Exam 70-214: Objective 1.3: Security Template Application Issues

Troubleshooting security settings can sometimes become a difficult process. Because security settings can be applied by both direct template application and by Group Policy, it is important to accurately determine all Group Policy objects that have been applied to the particular computer of concern. Before we get into looking at some problems and their solutions, remember that security in Windows 2000 depends on Group Policy. Legacy clients that are not receiving Group Policy will require special considerations.

Upgrade Installations

When computers are upgraded from Windows NT 4.0 to Windows 2000, the Windows NT 4.0 Registry and File System ACLs are not changed. This issue can lead to numerous problems when attempting to apply security templates (and several other security configurations) to these upgraded Windows 2000 computers. Fortunately, there is a fairly easy workaround. If you are having a problem with a computer and you know that it was an upgrade installation from Windows NT 4.0, you have two choices:

  • Perform a clean installation of Windows 2000, which is always better than upgrading. User files and settings can be migrated using the User State Migration Tool located at www.microsoft.com/windows2000/techinfo/reskit/tools/new/usmt-o.asp.

  • Apply the Setup Security.inf security template using the Security Configuration and Analysis snap-in.

Exercise 2.09 walks through the process of applying the Setup Security.inf template to an upgraded Windows NT 4.0 computer to correct the issue with Registry and File System ACLs. After you have applied this template, you should no longer have problems applying security templates unless you have other issues at hand. If all else fails, consider performing a clean installation on upgraded computers to remove this and any other issues the upgrade could cause.

Exercise 2.09: Applying the Setup Security Template

  1. Create a Security Console, as discussed in Exercise 1.01 of Chapter 1.

  2. Right-click Security Configuration and Analysis and select Open database from the context menu.

  3. Enter a name for the database and click Open.

  4. From the Import Template dialog box, select the Setup Security.inf security template, and then click Open.

  5. Right-click Security Configuration and Analysis and select Analyze computer now from the context menu.

  6. You can now look over the differences between the upgraded computer's current settings and those of the security template.

  7. Make any changes to the settings of the database that you desire.

  8. When you are ready to apply the database settings (the values of Setup Security.inf template and any changes you have made) to the upgraded computer, right-click Security Configuration and Analysis and select Configure computer now from the context menu.

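The same analyze-then-configure sequence can be scripted with secedit.exe, which ships with Windows 2000, so the comparison step is kept in a log before anything is applied. This is an added example, not part of the study guide; the database and log file names are assumptions, the template path is the default Windows 2000 location, and the "Mismatch" text searched for in the analysis log is an assumption to verify on your own host.

```powershell
# Added example: command-line equivalent of Exercise 2.09 using secedit.exe.
# Assumes an administrator command prompt on the upgraded computer.
$template = Join-Path $env:SystemRoot 'security\templates\setup security.inf'  # default location
$db       = Join-Path $env:SystemRoot 'security\database\upgrade.sdb'          # assumed name
$log      = Join-Path $env:SystemRoot 'security\logs\upgrade.log'              # assumed name

# Steps 2-5: import the template into a fresh database and analyze the computer
# against it. /analyze changes nothing on the machine; it only writes the log.
secedit /analyze /db $db /cfg "$template" /log $log /verbose

# Step 6: review the differences before applying anything. The log entries that
# flag a setting differing from the template are assumed to contain "Mismatch".
Select-String -Path $log -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# Step 8: apply the database (the template plus any edits made to it) to the
# computer. Run this only after the mismatch list above has been reviewed.
secedit /configure /db $db /log $log /verbose
```

Because Setup Security.inf resets Registry and file system ACLs to installation defaults, keep the analysis log from the first run as a record of what the upgrade had left behind.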

Legacy Client Issues

Legacy clients cannot receive Group Policy settings, and thus they cannot receive the security configurations you have so carefully crafted for them. The most integration that legacy clients can hope to achieve is realized by installing the Directory Services (DS) client. The client for Windows 95 and 98 is located on the Windows 2000 Server CD-ROM in the CLIENTS\WIN9X directory. The client for Windows NT 4.0 can be downloaded from www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp. The client is neither provided nor supported for Windows Millennium Edition.

Using the DS client, your legacy computer can achieve the following basic Active Directory capabilities:

  • Use NTLMv2, which provides for improved security and authentication. This also allows these clients to interact with Windows 2000 computers running a stronger security policy that enforces NTLMv2-only connections.

  • The ability to log into the closest Windows 2000 domain controller.

  • The ability to change network passwords on any Windows 2000 domain controller.

  • The ability to allow access to the Windows 2000 Distributed File System (DFS) fault-tolerant shares specified in Active Directory.

Should you need to apply a security (or any other custom) configuration to your legacy clients, you will need to use System Policies and the System Policy Editor. For more information on creating System Policies for your legacy clients, see http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q318753.

Using Gpresult.exe

You can also use the gpresult.exe tool, which comes with the Windows 2000 Resource Kit, to gather information on the Group Policy objects that have been applied to a specific computer, the security groups the computer belongs to, and where its security settings are coming from. The gpresult.exe tool can be quite useful in troubleshooting Group Policy issues, but, as with most command-line tools, it takes some time to get used to. You can get the gpresult.exe tool at www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp.

Test Day Tip 

Although these tools are very useful, questions about Resource Kit tools are not likely to appear on your exam. Does this make learning how to use them less worthwhile? No. These are the tools you have at your disposal in real life when things go wrong, and the fact that they are not covered on the test should not weigh heavily in your decision to learn how to work with them.

Event Log Entries

By default, the Event Log records errors that occur on your Windows 2000 computers. If you attempt to track down issues with security applications through Group Policy but cannot find any problems, you can configure Active Directory diagnostic event logging to assist you in your search.

By default, only critical or error events are logged in the Event Log. You can, however, change these settings to suit your needs. Doing so requires editing the Registry and is not recommended for anyone unfamiliar with editing the Registry directly. A normal Event Log entry is shown in Figure 2.24. If all is well, this is the only type of entry you will ever see in your Event Logs.

Figure 2.24: Event ID 1704: All Is Well

Diagnostic logging of Active Directory events is controlled by the following Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Under this subkey, you can configure logging for the following 19 areas:

  • Knowledge Consistency Checker (KCC)

  • Security events

  • ExDS Interface events

  • MAPI events

  • Replication events

  • Garbage collection

  • Internal configuration

  • Directory access

  • Internal processing

  • Performance counters

  • Initialization/termination

  • Service control

  • Name resolution

  • Backup

  • Field engineering

  • LDAP interface events

  • Setup

  • Global Catalog

  • Intersite messaging

Each entry can be assigned a value from 0 through 5. The configured value determines the amount of detail that will be logged. The six logging levels are:

  • 0 (None)  This is the default level, where only critical events and error events are logged.

  • 1 (Minimal)  You should use this setting to start an investigation into problems you are experiencing.

  • 2 (Basic)  This logging level adds more detailed information to the Event Logs but is not as extensive as the next levels.

  • 3 (Extensive)  At this level, much logging about an event occurs, such as the steps that are performed to complete a task. This level should be used when you have narrowed down your troubleshooting to a few specific areas.

  • 4 (Verbose)  This logging level provides more information than the previous level but not as much as the highest level of logging.

  • 5 (Internal)  This logging level records all events. This setting should be used only when you have narrowed down the problem to a specific area, because this level will produce a large number of entries in the Event Log.

Test Day Tip 

Don't expect to be tested on low-level diagnostic logging. It is presented here for your reference in the event you should need it if you have problems on your network.

The process of configuring diagnostic logging is presented in Exercise 2.10.

Exercise 2.10: Analyzing Security Issues with the Event Logs

  1. Open the Registry Editor by clicking Start | Run and entering regedit in the Run box. Click OK.

  2. Expand to the following registry key (see Figure 2.25): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

    Figure 2.25: Editing the Registry to Increase Logging

  3. To change the logging level for a particular area, double-click the setting and enter the value representing the level of logging you want.

  4. Click File | Exit to close the Registry Editor after you have completed configuring the settings you require.

  5. Monitor the Event Log, looking for entries corresponding to the problem you are trying to track down.

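The same change can be made from a script that records the previous level and restores it when the investigation is over, which matters because levels 3 and above quickly fill the Directory Service log on a busy domain controller. This is an added example, not part of the study guide. It assumes PowerShell (which is not available on Windows 2000 itself, although the same NTDS\Diagnostics values exist on later domain controllers), an administrator prompt, and value names of the form "2 Security Events" as documented for NTDS; verify the names against your own Registry.

```powershell
# Added example: scripted version of Exercise 2.10 with a recorded, reversible change.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevels {
    # Lists every logging area under the subkey with its current level (0 through 5).
    $item = Get-ItemProperty -Path $DiagKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' } |                     # "1 Knowledge Consistency Checker", ...
        Sort-Object { [int]($_.Name -split ' ')[0] } |
        ForEach-Object { [pscustomobject]@{ Area = $_.Name; Level = $_.Value } }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string]$Area,                          # e.g. '2 Security Events' (assumed name)
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level        # only the six documented levels are valid
    )
    $old = (Get-ItemProperty -Path $DiagKey -Name $Area).$Area
    Set-ItemProperty -Path $DiagKey -Name $Area -Value $Level -Type DWord
    Write-Host ("{0}: {1} -> {2}" -f $Area, $old, $Level)
    return $old                                                       # returned so the caller can restore it
}

# Show the starting point so there is a record of what was changed.
Get-NtdsDiagnosticLevels | Format-Table -AutoSize

# Level 3 (Extensive) on the Security area while tracking down the problem...
$previous = Set-NtdsDiagnosticLevel -Area '2 Security Events' -Level 3

# ... reproduce the problem and read the Directory Service event log here ...

# ... then put the level back so the log does not keep filling.
Set-NtdsDiagnosticLevel -Area '2 Security Events' -Level $previous | Out-Null
```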

If you need more information on working with the Event Log, see http://support.microsoft.com/default.aspx?scid=kb;en-us;Q302542.

Last Thoughts on Security Templates

Before we move on to the next topic in this chapter, you need to bear in mind two last items concerning security templates. The first, and most important, is that you cannot export settings that you have configured directly in a Group Policy object to a template for application to other computers. Your best bet is to configure and test templates on a lab computer and then deploy them once you are satisfied they are configured correctly. The second issue is that, once applied, security templates often make changes that cannot be easily undone; it is not simply a case of installing a software item and then uninstalling it. Should you change your mind about the net result after a template has been applied, you could find yourself doing a fair amount of manual cleanup if you later choose to remove it.

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162