Lesson 1 in Visual C#.NET

Generation QR in Visual C#.NET Lesson 1

13-9

enterprise certification authority and install the issued certificate. This is useful for ensuring that computers have the certificates that they need to perform public key cryptographic operations. This setting is available for the Computer Configuration node only.

Trusted Root Certification Authorities A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. The setting is used to establish common trusted root certification authorities. You can use this policy setting to establish trust in a root certification authority that is not a part of your organization. This setting is available for the Computer Configuration node only. Enterprise Trust This setting is used to create and distribute a certificate trust list (CTL). A certificate trust list is a signed list of root certification authority certif icates that an administrator considers reputable for designated purposes such as client authentication or secure e-mail. This setting is available for both the Com puter Configuration and the User Configuration nodes. Autoenrollment Settings In the Autoenrollment Settings Properties dialog box, shown in Figure 13-2, you can enable or disable the automatic enrollment of com puter and user certificates by using Group Policy. You can also use this dialog box to use autoenrollment to manage certificates and to request certificates based on certificate templates. The dialog box is available for both the Computer Configu ration and the User Configuration nodes by opening Autoenrollment Settings.

It is not necessary for you to use these public key policy settings in Group Policy to deploy a public key infrastructure in your organization. However, these settings give

13-10

13

you additional flexibility and control when you establish trust in certification authori ties, issue certificates to computers, and deploy the Encrypting File System (EFS) across a domain.

EFS can be controlled and disabled through Group Policy. If you choose to disable EFS for your domain, which prevents users from encrypting files, you can do so by set ting an empty recovery policy at the domain level. Specific directions on how to do this are listed in Microsoft Knowledge Base Article 222022, entitled HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain, available at http://support.microsoft.com.

The Software Restriction Policies security area is a new feature in Windows XP and Windows Server 2003 used to identify software running in a domain and to control its ability to execute. This feature can identify software that is hostile or unwanted and prevent it from executing on computers running Windows XP Professional and Windows Server 2003. Software restriction policies are discussed in detail in Lesson 2.

The IP Security Policies security area is used to configure network Internet Protocol (IP) security.

The following are the best practices for applying security settings:

Do not configure account policies for OUs that do not contain any computers because OUs that contain only users always receive account policy from the domain. When setting account policies in Active Directory, keep in mind that there can only be one domain account policy: the account policy applied at the root domain of a domain tree. Event log size and log wrapping should be defined to match your organization s business and security requirements. Consider implementing Event Log settings at the site, domain, or OU level to take advantage of Group Policy settings. Track the system services used on a computer. For performance optimization, set unnecessary or unused services to start only by manual intervention. If you choose to set the system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention.

13-11

When security settings are imported to a GPO in Active Directory, they affect the local security settings of any computer accounts to which that GPO is applied. In either case, your user account rights might no longer apply if there is a local policy setting that overrides those privileges. If you create a Restricted Groups policy for a group, groups and users not speci fied in that policy are removed from the group specified. In addition, the reverse membership configuration option ensures that each restricted group is a member of only those groups specified. For these reasons, using Restricted Groups for security should be limited to primarily configuring membership of local groups on workstation or member servers.