Slide 1 (8.1) © 2004 Pearson Education, Inc. Exam 70-297 Designing a Microsoft® Windows® Server 2003 Active Directory and Network Infrastructure
Lesson 8: Planning the Authentication Strategy

Goals
- Specify account policies and security
- Design security groups
- Use shortcut trusts

Slide 2 (8.2) Specifying Account Policies and Security (Skill 1)
- Specifying account security
  - Define optimal settings
  - Authentication mechanisms
  - Account properties
  - Account policies

Slide 3 (8.3) Specifying Account Policies and Security (2) (Skill 1)
- Authentication mechanisms
  - LM (LAN Manager)
  - NTLM (NT LAN Manager)
  - NTLM2 (NT LAN Manager version 2)
  - Kerberos

Slide 4 (8.4) Specifying Account Policies and Security (3) (Skill 1)
- LM (LAN Manager)
  - Used by Windows NT and Windows 9x clients simultaneously with NTLM
  - Low security
- NTLM (NT LAN Manager)
  - Used by Windows NT and Windows 9x clients
  - Used by Windows 2000, 2003, and XP clients in certain situations, such as when logging on to a Windows NT domain
  - Moderate security

Slide 5 (8.5) Specifying Account Policies and Security (4) (Skill 1)
- NTLM2 (NT LAN Manager version 2)
  - Used by Windows NT SP4 clients
  - Used by Windows 9x clients with Directory Services Client installed
  - Used by Windows 2000, 2003, and XP clients in certain situations
  - High security
- Kerberos
  - Used by Windows 2000, 2003, and XP when logging on to a Windows 2000 or Windows Server 2003 domain
  - Optimal security

Slide 6 (8.6) Specifying Account Policies and Security (5) (Skill 1)
- Account properties
  - Settings required depend on the environment and the level of security required
- Rules of thumb
  - Always configure passwords to expire
  - Properly specify logon restrictions
  - Correctly specify account expiration settings for temporary employees
  - Properly specify remote access and Terminal Services permissions settings

Slide 7 (8.7) Specifying Account Policies and Security (6) (Skill 1)
- Account policies
  - Used to set user account properties that control the logon process
  - Three types
    - Account Lockout
    - Password
    - Kerberos
  - All are configured using the Group Policy Object Editor snap-in or the Group Policy Management Console (GPMC)

Slide 8 (8.8) Specifying Account Policies and Security (7) (Skill 1)
- Account Lockout policies
  - Prevent users from guessing passwords by automatically locking out the user account according to specifications that have been set
  - Configured by setting three policies
    - Account lockout threshold
    - Account lockout duration
    - Reset account lockout counter after

Slide 9 (8.9) Specifying Account Policies and Security (8) (Skill 1)
- Account lockout threshold: Specifies the number of invalid logon attempts a user can make, after which the account is locked and the user is prevented from making further logon attempts
- Account lockout duration: Sets the time duration during which the account is disabled
- Reset account lockout counter after: Sets the time duration that must elapse after an invalid logon attempt before the account lockout counter is reset to 0
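To show how the three lockout settings on slides 8 and 9 interact, here is an added simulation (not part of the slides, and not Windows code) that replays constructed logon attempts against a policy: the counter reset window, the automatic unlock once the lockout duration elapses, and the "locked until an administrator unlocks" case when the duration is 0 are modelled as the slides describe them.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold: bad attempts before lockout (0 = never lock)
    duration_min: int     # Account lockout duration in minutes (0 = locked until an admin unlocks)
    reset_after_min: int  # Reset account lockout counter after: minutes of quiet before the counter clears

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None      # time of the most recent bad attempt
    locked_until: Optional[float] = None  # None = not locked; math.inf = manual unlock needed

def attempt_logon(policy: LockoutPolicy, state: AccountState, t_min: float, password_ok: bool) -> str:
    """Apply one logon attempt at time t_min (minutes); returns 'ok', 'bad' or 'locked'."""
    if state.locked_until is not None:
        if t_min < state.locked_until:
            return "locked"                            # still inside the lockout duration
        state.locked_until, state.bad_count = None, 0  # duration elapsed: automatic unlock
    # Observation window: reset_after_min minutes without a bad attempt clears the counter.
    if state.last_bad is not None and t_min - state.last_bad >= policy.reset_after_min:
        state.bad_count = 0
    if password_ok:
        state.bad_count = 0                            # a successful logon also clears the counter
        return "ok"
    state.bad_count += 1
    state.last_bad = t_min
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = math.inf if policy.duration_min == 0 else t_min + policy.duration_min
        return "locked"
    return "bad"

def run(policy: LockoutPolicy, events: List[Tuple[float, bool]]) -> List[str]:
    """Replay (time_in_minutes, password_ok) events against a fresh account."""
    state = AccountState()
    return [attempt_logon(policy, state, t, ok) for t, ok in events]

# Constructed sample: three bad guesses, a 38-minute pause, then five more bad guesses.
SAMPLE_EVENTS = [(0, False), (1, False), (2, False), (40, False), (41, False),
                 (42, False), (43, False), (44, False), (50, True), (75, True)]

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, duration_min=30, reset_after_min=30)
    for (t, ok), result in zip(SAMPLE_EVENTS, run(policy, SAMPLE_EVENTS)):
        print(f"t={t:>3} min  password_ok={ok!s:5}  -> {result}")
```

With the sample policy the first three guesses are forgotten after the 30-minute reset window, so the lockout only triggers on the fifth guess of the second burst, and the correct password is refused until the 30-minute duration has passed.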

Slide 10 (8.10) Specifying Account Policies and Security (9) (Skill 1)
- Password policies
  - Allow you to specify how passwords are managed
  - Policy options (Table 8-2)
    - Enforce password history
    - Maximum and minimum password age
    - Minimum password length
    - Passwords must meet complexity requirements
    - Store password using reversible encryption for all users in the domain

Slide 11 (8.11) Specifying Account Policies and Security (10) (Skill 1)
- Kerberos policies
  - Used in connection with the Kerberos authentication protocol
  - Apply only to domain user accounts or computer accounts
  - Default Kerberos policy values set by the Default Domain Policy are generally suitable for most networks and do not need to be changed

Slide 12 (8.12) Specifying Account Policies and Security (11) (Skill 1)
- Kerberos policies
  - Enforce user logon restrictions
  - Maximum lifetime for service ticket
  - Maximum lifetime for user ticket
  - Maximum lifetime for user ticket renewal
  - Maximum tolerance for computer clock synchronization

Slide 13 (8.13) Figure 8-1 Account settings to configure for increased security (Skill 1)

Slide 14 (8.14) Figure 8-2 Kerberos Policy in the Group Policy Object Editor (Skill 1)

Slide 15 (8.15) Designing Security Groups (2) (Skill 2)
- The Microsoft rule is the preferred strategy for building and using groups
  - A-G-DL-P: User Accounts go into Global groups, which go into Domain Local groups, which are assigned Permissions
- Benefits of the Microsoft rule
  - Modularity
  - Ease of modification
  - Reduction in the size of the global group list

Slide 16 (8.16) Designing Security Groups (3) (Skill 2)
- Using universal groups
  - Before creating universal groups, make sure the membership of those groups will not change frequently
  - Never add a user account as a member of a universal group; instead add global groups
  - Universal groups are designed for one specific situation: when you need multiple users in multiple domains to have the same access to multiple resources in multiple domains
  - Modification to the Microsoft rule for universal groups: A-G-U-DL-P
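An added example, not from the slides, that audits a constructed directory against the A-G-U-DL-P rule from slides 15 and 16 and then resolves a user's effective permissions through the nesting chain; the group names, members and ACLs are made up, and the check treats anything outside the strict rule (including same-scope nesting) as a violation.

```python
from collections import deque

# Constructed sample directory: scope of each group, direct membership, and resource ACLs.
SCOPE = {"G-Sales-East": "global", "G-Sales-West": "global",
         "U-Sales-All": "universal", "DL-SalesShare-Modify": "domain_local",
         "DL-Bad-DirectUser": "domain_local"}
MEMBERS = {"G-Sales-East": {"alice"}, "G-Sales-West": {"bob"},
           "U-Sales-All": {"G-Sales-East", "G-Sales-West"},
           "DL-SalesShare-Modify": {"U-Sales-All"},
           "DL-Bad-DirectUser": {"carol"}}              # user placed straight into a DL group
ACL = {"\\\\fs1\\sales": {"DL-SalesShare-Modify": {"read", "write"}},
       "\\\\fs1\\reports": {"G-Sales-East": {"read"}}}  # permission granted to a global group

# What each scope may directly contain under the strict A-G-U-DL-P rule.
ALLOWED = {"global": {"user"}, "universal": {"global"},
           "domain_local": {"global", "universal"}}

def kind(name, scope=SCOPE):
    """Anything that is not a known group is treated as a user account."""
    return scope.get(name, "user")

def nesting_violations(scope=SCOPE, members=MEMBERS, acl=ACL):
    """Return sorted, human-readable deviations from A-G-U-DL-P."""
    out = []
    for grp, mem in members.items():
        for m in mem:
            if kind(m, scope) not in ALLOWED[scope[grp]]:
                out.append(f"{m} ({kind(m, scope)}) nested directly in {grp} ({scope[grp]})")
    for res, entries in acl.items():
        for grp in entries:
            if scope[grp] != "domain_local":
                out.append(f"permissions on {res} granted to {grp} ({scope[grp]}), not a domain local group")
    return sorted(out)

def effective_groups(user, members=MEMBERS):
    """Transitive closure: every group the user belongs to via nesting."""
    found, queue = set(), deque([user])
    while queue:
        cur = queue.popleft()
        for grp, mem in members.items():
            if cur in mem and grp not in found:
                found.add(grp)
                queue.append(grp)
    return found

def effective_permissions(user, resource, acl=ACL, members=MEMBERS):
    """Union of rights on the resource from every group the user ends up in."""
    groups = effective_groups(user, members)
    return set().union(*(r for g, r in acl.get(resource, {}).items() if g in groups))
```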

Slide 17 (8.17) Figure 8-3 Using the Microsoft rule (Skill 2)

Slide 18 (8.18) Figure 8-4 The use of universal groups (Skill 2)

Slide 19 (8.19) Using Shortcut Trusts (Skill 3)
- Shortcut trust
  - A trust established to reduce the normal Kerberos trust resolution path between domains
- When a shortcut trust should be used
  - The domain design is at least partly geographically based
  - Many users access resources in another domain with which they do not have a direct trust relationship
  - A faster resolution path can be created by using a shortcut trust

Slide 20 (8.20) Figure 8-5 Use of shortcut trusts (Skill 3)
