Windows 2003 Server
Windows 2003 Security Features
At the end of this chapter you should be able to:
Securing Your Windows 2003 System
Windows Server 2003 has features that allow you to secure your network. We will be looking at some of them in this chapter.
Authentication is the process of providing a username and password in order to gain access to a resource. This was discussed in more detail in chapter 3, and IIS authentication was discussed in chapter 13.
Access control allows you to control what level of permissions a user has on a resource. NTFS Permissions were discussed in chapter 5, printer access was discussed in chapter 8, and Active Directory object permissions were discussed in chapter 10.
Encryption allows you to secure your data and is a feature of NTFS. If you want to secure data going between the server and the client you can use IPSec. IPSec is beyond the scope of the 70-290 test.
Windows Server 2003 includes tools to easily change the security settings in your server. We will be looking at these in this chapter.
Service Packs and Hot Fixes
Service packs are a collection of hot fixes. These fix problems in your operating system. You can use Software Update Services, or Windows Update Services, to distribute them. Both were covered briefly in chapter 10.
Using Security Configuration Manager Tools
You can use the Security Configuration Manager tools to create a Security Policy template. This template can be used to apply settings in the policy to a computer. Using the templates you can make sure all your servers, workstations, and domain controllers have the same security settings.
Security templates are text files that contain the settings of a security policy. These files should not be edited with a text editor; they should only be edited with the Security Templates snap-in.
LAB ACTIVITY - Do the lab on page 589. (10 Minutes)
Analyzing the Pre-configured Security Templates
The default template is called Setup Security.inf. All of the other templates are incremental templates. They only change some of the settings.
Applying Security Templates
You can apply a template to the computer through the local security policy, or with a group policy. The local policy can be opened by running SECPOL.MSC.
LAB ACTIVITY - Do the lab on page 593. (10 Minutes)
LAB ACTIVITY - Do the lab on page 595. (10 Minutes)
Security Configuration and Analysis
You can use the Security Configuration and Analysis snap-in to compare the settings in a template against the settings on the computer.
LAB ACTIVITY - Do the lab on page 596. (15 Minutes)
SECEDIT.EXE is a command-line tool that you can use to change security settings.
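The comparison described above, as an added example (not part of the original course notes and not Microsoft's code): a Python script that parses two security template texts and reports each template setting as match, mismatch, or not defined on the computer. Both sample texts are constructed, and the function names are this example's own; on a real server the computer-side text could come from `secedit /export /cfg`.

```python
import configparser

# Constructed sample: fragment of a security template (.inf text file).
TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 3
"""
# Constructed sample: the computer's current settings in the same format.
CURRENT = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
AuditObjectAccess = 0
"""
# [Event Audit] values are a bit mask: 1 = success, 2 = failure.
AUDIT = {"0": "none", "1": "success", "2": "failure", "3": "success and failure"}

def parse_inf(text):
    """Return {section: {setting: value}}; only '=' separates name and value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def compare(template_text, current_text, areas=("System Access", "Event Audit")):
    """Check every setting the template defines against the computer's value."""
    want, have = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for area in areas:
        for name, expected in want.get(area, {}).items():
            actual = have.get(area, {}).get(name)
            if actual is None:
                status = "not defined"
            else:
                status = "match" if actual == expected else "mismatch"
            findings.append((area, name, expected, actual, status))
    return findings

def describe(area, value):
    return AUDIT.get(value, value) if area == "Event Audit" else value

if __name__ == "__main__":
    for area, name, exp, act, status in compare(TEMPLATE, CURRENT):
        print(f"[{area}] {name}: {describe(area, exp)} vs {describe(area, act)} -> {status}")
```

Only settings present in the template are checked, which mirrors how an incremental template changes some settings and leaves the rest alone.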
Auditing Access to Resources and Analyzing Security Logs
You can audit resources in Windows Server 2003. This can be useful if you want to find out whether a user has tried to delete a file, a folder, or other items on your computer. In order to use auditing you have to turn it on at the group policy level and then turn it on at the resource. You can choose to monitor success or failure events.
LAB ACTIVITY - Do the lab on page 600. (10 Minutes)
On a domain controller you would change the audit settings in the Default Domain Controllers Policy. For a member server you would make the change in the group policy applied to the OU that contains the server. On a standalone server you would make the change in the Local Security Policy.
LAB ACTIVITY - Do the lab on page 603. (10 Minutes)
Once you have turned on auditing in the policy, you have to turn it on at the resource.
LAB ACTIVITY - Do the lab on page 606. (10 Minutes)
Analyzing Security Logs
Once you are auditing a resource you can go to the Security event viewer to see any events.
LAB ACTIVITY - Do the lab on page 611. (10 Minutes)
Configuring Event Viewer
With Windows Server 2003 there is some auditing already turned on by default. If you have a lot of security events it can become difficult to find the ones you want. You can configure the event log to assist you in finding events.
LAB ACTIVITY - Do the lab on page 614. (10 Minutes)