Apply Your Knowledge
Exercises
4.1 Setting Up and Testing Account Policy
This exercise demonstrates how to set up domain account policy and then to test that it is functioning properly. This exercise requires that you have a domain controller machine and that the procedures outlined be performed on that machine. Initially, a new test user will be created.
Estimated Time: 10 minutes.
From the Start menu, choose Programs, Administrative Tools (Common), User Manager for Domains.
Create a new user with a logon name of PolicyTest and a password of "password". Make sure that the user has to change the password at the next logon.
From the Policies menu, choose Account.
In the Account Policies dialog box, change the minimum password length to 8 and the password uniqueness to remember 2 passwords. Click OK to save this configuration.
Log on as PolicyTest with a password of "password". You will be prompted to change your password.
In the Change Password dialog box, enter the password "hello" and confirm it. Click OK to continue. You will get a message telling you that your password must be at least 8 characters long and must not be the same as your two previous passwords. (Your password failed because it had only 5 characters.) Click OK to clear the dialog box.
In the Change Password dialog box, enter the password "password" and confirm it. Click OK to continue. You will again get a message telling you that your password must be at least 8 characters long and must not be the same as your two previous passwords. (Your password failed because it repeated a password that was in the password history.) Click OK to clear the dialog box.
In the Change Password dialog box, enter the password "aardvark" and confirm it. Click OK to continue. This password will pass validation and you will be able to return to the desktop.
At the desktop, press Ctrl+Alt+Del to bring up the Security dialog box. Then click Change Password.
In the Change Password dialog box, type the old password ("aardvark") and then type the new password as "password" and confirm it. You will be told that your new password is invalid. Click OK to clear the dialog box.
In the Change Password dialog box, type the new password as "llamasrule" and confirm it. Click OK to continue. You will get a message that your password has changed. Click OK to clear the dialog box and return to the Security dialog box.
In the Security dialog box, click Change Password and try to change your password back to "password". In this case, you will be successful because the password history contains only "aardvark" and "llamasrule," and not "password". Clear the dialog boxes and return to the desktop.
Log on as someone with administrative privileges and open the Account Policies dialog box again.
In the Account Policies dialog box, change the Minimum Password Age to 10 days and close the dialog box.
Log on as PolicyTest (with a password of "password").
At the desktop, press Ctrl+Alt+Del to bring up the Security dialog box. Then click Change Password.
In the Change Password dialog box, change the password from "password" to "aardvark". When you try to accept this change, you will be told that you cannot change the password at this time. This is because the minimum password duration has been set to 10 days. Note that an administrator could change the password from User Manager for Domains in the case that you forget the current password.
Return to the desktop and log on as Administrator.
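The three settings exercised above (minimum length, password uniqueness, minimum age) interact, and the following added example, which is not part of the original exercise, models them in Python and replays the exercise's password sequence. The class and function names are hypothetical, the SHA-256 digest is only a stand-in for a stored password hash, and the model assumes that a forced change at next logon is not held back by the minimum age.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


class PolicyError(Exception):
    """Raised with a short reason code when a password change is refused."""


@dataclass
class AccountPolicy:
    min_length: int = 0      # Minimum Password Length
    history_size: int = 0    # Password Uniqueness: number of passwords remembered
    min_age_days: int = 0    # Minimum Password Age


def _digest(password):
    # Stand-in for the stored password hash; a history holds hashes, not plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class Account:
    def __init__(self, name, password, created, must_change=False):
        self.name = name
        self.history = [_digest(password)]   # oldest first, current password last
        self.last_set = created
        self.must_change = must_change       # "must change password at next logon"


def change_password(acct, policy, new_password, now):
    """Apply the three account-policy checks, then record the new password."""
    # Modelling assumption: a forced change is not blocked by the minimum age.
    too_soon = now - acct.last_set < timedelta(days=policy.min_age_days)
    if too_soon and not acct.must_change:
        raise PolicyError("too soon")
    if len(new_password) < policy.min_length:
        raise PolicyError("too short")
    remembered = acct.history[-policy.history_size:] if policy.history_size else []
    if _digest(new_password) in remembered:
        raise PolicyError("in history")
    acct.history.append(_digest(new_password))
    acct.last_set = now
    acct.must_change = False


def replay_exercise():
    """Replay the password attempts of Exercise 4.1 and return each outcome."""
    t = datetime(2000, 1, 1, 9, 0)           # constructed timestamp
    acct = Account("PolicyTest", "password", t, must_change=True)
    policy = AccountPolicy(min_length=8, history_size=2)
    results = []

    def attempt(pw, when):
        try:
            change_password(acct, policy, pw, when)
            results.append((pw, "accepted"))
        except PolicyError as err:
            results.append((pw, str(err)))

    for pw in ("hello", "password", "aardvark", "password", "llamasrule", "password"):
        attempt(pw, t)
    policy.min_age_days = 10                 # administrator tightens the policy
    attempt("aardvark", t + timedelta(hours=1))
    return results


def earliest_reuse_day(policy, start=datetime(2000, 1, 1)):
    """Day on which a user cycling throwaway passwords gets a favourite back."""
    favourite = "favourite-pw"               # constructed sample value
    acct = Account("user", favourite, start)
    now = start
    for i in range(1, 100):
        # Wait only as long as the minimum age forces the user to wait.
        now = max(now, acct.last_set + timedelta(days=policy.min_age_days))
        try:
            change_password(acct, policy, favourite, now)
            return (now - start).days
        except PolicyError:
            change_password(acct, policy, f"throwaway-{i:04d}", now)
    raise RuntimeError("favourite password never became reusable")


if __name__ == "__main__":
    for pw, outcome in replay_exercise():
        print(f"{pw:12} {outcome}")
    print(earliest_reuse_day(AccountPolicy(history_size=12)))
    print(earliest_reuse_day(AccountPolicy(history_size=12, min_age_days=28)))
```

With a history of 12 and no minimum age, the favourite password is back on the same day; adding a 28-day minimum age pushes the earliest reuse in this model to day 364.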
4.2 Using System Policy to Control a User's Desktop Environment
This exercise walks you through the process of creating a system policy that will "lock down" the user's desktop. In addition, you also change computer settings to clear the name of the last person to log on and you create a logon banner.
Estimated Time: 10 minutes.
From the Start menu, choose Programs, Administrative Tools (Common), System Policy Editor.
In the System Policy Editor, select the File menu and choose New Policy.
In the new policy, double-click the Default Computer icon to enable you to make changes that will apply to every computer affected by this policy (all in the domain).
In the Default Computer Properties dialog box, expand the tree under Windows NT System, Logon.
Click in the gray box next to Logon Banner, and at the bottom make the following changes: Change caption to read "Stay away if you are bad," and change the text to "Unauthorized use of this machine will result in severe electric shock!".
Click in the gray box next to Do Not Display Last Logged On User Name.
Verify that there is now a check mark next to Logon Banner and Do Not Display Last Logged On User Name. Then click OK to exit this dialog box.
In the System Policy Editor dialog box, select the Edit menu and choose Add User.
In the Add User dialog box, type the name PolicyTest and click OK to confirm.
Double-click the icon labeled PolicyTest to enable you to make changes that affect only that user.
In the PolicyTest Properties dialog box, expand the tree Shell, Restrictions and click next to remove Run Command from Start Menu and Hide Network Neighborhood. Verify that check marks appear beside each of these entries and then collapse the Shell tree.
Expand the System, Restrictions tree and click beside Disable Registry Editing Tools. Verify that a check mark appears and then click OK to confirm the changes.
In the System Policy Editor dialog box, select the File menu and choose Save.
In the Save As dialog box, navigate to the path WINNT\Repl\Import\Scripts and save the file as NTCONFIG.POL.
Close the System Policy Editor and return to the desktop.
Log on as PolicyTest.
At the desktop, check that Network Neighborhood is missing and that the Start menu does not have a Run command.
From the Start menu, choose Programs, Command Prompt.
At the command prompt, attempt to invoke the Registry Editor by typing regedit and pressing Enter. You will be told that Registry editing tools have been disabled.
Log on as Administrator. When you do, notice that the logon banner now comes up and the username is no longer automatically filled in. Complete the logon as usual.
At the desktop, notice that the restrictions applied to PolicyTest do not apply here.
4.3 Configuring Auditing and Viewing Security Logs
This exercise walks you through the process of setting audit policy, configuring auditing on file and system resources, and viewing audit records in the security log. This exercise assumes that you have created the PolicyTest user in Exercise 4.1 and that C: is formatted NTFS.
Estimated Time: 10 minutes.
Start User Manager for Domains.
From the Policies menu, choose Audit.
In the Audit Policy dialog box, modify the settings so that they appear as in Figure 4.30. Click OK to continue.
Figure 4.30. Modify the audit policy to look like this.
Open My Computer and create the folder C:\AuditTest.
In the AuditTest folder, create a file called DELETEME.TXT.
Right-click DELETEME.TXT and, from the menu that appears, choose Properties.
From the Properties dialog box, choose the Security tab.
On the Security Property sheet, clear the check box at the bottom that reads Allow Inheritable Permissions from Parent to Propagate to This Object. When the Security dialog box appears, click Remove.
Click the Add button and add the Administrators group to the ACL. Modify the permissions for this group to allow Full Control. The ACL should look like Figure 4.31. Do not close this dialog box yet.
Figure 4.31. Modify the ACL so that it looks like this.
From the Properties dialog box, click the Advanced button and click the Auditing tab. At the bottom of the Auditing Property sheet, clear the check box that reads Allow Inheritable Auditing Entries to Propagate to This Object. (When the confirmation dialog box appears, click Remove.)
On the Auditing property sheet, click the Add button. When the Add User or Group dialog box appears, double-click Everyone and click OK. When the Audit Entry dialog box appears, choose to audit failed Delete attempts, as shown in Figure 4.32. Click OK until you return to the desktop.
Figure 4.32. Watch for failed attempts to delete.
Log on as PolicyTest.
Navigate to the AuditTest folder, locate the DELETEME.TXT file, and attempt to delete it. You will get an error message telling you that you cannot delete the file because access is denied.
Log on as Administrator.
From the Start menu, choose Programs, Administrative Tools (Common), Event Viewer.
In the Event Viewer, select the Log menu and choose Security to view the security log.
Locate the first audit failure (it has a lock beside it) and double-click the entry to open it. Note that the event detail indicates that the user PolicyTest tried to delete DELETEME.TXT and that operation failed (see Figure 4.33). Click Close to close the Event Detail. Close the Event Viewer.
Figure 4.33. This event record indicates that PolicyTest tried to delete DELETEME.TXT but was unsuccessful.
Log on as Administrator.
4.4 Using the Security Configuration Editor to Perform a Security Audit and Configure a System
This exercise walks you through the process of creating a security configuration template and database, auditing your domain controller, and making configuration changes. This exercise assumes that you have downloaded and installed the SCE and that you have created a security console as per the step by steps outlined in the chapter.
Estimated Time: 10 minutes.
Start your security management console. (For information on how to set this up, consult Step by Step 4.11.)
Create a customized security template by doing the following:
Expand the tree Console Root, Security Configuration Manager, Configurations, C:\WINNT\Security\Templates.
Right-click the template called basicdc4 and, from the menu that appears, choose Save As.
In the Save As dialog box, type EnhancedDC4 and press Save.
Expand EnhancedDC4, Account Policies, and click Password Policies. (This will bring up a set of properties in the right pane.)
Locate the Attribute Passwords Must Meet Complexity Requirements option (in the right pane) and double-click it.
In the Passwords Must Meet Complexity Requirements dialog box, select Enabled and click OK.
Right-click EnhancedDC4, and choose Save in the menu that appears.
Right-click Database and choose Import Configuration from the menu that appears.
In the Select Configuration to Import dialog box, double-click EnhancedDC4.
Analyze the Current DC to see whether it conforms to the EnhancedDC4 template by doing the following:
Right-click Database and choose Analyze System Now from the menu that appears.
In the Perform Analysis dialog box, click OK to accept the default log file path.
Expand the tree Database, Account Policy and click Password Policy. Note that at least Passwords Must Meet Complexity Requirements has an "X" next to it. (Other attributes might as well.)
Modify the configuration database to ensure that appropriate settings are being made by doing the following:
Expand Database, Local Policies, Security Options.
Double-click Message Text for Users Attempting to Log On and, in the dialog box that opens, select the check box that reads Exclude from Future Configurations and Analysis. (This will prevent the configuration database from changing your current settings.)
Repeat step B for Message Title for Users Attempting to Log On.
Right-click Database and choose Save from the menu that appears.
Configure your DC using the configuration database.
Right-click Database and, from the menu that appears, choose Configure System Now.
In the Configure System dialog box, click OK to accept the default log file path.
When the configuration is complete, close the SCM console.
Test the new Password restrictions by completing the following:
At the desktop, press Ctrl+Alt+Del to bring up the security dialog box.
In the Windows NT Security dialog box, click Change Password.
In the Change Password dialog box, type in the current password ("password") and then change it to "aardvark". Although this password conforms to the account policy, it does not meet with the password complexity requirements, and so it is rejected.
In the Change Password dialog box, type in the new password as "A1administrator". This password also is rejected because it contains the name of the current user.
In the Change Password dialog box, type in the new password as "A1". This password will be accepted.
In the Windows NT Security dialog box, click Cancel to exit to the desktop.
4.5 Establishing Trust Relationships
This exercise walks you through the process of creating a one-way trust between two domains and then logging on using the account of one from a computer in the other. This exercise requires that you have two domains and a computer for each running simultaneously. In this exercise, the first (trusted) domain will be referred to as DOMZ and the second (trusting) will be referred to as DOMY. Change them to your domain names as you work through the exercise.
Estimated Time: 10 minutes.
Configure the trusted domain (DOMZ) as follows:
From an administrative workstation in DOMZ, open the User Manager for Domains.
In the User Manager for Domains, open the menu Policies, Trust Relationships.
In the Trust Relationships dialog box, click Add next to the Trusting Domains field.
In the Add Trusting Domain dialog box, type DOMY in the Trusting Domain field, and click OK.
In the Trust Relationships dialog box, click Close.
Configure the trusting domain (DOMY) as follows:
From an administrative workstation in DOMY, open the User Manager for Domains.
In the User Manager for Domains, open the menu Policies, Trust Relationships.
In the Trust Relationships dialog box, click Add next to the Trusted Domains field.
In the Add Trusted Domain dialog box, type DOMZ in the Trusted Domain field and click OK.
When the User Manager for Domains dialog box appears with the message indicating that the trust has been established, click OK to clear the box.
In the Trust Relationships dialog box, click Close.
Test the Trust relationship as follows:
From an administrative workstation in DOMY, log off.
In the Logon Information dialog box, click the down arrow to the right of the Domain field and choose DOMZ.
Log on as the administrator of DOMZ. The domain controller for DOMZ will be contacted to authenticate the logon (using passthrough authentication).
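The direction and non-transitivity of these trusts can be checked mechanically. The following added example, which is not part of the original exercise, models a trust as a (trusting, trusted) pair and compares where a domain's accounts are actually usable with where they would be usable if trusts were transitive; all function names are hypothetical.

```python
from collections import deque


def usable_in(account_domain, trusts, domains):
    """Domains where accounts from account_domain can be used.

    trusts is a set of (trusting, trusted) pairs. Only direct trusts count:
    accounts are usable at home and in every domain that trusts their home.
    """
    return {d for d in domains
            if d == account_domain or (d, account_domain) in trusts}


def reach_if_transitive(account_domain, trusts, domains):
    """What usable_in would return if trusts were transitive (they are not)."""
    seen = {account_domain}
    queue = deque([account_domain])
    while queue:
        trusted = queue.popleft()
        for trusting, target in trusts:
            if target == trusted and trusting not in seen:
                seen.add(trusting)
                queue.append(trusting)
    return seen & set(domains)


def best_account_domain(trusts, domains):
    """Domain whose accounts are usable in the most domains (ties: by name)."""
    return max(sorted(domains), key=lambda d: len(usable_in(d, trusts, domains)))


def trusts_required(model, n):
    """One-way trusts needed for n domains under a given domain model."""
    if model == "complete":
        return n * (n - 1)       # every domain trusts every other domain
    if model == "single_master":
        return n - 1             # each resource domain trusts the master
    raise ValueError(f"unknown model: {model}")


if __name__ == "__main__":
    # Exercise 4.5: DOMY (trusting) trusts DOMZ (trusted).
    exercise = {("DOMY", "DOMZ")}
    print(usable_in("DOMZ", exercise, ["DOMY", "DOMZ"]))
    # A chain of two trusts: DOMA trusts DOMB, DOMB trusts DOMC.
    chain = {("DOMA", "DOMB"), ("DOMB", "DOMC")}
    names = ["DOMA", "DOMB", "DOMC"]
    print(usable_in("DOMC", chain, names), reach_if_transitive("DOMC", chain, names))
    print(trusts_required("complete", 4), trusts_required("single_master", 4))
```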
Review Questions
Which two modes can the policy editor be operated in, and what are the functions of each mode?
What is the purpose of the minimum password age in the account policy?
What are the names for the policy files for Windows NT machines and non-NT machines respectively? Where do these files need to be stored to be applied properly?
How do the GUI and command-line installations of the Security Configuration Editor differ from each other?
What two steps need to be done to audit access to a specific file on a Windows NTFS partition?
What utility do you use to examine entries for auditing?
When configuring a trust relationship, which domain is trusted, the resource domain or the user domain?
What domain models were identified in this chapter? Which is most desirable administratively?
Exam Questions
You are the administrator of a Windows NT domain. You suspect that a user named John is attempting to gain access to folders that contain sensitive information. Which feature can you enable in Windows NT Server to create a log of attempted accesses?
A. You can use the System Option in Control Panel to enable the auditing feature of Windows NT.
B. You can use the Windows NT Accounting System.
C. You can use Directory Logging.
D. You can create an audit policy in User Manager for Domains and then enable auditing on the folder in question.
You are the administrator in a domain with trusts configured as per Figure 4.34.
A. DOMA
B. DOMB
C. DOMC
D. You cannot create accounts in this environment.
You are the administrator in the XYZ domain. You have installed the command-line version of the SCM on a Windows NT 4.0 Server. You want to audit this machine using a security configuration database called XYZDC. Which of the following would perform that task?
A. secedit /analyze /db XYZDC.sdb
B. secedit /audit /db XYZDC.sdb
C. secedit /analyze XYZDC.sdb
D. secedit /audit XYZDC.sdb
You are the administrator in an environment with both Windows 9x and Windows NT Workstation computers in it. You have just upgraded the operating system on Alexander's computer from Windows 95 to Windows NT Workstation. However, the policy settings no longer seem to function, because the settings are now different than they were before the upgrade. How can you remedy this situation?
A. Configure Alexander's account in User Manager for Domains to use a different policy.
B. Modify NTCONFIG.POL so that its settings conform to CONFIG.POL.
C. Modify CONFIG.POL so that its settings conform to NTCONFIG.POL.
D. Move the NTCONFIG.POL file from the Import folder to the Export folder.
You are the network administrator of the BanksRUs domain. You have implemented an account policy that permanently locks a user account after three failed attempts. You are concerned about computer vandals purposely failing logon on the Administrator account to lock you out. How can you configure your system to avoid this problem?
A. Ensure that the check box "Does Not Apply to Administrator Account" is selected in the Account Policy dialog box.
B. Ensure that the check box "Lockouts Do Not Apply Locally to Administrator Account" is selected in the Account Policy dialog box.
C. Ensure that the Registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lockout\ExemptAdministrator is set to 1.
D. There is no need to configure for this.
You are the new administrator of a multidomain structure. This structure consists of four domains configured with a complete trust model. Which of the following is true about your Windows NT domain environment? Choose 2.
A. A complete trust model provides maximum flexibility for the placement of users and resources.
B. A complete trust model provides you with an efficient structure that is easy to maintain.
C. A complete trust model ensures that all users can log on from all locations.
D. A complete trust model is preferred over a single master trust model because it is less complex.
You are the administrator in a multidomain Windows NT 4.0 environment. You currently have a single master trust relationship with DOMZ being the trusted domain and DOMX and DOMY being the trusting domains. You have just changed the name of DOMY to DOMA and now your trust relationships are no longer working. Given the Trust Management dialog box shown in Figure 4.35, what are the first two steps you must take here to reestablish the trust?
A. Remove DOMY from the trusting list and add DOMA to the trusting list.
B. Remove DOMY from the trusting list and add DOMA to the trusted list.
C. Remove DOMX from the trusting list and remove DOMY from the trusting list.
D. Remove DOMX and Y from the trusting list and add DOMA to the trusting list.
You are a help desk support person in a large organization. You get a call from Susan and determine that, to fix her Windows NT Professional machine, you must make a Registry change. What is the best way for you to do this?
A. Have Susan use Regedt32 to modify the Registry setting herself.
B. Use System Policy Editor in Policy mode to create a policy for her machine. Copy this file to Susan's machine and have her save this change as NTCONFIG.POL and then restart the machine.
C. Use the System Policy Editor in Registry mode to connect to her machine and make the Registry change remotely.
D. Use the System Policy Editor in Policy mode to create a policy for her machine. Save this file on the PDC as NTCONFIG.POL and have Susan restart her computer.
You are the administrator of a Windows NT network in a large manufacturing plant. You are finding that, lately, many users are staying past their shift to surf the Internet and check email (a practice that is beginning to cause resource shortages). You have configured valid logon times for your users, but they do not seem to force users to log off at their defined times. What must you do to fix this problem and make users log off when their valid logon time has expired?
A. Select the "Forcibly Disconnect Remote Users from Server When Logon Hours Expire" in the Account Policy.
B. Select the "Forcibly Disconnect Remote Users from Server When Logon Hours Expire" in the system policy.
C. Select the "Forcibly Disconnect Remote Users from the Server When Logon Hours Expire" in the account properties.
D. Select the "Forcibly Disconnect Remote Users from Server When Logon Hours Expire" in the audit policy.
You are creating a security model for your domain controllers using the SCM. You want to copy the template that most closely resembles your needs before you modify it. In your environment, although you want good security, when forced to choose, you want to err on the side of application functionality. Which of the following templates most closely resembles your configuration needs?
A. basicdc.inf
B. compdc.inf
C. securdc4.inf
D. hisecdc4.inf
You are creating a system policy for the Crackers domain. Barney is a member of the Managers group and the Accountants group. In the system policy file, there are entries for Barney, Managers, and Accountants in addition to the default entry. Table 4.8 shows Barney's current configuration as well as the policy settings for Barney, Managers, Accountants, and Default.
A. Wallpaper: A.bmp; Hide Drives: No; Remove Run: No
B. Wallpaper: C.bmp; Hide Drives: No; Remove Run: No
C. Wallpaper: B.bmp; Hide Drives: No; Remove Run: Yes
D. Wallpaper: C.bmp; Hide Drives: Yes; Remove Run: Yes
You are the person responsible for file security in your IT department. To track access to sensitive information, you decided to turn on auditing for files and folders. Having turned on auditing for File and Object Access, you have been monitoring the security log but you do not see any audit activity, even after one of the files was deleted from the server. Which of the following must be done to complete your configuration of file auditing? Choose two.
A. You must log on as Administrator.
B. You must enable auditing in the system policy.
C. You must convert the host file system from FAT to NTFS.
D. You must enable auditing on the file objects that you want to monitor.
To provide consistent configuration of all the servers in your domain, you have created a security configuration template called MYDC.INF. Which syntax do you use if you want to use the command-line SCE to configure a server with this database?
A. secedit /configure /cfg MYDC.INF
B. secedit /configure /db MYDC.INF
C. secedit /configure /tmplt MYDC.INF
D. secedit /configure /load MYDC.INF
Mark is the administrator for a small board games manufacturer. Many of his 20 users are new to computers and have a difficult time understanding the need for security. Mark wants to set up an account policy to ensure that the users must change their passwords once a month and that they cannot reuse a password more than once a year. Which of the following will enable him to do that?
A. Set the password history to 12 and set the maximum password age to 30.
B. Set the password history to 12 and set the minimum password age to 30.
C. Set the maximum password age to 30 and the minimum password age to 28.
D. Set the password history to 12, the minimum password age to 28, and the maximum password age to 30.
You are the administrator of a Windows NT environment consisting of three domains: DOMA, DOMB, and DOMC. These domains are configured with trust relationships: DOMA trusts DOMB, and DOMB trusts DOMC. Which of the following describes the relationship between DOMA and DOMC?
A. DOMA trusts DOMC.
B. DOMC trusts DOMA.
C. DOMA trusts DOMC, and DOMC trusts DOMA.
D. DOMA and DOMC do not have a relationship.
Figure 4.34. This represents your domain model.
Into which domain should you add new user accounts to ensure the most flexibility in logon and resource access?
Figure 4.35. This is the content you currently see.
Table 4.8. Registry Settings for Barney and the Policy file.
| Barney Current | Barney Policy | Managers Policy | Accountants Policy | Default Policy |
|---|---|---|---|---|
| Wallpaper: A.bmp | Wallpaper: B.bmp | Wallpaper: Ignore | Wallpaper: C.bmp | Wallpaper: Ignore |
| Hide Drives: No | Hide Drives: Ignore | Hide Drives: Ignore | Hide Drives: Ignore | Hide Drives: Yes |
| Remove Run: No | Remove Run: Yes | Remove Run: Yes | Remove Run: Yes | Remove Run: No |
Answers to Review Questions
The System Policy Editor can be operated in Policy mode and Registry mode. Policy mode is used when you want to create a policy file (for Windows NT it is NTCONFIG.POL). Registry mode is used when you want to edit Registry settings on the local machine or a remote machine. See the section "The Policy Editor."
Minimum password age ensures that a password is kept for at least a minimum amount of time before it can be changed. This setting enables you to prevent users from changing their password back to a password they like (and always use) as soon as they have changed to a new one. See the section "Minimum Password Age."
Policy files are either NTCONFIG.POL (for Windows NT machines) or CONFIG.POL (for non-NT machines). It is important that if you have Windows 9x or ME machines, you set up a CONFIG.POL file because the NTCONFIG.POL file will not work for them. For these files to correctly be accessed by client machines, they need to be placed in the \<winnt_root>\System32\Repl\Import\Scripts folder of the domain controller's boot partition. (This folder is shared as Netlogon$ on the DC.) See the section "Policy File Mode."
The GUI and command-line installations of the SCM differ from each other in a number of ways. First (and most obviously) the GUI version is graphics-based whereas the command-line version is text-based. Second, the GUI version enables you to edit templates and databases, whereas the command-line version enables you only to create templates from databases but does not include a facility to edit either. See the section "Using the GUI Security Configuration Manager."
To set up file (object) auditing on an NTFS partition, you must first configure object auditing in the audit policy and then you must set up auditing on the specific file (or files) that you want to audit. This file-level configuration consists of a list of accounts (user or group) that you want to watch and the events that you are interested in tracking. See the section "Enabling Auditing of Files and Folders."
Audit entries are examined by looking at the security log using the Event Viewer. See the section "Monitoring the Security Log for Audit Entries."
In a trust relationship, the trusted domain is the domain with the users, and the trusting domain is the domain with the resources. In domains that are not pure (resources and users in a single domain), a specific domain may be both trusted and trusting but each trust relationship must involve one or the other roles. See the section "Maintaining Trust Relationships."
There were five domain models identified in this chapter: single domain, single master domain, multiple master domain, and complete trust domain. In terms of desirability, the model that is most desired is the one with the fewest trusts: the single-domain model. As the number of trusts increases, administrative overhead also increases, thus making the model less desirable. See the section "The Domain Models."
Answers to Exam Questions
D. Using the domain audit policy, you can configure observation of object access. Then, by specifically setting up the folder(s) in question to be audited, you can track John's (or anyone else's) access to the folder. See the section "Audit Policy and Auditing Object Access."
A. This diagram represents a single master model with multiple resource domains. Both DOMB and DOMC trust DOMA, which means that DOMA is the user domain. Therefore, you should add new users to DOMA to ensure that no additional trusts are needed. See the section "Maintaining Trust Relationships."
A. In this example, the first important switch is /analyze (not /audit) which indicates that the security of a Windows NT machine should be evaluated against a configuration database. The second switch /db indicates the name of the security configuration database. (In the absence of this switch, the default dataset is used.) See the section "Using the Command-Line Security Configuration Editor."
B. This problem arose because Alexander's computer is no longer using the CONFIG.POL file, because it is no longer a Windows 9x machine. To ensure that his settings remain the same, you need to modify NTCONFIG.POL to be the same as CONFIG.POL. See the section "System Policies and the Policy Editor."
D. There is no need to change configurations to prevent the Administrator account from being locked out because it is exempt from the lockout policy. See the section "Account Policies."
A, C. Although complete trusts are difficult to maintain (and therefore are undesirable), they do provide for maximum flexibility in placing users and resources in domains (anything can go anywhere). In addition, they also provide for any user logging on from anywhere. See the section "Maintaining Trust Relationships."
A. Once a trust is broken, it must be removed to reestablish it. As a result, you must first remove the entry for DOMY from the trusting list and then add DOMA to the trusting list. This would be followed by opening the Trust Properties in DOMA and removing DOMZ and then adding DOMZ again. See the section "Maintaining Trust Relationships."
C. The safest way for the Registry to be configured is for you to open Susan's Registry remotely from the System Policy Editor. It is not safe at all to teach Susan to edit the Registry herself, and creating policies for the purpose of changing the Registry settings for a single user is more work than is reasonable. See the section "System Policies and the Policy Editor."
A. In the account policy, there is a check box labeled "Forcibly Disconnect Remote Users from Server When Logon Hours Expire." This check box ensures that users are kicked off of the server when their log off time arrives. See the section "Account Policies."
B. The template designed with security in mind but which defers to program execution when forced to choose is COMPDC.INF. See the section "The Security Configuration Manager."
A. When policies are applied to users, the specific configuration for an individual user is first applied. If there is no explicit configuration for a specific user, the groups are applied in order (including default). If there is an explicit configuration for a user, the groups (including default) are ignored. See the section "System Policies and the Policy Editor."
C, D. To audit access to files or folders, the host partition must be formatted NTFS, you must enable auditing in the audit policy (a step not mentioned in the question), and you must enable auditing on the specific resource you want to audit. See the section "Enabling Auditing of Files and Folders."
A. To configure a server using command-line SCM, use the switch /configure. To use a template (which gets loaded into a database before configuration happens), you must provide the name of the template using the /cfg switch. You would use the /db switch if you were providing a security configuration database rather than a template. See the section "Using the Command-Line Security Configuration Editor."
D. To prevent a user from quickly changing between a couple of favorite passwords, you must configure both minimum and maximum ages. In addition, by specifying a password history of 12 you can ensure that the same password cannot be reused for 1 year. See the section "Account Policies."
D. Because trusts in Windows NT are not transitive, there is no implicit relationship between domains just because they trust or are trusted by a third domain. As a result, there is no relationship between DOMA and DOMC. See the section "Maintaining Trust Relationships."
Suggested Readings and Resources
The following are some recommended readings in the area of analyzing, configuring, and monitoring basic security:
MS Windows NT Server 4.0 Concepts and Planning Manual (Microsoft Press; also available on Microsoft TechNet CD/DVD)
  Chapter 1 Managing Windows NT Server Domains
  Chapter 3 Managing User Work Environments
MS Windows NT Server 4.0 Networking Guide (Microsoft Press; also available in the Windows NT Server Resource Kit)
  Chapter 2 Network Security and Domain Planning