0505 Windows Server 2008 一日精華營 Part II

Slide 1: Module 3 Windows Server 2008 Branch Office Scenario

Slide 2: Clinic Outline Branch Office Server Deployment and Administration Branch Office Security Branch RODC Corp

Slide 3: Branch Office Server Deployment and Administration

Slide 4: Domain Name System (DNS) Server Role Background zone loading Read-only domain controller support Global Names zone DNS client changes Link-Local multicast name resolution (LLMNR) Domain controller location

Slide 5: AD Domain Services New AD MMC Snap-In Features Find Command New Options for Unattended Installs

Slide 6: Restartable AD Domain Services (AD DS) 3 Possible States: AD DS Started AD DS Stopped Active Directory Restore Mode

Slide 7: Demonstration: Branch Office Server Deployment and Administration AD DS Installation Wizard Stopping and restarting AD DS

Slide 8: AD Domain Services Auditing What changes have been made to AD DS auditing?

Slide 9: AD Domain Services Backup and Recovery What’s New? Considerations General Requirements

Slide 10: Improved Server Deployment (Windows Server Virtualization) 64-bit Next Generation technology Addresses the following challenges: Server Consolidation Development and Testing Business Continuity/Disaster Recovery Server Core as a host system

Slide 11: File Services Server Message Block (SMB) 2.0 DFS Names Spaces Replication SYSVOL

Slide 12: Next Generation TCP/IP Stack Receive Windows Auto- Changes in PTMU Black Tuning Hole Router Detection Compound TCP Routing Compartments Throughput Optimization ESTATS Support in High-Loss Environments Network Diagnostics Framework Support Neighbor Unreachability Detection New Packet Filtering Model with Windows Changes in Dead Filtering Platform Gateway Detection

Slide 13: Read-Only Domain Controller (RODC) New Functionality RODC AD Database Unidirectional Replication Credential Caching Password Replication Policy Administrator Role Separation Read-Only DNS Requirements/Special Considerations

Slide 14: Read-only DC, RODC 入侵者看到的資訊 管理員的處置方式

Slide 15: Implementation/Usage Scenarios Maintain physical security of servers at the branch office Maintain physical security of data at the branch office Provide secure IP-based communications with the branch office Control which computers can communicate on the branch office network

Slide 16: Recommendations Deploy a Read-Only Domain Controller at the branch office Implement a Password Replication Policy Implement administrator role separation Implement BitLocker Drive Encryption; do not require a PIN or USB device if no local admin Implement Network Access Protection Use IPSec for network communications

Slide 17: Module 4 Security and Policy Enforcement in Windows Server 2008

Slide 18: Overview Methods of Security and Policy Enforcement Network Location Awareness Network Access Protection Windows Firewall with Advanced Security (WFAS) Internet Protocol Security (IPSec) Windows Server Hardening Server and Domain Isolation Active Directory Domain Services Auditing Read-Only Domain Controller (RODC) BitLocker Drive Encryption Removable Device Installation Control Enterprise PKI

Slide 19: Technical Background Windows Firewall with Advanced Security Internet Security Protocol (IPSec) Active Directory Domain Services Auditing Read-Only Domain Controller (RODC) BitLocker Drive Encryption Enterprise PKI

Slide 20: Windows Firewall with Advanced Security

Slide 21: Demonstration: Windows Firewall with Advanced Security • Creating Inbound and Outbound Rules • Creating a Firewall Rule Limiting a Service

Slide 22: IPSec Integrated with WFAS IPSec Improvements Simplified IPSec Policy Configuration Client-to-DC IPSec Protection Improved Load Balancing and Clustering Server Support Improved IPSec Authentication Integration with NAP Multiple Authentication Methods New Cryptographic Support Integrated IPv4 and IPv6 Support Extended Events and Performance Monitor Counters Network Diagnostics Framework Support

Slide 23: BitLocker Drive Encryption (BDE) Data Protection Drive Encryption Integrity Checking BDE Hardware and Software Requirements

Slide 24: Implementation/Usage Scenarios Enforce Security Policy Improve Domain Security Improve System Security Improve Network Communications Security

Slide 25: Recommendations Carefully test and plan all security policies Implement Network Access Protection Use Windows Firewall and Advanced Security to implement IPSec Deploy Read-Only Domain Controllers, where appropriate Implement BitLocker Drive Encryption Take advantage of PKI improvements

Slide 26: Network Access Protection in Windows Server 2008

Slide 27: Overview Network Access Protection Net work Access Protection Network Access Quarantine Control Internal, VPN and Remote Access Only VPN and Remote Access Client Clients IPSec, 802.1X, DHCP and VPN DHCP and VPN NAP NPS and Client included in Installed from Windows Server 2003 Windows Server 2008 ; NAP client Resource Kit included in Vista

Slide 28: NAP Infrastructure Automatic Remediation Health Policy Validation Health Policy Compliance Limited Access

Slide 29: NAP Enforcement Client IPSec 802.1X VPN DHCP NPS RADIUS

Slide 30: Demonstration: Network Access Protection • Create a NAP Policy • Using the MMC to Create NAP Configuration settings • Create a new RADIUS Client • Create a new System Health Validator for Windows Vista and Windows XP SP2

Slide 31: Implementation/Usage Scenarios Checking the Health and Status of Roaming Laptops Ensuring the Health of Corporate Desktops Determining the Health of Visiting Laptops Verify the Compliance of Home Computers

Slide 32: Recommendations When using IPSec – employ ESP with encryption Carefully test and verify all IPSec Policies Consider Using Domain Isolation Use Quality of Service to improve bandwidth Plan to Prioritize traffic on the network Apply Network Access Protection to secure client computers