Microsoft Study Bible

August 31, 2009

Visual Web Developer Express vs Visual Studio 2008?

I am currently reading Beginning ASP.NET with C#, and it recommends using Visual Web Developer Express (VWD). But I have a battery of questions. Could I use Visual Web Developer Express for all the projects I am planning to do in Visual Studio 2008? Can the free Express edition satisfy my needs? Or is there a need to buy Visual Studio even though I have VWD? Could you tell me what I can and cannot do when I only use Visual Web Developer Express 2008?

If you read this, do you still recommend that I use VWD Express, and for what reasons?
However, I was just thinking about what the Express version lacks compared with Visual Studio.

1. Not extensible with add-ons or third-party tools. If I use Visual Web Developer 2008 Express Edition, I can’t install and use third-party tools such as Web Application Projects, the CSS Properties Window, the HTML/ASP.NET spell checker, ReSharper and the like.
2. Cannot add a Class Library project. If you want to add a Class Library project or a Web Controls Library project to the solution (class libraries are a popular way of sharing business logic or other utility code), you will be surprised to find that you cannot, because VWD Express 2008 supports only a single project type: the Web site. VWD 2008 SP1, however, does allow Web Application and Class Library projects in the solution.
3. Lack of source code control, while a good source code control system provides change history, branches, merges and so on. SCC is key for a professional developer working in a team.
4. No accessibility checker. It is indispensable when you develop Web sites that must be accessible.
5. Lack of automatic generation of resources for localization. This means that your Web site cannot be localized into multiple languages.
6. You want to attach the debugger to a process in VWD Express? Sorry, you can’t. For example, when you need to step through code in existing classic ASP pages to understand how it works, or you have to maintain classic ASP pages, you need ASP debugging, which requires the ability to attach the debugger to a running process; Visual Web Developer Express Edition cannot help you there.
7. No native code debugging. For example, some legacy code, especially classic ASP code, may use COM objects written in C++. Mixed-mode debugging is not supported in Express.
8. No support for opening or editing SharePoint Web sites.
With so much you cannot do, maybe you will give up the free Express edition and find Visual Studio 2008 more favorable.

However, VWD Express 2008 still has its merits.
The obvious advantage of VWD over VS2008 is that it is free and if you can work smart with it given the missing features, it may be the more pragmatic option for you. If those are features that you can’t live without, VS2008 may be a wise investment - you also get all of the features missing from other Express products (Visual Basic 2008, Visual C# 2008, etc).

In addition, Visual Web Developer Express 2008 is a free web tool that lets you build with CSS, HTML, ASP.NET, C#, VB and JavaScript, and it supports additional frameworks like ASP.NET MVC, AJAX, Silverlight and jQuery.

So, what should I choose? Or can I have my cake and eat it too?

August 28, 2009

Errors when using Visual C++ on a 64-bit Windows OS

I got an error when I attempted to configure a project to target a 64-bit platform using Visual C++ Express Edition. I don’t know whether anyone else has had these problems. My friends told me I had not configured the Visual C++ project to target 64-bit platforms. To develop 64-bit applications I must install the Visual C++ 64-bit compilers. To enable the 64-bit tools in Visual C++ Express Edition, I should install the Windows Software Development Kit (SDK) in addition to Visual C++ Express Edition.
If you are new to Visual C++ on a 64-bit Windows operating system, you should know the following points when you use Visual C++ to create applications that run on 64-bit Windows; otherwise, errors can occur at any time.
1. Assign pointers to 64-bit variables, not 32-bit ones, on 64-bit platforms; otherwise the pointer value will be truncated.

2. Know which of these types are 32-bit and which are 64-bit on a 64-bit Windows operating system:
32-bit values: int, long.
64-bit values: size_t, time_t and ptrdiff_t.

3. Watch for places where your code takes an int value and processes it as a size_t or time_t value. The number may grow larger than a 32-bit value, and the data will be truncated when it is passed back into the int storage.

The %x (hex int format) printf modifier only operates on the first 32 bits of the value passed to it, so pay attention to these points:
1. Use %I32x to display an integer on a 32-bit Windows operating system.

2. Use %I64x to display an integer on a 64-bit Windows operating system.

3. %p (hex format for a pointer) works as expected on a 64-bit Windows operating system.
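As an added worked example (not code from the original post), the following C program shows points 1 and 3 above together with the printf modifiers: a pointer and a size_t length are each pushed through a 32-bit integer, and a length check performed on the narrowed value wrongly passes, which is how these truncations turn into buffer overflows. The sample pointer and length values are constructed, not taken from a real process. The program uses the C99 PRIx64 macro from <inttypes.h> as the portable equivalent of the %I64x modifier described above; the values it prints assume a 64-bit build.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Point 1: a pointer squeezed through a 32-bit integer. Returns the pointer's
   numeric value after the round trip; on a 64-bit build the high half is lost. */
uintptr_t roundtrip_pointer_via_int32(const void *p)
{
    uint32_t narrow = (uint32_t)(uintptr_t)p;   /* truncation happens here */
    return (uintptr_t)narrow;
}

/* 1 if the pointer is intact after the round trip, 0 if it was truncated. */
int pointer_survives_int32(const void *p)
{
    return roundtrip_pointer_via_int32(p) == (uintptr_t)p;
}

/* Point 3: a size_t length that is checked only after being stored in an int.
   Returns 1 when the narrowed value passes the "fits in the buffer" test even
   though the real request is larger than the buffer: the precondition for an
   overflow on the copy that follows. */
int length_check_fooled(size_t requested, size_t buffer_size)
{
    int narrowed = (int)requested;               /* high 32 bits discarded */
    return narrowed >= 0
        && (size_t)narrowed <= buffer_size
        && requested > buffer_size;
}

/* The safe version keeps the comparison in size_t: never narrow before you check. */
int length_fits(size_t requested, size_t buffer_size)
{
    return requested <= buffer_size;
}

/* Printing: "%x" takes an unsigned int, so a 64-bit value has to be cast down,
   which reproduces the "first 32 bits only" behaviour the post describes. */
int format_low32(uint64_t v, char *out, size_t cap)
{
    return snprintf(out, cap, "%x", (unsigned int)v);
}

/* PRIx64 is the portable spelling of Microsoft's %I64x: all 64 bits are shown. */
int format_wide(uint64_t v, char *out, size_t cap)
{
    return snprintf(out, cap, "%" PRIx64, v);
}

int main(void)
{
    /* Constructed sample values, not addresses or sizes from a real process. */
    const size_t big_request = (size_t)0x100000000ULL;   /* 4 GiB: needs 33 bits */
    const size_t buffer = 1024;
    const void *fake_ptr = (const void *)(uintptr_t)0x100000010ULL;
    char buf[32];

    printf("sizeof(int)=%zu sizeof(size_t)=%zu sizeof(void*)=%zu\n",
           sizeof(int), sizeof(size_t), sizeof(void *));
    printf("narrowed length check fooled: %d (correct check says fits: %d)\n",
           length_check_fooled(big_request, buffer), length_fits(big_request, buffer));
    printf("pointer survives int32 round trip: %d\n", pointer_survives_int32(fake_ptr));
    format_low32(0x123456789ULL, buf, sizeof buf);
    printf("%%x     -> %s\n", buf);
    format_wide(0x123456789ULL, buf, sizeof buf);
    printf("PRIx64 -> %s\n", buf);
    return 0;
}
```

Build it with any C99 compiler (with Visual C++, use the 64-bit tools installed from the SDK as described above). The remedy in every case is the same: keep pointers in pointer-sized types (uintptr_t, or INT_PTR in the Windows headers), keep lengths in size_t, and do the bounds comparison in the wide type before anything is narrowed.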

That sums up the situations I know of.
If you find any other issues, please share yours.

August 24, 2009

The Open-source Code Review tools

Once developers have written code, we need code review tools to find the bugs: we can review the style, logic and so on, find the problems, and modify the code. Code review is a key part of coding. Five open-source code review tools are listed below:
1. Review board :
Review Board is a web-based tool, designed primarily for those who like to use the Python programming language and Django. Review Board helps trace changes to pending code and makes code review easier and simpler. Although Review Board was originally designed for VMware, it is general-purpose. At present it supports source management software such as SVN, CVS, Perforce, Git, Bazaar and Mercurial. Yahoo is one of the Review Board users.
“Review Board has changed the way we review code, and it can be a mentor to the programmer. When you access the site ww.search.yahoo.com, all of the code behind it has been reviewed with Review Board.” On the Review Board site you will also see these words: “We’re great fans of your work!” – Yahoo! Web Search.
2. Codestriker:
Codestriker is also a web-based tool, chiefly used to review code online via a CGI Perl script. Traditional document reviews are supported, as well as reviewing diffs generated by an SCM (Source Code Management) system and plain unidiff patches. Codestriker can be integrated with CVS, Subversion, ClearCase, Perforce and Visual SourceSafe.
Codestriker is written in Perl, runs on all of the major platforms and browsers, and is licensed under the GPL.
3. Groogle
Groogle is a web based peer code review tool providing a range of features aimed at easing the code review process. Features include:
• Subversion integration, working against live repositories.
• Syntax highlighting for a wide variety of languages.
• Comparisons of entire repository trees to find added, removed and modified files and directories.
• Diffing of individual files and a graphical representation of modifications.
• E-mail notifications to notify review participants when a review’s status changes.
• Optional integration against a wide range of existing authentication mechanisms.

4. Rietveld: code review for Subversion, hosted on Google App Engine. It is based on Mondrian, which is similar to Review Board, but it uses Django, the most popular web development framework, and supports Subversion. At present, anyone who uses Google Code can use Rietveld, and a Python Subversion server as well.

5. JCR
JCR (or jcodereview as it’s known on Sourceforge) is a web application for performing and managing formal code reviews. It can be used for reviews of any type of source code, although it has some special smarts for reviewing Java projects. It has special features to make large-scale reviews not only practical but easy and fast. JCR is intended to assist:
• Reviewers. All changes to code are highlighted, and syntax highlighting works for most languages. Code extracts are shown for context when adding comments. If reviewing Java code, references to other classes within the file are clickable, so that you can drill into the detail if required. After review comments have been made, those comments can themselves be reviewed, and the required actions decided on and tracked
• Project owners. Review projects are easy to create and configure, and support (but don’t require) integration with your source code management (SCM) system
• Process bigots. Details of all comments are held in the database, along with any actions required, and whether they’ve been completed. Status reports can be viewed at any time, and also show how much review activity took place on each file (to make sure they were all reviewed)
• Architects and developers. As well as viewing the comments made for a project, it’s possible to see details of all review projects and comments for a specified file - good for finding code that would benefit from refactoring.
JCR is generally targeted at larger-scale and more formal code reviews than other review tools.

How to install PHP on IIS7 in Vista/Windows Server 2008?

At present, many websites are written primarily in PHP. But the server environments on which these websites run are not only FreeBSD and Linux: many PHP websites run on Windows 2000, Windows 2003 and Windows Server 2008. According to many tests, PHP on Windows Server 2008 has its advantages. Now we’ll show how easy it is to get PHP up and configured on your IIS7 web server.
The system environment: Vista/Windows Server 2008.
First, install IIS7 through Control Panel, Programs and Features, Windows Features, with the default options; remember to also choose the two ISAPI options.

The next step is to install PHP.
Download the PHP Windows binaries. Unzip the php…zip file to your drive; I usually unzip it to D:\php. In this directory, find php.ini-dist and rename it php.ini. Open php.ini: first find extension_dir=”./” and replace it with extension_dir=”d:\php”; then find the Windows Extensions section and enable the following lines:
extension=php_mbstring.dll
extension=php_gd2.dll
extension=php_MySQL.dll
Save the modifications and copy php.ini to the Windows system directory.

The third step is to create an application pool whose .NET type is set to “unmanaged type”.
After these steps, create a new Web site, enable the “Read” and “Run script” permissions, and then add the ISAPI filter and the handler mapping.
Finally, add D:\PHP\php5isapi.dll to the handler mapping.
Now you have successfully installed PHP on IIS7.

August 23, 2009

Unable to install VS 2008 in Windows Vista?

Microsoft declared that Visual Studio 2008 could run under the Vista operating system. However, many of us have failed to get it working. Today we will discuss these problems.

Symptoms 1: After you installed the VS2008 beta under Vista, you could not run setup.exe.
Cause:
1. Something is wrong with your OS.
2. The CPU frequency is too low, the memory capacity is insufficient, there is not enough disk space, and so on.
3. Improper installation.
Resolution: Reinstall the system; upgrade the hardware.

Symptoms 2: Unable to install VS 2008 from a virtual drive; double-clicking Setup.exe fails even though you tried several versions of Vista. Something may be wrong with the virtual drive. Windows versions before Vista treated most virtual drives as physical CD-ROMs.
Vista, however, distinguishes strictly between virtual drives and physical CD-ROMs, and some of these drives are not listed in Logical Disk Manager; for example, the virtual CD of UltraISO was not listed. Maybe the virtual drive is not completely compatible with Vista.
Resolution: Unzip the image files onto the hard disk.

How to make Active Directory Secure? (Part 2)

1. Enforce Strong Password Rules

By now, you all know the benefits of strong passwords, but it’s probably too much to expect your users to use them willingly. To help them along, you really should enforce strong password rules in your domain (see “Enabling Strong Password Functionality in Windows 2000”). You can help your users by suggesting strategies such as the use of passphrases instead of confusing word/number/character combinations.

2. Protect the Service Account’s Password

As you know, service accounts are another sore subject. The nature of service accounts—used on application servers for the application’s service—makes a low-impact password change very difficult, and so the password is usually set to never expire. Because the account controls an important service (often on many servers), compromising the service account’s password is not something you want to happen.

Though it may be difficult to solve the password change problem, you can take steps to mitigate the risk of attack or accidental changes. Give the accounts a naming convention that identifies them as service accounts and suggests what they’re used for. Put all of these accounts into a group named something like “Service Accounts” and apply a policy to your application servers to deny the “Log on Locally” policy but allow “Log on as a Service”. Keep them in their own OU so you can apply GPOs unique to their requirements.

3. Make Sure that Each DC is Physically Secure

Domain controllers make up the physical aspect of Active Directory. Distributed throughout your enterprise, each DC has its own copy of the Active Directory database NTDS.DIT. This means that one of your paramount security concerns is to make sure that each DC is physically secure. If one of them grows legs and walks off, the thief will have physical access to the directory information tree (DIT) and can run cracking programs against it to obtain usernames and passwords. Therefore, you must have a reaction plan in place to change all passwords in a domain if one of its DCs is stolen.

A proposed feature of the forthcoming version of Windows Server (code-named “Longhorn”) aims to mitigate the risk from this scenario dramatically with the read-only domain controller (RODC), a DC whose DIT contains no user passwords. Users are logged on via a Kerberos referral from a full DC; you can configure the RODC to cache the passwords of users who use it for authentication. In a branch office scenario, only the branch office’s users will have their passwords cached on the RODC so if it’s compromised they’re the only passwords that must be changed immediately. The RODC caching configuration is very flexible; it even includes a way to determine who had their password cached on it. As with all discussion of prerelease software, though, this is subject to change.

4. Minimize Unnecessary Services and Open Ports

The Windows Server 2003 SP1 Security Configuration Wizard can quickly harden your DCs in this aspect by stepping you through a wizard to lock it down.

One attack to be wary of—a denial of service of sorts—fills the available disk space on a DC. There are two ways this attack can be executed. The first is by attempting to flood Active Directory with objects. Because Active Directory is hugely scalable, it is unlikely to crash in this scenario, but flooding Active Directory with objects will increase the size of the database until it fills the disk partition. Besides ensuring the DIT is on a partition with lots of free space, consider implementing directory quotas via DSMOD PARTITION or DSMOD QUOTA. This will prevent any one security principal from adding too many objects to the directory.

Another denial of service attack has to do with flooding the SYSVOL folder with files, causing it to fill up the boot partition, and crashing the DC. You can’t use a quota system in this case, but you can create a simple reserve file or files to take up existing free disk space. If you encounter this type of disk-filling situation, simply erase reserve files, one at a time, to maintain free disk space until you resolve the root cause. You can easily create reserve files with the FSUTIL FILE CREATENEW command.

5. Make the DC Time Source Secure

Because Active Directory depends on Kerberos, it’s very sensitive to time variations between its DCs. This is especially true in trusts between forests because they may rely on different time hierarchies. By default, the PDC operations master in the root domain is the reference to which all other DCs in the forest look for accurate time. What time source does this DC look to for accurate time? Is it secure?

6. Audit Important Events

You must enable auditing in a domain-level GPO, with no override, to ensure every system in your domain is tracking important events. You should audit failed logons, successful and failed account management, object access, and policy change. Use the same GPO to boost the security log size, because with the increased auditing you’ll need it.
7. Use IPsec

Many organizations have dragged their feet on the implementation of IPsec because of the complex rules you must build, but it’s relatively easy to implement for inter-DC communication only. For communications from DCs to clients, there are a number of options to consider. Windows Server 2003 DCs by default have SMB signing enabled, which means they sign all their communications to the client to prevent spoofing. Its policy is listed as “Microsoft network server: Digitally sign communications (always)”. Be aware of this change when you upgrade, and don’t disable it if you don’t have to.

8. Don’t Store LAN Manager Hash Values
You should try to rid yourself of LM (Lan Manager) password hashes if possible; many password crackers attack the weak LM hash and then deduce the stronger NTLM hash. The policy you need is “Do Not Store LAN Manager Hash Value on Next Password Change”. Also consider enabling “Send NTLM v2 response only, refuse LM and NTLM”. Most down-level clients can be configured to use NTLMv2. This may not be possible for Active Directory installations in factory environments or other installations where embedded Windows is used. Test these settings carefully because they can break down-level clients. It’s important to remember that these clients not only include Windows NT 4.0 and Windows Me, but also other Server Message Block (SMB)-enabled network clients like network attached storage (NAS) devices, UNIX clients running Samba, or embedded Windows devices like factory station controllers. The Knowledge Base article “Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments” lists recommendations for most DC security settings and user rights.

9. Don’t Forget Your Business Practices
Handle emergencies and document procedures for facing situations like compromised passwords, general Active Directory attacks, and Active Directory disaster recovery. Microsoft has done much of this work for you in “Best Practice Guide for Securing Active Directory Installations”, and “Best Practices: Active Directory Forest Recovery”.
More information is available at: http://blog.csdn.net/yjz0065/archive/2006/08/02/1011224.aspx

August 21, 2009

How to use PasswordBox in WPF

There are two common ways to use the PasswordBox control in WPF.

1. With binding, the value of the PasswordBox is bound to a property of the back-end data object.

2. Use the “SecurePassword” property of PasswordBox.

The first way is annoying and not recommended. “SecurePassword” is a new property in .NET 3.5 SP1, so this article chiefly introduces how to use “SecurePassword”.

Since the data type of “SecurePassword” is “SecureString”, it is easy to write to and hard to read from. Note especially that when you call “ToString()” on a SecureString instance, the value you get is always “System.Security.SecureString”.

The code below shows how to obtain the password from passwordBoxPassword.

// 1. Copy the SecureString into an unmanaged BSTR; p points at the decrypted characters.
IntPtr p = IntPtr.Zero;
string password = null;
try
{
    p = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(this.passwordBoxPassword.SecurePassword);
    // 2. Read the characters that p points to back into a managed string.
    password = System.Runtime.InteropServices.Marshal.PtrToStringBSTR(p);
}
finally
{
    // Zero and free the unmanaged copy so the cleartext does not linger in memory.
    if (p != IntPtr.Zero)
        System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(p);
}
// 3. Verify the password.
if (string.IsNullOrEmpty(password) || password != "123456")
{
    MessageBox.Show("please input the password", "", MessageBoxButton.OK, MessageBoxImage.Asterisk);
    return;
}

How to back up and restore a database in C#?

Here, we will introduce a way to back up and restore a database in C#: use SQL-DMO.

Most SQL Server administrative tasks are programmable thanks to a set of objects known as SQL-DMO. Distributed Management Objects (DMO) is a set of programmable objects that come with SQL Server that make it easy to programmatically administer your databases. SQL-DMO is actually the foundation of Enterprise Manager, so you can pretty much do anything programmatically that you can do in the management tools. Some of these tasks include:
1. Scripting objects
2. Backing up databases
3. Creating jobs
4. Altering tables
5. Restoring databases
… and much more.
SQLDMO comes from SQL.DLL of Microsoft SQL Server. Because SQL.DLL is a COM object, we have to add a reference to SQL.DLL in .NET before it can be used.
So, let us introduce a class written in C# that is used to back up and restore a Microsoft SQL Server database:
using System;
namespace DbService
{
    /// <summary>
    /// DbOper object: uses SQLDMO to back up and restore a Microsoft SQL Server database
    /// </summary>
    public sealed class DbOper
    {
        /// <summary>
        /// private constructor; DbOper only exposes static methods
        /// </summary>
        private DbOper()
        {
        }

        /// <summary>
        /// back up the database
        /// </summary>
        public static void DbBackup()
        {
            SQLDMO.Backup oBackup = new SQLDMO.BackupClass();
            SQLDMO.SQLServer oSQLServer = new SQLDMO.SQLServerClass();
            try
            {
                // SQL Server authentication with the sample credentials used in this post
                oSQLServer.LoginSecure = false;
                oSQLServer.Connect("localhost", "sa", "1234");
                oBackup.Action = SQLDMO.SQLDMO_BACKUP_TYPE.SQLDMOBackup_Database;
                oBackup.Database = "Northwind";
                oBackup.Files = @"d:\Northwind.bak";
                oBackup.BackupSetName = "Northwind";
                oBackup.BackupSetDescription = "Recover Database";
                oBackup.Initialize = true;   // overwrite any existing backup set in the file
                oBackup.SQLBackup(oSQLServer);
            }
            finally
            {
                oSQLServer.DisConnect();
            }
        }

        /// <summary>
        /// restore the database
        /// </summary>
        public static void DbRestore()
        {
            SQLDMO.Restore oRestore = new SQLDMO.RestoreClass();
            SQLDMO.SQLServer oSQLServer = new SQLDMO.SQLServerClass();
            try
            {
                oSQLServer.LoginSecure = false;
                oSQLServer.Connect("localhost", "sa", "1234");
                oRestore.Action = SQLDMO.SQLDMO_RESTORE_TYPE.SQLDMORestore_Database;
                oRestore.Database = "Northwind";
                oRestore.Files = @"d:\Northwind.bak";
                oRestore.FileNumber = 1;          // first backup set in the file
                oRestore.ReplaceDatabase = true;  // overwrite the existing Northwind database
                oRestore.SQLRestore(oSQLServer);
            }
            finally
            {
                oSQLServer.DisConnect();
            }
        }
    }
}

August 17, 2009

Is Microsoft AD in Server 2008 perfect?

Filed under: Server technologies — Jackson @ 9:49 pm

It was never possible for Microsoft to make AD in Windows Server 2008 a universal prescription for all problems. On the contrary, Active Directory is bloated in structure, unreliable, particularly unhelpful, and poor in performance. For example, most AD deployments can be compared to a car, while what the enterprise actually wants from AD is the radio in the car. So, when the enterprise wants to listen to the radio, it has to spend a lot of money on the car and a lot of time keeping the car running.
So, when AD is regarded as a radio, is it perfect?
1. Relying too heavily on DNS. It is well known that AD is built on DNS.
A strong and reliable DNS instance is the bedrock of AD; DNS lets AD manage a huge and complicated networking environment. It is common knowledge that AD can only be deployed on Windows DNS, which integrates many non-standard DNS definitions and records, while Windows DNS is a service whose reliability and load capacity are poor. On the Internet, no ISP uses Windows DNS. Once Windows DNS goes wrong, the whole Active Directory breaks down: for example, DNS record updates fail, many zone transfers fail, and DNS needs to be relocated, all of which put AD at excessive risk. In other words, a large building stands on a fragile foundation.
2. The LDAP protocol is too complicated. LDAP in AD is described as a simple protocol. In fact, it is very complicated and hard to understand. Microsoft hopes that in an AD environment users do not deal directly with the protocol. Because of the complexity of LDAP, once it goes wrong there is no error report, emulation module or debugger for users. To resolve this problem, Microsoft had to supply an LDAP debugging tool, located in the install directory of the CD. Even so, almost no system administrator is good at this “freak” debugger.
3. Little value in Group Policy (GP). GP is the most popular function in AD. Microsoft’s wish is that GPOs be used to control the client fleet. However, this has not been the case. Firstly, most GP functions need modification of the client registry and a few need to run scripts, which makes the real-time behaviour and robustness of GP terrible. What is worse, once the deployment of a GP is completed, the administrator doesn’t know whether a policy is in effect on each computer. Once something goes wrong, the administrator has to analyze the problem on the clients with simple tools like GPRESULT. Besides, there are terrible design flaws in the GPO function.
4. The completely closed database. In the official MCSE materials, the Active Directory database and SYSVOL are often mentioned. System administrators know the database is the key point of AD, holding many kinds of information. But what is stored in the database cannot be known or manipulated with a SQL statement, so backing up and restoring AD is a nightmare. Would you back up AD? Sorry, Microsoft can’t help you; the only way is to use NTBACKUP. Would you restore the database? Would you like regular incremental synchronization of the data? Sorry, NTBACKUP can’t help you either. All you can do is restore AD together with the other Windows system information, whether good or bad. Would you like to improve the reliability of this AD? You need two DCs to do it.

How to make Active Directory secure in Windows Server 2003?

Filed under: Server technologies — Jackson @ 9:39 pm

The very first step you need to take is to document your Active Directory configuration. A good place to start is with the high-level structures like forest and domain configuration, organizational unit (OU) structure, top-level directory security, and existing trust relationships. Document your site topology by listing the sites, configuration settings for each site, site links and their settings, the list of subnets and their settings, and any manually created connection objects and their settings. Document your Group Policy Objects (GPOs) with a Group Policy utility like the Group Policy Management Console (GPMC), available from Microsoft downloads and included in Windows Server™ 2003 R2. The documentation you create should include password and audit policies, and don’t forget to include what the GPOs are linked to and who has rights on them. Be sure you have a list of all changes you’ve made to the Active Directory schema, preferably in the form of a Lightweight Directory Interchange Format (LDIF) file. There’s even a GPMC script included in the download to help you get started. It is located in the %programfiles%\gpmc\scripts directory and is called GetReportsForAllGPOs.wsf.

While you’re at it, also list your domain controllers and their names, their OS versions, and virus scanning software and their versions. Record the backup methods you’re using and how often they run, along with how long you keep the backups. If you use disk-based backups, record where you securely keep the backup files. If you use Windows® DNS, use DNSCMD and DNSLINT to document its configuration. Note whether it’s integrated with Active Directory, whether you use application partitions, and how they are configured.

2. Controlling your administration is the single most important step in securing your forest and it’s also probably the hardest. Everyone wants to own a piece of Active Directory, but a well-secured forest model can’t allow this. If your company’s installation is like most, your logical Active Directory design is already set, so you have to work within its constraints. If not, you have the opportunity to build Active Directory from the start.
The forest is the only true security boundary within Active Directory. Domains should be used to facilitate your company’s IT support infrastructure and replication, and OUs should be used to delegate administration within a domain. If you have hard security constraints between two parts of your company, consider implementing another forest. See “Multiple Forest Considerations in Windows 2000 and Windows Server 2003” for recommendations. If necessary, add a security-filtered forest trust to communicate with your first forest (see “Planning and Implementing Federated Forests in Windows Server 2003” for more information). If your domains are already administered by different groups, realize that administrative access to any domain controller in the forest can jeopardize the entire forest. As a result, you need to work closely with the administrative teams of the other domains to ensure you have a uniform domain controller (DC) administration model across the forest. For more detail on this topic, read “Design Considerations for Delegation of Administration in Active Directory”.
3. Limit the Number of Administrators
Within your forest, you need to do everything you can to limit the number of administrators. Though the Active Directory security model is much better than it was in Windows NT® 4.0, it still has a weakness: you can’t fully administer a domain controller without being an administrator of the domain. This means that in a basic Active Directory implementation, computer operators in locations that contain DCs are usually members of Domain Admins so they can perform all maintenance functions on these servers. Don’t do this! You’ve handed the keys to your Active Directory forest to a potentially large number of employees with unknown backgrounds and security qualifications. Instead, follow the time-honored practice of determining requirements first and then creating a solution based on these requirements. Meet with operations management to figure out exactly what tasks they need to perform on DCs. Then, design a solution using a combination of Group Policy and third-party tools to grant them as many rights as possible without elevating them to Domain Admins.
Finally, your administration team must assume the tasks you can’t securely delegate to operations. This is a very touchy area because you’re taking away responsibilities from operations, but you’ll have the big stick of information security on your side.
4. Test Group Policy Settings
This is a good opportunity to say a few words about Group Policy. It’s the single most powerful tool for controlling your forest’s security. Precisely because it’s so powerful, however, you need to make sure you test these settings in a controlled environment before rolling them out. You can use a duplicate test-bed environment, be it physical or virtual (through the use of virtualization software such as Virtual Server 2006). You can implement these policies in stages by first linking new security-focused GPOs to individual OUs, then to the entire domain.
5. Use Separate Administrative Accounts
Once you’ve limited the number of administrators, make sure all employees who perform operations with elevated privileges use separate administrative accounts. These accounts should have a naming convention that’s different from standard accounts and should reside in their own OU so you can apply unique GPOs to them. You can group these accounts by the roles they perform and assign rights to these groups rather than to individuals. For example, helpdesk members responsible for account management should have their administrative accounts in a group named “Account Admins”, and this group should be added to the Account Operators built-in group.
6. Restrict Elevated Built-In Groups
If your security model follows the recommendations I just outlined, it’s relatively easy to put all elevated built-in groups into Group Policy’s Restricted Groups feature. This will ensure that the group’s membership is enforced every five minutes, limiting the chance that a rogue administrator will inject their account into it. Use Restricted Groups to keep groups like Schema Admins empty and to keep Enterprise Admins very small.
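Tips 5 and 6 describe the target state; the following PowerShell script is an added example, not part of the original article, that audits a domain against that state and reports drift that Restricted Groups alone would not flag (direct user members, unapproved nested groups, admin accounts outside the convention). It assumes the ActiveDirectory module; the OU name, the "adm-" prefix and the role-group names are hypothetical conventions you would replace with your own.

```powershell
# Added example (not from the article). Assumptions: ActiveDirectory module is
# loaded, admin accounts start with "adm-" and live in $AdminOU, and the only
# approved direct members of each elevated built-in group are the role groups
# listed in $Approved (all of these names are hypothetical).
Import-Module ActiveDirectory

$AdminOU  = "OU=Admin Accounts,DC=corp,DC=example"   # hypothetical OU
$Approved = @{
    "Domain Admins"     = @("Domain Admin Role")      # hypothetical role groups
    "Account Operators" = @("Account Admins")
    "Enterprise Admins" = @("Forest Admin Role")
    "Schema Admins"     = @()                          # should stay empty
}

function Test-ElevatedGroups {
    foreach ($group in $Approved.Keys) {
        # Direct members only: Restricted Groups enforces the direct membership list.
        foreach ($m in Get-ADGroupMember -Identity $group) {
            if ($m.objectClass -eq "group") {
                if ($Approved[$group] -notcontains $m.name) {
                    [pscustomobject]@{ Group = $group; Member = $m.name; Finding = "unapproved nested group" }
                }
            } else {
                # Rights go to role groups, never to individual accounts.
                [pscustomobject]@{ Group = $group; Member = $m.SamAccountName; Finding = "direct user membership" }
            }
        }
    }
    # Every account reachable through a role group must follow the admin account convention.
    foreach ($role in ($Approved.Values | ForEach-Object { $_ })) {
        Get-ADGroupMember -Identity $role -Recursive |
          Where-Object objectClass -eq "user" |
          ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName
            if ($u.SamAccountName -notlike "adm-*" -or $u.DistinguishedName -notlike "*,$AdminOU") {
                [pscustomobject]@{ Group = $role; Member = $u.SamAccountName; Finding = "admin account outside convention" }
            }
          }
    }
}

# No output means the domain matches the model; each row is something to fix.
Test-ElevatedGroups | Format-Table -AutoSize
```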
7. Use a Dedicated Terminal Server for Administration
Service administrators (responsible for running core Active Directory services like DCs, sites, and the schema) should perform all their tasks from dedicated terminal server administration points (TSAPs) rather than from their desktops. This is a much more secure practice that minimizes any leaking of desktop malware, makes working with a separate administrative account much less cumbersome and provides a locked-down, customized administration point. Keep these TSAPs in their own OU, and use GPOs to prevent Internet access, restrict logon locally to administrative accounts only, increase auditing procedures, and implement a password-protected screen saver. Upgrading your TSAP to Windows Server 2003 will cause its Active Directory administration tools to sign and encrypt Lightweight Directory Access Protocol (LDAP) traffic between itself and your Windows Server 2003 DCs.
8. Disable Guest and Rename Administrator
Basic account security measures are to disable the guest account and rename the administrator account. You may have already done this. Either way, don’t forget to also remove the default description of these accounts, since that’s easy for bad guys to search for. Most programmatic attacks use the administrator account’s well-known Security Identifier (SID) rather than its name, so renaming Administrator is really of limited use. It does show that you’re using due diligence for security audits, however. The rename policy also can be useful for creating a honeypot Administrator account. This is an account named Administrator (after you’ve renamed the real account) that has a high level of auditing enabled. If anyone attempts to log onto this account by guessing the password, the attempt will be logged. If you have an event log monitoring utility, you can also trigger an alert.
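The honeypot Administrator account is only useful if something reads the audit trail. The script below, an added example that is not part of the original article, pulls logon attempts against the decoy name from a DC's Security log and raises an alert; it assumes logon auditing is enabled on the DC and that the real account has already been renamed, so any use of the name "Administrator" targets the decoy. The "HoneypotMonitor" event source is a hypothetical name.

```powershell
# Added example (not from the article). Assumes logon auditing is on and the
# real built-in account has been renamed, so "Administrator" is the decoy.
$Honeypot = "Administrator"
$Since    = (Get-Date).AddHours(-24)

function Get-HoneypotLogonAttempts {
    param([string]$Computer = $env:COMPUTERNAME)
    # 4625 = failed logon, 4624 = successful logon,
    # 4768 = Kerberos TGT issued, 4771 = Kerberos pre-authentication failed.
    # The XPath filter matches on the TargetUserName field of the event data.
    $xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771)]" +
             " and EventData[Data[@Name='TargetUserName']='$Honeypot']]"
    Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
      Where-Object { $_.TimeCreated -ge $Since } |
      ForEach-Object {
        # Read named fields from the event XML instead of positional indexes,
        # which differ between event IDs.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Source  = if ($data.IpAddress) { $data.IpAddress } else { $data.WorkstationName }
            # A success against the decoy means its password is known: investigate.
            Outcome = if ($_.Id -in 4624, 4768) { "SUCCESS - investigate immediately" } else { "failed" }
        }
      }
}

$hits = Get-HoneypotLogonAttempts
if ($hits) {
    $hits | Format-Table -AutoSize
    # Hook for an event log monitoring utility. One-time setup on the host:
    #   New-EventLog -LogName Application -Source HoneypotMonitor
    Write-EventLog -LogName Application -Source "HoneypotMonitor" -EventId 1000 -EntryType Warning `
        -Message ("Honeypot account '{0}' was targeted {1} time(s) since {2}" -f $Honeypot, @($hits).Count, $Since)
}
```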
9. Limit Access to the Administrator Account
You should severely limit the number of people who have access to the real Administrator account and password. For the highest level of security, consider the nuclear password option: two (or more) administrators each generate an eight-digit, random, strong password independently of each other; then each admin enters his password into the password field in turn. The account now has a password that is 16 digits or longer and that requires at least two administrators to log on; one administrator can’t do it alone.
10. Watch the DSRM Password
An often overlooked but important password is the Directory Service Restore Mode (DSRM) password on domain controllers. The DSRM password, unique to each DC, is used to log onto a DC that has been rebooted into DSRM to take its copy of Active Directory offline. You need to update the DSRM password regularly, because with this password a local operator can copy NTDS.DIT (the Active Directory database) off the server and reboot before anyone notices. In early builds of Windows 2000, the only way to change the password was to log on and change it manually, which is impractical if you have more than two DCs. Windows 2000 Service Pack 2 introduced the SETPWD command (see the Knowledge Base article "Configure Your Server Wizard sets a blank recovery mode password") to remotely update the DSRM password. The NTDSUTIL command in Windows Server 2003 can change it remotely (see "How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003"). Create a script to run this operation against your DCs, and run it regularly.
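One way to script the regular rotation the article asks for, as an added example that is not part of the original article: the script uses ntdsutil's "sync from domain account" command (available on Windows Server 2008 R2 and later, and on 2008 with the supporting hotfix), which copies a dedicated domain account's password into each DC's local DSRM account, rather than the interactive SETPWD/NTDSUTIL reset the article describes. It assumes the ActiveDirectory module and PowerShell remoting to the DCs; the account name "svc-dsrm-sync" is a hypothetical choice.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module,
# remoting to each DC, and a dedicated domain account (hypothetical name below)
# that exists only to carry the DSRM password; ntdsutil's "sync from domain
# account" needs Windows Server 2008 R2+ (or 2008 with the hotfix).
Import-Module ActiveDirectory

$SyncAccount = "svc-dsrm-sync"   # dedicated account; deny it logon rights by policy

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols so that "byte mod 64" introduces no bias.
    $chars = [char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#"
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Update-DsrmPasswords {
    # 1. Put a fresh random password on the sync account.
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SyncAccount -NewPassword $secure -Reset

    # 2. Have every DC copy that password into its local DSRM administrator account.
    #    The command only acts on the DC it runs on, so it goes through remoting;
    #    the new password must have replicated to that DC first.
    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        $out = Invoke-Command -ComputerName $dc.HostName -ArgumentList $SyncAccount -ScriptBlock {
            param($acct)
            ntdsutil "set dsrm password" "sync from domain account $acct" q q 2>&1
        }
        [pscustomobject]@{
            DC      = $dc.HostName
            # ntdsutil reports "Password has been synchronized successfully" on success.
            Success = @($out -match "synchronized successfully").Count -gt 0
        }
    }

    # 3. Return the password as a SecureString so the caller can escrow it offline.
    #    Each DC logs the change in its Security log as event 4794, which is the
    #    thing to watch for changes made outside this script.
    [pscustomobject]@{ Results = $results; DsrmPassword = $secure }
}

Update-DsrmPasswords
```

Run it under a scheduled task from a TSAP, and treat a DC that reports Success = False as not rotated until it is reached.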
(From: http://blog.csdn.net/yjz0065/archive/2006/08/02/1011224.aspx)
