Windows Server 2003 Security Enhancements
In Chapter 4, I considered what happens when you merge two environments, including how to create secure forest trusts and deploy new Windows Server 2003 (Windows 2003) DNS features to make a merged environment workable. Although I discussed some security concerns, particularly how to keep everyone but those you choose from accessing the resources you need to protect, Windows 2003 brings much more to the table for your protection effort.

In this chapter, I cover some of the new security enhancements that you can use to ensure a more secure environment day to day. I review improvements in securing file shares and in ACL viewing and editing for better control of file permissions. I discuss the InetOrgPerson object and the ease of the new schema-modification functions that can help you take better advantage of Active Directory (AD). I also include a tip or two about how to shore up different parts of your AD to make them a bit more secure.
Securing the Wire
Microsoft has a history of being burned by the vulnerability of its internetworking protocols. The protocol tradeoff is easy to understand: if you make protocols fast, light, and only cursorily secure, they're speedier on the wire, and you can deploy them more quickly and widely. However, unsecured protocols on your network can compromise your company's resources.

With that in mind, Windows 2003 introduces both new restrictions and new options for some familiar scenarios. The changes in Windows 2003 mean that you must better understand available security functions such as Server Message Block (SMB) signing, secure channel signing, Lightweight Directory Access Protocol (LDAP) signing, and password authentication methods.
Shoring Up with SMB Signing
Not all users can drop their deployed desktops and switch to Windows XP Professional or Windows 2000 Professional. Legacy (aka "downlevel") clients are all too familiar to IT staff. In fact, some organizations include clients that have not only different Windows OSs but also different service packs applied, which can make it especially difficult to ensure a baseline of protection across the network.

Wherever it can, Windows 2003 endeavors to make things more secure than its predecessor. One way in which it attempts greater security is in how it handles SMB connections. The SMB protocol comes into play when clients connect to shares. When you performed your first Dcpromo to Windows 2003, you saw the Active Directory Installation Wizard screen that Figure 5.1 shows.
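Before you change anything, it helps to know where each machine currently stands. The following PowerShell script is an added example for this chapter, not code from the original text or from Microsoft. It reads the registry values that the "Microsoft network server: Digitally sign communications" and "Microsoft network client: Digitally sign communications" policy settings map to (under the LanmanServer and LanmanWorkstation service parameters) and reports, for each side, whether SMB signing is required, merely offered, disabled, or not configured. It assumes a PowerShell 2.0 or later session with rights to read HKLM; the interpretation logic and the warning text are my own.

```powershell
# Added example (not from the chapter): audit SMB signing settings on the local host.
# Assumes PowerShell 2.0+ and rights to read HKLM. The two paths are the well-known
# policy locations for the server side (LanmanServer) and client side (LanmanWorkstation).
$SmbSigningPaths = @{
    'Server'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Workstation' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-SmbSigningState {
    param(
        [Parameter(Mandatory = $true)][string]$Side,     # 'Server' or 'Workstation'
        [Parameter(Mandatory = $true)][string]$RegPath
    )
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue

    # An absent value means "not configured"; the OS default then applies.
    $enable  = $props.EnableSecuritySignature
    $require = $props.RequireSecuritySignature

    # Require wins over Enable. "Required" means this side refuses a peer that
    # cannot sign, which is the compatibility concern with downlevel clients.
    if ($require -eq 1) {
        $state = 'Required'
    } elseif ($enable -eq 1) {
        $state = 'Enabled (offered, not enforced)'
    } elseif ($enable -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Not configured (OS default applies)'
    }

    if ($null -eq $enable)  { $enableText  = 'not set' } else { $enableText  = $enable }
    if ($null -eq $require) { $requireText = 'not set' } else { $requireText = $require }

    New-Object PSObject -Property @{
        Side    = $Side
        Enable  = $enableText
        Require = $requireText
        State   = $state
    }
}

$report = foreach ($side in $SmbSigningPaths.Keys) {
    Get-SmbSigningState -Side $side -RegPath $SmbSigningPaths[$side]
}
$report | Format-Table Side, Enable, Require, State -AutoSize

# Flag the risky case for a file server: signing explicitly turned off, so an
# unsigned session could be altered in transit without either end noticing.
$report | Where-Object { $_.Side -eq 'Server' -and $_.State -eq 'Disabled' } |
    ForEach-Object { Write-Warning 'SMB signing is disabled on the server side of this host.' }
```

Run it on a domain controller and on an ordinary member server and compare the two reports. A server side that reads Required will not accept sessions from clients that cannot sign, so before you enforce it you need an inventory of which downlevel clients and service packs are still on the network. A server side that reads Disabled is the case to fix, and the right way to fix it is through the Group Policy settings named above rather than by editing the registry values directly, so that the setting is applied consistently and survives later policy refreshes.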
Brought to you by
Windows & .NET Magazine