The Best Damn Windows Server 2003 Book Period- P48 ppsx

to comply with the new policy, you can set the User must change password at next logon option in the properties of the user accounts you administer.

Applying an Account Lockout Policy

In addition to setting password policies, you can configure your network so that user accounts are locked out after a certain number of incorrect logon attempts. This can be a soft lockout, in which the account is re-enabled automatically after an administrator-specified period of time, or a hard lockout, in which the account can only be re-enabled by the manual intervention of an administrator.

Before implementing an account lockout policy, you need to understand the potential implications for your network. Lockout is a trade-off: it slows online password guessing, but it also hands anyone who can reach a logon interface a denial-of-service lever, because deliberately entering the wrong password the threshold number of times locks the legitimate user (or a service account) out. A hard lockout turns every such incident into a help-desk call, so most environments choose a threshold of several attempts with a soft lockout and monitor the resulting lockout events (event ID 644 in the Windows Server 2003 security log) instead. Note also that account policies for domain accounts are only effective when set in a GPO linked at the domain level, which is why the procedure below edits the Default Domain Policy.

Create an account lockout policy

1. From the Windows Server 2003 desktop, click Start | Administrative Tools | Active Directory Users and Computers.
2. Right-click the domain you want to administer, and then select Properties.
3. On the Group Policy tab, select the Default Domain Policy, and click the Edit button.
4. Navigate to the account lockout policy by clicking Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy. You'll see the screen shown in Figure 11.4.

Using Account Lockout Policy, you can configure the following settings:

■ Account lockout duration  This option determines the amount of time that a locked-out account remains inaccessible. Setting this option to 0 means that the account remains locked out until an administrator manually unlocks it.
■ Account lockout threshold  This option determines the number of invalid logon attempts that can occur before an account is locked out. Setting this option to 0 means that accounts on your network are never locked out.
436 Chapter 11 • Creating User and Group Strategies
301_BD_W2k3_11.qxd 5/12/04 12:30 PM Page 436

Figure 11.4 Account Lockout Policy Objects

■ Reset account lockout counter after  This option defines the amount of time, in minutes, after a bad logon attempt before the counter of invalid attempts is reset to 0. Windows requires this value to be less than or equal to the account lockout duration.

5. For each item that you want to configure, right-click the item and select Properties. To illustrate, we create an Account lockout threshold of three invalid logon attempts. In the screen shown in Figure 11.5, place a check mark next to Define this policy setting, and then enter the appropriate value.

Creating User Authentication Strategies

Any well-formed security model needs to address the following three topics: authentication, authorization, and accounting (or auditing). Authentication establishes who a principal is, authorization decides what an authenticated principal is permitted to do, and accounting/auditing tracks who did what to a file, service, or other resource. Windows Server 2003 addresses all three facets of this security model.

Regardless of which protocol or technical mechanism is used, all authentication schemes must meet the same basic requirement: verifying that a user or other network object is in fact who or what it claims to be. Windows Server 2003 offers several protocols and mechanisms to perform this verification, including (but not limited to) the following:

■ Kerberos
■ NT LAN Manager (NTLM)
■ Secure Sockets Layer/Transport Layer Security (SSL/TLS)
■ Digest authentication
■ Smart cards

The following sections cover the details of each authentication mechanism available with Windows Server 2003 and the appropriate use for each. The most common mechanism, password authentication, dates back to mainframe computing. Concerns regarding password authentication have largely centered on ensuring that user passwords are not transmitted over a network connection in a form that is easily intercepted and deciphered.
In fact, many modern password authentication schemes, such as NTLM and Kerberos, never transmit the actual user password at all.

Figure 11.5 Configuring the Account Lockout Threshold

Need for Authentication

User authentication is a necessary first step within any network security infrastructure because it establishes the identity of the user. Keep in mind as we go along that a fully functional authentication strategy will almost certainly involve a combination of the methods and protocols described here. Your goal as a network administrator is to create an authentication strategy that provides the optimum security for your users while allowing you to administer the network as efficiently as possible.

Single Sign-On

A key feature of Windows Server 2003 is support for single sign-on, an authentication mechanism that allows your domain users to authenticate with any computer in the domain while providing their logon credentials only once. Whether your network relies on single sign-on or not, any authentication scheme is a two-step process. At the very least, the user must perform an interactive logon in order to access the local computer. If network access is required, network authentication then allows the user to access the needed network services and resources. In this section, we review both of these processes briefly.

Interactive Logon

A network user performs an interactive logon when presenting valid credentials to the operating system of the physical computer the user is attempting to log on to, usually a desktop workstation. The logon name and password can belong either to a local user account or to a domain account. Accounts stored in a computer's local SAM database can only be used for access to that specific computer.
When using a domain account, the user's logon information is authenticated against the Active Directory database. This allows the user to gain access not only to the local workstation but also to all resources he or she has been granted permission to use in the domain and in any trusting domains.

Network Authentication

Once a user has gained access to a physical workstation, it is almost inevitable that the user will require access to files, applications, or services hosted by other machines on the LAN or WAN. Network authentication is the mechanism that confirms the user's identity to whatever network resource the user attempts to access. Windows Server 2003 provides several mechanisms to enable this type of authentication, including Kerberos and NTLM. The mechanism used depends on the configuration of the network and the operating systems involved. Because this happens in the background, the network authentication process is transparent to users in an Active Directory environment. The network operating system handles everything behind the scenes without the need for user intervention. This feature provides the foundation for single sign-on in a Windows Server 2003 environment by allowing users to access resources in their own domains as well as in other trusted domains.

Authentication Types

Windows Server 2003 offers several different authentication types to meet the needs of a diverse user base. The default authentication protocol for a homogeneous Windows 2000 or later environment is Kerberos version 5. This protocol relies on a system of tickets to verify the identity of network users, services, and devices. For Web applications and users, you can rely on the standards-based encryption offered by the SSL/TLS security protocols as well as Microsoft Digest.
To provide backward compatibility with earlier versions of Microsoft operating systems, Windows Server 2003 also supports the NTLM protocol. In this section, we examine the various authentication options available to you as a Windows administrator.

Kerberos

Within a Windows Server 2003 domain, the primary authentication protocol is Kerberos version 5. Kerberos provides thorough authentication by verifying not only the identity of network users but also the identity of the network services themselves. This latter feature was designed to prevent users from attaching to "dummy" services created by malicious network attackers to trick users into revealing their passwords or other sensitive information. The process of verifying both the user and the service that the user is attempting to use is referred to as mutual authentication.

Only network clients and servers running Windows 2000, Windows Server 2003, or Windows XP Professional are able to use the Kerberos authentication protocol. When these operating systems are members of a domain, Kerberos is their default authentication mechanism for domain-based resources. In a Windows 2000 or later Active Directory environment, pre-Windows 2000 computers that attempt to access a "Kerberized" resource are directed to use NTLM authentication instead, so the NTLM fallback remains exposed on the network for as long as such clients exist.

The Kerberos authentication mechanism relies on a Key Distribution Center (KDC) to issue tickets that allow client access to network resources. Each domain controller in a Windows Server 2003 domain functions as a KDC. Network clients use DNS (the _kerberos SRV records that domain controllers register) to locate the nearest available KDC so that they can acquire a ticket. Kerberos tickets contain cryptographic information that confirms the user's identity to the requested service.
These tickets remain resident on the client computer for a specific amount of time, usually 10 hours. This ticket lifetime keeps the Kerberos system from being overwhelmed, and it is configurable by an administrator under Account Policies | Kerberos Policy in the Default Domain Policy. If you set the lifetime lower, you must ensure that your domain controllers can handle the additional load that will be placed on them. It is also important, however, not to set it too high. A ticket is good until it expires: a service validates a ticket locally, without contacting the domain controller, so a ticket stolen from a client's memory remains usable by the thief until expiration, and changing the user's password does not invalidate service tickets that have already been issued.

Understanding the Kerberos Authentication Process

When a user enters his or her network credentials on a Kerberos-enabled system, the following steps take place. These transactions occur entirely behind the scenes. The user is only aware of having entered a password or PIN (if using a smart card) as part of a normal logon process. The following steps occur in a single domain environment:

1. Using a smart card or a username/password combination, the user authenticates to the Authentication Service of the KDC. The KDC issues a ticket-granting ticket (TGT) to the client system. The client retains this TGT in memory until needed.
2. When the client attempts to access a network resource, it presents its TGT to the ticket-granting service (TGS) on the nearest available Windows Server 2003 KDC, naming the service it wants to reach.
3. If the TGT is valid and the service is known to the KDC, the TGS issues a service ticket to the client, encrypted with a key that only the KDC and that service share. Note that the KDC does not decide whether the user may use the service; it only vouches for the user's identity and group memberships. Authorization is decided by the service itself when it compares those memberships against its own ACLs.
4. The client presents the service ticket to the requested network service. Through mutual authentication, the service ticket proves the identity of the user, and the service's reply proves the identity of the service.

The Windows Server 2003 Kerberos authentication system can also interact with non-Microsoft Kerberos implementations such as UNIX-based Kerberos realms.
In Kerberos, a realm is similar to the concept of a domain. This "realm trust" feature allows a client in a Kerberos realm to authenticate against Active Directory to access resources, and vice versa. This interoperability allows Windows Server 2003 domain controllers to provide authentication for client systems running other types of Kerberos, including clients that are running operating systems other than Windows. It also allows Windows-based clients to access resources within a non-Windows Kerberos realm.

Secure Sockets Layer/Transport Layer Security

Any time you visit a Web site that uses an https:// prefix instead of http://, you are seeing Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), in action. SSL/TLS provides encryption for other protocols such as HTTP, LDAP, and IMAP, which operate at higher layers of the protocol stack. SSL/TLS provides three major functions in protecting TCP/IP-based traffic:

■ Server authentication  Allows a user to confirm that an Internet server really is the machine it claims to be. It is difficult to think of anyone who would not like the assurance of knowing that he or she is looking at the genuine Amazon.com site, and not a duplicate created by an attacker, before entering any credit card information. This assurance only holds if the client actually validates the server's certificate: that it chains to a trusted root, is unexpired and unrevoked, and matches the host name that was requested.
■ Client authentication  Allows a server to confirm a client's identity during the exchange of data, using a certificate the client presents. For example, this might be important for a bank that needs to transmit sensitive financial information to a server belonging to a subsidiary office. Combining server and client authentication provides a means of mutual authentication.
■ Encrypted connections  Allow all data that is sent between a client and server to be encrypted and decrypted, providing a high degree of confidentiality. Each record also carries a message authentication code, which allows both parties to confirm that the data was not altered during transmission.

The Transport Layer Security (TLS) protocol is the standardized successor to SSL published by the Internet Engineering Task Force (IETF); TLS 1.0 appeared as RFC 2246 in 1999.
TLS is intended to replace SSL as the standard for securing Internet traffic while remaining backward compatible with SSL 3.0: a TLS client and an SSL 3.0 server negotiate the highest protocol version that both support. RFC 2712 describes a way to add Kerberos cipher suites to TLS, which would potentially allow Microsoft and other vendors to extend Kerberos beyond LAN/WAN authentication to use on the Internet as a whole.

SSL and TLS can use a wide range of ciphers (authentication, encryption, and/or integrity mechanisms) to allow connections with a diverse client base. You can edit the Registry in Windows Server 2003 to restrict the ciphers allowed. Within the Registry Editor on the server, browse to the following key, shown in Figure 11.6:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

Each cipher has its own subkey, and the Enabled value in that subkey has two potential settings:

■ 0xffffffff (enabled)
■ 0x0 (disabled)

A change here takes effect only after the server is restarted. Disabling a cipher removes it from the set that Schannel will negotiate for both server and client connections, so test the change against every client population you support before applying it in production.

NT LAN Manager

Versions of Windows earlier than Windows 2000 used NT LAN Manager (NTLM) to provide network authentication. In a Windows Server 2003 environment, NTLM is used to communicate between two computers when one or both of them is running a pre-Windows 2000 operating system. NTLM is also used by Windows Server 2003 computers that are not members of a domain, and by domain members when a server is addressed by IP address rather than by name, because no service principal name can be found for the target.

NTLM protects user logon information by applying a one-way mathematical function (a hash) to the user's password. The password itself is not stored in the SAM or Active Directory database. Rather, the hash that is generated when the user's account is first created, or when the password is changed, is stored. If the password is shorter than 15 characters, two hashes are actually stored: an NT hash (the MD4 digest of the password) and an LM hash. The LM (LAN Manager) hash is weak, because it upper-cases the password and splits it into two independently encrypted 7-character halves, and it can easily be broken by password crackers. Because of this, it is recommended that you enable the Network security: Do not store LAN Manager hash value on next password change Group Policy setting (under Security Settings | Local Policies | Security Options), and then require users to change their passwords so that the LM hashes already stored are actually removed.
During logon, the domain controller sends a challenge to the client. This is a random string of bytes that the client combines, using a keyed cryptographic function, with the hash of the user's password. The result is a response that is transmitted to the domain controller. In this way, the user's password is never actually transmitted across the network.

Figure 11.6 Editing SSL/TLS Ciphers

The domain controller also has the hash of the user's password. Moreover, it knows the challenge it sent, so it is able to perform the same calculation. It compares the response that it calculated with the one received from the client. If they match, logon is permitted. Note the consequence: because the response is computed from the stored hash alone, anyone who obtains that hash (from a compromised SAM, a domain controller, or the memory of a machine the user logged on to) can authenticate as the user without ever learning the password. This "pass-the-hash" property is why NTLM hashes must be protected as carefully as the passwords themselves.

The NTLM mechanism exists in Windows Server 2003 mainly for backward compatibility with earlier operating systems. Windows Server 2003 domains support both NTLM and NTLM version 2; the Network security: LAN Manager authentication level policy controls which variants clients send and which ones domain controllers accept. If your network environment is exclusively running Windows 2000 or later, you should standardize on a stronger form of authentication such as Kerberos and set the LAN Manager authentication level so that LM responses are refused. Using NTLM is preferable to sending authentication information with no protection whatsoever, but NTLM has several known weaknesses (the LM response, relay and reflection attacks, and the pass-the-hash property) that make it a poor choice for network authentication if your operating system supports more advanced schemes.

Digest Authentication

Microsoft provides digest authentication as a means of authenticating users of Web applications that are running on IIS. Digest authentication uses the Digest Access Authentication scheme (RFC 2617), a simple challenge-response mechanism for applications that use HTTP or the Simple Authentication and Security Layer (SASL). When Microsoft Digest authenticates a client, it creates a session key that is stored on the Web server and used to authenticate subsequent requests without needing to contact a domain controller for each one.
Similar to NTLM, digest authentication sends a hash of the user's credentials across the network rather than the credentials themselves, so that the password cannot simply be read by an attacker who "sniffs" the network connection. Because the digest is an MD5 hash computed from the username, realm, password, and the server's nonce, a captured exchange can still be subjected to offline password guessing; use digest authentication over SSL/TLS wherever the password is a valuable target.

Passport Authentication

Any business that wants to provide the convenience of single sign-on to its customers can license and use Microsoft Passport authentication. Passport authentication enables your company to provide a convenient means for customers to access and transact business on a given Web site. Sites that rely on Passport authentication use a centralized Passport server to authenticate users, rather than hosting and maintaining their own authentication systems. From a technical perspective, Passport authentication relies on standards-based Web technologies, including SSL, HTTP redirects, and cookies.

Educating Users

The more highly publicized network security incidents always seem to center on a technical flaw: an overlooked patch that led to a global denial-of-service (DoS) attack, a flaw that led to the worldwide propagation of an e-mail virus, or something similar. However, many network intrusions are caused by a lack of knowledge among corporate employees. For this reason, user education is a critical component of any security plan. Make sure that your users understand the potential dangers of sharing their logon credentials with anyone else or leaving that information in a location where others could take note of it. Your users will be far more likely to cooperate and comply with corporate security standards if they understand the reasons behind the policies and the damage they can cause by ignoring security measures. By combining user education with technical measures, such as password policies and strong network authentication, you will be well on your way to creating multiple layers of protection for your network and the data it contains.
Smart Card Authentication

Smart cards provide a portable method of providing security on a network for tasks like client authentication and securing user data. Smart cards and smart card authentication are discussed in detail in the chapter "Planning, Implementing, Maintaining Public Key Infrastructure," later in this book.

Using a smart card for network logon provides strong authentication because it requires two factors: something the user knows (the PIN) and something the user has (the smart card itself). This provides stronger authentication than a password alone, since a malicious user would need both the smart card and the PIN in order to impersonate a legitimate user. It is also difficult for an attacker to carry out a smart card attack undetected, because the user would notice that his or her smart card was physically missing. Note, however, that a smart card logon still results in the domain controller returning the user's NT hash to the workstation so that NTLM-only resources remain reachable, so the hash is still present in memory on the client and must be protected accordingly.

Planning a Security Group Strategy

As discussed in Chapter 10, a set of default groups is created during the installation of Windows Server 2003 on a computer. These groups reside in the local SAM database of the stand-alone or member server and can only be granted rights and permissions on that computer. Domain controllers also have a set of default groups. These groups reside within the Active Directory database and can be used throughout the domain.

You are not limited to using the default groups. Windows Server 2003 allows you to create your own groups at both the SAM and the Active Directory database level. This book deals with Active Directory, so we will assume that you are working in a Windows Server 2003 Active Directory environment when we discuss planning a group strategy.
Security Group Best Practices

Microsoft has a number of different recommended methods for using groups in a domain environment. You should expect to be asked a number of complex questions about the appropriate use of groups. Most of their recommendations fall into one of two models:

■ A single domain forest
■ A multiple domain forest

Designing a Group Strategy for a Single Domain Forest

AGDLP. This simple acronym sums up everything you need to remember for the use of groups in a single domain forest environment. Each of the letters has a specific meaning:

■ A  Accounts
■ G  Global groups
■ DL  Domain local groups
■ P  Permissions

The acronym can be read as: Accounts (user and computer objects) are placed into Global groups, which are placed into Domain Local groups, which are added to ACLs and granted Permissions to a resource. The point of the two group layers is separation of concerns: the global group describes who someone is (a role or department, maintained by whoever owns the people), and the domain local group describes what a resource grants (maintained by whoever owns the resource), so neither side has to edit the other's objects.

Consider this scenario: You have a new employee who is joining the benefits team within a company. The new user needs access to both benefits-related resources and all general HR resources. Therefore, you add the user to both the Benefits and HR global groups. These global groups are themselves members of domain local groups, one of which is illustrated in Figure 11.7. The HR global group is a member of the HR_Print domain local group. This group is used to grant access to the general printers that all members of the HR department are allowed to use.
When the domain functional level is raised to Windows 2000 native or Windows Server 2003, Microsoft specifies an extended group model, AGGDLP. The meaning of the letters does not change. Therefore, this model means: Accounts are placed into Global groups, which can be nested into other Global groups and/or placed into Domain Local groups, which are added to ACLs and granted Permissions to resources. This can make a huge difference, because it allows you to reduce the number of groups that you have to add a new user to. (Group nesting of this kind is not available at the Windows 2000 mixed functional level, where a global group may contain only accounts from its own domain.)

Consider the example used previously. If you nest the Benefits global group into the HR global group, you gain a tremendous advantage. When a new user joins the benefits team, you only have to add that user's account to a single group, Benefits. Because this group is also a member of the HR global group, the user receives all of the permissions and rights assignments associated with both groups. Figure 11.8 shows the AGGDLP model.

Figure 11.7 AGDLP in a Single Domain Forest (New User -> Benefits global group and HR global group; HR global group -> HR_Print domain local group -> Printer)

Designing a Group Strategy for a Multiple Domain Forest

These existing models can also be extended to a multiple domain forest. In a Windows 2000 mixed functional level domain, it takes quite a few resource assignments to grant permissions across domains. Extending the previous example, two additional domains are added. Each domain is for a different region of the world, and each has an HR department. The company needs all HR employees to be able to access files that are located in the North America office. Because the domain is at the Windows 2000 mixed functional level, the AGDLP model is used.
Again, a new user joins the benefits team, this time in the Europe domain. The user is added to the Benefits and HR global groups in the Europe domain. The HR global group in each domain has also been added to the Global_HR_Resources domain local group in the North America domain; a domain local group can contain global groups from any domain in the forest or from any trusted domain, which is what makes the model work across domain boundaries. The Global_HR_Resources domain local group has been granted the necessary permissions on the ACL for the files. Because all HR employees are (directly or indirectly) members of the HR global group in their domain, and each HR global group is a member of the Global_HR_Resources domain local group, they all have permission to access the required files. These relationships are shown in Figure 11.9.

Figure 11.8 AGGDLP in a Single Domain Forest (New User -> Benefits global group -> HR global group -> HR_Print domain local group -> Printer)
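The single-domain (AGDLP and AGGDLP) scenarios and the multiple-domain scenario above, as an added example that is not part of the book: a small Python resolver that encodes the group-scope rules Active Directory enforces (a global group holds only principals from its own domain and may nest other global groups only at native functional level; a domain local group may hold accounts and global groups from any domain) and walks nested membership to decide whether an account reaches a resource, which is the same closure a logon token carries. The domain names NA, EUROPE and ASIA, the account names and the file-share path are assumptions invented for the chapter's HR/Benefits story.

```python
# Added example (not from the book): effective-access resolver for AGDLP / AGGDLP.
# Domain, group, account and resource names are assumptions for the demonstration.
from dataclasses import dataclass, field

MIXED = "Windows 2000 mixed"
NATIVE = "Windows 2000 native"
GLOBAL, DOMAIN_LOCAL = "global", "domain local"


@dataclass
class Group:
    domain: str
    scope: str
    members: set = field(default_factory=set)   # keys of accounts or groups


class Forest:
    """Principals are keyed 'DOMAIN\\name'; an ACL maps a resource to the group keys granted access."""

    def __init__(self):
        self.levels = {}     # domain -> functional level
        self.accounts = {}   # account key -> domain
        self.groups = {}     # group key -> Group
        self.acls = {}       # resource -> set of group keys

    def add_domain(self, domain, level):
        self.levels[domain] = level

    def add_account(self, domain, name):
        self.accounts[f"{domain}\\{name}"] = domain

    def add_group(self, domain, name, scope):
        self.groups[f"{domain}\\{name}"] = Group(domain, scope)

    def _domain_of(self, key):
        return self.accounts[key] if key in self.accounts else self.groups[key].domain

    def add_member(self, group_key, member_key):
        """Add a member, refusing the combinations Active Directory refuses."""
        group = self.groups[group_key]
        member = self.groups.get(member_key)        # None when the member is an account
        if group.scope == GLOBAL:
            # A global group only holds principals from its own domain ...
            if self._domain_of(member_key) != group.domain:
                raise ValueError("global groups may only contain members from their own domain")
            # ... and nests other global groups only at native level or higher (AGGDLP).
            if member is not None and (member.scope != GLOBAL or self.levels[group.domain] == MIXED):
                raise ValueError("global-in-global nesting requires Windows 2000 native level")
        elif group.scope == DOMAIN_LOCAL:
            # Accounts and global groups from any domain are fine; other domain local
            # groups only from the same domain and only at native level.
            if member is not None and member.scope == DOMAIN_LOCAL and (
                    member.domain != group.domain or self.levels[group.domain] == MIXED):
                raise ValueError("domain local nesting requires native level and the same domain")
        group.members.add(member_key)

    def grant(self, resource, group_key):
        self.acls.setdefault(resource, set()).add(group_key)

    def groups_of(self, principal):
        """Transitive closure of group membership: the group SIDs a token would carry."""
        found, frontier = set(), {principal}
        while frontier:
            frontier = {k for k, g in self.groups.items() if g.members & frontier} - found
            found |= frontier
        return found

    def has_access(self, account, resource):
        return bool(self.groups_of(account) & self.acls.get(resource, set()))


HR_FILES = r"\\na-fs1\HR"   # assumed resource in the North America domain


def build_example(level=MIXED):
    """The chapter's scenario: three regional domains, an HR group in each, files in NA."""
    f = Forest()
    for d in ("NA", "EUROPE", "ASIA"):
        f.add_domain(d, level)
        f.add_group(d, "HR", GLOBAL)
        f.add_group(d, "Benefits", GLOBAL)
    f.add_group("NA", "Global_HR_Resources", DOMAIN_LOCAL)
    for d in ("NA", "EUROPE", "ASIA"):
        f.add_member("NA\\Global_HR_Resources", f"{d}\\HR")   # global groups from other domains
    f.grant(HR_FILES, "NA\\Global_HR_Resources")             # the only entry on the ACL
    f.add_account("EUROPE", "newuser")
    f.add_account("EUROPE", "contractor")
    f.add_member("EUROPE\\Benefits", "EUROPE\\newuser")
    if level == MIXED:                  # AGDLP: the account goes into both global groups
        f.add_member("EUROPE\\HR", "EUROPE\\newuser")
    else:                               # AGGDLP: Benefits is nested into HR instead
        f.add_member("EUROPE\\HR", "EUROPE\\Benefits")
    return f


def nesting_allowed(level):
    """True if Benefits can be nested into HR at the given functional level."""
    f = Forest()
    f.add_domain("EUROPE", level)
    f.add_group("EUROPE", "HR", GLOBAL)
    f.add_group("EUROPE", "Benefits", GLOBAL)
    try:
        f.add_member("EUROPE\\HR", "EUROPE\\Benefits")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for level in (MIXED, NATIVE):
        f = build_example(level)
        print(level, "newuser:", f.has_access("EUROPE\\newuser", HR_FILES),
              "contractor:", f.has_access("EUROPE\\contractor", HR_FILES),
              "nesting allowed:", nesting_allowed(level))
```

Running it shows the same effective access under both functional levels, but with one fewer direct membership to maintain per new hire once nesting is allowed; the same closure is what an auditor computes when asking "who can actually read this share?", which is why it should be walked from the resource side as well as the account side.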

Posted: 04/07/2014, 23:20


    • Introduction

    • Making Server Clustering Part of Your High-Availability Plan

      • Terminology and Concepts

        • Cluster Nodes

        • Cluster Groups

        • Failover and Failback

        • Cluster Services and Name Resolution

        • How Clustering Works

      • Cluster Models

        • Single Node

        • Single Quorum Device

        • Majority Node Set

      • Server Cluster Deployment Options

        • N-Node Failover Pairs

        • Hot-Standby Server/N+I

        • Failover Ring

        • Random

      • Server Cluster Administration

        • Using the Cluster Administrator Tool

        • Using Command-Line Tools

      • Recovering from Cluster Node Failure

      • Server Clustering Best Practices

        • Hardware Issues

        • Cluster Network Configuration

        • Security

    • Making Network Load Balancing Part of Your High-Availability Plan

      • Terminology and Concepts

        • Hosts/Default Host

        • Load Weight

        • Traffic Distribution

        • Convergence and Heartbeats

        • How NLB Works

      • Relationship of NLB to Clustering

      • Managing NLB Clusters

        • Using the NLB Manager Tool

        • Remote Management

        • Command-Line Tools

        • NLB Error Detection and Handling

      • Monitoring NLB

        • Using the WLBS Cluster Control Utility

      • NLB Best Practices

        • Multiple Network Adapters

        • Protocols and IP Addressing

        • Security

  • Chapter 7 Planning, Implementing, and Maintaining a High-Availability Strategy

    • Introduction

    • Understanding Performance Bottlenecks

      • Identifying System Bottlenecks

        • Memory

        • Processor

        • Disk

        • Network Components

      • Using the System Monitor Tool to Monitor Servers

        • Creating a System Monitor Console

      • Using Event Viewer to Monitor Servers

      • Using Service Logs to Monitor Servers

    • Planning a Backup and Recovery Strategy

      • Understanding Windows Backup

        • Types of Backups

        • Determining What to Back Up

      • Using Backup Tools

        • Using the Windows Backup Utility

        • Using the Command-Line Tools

      • Selecting Backup Media

      • Scheduling Backups

      • Restoring from Backup

        • Create a Backup Schedule

    • Planning System Recovery with ASR

      • What Is ASR?

      • How ASR Works

      • Alternatives to ASR

        • Safe Mode Boot

        • Last Known Good Boot Mode

        • ASR As a Last Resort

      • Using the ASR Wizard

      • Performing an ASR Restore

    • Planning for Fault Tolerance

      • Network Fault-Tolerance Solutions

      • Internet Fault-Tolerance Solutions

      • Disk Fault-Tolerance Solutions

      • Server Fault-Tolerance Solutions

  • Chapter 8 Monitoring and Troubleshooting Network Activity

    • Introduction

    • Using Network Monitor

      • Installing Network Monitor

        • Install Network Monitor

      • Basic Configuration

      • Network Monitor Default Settings

      • Configuring Monitoring Filters

      • Configuring Display Filters

      • Interpreting a Trace

        • Perform a Network Trace

    • Monitoring and Troubleshooting Internet Connectivity

      • NAT Logging

      • Name Resolution

        • NetBIOS Name Resolution

        • Using IPConfig to Troubleshoot Name Resolution

      • IP Addressing

        • Client Configuration Issues

        • Network Access Quarantine Control

        • DHCP Issues

    • Monitoring IPSec Connections

      • IPSec Monitor Console

      • Network Monitor

      • Netsh

      • Ipseccmd

      • Netdiag

      • Event Viewer

  • Chapter 9 Active Directory Infrastructure Overview

    • Introduction

    • Introducing Directory Services

      • Terminology and Concepts

        • Directory Data Store

        • Protecting Your Active Directory Data

        • Policy-Based Administration

        • Directory Access Protocol

        • Naming Scheme

        • Installing Active Directory to Create a Domain Controller

        • Install Active Directory

    • Understanding How Active Directory Works

      • Directory Structure Overview

      • Sites

      • Domains

      • Domain Trees

      • Forests

      • Organizational Units

      • Active Directory Components

      • Logical vs Physical Components

        • Domain Controllers

        • Schema

        • Global Catalog

        • Replication Service

    • Using Active Directory Administrative Tools

      • Graphical Administrative Tools/MMCs

        • Active Directory Users and Computers

        • Active Directory Domains and Trusts

        • Active Directory Sites and Services

      • Command-Line Tools

        • Cacls

        • Cmdkey

        • Csvde

        • Dcgpofix

        • Dsadd

        • Dsget

        • Dsmod

        • Dsmove

        • Ldifde

        • Ntdsutil

        • Whoami

    • Implementing Active Directory Security and Access Control

      • Access Control in Active Directory

        • Set Permissions on AD Objects

        • Role-Based Access Control

        • Authorization Manager

      • Active Directory Authentication

      • Standards and Protocols

        • Kerberos

        • X.509 Certificates

        • LDAP/SSL

        • PKI

    • What's New in Windows Server 2003 Active Directory?

      • New Features Available Only with Windows Server 2003 Domain/Forest Functionality

        • Domain Controller Renaming Tool

        • Domain Rename Utility

        • Forest Trusts

        • Dynamically Linked Auxiliary Classes

        • Disabling Classes

        • Replication

        • Raise Domain and Forest Functionality

  • Chapter 10 Working with User, Group, and Computer Accounts

    • Introduction

    • Understanding Active Directory Security Principal Accounts

      • Security Principals and Security Identifiers

        • Tools to View and Manage Security Identifiers

      • Naming Conventions and Limitations

    • Working with Active Directory User Accounts

      • Built-In Domain User Accounts

        • Administrator

        • Guest

        • HelpAssistant

        • SUPPORT_388945a0

      • InetOrgPerson

      • Creating User Accounts

        • Creating Accounts Using Active Directory Users and Computers

        • Create a User Object in Active Directory

        • Creating Accounts Using the DSADD Command

      • Managing User Accounts

        • Personal Information Tabs

        • Account Settings

        • Terminal Services Tabs

        • Security-Related Tabs

    • Working with Active Directory Group Accounts

      • Group Types

        • Security Groups

        • Distribution Groups

      • Group Scopes in Active Directory

        • Universal

        • Global

        • Domain Local

      • Built-In Group Accounts

        • Default Groups in Builtin Container

        • Default Groups in Users Container

      • Creating Group Accounts

        • Creating Groups Using Active Directory Users and Computers

        • Creating Groups Using the DSADD Command

      • Managing Group Accounts

    • Working with Active Directory Computer Accounts

      • Creating Computer Accounts

        • Creating Computer Accounts by Adding a Computer to a Domain

        • Creating Computer Accounts Using Active Directory Users and Computers

        • Creating Computer Accounts Using the DSADD Command

        • Managing Computer Accounts

      • Managing Multiple Accounts

      • Implementing User Principal Name Suffixes

        • Add and Use Alternative UPN Suffixes

      • Moving Account Objects in Active Directory

        • Moving Objects with Active Directory Users and Computers

        • Moving Objects with the DSMOVE Command

        • Moving Objects with the MOVETREE Command

        • Install MOVETREE with AD Support Tools

      • Troubleshooting Problems with Accounts

  • Chapter 11 Creating User and Group Strategies

    • Introduction

    • Creating a Password Policy for Domain Users

      • Creating an Extensive Defense Model

        • Strong Passwords

        • System Key Utility

      • Defining a Password Policy

        • Create a domain password policy

        • Modifying a Password Policy

        • Applying an Account Lockout Policy

        • Create an account lockout policy

    • Creating User Authentication Strategies

      • Need for Authentication

      • Single Sign-On

        • Interactive Logon

        • Network Authentication

    • Authentication Types

      • Kerberos

        • Understanding the Kerberos Authentication Process

      • Secure Sockets Layer/Transport Layer Security

      • NT LAN Manager

      • Digest Authentication

      • Passport Authentication

      • Educating Users

    • Smart Card Authentication

    • Planning a Security Group Strategy

      • Security Group Best Practices

      • Designing a Group Strategy for a Single Domain Forest

      • Designing a Group Strategy for a Multiple Domain Forest

  • Chapter 12 Working with Forests and Domains

    • Introduction

    • Understanding Forest and Domain Functionality

      • The Role of the Forest

        • New Forestwide Features

        • New Domainwide Features

      • Domain Trees

      • Forest and Domain Functional Levels

        • Domain Functionality

        • Forest Functionality

      • Raising the Functional Level of a Domain and Forest

        • Domain Functional Level

        • Verify the domain functional level

      • Raise the domain functional level

      • Forest Functional Level

      • Verify the forest functional level

      • Raise the forest functional level

      • Optimizing Your Strategy for Raising Functional Levels

    • Creating the Forest and Domain Structure

      • Deciding When to Create a New DC

      • Installing Domain Controllers

        • Creating a Forest Root Domain

        • Creating a New Domain Tree in an Existing Forest

        • Create a new domain tree in an existing forest

        • Creating a New Child Domain in an Existing Domain

        • Creating a New DC in an Existing Domain

        • Create a new domain controller in an existing domain using the conventional across-the-network method

        • Create a new domain controller in an existing domain using the new system state backup method

        • Assigning and Transferring Master Roles

        • Locate the Schema Operations Master

        • Transfer the Schema Operations Master Role

        • Locate the Domain Naming Operations Master

        • Transfer the Domain Naming Master Role

        • Locate the Infrastructure, RID and PDC Operations Masters

        • Transfer the Infrastructure, RID and PDC Master Roles

        • Seize the FSMO Master Roles

        • Using Application Directory Partitions

        • Administer Application Directory Partitions

      • Establishing Trust Relationships

        • Direction and Transitivity

        • Types of Trusts

      • Restructuring the Forest and Renaming Domains

        • Domain Rename Limitations

        • Domain Rename Limitations in a Windows 2000 Forest

        • Domain Rename Limitations in a Windows Server 2003 Forest

        • Domain Rename Dependencies

        • Domain Rename Conditions and Effects

        • Rename a Windows Server 2003 Domain Controller

    • Implementing DNS in the Active Directory Network Environment

      • DNS and Active Directory Namespaces

      • DNS Zones and Active Directory Integration

      • Configuring DNS Servers for Use with Active Directory

        • Integrating an Existing Primary DNS Server with Active Directory

        • Creating the Default DNS Application Directory Partitions

        • Using dnscmd to Administer Application Directory Partitions

      • Securing Your DNS Deployment

  • Chapter 13 Working with Trusts and Organizational Units

    • Introduction

    • Working with Active Directory Trusts

      • Types of Trust Relationships

        • Default Trusts

        • Shortcut Trust

        • Realm Trust

        • External Trust

        • Forest Trust

      • Creating, Verifying, and Removing Trusts

        • Create a transitive, one-way incoming realm trust

      • Securing Trusts Using SID Filtering

      • Understanding the Role of Container Objects

      • Creating and Managing Organizational Units

        • Create an Organizational Unit

        • Applying Group Policy to OUs

        • Delegating Control of OUs

    • Planning an OU Structure and Strategy for Your Organization

      • Delegation Requirements

        • Delegate authority for an OU

      • Security Group Hierarchy

  • Chapter 14 Working with Active Directory Sites

    • Introduction

    • Understanding the Role of Sites

      • Replication

      • Authentication

      • Distribution of Services Information

    • Relationship of Sites to Other Active Directory Components

      • Relationship of Sites and Domains

        • Physical vs Logical Structure of the Network

      • The Relationship of Sites and Subnets

    • Creating Sites and Site Links

      • Site Planning

        • Criteria for Establishing Separate Sites

        • Creating a Site

        • Create a new site

        • Renaming a Site

        • Rename a new site

        • Creating Subnets

        • Create subnets

        • Associating Subnets with Sites

        • Associate subnets with sites

        • Creating Site Links

        • Create site links

        • Configuring Site Link Cost

        • Configure site link costs

    • Site Replication

      • Types of Replication

      • Intra-site Replication

      • Inter-site Replication

      • Planning, Creating, and Managing the Replication Topology

        • Planning Replication Topology

        • Creating Replication Topology

        • Managing Replication Topology

      • Configuring Replication between Sites

        • Configuring Replication Frequency

        • Configuring Site Link Availability

        • Configuring Site Link Bridges

        • Configuring Bridgehead Servers

      • Troubleshooting Replication Failure

        • Troubleshooting Replication

        • Using Replication Monitor

        • Using Event Viewer

        • Using Support Tools

  • Chapter 15 Working with Domain Controllers

    • Introduction

    • Planning and Deploying Domain Controllers

      • Understanding Server Roles

      • Function of Domain Controllers

      • Determining the Number of Domain Controllers

      • Using the Active Directory Installation Wizard

      • Creating Additional Domain Controllers

      • Upgrading Domain Controllers to Windows Server 2003

      • Placing Domain Controllers within Sites

    • Backing Up Domain Controllers

      • Restoring Domain Controllers

    • Managing Operations Masters

  • Chapter 16 Working with Global Catalog Servers and Schema

    • Introduction

    • Working with the Global Catalog and GC Servers

      • Functions of the GC

        • UPN Authentication

        • Directory Information Search

        • Universal Group Membership Information

      • Customizing the GC Using the Schema MMC Snap-In

        • Set Up Active Directory Schema MMC Snap-in

      • Creating and Managing GC Servers

      • Understanding GC Replication

        • Universal Group Membership

        • Attributes in GC

      • Placing GC Servers within Sites

        • Bandwidth and Network Traffic Considerations

        • Universal Group Caching

      • Troubleshooting GC Issues

    • Working with the Active Directory Schema

      • Understanding Schema Components

        • Classes

        • Attributes

        • Naming of Schema Objects

      • Working with the Schema MMC Snap-In

      • Modifying and Extending the Schema

      • Deactivating Schema Classes and Attributes

        • Create and deactivate classes or attributes

      • Troubleshooting Schema Issues

  • Chapter 17 Working with Group Policy in an Active Directory Environment

    • Introduction

    • Understanding Group Policy

      • Terminology and Concepts

        • Local and Non-Local Policies

        • User and Computer Policies

        • Group Policy Objects

        • Scope and Application Order of Policies

      • Group Policy Integration in Active Directory

      • Group Policy Propagation and Replication

    • Planning a Group Policy Strategy

      • Using RSoP Planning Mode

        • Opening RSoP in Planning Mode

        • Reviewing RSoP Results

      • Strategy for Configuring the User Environment

      • Strategy for Configuring the Computer Environment

        • Run an RSoP Planning Query

    • Implementing Group Policy

      • The Group Policy Object Editor MMC

      • Creating, Configuring, and Managing GPOs

        • Creating and Configuring GPOs

        • Naming GPOs

        • Managing GPOs

      • Configuring Application of Group Policy

        • General

        • Links

        • Security

        • WMI Filter

      • Delegating Administrative Control

      • Verifying Group Policy

        • Delegate Control for Group Policy to a Non-Administrator

    • Performing Group Policy Administrative Tasks

      • Automatically Enrolling User and Computer Certificates

      • Redirecting Folders

      • Configuring User and Computer Security Settings

        • Computer Configuration

        • User Configuration

        • Redirect the My Documents Folder

      • Using Software Restriction Policies

        • Setting Up Software Restriction Policies

        • Software Policy Rules

        • Precedence of Policies

        • Best Practices

    • Applying Group Policy Best Practices

    • Troubleshooting Group Policy

      • Using RSoP

      • Using gpresult.exe

        • Run an RSoP Query in Logging Mode

  • Chapter 18 Deploying Software via Group Policy

    • Introduction

    • Understanding Group Policy Software Installation Terminology and Concepts

      • Group Policy Software Installation Concepts

        • Assigning Applications

        • Publishing Applications

        • Document Invocation

        • Application Categories

        • Group Policy Software Deployment vs SMS Software Deployment

      • Group Policy Software Installation Components

        • Windows Installer Packages (.msi)

        • Transforms (.mst)

        • Patches and Updates (.msp)

        • Application Assignment Scripts (.aas)

        • Deploying Software to Users

        • Deploying Software to Computers

    • Using Group Policy Software Installation to Deploy Applications

      • Preparing for Group Policy Software Installation

        • Creating Windows Installer Packages

      • Using .zap Setup Files

        • Publish Software Using a .ZAP File

        • Creating Distribution Points

      • Working with the GPO Editor

      • Opening or Creating a GPO for Software Deployment

      • Assigning and Publishing Applications

        • Assign Software to a Group

      • Configuring Software Installation Properties

        • The General Tab

        • The Advanced Tab

        • The File Extensions Tab

        • The Categories Tab

      • Upgrading Applications

        • Configuring Required Updates

      • Removing Managed Applications

      • Managing Application Properties

      • Categorizing Applications

      • Adding and Removing Modifications for Application Packages

        • Apply a Transform to a Software Package

    • Troubleshooting Software Deployment

      • Verbose Logging

      • Software Installation Diagnostics Tool

  • Chapter 19 Ensuring Active Directory Availability

    • Introduction

    • Understanding Active Directory Availability Issues

      • The Active Directory Database

      • Data Modification to the Active Directory Database

      • The Tombstone and Garbage Collection Processes

      • System State Data

      • Fault Tolerance and Performance

    • Performing Active Directory Maintenance Tasks

      • Defragmenting the Database

        • The Offline Defragmentation Process

        • Perform an Offline Defragmentation of the Active Directory Database

      • Moving the Database or Log Files

      • Monitoring the Database

        • Using Event Viewer to Monitor Active Directory

        • Using the Performance Console to Monitor Active Directory

        • Use System Monitor to Monitor Active Directory

    • Backing Up and Restoring Active Directory

      • Backing Up Active Directory

        • Backing Up at the Command Line

      • Restoring Active Directory

        • Directory Services Restore Mode

        • Normal Restore

        • Authoritative Restore

        • Primary Restore

    • Troubleshooting Active Directory Availability

      • Setting Logging Levels for Additional Detail

      • Using Ntdsutil Command Options

        • Using the Integrity Command

        • Using the recover Command

        • Using the Semantic Database Analysis Command

        • Using the esentutl Command

      • Changing the Directory Services Restore Mode Password

  • Chapter 20 Planning, Implementing, and Maintaining a Name Resolution Strategy

    • Introduction

    • Planning for Host Name Resolution

      • Install Windows Server 2003 DNS Service and Configure Forward and Reverse Lookup Zones

      • Designing a DNS Namespace

        • Host Naming Conventions and Limitations

        • Supporting Multiple Namespaces

      • Planning DNS Server Deployment

        • Planning the Number of DNS Servers

        • Planning for DNS Server Capacity

        • Planning DNS Server Placement

        • Planning DNS Server Roles

      • Planning for Zone Replication

        • Active Directory-integrated Zone Replication Scope

        • Security for Zone Replication

        • General Guidelines for Planning for Zone Replication

      • Planning for Forwarding

        • Conditional Forwarding

        • General Guidelines for Using Forwarders

      • DNS/DHCP Interaction

        • Security Considerations for DDNS and DHCP

        • Aging and Scavenging of DNS Records

      • Windows Server 2003 DNS Interoperability

        • BIND and Other DNS Server Implementations

        • Zone Transfers with BIND

        • Supporting AD with BIND

        • Split DNS Configuration

        • Interoperability with WINS

      • DNS Security Issues

        • Common DNS Threats

        • Securing DNS Deployment

        • DNS Security Levels

        • General DNS Security Guidelines

      • Monitoring DNS Servers

        • Testing DNS Server Configuration with the DNS Console Monitoring Tab

        • Debug Logging

        • Event Logging

        • Monitoring DNS Server Using the Performance Console

        • Command-line Tools for Maintaining and Monitoring DNS Servers

    • Planning for NetBIOS Name Resolution

      • Understanding NetBIOS Naming

        • NetBIOS Name Resolution Process

        • Understanding the LMHOSTS File

        • Understanding WINS

        • What's New for WINS in Windows Server 2003

      • Planning WINS Server Deployment

        • Server Number and Placement

      • Planning for WINS Replication

      • Replication Partnership Configuration

      • Replication Models

    • WINS Issues

      • Static WINS Entries

      • Multihomed WINS Servers

      • Client Configuration

      • Preventing Split WINS Registrations

      • Performance Issues

      • Security Issues

      • Planning for WINS Database Backup and Restoration

    • Troubleshooting Name Resolution Issues

      • Troubleshooting Host Name Resolution

        • Issues Related to Client Computer Configuration

        • Issues Related to DNS Services

      • Troubleshooting NetBIOS Name Resolution

        • Issues Related to Client Computer Configuration

        • Issues Related to WINS Servers

  • Chapter 21 Planning, Implementing, and Maintaining the TCP/IP Infrastructure

    • Introduction

    • Understanding Windows 2003 Server Network Protocols

      • The Multiprotocol Network Environment

      • What's New in TCP/IP for Windows Server 2003

        • IGMPv3

        • IPv6

        • Alternate Configuration

        • Automatic Determination of Interface Metric

    • Planning an IP Addressing Strategy

      • Analyzing Addressing Requirements

      • Creating a Subnetting Scheme

      • Troubleshooting IP Addressing

        • Client Configuration Issues

        • DHCP Issues

      • Transitioning to IPv6

        • IPv6 Utilities

        • Install TCP/IP Version 6

        • 6to4 Tunneling

        • IPv6 Helper Service

        • The 6bone

        • Teredo (IPv6 with NAT)

    • Planning the Network Topology

      • Analyzing Hardware Requirements

      • Planning the Placement of Physical Resources

    • Planning Network Traffic Management

      • Monitoring Network Traffic and Network Devices

        • Using System Monitor

      • Determining Bandwidth Requirements

      • Optimizing Network Performance

  • Chapter 22 Planning, Implementing, and Maintaining a Routing Strategy

    • Introduction

    • Understanding IP Routing Basics

      • Routing Tables

      • Static versus Dynamic Routing

      • Gateways

      • Routing Protocols

      • Using Netsh Commands

    • Evaluating Routing Options

      • Selecting Connectivity Devices

      • Switches

      • Routers

    • Windows Server 2003 As a Router

      • Configure a Windows Server 2003 Computer As a Static Router

      • Configure RIP Version 2

    • Security Considerations for Routing

      • Analyzing Requirements for Routing Components

      • Simplifying Network Topology to Provide Fewer Attack Points

        • Minimizing the Number of Network Interfaces and Routes

        • Minimizing the Number of Routing Protocols

      • Router-to-Router VPNs

        • Install and Enable Windows Server 2003 VPN Server

        • Set Up Windows Server 2003 As Router-to-Router VPN Server

      • Packet Filtering and Firewalls

      • Logging Level

    • Troubleshooting IP Routing

      • Identifying Troubleshooting Tools

      • Common Routing Problems

        • Interface Configuration Problems

        • RRAS Configuration Problems

        • Routing Protocol Problems

        • TCP/IP Configuration Problems

        • Routing Table Configuration Problems

  • Chapter 23 Planning, Implementing, and Maintaining Internet Protocol Security

    • Introduction

    • Understanding IP Security (IPSec)

      • How IPSec Works

        • Securing Data in Transit

        • IPSec Cryptography

      • IPSec Modes

        • Tunnel Mode

        • Transport Mode

      • IPSec Protocols

        • Determine IPSec Protocol

        • Additional Protocols

      • IPSec Components

        • IPSec Policy Agent

        • IPSec Driver

      • IPSec and IPv6

    • Deploying IPSec

      • Determining Organizational Needs

      • Security Levels

    • Managing IPSec

      • Using the IP Security Policy Management MMC Snap-in

      • Install the IP Security Policy Management Console

      • Using the netsh Command-line Utility

      • Default IPSec Policies

      • Client (Respond Only)

      • Server (Request Security)

      • Secure Server (Require Security)

      • Custom Policies

        • Customize IP Security Policy

        • Using the IP Security Policy Wizard

        • Create an IPSec Policy with the IP Security Policy Wizard

        • Defining Key Exchange Settings

        • Managing Filter Lists and Filter Actions

      • Assigning and Applying Policies in Group Policy

      • Active Directory Based IPSec Policies

      • IPSec Monitoring

        • Using the netsh Utility for Monitoring

        • Using the IP Security Monitor MMC Snap-in

      • Troubleshooting IPSec

        • Using netdiag for Troubleshooting Windows Server 2003 IPSec

        • Viewing Policy Assignment Information

        • Viewing IPSec Statistics

        • Using Packet Event Logging to Troubleshoot IPSec

        • Using IKE Detailed Tracing to Troubleshoot IPSec

        • Using the Network Monitor to Troubleshoot IPSec

        • Disabling TCP/IP and IPSec Hardware Acceleration to Solve IPSec Problems

    • Addressing IPSec Security Considerations

      • Strong Encryption Algorithm (3DES)

      • Firewall Packet Filtering

      • Diffie-Hellman Groups

      • Pre-shared Keys

        • Advantages and Disadvantages of Pre-shared Keys

        • Considerations when Choosing a Pre-shared Key

      • Soft Associations

      • Security and RSoP

  • Chapter 24 Planning, Implementing, and Maintaining a Public Key Infrastructure

    • Introduction

    • Planning a Windows Server 2003 Certificate-Based PKI

      • Understanding Public Key Infrastructure

        • The Function of the PKI

        • Components of the PKI

      • Understanding Digital Certificates

        • User Certificates

        • Machine Certificates

        • Application Certificates

      • Understanding Certification Authorities

        • CA Hierarchy

        • How Microsoft Certificate Services Works

        • Install Certificate Services

    • Implementing Certification Authorities

      • Configure a Certification Authority

      • Analyzing Certificate Needs within the Organization

      • Determining Appropriate CA Type(s)

        • Enterprise CAs

        • Stand-Alone CAs

        • Planning the CA Hierarchy

        • Planning CA Security

        • Certificate Revocation

    • Planning Enrollment and Distribution of Certificates

      • Certificate Templates

      • Certificate Requests

      • Auto-Enrollment Deployment

      • Role-Based Administration

    • Implementing Smart Card Authentication in the PKI

      • How Smart Card Authentication Works

      • Deploying Smart Card Logon

        • Smart Card Readers

        • Smart Card Enrollment Station

      • Using Smart Cards To Log On to Windows

        • Implement and Use Smart Cards

      • Using Smart Cards for Remote Access VPNs

      • Using Smart Cards To Log On to a Terminal Server

  • Chapter 25 Planning, Implementing, Maintaining Routing and Remote Access

    • Introduction

    • Planning the Remote Access Strategy

      • Analyzing Organizational Needs

      • Analyzing User Needs

      • Selecting Remote Access Types To Allow

        • Dial-In

        • VPN

        • Wireless Remote Access

    • Addressing Dial-In Access Design Considerations

      • Allocating IP Addresses

        • Static Address Pools

        • Using DHCP for Addressing

        • Using APIPA

      • Determining Incoming Port Needs

        • Multilink and BAP

      • Selecting an Administrative Model

        • Access by User

        • Access by Policy

    • Configuring the Windows 2003 Dial-up RRAS Server

    • Configuring RRAS Packet Filters

      • RRAS Packet Filter Configuration

    • Addressing VPN Design Considerations

      • Selecting VPN Protocols

        • Client Support

        • Data Integrity and Sender Authentication

        • PKI Requirements

      • Installing Machine Certificates

      • Configuring Firewall Filters

    • PPP Multilink and Bandwidth Allocation Protocol (BAP)

      • PPP Multilink Protocol

      • BAP Protocols

    • Addressing Wireless Remote Access Design Considerations

      • The 802.11 Wireless Standards

      • Using IAS for Wireless Connections

      • Configuring Remote Access Policies for Wireless Connections

        • Create a Policy for Wireless Access

      • Multiple Wireless Access Points

      • Placing CA on VLAN for New Wireless Clients

      • Configuring WAPs as RADIUS Clients

    • Planning Remote Access Security

      • Domain Functional Level

      • Selecting Authentication Methods

        • Disallowing Password-Based Connections (PAP, SPAP, CHAP, MS-CHAP v1)

        • Disable Password-Based Authentication Methods

        • Using RADIUS/IAS vs. Windows Authentication

      • Selecting the Data Encryption Level

      • Using Callback Security

      • Managed Connections

      • Mandating Operating System/File System

      • Using Smart Cards for Remote Access

    • Configuring Wireless Security Protocols

      • Configure Wireless Networking

    • RRAS NAT Services

      • Configure NAT and Static NAT Mapping

    • ICMP Router Discovery

      • Configure ICMP Router Discovery

    • Creating Remote Access Policies

      • Policies and Profiles

      • Authorizing Remote Access

        • Authorizing Access By Group

      • Restricting Remote Access

        • Restricting by User/Group Membership

        • Restricting by Type of Connection

        • Restricting by Time

        • Restricting by Client Configuration

        • Restricting Authentication Methods

        • Restricting by Phone Number or MAC Address

      • Controlling Remote Connections

        • Controlling Idle Timeout

        • Controlling Maximum Session Time

        • Controlling Encryption Strength

        • Controlling IP Packet Filters

        • Controlling IP Address for PPP Connections

    • Troubleshooting Remote Access Client Connections

    • Troubleshooting Remote Access Server Connections

    • Configuring Internet Authentication Services

      • Configure IAS

  • Chapter 26 Managing Web Servers with IIS 6.0

    • Introduction

    • Installing and Configuring IIS 6.0

      • Pre-Installation Checklist

        • Internet Connection Firewall

      • Installation Methods

        • Using the Configure Your Server Wizard

        • Using the Add or Remove Programs Applet

        • Using Unattended Setup

      • Installation Best Practices

    • What's New in IIS 6.0?

      • New Security Features

        • Advanced Digest Authentication

        • Server-Gated Cryptography (SGC)

        • Selectable Cryptographic Service Provider (CSP)

        • Configurable Worker Process Identity

        • Default Lockdown Status

        • New Authorization Framework

      • New Reliability Features

        • Health Detection

        • New Request Processing Architecture: HTTP.SYS Kernel Mode Driver

      • Other New Features

        • ASP.NET and IIS Integration

        • Unicode Transformation Format-8 (UTF-8)

        • XML Metabase

    • Managing IIS 6.0

      • Performing Common Management Tasks

        • Site Setup

        • Common Administrative Tasks

        • Enable Health Detection

      • Managing IIS Security

        • Configuring Authentication Settings

    • Troubleshooting IIS 6.0

      • Troubleshooting Content Errors

        • Static Files Return 404 Errors

        • Dynamic Content Returns a 404 Error

        • Sessions Lost Due to Worker Process Recycling

        • Configure Worker Process Recycling

        • ASP.NET Pages are Returned as Static Files

      • Troubleshooting Connection Errors

        • 503 Errors

        • Extend The Queue Length of An Application Pool

        • Extend The Error Count and Timeframe

        • Clients Cannot Connect to Server

        • 401 Error: Sub Authentication Error

        • Client Requests Timing Out

      • Troubleshooting Other Errors

        • File Not Found Errors for UNIX and Linux Files

        • ISAPI Filters Are Not Automatically Visible as Properties of the Web Site

        • The Scripts and Msadc Virtual Directories Are Not Found in IIS 6.0

    • Using New IIS Command-Line Utilities

      • iisweb.vbs

      • iisvdir.vbs

      • iisftp.vbs

      • iisftpdr.vbs

      • iisback.vbs

      • iiscnfg.vbs

  • Chapter 27 Managing and Troubleshooting Terminal Services

    • Introduction

    • Understanding Windows Terminal Services

      • Terminal Services Components

        • Remote Desktop for Administration

        • Remote Assistance

        • The Terminal Server Role

    • Using Terminal Services Components for Remote Administration

      • Configuring RDA

      • Enabling RDA Access

      • Remote Desktop Security Issues

      • Using Remote Assistance

        • Configuring Remote Assistance for Use

        • Asking for Assistance

        • Managing Open Invitations

        • Remote Assistance Security Issues

    • Installing and Configuring the Terminal Server Role

      • Install the Terminal Server Role

      • Install Terminal Server Licensing

    • Using Terminal Services Client Tools

      • Installing and Using the Remote Desktop Connection (RDC) Utility

        • Installing the Remote Desktop Connection Utility

        • Launching and Using the Remote Desktop Connection Utility

        • Configuring the Remote Desktop Connection Utility

      • Installing and Using the Remote Desktops MMC Snap-In

        • Install the Remote Desktops MMC Snap-In

        • Configure a New Connection in the RD MMC

        • Configure a Connection's Properties

        • Connecting and Disconnecting

      • Installing and Using the Remote Desktop Web Connection Utility

        • Install the Remote Desktop Web Connection Utility

        • Using the Remote Desktop Web Connection Utility from a Client

    • Using Terminal Services Administrative Tools

      • Use Terminal Services Manager to Connect to Servers

        • Manage Users with the Terminal Services Manager Tool

        • Manage Sessions with the Terminal Services Manager Tool

        • Manage Processes with the Terminal Services Manager Tool

      • Using the Terminal Services Configuration Tool

        • Understanding Listener Connections

        • Modifying the Properties of an Existing Connection

        • Terminal Services Configuration Server Settings

      • User Account Extensions

        • The Terminal Services Profile Tab

        • The Sessions Tab

        • The Environment Tab

        • The Remote Control Tab

      • Using Group Policies to Control Terminal Services Users

      • Using the Terminal Services Command-Line Tools

        • Use Terminal Services Manager to Reset a Session

    • Troubleshooting Terminal Services

      • Not Automatically Logged On

      • "This Initial Program Cannot Be Started"

      • Clipboard Problems

      • License Problems

  • Index
