S/MIME (Secure/Multipurpose Internet Mail Extensions), 881
SA. See Security association (SA)
SACL (system access control list), 783, 784
Safe Mode boot, 614
scalability, 16, 309
scale of nines, 618
scanning, 834
scavenging
of DNS records, 391–392
of WINS records, 446–447
schedule
deployment, 29
network planning and, 18–19
test, 34–35
schema
disabling objects, 89
function of, 60
securing, 790
Schema Admins group, 790
schema master, 60
Schlumberger smart cards, 899
scope
AD-integrated replication scope, 379–382
group scope, 792
of services, SLAs and, 27
SCSI-based controllers, 659
SCSI (Small Computer System Interface) interface, 565, 643–644
secedit /analyze command, 100–101, 828–829
secedit /configure command
function of, 100, 828
syntax for/parameters of, 101
secedit /export command
function of, 100, 828
syntax for/parameters of, 102
secedit /GenerateRollback command
function of, 100, 829
syntax for/parameters of, 102–103
secedit /import command
function of, 100, 828
syntax for/parameters of, 102
Secedit utility
for applying security settings, 139
commands, 100–103
function of, 99
for security templates, 828–829
for template settings, 140
secedit /validate command
function of, 100, 829
syntax for/parameter of, 102
second-generation (2G), 804
secondary server, 347–348, 373
secure dynamic updates
BIND support of, 397
enabling, 389
GSS-TSIG and, 391
Secure/Multipurpose Internet Mail Extensions (S/MIME), 881
Secure Password Authentication (SPA), 128–129
Secure Server IPSec policy, 733
securedc template, 97
securews template, 97
security
AD structure and, 44
CA, planning, 885
configurations, deploying, 134–136
of Connection Manager, 324–325
for DDNS and DHCP, 389–391
DNS namespace design and, 357–358
DNS security issues, 404–412, 463
IPSec, 761–764
with Layer 4 switches, 244
levels for IPSec, 727–728
NAT limitations, 215
network authentication and, 45
network planning and, 15–16
for NLB cluster, 690–691
with private root zone, 367
protocols and, 150
remote access security, 505–514, 531
reverse lookup zones and, 353
RSoP and, 766–767
of server clusters, 667–669
VPN encryption protocols, 307–308
of WINS, 449–451
wireless encryption and, 504–505
for zone replication, 382
See also authentication; baseline security; routing security; server security; wireless security
security, AD. See Active Directory (AD) security
Security association (SA)
data transit and, 714
defined, 713
IPSec, 258
IPSec driver and, 725–726
main mode, 714
overview of, 770
process, 713–714
Security Configuration and Analysis
analyzing computer with, 103–108
to apply security templates, 109
for custom security templates, 131, 140
for security templates, 827–828
tasks performed with, 98
security descriptors, 782–783
security framework, 782–847
Active Directory security, 782–800
change and configuration management framework, 830
monitoring/optimizing security, 817–829
security update infrastructure, 830–847
summary of, 848
wireless security, 801–816
security groups, 86–87
security identifier (SID)
filtering, 793
relative ID master and, 60
in user authentication, 800
Security log, 584
Security log settings, 823
Security Parameters Index (SPI), 720, 721
security policies
account lockout policies, 826
Kerberos policies, 825–826
password policies, 824–825
security templates, 827–829
setting, 823–824
settings, 134–135
user rights, 826–827
security principals, 60, 795
Security properties, IAS, 310–311
security requirements
configurations for, 93–94
identifying, 91–93
security settings, enforcing, 109–112
Security Settings extension to Group Policy, 827
Security tab, 254–255
security templates
applying, 109–112
custom, creating, 131–134
custom, tools for, 139–140
planning secure baseline installation parameters, 103–108
summary of, 137
tools for, 827–829
security templates and tools, 94–103
Group Policy Object Editor, 99
policies/settings, 94–95
predefined templates, 95–97
Secedit utility, 99–103
Security Configuration and Analysis tool, 98
Security Templates MMC snap-in
for creating/editing templates, 94–95
for custom security templates, 131–134, 140
security update infrastructure, 830–847
Microsoft Baseline Security Analyzer, 831–837
Microsoft Software Update Services, 837–847
Permcopy.exe, 830–831
security updates, importance of, 831
Subinacl.exe, 830
summary of, 850
segment switching, 242–243
segments, network, 149–150
sender authentication, 496–497
Sequence Number field, 720, 721
Serial Line Internet Protocol (SLIP), 488
server cluster
creating new, 653–654, 670–677
defined, 641
groups, resource types, 642–643
name resolution, 643
node failure, recovering from, 657
server cluster deployment options, 647–653
consideration of, 647
failover ring, 651–652
hot-standby server/N+1, 649–651
N-node failover pairs, 648–649
random, 652–653
server cluster models, 644–647
majority node set, 646–647
model most frequently used, 701
single node, 644–645
single quorum device, 645–646
server cluster nodes
described, 641–642
in failover ring, 651–652
failure, recovering from, 657
in hot-standby server/N+1 deployment option, 649–651
N-node failover pairs, 648–649
number of, 701
in random deployment option, 652–653
security of, 667–669
of single node model, 644–645
of single quorum device model, 645–646
server clustering, 641–677
administration, 653–656
cluster models, 644–647
cluster network configuration, 662–667
cluster node failure, recovering from, 657
creating new cluster, 670–677
deployment options, 647–653
hardware issues, 658–662
Network Load Balancing vs., 678
overview of, 640
questions/answers about, 701
relationship to NLB, 681–682
security, 667–669
summary of, 699–700
terminology/concepts, 641–644
Server IPSec policy, 733
server log files, 593
Server Message Block (SMB), 646
server principal name (SPN), 800
server roles, 54–77
application servers, 75–77
application servers, securing, 130
certificate authorities, 69–75
certificate authorities, securing, 129
database servers, 68
database servers, securing, 127–128
DHCP, DNS, WINS servers, 63–65
DHCP, DNS, WINS servers, securing, 125–126
domain controllers, 58–62
domain controllers, securing, 121–122
file and printer servers, 62–63
file servers, securing, 121–124
mail servers, 68–69
mail servers, securing, 128–129
Manage Your Server tool, 54–58
print servers, securing, 124–125
security issues of all server roles, 113–121
security requirements and, 93–94
summary of, 137
terminal servers, 78
terminal servers, securing, 130–131
Web servers, 65–68
Web servers, securing, 126–127
server room, 114
server security, customizing, 113–136
for application servers, 130
for certificate authorities, 129
custom security templates, 131–134
for database servers, 127–128
deploying security configurations, 134–136
for DHCP, DNS, WINS servers, 125–126
for domain controllers, 121–122
for file servers, 121–124
for mail servers, 128–129
for print servers, 124–125
security issues of all server roles, 113–121
summary of, 138
for terminal servers, 130–131
for Web servers, 126–127
server security strategy
configurations for security requirements, 93–94
in general, 78–79
operating system, choosing, 79–90
security requirements, identifying, 91–93
summary of, 137, 138
servers
for Internet Authentication Protocol, 309–310
monitoring with System Monitor tool, 570–580
placement/performance of, 197–198
smart cards and, 898
upgrades, 43
virtualization, 625
Service Level Agreement (SLA), 26–27
service locator record (SRV), 343, 362
service logs, 593
service packs, 115–117
service profiles
with CMAK, 320–323
options of, 328
preventing editing of, 324
secure distribution of, 325
service set identifier (SSID), 801–802, 814
Service Settings dialog box, 300
service ticket, 81, 825
services
adding custom service for ICS, 299–300
configuring for ICS, 298–299
disabling unneeded, 117
See also specific service
Services and Ports tab, 295
Session layer, OSI model, 238
session time, maximum, 525–527
setup security template, 97, 103
server cluster node, 643–644
sexual harassment, 26
Shamir, Adi, 864
share permissions, 788, 789
shared cluster disks, 659
shared-key authentication, 807
shared secret, 312
shared secret key cryptographies, 864
SharePoint, 20–21
Shinder, Debra Littlejohn, 800
Shiva Corporation, 509
Shiva Password Authentication Protocol (SPAP)
disabling, 509–511
for IAS authentication, 314
shortest path first (SPF), 225
show helper command, 235
SID. See security identifier (SID)
signature files, 117
signatures. See digital signatures
Simple Mail Transport Protocol (SMTP), 66, 68–69
simple query test, 413
single host filtering mode, 679
single-instancing, 786
single node server cluster model, 644–645
single point of failure, 407
single quorum device server cluster model
described/illustrated, 645–646
N-node failover pairs deployment option, 648–649
SLA (Service Level Agreement), 26–27
slave drive, 565
sliding window, 198
SLIP (Serial Line Internet Protocol), 488
Small Computer System Interface (SCSI) interface, 565, 643–644
smart cards
authentication in PKI, 897
authentication, process of, 898
EAP-TLS supports, 317
implementing/using, 900–903
logon, deploying, 898–899
overview of, 897–898
PKI and, 908
readers, 899
for remote access strategy, 514
for remote access VPNs, 903–905
Terminal Server logon with, 906
Windows 2000 support of, 81
Windows logon with, 899
SMB (Server Message Block), 646
SMS (Systems Management Server), 4, 759
SMTP (Simple Mail Transport Protocol), 66, 68–69
SOA record. See Start of Authority (SOA) record
soft association, 764
software
network testing, 30–31
performance testing, 46–47
software router, 290
Software Update Services (SUS), 837–847
configuring clients with Group Policy, 844–845
configuring clients with Local Security Policy, 843–844
installing, 838–839
parts of, 852
setting options, 845–846
using, 839–843
Software Update Services (SUS) server component
downloading updates, 840–841
function of, 852
required for SUS, 838
setting options for, 845–847
synchronizing, 839–840
source address, 212
SPA (Secure Password Authentication), 128–129
spam, filtering, 17
SPAP. See Shiva Password Authentication Protocol (SPAP)
Special Permissions option, 789
speed-buffering bridge, 242
speed, wireless equipment, 501
SPF (shortest path first), 225
SPF tree, 231
SPI (Security Parameters Index), 720, 721
spindle count, 566
split-brain
majority node set and, 647
quorum resource to prevent, 644
split DNS configuration
described, 398–399
for DNS security, 411
split horizon, 229
split horizon with poison reverse, 229
split seek, 568
split WINS registrations, 444, 467
SPN (server principal name), 800
spoofing, 812
SQL Server
function of, 68
security features of, 127–128
username/password in, 128
SRV (service locator record), 343, 362
SSID. See service set identifier (SSID)
stack, protocol, 149
stand-alone CAs
CA security and, 885
overview of, 882–883
use of, 72
Start of Authority (SOA) record
of resource record, 343–344
in reverse lookup zone, 356
troubleshooting host name resolution and, 456
zone transfer and, 378–379
stateful filtering, 751
static access control, 782–784
static address pool, 490
static IP address, 666
static IP route, 251–252
static mappings
for redirection attack protection, 450
static WINS entries, 438–439, 467
summary of, 465
troubleshooting, 458
static router, 246–251
static routing, 220–222, 245
static WINS entries, 438–439
statistics, IPSec, 753–755
stealth servers, 374, 411
storage, data, 21–23
storage device
node connected to, 643
for server cluster, 659–662
single quorum device and, 645
streaming media server, 57
streaming media services, 26
striping. See RAID 0
striping with parity. See RAID 5
strong passwords
elements of, 118–119
Group Policy to enforce, 785
stub zone
for child domain authority, 347
for disjointed namespace, 365–366
zone replication planning and, 383
subdomain, 364–365
Subinacl.exe, 830
subnet masks
custom, 179–180
with private addressing, 214
standard, 178–179
subnets
ANDing/binary numbering, 175–177
CIDR and, 180–181
classful addressing, 173–175
schemes, creating, 173
subnetting networks, 177–180
subordinate CAs, 72, 872
subtype
defining on client computer, 809–810
defining on domain controller, 808–809
Success Audit event type, 585
superseded templates, 890
supplicant, 804–806
SUS. See Software Update Services (SUS)
switches
authenticating with IAS, 318
segment/port switching, 242–243
types of, 244
UPSs for, 625
switching hub, 240, 243
symmetric key encryption, 864
/sync parameter, 136
Synchronization Log, 841–842
syskey (System Key Utility), 786
system access control list (SACL), 783, 784
System Key Utility (syskey), 786
System log, Event Viewer, 584–585
System Monitor
console, creating, 580–584
described, 195, 196–197
log data, viewing, 576–578
to monitor IAS, 313
overview of, 626
Performance console for monitoring DNS server, 415–416
for servers, using, 570–580
System Overview counter log, 574–576
system performance comparisons with, 578–579
System Overview counter log, 574–576
system requirements, 79–80
System Services, 94
system state data, 600–601
Systems Management Server (SMS), 4, 759