MCSE: Windows Server 2003 Active Directory Planning

MCSE: Windows Server 2003 Active
Directory Planning, Implementation,
and Maintenance Study Guide,
Second Edition (70-294)
Chapter 6: Planning Security for Active
Directory
© Wiley Inc. 2006. All Rights Reserved.
Active Directory Security
• Permissions are assigned to AD objects (user, group and computer accounts, OUs and the directory containers themselves).
• Permissions decide who may read, create, modify or delete each object, so they underpin the other controls in this chapter (delegation, Group Policy security settings and auditing); they do not replace authentication or auditing.
Security Principals
• User accounts
• Groups (security groups only)
• Computer accounts
• Each security principal has a security identifier (SID); ACEs reference the SID rather than the name, so renaming an account does not change its access
Types of Groups
• Security groups – security principals (they have a SID); can be granted permissions and can contain user accounts, computer accounts and other groups
• Distribution groups – not security principals; used only as e-mail distribution lists (for example by Exchange) and cannot be used to assign permissions
• In domains at the Windows 2000 native or Windows Server 2003 functional level, a security group can be converted to a distribution group and back; Windows 2000 mixed mode does not allow the conversion
Group Scope
• Domain local – can contain accounts and groups from any domain in the forest (or from trusted domains), but can be assigned permissions only on resources in its own domain
• Global – can contain only accounts and global groups from its own domain, but can be assigned permissions on resources in any domain in the forest
• Universal – can contain accounts and groups from any domain in the forest and can be assigned permissions anywhere in the forest; its membership is stored in the global catalog
Limitations on Group Functionality in Windows 2000 Mixed Functional Level
• Universal security groups are not available (universal distribution groups are)
• Changing the scope of a group is not allowed
• Group nesting is limited: global groups can contain only user accounts from their own domain, and domain local groups can contain only user accounts and global groups
Native Mode Scope Changes
• A domain local group can be changed to a
universal group (only if the domain local
group does not contain any other domain
local groups)
• A global group can be changed to a
universal group (only if the global group is
not a member of any other global groups)
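The three slides above (group types, scopes and the native-mode scope rules) in practice, as an added PowerShell example that is not from the study guide. It uses the ADSI interfaces (System.DirectoryServices) built into Windows PowerShell, so no Active Directory module is required. The domain DC=corp,DC=example, the OU=Groups container, the group names and the helper function names are assumptions; run it only in a lab domain at the Windows Server 2003 functional level.

```powershell
# Added example, not from the Wiley study guide. Group type and scope are one
# attribute, groupType, so "convert security <-> distribution" and "change scope"
# are edits of that integer. Assumes a lab domain DC=corp,DC=example at the
# Windows Server 2003 functional level, an OU=Groups you own, PowerShell 2.0+
# (for try/catch) and Domain Admins rights. Group names are made up.

$GT_GLOBAL        = 0x2
$GT_DOMAINLOCAL   = 0x4
$GT_UNIVERSAL     = 0x8
[int]$GT_SECURITY = [int]::MinValue   # 0x80000000: set = security group, clear = distribution group

$ou = [ADSI]"LDAP://OU=Groups,DC=corp,DC=example"

function New-LabGroup([string]$Name, [int]$GroupType) {
    $g = $ou.psbase.Children.Add("CN=$Name", "group")
    $g.psbase.Properties["sAMAccountName"].Value = $Name
    $g.psbase.Properties["groupType"].Value = $GroupType
    $g.psbase.CommitChanges()
    return $g
}

function Get-GroupType($Group) { [int]$Group.psbase.Properties["groupType"].Value }

function Set-GroupType($Group, [int]$NewType) {
    try {
        $Group.psbase.Properties["groupType"].Value = $NewType
        $Group.psbase.CommitChanges()
        "{0}: groupType is now 0x{1:X8}" -f $Group.psbase.Name, $NewType
    } catch {
        $Group.psbase.RefreshCache()   # discard the in-memory change the DC rejected
        "{0}: change refused by the DC: {1}" -f $Group.psbase.Name, $_.Exception.Message
    }
}

function Add-GroupMember($Parent, $Child) {
    $dn = $Child.psbase.Properties["distinguishedName"].Value
    [void]$Parent.psbase.Properties["member"].Add($dn)
    $Parent.psbase.CommitChanges()
}

function Remove-GroupMember($Parent, $Child) {
    $dn = $Child.psbase.Properties["distinguishedName"].Value
    $Parent.psbase.Properties["member"].Remove($dn)
    $Parent.psbase.CommitChanges()
}

# One security group of each scope
$dl = New-LabGroup "DL-HR-Share-Modify" ($GT_SECURITY -bor $GT_DOMAINLOCAL)
$gg = New-LabGroup "GG-HR-Staff"        ($GT_SECURITY -bor $GT_GLOBAL)
$ga = New-LabGroup "GG-All-Staff"       ($GT_SECURITY -bor $GT_GLOBAL)

# AGDLP: accounts -> global group -> domain local group -> permission on the resource
Add-GroupMember $dl $gg
# Global-in-global nesting: allowed at native / Server 2003 level, refused in mixed mode
Add-GroupMember $ga $gg

# Security -> distribution: clear the high bit. The group keeps its SID, but any
# ACE that names it no longer grants access. Setting the bit again undoes it.
Set-GroupType $ga ((Get-GroupType $ga) -band (-bnot $GT_SECURITY))
Set-GroupType $ga ((Get-GroupType $ga) -bor $GT_SECURITY)

# Global -> universal is refused while GG-HR-Staff is a member of another global group
Set-GroupType $gg ($GT_SECURITY -bor $GT_UNIVERSAL)
Remove-GroupMember $ga $gg
Set-GroupType $gg ($GT_SECURITY -bor $GT_UNIVERSAL)

# Domain local -> universal is allowed: the group now contains a universal group,
# but no other domain local group
Set-GroupType $dl ($GT_SECURITY -bor $GT_UNIVERSAL)
```

The groupType values this produces are the ones ADSI Edit shows: 0x80000002 global security, 0x80000004 domain local security, 0x80000008 universal security, and the same values without the high bit for distribution groups. The domain controller enforces the nesting rules, so the catch branch fires on the first global-to-universal attempt and the second attempt succeeds only after the global-in-global membership is removed.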
Built-in Local Groups
• Account Operators
• Administrators
• Backup Operators
• Guests
• Print Operators
• Replicator
• Server Operators
• Users
Predefined Global Groups
• Cert Publishers
• Domain Computers
• Domain Admins
• Domain Controllers
• Domain Guests
• Domain Users
• Enterprise Admins
• Group Policy Creator Owners
• Schema Admins
• Note: Enterprise Admins and Schema Admins exist only in the forest root domain; they are global groups while that domain is in mixed mode and become universal groups at the Windows 2000 native or higher functional level
Foreign Security Principals
• Allow you to grant permissions to users and groups from domains outside the forest, across an external or forest trust
• Created automatically as placeholder objects in the ForeignSecurityPrincipals container when such an account is added to a domain local group; no administrator intervention is required
• The placeholder is not removed when the account or the trust disappears, so the container should be reviewed for orphaned entries
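An added PowerShell example (not from the study guide) of the review a practitioner would want after this slide: it lists the foreignSecurityPrincipal objects that Active Directory created automatically and flags those whose SID no longer resolves through any trust. It uses only the System.DirectoryServices classes in Windows PowerShell; the domain DC=corp,DC=example and the function name are assumptions.

```powershell
# Added example, not from the study guide. Enumerates the foreignSecurityPrincipal
# objects AD created automatically when accounts from trusted forests (and
# well-known SIDs such as S-1-5-11) were added to groups in this domain, and
# flags the ones whose SID no longer resolves across a trust. Assumes the domain
# DC=corp,DC=example and a domain-joined machine; PowerShell 2.0+.

function Get-ForeignSecurityPrincipalState([string]$DomainDn) {
    $container = [ADSI]"LDAP://CN=ForeignSecurityPrincipals,$DomainDn"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter   = "(objectClass=foreignSecurityPrincipal)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@("objectSid", "memberOf", "whenCreated"))

    foreach ($result in $searcher.FindAll()) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
            [byte[]]$result.Properties["objectsid"][0], 0)
        try {
            # LSA SID lookup follows the trusts; well-known SIDs map to NT AUTHORITY\...
            $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $state = "ok"
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Deleted account in the trusted forest, or the trust itself is gone:
            # the FSP and its group memberships stay behind until someone removes them.
            $name  = "<unresolved>"
            $state = "ORPHANED"
        }
        New-Object PSObject -Property @{
            Sid      = $sid.Value
            Account  = $name
            State    = $state
            MemberOf = @($result.Properties["memberof"])
            Created  = $result.Properties["whencreated"][0]
        }
    }
}

$fsps = Get-ForeignSecurityPrincipalState "DC=corp,DC=example"
$fsps | Sort-Object State, Account | Format-Table Sid, Account, State, Created -AutoSize

# Orphans that still hold permissions through group membership are the ones to act on
$fsps | Where-Object { $_.State -eq "ORPHANED" -and $_.MemberOf.Count -gt 0 } |
    ForEach-Object { "{0} still member of: {1}" -f $_.Sid, ($_.MemberOf -join "; ") }
```

An orphaned entry that is still a member of a domain local group is a dangling ACE: nothing can authenticate with that SID today, but if the trust is re-established and the SID is reused the access comes back, so confirm with the trusted forest's administrators and then delete the placeholder and its memberships.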
Active Directory Object Permissions
• Control Access (extended rights such as Reset Password, and validated writes)
• Create Child
• Delete Child
• Delete Tree
• List Contents
• List Object
• Read
• Write
ACLs and ACEs
• Every object in Active Directory has a security descriptor that holds its Access Control Lists (ACLs): a discretionary ACL (DACL) for permissions and a system ACL (SACL) for auditing
• Each ACL is a list of Access Control Entries (ACEs); an ACE names a security principal (by SID), the rights allowed or denied, and optionally the object class, property or extended right it applies to
• ACEs can be inherited from parent containers, so a permission set on an OU flows down to the objects beneath it
Delegating Control
• Delegation is the process by which a higher-level administrator grants other users or groups a limited set of permissions on a container (usually an OU) and the objects beneath it
• The Delegation of Control Wizard walks through selecting the container, the users or groups to delegate to, and the tasks or permissions they receive; it then writes the corresponding ACEs to the container's ACL
• Delegate to groups rather than individual users, and grant only the specific task needed (for example Reset Password on user objects) rather than Full Control
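What the wizard does under the covers, as an added PowerShell example that is not from the study guide: it prints an OU's DACL, adds one narrowly scoped ACE (the Reset Password extended right on user objects only) for a helpdesk group, and shows the resulting entry. The OU=Staff,DC=corp,DC=example container, the group CORP\GG-Helpdesk and the function names are assumptions; the two GUIDs are the fixed schema values for the Reset Password right and the user class.

```powershell
# Added example, not from the study guide. The Delegation of Control Wizard adds
# ACEs to a container's DACL; this does the same thing explicitly so the resulting
# entry can be reviewed. Assumes OU=Staff,DC=corp,DC=example and a group
# CORP\GG-Helpdesk (both made up). Run as a user who has Modify Permissions on the OU.

Add-Type -AssemblyName System.DirectoryServices   # already loaded by [ADSI]; harmless

$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # extended right User-Force-Change-Password
$UserClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of object class "user"

function Get-Dacl($Entry) {
    # Explicit and inherited ACEs, identities rendered as DOMAIN\name
    $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            "{0,-5} {1,-30} {2,-25} right={3} appliesTo={4} inherited={5}" -f $_.AccessControlType,
                $_.IdentityReference, $_.ActiveDirectoryRights, $_.ObjectType,
                $_.InheritedObjectType, $_.IsInherited
        }
}

function Grant-ResetPassword($Entry, [string]$Account) {
    $who = New-Object System.Security.Principal.NTAccount($Account)
    # ExtendedRight limited to one right (ObjectType) on descendant objects of one
    # class (InheritedObjectType): the narrowest ACE that still does the job.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $who,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
    $Entry.psbase.ObjectSecurity.AddAccessRule($rule)
    $Entry.psbase.CommitChanges()
}

$ou = [ADSI]"LDAP://OU=Staff,DC=corp,DC=example"

"=== DACL before ==="
Get-Dacl $ou
Grant-ResetPassword $ou "CORP\GG-Helpdesk"
"=== ACEs for GG-Helpdesk after delegation ==="
$ou.psbase.RefreshCache()
Get-Dacl $ou | Where-Object { $_ -match "GG-Helpdesk" }
```

The command-line equivalent on Windows Server 2003 is `dsacls "OU=Staff,DC=corp,DC=example" /I:S /G "CORP\GG-Helpdesk:CA;Reset Password;user"`. Two caveats when reviewing the result: the ACE is inherited only by objects under the OU, so users elsewhere are unaffected, and accounts protected by AdminSDHolder (members of Domain Admins and similar groups) get their ACL overwritten periodically, so a delegation like this does not let the helpdesk reset administrator passwords.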
Group Policy Security Setting Sections
• Account Policies > Password Policy
• Account Policies > Account Lockout Policy
• Local Policies > Audit Policy
• Local Policies > User Rights Assignment
• Local Policies > Security Options
• Account Policies for domain accounts take effect only from a GPO linked at the domain level; Windows Server 2003 supports one password and lockout policy per domain
Smart Card Authentication
• A smart card stores the user's certificate and the matching private key in an embedded chip, not a magnetic stripe; the private key never leaves the card
• Provides two-factor logon: something you have (the card) and something you know (the PIN that unlocks it)
• Requires an enterprise certification authority to issue smart card logon certificates; the logon authenticates to Kerberos with the certificate instead of a password
Security Configuration and Analysis Utility
• MMC snap-in that simplifies creating, comparing and applying security settings
• Works with security templates (.inf files) loaded into a security database (.sdb); the settings cover account policies, local policies, event log settings, restricted groups, system services, Registry keys and file system ACLs
• Analysis compares the computer's current settings with the template and flags each mismatch before anything is changed
Process for Security Configuration and Analysis
1. Open or create a security database file
2. Import the existing template file
3. Analyze the local computer
4. Make any setting changes
5. Save any template changes
6. Export the new template (optional)
7. Apply the changes (optional)
Working with secedit.exe
• Command-line equivalent of the Security Configuration and Analysis snap-in, so the same work can be scripted and scheduled
• Switches include:
• /analyze – compare the computer with the template stored in a database
• /configure – apply a database (optionally with a template) to the computer
• /export – write the current settings out to a template file
• /import – load a template into a database
• /validate – check a template file's syntax
• /generaterollback – build a template that undoes a configuration
• The Windows 2000 /refreshpolicy switch was removed in Windows Server 2003; use gpupdate instead
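The seven-step process above, driven from the command line, as an added PowerShell example that is not from the study guide. It writes a template containing the Password Policy and Account Lockout Policy values from the Group Policy slide, loads it into a database, analyzes the machine, reports mismatches, exports the current settings, and leaves the apply step commented out. The C:\SecCfg paths, the policy values and the Invoke-Secedit helper are assumptions; only the secedit.exe switches themselves are the real tool's.

```powershell
# Added example, not from the study guide. Runs the Security Configuration and
# Analysis steps with secedit.exe instead of the MMC snap-in. The template sets
# Password Policy and Account Lockout Policy values (pick your own); the C:\SecCfg
# paths are assumptions. Run from an elevated prompt on the machine to analyze.

$workDir  = "C:\SecCfg"
$template = "$workDir\baseline.inf"
$db       = "$workDir\baseline.sdb"
$log      = "$workDir\analyze.log"
[void](New-Item -ItemType Directory -Path $workDir -Force)

function Invoke-Secedit([string[]]$Arguments) {
    & secedit.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit $($Arguments[0]) failed, exit code $LASTEXITCODE" }
}

# Security template (.inf). [System Access] carries the Password Policy and
# Account Lockout Policy; ages are in days, lockout times in minutes,
# PasswordComplexity 1 = enabled, ClearTextPassword 0 = no reversible encryption.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
MinimumPasswordAge = 1
MaximumPasswordAge = 60
ClearTextPassword = 0
LockoutBadCount = 10
LockoutDuration = 30
ResetLockoutCount = 30
'@
Set-Content -Path $template -Value $inf -Encoding Unicode   # secedit expects UTF-16 when Unicode=yes

Invoke-Secedit @("/validate", $template)                                  # syntax check of the template
Invoke-Secedit @("/import", "/db", $db, "/cfg", $template, "/overwrite")  # steps 1-2: new database, template loaded
Invoke-Secedit @("/analyze", "/db", $db, "/log", $log)                    # step 3: compare the machine to the template

# Each setting that differs is reported as a "Mismatch" line in the analysis log
$mismatches = Select-String -Path $log -Pattern "Mismatch" | ForEach-Object { $_.Line.Trim() }
if ($mismatches) {
    "Settings that differ from the template:"
    $mismatches
} else {
    "Machine already matches the template."
}

# Steps 4-5: edit baseline.inf, then re-run /import with /overwrite to save it into the database.
# Step 6: export the machine's current account policy to a template for review
Invoke-Secedit @("/export", "/cfg", "$workDir\current.inf", "/areas", "SECURITYPOLICY")

# Step 7 (optional): apply the database. Uncomment after reviewing the mismatches.
# Invoke-Secedit @("/configure", "/db", $db, "/areas", "SECURITYPOLICY", "/log", "$workDir\configure.log")
```

On a domain member this template only governs the local SAM accounts, and Group Policy refresh will overwrite it; the password and lockout settings for domain accounts must be set in a GPO linked at the domain level (the Default Domain Policy by convention). Use this flow to audit what the machine actually has against what the GPO is supposed to deliver, not as a substitute for the GPO.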
Windows Server 2003 Auditing Steps
• Configure the size and retention settings for the Security log (Group Policy > Security Settings > Event Log) so audit records are not lost
• Enable the categories of events to audit (Local Policies > Audit Policy), for success, failure or both
• For object access and directory service access, also specify which objects and actions to record by placing audit entries in each object's SACL; without a SACL entry those two categories produce no events
Main Auditing Categories
• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events
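The three auditing steps and the category list above, applied to a domain controller, as an added PowerShell example that is not from the study guide. Steps 1 and 2 (Security log size and retention, audit categories) are set through a secedit template; step 3 places a SACL entry on an OU so that "Audit directory service access" records permission and ownership changes and deletions beneath it. The OU=Staff,DC=corp,DC=example container, the C:\SecCfg paths and the chosen category values are assumptions.

```powershell
# Added example, not from the study guide. Auditing on a Windows Server 2003 DC:
# (1) Security log size and retention and (2) the audit categories come from a
# security template applied with secedit; (3) which directory objects are recorded
# is set in their SACLs. Assumes OU=Staff,DC=corp,DC=example and C:\SecCfg; run as
# a Domain Admin (the SACL write needs "Manage auditing and security log").

$workDir  = "C:\SecCfg"
$template = "$workDir\audit.inf"
$db       = "$workDir\audit.sdb"
[void](New-Item -ItemType Directory -Path $workDir -Force)

# [Security Log]: MaximumLogSize in KB; AuditLogRetentionPeriod 0 = overwrite as needed.
# [Event Audit]: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Security Log]
MaximumLogSize = 131072
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
'@
Set-Content -Path $template -Value $inf -Encoding Unicode
& secedit.exe /configure /db $db /cfg $template /overwrite /areas SECURITYPOLICY /log "$workDir\audit.log" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, exit code $LASTEXITCODE" }

# Step 3: a SACL entry. "Audit directory service access" only produces events for
# objects that carry audit ACEs, so record the changes that matter: anyone
# rewriting the DACL or owner, or deleting objects, anywhere under the OU.
Add-Type -AssemblyName System.DirectoryServices
$ou       = [ADSI]"LDAP://OU=Staff,DC=corp,DC=example"
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rights   = [System.DirectoryServices.ActiveDirectoryRights]"WriteDacl, WriteOwner, Delete, DeleteTree"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]"Success, Failure",
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.psbase.ObjectSecurity.AddAuditRule($rule)
$ou.psbase.CommitChanges()

# Verify: list the audit ACEs now on the OU (explicit and inherited)
$ou.psbase.RefreshCache()
$ou.psbase.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    ForEach-Object { "{0,-20} {1,-45} {2}" -f $_.IdentityReference, $_.ActiveDirectoryRights, $_.AuditFlags }
```

On a domain controller the audit categories in the Default Domain Controllers Policy GPO override a locally applied template at the next policy refresh, so the [Event Audit] values should live in that GPO for production; the template is useful for a lab or for checking what a DC currently has. Directory service access events then appear in the Security log as event IDs 565 and 566 on Windows Server 2003, one per audited operation, which is why the SACL is kept to a few high-value rights rather than everything.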