Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] - text version

Roberta Bragg








Determining If the Policy Has Been Applied


Determining up front whether the policy in question has been applied can save you hours of troubleshooting. After all, if a DNS problem prevents the policy from being applied at all, there is no sense in analyzing policy hierarchy or the details of GPO configuration. Likewise, if the network is healthy, you'll need to evaluate the GPOs in question. Finally, a visual inspection of a complex Group Policy configuration and hierarchy can still leave you unsure whether a specific GPO will be applied to a specific account. The answer is to determine whether the policy has been applied. If it has been applied, you may still have to do some visual inspection to determine its effect. If it has not been applied, the process of determining this may itself reveal the reason. For example, a GPMC Group Policy Results scan may show why a GPO is not applied to a specific account.

To determine whether a Group Policy has been applied, use GPMC. If GPMC is not available or cannot be used, the Resultant Set of Policy MMC snap-in can be used on Windows Server 2003 and Windows XP, and the GPResult Windows 2000 Resource Kit tool can be used on Windows 2000.

Use GPMC


The easiest way to determine whether a policy has been applied to a user or computer is to use the Group Policy Management Console (GPMC) to create a Resultant Set of Policy report with the Group Policy Results Wizard for the specific user or computer. In the report, select the Summary tab; then click the show link next to Group Policy Objects to reveal the Group Policy Objects Applied and Group Policy Objects Denied sections of the report, as shown in Figure 9-2. If the GPO does not appear in either list, see the "Troubleshooting Networking Problems" and "Troubleshooting Active Directory and FRS Replication" sections of this chapter. If the GPO does appear in one of the lists, review the "Troubleshooting Group Policy Object Design" section of this chapter.

Figure 9-2. Determining GPO application.


To create a Group Policy Results report, follow these steps:


1. Click Start, Administrative Tools, Group Policy Management.

2. Right-click the Group Policy Results node and select Group Policy Results Wizard.

3. Click Next on the Welcome page.

4. On the Computer Selection page, as shown in Figure 9-3, select Another computer. Then enter or browse to the other computer name and click Next.

Figure 9-3. Selecting the computer.

5. Select the user, as shown in Figure 9-4, and then click Next. Only those users who have logged on and for whom you have permission to view Group Policy will be displayed.

Figure 9-4. Selecting the user.

6. Review the summary of your selections and click Next. Then click Finish. The report will be displayed in the GPMC, as shown in Figure 9-5.

Figure 9-5. Obtaining the report.


If the GPOs that should be applied are being applied, you might be able to find the problem right away by looking for a double negative. This happens when a setting's name starts with the word "disable": if you set such a setting to Disabled, you have effectively enabled the behavior it names. It's easy to misunderstand how a setting works when it starts with a negative word, so always scan the applied GPO settings in the report to see whether a double negative is the cause of your problem. Figure 9-6 shows an example of a setting that might be misapplied because it begins with the word "disable." The setting, Disable machine account password changes, can be used to prevent the automatic password change for computer accounts. By default, computer account passwords are changed periodically. If a computer is offline for a significant amount of time, its account password can be out of sync with the one known to Active Directory, and this Group Policy setting exists to avoid that situation. However, many administrators will set it to Disabled. They think they have stopped the automatic password change, but instead they have explicitly enabled it. They should have set this Group Policy setting to Enabled.

Figure 9-6. Disable this setting, and you have enabled computer password changes.

Use Resultant Set of Policy


The Resultant Set of Policy Wizard is available as an MMC snap-in for both Windows Server 2003 and Windows XP. To run the wizard on Windows XP, follow these steps:


1. Open a blank MMC.

2. From the File menu, select Add/Remove Snap-in.

3. Click the Add button. Then scroll the Add Standalone Snap-in window and select Resultant Set of Policy. Click Add, and click Next twice.

4. Select This computer, or use the Browse button to select another computer.

5. If only user policy settings are desired, check the box Do not display policy settings for the selected computer in the results (display user policy settings only).

6. Click Next.

7. Select Current user, or select Another user and then select one of the listed users.

8. If only computer settings are desired, check the box Do not display user policy settings in the results (display computer policy settings only).

9. Click Next, and review the summary. Then click Next, followed by Finish.

10. Click Close, and then click OK.

11. To view the results, expand the report in the console.


To run the wizard on Windows Server 2003, do the following:


1. Open a blank MMC.

2. From the File menu, select Add/Remove Snap-in.

3. Click the Add button. Scroll the Add Standalone Snap-in window and select Resultant Set of Policy; then click Add.

4. Click Close, followed by OK.

5. Right-click the Resultant Set of Policy node in the console and then select Generate RSoP Data.

6. Click Next, select Logging mode, and then click Next.

7. Select This computer, or select Another computer and browse to locate the computer.

8. If only user policy settings are desired, check the box Do not display policy settings for the selected computer in the results (display user policy settings only).

9. Click Next.

10. Select Current user, or select Another user and then select one of the listed users.

11. If only computer settings are desired, check the box Do not display user policy settings in the results (display computer policy settings only).

12. Click Next, review the summary, and then click Next.

13. When the processing is complete, click Finish.

14. To view the results, expand the report in the console.

15. Browse to an area in which the GPO should have applied settings and view the details in the details pane. The source GPO is displayed in the Source GPO column. If the GPO in question is listed, it has been applied. If it is not, and the item in question is definitely in the GPO, then the GPO has not been applied.


WARNING: Don't Limit Testing to One Item

If a single item that you believe should be applied by the GPO is not listed, do not assume that the GPO has not been applied. The problem could be with your assumption. The GPO could be configured incorrectly so that this one item is not showing up in the report. Check other items before assuming that the entire GPO has not been applied. Better still, install GPMC and use it whenever possible because it does indicate directly whether a GPO has been applied.

Use GPResult


GPResult is a native Windows Server 2003 command-line tool and a Windows 2000 Resource Kit tool that can be downloaded from the Microsoft site (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp). The Windows 2000 version of GPResult must be run while locally logged on to the computer as the user to test. The following information can be obtained:

Computer-specific information such as OS and group memberships.

User-specific settings such as group membership and security privileges.

A list of GPOs and their details.

The last time policy was applied and from which domain controller the policy was downloaded. If this varies by user or computer, the information will be reported.

IP security settings.

Downloaded scripts.

Folder redirection settings.

Applied registry settings.


The Windows Server 2003 version of GPResult can be run against a remote computer. Table 9-2 lists the command syntax.

Table 9-2. GPResult Syntax

Switch   Purpose
/S       Specify the remote system to connect to.
/U       Specify the user context under which the command should execute. Use the domain\user format.
/P       The password for the user context.
/SCOPE   Specify whether user or computer policy information should be listed. The only valid values are USER and COMPUTER.
/USER    Specify the user to display the RSoP data for. Use the domain\user format.
/V       Display verbose information. Use this switch to obtain the security settings applied.
/Z       Display super-verbose information. This switch may help when settings are applied from more than one location.

Issuing the command GPResult without switches provides minimal information for the currently logged-on user on the local machine: the GPOs applied are listed, but not the settings applied. Use the /V switch to see the list of settings each GPO applies. The following command runs GPResult on the local computer, provides verbose results for the logged-on user, and redirects the results to the GPResult1.txt file.


gpresult /V > GPResult1.txt

The following listing is the first bit of the nine-page report generated:


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 9/12/2004 at 2:58:39 PM
RSOP data for CHICAGO\Administrator on REGALINN : Logging Mode
---------------------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=REGALINN,OU=Domain Controllers,DC=chicago,DC=local
Last time Group Policy was applied: 9/12/2004 at 2:57:35 PM
Group Policy was applied from: regalinn.chicago.local
Group Policy slow link threshold: 500 kbps
Domain Name: CHICAGO
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
Default Domain Policy
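The listing above is the text a troubleshooter actually reads to answer the chapter's question, so here, as an added example that is not code from the book, is a small Python parser for gpresult's logging-mode output. It finds the COMPUTER SETTINGS and USER SETTINGS sections, collects each section's Applied Group Policy Objects list together with the "last applied" time and the domain controller the policy came from, and reports whether a named GPO was applied in each scope. The COMPUTER SETTINGS part of the embedded sample reproduces the chapter's listing; the USER SETTINGS part and the "not applied because they were filtered out" section are constructed, and the layout assumed for that section (a GPO name followed by an indented "Filtering:" line) is an assumption about the tool's output rather than something the chapter shows.

```python
# Added example (not from the book): decide from gpresult text whether a GPO
# was applied. COMPUTER SETTINGS below reproduces the chapter's listing; the
# USER SETTINGS and "filtered out" parts are constructed, and the layout of the
# "filtered out" section is an assumption about the tool's output.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = r"""Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Created On 9/12/2004 at 2:58:39 PM

RSOP data for CHICAGO\Administrator on REGALINN : Logging Mode
---------------------------------------------------------------
OS Type:          Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Primary Domain Controller

COMPUTER SETTINGS
------------------
    CN=REGALINN,OU=Domain Controllers,DC=chicago,DC=local
    Last time Group Policy was applied: 9/12/2004 at 2:57:35 PM
    Group Policy was applied from:      regalinn.chicago.local
    Domain Name:                        CHICAGO

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=chicago,DC=local
    Last time Group Policy was applied: 9/12/2004 at 2:58:01 PM
    Group Policy was applied from:      regalinn.chicago.local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Helpdesk Lockdown
            Filtering:  Denied (Security)
"""


@dataclass
class ScopeResult:
    scope: str                                   # "computer" or "user"
    applied: List[str] = field(default_factory=list)
    filtered: Dict[str, str] = field(default_factory=dict)  # GPO name -> reason
    applied_at: Optional[str] = None             # "Last time Group Policy was applied"
    applied_from: Optional[str] = None           # domain controller that served the policy


def _is_heading(lines: List[str], i: int) -> bool:
    """gpresult underlines every section heading with a row of dashes."""
    if i + 1 >= len(lines):
        return False
    nxt = lines[i + 1].strip()
    return bool(lines[i].strip()) and bool(nxt) and set(nxt) == {"-"}


def parse_gpresult(text: str) -> Dict[str, ScopeResult]:
    """Return one ScopeResult per COMPUTER SETTINGS / USER SETTINGS section."""
    lines = text.splitlines()
    scopes: Dict[str, ScopeResult] = {}
    current: Optional[ScopeResult] = None
    mode: Optional[str] = None       # "applied", "filtered" or None (not in a GPO list)
    last_gpo: Optional[str] = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                 # blank line or a heading underline
        if _is_heading(lines, i):
            if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = line.split()[0].lower()
                current = scopes.setdefault(scope, ScopeResult(scope))
                mode = None
            elif line == "Applied Group Policy Objects":
                mode = "applied"
            elif line.startswith("The following GPOs were not applied"):
                mode = "filtered"
            else:
                mode = None          # any other heading ends the current GPO list
            continue
        if current is None:
            continue                 # report header before the first scope section
        if mode == "applied":
            current.applied.append(line)
        elif mode == "filtered":
            if line.startswith("Filtering:"):
                if last_gpo is not None:
                    current.filtered[last_gpo] = line.split(":", 1)[1].strip()
            else:
                last_gpo = line
                current.filtered.setdefault(last_gpo, "")
        elif line.startswith("Last time Group Policy was applied:"):
            current.applied_at = line.split(":", 1)[1].strip()
        elif line.startswith("Group Policy was applied from:"):
            current.applied_from = line.split(":", 1)[1].strip()
    return scopes


def gpo_status(scopes: Dict[str, ScopeResult], gpo_name: str) -> Dict[str, str]:
    """Per scope: "applied", "filtered (<reason>)" or "not listed" (case-insensitive match)."""
    wanted = gpo_name.lower()
    status: Dict[str, str] = {}
    for scope, result in scopes.items():
        if any(g.lower() == wanted for g in result.applied):
            status[scope] = "applied"
            continue
        reason = next((r for g, r in result.filtered.items() if g.lower() == wanted), None)
        status[scope] = f"filtered ({reason})" if reason is not None else "not listed"
    return status


if __name__ == "__main__":
    parsed = parse_gpresult(SAMPLE)
    for scope, result in parsed.items():
        print(f"{scope}: last applied {result.applied_at} from {result.applied_from}")
    for name in ("Default Domain Controllers Policy", "Helpdesk Lockdown"):
        print(f"{name}: {gpo_status(parsed, name)}")
```

To use it against a real machine, redirect gpresult's output to a file as the chapter shows and pass the file's contents to parse_gpresult. Note that "not listed" is deliberately distinct from "filtered": a GPO missing from both lists points at the delivery problems (DNS, replication) discussed earlier in the chapter, whereas a GPO listed with a filtering reason was found but deliberately skipped, which points at GPO design (security filtering, an empty GPO) instead.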

