Clinic: Security and Policy Enforcement in Windows Server 2008
Introduction
Name
Company affiliation
Title/function
Job responsibility
Windows Server 2003, XP and Vista experience
Security Experience
Expectations
Facilities
Class hours
Building hours
Parking
Restrooms
Meals
Phones
Messages
Smoking
Recycling
About This Clinic
Description
Clinic Objectives
Audience
Prerequisites
Clinic Outline
Security Enhancements in Windows Server 2008
Network Access Protection
Infrastructure Optimization
Technology framework to help maximize the value of your IT investments
Structured way to drive cost reduction, security & efficiency gains and boost agility
Based on industry analyst and academic work
Provides guidance and best practices for step-by-step implementation
Security Enhancements in Windows Server 2008
Overview
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security (WFAS)
Internet Protocol Security (IPSec)
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
Technical Background
Windows Firewall with Advanced Security
Internet Protocol Security (IPSec)
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
Enterprise PKI
BitLocker Drive Encryption
Windows Firewall with Advanced Security
Demonstration: Windows Firewall with Advanced Security
• Creating Inbound and Outbound Rules
• Creating a Firewall Rule Limiting a Service
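The three rule types in the demonstration above, as an added example that is not part of the clinic deck. It drives netsh advfirewall, the rule-management CLI that ships with Windows Server 2008 (the NetSecurity PowerShell cmdlets came in a later release). The rule names, the management subnet and the choice of DNS as the service-limited example are assumptions made for illustration; run it from an elevated prompt.

```powershell
# Added example (not from the clinic deck). Assumed values are marked.
$MgmtSubnet = "10.10.0.0/24"   # assumed: where administrators' workstations live

function Invoke-Netsh {
    # Run netsh with each token as its own argument and fail loudly:
    # a silently skipped rule leaves the policy half-applied.
    param([string[]]$NetshArgs)
    $output = & netsh $NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh " + ($NetshArgs -join " ") + " failed: " + ($output -join " "))
    }
    return $output
}

function Add-ClinicFirewallRules {
    # 1. Inbound rule: allow RDP, but only from the management subnet and
    #    only while the server is on the domain profile.
    Invoke-Netsh @("advfirewall", "firewall", "add", "rule",
        "name=Clinic - Allow RDP from management subnet",
        "dir=in", "action=allow", "protocol=TCP", "localport=3389",
        "remoteip=$MgmtSubnet", "profile=domain")

    # 2. Outbound rule: block SMB leaving the server on the public profile,
    #    so the box never offers its credentials to an untrusted SMB server.
    Invoke-Netsh @("advfirewall", "firewall", "add", "rule",
        "name=Clinic - Block outbound SMB on public networks",
        "dir=out", "action=block", "protocol=TCP", "remoteport=445",
        "profile=public")

    # 3. Rule limited to a service: only the DNS Server service (short name
    #    DNS, hosted by dns.exe) may receive port 53. Another process that
    #    happens to bind port 53 is not matched by this rule.
    foreach ($proto in @("UDP", "TCP")) {
        Invoke-Netsh @("advfirewall", "firewall", "add", "rule",
            "name=Clinic - DNS Server service only ($proto)",
            "dir=in", "action=allow", "protocol=$proto", "localport=53",
            "program=%SystemRoot%\system32\dns.exe", "service=dns",
            "profile=domain,private")
    }
}

function Test-ClinicFirewallRule {
    # The check an operator wants after pushing rules: does the rule exist
    # and is it enabled? Returns $true/$false.
    param([string]$Name)
    $shown = & netsh advfirewall firewall show rule "name=$Name" 2>&1
    if ($LASTEXITCODE -ne 0) { return $false }
    return [bool]($shown | Where-Object { $_ -match '^Enabled:\s+Yes' })
}

function Show-FirewallProfileDefaults {
    # Rules only mean something if the firewall is on and the inbound
    # default is Block; print the per-profile state and policy to confirm.
    & netsh advfirewall show allprofiles state
    & netsh advfirewall show allprofiles firewallpolicy
}

Add-ClinicFirewallRules
Test-ClinicFirewallRule "Clinic - Allow RDP from management subnet"
Show-FirewallProfileDefaults
```

The service-scoped rule is the one worth studying: WFAS matches the rule to the service SID, so a compromised unrelated process listening on port 53 gets no benefit from it, which is exactly the point of "limiting a service".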
IPSec
Integrated with WFAS
IPSec Improvements
Simplified IPSec Policy Configuration
Client-to-DC IPSec Protection
Improved Load Balancing and Clustering Server Support
Improved IPSec Authentication
Integration with NAP
Multiple Authentication Methods
New Cryptographic Support
Integrated IPv4 and IPv6 Support
Extended Events and Performance Monitor Counters
Network Diagnostics Framework Support
Demonstration: Creating IPSec Policies
• Creating an IPSec Rule
• Specifying different Authentication Methods
• Activate and Deactivate Rules
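The IPSec demonstration above, as an added example that is not part of the clinic deck. It uses netsh advfirewall consec, the CLI for the WFAS-integrated IPSec in Windows Server 2008, to create two rules with different authentication methods, to activate and deactivate a rule, and to verify the result. It also applies the "ESP with encryption" recommendation made later in the deck. The subnets, rule names and the issuing-CA distinguished name are assumptions; run it from an elevated prompt, and note that connection security rules take effect immediately.

```powershell
# Added example (not from the clinic deck). Assumed values are marked.
$ServerSubnet = "10.20.0.0/24"   # assumed: the isolated server segment
$DmzSubnet    = "10.30.0.0/24"   # assumed: non-domain hosts holding certificates
$IssuingCaDn  = "CN=Contoso Issuing CA,DC=contoso,DC=com"   # assumed CA DN

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    $output = & netsh $NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh " + ($NetshArgs -join " ") + " failed: " + ($output -join " "))
    }
    return $output
}

function New-IsolationRule {
    # action=requireinrequestout: the server insists on authenticated inbound
    # traffic but can still initiate to hosts that cannot do IPSec.
    # qmsecmethods=esp:sha1-aes256 asks for ESP with SHA-1 integrity and
    # AES-256 encryption (the method string follows the consec syntax).
    # The caller supplies the authentication arguments, which is where the
    # two rules below differ.
    param([string]$Name, [string]$Peers, [string[]]$AuthArgs)
    Invoke-Netsh (@("advfirewall", "consec", "add", "rule", "name=$Name",
        "endpoint1=$ServerSubnet", "endpoint2=$Peers",
        "action=requireinrequestout",
        "qmsecmethods=esp:sha1-aes256",
        "mode=transport", "profile=domain") + $AuthArgs)
}

function Set-IsolationRuleState {
    # Activate / deactivate without deleting, so the rule can be re-enabled
    # quickly if an exemption turns out to be missing.
    param([string]$Name, [bool]$Enabled)
    $flag = "no"
    if ($Enabled) { $flag = "yes" }
    Invoke-Netsh @("advfirewall", "consec", "set", "rule", "name=$Name",
        "new", "enable=$flag")
}

function Show-IsolationRuleState {
    # Verification: the rule as stored, plus the live main-mode and
    # quick-mode SAs, which show whether peers actually negotiated.
    param([string]$Name)
    & netsh advfirewall consec show rule "name=$Name"
    & netsh advfirewall monitor show mmsa
    & netsh advfirewall monitor show qmsa
}

# Rule 1: domain members. Computer Kerberos in the first phase (auth1) and
# user Kerberos in the second (auth2), so the SA also carries who connected.
New-IsolationRule -Name "Clinic - Domain members (Kerberos)" -Peers "any" `
    -AuthArgs @("auth1=computerkerb", "auth2=userkerb")

# Rule 2: non-domain hosts in the DMZ that hold a computer certificate from
# the assumed enterprise CA; auth1ca names the issuer that is trusted.
New-IsolationRule -Name "Clinic - Certificate peers (DMZ)" -Peers $DmzSubnet `
    -AuthArgs @("auth1=computercert", "auth1ca=$IssuingCaDn")

Show-IsolationRuleState -Name "Clinic - Domain members (Kerberos)"

# Deactivate while testing exemptions, then re-activate.
Set-IsolationRuleState -Name "Clinic - Domain members (Kerberos)" -Enabled $false
Set-IsolationRuleState -Name "Clinic - Domain members (Kerberos)" -Enabled $true
```

Deactivating rather than deleting matters in practice: a rule that required authentication from a host that was never exempted (a printer, a non-Windows monitoring box) silently breaks that host, and flipping enable=no is the fastest way back while the exemption is added.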
AD Domain Services Auditing
What changes have been made to AD DS auditing?
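An added example, not part of the clinic deck, for the question posed above. Windows Server 2008 splits the old "Audit directory service access" setting into subcategories; the new Directory Service Changes subcategory records the old and new attribute values (event IDs 5136 modify, 5137 create, 5138 undelete, 5139 move, 5141 delete). The script turns it on with auditpol and reads recent change events with wevtutil, both of which ship with the OS. Run it on a domain controller from an elevated prompt. Caveat: events are only produced for objects whose SACL audits the operation; the default SACL on the domain partition covers the common cases, and custom OUs may need one.

```powershell
# Added example (not from the clinic deck).

function Enable-DsChangeAuditing {
    # auditpol changes the effective policy on this DC immediately; use
    # Group Policy (Advanced Audit Policy) to make it stick on every DC.
    & auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed" }
}

function Get-DsChangeAuditState {
    # Returns the effective setting line for the subcategory, so a script
    # can verify the change rather than trust it.
    $lines = & auditpol /get /subcategory:"Directory Service Changes"
    if ($LASTEXITCODE -ne 0) { throw "auditpol /get failed" }
    return ($lines | Where-Object { $_ -match 'Directory Service Changes' })
}

function Get-RecentDsChanges {
    # Pull the newest $Count change events as text. Event 5136 carries the
    # attribute name, the operation (Value Added / Value Deleted) and the
    # value itself, which is what the Server 2008 auditing adds over 2003.
    param([int]$Count = 10)
    $query = "*[System[(EventID=5136 or EventID=5137 or EventID=5139 or EventID=5141)]]"
    & wevtutil qe Security "/q:$query" "/c:$Count" /rd:true /f:text
}

Enable-DsChangeAuditing
Get-DsChangeAuditState
Get-RecentDsChanges -Count 5
```

A practical use of the value-level detail: a 5136 event with "Value Added" on the member attribute of a privileged group names exactly which account was added and by whom, something the 2003-era directory service access events did not record.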
Read-Only Domain Controller (RODC)
New Functionality
AD Database
Unidirectional Replication
Credential Caching
Password Replication Policy
Administrator Role Separation
Read-Only DNS
Requirements/Special Considerations
RODC
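The credential caching, Password Replication Policy and administrator role separation points from the RODC section above, as an added example that is not part of the clinic deck. It uses repadmin /prp, the Windows Server 2008 tool for the Password Replication Policy, and dsmgmt for role separation. The RODC name, the group distinguished names and the helpdesk group are assumptions. The policy commands need Domain Admins rights; the dsmgmt step must run on the RODC itself.

```powershell
# Added example (not from the clinic deck). Assumed values are marked.
$Rodc       = "BRANCH-RODC01"                                                 # assumed RODC name
$AllowGroup = "CN=Branch1 Users,OU=Groups,DC=contoso,DC=com"                  # assumed: accounts that may be cached
$LocalAdmin = "CONTOSO\Branch1 Helpdesk"                                      # assumed: delegated local admin

function Set-RodcPasswordReplicationPolicy {
    # Allow caching only for the branch's own users. The default Denied RODC
    # Password Replication Group (Domain Admins, krbtgt and friends) is left
    # as shipped, so privileged secrets never land on the branch box.
    & repadmin /prp add $Rodc allow $AllowGroup
    if ($LASTEXITCODE -ne 0) { throw "repadmin /prp add failed" }
}

function Get-RodcCredentialExposure {
    # The policy as configured ...
    & repadmin /prp view $Rodc allow
    & repadmin /prp view $Rodc deny
    # ... and what has actually been cached on the RODC. If the RODC is
    # stolen, this "reveal" list is the set of accounts whose passwords
    # must be reset; the allow list alone understates the exposure.
    & repadmin /prp view $Rodc reveal
}

function Add-RodcLocalAdministrator {
    # Administrator role separation: give the helpdesk group local
    # administrator rights on the RODC without any domain privilege.
    & dsmgmt "local roles" "add $LocalAdmin administrators" quit quit
    if ($LASTEXITCODE -ne 0) { throw "dsmgmt local roles failed" }
}

Set-RodcPasswordReplicationPolicy
Get-RodcCredentialExposure
# Run this one on the RODC:
# Add-RodcLocalAdministrator
```

Reviewing the "reveal" output periodically is the check that belongs in a branch-office runbook: it tells you whether an account outside the intended group (a travelling administrator, say) has logged on at the branch and left a cached secret behind.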
BitLocker Drive Encryption (BDE)
Data Protection
Drive Encryption
Integrity Checking
BDE Hardware and Software Requirements
Enterprise PKI
Easier management through PKIView
Certificate Web Enrollment
Network Device Enrollment Service
Managing Certificates with Group Policy
Certificate Deployment Changes
Online Certificate Status Protocol (OCSP) Support
Cryptography Next Generation (CNG)
Implementation/Usage Scenarios
Enforce Security Policy
Improve Domain Security
Improve System Security
Improve Network Communications Security
Recommendations
Implement Network Access Protection
Use Windows Firewall with Advanced Security to implement IPSec
Deploy Read-Only Domain Controllers where appropriate
Implement BitLocker Drive Encryption
Carefully plan and test all security policies
Take advantage of PKI improvements
Summary
Windows Server 2008 includes a variety of new security initiatives and features:
• Network Access Protection
• Windows Firewall with Advanced Security (WFAS) enhancements
• IPSec improvements
• Windows Server Hardening
• Server and Domain Isolation
• Active Directory Domain Services Auditing
• Read-Only Domain Controllers (RODCs)
• BitLocker Drive Encryption
• Removable Device Installation Control
• Improvements to Enterprise PKI capabilities
Questions and Answers
Network Access Protection in Windows Server 2008
Overview
Network Access Protection compared with Network Access Quarantine Control

                      Network Access Protection (NAP)                 Network Access Quarantine Control (NAQC)
Clients covered       Internal, VPN and remote access clients         Only VPN and remote access clients
Enforcement methods   IPSec, 802.1X, DHCP and VPN                     VPN / remote access only
Availability          NAP NPS and client included in Windows          Installed from the Windows Server 2003
                      Server 2008; NAP client included in Vista       Resource Kit
Technical Background
NAP Platform Architecture
NAP Enforcement Methods
NAP Infrastructure
NAP Client Architecture
NAP Server Architecture
Component Communication
NAP Infrastructure
Health Policy Validation
Health Policy Compliance
Automatic Remediation
Limited Access
NAP Platform Architecture
NAP Enforcement Client
802.1X
VPN
IPSec
DHCP
NPS RADIUS
Demonstration: Network Access Protection
• Create a NAP Policy
• Using the MMC to Create NAP Configuration settings
• Create a new RADIUS Client
• Create a new System Health Validator for Windows Vista and Windows XP SP2
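The NAP demonstration above is done in the NPS MMC (health policies, the System Health Validator settings and the connection request and network policies have no netsh equivalent on Windows Server 2008). This added example, not part of the clinic deck, shows the two pieces that are scriptable and that the demo also touches: registering the enforcement point as a RADIUS client on the NPS server (netsh nps) and turning on the matching enforcement client on a Vista NAP client (netsh nap client), with a configuration export as the check. The switch name and address, the shared secret and the choice of IPSec enforcement are assumptions. The enforcement client IDs (79617 DHCP, 79619 IPsec Relying Party, 79623 EAP for 802.1X and VPN) are taken from the NAP client documentation; confirm them locally with "netsh nap client show config", which lists every enforcement client with its ID.

```powershell
# Added example (not from the clinic deck). Assumed values are marked.

function Register-NapRadiusClient {
    # Run on the NPS server. napcompatible=YES records that this device
    # forwards NAP statements of health (an 802.1X switch, VPN server or
    # DHCP server); NPS uses it when matching NAP-capable policies.
    param([string]$Name, [string]$Address, [string]$Secret)
    & netsh nps add client name=$Name address=$Address state=ENABLE sharedsecret=$Secret napcompatible=YES
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed" }
    & netsh nps show client
}

function Enable-NapEnforcementClient {
    # Run on the NAP client. The NAP Agent service (napagent) must be
    # running; without it the client never produces a statement of health
    # and ends up on the restricted network as "non-NAP-capable".
    param([int]$EnforcementId = 79619)   # assumed default: IPsec Relying Party
    & sc.exe config napagent start= auto
    & net start napagent 2>&1 | Out-Null   # already-running is not an error here
    & netsh nap client set enforcement id=$EnforcementId admin=enable
    if ($LASTEXITCODE -ne 0) { throw "enabling enforcement client $EnforcementId failed" }
    # The state view shows whether the client is enforcing and the result
    # of its last health evaluation.
    & netsh nap client show state
}

function Export-NpsConfiguration {
    # Check and backup: export the complete NPS configuration, shared
    # secrets included, to replicate to a second NPS or to diff after a
    # change. Protect the file; it contains the RADIUS secrets.
    param([string]$Path = "C:\nps-config.xml")   # assumed path
    & netsh nps export filename=$Path exportPSK=YES
    if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed" }
}

# On the NPS server:
Register-NapRadiusClient -Name "Switch01" -Address "10.10.1.5" -Secret "ChangeMe-Long-Random-Secret"
Export-NpsConfiguration
# On the Vista client:
# Enable-NapEnforcementClient -EnforcementId 79619
```

A quiet failure mode worth checking for: an enforcement client enabled on the client but no matching NAP-capable policy on NPS (or the reverse) leaves the machine either unrestricted or permanently in the restricted network, and "netsh nap client show state" on the client is the fastest way to see which.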
How NAP Works
IPSec Enforcement
IEEE 802.1X
Logical Networks
Remote Access VPNs
DHCP
IPSec Enforcement in Logical Networks
Communication Initiation Process with IPSec Enforcement
NAP Client Health Certificate Process
IPSec Enforcement in NAP
802.1X Authenticated Connections
NAP Authentication Process Background
Network Access Protection Settings
Authorization Policies
Authentication Process
Implementation/Usage Scenarios
Ensuring the Health of Corporate Desktops
Checking the Health and Status of Roaming Laptops
Determining the Health of Visiting Laptops
Verifying the Compliance of Home Computers
Recommendations
Carefully test and verify all IPSec policies
Use policy-based Quality of Service to prioritize traffic (QoS manages the bandwidth you have; it does not add any)
When using IPSec, employ ESP with encryption
Plan how traffic will be prioritized on the network
Apply Network Access Protection to secure client computers
Consider using Domain Isolation
Summary
Network Access Protection:
Checks the health of computers, internal and remote, before granting them network access
Has client and server components
Can use one or more of several enforcement methods:
IPSec
802.1X
VPN
DHCP
Provides an API for third-party system health agents and validators
Questions and Answers
Lab: Network Access Protection
In this lab, you will work through:
Network Communications using WFAS
Enforcing network communication policy using Policy-based QoS
Network Access Protection with Windows Server 2008
What Next?
Windows Server 2008 Beta: https://connect.microsoft.com
Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
Network Access Protection
• Home Page: http://www.microsoft.com/nap
• Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884
• Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885
• Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886
• IPSec: http://www.microsoft.com/ipsec
• Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx