MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298

Chapter 1: Designing a Secure Network Framework

Figure 1.1: Generating RSoP Data

Figure 1.2: Computer Selection in the RSoP Query Wizard

Figure 1.3: Results of RSoP Query

Figure 1.4: Illustration of a DDoS Attack

Figure 1.5: ktpass Command-Line Descriptions

Chapter 2: Securing Servers Based on Function

Figure 2.1: Setup security.inf Viewed in Notepad

Figure 2.2: Network Security Settings: LAN Manager Authentication Level Security Settings Policy

Figure 2.3: Add/Remove Snap-In to the Microsoft Management Console

Figure 2.4: Viewing and Modifying Predefined Template Settings

Figure 2.5: Information Warning Regarding Down-Level Clients

Figure 2.6: Registry Policy Properties

Figure 2.7: Group Policy Wizard

Figure 2.8: Imported Policy or Template in Group Policy Editor

Figure 2.9: New Group Policy Object

Figure 2.10: Applied Group Policy to Domain or OU

Figure 2.11: Action Alert in Resultant Set of Policy Snap-In

Figure 2.12: Resultant Set of Policy Results

Figure 2.13: Group Policy Management ConsoleOrganizational Unit Management

Figure 2.14: Group Policy Management ConsoleManagement Options

Figure 2.15: Configure Your Server WizardSelect Server Role

Figure 2.16: Configure Your Server Summary of Selected Options

Figure 2.17: Installing Components and Server Role

Figure 2.18: Configure Your Server Wizard Complete

Figure 2.19: IIS Default Web Service Extensions

Figure 2.20: Creating a New Group Policy Link to OU

Figure 2.21: Import Policy Dialog

Figure 2.22: Security Analysis Results

Chapter 3: Designing a Secure Public Key Infrastructure

Figure 3.1: PKI Overview

Figure 3.2: Common Arrangements of the CA Hierarchy of an Enterprise

Figure 3.3: Example of Geographical Hierarchy

Figure 3.4: Example of Organizational Trust Hierarchy

Figure 3.5: Example of Network Trust Security

Figure 3.6: Example of a Three-Tiered CA Enterprise Hierarchy

Figure 3.7: Selecting Certificate Service to Install

Figure 3.8: Warning Screen before Installing Certificate Services

Figure 3.9: Selecting a CA Type

Figure 3.10: Selecting Public and Private Key Pairs

Figure 3.11: CA Identity Information

Figure 3.12: Configuring Database Settings

Figure 3.13: Select a Certificate Type

Figure 3.14: Enter the Users Details to Issue a Certificate

Figure 3.15: Confirmation Screen for a Certificate Request

Figure 3.16: Pending Queue of the CA

Figure 3.17: Approve a Certificate from Pending Queue

Figure 3.18: Auditing Tab of the CA Properties

Figure 3.19: Confirmation to Stop the Certificate Service

Figure 3.20: Confirmation to Generate New Keys

Chapter 4: Securing the Network Management Process

Figure 4.1: Using the Delegation of Control Wizard

Figure 4.2: Creating a Remote Desktop Connection

Figure 4.3: Configuring the Remote Desktop Connection

Figure 4.4: Activating Remote Assistance

Figure 4.5: Approving Critical Updates in SUS

Figure 4.6: Synchronizing Child SUS Servers

Figure 4.7: Configuring Software Installation Policies

Figure 4.8: Microsoft Baseline Security Analyzer

Figure 4.9: The One-Way Trust Relationship

Figure 4.10: The Two-Way Trust Relationship

Figure 4.11: Trust Transitivity in Domains

Figure 4.12: Transitivity of Forest Trusts

Figure 4.13: Realm Trusts

Figure 4.14: Using a Shortcut Trust

Figure 4.15: Figure for Question 1

Chapter 5: Securing Network Services and Protocols

Figure 5.1: IPSec Transport Mode with Authentication Header

Figure 5.2: IPSec Tunnel Mode with Authentication Header

Figure 5.3: IPSec Transport Mode with ESP

Figure 5.4: IPSec Tunnel Mode with ESP

Figure 5.5: Key Exchange Security Methods Dialog

Figure 5.6: Disabling Default Response Rule

Figure 5.7: Interaction of IPSec Components

Figure 5.8: IPSec Process

Figure 5.9: Export IPSec Policy via IP Security Policy Management Snap-In

Figure 5.10: Default Policies in Active Directory

Figure 5.11: Default Settings for Key Exchange Security Methods for Default IPSec Policy

Figure 5.12: Web Site Properties Dialog

Figure 5.13: Require Secure Channel (SSL) Configuration

Figure 5.14: Server Message Block Signing Options

Figure 5.15: Sample Domain Wireless Policy Properties Dialog

Figure 5.16: Adding a New Preferred Network

Figure 5.17: Wireless Policy Defined in Default Domain

Figure 5.18: IEEE 802.1X Properties in the Selected Preferred Network

Figure 5.19: Smart Card or Other Certificate Properties Options

Figure 5.20: Protected EAP Properties Options

Figure 5.21: Functional Diagram of Wireless Access Infrastructure

Figure 5.22: IPSec Settings

Figure 5.23: Network Configuration

Chapter 6: Securing Internet Information Services

Figure 6.1: IIS 6.0 Worker Process Model

Figure 6.2: IIS 5.0 Isolation Model

Figure 6.3: Directory Security Tab of IIS 6.0

Figure 6.4: Enable Secure Communication

Figure 6.5: One-to-One Mapping Screen

Figure 6.6: Select Credentials for Mapping

Figure 6.7: Add a Wildcard Rule

Figure 6.8: The Rules Window

Figure 6.9: Enter Rule Information

Figure 6.10: Enter Credentials for Many-to-One Mapping

Figure 6.11: Enable Anonymous Access

Figure 6.12: Basic Authentication Warning

Figure 6.13: Basic Authentication Settings

Figure 6.14: Digest Authentication Warning

Figure 6.15: RADIUS Architecture in Windows Server 2003

Figure 6.16: Select Network Services

Figure 6.17: Select Internet Authentication Service

Figure 6.18: IAS MMC Snap-In

Figure 6.19: Properties of Remote Access Policies

Figure 6.20: Edit the Default Policy Settings

Figure 6.21: Web Service Extensions View

Figure 6.22: Enabling the Internet Connection Firewall

Figure 6.23: Available Protocol Configuration Window

Figure 6.24: Entering Machine Name or IP Address to Configure the Firewall

Figure 6.25: Enable Logging for Default Web Site

Figure 6.26: Customizing Log Fields

Figure 6.27: Local Audit Policy Settings

Figure 6.28: Enable Success or Failure Audit Options

Figure 6.29: Enable Health Detection

Chapter 7: Securing VPN and Extranet Communications

Figure 7.1: Configuring Routing and Remote Access

Figure 7.2: Routing and Remote Access Server Setup Wizard

Figure 7.3: RRAS Custom Configuration Screen

Figure 7.4: Setting Up a New Routing Protocol

Figure 7.5: Choosing RIP

Figure 7.6: General Tab of the RIP Property Interface Sheet

Figure 7.7: Security Tab of the RIP Property Interface Sheet

Figure 7.8: Neighbors Tab of the RIP Property Interface Sheet

Figure 7.9: Two Sites Connected via VPN Tunnel

Figure 7.10: Diagram of a PPTP Packet

Figure 7.11: Configuration Screen of the Routing and Remote Access Setup Wizard

Figure 7.12: Remote Access Screen of the Routing and Remote Access Setup Wizard

Figure 7.13: VPN Connection Screen of the Routing and Remote Access Setup Wizard

Figure 7.14: IP Address Assignment Screen of the Routing and Remote Access Setup Wizard

Figure 7.15: DHCP Relay Agent Reminder

Figure 7.16: Setting Up a Demand Dial Interface

Figure 7.17: Connection Type Screen of the Demand Dial Wizard

Figure 7.18: VPN Type Screen of the Demand Dial Wizard

Figure 7.19: Destination Address Screen of the Demand Dial Wizard

Figure 7.20: Protocols and Security Screen of the Demand Dial Wizard

Figure 7.21: Dial In Credentials Screen of the Demand Dial Wizard

Figure 7.22: Dial Out Credentials Screen of the Demand Dial Wizard

Figure 7.23: Diagram of an L2TP Packet

Figure 7.24: Security Tab of the Answering Routers Properties Sheet

Figure 7.25: Authentication Methods Screen

Figure 7.26: Choosing Properties of a Demand Dial Interface

Figure 7.27: Security Tab of the Demand Dial Interface

Figure 7.28: Advanced Security Settings Screen of the Security Tab

Figure 7.29: Smart Card or Other Certificates Properties Screen

Figure 7.30: Setting Credentials on the Demand Dial Interface

Figure 7.31: Remote Access Policy Settings Screen

Figure 7.32: Authentication Tab of the Remote Access Profile Screen

Figure 7.33: Encryption Tab of the Remote Access Profile Screen

Figure 7.34: Dial-in Constraints Tab of the Remote Access Profile Screen

Figure 7.35: IP Tab of the Remote Access Profile Screen

Chapter 8: Securing Active Directory

Figure 8.1: NTFS Permissions Configuration Window

Figure 8.2: Setting Permissions on Folders via Group Policy

Figure 8.3: Files and Folder Permissions Configured in Group Policy

Figure 8.4: Changing the Account a Service Uses to Start

Figure 8.5: Account Policies Window in Group Policy

Figure 8.6: Configuring Restricted Groups in Group Policy

Figure 8.7: Kerberos Policy Configuration

Figure 8.8: Enabling Reversible Encryption on a Per-Account Basis

Figure 8.9: Configuring Password Complexity

Figure 8.10: Logon Events Registration Process

Figure 8.11: Setting Auditing on an Object

Figure 8.12: Advanced Auditing Settings

Figure 8.13: Delegation of Control Wizard

Chapter 9: Securing Network Resources

Figure 9.1: Access Control List with Access Control Entries

Figure 9.2: Access Mask Compared with Access Request

Figure 9.3: Nested Group Hierarchy

Figure 9.4: LDAP Query

Figure 9.5: Result of LDAP Query

Figure 9.6: Delegating Control of the Finance OU in Active Directory Users and Computers

Figure 9.7: Adding Users to Delegate Control

Figure 9.8: Selecting Tasks to Delegate

Figure 9.9: Completion of Delegation of Control Wizard

Figure 9.10: Shared Folder Permissions Access Control List

Figure 9.11: Modifying Default Permissions on Registry Key

Figure 9.12: Advanced Registry Settings for HKEY_CURRENT_USER

Figure 9.13: Auditing Tab Options

Figure 9.14: Effective Permissions Options

Figure 9.15: Registry Node in Group Policy Object Editor Snap-In

Figure 9.16: Adding Key to Registry Access

Figure 9.17: Selecting the Software Node

Figure 9.18: View or Modify Permissions for Registry Key

Figure 9.19: Users Permissions Set to Read Only by Default

Figure 9.20: Advanced Settings Options

Figure 9.21: Modifying Permissions for the RegEdt32 Registry Key

Figure 9.22: Default Domain Policy with RegEdt32 Permissions Specified

Figure 9.23: Advanced Attributes for EFS Folder Encryption

Figure 9.24: File Attribute Indicating Encryption

Figure 9.25: EFS File Sharing Dialog

Figure 9.26: Adding User for Shared EFS File

Figure 9.27: No User Certificate Available

Figure 9.28: cipher.exe Commands, Part 1

Figure 9.29: cipher.exe Commands, Part 2

Figure 9.30: cipher.exe /R to Create Recovery Agent Key and Certificate

Figure 9.31: Structure of an Encrypted File

Figure 9.32: Encrypting File System Properties Dialog

Figure 9.33: Select Recovery Agents Dialog

Figure 9.34: Importing Certificate for Recovery Agent

Figure 9.35: Windows Warning Regarding Certificate Status

Figure 9.36: Default Domain Policy Encrypting File System Node

Figure 9.37: Key Backup from Microsoft Management Console

Figure 9.38: Export File Format for Certificate Only (Excludes Private Key)

Figure 9.39: Export File Format Including Private Key with Certificate

Figure 9.40: Certificate Export Wizard Successful Completion

Figure 9.41: Export Successful Notice

Figure 9.42: Create Secure Printer

Figure 9.43: SpoolDirectory in Registry

Figure 9.44: Startup and Recovery Options for Local Computer via Control Panel

Figure 9.45: Startup and Recovery Options

Chapter 10: Securing Network Clients

Figure 10.1: Enabling Syskey Encryption

Figure 10.2: Selecting Syskey Encryption Options

Figure 10.3: Confirmation of Syskey Success

Figure 10.4: Interactive Logons Using Local vs. Domain Accounts

Figure 10.5: Passport Sign-On through www.ebay.com

Figure 10.6: Passport on www.expedia.com

Figure 10.7: Creating a Remote Access Policy

Figure 10.8: Remote Access Authentication Methods

Figure 10.9: Remote Access Policy Conditions

Figure 10.10: Installing the Internet Authorization Service

Figure 10.11: The IAS Administrative Console

Figure 10.12: Configuring Permissions for IAS

Figure 10.13: Question 1 Illustration

Figure 10.14: Administrator Properties Sheet

Appendix A: Self Test Questions, Answers, and Explanations

Figure 2.22: Security Analysis Results

Figure 4.15: Figure for Question 1

Figure 5.22: IPSec Settings

Figure 5.23: Network Configuration

Figure 10.13: Question 1 Illustration

Figure 10.14: Administrator Properties Sheet