Miscellaneous Backup Tools

While you should create both system state backups and data backups, many functions and services provide tools for backing up their critical data, thus allowing recovery of their functions without restoring the entire computer. Some of these functions are user-oriented, such as the password reset disk and EFS import and export functions, whereas others are relevant to the user or computer, such as registry backup. Nevertheless, they may have meaning and use on servers when account profiles may be stored there or where standalone servers are used. Other backup functions are provided to assist in the recovery of network services, such as DHCP, DNS, and WINS.

Backup Critical User Functions

On a standalone server, local accounts may be used for administration of the server and its services, or provided for special operations, such as database administration, or file backup and management. These accounts can be managed by local administrator accounts, and passwords can be reset using Computer Management. When local accounts on a standalone server are reset, it is possible to lose data (for example, if the local accounts have been used to encrypt files or if the server has recorded an Internet password). If the user of a local account forgets his or her password, instead of having an administrator reset the password, the user should use a password reset disk. The disk must be made before the password is reset.

If an administrator has already reset the user's password, thus preventing them from accessing encrypted files, the user can use his backup of EFS keys to regain access to them.

Password Reset Disk

When a local account is created on a standalone server, a password reset disk should be made. (This option is also viable for Windows XP computers that will not be joined to a domain.) A public and private key pair is created when a password reset disk is created. The private key is stored on the password reset disk; the public key is used to encrypt the local user account password. If a user forgets their password, the password reset disk can be used. The Forgotten Password Wizard uses the private key on the disk to decrypt the local password, and the user is prompted to enter a new password.

Password reset disks should be stored in a safe place, as an unauthorized individual could use them to gain access to the computer. In some environments, password reset disks should not be made in order to reduce risk. In these environments, the type of data that is at risk may also be disallowed or alternative recovery methods can be put into place.

To create a password reset disk, follow these steps:
To use the password reset disk, follow these steps:
It is not necessary to create a new password disk after changing the account.

EFS Import and Export Functions

EFS encrypted files use a public/private key pair to protect the symmetric key used to encrypt the files. The public/private key pair is stored in the user's profile. If something happens to the keys, such as if the profile is destroyed or if a local computer account user's password is reset, it will not be possible for the user to decrypt the encrypted files. If the keys have been exported, they can be imported into a user profile, and the files can be accessed. Alternatively, if key archival has been configured, the keys can be recovered. (For more information on how EFS works and how to export and import keys, see Chapter 6, "EFS Basics," and for information on key archival, see Chapter 13, "Implementing a Secure PKI.")

Backup and Restore Registry Keys

The registry is backed up when you back up the system state data. Nevertheless, when modifying registry keys, it is a good idea to back up or export the key that holds the value before you change it.

To export a registry key, follow these steps:
To restore the registry key, double-click the .reg file to which you exported the key.

Backup Network Services and Other Server Utilities

Network services information is backed up when a complete backup is made. In addition, much of the information may be duplicated on other servers of the same type that are established as secondary servers (DNS) or replication partners (WINS), and local backups of configuration data may be made.

DNS Backup

DNS secondary servers are usually deployed to provide alternative and redundant sources of DNS databases. When DNS data is stored in the Active Directory, secondary servers can be established, but it is not necessary because each domain controller will have a copy of the data. A backup of the DNS zone file is saved in the <%systemroot%>\DNS\backup folder. If DNS is integrated with Active Directory, the backup files are not updated.

To recover a zone from the backup, follow these steps:
DHCP Backup

The DHCP database is backed up automatically every 60 minutes to <%systemroot%>\DHCP\backup. You can also use the backup command from the DHCP console or the Backup program. (You do not need to stop the DHCP service to make a backup.) When the database is backed up from the DHCP console, all scopes, reservations, leases, options, registry keys, and other configuration settings, such as audit log settings and folder location settings if configured in DHCP property pages, are backed up. Dynamic update credentials, such as the user name, domain, and password used when registering DHCP client computers with DNS, are not backed up.

Changing DHCP Backup

Change the default DHCP database backup interval at this registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval

To restore the database, use the Restore command from the Action menu of the DHCP console.

WINS Backup

WINS database backups are not made by default. If you want to back up the database, you must set the database backup path and perform a backup.

To change the WINS database backup path, follow these steps:
To back up the WINS database, follow these steps:
TIP: Database Location is Important

The WINS database must be restored from the same location it was backed up to.

To restore the WINS database, follow these steps:

Remote Storage Data

When removable storage or remote storage is used, back up the following files on a regular basis. This makes it possible to restore remote storage and removable storage data:

<%systemroot%>\System32\Ntmsdata
<%systemroot%>\System32\remotestorage

If you need to restore remote-storage files, you cannot do so to a different folder.
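
The advice under "Backup and Restore Registry Keys" (export the key before changing a value) applied to the DHCP BackupInterval value named under "Changing DHCP Backup", as an added PowerShell example that is not from the original text. The new interval of 30 and the C:\RegBackups folder are assumptions; the script refuses to change the value unless the export succeeded.

```powershell
# Added example: export a registry key to a .reg file, then change one value in it.
# Run from an elevated PowerShell session on the DHCP server.
$ErrorActionPreference = 'Stop'

# Key path and value name are taken from the text above.
$regKey   = 'HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
$psKey    = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters"
$valName  = 'BackupInterval'
$newValue = 30               # assumed new interval, in minutes (the text gives 60 as the default)
$outDir   = 'C:\RegBackups'  # assumed folder; keep its ACL limited to administrators

if (-not (Test-Path -Path $psKey)) {
    throw "Key not found: $regKey (is the DHCP Server service installed?)"
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$regFile = Join-Path $outDir "DHCPServer-Parameters-$stamp.reg"

# Export first. If this fails, stop before touching the live value.
& reg.exe export $regKey $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $regFile)) {
    throw "Export failed; $valName was not changed."
}

# Record a hash so a later restore can confirm the file is the one written here.
$hash = (Get-FileHash -LiteralPath $regFile -Algorithm SHA256).Hash

# Read the current value (may be absent), then write the new one as a REG_DWORD.
$old = (Get-ItemProperty -Path $psKey -Name $valName -ErrorAction SilentlyContinue).$valName
Set-ItemProperty -Path $psKey -Name $valName -Value $newValue -Type DWord

# Summary for the change record.
[pscustomobject]@{
    Backup   = $regFile
    SHA256   = $hash
    OldValue = $old
    NewValue = (Get-ItemProperty -Path $psKey -Name $valName).$valName
}
```

To roll back, import the file recorded in the Backup field, either by double-clicking it as described above or with reg.exe import.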