Transcript Overview

Module 3
Windows Server 2008
Branch Office Scenario
Clinic Outline
Branch Office Server Deployment and Administration
Branch Office Security
(Diagram: branch office RODC connected to the Corp network)
Branch Office Server Deployment and Administration
Domain Name System (DNS) Server Role
Background zone loading
Read-only domain controller support
Global Names zone
DNS client changes
Link-Local multicast name resolution (LLMNR)
Domain controller location
AD Domain Services
New AD MMC Snap-In Features
Find Command
New Options for Unattended Installs
Restartable AD Domain Services (AD DS)
3 Possible States:
AD DS Started
AD DS Stopped
Active Directory Restore Mode
Demonstration: Branch Office Server Deployment and Administration
AD DS Installation Wizard
Stopping and restarting AD DS
AD Domain Services Auditing
What changes have been made to AD DS auditing?
AD Domain Services Backup and Recovery
What’s New?
Considerations
General Requirements
Improved Server Deployment (Windows Server Virtualization)
64-bit Next Generation technology
Addresses the following challenges:
Server Consolidation
Development and Testing
Business Continuity/Disaster Recovery
Server Core as a host system
File Services
Server Message Block (SMB) 2.0
DFS
Namespaces
Replication
SYSVOL
Next Generation TCP/IP Stack
Receive Window Auto-Tuning
Compound TCP
Changes in PMTU (Path MTU) Black Hole Router Detection
Throughput Optimization in High-Loss Environments
Routing Compartments
ESTATS Support
Neighbor Unreachability Detection
Network Diagnostics Framework Support
Changes in Dead Gateway Detection
New Packet Filtering Model with Windows Filtering Platform
Read-Only Domain Controller (RODC)
New Functionality
AD Database
Unidirectional Replication
Credential Caching
Password Replication Policy
Administrator Role Separation
Read-Only DNS
Requirements/Special Considerations
RODC
Read-only DC, RODC
Information visible to an intruder
How the administrator responds
Implementation/Usage Scenarios
Maintain physical security of servers at the branch office
Maintain physical security of data at the branch office
Provide secure IP-based communications with the branch office
Control which computers can communicate on the branch office network
Recommendations
Deploy a Read-Only Domain Controller at the branch office
Implement a Password Replication Policy
Implement administrator role separation
Implement BitLocker Drive Encryption; do not require a PIN or USB device if no local admin
Implement Network Access Protection
Use IPSec for network communications
Module 4
Security and Policy Enforcement in Windows Server 2008
Overview
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security (WFAS)
Internet Protocol Security (IPSec)
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
Technical Background
Windows Firewall with Advanced Security
Internet Protocol Security (IPSec)
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Enterprise PKI
Windows Firewall with Advanced Security
Demonstration: Windows Firewall with Advanced Security
• Creating Inbound and Outbound Rules
• Creating a Firewall Rule Limiting a Service
IPSec
Integrated with WFAS
IPSec Improvements
Simplified IPSec Policy Configuration
Client-to-DC IPSec Protection
Improved Load Balancing and Clustering Server Support
Improved IPSec Authentication
Integration with NAP
Multiple Authentication Methods
New Cryptographic Support
Integrated IPv4 and IPv6 Support
Extended Events and Performance Monitor Counters
Network Diagnostics Framework Support
BitLocker Drive Encryption (BDE)
Data Protection
Drive Encryption
Integrity Checking
BDE Hardware and Software Requirements
Implementation/Usage Scenarios
Enforce Security Policy
Improve Domain Security
Improve System Security
Improve Network Communications Security
Recommendations
Carefully test and plan all security policies
Implement Network Access Protection
Use Windows Firewall with Advanced Security to implement IPSec
Deploy Read-Only Domain Controllers, where appropriate
Implement BitLocker Drive Encryption
Take advantage of PKI improvements
Network Access Protection in Windows Server 2008
Overview
Network Access Protection
                  Network Access Protection (NAP)                     | Network Access Quarantine Control
Clients covered:  Internal, VPN and Remote Access clients             | Only VPN and Remote Access clients
Enforcement:      IPSec, 802.1X, DHCP and VPN                         | DHCP and VPN
Availability:     NAP NPS and client included in Windows Server 2008; | Installed from Windows Server 2003 Resource Kit
                  NAP client included in Vista
NAP Infrastructure
Automatic Remediation
Health Policy Validation
Health Policy Compliance
Limited Access
NAP Enforcement Client
IPSec
802.1X
VPN
DHCP
NPS
RADIUS
Demonstration: Network Access Protection
• Create a NAP Policy
• Using the MMC to Create NAP Configuration settings
• Create a new RADIUS Client
• Create a new System Health Validator for Windows Vista and Windows XP SP2
Implementation/Usage Scenarios
Checking the Health and Status of Roaming Laptops
Ensuring the Health of Corporate Desktops
Determining the Health of Visiting Laptops
Verify the Compliance of Home Computers
Recommendations
When using IPSec, employ ESP with encryption
Carefully test and verify all IPSec Policies
Consider Using Domain Isolation
Use Quality of Service to improve bandwidth
Plan to Prioritize traffic on the network
Apply Network Access Protection to secure client computers