What are advance audit policy settings?

In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.

Please read this article for more details

Read More

Can you roll back Forest functional level of Windows 2008 R2?

After you set the forest functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if the Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. For more information about the Active Directory Recycle Bin, see What's New in AD DS: Active Directory Recycle Bin (http://go.microsoft.com/fwlink/?LinkId=141392). You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back to Windows Server 2003, for example.

For more details on forest Functional Level Please read this article.

Read More

What are Group Policy preferences in Windows 2008?

Group Policy preferences that are new in Windows Server 2008 and how to enable down-level computers to process these new items. Group Policy preferences are made up of more than 20 new Group Policy client-side extensions (CSEs) that expand the range of configurable settings in a Group Policy object (GPO). These new preference extensions are included in the Group Policy Management Editor window of the Group Policy Management Console (GPMC). The kinds of preference items that can be created by using each extension are listed when New is selected for the extension. Examples of the new Group Policy preference extensions include the following:

• Folder Options
• Drive Maps
• Printers
• Scheduled Tasks
• Services
• Start Menu

For more details please read this KB Article.

Download the Microsoft Doc file from here.

Read More

Explain Managed Service Accounts in Active Directory.

A new feature to manage service accounts in Windows 7 and Windows Server 2008 R2 to help you maintain and secure your IT environment.

Managed service accounts in Windows Server 2008 R2

Background
One of the security challenges for critical network applications is selecting the appropriate type of account for the application to run as:

• On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These service accounts are simple to configure and use, but they are typically shared among multiple applications and services and cannot be managed on a domain level.
• If you configure the application to use a domain account, you can isolate the privileges for the application. However, you need to manually manage passwords or create a custom solution for managing these passwords.

Overview of the managed service account
The managed service account is designed to provide applications such as SQL Server or Exchange with:

• Automatic password management, which can better isolate these services from other services on the computer.
  
  

  Important

  The default password refresh behavior for the managed service account is to be automatically updated every 30 days. However, this can cause a failed authentication attempt because the NTLM and Kerberos security support providers will not recognize the new password. To rectify this problem permanently, install the hot fix as described in the knowledge base article “Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2 (KB 2494158).”

• Simplified service principal name (SPN) management, which allows service administrators to set SPNs on these accounts. In addition, SPN management can be delegated to other administrators.

Management
To configure and manage these accounts for a service running on Windows 7 or Windows Server 2008 R2, you will need to use Windows PowerShell cmdlets. There is no UI support for creating and managing these accounts.
Service accounts are also supported on Windows Server 2003 and Windows Server 2008 domain controllers. For information about these requirements and additional configuration steps, see Managed Service Accounts Step-by-Step Guide.

Resources for managed service accounts

For information about how to set up managed service accounts, see Managed Service Accounts Step-by-Step Guide.

Read More

What is NTLM Blocker in Active Directory in Windows 2008?

Q. What is NTLM Blocker in Windows 2008 R2 and Windows 7?
Q. How does it work?
Q. Can we have any kind of exclusion?



New Group Policy settings in Windows 7 and Windows Server 2008 R2 permit the restriction of NTLM protocol usage on clients, servers, and domain controllers. These policies can be configured on computers running Windows 7 and Windows Server 2008 R2, which can affect NTLM usage on computers running earlier versions of Windows.
The following Security Option settings can be configured to help you restrict NTLM usage in your environment.

• Network Security: Restrict NTLM: Incoming NTLM Traffic
• Network Security: Restrict NTLM: NTLM authentication in this domain
• Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers

To know more click here

Read More