5. Your Active Directory domain contains a mixture of Windows Server 2003, Windows 2000 Server, and Windows NT 4.0 domain controllers. Your clients are similarly heterogeneous, consisting of Windows XP and Windows 2000 Professional along with NT 4.0 Workstation. What is the most secure network authentication method available to you in this environment?

A. Password Authentication Protocol (PAP)
B. NTLM
C. NTLMv2
D. Kerberos version 5

6. According to Microsoft, which of the following would be considered weak passwords for a user account named jronick? (Choose all that apply.)

A. S#n$lUsN7
B. soprano
C. ronickrj
D. Oo!dIx2
E. new

7. You are the network administrator for the Windows Server 2003 domain diagrammed in the following illustration. Your boss has been reading about Kerberos authentication and is concerned that your KDC represents a single point of failure for your company’s network authentication. How should you respond to this concern?

www.syngress.com 302 Chapter 5 • Managing User Authentication
272_70-296_05.qxd 9/26/03 12:32 PM Page 302

[Illustration: Domain Controller1, Domain Controller2, Domain Controller3]

A. Every Windows Server 2003 domain controller acts as a KDC. If your DC1 controller fails, DC2 and DC3 will still perform the KDC functions.
B. Your network requires only one KDC to function since you are only using a single domain.
C. The KDC function is a single master operations role. If the machine that houses the KDC role fails, you can use ntdsutil to assign the role to another server.
D. If the KDC fails, your network clients will use DNS for authentication.

8. You have implemented a password policy that requires your users to change their passwords every 30 days and retains their last three passwords in memory. While sitting in the lunch room, you hear someone advise his coworker that all she needs to do to get around that rule is to change her password four times so that she can go back to using the password that she is used to. What is the best way to modify your domain password policy to avoid this potential security liability?

A. Increase the maximum password age from 30 days to 60 days.
B. Enforce password complexity requirements for your domain users’ passwords.
C. Increase the minimum password age to seven days.
D. Increase the minimum password length of your users’ passwords.

9. You have created a Web application that relies on digest authentication. You check the account properties of one of the user accounts and see the following screen. What is the most likely reason that your users cannot authenticate?

A. When you log on using digest authentication, the Windows username is case-sensitive.
B. To use digest authentication, users must be running Internet Explorer version 6.
C. Your users’ passwords are set to expire every 60 days, which is causing digest authentication to fail.
D. You must enforce the “Store passwords using reversible encryption” setting for all users who need to authenticate using digest authentication.

10. A developer on your network uses a workstation that is not attached to the corporate domain. He phones the help desk to report that he has forgotten the password to his local user account. If he has not previously created a password reset disk, what information will he lose when the password for his local account is reset? (Choose all that apply.)

A. Local files that the user has encrypted
B. E-mail encrypted with his public key
C. His Internet Explorer favorites and links
D. The entries in the Recent Documents dialog box

11. You have attached a smart card reader to your Windows XP Professional workstation’s serial port. The reader is not detected when you plug it in and is not recognized when you scan for new hardware within Device Manager. The smart card reader is listed on the Microsoft Web site as a supported device, and you have verified that all cables are connected properly. Why is your workstation refusing to recognize the smart card reader?

A. You need to run the manufacturer-specific installation routine.
B. The workstation needs to be rebooted before it will recognize the card reader.
C. Smart card readers are only supported on machines running Windows Server 2003.
D. You are not logged on as a member of the Domain Admins group.

12. You are a new network administrator for a Windows Server 2003 domain. In making user support calls, you have noticed that many users are relying on simplistic passwords such as their children’s or pets’ names. Passwords on this network are set to never expire, so some people have been using these weak passwords for months or even years. You change the default Group Policy to require strong passwords. Several weeks later, you notice that the network users are still able to log on using their weak passwords. What is the most likely reason that the weak passwords are still in effect?

A. You must force the users to change their passwords before the strong password settings will take effect.
B. The Group Policy settings have not replicated throughout the network yet.
C. Password policies need to be set at the OU level, not the domain level.
D. The users reverted back to their passwords the next time that they were prompted to change their passwords.

13. You were walking through your server room when you noticed that a contractor had plugged his laptop directly into one of your network switches and was using your company bandwidth to download pirated software onto his hard drive. You have recently upgraded your network switches and routers to the most up-to-date hardware available. What is the best way to prevent this sort of illegitimate access to your network in the future?

A. Install smart card readers on all your users’ desktops.
B. Implement the Internet Authentication Service’s ability to authenticate Ethernet switches on your network.
C. Do not allow outside contractors to bring any hardware into your building.
D. Disable the Guest account within Active Directory.

14. You have recently deployed smart cards to your users for network authentication. You configured the smart card Logon certificates to expire every six months. One of your smart card users has left the company without returning her smart card. You have disabled this user’s logon account and smart card, but management is concerned that she will still be able to use the smart card to access network resources. How can you be sure that the information stored on the former employee’s smart card cannot be used to continue to access network resources?

A. Monitor the security logs to ensure that the former employee is not attempting to access network resources.
B. Use the smart card enrollment station to delete the user’s smart card Logon certificate.
C. Deny the Autoenroll permission to the user’s account on the smart card Logon Certificate template.
D. Add the user’s certificate to the CRL on your company’s CA.

15. The account lockout policy on your Windows Server 2003 domain is set up as shown in the following illustration. You come into work on a Monday morning and are informed that many of your users’ accounts were locked out over the weekend. Your company’s help desk staff have unlocked the user accounts in question, but they are now reporting that your Exchange server and Microsoft SQL databases are not accessible by anyone in the company. Network utilization is at normal levels. What is the most likely reason that these applications are not responding?

A. An attacker has deleted the Exchange and SQL executables on your production servers.
B. The accounts that Exchange and SQL use to start or connect to the network have been locked out and need to be manually unlocked.
C. The users whose accounts were unlocked by the help desk need to reboot their workstations to access these applications.
D. An attacker is perpetrating a DOS attack against your network.

Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. D
2. A
3. C
4. B
5. C
6. B, C, E
7. A
8. C
9. D
10. A, B
11. B
12. A
13. B
14. D
15. B

Developing and Implementing a Group Policy Strategy

Exam Objectives in this Chapter:

9.1 Plan a Group Policy strategy.
9.1.1 Plan a Group Policy Strategy using Resultant Set of Policy (RSoP) Planning mode.
9.1.2 Plan a strategy for configuring the user environment using Group Policy.
9.1.3 Plan a strategy for configuring the computer environment using Group Policy.
9.2 Configure the user environment using Group Policy.
9.2.1 Distribute software using Group Policy.
9.2.2 Automatically enroll user certifications using Group Policy.
9.2.3 Redirect folders using Group Policy.
9.2.4 Configure user security settings using Group Policy.

Chapter 6, MCSA/MCSE 70-296. Also in this chapter: Summary of Exam Objectives; Exam Objectives Fast Track; Frequently Asked Questions; Self Test; Self Test Quick Answer Key.
272_70-296_06.qxd 9/26/03 4:54 PM Page 309

Introduction

One of the most powerful tools that you have at your disposal in a Windows Server 2003 environment is Group Policy. As with Windows 2000, you can use Group Policy to control users, computers, and groups of users from a centralized location. Through the use of Group Policy, you can control users’ desktops to create a standardized environment, making management and administration that much easier for the IT staff that must support it.

Group Policy also offers the ability to distribute software based on a particular Group Policy resource designation. Being able to offer your users software for their job functions without having to physically travel to or remotely connect to their computers reduces the amount of time you need to spend playing PC support technician. However, making sure that software doesn’t get into the wrong hands is also critical. You wouldn’t want a temporary employee in data entry to be able to install your accounting department’s bookkeeping software, would you? Using Group Policy, you can distribute the software while limiting the audience that has access to particular packages.

In this chapter, we plan and create a Group Policy strategy in Windows Server 2003, discussing the tools we have at our disposal for Group Policy. We then configure the user environment through the Group Policy tools and plans that we discussed. Let’s begin with a discussion of planning Group Policy through the use of Resultant Set of Policy (RSoP).

Developing a Group Policy Strategy

Group Policy is one of the administrative strengths of Active Directory.
By simply invoking a Group Policy object (GPO) and configuring its contents, an administrator can lock down security for an entire domain, establish a consistent desktop environment, establish a roaming-friendly network, and distribute software. Under Windows 2000, the main tool for managing Group Policies was the Group Policy Editor. In fact, it took time, attention, and a little detective work to ferret out conflicts or plan the best application of a set of Group Policies. In Windows Server 2003 Active Directory, an administrator has the ability to use RSoP in addition to Group Policy Editor to help in both planning and troubleshooting Group Policies.

When you are developing a Group Policy strategy, you should keep in mind that you always start with a blank slate. All policy settings are, by default, not configured. You can either enable a setting, which might also require you to provide specific configuration information, or you can disable it. Each GPO has two nodes:

■ User Configuration
■ Computer Configuration

User objects inherit the User Configuration policies, and computer objects inherit the Computer Configuration policies. Both the user configuration and computer configuration nodes contain software settings, which are used to distribute software (and are most easily configured if the software uses Windows Installer).

www.syngress.com 310 Chapter 6 • Developing and Implementing a Group Policy Strategy
EXAM 70-296 OBJECTIVE 9.1

Problems and conflicts can occur with multiple GPOs, in which one GPO ends up overriding the settings of other GPOs. In addition, some Group Policies do not directly conflict but can cause the same result as a conflict. For example, if you disable the Windows Installer and Control Panel for a user in one GPO, the user will not be able to install any software that you publish in any other GPO.

TEST DAY TIP

Review the Group Policy inheritance pattern.
Given a basic configuration, you should be able to identify which Group Policies would be inherited and which would not.

In the following section, we look at Group Policy planning. This includes planning the environment for user objects as well as the environment for computer objects. One of the first things we review is how to use the new RSoP to develop a strategy for Group Policy.

EXAM 70-296 OBJECTIVE 9.1.1

Planning Group Policy with RSoP

The Resultant Set of Policy Wizard is a tool that helps you make sense of the myriad options available when you apply Group Policy. The tool is basically a query wizard for polling your existing Group Policies. In gathering the Group Policies that are attached to the site, the domain, and each of the OUs that eventually reach the user and/or computer object involved, RSoP is able to give you a clear picture of which Group Policies are applied, at which level, and which Group Policies are blocked from being applied.

Even when you use RSoP to help plan Group Policies, you should have a clear understanding of how Group Policies function. In the following sections we discuss Group Policy and traditional Group Policy planning processes, followed by the integration of RSoP into the Group Policy planning process and conducting RSoP queries in Planning mode.

Group Policy Overview

The power of administration with Active Directory lies in Group Policy, when it is effectively structured. The goal of using Group Policy for administration is to establish an environment that user objects and computer objects will maintain even if users attempt to make changes to their systems. Keep in mind that Group Policies:

■ Take advantage of the Active Directory domain, site, and OU structure
■ Can be secured, blocked, and enforced
■ Contain separate user environment and computer environment configurations

[...]
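The inheritance rules the text describes (site, then domain, then OUs from parent to child; later GPOs win conflicts; blocked and enforced GPOs; security-group filtering; and the indirect conflict where a published package is unusable because another GPO disabled Windows Installer) can be modelled as a small resultant-set calculator. This is an added example, not code from the book or from any Microsoft RSoP tool; the container and GPO names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                      # setting name -> configured value
    enforced: bool = False              # No Override: ignores blocking, applied last
    denied_groups: frozenset = frozenset()  # groups denied the Apply Group Policy right

@dataclass
class Container:                        # a site, a domain, or an OU
    name: str
    links: list = field(default_factory=list)  # linked GPOs in application order (last wins)
    block_inheritance: bool = False     # Block Policy inheritance set on this container

def resultant_set(chain, groups):
    """chain: containers from the site down to the object's own OU.
    groups: security groups the user or computer belongs to.
    Returns (effective settings, GPO names applied in order, GPOs not applied and why)."""
    normal, enforced, not_applied = [], [], []
    for container in chain:
        if container.block_inheritance:     # drop non-enforced GPOs linked above this level
            not_applied += [(g.name, f"blocked at {container.name}") for g in normal]
            normal = []
        for gpo in container.links:
            (enforced if gpo.enforced else normal).append(gpo)
    settings, applied = {}, []
    # Enforced GPOs are applied after everything else; reversing them makes the
    # one linked highest in the hierarchy win any conflict.
    for gpo in normal + enforced[::-1]:
        if groups & gpo.denied_groups:
            not_applied.append((gpo.name, "security filtering"))
            continue
        settings.update(gpo.settings)       # a later GPO overrides an earlier one
        applied.append(gpo.name)
    return settings, applied, not_applied

def installable(settings):
    """The indirect conflict from the text: published software is useless to a
    user whose Windows Installer has been disabled by some other GPO."""
    if settings.get("disable_windows_installer"):
        return []
    return settings.get("published_software", [])

# Constructed sample hierarchy; all names are hypothetical.
SITE = Container("HQ-Site", [GPO("Site-Desktop", {"wallpaper": "site.bmp"})])
DOMAIN = Container("corp.example", [
    GPO("Domain-Desktop", {"wallpaper": "domain.bmp"}),
    GPO("Domain-Security", {"min_password_age_days": 7, "password_history": 3}, enforced=True),
])
SALES = Container("Sales", [
    GPO("Sales-Lockdown", {"disable_control_panel": True, "disable_windows_installer": True}),
    GPO("Sales-Software", {"published_software": ["Bookkeeping"]},
        denied_groups=frozenset({"Temps"})),
], block_inheritance=True)
IT = Container("IT")                    # no links of its own; inherits everything above

if __name__ == "__main__":
    for who, ou, grp in [("Sales clerk", SALES, {"Sales"}), ("temp", SALES, {"Temps"}), ("IT", IT, {"IT"})]:
        eff, applied, skipped = resultant_set([SITE, DOMAIN, ou], grp)
        print(who, "applied:", applied, "skipped:", skipped, "installable:", installable(eff))
```

The enforced domain security policy reaches the Sales OU despite Block Inheritance, while the site and domain desktop GPOs do not; the temp loses the software GPO to security filtering, and even the clerk cannot use the published package because the lockdown GPO disabled Windows Installer.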
[...] security group (Continued)

[...] testing. You can obtain these options only through Planning mode. These are all “what if?” options, such as: What if you had a slow link? What if you had a security group membership that denied access to a GPO?

EXAM 70-296 OBJECTIVE 9.1.2

Planning the User [...]

[...] Maintenance of that Package

TEST DAY TIP

Know the difference between using Windows Installer packages and ZAP text files. In addition, be able to explain when it is better to assign software than to publish it, and vice versa.

EXAM 70-296 OBJECTIVE 9.2.2

Autoenrolling User Certificates [...]

[...] involvement. These options are also shown in Figure 6.18.

Figure 6.18 Autoenrollment Options Provide Little or No Interaction Between Users and Certificates

3. When the process is complete, click OK to finish.

EXAM 70-296 OBJECTIVE 9.2.3

Redirecting Folders

Folder Redirection is a user [...]

[...] computer object, the software is available upon computer start up. When you distribute the software to a user object, the software is available only after the user logs on. (Assigning software to users slows logons due to the time it takes to install.)

EXAM WARNING

GPOs and Group [...]

[...] connected to your network is when they are linked at the domain level. If you attempt to set these Group Policy settings in a GPO that is attached to an OU, they will have no effect on the computer when it is connected to the network.

EXAM WARNING

If on the exam you are provided [...]

[...] Figure 6.13 The Group Policy Editor Contains the Unconfigured Settings for All User and Configuration Node Group Policies

EXAM 70-296 OBJECTIVE 9.2.1

Distributing Software

In order to distribute software to a user, you use the Software Settings in a Group Policy. When you [...]

[...] screen. After you select the appropriate software installation package, you are presented with the dialog box shown in Figure 6.15.

Figure 6.15 You Can Publish, Assign, or Further Configure Each Software Package

4. Here you will select whether to publish or assign the software. You [...]

[...] organizing users and computers into an OU structure that matches the organization’s needs, an administrator can use Group Policy to make network administration an easier task than it would otherwise be.

EXAM WARNING

When you are shown a specific Group Policy setting, remember [...]

[...] you select the Planning mode option, click Next. The following dialog screen, shown in Figure 6.5, lets you select the OUs containing the user and computer objects that you want to test.

Figure 6.5 Selecting the Containers for the User and Computer Objects to Simulate

The next set [...]

[...] computer and stays with that computer regardless of which users are logging onto it. This concept can be confusing if you create a GPO with computer configuration information and apply it to an OU that contains only user objects. For example, if you have two OUs named Users and Computers [...]