Defining Group Policy Links for a Site Domain or Organizational Unit

As we have said before, administrators can configure Group Policy for sites, domains, or organizational units. This is done with the Active Directory tools by setting properties on the specified site, domain, or OU. The Group Policy tab in the SDOU's Properties page allows the administrator to specify which Group Policy objects are linked to this site, domain, or OU. This property page stores the administrator's choices in two Active Directory properties called gPLink and gPOptions. The gPLink property...

SSL and SSO

Earlier in the chapter, we mentioned SSL. When we talked about SSL, it was to highlight the way people access your corporate Web page. That is not the only way it can be used, because not all enterprise computer users enter a network by means of network-to-network connections. Some people have to be different, meaning that you must also support users who access your corporate network through intranets. These users can include people who are mobile users and who access the corporate network via...

Certificate Types

Earlier in the chapter, we briefly discussed the fact that there could be different types of certificates, but we didn't take the time to explore those types. Table 9.1 outlines the types of certificates and the roles they fulfill. The administrator certificate is used for authenticating clients and for the encrypted file system (EFS), secure mail, for certificate trust list (CTL) signing, and finally for code signing. The authenticated session certificate is used to authenticate clients. The...

Proxy Server Basics

One way that you can protect yourself and your company is with the use of a proxy server. Now, some people confuse a proxy server with a firewall. As a matter of fact, some large companies had been hawking a proxy server as a firewall, but according to the latest word we heard from Microsoft, the company is now saying it really isn't. Take a look at Figure 14.1.

FIGURE 14.1 Diagram of a proxy server

For an explanation, let's start with the fact that this drawing is way oversimplified. In the...

Authentication across Domain Boundaries

This breaks down to the fact that the KDC provides two different types of services. The first is an authentication service whose job it is to issue Ticket Granting Tickets. Then there is the ticket-granting service. That service is the one that issues the session tickets. Because of this division, Kerberos can operate across domain boundaries. In other words, a client can get a TGT from the authentication service in one domain, and then take that TGT to get a session ticket from a...

The Pyramid Approach Management Model

If you have taken any of the Microsoft Official Courseware on Windows 2000, you have run into the proper way to design an ADS implementation. It all starts out with the pyramid approach. Just in case you think Microsoft has come up with a new and groundbreaking concept, take a look at Figure 2.1. If this were a management class, the diagram would be called the scenario for Management 101. That would give it a fancy name to hide the fact that it is pretty much made up on the spot.

FIGURE 2.1...

Data Recovery

This is one of those steps that is really obvious. Data recovery is very important when you need to be able to recover data encrypted by an employee after the employee leaves, or when the user's private key is lost. When we first heard about this feature in Windows 2000, we thought about all the damage a disgruntled employee could do. Imagine the problems if someone could go out to the Accounting area and encrypt all the data files so no one could read them. Without proper planning, that could be...

Mandatory Recovery Policy

EFS provides for built-in data recovery by enforcing a recovery policy requirement. The requirement is that a recovery policy must be in place before users can encrypt files. The recovery policy provides for a person to be designated as the recovery agent. Again, this is a transparent process. The default recovery policy is automatically put in place when the administrator logs on to the system for the first time (during installation), making the administrator the recovery agent. What is the...

Types of Recovery Policies

Administrators can define one of three kinds of policies: no recovery policy, empty recovery policy, or recovery-agent policy with one or more recovery agents.

No recovery policy: When an administrator deletes the recovery policy on the first domain controller, a no recovery policy at the domain level is in effect. Because there is no domain recovery policy, the default local policy on individual computers is used for data recovery. This means that local administrators control the recovery of...

Modifying the Recovery Policy

To modify the default recovery policy for a domain, you must log on to the first domain controller as an administrator. Then, start the Group Policy MMC through the Active Directory Users and Computers snap-in, right-click the domain whose recovery policy you wish to change, and click Properties. At this point, you click the recovery policy you wish to change and click Edit. In the console tree, click Encrypted Data Recovery Agents. Finally, you right-click the details pane and click the...

Designating Alternate Recovery Agents

You can configure Encrypted Data Recovery Agents policy to designate alternative recovery agents. For example, you may want to distribute the administrative workload in your organization, so you can designate alternative EFS recovery accounts for categories of computers grouped by organizational units. You might also configure Encrypted Data Recovery Agents settings for portable computers so that they use the same recovery agent certificates when they are connected to the domain and when they...

Disabling EFS for a Set of Computers

If you want to disable EFS for a domain, organizational unit, or stand-alone computer, you can do it by simply applying an empty Encrypted Data Recovery Agents policy setting. Until Encrypted Data Recovery Agents settings are configured and applied through Group Policy, there is no policy and the default recovery agents are used by EFS. However, EFS must use the recovery agents that are listed in the Encrypted Data Recovery Agents Group Policy. If the policy that is applied is empty, there is...

Proactive Risk Management

Since security and risk assessment is an ongoing, never-ending process, there should be a way to be somewhat proactive. To be proactive you have to assess risks continuously and use these assessments whenever decisions have to be made. When decisions are made, the risks are carried forward and dealt with until they are resolved or until they turn into actual problems and are handled. The proactive risk management process is shown graphically in Figure 4.7.

FIGURE 4.7 Proactive risk management...

Prerequisites for Implementing EFS

To implement EFS, a Public Key Infrastructure must be in place and at least one administrator must have an EFS Data Recovery certificate so the file can be decrypted if anything happens to the original author. The author of the file must have an EFS certificate. The files and folders to be encrypted must be stored on the version of NTFS included with Windows 2000. Once the PKI has been established, to implement EFS, you would open Windows Explorer and right-click a folder or a file. Select...

Figure: Tunnel Setting tab

The tunnel endpoint is the tunneling computer closest to the IP traffic destination, as specified by the associated IP Filter List. It takes two rules to describe an IPSec Tunnel.

The Tunnel Setting tab offers two options:
( ) This rule does not specify an IPSec tunnel.
( ) The tunnel endpoint is specified by this IP Address:

You would need to use the Tunnel...

Assessment Test

1. What constitutes a domain restructure?
   A. Domain restructure is sometimes referred to as domain consolidation.
   B. Domain restructure is sometimes referred to as resource domain elimination.
   C. Domain restructure is sometimes referred to as an administrative domain elimination.
   D. The sum total of all the transitive trusts serviced by Kerberos v5.

2. If you find that a CA has been compromised, what must you do?
   A. When a CA has been compromised, you must revoke the CA's certificate and create a...

Controlling Update Access to Zones and Names

As we said before, access to the secure DNS names and zones is controlled through the Active Directory and through the ACLs. These ACLs can be specified for either an entire zone or they can be modified to suit some specific names. The way Windows 2000 is set up, by default, any user that is authenticated can create the A or PTR RRs in any zone. But once an owner name has been created (regardless of type of record), only the users or the groups that are specified in the ACL for that name, and...

Common VPN Problems

According to Microsoft, VPN problems typically fall into the following categories:

- Your connection attempt is rejected, when it really should be accepted.
- Your connection attempt is accepted, when it really should be rejected.
- The user in question can't reach locations beyond the VPN server.
- The user in question can't establish a tunnel.

Keep the following troubleshooting tips close. They may help you to isolate the configuration or infrastructure problem causing these common VPN problems. The...

Envisioned System

Overview

Several of the management team have input on this project, including the CEO, the CFO, the General Managers of the Orlando office, and the General Manager of the Athens Office. At this stage, we have also begun to hear from the Sales Manager.

CEO

As the new network was designed, the CEO is looking closely at the IS department and saying things like, "Okay, people, you wanted the Windows 2000 network because of its flexibility and now you have it. This is where the rubber hits the road."...

Defining Registry Policies

Registry policies can be used to configure the security audit policy. Because Windows 2000 can record a range of security event types, this can be a useful way of detecting intrusion. These policies are summarized in Table 8.7.

TABLE 8.7 Defining Registry Policies

In this case, you are controlling security auditing for registry keys and their subkeys. For example, to make sure that only administrators can change certain information in the registry, you can use registry policies to grant...

SMB Signing and Performance

In the scenario above, what is the performance hit? Obviously, there is going to be some. Because requests from Microsoft networking clients are processed through the gateway, access is slower than direct access from the client to the NetWare network. If performance is an issue, then clients that require frequent access to NetWare resources should run Windows 2000 Professional with Client Services for NetWare, or Windows 95 and Windows 98 with their NetWare client software, to achieve higher...

Impact of End User Security Requirements

Another of the buzzwords for Windows 2000 is distributed security. Distributed security is the coordination of many security features on a computer network to implement an overall security policy. It allows users to access appropriate computer systems, get the information they need, and use that information. It also involves making sure the users who access the information have the appropriate levels of access. Many may be able to read the data, but few may be able to alter it. By the same...

Answers to Review Questions

1. The three tasks in the Implementation phase are test pilot design, installation, and configuration. This puts the new system or process in place.

2. A, D, E, G. The four design criteria are functionality, security, availability, and performance. These four items should be uppermost in your mind as you begin to analyze your company's business model.

3. C. A customer-focused project is one where the project actions are determined by the goal of solving a particular business problem rather...

Microsoft Exam Objectives Covered In This Chapter

- Evaluate the company's existing and planned technical environment.
  - Analyze company size and user and resource distribution.
  - Assess the available connectivity between the geographic location of work sites and remote sites.
  - Assess the net available bandwidth.
  - Analyze performance requirements.
  - Analyze the method of accessing data and systems.
  - Analyze network roles and responsibilities. Roles include administrative, user, service, resource ownership, and application.

Copyright 2000...