
TechNet
Q2 FY06 Content

ITPROADD-04
New Features of Microsoft® Windows® Server™
2003 Active Directory® - Feature Based


Level 200

Demo Script
Microsoft Confidential
– Microsoft Internal Use Only

CONTENTS

BEFORE YOU BEGIN ... 1
DEMO 1: RAISING FUNCTIONAL LEVELS ... 2
  RAISING DOMAIN AND FOREST FUNCTIONAL LEVELS ... 2
DEMO 2: CREATING A DOMAIN CONTROLLER FROM BACKUP MEDIA ... 4
  CREATING A DOMAIN CONTROLLER FROM BACKUP MEDIA ... 4
DEMO 3: ACTIVE DIRECTORY ADMINISTRATION ... 7
  USING NEW COMMAND LINE TOOLS ... 7
  DRAG AND DROP MANAGEMENT ... 10
  USING SAVED QUERIES ... 11
DEMO 4: USING REPLICATION FEATURES ... 13
  UNIVERSAL GROUP MEMBERSHIP CACHING ... 13
DEMO 5: USING GROUP POLICY MANAGEMENT ... 14
  USING GROUP POLICY MANAGEMENT ... 14
  USING GROUP POLICY MODELING ... 15
DEMO 6: USING SOFTWARE RESTRICTION POLICIES ... 17
  CREATING SOFTWARE RESTRICTION POLICIES ... 17
  CREATING A PATH RULE ... 18
DEMO 7: USING GROUP POLICY RESTRICTIONS AND REPORTING ... 20
  IMPLEMENTING DESKTOP GROUP POLICY ... 20
  USING GPMC REPORTING ... 21
DEMO 8: USING THE SECURITY CONFIGURATION WIZARD ... 24
  RUNNING THE SECURITY CONFIGURATION WIZARD ... 24



TechNet Field Event Content                                                         i                                                                              ITPROADD-04
Microsoft Confidential
– Microsoft Internal Use Only

Before you begin
1. The password for the images is P@ssw0rd.
2. Turn on LON-DC-01 and LON-DC-02.
3. Log onto LON-DC-01 as CONTOSO\Administrator.
4. Log onto LON-DC-02 as LON-DC-02\Administrator.





Demo 1: Raising Functional Levels
This demonstration will show how to configure Domain and Forest functional levels.



Raising Domain and Forest Functional Levels

Speaker Script

You can use Active Directory Users and Computers to raise the domain functional level. For a new installation or an upgrade from Windows NT 4.0, the default domain functional level is Windows® 2000 mixed. It can be raised to Windows 2000 native or to the highest level, Windows Server™ 2003.

If you upgrade from a Windows 2000 domain controller, the functional level will match the domain mode of the upgraded domain, either Windows 2000 mixed or Windows 2000 native.

Once you have raised the functional level for a domain or forest, you cannot revert to a lower functional level. Make sure that your organization is fully prepared for each domain and forest functional level increase.

You can also raise domain levels using the Active Directory Domains and Trusts tool.

This tool is also used to raise the forest functional level. By default, forests are created at the Windows 2000 functional level.

Steps

Perform these steps on LON-DC-01.

1. On the desktop, double-click Active Directory Users and Computers.
2. The Active Directory Users and Computers window appears. Maximize the window.
3. In the console tree, right-click Contoso.com and then click Raise Domain Functional Level.
4. The Raise Domain Functional Level dialog appears. Expand the Select an available functional level drop-down menu and then click Windows Server 2003.
5. Click Raise.
6. A confirmation dialog appears. Click OK.
7. A dialog appears letting you know that the functional level was successfully raised. Click OK.
8. Minimize Active Directory Users and Computers.
9. On the desktop, double-click Active Directory Domains and Trusts.
10. The Active Directory Domains and Trusts window appears. Maximize the window.
11. In the console tree, right-click Contoso.com and then point to Raise Domain Functional Level.
12. In the console tree, right-click Active Directory Domains and Trusts and then click Raise Forest Functional Level.
13. The Raise Forest Functional Level dialog appears. Point to Current forest functional level.
14. Click Raise.
15. A confirmation dialog appears. Click OK.
16. A dialog appears letting you know that the functional level was successfully raised. Click OK.
17. Close Active Directory Domains and Trusts.

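Because a functional level raise cannot be undone, a practitioner would confirm the current levels and the operating system of every domain controller from the command line before clicking Raise. The following batch file is an added example, not part of the demo script; it assumes the contoso.com domain used in this demo and reads the msDS-Behavior-Version attribute with dsquery (0 = Windows 2000 mixed or native, 1 = Windows Server 2003 interim, 2 = Windows Server 2003).

```batch
@echo off
rem check-levels.bat: added example, not from the demo script.
rem Assumes the contoso.com domain from this demo; run on a domain controller
rem as a domain administrator before raising any functional level.

set DOMAINDN=DC=contoso,DC=com

echo Current domain functional level
echo   msDS-Behavior-Version: 0 = Windows 2000 mixed/native, 1 = 2003 interim, 2 = Windows Server 2003
dsquery * "%DOMAINDN%" -scope base -attr msDS-Behavior-Version

echo.
echo Is the domain still in Windows 2000 mixed mode? nTMixedDomain: 1 = mixed, 0 = native
dsquery * "%DOMAINDN%" -scope base -attr nTMixedDomain

echo.
echo Current forest functional level, the same attribute on the Partitions container
dsquery * "CN=Partitions,CN=Configuration,%DOMAINDN%" -scope base -attr msDS-Behavior-Version

echo.
echo Domain controllers and their operating systems.
echo   Every DC must run Windows Server 2003 before the domain or forest level is raised to it.
dsquery * "OU=Domain Controllers,%DOMAINDN%" -filter "(objectClass=computer)" -attr cn operatingSystem operatingSystemVersion
```

The last query only sees computer objects in the default Domain Controllers OU; a DC whose computer object was moved elsewhere would have to be checked separately.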
Demo 2: Creating a Domain Controller From Backup Media
This demonstration will show how to create a domain controller from backup media using the DCPromo /adv switch and a backup of
system state data.



Creating a Domain Controller from Backup Media

Speaker Script

Another new feature of Windows Server 2003 makes deploying domain controllers to offices connected by a low speed WAN link much easier. This process is called creating a domain controller from replica.

To perform this procedure you must first back up the system state of an existing domain controller; this backs up the Active Directory domain database. You can then burn the data to CD or DVD and deliver it to the branch office. In this case, we are using the system state from LON-DC-01.

Instead of restoring the data to the original location, we used advanced restore options to restore the system state to an alternate location. For this demonstration it was restored to the C:\Restore folder on this server. The DCPromo /adv command allows you to use this data to create a domain controller replica.

Here we will specify that we wish to create an additional domain controller for an existing domain.

In both Windows NT® 4.0 and Windows 2000, adding a domain controller over a low speed WAN link was a slow process because the replication of the initial directory service data was considerable. This could saturate the link, taking a long time to complete.

Next, we have the option of selecting where we will copy domain information from: either the network or restored backup files. We will use restored backup files.

This data includes all Active Directory objects for the domain at the time the backup was performed. You don't have to worry if the backup is a few days old; replication will bring the new domain controller up-to-date. The bandwidth required for this will be much less than if the entire database was replicated.

We also have the option of making this new domain controller a global catalog server. A global catalog stores a subset of all Active Directory objects in a forest. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. In a large forest with many domains, global catalog databases can be significantly larger than regular domain controller databases.

It is recommended that each physical site have a Global Catalog server. However, in this scenario the branch office has a low speed link, and global catalog replication could adversely affect network performance. Later in this session, we will use a technique that will improve logon performance without making the local domain controller a GC.

Now we need to enter the domain administrator credentials.

We will continue the installation with the default settings.

Finally, we will complete the installation and restart the computer when prompted. While Active Directory is installed on the new server, let's review what we have covered.

This server is now a domain controller for the contoso.com domain.

Now we will create a new site in the domain called BranchOffice and place this server in that site. This will provide additional replication control and allow us to schedule when replication will occur between domain controllers in this site and other sites in the directory.

Since this domain controller exists at a remote branch office, we will give the site a descriptive name to reflect that. If you had multiple sites, you may wish to be even more descriptive, for example, by including the city name in which this office is located.

When you create a new site, you must manually define which site Active Directory will replicate from. In most cases, you should choose a site link that has a good connection to your new site. Since this is the second site in our domain, we only have one option.

We can easily drag and drop LON-DC-02 from the default site to the BranchOffice site.

The ability to drag and drop objects in Active Directory administration tools is also a new feature of Windows Server 2003.

Steps

Perform these steps on LON-DC-02.

1. Click Start | Run, type "DCPromo /adv" and then click OK.
2. The Active Directory Installation Wizard appears. Click Next.
3. The Operating System Compatibility page appears. Click Next.
4. The Domain Controller Type page appears. Click Additional domain controller for an existing domain and then click Next.
5. The Copying Domain Information page appears. Click From these restored backup files and then click Browse.
6. The Browse for Folder window appears. Browse to C:\Restore and then click OK.
7. Click Next.
8. The Global Catalog page appears. Point to the configuration options as you discuss them.
9. Click Next.
10. The Network Credentials page appears. For User name type "Administrator".
11. For Password type "P@ssw0rd" and then click Next.
12. The Database and Log Folders page appears. Click Next.
13. The Shared System Volume page appears. Click Next.
14. The Directory Services Restore Mode Administrator Password page appears. Enter and confirm a password of "P@ssw0rd" and then click Next.
15. The Summary page appears. Click Next.
    This process may take several minutes to complete. Return to the slide deck and display the Recap Slide.
16. The Completing the Active Directory Installation Wizard page appears. Click Finish.
17. The Active Directory Installation Wizard page appears. Click Restart Now.
18. When the logon screen appears, log on as CONTOSO\Administrator.
19. On the desktop, double-click Active Directory Sites and Services.
20. The Active Directory Sites and Services window appears. Maximize the window.
21. In the console tree, right-click Sites and then click New Site.
22. The New Object – Site dialog appears. For Name type "BranchOffice".
23. Under Link Name, click DEFAULTIPSITELINK and then click OK.
24. A completion dialog appears. Click OK.
25. In the console tree, expand Sites | Default-First-Site-Name | Servers.
26. In the console tree, expand BranchOffice.
27. Drag and drop LON-DC-02 to BranchOffice | Servers.
28. An Active Directory dialog appears. Click Yes.
29. In the console tree, under BranchOffice, click Servers.
30. In the details pane, point to LON-DC-02.
31. Close Active Directory Sites and Services.

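The demo starts from a system-state backup of LON-DC-01 that was taken and restored to C:\Restore beforehand. The following is an added example, not part of the demo script, of taking that backup from the command line and of checking the new domain controller after the wizard completes; the backup path is an assumption, and the restore to an alternate location is done in the Backup utility's GUI as the text describes, because ntbackup has no command-line restore.

```batch
@echo off
rem Added example, not part of the demo script. The backup path is an assumption.

rem 1) On LON-DC-01: back up the system state (Active Directory database, SYSVOL,
rem    registry and boot files) to a file that can be burned to CD or DVD.
rem    /J names the job in the backup log; /F is the destination .bkf file.
ntbackup backup systemstate /J "LON-DC-01 system state" /F "C:\Backup\LON-DC-01-sysstate.bkf"

rem    The backup may be a few days old, as the script says, but it must be newer
rem    than the forest's tombstone lifetime (60 days by default on Windows Server
rem    2003), or the wizard will refuse to use it.

rem 2) On LON-DC-02: restore the file to an alternate location (C:\Restore) in the
rem    Backup utility GUI, then run dcpromo /adv and choose
rem    "From these restored backup files" as in steps 1-7 above.

rem 3) After the restart, confirm that LON-DC-02 is registered as a domain
rem    controller and, once the site exists, that it sits in BranchOffice.
dsquery server -domain contoso.com
dsquery server -site BranchOffice

rem 4) Confirm that replication from the hub has caught the new DC up.
rem    repadmin and dcdiag come from the Windows Server 2003 Support Tools.
repadmin /showrepl LON-DC-02
dcdiag /s:LON-DC-02 /test:replications
```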
Demo 3: Active Directory Administration
This demonstration will show some new Active Directory features such as drag and drop functionality in Active Directory
Administration tools, as well as saved queries. We will also show how to automate common tasks using Active Directory command-
line tools.



Using New Command Line Tools

Speaker Script

Several new Active Directory command-line tools are included with Windows Server 2003. These tools replace some of the tools previously found in the Resource Kit. These tools have a consistent interface and you can use them remotely.

They allow you to add, modify, and delete Active Directory objects such as users, groups, and organizational units. With them, you can also automate repetitive tasks and perform bulk changes quickly, efficiently, and without error.

First, let's look at the dsadd tool. It allows you to add specific types of objects to Active Directory, including users, groups, and organizational units.

Here we can see the standard list of default containers, organizational units, users, and groups.

We have prepared several scripts ahead of time for this demonstration.

This script creates two organizational units as well as several users, groups, and computers, and then assigns the accounts to these new groups and OUs.

This file runs dsadd several times. The first parameter states the type of object being created. Then the LDAP path is specified. This is where the object will exist in the directory. For example OU=Marketing and Finance, contoso.com, defines the Marketing and Finance OU under the root of the domain.

You can run these commands from a batch file or from a Visual Basic script.

When we refresh the view, we can see that there are two new organizational units: Marketing and Finance, and Sales.

And here are the user and computer accounts just created in the Marketing and Finance OU. Notice that the user accounts are disabled.

Two more Active Directory command-line tools are dsget and dsquery. Dsget can be used to retrieve basic information about a single account. Dsquery is used to retrieve information about multiple accounts. One of the options you could use is the -memberof switch, which tells you what groups a user belongs to. Your Help Desk can use this feature to create reports about group membership, or to verify that users are members of the correct groups.

This is the QueryUsers.bat batch file. This file uses the dsget and dsquery tools to show which groups KimA belongs to and then show which user accounts are in the Sales and Marketing and Finance OUs. The output will be piped to a text file named UserInfo.txt.

Dsget returned the list of the groups that user KimA belongs to. Dsquery returned the list of the users in the Sales and Marketing and Finance OUs.

Let us take a closer look at one of the users that we just created.

The KimA user is not required to change her password at next logon and is currently only a member of the Domain Users group.

The dsmod command allows you to modify existing objects in the directory such as password options or group membership. You could use this to reset passwords, or add users to groups in bulk.

This script will move the specified users to the Marketing and Finance OU.

With this script, we will set the password for several users using the -pwd switch and then force the users to change their passwords at next logon using the -mustchpwd switch.

Now we will run the script to modify the password settings.

Let's go back to the Active Directory Users and Computers console and review these changes.

As you can see, this user is now required to change her password at next logon.

The user is also now a member of the Sales Users group.

Steps

Perform these steps on LON-DC-01.

1. On the desktop, double-click Command Prompt.
2. The Command Prompt window appears. Type "dsadd | more", and then press Enter.
3. Press Spacebar to scroll through the parameters as you discuss them.
4. Minimize Command Prompt.
5. Restore Active Directory Users and Computers.
6. In the console tree, select Contoso.com.
7. In the details pane, point to the list of containers and organizational units.
8. In the console tree, expand Contoso.com, and then click Users.
9. In the details pane, point to the list of users and groups.
10. Minimize Active Directory Users and Computers.
11. On the desktop, double-click AD Command Line Tools.
12. The AD Command Line Tools window appears. Maximize the window.
13. Right-click addusers.bat and then click Edit.
14. The Notepad window appears. Maximize the window.
15. Point to the list of dsadd commands.
16. Close Notepad.
17. Double-click addusers.bat.
18. Minimize the AD Command Line Tools window.
19. Restore Active Directory Users and Computers.
20. In the console tree, right-click Contoso.com, and then click Refresh.
21. In the details pane, point to Marketing and Finance and Sales.
22. In the console tree, click Marketing and Finance.
23. In the details pane, point to the list of users and computers.
24. Minimize Active Directory Users and Computers.
25. Restore Command Prompt.
26. Type "dsget /? | more" and then press Enter.
27. Press Spacebar to scroll through the parameters as you discuss them.
28. Minimize Command Prompt.
29. Restore the AD Command Line Tools window.
30. Right-click queryusers.bat, and then click Edit.
31. The Notepad window appears. Maximize the window.
    You may want to click Word Wrap on the Format menu to make this file easier to read.
32. Point to the list of dsget and dsquery commands.
33. Close Notepad.
34. Double-click queryusers.bat.
35. The Notepad window appears. Maximize the window.
36. Point to the list of users.
37. Close Notepad.
38. Minimize the AD Command Line Tools folder.
39. Restore Active Directory Users and Computers.
40. In the console tree, click Sales.
41. In the details pane, right-click KimA, and then click Properties.
42. The KimA Properties dialog appears. Click the Account tab.
43. Point to Account options.
44. Click the Member Of tab.
45. Point to the group this user is a member of.
46. Click Cancel.
47. Minimize Active Directory Users and Computers.
48. Restore Command Prompt.
49. Type "dsmod /? | more", and then press Enter.
50. Press Spacebar to scroll through the parameters as you discuss them.
51. Close Command Prompt.
52. Restore the AD Command Line Tools window.
53. Right-click moveusers.bat, and then click Edit.
54. The Notepad window appears. Maximize the window.
55. Point to the dsmove commands.
56. Close Notepad.
57. Double-click moveusers.bat.
58. Right-click modifymembers.bat, and then click Edit.
59. The Notepad window appears. Maximize the window.
60. Point to the dsmod commands.
61. Close Notepad.
62. Double-click modifymembers.bat.
63. Close the AD Command Line Tools folder.
64. Restore Active Directory Users and Computers.
65. In the console tree, right-click Contoso.com, and then click Refresh.
66. Click Marketing and Finance.
67. In the details pane, right-click KimA, and then click Properties.
68. The KimA Properties dialog appears. Click the Account tab.
69. Point to Account options.
70. Click the Member Of tab.
71. Point to the groups this user is a member of.
72. Click Cancel.


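The four batch files the demo runs (addusers.bat, queryusers.bat, moveusers.bat and modifymembers.bat) are not reproduced on this page, so the following single batch file is an added example, not the demo's own scripts, that carries out the same sequence with the tools just discussed: dsadd creates the OUs, users, a group and a computer; dsquery and dsget write the membership and OU reports to UserInfo.txt (including the disabled-account list that the Disabled Accounts saved query later shows in the console); dsmove relocates an account; and dsmod sets the password with -pwd and forces a change with -mustchpwd. It assumes the contoso.com domain, the Sales and Marketing and Finance OUs, the Sales Users group and the KimA account from the demo; the other account names, the initial password taken from the first argument, and creating the users disabled are assumptions. Note that the tools require full distinguished names, so the "OU=Marketing and Finance, contoso.com" shorthand used in the narration is written as OU=Marketing and Finance,DC=contoso,DC=com.

```batch
@echo off
setlocal
rem Added example, not the demo's addusers.bat/queryusers.bat/moveusers.bat/modifymembers.bat.
rem Assumes the contoso.com domain and the KimA account from the demo; other names are constructed.
rem Usage, on a domain controller as a domain administrator:  adtools-demo.bat <InitialPassword>
rem The initial password is taken from the command line so it is not stored in the script.
if "%~1"=="" (
    echo Usage: %~nx0 ^<InitialPassword^>
    exit /b 1
)
set "PWD_INITIAL=%~1"
set "DOMAIN=DC=contoso,DC=com"
set "OU_SALES=OU=Sales,%DOMAIN%"
set "OU_MKTFIN=OU=Marketing and Finance,%DOMAIN%"

rem --- addusers.bat equivalent: dsadd <type> <ObjectDN> [options] ------------------
rem The DN is the LDAP path that places the object in the directory.
dsadd ou "%OU_SALES%"  -desc "Sales department"
dsadd ou "%OU_MKTFIN%" -desc "Marketing and Finance departments"

rem Users are created disabled (the state the demo points out) and enabled later by dsmod.
dsadd user "CN=Kim Akers,%OU_SALES%"    -samid KimA    -upn KimA@contoso.com    -fn Kim    -ln Akers   -display "Kim Akers"    -disabled yes
dsadd user "CN=Andrew Hill,%OU_SALES%"  -samid AndrewH -upn AndrewH@contoso.com -fn Andrew -ln Hill    -display "Andrew Hill"  -disabled yes
dsadd user "CN=Neil Charney,%OU_SALES%" -samid NeilC   -upn NeilC@contoso.com   -fn Neil   -ln Charney -display "Neil Charney" -disabled yes

rem Global security group in the Sales OU; -members takes the member DNs.
dsadd group "CN=Sales Users,%OU_SALES%" -secgrp yes -scope g -desc "Sales staff" -members "CN=Andrew Hill,%OU_SALES%" "CN=Neil Charney,%OU_SALES%"

dsadd computer "CN=SALES-WS01,%OU_SALES%" -desc "Sales workstation"

rem --- queryusers.bat equivalent: reports to UserInfo.txt ---------------------------
rem dsget reads one object; dsquery finds many, and its DN output can be piped into dsget.
(
    echo === Groups that KimA belongs to ===
    dsquery user -samid KimA | dsget user -memberof -expand
    echo.
    echo === Users in the Sales OU ===
    dsquery user "%OU_SALES%" -o samid
    echo.
    echo === Users in the Marketing and Finance OU ===
    dsquery user "%OU_MKTFIN%" -o samid
    echo.
    echo === Disabled user accounts in the domain, the same set the Disabled Accounts saved query returns ===
    dsquery user "%DOMAIN%" -disabled -o samid
) > UserInfo.txt

rem --- moveusers.bat equivalent: dsmove relocates the object under a new parent ----
dsmove "CN=Kim Akers,%OU_SALES%" -newparent "%OU_MKTFIN%"

rem --- modifymembers.bat equivalent: dsmod sets the password, forces a change at ----
rem --- next logon, enables the account, and adds it to the group ------------------
dsmod user "CN=Kim Akers,%OU_MKTFIN%" -pwd "%PWD_INITIAL%" -mustchpwd yes -disabled no
dsmod group "CN=Sales Users,%OU_SALES%" -addmbr "CN=Kim Akers,%OU_MKTFIN%"

rem Verify what the demo checks in the KimA Properties dialog: account options and membership.
dsquery user -samid KimA | dsget user -samid -mustchpwd -disabled
dsquery user -samid KimA | dsget user -memberof -expand
endlocal
```

Run it once; dsadd fails on objects that already exist, so a second run reports errors for the creation lines while the query, move and modify lines still execute.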

Drag and Drop Management

Speaker Script

Drag and drop functionality has been added to many MMC consoles, including the Active Directory Users and Computers tool and Active Directory Sites and Services. This can reduce the number of mouse clicks required to perform certain management tasks.

If you view objects as containers, you can also drag and drop objects into groups, so let's enable that view.

To demonstrate drag and drop, we will select a few of the user accounts created earlier. Notice multiple accounts can be selected by holding down the CTRL key. Multiple object select is also a new feature in Windows Server 2003.

Now we will drag and drop the accounts into another OU. It's now very easy to move accounts.

You can also add users to groups with drag and drop. Here we will add the AaronC account to the Domain Admins group. You can see the group exposed in the left navigation tree because we set the configuration to view users, groups, and computers as containers. A dialog appears letting us know that the move was successful.

If we look at the Domain Admins group properties, we can see that AaronC is now a member.

Steps

1. In Active Directory Users and Computers, on the View menu, click Users, Groups, and Computers as containers.
2. In the console tree, click Sales.
3. In the details pane, CTRL+click AndrewH and NeilC to select them.
4. Drag and drop the accounts to the Marketing and Finance OU.
5. A confirmation dialog appears. Click Yes.
6. In the console tree, click Marketing and Finance.
7. In the details pane, point to the AndrewH and NeilC accounts.
8. In the console tree, expand Users.
9. In the details pane, drag AaronC from Marketing and Finance to the Domain Admins group in the console tree.
10. A dialog appears confirming the move was successful. Click OK.
11. In the console tree, right-click Domain Admins, and then click Properties.
12. The Domain Admins Properties dialog appears. Click the Members tab.
13. Point to AaronC.
14. Click Cancel.
15. In the details pane, collapse the Contoso.com domain.



Using Saved Queries
Speaker Script / Steps

Saved queries provide a quick and consistent way to access a common set of directory objects that you frequently manage. You can create subfolders within this folder to organize saved queries if you like.

    1. In the console tree, click Saved Queries.
    2. Point to the empty details pane.

Creating a query is easy, and you can create queries to help you locate objects that are difficult to find. So we will create a new query and give the query a name. This query will locate disabled accounts.

    3. In the console tree, right-click Saved Queries, and then click New | Query.
    4. The New Query dialog appears. For Name type "Disabled Accounts".

Notice the query root option. This allows you to specify a point in the Active Directory tree where the query will start its search for the objects specified. We could browse and select a specific container in order to refine our search.

    5. Point to Query root.
    6. Click Browse.
    7. The Browse window appears. Point to containers and OUs.
    8. Click Cancel.

Next we need to define the query. This determines what objects will be displayed. We can choose the type of object to query, which will affect which options will be available in constructing the query.

    9. Click Define Query.
    10. The Find Common Queries dialog appears. Expand the Find drop-down menu.

The common queries list provides a check box for displaying disabled accounts.

    11. Click Common Queries.
    12. Select Disabled accounts and then click OK.
    13. Click OK.

The details pane displays the results of the query. Here we can see that there are many user accounts in the domain that are currently disabled.

    14. In the details pane, point to the list of accounts.
    15. In the details pane, right-click AaronC, and then click Properties.

These objects give you direct access to the users in the query, just as if they were in their proper container.

    16. The AaronC Properties dialog appears. Click the Account tab.
    17. Clear User must change password at next login.
    18. Scroll down and clear Account is disabled.
    19. Click OK.

As objects change state, the saved query will dynamically update to include the objects which fit the query criteria.

    20. In the console tree, right-click Disabled Accounts, and then click Refresh.
    21. Point to the details pane.

Let's create another saved query. This query will show all accounts that have passwords that don't expire, a potential security issue.

    22. In the console tree, right-click Saved Queries, and then click New | Query.
    23. The New Query dialog appears. For Name type "Non-Expiring Password".
    24. Click Define Query.

Again, there is a check box under Common Queries to show these types of accounts.

    25. Select Non expiring passwords, and then click OK.
    26. Click OK.

In the details pane, we can see the accounts that match this query.

    27. In the details pane, point to the list of accounts.

Let us create one more query to identify abandoned accounts. These are accounts that haven't been used in a long time, in this case 120 days. These accounts should be disabled or deleted as they may pose a security risk if they continue to exist.

    28. In the console tree, right-click Saved Queries, and then click New | Query.
    29. The New Query dialog appears. For Name type "Abandoned Accounts".
    30. Click Define Query.
    31. Expand the Days since last logon drop-down menu, and then click 120.
    32. Click OK.
    33. Click OK.

    If an error dialog appears referencing domain functional levels, close Active Directory Users and Computers, re-open it, and refresh the Abandoned Accounts query.

Currently there are no abandoned accounts. Once an account fits the criteria for a saved query, it will appear under that query.

    34. Point to the details pane.
    35. Close Active Directory Users and Computers.
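The three saved queries above test userAccountControl flag bits and the last-logon timestamp. The Python below, added here and not part of the demo script, models those criteria over constructed sample accounts and prints the equivalent LDAP filters; the account names and dates are constructed, and leaving never-logged-on accounts out of the abandoned query is an assumption of this model.

```python
"""Offline model of the three Active Directory Users and Computers saved
queries from this demo: Disabled Accounts, Non-Expiring Password and
Abandoned Accounts (120 days).  Added example, not the demo's own code."""
from datetime import datetime, timedelta, timezone

# Real userAccountControl flag bits that the Common Queries check boxes test.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWD = 0x10000
NORMAL_ACCOUNT = 0x0200

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Convert an aware datetime to a FILETIME integer (exact integer math)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """Convert a FILETIME integer to an aware datetime; 0 means never logged on."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_disabled(acct):
    return bool(acct["userAccountControl"] & ACCOUNTDISABLE)


def has_non_expiring_password(acct):
    return bool(acct["userAccountControl"] & DONT_EXPIRE_PASSWD)


def days_since_last_logon(acct, now):
    """Days since lastLogonTimestamp, or None if the account never logged on."""
    last = from_filetime(acct["lastLogonTimestamp"])
    return None if last is None else (now - last).days


def is_abandoned(acct, now, days=120):
    """Abandoned = not used for at least `days` days.  Accounts that never
    logged on carry no timestamp; this model (an assumption) leaves them out
    rather than guessing, so review them separately."""
    age = days_since_last_logon(acct, now)
    return age is not None and age >= days


def run_saved_queries(accounts, now, abandoned_days=120):
    """Return {query name: sorted sAMAccountNames} for the three demo queries."""
    queries = {
        "Disabled Accounts": is_disabled,
        "Non-Expiring Password": has_non_expiring_password,
        "Abandoned Accounts": lambda a: is_abandoned(a, now, abandoned_days),
    }
    return {name: sorted(a["sAMAccountName"] for a in accounts if test(a))
            for name, test in queries.items()}


def ldap_filter(query, now, abandoned_days=120):
    """LDAP filter equivalent to each saved query (usable with ldapsearch or
    Get-ADUser -LDAPFilter).  1.2.840.113556.1.4.803 is the LDAP bitwise-AND
    matching rule; an object with no lastLogonTimestamp does not match the
    <= comparison, consistent with the model above."""
    user = "(objectCategory=person)(objectClass=user)"
    if query == "Disabled Accounts":
        cond = f"(userAccountControl:1.2.840.113556.1.4.803:={ACCOUNTDISABLE})"
    elif query == "Non-Expiring Password":
        cond = f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_EXPIRE_PASSWD})"
    elif query == "Abandoned Accounts":
        cutoff = to_filetime(now - timedelta(days=abandoned_days))
        cond = f"(lastLogonTimestamp<={cutoff})"
    else:
        raise ValueError(f"unknown query: {query}")
    return f"(&{user}{cond})"


NOW = datetime(2006, 1, 15, tzinfo=timezone.utc)  # constructed "current" date


def make_account(name, flags, last_logon_days_ago):
    """Build a constructed sample record; None means never logged on."""
    ts = 0 if last_logon_days_ago is None else to_filetime(
        NOW - timedelta(days=last_logon_days_ago))
    return {"sAMAccountName": name,
            "userAccountControl": NORMAL_ACCOUNT | flags,
            "lastLogonTimestamp": ts}


# Constructed sample accounts (names only borrowed from the demo).
SAMPLE_ACCOUNTS = [
    make_account("AaronC", ACCOUNTDISABLE, 10),
    make_account("AndrewH", DONT_EXPIRE_PASSWD, 3),
    make_account("NeilC", 0, 200),
    make_account("BobT", 0, 5),
    make_account("svc-backup", DONT_EXPIRE_PASSWD, None),
]

if __name__ == "__main__":
    for name, members in run_saved_queries(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {members}")
        print("  LDAP:", ldap_filter(name, NOW))
```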





Demo 4: Using Replication Features
This demonstration shows how to enable universal group membership caching.



Universal Group Membership Caching
Speaker Script / Steps

When we created the domain controller from backup media earlier, we mentioned a new feature that helps domain users in small and branch offices that are connected by low-speed WAN links. This is called Universal Group Membership Caching.

    Perform these steps on LON-DC-01.

    1. On the desktop, double-click Active Directory Sites and Services.

Universal groups are stored on global catalog, or GC, servers. When users log on, their universal group memberships must be retrieved from a GC. If there is not a GC in the local site, GCs in other sites, across potentially low-speed links, must be queried. This can delay user logon while waiting for universal group memberships to be retrieved over the low-speed WAN link.

    2. The Active Directory Sites and Services window appears. In the console tree, expand Sites, and then click BranchOffice.

By enabling Universal Group Membership Caching, you can speed up the network logon process for users in the remote office. This is enabled at the site level, in Active Directory Sites and Services. Once enabled, all domain controllers in the site will participate.

    3. In the details pane, right-click NTDS Site Settings, and then click Properties.
    4. The NTDS Site Settings Properties dialog appears. Select Enable Universal Group Membership Caching.

You can also select which other site you will retrieve updates from. The first time a user logs on after this is enabled, a GC in the other site is queried, and the user's universal group memberships are obtained and cached locally. From that point on, when users log on, they are logged on using the cached universal group information, speeding up the logon process. Domain controllers will periodically refresh cached universal group information so that it stays current.

    5. Expand the Refresh cache from drop-down menu, and then click Default-First-Site.
    6. Click OK.
    7. Close Active Directory Sites and Services.





Demo 5: Using Group Policy Management
This demonstration shows how to use the Group Policy Management Console and then use the Group Policy Modeling Wizard to
see how policies will be applied. Finally, you will show how to back up and import a Group Policy from one forest to another.



Using Group Policy Management
Speaker Script / Steps

Active Directory Group Policy is a powerful, centralized way to manage desktops, software, and configurations across the enterprise. In the past, a variety of tools, some of them third-party, were required to plan, deploy, and test Group Policy efficiently.

    Perform these steps on LON-DC-01.

    1. On the desktop, double-click Group Policy Management.

The Group Policy Management Console is a new tool that provides a single user interface in which to manage Group Policy across sites, domains, and organizational units in multiple forests.

    2. The Group Policy Management window appears. Maximize the window.

You can perform most Group Policy-related management functions with this tool. You can even create OUs from within GPMC, but we will use the Marketing and Finance OU to create a new policy for testing.

    3. In the console tree, expand Forest: Contoso.com | Domains | Contoso.com, and then click Marketing and Finance.

A Group Policy Object, or GPO, is not actually useful until it is linked to a site, domain, or OU. This will be a test policy, linked to the Marketing and Finance OU. Settings that we define in this policy will apply to accounts in the OU. Once we've tested the policy we can link it to other OUs.

    4. Right-click Marketing and Finance, and then click Create and Link a GPO Here.
    5. For Name enter "Test Group Policy" and then click OK.

While the Group Policy Management Console alleviates many of the complexities of Group Policy administration, you can still use many familiar tools such as the Group Policy Object Editor to edit Group Policy settings.

    6. In the details pane, right-click Test Group Policy, and then click Edit.

Group Policy consists of a Computer Configuration portion and a User Configuration portion.

    7. The Group Policy Object Editor appears. Maximize the window.
    8. In the console tree, point to Computer Configuration.

With Computer Configuration in Group Policy, you can set policies that are applied to computers, regardless of who logs on to the computers, whereas User Configuration allows you to set policies that apply to users within a domain or OU, regardless of which computer they log on to. You can create policy settings to manage client computer configuration, manage the user desktop environment, install software, or secure the operating system.

    9. Point to User Configuration.

Folder Redirection is a new feature available in Windows Server 2003. This allows the My Documents and other user-specific folders to be redirected to users' home folders or other locations. For example, you can configure this setting such that when a user logs on, the My Documents folder will be redirected to the home folder specified on the Profile tab of the user account.

    10. Expand User Configuration | Windows Settings, and then click Folder Redirection.
    11. In the details pane, right-click My Documents, and then click Properties.
    12. The My Documents Properties dialog appears. Expand the Setting drop-down menu, and then click Basic - Redirect everyone's folder to the same location.
    13. Expand the Target folder location drop-down menu, click Redirect to the user's home directory, and then click OK.
    14. Close the Group Policy Object Editor.



Using Group Policy Modeling
Speaker Script / Steps

We can simulate how this policy will affect users by using the Group Policy Modeling Wizard. The Group Policy Modeling Wizard replaces the Resultant Set of Policy (RSoP) Planning mode tool. It can determine which policies will be applied to a particular container or user. This is an extremely useful tool for Group Policy administrators of complex organizations, who can use it to test the impact of new policy settings and show policy conflicts prior to deployment. You can also use Group Policy Results to troubleshoot Group Policy application when problems arise.

    1. In Group Policy Management, in the console tree, right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
    2. The Group Policy Modeling Wizard appears. Click Next.
    3. The Domain Controller Selection page appears. Click Next.

You can select a specific user or computer, or a container for both. We will model what happens when AaronC logs on to a computer that is in the Workstations OU.

    4. The User and Computer Selection page appears. Under User information, click User.
    5. Click Browse.
    6. The Select User dialog appears. Type "AaronC", and then click OK.

There is another organizational unit called Workstations where computer accounts reside. A GPO called Workstations Group Policy is linked to this OU, which contains computer policies that are applied to workstations.

    7. Under Computer information, next to Container, click Browse.
    8. Click Browse.

Using the modeling tool, we can see what effective policies will be applied to users whose accounts reside in the Test OU when they log on to computers in the Workstations OU.

    9. The Choose Computer Container dialog appears. Browse to Workstations, and then click OK.

Group Policy Modeling is valuable because it allows you to model different policy combinations like this.

    10. Select Skip to the final page of this wizard without collecting additional data, and then click Next.
    11. The Summary of Selections page appears. Click Next.
    12. Click Finish.

The Modeling Wizard generates an easy-to-read report. You can expand all applied policies by clicking show all.

    13. The AaronC on Workstations summary appears. In the details pane, click the Settings tab.
    14. Click show all.

This tells you what policy settings will be applied if AaronC logs on to a computer that belongs to the Workstations OU. If we examine the policy settings, we will see some account and password policies that were applied by the Default Domain Policy GPO.

    15. Point to Computer Configuration.
    16. Scroll down to Account Policies/Kerberos Policy.

The Offline Files Group Policy setting is applied from the Group Policy in the Workstations OU that we modeled.

    17. Scroll down to the Administrative Templates section.
    18. Under the Network/Offline Files section, point to Winning GPO.

To get more information about a specific setting, you can click on it. This information is the same as that shown when you click the Explain tab for a policy setting in the Group Policy Object Editor.

    19. Click Allow/Disallow use of the Offline Files Feature.
    20. A Group Policy Management - Microsoft Internet Explorer window appears. Point to the explanation.

You can even print this information if you wish.

    21. Point to the Print button.
    22. Click Close.

And here we can see that the Folder Redirection user configuration settings will be assigned by the Test Group Policy GPO that we just created.

    23. Scroll down to the User Configuration section.
    24. Under Windows Settings | Folder Redirection | My Documents, point to Winning GPO.

If you wished, you could save this report to an HTML file and publish it on your intranet for helpdesk personnel to use for troubleshooting Group Policy-related issues.

    25. In the console tree, right-click AaronC on Workstations and then point to Save Report.
    26. Click a blank area to close the context menu.
    27. Minimize Group Policy Management.





Demo 6: Using Software Restriction Policies
This demonstration shows how to configure Software Restriction Policies and then test the policy to see the effects of the applied
policy.



Creating Software Restriction Policies
Speaker Script / Steps

Windows Server 2003 supports a new feature called Software Restriction Policies that can allow or restrict software applications and file types associated with specific extensions. This can be used to prevent viruses and to prohibit nonstandard software applications.

    Perform these steps on LON-DC-01.

    1. Restore Group Policy Management.
    2. In the console tree, expand Group Policy Objects.

Since the computer we are using here is a domain controller, we will configure software restriction policies in the Default Domain Controllers Policy.

    3. Right-click Default Domain Controllers Policy, and then click Edit.

As you can see, there are no software restriction policies configured by default.

    4. The Group Policy Object Editor console appears. Maximize the window.
    5. In the console tree, expand Computer Configuration | Windows Settings | Security Settings, and then click Software Restriction Policies.
    6. In the details pane, point to No Software Restriction Policies Defined.

So the first thing to do is to create a new software restriction policy.

    7. In the console tree, right-click Software Restriction Policies and then click New Software Restriction Policies.

Here we just want to verify that the default security level is set to Unrestricted, rather than Disallowed. The check mark over Unrestricted indicates that it is the default setting. A default setting of Unrestricted allows software to run by default, and lets you define rules to prohibit specific applications. A default setting of Disallowed prohibits all software from running, and specific rules must be configured to explicitly allow software to run.

    8. Expand Software Restriction Policies and then click Security Levels.
    9. In the details pane, point to Unrestricted and Disallowed.

For review, these rules are created by default and ensure that the files and applications needed to properly run Windows are enabled.

    10. In the console tree, click Additional Rules.
    11. Point to the rules listed in the details pane.

You can create certificate rules that will verify that applications are signed with a valid digital certificate that is allowed in your organization. You might sign application files in your organization and then allow only applications that are signed with the proper digital signature to be launched.

    12. Right-click Additional Rules.
    13. Point to New Certificate Rule.

A hash is a series of bytes with a fixed length that uniquely identifies a software program or file. A hash rule allows you to identify a program regardless of location or filename. If the executable is the same, the hash will be the same.

    14. Point to New Hash Rule.

Zone rules apply only to Windows Installer packages. A zone rule can identify software from a zone that is specified through Internet Explorer. These zones are Internet, Intranet, Restricted sites, Trusted sites, and My Computer.

    15. Point to New Internet Zone Rule.

A path rule identifies software by its file path. For example, if you have a computer that has a default security level of Disallowed, you can still grant unrestricted access to a specific folder for each user. You can create a path rule by using the file path and setting the security level of the path rule to Unrestricted.

    16. Point to New Path Rule.



Creating a Path Rule
Speaker Script / Steps

Let's create a rule to test Software Restriction Policies. This rule will apply to files in the C:\Public folder, disallowing access to a file type we will specify in the next step. For example, in a production environment, you could restrict known files such as .vbs, .exe, or other types of script files that have propagated viruses in your organization. You could apply this to folders where users save their data.

    1. Click New Path Rule.
    2. The New Path Rule dialog appears. For Path type "C:\Public".
    3. Point to Security level.
    4. Click OK.

Now we will specify a file type to disallow in the C:\Public directory. As you can see, files with these extensions will not be allowed to execute in that directory. These default file types include .exe, .vbs, .cmd, and others that are considered to be executable code.

    5. In the console tree, click Software Restriction Policies.
    6. In the details pane, right-click Designated File Types, and then click Properties.
    7. The Designated File Types Properties dialog appears. Point to the list of designated file types.

The .txt extension is a text document (this extension is just being used for this demonstration; it's unlikely that you'd ever restrict text files this way), and now this policy is configured to disallow files with that extension from being executed.

    8. For File extension, type "TXT" and then click Add.
    9. In the list of Designated file types, point to TXT Text Document.
    10. Click OK.

Here, if you wish, you can configure the policy to enforce policies on all software files, or all except library files such as DLLs.

    11. In the details pane, right-click Enforcement, and then click Properties.
    12. The Enforcement Properties dialog appears. Point to All software files except libraries (such as DLLs) and All software files.

You can also specify whether to apply policies to all users or all users except local administrators.

    13. Point to All users and All users except local administrators.
    14. Click Cancel.
    15. Close the Group Policy Object Editor.
    16. Minimize Group Policy Management.

Now that the software restriction policy has been created and linked, we will test it out on the domain controller. Group Policy is refreshed automatically at defined intervals, but you can force this to occur with the GPUpdate utility.

    17. Click Start | Run, type "GPUpdate /force", and then click OK.

As you can see, the Software Restriction Policies are doing their job; we are unable to open the test.txt file. It is good to note that Group Policies can easily be assigned to the Administrator account. Take care that you do not lock yourself out of important administrative capabilities.

    18. On the desktop, double-click My Computer.
    19. Browse to C:\Public.
    20. Double-click test.txt.
    21. An error dialog appears. Point to the description, and then click OK.
    22. Close Windows Explorer.
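The default security level, path rule, hash rule and designated file types described in this demo combine into one decision per file. The Python below is an added example, not code from the demo or from Windows: it models that decision for the policy built here (Unrestricted default, C:\Public disallowed, TXT added to the designated types) over constructed paths and file contents; SHA-256 stands in for whatever hash the tool uses, and the rule precedence (hash before path, most specific path first) follows the documented Software Restriction Policies order.

```python
"""Offline model of a Software Restriction Policy decision: default level,
path rules, hash rules and the designated file types list.  Added example,
not Microsoft's implementation."""
import hashlib
from pathlib import PureWindowsPath

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Designated file types named in the demo; the real default list is longer.
DEFAULT_DESIGNATED_TYPES = {"exe", "vbs", "cmd"}


def file_hash(data):
    """Hash rules identify a file by a digest of its bytes (SHA-256 here), so
    the same program matches wherever it is stored or however it is renamed."""
    return hashlib.sha256(data).hexdigest()


def path_is_under(path, rule):
    """Case-insensitive check that `path` equals or lies beneath `rule`."""
    pp = [part.lower() for part in path.parts]
    rp = [part.lower() for part in rule.parts]
    return pp[:len(rp)] == rp


class SoftwareRestrictionPolicy:
    def __init__(self, default_level=UNRESTRICTED, designated_types=None):
        self.default_level = default_level
        self.designated_types = {t.lower().lstrip(".") for t in
                                 (designated_types or DEFAULT_DESIGNATED_TYPES)}
        self.path_rules = []   # list of (PureWindowsPath, level)
        self.hash_rules = {}   # digest -> level

    def add_designated_type(self, ext):
        """Equivalent of adding an extension in Designated File Types."""
        self.designated_types.add(ext.lower().lstrip("."))

    def add_path_rule(self, path, level):
        self.path_rules.append((PureWindowsPath(path), level))

    def add_hash_rule(self, data, level):
        self.hash_rules[file_hash(data)] = level

    def is_designated(self, path):
        return PureWindowsPath(path).suffix.lower().lstrip(".") in self.designated_types

    def evaluate(self, path, data):
        """Return (level, reason) for running the bytes `data` from `path`."""
        p = PureWindowsPath(path)
        # A file whose extension is not a designated type is not "software"
        # to SRP, so no rule applies to it at all.
        if not self.is_designated(p):
            return UNRESTRICTED, "not a designated file type"
        # Hash rules take precedence over path rules.
        level = self.hash_rules.get(file_hash(data))
        if level is not None:
            return level, "hash rule"
        # Among matching path rules the most specific (deepest) path wins.
        matches = [(rule, lvl) for rule, lvl in self.path_rules if path_is_under(p, rule)]
        if matches:
            rule, lvl = max(matches, key=lambda m: len(m[0].parts))
            return lvl, f"path rule {rule}"
        return self.default_level, "default security level"


def demo_policy():
    """The policy built in this demo: Unrestricted default, C:\\Public
    disallowed.  TXT is added afterwards, as in the demo steps."""
    srp = SoftwareRestrictionPolicy(default_level=UNRESTRICTED)
    srp.add_path_rule(r"C:\Public", DISALLOWED)
    return srp


if __name__ == "__main__":
    srp = demo_policy()
    text = b"constructed text file contents"
    print("before TXT is designated:", srp.evaluate(r"C:\Public\test.txt", text))
    srp.add_designated_type("TXT")
    print("after TXT is designated: ", srp.evaluate(r"C:\Public\test.txt", text))
    print("outside C:\\Public:      ", srp.evaluate(r"C:\Users\AaronC\notes.txt", text))
```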





Demo 7: Using Group Policy Restrictions and Reporting
This demonstration shows how to lock down Desktop and Start Menu settings and utilize the reporting functions of the Group Policy
Management Console.



Implementing Desktop Group Policy

Speaker Script:
Now that we are logged on to the BranchOffice server as a Marketing and Finance user, let us look at the current user environment. There are some parts of the desktop that we will change.
Steps (perform these steps on LON-DC-02):
1. Log off and then log back on as CONTOSO\AaronC.
2. Manage Your Server appears. Select Don't display this page at logon.
3. Close Manage Your Server.

Speaker Script:
As you can see, this user has normal access to the Run command and Control Panel. We will set policies to prevent Marketing and Finance users from accessing either. If you want to restrict some of these features, you can do so through Group Policy.
Steps:
4. Click Start, and then point to Run.
5. Click Control Panel, and then point the mouse at the Control Panel menu.

Speaker Script:
Let's go back to Group Policy Management to change some Windows Group Policy settings.
Steps (perform these steps on LON-DC-01):
6. Restore Group Policy Management.

Speaker Script:
For this demonstration, we will create a new policy and link it to the Marketing and Finance OU.
Steps:
7. In the console tree, right-click Marketing and Finance, and then click Create and Link a GPO Here.
8. The New GPO dialog appears. Type "Marketing Desktop", and then click OK.

Speaker Script:
With Group Policy, you can define the desktop environment for users or computers in a site, domain, or OU. In this scenario, in an effort to reduce the number of user-initiated problems, we will lock down and remove certain desktop features that can get users into trouble.
Steps:
9. In the console tree, expand Marketing and Finance.
10. Right-click Marketing Desktop, and then click Edit.
11. The Group Policy Object Editor appears. Maximize the window.

Speaker Script:
For example, we will remove the Run command from the Start menu, forcing users to use shortcuts to run programs. Users will also be unable to directly navigate to a local folder or UNC path.
Steps:
12. In the console tree, expand User Configuration | Administrative Templates, and then click Start Menu and Taskbar.
13. In the details pane, double-click Remove Run menu from Start Menu.
14. The Remove Run menu from Start Menu Properties dialog appears. Click Enabled, and then click OK.

Speaker Script:
We will configure a policy setting to prevent the user from accessing the Control Panel.
Steps:
15. In the console tree, click Control Panel.
16. In the details pane, double-click Prohibit access to the Control Panel.
17. The Prohibit access to the Control Panel Properties window appears. Click Enabled, and then click OK.
18. Close the Group Policy Object Editor.

Speaker Script:
Now we'll move back to the domain controller where AaronC is logged on. Again we will use the GPUpdate utility to force a Group Policy refresh. We will have to log off and log back on before these settings will be applied.
Steps (perform these steps on LON-DC-02):
19. Click Start | Command Prompt.
20. The Command Prompt window appears. Type "GPUpdate /force", and then press Enter.
21. Close the Command Prompt.

Speaker Script:
As we have discussed, user configuration policies are applied when the user logs on. So, by logging off and logging back on, the policy will be applied.
Steps:
22. Log off and then log back on as CONTOSO\AaronC.
    Note: You may have to log off and log on twice for the settings to take effect. If Group Policy still fails to enforce, restart the virtual machine.

Speaker Script:
First, by checking the Start menu, you see that the Run command is no longer present.
Steps:
23. Click Start, and then point to near where the Run command used to be.

Speaker Script:
Also, the user cannot open the Control Panel and modify settings.
Steps:
24. On the Start menu, point to where Control Panel used to be.



Using GPMC Reporting

Speaker Script:
You can use the Group Policy Management Console to view Group Policy object settings and generate reports for analysis or documentation on those settings.
Steps (perform these steps on LON-DC-01):

Speaker Script:
To show some of the reporting features, let's look at the Default Domain Policy.
Steps:
1. In the console tree, under Group Policy Objects, click Default Domain Policy.

Speaker Script:
The Settings tab of the GPO or GPO link pane in GPMC shows an HTML report that displays all the defined settings in the GPO. Clicking this tab will generate a report of the settings in the GPO.
Steps:
2. In the details pane, click the Settings tab.

Speaker Script:
This is a typical report. It can be generated by any user with read access to the GPO. Without the GPMC, users without write access to a GPO could not read and view the settings in that GPO. This is because the Group Policy Object Editor requires the user to have read and write permissions to the GPO to open it. Some examples of users that might need to read and view but not edit a GPO include security audit teams that need to read but not edit GPO settings, Help Desk personnel that are troubleshooting a Group Policy issue, and OU administrators that may need to read and view the settings from inherited GPOs. With the GPMC, these users now have read access to the settings.
Steps:
3. Point to the report that appears in the details pane.

Speaker Script:
By glancing at this report, we can see that both the computer and user configurations are enabled.
Steps:
4. Point to the Computer Configuration (Enabled) and User Configuration (Enabled) portions of the report as you talk about it.

Speaker Script:
You can also see that, under Computer Configuration, Windows Settings, some Security Settings are applied.
Steps:
5. Point to the Computer Configuration (Enabled) | Windows Settings | Security Settings section of the report.

Speaker Script:
You can expand a section individually to see which policy setting groups have been configured.
Steps:
6. Next to Security Settings, click show.
7. Point to the list of policy setting groups in the details pane.

Speaker Script:
To see one of the specific settings applied, such as settings for Account Policies/Password Policy, click show next to that group of settings. You can see the settings for maximum password age, minimum password age, password complexity requirements, among others.
Steps:
8. Next to Account Policies/Password Policy, click show.
9. Point to the policy settings displayed under Account Policies/Password Policy.

Speaker Script:
If you want to see all the settings in a policy, click the show all link at the top of the report. All of the rows fully expand, allowing you to see all settings.
Steps:
10. Click show all.
11. Scroll through the list of policy settings.

Speaker Script:
The GPMC fulfills some common reporting requirements. It gives you the ability to document all the settings in a GPO to a file for printing or viewing. Just right-click the report and select to print or save the report.
Steps:
12. Right-click the details pane, and then point to the Print and Save Report menu options.

Speaker Script:
You can save the file as either HTML or XML.
Steps:
13. Click Save Report.

Speaker Script:
Note that saved reports include the contents of the Settings tab, as well as additional information that is shown on the Scope, Details, and Delegation pages in the UI.
Steps:
14. The Save GPO Report dialog appears. Expand the Save as type drop-down, and then point to HTML file and XML file as you talk about them.
15. Click HTML file.

Speaker Script:
By default, reports are stored in My Documents. Of course you can choose a different location.
Steps:
16. Browse to the desktop and click Save.
17. Close Group Policy Management.

Speaker Script:
To view a saved report directly in a Web browser, you must use Internet Explorer 6 or Netscape 7.
Steps:
18. On the desktop, double-click Default Domain Policy.htm.
19. The Microsoft Internet Explorer window appears. Maximize the window.

Speaker Script:
This is a report for all the settings in that GPO.
Steps:
20. Point to the show and hide links on the right side of the report.

Speaker Script:
Notice that we have the same sort of navigation available in this Web page. You can selectively show or hide options.
Steps:
21. Click show all in the upper right of the report.

Speaker Script:
You can also show all the settings in the GPO.
Steps:
22. Scroll through the list of GPO settings.

Speaker Script:
That gives you some idea of the reporting features available in the GPMC. The GPMC provides similar reports for Group Policy Modeling and Group Policy Results.
Steps:
23. Close Internet Explorer.
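The Demo 7 procedure (create and link the Marketing Desktop GPO, enable the two Administrative Template settings, verify them, and save the HTML and XML reports) can also be scripted. This is an added example, not part of the demo script, and it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or RSAT and later, which the Windows Server 2003 demo environment does not have) and a contoso.com domain DN for the Marketing and Finance OU; the registry value names NoRun and NoControlPanel are the values those two policy settings write.

```powershell
# Added example (not from the demo script): scripted equivalent of Demo 7 using the
# GroupPolicy module. Requires Windows Server 2008 R2 / RSAT or later.
Import-Module GroupPolicy

# Assumptions for this example: domain contoso.com, OU directly under the domain root.
$GpoName   = 'Marketing Desktop'
$OuDn      = 'OU=Marketing and Finance,DC=contoso,DC=com'
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# The two Administrative Template settings from the demo and the per-user
# registry policy values they write.
$DesiredValues = @{
    NoRun          = 1   # "Remove Run menu from Start Menu"
    NoControlPanel = 1   # "Prohibit access to the Control Panel"
}

function New-MarketingDesktopGpo {
    # Create the GPO and link it to the OU (demo steps 7 and 8).
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Locks down Run and Control Panel'
        New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
    }
    # Write the settings as registry-based policy (demo steps 12 to 17).
    foreach ($entry in $DesiredValues.GetEnumerator()) {
        Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $entry.Key `
            -Type DWord -Value $entry.Value | Out-Null
    }
    return $gpo
}

function Test-MarketingDesktopGpo {
    # Read the settings back from the GPO; returns a description of each mismatch.
    $problems = @()
    foreach ($entry in $DesiredValues.GetEnumerator()) {
        $current = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey `
            -ValueName $entry.Key -ErrorAction SilentlyContinue
        if (-not $current -or $current.Value -ne $entry.Value) {
            $problems += "$($entry.Key) is not set to $($entry.Value) in '$GpoName'"
        }
    }
    return $problems
}

function Export-GpoReports {
    param([string]$OutputDir = "$env:USERPROFILE\Desktop")
    # Same output as Save Report in GPMC: HTML for people, XML for tooling.
    foreach ($type in 'Html', 'Xml') {
        $path = Join-Path $OutputDir "$GpoName.$($type.ToLower())"
        Get-GPOReport -Name $GpoName -ReportType $type -Path $path
        $path
    }
}

function Test-ClientPolicyApplied {
    # Run as the target user on the client (LON-DC-02 in the demo) after
    # gpupdate /force and a fresh logon; HKCU only reflects User Configuration
    # policy once it has been processed for that logon.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $applied = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $DesiredValues.Keys) {
        [pscustomobject]@{ Setting = $name; Applied = ($applied.$name -eq $DesiredValues[$name]) }
    }
}

New-MarketingDesktopGpo | Out-Null
$issues = Test-MarketingDesktopGpo
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'GPO settings verified.' }
Export-GpoReports
```

Run the first three functions on the domain controller holding GPMC; run Test-ClientPolicyApplied in the restricted user's session to confirm the settings landed, which is the scripted form of demo steps 23 and 24.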





Demo 8: Using the Security Configuration Wizard
This demonstration shows the functionality of the Security Configuration Wizard.



Running the Security Configuration Wizard

Speaker Script:
The Security Configuration Wizard enables you to deploy servers configured specifically for their role on the network.
Steps (perform these steps on LON-DC-01):

Speaker Script:
The wizard starts by informing you that all open inbound ports will be identified. All necessary applications should be running on the server when the wizard is run.
Steps:
1. On the desktop, double-click Security Configuration Wizard.
2. The Security Configuration Wizard appears. Point to the warning regarding inbound ports.
3. Click Next.

Speaker Script:
The wizard takes into account the current configuration of the server, so it is important to make sure the server is configured as you would expect it to be in a production environment. You can install the wizard using Add/Remove Programs in the Control Panel.
Steps:
4. The Configuration Action page appears. Point to Create a new security policy.

Speaker Script:
After the wizard is complete, it provides an XML file that can be applied to a server by selecting "Apply an existing security policy." You could create one policy and then use this feature to make sure that all servers holding the same roles are uniformly configured.
Steps:
5. Point to Apply an existing security policy.

Speaker Script:
If you want to use an existing policy but modify it, you can choose "Edit an existing security policy." Then load the XML file of that policy. You can then use the wizard to change settings.
Steps:
6. Point to Edit an existing security policy.

Speaker Script:
If you are having problems with your security settings, you can choose to roll back to the last security policy.
Steps:
7. Point to Rollback to the last applied security policy.
8. Click Next.

Speaker Script:
You can run the Security Configuration Wizard for another server, but we will run it locally for this demonstration.
Steps:
9. The Select Server page appears. Click Next.

Speaker Script:
The security configuration database holds information relating to various server roles. The stored data identifies the required services and ports for each specific role.
Steps:
10. When the process is complete, click View Configuration Database.
11. The SCW Viewer window appears. Maximize the window.

Speaker Script:
For each role, the SCW Viewer will display the required roles, services, and ports for that role to function. The report also displays whether the role or service is installed and enabled.
Steps:
12. Click Domain controller (Active Directory).

Speaker Script:
The configuration database also lists the startup default of services.
Steps:
13. Scroll down to the Services section.
14. Click Background Intelligent Transfer Service.

Speaker Script:
You can also view the current status of enabled ports.
Steps:
15. Scroll down to the Ports section.
16. Click 53 (DNS).
17. Close SCW Viewer.
18. Click Next.

Speaker Script:
The wizard allows you to select the roles that the server will perform and the client features that you require. Be sure that you are familiar with the functions of this server before you use the SCW. Incorrect answers could enable unwanted functionality or disable needed roles.
Steps:
19. The Role-Based Server Configuration page appears. Click Next.

Speaker Script:
Here you can see the roles that SCW has identified on the server. You can add or remove roles from the list that SCW will analyze.
Steps:
20. The Select Server Roles page appears. Click Next.

Speaker Script:
In the same manner, you can identify client features on the server.
Steps:
21. The Select Client Features page appears. Click Next.

Speaker Script:
Now we will look at other administrative options for the server. For instance, if this computer receives applications from Group Policy, this administrative option must be enabled for SCW to leave that capability on the server.
Steps:
22. The Select Administration and Other Options page appears. Click the arrow next to Application Installation from Group Policy.
23. Click Next.

Speaker Script:
You must then confirm that you do not want changes made to services that have not been specifically identified. If it is required, these services can be disabled here.
Steps:
24. The Select Additional Services page appears. Click Next.

Speaker Script:
The wizard shows a list of services that have had changes made to them.
Steps:
25. The Handling Unspecified Services page appears. Click Next.

Speaker Script:
Now you can see what changes SCW will make.
Steps:
26. The Confirm Service Changes page appears. Scroll through the list.
27. Click Next.

Speaker Script:
Now we will look at Network Security. The wizard provides the ability to configure inbound communications for the Windows Firewall, including adding ports not in the list.
Steps:
28. Click Next.
29. The Network Security page appears. Click Next.

Speaker Script:
On this page SCW lists what ports are open on the server's firewall and identifies what services they are associated with.
Steps:
30. The Open Ports and Approve Applications page appears. Click Next.

Speaker Script:
Now confirm the ports that will be opened.
Steps:
31. The Confirm Port Configuration page appears. Click Next.

Speaker Script:
Now we will cover registry settings.
Steps:
32. The Registry Settings page appears. Click Next.

Speaker Script:
The wizard enables configuration of the registry to enable SMB signing and outbound and inbound authentication, providing a summary at the end of the section.
Steps:
33. The Require SMB Security Signatures page appears. Click Next.

Speaker Script:
LDAP signing, available on Windows 2000 Server SP3 and later, adds a layer of security for directory replication.
Steps:
34. The Require LDAP signing page appears. Select Windows 2000 SP3 or later, and then click Next.

Speaker Script:
Clear the check boxes for any authentication methods that are not in use.
Steps:
35. The Outbound Authentication Methods page appears. Click Next.

Speaker Script:
SCW covers a lot of security concerns that the average administrator can easily overlook. For instance, you can prevent NT servers that are not up to the latest service pack from connecting to this server.
Steps:
36. The Outbound Authentication using Domain Accounts page appears. Click Next.

Speaker Script:
Here is a summary of the changes made to the registry.
Steps:
37. The Registry Settings Summary page appears. Click Next.

Speaker Script:
The wizard then configures an audit policy.
Steps:
38. The Audit Policy page appears. Click Next.

Speaker Script:
You can choose to audit successful changes to services, audit all attempts to change services, or you can choose to not audit anything. We will leave it at the default setting.
Steps:
39. The System Audit Policy page appears. Click Next.

Speaker Script:
Here is a summary of the audit changes that SCW will make. Keep in mind that a high degree of auditing will provide you a lot of information about your server, but it could affect performance.
Steps:
40. The Audit Policy Summary page appears. Click Next.

Speaker Script:
When complete, the policy is saved as an XML file that contains the configured settings. If you run the wizard and the "Apply an existing security policy" setting is selected, you can choose a previously saved security configuration.
Steps:
41. The Save the Security Policy page appears. Click Next.
42. The Security Policy File Name page appears. In the Security policy file name text box, type "TechNetDemo" at the end of the file path.

Speaker Script:
Click View Security Policy to see a summary of the changes that SCW will make. The Security Policy includes changes to services, network security, registry settings, audit policy, which SCW template to use, and IIS.
Steps:
43. Click View Security Policy.
44. The SCW Viewer appears. Maximize the window.
45. Scroll through the list.

Speaker Script:
You can apply the settings immediately, or later. Keep in mind that it will be necessary to restart the computer.
Steps:
46. Close the SCW Viewer.
47. Click Next.
48. An SCW dialog appears. Click OK.
49. Make sure that Apply later is selected, and then click Next.

Speaker Script:
The Security Configuration Wizard eases the configuration burden when building new production servers and securing existing servers. In addition, the wizard includes a command line tool you can use to run administrative scripts and other administrative utilities to apply a security configuration and compliance analysis to groups of servers. The wizard also integrates with Active Directory® directory service to support deployment of wizard-generated policy settings through Group Policy.
Steps:
50. Click Finish.
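The command line tool and the Group Policy integration mentioned in the closing paragraph are scwcmd.exe's analyze, configure and transform commands. The following is an added example, not part of the demo script: it runs a compliance analysis of a group of servers against the saved TechNetDemo policy, converts that policy into a GPO, and reads back the registry values behind the SMB signing, LDAP signing and authentication pages of the wizard. The server names, policy path and result folder are assumptions, as is the per-machine naming of the analysis result files.

```powershell
# Added example (not from the demo script). Uses scwcmd.exe, the command-line
# companion of the Security Configuration Wizard, plus a local registry check.
# Paths and server names below are assumptions for this example.
$PolicyPath = 'C:\Windows\security\msscw\Policies\TechNetDemo.xml'  # saved in demo step 42
$ResultDir  = 'C:\SCWResults'
$Servers    = @('LON-DC-01', 'LON-DC-02')

function Invoke-ScwAnalysis {
    # Compliance analysis of each server against the saved policy. scwcmd writes
    # an XML result per machine into the result directory (assumed to be named
    # after the machine); review it with scwcmd view, see the usage note below.
    param([string[]]$ComputerName, [string]$Policy, [string]$OutDir)
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $results = @()
    foreach ($server in $ComputerName) {
        & scwcmd.exe analyze /m:$server /p:$Policy /o:$OutDir
        $results += [pscustomobject]@{
            Server   = $server
            ExitCode = $LASTEXITCODE     # non-zero means the analysis itself failed
            Result   = Join-Path $OutDir "$server.xml"
        }
    }
    return $results
}

function Invoke-ScwConfigure {
    # Applies the policy to a server; this is the command-line form of
    # "Apply an existing security policy" and requires a restart, as in demo step 48.
    param([string]$ComputerName, [string]$Policy)
    & scwcmd.exe configure /m:$ComputerName /p:$Policy
    return $LASTEXITCODE
}

function ConvertTo-ScwGpo {
    # Turns the SCW policy into a GPO so it can be linked through Group Policy,
    # which is the Active Directory integration the wizard's closing text describes.
    param([string]$Policy, [string]$GpoName)
    & scwcmd.exe transform /p:$Policy /g:$GpoName
    return $LASTEXITCODE
}

function Get-SigningState {
    # Reads back the registry values behind the wizard's registry settings pages.
    # RequireSecuritySignature = 1 means SMB signing is required;
    # LDAPServerIntegrity = 2 means LDAP signing is required on the DC;
    # LmCompatibilityLevel is the LAN Manager authentication level that the
    # outbound authentication answers drive (higher values refuse older clients).
    $server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        SmbServerSigningRequired = ((Get-ItemProperty $server -ErrorAction SilentlyContinue).RequireSecuritySignature -eq 1)
        SmbClientSigningRequired = ((Get-ItemProperty $client -ErrorAction SilentlyContinue).RequireSecuritySignature -eq 1)
        LdapSigningRequired      = ((Get-ItemProperty $ntds -ErrorAction SilentlyContinue).LDAPServerIntegrity -eq 2)
        LmCompatibilityLevel     = (Get-ItemProperty $lsa -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
}

$analysis = Invoke-ScwAnalysis -ComputerName $Servers -Policy $PolicyPath -OutDir $ResultDir
$analysis | Format-Table -AutoSize
Get-SigningState | Format-List
```

To read an analysis result as a report, use scwcmd view with the analysis stylesheet, for example `scwcmd view /x:C:\SCWResults\LON-DC-01.xml /s:%windir%\security\msscw\TransformFiles\scwanalysis.xsl` (the stylesheet path is the usual SCW install location and is an assumption here).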



