Chapter 7 Managing Security

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. COPYING PROHIBITED www.sybex.com

FIGURE 7.9 Security Analysis Results dialog box

The policies that have been analyzed will have an × or a √ next to each policy. An × indicates that the template specification and the actual policy do not match. A √ indicates that the template specification and the policy do match. If any security discrepancies are indicated, you should use the Group Policy snap-in to resolve the security violation.

In Exercise 7.7, you will use the Security Configuration and Analysis tool to analyze your security configuration. This exercise assumes that you have completed all of the previous exercises in this chapter.

EXERCISE 7.7
Using the Security Configuration and Analysis Tool

In this exercise, you will specify a security database, create a security template, import the template, perform an analysis, and review the results.

Specifying the Security Database

1. In the MMC, right-click Security Configuration and Analysis and select Open Database.
2. In the Open Database dialog box, type sampledb in the File Name text box. Then click the Open button.
3. In the Import Template dialog box, select the template securews and click the Open button.

Creating the Security Template

4. In the MMC, select File > Add/Remove Snap-in.
5. In the Add/Remove Snap-In dialog box, click the Add button. Highlight the Security Templates snap-in and click the Add button. Then click the Close button.
6. In the Add/Remove Snap-In dialog box, click the OK button.
7. Expand the Security Templates snap-in, then expand the WINDOWS\Security\Templates folder.
8. Double-click the securews file.
9. Select Account Policies, then Password Policy.
10. Edit the password policies as follows:
   - Set the Enforce Password History option to 10 passwords remembered.
   - Enable the Passwords Must Meet Complexity Requirements option.
   - Set the Maximum Password Age option to 30 days.
11. Highlight the securews file, right-click, and select the Save As option.
12. In the Save As dialog box, place the file in the default folder and name the file xptest. Click the Save button.

Importing the Security Template

13. Highlight the Security Configuration and Analysis snap-in, right-click, and select the Import Template option.
14. In the Import Template dialog box, highlight the xptest file and click the Open button.

Performing and Reviewing the Security Analysis

15. Highlight the Security Configuration and Analysis snap-in, right-click, and select the Analyze Computer Now option.
16. In the Perform Analysis dialog box, accept the default error log file path and click the OK button.
17. When you return to the main MMC window, double-click the Security Configuration and Analysis snap-in.
18. Double-click Account Policies, and then double-click Password Policy. You will see the results of the analysis for each policy, indicated by an × or a √ next to the policy.

Summary

In this chapter, you learned how to define security for Windows XP Professional. We covered the following topics:

- The difference between LGPOs, which are applied at the local level, and GPOs, which are applied through a Windows 2000 or Windows 2003 domain, and how they are applied.
- Account policies, which control the logon process. The two types of account policies are password and account lockout policies.
- Local policies, which control what a user can do at the computer. The three types of local policies are audit, user rights, and security options policies.
- How to manage security through the Security Configuration and Analysis tool.
- How to use the Group Policy Result Tool to analyze current configuration settings.

Exam Essentials

Understand how group policies are applied locally and through the Active Directory. Know how group policies can be applied either locally through LGPOs or through the Active Directory with GPOs. Understand how group policy is applied through the order of inheritance. Be able to use the Group Policy Result Tool to view how group policy is currently configured for a specific computer.

Set up a security configuration based on network requirements. Define the options that can be configured for secure network environments. Know where to configure each option.

Know how to set local group policies. Understand the purpose of account policies and local policies. Understand the purpose and implementation of account policies for managing password policies and account lockout policies. Understand the purpose and implementation of local policies and how they can be applied to users and groups for audit policies, user rights assignments, and security options.

Know how to analyze security. Be able to analyze security through the Security Configuration and Analysis tool. Understand the use of templates and the function of the default templates that are provided with Windows XP Professional.
Key Terms

Before you take the exam, be certain you are familiar with the following terms:

- account lockout policies
- account policies
- Active Directory
- audit policies
- Group Policy Objects (GPOs)
- Group Policy Result Tool
- Local Computer Policy snap-in
- Local Group Policy Objects (LGPOs)
- Local Group Policy snap-in
- local policies
- organizational units (OUs)
- password policies
- Security Configuration and Analysis tool
- security option policies
- user right policies

Review Questions

1. Your network’s security has been breached. You are trying to redefine security so that a user cannot repeatedly attempt user logon with different passwords. To accomplish this, which of the following items (in the Local Security Settings dialog box shown here) should you define?
   A. Password policy
   B. Account lockout policy
   C. Audit policy
   D. Security options

2. You are the network administrator for a Fortune 500 company. The Accounting department has recently purchased a custom application for running financial models. To run properly, the application requires that you make some changes to the computer policy. You decide to deploy the changes through the Group Policy setting. You create an OU called Sales and apply the policy settings. When you log on as a member of the Sales OU and run the application, it is still not running properly. You suspect that the policy is not being applied properly because of a conflict somewhere with another Group Policy setting. What command should you run to see a listing of how the group policies have been applied to the computer and the user?
   A. GPResult.exe
   B. GPOResult.exe
   C. GPAudit.exe
   D. GPInfo.exe

3. You have a Windows XP Professional computer that is located in an unsecured area. You want to track usage of the computer by recording user logon and logoff events. To do this, which of the following auditing policies must be enabled?
   A. Audit Account Logon Events
   B. Audit Process Tracking
   C. Audit Logon Events
   D. Audit System Events

4. Bill is very good at troubleshooting hardware, installing new devices, and updating drivers. You want Bill to be able to add and remove hardware and install and update drivers on the Windows XP Professional computers in your network. What is the minimum assignment that will allow Bill to complete this task?
   A. Add Bill to the Administrators group.
   B. Add Bill to the Server Operators group.
   C. Add Bill to the Manage Devices group.
   D. Grant Bill the user right Load and Unload Device Drivers on each computer he will manage.

5. You are the network administrator of a small company. You have just decided to install the XYZ Virus Scanner application. The scanner runs as a service. You create a user account called VirScan that will be used to run the service. What user right must be granted for this account?
   A. Log On as a Batch Job
   B. Log On as a Service
   C. Process Service Requests
   D. Manage Services and Security

6. You are the system administrator for the ACME Corp. You have a computer that is shared by many users. You want to ensure that when users press Ctrl+Alt+Delete to log on, they do not see the name of the last user. What do you configure?
   A. Set the security option Clear User Settings When Users Log Off.
   B. Set the security option Do Not Display Last User Name in Logon Screen.
   C. Set the security option Prevent Users from Seeing Last User Name.
   D. Configure nothing; this is the default setting.

7. You are the network administrator of a medium-sized company. Due to recent security breaches, you have configured auditing so that you can track events such as account management tasks and system events. Where can you view the results of the audit?
   A. Audit Manager
   B. \Windir\audit.log
   C. Event Viewer System log
   D. Event Viewer Security log

8. You have recently hired Al as an assistant for network administration. You have not decided how much responsibility you want Al to have. In the meantime, you want Al to be able to restore files on Windows XP Professional computers in your network, but you do not want Al to be able to run the backups. What is the minimum assignment that will allow Al to complete this task?
   A. Add Al to the Administrators group.
   B. Grant Al the Read right to the root of each volume he will back up.
   C. Add Al to the Backup Operators group.
   D. Grant Al the user right Restore Files and Directories.

9. You are the network administrator of a medium-sized company. Your company requires a fair degree of security and you have been tasked with defining and implementing a security policy. You have configured password policies so that users must change their passwords every 30 days. Which password policy would you implement if you want to prevent users from reusing passwords they have used recently?
   A. Passwords Must Be Advanced
   B. Enforce Password History
   C. Passwords Must Be Unique
   D. Passwords Must Meet the Complexity Requirements of the Installed Password Filters

10. Prioritize-a-list: As network administrator, you have configured GPOs for your local computers, domains, sites, and OUs. Your GPOs are not being applied as you had expected. You have not set any filter or inheritance settings.
What is the default order of inheritance that will be applied to the GPOs?
   Local Computer
   Domain
   Site
   OU

11. A user in your San Jose domain is attempting to install an updated modem driver. They report that they can’t get the driver to update properly. You log on to the user’s computer with administrative rights to the San Jose domain and attempt to update the driver. When you check the driver through Device Manager, you notice that the old driver is still installed. In Control Panel, you open the System icon and see that driver signing is configured with Ignore for the driver signing verification. You suspect that the problem may be with the GPO’s configuration. Which of the following actions should you take that will make the least impact on the GPO for Active Directory?
   A. Configure the domain GPO for the Warn file signature verification, and then attempt to update the driver.
   B. For the Sales domain, set the No Override option.
   C. For the Sales domain, set the Block Inheritance option.
   D. Configure the local computer for the Warn file signature verification, and then attempt to update the driver.

12. Your Active Directory structure consists of a domain called CCCUSA, which is a part of a site called CCCCORP. There is an OU called Sales, and each computer within Sales has a local policy set. You have configured all of the GPOs with the No Override option. Which of the following policies will be applied in the event of conflict?
   A. Domain
   B. Site
   C. OU
   D. Local computer

13. You are the network administrator for the Wacky Widgets Corporation. Your network requires a high level of security. You evaluate the hisecws.inf security template and determine that the settings this template uses will meet the needs of your network.
Which of the following two options can be used to deploy the hisecws.inf security template?
   A. Security Configuration and Analysis tool
   B. Secedit.exe
   C. RSOP.exe
   D. Security Templates MMC snap-in

14. You are the administrator of a medium-sized network. Your company requires that custom security settings be applied to all Windows XP Professional computers within the network. You define all of the security settings that should be applied. Which of the following utilities can be used to create a template with your custom security settings that can then be used for security analysis?
   A. Security Configuration and Analysis tool
   B. Secedit.exe
   C. RSOP.exe
   D. Security Templates MMC snap-in

15. You are the network administrator for a medium-sized company. You recently upgraded 10 Windows NT 4 Workstation computers to Windows XP Professional. Some of the applications that worked properly under Windows NT 4 Workstation no longer work properly with Windows XP Professional. Which of the following security templates might correct the application compatibility issues?
   A. security.inf
   B. application.inf
   C. rootsec.inf
   D. compatws.inf

Answers to Review Questions

1. B. Account lockout policies, a subset of account policies, are used to specify options that prevent a user from attempting multiple failed logon attempts. If the Account Lockout Threshold value is exceeded, the account will be locked. The account can be reset based on a specified amount of time, or through Administrator intervention.

2. A. The System Group Policy Result Tool is accessed through the GPResult.exe command-line utility. The GPResult.exe command displays the resulting set of policies that were enforced on the computer and the specified user during the logon process.

3. A. Audit Account Logon Events is used to track when a user logs on, logs off, or makes a network connection. You can configure auditing for success or failure and audited events can be tracked through Event Viewer.

4. D. The Load and Unload Device Drivers user right allows a user to dynamically unload and load Plug and Play device drivers. You could allow a user to complete this task through Administrator or Power User group membership, but by assigning user rights, you can better control security access.

5. B. The Log On as a Service user right allows a service to log on in order to run the specific service. This user right can be assigned to users or groups.

6. B. The security option Do Not Display Last User Name is used to prevent the last username in the logon screen from being displayed in the logon dialog box. This option is commonly used in environments where computers are used publicly.

7. D. Once auditing has been configured, you can see the results of the audit through the Security log in the Event Viewer utility. In order to view the security logs, you must be a member of the Administrators group or have appropriate user rights to view or manage the audit logs.

8. D. The Restore Files and Directories user right allows a user to restore files and directories, regardless of file and directory permissions. Assigning this user right is an alternative to making a user a member of the Backup Operators group.

9. B. The Enforce Password History policy allows the system to keep track of a user’s password history for up to 24 passwords. This prevents a user from using the same password over and over again.

10.
   Local Computer
   Site
   Domain
   OU
   By default, GPOs are applied in the order of local computer, site, domain, and OU. The policies will be combined unless conflicting settings are applied, in which case the last policy that is applied contains the effective setting.
11. A. You should just configure a specific GPO so that the file signature verification is set to Warn as opposed to Block, which will refuse upgrading of the driver if it is unsigned without any user notification. The last GPO applied is the domain’s, so you should edit the Sales domain’s GPO for this arrangement.

12. B. The No Override option is used to specify that child containers can’t override the policy settings of higher-level GPOs. In this case, the order of precedence would be as follows: Site would override Domain, and Domain would override OU. The No Override option can be used if you want to set corporate-wide policies and do not want to give administrators of lower-level containers the capability to override your settings. This option can be set on a per-container basis as needed.

13. A, B. The Security Configuration and Analysis tool and the Secedit command-line utility can be used to apply security templates. The Security Templates MMC snap-in is used to create and modify templates.

14. D. By default, Windows XP Professional ships with a variety of predefined security templates. You create security templates through the Security Templates snap-in in the MMC.

15. D. The compatws.inf template is used for backward compatibility. This template relaxes the security used by Windows XP so that applications that are not certified to work with Windows XP can still run. This template is typically associated with computers that have been upgraded and are having problems running applications that have run in the past.
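The template-versus-computer comparison that Exercise 7.7 performs in the Security Configuration and Analysis snap-in can also be reproduced offline. The following is an added example, not code from the book: it parses the [System Access] section of a template and of a policy export and reports each template setting as a match or a mismatch. Both INF texts are constructed samples, and the function names and the MISSING status are hypothetical.

```python
"""Compare a security template's password policy with the current policy.

Added illustration, not code from the book. It mirrors the match/mismatch
view that the Security Configuration and Analysis snap-in shows.
"""

# Constructed sample: an xptest-style template holding the three values
# set in step 10 of Exercise 7.7.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
; password policy edited in step 10
PasswordHistorySize = 10
PasswordComplexity = 1
MaximumPasswordAge = 30
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: a policy export from the computer being analyzed
# (assumed to come from something like `secedit /export /cfg current.inf`).
CURRENT_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
PasswordComplexity = 1
PasswordHistorySize = 0
"""


def read_section(inf_text, section="System Access"):
    """Return {key: value} for one section of INF-style text."""
    values, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # section names ignore case
            continue
        if current == section.lower() and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip('"')
    return values


def _norm(value):
    """Compare numbers numerically (so 01 == 1) and text without case."""
    return int(value) if value.lstrip("-").isdigit() else value.lower()


def analyze(template_text, current_text):
    """Return (setting, template value, current value, status) tuples.

    Only settings the template defines are checked, so values the template
    leaves undefined never count as discrepancies.
    """
    wanted = read_section(template_text)
    actual = {k.lower(): v for k, v in read_section(current_text).items()}
    results = []
    for name in sorted(wanted):
        have = actual.get(name.lower())
        if have is None:
            status = "MISSING"                    # not present in the export
        elif _norm(have) == _norm(wanted[name]):
            status = "MATCH"
        else:
            status = "MISMATCH"
        results.append((name, wanted[name], have, status))
    return results


if __name__ == "__main__":
    marks = {"MATCH": "√", "MISMATCH": "×", "MISSING": "?"}
    for name, want, have, status in analyze(TEMPLATE_INF, CURRENT_INF):
        print(f"{marks[status]} {name}: template={want} computer={have}")
```

Template and export files on disk are typically UTF-16 encoded, so decode them (for example with `encoding="utf-16"`) before passing their text to `analyze`.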
... needed. If you are upgrading Windows NT Workstation 4 to Windows XP Professional or will dual-boot Windows XP Professional with any version of Windows NT 4, you will need to apply Service Pack 4 or higher to the Windows NT 4 operating system. Windows NT 4 used a version of NTFS that is incompatible with Windows XP Professional. The Service Pack updates the Ntfs.sys file, which makes Windows NT 4 compatible...

... in more detail in the following sections.

TABLE 8.1 File System Capabilities

Feature | FAT16 | FAT32 | NTFS
Supporting operating systems | Most | Windows 95 OSR2, Windows 98, Windows Me, Windows 2000, Windows XP, and Windows Server 2003 | Windows NT, Windows 2000, Windows XP, and Windows Server 2003
Long filename support | Yes | Yes | Yes
Efficient use of disk space | No | Yes | Yes
Compression support | No | No | Yes
Quota support...

... management is choosing the configuration for your physical drives. Windows XP supports basic storage and dynamic storage. When you install Windows XP Professional or upgrade from Windows NT Workstation 4, the drives are configured as basic storage. Dynamic storage is supported by Windows 2000 (all versions), Windows XP Professional, and Windows Server 2003 and allows you to create simple volumes, spanned...

... disk-management tasks are the same for both Windows XP Professional, Windows 2000 (all versions) and Windows Server 2003. The main difference is that Windows 2000 Server and Windows Server 2003 also support mirrored and RAID-5 volumes.

Configuring File Systems

Each partition (each logical drive that is created on your hard drive) you create under Windows XP Professional must have a file system associated...

... NTFS is that only the Windows NT, Windows 2000, Windows XP, and Windows Server 2003 operating systems recognize the NTFS file system. If your computer dual-boots with other operating systems, such as Windows 98, the NTFS partition will not be recognized. You should also be aware that there are several different versions of NTFS. Windows 2000 (all versions) uses NTFS 3.0. Windows XP and Windows Server 2003...

... Wizard dialog box appears. Click the Finish button.

Upgrading a Basic Disk to a Dynamic Disk

When you install Windows XP Professional or upgrade your computer from Windows NT 4 to Windows XP Professional, your drives are configured as basic disks. To take advantage of the features offered by Windows XP dynamic disks, you must upgrade your basic disks to dynamic disks. Upgrading basic disks to dynamic disks...

... striped set. Mirrored volumes and RAID-5 volumes are fault-tolerant dynamic disk configurations. These options are available only with Windows 2000 Server and Windows Server 2003. If you created a multidisk volume—such as a spanned, mirrored, or striped set, or a striped set with parity—with Windows NT 4 or earlier, they are not supported by Windows XP Professional or Windows Server 2003.

Using the Disk Management...

... troubleshoot Encrypting File System (EFS)

When you install Windows XP Professional, you designate the initial configuration for your disks. Through Windows XP Professional’s utilities and features, you can change that configuration...

... retrieve the files stored on your hard drive. One of the most fundamental choices associated with file management is the choice of your file system’s configuration. As explained in Chapter 1, “Getting Started with Windows XP Professional,” Windows XP Professional supports the FAT16, FAT32, and NTFS file systems. You should choose FAT16 or FAT32 if you want to dual-boot your computer, because these file systems...

... \DosDevices\x: /FS:NTFS to autocheck autochk*

Configuring Disk Storage

Windows XP Professional supports two types of disk storage: basic storage and dynamic storage. Basic storage is backward compatible with other operating systems and can be configured to support up to four partitions. Dynamic storage is supported by Windows 2000, Windows XP, and Windows Server 2003 and allows storage to be configured as volumes.