Microsoft Server 2008 R2 - Northeast Wisconsin Technical

Microsoft Server 2008 R2
Group Policies & Network Policy and Access Services
Agenda
• Group Policies
• Network Policy and Access Services
Group Policies
• Using Group Policies to harden Windows 7
• The following will outline several methods to secure a network environment
using Group Policies
• Microsoft doc defining settings to harden Windows 7
• http://www.microsoft.com/en-us/download/details.aspx?id=24373
Group Policies
• Computer Configuration(CC)Privacy settings
• Interactive logon: Do not display last user name
• CCSecurity Settings
• Shutdown: Allow system to be shut down without having to log on
• Network security: Do not store LAN Manager hash value on next password change
• This security setting determines whether, at the next password change, the LAN Manager (LM) hash
value for the new password is stored. The LM hash is relatively weak and prone to attack
compared with the cryptographically stronger Windows NT hash. Because the LM hash is stored
on the local computer in the security database, the passwords can be compromised if the
security database is attacked.
Group Policies
• Network access: Do not allow storage of credentials or .NET Passports for network
authentication
• This security setting determines whether Credential Manager saves passwords and
credentials for later use when it gains domain authentication. If you enable this setting,
Credential Manager does not store passwords and credentials on the computer.
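Each of the four Security Options above is applied by writing one registry value, so a quick way to verify that a GPO actually reached a workstation is to read those values back. The script below is an added example, not part of the NWTC slides; the registry paths and value names are the standard locations Windows uses for these policies, and the Expected values assume the hardened choice the slides recommend. Save it as a .ps1 and run it from an elevated PowerShell prompt (it is read-only and changes nothing).

```powershell
# Added example (not from the slide deck): read-only audit of the four Security
# Options named on the slides. Each policy writes one registry value; the script
# reports which values differ from the hardened setting.
# Assumed: the Expected values are the hardened choice the slides recommend.

$Checks = @(
    @{ Setting  = 'Interactive logon: Do not display last user name (Enabled)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'DontDisplayLastUserName'
       Expected = 1 },
    @{ Setting  = 'Shutdown: Allow system to be shut down without having to log on (Disabled)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'ShutdownWithoutLogon'
       Expected = 0 },
    @{ Setting  = 'Network security: Do not store LAN Manager hash value on next password change (Enabled)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'NoLMHash'
       Expected = 1 },
    @{ Setting  = 'Network access: Do not allow storage of credentials or .NET Passports (Enabled)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'DisableDomainCreds'
       Expected = 1 }
)

function Test-SecurityOption {
    param([hashtable]$Check)
    # A missing key or value name means the policy was never applied: report "not set".
    $actual = $null
    try {
        $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop
        $actual = $item.($Check.Value)
    } catch { $actual = $null }
    $shown = 'not set'
    if ($null -ne $actual) { $shown = $actual }
    New-Object PSObject -Property @{
        Setting   = $Check.Setting
        Actual    = $shown
        Expected  = $Check.Expected
        Compliant = ($null -ne $actual -and [int]$actual -eq $Check.Expected)
    }
}

$Results = $Checks | ForEach-Object { Test-SecurityOption -Check $_ }
$Results | Format-Table Setting, Actual, Expected, Compliant -AutoSize

# Non-zero exit code when anything is out of policy, so a scheduled task can flag the machine.
if (@($Results | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 }
```

One caveat worth remembering when reading the NoLMHash result: as the slide says, the setting only stops the LM hash from being stored at the next password change, so a machine can report Compliant while accounts whose passwords have not changed since the policy arrived still have an LM hash in the security database.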
• Removable Disks: Deny write access
• Internet Explorer
• Disable context menu
• Ensures that users cannot access other features that have been disabled
• Disable customizing buttons
• Disable Internet Options tabs
Group Policies
• Control Panel Access
• Prevent access
• Windows Explorer
• Do not move deleted files to the Recycle Bin
• Hide these specified drives in My Computer
• Start menu and taskbar
• Hide the notification area
• Lock the Taskbar
• System
• Prevent access to registry editing tools
• Prevent access to the command prompt
Group Policies
• Controlling applications
• Application Control Policies
• Software Restriction Policies
Group Policies
• AppLocker requirements
• Works on Windows 7 and newer
• Only available on 7 Enterprise and Ultimate, not Pro
• Application Identity service must be running
• Add default rules to prevent stepping on "required" services
Group Policies
• Applocker
• Add default rules
• Create new rule
Group Policies
• Software Restriction Policies
• Similar to AppLocker; works on XP and later
GPO Questions
Network Policy and Access Services
• Routing and Remote Access Service (RRAS), pronounced "R-Razz"
• Formerly Remote Access Service in NT 4.0
• Bundled to compete with Novell's NetWare Connect
• Now included as a role in Network Policy and Access Services
Network Policy and Access Services
• First we must know some routing information
• TCP adds more to IP to allow the concept of a connection
• Handshaking: 3-way handshake. SYN, SYN/ACK, ACK
• Sequencing: ensures that no two bytes are repeated or sent out of sequence
• Flow control: keeps traffic flowing without having to wait and take up too much memory.
• Error indication: an application that closes unexpectedly can be signaled to its communicating partner with a reset
• Ports: each IP address has 131,070 ports (65,535 TCP plus 65,535 UDP). Similar to extensions for a phone number
• Socket
• Port (both local and foreign)
• IP Address (both local and foreign)
• Protocol (TCP/UDP)
Network Policy and Access Services
• Routing un-routable addresses?
• NAPT—Network address/port translator.
• One external IP address for several internal private IP addresses. This router would look
beyond the IP layer into the TCP/UDP layer and use the IP address and port to map
connections.
• This is also referred to as Port Address Translation (PAT)
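The socket definition on the previous slide and the NAPT description above fit together: the translator keys its table on the whole socket (protocol plus local and foreign address and port), not on the IP address alone. The script below is an added example, not from the NWTC slides, that models that table for one public address. Every address and port in it is a constructed sample value (documentation ranges), and the starting public port 40000 is an assumption.

```powershell
# Added example (not from the slide deck): a toy NAPT/PAT translation table.
# Two private hosts may pick the same source port, so the router must look past
# the IP header into the TCP/UDP header to tell their replies apart.
# Assumed/constructed: the public address, the port pool start, and all sample packets.

$PublicIP              = '203.0.113.1'   # assumed: the router's single public address
$script:NextPublicPort = 40000           # assumed: first port the router hands out
$OutboundMap = @{}   # "proto|privIP:privPort|dstIP:dstPort" -> public port
$InboundMap  = @{}   # "proto|publicPort|dstIP:dstPort"      -> "privIP:privPort"

function Convert-OutboundPacket {
    # Rewrite a packet leaving the private network; allocate a mapping on first use.
    param([string]$Proto, [string]$SrcIP, [int]$SrcPort, [string]$DstIP, [int]$DstPort)
    $key = "$Proto|${SrcIP}:$SrcPort|${DstIP}:$DstPort"
    if (-not $OutboundMap.ContainsKey($key)) {
        $public = $script:NextPublicPort
        $OutboundMap[$key] = $public
        $InboundMap["$Proto|$public|${DstIP}:$DstPort"] = "${SrcIP}:$SrcPort"
        $script:NextPublicPort++
    }
    return "$Proto ${PublicIP}:$($OutboundMap[$key]) -> ${DstIP}:$DstPort"
}

function Convert-InboundPacket {
    # Rewrite a reply arriving at the public address; discard it if no session mapped it.
    param([string]$Proto, [string]$SrcIP, [int]$SrcPort, [int]$DstPort)
    $key = "$Proto|$DstPort|${SrcIP}:$SrcPort"
    if (-not $InboundMap.ContainsKey($key)) {
        return "$Proto ${SrcIP}:$SrcPort -> ${PublicIP}:$DstPort DROPPED (no mapping: unsolicited inbound)"
    }
    return "$Proto ${SrcIP}:$SrcPort -> $($InboundMap[$key])"
}

# Constructed sample traffic: two private hosts both use source port 1025 to reach one web server.
Convert-OutboundPacket 'TCP' '192.168.1.10' 1025 '198.51.100.20' 80
Convert-OutboundPacket 'TCP' '192.168.1.11' 1025 '198.51.100.20' 80
# A reply is matched on the public port it was sent from and handed to the right private host.
Convert-InboundPacket  'TCP' '198.51.100.20' 80  40001
# A packet nobody on the inside asked for has no table entry and is discarded.
Convert-InboundPacket  'TCP' '198.51.100.99' 443 40002
```

Running it shows the two outbound flows leaving as 203.0.113.1:40000 and 203.0.113.1:40001, the reply to port 40001 being delivered to 192.168.1.11:1025, and the unsolicited packet being dropped. That last line is why a NAT gateway hides private hosts from inbound scans, and also why it is not a substitute for a firewall: anything a private host initiates is mapped and allowed back in.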
Network Policy and Access Services
• Viewing and troubleshooting our routing tables
• route print
Network Policy and Access Services
• Viewing and troubleshooting our routing tables
Commands to add and delete routes using route and netsh:
route add 192.168.0.0 mask 255.255.0.0 10.0.0.1 metric 100
route add 192.168.0.0/16 10.0.0.1 metric 100 (same as above)
netsh interface ipv4 add route 192.168.0.0/16 "Local Area Connection" 10.0.0.1
route delete 192.168.0.0
netsh interface ipv4 delete route 129.0.0.0/8 "Local Area Connection"
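When troubleshooting a routing table it helps to know which entry Windows will actually choose for a destination: the most specific netmask wins, and among equal masks the lowest metric wins. The script below is an added example, not from the NWTC slides, that parses the "Active Routes" section of route print and performs that selection. The table text in it is a constructed sample (it contains the 192.168.0.0/16 route the slide's route add command creates), not output captured from a real server; replace it with (route print | Out-String) to run against a live machine.

```powershell
# Added example (not from the slide deck): parse the IPv4 "Active Routes" table that
# `route print` displays and pick the route Windows would use for a destination
# (longest prefix first, then lowest metric).
# Constructed: the sample table below, including the 192.168.0.0/16 route from the slide.

$RoutePrintSample = @'
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.50     10
         10.0.0.0    255.255.255.0         On-link         10.0.0.50    266
        10.0.0.50  255.255.255.255         On-link         10.0.0.50    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.0      255.255.0.0         10.0.0.1        10.0.0.50    100
===========================================================================
'@

function ConvertTo-UInt32Address {
    # Dotted quad -> 32-bit number so a netmask can be applied with -band.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [uint32](([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3])
}

function Get-PrefixLength {
    # Count the 1 bits in the netmask (255.255.0.0 -> 16).
    param([uint32]$Mask)
    return ([Convert]::ToString([int64]$Mask, 2) -replace '0', '').Length
}

function ConvertFrom-RoutePrint {
    # Keep only lines shaped like "<ip> <mask> <gateway|On-link> <interface> <metric>".
    param([string]$Text)
    $ipv4 = '\d{1,3}(?:\.\d{1,3}){3}'
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match "^\s*($ipv4)\s+($ipv4)\s+(\S+)\s+($ipv4)\s+(\d+)\s*$") {
            New-Object PSObject -Property @{
                Network   = $Matches[1]
                Netmask   = $Matches[2]
                Gateway   = $Matches[3]
                Interface = $Matches[4]
                Metric    = [int]$Matches[5]
            }
        }
    }
}

function Find-Route {
    # Longest-prefix match, ties broken by the lowest metric, as the IP stack does.
    param([string]$Destination, [object[]]$Routes)
    $dst = ConvertTo-UInt32Address $Destination
    $best = $null; $bestLen = -1
    foreach ($r in $Routes) {
        $net  = ConvertTo-UInt32Address $r.Network
        $mask = ConvertTo-UInt32Address $r.Netmask
        if (($dst -band $mask) -ne ($net -band $mask)) { continue }
        $len = Get-PrefixLength $mask
        if ($len -gt $bestLen -or ($len -eq $bestLen -and $r.Metric -lt $best.Metric)) {
            $best = $r; $bestLen = $len
        }
    }
    return $best
}

$routes = ConvertFrom-RoutePrint $RoutePrintSample
foreach ($d in '192.168.5.7', '10.0.0.20', '8.8.8.8') {
    $r = Find-Route $d $routes
    "{0,-14} -> {1}/{2} via {3} on {4} (metric {5})" -f $d, $r.Network,
        (Get-PrefixLength (ConvertTo-UInt32Address $r.Netmask)), $r.Gateway, $r.Interface, $r.Metric
}
```

With the sample table, 192.168.5.7 is sent to 10.0.0.1 through the /16 route (it beats the default route because its prefix is longer, regardless of the higher metric), 10.0.0.20 is delivered on-link through the /24, and 8.8.8.8 falls through to 0.0.0.0/0. Running the same script before and after the route add and route delete commands on the slide makes the effect of each command visible.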
Network Policy and Access Services
• Two functions:
• Accepting Inbound calls
• Universal Gateway to your network
• Same functionality as if they were attached to the LAN, although slower.
• Connecting one private network to another.
• Placing Outbound calls (DUN)
• Dial Up Networking
• Internet Connectivity
• Internet Gateway utilizing NAT (Network Address Translation)
• Poor man's proxy server
Network Policy and Access Services
• Accepting VPN (virtual private network) from remote clients
• Running a secure private network over an insecure public network (internet).
• All a client needs is an internet connection and a valid IP address; it then establishes a
VPN session to the RAS server.
• The session is secure and encrypted.
Network Policy and Access Services
• Added as a Role in 2008 R2
Network Policy and Access Services
• Add supporting role features
Network Policy and Access Services
• After installed, you must Enable Routing and Remote Access
• Read carefully all options based on need
Network Policy and Access Services
• Determine how remote users will be assigned IP addresses for the internal network.
Network Policy and Access Services
• Configure client connection by adding a new connection in Network and Sharing
Center
Network Policy and Access Services
• Select connection option and complete wizard on workstation
Things to consider
• How will it be utilized?
• What will be running on your DUN or VPN?
• File-based apps versus client-server apps
• Microsoft Access versus Microsoft SQL Server
• Access requests continuously query the drive after each record search.
• SQL Server: a query is sent to the server from a client application, the query is run at the server, and
the results are then transmitted back to the client.
• What connection will be required?
• RRAS supports:
• X.25: old "cloud" technology that typically tops out at 56-64k, although reliable
• Frame Relay: same as X.25 but faster, single connection to cloud.
• Modems
• ISDN
• Point to point…