70-298: MCSE Guide To Designing Security For A Microsoft Windows Server 2003 Network
Exam Objectives
4.2 Design an access control strategy for files and folders
4.2.4 Analyze auditing requirements
4.3 Design an access control strategy for the registry
4.3.1 Design a permission structure for registry objects
4.3.2 Analyze auditing requirements
Introduction
Windows permissions are discretionary:
Design a permission scheme that provides sufficient access for end users to do their jobs, but not unnecessary permissions that might affect the security of the overall network
Introduction (continued)
Common risks to file shares:
Data corruption caused by viruses
Security breaches arising from incorrectly assigned permissions
Best practices for securing Windows Registry
Encrypted File System (EFS)
Design a secure backup and recovery strategy for network resources
Objects are managed via access control lists (ACLs), which designate:
Which users and groups can access objects
In what manner users and groups can access objects
Groups
Security groups:
Created to manage access and other security-related functions
Contain:
User accounts
Computer accounts
Other group accounts
Groups (continued)
Security groups
Scopes include:
Local
Domain local
Global
Universal
Groups (continued)
Distribution groups:
Used for mailing lists only
No security function
Account groups:
Members are user accounts or computer accounts that require the same permissions for a resource
Resource groups:
Security group that is added to the ACL of a resource and granted (or denied) specific permissions
Access to Resources
Methods for controlling access:
User/ACL
Account group/ACL
Account group/resource group
Role-based authorization
Local groups:
Must create groups on many different computers
EFS
Certificate storage
Certificate enrollment and renewal
Use cipher.exe
Creating a Strategy for the Encryption and Decryption of Files and Folders
Increase user awareness
Department should identify which files or types of files are most sensitive
Creating a Strategy for the Encryption and Decryption of Files and Folders (continued)
Recover files
Back up keys
Use Certificates snap-in in the MMC
Best practices for backups
Create an Automated System Recovery backup set
Update the ASR every time significant changes occur
Use the Automated System Recovery Wizard
Include an assessment of the most likely risks to the business and its data
Out-of-band:
Refers to a connection that can be made when a remote computer is not working properly
Enable Emergency Management Services
Configure headless servers
Use terminal concentrators
Use uninterruptible power supplies
Summary
User access can be managed via one of several different frameworks, including:
User/ACL
Account group/ACL
Account group/resource group
Role-based permissions
Auditing events provides an additional measure of security and visibility
Registry access is controlled via Group Policy
Summary (continued)
EFS protects files and folders with encryption
Last line of defense on any system:
Backup and recovery capabilities