Before You Begin
To complete the lessons in this chapter, you must have done the following:
• Installed and configured the evaluation edition of Windows Server 2008 Enterprise Edition in accordance with the instructions listed in the Introduction
REAL WORLD
Orin Thomas
One of the biggest shifts in thinking that has gone on since I became an IT professional is the shift in thinking about the LAN as a protected network environment. When I started out, firewalls were placed only at the border between a protected network environment and the Internet. Today's thinking is different in that it recognizes that the LAN is also potentially hostile to the health of systems. This shift of thinking is evident in the features shipped with Windows Vista and Windows Server 2008, namely the improved firewall and technologies such as Network Access Protection (NAP). Despite our best intentions, not every host that connects to the network we are responsible for managing is entirely under our control. Nothing is stopping a member of the sales team who has been overseas at trade shows for the past three months from connecting his or her laptop computer to the company network upon return. This is not problematic if the member of the sales team has ensured that antivirus protection, antispyware, and Windows Updates have been applied to that computer while he or she was away from the network. But what if, when the laptop computer was away from an environment in which harmful Web content is automatically filtered by Microsoft Internet Security and Acceleration (ISA) Server 2006, that laptop became infected? Without the technologies in Windows Server 2008, the act of connecting that computer to the LAN might activate a virulent worm. As IT professionals, we always need to be able to shift our thinking. Today, if we want to remain secure, we must consider the local area network as potentially hostile as we consider the Internet.
Lesson 1: Wireless Access
In the past decade, wireless network speeds have grown from painfully slow to fast enough that wireless technology is an acceptable replacement for traditional cabling. As wireless networking technology has matured, so have the methods through which administrators manage wireless clients in Windows Server network environments. Windows Server 2008 Group Policy gives you a way to automate the configuration of wireless network connections, ensuring that the people who use mobile computers within your organization can do so in a seamless and secure manner. In this lesson, you learn about the wireless technologies Windows clients and servers support, how you can configure secure authentication and encryption for wireless network connections, and how to deploy connection information automatically to clients through Group Policy.
After this lesson, you will be able to:
• Understand wireless network concepts
• Understand the difference between ad hoc and infrastructure modes
• Configure Group Policy related to wireless networks
• Understand the difference between wireless authentication methods
• Configure wireless local area network (WLAN) authentication by using 802.1X
Estimated lesson time: 40 minutes
Wireless Network Components
The first part of this lesson covers the basic concepts behind WLANs. If you are an experienced administrator and already know the most commonly used IEEE 802.11 standards, what a service set identifier (SSID) does, the difference between ad hoc and infrastructure modes, and what a wireless access point (WAP) is, you should move forward to the section titled "WLAN Authentication."
IEEE 802.11 Standards
IEEE 802.11 is a collection of standards for WLANs developed by the Institute of Electrical and Electronics Engineers (IEEE), a professional organization that develops industry standards related to information technology, electricity, and electronics. The standards you are most likely to encounter in a modern network environment are as follows:
• 802.11b This is an older wireless networking standard that has a maximum theoretical
• 802.11g This is a newer standard than 802.11b and has a maximum theoretical network throughput of 54 Mbps and an approximate range of 35 meters. WAPs that use this standard can be configured to work in mixed mode, which supports both 802.11b and 802.11g clients at the cost of reduced network throughput.
• 802.11n Although this standard is awaiting formal approval, vendors sell products that use a draft version of the standard. It has a maximum theoretical network throughput of 300 Mbps and an approximate range of 70 meters (about 200 feet) and is backward compatible with 802.11b and 802.11g. This means that clients that support the older standards can connect to an 802.11n wireless network.
When considering the purchase of WAPs, remember that access points that support the 802.11n standard will be able to support connections from clients that use 802.11b and 802.11g as well as 802.11n. Purchasing a WAP that is not compatible with existing wireless client hardware will mean that you have to replace that hardware for it to work with the new WLAN.
WAPs
WAPs are hardware devices that allow wireless clients, such as laptop computers, to access wireless networks directly and, through routing and switching, to access traditional physical networks, as shown in Figure 4-1. In many small businesses, a single hardware device functions as an external firewall, internal switch, and wireless access point. In most larger organizations, WAPs function as a bridge that allows wireless computers, such as laptops and Tablet PCs, to access resources such as servers that are connected to traditional wired networks.
FIGURE 4-1 A basic WLAN: laptop and Tablet PC wireless clients connect through a wireless access point to traditional clients and servers on the wired network
NOTE 802.11 WIRELESS TO 3G/HSDPA
Although WAPs have been defined earlier as connecting to traditional wired networks, some new-model mobile phones have software that can function as WAPs connecting to 3G/HSDPA data networks. This technology enables multiple 802.11 wireless clients to connect to a mobile phone WAP and to share the mobile phone's data connection.
SSID
SSID (service set identifier) is a wireless network name that can be up to 32 characters in length. You assign SSIDs to WAPs when you run a WAP's configuration utility. Some WAPs enable you to configure multiple SSIDs, with each SSID assigned to a different wireless network. It is customary to configure access points to broadcast SSIDs so that wireless clients can detect which wireless networks are available in a particular location. As with creating names for servers and client workstations, in large organizations it is essential to have a coherent and meaningful naming scheme for SSIDs. It is far easier for staff to locate a malfunctioning WAP named "CONTOSO-RM435-WAVERLEY" than it is to locate "ORINS-NEW-WIRELESS-ROUTER." With 32 characters, you can be descriptive, so there is no need to be cryptic when deploying SSIDs in your organization.
Although it is possible to configure WAPs not to broadcast SSIDs, Microsoft does not recommend this as a form of security because even when SSIDs are not broadcast, it is possible to detect a hidden SSID by using an appropriate set of tools: clients configured for a hidden network send its name in the clear in their probe requests wherever they go, and the access point returns it in probe and association responses. You should secure wireless networks by configuring strong authentication methods, not by hiding the network ID and hoping that an attacker is not proficient enough to figure it out.
MORE INFO MORE ON NONBROADCAST WIRELESS NETWORKS
To learn more about why Microsoft recommends broadcasting SSIDs, consult the following article on TechNet: http://technet.microsoft.com/en-au/library/bb726942.aspx
Ad Hoc Mode vs. Infrastructure Mode
Wireless networks in most Windows Server 2008 network environments will function in what is known as infrastructure mode as opposed to what is termed ad hoc mode. An infrastructure mode network has a wireless access point that manages communication between wireless clients. Ad hoc networks are created between wireless clients themselves and do not pass through a WAP. Infrastructure mode WLANs are more prevalent in business environments and typically connect wireless clients to traditional wired networks. Because the 70-648 and 70-649 exams concentrate on the server rather than on client operating systems
NOTE WIRELESS NETWORKING ON WINDOWS SERVER 2008
By default, the WLAN service is not installed on Windows Server 2008. You can add it through the Features node of the Server Manager console.
WLAN Authentication
You can restrict access to a wireless network by configuring WAPs to authenticate clients before allowing connections. It is also possible to protect wireless network traffic through encryption. The strength of WLAN encryption depends on the wireless security standard used, although it is possible to use other network traffic encryption technologies in conjunction with WLAN encryption. Ensure that you encrypt wireless traffic, because anyone within range of the WAP is able to capture all network communication between the access point and the client. Windows clients support the following wireless security standards:
• Unsecured Unsecured wireless access points allow connections from any client with compatible hardware. When connecting to an unsecured wireless network, Windows Vista and Windows Server 2008 warn users that it is possible for third parties to access transmissions sent to the WAP from the client. SSL and IPsec-encrypted traffic transmitted across networks with no security remains encrypted because this encryption occurs at a higher layer of the Open Systems Interconnection (OSI) model; everything else, including DNS queries and any plaintext protocol, is readable by anyone in range.
• Wired Equivalent Privacy (WEP) WEP is an older wireless security standard that has vulnerabilities in its cryptographic design. WEP can be configured to use either 64-bit or 128-bit encryption (a 40-bit or 104-bit key combined with a 24-bit initialization vector). Tools are available that enable attackers to learn a WAP's WEP key by intercepting and analyzing existing wireless traffic, typically within minutes on a busy network. WEP is often used to deter people from casually connecting to an access point without authorization but will not deter a sophisticated attacker who is determined to get access. The WAP performs authentication when WEP is in use.
• Wi-Fi Protected Access with Preshared Key (WPA-PSK/WPA2-PSK, WPA-Personal/WPA2-Personal) This standard uses a preshared key, similar to WEP. Although the cryptography behind WPA-PSK is more sophisticated, making it more difficult to compromise than WEP, it is possible to recover a WPA-PSK preshared key by brute force, given enough time: the key is derived from the passphrase and the SSID, so an attacker who captures a client's four-way handshake can test candidate passphrases offline. With WPA-PSK, the access point performs authentication. WPA2-PSK (802.11i) uses stronger cryptography (AES-CCMP) and is more secure than WPA-PSK, but the preshared key is derived in the same way and can still be recovered, given enough time and a weak enough passphrase.
• Wi-Fi Protected Access with Extensible Authentication Protocol (WPA-EAP/WPA2-EAP, WPA-Enterprise/WPA2-Enterprise) When this standard is used, the WAP forwards authentication requests to a RADIUS server. On computers configured with the Windows Server 2008 operating system, the Network Policy Server (NPS) role provides RADIUS authentication functionality. You can learn more about RADIUS by reviewing Chapter 3, "Network Access Configuration." WPA2-Enterprise supports smart-card,
certificate-based, and password-based authentication. WPA2-Enterprise (802.11i) is more cryptographically secure than WPA-Enterprise; deploy WPA2-Enterprise if all clients in your network environment support this protocol.
When comparing these protocols from a security standpoint, Microsoft recommends deploying the WPA2-Enterprise or WPA-Enterprise authentication methods ahead of others that are available. These wireless standards are much more difficult to compromise than standards that use preshared keys, because each client authenticates individually and receives its own session key, so there is no single secret shared by every device. If a preshared key is compromised, it is necessary to update all clients and access points with new preshared keys to re-secure the network. If you are going to deploy WPA2-Enterprise or WPA-Enterprise in a Windows Server 2008 environment, the NPS server needs a computer certificate from a certification authority (CA) that every wireless client trusts, and clients need their own certificates if you choose a certificate-based EAP method. The usual way to meet both requirements is to deploy a Public Key Infrastructure (PKI) with Active Directory Certificate Services and enable auto-enrollment within Group Policy. Chapter 7, "Active Directory Certificate Services," covers these topics in detail.
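To show why the lesson steers you away from preshared keys, here is an added PowerShell example that is not part of the original training kit. It derives the WPA/WPA2-Personal pairwise master key (PMK) from a passphrase and SSID exactly as 802.11i specifies and then runs a small offline dictionary attack of the kind an attacker mounts against a captured four-way handshake. The "password"/"IEEE" test vector comes from the 802.11 standard; the SSID CONTOSO-RM435-WAVERLEY, the passphrase Contoso2008, and the word list are constructed for the example, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the training kit: WPA/WPA2-Personal key derivation and an
# offline dictionary attack. The "captured" PMK and the word list are constructed.

function Get-WpaPmk {
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # PBKDF2 is written out because .NET's Rfc2898DeriveBytes rejects salts shorter
    # than 8 bytes, and an SSID such as "IEEE" is only 4 bytes long.
    param([string]$Passphrase, [string]$Ssid)
    $enc  = [System.Text.Encoding]::ASCII
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$enc.GetBytes($Passphrase))
    $salt = $enc.GetBytes($Ssid)
    $pmk  = @()
    foreach ($i in 1, 2) {                                   # two 20-byte blocks, truncated to 32
        $u = $hmac.ComputeHash([byte[]]($salt + [byte[]](0, 0, 0, $i)))   # U1 = PRF(P, S || INT(i))
        $t = [byte[]]$u.Clone()
        for ($j = 2; $j -le 4096; $j++) {
            $u = $hmac.ComputeHash($u)                       # Uj = PRF(P, U(j-1))
            for ($k = 0; $k -lt 20; $k++) { $t[$k] = $t[$k] -bxor $u[$k] }   # Ti = U1 xor ... xor Uc
        }
        $pmk += $t
    }
    $hmac.Clear()
    return ($pmk[0..31] | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Find-WpaPassphrase {
    # Offline dictionary attack. A real attacker holds the four-way handshake rather than
    # the PMK and checks each guess by recomputing the handshake MIC, but the cost per
    # guess is the same PBKDF2 call, so comparing PMKs stands in for that check here.
    param([string]$Ssid, [string]$TargetPmkHex, [string[]]$WordList)
    foreach ($candidate in $WordList) {
        if ((Get-WpaPmk -Passphrase $candidate -Ssid $Ssid) -eq $TargetPmkHex) { return $candidate }
    }
    return $null
}

# Self-check against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE").
$vector = 'f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e'
if ((Get-WpaPmk -Passphrase 'password' -Ssid 'IEEE') -ne $vector) { throw 'PBKDF2 implementation mismatch' }

# Constructed scenario: a weak passphrase on an SSID that follows the lesson's naming scheme.
$ssid     = 'CONTOSO-RM435-WAVERLEY'
$captured = Get-WpaPmk -Passphrase 'Contoso2008' -Ssid $ssid      # what the handshake lets an attacker test against
$words    = 'password', 'contoso', 'Waverley1', 'Contoso2008', 'Rm435wifi'
$hit = Find-WpaPassphrase -Ssid $ssid -TargetPmkHex $captured -WordList $words
if ($hit) { "Recovered passphrase: $hit" } else { 'Passphrase not in word list' }
```

Each guess costs 8,192 HMAC-SHA1 operations, which makes this script slow in PowerShell but is trivial for an attacker with purpose-built tools; the point of WPA2-Enterprise is that there is no passphrase to guess, because every client's PMK comes out of its own EAP exchange with the RADIUS server.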
MORE INFO WIRELESS NETWORKING TECHCENTER
To find out more about wireless networking in Microsoft operating systems, consult the wireless networking TechCenter on TechNet at: http://technet.microsoft.com/en-us/network/bb530679.aspx
Quick Check
1. Which wireless authentication protocol is the most secure out of the following: WPA2-EAP, WPA-EAP, WPA2-PSK, WPA-PSK, and WEP?
2. Which wireless authentication protocols do not use a preshared key to authenticate the client to the WAP?
Quick Check Answers
1. WPA2-EAP is the most secure. It is more cryptographically secure than WPA-EAP, WPA2-PSK, WPA-PSK, and WEP: it uses AES-CCMP and derives a fresh per-session key from 802.1X/EAP authentication rather than from a passphrase shared by every device.
2. WPA2-Enterprise (WPA2-EAP) and WPA-Enterprise (WPA-EAP) do not use preshared keys to authenticate the client to the access point.
Wireless Group Policy
Wireless network (IEEE 802.11) policies enable clients within your organization to connect to wireless networks with a minimum amount of end-user intervention and enable you to configure properties for specific access point identifiers, called SSIDs, in your organization. A wireless network policy consists of a collection of profiles. A profile addresses how the client should treat specific SSIDs in your organization. A single profile can address multiple SSIDs.
For example, one profile might specify a given authentication method and the AES encryption algorithm for its SSIDs, and you might create another profile for SSID WAP4 that specifies the WPA2-Personal authentication method and the TKIP encryption algorithm.
When you select the WPA/WPA2-Enterprise authentication method, you must also specify a network authentication method, as shown in Figure 4-2. It is necessary to specify the network authentication method because authentication occurs against an NPS/RADIUS server rather than against the WAP. Four basic authentication modes are available: Computer Authentication, User Re-authentication, User Authentication, and Guest Authentication. When the computer-only authentication mode is selected, the computer account authenticates the WAP connection prior to logon, allowing users transparent access to the network, similar to using a wired network. When the User Authentication mode is selected, authentication occurs after the users log on to their computers. You should not select this option unless the Single Sign On option is enabled in Advanced Properties, because errors can occur during the authentication process if logon details are not cached.
FIGURE 4-2 Wireless authentication policy
When you select the User Re-authentication option, authentication is performed using computer credentials when a user is not logged on and user credentials when a user is logged on. You can configure this method so that a computer has limited access to the network until user credentials are provided. It is not necessary for a network authentication method to be specified when the WPA/WPA2-Personal method is selected, because no network authentication is required, due to the use of preshared keys. The advanced security settings, shown in Figure 4-3, enable you to enforce advanced cryptography settings, enable Single Sign On, enable Fast Roaming, and restrict the client to FIPS 140-2 certified cryptography. Enable Single Sign On if you have chosen to implement the User Authentication mode, because this will allow sign-on when a user's credentials have not been cached.
FIGURE 4-3 Advanced Security Settings
Wireless network policies are configured on a per-client-operating-system basis. You can configure a wireless network policy for Windows Vista or for Windows XP. It is important to note that computers running Windows XP are not influenced by the Windows Vista policy and vice versa. Although you can apply policies for both client operating systems in the same GPO, many network administrators find it simpler to separate client computers into different organizational units (OUs) and to apply separate policies if the settings for one operating system are significantly different from the settings for the other.
Wireless authentication policies also enable you to restrict wireless clients from connecting to either infrastructure or ad hoc mode networks. It is also possible to configure policies that allow users to view networks that they are denied access to, to use Group Policy profiles only for allowed networks, and to allow any user to create a wireless network profile. You configure some of these settings in the practice at the end of this lesson.
If it is necessary to troubleshoot wireless network policies, the commands available when netsh is in the wlan context are useful. It is also possible to use the netsh wlan commands to examine currently applied Group Policy settings. The netsh wlan commands enable you to configure wireless clients by using commands or scripts rather than through Group Policy. The command that provides the most information is netsh wlan show all, and you can use this command as a starting point to debug problems with wireless access policies.
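As an added example that is not from the training kit, the following PowerShell script turns the netsh wlan output described above into a quick audit of which profiles on a client still allow open, WEP, or preshared-key networks. It assumes the Wireless LAN Service is installed, that netsh prints its English label-and-colon layout, and PowerShell 2.0 or later; the profile names and findings are whatever the machine reports.

```powershell
# Added example, not from the training kit: audit the wireless profiles present on a
# Windows Vista or Windows Server 2008 computer (delivered by Group Policy or created
# locally) and flag anything weaker than WPA2-Enterprise with AES (CCMP).

function Get-NetshValue {
    # Value after the colon on the first line whose label matches, e.g. "Cipher : CCMP".
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) { if ($line -match $pattern) { return $Matches[1] } }
    return $null
}

function Test-WlanSecurity {
    # Map the Authentication/Cipher pair that netsh reports to a finding.
    param([string]$Authentication, [string]$Cipher)
    if ($Cipher -eq 'WEP')                        { return 'FAIL: WEP key is recoverable from captured traffic' }
    if ($Authentication -match '^(Open|Shared)$') { return 'FAIL: no encryption; anyone in range can read traffic' }
    if ($Authentication -match 'Personal')        { return 'WARN: preshared key; handshake can be attacked offline' }
    if ($Authentication -eq 'WPA-Enterprise')     { return 'WARN: move to WPA2-Enterprise if all clients support it' }
    if ($Authentication -eq 'WPA2-Enterprise') {
        if ($Cipher -eq 'CCMP') { return 'OK' } else { return 'WARN: use AES (CCMP) rather than TKIP' }
    }
    return "UNKNOWN: $Authentication / $Cipher"
}

function Get-WlanProfileAudit {
    # "netsh wlan show profiles" lists each profile as "    All User Profile     : WAP-ONE".
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match 'User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($name in $names) {
        if (-not $name) { continue }                          # PowerShell 2.0 iterates once over $null
        $detail  = netsh wlan show profiles name="$name"
        $auth    = Get-NetshValue -Lines $detail -Label 'Authentication'
        $cipher  = Get-NetshValue -Lines $detail -Label 'Cipher'
        $eap     = Get-NetshValue -Lines $detail -Label 'EAP type'
        $finding = Test-WlanSecurity -Authentication $auth -Cipher $cipher
        New-Object PSObject -Property @{
            Profile = $name; Authentication = $auth; Cipher = $cipher; EapType = $eap; Finding = $finding
        }
    }
}

Get-WlanProfileAudit | Format-Table Profile, Authentication, Cipher, EapType, Finding -AutoSize
```

Run it on a client after gpupdate to confirm that the profile from the Wireless_Computer_Policy GPO arrived with WPA2-Enterprise and CCMP; when a profile is missing altogether, netsh wlan show all is still the place to look, because it also lists the adapters, drivers, and the networks currently visible.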
MORE INFO MORE ON NETSH WLAN
To find more detailed information on using netsh wlan to configure wireless connectivity and security settings, consult the following TechNet document: http://technet2.microsoft.com/windowsserver2008/en/library/f435edbe-1d50-4774-bae2-0dda33eaeb2f1033.mspx?mfr=true
Configuring Network Policy and Access Services for Wireless Authentication
You can configure the Network Policy and Access Services role in Windows Server 2008 as a RADIUS server to authenticate WPA2-Enterprise and WPA-Enterprise connections to WAPs. Although NPS as a RADIUS server for remote access connections is covered in Chapter 3, this lesson focuses specifically on using NPS to support the WPA/WPA2-Enterprise protocols on WAPs.
You must add each access point as a RADIUS client. Configuring an access point as a RADIUS client involves setting up a shared secret password that you configure on both the access point and the RADIUS server. This shared secret can be generated automatically, as shown in Figure 4-4. The practice at the end of this lesson involves setting up a hypothetical access point as a RADIUS client.
FIGURE 4-4 Configuring an access point as a RADIUS client
After you add each WAP in your organization as a RADIUS client, you can select from the following authentication methods:
• Microsoft: Smart Card Or Other Certificate This method requires a user to provide a certificate by using a smart card. The user is prompted to insert the smart card when he or she attempts to connect to the wireless network.
• Microsoft: Protected EAP (PEAP) This method requires the installation of a computer certificate on the RADIUS/NPS server and the installation of a computer or user certificate on all wireless clients. Clients must trust the certification authority (CA) that issued the certificate on the RADIUS/NPS server, and the RADIUS/NPS server must trust the CA that issued the client certificates. You accomplish this most easily by deploying certificates issued by Active Directory Certificate Services (AD CS).
• Microsoft: Secured Password (EAP-MSCHAP v2) This method requires a computer certificate to be installed on the RADIUS/NPS server and the issuing CA to be trusted by all wireless clients. Clients authenticate by using domain logon and password, sent inside a TLS tunnel to the server. Configure clients to validate the server certificate; a client that skips validation will hand its MS-CHAP v2 exchange to any rogue access point that presents a RADIUS server of its own.
These authentication methods should be the same as those you specified in the profiles for each access point's SSID when configuring 802.11 wireless access Group Policy. Check the WAP documentation for details on how to configure the device to forward authentication information to a RADIUS server.
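The shared secret the wizard generates can also be created and registered from the command line, which saves clicking when you have many access points. The following is an added PowerShell example, not the training kit's own procedure: it draws a 32-character secret from the Windows CSPRNG and registers wap1.contoso.internal (the name used in this lesson's practice) with netsh nps. It assumes the Network Policy Server role service is installed, PowerShell 2.0 or later, and an access point that accepts a secret of that length.

```powershell
# Added example, not from the training kit: create a strong RADIUS shared secret and
# register an access point as an NPS RADIUS client without the Configure 802.1X Wizard.
# Check the WAP documentation first; some firmware caps the secret at 16 or 32 characters.

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # 64 symbols: 256 mod 64 = 0, so "byte mod 64" is exactly uniform with no rejection
    # sampling. No quotes or spaces, so the value survives netsh's argument quoting.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = foreach ($b in $bytes) { $alphabet[$b % 64] }
    return -join $chars
}

function Register-NpsRadiusClient {
    param([string]$Name, [string]$Address, [string]$SharedSecret)
    # netsh nps is the Windows Server 2008 command-line interface to NPS; this creates the
    # same object the wizard shows under RADIUS Clients And Servers\RADIUS Clients.
    netsh nps add client name="$Name" address="$Address" state="ENABLE" sharedsecret="$SharedSecret" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed for $Name" }
}

$secret = New-RadiusSharedSecret -Length 32
Register-NpsRadiusClient -Name 'WAP-ONE' -Address 'wap1.contoso.internal' -SharedSecret $secret
# Display the secret once so it can be typed into the access point; do not write it to a log.
"Shared secret for WAP-ONE (enter it on the device now): $secret"
netsh nps show client
```

Give every access point its own secret, as the wizard does when you add each WAP as a separate client, and keep the RADIUS exchange on a management VLAN the wireless clients cannot reach. The secret matters more than it looks: after a successful EAP exchange, NPS sends the session key to the WAP in the MS-MPPE-Recv-Key attribute, which RADIUS protects with nothing stronger than an MD5 construction keyed by this secret, so a guessable secret on the wired side undermines WPA2-Enterprise as surely as a weak passphrase undermines WPA2-Personal.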
MORE INFO WINDOWS SERVER 2008 AND 802.1X
To learn more about Windows Server 2008 and 802.1X wireless authentication, consult the following article on TechNet: http://technet2.microsoft.com/windowsserver2008/en/library/710a912a-0377-414a-91d1-47698e4629361033.mspx?mfr=true
EXAM TIP
Remember that if an authentication method relies on a preshared key, you will not need a RADIUS server, but if you are pairing an access point with a RADIUS server, you will need a shared secret.
In this practice, you perform tasks similar to those you would perform when configuring a Windows Server 2008 network environment to support wireless access by client computers running Windows Vista. The first exercise configures NPS for wireless access; the second exercise configures Group Policy to support wireless access.
EXERCISE 1 Configure NPS for Wireless Access
In this exercise, you configure server Glasgow to function as a Network Policy/RADIUS server.
1. Log on to server Glasgow with the Kim_Akers user account.
2. Open the Server Manager console, and right-click the Roles node. If you have already installed the Network Policy and Access Services role in a prior practice, proceed to step 8; otherwise, select Add Roles. This starts the Add Roles Wizard.
3. Click Next on the Before You Begin page.
4. Select the Network Policy And Access Services check box and click Next.
5. Click Next on the Introduction To Network Policy And Access Services page.
6. On the Role Services page, ensure that the Network Policy Server and Routing And Remote Access Services check boxes are selected, as shown in Figure 4-5, and then click Next.
7. On the Confirm Installation Selections page, click Install. When the installation process finishes, click Close.
FIGURE 4-5 Selecting roles
8. Open a command prompt and issue the command:
dnscmd /recordadd contoso.internal wap1 A 10.50.0.1
9. Close the command prompt.
10. Open the Network Policy Server console from the Administrative Tools menu.
11. Select the NPS (Local) node. Use the drop-down menu in the Standard Configuration section of the Getting Started pane to select RADIUS Server For 802.1X Wireless Or Wired Connections, as shown in Figure 4-6, and then click Configure 802.1X. This will open the Configure 802.1X Wizard.
FIGURE 4-6 Getting started on configuring wireless authentication
12. On the Select 802.1X Connections Type page, select Secure Wireless Connections, as shown in Figure 4-7, and then click Next.
FIGURE 4-7 Configuring NPS wireless authentication
14. In the New RADIUS Client dialog box, enter a friendly name for the access point, such as WAP-ONE. In the Address (IP or DNS) area, enter wap1.contoso.internal.
15. Select Generate, and then click the Generate button. This generates the shared secret that is entered on the WAP to bind it to the RADIUS server.
16. Click OK to close the dialog box. Click Next.
17. On the Configure An Authentication Method page, select Microsoft: Secured password (EAP-MSCHAP v2) from the drop-down list, and then click Next.
18. On the Specify User Groups page, click Next. On the Configure A Virtual LAN (VLAN) page, click Next.
19. Click Finish to close the Configure 802.1X Wizard.
20. Expand the RADIUS Clients And Servers node, and then select RADIUS Clients. Verify that WAP-ONE appears, as shown in Figure 4-8, and then close the Network Policy Server console.
FIGURE 4-8 Wireless access point configured as RADIUS client
EXERCISE 2 Configure Wireless Access Policies
In this exercise, you configure Wireless Access Group Policy and apply it to an OU in which you could then place the computer accounts of computers that have wireless cards.
1. Log on to server Glasgow, using the Kim_Akers user account.
2. From the Administrative Tools menu, open the Group Policy Management console. Expand the Forest: contoso.internal node and the domain node. Right-click the contoso.internal domain, and then select New Organizational Unit. Enter the organizational unit name as Wireless_Computers, and then click OK.
3. Right-click the new Wireless_Computers OU, and then select Create A GPO In This Domain And Link It Here. In the New GPO dialog box, enter the GPO name as Wireless_Computer_Policy, and then click OK.
4. Select the Wireless_Computers OU, right-click the Wireless_Computer_Policy GPO, and then select Edit. This opens the Group Policy Management Editor.
5. Right-click the Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies node, and then select Create A New Windows Vista Policy. This opens the New Windows Vista Network Policy Properties dialog box, shown in Figure 4-9.
FIGURE 4-9 Vista wireless policy
6. Click Add, and then select Infrastructure. This opens the New Profile Properties dialog box.
7. In the Profile Name area, enter WAP-ONE. In the Network Name(s) (SSID) text box, enter WAP-ONE, and then click Add.
8. Click the Security tab. Verify that the settings on the Security tab match those of Figure 4-10, and then click OK.
9. Click the Network Permissions tab. Ensure that the settings on the Network Permissions tab match those in Figure 4-11, and then click OK.
FIGURE 4-11 Wireless network permissions
10. Close the Group Policy Management Editor, and then close the Group Policy Management console.
• WEP is an older wireless security standard that uses a preshared key but is vulnerable to attack. WPA-Personal/WPA2-Personal uses preshared keys. WPA-Enterprise/WPA2-Enterprise forwards authentication requests to RADIUS servers. It supports smart card-, certificate-, and password-based authentication.
• Wireless Network (IEEE 802.11) Group Policy allows clients within your organization to connect to wireless networks with a minimum of end-user intervention. Wireless network policies enable you to configure properties for specific access point identifiers. A single profile can address multiple SSIDs and addresses the specific authentication methods and encryption technologies each access point supports.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, "Wireless Access." The questions are also available on the companion DVD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong are located in the "Answers" section at the end of the book.
1. Which of the following authentication protocols enables you to deny access to wireless networks based on an Active Directory user or computer account?
A. WPA2-Enterprise
B. WEP
C. WPA-PSK
D. WPA2-Personal
2. You are configuring Network Policy and Access Services on a computer running Windows Server 2008 so that it responds to authentication traffic forwarded from WAPs in your organization. Which of the following must you do as part of this process?
A. Configure WAPs as RADIUS servers
B. Configure wireless clients as RADIUS clients
C. Configure WAPs as RADIUS clients
D. Configure wireless clients as RADIUS proxies
3. Which of the following must you ensure when configuring a wireless access policy that uses EAP-MSCHAP v2 as an authentication method?
A. That the CA that issued the computer certificate to the NPS server is trusted by the
4. All the clients at your organization use the Windows Vista Enterprise edition operating system. The Wireless_Clients OU hosts the computer accounts of those computers that have wireless network adapters. A group of executives is planning to have a weekly morning informal strategy meeting in the basement, where there is currently no WAP. The executives want to use the Windows Meeting Space application, included with Windows Vista, to set up a temporary network so that they can share documents. They are currently unable to do this. Which of the following configuration changes should you make to the GPO applied to the Wireless_Clients OU to enable them to meet their goals?
A. Configure the policy to allow users to view denied networks
B. Configure the policy to allow connections to infrastructure networks
C. Configure the policy to allow everyone to create wireless profiles
D. Configure the policy to allow connections to ad hoc networks
5. When configuring wireless network Group Policy profiles for specific SSIDs, which of the following WAP authentication protocols require you also to specify a network authentication method?
A. WEP
B. WPA2-Personal
C. Open
D. WPA2-Enterprise
Lesson 2: Windows Firewall with Advanced Security
Windows Server 2008 ships with a firewall enabled by default. In this lesson, you learn about
Windows Firewall with Advanced Security and the features it includes that differentiate it
from earlier firewall software included with Microsoft Windows operating systems such as
Microsoft Windows Server 2003. You learn how to create inbound and outbound firewall
rules, configure rule scope, and configure connection security rules, a technology that is new
to Windows Vista and Windows Server 2008.
After this lesson, you will be able to:
• Configure incoming and outgoing traffic filtering
• Configure Active Directory account integration
• Identify common ports and protocols
• Understand the difference between Microsoft Windows Firewall and Windows
Firewall with Advanced Security
• Configure firewalls by using Group Policy
• Manage isolation policies
Estimated lesson time: 40 minutes
Windows Firewall and Windows Firewall with Advanced Security
Windows Server 2008 uses two firewalls that work in concert, Windows Firewall and Windows
Firewall with Advanced Security. The primary difference between these two firewalls is the
complexity of the rules you can apply. Windows Firewall, accessible through Control Panel
and shown in Figure 4-12, allows the application of only basic rules. When creating a rule,
you can specify an exception based on program or port, but you cannot create advanced
exceptions that work based on network location awareness, individual network interfaces, or
specific incoming or outgoing addresses. With its limited ability to allow for the refinement
of exceptions, Windows Firewall is a blunt instrument when compared to Windows Firewall
with Advanced Security. As a server administrator, you are more likely to be interested in the
expanded functionality of Windows Firewall with Advanced Security, and the rest of this
lesson concentrates on this more complicated technology.
FIGURE 4-12 The Exceptions tab of Windows Firewall
Network Location Awareness
Before covering Windows Firewall with Advanced Security, it is important to come to terms with the concept of network location awareness. Network location awareness, also known as network profiles, is a technology included in Windows Vista and Windows Server 2008 that enables network-aware applications and services to alter behavior, depending on how a computer is connected to the network. Whenever you connect a computer running Windows Server 2008 to a new network, you are queried as to whether the network is public, private, or domain based. Depending on how you classify the network, Windows Server 2008 will assign the following network location categories:
• Public  The public network category is set by default. When set or configured, all inbound traffic is dropped. Outgoing connections are allowed when the public profile is active. Any untrusted network, including the Internet, should be classified as a public network.
• Private  A user can select the private network category manually and use it for a network that is not directly accessible to public networks such as the Internet. Private networks are segmented from public networks by firewall or NAT devices. This does not include Windows Firewall or Windows Firewall with Advanced Security on the host itself. If a computer running Windows Server 2008 is configured as a standalone server on a protected network, assign the network connection the private network designation.
• Domain  Select the domain network category when a computer has authenticated to an Active Directory domain. This category is selected automatically after domain authentication through a network interface has occurred and a domain controller is available.
When multiple interfaces are connected to network locations that have different
categories, the least secure category will be assigned to the computer. Hence, if one network
interface is connected to the Internet and another connects to a protected network with a
domain controller, the Public category will be set, and the firewall will block incoming
network connections.
MORE INFO NETWORK LOCATION AWARENESS
For more information about network location awareness, consult the following TechNet
article.
Configuring WFAS Rules
Windows Firewall with Advanced Security (WFAS) enables you to configure firewall rules that
are applied based on which network location-awareness profile is active (Domain, Public, or
Private) and whether a connection is a secure network interface. You can also configure
firewall rules based on a protocol, port, source, and destination IP address as well as apply rules
based on specific user and computer accounts. The WFAS console can import and export
firewall configurations. This is very useful if you are responsible for managing a large number
of standalone computers running Windows Server 2008 and need to replicate the same WFAS
configuration quickly.
Configuring Inbound Rules
Inbound rules allow a specific type of traffic specified by the rule. When the firewall intercepts
an incoming packet, it evaluates the packet against the list of inbound rules. If the packet
matches any one of those inbound rules, it is processed according to that rule. If it matches
no inbound rules, the packet is dropped. Windows Server 2008 automatically enables
appropriate inbound rules when you install or enable a role or feature that requires
incoming connections. For example, if you enable the Web Server (IIS) role, WFAS is automatically
configured to allow inbound HTTP traffic on port 80 and inbound HTTPS traffic on port 443.
Windows Server 2008 ships with a set of preconfigured inbound rules, or you can use the
Inbound Rules Wizard to create your own.
The first page of the Inbound Rules Wizard, shown in Figure 4-13, enables you to select
which type of rule you create. Your options are Program, Port, Predefined, and Custom. The
list of predefined rules is extensive and covers almost every type of feature or role service
you can install on a computer running Windows Server 2008. Custom rules enable you to
define all aspects of a rule, and you can add both programs and ports as well as scope. If you
want to block connections on a specific port to a specific program from a particular range
FIGURE 4-13 Inbound Rules Wizard
If you decide to create a rule for a program, you must specify the path of the program on the server. If multiple versions of the program are installed on the server, you must create a separate program rule for each location. If you create a port rule, you must specify whether the rule applies to TCP or UDP connections and the specific ports the rule covers. You can specify multiple ports, separating each port by a comma. You create an inbound rule in one
of the exercises at the end of this lesson.
Port Numbers
As a holder of the MCSA certification, MCSE certification, or both, it is likely that you are already familiar with the TCP port numbers of the most common networking protocols. In case you have forgotten some, remember that FTP uses ports
20 and 21, SSH uses port 22, Telnet uses port 23, SMTP uses port 25, DNS uses port
53, HTTP uses port 80, Kerberos uses port 88, POP3 uses port 110, IMAP uses port
143, LDAP uses port 389, and HTTPS uses port 443. You can find a list of all
registered port numbers at http://www.iana.org/assignments/port-numbers.
The Action page of the New Inbound Rule Wizard enables you to configure how WFAS responds after a traffic match is found. As Figure 4-14 shows, the options are to allow the connection, to allow the connection if it is secure, and to block the connection. Allowing the connection is straightforward. If the traffic matches the rule, the traffic passes across WFAS. When you select the Allow The Connection If It Is Secure option, an extra page is added—on which you can specify users and computers using Active Directory—to the wizard. It is also
possible to require that the connection be encrypted using IPsec and to override any existing
block rules. By default, block rules have precedence over allow rules. Enabling the Override
Block Rules option is the only way to bypass an existing block rule.
FIGURE 4-14 Configuring a rule action
Although you can configure an inbound rule to block a specific sort of traffic, this is
generally not necessary because Windows Firewall with Advanced Security automatically blocks any
traffic that does not match an allow rule by default anyway. The main reason to implement
block rules is to allow a certain type of traffic from specific hosts but block it from all other
hosts. You can accomplish the same thing by configuring the scope of a rule. Configuring rule
scope is covered later in this lesson.
After you have specified a rule action, you must specify to which profiles the rule will
apply. You can apply the rule to one, two, or all available domain profiles. The last step in the
New Inbound Rule Wizard is to provide a rule name and description. The information that
you enter here should be meaningful because another administrator might need to inspect
your configuration in the future; that administrator should not have to examine each custom
rule’s properties to figure out exactly what the rule is supposed to do.
Quick Check Answers
1. Windows Firewall enables you to specify exceptions based on program or port, but you cannot specify exceptions based on network location awareness, individual network interfaces, specific incoming or outgoing addresses, or protocol.
2. The domain network location profile is set when a computer’s network interface
is connected to an Active Directory domain and a domain controller is accessible.
Configuring Outbound Rules
Outbound rules apply to traffic leaving the computer for a remote host. The default
configuration of WFAS allows all outbound traffic. Blocking all outbound traffic will stop many built-in Windows features and applications from communicating with other hosts on the network. This can have unintended side effects; for example, a computer cannot retrieve updates from a local WSUS server when all outbound communication is blocked unless a rule related
to this type of traffic is enabled. If you do decide to block all outbound traffic and then create exceptions for approved programs and services, you must carefully test your deployment prior to putting the server into a production environment because you might miss one or more vital services and applications you should allow.
Outbound Rules and Viruses
A common argument for applying outbound rules is that it can stop worms and viruses from replicating out from an infected computer. Unfortunately,
if a virus or worm has infected a computer, it most likely has enough privileges
in the operating system to configure its own firewall rules, hence bypassing any outbound filters. If firewalls are properly implemented on other computers in your environment, malicious worm traffic from an infected host will have minimal impact anyway. Where outbound rules can be useful is in specifically blocking unapproved programs that users might install on their computers, such as instant messaging clients or peer-to-peer programs. In a controlled desktop environment, ordinary users would not be able to install these programs in the first place.
To create an outbound rule, perform the following steps:
1. Open the Windows Firewall With Advanced Security console, and then select and
right-click the Outbound Rules node. Select New Rule.
The New Outbound Rule Wizard starts.
2. Select the Rule type from Program, Port, Predefined Or Custom, and then click Next.
3. If you select Program, browse to the program’s path. If you select Port, select the
protocol type (TCP/UDP) and type the appropriate port or port range.
4. On the Action page, choose between Allow The Connection, Allow The Connection If It
Is Secure, and Block The Connection.
5. On the Profile page, select the network profile or profiles to which the rule should
apply.
6. Finish the wizard by entering a name for the rule.
Rule Scope
When you configure an inbound or an outbound firewall rule, you are able to configure the
scope of the rule. The scope of the rule enables you to apply a rule based on the IP address of
the source or destination host. For example, in Figure 4-15, a firewall rule is given the scope
of 10.0.0.1–10.10.10.254. Scope can enable you to fine-tune a rule. For example, you might
use the scope option to configure a rule to block outbound SMTP traffic except to a specific
SMTP server’s IP address. When applying multiple rules to the same type of traffic, remember
that a block rule always overrides an allow rule. Hence, if you wanted to block access to all
Web servers except those on subnet 10.10.10.0/24, you would need to configure the scope
of the rule to apply to remote IP addresses 0.0.0.1-10.10.9.255 and 10.10.11.0-255.255.255.255
rather than configuring a block of all port 80 traffic and another rule allowing it for subnet
10.10.10.0/24.
FIGURE 4-15 Configure Rule Scope
Connection Security Rules
Connection security rules define how and under what conditions computers are able to communicate with each other. Connection security rules generally involve a list of computers, whether the connection will request or require authentication, and the methods of authentication the connection can use. Each category of connection security rule is appropriate to
a specific type of scenario. As with inbound and outbound rules, you can apply connection
security rules by using the WFAS console, netsh in the advfirewall firewall context, or Group
Policy. The next few pages cover the different types of connection security rules.
Isolation Policies
Through isolation policies, you can partition sets of computers on the network by using network authentication and encryption policies. Only computers that meet a specific set of criteria are able to communicate with computers subject to isolation policies. Although it is possible to configure isolation policies on a computer-by-computer basis, using either the
WFAS console or netsh in the advfirewall consec context, because isolation policies usually
apply to multiple computers it is best to configure and enforce them through the application
of Group Policy.
The simplest form of isolation policy is the server isolation policy, which requires all communication with a server to be authenticated and encrypted. As shown in Figure 4-16, authentication can occur, using Kerberos V5, for computer and user accounts if the server is a member of a domain, through a computer certificate or a system health certificate issued by
a trusted certificate authority (CA). By selecting Advanced Authentication, it is also possible to enable authentication by using the NTLMv2 protocol or a preshared key.
FIGURE 4-16 Isolation rule authentication options
MORE INFO SERVER ISOLATION
To learn more about server isolation on Windows Server 2008 networks, consult
the following TechNet link: http://technet2.microsoft.com/windowsserver2008/en/library/13e8dad2-c99f-415b-a38a-669418d765c61033.mspx?mfr=true
Domain isolation restricts contact to computers on the basis of domain membership.
When strictly applied, computers and users that are members of a specified domain or forest
are able to perform successful authentication under a domain isolation rule. Domain isolation
policies apply to all computers that are members of the domain rather than to a select set of
computers, as is the case with a server isolation policy. When domain isolation policies are in
effect, traffic can be protected using IPsec. You learned about configuring IPsec in
conjunction with connection security policies in Chapter 2, “Configuring IP Services.”
MORE INFO DOMAIN ISOLATION
To learn more about domain isolation on Windows Server 2008 networks, consult
the following TechNet link: http://technet2.microsoft.com/windowsserver2008/en/library/135110b6-23ab-45f2-8cd1-8b76b2e38b3d1033.mspx?mfr=true
Authentication Exemption
Authentication exemptions enable you to specify a group of computers, either through their
Active Directory computer account name or IP address, to which existing connection security
rules do not apply. Administrators primarily use authentication exemptions to ensure
communication with infrastructure servers the computer must communicate with prior to the
completion of the authentication process. Examples of such infrastructure servers include
Dynamic Host Configuration Protocol (DHCP) servers, DNS servers, and domain controllers
(DCs). To create an authentication exemption, perform the following steps:
1. Start the New Connection Security Rule Wizard.
2. Select the Authentication Exemption rule type and click Next.
3. On the Exempt Computers page, click Add.
4. In the IP Address dialog box, enter a single IP address or subnet address or an IP
address range or select from a predefined set of computers in the drop-down list. Click
OK, and then click Next.
5. Select the network profiles the authentication exemption applies to, and then click
Next.
6. Give the exemption a name, and then click Finish.
FIGURE 4-17 Server-to-server rule
After you have specified the connection authentication request requirements, you must specify how authentication occurs for connections that match this rule. The options are a computer certificate issued by a commonly trusted CA; a preshared key; or a combination
of authenticating computer accounts using Kerberos V5, NTLMv2, computer certificate, or preshared key. It is possible when choosing the computer certificate option to limit computer certificates to health certificates, such as those issued as part of the NAP process.
Tunnel
Tunnel rules are similar to server-to-server rules except that they allow you to specify lists of computers at different ends of a tunnel and addresses of local and remote gateways. These gateways are usually the beginning and endpoints of a virtual private network (VPN) or L2TP/IPsec connection across the Internet. When creating a tunnel rule, you specify which computers are located behind endpoint 1 and which computers are located behind endpoint
2. In a way, a tunnel rule works like a routing table that allows two groups of computers to communicate through a specifically defined set of gateway endpoints. Figure 4-18 shows groups of computers, specified as IP address ranges, at each end of a hypothetical tunnel. The
authentication request requirements and the authentication options are the same as those
available for the server-to-server rule type.
FIGURE 4-18 Configuring a tunnel rule
NOTE CUSTOM
The custom rule type enables you to mix and match components of the preceding rule
types. For example, you could create an authentication exemption rule that uses tunnel
endpoints.
WFAS Command Line
You can also manipulate Windows Firewall with Advanced Security from the command line.
This can be important if you are configuring a standalone computer running Windows Server
2008 that is configured using the Server Core installation option. You can use the netsh
firewall and netsh advfirewall commands to create rules and show current configurations as
well as to import and export those configurations. You can use the import and export
functionality to quickly configure multiple standalone computers running Windows Server 2008
Server Core. Although complete coverage of the netsh advfirewall commands is beyond the
scope of this book, some examples of commands that you can use to configure WFAS include:
• Netsh advfirewall show allprofiles  Displays the properties of all advanced firewall profiles
• Netsh advfirewall reset  Returns a firewall to the default configuration
• Netsh advfirewall consec  Switches to the connection security context, enabling the creation of connection security rules
• Netsh advfirewall firewall add rule  Can create an advanced firewall rule, using all the categories available for creating a rule by using the GUI
MORE INFO CONFIGURING WFAS
For more information on configuring WFAS by using the netsh command, consult the following article on the Microsoft Web site: http://support.microsoft.com/kb/947709
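The scope technique from the Rule Scope section and the netsh advfirewall commands listed above, pulled together into one cmd script of the kind you would run on a Server Core host. This is an added example, not code from the book or from Microsoft; the 10.10.10.0/24 intranet subnet, the infrastructure server addresses, the rule names, and the export path are constructed for the example.

```batch
@echo off
rem Added example (not from the book): apply the WFAS settings discussed in
rem this lesson with netsh advfirewall on a standalone Server Core computer.
rem Assumptions (constructed): intranet Web servers live on 10.10.10.0/24,
rem the DC/DNS/DHCP servers are 10.10.10.10 and 10.10.10.11, and the finished
rem policy is exported to C:\wfas\baseline.wfw.
setlocal

rem 1. Turn the firewall on for all three network location profiles and keep
rem    the defaults: block inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 2. Rule scope. Because a block rule always overrides an allow rule,
rem    "block port 80 everywhere" plus "allow port 80 to 10.10.10.0/24" would
rem    still block the subnet. Instead, one block rule is scoped to every
rem    remote address except 10.10.10.0/24 (the two ranges from the text).
netsh advfirewall firewall add rule name="Block HTTP except intranet" ^
    dir=out action=block protocol=TCP remoteport=80 ^
    remoteip=0.0.0.1-10.10.9.255,10.10.11.0-255.255.255.255

rem 3. Inbound allow rule for a Web server, limited to the Domain profile,
rem    equivalent to the Domain Web Traffic Rule built in Exercise 1.
netsh advfirewall firewall add rule name="Domain Web Traffic Rule" ^
    dir=in action=allow protocol=TCP localport=80,443 profile=domain

rem 4. Isolation connection security rule (consec context): require
rem    Kerberos V5 computer authentication for inbound and outbound traffic,
rem    the same settings chosen in Exercise 2.
netsh advfirewall consec add rule name="Domain Isolation Policy" ^
    endpoint1=any endpoint2=any action=requireinrequireout ^
    auth1=computerkerb profile=any

rem 5. Authentication exemption for the infrastructure servers the host must
rem    reach before it can authenticate at all (DHCP, DNS, DCs).
netsh advfirewall consec add rule name="Exempt infrastructure servers" ^
    endpoint1=any endpoint2=10.10.10.10,10.10.10.11 action=noauthentication

rem 6. Export the finished configuration so the other standalone Server Core
rem    computers can load it with: netsh advfirewall import "C:\wfas\baseline.wfw"
rem    (import replaces the whole current policy on the target computer).
if not exist C:\wfas mkdir C:\wfas
netsh advfirewall export "C:\wfas\baseline.wfw"

rem Review what was applied.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | findstr /C:"Rule Name"
netsh advfirewall consec show rule name=all | findstr /C:"Rule Name"
endlocal
```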
EXAM TIP
Keep clear in your mind the differences between Windows Firewall and WFAS.
In this practice, you create a Windows Firewall with Advanced Security policy that involves enabling the firewall for all profiles, configuring a rule for a specific type of traffic, and configuring a connection security rule.
EXERCISE 1 Create and Apply a WFAS Policy
In this exercise, you create a policy to enable WFAS for all network location profiles and configure the policy to enable IPsec encryption if any connection security rules are enforced. Finally, you create a rule that allows inbound HTTP and HTTPS traffic when the Domain profile
is active.
1. Log on to Glasgow, using the Kim_Akers user account.
2. Open the Group Policy Management console from the Administrative Tools menu.
3. Under the contoso.internal domain, create a new organizational unit called
Firewall_Clients.
4. Right-click the Firewall_Clients OU, and then select Create a GPO In This Domain And
Link it Here. Name the GPO WFAS_Policy and click OK. Verify that the Group Policy
Management console window on Glasgow resembles Figure 4-19.
FIGURE 4-19 Creating a GPO
5. Right-click WFAS_Policy in the Linked Group Policy Objects window, and then select
Edit.
The Group Policy Management Editor opens.
6. Navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\
Windows Firewall with Advanced Security\Windows Firewall With Advanced Security
node.
7. Click the Windows Firewall Properties link in the Overview pane to open the Windows
Firewall With Advanced Properties dialog box. On the Domain Profile tab, set Firewall
State to On, set Inbound Connections to Block (Default), and the Outbound
Connections to Allow (Default), as shown in Figure 4-20, and then click Apply.
FIGURE 4-20 Domain profile settings
8. Repeat step 7 on the Private Profile and Public Profile tabs.
9. Click Customize on the IPsec Settings tab. In the Customize IPsec Settings dialog box, shown in Figure 4-21, in the Data Protection (Quick Mode) section, select Advanced, and then click the Customize button. Select the Require Encryption For All Connection Security Rules That Use These Settings check box and click OK.
FIGURE 4-21 Customizing IPsec settings
10. Click OK twice to close all open dialog boxes.
11. In the Group Policy Management Editor, under the Windows Firewall With Advanced
Security node, select and then right-click Inbound Rules. Select New Rule.
The New Inbound Rule Wizard opens.
12. On the Rule Type page, select Port, and then click Next.
13. On the Protocols And Ports page, select Specific Local Ports. Type 80, 443 in the ports
text box, as shown in Figure 4-22, and then click Next.
FIGURE 4-22 Select protocols and ports
14. On the Action page, select Allow The Connection and click Next.
15. On the Profile page, ensure that only the Domain profile check box is selected, and
then click Next.
16. On the Name page, enter Domain Web Traffic Rule, and then click Finish.
17. Verify that the Domain Web Traffic rule is listed when the Inbound Rules pane has
focus, and then close Group Policy Management Editor.
EXERCISE 2 Create an Isolation Policy
In this exercise, you create a connection security policy, which forms the backbone of an
isolation policy. Isolation policies ensure that only computers that have performed a specified type
of authentication are able to communicate with each other.
2. Right-click the WFAS_Policy GPO located in the Linked Group Policy Objects pane of the Group Policy Management console, and then select Edit.
The Group Policy Management Editor opens.
3. Expand the Computer Configuration\Policies\Windows Settings\Security Settings
\Windows Firewall with Advanced Security\Windows Firewall With Advanced Security
node.
4. Select and then right-click Connection Security Rules, and then select New Rule. This launches the New Connection Security Rule Wizard, as shown in Figure 4-23.
5. Ensure that the Isolation item is selected, and then click Next.
FIGURE 4-23 Select rule type
6. On the Requirements page, select Require Authentication For Inbound And Outbound Connections and click Next.
7. On the Authentication Method page, select Computer (Kerberos V5), as shown in Figure 4-24, and then click Next.
FIGURE 4-24 Configure authentication method
8. Verify that the rule applies to all profiles, and then click Next.
9. On the Name page, enter Domain Isolation Policy, and then click Finish.
10. Verify that the Connection Security Rule Domain Isolation Policy is present and
enabled in the Group Policy Management Editor. Close the Group Policy Management
Editor and the Group Policy Management Console.
Lesson Summary
• If the packet matches any inbound rules, it is processed according to that rule. If it
matches no inbound rules, the packet is dropped.
• Windows Server 2008 will automatically enable appropriate inbound rules when you
install or enable a role or feature that requires incoming connections.
• Enabling the Override Block Rules option is the only way to bypass an existing block
rule.
• The default configuration of WFAS allows all outbound traffic.
• The scope of the rule enables you to apply a rule based on the IP address of the source
or destination host.
• Connection security rules define how and under what conditions computers are able to
communicate with each other.
• Authentication exemptions enable you to specify a group of computers to which existing connection security rules do not apply.
• Server-to-server rules enable you to configure authentication for two different groups
of computers.
• Tunnel rules are similar to server-to-server rules except that they enable you to specify lists of computers at different ends of a tunnel and addresses of local and remote gateways.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2,
“Windows Firewall with Advanced Security.” The questions are also available on the companion DVD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1. Which of the following should you configure if you want to ensure that all the
Windows Server 2008 file servers in your organization will respond only to network traffic initiated by hosts that are members of the domain?
A. Inbound firewall rule
B. Outbound firewall rule
C. Isolation rule
D. Authentication exemption
2. You want to ensure that only computers that have authenticated to the domain are able to communicate with your organization’s file servers. Which of the following would you configure in a GPO linked to the OU that hosts the file server’s computer accounts?
A. Isolation connection security rule
B. Server-to-server connection security rule
C. Authentication exemption connection security rule
D. Tunnel connection security rule
Trang 363. An organization has two branch offices Each branch office has an Internet connection
An L2TP/IPsec VPN connects these two branch offices Which type of connection
secu-rity rule would you create so that all computers in the first branch office can connect
to all computers in the second branch office by using a computer certificate issued by
a common CA as an authentication mechanism?
a. Authentication exemption
b Isolation rule
C. Server-to-server rule
D. Tunnel rule
4. You are preparing the deployment of 30 computers running Windows Web Server 2008. Each of these computers will be configured as a standalone computer and will not be a member of a domain. Each computer will be connected to the Internet and will need an identical WFAS configuration. Which of the following options should you employ to provide each computer with the same set of WFAS rules? (Choose two. Each correct answer presents part of a complete solution.)
A. Place all the Windows Web Server 2008 computer accounts in the same OU.
B. Configure all WFAS rules on one computer running Windows Web Server 2008. Export the firewall policy by using the WFAS console.
C. Import the firewall policy into a Group Policy object and apply it to the OU.
D. Configure all WFAS rules on one computer running Windows Web Server 2008. Use the netsh firewall dump command to export the firewall configuration.
E. Import the firewall policy by using the WFAS console on each of the other 29 computers running Windows Web Server 2008.
5. You must configure firewall rules on a computer running Windows Server 2008 to allow DNS, HTTPS, and SMTP traffic. Which of the following ports correspond to these protocols? (Choose three. Each correct answer presents part of a complete solution.)
Lesson 3: Network Access Protection
Network Access Protection (NAP) is a new Windows Server 2008 technology you can use to limit network access based on whether a client computer has up-to-date antivirus definitions as well as the most recent updates installed. As an experienced administrator, you are aware that most viruses and worms rely on operating system and application vulnerabilities for which vendors have already released patches. NAP enables you to block computers that are not up to date from joining your network, either by denying VPN access, by allowing DHCP leases to healthy computers only, or by using technologies such as VLANs or IPsec. In this lesson, you learn about NAP and the steps you must take to deploy and manage this technology in your own environment.
After this lesson, you will be able to:
■ Describe how NAP works
■ Install and configure NAP infrastructure
■ Configure NAP enforcement methods
Estimated lesson time: 40 minutes
Introduction to Network Access Protection
NAP enables you to restrict access to the organizational network based on whether a client computer meets a set of predefined health standards. You can use several NAP methods to restrict access to the LAN. Each method has benefits and drawbacks. The simplest method, DHCP enforcement, requires no special infrastructure other than Windows Server 2008 DHCP servers. The 802.1X method requires network hardware that supports 802.1X authentication. The IPsec method requires no special hardware but does require complex Certificate Services and Group Policy configuration. NAP can also restrict VPN access and access to Terminal Services (TS) Gateway servers. This lesson begins by covering the core components of NAP and then moves on to cover each available enforcement method.
Configuring Health Policies
One of the first steps you must perform when rolling out NAP in your environment is determining your criteria for a healthy host. You do this by configuring health policies that use System Health Agents (SHAs) and System Health Validators (SHVs). SHAs are installed on a client computer and generate statements of health, which are forwarded to the NAP health policy server. Windows Vista, Windows Server 2008, and Windows XP with Service Pack 3 include a default SHA that monitors Windows Security Center settings. This allows the forwarding of data to health policy servers. This data indicates whether the latest updates are installed and whether antivirus and antispyware software are installed and up to date. Third-party vendors can also create their own SHAs that allow the assessment of other elements of client health.
SHVs are a configurable set of standards against which the NPS server assesses the statement of health forwarded by the client. Figure 4-25 shows the default Windows Security Health Validator for Windows Vista. An administrator can set options that determine how strictly health standards are enforced. For example, some administrators can simply choose to require an antivirus application to be active on the client computer; other administrators might allow clients to connect only when the antivirus application is enabled and up to date.
FIGURE 4-25 Security Health Validator
Although Windows Vista, Windows Server 2008, and Windows XP with Service Pack 3 support NAP, the NAP client must be enabled, and the NAP Agent service must be configured to start automatically. The most common way of configuring client computers for NAP is through GPO settings in the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration node. From there, you can configure the NAP interface, Health Registration settings, and which NAP enforcement method is enabled. Figure 4-26 shows the DHCP Quarantine Enforcement Client enabled.
FIGURE 4-26 DHCP Quarantine Enforcement Client enabled
Health Registration Authority
Install the Health Registration Authority (HRA) role service when the IPsec enforcement method is to be deployed. The HRA manages the issuance of system health certificates, digital certificates that are used for connection authentication when you deploy the IPsec enforcement method. Deploy your PKI prior to installing the HRA. If your organization’s PKI is based on Windows Server 2003 rather than on Windows Server 2008, you must create some custom certificate templates to support NAP with IPsec. Alternatively, you can upgrade your certificate servers to Windows Server 2008.
MORE INFO  HOST CREDENTIAL AUTHORIZATION PROTOCOL
Host Credential Authorization Protocol (HCAP) enables NAP to be integrated with Cisco’s Network Admission Control. You can find out more about this technology by consulting the following document: http://www.microsoft.com/presspass/events/ssc/docs/Cisco MSNACWP.pdf.
Remediation Server Groups
A remediation server group, shown in Figure 4-27, is a collection of servers, usually defined by IP address, that noncompliant computers can access. These servers should provide noncompliant client computers with all the resources they need to become compliant. This usually includes servers from which the latest software updates can be downloaded, such as a Windows Software Update Services (WSUS) server, as well as servers hosting the latest antivirus and antispyware software and definitions. You can create multiple remediation server groups—for example, remediation server groups for each site your company has—and then configure different NAP policies to direct noncompliant clients to these groups if the need arises.
FIGURE 4-27 Remediation server groups
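The health-policy flow described under Configuring Health Policies (an SHA reports a statement of health, an SHV with configurable strictness evaluates it) and the site-based remediation server groups just described, modelled together as an added example. This is illustrative Python written for this lesson, not Microsoft’s NAP client, NPS policy engine, or the binary SoH format; the field names, the site-to-group mapping, and the IP addresses are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class StatementOfHealth:
    """What a System Health Agent (SHA) reports about one client.

    Field names are this example's own (constructed); the real Windows Security
    Health Agent reports Windows Security Center state in a binary SoH.
    """
    client: str
    site: str
    firewall_enabled: bool
    antivirus_enabled: bool
    antivirus_up_to_date: bool
    antispyware_enabled: bool
    antispyware_up_to_date: bool
    automatic_updates_enabled: bool


@dataclass
class SecurityHealthValidator:
    """Configurable standard, modelled on the Windows Security Health Validator options.

    Each flag says whether the NPS server requires that condition; the defaults
    model the lenient case where an active antivirus is enough.
    """
    require_firewall: bool = True
    require_antivirus: bool = True
    require_antivirus_up_to_date: bool = False
    require_antispyware: bool = False
    require_antispyware_up_to_date: bool = False
    require_automatic_updates: bool = True

    def evaluate(self, soh: StatementOfHealth) -> list:
        """Return the list of failed checks; an empty list means the client is compliant."""
        checks = [
            (self.require_firewall, soh.firewall_enabled, "firewall is not enabled"),
            (self.require_antivirus, soh.antivirus_enabled, "antivirus is not enabled"),
            (self.require_antivirus_up_to_date, soh.antivirus_up_to_date,
             "antivirus definitions are out of date"),
            (self.require_antispyware, soh.antispyware_enabled, "antispyware is not enabled"),
            (self.require_antispyware_up_to_date, soh.antispyware_up_to_date,
             "antispyware definitions are out of date"),
            (self.require_automatic_updates, soh.automatic_updates_enabled,
             "automatic updates are not enabled"),
        ]
        return [reason for required, satisfied, reason in checks if required and not satisfied]


# Constructed remediation server groups, one per site (addresses are made up).
REMEDIATION_GROUPS = {
    "HeadOffice": ["10.0.1.10", "10.0.1.11"],   # WSUS server, antivirus definition server
    "Branch": ["10.0.2.10"],                    # single WSUS/definition mirror at the branch
}


def decide_access(soh, shv, groups=REMEDIATION_GROUPS):
    """Apply an SHV to a client's SoH and return the NAP decision as a dict.

    Compliant clients get full access and no remediation list; noncompliant
    clients are restricted and told which remediation servers they may reach.
    A site with no group of its own falls back to the head office group.
    """
    failures = shv.evaluate(soh)
    if not failures:
        return {"client": soh.client, "compliant": True, "failures": [],
                "remediation_servers": []}
    return {
        "client": soh.client,
        "compliant": False,
        "failures": failures,
        "remediation_servers": groups.get(soh.site, groups["HeadOffice"]),
    }


# Constructed SoH: the antivirus is running but its definitions are stale.
SALES_LAPTOP = StatementOfHealth(
    client="sales-laptop-07", site="Branch",
    firewall_enabled=True, antivirus_enabled=True, antivirus_up_to_date=False,
    antispyware_enabled=True, antispyware_up_to_date=True, automatic_updates_enabled=True,
)

LENIENT_SHV = SecurityHealthValidator()                                   # active antivirus is enough
STRICT_SHV = SecurityHealthValidator(require_antivirus_up_to_date=True)   # must also be up to date


if __name__ == "__main__":
    for name, shv in (("lenient", LENIENT_SHV), ("strict", STRICT_SHV)):
        print(name, decide_access(SALES_LAPTOP, shv))
```

The same laptop passes the lenient validator and fails the strict one, which is exactly the trade-off the lesson describes: the SHV is where you decide how strict “healthy” is, and the remediation server group is what a client that fails is allowed to reach so it can fix itself.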
Quick Check
1. NAP uses SHAs and SHVs. Which of these do you configure on an NPS server?
2. What type of group should you configure on the NPS server to direct noncompliant computers so that they can become compliant?
Quick Check Answers
1. You configure an SHV (System Health Validator) on the NPS server.
2. Remediation server groups are listings of server addresses through which noncompliant computers can obtain the necessary files and updates to become compliant.
NAP Enforcement
Although Windows Vista and Windows XP SP3 clients already have basic SHA and NAP clients installed, you still have to configure the NAP client before the NAP process will work. You configure the NAP enforcement client through Group Policy. It is possible to enable an enforcement client on a computer that is not managed by Group Policy by using the netsh nap client set enforcement command and specifying the enforcement client ID, but configuring NAP through Group Policy is easier. The appropriate node in Group Policy is Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection. Under this node, you can configure an enforcement client, as shown in Figure 4-28. It is also possible to configure a user interface for NAP so you can create both a text and an image that are