299 Study Notes
Psoasman
Here are some study notes from 299 course. Hope they help!
Chapter 1:
1. Authentication is the process of proving your identity. In windows networks, users frequently authenticate themselves using a user name and password pair. This has changed with new versions of windows.
2. Earlier versions of windows used LM authentication, which is supported by 2k3 for backwards compatibility, but has security vulnerabilities. Disable, unless using 95,98 clients.
3. Use passwords longer than 14 characters to bypass the LM requirements.
4. Newer versions of windows use NTLM v1, v2 and Kerberos authentication.
5. Local passwords are stored by the local security authority (LSA) which is responsible for managing local security policies, authenticating users, creating access tokens, and controlling audit policies.
6. The 2k3 Server Resource Kit has kerbtray.exe, klist.exe, and cmdkey.exe to troubleshoot Kerberos issues.
7. Educate employees on using strong passwords.
8. Account lockout policies prevent malicious attackers from logging on by guessing passwords, but this can result in a DoS attack.
9. Kerberos ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the tickets' stored credentials, but long enough to minimize the number of tickets requested.
10. Use delegated authentication and constrained delegation as strategies for implementing supplemental authentication where required.
11. Certified for server 2k3 will function in multifactor environment.
12. Web users have special authentication considerations. Anonymous access? Account to be used to access resources for anonymous users?
13. There are 4 choices for web authentication: 1.) basic authentication, 2.) digest authentication for windows domain servers, 3.) integrated windows authentication, 4.) .NET passport authentication.
14. Use delegated authentication and the more granular constrained delegation where front-end servers must access back-end services on behalf of authenticated users.
15. A trust is a relationship between domains that enables security principals from 1 domain to be authenticated by DCs in another domain.
16. These are the trusts you can set up:
a. Parent/child – created automatically
b. Tree/root – created automatically
c. External – manually created
d. Realm – manually created
e. Forest – manually created
f. Shortcut – manually created
17. These authentication protocols can be used between trusts: NTLM and Kerberos.
18. Use SID filtering to prevent SID spoofing. Admins can discard SIDs that may be used to spoof.
Chapter 2:
1. Files and folders, shared folders, printers, services, AD objects, Term services connections, WMI objects, and registry keys have similar, but not identical authentication methods.
2. Explicit permissions are assigned directly to an object, whereas inherited permissions propagate to an object from the parent object.
3. Use groups to simplify access to resources.
4. Server 2k3 supports local, global, domain local, and universal group scopes, and they depend on the domain functional level.
5. The user/access control method is best for smaller companies: you add the user to each ACL on each object.
6. To troubleshoot authorization problems, start by identifying the objects that are required by user. Auditing can be used to identify which objects the user is being denied access to. The logs will show access events due to insufficient privileges.
7. Know how to calculate effective permissions.
Chapter 3:
1. Most new security templates should be based on predefined templates.
2. Create templates for computer roles, not individual computers.
3. The security template snap-in is a graphical tool for creating and editing security templates.
4. Secedit is a command-line tool that is used to create templates based on an existing computer's settings.
5. Security templates can be used to configure local policies, account policies, group memberships, event log settings, and permissions for folders, files, services, and registry.
6. Use GP to deploy security templates.
7. GP can be applied to sites, domains, and OUs.
8. You can further restrict which computers and users a GP applies to by restricting permissions to the GP object or using WMI filtering.
9. Use secedit to apply a template from command line. Can use this to deploy to computers that are not members of a domain.
10. You can manually apply a security template to a computer using the security configuration & analysis console.
11. Use GP to update after each change.
12. Can use advanced system information in Help and Support center – graphical tool – to provide a thorough description of GPOs applied to a user / pc.
13. Gpresult displays the most complete set of information about GPOs applied to a user /pc.
14. Server2k3 provides info about GPOs in the registry.