The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts.
1. I can't find the Security Configuration Manager. Where is it?
2. Why can't I locate IIS on my newly installed Windows Server 2003?
3. The settings in the secure*.inf template don't provide for certain settings we need to use on our network. What's the best way to deal with this?
4. After I've analyzed security settings in the Security Configuration and Analysis snap-in, I want to apply these settings to 35 computers on our domain. How can I specify which computers to configure?
5. I want to check three servers that we recently upgraded from Windows NT 4.0 SP6a against our current security settings. What's the best way to do that?
6. What's the best way to secure a server that is running as both a DC and a DHCP server?

Answers
1. The Security Configuration Manager is also known as the Security Configuration Tool Set and consists of a set of tools available in Windows Server 2003 for managing security. These tools include the Security Configuration and Analysis snap-in to the MMC, the Security Templates snap-in to the MMC, the secedit tool, Security Extensions to Group Policy, the secedit.exe command, and the downloadable Microsoft Baseline Security Analyzer.
2. IIS is no longer installed by default on Windows Server 2003. This provides much better baseline security. As a best practice, remove all unused installations of IIS on computers to reduce security risks.
3. In the Security Templates snap-in, you can open the secure*.inf template, save it with a different name (secure2.inf, for example), and make whatever modifications you need to the template. Make sure you thoroughly test the results, however, because the predefined templates are set to create the most secure environment possible, and modifications might expose your network to security problems.
4. The Security Configuration and Analysis snap-in is used to analyze and configure settings, but it cannot be used to apply settings to remote computers. You can use the secedit.exe command in a batch file or scheduled task to automate the process, or you can apply the template via Security Extensions to Group Policy. Using the gpupdate command-line utility will force a refresh of policies without waiting for the specified refresh interval to elapse.
5. Since the computers were upgraded to Windows Server 2003, you can run the Security Configuration and Analysis snap-in to check security. You can use the Setup security.inf template for analysis to check current settings against the baseline settings. You could also download and use the Microsoft Baseline Security Analyzer, which will identify security misconfigurations and any patches, updates, or hotfixes that are available but not applied to the system. You could also use the secedit.exe command with the /analyze switch to analyze the servers in question. You could automate this task so it occurs during off-peak hours by running a scheduled task that calls the secedit.exe utility.
6. The DC security.inf template is applied to the server when it is promoted to a DC. You might also be able to apply the securedc.inf template to the server, depending on your down-level clients on the domain. In some cases, using the hisecdc.inf template might make sense in very sensitive network settings such as financial or medical, but again, down-level clients will determine the security settings you'll be able to implement.
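
The secedit.exe analysis and scheduled-task automation described in answers 4 and 5, sketched as a batch file. This is an added example, not code from the book; the working folder C:\SecAudit, the task name SecAnalyze, the 02:00 start time, the default templates folder, and the assumption that the analysis log marks differing settings with the word "Mismatch" are illustrative choices.

```batch
@echo off
rem Added example: compare this server's settings with a security template.
rem Assumed (not from the original text): C:\SecAudit, task name SecAnalyze,
rem a 02:00 start time, and the template in the default templates folder.
setlocal

set "WORKDIR=C:\SecAudit"
set "TEMPLATE=%windir%\security\templates\setup security.inf"
set "DB=%WORKDIR%\%COMPUTERNAME%.sdb"
set "LOG=%WORKDIR%\%COMPUTERNAME%-analyze.log"

rem "script.cmd /schedule" registers the nightly run instead of analyzing now.
if /i "%~1"=="/schedule" goto :schedule

if not exist "%WORKDIR%" mkdir "%WORKDIR%"
if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 2
)

rem Remove old results so the database is rebuilt from the template and the
rem log only describes this run.
if exist "%DB%" del "%DB%"
if exist "%LOG%" del "%LOG%"

rem /analyze only reports differences; it does not change any setting.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /quiet
if errorlevel 1 echo secedit exit code %errorlevel%; review %LOG%

if not exist "%LOG%" (
    echo No analysis log was written; the analysis did not run.
    exit /b 1
)

rem The log is written as Unicode; piping it through "type" lets find read it.
rem Assumption: differing settings are logged with the word "Mismatch".
set "COUNT=0"
for /f %%C in ('type "%LOG%" ^| find /c /i "Mismatch"') do set "COUNT=%%C"
echo %COMPUTERNAME%: %COUNT% setting(s) differ from the template. See %LOG%

rem A nonzero exit code lets a wrapper or monitoring job flag this server.
if not "%COUNT%"=="0" exit /b 3
exit /b 0

:schedule
rem Run this same script every night at 02:00 under the SYSTEM account.
schtasks /create /tn "SecAnalyze" /tr "\"%~f0\"" /sc daily /st 02:00:00 /ru SYSTEM
exit /b %errorlevel%
```

To apply a template rather than analyze against it, the same database and template arguments are passed to `secedit /configure` in place of `secedit /analyze`, after testing the template as answer 3 advises.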