Chapter 5

You are trying to explain to your CIO why using security templates to configure security is a better idea than directly configuring a GPO. What are some reasons that you might present to him to support your position?

You are the systems administrator of a large campus-wide community college network. Your network is comprised of computers running every version of Windows from Windows 95 to Windows Server 2003. Is WSUS a good solution for your network, to ensure that all computers are up-to-date with the latest security patches?

You have instructed your assistant administrator to configure auditing on the network. The next morning you come in and attempt to examine the security log on a DC, only to find out that it has shut down over night. What is the most likely reason for this situation?

You have configured WSUS for your network, but now several client computers are not getting updates. You determine that these computers are running a Japanese localized version of Windows XP Professional. What should you do to allow them to get updates from your WSUS server?

Your CIO has instructed you to implement a WSUS solution for your corporate network. He is concerned, however, about making unsecured connections to the WSUS server. What can be done to provide connection security?

By using security templates, you can perform configuration and testing on a computer that will not result in changes being applied across the network until they are ready. In addition, by using a security template, you are in effect using a script: You can ensure that all changes will be identical to all computers to which they are applied, even if they are in different OUs or domains. For more information, see the section "The Security Configuration and Analysis Snap-in."

If you have large numbers of pre-Windows 2000 computers (that is, legacy clients), WSUS is probably not the best solution for your updating needs. In this situation, you would most likely want to examine a solution such as SMS or a third-party solution that provides the same type of functionality. For more information, see the section "Implementing Windows Server Update Services (WSUS)."

Your assistant most likely caused this problem through the combination of two acts. First, he most likely enabled too much auditing, which created a flood of audit entries into the security log. Second, he most likely configured Group Policy to shut down the computer when the security log was full. This security option is designed to limit and contain the amount of damage an attacker can do. Shutting down a system when the security log fills up removes the system, and thus the target of opportunity, from the network when its security log has been filled to maximum capacity. In this case, the overzealous decision to audit too many things has created the same type of event flood condition. For more information, see the section "Configuring Auditing."

This is a relatively easy problem to solve: You simply enable support for the languages that you will be supporting from the WSUS Synchronization Options page. In this case, you should select the Japanese language option. For more information, see the section "Implementing Windows Server Update Services (WSUS)."

You can enable SSL support on the WSUS Web site and thus require that all connections be SSL secured. For more information, see the section "Implementing Windows Server Update Services (WSUS)."