Understanding the Elements of a Remote Access Policy

Remote access policies consist of the following elements: conditions, permissions, and profiles. We'll discuss each of these elements in turn, and list how each can be used to control remote access attempts by your network clients. Remote access conditions consist of one or more attributes that can be compared against a connection attempt by a remote user. A remote access policy can specify one or more of these attributes that should be checked before allowing access. If a policy specifies...

Exam Objectives Fast Track

Designing Security for Communication between Networks: RRAS is used to configure Windows Server 2003 as a router for internetwork communications. The route can be configured with either a dedicated connection or with a demand dial connection, and the design and implementation of a routing protocol is a key to good security. RIP version 2, OSPF, and static routes can be made secure if implemented properly. This can include using password-based router authentication, route filtering, and peer...

802.1X and Extensible Authentication Protocol

The 802.1X standard uses EAP for message exchange during the authentication process, to protect the contents of the authentication process. Remember that EAP is an extension of the PPP protocol that provides arbitrary authentication mechanisms to be used for the validation of a connection. Thus, with EAP, arbitrary authentication mechanisms such as certificates, smart cards, or passwords can be used to authenticate the wireless connection. There are three authentication methods available using...

Using Group Policy to Deploy Software Updates

Group Policy is another great way you can deploy software in general and patches and updates in particular. Using GPOs, you can even customize who gets which updates and can thereby exert more granular control over the software distribution process, allowing you to prioritize updates based on importance. As we discussed in the last section, this is something that SUS will not allow you to do. For example, let's say that a security patch has just been released that addresses a particularly...

secedit /analyze

The /analyze switch causes secedit to analyze security for whichever element is selected. The parameters for the /analyze switch are shown in Table 2.8. This switch allows you to analyze current database settings against other settings (typically baseline settings) and store the results in a log file. You can view the results in the Security Configuration and Analysis snap-in. The result will show you the difference between the current settings and the baseline settings, allowing you to see and...

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix. 1. Your forest is structured according to the illustration in Figure 4.15. You have a group of developers in the east.fixed-wing.airplanes.com domain who need to access files in the domain on a regular basis. The users are complaining that accessing the files in the development...

Impersonate a Client After Authentication

This right allows a service or program to impersonate the user after logon, which means that the service or program can use the credentials that the user used to log in to perform an action, rather than the credentials the service or the program used to launch itself. This is a great security enforcer that was not available with Windows 2000 SP3 and earlier, but was introduced with SP4, and of course is available by default in Windows Server 2003. Prior to Windows 2000 SP4, any service or...

secedit /export

The secedit command also allows you to export security settings contained in a specified database. Table 2.10 shows the required and optional parameters for the export function. This function is typically used for two primary purposes. First, if you want to preserve the current settings on a system, you can export them. This can be useful if you want to experiment with various settings but want to bring the system back to its original known state. It's also commonly used to export customized...

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix. Designing Security for Communication between Networks: 1. Your network consists of Windows Server 2003 domain controllers (DCs), Windows 2003 DNS servers, and Windows XP clients. You have recently added a firewall to the network to provide security for the network from attack from the...

Setting Registry Access Permissions via Group Policy

In this exercise, we'll step through how to set Registry permissions via Group Policy. For the purposes of this exercise, we'll select the default domain policy. However, in practice, you might apply these settings to an OU, a site, or a domain. 1. Click Start | Run, type mmc in the Open text box, and then click OK to launch the Microsoft MMC. 2. Click File | Add/Remove Snap-in. 3. In the Add/Remove Snap-in dialog, click Add. Scroll through the list until you locate Group Policy Object Editor....

secedit /refreshpolicy Replaced by gpupdate

In Windows 2000, the secedit command used the /refreshpolicy switch to refresh local Group Policy settings and Group Policy settings stored in the Active Directory. This command is replaced in Windows Server 2003 by the command gpupdate.exe. This command-line tool does what the /refreshpolicy switch in the secedit command did in Windows 2000. Table 2.12 shows the parameters for the gpupdate command. If you'd like to view help options for the gpupdate command, use the following command line string...

Using URLScan and IISLockdown

The URLScan tool restricts the types of HTTP request that an IIS server will process. URLScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality that is equal to or better than the features of URLScan 2.5. However, if you are not running IIS 6.0, you should consider using URLScan 2.5. You can download the URLScan utility from Microsoft's Web site at default.asp. The IIS Lockdown tool can be downloaded from URLScan allows the administrator...

Setting Password Complexity Requirements

You might have noticed that there is a big emphasis on passwords in this section, and the reason is that the password remains an important factor in security. No matter what security precautions you take, if someone guesses your password then that person has complete access to your protected files and resources. To set up a Password Complexity policy like the one we just discussed, follow these steps: 1. Launch an MMC console by clicking on Start | Run. Type MMC and press Enter. 2. Add the Active...

Designing VPN Connectivity

So far in this chapter, we have discussed how to use Windows Server 2003 as a router between subnets in the same office, or between subnets in different geographical locations. You can also use Windows Server 2003 as a remote access server for end users to dial directly in to. Assuming you have the budget to pay for dedicated lines, these types of connectivity are superior both in terms of efficiency and security. However, with the proliferation of the Internet, companies have begun discovering...

Integrating UNIX DNS with Windows Server

The Microsoft DNS service has been designed in compliance with most industry standards for the DNS protocol. This means that you have the option to operate DNS using only Windows Server 2003, or to integrate your name resolution services with any new or existing third-party DNS solutions. The most common of these is the UNIX Berkeley Internet Name Domain (BIND) DNS implementation. Windows Server 2003 DNS has been tested against the following versions of BIND with varying degrees of...

Implementing EFS on the Local Computer

In this exercise, we'll step through encrypting a folder and file on the local computer. You'll see this process is transparent to the user and is relatively fast. We'll also add other users to the file to share the encrypted file. 1. On your desktop, create a folder called EFSTest. 2. Right-click the folder and select Properties. 3. In the EFSTest Properties dialog, the General tab is selected by default. Click the Advanced button on the General tab. 4. The Advanced Attributes dialog is...

Configuring IAS on a Domain Controller

1. From the Windows Server 2003 desktop, open the Control Panel by clicking on Start | Programs | Control Panel. Double-click on Add/Remove Programs. 2. Click Add/Remove Windows Components. When the Windows Components Wizard appears, click Networking Services, and then Details. You'll see the screen shown in Figure 10.10. [Figure 10.10: Installing the Internet Authorization Service] To add or remove a component, click the check box. A shaded box means that only part of the component will be installed....