CH 13

The document is a chapter from a guide about securing Windows Server 2008. It discusses security enhancements in Windows Server 2008 like reduced kernel attack surface, expanded group policy, Windows Firewall, and BitLocker Drive Encryption. It also covers implementing security through group policies, including account policies, audit policies, user rights, and security options. The chapter includes learning objectives and activities to help administrators understand and configure security features in Windows Server 2008.

Uploaded by fuaad

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)
Chapter 13: Securing Windows Server 2008

Learning Objectives
• Understand the security enhancements included in Windows Server 2008
• Understand how Windows Server 2008 uses group policies
• Understand and configure security policies
• Implement Active Directory Rights Management Services
• Manage security using the Security Templates and Security Configuration and Analysis snap-ins

MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
Learning Objectives (cont’d.)
• Configure security policies for client computers
• Use the cipher command for encryption
• Use BitLocker Drive Encryption
• Configure Network Address Translation
• Configure Windows Firewall
• Implement Network Access Protection

Security Enhancements in Windows Server 2008
• Reduced attack surface of the kernel through Server Core
• Expanded group policy
• Windows Firewall
• Network Access Protection
• Security Configuration Wizard
• User Account Control
• BitLocker Drive Encryption

Security Enhancements in Windows Server 2008 (cont’d.)
• Demilitarized zone (DMZ)
– Portion of a network that is between two networks
• New categories of group policy management
– Power management
– Assigning printers by location (particularly for mobile users)
– Delegation of printer driver installation
– Security settings
– Internet Explorer settings
• Over 700 new policy settings

Security Enhancements in Windows Server 2008 (cont’d.)
• User Account Control (UAC)
– Keep the user running in the standard user mode
– More fully insulate the kernel
• Administrator Approval Mode
• BitLocker Drive Encryption
– Prevents an intruder from bypassing ACL file and folder protections

Introduction to Group Policy
• Group policy
– Standardize the working environment of clients and servers by setting policies in Active Directory
• Set for many environments
• Defining characteristics of group policy
– Can be set for a site, domain, OU, or local computer
– Cannot be set for non-OU folder containers

Introduction to Group Policy (cont’d.)
• Defining characteristics of group policy (cont’d.)
– Settings are stored in group policy objects (GPO)
– GPOs can be local and nonlocal
– Can be set up to affect user accounts and computers
– When group policy is updated:
• Old policies are removed or updated for all clients

Securing Windows Server 2008 Using Security Policies
• Security policies
– Account Policies
– Audit Policy
– User Rights
– Security Options
– IP Security Policies
• Activity 13-1: Using the Group Policy Management Snap-In
– Objective: Learn how to use the Group Policy Management MMC snap-in

Establishing Account Policies
• Account policies
– Security measures set up in a group policy that applies to all accounts or to all accounts in a container
– Active Directory required
• Password Security
– First line of defense in Windows Server 2008
– Settings
• Expiration period
• Minimum length
• Other password security options that you can configure

Establishing Account Policies (cont’d.)
• Activity 13-2: Configuring Password Security
– Objective: Configure the password security in the default domain security policy

Figure 13-3 Viewing security settings for the default domain policy
Courtesy Course Technology/Cengage Learning

Account Lockout
• Bar access to an account after a number of unsuccessful tries
• Can be set to release
– After a specified period of time
– By intervention from the server administrator
• Parameters
– Account lockout duration
– Account lockout threshold
– Reset account lockout count after
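How the three lockout parameters interact is easiest to see by replaying logon attempts against them. The following is an added example, not part of the original slides: a simplified model in Python whose policy values, attempt timelines, and names (LockoutPolicy, replay) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int        # "Account lockout threshold": failed tries before lockout (0 = never lock)
    duration_min: int     # "Account lockout duration": 0 = locked until an administrator unlocks
    reset_after_min: int  # "Reset account lockout count after"


def replay(policy, attempts):
    """Replay (minute, password_ok) logon attempts for one account, in time order.

    Returns one outcome string per attempt. Simplified model, not Windows code.
    """
    bad_count, last_bad, locked_at = 0, None, None
    outcomes = []
    for minute, password_ok in attempts:
        if locked_at is not None:
            timed_release = (policy.duration_min > 0
                             and minute - locked_at >= policy.duration_min)
            if not timed_release:
                outcomes.append("rejected: account locked")
                continue
            locked_at, bad_count = None, 0      # lockout duration has elapsed
        if bad_count and minute - last_bad >= policy.reset_after_min:
            bad_count = 0                       # counter reset window has elapsed
        if password_ok:
            bad_count = 0
            outcomes.append("logon ok")
            continue
        bad_count += 1
        last_bad = minute
        if policy.threshold and bad_count >= policy.threshold:
            locked_at = minute
            outcomes.append("failed: account now locked")
        else:
            outcomes.append(f"failed ({bad_count}/{policy.threshold})")
    return outcomes


# Constructed sample policies and attempt timelines (minutes since first attempt).
TIMED = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=10)
MANUAL = LockoutPolicy(threshold=3, duration_min=0, reset_after_min=10)
BURST = [(0, False), (4, False), (8, False), (20, True), (38, True)]
SPACED = [(0, False), (4, False), (15, False), (16, True)]

if __name__ == "__main__":
    for label, policy, attempts in [("timed release", TIMED, BURST),
                                    ("administrator release", MANUAL, BURST),
                                    ("counter reset", TIMED, SPACED)]:
        print(label)
        for (minute, _), outcome in zip(attempts, replay(policy, attempts)):
            print(f"  t={minute:>2} min  {outcome}")
```

With a duration of 0 the correct password is still rejected at minute 38, which is the "intervention from the server administrator" case; in the spaced timeline the third failure counts as the first because the reset window has passed.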

Account Lockout (cont’d.)
• Activity 13-3: Configuring Account Lockout Policy
– Objective: Configure account lockout policy in the default domain security policy

Account Lockout (cont’d.)

Figure 13-6 Configuring account lockout duration
Courtesy Course Technology/Cengage Learning

Account Lockout (cont’d.)
• Kerberos security
– Use of tickets exchanged between the client and the server or Active Directory
• Designate Windows Server 2008 as a Kerberos key distribution center
• Service ticket
– Good for the duration of a logon session
– Enables the computer to access network services beginning with the Logon service

Account Lockout (cont’d.)
• Advanced Encryption Standard (AES) encryption
– Deployed by the U.S. federal government
– More secure than DES
• Windows NT LAN Manager version 2 (NTLMv2)
– Default authentication
– Should change to Kerberos if possible
• Options for configuring Kerberos
– Enforce user logon restrictions
– Maximum lifetime for service ticket

Account Lockout (cont’d.)
• Options for configuring Kerberos (cont’d.)
– Maximum lifetime for user ticket
– Maximum lifetime for user ticket renewal
– Maximum tolerance for computer clock synchronization
• Activity 13-4: Configuring Kerberos Security
– Objective: Configure Kerberos in the default domain security policy

Figure 13-7 Configuring Kerberos Policy
Courtesy Course Technology/Cengage Learning

Establishing Audit Policies
• Specify account auditing
– Track activity associated with accounts
• Examples of events an organization can audit
– Account logon (and logoff) events
– Account management
– Directory service access
– Logon (and logoff) events at the local computer
– Object access
– Policy change

Establishing Audit Policies (cont’d.)
• Examples of events an organization can audit (cont’d.)
– Privilege use
– Process tracking
– System events
• Activity 13-5: Configuring Auditing
– Objective: Configure an audit policy

Establishing Audit Policies (cont’d.)

Figure 13-8 Configuring account logon auditing
Courtesy Course Technology/Cengage Learning

Configuring User Rights
• Ability to access a server
– Most basic right
• More advanced rights
• General categories of rights
– Privileges
• Relate to the ability to manage server or Active Directory functions
– Logon rights
• Related to accessing accounts, computers, and services

Configuring User Rights (cont’d.)
• Activity 13-6: Configuring User Rights
– Objective: Learn how to configure user rights

Configuring Security Options
• Over 78 specialized security options
• Categories:
– Accounts
– Audit
– DCOM
– Devices
– Domain controller
– Interactive logon
– Microsoft network client
– Network access
– Network security
– Recovery console
– Shutdown
– System cryptography
– System objects
– System settings
– User Account Control

Configuring Security Options (cont’d.)
• Activity 13-7: Configuring Security Options
– Objective: Examine the Security Options and configure an option

Figure 13-11 Accessing the Security Options
Courtesy Course Technology/Cengage Learning

Using IP Security Policies
• IP Security (IPsec)
– IP-based secure communications and encryption standards
– Computers first exchange certificates
– Next, data is encrypted at the NIC of the sending computer as it is formatted into an IP packet
• Use Default Domain Policy to manage Information Policies for a domain

Using IP Security Policies (cont’d.)
• Roles
– Client (Respond Only)
– Secure Server (Require Security)
– Server (Request Security)
• Activity 13-8: Configuring IPsec in the Default Domain Policy
– Objective: Configure IPsec group policy elements

Active Directory Rights Management Services
• Active Directory Rights Management Services (AD RMS) server role
– Complements client applications that can take advantage of Rights Management Services safeguards
• Rights Management Services (RMS)
– Security rights that provide security for documents, spreadsheets, e-mail, etc.
– Uses security capabilities such as encryption, user authentication, and security certificates

Managing Security Using the Security Templates and Security Configuration and Analysis Snap-Ins
• Security Templates MMC snap-in
– Account policies
– Local policies
– Event log tracking policies
– Group restrictions
– Service access security
– Registry security
– File system security

Managing Security Using the Security Templates and Security Configuration and Analysis Snap-Ins (cont’d.)
• Activity 13-9: Using the Security Templates Snap-In
– Objective: Learn to use the Security Templates snap-in
• Activity 13-10: Using the Security Configuration and Analysis Snap-In
– Objective: Explore the features of the Security Configuration and Analysis snap-in
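The analysis step amounts to comparing a server's current settings against a security template. The following is an added example, not part of the original slides and not the snap-in's implementation: a Python sketch that diffs two template (.inf) texts, such as a baseline and a settings export produced with `secedit /export /cfg`. The section and key names follow the template format; the values and the helper names load_template and analyze are constructed for illustration.

```python
import configparser

# Constructed baseline template: account policies and audit policy only.
# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
BASELINE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 60
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditPolicyChange = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed "current settings" export for the server being analyzed.
CURRENT = """
[System Access]
MinimumPasswordLength = 7
MaximumPasswordAge = 60
LockoutBadCount = 0
ResetLockoutCount = 30
[Event Audit]
AuditAccountLogon = 1
AuditPolicyChange = 3
"""


def load_template(text):
    """Parse security-template text into {section: {key: value}}."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), allow_no_value=True, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    return {section: {key: (value or "").strip() for key, value in parser[section].items()}
            for section in parser.sections()}


def analyze(baseline_text, current_text, sections=("System Access", "Event Audit")):
    """Return (section, key, expected, actual) for each baseline setting that is
    different or missing (actual is None) in the current settings."""
    baseline, current = load_template(baseline_text), load_template(current_text)
    findings = []
    for section in sections:
        for key, expected in baseline.get(section, {}).items():
            actual = current.get(section, {}).get(key)
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings


if __name__ == "__main__":
    for section, key, expected, actual in analyze(BASELINE, CURRENT):
        print(f"[{section}] {key}: template={expected} current={actual}")
```

Files written by secedit are typically UTF-16 encoded, so open them with that encoding before passing the text to analyze.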

Figure 13-17 Log file contents
Courtesy Course Technology/Cengage Learning

Configuring Client Security Using Policies in Windows Server 2008
• Customize desktop and other settings for client computers
• Configure policies on Windows Server 2008 server
• When the client logs on, policies are applied

Manually Configuring Policies for Clients
• Manually configure policies that apply to clients
– To accomplish specific purposes
• Use the Group Policy Object Editor snap-in
– Or customized snap-in
• Activity 13-11: Configuring Policies to Apply to Clients
– Objective: Learn how to configure a group policy to apply to Windows Server 2008 clients

Table 13-1 Options for configuring administrative templates settings under User Configuration

Publishing and Assigning Software
• Publishing applications
– Setting up software through a group policy
– Application is available for users to install from a central application distribution server
• Assigning applications
– Application automatically represented on user’s desktop
• Activity 13-12: Configuring Software Installation
– Objective: Learn where to set up software installation in a group policy

Resultant Set of Policy
• Make implementation and troubleshooting of group policies simpler for administrator
• Query existing policies
– Provide reports and the results of policy changes
• Supports two modes: planning and logging
• Activity 13-13: Using the Resultant Set of Policy Tool
– Objective: Learn how to use the Resultant Set of Policy tool

Using the cipher Command
• Use cipher command
– Encrypt files and folders
– Use parameters listed in Table 13-2
• Activity 13-14: Using the cipher Command
– Objective: Use the cipher command in the Command Prompt window

Using BitLocker Drive Encryption
• BitLocker Drive Encryption
– Uses Trusted Platform Module security specification
– Hardware device used to secure information on a different hardware device
• Security chip manufacturers
– Broadcom, Infineon, STMicroelectronics
• Can also be used with a USB flash drive containing a personal identification number (PIN)
• Activity 13-15: Installing BitLocker Drive Encryption
– Objective: Set up BitLocker Drive Encryption

Configuring NAT
• NAT functions
– Automatically assign its own IP addresses on an internal network
– Computers on external networks cannot identify internal network computers’ true IP addresses
• Uses a pool of private addresses for its internal network
• Acts like a firewall
– Outside world sees only one address

Configuring NAT (cont’d.)
• Activity 13-16: Configuring NAT
– Objective: Configure NAT for the VPN you set up in Chapter 10

Figure 13-24 Selecting NAT
Courtesy Course Technology/Cengage Learning

Windows Firewall
• Improvements compared with previous version
– Protects incoming and outgoing communications
– Merges firewall filters with IPsec settings to avoid settings conflicts
– Includes the Windows Firewall with Advanced Security MMC snap-in
– Has firewall exceptions or rules for several kinds of managed objects
• Configure exceptions and advanced features
– Exceptions
• Programs allowed through the firewall in both directions

Windows Firewall (cont’d.)
• Use Control Panel for configuration
• Activity 13-17: Configuring Windows Firewall via Control Panel
– Objective: Configure Windows Firewall from Control Panel
• Activity 13-18: Configuring Windows Firewall Using the Snap-In
– Objective: Use the Windows Firewall with Advanced Security MMC snap-in

Figure 13-27 Managing Windows Firewall from Server Manager
Courtesy Course Technology/Cengage Learning

Network Access Protection
• Network Access Protection (NAP)
– New feature of Windows Server 2008
• Keeps network healthy
– Identifies clients that do not comply with security policies
– Limits access by noncompliant computers
– Automatically updates or configures a noncompliant computer
– Continuously checks to ensure that computers remain in compliance

IPsec
• When used with NAP, IPsec ensures that noncompliant computers are quarantined
• Health Registration Authority (HRA)
– Network clients contact HRA server and submit Statement of Health (SoH)
• HRA server configured through a Network Policy Server (NPS)

VPN
• NAP works through VPN
– Enforces remote access policy configured for VPN
• When client attempts to connect
– Checked against the remote access policy configured in the NPS server
– If the client properly verifies, access is granted

DHCP
• DHCP with NAP
– Secure the DHCP process
– Configured through a Network Policy Server
– Issues different information depending on compliance
• Remediation server
– Provides updates and security policy changes to the client
– Brings client into compliance
• DHCP issues noncompliant computer IP address of remediation server

TS Gateway
• Ensures secure access and communication when Terminal Services used
• Uses the HRA server to ensure client compliant with the health and security policies on a network
• Does not enable communications with remediation server

802.1X
• 802.1X
– Wired and wireless authentication approach offered by the IEEE
• Port-based form of authentication
– Network port allows unauthenticated communications only until a client has been verified as NAP compliant
– Non-authenticated communications blocked

802.1X (cont’d.)
• Activity 13-19: Using Network Policy Server to Configure NAP
– Objective: Learn about using Network Policy Server for NAP configuration

Figure 13-28 Connection method options
Courtesy Course Technology/Cengage Learning

Summary
• Many new or enhanced security features in Windows Server 2008
• Group policy
– Standardize security across a domain, OU, site, or local server
• Use audit policies to track how resources are accessed
• Security options
– Specialized policies for accounts, auditing, devices, domain controllers, logon, clients, network security, system shutdown, system settings, and others

Summary (cont’d.)
• Use Resultant Set of Policy
– Plan and troubleshoot group policy settings
• BitLocker Drive Encryption
– Security measure for protecting entire hard drives
• Network Access Protection
– Keeps a network healthy
