Goals • Specify account policies and security • Design security groups • Use shortcut trusts
(Skill 1) Specifying Account Policies and Security • Specifying account security • Define optimal settings • Authentication mechanisms • Account properties • Account policies
(Skill 1) Specifying Account Policies and Security (2) • Authentication mechanisms, from weakest to strongest • LM (LAN Manager) • NTLM (NT LAN Manager) • NTLM2 (NT LAN Manager version 2, usually written NTLMv2) • Kerberos
(Skill 1) Specifying Account Policies and Security (3) • LM (LAN Manager) • Used by Windows 9x clients; Windows NT clients send the LM response alongside the NTLM response unless configured not to • Low security: the LM hash uppercases the password, pads or truncates it to 14 characters, and DES-encrypts the two 7-character halves separately with no salt, so each half can be cracked on its own • NTLM (NT LAN Manager) • Used by Windows NT and Windows 9x clients • Used by Windows 2000, 2003, and XP clients in certain situations, such as when logging on to a Windows NT domain • Moderate security: the NT hash (MD4 of the Unicode password) is case-sensitive and not split, but the NTLMv1 challenge-response gives no mutual authentication and a captured exchange can be cracked offline
(Skill 1) Specifying Account Policies and Security (4) • NTLM2 (NTLMv2) • Used by Windows NT SP4 clients • Used by Windows 9x clients with Directory Services Client installed • Used by Windows 2000, 2003, and XP clients when Kerberos cannot be used (server addressed by IP, no SPN registered, workgroup or down-level domain) and the LAN Manager authentication level is 3 or higher • High security: HMAC-MD5 response keyed with the NT hash over the server challenge, a client challenge and a timestamp, which defeats precomputed attacks on the response but not relay of a live exchange • Kerberos • Used by Windows 2000, 2003, and XP when logging on to a Windows 2000 or Windows Server 2003 domain • Optimal security: mutual authentication with tickets and no password-derived value sent to the server; depends on DNS, registered SPNs, and clocks within the policy's skew tolerance
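Before moving clients off LM and NTLMv1, an administrator wants to know which ones still use them. The PowerShell below is an added example, not part of the course material: it summarises successful logons (event 4624) by authentication package, then applies the two registry values behind the "LAN Manager authentication level" and "Do not store LAN Manager hash value" policies. Run it on a domain controller as an administrator; the registry path, event field names and level meanings are the documented ones, the function names are this example's own.

```powershell
# Added example (not from the course slides): find who still authenticates with
# LM / NTLM V1, then harden the LSA settings. Run elevated on a domain controller.

function Get-NtlmUsageSummary {
    param([int]$MaxEvents = 5000)
    # 4624 = successful logon. AuthenticationPackageName is Kerberos/NTLM/Negotiate;
    # LmPackageName names the NTLM flavour ("LM", "NTLM V1", "NTLM V2") or "-" for Kerberos.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents
    $rows = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Package   = $d['AuthenticationPackageName']
            LmPackage = $d['LmPackageName']
            Account   = $d['TargetUserName']
            Source    = $d['IpAddress']
        }
    }
    # Accounts arriving over LM or NTLM V1 are the ones that break at higher levels.
    $rows | Group-Object Package, LmPackage | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Protocol'; e = { $_.Name } }
}

# LmCompatibilityLevel (HKLM\SYSTEM\CurrentControlSet\Control\Lsa):
#   0 send LM & NTLM responses
#   1 send LM & NTLM, use NTLMv2 session security if negotiated
#   2 send NTLM response only
#   3 send NTLMv2 response only
#   4 send NTLMv2 only; DC refuses LM
#   5 send NTLMv2 only; DC refuses LM and NTLM
function Set-LanManagerHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 5)][int]$Level = 5)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $before = Get-ItemProperty -Path $lsa
    # NoLMHash = 1 stops the LM hash being stored at the NEXT password change;
    # existing LM hashes remain until each user changes password.
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value $Level -Type DWord
    [pscustomobject]@{
        OldLevel    = $before.LmCompatibilityLevel
        NewLevel    = $Level
        OldNoLMHash = $before.NoLMHash
    }
}

Get-NtlmUsageSummary | Format-Table -AutoSize
Set-LanManagerHardening -Level 5 -WhatIf   # drop -WhatIf to apply
```

Raise the level only after the summary shows no "NTLM V1" or "LM" rows you still depend on; in a domain the same two values are normally set through Group Policy so that they cannot drift per machine.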
(Skill 1) Specifying Account Policies and Security (5) • Account properties • Settings required depend on the environment and the level of security required • Rules of thumb • Always configure passwords to expire (do not set Password never expires on ordinary user accounts, which exempts them from the domain password age) • Properly specify logon restrictions (logon hours and the workstations an account may log on to) • Correctly specify account expiration settings for temporary employees so that access ends without anyone having to remember • Properly specify remote access (dial-in) and Terminal Services permission settings rather than leaving the defaults
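The four rules of thumb are easy to state and easy to drift from, so they are worth auditing with a script. The following is an added example, not from the course slides: it needs the ActiveDirectory module (RSAT), and the Contractors OU path, the privileged group name and the sample account name are assumptions made for illustration.

```powershell
# Added example (not from the course slides): audit per-account properties against
# the four rules of thumb. Contractors OU, group name and account name are assumed.
Import-Module ActiveDirectory

function Get-AccountPropertyFindings {
    param(
        [string]$ContractorOU       = 'OU=Contractors,DC=contoso,DC=com',   # assumed OU
        [string]$PrivilegedGroup    = 'Domain Admins',
        [int]   $ExpiringWithinDays = 14
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Account, $Finding) {
        $findings.Add([pscustomobject]@{ Account = $Account; Finding = $Finding })
    }

    # Rule 1: passwords must expire. "Password never expires" exempts the account
    # from the domain's Maximum password age.
    Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object Enabled |
        ForEach-Object { Add-Finding $_.SamAccountName 'PasswordNeverExpires set' }

    # Rule 2: logon restrictions. A privileged account with no workstation
    # restriction can be used from any machine, including a compromised one.
    Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations } |
        ForEach-Object { Add-Finding $_.SamAccountName "$PrivilegedGroup member without LogonWorkstations restriction" }

    # Rule 3: temporary staff need an expiration date (AccountExpirationDate is $null
    # when the account never expires); also list accounts about to expire.
    Get-ADUser -SearchBase $ContractorOU -Filter 'Enabled -eq $true' -Properties AccountExpirationDate |
        Where-Object { -not $_.AccountExpirationDate } |
        ForEach-Object { Add-Finding $_.SamAccountName 'Contractor account without expiration date' }
    Search-ADAccount -AccountExpiring -TimeSpan ([timespan]::FromDays($ExpiringWithinDays)) -UsersOnly |
        ForEach-Object { Add-Finding $_.SamAccountName "Expires $($_.AccountExpirationDate)" }

    # Rule 4: remote access. msNPAllowDialin = TRUE is the explicit "Allow access"
    # dial-in permission. (Terminal Services logon permission lives in the
    # userParameters blob and is not checked here.)
    Get-ADUser -Filter 'msNPAllowDialin -eq $true' |
        ForEach-Object { Add-Finding $_.SamAccountName 'Dial-in/VPN access explicitly allowed' }

    $findings
}

# Remediation for rule 3: give a contractor account a hard end date.
function Set-ContractorExpiry {
    param([string]$SamAccountName, [datetime]$Ends)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $Ends
    Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate |
        Select-Object SamAccountName, AccountExpirationDate
}

Get-AccountPropertyFindings | Sort-Object Finding, Account | Format-Table -AutoSize
Set-ContractorExpiry -SamAccountName 'contractor01' -Ends (Get-Date).AddDays(90)   # assumed account
```

Run the audit on a schedule; the findings list is small enough to review by hand, and the expiring-soon rows make renewals a deliberate decision instead of a help-desk surprise.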
(Skill 1) Specifying Account Policies and Security (6) • Account policies • Used to set user account properties that control the logon process • Three types • Account Lockout • Password • Kerberos • All are configured using the Group Policy Object Editor snap-in or the Group Policy Management Console (GPMC) • For domain accounts, only the account policies in GPOs linked at the domain level (normally the Default Domain Policy) take effect; account policies in OU-linked GPOs apply only to the local accounts of the computers in that OU
(Skill 1) Specifying Account Policies and Security (7) • Account Lockout policies • Slow down password guessing against an account by locking it automatically after a set number of failed attempts • Configured by setting three policies • Account lockout threshold • Account lockout duration • Reset account lockout counter after
(Skill 1) Specifying Account Policies and Security (8) • Account lockout threshold: Specifies the number of invalid logon attempts a user can make, after which the account is locked and further logon attempts are refused; 0 means the account is never locked out • Account lockout duration: Sets how long the account stays locked out (it is not disabled); 0 means it stays locked until an administrator unlocks it • Reset account lockout counter after: Sets how long must pass after the most recent invalid attempt before the counter returns to 0; it must be less than or equal to the lockout duration • Trade-off: a low threshold lets anyone who knows user names lock accounts on purpose, so pair a moderate threshold with monitoring of lockout events rather than relying on a very small threshold
(Skill 1) Specifying Account Policies and Security (9) • Password policies • Allow you to specify how passwords are managed • Policy options (Table 8-2) • Enforce password history • Maximum and minimum password age (a minimum age of 0 lets a user cycle through the whole history in minutes to get back to the old password) • Minimum password length • Passwords must meet complexity requirements • Store password using reversible encryption for all users in the domain: leave disabled; it keeps a recoverable plaintext equivalent in the directory and is needed only by protocols such as CHAP or Digest authentication
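The lockout and password settings above live in one object, so they can be checked and set together. The script below is an added example and not part of the course slides: it reads the effective domain policy, reports drift from a baseline, and writes the baseline to the Default Domain Policy. The baseline numbers are this example's assumptions, not values the slides prescribe; the cmdlets and parameter names are those of the ActiveDirectory module.

```powershell
# Added example (not from the course slides): compare the domain account policy
# with a baseline and apply it. Baseline values are assumptions for illustration.
Import-Module ActiveDirectory

$Baseline = @{
    LockoutThreshold            = 10                   # 0 would disable lockout entirely
    LockoutDuration             = [timespan]'00:30:00'
    LockoutObservationWindow    = [timespan]'00:30:00' # "Reset account lockout counter after"; must be <= duration
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [timespan]'90.00:00:00'
    MinPasswordAge              = [timespan]'1.00:00:00' # 0 lets users burn through the history at once
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false                 # reversible == plaintext to anyone who dumps the DIT
}

function Compare-DomainAccountPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $have = $current.$name
        $want = $Baseline[$name]
        [pscustomobject]@{
            Setting  = $name
            Current  = $have
            Baseline = $want
            Status   = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
        }
    }
}

function Set-DomainAccountPolicyBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Account policies for domain accounts are honoured only from the GPO linked at
    # the domain root; this cmdlet writes to that policy.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Baseline
}

Compare-DomainAccountPolicy | Format-Table -AutoSize
Set-DomainAccountPolicyBaseline -WhatIf      # drop -WhatIf to apply

# Legacy view of the same settings, useful on servers without the AD module:
net accounts /domain
```

The comparison is the part worth keeping: the same baseline hashtable can be versioned and re-run after every GPO change to catch someone quietly lowering the minimum length or turning on reversible encryption.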
(Skill 1) Specifying Account Policies and Security (10) • Kerberos policies • Used in connection with the Kerberos authentication protocol • Apply only to domain user accounts or computer accounts • Default Kerberos policy values set by the Default Domain Policy are generally suitable for most networks and do not need to be changed; in particular, widening the clock tolerance lengthens the window in which a captured authenticator can be replayed
(Skill 1) Specifying Account Policies and Security (11) • Kerberos policies • Enforce user logon restrictions (default: enabled) • Maximum lifetime for service ticket (default: 600 minutes) • Maximum lifetime for user ticket (default: 10 hours) • Maximum lifetime for user ticket renewal (default: 7 days) • Maximum tolerance for computer clock synchronization (default: 5 minutes)
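Because the advice is "leave the defaults", the useful check is whether anyone has changed them. The script below is an added example, not from the course slides: it parses the [Kerberos Policy] section of a security template (the format the Default Domain Policy stores in SYSVOL) and flags values that differ from the defaults above. The INF text embedded here is constructed for the example; the SYSVOL path uses the well-known GUID of the Default Domain Policy.

```powershell
# Added example (not from the course slides): parse [Kerberos Policy] from a
# GptTmpl.inf and compare with the defaults. Sample INF below is constructed.
$KerberosDefaults = @{
    TicketValidateClient = 1     # Enforce user logon restrictions
    MaxServiceAge        = 600   # minutes: service ticket lifetime
    MaxTicketAge         = 10    # hours:   user ticket (TGT) lifetime
    MaxRenewAge          = 7     # days:    TGT renewal lifetime
    MaxClockSkew         = 5     # minutes: clock tolerance
}

function Get-KerberosPolicyFromInf {
    param([string[]]$Lines)
    $inSection = $false
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    $policy
}

function Compare-KerberosPolicy {
    param([hashtable]$Policy)
    foreach ($k in ($KerberosDefaults.Keys | Sort-Object)) {
        [pscustomobject]@{
            Setting    = $k
            Default    = $KerberosDefaults[$k]
            Configured = $Policy[$k]
            Status     = if ($Policy[$k] -eq $KerberosDefaults[$k]) { 'default' } else { 'CHANGED' }
        }
    }
}

# Constructed sample: someone widened the clock skew to 30 minutes, giving a
# replayed authenticator six times the default lifetime.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 30
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Compare-KerberosPolicy (Get-KerberosPolicyFromInf $sampleInf) | Format-Table -AutoSize

# On a domain controller, read the live Default Domain Policy template instead.
function Get-LiveKerberosPolicy {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $path = "\\$Domain\SYSVOL\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    Get-KerberosPolicyFromInf (Get-Content -Path $path)
}
```

The sample run reports MaxClockSkew as CHANGED and the other four as default. Against the live file, `Compare-KerberosPolicy (Get-LiveKerberosPolicy)` gives the same table for the domain; if a time-sync problem is driving someone to widen the skew, fix the time source rather than the policy.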
(Skill 1) Figure 8-1 Account settings to configure for increased security
(Skill 1) Figure 8-2 Kerberos Policy in the Group Policy Object Editor
(Skill 2) Designing Security Groups (2) • Microsoft rule is the preferred strategy for building and using groups • A-G-DL-P: user Accounts go into Global groups, which go into Domain Local groups, which are assigned Permissions • Benefits of Microsoft rule • Modularity: a global group describes a role, a domain local group describes access to one resource • Ease of modification: moving a user between roles changes one group membership and no ACL • Shorter access control lists: each resource carries one entry for its domain local group instead of one per user or per global group
(Skill 2) Designing Security Groups (3) • Using universal groups • Before creating universal groups, make sure membership of those groups will not change frequently • Never add a user account as a member of a universal group; instead add global groups • Universal groups are designed for one specific situation: when you need multiple users in multiple domains to have the same access to multiple resources in multiple domains • Universal group membership is stored on every global catalog server in the forest, so each membership change replicates forest-wide; that is why membership should be stable and made of global groups rather than user accounts • Modification to Microsoft rule for universal groups: A-G-U-DL-P
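The A-G-DL-P chain is a procedure, so here it is as a script. This is an added example and not part of the course material: it creates the global and domain local groups, nests them, puts a single ACE for the domain local group on a folder, and then checks every universal group for the mistake the slide warns about (user accounts as direct members). Group names, the OU path and the share path are this example's assumptions; it needs the ActiveDirectory module and rights on the target folder.

```powershell
# Added example (not from the course slides): build an A-G-DL-P chain for one
# resource and audit universal groups. Names, OU and share path are assumed.
Import-Module ActiveDirectory

function New-AgdlpChain {
    param(
        [string]  $Role      = 'HR-Staff',                        # the people (G)
        [string]  $Resource  = 'HR-Data',                         # the resource (DL)
        [string]  $SharePath = '\\fs01\HR-Data',
        [string]  $GroupOU   = 'OU=Groups,DC=contoso,DC=com',
        [string[]]$Members   = @()                                # sAMAccountNames for G
    )
    $gg = "GG-$Role"
    $dl = "DL-$Resource-Modify"

    # A -> G: accounts go into a global group (membership replicates only within its domain).
    if (-not (Get-ADGroup -Filter "Name -eq '$gg'")) {
        New-ADGroup -Name $gg -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    if ($Members) { Add-ADGroupMember -Identity $gg -Members $Members }

    # G -> DL: the domain local group is the only principal the ACL will name.
    if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
        New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
    Add-ADGroupMember -Identity $dl -Members $gg

    # DL -> P: one inheritable Modify ACE on the folder, never one per user.
    $acl  = Get-Acl -Path $SharePath
    $sid  = (Get-ADGroup -Identity $dl).SID
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $SharePath -AclObject $acl

    [pscustomobject]@{ Global = $gg; DomainLocal = $dl; Resource = $SharePath }
}

# Universal groups: membership is held on every global catalog in the forest, so a
# user placed directly in one turns every join/leave into forest-wide replication.
function Get-UniversalGroupViolations {
    foreach ($u in Get-ADGroup -Filter 'GroupScope -eq "Universal" -and GroupCategory -eq "Security"') {
        $direct = Get-ADGroupMember -Identity $u               # direct members only (no -Recursive)
        $users  = @($direct | Where-Object objectClass -eq 'user')
        if ($users.Count -gt 0) {
            [pscustomobject]@{
                Group       = $u.Name
                DirectUsers = ($users.SamAccountName -join ',')
                Fix         = 'Move these accounts into a global group and nest that instead'
            }
        }
    }
}

New-AgdlpChain -Members 'alice', 'bob'          # assumed account names
Get-UniversalGroupViolations | Format-Table -AutoSize
```

For the A-G-U-DL-P variant, the universal group sits between the global groups from each domain and the domain local group: nest each domain's GG-* into a universal group, then nest the universal group into the DL-* group; the ACL step does not change.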
(Skill 2) Figure 8-3 Using the Microsoft rule
(Skill 2) Figure 8-4 The use of universal groups
(Skill 3) Using Shortcut Trusts • Shortcut trust • A transitive, one-way or two-way trust created manually between two domains in the same forest to shorten the normal Kerberos trust resolution path, which otherwise follows the automatic parent-child and tree-root trusts up toward the forest root and back down • When a shortcut trust should be used • Domain design is at least partly geographically based • Many users access resources in another domain with which their domain has no direct trust, so each cross-domain access collects a referral ticket at every hop • A faster resolution path can be created by using a shortcut trust
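A trust listing does not label shortcut trusts as such; they are the intra-forest trusts that are not to the parent, a child, or a tree root. The script below is an added example and not part of the course slides: it classifies the current domain's trusts that way, then shows the `netdom trust` command that creates a two-way shortcut. The domain names are assumptions for illustration; `Get-ADTrust` comes from the ActiveDirectory module.

```powershell
# Added example (not from the course slides): classify trusts so shortcut trusts
# stand out, then create one with netdom. Domain names are assumed.
Import-Module ActiveDirectory

function Get-DomainTrustMap {
    $dom        = Get-ADDomain
    $forestRoot = (Get-ADForest).RootDomain
    # Automatic trusts: to the parent, to each child, and between the forest root
    # and the root domain of every additional tree.
    $treeLinks  = @($dom.ParentDomain) + @($dom.ChildDomains) | Where-Object { $_ }
    foreach ($t in Get-ADTrust -Filter *) {
        $target = $t.Target
        $isTreeRootLink = ($dom.DNSRoot -eq $forestRoot -and $target -notlike "*.$forestRoot") -or
                          ($target -eq $forestRoot -and $dom.DNSRoot -notlike "*.$forestRoot")
        $kind = if (-not $t.IntraForest)           { 'external/forest' }
                elseif ($treeLinks -contains $target) { 'parent/child' }
                elseif ($isTreeRootLink)            { 'tree root' }
                else                                { 'shortcut' }   # intra-forest, not adjacent in the tree
        [pscustomobject]@{
            Partner   = $target
            Direction = $t.Direction      # Inbound, Outbound or BiDirectional
            Kind      = $kind
        }
    }
}

Get-DomainTrustMap | Format-Table -AutoSize

# Create a two-way shortcut trust between two domains in different branches of the
# forest (assumed names). "*" prompts for each password; run as an admin of both.
netdom trust sales.east.contoso.com /d:eng.west.contoso.com /add /twoway /UserD:WEST\Administrator /PasswordD:* /UserO:EAST\Administrator /PasswordO:*
netdom trust sales.east.contoso.com /d:eng.west.contoso.com /verify

# Effect seen from a client in sales.east after touching a server in eng.west:
# without the shortcut, one inter-realm krbtgt/ ticket per hop (east, contoso.com,
# west, eng.west); with it, a single krbtgt/ENG.WEST.CONTOSO.COM entry.
klist | Select-String 'krbtgt/'
```

Rerun `Get-DomainTrustMap` after `netdom` finishes; the new partner should appear with Kind `shortcut` and Direction `BiDirectional`.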
(Skill 3) Figure 8-5 Use of shortcut trusts