Microsoft Server 2008 R2

bunchlearned, Networking and Communications

Oct 30, 2013



GROUP POLICIES & NETWORK POLICY AND ACCESS SERVICES

Agenda
- Group Policies
- Network Policy and Access Services

Group Policies
- Using Group Policies to harden Windows 7
  - The following will outline several methods to secure a network environment using Group Policies
  - Microsoft doc defining settings to harden Windows 7: http://www.microsoft.com/en-us/download/details.aspx?id=24373






Group Policies
- Computer Configuration (CC): Privacy settings
  - Interactive logon: Do not display last user name
- CC: Security Settings
  - Shutdown: Allow system to be shut down without having to log on
  - Network security: Do not store LAN Manager hash value on next password change
    This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.

Group Policies
  - Network access: Do not allow storage of credentials or .NET Passports for network authentication
    This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer.
  - Removable Disks: Deny write access
- Internet Explorer
  - Disable context menu
    Ensures that users cannot access other features that have been disabled
  - Disable customizing buttons
  - Disable Internet Options tabs


Group Policies
- Control Panel Access
  - Prevent access
- Windows Explorer
  - Do not move deleted files to the Recycle Bin
  - Hide these specified drives in My Computer
- Start menu and taskbar
  - Hide the notification area
  - Lock the Taskbar
- System
  - Prevent access to registry editing tools
  - Prevent access to the command prompt





Group Policies
- Controlling applications
  - Application Control Policies
  - Software Restriction Policies







Group Policies
- AppLocker requirements
  - Works on Windows 7 and newer
  - Only available on 7 Enterprise and Ultimate, not Pro
  - Application Identity service must be running.
  - Add default rules to prevent stepping on "required" services
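To check that the hardening settings listed on the earlier Group Policies slides actually took effect on a machine, and that the Application Identity service AppLocker depends on is running, the following audit script is an added example (not part of the deck). It reads the registry values those policies write on Windows 7 / Server 2008 R2; the registry paths are the documented ones for each policy, and the script assumes it is run from an elevated PowerShell session.

```powershell
# Added example: audit the effective values behind the Group Policy settings
# covered in the deck. Each entry maps a policy name to the registry value the
# policy writes and the value expected when the hardening is in place.
$checks = @(
    @{ Name = 'Interactive logon: Do not display last user name'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DontDisplayLastUserName'; Expected = @(1) },
    @{ Name = 'Shutdown: Allow shutdown without logon (expect disabled)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'ShutdownWithoutLogon'; Expected = @(0) },
    @{ Name = 'Network security: Do not store LAN Manager hash value'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Expected = @(1) },
    @{ Name = 'Network access: Do not allow storage of credentials'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'DisableDomainCreds'; Expected = @(1) },
    @{ Name = 'Prevent access to registry editing tools (current user)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools'; Expected = @(1) },
    # DisableCMD is 1 (scripts blocked too) or 2 (scripts still allowed)
    @{ Name = 'Prevent access to the command prompt (current user)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD'; Expected = @(1, 2) }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($Check.Value) }
    # a missing value means the policy was never applied, so it is flagged too
    $status = 'REVIEW'
    if ($Check.Expected -contains $actual) { $status = 'OK' }
    New-Object PSObject -Property @{ Status = $status; Actual = $actual; Setting = $Check.Name }
}

$checks | ForEach-Object { Test-PolicyValue $_ } | Format-Table Status, Actual, Setting -AutoSize

# AppLocker rules are only enforced while the Application Identity service runs
$appid = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if ($appid -and $appid.Status -eq 'Running') {
    Import-Module AppLocker
    (Get-AppLockerPolicy -Effective).RuleCollections |
        ForEach-Object { '{0}: {1} rule(s)' -f $_.RuleCollectionType, $_.Count }
} else {
    Write-Host 'AppIDSvc is not running: AppLocker rules are not being enforced'
}
```

A REVIEW line with an empty Actual column usually means the GPO has not reached this machine yet; run gpupdate /force and re-check before treating it as a misconfiguration.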



Group Policies
- AppLocker
  - Add default rules
  - Create new rule


Group Policies
- Software Restriction Policies
  - Similar to AppLocker, works on XP and later

Network Policy and Access Services
- Routing and Remote Access Service (RRAS), pronounced "R-Razz"
  - Formerly Remote Access Service in NT 4.0
  - Bundled to compete with Novell's NetWare Connect
  - Now included as a role in Network Policy and Access Services



Network Policy and Access Services
- First we must know some routing information
- TCP adds more to IP to allow the concepts of connection
  - Handshaking: 3-way handshake. SYN, SYN/ACK, SYN
  - Sequencing: ensures that no two bytes are repeated or sent out of sequence
  - Flow control: keeps traffic flowing without having to wait and take up too much memory.
  - Error indication: an application that closes unexpectedly can be signaled to its communicating partner with a reset
  - Ports: each IP address has 131,070 ports. Similar to extensions for a phone number
- Socket
  - Port (both local and foreign)
  - IP Address (both local and foreign)
  - Protocol (TCP/UDP)


Network Policy and Access Services
- Routing un-routable addresses?
- NAPT: Network address/port translator.
  - One external IP address for several internal private IP addresses. This router would look beyond the IP layer into the TCP/UDP layer and use the IP address and port to map connections.
  - This is also referred to as Port Address Translation (PAT)
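The translation table described above, as an added example that is not part of the deck: a minimal NAPT/PAT simulation showing why the translator has to key on the TCP/UDP port and not only the IP address. The external address 203.0.113.10 stands in for the RRAS NAT interface, and all addresses and ports are constructed.

```powershell
# Added example: a toy NAPT table. Outbound flows get a fresh external port;
# inbound packets are mapped back only if they match a flow we created.
$ExternalIP = '203.0.113.10'    # constructed public address of the NAT router
$script:NextPort = 40000        # first external port to hand out
$script:Outbound = @{}          # "proto|intIP:intPort|dstIP:dstPort" -> extPort
$script:Inbound  = @{}          # "proto|extPort|remoteIP:remotePort" -> "intIP:intPort"

function Translate-Outbound {
    param([string]$Proto, [string]$SrcIP, [int]$SrcPort, [string]$DstIP, [int]$DstPort)
    $key = "$Proto|${SrcIP}:$SrcPort|${DstIP}:$DstPort"
    if (-not $script:Outbound.ContainsKey($key)) {
        # two internal hosts may both pick source port 1025; the IP address alone
        # cannot tell them apart, so each flow is given its own external port
        $extPort = $script:NextPort
        $script:NextPort++
        $script:Outbound[$key] = $extPort
        $script:Inbound["$Proto|$extPort|${DstIP}:$DstPort"] = "${SrcIP}:$SrcPort"
    }
    "$Proto ${ExternalIP}:$($script:Outbound[$key]) -> ${DstIP}:$DstPort"
}

function Translate-Inbound {
    param([string]$Proto, [string]$SrcIP, [int]$SrcPort, [int]$DstPort)
    $key = "$Proto|$DstPort|${SrcIP}:$SrcPort"
    if ($script:Inbound.ContainsKey($key)) {
        "$Proto ${SrcIP}:$SrcPort -> $($script:Inbound[$key])"
    } else {
        # no matching outbound flow: the packet has no internal destination and is dropped
        "DROP $Proto ${SrcIP}:$SrcPort -> ${ExternalIP}:$DstPort"
    }
}

Translate-Outbound TCP 192.168.1.10 1025 198.51.100.5 80
Translate-Outbound TCP 192.168.1.11 1025 198.51.100.5 80   # same source port, other host
Translate-Inbound  TCP 198.51.100.5 80 40001                # reply reaches 192.168.1.11
Translate-Inbound  TCP 198.51.100.99 4444 40002             # unsolicited, dropped
```

The last call shows the side effect of PAT that makes it behave like a crude inbound filter: traffic that does not match an existing outbound flow has nowhere to go.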

Network Policy and Access Services
- Viewing and troubleshooting our routing tables
  - route print



Network Policy and Access Services
- Viewing and troubleshooting our routing tables
  - Commands: add using route and netsh
    route add 192.168.0.0 mask 255.255.0.0 10.0.0.1 metric 100
    route add 192.168.0.0/16 10.0.0.1 metric 100 (same as above)
    netsh interface ipv4 add route 192.168.0.0/16 "Local Area Connection" 10.0.0.1
    route delete 192.168.0.0
    netsh interface ipv4 delete route 129.0.0.0/8 "Local Area Connection"

Network Policy and Access Services
- Two functions:
  - Accepting inbound calls
    - Universal gateway to your network
    - Same functionality as if they were attached to the LAN, although slower.
    - Connecting one private network to another.
  - Placing outbound calls (DUN)
    - Dial Up Networking
    - Internet Connectivity
    - Internet gateway utilizing NAT (Network Address Translation)
    - Poor-man's proxy server

Network Policy and Access Services
- Accepting VPN (virtual private network) connections from remote clients
  - Running a secure private network over an insecure public network (internet).
  - All clients need is an internet connection and a valid IP address; they then establish a VPN session to the RAS server.
  - Session is secure and encrypted.

Network Policy and Access Services
- Added as a role in 2008 R2

Network Policy and Access Services
- Add supporting role features

Network Policy and Access Services
- After it is installed, you must enable Routing and Remote Access
- Read all options carefully based on need

Network Policy and Access Services
- Determine how the remote users will be assigned IP addresses for the internal network.

Network Policy and Access Services
- Configure the client connection by adding a new connection in Network and Sharing Center

Network Policy and Access Services
- Select the connection option and complete the wizard on the workstation

Things to consider
- How will it be utilized?
  - What will be running on your DUN or VPN?
  - File-based apps versus client-server apps
    - Microsoft Access versus Microsoft SQL Server
    - Access requests continuously query the drive after each record search.
    - SQL: a query is sent to the server from a client application, the query is run at the server, and the results are then transmitted back to the client.
- What connection will be required?
  - RRAS supports:
    - X.25: old "cloud" technology that typically tops out at 56-64k, although reliable
    - Frame Relay: same as X.25 but faster, single connection to cloud.
    - Modems
    - ISDN
    - Point to point…