Chapter 11, Microsoft Windows 2000 Security
Chapter 11, Lesson 1
Public Key Infrastructure
1. Security Properties
A. Authentication is the process of reliably
determining the genuine identity of the communicating computer or user.
1. Based on cryptography
2. Ensures that an attacker eavesdropping on
the network cannot gain the information needed to impersonate a valid user or
identity
B. Integrity is the correctness of data as it
was originally sent.
C. Confidentiality ensures that data is disclosed
only to intended recipients.
D. Anti-replay ensures that a datagram captured on the network cannot be
retransmitted later and accepted a second time.
2. Cryptography
A. Cryptography is a set of mathematical
techniques for encrypting and decrypting data so it can be transmitted securely
and not be interpreted by unauthorized parties.
B. Cryptography uses keys in conjunction with
algorithms to secure data.
C. The algorithm provides the infrastructure
in which the key is applied.
D. A number of well-known cryptographic
algorithms support security operations.
1. Rivest, Shamir, Adleman (RSA)
2. Digital Signature Standard (DSA)
3. Diffie-Hellman
4. Hash Message Authentication Code (HMAC)
5. HMAC-Message Digest function 5 (MD5)
6. HMAC-Secure Hash Algorithm (SHA)
7. Data Encryption Standard-Cipher Block
Chaining (DES-CBC)
E. Microsoft Windows 2000 supports public key
cryptography.
1. Overview
a. Public key cryptography is an asymmetric
scheme that uses a pair of keys for encryption.
b. To use public key encryption, an object
must generate a public and a private key pair.
c. Objects obtain public keys in one of two
ways.
(1) The owner of the private key sends the
receiver the matching public key.
(2) The receiver obtains the key from a
directory service.
2. Data encryption
a. Data encryption provides confidentiality
by ensuring that only the intended recipient is able to decrypt and view the
original data.
b. When secure data must be transmitted, the
sender obtains the recipient’s public key.
3. Digital message signing
a. Digital signing provides authentication
and integrity but does not provide confidentiality.
b. Digital signing allows a recipient to be
certain of the identity of the sender and verifies that the content has not
been modified during transit.
c. When a sender signs a message, a message
digest is created.
d. A message digest is a representation of
the message and is similar to a cyclic redundancy check.
e. Authentication is provided through the key
pair.
F. A secret key is used in much the same way
as a public key.
1. Overview
a. There is only one key that provides
security.
b. Secret keys are generally used only for a
particular session or for a short period of time.
c. In order to get the shared secret key to
both parties, there must exist a mechanism for doing so without compromising
security.
2. Secret key exchange
a. A common solution to providing the secret
key to both parties is to use public keys, which make it possible to encrypt
the secret key as it is sent across the network.
b. Public keys ensure confidentiality,
authentication, and integrity.
3. Data encryption
a. The data must be encrypted by using the
shared secret key.
b. The sender encrypts the data with the
shared secret key, and the receiver decrypts the data with the shared secret
key.
3. Certificates
A. Introduction to certificates
1. Public key encryption assumes that the
identity of the key pair owner is established beyond doubt.
2. A digital certificate is a set of data
that completely identifies an entity.
3. When the sender of a message signs the
message with a private key, the recipient of the message can use the sender’s
public key to verify that the sender is legitimate.
B. X.509
1. The term X.509 refers to the ITU-T
standard for certificate syntax and format.
2. The Windows 2000 certificate-based
processes use the X.509 standard.
3. At a minimum, certificates should
contain the following attributes.
a. Version
b. Serial number
c. Signature algorithm ID
d. Issuer name
e. Validity period
f. Subject (user) name
g. Subject public key information
h. Issuer unique identifier
i. Subject unique identifier
j. Extensions
k. Signature on the above fields
C. Certificate revocation lists (CRLs)
1. Certificates can expire and become
invalid.
2. The Certificate Authority (CA) can revoke
a certificate for any reason.
3. The CA maintains a CRL.
D. CA hierarchy
1. CAs can certify other CAs.
2. The chaining of CAs provides several
benefits.
a. Flexibility
b. Distributed administration
c. Different security policies
3. The CA at the top of the chain is
referred to as the root CA.
4. Microsoft Certificate Services
A. Overview of Certificate Services
1. Enables an organization to manage the
issuance, renewal, and revocation of digital certificates
2. Allows an organization to control the
policies associated with issuing, managing, and revoking certificates
3. Logs all transactions
B. Certificate Services features
1. Policy independence
a. In order to obtain a certificate,
requestors must meet certain criteria, which are defined in certificate
policies.
b. Policies are implemented in policy
components that can be written in Java, Microsoft Visual Basic, or Microsoft
C/C++.
2. Transport independence
a. Certificate Services can request and
distribute certificates through any transport mechanism.
b. Transport mechanisms can include HTTP,
RPC, disk file, or custom transport.
3. Adherence to standards
a. Certificate Services can perform several
services.
(1) Accept standard Public Key Cryptography
Standards (PKCS) #10 requests
(2) Support PKCS #7 cryptographically signed
data
(3) Issue X.509 version 1.0 and 3.0
certificates
b. Support for additional certificate formats
can be added to Certificate Services.
4. Key management
a. The security of a certification system
depends on the protection of private keys.
b. Certificate Services relies on Microsoft
CryptoAPI to provide key management functionality and other cryptographic
capabilities for building a secure store.
C. Certificate Services architecture
1. Server engine
a. The server engine is the core component of
Certificate Services.
b. The engine acts as a broker for all
requests, driving the flow of information between components.
2. Intermediary
a. The intermediary is the architectural component
that receives new certificate requests from clients and submits them to the
server engine.
b. The intermediary is composed of two parts.
(1) The intermediary application that performs
actions on behalf of clients
(2) The Certificate Services Client Interface
that handles communications between the intermediary application and the server
engine
3. Server database
a. The server log provides various types of
storage functions.
(1) Stores all certificates and CRLs issued by
the server
(2) Used by the server engine to store pending
revocations before they are published to the CRL
(3) Stores recent certificate requests for a
configurable period
b. The server queue maintains status
information as the server processes a certificate request.
4. Policy module
a. Contains the set of rules governing the
issuance, renewal, and revocation of certificates
b. Used to parse any supplemental information
provided within a request and set properties on the certificate
5. Extension handlers
a. Work in tandem with the policy module to
set custom extensions on a certificate
b. Act as templates for the custom extensions
that should appear in certificates
6. Exit modules
a. Exit modules publish completed
certificates and CRLs.
b. The server notifies each exit module
installed on the server whenever a certificate or CRL is published.
D. Processing certificate requests
1. Processing a certificate request
a. The certificate request is sent by the
client to an intermediary application. The intermediary application formats it
into a PKCS #10 format request and submits it to the server engine.
b. The server engine calls the policy module,
which queries request properties, decides whether or not the request is
authorized, and sets optional certificate properties.
c. If the request is approved, the server
engine takes the request and builds a complete certificate.
d. The server engine stores the completed
certificate in the certificate store and notifies the intermediary application
of the request status. If the exit module has so requested, the server engine
will notify it of a certificate issuance event. This allows the exit module to
perform further operations, such as publishing the certificate to a directory
service.
e. The intermediary gets the published
certificate from the certificate store and passes it back to the client.
2. Enrolling certificates
a. The process of obtaining a digital
certificate is called certificate enrollment.
b. The enrollment control and its forms are
accessed through the Certificate Services Enrollment Page.
E. CA certificates
1. The CA validates the identity of the
individual requesting the certificate and then signs the certificate with its
own private key.
2. A client application checks the CA
signature before accepting a certificate.
3. The CA certificate is a signature
certificate that contains a public key used to verify digital signatures.
4. A self-signed CA certificate is also
called a root certificate.
5. CA certificates can be distributed and
installed.
a. The CA certificate does not require
issuance upon demand.
b. The CA certificate is created once and
then made readily available to all servers or clients who request certificates
from the CA.
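The signing, certificate, CRL and CA-chain material above (Lesson 1, sections 2.E.3, 3.B through 3.D and 4.E) as one worked example in Python. This is an added illustration, not code from the course or from Windows 2000 Certificate Services; it assumes a toy RSA over fixed Mersenne primes (trivially factorable, for demonstration only), canonical JSON as a stand-in for DER, and ISO date strings for validity periods.

```python
import hashlib
import json

E = 65537  # public exponent; the toy RSA below uses fixed Mersenne primes and is NOT secure

def toy_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def digest(fields):
    # Canonical encoding of the signed fields, then a message digest (SHA-256).
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, fields):
    n, d = priv
    return pow(digest(fields), d, n)

def verify(pub, fields, sig):
    n, e = pub
    return pow(sig, e, n) == digest(fields)

def make_cert(subject, subject_pub, issuer, issuer_priv, serial, not_before, not_after, is_ca):
    # The to-be-signed part carries the X.509 fields listed in the outline; the issuer's
    # signature covers all of them, so changing any field invalidates the certificate.
    tbs = {"version": 3, "serial": serial, "sig_alg": "toy-rsa-sha256", "issuer": issuer,
           "not_before": not_before, "not_after": not_after, "subject": subject,
           "subject_pub": list(subject_pub), "extensions": {"basic_constraints_ca": is_ca}}
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs)}

def make_crl(issuer, issuer_priv, revoked_serials, this_update, next_update):
    body = {"issuer": issuer, "revoked": sorted(revoked_serials),
            "this_update": this_update, "next_update": next_update}
    return {"body": body, "sig": sign(issuer_priv, body)}

def validate_chain(leaf, pool, trust_anchors, crls, now):
    """Walk from the leaf up to a trust anchor; return (ok, reason). Dates are ISO strings."""
    anchors = {c["tbs"]["subject"]: c for c in trust_anchors}
    candidates = {c["tbs"]["subject"]: c for c in pool}
    crl_by_issuer = {c["body"]["issuer"]: c for c in crls}
    cert = leaf
    for _ in range(8):  # bound the walk so a looping chain cannot spin forever
        tbs, name = cert["tbs"], cert["tbs"]["subject"]
        if not (tbs["not_before"] <= now < tbs["not_after"]):
            return False, f"{name}: outside validity period"
        if tbs["issuer"] == name and name not in anchors:
            return False, f"{name}: self-signed but not a trust anchor"
        issuer = anchors.get(tbs["issuer"]) or candidates.get(tbs["issuer"])
        if issuer is None:
            return False, f"{name}: issuer {tbs['issuer']} not found"
        if not issuer["tbs"]["extensions"]["basic_constraints_ca"]:
            return False, f"{tbs['issuer']}: not a CA"
        issuer_pub = tuple(issuer["tbs"]["subject_pub"])
        if not verify(issuer_pub, tbs, cert["sig"]):
            return False, f"{name}: bad signature"
        crl = crl_by_issuer.get(tbs["issuer"])
        if crl is None or not verify(issuer_pub, crl["body"], crl["sig"]):
            return False, f"{tbs['issuer']}: no authentic CRL available"
        if now >= crl["body"]["next_update"]:
            return False, f"{tbs['issuer']}: CRL is stale"
        if tbs["serial"] in crl["body"]["revoked"]:
            return False, f"{name}: revoked (serial {tbs['serial']})"
        if tbs["issuer"] in anchors:
            return True, f"chain ends at trusted root {tbs['issuer']}"
        cert = issuer
    return False, "chain too long"

def build_pki():
    # Constructed sample hierarchy: root CA -> subordinate CA -> user certificate.
    root_pub, root_priv = toy_keypair(2**521 - 1, 2**607 - 1)
    sub_pub, sub_priv = toy_keypair(2**1279 - 1, 2**2203 - 1)
    user_pub, _ = toy_keypair(2**2281 - 1, 2**3217 - 1)
    root = make_cert("Root CA", root_pub, "Root CA", root_priv, 1, "2000-01-01", "2010-01-01", True)
    sub = make_cert("Sub CA", sub_pub, "Root CA", root_priv, 2, "2000-01-01", "2005-01-01", True)
    user = make_cert("alice", user_pub, "Sub CA", sub_priv, 3, "2000-01-01", "2001-01-01", False)
    crls = [make_crl("Root CA", root_priv, [], "2000-06-01", "2000-07-01"),
            make_crl("Sub CA", sub_priv, [], "2000-06-01", "2000-07-01")]
    return root, sub, user, crls, sub_priv

def run_checks():
    root, sub, user, crls, sub_priv = build_pki()
    args = ([sub], [root], crls)
    tampered = {"tbs": dict(user["tbs"], subject="mallory"), "sig": user["sig"]}
    revoking = [crls[0], make_crl("Sub CA", sub_priv, [3], "2000-06-01", "2000-07-01")]
    return {
        "valid": validate_chain(user, *args, "2000-06-15"),
        "expired": validate_chain(user, *args, "2001-03-01"),
        "stale_crl": validate_chain(user, *args, "2000-08-01"),
        "tampered": validate_chain(tampered, *args, "2000-06-15"),
        "revoked": validate_chain(user, [sub], [root], revoking, "2000-06-15"),
        "untrusted_root": validate_chain(user, [sub, root], [], crls, "2000-06-15"),
    }
```

Note that a missing or stale CRL fails the chain rather than silently passing it, which is the choice a relying party has to make explicitly.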
F. Installing Certificate Services
1. You can install Certificate Services by
using Add/Remove Programs in Control Panel.
2. Certificate Services supports four
Certificate Authority types.
a. Enterprise root CA
b. Enterprise subordinate CA
c. Stand-alone root CA
d. Stand-alone subordinate CA
3. You must supply information about the
initial CA that is created when you install Certificate Services.
4. The advanced configuration contains
options for the type of cryptography algorithms to be used for the CA that you
are creating.
G. Administering Certificate Services
1. The main tool used to administer
Certificate Services is the Certification Authority snap-in, which allows you
to perform a number of tasks.
2. You can use the Certification Authority
snap-in to administer a certification authority on the local computer or on
another computer.
3. Certutil.exe is a command-line utility
used for administering Certificate Services.
4. To set security for the CA Web pages, use
the Internet Information Services snap-in.
Chapter 11, Lesson 2
Public Key Technologies
1. Secure Channel (SChannel) Authentication Package
A. An SChannel authentication package is
located below the Security Support Provider Interface (SSPI).
B. SChannel implements the Secure Sockets
Layer (SSL) 3.0 protocol and the Transport Layer Security (TLS) 1.0 protocol.
C. TLS is based on SSL and moves forward as
the Internet Engineering Task Force (IETF) standard.
D. SSL and TLS provide secure data
communication through data encryption and decryption.
E. SSL and TLS
include several benefits.
1. Authentication that assures the client
that data is sent to the correct server and that the server is secure
2. Encryption that assures that nothing
other than the secure target server can read the data
3. Data integrity that assures that the
transferred data has not been altered
2. Smart Cards
A. Smart cards can be used to store a user’s
public key, private key, and certificate.
B. To use a smart card, a computer must have
a smart card reader.
C. A smart card contains an embedded
microprocessor, a cryptography coprocessor, and local storage that includes
1. 6 to 24 KB ROM for the smart card
operating system and applications
2. 128 to 512 bytes of RAM for run-time data
3. 1 to 16 KB EEPROM for user data
D. Windows 2000 supports PK-based smart card
logon as an alternative to passwords for domain authentication.
1. The authentication process makes use of
the PKINIT protocol.
2. The system recognizes a smart card
insertion event as an alternative to the standard Ctrl+Alt+Delete secure
attention sequence.
3. Authenticode
A. Ensures accountability and authenticity
for software components on the Internet
B. Verifies that the software hasn’t been
tampered with and identifies the publisher of the software
C. Allows software publishers to digitally
sign any form of active content
4. Encrypting File System (EFS)
A. Overview of EFS
1. EFS is an extension of NTFS that provides
strong data protection and encryption for files and folders.
2. The encryption technology is based on use
of public keys and runs as an integrated system service.
3. The encrypting user’s public key is used
in the encryption process.
4. Encryption and decryption are done
transparently during the I/O process.
5. EFS supports encryption and decryption of
files stored on remote NTFS volumes.
B. Data protection
1. EFS uses a combination of the user’s
public key and private keys as well as a file encryption key.
2. Windows 2000 uses the Data Encryption
Standard X (DESX) algorithm to encrypt files.
C. Data recovery
1. The Encrypted Data Recovery Policy is
used to specify who can recover data in case a user’s private key is lost.
2. For security, recovery is limited to the
encrypted data; it is not possible to recover users’ keys.
D. Encrypted backup and restoration
1. Members of the Backup Operators group do
not have the keys necessary for decryption.
2. Encrypted data is read and stored in the
backup as an opaque stream of data.
E. Fault tolerance
1. The processes of encryption and
decryption are automatic and transparent to users and applications.
2. You can encrypt a file or folder in
Windows Explorer and from the command prompt.
F. EFS encryption
1. The EFS service opens the file for
exclusive access.
2. All data streams in the file are copied
to a temporary file.
3. A file key is randomly generated and used
to encrypt the file according to the DES encryption scheme.
4. A Data Decryption Field (DDF) is created
that contains the file key, which is encrypted with the user’s public key.
5. A Data Recovery Field (DRF) is created
that contains the file key, this time encrypted with the recovery agent’s
public key. The recovery agent’s public key is obtained from the Encrypted Data
Recovery Policy (EDRP).
6. The EFS server writes the encrypted data,
along with the DDF and DRF, back to the file.
G. EFS decryption
1. When an application accesses an encrypted
file, NTFS recognizes the file as encrypted and sends a request to the EFS
driver.
2. The EFS driver retrieves the DDF and
passes it to the EFS service.
3. The EFS service decrypts the DDF with the
user’s private key to obtain the file key.
4. The EFS service passes the file key back
to the EFS driver.
5. The EFS driver uses the file key to
decrypt the file.
6. The EFS driver returns the decrypted data
to NTFS, which then completes the file request, and sends the data to the
requesting application.
H. EFS recovery
1. NTFS sends a request to the EFS driver.
2. The EFS driver retrieves the DRF and
passes it to the EFS service.
3. The EFS service recovers the DRF by using
the recovery agent’s private key to obtain the file key.
4. The EFS service passes the file key back
to the EFS driver.
5. The EFS driver uses the file key to
recover the file.
6. The EFS driver returns the recovered data
to NTFS, which then completes the file request, and sends the data to the
requesting application.
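Sections F through H above (the file key, the DDF and the DRF) as an added Python example that is not part of the course material or of EFS itself. It assumes a toy RSA over fixed Mersenne primes for the user's and the recovery agent's key pairs and a SHA-256 keystream in place of DESX; the point it shows is that the recovery agent gets the file key from the DRF, and so the data, without ever holding the user's private key, and that a backup operator handles only opaque ciphertext.

```python
import hashlib
import os

E = 65537  # toy RSA on fixed Mersenne primes: trivially breakable, for illustration only

def toy_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def wrap_key(pub, fek):
    # Encrypts the 16-byte file encryption key under a public key (DDF or DRF content).
    n, e = pub
    return pow(int.from_bytes(fek, "big"), e, n)

def unwrap_key(priv, wrapped):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(16, "big")

def stream_xor(fek, data):
    # Stand-in for DESX: a SHA-256 keystream XORed with the data (not a real cipher).
    stream = b"".join(hashlib.sha256(fek + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def efs_encrypt(plaintext, user_pub, agent_pub):
    """Random file key, encrypt the data, then wrap the key twice: DDF for the user,
    DRF for the recovery agent named in the recovery policy."""
    fek = os.urandom(16)
    return {"data": stream_xor(fek, plaintext),
            "ddf": wrap_key(user_pub, fek),
            "drf": wrap_key(agent_pub, fek)}

def efs_decrypt(encrypted, user_priv):
    # Normal access: the user's private key unwraps the file key from the DDF.
    return stream_xor(unwrap_key(user_priv, encrypted["ddf"]), encrypted["data"])

def efs_recover(encrypted, agent_priv):
    # Recovery: the agent's private key unwraps the same file key from the DRF.
    return stream_xor(unwrap_key(agent_priv, encrypted["drf"]), encrypted["data"])

def backup_stream(encrypted):
    # What a Backup Operator handles: the encrypted stream with its DDF and DRF, no keys.
    return encrypted["data"], encrypted["ddf"], encrypted["drf"]

def demo():
    user_pub, user_priv = toy_keypair(2**521 - 1, 2**607 - 1)
    agent_pub, agent_priv = toy_keypair(2**1279 - 1, 2**2203 - 1)
    secret = b"quarterly payroll figures"  # constructed sample file content
    enc = efs_encrypt(secret, user_pub, agent_pub)
    return {
        "user_reads": efs_decrypt(enc, user_priv) == secret,
        "agent_recovers": efs_recover(enc, agent_priv) == secret,
        # Recovery yields only the file key, never the user's private key.
        "same_file_key": unwrap_key(agent_priv, enc["drf"]) == unwrap_key(user_priv, enc["ddf"]),
        "backup_sees_plaintext": secret in backup_stream(enc)[0],
    }
```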
I. Cipher command-line utility
1. The cipher command-line utility allows
you to encrypt and decrypt files from a command prompt.
2. The cipher command includes a number of
parameters.
5. IP Security (IPSec)
A. Overview of IPSec
1. IPSec protects sensitive data on a TCP/IP
network.
2. The computer initiating communication
transparently encrypts the data by using IPSec.
3. The destination computer transparently
decrypts the data before passing it to the destination process.
4. IPSec ensures that any TCP/IP-based
communication is secure from network eavesdropping.
B. IPSec policies
1. Negotiation policies
a. Negotiation policies determine the
security services used during network communication.
b. You can set multiple security methods for
each negotiation policy.
2. IP filters
a. IP filters direct actions based on the
destination of an IP packet, what protocol is in effect, and the related ports
that the protocol uses.
b. Each IP packet is checked against the IP
filter.
3. Security policies
a. Security policies are used to configure
IPSec attributes.
b. A computer logging on to a domain
automatically obtains the properties of the default domain and local policies,
including the IPSec policy.
C. IPSec components
1. IPSec Policy Agent service
2. ISAKMP/Oakley (IKE) protocols
3. IPSec driver
D. Example of IPSec communication
1. User 1 launches an application that
communicates on the network by using TCP/IP to send data to User 2. The
security policies assigned to Computer A and Computer B determine the level of
security for the network communication.
2. The IPSec Policy Agent service retrieves
the policies and passes them to the ISAKMP/Oakley (IKE) protocols and IPSec
driver.
3. The ISAKMP/Oakley (IKE) protocols on each
computer use the negotiation policies associated with the assigned security
policy to establish the key and a common negotiation method, or Security
Association (SA). The results of the policy negotiation are passed between the
two computers to the IPSec driver, which uses the key to encrypt the data.
4. Finally, the IPSec driver sends the
encrypted data to Computer B. The IPSec driver on Computer B decrypts the data
and passes it on to the receiving application.
Chapter 11, Lesson 3
The Kerberos Protocol in Windows 2000
1. Overview of the Kerberos Protocol
A. Introduction
1. Kerberos is the default authentication
provider in Windows 2000 and the primary security protocol.
2. Kerberos verifies the identity of the
user and the integrity of the session data.
3. Kerberos operates as a trusted third
party to generate session keys and grant tickets for specific client/server
sessions.
4. When the Kerberos service issues a
ticket, it contains a number of components.
a. Session key
b. Name of the user to whom the session key
was issued
c. Expiration period of the ticket
d. Any additional data fields or settings
that may be required
5. The expiration period of a ticket is
defined by the domain policy.
B. Kerberos protocol terms
1. A principal is a uniquely named user, client, or server that participates in a network
communication.
2. A realm is an authentication boundary, which can be compared to a Windows 2000 domain.
3. A secret key is an encryption key that is shared by a client or a server and a
trusted third party to encrypt the information that is to be moved between
them. In the case of Kerberos, the trusted third party is the Kerberos service.
4. The session key is a temporary encryption key used between two principals, with a
lifetime limited to the duration of a single login session.
5. An authenticator is a record that is used to verify that a request originated from the
expected principal.
6. The key distribution center (KDC) provides two functions: the authentication server
(AS) and the ticket granting service (TGS). The TGS distributes tickets to
clients that wish to connect to services on the network.
7. The privilege attribute certificate (PAC) is a structure that contains the user’s
security identifier (SID).
8. A ticket is a record that allows a client to authenticate itself to a server; it is
simply a certificate issued by the Kerberos service. The ticket will be
encrypted so that only the target server will be able to decrypt and read it.
9. A ticket granting ticket (TGT) is a request for a ticket and a random session key to
be used with the TGS portion of the Kerberos service. After obtaining the
ticket, the user can contact a service at any time; the requested ticket does
not come from the AS, but from the TGS.
C. Features of the Kerberos protocol
1. Kerberos supports a mature open standard.
a. The Windows 2000 implementation of
Kerberos can interoperate with other implementations of Kerberos, such as UNIX.
b. Windows 2000 Kerberos attempts to match
the principal name in the ticket either to a Windows 2000 user account or to a
default account created for this purpose.
2. Kerberos provides faster connection
authentication.
a. When using Kerberos, servers do not need
to do pass-through authentication.
b. A Windows 2000 Server computer can verify
the client credentials by using the client-supplied ticket, without having to
query the Kerberos service.
3. Kerberos provides mutual authentication.
a. Kerberos provides mutual authentication of
both the client and the server.
b. Mutual authentication of both client and
server is an important foundation for secure networks.
4. Delegation of authentication allows users
to connect to an application server, which in turn can connect to additional
servers by using the client’s credentials.
5. Authentication credentials issued by one
Kerberos service are accepted by all Kerberos services within the domain, which
is known as a transitive trust relationship.
D. Kerberos authentication process
1. The client sends an initial AS request to
the AS portion of the Kerberos service.
2. The Kerberos service generates an AS
reply and sends it to the client.
3. The client generates and sends a TGS
request that contains the client’s and target server’s principal names, realms,
and the TGT that identifies the client.
4. The TGS portion of the Kerberos service
generates and sends a TGS reply to the client.
5. The client then extracts the session key
for the target server and generates a request for the server.
6. The target server decrypts the ticket by
using its secret key to obtain the session key.
E. Kerberos delegation
1. The client requests and receives a ticket
for target Server A from the Kerberos service.
2. The client sends the ticket directly to
Server A.
3. Server A sends a request, impersonating
the client, to the Kerberos service for a ticket for target Server B. The
Kerberos service responds with a ticket that allows the client to access Server
B.
4. Server A can then send the ticket to
Server B, accessing Server B as the client.
2. Kerberos Logon Processes
A. Local interactive logon
1. When the Graphical Identification and Authentication
DLL (GINA) receives the logon request, it forwards the request to the Local
Security Authority (LSA). This request specifies Kerberos as the authentication
package to use because this is the default package in Windows 2000.
2. LSA processes the request and sends it to
the Kerberos authentication package.
3. When Kerberos receives the logon request,
it returns an error because Kerberos is used only when authenticating logon
requests for domain user accounts, not local user accounts.
4. LSA receives the error and returns an
error to the GINA.
5. The GINA resubmits the logon request to
LSA specifying the “MSV1_0” authentication package. The logon process then
occurs as it would for a local interactive logon under Windows NT 4.0.
B. Domain interactive logon
1. When the logon request reaches the LSA,
the LSA passes the request to the Kerberos authentication package. The client
sends an initial AS request to the Kerberos service, providing the user name
and domain name.
2. The Kerberos service generates an AS
reply containing a TGT (encrypted with the Kerberos secret key) and a session
key for the TGS exchanges (encrypted with the client’s secret key). This
response is sent back to the client.
3. The client then generates and sends a TGS
request containing the client’s principal name and realm, the TGT to identify
the client, and the local workstation name as the target server.
4. The Kerberos service generates and sends
a TGS reply. This reply contains a ticket for the workstation and other information,
including the session key (encrypted by using the session key from the TGT).
5. The Kerberos authentication package
returns the list of SIDs to the LSA.
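The exchanges in section D of part 1 and section B of part 2 above (AS request and reply, TGS request and reply, then the ticket presented to the target server) as an added Python example that is not part of the course or of the Windows 2000 Kerberos implementation. It assumes a SHA-256/HMAC construction standing in for the Kerberos cipher, SHA-256 of the password as the string-to-key function, and an integer clock in seconds; the KDC, a client and an application server run in one process, and ticket expiry, a replayed authenticator, a wrong password and a ticket not sealed under the server's key are all rejected.

```python
import hashlib
import hmac
import json
import os

def enc(key, obj):
    # Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for the
    # Kerberos cipher so the example runs on the standard library alone. Not for real use.
    nonce, data = os.urandom(8), json.dumps(obj).encode()
    stream = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def dec(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    stream = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                      for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

def check(ticket, authenticator, now, skew=300):
    # Checks shared by the TGS and by application servers: ticket lifetime, then an
    # authenticator sealed under the ticket's session key naming the same client, recent.
    if now >= ticket["expires"]:
        raise ValueError("ticket expired")
    auth = dec(bytes.fromhex(ticket["key"]), authenticator)
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > skew:
        raise ValueError("authenticator does not match ticket")
    return auth

class KDC:  # authentication server (AS) and ticket-granting service (TGS) in one
    def __init__(self, principals, lifetime=600):
        self.keys = principals          # principal name -> long-term secret key
        self.lifetime = lifetime
        self.tgs_key = os.urandom(32)   # key that seals TGTs; known only to the KDC

    def as_exchange(self, client, now):
        # AS reply: TGT sealed under the KDC key, session key sealed under the client's key.
        sk, exp = os.urandom(32).hex(), now + self.lifetime
        tgt = enc(self.tgs_key, {"client": client, "key": sk, "expires": exp})
        return enc(self.keys[client], {"key": sk, "expires": exp}), tgt

    def tgs_exchange(self, tgt, authenticator, server, now):
        # TGS reply: service ticket sealed under the server's key, plus its session key.
        t = dec(self.tgs_key, tgt)
        check(t, authenticator, now)
        sk, exp = os.urandom(32).hex(), now + self.lifetime
        ticket = enc(self.keys[server], {"client": t["client"], "key": sk, "expires": exp})
        return enc(bytes.fromhex(t["key"]), {"key": sk, "server": server}), ticket

class Server:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def accept(self, ticket, authenticator, now):
        # Unseal the ticket with the server's own key; replay cache keyed on (client, time).
        t = dec(self.key, ticket)
        auth = check(t, authenticator, now)
        if (auth["client"], auth["time"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["time"]))
        return t["client"]

def client_login(kdc, server_name, user, password, now):
    """Client side of the AS, TGS and AP exchanges; returns ticket, authenticator, key."""
    k = hashlib.sha256(password.encode()).digest()  # stand-in for string-to-key
    reply, tgt = kdc.as_exchange(user, now)
    sess = bytes.fromhex(dec(k, reply)["key"])  # a wrong password fails here
    authenticator = enc(sess, {"client": user, "time": now})
    reply2, ticket = kdc.tgs_exchange(tgt, authenticator, server_name, now)
    svc = bytes.fromhex(dec(sess, reply2)["key"])
    return ticket, enc(svc, {"client": user, "time": now}), svc

def attempt(fn):
    try:
        fn()
        return "accepted"
    except ValueError as e:
        return str(e)

def run_scenarios():
    now = 1_000_000  # constructed clock, in seconds
    alice_key = hashlib.sha256(b"correct horse").digest()
    kdc = KDC({"alice": alice_key, "fileserver": os.urandom(32)})
    server = Server(kdc.keys["fileserver"])
    ticket, auth, svc = client_login(kdc, "fileserver", "alice", "correct horse", now)
    return {
        "login": server.accept(ticket, auth, now),
        "replay": attempt(lambda: server.accept(ticket, auth, now)),
        "wrong_password": attempt(lambda: client_login(kdc, "fileserver", "alice", "wrong", now)),
        "expired": attempt(lambda: server.accept(
            ticket, enc(svc, {"client": "alice", "time": now + 700}), now + 700)),
        "forged_ticket": attempt(lambda: server.accept(
            enc(os.urandom(32), {"client": "alice", "key": svc.hex(), "expires": now + 600}),
            enc(svc, {"client": "alice", "time": now + 1}), now + 1)),
    }
```

The server never contacts the KDC in `accept`: possession of its own long-term key is enough to unseal the ticket, which is the point made in section C.2 above.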
Chapter 11, Lesson 4
Security Configuration Tools
1. Security Configuration and Analysis Snap-In
A. Security configuration
1. The Security Configuration and Analysis
snap-in can be used to directly configure local system security.
2. You can import security templates and
apply them to the group policy object (GPO) for the local computer.
B. Security analysis
1. The state of the operating system and
applications is dynamic.
2. Regular analysis enables an administrator
to track and ensure an adequate level of security.
3. The Security Configuration and Analysis
snap-in enables quick review of security analysis results.
4. You can use the Secedit command-line
utility to analyze a large number of computers.
C. Using the Security Configuration and Analysis snap-in
1. The Security Configuration and Analysis
snap-in reviews and analyzes your system settings and recommends modifications
to the current system settings.
2. The Security Configuration and Analysis
snap-in allows you to perform a variety of tasks.
a. Set a working database
b. Import a security template
c. Analyze system security
d. Review security analysis results
e. Configure system security
f. Edit the base security configuration
g. Export a security template
2. Security Templates Snap-In
A. A security template is a physical
representation of a security configuration.
B. The security template is a file in which a
group of security settings may be stored.
C. Using the Security Templates snap-in
1. The Security Templates snap-in allows you
to create and assign security templates for one or more computers.
2. The template is a physical file
representation of a security configuration.
3. When you import a security template to a
GPO, Group Policy processes the template and makes the corresponding changes to
the members of that GPO.
4. The Security Templates snap-in allows you
to perform a variety of tasks.
a. Customize a predefined security template
b. Define a security template
c. Delete a security template
d. Refresh the security template list
e. Set a description for a security template
3. Group Policy Snap-In
A. Through the use of GPOs in Active
Directory services, administrators can centrally apply the security levels
required to protect enterprise systems.
B. The Group Policy snap-in allows you to
configure security centrally in the Active Directory store.
C. The security settings allow group policy
administrators to set policies.
Chapter 11, Lesson 5
Windows 2000 Auditing
1. Overview of Windows 2000 Auditing
A. Auditing is the process of tracking both
user activities and Windows 2000 activities on a computer.
B. An audit entry in the Security log
contains several types of information.
1. The action that was performed
2. The user who performed the action
3. The success or failure of the event and
when the event occurred
C. You can use an audit policy to define
security events.
1. An audit policy defines the types of
security events that Windows 2000 records in the security log on each computer.
2. Windows 2000 writes events to the
security log on the computer where the event occurs.
3. You can set up an audit policy for a
computer to perform a couple of tasks.
a. Track the success and failure of events,
such as logon attempts by users, an attempt by a particular user to read a
specific file, changes to a user account or to group memberships, and changes
to your security settings.
b. Eliminate or minimize the risk of
unauthorized use of resources.
4. You can use Event Viewer to view events
that Windows 2000 has recorded in the Security log.
2. Planning an Audit Policy
A. When you plan an audit policy, you must
determine the computers on which to set up auditing.
B. Auditing is turned off by default.
C. You can audit a number of events.
1. Access to files and folders
2. Users logging on and off
3. Shutting down and restarting a computer
running Windows 2000 Server
4. Changes to user accounts and groups
5. Attempts to make changes to Active
Directory objects
D. After you have determined the types of
events to audit, you must determine whether to audit the successes and failures
of events.
E. Follow the recommended guidelines when
determining an audit policy.
1. Determine if you need to track trends of
system usage. If so, plan to archive event logs.
2. Review security logs frequently. You
should set a schedule and regularly review security logs because configuring
auditing alone does not alert you to security breaches.
3. Define an audit policy that is useful and
manageable. Always audit sensitive and confidential data. Audit only those
events that will provide you with meaningful information about your network
environment.
4. Audit resource access by the Everyone
group instead of the Users group.
3. Implementing an Audit Policy
A. Configuring auditing
1. You can implement an audit policy based
on the role of the computer in the Windows 2000 network.
a. For member or stand-alone servers or
computers running Windows 2000 Professional, an audit policy is set for each
individual computer.
b. For domain controllers, an audit policy is
set for all domain controllers in the domain.
2. You must follow specific requirements to
set up auditing.
a. You must have the Manage Auditing and
Security Log permission for the computer where you want to configure an audit
policy or review an audit log.
b. The files and folders to be audited must
be on NTFS volumes.
3. Setting up auditing is a two-part
process.
a. The audit policy enables auditing of objects but does not activate auditing of
specific objects.
b. You identify the specific events to audit
for files, folders, printers, and Active Directory objects. Windows 2000 then
tracks and logs the specified events.
B. Setting an audit policy
1. The first step in implementing an audit
policy is selecting the types of events that Windows 2000 audits.
2. Windows 2000 can audit several types of
events.
3. To set an audit policy on a computer that
is not a domain controller, create a custom MMC console and add the Group
Policy snap-in.
4. Changes that you make to your computer’s
audit policy take effect when certain events occur.
a. You initiate policy propagation by using
the secedit command.
b. You restart your computer.
c. Policy propagation occurs.
C. Auditing access to files and folders
1. You can set up auditing for files and
folders on NTFS partitions.
2. Once you set up an audit policy, you
enable auditing for specific files and folders and specify which types of
access, by which types of users or groups, to audit.
D. Auditing access to Active Directory objects
1. You must configure an audit policy and
then set auditing for specific objects.
2. To enable auditing of access to Active
Directory objects, enable the appropriate policy in the Group Policy snap-in.
3. To enable auditing for specific Active
Directory objects, use the Active Directory Users and Computers snap-in.
E. Auditing access to printers
1. Enable the Audit Object Access policy,
and then enable auditing for the specific printer.
2. You can set up auditing on a printer in
the properties for that printer.
4. Using Event Viewer
A. Using Windows 2000 logs
1. Application log
2. Security log
3. System log
B. Viewing the Security log
1. The Security log contains information
about events that are monitored by an audit policy.
2. You can view the Security log in the Event
Viewer snap-in.
3. Successful events appear with a key icon,
and unsuccessful events appear with a lock icon.
4. Windows 2000 records events in the
Security log on the computer where the event occurred.
C. Locating events
1. When you first start Event Viewer, it
automatically displays all events that are recorded in the selected log.
2. You can use the Find command to search
for specific events.
D. Managing audit logs
1. You can archive event logs and compare
logs from different periods.
2. You can configure the properties of
individual audit logs.
E. Archiving logs
1. Archiving Security logs allows you to
maintain a history of security-related events.
2. You can use Event Viewer to save a log
file, clear all events, or open a log file.