Que.MCSA.MCSE.10070.100270.Exam.Prep.2.Windows.XP.Professional [Electronic resources] نسخه متنی

Configuring, Managing, and Troubleshooting Security

The exam may touch on two things about Encrypting File Service (EFS): The file system must be set to NTFS if you want to use EFS. In addition, no file can be both encrypted and compressed at the same time.

NTFS is required for EFS.

A user must have a file encryption certificate before another user can grant him the right to open a shared encrypted file.

Data recovery agents are users with file encryption certificates who have been designated the right to decrypt users' encrypted files in case the user's file encryption certificate is damaged or lost.

Public keys are stored in the My Certificates folder of a user's profile in plain text.

Private keys are encrypted in the RSA folder in a user's profile.

Cipher.exe is the command used to manage EFS encrypted files. Cipher /e encrypts, and cipher /d decrypts.

A security template is created as an .inf file. This file is imported into a database with an extension of .sdb. If you use Secedit.exe, secedit /configure /db path\database.sdb is the command used to apply the security settings to overwrite existing security settings.

Account policies set in an Active Directory Group Policy object (GPO) for passwords and account lockouts are applicable to only a domain.

Table 24 describes password policies and their default values.

Table 24. Password Policies

Policy

Meaning

Default Value

Enforce Password history

Number of unique passwords that the computer can remember

Maximum Password age

Number of days after first being set until the user is forced to change the password

42 days

Minimum Password age

Number of days after first being set until the user is allowed to change the password

0 days

Minimum Password length

Number of characters required for any password

Password Must Meet Complexity Requirements

Requires that the password not contain the user name or real name, is at least six characters long, must be a combination of letters, numbers, and symbols

Disabled

Store password using Reversible Encryption

Allows user's passwords to be stored in reversible encryption, which is not much more secure than plain text

Disabled

Table 25 describes account lockout policies and their suggested values.

Table 25. Account Lockout Policies

Policy

Meaning

Account Lockout Duration

Number of minutes after being locked out before account is allowed to log on. Suggested value 30 minutes.

Account Lockout Threshold

Number of bad passwords that are accepted before the user account is locked out. Suggested value 3 attempts.

Reset Account Lockout Counter After

Number of minutes after submitting a bad password that the computer "forgets" that there was a failed logon attempt. Suggested value 30 minutes.

The sequence of application of GPO settings is

Windows NT 4 system policies found in NTConfig.pol

Local policies

Site group policies

Domain group policies

OU group policies

Child OU group policies (applied after the group policies of the top-level OUs and flow down the hierarchy of the Active Directory)

To configure the security settings for an Internet zone, click the zone to select it and then click the Custom Level button. The zones are Internet, Local Intranet, Trusted Sites, and Restricted.