Index_S


S

S/MIME (Secure/Multipurpose Internet Mail Extensions), 881

SA. See Security association (SA)

SACL (system access control list), 783, 784

Safe Mode boot, 614

scalability, 16, 309

scale of nines, 618

scanning, 834

scavenging

of DNS records, 391–392

of WINS records, 446–447

schedule

deployment, 29

network planning and, 18–19

test, 34–35

schema

disabling objects, 89

function of, 60

securing, 790

Schema Admins group, 790

schema master, 60

Schlumberger smart cards, 899

scope

AD-integrated replication scope, 379–382

group scope, 792

of services, SLAs and, 27

SCSI-based controllers, 659

SCSI (Small Computer System Interface) interface, 565, 643–644

secedit /analyze command, 100–101, 828–829

secedit /configure command

function of, 100, 828

syntax for/parameters of, 101

secedit /export command

function of, 100, 828

syntax for/parameters of, 102

secedit /GenerateRollback command

function of, 100, 829

syntax for/parameters of, 102–103

secedit /import command

function of, 100, 828

syntax for/parameters of, 102

Secedit utility

for applying security settings, 139

commands, 100–103

function of, 99

for security templates, 828–829

for template settings, 140

secedit /validate command

function of, 100, 829

syntax for/parameter of, 102

second-generation (2G), 804

secondary server, 347–348, 373

secure dynamic updates

BIND support of, 397

enabling, 389

GSS-TSIG and, 391

Secure/Multipurpose Internet Mail Extensions (S/MIME), 881

Secure Password Authentication (SPA), 128–129

Secure Server IPSec policy, 733

securedc template, 97

securews template, 97

security

AD structure and, 44

CA, planning, 885

configurations, deploying, 134–136

of Connection Manager, 324–325

for DDNS and DHCP, 389–391

DNS namespace design and, 357–358

DNS security issues, 404–412, 463

IPSec, 761–764

with Layer 4 switches, 244

levels for IPSec, 727–728

NAT limitations, 215

network authentication and, 45

network planning and, 15–16

for NLB cluster, 690–691

with private root zone, 367

protocols and, 150

remote access security, 505–514, 531

reverse lookup zones and, 353

RSoP and, 766–767

of server clusters, 667–669

VPN encryption protocols, 307–308

of WINS, 449–451

wireless encryption and, 504–505

for zone replication, 382

See also authentication; baseline security; routing security; server security; wireless security

security, AD. See Active Directory (AD) security

Security association (SA)

data transit and, 714

defined, 713

IPSec, 258

IPSec driver and, 725–726

main mode, 714

overview of, 770

process, 713–714

Security Configuration and Analysis

analyzing computer with, 103–108

to apply security templates, 109

for custom security templates, 131, 140

for security templates, 827–828

tasks performed with, 98

security descriptors, 782–783

security framework, 782–847

Active Directory security, 782–800

change and configuration management framework, 830

monitoring/optimizing security, 817–829

security update infrastructure, 830–847

summary of, 848

wireless security, 801–816

security groups, 86–87

security identifier (SID)

filtering, 793

relative ID master and, 60

in user authentication, 800

Security log, 584

Security log settings, 823

Security Parameters Index (SPI), 720, 721

security policies

account lockout policies, 826

Kerberos policies, 825–826

password policies, 824–825

security templates, 827–829

setting, 823–824

settings, 134–135

user rights, 826–827

security principals, 60, 795

Security properties, IAS, 310–311

security requirements

configurations for, 93–94

identifying, 91–93

security settings, enforcing, 109–112

Security Settings extension to Group Policy, 827

Security tab, 254–255

security templates

applying, 109–112

custom, creating, 131–134

custom, tools for, 139–140

planning secure baseline installation parameters, 103–108

summary of, 137

tools for, 827–829

security templates and tools, 94–103

Group Policy Object Editor, 99

policies/settings, 94–95

predefined templates, 95–97

Secedit utility, 99–103

Security Configuration and Analysis tool, 98

Security Templates MMC snap-in

for creating/editing templates, 94–95

for custom security templates, 131–134, 140

security update infrastructure, 830–847

Microsoft Baseline Security Analyzer, 831–837

Microsoft Software Update Services, 837–847

Permcopy.exe, 830–831

security updates, importance of, 831

Subinacl.exe, 830

summary of, 850

segment switching, 242–243

segments, network, 149–150

sender authentication, 496–497

Sequence Number field, 720, 721

Serial Line Internet Protocol (SLIP), 488

server cluster

creating new, 653–654, 670–677

defined, 641

groups, resource types, 642–643

name resolution, 643

node failure, recovering from, 657

server cluster deployment options, 647–653

consideration of, 647

failover ring, 651–652

hot-standby server/N+1, 649–651

N-node failover pairs, 648–649

random, 652–653

server cluster models, 644–647

majority node set, 646–647

model most frequently used, 701

single node, 644–645

single quorum device, 645–646

server cluster nodes

described, 641–642

in failover ring, 651–652

failure, recovering from, 657

in hot-standby server/N+1 deployment option, 649–651

N-node failover pairs, 648–649

number of, 701

in random deployment option, 652–653

security of, 667–669

of single node model, 644–645

of single quorum device model, 645–646

server clustering, 641–677

administration, 653–656

cluster models, 644–647

cluster network configuration, 662–667

cluster node failure, recovering from, 657

creating new cluster, 670–677

deployment options, 647–653

hardware issues, 658–662

Network Load Balancing vs., 678

overview of, 640

questions/answers about, 701

relationship to NLB, 681–682

security, 667–669

summary of, 699–700

terminology/concepts, 641–644

Server IPSec policy, 733

server log files, 593

Server Message Block (SMB), 646

server principal name (SPN), 800

server roles, 54–77

application servers, 75–77

application servers, securing, 130

certificate authorities, 69–75

certificate authorities, securing, 129

database servers, 68

database servers, securing, 127–128

DHCP, DNS, WINS servers, 63–65

DHCP, DNS, WINS servers, securing, 125–126

domain controllers, 58–62

domain controllers, securing, 121–122

file and printer servers, 62–63

file servers, securing, 121–124

mail servers, 68–69

mail servers, securing, 128–129

Manage Your Server tool, 54–58

print servers, securing, 124–125

security issues of all server roles, 113–121

security requirements and, 93–94

summary of, 137

terminal servers, 78

terminal servers, securing, 130–131

Web servers, 65–68

Web servers, securing, 126–127

server room, 114

server security, customizing, 113–136

for application servers, 130

for certificate authorities, 129

custom security templates, 131–134

for database servers, 127–128

deploying security configurations, 134–136

for DHCP, DNS, WINS servers, 125–126

for domain controllers, 121–122

for file servers, 121–124

for mail servers, 128–129

for print servers, 124–125

security issues of all server roles, 113–121

summary of, 138

for terminal servers, 130–131

for Web servers, 126–127

server security strategy

configurations for security requirements, 93–94

in general, 78–79

operating system, choosing, 79–90

security requirements, identifying, 91–93

summary of, 137, 138

servers

for Internet Authentication Protocol, 309–310

monitoring with System Monitor tool, 570–580

placement/performance of, 197–198

smart cards and, 898

upgrades, 43

virtualization, 625

Service Level Agreement (SLA), 26–27

service locator record (SRV), 343, 362

service logs, 593

service packs, 115–117

service profiles

with CMAK, 320–323

options of, 328

preventing editing of, 324

secure distribution of, 325

service set identifier (SSID), 801–802, 814

Service Settings dialog box, 300

service ticket, 81, 825

services

adding custom service for ICS, 299–300

configuring for ICS, 298–299

disabling unneeded, 117

See also specific service

Services and Ports tab, 295

Session layer, OSI model, 238

session time, maximum, 525–527

setup security template, 97, 103

server cluster node, 643–644

sexual harassment, 26

Shamir, Adi, 864

share permissions, 788, 789

shared cluster disks, 659

shared-key authentication, 807

shared secret, 312

shared secret key cryptographies, 864

SharePoint, 20–21

Shinder, Debra Littlejohn, 800

Shiva Corporation, 509

Shiva Password Authentication Protocol (SPAP)

disabling, 509–511

for IAS authentication, 314

shortest path first (SPF), 225

show helper command, 235

SID. See security identifier (SID)

signature files, 117

signatures. See digital signatures

Simple Mail Transport Protocol (SMTP), 66, 68–69

simple query test, 413

single host filtering mode, 679

single-instancing, 786

single node server cluster model, 644–645

single point of failure, 407

single quorum device server cluster model

described/illustrated, 645–646

N-node failover pairs deployment option, 648–649

SLA (Service Level Agreement), 26–27

slave drive, 565

sliding window, 198

SLIP (Serial Line Internet Protocol), 488

Small Computer System Interface (SCSI) interface, 565, 643–644

smart cards

authentication in PKI, 897

authentication, process of, 898

EAP-TLS supports, 317

implementing/using, 900–903

logon, deploying, 898–899

overview of, 897–898

PKI and, 908

readers, 899

for remote access strategy, 514

for remote access VPNs, 903–905

Terminal Server logon with, 906

Windows 2000 support of, 81

Windows logon with, 899

SMB (Server Message Block), 646

SMS (Systems Management Server), 4, 759

SMTP (Simple Mail Transport Protocol), 66, 68–69

SOA record. See Start of Authority (SOA) record

soft association, 764

software

network testing, 30–31

performance testing, 46–47

software router, 290

Software Update Services (SUS), 837–847

configuring clients with Group Policy, 844–845

configuring clients with Local Security Policy, 843–844

installing, 838–839

parts of, 852

setting options, 845–846

using, 839–843

Software Update Services (SUS) server component

downloading updates, 840–841

function of, 852

required for SUS, 838

setting options for, 845–847

synchronizing, 839–840

source address, 212

SPA (Secure Password Authentication), 128–129

spam, filtering, 17

SPAP. See Shiva Password Authentication Protocol (SPAP)

Special Permissions option, 789

speed-buffering bridge, 242

speed, wireless equipment, 501

SPF (shortest path first), 225

SPF tree, 231

SPI (Security Parameters Index), 720, 721

spindle count, 566

split-brain

majority node set and, 647

quorum resource to prevent, 644

split DNS configuration

described, 398–399

for DNS security, 411

split horizon, 229

split horizon with poison reverse, 229

split seek, 568

split WINS registrations, 444, 467

SPN (server principal name), 800

spoofing, 812

SQL Server

function of, 68

security features of, 127–128

username/password in, 128

SRV (service locator record), 343, 362

SSID. See service set identifier (SSID)

stack, protocol, 149

stand-alone CAs

CA security and, 885

overview of, 882–883

use of, 72

Start of Authority (SOA) record

of resource record, 343–344

in reverse lookup zone, 356

troubleshooting host name resolution and, 456

zone transfer and, 378–379

stateful filtering, 751

static access control, 782–784

static address pool, 490

static IP address, 666

static IP route, 251–252

static mappings

for redirection attack protection, 450

static WINS entries, 438–439, 467

summary of, 465

troubleshooting, 458

static router, 246–251

static routing, 220–222, 245

static WINS entries, 438–439

statistics, IPSec, 753–755

stealth servers, 374, 411

storage, data, 21–23

storage device

node connected to, 643

for server cluster, 659–662

single quorum device and, 645

streaming media server, 57

streaming media services, 26

striping. See RAID 0

striping with parity. See RAID 5

strong passwords

elements of, 118–119

Group Policy to enforce, 785

stub zone

for child domain authority, 347

for disjointed namespace, 365–366

zone replication planning and, 383

subdomain, 364–365

Subinacl.exe, 830

subnet masks

custom, 179–180

with private addressing, 214

standard, 178–179

subnets

ANDing/binary numbering, 175–177

CIDR and, 180–181

classful addressing, 173–175

schemes, creating, 173

subnetting networks, 177–180

subordinate CAs, 72, 872

subtype

defining on client computer, 809–810

defining on domain controller, 808–809

Success Audit event type, 585

superseded templates, 890

supplicant, 804–806

SUS. See Software Update Services (SUS)

switches

authenticating with IAS, 318

segment/port switching, 242–243

types of, 244

UPSs for, 625

switching hub, 240, 243

symmetric key encryption, 864

/sync parameter, 136

Synchronization Log, 841–842

syskey (System Key Utility), 786

system access control list (SACL), 783, 784

System Key Utility (syskey), 786

System log, Event Viewer, 584–585

System Monitor

console, creating, 580–584

described, 195, 196–197

log data, viewing, 576–578

to monitor IAS, 313

overview of, 626

Performance console for monitoring DNS server, 415–416

for servers, using, 570–580

System Overview counter log, 574–576

system performance comparisons with, 578–579

System Overview counter log, 574–576

system requirements, 79–80

System Services, 94

system state data, 600–601

Systems Management Server (SMS), 4, 759




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
