0505 Windows Server 2008 One-Day Highlights Camp Part II
Page 1
Module 3
Windows Server 2008
Branch Office Scenario
Page 2
Clinic Outline
Branch Office Server Deployment and Administration
Branch Office Security
Branch
CorpRODC
Page 3
Branch Office Server Deployment and Administration
Page 4
Domain Name System (DNS) Server Role
Background zone loading
Read-only domain controller support
Global Names zone
DNS client changes
Link-Local multicast name resolution (LLMNR)
Domain controller location
Page 5
AD Domain Services
New AD MMC Snap-In Features
Find Command
New Options for Unattended Installs
Page 6
Restartable AD Domain Services (AD DS)
3 Possible States:
AD DS Started
AD DS Stopped
Active Directory Restore Mode
Page 7
Demonstration: Branch Office Server Deployment and Administration
AD DS Installation Wizard
Stopping and restarting AD DS
Page 8
AD Domain Services Auditing
What changes have been made to AD DS auditing?
Page 9
AD Domain Services Backup and Recovery
Considerations
What's New?
General Requirements
Page 10
Improved Server Deployment (Windows Server Virtualization)
Addresses the following challenges:
Server Consolidation
Development and Testing
Business Continuity/Disaster Recovery
64-bit Next Generation technology
Server Core as a host system
Page 11
File Services
DFS
Namespaces
Replication
SYSVOL
Server Message Block (SMB) 2.0
Page 12
Next Generation TCP/IP Stack
Receive Windows Auto-Tuning
Compound TCP
Throughput Optimization in High-Loss Environments
Neighbor Unreachability Detection
Changes in Dead Gateway Detection
Changes in PMTU Black Hole Router Detection
Routing Compartments
ESTATS Support
Network Diagnostics Framework Support
New Packet Filtering Model with Windows Filtering Platform
Page 13
Read-Only Domain Controller (RODC)
New Functionality
AD Database
Unidirectional Replication
Credential Caching
Password Replication Policy
Administrator Role Separation
Read-Only DNS
Requirements/Special Considerations
RODC
Page 14
Read-only DC, RODC
How the administrator handles it
What the intruder sees
Page 15
Implementation/Usage Scenarios
Maintain physical security of data at the branch office
Maintain physical security of servers at the branch office
Provide secure IP-based communications with the branch office
Control which computers can communicate on the branch office network
Page 16
Recommendations
Implement a Password Replication Policy
Deploy a Read-Only Domain Controller at the branch office
Implement administrator role separation
Implement BitLocker Drive Encryption; do not require a PIN or USB device if no local admin
Implement Network Access Protection
Use IPSec for network communications
Page 17
Module 4
Security and Policy Enforcement in Windows Server 2008
Page 18
Overview
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security (WFAS)
Internet Protocol Security (IPSec)
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
Page 19
Technical Background
Windows Firewall with Advanced Security
Internet Protocol Security (IPSec)
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
Enterprise PKI
BitLocker Drive Encryption
Page 20
Windows Firewall with Advanced Security
Page 21
Demonstration: Windows Firewall with Advanced Security
• Creating Inbound and Outbound Rules
• Creating a Firewall Rule Limiting a Service
Page 22
IPSec
Integrated with WFAS
IPSec Improvements
Simplified IPSec Policy Configuration
Client-to-DC IPSec Protection
Improved Load Balancing and Clustering Server Support
Improved IPSec Authentication
Integration with NAP
Multiple Authentication Methods
New Cryptographic Support
Integrated IPv4 and IPv6 Support
Extended Events and Performance Monitor Counters
Network Diagnostics Framework Support
Page 23
BitLocker Drive Encryption (BDE)
Data Protection
Drive Encryption
Integrity Checking
BDE Hardware and Software Requirements
Page 24
Implementation/Usage Scenarios
Enforce Security Policy
Improve Domain Security
Improve System Security
Improve Network Communications Security
Page 25
Recommendations
Implement Network Access Protection
Use Windows Firewall with Advanced Security to implement IPSec
Deploy Read-Only Domain Controllers, where appropriate
Implement BitLocker Drive Encryption
Carefully test and plan all security policies
Take advantage of PKI improvements
Page 26
Network Access Protection in Windows Server 2008
Page 27
Overview
Network Access Protection

| | Network Access Protection | Network Access Quarantine Control |
|---|---|---|
| Supported clients | Internal, VPN and remote access clients | Only VPN and remote access clients |
| Enforcement methods | IPSec, 802.1X, DHCP and VPN | DHCP and VPN |
| Availability | NAP NPS and client included in Windows Server 2008; NAP client included in Vista | Installed from Windows Server 2003 Resource Kit |
Page 28
NAP Infrastructure
Health Policy Validation
Health Policy Compliance
Automatic Remediation
Limited Access
Page 29
NAP Enforcement Client
802.1X
VPN
IPSec
DHCP
NPS RADIUS
Page 30
Demonstration: Network Access Protection
• Create a NAP Policy
• Using the MMC to Create NAP Configuration settings
• Create a new RADIUS Client
• Create a new System Health Validator for Windows Vista and Windows XP SP2
Page 31
Implementation/Usage Scenarios
Ensuring the Health of Corporate Desktops
Checking the Health and Status of Roaming Laptops
Determining the Health of Visiting Laptops
Verifying the Compliance of Home Computers
Page 32
Recommendations
Carefully test and verify all IPSec policies
Use Quality of Service to improve bandwidth
When using IPSec, employ ESP with encryption
Plan to prioritize traffic on the network
Apply Network Access Protection to secure client computers
Consider using Domain Isolation