MCSE Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure, part 1 (pptx)

255_70-293_FM.qxd 9/10/03 2:40 PM Page i

Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective. Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

- Study Guide with 100% coverage of exam objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.
- Instructor-led DVD. This DVD provides almost two hours of virtual classroom instruction.
- Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there's anything else we can do to help you get the maximum value from your investment. We're listening.

www.syngress.com/certification

Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293

Martin Grasdal
Laura E. Hunter
Michael Cross

Laura Hunter, Technical Reviewer
Debra Littlejohn Shinder, Technical Editor
Dr. Thomas W. Shinder, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   TH33SLUGGY
002   Q2T4J9T7VA
003   82LPD8R7FF
004   Z6TDAA3HVY
005   P33JEET8MS
006   3SHX6SN$RK
007   CH3W7E42AK
008   9EU6V4DER7
009   SUPACM4NFH
010   5BVF3MEV2Z

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 1-931836-93-0

Technical Editors: Debra Littlejohn Shinder, Dr. Thomas W. Shinder
Technical Reviewer: Laura E. Hunter
Acquisitions Editor: Jonathan Babcock
Cover Designer: Michael Kavish
Page Layout and Art by: John Vickers
Copy Editor: Michelle Melani and Marilyn Smith
Indexer: Nara Wood
DVD Production: Michael Donovan
DVD Presenter: Laura Hunter

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Will Schmied, the President of Area 51 Partners, Inc. and moderator of www.mcseworld.com, for sharing his considerable knowledge of Microsoft networking and certification.

Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O'Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss, for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

A special thanks to Deb and Tom Shinder for going the extra mile on our core four MCSE 2003 guides. Thank you both for all your work.

Another special thanks to Daniel Bendell from Assurance Technology Management for his 24x7 care and feeding of the Syngress network. Dan manages our book network in a highly professional manner and under severe time constraints, but still keeps a good sense of humor.

Contributors

Martin Grasdal (MCSE+I, MCSE/W2K MCT, CISSP, CTT+, A+) is an independent consultant with over 10 years experience in the computer industry. Martin has a wide range of networking and IT managerial experience. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a number of products, including NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003, Exchange Server, IIS, and ISA Server. As a manager, he served as Director of Web Sites and CTO for BrainBuzz.com, where he was also responsible for all study guide and technical content on the CramSession.com Web site. Martin currently works actively as a consultant, author, and editor. His recent consulting experience includes contract work for Microsoft as a Technical Contributor to the MCP Program on projects related to server technologies. Martin lives in Edmonton, Alberta, Canada with his wife Cathy and their two sons. Martin's past authoring and editing work with Syngress has included the following titles: Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), Configuring ISA Server 2000: Building Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Dr. Tom Shinder's ISA Server & Beyond: Real World Security Solutions for Microsoft Enterprise Networks (ISBN: 1-931836-66-3).

Van Varnell (Master CNE, MCSE, MCDBA) is a Senior Network Analyst for Appleton, Inc. His areas of expertise are development and maintenance of high-availability systems, storage area networks and storage platforms, performance monitoring systems, and data center operations. Van has held high-level positions in the industry over the 15 years of his career, including that of Windows Systems Architect for Motorola and Senior Consultant for Integrated Information Systems. Van holds a bachelor's degree in Computer Information Systems and currently resides in Wisconsin with his wife Lisa and five children (Brennan, Kyle, Katelyn, Kelsey, and Kevin). He wishes to thank his wife and kids for being his wife and kids, and Jon Babcock of Syngress for his patience and assistance.

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining their Web site at www.nrps.com and Intranet, he has also provided support in the areas of programming, hardware, and network administration. As part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael also owns KnightWare (www.knightware.ca), which provides computer-related services like Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and has been published over three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada with his lovely wife Jennifer and his darling daughter Sara.

Paul M. Summitt (MCSE, CCNA, MCP+I, MCP) has a Masters degree in Mass Communication. Currently the IT Director for the Missouri County Employees' Retirement Fund, Paul has served as network, exchange, and database administrator as well as Web and application developer. Paul has written previously on virtual reality and Web development and has served as technical editor for several books on Microsoft technologies. Paul lives in Columbia, Missouri with his life and writing partner Mary. To the Syngress editorial staff, my thanks for letting me be a part of this project. To my kids, adulthood is just the beginning of all the fun you can have.

Rob Amini (MCSE, MCDBA, MCT) is currently a systems manager for Marriott International in Salt Lake City, Utah. He has a Bachelor's degree in computer science and has been breaking and fixing machines since the Atari 800 was considered state of the art. In 1993 he began his professional career by fixing IBM mainframes and various unix-flavored boxes. After a long stint as a technician and systems admin, he gained fabled notoriety as a pun-wielding Microsoft trainer. Rob has continued as an instructor for more than three years and although teaching is his first love, he tends to enjoy technical writing more than a well-adjusted person should. When actually not working with and programming a variety of electronic gizmos, Rob enjoys spending every minute he can with his beautiful wife Amy and the rest of his supportive family.

Dan Douglass (MCSE+I, MCDBA, MCSD, MCT) is a software developer and trainer with a cutting edge medical software company in Dallas, Texas. He currently provides software development skills, internal training and integration solutions, as well as peer guidance for technical skills development. His specialties include enterprise application integration and design, HL7, XML, XSL, Visual Basic, database design and administration, Back Office and .NET Server platforms, network design, Microsoft operating systems, and FreeBSD. Dan is a former US Navy Submariner and lives in Plano, TX with his very supportive and understanding wife, Tavish.

Jada Brock-Soldavini is an MCSE and holds a degree in Computer Information Systems. She has worked in the Information Technology Industry for over years. She is working on her Cisco certification track currently and has contributed to over a dozen books and testing software for the Microsoft exam curriculum. She works for the State of Georgia as a Network Services Administrator. When she is not working on her technical skills she enjoys playing the violin. Jada is married and lives in the suburbs of Atlanta with her husband and children.

Michael Moncur is an MCSE and CNE. He is the author of several bestselling books about networking and the Internet, including MCSE In a Nutshell: The Windows 2000 Exams (O'Reilly and Associates). Michael lives in Salt Lake City with his wife, Laura.

Technical Reviewer, DVD Presenter, and Contributor

Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools within the University. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an "MCSE Early Achiever" on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura's previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of websites. Laura has previously contributed to the Syngress Publishing's Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress
Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer. Laura holds a bachelor's degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.

Chapter 1 • Using Windows Server 2003 Planning Tools and Documentation

3. A portion of your company's organizational structure is shown in Figure 1.14. Third-level department managers report to the second-level department managers directly above them in the organizational chart. Second-level managers report to their corresponding vice presidents, who then report to the company CEO. Your company CEO would like a consistent security policy to be implemented across the entire network, but each subdepartment has specific desktop and application installation settings that you would like to be able to control and deploy centrally. What is the most efficient AD structure to design for this company?

Figure 1.14 Organizational Structure (org chart: Jon Smith, CEO; Accounting: Jane Doe, Mgr.; Payroll: Mary Noxon, Mgr.; Collections: Peter White, Mgr.; Accounts Payable: A.J. Tierney, Mgr.)

A. Configure a single domain for the organization, and configure a series of nested OUs for each second-level and third-level department. Configure the domain with a single security policy, and link a GPO to each OU to enable each specific department's desired settings.
B. Configure a parent domain for each second-level department, and configure a child domain for each third-level department. Create and link a separate GPO to each domain to control security and application settings.
C. Configure a single domain for the organization, and configure a global security group for each department. Configure the domain with a single security policy, and link a GPO to each global group to enable each specific department's desired settings.
D. Create a separate forest for each second-level department, and create a child domain for each third-level department. Configure a security policy for each forest, and configure a domain GPO for each third-level department.

4. You are the administrator for a network that supports a mixture of Windows NT Workstation, Windows 2000, and Windows XP Professional. You are preparing to upgrade your network servers from Windows NT Server to Windows Server 2003. What is the strongest level of network authentication that you can configure your Windows domain to use in its current configuration (without installing third-party software)?

A. Kerberos
B. LM
C. NTLM
D. NTLM version 2

Analyzing Organizational Needs

5. You are the administrator of a Windows 2000 network and are planning an upgrade to Windows Server 2003. As part of the upgrade process, you are attempting to determine whether you need to upgrade your network cabling from Token Ring cabling to 100MB Ethernet. What is the best way to go about making this determination?

A. Use Performance Monitor to capture a baseline of network utilization at several points during the day over the course of several weeks.
B. Use Network Monitor to capture network frames being sent to and from your domain controller's network adapter.
C. Use the IPSec Monitoring utility to view network traffic being sent between your domain controllers and your Windows 2000 Professional clients.
D. Use Performance Monitor to capture a single snapshot of network utilization when most users are in the office, such as mid-morning.

6. After returning from a two-day technology management seminar, your CEO tells you that he would like to create a fault-tolerant configuration for the company's heavily trafficked Web and database servers. Your network is currently running the Standard Edition of Windows NT 4.0. You have recently proposed an upgrade to Windows Server 2003. What features offered by this proposed upgrade would provide an attractive option to meet your CEO's request?

A. SMP processing
B. Volume Shadow Copy
C. Network Load Balancing
D. Server clustering

7. You are the network administrator for a medium-sized company that consists of Sales, Customer Service, Accounting, Human Resources, and Data Entry departments. You have been receiving complaints that your company's e-mail server has been performing more slowly than usual over the past several weeks. Several users have mentioned that their e-mail clients have "frozen" in the middle of sending an e-mail message, forcing them to reboot their machines. Upon investigating, you find that one user's mailbox is roughly ten times the size of the second largest mailbox on the server, and this user is receiving approximately 1,000 messages per day, compared to a company average of 46. The user in question is a data-entry clerk who does not use e-mail for sales inquiries or other business-related contacts. When you ask the user about her e-mail usage, she reports that she has been surfing the Web signing up for Internet coupons and contests, and she has been deluged with spam as a result. Since the user does not require e-mail access to perform her job function, you disable her e-mail account, and server performance slowly returns to normal. What measures can you implement to prevent this sort of incident from recurring? (Select all that apply.)

A. Implement disk quotas on the e-mail server so that users' inboxes cannot exceed a certain size.
B. Increase the level of authentication security so that only Kerberos-authenticated users can access the e-mail server.
C. Distribute an Acceptable Use Policy to your user base so that they understand what they can and cannot do while using their office PCs.
D. Use NTFS file permissions to restrict network access to personnel in your Sales and Customer Service department only.

Developing a Test Network Environment

8. You are the network administrator for a law firm that has multiple locations throughout the United States. Your firm has purchased a customer relationship management (CRM) application that will be hosted in the firm's main office in Key Biscayne, Florida, and accessed by other offices using dedicated WAN links. You would like to test the performance of this software over a WAN link before deploying it to the other offices in the firm. Unfortunately, you only have access to test equipment in the Key Biscayne office location. What is the best way to test the performance of this application?

A. Use the average network bandwidth utilization in each office to estimate the performance of the application over the WAN.
B. Install routers within the test lab to simulate the latency of the dedicated WAN links between offices.
C. Access the CRM application from your home computer using your high-speed Internet connection.
D. Test the application using production systems in each of the remote offices.

9. You are in the process of building a lab environment to test a new network application. You would like to isolate the test environment from your production equipment as much as possible to prevent any test changes from affecting your users' daily tasks. What can you do to protect your production environment from changes performed in your test lab? (Select all that apply.)

A. Place a router or firewall between the network infrastructures connecting the test lab to your production machines.
B. Keep the network cabling for the test lab physically separated from the network hardware that provides connectivity to your production environment.
C. Contain the test lab in a separate OU.
D. Use 100MB Ethernet for your production machines, but only 10MB Ethernet for the test lab.

10. You are designing a lab environment to test a proposed upgrade to Windows Server 2003. You are in the process of creating a domain structure in the test lab to assess various features and functions of the upgrade process, including switching the domain from mixed mode to native mode and moving from a standard DNS zone to AD-integrated DNS. At the same time that the Windows Server 2003 testing is taking place, you would also like to use the test lab to evaluate a new accounting package that will be implemented on the production network before the Windows Server 2003 upgrade takes place. You do not want the two batteries of tests to interfere with each other. Which of the following would be good design choices for the domain structure of the test lab? (Select all that apply.)

A. Create two separate domains: one to test the accounting software and one to test the domain mode and DNS functionality of Windows Server 2003.
B. Create a single domain in the test lab to encompass the entire test environment.
C. Create a separate OU to test the accounting software so that it will not be affected by the switch in domain mode.
D. Create two separate forests: one to test the DNS configuration and the switch from mixed mode to native mode, and one to perform the tests on the accounting software package.

11. You have received a critical software update from the vendor of your accounting software suite. The software vendor has indicated that you should apply this patch as quickly as possible to correct a potential security breach. As the administrator for your network, what should you do when you receive this notice?

A. Install the patch on all production systems as quickly as possible.
B. Install the patch in your network's test lab to ensure that it functions properly and without any adverse side effects, and then apply it to all of your production systems as soon as possible.
C. Install the patch on a single workstation on your production environment to see if there are any bugs or malfunctions. When you are satisfied, apply the patch to the remainder of your workstations.
D. Send the software patch to Microsoft Product Support Services for testing before applying it to your network computers.

12. You are the network administrator for a small company that is considering purchasing a Windows Server 2003 machine to replace an aging Windows NT Server machine. The client workstations run a mix of Windows 98, Windows NT Workstation, and Windows XP Professional. Each network client needs to be able to access the network server after it is upgraded, since the client workstations will be upgraded on a one-by-one basis over the course of several months. You have been informed that you will need to use the production server itself for testing, and that there is only sufficient budget to allot one representative workstation PC for test purposes. What is the best way for you to test client connectivity to Windows Server 2003?

A. Configure the test workstation with Windows Server 2003. Connect a production Windows 98, Windows NT 4, and Windows XP Professional workstation to the test server.
B. Use a utility like VMware to simulate how each operating system on your network will function with the new Windows Server 2003 server.
C. Check each client operating system one at a time, reformatting the test PC after you've finished testing each operating system.
D. Connect a production Windows 98 and Windows NT Workstation to the Windows Server 2003. Configure the test workstation to use Windows XP Professional.

Documenting the Planning and Network Design Process

13. You have recently started working as a network administrator for a company whose network consists of multiple Windows Server 2003 domains. The previous network administrator left you with little documentation detailing how the network is configured, and you've discovered that many client workstations are behaving inconsistently: sometimes the Run line is unavailable, sometimes a user cannot access the Control Panel, and so on. You suspect that this is the result of Group Policy settings, and want to put together a list of all GPOs that are present within each domain on your network. What is the most efficient way of accomplishing this task?

A. View each domain's settings within the Group Policy Management Console (GPMC) and take note of the values listed under the Group Policy node in each domain.
B. Use a GPMC script to list all GPO objects within each domain.
C. Load the Resultant Set of Policies (RSoP) snap-in to view the various GPOs that are causing client settings to be applied.
D. Examine the Group Policy tab of each domain's Properties sheet in Active Directory Users & Computers.

14. A portion of your network is shown in Figure 1.15. You are using Network Monitor from WorkstationB to capture network traffic for analysis. You suspect that there is an Internet Relay Chat (IRC) connection between WorkstationA and WorkstationC, but the Network Monitor trace does not show any sign of that connection. What is the most likely reason for this?

Figure 1.15 Network Portion (an Ethernet segment connecting Workstation A, Workstation B, and Workstation C)

A. Network Monitor captures broadcast traffic only on a Windows network.
B. Windows workstations do not support IRC connections.
C. The version of Network Monitor that ships with Windows Server 2003 products does not operate in promiscuous mode.
D. You need to use Performance Monitor to capture and analyze network traffic between machines on a Windows network.

15. Your company, airplanes.com, has recently undergone a merger with southern-airplanes.com, and you have taken over the network management of both halves of the newly formed company. Airplanes.com has a strict policy of desktop and software installation restrictions, while southern-airplanes.com has historically been more lenient with allowing users to customize their computers and install personal software. Several of the users from southern-airplanes.com have complained about the policy restrictions that have been placed on their desktops. You have been asked to present a report to the management group detailing which restrictions are in place on various OUs. What is the most efficient way to present this information to the management group in an easily readable format?

A. Capture a screen shot of the Properties sheet of the various OUs' Group Policy settings and save the screen shot using a desktop publishing software package.
B. Export the GPO settings to a text file, then import the text file into an Excel spreadsheet.
C. Demonstrate the use of the Group Policy Editor to apply GPO settings during the meeting with the management group.
D. Use the Group Policy Management Console (GPMC) to present the various GPO settings in an organized HTML-formatted report.

Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. A, B
2. C
3. A
4. D
5. A
6. C, D
7. A, C
8. B
9. A, B
10. A, D
11. B
12. B
13. B
14. C
15. D

Chapter 2 • MCSE 70-293 Planning Server Roles and Server Security

Exam Objectives in this Chapter:

Planning and Implementing Server Roles and Server Security
1.1 Configure security for servers that are assigned specific roles
1.4 Evaluate and select the operating system to install on computers in an enterprise
1.4.1 Identify the minimum configuration to satisfy security requirements
1.2 Plan a secure baseline installation
1.2.1 Plan a strategy to enforce system default security settings on new systems
1.2.2 Identify client operating system default security settings
1.2.3 Identify all server operating system default security settings
1.3 Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers
1.3.1 Deploy the security configuration for servers that are
assigned specific roles
1.3.2 Create custom security templates based on server roles

Introduction

Planning an effective security strategy for Windows Server 2003 requires an understanding of the roles that different servers play on the network and the security needs of different types of servers based on the security requirements of your organization. Securing the servers is an important part of any network administrator's job.

In this chapter, we will first review server roles and ensure that you have an understanding of the many roles Windows Server 2003 can play on the network. We will discuss domain controllers; file and print servers; DHCP, DNS, and WINS servers; Web servers; database servers; mail servers; certification authorities; and terminal servers. Then we will delve into how to plan a server security strategy. We will examine how to choose the right operating system according to security needs, how to identify minimum security requirements for your organization, and how to identify the correct configurations to satisfy those security requirements.

Next, you will learn how to plan baseline security on both client and server machines. We will cover planning the secure baseline installation parameters and enforcing default security settings on new computers. We will show you how to customize server security, securing your servers according to their roles. Then we will walk you through the process of creating custom security templates and show you how to deploy security configurations.

Understanding Server Roles

When Windows Server 2003 is installed on a computer, it provides a wide variety of tools and functionality. However, additional features may still need to be installed on the server to bring clients the services they need. The server may need to supply file and print services, authenticate users, or support a local intranet Web site. Until Windows Server 2003 is configured to supply these services, clients will be unable to use the server in a manner that is required by the organization.

Server roles are profiles that are used to configure Windows Server 2003 to provide specific functionality to the network. When you set up a server to use a specific role, various services and tools are enabled or installed, and the server is configured to provide additional services and resources to network clients. Roles are applied to machines using the Configure Your Server Wizard and managed using the Manage Your Server tool.

As shown in Figure 2.1, Manage Your Server provides information about the roles that are currently configured for a server, and it provides the ability to add and remove roles from a server. Depending on your server's settings, this tool will start automatically upon logon. If you've checked the Don't display this page at logon check box at the bottom of this window, Manage Your Server will not start automatically. You can start it manually by selecting Start | Administrative Tools | Manage Your Server.

As shown in Figure 2.1, there are a variety of items in Manage Your Server's main window. The left side of the window lists the roles currently configured for the server. Beside each entry, there are buttons that relate to the corresponding role. These buttons differ from role to role, and they are used to invoke other tools for managing the role or to view information on additional steps that can be taken to configure, administer, and maintain the role.

Figure 2.1 The Main Manage Your Server Window

Near the top of the Manage Your Server window are three buttons. Two of these are used to obtain additional information about roles and remote administration. The other button, labeled Add or remove a role, is used to invoke the Configure Your Server Wizard. You can also start the Wizard by selecting Start | Administrative Tools | Configure Your Server.

When the Configure Your Server Wizard starts, it informs you of possible preliminary steps that need to be taken before a new role is added. As shown in Figure 2.2, these steps include ensuring that network and Internet connections have been set up and are active for the server, peripherals are turned on, and your Windows Server 2003 installation CD is available. When you finish reading this information, click the Next button to have the Wizard test network connections and continue to the next step.

Figure 2.2 Preliminary Steps of the Configure Your Server Wizard

In the next window, shown in Figure 2.3, roles that are available to add and remove through the Wizard are listed in the Server Role column; the Configured column indicates whether the role has been previously installed. If you want to install a role that isn't listed here, click the Add or Remove Programs link to open the Add or Remove Programs applet (in the Windows Control Panel), where you can configure additional services.

Figure 2.3 Configuring Server Roles

In Figure 2.3, you can see that there are 11 different roles that can be applied to Windows Server 2003 through the Configure Your Server Wizard. These roles are as follows:

- Domain controller: This role is used for authentication and installs Active Directory on the server.
- File server: This role is used to provide access to files stored on the server.
- Print server: This role is used to provide network printing functionality.
- DHCP server: This role allocates IP addresses and provides configuration information to clients.
- DNS server: This role resolves IP addresses to domain names (and vice versa).
- WINS server: This role resolves IP addresses to NetBIOS names.
(and vice versa) I Mail server This role provides e-mail services I Application server This role makes distributed applications and Web applications available to clients I Terminal server This role provides Terminal Services for clients to access applications running on the server I Remote access/VPN server This role provides remote access to machines through dial-up connections and virtual private networks (VPNs) I Streaming media server This role provides Windows Media Services so that clients can access streaming audio and video New & Noteworthy After you select the role to add to the server, click Next to step through the process of setting up that role Each set of configuration windows is different for each server role Also, although multiple roles can be installed on Windows Server 2003, only one role at a time can be configured using the Configure Your Server Wizard.To install additional roles, you need to run the Wizard again Manage Your Server The Manage Your Server tool is new to Windows Server 2003 It is similar to the Configure Your Server utility in Windows 2000 and provides a centralized location for administrators to access tools, view information, and launch programs used to maintain specific roles In addition, servers with Internet access can benefit from this tool, because it can be used to invoke Windows Update to apply security patches, service packs, new drivers, and other updates Manage Your Server also provides links to Web pages located on Microsoft’s site, which can assist administrators in understanding how to deal with specific problems and obtaining the latest information Manage Your Server also provides a way to launch the Configure Your Server Wizard, where you can add roles to a server or remove existing ones Because the roles installed on a server can be modified at any time, administrators are able to change a server’s role on the network as needs within the organization change www.syngress.com 57 255_70_293_ch02.qxd 58 9/10/03 
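Because a role is, in practice, a set of services that the Wizard installs and starts, the security-relevant question for an administrator is whether a server is running role services that nobody approved. The following PowerShell script is an added example and is not from the book or from Microsoft; it audits a Windows Server 2003 machine over WMI and compares the role services it finds against an approved list. The mapping of role names to service short names, the function name Get-ServerRoleAudit, and the ApprovedRoles parameter are assumptions made for this example. It is meant to be run with PowerShell 2.0 or later from an administrative workstation, since Windows Server 2003 itself does not ship with PowerShell.

```powershell
# Added example (not the book's own material): infer which Configure Your Server
# Wizard roles a Windows Server 2003 machine is actually providing by looking at
# the services those roles install, and flag any running role that is not on the
# server's approved list. Run with PowerShell 2.0 or later from an administrative
# workstation; the target is queried over WMI (RPC/DCOM), which Windows Server
# 2003 supports even though it has no PowerShell of its own.
#
# ASSUMPTION: the role-to-service mapping below was chosen for this example.
# Keys are the role names used by the Wizard; values are service short names.
# File, print and terminal server roles are omitted because their services
# (LanmanServer, Spooler, TermService) exist on every server and say nothing
# about whether the role was deliberately configured.
$roleServices = @{
    'Domain controller'        = 'kdc'           # Kerberos KDC runs only on DCs
    'DNS server'               = 'DNS'
    'DHCP server'              = 'DHCPServer'
    'WINS server'              = 'WINS'
    'Application server'       = 'W3SVC'         # IIS World Wide Web Publishing
    'Mail server'              = 'POP3SVC'       # Microsoft POP3 Service
    'Remote access/VPN server' = 'RemoteAccess'  # Routing and Remote Access
    'Streaming media server'   = 'WMServer'      # Windows Media Services
}

function Get-ServerRoleAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Roles this server is approved to hold (names as in $roleServices)
        [string[]]$ApprovedRoles = @()
    )

    # One WMI call returns every installed service with its current state
    $installed = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

    foreach ($role in ($roleServices.Keys | Sort-Object)) {
        $svcName = $roleServices[$role]
        $svc     = $installed | Where-Object { $_.Name -eq $svcName }

        if ($null -eq $svc) { $state = 'not installed' } else { $state = $svc.State }
        $active   = ($null -ne $svc) -and ($svc.State -eq 'Running')
        $approved = $ApprovedRoles -contains $role

        # An unexpected running role is attack surface nobody planned for;
        # an approved role that is not running is a service outage.
        if ($active -and -not $approved)     { $finding = 'UNEXPECTED: role active but not approved' }
        elseif ($approved -and -not $active) { $finding = 'MISSING: approved role not running' }
        else                                 { $finding = 'ok' }

        New-Object PSObject -Property @{
            Computer = $ComputerName
            Role     = $role
            Service  = $svcName
            State    = $state
            Finding  = $finding
        }
    }
}

# Example: this server is only supposed to be a domain controller with DNS;
# anything else running (say, IIS or RRAS) is reported as UNEXPECTED.
Get-ServerRoleAudit -ApprovedRoles 'Domain controller', 'DNS server' |
    Format-Table Computer, Role, Service, State, Finding -AutoSize
```

Pass -ComputerName to audit a remote server; the account running the script needs WMI access on the target. Treat an UNEXPECTED finding as a prompt to open Manage Your Server on that machine and remove the role, or to record it as approved if it was added on purpose.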
Before setting up a server role (as we will in Exercise 2.1, later in this chapter), it is important to understand each of the roles that can be applied to Windows Server 2003. In the sections that follow, we will discuss these roles in greater detail and examine how they are installed with the Configure Your Server Wizard and other tools.

Domain Controllers (Authentication Servers)

Domain controllers are a fundamental part of a Microsoft network because they are used to manage domains. A domain is a logical grouping of network elements, including computers, users, printers, and other components that make up the network and allow people to perform their jobs. When a server is configured to be a domain controller (DC), it can be used to manage these objects and provide other capabilities for configuring and controlling your network.

An important function of a domain controller is user authentication and access control. Authentication is used to verify the identity of an object such as a user, application, or computer. For example, when a user logs on to a domain, he or she will enter a username and password, which is compared to information that is stored on the domain controller. If the information provided by the user matches data in the user account, the domain controller considers the person to be authentic. The process continues by giving an appropriate level of access, so the user can utilize resources on the network. Access control manages which services and resources users (or other objects) are permitted to use and how they can use them. By combining authentication and access control, a user is permitted or denied access to network services and resources.

Active Directory

To perform these functions, the domain controller must have information about users and other objects in a domain. In Windows 2000 and Windows Server 2003, this data is stored in Active Directory (AD), which is a directory service that runs on domain controllers. A directory serves as a structured source of information, containing data on objects and their attributes. Objects in the directory represent elements of your network (including users, groups, and computers). Attributes are values that define an object (such as its name, location, security rights, and other features). Using tools that access AD, an administrator can manage an object’s attributes to provide information that is accessible to users and control security at a granular level. By serving as a data store of information about a domain, AD is the means by which administrators achieve greater and more flexible control over a network.

When AD is installed, the server becomes a domain controller. Until this time, it is a member server that cannot be used for domain authentication and management of domain users or other domain-based objects. This does not mean, however, that AD can be installed on every version of Windows Server 2003. It can be installed on Standard Edition, Enterprise Edition, and Datacenter Edition, but servers running the Web Edition of Windows Server 2003 cannot be domain controllers. Web Edition servers can be only stand-alone or member servers that provide resources and services to the network.

Posted: 13/08/2014, 15:21
