Communications and Security in Windows Server 2008 Flashcards
Secure and organize AD, install an IPSec policy on a network, and install an RODC in a domain
Steps for securing authentication are
- Design an authentication strategy
- Create Accounts
- Secure the authentication process
- Educate users
Guidelines for OU organization and structure design
Identify and create admin groups to which rights need to be delegated
Identify users or groups to which rights need to be delegated in the OU and place them in the administrative group
Create objects that need to be controlled and place them in the OU
In the administrative group, delegate administrative tasks to the OU
To hide OU objects, grant the List Contents permission to the users you want to see them and remove this permission from others
To create an OU to hide objects
Modify the ACL of the OU (the list of permissions that are attached to an object)
Command Line Utility for setting an SPN
setspn
2 local Server 2008 accounts
Administrator
Guest
DC default accounts
Administrator
Guest Account
HelpAssistant Account
PA
Protected Administrator Account - an account in the admin group with the lowest rights available to an admin
PasswordReplicationAllowed for a RODC means
The credentials for the specified groups are replicated to the RODC from the writable DC configured as its replication source
IPSec
Server 2008 Internet Protocol Security (IPSec) enforces secure communication between systems on an IP network. It provides a stronger access security model than the firewall mechanism without requiring complex configurations
Use the IPSec snap-in to create, edit and assign policies, locally and on the network
Rules it uses:
- Filter list
- Filter action
- Authentication method
- Tunnel endpoint
- Connection type
Delete the policy before deleting the attached GPO, or it will continue to run
computers, OUs, Domains and sites
Includes the policy's name and description
Cryptographic key exchange settings
IPSec policy ports
Allow requests are
Port 80 - default for HTTP
Port 20 - default for FTP (File Transfer Protocol)
3 steps to creating a policy
- Creating filter lists
- Setting Filter Actions
- Creating a policy and adding rules to it
Go to the Security node in the GPME
choose IP Security Policies on Active Directory
ReplicaDomainDNSName =
The answer file for installing an RODC must have [DCINSTALL] at the top
DNS name of the domain where the RODC will be
DCAccountName
RODC
Name of the RODC account
PasswordReplicationDenied
RODC
Specifies the credentials of the security principals that cannot be replicated to the RODC from the writable DC
By default this is applied only to the Denied RODC Password Replication security group
PasswordReplicationAllowed=brodacdero.com"Allowed RODC Password Replication Group"
RODC
All the security principals in the Password Replication Policy need this line, e.g. guestuser, admin, mark, etc.