
(ITI310)

By Eng. BASSEM ALSAID

SESSION 2: Server Configuration & Administration Notes

SAT 31-Oct-2015


Session Abstract

Systems running Windows Server 2008 provide services to different kinds of business. Consequently, they should be secure and manageable from a distance.

Learning Objectives

Upon completion of this part, the student will be able to:

– Manipulate BitLocker Drive Encryption
– Manipulate Remote Desktop Administration
– Manipulate GPT & MBR Disks


• BitLocker Drive Encryption is a security feature offered in all editions of Windows Server 2008.

• Basically, BitLocker encrypts disk volumes (OS files and data files). These files will be inaccessible if the computer and/or drive are stolen. The encryption key is written to a USB flash drive during the BitLocker configuration process.

• In order to use BitLocker, the system should meet the following conditions:
  – A minimum of 1.5 GB of available unallocated disk space.
  – BIOS supporting clearing of system RAM on reboot.

• To take advantage of all BitLocker features, the following requirements proposed by the Trusted Computing Group (TCG) are necessary:
  – Trusted Platform Module (TPM) chip.
  – Trusted Computing Group BIOS.


• The TCG consortium was founded in 1999. The main players and promoters (>200 members) are AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun and others.

• The main goal of this foundation is: “Offering protected (encrypted) hardware storage where only ‘authorized’ software can decrypt data (for example, by protecting the key used to decrypt the file system)”.

Main TPM Chip vendors are: Atmel, Infineon, National, STMicro, Intel D875GRH motherboard

Systems containing TPM chips are: Lenovo (IBM) ThinkPads and desktops, Fujitsu LifeBook, HP desktops and notebooks, Acer, Toshiba, Panasonic, Gateway, Dell.


BitLocker Drive Encryption requires two partitions on the hard disk drive:

• The system volume, which contains the unencrypted boot information. This volume must be at least 1.5 GB in size and must be created before enabling the BitLocker Drive Encryption feature.

• The operating system volume, which will be encrypted and contains the operating system and user data.


PRACTICE I: Enabling BitLocker Drive Encryption feature

• Open the Start menu and select Server Manager.
• Select the Features option.
• Click on Add New Features to invoke the New Features Wizard.
• Select BitLocker Drive Encryption and click on the Next button.
• Click on the Install button.
• Upon completion of the installation process, it will be necessary to reboot the system in order to implement the change.
• After the restart has completed, the Add Features Wizard will restart and complete the final phases of the feature installation process.
• Once completed, click on the Close button to exit from the wizard.


To Create Partitions for BitLocker Drive Encryption:

Once the tool has been downloaded and installed, it should appear in Start -> Accessories -> System Tools -> BitLocker -> BitLocker Drive Preparation Tool.

The tool itself is installed as the executable: %ProgramFiles%\BitLocker\BdeHdCfg.exe

The tool may either be run as a graphical tool or run from a command prompt with a variety of command-line options to perform the required task.


To Perform Encryption:

• Double click on the BitLocker Drive Encryption icon. If the system has TPM support, the drives suitable for BitLocker encryption will be listed together with the option to activate the encryption. Otherwise, a warning message is displayed stating: A TPM was not found. A TPM is required to turn on BitLocker.

• Click on the Turn on BitLocker link beneath the drive to be encrypted.

• Select Continue with BitLocker Drive Encryption.

• When the screen Set BitLocker startup preferences appears, and if we have a system without a TPM, the system provides only the option of using BitLocker with a USB flash drive containing a startup key.

• Insert a removable USB memory device into a USB port and click Save to save the startup key to the device.

• When the recovery key is requested, do not save the recovery password on the same USB device as the startup key; insert a different device instead.


Remote Desktop offers the possibility of administering and using a remote Windows system while working on a local one. In fact, all I/O events issued by the local user on the local system are transmitted to the remote system. Consequently, the local user is able to perform tasks on the remote system even when physically distant. The remote control can be established in several ways: over a wide area network (WAN), over a local area network (LAN) or over the internet.

RDS (Remote Desktop Service) is available in Standard, Enterprise & Datacenter editions of W2008, not in Core or Web Edition.


Remote Desktop in Windows Server 2008 is provided by Terminal Services running on the remote systems and the Remote Desktop Connection (RDC) client on the local system. Terminal Services run in two different modes:

• Administration Mode: provides full control and administration functionality to the remote administrator. It is equivalent to working directly on the system. However, a maximum of two administrators may be logged on to a Windows 2008 Server at any one time: either two logged on remotely, or one local and one remote administrator.

• Virtual Session Mode: the user is subject to some limitations, such as the ability to install applications and view console notification messages.


PRACTICE II: Enable Remote Desktop Administration

• Go to Control Panel.
• Go to the System icon or System and Maintenance.
• In the Task section in the top left hand corner of the System page, select Remote settings to display the System Properties window and the Remote.
• Choose the second option: allows remote desktop connections from any version of the Remote Desktop client.


When the configuration tasks are completed on the remote system, we can start the Remote Desktop Client on the local system:

• To invoke the Remote Desktop Client in virtual session mode, select: Start -> All Programs -> Accessories -> Remote Desktop Connection

• To start the Remote Desktop Client in administrator mode, run the following command: mstsc /admin


MBR stands for Master Boot Record. It was introduced with IBM PC DOS 2.0 in 1983.

The MBR is the first part of the hard disk. It stores the boot loader and the partition table. The MBR is 512 bytes. The first 446 bytes are for the boot loader, and the bytes from 446 to 512 are for the partition table. Thus, if we delete the full 512 bytes we will lose the boot loader and the partition table.

When using MBR partitioning, two partition types are proposed:

• Primary: Partition used to store boot records.
• Extended: Partition that could be divided into one or more logical drives.

In this case, a disk can support either four primary partitions or three primary partitions and one extended partition (which in turn can support multiple logical volumes).

MBR works with disks up to 2 TB in size, but it can’t handle disks with more than 2 TB of space.


GUID Partition Table (Globally Unique IDentifier Partition Table) is a standard used to implement partitions within a physical hard disk. It is a part of a new standard proposed by Intel and called Extensible Firmware Interface (EFI). In fact, EFI is considered as a replacement for the traditional PC BIOS that uses a Master Boot Record (MBR).

GPT uses modern Logical Block Addressing (LBA) instead of the Cylinder/Head/Sector addressing used by MBR:

• LBA 0 contains the old MBR information.
• LBA 1 contains the GPT header and the partition table itself. In 64-bit Windows operating systems, 16,384 bytes are reserved for the GPT. In this case, LBA 34 will be the first usable sector on the disk.
• For more safety, the GPT header and partition table are written at both the beginning and the end of the disk.
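The MBR and GPT layouts described above can be checked by reading the first two sectors of a disk image, which is how a corrupted or tampered partition table is usually spotted. The following Python sketch is an added example, not part of the original course notes; the function names and the sample disk are constructed for illustration, and 512-byte sectors are assumed. It also shows two details the summary above does not spell out: the last two bytes of the MBR hold the 0x55AA boot signature, and the GPT header carries a CRC32 of itself.

```python
import struct
import zlib

SECTOR = 512
GPT_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, little-endian

def parse_mbr(sector0):
    """Read the four 16-byte partition entries and check the boot signature."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid 512-byte MBR (0x55AA signature missing)")
    parts = []
    for off in range(446, 510, 16):           # partition table: bytes 446..509
        flag, ptype, first_lba, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype:                             # type 0x00 marks an unused slot
            parts.append({"active": flag == 0x80, "type": ptype,
                          "first_lba": first_lba, "sectors": count})
    # A 0xEE entry is the "protective MBR" that sits in LBA 0 of a GPT disk.
    return {"partitions": parts, "gpt": any(p["type"] == 0xEE for p in parts)}

def parse_gpt_header(sector1):
    """Decode the GPT header stored at LBA 1 and verify its CRC32."""
    (sig, _rev, size, crc, _rsv, _cur, backup_lba, first_usable, _last, _guid,
     entries_lba, n_entries, entry_size, _ecrc) = struct.unpack_from(GPT_FMT, sector1)
    if sig != b"EFI PART":
        raise ValueError("GPT signature not found")
    # The CRC covers the header with its own CRC field (bytes 16..19) zeroed.
    crc_ok = zlib.crc32(sector1[:16] + bytes(4) + sector1[20:size]) == crc
    return {"first_usable_lba": first_usable, "backup_lba": backup_lba,
            "entries_lba": entries_lba, "table_bytes": n_entries * entry_size,
            "crc_ok": crc_ok}

def build_sample_disk(total_sectors=204800):
    """Constructed sample: protective MBR at LBA 0 and GPT header at LBA 1."""
    entry = struct.pack("<B3xB3xII", 0x00, 0xEE, 1, total_sectors - 1)
    mbr = bytes(446) + entry + bytes(48) + b"\x55\xaa"
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, total_sectors - 1, 34,
              total_sectors - 34, bytes(16), 2, 128, 128, 0]
    fields[3] = zlib.crc32(struct.pack(GPT_FMT, *fields))  # CRC over zeroed field
    gpt = struct.pack(GPT_FMT, *fields).ljust(SECTOR, b"\0")
    return mbr, gpt

if __name__ == "__main__":
    mbr, gpt = build_sample_disk()
    print(parse_mbr(mbr))
    print(parse_gpt_header(gpt))
```

On a real image, the two sectors would be the first 1,024 bytes read from the disk or image file; a failed CRC or a missing signature means the primary table should be compared with the backup copy at the end of the disk.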


• From Start Menu -> All Programs -> Administrative Tools -> Computer Management.

• Right click on the Free Space area of the appropriate drive in the graphical section of the Drive Manager screen.

• Select New Simple Volume.

• Using the New Simple Volume Wizard, click Next on the initial screen to proceed to the Specify Volume Size screen.

• Enter the size of the volume to be created.

• Click the Next button. You will get the Format Partition screen.

• Many file system options appear:
  – FAT: Maximum size of 4 GB, file size limit of 2 GB.
  – FAT32: Maximum size of 32 GB, file size limit of 4 GB.
  – NTFS: up to 2 TB on an MBR disk and 18 exabytes (EB) on GPT disks.


1. Back up or move the data on the basic master boot record (MBR) disk you want to convert into a GUID partition table (GPT) disk. If the disk does not contain any partitions or volumes, skip to next step.

2. Open Computer Management (Local).

3. In the console tree, click Computer Management, click Storage, and then click Disk Management.

4. If the disk does not contain any partitions or volumes, skip to step 5. Otherwise, right-click any volumes on the disk and then click Delete Partition or Delete Volume.

5. Right-click the MBR disk that you want to change into a GPT disk, and then click Convert to GPT Disk.


1. Right-click My Computer and click Manage.

2. Click Disk Management.

3. Right-click the GPT disk you want to change into an MBR disk, and then click Convert to MBR disk.


Q: BitLocker Drive Encryption is a security feature offered in all editions of Windows Server 2008; True or False?

A. TRUE
B. FALSE


Q: BitLocker encrypts disk volumes (OS files and Data files). These files will be accessible if (choose correct answers).

A. A USB flash holding the correct encryption key is inserted on the computer at user logon in order to gain access to the system.
B. A USB flash holding the correct encryption key is inserted on the computer at system startup in order to gain access to the system.
C. A USB flash holding the correct decryption key is used by system administrator in order to decrypt the files.
D. Move the hard disk(s) to another machine.


Date: SATURDAY 07-Nov-2015
C2: 12:00
C3: 13:30

Title: “Using RAID Technology in Windows 2008 Server”

THANK YOU