262 Chapter 5 Managing Security Performing a Security Analysis The next step is to perform a security analysis. To run the analysis, simply right- click the Security Configuration and Analysis utility and select the Analyze Computer Now option from the pop-up menu. You will see a Perform Analysis dialog box that allows you to specify the location and filename for the error log file path that will be created during the analysis. After this information is con- figured, click the OK button. When the analysis is complete, you will be returned to the main MMC window. From there, you can review the results of the security analysis. Reviewing the Security Analysis and Resolving Discrepancies The results of the security analysis are stored in the Security Configuration and Analysis snap-in, under the configured security item (see Table 5.8). For example, to see the results for password policies, double-click the Security Configuration and Analysis snap-in, double-click Account Policies, and then double-click Password Policy. Figure 5.16 shows an example of security analysis results for password policies. FIGURE 5.16 Viewing the results of a security analysis Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com Using the Security Configuration and Analysis Tool 263 The policies that have been analyzed will have an × or a next to each policy, as shown in Figure 5.16. An × indicates that the template specification and the actual policy do not match. A indicates that the template specification and the policy do match. If any security discrep- ancies are indicated, you should use the Group Policy snap-in to resolve the security violation. In Exercise 5.8, you will use the Security Configuration and Analysis util- ity to analyze your security configuration. This exercise assumes that you have completed all of the previous exercises in this chapter. EXERCISE 5.8 Using the Security Configuration and Analysis Tool In this exercise, you will add the Security and Configuration Analysis snap-in to the MMC, specify a security database, create a security tem- plate, import the template, perform an analysis, and review the results. Adding the Security and Configuration Analysis Snap-in 1. Select Start Programs Administrative Tools Security. 2. Select Console Add/Remove Snap-in. 3. In the Add/Remove Snap-In dialog box, click the Add button. High- light the Security Configuration and Analysis snap-in and click the Add button. Then click the Close button. 4. In the Add/Remove Snap-In dialog box, click the OK button. Specifying the Security Database 1. In the MMC, right-click Security Configuration and Analysis and select Open Database. 2. In the Open Database dialog box, type sampledb in the File Name text box. Then click the Open button. 3. In the Import Template dialog box, select the template basicsv and click the Open button. Creating the Security Template 1. In the MMC, select Console Add/Remove Snap-in. 2. In the Add/Remove Snap-In dialog box, click the Add button. High- light the Security Templates snap-in and click the Add button. Then click the Close button. 3. In the Add/Remove Snap-In dialog box, click the OK button. Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com 264 Chapter 5 Managing Security 4. Expand the Security Templates snap-in, then expand the WINNT\Security\Templates folder. 5. Double-click the basicsv file. 6. Select Account Policies, then Password Policy. 7. Edit the password policies as follows: Set the Enforce Password History option to 10 passwords remembered. Enable the Passwords Must Meet Complexity Requirements option. Set the Maximum Password Age option to 30 days. 8. Highlight the basicsv file, right-click, and select the Save As option. 9. In the Save As dialog box, place the file in the default folder and name the file servertest. Click the Save button. Importing the Security Template 1. Highlight the Security Configuration and Analysis snap-in, right- click, and select the Import Template option. 2. In the Import Template dialog box, highlight the servertest file and click the Open button. Performing and Reviewing the Security Analysis 1. Highlight the Security Configuration and Analysis snap-in, right- click, and select the Analyze Computer Now option. 2. In the Perform Analysis dialog box, accept the default error log file path and click the OK button. 3. When you return to the main MMC window, double-click the Secu- rity Configuration and Analysis snap-in. 4. Double-click Account Policies, and then double-click Password Policy. You will see the results of the analysis for each policy, indicated by an × or a next to the policy. EXERCISE 5.8 (continued) Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com Summary 265 Summary In this chapter, you learned about the security features of Windows 2000 Server. We covered the following topics: Security settings, which can be applied at the local or domain level. To manage local security policies, use Group Policy with the Local Com- puter Group Policy object. To manage domain security policies, use Group Policy with the Domain Controllers Group Policy object. Account policies, which control the logon process. The three types of account policies are password, account lockout, and Kerberos policies. Local policies, which control what a user can do at the computer. The three types of local policies are audit, user rights assignment, and security options policies. System policies, which are used to define a user’s Desktop environment. In Windows 2000, system policies are mainly used for backward com- patibility with Windows 9x and Windows NT clients. The Security and Analysis Configuration utility, which is used to ana- lyze your security configuration. You run this utility to compare your existing security settings to a security template configured with your desired settings. Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com 266 Chapter 5 Managing Security Key Terms Before you take the exam, be sure you’re familiar with the following key terms: account lockout policies account policies audit policies domain policies Kerberos Kerberos policies key distribution center (KDC) local policies mutual authentication password policies Security Configuration and Analysis tool security options system policies user rights Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com Review Questions 267 Review Questions 1. Which password policy specifies that a higher level of encryption be used to store all user passwords? A. Passwords Must Meet the Complexity Requirements B. Store Password Using Reversible Encryption for All Users in the Domain C. Require C2/E2 Encryption Standards D. All Passwords Must Use High Level Encryption Standards 2. Which account lockout policy specifies how long an account will remain locked if the account lockout counter is exceeded? A. Account Lockout Counter B. Account Lockout Time C. Account Lockout Duration D. Account Lockout Specified Period 3. Which audit policy tracks when a user logs on, logs off, or makes a network connection? A. Audit Object Access B. Audit Logon Events C. Audit Account Logon Events D. Audit Process Tracking 4. Which user right allows a user to pass through and traverse the directory structure even if that user does not have permission to list the contents of the directory? A. Traverse the Directory Structure B. See Directory Structure C. Manage Directory Structure D. Bypass Traverse Checking Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com 268 Chapter 5 Managing Security 5. Which user right allows a user to log on to the local computer? A. Log on Locally B. Log on Interactively C. Log on Natively D. Log on as a Local User 6. Which user right allows a user to manage the Security log that is generated when auditing has been enabled? A. Manage Auditing and Security Log B. Process Auditing Log C. Profile Auditing and Security Log D. Modify Firmware Environment Variables 7. What type of policy is Disable CTRL+ALT+DEL Requirement for Logon? A. User rights assignment policy B. Audit policy C. Security option D. User management policy 8. Which utility is used to perform analysis and to help configure the computer’s local security settings? A. Security Configuration and Analysis B. LAN Analyzer C. Security Manager and Analyzer D. W2K Security Analyzer 9. Which security protocol is used with Windows 2000 Server to authenticate users and network services? A. Kerberos version 5 B. C2\E2 Security C. KDS Security D. MS-CHAP Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com Review Questions 269 10. Which password policy specifies that users cannot reuse passwords until they have cycled through a specified number of unique passwords? A. Enforce Password History B. Use Unique Passwords C. Require C2/E2 Encryption Standards D. All Passwords Must Use High Level Standards 11. Which account lockout policy specifies the number of invalid attempts allowed before an account will be locked out? A. Account Lockout Counter B. Account Lockout Threshold C. Account Lockout Duration D. Account Lockout Specified Period 12. Which audit policy tracks when a user or group is created, deleted, or has management actions generated? A. Audit Object Access B. Audit Logon Events C. Audit Account Management D. Audit Process Tracking 13. Marc needs to monitor the system processes of three servers through the Performance Logs and Alerts utility. What user right should Marc be assigned so that he can accomplish this task? A. Profile System Performance B. Monitor System Performance C. Manage System Monitoring D. Monitor Performance Logs and Alerts Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com 270 Chapter 5 Managing Security 14. Scott’s Windows 2000 Server computer also acts as an IIS server that allows anonymous access. He wants to minimize security risks as much as possible. Which of the following security options will allow him to specify additional restrictions for anonymous connections? A. Additional Restrictions for Anonymous Users B. Impose Additional Security for Anonymous Users C. Tight Security for Anonymous Users D. Audit Access of Anonymous Users 15. Scott has recently applied security options for his Windows 2000 Server computer. When he attempts to verify the security settings, they appear as if they have not been applied. What command-line utility can Scott use to force an update of the new security policies? A. secupdate B. secedit C. secrefresh D. secpol 16. What is the path and name that should be used to save a system policy file? A. \Windir\System32\Repl\Import\Scripts\CONFIG.POL B. \Windir\System32\Repl\Import\Scripts\NTCONFIG.POL C. \Windir\Sysvol\Sysvol\domain\Scripts\CONFIG.POL D. \Windir\Sysvol\Sysvol\domain\Scripts\NTCONFIG.POL 17. Marilyn is creating a system policy through System Policy Editor. When she edits objects that will have system policies applied, which object is not valid? A. User B. Group C. Printer D. Computer Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com Review Questions 271 18. Kevin is planning on running a security analysis on his Windows 2000 Server computer. The MIS department has given him a template called MISServer.inf to use. Which of the following MMC snap-in utilities should Kevin use to import this template? A. Security Templates B. Security Configuration and Analysis C. Security Manager D. Template Manager 19. Kaitlin is viewing the system policies on her Windows 2000 Server computer to attempt to troubleshoot a problem for user Lars. Lars has a white check box next to the restriction Remove Run Command from Start Menu. What does this check box indicate? A. No policy is in effect, use existing settings B. The policy should be applied C. The policy should not be applied D. This value does not exist 20. Which command-line utility is used to create and manage system policies in Windows 2000 Server? A. POLEDITOR B. SYSPOLED C. POLEDIT D. EDITPOL Copyright ©2000 SYBEX , Inc., Alameda, CA www.sybex.com [...]... management is choosing how your physical drives are configured Windows 2000 Server supports basic storage and dynamic storage When you install Windows 2000 or upgrade from Windows NT, the drives are configured as basic storage Dynamic storage is new to Windows 2000 Server and allows you to create simple, spanned, striped, mirrored, and RAID -5 volumes Once you decide how your disks should be configured,... both Windows 2000 Server and Professional The main difference is that Windows 2000 Professional does not support mirrored volumes or RAID -5 volumes Copyright 2000 SYBEX , Inc., Alameda, CA www.sybex.com Configuring File Systems 277 Configuring File Systems File systems are used to store and locate the files you save on your hard drive As explained in Chapter 1, “Getting Started with Windows 2000 Server, ”... Operating system support Most Windows 95 OSR2, Windows 98, and Windows 2000 Windows NT and Windows 2000 Long filename support? Yes Yes Yes Efficient use of disk space? No Yes Yes Compression support? No No Yes Quota support? No No Yes Encryption support? No No Yes Local security support? No No Yes Network security support? Yes Yes Yes Maximum volume size 2GB 32GB 2TB Copyright 2000 SYBEX , Inc., Alameda,... support only basic storage Copyright 2000 SYBEX , Inc., Alameda, CA www.sybex.com 280 Chapter 6 Managing Disks Dynamic Storage Dynamic storage is a new Windows 2000 feature that consists of a dynamic disk divided into dynamic volumes Dynamic volumes cannot contain partitions or logical drives, and they are only accessible through Windows 2000 systems Windows 2000 Server dynamic storage supports five... configure disk quotas Recover from disk failures Encrypt data on a hard disk by using Encrypting File System (EFS) Copyright 2000 SYBEX , Inc., Alameda, CA www.sybex.com W hen you install Windows 2000 Server, you choose how your disks are initially configured Through Windows 2000 Server s utilities and features, you can change your configuration and perform disk-management tasks For your file system configuration,... if you have three 5GB drives in a RAID -5 volume set, 5GB of the volume set is used to store parity information, and the remaining 10GB can store data If your volume set contained five 5GB drives, you could use 20GB for data and 5GB for storing parity information The main disadvantage of a RAID -5 volume is that once a drive fails, system performance suffers until you rebuild the RAID -5 volume This is... can be used to rebuild the data on the failed drive RAID -5 volumes require at least three physical drives (up to a maximum of 32 drives), using an equal size of free space on all of the drives, as illustrated in Figure 6 .5 Copyright 2000 SYBEX , Inc., Alameda, CA www.sybex.com 284 Chapter 6 Managing Disks FIGURE 6 .5 A RAID -5 volume set RAID -5 Volume Set Physical Disk 0 Primary Physical Disk 0 Secondary... information must be recalculated through memory to reconstruct the missing drive If more that one drive fails, the RAID -5 volume becomes inaccessible At that point, you must restore your data from your backup media The RAID -5 offered through Windows 2000 Server is software RAID Most hardware server vendors offer hardware RAID The features of hardware RAID are far superior to software RAID The only advantage... to the volume set on each physical drive This means that you could combine a 50 0MB partition on one physical drive with two 750 MB partitions on other dynamic drives, as shown in Figure 6.2 FIGURE 6.2 A spanned volume set Data Written Sequentially Physical Disk 0 1GB Physical Disk 1 50 0MB Physical Disk 2 750 MB Physical Disk 3 750 MB Spanned Volume Set D:\ Because data is written sequentially, you do not... Yes Yes Yes Maximum volume size 2GB 32GB 2TB Copyright 2000 SYBEX , Inc., Alameda, CA www.sybex.com 278 Chapter 6 Managing Disks Windows 2000 Server also supports CDFS (Compact Disk File System) However, CDFS cannot be managed It is only used to mount and read CDs Windows 2000 provides the CONVERT command-line utility for converting a FAT16 or FAT32 partition to NTFS The syntax for the CONVERT command . (EFS). Copyright 2000 SYBEX , Inc., Alameda, CA www.sybex.com W hen you install Windows 2000 Server, you choose how your disks are initially configured. Through Windows 2000 Server s utilities. Feature FAT16 FAT32 NTFS Operating system support Most Windows 95 OSR2, Win- dows 98, and Windows 2000 Windows NT and Windows 2000 Long filename support? Yes Yes Yes Efficient use of disk. policy. EXERCISE 5. 8 (continued) Copyright 2000 SYBEX , Inc., Alameda, CA www.sybex.com Summary 2 65 Summary In this chapter, you learned about the security features of Windows 2000 Server. We covered