Document information
Pages: 85
Size: 1.07 MB

Content
272_70-296_07.qxd 9/26/03 5:32 PM Page 387
Managing Group Policy in Windows Server 2003 • Chapter

Summary of Exam Objectives

Windows Server 2003 provides a number of tools and utilities to manage the Group Policy objects (GPOs) that you've created. Individual GPOs can be managed using commands within the Active Directory Users & Computers utility that you're quite familiar with, as well as Active Directory Sites and Services. Since GPOs can be linked to a site, domain, or OU, you can manage Group Policy settings in either of these utilities, depending on the scope of the GPO.

You can use a number of utilities to monitor and troubleshoot Group Policy settings; some of these are included in the Windows Server 2003 operating system, and others are freely available via the Windows Server 2003 Resource Kit. GPUpdate is an update to the secedit utility in Windows 2000; you'll use it to force a client or server to update its Group Policy settings after you make a critical change. You'll use GPResult, GPMonitor, and other Resource Kit utilities to monitor and troubleshoot Group Policy behavior from the command line, whereas WinPolicies provides a graphical interface to view monitoring and logging information.

The Resultant Set of Policies (RSoP) MMC snap-in allows you to analyze a specific user/computer combination to determine exactly which GPOs and settings are being applied to a given client. This information is invaluable in troubleshooting an environment with multiple (and potentially conflicting) GPOs that have been applied to various points within Active Directory. When you work with a Windows Server 2003 domain, RSoP also allows you to simulate changes to a given GPO to determine how client settings might change before applying a new policy to a production environment.

Finally, the Group Policy Management Console (GPMC) is a new feature of Windows Server 2003 that provides a unified reporting and troubleshooting interface for Group Policy settings across one or more Windows domains. You can use GPMC to manage multiple Windows 2000 and Windows Server 2003 forests across your enterprise. GPMC provides easy access to all GPOs and GPO links on your network and can provide functions similar to those of the RSoP snap-in using improved HTML-formatted reporting. GPMC also installs with many preconfigured command-line scripts to assist you in automating the maintenance of Group Policy operations.

www.syngress.com

Exam Objectives Fast Track

Managing Applications

- Software Installation settings are only applied during startup (if applied to the Computer Configuration section of a GPO). If Group Policy is being applied asynchronously, this might require multiple logons or reboots for a new software package to be properly applied.
- Programs installed using ZAP packages cannot be managed, upgraded, or uninstalled via Group Policy; they need to be maintained manually.
- You can use GPUpdate with the /Logoff or /Boot switch to force a client to log off or reboot after refreshing a GPO to which you've made Software Installation settings changes.
- Be sure that any MSI packages and other relevant files are stored on a network share that is accessible to all users who need to have it installed.

Managing Security Policies

- Account policies, password policies, and account lockout policies can only be applied at the domain level. If a group of your users have different security requirements from the remainder of the network, consider creating a separate domain for them in the forest.
- GPResult allows you to create a text file detailing exactly which security settings have been applied to a specific client and which GPOs applied those settings.
- Unlike Software Installation settings that are only applied on startup or logon, security settings are updated whenever the GPO refreshes, which occurs every 90 minutes by default.

Troubleshooting Group Policies

- If Uninstall this application if the user falls out of the scope of management is applied, the application may uninstall if the user's group memberships change or the user's computer object is moved to another OU, domain, or site.
- Security templates allow you to quickly import a wide range of security settings into a GPO.
- Use Enforce and Block Inheritance with care because they will change the default behavior of Group Policy inheritance within your Active Directory structure.

Using the Group Policy Management Console

- The GPMC can run from any Windows Server 2003 or Windows XP computer and can manage any combination of Windows 2000 and Windows Server 2003 domains.
- The GPMC allows you to simplify the process of assigning permissions and delegating responsibility to GPOs on your network.
- The Group Policy Results wizard creates an HTML-formatted report that organizes GPO settings in an easy-to-read format for reporting and troubleshooting.

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: I am administering a network for a government office that requires unified and stringent security standards for all user desktops. What is the easiest way to accomplish this task?
A: Use the Security Configuration and Analysis snap-in to apply and test the HISECWS.INF template on a representative workstation in your environment and make any necessary modifications. When you are satisfied that the template will still allow your users to perform their tasks, import the INF file into a GPO and apply it to a site, domain, or OU.

Q: Can I apply a different password policy to an individual OU than the one I've applied to the rest of my network?

A: Password policies need to be implemented at the domain level. If you have a specific subset of users who require different security settings from the rest of your network, consider creating a separate domain in the forest to accommodate their needs.

Q: Why are Software Installation policies only applied at system startup or user logon?

A: This restriction exists by design and is intended to prevent a situation in which a GPO might attempt to install, upgrade, or uninstall a given application while a user is using it, which would create confusion, increased support calls, and the potential for data corruption and end-user downtime.

Q: I have a user who connects to the corporate network using a VPN client from her home PC running Windows XP Professional. I have created a GPO to mandate security settings for remote users, but the policy is never applied. What is happening?

A: In this situation, the GPO settings never reach the remote user because she has already logged onto her workstation before connecting to the VPN client. You can provide normal GPO processing by having the user connect to the corporate network via the initial Ctrl+Alt+Del logon prompt.

Q: Can I export information generated by the Group Policy Results or Group Policy Modeling reports to create a central reporting database?

A: GPMC data can be exported to HTML or XML format, making it easily portable to other formats and applications.

Q: Can I use the Group Policy Management Console to replace Active Directory Users and Computers?

A: No. The GPMC supplements Active Directory Users & Computers as well as Active Directory Sites & Services, but it does not replace either. The GPMC is strictly designed to handle Group Policy administration tasks, whereas the other two utilities are still necessary to perform tasks such as creating user and computer objects, managing sites and site links, and the like.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. You have created and linked a single GPO to your Windows Server 2003 domain to apply various security settings to your client workstations, as well as redirecting the contents of each user's C:\Documents and Settings\%username%\My Documents folder to a central server location of \\FILESERVER1\DOCS\%username%\My Documents. This server share is backed up every night; no client systems are included in the backups. You have several users in a remote branch office that is connected to the corporate headquarters via a 128Kbps ISDN line. One of your branch users calls the help desk needing a file in his My Documents folder restored from backup after he deleted it accidentally. You are dismayed to find that his information does not exist on the FILESERVER1 share. Most other GPO settings have been applied to the client workstation, including event log auditing and account lockout settings. What is the most likely reason that the branch user's files have not been redirected to the central file server?
A. Folder Redirection settings are not applied by default when a user logs onto the network using a slow link.
B. The branch users do not have the Apply Group Policy permission assigned to them for the GPO.
C. You need to link the GPO to the OU that the user objects belong to, not just the domain.
D. The GPO is being applied synchronously when the branch users log onto their workstations.

2. You have created an MSI installer package to distribute GPMC to your help desk. You have added the package information to the User Configuration | Software Settings section of the Default Domain GPO, and you have enabled the Apply Group Policy permission to the HelpDesk global group. You've saved the GPMC.MSI file to the E:\PACKAGES directory of the W2K-STD Windows Server 2003 file server, as shown in the following figure. Your help desk staff is reporting that the GPMC software has not been installed on their workstations, despite several reboots. Each help desk staffer is a local administrator on his or her workstation and is able to access shared directories on this and other Windows Server 2003 file servers. From the information shown in the figure, what is the most likely reason that the MSI package is not being distributed?

A. The Apply Group Policy permission can only be applied to individual user accounts, not to groups.
B. You need to create a share for the E:\packages directory so that the help desk staff can access the MSI package over the network.
C. MSI packages must be stored in the SYSVOL share on a domain controller.
D. Software Installation settings need to be applied to the Computer Configuration section of a GPO, not the User Configuration section.

3. You have a test lab consisting of four Windows XP Professional workstations that you use to investigate new software packages and security settings before rolling them out to a production environment. This lab exists in a separate TEST domain with its own domain controller, DC1.TEST.AIRPLANES.COM. You are making many changes to security settings on the Default Domain Policy on DC1 and would like to test the results immediately so that you can implement the security setting on your production network as quickly as possible. What is the most efficient way to accomplish this goal?
A. Use GPOMonitor to indicate when the Group Policy objects perform a background refresh.
B. Update the GPO to force Group Policies to refresh every 60 seconds.
C. Reboot the test lab workstations after each change that you want to test.
D. Run GPUpdate.exe from the command line on the test workstations after each change that you want to test.

4. You have a new accounting software package that you would like to install for the Payroll OU of your Windows Server 2003 domain. You would like this software to be available to any user who logs onto each Windows XP Professional workstation in the payroll department. You create a new GPO and assign the MSI package to the Computer Configuration section, and then link the new GPO to the Payroll OU with the appropriate security filtering permissions. You send an e-mail to the payroll department staff instructing them to log off their workstations and log back in to prompt the software installation to begin. Your help desk begins to receive calls from the users in the payroll department, saying that the accounting package has not been installed, even though they have logged off and onto their workstations several times. What is the most likely reason that the software package has not been installed?

A. The workstations in the payroll department need to be rebooted before the software package will be installed.
B. Software Installation packages can only be assigned at the domain level.
C. The software can be installed using the Add New Programs section of the Add/Remove Programs Control Panel applet.
D. Logon scripts are running asynchronously; they must be reconfigured to run synchronously.

5. You are the network administrator for a Windows Server 2003 network that has a corporate headquarters and several remote sales offices, each connected to the main office via 56K dialup modems. After a recent bout of attempted hacker attacks at the remote sites, your firewall administrator has decided to block NetBIOS, ICMP, and IGMP traffic from entering or leaving any remote site. Shortly after this solution is implemented, you receive several complaints from users at the remote sites that the logon times to their Windows XP Professional workstations have increased dramatically, often timing out and forcing them to reboot their machines. What is the most likely reason that this is occurring?

A. Each remote site should have its own domain controller to handle logon processing.
B. Group Policy does not function in environments that include firewalls.
C. Windows XP Professional requires NetBIOS to connect to a Windows Server 2003 domain controller.
D. Group Policy is no longer able to detect slow network links.

6. You are a network administrator for an accounting firm with 200 employees that has been contracted to perform an audit of data stored in a proprietary 16-bit data entry application that was never upgraded to a 32-bit format. The application will only be used for the duration of this contract and does not have any option for a network or Terminal Services installation. How can you install this application on each workstation most efficiently?
A. Use a ZAP file published via a GPO to automate the installation process.
B. Contract a software developer to upgrade the application to an Active Directory-aware platform such as Visual Basic.
C. Send a broadcast e-mail with installation instructions and the location of the setup files to all users who require the software.
D. Install the software once on the domain controller and create a link to the program on each user's desktop.

7. You have recently begun a new position as a network administrator for a Windows Server 2003 domain. Your predecessor created a number of GPOs, and it seems as if each network user has different policy settings applied to his or her account. You would like to simplify the GPO implementation on your network, and you want to begin by creating a baseline report of exactly which GPOs are in effect for the various users on the network. What is the most efficient means of accomplishing this goal?

A. Use the Resultant Set of Policy snap-in to view the GPO settings for each user/computer combination on the network.
B. Use the Group Policy Results report in the GPMC to export the GPO settings of each user/computer combination to a single XML file for analysis.
C. Use the GPResults.exe command-line utility to generate a report for all users on the domain.
D. Export the Event Viewer Security logs from each workstation and collate the results for analysis.

8. You are the network administrator for a Windows Server 2003 domain with network resources from each department grouped into separate OUs: Finance, IT, Sales, Development, and Public Relations. You have assigned the MSI package shown in the following figure to the Development OU. User EMandervile is a telecommuting user who is transferring from development to public relations. What is the most efficient way to remove this application from EMandervile's workstation?

A. Visit EMandervile's home office and manually uninstall the application from his home workstation.
B. Redeploy the MSI package to the Development OU after moving EMandervile's user account.
C. Email EMandervile instructions to uninstall the application from his home office workstation.
D. Since "Uninstall this application when it falls out of the scope of management" is selected, the application will automatically be uninstalled after you move EMandervile's account from the Development OU to the Public Relations OU.

9. You have been reading about the new features offered by the GPMC and would like to use it to manage your Windows environment, shown in the following figure. Your administrative workstation is located in Domain A, and you have administrative control over Domain A, Domain B, and Domain C. Which of the following would allow you to use GPMC from your present location? (Choose all that apply.)
[Figure: the three-domain environment for question 9. Labels recovered from the diagram: Windows 2000 Server Domain Controllers; 300 Windows 2000 Professional Workstations; DomainA; Windows Server 2003 Domain Controllers; Windows 2000 Server and Windows 2003 Server Domain Controllers; 125 Windows 2000/Windows XP Professional Workstations; 200 Windows XP Professional Workstations; DomainB; Domain C.]

A. Install the GPMC on your existing Windows 2000 Professional workstation.
B. Upgrade your administrative workstation to Windows XP Professional, SP1, and install the necessary hotfix from Microsoft before installing the GPMC.
C. Install a Windows Server 2003 member server in Domain A, and install the GPMC on the member server.
D. Install the GPMC onto a Windows 2000 Server in Domain A, and use the GPMC from the server console.

10. Your Active Directory domain is configured like the one shown in the following figure. Which GPO settings would be applied to a computer located in the Marketing OU? (Choose all that apply.)

[Figure: the AIRPLANES.COM domain for question 10. Labels recovered from the diagram: Northeast Site; HQ OU; Default GPO; Marketing OU; Security Settings GPO; Payroll OU; Marketing GPO; Payroll GPO; AIRPLANES.COM Domain; Enforce; Block inheritance. GPO settings shown: No run line; Assign word processing software package; Hide network connections applet; Complex passwords; 10 character minimum password length; Audit successful and failed logon events; Assign desktop publishing package; Assign accounting software package.]

A. The Network Connections applet will be hidden.
B. Successful and failed logon events will be recorded to the event log.
C. A desktop publishing software package will be assigned.
D. The Run line will not be visible.

11. You are the network administrator of the Windows Server 2003 forest shown in the following figure. Which of the following Password Policy values will be in effect for clients in the sales.north.biplanes.airplanes.com domain?
272_70-296_08a.qxd 9/29/03 4:25 PM Page 457
Securing a Windows 2003 Network • Chapter

Analysis and then select Configure Computer Now, as shown in Figure 8.44.

Figure 8.44 The Configure Computer Now Selection Screen

This process applies the contents of the template you created to the machine. Figure 8.45 shows the progress of the configuration process.

Figure 8.45 Showing the Progress of the Application of the New Template

13. When the process is finished, verify the application by performing the analysis process again. As shown in Figure 8.46, the template contents have been successfully applied.

Figure 8.46 A Final Analysis Verifies the Application of the Template

The process for modification of a template is much the same as the process just demonstrated. A template may be opened and modified, saved, and then analyzed prior to application to the machine to ensure that the conditions have been correctly configured.

TEST DAY TIP
Remember that you should perform a thorough review of the test materials and study materials a number of days ahead of the examination. Be sure to positively reinforce the areas you are comfortable with and practice working with consoles and tools to ensure that you're able to think appropriately under pressure.

www.syngress.com

EXAM 70-296 OBJECTIVE 4.3, 4.3.1, 4.3.2

Securing Data Transmission

After performing the security tasks that are required to secure the operating system and file operations, many organizations have found that the data with which they are entrusted for safekeeping is suddenly available to competitors, attackers, and others who were not authorized to view or obtain that information. This security breach is not necessarily because of a weakness in the file systems or authentication or authorization processes but could in fact result from insecure transmission of the data on the network. Through this section of the chapter, we review, discuss, and work with some ways to alleviate that condition to save the aggravation, embarrassment, and financial disasters that can arise from such problems occurring.

Need for Network Security

Network and system administrators have been involved in blocking access to data and resources from external attack points for some time. Unfortunately, many in the profession still do not work proactively within their internal networks to provide the same isolation of resources to protect the information from those who are not entitled to use it. The proliferation of freely accessible tools, many of which were developed as legitimate analysis and diagnostic routines, has provided many users and attackers with automated tools to perform their explorations of our networks. Some potential problems occur daily simply through user error, and often these are unpredictable. Others, however, result from the use and misuse of the freely available tools in internal networks by unauthorized individuals. A disgruntled employee or an employee who believes that they have a "need to know" has ample opportunity to probe your network, examine discovered vulnerabilities, and mount an attack that the system or network administrator might not have anticipated. For this reason, it becomes paramount that we secure not only the physical machines that house the data but also the networks that carry that data from place to place.

EXAM 70-296 OBJECTIVE 4.3.1

Planning for Secure Data Transmission

As we plan for secure data transmission, it is important to get input from the stakeholders of the organization and management to help define the types of information that need to be fully protected from view. Many groups choose to implement plans that secure network transmissions between servers and clients involved with financial transactions. Others choose to secure information transfer involving personnel records or private information about employees or employee relations. Proprietary or developmental materials may be classified as needing protection as well. Each of these types of information requires the implementation of a planning process to determine what needs to be protected and at what level of protection. Generally, data that is public, such as human resources benefits information, or publicly disseminated information need not be protected on the wire.

Other considerations come into play as you begin to develop your plan for securing data. It could be decided that access to POP3 mailboxes needs to be protected, and SPA might need to be enforced, or the use of a PKI infrastructure might be needed to provide encryption or digital signature capabilities for the transmission and verification of e-mail. We could use SSL for authentication from a Web browser to reduce the chance that insecure information is transmitted between host and server. Additionally, we might find that it is important to secure data transmission through the use of VPN technologies, which can include tunneling with PPTP or L2TP. All these scenarios require our best efforts to plan adequately to secure the data being distributed via the network.

EXAM 70-296 OBJECTIVE 4.3.2

IP Security

IP security, and in particular the use of IPSec to provide that protection, has become a popular topic since the introduction of Windows 2000. In Windows Server 2003, improvements have been made to the technology to make it even more usable and capable of protecting data transmitted over networks. IP security has allowed the network and system administrator to more fully secure the data between the server and host machines in the network, at the same time providing a framework for security that is expandable and capable of handling many individual protection scenarios. The capability for multiple uses has proven invaluable in the overall planning and implementation of methods to protect data transmission from spoofing and other alterations and to limit or eliminate casual interception of data from the network media. Additionally, the ability to protect the data has expanded the network's scope from including only the original LAN environment to providing the method to secure data transmission on both trusted and untrusted networks in a global fashion. This, in turn, has allowed the expansion of the workplace to environments that were not able to be secured adequately in the past.

Overview

IPSec in Windows Server 2003 has added a large number of new functions that have improved the performance and usability of the protocol to secure network data transmission. New tools have been added, such as the IP Security Monitor MMC, discussed later in this section. Security improvements have been made, including the use of a stronger cryptographic master key (Diffie-Hellman), better command-line management with the Netsh utility on Windows Server 2003 machines, and startup security for IPSec that better controls the function of IPSec during computer initialization. Other new improvements include the removal of default traffic exemptions from filtering, functionality over NAT, integration with Network Load Balancing (NLB), and support for the new Resultant Set of Policy (RSoP) MMC in Windows Server 2003.

Deploying IPSec

Deploying IPSec in Windows Server 2003 installations involves creating appropriate IPSec policies with filters that are configured to permit, block, or negotiate security. The filters examine all inbound or outbound IP packets for compliance with the configured filter rules. Once the filter settings have been configured, they are combined within a policy that defines the traffic that requires security and that which does not. This policy is then matched between the sending and receiving hosts to establish a security association (SA) using Internet Key Exchange (IKE). This establishes a relationship between the two computers, allowing for comparison of policy settings and processing of the defined rules and filters from the policies.

IPSec Management Tools

Windows Server 2003 offers two management methods for performing IPSec configurations and maintenance. The first is a GUI interface available by creating an MMC console, and the second is a command-line extension of the netsh command that allows for configuration via scripting and automated functions.

EXERCISE 8.05 CREATING AN IPSEC POLICY

In this exercise, we work through the creation of an IPSec policy. Many options for configuring IPSec policies are available, from creating a policy for an Active Directory domain deployment to policies for a particular OU structure or individual machines. Policies can be applied to either members of the domain or workgroup members. In this exercise, we configure an IPSec policy for a standalone server. The requirement is to allow Telnet communication for administrative purposes. However, knowing the security risks inherent in the use of Telnet, the administrator wants to allow Telnet communication only when security is enforced, and the traffic using Telnet is protected.

1. To begin the exercise, open a blank MMC, and add the IP Security Policy Management snap-in, as shown in Figure 8.47.

Figure 8.47 Selecting the IP Security Policy Management Snap-in for the MMC

2. When you have selected the snap-in, you must decide on its scope. For this exercise, choose Local computer and click Finish, as shown in Figure 8.48.

Figure 8.48 Choosing the Scope of the Snap-in

3. After you have made the choice for the scope of the snap-in, you will be returned to the MMC, which will allow you to begin to work with IPSec policies. Before you move on, explore the Properties tabs of the three default sample policies, as shown in Figure 8.49.

Figure 8.49 The IP Security Policies Snap-in

4. Our next task is to begin creating the new policy. Select IP Security Policies on Local Computer, right-click, and select Create IP Security Policy, as shown in Figure 8.50.

Figure 8.50 Preparing to Create a New IP Security Policy

5. This process will launch the IP Security Policy Wizard, as shown in Figure 8.51. Click Next to proceed.

Figure 8.51 The IP Security Policy Wizard Welcome Screen

6. The next screen in the process requires an entry for the IP Security policy name and optionally a description of what the policy is for. Enter the information as shown in Figure 8.52, and click Next.

Figure 8.52 Enter the Name and Description of the New Policy

7. The next screen, shown in Figure 8.53, requires that a choice be made about the use of the default response rule. If you deselect the check box, the machine will not communicate securely if other secure conditions have not been established. Leave the rule selected for this exercise, and click Next.

Figure 8.53 Secure Communications Options Page

8. Now that we've elected to use the default response rule, we have to choose the method of authentication to be used to secure the connection. If the machine was in an Active Directory domain, we could select to use Kerberos v5. However, this is a standalone machine, so select Use a certificate from this certification authority (CA):, as shown in Figure 8.54, and then click Browse.

Figure 8.54 Choosing the Authentication Method for the Default Response Rule

9. For purposes of the exercise, select the first Certification Authority on the list, as shown in Figure 8.55. (In a real-life implementation, it would be preferable to use the certificate provided by your own or a trusted CA.) Following your selection, click OK.

Figure 8.55 Selecting the Certification Authority

10. You will be returned to the MMC. Select the newly created policy, and then select Properties to reach the Properties page illustrated in Figure 8.56. Click Add to launch the IPSec Rule Wizard.

Figure 8.56 The Secure Telnet Policy Properties Page

11. As the IPSec Rule wizard launches, read the information presented, and then click Next. The following page asks about Tunnel Rules. Accept the default No Tunnel selection, and again click Next. Another screen will be presented to define the connections to which this policy will apply. Again, select the default All Connections selection, and click Next. This will launch the IP Filter List wizard, shown in Figure 8.57. Click Add to proceed to the next step.

Figure 8.57 The IP Filter List Wizard Screen

12. This will bring up the screen for defining the IP filter list. Enter the name and description information as shown in Figure 8.58, and then click Add.

Figure 8.58 Creating the IP Filter List Entries

13. In the IP Filter wizard, enter the information about the filter, as shown in Figure 8.59. Leave the default mirrored selection as it is. This provides for filter action in both directions. Click Next to proceed.

Figure 8.59 Setting the IP Filter Description

14. After you enter this information, the next page asks for the source and destination information. We want to have traffic from all IPs controlled by this policy, so select Any IP in both areas, and click Next to proceed. The next page requests information about the protocol you wish to filter. Select TCP and click Next again. The final page in this portion of the configuration asks
for port information Since we’re working with Telnet, enter port 23 in both boxes Accept the information, and you’ll be taken to the screen shown in Figure 8.60 In this screen, select the newly created Secure Telnet filter, and then click Next www.syngress.com 467 272_70-296_08b.qxd 468 9/29/03 4:34 PM Page 468 Chapter • Securing a Windows 2003 Network Figure 8.60 Selecting the Filter to Apply 15 Your selection will take you to the screen shown in Figure 8.61, where you will make a choice about the method of connection you want to enforce for this rule Select Require Security and click Next, as shown in Figure 8.61 Figure 8.61 Selecting the Filter Action for the Rule 16 You’ve created an IPSec policy to protect traffic to and from the local machine when Telnet is being used Your new policy will show up in the list of IPSec policies in the MMC, as shown in Figure 8.62, and can be applied to the machine if desired www.syngress.com 272_70-296_08b.qxd 9/29/03 4:34 PM Page 469 Securing a Windows 2003 Network • Chapter Figure 8.62 The Completed Policy Addition in the IPSec Policies MMC EXAM WARNING IPSec policy creation makes rules for what is allowed to pass and may include conditions such as when the traffic is allowed Be sure to study these and understand the ramifications of creating and ordering filter lists within the policies and how that affects the outcome of the policy’s application This area is fair game for exam scenarios EXAM 70-296 OBJECTIVE 5.3 Implementing and Maintaining Security During the course of the past few years, it has become much more important that each individual working within the network and system administration areas be well versed in the concepts and practices of security in relation to operating systems, various pieces of the network infrastructure, and application vulnerabilities that can affect how resources are accessed and protected Along with the need for a good understanding of the concepts of security, it is equally important that 
the system administrator, security professional, and technician all understand the methods used to implement the security infrastructure and rule sets, and how to monitor the success and failure of the configurations that have been put in place, to assure that the rules and conditions that are established are performing as expected. Additionally, new vulnerabilities are disclosed on a regular basis, and practitioners must have a working knowledge of the methodologies to detect and combat the weaknesses that are exposed when a vulnerability is announced.

A significant area of vulnerability arises simply because the day-to-day operation of the system and network often leaves little time for the technician or administrator to adequately track and maintain the environment in response to newly disclosed vulnerabilities. For this reason, it is also important to know the methods that should be used to implement change management and the procedures for effectively planning for change, to minimize the danger of unprotected systems. This requires that the individual have exposure to the methodologies used to accomplish this planning. Finally, it is vitally important that, once the processes are understood, the individuals responsible for maintaining security levels and equipment fully understand the methods that can be used to implement the required updates, service packs, and patches on the equipment that needs them.

In the following sections, we explore methods to perform security monitoring and discuss ways to implement change and configuration management. We then explore various ways to stay up to date with needed patches, service packs, and hotfixes.

EXAM 70-296 OBJECTIVE 5.3.1
Security Monitoring

Security monitoring encompasses the use of a number of processes to assure the integrity of the system. The configurations we have applied must constantly be analyzed and checked to ensure that the defenses we have put in place are not breached. Many of our day-to-day configurations can substantially affect the security of our enterprise resources as well as the resources that may be in use within the enterprise. We must consider a number of areas as sources of information as we begin to monitor security in our particular operation. Among these, we should consider the use of the following technologies and methodologies to try to achieve the best security possible through constant vigilance:

■ Auditing should be enabled and used to monitor access to the systems through logon tracking and to track access to resources as appropriate to our needs. Security logs should be regularly reviewed for unusual activity and to compare actual access against the configured access values.

■ IPSec monitoring should be enabled to assure that the conditions of connection are being met and that the traffic being transmitted on the network is encrypted appropriately, if we have configured it to protect the data on the network.

■ Group Policy settings should be constantly reviewed for appropriate application and restrictions on access. Group Policy management must be an ongoing process to assure that changes in applications, users, and delegations of authority are appropriate to the conditions that exist in the current environment.

■ Network monitoring and analysis should be a continuing effort. It is extremely important to know quickly if unauthorized traffic is occurring in your network. This includes the necessity to properly encrypt and authenticate all traffic that is carried to and from your network via wireless connections.

■ Encrypting File System (EFS) in Windows Server 2003 domains can be enforced through Group Policy. It is possible in Windows Server 2003 domains to allow sharing of EFS-protected folders and files. The stronger encryption capability provided with Windows XP and Windows Server 2003 may be reduced through Group Policy configuration if needed for compatibility with the 168-bit key structure used for Windows 2000 machines.

■ Wireless network encryption levels and authentication processes should be controlled through the use of Group Policy within the domain. For instance, it is possible to enforce the use of Internet Connection Firewall (ICF) on wireless connections outside the domain network while not permitting ICF connections within the domain network environment. (For further information, see the Windows Server 2003 Resource Kit at www.microsoft.com/windows/reskits/default.asp.)

■ Windows Server 2003 Event logs should be analyzed on an ongoing basis. Depending on the server roles that you have configured, various logs will be added to the Event Viewer. Security-related conditions can be tracked and documented through the use of the Event Viewer reports to further enhance the administrator's ability to monitor security conditions in the domain and on the local machines.

The administrator could also find it appropriate to use third-party tools such as intrusion detection system (IDS) packages to monitor the internal network and firewall traffic for appropriate access levels and to report potential abuses. The overall need in this area is to maintain the principle of least privilege for access to resources, with constant monitoring to assure that the intended controls are effective.

EXAM 70-296 OBJECTIVE 5.3.2
Change and Configuration Management

Change and configuration management has also become an area of responsibility for the network administrator. This process involves participating with a team that plans updates to the network configuration and manages the constant need for updates and patches involving server and enterprise environment security. It also involves defining the procedures for managing these updates and testing them prior to application in the production environment. Change management practices are developed and worked on at a number of different levels. To practice change management, we must be aware of a number of conditions in our operations, including the following:

■ We must have an awareness of why the change is needed. This can involve change that is occurring due to a newly discovered vulnerability in either software or
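As an added example, not taken from the book, the commands below rebuild the Secure Telnet policy from the IPSec exercise earlier in this chapter with netsh ipsec static, the command-line counterpart of the IP Security Policies snap-in on Windows Server 2003, and end with the IPSec monitoring check called for in the Security Monitoring list. It assumes the exercise's policy and filter-list names, uses a placeholder CA subject for rootca, and relies on parameter names as remembered from the 2003 netsh ipsec context, so confirm them with netsh ipsec static add rule /? on the target build. Where the exercise enters 23 in both port boxes, this example uses any source port (0) with destination 23 plus mirrored=yes, because a Telnet client's source port is ephemeral and a 23-to-23 filter would not match the client's packets.

```batch
@echo off
rem Added example (not the book's own): the "Secure Telnet" IPSec policy built
rem by command line. Names follow the chapter exercise; the CA subject below is
rem a placeholder. Verify parameter spelling with "netsh ipsec static add rule /?".

rem Policy with the default response rule left active (Figure 8.53).
netsh ipsec static add policy name="Secure Telnet" ^
    description="Require IPSec for Telnet (TCP 23) on this host" ^
    activatedefaultrule=yes

rem Filter list and one mirrored filter (Figures 8.58 and 8.59). srcport=0
rem means any source port; mirrored=yes also matches the server's replies,
rem so both directions of the session fall under the rule.
netsh ipsec static add filterlist name="Secure Telnet" ^
    description="Telnet traffic to or from this host"
netsh ipsec static add filter filterlist="Secure Telnet" ^
    srcaddr=any dstaddr=any protocol=TCP srcport=0 dstport=23 mirrored=yes

rem Rule binding the filter list to the built-in "Require Security" action
rem (Figure 8.61). kerberos=no because the host is standalone; peers
rem authenticate with a certificate from the named CA (Figures 8.54, 8.55).
rem "CN=Example Issuing CA" is a placeholder, not a real CA.
netsh ipsec static add rule name="Secure Telnet Rule" policy="Secure Telnet" ^
    filterlist="Secure Telnet" filteraction="Require Security" ^
    kerberos=no rootca="CN=Example Issuing CA"

rem Step 16 leaves assignment optional: review the policy first, then assign.
netsh ipsec static show policy name="Secure Telnet"
rem netsh ipsec static set policy name="Secure Telnet" assign=y

rem IPSec monitoring (Security Monitoring list): once assigned, confirm the
rem active policy and that Telnet sessions appear as negotiated SAs.
rem netsh ipsec dynamic show all
```

Assigning the policy with Require Security will block plaintext Telnet from any peer that cannot negotiate IPSec, so test from a second host that holds a certificate from the same CA before assigning it on a production system.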