Can you hear me now? Do I have to have this thing pretty much pressed to my lips? Okay. Okay, before I begin, I want to point something out that's very important to keep in mind for the next hour and a half that I'm going to be talking, or the next however long I'm going to be talking. I do not work for Microsoft. I'm not a representative of Microsoft. I'm sitting here telling you what I know about locking down your Windows 2000 box. You just installed Windows 2000 Server. Now what? Okay, this is not the Microsoft official slant. I'm not... I just want to really emphasize I don't work for Microsoft and I'm in no way trying to indicate that I represent them in any way, shape, or form. Okay, this is one man's opinion.

A little bit of background. First of all, my name is Keith Nugent. I didn't put that on the slide, but my name is Keith Nugent. I work in Chicago, Illinois as a trainer. I train people how to set up Windows 2000, NT, Cisco, that sort of stuff. I'm the type of person that when your boss tells you you're going to a class, I'm the guy standing in front of you. I teach everybody from people that don't even know what a computer is, they have to learn how to turn it on, all the way up to people who've been doing this for 20 years and now they just need to learn the next operating system or how to configure the Cisco router that they just had shipped in.

The topic: how to lock down your Windows 2000 boxes. Again, you just ordered a server or you just installed the server. You just threw Windows 2000 on there. What are some of the options you have to lock things down, to kind of secure things, and what can we do to lock them down even further? By default, Windows 2000, NT, the whole product line has never been ultimately secure. You can't just install Windows 2000 and walk away. You couldn't install NT and just walk away and expect that nobody is going to be able to access any of your data. We do have some options. We can lock things down and keep people out.
You have to have the operating system plus a little bit of intelligence, and just go in and work with it. So we're going to take a look at default NTFS permissions. We're going to talk briefly about what NTFS is, how it works, what you need to have installed. I imagine everybody here already knows what NTFS is, but I'm going to just give a brief recap for those of you who may have some misgivings about it or who may not know about it. We're then going to talk about what the default settings are as far as the security templates and locking down of settings on Windows 2000 Professional. Then we'll talk about default server, and we'll talk about Server, Advanced Server, Datacenter Server. They're all just different capabilities. The security is going to be the same on them as far as the default settings, and the default domain controller settings. You may be surprised at security by default on a domain controller.

I'm sorry. I'll make the slides available. I'll talk to the guys that are running this show. I'll put them up on my website. I'll figure out some way to make them available, but to be honest with you, I've only got like 10 slides. There are going to be a lot of demonstrations, actually showing you rather than doing it with slides.

Starting off with NTFS permissions. By default, NTFS gives Everyone Full Control of almost every file on the operating system. The C drive, at the root of C, Everyone Full Control. If you take a look at the properties of C, it's just Everyone Full Control. Anybody can do whatever they want by default at the C drive. Obviously, this isn't a great idea. Well, maybe that's an understatement, but that's the default. That's where we start off. Nobody's saying that this is the most secure way of doing things. It's just that you start off with a blank slate and then you can lock things down from there. Here we see Everyone Full Control. First of all, how many people are working with NT right now, or have worked with NT in the past?
How many people are working with 2000 already? How many people have been working with 2000 for over a year? You probably know a lot of what I'm going to be talking about if you've been working with it for over a year, but maybe I've got some stuff that you don't know.

This is the Windows 2000 properties dialog box, the security dialog box. A couple of things about security. With 2000, now we have Allow or Deny. You can either allow or deny the specific types of permissions, and of course NTFS permissions. NTFS permissions, there are about 15 or 20 actual permissions. These are accumulated into the cumulative permissions, or the standard permissions. So the ones that we're seeing here are actually standard permissions. These are cumulative of the actual NTFS permissions. If I click on Advanced here and go in and edit the Everyone group here, we can see we have a bunch of other permissions as well. Another cool thing about 2000 that's kind of new about NTFS is now you can say, okay, where do I want this to apply to? Do I want this to apply to this folder only? This folder, subfolders and files, which is the default for everything. Any subset of there: subfolder and subfolders, folder and files, subfolders and files, just subfolders, just files, etc. You can specify, I want this to propagate to a certain extent. I'm going to leave it with that. You can see here, if I go back... apologies, this mouse is kind of difficult to control with one hand. If I want to give somebody permission, add in. Now the first thing you're going to do... how many people have Everyone Full Control still on their machines now, on their servers? Yeah, I didn't think so. First thing you're going to do is remove the Everyone Full Control. At the very least, if you still want to give everybody full control, go in, and there's a group called Authenticated Users.
That's people that you have allowed to authenticate against this machine, or against this domain if you're operating in a domain environment, which you probably will be with a number of servers. Go in and specify Authenticated Users and give them full control. Then somebody can't just walk in with a box, plug into your network and start looking at the files. Everyone is just anybody that has access to the server. Everyone means everyone. So I'm going to go in and I'll just add in Guests here for this demonstration, because it doesn't really matter. Everyone by default gets Read and Execute, List... I'm just going to give them Read permission. We'll see what Read permission is when we go in a little bit further. Also, as I go along here, if you have any questions, feel free to ask questions throughout, or of course we'll reserve some time at the end for questions, but I know oftentimes I get a question in my head and I don't remember it an hour later when it's time for questions.

So here we see the default permissions are going to actually be... the cumulative permission of Read gives us List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions, and I believe that's it. Yeah, that's it. So any time you add in a permission, or any time you give somebody permission, what you're actually doing here is giving them a group of actual NTFS permissions. You'll also notice on this Advanced box down here there's "Reset permissions on all child objects and enable propagation of inheritable permissions." What this means is, when I set these permissions, I want this to inherit down to all of the child objects. So if I go in and I set permission on the C drive under NT4, what happened? I had that permission set on the C drive, right?
Now if I go in and set something on the C drive... let me drill down a little bit here on my C drive. We'll go to Program Files just for fun, and we'll see if we click on Everyone here... where the heck is it? There's no Everyone. Okay, Everyone's not on Program Files; that was a bad choice of example. Okay, here we see Everyone, and I don't know if you guys can... yeah, it shows that pretty well there. These are grayed out. I can't uncheck these boxes. These are inherited permissions, so any time you see a gray check box and they're pissing you off because you can't uncheck them, they're inherited from a parent folder. You have to go back and find the parent folder. If you don't want the parent information to be inherited down, just uncheck that and it's going to give you a dialog box: do you want to copy these permissions? In other words, right now what we have is the C drive is where the permissions are set and they're being inherited at the Projects level. I'll get you in just one second. They're being inherited at the Projects level, the Projects folder level. Do I want to copy those and have those applied directly at the Projects level, or do I want to remove them, or did I accidentally click on that check box, and cancel? So I'm going to go ahead and say Remove here, and I will see that we don't have anything. If I click on Add here, then I'm going to add in permission, and I'm going to cancel out of this so that doesn't actually apply.

Yeah, go ahead and speak up if you want. I'm deaf. Authenticated Users is going to be at the domain level. Users is sort of a backward compatibility; it's still there from NT4. Authenticated Users indicates a user whose credentials have currently been authenticated, not one who just presents the credentials at the time of access. I don't know if I explained that very well. Basically Authenticated Users is the Windows 2000 version of Users. It's a little more secure because that user has a session or an authenticated token. Thank you. Okay. Yeah, go ahead.
Okay. That's a good question. You've got Allow and Deny. If you check Allow, you're explicitly allowing them to have that permission. If you uncheck Allow and you do not check Deny, you're implicitly denying them that permission. Okay. What that means is that because you're not allowing them, you're denying them. Okay. However, if they have permission somewhere else that allows them, then it will be allowed. So implicit denial, by not checking that, just means if nowhere else says that they have permission, then they don't have permission. If you allow them anywhere else, then they're allowed. If you check the Deny check box, then you're explicitly denying them. Even if they have Allow somewhere else, they're not going to be able to get in, because Deny overrides Allow every time. It's the way that the access control list is set up: the denies are up at the top and it parses through. It finds a deny and says, okay, yeah, never mind. Does that answer your question? Great. Okay. That was a good question.

So getting back to the slides: Everyone Full Control by default. You need to be using NTFS to set permissions at all. Now that may seem a little basic, but I've had people come up to me and, oh, you know, my server is pissing me off because everybody can go in and modify files, and they go and they're running FAT. And I'm like, well, what about your NTFS? I asked them about NTFS permissions. Yeah, I went in and changed the permissions. They were changing their shared folder permissions and didn't understand why somebody sitting at that box was able to modify the information. So you have to be using the NTFS file system in order to be able to use NTFS permissions. Okay. We just took a look at how to set NTFS permissions. You can go into My Computer or into Windows Explorer. You right-click, you go to Properties, Security, add the user, and then specify what level of permission you have.
You can specify the permission either at the cumulative level, the standard permission, saying Read, and that's going to give them the actual NTFS permissions, or you can go into Advanced and specify the individual permissions that you want to grant them. Okay. And then what's new about NTFS permissions? They're inheritable. I can go in and specify Everyone Full Control on the C drive, and that's going to propagate down to everybody else. If I uncheck that, it's going to... at a lower level, if I say do not allow inheritable permissions, then I apply those permissions directly at that subdirectory. Go ahead. I'm sorry? Yes, that's true. Yeah. That sounds right to me. I've not done much with a no user account. I generally do training, so that's quite possibly the actual answer. Okay. This is just showing you the same screens that I already showed you. You can either Allow or Deny. If it's a white check box with a check mark in there, it's inherited... I'm sorry, it's allowed. If it's a white check box without the check mark in there, then it's not specified. If it's gray, that means that it's inherited from a higher level. Okay. From a parent directory of some sort. I click on Advanced and you can go in, you can click on Edit, View/Edit, to look at these, or you can add in here. So you can either add at the previous screen, add somebody in with the standard permissions, or you can go to this screen, add in, and add that user in with specific NTFS permissions, the actual permissions. And then when you click on that, you can go in and specify where you want that to apply: this folder, subfolders, files, or any combination thereof.

Okay. Getting into default security settings. Default security settings are actually pretty lax permissions. I'm not really going to go into it, but basically Everyone Full Control of the C drive; the WinNT and the Program Files folders are a little bit less wide open.
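The Allow/Deny and inheritance rules described above, as an added Python model that is not code from the talk or from Windows itself. The folder tree, group memberships and the rights bundled into Read, Write and Full Control are constructed for illustration:

```python
"""Toy model of how an NTFS DACL is evaluated, following the rules in the talk:
a standard permission such as Read is a bundle of specific rights; an explicit Deny
wins over any Allow; a right that no entry allows is implicitly denied; and entries set
on a parent folder flow down to children until inheritance is unchecked.
Group membership is simplified to 'the set of names the user carries in their token'."""
from dataclasses import dataclass, field
from typing import Optional

# Specific NTFS rights grouped into the standard permissions the Security tab shows (constructed subset).
READ = frozenset({"ListFolder/ReadData", "ReadAttributes", "ReadExtendedAttributes", "ReadPermissions"})
WRITE = frozenset({"CreateFiles/WriteData", "CreateFolders/AppendData", "WriteAttributes", "WriteExtendedAttributes"})
FULL_CONTROL = READ | WRITE | frozenset({"Traverse/Execute", "Delete", "ChangePermissions", "TakeOwnership"})


@dataclass
class Ace:
    trustee: str             # user or group the entry is for (Everyone, Authenticated Users, Guests, ...)
    kind: str                # "Allow" or "Deny"
    rights: frozenset        # the specific rights this entry covers
    inherited: bool = False  # True when it came from a parent folder (the grayed-out boxes)


@dataclass
class Folder:
    name: str
    aces: list = field(default_factory=list)
    parent: Optional["Folder"] = None
    inherit_from_parent: bool = True   # the "Allow inheritable permissions from parent" checkbox


def effective_aces(folder: Folder) -> list:
    """The folder's own entries plus, if inheritance is on, everything that flows down from its parents."""
    aces = list(folder.aces)
    if folder.inherit_from_parent and folder.parent is not None:
        for ace in effective_aces(folder.parent):
            aces.append(Ace(ace.trustee, ace.kind, ace.rights, inherited=True))
    return aces


def check_access(folder: Folder, token: set, wanted: frozenset) -> bool:
    """token: the user's own name and every group in their token.
    wanted: the specific rights being requested, e.g. READ.
    Granted only when no matching Deny covers any wanted right and the matching Allow
    entries together cover every wanted right; anything else is an implicit deny."""
    denied, allowed = set(), set()
    for ace in effective_aces(folder):
        if ace.trustee not in token:
            continue
        (denied if ace.kind == "Deny" else allowed).update(ace.rights)
    if wanted & denied:
        return False            # explicit Deny overrides Allow, wherever the Allow came from
    return wanted <= allowed    # not allowed anywhere means not allowed at all


def demo() -> dict:
    """Walk through the lockdown steps from the talk on a constructed C:\\ and C:\\Projects tree."""
    root = Folder("C:\\", aces=[Ace("Everyone", "Allow", FULL_CONTROL)])   # the out-of-the-box default
    projects = Folder("C:\\Projects", parent=root)
    anyone = {"Everyone"}                                   # someone who just plugged into the network
    bob = {"bob", "Everyone", "Authenticated Users"}        # a logged-on domain user
    results = {}
    results["default: anyone can write"] = check_access(projects, anyone, WRITE)
    # Step 1: drop Everyone/Full Control at the root and give Authenticated Users Read instead.
    root.aces = [Ace("Authenticated Users", "Allow", READ)]
    results["anyone can read after lockdown"] = check_access(projects, anyone, READ)
    results["bob can read (inherited)"] = check_access(projects, bob, READ)
    results["bob can write (implicit deny)"] = check_access(projects, bob, WRITE)
    # Step 2: an explicit Deny on Guests beats the inherited Allow for a domain account
    # that has been put in the Guests group (constructed membership).
    projects.aces.append(Ace("Guests", "Deny", READ))
    temp = {"temp", "Everyone", "Authenticated Users", "Guests"}
    results["temp can read despite deny"] = check_access(projects, temp, READ)
    # Step 3: uncheck inheritance and choose Remove: nothing from C:\ applies at Projects any more.
    projects.inherit_from_parent = False
    results["bob can read without inheritance"] = check_access(projects, bob, READ)
    return results


if __name__ == "__main__":
    for label, granted in demo().items():
        print(f"{label:36} -> {'granted' if granted else 'denied'}")
```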
They go to Authenticated Users; administrators are the only ones that can do real modification under WinNT. You've got a 42-day password expiration for local accounts. Does everybody understand the difference between a local account and a domain account? Does anybody not understand the difference there? Okay. A local account is on the local machine. It's stored in the SAM database, the Security Accounts Manager database, on that local machine. If I have an account on machine A and I want to access a resource on machine B, if I'm using my account from machine A I can't get that resource on machine B. That account is stored locally on that machine. A domain account is stored at a domain controller. It's actually stored in Active Directory for Windows 2000, and you authenticate from your local machine against the domain controller, so you have domain credentials. If you want to access a resource on machine B, if you're using a domain account, basically both machines are trusting that domain controller for authentication, so therefore you can access a resource there. Okay.

For the local account, for the one that only applies to this machine, you've got a 42-day password expiration. It's going to, by default, send LM and NTLM responses. It's not going to go to NTLMv2 or Kerberos by default. And most of the settings, when you look at the security templates, are either not defined or they're disabled. It's pretty wide open. They're relying on you to go in and actually secure these things. Server is still pretty wide open. It's going to do basically the same thing: 42-day password, LM and NTLM responses, most settings not defined or disabled. It's not real different from 2000 Professional. Now, you'd expect when we go to the domain controller, you'd expect that domain controller security would be higher, but it's actually lower. Okay. The machine-specific settings are even more lax than server and professional.
There are no password restrictions as far as the 42-day password length. It's not going to specify to send... or actually it does specify LM and NTLM only. Most everything is defined for a domain controller at the group policy level. We'll talk about group policy in just a couple of minutes here. Okay. So security for domain controllers is not controlled at the actual machine. It's controlled for all the domain controllers in general in Active Directory, specified in group policy. Okay.

So now we're going to take a look at the security settings. Where do you set these security settings? How can you enhance the security settings? How can you increase the level of security using default security templates? These can be applied to individual machines or applied to group policy. Microsoft provides you with a group of templates that are pretty general use, but they're a good way to get started. And then you can also create your custom security templates by either taking those default security templates and modifying them, saving them as your own template, or you can create a brand new template all your own. We're going to take a look at these templates, how to create them, and how to use them. Okay.

The security templates: what you do is you go into an MMC, and I'm not going to go into the MMC right now. I've already created one. Does everybody know how to open up MMC and add in snap-ins? Okay. I mean, anybody not know how to do that? Okay. If I get a chance later on, I'll go through how to add in the MMC. But for right now, let me just show you the one that I created. And I apologize for everything running slow. This is a really old laptop. I think it's like a 200 with 32 megs of RAM, and I've got Advanced Server running in here, so things will be a little bit slow. So here, I added in the Security Templates snap-in. The templates are stored under C:\WINNT\Security\Templates. You can go into your directory and find those. And here we just have basic templates.
I'm going to take a look at the basic domain controller template. The way these templates work is that you have all of the settings you can go in and modify in the group policy or in the local security on the machine, all these different settings. The idea here is we've taken a database and we've applied these settings to that database. You can then take and apply that database and say, okay, take all the settings from this database and apply them to the group policy, or apply them to the local machine. So you can set all the settings independent of the machine and then apply that template over and over and over again to different machines or to multiple group policies, so that you get the exact same level of security everywhere. So I'm going to take a look at the basic DC. I'm going to walk over and point at this one. For those of you that see that, you may want to divert your eyes over here. You've got basic domain controller, basic server, and basic workstation. Those are roughly equivalent to the default security that's applied when you first install Professional or Server, or you upgrade to a domain controller. Okay? They're not exactly identical. There are a couple of things that are different that are important right now. But basically, if you have really gone in and hosed your security, you can apply these basic templates and that'll bring you back to the way it was roughly the day you installed the operating system. Go ahead. Actually, if you are... yeah, you can do that, and if you upgrade from NT to 2000, in other words you don't do a fresh install, when you upgrade it's going to presume that you already have the security in place that you want and therefore will not apply the default security templates. In that case, if you want to bring those up to the default Windows 2000 level, then you'd also have to apply these basic templates. Okay?
So either A, you've just gone over to NTFS from FAT or FAT32 and you want to apply it, or you've really hosed your security, or you've upgraded from NT to 2000. Yeah, go ahead. I'm sorry, could you repeat that? In other words, you go in and modify your security and you want to make that into a template? Yes. Yes. If you've gone in and modified it from the basic, from the default, if you've made any changes to your security, you can then export that to a template so you can always go back to that level, wherever you got yourself to. Okay?

So we've got a basic server, workstation and domain controller. We then have secure workstation and server, and high sec DC and high sec WC, or WS, workstation. Okay? And we'll cover each of those in a little bit of detail here. But let me just take a look at basic DC to see... we'll take a look at how these are set. Password policy: not defined for anything. Account lockout policy: not defined for anything. Kerberos policy: not defined for anything. You guys seeing a pattern here? Okay. If we go in and expand high sec DC... these are the default templates that are included. And again, you can modify these, create your own templates and then apply your own templates. In fact, if anybody goes in and installs Windows 2000 and then just says, okay, well, I'm just going to install the high sec DC and that'll do everything that I need, I'll be really disappointed in you. Okay? Everybody has different needs. Everybody has different requirements for their server. Yeah, go ahead. I'm sorry? That's a good question. I don't know the specific answer. However... it has to include all of those? Okay. Two of three. Okay. I knew that it had to do uppercase, lowercase, alphanumeric characters. What's that? It's out of four? Okay. It has to have three out of four of uppercase, lowercase, numeric and special characters. Okay. So it has to have three out of the four, so that you don't have users using "password" for their password. Okay.
Or if they do, they've got like capital P, password, then a number and then a special character, I guess. Which is still a lot more secure than just the word password. So, I always tell people, when I'm telling users how to create passwords or when I'm telling my friends how to create passwords, I tell them to think of their favorite song, think of the first letter from each word in the lyric of that song, and then throw a number in the middle. Okay. That way they're going to remember the password real easy, but it's not going to be as crackable as, you know, the name of their dog or whatever. Okay. But password requirements and good password guidelines are the subject of an entirely different speaker. So, I'll leave those alone for right now. Okay.

So password policy for high sec DC, we can see it's going to remember 24 passwords, meaning that you can't just change your password back to the exact same password. You have to go through 24 passwords before you can reuse a password. It still has 42 days. Minimum password age, two days. So you can't change it and then change it right back again. Minimum password length is eight characters. Passwords must meet complexity requirements: enabled. And store password using reversible encryption is disabled. Okay.

No, if the help desk changes it, what you're going to do is you're going to give them permission to go in and reset the password. That doesn't count against the user's changing of their password. Right. You can check that they can go in and reset the password and then check the checkbox that says user must change the password at the next logon, in which case they'll be forced to change the password to something different than that. So that's not a concern as far as I've seen. I haven't seen that error, but if you are seeing that error, then yeah, I guess you'd have to go in and disable that ability. Okay. What's that? He was asking, if we set the password so you can't change it, you have to wait two days before you change it.
What happens if the help desk goes in and changes the password? And then the user has to change their password. Again, the user can't just go in and change their password from what the help desk set it to, because they've got to wait two days. Okay. I'm pretty sure if you set it to the checkbox, but I may be wrong. Yeah. He was saying that it gives them an error when the user goes in and tries to change the password after the help desk has set it. What was that? Is it a Win9x box? No. Yeah. I'm not sure what's causing that. I'm sorry.

You can see this is a little bit more secure than the basic DC. It's setting some actual password policy. Account lockout policy, still a little bit lax. Five invalid logon attempts. The account lockout duration is zero, though. The reset account lockout counter after 30 minutes. So if you try five times and you get it wrong, it's going to lock you out for zero seconds. And if you try four times, it's going to wait 30 minutes and then give you another five tries. So still not the most secure, but it's better than nothing. Okay. Kerberos policy is not defined, because you actually have to have it using Kerberos across the whole system before Kerberos policies would really make much sense. I'm not going to go through the settings on all of these. This is something that you can just sit down at your server and walk through the MMC snap-in and look at the different settings.

However, if I have high sec DC and I like that, I'm going to go in to my password policy and say 42 days just doesn't sit well with me. So I'm going to go in and change this to 41 days, because that's all right. Okay. Obviously you'd make a lot more dramatic change than that, but this is just for demonstration purposes. I can then go in and say Save As. I can either say Save, and if I specify Save right there, then what that's going to do is save high sec DC with these new settings. So it's going to modify my default template.
If I don't want to modify the default template, if I want to leave that alone, I can say Save As and just give it a different name. Okay, so I'll name this high sec DC2. Now, if I want to apply that template, I can apply either one of those, high sec DC or high sec DC2, and they've got different settings. So I can go in and modify: basically, okay, I've got this template, it's doing most of what I want, but I want to make a couple of changes. You can go in and do that. Or you can go to Security Templates. I think we've got to click here and right-click. I hate these context menus. Say New Template, give it a name. I'll name it "lock everyone out." I can put in a description there if I want to. It'll appear... the description appears over here on the side. I would recommend putting a description in there. Even if you know what it's for, it's good to have a description, because then everybody else knows what it's for too. Okay, now it's creating a template, and this template is going to be absolutely blank. So I go into my "lock everyone out." Everything is disabled or everything is not set. Not defined. So you've got to go in and set every setting there. So you can either create a brand new template, absolutely fresh, and go in and set the settings that you want, or you can take a template that already exists, either a Microsoft-supplied template or one that you've created in the past, and modify that and then save that as a new template. So you can create these new templates.

Now, how do we actually apply these templates? Well, there are a couple of different ways. If you want to apply it directly to the machine, then you can go into Local Security Policy on the machine, Import Policy. Click on Import Policy. It asks me which template I want to import the policy from. I'll specify one and then I'll import it.
Okay, I'm not going to do that right now because I would screw up the security on the machine, although it wouldn't really matter, and I'll explain why it wouldn't matter in just a moment here. But I can go in and just click on Open here. It would apply this template to the local machine. Okay. The other way to do this is go into a group policy and apply the group policy, or you can go into our tool, and in the MMC you can add in Security Configuration and Analysis. There's a command line version of the Security Configuration and Analysis tool. The command line version is called secedit. Okay, so you can use secedit. It's a command line version of this tool. It actually gives you greater functionality than the graphical tool. But for the most part, day-to-day operations, the graphical tool will do you pretty good.

Okay, so you've got Security Configuration and Analysis. What we're going to do here is we're going to go in and say, okay, I've got my current security. I want to take a look at how this template is going to affect that. Okay, how many people think that just applying everything without testing is a good idea? Yeah, me neither. So you want to test this. You want to see what's going to happen beforehand. This isn't actually testing. It's just configuration, or it's just analysis. So I'm going to say Open Database. Say Open. This is an empty database. The next thing it's going to do is ask me which template I want to apply. Okay, down here at the bottom, if I've already used this template before, I can say "clear this database before importing." So wipe everything fresh, or I can take an already existing database that I've applied one template to and apply another template on top of that. Because this is a brand new database, I don't have to clear it, because it's already clear. So I'll add in high sec DC2, the one that we just modified. And what's going to happen here is just about nothing.
You can't really see any difference, but now what it allows us to do is go in and say Analyze Computer Now or Configure Computer Now. I'm going to analyze the computer now. It asks me where I want to store the log. By default, it's going to store it in the local administrator's, or the person that's logged on, template location. So I'll say okay; it goes in and creates it pretty quickly. And now I can breeze through here, take a look at Account Policies, Password Policy, and here I have a whole bunch of red Xs. A red X means they don't match. This isn't going to tell you whether it's a good idea or a bad idea, just, hey, it doesn't match. So enforce password history: database setting, 24 passwords remembered; the computer is one password. So obviously that's going to be much more secure when we add in this template. Maximum password age, 41 days versus 42 days: they don't match. The actual computer setting is theoretically more secure, or actually less secure, I guess, because it's 42 days as opposed to 41 days. Minimum password age, we can see why we have the red Xs. Down here with the green check mark, they're both disabled. A green check mark means they match. So a red X means they don't match, a green check mark means they do match, and then if you don't have a red X or a green check mark, that means that one of them is not set. One of them is not defined. So we've come down here to Kerberos Policy, where the database is not defined but the computer already has things defined. We don't see anything here as far as a red X or a green check mark. So you've got to watch out for the red Xs and something that doesn't have anything, because this one's not defined. So it's not actually going to apply anything over this, so you'll still have this. But if the database had some settings that you didn't like, but you were already not defined on your machine, it wouldn't show you a red X. It would just be blue, so don't just go breezing through here looking for red Xs. You need to look at each setting by itself.
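The analyze-then-configure workflow just described, as an added Python model that is not code from the talk or from Microsoft's tools. It loads a template into a "database", reports each setting as mismatch (red X), match (green check mark) or not defined (no icon), and then shows that configuring leaves undefined settings untouched. The .inf text and the "current" domain controller values are constructed for this example, and the key names follow the layout of secedit template files (assumed):

```python
"""Model of the Security Configuration and Analysis snap-in (and secedit /analyze,
secedit /configure): a template's settings go into a database, the database is compared
with the computer's current settings, and each setting comes back as MISMATCH (red X),
MATCH (green check mark) or NOT DEFINED (no icon: one side has no value)."""
import configparser

# Display names the snap-in uses for these keys (key names as in secedit .inf templates; assumed).
LABELS = {
    "PasswordHistorySize": "Enforce password history",
    "MaximumPasswordAge": "Maximum password age",
    "MinimumPasswordAge": "Minimum password age",
    "MinimumPasswordLength": "Minimum password length",
    "PasswordComplexity": "Passwords must meet complexity requirements",
    "ClearTextPassword": "Store password using reversible encryption",
    "LockoutBadCount": "Account lockout threshold",
    "LockoutDuration": "Account lockout duration",
    "ResetLockoutCount": "Reset account lockout counter after",
    "MaxTicketAge": "Maximum lifetime for user ticket",
}

# Constructed template: the high sec DC values listed in the talk, saved as high sec DC2 with the age set to 41.
HISECDC2_INF = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 41
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 0
ResetLockoutCount = 30
"""

# Constructed "current" settings of a freshly promoted domain controller as the talk describes them:
# one password remembered, 42-day age, reversible encryption off, plus a Kerberos value the template leaves undefined.
CURRENT_DC = {
    "PasswordHistorySize": 1, "MaximumPasswordAge": 42, "MinimumPasswordAge": 0,
    "MinimumPasswordLength": 0, "PasswordComplexity": 0, "ClearTextPassword": 0,
    "LockoutBadCount": 0, "LockoutDuration": 30, "ResetLockoutCount": 30,
    "MaxTicketAge": 10,
}


def load_template(inf_text: str) -> dict:
    """Import a template into the database: every policy section flattened to {setting: int}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep the key names' case
    parser.read_string(inf_text)
    db = {}
    for section in parser.sections():
        if section in ("Unicode", "Version"):   # file metadata, not settings
            continue
        for key, value in parser[section].items():
            db[key] = int(value)
    return db


def analyze(db: dict, computer: dict) -> dict:
    """'Analyze Computer Now': {setting: (status, database_value, computer_value)}."""
    report = {}
    for key in sorted(set(db) | set(computer)):
        db_val, pc_val = db.get(key), computer.get(key)
        if db_val is None or pc_val is None:
            status = "NOT DEFINED"       # no icon: nothing to compare, and configure will not touch it
        elif db_val == pc_val:
            status = "MATCH"             # green check mark
        else:
            status = "MISMATCH"          # red X: different, which says nothing about better or worse
        report[key] = (status, db_val, pc_val)
    return report


def configure(db: dict, computer: dict) -> dict:
    """'Configure Computer Now': defined database settings overwrite the computer's; undefined ones stay as they were."""
    configured = dict(computer)
    configured.update(db)
    return configured


if __name__ == "__main__":
    database = load_template(HISECDC2_INF)
    for key, (status, db_val, pc_val) in analyze(database, CURRENT_DC).items():
        print(f"{status:12} {LABELS.get(key, key):45} database={db_val!s:>5} computer={pc_val!s:>5}")
    after = configure(database, CURRENT_DC)
    print("mismatches after configure:",
          sum(s == "MISMATCH" for s, _, _ in analyze(database, after).values()))
```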
But the red X, the green check mark, or nothing covering the little blue bits on the white page all indicate how the settings are. So you can look at it at a glance and know how they're going to match up. The next thing that I could do here is, if I went in and right-clicked on here, I could now say Configure Computer Now. This is now going to apply this template to the system. It's now going to put these settings in effect on the system. Now here's the thing. If I go in and configure the computer now, it's still not going to do a darn thing to my system. The reason for that is that this is a domain controller in my own little domain. Domain controllers don't get their security, or don't get their final security, from the local settings. They get it from a group policy.

How many people have worked with group policy before this point? Okay. Group policy takes what we had in NT4 with our policies, our security policies in NT4, and kind of jacks them up a little bit. You can do a lot more in here. So I'm going to take a look at Active Directory Users and Computers. As you know... let me get through some of these slides first. So we've got our security templates; we already took a look at that. Group policy: we'll take a look at order of processing. How does group policy process? The order of the containers, and then modifying the default application of group policy. Group policy may not apply the way you want by default. You can go in and modify a lot of this. A lot of chances to modify how things go in Windows 2000. So let's take a look at Active Directory Users and Computers. I'm going to look at my Domain Controllers OU and click on Group Policy. Everybody see how I got there? Active Directory Users and Computers tool. I went to the Domain Controllers OU and then Properties. Now I'm going to Group Policy, and now I'm going to edit this group policy. Now I'm looking at the default domain controllers group policy. This is what's applied by default.
All I've done on this machine is install Windows 2000. I installed PowerPoint so I could show the slides, and I promoted it to a domain controller. I installed DNS too so it could be a domain controller. So this is a basic, default, out-of-the-box server configuration. If we go into Computer Configuration, Windows Settings, Security Settings, this is where I'm going to apply my security. This is where we're going to find our account policies, such as password policy and account lockout, and local policies such as audit policy and user rights assignment. This is something that really screwed me up about two years ago, a year and a half or two years ago, when I was first figuring out Windows 2000: you used to just go in and assign somebody the right to log on locally in NT4. You'd just go to User Manager, go to User Rights and then set it up. This is buried within the Domain Controllers group policy under Windows Settings, Security Settings, Local Policies, User Rights Assignment. This is where you go in and give somebody the ability to log on locally. And as we can see here we've got TsInternetUser, IUSR_Freedom1; Freedom1 is the name of my computer. Administrators, Backup Operators, Account Operators, most of the default administration security groups, and then our Internet users. So by default on the domain controller all of our Internet users, our Internet guest accounts, have the right to log on locally to the computer. This is because IIS is installed on Windows 2000 by default, but you would think that domain controllers really shouldn't have that ability. Yeah, go ahead. I'm sorry? Oh right, yeah, the Kerberos settings for the domain controller by default are stronger than the default template, the basic template. Okay. Okay.
So for IIS you have to have the ability to log on locally for your temp accounts, but you may want to go in and remove these on your domain controllers, because you're probably running your web server off your domain controller. All right, at least I hope you're not. Okay, so that's one thing that you want to take a look at for Log on locally. They can also log on as a batch job, because that's what they need to be able to do. Okay. This is where you assign your user rights within the domain. To assign user rights on a local machine you go to a similar setting, User Rights Assignment under Local Policies in the local security policy. Okay, so this goes in and sets your user rights for the domain, and they have to be set at the domain if you're a member of the domain. So if you want to be able to log on to a domain controller, you go to the domain controller in order to log on locally. Okay. Generally you don't want a lot of people being able to log on locally to the domain controller, though, right? I mean, you're not going to have everybody working on domain controllers; those should be locked away, with just a couple of the administrators going in and working on them. Okay, so these are our domain controller security settings, set in the group policy for the domain controllers. Group policy objects. A group policy object in Windows 2000 is stored in Active Directory. It's actually made up of two different components. A group policy object is made up of the group policy container and the group policy template. The group policy container is the actual object in the Active Directory database. This is basically the pointer; it provides version information, etc., etc. Your group policy template is stored in the sysvol directory and it has all the actual settings of the group policy.
Okay, so with your group policies, the meat of the group policy information is stored in the sysvol directory, whereas a pointer is stored in Active Directory so you can link the group policy, the actual settings, to specific users, specific computers, etc., within the domain. Okay, so if you drill down through your sysvol directory under the name of your domain, you'll find the group policy template. The group policy template is named after the 128-bit GUID that identifies it as a unique object. So when you drill down, you're not going to have Domain Controllers GPO as the name. It's going to be a 128-character GUID as the name. The way the group policy happens, or the way the group policy is applied, is first, it's furthest from the exception of the computer. So first, any computer settings are applied when the machine is booting up. It's then going to look for a site-based group policy; any group policies that are applied at the site are applied next. It then moves down to the domain level. Anything that's applied at the domain will apply to this user or computer, and then it moves down to the OU. Within the OU, the organizational units can be nested within each other. If the organizational units are nested within each other, then the parent OU applies and then it moves down the line until you get to the OU nearest to the user or computer that it's applying to. For this reason, the local security that's set on your domain controllers, when you go and set it locally on each individual machine, is applied first; and then the site generally doesn't matter, you're not going to apply a lot of group policies at the site level; but anything that's set at the domain level will apply next, and then the settings at the Domain Controllers OU will override those settings. So by the time you get down to the Domain Controllers OU, a lot of your settings have been modified from whatever you set on the local machine.
Therefore, if you go in and modify settings on the local machine and then you don't see them actually pop up on the machine, this is why: because group policy security settings are overriding the local security settings. Okay. Now, group policy is going to apply differently over a slow network connection. It can detect a slow network link. It uses an algorithm; if you want to know about that algorithm you can go to the Microsoft website. They have a white paper that details how that algorithm is used. Basically it sends different-size packets and looks at the response time to determine whether a link should be considered slow. If it's considered slow, then all that's going to be applied is the security settings and the administrative templates. So even if you've got a slow link, any security that you set at the group policy level is still going to be processed over that slow network connection. Okay. This is good because the security is always going to be applied to the users. This is bad because it's going to take them an hour and a half to log in if you're not careful with how many GPOs you apply to an individual user or computer and how slow their link is. Okay. Group policy is going to set a flag that will indicate this slow link to the client-side extensions. The client-side extensions will then only process the security settings and the administrative templates, the only things that are turned on by default over a slow network connection. Okay. Now what happens if you have a conflict between group policy settings? Actually, I talked about that briefly in this slide here, but all group policy settings apply unless there are conflicts. So if I have a group policy that says the Run command should not be allowed on the user desktop, and then I have another group policy that says that password complexity should be enforced, or should be enabled, then both of those are going to apply because there's no conflict. They're two different settings.
So it's not like one group policy overwrites everything about the other group policy. It will only do that if there's a conflict in the same setting between two different group policies. The last setting processed applies, and the order in which they're applied is from bottom to top within the container. So first the computer's local security is going to be applied, then the site. If there's more than one group policy at the site, it's bottom to top in how they're listed at the site level. You'll then move on to the domain, bottom to top as they're listed at the domain container, and then each OU, bottom to top within each OU if you have more than one GPO. If you don't have more than one GPO, obviously it's the only one, so it's the one that's going to be applied. The reason for that is the one that's on top is the one that's actually going to have the final say. So it processes them bottom to top. You can reorder those in the way that they're linked. Let me show you that real quick. If you go into... who's asking? Even if there's one that's more restrictive, why is it going to process bottom to top? Here I've got multiple. I'll create a new OU here, or GPO, I'm sorry. So I've got my two GPOs here. This new one doesn't have any settings in it. The default domain controller one has some settings in it. What it's going to do is process this one first, and when it's done processing this one it'll move to the one right above it. The reason for this is that the one that's on top is the one that's going to be final. If I wanted to change the order of these, I could just click on Up here and reorder them. Let me close out of this. Any time there's a conflict for a setting... I'm sorry, go ahead. No. You've got to have your security settings, or your group policies, for 9x, and then you've got to have the ones for 2000. If you're using NT, 9x and 2000 clients, you still have to use the policy editor for 95, the one for NT, and then group policy for 2000.
Now, the cool thing is that 2000 will apply, or will process, the ones for NT, so you don't have to go in and do group policy right away if you've just got a couple of 2000 clients. They'll still process the NT stuff. It's just that if you want to go to group policy, you need to slowly move everything over as you move your clients over to 2000. But if you're still going to have 95 and 98 clients, a lot of people are probably going to stay with the policy editor, the group policy for 9x and NT. Go ahead. Then you're still going to use the NT policies. Yeah. Unless you've got a 2000 domain controller, you can't use group policy. Okay. And any time there's a conflict between a setting that's intended for a computer and a setting intended for a user, the computer setting is going to apply. There are some things that you can apply to both users and computers with group policy. The computer setting is going to win over the user setting any time there's any conflict. Before we move on to questions, there are a couple of other things that I wanted to demonstrate. Okay. I told you the slides were short. Okay. And actually here, let me... I'm demonstrating this on the default domain controller GPO, but these sorts of settings are available in every GPO. You can go into your Computer Configuration, under Administrative Templates or your Security Settings, and you can really lock things down. You can specify account lockout policy. You can specify your audit policy. Auditing is covered in group policies now. It's got to be enabled on the local machine. It's got to be enabled by an administrator. User rights and security options are where you're going to do a lot of your settings. We've already pointed out Log on locally. You can Deny logon locally. So if somebody had Log on locally set at a different GPO that applied to them, you can specifically deny logon locally to a group of users.
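To make the processing order described above concrete, here is an added example that is not from the talk: a plain Python model (not a Windows API) that applies Local, Site, Domain, then each OU from parent to child, processes the links in each container from the bottom of the list up so that the top link wins, keeps every non-conflicting setting, and lets a computer setting beat a user setting when both halves define the same thing. It also records which GPO supplied each winning value, which is the question you end up asking when a setting made on the local machine doesn't stick. The GPO names, link order and setting names below are stand-ins constructed to follow the demo (a Domain Controllers OU with an empty new GPO above the default one, then a lockdown GPO moved to the top with the Up button).

```python
"""Model of Windows 2000 Group Policy processing order (added example, not a Windows API).

Order: Local, Site, Domain, then OUs from the parent down to the one holding the
computer or user.  Within a container the links are processed from the bottom of
the Group Policy tab upward, so the link at the top is applied last and wins any
conflict.  Settings that do not conflict all apply.  When a setting exists in both
the computer and user halves, the computer setting wins.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings


def resolve(local, site, domain, ou_chain):
    """Apply LSDOU processing and return (computer, user, trail).

    local, site, domain: lists of GPOs linked to that container, in the order the
    Group Policy tab shows them (index 0 is the top of the list).
    ou_chain: list of (ou_name, linked_gpos) from the parent OU down to the OU
    that contains the object.
    trail maps ("computer"|"user", setting) to the "Container/GPO" that supplied
    the winning value.
    """
    computer, user, trail = {}, {}, {}
    stages = [("Local", local), ("Site", site), ("Domain", domain)]
    stages += [(f"OU:{name}", links) for name, links in ou_chain]
    for container, links in stages:
        for gpo in reversed(links):  # bottom of the list first, top of the list last
            for key, value in gpo.computer.items():
                computer[key] = value
                trail[("computer", key)] = f"{container}/{gpo.name}"
            for key, value in gpo.user.items():
                user[key] = value
                trail[("user", key)] = f"{container}/{gpo.name}"
    return computer, user, trail


def effective(computer, user):
    """Merge both halves; a setting defined in both takes the computer value."""
    merged = dict(user)
    merged.update(computer)
    return merged


# Constructed sample following the demo: local policy on the DC, the default
# domain policy, and two links on the Domain Controllers OU.
LOCAL = [GPO("Local Group Policy",
             computer={"Log on locally": "Administrators, Users",
                       "Audit logon events": "Success, Failure"})]
SITE = []
DOMAIN = [GPO("Default Domain Policy",
              computer={"Password must meet complexity requirements": "Enabled",
                        "Group Policy slow link detection": "500 Kbps"},
              user={"Remove Run menu from Start Menu": "Enabled",
                    "Group Policy slow link detection": "128 Kbps"})]
DC_OU = ("Domain Controllers", [
    GPO("New Group Policy Object"),           # top of the list, no settings yet
    GPO("Default Domain Controllers Policy",  # bottom of the list, processed first
        computer={"Log on locally": "Administrators, Backup Operators, IUSR_Freedom1"}),
])
# Same OU after a lockdown GPO is moved to the top of the list with the Up button.
DC_OU_LOCKED = ("Domain Controllers", [
    GPO("DC Lockdown", computer={"Log on locally": "Administrators"}),
    DC_OU[1][1],
])


if __name__ == "__main__":
    comp, usr, trail = resolve(LOCAL, SITE, DOMAIN, [DC_OU])
    for key, value in effective(comp, usr).items():
        print(f"{key} = {value}")
    print("Log on locally came from", trail[("computer", "Log on locally")])
```

Run as-is, the local "Log on locally" value is overridden by the Default Domain Controllers Policy link, the local audit setting survives because nothing above redefines it, and the slow-link setting defined in both halves resolves to the computer value; swapping in `DC_OU_LOCKED` shows the top link of the OU winning.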
So you can specifically allow the administrators you want to be able to log on to a machine, and then specifically deny everybody else if that's your bag. You can log on locally. You can allow things to log on as a batch job, log on as a service. Under Security Options here, I'm just going through these briefly. Additional restrictions for anonymous connections: you can go in and specify Do not allow enumeration of SAM accounts and shares. That's kind of a good idea. No access without explicit anonymous permissions. Not so bad either. So you can set that sort of thing. You can say Allow server operators to schedule tasks on domain controllers. Allow system to be shut down without having to log on. Generally you don't want that allowed on your domain controllers or most of your servers. Prompt user to change password before expiration: you can specify how long before expiration they're going to get a notification. Secure channel: digitally encrypt or sign secure channel data; SMB packets that have a digital signature. One of the things that I like is that you can restrict groups. How many times do you add somebody into a security group, give them administrative permission, give them the ability to do something, and then forget about it? You can create restricted groups where you specify who's allowed, or who's in, a specific group. You want to give them the ability to do something and add them to that group? The next time this group policy is processed they're kicked out of the group. So you can boot people out of a group based on just how the system can control that: these are the people that are allowed to be in the group, and if somebody else gets added to the group, I want you to remove them right away. You can specify how system services are going to apply.
You can specify how system services are going to start up, who's going to define this permission, specify which user is going to be used, and select the service startup mode: automatic, manual or disabled. So you can set those. These will override the local settings. So you can set these in a group policy that's going to apply to all of your user clients, say at the domain level, and have services start up the same across all of your client machines, or all of your servers, or both. Specify control over the registry. You can add in registry keys and specify the permissions. We can add in a registry key here and have that added for everybody. File system permissions. You can specify a specific directory on the machine and what permissions are set there. So add a file to this GPO. I'm saying, okay, for Documents and Settings, for example, I want Everyone to have just Read permission. What's that? By default, the administrator of the local machine or domain administrators can write to the registry for most of the keys. HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER can be written. Certain sub-trees can be written by applications, by the system account, and by the local user, so that when the user changes their desktop, that's written to the registry. Things like that. Public key policies: how you're going to use your set of your PKI. And then IPsec policies: you can specify new IPsec policies and have them applied and enforced across multiple machines. So a lot of things that you can do on the local machine, you can set in group policy and have that applied across the board to a number of users. On top of all the security, the things that we used to see in NT4 when we went into the policy editor are administrative templates. We can do things like, first of all, for Windows Components, we can lock down NetMeeting, specify to disable remote desktop sharing, Internet Explorer tests, etc. Nothing really exciting in there.
You can set settings on some default applications. Logon: how to run logon scripts, delete cached copies of roaming profiles, and timeouts for dialog boxes for a user when a slow link is detected, things like that. Disk quotas, which are new for NTFS in Windows 2000: you can lock down, by partition, the C drive, the D drive, etc., on a specific machine, who has what amount of space on it. DNS client: whether or not to specify the primary DNS suffix. Group Policy: how the group policy is going to be applied. This is going to be important once you set up group policy. How do you want group policy to be applied? How do you want it to be processed? Windows File Protection, something new for Windows 2000. With Windows File Protection, if you delete or try to modify specific system files from the operating system, then it will go in and try to restore them for you. This is where you can set how this is going to be handled. Okay, there we go. Set Windows File Protection scanning on or off. Hide the file scan progress window so the user doesn't see it happening. Limit Windows File Protection cache size: how much of a cache is it going to allow? Specify Windows File Protection cache location: where you're going to use it. One of the great things under Administrative Templates is that every policy has an Explain tab. And unlike previous versions, it's not like one sentence saying this is how you specify the Windows File Protection cache. Okay, it gives you a couple of paragraphs. Some of these are good, some of them, you know, some are more detailed, some are less detailed, but it actually gives you an explanation of what the heck you're just about to do. Okay, administrative templates are even more powerful for users, where you can do things like Start Menu and Taskbar: remove the user's folders from the Start Menu, disable and remove links to Windows Update. This is one I really like.
I don't like my users going in and trying to do Windows Update all the time. Remove common program groups from the Start Menu, remove Documents from the Start Menu, remove the Run command, remove Help, add Log Off to the Start Menu. Under NT4 you could specify which applications users were allowed to run; with 2000, you can specify, okay, they are allowed to run these applications, but more importantly you can now say they're not allowed to run these. So you can put things like command.exe and cmd.exe on the do-not-run list. Once you remove the Run prompt, users try to get in and run command.exe or cmd to get a command prompt, or whatever they try to do, and you say, okay, well, you can't run that, you can't use that. Okay, disable personalized menus. How many people are really glad personalized menus have been added to the operating system? Yeah, you can disable those for all of your users. There's nothing like a user calling you up and saying, well, I was using it yesterday, or I saw it yesterday, but now it's not on my menu. I think somebody was messing with my computer. Well, no, you have personalized menus. Click on the little chevrons at the bottom and they're all amazed: oh wow, there it is, I found it. So you can disable the personalized menus if you are starting to see any sort of problems with the personalized menus. Add 'Run in separate memory space' to the Run box if you've got some older applications, gray unavailable Windows Installer programs' Start Menu shortcuts, etc. Desktop: you can specify what you're going to do with the desktop. Hide the Internet Explorer icon on the desktop so that they don't go out browsing the web as easily. Hide My Network Places so they don't go and accidentally find something on the network, or accidentally remove something from the network. Remove My Documents. Do not add shares of recently opened documents. Disable adding, dragging, dropping and closing the desktop toolbars. Disable adjusting desktop toolbars.
This is a godsend for anybody that's had somebody accidentally lose their taskbar. You go down, they've lost it somewhere. Well, they've got it set to auto-hide and it's up on the top, or over on the right, or what have you. Underneath Desktop, we can also go into Active Desktop and specify what they're allowed to do with Active Desktop, and what they're allowed to do with Active Directory: hide the Active Directory folder, and enable filter in the Find dialog box of Active Directory searches. In Windows 2000, Active Directory isn't just where you keep your security information. Theoretically it's going to be where you save all of your information on users and objects that exist in your domain. Theoretically you want your users searching Active Directory: when they're looking for a printer, when they're looking for a shared folder, when they're looking for another user's email address, they can search Active Directory. We may want to lock that down a little bit. Control Panel: you can control what people are allowed to do. First of all, disable Control Panel for your users. Hide specified Control Panel applets, or show only specified Control Panel applets. What they can do with Add/Remove Programs and what they can do with Display. Real fun trick to play with your users: go in and disable all of the tabs, but not the Display icon. That way they can open it up but they don't get any tabs. They can't actually do anything, but they still see the icon. I'm not recommending that you torture your users. I'm just saying if you wanted to, that's one way you could. Printers: you can disable the deletion of printers, disable the addition of printers. Default Active Directory path when searching for printers: where you want them to look. This way you can put all of your printers in one OU and then have the users look there. I'm looking for a printer; it pops up all the printers. And browse a common website to find printers.
We now have IPP, the Internet Printing Protocol, which allows your print servers to publish their printers on the web and allows your users to find them that way as well. Under Network you can specify network and dial-up connections and offline files. That's something that you want to get into. Logon and logoff: how logon and logoff should run. Disable Task Manager, disable Lock Computer, disable Change Password on the security dialog box, disable Log Off. Run logon scripts synchronously, run legacy logon scripts hidden, run logon scripts visible, run logoff scripts visible. Basically, how do you want this stuff to run? Okay, then Group Policy: how should group policy be applied for this specific user? Okay. Does anybody have any questions so far? Yeah, go ahead. I'm sorry, could you just discuss the... okay, you mean the anonymous enumeration of the SAM database? Okay, hold on a second. Let me get back into that. Do you remember, or is that... this one here, Additional restrictions for anonymous connections: Do not allow enumeration of SAM accounts and shares. Basically, don't allow somebody to come in over the network and get the SAM database, read the SAM database off of this server. Okay, from what I understand, there are a number of attacks where you just go in, get the SAM database and then run whatever sort of password cracking, brute-force attack or whatever you want to do on the SAM database. So not allowing the enumeration of the SAM accounts and shares means not showing what SAM accounts and what shares are available on the server. And then the one below that, No access without explicit anonymous permissions. Basically, unless you have given an anonymous account permission to the resource, then don't just provide the access. Does anyone else have any questions? You, in the blue hat? Go over IPsec. Hold on a second. By default for IPsec, there are three default policies. You've got Client, which is Respond Only, Secure Server, and Server.
Server means it's going to request IPsec communication between itself and another system. Secure Server, or Require Security, means it will not communicate unless they're using IPsec. Okay, what you want to do is you want to say Client, or Respond Only, on all of your clients. If you're going to be using IPsec on your servers, you want to set all of your clients to Respond Only. If you don't have one of these set, then it's not going to know what to do with IPsec and therefore it's not going to respond. Okay, so by default, your Windows 2000 clients are not going to respond to an IPsec request. They're not going to understand it, and therefore all communications from a server that's requiring IPsec are not going to occur. Or if it's just requesting IPsec, then IPsec will never be used between the two. So you need to set Respond Only. Basically that means if I have a server asking me to use IPsec, then I'll respond. Okay, looking at the more detailed properties of this setting. It's the default response rule. Go ahead and edit this. We can see that it'll use 3DES, SHA-1 and MD5. The default response rule simply says: if nothing else applies, then apply this one. And this one basically says, yeah, but you've got to use some sort of security. Looking at the General tab, it's going to check for policy changes every 180 minutes. Let me get back to the rules. I can add a new rule. Okay. Everything under 2000 is a wizard and this is no exception. So it's a Security Rule Wizard. Now you can go in and add something in addition to the default response. We've got two different types of tunnels with IPsec. We've got end-to-end and point-to-point, or tunnel mode and transport mode. Tunnel mode means that from this server to this server, this IPsec rule applies between these two servers. If I specify that the tunnel endpoint is specified by this IP address, then that means that if you use this rule you have to be communicating with the server that has this IP address.
So I'll put in some IP address here. Say 10.9.8.7, just any random IP address. Now it's going to ask the network type: is this for LAN? Is this for remote access? Or all connections? I'm going to leave it with all connections. The authentication method. Do you want to use Kerberos? Do you want to use a certificate from a specific CA that has already been issued to you? Or do you want to use a pre-shared key? The least secure of these is the pre-shared key. Basically you both type in the same string of characters, and as long as you both have the same string of characters then you can communicate. How do you share those characters? Well, you send them over email, or you write them down on a piece of paper and tell the person which one they're using, or whatever. You both have to have the same string. The reason that this is less secure is that if you have the pre-shared key from one end then you have the key for both ends. Kerberos: you have to be using either Windows 2000 servers or some Unix system operating in a Kerberos realm. You have to be able to use Kerberos for authentication. Or you can use a certificate from a specific CA. We don't have any certificates on here. I haven't installed this as a CA, so we don't have any certificates. Let's go ahead and use a pre-shared key. Again, this is the least secure, so I wouldn't recommend this, and for the pre-shared key I'll say 'hi'. Really not secure. Two characters. Then the filter list. What protocols are we going to filter based on? Do I want to go with all ICMP traffic and allow or deny it? Do I want to go with all IP traffic? I'm going to actually go with all IP traffic. Based on all IP traffic I'm going to request security. Those are my two rules. I've got the all IP traffic rule, which means I'm going to request security, and then my dynamic rule. Now I've modified my Client default policy.
So we'll go ahead and say Close, and now it's not actually just going to respond; it's got a rule in there that's going to request security. If I want to create a new policy of my own, I just directly create an IP security policy and it gives me another one. It gives me the wizard that allows me to walk through there. I'm going to cancel out of that. You have to enable one of these in order to have IPsec working. You have to at least assign Client, which is Respond Only. These are very vague, very general policies. If you want to lock things down a little bit further, go in and create your own policy or modify these. A client is just going to respond to anything that asks for IPsec communication. If you ask me for IPsec, I'll respond: I can use IPsec, I know how to do that. Server is going to request security. That means every communication is going to say, hey, how about we use IPsec? It's going to propose the idea. If it doesn't get a response as far as yes or no, it'll just say, okay, well, we're not going to use IPsec, and we'll go ahead and communicate. If it says yes, I'll use IPsec, and they're not compatible, then they'll go ahead and communicate with IPsec. If it says yes, I'll use IPsec, and they're compatible, then they can communicate. Secure Server, which is Require Security, is just that. It requires security. It's going to say, hey, let's use IPsec. If the responder, or the destination, says no, I don't want to use IPsec, or no, I don't understand what IPsec is, or yes, let's use IPsec but I want to use a pre-shared key, then it's going to say, sorry, no, I can't communicate unless we have IPsec; unless we can use IPsec then we're not going to communicate. Secure Server is going to be the least compatible with everybody else because it has to use IPsec in order to communicate. Server is going to try; it's going to make the best effort, but it's not going to require it.
Client, which is Respond Only, is going to say, yeah, if you want to use IPsec I'm happy to, but otherwise I'm happy not to as well. Does that answer your question on IPsec? Does anybody else have any questions? Go ahead. Yes. Yes, Microsoft is using the standard with IPsec. You can use any sort of Kerberos, whether you're working with a Kerberos realm; you can also use certificates or a pre-shared key, and it will work with IPsec on other implementations. It's not a Microsoft-specific or proprietary version of IPsec. Yeah, go ahead. I'm sorry, say that again. I don't know. I'm imagining it's the IUSR or IWAM, but I don't know that specifically. Yeah, go ahead. Those are installed with IIS. Those allow anonymous access, so when you go to the web server with your client, it's basically coming in using one of those accounts, depending on the type of access that you're asking for from the IIS server. Go ahead. Are there any command line tools... for what? For group policy modification, so that you can modify your group policy using the command line. I think there's a tool in the Resource Kit that allows you to go in and create a group policy. You can do a lot of things with Active Directory. You can modify a lot of things in Active Directory using basic LDAP queries and LDAP modification. And there are a number of tools in the Resource Kit, the 2000 Resource Kit, that help you do that. They're trying to get everything to be, as far as I can tell, they're trying to get it to the point where you can use a command line to do a lot of this stuff. So, yeah. Yeah. Any other questions? Yeah, go ahead. One thing I would do: I would go in and create a security template and then apply that to all of your workstations. That's going to save you a little bit of time, because now you can just say, okay, this is the level of security you want, and it's like stamping it on every workstation, and it'll save you some time from having to go in and modify each one.
Without Active Directory, a lot of the capabilities of Windows 2000, a lot of the new great stuff, is because Active Directory allows you to do blah, blah, blah. Hardware compatibility, plug and play: be aware that doing this, 2000 is plug-and-play compatible and NT 4 wasn't, and all the implications of that. As far as best practices, I would treat them mostly like NT workstations with the hardware and application compatibility of 98. Know that 2000 out of the box is more secure and more restrictive than NT was. Applications that worked under NT may not work under 2000. For the most part, if you're on the dice and it's 95 or NT, it's going to be a lot more compatible with applications that were compatible under NT. There are just some applications that wrote to other registry keys that 2000 is not going to allow any more, sub-trees or sub-keys of HKLM and HKCU that 2000 is not going to allow. So just be careful with that. Have you done testing yet with your applications? I'd get a 2000 box and do testing and see how the applications run. You're most likely going to be able to run most of your applications with 2000, not all of them, but just be aware that there are some differences, so it's not going to be as smooth as you'd like it to be, or it may not be. What's that? There are problems with CAD tools with 2000. Do you have any specific CAD tools? AutoCAD? So do you use AutoCAD at all? No? You may want to be aware of that. Yeah, go ahead. With what? Yeah, that's another thing: if you're managing your 2000 Professional clients, you can get the administration tools off the CD and install them on your NT box. If you're running NT on your workstation, you can throw the administration tools on there and still administer the different desktops around your client; you can add them in. You can create an MMC and have Computer Management and Disk Management for all of your client desktops. Yeah, go ahead.
Yeah, he was saying that as an administrator you install an application, the user goes in to use it, and it won't run because you installed it under administrative credentials. Is that what you're asking? And how do you get around that? You can make the user a member of the Administrators group temporarily, log on as them, install the application. A lot of times it's just user account mapping that is the problem. If that doesn't work for you, obviously editing the registry, which is a big pain in the backside. Yeah, go ahead.

The group policy management. Yeah, you can install Active Directory Users and Computers. Basically go to the Windows 2000 Server CD, Server or Advanced Server CD, and there's an admin pack, adminpak.msi, in the i386 directory. Install that and that'll give you all of the tools, all the MMC snap-ins plus a number of other tools that aren't specifically snap-ins. Go ahead. Yeah, you. Yeah. That's a good point. It's easier if you need to edit the registry for a number of users: if you're looking at the GPO, you can actually modify the registry in the GPO and then apply that GPO to a number of users. You can actually go out and download GPOs that will give you compatibility with legacy applications. Thank you. That's a good point. Go ahead.

I don't know. Sorry. I don't see any reason not to. As long as, I mean, just traffic and workload. I mean, if you're running 20 applications and switching between them and you're also using that as your only domain controller, then obviously you can run into issues. But, oh yeah, I mean, other than licensing issues, it's going to cost you more. And you'll have the tools available just by taking Professional, installing it on your machine, taking the tools from the CD and throwing them on there. You can have all the tools. If you really need to work directly on the server, then throw Terminal Services on some of your file and print servers under administrative control mode.
You go in and you have two sessions that can only be used by an administrator. And then just open up a terminal session and you've got the server desktop on your desktop. So it's going to cost you more to have Server on your desktop. But if that's not an issue, then go ahead and try it. But you get all the tools on a Professional machine, or even on an NT machine theoretically. So there's not really a need to, but if you find a need to, I don't see any downside to it other than the cost. Any other questions? Yeah.

Right. For the page file, yeah. Right. You'll also run into problems if you already have, he was saying that he's running into problems: he removed the Everyone Full Control from C: and then it wouldn't give him permission to the page file, and he had to go in and add System. You'll also run into problems if you already have users who've logged into that machine, under Documents and Settings. If you remove the Everyone Full Control, they may not be able to access the system because they are losing access to Documents and Settings, which is where their profile starts, so they can't log on because of that. So when you remove the Everyone Full Control from the C: drive, you need to go in and do a little bit of tweaking: add the System account to a couple of places, and add Authenticated Users to a couple of places to give access that way. Yeah, go ahead.

So what you're saying is that you created the policy, it applied just fine, you modified the policy and the modifications didn't go down. I've heard of that happening before. I've also heard of it not happening, so I'm not sure. Does anybody know what he's running into there? Yeah, I'd be happy to. He was saying that what he's, okay. Okay, anybody else have any questions? No other questions? Anything else you guys want to know about Windows 2000? Any curiosities, questions? I mean, we've got another 20 minutes here. Yeah, go ahead.
He asked, what's my experience with the Encrypting File System? I've used it a little bit, and to be honest with you, it scares me a little bit, because users can just go in and encrypt a file. Theoretically, the domain administrator is the recovery agent, the default recovery agent for the Encrypting File System. I've had 2000 Professional machines where I've gone in and set it up and the local Administrator account was not the recovery agent, but I was still able to, I just had a random user account and I was able to encrypt the files. The local Administrator account was not the default recovery agent. I went and looked for that. I couldn't find that anywhere, so I'm not sure how that was working. I've also heard people talk about using EFS, the user leaves, you delete their account. Yeah, the Administrator account is by default the recovery agent, and the recovery agent can go in and recover it, but it's sort of technically possible but logistically hell to go in and recover files that a user has encrypted, and then you can't recover from that. As far as working, I have yet to find a file that I wasn't able to recover when working with it. I've not heard of anybody talking about how they couldn't recover a file. Eventually it's just more of a logistically doesn't work as well as you'd like it to. Any other questions? Yeah, go ahead.

For locking down a Windows 2000 system, not specifically for locking down a Windows 2000 system, I would recommend, if you're just starting out with 2000 Server, or even if you've been working with it for a while, Mark Minasi wrote a book, Mastering Windows 2000 Server. I think it's in like its fifth edition now. He basically just goes through and goes, okay, listen, this is how it is, this is how it works as far as I understand it. He's been doing this since I believe NT 3.51, even possibly before that. He did a version for NT 4. He's got a newsletter.
You can go to www.minasi.com and find out all sorts of updates on little security holes that people have found, problems people have found with Advanced Server, I'm sorry, not with Advanced Server, but with Active Directory and things like that. And it's sort of plain language, hey, this is how I see it with 2000, and it's from somebody that's been working with this stuff, understands it at a much more molecular level than most, and so therefore has some pretty good insights from what I've seen. He's pointed things out that I haven't found elsewhere. So, I'm sorry, www.minasi.com, M-I-N-A-S-I dot com, and it's by Mark Minasi. You can also, a little hint: if you go to lcis.booksonline.com you can order, he's got a, it's called the Mark Minasi Resource Kit, and it's got Mastering 2000 Advanced Server, Mastering Active Directory, Mastering Professional. You can get that as a kit for 10 bucks, and then you have to order one more book and then you can quit the club. So you get, it's like a $140 set of books, and you get it for 10 bucks, order another book for 20 bucks. What's that? It's l-c-i-s, Library of Computer Information Services or Library of Computer Information Science, dot booksonline.com, and then you can order the, there are a couple of different sets of books that you can get for 10 bucks to join the club. It's sort of like a Columbia House type of thing, where you order the books and then they keep sending you update cards. They screwed you? Okay, so be careful, because they always screw you, because they screwed that guy. They sent me my kit real quick and then they keep sending me the cards. I just keep saying no thank you right now. I eventually have to buy a book and quit the club, because I don't really want these cards coming every month, but I haven't gotten around to that yet. So I haven't actually ordered anything beyond that, but I got the kit and it was pretty good. You've got to yell, though. Any problems with replication? Do bears shit in the woods? Yeah.
With 2002 there's talk of limiting it to, I think, two domain controllers per location or something like that. They lifted that because it was going to cause all sorts of other problems. As far as compared to 2000, the File Replication Service in Windows 2000 is a lot better than replication in NT 4. The domain controllers replicate pretty well, unless you have a slow link between them, or unless you go and try screwing around with the replication topology. There's something called the KCC, the Knowledge Consistency Checker, that goes in and checks the replication, makes sure that every domain controller replicates with every other domain controller within three hops. It's not always perfect, but it's a lot better than if you go in and create a whole bunch of connections yourself, because you create those connections yourself and then things change, and it's not going to challenge that. Go ahead.

Hold on one second, I can't hear you. How do you replace your switch with a hub? He says when he set his up, Microsoft had him replace the switch with a hub. If anything, I think they would have you go the opposite direction. It's Microsoft; I'm sure they knew what they were doing and they had a logical reason for doing it. Any other questions? What's that? It's a 3? Really? Yeah. Yeah, NT is further up, I knew, but I thought I had... Did it? Okay, I must be thinking of something else, because I thought I had 3 and I thought they had 2 more. Maybe I had 1 and they came out with 2 more after that. Go ahead.

To be honest with you, I just got lucky and it worked. Yeah. Now, it took me a while, and you've got to have patience, and actually I didn't have a crossover cable or a terminated cable, and in order to install Active Directory it has to recognize the network as being there.
It doesn't actually have to be able to communicate with anything, but it has to recognize that a network is there, and so what I did is I created a VPN to itself: set it up as a VPN server and a VPN client, had it VPN into itself at 127.0.0.1, then it had a network, and then I was able to install Active Directory just fine. So if you're ever setting that up on a laptop and you want to do that, that's something I figured out like Friday night when I was on the plane, or Thursday night when I was on the plane. Any other questions?

Take you through what? The network address translation? Okay, I was just wondering if you were saying NAT or DAT, so yeah, that's no problem. Let me get out of all of this. It's actually pretty easy to install NAT in 2000. I don't have two network connections, so I'm not going to be able to walk you all the way through it, but let's see how far we can get. We're going to go into Routing and Remote Access. What we're doing is we're installing the network address translation service. Specify the server, and just for fun I'm going to do this the long way. We'll go and configure and enable Routing and Remote Access. Now I could just say set it up as an Internet connection server. I'm going to start to walk through this and then I'm going to back out. Set it up as a NAT server. Here, I'll do it both ways. Set up the router with network address translation. Specify the Internet connection. Actually, here I'll create a new demand-dial Internet connection. "You chose to create a demand-dial Internet connection. To start the Demand-Dial Interface Wizard..." blah blah blah. Let's see if I can create this. I love that everything in Windows 2000 can be done with a wizard, because you don't have to think so much, and that way you can think about other things, like how to surf or where to surf. Just kidding. What's that? Also, if anybody knows how to repair an internal modem, I busted mine. So, dial-out credentials.
This is the best account to use for this. Now I've got a NAT server set up that way. Go into routing, NAT. Here we see our remote router is the Internet and the local area connection is my local. That's the easy way if you're not using anything else. But if you're already using a server, you can't just walk through that wizard as easily. So I'm going to set it up as if we already have it set up as a general router, and then I'll show you how to set up NAT. It's actually really easy; it's just a little bit different. Configure and enable a Routing and Remote Access server. Manually configure the server there. There we go. Finish. It's not going to have anything. Start the service.

By the way, if you have a laptop and you don't like the mouse on there, this thing is really cool. It's a handheld mouse. The roller ball is on top under your thumb, and then your trigger finger is the left click. Then you've got a left click and right click on there. I like it, so I figured I'd tell you guys about it. I don't even know who makes it. I got mine at cyberguys.com, I think. It's like 10 bucks or 20 bucks. It's not even that bad as far as my concerns about the cost of the mouse.

So we go into IP Routing here. Go to General, say New Routing Protocol. Everybody with me so far? Okay, so New Routing Protocol, Network Address Translation. I'll say OK. I then go into NAT. Say New Interface. Specify the local area connection and say okay, this is my private interface for the private network. I would then, this is the part I'm not going to be able to do, I would then go in, say New Interface, and select my external interface that's going out to the Internet. Once I have that, actually let me change this to my public interface. I'm going to translate TCP/UDP headers, and I'm going to specify the address pool from which it can choose. These are the external addresses. Any reservations? You need to have a range before you have a reservation. Okay, so I'll go in. Okay, so this is the range.
On the Class C, for example, 1 through 254. Reservations I can reserve: I'm saying okay, 192.168.76.10 maps to one specific computer on the internal network. I'll say 10.9.8.7, allow incoming access to this address. That means anything that you receive on the NAT server for this specific IP address will be redirected to this specific internal server. So you can redirect an entire address from your address pool, or if you only have one address, or if you have multiple addresses but you only want to redirect one port, you can go in and say Special Ports. I want to redirect, say, TCP port 80 to this port on this server. So your NAT server can handle your incoming SMTP, your POP3, IMAP, your HTTP requests, and redirect those to a specific internal server without exposing its port or, more importantly, its internal IP address to the external network or to the Internet. Any other questions? Go ahead.

It's really easy to set up on your home machine. If you're running 2000 on your home machine, you go into Settings, Network and Dial-up Connections, Make New Connection, and it will just walk you through, and it's a wizard again. So, connect to a private network; this is, again, if you're running 2000. If you're running another operating system, then obviously it wouldn't be the same. Specify how you're going to connect, whether you're dialing up or whether you're going over the Internet. Specify an IP address, specify a host name there. For all users, or only for myself: if it's for all users, then anybody that logs on; if only for myself, then only I can use it when I log on. Enable Internet Connection Sharing: this enables other computers on my home LAN to connect to the network through me. If I don't enable that, then I'm the only one that can use this connection. If you do, it's going to ask you if you want to enable on-demand dialing, and it'll reset your local interface to 192.168.0.1 and then hand out IP addresses; it'll try to hand out IP addresses to everybody else on your network.
You can go in and just disable that, change it back to whatever you had it, but it'll do that by default, and then it'll try to dial. Setting up a VPN server through Routing and Remote Access at work is very straightforward. I haven't done it from home to work yet, because I don't have anything to do at work; I'm a teacher, I'm in the classroom all the time. But I've set it up in classroom environments and in test labs, and it was real simple. Yeah, I believe so. Yeah. The browser service might not work as well that way; in other words, you wouldn't be able to use Network Neighborhood, but if you knew the path then you'd be able to use a UNC path. Any other questions?

Absolutely, I don't. You can, I do have an email address, but it's my, I don't think. You can email me at dontask@rocketmail.com if you have any comments or questions, or, as a matter of fact, if anybody wants a copy of my slide presentation. Again, it was kind of brief, so you may not, but if you do want a copy of it, send me an email, again at dontask at rocketmail, like rocket, like mail, dot com, and I'll be happy to email you this slide presentation, or effectively thereof; if I lose it, I'll recreate it real quick. Go ahead.

The built-in packet filtering, you can just go in and set up.
I'm not sure how robust it is or how reliable it is; I haven't had any opportunity to really put it through its paces. I know when I've set up filtering in the past, in somebody's port scan against me it still shows those ports as available, but they haven't been able to connect over them. I'm sorry, I didn't notice such, but we were just playing around with it; I haven't had a chance to really put it through its paces. So I decided to just go into Advanced TCP/IP Properties, to TCP/IP Filtering, the properties, and specify what you're going to filter. How do you mean? Right now, for mine only? Yeah, you can't block just, like, one port using this. Your best bet, if you just want to block ports, is a firewall. There are a ton of them; you can get a, what's that one that's free? ZoneAlarm. You can get ZoneAlarm for free and it works pretty well. There's a button on there you click and say block everything. It's not the absolute most secure firewall, but it's better than what you've got now if you don't have anything. Any other questions? Okay, let's all flee. Oh yeah, go ahead.

Go through NAT? If you're using IPsec, you have to go to NAT, to the NAT server, and then you can have NAT up to the server and a separate, or IPsec up to the NAT server and a separate IPsec connection from the NAT server on. But IPsec won't go through NAT, because it can't do the translation. Go ahead. Okay, there are probably products out there; it won't go through Microsoft's implementation of NAT, but again, you can go up to the NAT server and then IPsec from there, but that can be kind of a hassle. Any other questions? Okay, let's all flee for the air conditioning of the indoors. Thank you again. If you have any questions or