Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
Windows Time ServiceMaintaining a correct computer time is important to security for two reasons. First, it is important that security events are recorded with the correct timestamp. If it is necessary to determine when something happened, or to match user logon times to events, it is important to be able to prove that the computer clock is accurate. Standalone Windows 2003 servers can be synchronized with an external timeserver using the Date and Time applet in the Control Panel or by using the net time command at the command line. (The time on Windows 2003 servers joined in a domain cannot be synchronized using this applet.) An external timeserver can be a reliable source on the network or a public timeserver on the Internet. If one Windows Server 2003 computer is synchronized with an external source, the rest of the Windows Server 2003 computers can be synchronized with it.To set the server to synchronize with an external time source, follow these steps:Open the Date and Time applet in the Control Panel.Select the Internet Time tab.Enter the Internet address for an accurate time source. The default is time.windows.com, a timeserver that is operated by Microsoft. You can change the timeserver name, but the timeserver must use NTP (RFC 1305). A timeserver that uses HTTP will not work. WARNING: A Local Hardware-Based Time Clock May Be RequiredIt may be possible to spoof timeservers on the Internet. If your time service obtains the time from a fraudulent timeserver, no time-based process on the machine can be depended upon. To lessen the possibility of this happening, a hardware clock on the local network can be used. These clocks receive their time synchronization via radio waves and can become the source for computer time on your network. A list of these clocks can be found at http://www.boulder.nist.gov/timefreq/general/receiverlist.The time service will attempt to synchronize once a week with the timeserver; however, if it is not connected to the Internet at this time, it will be unable to do so. To force synchronization of non-domain member Windows computers, click the Update Now button on the Internet Time tab of the Date and Time applet, as shown in Figure 2-9. (The Update Now button will not be available if your computer is a member of a domain.) Figure 2-9. The Internet Time tab. You can also use the net time command or the W32tm command to establish the use of a specific timeserver. In the following command, computername stands for the name of the computer and timeserverlist represents a list of timeservers that can be used to obtain the correct time: Here, computername specifies the name of the computer to synchronize with and timeserverlist is the list of IP addresses or fully qualified domain names (separated by spaces) of servers to be used. If multiple timeservers are listed, the list must be enclosed in quotes. A list of timeservers available on the Internet can be located at http://boulder.nist.gov/timefreq/service/time-serversl. Both IP address and computer name are listed. For best results, use the IP address instead of the computer name in your configuration.The following command, where domainname is the name of the domain, will synchronize the current computer with the time of the domain: The Windows Server 2003 time service is used to synchronize computer clock time for all computers in the forest. All computers in the forest will attempt to synchronize their clocks with the domain controller that holds the role of PDC emulator for their domain or with another domain controller. Domain controllers, in turn, attempt to synchronize with the PDC emulator in the root domain of the forest, although they can synchronize with other domain controllers. The PDC emulator in the root domain for the forest should be set to synchronize with an external time source or with a valid timeserver on the LAN.Group Policy can be used to configure the time service of domain computers to use an alternative timeserver and to use the Windows server as a timeserver. For more information on the time service, see the white paper "Using Windows Time Service in a Managed Environment" at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx. |
لطفا منتظر باشید ...
