Here's the book you need to prepare for the Implementing and Administering Security in a Microsoft Windows Server 2003 Network exam (70-299). This Study Guide was developed to meet the exacting requirements of today's certification candidates. In addition to the consistent and accessible instructional approach that earned Sybex the "Best Study Guide" designation in the 2003 CertCities Readers Choice Awards, this book provides:
- Clear and concise information on administering a secure Windows Server 2003 network
- Practical examples and insights drawn from real-world experience
- Leading-edge exam preparation software, including a testing engine and electronic flashcards for your Palm
You'll also find authoritative coverage of key exam topics, including:
- Implementing, Managing, and Troubleshooting Security Policies
- Implementing, Managing, and Troubleshooting Patch Management Infrastructure
- Implementing, Managing, and Troubleshooting Security for Network Communications
- Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI
Note: CD-ROM/DVD and other supplementary materials are not included as part of eBook file.
Product dimensions: 7.50(w) x 9.00(h) x 1.25(d)
About the Author
Bill English, MCSE, MCT, is President of Networknowledge, a training and consulting firm located in Minnesota. He has written numerous books, including the Administrator's Guide to SharePoint Portal Server 2001. Russ Kaufmann, MCSE, MCT, has over 11 years' IT experience, most recently with the Root Group as a Microsoft Practice Manager.
Read an Excerpt
MCSA/MCSE: Windows Server 2003 Network Security Administration Study Guide
By Russ Kaufman
John Wiley & Sons, ISBN: 0-7821-4332-6
Chapter One: Configuring, Deploying, and Troubleshooting Security Templates
THE MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
* Configure registry and file system permissions.
* Configure account policies.
* Configure .pol files.
* Configure audit policies.
* Configure user rights assignment.
* Configure security options.
* Configure system services.
* Configure restricted groups.
* Configure event logs.
* Plan the deployment of security templates.
* Deploy security templates by using Active Directory-based Group Policy Objects (GPOs).
* Deploy security templates by using command-line tools and scripting.
* Troubleshoot security templates in a mixed operating system environment.
* Troubleshoot security policy inheritance.
* Troubleshoot removal of security template settings.
Windows Server 2003 provides a rich set of security features that enable administrators to secure information and activity on their Windows Server 2003-based networks. Through the use of Group Policy Objects (GPOs), you can push configurations out to each Windows-based machine on the network to help ensure network-wide security. You can quickly create GPOs to perform this task by applying a template. A template is a preconfigured set of values that can be used to create a GPO. Security templates are text-based .inf files that allow the administrator to create security configurations once and then apply those configurations to multiple servers. Templates also reduce the amount of administrative effort required to secure a group of Windows Server 2003 servers, Windows 2000 workstations and servers, and Windows XP Professional workstations. These templates are administered through the Microsoft Management Console (MMC) and are applied to multiple servers using one or more Group Policies.
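The paragraph above describes security templates as text-based .inf files. The script below, an added example written for this page and not code from the book or from Microsoft, parses a template in the secedit format and compares its account policies, audit policies, and restricted-group entries against a baseline, which is the kind of check you would run before deploying a template through a GPO or with the secedit command-line tool. The template text, the baseline values, and the group membership names are constructed for illustration; the section names ([System Access], [Event Audit], [Group Membership]) and the meaning of the audit values (0 none, 1 success, 2 failure, 3 both) are those of the real template format.

```python
"""Parse a secedit-style security template (.inf) and compare its account,
audit and restricted-group settings against a baseline.

Added example for this page, not code from the book or from Microsoft.  The
template text below is constructed for illustration; the section and key
names are the ones the secedit template format uses.
"""
import configparser

# Constructed sample template.  Audit values: 0 = no auditing, 1 = success,
# 2 = failure, 3 = success and failure.  LockoutBadCount = 0 means accounts
# never lock out.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 2
AuditPrivilegeUse = 0
[Group Membership]
; Restricted group: S-1-5-32-544 is the well-known SID of local Administrators.
; Members are written here as names (constructed); real templates often use SIDs.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,Domain Admins
"""

# Baseline rules (constructed values): ("min", n) value must be at least n;
# ("eq", n) value must equal n; ("range", lo, hi) lo <= value <= hi.
# Only numeric keys are listed; string-valued keys need their own handling.
BASELINE = {
    "System Access": {
        "MinimumPasswordLength": ("min", 8),
        "PasswordHistorySize": ("min", 24),
        "PasswordComplexity": ("eq", 1),
        "LockoutBadCount": ("range", 1, 10),
    },
    "Event Audit": {
        "AuditLogonEvents": ("eq", 3),
        "AuditAccountLogon": ("eq", 3),
        "AuditPolicyChange": ("eq", 3),
    },
}


def parse_template(text):
    """Return {section: {key: value}} for template text already decoded to str."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False)
    cp.optionxform = str  # keep key case so SID-based keys match exactly
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def load_template(path):
    """Read a template from disk.  secedit saves templates as UTF-16 with a
    byte-order mark; hand-written files are assumed to be UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return parse_template(raw.decode(encoding))


def _violates(value, rule):
    kind, *args = rule
    if kind == "min":
        return value < args[0]
    if kind == "eq":
        return value != args[0]
    if kind == "range":
        return not (args[0] <= value <= args[1])
    raise ValueError(f"unknown rule kind {kind!r}")


def check_template(template, baseline=BASELINE):
    """Return {"Section/Key": reason} for every baseline rule the template fails."""
    findings = {}
    for section, rules in baseline.items():
        values = template.get(section, {})
        for key, rule in rules.items():
            raw = values.get(key)
            if raw is None or raw.strip() == "":
                findings[f"{section}/{key}"] = f"not set (baseline {rule})"
                continue
            value = int(raw)
            if _violates(value, rule):
                findings[f"{section}/{key}"] = f"{value} fails {rule}"
    return findings


def restricted_group_members(template, sid):
    """Members that a restricted-group entry will enforce for the group with this SID."""
    entry = template.get("Group Membership", {}).get(f"*{sid}__Members", "")
    return [m.strip() for m in entry.split(",") if m.strip()]


if __name__ == "__main__":
    tpl = parse_template(SAMPLE_TEMPLATE)
    for item, reason in sorted(check_template(tpl).items()):
        print(f"FAIL {item}: {reason}")
    print("Administrators will be set to:",
          restricted_group_members(tpl, "S-1-5-32-544"))
```

This only inspects the template file itself; comparing a template against the live configuration of a machine is what the secedit /analyze command does, and applying it is secedit /configure. Running the script on the constructed sample flags the short minimum password length, the short password history, the disabled lockout threshold, and the policy-change audit that records failures only.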
Because this exam emphasizes the use of GPOs, we are going to spend some time going over how GPOs work and how you can deploy them effectively. We understand that this may be a review for many of you. If you are comfortable and confident in your GPO skills and depth of understanding, you can skip this section and start with the "Working with Security Templates" section later in this chapter.
This book jumps right in with the specific information you will need to pass the exam. If you need to get up to speed with the basics, try Network Security JumpStart by Matt Strebe (Sybex, 2002). For more information on general networking theory and concepts, try Mastering Network Security, 2nd Edition by Chris Brenton and Cameron Hunt (Sybex, 2002).
However, if you feel you need a refresher on Group Policies, read this section. You will need this information to do well on the exam and to better understand how to implement security in a Windows Server 2003 environment.
Group Policy Objects and Windows 2003 Server
Policies are not new to Microsoft products. Since the release of Windows 95, policies have been a way to ensure that Registry settings are configured correctly across multiple computers with a single administrative act. In previous versions of Windows, policies were difficult to configure and did not meet the needs of most businesses when they were configured. Policies did not address as many configurable settings in earlier versions.
You can use GPOs to define a user's work environment and then implement changes to that environment without the user needing to reboot their workstation. In almost every case, you can deploy a GPO without users even knowing that it has been deployed. The only way that users will know that there is a GPO deployed is if its settings conflict with a configuration that the user is trying to set. User and computer settings are defined once in a GPO, and then the object is used to push those settings out to the computers and user accounts you designate. Windows Server 2003 continually enforces the settings in the GPO. As updates to the settings in the GPO are configured, these updates are pushed out to the Windows Server 2003 and Windows XP Professional computers on your network.
In addition to handling security concerns, you can use Group Policies to reduce lost productivity (which is often due to user error) by removing unnecessary programs and abilities that ship standard with the Windows Server 2003 platform. This also can lower the overall total cost of ownership (TCO).
GPOs are linked to a site, a domain, or an organizational unit (OU) container. When linked to a site or a domain container, GPOs allow you to centralize settings for an entire organization. When GPOs are linked to an OU container, you can apply different settings to different sets of user and/or computer accounts. In both cases, GPOs can be filtered to prevent some users and computers from having the GPO applied to them.
GPOs also ensure that users have the desktop environment necessary to perform their job effectively. You can configure settings to ensure that certain shortcuts, drive mappings, and other configurations exist whenever the user is logged on. Furthermore, you can automate software installations, negating the need to send a technician to the desktop to install or update software packages.
Corporate security and business policies can also be enforced through the use of GPOs. For example, you can ensure that security requirements for all users match the security required by corporate policy.
Configuring Group Policies
When a GPO is first opened, you'll find several types of settings that you can configure:
Administrative Templates These are Registry-based settings for configuring application and user desktop environments. For example, these settings can be used to configure which shortcuts and objects will appear on the user's desktop environment. They can also be used to redirect the My Documents location to the user's home directory on a remote file server.
Security Your choices here are local computer, domain, and network settings. These settings control user access to the network, account and audit policies, and user rights. For example, these settings can be used to configure the account policies, manage the event logs, and even manage client behavior when there are multiple wireless networks available to the client computer.
Software Installation These settings centralize software management and deployment. Applications can be either published or assigned. Applications can also be deployed based upon security group memberships as well as to individuals.
Scripts These settings specify when Windows computers run a specific script. Scripts can be run at four different times using GPOs:
* Computer startup: Startup scripts are run as the operating system boots up. All scripts will run, and when they are complete, the user will be prompted with the security window to press Ctrl+Alt+Delete.
* User logon: Logon scripts are run after the user submits their username and password to the network. Once all scripts have been completed, the user desktop appears and the user is able to start interacting with the interface.
* User logoff: Logoff scripts are run after the user has logged off the computer. Once all logoff scripts are complete, the computer will prompt the user with the security window to press Ctrl+Alt+Delete.
* Computer shutdown: Shutdown scripts are run when the computer is being shut down or restarted. Once the scripts and the other shutdown processes are complete, the user will be prompted with the "It is now safe to turn off your computer" message. If the computer has the proper power configuration components, it will automatically shut down and power itself off. If the user was restarting the computer, all shutdown scripts must run before the restart proceeds.
Remote Installation Services These settings control the options available to users when running the Client Installation Wizard provided by Remote Installation Services (RIS). RIS can be configured with several options for client computer installations. For example, a client computer using RIS can automatically be supplied with a computer name, or the user can be allowed to select their own computer name.
Internet Explorer Maintenance These settings let you administer and customize Internet Explorer (IE) configurations on Windows Server 2003, Windows 2000, and Windows XP computers. IE can be configured for all users, or select network users, with a standard home page for the browser and standard favorites lists. GPOs can also be used to provide security configuration information and other important information such as the proxy settings.
Folder Redirection These settings store specific user profile information and take a shared folder on a server and make it look like a local folder on the desktop of the computer. The Folder Redirection option in a GPO is very important, because now network users can be forced to use network storage locations instead of local storage locations on their computers. By forcing storage to centralized server locations, the data can be properly backed up and scanned for viruses on a regular basis. The data can be protected more efficiently if it is stored on a server.
Now, a GPO comprises two elements: the Group Policy Container (GPC) and the Group Policy Template (GPT). The GPC is located in Active Directory (AD) and provides version information used by the domain controllers to discern which GPO is the most recent version. If a domain controller (DC) does not have the most recent version, it relies on replication with other DCs to obtain the latest GPO and thereby update its own GPC.
The GPT is a folder hierarchy in the shared Sysvol folder on domain controllers. The GPT contains the settings that are applied to the computers on your network. Computers connect to the Sysvol folder on the DC to read the settings in the GPT before applying them to their local Registry. The GPT is named after the Globally Unique Identifier (GUID) of the GPO. When the GPO is created, it is assigned a new GUID, and the GPT name is the GUID of the GPO.
Each GPO has two sets of configuration settings: one for computers and the other for users. This basic architecture has not changed since Windows 95, which used user.dat and system.dat as the basis for forming the policy file. This was also the case in Windows 98, but many additional configuration settings are available in Windows 2000 and Windows Server 2003.
The configuration settings for computers specify the following:
* Operating system behavior
* Desktop behavior
* Security settings
* Computer startup and shutdown scripts
* Application assignments, options, and settings
The configuration settings for users specify the following:
* Operating system behavior
* User-specific desktop settings
* User-specific security settings
* Assigned and published applications
* Folder redirection options
* User logon and logoff scripts
When a GPO is linked to a site, a domain, or an OU container, the user and computer accounts hosted in that object are affected by the policy. GPOs can be linked to more than one container such that the following statements are true:
* You can link one GPO to multiple sites, domains, and/or OUs.
* Linking at the site or domain level gives you centralized administrative abilities.
* Linking at the OU level decentralizes your administration, yet maintains uniformity for those objects affected by the GPO.
* You can link multiple GPOs to a single site, domain, and/or OU.
* Creating multiple GPOs allows you to easily administer each group of settings you want to apply.
* Link inheritance is maintained in AD; lower-level objects inherit the upper-level settings from a GPO. For example, all OUs in a domain inherit the settings of a GPO linked to the domain object.
* You cannot link GPOs to default AD containers, including the Users, Computers, and Builtin containers.
After a GPO is created, it is not required to be linked to an object. GPOs can simply be created and then linked later to the desired object when the GPO's settings are needed. In addition, when you work on GPOs from a domain controller, by default, you work in the memory space of the domain controller that has been assigned the Flexible Single Master Operations (FSMO) role of primary domain controller (PDC) emulator. The PDC emulator looks and feels like a PDC to Windows NT backup domain controllers (BDC) and Windows NT workstations. The FSMO role of PDC emulator is implemented for legacy compatibility purposes. You will use Active Directory Users and Computers (ADUC) to link a GPO to a domain or an OU. You will use Active Directory Sites and Services (ADSS) to link a GPO to a site. You must be a member of the Enterprise Admins security group to link a GPO to a site object.
If you would like to learn more about the PDC and BDC roles in Windows NT 4.0, please consult Mastering Windows NT Server 4, 7th Edition by Mark Minasi (Sybex, 2000).
Applying Group Policies
To be successful in the real world, as well as on the exam, you'll need to understand how GPOs are applied in AD. GPO inheritance constitutes the order in which policies are applied. GPOs are first applied to the site container, then to the domain container, and then to the OU container. As policies are applied, they override the previous policy, meaning that a policy setting at the OU level overrides the policy setting at the domain level, and policy settings at the domain level override policy settings at the site level. In other words, the most recently applied policy, the one that is applied last, has the greatest priority in setting the final configurations for objects hosted in the linked container.
However, bear in mind that inheritance is at work too. An OU could be inheriting multiple policies that have been linked to the site, domain, and upper-level OU objects. The policies are applied, even though no policy has been directly linked to the OU.
You'll also need to understand how GPOs are processed, which is different from how they are inherited or linked. When we talk about policies being processed, we are talking about the order in which policies are applied when multiple policies are linked to the same container. And because there are two parts to every GPO, it is important to understand which part of the GPO is processed first.
The computer settings of a GPO are processed and applied before the user settings. When the Windows computer processes computer settings, the startup scripts run. When a user logs on, the logon scripts are processed. The reverse happens when a user cleanly shuts down a workstation; logoff scripts run first, and then shutdown scripts run.
If multiple policies are linked to the same container, the default setting is to process all policies synchronously. You can change the processing of a GPO to asynchronous by using a Group Policy setting for both computers and users. In asynchronous processing, all policies are processed simultaneously using multiple threads. In synchronous processing, one policy must finish processing before the next policy can begin processing. Also in synchronous processing, the desktop for the user does not appear until all policies are processed and applied. If you decide to use asynchronous processing, you might sacrifice reliability in each policy being enforced correctly system-wide. Best practice is to leave policy processing at the default of synchronous.
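The site, domain, OU application order, the "last applied wins" rule, and inheritance through the OU chain described in this section are easy to get wrong when troubleshooting why a setting ended up with a particular value. The following model, an added example written for this page rather than code from the book or from any Microsoft tool, resolves the effective settings for an object from a set of constructed GPOs and container links and records every point at which a later GPO overrode an earlier value. The container names, GPO names, setting names and values are all constructed; the same resolution applies separately to the computer half and the user half of each GPO, with the computer half processed first as the text states.

```python
"""Model of Group Policy inheritance and precedence: GPOs linked to the site
apply first, then the domain, then each OU from the top of the OU chain down,
and a later setting overrides an earlier one.

Added example written for this page; not code from the book or a Microsoft
tool.  Container, GPO and setting names below are constructed.
"""

# Constructed GPOs: name -> {setting: value}.  Setting names are illustrative.
GPOS = {
    "Site-Baseline": {"AuditLogonEvents": 3, "ScreenSaverTimeout": 900,
                      "RequireSMBSigning": 0},
    "Domain-Security": {"RequireSMBSigning": 1, "RestrictAnonymous": 1},
    "Servers-Hardening": {"ScreenSaverTimeout": 600, "AuditLogonEvents": 3},
    "Web-Servers": {"RestrictAnonymous": 2},
}

# Constructed links: container -> GPO names in the order they are processed.
# Modelling assumption: the last name listed for a container is applied last.
LINKS = {
    "site:Default-First-Site": ["Site-Baseline"],
    "domain:corp.example": ["Domain-Security"],
    "ou:Servers": ["Servers-Hardening"],
    "ou:Servers/Web": ["Web-Servers"],
}


def inheritance_chain(site, domain, ou_path):
    """Containers whose links reach an object, in application order.

    ou_path is the OU chain below the domain, e.g. "Servers/Web"; an empty
    string means the object sits directly in the domain.  Every OU on the
    path contributes its links, which is how a child OU inherits settings
    linked higher up even when nothing is linked to the child itself."""
    chain = [f"site:{site}", f"domain:{domain}"]
    parts = [p for p in ou_path.split("/") if p]
    for depth in range(1, len(parts) + 1):
        chain.append("ou:" + "/".join(parts[:depth]))
    return chain


def resolve(site, domain, ou_path, gpos=GPOS, links=LINKS):
    """Return (effective, winners, overrides).

    effective: setting -> final value
    winners:   setting -> name of the GPO that supplied the final value
    overrides: (setting, old_value, old_gpo, new_value, new_gpo), one entry
               each time a later GPO replaced a different earlier value"""
    effective, winners, overrides = {}, {}, []
    for container in inheritance_chain(site, domain, ou_path):
        for gpo_name in links.get(container, []):
            for setting, value in gpos[gpo_name].items():
                if setting in effective and effective[setting] != value:
                    overrides.append((setting, effective[setting],
                                      winners[setting], value, gpo_name))
                effective[setting] = value
                winners[setting] = gpo_name
    return effective, winners, overrides


if __name__ == "__main__":
    for ou in ("", "Servers", "Servers/Web"):
        effective, winners, overrides = resolve(
            "Default-First-Site", "corp.example", ou)
        print(f"\nObject in OU {ou or '(domain root)'}:")
        for setting in sorted(effective):
            print(f"  {setting} = {effective[setting]}  (from {winners[setting]})")
        for setting, old, old_gpo, new, new_gpo in overrides:
            print(f"  override: {setting} {old} ({old_gpo}) -> {new} ({new_gpo})")
```

Reading the override list for a computer in the Servers/Web OU shows why its RestrictAnonymous value is 2 rather than the domain's 1, and why its screen saver timeout is 600 rather than the site's 900, while a computer placed directly in the domain keeps the site and domain values untouched.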
Excerpted from MCSA/MCSE: Windows Server 2003 Network Security Administration Study Guide by Russ Kaufman. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of Contents
Chapter 1 Configuring, Deploying, and Troubleshooting Security Templates.
Chapter 2 Configuring Security Based on Computer Roles.
Chapter 3 Installing, Managing, & Troubleshooting Hotfixes & Service Packs.
Chapter 4 Configuring IPSec and SMB Signing.
Chapter 5 Implementing Security for Wireless Networks.
Chapter 6 Deploying, Managing, and Configuring SSL Certificates.
Chapter 7 Configuring, Managing, and Troubleshooting Authentication.
Chapter 8 Configuring and Troubleshooting Virtual Private Network Protocols.
Chapter 9 Installing, Configuring, and Managing Certificate Authorities.
Chapter 10 Managing Client-Computer and Server Certificates and EFS.
Chapter 11 Configuring & Managing Groups, Permissions, Rights, & Auditing.
Appendix A Responding to Security Incidents.