List of Figures

Chapter 1: Planning and Configuring an Authentication Strategy

Figure 1.1: The Default Domain Controllers Security Settings console

Figure 1.2: Security policy settings

Figure 1.3: Account lockout warning

Figure 1.4: Typical delegated authentication architecture

Figure 1.5: Computer account properties dialog box

Figure 1.6: Authentication Methods dialog box

Figure 1.7: Internet Explorer prompt for credentials

Figure 1.8: A forest

Figure 1.9: Raising the domain functional level

Figure 1.10: The Trust Name page of the New Trust Wizard

Figure 1.11: The Direction Of Trust page of the New Trust Wizard

Figure 1.12: The User Name And Password page of the New Trust Wizard

Figure 1.13: Dialog box notifying you that SID filtering is enabled by default

Figure 1.14: Verifying an incoming trust

Figure 1.15: Enabling earlier applications to connect anonymously to shares

Chapter 2: Planning and Configuring an Authorization Strategy

Figure 2.1: Windows Server 2003 represents ACLs by listing the permissions assigned to users and groups

Figure 2.2: Permissions are inherited by default, but this behavior can be manually overridden

Figure 2.3: The ACEs assigned to Mary’s account, and her group memberships, will determine the effective permissions

Figure 2.4: Deny ACEs override all ACEs that grant permissions

Figure 2.5: Some group types can be nested within other group types

Figure 2.6: You can assign permissions to special groups that apply to users based on how they connect to the network

Figure 2.7: Use Restricted Groups to control group membership on domain members

Figure 2.8: Windows Server 2003 allows you to view the effective permissions for most object types

Figure 2.9: Use auditing to troubleshoot complex authorization problems

Figure 2.10: Auditing must be enabled for the system before it can be enabled for individual resources

Figure 2.11: Failure auditing causes events to be added to the event log when a user is denied access to a resource

Figure 2.12: Event Viewer reveals the object that the user lacked sufficient permissions to access

Chapter 3: Deploying and Troubleshooting Security Templates

Figure 3.1: The Security Templates snap-in

Figure 3.2: System Policy Editor on Windows NT 4.0

Figure 3.3: Modifying Group Policy precedence

Figure 3.4: Denying a security group access to a Group Policy object

Figure 3.5: Managing WMI filters

Figure 3.6: Troubleshooting problems relating to failed Group Policy

Figure 3.7: Help And Support Center Group Policy information

Figure 3.8: A Group Policy event

Figure 3.9: Troubleshooting problems related to unexpected inheritance

Figure 3.10: Resultant Set Of Policy

Figure 3.11: Group Policy information stored in the registry

Figure 3.12: Group order for system policies

Chapter 4: Hardening Computers for Specific Roles

Figure 4.1: Administrative Templates GPO settings

Figure 4.2: Software restrictions forbidding the execution of Notepad

Figure 4.3: Services placed in a single-layer perimeter network

Figure 4.4: Managing authorized DHCP servers

Figure 4.5: DHCP dynamic update options

Figure 4.6: Configuring Application Server options

Figure 4.7: Filtering IIS requests by network

Figure 4.8: Using shared secrets and the Message Authenticator attribute

Figure 4.9: Exchange TLS encryption

Figure 4.10: Configuring SQL Server authentication

Figure 4.11: SQL Server trace data

Figure 4.12: Microsoft Baseline Security Analyzer IIS results

Figure 4.13: Security Configuration And Analysis identifying deficient settings

Figure 4.14: Suggested perimeter network architecture

Chapter 5: Planning an Update Management Infrastructure

Figure 5.1: The Windows Server 2003 product lifecycle

Figure 5.2: The Automatic Update client configured to prompt the user to download

Figure 5.3: Approval of updates using Software Update Services

Figure 5.4: Tiered Software Update Services architecture

Figure 5.5: Selecting Uninstall This Application When It Falls Out Of The Scope Of Management

Figure 5.6: The core updating process

Figure 5.7: Notification settings for Automatic Updates

Figure 5.8: Using Add/Remove Programs for updates

Figure 5.9: Your company’s network architecture

Chapter 6: Assessing and Deploying a Patch Management Infrastructure

Figure 6.1: MBSA configured to scan a subnet

Figure 6.2: MBSA scanning a subnet

Figure 6.3: A private installation network for multiple computers

Figure 6.4: A private installation network for a single computer

Figure 6.5: A private installation network allowing for access to Windows Update

Figure 6.6: Slipstreaming a service pack

Figure 6.7: SUS synchronizing with the Windows Update server.

Figure 6.8: Automatic Updates configured using a Group Policy object

Figure 6.9: Scheduling updates that were skipped

Figure 6.10: MBSA identifies an unpatched computer

Chapter 7: Installing, Configuring, and Managing Certification Services

Figure 7.1: A CA hierarchy

Figure 7.2: Creating a subordinate CA

Figure 7.3: Backing up a CA

Figure 7.4: Specifying the common name for a CA

Figure 7.5: Requesting a subordinate CA certificate

Figure 7.6: Certificate template location

Figure 7.7: Certificate template permissions

Figure 7.8: Properties of New Template dialog box

Figure 7.9: Smart Card Logon policy added to the Application Policies list

Figure 7.10: CRL publishing list

Figure 7.11: Adding a CRL publishing location

Figure 7.12: Web interface for manual enrollment

Figure 7.13: Advanced Certificate Request using Web enrollment

Figure 7.14: Properties for a new certificate

Figure 7.15: Revoking a certificate

Figure 7.16: Publishing a CRL

Figure 7.17: Specifying key archival

Figure 7.18: Exporting a certificate

Figure 7.19: Importing a certificate

Figure 7.20: Key Recovery Agent Selection dialog box

Figure 7.21: Creating a subordinate CA

Chapter 8: Planning and Configuring IPSec

Figure 8.1: Transport mode IPSec

Figure 8.2: Remote access with IPSec

Figure 8.3: Tunnel mode IPSec

Figure 8.4: A site-to-site IPSec tunnel

Figure 8.5: Allowing the ISAKMP service through ICF

Figure 8.6: IP security policy components

Figure 8.7: The Manage IP Filter Lists And Filter Actions dialog box

Figure 8.8: Specifying custom data integrity, encryption, and session key settings

Figure 8.9: Editing IP security policy properties

Figure 8.10: Configuring an IP filter list for Web traffic

Chapter 9: Deploying and Troubleshooting IPSec

Figure 9.1: Local IPSec policy overridden by a domain policy

Figure 9.2: Configuring certificate-to-account mapping

Figure 9.3: Security association authenticated with certificates

Figure 9.4: The Active Policy node of the IP Security Monitor

Figure 9.5: Main Mode SA details

Figure 9.6: Event ID 541 showing a successful IKE SA established

Figure 9.7: Event ID 547 showing an IKE negotiation failure

Figure 9.8: Event ID 4290 showing dropped packets

Figure 9.9: Graphing IPSec performance statistics

Figure 9.10: Network Monitoring displaying ESP-encrypted packets

Figure 9.11: Ping permitted, but not secured

Figure 9.12: Event Viewer details about a dropped ICMP request

Figure 9.13: Configuring a policy to use the most common IKE security algorithms

Figure 9.14: Problematic IPSec architecture

Figure 9.15: Problematic IPSec architecture

Chapter 10: Planning and Implementing Security for Wireless Networks

Figure 10.1: Connecting to an 802.1X-authenticated wireless network

Figure 10.2: Sample user and group hierarchy for controlling wireless network authorization

Figure 10.3: Configuring policy conditions to apply the policy to wireless connections

Figure 10.4: Configuring authentication methods for a RAP

Figure 10.5: Configuring session timeout for WEP

Figure 10.6: Enabling IAS authentication auditing

Figure 10.7: Windows XP wireless network authentication configuration

Figure 10.8: The General tab of the wireless network policy properties dialog box

Figure 10.9: The Network Properties tab of the New Preferred Setting Properties dialog box

Figure 10.10: Configuring security on a WAP

Figure 10.11: Default IAS PEAP properties

Figure 10.12: The Protected EAP Properties dialog box

Figure 10.13: Wireless network architecture

Chapter 11: Deploying, Configuring, and Managing SSL Certificates

Figure 11.1: Internet Explorer’s trusted root CAs

Figure 11.2: Internet Explorer warning regarding an untrusted CA

Figure 11.3: Requiring HTTPS for a Web server

Figure 11.4: Configuring one-to-one certificate mapping

Figure 11.5: Editing rule properties for many-to-one client certificate mappings

Figure 11.6: The SSL Diagnostic Utility probing IIS

Figure 11.7: The SSL Diagnostic Utility monitoring client certificates

Figure 11.8: Exporting a SQL Server certificate

Figure 11.9: IIS configured to require SSL

Figure 11.10: The requested host name does not match the common name in the certificate

Figure 11.11: Network Monitor displaying the results of an unencrypted LDAP query

Figure 11.12: The subject field of a certificate containing the domain controller’s common name

Figure 11.13: Requiring messaging encryption

Figure 11.14: Creating an Address Book query

Figure 11.15: Configuring Address Book for encryption

Figure 11.16: Network Monitor attempting to analyze SSL-encrypted LDAP queries

Figure 11.17: Systems architecture for www.adventure-works.com

Chapter 12: Securing Remote Access

Figure 12.1: PPTP-tunneled data packet structure

Figure 12.2: L2TP-tunneled data packet structure

Figure 12.3: Configuring Routing And Remote Access to authenticate to a RADIUS server

Figure 12.4: Default server authentication and accounting settings

Figure 12.5: Default server authentication methods

Figure 12.6: Editing user dial-in properties

Figure 12.7: Configuring RAP encryption levels

Figure 12.8: Network architecture for testing VPN connectivity

Figure 12.9: Creating a new test VPN connection

Figure 12.10: Default client authentication settings

Figure 12.11: Advanced client authentication settings

Figure 12.12: Configuring VPN servers and security settings

Figure 12.13: Editing basic VPN security settings by using the CMAK wizard

Figure 12.14: Editing advanced VPN security settings by using the CMAK wizard

Figure 12.15: Editing EAP configuration settings

Figure 12.16: VPN destinations as specified in the VPN file

Figure 12.17: VPN connection details confirming security configuration

Figure 12.18: Dial-in properties of problematic user account