click Next.

21. On the Audit Policy section introduction page, click Next.

22. On the System Audit Policy page, examine but do not change the settings.

Click Next.

23. On the Audit Policy Summary page, examine the settings in the Current Setting and Policy Setting columns. Click Next.

24. On the Save Security Policy section introduction page, click Next.

25. In the Security Policy File Name text box, click at the end of the file path and type DC Security Policy.

26. Click Include Security Templates.

27. Click Add.

B ET A C O U R SE W A R E E XP IR ES 4/ 18 /2 01 1

7-60 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

28. Browse to locate the DC Remote Desktop template created in Exercise 3, located in the My Documents\Security\Templates folder. When you have located and selected the template, click Open.

Be careful that you add the Documents\Security\Templates\DC Remote Desktop.inf file and not the DC Security.inf default security template.

29. Click OK to close the Include Security Templates dialog box.

30. Click View Security Policy.

You are prompted to confirm the use of the ActiveX control.

31. Click Yes.

32. Examine the security policy. Notice that the DC Remote Desktop template is listed in the Templates section.

33. Close the window after you have examined the policy.

34. In the Security Configuration Wizard, click Next.

35. On the Apply Security Policy page, accept the Apply Later default setting, and then click Next.

36. Click Finish.

f

1. Run the Command Prompt as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.

2. Type cd c:\windows\security\msscw\policies, and then press Enter.

3. Type scwcmd transform /?, and then press Enter.

4. Use the scwcmd.exe command to transform the security policy named "DC Security Policy.xml" to a GPO named "DC Security Policy."

B ET A C O U R SE W A R E E XP IR ES 4/ 18 /2 01 1

Managing Enterprise Security and Configuration with Group Policy Settings 7-61

5. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.

6. Examine the settings of the DC Security Policy GPO. Confirm that the BUILTIN\Administrators and CONTOSO\SYS_DC Remote Desktop groups are given the Allow log on through Terminal Services user right. Also, confirm that the CONTOSO\SYS_DC Remote Desktop group is a member of BUILTIN\Remote Desktop Users.

Results: In this exercise, you will have used the Security Configuration Wizard to create a security policy named DC Security Policy, and transformed the security policy to a Group Policy object named DC Security Policy.

Important: Do not shut down the virtual machine after you are finished with this lab because the settings you have configured here will be used in subsequent labs

B ET A C O U R SE W A R E E XP IR ES 4/ 18 /2 01 1

7-62 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services

Lab Review Question

Question: Describe the relationship between security settings on a server, Local Group Policy, security templates, the database used in Security Configuration and Analysis, the security policy created by the Security Configuration Wizard, and domain-based Group Policy.