This one is for you. This is a surprisingly effective front against persistent password-cracking attempts. Essentially, the climate of the Internet has degenerated into a situation where even innocent users that get penetrated are used as attack vectors against other innocent but open servers. You can also make use of the Microsoft Baseline Security Analyzer, covered elsewhere in this book, to ensure that your system meets a secure configuration foundation. System administrators all around the world know the Internet is a hostile environment. Get personal data off, verify the integrity of that data, and then reformat and reinstall the machine.
Open the Microsoft Management Console and navigate to the Local Computer Policy snap-in. This is a disturbing trend that is on the one hand disappointing but, on the other, more reasonable hand, understandable. To take this one step further, you may decide to build on the basic policy settings provided by the basic and incremental templates shipped with Windows 2000. Recommended User Policy Settings There are several critical policy settings that you should immediately define, as shown in Tables 2-1 and 2-2. Other Security Considerations Although the earlier sections discussed policy modifications that will harden a Windows 2000 installation, there are other facets of the operating system that do require attention. Use Runas for Administrative Work. I hope this book helps you to do just that, and I hope you consider it a worthwhile investment.
A new chapter has been added on Windows Software Update Services. The connection attempt matches the configured quarantine policy. Also thanks to Oris Orlando for his timely and helpful comments upon reviewing the manuscript. You can manage the Indexing Service using the Microsoft Management Console snap-in ciadv. On the Ready to Install Windows Server Update Services screen, confirm your selections, and then click Next.
The New Custom Action dialog box is displayed, as shown in Figure 8-2. The approval process makes it easy to withhold patches until further testing is done, which partly assuages the general fear accompanying the installation of patches that are suspected of causing more problems than they fix. To set these restrictions, do the following: 1. However, without Group Policy and Active Directory, you need to take advantage of the File Replication Service, which is included with Windows 2000. Enables you to send and receive faxes.
Select Find from the Edit menu. You may now make any policy modifications you wish in any one of the policy areas supported by the tool: account policies, local policies, the event log, restricted groups, system services, the Registry, and the file system. Advanced rights are those that rarely need to be changed from their default settings. When you replace Everyone with Authenticated Users, only those who identify themselves to the computer with credentials that pass the checks of the local system authority are allowed access. When updates have finished downloading, the notification bubble will appear in the system-tray area of the machine, and an administrative user can double-click the bubble to open the Ready to Install dialog box, shown in Figure 7-4. This allows you to use existing machines to host the quarantined resources, but you also have to create individual packet filters for quarantined sessions for each of these existing machines.
Make the policy changes for that group as necessary. Click the Group Policy tab, select Default Domain Policy in the details box, and then click the Edit button. Creating a Custom Security Template You may wish to make your own customized policy modifications that go further than those made in the templates shipped with Windows 2000. The quickest ways to mitigate this risk are either to disable these types of hashes via Group Policy, or to mandate 15-character or longer passwords. Instead, it will notify the user to restart the computer to complete the installation. In the System Policy Editor window, select Add Group from the Edit menu.
Select New Template from the context menu that appears. A controlled but steady deployment is your best bet for success. Find the application you want to use in Windows Explorer. An approved update is available for distribution to each client machine. Because the operating system is vital to a computer's functioning, and because it's the only layer between the machine's available resources and its users, it's critical that the System administrators know the Internet is a hostile environment.
You install a lock on the front door of your house. These tend to be very restrictive, thereby reducing the surface through which a data attack could take place. Though most users tend to change their passwords on a regular basis when encouraged by administrators, some accounts—namely the Administrator and Guest accounts—often have the same password for life, which makes them an easy target for attack. In any case, Windows depends as much on external hardware devices for security as it does on its own internal mechanisms. From the Control Panel, open Security Center. There are two ways you can specify and use a quarantined resource. Please note that this chapter primarily covers Exchange Server 2003.
Group Policy allows you to define boundaries for security, management, and software distribution based on the structure of your enterprise Active Directory. To use the tool, enter and run hfnetchk from the command line. These apply to all computers and all users in a domain, whereas more specific policies can apply to certain users and groups of users, as well as individual computers for instance. Save the file, and then exit Notepad. The update installation process proceeds depending on what you select in the boxes. Companies lose millions of dollars and suffer damage to computer systems. This will not, however, uninstall the patches from the client machines.
And finally, but certainly not least important, my significant other, Lisa, had the patience of a saint during this process and made the entire experience a lot easier on me. Once the remote computer is in quarantine mode, the baseline script is run. If no specific computer policy part is available, the Default Computer policy is used. Requiring the Three-Keystroke Salute at Logon The logon screen is one of the most trusted aspects of a computer to a normal user. Type the command-line switches and their arguments in the Parameters box. This tool periodically checks the Windows Update catalog for new updates and alerts you to their presence. This tool is versatile and can perform many tasks that you might want to automate using scripts or batch files.