Index
S
S/MIME, Secure/Multipurpose Internet Mail Extensions
SA (Security Association), 252–256, 286
SAC (Special Administration Console) environment, 605–606, 625
SACL. see system access control list
safeguards, 8, 25
SAM (Security Account Manager), 641
scalability, Windows Server 2003 PKI, 161
scheduling priority, 468
scopes, DHCP, 326
scripts, 95–96
SEA (Spokesman Election Algorithm), 315
secedit.exe
described, 51, 140
registry objects permissions and, 552–553
overview of, 138–139
in scripts, 95–96
for settings reset, 139
streaming media servers and, 148
USER_RIGHTS and, 144–145
using, 88–95
secret data, 26
secure boundaries, 243–244
Secure cache against pollution option, 298
secure dynamic updates, 300
Secure Hash Algorithm 1 (SHA1), 190, 253, 254, 304
secure mode, IPSec driver, 279
Secure Shell (SSH), 607
Secure Sockets Layer (SSL)
security certificates, 404
configuring IIS to use, 306–308
in IIS, 356
NNTP security and, 384
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
configuring, 305–308
described, 303–304
firewalls and, 309
pros/cons of, 305
server-gated cryptography and, 386–387
overview of, 650–651
secure templates, 57–59
secure*.inf template
hisec*.inf comparison, 62
IIS 6.0 and, 130–131
modifying, 142
overview of, 57–59
server roles and, 131
SMB signing required in, 309
Secure/Multipurpose Internet Mail Extensions (S/MIME)
for e-mail security, 308, 309
PKI and, 156
securedc.inf template
for domain controllers, 107, 130
Kerberos and, 144
registry objects permissions and, 552
security. see also Active Directory security; network infrastructure security
best practices, 8–9, 140
for CA servers, 166–171, 185
deployment with scripts, 95–96
for interoperability, 226–228
logical authentication strategy, 165–167
vs. privacy, 4–5
update infrastructure, designing, 210–217
vs. usability, 6, 141
security access token buffer, 520
Security Account Manager (SAM), 641
Security Association (SA), 252–256, 286
security awareness, 12–13
security boundary, 221
Security Configuration and Analysis snap-in
adding, 64–66
described, 140
function of, 142–143
overview of, 51, 138
registry objects permissions and, 552–553
for review of settings, 85–88
secure*.inf and, 144
Windows NT 4.0 and, 143
Security Configuration Manager. see Security Configuration Tool Set
Security Configuration Tool Set
described, 140
overview of, 51–52, 138
Security Configuration Manager and, 142
Security Extensions to Group Policy
described, 140
overview of, 51, 138–139
security groups. see groups, security
security incidents, responding to
attack indicators, recognizing, 27
network services, recovering, 31
overview of, 26
response plan, creating, 28–30
Security log
event types, 396–397
Generate Security Audits right and, 467
logon events in, 483
security negotiation, 270–271
Security Parameter Index (SPI), 261, 262
security policies, 245–246. see also policies
Security Policy Editor, 205
security principal, 454
Security Template snap-in, 310
adding, 64–66
overview of, 138
secure*.inf template and, 142
security templates
application on domain controllers, 80–82
applying, 141
best practices for, 52–53
configuring, 66–74
and console, saving, 67
defining baseline, 50–52
deployment overview, 75–76
described, 140
incremental, 102
modifying baseline according to server roles, 129–137
overview of, 139
predefined, 140, 141
recommended for server roles, 130–132
secure, overview of, 57–59
SMB signing and, 309–310
security templates, deploying
overview of, 75–76
using Group Policy, 76–80
on DCs, 80–82
result of, 82
using RSoP MMC snap-in, 83–85
using secedit.exe, 88–95
using Security Configuration and Analysis, 85–88
security threats
predicting network, 13–15
recognizing external, 15–21
recognizing internal, 12–13
security updates, 41. see also Software Update Services
security*.inf, 55–57
SECURITYPOLICY, 89
segmented namespace, DNS, 296
segmented networks, 313
Selectable Cryptographic Service Provider, 387–388, 407
Selective Authentication, 224, 233
Sequence Number, 261, 262
Server (Request Security) policy
described, 265–266
as high security default policy, 284
properties of, 287, 288
as standard security policy, 284
viewing, 267–269
Server (Require Security) policy, 266
server authentication settings, 60–61
server certificates, 400, 404
Server Message Block (SMB)
signing, 309–312, 346
EFS and, 557
secure*.inf and, 59
server roles
common, 100–101
defining/implementing/securing, 101–102
described, 141
overview of, 99–100
server security, function based
best practices for, 102–106, 141
default settings, reapplying, 56–66
DHCP servers, 120
DNS servers, 120–122
domain controllers configuration, 106–112
down-level clients, configuring, 74–75
file/print/member servers, 123
high-profile servers, 141
IIS role, 112–116
modifying baseline templates according to role, 129–132
multiple OSs and GPMC, 97–98
network infrastructure servers, 118–119
overview of, 50
policy settings, reviewing result of, 82–85
POP3 mail servers configuration, 116–118
RAS servers, 125–127
security application across enterprise, 132–137
security deployment with scripts, 95–96
security settings review, 85–88
Server 2003 templates, 53–56
server roles, 99–102
streaming media servers, 128
template application on domain controllers, 80–82
template deployment overview, 75–76
templates, best practices for, 52–53
templates, configuring, 66–74
templates, defining baseline, 50–52
terminal servers, 123–125
using Group Policy to deploy settings, 76–80
using secedit.exe, 88–95
WINS servers, 122–123
server setting, SMB signing, 310–312
Server-Gated Cryptography (SGC), 386–387
servers
headless, 607
IIS, risks to/hardening, 381–383
security of, 501–502
SUS, 213–214
service accounts, 460–461, 497
Service Administrators, 487, 497
service processor, 604, 610
service ticket, 472
SERVICES, 89
services, clients, 629–630, 672
session ticket, 472
settings, security
deploying with Group Policy, 76–80
reapplying default, 56–66
review of, 85–88
Setup security.inf template
described, 140
IIS 6.0 and, 130
overview of, 55–56, 139
server roles and, 131
SGC (Server-Gated Cryptography), 386–387
SHA1. see Secure Hash Algorithm 1
share permissions, 455–456, 496
shared key authentication, 328
Shiva Password Authentication Protocol (SPAP), 653
shortcut trusts, 225–226, 234–235, 236
Shut Down the System right, 469
shut down, CA server, 168
shutdown, 467
signature algorithm, 154
Simple Mail Transport Protocol (SMTP), 116, 385
single namespace, 295
single-session policy, 206
Single Sign-on, 640, 643
smart cards
for CA authentication strategy, 166
for CA security, 171, 185
enterprise CAs and, 160
wireless network authentication and, 348
SMB. see Server Message Block
SMS (Systems Management Server), 216, 633–634
SMTP (Simple Mail Transport Protocol), 116, 385
sniffer attack, 248
social engineering attacks, 20, 43–44, 196, 248–249
software
GPOs for deployment of, 213–215
of network infrastructure, 243
restriction policies for Terminal Services, 206
for security updates, 211–213
vulnerabilities, network security threats and, 19–20
Software Update Services (SUS)
application updates and, 673
design overview, 210–211, 232
identifying non-current clients, 215–217
for patch management, 632–633
rebooting and, 236
server requirements, 674
vs. SMS, 634
for software, 211–213
for software, using GPOs for deployment, 213–215
Solicited Remote Assistance, 207
SPAP (Shiva Password Authentication Protocol), 653
Special Administration Console (SAC) environment, 605–606, 625
special identities, 512
SPI (Security Parameter Index), 261, 262
Spokesman Election Algorithm (SEA), 315
spoofing
identity described, 14
recognizing indicators of, 41
threat to wireless networks, 317
SQL access, 308
SSH (Secure Shell), 607
SSL. see Secure Sockets Layer
SSL/TLS. see Secure Sockets Layer/Transport Layer Security
stand-alone CAs
certificate template in, 188
certificates and, 160
issue certificates, 186
as root CA, 168
scalability of, 161
securing, 170–171
defining, 158
standard security policies
based on risk, 245–246
when to use, 284
startrom.com, 605
startup and recovery options
disaster recovery and, 600
for safeguarding data, 591, 592
startup options, 612–614
stateful filtering, 282
stateful mode, 279
static routes, 415–416
Store passwords using reversible encryption setting, 475–476
Streaming Media servers
configuring, 128
and internal users, 148
summary of services for, 129
template for, 132
STRIDE, 14–15
striped set with parity. see RAID-5
strong authentication, RAS, 127
sub-authentication component, 364, 404
subordinate CA, 159
summarization routes, 415–416, 449–450
SUS. see 312
symmetric encryption, 153
symmetric keys, 304
SYN flood, 15
/sync, 95
Synchronize Directory Service Data right, 469
Syskey utility, 634–637
system access control list (SACL)
described, 513
auditing setting for, 481
vs. DACL, 619
object access events and, 539
system clock, 465, 472
system events auditing, 481, 539
System log, 396
System Management Server (SMS), 216, 633–634
system root security template, 62–63
System Services Policies, 72
system state, 594