| About This Book | xxix |
| Intended Audience | xxx |
| Prerequisites | xxx |
| Reference Materials | xxxi |
| About the Supplemental Course Materials CD-ROM | xxxi |
| Features of This Book | xxxii |
| Notes | xxxii |
| Conventions | xxxii |
| Chapter and Appendix Overview | xxxiii |
| Finding the Best Starting Point for You | xxxvi |
| Where to Find Specific Skills in This Book | xxxvi |
| Getting Started | xl |
| Hardware Requirements | xl |
| Software Requirements | xl |
| Setup Instructions | xli |
| About the Online Book | xlviii |
| Sample Readiness Review Questions | xlviii |
| The Microsoft Certified Professional Program | xlix |
| Microsoft Certification Benefits | xlix |
| Requirements for Becoming a Microsoft Certified Professional | li |
| Technical Training for Computer Professionals | lii |
| Technical Support | liv |
| CHAPTER 1 Introduction to Microsoft Windows 2000 Security | 1 |
| About This Chapter | 1 |
| Before You Begin | 1 |
| Chapter Scenario: Lucerne Publishing | 2 |
| Current Network | 2 |
| Account Management | 2 |
| Expansion Plans | 3 |
| Online Ordering | 3 |
| Security Issues | 3 |
| Lesson 1: Microsoft Windows 2000 Security Services Overview | 4 |
| Security Subsystem Components | 5 |
| LSA Functionality | 7 |
| Windows 2000 Security Protocols | 8 |
| The Security Support Provider Interface (SSPI) | 9 |
| Lesson Summary | 9 |
| Lesson 2: Designing Security Business Requirements | 10 |
| Determining Business Requirements | 10 |
| Making the Decision | 12 |
| Applying the Decision | 13 |
| Lesson Summary | 14 |
| Lesson 3: Designing Security to Meet Technical Requirements | 15 |
| Determining Technical Requirements | 15 |
| Making the Decision | 16 |
| Applying the Decision | 17 |
| Lesson Summary | 19 |
| Review | 20 |
| CHAPTER 2 Designing Active Directory for Security | 21 |
| About This Chapter | 21 |
| Before You Begin | 22 |
| Chapter Scenario: Wide World Importers | 23 |
| The Existing Network | 23 |
| User Account Management | 23 |
| Application Support | 23 |
| Client Desktops | 24 |
| Lesson 1: Designing Your Forest Structure | 25 |
| Active Directory Design Basics | 25 |
| Deploying a Single Forest | 26 |
| Making the Decision | 27 |
| Applying the Decision | 28 |
| Deploying Multiple Forests | 28 |
| Making the Decision | 30 |
| Applying the Decision | 31 |
| Lesson Summary | 32 |
| Lesson 2: Designing Your Domain Structure | 33 |
| Deploying a Single Domain | 33 |
| Making the Decision | 33 |
| Applying the Decision | 34 |
| Deploying Multiple Domains | 34 |
| Understanding Account Policies | 34 |
| Making the Decision | 37 |
| Applying the Decision | 38 |
| Lesson Summary | 39 |
| Lesson 3: Designing an OU Structure | 40 |
| Planning for Delegation of Administration | 40 |
| Delegating Control to an Organizational Unit | 40 |
| Making the Decision | 42 |
| Applying the Decision | 44 |
| Planning for Group Policy Deployment | 45 |
| Making the Decision | 49 |
| Applying the Decision | 49 |
| Lesson Summary | 51 |
| Lesson 4: Designing an Audit Strategy | 52 |
| Configuring Audit Settings | 52 |
| Making the Decision | 53 |
| Applying the Decision | 54 |
| Lesson Summary | 55 |
| Activity: Designing an Audit Strategy | 56 |
| Lab 2-1: Designing Active Directory for Security | 57 |
| Lab Objectives | 57 |
| About This Lab | 57 |
| Before You Begin | 57 |
| Scenario: Contoso Ltd. | 57 |
| Exercise 1: Determining the Number of Forests | 59 |
| Exercise 2: Determining the Number of Domains | 60 |
| Exercise 3: Designing an OU Structure | 60 |
| Review | 62 |
| CHAPTER 3 Designing Authentication for a Microsoft Windows 2000 Network | 63 |
| About This Chapter | 63 |
| Before You Begin | 64 |
| Chapter Scenario: Market Florist | 65 |
| The Existing Network | 65 |
| Market Florist Active Directory Design | 66 |
| Market Florist Server Configuration | 66 |
| Lesson 1: Designing Authentication in a Microsoft Windows 2000 Network | 68 |
| Determining Business and Technical Requirements | 68 |
| Lesson Summary | 69 |
| Lesson 2: Designing Kerberos Authentication | 70 |
| Designing Kerberos Authentication | 71 |
| Understanding the Kerberos Message Exchanges | 72 |
| Analyzing Kerberos Authentication | 73 |
| Initial Authentication with the Network | 73 |
| Network Authentication | 76 |
| Smart Card Authentication | 77 |
| Multiple Domain Authentication | 79 |
| Delegation | 80 |
| Making the Decision | 82 |
| Applying the Decision | 83 |
| Lesson Summary | 84 |
| Lesson 3: NTLM Authentication | 85 |
| Designing NTLM Authentication | 85 |
| Making the Decision | 86 |
| Applying the Decision | 87 |
| Lesson Summary | 87 |
| Lesson 4: Authenticating Down-Level Clients | 88 |
| Analyzing Standard Authentication | 88 |
| Analyzing the Directory Services Client | 89 |
| Making the Decision | 92 |
| Applying the Decision | 92 |
| Lesson Summary | 93 |
| Lesson 5: Planning Server Placement for Authentication | 94 |
| Determining Server Placement for Authentication | 94 |
| Planning DNS Server Placement | 94 |
| Making the Decision | 95 |
| Applying the Decision | 95 |
| Planning DC Placement | 97 |
| Making the Decision | 97 |
| Applying the Decision | 97 |
| Planning Global Catalog Server Placement | 97 |
| Making the Decision | 98 |
| Applying the Decision | 99 |
| Planning PDC Emulator Placement | 99 |
| Making the Decision | 99 |
| Applying the Decision | 100 |
| Lesson Summary | 100 |
| Activity: Analyzing Authentication Network Infrastructure | 101 |
| Lab 3-1: Designing Authentication for the Network | 102 |
| Lab Objectives | 102 |
| About This Lab | 102 |
| Before You Begin | 102 |
| Scenario: Contoso Ltd. | 102 |
| Exercise 1: Designing Windows 2000 Client Authentication | 104 |
| Exercise 2: Designing Down-Level Client Authentication | 105 |
| Review | 106 |
| CHAPTER 4 Planning a Microsoft Windows 2000 Administrative Structure | 107 |
| About This Chapter | 107 |
| Before You Begin | 107 |
| Chapter Scenario: Hanson Brothers | 108 |
| The Existing Network | 108 |
| Hanson Brothers' Active Directory Design | 109 |
| Hanson Brothers' Administrative Needs | 109 |
| The Central Administration Team | 110 |
| Hanson Brothers' Current Issues | 110 |
| Lesson 1: Planning Administrative Group Membership | 111 |
| Designing Default Administrative Group Membership | 111 |
| The Default Windows 2000 Administrative Groups | 111 |
| Assessing Administrative Group Membership Design | 114 |
| Making the Decision | 116 |
| Applying the Decision | 117 |
| Designing Custom Administrative Groups | 118 |
| Determining When to Create Custom Groups | 119 |
| Making the Decision | 120 |
| Applying the Decision | 121 |
| Lesson Summary | 122 |
| Lesson 2: Securing Administrative Access to the Network | 123 |
| Designing Secure Administrative Access | 123 |
| Making the Decision | 124 |
| Applying the Decision | 125 |
| Designing Secondary Access | 126 |
| Understanding the RunAs Service | 127 |
| Making the Decision | 129 |
| Applying the Decision | 129 |
| Designing Telnet Administration | 129 |
| Making the Decision | 130 |
| Applying the Decision | 130 |
| Designing Terminal Services Administration | 131 |
| Assessing Terminal Services Administration | 131 |
| Making the Decision | 132 |
| Applying the Decision | 132 |
| Lesson Summary | 133 |
| Activity: Administering the Network | 134 |
| Lab 4-1: Designing Administration for a Microsoft Windows 2000 Network | 136 |
| Lab Objectives | 136 |
| About This Lab | 136 |
| Before You Begin | 136 |
| Scenario: Contoso Ltd. | 136 |
| Exercise 1: Designing Preexisting Administration Groups | 138 |
| Exercise 2: Designing Administrative Access | 140 |
| Review | 142 |
| CHAPTER 5 Designing Group Security | 143 |
| About This Chapter | 143 |
| Before You Begin | 143 |
| Chapter Scenario: Hanson Brothers | 144 |
| The Microsoft Exchange 2000 Server Deployment | 144 |
| Deployment of Microsoft Outlook 2000 | 144 |
| User Rights Requirements | 145 |
| Lesson 1: Designing Microsoft Windows 2000 Security Groups | 146 |
| Windows 2000 Groups | 146 |
| Assessing Group Usage | 149 |
| Making the Decision | 152 |
| Applying the Decision | 152 |
| Lesson Summary | 154 |
| Activity: Reviewing Group Memberships | 155 |
| Lesson 2: Designing User Rights | 158 |
| Defining User Rights with Group Policy | 158 |
| User Rights Within Windows 2000 | 158 |
| Assessing Where to Apply User Rights | 162 |
| Making the Decision | 163 |
| Applying the Decision | 164 |
| Lesson Summary | 165 |
| Lab 5-1: Designing Security Groups and User Rights | 166 |
| Lab Objectives | 166 |
| About This Lab | 166 |
| Before You Begin | 166 |
| Scenario: Contoso Ltd. | 166 |
| The Human Resources Application | 166 |
| Exercise 1: Designing Security Groups | 168 |
| Exercise 2: Designing User Rights | 170 |
| Review | 171 |
| CHAPTER 6 Securing File Resources | 173 |
| About This Chapter | 173 |
| Before You Begin | 173 |
| Chapter Scenario: Wide World Importers | 174 |
| Planning Security for Software Deployment | 174 |
| Print Security | 176 |
| Planning for Protection of Confidential Data | 176 |
| Lesson 1: Securing Access to File Resources | 177 |
| Designing Share Security | 177 |
| Configuring Share Permissions | 177 |
| Making the Decision | 179 |
| Applying the Decision | 180 |
| Planning NTFS Security | 180 |
| Changes in the Windows 2000 NTFS File System | 181 |
| Assessing NTFS Permissions | 181 |
| Making the Decision | 183 |
| Applying the Decision | 184 |
| Combining Share and NTFS Security | 185 |
| Making the Decision | 187 |
| Applying the Decision | 188 |
| Lesson Summary | 188 |
| Activity: Evaluating Permissions | 189 |
| Lesson 2: Securing Access to Print Resources | 191 |
| Assessing Printer Security | 191 |
| Making the Decision | 192 |
| Applying the Decision | 193 |
| Lesson Summary | 193 |
| Lesson 3: Planning EFS Security | 194 |
| Overview of the EFS Process | 194 |
| Designating an EFS Recovery Agent | 197 |
| The Initial EFS Recovery Agent | 197 |
| Configuring a Custom EFS Recovery Agent | 198 |
| Configuring an Empty Encrypted Data Recovery Agent Policy | 199 |
| Making the Decision | 199 |
| Applying the Decision | 200 |
| Recovering Encrypted Files | 200 |
| Assessing Recovery of Encrypted Files | 200 |
| Making the Decision | 202 |
| Applying the Decision | 202 |
| Lesson Summary | 202 |
| Lab 6-1: Securing File and Print Resources | 203 |
| Lab Objectives | 203 |
| About This Lab | 203 |
| Before You Begin | 203 |
| Scenario: Contoso Ltd. | 203 |
| Exercise 1: Planning File Security | 206 |
| Exercise 2: Planning Print Security | 207 |
| Exercise 3: Planning EFS for Laptops | 208 |
| Review | 210 |
| CHAPTER 7 Designing Group Policy | 211 |
| About This Chapter | 211 |
| Before You Begin | 211 |
| Chapter Scenario: Wide World Importers | 212 |
| Proposed OU Structure | 212 |
| Existing Site Definitions | 213 |
| Application Installation Requirements | 213 |
| Engineering Requirements | 213 |
| The New Employee | 214 |
| Lesson 1: Planning Deployment of Group Policy | 215 |
| Group Policy Overview | 215 |
| Planning Group Policy Inheritance | 215 |
| Assessing Group Policy Application | 217 |
| Block Policy Inheritance | 218 |
| Configuring No Override | 219 |
| Making the Decision | 219 |
| Applying the Decision | 220 |
| Filtering Group Policy by Using Security Groups | 221 |
| Making the Decision | 223 |
| Applying the Decision | 224 |
| Lesson Summary | 224 |
| Lesson 2: Troubleshooting Group Policy | 225 |
| Assessing Group Policy Troubleshooting | 225 |
| Making the Decision | 227 |
| Applying the Decision | 228 |
| Lesson Summary | 228 |
| Activity: Troubleshooting Group Policy Application | 229 |
| Lab 7-1: Planning Group Policy Deployment | 230 |
| Lab Objectives | 230 |
| About This Lab | 230 |
| Before You Begin | 230 |
| Scenario: Contoso Ltd. | 230 |
| Exercise 1: Applying Group Policy | 233 |
| Exercise 2: Designing Group Policy Filtering | 233 |
| Exercise 3: Troubleshooting Group Policy Application | 234 |
| Review | 237 |