Active Directory Restore

Part of a successful Active Directory restoration is the planning and fulfillment of adequate directory backup, the selection of the proper type of restore, and practice in a complete restore. Even the smallest Active Directory implementation cannot survive a complete operational failure or disaster without appropriate backups and planning. As detailed in the section "System State Backup," it is not enough to simply copy the database file ntds.dit. Instead, you must have a complete system state backup. To restore, you must restore the system components, and they must be restored in a specific order. When ntbackup is used to restore the system state files that ntbackup backed up, this order is followed. Do not assume that every backup product understands which files need to be backed up for a system state backup, or the order in which they must be restored. Files must be restored in the following order:
In addition to running ntbackup to restore system state, you must determine what kind of Active Directory restore is necessary:

Primary restore is necessary when restoring the first DC in a domain, or the only working server of a replicated data set. In this case, all the DCs in the domain are lost, and you are working from backup.

Normal (non-authoritative) restore is done to restore a replica of the directory that does not need to propagate any of its differences at the time of restore to the other DCs. Instead, changes that occurred since the backup are replicated to the restored DC from other DCs in the domain.

Authoritative restore of a deleted object. A replica is restored from a backup created before the object was deleted, and this object in the restored replica is given precedence over the other domain replicas. That is, the object is replicated to the other DCs in the domain. (The restored replica receives all other changes from the existing DCs via replication.) The end result is simply that the deleted object is restored.

Authoritative restore of an earlier version of Active Directory. A replica is restored from a backup, and the restored replica is given precedence over the other domain replicas. The end result is a return to the Active Directory state of that replica.

Restore from a backup older than the Active Directory tombstone lifetime. Although this is not recommended and will not be a complete solution, it may be better than reloading the entire domain or Active Directory infrastructure from scratch.

Normal Restore

In a normal restore, the restored DC's objects retain their update sequence numbers (USNs), which are used to determine whether an object needs replicating. Because objects in Active Directory may have been changed since the backup was created, the objects that are not up-to-date in the restored replica will appear to be old, and the newer changes will be replicated to the restored DC in the normal manner.
If the reason for the restore is to undelete an object or to recover from changes made to Active Directory, a normal restore will not work, because the restored information will be overwritten during the next replication and never replicated to the other DCs. To replace objects or recover from changes, an authoritative restore must be done.

Authoritative Restore

During an authoritative restore, ntdsutil is used to change the update sequence number of an object so that it is higher than any other update sequence number in the Active Directory replication system. Objects and subtrees can be restored from an archived Active Directory database. The impact of an authoritative restore depends on the type of object restored. For example, trust and computer account passwords are renegotiated every 30 days by default. (Computer account password negotiation can be turned off by an administrator, but trust password negotiation cannot.) When performing a partial authoritative restore (only some objects will be restored), restore only the necessary objects. For example, rather than restoring the entire domain naming context, in which trust information, trust passwords, and computer passwords are stored, restore only the objects that are needed. User accounts are another kind of object that, if they must be restored, require additional work to return their status to the way it was. The section "Recovering Deleted User Accounts: An Example of a Complex Authoritative Restore" illustrates the authoritative restore process and details the impact the object to be restored can have on the process. Before performing an authoritative restore at the object level, you must understand the implications of restoring that object.
Examples of issues that you may encounter during an authoritative restore are:

Resetting the offline administrator password

Recovering from an authoritative restore's impact on computer accounts and trusts

Recovering deleted user accounts

Restoring using a backup older than the Active Directory tombstone lifetime

Resetting the Offline Administrator Account Password

The offline administrator account is also referred to as the authoritative restore administrative account; it is created, and its password entered, during dcpromo. The password for this account can be reset using the setpwd command-line tool on a DC in online mode on a Windows Server 2003 DC or on a Windows 2000 DC with Service Pack 2 or later. On Windows Server 2003, use the set dsrm password command in ntdsutil. To reset the offline administrator account, follow these steps:

Recovering from the Impact of Authoritative Restore on Computer Accounts and Trusts

If the trust passwords that are restored do not match the current trust password, communication with domain controllers in the trusted domain will be blocked. If a computer account password is restored and no longer matches the one known to the computer, the member computer will not be able to communicate with its domain. In either case, the solution is the same as that required whenever these passwords get out of sync. (Passwords might get out of sync, for example, if a member computer cannot communicate with the domain at the time the password should be renegotiated.) To recover a trust relationship, the trust should be removed from both sides and then recreated. If many trusts must be removed and recreated, use the Netdom utility and do them as a batch.
To recover communications between a domain computer and its domain, the computer can be removed from the domain and then rejoined.

Recovering Deleted User Accounts: An Example of a Complex Authoritative Restore

If user accounts are accidentally deleted, there are many ways to recover them:

New accounts can be added, but all previous group memberships and privileges will also have to be recreated. Accounts cannot simply be recreated as new users: if they are, they will receive a new SID, and therefore any permissions granted to the old account will be invalid. If all permissions are assigned according to group membership, the old status can be recovered by adding the user account as a member of the appropriate groups. Any objects owned by the old account will not be owned by the new account. If it is necessary to return ownership of these objects to the user, an administrator can take ownership of the objects and give the user ownership privileges. In a small environment, if one or a few accounts have been deleted, this may be an acceptable solution. In other cases, a more efficient way of recovering deleted user accounts is an authoritative restore of the deleted account.

Perform an authoritative restore of the deleted user account, and then manually add the account to the appropriate groups.

Perform an authoritative restore of the deleted account and of the groups the account was a member of. To do so, you must use a backup of a GC domain controller from the domain in which the account was deleted, because only this GC stores Universal group membership information. The drawback of this method is that additions to security groups made prior to the backup used in the restore will be lost and must be manually entered.

In a Windows Server 2003 Active Directory domain, you may be able to use the Repadmin method to authoritatively restore users, groups, and computers without having a backup.
To do so, the following conditions must be true: you must have a latent global catalog DC (a GC that has not yet replicated the deletion and so still holds the accounts); the forest must be at the Windows Server 2003 or Windows Server 2003 Interim forest functional level; only user or computer accounts must have been deleted; and the deleted accounts must have been added after the move to the Windows Server 2003 level. If all of these are true, the group membership links can be rebuilt through outbound replication after the authoritative restore.

In a Windows Server 2003 domain, you may also be able to reanimate deleted user accounts.

When an authoritative restore is used and the user account contains attributes such as managedBy and memberOf, you may need to do additional work after the restore. This is because these attributes are back links to other objects in the directory. Back links and forward links are attributes that link objects together; for example, the memberOf attribute is a back link in the user account that links the user account to a group. The member attribute of the group is a forward link that links the group to its member accounts. If you must restore an object with a forward link attribute, you must first make sure that the object containing its back link exists within Active Directory. If you must restore user accounts and groups, you cannot restore a group until all of its member accounts exist in Active Directory. (Member accounts may be user accounts, computer accounts, or other groups.) This is why an authoritative restore of user accounts and the groups they are members of must be done twice: once to restore the accounts and once to restore the groups.

The process of authoritative restore requires you to restore the most recent backup of the DC, or to stop the latent GC DC from replicating, and then, in both cases, to use ntdsutil to authoritatively restore the deleted objects. This is not a trivial undertaking, and your first attempt should be in a test forest.
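The two-pass rule above, worked through as an added example that is not from the book or from Microsoft's tooling: a small Python model of a directory in which only the member forward link is stored and memberOf is derived from it. The DNs, objects, and the delete and restore functions are constructed for the illustration; it shows why a group restored before its members (or a nested group restored before the group it contains) loses the corresponding link values.

```python
from copy import deepcopy

# Constructed backup taken before the deletion. Only the forward link
# (member) is stored; memberOf is a back link derived from it.
USER = "CN=Alice,OU=Users,DC=example,DC=com"
PC = "CN=PC1,OU=Computers,DC=example,DC=com"
OPS = "CN=Ops,OU=Groups,DC=example,DC=com"
ADMINS = "CN=Admins,OU=Groups,DC=example,DC=com"
BACKUP = {
    USER: {"class": "user", "member": []},
    PC: {"class": "computer", "member": []},
    OPS: {"class": "group", "member": [USER, PC]},
    ADMINS: {"class": "group", "member": [OPS]},  # nested group
}

def delete_objects(directory, dns):
    """Delete objects; member links pointing at them vanish from every group."""
    for dn in dns:
        del directory[dn]
    for obj in directory.values():
        obj["member"] = [m for m in obj["member"] if m not in dns]

def restore_objects(directory, backup, dns):
    """Authoritatively restore objects in the given order. A forward link whose
    target does not exist at restore time is dropped; dropped links are returned."""
    dropped = []
    for dn in dns:
        obj = deepcopy(backup[dn])
        directory[dn] = obj
        dropped += [(dn, m) for m in obj["member"] if m not in directory]
        obj["member"] = [m for m in obj["member"] if m in directory]
    return dropped

def member_of(directory, dn):
    """Derive the memberOf back link of dn from the groups' member forward links."""
    return sorted(g for g, o in directory.items() if dn in o["member"])

def run_restore(passes):
    """Delete the user, computer and Ops group, apply the restore passes, and
    report Alice's memberOf plus every link lost along the way."""
    directory = deepcopy(BACKUP)
    delete_objects(directory, [USER, PC, OPS])
    dropped = []
    for dns in passes:
        dropped += restore_objects(directory, BACKUP, dns)
    return member_of(directory, USER), dropped

if __name__ == "__main__":
    # Single pass with the groups first: Ops loses both of its member links.
    print(run_restore([[OPS, ADMINS, USER, PC]]))
    # Accounts first, then groups (innermost group first): nothing is lost.
    print(run_restore([[USER, PC], [OPS, ADMINS]]))
```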
If you must restore deleted user accounts and group memberships, Microsoft Knowledge Base article 840001, "How to Restore Deleted User Accounts and Their Group Memberships in Active Directory," provides detailed instructions on the process, including command syntax and pointers to more information. The process is outlined next. To restore user accounts, computer accounts, or security groups, follow these steps:

Restore from Backup Older than Active Directory Tombstone Lifetime

If other DCs in the domain exist, restore the old backup, and the changes to Active Directory will replicate to the DC. You will have to make other system changes unique to this DC that are not integrated in Active Directory.

If all DCs have been destroyed, restore one server from the old backup and create new DCs. The data from the old, restored DC will replicate to the new DCs.

Manually Deleting Objects Restored from an Outdated Backup

If a backup older than the Active Directory tombstone lifetime must be used to restore Active Directory, objects may exist on the restored replica that do not exist on the other DCs in the domain. Although using such a backup is not recommended, it may still be preferable to recreating the domain from scratch. If the backup is used, these objects must be manually deleted. The deletion process will depend on the object that needs to be deleted. It may be possible to use one of the GUI administration tools to delete the object, or you may need to use the adsiedit.exe support tool or some combination of tools to complete the deletion.

For example, if you must delete a DC object from Active Directory and the DC no longer exists, use the information in KB article 247393 (http://support.microsoft.com/default.aspx?scid=kb;en-us;247393). It may be possible to complete the deletion by removing the object from Active Directory Sites and Services, or you may have to use ntdsutil and Adsiedit as detailed in KB article 216498 (http://support.microsoft.com/kb/216498/EN-US/).