Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
Group Policy in Forest and Multiforest ScenariosGroup Policy is primarily a domain-centric process. That is, Group Policy Objects (GPOs) are created to control users and computers that have accounts in specific domains. The GPOs are linked to the domain or the domain's OUs. The exception to this is the Site GPO, a rare beast that can impact users in multiple domains depending on the location of domain users and computer accounts and where they log on. However, site policies only affect computers and users whose accounts reside in that site. The site GPO is limited to a single forest. There is no Group Policy mechanism for managing users forest-wide, and there is no mechanism for implementing a single GPO that can impact multiple forests.However, it is still necessary to manage Group Policy across multiple domains in a forest to ensure consistency of policy. It may also be useful to be able to manage Group Policy across forest boundaries. The tedious practice of inspection, reviewing, querying, using, and understanding Group Policies in the forest can be alleviated by using the Group Policy Management Console (GPMC). Using GPMC in a Multidomain Forest and with Multiple ForestsGPMC was introduced in Chapter 8, and its functionality was described for use by a single domain. In a multidomain forest, you can use these same functions to view GPOs for a domain, and you can use GPO planning and logging mode for each domain in the forest. Remember: There is no such thing as a GPO that is created at the forest level. If you understand and have practiced with GPMC in a single domain, you have most of the knowledge needed to use it in a multiple-domain forest or with multiple forests. However, there is one major issue with using GPMC in this environment. When GPMC is used to copy a GPO from one domain to another, you must be aware of domain-specific information and make adjustments accordingly.Most of the information in a GPO is not domain-specific, and copying this part of the GPO to another domain does not cause a problem. Other information, such as user and Group SIDs, is domain-specific, and URLs may be, too. Leaving these items as they are in the original GPO may interfere with proper functioning of the new GPO at its new location. For example, if a group of user rights is assigned to domain A's groups, and the GPO is copied for use in domain B, what will it mean? Users from domain A will have access to domain B rightsis this what you wanted? Users from domain B will not have the rights they expected. Even the SIDs of built-in domain groups will vary from one domain to another.Because this domain-specific information cannot be changed automatically, GPMC provides a tool called migration tables to assist you in using a copy of a GPO in another domain. Before making the copy, you prepare a migration table. The table is used during the copy to translate or replace one domain's domain-specific information with the appropriate information from the other domain.Working with multiple forests in GPMC is similar to working with one forest. Each forest has its own root. Adding a forest to GPMC is a simple process:
Using Migration TablesUser- and group-related information varies among domains in a forest and between forests. When a GPO is copied between two forests, the GPO may not function, or may not function as designed. To ensure that the GPO does its job, use migration tables to map users and groups from one domain to another.To create the migration table, follow these steps:
To copy a GPO from a domain in one forest to a domain in another trusted forest follow these steps:
After the GPO has been copied to its new domain, it must be linked to the domain or OU before it will have any effect on users or computers. To link the GPO to a domain or OU:
Finally, check the GPO to ensure that names were migrated. For comparison, Figure 8-45 shows the details of the copied GPO, while Figure 8-46 shows the GPO implementation in the new domain. As you can see, the appropriate domain and group names were changed. Figure 8-45. Viewing the copied GPO.[View full size image]  Figure 8-46. Comparing the new result.[View full size image]  |
لطفا منتظر باشید ...
