0505 Windows Server 2008 One-Day Highlights Camp, Part II

Module 3 Windows Server 2008 Branch Office Scenario

Transcript of 0505 Windows Server 2008 One-Day Highlights Camp, Part II

Page 1

Module 3: Windows Server 2008 Branch Office Scenario

Page 2

Clinic Outline

Branch Office Server Deployment and Administration

Branch Office Security

[Diagram: branch office site with an RODC connected to the corporate (Corp) site]

Page 3

Branch Office Server Deployment and Administration

Page 4

Domain Name System (DNS) Server Role

Background zone loading

Read-only domain controller support

GlobalNames zone

DNS client changes

Link-Local Multicast Name Resolution (LLMNR)

Domain controller location

Page 5

AD Domain Services

New AD MMC Snap-In Features

Find Command

New Options for Unattended Installs

Page 6

Restartable AD Domain Services (AD DS)

3 Possible States:

AD DS Started

AD DS Stopped

Active Directory Restore Mode

Page 7

Demonstration: Branch Office Server Deployment and Administration

AD DS Installation Wizard

Stopping and restarting AD DS

Page 8

AD Domain Services Auditing

What changes have been made to AD DS auditing?

Page 9

AD Domain Services Backup and Recovery

Considerations

What's New?

General Requirements

Page 10

Improved Server Deployment (Windows Server Virtualization)

Addresses the following challenges:

Server Consolidation

Development and Testing

Business Continuity/Disaster Recovery

64-bit Next Generation technology

Server Core as a host system

Page 11

File Services

DFS

Namespaces

Replication

SYSVOL

Server Message Block (SMB) 2.0

Page 12

Next Generation TCP/IP Stack

Receive Window Auto-Tuning

Compound TCP

Throughput Optimization in High-Loss Environments

Neighbor Unreachability Detection

Changes in Dead Gateway Detection

Changes in PMTU Black Hole Router Detection

Routing Compartments

ESTATS Support

Network Diagnostics Framework Support

New Packet Filtering Model with Windows Filtering Platform

Page 13

Read-Only Domain Controller (RODC)

New Functionality

AD Database

Unidirectional Replication

Credential Caching

Password Replication Policy

Administrator Role Separation

Read-Only DNS

Requirements/Special Considerations

[Diagram: RODC]

Page 14

Read-only DC, RODC

What the administrator does / What the intruder can see

Page 15

Implementation/Usage Scenarios

Maintain physical security of data at the branch office

Maintain physical security of servers at the branch office

Provide secure IP-based communications with the branch office

Control which computers can communicate on the branch office network

Page 16

Recommendations

Implement a Password Replication Policy

Deploy a Read-Only Domain Controller at the branch office

Implement administrator role separation

Implement BitLocker Drive Encryption; do not require a PIN or USB device if there is no local admin

Implement Network Access Protection

Use IPSec for network communications

Page 17

Module 4: Security and Policy Enforcement in Windows Server 2008

Page 18

Overview

Methods of Security and Policy Enforcement

Network Location Awareness

Network Access Protection

Windows Firewall with Advanced Security (WFAS)

Internet Protocol Security (IPSec)

Windows Server Hardening

Server and Domain Isolation

Active Directory Domain Services Auditing

Read-Only Domain Controller (RODC)

BitLocker Drive Encryption

Removable Device Installation Control

Enterprise PKI

Page 19

Technical Background

Windows Firewall with Advanced Security

Internet Protocol Security (IPSec)

Active Directory Domain Services Auditing

Read-Only Domain Controller (RODC)

Enterprise PKI

BitLocker Drive Encryption

Page 20

Windows Firewall with Advanced Security

Page 21

Demonstration: Windows Firewall with Advanced Security

• Creating Inbound and Outbound Rules

• Creating a Firewall Rule Limiting a Service

Page 22

IPSec

Integrated with WFAS

IPSec Improvements

Simplified IPSec Policy Configuration

Client-to-DC IPSec Protection

Improved Load Balancing and Clustering Server Support

Improved IPSec Authentication

Integration with NAP

Multiple Authentication Methods

New Cryptographic Support

Integrated IPv4 and IPv6 Support

Extended Events and Performance Monitor Counters

Network Diagnostics Framework Support

Page 23

BitLocker Drive Encryption (BDE)

Data Protection

Drive Encryption

Integrity Checking

BDE Hardware and Software Requirements

Page 24

Implementation/Usage Scenarios

Enforce Security Policy

Improve Domain Security

Improve System Security

Improve Network Communications Security

Page 25

Recommendations

Implement Network Access Protection

Use Windows Firewall with Advanced Security to implement IPSec

Deploy Read-Only Domain Controllers, where appropriate

Implement BitLocker Drive Encryption

Carefully plan and test all security policies

Take advantage of PKI improvements

Page 26

Network Access Protection in Windows Server 2008

Page 27

Overview

Network Access Protection compared with Network Access Quarantine Control:

                      | Network Access Protection                                                          | Network Access Quarantine Control
Clients covered       | Internal, VPN and remote access clients                                            | Only VPN and remote access clients
Enforcement methods   | IPSec, 802.1X, DHCP and VPN                                                        | DHCP and VPN
Availability          | NAP NPS and client included in Windows Server 2008; NAP client included in Vista  | Installed from Windows Server 2003 Resource Kit

Page 28

NAP Infrastructure

Health Policy Validation

Health Policy Compliance

Automatic Remediation

Limited Access

Page 29

NAP Enforcement Client

802.1X

VPN

IPSec

DHCP

NPS RADIUS

Page 30

Demonstration: Network Access Protection

• Create a NAP Policy

• Using the MMC to Create NAP Configuration Settings

• Create a new RADIUS Client

• Create a new System Health Validator for Windows Vista and Windows XP SP2

Page 31

Implementation/Usage Scenarios

Ensuring the Health of Corporate Desktops

Checking the Health and Status of Roaming Laptops

Determining the Health of Visiting Laptops

Verifying the Compliance of Home Computers

Page 32

Recommendations

Carefully test and verify all IPSec policies

Use Quality of Service to improve bandwidth

When using IPSec, employ ESP with encryption

Plan to prioritize traffic on the network

Apply Network Access Protection to secure client computers

Consider using Domain Isolation