1
00:00:03,050 --> 00:00:05,960
In this demonstration, we will work with NTLM.

2
00:00:06,800 --> 00:00:10,760
You will look at how you can audit NTLM usage in the server environment.

3
00:00:11,660 --> 00:00:17,240
Following this, you will configure NTLM security to make sure that NTLM version two is enforced

4
00:00:18,110 --> 00:00:20,030
when it comes to working with NTLM.

5
00:00:20,060 --> 00:00:25,160
It's important to note that many old devices in your environment could still use those old authentication

6
00:00:25,160 --> 00:00:25,880
protocols.

7
00:00:26,780 --> 00:00:29,910
Some of those devices might support NTLM version two.

8
00:00:30,770 --> 00:00:34,340
However, they might only support it after you actually configure it.

9
00:00:35,240 --> 00:00:40,580
So a word of caution: don't simply disable NTLM version one without knowing which devices are using

10
00:00:40,580 --> 00:00:40,730
it.

11
00:00:41,600 --> 00:00:44,060
And how would you know which devices are using it?

12
00:00:44,960 --> 00:00:47,630
Well, the first step is to perform auditing.

13
00:00:48,410 --> 00:00:53,330
When you enable NTLM auditing, you have the ability to look at your audit logs and look for event

14
00:00:53,330 --> 00:00:54,980
ID 4624.

15
00:00:55,850 --> 00:00:59,510
You'll see a sample of event ID 4624 on your screen.

16
00:01:00,350 --> 00:01:04,070
In the sample, you'll notice that the logon type is logon type three.

17
00:01:04,940 --> 00:01:09,650
This means that the user computer has logged on to the destination computer from the network.

18
00:01:10,520 --> 00:01:13,700
The next piece that's highlighted is the authentication package.

19
00:01:14,600 --> 00:01:18,320
Here we can see that NTLM was used as the authentication method.

20
00:01:19,220 --> 00:01:22,710
The next section to look at is the package name (NTLM only).

21
00:01:23,570 --> 00:01:27,170
In this example, you'll notice that NTLM version two was used.
22
00:01:28,040 --> 00:01:33,140
However, if it showed LM or NTLM V1, then you know that either LAN Manager or NTLM

23
00:01:33,140 --> 00:01:34,280
version one was used.

24
00:01:35,180 --> 00:01:39,380
Now you'll go ahead and enable the deepest level of NTLM auditing possible.

25
00:01:40,220 --> 00:01:43,670
And to do this, you're going to navigate to Group Policy Management.

26
00:01:44,550 --> 00:01:49,620
And since we want to enable this NTLM auditing across the domain, you will go ahead and edit the

27
00:01:49,620 --> 00:01:51,000
Default Domain Policy.

28
00:01:51,850 --> 00:01:56,680
And within the Default Domain Policy, you're going to navigate to Policies / Windows Settings /

29
00:01:56,680 --> 00:02:00,610
Security Settings / Local Policies / Security Options.

30
00:02:01,480 --> 00:02:06,010
Within Security Options, there are three group policy settings that we are going to look at.

31
00:02:06,880 --> 00:02:09,970
The first one is Audit incoming NTLM traffic.

32
00:02:10,860 --> 00:02:17,730
Then we will look at Audit NTLM authentication in this domain, and we will look at Outgoing NTLM traffic

33
00:02:17,730 --> 00:02:18,810
to remote servers.

34
00:02:19,680 --> 00:02:23,430
So let's start with the first one: Audit incoming NTLM traffic.

35
00:02:24,310 --> 00:02:29,530
In this setting, you have three possible values to define, the first being Disable, which of course

36
00:02:29,530 --> 00:02:30,880
disables the policy.

37
00:02:31,750 --> 00:02:34,870
The second one is Enable auditing for domain accounts.

38
00:02:34,930 --> 00:02:39,790
When this is enabled, events will be logged for NTLM pass-through authentication requests only.

39
00:02:40,640 --> 00:02:46,280
The next setting, which is Enable auditing for all accounts, will log events for all NTLM authentication

40
00:02:46,280 --> 00:02:46,850
requests.
41
00:02:47,780 --> 00:02:53,300
Since we want to enable the deepest level of NTLM auditing to ensure that we don't break any connectivity,

42
00:02:53,330 --> 00:02:55,790
we will select Enable auditing for all accounts.

43
00:02:56,690 --> 00:02:57,920
You'll click on OK.

44
00:02:58,730 --> 00:03:03,680
And now you'll move on to the next setting, which is Audit NTLM authentication in this domain.

45
00:03:04,520 --> 00:03:08,990
And within this setting we're going to select Enable all, since you need to ensure that you are auditing all

46
00:03:08,990 --> 00:03:10,520
NTLM authentication.

47
00:03:11,390 --> 00:03:17,780
You'll click on OK. Now let's move on to the next setting, which is Outgoing NTLM traffic to remote

48
00:03:17,780 --> 00:03:18,290
servers.

49
00:03:19,160 --> 00:03:24,350
And this group policy allows you to deny or audit outgoing NTLM traffic from a computer running

50
00:03:24,350 --> 00:03:28,670
Windows 7 or later to any remote server that runs a Windows operating system.

51
00:03:29,540 --> 00:03:31,070
So you will click on OK.

52
00:03:31,880 --> 00:03:35,090
And now you have successfully enabled NTLM auditing.

53
00:03:35,960 --> 00:03:40,850
Now, in a real-world scenario, you would leave this group policy active for some time, perform auditing

54
00:03:40,850 --> 00:03:45,740
on the event logs, and ensure that you have a clear picture of which devices in your organization use

55
00:03:45,740 --> 00:03:51,830
NTLM version one. Once you have isolated the ones that use NTLM version one, and if they cannot

56
00:03:51,830 --> 00:03:56,540
be upgraded, you can then use a different group policy to specifically target those devices that can

57
00:03:56,540 --> 00:03:58,190
work with NTLM version two.
58
00:03:59,000 --> 00:04:04,160
So once you have audited your logon events and found that there are no devices that are using old authentication

59
00:04:04,160 --> 00:04:10,520
protocols, you are then ready to enforce NTLM version two. In order to enforce NTLM version two,

60
00:04:10,520 --> 00:04:15,590
you need to modify one policy, which is Network security: LAN Manager authentication level.

61
00:04:16,490 --> 00:04:19,610
This setting has six levels, and they are counted from zero.

62
00:04:20,450 --> 00:04:23,900
So that's zero, one, two, three, four, five.

63
00:04:24,770 --> 00:04:29,900
So when this is hard-coded in the registry, you would see a registry security level starting from zero,

64
00:04:29,900 --> 00:04:32,720
with zero being Send LM and NTLM responses.

65
00:04:33,650 --> 00:04:35,540
So what does each of these settings mean?

66
00:04:36,380 --> 00:04:41,360
Well, the first one is obvious, in which you are only hard-coding your authentication level to work with

67
00:04:41,360 --> 00:04:47,840
LAN Manager and NTLM. The second one enables the use of NTLMv2 session security only if

68
00:04:47,840 --> 00:04:48,710
it's negotiated.

69
00:04:49,580 --> 00:04:53,510
The next one drops LAN Manager and only uses NTLM version one.

70
00:04:54,350 --> 00:04:57,410
The one after that starts to introduce NTLM version two.

71
00:04:57,530 --> 00:05:02,510
However, the domain controller will still accept LM and NTLM version one authentication.

72
00:05:03,350 --> 00:05:09,740
The next setting starts to completely refuse LAN Manager, and the most secure setting starts to refuse

73
00:05:09,740 --> 00:05:15,830
LAN Manager and NTLM version one. Best practices dictate that you should start with a security level

74
00:05:15,830 --> 00:05:19,160
of three, so that would be zero, one, two and three.
75
00:05:20,060 --> 00:05:25,070
So the authentication level to start with as you start to enforce NTLM version two is the setting

76
00:05:25,190 --> 00:05:27,590
which is Send NTLMv2 response only.

77
00:05:28,460 --> 00:05:34,040
What this does is it enables NTLMv2 as default, but still allows a fallback to LAN Manager

78
00:05:34,040 --> 00:05:35,330
and NTLM version one.

79
00:05:36,170 --> 00:05:41,120
Once you configure this, you'll notice that there is a warning which will take you to a Microsoft article

80
00:05:41,120 --> 00:05:44,450
which dictates the possible impact of configuring this setting.

81
00:05:45,290 --> 00:05:49,970
Since you need to ensure that NTLMv2 is starting to be used as a default, you will accept

82
00:05:49,970 --> 00:05:52,310
this change and allow the setting to be configured.

83
00:05:53,180 --> 00:05:58,850
The next step from here would be to perform auditing again, and the reason for performing additional

84
00:05:58,850 --> 00:06:03,890
auditing is to see which devices are still using LAN Manager and eliminate them from the environment.

85
00:06:04,790 --> 00:06:09,350
If there are no devices that are using LAN Manager anymore, you can then move to the next level of

86
00:06:09,350 --> 00:06:14,180
four and perform auditing again, and pretty much repeat the same process until you get to the most secure

87
00:06:14,180 --> 00:06:14,990
level of five.

88
00:06:15,850 --> 00:06:17,680
And that is when the system refuses

89
00:06:17,680 --> 00:06:19,450
LAN Manager and NTLM.

90
00:06:20,320 --> 00:06:24,040
So what if you wanted to remove NTLM authentication completely?

91
00:06:24,880 --> 00:06:30,190
Well, the two settings that are defined here, Restrict NTLM: Incoming NTLM traffic and

92
00:06:30,190 --> 00:06:31,330
Restrict NTLM:

93
00:06:31,330 --> 00:06:36,280
NTLM authentication in this domain, are what you could configure to completely stop NTLM.
94
00:06:37,120 --> 00:06:41,770
But again, a word of caution is to make sure that you have audited the environment to ensure that your

95
00:06:41,770 --> 00:06:47,080
devices can support another authentication protocol, such as Kerberos, instead of NTLM.

96
00:06:47,950 --> 00:06:52,450
These settings are extremely powerful, and if they are configured incorrectly, you could pretty much

97
00:06:52,450 --> 00:06:56,500
break your environment and have endless issues with devices that do not authenticate.

98
00:06:57,370 --> 00:07:01,780
So best practice is to make sure that you perform a deep level of auditing to ensure that you have a

99
00:07:01,780 --> 00:07:06,460
clear picture of any impacted devices as you define the settings for restricting NTLM.