Module 8:Manage and

Configure Security

Module 8: Manage and Configure Security

• Best Practices for Securing the Microsoft® Windows® Small Business Server 2008 Environment

• Windows Server Update Services (WSUS)

• Microsoft Small Business Server Best Practices Analyzer 2008

• Creating and Managing Shared Folders on the Network

• Configuring Windows Firewall with Advanced Security

Lesson 1: Best Practices for Securing the Windows Small Business Server 2008 Environment

• Implementing the best technological defenses

• Active security management processes

• Features and technologies in Windows Server 2008

Windows Small Business Server was Designed as an Integrated Solution with Security in Mind

Active Directory®

Server

Mail Server

Web Services Server

FileServer

DatabaseServer

PrintServer

Catch-allServer

Small Business Server

Small- and Medium-sized Business (SMB) Security Check List

What other guidelines can you recommend?

Additional Technological Defenses

Why should an SMB consider these technological defenses?

Security for SMB

Active security management process

Windows Server® 2008 Security and Protection

User Account Control (UAC) Architecture

Explorer.exe

Explorer.exe

Standard user logon

Administrator in adminapproval mode

Standard user access token

Standard user access token

Full administratoraccess token

New Functionality in Encrypting FileSystem (EFS)

Windows BitLocker Drive Encryption

Internet Protocol Security (IPsec)

Smart Cards

SBS Setting to Harden Network Security

Lesson 2: Windows Server Update Service

• Manage Windows Server Update Services

Centralized vs. Decentralized Updates

MicrosoftUpdate

Windows®

ServerUpdate Services 3.0

• The bandwidth challenge

Windows Server Update Services 3.0

WSUS 3.0 Management Tasks WSUS 3.0 Management Tasks

Configure WSUS Updates in the SBS Console

Microsoft update

Default Client Schedule: Every day at 3.00 AM

Update Levels

Demonstration: Windows Server Update Services

• In this demonstration you will learn how to configure Windows Server Update Services in the SBS Console

Lesson 3: Windows Small Business Server 2008 Best Practices Analyzer

• Key features of the Windows Small Business Server 2008 Best Practices Analyzer 2008

What is the SBS Best Practices Analyzer? (BPA)

Demonstration: SBS 2008 Best Practices Analyzer

• In this demonstration you will learn how to configure a scan using the Windows Small Business Server 2008 Best Practices Analyzer

Lesson 4: Creating and Managing Shared Folders on the Network

• Configure a shared folder controlling user access permissions

• Configure blocking unwanted content in the shared folder  

File Sharing Essentials

Configure Share Permissions

Configure NTFS Permissions

Add a New Shared Folder Task

Add a New Shared Folder Task

Server message block protocol

Add a New Shared Folder Task

What is File Server Resource Manager (FSRM)?

Add a New Shared Folder Task

Additional Considerations

Additional Considerations

Demonstration: Adding a Shared Folder

• In this demonstration you will learn how to add a shared folder using the Shared Folder Wizard

Lesson 5: Configuring Windows Firewall with Advanced Security

• Configure Windows Firewall with Advanced Security settings and rules for network security

Network Location-aware Host Firewall

WFAS Order of Rules Evaluation

Group policy 1

Group policy 2

Group policy 3

Ord

er

of

Evalu

ati

on

• Local rule merge is configurable via Group Policy• Default rules come from the highest precedence GPO

Why Should SMBs use IPsec to ProtectNetwork Traffic?

• Protects IT assets

• Computers and data

• Malware (viruses, Trojan horses, spyware)

• To comply with government regulations

• Finance (Sarbanes-Oxley)

• Health (HIPAA)

• Privacy regulations (state privacy regulations)

• Protects intellectual property

Connection Security and IPsec

IPSec Authentication Methods

IPsec Modes

IPsec Methods

Basic Firewall Policy Design

Default behavior

Domain Isolation Policy Design

Isolated domain

LOB Servercritical

client data

Boundary Zone

SBS

Distrustednon-domain members

Authenticated IPsec connectionsNon-IPSec connections

Trusted non-domain members

Domain Isolation

• Protects the Small Business Server domain from unmanaged, rogue, and guest PCs

• Provides ability to identify and control communications with critical client or server PCs

• Allows host to facilitate communication that is limited to domain members (managed computers)

• Requires IPsec authentication and protection for any communication with domain members (managed computers)

• Managed computers can initiate communication with managed and unmanaged computers

• Unmanaged computers cannot initiate communication with managed computers

Lab: Securing the Windows Small Business Server using Best Practices

• Exercise 1: Configure Distribution of Updates and Hotfixes Using Microsoft Windows Server Update Services

• Exercise 2: Create a Shared Folder

• Exercise 3: Design an Isolation Policy

• Exercise 4: Configure Windows Firewall Settings

Logon information

Virtual machineSBS 2008 Server

Vista Office

User name Gregory

Password Pa$$w0rd

Estimated time: 60 minutes

Lab Scenario

• You will configure patch management in the SBS 2008 Server to download at a schedule time and configure distribution options for domain joined clients

• You need to configure a new volume and provision shared folders, configure permission, and enable file screening for shared folders. You will then test access to the shared folders.

• A.Datum would like you to design a secure domain isolation policy that complies with government regulations

• You need to configure the Windows Firewall rules to request authentication for inbound network traffic, and test the isolation policy

Lab Review

• When configuring WSUS for SBS, where are the updates stored?

• Can individual client computers be excluded from receiving updates?

• What tool should be used to create a new shared folder?

• What files can be configured using the file screen policy?

• What authentication methods are available when configuring an IPsec policy?

Module Summary

• In this module, you have learned about:

• Security components that are installed by default in Microsoft Windows Small Business Server 2008, as well as security features available in Windows Server 2008 and available for download from TechNet (SBS 2008 BPA), which will allow the implementation of important security elements into the IT infrastructure.

• Group policies that define user and computer configurations for groups of users and computers, and enforce these settings on and off the network.

• Accessing and using these features to manage specific aspects of the overall security design.

• Managing the protection of the server using a host firewall and IPSec combination.

Module Review and Takeaways

• Review questions

• Common issues and troubleshooting tips

• Real-world issues and scenarios

• Best practices

• Tools