12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.


Lesson 12: Configuring Active Directory Security

Slide 1: Goals
- Introduce security configuration
- Introduce auditing
- Set audit policy on a domain controller
- Set audit policy on a stand-alone server or computer
- View the Security log
- Audit user access to Active Directory objects
- Assign user rights to users and groups

Slide 2: Goals (2)
- Implement account policy
- Implement security templates
- Use the Security Configuration and Analysis console
- Use the Security Configuration and Analysis console to configure security
- Troubleshoot security configuration issues

Slide 3: Introducing Security Configuration (Skill 1)
- Security configuration is the process of setting up a security policy
  - For an individual system
  - For a network
- Security policies are required to
  - Guard against unauthorized internal users
  - Protect from external threats

Slide 4: Introducing Security Configuration (2) (Skill 1)
- Use security configuration
  - To set up security policies
    - Account
    - Local
  - To create access control policies for
    - Services
    - Registry
    - Files

Slide 5: Introducing Security Configuration (3) (Skill 1)
- Use security configuration
  - To define event log settings
  - To determine group membership settings (restricted groups)
  - To create public key policies
  - To set Internet Protocol (IP) security policies

Slide 6: Introducing Security Configuration (4) (Skill 1)
- Factors to consider while designing security policies
  - Physical distribution of the network
  - Business model of the organization
  - Network load due to inter-computer data flow and access
  - Overall computer usage

Slide 7: Introducing Security Configuration (5) (Skill 1)
- Windows Server 2003 security configuration tools
  - Group Policy Object Editor is used to apply security settings centrally for the computers in a domain
  - Use the Security Settings extension in the Group Policy Object Editor to apply the different categories of security policies

Slide 8: Figure 12-1 Security extension of the Group Policy Object Editor (Skill 1)

Slide 9: Introducing Security Configuration (6) (Skill 1)
- Categories of security policies
  - Account policies
    - Can only be set for the entire domain
    - Password policy
    - Account lockout policy
    - Kerberos policy

Slide 10: Figure 12-2 Password Policy settings (Skill 1)

Slide 11: Introducing Security Configuration (7) (Skill 1)
- Categories of security policies
  - Local policies
    - Audit policy
    - User rights assignment
    - Security options

Slide 12: Introducing Security Configuration (8) (Skill 1)
- Categories of security policies
  - Event log allows you to specify Security log settings
    - Maximum size of the event log file
    - Logging options
    - Event log access rights

Slide 13: Introducing Security Configuration (9) (Skill 1)
- Categories of security policies
  - Restricted Groups allows you to define additional control over the membership of key groups
    - Defining a group as a restricted group
    - Setting the membership for the group
    - Configuring member groups and users for the restricted group

Slide 14: Introducing Security Configuration (10) (Skill 1)
- Categories of security policies
  - System Services allows you to configure the startup settings for services on a computer
    - Startup mode settings: Automatic, Manual, and Disabled
    - Can specify which security group or user can modify a service's properties (start, stop, or pause)

Slide 15: Figure 12-3 System Services security settings (Skill 1)

Slide 16: Introducing Security Configuration (11) (Skill 1)
- Categories of security policies
  - Registry
    - Registry security settings allow you to set permissions for users to read, modify, and add new keys to the Registry
  - File System
    - Allows you to set access permissions for folders and files on the computer
    - Settings only apply to computers with NTFS drives

Slide 17: Figure 12-4 Files and Folders permissions settings (Skill 1)

Slide 18: Introducing Security Configuration (12) (Skill 1)
- Categories of security policies
  - Wireless Network (IEEE 802.11) Policies control network security settings for supported wireless networking devices
  - Public Key Policies are used to configure public key encryption
  - IP Security Policies are used to configure IP security for TCP/IP-based communication between servers, clients, and domain controllers using Microsoft's version of IPSec

Slide 19: Introducing Auditing (Skill 2)
- Auditing is used to track user activities and object access on the computers on a network
  - Regular auditing ensures the security of network resources
  - Auditing can discover security breaches
  - Auditing can help in resource planning for the computers on the network

Slide 20: Introducing Auditing (2) (Skill 2)
- Steps in setting up a security audit
  - Determine carefully the events to be audited on each computer
- Security events that can be tracked
  - Who logged on to a computer, and when?
  - What files were accessed or folders were created?
  - What printers were used?
  - What Registry keys were accessed, when, and by whom?
  - What actions did users attempt to perform on them?

Slide 21: Introducing Auditing (3) (Skill 2)
- Steps in setting up a security audit
  - Decide the computers, users, or groups to be tracked
  - Activate the audit object access policy

Slide 22: Introducing Auditing (4) (Skill 2)
- Activating the audit object access policy
  - Configure the audit object access policy in the Properties dialog box and the System ACL (SACL) editor for the object
  - Select who you are going to audit
  - Choose what file system actions you want to monitor in the SACL editor for the file or folder

Slide 23: Introducing Auditing (5) (Skill 2)
- Monitoring a particular event
  - Define an audit policy in the Audit Policy folder
  - The audit policy tells the operating system what to record in the Security event log on each computer
  - On a domain controller, modify the default domain policy by using the Group Policy Management console
  - Only Domain Administrators and Enterprise Administrators can configure auditing at the domain level

Slide 24: Figure 12-5 Audit policy (Skill 2)

Slide 25: Introducing Auditing (6) (Skill 2)
- Audited events are stored in the Security event log
  - Success and failure can both be recorded
  - The Security log can be viewed using the Event Viewer
  - The Security log entries allow identification of existing security problems in the overall network, as well as on individual computers

Slide 26: Figure 12-6 The Security Event log (Skill 2)

Slide 27: Setting Audit Policy on a Domain Controller (Skill 3)
- Unauthorized access to a domain must be monitored
- Set up an audit policy on a domain controller by configuring Group Policy
  - Link the GPO to the default Domain Controllers OU
- You must have the Manage auditing and security log right on the system to configure auditing

Slide 28: Setting Audit Policy on a Domain Controller (2) (Skill 3)
- Setting up auditing is a two-step process
  - Step 1: Configure the audit policy to track particular events, for success, for failure, or both
  - Step 2: Open the specific resource you wish to audit, then enable auditing by selecting the type of event you want to track and the user group or groups for which you want to track that event

Slide 29: Figure 12-7 Creating a GPO (Skill 3)

Slide 30: Figure 12-8 The Audit account logon events Properties dialog box (Skill 3)

Slide 31: Figure 12-9 The Audit object access Properties dialog box (Skill 3)

Slide 32: Figure 12-10 Advanced Security Settings for Annual Reports (Skill 3)

Slide 33: Figure 12-11 Selecting the actions to be audited (Skill 3)

Slide 34: Figure 12-12 A Security warning dialog box (Skill 3)

Slide 35: Setting Audit Policy on a Stand-Alone Server or Computer (Skill 4)
- Problems auditing stand-alone servers and workgroup computers running Windows 2000 or XP Professional
  - They do not belong to a domain
  - A domain controller-based audit policy cannot be applied to them
  - Stand-alone computers and the network computers may be able to access each other and hence require monitoring

Slide 36: Setting Audit Policy on a Stand-Alone Server or Computer (2) (Skill 4)
- Audit policy should be set for stand-alone computers
  - To monitor network access attempts
  - To monitor local security events

Slide 37: Figure 12-13 Audit Policy in the Local Security Settings console (Skill 4)

Slide 38: Figure 12-14 Enabling auditing for local logon attempts (Skill 4)

Slide 39: Figure 12-15 Updating local security policy (Skill 4)

Slide 40: Viewing the Security Log (Skill 5)
- Problems with implementation of audit policies
  - Increases the overhead on a computer
  - Slows down CPU performance
  - The Security event log can become inundated with entries
- Solutions
  - Set a schedule for checking the Security log regularly
  - Specify a maximum file size for the Security log

Slide 41: Viewing the Security Log (2) (Skill 5)
- Be aware when the Security log reaches the maximum file size
  - You may lose data if the log becomes full before you archive it
  - Archiving is the process of saving a history of events so you can track trends in resource usage
  - When the log is full, the operating system will stop recording events

Slide 42: Figure 12-16 The Security Log Properties dialog box (Skill 5)

Slide 43: Viewing the Security Log (3) (Skill 5)
- Set filters to control what is recorded in the log
  - Event type: Information, Warning, Error, Success audit, or Failure audit
  - Event source: a particular source, such as Spooler, LSA (Local Security Authority), or SC (Service Control) Manager
  - Category: Account Logon, Account Management, Directory Service Access, Privilege Use, Object Access, and so on
  - Event ID
  - User
  - Computer
  - Specific time periods
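The filter criteria listed on this slide, applied in code as an added example that is not part of the Pearson deck: a small Security-log filter plus one detection built on it, a burst of failed logons per user that would trip the account lockout threshold and reset window covered under Skill 8. The log records are constructed sample data in the shape of Windows Server 2003 Security log entries (528 successful logon, 529 bad user name or password, 560 object open); the class, function and field names are this example's own.

```python
# Added example, not from the Pearson slides: filter Windows Security log
# records by the criteria the Event Viewer Filter tab offers (event type,
# source, category, event ID, user, computer, time window) and use one such
# filter to spot a burst of failed logons. The log below is constructed sample
# data shaped like Windows Server 2003 Security log entries; 528 is the
# classic pre-Vista "successful logon" ID, 529 "logon failure: unknown user
# name or bad password", 560 "object open".
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SecurityEvent:
    time: datetime
    event_type: str  # "Success Audit" or "Failure Audit" in the Security log
    source: str      # e.g. "Security", "Spooler", "LSA"
    category: str    # e.g. "Logon/Logoff", "Account Logon", "Object Access"
    event_id: int
    user: str        # DOMAIN\user as shown in the event's User column
    computer: str


T0 = datetime(2004, 3, 1, 9, 0, 0)  # constructed start time for the sample log


def _ev(minutes: int, event_type: str, category: str, event_id: int,
        user: str, computer: str = "DC1", source: str = "Security") -> SecurityEvent:
    return SecurityEvent(T0 + timedelta(minutes=minutes), event_type, source,
                         category, event_id, user, computer)


# Constructed sample: one good logon, five bad-password failures for bob within
# four minutes, a file open on a member server, and two spaced-out failures for carol.
SAMPLE_LOG: List[SecurityEvent] = [
    _ev(0, "Success Audit", "Logon/Logoff", 528, r"CORP\alice"),
    _ev(1, "Failure Audit", "Logon/Logoff", 529, r"CORP\bob"),
    _ev(2, "Failure Audit", "Logon/Logoff", 529, r"CORP\bob"),
    _ev(2, "Failure Audit", "Logon/Logoff", 529, r"CORP\bob"),
    _ev(3, "Failure Audit", "Logon/Logoff", 529, r"CORP\bob"),
    _ev(4, "Failure Audit", "Logon/Logoff", 529, r"CORP\bob"),
    _ev(10, "Success Audit", "Object Access", 560, r"CORP\alice", computer="FS1"),
    _ev(45, "Failure Audit", "Logon/Logoff", 529, r"CORP\carol"),
    _ev(50, "Failure Audit", "Logon/Logoff", 529, r"CORP\carol"),
]


def filter_events(events: Iterable[SecurityEvent], *, event_type: Optional[str] = None,
                  source: Optional[str] = None, category: Optional[str] = None,
                  event_id: Optional[int] = None, user: Optional[str] = None,
                  computer: Optional[str] = None, start: Optional[datetime] = None,
                  end: Optional[datetime] = None) -> List[SecurityEvent]:
    """Return events matching every criterion given; None means 'any'."""
    wanted = {"event_type": event_type, "source": source, "category": category,
              "event_id": event_id, "user": user, "computer": computer}
    out = []
    for e in events:
        if any(v is not None and getattr(e, k) != v for k, v in wanted.items()):
            continue
        if start is not None and e.time < start:
            continue
        if end is not None and e.time > end:
            continue
        out.append(e)
    return out


def failed_logon_bursts(events: Iterable[SecurityEvent], threshold: int,
                        window: timedelta) -> Dict[str, int]:
    """Users with at least `threshold` 529 failures inside any `window`.

    `threshold` and `window` play the roles of the account lockout threshold and
    the reset-counter interval; the return value maps user -> peak count.
    """
    times_by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in filter_events(events, event_type="Failure Audit", event_id=529):
        times_by_user[e.user].append(e.time)
    flagged: Dict[str, int] = {}
    for user, times in times_by_user.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):  # sliding window over sorted times
            while t - times[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for e in filter_events(SAMPLE_LOG, event_type="Failure Audit"):
        print(e.time.time(), e.event_id, e.user, e.computer)
    print(failed_logon_bursts(SAMPLE_LOG, threshold=5, window=timedelta(minutes=30)))
```

With threshold 5 and a 30-minute window only bob is flagged; carol's two failures 5 minutes apart stay below the threshold, which is the behaviour a lockout policy with those values would show.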

Slide 44: Figure 12-17 The Filter tab in the Security Properties dialog box (Skill 5)

Slide 45: Figure 12-18 The Security log (Skill 5)

Slide 46: Figure 12-19 Filtering the Security log (Skill 5)

Slide 47: Figure 12-20 Viewing the event details box (Skill 5)

Slide 48: Auditing User Access to Active Directory Objects (Skill 6)
- Active Directory objects
  - Are the essential building blocks of a Windows Server 2003 network
  - Include users, computers, OUs, groups, published printers, and so on
- Audit policies for Active Directory objects
  - Are set based explicitly on their functionality
  - An audit policy set for an Active Directory object is inherited by its child objects through policy inheritance by default

Slide 49: Figure 12-21 The Auditing tab (Skill 6)

Slide 50: Figure 12-22 Setting printer audit policy (Skill 6)

Slide 51: Assigning User Rights to Users and Groups (Skill 7)
- User rights are different from permissions
  - Permissions allow a user access to certain resources
  - User rights allow the user to perform certain restricted actions, such as shutting down the system or logging on locally

Slide 52: Assigning User Rights to Users and Groups (2) (Skill 7)
- The User Rights Assignment policy is used to grant users rights
  - Rights should be assigned to groups for ease of administration
  - Users can be added to the group to grant them the same level of user rights
- Assign user rights to allow particular users to carry out specific functions
  - This increases the security of the system

Slide 53: Figure 12-23 User rights assignments (Skill 7)

Slide 54: Figure 12-24 Adding a group to assign user rights (Skill 7)

Slide 55: Figure 12-25 The Access this computer from the network Properties dialog box (Skill 7)

Slide 56: Implementing Account Policy (Skill 8)
- Account policies
  - Used to set the user account properties that control the logon process
- Types of policies
  - Account lockout policies
  - Password policies
  - Kerberos policies

Slide 57: Implementing Account Policy (2) (Skill 8)
- Configuring account policies
  - Group Policy Object Editor snap-in
  - Group Policy Management console (GPMC)

Slide 58: Implementing Account Policy (3) (Skill 8)
- Account lockout policy
  - The objective of the policy is to prevent users from guessing passwords
  - There is immediate replication of Active Directory data between Windows Server 2003 domain controllers when an account is locked out

Slide 59: Implementing Account Policy (4) (Skill 8)
- Account lockout policy is configured by setting the following policies
  - Account lockout threshold: Specify the number (0 to 999) of allowed invalid logon attempts
  - Account lockout duration: Specify the time (0 to 99999 minutes) during which the account remains disabled
  - Reset account lockout counter after: Set the time (1 to 99999 minutes) that must elapse after an invalid logon attempt before the account lockout counter is reset to 0

Slide 60: Implementing Account Policy (5) (Skill 8)
- Password policy
  - Allows you to specify how users must manage their passwords
- Factors to be considered
  - Password history
  - Password age
  - Password length
  - Complexity requirements
  - Encryption and storage methods

Slide 61: Implementing Account Policy (6) (Skill 8)
- Kerberos policies
  - The Kerberos V5 authentication protocol is implemented through a Key Distribution Center (KDC)
  - They are applicable to domain user accounts or computer accounts only
  - They define settings such as ticket lifetimes and logon restriction enforcement

Slide 62: Figure 12-26 The Kerberos policies (Skill 8)

Slide 63: Implementing Account Policy (7) (Skill 8)
- Kerberos policy settings
  - Enforce user logon restrictions policy: If enabled, the KDC performs certain checks before issuing a session ticket
    - Validity of the user account
    - User rights policy on the target computer
  - Maximum lifetime for service ticket: Sets the maximum length of time for a logon session ticket
  - Maximum lifetime for user ticket: Sets the maximum length of time that the Ticket Granting Ticket (TGT) will be valid
  - Maximum lifetime for user ticket renewal: Sets the maximum lifetime for both the Ticket Granting Ticket (TGT) and the logon session ticket

Slide 64: Implementing Account Policy (8) (Skill 8)
- Kerberos policy settings
  - Maximum tolerance for computer clock synchronization
    - Sets the maximum number of minutes that the clock on the KDC can be different from the clock on the Kerberos client
    - This acts as a deterrent to replay attacks

Slide 65: Figure 12-27 The Account lockout threshold Properties dialog box (Skill 8)

Slide 66: Figure 12-28 The Suggested Value Changes dialog box (Skill 8)

Slide 67: Figure 12-29 The Enforce password history Properties dialog box (Skill 8)

Slide 68: Figure 12-30 The Minimum password length Properties dialog box (Skill 8)

Slide 69: Figure 12-31 The Maximum lifetime for service ticket Properties dialog box (Skill 8)

Slide 70: Figure 12-32 The Suggested Value Changes dialog box for Maximum lifetime for user ticket (Skill 8)

Slide 71: Implementing Security Templates (Skill 9)
- Security template
  - A group of security settings used to implement security on computers running Windows 2000 or later operating systems
  - A text-based file with an .inf file extension
  - You can import these templates into GPOs and apply the set of common security settings to multiple computers with similar functionality
  - You can use them to save and restore the security settings of a computer

Slide 72: Implementing Security Templates (2) (Skill 9)
- Windows Server 2003 provides several predefined security templates, located in the folder %Systemroot%\Security\Templates
- The predefined security templates have four standard security levels
  - Basic
  - Compatible
  - Secure
  - Highly Secure

Slide 73: Figure 12-33 The predefined security templates (Skill 9)

Slide 74: Implementing Security Templates (3) (Skill 9)
- Implementing security templates consists of five steps
  1. Accessing the Security Templates console
     - You can access the Security Templates console in an existing console by adding the Security Templates snap-in to it
     - You can also create a new Microsoft Management Console (MMC) and add the Security Templates snap-in to it

Slide 75: Implementing Security Templates (4) (Skill 9)
- Implementing security templates consists of five steps
  2. Customizing a predefined security template
     - You can edit a predefined security template
     - Save the modified template as a new template
  3. Defining a new security template
     - You can define security settings in a new customized security template according to the specific security requirements of your organization

Slide 76: Implementing Security Templates (5) (Skill 9)
- Implementing security templates consists of five steps
  4. Importing a security template into a GPO
     - To apply the same security settings to multiple objects using a GPO, you can import an appropriate security template into the GPO

Slide 77: Implementing Security Templates (6) (Skill 9)
- Implementing security templates consists of five steps
  5. Exporting security settings to a security template
     - You can export the initial security configuration for a computer to a security template
     - Similarly, the effective security settings (the security settings currently applied on the computer) can be exported to a security template
     - The initial security template can be used to restore the settings

78 12.78 Figure 12-34 Creating a new security template (Skill 9)

79 12.79 Figure 12-35 Exporting policy settings to a template (Skill 9)

80 12.80 Figure 12-36 Importing a security template (Skill 9)

81 12.81 Using the Security Configuration and Analysis Console (Skill 10)
Use the Security Configuration and Analysis snap-in to configure the local security settings on a computer by:
- Importing a security template
- Comparing the template to the currently configured computer settings
- Performing a "what-if" analysis

82 12.82 Figure 12-37 The Security Configuration and Analysis snap-in (Skill 10)

83 12.83 Using the Security Configuration and Analysis Console (2) (Skill 10)
Analyzing the comparisons
- The security settings that match are marked by a green check mark icon
- The security settings that do not match are marked with a red X icon
Action
- Update the security settings on the computer that do not match the database settings

84 12.84 Figure 12-38 Importing a template (Skill 10)

85 12.85 Figure 12-39 The Analyzing System Security window (Skill 10)

86 12.86 Figure 12-40 System security analysis results (Skill 10)

87 12.87 Using the Security Configuration and Analysis Console to Configure Security (Skill 11)
- Use the Security Configuration and Analysis tool to configure security on individual computers
- Set security settings by removing or updating any inconsistencies discovered in the analysis
- You can construct a composite database security template by importing templates (either predefined or customized) into the database
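The analyze-then-configure workflow of Skills 10 and 11 (import a template into a database, compare it with the computer, fix the red-X mismatches) has a command-line equivalent in secedit.exe. The script below is an added example, not code from the Pearson slides; it assumes an elevated session, a template at the constructed path C:\SecTemplates\custom-hardened.inf (for instance one saved from the Security Templates console), and that mismatches appear in the analysis log as lines starting with "Mismatch" or "Not Configured", which is an assumption about the log format to confirm on your own system.

```powershell
# Added example: scripting the Security Configuration and Analysis workflow
# with secedit.exe (analyze -> review mismatches -> configure).
# All paths are constructed for the example.
$workDir  = 'C:\SecTemplates'
$template = Join-Path $workDir 'custom-hardened.inf'   # assumed to exist
$db       = Join-Path $workDir 'analysis.sdb'
$log      = Join-Path $workDir 'analysis.log'

# 1. Import the template into a database and compare it with the computer's
#    current settings (the snap-in's "Analyze Computer Now").
#    /overwrite starts a clean database; omit it and run /analyze again with
#    further templates to build the composite database the slides mention.
if (Test-Path $db) { Remove-Item $db }
secedit.exe /analyze /db $db /cfg $template /overwrite /log $log /quiet

# 2. Pull the differences out of the analysis log. The snap-in shows these
#    as red X icons; the line format matched here is assumed, not documented.
$findings = foreach ($line in Get-Content $log) {
    if ($line -match '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$') {
        New-Object PSObject -Property @{ Status = $matches[1]; Setting = $matches[2] }
    }
}
$findings | Format-Table Status, Setting -AutoSize

# 3. Apply the database to the computer ("Configure Computer Now"). Only run
#    this after reviewing the findings; settings the database does not define
#    are left as they are. @() guards against a single-object result in
#    older PowerShell versions, where .Count is not defined on one object.
$cfgLog = Join-Path $workDir 'configure.log'
if (@($findings).Count -gt 0) {
    secedit.exe /configure /db $db /log $cfgLog /quiet
}
```

Separating the analyze and configure steps, with a review of the findings in between, is the "what-if" use of the tool: the analysis database records what would change without touching the computer until /configure is run.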

88 12.88 Figure 12-41 The Configure System dialog box (Skill 11)

89 12.89 Figure 12-42 Configuring Computer Security (Skill 11)

90 12.90 Figure 12-43 Editing a configuration setting (Skill 11)

91 12.91 Figure 12-44 The edited security settings (Skill 11)

92 12.92 Troubleshooting Security Configuration Issues (Skill 12)
Improving the success rate for network security
- Examine the level of security requirements for the network
  - A high level of security reduces efficiency and increases cost and administrative effort
  - A low level of security leads to unauthorized access, which can have serious repercussions
- Identify existing and potential problems in the Security event log and update the security settings accordingly

93 12.93 Troubleshooting Security Configuration Issues (2) (Skill 12)
Improving the success rate for network security
- Determine network usage for certain resources that may cause problems in the future
- Identify security patterns that may cause problems in the future
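The two troubleshooting slides above ask the administrator to find existing problems and emerging patterns in the Security event log. The script below is an added example of doing that from PowerShell; it is not from the Pearson slides. It uses Get-EventLog, which is available with PowerShell 1.0 on Windows Server 2003, and the pre-Vista Security log event IDs (529 unknown user name or bad password, 539 account locked out, 675 Kerberos pre-authentication failure). The 24-hour window, the threshold of 10 failures and the regex on the 529 message text are assumptions chosen for the example.

```powershell
# Added example: summarising failure audits in the Security log to spot
# patterns that need a policy change (or an investigation).
# Window and thresholds are assumptions for this example.
$since    = (Get-Date).AddHours(-24)
$failures = Get-EventLog -LogName Security -EntryType FailureAudit -After $since

# Which failure types dominate? A spike in one event ID is the first lead.
$failures | Group-Object EventID | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Accounts with many bad-password attempts: either a stale credential in a
# service or scheduled task (a configuration problem) or guessing activity.
# The "User Name:" field is parsed from the 529 message text; that layout
# is assumed here.
$badPw = $failures | Where-Object { $_.EventID -eq 529 } | ForEach-Object {
    if ($_.Message -match 'User Name:\s+(\S+)') { $matches[1] }
}
$badPw | Group-Object | Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending | Select-Object Count, Name |
    Format-Table -AutoSize

# Lockouts (539) and Kerberos pre-authentication failures (675) in time
# order, so a lockout can be matched to the failures that preceded it.
# MachineName is the computer that logged the event; the client that caused
# it is in the message text.
$failures | Where-Object { $_.EventID -eq 539 -or $_.EventID -eq 675 } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID, MachineName |
    Format-Table -AutoSize
```

Run on a domain controller, the first table tells you whether the audit policy is producing the events you expect at all (an empty result after enabling logon auditing points at a policy that has not applied), and the second and third separate benign noise from the patterns the slide warns about.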

94 12.94 Figure 12-45 Security audit event details (Skill 12)
