CREATING AN ORGANIZATIONAL UNIT HIERARCHY IN THIS PROCEDURE, YOU CREAT...

2. In an effort to cooperate with your company’s new emphasis on security, you have used GPOs to enable all the available audit policies on the computers that are running Windows Server 2003. A few days after making these changes, you unlock the data center to find that your domain controller has shut down during the night. Which of the following modifications might prevent this from happening again? (Choose all correct answers.)

a. Revoke the Administrators group’s Debug Programs user right.

b. Increase the default value specified in the Maximum Security Log Size policy.

c. Disable the Shutdown: Allow System To Be Shut Down Without Having To Log On security option.

d. Disable the Audit: Shut Down System Immediately If Unable To Log Security Audits security option.

Chapter Summary

A Group Policy Object (GPO) is a collection of configuration parameters that you can use to secure a Windows Server 2003 installation. To deploy a GPO, you associate it with an Active Directory container, and all the objects in the container inherit the GPO configuration settings.

Audit and Event Log policies enable you to specify what types of information a computer logs, how much information the computer retains in the logs, and how the computer behaves when the logs are full.

Windows Server 2003 loads many services by default that a member server usually doesn’t need. You can use a GPO to specify the startup types for the services on a computer.

The domain controller role is the only one that has its own default GPO assigned by Windows Server 2003. To create your own policy settings for domain controllers, you can modify the existing GPO or create a new one.

Infrastructure servers run network support services such as DNS, DHCP, and WINS. DNS servers using Active Directory-integrated zones use the directory service to secure their data, but for servers that use file-based zones, you must take steps to secure the DNS database and log files.

On NTFS drives other than the system drive on computers running Windows Server 2003, the operating system assigns the Full Control permission to the Everyone group by default. You can use a GPO to protect the files on your server drives by assigning your own file system permissions.

An Active Directory object can receive policy settings from multiple GPOs and apply them in a particular order.

Active Directory objects do not contain GPOs; they are only linked to them. You can link a single GPO to multiple objects and make global changes by modifying that single GPO.

Organizational unit objects inherit policy settings from the GPOs applied to their parent objects. Policy settings from a GPO linked directly to an object take precedence over settings inherited from a parent object’s GPO.

Exam Highlights

Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice, and review the “Further Reading” sections in Part 2 for pointers to more information about topics covering the exam objectives.

Key Points

To create a secure baseline installation for computers that are running Windows Server 2003, you can use Group Policy Objects (GPOs) to deploy a wide variety of configuration settings.

Servers on a network usually perform specific roles that have their own security requirements. You can accommodate these roles by creating GPOs that build on your secure baseline.

Different server roles can require modifications to the baseline policy settings, new policy settings, or protection provided by other security features in the operating system or application.

You can apply multiple GPOs to a single Active Directory object, with the policy settings that the system applies last taking precedence.

Group policies flow downward through the Active Directory tree, much like file system permissions. A parent container with a GPO linked to it passes the policy settings down to its child containers.
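
The inheritance and precedence rules summarized above can be modeled in a few lines to show which GPO supplies each effective setting. This is an added example, not code from the book; the container names, GPO names, and setting values are constructed, and the model covers only the rules stated here (parent GPOs apply first, the GPO applied last wins).

```python
# Added illustration: a simplified model of GPO inheritance and precedence.
# Container names, GPO names and setting values are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GPO:
    name: str
    settings: dict

@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)  # linked GPOs, in application order

def application_order(container):
    """GPOs in the order they apply: topmost parent first, own links last."""
    chain = []
    while container is not None:
        chain.append(container)
        container = container.parent
    return [gpo for node in reversed(chain) for gpo in node.links]

def effective_settings(container):
    """Return {setting: (value, winning GPO name)}; the GPO applied last wins."""
    result = {}
    for gpo in application_order(container):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

def overridden(container):
    """List (setting, losing GPO, winning GPO) so conflicts can be reviewed."""
    final = effective_settings(container)
    return [(key, gpo.name, final[key][1])
            for gpo in application_order(container)
            for key in gpo.settings if final[key][1] != gpo.name]

baseline = GPO("Member Server Baseline", {"Maximum Security Log Size": "16384 KB", "DNS Server startup type": "Disabled"})
infra_role = GPO("Infrastructure Role", {"DNS Server startup type": "Automatic", "DHCP Server startup type": "Automatic"})
domain = Container("example.local")
member_servers = Container("Member Servers", domain, [baseline])
infra_ou = Container("Infrastructure Servers", member_servers, [infra_role])
file_ou = Container("File Servers", member_servers)  # inherits only the baseline

if __name__ == "__main__":
    for key, (value, source) in effective_settings(infra_ou).items():
        print(f"{key}: {value} (from {source})")
    print("Overridden:", overridden(infra_ou))
```

Because containers hold only links to the GPO objects, changing a value in `baseline.settings` changes the result for every container below Member Servers, which mirrors the point that one GPO edit makes a global change.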

Key Terms

Group Policy Object (GPO) An Active Directory object that contains a hierarchy of policies that represent configuration parameters for users and computers. When you link a GPO to an Active Directory container object, Active Directory applies the policies in the GPO to all the objects in that container.

Infrastructure server A server that provides network support services, such as DNS, DHCP, and WINS.

Organizational unit A type of Active Directory object you can use to create a directory service hierarchy. Creating organizational units enables you to delegate administrative responsibility for parts of the Active Directory database and use inheritance to disseminate properties downward through the Active Directory tree.

Questions and Answers

Lesson 1 Review