0505 Windows Server 2008 One-Day Highlights Camp, Part II

1. Module 3: Windows Server 2008 Branch Office Scenario

2. Clinic Outline
   • Branch Office Server Deployment and Administration
   • Branch Office Security
   (diagram labels: Branch, Corp, RODC)

3. Branch Office Server Deployment and Administration

4. Domain Name System (DNS) Server Role
   • Background zone loading
   • Read-only domain controller support
   • GlobalNames zone
   • DNS client changes
     ◦ Link-Local Multicast Name Resolution (LLMNR)
     ◦ Domain controller location

5. AD Domain Services
   • New AD MMC snap-in features
     ◦ Find command
   • New options for unattended installs

6. Restartable AD Domain Services (AD DS)
   • 3 possible states:
     ◦ AD DS Started
     ◦ AD DS Stopped
     ◦ Active Directory Restore Mode

7. Demonstration: Branch Office Server Deployment and Administration
   • AD DS Installation Wizard
   • Stopping and restarting AD DS
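The "Stopping and restarting AD DS" demonstration above, as an added example that is not part of the slide deck: the command-line equivalent on a Windows Server 2008 domain controller, using the built-in net and sc tools. The comments describe the documented behaviour of Restartable AD DS; the maintenance step in the middle is a placeholder for whatever offline work the restart is being done for.

```powershell
# Added example, not from the slides: stop and restart AD DS from the command
# line (Restartable AD DS, Windows Server 2008). Run in an elevated prompt on
# the domain controller itself; "ntds" is the service name of AD DS.

# 1. Stop AD DS. The services that depend on it (DNS Server, Kerberos Key
#    Distribution Center, DFS Replication or File Replication Service,
#    Intersite Messaging) are stopped with it; /y answers the confirmation
#    prompt. While stopped, this DC services no domain logons, so another
#    DC must be reachable for the domain.
net stop ntds /y

# 2. Confirm the state before touching the database: STATE should be STOPPED.
sc query ntds

# 3. Offline maintenance goes here (placeholder). Typical tasks that used to
#    require a reboot into Directory Services Restore Mode: an offline
#    defragmentation of ntds.dit with ntdsutil, or an update that needs
#    AD DS to be stopped.

# 4. Start AD DS again and verify that it and the dependent services are
#    back; any service still reported as STOPPED has to be started explicitly.
net start ntds
sc query ntds
sc query dns
sc query kdc
```

The third state on slide 6 is still needed for restores: an authoritative or non-authoritative restore of the directory database is not done from the stopped state but from Directory Services Restore Mode after a reboot.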
8. AD Domain Services Auditing
   • What changes have been made to AD DS auditing?
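The question on this slide refers to the Windows Server 2008 change that splits the single Directory Service Access audit policy into four subcategories, the new one being Directory Service Changes, which records the old and the new value of a changed attribute. The following is an added example, not from the slides, that enables that subcategory and reads back the resulting Security-log events.

```powershell
# Added example, not from the slides. Windows Server 2008 splits the old
# "Audit directory service access" policy into four subcategories; the new
# Directory Service Changes subcategory records the previous and the new
# value of a changed attribute, which Windows Server 2003 did not.

# 1. Show the current settings of the whole DS Access category.
auditpol /get /category:"DS Access"

# 2. Enable success auditing for changes only. Object reads stay unaudited,
#    which keeps the Security log on a busy DC at a manageable size.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 3. Events are only generated for objects whose SACL asks for them. The SACL
#    is set on the OU or domain object in Active Directory Users and
#    Computers: Properties > Security > Advanced > Auditing, for example
#    "Everyone" with "Write all properties" (Success).

# 4. Read back the change events: 5136 = attribute modified, 5137 = object
#    created, 5138 = object undeleted, 5139 = object moved. The XPath filter
#    returns the five most recent modifications, newest first, as text.
wevtutil qe Security /q:"*[System[EventID=5136]]" /c:5 /rd:true /f:text
```

For detection purposes the useful part of event 5136 is the pair of entries written for one change, one carrying the deleted (old) value and one the added (new) value, so a modification to a sensitive attribute such as group membership or a user's userAccountControl can be reconstructed exactly from the log.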
9. AD Domain Services Backup and Recovery
   • Considerations
   • What's new?
   • General requirements

10. Improved Server Deployment (Windows Server Virtualization)
   • Addresses the following challenges:
     ◦ Server consolidation
     ◦ Development and testing
     ◦ Business continuity / disaster recovery
   • 64-bit next-generation technology
   • Server Core as a host system

11. File Services
   • DFS
     ◦ Namespaces
     ◦ Replication
       ▪ SYSVOL
   • Server Message Block (SMB) 2.0

12. Next Generation TCP/IP Stack
   • Receive Window Auto-Tuning
   • Compound TCP
   • Throughput optimization in high-loss environments
   • Neighbor Unreachability Detection
   • Changes in Dead Gateway Detection
   • Changes in PMTU black hole router detection
   • Routing compartments
   • ESTATS support
   • Network Diagnostics Framework support
   • New packet filtering model with the Windows Filtering Platform

13. Read-Only Domain Controller (RODC)
   • New functionality
     ◦ AD database
     ◦ Unidirectional replication
     ◦ Credential caching
     ◦ Password Replication Policy
     ◦ Administrator role separation
     ◦ Read-only DNS
   • Requirements / special considerations
   (diagram label: RODC)

14. Read-only DC (RODC): how the RODC administrator responds, and what an intruder can see

15. Implementation/Usage Scenarios
   • Maintain physical security of data at the branch office
   • Maintain physical security of servers at the branch office
   • Provide secure IP-based communications with the branch office
   • Control which computers can communicate on the branch office network

16. Recommendations
   • Implement a Password Replication Policy
   • Deploy a Read-Only Domain Controller at the branch office
   • Implement administrator role separation
   • Implement BitLocker Drive Encryption; do not require a PIN or USB device if there is no local admin
   • Implement Network Access Protection
   • Use IPSec for network communications
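The first four recommendations on this slide, as an added example that is not from the slides: checking and populating a Password Replication Policy with repadmin, delegating local administration of the RODC with dsmgmt, and turning on BitLocker on the RODC's system volume. BRANCH-RODC01, CORP\Branch-Users and CORP\BranchAdmin are constructed names; the dsmgmt line uses the tool's command-argument form and assumes the same commands as its interactive prompt.

```powershell
# Added example, not from the slides. BRANCH-RODC01, CORP\Branch-Users and
# CORP\BranchAdmin are constructed placeholder names. Elevated prompt on a
# writable DC or an admin workstation with the AD DS tools installed.

# --- Password Replication Policy (PRP) ---
# Which accounts this RODC may cache (by default the members of "Allowed RODC
# Password Replication Group") and which it must never cache (by default the
# "Denied" group: Domain Admins, Enterprise Admins, krbtgt and other
# privileged principals). Deny wins over allow.
repadmin /prp view BRANCH-RODC01 allow
repadmin /prp view BRANCH-RODC01 deny

# Add branch users through a group rather than one account at a time, so a
# new branch user becomes cacheable by group membership alone.
repadmin /prp add BRANCH-RODC01 allow "CORP\Branch-Users"

# What has actually been revealed to this RODC so far. This is the list of
# accounts whose passwords must be reset if the RODC is stolen; deleting the
# RODC computer object in ADUC offers to reset exactly these accounts.
repadmin /prp view BRANCH-RODC01 reveal

# --- Administrator role separation ---
# Make a branch technician a local administrator of the RODC only, without
# any membership in Domain Admins. Run on the RODC itself.
dsmgmt "local roles" "add CORP\BranchAdmin administrators" "list roles" quit quit

# --- BitLocker on the system volume ---
# Windows Server 2008 ships BitLocker management as the manage-bde.wsf script
# (the manage-bde.exe program arrived with 2008 R2). A recovery password
# only, no PIN and no USB key, as the slide recommends for a server with no
# one on site to enter a PIN at every reboot; the TPM still validates the
# boot path before releasing the key.
cscript manage-bde.wsf -on C: -RecoveryPassword
cscript manage-bde.wsf -status C:
```

The "reveal" list is the operational reason to keep the allow list small: the blast radius of a stolen branch server is exactly the set of accounts that had been cached on it, and every account outside that list keeps its password.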
17. Module 4: Security and Policy Enforcement in Windows Server 2008

18. Overview
   • Methods of security and policy enforcement
     ◦ Network Location Awareness
     ◦ Network Access Protection
   • Windows Firewall with Advanced Security (WFAS)
   • Internet Protocol Security (IPSec)
   • Windows Server hardening
   • Server and domain isolation
   • Active Directory Domain Services auditing
   • Read-Only Domain Controller (RODC)
   • BitLocker Drive Encryption
   • Removable device installation control
   • Enterprise PKI

19. Technical Background
   • Windows Firewall with Advanced Security
   • Internet Protocol Security (IPSec)
   • Active Directory Domain Services auditing
   • Read-Only Domain Controller (RODC)
   • Enterprise PKI
   • BitLocker Drive Encryption

20. Windows Firewall with Advanced Security

21. Demonstration: Windows Firewall with Advanced Security
   • Creating inbound and outbound rules
   • Creating a firewall rule limiting a service
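The two demonstration items above, as an added example that is not from the slides: the same rules built from the command line with netsh advfirewall, the scriptable interface to Windows Firewall with Advanced Security on Windows Server 2008. The rule names, the 10.20.0.0/24 branch subnet and the choice of services are constructed for the example.

```powershell
# Added example, not from the slides. Elevated prompt on Windows Server 2008.
# The 10.20.0.0/24 subnet and all rule names are constructed values.

# Export the current policy first so the demonstration can be rolled back
# (Import via: netsh advfirewall import "C:\wfas-before-demo.wfw").
netsh advfirewall export "C:\wfas-before-demo.wfw"

# Inbound rule: RDP only from the branch subnet, and only while the machine
# is on the Domain profile.
netsh advfirewall firewall add rule name="Branch RDP in" dir=in action=allow protocol=TCP localport=3389 remoteip=10.20.0.0/24 profile=domain

# Outbound rule: this server never originates SMTP. Blocking it is a cheap
# tripwire against anything on the server that tries to mail out directly.
netsh advfirewall firewall add rule name="Block outbound SMTP" dir=out action=block protocol=TCP remoteport=25

# Rule limited to a service: allow DNS queries in, but only for the DNS
# Server service (service short name "dns"). Another process that happens to
# bind UDP 53 is not reachable through this rule.
netsh advfirewall firewall add rule name="DNS Server service only" dir=in action=allow protocol=UDP localport=53 service=dns

# The default behaviour the explicit rules sit on top of: drop unsolicited
# inbound, allow outbound (this is also the out-of-box setting).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Verify what was created, then check which profile is active right now,
# since a rule bound to the Domain profile does nothing on the Public one.
netsh advfirewall firewall show rule name="DNS Server service only" verbose
netsh advfirewall show currentprofile
```

The service-scoped rule is the one that distinguishes WFAS from the Windows Server 2003 firewall: the match is on the identity of the process, not only on the port, so a port that a service legitimately needs open is not a general-purpose hole.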
22. IPSec
   • Integrated with WFAS
   • IPSec improvements
     ◦ Simplified IPSec policy configuration
     ◦ Client-to-DC IPSec protection
     ◦ Improved load balancing and clustering server support
     ◦ Improved IPSec authentication
     ◦ Integration with NAP
     ◦ Multiple authentication methods
     ◦ New cryptographic support
     ◦ Integrated IPv4 and IPv6 support
     ◦ Extended events and Performance Monitor counters
     ◦ Network Diagnostics Framework support

23. BitLocker Drive Encryption (BDE)
   • Data protection
     ◦ Drive encryption
     ◦ Integrity checking
   • BDE hardware and software requirements

24. Implementation/Usage Scenarios
   • Enforce security policy
   • Improve domain security
   • Improve system security
   • Improve network communications security

25. Recommendations
   • Implement Network Access Protection
   • Use Windows Firewall with Advanced Security to implement IPSec
   • Deploy Read-Only Domain Controllers, where appropriate
   • Implement BitLocker Drive Encryption
   • Carefully test and plan all security policies
   • Take advantage of PKI improvements

26. Network Access Protection in Windows Server 2008

27. Overview
   • Network Access Protection

   Comparison table on the slide (row labels added; the cell text is the slide's own):

                         Network Access Protection (NAP)               Network Access Quarantine Control
   Clients covered       Internal, VPN and remote access clients       Only VPN and remote access clients
   Enforcement methods   IPSec, 802.1X, DHCP and VPN                   DHCP and VPN
   Availability          NAP NPS and client included in Windows        Installed from the Windows Server 2003
                         Server 2008; NAP client included in Vista     Resource Kit

28. NAP Infrastructure
   • Health policy validation
   • Health policy compliance
   • Automatic remediation
   • Limited access

29. NAP Enforcement Client
   • 802.1X
   • VPN
   • IPSec
   • DHCP
   • NPS RADIUS

30. Demonstration: Network Access Protection
   • Create a NAP policy
   • Use the MMC to create NAP configuration settings
   • Create a new RADIUS client
   • Create a new System Health Validator for Windows Vista and Windows XP SP2

31. Implementation/Usage Scenarios
   • Ensuring the health of corporate desktops
   • Checking the health and status of roaming laptops
   • Determining the health of visiting laptops
   • Verifying the compliance of home computers

32. Recommendations
   • Carefully test and verify all IPSec policies
   • Use Quality of Service to improve bandwidth
   • When using IPSec, employ ESP with encryption
   • Plan to prioritize traffic on the network
   • Apply Network Access Protection to secure client computers
   • Consider using domain isolation