Microsoft specifies global groups as the primary container for user and computer objects. They call for grouping users according to role, function, responsibility, or department into global groups. In a Windows 2000 mixed functional level domain, a global group can contain users and computers from the same domain in which it exists. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, a GG can also contain other global groups from its local domain.

Unlike global and domain local groups, universal groups (UGs) are stored in the Global Catalog (GC). Adding or removing objects from a universal group triggers forest-wide replication. To minimize this, Microsoft recommends that other groups, and not individual user and computer accounts, be the primary members of a universal group. Universal security groups do not exist in a Windows 2000 mixed functional level domain. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, universal security groups can contain domain users, computer accounts, and global groups from any trusted domain, as well as other universal groups.

An administrator can change an existing group’s scope. Universal groups can be converted to global or domain local groups, and global and domain local groups can be converted to universal groups. However, global groups cannot be converted directly to domain local groups (and vice versa). You cannot convert from one group scope to another if the current membership of the group that is being converted is not compatible with the membership allowed for the target scope.
Microsoft has a number of acronyms that describe how groups should be used in different scenarios, including:

■ AGDLP: Accounts (user and computer objects) are placed into Global groups, which are placed into Domain Local groups, which are added to access control lists (ACLs) and granted Permissions to a resource. This model is used in a single or multiple domain environment, when the Windows 2000 mixed domain functional level is in use.

■ AGGDLP: Accounts are placed into Global groups that can be placed into other Global groups and/or Domain Local groups, which are added to ACLs and granted Permissions to resources. This model can only be used in domains that have a Windows 2000 native or Windows Server 2003 functional level.

■ AGGUDLP (or AGUDLP): Accounts should be placed into Global groups that can be placed into other Global groups and/or Universal groups, and then into Domain Local groups, which are added to ACLs and granted Permissions to resources. This model can only be used in domains that have a Windows 2000 native or Windows Server 2003 functional level. In addition, it is primarily used in a multiple domain environment.

Exam Objectives Fast Track

Creating a Password Policy for Domain Users

According to Microsoft, complex passwords consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as & $ * and !.

Password policies and account lockout policies are set at the domain level in Group Policy. If a subset of your user base requires a different set of account policies and other security settings, you should create a separate domain to meet their requirements.

Be sure that you understand the implications of an account lockout policy before you enable one in a production environment.
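As an added example (not from the book), the following Python code implements the complexity rule stated above: at least seven characters drawn from at least three of the four character categories. It also rejects passwords that contain the account name, which is part of the Windows "Password must meet complexity requirements" check even though this excerpt does not mention it; the account name jdoe and the sample passwords are constructed.

```python
"""Check candidate passwords against the Microsoft complexity rule described
in the Fast Track: at least seven characters, drawn from at least three of the
four categories (uppercase, lowercase, digits, non-alphanumeric).

Added example, not from the book. The account-name check implements the
additional Windows rule that a password may not contain the account name;
the sample account "jdoe" and the sample passwords are constructed.
"""

MIN_LENGTH = 7
MIN_CATEGORIES = 3
ALL_CATEGORIES = ("upper", "lower", "digit", "symbol")


def categories(password: str) -> set:
    """Return the set of character categories present in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")  # anything else, e.g. & $ * !
    return found


def complexity_failures(password: str, account_name: str = "") -> list:
    """Return the reasons a password fails the policy (empty list = passes).

    Returning reasons rather than a bare boolean lets a help desk or audit
    script tell the user exactly which requirement was missed.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    found = categories(password)
    if len(found) < MIN_CATEGORIES:
        reasons.append(
            f"uses {len(found)} of {len(ALL_CATEGORIES)} character categories "
            f"({', '.join(sorted(found)) or 'none'}); {MIN_CATEGORIES} required"
        )
    # Windows also rejects passwords containing the sAMAccountName
    # (case-insensitive); names shorter than three characters are ignored.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        reasons.append("contains the account name")
    return reasons


def is_complex(password: str, account_name: str = "") -> bool:
    """True when the password satisfies every rule above."""
    return not complexity_failures(password, account_name)


# Constructed samples for the hypothetical account "jdoe". Note that
# "Passw0rd" passes the complexity rule yet is a trivially guessable
# dictionary substitution: complexity is a floor, not a strength measure.
SAMPLE_ACCOUNT = "jdoe"
SAMPLE_PASSWORDS = ["Pa55word!", "password", "Ab1!", "Passw0rd", "Jdoe2024!", ""]


def audit(passwords, account_name: str = SAMPLE_ACCOUNT) -> dict:
    """Map each candidate password to its list of policy failures."""
    return {pw: complexity_failures(pw, account_name) for pw in passwords}


if __name__ == "__main__":
    for pw, reasons in audit(SAMPLE_PASSWORDS).items():
        verdict = "meets policy" if not reasons else "; ".join(reasons)
        print(f"{pw!r:>12}: {verdict}")
```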
Creating User Authentication Strategies

Within a domain, Kerberos v5 is the default communication method between two machines that are running Windows 2000 or later. Pre-Windows 2000 computers use NTLM (or NTLMv2) authentication in an Active Directory domain.

To provide authentication for Web applications, you can implement either SSL/TLS or Microsoft Digest.

Planning a Smart Card Authentication Strategy

Microsoft Windows Server 2003 relies on its public key infrastructure (PKI) and Certificate Services to facilitate smart card authentication.

Smart card certificates are based on the following three certificate templates: Enrollment Agent, Smartcard Logon, and Smartcard User.

Several Group Policy settings are specific to smart card implementations; most other account policy settings will also affect smart card users.

Planning a Security Group Strategy

There are two types of groups in a Windows Server 2003 domain: distribution and security. Only security groups can be used to assign permissions.

There are three group scopes in a Windows Server 2003 domain: domain local, global, and universal.

Additional group nesting and universal security groups are only available at the Windows 2000 native and Windows Server 2003 domain functional levels.

Existing groups can have their scopes changed in Windows 2000 native and Windows Server 2003 functional level domains.

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: How can I configure a smart card user to be able to temporarily log on to the network if the user has forgotten his or her card?

A: In the Properties of the user’s account within Active Directory Users and Computers, make the following changes on the Account tab:

1. Clear the check mark next to Smart card is required for interactive logon.
2. Place a check mark next to User must change password at next logon.

Finally, right-click the user object and select Reset Password. Inform the user of the new password, and that it will need to be changed at next logon.

Q: What are the advantages of implementing a “soft lockout” policy versus a “hard lockout”?

A: A hard lockout policy refers to an account that must be manually unlocked by an administrator. This setting provides the highest level of security but carries with it the risk that legitimate users will be unable to access network resources. In some circumstances, it can be used to effectively create a DoS attack against your own network. Hard lockouts place a greater burden on account administrators, because at least one must always be available for users to contact when they need their accounts unlocked. A soft lockout expires after a set amount of time and helps limit the effectiveness of password attacks against your network, while reducing the burden placed on administrators in a hard lockout environment.

Q: My organization is in the planning stages of a smart card rollout. What are the security considerations involved in setting up a smart card enrollment station?

A: Since a smart card enrollment station allows you to create certificates on behalf of any user within your Windows Server 2003 domain, you should secure these machines heavily in terms of both physical location and software patches. Imagine the damage that could be done if a malicious user were able to create a smart card logon certificate for a member of the Domain Admins group and use it to log on to your network at will.
Q: How can I convince my users that the company’s new smart card rollout is something that is protecting them, rather than simply “yet another stupid rule to follow”?

A: One of the most critical components of any network security policy is securing “buy-in” from your users. A security mechanism that is not followed is not much more useful than one that doesn’t exist. Try to explain the value of smart card authentication from the end-user’s perspective. If you work in a sales organization, ask your sales force how they would feel if their client contacts, price quotes, and contracts fell into the hands of their main competitor. In a situation like this, providing a good answer to “What’s in it for me?” can mean the difference between a successful security structure and a failed one.

Q: All of my workstations run Windows 95. I know that these don’t support Kerberos for authentication. How can I configure the domain to use the NTLM protocol instead of the default Kerberos protocol?

A: You do not need to perform any configuration to support NTLM authentication. Windows Server 2003 supports not only basic NTLM but also NTLM version 2, by default, for pre-Windows 2000 computers. In addition, NTLMv2 is more secure than NTLM, and will be automatically used if the domain controller is able to ascertain that the client supports it.

Q: I have a three-domain environment. All three of my domains have the same global groups. I’ve added the HR global group from two of the domains to an All_HR universal group. I’ve also added the All_HR universal group to domain local groups in these same two domains. Why can’t I add the All_HR universal group to any domain local groups in my third domain?

A: All three domains must be at a functional level that supports universal security groups. It is possible to have a forest environment in which some domains are at the appropriate level and others are not. In this case, it sounds like two domains are at the Windows 2000 native or Windows Server 2003 functional level, but the third is at the Windows 2000 mixed functional level. Raise all domains to at least the Windows 2000 native level and try again.

Q: I’m in a single domain environment. My domain functional level is Windows Server 2003. I’m trying to convert a group from a global scope to a domain local scope. The group only contains users, but the option button is grayed out. What’s wrong?

A: You cannot convert directly from a global group scope to a domain local group scope. You can only convert to and from a universal group scope. To accomplish this, you must first convert the global group to a universal group. Once this completes successfully, convert the universal group to the domain local group scope.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Creating a Password Policy for Domain Users

1. What is a potential drawback of creating a password policy on your network that requires user passwords to be 25 characters long?
A. Users will be more likely to write down a password that is so difficult to remember.
B. User passwords should be at least 30 characters long to guard against brute-force password attacks.
C. There are no drawbacks; this solution creates network passwords that will be impossible for an unauthorized user to penetrate.
D. Windows Server 2003 will not allow a password of more than eight characters.

2. You have recently started a new position as a network administrator for a Windows Server 2003 network. Shortly before the previous administrator left the company, the syskey utility was used on one of your domain controllers to create a password that needs to be entered when the machine is booted. You reboot the domain controller, only to discover that the password the previous administrator documented is incorrect. You are unable to contact your predecessor to obtain the correct one. How can you return this DC to service as quickly as possible?
A. Reformat the system drive on the server and reinstall Windows Server 2003.
B. Boot the server into Directory Services Restore Mode and restore the DC from a point before the previous administrator ran the syskey utility.
C. Boot the server into Safe Mode and run syskey again to change the password.
D. Use ntdsutil to seize the PDC Emulator role and transfer it to another DC.

3. According to Microsoft, which of the following would be considered weak passwords for a user account named jronick? (Choose all that apply.)
A. S#n$lUsN7
B. soprano
C. ronickrj
D. Oo!dIx2
E. new

4. You have implemented a password policy that requires your users to change their passwords every 30 days and retains their last three passwords in memory. While sitting in the lunch room, you hear someone advise his coworker that all she needs to do to get around that rule is to change her password four times so that she can go back to using the password that she is used to. What is the best way to modify your domain password policy to avoid this potential security liability?
A. Increase the maximum password age from 30 days to 60 days.
B. Enforce password complexity requirements for your domain users’ passwords.
C. Increase the minimum password age to seven days.
D. Increase the minimum password length of your users’ passwords.

5. You are a new network administrator for a Windows Server 2003 domain. In making user support calls, you have noticed that many users are relying on simplistic passwords such as their children’s or pets’ names. Passwords on the network are set to never expire, so some users have been using these weak passwords for years. You change the default Group Policy to require strong passwords. Several weeks later, you notice that the network users are still able to log on using their weak passwords. What is the most likely reason why the weak passwords are still in effect?
A. You must force the users to change their passwords before the strong password settings will take effect.
B. The Group Policy settings have not replicated throughout the network yet.
C. Password policies need to be set at the organizational unit (OU) level, not the domain level.
D. The users reverted back to their passwords the next time they were prompted to change them.

Creating User Authentication Strategies

6. You have created an e-commerce Web application that allows your customers to purchase your company’s products via the Internet. Management is concerned that customers will not feel comfortable providing their credit card information over the Internet. What is the most important step to secure this application so that your customers will feel confident that they are transmitting their information securely and to the correct Web site?
A. Use IP restrictions so that only your customers’ specific IP addresses can connect to the e-commerce application.
B. Issue each of your customers a smart card that they can use to authenticate to your e-commerce Web site.
C. Place your company’s Web server behind a firewall to prevent unauthorized access to customer information.
D. Install a Secure Sockets Layer (SSL) certificate on your Web server.

7. Your network environment consists of Windows 2000 Professional, Windows XP Professional, and Windows NT 4.0 Workstation computers. You have just upgraded all domain controllers to Windows Server 2003. The domain and forest functional levels are both set to Windows Server 2003. The company does not use any Web applications or services. Which of the following authentication protocols will be used on the network? (Choose all that apply.)
A. Digest
B. NTLM
C. Kerberos
D. SSL

8. You’ve decided to implement Web-based authentication. You have a wide range of domains, domain controllers, and domain functional levels in your enterprise Windows Server 2003 forest. Because you are a homogenous Windows environment, you decide to implement digest authentication. Which of the following requirements must you keep in mind when planning to implement digest authentication? (Choose all that apply.)
A. Digest authentication requires IE 5 or later on the clients.
B. There must be at least one Windows Server 2003 DC in the IIS server’s domain.
C. User passwords must be stored with reverse encryption.
D. There must be at least one Windows 2000 or later DC in the IIS server’s domain.

Planning a Smart Card Authentication Strategy

9. Your network configuration includes a Terminal Server designed to allow users at remote branches to access network applications. The Terminal Server often becomes overloaded with client requests, and you have received several complaints regarding response times during peak hours. You have recently issued smart cards for the users located at your corporate headquarters and would like to prevent those users from using their smart cards to access the Terminal Server. How can you accomplish this goal in the most efficient manner possible?
A. Enable auditing of logon/logoff events on your network to determine which smart card users are accessing the Terminal Server, and then speak to their supervisors individually.
B. Create a separate OU for your Terminal Server. Create a global group containing all smart card users, and restrict the logon hours of this group for the Terminal Server’s OU.
C. Enable the “Do not allow smart card device redirection” setting within Group Policy.
D. Create a global group containing all smart card users, and deny this group the “Log on locally” right to the computers on your network.

10. You have attached a smart card reader to your Windows XP Professional workstation’s serial port. The reader is not detected when you plug it in and is not recognized when you scan for new hardware within Device Manager. The smart card reader is listed on the Microsoft Web site as a supported device, and you have verified that all cables are connected properly. Why is your workstation refusing to recognize the smart card reader?
A. The manufacturer-specific installation routine is not compatible with Windows Server 2003.
B. The workstation needs to be rebooted before it will recognize the card reader.
C. Smart card readers are only supported on machines running Windows Server 2003.
D. You are not logged on as a member of the Domain Admins group.

11. You have recently deployed smart cards to your users for network authentication. You configured the Smartcard Logon certificates to expire every six months. One of your smart card users has left the company without returning her smart card. You have disabled this user’s logon account, but management is concerned that she will still be able to use the smart card to access network resources. How can you be sure that the information stored on the former employee’s smart card cannot be used to continue to access network resources?
A. Monitor the security logs to ensure that the former employee is not attempting to access network resources.
B. Use the smart card enrollment station to delete the user’s Smartcard Logon certificate.
C. Deny the Autoenroll permission to the user’s account on the Smartcard Logon Certificate template.
D. Add the user’s certificate to the CRL on your company’s CA, and publish the CRL.

Planning a Security Group Strategy

12. One of your coworkers is trying to grasp the concept of distribution and security group types. He asks you what the two primary benefits are for the security group type. What do you tell him? (Choose two.)
A. You tell him that they can have permissions and user rights assigned to them.
B. You tell him that they can function for messaging just like a distribution group type.
C. You tell him that they allow for quick and efficient delegation of administrative responsibility in Active Directory.
D. You tell him that they can only be used for messaging and granting permissions to Active Directory, file system, Registry, and printer objects.

13. Your boss has been looking over marketing material from Microsoft. She asks you how you plan on using universal groups. You administer a single domain environment that is about to be upgraded to Windows Server 2003. What do you tell her?
A. You tell her that because you will be using a Windows Server 2003 functional level domain, you will be using only universal groups.
B. You tell her that because you will be using a Windows 2000 native functional level domain, you will be using only universal groups.
C. You tell her that you will use universal groups to replace global groups, but will still be using domain local groups for resource access.
D. You tell her that you will not be using universal groups.

14. Last night you finished configuring a complex set of groups for your new Windows Server 2003 Active Directory environment. You spent this morning adding users to their appropriate groups. Now that the Active Directory environment is configured, you are trying to add the groups into ACLs in the file system. For some reason, they aren’t showing up in the list of groups to select from. You can see all the default groups that the operating system and Active Directory installed. Why can’t you see the groups you created?
A. You don’t have permission.
B. You didn’t activate the groups in Active Directory.
C. You created distribution groups.
D. You created security groups.

15. Your company has a single domain environment that will be upgraded to Windows Server 2003. One of the company’s existing Windows NT 4.0 BDCs must remain in place because a custom application requires it. This application will not be migrated until sometime next year. The company has many departments, each of which has sub-departments and teams. The company would like to take advantage of Windows Server 2003’s new group nesting capabilities. Which of the following group models is appropriate for this company?
A. AGDLP
B. AGGDLP
C. AGGUDLP
D. AGUDLP