
3. Enabling which of the following audit policies is likely to require changing the Maximum Security Log Size value as well?

a. Audit Process Tracking
b. Audit Policy Change
c. Audit Account Logon Events
d. Audit Directory Service Access

Lesson Summary

■ The domain controller role is the only one to which Windows Server 2003 assigns its own default GPO. To create your own policy settings for domain controllers, you can modify the existing GPO or create a new one.

■ Domain controllers require more security than any other server role. You should secure the server physically, and then use group policies to specify auditing and Event Log settings, user rights assignments, and the services the computer should run.

■ Infrastructure servers run network support services such as DNS, DHCP, and WINS. DNS servers using Active Directory-integrated zones use the directory service to secure their data, but for servers that use file-based zones, you must take steps to secure the DNS database and log files.

■ For NTFS drives other than the system drive on computers running Windows Server 2003, the Full Control permission is assigned to the Everyone group by default. You can use a GPO to protect the files on your server drives by assigning your own file system permissions.

Lesson 3: Deploying Role-Specific GPOs

The function of the secure baseline configuration for member servers discussed in Lesson 1 is to implement a general form of security for all your network servers. Most, if not all, of the configuration settings in your baseline should apply to all your servers. However, you undoubtedly also have servers that perform specific roles and that have different security requirements. The best way to accommodate these servers is to create Group Policy Objects that build on the baseline configuration you have already created.

After this lesson, you will be able to

■ Assign multiple GPOs to one object
■ Understand group policy inheritance rules

Estimated lesson time: 20 minutes

Combining GPO Policies

To modify the security configuration for a group of servers performing a particular role, without altering your baseline configuration, you can create a separate GPO for a server role and, after these computers receive the GPO containing the baseline configuration, you can apply the role-specific GPO to them. The settings in the role-specific GPO override those in the baseline. You can use the role-specific GPO to do any of the following:

■ Modify settings you configured in the baseline
■ Configure settings that are not defined in the baseline
■ Leave the baseline settings for specific parameters unchanged

Because a GPO assigned to an Active Directory container affects all the objects in that container, you must create separate organizational units for the servers running the Windows operating system on your network that are performing different roles. You can deploy your server GPOs in two ways: by creating role-specific organizational units anywhere in the Active Directory tree and assigning multiple GPOs to each organizational unit, or by creating a hierarchy of organizational units and letting group policy inheritance do some of the work for you.
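The override and fall-through behaviour described above, and both deployment methods (several GPOs linked to one organizational unit, or a hierarchy of organizational units), can be modelled as a small resultant-policy calculation. The following is an added example written for this lesson, not code from the original text or from Microsoft; the GPO names, the domain name and the setting values are constructed placeholders. It applies the standard rule that GPOs are processed from parent container to child and, within one container, from the last link up to link order 1, so the GPO applied last wins a conflict while settings it leaves undefined keep the earlier value.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict  # a setting left "Not Defined" is simply absent

@dataclass
class Container:  # site, domain or organizational unit
    name: str
    links: list   # GPOs in link order: index 0 is link order 1 (highest precedence)
    parent: "Container | None" = None

def processing_order(container):
    """GPOs in the order Windows applies them: parent containers first,
    and within one container from the last link up to link order 1.
    Whatever is applied last wins a conflict."""
    chain = []
    c = container
    while c is not None:
        chain.append(c)
        c = c.parent
    order = []
    for c in reversed(chain):            # domain first, then child OUs
        order.extend(reversed(c.links))  # link order 1 is applied last
    return order

def resultant_settings(container):
    """Merge GPOs so each setting comes from the last GPO defining it;
    settings a later GPO leaves undefined keep the earlier GPO's value."""
    result, source = {}, {}
    for gpo in processing_order(container):
        for key, value in gpo.settings.items():
            result[key], source[key] = value, gpo.name
    return result, source

# Constructed sample: a baseline GPO linked at the domain and a role-specific
# GPO linked to the InfSvrs OU (names and values are illustrative only).
baseline = GPO("Member Server Baseline", {
    "Audit Logon Events": "Success, Failure",
    "Maximum Security Log Size": "16384 KB",
    "DNS Server service": "Disabled"})
infsvrs_gpo = GPO("Infrastructure Servers", {
    "DNS Server service": "Automatic",              # overrides the baseline
    "Audit Directory Service Access": "Failure"})   # not in the baseline
domain = Container("example.local", [baseline])
infsvrs = Container("InfSvrs", [infsvrs_gpo], parent=domain)
```

Calling `resultant_settings(infsvrs)` shows the DNS Server service set to Automatic from the role GPO while the audit and log-size settings still come from the baseline.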

Applying Multiple GPOs

When you create a GPO, you must associate it with a specific Active Directory domain, site, or organizational unit object. However, once you have created the GPO, you can link it to as many other objects as you want. Therefore, if servers running Windows Server 2003 on your network are performing different roles, you can create separate organizational units for them at the same level, as shown in Figure 9-12.

Figure 9-12 Organizational units for server roles

In the figure, you see the Domain Controllers organizational unit that Windows Server 2003 creates by default when you create the domain, as well as new organizational units for member servers (named Members), infrastructure servers (named InfSvrs), file and print servers (named FilePrint), and application servers (named Web). To create a separate security configuration for each server role, you would use a procedure like the following: