Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] (text version)

Roberta Bragg


Computer Accounts and Authentication Controls


Computer accounts are also security principals. Therefore, no study of Windows authentication or Windows administration should ignore them. You should understand how computer accounts are created, how their passwords are changed, and what you can do to affect how they are processed.

Computer Account Creation and Passwords


If a computer account has not been prestaged (created in Active Directory before the computer joins the domain), an account is created for the computer when a Windows NT 4.0, Windows 2000, Windows XP Professional, or Windows Server 2003 computer is joined to a Windows domain. The computer account is placed by default in the Computers container, but it can be moved to an Organizational Unit (OU). (Windows 95 and Windows 98 computers cannot join a domain, although users with valid domain accounts can log on to the domain from these computers.) During the join, the domain controller creates a password for the computer account, provides it to the computer, and stores its hash in the Active Directory database. At every later restart, these credentials are used to authenticate the computer to the domain and to download its security policy. By default the computer changes its password every 30 days and sends the new password to the domain controller.

Computer account passwords are very strong. They are created and managed by the operating system, and you cannot set them directly. I also have not found an application that can crack or otherwise deduce them, and even if you could determine a computer account password, you could not use that credential for an interactive logon.

Computer Account Processing Manipulation


You can manipulate three controls that affect computer account processing. First, by default, domain users have the right to join up to 10 computers to the domain. This right can be extended in Group Policy by granting a specific group the user right to join any number of computers to the domain. Second, by prestaging computer accounts, you can restrict which users can join which computers, and by moving computer accounts into specific OUs, you control the security settings applied to those computers. Finally, you can prevent computer account passwords from changing. This is not a good security practice, but it is sometimes used for computers that are not in regular contact with their domain controllers, because such computers may otherwise eventually find that they no longer hold a valid password and cannot authenticate to the domain.

In addition to manipulating these controls, you affect computer account processing by choosing the OU in which the computer account sits. The OU determines which GPOs apply to the computer, because a GPO sets security policy for the objects within the container it is linked to.

To manage the right to join computers to the domain, add or remove groups from the Group Policy user right Add workstations to domain. User rights are located under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. Because the computer account is created on a domain controller, this change should be made in the Default Domain Controllers Policy of each domain you want to manage.
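The two settings that the preceding paragraphs describe can be audited from PowerShell. The following is an added example and is not code from the book; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, which Server 2003 itself does not ship) and is run with administrative rights on a domain controller. The "up to 10 computers" default lives in the ms-DS-MachineAccountQuota attribute of the domain object, and the user right from the Default Domain Controllers Policy appears on the domain controller as the SeMachineAccountPrivilege entry in an exported security template.

```powershell
# Added example: audit who may create computer accounts in this domain.
# Requires the ActiveDirectory module; run elevated on a domain controller.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The implicit quota that lets ordinary users join up to 10 computers.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# To remove the implicit right entirely (joins then require the user right
# or explicit delegation on a prestaged account), set the quota to 0:
# Set-ADObject -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}

# 2. Holders of "Add workstations to domain" (SeMachineAccountPrivilege) as
#    currently applied on this DC. secedit exports the effective user rights
#    to an INF file; each holder is listed as *SID.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' |
        Select-Object -First 1
if ($line) {
    $sids = ($line.Line -split '=', 2)[1].Trim() -split ','
    foreach ($s in $sids) {
        $sidText = $s.Trim().TrimStart('*')
        try {
            # Translate S-1-5-32-544 style SIDs back to DOMAIN\Name for readability.
            (New-Object System.Security.Principal.SecurityIdentifier($sidText)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $sidText   # unresolvable SID: print it raw
        }
    }
} else {
    'SeMachineAccountPrivilege is not assigned on this domain controller.'
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

On a freshly built domain the quota is 10 and the right is held by Authenticated Users and Administrators; if you tighten one control, check the other, because either one on its own lets a principal create computer accounts.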

To prestage computer accounts, follow these steps:

1. Choose Active Directory Users And Computers from the Administrative Tools menu.

2. Navigate to the container (an OU or the Computers container) in which the computer account should reside.

3. Right-click the container and select New, Computer.

4. Type the Computer Name and the User Or Group that is allowed to join this computer to the domain, as shown in Figure 2-10, and click OK.

Figure 2-10. Prestaged accounts provide greater control over who is authorized to join the computer to the domain.
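The same prestaging, as an added PowerShell example that is not from the book. It creates the account in a chosen OU and then writes on the object the access control entries that a delegated join needs (Reset Password, validated writes to the DNS host name and service principal name, and Write Account Restrictions), which is what the User Or Group field of the dialog does for you. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); the computer name, OU and group are placeholders. After running it, compare the object's Security tab in Active Directory Users And Computers with an account prestaged through the dialog.

```powershell
# Added example: prestage a computer account and delegate the join to one group.
# Requires the ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$ComputerName = 'WKS-ACCT-01'                          # assumed computer name
$TargetOU     = 'OU=Workstations,DC=example,DC=com'    # assumed OU
$JoinGroup    = 'EXAMPLE\Desktop-Techs'                # assumed group allowed to join

# Create the account in the OU whose GPOs should govern this machine.
New-ADComputer -Name $ComputerName -SamAccountName $ComputerName -Path $TargetOU -Enabled $true
$computer = Get-ADComputer -Identity $ComputerName

# Rights a domain join must exercise on a prestaged object, by schema GUID.
$joinRights = @(
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # Reset Password
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }  # Validated write to DNS host name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }  # Validated write to SPN
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }  # Write Account Restrictions
)

$sid  = (New-Object System.Security.Principal.NTAccount($JoinGroup)).
            Translate([System.Security.Principal.SecurityIdentifier])
$path = "AD:\$($computer.DistinguishedName)"   # AD: drive is provided by the module
$acl  = Get-Acl -Path $path

foreach ($r in $joinRights) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$r.Guid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Show what was delegated, so the result can be checked against the GUI.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq $JoinGroup } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Because only the listed group holds these ACEs, a user who is merely within the default join quota cannot take over the prestaged name; the join succeeds only for members of that group, which is the control the book's procedure is meant to give you.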


To prevent computer passwords from changing, perform these steps:

1. Open the Group Policy Object linked to the container that manages this computer account.

2. Under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, set Domain member: Disable machine account password changes to Enabled. The computer will no longer attempt to change its password.


WARNING: Don't Disable the Machine Account Password Change Security Option

Ordinarily, you should not change this option. It is good security practice to ensure that computer account passwords are changed frequently. If you have problems with password synchronization, first try to resolve them by changing the number of days between password changes with the security option Domain member: Maximum machine account password age.

TIP: Don't Be Confused

The language used in many security settings can be confusing, so read each one carefully and understand it in context. For example, if you want to use the security option Domain member: Disable machine account password changes to stop computer account passwords from being changed automatically, you might think you should select Disabled. If you read the option carefully, however, you'll see that this is not the case. Instead, you enable the disabling of computer account password changes. If you disable a disable, you are re-enabling the normal account maintenance. This is awkward, but it is the way it is.
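The procedure and the warning above can both be checked from PowerShell. The following is an added example and is not code from the book. The two security options, Disable machine account password changes and Maximum machine account password age, are delivered to the member computer as the registry values DisablePasswordChange and MaximumPasswordAge under the Netlogon service parameters; Test-ComputerSecureChannel and Reset-ComputerMachinePassword are standard cmdlets (Windows PowerShell 2.0 and later). The domain-wide query assumes the ActiveDirectory module (RSAT) and uses a two-times-maximum-age threshold chosen here for illustration.

```powershell
# Added example: audit machine account password rotation locally and domain-wide.

# 1. What the two "Domain member" security options have set on this computer.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$p = Get-ItemProperty -Path $netlogon
$changeDisabled = [bool]$p.DisablePasswordChange                # 1 = "Enabled" in the GPO
$maxAgeDays     = if ($p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }  # default 30
"DisablePasswordChange = $changeDisabled ; MaximumPasswordAge = $maxAgeDays days"
if ($changeDisabled) {
    'WARNING: machine account password rotation is disabled on this host.'
}

# 2. Does the domain still accept this computer's current password?
if (Test-ComputerSecureChannel) {
    'Secure channel OK: the DC accepts this machine account password.'
} else {
    'Secure channel broken. Repair (needs a domain account allowed to reset it):'
    '  Reset-ComputerMachinePassword -Server <DC> -Credential (Get-Credential)'
}

# 3. Domain-wide: enabled computers whose password is far older than the
#    maximum age. Either they are offline or rotation has been disabled on them.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-2 * $maxAgeDays)      # illustrative threshold: twice the maximum age
Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet,
        @{ Name = 'DaysOld'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object DaysOld -Descending
```

Step 3 is the practical version of the warning: a computer listed there with a small DaysOld value has simply been off the network, while one whose password has not rotated in many multiples of the maximum age is worth inspecting for the Enabled setting of Disable machine account password changes in its applied GPOs.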

