Active Directory is an X.500-compatible directory service that uses the LDAP protocol.
Active Directory is organized in a hierarchical structure modeled on the Domain Name System (DNS) arrangement.
Domains at the root of the forest automatically establish two-way transitive trusts between them, unlike previous versions of Windows NT.
Child domains and their parent domain automatically establish two-way transitive trusts between them as well.
Group Policy applied to an object is processed in the following order (by default): local, site, domain, organizational unit.
The key components of the Security Configuration tool set are Security templates, Group Policy security configuration objects, the Security Configuration and Analysis snap-in, and command-line tools.
The Security Configuration and Analysis snap-in creates, configures, and tests security scenarios. You can create text-based .inf files that contain security settings. You can apply these files to the computer or save them for later use.
Microsoft provides templates for configuring security. Default and incremental templates are available. Default templates are applied during a fresh install only. The incremental templates provide additional security above the defaults.
Secedit.exe allows us to configure security from the command prompt.
The Security Templates snap-in allows us to view and customize the template files stored in %windir%\security\templates.
Account policies define password policy, account lockout policy, and Kerberos policy.
Local policies include the audit policy, user rights assignment, and security options.
Event Log Configuration settings allow you to configure the length of time logs are retained as well as the size of the Event Logs.
The Restricted Groups setting configures group membership and group nesting.
Registry Policy sets permissions on Registry keys.
The File System Security setting configures NTFS permissions for all local drives.
The System Services setting controls the startup policy for all local services.
The Security Configuration and Analysis snap-in can be used to deploy a security template to a local machine.
Security settings can be deployed to a domain or OU via the security settings in a Group Policy object.
You can deploy security templates across the network using the secedit.exe tool in a script or batch file.
Compare security policies in the template with the actual state of the local machine. This practice allows administrators to see the differences before they apply the policy.
Use Security Configuration and Analysis to view the results of an analysis in a graphical format.
Use the secedit.exe tool to analyze security settings from the command prompt. This tool can be useful if combined with a script or batch file to automatically scan large numbers of computers.
After differences in settings have been identified, you can determine the next course of action.
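The comparison of a template against a machine's actual settings can also be done offline on the text files themselves. The following is an added example, not code from this page or from Microsoft: it assumes the machine's settings were exported with `secedit /export /cfg` and decoded to text, and the sample values and the `load_inf` and `compare` helpers are constructed for illustration.

```python
import configparser

# Constructed sample: a fragment of a security template (.inf), the
# text-based format that the snap-in and secedit.exe work with.
TEMPLATE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed sample: settings exported from a machine (assumed to come
# from `secedit /export /cfg current.inf`, already decoded to str).
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
"""

def load_inf(text):
    """Parse .inf text into {section: {setting: value}}, keeping key case."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # do not lower-case setting names
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}

def compare(template_text, current_text, skip=("Unicode", "Version")):
    """Return (section, setting, template_value, machine_value_or_None)
    for every template setting that the machine does not match."""
    template, current = load_inf(template_text), load_inf(current_text)
    findings = []
    for section, settings in template.items():
        if section in skip:  # file-format headers, not security settings
            continue
        for name, wanted in settings.items():
            actual = current.get(section, {}).get(name)
            if actual != wanted:
                findings.append((section, name, wanted, actual))
    return findings

if __name__ == "__main__":
    for section, name, wanted, actual in compare(TEMPLATE_INF, CURRENT_INF):
        state = "not defined" if actual is None else actual
        print(f"[{section}] {name}: template={wanted} machine={state}")
```

A setting reported with a machine value of `None` is one the template defines but the export does not contain, which is worth reviewing separately from a plain mismatch.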