2
|
- Set up groups, including local, domain local, global, and universal
groups, and convert Windows NT groups to Windows 2000 groups
- Manage objects, such as folders, through user rights, attributes,
permissions, share permissions, auditing, and Web permissions
|
3
|
- Troubleshoot a security conflict
- Determine how creating, moving, and copying folders and files affect
security
|
4
|
- Three ways of managing resources and user accounts include:
  - By individual user
  - By resource
  - By group
- Managing resources by groups is one effective way to reduce time spent
on management
|
5
|
- Scope of influence: The reach of a type of group, such as access to
resources in a single domain or access to all resources in all domains
in a forest
|
6
|
- Local: Used on standalone servers that are not part of a domain
- Domain local: Used in a single domain or to manage resources in a domain
so that global and universal groups can access those resources
|
7
|
- Global: Used to manage accounts from the same domain and to access
resources in the same and other domains
- Universal: Used to provide access to resources in any domain within a
forest
|
8
|
- Use local groups on a standalone server (Active Directory not
implemented), such as to manage multiple accounts in a small office
|
9
|
- Typically a domain local security group is on the ACLs of resources such
as folders, shared folders, printers, and other resources. Global
security groups in the same or in a different domain gain access to
those resources by becoming members of the domain local group.
- Domain local groups can contain accounts, but usually that is not the
best approach.
|
11
|
- Use global groups to contain accounts for accessing resources in the
same and in other domains via domain local groups
|
13
|
- Global groups can be nested to reflect the structure of OUs
|
15
|
- Plan nesting to take into account that you may want to later convert
specific global groups, because a global group cannot be converted if it
is a member of another global group
- Keep in mind that global groups can only be nested in native mode
domains
|
17
|
- Use universal groups to provide access to forest-wide resources (to be
included on the ACLs of resources such as servers, shared folders, and
printers)
- Universal groups enable the scope of influence to span domains and trees
|
19
|
- Use global groups to hold accounts as members. Give accounts access by
joining them to a global group and then placing that global group into a
domain local or universal group or both.
- Use domain local groups to provide access to resources in a specific
domain by adding them to the ACLs of those resources.
|
20
|
- Use universal groups to provide extensive access to resources, such as
when the Active Directory contains trees and forests. Make universal
groups members of ACLs for objects in any domain, tree, or forest.
Manage user account access by placing accounts in global groups and
joining those global groups to domain local or universal groups.
|
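The nesting pattern on slides 19 and 20 (accounts in global groups, global groups in domain local or universal groups, domain local groups on the ACL), together with the mode restrictions from slides 15 and 25, can be modelled as a small membership graph. The following is an added example with constructed data, not code from the slides; the names "alice", "Sales", "AllStaff" and "Share_Readers" are assumptions, and the rule that a universal group may be a member of a domain local group is standard Windows 2000 behaviour that the slides do not state.

```python
"""Model of Windows 2000 group scopes and the account -> global -> domain local
(or universal) -> ACL pattern the slides recommend.

Added example with constructed data; group and account names are assumptions.
"""
from collections import deque

ACCOUNT, LOCAL, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = (
    "account", "local", "domain local", "global", "universal")

# (member scope, container scope) pairs that may be nested.
NESTING_RULES = {
    (ACCOUNT, LOCAL), (ACCOUNT, GLOBAL),
    (ACCOUNT, DOMAIN_LOCAL),      # allowed, but slide 9 calls it not the best approach
    (GLOBAL, DOMAIN_LOCAL), (GLOBAL, UNIVERSAL),
    (GLOBAL, GLOBAL),             # native mode only, checked in add_member
    (UNIVERSAL, DOMAIN_LOCAL),    # standard Windows 2000 behaviour, not stated on the slides
}


class Domain:
    """A single domain holding principals (accounts and groups) and memberships."""

    def __init__(self, native_mode):
        self.native_mode = native_mode
        self.scope = {}      # principal name -> scope
        self.members = {}    # group name -> set of direct member names

    def add(self, name, scope):
        # Universal groups are not recognised while the domain runs in mixed mode.
        if scope == UNIVERSAL and not self.native_mode:
            raise ValueError("universal groups are not recognised in mixed mode")
        self.scope[name] = scope
        if scope != ACCOUNT:
            self.members[name] = set()

    def add_member(self, member, group):
        ms, gs = self.scope[member], self.scope[group]
        if (ms, gs) not in NESTING_RULES:
            raise ValueError(f"a {ms} cannot be a member of a {gs} group")
        if ms == GLOBAL and gs == GLOBAL and not self.native_mode:
            raise ValueError("global groups can only be nested in native mode")
        self.members[group].add(member)

    def memberships(self, principal):
        """Every group the principal belongs to, directly or via nesting
        (the basis of inherited rights and permissions)."""
        found, queue = set(), deque([principal])
        while queue:
            current = queue.popleft()
            for group, direct in self.members.items():
                if current in direct and group not in found:
                    found.add(group)
                    queue.append(group)
        return found

    def can_convert(self, group):
        """A global group cannot be converted while it is a member of another global group."""
        return not any(self.scope[g] == GLOBAL and group in direct
                       for g, direct in self.members.items())

    def has_access(self, principal, acl):
        """True if the principal, or any group it belongs to, is listed on the ACL."""
        return bool(({principal} | self.memberships(principal)) & set(acl))


def build_example():
    """Constructed native-mode domain following the slides' pattern."""
    d = Domain(native_mode=True)
    d.add("alice", ACCOUNT)
    d.add("Sales", GLOBAL)                # holds accounts
    d.add("AllStaff", GLOBAL)             # nested global group (native mode only)
    d.add("Share_Readers", DOMAIN_LOCAL)  # goes on the resource ACL
    d.add_member("alice", "Sales")
    d.add_member("Sales", "AllStaff")
    d.add_member("AllStaff", "Share_Readers")
    return d


if __name__ == "__main__":
    d = build_example()
    print(sorted(d.memberships("alice")))            # ['AllStaff', 'Sales', 'Share_Readers']
    print(d.has_access("alice", {"Share_Readers"}))  # True
    print(d.can_convert("Sales"))                    # False: Sales is nested in AllStaff
```

Running the module shows that alice reaches the resource only through the chain of groups, and that `Sales` cannot be converted while it sits inside another global group; constructing a `Domain(native_mode=False)` and adding a universal group, or nesting one global group in another, raises the corresponding error.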
22
|
- To create a group:
  - Click the container in which to create the group
  - Click the Create a new group in current container icon
  - Enter the name of the group
  - Select the group scope
  - Select the group type
  - Click OK
|
24
|
- General: Used to enter a description, set the scope, and set the group
type
- Members: Used to add group members
- Member Of: Used to join another group
- Managed By: Establishes who will manage the group
- Object: Provides information about the group as an object (on newer
versions of Windows 2000)
- Security: Enables you to set up security (on newer versions of Windows
2000)
|
25
|
- Existing NT local groups on a PDC are converted to domain local groups
- Existing NT global groups on a PDC are converted to global groups
- If still running in mixed mode, universal groups are not recognized
- If running in native mode, but there are still Windows NT servers, the
NT servers treat Windows 2000 universal groups as NT global groups
|
34
|
- User rights: Enable an account or group to perform predefined tasks,
such as the right to access a server or to increase disk quotas
|
39
|
- Inherited rights: User rights that are assigned to a group and that
automatically apply to all members of that group
|
40
|
- To configure rights in a domain:
  - Open the Active Directory Users and Computers tool
  - Right-click a domain or OU, for example
  - Click Properties, click the Group Policy tab, click the group policy,
  and click Edit
  - Double-click (if necessary) Computer Configuration, Windows Settings,
  Security Settings, and Local Policies
  - Double-click User Rights Assignment
  - Double-click any policies to configure them
|
42
|
- Attributes: A characteristic associated with a folder or file used to
help manage access and backups
|
45
|
- Regular attributes
- Extended attributes
|
47
|
- If you configure the Index attribute but indexing is not working, check
the following:
  - Make sure that the Indexing Service is installed
  - Make sure that the Indexing Service is started and set to start
  automatically
|
48
|
- Files that are compressed cannot be encrypted
|
49
|
- The Encrypt attribute uses the Microsoft Encrypting File System (EFS),
which sets a unique private encryption key associated with the user
account that encrypted the file or folder. Only that account has access
to the encrypted file or folder contents.
|
50
|
- Decrypt an encrypted file or folder before you move it to another
location; otherwise the file or folder remains encrypted in the new
location
|
51
|
- Permissions: Privileges to access and manipulate resource objects, such
as folders and printers; for example, privilege to read a file, or to
create a new file
|
52
|
- Auditing: Tracking the success or failure of events associated with an
object, such as writing to a file, and recording the audited events in
an event log of a Windows 2000 server or workstation
|
53
|
- Ownership: Having the privilege to change permissions and to fully
manipulate an object. The account that creates an object, such as a
folder or printer, initially has ownership.
|
54
|
- If possible, set permissions on folders and not on individual files, so
you can minimize the number of permission exceptions to remember
- One variance from this recommendation is large database files that may
require individual security
|
56
|
- Inherited permissions: Permissions of a parent object that also apply to
child objects of the parent, such as to subfolders within a folder
|
65
|
- Protect the Winnt folder by allowing limited access, such as Read &
Execute
- Protect server utility folders, such as folders containing backup
software, with access for Administrators only
- Protect software application folders with access such as Read &
Execute (and Write if necessary for temporary or configuration files)
|
66
|
- Set up publicly used folders with Modify for broad user access
- Give users Full Control of their own home folders
- Remove groups such as Everyone and Users from confidential folders
|
67
|
- Err on the side of too much security at first, because it is easier to
give users more permissions later than to take away permissions after
users are used to having them
|
68
|
- Start by configuring a group policy for auditing
- Configure auditing on an as needed basis for particular objects, such as
a folder or file
|
71
|
- Guidelines for ownership:
  - The account that creates an object is the initial owner
  - Ownership is changed by first having permission to take ownership and
  then by taking ownership
  - Full Control permissions are required to take ownership (or the special
  permission, Take Ownership)
|
72
|
- Share permissions: Limited permissions that apply to a particular shared
object, such as a shared folder or printer
|
74
|
- Read: Permits groups or users to read and execute files
- Change: Enables users to read, add, modify, execute, and delete files
- Full Control: Permits full access to the folder, including the ability
to take ownership control or change permissions
|
75
|
- Use the Caching button on the Sharing tab of the folder Properties
dialog box to set up a folder for offline access via caching
- Caching a folder means that it can be accessed by a client even when the
client computer is not connected to the network
|
76
|
- Automatic Caching for Documents: Documents are cached without user
intervention; all files in the folder that are opened by the client are
cached automatically
- Manual Caching for Documents: Documents are cached only at the user's
request
- Automatic Caching of Programs: Document and program files are
automatically cached when opened, but cannot be modified
|
77
|
- If the Sharing tab is not displayed, make sure that the Server service
is started
|
78
|
- Use the Web Sharing tab in a folder’s properties to configure that
folder for Web access
|
82
|
- Check the groups to which a user or group belongs
- Look for group permissions that conflict, particularly where the Deny
box is checked for a permission in one of those groups
|
83
|
- A newly created file inherits the permissions already set up in a folder
- A file copied from one folder to another on the same volume inherits the
permissions of the folder to which it is copied
- A folder that is moved from one folder to another on the same volume
takes with it the permissions it had in the original folder
|
84
|
- A file or folder that is moved or copied to a folder on a different
volume inherits the permissions of the folder to which it is moved or
copied
- A file or folder that is moved or copied from an NTFS volume to a shared
FAT folder inherits the share permissions of the FAT folder
- A file or folder moved from a FAT to an NTFS folder inherits the NTFS
permissions of that folder
|
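Two things on slides 82 to 84 are easy to get wrong in practice: working out what a user can actually do when one of their groups is allowed a permission and another is denied it, and predicting which permissions a file carries after a copy or move. The following added example (not code from the slides; the group names, right names and ACL are constructed) encodes both. `effective_rights` removes any right that some group the account belongs to is denied, `conflicts` lists the Deny entries that override an Allow from another group, and `permissions_after` applies the copy/move rules from slides 83 and 84.

```python
"""Troubleshooting a permission conflict (slide 82) and working out which
permissions a file or folder ends up with after a create, copy or move
(slides 83 and 84). Added example with constructed data; group and right
names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str          # group (or account) the entry applies to
    rights: frozenset     # e.g. {"read", "write"}
    deny: bool = False    # True when the Deny box is checked


def effective_rights(groups, acl):
    """Union of Allow rights over every group the account belongs to,
    with any right that one of those groups is denied removed."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in groups:
            (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)


def conflicts(groups, acl):
    """(right, denying trustee) pairs where one group allows a right and
    another group the account belongs to denies it."""
    allowed = {r for a in acl if a.trustee in groups and not a.deny for r in a.rights}
    return sorted((r, a.trustee) for a in acl if a.trustee in groups and a.deny
                  for r in a.rights if r in allowed)


def permissions_after(op, same_volume, src_fs, dst_fs,
                      object_perms, dest_folder_perms, dest_share_perms=None):
    """Permissions on the object after `op` ("create", "copy" or "move").

    src_fs / dst_fs are "NTFS" or "FAT"; object_perms are the NTFS
    permissions the object had before the operation.
    """
    if dst_fs == "FAT":
        # Into a shared FAT folder: only the share permissions of that folder
        # apply (a FAT folder has no NTFS permissions of its own)
        return dest_share_perms
    if src_fs == "FAT":
        # From FAT into an NTFS folder: inherits the NTFS permissions of that folder
        return dest_folder_perms
    if op == "move" and same_volume:
        # Moved within the same volume: keeps the permissions it had before
        return object_perms
    # A new file, a copy (same or different volume) or a move to a different
    # volume inherits the permissions of the destination folder
    return dest_folder_perms


# Constructed ACL on a shared folder: Users may read and write, but the
# Contractors group has the Deny box checked for write.
ACL = (
    Ace("Users", frozenset({"read", "write"})),
    Ace("Contractors", frozenset({"write"}), deny=True),
)
USER_GROUPS = {"Users", "Contractors"}   # groups the troubled account belongs to


if __name__ == "__main__":
    print(sorted(effective_rights(USER_GROUPS, ACL)))   # ['read']
    print(conflicts(USER_GROUPS, ACL))                  # [('write', 'Contractors')]
    print(permissions_after("move", True, "NTFS", "NTFS", "original", "dest"))   # original
    print(permissions_after("copy", True, "NTFS", "NTFS", "original", "dest"))   # dest
```

Pointing `conflicts` at the ACL of the resource the user cannot reach gives exactly the list slide 82 says to look for: the groups whose Deny entries are cancelling an Allow from another membership.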
85
|
- Without the Active Directory, use local groups to manage access to
resources
- With the Active Directory implemented, use domain local, global, and
universal groups to manage resources
|
86
|
- Windows 2000 Server objects are secured through ACLs, user rights,
permissions, inherited rights and permissions, share permissions, Web
permissions, auditing, and ownership
- Troubleshoot permissions conflicts by examining the security assigned to
all groups to which a user account or group belongs
|