20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012 9-23
Lab: Implementing NAP

Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center in London support head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

To help increase security and compliance requirements, A. Datum is required to extend their VPN solution to include NAP. You need to establish a way to verify and, if required, automatically bring client computers into compliance whenever they connect remotely by using the VPN connection. You will accomplish this goal by using NPS to create system health-validation settings, network and health policies, and configuring NAP to verify and remediate client health.

Objectives

After completing this lab, you will be able to:

• Configure NAP components.
• Configure VPN access.
• Configure the client settings to support NAP.

Lab Setup

Estimated Time: 60 minutes

Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-CL2 and 20411B-LON-RTR.
9-24 Implementing Network Access Protection
Exercise 1: Configuring NAP Components

Scenario

As the first step in implementing compliance and security, you should configure NAP components, such as certificate requirements, health and network policies, and connection-request policies.

The main tasks for this exercise are as follows:

1. Configure server and client certificate requirements.
2. Configure health policies.
3. Configure network policies.
4. Configure connection request policies for VPN.

Task 1: Configure server and client certificate requirements

1. Switch to the LON-DC1 virtual server.
2. Open the Certification Authority tool.
3. In the Certificate Templates Console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5. Restart the Certification Authority.
6. Close the Certification Authority tool.

Task 2: Configure health policies

1. Switch to the LON-RTR computer.
2. Create a management console by running mmc.exe.
3. Add the Certificates snap-in with the focus on the local computer account.
4. Navigate to the Personal certificate store and Request New Certificate.
5. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.
6. Enroll the Computer certificate that is listed.
7. Close the console, and do not save the console settings.
8. Using Server Manager, install the NPS Server with the following role services:
   o Network Policy Server
9. Open the Network Policy Server console.
10. Under Network Access Protection, open the Default Configuration for the Windows Security Health Validator.
11. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
12. Create a health policy with the following settings:
    o Name: Compliant
    o Client SHV checks: Client passes all SHV checks
    o SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
    o Name: Noncompliant
    o Client SHV checks: Client fails one or more SHV checks
    o SHVs used in this health policy: Windows Security Health Validator
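The following script is an added example and is not part of the 20411B handbook or its lab files. It performs the server-side part of Task 2 (steps 2 through 9) on LON-RTR from PowerShell and adds the check a practitioner wants before building PEAP policies: that the enrolled certificate actually carries the Server Authentication EKU, has a private key, and chains to a trusted root, since VPN clients that validate the server certificate reject the tunnel otherwise. It assumes the template the lab calls "Computer" still has its default internal name "Machine" and that LON-RTR can reach the enterprise CA on LON-DC1; the SHV and health policy settings of steps 10 through 13 are still made in the NPS console.

```powershell
# Added example (not part of the 20411B handbook): scripted equivalent of
# Task 2 steps 2-9 on LON-RTR, run in an elevated PowerShell session on
# Windows Server 2012 as Adatum\Administrator. Assumptions: the template the
# lab calls "Computer" has its default internal name "Machine", and LON-RTR
# can reach the enterprise CA on LON-DC1.

Import-Module PKI, ServerManager

# 1. Enroll a Computer certificate from the Active Directory enrollment policy
#    into the local machine's Personal store (steps 2-6 of the task).
$enroll = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($enroll.Status)"
}
$cert = $enroll.Certificate

# 2. PEAP only works if the NPS certificate carries the Server Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.1), has a private key, and chains to a root the
#    VPN clients trust; clients that validate the server certificate (Exercise 3)
#    reject the tunnel otherwise. Check all three before building the policies.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
if (-not $hasServerAuth)      { throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
if (-not $cert.Verify())      { throw "Certificate $($cert.Thumbprint) does not chain to a trusted root" }
Write-Host "PEAP server certificate OK: $($cert.Subject) ($($cert.Thumbprint))"

# 3. Install the Network Policy Server role service with its console (step 8).
$result = Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools
if (-not $result.Success) { throw 'NPS installation failed' }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before NPS is usable' }

# 4. Confirm the NPS service (service name IAS) is running before opening the
#    console for steps 9-13; the SHV and health policies are then set there.
Get-Service -Name IAS
```

Run it once per NPS server after Task 1 has granted Authenticated Users the Enroll permission; if the EKU check fails, the CA issued from a different template than the one the lab expects, and the PEAP policy in Task 4 would fail at the client's server-certificate validation step rather than here.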
Task 3: Configure network policies

1. Disable all existing network policies.
2. Configure a new network policy with the following settings:
   o Name: Compliant-Full-Access
   o Conditions: Health Policies, Compliant
   o Access permissions: Access granted
   o Settings: NAP Enforcement, Allow full network access
3. Configure a new network policy with the following settings:
   o Name: Noncompliant-Restricted
   o Conditions: Health Policies, Noncompliant
   o Access permissions: Access granted
   o Settings: NAP Enforcement, Allow limited access is selected and Enable auto-remediation of client computers is not selected.
   o IP Filters: IPv4 input filter
     Destination network: 172.16.0.10/255.255.255.255
     IPv4 output filter:
     Source network: 172.16.0.10/255.255.255.255
Task 4: Configure connection request policies for VPN

1. Disable existing connection request policies.
2. Create a new Connection Request Policy with the following settings:
   o Policy name: VPN connections
   o Type of network access server: Remote Access Server (VPN-Dial up)
   o Conditions, Tunnel type: L2TP, SSTP, and PPTP
   o Authenticate requests on this server: Enabled
   o On the Specify Authentication Methods page, perform the following:
     a. Select Override network policy authentication settings.
     b. Add Microsoft: Protected EAP (PEAP).
     c. Add Microsoft: Secured password (EAP-MSCHAP v2).
     d. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
Exercise 3: Configuring the Client Settings to Support NAP

Scenario

In this exercise, you will enable a client VPN to connect to the Adatum network. You then will enable and configure the required client-side NAP components.

The main tasks for this exercise are as follows:

1. Enable a client NAP enforcement method.
2. Establish a VPN connection.

Task 1: Enable a client NAP enforcement method

1. Switch to the LON-CL2 computer.
2. Run the NAP Client Configuration tool (napclcfg.msc).
3. Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.
4. Close the NAP Client Configuration tool.
5. Run services.msc, and then configure the Network Access Protection Agent service for automatic startup.
6. Start the service.
7. Close the services console.
8. Open the Local Group Policy Editor (gpedit.msc), and then enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.
9. Close the Local Group Policy Editor.

Task 2: Establish a VPN connection

1. On LON-CL2, create a new VPN connection with the following properties:
   o Internet address to connect to: 10.10.0.1
   o Destination name: Adatum VPN
   o Allow other people to use this connection: Enable
2. After you have created the VPN, modify its settings by viewing the properties of the connection, and then selecting the Security tab. Use the following settings to reconfigure the VPN:
   o Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled)
   o Properties of this authentication type:
     Validate server certificate: Enable
     Connect to these servers: Disable
     Authentication method: Secured password (EAP-MSCHAP v2)
     Enable Fast Reconnect: Disable
     Enforce Network Access Protection: Enable
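The following script is an added example, not part of the 20411B handbook, and shows how the client-side work of Exercise 3 (the NAP Agent service, the EAP enforcement client, the Security Center policy and the VPN connection) is done from PowerShell and netsh on LON-CL2 instead of through the consoles, finishing with the netsh nap commands the module's Tools table refers to for displaying the NAP client configuration and state. It assumes the EAP Quarantine Enforcement Client has enforcement-client ID 79623 (confirm it in the output of netsh nap client show config) and that the Turn on Security Center (Domain PCs only) policy is backed by the registry value SecurityCenterInDomain under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Security Center; the function name New-AdatumVpn is this example's own. The PEAP properties of step 2 are still set on the connection's Security tab unless an EAP configuration XML exported from a reference connection is passed in.

```powershell
# Added example (not part of the 20411B handbook): scripted equivalent of
# Exercise 3 on LON-CL2, run in an elevated PowerShell session on Windows 8.
# Assumptions: the EAP Quarantine Enforcement Client has enforcement-client
# ID 79623 (confirm with "netsh nap client show config"), and the Security
# Center policy is backed by the registry value SecurityCenterInDomain under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Security Center.

# --- Task 1: enable the client NAP enforcement method ------------------------

# The NAP Agent service (napagent) must run before any enforcement client
# can report health to NPS (steps 5-6).
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# NAP client settings delivered by Group Policy override local ones, in which
# case the netsh change below is silently ignored; review this output first.
netsh nap client show grouppolicy

# Enable the EAP Quarantine Enforcement Client (step 3; ID assumed, see above).
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"
if ($LASTEXITCODE -ne 0) { throw 'netsh could not enable the EAP enforcement client' }

# Turn on Security Center (Domain PCs only) so the Windows Security Health
# Validator can read firewall state on a domain-joined client (step 8).
# Registry-backed equivalent of the gpedit.msc setting (value name assumed).
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
New-Item -Path $scKey -Force | Out-Null
Set-ItemProperty -Path $scKey -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# --- Task 2: create the VPN connection ---------------------------------------

# Creates the all-user connection with the lab's address and name. Pass an
# EAP configuration XML (for example, exported from a reference connection
# with (Get-VpnConnection -Name 'Adatum VPN' -AllUserConnection).EapConfigXmlStream)
# to apply the PEAP settings of step 2; otherwise set them on the Security tab.
function New-AdatumVpn {
    param([xml]$EapConfigXml)
    $params = @{
        Name                 = 'Adatum VPN'
        ServerAddress        = '10.10.0.1'
        TunnelType           = 'Automatic'
        EncryptionLevel      = 'Required'
        AuthenticationMethod = 'Eap'
        AllUserConnection    = $true
        PassThru             = $true
    }
    if ($EapConfigXml) { $params['EapConfigXmlStream'] = $EapConfigXml }
    Add-VpnConnection @params
}
New-AdatumVpn

# --- Verify the NAP client ---------------------------------------------------
# "show config" lists every enforcement client with its ID and Admin status;
# "show state" shows which clients are active and the current restriction
# state, which is what to check after the VPN connects.
netsh nap client show config
netsh nap client show state
Get-Service -Name napagent
```

After connecting the VPN, a client that fails the firewall check should show a restricted state in netsh nap client show state and, with the Noncompliant-Restricted policy from Exercise 1, reach only the 172.16.0.10 host allowed by the IP filters.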
Module Review and Takeaways

Review Questions

Question: What are the three main client configurations that you need to configure for most NAP deployments?

Question: You want to evaluate the overall health and security of the NAP enforced network. What do you need to do to start recording NAP events?

Question: On a client computer, what steps must you perform to ensure that its health is assessed?

Tools

| Tool | Use For | Where to find it |
|---|---|---|
| Services | Enable and configure the NAP service on client computers. | Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services. |
| Netsh nap | Using netsh, you can create scripts to configure a set of NAP settings automatically, and display the configuration and status of the NAP client service. | Open a command window with administrative rights, and then type netsh –c nap. You can type help to get a full list of available commands. |
| Group Policy | Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled. | Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration/Administrative Templates/Windows Components/Security Center section of Group Policy. |
Module 10
Optimizing File Services

Contents:

Module Overview 10-1
Lesson 1: Overview of FSRM 10-2
Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage Reports 10-7
Lesson 3: Implementing Classification and File Management Tasks 10-16
Lab A: Configuring Quotas and File Screening Using FSRM 10-22
Lesson 4: Overview of DFS 10-26
Lesson 5: Configuring DFS Namespaces 10-33
Lesson 6: Configuring and Troubleshooting DFS-R 10-37
Lab B: Implementing DFS 10-41
Module Review and Takeaways 10-45
Module Overview

The files on your servers are constantly changing with content being added, removed, and modified. The Windows Server® 2012 File and Storage Services server role is designed to help administrators in an enterprise environment manage the continually growing and changing amount of data. When storage requirements change and the data being stored changes as well, you need to manage an increasingly larger and complex storage infrastructure. Therefore, to meet the needs of your organization, you need to understand and control how the existing storage resources are used.

Objectives

After completing this module, you will be able to:

• Describe FSRM.
• Use FSRM to manage quotas, file screens, and storage reports.
• Implement classification and file management tasks.
• Describe DFS.
• Configure DFS namespaces.
• Configure and troubleshoot DFS Replication.