Archive for the ‘Active Directory’ Category

Windows Server 2008 provides several categories of events that you can audit, as described in the following list:

 

■ Account Logon Events: Track user logon and logoff via a user account.

■ Account Management: Track when a user account or group is created, changed, or deleted; a user account is renamed, enabled, or disabled; or a password is set or changed.

■ Directory Service Access: Track access to Active Directory.

■ Logon Events: Track nonlocal authentication events such as network use of a resource or a remote service that is logging on by using the local system account.

■ Object Access: Track when objects are accessed and the type of access performed—for example, track use of a folder, file, or printer. Configure auditing of specific events through the object’s properties (such as the Security tab for a folder or file).

■ Policy Change: Track changes to user rights or audit policies.

■ Privilege Use: Track when a user exercises a right other than those associated with logon and logoff.

■ Process Tracking: Track events related to process execution, such as program execution.

■ System Events: Track system events such as restart, startup, shutdown, or events that affect system security or the security log.


You make data sources available to clients by creating a Data Source Name (DSN). Three types of DSNs exist:

 

> User. A user DSN is visible only to the user who is logged on when the DSN is created.

> System. A system DSN is visible to all local services on a computer and all users who log on locally to the computer.

> File. A file DSN can be shared by all users who have the same drivers installed and who have the necessary permissions to access the DSN. Unlike user and system DSNs, file DSNs are stored in text files, rather than the registry.

 

The DSN identifies the data source, the driver associated with a data source, and other properties that define the interaction between the client and the data source, such as timeout, read-only mode, and so on. You use the same process to create a DSN for most database types. The exception is SQL Server, which provides a wizard for setting up a data source.

 

Defining a data source

To create a data source, you first open the ODBC Data Source Administrator. To do so, click Start → All Programs → Administrative Tools → Data Sources (ODBC). In the ODBC Data Source Administrator, click the tab for the DSN type you want to create and then click Add. Select the desired data source type and click Finish. Except in the case of the SQL Server driver, ODBC prompts you for information, which varies according to the driver selected. Define settings as desired and click OK to create the DSN.
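As an added example (not from the original post), the following Python reads a constructed file DSN, the plain-text form described above, and reports what anyone able to read that file would learn from it; the DSN contents, the server name and the "SQL Server" driver name are assumed sample values.

```python
import configparser
import io

# Added example, not from the original post. The DSN text is constructed;
# the [ODBC] section with DRIVER/SERVER/DATABASE/UID/PWD/Trusted_Connection
# keys is the usual file DSN layout. Server and driver names are assumed.
SAMPLE_FILE_DSN = """\
[ODBC]
DRIVER=SQL Server
SERVER=sql01.contoso.local
DATABASE=Payroll
UID=payroll_app
PWD=S3cretValue
"""


def parse_file_dsn(text):
    """Return the [ODBC] key/value pairs of a file DSN as a dict (keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower  # ODBC keywords are case-insensitive
    cp.read_file(io.StringIO(text))
    if not cp.has_section("ODBC"):
        raise ValueError("not a file DSN: missing [ODBC] section")
    return dict(cp.items("ODBC"))


def audit_file_dsn(text):
    """Report what a shared file DSN exposes to everyone who can read it.
    Because file DSNs live in plain text rather than the registry, an embedded
    PWD is readable by every user with access to the file."""
    attrs = parse_file_dsn(text)
    findings = []
    if "pwd" in attrs or "password" in attrs:
        findings.append("plaintext password stored in file DSN")
    if attrs.get("trusted_connection", "").lower() not in ("yes", "true"):
        findings.append("not using integrated (Windows) authentication")
    return {"driver": attrs.get("driver"), "server": attrs.get("server"),
            "database": attrs.get("database"), "findings": findings}
```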

Blade computing introduces a new data center paradigm where various thin compute blades share centralized resources in a single chassis. A blade server is a single circuit board populated with components such as memory, processors, I/O adapters, and network connections that are often found on multiple boards. Server blades are built to slide into existing servers. They are smaller, need less power, and are more cost-efficient than traditional box-based servers.

 

Managing these servers requires the following:

  • A virtualized view of the servers and resources it uses (such as storage)
  • A high level of security within the server and on the network devices
  • Dynamic resource provisioning that is automated as much as possible
  • A layout that is easy to scale to meet ever-increasing user demands

Data centers will realize a shift from box-based servers to densely packed racks of blade-based servers.

Smart card logon is supported for Windows 2000 and Windows Server 2003. To implement smart cards, you must deploy an enterprise certification authority rather than a stand-alone or third-party certification authority to support smart card logon to Windows Server 2003 domains. Windows Server 2003 supports industry standard Personal Computer/Smart Card (PC/SC)–compliant smart cards and readers and provides drivers for commercially available plug and play smart card readers. Windows Server 2003 does not support non-PC/SC-compliant or non–plug and play smart card readers. Some manufacturers might provide drivers for non–plug and play smart card readers that work with Windows Server 2003; however, it is recommended that you purchase only plug and play PC/SC-compliant smart card readers.

The cost of administering a smart card program depends on several factors, including:

■ The number of users enrolled in the smart card program and their location.

■ Your organization’s practices for issuing smart cards to users, including the requirements for verifying user identities. For example, will you require users to simply present a valid personal identification card or will you require a background investigation? Your policies affect the level of security provided as well as the actual cost.

■ Your organization’s practices for users who lose or misplace their smart cards. For example, will you issue temporary smart cards, authorize temporary alternate logon to the network, or make users go home to retrieve their smart cards? Your policies affect how much worker time is lost and how much help desk support is needed.

Your smart card authentication strategy must describe the network logon and authentication methods you use. It should:

■ Identify the network logon and authentication strategies you want to deploy.

■ Describe smart card deployment considerations and issues.

■ Describe the PKI certificate services required to support smart cards.

In addition to smart cards, third-party vendors offer a variety of security products to provide two-factor authentication, such as “security tokens” and biometric accessories. These accessories use extensible features of the Windows Server 2003 graphical logon user interface to provide alternate methods of user authentication.

You have probably noticed that Windows Server 2003 has a new feature that requests a shutdown reason each time you restart the server. This feature is called the Shutdown Event Tracker.

You might choose to disable this feature to avoid the hassle of typing in a reason each time you restart.

To disable this feature, you can perform the following steps:

1. Click Start, click Run, and type gpedit.msc and press Enter.

2. Expand the Computer Configuration and then Administrative Templates objects. Click on the System object. In the right-hand pane you’ll see several settings appear.

3. Locate and double-click the Display Shutdown Event Tracker setting. The Display Shutdown Event Tracker Properties dialog box opens.

4. Click the Disabled radio button to disable the Shutdown Event Tracker. Click OK. Close the Group Policy Editor console. Now when you shut down this server, you won’t be asked to enter a reason.

 


 

LDAP (Lightweight Directory Access Protocol) is a standardized protocol used by clients to look up information in a directory. An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

 

Every object in Active Directory is an instance of a class defined in the Active Directory schema. Each class has attributes that ensure unique identification of every object in the directory. To accomplish this, Active Directory relies on a naming convention that lets objects be stored logically and accessed by clients through a standardized method. Both users and applications are affected by the naming conventions that a directory uses. To locate a network resource, you need to know its name or one of its properties. Active Directory supports several types of names, corresponding to the different formats that clients can use to access Active Directory.

 

These names include:

■ Relative Distinguished Names

■ Distinguished Names

■ User Principal Names

■ Canonical Names
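The following Python is an added example, not part of the original post, that converts among the name formats just listed for a constructed user object: it splits a distinguished name into its relative distinguished names (honouring backslash-escaped commas), derives the canonical name, and builds a user principal name under the assumption that the UPN suffix equals the DNS domain spelled out by the DC components.

```python
import re

# Added example, not from the original post. Sample names are constructed.
# Escaping follows the single-character backslash rules of RFC 4514 only
# (assumption: no \XX hex pairs and no multi-valued '+' RDNs).

def split_dn(dn):
    """Split a DN on unescaped commas; each RDN keeps its escape sequences."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.extend(dn[i:i + 2])  # copy the escape pair untouched
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def unescape(value):
    """Drop the backslash of each escape pair, keeping the escaped character."""
    return re.sub(r"\\(.)", r"\1", value)

def parse_dn(dn):
    """List of (attribute type, unescaped value) pairs, leftmost RDN first."""
    pairs = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().upper(), unescape(val.strip())))
    return pairs

def relative_dn(dn):
    """The RDN is the leftmost component, e.g. 'CN=Jane Doe'."""
    return split_dn(dn)[0]

def canonical_name(dn):
    """'CN=Jane Doe,OU=Sales,DC=contoso,DC=com' -> 'contoso.com/Sales/Jane Doe'."""
    pairs = parse_dn(dn)
    domain = ".".join(v for t, v in pairs if t == "DC")
    path = [v for t, v in reversed(pairs) if t != "DC"]
    return "/".join([domain] + path)

def user_principal_name(logon_name, dn):
    """'jdoe@contoso.com' from a logon name plus the DC components of the DN."""
    domain = ".".join(v for t, v in parse_dn(dn) if t == "DC")
    return f"{logon_name}@{domain}"
```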

 

Automatic Private IP Addressing

 

Automatic Private IP Addressing (APIPA) is a feature introduced with Windows 2000; it is also included in Windows XP and Windows Server 2003.

 

APIPA allows a computer that is configured to obtain an automatic IP address to assign itself an address from a private range should no DHCP server be available. APIPA assigns addresses in the range 169.254.0.1 through 169.254.255.255—a range reserved by Microsoft for just this purpose.

 

APIPA is really designed for small networks that don’t use a DHCP server. APIPA allows computers running Windows 2000, Windows Server 2003, or Windows XP to plug into a network and recognize one another with little configuration necessary. If your network uses a DHCP server and you see that a client has been assigned an address in the APIPA range, it means the client could not locate a DHCP server.

 

 

Active Directory is Microsoft’s implementation of a directory service. A directory service holds information about resources within the domain. Resources are stored as objects and include users, computers, groups, printers, and more.

In Windows Server 2008, five different server roles support Active Directory:

 

> Active Directory Domain Services

> Active Directory Certificate Services

> Active Directory Federation Services

> Active Directory Lightweight Directory Services

> Active Directory Rights Management Services

 

The primary role is Active Directory Domain Services. The other roles add to the capabilities of Active Directory. Objects include users, computers, groups, and more. The Active Directory database is stored only on servers holding the role of domain controllers.

 

A significant benefit of using Active Directory Domain Services is that it enables you as an administrator to manage desktops, network servers, and applications all from a centralized location.

 


A read-only domain controller (RODC) hosts a read-only copy of the Active Directory database. This is not entirely accurate, because changes can be made to the database. However, the changes can come only from other domain controllers, and the entire database isn’t replicated; instead, only a few select objects are replicated.

 

Usually, domain controllers are considered peers where they are all equal (with a few exceptions). Any object can be added or modified on any domain controller, such as adding a user or a user changing their password. These changes are then replicated to the other domain controllers. With RODCs, however, changes to the domain controller can come only from other domain controllers. Moreover, the changes are severely restricted to only a few select objects.

 

The huge benefit of the RODC is that credentials of all users and computers in Active Directory are not replicated to the RODC. This significantly improves the security of domain controllers that are placed at remote locations.

 


Network Access Protection (NAP) is an added feature that can help protect your network from remote access clients.

Within a local area network (LAN), you can control client computers to ensure they are safe and healthy. You can use Group Policy to ensure that each client is locked down from a security perspective and that it is getting the required updates. Antivirus and spyware software can be pushed out, regularly updated, and run on clients. You can run scripts to ensure that all the corporate policies remain in place.

 

However, you can’t control a client accessing your network from a hotel or some other place. It’s entirely possible for a virus-ridden computer to connect to your network and cause significant problems. The solution is NAP, which is a set of technologies that can be used to check the health of a client. If the client is healthy, it’s allowed access to the network. If unhealthy, it’s quarantined and allowed access only to remediation servers that can be used to bring the client into compliance with the requirements. Health policies are determined and set by the administrator.

 

Suppose that in your network you use Windows Software Update Services (WSUS) to approve and install the updates on clients. Since the VPN client isn’t in the network, it might not have the required updates. The client would be quarantined, and a WSUS server could be used as a remediation server to push the updates to the client. Once the updates are installed, the client could be rechecked, issued a health certificate, and then granted access to the network.