Exam Objectives Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1.

I have a legacy application that requires anonymous access, and some users cannot access the application. What can I do?

2.

I have multiple domains that need access to resources located in other domains. How can this be set up?

3.

I want to keep my domain Administrator account under wraps for security reasons. What can I do to accomplish this?

4.

I am trying to audit folder access by a particular user, and I cannot see any information in the event log. What could be the problem?

5.

I need to apply password policies to all clients. How can I do this?

6.

How can I centrally manage security and provide updates for my client machines?

7.

I’ve just installed a WAP on our company network so employees can roam with their laptops and stay connected to the network (for example, when they attend meetings in conference rooms). Is there anything I need to be aware of in regard to security issues?

Answers

1.

It is possible that your application requires you to grant access to the Anonymous Users group, which is not part of the Everyone group. If you need to grant access to the Anonymous group, you must explicitly add the Anonymous Logon security group and its permissions.
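
As an added example (not from the study guide), the following Windows PowerShell 3.0+ script checks a folder's ACL for exactly the distinction this answer describes and, when a legacy application needs it, adds an explicit read-only entry for Anonymous Logon. The folder path is a hypothetical value; the well-known SIDs are standard.

```powershell
# Added example (not from the study guide). Checks whether a folder grants access to
# ANONYMOUS LOGON and, if a legacy application requires it, adds an explicit read-only ACE.
# Assumption: $Path is the legacy application's folder (hypothetical value).

$AnonymousSid = 'S-1-5-7'   # well-known SID: NT AUTHORITY\ANONYMOUS LOGON
$EveryoneSid  = 'S-1-1-0'   # well-known SID: Everyone (does not include Anonymous on Windows Server 2003)

function Test-AnonymousAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -Path $Path
    # Resolve every ACE to a SID so the check does not depend on localized display names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $everyone  = $rules | Where-Object { $_.IdentityReference.Value -eq $EveryoneSid  -and $_.AccessControlType -eq 'Allow' }
    $anonymous = $rules | Where-Object { $_.IdentityReference.Value -eq $AnonymousSid -and $_.AccessControlType -eq 'Allow' }

    # An Everyone ACE alone is the classic cause of "some users cannot access" here:
    # anonymous connections are not members of Everyone, so they are still refused.
    $diagnosis = if ($anonymous) { 'Anonymous Logon is explicitly granted' }
                 elseif ($everyone) { 'Only Everyone is granted; anonymous connections will be refused' }
                 else { 'Neither Everyone nor Anonymous Logon is granted' }

    [pscustomobject]@{
        Path             = $Path
        EveryoneAllowed  = [bool]$everyone
        AnonymousAllowed = [bool]$anonymous
        Diagnosis        = $diagnosis
    }
}

function Grant-AnonymousReadAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl  = Get-Acl -Path $Path
    $anon = [System.Security.Principal.SecurityIdentifier]$AnonymousSid
    # Least privilege: read and execute only, scoped to this folder tree, never Full Control.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $anon,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (hypothetical path): diagnose first, grant only if the diagnosis calls for it.
Test-AnonymousAccess -Path 'C:\LegacyApp'
# Grant-AnonymousReadAccess -Path 'C:\LegacyApp'
```

Get-Acl and Set-Acl need an account that can read and change the folder's security descriptor. Granting Anonymous Logon explicitly on the one folder the application uses is preferable to loosening the domain-wide "Network access: Let Everyone permissions apply to anonymous users" setting, which would widen anonymous access to every resource that carries an Everyone ACE.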

2.

If users in one domain need access to resources in another domain within the same forest, you do not need to do anything special. This is because, by default, a two-way transitive trust exists between the root domains of every domain tree in the forest so users in any domain in the forest can access resources in any other domain in that forest (if they have the proper permissions). However, to speed up the authentication process between domains, you can create a shortcut trust. If the users in one domain need access to resources in a domain that is in a different forest, you can either create a forest trust between the two forests (which is transitive and will allow all domains in each forest to access all domains in the other) or you can create an external nontransitive trust directly between the two domains.

3.

You can disable the built-in Administrator account, since all hackers know the default account name and that is half the information they need to take control of your server. Then you can give administrative privileges to another account. When the Administrator account is disabled, it can still be used in Safe Mode for troubleshooting and repairing problems. Alternatively, you can rename the built-in Administrator account so hackers won’t be able to recognize it so easily. You should not log on as Administrator for performing everyday tasks. Instead, use the Run as command when you need to perform administrative tasks.
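
The following script, added here as an example and not taken from the study guide, audits and then applies the three steps in this answer (delegate administrative rights, rename, disable) and shows the "Run as" pattern for everyday elevation. It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 / Windows 10 and later); on Windows Server 2003 the same changes are made in Local Users and Groups. The account names are hypothetical.

```powershell
# Added example (not from the study guide). Audits and hardens the built-in Administrator
# account on a member server. Requires the Microsoft.PowerShell.LocalAccounts module.
# Account names below are hypothetical.

function Get-BuiltinAdministrator {
    # Find the account by its RID (500) rather than its name: renaming changes the name,
    # not the SID, so this locates the real built-in account even after a rename.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Test-AdministratorHardening {
    $admin   = Get-BuiltinAdministrator
    $renamed = $admin.Name -ne 'Administrator'
    $finding = if ($admin.Enabled -and -not $renamed) {
        'Built-in Administrator is enabled under its default name'
    } elseif ($admin.Enabled) {
        'Built-in Administrator is renamed but still enabled'
    } else {
        'Built-in Administrator is disabled (still usable in Safe Mode for recovery)'
    }
    [pscustomobject]@{
        Name      = $admin.Name
        Sid       = $admin.SID.Value
        Renamed   = $renamed
        Enabled   = $admin.Enabled
        LastLogon = $admin.LastLogon   # recent value on a hardened server means someone still uses it
        Finding   = $finding
    }
}

function Invoke-AdministratorHardening {
    param(
        [Parameter(Mandatory)][string]$DelegateAccount,   # e.g. 'CONTOSO\jdoe-admin' (hypothetical)
        [Parameter(Mandatory)][string]$NewName             # e.g. 'svc-maint' (hypothetical, non-obvious)
    )
    $admin = Get-BuiltinAdministrator

    # 1. Give administrative privileges to a separately named account FIRST, so that
    #    disabling the built-in account cannot lock you out.
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $DelegateAccount -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $DelegateAccount
    }

    # 2. Rename the built-in account so the default name is no longer a valid logon name.
    if ($admin.Name -ne $NewName) {
        Rename-LocalUser -Name $admin.Name -NewName $NewName
    }

    # 3. Disable it. Windows still lets the built-in account log on in Safe Mode,
    #    so this does not remove your recovery path.
    Disable-LocalUser -Name $NewName

    Test-AdministratorHardening
}

# For day-to-day work, log on as an ordinary user and elevate only the task that needs it
# (the "Run as" approach the answer recommends). Both of these prompt for the password:
#   runas /user:CONTOSO\jdoe-admin "mmc.exe compmgmt.msc"
#   Start-Process -FilePath mmc.exe -ArgumentList compmgmt.msc -Credential (Get-Credential 'CONTOSO\jdoe-admin')

Test-AdministratorHardening
```

Run the audit function on its own first; the hardening function changes the account and should be applied through a tested build procedure, with the delegate account's credentials verified before the built-in account is disabled.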

4.

Although you can set other types of auditing and they will start immediately, when you want to audit access to objects such as folders, object auditing must be enabled. Then you need to set auditing properties on the object you want to audit (in this case, the folder). To enable object auditing, edit Group Policy for the local computer or the domain policy. In the left pane of the GPO Editor, click Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policies and in the right pane, double-click Enable object auditing. Then select to audit successes, failures, or both.
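
As an added example (not from the study guide), the script below makes the two prerequisites in this answer explicit, the audit policy and the SACL on the folder, diagnoses which one is missing when the event log stays empty, and then reads the resulting events for one user. It is written for Windows Server 2008 and later, where the policy is set with auditpol.exe and the file-access event is 4663; on Windows Server 2003 the policy is the Group Policy setting this answer names and the events are 560 and 567. The path and user names are hypothetical.

```powershell
# Added example (not from the study guide). Folder-access auditing needs BOTH the audit
# policy and a SACL on the folder; this enables both, checks both, and reads the events.
# Run elevated: reading and writing SACLs requires the security privilege.

function Enable-FolderAccessAuditing {
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. 'D:\Finance' (hypothetical)
        [Parameter(Mandatory)][string]$Account    # e.g. 'CONTOSO\jdoe' (hypothetical)
    )

    # Prerequisite 1: object-access auditing must be on in policy. Without it the SACL
    # below is silently ignored and nothing ever reaches the Security log.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # Prerequisite 2: the folder itself must carry an audit entry naming the user.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Account,
        [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FolderAccessAuditing {
    # Diagnoses the "nothing in the event log" case by checking both prerequisites.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Account)

    $policy   = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
    $policyOn = $policy.'Inclusion Setting' -ne 'No Auditing'
    $sacl     = (Get-Acl -Path $Path -Audit).Audit | Where-Object { $_.IdentityReference.Value -eq $Account }

    $diagnosis = if (-not $policyOn) { 'Object-access auditing is off in policy; enable it first' }
                 elseif (-not $sacl) { "No audit entry for $Account on $Path; add one" }
                 else { 'Both prerequisites are met; events should appear in the Security log' }

    [pscustomobject]@{ PolicyEnabled = $policyOn; SaclPresent = [bool]$sacl; Diagnosis = $diagnosis }
}

function Get-FolderAccessEvents {
    # $User is the logon name without domain, e.g. 'jdoe' (hypothetical).
    param([Parameter(Mandatory)][string]$User, [int]$Hours = 1)

    $ms    = $Hours * 3600000
    $xpath = "*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='SubjectUserName']='$User']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
                Object = ($d | Where-Object Name -eq 'ObjectName').'#text'
                Access = ($d | Where-Object Name -eq 'AccessMask').'#text'
            }
        }
}

# Usage (hypothetical values):
Enable-FolderAccessAuditing -Path 'D:\Finance' -Account 'CONTOSO\jdoe'
Test-FolderAccessAuditing   -Path 'D:\Finance' -Account 'CONTOSO\jdoe'
Get-FolderAccessEvents      -User 'jdoe' -Hours 1
```

Auditing ReadData on a busy share produces a large volume of events; in practice the rights list in the SACL is kept to the operations you actually need to see, and the Security log size is raised before object auditing is switched on.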

5.

Password policies are configured in the Security Settings | Account Policies node of Group Policy on a local or domain GPO. Password policies cannot be set at the site or OU level. You can configure Group Policy to enforce password history, set a maximum and minimum password age, set a minimum password length, enforce complexity requirements, or enable storage of passwords using reversible encryption. The latter should be done only if necessary for compatibility purposes, since it decreases security instead of increasing it.
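
The script below is an added example, not from the study guide, that reads the domain's password policy and compares each of the settings this answer lists with a baseline; the thresholds are this example's own assumptions, not the book's or Microsoft's. It requires the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later); on Windows Server 2003 the same values are read with `net accounts /domain` and changed in the Default Domain Policy GPO.

```powershell
# Added example (not from the study guide). Audits the default domain password policy
# against a baseline (the numbers are this example's assumptions) and can apply it.
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $p        = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    # The setting the answer singles out: reversible encryption stores passwords so that
    # the cleartext can be recovered by anyone able to read the directory database.
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add('Reversible encryption is ENABLED; disable it unless a specific application still needs it')
    }
    if (-not $p.ComplexityEnabled)      { $findings.Add('Complexity requirements are off') }
    if ($p.MinPasswordLength -lt 8)     { $findings.Add("Minimum length is $($p.MinPasswordLength); baseline assumes 8") }
    if ($p.PasswordHistoryCount -lt 24) { $findings.Add("History remembers $($p.PasswordHistoryCount) passwords; baseline assumes 24") }
    # Assumption: a non-positive MaxPasswordAge is treated here as "passwords never expire".
    if ($p.MaxPasswordAge -le [TimeSpan]::Zero -or $p.MaxPasswordAge.TotalDays -gt 90) {
        $findings.Add("Maximum age is $($p.MaxPasswordAge); baseline assumes 1 to 90 days")
    }
    # A zero minimum age lets a user cycle through the whole history list in one sitting
    # and land back on the old password, defeating the history setting above.
    if ($p.MinPasswordAge -le [TimeSpan]::Zero) {
        $findings.Add('Minimum age is 0; users can immediately reuse an old password')
    }

    [pscustomobject]@{
        Domain    = $Domain
        Policy    = $p | Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                                       MinPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled
        Findings  = $findings.ToArray()
        Compliant = ($findings.Count -eq 0)
    }
}

function Set-BaselinePasswordPolicy {
    # Applies the same baseline; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    if ($PSCmdlet.ShouldProcess($Domain, 'Set default domain password policy')) {
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
            -MinPasswordLength 8 -PasswordHistoryCount 24 `
            -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
    }
}

# Usage: audit first, then preview the change before applying it.
Get-PasswordPolicyFindings
Set-BaselinePasswordPolicy -WhatIf
```

Because the domain password policy lives in the domain-linked GPO and not in site or OU GPOs, the audit reads one object per domain; run it against each domain in the forest rather than assuming the root domain's values apply everywhere.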

6.

If client computers are running Windows XP, Windows 2000 Professional or Server, or Windows Server 2003, you can use the Microsoft Baseline Security Analyzer (MBSA) to scan for security problems and use a Microsoft Software Update Services (SUS) server to apply security updates. Both of these tools can be downloaded from the Microsoft Web site. SUS consists of two parts: the SUS server component and the client Automatic Update feature. The SUS server component synchronizes with the Windows Update site and downloads critical updates, security updates, and security rollups to the SUS server. Client machines need the Automatic Update feature installed so they can connect to the SUS server and download the updates that you have approved for distribution.
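
As an added example (not from the study guide), the following script checks whether a client is actually pointed at your SUS server. SUS configures the Automatic Updates client through policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so a client whose values are missing or point elsewhere will fetch from the public Windows Update site and ignore your approvals. The server URL is a hypothetical value.

```powershell
# Added example (not from the study guide). Verifies that a client's Automatic Updates
# policy points at the organization's SUS server. Server name below is hypothetical.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = "$WuPolicyKey\AU"

function Get-SusClientConfig {
    # Returns $null for any value that is not set, so the report shows gaps explicitly.
    $wu = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer         # where the client downloads approved updates
        WUStatusServer = $wu.WUStatusServer   # where it reports status (usually the same host)
        UseWUServer    = $au.UseWUServer      # 1 = use the intranet server instead of Windows Update
        NoAutoUpdate   = $au.NoAutoUpdate     # 1 = Automatic Updates disabled entirely
        AUOptions      = $au.AUOptions        # 2 notify, 3 download and notify, 4 scheduled install
    }
}

function Test-SusClientConfig {
    param([Parameter(Mandatory)][string]$ExpectedServer)   # e.g. 'http://sus01.contoso.local' (hypothetical)

    $c        = Get-SusClientConfig
    $findings = New-Object System.Collections.Generic.List[string]
    $expected = $ExpectedServer.TrimEnd('/')

    if ($c.NoAutoUpdate -eq 1) { $findings.Add('Automatic Updates is disabled; approved updates will never be applied') }
    if ($c.UseWUServer -ne 1)  { $findings.Add('UseWUServer is not 1; the client will use public Windows Update and bypass your approvals') }
    if (-not $c.WUServer) {
        $findings.Add('WUServer is not set')
    } elseif ($c.WUServer.TrimEnd('/') -ne $expected) {
        $findings.Add("WUServer points to $($c.WUServer), not the approved server $ExpectedServer")
    }
    if ($c.WUStatusServer -and $c.WUStatusServer.TrimEnd('/') -ne $expected) {
        $findings.Add("WUStatusServer points to $($c.WUStatusServer), not $ExpectedServer")
    }
    if ($c.AUOptions -notin 2, 3, 4) { $findings.Add("AUOptions is '$($c.AUOptions)'; expected 2, 3 or 4") }

    [pscustomobject]@{ Config = $c; Findings = $findings.ToArray(); Compliant = ($findings.Count -eq 0) }
}

# Usage (hypothetical server). Set these values through the domain GPO rather than by hand
# on each machine so they are enforced and re-applied; then force a detection cycle:
Test-SusClientConfig -ExpectedServer 'http://sus01.contoso.local'
#   wuauclt /detectnow
```

Run this from a logon script or a scheduled job and collect the `Compliant` flag centrally; a client that reports non-compliance is one that MBSA will keep flagging as missing updates no matter how many you approve on the SUS server.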

7.

Wireless networking is inherently less secure than traditional wired networks because data is transmitted via radio frequency (RF) signals, which are “out there in the air,” vulnerable to capture by anyone who is within range and has the proper equipment. Although you might think “within range” means within the 300 feet or so that wireless manufacturers specify for their devices, a hacker with a high-gain Yagi antenna can connect to your network from much farther away. This situation is exacerbated by the fact that default settings for most WAPs leave the network wide open, with SSID broadcasting enabled and WEP disabled. Even if you have turned off SSID broadcasting and enabled WEP, that doesn’t mean you’re safe. A hacker can still use commonly available tools to capture packets sent between legitimate users and determine the SSID from them. Then they can break WEP encryption, which has numerous vulnerabilities, using WEPCrack or other hacker tools. It is best to treat a wireless network as an untrusted network; however, you can make it more secure by using technologies such as 802.1X and 802.11i, by incorporating other mechanisms such as MAC filtering along with WEP, and by implementing secure authentication methods such as RADIUS/IAS and using higher-level protocols such as IPSec to protect wireless traffic.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
