Exam Objectives Fast Track

Configuring Role-Based Security

  • Each specific type of Windows 2000 server in your network can and should be configured with role-specific security settings. These settings can be applied in several ways, for example with security templates, the IIS Lockdown tool, or the URLScan tool.

  • The IIS Lockdown tool includes a variety of preconfigured templates that can be used to flexibly configure IIS settings on your Windows 2000 servers to prevent them from being easy attack targets.

Creating Secure Workstations

  • Workstations and portable computers should have their Data Recovery Agent certificate and private key exported to a secure location.

  • Portable computers should use the Encrypting File System on all sensitive files. Furthermore, the amount of sensitive material contained on a portable computer should be minimized as much as possible.

Security Template Application Issues

  • Problems with security templates (Group Policy) will usually appear in the Event Log.

  • Logging levels for Directory Service events can be increased to help track down problematic areas with Group Policy.

  • The gpresult.exe tool, available as part of the Windows 2000 Resource Kit, can be used to quickly get extremely detailed information about the security and Group Policy settings in effect on a specific computer.

  • Upgrade installations from Windows NT 4.0 to Windows 2000 can cause problems when applying security templates due to the differences in the Windows NT 4.0 and Windows 2000 Registry and File System ACLs. These are not updated during the operating system upgrade. To remedy this issue, you can either opt to perform a clean install (usually preferred over upgrades) or apply the setup security.inf security template to the upgraded computer using the Security Configuration and Analysis snap-in.

Securing Server Message Block Traffic

  • Server Message Block (SMB) traffic can be digitally signed to prevent man-in-the-middle attacks and message attacks.

  • Both client and server must be configured for at least the same minimum level of SMB signing in order for a session connection attempt to succeed.

  • SMB signing is configured from the Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options node of the Group Policy window. Additionally, you can configure this setting using the various security templates that are provided with Windows 2000.
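
The compatibility rule in the bullets above can be checked before templates are deployed. The following is an added example, not code from the study guide: it reads the [Registry Values] section of two security templates and predicts whether a client/server pair will connect signed, connect unsigned, or be refused. The helper names, the constructed sample templates, the treatment of undefined values as off, and the simplified model in which "required" implies "capable" are assumptions of this sketch.

```python
# Added example: predicts the SMB signing outcome for two security templates.
BASE = r"machine\system\currentcontrolset\services"
PARAMS = {"server": BASE + r"\lanmanserver\parameters",
          "client": BASE + r"\lanmanworkstation\parameters"}

def registry_values(inf_text):
    """Return {lower-cased value path: int} for REG_DWORD lines in [Registry Values]."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or template comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            path, data = line.split("=", 1)
            reg_type, _, value = data.partition(",")
            if reg_type.strip() == "4":   # 4 = REG_DWORD
                values[path.strip().lower()] = int(value.strip().strip('"'))
    return values

def signing_level(inf_text, role):
    """Return (capable, required) for role 'server' or 'client'."""
    vals = registry_values(inf_text)
    # Assumption: a value the template leaves undefined counts as 0 (off).
    enabled = vals.get(PARAMS[role] + r"\enablesecuritysignature", 0) == 1
    required = vals.get(PARAMS[role] + r"\requiresecuritysignature", 0) == 1
    return enabled or required, required   # assumption: "required" implies capable

def session_outcome(client_inf, server_inf):
    """Return 'signed', 'unsigned' or 'refused' for this client/server pair."""
    c_can, c_req = signing_level(client_inf, "client")
    s_can, s_req = signing_level(server_inf, "server")
    if (c_req and not s_can) or (s_req and not c_can):
        return "refused"                  # one side demands signing, the other cannot
    return "signed" if c_can and s_can else "unsigned"

def template(role, enable, require):
    """Build a constructed (not vendor-supplied) minimal template for the demo."""
    key = PARAMS[role]
    return (f"[Version]\nsignature=\"$CHICAGO$\"\n[Registry Values]\n"
            f"{key}\\EnableSecuritySignature=4,{enable}\n"
            f"{key}\\RequireSecuritySignature=4,{require}\n")

if __name__ == "__main__":
    hardened_server = template("server", 1, 1)
    for name, client in [("sign if server agrees", template("client", 1, 0)),
                         ("signing off", template("client", 0, 0))]:
        print(name, "->", session_outcome(client, hardened_server))
```

A "refused" result for a planned pairing means the server template would lock out clients that still have signing turned off, so those clients need their template applied first.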



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
