Exam 70-294 Planning, Implementing, and Maintaining
a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
Goals
Introduce security configuration
Introduce auditing
Set audit policy on a domain controller
Set audit policy on a stand-alone server or computer
View the Security log
Audit user access to Active Directory objects
Assign user rights to users and groups
12.1
© 2004 Pearson Education, Inc.
Goals (2)
Implement account policy
Implement security templates
Use the Security Configuration and Analysis console
Use the Security Configuration and Analysis console to configure security
Troubleshoot security configuration issues
(Skill 1)
Introducing Security Configuration
Security configuration is the process of setting up a security policy
For an individual system
For a network
Security policies are required
Guard against unauthorized internal users
Protect from external threats
Introducing Security Configuration (2)
Use security configuration
To set up security policies
Account
Local
To create access control policies
Services
Registry
Files
Introducing Security Configuration (3)
Use security configuration
To define event log settings
To determine group membership settings (restricted groups)
To create public key policies
To set Internet Protocol (IP) security policies
Introducing Security Configuration (4)
Factors to consider while designing security policies
Physical distribution of the network
Business model of the organization
Network load due to inter-computer dataflow and access
Overall computer usage
Introducing Security Configuration (5)
Windows Server 2003 Security Configuration tools
Group Policy Object Editor is used to apply security settings centrally for the computers in a domain.
Use the Security Settings extension in the Group Policy Object Editor to apply different categories of security policies
Figure 12-1 Security extension of the Group Policy Object Editor
Introducing Security Configuration (6)
Categories of security policies
Account policies
Can only be set for the entire domain
Password policy
Account lockout policy
Kerberos policy
Figure 12-2 Password Policy settings
Introducing Security Configuration (7)
Categories of security policies
Local policies
Audit policy
User rights assignment
Security options
Introducing Security Configuration (8)
Categories of security policies
Event log allows you to specify security log settings
Maximum size of the event log file
Logging options
Event log access rights
Introducing Security Configuration (9)
Categories of security policies
Restricted Groups allows you to define additional control over the membership of key groups
Defining a group as a restricted group
Setting the membership for the group
Configuring member groups and users for the restricted group
Introducing Security Configuration (10)
Categories of security policies
System Services allows you to configure the startup settings for services on a computer
Startup mode settings: Automatic, Manual, and Disabled
Can specify which security group or user can modify a service's properties (start, stop, or pause)
Figure 12-3 System Services security settings
Introducing Security Configuration (11)
Categories of security policies
Registry
Registry security settings allow you to set permissions for users to read, modify, and add new keys to the Registry
File System
Allows you to set access permissions for folders and files on the computer
Settings only apply to computers with NTFS drives
Figure 12-4 Files and Folders permissions settings
Introducing Security Configuration (12)
Categories of security policies
Wireless Network (IEEE 802.11) Policies control network security settings for supported wireless networking devices
Public Key Policies are used to configure public key encryption
IP Security Policies are used to configure IP security for TCP/IP-based communication between servers, clients, and domain controllers using Microsoft's version of IPSec
(Skill 2)
Introducing Auditing
Auditing is used to track user activities and object access on the computers on a network
Regular auditing ensures security of network resources
Auditing can discover security breaches
Auditing can help in resource planning for the computers on the network
Introducing Auditing (2)
Steps in setting up a security audit
Determine carefully the events to be audited on each computer
Security events that can be tracked
Who logged on to a computer and when?
What files were accessed or folders were created?
What printers were used?
What Registry keys were accessed, when, and by whom?
What actions did the users attempt to perform on them?
Introducing Auditing (3)
Steps in setting up a security audit
Decide the computers, users, or groups to be tracked
Activate the audit object access policy
Introducing Auditing (4)
Activating the audit object access policy
Configure the audit object access policy in the Properties dialog box and the System ACL editor for the object
Select who you are going to audit
Choose what file system actions you want to monitor in the SACL editor for the file or folder
Introducing Auditing (5)
Monitoring a particular event
Define an audit policy in the Audit Policy folder
The audit policy tells the operating system what to record in the Security event log on each computer
On a domain controller, modify the default domain policy by using the Group Policy Management console
Only Domain Administrators and Enterprise Administrators can configure auditing at the domain level
Figure 12-5 Audit policy
Introducing Auditing (6)
Audited events are stored in the Security event log
Success and failure can both be recorded
The Security log can be viewed using the Event Viewer
The Security log entries allow identification of existing security problems in the overall network, as well as on individual computers
Figure 12-6 The Security Event log
(Skill 3)
Setting Audit Policy on a Domain Controller
Unauthorized access to a domain must be monitored
Set up an audit policy on a domain controller by configuring Group Policy
Link the GPO to the default Domain Controllers OU
You must have the Manage auditing and security log right on the system to configure auditing
Setting Audit Policy on a Domain Controller (2)
Setting up auditing is a two-step process
Step 1
Configure the audit policy to track particular events, for success, for failure, or both
Step 2
Open the specific resource you wish to audit
Enable auditing by selecting the type of event you want to track and the user group or groups for which you want to track that event
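The two-step process on the slide is easy to get half right: an Auditing tab full of entries produces nothing while the Audit object access policy is off, and an enabled policy produces nothing for an object whose SACL is empty. The following Python is an added example (not code from the Pearson slides or from Windows) that models both gates; the access-mask bits, group names and the sample SACL are constructed for illustration.

```python
"""Added example, not from the Pearson slides: the two-step object-access audit
decision.  A Security log entry for object access is produced only when BOTH
steps on the slide hold: (1) the 'Audit object access' policy is on for the
outcome (success or failure) and (2) the object's SACL carries an audit entry
that names one of the caller's groups and covers the action attempted.
All names, access-mask bits and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed access-mask bits (real NTFS masks are wider and differ).
READ_DATA = 0x1
WRITE_DATA = 0x2
DELETE = 0x4


@dataclass(frozen=True)
class AuditAce:
    """One entry in an object's System ACL (what the Auditing tab edits)."""
    trustee: str        # group or user the entry applies to
    access_mask: int    # actions the entry audits
    on_success: bool
    on_failure: bool


@dataclass(frozen=True)
class AuditPolicy:
    """The 'Audit object access' setting from the Audit Policy folder."""
    object_access_success: bool = False
    object_access_failure: bool = False


def audit_entries(policy: AuditPolicy, sacl: Iterable[AuditAce],
                  caller_groups: Set[str], requested_mask: int,
                  succeeded: bool) -> List[AuditAce]:
    """Return the SACL entries that would cause an event to be logged."""
    # Step 1: the policy gate.  With the policy off, SACL entries are inert.
    if succeeded and not policy.object_access_success:
        return []
    if not succeeded and not policy.object_access_failure:
        return []
    # Step 2: the object's SACL must ask for this trustee, action and outcome.
    hits = []
    for ace in sacl:
        if ace.trustee not in caller_groups:
            continue
        if not (ace.access_mask & requested_mask):
            continue
        if (succeeded and ace.on_success) or (not succeeded and ace.on_failure):
            hits.append(ace)
    return hits


# Constructed SACL for a folder such as "Annual Reports" (Figure 12-10):
# log failed deletes by anyone, and every write by the Staff group.
SAMPLE_SACL = [
    AuditAce("Everyone", DELETE, on_success=False, on_failure=True),
    AuditAce("Staff", WRITE_DATA, on_success=True, on_failure=True),
]


def demo() -> dict:
    """Show the gate: the same SACL with and without the policy enabled."""
    groups = {"Everyone", "Staff"}
    policy_off = AuditPolicy()
    policy_on = AuditPolicy(object_access_success=True, object_access_failure=True)
    return {
        "policy off, failed delete": len(audit_entries(policy_off, SAMPLE_SACL, groups, DELETE, False)),
        "policy on, failed delete": len(audit_entries(policy_on, SAMPLE_SACL, groups, DELETE, False)),
        "policy on, successful read": len(audit_entries(policy_on, SAMPLE_SACL, groups, READ_DATA, True)),
    }


if __name__ == "__main__":
    for case, count in demo().items():
        print(f"{case}: {count} audit event(s)")
```

The third demo case is the one worth remembering when tuning noise: a successful read generates nothing here because no SACL entry asks for reads, even though the policy audits successes, so enabling "Audit object access" alone does not flood the log; the SACL entries decide what is written.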
Figure 12-7 Creating a GPO
Figure 12-8 The Audit account logon events Properties dialog box
Figure 12-9 The Audit object access Properties dialog box
Figure 12-10 Advanced Security Settings for Annual Reports
Figure 12-11 Selecting the actions to be audited
Figure 12-12 A Security warning dialog box
(Skill 4)
Setting Audit Policy on a Stand-Alone Server or Computer
Problems auditing stand-alone servers and workgroup computers running Windows 2000 or XP Professional
They do not belong to a domain
A domain controller-based audit policy cannot be applied to them
Stand-alone computers and the network computers may be able to access each other and hence require monitoring
Setting Audit Policy on a Stand-Alone Server or Computer (2)
Audit policy should be set for stand-alone computers
To monitor network access attempts
To monitor local security events
Figure 12-13 Audit Policy in the Local Security Settings console
Figure 12-14 Enabling auditing for local logon attempts
Figure 12-15 Updating local security policy
(Skill 5)
Viewing the Security Log
Problems with implementation of audit policies
Increases the overhead on a computer
Slows down CPU performance
Security event log can become inundated with entries
Solutions
Set a schedule for checking the Security log regularly
Specify a maximum file size for the Security log
Viewing the Security Log (2)
Be aware when the Security log reaches the maximum file size
You may lose data if the log becomes full before you archive it
Archiving is the process of saving a history of events so you can track trends in resource usage
When the log is full, the operating system will stop recording events
Figure 12-16 The Security Log Properties dialog box
Viewing the Security Log (3)
Set filters to control what is recorded in the log
Event type: Information, Warning, Error, Success audit, or Failure audit
Event source: Choose a particular source, such as Spooler, LSA (Local Security Authority), or SC (Service Control) Manager
Category: Account Logon, Account Management, Directory Service Access, Privilege Use, Object Access events, and so on
Event ID
User
Computer
Specific time periods
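The filter criteria listed above combine as an AND: each field you fill in narrows the set of entries. The Python below is an added example (not from the Pearson slides or from Event Viewer) that applies the same criteria to Security log entries in code and builds the two views an administrator checks first, failed logons per user and audit policy changes. The log entries are constructed; the event IDs 528, 529, 560 and 612 are the Windows Server 2003 Security log IDs for a successful logon, a bad-password logon failure, an object open and an audit policy change.

```python
"""Added example, not from the Pearson slides: the Event Viewer filter
criteria (event type, source, category, event ID, user, computer, time
period) applied to Security log entries.  The entries are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SecurityEvent:
    time: datetime
    event_type: str    # "Success Audit" or "Failure Audit" in the Security log
    source: str        # Security log audit entries carry the "Security" source
    category: str      # e.g. "Logon/Logoff", "Object Access", "Policy Change"
    event_id: int
    user: str
    computer: str


def _ev(ts: str, etype: str, category: str, event_id: int, user: str, computer: str) -> SecurityEvent:
    return SecurityEvent(datetime.fromisoformat(ts), etype, "Security", category, event_id, user, computer)


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    _ev("2004-03-01T07:30:00", "Failure Audit", "Logon/Logoff", 529, "mbrown", "WS02"),
    _ev("2004-03-01T08:00:00", "Failure Audit", "Logon/Logoff", 529, "jsmith", "WS01"),
    _ev("2004-03-01T08:01:00", "Failure Audit", "Logon/Logoff", 529, "jsmith", "WS01"),
    _ev("2004-03-01T08:02:00", "Failure Audit", "Logon/Logoff", 529, "jsmith", "WS01"),
    _ev("2004-03-01T08:05:00", "Success Audit", "Logon/Logoff", 528, "jsmith", "WS01"),
    _ev("2004-03-01T08:10:00", "Success Audit", "Object Access", 560, "mbrown", "FS01"),
    _ev("2004-03-01T09:00:00", "Success Audit", "Policy Change", 612, "Administrator", "DC01"),
]


def filter_events(events: Iterable[SecurityEvent], *,
                  event_type: Optional[str] = None, source: Optional[str] = None,
                  category: Optional[str] = None, event_id: Optional[int] = None,
                  user: Optional[str] = None, computer: Optional[str] = None,
                  start: Optional[datetime] = None, end: Optional[datetime] = None
                  ) -> List[SecurityEvent]:
    """Keep entries matching every criterion given (None = no restriction).
    Like the Filter tab, the criteria are ANDed; start/end are inclusive."""
    out = []
    for e in events:
        if event_type is not None and e.event_type != event_type:
            continue
        if source is not None and e.source != source:
            continue
        if category is not None and e.category != category:
            continue
        if event_id is not None and e.event_id != event_id:
            continue
        if user is not None and e.user != user:
            continue
        if computer is not None and e.computer != computer:
            continue
        if start is not None and e.time < start:
            continue
        if end is not None and e.time > end:
            continue
        out.append(e)
    return out


def failed_logons_per_user(events: Iterable[SecurityEvent], since: datetime) -> Dict[str, int]:
    """Count Failure Audit logon entries per user since a given time: the view
    an administrator builds to spot password guessing before lockout hits."""
    counts: Dict[str, int] = {}
    for e in filter_events(events, event_type="Failure Audit", category="Logon/Logoff", start=since):
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


def policy_changes(events: Iterable[SecurityEvent]) -> List[SecurityEvent]:
    """Audit policy changes (event 612) deserve their own view: a log that
    suddenly stops showing failures may mean auditing was switched off."""
    return filter_events(events, event_id=612)


if __name__ == "__main__":
    print(failed_logons_per_user(SAMPLE_LOG, datetime(2004, 3, 1, 7, 45)))
    for e in policy_changes(SAMPLE_LOG):
        print(e.time, e.computer, e.user, "changed audit policy")
```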
Figure 12-17 The Filter tab in the Security Properties dialog box
Figure 12-18 The Security log
Figure 12-19 Filtering the Security log
Figure 12-20 Viewing event details box
(Skill 6)
Auditing User Access to Active Directory Objects
Active Directory objects
Are the essential building blocks of a Windows Server 2003 network
Include users, computers, OUs, groups, published printers, and so on
Audit policies for Active Directory objects
Are set based explicitly on their functionality
An audit policy set for an Active Directory object is inherited by its child objects through Policy Inheritance by default
Figure 12-21 The Auditing tab
Figure 12-22 Setting printer audit policy
(Skill 7)
Assigning User Rights to Users and Groups
User rights are different from permissions
Permissions allow a user access to certain resources
User rights allow the user to perform certain restricted actions, such as shutting down the system or logging on locally
Assigning User Rights to Users and Groups (2)
User Rights Assignment policy is used to grant users rights
Rights should be assigned to groups for ease of administration
Users can be added to the group to grant them the same level of user rights
Assign user rights to allow particular users to carry out specific functions
This increases the security of the system
Figure 12-23 User rights assignments
Figure 12-24 Adding a group to assign user rights
Figure 12-25 The Access this computer from the network Properties dialog box
(Skill 8)
Implementing Account Policy
Account policies
Used to set the user account properties that control the logon process
Types of policies
Account lockout policies
Password policies
Kerberos policies
Implementing Account Policy (2)
Configuring account policies
Group Policy Object Editor snap-in
Group Policy Management console (GPMC)
Implementing Account Policy (3)
Account lockout policy
The objective of the policy is to prevent users from guessing passwords
There is immediate replication of Active Directory data between Windows Server 2003 domain controllers when an account is locked out
Implementing Account Policy (4)
Account Lockout policy is configured by setting the following policies
Account lockout threshold: Specify the number (0 to 999) of allowed invalid logon attempts
Account lockout duration: Specify the time duration (0 to 99999 minutes) during which the account remains locked out
Reset account lockout counter after: Set the time (1 to 99999 minutes) that must elapse after an invalid logon attempt before the account lockout counter is reset to 0
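The three settings only make sense together: the threshold counts bad attempts, the reset window decides how long a bad attempt keeps counting, and the duration decides how long a lockout lasts. The Python below is an added example (not from the Pearson slides or from Windows) that models the counter so the interaction can be traced on constructed attempt timings; it also covers the two zero values the slide's ranges allow, a threshold of 0 (never lock out) and a duration of 0 (locked until an administrator unlocks the account).

```python
"""Added example, not from the Pearson slides: how the Account lockout
threshold, duration and reset-counter settings interact, modelled on the
behaviour of the Windows lockout counter.  Times and accounts are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int            # Account lockout threshold (0-999); 0 = never lock out
    duration_minutes: int     # Account lockout duration (0-99999); 0 = until an admin unlocks
    reset_after_minutes: int  # Reset account lockout counter after (1-99999)


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy

    def is_locked(self, state: AccountState, now: datetime) -> bool:
        if state.locked_at is None:
            return False
        if self.policy.duration_minutes == 0:
            return True   # stays locked until unlock() is called
        return now < state.locked_at + timedelta(minutes=self.policy.duration_minutes)

    def unlock(self, state: AccountState) -> None:
        """What an administrator does on the account's properties page."""
        state.locked_at = None
        state.bad_count = 0
        state.last_bad = None

    def record_attempt(self, state: AccountState, now: datetime, password_ok: bool) -> str:
        """Return 'locked', 'rejected' or 'accepted' for one logon attempt."""
        if self.is_locked(state, now):
            return "locked"       # even the correct password is refused while locked
        if state.locked_at is not None:
            self.unlock(state)    # duration elapsed: automatic unlock, counter cleared
        if password_ok:
            state.bad_count = 0
            state.last_bad = None
            return "accepted"
        # The counter restarts once the reset window has passed since the last bad attempt.
        if (state.last_bad is not None
                and now - state.last_bad >= timedelta(minutes=self.policy.reset_after_minutes)):
            state.bad_count = 0
        state.bad_count += 1
        state.last_bad = now
        if self.policy.threshold and state.bad_count >= self.policy.threshold:
            state.locked_at = now
            return "locked"
        return "rejected"


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """attempts: (minutes after start, password_ok) pairs for one account."""
    tracker, state = LockoutTracker(policy), AccountState()
    start = datetime(2004, 3, 1, 9, 0)   # constructed start time
    return [tracker.record_attempt(state, start + timedelta(minutes=m), ok) for m, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, duration_minutes=30, reset_after_minutes=30)
    attempts = [(0, False), (1, False), (2, False), (3, False), (4, False), (10, True), (35, True)]
    print(simulate(policy, attempts))   # ['rejected', 'rejected', 'rejected', 'rejected', 'locked', 'locked', 'accepted']
```

The run in the block shows the part that surprises users: the correct password at minute 10 is still refused because the 30-minute duration has not elapsed, while at minute 35 the lock has expired and the counter is clear. Windows requires the reset window to be no longer than the duration when the duration is non-zero, which the dialog box enforces (the Suggested Value Changes dialog box in Figure 12-28 is where such adjustments are proposed).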
Implementing Account Policy (5)
Password policy
Allows you to specify how users must manage their passwords
Factors to be considered
Password history
Password age
Password length
Complexity requirements
Encryption and storage methods
Implementing Account Policy (6)
Kerberos policies
The Kerberos V5 authentication protocol is implemented through a Key Distribution Center (KDC)
They are applicable to domain user accounts or computer accounts only
They define settings such as ticket lifetimes and logon restriction enforcement
Figure 12-26 The Kerberos policies
Implementing Account Policy (7)
Kerberos policy settings
Enforce user logon restrictions policy: If enabled, the KDC performs certain checks before issuing a session ticket
Validity of the user account
User rights policy on the target computer
Maximum lifetime for service ticket: Sets the maximum length of time for a Logon Session Ticket
Maximum lifetime for user ticket: Sets the maximum length of time that the Ticket Granting Ticket (TGT) will be valid
Maximum lifetime for user ticket renewal: Sets the maximum lifetime for both the Ticket Granting Ticket (TGT) and the Logon Session Ticket
Implementing Account Policy (8)
Kerberos policy settings
Maximum tolerance for computer clock synchronization
Sets the maximum number of minutes that the clock on the KDC can be different from the clock on the Kerberos client
This acts as a deterrent to replay attacks
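The four lifetime settings from the previous two slides and the clock-skew tolerance above fit together as a small set of rules: a TGT is valid for the user-ticket lifetime, can be renewed only while still valid and never beyond the renewal lifetime, a service ticket can never outlive the TGT it was obtained with, and an authenticator timestamp outside the skew window is rejected. The Python below is an added example (not from the Pearson slides or from the Windows KDC) that applies those rules; the defaults it uses (600 minutes, 10 hours, 7 days, 5 minutes) are the Windows Server 2003 defaults, which the slides do not state, and the timestamps are constructed.

```python
"""Added example, not from the Pearson slides: Kerberos policy settings applied
to ticket lifetimes and the clock-skew check.  Ticket model simplified to the
fields these settings govern; timestamps constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KerberosPolicy:
    max_service_ticket_minutes: int = 600  # Maximum lifetime for service ticket
    max_user_ticket_hours: int = 10        # Maximum lifetime for user ticket (TGT)
    max_renewal_days: int = 7              # Maximum lifetime for user ticket renewal
    max_clock_skew_minutes: int = 5        # Maximum tolerance for computer clock synchronization


@dataclass(frozen=True)
class Ticket:
    kind: str             # "TGT" or "service"
    start: datetime
    end: datetime         # after this the ticket no longer authenticates
    renew_till: datetime  # absolute cap: no renewal extends a ticket past this


def is_valid(ticket: Ticket, now: datetime) -> bool:
    return ticket.start <= now < ticket.end


def issue_tgt(policy: KerberosPolicy, now: datetime) -> Ticket:
    return Ticket("TGT", now,
                  now + timedelta(hours=policy.max_user_ticket_hours),
                  now + timedelta(days=policy.max_renewal_days))


def renew_tgt(policy: KerberosPolicy, tgt: Ticket, now: datetime) -> Ticket:
    """A TGT can be renewed only while still valid, and never past renew_till."""
    if not is_valid(tgt, now) or now >= tgt.renew_till:
        raise ValueError("ticket expired or renewal lifetime exhausted")
    new_end = min(now + timedelta(hours=policy.max_user_ticket_hours), tgt.renew_till)
    return Ticket("TGT", now, new_end, tgt.renew_till)


def issue_service_ticket(policy: KerberosPolicy, tgt: Ticket, now: datetime) -> Ticket:
    """Service ticket lifetime is bounded by the policy and by the TGT's own end."""
    if not is_valid(tgt, now):
        raise ValueError("TGT not valid at this time")
    end = min(now + timedelta(minutes=policy.max_service_ticket_minutes), tgt.end)
    return Ticket("service", now, end, end)


def authenticator_accepted(policy: KerberosPolicy, client_time: datetime, server_time: datetime) -> bool:
    """Replay deterrent: an authenticator whose timestamp lies outside the skew
    window is rejected, so a captured request is only usable within that window."""
    return abs(client_time - server_time) <= timedelta(minutes=policy.max_clock_skew_minutes)


def renewals_until_cap(policy: KerberosPolicy, logon: datetime) -> int:
    """Count renewals a client gets if it renews one hour before each expiry."""
    tgt = issue_tgt(policy, logon)
    n = 0
    while tgt.end < tgt.renew_till:
        tgt = renew_tgt(policy, tgt, tgt.end - timedelta(hours=1))
        n += 1
    return n


if __name__ == "__main__":
    policy = KerberosPolicy()
    logon = datetime(2004, 3, 1, 8, 0)
    tgt = issue_tgt(policy, logon)
    print("TGT valid until", tgt.end, "renewable until", tgt.renew_till)
    print("renewals before the 7-day cap:", renewals_until_cap(policy, logon))
    print("4 min skew accepted:", authenticator_accepted(policy, logon, logon + timedelta(minutes=4)))
    print("6 min skew accepted:", authenticator_accepted(policy, logon, logon + timedelta(minutes=6)))
```

With the defaults a client that keeps renewing gets 18 renewals before the renewal lifetime runs out at the 7-day mark and must obtain a fresh TGT by authenticating again; shortening "Maximum lifetime for user ticket renewal" is therefore the setting that bounds how long a logon session can be extended without re-entering credentials.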
Figure 12-27 The Account lockout threshold Properties dialog box
Figure 12-28 The Suggested Value Changes dialog box
Figure 12-29 The Enforce password history Properties dialog box
Figure 12-30 The Minimum password length Properties dialog box
Figure 12-31 The Maximum lifetime for service ticket Properties dialog box
Figure 12-32 The Suggested Value Changes dialog box for Maximum lifetime for user ticket
(Skill 9)
Implementing Security Templates
Security template
A group of security settings used to implement security in computers running Windows 2000 or later operating systems
A text-based file with an .inf file extension
You can import these templates into GPOs, and apply the set of common security settings to multiple computers with similar functionality
You can use them to save and restore the security settings of a computer
Implementing Security Templates (2)
Windows Server 2003 provides several predefined security templates located in the folder %Systemroot%\Security\Templates
The predefined security templates have four standard security levels
Basic
Compatible
Secure
Highly Secure
Figure 12-33 The predefined security templates
Implementing Security Templates (3)
Implementing security templates consists of five steps
1. Accessing the Security Templates console
You can access the Security Templates console in an existing console by adding the Security Templates snap-in to it
You can also create a new Microsoft Management Console (MMC), and add the Security Templates snap-in to it
Implementing Security Templates (4)
Implementing security templates consists of five steps
2. Customizing a predefined security template
You can edit a predefined security template
Save the modified template as a new template
3. Defining a new security template
You can define security settings in a new customized security template according to the specific security requirements of your organization
Implementing Security Templates (5)
Implementing security templates consists of five steps
4. Importing a security template to a GPO
To apply the same security settings to multiple objects using a GPO, you can import an appropriate security template into the GPO
Implementing Security Templates (6)
Implementing security templates consists of five steps
5. Exporting security settings to a security template
You can export the initial security configuration for a computer to a security template
Similarly, the effective security settings (the security settings currently applied on the computer) for a computer can be exported to a security template
The initial security template can be used to restore the settings
Exam 70-294 Planning, Implementing, and Maintaining
a Microsoft® Windows® Server 2003 Active Directory Infrastructure
Lesson 12: Configuring Active Directory Security
(Skill 9)
Figure 12-34 Creating a new security template
(Skill 9)
Figure 12-35 Exporting policy settings to a template
(Skill 9)
Figure 12-36 Importing a security template
(Skill 10)
Using the Security Configuration and Analysis Console
Use the Security Configuration and Analysis snap-in to configure the local security settings on a computer by:
Importing a security template
Comparing the template to the currently configured computer settings
Performing a "what-if" analysis
(Skill 10)
Figure 12-37 The Security Configuration and Analysis snap-in
(Skill 10)
Using the Security Configuration and Analysis Console (2)
Analyzing the comparisons: security settings that match the database are marked with a green check mark icon; security settings that do not match are marked with a red X icon
Action: update the security settings on the computer that do not match the database settings
(Skill 10)
Figure 12-38 Importing a template
(Skill 10)
Figure 12-39 The Analyzing System Security window
(Skill 10)
Figure 12-40 System security analysis results
(Skill 11)
Using the Security Configuration and Analysis Console to Configure Security
Use the Security Configuration and Analysis tool to configure security on individual computers
Set security settings by removing or updating any inconsistencies discovered in the analysis
You can construct a composite database security template by importing templates (either predefined or customized) into the database
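The analyze-then-configure workflow of Skills 10 and 11, as an added PowerShell example that is not part of the course slides: it builds a composite database from two templates, runs the analysis against the computer, lists the settings that differ, and only configures after an operator confirms. The template paths, database path and the "Mismatch - " log line format are assumptions.

```powershell
# Added example (not part of the course slides): the Security Configuration
# and Analysis workflow with secedit.exe. Paths and the analysis log line
# format are assumptions.
$ErrorActionPreference = 'Stop'
$baseline = 'C:\SecTemplates\OrgBaseline.inf'   # assumed customized template
$extra    = 'C:\SecTemplates\Extra-Audit.inf'   # assumed second template
$db       = 'C:\SecTemplates\analysis.sdb'
$log      = 'C:\SecTemplates\analysis.log'

# Start from a fresh database: /overwrite on the first import clears old
# content; a later import without /overwrite merges into the database,
# which is how a composite database is built from several templates.
if (Test-Path $db) { Remove-Item $db }
secedit /import /db $db /cfg $baseline /overwrite /quiet
if (Test-Path $extra) { secedit /import /db $db /cfg $extra /quiet }

# Compare database vs. computer (the "what-if" analysis); nothing changes yet.
secedit /analyze /db $db /log $log /quiet

# The analysis log records each differing setting as "Mismatch - <setting>."
# (assumed format); collect those names for review.
$mismatches = @(Select-String -Path $log -Pattern '^\s*Mismatch\s*-\s*(.+?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })

if ($mismatches.Count -eq 0) {
    Write-Host 'The computer already matches the database settings.'
    return
}
Write-Host "Settings that differ from the database ($($mismatches.Count)):"
$mismatches | ForEach-Object { Write-Host "  $_" }

# /configure writes the database settings to the computer. /areas limits the
# change to the listed policy areas (here account and local policy only);
# omit it to apply every area stored in the database.
$answer = Read-Host 'Apply these settings now? (y/N)'
if ($answer -eq 'y') {
    secedit /configure /db $db /log $log /areas SECURITYPOLICY /quiet
    Write-Host "Configured. Check $log for settings that failed to apply."
}
```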
(Skill 11)
Figure 12-41 The Configure System dialog box
(Skill 11)
Figure 12-42 Configuring Computer Security
(Skill 11)
Figure 12-43 Editing a configuration setting
(Skill 11)
Figure 12-44 The edited security settings
(Skill 12)
Troubleshooting Security Configuration Issues
Improving the success rate for network security
Examine the level of security requirements for the network: a high level of security reduces efficiency and increases cost and administrative effort, while a low level of security leads to unauthorized access, which can have serious repercussions
Identify existing and potential problems in the Security event log and update the security settings accordingly
(Skill 12)
Troubleshooting Security Configuration Issues (2)
Improving the success rate for network security
Determine network usage for certain resources that may cause problems in the future
Identify security patterns that may cause problems in the future
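Reviewing the Security event log for problem patterns, as an added PowerShell example that is not part of the course slides: it counts failure audits from the last day by event ID and flags accounts with repeated failures. The review window, threshold and the "User Name:" message field it parses are assumptions; Get-EventLog with -After and -EntryType needs PowerShell 2.0 or later.

```powershell
# Added example (not part of the course slides): summarize failure audits in
# the Security log to find accounts or policy areas generating repeated
# failures. Window, threshold and message parsing are assumptions.
$since     = (Get-Date).AddHours(-24)   # review window (assumption)
$threshold = 10                          # failures per account worth a look (assumption)

$failures = @(Get-EventLog -LogName Security -EntryType FailureAudit -After $since)
Write-Host "$($failures.Count) failure audits since $since"

# Which event IDs dominate tells you which audit category is noisy or
# which policy (logon, object access, policy change) is being tripped.
$failures | Group-Object InstanceId | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Pull the target account from the message text (assumed "User Name:" field
# of the 2003-era logon failure events) and flag accounts over the threshold.
$byAccount = $failures |
    ForEach-Object { if ($_.Message -match 'User Name:\s+(\S+)') { $Matches[1] } } |
    Group-Object | Where-Object { $_.Count -ge $threshold } | Sort-Object Count -Descending

foreach ($acct in $byAccount) {
    Write-Host ('{0,-30} {1,5} failures' -f $acct.Name, $acct.Count)
}
if (-not $byAccount) { Write-Host "No account reached $threshold failures in the window." }
```

Accounts that appear here are the starting point for updating account lockout or audit settings, or for checking whether a service or user is simply misconfigured.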
(Skill 12)
Figure 12-45 Security audit event details