essential security tips.pdf

(835 KB) Pobierz
Aelita.Exchange.01_
Tr icks
& Tr a p s
eBook Series
Security
Tips
By Randy Franklin Smith
and John Savill
®
Security
Essential
104590051.003.png 104590051.004.png
i
Books
®
Contents
Chapter 1 Passwords and Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Tip 6: Resetting the Directory Service Restore Mode Administrator Password . . . . . . . 6
Tip 8: Specifying Spooler Permissions on Just One DC . . . . . . . . . . . . . . . . . . . . . . 7
Tip 12: Changing a Domain User’s Password from the Command Line . . . . . . . . . . . 11
Tip 15: Enabling Debug Logging for IP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Tip 16: Using Log Parser to Audit Domain Logons . . . . . . . . . . . . . . . . . . . . . . . . . 14
Tip 21: Deciphering Security Event ID 529 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Tip 26: Using Windows Update with Security Policies . . . . . . . . . . . . . . . . . . . . . . . 29
Tip 27: Using One GPO to Control Both Windows XP and Windows 2000 Settings . . 30
Tip 31: Understanding Group Policy’s Block Policy Inheritance and
104590051.005.png
ii Essential Security Tips
Tip 32: Defining IP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Tip 33: Stopping and Restarting the IP Security Policy Agent . . . . . . . . . . . . . . . . . . 35
Tip 39: Defining the IP Security/Layer Two Tunneling Protocol NAT-T Update . . . . . . 43
Tip 40: Disabling IP Security on a VPN Connection that Uses Layer
Tip 42: Defining Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Tip 44: Distributing a Long-Term Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Tip 47: Changing the Ticket Lifetime Used by Kerberos . . . . . . . . . . . . . . . . . . . . . . 49
Tip 49: Windows NT LAN Manager Versus Kerberos Use . . . . . . . . . . . . . . . . . . . . . 51
104590051.006.png
iii
Authors
John Savill (john@savilltech.com) is chief Microsoft architect for Geniant, a Dallas-based Microsoft
Gold Certified Partner. He is an MCSE on Windows Server 2003 and a five-time MVP. He is the
author of The Windows XP/2000 Answer Book (Addison-Wesley Professional).
Randy Franklin Smith (randy@winsecanswers.com) is a contributing editor for Windows IT Pro ,
an information security consultant, and CEO of Monterey Technology Group. He teaches Monterey
Technology Group’s Ultimate Windows Security course and is an SSCP.
104590051.001.png
1
Chapter 1
Passwords and Permissions
Tip 1: Safeguarding FTP Files
Internet. Our only option is FTP, and we can’t use VPNs, IP Security (IPSec), or FTP over
Secure Sockets Layer (SSL). We’ve thought about encrypting the file, but we also realize FTP
authentication is weak because the password is sent in clear text. We don’t want an attacker
who manages to capture our password to be able to wait for the transfer to complete, then
log on and download or delete the file. Can we set up the transfer so that attackers between
us and our partner firm can’t benefit should they capture our FTP password?
implementing proper user permissions. First, create a user account for the business partner—for
demonstration purposes, I’ll call the account Acme-FTP. To properly limit the new account, remove
Acme-FTP from the Users group to which Windows automatically adds all new accounts. Create a
folder in your FTP server’s root folder called AcmeFileDrop. Open the folder’s Properties page, click
the Security tab, then click Advanced and clear the check box that lets the folder inherit permissions
from the parent folder. When Windows asks whether to copy or remove the permissions, select
Remove. Then, add the Administrators and SYSTEM groups to the folder and give them Full Control.
Add any other groups that need to be able to access the files that Acme delivers, and grant those
groups Modify or Read access, as appropriate.
Next, add the Acme-FTP account and give it the specialized set of permissions that Figure 1-1
shows.
Brought to you by Microsoft and Windows IT Pro eBooks
Q We have a business partner who regularly needs to send a file to our server over the
A Yours is an interesting challenge, but you can meet it by using an encryption utility and
104590051.002.png

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika:

Zgłoś jeśli naruszono regulamin