Microsoft Windows Server 2003 provides many security features to protect data on your network. We looked at share and NTFS permissions in this chapter. Using user groups to provide different access levels to network shares is discussed as part of the security overview that is provided in Chapter 20, "A Network Security Primer".
Windows Server 2003 provides a tool named the Group Policy snap-in that allows you to control a number of security features, including strong password protection and Kerberos authentication. The Kerberos protocol (which supplies Kerberos authentication) uses a system of tickets to authenticate users logging on and requesting services on the .NET network. Each domain controller in the Windows Server 2003 domain acts as a key distribution center. When a user logs on, the domain controller that authenticates the user's client account provides the user with a ticket-granting ticket.
When the client wishes to access a particular resource on the network, such as a file server, the client presents its ticket-granting ticket to a key distribution center (any of the domain controllers) and requests that it be provided a ticket-granting service ticket to access a particular resource.
Once the ticket-granting service ticket has been provided to the client by the key distribution center, the client supplies the ticket-granting service ticket to the resource server it wishes to access. The resource server then grants access to the resource. All of this ticket action, of course, is at the machine level and is not something that users or administrators will actually see taking place.
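The following Python sketch models the three-step ticket flow described above. It is an added example, not code from the book or from Windows. It is a simplified model: tickets are sealed with an HMAC in place of Kerberos encryption, session keys and authenticators are omitted, and the keys, function names, and service names are hypothetical.

```python
import hashlib
import hmac
import json
import time

# Constructed keys for the demo; a real domain derives these from account secrets.
KDC_KEY = b"constructed-kdc-key"
SERVICE_KEYS = {"fileserver": b"constructed-fileserver-key"}


def seal(key, claims):
    """Serialize claims and append an HMAC so only a key holder can mint or alter them."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def unseal(key, ticket, now=None):
    """Return the claims if the MAC verifies and the ticket is unexpired, else None."""
    body, _, mac = ticket.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(body)
    current = time.time() if now is None else now
    return claims if claims["expires"] > current else None


def kdc_logon(user, lifetime=600):
    """Step 1: after the account is authenticated (not modeled), the KDC issues a TGT."""
    return seal(KDC_KEY, {"user": user, "kind": "tgt", "expires": time.time() + lifetime})


def kdc_request_service_ticket(tgt, service):
    """Step 2: the KDC checks the TGT and issues a ticket sealed for one service."""
    claims = unseal(KDC_KEY, tgt)
    if claims is None or claims.get("kind") != "tgt" or service not in SERVICE_KEYS:
        return None
    return seal(SERVICE_KEYS[service], {"user": claims["user"], "service": service,
                                        "expires": claims["expires"]})


def server_accept(service, ticket, now=None):
    """Step 3: the resource server validates the ticket with its own key, offline."""
    claims = unseal(SERVICE_KEYS[service], ticket, now)
    if claims is None or claims.get("service") != service:
        return None
    return claims["user"]
```

The resource server never contacts the key distribution center in step 3: it trusts the ticket only because the seal verifies under a key it shares with the KDC, which is why a modified, expired, or wrong-type ticket is rejected.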
Group Policy is definitely an advanced feature of Windows Server 2003, and teaching you all the ins and outs of Group Policy is beyond the scope of this book; however, I mention it to let you know that all the network operating systems that you work with (including Windows Server 2003) have been strengthened over the years to provide protection against network hackers and attacks.
The Group Policy feature secures a particular property using a policy. For example, if the strong password policy is enabled, passwords must meet the following minimum requirements:
All the Group Policy settings for a domain can be viewed using Group Policy Management, which is shown in Figure 9.12. Individual policy objects such as the password policy have been discussed in this section.
Figure 9.12. Group Policy Management allows you to view the policies affecting domain security and other features.
To actually edit the policies for the domain (such as the strong password policy), you right-click the Domain policy in Group Policy Management and then select Edit.
Figure 9.13 shows the Group Policy Object Editor. It would be used to enable the password policy. This would affect all the computers in the domain since it is a domain policy.
Figure 9.13. The Group Policy Object Editor allows you to enable policies that affect network computers.
Administering a network operating system such as Windows Server 2003 requires an understanding of all the tools and features provided by the NOS. Being able to configure group policies is as important as being able to add users and configure file and print servers. A good way to learn a particular NOS is to set up a test network that allows you to configure servers so that the mistakes and changes that you make while learning don't actually affect a production network. Another good way to learn about a particular network operating system is to pursue a certification for that NOS.