VTC (Virtual Training Company) Microsoft Windows Server 2003 (70-290) Administrating, Implementing and Maintaining (Eng). This VTC tutorial provides students with the knowledge and skills to prepare for and pass the Microsoft Windows Server 2003 70-290 exam. The tutorial focuses on administrating, implementing and maintaining a Microsoft Windows Server 2003 network infrastructure. Topics covered include management and security, managing user and group permissions, managing and maintaining printers, print drivers and print permissions, and remote administration. Certified MCT and MCSE instructor Bill Ferguson shows you both real-world business solutions for your network and academic solutions to help you pass the 70-290 exam.
You can use several methods to determine the operations master role holders of the forest and domain. For example, you can query these roles using the Replication Monitor (Replmon.exe), Netdom, and Ntdsutil. You can also use the Windows Script Host (WSH) to query the Active Directory Services Interface (ADSI) to find the operations masters, as documented in Microsoft Knowledge Base article 235617, "How to Find the FSMO Role Owners Using ADSI and WSH" (available from http://support.microsoft.com).
Practice: Viewing and Transferring Operations Master Role Assignments
In this practice, you manage operations master role assignments.
Note To complete this practice, you must have successfully completed the practice in Lesson 1.
Exercise 1: Viewing Operations Master Role Assignments
In this exercise, you view operations master role assignments.
To view operations master role assignments
1. Log on to Server1 and Server2 as Administrator.
2. Use the procedure provided earlier in this lesson to view the RID master, the PDC emulator, and the infrastructure master role assignments for the contoso.com domain.
3. Use the procedure provided earlier in this lesson to view the domain naming master role assignment for the contoso.com domain.
4. Use the procedure provided earlier in this lesson to view the schema master role assignment for the contoso.com domain.
Exercise 2: Transferring an Operations Master Role Assignment
In this exercise, you transfer the domain naming master role assignment from Server1 to Server2.
To transfer an operations master role assignment
1. Use the procedure provided earlier in this lesson to transfer the domain naming master role assignment from Server1 (contoso.com domain) to Server2 (chi.contoso.com domain).
2. When you have finished viewing the domain naming master role assignment on Server2, transfer the domain naming master role assignment back to Server1.
3. Demote Server2 so it becomes a member server for the contoso.com domain and the chi.contoso.com domain no longer exists.
A set of default properties is associated with each domain user account that you create. For domain user accounts, these account properties equate to object attributes. You can use the properties that you define for a domain user account to search for users in the directory, or the properties can be used in other applications as object attributes. For this reason, you should provide detailed definitions for each domain user account that you create. For example, if a user knows a person's last name and wants to find the person's telephone number, the user can use the last name to search for the telephone number.
The tabs in the Properties dialog box for a user, shown in Figure 7-5, contain information about each user account. Table 7-5 describes the tabs in the Properties dialog box.
Table 7-5 Tabs in the user Properties dialog box
General: Documents the user's first name, initials, last name, display name, description, office location, telephone number(s), e-mail address, and Web page(s)
Address: Documents the user's street address, post office box, city, state or province, ZIP code or postal code, and country or region
Account: Documents the user's account properties, including user logon name, logon hours, computers permitted to log on to, account options, and account expiration
Profile: Sets a profile path, logon script path, and home folder
Telephones: Documents the user's home, pager, mobile, fax, and Internet Protocol (IP) telephone numbers, and contains space for notes
Organization: Documents the user's title, department, company, manager, and direct reports
Remote Control: Configures Terminal Services remote control settings
Terminal Services Profile: Configures the Terminal Services user profile
COM+: Documents the COM+ partition set of which the user is a member
Published Certificates: Documents the list of X.509 certificates for the user account
Member Of: Documents the groups to which the user belongs
Dial-in: Documents the dial-in properties for the user
Environment: Configures the Terminal Services startup environment
Sessions: Sets the Terminal Services timeout and reconnection settings
Object: Documents the fully qualified domain name (FQDN), object class, create and modified dates, the original update sequence number (USN), and the current USN
Security: Sets permissions on the user object
To seize an operations master role is to move it without the cooperation of its current owner. You seize an operations master role assignment when a server that is holding a role fails and you do not intend to restore it. The operations master role assignment is seized (reassigned) to a domain controller you select to act as a standby operations master. Some operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. Generally, you will notice that a single master operations role holder is unavailable when you try to perform some function controlled by the particular operations master.
Before seizing the operations master role, determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online. You must also determine which domain controller can effectively serve as a standby operations master. In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following topics.
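The ADSI query described earlier (reading the fSMORoleOwner attribute, as in KB 235617) is also the quickest way to confirm who holds each role before and after a transfer or seizure. The following PowerShell is an added example, not code from the training kit: it enumerates the five role owners and compares them with an expected baseline so an unplanned transfer or seizure stands out. The baseline host names are assumed values for the lab domain used in the practice.

```powershell
# Added example (not from the training kit). Each operations master role is recorded
# as the fSMORoleOwner attribute of one well-known directory object; the value is the
# DN of the owner's NTDS Settings object, whose parent is the server object.
function Get-FsmoRoleOwner {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    $rolePaths = [ordered]@{
        'Schema master'         = "LDAP://$schemaNc"                      # forest-wide
        'Domain naming master'  = "LDAP://CN=Partitions,$configNc"        # forest-wide
        'PDC emulator'          = "LDAP://$domainNc"                      # per domain
        'RID master'            = "LDAP://CN=RID Manager`$,$domainNc"     # per domain
        'Infrastructure master' = "LDAP://CN=Infrastructure,$domainNc"    # per domain
    }

    foreach ($role in $rolePaths.Keys) {
        $holder = [ADSI]$rolePaths[$role]
        $ntds   = [ADSI]"LDAP://$([string]$holder.fSMORoleOwner)"
        [pscustomobject]@{
            Role  = $role
            Owner = [string]$ntds.Parent.dNSHostName   # server object above NTDS Settings
        }
    }
}

# Compare the live owners with a known-good baseline (role name -> expected FQDN).
# A CHANGED row after an outage is the cue to check whether a seizure was authorised
# and whether the old holder has been kept permanently offline.
function Compare-FsmoBaseline {
    param([hashtable]$Expected)
    foreach ($entry in Get-FsmoRoleOwner) {
        $want = $Expected[$entry.Role]
        [pscustomobject]@{
            Role     = $entry.Role
            Owner    = $entry.Owner
            Expected = $want
            Status   = if ($want -and ($want -ieq $entry.Owner)) { 'OK' } else { 'CHANGED' }
        }
    }
}

# Assumed baseline for the lab forest in the practice above (all roles on Server1).
$baseline = @{
    'Schema master'         = 'server1.contoso.com'
    'Domain naming master'  = 'server1.contoso.com'
    'PDC emulator'          = 'server1.contoso.com'
    'RID master'            = 'server1.contoso.com'
    'Infrastructure master' = 'server1.contoso.com'
}
Compare-FsmoBaseline -Expected $baseline | Format-Table -AutoSize
```

Run it from a domain-joined host as a user with read access to the directory; the per-domain rows report the domain the host belongs to, so repeat it against each domain of the forest.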
The process for managing administrative risk is as follows:
1. Recognize the vulnerabilities introduced by network administration.
2. Establish security boundaries. Understanding the security boundaries provided by the operating system is essential in determining the scope of authority that administrators have. In addition to understanding where these boundaries are, you must also understand when to apply them. To do so, you need to know the key concepts of isolation and autonomy as they relate to service administration and data administration.
3. Reduce the administration attack surface. Reducing the attack surface is a sound security design principle that can be applied to any part of your security design. If you can reduce the number of things that can be attacked or the avenues that can be used to attack them, the network will be more secure. Reducing the attack surface can take many forms, but one of the easiest things to do is to eliminate things that are not needed. To reduce the ability of attackers to use administrative accounts and channels to attack networks, reduce the number of things in total that administrators must manage and reduce or partition the scope of their management by delegating authority. While these actions are also examples of least privilege, they illustrate a reduction in the attack surface quite nicely. If the administrator's account were to be compromised, the attacker would have less ability to do damage because the surface or range of things that can be attacked has been reduced.
4. Evaluate and carefully judge your administrators. The people who are trusted with the administration of your network must be trustworthy. Although you can limit authority, every bit of authority can be used to destroy important parts of your systems and data. In addition, at some point, someone must have absolute authority to keep systems running, correct errors introduced by others, troubleshoot problems, and so on. Checking the backgrounds of potential administrators and repeating the process periodically is crucial to the survival of your information systems.
5. Monitor and audit administrative work. Administrators are people: they make mistakes, they have needs and desires, they face temptations, and they are as likely to want to harm systems as any other employee. The difference is that administrators have the power and authority to harm systems easily. Often because an administrator has unlimited privileges, an attacker with administrative credentials or a malicious administrator can prevent operations from being audited or can delete the audit record of his activity by deleting the security log.
The following topics provide the information and guidelines you need to complete most of these tasks.
Note Evaluating the trustworthiness of administrators is beyond the scope of this book, but it must be done. It is a topic for the legal and human resources departments of your organization to pursue. You can, however, protect your network from untrustworthy administrators by ensuring sound security principles are practiced, by designing an Active Directory infrastructure that meets your autonomy and isolation needs, and by auditing the actions of administrators. Auditing is discussed in Chapter 9.
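Step 5 above notes that an administrator can erase the record of his own activity by clearing the security log; clearing the log is itself audited, which gives the monitoring side something to look for. The following PowerShell is an added example, not code from the training kit: it reports Security-log clearing events and the account responsible. Event 517 records this on Windows 2000 and Server 2003, event 1102 on Windows Vista and Server 2008 and later. Because the same administrator can clear the local log again, read these events from a forwarded or collected copy wherever one exists.

```powershell
# Added example (not from the training kit): find "audit log was cleared" events.
#   517  = Windows 2000 / Server 2003 Security log
#   1102 = Windows Vista / Server 2008 and later
function Find-AuditLogCleared {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # domain controller or collector
        [int]$Days = 30
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 517, 1102
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event 1102 carries the clearing account in UserData/LogFileCleared;
            # the classic 517 event only names it in the message text, so fall back to that.
            $x   = [xml]$_.ToXml()
            $who = $x.Event.UserData.LogFileCleared.SubjectUserName
            if ($who) {
                $who = "$($x.Event.UserData.LogFileCleared.SubjectDomainName)\$who"
            } else {
                $who = ($_.Message -split "`n")[0]
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                EventId  = $_.Id
                Subject  = $who
            }
        }
}

# Review the last 90 days on every domain controller of the current domain.
# Any row here should match a change record; an unexplained one is an incident.
$dcs = ([ADSI]'LDAP://RootDSE').dnsHostName
foreach ($dc in $dcs) {
    Find-AuditLogCleared -ComputerName $dc -Days 90
} | Format-Table -AutoSize
```

The loop at the end queries only the domain controller that answered the RootDSE request; substitute your own list of domain controllers or a central event collector to cover the whole domain.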
Specifies attributes to be returned from the search. This option is used only if the comparison option /t is set to FALSE. Valid option values are: LDAPattributes, which displays any LDAP attribute; ObjectClass, which specifies that no attributes be displayed; auto, which specifies that only attributes replicated to the global catalog be displayed; and All, which specifies that all attributes contained in an object be displayed.
The user name to use for the query.
Password for authenticating the user name. Must be used with the /u parameter.
The domain to use for authenticating the user name. Must be used with the /u parameter.
Troubleshooting Active Directory Replication
Some of the common problems you might encounter with Active Directory replication include the following:
• New users are not recognized.
• Directory information is out-of-date.
• Service requests are not handled in a timely fashion.
• Domain controllers are unavailable.
Active Directory Replication Troubleshooting Scenarios
Table 5-5 describes some Active Directory replication troubleshooting scenarios.
Table 5-5 Active Directory Replication Troubleshooting Scenarios
Problem: Replication of directory information has stopped.
Cause: The sites containing the clients and domain controllers are not connected by site links to domain controllers in other sites in the network, resulting in a failure to exchange directory information between sites.
Solution: Create a site link from the current site to a site that is connected to the rest of the sites in the network.
Problem: Replication of directory information has slowed but not stopped.
Note that polling and pull replication, rather than notification and push replication, are used between bridgehead servers during intersite replication. Pull replication is more efficient for intersite replication because the destination domain controller knows which replication data to request. In contrast, notification and push replication are more efficient for intrasite replication, when domain controllers are well connected and not restrained by site link schedules.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.
1. What is a site?
2. Which directory partition replica type must be replicated to all domain controllers within the domain?
3. Which type of replication compresses data to save WAN bandwidth?
4. What is the difference between a site link and a connection object?
5. Which of the following actions does not trigger replication?
a. Accessing an object
b. Creating an object
c. Deleting an object
d. Modifying an object
e. Moving an object
Border controls are controls that sit at the junction between trusted and less trusted segments of a network. They can be firewalls, remote access servers, intrusion detection systems (IDSs), packet filtering routers, VPN servers, or a combination of these things that are located on a border between the internal private network and an external network such as the Internet. They can be the same controls used to protect gateways between geographically dispersed segments of a single organization's network or to link partner networks into an extranet. They can also be the same devices used to segment internal networks into areas of trust.
Note Most IT professionals are familiar with IDSs—security screening devices that alert the administrator to potential attacks on the network. Recently, a new type of device known as an intrusion protection system (IPS), which is built to react to and stop an attack without administrative intervention, has emerged on the market. These products detect attacks and can be programmed to respond to them. For example, the device might immediately block all traffic from the identified interloper. In addition, specific types of packets, such as those that are improperly formed (empty, inconsistent, too short, too long, arriving on the wrong ports, and so on), are dropped. Examples of these systems are Jasomi Networks' PeerPoint Intrusion Prevention System (http://www.jasomi.com/peerpointintrusion.html) and Psynapse Technologies' Checkmate Intrusion Protection System (http://www.psynapsetech.com/).
Some capabilities of these new products have been featured in firewalls and IDSs in the past. For example, some IPSs will proactively block data from an IP address or IP address range that appears to be being used in an attack. The difference with these products is the extent to which the product can and does go and the fact that the product is a separate device. The IPS idea is catching on—even the IDS manufacturers are now also touting new IPS features on their IDSs. Read about Cisco's efforts in this area at http://www.cisco.com/en/US/products/sw/secursw/ps2113/ and Internet Security Systems' efforts at http://www.iss.net/products_services/enterprise_protection/.
Firewall Considerations
Many types of firewalls are available. Most, such as Microsoft Internet Security and Acceleration Server, start with the premise that all traffic should be blocked by default and require that the administrator configure access rules. Many provide additional services such as intrusion detection/protection and VPNs. Several issues reduce the effectiveness of firewalls as border controls:
See Also For more information about the certificate chaining process in Windows, see the "Troubleshooting Certificate Status and Revocation" white paper on the TechNet page of the Microsoft Web site at /technet/security/prodtech/pubkey/tshtcrl.asp.
3. When a certificate is presented that cannot be chained back to one of the trusted root CAs, the chain is considered broken, and strictly speaking, the certificate won't be trusted. However, an application could be written that does not check the chain, accepts a chain that does not extend back to a trusted root, or allows the user to accept a certificate regardless of the state of the chain. To understand what will happen in each case requires understanding these elements for the application. Indeed, there are other factors that will also come into play such as CRL checking.
Certificate Chaining on the Internet
The certificate chaining process is managed across the Internet by including the root CA certificate in the certificate store of the browser, and hence, on Windows systems, in the certificate store of the computer. When the browser is first installed, the certificate store includes the root CA certificates of public CAs. When the browser connects to any site that has a certificate that can be chained back to a certificate in its certificate store and then authenticated, a secure channel can be negotiated. If an untrusted certificate (that is, the root CA certificate is not in the store) is presented, it is rejected. However, if the root CA is not present in the Trusted Root or Untrusted Root containers, the user will be prompted to select whether to trust the certificate. The user, in many cases, can accept the certificate without proof of trust, but that is another story.
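The chain-building and trust decision described above is something an application has to perform explicitly; the text notes that an application can be written to skip the chain check, accept a chain that does not reach a trusted root, or leave the decision to the user. The following PowerShell is an added example, not code from the training kit: it builds a chain for a certificate with the .NET X509Chain class, including CRL checking, and reports exactly why a chain is broken rather than silently accepting it. The certificate file path is an assumed placeholder.

```powershell
# Added example (not from the training kit): check a certificate's chain the way a
# correctly written application should, and explain every reason it fails.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$SkipRevocation   # isolated lab only; CRL checking is part of a real check
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($SkipRevocation) { 'NoCheck' } else { 'Online' }
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    # Build() walks leaf -> intermediates -> root using the local certificate stores.
    # It returns $false if the chain does not end at a trusted root, is incomplete,
    # is outside its validity period, or a certificate in it is revoked.
    $trusted = $chain.Build($Certificate)

    $result = [pscustomobject]@{
        Subject  = $Certificate.Subject
        Trusted  = $trusted
        # Subjects from the leaf up; the last entry should be a trusted root CA.
        Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Empty when trusted; otherwise values such as UntrustedRoot, PartialChain,
        # NotTimeValid, Revoked or RevocationStatusUnknown with their explanation.
        Problems = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    $chain.Reset()
    $result
}

# The anti-pattern the lesson describes, an application that "does not check the
# chain", looks like this in .NET: a validation callback that always returns $true.
# It is shown here only so it can be recognised in code review; do not use it.
#   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

# Usage with an exported server certificate (placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\server.cer'
Test-CertificateChain -Certificate $cert | Format-List
```

A result with Trusted set to $false and UntrustedRoot in Problems is the "root CA certificate is not in the store" case from the text; PartialChain means an intermediate could not be found, which is a deployment problem rather than a trust decision.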
Every network has a security infrastructure. Every network has rules about who can use what resource and what they can use it for. The difference between most networks and a network in which the logic of security has been designed is that the network with designed security has a strong foundation on which to build its controls. Each piece of the security puzzle can be snapped into place with minimum disruption to the network. To build this strong foundation, you must first understand certain key concepts. This lesson teaches those concepts.
After this lesson, you will be able to
• Describe the pillars of information security.
• Apply the pillars of information security to your designs.
• Build a logical security infrastructure by using certificate services.
• Identify the components of a public key infrastructure.
Estimated lesson time: 60 minutes
The Pillars of Information Security
To create a logical design, the vague notion of "secure" must be replaced with concrete maxims. These, in turn, must be explained and interpreted so that you can use them as you create your designs. The pillars of information security include authentication, authorization, confidentiality, integrity, and nonrepudiation. These pillars are described in Table 2-1. Your ability to express each one of these concepts is a part of the foundation on which network security rests.
Tip When you develop a logical design, think of the things that are available to fulfill these needs. Remember, however, that technologies change, as do the ways they are expressed.