Download MCITP Guide to Microsoft Windows Server 2008 Server Administration

Document related concepts

Computer security wikipedia , lookup

Dynamic Host Configuration Protocol wikipedia , lookup

Wireless security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Games for Windows – Live wikipedia , lookup

Server Message Block wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Distributed firewall wikipedia , lookup

Hyper-V wikipedia , lookup

Lag wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Transcript
MCITP Guide to Microsoft
Windows Server 2008 Server
Administration (Exam #70-646)
Chapter 13
Securing Windows Server 2008
Learning Objectives
• Understand the security enhancements included in
Windows Server 2008
• Understand how Windows Server 2008 uses group
policies
• Understand and configure security policies
• Implement Active Directory Rights Management
Services
• Manage security using the Security Templates and
Security Configuration and Analysis snap-ins
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
2
Learning Objectives (cont’d.)
•
•
•
•
•
•
Configure security policies for client computers
Use the cipher command for encryption
Use BitLocker Drive Encryption
Configure Network Address Translation
Configure Windows Firewall
Implement Network Access Protection
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
3
Security Enhancements in Windows
Server 2008
• Reduced attack surface of the kernel through Server
Core
• Expanded group policy
• Windows Firewall
• Network Access Protection
• Security Configuration Wizard
• User Account Control
• BitLocker Drive Encryption
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
4
Security Enhancements in Windows
Server 2008 (cont’d.)
• Demilitarized zone (DMZ)
– Portion of a network that is between two networks
• New categories of group policy management
– Power management
– Assigning printers by location (particularly for mobile
users)
– Delegation of printer driver installation
– Security settings
– Internet Explorer settings
• Over 700 new policy settings
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
5
Security Enhancements in Windows
Server 2008 (cont’d.)
• User Account Control (UAC)
– Keep the user running in the standard user mode
– More fully insulate the kernel
• Administrator Approval Mode
• BitLocker Drive Encryption
– Prevents an intruder from bypassing ACL file and
folder protections
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
6
Introduction to Group Policy
• Group policy
– Standardize the working environment of clients and
servers by setting policies in Active Directory
• Set for many environments
• Defining characteristics of group policy
– Can be set for a site, domain, OU, or local computer
– Cannot be set for non-OU folder containers
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
7
Introduction to Group Policy (cont’d.)
• Defining characteristics of group policy (cont’d.)
–
–
–
–
Settings are stored in group policy objects (GPO)
GPOs can be local and nonlocal
Can be set up to affect user accounts and computers
When group policy is updated:
• Old policies are removed or updated for all clients
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
8
Securing Windows Server 2008 Using
Security Policies
• Security policies
–
–
–
–
–
Account Policies
Audit Policy
User Rights
Security Options
IP Security Policies
• Activity 13-1: Using the Group Policy Management
Snap-In
– Objective: Learn how to use the Group Policy
Management MMC snap-in
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
9
Establishing Account Policies
• Account policies
– Security measures set up in a group policy that
applies to all accounts or to all accounts in a
container
– Active Directory required
• Password Security
– First line of defense in Windows Server 2008
– Settings
• Expiration period
• Minimum length
• Other password security options that you can configure
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
10
Establishing Account Policies (cont’d.)
• Activity 13-2:
Configuring Password
Security
– Objective: Configure
the password security
in the default domain
security policy
Figure 13-3 Viewing security settings for
the default domain policy
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
11
Account Lockout
• Bar access to an account after a number of
unsuccessful tries
• Can be set to release
– After a specified period of time
– By intervention from the server administrator
• Parameters
– Account lockout duration
– Account lockout threshold
– Reset account lockout count after
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
12
Account Lockout (cont’d.)
• Activity 13-3: Configuring Account Lockout Policy
– Objective: Configure account lockout policy in the
default domain security policy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
13
Account Lockout (cont’d.)
Figure 13-6 Configuring account lockout duration
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
14
Account Lockout (cont’d.)
• Kerberos security
– Use of tickets exchanged between the client and the
server or Active Directory
• Designate Windows Server 2008 as a Kerberos key
distribution center
• Service ticket
– Good for the duration of a logon session
– Enables the computer to access network services
beginning with the Logon service
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
15
Account Lockout (cont’d.)
• Advanced Encryption Standard (AES) encryption
– Deployed by the U.S. federal government
– More secure than DES
• Windows NT LAN Manager version 2 (NTLMv2)
– Default authentication
– Should change to Kerberos if possible
• Options for configuring Kerberos
– Enforce user logon restrictions
– Maximum lifetime for service ticket
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
16
Account Lockout (cont’d.)
• Options for configuring Kerberos (cont’d.)
– Maximum lifetime for user ticket
– Maximum lifetime for user ticket renewal
– Maximum tolerance for computer clock
synchronization
• Activity 13-4: Configuring Kerberos Security
– Objective: Configure Kerberos in the default domain
security policy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
17
Figure 13-7 Configuring Kerberos Policy
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
18
Establishing Audit Policies
• Specify account auditing
– Track activity associated with accounts
• Examples of events an organization can audit
–
–
–
–
–
–
Account logon (and logoff) events
Account management
Directory service access
Logon (and logoff) events at the local computer
Object access
Policy change
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
19
Establishing Audit Policies (cont’d.)
• Examples of events an organization can audit
(cont’d.)
– Privilege use
– Process tracking
– System events
• Activity 13-5: Configuring Auditing
– Objective: Configure an audit policy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
20
Establishing Audit Policies (cont’d.)
Figure 13-8 Configuring account logon
auditing
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
21
Configuring User Rights
• Ability to access a server
– Most basic right
• More advanced rights
• General categories of rights
– Privileges
• Relate to the ability to manage server or Active
Directory functions
– Logon rights
• Related to accessing accounts, computers, and
services
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
22
Configuring User Rights (cont’d.)
• Activity 13-6: Configuring User Rights
– Objective: Learn how to configure user rights
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
23
Configuring Security Options
• Over 78 specialized security options
• Categories:
–
–
–
–
–
–
–
–
Accounts
Audit
DCOM
Devices
Domain controller
Interactive logon
Microsoft network client
Network access
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
–
–
–
–
–
–
–
Network security
Recovery console
Shutdown
System cryptography
System objects
System settings
User Account Control
24
Configuring Security Options (cont’d.)
• Activity 13-7: Configuring Security Options
– Objective: Examine the Security Options and
configure an option
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
25
Figure 13-11 Accessing the Security Options
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
26
Using IP Security Policies
• IP Security (IPsec)
– IP-based secure communications and encryption
standards
– Computers first exchange certificates
– Next, data is encrypted at the NIC of the sending
computer as it is formatted into an IP packet
• Use Default Domain Policy to manage Information
Policies for a domain
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
27
Using IP Security Policies (cont’d.)
• Roles
– Client (Respond Only)
– Secure Server (Require Security)
– Server (Request Security)
• Activity 13-8: Configuring IPsec in the Default
Domain Policy
– Objective: Configure IPsec group policy elements
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
28
Active Directory Rights Management
Services
• Active Directory Rights Management Services
(AD RMS) server role
– Complements client applications that can take
advantage of Rights Management Services
safeguards
• Rights Management Services (RMS)
– Security rights that provide security for documents,
spreadsheets, e-mail, etc.
– Uses security capabilities such as encryption, user
authentication, and security certificates
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
29
Managing Security Using the Security
Templates and Security and
Configuration Analysis Snap-Ins
• Security Templates MMC snap-in
–
–
–
–
–
–
–
Account policies
Local policies
Event log tracking policies
Group restrictions
Service access security
Registry security
File system security
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
30
Managing Security Using the Security
Templates and Security and
Configuration Analysis Snap-Ins (cont’d.)
• Activity 13-9: Using the Security Templates Snap-In
– Objective: Learn to use the Security Templates snapin
• Activity 13-10: Using the Security Configuration and
Analysis Snap-In
– Objective: Explore the features of the Security
Configuration and Analysis snap-in
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
31
Figure 13-17 Log file contents
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
32
Configuring Client Security Using
Policies in Windows Server 2008
• Customize desktop and other settings for client
computers
• Configure policies on Windows Server 2008 server
• When the client logs on, policies are applied
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
33
Manually Configuring Policies for
Clients
• Manually configure policies that apply to clients
– To accomplish specific purposes
• Use the Group Policy Object Editor snap-in
– Or customized snap-in
• Activity 13-11: Configuring Policies to Apply to
Clients
– Objective: Learn how to configure a group policy to
apply to Windows Server 2008 clients
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
34
Table 13-1 Options for configuring administrative templates settings
under User Configuration
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
35
Publishing and Assigning Software
• Publishing applications
– Setting up software through a group policy
– Application is available for users to install from a
central application distribution server
• Assigning applications
– Application automatically represented on user’s
desktop
• Activity 13-12: Configuring Software Installation
– Objective: Learn where to set up software installation
in a group policy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
36
Resultant Set of Policy
• Make implementation and troubleshooting of group
policies simpler for administrator
• Query existing policies
– Provide reports and the results of policy changes
• Supports two modes: planning and logging
• Activity 13-13: Using the Resultant Set of Policy
Tool
– Objective: Learn how to use the Resultant Set of
Policy tool
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
37
Using the cipher Command
• Use cipher command
– Encrypt files and folders
– Use parameters listed in Table 13-2
• Activity 13-14: Using the cipher Command
– Objective: Use the cipher command in the Command
Prompt window
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
38
Using BitLocker Drive Encryption
• BitLocker Drive Encryption
– Uses Trusted Platform Module security specification
– Hardware device used to secure information on a
different hardware device
• Security chip manufacturers
– Broadcom, Infineon, STMicroelectonics
• Can also be used with a USB flash drive containing
a personal identification number (PIN)
• Activity 13-15: Installing BitLocker Drive Encryption
– Objective: Set up BitLocker Drive Encryption
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
39
Configuring NAT
• NAT functions
– Automatically assign its own IP addresses on an
internal network
– Computers on external networks cannot identify
internal network computers’ true IP addresses
• Uses a pool of private addresses for its internal
network
• Acts like a firewall
– Outside world sees only one address
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
40
Configuring NAT (cont’d.)
• Activity 13-16: Configuring NAT
– Objective: Configure NAT for the VPN you set up in
Chapter 10
Figure 13-24 Selecting NAT
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
41
Windows Firewall
• Improvements compared with previous version
– Protects incoming and outgoing communications
– Merges firewall filters with IPsec settings to avoid
settings conflicts
– Includes the Windows Firewall with Advanced
Security MMC snap-in
– Has firewall exceptions or rules for several kinds of
managed objects
• Configure exceptions and advanced features
– Exceptions
• Programs allowed through the firewall in both directions
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
42
Windows Firewall (cont’d.)
• Use Control Panel for configuration
• Activity 13-17: Configuring Windows Firewall via
Control Panel
– Objective: Configure Windows Firewall from Control
Panel
• Activity 13-18: Configuring Windows Firewall Using
the Snap-In
– Objective: Use the Windows Firewall with Advanced
Security MMC snap-in
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
43
Figure 13-27 Managing Windows Firewall from Server Manager
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
44
Network Access Protection
• Network Access Protection (NAP)
– New feature of Windows Server 2008
• Keeps network healthy
– Identifies clients that do not comply with security
policies
– Limits access by noncompliant computers
– Automatically updates or configures a noncompliant
computer
– Continuously checks to ensure that computers remain
in compliance
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
45
IPsec
• When used with NAP, IPsec ensures that
noncompliant computers are quarantined
• Health Registration Authority (HRA)
– Network clients contact HRA server and submit
Statement of Health (SoH)
• HRA server configured through a Network Policy
Server (NPS)
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
46
VPN
• NAP works through VPN
– Enforces remote access policy configured for VPN
• When client attempts to connect
– Checked against the remote access policy configured
in the NPS server
– If the client properly verifies, access is granted
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
47
DHCP
• DHCP with NAP
– Secure the DHCP process
– Configured through a Network Policy Server
– Issues different information depending on compliance
• Remediation server
– Provides updates and security policy changes to the
client
– Brings client into compliance
• DHCP issues noncompliant computer IP address of
remediation server
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
48
TS Gateway
• Ensures secure access and communication when
Terminal Services used
• Uses the HRA server to ensure client compliant with
the health and security policies on a network
• Does not enable communications with remediation
server
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
49
802.1X
• 802.1X
– Wired and wireless authentication approach offered
by the IEEE
• Port-based form of authentication
– Network port allows unauthenticated communications
only until a client has been verified as NAP compliant
– Non-authenticated communications blocked
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
50
802.1X (cont’d.)
• Activity 13-19: Using Network Policy Server to
Configure NAP
– Objective: Learn about using Network Policy Server
for NAP configuration
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
51
Figure 13-28 Connection method options
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
52
Summary
• Many new or enhanced security features in
Windows Server 2008
• Group policy
– Standardize security across a domain, OU, site, or
local server
• Use audit policies to track how resources are
accessed
• Security options
– Specialized policies for accounts, auditing, devices,
domain controllers, logon, clients, network security,
system shutdown, system settings, and others
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
53
Summary (cont’d.)
• Use Resultant Set of Policy
– Plan and troubleshoot group policy settings
• BitLocker Drive Encryption
– Security measure for protecting entire hard drives
• Network Access Protection
– Keeps a network healthy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
54