Transcript BIT_ITI310_C7_F14_S2_20150516110456234

SAT 02-May-2015
(ITI310)
SESSION 2:
Server Configuration & Administration Notes
By Eng. BASSEM ALSAID
Session Abstract
Systems running Windows Server 2008 provide services to many kinds of
business. They must therefore be secured against theft of the hardware and
be administrable from a distance.
Learning Objectives
Upon completion of this part, the student will be able to:
– Configure BitLocker Drive Encryption
– Configure Remote Desktop for Administration
– Manage GPT and MBR disks
BitLocker Drive Encryption
• BitLocker Drive Encryption is a security feature available (as an optional
feature) in all editions of Windows Server 2008.
• BitLocker encrypts whole disk volumes (operating system files and data
files), so their contents stay inaccessible if the computer or the drive is
stolen. Where a TPM is present, the volume key is sealed in the TPM; on a
system without a TPM, a startup key is written to a USB flash drive during
BitLocker configuration and must be inserted at every boot.
• In order to use BitLocker at all, the system must meet the following
conditions:
– A minimum of 1.5 GB of unallocated disk space for the unencrypted
system partition.
– A BIOS that clears system RAM on reboot (so that key material does not
survive a warm reset in memory) and that can read a USB flash drive
before the operating system starts, if a startup key is used.
• To take advantage of all BitLocker features (in particular, validation of
the boot components before the key is released), the following
requirements proposed by the Trusted Computing Group must also be met:
– A Trusted Platform Module (TPM) version 1.2 chip.
– A Trusted Computing Group compliant BIOS.
Trusted Computing Group
• The TCG consortium (successor of the Trusted Computing Platform Alliance
founded in 1999) has more than 200 members; the main players and
promoters are AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, Sun and
others.
• The main goal of this consortium is to offer protected hardware storage
(the TPM) in which keys are sealed so that only "authorized" software,
measured at boot time, can unseal and use them; for example, the key that
decrypts the file system.
Main TPM chip vendors are: Atmel, Infineon, National Semiconductor,
STMicroelectronics and Intel (e.g. on the D875GRH motherboard).
Systems shipping with TPM chips include: Lenovo (IBM) ThinkPads and
desktops, Fujitsu LifeBook, HP desktops and notebooks, Acer, Toshiba,
Panasonic, Gateway and Dell.
Enabling and creating partition using BitLocker Drive
Encryption
BitLocker Drive Encryption requires two partitions on the hard disk drive:
• The system volume, which contains the unencrypted boot information (the
boot manager and the code that unlocks the operating system volume). It
must be at least 1.5 GB in size and must be created before enabling the
BitLocker Drive Encryption feature.
• The operating system volume, which is encrypted and contains the
operating system and user data.
PRACTICE I: Enabling the BitLocker Drive Encryption feature
• Open the Start menu and select Server Manager.
• Select the Features node.
• Click on Add Features to start the Add Features Wizard.
• Select BitLocker Drive Encryption and click on the Next button.
• Click on the Install button.
• Upon completion of the installation it is necessary to reboot the system
in order to apply the change.
• After the restart has completed, the Add Features Wizard restarts and
completes the final phase of the feature installation.
• Once completed, click on the Close button to exit the wizard.
To create the partitions for BitLocker Drive Encryption, use the BitLocker
Drive Preparation Tool. Once the tool has been downloaded and installed it
appears in Start -> Accessories -> System Tools -> BitLocker -> BitLocker Drive
Preparation Tool. The tool itself is installed as the executable:
%ProgramFiles%\BitLocker\BdeHdCfg.exe
It may be run as a graphical tool or from a command prompt with a variety of
command-line options (BdeHdCfg -? lists them). It shrinks the existing
volume (or uses unallocated space) to create the 1.5 GB system partition,
moves the boot files there, and requires a reboot.
To Perform Encryption:
• Open Control Panel and double click on the BitLocker Drive Encryption icon.
If the system has a TPM, the drives suitable for BitLocker encryption are
listed together with the option to activate encryption. Otherwise a
warning is displayed: "A TPM was not found. A TPM is required to turn on
BitLocker." (On a system without a TPM, BitLocker can still be used with a
USB startup key once the Group Policy setting "Control Panel Setup: Enable
advanced startup options" with "Allow BitLocker without a compatible TPM"
has been enabled.)
• Click on the Turn on BitLocker link beneath the drive to be encrypted.
• Select Continue with BitLocker Drive Encryption.
• When the Set BitLocker startup preferences screen appears on a system
without a TPM, the only option offered is to use BitLocker with a USB flash
drive containing a startup key.
• Insert a removable USB memory device into a USB port and click Save to
save the startup key to the device.
• When asked to save the recovery password, do not save it on the same USB
device as the startup key; insert a different device (or print it and store
it in a safe place). Anyone holding both the startup key and the recovery
password can unlock the volume, so the two must never travel together.
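The same sequence (PRACTICE I and the encryption steps above) from an elevated command prompt, as an added example that is not part of the original notes. Drive letters (S: for the new system partition, C: for the OS volume, E: for the startup-key USB stick, F: for a second stick holding the recovery password) are placeholders. The BdeHdCfg switches are those of the Windows 7 / Server 2008 R2 version of the tool; on the downloadable Server 2008 RTM version check `BdeHdCfg -?` first. On Server 2008 RTM manage-bde ships as a script, so run `cscript %SystemRoot%\System32\manage-bde.wsf` with the same switches.

```powershell
# Added example (not from the original notes). Run from an elevated PowerShell
# prompt on Windows Server 2008. Drive letters S:, C:, E:, F: are placeholders.

# 1. Install the BitLocker feature (PRACTICE I). ServerManagerCmd is the
#    Server 2008 command-line front end of Server Manager; -restart reboots
#    automatically if the installation needs it.
ServerManagerCmd.exe -install BitLocker -restart

# 2. Does this machine have a usable TPM? This is the check behind the
#    "A TPM was not found" warning. The Win32_Tpm class only exists when the
#    TPM driver is loaded, hence -ErrorAction SilentlyContinue.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated) {
    "TPM $($tpm.SpecVersion) present, enabled and activated"
} else {
    # No usable TPM: allow a USB startup key instead. These are the registry
    # values set by the Group Policy "Control Panel Setup: Enable advanced
    # startup options" -> "Allow BitLocker without a compatible TPM".
    "No usable TPM found; enabling the startup-key-only policy"
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

# 3. Carve the unencrypted 1.5 GB system partition out of the OS volume
#    (BitLocker Drive Preparation Tool). -driveinfo only reports; the second
#    command shrinks the default drive, creates the partition and reboots.
BdeHdCfg.exe -driveinfo
BdeHdCfg.exe -target default -size 1500 -quiet -restart

# 4. After the reboot: turn on BitLocker for C: with a startup key saved to
#    the USB stick E:\ and a generated 48-digit recovery password. The
#    password is then written to a DIFFERENT stick, F:\, never next to the key.
manage-bde -on C: -StartupKey E:\ -RecoveryPassword
manage-bde -protectors -get C: | Out-File -FilePath F:\recovery-C.txt -Encoding ASCII

# 5. Verify: encryption in progress or complete, and which protectors exist.
manage-bde -status C:
```

`manage-bde -status` is the quickest way to confirm afterwards that the volume is "Fully Encrypted" and that exactly the expected key protectors (External Key for the USB stick, Numerical Password for recovery) are attached to it.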
Remote Desktop
Remote Desktop offers the possibility of administering and using a remote
Windows system while working on a local one: keyboard and mouse input from
the local user is transmitted to the remote system and the remote screen is
sent back, so the local user can perform tasks on the remote system while
physically distant. The connection can be established over a local area
network (LAN), a wide area network (WAN) or the Internet; when it crosses
the Internet it should go through a VPN or a gateway rather than exposing
TCP port 3389 directly.
The Terminal Services role (RDS, multi-user sessions for application
delivery) is available in the Standard, Enterprise and Datacenter editions of
Windows Server 2008, not in Server Core or the Web edition. Remote Desktop
for Administration, which this session uses, is available in every edition
(on Server Core it is enabled with cscript scregedit.wsf /ar 0).
Remote desktop in Windows Server 2008 is provided by Terminal Services
running on the remote system and the Remote Desktop Connection (RDC) client
on the local system. Terminal Services runs in two different modes:
• Administration mode (Remote Desktop for Administration): provides full
control and administration of the server to the remote administrator,
equivalent to working directly at the machine. A maximum of two
administrators may be logged on to a Windows Server 2008 system at any one
time in this mode: either two logged on remotely, or one local and one
remote administrator.
• Virtual session mode (Terminal Server): a regular user session, subject to
limitations such as not being able to install applications or to see
console notification messages.
PRACTICE II: Enable Remote Desktop Administration
• Go to Control Panel.
• Open System (or System and Maintenance, then System).
• In the Tasks section in the top left corner of the System page select
Remote settings; the System Properties window opens on the Remote tab.
• Choose the second option, "Allow connections from computers running any
version of Remote Desktop (less secure)". If every client runs Vista or
later (RDC 6.0 or newer), prefer the third option instead: it requires
Network Level Authentication, so the user is authenticated before a
session is created on the server.
When the configuration tasks are completed on the remote system, we can
start the Remote Desktop client on the local system:
• To invoke the Remote Desktop client in virtual session mode select:
Start -> All Programs -> Accessories -> Remote Desktop Connection
• To start the Remote Desktop client in administration mode run the
following command: mstsc /admin (older clients used mstsc /console).
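PRACTICE II done from an elevated PowerShell prompt instead of the System Properties dialog, as an added example that is not part of the original notes. The registry keys are the standard Terminal Server keys that the dialog writes; the firewall rule group name is the built-in one; the server name in the last line is a placeholder.

```powershell
# Added example (not from the original notes). Enables Remote Desktop for
# Administration and verifies the result. Server name is a placeholder.

function Enable-RemoteAdministration {
    param([switch]$RequireNla)   # NLA = the dialog's third ("more secure") option

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 is what either "Allow connections" option sets.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord

    # UserAuthentication = 0 is PRACTICE II's "any version of the client";
    # 1 requires Network Level Authentication before a session is created.
    $nla = if ($RequireNla) { 1 } else { 0 }
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value $nla -Type DWord

    # Open the built-in firewall rule group for RDP (TCP 3389).
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes | Out-Null

    # Return what is now configured so the caller can check it.
    [pscustomobject]@{
        DenyConnections = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
        NlaRequired     = [bool](Get-ItemProperty -Path $rdpKey).UserAuthentication
        Listening       = $null -ne (netstat -an | Select-String ':3389\s+.*LISTENING')
    }
}

# Prefer NLA unless a pre-Vista client (RDC older than 6.0) must connect.
Enable-RemoteAdministration -RequireNla

# Remote Desktop for Administration allows only two sessions: see who is on
# before connecting, and log off stale ones (e.g. "logoff 2" by session id).
query session

# From the local machine, connect in administration mode (placeholder name):
#   mstsc /v:srv01.example.local /admin
```

The object returned by the function is the check a practitioner wants after the change: DenyConnections must be 0, NlaRequired should be True unless old clients are unavoidable, and Listening confirms that the Terminal Services service actually picked up the change and is bound to port 3389.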
MBR Disks
MBR stands for Master Boot Record. It was introduced with IBM PC DOS 2.0 in
1983.
The MBR is the first sector of the hard disk (LBA 0) and stores the boot
loader and the partition table. It is 512 bytes: the first 446 bytes hold
the boot loader, bytes 446 to 509 hold the four 16-byte partition table
entries, and bytes 510 and 511 hold the boot signature 0x55 0xAA.
Thus, if the full 512 bytes are overwritten we lose both the boot loader and
the partition table, and with it the only record of where the volumes start:
the disk no longer boots and its volumes are invisible until the table is
reconstructed.
When using MBR partitioning, two partition types are available:
• Primary: a partition that holds a file system directly and from which an
operating system can be booted (the active flag marks which one).
• Extended: a container partition that can be divided into one or more
logical drives.
Since the table has only four entries, a disk can hold either four primary
partitions, or three primary partitions and one extended partition (which in
turn can hold multiple logical volumes).
MBR stores the start sector and the sector count of each partition as 32-bit
values, so with 512-byte sectors it can address at most 2^32 x 512 bytes,
i.e. 2 TB; space beyond 2 TB on a larger disk cannot be used.
GPT: GUID Partition Table Disks
GUID Partition Table (Globally Unique IDentifier Partition Table) is a standard
for laying out partitions on a physical hard disk. It is part of the
Extensible Firmware Interface (EFI) standard proposed by Intel; EFI is the
replacement for the traditional PC BIOS, which relies on a Master Boot
Record (MBR).
GPT uses Logical Block Addressing (LBA) only, instead of the
Cylinder/Head/Sector addressing that MBR also carries:
• LBA 0 contains a protective MBR: a legacy MBR with a single partition of
type 0xEE covering the whole disk, so that MBR-only tools see the disk as
in use rather than empty and do not overwrite it.
• LBA 1 contains the GPT header, which records where the partition entry
array is, how many entries it has, and the first and last usable sectors.
In 64-bit Windows operating systems, 16,384 bytes are reserved for the
partition entries (128 entries of 128 bytes, in LBA 2 to 33), so LBA 34 is
the first usable sector on the disk.
• For resilience, the GPT header and partition entry array are written both
at the beginning and at the end of the disk, and each header carries CRC32
checksums over itself and over the entry array, so corruption of one copy
can be detected and repaired from the other.
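To make the MBR and GPT layouts above concrete, here is an added example (not part of the original notes) that decodes both structures from raw sector bytes. The two sample sectors are constructed in the script, not read from a real disk; the Read-Sector helper shows how real ones would be read from a placeholder device path, which needs an elevated prompt.

```powershell
# Added example (not from the original notes): parse an MBR (LBA 0) and a GPT
# header (LBA 1). Sample sectors below are constructed for this example.

function Read-Sector([string]$Device = '\\.\PhysicalDrive0', [long]$Lba = 0) {
    # Returns one 512-byte sector of a raw disk (device path is a placeholder).
    $fs = New-Object System.IO.FileStream($Device, 'Open', 'Read', 'ReadWrite')
    try { $fs.Position = $Lba * 512; $buf = New-Object byte[] 512
          [void]$fs.Read($buf, 0, 512); return $buf }
    finally { $fs.Close() }
}

function Parse-Mbr([byte[]]$Sector) {
    # Bytes 510-511 must hold the 0x55AA boot signature.
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'No MBR signature' }
    $entries = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i                       # 16-byte entry i
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }            # unused slot
        $count = [BitConverter]::ToUInt32($Sector, $o + 12)
        $entries += [pscustomobject]@{
            Slot       = $i
            Bootable   = ($Sector[$o] -eq 0x80)  # active flag
            Type       = '0x{0:X2}' -f $type
            StartLBA   = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors    = $count
            SizeGB     = [math]::Round($count * 512 / 1GB, 2)
            Protective = ($type -eq 0xEE)        # GPT protective MBR entry
        }
    }
    return $entries
}

function Parse-GptHeader([byte[]]$Sector) {
    if ([Text.Encoding]::ASCII.GetString($Sector, 0, 8) -ne 'EFI PART') {
        throw 'No GPT header signature'
    }
    $n = [BitConverter]::ToUInt32($Sector, 80); $sz = [BitConverter]::ToUInt32($Sector, 84)
    [pscustomobject]@{
        HeaderSize      = [BitConverter]::ToUInt32($Sector, 12)
        HeaderCrc32     = '0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 16)
        CurrentLBA      = [BitConverter]::ToUInt64($Sector, 24)
        BackupLBA       = [BitConverter]::ToUInt64($Sector, 32)   # copy at end of disk
        FirstUsableLBA  = [BitConverter]::ToUInt64($Sector, 40)
        LastUsableLBA   = [BitConverter]::ToUInt64($Sector, 48)
        DiskGuid        = New-Object Guid -ArgumentList (,[byte[]]$Sector[56..71])
        EntryArrayLBA   = [BitConverter]::ToUInt64($Sector, 72)
        EntryCount      = $n
        EntrySize       = $sz
        EntryArrayBytes = $n * $sz                 # 128 x 128 = 16,384 on Windows
    }
}

# --- constructed sample: a GPT disk of 2,048,000 sectors (about 1 GB) ---
$mbr = New-Object byte[] 512
$mbr[446 + 4] = 0xEE                                                 # protective entry
[BitConverter]::GetBytes([uint32]1).CopyTo($mbr, 446 + 8)            # starts at LBA 1
[BitConverter]::GetBytes([uint32]::MaxValue).CopyTo($mbr, 446 + 12)  # "whole disk"
$mbr[510] = 0x55; $mbr[511] = 0xAA

$gpt = New-Object byte[] 512
[Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($gpt, 0)
[BitConverter]::GetBytes([uint32]92).CopyTo($gpt, 12)          # header size
[BitConverter]::GetBytes([uint64]1).CopyTo($gpt, 24)           # this copy lives at LBA 1
[BitConverter]::GetBytes([uint64]2047999).CopyTo($gpt, 32)     # backup header: last LBA
[BitConverter]::GetBytes([uint64]34).CopyTo($gpt, 40)          # first usable LBA
[BitConverter]::GetBytes([uint64]2047966).CopyTo($gpt, 48)     # last usable LBA
[Guid]::NewGuid().ToByteArray().CopyTo($gpt, 56)               # disk GUID
[BitConverter]::GetBytes([uint64]2).CopyTo($gpt, 72)           # entry array at LBA 2
[BitConverter]::GetBytes([uint32]128).CopyTo($gpt, 80)         # 128 entries
[BitConverter]::GetBytes([uint32]128).CopyTo($gpt, 84)         # of 128 bytes each

Parse-Mbr $mbr | Format-Table -AutoSize
$h = Parse-GptHeader $gpt
$h | Format-List
# Entry array = 16,384 / 512 = 32 sectors (LBA 2..33), so the first usable LBA is 34:
'Computed first usable LBA {0}, header says {1}' -f ($h.EntryArrayLBA + $h.EntryArrayBytes / 512), $h.FirstUsableLBA
# Why MBR stops at 2 TB: a 32-bit sector count times 512-byte sectors.
'MBR addressing limit: {0} TB' -f [math]::Round([uint32]::MaxValue * 512 / 1TB, 2)
```

Running it against a real disk means replacing the constructed arrays with `Read-Sector -Lba 0` and `Read-Sector -Lba 1`; a Protective value of True in the MBR output is the sign that the disk is GPT and that the MBR's own partition entry must not be trusted for sizes (its sector count is simply pinned to 0xFFFFFFFF).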
Creating Partitions on an MBR Basic Disk
• From Start Menu -> All Programs -> Administrative Tools -> Computer
Management, open Disk Management.
• Right click on the Unallocated area of the appropriate disk in the
graphical section of the Disk Management screen.
• Select New Simple Volume.
• In the New Simple Volume Wizard, click Next on the initial screen to
proceed to Specify Volume Size.
• Enter the size of the volume to be created.
• Click the Next button, assign a drive letter, and click Next again to
reach the Format Partition screen.
• Several file system options appear:
– FAT (FAT16): maximum volume size 4 GB, file size limit 2 GB.
– FAT32: Windows formats volumes of up to 32 GB (larger FAT32 volumes can
be used but not created here), file size limit 4 GB.
– NTFS: up to 2 TB on an MBR disk and 18 exabytes (EB), in theory, on GPT
disks. It is also the only choice that supports permissions, and the
only one BitLocker accepts.
Changing a MBR disk into a GUID Partition Table Disk
1. Back up or move the data on the basic master boot record (MBR) disk you
want to convert into a GUID partition table (GPT) disk: conversion is only
possible on an empty disk, so every volume on it will be deleted. If the
disk does not contain any partitions or volumes, skip to step 2.
2. Open Computer Management (Local).
3. In the console tree, click Computer Management, click Storage, and then
click Disk Management.
4. If the disk does not contain any partitions or volumes, skip to step 5.
Otherwise, right-click each volume on the disk and click Delete Partition
or Delete Volume.
5. Right-click the MBR disk that you want to change into a GPT disk, and then
click Convert to GPT Disk.
Changing a GUID Partition Table Disk into an MBR disk
1. Right-click My Computer and click Manage.
2. Click Disk Management.
3. Delete every volume on the disk, as above (after backing up its data).
4. Right-click the GPT disk you want to change into an MBR disk, and then
click Convert to MBR Disk.
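The Disk Management tasks of this section (creating an NTFS volume on an MBR disk and converting between MBR and GPT) driven from diskpart scripts in PowerShell, as an added example that is not part of the original notes. Disk numbers, sizes and drive letters are placeholders; run `list disk` first and read its output before touching anything, because the conversion path wipes the disk.

```powershell
# Added example (not from the original notes). Needs an elevated prompt.
# Disk numbers, sizes and letters are placeholders.

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart /s executes the commands of a script file, one per line,
    # and returns its console output.
    $script = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $script -Value $Commands -Encoding ASCII
    try     { diskpart.exe /s $script }
    finally { Remove-Item $script }
}

function New-MbrNtfsVolume([int]$Disk, [int]$SizeMB, [char]$Letter) {
    # "Creating Partitions on an MBR Basic Disk" without the wizard:
    # primary partition, NTFS quick format, drive letter.
    Invoke-DiskPart @(
        "select disk $Disk",
        "create partition primary size=$SizeMB",
        'format fs=ntfs quick',
        "assign letter=$Letter"
    )
}

function Convert-PartitionStyle([int]$Disk, [ValidateSet('gpt','mbr')][string]$To, [switch]$Force) {
    # "convert gpt" / "convert mbr" are only accepted on an empty disk, so the
    # script runs "clean" first, which deletes every partition (step 4 in the
    # notes). Refuse unless the caller explicitly passes -Force.
    if (-not $Force) {
        throw "Convert-PartitionStyle destroys all data on disk $Disk; back it up, then re-run with -Force."
    }
    Invoke-DiskPart @("select disk $Disk", 'clean', "convert $To")
}

# The Gpt column of "list disk" shows "*" for GPT disks.
Invoke-DiskPart @('list disk')

# Example calls (disk 1 is a placeholder for a non-system data disk):
New-MbrNtfsVolume -Disk 1 -SizeMB 1500 -Letter S
# Convert-PartitionStyle -Disk 1 -To gpt -Force
# Convert-PartitionStyle -Disk 1 -To mbr -Force
```

The -Force guard mirrors what the Disk Management GUI enforces by greying out Convert to GPT Disk until every volume is gone: the conversion itself is cheap, the irreversible step is `clean`, so the function makes that step the one a caller has to opt into.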
EXERCISE I
Q: BitLocker Drive Encryption is a security feature available in all
editions of Windows Server 2008; True or False?
A. TRUE
B. FALSE
EXERCISE II
Q: BitLocker encrypts disk volumes (OS files and data files). These files
will be accessible if (choose the correct answers):
A. A USB flash drive holding the correct encryption key is inserted in
the computer at user logon in order to gain access to the system.
B. A USB flash drive holding the correct encryption key is inserted in
the computer at system startup in order to gain access to the system.
C. A USB flash drive holding the correct decryption key is used by the
system administrator in order to decrypt the files.
D. The hard disk(s) are moved to another machine.
NEXT SESSION
Date: SATURDAY 09-May-2015
C7: 13:30
C8: 15:00
Title: “Using RAID Technology in Windows 2008 Server”
THANKS