Pass4sure Microsoft 70-631 exam practice
Enabling anonymous authentication for earlier applications 70-643 156-215.1 642-444
Anonymous authentication allows users and network clients to be authenticated (but not necessarily authorized to access network resources) without providing any credentials. Unlike earlier Windows operating systems, in Windows Server 2003, anonymous users are not considered to be members of the Everyone group and therefore will not be authorized to use any network resources. However, there are some scenarios in which anonymous access needs to be granted to provide compatibility with systems prior to Windows 2000. Situations in which this access might be necessary include:
Remote Access Server (RAS) servers on Windows NT 4.0 use anonymous access to determine dial-in permissions.
Windows NT 4.0 might use anonymous access to enumerate shares or gather information from domain controllers.
Anonymous access might be used to enumerate shares and users in a one-way cross-forest trust.
Earlier operating systems might use anonymous access to change passwords in Active Directory. This is accomplished through the Pre–Windows 2000–compatible access group.
If you have earlier systems in your Windows Server 2003 domain, you will need to determine which resources need anonymous access. You can then enable anonymous access by performing one of the following tasks:
Add the Anonymous Logon security principal to the ACL that needs access. This is the preferred method for enabling anonymous access to resources because it is the most granular.
Enable the Network Access: Share That Can Be Accessed Anonymously security policy setting. This security policy setting contains a list of shares that can be accessed and is useful for enabling anonymous access to a specific share on multiple computers.
Enable the Network Access: Let Everyone Permissions Apply To Anonymous Users security policy setting. This setting causes unauthenticated users to be considered members of the Everyone group, which might authorize users to access network resources without being authenticated as valid users. This setting should only be enabled when absolutely necessary, because it creates a significant, exploitable vulnerability.
Caution Apply the Anonymous Logon, Network Access: Share That Can Be Accessed Anonymously, Network Access: Let Everyone Permissions Apply To Anonymous Users settings only to the OU or server that needs them. Enabling these settings at the domain level will decrease network security.
Using Multifactor Authentication
As described earlier in this chapter, multifactor authentication significantly increases authentication security. Windows Server 2003 supports multifactor authentication by using smart cards and can support a variety of other authentication mechanisms using non-Microsoft hardware and software.
Smart cards can be required for all users in an organization. However, because of the additional cost, smart cards are often assigned only for specific users. Often network administrators are required to use smart cards because their privileges on the network would provide an attacker significant opportunity. 70-631 MB7-515 642-811 70-643
To require a smart card for interactive logon, launch the Active Directory Users And Computers console. Double-click the user account to view the properties, and click the Account tab. In the Account Options list, select Smart Card Is Required For Interactive Logon.
Requiring smart cards for authentication can cause problems with existing applications. However, if an application includes the Certified for Windows Server 2003 logo, the application has been tested to ensure that it meets Microsoft security standards for Windows Server 2003. From a security perspective, an application that is identified as Certified for Windows Server 2003 meets the following criteria:
Support smart card logons. The application should work correctly with smart card authentication and will allow smart card authentication to a terminal service.
Provide secure credential management. Ensures that users will get appropriate prompting for credentials and storing credentials. Also means that the application can use Kerberos, NTLM, and Secure Sockets Layer (SSL) protocols. A user can also log on using a user principal name (UPN) format.
Can be run in a highly secure configuration. Applications can perform all primary functions in a highly secure configuration. In a highly secure configuration, applications cannot use the unsafe communication protocol NTLM; strong authentication and account policies are set; and group membership is restricted. A highly secure configuration is a system with a clean installation of Windows and with the predefined security template Hisecws.inf applied.
Provide secure network connections. Applications using network connections must not depend on protocols that are known to have vulnerabilities.
Practice: Adjusting Authentication Options
In this practice, you will secure authentication on a Windows 2003 Server by using security policy. You must be logged on to Computer1.cohowinery.com with an account that has administrative credentials to create and modify the default domain controller security policy. 642-061 70-526 MB7-517
Your company has recently updated its security policy. The new security policy specifically forbids using the LM authentication protocol to authenticate users in the cohowinery.com domain. To comply with the updated security policy, you will use the Domain Controller Security Policy console to ensure that LM authentication is not used on any cohowinery.com domain controller.