
4.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.

Presentation transcript:

Slide 1: Lesson 12: Implementing Security in Windows Server 2003 - Goals
- Introduce Public Key Infrastructure
- Identify the features of public key cryptography
- Work with IPSec
- Introduce Certification Authorities
- Authenticate user identity using Kerberos protocol
- Implement account policy

Slide 2: Goals (2)
- Diagnose and resolve account lockouts
- Implement security options
- Configure user rights assignments
- Configure client security
- Work with security tools and templates

Slide 3: Introducing Public Key Infrastructure (Skill 1)
Public Key Infrastructure
- Enables users of unsecured networks to securely exchange data
- Supports and enhances authentication and encryption
- Key security concepts
  - Public key cryptography
  - Certificates
  - Certification Authorities (CAs)
  - Encrypting File System (EFS)
  - Internet Protocol Security (IPSec)

Slide 4: Introducing Public Key Infrastructure (2) (Skill 1)
- Public key cryptography
  - Uses a key pair called a public key and a private key
  - The keys are mathematically related so that messages encrypted with the public key can be decrypted with the corresponding private key
  - The public key is widely disseminated
  - The private key is issued only to an authorized user and must be kept secure
- A certificate is a digitally signed document that functions as a component of PKI
- A Certification Authority (CA) signs the certificate, confirming that the private key linked to the public key in the certificate is owned by the subject named in the certificate
- EFS (Encrypting File System) uses certificate/key pairs to encrypt files on NTFS volumes and partitions

Slide 5: Figure 12-1 Public key cryptography (Skill 1)

Slide 6: Figure 12-2 Digital signatures (Skill 1)

Slide 7: Introducing Public Key Infrastructure (3) (Skill 1)
- Symmetric key encryption
  - Uses the same key for both encryption and decryption
  - It is semi-public and less secure
  - In EFS, files are encrypted using a file encryption key (FEK), which is a randomly generated symmetric key
- IPSec
  - Works similarly to EFS, but instead of file encryption, IPSec secures traffic at the Network layer
  - IPSec services
    - Authentication
    - Integrity
    - Anti-replay protection
    - Confidentiality

Slide 8: Figure 12-3 IPSec (Skill 1)

Slide 9: Identifying the Features of Public Key Cryptography (Skill 2)
- Uses public key cryptography as one of the main techniques for securing network data
- Symmetric key cryptography, which uses a single key (often referred to as a secret key) to both encrypt and decrypt data, is commonly used on hard drives
- To further enhance secret key security, you can encrypt a secret key with a public key

Slide 10: Identifying the Features of Public Key Cryptography (2) (Skill 2)
- The public and private key pair technology uses two processes to encrypt user data
- Encryption and decryption
  - Converts data at the sender's end with a combination of a public key and an algorithm
  - Converts the data back to its original form using the private key and the same algorithm
- Digital message signing
  - Authenticates a sender and receiver
  - Ensures data integrity

Slide 11: Figure 12-4 The data encryption process (Skill 2)

Slide 12: Identifying the Features of Public Key Cryptography (3) (Skill 2)
- Windows Server 2003 includes digital code signing, which is used to digitally sign drivers and system files
- Ways to protect digitally signed files
  - The Windows File Protection utility prevents the replacement of system files in protected folders
  - The System File Checker utility scans and verifies the versions of all protected system files
  - The File Signature Verification utility identifies unsigned files on your computer and displays related information such as the file's name, location, last modification date, file type, and the file's version number

Slide 13: Figure 12-5 The System File Checker (Skill 2)

Slide 14: Figure 12-6 The File Signature Verification utility (Skill 2)
Callouts: Click to scan all Windows Server 2003 system files. Click to open the Advanced File Signature Verification Settings dialog box to configure searches for unsigned files.

Slide 15: Working with IPSec (Skill 3)
IP Security (IPSec) policies
- Use both asymmetric and symmetric encryption to secure data transmitted across a network
- Use two main security mechanisms
  - Authentication Header (AH) is used for authentication and data integrity purposes; it does not provide encryption
  - Encapsulating Security Payload (ESP) is used to transmit encrypted data
IPSec
- Can be used on an intranet and to secure Internet communications
- Performs three main functions
  - Authentication
  - Packet filtering
  - Tunneling (encapsulation)

Slide 16: Figure 12-7 The IP Security Policies on Local Computer node in the Group Policy snap-in (Skill 3)

Slide 17: Figure 12-8 The IP Security Policies snap-in (Skill 3)
Callout: The IP Security Policies snap-in configured to manage the Active Directory domain of which the computer is a member.

Slide 18: Figure 12-9 The predefined IPSec policies (Skill 3)
Callouts: Clients will be requested to provide security using authentication mechanisms, but communication with unsecured clients will not be denied. The client does not request a secure session, but it will provide one if asked. Unsecured communications with untrusted computers will be blocked.

Slide 19: Working with IPSec (2) (Skill 3)
- IPSec can only be configured by administrators
- IPSec policies can apply to the local computer or can be configured for a site, OU, or domain
- Preconfigured policy templates
  - Client (Respond Only): the client does not request a secure session, but will provide one if asked
  - Server (Request Security): always attempts to provide secure communication by requesting security using Kerberos trust from other computers
  - Secure Server (Require Security): ensures that all communication is encrypted, which may minimize the number of client computers with which you can communicate over a network, because all communications must be secured

Slide 20: Figure 12-10 Editing an existing IP security rule (Skill 3)
Callout: Click to open the Edit Rule Properties dialog box and edit the IP security rule.

Slide 21: Figure 12-11 The Edit Rule Properties dialog box (Skill 3)

Slide 22: Figure 12-12 The New Authentication Method Properties dialog box (Skill 3)
Callout: Kerberos is the default authentication method, but you can also use a certificate from a trusted CA or a pre-shared key.

Slide 23: Working with IPSec (3) (Skill 3)
- IPSec operates in either tunnel mode or transport mode
  - Tunnel mode
    - Used to create a secure IPSec tunnel through which data can travel from one end to the other
    - The message, message header, and routing information are all encrypted
  - Transport mode
    - The default mode
    - Only the data itself is encrypted
    - Not as secure as tunnel mode
- You configure rules for IPSec policies to regulate how they will be applied and under what circumstances. Examples:
  - Tunnel Setting
  - Authentication Methods: Kerberos (default), certificates from a trusted CA, or pre-shared key
  - Connection Type
  - IP Filter List is used to designate to what type of traffic the rule applies
  - Filter Action is the security method that is applied when the traffic matches one of the three main policies

Slide 24: Working with IPSec (4) (Skill 3)
Security cycle for IPSec communications
- IPSec Policy Agent service
  - Receives the policies from Active Directory
  - Passes the policies to the Registry, the IPSec network driver, and the Internet Key Exchange protocol
- Internet Key Exchange (IKE) protocol
  - Negotiates and establishes a Security Association between computers using the configured authentication method for the computers
  - Sends the Security Association and key information to the IPSec driver
- The IPSec driver checks the IP Filter criteria

Slide 25: Figure 12-13 The Filter Action tab (Skill 3)

Slide 26: Figure 12-14 The Require Security Properties dialog box (Skill 3)
Callout: Select to negotiate security for the connection.

Slide 27: Introducing Certification Authorities (Skill 4)
- When you install Microsoft Certificate Services on a Windows Server 2003 computer, you create the first Certification Authority (CA)
- CAs issue and revoke certificates
- CAs generally belong to a hierarchical system in which one CA certifies another CA to manage certificates over a part of a network
- Certificates
  - Contain a unique public key and other identifying data about the entity to which it is being issued
  - Can be issued to user accounts, computers, and services

Slide 28: Introducing Certification Authorities (2) (Skill 4)
- Hierarchical system based on trust relationships, which are also referred to as CA chaining
- Root CA
  - The most highly trusted CA
  - Has authority to issue certificates to other CAs (subordinate CAs)
- CA classes
  - Enterprise: requires Active Directory
  - Stand-alone: does not require Active Directory
  - Within each class, there are root CAs and subordinate CAs
- CA functions also include revoking certificates and keeping a record of them in the Certificate Revocation List (CRL)

Slide 29: Figure 12-15 Creating a certificate (Skill 4)

Slide 30: Figure 12-16 IE-trusted CAs (Skill 4)

Slide 31: Authenticating User Identity Using Kerberos Protocol (Skill 5)
- Kerberos is generally used when a user wants to access a network service on a network server and the service is set up to require verification of the client's identity for security reasons
- The ticket is the identifying data used to authenticate a user
- The ticket is a key component of Kerberos
- Kerberos uses an authentication system with three parties:
  - The client or party that needs to be authenticated (security principal)
  - The party that has the resource or service (the server)
  - The party that stores the credentials for the others

Slide 32: Authenticating User Identity Using Kerberos Protocol (2) (Skill 5)
- The Key Distribution Center (KDC) is the ticket issuer and has two services
  - The Authentication Service (AS)
  - The Ticket Granting Service (TGS)
- Authentication process
  - The AS must verify the credentials of any security principal that is requesting a ticket
  - The AS then issues a Ticket Granting Ticket (TGT)
  - The TGT verifies the identity of the user and grants admission to the Ticket Granting Service
  - The TGS issues a ticket which will be used in all communications between the party and the KDC in the future

Slide 33: Authenticating User Identity Using Kerberos Protocol (3) (Skill 5)
Validation Server
- The TGS also issues tickets to arrange communication sessions between a security principal and a Validation Server
- The Validation Server is the server that the security principal wants to access
- The Validation Server must be in the same domain (realm) as the KDC

Slide 34: Figure 12-17 Primary components of Kerberos (Skill 5)

Slide 35: Authenticating User Identity Using Kerberos Protocol (4) (Skill 5)
- The Kerberos protocol does not communicate directly with the client
- The client interacts with the Kerberos protocol through the Local Security Authority (LSA) using the Kernel Mode Security Support Provider Interface on the Windows Server 2003 computer

Slide 36: Figure 12-18 The Kerberos Authentication process (Skill 5)

Slide 37: Implementing Account Policy (Skill 6)
- Account policies are used to set the user account properties that control the logon process
- Account Lockout policies
  - Prevent users from trying to guess passwords
  - Configuration settings
    - Account lockout threshold
    - Account lockout duration
    - Reset account lockout counter after
- Password policies
  - Specify how users manage their passwords
  - Options include requiring passwords to follow complexity rules or defining when a password needs to be changed

Slide 38: Implementing Account Policy (2) (Skill 6)
- Kerberos policies
  - Applicable to domain user accounts or computer accounts
  - Policy settings
    - Enforce user logon restrictions
    - Maximum lifetime for service ticket
    - Maximum lifetime for user ticket
    - Maximum lifetime for user ticket renewal
    - Maximum tolerance for computer clock synchronization
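A toy model of the three-party exchange on slides 31-35 together with the ticket-lifetime and clock-tolerance settings on slide 38, added here as an example; it is not code from the presentation or from Windows. The sealing primitive, the string-to-key step, the principal names and the secrets are constructed stand-ins (real Kerberos uses its RC4/AES encryption profiles and ASN.1 messages); the POLICY numbers mirror the Windows Server 2003 defaults.

```python
import hashlib, hmac, json, secrets

# Slide 38 policy values in seconds (Windows Server 2003 defaults: 600 min, 10 h, 5 min)
POLICY = {"service_ticket": 600 * 60, "user_ticket": 10 * 3600, "clock_skew": 5 * 60}

def _keystream(key, nonce, n):
    out, ctr = b"", 0   # toy keystream (HMAC-SHA256 counter mode), not a real cipher
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    # Toy authenticated encryption of a JSON object: nonce || ciphertext || tag
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Check the tag before decrypting; a wrong key or tampering raises ValueError
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password):
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key

class KDC:
    """Key Distribution Center: holds every principal's long-term key and runs
    both the Authentication Service (AS) and the Ticket Granting Service (TGS)."""
    def __init__(self, policy):
        self.policy, self.keys = policy, {"krbtgt": secrets.token_bytes(32)}  # TGT key

    def _issue(self, client, service, now):
        # A ticket is a fresh session key plus an expiry, sealed for the service
        skey = secrets.token_bytes(32)
        life = self.policy["user_ticket" if service == "krbtgt" else "service_ticket"]
        ticket = {"client": client, "service": service, "skey": skey.hex(), "end": now + life}
        return skey, seal(self.keys[service], ticket)

    def authentication_service(self, client, pre_auth, now):
        # AS: a timestamp sealed under the user's key proves the credentials
        try:
            ts = unseal(self.keys[client], pre_auth)["timestamp"]
        except (KeyError, ValueError):
            raise PermissionError("AS: pre-authentication failed")
        if abs(now - ts) > self.policy["clock_skew"]:
            raise PermissionError("AS: clock skew exceeds policy")
        skey, tgt = self._issue(client, "krbtgt", now)   # the TGT
        return seal(self.keys[client], {"skey": skey.hex()}), tgt

    def ticket_granting_service(self, tgt, authenticator, service, now):
        # TGS: validate the TGT and its authenticator, then issue a service ticket
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["end"]:
            raise PermissionError("TGS: TGT expired")
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > self.policy["clock_skew"]:
            raise PermissionError("TGS: authenticator rejected")
        skey, ticket = self._issue(t["client"], service, now)
        return seal(bytes.fromhex(t["skey"]), {"skey": skey.hex()}), ticket

def client_logon(kdc, user, password, now):
    key = user_key(password)   # client side of the AS exchange
    reply, tgt = kdc.authentication_service(user, seal(key, {"timestamp": now}), now)
    return {"user": user, "tgt": tgt, "tgt_key": bytes.fromhex(unseal(key, reply)["skey"])}

def client_request_service(kdc, creds, service, now):
    # Client side of the TGS exchange: returns the service ticket and session key
    authenticator = seal(creds["tgt_key"], {"client": creds["user"], "timestamp": now})
    reply, ticket = kdc.ticket_granting_service(creds["tgt"], authenticator, service, now)
    return {"ticket": ticket, "key": bytes.fromhex(unseal(creds["tgt_key"], reply)["skey"])}

def validation_server_accept(service_key, ticket, authenticator, now, skew):
    # The Validation Server (slide 33) never contacts the KDC: it opens the ticket
    # with its own long-term key and checks the authenticator under the session key
    t = unseal(service_key, ticket)
    if now > t["end"]:
        raise PermissionError("AP: ticket expired")
    auth = unseal(bytes.fromhex(t["skey"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > skew:
        raise PermissionError("AP: authenticator rejected")
    return t["client"]

def run_demo(now=1_700_000_000):
    # Full cycle AS -> TGS -> Validation Server, then a TGT past its lifetime
    kdc = KDC(POLICY)
    kdc.keys["alice"] = user_key("correct horse battery")
    kdc.keys["host/fs01"] = fs_key = user_key("fs01-long-term-secret")
    creds = client_logon(kdc, "alice", "correct horse battery", now)
    svc = client_request_service(kdc, creds, "host/fs01", now + 10)
    ap_req = seal(svc["key"], {"client": "alice", "timestamp": now + 11})
    who = validation_server_accept(fs_key, svc["ticket"], ap_req, now + 12, POLICY["clock_skew"])
    try:
        client_request_service(kdc, creds, "host/fs01", now + POLICY["user_ticket"] + 1)
        expired = "accepted"
    except PermissionError as e:
        expired = str(e)
    return who, expired
```

Calling run_demo() returns ("alice", "TGS: TGT expired"): the file server accepts the ticket without ever talking to the KDC, and the same TGT presented after the maximum user ticket lifetime is refused by the TGS.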

Slide 39: Figure 12-19 The Kerberos policies (Skill 6)

Slide 40: Figure 12-20 The Account lockout threshold Properties dialog box (Skill 6)
Callout: Set the number of unsuccessful logon attempts that will be allowed.

Slide 41: Figure 12-21 The Suggested Value Changes dialog box (Skill 6)

Slide 42: Figure 12-22 The Enforce password history Properties dialog box; Figure 12-23 The Minimum password length Properties dialog box (Skill 6)

Slide 43: Figure 12-24 The Maximum lifetime for service ticket Properties dialog box (Skill 6)

Slide 44: Figure 12-25 The Suggested Value Changes dialog box (Skill 6)

Slide 45: Diagnosing and Resolving Account Lockouts (Skill 7)
- Make sure you apply the latest service packs and hot fixes to all domain controllers and client computers
- Configure auditing at the domain level for Account Logon Events (Failure), Account Management (Success), and Logon Events (Failure)
- Configure Kerberos and Netlogon logging to track both Kerberos logon attempts and NTLM authentication attempts
- Analyze the Security and System event logs for all computers involved to check the computers on which lockouts are occurring for programs and service accounts that cache credentials

Slide 46: Figure 12-26 Enabling Netlogon logging (Skill 7)

Slide 47: Figure 12-27 Netlogon.log startup (Skill 7)
Callout: The Netlogon.log file is created in %systemroot%\Debug.

Slide 48: Figure 12-28 Adding the LogLevel Registry value (Skill 7)
Callout: To enable Kerberos event logging on a computer, add a Registry value named LogLevel to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters Registry key; it must be of the REG_DWORD value type with a value data of 0x1.

Slide 49: Diagnosing and Resolving Account Lockouts (2) (Skill 7)
- You use a group of tools in the ALTools.exe package to diagnose and troubleshoot account lockouts
- LockoutStatus.exe displays information about a locked out account that it has obtained from Active Directory
- ALockout.dll
  - A logging tool that identifies the program or process that is sending incorrect credentials
  - Use it after you have enabled Netlogon and Kerberos logging and logon auditing on the local computer
- AcctInfo.dll adds a new property page to user objects when you display them in the Active Directory Users and Computers console

Slide 50: Figure 12-29 The Stored User Names and Passwords dialog box (Skill 7)

Slide 51: Figure 12-30 The Select Target & Credentials dialog box (Skill 7)

Slide 52: Figure 12-31 Displaying information with the LockoutStatus.exe tool (Skill 7)
Callout: LockoutStatus.exe displays information about a locked out account that it has obtained from Active Directory.

Slide 53: Figure 12-32 Alockout.txt (Skill 7)

Slide 54: Figure 12-33 The Additional Account Info tab (Skill 7)
Callouts: The new Additional Account Info property page provides detailed information about a user account that can be used to isolate and troubleshoot account lockouts. Click the Domain PW Info button on the Additional Account Info tab to view the password policy for the domain.

Slide 55: Figure 12-34 The Domain Password Policy dialog box (Skill 7)

Slide 56: Diagnosing and Resolving Account Lockouts (3) (Skill 7)
- ALoInfo.exe
  - Determines which users' passwords are about to expire
  - Use it when you have determined that account lockouts are often occurring on your network after users have been forced to change their passwords
- EventCombMT.exe is a tool with specific built-in search categories to collect events from the event logs of several different computers
- NLParse.exe parses Netlogon log files, which can grow to up to 20 MB in size, to locate specific data

Slide 57: Figure 12-35 The Change Password On a DC In The Users Site dialog box (Skill 7)

Slide 58: Figure 12-36 EventCombMT (Skill 7)
Callout: Add an event number to search for additional account lockout events.

Slide 59: Figure 12-37 Results from EventCombMT (Skill 7)
Callout: Event 644 indicates that an account is locked out.

Slide 60: Diagnosing and Resolving Account Lockouts (4) (Skill 7)
- FindStr.exe
  - A command line tool you can also use to parse Netlogon log files
  - It is more versatile because it can parse several Netlogon.log files at the same time
- You can also use the Replmon and Repadmin utilities to verify that Active Directory replication is taking place
- In the Replication Monitor, you can view the "low-level" status of Active Directory replication between all domain controllers in a single site

Slide 61: Figure 12-38 Netlogon-Parse (Skill 7)
Callout: The return codes specific to account lockouts are 0xC000006A and 0xC0000234.
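An added example (not from the presentation or from the ALTools package) of the analysis that NLParse and FindStr are used for on slides 45, 49, 60 and 61: it picks the two return codes out of Netlogon.log-style lines, then replays the bad-password events against the Account lockout threshold, duration and reset-counter settings from slide 37 to predict when the counter trips and which workstation is sending the stale credentials. The log lines, account names, the LockoutPolicy values and the exact line layout are constructed, and the lockout arithmetic is a simplified model of what the domain controller does.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Return codes named on slide 61
WRONG_PASSWORD = "0xC000006A"
ACCOUNT_LOCKED_OUT = "0xC0000234"

# Constructed sample in the shape of Netlogon.log entries (not captured from a real DC):
# MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: <type> logon of DOMAIN\user from \\WS Returns <status>
SAMPLE_LOG = r"""
01/15 09:00:01 [LOGON] [1120] CONTOSO: SamLogon: Network logon of CONTOSO\alice from \\WS01 Returns 0xC000006A
01/15 09:00:05 [LOGON] [1120] CONTOSO: SamLogon: Network logon of CONTOSO\alice from \\WS01 Returns 0xC000006A
01/15 09:00:09 [LOGON] [1120] CONTOSO: SamLogon: Network logon of CONTOSO\alice from \\WS01 Returns 0xC000006A
01/15 09:00:13 [LOGON] [1120] CONTOSO: SamLogon: Network logon of CONTOSO\alice from \\WS01 Returns 0xC0000234
01/15 09:02:40 [LOGON] [1120] CONTOSO: SamLogon: Interactive logon of CONTOSO\alice from \\LT07 Returns 0xC0000234
01/15 09:05:00 [LOGON] [1120] CONTOSO: SamLogon: Network logon of CONTOSO\bob from \\WS02 Returns 0xC000006A
01/15 09:45:00 [LOGON] [1120] CONTOSO: SamLogon: Network logon of CONTOSO\bob from \\WS02 Returns 0xC000006A
01/15 09:46:00 [LOGON] [1120] CONTOSO: SamLogon: Network logon of CONTOSO\bob from \\WS02 Returns 0x0
01/15 09:46:30 [MISC] [1120] CONTOSO: DsGetDcName function called: Dom:CONTOSO Acct:(null)
"""

LINE_RE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?logon of (\S+) from (?:\(via )?([^\s)]+)\)?"
    r".*?Returns (0x[0-9A-Fa-f]+)", re.IGNORECASE)

def parse_netlogon(text):
    """Return (time, account, source, status) for SamLogon result lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status = "0x" + m.group(4)[2:].upper()          # normalise hex case
            events.append((datetime.strptime(m.group(1), "%m/%d %H:%M:%S"),
                           m.group(2).lower(), m.group(3).upper(), status))
    return events

class LockoutPolicy:
    """Slide 37 settings: threshold in bad attempts, duration and reset window in minutes."""
    def __init__(self, threshold, duration_min, reset_after_min):
        self.threshold = threshold
        self.duration = timedelta(minutes=duration_min)
        self.reset_after = timedelta(minutes=reset_after_min)

def analyze(events, policy):
    """Replay the log against the policy: per account, bad passwords by source,
    the moments the counter would reach the threshold, and lockouts the DC reported."""
    report = defaultdict(lambda: {"bad_by_source": Counter(), "predicted_lockouts": [],
                                  "reported_lockouts": 0})
    counters = {}   # account -> (bad count, time of last bad attempt, locked until)
    for when, account, source, status in sorted(events):
        r = report[account]
        if status == ACCOUNT_LOCKED_OUT:
            r["reported_lockouts"] += 1
            continue
        if status != WRONG_PASSWORD:
            continue
        r["bad_by_source"][source] += 1
        count, last, until = counters.get(account, (0, None, None))
        if until and when < until:
            continue                      # still locked out; the DC does not count this
        if last is None or when - last > policy.reset_after:
            count = 0                     # 'Reset account lockout counter after' elapsed
        count += 1
        if policy.threshold and count >= policy.threshold:
            r["predicted_lockouts"].append((when, source))
            count, until = 0, when + policy.duration   # 'Account lockout duration'
        counters[account] = (count, when, until)
    return dict(report)

def likely_sources(report):
    """Accounts the policy would lock, with the workstation sending most bad passwords."""
    return {acct: r["bad_by_source"].most_common(1)[0][0]
            for acct, r in report.items() if r["predicted_lockouts"]}

if __name__ == "__main__":
    rep = analyze(parse_netlogon(SAMPLE_LOG), LockoutPolicy(3, 30, 30))
    for acct, r in rep.items():
        print(acct, dict(r["bad_by_source"]), r["predicted_lockouts"], r["reported_lockouts"])
    print(likely_sources(rep))
```

With the sample, alice is predicted locked at 09:00:09 by the third bad password from \\WS01 (the 0xC0000234 entries that follow, including the one from her own laptop, are the symptom, not the cause), while bob's two failures fall outside the 30-minute reset window and never reach the threshold.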

Slide 62: Implementing Security Options (Skill 8)
Security Options
- Used to set over 65 types of security policy settings for a computer, OU, domain, or site
- Are divided into 14 categories depending on their function:
  - Accounts
  - Audit
  - Devices
  - Domain controller
  - Domain member
  - Interactive logon
  - Microsoft network client
  - Network access
  - Network security
  - Recovery Console
  - Shutdown
  - System cryptography
  - System objects
  - System settings

Slide 63: Figure 12-39 Security Options (Skill 8)

Slide 64: Figure 12-40 The Accounts: Rename guest account Properties dialog box (Skill 8)

Slide 65: Figure 12-41 The Interactive logon: Do not display last user name Properties dialog box (Skill 8)

Slide 66: Figure 12-42 The Shutdown: Allow system to be shut down without having to log on Properties dialog box (Skill 8)

Slide 67: Configuring User Rights Assignments (Skill 9)
- User rights assignments are configured to designate the tasks a user or group is allowed to perform, either on an individual system or on a domain
- User rights are divided into two categories
  - Logon rights are assigned to designate who can log on to a computer and how they can log on
  - Privileges permit users to interact with the operating system and with system-wide resources

Slide 68: Figure 12-43 User Rights Assignment (Skill 9)

Slide 69: Figure 12-44 The Select Users, Computers, or Groups dialog box (Skill 9)

Slide 70: Figure 12-45 The Access this computer from the network Properties dialog box (Skill 9)

71 4.71 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security in Windows Server 2003  Administrative Template policy settings customize the settings used by the clients that access a Windows Server 2003 network  Advantages of using Administrative Template policy settings  To improve security  To supply a consistent working environment for all clients Configuring Client Security (Skill 10)

72 4.72 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security in Windows Server 2003  The settings available in the Administrative Templates node are based on.adm template files  These settings designate Registry entry modifications that change aspects of the user environment  The preconfigured Administrative Templates, stored in the %systemroot%\inf file, determine the groups of configurable settings Configuring Client Security (2) (Skill 10)

73 4.73 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security in Windows Server 2003 Figure 12-46 The User Configuration\Administrative Templates node (Skill 10)

74 4.74 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security in Windows Server 2003 Figure 12-47 Display changing history settings Properties dialog box-Explain tab (Skill 10)

75 4.75 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security in Windows Server 2003 Figure 12-48 Display changing history settings Properties dialog box-Setting tab (Skill 10)

76 Figure 12-49 Prohibit access to the Control Panel Properties dialog box (Skill 10)

77 Figure 12-50 The Policy Templates dialog box (Skill 10)
 The preconfigured administrative templates determine the collections of configurable settings and are stored in %systemroot%\inf

78 Working with Security Tools and Templates (Skill 11)
 Security templates can include password and account lockout policies, local security policies, user rights assignments, Registry key security, group memberships, and permissions for the local file system
 On a domain-based network, you can apply a security template to a Group Policy object so that all of the settings are put into operation on a site, domain, or OU
 All security attributes, except IPSec and Public Key policies, can be stored in a security template

79 Working with Security Tools and Templates (2) (Skill 11)
 Uses of the Security Configuration and Analysis snap-in
   To compare the current security configuration of the computer to one of the security templates
   To create custom templates
   To apply a template to either the local computer or a Group Policy object
 When you install the operating system, a template file, Setup Security.inf, is created in the folder %systemroot%\security\templates to store the default security settings for the computer

80 Figure 12-51 The Add Standalone Snap-in dialog box (Skill 11)

81 Figure 12-52 The default security templates in the Security Templates snap-in (Skill 11)

82 Figure 12-53 Analyzed Password Policy (Skill 11)
 Policies with a green check mark meet the requirements for a secure server; policies with a red X do not

83 Figure 12-54 The Minimum password length Properties dialog box (Skill 11)
 Use to change the database setting for the template

84 Figure 12-55 The Configure System dialog box (Skill 11)

85 Working with Security Tools and Templates (3) (Skill 11)
 Secedit tool
   Performs most of the same functions as the Security Templates and Security Configuration and Analysis snap-ins
   It is particularly useful on a domain-based system for performing analyses on a large number of computers at the same time
 Security templates can be applied only to Windows 2000, Windows XP Professional, and Windows Server 2003 computers, because some of the security settings, particularly those related to encryption, are not compatible with earlier versions of the operating system
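The following added example (written for this page, not taken from the course or from Microsoft) scripts the comparison that the Security Configuration and Analysis snap-in shows as green check marks and red Xs in Figure 12-53: it exports the computer's current settings with secedit, then compares the [System Access] section (the account and password policy values) with the same section of a template. It assumes secedit.exe is on the PATH and uses the Setup Security.inf path named on slide 79.

```powershell
# Added example: compare the local account policy with a security template.
# secedit /export writes the effective local policy in the same .inf format
# that security templates use, so both files can be parsed the same way.
$Template = "$env:SystemRoot\security\templates\Setup Security.inf"
$Current  = Join-Path $env:TEMP 'current-policy.inf'
secedit /export /cfg $Current /quiet | Out-Null

# Read the [System Access] section of an .inf file into a hashtable of
# setting name -> value (e.g. MinimumPasswordLength -> 7).
function Get-SystemAccess {
    param([string]$Path)
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(?<name>[^\]]+)\]') {
            $inSection = ($Matches.name -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*(?<key>\w+)\s*=\s*(?<value>.+?)\s*$') {
            $settings[$Matches.key] = $Matches.value.Trim('"')
        }
    }
    return $settings
}

# One row per template setting: Match when the computer holds the template's
# value, Mismatch otherwise (the snap-in's red X), Not Configured when absent.
function Compare-SystemAccess {
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $have = $Actual[$key]
        [pscustomobject]@{
            Setting  = $key
            Template = $Expected[$key]
            Computer = if ($null -eq $have) { 'Not Configured' } else { $have }
            Result   = if ($have -eq $Expected[$key]) { 'Match' } else { 'Mismatch' }
        }
    }
}

Compare-SystemAccess -Expected (Get-SystemAccess $Template) -Actual (Get-SystemAccess $Current) |
    Format-Table -AutoSize
```

Because the export runs from the command line, the same script can be pushed to many domain computers and the Mismatch rows collected centrally, which is the large-scale analysis use of secedit described on slide 85.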

86 Figure 12-56 The configured Security Options policies (Skill 11)
