Network Administration 2
7/28/2019 Quan Tri Mang 2
"... Nothing is difficult; the only fear is a heart that does not persevere. Digging through mountains and filling in the sea: with determination, it will be done."
NETWORK ADMINISTRATION 2
Internal circulation, 2010
Reference material: Windows Network Administration
Instructor: ThS. Đào Quốc Phương
TABLE OF CONTENTS
STAND-ALONE ROOT CA
ENTERPRISE CERTIFICATE AUTHORITY & KEY RECOVERY AGENT
SECURE SOCKET LAYER & IP SECURITY
EFS on WORKGROUP
EFS on DOMAIN
TRUST RELATIONSHIP
SECURITY TEMPLATES
MOVE ACTIVE DIRECTORY DATABASE
PASSWORD SYSKEY
MICROSOFT SECURITY BASELINE ANALYZER & SOFTWARE UPDATE SERVICE
RADIUS
STAND-ALONE ROOT CA
I. Content
Use certificates to encrypt e-mail
II. Preparation
- One Windows Server 2003 machine (stand-alone) configured as follows:
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
- Create two local user accounts, U1 and U2
- Install MDaemon (mail server software)
+ domain name: congty.com
+ create two mailboxes with username/password U1/123 and U2/123
- Log on as U1, set up Outlook Express, and send a mail to yourself
- Log on as U2, set up Outlook Express, and send a mail to yourself
Instructions for installing MDaemon and doing the basic configuration of the e-mail management program on the server
a. Install MDaemon 6
- Insert the SoftsQTM.iso CD-ROM into the CD drive
- Go to the MDaemon6 folder and run Mdaemon6.exe to install the e-mail management program
b. Enter the DNS information > Next
c. Enter the details of the MDaemon administrator:
Full name: the full name
Mailbox: the mailbox name
Password: the administrator password
Click Next > Next. Afterwards, remember to run keygen.exe to obtain the serial number.
d. Set the domain information for MDaemon: open the menu Setup > Primary Domain, edit the Domain name and Domain IP fields as shown in the figure > Apply > OK
e. Create the mailbox for U1: open the menu Account > New Account, enter Full Name, Mailbox name and Account Password > OK. Check where U1's mailbox is stored by clicking the Mailbox tab, and note this path.
Do the same to create the mailbox for U2
III. Procedure
1. U1 sends mail to U2 (unencrypted); the admin modifies U2's mail and U2 does not detect it
a. Log on as U1; U1 sends mail to U2
b. The Administrator modifies U2's mail
- Log on as Administrator
- In Windows Explorer, open C:\Mdaemon\Users\congty.com\U2
- Edit the file md5xxxxxxxxxxxx.msg (add the text 123 to the body of the e-mail)
c. U2 checks mail
- Log on as U2 and check mail
The mail has been modified and U2 does not know it
2. Install the Stand-alone Root CA
a. Install ASP.NET:
- Log on as Administrator
- Click Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components > Application Server > Details > ASP.NET > OK > Next.
Note: finish installing ASP.NET before moving on to the next step
b. Install the Stand-alone root CA:
Click Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components > Certificate Services > Next > Stand-alone root CA > Next > Common Name for this CA: CongTy > accept the default values > choose Yes when asked: Do you want to enable Active Server Page now?
3. Users request certificates for e-mail encryption
a. User U1 requests a certificate:
- Log on as U1
- Open IE and in the Address bar type http://localhost/certsrv > Request a certificate > E-mail Protection Certificate > Name: U1, Email: [email protected] > click Submit
- Choose Yes
b. U2 requests a certificate
- Log on as U2
- Do the same as above
c. The Administrator issues the certificates to U1 and U2
- Log on as Administrator
- Click Start > Administrative Tools > Certification Authority > CongTy > Pending Requests > select the 2 certificates > right-click > All Tasks > Issue
- Select Issued Certificates to see the 2 certificates issued to U1 and U2
- Double-click U1's certificate and read the information in the General tab
- Read the information in the Details tab
Note: the 2 lines Subject and Public key
d. Install U1's certificate
- Log on as U1
- Click Start > Run, type http://localhost/certsrv > View the status of a pending certificate request > E-Mail Protection Certificate > Install this certificate
e. Install U2's certificate
- Log on as U2
- Do the same as above
f. U2 sends a signed mail to U1
- Open Outlook Express
- Compose a new mail
- Click Sign, then click Send
g. The Administrator modifies U1's mail
- Log on as Administrator
- In Windows Explorer, open C:\Mdaemon\Users\congty.com\U1
- Edit the file md5xxxxxxxxxxxx.msg (add the text 123 to the body of the e-mail)
h. U1 checks mail
- Log on as U1
- Run Outlook Express and receive mail
- Click Open Message: U1 can still read the mail but knows that it has been modified.
- U1 right-clicks the sender U2 in the From field and chooses Add to Address Book to save U2's details in his Contact List
i. U1 sends U2 a mail that is signed and encrypted
- Run Outlook Express
- Compose a new mail and click the Address Book icon
- Click U2 > click To > OK
- Click Sign
- Click Encrypt
- Click Send
j. The Administrator modifies the mail that U1 sent to U2
- Log on as Administrator
- In Windows Explorer, open C:\Mdaemon\Users\congty.com\U2
- Edit the file md5xxxxxxxxxxxx.msg
k. U2 checks mail
- Log on as U2
- Open Outlook Express
U2 cannot read the mail
ENTERPRISE CERTIFICATE AUTHORITY
& KEY RECOVERY AGENT
PART 1: ENTERPRISE CERTIFICATE AUTHORITY
I. Content
- Install an Enterprise Root CA
- Issue a certificate to the user. The user uses the certificate to sign and encrypt mail
- The user exports the key
- When the key is damaged or lost, the user cannot read mail that was signed and encrypted.
- The user imports the key. The user's ability to read and encrypt data is restored.
II. Preparation
- System requirements: one Windows Server 2003 machine (Enterprise version) acting as Domain Controller
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
+ Domain: congty.com
1. Create the objects in Active Directory
Log on as Administrator
a. Adjust the Password Policy (hint: open Domain Security Policy)
b. Create the OU TestCA. In the OU TestCA, create user U1 (Display name: Doremon, password: 123)
c. Configure a copy of U1's mail to be kept on the mail server: in Outlook Express, open the menu Tools > Accounts > Mail tab > select U1's mailbox > Properties > Advanced tab > tick Leave a copy
III. Procedure
1. Install the Enterprise Root CA
a. Install ASP.NET (as described in the previous lab):
Log on as Administrator
Click Start > Settings > Control Panel > Add or Remove Programs > Add/Remove Windows Components > Application Server > Details > ASP.NET > OK > Next.
b. Install the Enterprise Root CA CongTy:
Click Start > Settings > Control Panel > Add or Remove Programs > Add/Remove Windows Components > select Certificate Services.
(Note: choose Enterprise Root CA and Enable Active Server Page)
2. Issue a certificate to the user. The user uses the certificate to sign and encrypt mail:
a. Log on as U1 and request a certificate: open IE and enter the address http://localhost/certsrv > Request a certificate > User certificate > Submit > Install this certificate > Yes
b. Check U1's certificate:
Start > Run, type mmc
In the console, choose File > Add/Remove Snap-in > Add > select Certificates > Add > Close. Save the console on the desktop as U1_Cert.msc
c. Log on as U1 and send a signed and encrypted mail (to yourself)
3. The user exports the key
Open the console U1_Cert.msc saved in step 2b. Right-click U1's certificate > All Tasks > Export
In the Certificate Export Wizard dialog, choose Yes, Export Private key > Next > select Personal Info and Enable Strong > Next > enter password: 123, confirm password: 123 > Next > click Browse, create the folder C:\CertKey and name the file doremon.pfx > Next > choose Place all certificates: Personal > Next > Finish
4. Simulate a lost key
a. Log on as Administrator
Delete user U1's profile
- Right-click My Computer > Properties > Advanced > under User Profiles, click Settings > select U1's profile and choose Delete.
b. Log on as U1 and look again at the previously signed and encrypted mail
b. Look again at the previously signed and encrypted mail
- Click Start > Programs > Administrative Tools > Certification Authority > right-click Certificate Template > Manage > right-click the User template > Duplicate
In the General tab, enter Template display name and Template name: UserVersion2
In the Request handling tab, select the option Archive subject's encryption private key
In the Security tab, grant the 2 groups Authenticated Users and Domain Users the permissions Read, Enroll and Autoenroll > Apply > OK. Close the Certificate Template program
b. Publish the new certificate templates: KRA and UserVersion2
Return to the Certificate Authority program. Right-click Certificate Template > New > Certificate Template to Issue. Select the 2 templates Key Recovery Agent and UserVersion2 > OK
c. Create the KRA:
Open IE and enter the address http://localhost/certsrv > Request a certificate > advanced certificate request > Create and submit a request to this CA > select the Certificate template Key Recovery Agent > Submit
A result message is shown after the request has been submitted
Issue the certificate to the KRA: Start > Programs > Administrative Tools > Certification Authority > open Pending Requests > select the certificate > right-click > All Tasks > Issue, then view the result under Issued Certificates
d. The KRA installs the certificate:
Open IE and enter the address http://localhost/certsrv > View the status of a pending certificate request > Key Recovery Agent Certificate > Install this certificate > Yes
e. Configure the archive the key property for the KRA:
Start > Programs > Administrative Tools > Certification Authority > right-click the root CA and choose Properties > in the Recovery Agents tab, select the option Archive the key and click Add > select the KRA certificate > OK > Yes to restart Certificate Services
3. The user uses the certificate to sign & encrypt mail
a. The user requests an enterprise certificate:
- Log on as U1 and proceed as in Part 1, but choose the certificate template UserVersion2 that the Admin has just created.
- Open IE and enter the address http://localhost/certsrv > Request a certificate > advanced certificate request > Create and submit a request to this CA > select the Certificate template UserVersion2 > Submit > Yes > Install this certificate
b. The user uses the certificate to sign and encrypt mail (as in 2c of Part 1)
- U1 sends a signed and encrypted mail to himself
4. Simulate a lost certificate
a. Log on as Administrator. Delete user U1's profile
b. Log on as U1 and look again at the previously signed and encrypted mail
5. The Key Recovery Agent recovers the user's key
- Log on as Administrator
a. Copy the serial number of user U1's certificate, which is still stored at the root CA, and paste it into a text file. Remove the spaces and copy it to the clipboard again.
Start > Programs > Administrative Tools > Certification Authority mmc > Issued Certificates > select U1's certificate > right-click > Open
Select the Detail tab > select Serial number > highlight the number shown below it and copy it into a text file, remove the spaces and copy it to the clipboard again.
b. Save user U1's archived key to a *.pfx file:
- Enter this command in the command-line window: certutil -getkey [serial number] abc.pfx (paste the serial number in)
c. Recover user U1's key into a *.pfx file:
- Enter this command in the command-line window:
certutil -recoverkey abc.pfx doremon.pfx (no password needs to be entered)
d. The user imports the key:
- Log on as U1
- Use the certificate console to import the key from the pfx file, then look again at the previously signed and encrypted mail.
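Steps 5a to 5c above as one Command Prompt script, run by the Administrator account that holds the KRA certificate and key. This is an added example, not part of the original lab; the script name recover_key.cmd and the serial number in the usage line are made up for illustration.

```batch
@echo off
rem Added example, not part of the original lab: steps 5a-5c in one script.
rem Usage (constructed placeholder serial, as copied from the Details tab):
rem   recover_key.cmd "61 0a 3b 2c 00 00 00 00 00 05" doremon.pfx
setlocal EnableExtensions EnableDelayedExpansion

if "%~2"=="" (
    echo Usage: %~nx0 "serial number from the Details tab" output.pfx
    exit /b 1
)
set "RAW=%~1"
set "OUTPFX=%~2"
rem Name of the intermediate recovery blob, taken from the lab text.
set "BLOB=abc.pfx"
if not defined RAW goto badserial

rem Step 5a: remove the spaces that the Details tab puts between byte pairs.
set "SERIAL=%RAW: =%"
if not defined SERIAL goto badserial

rem Allow only hex digits: strip every hex digit from a copy of the serial
rem (the substitution is case-insensitive). Anything left over is a character
rem that must not reach the certutil command line, for example an invisible
rem character picked up by copy and paste.
set "REST=%SERIAL%"
for %%D in (0 1 2 3 4 5 6 7 8 9 a b c d e f) do (
    if defined REST set "REST=!REST:%%D=!"
)
if defined REST goto badserial

rem Do not overwrite an existing file with recovered key material.
if exist "%OUTPFX%" (
    echo %OUTPFX% already exists, choose another output name.
    exit /b 1
)

rem Step 5b: fetch the archived key blob for this certificate from the CA.
rem The blob is still encrypted to the KRA certificate at this point.
certutil -getkey %SERIAL% "%BLOB%" || (
    echo certutil -getkey failed. Check the serial number and that the key was archived.
    exit /b 1
)

rem Step 5c: decrypt the blob with the KRA private key and write the user's PFX.
certutil -recoverkey "%BLOB%" "%OUTPFX%" || (
    echo certutil -recoverkey failed. Check that the KRA certificate and key are installed for this account.
    del "%BLOB%" 2>nul
    exit /b 1
)

rem The intermediate blob is no longer needed once the PFX exists.
del "%BLOB%"
echo Recovered key written to %OUTPFX%. Pass it to the user for step 5d.
exit /b 0

:badserial
echo The serial number may contain only hex digits and spaces.
exit /b 1
```

The script tests the certutil result with || rather than "if errorlevel 1" because certutil reports failures as HRESULT values, which cmd sees as negative exit codes.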
SECURE SOCKET LAYER & IP SECURITY
PART 1: SECURE SOCKET LAYER
I. Content
- Request a certificate for the web server so that users can access it over HTTPS (HTTP Secure)
II. Preparation
- System requirements: one Windows Server 2003 Enterprise Domain Controller
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
+ Domain: congty.com
1. Install the Enterprise Root CA
a. Install ASP.NET (as described in the previous lab):
Log on as Administrator
Click Start > Settings > Control Panel > Add or Remove Programs > Add/Remove Windows Components > Application Server > Details > ASP.NET > OK > Next.
b. Install the Enterprise Root CA CongTy:
Click Start > Settings > Control Panel > Add or Remove Programs > Add/Remove Windows Components > select Certificate Services.
(Note: choose Enterprise Root CA and Enable Active Server Page)
2. Create the default web page: \Inetpub\wwwroot\default.htm
Welcome to My Web page ^_^
My name is Quoc Phuong
III. Procedure
1. Verify: access the default web page over HTTP and then over HTTPS
- Enter the address in IE: http://localhost: the web page displays normally.
- Enter the address in IE: https://localhost: the web page cannot be displayed.
2. Request a certificate for the web server:
a. Open the IIS properties:
- Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager > right-click Default Web Site > Properties
b. Request the certificate:
- In the Directory Security tab, choose Server Certificate > Next > choose Create a new certificate > Next > choose Send the request immediately > Next > enter the requested information > set the SSL port to 443 > Finish
3. Access the default web page over HTTPS:
- Enter the address in IE: https://localhost; the system shows a warning > choose Yes > the web page displays normally
PART 2: IP SECURITY
I. Content
- Use certificates as the key for encrypting data in transit
II. Preparation
- System requirements: two Windows Server 2003 Enterprise machines
- Check connectivity by PINGing the IP address of the LAN card
- On both machines, change the administrator password to 123
- Odd-numbered machine (PC1):
+ IP Address: 192.168.5.1
+ Subnet mask: 255.255.255.0
- Even-numbered machine (PC2):
+ IP Address: 192.168.5.2
+ Subnet mask: 255.255.255.0
- On the even-numbered machine, install ASP.NET & the Stand-alone root CA
III. Procedure
1. Request certificates for the 2 computers:
a. On the odd-numbered machine, add to the trusted sites list:
- In IE, choose Tools > Internet Options > in the Security tab, select the zone Trusted sites > click Sites > under Add this Web site to the zone enter http://[IP of the even-numbered machine]/certsrv > clear Require server certification > click Add > Close > OK
b. Both machines request a certificate
- Odd-numbered machine: in IE, enter the address http://[IP of the even-numbered machine]/certsrv
- Even-numbered machine: in IE, enter the address http://localhost/certsrv
- Both machines: choose Request a certificate > Advanced certificate request > Create and submit a request to this CA > fill in the required information
- Note: under Type of Certificate Needed, choose Client Authentication Certificate; tick Store certificate in the local computer certificate store
- Submit
c. Issue the certificates to the 2 computers:
- Even-numbered machine: Start > Programs > Administrative Tools > Certification Authority. In the Certification Authority window, select Pending Request > right-click each request in turn > All Tasks > Issue
d. Both machines install the certificate:
- Both machines reopen the certificate request web page > choose View the status of a pending request > click Authentication Certificate > Install this certificate
e. Both machines create the console PC_Cert:
- Start > Run > mmc > File menu > Add/Remove snap-in > Add > Certificates > choose Computer account > choose Local computer
- In the console, choose File > Save as and save the console to the Desktop as PC_Cert
Note that the odd-numbered machine's certificate currently shows an error
f. The odd-numbered machine imports the root CA certificate:
- In the console PC_Cert (created in part e): select Trusted Root Certification Authorities > right-click Certificates > All Tasks > Import > in the Certificate Import Wizard dialog click Browse > My Network Places > CertConfig on PCxx > Pcxx_Congty.crt > Open > Next > choose Place all certificates in the following stores: Trusted Root Certification Authorities > Finish
2. Create the IPSec policy on the 2 machines (both machines do the same):
a. Create the IPSec console:
- Start > Run, type mmc > Add/Remove snap-in > Add > select in turn IP Security Policy Management for Local Computer and Services for Local Computer > save the console to the Desktop as IPSec.msc.
b. Create a new IPSec policy:
- In the IPSec console, right-click IP Security Policy Management > Create IP Security Policy > Next > name the policy IPSec by Cert > Next > clear Activate the default > Next > clear Edit properties > Finish
c. Configure the policy IPSec by Cert:
- In the IPSec console, right-click IPSec by Cert > Properties > in the Rules tab of IPSec by Cert Properties click Add > Next
- In the Tunnel Endpoint dialog, choose This rule does not specify a tunnel > Next
- In the Network Type dialog, choose All network connections > Next
- In the IP Filter List dialog, select All IP Traffic > Next
- In the Filter Action dialog, select Require Security > Next
- In the Authentication Method dialog, select Use a certificate > click Browse
- In the Select Certificate dialog, choose the CA CongTy > OK
- Back in the Authentication Method dialog > Next > Finish > back in IPSec by Cert Properties > OK
d. Assign the policy and restart the services
- In the IPSec console, right-click IPSec by Cert > Assign
- Also in the IPSec console, select Services > right-click IPSec Services > Restart
3. Verify the encryption:
- At the command line on the even-numbered machine, enter the command PING [IP of the odd-numbered machine] -t
EFS on WORKGROUP
I. Purpose
- Use certificates to encrypt the file system (Encrypt File System)
- Create a Recovery Agent to recover data when the user loses the certificate
II. Preparation
- One machine running Windows XP
- Create one account with username/password u1/123
- Log on as this user and create the folder C:\TestEFS
III. Procedure
1. Encrypt the folder TestEFS, then create the file u1.txt
a. Log on as U1. Start > Run, type mmc > OK
b. Choose File > Add/Remove snap-in > Certificates > Add > Close > OK
At this point there is nothing in Personal yet!!!
Choose File > Save > Desktop. Name the file Certificate_u1
c. Open Windows Explorer > create the folder C:\TestEFS > right-click the folder TestEFS > Properties
d. In the TestEFS Properties window > Advanced
In the Advanced Attributes window, tick Encrypt contents to secure data > OK > Apply > OK
e. In the folder TestEFS, create a file u1.txt with the content "Day la file cua U1"
f. Double-click the Certificate_u1 icon on the desktop
Certificates under Personal now contains one certificate for U1
THIS IS U1'S SELF-SIGNED CERTIFICATE
2. The Administrator cannot open this file
- Log on as Administrator and open the file C:\TestEFS\u1.txt: it cannot be opened
3. The Admin creates a Recovery Agent
a. Log on as Administrator, go to Start > Run > cmd
b. At the Command Prompt, type the following commands:
CD\
MD ABC
CD ABC
In ABC, type the command cipher /r:filename (e.g. cipher /r:local_recover) and press Enter. The program creates 2 files, a .CER and a .PFX
4. Apply the policy so that the Recovery Agent can read encrypted files
a. Log on as Administrator, go to Start > Run, type gpedit.msc > OK
b. Select Computer Configuration > Windows Settings > Security Settings > Public Key Policies > right-click Encrypting File System > choose Add Data Recovery Agent
c. The Welcome screen appears > Next.
In the Select Recovery Agents screen > choose Browse Folders
d. Go to the folder C:\ABC > select the file local_recover.cer > Open
(Note: select the *.cer file)
e. In the Select Recovery Agents screen > Next
f. In the Completing the Add Recovery Agent Wizard screen > Finish
- Go back to the Command Prompt and type the command gpupdate /force
g. Go to Start > Run, type mmc > OK. In the Console1 window > File menu > Add/Remove Snap-in > Add > Certificates > choose My user account > Finish > OK
h. There is nothing in Personal yet
i. Right-click Personal > All Tasks > Import
j. The Welcome screen appears > Next. Point to the folder C:\ABC > select the file with the key icon (extension *.pfx)
k. In the File to Import screen, click Next
l. In the Password screen, select Mark this key as exportable > Next > Finish
m. The result after importing the certificate is shown in the figure
5. U1 creates a new file: log on as U1 and create the new file C:\TestEFS\u2.txt
6. Test the Recovery Agent function
a. The Admin opens the file u2.txt: it opens
b. The Admin opens the file u1.txt: it cannot be opened
c. Log on as U1, open the file u1.txt, then close it
d. Log on as Administrator and open the file u1.txt again
EFS on DOMAIN
I. Purpose
- Same as EFS on Workgroup
II. Preparation
- One machine acting as Domain Controller
- Install the Enterprise Root CA
- Set the Administrator password to 123
- Create a user with username/password u2/123
- Give u2 the right to log on locally
- Create the folder C:\TestEFS
III. Procedure
1. Log on as user U2. Create a file u2.txt. Encrypt this file
a. Log on as U2 and set the Encrypt attribute on the folder C:\TestEFS
(as on XP)
Create the file C:\TestEFS\u2.txt
b. After the file has been encrypted, right-click u2.txt > Properties > Advanced > Details
c. In the Encrypt Detail screen, the section Data Recovery Agents For This File As Defined By Recovery Policy lists Administrator, so the Admin can read the file that u2 encrypted (default). Click OK to exit
d. Go to Administrative Tools > right-click Certification Authority > choose Run as > Username/password: Administrator/123
e. In the Issued Certificates folder, you see only that u2 has itself requested one certificate used for encryption. Exit the Certificate Authority window; there is no need to save
2. Log on as Administrator and open the file C:\TestEFS\u2.txt: it opens. Conclusion: in a Domain, the Administrator is the Recovery Agent by default
TRUST RELATIONSHIP
I. Purpose
- Allow domains that are not in the same forest to make use of each other's authentication.
II. Preparation
- 2 machines acting as Domain Controllers, with the IP addresses given in the table below
- The odd-numbered machine (PC1) hosts the domain saigon.vn. Create an alias named www.saigon.vn
- The even-numbered machine (PC2) hosts the domain hanoi.vn. Create an alias named www.hanoi.vn
- Change the Administrator password on both machines.
- On the odd-numbered machine (PC1), create username: doremon, password: 123
- On the even-numbered machine, create and share the folder C:\Public Folder
- Set the same time on both machines
PC1 (saigon.vn)       | PC2 (hanoi.vn)
IP: 192.168.5.1/24    | IP: 192.168.5.2/24
DNS: 192.168.5.1      | DNS: 192.168.5.2
III. Procedure
Note: all operations on both machines are performed with Administrator rights.
1. Configure a DNS Forwarder so that the two domains can resolve each other's names.
Carry out the following steps on PC1 (domain saigon.vn)
a. Start > Administrative Tools > DNS
In the DNS console, right-click the computer name (PC1) > Properties
b. In the PC1 Properties window, select the Forwarders tab > click New
c. In New Forwarder, under DNS Domain, type the name of the other domain, e.g. hanoi.vn > OK
d. In this window, with hanoi.vn still highlighted, enter the domain's IP address under Selected domain: 192.168.5.2 > Add > OK
e. Right-click the DNS Server > All Tasks > Restart
Do the same on PC2 (domain hanoi.vn)
f. After the configuration on the domain hanoi.vn is complete, go back to PC1 and run nslookup to check name resolution in both directions between the domains (see the figure)
2. Configure the Trust Relationship:
a. Still on PC1, go to Administrative Tools > Active Directory Domains and Trusts; the window shown in the figure appears. Right-click the domain (saigon.vn) > Properties
b. Choose New Trust
c. The Welcome screen appears > Next.
In the Trust Name screen, enter the NETBIOS name of the other domain (e.g. hanoi.vn). Then click Next
d. In the Direction of Trust screen, choose Two way > Next
In the Sides of Trusts screen, choose Both this domain and the specified domain > Next
e. Enter the administrator username and password of the other domain > Next
f. In the Trust Selection Complete screen > Next
g. In the Trust Creation Complete screen > Next
h. In the Confirm Outgoing Trust screen, choose Yes, confirm the outgoing trust > Next
i. In the Confirm Incoming Trust screen, choose Yes, confirm the incoming trust > Next
j. In the Complete the New Trust Wizard screen > Finish > OK
k. After you click OK, the following screen appears. Click OK
l. Note: restart both domain machines
m. After the restart, the logon screen of the 2 machines looks as shown in the figure
3. Test:
- Grant a user in the domain saigon.vn permission to use the shared folder in the domain hanoi.vn
a. Open Windows Explorer, select drive C:, right-click Public Folder > select the Security tab > Add
b. In Select Users, Computers, or Groups > click Location
c. In Locations > select saigon.vn > OK
d. Find now > select the user doremon > OK
e. The resulting screen looks as follows. OK > OK
-
7/28/2019 Quan Tri Mang 2
88/131
Security Templates Qun tr mngWindows
GV: ThS. o Quc Phng Trang 87
SECURITY TEMPLATES
I. Ni dung
-p t cc Security Template vo tng Server, OU tng ng lm gia tng bo mt
ca ton b h thng mng my tnh.
II. Chun b
- 1 my Win2K3 nng cpdomain controller.
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
+ Domain name: congty.com
- Copy file Windows Server 2003 Security Guide.rar v a C:\ v gii nn
III. Thc hin1. To cu trc OU, ph hp tng loi hnh Server
StartRun g vo dsa.msc click
nt phi chut trn congty.comNew
Organizational Unit.
To ln lt cc OU nh hnh bn
2. Create a Group Policy and apply the security template at the domain root
a. Go to Start → Programs → Administrative Tools → open Active Directory Users and Computers
b. In Active Directory Users and Computers → right-click CongTy.com → select Properties → go to the Group Policy tab → select New → name the new Group Policy Domain Policy
c. In the congty.com Properties window → select Domain Policy → select Edit
d. In the Group Policy Object Editor window → go to Computer Configuration → Windows Settings → Security Settings → right-click Security Settings → select Import Policy → in the Import Policy From window, in Look in, browse to C:\Windows Server 2003 Security Guide\Tools and Templates\Securiry Guide\Security Templates → select the file Enterprise Client Domain → Open
3. Create a Group Policy and add the security template on the Domain Controller OU
a. Go to Start → Programs → Administrative Tools → open Active Directory Users and Computers.
b. In Active Directory Users and Computers → right-click the OU Domain Controller → select Properties → go to the Group Policy tab → select New → name the new Group Policy Domain Controller Policy
c. In the Domain Controller Properties window → select Domain Controller Policy → select Edit
d. In the Group Policy Object Editor window → go to Computer Configuration → Windows Settings → Security Settings → right-click Security Settings → select Import Policy → in the Import Policy From window, in Look in, browse to C:\Windows Server 2003 Security Guide\Tools and Templates\Securiry Guide\Security Templates → select the file Enterprise Client Domain Controller → Open
4. Create a Group Policy and add the security template on the remaining OUs
- Repeat the same procedure as in step 4
Note: each security template file must be applied to its corresponding OU
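A review step before Import Policy, as an added example that is not part of the original lab material: security templates are INI-style .inf files, so the settings an import would change can be listed first. The two sample texts are constructed (they are not the contents of the Enterprise Client templates), the function names are hypothetical, and CURRENT_INF stands for an export of the settings in force, for example one produced with secedit /export /cfg.

```python
import configparser

# Constructed samples in security-template (.inf) syntax. The values are
# illustrative, not the contents of the Enterprise Client templates.
CURRENT_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
MaximumPasswordAge = 42
"""
INCOMING_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 50
"""


def parse_template(text):
    """Parse template text. Real templates are commonly saved as UTF-16,
    so read them with open(path, encoding="utf-16") before calling this."""
    parser = configparser.ConfigParser(
        interpolation=None,      # '%' in values must not be expanded
        allow_no_value=True,     # some sections hold bare lines without '='
        strict=False,            # tolerate repeated sections or keys
        delimiters=("=",),
    )
    parser.optionxform = str     # keep setting names exactly as written
    parser.read_string(text)
    return parser


def pending_changes(current, incoming, section="System Access"):
    """Map each setting the import would add or change to (old, new)."""
    old = dict(current[section]) if current.has_section(section) else {}
    new = dict(incoming[section]) if incoming.has_section(section) else {}
    return {name: (old.get(name), value)
            for name, value in new.items() if old.get(name) != value}


def demo():
    return pending_changes(parse_template(CURRENT_INF),
                           parse_template(INCOMING_INF))


if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print(f"{name}: {old!r} -> {new!r}")
```

Settings with an old value of None are ones the template introduces; unchanged settings such as MaximumPasswordAge are not listed.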
MOVE ACTIVE DIRECTORY DATABASE
I. Content
- Normally, when a domain controller is built, the Active Directory database file ntds.dit sits in the default location %systemroot%\NTDS (e.g. c:\windows\ntds.dit). To improve security, we move this database to another location.
II. Preparation
- Attach an additional 1 GB hard disk E:\ to the machine, formatted as NTFS
- Perform the lab on a machine that is currently a domain controller
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
+ Domain name: congty.com
III. Implementation
1. Check the default path:
- Log on as Administrator → go to C:\WINDOWS\NTDS
- Check that these files are present: edb.chk, ntds.dit, temp.edb (these are what needs to be moved)
2. Back up the System State data in case the database move fails
a. Go to Start → Programs → Accessories → System Tools → Backup
b. In the Welcome to the Backup or Restore Wizard window → clear the Always start in wizard mode check box → select Advanced Mode
c. In the Backup Utility window → check System State → type E:\SSD.bkf in Backup media or file name (to save the SSD backup file on drive E:\) → select Start Backup → in the Backup Job Information window select Start Backup.
d. After the backup finishes → go to E:\ and check that the file SSD.bkf exists
3. Move the AD database
a. Restart the machine, press F8 and select Directory Service Restore Mode as the boot mode (if the machine has several Windows installations, select the one whose directory is to be moved → log on)
b. Log on as Administrator → at the command line type ntdsutil → Enter
c. When the ntdsutil prompt appears in CMD → type files → Enter
d. When the file maintenance prompt appears in CMD → type move DB to C:\SecureDATA → Enter (the system starts moving the AD database to the folder C:\Secure\DATA)
e. After the move completes, the file maintenance: prompt appears in CMD → type quit
f. At the ntdsutil: prompt → type quit → type exit
4. Check the path that now holds the Active Directory database
a. After completing part 3 → restart the machine into Windows in normal mode
b. Log on as Administrator → go to C:\SecureDATA → check that the files edb.chk; ntds.dit; temp.edb are present
c. Go to C:\WINDOWS\NTDS → the files edb.chk; ntds.dit; temp.edb are no longer there
PASSWORD SYSKEY
I. Content
- Create a password for a workstation's system or for the Active Directory database of a domain controller, to strengthen security and guard against tools that guess the Administrator password by brute force
II. Preparation
- Can be performed on any machine
III. Implementation
a. Log on as Administrator → go to Start → Run → type syskey → in the Securing the Windows Account Database window select Update
In the Startup Key window select Password Startup → type 123 in Password and Confirm → OK → in the Success window select OK
b. Restart the machine → during startup a window asks for the Syskey password → enter the password 123
Note: the Welcome to Windows screen is reached only after the syskey password has been entered.
MICROSOFT SECURITY BASELINE ANALYZER & SOFTWARE UPDATE SERVICE
I. Content
- Install Microsoft Security Baseline Analyzer to review and list the system's vulnerabilities so that fixes can be worked out.
- Install SUS for the system to improve the security and stability of the servers by continuously applying patches for the operating system and Microsoft software, while making sure the Internet link is not congested.
II. Preparation
- The lab consists of 2 Windows Server 2003 machines
+ PC1 acts as the SUS server, PC2 as the client (PC02 may run Windows XP)
+ The 2 files SUS10SP1.exe and MBSASetup-en.msi are on the disc SoftsQTM.iso
III. Implementation
1. Install MSBA (performed on PC1):
- Insert the disc SoftsQTM.iso into the CD-ROM drive
a. Run the file MBSASetup-en.msi → in the Welcome window select Next → in the License Agreement window select I accept the license agreement → Next
b. In the Destination Folder window → keep the default and select Next → in the Start Installation window select Install → Finish
c. Open the Microsoft Baseline Security Analyzer 1.2 icon on the desktop → in the Microsoft Baseline Security Analyzer window select Scan more than one computer
d. In the Pick multiple computers to scan window → in IP address range enter the IP address of PC1 to the IP of PC2 (e.g. 192.168.5.1 to 192.168.5.2) → select Start Scan → the program starts scanning for security problems
e. After the scan completes → in the View security report window → the items marked with a red cross are the parts with security problems → to see the details select How to correct this
Review the problems MBSA found and work out how to fix them.
2. Install SUS on PC1
a. Go to Control Panel → Add or Remove Programs → Add / Remove Windows Components → in Add / Remove Windows Components, open Details for Application Server → in Application Server, check Internet Information Services (IIS) → OK → Next → Finish
b. Run the file SUS10SP1.exe to install SUS → in the Welcome window → Next
c. In the End-User License Agreement window select I accept the License Agreement → Next → in the Choose setup type window select Typical
d. In the Ready to install window select Install → after the installation completes select Finish → in the Software Update Service window select Set option in the left pane.
e. In the Set options pane on the right → under Select which server to synchronize content from select Synchronize directly from the Microsoft Windows Services servers → under Select Where you want to store updates select Save the updates to a local folder → in the language list, clear every entry and select only English → select Apply
f. In Software Update Services → select Synchronize server → in the Synchronize server window → select Synchronization Now → the system starts synchronizing data with the Microsoft Update site
3. Configure PC2 to update from PC1
a. Go to Start → Run → type gpedit.msc → in the Group Policy Object Editor window go to Computer Configuration → Administrative Templates → Windows Update
b. In Windows Update → open the policy Configure Automatic Updates → in the Configure Automatic Updates Properties window select Enabled → in Configure Automatic Updating select 4 Auto download and schedule the install → OK
c. Open the policy Specify intranet Microsoft update service location → select Enable → there, enter http://<IP address of PC1> (e.g. http://192.168.5.1) in the 2 fields Set the intranet update service for detecting updates and Set intranet statistics server → OK → close all open windows → go to Start → Run → type gpupdate /force
RADIUS
I. Purpose
- Use RADIUS to authenticate remote users who connect over VPN
II. Preparation
- A 3-machine setup: the IP addresses are assigned as in the table below
- PC2 joins the domain through the CROSS network card
- Create the group VPN_group and the user vpn_client (password: 123). Allow this user remote access (allow access) and make it a member of VPN_group
Domain machine (PC1)    VPN Server (PC2)        VPN Client (PC3)
(RADIUS Server)         (RADIUS Client)
IP: 172.16.2.16/24      IP: 172.16.2.15/24
P.DNS: 172.16.2.16      P.DNS: 172.16.2.16
                        IP: 192.168.2.15/24     IP: 192.168.2.14/24
III. Implementation
1. Install IAS, then configure the RADIUS server and the related items (register IAS in AD, remote access policy)
a. Install IAS
- Go to Control Panel → Add or Remove Programs → Add / Remove Windows Components → Networking Services → click Details → check Internet Authentication Service → OK.
b. Finally, click Finish when the installation completes
c. Configure the RADIUS server.
- Go to Start → Administrative Tools → Internet Authentication Service
d. The IAS screen appears. Right-click Internet Authentication Service (Local) → select Register Server in Active Directory.
e. Click OK
f. Click OK
g. Declare the RADIUS client (the VPN server).
- Right-click RADIUS Clients → New RADIUS Client
h. In Friendly-name, enter VPN Server. In Client address (IP or DNS): enter the IP of the VPN server, in this case 172.16.2.15. Then click Verify
i. On this screen, click Resolve. Then click OK
j. On this screen, in Client-Vendor, click the arrow and select Microsoft. In Shared secret and Confirm shared secret type 123. Then click Finish
k. Configure the Remote Access Policy. Right-click Remote Access Policies → New Remote Access Policy
l. The Welcome screen appears, click Next. On the next screen, keep the option that is already selected. In Policy name, enter the name of the policy (e.g. VPN-RADIUS). Then click Next.
m. In Access Method, select VPN. Click Next
n. In User or Group Access, select Group → click Add
o. Find the group VPN_Group. Then click OK
p. The User or Group Access screen appears again, click Next
q. On the Authentication Methods screen, keep the options as they are, click Next
r. On the Policy Encryption Level screen, keep only Strongest encryption. Click Next and Finish
s. Open Windows Explorer, go to drive C:, create a folder named PublicFolder. Then share this folder.
2. Configure the VPN server (using RRAS)
a. Log on to PC2 as Administrator. Go to Start → Administrative Tools → Routing and Remote Access
b. On the Routing and Remote Access screen, right-click the computer name (e.g. PC2), select Configure and Enable Routing and Remote Access
c. The Welcome screen appears. Click Next
d. On the Configuration screen, select Remote access (dial-up or VPN) → Next
e. On the Remote access screen select VPN → Next
f. On the VPN connection screen → select the LAN card and clear Enable security on the selected → click Next
g. On the IP Address Assignment screen select From a specified range of address → Next
h. On the Address Range Assignment screen → New
i. On the New Address Range screen, enter 172.16.2.100 → 172.16.2.179. When done, click OK.
j. Back on the Address Range Assignment screen → Next
k. On the Managing Multiple Remote Access Server screen select Yes, setup this server to work with a RADIUS server. Click Next
l. Enter the IP address of the RADIUS server, in this case 172.16.2.16. In Shared secret, enter 123. When done, click Next. The program starts installing
m. During installation, the program displays several messages. Click OK to dismiss them
We have now finished configuring PC2 as the VPN server (RADIUS client)
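What the Shared secret typed in step j on PC1 and in step l on PC2 is used for, as an added example that is not part of the original lab material: the RADIUS server signs every reply with the secret and the RADIUS client checks that signature (the RFC 2865 Response Authenticator), so both sides must hold the same value. The function names, packet identifier and Reply-Message text are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """RADIUS server (PC1 in the lab): serialise a reply signed with its secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(packet, ident, request_auth, secret):
    """RADIUS client (PC2 in the lab): accept a reply only if it was signed
    with the same secret for this exact request."""
    if len(packet) < 20:
        return False
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length != len(packet):
        return False
    expected = response_authenticator(code, reply_id, packet[20:],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    request_auth = os.urandom(16)     # Request Authenticator sent by the client
    ident = 7                         # constructed packet identifier
    text = b"constructed sample"      # constructed Reply-Message (attribute 18)
    attrs = bytes([18, 2 + len(text)]) + text
    reply = build_reply(ACCESS_ACCEPT, ident, attrs, request_auth, b"123")
    tampered = reply[:-1] + bytes([reply[-1] ^ 1])
    return {
        "same_secret": verify_reply(reply, ident, request_auth, b"123"),
        "different_secret": verify_reply(reply, ident, request_auth, b"124"),
        "tampered_attribute": verify_reply(tampered, ident, request_auth, b"123"),
        "other_request": verify_reply(reply, ident, os.urandom(16), b"123"),
    }


if __name__ == "__main__":
    print(demo())
```

Because this check is keyed only by the shared secret, a production deployment uses a long random secret rather than the lab's 123.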
3. Create a VPN connection to the VPN server using the username and password provided by PC
a. Right-click the My Network Places icon (on the desktop) → Properties, double-click Create a New Connection. The Welcome to screen appears. Click Next
b. On this screen, select Connect to the network at my workplace. Click Next
c. On this screen, select Virtual Private Network connection, click Next.
d. In Company Name, enter a descriptive name, e.g. VPN client. Click Next
e. On the VPN Server Selection screen, enter the address of the VPN server, 192.168.2.15. Click Next
f. On this screen, select My use only. Click Next
g. On this screen, check Add a shortcut to this connection to my desktop. Click Finish
h. Check the IP before connecting to the VPN server. Go to Start → Run → cmd. Enter ipconfig. We see only one IP address, that of the network card
i. Test the connection. Double-click the newly created icon on the desktop. In Username, enter: vpn_client. In Password, enter 123 → check Save this. Finally click Connect
j. The screens appear in turn as shown in the figure
k. After the connection succeeds, you will see one more icon (two computers) appear in the lower-right corner of the screen
l. Check the IP after connecting: go to Start → Run → cmd. Enter ipconfig. Now, besides the LAN card's IP address, there is also an IP address assigned by the VPN server
m. Access PC1 to retrieve data. Go to Start → Run → type \\172.16.2.16; the resulting screen looks like the figure