The Importance of Time Synchronization

Sometimes it pays to be in a business for a long time. Recently, I was called in to resolve trust issues in a Windows Server 2003/NT 4.0 environment. Like many customers, my client could not afford to upgrade all Windows NT 4.0 domains at one time and required some trust relationships between Windows NT 4.0 domains and Windows Server 2003 domains. In most cases, this had not been an issue. Trust relationships were created, users were authorized to access resources, and so on. However, one stubborn Windows NT 4.0 domain refused to enter into a trust relationship with its Windows Server 2003 companion. Networking and name resolution issues had been eliminated, but still the trust could not be created.

In Figure 8-5, the user Peter in the trusted domain 3 is granted access to resources in the trusting domain B. Domain 3 is the trusted domain (Windows NT 4.0 naming convention) and has an incoming trust relationship (Windows Server 2003 naming convention) with domain B. Domain B is the trusting domain (Windows NT 4.0 naming convention) and has an outgoing trust relationship (Windows Server 2003 naming convention) with domain 3.

Figure 8-19. Trusting and trusted domains.
Windows Server 2003 also makes it possible to limit authentication for users from trusted domains. During trust creation, the administrator can choose to restrict authentication. This means that until servers are approved for authentication, access to their resources cannot be assigned to accounts that exist in the trusted domain. An administrator of the servers in the trusting domain must configure them to allow authentication. Until servers are configured, accounts in the trusted domain cannot access resources on any servers in the trusting domain.

External Trust Creation

To create an external trust, follow these steps:
1. Log on as a domain administrator and open the Start, Administrative Tools, Active Directory Domains and Trusts console.
2. Right-click the domain and select Properties from the context menu.
3. Click the Trusts tab and then click New Trust.
4. On the Welcome page, click Next.
5. Enter the DNS or NetBIOS name of the domain to create a trust with and click Next. If the other domain cannot be located and identified, Windows provides an opportunity to create a realm trust. (A realm trust is a trust created between a Windows domain and a non-Windows Kerberos realm.)
6. On the Trust page, click External trust, as shown in Figure 8-20, and then click Next.

Figure 8-20. Selecting an external trust type.

7. Select the Direction of Trust, as shown in Figure 8-21. In this example, a one-way outgoing trust is selected. A two-way trust means that users in both domains can access resources in either domain. A one-way trust is either incoming or outgoing.
8. Select the Sides of Trust, as shown in Figure 8-22, and then click OK. In this example, Both this domain and the specified domain is selected. Note the terminology. "This domain" is the local domain, the domain from which the trust is being configured. The "specified" domain is the domain with which the trust is being created. Both sides of the trust will be configured at the same time. (Credentials in both domains are necessary to do so.) If only one side of the trust is completed, an authorized administrator of the other domain must complete the trust.

Figure 8-22. Selecting which sides of the trust will be created.

9. Enter a username and password for an account in the specified domain with authority to create a trust. (This step is not necessary if only one side of the trust is created at a time.)
10. Select the scope of authentication, either domain-wide or selective, as shown in Figure 8-23, and click Next.

Figure 8-23. Selecting scope of authentication.

11. Note the summary and then click Next.
12. Note the trust completion message and click Next, as shown in Figure 8-24.

Figure 8-24. Noting completion.

13. Click Yes, confirm the outgoing trust in the confirmation box, as in Figure 8-25, and then confirm the trust by clicking OK. (Do not attempt to confirm the trust if only one side of the trust is being created.)
14. Click OK in the SID Filtering warning page. (SID Filtering is defined in the later section "SID Filtering: Catching SID Spoofs.")
15. In the Trusts property page, as shown in Figure 8-26, note that the domain now shows up in the proper category.

Figure 8-26. Reviewing trust properties.
External Trust Creation with a Windows NT 4.0 Domain

Creating a trust relationship with a Windows NT 4.0 domain is different from creating an external trust with a Windows Server 2003 or Windows 2000 domain because the Windows NT 4.0 domain only understands its own type of trust relationships. A Windows NT 4.0 trust can only be created by configuring one side of the trust in Windows Server 2003 and the other side from the Windows NT 4.0 PDC.

The first step is to determine the direction of trust. Does the Windows Server 2003 domain trust Windows NT 4.0, or does the Windows NT 4.0 domain trust Windows Server 2003? Are two trusts to be created, one in each direction? For simplicity, the following example uses an outgoing trust in which the Windows Server 2003 domain trusts the Windows NT 4.0 domain.
1. Log on to Windows Server 2003 as a domain administrator and click Start, Administrative Tools, Active Directory Domains and Trusts.
2. Right-click the desired domain and select Properties from the context menu.
3. Select the Trusts tab, click New Trust, and then click Next.
4. Enter the NetBIOS name of the Windows NT 4.0 domain and then click Next.
5. On the Direction of Trust page, click One-way: outgoing (Users in the specified domain, realm or forest can be authenticated in this domain), and then click Next. Outgoing means that the Windows Server 2003 domain trusts the external domain. The users and groups in the Windows NT 4.0 external domain can be assigned access to resources in the Windows Server 2003 domain.
6. Select the scope of authentication for users from the Windows NT 4.0 domain and then click Next. Two choices exist: Allow authentication for all resources in the local domain, or Allow authentication only for selected resources in the local domain.
7. Enter a password for the trust in the Initial Password box, as shown in Figure 8-27. This password will be used when creating the NT 4.0 side of the trust. After trust creation, Active Directory updates the trust password periodically.

Figure 8-27. Provide a password for the trust creation.

8. Confirm the trust password by entering it again in the Confirm Password box and then click Next.
9. Review the settings and then click Next. A confirmation message should appear.
10. Click Next and then click Yes. Click Finish followed by OK. A warning will inform you that the trust will not be created until the other side is configured.
11. Log on to the Windows NT 4.0 PDC as a domain administrator and open the Start, Programs, Administrative Tools, User Manager for Domains applet.
12. From the Policies menu, select Trust Relationships.
13. Click the Add button in the Trusting Domains box.
14. In the Trusting Domain box of the Add Trusting Domains dialog box, enter the Windows Server 2003 NetBIOS domain name.
15. In the Initial Password box, enter the password used in step 8. Click OK. Then, when the Windows Server 2003 domain name appears in the Trusting Domains list, as shown in Figure 8-28, click Add.

Figure 8-28. The trusting domain name is added to the Trusting Domains box.
To create a trust in which Windows NT 4.0 trusts Windows Server 2003, follow these steps:
1. Log on to the Windows NT 4.0 PDC as a domain administrator and open the Start, Programs, Administrative Tools, User Manager for Domains applet.
2. From the Policies menu, select Trust Relationships.
3. Click the Add button in the Trusted Domains box.
4. In the Domain box, enter the Windows Server 2003 NetBIOS domain name.
5. Enter a password for the trust, as shown in Figure 8-29, and click OK. Note that no confirmation password is entered.

Figure 8-29. Enter the domain name and add a password for the trust.

6. Read the message noting that the trust cannot be verified and click OK.
7. Click Close.
8. Log on to the Windows Server 2003 domain as an administrator and click Start, Administrative Tools, Active Directory Domains and Trusts.
9. Right-click the desired domain and select Properties from the context menu.
10. Select the Trusts tab; then click New Trust, followed by Next.
11. Enter the NetBIOS name of the Windows NT 4.0 domain and click Next.
12. Click One-way: incoming (Users in this domain can be authenticated in the specified domain, realm or forest). Then click Next.
13. Enter the password used in step 5 in the Trust password box.
14. Enter the password again in the Confirm trust password box and click Next.
15. Review settings; then click Next.
16. Read the message, as shown in Figure 8-30. Then click Next and click OK.
17. The domain is represented in the Trusts property pages, as shown in Figure 8-31.

Figure 8-31. Configured trusts are shown in the Trusts property pages.
WARNING: Seeing Is Not Believing

If a trust relationship is defined in the trust property pages, it does not mean that the trust is currently working. Validate that trusts are working by using the Trusts property pages of Windows Server 2003 or the netdom utility.

A two-way trust can be created between a Windows Server 2003 domain and a Windows NT 4.0 domain. To create a two-way trust, follow these steps:
1. Log on as a member of the Domain Admins group to the Windows Server 2003 domain controller.
2. Open the Active Directory Domains and Trusts console and right-click the domain; then click Properties.
3. Click the Trusts tab, click New Trust, and then click Next.
4. Enter the NetBIOS name of the Windows NT domain for the trust and then click Next.
5. Select Two-way (Users in this domain can be authenticated in the specified domain, realm or forest, and users in the specified domain, realm or forest can be authenticated in this domain). Then click Next.
6. Select the scope of authentication, and then click Next.
7. Enter a password for the trust. Then enter it again in the Confirm trust password box and click Next.
8. Review settings; then click Next.
9. Review the message, click Next, click Yes to confirm the outgoing trust, click Yes to confirm the incoming trust, and then click Next.
10. Enter the user name and password of an account with administrative privileges for the specified domain and then click Next.
11. The trust will fail because the NT domain does not support trust password verification. A Windows 2000 or a Windows Server 2003 domain does. Click OK in the warning message box that indicates that the trust must be completed at the other domain.
12. Click Finish and then OK.
13. Log on to the Windows NT 4.0 PDC as a domain administrator and open User Manager for Domains.
14. Select Trust Relationships on the Policies menu.
15. Click the Add button on the Trusted Domains box.
16. In the Domain box, enter the Windows Server 2003 NetBIOS domain name.
17. In the Password box, enter the password for the trust from step 7 and click OK.
18. Click the Add button on the Trusting Domains box.
19. Enter the Windows Server 2003 NetBIOS name.
20. Enter the password used in step 7; then click Close.
TIP: Trust Creation Problems

Trust creation may fail. Typically, you will see some indication while creating the trust. For example, networking problems or name resolution problems may prevent the connection with the other domain. In this case, a warning will appear. You must resolve these issues before you can proceed.

One common error is the lack of name resolution. Each domain must be able to locate the other. If DNS is not correctly configured, this can be a problem. Lmhosts files may be used to assist with name resolution, especially if Windows NT 4.0 domains are not listed in DNS. If you are unfamiliar with creating and using lmhosts files, see Knowledge Base articles 181171 (http://support.microsoft.com/default.aspx?scid=kb;en-us;181171) and 102725 (http://support.microsoft.com/default.aspx?scid=kb;en-us;102725).
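As an added example (not from the book) that covers both the netdom check recommended in the WARNING above and the lmhosts workaround from the TIP: a PowerShell script, run on the Windows Server 2003 domain controller of the trusting domain, that adds a preloaded lmhosts entry for the Windows NT 4.0 PDC, reloads the NetBIOS name cache, and then verifies (and if necessary resets) the trust with netdom. It assumes PowerShell and the Support Tools netdom utility are installed; the domain names, PDC name and address are hypothetical.

```powershell
# Added example, not the book's own procedure. All names below are hypothetical.
$TrustingDomain = 'CORP2003'     # Windows Server 2003 domain (trusting side)
$TrustedDomain  = 'NT4DOM'       # Windows NT 4.0 domain (trusted side)
$Nt4Pdc         = 'NT4PDC'       # NetBIOS name of the NT 4.0 PDC
$Nt4PdcIp       = '192.0.2.10'   # hypothetical PDC address (TEST-NET-1 range)

# 1. NT 4.0 domains are usually absent from DNS, so give the trusting side a
#    static lmhosts entry for the PDC. #PRE preloads the name into the NetBIOS
#    cache; #DOM: marks the host as a domain controller so domain (trust)
#    traffic for that domain is directed to it.
$lmhosts = Join-Path $env:SystemRoot 'system32\drivers\etc\lmhosts'
$entry   = "$Nt4PdcIp`t$Nt4Pdc`t#PRE`t#DOM:$TrustedDomain"
if (-not (Test-Path $lmhosts) -or
    -not (Select-String -Path $lmhosts -Pattern "\b$Nt4Pdc\b" -Quiet)) {
    Add-Content -Path $lmhosts -Value $entry
}
nbtstat -R | Out-Null   # purge the NetBIOS name cache and reload #PRE entries
nbtstat -c              # the PDC and the NT4DOM domain name should now be cached

# 2. Verify the trust's secure channel. netdom trust takes the TRUSTING domain
#    as its first argument and the TRUSTED domain in /d:. Only an exit code of
#    0 means the verification succeeded; the Trusts property page alone does
#    not prove the trust works.
netdom trust $TrustingDomain /d:$TrustedDomain /verify
if ($LASTEXITCODE -ne 0) {
    # A failed verify usually means a mismatched trust password or a broken
    # secure channel. /reset re-establishes it; credentials for both domains
    # are required, and '*' makes netdom prompt for each password so that
    # nothing secret appears on the command line or in shell history.
    netdom trust $TrustingDomain /d:$TrustedDomain /reset `
        /ud:"$TrustedDomain\Administrator"  /pd:* `
        /uo:"$TrustingDomain\Administrator" /po:*
    netdom trust $TrustingDomain /d:$TrustedDomain /verify
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Trust $TrustingDomain -> $TrustedDomain still fails; check name resolution first."
    }
}
```

Run it from an elevated prompt on the trusting domain controller; editing lmhosts and reloading the NetBIOS cache both require administrative rights.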