Exam Objectives Fast Track

Hardening a desktop machine refers to the process of securing the default operating system installation to make the system more resilient against malicious or unintentional damage by end users or network attackers .

You can reduce the likelihood that your network clients will be targeted by attackers if you reduce the number of services that they are running; for example, disable the workstation version of IIS on any client computers that dont have a need to be running it.

With the proliferation of viruses and worms showing no signs of stopping, a client security strategy needs to include measures for consistent anti-virus protection, as well as a patch management strategy to keep all of your network clients up to date with critical software updates.

Windows 2000, XP, and Server 2003 machines operating in an Active Directory domain will use Kerberos version 5 as their default authentication protocol. Down-level clients and servers, or machines functioning in a workgroup environment, will use NTLM version 2.

You can use Group Policy Objects (GPOs) to mandate the authentication protocol in use on your network.

Digest Authentication will allow you to use Active Directory credentials for Web authentication, but password information needs to be stored using reversible encryption, which means that DCs need to be subject to tight physical security controls.

Remote access policies can be used to restrict RAS connections based on any number of factors, including Windows group memberships, day and time restrictions, connection type, and encryption strength.

Windows Server 2003 has improved L2TP/IPSec so that it can now perform NAT traversal natively for Server 2003, and with a free software update for Windows 2000 and XP machines.

Two new features that will help secure the remote access process are Network Access Quarantine Control and the Remote Access Lockout feature. Network Access Quarantine will restrict remote user connectivity until their computer configuration can be verified as secure and virus free, while Remote Access Lockout will prevent a malicious user from using RAS resources to perform a dictionary attack against Active Directory accounts.