Overview - PowerPoint PPT Presentation

About This Presentation
Title:

Overview

Description:

BitLocker Drive Encryption (BDE) Data Protection. Drive ... BDE Hardware and Software Requirements. Implementation/Usage Scenarios. Enforce Security Policy ...

Slides: 33
Provided by: bwin3

Transcript and Presenter's Notes

1
Module 3
Windows Server 2008 Branch Office Scenario
2
Clinic Outline
  • Branch Office Server Deployment and
    Administration
  • Branch Office Security

3
Branch Office Server Deployment and Administration
4
Domain Name System (DNS) Server Role
  • Background zone loading
  • Read-only domain controller support
  • Global Names zone
  • DNS client changes
  • Link-Local multicast name resolution (LLMNR)
  • Domain controller location

5
AD Domain Services
  • New AD MMC Snap-In Features
  • Find Command
  • New Options for Unattended Installs

6
Restartable AD Domain Services (AD DS)
  • 3 Possible States
  • AD DS Started
  • AD DS Stopped
  • Active Directory Restore Mode

7
Demonstration: Branch Office Server Deployment
and Administration
  • AD DS Installation Wizard
  • Stopping and restarting AD DS

8
AD Domain Services Auditing
  • What changes have been made to AD DS auditing?

Auditpol /set /subcategory:?????? /success:enable
9
AD Domain Services Backup and Recovery
  • What's New?
  • Considerations
  • General Requirements

10
Improved Server Deployment (Windows Server
Virtualization)
  • 64-bit Next Generation technology
  • Addresses the following challenges
  • Server Consolidation
  • Development and Testing
  • Business Continuity/Disaster Recovery
  • Server Core as a host system

11
File Services
  • Server Message Block (SMB) 2.0
  • DFS
  • Namespaces
  • Replication
  • SYSVOL

12
Next Generation TCP/IP Stack
  • Receive Window Auto-Tuning
  • Compound TCP
  • Throughput Optimization in High-Loss Environments
  • Neighbor Unreachability Detection
  • Changes in Dead Gateway Detection
  • Changes in PMTU Black Hole Router Detection
  • Routing Compartments
  • ESTATS Support
  • Network Diagnostics Framework Support
  • New Packet Filtering Model with Windows Filtering
    Platform

13
Read-Only Domain Controller (RODC)
  • New Functionality
  • AD Database
  • Unidirectional Replication
  • Credential Caching
  • Password Replication Policy
  • Administrator Role Separation
  • Read-Only DNS

RODC
  • Requirements/Special Considerations

14
Active Directory
Read-only DC, RODC
15
Implementation/Usage Scenarios
  • Maintain physical security of servers at the
    branch office
  • Maintain physical security of data at the branch
    office
  • Provide secure IP-based communications with the
    branch office
  • Control which computers can communicate on the
    branch office network

16
Recommendations
  • Deploy a Read-Only Domain Controller at the
    branch office
  • Implement a Password Replication Policy
  • Implement administrator role separation
  • Implement BitLocker Drive Encryption; do not
    require a PIN or USB device if there is no local admin
  • Implement Network Access Protection
  • Use IPSec for network communications

17
Module 4
Security and Policy Enforcement in Windows Server
2008
18
Overview
  • Methods of Security and Policy Enforcement
  • Network Location Awareness
  • Network Access Protection
  • Windows Firewall with Advanced Security (WFAS)
  • Internet Protocol Security (IPSec)
  • Windows Server Hardening
  • Server and Domain Isolation
  • Active Directory Domain Services Auditing
  • Read-Only Domain Controller (RODC)
  • BitLocker Drive Encryption
  • Removable Device Installation Control
  • Enterprise PKI

19
Technical Background
  • Windows Firewall with Advanced Security
  • Internet Protocol Security (IPSec)
  • Active Directory Domain Services Auditing
  • Read-Only Domain Controller (RODC)
  • BitLocker Drive Encryption
  • Enterprise PKI

20
Windows Firewall with Advanced Security
21
Demonstration: Windows Firewall with Advanced
Security
  • Creating Inbound and Outbound Rules
  • Creating a Firewall Rule Limiting a Service

22
IPSec
  • Integrated with WFAS
  • IPSec Improvements
  • Simplified IPSec Policy Configuration
  • Client-to-DC IPSec Protection
  • Improved Load Balancing and Clustering Server
    Support
  • Improved IPSec Authentication
  • Integration with NAP
  • Multiple Authentication Methods
  • New Cryptographic Support
  • Integrated IPv4 and IPv6 Support
  • Extended Events and Performance Monitor Counters
  • Network Diagnostics Framework Support

23
BitLocker Drive Encryption (BDE)
  • Data Protection
  • Drive Encryption
  • Integrity Checking
  • BDE Hardware and Software Requirements

24
Implementation/Usage Scenarios
  • Enforce Security Policy
  • Improve Domain Security
  • Improve System Security
  • Improve Network Communications Security

25
Recommendations
  • Carefully test and plan all security policies
  • Implement Network Access Protection
  • Use Windows Firewall with Advanced Security to
    implement IPSec
  • Deploy Read-Only Domain Controllers, where
    appropriate
  • Implement BitLocker Drive Encryption
  • Take advantage of PKI improvements

26
Network Access Protection in Windows Server 2008
27
Overview
  • Network Access Protection

28
NAP Infrastructure
  • Automatic Remediation
  • Health Policy Validation
  • Health Policy Compliance
  • Limited Access

29
NAP Enforcement Client
  • IPSec
  • 802.1X
  • VPN
  • DHCP
  • NPS RADIUS

30
Demonstration: Network Access Protection
  • Create a NAP Policy
  • Using the MMC to Create NAP Configuration
    settings
  • Create a new RADIUS Client
  • Create a new System Health Validator for Windows
    Vista and Windows XP SP2

31
Implementation/Usage Scenarios
  • Checking the Health and Status of Roaming Laptops
  • Ensuring the Health of Corporate Desktops
  • Determining the Health of Visiting Laptops
  • Verify the Compliance of Home Computers

32
Recommendations
  • When using IPSec, employ ESP with encryption
  • Carefully test and verify all IPSec Policies
  • Consider Using Domain Isolation
  • Use Quality of Service to improve bandwidth
  • Plan to prioritize traffic on the network
  • Apply Network Access Protection to secure client
    computers