
Goals


coligny


Presentation Transcript


  1. Goals • Specify account policies and security • Design security groups • Use shortcut trusts

  2. (Skill 1) Specifying Account Policies and Security • Specifying account security • Define optimal settings • Authentication mechanisms • Account properties • Account policies

  3. (Skill 1) Specifying Account Policies and Security (2) • Authentication mechanisms • LM (LAN Manager) • NTLM (NT LAN Manager) • NTLMv2 (NT LAN Manager version 2) • Kerberos

  4. (Skill 1) Specifying Account Policies and Security (3) • LM (LAN Manager) • Used by Windows NT and Windows 9x clients, sent alongside the NTLM response • Low security: the LM hash is case-insensitive and is built from two independent 7-character halves, so it is cheap to crack • NTLM (NT LAN Manager) • Used by Windows NT and Windows 9x clients • Used by Windows 2000, 2003, and XP clients in certain situations, such as when logging on to a Windows NT domain • Moderate security

  5. (Skill 1) Specifying Account Policies and Security (4) • NTLMv2 (NT LAN Manager version 2) • Used by Windows NT 4.0 SP4 and later clients • Used by Windows 9x clients with the Directory Services Client installed • Used by Windows 2000, 2003, and XP clients in certain situations • High security • Kerberos • Used by Windows 2000, 2003, and XP when logging on to a Windows 2000 or Windows Server 2003 domain • Optimal security • Which response a client sends is governed by the "LAN Manager authentication level" security setting; raising it so that clients send NTLMv2 only (and domain controllers refuse LM and NTLM) removes the weaker responses from the network

  6. (Skill 1) Specifying Account Policies and Security (5) • Account properties • The settings needed depend on the environment and the level of security required • Rules of thumb • Always configure passwords to expire • Properly specify logon restrictions (logon hours and permitted workstations) • Correctly specify account expiration settings for temporary employees • Properly specify remote access and Terminal Services permissions settings
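The rules of thumb above are only useful if someone checks them. The following is an added example, not part of the original slides, that audits the four rules with the ActiveDirectory PowerShell module. It assumes a domain-joined host with RSAT installed and read rights to the domain; the OU `OU=Contractors,DC=corp,DC=example`, the account `contractor01`, and the 30-day and 90-day windows are illustrative choices, not values from the slides.

```powershell
# Added example (not from the original slides): audit the account-property
# rules of thumb with the ActiveDirectory module. Assumes RSAT and read rights;
# the OU, the identity 'contractor01' and the day counts are illustrative.
Import-Module ActiveDirectory

$ou = 'OU=Contractors,DC=corp,DC=example'   # assumed OU holding temporary staff

# 1. "Always configure passwords to expire": enabled users exempt from expiry.
$neverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 2. "Correctly specify account expiration for temporary employees": contractor
#    accounts with no expiry date at all, plus accounts expiring within 30 days.
$noExpiry = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $ou -Properties AccountExpirationDate |
    Where-Object { -not $_.AccountExpirationDate } |
    Select-Object SamAccountName
$expiringSoon = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 30) -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# 3. "Properly specify logon restrictions": contractor accounts with neither
#    logon hours nor a workstation list set. Not necessarily wrong, but review them.
$unrestricted = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $ou -Properties logonHours, LogonWorkstations |
    Where-Object { -not $_.logonHours -and -not $_.LogonWorkstations } |
    Select-Object SamAccountName

# 4. "Properly specify remote access permissions": users explicitly allowed
#    dial-in/VPN access on the account (msNPAllowDialin = TRUE) rather than
#    controlled through remote access policy.
$dialIn = Get-ADUser -Filter { msNPAllowDialin -eq $true } -Properties msNPAllowDialin |
    Select-Object SamAccountName

# Remediation for one contractor (illustrative identity): give the account an
# expiry date and put it back under normal password expiry.
Set-ADUser -Identity 'contractor01' -AccountExpirationDate (Get-Date).AddDays(90) -PasswordNeverExpires $false

# Summary object for the reviewer.
[pscustomobject]@{
    PasswordNeverExpires = $neverExpires
    ContractorsNoExpiry  = $noExpiry
    ExpiringWithin30Days = $expiringSoon
    NoLogonRestrictions  = $unrestricted
    ExplicitDialIn       = $dialIn
}
```

Run it under an account that can read the relevant attributes; `logonHours` is a raw byte array, so the check only tests whether any restriction exists, not what hours are allowed.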

  7. (Skill 1) Specifying Account Policies and Security (6) • Account policies • Used to set user account properties that control the logon process • Three types • Account Lockout • Password • Kerberos • All are configured using the Group Policy Object Editor snap-in or the Group Policy Management Console (GPMC) • For domain accounts these settings take effect only from a GPO linked at the domain level (by default the Default Domain Policy); the same settings in a GPO linked to an OU apply only to the local accounts of the computers in that OU

  8. (Skill 1) Specifying Account Policies and Security (7) • Account Lockout policies • Limit password guessing, whether by users or by attackers, by automatically locking the account once the configured number of failures is reached • Configured by setting three policies • Account lockout threshold • Account lockout duration • Reset account lockout counter after

  9. (Skill 1) Specifying Account Policies and Security (8) • Account lockout threshold: Specifies the number of invalid logon attempts a user can make, after which the account is locked and further logon attempts are refused (0 means accounts are never locked) • Account lockout duration: Sets how long the account stays locked (0 means it stays locked until an administrator unlocks it) • Reset account lockout counter after: Sets the time that must elapse after an invalid logon attempt before the counter returns to 0 (must be less than or equal to the lockout duration when a duration is set) • Trade-off: a low threshold with a long duration lets anyone who knows account names lock users out deliberately, and lockout limits online guessing only; it does nothing against offline cracking of captured hashes

  10. (Skill 1) Specifying Account Policies and Security (9) • Password policies • Allow you to specify how passwords are managed • Policy options (Table 8-2) • Enforce password history • Maximum and minimum password age • Minimum password length • Passwords must meet complexity requirements • Store password using reversible encryption for all users in the domain (leave this disabled: it makes every password recoverable in cleartext by anyone who can read the directory, and is needed only by a few protocols such as CHAP and Digest authentication)
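The lockout and password settings on the two slides above live on the same domain object, so one script can audit both and apply a baseline. This is an added example, not part of the original slides. It assumes the ActiveDirectory module and Domain Admin rights; the target values (threshold 5, 30-minute lockout, 12-character minimum, and so on) are this example's choices rather than figures from the slides.

```powershell
# Added example (not from the original slides): read the domain-level account
# policy, flag the settings a reviewer would question, then apply a baseline.
# Assumes the ActiveDirectory module and Domain Admin rights; the target values
# below are illustrative choices.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DistinguishedName
$pol    = Get-ADDefaultDomainPasswordPolicy -Identity $domain

$findings = @()
# Lockout checks (threshold, duration and reset window interact).
if ($pol.LockoutThreshold -eq 0) {
    $findings += 'Lockout threshold is 0: accounts never lock, so online guessing is unlimited.'
}
if ($pol.LockoutThreshold -gt 0 -and $pol.LockoutThreshold -lt 5) {
    $findings += 'Lockout threshold below 5: trivial for an attacker to lock users out deliberately.'
}
if ($pol.LockoutThreshold -gt 0 -and $pol.LockoutDuration -eq [TimeSpan]::Zero) {
    $findings += 'Lockout duration is 0: locked accounts stay locked until an administrator unlocks them.'
}
if ($pol.LockoutDuration -ne [TimeSpan]::Zero -and $pol.LockoutObservationWindow -gt $pol.LockoutDuration) {
    $findings += 'Reset window exceeds lockout duration; Windows does not accept this combination.'
}
# Password checks.
if ($pol.ReversibleEncryptionEnabled) {
    $findings += 'Reversible encryption is on: passwords are recoverable in cleartext from the directory.'
}
if (-not $pol.ComplexityEnabled)              { $findings += 'Complexity requirements are off.' }
if ($pol.MinPasswordLength -lt 12)            { $findings += "Minimum length is $($pol.MinPasswordLength); 12 or more is recommended." }
if ($pol.PasswordHistoryCount -lt 24)         { $findings += 'History shorter than 24 lets users cycle back to old passwords quickly.' }
if ($pol.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Maximum age is 0: passwords never expire.' }
if ($pol.MinPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Minimum age is 0: users can burn through the history in one sitting.' }

$findings | ForEach-Object { Write-Warning $_ }

# Apply the baseline. Lockout: 5 failures lock the account for 30 minutes and
# the failure counter resets 30 minutes after the last failure (window <= duration).
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -ReversibleEncryptionEnabled $false

# Re-read to confirm what is now in effect.
Get-ADDefaultDomainPasswordPolicy -Identity $domain
```

The authoritative source for these settings is the domain-linked GPO; make the same change in the Default Domain Policy (or whichever domain-linked GPO carries Account Policies) as well, otherwise the next security-policy refresh on the domain controllers can put the old values back.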

  11. (Skill 1) Specifying Account Policies and Security (10) • Kerberos policies • Used in connection with the Kerberos authentication protocol • Apply to domain user and computer accounts only, not to local accounts • The default Kerberos policy values set by the Default Domain Policy are generally suitable for most networks and do not need to be changed

  12. (Skill 1) Specifying Account Policies and Security (11) • Kerberos policies (defaults in parentheses) • Enforce user logon restrictions (Enabled: the KDC checks the user's logon rights on the target computer before issuing a service ticket) • Maximum lifetime for service ticket (600 minutes) • Maximum lifetime for user ticket (10 hours) • Maximum lifetime for user ticket renewal (7 days) • Maximum tolerance for computer clock synchronization (5 minutes; the setting that most often causes failures in practice, since a client or server whose clock drifts past it cannot authenticate)
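Because the slides say the defaults should normally be left alone, the practical check is whether anyone has changed them, and whether clocks are within the tolerance. The following is an added example, not part of the original slides. It reads the Kerberos Policy section of the Default Domain Policy's security template in SYSVOL (the GUID `{31B2F340-016D-11D2-945F-00C04FB984F9}` is the well-known identifier of that GPO), compares it with the built-in defaults, and then measures clock skew against each domain controller. It assumes read access to SYSVOL, WinRM/CIM access to the DCs, and the ActiveDirectory module; the 80 percent warning threshold is this example's choice.

```powershell
# Added example (not from the original slides): compare the stored Kerberos
# Policy with the built-in defaults and check DC clock skew. Assumes SYSVOL
# read access, CIM access to the DCs and the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDns = (Get-ADDomain).DNSRoot
$template  = "\\$domainDns\SYSVOL\$domainDns\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# Built-in defaults as they appear in GptTmpl.inf: MaxTicketAge in hours,
# MaxRenewAge in days, MaxServiceAge in minutes, MaxClockSkew in minutes,
# TicketValidateClient = 1 is "Enforce user logon restrictions: Enabled".
$defaults = [ordered]@{
    MaxTicketAge         = 10
    MaxRenewAge          = 7
    MaxServiceAge        = 600
    MaxClockSkew         = 5
    TicketValidateClient = 1
}

function Get-KerberosPolicySection([string]$Path) {
    # Minimal INI reader: return the key/value pairs of [Kerberos Policy].
    $section = $null
    $result  = @{}
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Kerberos Policy' -and $line -match '^(\w+)\s*=\s*(.+)$') {
            $result[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $result
}

$policy = Get-KerberosPolicySection -Path $template
foreach ($key in $defaults.Keys) {
    $actual = $policy[$key]
    if ($null -eq $actual) {
        "$key : not present in the template (built-in default $($defaults[$key]) applies)"
    } elseif ("$actual" -ne "$($defaults[$key])") {
        Write-Warning "$key is $actual; built-in default is $($defaults[$key]). Find out why it was changed."
    } else {
        "$key : $actual (default)"
    }
}

# Clock skew: compare each DC's clock with this host and warn when the
# difference approaches the tolerance (80% is an illustrative threshold).
$toleranceSec = (New-TimeSpan -Minutes $defaults.MaxClockSkew).TotalSeconds
foreach ($dc in Get-ADDomainController -Filter *) {
    $remoteNow = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc.HostName).LocalDateTime
    $skewSec   = [Math]::Abs(((Get-Date) - $remoteNow).TotalSeconds)
    if ($skewSec -gt $toleranceSec * 0.8) {
        Write-Warning "$($dc.HostName): clock differs by $([int]$skewSec) s; Kerberos fails beyond $toleranceSec s."
    } else {
        "$($dc.HostName): skew $([int]$skewSec) s (ok)"
    }
}
```

If Kerberos policy has been moved into a different domain-linked GPO, point `$template` at that GPO's folder instead; the section name and keys are the same in every security template.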

  13. (Skill 1) Figure 8-1 Account settings to configure for increased security

  14. (Skill 1) Figure 8-2 Kerberos Policy in the Group Policy Object Editor

  15. (Skill 2) Designing Security Groups (2) • Microsoft rule is the preferred strategy for building and using groups • A-G-DL-P: User Accounts go into Global groups, which go into Domain Local groups, which are assigned Permissions • Benefits of Microsoft rule • Modularity • Ease of modification • Reduction in the size of the global group list

  16. (Skill 2) Designing Security Groups (3) • Using universal groups • Before creating universal groups, make sure membership of those groups will not change frequently: universal group membership is stored in the global catalog and replicated to every GC in the forest, so churn costs replication traffic (Windows Server 2003 forest functional level reduces this with linked-value replication, but does not remove it) • Never add a user account as a member of a universal group; instead add global groups • Universal groups are designed for one specific situation – when you need multiple users in multiple domains to have the same access to multiple resources in multiple domains • Modification to the Microsoft rule for universal groups: A-G-U-DL-P
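The A-G-DL-P and A-G-U-DL-P chains are easier to hold onto with one concrete resource. The following is an added example, not part of the original slides: it creates one role group, one resource group and the universal aggregation group, assigns the NTFS permission to the domain local group only, and then audits every universal security group for direct user members. It assumes the ActiveDirectory module, rights to create groups and set ACLs, and PowerShell 5 or later; the OU, group, user, server and share names are illustrative.

```powershell
# Added example (not from the original slides): build an A-G-DL-P chain for one
# share and audit universal groups for direct user members. Assumes the
# ActiveDirectory module, rights to create groups and set ACLs, PowerShell 5+;
# every name below is illustrative.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=corp,DC=example'
$sharePath = '\\fs01.corp.example\Finance'

# A -> G : accounts go into a global group that represents a role.
New-ADGroup -Name 'GG-Finance-Analysts' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'GG-Finance-Analysts' -Members 'alice', 'bob'

# G -> DL : the role group goes into a domain local group that represents one
# level of access to one resource. Name it after resource and access level.
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance-Analysts'

# DL -> P : the permission is granted to the domain local group and nothing else.
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CORP\DL-FinanceShare-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# A-G-U-DL-P : a universal group aggregates global groups from several domains
# and is itself nested into the domain local group. Only global groups go in.
New-ADGroup -Name 'UG-Finance-AllDomains' -GroupScope Universal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'UG-Finance-AllDomains' -Members 'GG-Finance-Analysts'
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'UG-Finance-AllDomains'

# Audit: universal security groups that contain user accounts directly violate
# the rule above, and every such membership change replicates to every GC.
Get-ADGroup -Filter { GroupScope -eq 'Universal' -and GroupCategory -eq 'Security' } |
    ForEach-Object {
        $users = Get-ADGroupMember -Identity $_ | Where-Object objectClass -eq 'user'
        if ($users) {
            [pscustomobject]@{ Group = $_.Name; DirectUsers = ($users.SamAccountName -join ', ') }
        }
    }
```

Global groups from another domain must be referenced by distinguished name or SID when added to the universal group, since `Add-ADGroupMember` resolves a bare sAMAccountName in the current domain only.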

  17. (Skill 2) Figure 8-3 Using the Microsoft rule

  18. (Skill 2) Figure 8-4 The use of universal groups

  19. (Skill 3) Using Shortcut Trusts • Shortcut trust • A trust established to reduce the normal Kerberos trust resolution path between domains in the same forest; without it, a referral must walk up and down the domain tree through each intervening domain • Can be created one-way or two-way • When a shortcut trust should be used • Domain design is at least partly geographically based • Many users access resources in another domain with which they have no direct trust relationship • A faster resolution path can be created by using a shortcut trust
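The slide's own tool for this is the Active Directory Domains and Trusts console; the command-line equivalent is netdom. The following is an added example, not part of the original slides, that creates and verifies a two-way shortcut trust between two child domains of one forest and then lists the domain's trusts, singling out the shortcut ones. It assumes Domain Admin rights in both domains (the `Administrator` accounts are placeholders) and the ActiveDirectory module; the domain names are illustrative.

```powershell
# Added example (not from the original slides): create, verify and list a
# shortcut trust. Assumes Domain Admin rights in both domains and the
# ActiveDirectory module; domain and account names are illustrative.
Import-Module ActiveDirectory

$trusting = 'emea.corp.example'   # domain whose resources are being accessed
$trusted  = 'apac.corp.example'   # domain whose users access them

# /add creates the trust, /twoway makes it bidirectional, '*' prompts for each
# password instead of putting it on the command line.
netdom trust $trusting /d:$trusted /add /twoway /UserD:"$trusted\Administrator" /PasswordD:* /UserO:"$trusting\Administrator" /PasswordO:*

# Confirm the secure channel works in both directions before relying on it.
netdom trust $trusting /d:$trusted /verify /twoway

# Shortcut trusts are stored like any other intra-forest trust. From this
# domain's point of view, an intra-forest trust whose partner is neither our
# parent nor one of our children is a shortcut (a tree-root trust between two
# domain trees of the same forest would also match this test).
$me = (Get-ADDomain).DNSRoot
Get-ADTrust -Filter * | Where-Object {
    $_.IntraForest -and
    $_.Target -ne ($me -replace '^[^.]+\.', '') -and   # not the parent domain
    -not $_.Target.EndsWith(".$me")                     # not a child domain
} | Select-Object Name, Direction, Target
```

Create the trust from a domain controller or a host with the administration tools, and re-run the `/verify` step after any DC replacement in either domain, since a broken trust secure channel reproduces exactly the slow or failing cross-domain access the shortcut was meant to fix.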

  20. (Skill 3) Figure 8-5 Use of shortcut trusts
