You are viewing [info]redeyedakuma's journal

In which the notes start again

  • Dec. 9th, 2008 at 9:16 AM
latex
I'm hoping that the fact the snake didn't reject the meds we gave her yesterday is a good sign. I got her a new heat lamp to keep the cage nice and toasty and really hope that helps.

sadly my Clamp no Kisaki didn't sell on ebay. anyone know any lj coms that i could sell these buggers on? i have 5, 7, & 8



Member server Baseline


Trusted Computing Base
Make sure you not only secure but document it
-document hardware and what's physically on it
--services
--partitions
--etc.
-procedures
--flow chart of what users need to do to work on a comp

Secure Baseline Elements
anything that could be a security issue
-files
-services
-members
User rights vs User permissions
-restrict to the bare min needed
NTFS
-also restrict to the bare min (least privilege)
-take away what they don't need (e.g. full control)



Server Configuration
Auditing
-see when services are used/stopped/terminated/etc.
-doesn't make the system more secure, but it lets you see who's changing things
-too much auditing slows the server (performance is inversely proportional to the amount of auditing)

Predefined Security Templates
prebuilt;
always reboot into safe mode

Domain Controller Default Security (DC security.inf)
-specifies default security settings updated from Setup security.inf for a domain controller
Compatible (Compatws.inf)
-modifies permissions and registry settings for the Users group to enable maximum application compatibility (don't run legacy apps on a domain server)
Secure (Securedc.inf and Securews.inf)
-enhances security settings that are least likely to affect compatibility
High Secure (Hisecdc.inf and Hisecws.inf)
-increases the restrictions on security settings



Security Environments in Server 2003
Windows 95
Windows 98
Windows NT 4.0
Windows 2000
Windows XP

where to get templates?
check Google, Microsoft, etc.
don't pay for them

Storing Security Templates
limit the number of people that have access
stored under Security Templates at the console root (MMC snap-in)
is not an OU




Additional Security Settings
rename admin account (something not admin)
copy admin account, remove permissions (so it says it's admin when it's not)
admin account has a -500 SID, rename thru group policy
disable guest account or rename
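
A check for the settings above, as an added example that is not part of the original notes: because a rename never changes the SID, it finds the built-in accounts by RID (500 and 501) rather than by name. The function name `Test-BuiltinAccounts` and its output properties are this example's own, and it assumes PowerShell 3.0 or later on the member server.

```powershell
# Added example, not from the original notes. Function and property names
# below are this example's own. RID 500 = built-in Administrator, 501 = Guest.
function Test-BuiltinAccounts {
    param([Parameter(Mandatory = $true)][object[]]$Accounts)

    # A rename changes Name only; the SID still ends in -500 / -501.
    $admin = $Accounts | Where-Object { $_.SID -match '^S-1-5-21-.+-500$' }
    $guest = $Accounts | Where-Object { $_.SID -match '^S-1-5-21-.+-501$' }
    if (-not $admin -or -not $guest) { throw 'Built-in accounts not found in input.' }

    # The decoy from the notes: an account named like the admin but with another RID.
    $decoy = $Accounts | Where-Object {
        $_.Name -eq 'Administrator' -and $_.SID -notmatch '-500$'
    }

    [pscustomobject]@{
        RealAdminName = $admin.Name
        AdminRenamed  = $admin.Name -ne 'Administrator'
        DecoyPresent  = [bool]$decoy
        GuestName     = $guest.Name
        GuestDisabled = [bool]$guest.Disabled
        GuestRenamed  = $guest.Name -ne 'Guest'
    }
}

# Local accounts of the member server being baselined.
$accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True'
$result = Test-BuiltinAccounts -Accounts $accounts
$result | Format-List
if (-not $result.AdminRenamed) { Write-Warning 'RID 500 account still has its default name.' }
if (-not ($result.GuestDisabled -or $result.GuestRenamed)) {
    Write-Warning 'Guest is enabled and still named Guest.'
}
```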


Time Synchronization
FSMO - Flexible Single Master Operation
PDC emulator is responsible for being the master time server for each domain
How do we sync everything up?
-
what does the pdc emulator do?
-master password database
-down level clients

if time stamps are off, users can't log in via Kerberos

building a time
first open notepad
-list all time servers(public only)
-www.ntp.org for time servers (e.g. ntp.nasa.gov, time-b.nist.gov)
-save so you can open thru cmd

second
-open cmd
-type in: w32tm /config /syncfromflags:manual /manualpeerlist:timeservers.txt

-enter and it will, if done right, sync
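
The two steps above as one script, as an added example that is not part of the original notes. `w32tm /manualpeerlist` takes the peers themselves as a space-separated list, so the script reads timeservers.txt and passes its contents; it assumes one host per line in that file, and `Get-PeerList` is this example's own helper name.

```powershell
# Added example, not from the original notes. Assumes timeservers.txt (the file
# saved in the first step) holds one public NTP host per line.
param([string]$PeerFile = 'timeservers.txt')

function Get-PeerList {
    param([string]$Path)
    # Keep non-empty, non-comment lines, trimmed and de-duplicated.
    $peers = Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Select-Object -Unique
    if (-not $peers) { throw "No peers found in $Path" }
    # Accept only plain host names or IPs so a stray character in the file
    # cannot change the w32tm command line.
    foreach ($p in $peers) {
        if ($p -notmatch '^[A-Za-z0-9.\-]+$') { throw "Bad peer entry: $p" }
    }
    return ($peers -join ' ')
}

$peerList = Get-PeerList -Path $PeerFile

# Run on the PDC emulator: sync from the manual list only and advertise this
# machine as a reliable time source for the domain.
& w32tm.exe /config /syncfromflags:manual "/manualpeerlist:$peerList" /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# Force an immediate sync against the new peers.
& w32tm.exe /resync
if ($LASTEXITCODE -ne 0) { throw "w32tm /resync failed with exit code $LASTEXITCODE" }
```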




ok going good today, one section down hopefully i'll whack off at least 1/2 of this next one before lunch and then a 3rd one after lunch. rinse repeat for thursday except we might leave early that day for the vet appt. really hate there are no written notes in this module... i have to keep pausing and rewinding to catch what he says



Configuring and Implementing Secure Baselines for Server Roles
Planning and configuring Domain Control
ntdsutil-not easy to use
syskey-configure system and make it require password








Security Threats to Domain Controllers
Threats?
-users; scripts that request kerberos authentications
-Physical access
-piggy backing
-social engineering


Active Directory database and log files
Ntds.dit
NT Directory Services.directory information
-the Active Directory database that stores all the Active Directory objects on the domain controller
Edb*.log
Exchange Database logs
-a transaction log file. the default transaction log file name is Edb.log
Edb.chk
-a checkpoint file used by the database engine to track the data not yet written to the Active Directory database file

Res1.log and Res2.log
the reserved transaction log files
-the reserved disk space provides the transaction log files sufficient room to shut down if all other disk space is being used



useful links
www.eventid.net
-helps identify unknown ID messages



SYSKEY
SYSKEY modes;
-Mode1 Obfuscated Key

-Mode2 Console Password

-Mode3 Floppy Storage of SYSKEY Password





Infrastructure servers
Enabling DHCP event logging
-select the Enable DHCP Audit Logging option
Restricting access to the DHCP Logs
-remove the Server Operators and Authenticated Users groups from the ACL of the %systemroot%\system32\dhcp\ folder





mhh mac&cheese while watching Dr.Horrible on my new iTouch. really nice pic quality. might debate getting 1hr-ish long show a week and jog while watching at the gym. would keep me more entertained than listening to music....

great source blog/site for Mac updates->http://www.tuaw.com
i'm only interested in the Touch but hey it's good to keep up on stuff

was highly amused by the article about the santa app that got pulled from the itunes store. it was a great idea, each day kids got to see a different xmas song/animation counting down to the 25th, however parents didn't seem to like the song for the 5th, after which they had to explain to little ones why grandma was killed by renegade horned ungulates.

the more i see what these things can do the more i want one, not a MAC mind you, I can't handle learning a new GUI, but i'm now leaning towards an iPhone when my contract runs out in april.

Comments

[info]meepalicious wrote:
Dec. 9th, 2008 07:26 pm (UTC)
I hope your snake is doing better. I'll be sending good vibes her way.

As for the CLAMP books, have you tried selling them on [info]garagesalejapan?