Clinic Security and Policy Enforcement in Windows Server 2008.
-
Upload
hugh-scot-hall -
Category
Documents
-
view
218 -
download
2
Transcript of Clinic Security and Policy Enforcement in Windows Server 2008.
![Page 1: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/1.jpg)
Clinic
Security and Policy Enforcement in Windows
Server 2008
![Page 2: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/2.jpg)
Introduction
Name
Company affiliation
Title/function
Job responsibility
Windows Server 2003, XP and Vista experience
Security Experience
Expectations
![Page 3: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/3.jpg)
Facilities
Class hours
Building hours
Parking
Restrooms
Meals
Phones
Messages
Smoking
Recycling
![Page 4: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/4.jpg)
About This Clinic
Description
Clinic Objectives
Audience
Prerequisites
![Page 5: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/5.jpg)
Clinic Outline
Security Enhancements in Windows Server 2008
Network Access Protection
![Page 6: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/6.jpg)
Technology Technology framework to help framework to help maximize the value maximize the value of your IT of your IT investmentsinvestmentsStructured way to Structured way to drive cost drive cost reduction, security reduction, security & efficiency gains & efficiency gains and boost agilityand boost agilityBased on industry Based on industry analyst and analyst and academic workacademic workProvides guidance Provides guidance and best practices and best practices for step-by-step for step-by-step implementationimplementation
Infrastructure Optimization
![Page 7: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/7.jpg)
Security Enhancements in Windows Server 2008
![Page 8: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/8.jpg)
Overview
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security (WFAS)
Internet Protocol Security (IPSec)
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security (WFAS)
Internet Protocol Security (IPSec)
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
![Page 9: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/9.jpg)
Technical Background
Windows Firewall with Advanced SecurityWindows Firewall with Advanced Security
Internet Security Protocol (IPSec)Internet Security Protocol (IPSec)
Active Directory Domain Services AuditingActive Directory Domain Services Auditing
Read-Only Domain Controller (RODC)Read-Only Domain Controller (RODC)
Enterprise PKIEnterprise PKI
BitLocker Drive EncryptionBitLocker Drive Encryption
![Page 10: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/10.jpg)
Windows Firewall with Advanced Security
![Page 11: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/11.jpg)
Demonstration: Windows Firewall with Advanced Security
• Creating Inbound and Outbound Rules
• Creating a Firewall Rule Limiting a Service
![Page 12: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/12.jpg)
IPSec
Integrated with WFAS
IPSec Improvements
Simplified IPSec Policy Configuration
Client-to-DC IPSec Protection
Improved Load Balancing and Clustering Server Support
Improved IPSec Authentication
Integration with NAP
Multiple Authentication Methods
New Cryptographic Support
Integrated IPv4 and IPv6 Support
Extended Events and Performance Monitor Counters
Network Diagnostics Framework Support
Integrated with WFAS
IPSec Improvements
Simplified IPSec Policy Configuration
Client-to-DC IPSec Protection
Improved Load Balancing and Clustering Server Support
Improved IPSec Authentication
Integration with NAP
Multiple Authentication Methods
New Cryptographic Support
Integrated IPv4 and IPv6 Support
Extended Events and Performance Monitor Counters
Network Diagnostics Framework Support
![Page 13: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/13.jpg)
Demonstration: Creating IPSec Policies
• Creating an IPSec Rule
• Specifying different Authentication Methods
• Activate and Deactivate Rules
![Page 14: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/14.jpg)
AD Domain Services Auditing
What changes have been made to AD DS auditing?
What changes have been made to AD DS auditing?
![Page 15: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/15.jpg)
Read-Only Domain Controller (RODC)
New Functionality
AD Database
Unidirectional Replication
Credential Caching
Password Replication Policy
Administrator Role Separation
Read-Only DNS
New Functionality
AD Database
Unidirectional Replication
Credential Caching
Password Replication Policy
Administrator Role Separation
Read-Only DNS
Requirements/Special ConsiderationsRequirements/Special Considerations
RODC
![Page 16: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/16.jpg)
BitLocker Drive Encryption (BDE)
Data Protection
Drive Encryption
Integrity Checking
Data Protection
Drive Encryption
Integrity Checking
BDE Hardware and Software RequirementsBDE Hardware and Software Requirements
![Page 17: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/17.jpg)
Enterprise PKI
Easier management through PKIView
Certificate Web Enrollment
Network Device Enrollment Service
Managing Certificate with Group Policy
Certificate Deployment Changes
Online Certificate Status Protocol (OCSP) Support
Cryptographic Next Generation
Easier management through PKIView
Certificate Web Enrollment
Network Device Enrollment Service
Managing Certificate with Group Policy
Certificate Deployment Changes
Online Certificate Status Protocol (OCSP) Support
Cryptographic Next Generation
![Page 18: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/18.jpg)
Implementation/Usage Scenarios
Enforce Security PolicyEnforce Security Policy
Improve Domain SecurityImprove Domain Security
Improve System SecurityImprove System Security
Improve Network Communications SecurityImprove Network Communications Security
![Page 19: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/19.jpg)
Recommendations
Implement Network Access ProtectionImplement Network Access Protection
Use Windows Firewall and Advanced Security to implement IPSecUse Windows Firewall and Advanced Security to implement IPSec
Deploy Read-Only Domain Controllers, where appropriateDeploy Read-Only Domain Controllers, where appropriate
Implement BitLocker Drive EncryptionImplement BitLocker Drive Encryption
Carefully test and plan all security policiesCarefully test and plan all security policies
Take advantage of PKI improvementsTake advantage of PKI improvements
![Page 20: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/20.jpg)
Summary
Windows Server 2008 includes a variety of new security initiatives and features:
• Network Access Protection• Windows Firewall and Advanced Security (WFAS)
enhancements• IPSec improvements• Windows Server Hardening• Server and Domain Isolation• Active Directory Domain Services Auditing• Read-Only Domain Controllers (RODCs)• BitLocker Drive Encryption• Removeable Device Installation Control• Improvements to Enterprise PKI capabilities
Windows Server 2008 includes a variety of new security initiatives and features:
• Network Access Protection• Windows Firewall and Advanced Security (WFAS)
enhancements• IPSec improvements• Windows Server Hardening• Server and Domain Isolation• Active Directory Domain Services Auditing• Read-Only Domain Controllers (RODCs)• BitLocker Drive Encryption• Removeable Device Installation Control• Improvements to Enterprise PKI capabilities
![Page 21: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/21.jpg)
Questions and Answers
![Page 22: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/22.jpg)
Network Access Protection in Windows Server 2008
![Page 23: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/23.jpg)
Overview
Network Access ProtectionNetwork Access Protection
Net work Access Protection Network Access Quarantine Control
Internal, VPN and Remote Access Client
Only VPN and Remote Access Clients
IPSec, 802.1X, DHCP and VPN DHCP and VPN
NAP NPS and Client included in Windows Server 2008 ; NAP client included in Vista
Installed from Windows Server 2003 Resource Kit
![Page 24: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/24.jpg)
Technical Background
NAP Platform ArchitectureNAP Platform Architecture
NAP Enforcement MethodsNAP Enforcement Methods
NAP InfrastructureNAP Infrastructure
NAP Client ArchitectureNAP Client Architecture
NAP Server ArchitectureNAP Server Architecture
Component CommunicationComponent Communication
![Page 25: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/25.jpg)
NAP Infrastructure
Health Policy ValidationHealth Policy Validation
Health Policy ComplianceHealth Policy Compliance
Automatic RemediationAutomatic Remediation
Limited AccessLimited Access
![Page 26: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/26.jpg)
NAP Platform Architecture
![Page 27: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/27.jpg)
NAP Enforcement Client
802.1X802.1X
VPNVPN
IPSecIPSec
DHCPDHCP
NPS RADIUSNPS RADIUS
![Page 28: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/28.jpg)
Demonstration: Network Access Protection
• Create a NAP Policy
• Using the MMC to Create NAP Configuration settings
• Create a new RADIUS Client
• Create a new System Health Validator for Windows Vista and Windows XP SP2
![Page 29: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/29.jpg)
How NAP Works
IPSec EnforcementIPSec Enforcement
IEEE 802.1XIEEE 802.1X
Logical NetworksLogical Networks
Remote Access VPNsRemote Access VPNs
DHCPDHCP
![Page 30: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/30.jpg)
IPSec Enforcement in Logical Networks
![Page 31: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/31.jpg)
Communication Initiation Process with IPSec Enforcement
![Page 32: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/32.jpg)
NAP Client Health Certificate Process
![Page 33: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/33.jpg)
IPSec Enforcement in NAP
![Page 34: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/34.jpg)
802.1x Authenticated Connections
![Page 35: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/35.jpg)
NAP Authentication Process Background
Network Access Protection SettingsNetwork Access Protection Settings
Authorization PoliciesAuthorization Policies
Authentication ProcessAuthentication Process
![Page 36: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/36.jpg)
Implementation/Usage Scenarios
Ensuring the Health of Corporate DesktopsEnsuring the Health of Corporate Desktops
Checking the Health and Status of Roaming LaptopsChecking the Health and Status of Roaming Laptops
Determining the Health of Visiting LaptopsDetermining the Health of Visiting Laptops
Verify the Compliance of Home ComputersVerify the Compliance of Home Computers
![Page 37: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/37.jpg)
Recommendations
Carefully test and verify all IPSec PoliciesCarefully test and verify all IPSec Policies
Use Quality of Service to improve bandwidthUse Quality of Service to improve bandwidth
When using IPSec – employ ESP with encryptionWhen using IPSec – employ ESP with encryption
Plan to Prioritize traffic on the networkPlan to Prioritize traffic on the network
Apply Network Access Protection to secure client computers Apply Network Access Protection to secure client computers
Consider Using Domain IsolationConsider Using Domain Isolation
![Page 38: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/38.jpg)
Summary
Network Access Protection:
Secures Remote Computers before accessing the Network
Has Client and Server Components
Can Use One or More of Several methods for Enforcement
IPSec
802.1X
VPN
DHCP
Provides Support for Third Party Software
Network Access Protection:
Secures Remote Computers before accessing the Network
Has Client and Server Components
Can Use One or More of Several methods for Enforcement
IPSec
802.1X
VPN
DHCP
Provides Support for Third Party Software
![Page 39: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/39.jpg)
Questions and Answers
![Page 40: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/40.jpg)
Lab: Network Access Protection
In this lab, you will:
Network Communications using WFAS
Enforcing network communication policy using Policy-based QoS
Network Access Protection with Windows Server 2008
![Page 41: Clinic Security and Policy Enforcement in Windows Server 2008.](https://reader038.fdocuments.net/reader038/viewer/2022110100/56649ddd5503460f94ad548f/html5/thumbnails/41.jpg)
What Next?
Windows Server 2008 Beta: https://connect.microsoft.com
Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
Network Access Protection• Home Page: http://www.microsoft.com/nap
• Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884
• Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885
• Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886
• IPSec: http://www.microsoft.com/ipsec
• Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx