Post on 01-Jan-2016
Module 8:Manage and
Configure Security
Module 8: Manage and Configure Security
• Best Practices for Securing the Microsoft® Windows® Small Business Server 2008 Environment
• Windows Server Update Services (WSUS)
• Microsoft Small Business Server Best Practices Analyzer 2008
• Creating and Managing Shared Folders on the Network
• Configuring Windows Firewall with Advanced Security
Lesson 1: Best Practices for Securing the Windows Small Business Server 2008 Environment
• Implementing the best technological defenses
• Active security management processes
• Features and technologies in Windows Server 2008
Windows Small Business Server was Designed as an Integrated Solution with Security in Mind
Active Directory®
Server
Mail Server
Web Services Server
FileServer
DatabaseServer
PrintServer
Catch-allServer
Small Business Server
Small- and Medium-sized Business (SMB) Security Check List
What other guidelines can you recommend?
Additional Technological Defenses
Why should an SMB consider these technological defenses?
Security for SMB
Active security management process
Windows Server® 2008 Security and Protection
User Account Control (UAC) Architecture
Explorer.exe
Explorer.exe
Standard user logon
Administrator in adminapproval mode
Standard user access token
Standard user access token
Full administratoraccess token
New Functionality in Encrypting FileSystem (EFS)
Windows BitLocker Drive Encryption
Internet Protocol Security (IPsec)
Smart Cards
SBS Setting to Harden Network Security
Lesson 2: Windows Server Update Service
• Manage Windows Server Update Services
Centralized vs. Decentralized Updates
MicrosoftUpdate
Windows®
ServerUpdate Services 3.0
• The bandwidth challenge
Windows Server Update Services 3.0
WSUS 3.0 Management Tasks WSUS 3.0 Management Tasks
Configure WSUS Updates in the SBS Console
Microsoft update
Default Client Schedule: Every day at 3.00 AM
Update Levels
Demonstration: Windows Server Update Services
• In this demonstration you will learn how to configure Windows Server Update Services in the SBS Console
Lesson 3: Windows Small Business Server 2008 Best Practices Analyzer
• Key features of the Windows Small Business Server 2008 Best Practices Analyzer 2008
What is the SBS Best Practices Analyzer? (BPA)
Demonstration: SBS 2008 Best Practices Analyzer
• In this demonstration you will learn how to configure a scan using the Windows Small Business Server 2008 Best Practices Analyzer
Lesson 4: Creating and Managing Shared Folders on the Network
• Configure a shared folder controlling user access permissions
• Configure blocking unwanted content in the shared folder
File Sharing Essentials
Configure Share Permissions
Configure NTFS Permissions
Add a New Shared Folder Task
Add a New Shared Folder Task
Server message block protocol
Add a New Shared Folder Task
What is File Server Resource Manager (FSRM)?
Add a New Shared Folder Task
Additional Considerations
Additional Considerations
Demonstration: Adding a Shared Folder
• In this demonstration you will learn how to add a shared folder using the Shared Folder Wizard
Lesson 5: Configuring Windows Firewall with Advanced Security
• Configure Windows Firewall with Advanced Security settings and rules for network security
Network Location-aware Host Firewall
WFAS Order of Rules Evaluation
Group policy 1
Group policy 2
Group policy 3
Ord
er
of
Evalu
ati
on
• Local rule merge is configurable via Group Policy• Default rules come from the highest precedence GPO
Why Should SMBs use IPsec to ProtectNetwork Traffic?
• Protects IT assets
• Computers and data
• Malware (viruses, Trojan horses, spyware)
• To comply with government regulations
• Finance (Sarbanes-Oxley)
• Health (HIPAA)
• Privacy regulations (state privacy regulations)
• Protects intellectual property
Connection Security and IPsec
IPSec Authentication Methods
IPsec Modes
IPsec Methods
Basic Firewall Policy Design
Default behavior
Domain Isolation Policy Design
Isolated domain
LOB Servercritical
client data
Boundary Zone
SBS
Distrustednon-domain members
Authenticated IPsec connectionsNon-IPSec connections
Trusted non-domain members
Domain Isolation
• Protects the Small Business Server domain from unmanaged, rogue, and guest PCs
• Provides ability to identify and control communications with critical client or server PCs
• Allows host to facilitate communication that is limited to domain members (managed computers)
• Requires IPsec authentication and protection for any communication with domain members (managed computers)
• Managed computers can initiate communication with managed and unmanaged computers
• Unmanaged computers cannot initiate communication with managed computers
Lab: Securing the Windows Small Business Server using Best Practices
• Exercise 1: Configure Distribution of Updates and Hotfixes Using Microsoft Windows Server Update Services
• Exercise 2: Create a Shared Folder
• Exercise 3: Design an Isolation Policy
• Exercise 4: Configure Windows Firewall Settings
Logon information
Virtual machineSBS 2008 Server
Vista Office
User name Gregory
Password Pa$$w0rd
Estimated time: 60 minutes
Lab Scenario
• You will configure patch management in the SBS 2008 Server to download at a schedule time and configure distribution options for domain joined clients
• You need to configure a new volume and provision shared folders, configure permission, and enable file screening for shared folders. You will then test access to the shared folders.
• A.Datum would like you to design a secure domain isolation policy that complies with government regulations
• You need to configure the Windows Firewall rules to request authentication for inbound network traffic, and test the isolation policy
Lab Review
• When configuring WSUS for SBS, where are the updates stored?
• Can individual client computers be excluded from receiving updates?
• What tool should be used to create a new shared folder?
• What files can be configured using the file screen policy?
• What authentication methods are available when configuring an IPsec policy?
Module Summary
• In this module, you have learned about:
• Security components that are installed by default in Microsoft Windows Small Business Server 2008, as well as security features available in Windows Server 2008 and available for download from TechNet (SBS 2008 BPA), which will allow the implementation of important security elements into the IT infrastructure.
• Group policies that define user and computer configurations for groups of users and computers, and enforce these settings on and off the network.
• Accessing and using these features to manage specific aspects of the overall security design.
• Managing the protection of the server using a host firewall and IPSec combination.
Module Review and Takeaways
• Review questions
• Common issues and troubleshooting tips
• Real-world issues and scenarios
• Best practices
• Tools