Microsoft® Windows® Security Resource Kit

Author: Ben Smith and Brian Komar with the Microsoft Security Team
Pages: 720
Disk: 1 Companion CD
Level: Int/Adv
Published: 03/12/2003
ISBN: 9780735618688
ISBN-10: 0-7356-1868-2
Price (USD): $49.99

Index
Numbers and Symbols
3DES algorithm, 157, 235, 236
A
abstract classes, 85
acceptable use policy (AUP), 568-69
acceptance, as risk management strategy, 6
access
controlling in role-based security structure, 64-67
defining policies to support incident response, 569
role of DACLs in controlling, 90
Access, as safe harbor tenet, 617
access control entries (ACEs)
adding to organizational units, 93-94
as DACL elements, 87-88, 136
explicit deny and allow, 90, 140-41
generic deny and allow, 87, 88, 89, 136
inherited deny and allow, 90, 141
object-specific, 88, 89, 90, 93-94
access control lists (ACLs). See also discretionary access control lists; system access control lists
laptops and, 343
moving or copying files and folders, results, 142-43
access tokens
list of contents, 36-37
overview, 36
role in access control, 90
account logon events, 310-14
account management events, 315-17
Account Operators group, 61, 62
account SIDs, in access tokens, 36
accounts. See also administrative accounts; Administrator account; user accounts
Active Directory and, 364-65
configuring security options, 38-42
defining security policies, 269, 270-73
Kerberos policy settings, 272-73
list of common logon events, 313-14
list of common management events, 316-17
list of security template settings, 271-73
lockout policy settings, 272
making secure, 33-49
password policy settings, 271
ACEs. See access control entries
Acldiag.exe program, 95
ACLs. See access control lists
Active Directory
auditing changes to directory service access, 317-18
autonomy of authority, 115-16
best practices, 96-97, 128-30
configuring default DACLs on objects and attributes from command line, 94-96
configuring default DACLs on objects and attributes using MMC, 91-93
data administrators, 116, 123, 127-28
delegating authority, 126-28
designing DNS to support, 123-26
designing domains, 121-23
designing forests, 116-21
DNS resource records and, 373
domain-level password policies, 43-49
integrated zones, 126
isolation of authority, 115-16
object attributes, 84
object classes, 84-85
protecting built-in groups and user accounts, 364-66
protecting stored passwords, 360-61
role in creating customer contact systems, 648-49
schema control, 117-18
schema overview, 83-86
schema security, 86
securing communications, 366-69
securing individual user accounts, 38-40
securing objects and attributes, 91-96
service administrators, 116, 122, 127
service administrators vs. data administrators, 116
Service (SRV) resource records, 374, 375
threats to security, 358
Active Directory Services Interface (ADSI), 94, 95
active security systems, for laptops, 340
Active Server Pages (ASP), 459, 460
ActiveX controls
configuring in Internet Explorer, 252-54
configuring in Office XP, 263-65
Windows Update and, 498
activism, as attacker motive, 25
ad hoc networks, 346
Address Resolution Protocol (ARP), 208
.adm files, 101, 102
administrative accounts
configuring security options, 40-42
invalid options, 39
limiting number, 41
requiring smart cards, 41, 43, 120
restricting to certain computers, 41-42
role of auditing, 315-17
administrative templates, 101-2, 103
Administrative Tools, installing, 128
Administrator account, 39, 117, 120-21, 365
administrators. See network administration
Administrators group (domain), 61, 120-21, 365
Administrators group (local), 58, 174, 365, 498, 525
ADSIEdit.exe program, 127
Advapi, 312
advocates, privacy, 623-24
Afd.sys driver, 220
AH. See Authentication Header protocol
alarms, for securing laptops, 340
Alerter service, 181
Altchar.vbs script, 47
anonymity vs. privacy, 11
anonymous access
to FTP sites, 468
to Web servers, 443-44
anonymous authentication, 448-49
anonymous connections, disabling on domain controllers, 367-68
Anonymous Logon group, 55
anonymous permissions, 443, 444
anonymous users, 461, 468, 469
antivirus software, 11, 266
Append Data permission, 139
Application Layer Gateway service, 181
Application Management service, 181
Application Security Tool (Appsec), 391
applications. See also Internet Explorer; Microsoft Office; Microsoft Outlook
deploying to users, 103
MBSA security check, 530
privacy considerations, 645-46
Apply Group Policy permission, 105, 109-10, 111, 112
Appsec.exe program, 391
ARP (Address Resolution Protocol), 206, 208
The Art of War, 15
Asia, privacy legislation, 620
ASP pages, 459, 460
assessment. See security assessments
assets
identifying, 4
monitoring, 5
valuing, 4
assumptions, avoiding, 8-9
asymmetric encryption, 157
attachments, Outlook security settings for, 266
attack surface, reducing, 8
attackers
activism as motive, 25
advanced, 20
advantages over defenders, 27-29
challenge as motive, 24-25
contacting, 576-77
vs. defenders, 27-29
employees as, 20-21
espionage as motive, 25-26
external, 19-20
financial gain as motive, 23-24
intermediate, 20
internal, 20-21
motives, 21-26
notoriety as motive, 22-23
novice, 19
prosecuting, 566-67
revenge as motive, 25
tracking, 590-91
understanding, 17-21
attacks. See also denial-of-service attacks; incident response
assessing scope, 600-601
deciding whether or not to stop, 567
port scan threat, 212-14
spoofing threat, 214-15
types of threats to TCP/IP, 212-15
attributes, Active Directory
configuring default DACLs from command line, 94-96
configuring default DACLs using MMC, 91-93
default, 117-18
list of contents, 84
making secure, 91-96
overview, 84
audit policies
for account logon events, 310-14
for account management events, 315-17
baseline list, 327
configuring, 310-28
for directory service access, 317-18
enabling, 326-28
list of security event categories, 310
local policy settings, 273-74
for logon events, 318-20
monitoring security events, 305, 328-33
for object access, 320-22
for privilege use, 323-24
for process tracking, 324-25
for system events, 325-26
tracking policy changes, 322-23
auditing
account logon events, 310-14
account management events, 315-17
common account logon events, 313-14
common account management events, 316-17
common logon events, 320
common object access events, 322
common policy change events, 323
common privilege use events, 324
common process tracking events, 325
common system events, 326
configuring Event Viewer, 307-9
deciding which events to record, 306-7
directory service access, 317-18
enabling in default domain controller, 366
logon events, 318-20
monitoring security events, 305, 328-33
object access, 320-22
policy changes, 322-23
privilege use, 323-24
process tracking, 324-25
reasons for enabling, 305
system events, 325-26
Australia, privacy legislation, 620-21
Authenticated Users group, 55, 109, 110, 174
authentication
anonymous, 448-49
best practices, 80-81
cached credentials for, 79-80
certificate-based, 415, 429, 450-51
in Internet Explorer, 260-61
IPSec, 230-31, 234, 235, 236
Kerberos protocol, 73-77
list of protocols, 414-15
methods for configuring IIS security, 447-51
MS-CHAPv2 vs. EAP-TLS, 429
mutual, 415
open system type, 348
requiring multiple factors, 41
role of operating system, 67-68
shared key type, 348-50
threats posed by remote access, 418-21
Authentication Header (AH) protocol, 226-27, 367, 379
Authentication Service Exchange, 75
Authority Information Access (AIA), 437
Auto Logon, 525
Automatic Updates service, 181, 500-502. See also Microsoft Software Update Services
avoidance, as risk management strategy, 7
awareness campaigns, 573
B
Background Intelligent Transfer Service, 181
backlog, dynamic vs. static, 220-21
Backup Operators group, 50, 58, 61
BAD_ADDRESS DHCP entries, 403
banner grabbing, as threat, 213
Baseline Security Analyzer (MBSA), 509-13
Basic security template, 296
Batch group, 56
best practices
Active Directory domains, 128-30
Active Directory objects, 96-97
authentication, 80-81
certificate authorities, 438
Certificate Services, 438
DHCP, 404-5
DNS servers, 381-82
domain controllers, 369-70
Group Policy, 113
hotfixes, 491-92
incident response, 578-79, 603-4
Internet Explorer, 267
Internet Information Services, 469-70
IPSec, 240
laptops, 352
log files, 333-34
Microsoft Office, 267
passwords, 80-81
patches, 491-92
permissions, 96-97, 169
privacy, 625-26, 643-44, 650-51
remote access, 430-31
security assessments, 540-41, 559-60
security event log, 333-34
security templates, 301-2
service packs, 491-92
services, 202-3
TCP/IP, 240
Terminal Services, 393-94
updates, 516-17
user accounts, 80-81
Web servers, 469-70
WINS servers, 411-12
binary XOR operations, 349
BIOS, passwords for, 341-42
Block Inheritance option, 108-9
Bluetooth, 338
Boot Information Negotiation Layer (BINL), 182
boot passwords, 341-42
built-in groups
domain, 61-62, 64, 65
global, 62-63, 64, 65, 66, 443
local, 57-60, 65
universal, 63-64, 66
business enterprises. See enterprises
business partners, privacy protection, 646
C
.cab files, 495
cable locks, 339-40
cache pollution, 381
cached credentials, 79-80
Cacls.exe program, 143, 144
Canada, privacy legislation, 618-19
catalogs
Global Catalog, 64, 118
Security Patch Bulletin Catalog, 494-97
Windows Update Catalog, 482-84
cell phones. See mobile devices
CERT (Computer Emergency Response Team), 480
Cert Publishers group, 436, 437
certificate authorities (CAs)
best practices, 438
compromising key pairs, 434
compromising trusted root store, 435
making secure, 436-37
threats to security, 434-35
certificate revocation lists (CRLs), 434, 437
Certificate Services, 182
best practices, 438
logical security measures, 436-37
making secure, 433-37
physical security measures, 436
threats to security, 433-35
ways to make secure, 435-37
certificate templates, 434, 437
certificate-based authentication, 415, 429, 450-51
certificates
computer vs. user, 425, 426-27
deploying in remote access, 429-30
false, publishing to Active Directory, 435
installing for Web servers, 453-55
public key policy settings, 290-91
role in EFS, 158
role in remote access, 425-26
selecting, 256-57
challenge, as attacker motive, 24-25
Challenge Handshake Authentication Protocol (CHAP), 414. See also MS-CHAP protocol
Change permission, 156
Change Permissions permission, 64, 87, 135, 136, 139
for services, 179
Change Template permission, 178
CHAP (Challenge Handshake Authentication Protocol), 414. See also MS-CHAP protocol
Chief Privacy Officer, 622-23
children, collecting personal information from, 636
Children's Online Privacy Protection Act (COPPA), 617-18
Choice, as safe harbor tenet, 615-16
Cipher.exe program, 160-62
classes, Active Directory
abstract, 85
attributes, 84
auxiliary, 85
categories of, 85
configuring default DACLs from command line, 94-96
configuring default DACLs using MMC, 91-93
default, 117-18
overview, 84
structural, 85
clear GIFs, as privacy issue, 636
Client (Respond Only) policy, 231
Client/Server Authentication Exchange, 75
client-side caching (CSC), 163
ClipBook, 182
Cluster Service, 182
CMAK (Connection Manager Administration Kit), 416, 429
COM+ Event System, 182
COM+ System Application, 182
command-line tools
Cacls.exe, 143, 144
Cipher.exe, 160-62
for controlling file and folder permissions, 143-47
for EFS, 159-62
Efsinfo.exe, 159-60
overview, 143
Robocopy.exe, 143, 147
Secedit.exe program, 108, 295, 523-24
Subinacl.exe, 137-38, 143, 146-47, 173, 178, 179, 597
Xcacls.exe, 143, 144-45
Xcopy.exe program, 143
commercial software vulnerabilities, 24
communications
companywide, 575-76
creating incident response plans, 571-76
during incidents, 573-76
internal awareness campaigns, 573
with law enforcement, 575
new employee orientation, 572
preincident, 571-73
refresher courses, 572
training, 572
Compatible security template, 296-97
Computer Browser service, 183
computer certificates, 290, 425
Computer Emergency Response Team (CERT), 480
Computer Fraud and Abuse Act (CFAA), 618
computer local groups, 57-60, 65
computer-related group policies
list of security options, 101
list of settings, 101
overview, 100
refreshing manually, 108
role of administrative templates, 101-2
for software installation, 101
for Windows settings, 101
computers. See laptops
confidential data, 552
Connection Manager Administration Kit (CMAK), 416, 429
Connection Point Server (CPS), 416
containers, Group Policy, 104-6
cookies
as privacy issue, 636
ways to handle in Internet Explorer, 245-47
Windows Update and, 498
COPPA (Children's Online Privacy Protection Act), 617-18
copying files and folders, avoiding security risks, 142-43
corporations. See enterprises
countermeasures, security incident, 599-602
CPS (Connection Point Server), 416
CPU utilization, excessive, as attack indicator, 585-86
Create Files permission, 139
Create Folders permission, 139
Create Link registry permission, 168
Create Subkey registry permission, 168
Creator group, 55
Creator Owner group, 56
credentials, cached, 79-80
Credentials Manager, 79-80
credit card information, stealing, 23
Critical Infrastructure Protection Board, 26
CRLs (certificate revocation lists), 434, 437
Cryptographic Services, 183
Culp, Scott, 9, 11
customers
creating centralized contact systems, 648-50
inappropriate contact and tracking, 611-12
protecting privacy, 611-12, 646, 647
cyber-terrorism, 26
D
DACLs. See discretionary access control lists
data
protecting customer privacy, 646, 647
tools for collecting information, 596-97
volatile vs. nonvolatile, 594-96
data administrators, Active Directory, 116
Data Encryption Standard. See DES
Data Integrity, as safe harbor tenet, 617
Data Protection API, 79, 162
data recovery agents (DRAs), 165-66
data sources, accessing, 256
databases, for centralized customer contact systems, 648, 650
decision tables, 15
decryption keys, need for protecting, 11
Default Domain Controllers Policy, 105-6
Default Domain Policy, 105
Default Security template, 298
defenders vs. attackers, 27-29
Delegation of Control Wizard, 127
Delete permission, 139, 169, 179
Delete Subfolders and Files permission, 139
denial-of-service attacks
against DNS servers, 376
hardening TCP/IP protocol stack against, 217-21
overview, 215, 358
remote access vulnerability, 420
Department of Commerce, Safe Harbor Principles, 614, 615-17
deploying patches, 486
DES (Data Encryption Standard), 18, 157, 235, 236
desktop, installing items from Web pages, 257
desktop applications. See applications
Destination Unreachable ICMP message, 208-9
DH. See Diffie-Hellman group
DHCP (Dynamic Host Configuration Protocol)
avoiding installation on domain controllers, 401-2
best practices, 404-5
enabling auditing, 404
reviewing database for BAD_ADDRESS entries, 403
DHCP Administrators group, 403
DHCP Client service, 183
DHCP clients, 397-98, 400
DHCP Server service, 183
DHCP servers
exchange with DHCP clients, 397-98
making secure, 400-404
monitoring Administrators group, 403
threats to security, 398-400
unauthorized, 398-99
vulnerabilities, 398-400
DHCPINFORM process, 398-99
Dialup group, 56
Dial-Up Networking, 416
Diffie-Hellman (DH) group, 235, 236
digest authentication, 449
Digital Millennium Copyright Act (DMCA), 24
Directory Browsing permission, 452
directory service, auditing changes to access, 317-18
directory traversal attacks, 444
DirectX, downloading, 485
discretionary access control lists (DACLs)
ACE elements, 87-88, 136
in Active Directory, 90
adding ACEs to organizational units, 93
assigning to files and folders at creation, 141-42
configuring for services, 178-80
configuring from command line, 94-96
configuring to secure Active Directory objects, 86-91
configuring using MMC, 91-93
elements, 87-88, 136
example, 88-89, 136
group SID, 87, 136
header element, 87, 136
laptops and, 343
moving or copying files and folders, results, 142-43
on NTFS partitions, 140-41
overview, 86, 87, 136
user SID, 87, 136
Web content and, 445-46
Distribute Software Updates Wizard, 515
Distributed File System (DFS), 183
Distributed Link Tracking (DLT) Client service, 184
Distributed Link Tracking (DLT) Server service, 184, 362
Distributed Transaction Coordinator, 184
DNS Client service, 184
DNS clients
vs. DNS servers, 379-80
role of IPSec, 379-80
DNS log, 583
DNS registration, 217
DNS Server service, 185, 373-74
DNS servers
accepting updates, 373, 375
best practices, 381-82
denial-of-service attacks, 376
vs. DNS clients, 379-80
implementing Active Directory-implemented zones, 376-77
internal vs. external, 377-78
making secure, 373-81
Microsoft Access, 376-81
new Windows 2000 features, 373-74
penetration testing and, 556
protecting cache, 381
restricting traffic at firewalls, 380
restricting zone transfers, 378-79
role of DNSAdmins group, 381
role of IPSec, 379-80
threats to security, 374-76
ways to implement security, 376-81
zone data, 373, 375
DNSAdmins group, 381
DNSUpdateProxy group, 401, 402
documentation, network, 16-17
domain accounts
cached credentials, 79-80
overview, 34
password policies, 43-49
as type of user account, 34
Domain Admins group, 63, 112, 117, 121-22, 123, 365
domain built-in groups, 61-62, 64, 65
domain controllers
applying security settings to all, 363
audit settings for, 366
auditing account logon events, 310-14
best practices, 369-70
denial-of-service attacks, 358
disabling anonymous connections, 367-68
enabling auditing, 366
exploiting, 359
FSMO role, 83
implementing IPSec encryption, 368-69
implementing security measures, 359-69
isolating, 119
making secure, 357-69
MBSA security checks, 526, 527
nonessential services and, 361-62
physical security, 359-60
preventing replication between, 358
protecting against failure, 363-64
protecting forest root domain, 121
protecting passwords, 360-61
recommended service configuration, 361-62
running DHCP and DNS on, 402
securing Active Directory communications, 366-69
threats to security, 357-59
domain Group Policy objects (GPOs), 105-6
Domain Guests group, 443
domain local groups, 62, 64, 65
Domain Name System (DNS)
delegated namespace design, 125
designing for Active Directory security, 123-26
internal namespace design, 125
name resolution function, 123
namespace definition function, 123
segmented namespace design, 125
service locator function, 123
single namespace design, 125
Domain Name System (DNS) registration, 217. See also DNS Client service; DNS Server service
Domain Users group, 443
domains, Active Directory
account policies for, 122-23
best practices, 128-30
designing, 121-23
DoS. See denial-of-service attacks
downloading files and fonts in Internet Explorer 6, 255
DPAPI, 79
Dr. Watson log, 585
DRAs. See data recovery agents
drivers
downloading, 485
new, as evidence of attacks, 587
Drivers.exe program, 596
drives, making forensic images, 592-93
Dsacls.exe program, 94, 95, 127
Dump Event Log tool, 329
Dumpel.exe program, 329, 582
DumpSec tool, 597
dynamic backlog, 220-21
Dynamic Host Configuration Protocol. See DHCP; DHCP clients; DHCP servers
E
EAP (Extensible Authentication Protocol), 415, 426, 429
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), 415, 429
Echo Reply ICMP message, 208, 214
Echo Request ICMP message, 208, 212, 214
eEye Retina Network Security Scanner, 536
Efsinfo.exe program, 159-60
ego, as attacker motive, 22-23
Electronic Frontier Foundation (EFF), 18
e-mail, protecting against viruses in HTML-formatted messages, 266-67
employee orientation, 572
employees
as attackers, 20-21
incident response awareness, 571-73
privacy protection, 646
empty recovery policy, 166
Encapsulating Security Payload (ESP) protocol, 227-29, 379-80
EnCase tool, 597
encrypting file system (EFS)
command-line tools, 159-62
how it works, 157-59
laptop use, 343-44
local account use, 162
and offline files, 162-63
overview, 156-57
remote encryption, 163-64
Windows XP features, 162-64
encryption
implementing in Terminal Services, 392
need for protecting decryption keys, 11
options for user accounts, 38-40
reversible, 38-39, 47
Enforcement, as safe harbor tenet, 617
Enterprise Admins group, 63, 117, 120-21, 365
Enterprise Domain Controllers group, 57
enterprises. See also network administration
deploying privacy, 645-50
protecting customer privacy, 646, 647
protecting employee privacy, 646
support for network security, 17
Enumerate Dependents permission, 178
Enumerate Subkeys registry permission, 168
ESP. See Encapsulating Security Payload protocol
espionage, as attacker motive, 25-26
Europe, privacy legislation, 620
Event Comb tool, 329-33, 582
Event Log service, 185
event logs. See log files
Event Reporting service, 185
Event Viewer
configuring, 307-9
default settings, 307
monitoring events, 328-29
overview, 328-29
Eventlog.pl script, 329
Eventquery.pl script, 329
events
auditing account logon events, 310-14
auditing account management events, 315-17
auditing directory service access, 317-18
auditing logon events, 318-20
auditing object access, 320-22
auditing policy changes, 322-23
auditing privilege use, 323-24
auditing process tracking, 324-25
auditing system events, 325-26
deciding which ones to audit, 306-7
common account logon events, 313-14
common account management events, 316-17
common logon events, 320
common object access events, 322
common policy change events, 323
common privilege use events, 324
common process tracking events, 325
common system events, 326
failure reason codes, 314
monitoring by using Event Comb, 329-33
monitoring by using Event Viewer, 328-29
monitoring by using scripts, 329
monitoring methods, 328
reasons for monitoring, 305
ways to monitor, 328-33
Everyone group, 56, 174, 367
evidence, collecting, 594-99
Execute File permission, 138-39
explicit ACEs, 90, 140-41
Extended Key Usage (EKU) attribute, 450
Extensible Authentication Protocol (EAP), 415, 426, 429
extortion, as attacker motive, 24
F
failure audits
account logon events, 311-14
account management events, 315-16
directory service access, 317-18
logon events, 319
policy changes, 323
privilege use, 324
system events, 325
Fair Information Practices, FTC, 614
Fast User Switching Compatibility, 185
Fax Service, 185
feature packs, 477, 513-16
Federal Trade Commission, Fair Information Practices, 614
File And Object Auditing, 320. See also object auditing
File and Printer Sharing for Microsoft Networks setting, 216
file encryption key (FEK), 157
File Replication service, 185
File Server for Macintosh, 186
file systems
irregular activity as attack indicator, 586-87
MBSA security check, 526
security template policy settings, 270, 290
Web servers and, 444-46
File Transfer Protocol. See FTP servers, making secure
Filemon, role in data collection, 596
files
assigning DACLs at creation, 141-42
auditing access, 320-22
command-line tools for controlling permissions, 143-47
defining NTFS permissions, 138-40
downloading options, 255
encrypting on remote servers, 163-64
encryption overview, 156-59
how EFS works, 157-59
security issues when copying or moving, 142-43
share permissions, 155-56
sharing when encrypted, 164
table of recommended permissions, 148-55
filter list. See IP filter list
filter rules, IPSec, 231-35
filtering
Group Policy objects, 109-10
role in TCP/IP security, 221-22
financial gain, as attacker motive, 23-24
firewalls, 380. See also Internet Connection Firewall
flexible single-master operation (FSMO), 83
folders
assigning DACLs at creation, 141-42
command-line tools for controlling permissions, 143-47
defining NTFS permissions, 138-40
security issues when copying or moving, 142-43
table of recommended permissions, 148-55
fonts, downloading options, 255
footprinting, 554
forensics, 592-93, 596
forests, Active Directory
and Active Directory schema control, 117-18
best practices, 128-30
as boundary of enterprise administration, 117
default permissions, 117-18
designing, 116-21
domain trust requirements, 118-19
and Global Catalog, 118
as management unit, 116
protecting, 119-21
root domain Administrator account, 117, 120-21
securing domain controllers, 121
forwarders, 380
Foundstone, 540, 596, 597
Fport tool, 597
FSMO (flexible single-master operation), 83
FTP Publishing Service, 186, 442
FTP servers, making secure, 441, 442, 468-69
Full Control permission
for DACLs, 87, 91
for files and folders, 135, 136, 138
for Group Policy, 111, 112
overview, 64
for services, 178
for shares, 156
G
games, downloading updates, 485
generic ACEs, 87, 88, 89, 136
GET command, 163
GLBA (Gramm-Leach-Bliley Act), 618
Global Catalog, 64, 118
global groups, 62-63, 64, 65, 66, 443
gPLink permission, 111, 112
gPOptions permission, 111, 112
GPOs. See Group Policy objects
Gpupdate command, 108
Gramm-Leach-Bliley Act (GLBA), 618
Group Policy. See also Group Policy objects
altering structure, 108-11
applying security settings across domain controllers, 363
applying security templates by using, 295-96
best practices, 113
computer-related group policies, 100-102
configuring Automatic Updates settings, 507
configuring privacy and security settings in Internet Explorer, 262-63
defined, 99
list of permissions, 111
list of security options, 101
loopback mode, 110-11
managing, 111-12
overview, 99-100
process order, 104-5
refreshing, 107-8
role of administrative templates, 101-2, 103
for software installation, 101, 103
user-related group policies, 102-4
for Windows settings, 101, 103
Group Policy Creator Owners group, 63, 112
Group Policy objects (GPOs)
altering default processing, 108-11
Block Inheritance option, 108-9
Default Domain Controllers Policy, 105-6
Default Domain Policy, 105
deploying to users, 103, 104
domain, 105-6
filtering, 109-10
local, 104-5
No Override option, 109
organizational units, 106
overview, 99-100
policies vs. preferences, 102
processing, 106-8
site, 105
group SIDs
in access tokens, 36
as DACL element, 87, 136
groups
adding to object class DACLs, 92
computer local, 57-60, 65
domain built-in, 61-62, 64, 65
domain local, 62, 64, 65
global, 62-63, 64, 65, 66, 443
global vs. universal, 66
local built-in, 57-60, 65
naming, 65
protecting, 364-65
rights and permissions overview, 49-50, 55
in role-based security structure, 64-67
special, 55-57
universal, 63-64, 66
Guest account, 526
Guests group, 59, 443
Last Updated: February 26, 2003