Group Scopes

Each group in Windows Server 2003 has a scope attribute, which determines which security principals can be members of the group and where you can use that group in a multidomain or multiforest environment. Windows Server 2003 supports the following group scopes. Tip: Security groups do everything distribution groups do, and more. However, distribution groups should be used whenever possible because they do not become part of a user's security token. This makes the authentication process quicker...

Scenario

A user is attempting to use Web enrollment to install a certificate, using a certificate template that you recently created. After following the instructions you provided for enrollment, the user is receiving the error "Your certificate request was denied," as shown in Figure 7.21. [Figure 7.21: Internet Explorer showing the Certificate Services Web enrollment page (http://computer1/certsrv/certfnsh.asp) with the message "Your certificate request was denied."] ...

Exporting Keys

The simplest method for backing up a key pair is to manually export the key, protect it with a password, and store the export media in a secure location. A PKI uses several formats for importing and exporting certificates, certificate chains, and private keys. When a user exports a certificate by using the Certificates console, the Certification Authority console, Certutil.exe, or Internet Explorer, the PKCS 7 and PKCS 12 export formats are available. The PKCS 7 format, also known as the...

Key Recovery

After a key is archived, a key recovery agent can use key recovery to recover a corrupted or lost key. At a high level, the certificate manager retrieves the encrypted file that contains the certificate and private key from the CA database. A KRA then decrypts the private key from the encrypted file and returns the certificate and private key to the user. At a more detailed level, key recovery performs the following process: 1. A certificate manager for the CA that issued the certificate...

Questions and Answers

1. Which of the following authentication methods would you use to protect a wireless network for an organization that has an existing PKI and in which all computers and users have been issued certificates with private keys? Choose all that apply. b. Shared network authentication. d. 802.1X EAP-TLS authentication. e. 802.1X EAP-MD5 CHAP authentication. Answer: a and d. To authenticate users and computers with certificates, you should use open network authentication and 802.1X EAP-TLS authentication. 2....

Design Activity: Case Scenario Exercise

1. Which of the following solutions will you recommend? a. Deploy dial-up servers running Windows Server 2003. Configure the clients to dial directly in to the Fabrikam, Inc., headquarters and authenticate to the remote access servers by using MS-CHAP v2 authentication. b. Deploy dial-up servers running Windows Server 2003. Configure the clients to dial directly in to the Fabrikam, Inc., headquarters and authenticate to the remote access servers by using EAP authentication with public key...

Using Group Policy Object Editor

You can use the Group Policy Object Editor snap-in to immediately apply configuration settings to the Local Group Policy object on a computer. To do this, follow these steps: 1. Open a blank MMC console by clicking Start and then clicking Run. Type mmc, and then click OK. 2. On the File menu, click Add/Remove Snap-In. 3. Click Add, click Group Policy Object Editor, and then click Add. The Group Policy Wizard appears. The Local Computer GPO should be selected by default. 5. Expand Local Computer...

Info

For additional support information regarding this book and the CD-ROM (including answers to commonly asked questions about installation and use), visit the Microsoft Learning Support Web site at ... You can also e-mail tkinput@microsoft.com or send a letter to Microsoft Learning, Attention: MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft Windows Server 2003 Network, Editor, One Microsoft Way, Redmond, WA 98052-6399.

Practice Superseding Certificate Templates

In this practice, you will supersede multiple existing certificate templates. Exercise: Superseding Multiple Certificates. In this exercise, you will supersede the User certificate template with a new version 2 certificate template. 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 2. Click Start, click Run, type certtmpl.msc, and then click OK. 3. Right-click the User template and then click Duplicate Template. 4. In the Properties Of New Template dialog box,...

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter. 1. Which of the following scenarios are appropriate for using client certificates? Choose all that apply. a. To authenticate users returning to a public e-commerce site. b. To authenticate and authorize users...

Certificate Template Permissions

Certificate template permissions define the security principals that can read, modify, enroll, or autoenroll for certificates based on certificate templates. You must define the permissions for each certificate template to ensure that only authorized users, computers, or group members can obtain certificates based on a certificate template. Planning: Be sure that you know the members of a group before you issue certificates to that group. Improper planning could lead to a security risk caused by...

Troubleshooting Problems with Applying Group Policy

When Group Policy fails to be applied to a system, the problem is usually related to network connectivity, incorrect system time, a policy being blocked, or insufficient user permissions. Figure 3.6 shows a flowchart that can be followed to troubleshoot problems relating to a Group Policy object that is not successfully applied to a system. Figure 3.6: Troubleshooting problems relating to failed Group Policy. The sections that...

Authentication Methods

Because dial-up, PPTP, and L2TP all use PPP for authentication, they all support the same authentication methods. There are several authentication methods available. Some you will already be familiar with because they are the same methods used for wireless networks or IPSec. Others are used primarily for authenticating remote access users. When choosing a remote access authentication method, you must first choose between authenticating users against a Remote Authentication Dial-In User Service...

Objective Questions

1. You are in charge of application and server support at a large multinational company named Contoso, Ltd., which is made up of two divisions. Within those divisions are two distinct network environments that you need to deal with. Division one is made up of a Windows 2000 Server native mode domain. Clients in division two all use Windows 2000 Professional and Microsoft Office 2000. Division two is made up of a Windows 2000 mixed-mode domain, with workstations running Windows NT 4.0 and Office...

Lesson Review 1

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter. 1. Which of the following authentication methods should be chosen for a Web site on a public Internet with minimal security requirements, where administrators have no control over which browser a client uses...

Objective Questions

1. Your organization consists of three Active Directory forests running Windows Server 2003. The forests are all configured at the Windows Server 2003 functional level. Each of the three forests has a single domain tree. The first forest's root domain is adatum.com. The first forest hosts the child domains western.adatum.com and northern.adatum.com. The second forest's root domain is proseware.com. The second forest hosts the child domains sydney.proseware.com, adelaide.proseware.com, and...

Security Configuration And Analysis

The Security Configuration And Analysis snap-in gives you an immediate, detailed list of security settings on a computer that do not meet your security requirements. Recommendations are presented alongside current system settings, and icons or remarks are used to highlight any areas where the current settings do not match the proposed level of security. Security Configuration And Analysis uses a database to perform analysis and configuration functions. Using a database gives you the ability to...

Delegated Authentication

Figure 1.4: Typical delegated authentication architecture.

... access to view and update specific rows and columns in the database that should not be accessible to all users. To delegate this right, assign the Enable Computer And User Accounts To Be Trusted For Delegation user right to the selected individuals. By default, Administrators have this right. Users who are assigned the right to enable delegated authentication can then edit the properties of computer accounts in the Active Directory Users...

Configuring Client-Side Authentication Protocols

You create a remote access connection by using the New Connection Wizard, as described in Lesson 2, Exercise 2. However, the New Connection Wizard does not allow you to configure the acceptable authentication or encryption settings for the connection. To view or modify the authentication protocols enabled for a remote access connection on the client, open the properties dialog box of the dial-up or VPN connection on the client, and then click the Security tab. Note: This lesson describes the...

Key Terms

Background Intelligent Transfer Service (BITS): A service that transfers data from the Software Update Services or Windows Update server to the Automatic Updates client with minimal impact to other network services. slipstreaming: The process of integrating a service pack into operating system setup files so that new computers immediately have the service pack installed. 1. By default, where do MBSA and MBSACLI store security reports? (6-13) b. C:\Documents and Settings\username c. C:\...

Deploying Certificate Services for IPSec

Although Kerberos is the simplest way to authenticate IPSec peers, certificates provide greater flexibility for authenticating non-Windows IPSec peers and other computers that are not members of an Active Directory domain. In Windows 2000 and Windows Server 2003, you can use Certificate Services to automatically manage computer certificates for IPSec authentication. IPSec also supports the use of a variety of non-Microsoft X.509 public key infrastructure (PKI) systems. Windows Server 2003 IKE has...

Methods for Updating a Certificate Template

In your CA hierarchy, you might have one certificate template for each job function, such as file encryption or code signing, or a few templates that cover functions for most common groups of subjects. You might have to modify an existing certificate template as a result of incorrect settings that were defined in the original certificate template, or you might want to merge multiple existing certificate templates into a single template. There are two methods for modifying a version 2...

Configuring the Certificate Infrastructure

Regardless of which authentication method you choose, you will need at least one computer certificate to use 802.1X authentication. This certificate must be installed on the IAS servers that will perform RADIUS services. For computer authentication with EAP-TLS, you must also install a computer certificate on the wireless client computers. A computer certificate installed on a wireless client computer is used to authenticate the wireless client computer so that the computer can obtain network...

Resultant Set Of Policy snap-in

The Resultant Set Of Policy (RSoP) snap-in provides a familiar user interface that shows you the effective setting for each of the security template policies. It is an excellent way to verify that the settings you've configured in your security templates are applied to target systems as you expected. If a policy setting is not what you expected, RSoP identifies the Group Policy object responsible for defining the policy. Figure 3.10 shows RSoP displaying password policies. [Figure 3.10: RSoP console displaying password policies] ...

Types of Trusts

Table 1.7 describes the types of trusts supported in Windows Server 2003.

Table 1.7: Windows Server 2003 Trusts
Trust type: Description
Parent/child trust: In Windows Server 2003, this is a default trust between all domains in the forest. This two-way transitive trust allows security principals to be authenticated in any domain in the forest. These trusts are created by default and cannot be removed.
Tree root trust: In Windows Server 2003, this is a default trust between all domain trees in the...

IP Security Monitor Snap-In

IP Security Monitor is a Windows XP and Windows Server 2003 snap-in used to monitor and troubleshoot IPSec. If an IPSec policy is active, you can use this console to examine the policy and its operations. Information in the IP Security Monitor snap-in is divided into three nodes: Active Policy, Main Mode, and Quick Mode. The Active Policy node, as shown in Figure 9.4, displays information about the currently assigned policy. This information includes the policy's name, last modified date, and...

Troubleshooting SSL

Troubleshooting SSL-encrypted connections is difficult because, like IPSec connections, the traffic is encrypted. In some ways, troubleshooting SSL is even more difficult than troubleshooting IPSec because of the wide variety of Web browser clients that need to be able to analyze your public key certificate and establish an HTTPS connection to your Web server. Though the problems are much less frequent than they were in the late 1990s when the use of HTTPS was only beginning to gain popularity,...

Deploying IPSec Using Scripts

If a computer is not a member of a Windows 2000 domain or a Windows Server 2003 domain, it cannot retrieve IPSec policy from Active Directory. However, as Chapter 8 described, you can use the Netsh, Ipseccmd.exe, and Ipsecpol.exe command-line tools to create IPSec scripts. You can then include these scripts as startup scripts for each computer on your network. You can use Ipsecpol.exe only on computers running Windows 2000, Ipseccmd.exe only on computers running Windows XP, and the Netsh...

Quick Mode

Quick Mode (also known as Phase 2 IKE negotiation) establishes a secure channel between two computers to protect data. Because this phase involves the establishment of SAs that are negotiated on behalf of the IPSec service, the SAs created during Quick Mode are called the IPSec SAs. Two SAs are established, each with its own Security Parameter Index (SPI) label. One IPSec SA is used for inbound traffic, and the other is used for outbound traffic. During Quick Mode, keying material is refreshed or,...

Exercise: Creating a Certificate Using the Certificates Snap-in

In this exercise, you will create a certificate by using the Certificates snap-in. To do so: 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 2. Click Start, and then click Run. Type mmc, and then click OK. 3. Click File, and then click Add/Remove Snap-In. 4. Click Add. In the Add/Remove Snap-In dialog box, click Certificates, and then click Add. 5. Click My User Account, and then click Finish. Click Close, and then click OK. 6. Expand Certificates, and then...

Preshared Key Authentication

If both IPSec peers are not in the same domain and do not have access to a CA, a preshared key can be used. For example, a standalone computer on a network that does not connect to the Internet might need to use a preshared key, because neither Kerberos authentication through the computer's domain account nor access to a CA on the Internet is available. A preshared key is a shared secret key (basically a password) that has been agreed upon by administrators who want to secure the computers'...

Publishing CRLs

If you need to download a file from a server, you might access the file in several different ways. If you're logged onto the computer locally, you would use Windows Explorer to navigate to the folder containing the file. If you were on a different computer on the same network, you might map a drive to the server and download the file from a shared folder. If the server was behind a firewall and running IIS, you could open a Web browser to retrieve the file. Having multiple ways to retrieve a...

Practice: Creating Groups and Assigning Rights

In this practice, you will create a restricted group and assign appropriate rights to the members of the group. To complete this practice, you must be logged in with an account that has permission to create and manage groups and GPOs in Active Directory. Complete this task from Computer1.cohowinery.com. You are the security administrator for the Coho Winery organization. Your organization recently hired several new staff members to support desktop computers. These staff members should have...

Many-to-one Client Certificate Mapping

Many-to-one certificate mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as the issuer or subject. This mapping does not identify individual client certificates; it accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all the same user information, the existing mapping will still work. Certificates do not need to be exported for use in many-to-one mappings. To add...

Using Secedit

Secedit.exe is a command-line tool that provides similar functionality to the graphical Security Configuration And Analysis snap-in. By calling the Secedit.exe tool at a command prompt from a batch file or an automatic task scheduler, you can use it to automatically create and apply templates and analyze system security. You can also run it dynamically from a command prompt. Secedit.exe is useful when you have multiple computers on which security must be analyzed or configured, and you need to...

Troubleshooting Checklist

Use the following checklist to identify the source of unexpected Group Policy inheritance: Verify that the intended policy is not being blocked. Verify that no overriding policy that is set at a higher level of Active Directory has been set to No Override. If Block and No Override are both used, No Override takes precedence. Verify that the user or computer is not a member of any security group for which the Apply Group Policy permission is set to Deny. Verify that the user or computer is a...

Practice: Configuring a CA Hierarchy

In this practice, you will configure Computer1 as a root CA and Computer2 as a subordinate CA. To complete these exercises, Computer1 and Computer2 must both be domain controllers in the same domain, as described in the Before You Begin section of this chapter. In this exercise, you will install Certificate Services on Computer1 and configure Computer1 as an enterprise root CA. 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 2. Open Add Or Remove Programs in...

Troubleshooting CRL Publishing

You might occasionally discover a client that does not have a published CRL that the client should have retrieved. While publishing and retrieving CRLs is designed to be as automated as possible, you do have the ability to manually publish and retrieve CRLs for troubleshooting purposes. Certutil.exe is a command-line program that is installed along with Certificate Services. It provides a useful interface to a wide variety of Certificate Services functionality. To manually retrieve the latest...

Info

Off the Record: There's one way to use multiple security policies on a single computer: by using virtual machines. I use virtual machines extensively to run multiple instances of different operating systems on a single computer simultaneously. Enterprises often use virtual machines in servers to avoid conflicts between server applications, such as the limitation of having a single IPSec policy applied to a computer. I use Microsoft Virtual PC 2004. You can find information about this software at...

Authentication Methods Used with Trusts in Windows Server

Because trusts allow you to facilitate access to resources in a multidomain environment, it is important that you use the most secure authentication protocol whenever possible when creating trusts between domains and realms. You also need to understand the various authentication types associated with each trust type. For example, if you have secured your authentication in your organization to accept only Kerberos authentication, an external trust to a Windows NT 4.0 domain will fail because a...

Certificate Revocation List Checking

As you learned in Chapter 7, certificate servers issue Certificate Revocation Lists (CRLs) to update clients when certificates are revoked. For a client computer to validate a certificate completely, it must check the CRL to verify that the certificate has not been revoked by the issuer. Because the standards for checking CRLs were still evolving when Windows 2000 was released, computers running Windows 2000 do not automatically check CRLs for certificates used in IPSec authentication. If you...

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the Questions and Answers section at the end of this chapter. 1. Sam is a member of both the IT group and the Administrators group. Sam is attempting to access a file with the following permissions: Administrators: Grant Full Control. What are Sam's effective privileges to...

Configuring IAS 1

IAS is a component of Windows Server 2003 that provides RADIUS services capable of authenticating users based on information contained within Active Directory. When configuring the security of a wireless network, you must configure the IAS server to use specific authentication methods and to grant access to authorized users. This configuration is done by using two types of policies: Remote Access Policies (RAP) and Connection Request Policy (CRP). See Also: For more information about IAS, including...

Exercise: Creating a Certificate Using Web Enrollment

In this exercise, you will create a Basic EFS certificate by using the manual Web enrollment process. To request a certificate by using the Web Enrollment Web site: 1. Log on to the cohowinery.com domain on Computer1 using the Administrator account. 3. In the address bar of Internet Explorer, type http://computer1/certsrv. Click Go. 4. If you are not automatically authenticated, provide your user name and password when prompted, and then click OK. The Web interface for manually enrolling for...