View
215
Download
1
Embed Size (px)
Citation preview
12.1 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Introduce security configuration
Introduce auditing
Set audit policy on a domain controller
Set audit policy on a stand-alone server or computer
View the Security log
Audit user access to Active Directory objects
Assign user rights to users and groups
Goals
12.2 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implement account policy
Implement security templates
Use the Security Configuration and Analysis console
Use the Security Configuration and Analysis console to configure security
Troubleshoot security configuration issues
Goals (2)
12.3 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Security configuration is the process of setting up a security policy
For an individual system
For a network
Security policies are required
Guard against unauthorized internal users
Protect from external threats
(Skill 1)
Introducing Security Configuration
12.4 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Use security configuration
To set up security policies
Account
Local
To create access control policies
Services
Registry
Files
Introducing Security Configuration (2)
(Skill 1)
12.5 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Use security configuration
To define event logs settings
To determine group membership settings (restricted groups)
To create public key policies
To set Internet Protocol (IP) security policies
Introducing Security Configuration (3)
(Skill 1)
12.6 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Factors to consider while designing security policies
Physical distribution of the network
Business model of the organization
Network load due to inter-computer dataflow and access
Overall computer usage
Introducing Security Configuration (4)
(Skill 1)
12.7 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Windows Server 2003 Security Configuration tools
Group Policy Object Editor is used to apply security settings centrally for the computers in a domain.
Use the Security Settings extension in the Group Policy Object Editor to apply different categories of security policies
Introducing Security Configuration (5)
(Skill 1)
12.8 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-1 Security extension of the Group Policy Object Editor
(Skill 1)
12.9 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Categories of security policies
Account policies
Can only be set for the entire domain
Password policy
Account lockout policy
Kerberos policy
Introducing Security Configuration (6)
(Skill 1)
12.10 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-2 Password Policy settings
(Skill 1)
12.11 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Categories of security policies
Local policies
Audit policy
User rights assignment
Security options
Introducing Security Configuration (7)
(Skill 1)
12.12 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Categories of security policies
Event log allows you to specify security log settings
Maximum size of the event log file
Logging options
Event log access rights
Introducing Security Configuration (8)
(Skill 1)
12.13 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Categories of security policies
Restricted Groups allows you to define additional control over the membership of key groups
Defining a group as a restricted group
Setting the membership for the group
Configuring member groups and users for the restricted group
Introducing Security Configuration (9)
(Skill 1)
12.14 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Categories of security policies
System Services allows you to configure the startup settings for services on a computer
Startup mode settings: Automatic, Manual, and Disabled
Can specify which security group or user can modify a service’s properties (start, stop, or pause)
Introducing Security Configuration (10)
(Skill 1)
12.15 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-3 System Services security settings
(Skill 1)
12.16 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Categories of security policies
Registry
Registry security settings allow you to set permissions for users to read, modify, and add new keys to the Registry
File System
Allows you to set access permissions for folders and files on the computer
Settings only apply to computers with NTFS drives
Introducing Security Configuration (11)
(Skill 1)
12.17 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-4 Files and Folders permissions settings
(Skill 1)
12.18 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Categories of security policies
Wireless Network (IEEE 802.11) Policies control network security settings for supported wireless networking devices
Public Key Policies are used to configure the public key encryption
IP Security Policies are used to configure IP security for TCP/IP-based communication between servers, clients, and domain controllers using Microsoft’s version of IPSec
Introducing Security Configuration (12)
(Skill 1)
12.19 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Auditing is used to track user activities and object access on the computers on a network
Regular auditing ensures security of network resources
Auditing can discover security breaches
Auditing can help in resource planning for the computers on the network
Introducing Auditing
(Skill 2)
12.20 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Steps in setting up a security audit
Determine carefully the events to be audited on each computer
Security events that can be tracked
Who logged on to a computer and when?
What files were accessed or folders were created?
What printers were used?
What Registry keys were accessed when, and by whom?
What actions the users attempted to perform on them?
Introducing Auditing (2)
(Skill 2)
12.21 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Steps in setting up a security audit
Decide the computers, users, or groups to be tracked
Activate the audit object access policy.
Introducing Auditing (3)
(Skill 2)
12.22 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Activating the audit object access policy
Configure the audit object access policy in the Properties dialog box and the System ACL editor for the object
Select who you are going to audit
Choose what file system actions you want to monitor in the SACL editor for the file or folder
Introducing Auditing (4)
(Skill 2)
12.23 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Monitoring a particular event
Define an audit policy in the Audit Policy folder
The audit policy tells the operating system what to record in the Security event log on each computer
On a domain controller, modify the default domain policy by using the Group Policy Management console
Only Domain Administrators and Enterprise Administrators can configure auditing at the domain level
Introducing Auditing (5)
(Skill 2)
12.24 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-5 Audit policy
(Skill 2)
12.25 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Audited events are stored in the Security event log
Success and failure can both be recorded
Security log can be viewed using the Event Viewer
The Security log entries allow identification of existing security problems in the overall network, as well as on individual computers
Introducing Auditing (6)
(Skill 2)
12.26 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-6 The Security Event log
(Skill 2)
12.27 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Unauthorized access to a domain must be monitored
Set up an audit policy on a domain controller by configuring Group Policy
Link the GPO to the default Domain Controllers OU
You must have the Manage auditing and security log right on the system to configure auditing
Setting Audit Policy on a Domain Controller
(Skill 3)
12.28 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Setting up auditing is a two-step process
Step 1
Configure the audit policy to track particular events, for success, for failure or both
Step 2
Open the specific resource you wish to audit
Enable auditing by selecting the type of event you want to track and the user group or groups for which you want to track that event
Setting Audit Policy on a Domain Controller (2)
(Skill 3)
12.29 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-7 Creating a GPO
(Skill 3)
12.30 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-8 The Audit account logon events Properties dialog box
(Skill 3)
12.31 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-9 The Audit object access Properties dialog box
(Skill 3)
12.32 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-10 Advanced Security Settings for Annual Reports
(Skill 3)
12.33 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-11 Selecting the actions to be audited
(Skill 3)
12.34 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-12 A Security warning dialog box
(Skill 3)
12.35 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Problems auditing stand-alone servers and workgroup computers running Windows 2000 or XP Professional
They do not belong to a domain
A domain controller-based audit policy cannot be applied to them
Stand-alone computers and the network computers may be able to access each other and hence require monitoring
Setting Audit Policy on a Stand-Alone Server or Computer
(Skill 4)
12.36 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Audit policy should be set for stand-alone computers
To monitor network access attempts
To monitor local security events
Setting Audit Policy on a Stand-Alone Server or Computer (2)
(Skill 4)
12.37 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-13 Audit Policy in the Local Security Settings console
(Skill 4)
12.38 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-14 Enabling auditing for local logon attempts
(Skill 4)
12.39 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-15 Updating local security policy
(Skill 4)
12.40 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Viewing the Security Log
Problems with implementation of audit policies
Increases the overhead on a computer
Slows down CPU performance
Security event log can become inundated with entries
Solutions
Set a schedule for checking the Security log regularly
Specify a maximum file size for Security log
(Skill 5)
12.41 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Viewing the Security Log (2)
Be aware when the Security log reaches the maximum file size
You may lose data if the log becomes full before you archive it
Archiving is the process of saving a history of events so you can track trends in resource usage
When the log is full, the operating system will stop recording events
(Skill 5)
12.42 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-16 The Security Log Properties dialog box
(Skill 5)
12.43 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Viewing the Security Log (3)
Set filters to control what is recorded in the log Event type: Information, Warning, Error, or Success or
Failure audit
Event source: Choose a particular source, such as Spooler, LSA (Local Security Authority), or SC (Service Control) Manager
Category: Account Logon, Account Management, Directory Service Access, Privilege Use, Object Access events, and so on
Event ID
User
Computer
Specific time periods
(Skill 5)
12.44 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-17 The Filter tab in the Security Properties dialog box
(Skill 5)
12.45 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-18 The Security log
(Skill 5)
12.46 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-19 Filtering the Security log
(Skill 5)
12.47 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-20 Viewing event details box
(Skill 5)
12.48 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Auditing User Access to Active Directory Objects
Active Directory objects Are the essential building blocks of a Windows Server 2003
network
Include users, computers, OUs, groups, published printers, and so on
Audit policies for Active Directory objects Are set based explicitly on their functionality
An audit policy set for an Active Directory object is inherited by its child object through Policy Inheritance by default
(Skill 6)
12.49 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-21 The Auditing tab
(Skill 6)
12.50 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-22 Setting printer audit policy
(Skill 6)
12.51 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Assigning User Rights to Users and Groups
User rights are different from permissions
Permissions allow a user access to certain resources
User rights allow the user to perform certain restricted actions, such as shutting down the system or logging on locally
(Skill 7)
12.52 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Assigning User Rights to Users and Groups (2)
User Rights Assignment policy is used to grant users rights
Rights should be assigned to groups for ease of administration
Users can be added to the group to grant them the same level of user rights
Assign user rights to allow particular users to carry out specific functions
This increases the security of the system
(Skill 7)
12.53 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-23 User rights assignments
(Skill 7)
12.54 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-24 Adding a group to assign user rights
(Skill 7)
12.55 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-25 The Access this computer from the network Properties dialog box
(Skill 7)
12.56 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy
Account policies
Used to set the user account properties that control the logon process
Types of policies
Account lockout policies
Password policies
Kerberos policies
(Skill 8)
12.57 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy (2)
Configuring account policies
Group Policy Object Editor snap-in
Group Policy Management console (GPMC)
(Skill 8)
12.58 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy (3)
Account lockout policy
Objective of the policy is to prevent users from guessing passwords
There is immediate replication of Active Directory data between Windows Server 2003 domain controllers when an account is locked out
(Skill 8)
12.59 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy (4)
Account Lockout policy is configured by setting following policies
Account lockout threshold: Specify the number (0 to 999) of allowed invalid logon attempts
Account lockout duration: Specify the time duration (0 to 99999 minutes) during which the account remains disabled
Reset account lockout counter after: Set the time (1 and 99999 minutes) duration that must elapse after an invalid logon attempt before the account lockout counter is reset to 0
(Skill 8)
12.60 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy (5)
Password policy
Allows you to specify how users must manage their passwords
Factors to be considered
Password history
Password age
Password length
Complexity requirements
Encryption and storage methods
(Skill 8)
12.61 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy (6)
Kerberos policies
The Kerberos V5 authentication protocol is implemented through a Key Distribution Center (KDC)
They are applicable to domain user accounts or computer accounts only
They define settings such as ticket lifetimes and logon restriction enforcement
(Skill 8)
12.62 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-26 The Kerberos policies
(Skill 8)
12.63 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy (7) Kerberos policy settings
Enforce user logon restrictions policy: If enabled, the KDC performs certain checks before issuing a session ticketValidity of the user account
User rights policy on the target computer
Maximum lifetime for service ticket: Sets the maximum length of time for a Logon Session Ticket
Maximum lifetime for user ticket: Sets the maximum length of time that the Ticket Granting Ticket (TGT) will be valid
Maximum lifetime for user ticket renewal: Sets the maximum lifetime for both the Ticket Granting Ticket (TGT) and the Logon Session Ticket
(Skill 8)
12.64 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Account Policy (8)
Kerberos policy settings
Maximum tolerance for computer clock synchronization
Sets the maximum number of minutes that the clock on the KDC can be different from the clock on the Kerberos client
This acts as a deterrent in replay attacks
(Skill 8)
12.65 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-27 The Account lockout threshold Properties dialog box
(Skill 8)
12.66 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-28 The Suggested Value Changes dialog box
(Skill 8)
12.67 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-29 The Enforce password history Properties dialog box
(Skill 8)
12.68 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-30 The Minimum password length Properties dialog box
(Skill 8)
12.69 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-31 The Maximum lifetime for service ticket Properties dialog box
(Skill 8)
12.70 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-32 The Suggested Value Changes dialog box for Maximum lifetime for user ticket
(Skill 8)
12.71 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Security Templates
Security template
A group of security settings used to implement security in computers running Windows 2000 or later operating systems
A text-based file with an .inf file extension
You can import these templates into GPOs, and apply the set of common security settings to multiple computers with similar functionality
You can use them to save and restore security settings of a computer
(Skill 9)
12.72 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Security Templates (2)
Windows Server 2003 provides several predefined security templates located in the folder
%Systemroot%\Security\Templates
The predefined security templates have four standard security levels
Basic
Compatible
Secure
Highly Secure
(Skill 9)
12.73 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-33 The predefined security templates
(Skill 9)
12.74 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Security Templates (3)
Implementing security templates consists of five steps
1. Accessing the Security Templates console
You can access the Security Templates console in an existing console by adding the Security Templates snap-in to it
You can also create a new Microsoft Management Console (MMC), and add the Security Templates snap-in to it
(Skill 9)
12.75 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Security Templates (4)
Implementing security templates consists of five steps
2. Customizing a predefined security template
You can edit a predefined security template
Save the modified template as a new template
3. Defining a new security template
You can define security settings in a new customized security template according to the specific security requirements of your organization
(Skill 9)
12.76 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Security Templates (5)
Implementing security templates consists of five steps
4. Importing a security template to a GPO
To apply the same security settings to multiple objects using a GPO, you can import an appropriate security template into the GPO
(Skill 9)
12.77 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Implementing Security Templates (6)
Implementing security templates consists of five steps
5. Exporting security settings to a security template
You can export the initial security configuration for a computer to a security template.
Similarly, the effective security settings (the security settings currently applied on the computer) for a computer can be exported to a security template
The initial security template can be used to restore the settings
(Skill 9)
12.78 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-34 Creating a new security template
(Skill 9)
12.79 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-35 Exporting policy settings to a template
(Skill 9)
12.80 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-36 Importing a security template
(Skill 9)
12.81 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Using the Security Configuration and Analysis Console
Use the Security Configuration and Analysis snap-in to configure the local security settings on a computer
Importing a security template
Comparing the template to the currently configured computer settings
Performing a “what-if” analysis
(Skill 10)
12.82 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-37 The Security Configuration and Analysis snap-in
(Skill 10)
12.83 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Using the Security Configuration and Analysis Console (2)
Analyzing the comparisons
The security settings that match are marked by a green check mark icon
The security settings that do not match are marked with a red x icon
Action
Update the security settings on the computer that do not match the database settings
(Skill 10)
12.84 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-38 Importing a template
(Skill 10)
12.85 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-39 The Analyzing System Security window
(Skill 10)
12.86 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-40 System security analysis results
(Skill 10)
12.87 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Using the Security Configuration and Analysis Console to Configure Security
Use the Security Configuration and Analysis tool to configure security on individual computers
Set security settings by removing or updating any inconsistencies discovered in the analysis
You can construct a composite database security template by importing templates (either predefined or customized) into the database
(Skill 11)
12.88 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-41 The Configure System dialog box
(Skill 11)
12.89 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-42 Configuring Computer Security
(Skill 11)
12.90 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-43 Editing a configuration setting
(Skill 11)
12.91 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-44 The edited security settings
(Skill 11)
12.92 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Troubleshooting Security Configuration Issues
Improving the success rate for network security
Examine the level of security requirements for the network
High level of security
Reduces efficiency
Increases cost and administrative effort
Low level security leads to unauthorized access, which can have serious repercussions
Identify existing and potential problems in the Security event log and update the security settings accordingly
(Skill 12)
12.93 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Troubleshooting Security Configuration Issues (2)
Improving the success rate for network security
Determine network usage for certain resources that may cause problems in the future
Identify security patterns that may cause problems in the future
(Skill 12)
12.94 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Figure 12-45 Security audit event details
(Skill 12)