The Sybex Test Engine
This is a collection of multiple-choice questions that will help you prepare for your exam. There are three sets of questions: two bonus exams designed to simulate the actual live exam, and all the questions from the Study Guide, presented in a test engine for your review. Here is a sample screen from the Sybex MCSE test engine.
Authenticating with Client Certificate Mapping
Client certificate mapping is the process of mapping certificates on client computers to Active Directory accounts. Certificates are used in many applications, including data encryption, signing of data, and providing authentication. A certificate includes an encrypted set of authentication credentials, which includes the digital signature from the issuing certificate authority (CA). As you saw in Chapter 6, "Deploying, Managing, and Configuring SSL Certificates," the process of obtaining a...
Troubleshooting RRAS
Once RRAS is properly configured, VPN connections through RRAS are dependable and secure. However, much can go wrong with RRAS, and you need to be ready to troubleshoot. Some basic steps for troubleshooting VPN connections from the RRAS server include the following: Test basic Internet connectivity from the RRAS server. Verify that IP addresses are available, either through the static pool or through the DHCP server environment. If more IP addresses are needed, you can add them to the static pool by...
Installing MBSA
To install the MBSA tool, follow these steps. (Note: MBSA will not install via Windows Terminal Services.) 1. Download MBSA from Microsoft's website. 2. Double-click the mbsasetup.msi file to start Microsoft Baseline Security Analyzer Setup. 3. At the Welcome screen, click Next to open the licensing agreement screen. 4. Read the licensing agreement, agree to it, and then click Next to open the User Information screen. 5. Enter your name and organization information, choose whether you want the tool...
Using SSL to Secure Client Machine to Active Directory Domain Controller Traffic
One of the big concerns with Windows NT, Windows 2000, and Windows Server 2003 is the way that hackers can capture packets during the logon process and then use brute force to get the usernames and passwords for user accounts. In security, it's important that you not give information to potential intruders. This information can easily be used against your systems. For example, to log in to the network, you need a user name and its associated password. With Active Directory and the Lightweight...
Back Up the CA
1. Choose Start > Administrative Tools > Certification Authority. 2. Right-click the CA and choose All Tasks > Backup CA to start the Certification Authority Backup Wizard. 3. Click Next to open the Items To Back Up screen. 4. Select the Private Key And CA Certificate check box and then select the Certificate Database And Certificate Database Log check box. 5. In the Back Up To This Location field, enter the drive and path for the location where the backup will be stored. The wizard creates...
Restricted Groups
You use the Restricted Groups node to define who should and should not belong to a specific group. When a template with a restricted Group Policy is applied to a system, the Security Configuration Tool Set adds and deletes members from specified groups to ensure that the actual group membership coincides with the settings defined in the template. For example, you might want to add the Enterprise Admins to all Domain Admins security groups or to add the Domain Admins group to all Local...
Installing the Directory Services Client
In this exercise, you will install the Directory Services client on a Windows 98 computer and configure it to use NTLM version 2. For this exercise, you need a Windows 98 system and the Windows 2000 Server CD. This exercise assumes that Windows 98 is already installed and on the network and that the latest version of Internet Explorer is also installed. For Windows 95, you need to follow all these steps, plus install the Distributed File System (DFS) client, WinSock 2.0 Update, and the Microsoft...
Chapter: Managing Client Computer and Server Certificates and EFS. FIGURE: The EFS encryption process
[Figure residue; recoverable labels: 1. User enables the encryption attribute. 2. Symmetric encryption using the FEK. 5. Recovery Agent's public key encrypts FEK.] Once the encrypted file is stored on the hard drive, the only user who can open the file and read its contents is the user who stored the file using their public key to encrypt the FEK, or an account that has the recovery agent's certificate. In both cases, the private key from the certificate is required to decrypt the file, using these steps: 1. The user attempts to open...
Configuring and Publishing a Certificate from a StandAlone CA
In this exercise, you will configure the CA and set up certificate enrollment to properly publish certificate information in Active Directory. This requires that the stand-alone CA is online and 1. On the CA computer, choose Start > Run to open the Run dialog box. In the Open box, enter cmd and press Enter to open the command console. 2. At the prompt, enter certutil -setreg exit\publishcertflags +exitpub_activedirectory and press Enter. 3. Choose Start > All Programs > Administrative Tools...
Viewing Certificates
You can view certificates if you are running Windows Server 2003, Windows 2000, or Windows XP Professional. Using the Certificates MMC snap-in, you can view certificates issued to you and to your computer. The process of installing the Certificates MMC snap-in was described in Exercise 9.11 earlier in this chapter. To view your personal certificates, open the console, expand the Certificates - Current User folder, expand the Personal folder, and then click Certificates to display all your user...
Anonymous Authentication
Web authentication takes place when the browser tries to access web server content. If Anonymous authentication is enabled and the proper file permissions are in place, all connections are allowed. This is the most common setting for web servers; after all, can you imagine having to log in on every website that you visit? That would drive everyone over the edge. So if you want others to have access to web servers that host public information, always configure those servers to use Anonymous...
Enforcing SSL on IIS
In this exercise, you will configure IIS 6 so that any browser connections to the website on which the SSL certificate has been installed must use SSL. 1. On your web server, run the IIS MMC snap-in. Choose Start > Administrative Tools > Internet Information Services (IIS) Manager to start the console. 2. Right-click the website on which you want to install the certificate and choose Properties from the shortcut menu to open the Properties dialog box for the website. 3. Click the Directory...
NT LAN Manager (NTLM)
NTLM is used by down-level operating systems such as Windows 95, Windows 98, and Windows NT 4. NTLM is also used by Windows 2000, Windows Server 2003, and Windows XP Professional when logging in to a Windows NT 4 domain and when logging in to the local computer accounts database (not Active Directory domains). There are three versions of NTLM: LAN Manager (LM): This form of NTLM is available in Windows 2000, Windows Server 2003, and Windows XP Professional so that computers running these operating...
Configuring Authentication Protocols to Support Mixed Windows Client Computer
As we just mentioned, only two protocols are available when logging on to the domain. You can use Kerberos if you have an Active Directory domain environment, or you can use NTLM. As we discussed, only Windows 2000, Windows Server 2003, and Windows XP Professional can use Kerberos. Even if you are using only Windows 2000, Windows Server 2003, and Windows XP Professional, you need to use NTLM to avoid significant problems such as with clustering and RIS. As with any change, test it to the best...
Disabling LM and NTLM version
In this exercise, you will disable LM and NTLM version 1 so that any clients attempting to use these authentication protocols will be ignored. 1. Choose Start > Administrative Tools > Active Directory Users And Computers. 2. If necessary, expand the MMC (Microsoft Management Console), right-click the domain name, choose Properties from the shortcut menu to open the Properties dialog box for the domain, and then click the Group Policy tab. 3. Select Default Domain Policy and then click Edit to...
MAC Filtering
Yes, a Media Access Control (MAC) address is not exactly friendly and easy to use. Anyone who has done MAC filtering with other devices knows how difficult it is to configure. Just entering the 12 hexadecimal digits of a MAC address can be a pain all its own. It is easy to read the wrong digit or mistype it. A MAC address is unique to the network device. At least it is supposed to be unique. Assuming that it is unique and that you can identify a single network device from its MAC address, this may have some...
Preserving the Chain of Evidence
If you intend to pursue criminal prosecution, the evidence that an investigator may need might reside in a Word document, on a spreadsheet, or in some other file. Evidence may also reside in erased files, file slack (that area of a sector that is hosting a file but is not filled with any data), or even in a Windows swap file, all of which are volatile and easily changeable if not properly accessed. Sometimes, simply booting up a computer can alter and even destroy data fragments that can...
Installing an Intermediate CA
In this exercise, you will install an intermediate CA using the root CA installed in Exercise 9.1 as the basis of your new CA. The intermediate CA will be much like your root CA in that it will 1. Choose Start > Control Panel to open the Control Panel. Select Add Or Remove Programs. 2. Click Add Or Remove Windows Components in the left pane. 3. Select the Certificate Services check box. Click Yes when you see the message stating that you cannot change the computer name or its domain...
Setting the Three Inbound Filters
1. Click the Inbound Filters button and then click New to open the Add IP Filter dialog box. 2. Select the Destination Network check box and then enter the IP address and the subnet mask for the external interface. 3. In the Protocol drop-down list box, select Other. In the Protocol Number box, type 47, and then click OK to close the Add IP Filter dialog box. 4. In the Inbound Filters window, click New. 5. Select the Destination Network check box and enter the IP address and the subnet mask for...
QChain
QChain.exe is a command-line utility that gives you the ability to install multiple hotfixes with only one reboot of the server, even if each individual hotfix would require a reboot on its own. The updates are chained together into a single installation, and then the server is rebooted only once. This allows more uptime for each server. If you try to install multiple hotfixes before rebooting a server without QChain, you can run into a situation in which one hotfix replaces a file in the...
FIGURE The Registry node in the Security Templates console
[Screenshot residue; recoverable content: the Security Templates console, showing the C:\WINDOWS\security\templates path with the templates compatws, DC security, hisecdc, hisecws, iesacls, rootsec, securedc, securews, and setup security, and the hisecdc nodes Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System. The right pane reads "There are no items to show in this view."]
Passport Authentication
Passport authentication is a significant step for IIS 6 administration. Microsoft Passport provides another authentication method for IIS. However, with Passport, the administrators of the website do not have to maintain account information, and the users of the website do not have to remember a specific account name and password for the site. It is convenient for both the web administrator and the user. While there is increased convenience, there is also increased risk because web...
Configuring the Trusted Root Certification Authorities List Using Group Policy
In this exercise, you will add an offline root CA's certificate to the Trusted Root Certification Authorities list using Active Directory Group Policies. 1. Choose Start > Administrative Tools > Active Directory Users And Computers to open Active Directory Users And Computers. 2. Right-click your domain and choose Properties from the shortcut menu. 4. Click the Default Domain Policy and then click the Edit button. 5. Expand the Computer Configuration folder, the Windows Settings folder, the...
Configuring Anonymous Authentication in IIS
In this exercise, you will configure an IIS 6 web server to use Anonymous authentication. 1. On the IIS server, choose Start > Administrative Tools > Internet Information Services (IIS) Manager to open Internet Services Manager. 2. Expand Server to expose the sites, if necessary, and then right-click any site on which you want to use Anonymous authentication. For example, the Default Web Site will work just fine. Right-click the site and then choose Properties from the shortcut menu to open the...
Viewing Published Certificates and CRLs in Active Directory
In this exercise, you will go through the steps to properly view the published certificates and CRLs in Active Directory. 1. Choose Start > Administrative Tools > Active Directory Sites And Services to open the AD Sites And Services window. 2. Choose View > Show Services Node. Expand the Services folder, expand the Public Key Services folder, and then click AIA to view the certificates that have their AIA information in Active Directory (the root CA, the intermediate CA, and the enterprise CA)...
Understanding Windows Events
When Windows Server 2003 boots up, logging begins automatically in several logs. A log is a file that holds event information for later review. Auditing is the process of extrapolating events from a log file to ascertain what has happened on the network. An event is a significant occurrence in the system or in an application that should be recorded for later review. Events can be recorded in the following logs: Application: The Application Log is the location where applications record their...
Using Multiple DNS Names
Let's say you are the network administrator for a company that uses Outlook Web Access so that many people can access their e-mail from outside the office without having to install Outlook or configure Outlook Express. The problem is that you have heard that many people in the company have been told to use https://owa.companyname.com/exchange to access their e-mail, and others have been told to use https://email.companyname.com/exchange. Because the certificate was purchased for the email....
User Rights Assignment
You use the User Rights Assignment node to assign user and/or group rights to perform activities on the network (see Figure 1.10). To configure user rights, select the User Rights Assignment node and then double-click the right that you want to configure in the right pane. Select the Define These Policy Settings In The Template check box, and then add the users and/or groups to the setting. Click OK to display the new settings next to the right in the Computer Setting column in the right pane. In...
FIGURE The Administrator Properties dialog box in mixed mode
[Screenshot residue; recoverable content: the Dial-in tab of the Administrator Properties dialog box (tabs: General, Address, Account, Profile, Telephones, Organization, Member Of, Dial-in, Environment, Sessions, Remote Control, Terminal Services Profile), showing Remote Access Permission (Dial-in or VPN), Control Access Through Remote Access Policy, Callback Options (Set By Caller, Always Callback To), Assign A Static IP Address, and Apply Static Routes.] FIGURE 8.11 The Administrator Properties dialog box in native mode
Add a Certificate with Trust List Signing Capabilities
To add the Trust List Signing certificate template, follow the steps in Exercise 9.6. Then follow these steps: 1. Choose Start > Run to open the Run dialog box, enter MMC in the Open box, and press Enter. 2. Choose File > Add/Remove Snap-In. 3. Click the Add button. Select the Certificates snap-in from the list and click Add. 4. Click the My User Account radio button and click Finish. 5. Click Close in the Add Standalone Snap-In window. Click OK in the Add/Remove Snap-In window. 6. Expand the...
Incremental Templates
Windows Server 2003 ships with several templates that modify only existing security settings. When working with these templates, you'll need to first have a default template applied. These templates include only modifications. They do not include the default settings, and they elevate security settings from the default settings found in the default templates. Secure templates: Two templates fall into this area: securews (workstations and servers) and securedc (domain controllers). These templates...
Managing Log Retention
In addition to ensuring that you have set each log's properties in Event Viewer correctly, you should be aware of some other best practices for auditing: Be sure to schedule regular reviews of your event logs. This is the most often missed part of using the audit logs. It is one thing to set up the audit policy and enforce it. But if the logs are never read, they are of little value to you. Obviously, the more often you review logs, the faster you can detect vulnerabilities and patch them. If...
Enabling SMB Signing
SMB signing places a digital security signature into each SMB message, which is then verified by both the client and the server to deter impersonation and man-in-the-middle attacks. SMB signing will impose a 10 to 15 percent overhead hit on each server and client due to the additional processing required for each packet. Additional bandwidth is not required, however, to implement SMB signing. SMB signing must be enabled on both the client and the server before it can be used. It is not...
Common IPSec Event Log Entries
IPSec utilizes the Windows 2000 and Windows Server 2003 event logs to record events as they occur. These events can be used to assist in troubleshooting IPSec. In particular, there are events in the system log and events in the application log that are very valuable in troubleshooting IPSec (see Table 4.1). Identifies that an IPSec policy is in use on the computer. Also provides the source of the IPSec policy (local or domain) and the polling interval. Also shows when a change to an IPSec policy...
Troubleshooting EFS
EFS, like many new technologies, requires that administrators get some experience with it so they can fix problems. Here are some guidelines: Using the copy and xcopy commands to copy EFS files to a non-EFS-capable volume, local or network, will fail with a message stating that the files cannot be copied or moved without losing their encryption. You do have the option of continuing the copy, though. Windows XP Professional, however, has some new switches for copy and xcopy that allow files to be...
Configuring GPO for Automated Certificate Distribution for Domain Controllers
In this exercise, you will set up the Group Policy Object (GPO) for the Domain Controllers organizational unit to distribute certificates to the domain controllers. 1. On an Active Directory domain controller, open the Active Directory Users And Computers MMC snap-in by choosing Start > Administrative Tools > Active Directory Users And Computers. 2. Right-click Domain Controllers and choose Properties from the shortcut menu to open the Default Domain Controller policy. Click the Group Policy...
Using QChain to Install a Series of Hotfixes
1. Place the hotfixes that need to be installed in the same folder location as the QChain utility. 2. Create a batch file that runs each hotfix as follows: set
You secure FTP and Telnet traffic using IPSec; you secure HTTP traffic using SSL
If your Unix clients need to use their native NFS (Network File System) for file services, you can design a secure resource topology in Windows by installing Services for Unix. In this scenario, the Unix clients authenticate to their own NIS (Network Information Service) server. In order for them to access files on the Windows server, you need to map the user identifier (UID) and group identifier (GID) from the NIS server to an account in AD. This mapping assigns the Unix account an SID from the domain...
Using Scripts to Deploy Templates
You can also use the command-line version of the Security Configuration and Analysis tool, secedit.exe, to deploy security templates. Specifically, you use secedit /configure to apply a stored template to one or more computers. Here are the switches and what they mean: /db filename: Use this switch, which is required, to specify the location of the database file that you want to use. The database referred to here is one that is created using the Security Configuration and Analysis tool (SCA). We'll...