Chapter 13 Securing Windows Server 2008


1 Chapter 13 Securing Windows Server 2008
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 13 Securing Windows Server 2008

2 Learning Objectives
Understand the security enhancements included in Windows Server 2008
Understand how Windows Server 2008 uses group policies
Understand and configure security policies
Implement Active Directory Rights Management Services
Manage security using the Security Templates and Security Configuration and Analysis snap-ins

3 Learning Objectives (cont’d.)
Configure security policies for client computers
Use the cipher command for encryption
Use BitLocker Drive Encryption
Configure Network Address Translation
Configure Windows Firewall
Implement Network Access Protection

4 Security Enhancements in Windows Server 2008
Reduced attack surface of the kernel through Server Core
Expanded group policy
Windows Firewall
Network Access Protection
Security Configuration Wizard
User Account Control
BitLocker Drive Encryption

5 Security Enhancements in Windows Server 2008 (cont’d.)
Demilitarized zone (DMZ)
  Portion of a network that is between two networks
New categories of group policy management
  Power management
  Assigning printers by location (particularly for mobile users)
  Delegation of printer driver installation
  Security settings
  Internet Explorer settings
Over 700 new policy settings

6 Security Enhancements in Windows Server 2008 (cont’d.)
User Account Control (UAC)
  Keep the user running in the standard user mode
  More fully insulate the kernel
  Administrator Approval Mode
BitLocker Drive Encryption
  Prevents an intruder from bypassing ACL file and folder protections

7 Introduction to Group Policy
Standardize the working environment of clients and servers by setting policies in Active Directory
Set for many environments
Defining characteristics of group policy
  Can be set for a site, domain, OU, or local computer
  Cannot be set for non-OU folder containers

8 Introduction to Group Policy (cont’d.)
Defining characteristics of group policy (cont’d.)
  Settings are stored in group policy objects (GPO)
  GPOs can be local and nonlocal
  Can be set up to affect user accounts and computers
  When group policy is updated:
    Old policies are removed or updated for all clients

9 Securing Windows Server 2008 Using Security Policies
Account Policies
Audit Policy
User Rights
Security Options
IP Security Policies
Activity 13-1: Using the Group Policy Management Snap-In
  Objective: Learn how to use the Group Policy Management MMC snap-in

10 Establishing Account Policies
Security measures set up in a group policy that applies to all accounts or to all accounts in a container
Active Directory required
Password Security
  First line of defense in Windows Server 2008
  Settings
    Expiration period
    Minimum length
    Other password security options that you can configure

11 Establishing Account Policies (cont’d.)
Activity 13-2: Configuring Password Security
  Objective: Configure the password security in the default domain security policy
Figure 13-3 Viewing security settings for the default domain policy
Courtesy Course Technology/Cengage Learning

12 Account Lockout
Bar access to an account after a number of unsuccessful tries
Can be set to release
  After a specified period of time
  By intervention from the server administrator
Parameters
  Account lockout duration
  Account lockout threshold
  Reset account lockout count after

13 Account Lockout (cont’d.)
Activity 13-3: Configuring Account Lockout Policy
  Objective: Configure account lockout policy in the default domain security policy

14 Account Lockout (cont’d.)
Figure 13-6 Configuring account lockout duration
Courtesy Course Technology/Cengage Learning

15 Account Lockout (cont’d.)
Kerberos security
  Use of tickets exchanged between the client and the server or Active Directory
  Designate Windows Server 2008 as a Kerberos key distribution center
  Service ticket
    Good for the duration of a logon session
    Enables the computer to access network services beginning with the Logon service

16 Account Lockout (cont’d.)
Advanced Encryption Standard (AES) encryption
  Deployed by the U.S. federal government
  More secure than DES
Windows NT LAN Manager version 2 (NTLMv2)
  Default authentication
  Should change to Kerberos if possible
Options for configuring Kerberos
  Enforce user logon restrictions
  Maximum lifetime for service ticket

17 Account Lockout (cont’d.)
Options for configuring Kerberos (cont’d.)
  Maximum lifetime for user ticket
  Maximum lifetime for user ticket renewal
  Maximum tolerance for computer clock synchronization
Activity 13-4: Configuring Kerberos Security
  Objective: Configure Kerberos in the default domain security policy

18 Figure 13-7 Configuring Kerberos Policy
Courtesy Course Technology/Cengage Learning

19 Establishing Audit Policies
Specify account auditing
Track activity associated with accounts
Examples of events an organization can audit
  Account logon (and logoff) events
  Account management
  Directory service access
  Logon (and logoff) events at the local computer
  Object access
  Policy change

20 Establishing Audit Policies (cont’d.)
Examples of events an organization can audit (cont’d.)
  Privilege use
  Process tracking
  System events
Activity 13-5: Configuring Auditing
  Objective: Configure an audit policy

21 Establishing Audit Policies (cont’d.)
Figure 13-8 Configuring account logon auditing
Courtesy Course Technology/Cengage Learning
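
The password, account lockout, Kerberos and audit settings from slides 10 to 21 can be exported to a security template and checked offline. The following is an added example, not part of the original presentation: it audits a constructed template in the INF layout that `secedit /export /cfg` writes, and the baseline values are assumptions chosen for illustration.

```python
import configparser

# Constructed sample in the INF layout of a security template, as written by
# `secedit /export /cfg <file>` (real exports are UTF-16; this string is not).
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxServiceAge = 900
MaxClockSkew = 5
TicketValidateClient = 1
[Event Audit]
AuditAccountLogon = 1
AuditPolicyChange = 0
"""

# Assumed baseline for illustration only (the chapter gives no target values):
# (section, key, predicate, requirement text). Audit values: 0 none,
# 1 success, 2 failure, 3 success and failure.
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 12, "at least 12 characters"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "complexity enabled"),
    ("System Access", "LockoutBadCount", lambda v: 0 < v <= 10, "lockout after 1-10 bad logons"),
    ("Kerberos Policy", "MaxClockSkew", lambda v: v <= 5, "clock tolerance <= 5 minutes"),
    ("Kerberos Policy", "TicketValidateClient", lambda v: v == 1, "enforce user logon restrictions"),
    ("Event Audit", "AuditAccountLogon", lambda v: v == 3, "audit success and failure"),
    ("Event Audit", "AuditPolicyChange", lambda v: v == 3, "audit success and failure"),
]

def audit_template(text):
    """Return (key, found, required) for every setting that misses the baseline."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(text)
    findings = []
    for section, key, ok, required in BASELINE:
        raw = cp.get(section, key, fallback=None)
        if raw is None or not ok(int(raw)):
            findings.append((key, raw if raw is not None else "not defined", required))
    # Cross-field rule: a service ticket (minutes) may not outlive the user ticket (hours).
    service = cp.getint("Kerberos Policy", "MaxServiceAge", fallback=None)
    user = cp.getint("Kerberos Policy", "MaxTicketAge", fallback=None)
    if service is not None and user is not None and service > user * 60:
        findings.append(("MaxServiceAge", str(service), f"<= {user * 60} minutes"))
    return findings

if __name__ == "__main__":
    for key, found, required in audit_template(SAMPLE_INF):
        print(f"{key}: found {found}, baseline wants {required}")
```

A lockout threshold of 0 means accounts never lock out, which is why the sample fails that check even though the key is present.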

22 Configuring User Rights
Ability to access a server
Most basic right
More advanced rights
General categories of rights
  Privileges
    Relate to the ability to manage server or Active Directory functions
  Logon rights
    Related to accessing accounts, computers, and services

23 Configuring User Rights (cont’d.)
Activity 13-6: Configuring User Rights
  Objective: Learn how to configure user rights

24 Configuring Security Options
Over 78 specialized security options
Categories:
  Accounts
  Audit
  DCOM
  Devices
  Domain controller
  Interactive logon
  Microsoft network client
  Network access
  Network security
  Recovery console
  Shutdown
  System cryptography
  System objects
  System settings
  User Account Control

25 Configuring Security Options (cont’d.)
Activity 13-7: Configuring Security Options
  Objective: Examine the Security Options and configure an option

26 Figure 13-11 Accessing the Security Options
Courtesy Course Technology/Cengage Learning

27 Using IP Security Policies
IP Security (IPsec)
  IP-based secure communications and encryption standards
  Computers first exchange certificates
  Next, data is encrypted at the NIC of the sending computer as it is formatted into an IP packet
Use Default Domain Policy to manage Information Policies for a domain

28 Using IP Security Policies (cont’d.)
Roles
  Client (Respond Only)
  Secure Server (Require Security)
  Server (Request Security)
Activity 13-8: Configuring IPsec in the Default Domain Policy
  Objective: Configure IPsec group policy elements

29 Active Directory Rights Management Services
Active Directory Rights Management Services (AD RMS) server role
  Complements client applications that can take advantage of Rights Management Services safeguards
Rights Management Services (RMS)
  Security rights that provide security for documents, spreadsheets, , etc.
  Uses security capabilities such as encryption, user authentication, and security certificates

30 Managing Security Using the Security Templates and Security and Configuration Analysis Snap-Ins
Security Templates MMC snap-in
  Account policies
  Local policies
  Event log tracking policies
  Group restrictions
  Service access security
  Registry security
  File system security

31 Managing Security Using the Security Templates and Security and Configuration Analysis Snap-Ins (cont’d.)
Activity 13-9: Using the Security Templates Snap-In
  Objective: Learn to use the Security Templates snap-in
Activity 13-10: Using the Security Configuration and Analysis Snap-In
  Objective: Explore the features of the Security Configuration and Analysis snap-in

32 Figure 13-17 Log file contents
Courtesy Course Technology/Cengage Learning

33 Configuring Client Security Using Policies in Windows Server 2008
Customize desktop and other settings for client computers
Configure policies on Windows Server 2008 server
When the client logs on, policies are applied

34 Manually Configuring Policies for Clients
Manually configure policies that apply to clients
  To accomplish specific purposes
Use the Group Policy Object Editor snap-in
  Or customized snap-in
Activity 13-11: Configuring Policies to Apply to Clients
  Objective: Learn how to configure a group policy to apply to Windows Server 2008 clients

35 Table 13-1 Options for configuring administrative templates settings under User Configuration

36 Publishing and Assigning Software
Publishing applications
  Setting up software through a group policy
  Application is available for users to install from a central application distribution server
Assigning applications
  Application automatically represented on user’s desktop
Activity 13-12: Configuring Software Installation
  Objective: Learn where to set up software installation in a group policy

37 Resultant Set of Policy
Make implementation and troubleshooting of group policies simpler for administrator
Query existing policies
Provide reports and the results of policy changes
Supports two modes: planning and logging
Activity 13-13: Using the Resultant Set of Policy Tool
  Objective: Learn how to use the Resultant Set of Policy tool

38 Using the cipher Command
Use cipher command
  Encrypt files and folders
  Use parameters listed in Table 13-2
Activity 13-14: Using the cipher Command
  Objective: Use the cipher command in the Command Prompt window

39 Using BitLocker Drive Encryption
Uses Trusted Platform Module security specification
  Hardware device used to secure information on a different hardware device
  Security chip manufacturers
    Broadcom, Infineon, STMicroelectronics
Can also be used with a USB flash drive containing a personal identification number (PIN)
Activity 13-15: Installing BitLocker Drive Encryption
  Objective: Set up BitLocker Drive Encryption

40 Configuring NAT
NAT functions
  Automatically assign its own IP addresses on an internal network
  Computers on external networks cannot identify internal network computers’ true IP addresses
  Uses a pool of private addresses for its internal network
  Acts like a firewall
  Outside world sees only one address

41 Configuring NAT (cont’d.)
Activity 13-16: Configuring NAT
  Objective: Configure NAT for the VPN you set up in Chapter 10
Figure Selecting NAT
Courtesy Course Technology/Cengage Learning

42 Windows Firewall
Improvements compared with previous version
  Protects incoming and outgoing communications
  Merges firewall filters with IPsec settings to avoid settings conflicts
  Includes the Windows Firewall with Advanced Security MMC snap-in
  Has firewall exceptions or rules for several kinds of managed objects
Configure exceptions and advanced features
Exceptions
  Programs allowed through the firewall in both directions

43 Windows Firewall (cont’d.)
Use Control Panel for configuration
Activity 13-17: Configuring Windows Firewall via Control Panel
  Objective: Configure Windows Firewall from Control Panel
Activity 13-18: Configuring Windows Firewall Using the Snap-In
  Objective: Use the Windows Firewall with Advanced Security MMC snap-in

44 Figure 13-27 Managing Windows Firewall from Server Manager
Courtesy Course Technology/Cengage Learning

45 Network Access Protection
Network Access Protection (NAP)
  New feature of Windows Server 2008
  Keeps network healthy
  Identifies clients that do not comply with security policies
  Limits access by noncompliant computers
  Automatically updates or configures a noncompliant computer
  Continuously checks to ensure that computers remain in compliance

46 IPsec
When used with NAP, IPsec ensures that noncompliant computers are quarantined
Health Registration Authority (HRA)
  Network clients contact HRA server and submit Statement of Health (SoH)
  HRA server configured through a Network Policy Server (NPS)

47 VPN
NAP works through VPN
  Enforces remote access policy configured for VPN
When client attempts to connect
  Checked against the remote access policy configured in the NPS server
  If the client properly verifies, access is granted

48 DHCP
DHCP with NAP
  Secure the DHCP process
  Configured through a Network Policy Server
  Issues different information depending on compliance
Remediation server
  Provides updates and security policy changes to the client
  Brings client into compliance
  DHCP issues noncompliant computer IP address of remediation server

49 TS Gateway
Ensures secure access and communication when Terminal Services used
Uses the HRA server to ensure client compliant with the health and security policies on a network
Does not enable communications with remediation server

50 802.1X
802.1X
  Wired and wireless authentication approach offered by the IEEE
Port-based form of authentication
  Network port allows unauthenticated communications only until a client has been verified as NAP compliant
  Non-authenticated communications blocked

51 802.1X (cont’d.)
Activity 13-19: Using Network Policy Server to Configure NAP
  Objective: Learn about using Network Policy Server for NAP configuration

52 Figure 13-28 Connection method options
Courtesy Course Technology/Cengage Learning

53 Summary
Many new or enhanced security features in Windows Server 2008
Group policy
  Standardize security across a domain, OU, site, or local server
Use audit policies to track how resources are accessed
Security options
  Specialized policies for accounts, auditing, devices, domain controllers, logon, clients, network security, system shutdown, system settings, and others

54 Summary (cont’d.)
Use Resultant Set of Policy
  Plan and troubleshoot group policy settings
BitLocker Drive Encryption
  Security measure for protecting entire hard drives
Network Access Protection
  Keeps a network healthy

