20411B-ENU-TrainerHandbook
.pdf
|
|
|
Administering Windows Server® 2012 |
|
MCT |
||
|
|
|
6-23 |
|
|
||
Module Review and Takeaways |
|
|
|
|
|||
|
Best Practices Related to Group Policy Management |
|
USE |
||||
|
• |
Include comments on GPO settings |
|
|
|||
|
|
|
|
|
|
||
|
• Use a central store for Administrative Templates when having clients with Windows Vista, Windows 7, |
||||||
|
|
and Windows 8 |
|
|
|
|
|
|
• Use Group Policy preferences to configure settings that are not available in the Group Policy set of |
.ONLY |
|||||
|
|
settings |
|
|
|||
|
• |
|
|
|
|||
|
Use Group Policy software installation to deploy packages in .msi format to a large number of users |
||||||
|
|
or computers |
|
|
|
|
|
|
Common Issues and Troubleshooting Tips |
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
Common Issue |
Troubleshooting Tip |
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
You have configured folder redirection for |
|
|
STUDENT |
||
|
|
an OU, but none of the user’s folders are |
|
|
|||
|
|
being redirected to the network location. |
|
|
|||
|
|
|
|
|
|
|
|
|
|
When you look in the root folder, you |
|
|
|
|
|
|
|
observe that a subdirectory named for |
|
|
|
|
|
|
|
each user has been created, but they are |
|
|
|
|
|
|
|
empty. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You have assigned an application to an |
|
|
|
|
|
|
|
OU. After multiple logons, users report that |
|
|
|
|
|
|
|
no one has installed the application. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You have a mixture of Windows XP and |
|
|
USE |
||
|
|
Windows 8 computers. After configuring |
|
|
|||
|
|
|
|
|
|
|
|
|
|
several settings in the Administrative |
|
|
|
|
|
|
|
Templates of a GPO, users with Windows |
|
|
|
|
|
|
|
XP operating system report that some |
|
|
|
|
|
|
|
settings are being applied and others are |
|
|
|
|
|
|
|
not. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Group Policy preferences are not being |
|
|
PROHIBITED |
||
|
|
|
|
|
|
|
|
|
|
applied. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
7-1 |
|
|
|
|
|
|
|
Module 7 |
|
MCT |
||
|
USE |
|||
Configuring and Troubleshooting Remote Access |
||||
Contents: |
|
|||
|
.ONLY |
|||
Module Overview |
7-1 |
|||
Lesson 1: Configuring Network Access |
7-2 |
|||
Lesson 2: Configuring VPN Access |
7-10 |
|||
Lesson 3: Overview of Network Policies |
7-19 |
|||
Lesson 4: Troubleshooting Routing and Remote Access |
7-25 |
|||
Lab A: Configuring Remote Access |
7-30 |
|||
|
|
|||
Lesson 5: Configuring DirectAccess |
7-34 |
|
|
|
Lab B: Configuring DirectAccess |
7-47 |
|
|
|
Module Review and Takeaways |
7-56 |
|
|
Module Overview
Most organizations have users that work remotely, perhaps from home or maybe from customer sites. |
|
||
To facilitate and support these remote connections, you must implement remote access technologies to |
|||
support this distributed workforce. You must become familiar with the technologies that enable remote |
STUDENT |
||
|
|||
users to connect to your organization’s network infrastructure. These technologies include virtual private |
|||
networks (VPNs), and DirectAccess, a feature of the Windows® 7 and Windows 8 operating systems. It is |
|
||
important that you understand how to configure and secure your remote access clients by using network |
|||
policies. This module explores these remote access technologies. |
USE |
||
Objectives |
|||
After completing this module, you will be able to: |
|||
PROHIBITED |
|||
• |
Configure network access. |
||
• Create and configure a VPN solution. |
|||
• Describe the role of network policies. |
|||
• Troubleshoot routing and remote access. |
|||
• |
Configure DirectAccess. |
||
|
|
7-4 Configuring and Troubleshooting Remote Access |
MCT |
|
|
|
|
|
|
|
• DirectAccess. DirectAccess enables seamless remote access to intranet resources without the user first |
|
|
establishing a VPN connection. DirectAccess ensures seamless connectivity to the application |
|
|
infrastructure for both internal users and remote users. |
|
|
•DirectAccess and VPN Remote Access Service (RAS). Using DirectAccess and VPN RAS, you can enableUSE and configure:
o DirectAccess solutions for your organization.
o VPN connections to provide end users with remote access to your organization’s network. ONLY
•Routing. This provides a full-featured software router and an open platform for routing and Internet working. It offers routing services to businesses in LAN and wide area network (WAN) environments.
When you choose routing, Network Address Translation (NAT) is also installed. When you deploy NAT, the server that is running Remote Access is configured to share an Internet connection with
computers on a private network, and to translate traffic between its public address and the private
network. By using NAT, the computers on the private network gain some measure of protection .
because the router on which you configure NAT does not forward traffic from the Internet into the
private network unless a private network client requests it or traffic is explicitly allowed. STUDENT
When you deploy VPN and NAT, you configure the server that is running Remote Access to provide NAT for the private network, and to accept VPN connections. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. However, VPN clients will be able to connect to computers on the private network as if they were physically attached to the same
network.NetworkThe
authorization is important in understanding why |
USE |
||
connection attempts are accepted or denied: |
|||
|
|||
• Authentication is the verification of the |
|
||
connection attempt’s credentials. This process |
|
||
consists of sending the credentials from the |
|
||
remote access client to the Remote Access |
PROHIBITED |
||
server in either plaintext or encrypted form |
|||
by using an authentication protocol. |
|||
|
|||
• Authorization is the verification that the |
|
||
connection attempt is allowed. Authorization |
|
|
|
|
|
||
occurs after successful authentication. |
|
||
For a connection attempt to be accepted, the connection attempt must be authenticated and authorized. |
|
||
It is possible for the connection attempt to be authenticated by using valid credentials, but not |
|
||
authorized; in this case, the connection attempt is denied. |
|
||
If you configure a Remote Access server for Windows Authentication, the security features of Windows |
|
||
Server 2012 verify the authentication credentials, while the user account’s dial-in properties and locally |
|
||
stored remote access policies authorize the connection. If the connection attempt is both authenticated |
|
||
and authorized, then the connection attempt is accepted. |
|
Administering Windows Server® 2012 7-5
If you configure the Remote Access server for RADIUS authentication, the connection attempt’s |
MCT |
|||
credentials are passed to the RADIUS server for authentication and authorization. If the connection |
||||
attempt is both authenticated and authorized, the RADIUS server sends an accept message back to the |
||||
USE |
||||
Remote Access server and the connection attempt is accepted. If the connection attempt is either not |
||||
authenticated or not authorized, the RADIUS server sends a reject message back to the Remote Access |
||||
server and the connection attempt is rejected. |
||||
|
|
|||
Authentication Methods |
|
.ONLY |
||
The authentication of access clients is an |
|
|
||
|
|
|||
important security concern. Authentication |
|
|
||
methods typically use an authentication |
|
|
||
protocol that is negotiated during the connection |
|
|
||
establishment process. The following methods |
|
|
||
are supported by the Remote Access role. |
|
|
||
|
|
|
||
PAP |
|
|
|
|
Password Authentication Protocol (PAP) uses |
|
|
|
|
plaintext passwords and is the least secure |
|
|
|
|
authentication protocol. It typically is negotiated if |
|
|
|
|
the remote access client and Remote Access server |
|
|
|
|
|
|
|
||
cannot negotiate a more secure form of |
|
|
||
validation. PAP is included in Microsoft Windows Server 2012 to support older client operating systems |
|
|
||
than support no other authentication method. |
|
|
CHAP
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication |
|
|
protocol that uses the industry-standard MD5 hashing scheme to encrypt the response. Various vendors |
||
|
STUDENT |
|
of network access servers and clients use CHAP. Because CHAP requires the use of a reversibly encrypted |
||
password, you should consider using another authentication protocol, such as Microsoft® Challenge |
USE |
|
Handshake Authentication Protocol (MS-CHAP) version 2. |
||
MS-CHAP V2 |
||
|
MS-CHAP v2 is a one-way, encrypted password, mutual-authentication process that works as follows:
1.The authenticator (the Remote Access server or the computer that is running NPS) sends a challenge
to the remote access client. The challenge consists of a session identifier and an arbitrary challenge PROHIBITED string.
2.The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.
3.The authenticator checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client’s encrypted response, and the user password.
4.The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
Administering Windows Server® 2012 7-7
• CRLs and Online Responders. |
|
||
o Certificate revocation lists (CRLs) are complete, digitally signed lists of certificates that have beenMCT |
|||
|
revoked. These lists are published periodically and can be retrieved and cached by clients, based |
||
|
on the configured lifetime of the CRL. The lists are used to verify a certificate’s revocation status. |
||
o Online Responders are part of the Online Certificate Status Protocol (OCSP) role service in |
|
||
|
Windows Server 2008 and Windows Server 2012. An Online Responder can receive a request to |
||
|
check for revocation of a certificate without requiring the client to download the entire CRL. This |
||
|
|
USE |
|
|
speeds up certificate revocation checking, and reduces the network bandwidth. It also increases |
||
|
scalability and fault tolerance by allowing for array configuration of Online Responders. |
|
|
• Public key–based applications and services. This relates to applications or services that support public |
|||
key encryption. In other words, the application or services must be able to support public key |
ONLY. |
||
implementations to gain the benefits from it. |
|||
• Certificate and CA management tools. Management tools provide command-line and GUI-based |
|||
tools to: |
|||
o |
Configure CAs. |
||
|
|||
o Recover archived private keys. |
|
||
o Import and export keys and certificates. |
|
||
o Publish CA certificates and CRLs. |
|
||
o |
Manage issued certificates. |
|
• Authority information access (AIA) and CRL distribution points (CDPs). AIA points determine the location where CA certificates can be found and validated, and CDP locations determine the points where certificate revocation lists can be found during certificate validation process. Because CRLs can become large, (depending on the number of certificates issued and revoked by a CA), you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since
the last regular CRL was published. This allows clients to retrieve the smaller delta CRLs and more |
STUDENT |
|
|
||
quickly build a complete list of revoked certificates. The use of delta CRLs also allows revocation data |
||
to be published more frequently, because the size of a delta CRL means that it usually does not |
USE |
|
require as much time to transfer as a full CRL. |
||
• Hardware security module (HSM). A hardware security module is an optional secure cryptographic |
||
hardware device that accelerates cryptographic processing for managing digital keys. It is a high |
||
security, specialized storage that is connected to the CA for managing the certificates. An HSM is |
||
|
||
typically attached to a computer physically. This is an optional add-on in your PKI, and is most widely |
||
|
PROHIBITED |
used in high security environments where there would be a significant impact if a key were compromised.