Thursday, April 22, 2010

Lesson 11

Maintaining Windows Server 2008 File Services

Shadow Copies of Shared Folders is based on the Volume Shadow Copy Service (VSS) and allows users to access and recover previous versions of files in the event that they are accidentally deleted or overwritten. Shadow Copies of Shared Folders is enabled at the volume level and affects all shared folders on a particular volume. A maximum of 64 shadow copies can be stored on a particular volume. The Restore Previous Versions functionality lessens the dependence on administrators to recover files, allowing users to access and restore their own Shadow Copies of Shared Folders snapshots without requiring administrative intervention.

A disk quota is a limit on the disk space a user is permitted to consume on a particular volume or in a particular folder. These quotas are based on file ownership. Windows automatically makes a user the owner of all files he or she creates, tracks those files, and adds up their sizes. When the total size of a given user's files reaches the quota specified by the server administrator, the system takes action.

The three types are as follows:
• Hard quota stops the user from writing files once the quota is reached.
• Soft quota sends a notification to the administrator.
• Threshold quota sends notifications when a certain percentage of the quota has been reached, prior to the hard quota.

Windows Server Backup is new in Windows Server 2008 and uses VSS to back up servers at the volume level. It supports two types of backups:
• Manual backup
• Scheduled backup

Restoring Windows Server 2008 can be performed by using the Windows Server Backup MMC snap-in, as well as the wbadmin command-line utility. You can also perform a bare-metal restore of a server that has experienced a hardware failure by using the Windows Recovery Environment (WinRE), a special boot mode that provides a centralized platform for operating system recovery.

Lesson 10

Maintaining Network Health

Active Directory Certificate Services

The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft's larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing a Windows Public Key Infrastructure (PKI) for authentication and authorization of users and devices.

PKI allows two parties to communicate securely without ever having communicated with one another before, through the use of a mathematical technique called public key cryptography.

PKI certificates are managed through Certification Authorities (CAs) that are hierarchical, which means that you can have many subordinate CAs within an organization that chain upward to a single root CA.

The Public Key Infrastructure
• CA (Certification Authority) is an entity that issues and manages digital certificates for use in a PKI.
• Digital certificate contains information about a particular user along with a public key, digital signatures and expiration dates.
• Digital signature is an electronic signature proving that the entity holding the private key signed the document.
• CPS (Certificate Practice Statement) describes how the CA manages certificates and keys.
• CRL (Certificate Revocation List) identifies certificates that have been revoked or terminated.
• Certificate templates are used by administrators to simplify managing and issuing certificates.
• Smart cards are physical devices containing the digital certificate.
• Self-enrollment gives the user the ability to request their own PKI certificates.
• Autoenrollment is only available in Windows Server 2003 or later server installations.
• Recovery agent is used to recover keys where a hard drive has crashed and the user does not have a backup of the certificate.
• Key archival is not offered at all by most commercial CAs.

The AD CS (Active Directory Certificate Services) server role consists of the following services and features:

• CAs (Certification Authorities)
• Web enrollment allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List.
• Online responder
• NDES (Network Device Enrollment Service) allows network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs.

• Standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.
• Enterprise CA integrates with an Active Directory domain and can use templates to allow autoenrollment of digital certificates, as well as storing the certificates themselves within the AD database.

Managing Certificate Enrollments

In Windows Server 2008 you can manage certificate enrollment in a number of ways, depending on your needs.

In an Active Directory environment you can automate the distribution of PKI certificates by using the following features:
• Certificate templates can be used to automate the deployment of PKI certificates by controlling the security associated with each template:
o The Full Control ACL: reserved for administrators.
o The Read ACL
o The Write ACL: should be reserved for administrators.
o The Enroll ACL: allows users to manually request certificates.
o The Autoenroll ACL: users are automatically issued certificates.

• Group Policy can be used to establish autoenrollment settings for an Active Directory domain. The Certificate Services Client - Auto-Enrollment node includes the following settings:
o Enroll certificates automatically.
o Do not enroll certificates automatically.
o If you select the option to enroll certificates automatically, you can also select one or more of the following settings:
  ▪ Renew expired certificates, update pending certificates and remove revoked certificates.
  ▪ Update certificates that use certificate templates.
  ▪ Expiration notification, to notify when a certificate has only a certain percentage of its lifetime remaining.

In a non-Active Directory environment, clients can enroll manually for certificates using either of the following: the Certificate Request Wizard, or Certification Authority Web Enrollment, where users manually create a certificate request.

CA Server Settings

• Key archival and recovery

• Maintainers of a Windows Server 2008 CA
o CA administrators have overall management of a CA.
o Certificate managers manage and issue certificates.
o Backup operators are able to back up and restore the operating system files and folders.
o Auditors are able to read security logs.

Introducing Network Access Protection

Network Access Protection (NAP) is a policy enforcement mechanism that is used to allow or reject access to Windows network resources on the basis of policy decisions, such as whether the Windows Firewall is turned on or whether anti-virus signatures are up to date.

NAP can be configured with one of five built-in enforcement mechanisms:
• DHCP enforcement
• IPSec enforcement
• VPN enforcement
• 802.1x enforcement
• Terminal Services Gateway enforcement

The NAP client includes one or more System Health Agents (SHAs), which map to System Health Validators (SHVs) within the NAP server architecture.

Wednesday, April 21, 2010

Lesson 9

Securing Data Transmission and Authentication

Securing Network Traffic with IPSec

Whether you have a public or private presence on the Internet, securing your organization's data is a core requirement. We deploy measures to secure the network perimeter and secure access to resources; however, securing the actual IP (Internet Protocol) traffic is often overlooked. Both TCP and UDP contain a checksum in the header of each packet, a mathematical value intended to verify the integrity of each packet. However, because the checksum is a well-known algorithm, a malicious user can intercept these packets, view and modify their contents, recompute the checksums and then forward the packets to their destination without the sender or receiver knowing.

The IPSec suite of protocols was developed for this purpose and is now the standard method of providing security services for IP packets. It has two principal goals: proper protection of the content of IP packets, and defense against network attacks through packet filtering and the enforcement of trusted communication. Both of these goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management.

IPSec has a number of features that can significantly reduce or prevent the following attacks:
• Packet sniffing – IPSec includes mechanisms that provide data confidentiality by encrypting the payload of IP packets.
• Data modification – IPSec uses cryptography-based keys that are shared only by the sender and receivers to create a cryptographic checksum for each IP packet that is secured using IPSec, protecting the integrity of the data.
• Identity spoofing – IPSec allows the exchange and verification of identities without exposing that information to interpretation by the attacker. This process, known as mutual authentication, is used to establish trust between the communicating systems.
• Man-in-the-middle attacks – IPSec protects against these through a combination of mutual authentication and the use of shared cryptography-based keys to confirm the integrity of each packet as well as the identity of the sender and receiver.
• Denial-of-service attacks – IPSec uses an IP packet filtering methodology as the basis for determining whether communication is allowed, secured, or blocked. This determination is based on IP address ranges, IP protocols, or even specific TCP and UDP ports.

IPSec is an architectural framework that provides cryptographic security services for IP packets. It is an end-to-end security technology, meaning that the only nodes aware of the presence of IPSec are the two hosts using IPSec to communicate with each other.

IPSec can be deployed to protect data transmissions in the following scenarios:
• LAN –Client/server and peer-to-peer.
• WAN – Router to Router and gateway to gateway.
• Remote Access – Dial-up clients and Internet access from private networks.

IPSec has many security features; the following are some of them:
• Automatic security associations
• IP Packet Filtering
• Network Layer security
• Peer Authentication
• Data origin Authentication
• Data integrity
• Data confidentiality
• Anti-replay
• Key management

You can configure IPSec to use the following two modes:
• Transport mode – Used when you require packet filtering and when you require end-to-end security. Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters.
• Tunnel mode – Used for site-to-site communications that cross the Internet (or other public networks). Tunnel mode provides gateway-to-gateway protection.

The IPSec protocol suite provides security using a combination of individual protocols. The following protocols work independently or in tandem, depending on the need for confidentiality and authentication:
• AH (Authentication Header) provides authentication, integrity and anti-replay for the entire packet. It doesn't provide confidentiality and doesn't encrypt the data. Therefore the data can be read, but it can't be modified undetected. It uses keyed hash algorithms to sign the packet.
• ESP (Encapsulating Security Payload) provides confidentiality (in addition to authentication, integrity and anti-replay) for the IP payload.

IPSec Security Associations (SAs) are the combination of security services, protection mechanisms, and cryptographic keys mutually agreed to by communicating peers. The association determines how the traffic is to be secured and with which secret keys. The following are the two types of associations:
• ISAKMP SA (Main Mode) is used to protect IPSec security negotiations.
• IPSec SA (Quick Mode) is used to protect data sent between the IPSec peers.

When an IPSec session is established between two hosts, the following three security associations (SAs) must be tracked:
• ISAKMP SA
• Inbound IPSec SA
• Outbound IPSec SA

To identify a specific SA for tracking purposes, a 32-bit number known as the SPI (Security Parameters Index) is used.
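Putting the checksum weakness from the opening paragraph of this lesson next to the AH protections described above (keyed hash, SA lookup by SPI, anti-replay), as an added example that is not part of the original notes. The key, SPI and datagram contents are constructed; the AH field layout follows RFC 4302 and the checksum RFC 1071.

```python
"""Added example, not from the original notes: a checksum-only receiver accepts a
datagram whose payload was altered and whose checksum was recomputed; an AH-style
keyed hash (ICV) selected by SPI rejects it, plus replays and unknown SPIs.
Layouts follow RFC 1071 and RFC 4302; key, SPI and contents are constructed. No
UDP pseudo-header; a strictly-increasing sequence rule stands in for RFC 4303's
anti-replay window."""
import hashlib
import hmac
import struct

ICV_LEN = 12       # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits
IPPROTO_UDP = 17
AH_FIXED = struct.Struct("!BBHII")  # Next Header, Payload Len, Reserved, SPI, Seq


def internet_checksum(data):
    """RFC 1071 one's-complement sum, the check carried in TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port, dst_port, payload):
    """Constructed UDP datagram with a valid checksum over header and payload."""
    header = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return header[:6] + struct.pack("!H", internet_checksum(header + payload)) + payload


def udp_checksum_ok(datagram):
    """Receiver check: the sum over an intact datagram folds to zero."""
    return internet_checksum(datagram) == 0


def rewrite_payload(datagram, new_payload):
    """The unprotected case from the notes: payload changed, public checksum
    recomputed, so a checksum-only receiver notices nothing."""
    src_port, dst_port = struct.unpack("!HH", datagram[:4])
    return build_udp(src_port, dst_port, new_payload)


def ah_icv(key, ah_fixed, inner):
    """ICV over the AH header (ICV field zeroed) plus the protected data."""
    return hmac.new(key, ah_fixed + b"\x00" * ICV_LEN + inner, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(spi, seq, key, inner):
    """Prepend an AH header protecting `inner` under the SA identified by SPI."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2  # AH length in 32-bit words, minus 2
    fixed = AH_FIXED.pack(IPPROTO_UDP, payload_len, 0, spi, seq)
    return fixed + ah_icv(key, fixed, inner) + inner


class AhReceiver:
    """Inbound side: the SA database maps SPI -> key and highest accepted sequence."""

    def __init__(self):
        self.sad = {}

    def add_sa(self, spi, key):
        self.sad[spi] = {"key": key, "highest_seq": 0}

    def receive(self, packet):
        """Return (verdict, inner datagram or None) for one AH-protected packet."""
        _next, payload_len, _res, spi, seq = AH_FIXED.unpack_from(packet)
        sa = self.sad.get(spi)
        if sa is None:
            return "unknown-spi", None      # no SA negotiated for this SPI
        ah_len = (payload_len + 2) * 4
        icv, inner = packet[AH_FIXED.size:ah_len], packet[ah_len:]
        if not hmac.compare_digest(icv, ah_icv(sa["key"], packet[:AH_FIXED.size], inner)):
            return "bad-icv", None          # modified in transit, or wrong key
        if seq <= sa["highest_seq"]:
            return "replay", None           # anti-replay: sequence must advance
        sa["highest_seq"] = seq
        return "ok", inner


def demo():
    """Run the cases and return each verdict."""
    key, spi = b"constructed-demo-key", 0x1A2B3C4D
    rx = AhReceiver()
    rx.add_sa(spi, key)
    genuine = build_udp(40000, 53, b"amount=100")
    altered = rewrite_payload(genuine, b"amount=900")
    protected = build_ah(spi, 1, key, genuine)
    # Same alteration inside an AH packet: the ICV cannot be recomputed without
    # the SA key, so the receiver drops it.
    tampered = protected[:AH_FIXED.size + ICV_LEN] + altered
    return {
        "checksum_accepts_altered": udp_checksum_ok(altered),
        "ah_genuine": rx.receive(protected)[0],
        "ah_tampered": rx.receive(tampered)[0],
        "ah_replayed": rx.receive(protected)[0],
        "ah_unknown_spi": rx.receive(build_ah(0x0BADF00D, 2, key, genuine))[0],
    }
```

`demo()` returns `checksum_accepts_altered` as True while the AH receiver reports `bad-icv`, `replay` and `unknown-spi` for the three bad cases.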

IKE (Internet Key Exchange) is a standard that defines a mechanism to establish SAs.

IKE combines ISAKMP and the Oakley Key Determination Protocol to generate secret key material.

IPSec policies are the security rules defining security levels, hashing and encryption algorithms, and key lengths. These rules also define the addresses, protocols, DNS names, subnets, or connection types they apply to. These policies can be configured to meet the security requirements of a user, group, application, domain, site, or the entire network (organization).

These components of the IPSec policy are as follows:
• Tunnel setting – The IP address of the endpoint.
• Network type – The type of connection affected by the IPSec policy.
• IP filter – A subset of network traffic based on IP address, port and transport protocols.
• IP filter list – The concatenation of one or more IP filters, which define a range of network traffic.
• Filter action – How IPSec should secure network traffic.
• Authentication method – One of the security algorithms and types used for authentication and key exchange.

Windows Server 2008 provides the following four pre-configured Connection Security Rules, or you can create a customized set of rules:
• Isolation rule allows you to restrict inbound and outbound connections based on certain sets of criteria, such as membership in a particular AD domain.
• Authentication Exception rule allows you to specify one or more computers that do not need to be authenticated in order to pass traffic: for example, defining a DHCP server that should not have an Isolation connection security rule applied to it.
• Server-to-Server rule secures traffic between two servers or two groups of servers.
• Tunnel rule is similar to the server-to-server rule; however, it will secure traffic only between tunnel endpoints, not between the actual hosts that will be sending and receiving secured traffic.

The IPSec driver stores all current quick mode SAs in a database and uses the SPI field to match the correct SA with each packet.

The Security Negotiation Process is divided into the following two types of negotiations:

Main mode negotiation is used to establish the ISAKMP SA, which is used to protect future main mode and all quick mode negotiations.
Quick mode negotiation must occur to determine the type of traffic to be secured and how it will be secured. A quick mode negotiation is also done when a quick mode SA expires.

The purpose of the IPSec Policy Agent service is to retrieve information about the IPSec policies and to pass this information to other IPSec components that require it in order to perform security functions.

IPSec can be deployed using local policies, AD, or both. Each method has its advantages and disadvantages.

Managing and Monitoring IPSec

Windows Server 2008 provides several tools to manage and monitor IPSec, including IP Security Monitor, RSoP, Event Viewer, and the netsh command-line utility.

Network Authentication is another common issue when securing the network. By default Kerberos v5 is the protocol used in AD; however, there are situations in which the NTLM authentication protocols come into play. The following are the available versions of NTLM authentication and their strength:

• LM Authentication is the weakest form, used in the earliest days of Windows networking: Windows NT, 95 and 98. Passwords were easily compromised through the use of packet sniffers.
• NTLM Authentication is the middle of the road and improved upon the security of LM authentication.
• NTLMv2 Authentication is the strongest, further improved, and required additional software to be installed on 95 and 98 workstations. In Windows 2000 and later it is built in by default.

Windows Firewall

The Windows Firewall with Advanced Security MMC snap-in allows you to control inbound and outbound traffic on a Windows Server 2008 computer, as well as integrate Windows Firewall configuration with IPSec through the use of Connection Security rules.

Sunday, April 18, 2010

Lesson 8

Maintaining and Updating Windows Server 2008

Monitoring a Windows Server Network

There are three tools to help you proactively monitor and troubleshoot network issues: Reliability and Performance Monitor, Windows Server 2008 Event Viewer, and Network Monitor.

Reliability and Performance Monitor in Windows Server 2008 allows you to collect real-time information. This information can be viewed in a number of different formats, including charts, graphs, and histograms. It uses performance objects, or categories, and performance counters to organize performance information. It collects the following three types of information on Windows Server 2008:

• Performance counters are the specific processes and events you want to monitor. As you add roles and services, performance counters are exposed for these new roles and services.
• Event trace data is data collected over time to provide a real-time view into the behavior and performance of the server operating system and any applications it is running.
• Configuration information is available via queries to the registry from the Reliability and Performance Monitor.

The following are the three views you can choose:

• Resource View is the default view and gives you a quick overview of the four major performance components of a server: CPU, Disk, Network, and Memory.
• Performance Monitor is the view that provides a visual display of performance counters, in real time or historically.
• Reliability Monitor is the view providing information about system events that can affect a server's stability, including software installs or uninstalls, as well as application, OS, or hardware failures.

Performance Monitor is probably the most viewed and can be opened easily from the Start menu by typing perfmon.exe. You can add performance counters; however, the following are what is installed by default:
• Browser

o Announcements Domains/sec - the rate at which a domain has announced itself to the network.
o Election Packet/sec – the rate at which browser election packets have been received by the local computer.
• Memory
o Available bytes - the amount of physical memory available for allocation to a particular process.
o Committed bytes – the amount of committed virtual memory.
• Processor
o % Processor Time – the amount of time the processor spends executing a non-idle thread.

Data Collector Sets were introduced in Windows Server 2008. Rather than manually adding individual performance counters every time you want to monitor a 2008 server, Data Collector Sets allow you to organize a set of performance counters, event traces and system configuration data in a single "object" that you can reuse on one or more servers. The following are the three built-in Data Collector Sets: LAN Diagnostics, System Diagnostics and System Performance.

Securing Access to Performance Data

Windows Server 2008 includes a number of built-in groups that grant limited access to performance data. These are the Users group, Performance Monitor Users, and Performance Log Users.

Windows Event Viewer

To monitor the health of Windows Server 2008, you can examine the Windows Event Viewer to obtain information. By default, it logs informational events such as service start and stop messages, errors, and warnings. Additional diagnostic logging can be achieved by modifying the registry. When using the Event Viewer you will see the following items:

Custom Views is a "new" feature of Windows Server 2008, giving you the ability to set up views that will only show you information such as critical errors.

Windows Logs is the traditional view, which includes the Application, Security, and System logs along with the Setup and Forwarded Events logs, both of which are "new" in Server 2008.

Applications and Services Logs provide various collections of Event Viewer entries associated with server hardware, Internet Explorer, and other Windows components.

Windows Event Collector Service is another "new" feature in Windows Server 2008. It allows you to configure a single server as a repository of events from multiple computers. It creates and manages subscriptions from one or more remote computers, and uses the WS-Management protocol to communicate with the remote subscribers. Subscriptions are either collector initiated or source computer initiated.

Network Monitor (Gathering Network Data)

Windows Server 2008 does not include a built-in network monitor; however, Microsoft has a free download available. This version is a powerful tool; however, there is a more powerful tool available, SCOM (System Center Operations Manager), which can not only capture traffic sent to its own interface but can also run in promiscuous mode and capture 100 percent of the network traffic available to the network interface. It also gives you a central management point from which you can see other network monitoring instances.

Windows Server Update Services (WSUS) is a tool used to manage and distribute software updates that fix known security vulnerabilities or otherwise improve the performance of Microsoft operating systems. Updates can include items such as security fixes, critical updates, and critical drivers. The following are the update categories for the Windows operating system: Critical Updates, Recommended Downloads, Windows Tools, Internet and Multimedia Updates, Additional Windows Downloads, Multilanguage Features, and Documentation.

WSUS has three main components:
• A content synchronization service
• An internal Windows Update server
• Automatic Updates on computers (desktops or servers)

WSUS server performs two primary functions:
• Synchronizing content with the public Windows Update site.
• Approving content for distribution to your organization.

Windows Updates and Automatic Updates are two separate components designed to work together to keep Windows operating system updated and secure. Windows Update is a Microsoft Web site that works with Automatic Updates to provide timely, critical and noncritical system updates. Automatic Updates enables you to automatically interact with the Windows Update Web site.

WSUS Software and Hardware requirements
• A server running the IIS (Internet Information Services) server role, including the following components:
o Windows Authentication
o ASP.NET
o IIS 6.0 Management Compatibility
o IIS Metabase Compatibility
• Microsoft Report Viewer Redistributable 2005
• Microsoft SQL Server 2005 Service Pack 1
• A minimum of 1 GB free Space on the system partition
• 20 GB Minimum space on a volume used to store downloaded content.
• 2 GB Free Space on the volume where WSUS stores the Windows Internal Database.

WSUS server management includes reviewing and changing configuration options, automatically or manually synchronizing the server, viewing update status, and backing up and restoring the server.

WSUS Clients

You can configure Automatic Updates through the Automatic Updates configuration page, Group Policy, and by configuring registry entries.

Monday, April 12, 2010

Lesson 7

Deploying a Print Server

FYI: Printing is usually the number one helpdesk request. Note the last paragraph, on the printing devices currently being used at my employer.

Printing typically involves the following four components: print device, printer, print server, and print driver.

The simplest form of print architecture consists of a locally attached print device. The printer then can be shared with other users on the same network.

XML Paper Specification (XPS) is a new, platform-independent document format used in Windows Server 2008 and Windows Vista, in which print jobs are sent to the print device in a single XPS format rather than being converted first to EMF and then to PCL.

With network-attached print devices, the primary deployment decision that the administrator must make is which computer will function as the print server.

Printer permissions are much simpler than NTFS permissions. They basically dictate whether users are allowed to merely use the printer, manage documents submitted to the printer, or manage the properties of the printer itself.

The Print Management snap-in for MMC is an administrative tool that consolidates the controls for the printing components throughout the enterprise into a single console.

Currently, coming from a Novell network to a Microsoft network, we purchase printers with NIC cards and set the printer to a static IP address. Then, when adding a printer, we create a port on the workstation to point to the IP address of the printer, then select the most current print drivers from a local network share. As we have progressed we have moved to Multi-Function Printers that fax, scan to PDF, and store user print jobs until they release them at the printer. These also add security by putting passwords on accounts so someone can't just walk up and print from the HR Director's mailbox. These printers are administered via a webpage pointed at the device.

In the future I see this becoming more and more the norm, along with a reduction in printing hard copies.

Saturday, April 10, 2010

Lesson 6

Configuring File Services

Planning a File Server Deployment

Scalability – Be thinking about current and future needs: how much are you going to need 3 to 5 years from now? Do you have any archiving policy in practice?

Navigation – How are users going to be able to locate the files they need access to?

Protection – Who needs access and how are you going to manage it?

Abuse – How are you going to control users from using up too much space on the file servers?

Diversity – How do you provide access for users who are not running Windows operating systems?

Fault tolerance – How quickly can you recover from failure of a hard drive, server or entire facility?

Availability – How can you make sure that users have continuous access to critical files across your complete network, even if it is remote?

The following are the Windows Server 2008 storage limitations:

• Maximum basic volume size: 2 terabytes
• Maximum dynamic volume size (simple and mirrored volumes): 2 terabytes
• Maximum dynamic volume size (spanned and striped volumes): 64 terabytes (2 terabytes per disk, with a maximum of 32 disks)
• Maximum dynamic volume size (RAID-5 volumes): 64 terabytes (2 terabytes per disk, with a maximum of 32 disks and 2 terabytes reserved for parity information)
• Maximum NTFS volume size: 2^32 clusters minus 1 cluster (using the default 4 kilobyte cluster size, the maximum volume size is 16 terabytes minus 64 kilobytes; using the maximum 64 kilobyte cluster size, the maximum volume size is 256 terabytes minus 64 kilobytes)
• Maximum number of clusters on an NTFS volume: 2^32
• Maximum NTFS file size: 2^44 bytes (16 terabytes) minus 64 kilobytes
• Maximum number of files on an NTFS volume: 2^32 minus one file
• Maximum number of volumes on a server: approximately 2000 (1000 dynamic and the rest basic)

When installing additional storage you must address the following tasks:

Select a partitioning style – there are two types supported: MBR (Master Boot Record) and GUID (Globally Unique Identifier). You will need to choose one or the other, not both.

Select a disk type – there are two types supported: basic and dynamic. You can use both disk types on the same disk, but you cannot mix disk types on the same computer.

Divide the disk into partitions or volumes – You create partitions on basic disks and volumes on dynamic disks.

Format the partitions or volumes with a file system – the two file systems that are supported are NTFS and FAT (FAT16 and FAT32).

During installation two partitions are created: a system partition and a boot partition. The system partition contains hardware-related files that the computer uses to boot. The boot partition contains the operating system files, which are stored in the Windows directory. You can create up to four primary partitions.

Volume Types

Simple volume – Is on a single disk. Once you have created a simple volume you can later extend it to multiple disks to create a spanned or a striped volume, as long as it is not a system or boot volume.

Spanned volume – Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. A spanned volume is essentially a method for combining the space from multiple disks into a single large volume.

Striped volume – Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. The difference between a striped volume and a spanned volume is that in a striped volume, the system writes data one stripe at a time to each successive disk in the volume.

Mirrored volume – Consists of an identical amount of space on two physical disks, both of which must be dynamic. The system then performs all read and write operations on both disks simultaneously, so they contain duplicate copies of the data.

RAID-5 volume – Consists of space on three or more physical disks, all of which must be dynamic disks. The system stripes data and parity information across all of the disks, so that if one disk fails, the missing data can be recreated using the parity information on the other disks.

File Sharing and Permissions

Now that you have the volumes set up, you will need to set up a file structure and a sharing strategy. Following a basic structure, set the root of the organization's public and private shares:

Public
  Accounting
  Customer Service
  General Access
  Human Resources
  Information Systems
  Marketing
  Purchasing
  Sales
Private
  Bob Johnson
  Cindy Johnsen
  Dan Mann
  Nick Nickleson
  Paul Pusher
  Steven Sales

Permissions can then be set at the individual level on the private directories and at the group level on the public directories. The following are the four different types of permissions:
• Share permissions
• NTFS permissions
• Registry permissions
• Active Directory permissions

All of these permissions can operate independently of each other and sometimes combine to increase protection of a specific resource. NTFS permissions enable you to control access to files and folders by specifying just what tasks individual users can perform on them. Share permissions provide rudimentary access control for all of the files on a network share. Network users must have the proper share and NTFS permissions to access file server shares.

The File Services role includes several role services that you can choose to install, including Distributed File System and Services for Network File System. Selecting individual role services can add extra configuration pages to the Add Roles Wizard.

The Distributed File System (DFS) includes two technologies: DFS Namespaces and DFS Replication, which can simplify the process of locating files, control the amount of traffic passing over WAN links, provide users at remote sites with local file server access, configure the network to survive a WAN link failure, and facilitate consistent backups.

DFS is a virtual namespace technology that enables you to create a single directory tree containing references to shared folders located on various file servers all over the network.

A namespace server functions just like a file server except that when a user requests access to a file in the DFS directory tree, the namespace server replies—not with the file itself, but with a referral specifying the file’s actual location.

Sunday, April 4, 2010

Lesson 5

Configuring Routing and Remote Access (RRAS) and Wireless Networking
Routing is the process of transferring data across an internetwork from one LAN to another, using the Internet and the TCP/IP protocols, between multiple organizations. The Routing and Remote Access service in Windows Server 2008 is a software-based router that can be configured as a router and remote access server. A significant advantage of using Windows Server 2008 in this manner is that it is integrated with Windows features, such as Group Policy and the Active Directory service. The Routing and Remote Access console is the principal tool used for configuring and managing this service.

The following are some common routing protocols:

• RIP (Routing Information Protocol) and RIP v2: RIP broadcasts information about available routes on a regular basis, as well as when the network topology changes. RIP v2 improves on the security of RIP and on the information carried in its updates. Without dynamic routing protocols such as RIP v2, network administrators must add static routes to connect to non-neighboring subnets when those subnets do not lie in the same direction as the default route.

• OSPF (Open Shortest Path First) is designed to address the scalability limitations of RIP. Rather than using broadcasts to transmit data, each router maintains a database of routes to all destinations that it knows of; when it receives network traffic destined for one of these destinations, it routes the traffic using the shortest path/route.

Routers read the destination addresses of received packets and route those packets using their routing tables. In Windows Server 2008, these routing tables can be viewed using the Routing and Remote Access console or with the route print command.

The following are the five columns that are displayed in the routing table:
• Network destination, as the name suggests, indicates the destination network.
• Netmask is the subnet mask of the destination network.
• Gateway is the next-hop address to which packets matching this routing table entry are forwarded.
• Interface determines which local network interface card is used to forward the packet to the correct gateway.
• Metric is the cost of using this route to transfer the data.
Four types of routes found in a routing table are:
• Directly attached Network routes
• Remote Network routes
• Host routes
• Default route
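To see how the five columns and the four route types work together when a packet is forwarded, here is an added example (not part of the original post) that models a small route print table and performs the lookup a router does: the longest matching prefix wins, and the lowest metric breaks ties. The table, addresses and metrics are constructed for the example.

```python
import ipaddress

# Constructed sample routing table modelled on the five columns of "route print":
# network destination, netmask, gateway, interface, metric.
# "On-link" is how Windows shows a directly attached network (no gateway needed).
ROUTES = [
    # destination      netmask            gateway          interface       metric
    ("0.0.0.0",        "0.0.0.0",         "192.168.1.1",   "192.168.1.10", 20),  # default route
    ("192.168.1.0",    "255.255.255.0",   "On-link",       "192.168.1.10", 10),  # directly attached network
    ("192.168.1.10",   "255.255.255.255", "On-link",       "192.168.1.10", 10),  # host route (this host)
    ("10.20.0.0",      "255.255.0.0",     "192.168.1.254", "192.168.1.10", 15),  # remote network route
    ("10.20.0.0",      "255.255.0.0",     "192.168.1.253", "192.168.1.10", 30),  # same network, worse metric
    ("127.0.0.0",      "255.0.0.0",       "On-link",       "127.0.0.1",    50),  # loopback network
]


def route_type(destination, netmask, gateway):
    """Classify an entry into one of the four route types listed above."""
    if destination == "0.0.0.0" and netmask == "0.0.0.0":
        return "default"
    if netmask == "255.255.255.255":
        return "host"
    if gateway == "On-link":
        return "directly attached"
    return "remote"


def lookup(dest_ip, routes=ROUTES):
    """Choose the forwarding entry for dest_ip.

    Longest matching prefix wins; among equal prefixes the lowest metric wins.
    Returns (gateway, interface, route_type) or None when nothing matches
    (which can only happen when there is no default route).
    """
    ip = ipaddress.IPv4Address(dest_ip)
    best = None
    for destination, netmask, gateway, interface, metric in routes:
        net = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=False)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
        if best is None or key > best[0]:
            best = (key, gateway, interface, route_type(destination, netmask, gateway))
    if best is None:
        return None
    _, gateway, interface, kind = best
    return gateway, interface, kind


if __name__ == "__main__":
    for target in ("192.168.1.10", "192.168.1.77", "10.20.5.5", "8.8.8.8"):
        print(target, "->", lookup(target))
```

Running the script shows a host route beating the directly attached network for the machine's own address, the remote route with metric 15 beating its metric-30 twin, and any address that matches nothing more specific falling through to the default route.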

Demand-Dial Routing (also known as Dial-On-Demand routing) is also included within Routing and Remote Access; it is a low-cost solution for low-traffic situations.

Remote Access
When you provide connectivity for remote access clients, the client uses one of two methods: DUN (Dial-Up Networking) or a VPN (Virtual Private Network). DUN uses a POTS line to dial directly into the remote access server; because it is a dedicated physical connection, the traffic is often unencrypted. VPN connectivity creates a secure point-to-point connection across either a private network or a public network (the Internet). A VPN uses TCP/IP tunneling protocols to create the secured VPN connection.

The following are several other options available when configuring Remote Access:
• Remote Access (Dial-Up or VPN)
• Network Address Translation (NAT)
• Virtual Private Network (VPN) Access and NAT
• Secure Connection between two Private Networks
• Custom Configuration
A VPN connection consists of the following components:
• VPN server
• VPN client
• VPN connection(the data is encrypted)
• VPN tunnel(the data is encapsulated)
The two tunneling protocols that provide this service are PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer Two Tunneling Protocol). PPTP supports only 128-bit RC4 encryption, while L2TP supports Advanced Encryption Standard (AES) 256-bit, AES 192-bit, AES 128-bit, and 3DES encryption by default on Windows Server 2008.

Network Address Translation (NAT) enables private networks to connect to the Internet. The NAT protocol translates internal, private IP addresses to external, public IP addresses and vice versa.
Here’s how it works. The IP stack on the client computer creates an IP packet with specific values in the IP and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) headers. The client computer then forwards the IP packet to the computer running NAT. The computer running NAT changes the outgoing packet header to indicate that the packet originated from the NAT computer’s external address. However, the computer running NAT does not change the destination. It then sends the remapped packet over the Internet to the Web server. The external Web server receives the packet and sends a reply to the computer running NAT. The computer running NAT receives the packet and checks its mapping information to determine the destination client computer. The computer running NAT changes the packet header to indicate the private address of the destination client and then sends the packet to the client.
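The walkthrough above is easier to follow as a small state machine. The following is an added example (not code from the original post or from Windows) that keeps a NAT mapping table: outbound packets get their source rewritten to the NAT computer's external address, and replies are mapped back to the private client. It also shows the security side of the "checks its mapping information" step: an inbound packet with no matching mapping, or from a host the client never talked to, is dropped. Addresses and port numbers are constructed for the example.

```python
import itertools


class NatRouter:
    """Toy Network Address Translation table (constructed example).

    Outbound packets have their source rewritten to the NAT computer's external
    address and a per-flow external port; replies are mapped back using that state.
    """

    def __init__(self, external_ip, first_port=49152):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)  # next free external port
        # external port -> (private src ip, private src port, dst ip, dst port, proto)
        self.table = {}

    def outbound(self, packet):
        """Translate a packet leaving the private network; returns the remapped packet."""
        flow = (packet["src"], packet["sport"], packet["dst"], packet["dport"], packet["proto"])
        # Reuse the mapping for an existing flow, otherwise allocate a new external port.
        ext_port = next((p for p, f in self.table.items() if f == flow), None)
        if ext_port is None:
            ext_port = next(self._ports)
            self.table[ext_port] = flow
        out = dict(packet)
        out["src"] = self.external_ip  # source becomes the NAT computer's external address
        out["sport"] = ext_port
        # The destination is left unchanged, as described in the text.
        return out

    def inbound(self, packet):
        """Translate a reply arriving from the Internet.

        Returns the packet addressed to the private client, or None when no mapping
        exists (unsolicited inbound traffic is dropped rather than forwarded).
        """
        if packet["dst"] != self.external_ip:
            return None
        flow = self.table.get(packet["dport"])
        if flow is None:
            return None  # nobody inside asked for this: drop
        priv_ip, priv_port, remote_ip, remote_port, proto = flow
        # Only the host the client actually talked to may use this mapping.
        if (packet["src"], packet["sport"], packet["proto"]) != (remote_ip, remote_port, proto):
            return None
        back = dict(packet)
        back["dst"] = priv_ip
        back["dport"] = priv_port
        return back


def demo():
    """Client 192.168.1.20 fetches a web page through NAT 203.0.113.5 (constructed)."""
    nat = NatRouter("203.0.113.5")
    request = {"proto": "TCP", "src": "192.168.1.20", "sport": 51000,
               "dst": "198.51.100.10", "dport": 80}
    sent = nat.outbound(request)                       # what the web server sees
    reply = {"proto": "TCP", "src": "198.51.100.10", "sport": 80,
             "dst": "203.0.113.5", "dport": sent["sport"]}
    delivered = nat.inbound(reply)                     # what the client receives
    stray = {"proto": "TCP", "src": "198.51.100.99", "sport": 80,
             "dst": "203.0.113.5", "dport": sent["sport"]}
    dropped = nat.inbound(stray)                       # no matching mapping: None
    return sent, delivered, dropped


if __name__ == "__main__":
    for step, pkt in zip(("sent", "delivered", "dropped"), demo()):
        print(step, pkt)
```

Real NAT implementations also age mappings out after an idle timeout; this toy keeps them forever, which is enough to show the translation in both directions.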

NPS Network Policy Server
The remote access connection must be authorized by a Windows Server 2008 computer running the NPS or RRAS role service, or by a RADIUS (Remote Authentication Dial-In User Service) server. Use a RADIUS server to centralize remote access authentication, authorization, and logging. When you implement RADIUS, multiple Windows Server 2008 computers running the Routing and Remote Access service forward access requests to the RADIUS server. The RADIUS server then queries the domain controller for authentication and applies remote access policies to the connection requests.

Keep in mind the AAA:
• Authentication proves the user is who they claim to be.
• Authorization controls what resources an authenticated user can or cannot access.
• Accounting keeps track of what resources a user has accessed or attempted to access.

An NPS Network Policy, which is a rule for evaluating remote connections, consists of three components: conditions, constraints and settings. Here’s how it works: A user attempts to initiate a remote access connection. The Remote Access server checks the conditions in the first configured NPS Network Policy. If the conditions of this NPS Network Policy do not match, the Remote Access server checks any remaining configured NPS Network Policies until it finds a match. Once the Remote Access server finds an NPS Network Policy with conditions that match the incoming connection attempt, it checks any constraints that have been configured for the policy. If the connection attempt does not match a configured constraint (time of day, minimum encryption level), the remote access server denies the connection. If the connection attempt matches both the conditions and the constraints of a particular NPS Network Policy, the remote access server allows or denies the connection based on the Access permission configured for that policy.

Authentication Protocols: the following lists them in order from most secure to least secure:
• EAP-TLS
• MS-CHAP v2
• MS-CHAP v1
• Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Shiva Password Authentication Protocol (SPAP)
• Password Authentication Protocol (PAP)
• Unauthenticated access

Wireless Access

The IEEE 802.1X standard allows for port-level network access control of both wired and wireless connections. A Windows Server 2008 server running the NPS role can also secure 802.1X connectivity for 802.1X-capable network switches and wireless access points. The 802.1X standard provides port-based security by using the following components:
• Supplicant which is the device that is seeking access to the network.
• Authenticator which is the component that requests authentication credentials for the supplicant (commonly the port on the switch or the wireless access point).
• Authentication Server (AS) is the server that verifies the supplicant’s authentication credentials, and informs the authenticator whether to allow or disallow access to the 802.1x secured network port.
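The policy evaluation order described in the NPS section above (first policy whose conditions match, then its constraints, then its Access permission) applies equally when NPS is the authentication server for an 802.1X switch or wireless access point, with the connection type expressed as a condition. The following is an added example, not code from the original post or from NPS, that implements that evaluation order over a constructed policy set. The condition names "NAS-Port-Type" and "Windows-Groups" and the constraint names are modelled loosely on the NPS console and are an assumption of this example; the policies, groups and requests are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class NetworkPolicy:
    """One NPS-style network policy (constructed model, not the real NPS object)."""
    name: str
    conditions: dict                                   # attribute -> set of acceptable values
    constraints: dict = field(default_factory=dict)    # e.g. {"hours": (8, 18), "min_encryption": 128}
    access: str = "grant"                              # Access permission: "grant" or "deny"


def conditions_match(policy, request):
    """Every condition must match. A set-valued request attribute (group
    membership) matches when any of its members is in the allowed set."""
    for attr, allowed in policy.conditions.items():
        value = request.get(attr)
        if isinstance(value, (set, frozenset, list)):
            if not allowed & set(value):
                return False
        elif value not in allowed:
            return False
    return True


def constraints_match(policy, request):
    """Constraints are checked only after the conditions matched."""
    c = policy.constraints
    if "hours" in c:
        start, end = c["hours"]                        # allowed hours of the day [start, end)
        if not start <= request["hour"] < end:
            return False
    if "min_encryption" in c and request["encryption_bits"] < c["min_encryption"]:
        return False
    return True


def evaluate(policies, request):
    """Return (decision, policy name) following the NPS processing order:
    policies are tried in configured order; the first whose conditions match is
    used; a failed constraint denies outright; otherwise the policy's Access
    permission decides. No matching policy means the connection is denied."""
    for policy in policies:
        if not conditions_match(policy, request):
            continue
        if not constraints_match(policy, request):
            return "deny", policy.name
        return policy.access, policy.name
    return "deny", None


# Constructed policy set, evaluated top to bottom like the NPS console list.
POLICIES = [
    NetworkPolicy("Block contractors", {"Windows-Groups": {"Contractors"}}, access="deny"),
    NetworkPolicy("Staff VPN", {"NAS-Port-Type": {"Virtual (VPN)"}, "Windows-Groups": {"Staff"}},
                  constraints={"hours": (7, 19), "min_encryption": 128}),
    NetworkPolicy("Staff wireless 802.1X", {"NAS-Port-Type": {"Wireless - IEEE 802.11"},
                                            "Windows-Groups": {"Staff"}}),
]


def request(port_type, groups, hour=10, encryption_bits=128):
    """Build a constructed connection request as the authenticator would present it."""
    return {"NAS-Port-Type": port_type, "Windows-Groups": set(groups),
            "hour": hour, "encryption_bits": encryption_bits}


if __name__ == "__main__":
    for r in (request("Virtual (VPN)", ["Staff"]),
              request("Virtual (VPN)", ["Staff"], hour=23),
              request("Virtual (VPN)", ["Staff", "Contractors"]),
              request("Wireless - IEEE 802.11", ["Guests"])):
        print(r["NAS-Port-Type"], sorted(r["Windows-Groups"]), r["hour"], "->", evaluate(POLICIES, r))
```

Note what the ordering implies: a user in both Staff and Contractors is denied by the first policy even though a later policy would grant access, and a staff VPN attempt outside the allowed hours is denied by the constraint rather than falling through to a later policy.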

Saturday, April 3, 2010

Lesson 4

Configuring and Managing the DNS Server Role

DNS Domain Name System

Windows Server 2008 includes both DNS and Windows Internet Naming System (WINS) name resolution services, which allow computers to translate between human-readable names, which are easier for people to understand and remember, and IP addresses, which are necessary for TCP/IP communications.
The DNS namespace is hierarchical and based on a unique root that can have any number of subdomains. A Fully Qualified Domain Name (FQDN) is the name of a DNS host in this namespace, indicating the host’s location relative to the root of the DNS domain tree. An example of an FQDN is host1.subdomain.microsoft.com. The top-level domain is com. The second-level domain is microsoft.com; second-level domains are registered to individuals or organizations. Second-level domains can have many subdomains, and any domain can have hosts. A host is a specific computer or network device within a domain.
DNS names and the DNS protocol are required for Active Directory domains and for compatibility with the Internet.
A DNS zone is a contiguous portion of a namespace for which a server is authoritative. A server can be authoritative for one or more zones, and a zone can contain one or more contiguous domains. A DNS server is authoritative for a zone if it hosts the zone, either as a primary or secondary DNS server. Each DNS zone contains the resource records it needs to answer queries for its portion of the DNS namespace.

There are several types of DNS servers: primary, secondary, master name, and caching-only.

• A DNS server that hosts a primary DNS zone is said to act as a primary DNS server. Primary DNS servers store original source data for zones. With Windows Server 2003, you can implement primary zones in one of two ways: as standard primary zones (zone data is stored in a text file) or as an Active Directory–integrated zone (zone data is stored in the Active Directory database).
• A DNS server that hosts a secondary DNS zone is said to act as a secondary DNS server. Secondary DNS servers are authoritative backup servers for the primary server. The servers from which secondary servers acquire zone information are called masters.
• A caching-only server forwards requests to other DNS servers and hosts no zones, but builds a cache of frequently requested records.

A DNS zone is a collection of host name-to-IP address mappings for hosts in a contiguous portion of the DNS namespace. Contiguous means connected by a parent-child relationship. For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain. Zones are stored in text files or within Active Directory. It is recommended to have a primary and a secondary zone to provide fault tolerance if one of the servers fails. There are four standard zone types: standard primary, standard secondary, reverse lookup and stub zones.

• The Standard primary zone hosts a read/write copy of the DNS zone in which resource records are created and managed.
• The Standard secondary zone is a copy of the Standard primary zone. It is copied from the master in what is called a zone transfer, which can be a full zone transfer (called an AXFR) or an incremental zone transfer (called an IXFR) that only sends the updates made since the last transfer from the Standard primary zone.
• The reverse lookup zone is a zone that gives the ability to look up a name by IP address, the reverse of the usual name-to-IP address lookup.
• The Stub zone is a pointer to the DNS server that is authoritative for that zone, and it is used to maintain or improve DNS resolution efficiency.

Active Directory – Integrated zones has the following benefits:

• Fault tolerance: redundant copies of the zone are kept on multiple servers.
• Security: with DNS zones stored in Active Directory you can modify the discretionary access control list (DACL), which enables you to specify which users and groups may modify the DNS zones.
• These zones are multi-master, meaning that zones can be updated in more than one location.
• Replication is efficient: zone transfers are replaced by more efficient Active Directory replication.
• The use of secondary zones is maintained: Active Directory-integrated zones can also be transferred to secondary zones, similar to the way file-backed secondary zones are transferred.

A DNS resource record holds the information related to a DNS domain; for example, a host record defines a host's IP address. Records are represented in binary form in packets. Typical resource record fields are Owner, TTL (time to live), Class, Type and RDATA (Resource Record Data). The following are the different types of resource records:

• SOA (Start of Authority) This record indicates the starting point of the authority for information stored in a zone. It is the first record created when creating a zone and contains zone-specific information used for maintaining the zone. Its RDATA fields are Authoritative Server, Responsible Person, Serial Number, Refresh, Retry, Expire, and Minimum TTL.
• A(Host) Record maps FQDN to an IPv4 IP address and AAAA(Host) Record maps FQDN to an IPv6 IP address.
• PTR Record performs the reverse function of the A resource record by mapping an IP address to FQDN.
• NS (Name Server) Record identifies a DNS server that is authoritative for a zone; that is, a DNS server that hosts a primary or secondary copy of the DNS zone in question.
• MX(Mail Exchanger) Record specifies a server that is configured to act as a mail server for a DNS name.
• CNAME (Canonical Name/Alias) Record creates an alias for a specified FQDN. You can use CNAME records to hide the implementation details of your network from the clients connecting to it.
• SRV (Service Locator) Record enables you to specify the locations of servers that provide a specific network service over a specific protocol and in a specific domain.
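To make the record fields concrete, here is an added example (not from the original post) that parses a small zone in the usual "owner TTL class type RDATA" text layout into records, splits the SOA RDATA into the seven fields listed above, answers a lookup the way a server does (following a CNAME alias to the host that really owns the A record), and shows the job of the SOA serial number in deciding whether a secondary needs a zone transfer. The zone content is constructed; example.com and the 192.0.2.0/24 and 2001:db8:: ranges are reserved documentation names and addresses.

```python
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rclass rtype rdata")

# The seven SOA RDATA fields, in wire order.
SOA_FIELDS = ("authoritative_server", "responsible_person", "serial",
              "refresh", "retry", "expire", "minimum_ttl")

# Constructed sample zone: owner  TTL  class  type  RDATA
ZONE_TEXT = """\
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2010040401 900 600 86400 3600
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN MX    10 mail.example.com.
ns1.example.com.        3600 IN A     192.0.2.53
mail.example.com.       3600 IN A     192.0.2.25
www.example.com.        3600 IN CNAME web1.example.com.
web1.example.com.        300 IN A     192.0.2.80
web1.example.com.        300 IN AAAA  2001:db8::80
_ldap._tcp.example.com.  600 IN SRV   0 100 389 dc1.example.com.
"""


def parse_zone(text):
    """Turn zone text into Record tuples; SOA RDATA becomes a dict of its 7 fields."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rtype == "SOA":
            fields = rdata.split()
            rdata = dict(zip(SOA_FIELDS, fields[:2] + [int(f) for f in fields[2:]]))
        records.append(Record(owner.lower(), int(ttl), rclass, rtype, rdata))
    return records


def find_records(records, name, rtype, max_aliases=8):
    """Return the RDATA values for name/rtype, following CNAME aliases.

    DNS names are case-insensitive and the zone stores them fully qualified,
    so the query name is normalised before matching. A bounded alias chase
    prevents a looping CNAME chain from spinning forever.
    """
    name = name.lower().rstrip(".") + "."
    for _ in range(max_aliases):
        answers = [r.rdata for r in records if r.owner == name and r.rtype == rtype]
        if answers:
            return answers
        aliases = [r.rdata for r in records if r.owner == name and r.rtype == "CNAME"]
        if not aliases:
            return []                          # no record of that type: negative answer
        name = aliases[0].lower()              # alias: repeat the lookup for the target
    return []


def soa(records):
    """The zone's SOA RDATA (the first record created when the zone is created)."""
    return next(r.rdata for r in records if r.rtype == "SOA")


def needs_transfer(primary_serial, secondary_serial):
    """A secondary polls the master's SOA at each refresh interval and only starts
    an AXFR/IXFR when the master's serial is higher than its own copy.
    (Plain comparison; real servers use the wrapping arithmetic of RFC 1982.)"""
    return primary_serial > secondary_serial


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print("serial:", soa(zone)["serial"])
    print("www A   :", find_records(zone, "www.example.com", "A"))
    print("www AAAA:", find_records(zone, "www.example.com", "AAAA"))
    print("MX      :", find_records(zone, "example.com", "MX"))
```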

The DNS name resolution process starts when an application passes a query to the local DNS resolver client service. The resolver first checks its local cache; if the query does not match a cached entry, it is sent to the preferred DNS server configured in the client's TCP/IP properties, and the resolution process continues with that DNS server resolving the name.

When a query is sent to a DNS the following are the most common responses:

• Authoritative answer is a positive answer returned to the client and delivered with the authority bit set in the DNS message to indicate the answer was obtained from a server with direct authority for the queried name.
• Positive answer can consist of the queried resource record or a list of resource records that fits the queried DNS domain name and record type specified in the query message.
• Referral answer contains additional resource records not specified by the name or type in the query.
• Negative answer is where an authoritative server reports that the queried name exists but no records of the specified type exist for that name.

Root hints contain the names and IP addresses of the DNS servers authoritative for the root zone. By default, DNS servers use a root hints file, called cache.dns on Microsoft servers. The DNS Server service must be configured with root hints to resolve queries for names that it is not authoritative for or for which it contains no delegations.

Recursion is one of the two process types for DNS name resolution. A DNS client requests that a DNS server provide a complete answer to a query that does not include pointers to other DNS servers, effectively shifting the workload of resolving the query from the client to the DNS server. The iterative type of query keeps the workload on the client, which goes from one server to the next to get its name resolved. For the DNS server to perform recursion properly, the server needs to know where to begin searching for names in the DNS namespace. This information is provided by the root hints file, cache.dns, which is stored on the server computer.

A DNS server on a network is designated as a forwarder by having the other DNS servers in the network forward the queries they cannot resolve locally to that DNS server. Conditional forwarding enables a DNS server to forward queries to other DNS servers based on the DNS domain names in the queries.
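The resolution process, the response types, root hints, recursion versus iteration, and forwarders described in the paragraphs above fit together in one small simulation. The following is an added example (not from the original post, and not how the Windows DNS Server service is implemented) in which each iterative query to one server returns either an authoritative answer, a negative answer or a referral, a recursive server walks the referrals starting from its root hints and caches the result, and a second recursive server is configured to forward everything to the first instead of walking the tree itself. The server names, zones and addresses are constructed; example.com and 192.0.2.0/24 are reserved for documentation.

```python
# Constructed toy DNS hierarchy. Each authoritative server knows the zone it serves,
# its records, and delegations (NS referrals) to child zones.
ROOT_HINTS = {"root": "a.root"}   # plays the part of cache.dns: how to reach a root server

SERVERS = {
    "a.root":      {"zone": ".",            "records": {},
                    "delegations": {"com.": "a.gtld"}},
    "a.gtld":      {"zone": "com.",         "records": {},
                    "delegations": {"example.com.": "ns1.example"}},
    "ns1.example": {"zone": "example.com.",
                    "records": {("www.example.com.", "A"): ["192.0.2.80"],
                                ("mail.example.com.", "A"): ["192.0.2.25"]},
                    "delegations": {}},
}


def in_zone(name, zone):
    """True if name lies in zone (the root zone "." contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def iterative_query(server, name, rtype):
    """One round trip to one server. Returns (kind, payload) where kind is
    'authoritative', 'negative' or 'referral'. The server never resolves the
    name on the client's behalf; the client must follow any referral itself."""
    s = SERVERS[server]
    for zone, child_server in s["delegations"].items():
        if in_zone(name, zone):
            return "referral", child_server   # delegated away: here is who to ask next
    if in_zone(name, s["zone"]):
        answers = s["records"].get((name, rtype))
        if answers:
            return "authoritative", answers    # positive answer with the authority bit set
        return "negative", None                # authoritative for the zone, but no such record
    return "referral", ROOT_HINTS["root"]      # outside anything this server knows


class RecursiveServer:
    """A DNS server doing recursion for its clients: it returns a complete answer,
    never a referral. With a forwarder configured it hands unresolved queries to
    that server instead of walking the tree from the root hints itself."""

    def __init__(self, name, forwarder=None):
        self.name = name
        self.forwarder = forwarder       # another RecursiveServer, or None
        self.cache = {}
        self.upstream_queries = 0        # iterative queries this server sent out

    def resolve(self, name, rtype):
        name = name.lower().rstrip(".") + "."
        key = (name, rtype)
        if key in self.cache:            # resolver cache hit: no upstream traffic at all
            return self.cache[key]
        if self.forwarder is not None:
            result = self.forwarder.resolve(name, rtype)
        else:
            result = self._walk_from_root(name, rtype)
        self.cache[key] = result
        return result

    def _walk_from_root(self, name, rtype, max_hops=8):
        server = ROOT_HINTS["root"]
        for _ in range(max_hops):
            self.upstream_queries += 1
            kind, payload = iterative_query(server, name, rtype)
            if kind != "referral":
                return kind, payload
            server = payload             # follow the referral to the next server
        return "servfail", None          # referral loop or chain too long


if __name__ == "__main__":
    hub = RecursiveServer("dns1")                      # uses root hints
    branch = RecursiveServer("dns2", forwarder=hub)    # forwards everything to dns1
    print(branch.resolve("www.example.com", "A"), "upstream queries by dns1:", hub.upstream_queries)
    print(branch.resolve("www.example.com", "A"), "upstream queries by dns1:", hub.upstream_queries)
    print(hub.resolve("ftp.example.com", "A"))
```

Running it shows three iterative queries (root, com, example.com) for the first lookup, none for the repeat because the answer is cached, and a negative answer for a name the example.com server is authoritative for but has no record of.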