AAA (authentication, authorization, accounting) Model, 639
ABR (area border routers), 419
Acceptable Use Policy (AUP), 45
access
anonymous, 109-110
default IIS options, 377
Deny Access to This Computer from the Network right, 466
group strategy for accessing resources, 490-495
Network Access Quarantine Control and, 670
registry, securing, 615
removable media, 108
user, securing, 615
wireless using IAS, 669
access control. see also data access control
audit requirement analysis, 534-541
domain local groups and, 520
files/folders design strategy, 617
registry access control, 541-553
access control entries (ACEs), 513-514
Access Control List Editor, 533
Access Control Lists (ACLs)
NTFS/share permissions, 455-457, 496
data access and, 509
overview of, 513
access control strategy
account security policies, 463-474
administrative and service accounts, 460-462
auditing user account activity, 480-486
delegation strategy, 487-490
for directory services, designing, 454-457, 499
important points about, 496
password policies, designing, 462
password security, 474-480
rights/permissions, assigning, 458-460
risks to directory services, 457-458
access design strategy, 455
Access This Computer from the Network right, 464
accidental network access, 317, 343
Account Group/ACL (AG/ACL), 517-518, 621-622
Account Group/Resource Group (AG/RG), 518
Account lockout duration setting, 479
Account Lockout policy
creating, 478-480
duration, 68
password security and, 477
Restricted groups, 470-472
scenario, 503-504
user rights assignments, 463-470
Account lockout threshold setting, 479
account logon event, 537-538
account policies, 67-69, 145
account security policies
implementing via Group Policy, 463
Kerberos policy, creating, 472-474
Restricted groups, 470-472
user rights assignments, 463-470
accounts
administrator, 645
local system, 512
naming conventions, securing, 646
user, securing, 645-646
ACEs (access control entries), 513-514
ACL. see Access Control Lists
Act as Part of the Operating System right, 464
Active Directory (AD)
certificate templates and, 188
DNS RR in, 302-303
domains, 133
IAS servers and, 666
IPSec policy stored in, 273-274
for network infrastructure security, 246
role-based delegation with, 198
WLAN network infrastructure requirement, 322
Active Directory Client Services extensions, 74-75
Active Directory security
access control strategy for directory services, 454-457
account security policies, 463-474
administrative and service accounts, 460-462
auditing user account activity, 480-486
delegation strategy, 487-490
group strategy for accessing resources, 490-495
overview of, 454
password policies, designing, 462
password security, 474-480
rights/permissions, assigning, 458-460
risks to directory services, 457-458
Active Directory Users and Computers Snap-in
Account Lockout policy creation with, 479-480
Audit policy creation with, 482
setting Password Complexity policy with, 477-478
Active Directory-Integrated zones, 300-301
ad hoc wireless network
described, 315
scenario, 347
when to use, 343
Add Workstations to the Domain right, 464
Adjust Memory Quotas for a Process right, 464
administration delegation strategy, 487-490
Administrative account, 461-462
administrative credentials, 283
administrative policies, 4
administrator accounts, 645, 646
administrators
authority delegation for, 197-199
credentials restriction of, 195-196, 231
delegation strategy, 487-490
securing tools for, 197-199
security policies for administrators/IT personnel, 197
advanced digest authentication, 385-386
Advanced Digest Security, 407
AG/ACL (Account Group/ACL), 517-518, 621-622
AG/RG (Account Group/Resource Group), 518
defined, 454
described, 491, 498, 512
nesting groups, 493-494
user rights and, 513
AGUDLP strategy, 491-492, 498
AH. see Authentication Header
AIA (Authority Information Access), 168-169. see also Authority Information Access
All ICMP Traffic filter list, 269
All IP Traffic filter list, 269
Allow automatic administrative logon, 611, 612
Allow floppy copy and access to all drives and all folders, 612
Allow Log On Locally right, 464-465
Allow Log On through Terminal Services right, 465
anonymous access restriction, 109-110
anonymous authentication, 362-364
anti-virus protection, 630
APIPA (Automatic Private IP Addressing), 421
Application server mode, Terminal Services, 202
application servers, 129, 131
application sharing security, 250251
application-layer attack, 248
Apply Group Policy permissions, 215
area border routers (ABR), 419
AS boundary router (ASBR), 420
ASP.NET
404 errors and, 406
IIS 6 authorization options, 388-389
IIS hardening and, 382
ASR. see Automated System Recovery
asymmetric encryption, 153-154. see also public key cryptography
ATM (Automatic Teller Machine), 153
attacks. see also specific type of attack
analysis of, 623
combating network, 18
external, motivations for, 22
network infrastructure security and, 247-249
nontechnical, 20
overview of, 39
recognizing indicators of, 27
risk analysis and, 510-511
threat to wireless networks, 317-318
Audit account logon events setting, 480
Audit account management setting, 481
Audit directory service access setting, 481
audit events, domain controller, 108
Audit logon events policy, 482-483
Audit logon events setting, 481
Audit object access setting, 481, 484-485
Audit policy
creating, 482
Group Policy for, 497
Manage Auditing and Security Log right, 468
on Web server, 501
what to include in, 503
Audit policy change setting, 481
Audit privilege use setting, 481
Audit process tracking setting, 481
audit requirement analysis, 534-541
Audit system events setting, 481
auditing
of account logon events, 537-538
attack indicators and, 27
of Directory Service access events, 538
enabling in IIS, 392-396
enabling on CA server, 181-183, 187
of logon events, 535-537
of object access events, 539
overview of, 615
of policy change events, 540
policy for, 620
practices for data security, 511
of privilege use events, 538-539
of process tracking events, 540
requirements analysis, 534-535
of system events, 539
auditing data analysis, 485-486
auditing user account activity
analyzing auditing data, 485-486
Audit policy, creating, 482
Auditing settings, 480481
logon events, 482-484
object access, 484-485
AUP (Acceptable Use Policy), 45
authentication
anonymous, 362-364
basic, 364-365
client design strategy, 639-640
client requirements analysis, 640-641
digest, 366-367
DLL for IIS security incident detection, 399
with EAP, 316
IEEE 802.1x, 347-348
IIS 6.0, 401
IIS certificate, 362-369, 400
IIS hardening and, 382
IIS RADIUS, 369-375
IIS user, 353-356
IIS Windows logon, 362-369
logical authentication strategy, designing, 165-167, 186-187
multifactor, 645
mutual, 647
network, 641-645
protocols for client access, 646-651
protocols overview, 671
protocols supported by IAS, 663-665
remotely managing wireless network, 348
selecting scope for users in trusts, 223-224
strategy for clients, 672
strong, 127
via SSL/TLS, 304, 305
for wireless networks, 328-336, 340
authentication data header, 261
Authentication Data, ESP authentication trailer, 263
authentication firewall, 224
Authentication Header (AH)
with ESP, 343
ESP vs., 259
function of, 339
IPSec modes and, 256-257, 260-261
IPSec packet protection with, 257-258
no confidentiality with, 263
authentication methods, 118, 254-255
authentication profiles, 658
authentication traffic digital signatures, 110-112
authority delegation, 197-199
Authority Information Access (AIA), 168-169
authorization framework, IIS 6.0, 388389
Authorization Manager snap-in, 533
authorization rules, role-based, 519
authorization, role-based, 519
Automated System Recovery (ASR)
vs. Emergency Management Console/Recovery Console, 621
when to use, 625
backup set, creating, 596-598
backup set, described, 595
automatic mode, IPSec driver, 279
Automatic Private IP Addressing (APIPA), 421
Automatic Teller Machine (ATM), 153
Automatic Updates, SUS, 632-633
autonomous system (AS), 420