Index

Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.

IUSR_computername account, 274–275 Numbers disabling, 61 mapping certificates to, 283–286 3DES, 125–126, 416, 494 user accounts, configuring for 802.1x standard (IEEE), 181–184, 494 delegation, 46 for, 182 ACEs (Access Control Entries) combining VPNs with, 190 authentication for clients, 494 802.11a standard (IEEE), 494 in Discretionary Access Control List, 7 vs. 802.11b, 170 (AD), 3, 494 802.11b standard (IEEE), 494 assigning GPO to container in, 28 for certificate store, 404 Configuration container for certificate templates, 360 A mapping certificates to accounts, 283–286 Access Control Entries (ACEs), 494 in mixed mode, 324 in Discretionary Access Control List, 7 publishing certificates through, 404–409 Access Control List (ACL), 494 in child domain, 406–409 Access Control dialog box, 16 from standalone online CA, 404–406 Auditing tab, 16, 440 to view published certificates and CRLs, “Access Is Denied” error message, 420 358–359 access point, 494. See also wireless access Active Directory domain controller point (WAP) client security to traffic, 226–229 , 260, 494 testing, 227–229 account lockout policy, in security Active Directory domains templates, 9 Properties dialog box, General tab, 228 account logon events, tracking, 15, 445 trust relationships, 271–273, 272 account management events, tracking, 15, Active Directory object, auditing, 18 445–446 Active Directory Properties dialog box, 228 Account Policies Active Directory Sites and Services (ADSS), security template configuration, 12, 5, 494 12–14, 13 configuration, 407–408 in security templates, 9 Active Directory Users and Computers (ADUC), accountability trail, 14 5, 494 accounts Active Pages (ASP), SUS and, 111 Administrator account, renaming, 55, 56 AD.
See Active Directory (AD) Anonymous user account Add IP Filter dialog box, 311 disabling, 61 Add/Remove Snap-In dialog box, 7 real world scenario, 64–65 Add Standalone Snap-In dialog box, 7, 8 restrictions in domain Administrative Templates settings in GPOs, 3 controller, 52–54, 53 Administrator account, renaming, 55, 56 built-in accounts, securing, 55 Administrator certificate template, 360 guest account for IIS, 274 Administrator Properties dialog box, Dial-in Guest account, renaming, 55 tab, 324, 325

ADSS (Active Directory Sites and Services), attribute, 495 5, 494 for Encrypting , 397 configuration, 407–408 Audit Policies ADUC (Active Directory Users and Computers), blocking inheritance, 18, 442–444 5, 494 security template configuration, 14–18, 16 AH (Authentication Header), 139 in security templates, 9 AIA (authority information access), 343, 495 auditing, 432, 437–450, 495 AirSnort, 187 enabling, 438–444 Anonymous authentication, 274–276, 494 for resources, 439–444 IIS configuration for, 275–276 logs for RRAS troubleshooting, 313 Anonymous user account Authenticated Session certificate template, 360 disabling, 61 Authenticated users entries, in Discretionary real world scenario, 64–65 Access Control List, 7 restrictions in Windows 2000 domain authentication, 256, 495 controller, 52–54, 53 in business communications, 340 anti-spam filters, on SMTP gateway, 49 configuration in extranet scenarios, antireplay, 125 269–271, 270 antivirus software, and encrypted files, 419 exam essentials, 292–293 Apple Standard , 69 Kerberos interoperability with Unix, application log, 432 267–269 archive keys, in EFS troubleshooting, 419 LAN protocols, 257–261 archived certificates, 403 Kerberos protocol, 259–261 archiving files, during service pack NT LAN Manager (NTLM), 257–259 installation, 83 logon process, 261–263 ASCII character set, restricting URL to, 63 multifactor, with smart cards and EAP, ASP (Active Server Pages), SUS and, 111 290–291 association in wireless networks, 176 protocol configuration to support mixed asymmetric, 494 Windows client-computer environ- asymmetric encryption, 395 ments, 264–267 asymmetric keys, 203, 495 for Windows 95 and Windows 98, asynchronous processing, of 265–266 Objects, 5 for Windows NT 4, 266–267 ATM (Automatic Teller Machine), 291 in RRAS troubleshooting, 309 attacks for secure remote access, 286–290 auditing attempts, 438 by Secure Sockets Layer, 202 countermeasures, 481–483 troubleshooting, 263–264 Denial of Service (DoS) attacks, 
54, 125, troubleshooting protocols, 319 477–478, 498 trust relationships, 271–273, 272 exam essentials, 484 one-way trust creation, 272–273 hackers, 475–476 for Web users, 274–286 ping use by, 453 anonymous authentication, and service account, 45 274–276, 494 indicators of, 472 Basic authentication, 276–278 isolating and containing, 479–480 with client certificate mapping, preserving chain of evidence, 480–481 283–286 restoring services after, 483 Digest authentication, 278–281, 499 Trojan Horse, 478, 507 Integrated Windows authentication, viruses, 476–477, 508 281–283, 501 e- risk of, 49 Authentication Header (AH), 139, 495 worms, 478–479, 509 authentication method in IPSec rule, 131, 133 written policies for, 472–473 troubleshooting, 145

authentication methods, 495 certificate enrollment and renewal, 367–370 Authentication Methods dialog box (IIS), 276, auto-enrollment, 370 277, 287 Certificates MMC Snap-in, 368–369 Authentication Mode dialog box (SQL manual enrollment, 367–369 Server 2000), 45 certificate templates for enterprise CAs, authenticator, 495 360–361 authority information access (AIA), 343, 495 exam essentials, 379 auto-enrollment, 370, 496 Group Policies for certificate for Encrypting File System, 394 distribution, 361 of user certificates, 413–414 prerequisites, 362–367 Automatic Certificate Request Setup Wizard, hierarchy of, 341 140, 140 intermediate CAs, 342 Automatic Teller Machine (ATM), 291 installing and configuring, 347–353 Automatic Updates, 97 issuing CAs, 342 installing and configuring, 353–360 viewing published certificates and CRLs, 358–360 B managing, 370–378 backup, 374–376 backup editing certificates, 373 of certificate, 207 managing CRLs, 373–374 of certificate authority, 374–376 restoring backup, 376–378 of EFS certificate, 397 revoking certificates, 372–373 of IIS Metabase, 104–105 viewing certificates, 370–372 Base64 Encoded X.509 (.cer), 398, 496 root CA, 341 Basic authentication, 276–278 configuring publication of CRLs, Basic EFS certificate template, 360 345–347 basicdc template, 11 installing and configuring, 342–345 basicsv template, 11 for wireless communications, 66 basicwk template, 11 Certificate dialog box, 371, 371–372 beacon, 175, 496 Certificate Export Wizard, 400 biometric devices, 291 Certificate Import Wizard, 402 blocking inheritance, 18, 442–444 Certificate Properties dialog box, 373, 374 boot process. 
See rebooting Certificate Purpose view, 403 branch offices, VPNs to connect, 304 certificate revocation list (CRL), 343, 496 brute force attack, 55 Active Directory to view, 358–359 built-in accounts, securing, 55 configuring publication of, 345–347 BulkAdmin role, in SQL Server 2000, 48 managing, 373–374 Certificate Signing Request (CSR), 206, 206, 496 C certificate store, 402–404, 496 certificate templates for enterprise CAs, canonicalization, 496 360–361, 496 canonicalization attacks, 62–63 certificate trust list (CTL), 496 CAs. See certificate authorities (CAs) certificates, 340, 496 CDP (CRL distribution point), 343, 497 in IPSec, 139–141 creating for stand-alone offline root CA, renewing, 141 345–347 certificates in SSL, 204–219 certificate authorities (CAs), 51, 340, 496. backup of, 207 See also client certificates installing on SQL server, 223–224

mapping to Active Directory accounts, recovering KMS-issued, 414–415 283–286 Secure MIME, 388–394 private, 213–219 to sign and seal e-mail, 390–393 renewing, 218–219 storage, 402–404 public Client (Response Only) policy for IPSec, 129 installation, 211 Client Services for NetWare, 68 obtaining, 205–213 clients renewing, 211–213 adding to trusted root certificates list, 342 Certificates MMC Snap-in, 218, 367, authentication 368–369, 370 for Windows 95 and Windows 98, to edit certificates, 373 265–266 to enroll certificates, 410–411 for Windows NT 4, 266–267 for importing certificate, 401 configuration for Remote Access security, to view certificates, 370–372 322–330 Certification Authority Backup Wizard, 375 Connection Manager Administration Certification Authority MMC snap-in, 370, Kit, 326–330 372, 372 Remote Access Service Policies, 322–326 to backup Certification Services, 375 operating systems, 67–69 to revoke certificate, 372–373 Macintosh, 69 certreq.exe, 370 NetWare, 68–69 certutil.exe, 342, 370, 496 Unix, 67 to backup database and log files, 375 securing to Active Directory domain to restore Certificate Services, 376–378 controller traffic, 226–229 CGI pages, URLScan tool and, 61 testing, 227–229 chalk marks, 186–187 securing to e-mail server traffic, 229–231 Challenge Handshake Authentication Protocol securing with IPSec, 142–143 (CHAP), 288, 497 service packs and hotfixes for, 94–96 challenge phrase, 207 troubleshooting mixed environments, 33 child domain, certificates in, 406–409 for virtual private networks (VPNs) child server, 497 configuration, 314–318 for SUS, 105 troubleshooting, 319 CIFS (Common Internet File System), 67, 146, CMAK. 
See Connection Manager 147–148, 497 Administration Kit cipher.exe, 418, 497 Code Signing certificate template, 360 clear-text passwords, security for, 67 Common Internet File System (CIFS), 67, 146, client certificates, 388–404 147–148, 497 Encrypting File System (EFS), 394–397, 395 Comodo InstantSSL, public certificate from, enrolling, 410–414 207–210 auto-enrollment, 413–414 compatible template, 12 with Certificates MMC snap-in, 410–411 compatws template, 12 with Web Enrollment pages, 411–413 Compromised-key attack, 125 exam essentials, 420–421 Computer certificates exporting, 398–400 Group Policy for automatic enrollment, with , 394 362–363 importing, 401–402 requesting, 369, 411 mapping, 497 template, 360 authentication with, 283–286 computer Properties dialog box, General tab, 47 publishing through Active Directory, Computer Security Incident Response Team 404–409 (CSIRT), 473 in child domain, 406–409 creating, 474–475 from standalone online CA, 404–406 Incident Response Plan, 473–474

computer settings of GPO, processing, 5 decryption, 498 computers dedicated SMTP virtual servers, 232 configuration settings on, 4 default policy for RRAS, 323 roles, exam essentials, 69 default security templates, 10–11 condition, 497 default store for certificates, 404 confidentiality Default Web Site Properties dialog box in business communications, 340 Directory Security tab, 275, 285 IPSec and, 125 Web Site tab, 452 Configure Automatic Updates Properties dialog Delegation Authentication, 45, 498 box, 102, 102 Delegation of Control Wizard, 409 Configure Membership dialog box, 25, 25 delegation, Trust computer for, 46–47 Connect VPN ServerName dialog box, 316 deleting certificate templates, 361 Connection Manager Administration Kit Denial of Service (DoS) attacks, 54, 125, (CMAK), 326–330, 328, 497 477–478, 498 client deployment and testing, 330 countermeasure for, 482 installation, 327 DER Encoded Binary X.509 (.cer), 398, 498 containers, linking GPOs to, 4 DES (Data Encryption Standard), 125–126, 498 content distribution point for SUS, 105 desktop.ini file, 419, 498 , for EFS files, 419 DHCP (Dynamic Host Configuration Protocol) countermeasures for attacks, 497 in RRAS troubleshooting, 309 implementing, 481–483 server registration for work stations, 24–25 Critical Update Notification service, 104 troubleshooting in VPN client, 319 CRL. See certificate revocation list (CRL) for wireless networks, 172 CRL distribution point (CDP), 343, 497 dial-in users, verifying permissions for, 319 creating for stand-alone offline root CA, Diffie-Hellman (DH) algorithm, 126, 498 345–347 Digest authentication, 278–281, 499 Cryptographic Message Syntax Standard - digital certificates. See certificates PKCS #7 Certificates, 398, 497 digital signatures, 125, 389, 499. 
See also SMB Cryptographic Service Provider (CSP), signing 390, 497 for Windows 2000 domain controller CSIRT (Computer Security Incident Response communication, 51–52 Team), 473 Directory Services, 499 CSR (Certificate Signing Request), 206, access events tracking, 15, 446–447 206, 496 client installation, 265–266 cyclic redundancy check, 480 log, 432 disaster recovery, Software Update Services and, 104–105 disconnecting from VPN connection, 316 D Discretionary Access Control List (DACL), DACL (Discretionary Access Control List), 6–7, 499 6–7, 499 Distinguished Encoding Rules (DER), 398 data decryption field (DDF), 394–395, 497 Distributed Denial of Service attack, 478 Data Encryption Standard (DES), DMZ (De-Militarized Zone), 50, 498 125–126, 498 DNS (Domain Name System) data loss, countermeasure for, 482 restrictions, 61 data modification by attacker, 124 in RRAS troubleshooting, 309 data recovery field (DRF), 395, 498 troubleshooting in VPN client, 319 DC security template, 12 updates for Windows 2000 domain DDF (data decryption field), 497 controller, 52 De-Militarized Zone (DMZ), 50, 498 using multiple names, 210

DNS Server log, 432 EAP-MD5 (Extensible Authentication Protocol Domain Admins, Enterprise Admins, and Message Digest 5), 289–290, 500 SYSTEM entries, in Discretionary EAP-TLS (Extensible Authentication Protocol Access Control List, 7 with Transport Layer Security), 181, 184, domain container, Group Policy Objects 290, 500 linked to, 3 EAPOL (Extensible Authentication Protocol domain controllers Over LANs), 181, 500 default domain policy for, 28 eavesdropping, 124 refreshing policies, 6 Edit Dial-in Profile dialog box, 324, 325 security for passwords, 281 Edit Rule Properties dialog box SMB signing and, 145–151 Authentication Methods tab, 132 sysvol folder on, 4 Connection Type tab, 132 for Windows 2000, 50–55 Filter Action tab, 135, 136 Anonymous access restrictions, Tunnel Setting tab, 129 52–54, 53 editing certificates, 373 auto generation of 8.3 filenames EFS. See Encrypting File System (EFS) disablement, 55 EFS Recovery Agent certificate template, 360 built-in accounts security, 55 emergency information, offline storage, 473 digital signatures for communication, Encapsulating Security Payload (ESP), 139, 499 51–52 encrypted web pages, 220–221 DNS updates, 52 Encrypting File System (EFS), 394–397, 395, LmHash, disabling creation, 55 415–420, 499 NTLMv2 for legacy clients, 54 disabling, 418–419 TCP/IP stack hardening, 54–55 encryption for domain members, 417 domain member servers, EFS encryption implementing, 415–416 for, 417 and SQL Server 2000, 48 domain name ownership, proof of, 205–206 troubleshooting, 419–420 DoS (Denial of Service) attacks, 54, 125, 498 and workgroup members, 417–418 DRF (data recovery field), 498 encryption, 499 dsstore.exe, 370 by Secure Sockets Layer, 202 Dynamic Host Configuration Protocol (DHCP), for wireless networks, using 802.1x, for wireless networks, 172 181–184, 182 dynamic rekeying, 126, 499 enterprise CAs, 353 advantages, 405 installation, 354–358 placement of servers, 354 E Enterprise Trust list, Group Policy to configure, 
364–367 e-mail. See also specific protocols error log messages, for Software Update countermeasure for flood, 482 Services, 108 methods for, 230, 231 Error message in event log, 434, 435 real world scenario, 242 error messages S/MIME to sign and seal, 390–393 for Encrypting File System, 419–420 testing secured, with Outlook Express, “HTTP 403 Access Denied”, 275 239–242 “Network name is no longer valid”, 150 virus risk from, 49, 477 resources for, 263 e-mail servers ESP (Encapsulating Security Payload), 139, 499 client security to traffic, 229–231 event, 432, 499. See also Windows events securing with IPSec, 142 Event IDs, 435 EAP (Extensible Authentication Protocol), 308 512 error, 449 authentication methods for wireless 513 error, 449 networks, 184–185

517 error, 449 computer roles, 69 529 error, 445 IPSec (Internet Protocol Security), 530s error, 445 151–152 534 error, 445 Secure Sockets Layer (SSL), 245 539 error, 445 security templates, 34 560 error, 446 Software Update Services, 113 562 error, 446 virtual private networks (VPNs), 331–332 563 error, 446 Windows events, 462 564 error, 446 wireless networks security, 191–192 565 error, 446, 447 Exchange 5.5, key recovery capability, 414 576 error, 448 Exchange 2000 Server, 49–50 577 error, 448 securing IMAP4 on, 234–236 578 error, 448 securing POP3 on, 237–238 592 error, 448 securing SMTP on, 233–234 593 error, 448 Exchange (ExIFS), 594 error, 448 49, 500 595 error, 448 expiration of certificate, 211 608 error, 449 exporting 609 error, 449 client certificates, 398–400 610 error, 449 with Outlook Express, 394 611 error, 449 Extensible Authentication Protocol 624 error, 445 (EAP), 308 626 error, 445, 446 authentication methods for wireless 627 error, 445 networks, 184–185 628 error, 445 Extensible Authentication Protocol Message 629 error, 446 Digest 5 (EAP-MD5), 289–290, 500 630 error, 446 Extensible Authentication Protocol Over LANs 675 error, 445 (EAPOL), 181, 500 677 error, 445 Extensible Authentication Protocol with 1010 errors, 363 Transport Layer Security (EAP-TLS), 181, event logs 290, 500 object in security templates, 10 extranets, 500 for RRAS troubleshooting, 313 authentication configuration in, security template configuration, 269–271, 270 26–27, 27 , 433, 433–437, 435 filtering in, 437, 437 EventComb, 457–461, 499 F .txt files from, 459, 460 failed attempts to access resource, tracking, downloading, 457 440–441 opening screen, 458 Failure Audit message type in Security log, real world scenario, 461 434, 435 to search for domain controller restarts, farm of SUS servers, 105 460–461 FAT () partitions, security Everyone security group, 440 templates and, 10 evidence of attack, preserving, 480–481 FE/BE (front-end/back-end) architecture, 50 exam 
essentials FEK (file encryption key), 500 attacks, 484 File and Print Services for NetWare, 69 authentication, 292–293 file encryption key (FEK), 394, 500 certificate authorities (CAs), 379 file extensions, denying URL requests client certificates, 420–421 based on, 62

file format, for exporting certificate, 398 Group Policies, 2–7 File Replication log, 432 applying, 5–6 file server, EFS encryption by, 417 to automatically request certificates, File Services for Macintosh, 69 139–140, 140 File System object, in security templates, 10 for certificate auto-enrollment, 413–414 filenames, auto generation of 8.3, for certificate distribution, 361 disabling, 55 prerequisites, 362–367 Filter Properties dialog box for clear-text authentication, 68 Addressing tab, 134 configuring, 3–5 Protocol tab, 134, 135 for digital signature requirement, 51 filtering, in Event Viewer, 437, 437 to enable auditing, 438–439 fingerprint scanners, 291 Enterprise Trust list configuration with, firewall servers, with virtual private networks 364–367 (VPNs), 321–322 inheritance modification, 6–7 firewalls, 50, 500 for IPSec implementation, 127, 127 configuration issues in IPSec, 145 to rename built-in accounts, 55, 56 log files, 453 for security template deployment, for wireless connections, 188, 188–189 27–29 Flexible Single Master Operations (FSMO) Trusted Root Certification Authorities list role, 5 configuration with, 364 settings in GPOs, 3 Group Policy-applied templates, folders, auditing options for, 17 troubleshooting, 32 front-end/back-end (FE/BE) architecture, 50 Group Policy Container (GPC), 3, 500 FrontPage server extensions, URLScan tool Group Policy Objects (GPOs), 2, 500 and, 62 to apply client security, 67–69 FSMO (Flexible Single Master Operations) configuring for automated certificate role, 5 distribution, 226–227 linking to containers, 4 objects assigned to, 31 processing, 5 G for SUS client configuration, 102 Group Policy template (GPT), 3, 4, 500 gateway groups performing dead detection, 54 adding Domain Administrators global in RRAS troubleshooting, 309 security group to, 26 Gateway Services for NetWare, 68 restricting members in, 25 Gemplus , 404 GSSAPI (Generic Security Service Application Generic Routing Encapsulation (GRE), Program 
Interface), 268, 500 322, 500 Guest account, 274 Generic Security Service Application Program renaming, 55 Interface (GSSAPI), 268, 500 GINA (Graphical Identification and Authenti- cation dynamic link library), 257, 262 GPC (Group Policy Container), 3, 500 H GPOs. See Group Policy Objects (GPOs) gpresult utility, 31, 31 hackers, 475–476 GPT (Group Policy template), 3, 4, 500 ping use by, 453 Graphical Identification and Authentication and service account, 45 dynamic link library (GINA), 257, 262 handheld devices, Windows CE configuration GRE (Generic Routing Encapsulation), as wireless client, 8–9 322, 500 hard Security Association, 126

Hash Message Authentication Codes input filters for PPTP, 310, 311–312 (HMAC), 138 installation. See also service packs installation HFNetChk tool, 85, 90–92 of Directory Services client, 265–266 high security templates, 11 of intermediate CAs, 347–353 hisecdc template, 11 of issuing CAs, 353–360 hisecws template, 11 of MBSA tool, 85–88, 86 HMAC (Hash Message Authentication of root CA, 342–345 Codes), 138 of SSL certificate, 211 honeypot, 482–483, 501 of SUS client, 102–104 hotfixes, 501. See also service packs Integrated Windows authentication, deployment troubleshooting, 111–112 281–283, 501 determining current status, 80 integrity QChain to install, 109–110 in business communications, 340 HTR (hard-return) mappings, SUS and, 111 of packet, IPSec and, 125 “HTTP 403 Access Denied” error message, 275 intermediate CAs, 342 installing and configuring, 347–353 Internet Authentication Service (IAS) server, 65–66, 181 I Internet Data Query (IDQ), SUS and, 111 Internet Database Connector (IDC), SUS IAS (Internet Authentication Service) server, and, 111 65–66, 81 Maintenance settings in IDC (Internet Database Connector), SUS GPOs, 3 and, 111 Internet Information Server, 56–65 identity spoofing, 124 Anonymous access idle connections, keeping alive, 55 configuration, 275–276 IDQ (Internet Data Query), SUS and, 111 disabling, 61 IEEE (Institute of Electrical and Electronics Basic authentication, enabling, 277–278 Engineers), 181 Digest authentication, enabling, 279–280 IFS (Exchange Installable File System), 49, 500 enforcing SSL on, 221 IIS metabase, 375, 501 Integrated Windows authentication, backup, 376 enabling, 282–283 restoring backup, 377–378 IP address/DNS restrictions, 61 IISLockdown tool, 56–61, 57, 58, 59, 64 logs, 450–453, 451 IKE (Internet Key Exchange), 126 Metabase, backup, 104–105 IMAP4 (Internet Messaging Access Protocol), SUS and, 111 230, 234–236 Trusted Root Certification Authorities list, testing secured, with Outlook Express, 224–225 239–242 URLScan 
tool, 61–64 impersonation, 124, 501 Internet Information Service MMC console, for Import Template dialog box, 30 IIS 5 metabase backup, 375–376 importing, 501 Internet Key Exchange (IKE), 126 client certificates, 401–402 Internet Messaging Access Protocol (IMAP4), incremental security templates, 11–12 230, 234–236 Index Server, URLScan tool and, 62 testing secured, with Outlook Express, .inf files, 2 239–242 Information message type in event log, 433 Internet printing, URLScan tool and, 62 inheritance Internet Protocol Security (IPSec). See IPSec blocking, 18, 442–444 (Internet Protocol Security) of Group Policy, modifying, 6–7 Internet Security & Acceleration Server, logs for initialization vector (IV), 176, 178–179, 501 packet filters, 453

Internet service providers, 501 and CIFS, 148 connections, 303 for Integrated Windows authentication, 281 and virtual private networks (VPNs), interoperability with Unix, 267–269 302–304 policy in security templates, 9 IP addresses for trust relationship authentication, 271 restrictions, 61 for Unix client authentication, 67 for RRAS pool, 308 Kerberos delegation, 417 IP filter list in IPSec rule, 133–134 Key Distribution Center (KDC), 67, IP Security Monitor, 137, 138 260–261, 502 IPSec certificate template, 360 KMS (key management server), 502 IPSec (Internet Protocol Security), 50, 124–145, recovering certificates, 414–415 318, 501 authentication configuration and adminis- tration, 127–138 custom MMC for management, 128 L rule configuration, 131–137, 132 L2TP (Layer 2 Tunneling Protocol), 502 testing policy assignments, 137 ports for RRAS, 306 tunnel mode vs. transport mode, 129–131 L2TP/IPSec, 318, 502 benefits, 125–126 Network Address Translation and, 320 certificate deployment and management, LAN Manager, 257, 502 139–141 disabling, 258–259 certificate renewal, 141 LAN protocols exam essentials, 151–152 authentication, 257–261 phases of process, 126–127 Kerberos protocol, 259–261 protocol configuration and encryption NT LAN Manager (NTLM), 257–259 levels, 138–139 laptop computers, Encrypting File System (EFS) between server types, for, 416 142–143 last logged-on username, 18 troubleshooting, 143–145 preventing display in Logon dialog box, authentication issues, 145 20–21 certificate configuration, 144–145 Layer 2 Tunneling Protocol (L2TP), 502 firewalls and routers, 145 ports for RRAS, 306 rule configuration, 143–144 LDAP (Lightweight Directory Access Protocol), IPX (Internetwork Packet Exchange), PPTP 226, 502 encapsulation of, 318 testing secured, 228–229 isolated networks, updates for, 94 lifetime of DNS security context, 52 ISP. 
See Internet service providers Lightweight Directory Access Protocol (LDAP), issuing CAs, 342, 501 226, 502 installing and configuring, 353–360 testing secured, 228–229 viewing published certificates and CRLs, LmHash, disabling creation, 55 358–360 Local Area Connection Properties dialog IUSR_computername account, 274–275 box, 310 disabling, 61 General tab, 310 IV (initialization vector), 176, 178–179, 501 Local Policies, in security templates, 9 Local Security Authority (LSA), 257, 262, 502 K Location Information dialog box, 315 Logical Certificate Stores view, 403–404 KeepAlive packet, 55 Logon dialog box, preventing display of last Kerberos, 259–261, 502 logged-on username, 20–21 authentication, 45 logon events, tracking, 15, 444–445

logon process Baseline Security Analyzer, 80, authentication, 261–263 84–85 security risk for Basic authentication, configuration for scan, 89 276–277 opening menu screen, 88 logon scripts, 5 results, 89–90 logs, 432, 450–456, 502 Microsoft Challenge-Handshake Authentication Application, 432 Protocol (MS-CHAP), 288–289, 503 Directory Service, 432 Microsoft Challenge-Handshake Authenti- DNS Server, 432 cation Protocol version 2 (MS-CHAP v2), Event Viewer to display message in, 433, 184, 289, 503 433–437, 435 Microsoft Directory Synchronization File Replication, 432 Services, 68 firewall log files, 453 Microsoft File Migration Utility, 68 IIS logs, 450–453, 451 Microsoft Graphical Identification and Network Monitor logs, 453–455 Authentication (MSGINA), 503 RAS logs, 455–456 Microsoft Management Console (MMC) retention management, 456 Certificates snap-in, 218, 367, 368–369, 370 for Software Update Services, 106, 107 to edit certificates, 373 SQL Server for storing events, 451–453 to enroll certificates, 410–411 Security, 432 for importing certificate, 401 System, 432 to view certificates, 370–372 from URLScan tool, 63 Certification Authority MMC snap-in, 370, LSA (Local Security Authority), 257, 262, 502 372, 372 to backup Certification Services, 375 to revoke certificate, 372–373 for IP Security Policy Management node, M 127, 127–128 MAC. See Media Access Control (MAC) Security Template snap-in, 7 address Microsoft Security Bulletin Service, 96 machine certificates, 388, 502. See also client Microsoft Software Update Services Setup certificates Wizard, 99 Macintosh clients, 69 Microsoft User Authentication Module, 69 “man-in-the-middle” attacks, 51, 148 MIME (Multipart Internet Mail Extension) Management and Monitoring Tools dialog Secure, 388–394 box, 327 to sign and seal e-mail, 390–393 MAPI (Messaging Application Programming mirror image for chain of evidence Interface), 230 preservation, 480 MBSA tool. 
See Microsoft Baseline Security missing event, 432–433, 503 Analyzer Mixed Mode (SQL Server 2000), 45 MD5 (Message Digest 5), 139, 502 mobile communications. See wireless Media Access Control (MAC) address, 502 communications filtering for wireless networks, MS-CHAP (Microsoft Challenge-Handshake 179–181, 180 Authentication Protocol), 288–289, 503 Message Digest 5 (MD5), 139, 502 MS-CHAPv2 (Microsoft Challenge-Handshake Message Integrity Code (MIC), 138 Authentication Protocol version 2), 184, message types in event logs, 433–434 289, 503 Messaging Application Programming Interface MSGINA (Microsoft Graphical Identification (MAPI), 230 and Authentication), 503 metabase, 503. See also IIS metabase mutual authentication, 260 MIC (Message Integrity Code), 138 My Computer, Properties, 80

upgrades, troubleshooting N after, 33 Outlook Express natural disasters, 475 adding received certificates, 393 NetBEUI (NetBIOS Enhanced User to install certificate, 392 Interface), 318 to send signed e-mail, 393 NetStumbler, 187 for testing secured e-mail, 239–242 NetWare clients, 68–69 Outlook Web Access (OWA), 49, 50, 230, 503 Network Address Translation (NAT), 503 securing, 242–244 virtual private networks (VPNs) and, output filters for PPTP, 310, 312–313 320–321, 321 overlap of wireless zones, 174 Network Connection Wizard, 317 network interface cards (NICs), wireless, 169–170 Network Load Balancing, and SUS P configuration, 105–106 Network Monitor logs, 453–455, 454 packet traces, 453, 454 “Network name is no longer valid” error between dial-up connection and RAS message, 150 server, 456 network type in IPSec rule, 131 running, 454–455 newsgroups, for HFNetChk tool, 92 parent server, 503 No Terminal Server SID (notssid) template, 11 for SUS, 105 nonrepudiation, 125 partitions, file system for, and security in business communications, 340 templates, 10 NT LAN Manager (NTLM), 45, 257–259, 503 Password Authentication Protocol (PAP), disabling, 258–259 288, 504 for Integrated Windows authentication, password policy, in security templates, 9 281–282 passwords for legacy clients, for Windows 2000 domain attacks on, 124 controller, 54 for Certificate Signing Request, 207 for trust relationship authentication, 271 for Macintosh clients, 69 version 2, 503 security for clear-text, 67 NTFS (New Technology File System) patches, 80. 
See also hotfixes partitions, security templates and, 10 PDAs (personal digital assistants), Windows CE permissions for Exchange 2000 Server, 49 configuration as wireless client, 168–169 permissions for public folders, 50 PEAP (Protected Extensible Authentication Protocol), 181, 184, 504 Perfect Forward Secrecy (PFS), 135, 504 performance, SMB signing and, 52 O permissions for Registry keys, 23–24 object access events in SUS troubleshooting, 112 tracking, 15, 446 for Users group, in Windows 2000 vs. NT, enabling, 16 10–11 ocfiles templates, 11 personal certificate, 393, 504 ODBC (Open Database Connectivity) Personal Information Exchange - PKCS #12 application, to test SQL server (.pfx), 398–399, 504 encryption, 225–226 PFS (Perfect Forward Secrecy), 135, 504 offline files, 503 Physical Certificate Stores, 403, 404 encryption, 416 ping (Packet Internet Groper) command, to test one-way trust creation, 272–273 IPSec policy assignments, 137 Open Database dialog box, 30 PKCS file, 412

PKI (Public Key Infrastructure), 204, 340–370, 505. See also certificate authorities (CAs)
Point-to-Point Tunneling Protocol (PPTP), 504
    filtering, 310–313, 504
        enabling or disabling, 309
    ports for RRAS, 306
.pol files, 33
policy change events, tracking, 15, 449
polymorphic virus, 477
POP3. See Post Office Protocol (POP3)
ports
    for IPSec, 143
    port 25, hackers use of, 49
    port 80, 56
    for RRAS, 306
    for SSL, 204
    for VPNs, creating and deleting, 306–307
Post Office Protocol (POP3), 230, 236–239
    testing secured, with Outlook Express, 239–242
Potential Scripting Violation message, 390, 391
PPTP. See Point-to-Point Tunneling Protocol (PPTP)
PPTP filtering, 504
private certificate authorities, 204, 504
private certificates in SSL, 213–219
    obtaining
        using online certificate authority, 217
        using web interface, 214–216
    renewing, 218–219
private key, 203, 504
Private Key Infrastructure (PKI), for 802.1x standard, 181
private wireless LAN configuration, 165–168
    with Windows 2000 Professional client, 167–168
    with Windows XP Professional client, 166–167
privilege use events, tracking, 447–448
privileges, auditing use, 15
process tracking events, tracking, 15, 448
profile, 504
    for RAS connections, 324
Protected Extensible Authentication Protocol (PEAP), 181, 184, 504
proxy server, configuration for SUS, 105
public certificate authorities, 204, 389, 504
public certificates in SSL
    installation, 211
    obtaining, 205–213
    renewing, 211–213
public folders, securing information, 50
public key, 396, 504
public key cryptography, 203, 504
Public Key Infrastructure (PKI), 204, 340–370, 505. See also certificate authorities (CAs)
public-private key pairs, 389, 396, 505
public wireless LAN configuration
    for Windows 2000 Professional client, 164–165
    for Windows XP Professional client, 163–164

Q

QChain, 94, 109–110
Query Analyzer tool, to test SQL server encryption, 225–226

R

radio interference, 187
RADIUS (Remote Authentication Dial-In User Service), 65, 505
RAS Properties dialog box, Event Logging tab, 509
RC4 ciphers, 178
real world scenario
    Anonymous user account, 64–65
    e-mail, 242
    EventComb, 461
    multiple DNS names, 210
    security policies for DNS dynamic updates configuration, 24–25
    slipstreaming, 108
    SUS to deploy workstation updates, 108–109
    VPNs to connect branch offices, 304
    web site security with Anonymous account, 64–65
rebooting
    after service pack install, 83
    QChain to minimize, 109–110
receiving e-mail, 230
recovery agent, 505
    account for, 397
    for Encrypting File System, 394
    in workgroup environment, 417

Registry
    HKEY_CURRENT_USER entries, 7
    HKEY_LOCAL_MACHINE entries, 7
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \Explorer, 416
        \WindowsUpdate\CriticalUpdate, 104
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
        \EFS, 419
        \Hotfix\Q###, 85
    HKEY_LOCAL_MACHINE\System\CurrentControlSet
        \Control\FileSystem, 55
        \Control\LSA, 55, 266, 267
        \Services\LanManServer\Parameters, 149
        \Services\Rdr\Parameters, 149–150
        \Services\RemoteAccess\Parameters\AccountLockout, 66
        \Services\TCPIP\Parameters, 54
        \Services\VxD\VNetsup, 150
    SUS changes to, 111
Registry and File System Permissions, security template configuration, 22–24, 23
Registry Editor, 414
Registry object, in security templates, 10
remote access, authentication for, 286–290
Remote Access server, logs, 455–456
Remote Access Service Policies, 322–326, 323, 505
Remote Authentication Dial-In User Service (RADIUS), 65, 505
remote clients, IPSec and, 143
Remote Installation Services, 93
    settings in GPOs, 3
renewing certificates, 369
    in Secure Sockets Layer
        private, 218–219
        public, 211–213
replay, 505
    SSL and, 204
Request Security (Optional) Properties dialog box, 136
resident viruses, 477
resources, auditing, 15, 439–444
restoring backup
    of certificate authority, 376–378
    testing, 473
Restricted Groups, security template configuration, 10, 25–26
retention of logs, 456
retinal scanners, 291
reverse polarity threaded naval connectors (RP-TNCs), 169, 505
Reversible Encryption, 279
revoking certificates, 372–373
RFC 1510, 267
roaming profile, 505
    and certificates, 404
rogue APs, 185–186
root CA, 341, 505
    CDP (CRL distribution point) creation for, 345–347
    configuring publication of CRLs, 345–347
    installing and configuring, 342–345
rootsec template, 12
routers, configuration issues in IPSec, 145
Routing and Remote Access Server (RRAS), 287, 304–313, 505
    authentication protocols configuration, 287–288
    configuration for VPN, 304–307
    enabling EAP on, 289–290
    steps for connecting to, 326
    troubleshooting, 308–313
        auditing and event logs, 313
        PPTP filtering, 310–313
Routing and Remote Access Server Setup Wizard, 305, 305–306
RP-TNCs (reverse polarity threaded naval connectors), 169, 505
RRAS. See Routing and Remote Access Server (RRAS)
RRAS (local) Properties dialog box
    Event Logging tab, 314
    IP tab, 308
rules for IPSec, 131–137
    components, 131

S

S/MIME (Secure Multipurpose Internet Mail Extension), 505
SACL (System Access Control List), 507
SAD (Security Account Delegation), 506
SAM (System Account Manager), 257–258, 506
Schlumberger smart card, 404

scripts
    for hotfixes and service packs, 93–94
    for security template deployment, 29–31
Scripts settings in GPOs, 3
seal, 505
SeAssignPrimaryTokenPrivilege assigned right name, 450
SeBackupPrivilege assigned right name, 449
secedit.exe, 506
    for security template deployment, 29
SeChangeNotifyPrivilege assigned right name, 449
SeCreatePermanentPrivilege assigned right name, 450
Secure Communications dialog box, 221, 221
Secure Hash Algorithm (SHA), 139
Secure HTM (SHTM), SUS and, 111
Secure Hypertext Markup Language (SHTML), SUS and, 111
Secure MIME, 388–394, 505
    Base64 Encoded X.509 (.cer) format for, 398
    to sign and seal e-mail, 390–393
Secure Server (Require Security) policy for IPSec, 129
Secure Sockets Layer (SSL), 50, 506
    Basic authentication with, 278
    basics, 202–204, 203
    for client machine to Active Directory domain controller traffic, 226–229
        testing, 227–229
    for client machine to e-mail server traffic, 229–231
    client security for web server traffic, 219–222
        enforcing on IIS, 221
    exam essentials, 245
    IMAP4 (Internet Messaging Access Protocol), 234–236
    Outlook Express for testing, 239–242
    Outlook Web Access (OWA), 242–244
    POP3 (Post Office Protocol), 236–239
    private certificates, 213–219
    public certificates, 205–213
        installation, 211
        renewing, 211–213
    SMTP (Simple Mail Transfer Protocol), 231–234
    standard vs. secure web page, 220
    for Web server to SQL Server traffic, 222–226
        certificates on SQL Server, 223–224
        encryption, 224–225
        testing connection encryption, 225–226
secure templates, 11
securedc template, 11
securews template, 11
Security Account Delegation (SAD), 45, 506
Security Association, 126, 506
security breach. See attacks
Security Configuration and Analysis tool (secedit.exe), 506
    for security template deployment, 29
Security Configuration Tool Set, 25
Security dialog box (Exchange), 236
security log, 432, 437
Security Log Properties dialog box
    Filter tab, 436, 437
    General tab, 436, 436
security options policy, in security templates, 9, 68
Security Options, security template configuration, 20–21
Security Parameter Index (SPI) messages, receiving bad, 143
security principal, 506
Security settings in GPOs, 3
Security Support Provider Interface (SSPI), 262, 506
Security Template snap-in (MMC), 7
security templates, 2, 7–12, 506
    configuration
        Account Policies, 12, 12–14, 13
        Audit Policies, 14–18, 16
        Event Logs, 26–27, 27
        Registry and File System Permissions, 22–24, 23
        Restricted Groups, 25–26
        Security Options, 20–21
        System Services, 21, 21–22
        User Rights Assignment, 18–20, 19
    default, 10–11
    deployment, 27–31
        with Group Policies, 27–29
        with scripts, 29–31
    exam essentials, 34
    incremental, 11–12
    objects in, 9–10
    troubleshooting, 31–33

SeDebugPrivilege assigned right name, 450
SeIncreaseBasePriorityPrivilege assigned right name, 450
SeMachineAccountPrivilege assigned right name, 449
sending e-mail, methods for, 230
SeRemoteShutdownPrivilege assigned right name, 450
SeRestorePrivilege assigned right name, 450
server header, removing from response, 63
Server Message Blocks (SMBs), 49, 506
Server (Request Security) policy for IPSec, 129
server side includes, URLScan tool and, 62
service packs installation, 81–96
    determining current status, 80
    MBSA tool for, 84–92
    slipstreaming, 92–96
        on isolated networks, 94
        on new clients and servers, 94–96
        Remote Installation Services for, 93
        scripts for, 93–94
service packs management, 96–97
    deployment troubleshooting, 111–112
    QChain, 109–110
    Software Update Services, 97–108
        client installation, 102–104
        configuration, 100–101
        deployment in enterprise, 105–106
        and disaster recovery, 104–105
        home page for administration, 100
        Set Options page, 101
        SUS server creation, 98–99
        troubleshooting, 106–108, 107
    Systems Management Server, 109
Service Set Identifier (SSID), 506
    for wireless networks, 172–175
service ticket, 261
Services for NetWare, 68–69
Services for Unix, 67
SeSecurityPrivilege assigned right name, 450
SeShutdownPrivilege assigned right name, 450
SeSystemtimePrivilege assigned right name, 450
SeTakeOwnershipPrivilege assigned right name, 450
SeTcbPrivilege assigned right name, 449
setup security template, 12
Setup Wizard for service pack installation, 82
    Select Options screen, 82, 82–83
    Updating System screen, 83
SHA (Secure Hash Algorithm), 139
share point for CDP, 345–346
SHTM (Secure HTM), SUS and, 111
SHTML (Secure Hypertext Markup Language), SUS and, 111
scripts, 5
sign, 506
Simple Mail Transfer Protocol (SMTP), 142, 230, 231–234, 389
    testing secured, with Outlook Express, 239–242
single-factor authentication, 290
single sign-on, 506
single sign-on environment, 267–268
site container, Group Policy Objects linked to, 3
slipstreaming, 92–96, 507
    on isolated networks, 94
    on new clients and servers, 94–96
    real world scenario, 108
    Remote Installation Services for, 93
    scripts for, 93–94
Smart Card Logon certificate template, 360
Smart Card User certificate template, 360
Smart cards
    for certificates, 404
    EAP-TLS authentication for, 290–291
SMB (Server Message Block), 49, 506
SMB signing, 51, 507
    CIFS (Common Internet File System) and, 147–148
    commands, 146–147
    configuration, 147
    domain controllers and, 145–151
    enabling, 148–151
    and performance, 52
SMTP (Simple Mail Transfer Protocol), 142, 230, 231–234, 389
    anti-spam filters on gateway, 49
    testing secured, with Outlook Express, 239–242
SMTP service, 49
SMTP virtual servers, dedicated, 232
soft Security Association, 126
Software Installation settings in GPOs, 3
Software Update Services (SUS), 94, 97–108, 507
    client installation, 102–104
    configuration, 100–101
    deployment in enterprise, 105–106
    and disaster recovery, 104–105
    error log messages and error codes, 108
    exam essentials, 113

    home page for administration, 100
    notifications from, 96
    Set Options page, 101, 106
    SUS server creation, 98–99
    troubleshooting, 106–108, 107
spam, filters for, 49
Specify Intranet Microsoft Update Service Location Properties dialog box, 103, 103–104
SPI (Security Parameter Index) messages, receiving bad, 143
spoofing MAC addresses, 180
SQL Server, 44–48
    BulkAdmin role, 48
    Encrypting File System and, 48
    security features, 45
    for storing log events, 451–453
    Web server securing to traffic, 222–226
        certificates on SQL Server, 223–224
        encryption, 224–225
        testing connection encryption, 225–226
    Windows 2000 security and, 45–47
SSID (Service Set Identifier), 506
    for wireless networks, 172–175
        security concerns, 175–176
SSL (Secure Sockets Layer). See Secure Sockets Layer (SSL)
SSPI (Security Support Provider Interface), 262, 506
station (STA), 66
statistics server, 103–104
stealth virus, 477
STM (Server-side include file), SUS and, 111
Subordinate Certification Authority certificate template, 360
Success Audit message type in event log, 434
SUS. See Software Update Services (SUS)
sussetup.msi file, 98
symmetric, 507
symmetric encryption, 395
symmetric key, 396
    for Encrypting File System, 394
SYN attack, 54
synchronization log, for Software Update Services, 106, 107
synchronization schedule, in Software Update Services, 101
synchronous processing, of Group Policy Objects, 5–6
System Access Control List (SACL), 507
System Account Manager (SAM), 257–258, 506
system events, tracking, 15, 448–449
system log, 432
System Properties dialog box, General tab, 80, 81
System Services
    security template configuration, 21, 21–22
    in security templates, 10
Systems Management Server, 109
sysvol folder, on domain controllers, 4

T

TCP/IP
    in RRAS troubleshooting, 309
    troubleshooting in VPN client, 319
TCP/IP stack hardening, for Windows 2000 domain controller, 54–55
Template Security Policy Setting dialog box, 22–23, 23
templates. See certificate templates for enterprise CAs; security templates
TGT (Ticket-Granting Ticket), 260, 507
third-party applications, compatibility issues with SUS, 111–112
thumbprint, 417, 507
Ticket-Granting Ticket (TGT), 260, 507
TLS (Transport Layer Security) Channel, creating, 184
TLS (Transport Layer Security) protocol, 507
    for Exchange 2000, 229
tokens, 291
transactional file system, 397, 507
Transport Layer Security (TLS) protocol, 507
    for Exchange 2000, 229
Transport mode, 507
    for IPSec, 129–131
Trojan Horse, 478, 507
    countermeasure for, 482
troubleshooting
    after operating system upgrade, 33
    authentication, 263–264
    Encrypting File System (EFS), 419–420
    Group Policy-applied templates, 32
    IPSec (Internet Protocol Security), 143–145
        authentication issues, 145
        certificate configuration, 144–145
        firewalls and routers, 145
        rule configuration, 143–144

    mixed client environments, 33
    Routing and Remote Access Server (RRAS), 308–313
    security templates, 31–33
    service packs and hotfixes deployment, 111–112
    Software Update Services, 106–108, 107
Trust List Signing certificate template, 365
trust relationships, 271–273, 272, 507
    one-way trust creation, 272–273
Trusted Root Certification Authorities list
    adding CA to, 224–225
    Group Policy to configure, 364
tunnel endpoint, 131
Tunnel mode, 508
tunnel mode for IPSec, 130–131
two-factor authentication, 291

U

unattended installation, 93
uninstalling, IISLockdown tool, 61
Unix
    clients, 67
    interoperability of Kerberos authentication with, 267–269
update.exe, command-line switches, 93–94
upgrades to operating system, troubleshooting after, 33
URL normalization, 63. See also canonicalization
URLScan tool, 61–64
urlscan.ini file, 62, 62–64
urlscan.log file, 63
user accounts, configuring for delegation, 46
User certificate
    requesting, 369, 411
    template, 360
user Properties dialog box, Account tab, 46
User Rights Assignment, security template configuration, 18–20, 19
user rights policy, in security templates, 9
users
    configuration settings on, 4
    Group Policy Objects for, 3
    permissions for EFS encrypted files and folders, 416
Users group, Windows 2000 vs. Windows NT, permissions, 10–11

V

version conflicts, in service pack installs and hotfixes, 112
View Options dialog box, for certificates, 403
viewing certificates, 370–372
virtual directory for CDP, 346
virtual private networks (VPNs), 508. See also Routing and Remote Access Server (RRAS)
    authentication protocols configuration, 307–308
    client configuration for Remote Access security, 322–330
        Connection Manager Administration Kit, 326–330
        Remote Access Service Policies, 322–326
    client systems configuration, 314–318
        troubleshooting, 319
    to connect branch offices, 304
    exam essentials, 331–332
    firewall servers with, 321–322
    and Internet service providers, 302–304
    Network Address Translation and, 320–321, 321
    popular uses, 302
    RRAS configuration for, 304–307
        ports creation and deletion, 306–307
    for wireless networks protection, 189, 189–190
        combining with 802.1x, 190
virtual servers, 508
    dedicated SMTP, 232
    on Exchange Server, 231
viruses, 476–477, 508
    countermeasure for, 482
    e-mail risk of, 49
VMware, 343
VPN ServerName Properties dialog box
    General tab, 320
    Networking tab, 318
VPNs. See virtual private networks (VPNs)

W

W3C Extended Log File Format, 453
WAP. See wireless access point (WAP)
war chalking, 186–187


war driving, 186, 508
Warning message type in event log, 434, 435
web enrollment, 508
Web Enrollment pages
    for certificate enrollment, 411–413
    for manual certificate enrollment, 367–368
web folders, 508
    encrypted files in, 416
web interface, to obtain private certificate, 214–216
Web server. See also Internet Information Server
    securing to SQL Server traffic, 222–226
        certificates on SQL Server, 223–224
        encryption, 224–225
        testing connection encryption, 225–226
    securing with IPSec, 142
Web Server certificate template, 360
Web users
    authentication for, 274–286
        anonymous authentication, 274–276
        Basic authentication, 276–278
        with client certificate mapping, 283–286
        Digest authentication, 278–281
        Integrated Windows authentication, 281–283
WebDAV, URLScan tool and, 61
WEP (Wired Equivalent Privacy), 65, 509
    attacks on, 187
    for wireless networks encryption level, 176–179
        basics, 176–177
        enabling, 177–179, 178
WEP (Wireless Equivalent Privacy), 509
log files, 453
MBSA tool to scan, 84–85
mixed client environments, authentication configuration for, 264–267
network logon, 261
authentication for clients, 265–266
manual certificate enrollment, 367–368
Web enrollment, 412–413
Windows 2000
    Group Policies to remove standard programs from, 3
    order for policies processing, 28
    recovery policy configuration, 418
    refreshing policies, 6
    security, and SQL Server, 45–47
    trust relationships, 271
Windows 2000 domain controller, 50–55
    Anonymous access restrictions, 52–54, 53
    auto generation of 8.3 filenames, disabling, 55
    built-in accounts security, 55
    digital signatures for communication, 51–52
    DNS updates, 52
    LmHash, disabling creation, 55
    NTLMv2 for legacy clients, 54
    TCP/IP stack hardening, 54–55
Windows 2000 Professional client
    configuration for VPN, 316–317
    public wireless LAN configuration for, 164–165
Windows 2000 Server
    Remote Access Account Lockout, 66
    for RRAS, 304
    running packet trace, 454–455
Windows BugTraq, 96, 96
Windows CE, configuration as wireless client, 168–169
Windows Components Wizard
    CA Certificate Request screen, 349, 355
    CA Identifying Information screen, 344, 349
    Certification Authority Type screen, 344, 348, 355
Windows events, 432–456
    enabling auditing for, 438–444
    Event Viewer, 433, 433–437, 435
    EventComb to manage distributed audit logs, 457–461, 459
        real world scenario, 461
    exam essentials, 462
    logs, 450–456
        IIS logs, 450–453, 451
        Network Monitor logs, 453–455
        RAS logs, 455–456
        retention management, 456
    types, 444–450
        account logon events, 445
        account management events, 445–446
        Directory Service access events, 446–447
        logon events, 444–445
        object access events, 446
        policy change events, 449
        privilege use events, 447–448
        process tracking events, 448
        system events, 448–449
Windows .NET Server, IAS (RADIUS) implementation, 185

Windows NT
    manual certificate enrollment, 367–368
    Web enrollment, 412–413
Windows NT 4, authentication for clients, 266–267
Windows NT Authentication Mode, 45
Windows NT Challenge/Response authentication, 281
server, 96, 97
Windows Update Synchronization Service, 98, 508
Windows XP Professional
    client
        and 802.1x, 191
        configuration for VPNs, 314–316
        public wireless LAN configuration for, 163–164
    configuration for third-party Kerberos implementation, 268–269
    Encrypting File System (EFS) features, 416
    errors, 363
WINS
    in RRAS troubleshooting, 309
    troubleshooting in VPN client, 319
Wired Equivalent Privacy (WEP), 65, 509
    attacks on, 187
    for wireless networks encryption level, 176–179
        basics, 176–177
        enabling, 177–179, 178
wireless access point (WAP), 163, 169–170, 509
    moving to DMZ, 188, 188
    rogue APs, 185–186
    sample office layout, 174, 174
    SSIDs as part, 172–173
wireless communications
    components, 169–171
    security, real world scenario, 171
Wireless Equivalent Privacy (WEP), 509
wireless LANs, 509
Wireless Network Connection Properties dialog box, Wireless Networks tab, 173
Wireless Network Properties dialog box, 178, 178
    Authentication tab, 183
wireless networks, basics, 166
wireless networks security, 65–66, 162
    configuration, 171–185
        DHCP (Dynamic Host Configuration Protocol), 172
        EAP authentication methods, 184–185
        encryption levels using 802.1x, 181–184, 182
        MAC filtering, 179–181, 180
        SSID security concerns, 175–176
        SSID (Service Set Identifier), 172–175
        WEP for encryption levels, 176–179
    DMZ (De-Militarized Zone) for, 188
    exam essentials, 191–192
    LAN configuration, 162–171
        private wireless, 165–168
        public wireless, 163–165
    levels, 191
    problems and attacks, 185–187
        radio interference, 187
        rogue APs, 185–186
        war chalking, 186–187
        war driving, 186
        WEP attacks, 187
    VPNs (virtual private networks) for, 189, 189–190
    Windows CE configuration as client, 168–169
workgroup members, and Encrypting File System (EFS), 417–418
workstations
    determining current status of many, 80
    SUS to deploy updates to, real world scenario, 108–109
worms, 478–479, 509
    countermeasure for, 482
wuau22.msi file, 102

X

xcopy command, for EFS files, 419