Clinic Security and Policy Enforcement in Windows Server 2008

Page 1: Clinic Security and Policy Enforcement in Windows Server 2008

Clinic

Security and Policy Enforcement in Windows Server 2008

Page 2: Clinic Security and Policy Enforcement in Windows Server 2008

Introduction

Name

Company affiliation

Title/function

Job responsibility

Windows Server 2003, XP and Vista experience

Security Experience

Expectations

Page 3: Clinic Security and Policy Enforcement in Windows Server 2008

Facilities

Class hours

Building hours

Parking

Restrooms

Meals

Phones

Messages

Smoking

Recycling

Page 4: Clinic Security and Policy Enforcement in Windows Server 2008

About This Clinic

Description

Clinic Objectives

Audience

Prerequisites

Page 5: Clinic Security and Policy Enforcement in Windows Server 2008

Clinic Outline

Security Enhancements in Windows Server 2008

Network Access Protection

Page 6: Clinic Security and Policy Enforcement in Windows Server 2008

Infrastructure Optimization

• Technology framework to help maximize the value of your IT investments

• Structured way to drive cost reduction, security & efficiency gains and boost agility

• Based on industry analyst and academic work

• Provides guidance and best practices for step-by-step implementation

Page 7: Clinic Security and Policy Enforcement in Windows Server 2008

Security Enhancements in Windows Server 2008

Page 8: Clinic Security and Policy Enforcement in Windows Server 2008

Overview

Methods of Security and Policy Enforcement

Network Location Awareness

Network Access Protection

Windows Firewall with Advanced Security (WFAS)

Internet Protocol Security (IPSec)

Windows Server Hardening

Server and Domain Isolation

Active Directory Domain Services Auditing

Read-Only Domain Controller (RODC)

BitLocker Drive Encryption

Removable Device Installation Control

Enterprise PKI

Page 9: Clinic Security and Policy Enforcement in Windows Server 2008

Technical Background

Windows Firewall with Advanced Security

Internet Protocol Security (IPSec)

Active Directory Domain Services Auditing

Read-Only Domain Controller (RODC)

Enterprise PKI

BitLocker Drive Encryption

Page 10: Clinic Security and Policy Enforcement in Windows Server 2008

Windows Firewall with Advanced Security

Page 11: Clinic Security and Policy Enforcement in Windows Server 2008

Demonstration: Windows Firewall with Advanced Security

• Creating Inbound and Outbound Rules

• Creating a Firewall Rule Limiting a Service

Page 12: Clinic Security and Policy Enforcement in Windows Server 2008

IPSec

Integrated with WFAS

IPSec Improvements

Simplified IPSec Policy Configuration

Client-to-DC IPSec Protection

Improved Load Balancing and Clustering Server Support

Improved IPSec Authentication

Integration with NAP

Multiple Authentication Methods

New Cryptographic Support

Integrated IPv4 and IPv6 Support

Extended Events and Performance Monitor Counters

Network Diagnostics Framework Support

Page 13: Clinic Security and Policy Enforcement in Windows Server 2008

Demonstration: Creating IPSec Policies

• Creating an IPSec Rule

• Specifying different Authentication Methods

• Activate and Deactivate Rules

Page 14: Clinic Security and Policy Enforcement in Windows Server 2008

AD Domain Services Auditing

What changes have been made to AD DS auditing?

Page 15: Clinic Security and Policy Enforcement in Windows Server 2008

Read-Only Domain Controller (RODC)

New Functionality

AD Database

Unidirectional Replication

Credential Caching

Password Replication Policy

Administrator Role Separation

Read-Only DNS

Requirements/Special Considerations

RODC

Page 16: Clinic Security and Policy Enforcement in Windows Server 2008

BitLocker Drive Encryption (BDE)

Data Protection

Drive Encryption

Integrity Checking

BDE Hardware and Software Requirements

Page 17: Clinic Security and Policy Enforcement in Windows Server 2008

Enterprise PKI

Easier management through PKIView

Certificate Web Enrollment

Network Device Enrollment Service

Managing Certificates with Group Policy

Certificate Deployment Changes

Online Certificate Status Protocol (OCSP) Support

Cryptography Next Generation

Page 18: Clinic Security and Policy Enforcement in Windows Server 2008

Implementation/Usage Scenarios

Enforce Security Policy

Improve Domain Security

Improve System Security

Improve Network Communications Security

Page 19: Clinic Security and Policy Enforcement in Windows Server 2008

Recommendations

Implement Network Access Protection

Use Windows Firewall with Advanced Security to implement IPSec

Deploy Read-Only Domain Controllers, where appropriate

Implement BitLocker Drive Encryption

Carefully test and plan all security policies

Take advantage of PKI improvements

Page 20: Clinic Security and Policy Enforcement in Windows Server 2008

Summary

Windows Server 2008 includes a variety of new security initiatives and features:

• Network Access Protection

• Windows Firewall with Advanced Security (WFAS) enhancements

• IPSec improvements

• Windows Server Hardening

• Server and Domain Isolation

• Active Directory Domain Services Auditing

• Read-Only Domain Controllers (RODCs)

• BitLocker Drive Encryption

• Removable Device Installation Control

• Improvements to Enterprise PKI capabilities

Page 21: Clinic Security and Policy Enforcement in Windows Server 2008

Questions and Answers

Page 22: Clinic Security and Policy Enforcement in Windows Server 2008

Network Access Protection in Windows Server 2008

Page 23: Clinic Security and Policy Enforcement in Windows Server 2008

Overview

Network Access Protection

• Internal, VPN and Remote Access Clients

• IPSec, 802.1X, DHCP and VPN

• NAP NPS and Client included in Windows Server 2008; NAP client included in Vista

Network Access Quarantine Control

• Only VPN and Remote Access Clients

• DHCP and VPN

• Installed from Windows Server 2003 Resource Kit

Page 24: Clinic Security and Policy Enforcement in Windows Server 2008

Technical Background

NAP Platform Architecture

NAP Enforcement Methods

NAP Infrastructure

NAP Client Architecture

NAP Server Architecture

Component Communication

Page 25: Clinic Security and Policy Enforcement in Windows Server 2008

NAP Infrastructure

Health Policy Validation

Health Policy Compliance

Automatic Remediation

Limited Access

Page 26: Clinic Security and Policy Enforcement in Windows Server 2008

NAP Platform Architecture

Page 27: Clinic Security and Policy Enforcement in Windows Server 2008

NAP Enforcement Client

802.1X

VPN

IPSec

DHCP

NPS RADIUS

Page 28: Clinic Security and Policy Enforcement in Windows Server 2008

Demonstration: Network Access Protection

• Create a NAP Policy

• Using the MMC to Create NAP Configuration settings

• Create a new RADIUS Client

• Create a new System Health Validator for Windows Vista and Windows XP SP2

Page 29: Clinic Security and Policy Enforcement in Windows Server 2008

How NAP Works

IPSec Enforcement

IEEE 802.1X

Logical Networks

Remote Access VPNs

DHCP

Page 30: Clinic Security and Policy Enforcement in Windows Server 2008

IPSec Enforcement in Logical Networks

Page 31: Clinic Security and Policy Enforcement in Windows Server 2008

Communication Initiation Process with IPSec Enforcement

Page 32: Clinic Security and Policy Enforcement in Windows Server 2008

NAP Client Health Certificate Process

Page 33: Clinic Security and Policy Enforcement in Windows Server 2008

IPSec Enforcement in NAP

Page 34: Clinic Security and Policy Enforcement in Windows Server 2008

802.1x Authenticated Connections

Page 35: Clinic Security and Policy Enforcement in Windows Server 2008

NAP Authentication Process Background

Network Access Protection Settings

Authorization Policies

Authentication Process

Page 36: Clinic Security and Policy Enforcement in Windows Server 2008

Implementation/Usage Scenarios

Ensuring the Health of Corporate Desktops

Checking the Health and Status of Roaming Laptops

Determining the Health of Visiting Laptops

Verify the Compliance of Home Computers

Page 37: Clinic Security and Policy Enforcement in Windows Server 2008

Recommendations

Carefully test and verify all IPSec Policies

Use Quality of Service to improve bandwidth

When using IPSec – employ ESP with encryption

Plan to Prioritize traffic on the network

Apply Network Access Protection to secure client computers

Consider Using Domain Isolation

Page 38: Clinic Security and Policy Enforcement in Windows Server 2008

Summary

Network Access Protection:

Secures Remote Computers before accessing the Network

Has Client and Server Components

Can Use One or More of Several methods for Enforcement

IPSec

802.1X

VPN

DHCP

Provides Support for Third Party Software

Page 39: Clinic Security and Policy Enforcement in Windows Server 2008

Questions and Answers

Page 40: Clinic Security and Policy Enforcement in Windows Server 2008

Lab: Network Access Protection

In this lab, you will:

Network Communications using WFAS

Enforcing network communication policy using Policy-based QoS

Network Access Protection with Windows Server 2008

Page 41: Clinic Security and Policy Enforcement in Windows Server 2008

What Next?

Windows Server 2008 Beta: https://connect.microsoft.com

Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx

Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx

Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17

Network Access Protection

• Home Page: http://www.microsoft.com/nap

• Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884

• Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885

• Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886

• IPSec: http://www.microsoft.com/ipsec

• Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx