1 / 32

Module 3

Module 3. Windows Server 2008 Branch Office Scenario. Clinic Outline. Branch Office Server Deployment and Administration Branch Office Security. Branch. RODC. Corp. Branch Office Server Deployment and Administration. Domain Name System (DNS) Server Role. Background zone loading

vasanti
Télécharger la présentation

Module 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 3 Windows Server 2008 Branch Office Scenario

  2. Clinic Outline • Branch Office Server Deployment and Administration • Branch Office Security Branch RODC Corp

  3. Branch Office Server Deployment and Administration

  4. Domain Name System (DNS) Server Role • Background zone loading • Read-only domain controller support • Global Names zone • DNS client changes • Link-Local multicast name resolution (LLMNR) • Domain controller location

  5. AD Domain Services • New AD MMC Snap-In Features • Find Command • New Options for Unattended Installs

  6. Restartable AD Domain Services (AD DS) • 3 Possible States: • AD DS Started • AD DS Stopped • Active Directory Restore Mode

  7. Demonstration: Branch Office Server Deployment and Administration • AD DS Installation Wizard • Stopping and restarting AD DS

  8. AD Domain Services Auditing • What changes have been made to AD DS auditing? Auditpol /set /subcategory:”目錄服務變更”/Success:enable

  9. AD Domain Services Backup and Recovery • What’s New? • Considerations • General Requirements

  10. Improved Server Deployment (Windows Server Virtualization) • 64-bit Next Generation technology • Addresses the following challenges: • Server Consolidation • Development and Testing • Business Continuity/Disaster Recovery • Server Core as a host system

  11. File Services • Server Message Block (SMB) 2.0 • DFS • Names Spaces • Replication • SYSVOL

  12. Next Generation TCP/IP Stack • Receive Windows Auto-Tuning • Compound TCP • Throughput Optimization in High-Loss Environments • Neighbor Unreachability Detection • Changes in Dead Gateway Detection • Changes in PTMU Black Hole Router Detection • Routing Compartments • ESTATS Support • Network Diagnostics Framework Support • New Packet Filtering Model with Windows Filtering Platform

  13. Read-Only Domain Controller (RODC) • New Functionality • AD Database • Unidirectional Replication • Credential Caching • Password Replication Policy • Administrator Role Separation • Read-Only DNS RODC • Requirements/Special Considerations

  14. Active Directory 安裝精靈 Read-only DC, RODC 入侵者看到的資訊 管理員的處置方式

  15. Implementation/Usage Scenarios • Maintain physical security of servers at the branch office • Maintain physical security of data at the branch office • Provide secure IP-based communications with the branch office • Control which computers can communicate on the branch office network

  16. Recommendations • Deploy a Read-Only Domain Controller at the branch office • Implement a Password Replication Policy • Implement administrator role separation • Implement BitLocker Drive Encryption; do not require a PIN or USB device if no local admin • Implement Network Access Protection • Use IPSec for network communications

  17. Module 4 Security and Policy Enforcement in Windows Server 2008

  18. Overview • Methods of Security and Policy Enforcement • Network Location Awareness • Network Access Protection • Windows Firewall with Advanced Security (WFAS) • Internet Protocol Security (IPSec) • Windows Server Hardening • Server and Domain Isolation • Active Directory Domain Services Auditing • Read-Only Domain Controller (RODC) • BitLocker Drive Encryption • Removable Device Installation Control • Enterprise PKI

  19. Technical Background • Windows Firewall with Advanced Security • Internet Security Protocol (IPSec) • Active Directory Domain Services Auditing • Read-Only Domain Controller (RODC) • BitLocker Drive Encryption • Enterprise PKI

  20. Windows Firewall with Advanced Security

  21. Demonstration: Windows Firewall with Advanced Security • Creating Inbound and Outbound Rules • Creating a Firewall Rule Limiting a Service

  22. IPSec • Integrated with WFAS • IPSec Improvements • Simplified IPSec Policy Configuration • Client-to-DC IPSec Protection • Improved Load Balancing and Clustering Server Support • Improved IPSec Authentication • Integration with NAP • Multiple Authentication Methods • New Cryptographic Support • Integrated IPv4 and IPv6 Support • Extended Events and Performance Monitor Counters • Network Diagnostics Framework Support

  23. BitLocker Drive Encryption (BDE) • Data Protection • Drive Encryption • Integrity Checking • BDE Hardware and Software Requirements

  24. Implementation/Usage Scenarios • Enforce Security Policy • Improve Domain Security • Improve System Security • Improve Network Communications Security

  25. Recommendations • Carefully test and plan all security policies • Implement Network Access Protection • Use Windows Firewall and Advanced Security to implement IPSec • Deploy Read-Only Domain Controllers, where appropriate • Implement BitLocker Drive Encryption • Take advantage of PKI improvements

  26. Network Access Protection in Windows Server 2008

  27. Overview • Network Access Protection

  28. NAP Infrastructure • Automatic Remediation • Health Policy Validation • Health Policy Compliance • Limited Access

  29. NAP Enforcement Client • IPSec • 802.1X • VPN • DHCP • NPS RADIUS

  30. Demonstration: Network Access Protection Create a NAP Policy Using the MMC to Create NAP Configuration settings Create a new RADIUS Client Create a new System Health Validator for Windows Vista and Windows XP SP2

  31. Implementation/Usage Scenarios • Checking the Health and Status of Roaming Laptops • Ensuring the Health of Corporate Desktops • Determining the Health of Visiting Laptops • Verify the Compliance of Home Computers

  32. Recommendations • When using IPSec – employ ESP with encryption • Carefully test and verify all IPSec Policies • Consider Using Domain Isolation • Use Quality of Service to improve bandwidth • Plan to Prioritize traffic on the network • Apply Network Access Protection to secure client computers

More Related