3. Enabling which of the following audit policies is likely to require changing the
Maximum Security Log Size value as well?
a. Audit Process Tracking
b. Audit Policy Change
c. Audit Account Logon Events
d. Audit Directory Service Access
Lesson Summary
■ The domain controller role is only assigned its own default GPO by Windows
Server 2003. To create your own policy settings for domain controllers, you can
modify the existing GPO or create a new one.
■ Domain controllers require more security than any other server role. You should
secure the server physically, and then use group policies to specify auditing and
Event Log settings, user rights assignments, and the services the computer
should run.
■ Infrastructure servers run network support services such as DNS, DHCP, and WINS.
■ DNS servers using Active Directory-integrated zones use the directory service to
secure their data, but for servers that use file-based zones, you must take steps to
secure the DNS database and log files.
■ For NTFS drives other than the system drive on computers running Windows
Server 2003, the Full Control permission is assigned to the Everyone group by
default. You can use a GPO to protect the files on your server drives by assigning
your own file system permissions.
Lesson 3: Deploying Role-Specific GPOs
The function of the secure baseline configuration for member servers discussed in
Lesson 1 is to implement a general form of security for all your network servers. Most,
if not all, of the configuration settings in your baseline should apply to all your servers.
However, you undoubtedly also have servers that perform specific roles and that have
different security requirements. The best way to accommodate these servers is to create
Group Policy Objects that build on the baseline configuration you have already created.
After this lesson, you will be able to
■ Assign multiple GPOs to one object
■ Understand group policy inheritance rules
Estimated lesson time: 20 minutes
Combining GPO Policies
To modify the security configuration for a group of servers performing a particular role,
without altering your baseline configuration, you can create a separate GPO for a
server role and, after these computers receive the GPO containing the baseline
configuration, you can apply the role-specific GPO to them. The settings in the role-specific
GPO override those in the baseline. You can use the role-specific GPO to do any of the
following:
■ Modify settings you configured in the baseline
■ Configure settings that are not defined in the baseline
■ Leave the baseline settings for specific parameters unchanged
Because a GPO assigned to an Active Directory container affects all the objects in that
container, you must create separate organizational units for the servers running the
Windows operating system on your network that are performing different roles. You
can deploy your server GPOs in two ways: by creating role-specific organizational
units anywhere in the Active Directory tree and assigning multiple GPOs to each
organizational unit, or by creating a hierarchy of organizational units and letting group
policy inheritance do some of the work for you.
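The following added example (not from the training kit) models how a role-specific GPO layers on a baseline under both deployment approaches, and what happens when the link order is reversed. The GPO names, setting values, and the nesting of InfSvrs under Members are constructed assumptions; the model ignores local and site GPOs, Enforced links, Block Inheritance, and security filtering.

```python
# Simplified model of Group Policy precedence (added example, constructed data).
# A setting that is absent from a GPO is "Not Defined" in that GPO.
GPOS = {
    "Baseline": {
        "Audit Process Tracking": "No auditing",
        "Audit Policy Change": "Success",
        "Maximum Security Log Size": "16384 KB",
    },
    "InfSvrs-Role": {
        "Audit Process Tracking": "Success, Failure",  # modifies a baseline setting
        "DHCP Server service startup": "Automatic",    # not defined in the baseline
        # Audit Policy Change and the log size stay Not Defined here
    },
}

def resultant_policy(ou_path, links):
    """Return {setting: (value, winning_gpo)} for a computer in ou_path[-1].

    ou_path: containers from the top of the tree down to the computer's OU.
    links:   {container: [gpo, ...]} in link order; index 0 is link order 1.
    """
    result = {}
    for container in ou_path:                           # parent first, child last
        for gpo in reversed(links.get(container, [])):  # link order 1 applies last
            for setting, value in GPOS[gpo].items():
                result[setting] = (value, gpo)          # last writer wins
    return result

# Approach 1: role OU with both GPOs linked, role GPO at link order 1.
FLAT = {"InfSvrs": ["InfSvrs-Role", "Baseline"]}
# Approach 2: role OU nested under Members (assumed layout); baseline is inherited.
NESTED = {"Members": ["Baseline"], "InfSvrs": ["InfSvrs-Role"]}
# Misconfiguration: baseline at link order 1 silently undoes the role override.
MISORDERED = {"InfSvrs": ["Baseline", "InfSvrs-Role"]}

def demo():
    """Resultant policy for an InfSvrs computer under each layout."""
    flat = resultant_policy(["InfSvrs"], FLAT)
    nested = resultant_policy(["Members", "InfSvrs"], NESTED)
    misordered = resultant_policy(["InfSvrs"], MISORDERED)
    return flat, nested, misordered

if __name__ == "__main__":
    flat, nested, misordered = demo()
    for setting, (value, source) in sorted(flat.items()):
        print(f"{setting:30} {value:18} <- {source}")
    print("inheritance gives same result:", flat == nested)
    print("misordered:", misordered["Audit Process Tracking"])
```
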
Applying Multiple GPOs
When you create a GPO, you must associate it with a specific Active Directory domain,
site, or organizational unit object. However, once you have created the GPO, you can
link it to as many other objects as you want. Therefore, if servers running Windows
Server 2003 on your network are performing different roles, you can create separate
organizational units for them at the same level, as shown in Figure 9-12.
Figure 9-12 Organizational units for server roles
In the figure, you see the Domain Controllers organizational unit that Windows
Server 2003 creates by default when you create the domain, as well as new organizational
units for member servers (named Members), infrastructure servers (named InfSvrs),
file and print servers (named FilePrint), and application servers (named Web). To create
a separate security configuration for each server role, you would use a procedure
like the following: