The vast majority of security configuration on a Microsoft Windows Server 2003 network is carried out by applying security policies, either through the Active Directory directory service or by means of local Group Policy objects. Group Policy controls almost every aspect of the operation of a computer running Windows Server 2003, from the software installed to disk quotas and the appearance of the desktop. Of interest to the candidate for this exam is the Security Settings node located under Windows Settings in the Computer Configuration section of Group Policy objects. The Security Settings node hosts almost all of the Windows Server 2003 security policies. Event logs, restricted groups, system services, and file system and registry permissions can be configured from this node.
How these policies are configured depends on the types of services hosted by the server to which they are applied. Although a domain controller and a server running Internet Information Services (IIS) will have many policy settings in common, several policies are unique to the role of the server and must be configured differently. Understanding the differences between the needs of each server is a critical part of performing well on this particular exam objective.
Security templates are text files that store configurations for all of the policies found under the Security Settings node. Security templates are the recommended way to make changes to Group Policy security settings, because templates are easily stored and provide a built-in record of the changes that have been made to Group Policy. Security templates can be created and edited in several ways. The easiest way is to use the Security Templates snap-in, which can be added to any custom Microsoft Management Console (MMC) and provides a simple visual interface for configuring security. Templates can also be created and edited by using a text editor such as Notepad.
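Because a template is plain text, two templates can be compared setting by setting to see exactly where a role-specific configuration departs from a baseline. The following is an added example, not part of the original text: both templates are constructed samples, and the function names `parse_template` and `diff_templates` are hypothetical.

```python
# Constructed sample templates (not from a real server). Real .inf templates are
# usually saved as UTF-16; decode them before passing the text to parse_template().
HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
# In [Service General Setting] the second field is the startup mode
# (2 = automatic, 4 = disabled); in [Event Audit], 0 = none, 2 = failure, 3 = both.
BASELINE_INF = HEADER + """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 0
[Service General Setting]
"W3SVC",4,""
"""
IIS_ROLE_INF = HEADER + """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
[Service General Setting]
"W3SVC",2,""
"""

def parse_template(text):
    """Return {section: {key: value}} for a security template's text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:
            # Quoted entries (services, files, registry keys) are comma-separated.
            sep = "," if line.startswith('"') else "="
            key, _, value = line.partition(sep)
            current[key.strip().strip('"')] = value.strip()
    return sections

def diff_templates(base, role):
    """Return (section, key, base_value, role_value) for each differing setting."""
    changes = []
    for section in sorted(set(base) | set(role)):
        b, r = base.get(section, {}), role.get(section, {})
        changes += [(section, k, b.get(k), r.get(k))
                    for k in sorted(set(b) | set(r)) if b.get(k) != r.get(k)]
    return changes

if __name__ == "__main__":
    for change in diff_templates(parse_template(BASELINE_INF), parse_template(IIS_ROLE_INF)):
        print(change)
```

A value of `None` on either side of a reported change means the setting is defined in only one of the two templates.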
After the security templates have been created, they need to be deployed. Deployment is generally done by putting the servers that will be the targets of the Group Policy object (GPO) into a separate organizational unit (OU), creating a new GPO, importing the template to the GPO, and then applying the GPO to the newly created OU. Security templates can also be imported and applied individually to servers at the local policy level.
Security templates are not the complete security solution for Windows Server 2003 or Microsoft Windows XP Professional. There are many Group Policy options that cannot be configured by using security templates. When a policy must be set that cannot be configured by using a template, the change has to be either configured manually, if the system to which it is being applied does not fall under the influence of Group Policy, or made by applying an appropriate policy if it does.