MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
Windows 2000 Active Directory Review
- Active Directory is an X.500-compatible directory service that utilizes the LDAP protocol.
- Active Directory is organized in a hierarchical structure modeled on the Domain Name System arrangement.
- Domains at the root of the forest automatically establish two-way transitive trusts between them, unlike previous versions of Windows NT.
- Child domains and their parent domain automatically establish two-way transitive trusts between them as well.
- Group Policy applied to an object is processed in the following order (by default): local, site, domain, organizational unit.

The Basic Windows 2000 Security Tools
- The key components of the Security Configuration tool set are Security templates, Group Policy security configuration objects, the Security Configuration and Analysis snap-in, and command-line tools.
- The Security Configuration and Analysis snap-in creates, configures, and tests security scenarios. You can create text-based .inf files that contain security settings. You can apply these files to the computer or save them for later use.
- Microsoft provides templates for configuring security. Default and incremental templates are available. Default templates are applied during a fresh install only. The incremental templates provide additional security above the defaults.
- Secedit.exe allows us to configure security from the command prompt.
- The Security Templates snap-in allows us to view and customize the template files stored in %windir%\security\templates.

Configuring Basic Windows 2000 Security with Templates
- Account policies define password policy, account lockout policy, and Kerberos policy.
- Local policies include the audit policy, user rights assignment, and security options.
- Event Log Configuration settings allow you to configure the length of time logs are retained as well as the size of the Event Logs.
- The Restricted Groups setting configures group membership and group nesting.
- Registry Policy sets permissions on Registry keys.
- The File System Security setting configures NTFS permissions for all local drives.
- The System Services setting controls the startup policy for all local services.

Deploying Security Templates
- The Security Configuration and Analysis snap-in can be used to deploy a security template to a local machine.
- Security settings can be deployed to a domain or OU via the security settings in a Group Policy object.
- You can deploy security templates across the network using the secedit.exe tool in a script or batch file.

Analyzing Your Security Configuration
- Compare security policies in the template with the actual state of the local machine. This practice allows administrators to see the differences before they apply the policy.
- Use Security Configuration and Analysis to view the results of an analysis in a graphical format.
- Use the secedit.exe tool to analyze security settings from the command prompt. This tool can be useful if combined with a script or batch file to automatically scan large numbers of computers.
- After differences in settings have been identified, you can determine the next course of action.
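
The template-versus-machine comparison described above, as an added example (not code from the study guide or from Microsoft): a Python script that diffs two files in the security template .inf layout and lists every setting where the machine deviates from the baseline. Both sample files, the function names, and the `<not set>` marker are constructed for this illustration.

```python
import configparser

# Constructed baseline template (sample values, security template .inf layout).
TEMPLATE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed stand-in for the settings read back from one machine.
MACHINE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
"""

def parse_inf(text):
    """Return {(section, key): value} for every setting in an .inf string."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    cp.optionxform = str  # setting names are kept exactly as written
    cp.read_string(text)
    return {(s, k): (v or "").strip()
            for s in cp.sections() if s not in ("Version", "Unicode")
            for k, v in cp.items(s)}

def compare(template, machine):
    """List (section, key, expected, actual) where the machine deviates."""
    findings = []
    for (section, key), expected in sorted(template.items()):
        actual = machine.get((section, key), "<not set>")
        if actual != expected:
            findings.append((section, key, expected, actual))
    return findings

if __name__ == "__main__":
    for section, key, expected, actual in compare(parse_inf(TEMPLATE_INF),
                                                  parse_inf(MACHINE_INF)):
        print(f"[{section}] {key}: template={expected} machine={actual}")
```

Settings that the template defines but the machine file lacks are reported as well, so a missing lockout threshold shows up alongside weakened values.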