Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
2017-07-07 02:10:07
Chapter 1: The Challenge of Trusted Security Infrastructures
Table 1.1: Authentication Infrastructure Solutions
Table 1.2: Public Key Infrastructure Solutions
Table 1.3: Directory Solutions
Table 1.4: Provisioning Solutions
Table 1.5: Extranet Access Management System Vendors
Table 1.6: Microsoft TSI Services Built into Windows Server 2003
Table 1.7: Other Microsoft Software Providing TSI Services
Chapter 2: Windows Security Authorities and Principals
Table 2.1: Domain Functionality Levels
Table 2.2: Forest Functionality Levels
Table 2.3: Functionality Level Requirements for Windows Server 2003 Features
Table 2.4: Overview of Domain Controller FSMO Roles
Table 2.5: SID Structure
Table 2.6: Predefined SID Layouts
Table 2.7: SID Top-Level Authorities
Table 2.8: Well-Known SIDs
Table 2.9: Well-Known RIDs
Table 2.10: Windows Server 2003 Password Quality-Related GPO Settings
Table 2.11: Machine Password Update Registry Hacks
Table 2.12: Account Lockout Policy Settings
Table 2.13: Account Lockout–Related Management Tools
Table 2.14: AD Security-Related Replication Mechanisms
Chapter 3: Windows Trust Relationships
Table 3.1: Trust Types and Default Properties
Table 3.2: Key AD TDO Object Trust-Related Attributes
Table 3.3: Secure Channel Security Registry Hacks
Table 3.4: Trust and Secure Channel Troubleshooting Tools
Table 3.5: Firewall Port Configuration for Multiforest Scenarios
Chapter 4: Introducing Windows Authentication
Table 4.1: Common IT Authentication Protocols
Table 4.2: Overview of Authentication Methods
Table 4.3: Strong and Multifactor Authentication Options for Windows
Table 4.4: LM Compatibility Level Settings
Table 4.5: Runas Switches
Table 4.6: Anonymous Access–Related Security Options in the GPO Settings
Table 4.7: Logon Process Field Values
Table 4.8: Authentication-Related Event IDs
Table 4.9: Logon Type Field Values
Table 4.10: Logon Process Field Values
Chapter 5: Kerberos
Table 5.1: Kerberos–NTLM Comparison
Table 5.2: Kerberos Ticket Delegation Flags
Table 5.3: Configuration of Different Components
Table 5.4: Windows Server 2003 Groups: Group Membership and Definition Storage Locations
Table 5.5: Kerberos Ticket Content
Table 5.6: Kerberos Encryption Types: Key Lengths in Bits
Table 5.7: Kerberos Authenticator Content
Table 5.8: Kerberos Ticket Flags
Table 5.9: Mapping the Standard Kerberos “Master Key” to the PKINIT “Public-Private Key”
Table 5.10: Kerberos-Related Ports
Table 5.11: Kerberos-Specific Event IDs
Table 5.12: Kerberos Error Messages and Meaning
Table 5.13: Kerberos Troubleshooting Tools
Table 5.14: Non-Windows Kerberos Implementations
Chapter 6: IIS Authentication
Table 6.1: SSL/TLS Crypto Accelerator Devices
Table 6.2: SChannel Caching Registry Parameters
Table 6.3: SSL and HTTP Proxy Approaches
Table 6.4: IIS Authentication Method Comparison
Chapter 7: Microsoft Passport
Table 7.1: Passport Cookie Types
Table 7.2: Passport User Data
Chapter 8: UNIX and Windows Authentication Interoperability
Table 8.1: Windows and UNIX Authentication Characteristics
Table 8.2: Common UNIX Naming Services
Table 8.3: Solution Overview
Table 8.4: Password Synchronization Solutions
Chapter 9: Single Sign-On
Table 9.1: Simple SSO Solutions (Nonexhaustive List)
Table 9.2: Token-Based SSO Solutions (Nonexhaustive List)
Table 9.3: PKI-Based SSO Solutions (Nonexhaustive List)
Table 9.4: Credential Synchronization-Based SSO Products (Nonexhaustive List)
Table 9.5: Secure Client-Side Cache SSO Products (Nonexhaustive List)
Table 9.6: Secure Server-Side Credential Caching SSO (Nonexhaustive List)
Table 9.7: Advantages and Disadvantages of Different SSO Architectures
Table 9.8: Comparing Federation Mechanisms
Table 9.9: Authentication APIs
Table 9.10: Windows Server 2003 and XP SSO Technologies
Table 9.11: IAS Authentication Methods
Chapter 10: Windows Server 2003 Authorization
Table 10.1: Typical Windows Access Masks and Their Meaning
Table 10.2: Windows Impersonation Levels
Table 10.3: New Windows 2000 Authorization Features
Table 10.4: Comparing NT4 and Windows 2000 Inheritance
Table 10.5: Inheritance Flags Corresponding to the File System ACL Apply Onto… Setting
Table 10.6: Windows Server 2003 Property Sets and the Objects to Which They Can Be Applied
Table 10.7: New Windows Server 2003 Extended Rights
Table 10.8: Windows Server 2003 Validated Writes
Table 10.9: Windows 2000/Windows Server 2003 Security Groups
Table 10.10: Effect of the Windows Domain Modes on Windows Group Features
Table 10.11: New Built-In Windows 2000 Groups
Table 10.12: New Built-In Windows Server 2003 Groups
Table 10.13: Well-Known Security Principal Groups: Windows Server 2003
Table 10.14: Well-Known Security Principals: Windows 2000
Table 10.15: Windows Administrator Groups
Table 10.16: Administrator Tasks That Require Enterprise Administrator Permissions
Table 10.17: New Windows 2000 User Rights
Table 10.18: New Windows Server 2003 User Rights
Table 10.19: Predefined Windows Server 2003 Delegation Tasks
Table 10.20: Administrative Delegation for Network Service Management–Related Tasks
Table 10.21: Third-Party AD Delegation Tools
Table 10.22: Authorization Administration and Troubleshooting Tools
Chapter 11: Malicious Mobile Code Protection
Table 11.1: CAS Policy Types
Table 11.2: CAS Evidence Types
Table 11.3: Predefined Code Groups and Code Group Hierarchies
Table 11.4: CAS Permission Resources
Table 11.5: Preconfigured Permission Sets
Table 11.6: SRP/CAS Comparison
Chapter 12: New Authorization Tracks: Role-Based Access Control and Digital Rights Management
Table 12.1: Comparing the DAC and RBAC Access Control Models
Table 12.2: WRM Objects
Table 12.3: RMS Enrollment Procedures
Chapter 13: Introducing Windows Server 2003 Public Key Infrastructure
Table 13.1: Windows Server 2003 Stand-Alone Versus Enterprise CA
Table 13.2: RA Software for Windows Server 2003 PKI
Table 13.3: Windows Server 2003 PKI Information Stored in AD
Table 13.4: Creation of PKI-Related Information in AD
Table 13.5: Windows Server 2003 and XP Cryptographic Service Providers (CSPs)
Table 13.6: Windows Server 2003 Certificate Templates
Table 13.7: Certificate Template Properties
Table 13.8: Logical and Physical Certificate Store Containers for User, Machine, and Service Principals
Table 13.9: Physical Store Details
Table 13.10: Hardware Devices for Private Key Storage: Solution and Vendor Overview
Chapter 14: Trust in Windows Server 2003 PKI
Table 14.1: Certificate Constraint Extensions
Table 14.2: Name Constraint Types and Their Meaning
Table 14.3: Predefined Windows Server 2003 PKI Issuance Policies and their Meaning
Table 14.4: Predefined Application Policy Constraints and Corresponding OIDs
Table 14.5: Which Trust Model for Which Environment: Overview
Table 14.6: User PKI Trust Management Mechanisms
Table 14.7: Overview of the PKI Trust Constraints That Can Be Configured Using the Properties of a Version 2 Certificate Template
Table 14.8: PKI Trust Constraints and Corresponding CAPolicy.inf and Policy.inf Section Header and Tags
Table 14.9: Trust Constraint Inheritance in a Hierarchical Trust Model
Table 14.10: CA Trust Definition Overview
Chapter 15: The Certificate Life Cycle
Table 15.1: Windows Server 2003 CA Web Interface Options
Table 15.2: PKA Revocation Checking Support
Table 15.3: CDPs Flags
Chapter 16: Building and Maintaining a Windows PKI
Table 16.1: Advantages and Disadvantages of Insourcing Versus Outsourcing
Table 16.2: CA Installation and Configuration Options
Table 16.3: CA Installation and Configuration Options
Table 16.4: Windows Certificate Server Database Files
Table 16.5: Replaceable Parameter Syntax
Table 16.6: Windows Server 2003 PKI Administrative Roles
Table 16.7: Windows Server 2003 PKI Administrative Roles and Associated Tasks
Table 16.8: PKI-Related GPO Settings
Table 16.9: CA File System Level Data
Table 16.10: Certutil CA Backup and Restore-Related Switches
Table 16.11: CA Audit Categories
Table 16.12: Certificate Services Event IDs
Table 16.13: Important Certutil Switches
Table 16.14: Important Certreq Switches
Chapter 17: Windows Server 2003 PKI-enabled Applications
Table 17.1: Cipher Switches
Table 17.2: Comparison Between the Features of Remote EFS Operations on File Shares and Web Folders
Table 17.3: Password Change Scenarios and Their Effect on (a) the Password Hash Stored in the Local Security Database, (b) the Password Stored in the PRD Recovery Registry Folder, and (c) the Password Used to Secure the User’s Master Key
Table 17.4: File Encryption Products
Table 17.5: S/MIME Content Types and Services
Table 17.6: Outlook Client S/MIME Features
Table 17.7: Outlook 2003 S/MIME-Related Registry Settings
Table 17.8: Smart Card Management Software
Chapter 18: Windows Server 2003 Security Management
Table 18.1: GPO Security Settings Containers and Equivalent NT4 Administration Tool
Table 18.2: New Windows Server 2003 Security Options
Table 18.3: Windows XP and Windows Server 2003 Security Templates
Table 18.4: Secedit Switches
Table 18.5: Third-Party Security Policy Management Tools (Nonexhaustive)
Table 18.6: Security Policy Management: Overview
Table 18.7: Automatic Update Registry Keys
Table 18.8: SUS Client Registry Keys
Table 18.9: Third-Party Security Patch Management Software
Table 18.10: Event Logging-Related Registry Hacks
Table 18.11: Event Logging-Related Registry Hacks Recommended Settings
Table 18.12: Audit Policy Categories
Table 18.13: Recommended Audit Policy for Domain Controllers and Members Servers
Appendix A: The ITU-T X.509 Standard for Certificate and CRL Formats
Table A.1: X.509 Certificate Format
Table A.2: X.509 CRL Format