BETA COURSEWARE EXPIRES 4/18/2011 Lab B: M
Exercise 3: Use Security Configuration and Analysis
In this exercise, you will analyze the configuration of NYC-DC1 by using the DC Remote Desktop security template to identify discrepancies between the server’s current configuration and the desired configuration defined in the template. You will then create a new security template.
The main tasks for this exercise are as follows:
1. Add the Security Configuration and Analysis snap-in to a custom console.
2. Create a security database and import a security template.
3. Analyze the configuration of a computer by using the security database.
4. Configure security settings by using a security database.
Task 1: Add the Security Configuration and Analysis snap-in to a custom console.
• Add the Security Configuration and Analysis snap-in to a custom console and save the change to the console.
Task 2: Create a security database and import a security template.
• Create a new security database called NYC-DC1Test.
• Import the DC Remote Desktop security template.
Task 3: Analyze the configuration of a computer by using the security database.
1. In the console tree, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
2. Click OK to confirm the default path for the error log.
The snap-in performs the analysis.
3. In the console tree, expand Security Configuration and Analysis and Local Policies, and then click User Rights Assignment.
Notice that the Allow log on through Remote Desktop Services policy is flagged with a red circle and an X. This indicates a discrepancy between the database setting and the computer setting.
Managing Enterprise Security and Configuration with Group Policy Settings 7-55
4. Double-click Allow log on through Remote Desktop Services.
Notice the discrepancies. The computer is not configured to allow the SYS_DC Remote Desktop Users group to log on through Remote Desktop Services.
Notice also that the Computer setting currently allows Administrators to log on through Remote Desktop Services. This is an important setting that should be incorporated into the database.
5. Confirm that the Define this policy in the database check box is selected.
6. Select the Administrators check box, under Database Setting.
This will add the right for Administrators to log on through Remote Desktop Services to the database. It does not change the template, and it does not affect the current configuration of the computer.
7. Click OK.
8. In the console tree, select Restricted Groups.
9. In the details pane, double-click CONTOSO\SYS_DC Remote Desktop.
10. Click the Member Of tab.
Notice that the database specifies that the SYS_DC Remote Desktop group should be a member of Remote Desktop Users, but the computer is not currently in compliance with that setting.
11. Confirm that the Define this group in the database check box is selected.
12. Click OK.
13. Right-click Security Configuration and Analysis, and then click Save.
This saves the security database, which includes the settings imported from the template plus the change you made to allow Administrators to log on through Terminal Services.
The hint displayed on the status bar when you hover over the Save command suggests that you are saving the template. That is incorrect. You are saving the database.
7-56 Configuring and Troubleshooting Windows Server® 2008 Active Directory® Domain Services
14. Right-click Security Configuration and Analysis, and then click Export Template.
The Export Template To dialog box appears.
15. Select DC Remote Desktop, and then click Save.
You have now replaced the template created in Exercise 2 with the settings defined in the database of the Security Configuration and Analysis snap-in.
Task 4: Configure security settings by using a security database.
1. Close your Security Management console. If you are prompted to save your settings, click Yes.
Closing and reopening the console is necessary to fully refresh the settings shown in the Security Templates snap-in.
2. Run C:\Security Management.msc with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
3. In the console tree, expand Security Templates, C:\Users\Pat.Coleman_Admin\Documents\Security\Templates, DC Remote Desktop, Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click Allow log on through Remote Desktop Services.
Notice that both the Administrators and SYS_DC Remote Desktop groups are allowed to log on through Remote Desktop Services in the security template.
5. Click OK.
6. Right-click Security Configuration and Analysis, and then click Configure Computer Now.
7. Click OK to confirm the error log path. The settings in the database are applied to the server. You will now confirm that the change to the user right was applied.
8. Run Local Security Policy with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
9. In the console tree, expand Local Policies, and then click User Rights Assignment.
10. Double-click Allow Log On Through Remote Desktop Services.
The Allow log on through Remote Desktop Services Properties dialog box opens.
11. Confirm that both Administrators and SYS_DC Remote Desktop are listed.
The Local Security Policy console displays the actual, current settings of the server.
12. Close the Local Security Policy console.
13. Close your custom Security Management console.
Results: In this exercise, you created and applied a security template that gives the SYS_DC Remote Desktop group the right to log on through Terminal Services and adds the group as a member of the Remote Desktop Users group.
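The command-line counterpart of Tasks 2 through 4, using secedit.exe from an elevated PowerShell prompt. This is an added example, not part of the courseware. The working folder C:\SecAnalysis, the .sdb location, the .inf extension on the template path, and the two helper function names are assumptions made for the example.

```powershell
# Added example, not part of the courseware. Run elevated on the server.
# The template folder and name come from the lab; $work and the .sdb path are assumed.
$template = 'C:\Users\Pat.Coleman_Admin\Documents\Security\Templates\DC Remote Desktop.inf'
$work = 'C:\SecAnalysis'
$db   = Join-Path $work 'NYC-DC1Test.sdb'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Task 2: build the database from the template.
secedit /import /db $db /cfg $template /overwrite /quiet
# Task 3: analyze the computer against the database; details go to the log.
secedit /analyze /db $db /log (Join-Path $work 'analyze.log') /quiet

# Export the database settings and the computer's current settings as text.
$wanted = Join-Path $work 'database.inf'
$actual = Join-Path $work 'computer.inf'
secedit /export /db $db /cfg $wanted /areas USER_RIGHTS /quiet
secedit /export /cfg $actual /areas USER_RIGHTS /quiet

function ConvertTo-Sid([string]$Entry) {
    # Exported entries are either *SID or an account name; normalise to a SID.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    $acct = New-Object System.Security.Principal.NTAccount($Entry)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-RdpLogonRight([string]$Path) {
    # SeRemoteInteractiveLogonRight is "Allow log on through Remote Desktop Services".
    $line = Get-Content $Path |
        Where-Object { $_ -match '^\s*SeRemoteInteractiveLogonRight\s*=' }
    if (-not $line) { return }   # right not defined in this file
    ($line -split '=', 2)[1] -split ',' | Where-Object { $_.Trim() } |
        ForEach-Object { ConvertTo-Sid $_.Trim() }
}

$want = @(Get-RdpLogonRight $wanted)
$have = @(Get-RdpLogonRight $actual)
# Same two directions the snap-in flags: database-only and computer-only entries.
$missing = @($want | Where-Object { $have -notcontains $_ })
$extra   = @($have | Where-Object { $want -notcontains $_ })
"In database, not on computer: $($missing -join ', ')"
"On computer, not in database: $($extra -join ', ')"

# Task 4, once the differences have been reviewed:
# secedit /configure /db $db /log (Join-Path $work 'configure.log')
```

An entry reported as on the computer but not in the database corresponds to the Administrators case in Task 3, step 4: `secedit /configure` would remove that right unless it is added to the database first.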