Securing Domain Controllers

The domain controller role introduces some security concerns that are not present in other roles. With other roles, much of the security configuration that we perform has to do with securing file systems and defining appropriate methods of authentication, followed by changes limiting local access to resources. These resources, of course, can be such things as files and folders, printers, and other resources we might choose to make available to the users from our organization or to the public,...

Chapter Managing Group Policy in Windows

You have created and linked a single GPO to your Windows Server 2003 domain to apply various security settings to your client workstations, as well as redirecting the contents of each user's C:\Documents and Settings\username\My Documents folder to a central server location of \\FILESERVER1\DOCS\username\My Documents. This server share is backed up every night; no client systems are included in the backups. You have several users in a remote branch office that is connected to the corporate...

When to Use a Global Catalog

You have very little choice about having a global catalog. A global catalog is automatically created when you install the first domain controller in the root domain of a new forest. When you have multiple domains in the forest, the global catalog provides users a way of finding the resources within other domains. The global catalog also provides universal group membership information in processing logons so that a user's credentials can be accurately determined. You can, of course, choose how...

DNS Security Guidelines

Authority to an internal DNS server that will manage internal.widgets.zom. Of course, you could always take this a step further, as we did earlier in this chapter, and create an internal domain that does not directly comply with Internet standards, such as our widgets.home internal DNS namespace. Now, once the internal DNS server has been configured inside your network and the DNS database has been populated, you will want to have the two DNS servers possess the ability to communicate with one...

Delegation of RSoP Query Control

1. Click Start | Administrative Tools | Active Directory Users and Computers to open the console. 2. Navigate in the directory tree to the OU where you will be delegating control so that the users you select will be able to run RSoP on this OU and below. 3. Right-click the OU and select Delegate Control from the context menu. 4. You will see the welcome screen of the Delegation of Control Wizard. Click Next. 5. The first dialog box is the Users or Groups page. Click Add. 6. Add the name(s) of the users or groups...

Configuring Conditional Forwarding for Internet Resolution

In this exercise, let's use our example of Widgets' partnership with Worldwide Distribution Inc. You need to set up your DNS servers to forward DNS name resolution for Worldwide Distribution resources directly to the Worldwide DNS servers. Worldwide Distribution has three DNS servers (172.16.1.1) (172.16.1.2). In this exercise, we point the Elwood server directly to the three servers at Worldwide Distribution. 1. Open the DNS management console on the Elwood server. 2. Right-click the Elwood...

Creating an Extensive Defense Model

Than relying solely on a hardware firewall and nothing else, defense in depth would also utilize strong passwords as well as other security mechanisms on local client PCs in the event that the firewall is compromised. The idea here is to create a series of security mechanisms so that if one of them is circumvented, other systems and procedures are already in place to help impede an attacker. Microsoft refers to this practice as an extensive defense model. The key points of this model are the...

Creating a Forest Trust Relationship

In order to create a forest trust relationship, you must have two forests whose root domains can communicate with each other. Both forests must be set to the Windows Server 2003 forest functional level, described in the following section. To create the forest trust: 1. Click Start | Administrative Tools | Active Directory Domains and Trusts. 2. In the left pane, navigate to the root domain of the forest. 3. Right-click the root domain and select Properties from the popup menu. 5. Click New Trust to...

Creating an Issuer Policy Statement

We are discussing issuer policy statements as part of the installation process, but technically they need to be configured before Certificate Services is installed. By configuring your CA to present its policy statement, users can see the policy statement by viewing the CA's certificate and clicking Issuer Statement. However, for the policy statement to appear, the file CAPolicy.inf must be properly configured and placed in the %systemroot% directory (typically C:\WINDOWS). Before you implement...

Using IEEE 802.1X Authentication

The IEEE 802.1X standard is still relatively new in relation to the IEEE 802.11 standard, and the security research community has only recently begun to seriously evaluate the security of this standard. One of the first groups to investigate the security of the 802.1X standard was the Maryland Information Systems Security Lab (MISSL) at the University of Maryland at College Park. This group, led by Dr. William Arbaugh, was the first to release a paper documenting flaws in the IEEE 802.1X...

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix. 1. You are assigning the newest member of your staff responsibility for a new file server running Windows Server 2003. He will be an Administrator on the server, and you want him to be able to ask for help from his coworkers so that they can walk him through steps to resolve any...

Installing a Smart Card Reader

Most smart card readers are Plug-and-Play compatible under the Windows Server 2003 software family, so their actual installation is relatively straightforward. If you're using a reader that is not Plug-and-Play compatible or that has not been tested by Microsoft, you need to obtain installation instructions from the card reader's manufacturer. As of this writing, the smart card readers listed in Table 5.1 are supported by Windows XP and Windows Server 2003. The corresponding device drivers will...

Using the Resultant Set of Policy Wizard

For every object you want to assess, you need to add the RSoP snap-in and run through the Resultant Set of Policy Wizard. The wizard will prompt you for the information required to adequately assess the cumulative effect of the application of multiple Group Policies. Do the following: 1. Start to configure RSoP through the wizard. Once the snap-in has been added, the Resultant Set of Policy Wizard launches automatically. The Welcome screen is displayed in Figure 9.20. Click Next to proceed....

CAPICOM

Microsoft describes CAPICOM as a new COM client that uses CryptoAPI and PKI to perform cryptographic operations such as signing data, verifying digital signatures, encrypting data for specific receivers, and managing digital certificates. In case you're unfamiliar with COM concepts, Component Object Model (COM) is a framework for providing interoperability in developing program component objects. COM provides a set of interfaces that allow clients and servers to communicate within the same...

DNS Footprinting

Unlike a DoS attack, DNS footprinting is a passive attack. DNS footprinting occurs when a hacker obtains DNS zone information from your DNS server in order to gather naming and IP information for resources within your network. Typically, host names represent the type of function of a particular resource. For instance, exchange.boston.us.na.widgets.home can easily be interpreted as the Microsoft Exchange e-mail server for the Boston office of Widgets Inc. In a footprinting attack, the attacker...

Passive Attacks

A passive attack occurs when someone listens to or eavesdrops on network traffic. Armed with a wireless network adapter that supports promiscuous mode, the eavesdropper can capture network traffic for analysis using easily available tools, such as Network Monitor in Microsoft products, tcpdump in Linux-based products, or AirSnort (developed for Linux and Windows). A passive attack on a wireless network might not be malicious in nature. In fact, many in the war-driving community claim their...

Planning for Disaster Recovery

If you follow current events, the widespread effects of any disaster will become clear to you rather quickly. Equipment, data, and personnel can be destroyed and staggering amounts of money lost by individual businesses, the economic after-effects of which can be felt internationally on a regular basis. Some companies can tolerate a certain amount of downtime, but some never recover and find themselves out of business. A disaster recovery plan identifies potential threats against your network,...


Chapter

Implementing PKI in a Windows Server 2003 Network
Exam objectives covered in this chapter:
5.1 Configure Active Directory directory services for certificate publication.
5.2 Plan a public key infrastructure (PKI) that uses Certificate Services.
5.2.1 Identify the appropriate type of certificate authority to support certificate issuance requirements.
5.2.2 Plan the enrollment and distribution of certificates.
5.2.3 Plan for the use of smart cards for authentication.
Exam Objectives Frequently Asked Questions

Certification Authority Backup and Recovery

In this example, we use one of our CA servers in the Wally's Tugboats domain to back up and restore the CA's private key, CA certificate, certification database, and database log. 1. Open the Certification Authority management tool by clicking Start | Administrative Tools | Certification Authority. 2. Right-click the name of the CA. In our example, we use the certserv CA server. From the context menu, select All Tasks, and then choose Back up CA. 3. Click Next at the Welcome screen. 4. Next we need...

Configuring Autoenrollment

As we mentioned, you first need to configure your domain controller as a root CA or an enterprise subordinate CA. If you have not yet done this, you can refer back to Exercise 4.01 and install Certificate Services on your domain controller. Let's begin configuring our CA for autoenrollment: 1. Click Start | Administrative Tools | Certification Authority. When the Certification Authority management tool opens, right-click Certificate Templates and click Manage (see Figure 4.20). The certificate...

Radio Frequency Communications

The obvious and primary difference between wired and wireless networks is that wireless networks use radio waves to transmit their data across an intermediate medium, instead of pushing electrons through a wired connection. Radio waves are created by applying alternating current (AC) to an antenna to produce an electromagnetic (EM) field. Devices use the resulting radio frequency (RF) field for broadcast and reception. In the case of wireless networks, the medium for communications is the EM...

Chapter Planning Security for a Wireless Network

You are opening an Internet café and want to provide wireless access to your patrons. How would you configure your wireless network settings on your AP to make it easiest for your patrons to connect? (Choose all that apply.) D. Set up the network in Infrastructure mode. E. Set up the network in Ad Hoc mode. Answer: A, D. Answer A is correct because wireless clients will be able to scan for and detect the SSID when they start configuring their devices. Answer D is correct because infrastructure mode is...

Assigning and Processing Wireless Network Policies in Group Policy

Wireless Network Policies can be assigned from and stored in Active Directory, as part of Group Policy, or assigned and stored locally on a computer. When a computer is joined to an Active Directory domain, the domain-level Wireless Network Policy applies. If a computer is not joined to an Active Directory domain, the local Group Policy settings apply. Group Policy settings are contained in Group Policy objects (GPOs), which are linked with specific Active Directory objects (sites, domains, and...

Securing Application Servers

Installation or creation of the application server role in Windows Server 2003 installs IIS 6.0 on the server in its default security configuration. In the case of IIS 6.0, this means that it is installed in a much tighter configuration than was provided with IIS 5.0. IIS 6.0 is not part of the default installation of Windows Server 2003 except in the Web Edition. Due to the fact that we are installing Web Services with this role configuration, we must be very cognizant of the changes that occur...

IP Security

IP security, and in particular the use of IPSec to provide that protection, has become a popular topic since the introduction of Windows 2000. In Windows Server 2003, improvements have been made to the technology to make it even more usable and capable of protecting data transmitted over networks. IP security has allowed the network and system administrator to more fully secure the data between the server and host machines in the network, at the same time providing a framework for security that...

Securing DHCP Servers

Incorrectly configured and protected DHCP servers present a very real and potentially serious access point to your internal network and all the resources that are available within. At the least, the potential exists that network communications could be disrupted. DHCP servers respond to all requests for service from clients that they hear on their network segment or that are relayed from other subnets through routers that support such relaying, and they do not block requests or refuse...

Other Troubleshooting Techniques

The Windows Server 2003 Resource Kit provides additional tools to assist you in troubleshooting Group Policy and underlying infrastructure and replication issues. You can view the full syntax of each command by running them from the command line using the switch. Some of the available tools are listed here. GPMonitor.exe: The Windows Server 2003 Resource Kit includes a tool that collects information every time there is an update or a refresh to Group Policies, then forwards that information to a...

Removing a Trust

If you need to delete a trust relationship between two domains, you can do so in one of two ways. From the command line, you can use the netdom Support Tools utility with the following syntax: netdom trust TrustingDomainName /d:TrustedDomainName /remove /UserD:User /PasswordD:* (UserD and PasswordD refer to a username and password, respectively, with administrative credentials for the domain that you're administering). To remove a trust using the Windows interface, follow these steps: 1. Click Start...

Resetting a Local User Account

Follow these steps to reset a local user account: 1. Log onto the workstation using the local administrator account or an account that is a member of the Domain Admins group on your Windows domain. 2. Open the Computer Management MMC console by clicking Start | All Programs | Administrative Tools | Computer Management. 3. In the left-hand pane of the Computer Management console, click Computer Management | System Tools | Local Users and Groups | Users. You'll see the screen shown in Figure 5.9. Figure 5.9...

Distributing Software

In order to distribute software to a user, you use the Software Settings in a Group Policy. When you use this capability, you are able to use any software that uses the Windows Installer natively. For all other applications that use a different installation method, you need to create a .ZAP file. A .ZAP file is simply a text file that states how to run the setup executable for an application. Many organizations use applications that are homegrown and do not conform to the Windows Installer...

Managing a Different Domain

If you have administrative rights to multiple Windows Server 2003 domains, you can manage all of them from a single desktop. For example, if you are the administrator for the airplanes.com domain, you can perform administrative functions for the fixed-wing.airplanes.com domain to cover for someone who is on vacation or on sick leave. You can also use the steps described in this section to manage any Windows 2000 domains that still exist within your Active Directory forest. To manage a different...

What Is Bdh Exam

RSoP queries can be generated through three methods: command-line invocation of the RSoP console in Logging mode, right-clicking an object within Active Directory Users and Computers, and adding the RSoP snap-in to the MMC and then generating RSoP Data for a selected location. Running queries on a computer account: In order to run a query on a computer object, you can use the Active Directory Users and Computers console. Select the computer you want to see the policies for by browsing for it and...

Global Catalog Servers

Each forest uses a single global catalog across all its domains. This global catalog acts as an index because it contains a small amount of information about the objects that exist across the entire Active Directory forest. Another task that is relegated to the global catalog is the duty of processing logons in order to allow querying of universal groups. (The logon and authentication process should be able to discover access rights through the querying of a user's universal group memberships.)...

Using Web Enrollment to Request a Certificate

In this exercise, we create a request for a Web server certificate. In order to perform this exercise, you need to have a server running Windows Server 2003 with Certificate Services installed. You can perform the exercise from either the server itself or another client with network connectivity to the server. Let's begin the exercise by opening a Web browser window: 1. In the Address window of your Web browser, type http://localhost/certsrv and press Enter if you are doing this exercise from the...

Defining Certificate Requirements

The first thing that needs to be thought out prior to implementation is to define your business requirements for the addition of a PKI. Is PKI being implemented to substantiate an overall business security policy, or does this involve a specific application need, user need, or business function? This would be the time when you need to look at the location of the user base that needs to use PKI, specifically relating to link speed and IT resources. It also brings up a valid question that should...


Network Load Balancing

Although NLB works on any version of the Windows Server 2003 operating system, your server must meet certain hardware requirements. Besides the minimum requirements for a Windows Server 2003 server which you can find at you also need between 750KB and 2MB of additional RAM per network adapter. Although you can use just one network adapter for load balancing, you will get much better performance by using a second network adapter. When your servers are configured in this way, you can use the...

Using RSoP

The Resultant Set of Policy (RSoP) function is a new feature of Group Policy management that simplifies the implementation and troubleshooting of GPOs. RSoP can query existing policies that have been applied against a site, domain, OU, or individual computer so that the results of that query can be analyzed by an administrator. RSoP can provide information regarding all possible policy settings that have been configured by an administrator, including Internet Explorer Maintenance Group Policy...

Creating a Group Policy Modeling Report

Like the Group Policy Results report discussed in the previous section, the GPMC Modeling function uses the steps that you used to generate this report via the RSoP snap-in. Simply right-click the Group Policy Modeling node and select Group Policy Modeling Wizard. Specify the computer or computer user combination you want to investigate, just as you did in Exercise 7.03, Using Resultant Set of Policy in Planning Mode. The report that appears in your details pane will look similar to the one...

Chapter Managing and Maintaining an Active Directory Infrastructure

Your Windows Server 2003 Active Directory structure contains multiple domains and child domains, as shown in the following illustration. Many of your users need to work from different locations at various points throughout the week, and they are having difficulty remembering the information that they need to enter when logging onto different domains within the network. What is the most efficient way for you to make the login process simpler for your users when they are logging onto the...

Summary of Exam Objectives

In this chapter, we covered a variety of topics relating to disaster recovery planning and prevention. Early in the chapter, we talked about the various aspects of disaster recovery, including the tools that Microsoft offers in the Windows Server 2003 operating system. Each of these tools gives you a different method to recover your server from a potential disaster state. One of those tools that we covered in great depth was Windows Backup Utility. We examined the planning process for...

Remote Assistance

Remote Assistance provides the ability for a trusted expert, who could be located anywhere, to make a remote connection to and actively assist someone in need of technical support or instruction. During a Remote Assistance session, the expert can view the client's screen and offer advice or instruction or simply fix the problem. Experts can offer both solicited and unsolicited help, but the act of taking remote control of the client's desktop and addressing the issue or providing the...

Windows Disaster Recovery

As a Windows Server 2003 MCSE, you need to know the various methods of disaster recovery that Microsoft provides. Aside from Windows backup and restore (which we talk about in the next section), several other options are available in Windows Server 2003 that can assist you in recovering a downed server. Three options that we discuss in this section are: Let's start our discussion of Windows disaster recovery tools with a look at the Windows startup options, a feature you're probably familiar with...

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com. Q: What should be the first step in planning my DNS namespace? A: First, take a look at your company as a whole. Do you have remote offices? Will they need to have DNS servers? Will these...

New Features in Terminal Services

Several new features greatly enhance the experience and security of Terminal Services and Remote Desktop for Administration. The most prominent features are: 1. Redirection of sounds from the server to the management workstation within the Remote Desktop for Administration session. 2. Enhanced integration of Terminal Services in Group Policy. 3. Display enhancements, including greater color depth and screen resolution. Audio redirection enables the reproduction of system-generated sounds on a client...

Using GPResult.exe

GPResult.exe is a command-line utility available with Windows 2000 and Windows Server 2003 that gathers and reports RSoP data for machines, similar to what you'd see in a Group Policy Results report in the GPMC. The syntax and parameters for gpresult.exe are as follows: gpresult [/s Computer [/u Domain\User [/p Password]]] [/user TargetUserName] [/scope {user | computer}] [/v] [/z]. /s Computer: Specifies the DNS name or IP address of the remote computer you want to analyze. Do not use a UNC name such as \\SERVER. If you do...

Exercise

Using MBSA to Analyze for Updates from the Command Line: 1. Open a command prompt and change to the location of the MBSA tool. By default, the tool is located in Program Files\Microsoft Baseline Security Analyzer. 2. Enter the following command to scan all computers in the domain: mbsacli /d domain_name (see Figure 8.70), or simply enter mbsacli to scan only the local machine. Other options are available for scanning, as detailed in Table 8.4. Press Enter after you have entered your scan command....

Setting up a Smart Card for User Logon

1. Log onto your workstation with a user account that has rights to the Enrollment Agent Certificate template in the domain where the user's account is located. 2. Open Internet Explorer, and browse to http://servername/certsrv, where servername is the name of the CA on your network. 3. Click Request a certificate, then click Advanced Certificate Request. You need to choose one of the following options: a Smart Card Logon certificate if you want to issue a certificate that will only be valid for...

Issuing Enrollment Agent certificates

To prepare your certification authority to issue smart card certificates, you'll first need to prepare the Enrollment Agent certificate. Before you begin, make sure that your user account has been granted the Read and Enroll permissions, as discussed in the preceding section. To create an Enrollment Agent certificate, follow the steps included here. 1. Open the Certificate Authority snap-in by clicking Start | Programs | Administrative Tools | Certification Authority. 2. In the console tree, navigate...

Select the Data Encryption (WEP enabled) check box

Click OK twice to close the open dialog boxes. 11. Double-click the desired Wireless Connection. 12. Enter the network key that your APs are using in the Network Key box. 13. Enter the network key again in the Confirm Network Key box. 14. Click OK to accept the changes. There are two authentication methods in the 802.11 standard. Open authentication is most precisely described as device-oriented authentication and can be considered a null authentication: all requests are granted. Without WEP,...

Removing a Domain

In a number of situations, you might need to remove an Active Directory domain: you might be restructuring your Active Directory environment, or reorganizing departments or locations within your company's business structure. The process of removing an Active Directory domain is relatively straightforward; however, there are a number of considerations to keep in mind before you do so. First and most obvious, removing an Active Directory domain will permanently destroy any user, group, and computer...

Permissions on Active Directory Objects or Attributes

Your life as an administrator becomes much simpler when you can assign permissions to groups or OUs rather than to individual objects. For example, if Andrew from the marketing department needs to manage the printers in his department, you can set the necessary permissions on the individual printers in the Marketing OU or on the Marketing OU itself. In the case of the former, you'll need to manually specify Andrew's permissions every time you add a new printer to the Marketing OU. However, if...

Self Test Questions Answers and Explanations

This appendix provides complete Self Test Questions, Answers, and Explanations for each chapter. Chapter 1 Implementing DNS in a Windows Server 2003 Network 1. Stephen is creating a standard primary zone for his company on a Windows Server 2003 DNS server. Stephen wants to enable secure-only dynamic DNS updates on his standard primary zone for clients within his office. Stephen opens the DNS management console and opens the Properties window of the primary zone. He notices that the only options...

Figure: Defining the Default SSID, WEP Settings and Network Mode

[Figure placeholder: the Network Properties dialog for IEEE 802.11, showing the Network name (SSID) field, the Wireless network key (WEP) section with the options "This network requires a key for the following: Data encryption (WEP enabled)" and "Network authentication (Shared mode)", the "The key is provided automatically" check box, and the "This is a computer-to-computer (ad hoc) network" check box.]

Configuring Public Key Group Policy

In Windows 2000, you learned about the advantages of using Group Policy to administer your Windows 2000 network. One area that you might not be aware of in terms of Group Policy functionality is its tie-in with PKI. Although it is not necessary for you to use PKI Group Policy settings in your organization, they give you additional flexibility and control of CA trusts and certificate issuance. Three areas that we will discuss in relation to Group Policy are: Automatic Certificate Request, Certificate...

Types of Trusts

There are several types of trusts in an Active Directory forest:
Implicit Kerberos trusts within the forest
Explicit external trusts with Windows NT 4.0 domains, domains within other forests, and Kerberos realms
The standard trust relationship in an Active Directory forest is the implicit Kerberos trust. This type of trust is bi-directional and transitive. Bi-directional means that when Domain A trusts Domain B, Domain B also trusts Domain A. Transitive means that when Domain A trusts Domain B...

Planning a Global Catalog Implementation

The global catalog is integral to the logon process. Not only is it involved with any user principal name (UPN) logon, for which the user enters a UPN name in the form of user@domain.com, but when a global catalog server is not available to a user, the user's universal group memberships cannot be resolved and the user's actual permissions are not available. Global catalog servers are also accessed whenever a user or application queries Active Directory to search for objects such as printers....

Managing the Schema

Similarly to the previous release of the operating system, the Windows Server 2003 Active Directory schema contains the definitions for all objects within Active Directory. Whenever you create a new directory object such as a user or group, the new object is validated against the schema to determine which attributes the object should possess. A printer object should have very different attributes than a user object, for example. In this way, Active Directory validates every new object that you...

Universal Group Membership Caching

Global catalog servers have a heavy impact on network traffic during replication. Allowing users to log on and query the network across WAN links can create even more load, so there is a tradeoff when you place global catalog servers at sites around the network. When users attempt to log on to the network, a global catalog server is contacted so that the user's membership within any universal groups can be resolved. This allows the logon attempt to determine the user's full rights and...

Defining a Password Policy

Using Active Directory, you can create a policy to enforce consistent password standards across your entire organization. Among the criteria that you can specify are how often passwords must be changed, how many unique passwords a user must utilize when changing his or her password, and the complexity level of passwords that are acceptable on your network. Additionally, you can specify an account lockout policy that will prevent users from logging in after a certain number of incorrect login...

Integrating DNS with Active Directory

In this exercise, we integrate the boston.us.na.widgets.home domain into Active Directory. This exercise requires you to install Active Directory onto your server. As mentioned, you might want to wait until after you read Chapters 2 and 3 to perform this exercise. If not, you can run dcpromo from a command prompt and follow the defaults. In this example, let's assume that the widgets.home parent domain is hosted in the Boston headquarters and the Elwood DNS server supports name resolution for...

Creating an External Trust With the Windows Interface

You'll create an external trust to form a nontransitive trust with a domain that exists outside your Windows Server 2003 forest. External trusts can be one-way or two-way and should be employed when users need access to resources located in a Windows NT 4.0 domain or in an individual domain of a separate Windows 2000 or Windows Server 2003 forest with which you haven't established a forest trust. You'll use an external trust instead of a forest trust if the trusting domain is running Windows NT 4.0...

Chapter Managing User Authentication

You have created an e-commerce Web application that allows your customers to purchase your company's products via the Internet. Management is concerned that customers will not feel comfortable providing their credit card information over the Internet. What is the most important step to secure this application so that your customers will feel confident that they are transmitting their information securely and to the correct Web site? A. Use IP restrictions so that only your customers' specific...

Chapter Remote Management

You are assigning the newest member of your staff responsibility for a new file server running Windows Server 2003. He will be an Administrator on the server, and you want him to be able to ask for help from his coworkers so that they can walk him through steps to resolve any issues that arise. How would you have the new server configured so that this new administrator can request Remote Assistance? A. Check the Remote Assistance box on the Remote tab in System Properties, and enable remote...

Raising the Forest Functional Level

Similar to the domain functional level, Windows Server 2003 defines forest functional levels that enable new Active Directory features applying to every domain within an Active Directory forest. When you first create a Windows Server 2003 Active Directory forest, its forest functional level is set to Windows 2000. Depending on your environment, you can consider raising the forest functional level to Windows Server 2003; however, just like the domain functional...

Exam Warning

There are too many Group Policy settings to memorize them all. However, you should be able to identify the types of Group Policy settings by sight. Not only should you be able to navigate to the correct location to apply settings such as password policies, but you should be able to identify the dialog screens for software distribution, Password Policy, Account Lockout Policy, Certificate Autoenrollment, and Folder Redirection. Within the Windows Settings of the User Configuration node, you can...

Using Security Filtering in GPMC

Before the introduction of the Group Policy Management Console, scoping a GPO to particular security principals meant opening the GPO's Security tab and granting the Read and Apply Group Policy permissions to the relevant groups. Both permissions are required for a GPO to be processed; a GPO is restricted by removing them from Authenticated Users and granting both to a narrower group. This process is greatly simplified with the GPMC. Select the Scope tab of a GPO, and click Add or Remove in the Security Filtering section to control which users, groups, and computers a given GPO applies to; the GPMC sets both permissions for you. You can see an example of this process in Figure 7.22....
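The following added example (written for this page; it is not code from the book or from Microsoft) models the decision that Security Filtering controls: a GPO reaches a logon session only if the session's groups are effectively granted both Read and Apply Group Policy, and an explicit Deny on either permission overrides any Allow. The group names and ACL entries are constructed sample data, not a real GPO's ACL.

```python
"""How a GPO's security filtering decides who receives the policy, modelled
as a small DACL evaluation. Added example for this page; it is not code from
the original text and the ACL below is constructed, not a real GPO's. A GPO is
processed for a security principal only when the principal is effectively
granted BOTH Read and Apply Group Policy; an explicit Deny on either wins over
any Allow, which is how a deny entry added on the GPMC Delegation tab excludes
a group that would otherwise be in scope.
"""
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group the entry applies to
    allow: bool           # True for an Allow ACE, False for a Deny ACE
    rights: frozenset     # subset of {READ, APPLY}


def effective_rights(token, dacl):
    """Rights a logon token ends up with against the GPO. Windows evaluates
    explicit Deny ACEs ahead of explicit Allow ACEs, so anything denied to
    any group in the token is never granted."""
    denied, allowed = set(), set()
    for ace in dacl:
        if ace.trustee in token:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def gpo_applies(token, dacl):
    """True only if both permissions survive; Read alone lets you view the GPO, not receive it."""
    return {READ, APPLY} <= effective_rights(token, dacl)


# Constructed sample ACL after an administrator used Security Filtering on the
# Scope tab: Authenticated Users was removed and "Branch Users" added (GPMC
# grants Read + Apply together), a Deny for "Service Accounts" was added on
# the Delegation tab, and the usual administrative Read entries remain.
SAMPLE_DACL = [
    Ace("Service Accounts", False, frozenset({APPLY})),
    Ace("Branch Users", True, frozenset({READ, APPLY})),
    Ace("Domain Admins", True, frozenset({READ})),
    Ace("ENTERPRISE DOMAIN CONTROLLERS", True, frozenset({READ})),
]

# Constructed logon tokens: the set of group names each session carries.
SAMPLE_TOKENS = {
    "alice (Branch Users)": {"Authenticated Users", "Domain Users", "Branch Users"},
    "svc_backup (Branch Users + Service Accounts)": {"Authenticated Users", "Branch Users", "Service Accounts"},
    "bob (Domain Users only)": {"Authenticated Users", "Domain Users"},
    "admin (Domain Admins)": {"Authenticated Users", "Domain Admins"},
}


def sample_results():
    """Who the sample GPO applies to, by token."""
    return {who: gpo_applies(tok, SAMPLE_DACL) for who, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for who, applies in sample_results().items():
        print(f"{who:46s} {'applies' if applies else 'filtered out'}")
```

The service account is the instructive case: it is in the filtered group, so it has Read, but the Deny on Apply Group Policy leaves it with Read alone, and the GPO is not processed for it.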

Deleting Extinct Domain Metadata

If one of your Windows Server 2003 domain controllers suffers a catastrophic failure and you are unable to remove it from the domain in a graceful manner, you can use the following steps to delete the Active Directory metadata associated with that domain controller. Metadata here refers to information within Active Directory that keeps track of the information that is housed on each one of your domain controllers. If a DC fails before you can remove it from the domain, its configuration...

Interactive Logon

A network user performs an interactive logon when he presents his credentials to the operating system of the physical computer that he is attempting to log on to, usually his desktop workstation. The logon name and password can belong either to a local user account or to a domain account. When logging on with a local account, the user presents credentials that are stored in the SAM database on the local machine. Any workstation or member server can store local SAM-based accounts,...

Configuring Load Balancing

In this exercise, we put two servers, SERVER1 and SERVER2, together in a Network Load Balancing cluster. The first thing we need to do to enable and configure our Load Balancing cluster is to start the Network Load Balancing Manager.
1. To start Network Load Balancing Manager, click Start | Run, and type NLBMGR.
2. When the Network Load Balancing Manager (see Figure 11.15) opens, right-click Network Load Balancing Clusters and select New Cluster.
Figure 11.15 The Network Load Balancing Manager...

Using GPMC as a Troubleshooting Tool

GPMC can greatly assist you in troubleshooting GPO behavior on your network, because it provides a well-organized view of all GPOs present on your network and how they are linked to the sites, domains, and OUs within Active Directory. You can also easily determine which GPO links are enabled or disabled for a container, as well as view the properties and settings of a specific GPO. Group Policy Results reports are similar to RSoP in logging mode: they gather information from a network...

Planning for Smart Card Support

Like any device or technology used to enhance network security, smart cards require you to plan how you will educate your users on their use and to provide administrative tools to support them. First, make sure that your users understand the purpose of deploying smart cards; you'll receive a much better response if they comprehend the importance of the added security than if they're simply handed a smart card and told to use it. Emphasize that the smart card is a...

Starting the Recovery Console

In this exercise, we restart a Windows Server 2003 computer using the Recovery Console.
1. Start this process by inserting the Windows Server 2003 CD into your CD-ROM drive. In addition, ensure that your server is set to boot from the CD-ROM as the primary device.
2. During the boot process, you may be prompted to press a key to boot to the CD. Press any key.
3. Windows begins running through the Windows Server 2003 installation process, then prompts you to make a decision on how to proceed.
4. ...

Planning a DNS Namespace

- The first step to planning your DNS namespace is to get a snapshot of your entire organization.
- Choose a parent domain name that represents your organization but isn't overly difficult for you and your users to understand or use.
- Often it's better to separate internal DNS namespaces from external DNS namespaces.
- A standard set of characters is permitted for use in DNS host naming, as defined in RFC 1123: letters, digits, and the hyphen, in labels of 1 to 63 characters that may not begin or end with a hyphen.
- In Windows Server 2003, Microsoft has expanded DNS character support to include...
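As an added example (not from the original text), here is a checker for the RFC 1123 host-name rule above, run over the chapter's widgets.home names plus a few constructed ones. The relaxed mode, which additionally tolerates underscores, is an assumption standing in for the Windows DNS server's non-RFC name-checking option; the strict mode is plain RFC 952/1123.

```python
"""RFC 1123 host-name check for a planned DNS namespace (added example,
not part of the original text). Strict mode enforces RFC 952/1123:
labels of 1-63 characters from [A-Za-z0-9-], no leading or trailing
hyphen, and a whole name of at most 253 characters. Relaxed mode also
accepts '_' (the underscore that NetBIOS-derived Windows names often
carry); treating that as the DNS server's non-RFC name-checking mode is
an assumption. The widgets.home names are the chapter's examples; the
others are constructed.
"""
import re

_LABEL_STRICT = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_LABEL_RELAXED = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def check_hostname(name: str, strict: bool = True) -> list:
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    fqdn = name[:-1] if name.endswith(".") else name  # tolerate a trailing root dot
    if not fqdn:
        return ["empty name"]
    if len(fqdn) > 253:
        problems.append(f"name is {len(fqdn)} characters; maximum is 253")
    pattern = _LABEL_STRICT if strict else _LABEL_RELAXED
    for label in fqdn.split("."):
        if label == "":
            problems.append("empty label (consecutive dots)")
        elif len(label) > 63:
            problems.append(f"label '{label[:10]}...' is longer than 63 characters")
        elif not pattern.match(label):
            if label.startswith("-") or label.endswith("-"):
                problems.append(f"label '{label}' begins or ends with a hyphen")
            elif not label.isascii():
                problems.append(f"label '{label}' contains non-ASCII characters (needs UTF-8/multibyte name checking)")
            else:
                problems.append(f"label '{label}' contains characters outside [A-Za-z0-9-]")
    return problems


def audit(names, strict: bool = True) -> dict:
    """Run check_hostname over a list of planned names."""
    return {n: check_hostname(n, strict) for n in names}


SAMPLE_NAMES = [
    "boston.us.na.widgets.home",      # from the chapter's example namespace
    "beijing.ci.as.widgets.home",
    "3com-gw.widgets.home",           # constructed: a leading digit is legal under RFC 1123
    "file_srv01.widgets.home",        # constructed: underscore, common in NetBIOS-derived names
    "-bad.widgets.home",              # constructed: leading hyphen
    "pékin.ci.as.widgets.home",       # constructed: non-ASCII label
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_NAMES).items():
        print(f"{name:32s} {'OK' if not issues else '; '.join(issues)}")
```

Running the audit in strict mode before a migration is the cheap way to find the names that will break once the zone is served by a resolver that enforces RFC 1123; the underscore and non-ASCII cases are exactly the ones that pass on a Windows DNS server with relaxed name checking and fail elsewhere.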

Managing Applications

As we discussed in Chapter 6, you can use Group Policy to manage the distribution, installation, and maintenance of Active Directory-aware applications on your corporate network. The scope of these management functions can extend from the initial deployment of an application through the installation of any upgrades, patches, or fixes.You can use the Software Installation function of Group Policy to maintain consistent versions of an application, replace a deployed application with a new...

Policy Management Console

Before the release of Windows Server 2003, network administrators needed to use several different applications and utilities to manage Group Policy settings on their networks. Depending on the specific function, you might have needed to use Active Directory Users and Computers, Active Directory Sites and Services, or the RSoP snap-in to access the various pieces of Group Policy functionality. The Group Policy Management Console (GPMC) brings together existing Group Policy functions into a single...

Creating a Differential Backup

In this exercise, we create a Differential backup set using the Windows Server 2003 Backup utility. Let's begin by opening the Backup Utility:
1. Click Start | All Programs | Accessories | System Tools | Backup.
2. When the Backup or Restore Wizard (see Figure 11.7) opens, click
Figure 11.7 The Backup or Restore Wizard
3. From the Backup Utility menu (see Figure 11.8), select Tools, and click the Backup Wizard (Advanced) option.
...

Active Attacks

Once a potential intruder has gained sufficient information from a passive type of attack, he or she has enough ammunition to launch an active attack against the network. However, you should be aware that a passive attack is not a prerequisite for an active attack. There are a potentially large number of active attacks that an intruder can launch against a wireless network without first performing a reconnaissance passive attack. For the most part, these active attacks are identical to the...

In a Windows Server Network

You have installed certificate services on a Windows Server 2003 server named CA101.somecompany.com. Your boss has decided that he wants to change all the servers to a naming convention that is more descriptive to the organization. He wants to rename CA101.somecompany.com to certserver.somecompany.com. You explain to your boss that renaming a server with certificate services is not a good idea. Which of the following answers best describes the reason that you should not rename the server? A....

Spoofing and Unauthorized Access

The combination of weaknesses in WEP and the broadcast nature of wireless transmission has made spoofing (an attacker impersonating a trusted station or address) a real threat to wireless network security. Well-publicized weaknesses in WEP-based user authentication have made authentication spoofing just one of a number of well-tested exploits available to attackers. One definition of spoofing is an attacker's ability to trick the network equipment into thinking that the address from which a connection is coming is...

Deploying and Managing Updates

Identifying the updates that your computers need might seem like the toughest part of this task; however, that's not the case. Deploying updates, which includes testing them thoroughly before deployment, is in most cases the most time-consuming and problematic part of the update process. After you have thoroughly tested the updates in a safe environment, usually a lab or an isolated section of the network, you then face the task of actually getting them deployed to the computers that require...

Performing a Primary Restore

You'll perform a primary restore when the server you are trying to restore contains the only existing copy of any replicated data, in this case the SYSVOL directory and the Active Directory data. Using a primary restore allows you to return the first replica set to your network; do not use this option if you've already restored other copies of the data being restored. Typically, you'll perform a primary restore only when you have lost all the domain controllers in your domain and are rebuilding...

Configuring Stub Zones

Centralized management is typically the preferred way to ease the administrative burden. However, it can be helpful from time to time to delegate authority to others while still retaining overall visibility. With this in mind, Microsoft has introduced a third type of DNS zone, new in Windows Server 2003, called a stub zone. A stub zone contains only the resource records required to locate the DNS servers that are authoritative for a particular zone: the zone's SOA record, its NS records, and the glue A records for those name servers. Using stub zones,...

Creating a Realm Trust Using the Windows Interface

1. Click Start | Programs | Administrative Tools | Active Directory Domains and Trusts. Enter the appropriate username and password to access the utility.
2. Right-click the domain that you want to administer, and select Properties.
3. Click the Trusts tab, click New Trust, and then click Next. You'll see the window shown in Figure 3.18.
4. On the Trust Name page, type the name of the Kerberos realm that you want to establish a trust relationship with, and then click Next.
5. On the Trust Type page,...

Changing Replication Scope

In this exercise, we change the replication scope of the widgets.home zone on the Elwood server from all DNS servers in the Active Directory domain to all domain controllers in the Active Directory domain. The Elwood server must be able to replicate with Windows 2000 DNS servers while the rest of the company is being converted from Windows 2000 to Windows Server 2003, and Windows 2000 domain controllers cannot host the DomainDnsZones application directory partition that the "all DNS servers in the domain" scope uses; storing the zone in the domain partition itself is the only Active Directory-integrated scope they support. Do the following:
1. Open the DNS management console on your DNS server (in our case, Elwood).
2. Right-click the widgets.home zone, and click Properties.
3. ...

Child Domains

The next task in your plan is to determine whether to have child domains and then determine their placement and their names. The domain plan will follow the DNS namespace, which means that you should have a good idea of the namespace you intend to use. Although there is a trust relationship between the parent and the child domain, the administrator of the parent domain does not have automatic authority over the child domain, nor does the child domain's administrator have authority over the...

DNS Spoofing

DNS spoofing occurs when a DNS server accepts information from a host that has no authority to provide it. DNS spoofing is a form of cache poisoning, in which intentionally incorrect data is inserted into the cache of a DNS server. Spoofing attacks can cause users to be directed to an incorrect Internet site, or cause e-mail servers to route mail to servers other than those for which it was intended. DNS query packets have a 16-bit ID associated with them that is used to...
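To make the 16-bit ID concrete, the following added example (not from the original text) models the matching a resolver performs before trusting a reply and computes an attacker's odds of landing a blind forgery, both when only the transaction ID must be guessed and when a randomized UDP source port must be guessed as well. All addresses, names and ports are constructed sample data.

```python
"""DNS reply matching and the odds of a blind forgery (added example written
for this page; not code from the original text). A forged reply is accepted
only if it matches an outstanding query on the 16-bit transaction ID; a
resolver that also sends each query from a random UDP source port and checks
it on the way back multiplies the space an attacker has to guess. The
probability that at least one of N blind forgeries matches is
1 - (1 - 1/S)^N for a guess space of size S. Addresses, names and ports
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit ID from the DNS header
    src_port: int    # UDP port the resolver sent from (predictable on old resolvers, random on hardened ones)
    qname: str
    qtype: str
    server: str      # address of the server that was asked


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int    # UDP port the reply was addressed to
    qname: str
    qtype: str
    src_ip: str      # claimed source; trivially forgeable over UDP
    rdata: str


def forgery_success_probability(forged_replies: int, guess_bits: int) -> float:
    """P(at least one of N blind guesses hits) over a space of 2**guess_bits values."""
    return 1.0 - (1.0 - 2.0 ** -guess_bits) ** forged_replies


def accepts(q: Query, r: Reply, check_port: bool = True) -> bool:
    """The checks a resolver makes before trusting a reply. Only the
    transaction ID and (if randomised) the source port are secrets: the
    attacker already knows the name, type and server because it triggered
    the lookup, and it can put the server's address in src_ip freely."""
    if r.txid != q.txid:
        return False
    if check_port and r.dst_port != q.src_port:
        return False
    if r.src_ip != q.server:
        return False                       # cheap filter, not a defence: UDP source is spoofable
    return (r.qname.lower(), r.qtype) == (q.qname.lower(), q.qtype)


# Constructed sample: a legacy resolver whose source port the attacker knows.
LEGACY_QUERY = Query(txid=0x1A2B, src_port=53, qname="www.widgets.com", qtype="A", server="192.0.2.53")


def sample_decisions() -> dict:
    """Constructed replies racing the genuine answer to LEGACY_QUERY."""
    replies = {
        # genuine answer from the server that was asked
        "genuine": Reply(0x1A2B, 53, "www.widgets.com", "A", "192.0.2.53", "198.51.100.10"),
        # attacker guessed the ID wrong
        "bad_id": Reply(0x1A2C, 53, "www.widgets.com", "A", "192.0.2.53", "203.0.113.66"),
        # attacker guessed the ID right and spoofed the server's address: poisoned
        "forged": Reply(0x1A2B, 53, "www.widgets.com", "A", "192.0.2.53", "203.0.113.66"),
        # right ID but addressed to a port the resolver did not use
        "bad_port": Reply(0x1A2B, 4242, "www.widgets.com", "A", "192.0.2.53", "203.0.113.66"),
        # a record for a name that was never asked
        "off_question": Reply(0x1A2B, 53, "mail.widgets.com", "A", "192.0.2.53", "203.0.113.66"),
    }
    return {name: accepts(LEGACY_QUERY, r) for name, r in replies.items()}


def attacker_odds() -> dict:
    """Sending 65,536 forged replies before the real answer lands: roughly 63% when only
    the 16-bit ID must be guessed, roughly 0.0015% when a random 16-bit port must match too."""
    n = 2 ** 16
    return {"id_only": forgery_success_probability(n, 16),
            "id_and_port": forgery_success_probability(n, 32)}


if __name__ == "__main__":
    for name, ok in sample_decisions().items():
        print(f"{name:13s} {'accepted' if ok else 'rejected'}")
    for mode, p in attacker_odds().items():
        print(f"{mode:13s} P(success) = {p:.6f}")
```

The "forged" case is the whole attack: with the ID guessed and the source address spoofed, nothing in the legacy checks distinguishes the forgery from the genuine answer, which is why the ID space alone is too small and why source-port randomization and, ultimately, signed data (DNSSEC) were needed.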

Using Secure Updates

Since you are a Windows 2000 MCSE, you should certainly be familiar with the concept of dynamic DNS updates. Dynamic DNS updates allow a computer on your network to register and update its own DNS resource records whenever a change occurs, such as a change of computer name or IP address. Dynamic updates were intended to reduce the administrative work of updating DNS databases each time a machine was brought online, moved, or renamed. The trade-off is that a zone accepting nonsecure updates lets any host that can reach the server register or overwrite records, so that setting belongs only where secure updates are not possible. In Windows Server 2003, Microsoft has taken the concept of...

Enabling Universal Group Membership Caching

In order to configure universal group membership caching, you enable it for the site rather than for a domain controller within the site. To do so:
1. Open the Active Directory Sites and Services console.
2. In the left pane, navigate to the site where universal group membership caching will be enabled.
3. In the right pane, right-click the NTDS Site Settings object.
4. Select Properties from the popup menu.
5. Check the box to Enable Universal Group Membership Caching, as shown in Figure 2.16.
Figure 2.16 Enabling...

DHCP Servers

DHCP server roles can be created on any Windows Server 2003 platform. The requirements for establishing a DHCP server role are primarily the same as in Windows 2000. In an Active Directory domain, the DHCP server must be authorized in Active Directory before its service will start and grant address leases to clients. A standalone DHCP server running either Windows 2000 or Windows Server 2003 will not grant addresses to clients if it detects that Active Directory...

Adding Attributes to Customize the Global Catalog

Before you add attributes to the global catalog, keep in mind that doing so has a negative impact on replication. Each new attribute increases the size of the global catalog, which increases the time it takes for replication to synchronize all the global catalog servers (in Windows 2000, extending the partial attribute set also forced a full synchronization of every global catalog). Replicate to the global catalog only those attributes that queries or applications need to find from anywhere in the forest. In order to add an attribute to the global catalog, you must use the Active Directory Schema snap-in,...

Reviewing the Domain Name System

DNS is a great place to start the coverage of objectives for the 70-296 exam, simply because it is the lifeline of the Windows networking environment. As with Windows 2000, Active Directory cannot function without DNS installed somewhere in your environment. Some things have changed in Windows Server 2003 from previous versions of Windows, but the basic functionality of DNS has remained the same. Before we step through the exam objectives, let's review how DNS came into existence, the basic...

Creating a Smart Card Certificate Enrollment Station

1. Log on to the machine as the user who will be installing the certificates.
2. Create a blank MMC console by clicking Start | Run, then type mmc and click OK.
3. From the console window, click File | Add/Remove Snap-in, then select Add.
4. Double-click the Certificates snap-in. Click Close and then click OK. You'll see the Certificates snap-in shown in Figure 5.26.
Figure 5.26 The Certificates Management Console
5. In the right-hand pane, click...

Zone Storage

In a standard zone configuration, DNS zones are stored in the %SystemRoot%\System32\dns folder (C:\Windows\System32\dns by default) in a .dns file. Each .dns zone file corresponds to a zone that is stored on a particular DNS server. For example, the zone file for the Beijing office of Widgets Inc would be beijing.ci.as.widgets.home.dns. Active Directory-integrated zones, on the other hand, store their zone data in the Active Directory tree under the domain or application directory partition. Each zone is stored in a container...

Creating a Domain Password Policy

1. From the Windows Server 2003 desktop, open Active Directory Users and Computers. Right-click the domain that you want to set a password policy for, and select Properties.
2. Click the Group Policy tab, as shown in Figure 5.4. You can edit the Default Domain Policy, or click New to create a new policy. In this case, click Edit to apply changes to the default policy.
3. Navigate to the Password Policy node by clicking Computer Configuration | Windows Settings | Security Settings | Account Policies...
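The following added example (not from the original text) implements the checks behind the settings configured in this exercise and described in "Defining a Password Policy" above: the Windows Server 2003 complexity rule, password history, and the lockout counter with its two timers, so the interaction between the lockout threshold and the counter reset window can be seen on constructed input. The policy values, account names and passwords are assumptions made for the example.

```python
"""Windows Server 2003 password complexity and account lockout, modelled so
the policy values described in this chapter can be exercised against sample
input. This is an added example, not code from the original text. The
complexity check follows the 'Password must meet complexity requirements'
rule: at least six characters, characters from three of the four classes
(uppercase, lowercase, digit, non-alphanumeric), no occurrence of the
account name, and none of the full name's tokens of three or more
characters (split on space, comma, period, hyphen, underscore, #, tab).
Policy values, account names and passwords below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8
    history: int = 24                  # Enforce password history (previous passwords remembered)
    complexity: bool = True
    lockout_threshold: int = 5         # Account lockout threshold; 0 = never lock
    lockout_duration_min: int = 30     # Account lockout duration; 0 = locked until an administrator unlocks
    reset_counter_after_min: int = 30  # Reset account lockout counter after


def check_password(pw, account_name, full_name, policy, previous=()):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    if policy.history and pw in list(previous)[-policy.history:]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    if policy.complexity:
        low = pw.lower()
        if len(pw) < 6:
            problems.append("complexity: fewer than six characters")
        classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                       any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
        if classes < 3:
            problems.append("complexity: characters from fewer than three of four classes")
        if len(account_name) >= 3 and account_name.lower() in low:
            problems.append("complexity: contains the account name")
        for tok in re.split(r"[ ,.\-_#\t]+", full_name):
            if len(tok) >= 3 and tok.lower() in low:
                problems.append(f"complexity: contains part of the full name ({tok})")
    return problems


@dataclass
class LockoutState:
    """Bad-password counter with the two timers the lockout policy defines. Time is in minutes."""
    policy: PasswordPolicy
    bad_count: int = 0
    last_bad: Optional[float] = None
    locked_until: Optional[float] = None

    def is_locked(self, now):
        if self.locked_until is not None and now >= self.locked_until:
            self.locked_until, self.bad_count = None, 0   # duration expired: automatic unlock
        return self.locked_until is not None

    def record_failure(self, now):
        """Apply a bad password attempt; returns True if the account is now locked."""
        if self.is_locked(now):
            return True
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_counter_after_min:
            self.bad_count = 0                             # observation window passed: counter resets
        self.bad_count, self.last_bad = self.bad_count + 1, now
        if self.policy.lockout_threshold and self.bad_count >= self.policy.lockout_threshold:
            dur = self.policy.lockout_duration_min
            self.locked_until = float("inf") if dur == 0 else now + dur
            return True
        return False

    def record_success(self, now):
        """A good logon resets the counter; it is refused while the account is locked."""
        if self.is_locked(now):
            return False
        self.bad_count = 0
        return True


def paced_attack(policy=None, attempts=12, gap_min=31):
    """Edge case worth knowing: an attacker who spaces guesses wider than the reset window
    never trips the threshold. Returns (attempts made, whether a lockout ever occurred)."""
    st = LockoutState(policy or PasswordPolicy())
    locked = any(st.record_failure(i * gap_min) for i in range(attempts))
    return attempts, locked


if __name__ == "__main__":
    pol = PasswordPolicy()
    for pw in ("Winter2003!", "Jsmith2003!", "password"):
        print(f"{pw:14s} {check_password(pw, 'jsmith', 'John Smith', pol) or 'OK'}")
    print("paced (31 min apart) locked:", paced_attack(pol)[1], "| rapid (1 min apart) locked:", paced_attack(pol, gap_min=1)[1])
```

The paced attack is the caveat a practitioner should take from the lockout settings: the threshold only counts failures inside the reset window, so a slow online guessing campaign is detected by logon auditing, not by lockout, and a long lockout duration mostly gives an attacker a denial-of-service lever against legitimate users.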

Zone Replication

Before we begin discussing DNS zone replication, let's take a step back to define DNS zones. The DNS system is a collection of zone files that are spread throughout the Internet as well as private networks. Internet zone files break up the DNS namespace into smaller pieces that can be easily managed. Zones allow for the distribution of data but also for the management of localized DNS databases. By managing local DNS databases, you can manage your own zone files by defining your own zone...

Implementing Stub Networks for Secure Wireless Networks

According to The Free Online Dictionary of Computing (http://foldoc.doc.ic.ac.uk), a stub network is a network that only carries packets to and from local hosts. Even if it has paths to more than one other network, it does not carry traffic for other networks. In technical terms, a stub network is an IP-based network segment that uses a subset of an existing parent network's address space. A router or bridge separates the parent network and the stub network. An example is a parent network with an address...

Creating a New Domain Tree

Like Windows 2000, a Windows Server 2003 Active Directory forest can contain one or more domain trees.You'll create a new domain tree when you need to create a domain whose DNS namespace is not related to the other domains in the forest but whose schema, security boundaries, and configuration need to be at least somewhat centrally managed. A good example of this is the acquisition of a company whose IT management functions will be taken over by the new parent company. In this case, the DNS name...

User Security

There are different types of user security settings to configure in Group Policies. Usually, a password or account lockout policy will come to mind. However, these are actually computer configuration settings that you would set for an entire domain at the domain level. The remaining options that you have within Group Policy for securing a user's resources, or even securing computer and network resources from a user, are considerable. To edit the domain's Password Policy and Account Lockout...