2. In an effort to cooperate with your company’s new emphasis on security, you
have used GPOs to enable all the available audit policies on the computers that
are running Windows Server 2003. A few days after making these changes, you
unlock the data center to find that your domain controller has shut down during
the night. Which of the following modifications might prevent this from happening
again? (Choose all correct answers.)
a. Revoke the Administrators group’s Debug Programs user right.
b. Increase the default value specified in the Maximum Security Log Size policy.
c. Disable the Shutdown: Allow System To Be Shut Down Without Having To
Log On security option.
d. Disable the Audit: Shut Down System Immediately If Unable To Log Security
Audits security option.
Chapter Summary
■ A Group Policy Object (GPO) is a collection of configuration parameters that you
can use to secure a Windows Server 2003 installation. To deploy a GPO, you associate
it with an Active Directory container, and all the objects in the container
inherit the GPO configuration settings.
■ Audit and Event Log policies enable you to specify what types of information a
computer logs, how much information the computer retains in the logs, and how
the computer behaves when the logs are full.
■ Windows Server 2003 loads many services by default that a member server usually
doesn’t need. You can use a GPO to specify the startup types for the services on
a computer.
■ The domain controller role is the only one that has its own default GPO assigned
by Windows Server 2003. To create your own policy settings for domain controllers,
you can modify the existing GPO or create a new one.
■ Infrastructure servers run network support services such as DNS, DHCP, and WINS.
■ DNS servers using Active Directory-integrated zones use the directory service to
secure their data, but for servers that use file-based zones, you must take steps to
secure the DNS database and log files.
■ On NTFS drives other than the system drive on computers running Windows
Server 2003, the operating system assigns the Full Control permission to the
Everyone group by default. You can use a GPO to protect the files on your server
drives by assigning your own file system permissions.
■ An Active Directory object can receive policy settings from multiple GPOs and
apply them in a particular order.
■ Active Directory objects do not contain GPOs; they are only linked to them. You
can link a single GPO to multiple objects and make global changes by modifying
that single GPO.
■ Organizational unit objects inherit policy settings from the GPOs applied to their
parent objects. Policy settings from a GPO linked directly to an object take precedence
over settings inherited from a parent object’s GPO.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional practice,
and review the “Further Reading” sections in Part 2 for pointers to more information
about topics covering the exam objectives.
Key Points
■ To create a secure baseline installation for computers that are running Windows
Server 2003, you can use Group Policy Objects (GPOs) to deploy a wide variety of
configuration settings.
■ Servers on a network usually perform specific roles that have their own security
requirements. You can accommodate these roles by creating GPOs that build on
your secure baseline.
■ Different server roles can require modifications to the baseline policy settings,
new policy settings, or protection provided by other security features in the operating
system or application.
■ You can apply multiple GPOs to a single Active Directory object, with the policy
settings that the system applies last taking precedence.
■ Group policies flow downward through the Active Directory tree, much like file
system permissions. A parent container with a GPO linked to it passes the policy
settings down to its child containers.
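The inheritance and precedence rules summarized above (parent settings flow down, and the GPO applied last wins) can be modeled in a few lines. This is an added example, not code from the book: the container names, GPO names, setting keys and values are constructed for illustration, and it models only the rules stated on this page.

```python
# Constructed sample data: container names, GPO names and setting keys are
# hypothetical. "gpos" lists linked GPOs in the order the system applies them.
CONTAINERS = {
    "example.local":  {"parent": None, "gpos": ["Baseline"]},
    "Member Servers": {"parent": "example.local", "gpos": []},
    "Infrastructure": {"parent": "Member Servers",
                       "gpos": ["Infra Role", "DNS Hardening"]},
}
# A setting that is absent from a GPO is "not configured" in that GPO.
GPOS = {
    "Baseline":      {"MaximumSecurityLogSize": 16384,
                      "Service:Alerter": "Disabled",
                      "Service:DHCPServer": "Disabled"},
    "Infra Role":    {"MaximumSecurityLogSize": 32768,
                      "Service:DHCPServer": "Automatic"},
    "DNS Hardening": {"MaximumSecurityLogSize": 65536},
}

def container_chain(name, containers=CONTAINERS):
    """Containers from the top of the tree down to `name`."""
    chain = []
    while name is not None:
        if name in chain:
            raise ValueError("parent loop at " + name)
        chain.append(name)
        name = containers[name]["parent"]
    return chain[::-1]

def applied_gpos(name, containers=CONTAINERS):
    """(container, gpo) pairs in application order: parents first."""
    return [(c, g) for c in container_chain(name, containers)
            for g in containers[c]["gpos"]]

def effective_policy(name, containers=CONTAINERS, gpos=GPOS):
    """Map each setting to (value, winning GPO, container it is linked to)."""
    result = {}
    for container, gpo in applied_gpos(name, containers):
        for setting, value in gpos[gpo].items():
            result[setting] = (value, gpo, container)  # later link overrides
    return result

def contested_settings(name, containers=CONTAINERS, gpos=GPOS):
    """Settings configured by more than one applied GPO, with every source."""
    sources = {}
    for _, gpo in applied_gpos(name, containers):
        for setting in gpos[gpo]:
            sources.setdefault(setting, []).append(gpo)
    return {s: g for s, g in sources.items() if len(g) > 1}

if __name__ == "__main__":
    for setting, won in sorted(effective_policy("Infrastructure").items()):
        print(setting, won)
```

The contested_settings output is the part worth reviewing when hardening: it lists every setting where a role GPO silently overrides the secure baseline.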
Key Terms
Group Policy Object (GPO) An Active Directory object that contains a hierarchy of
policies that represent configuration parameters for users and computers. When
you link a GPO to an Active Directory container object, Active Directory applies
the policies in the GPO to all the objects in that container.
Infrastructure server A server that provides network support services, such as
DNS, DHCP, and WINS.
Organizational unit A type of Active Directory object you can use to create a directory
service hierarchy. Creating organizational units enables you to delegate
administrative responsibility for parts of the Active Directory database and use
inheritance to disseminate properties downward through the Active Directory tree.
Questions and Answers
Lesson 1 Review