
Administering Windows Server® 2012 9-23

Lab: Implementing NAP

Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center in London support head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

To help meet security and compliance requirements, A. Datum is required to extend their VPN solution to include NAP. You need to establish a way to verify and, if required, automatically bring client computers into compliance whenever they connect remotely by using the VPN connection. You will accomplish this goal by using NPS to create system health-validation settings, network and health policies, and configuring NAP to verify and remediate client health.

Objectives

After completing this lab, you will be able to:

• Configure NAP components.
• Configure VPN access.
• Configure the client settings to support NAP.

Lab Setup

Estimated Time: 60 minutes

Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-CL2 and 20411B-LON-RTR.

9-24 Implementing Network Access Protection

Exercise 1: Configuring NAP Components

Scenario

As the first step in implementing compliance and security, you should configure NAP components, such as certificate requirements, health and network policies, and connection-request policies.

The main tasks for this exercise are as follows:

1. Configure server and client certificate requirements.
2. Configure health policies.
3. Configure network policies.
4. Configure connection request policies for VPN.

Task 1: Configure server and client certificate requirements

1. Switch to the LON-DC1 virtual server.
2. Open the Certification Authority tool.
3. In the Certificate Templates Console, open the properties of the Computer certificate template.
4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.
5. Restart the Certification Authority.
6. Close the Certification Authority tool.

Task 2: Configure health policies

1. Switch to the LON-RTR computer.
2. Create a management console by running mmc.exe.
3. Add the Certificates snap-in with the focus on the local computer account.
4. Navigate to the Personal certificate store and Request New Certificate.
5. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.
6. Enroll the Computer certificate that is listed.
7. Close the console, and do not save the console settings.
8. Using Server Manager, install the Network Policy and Access Services role with the following role service:
   o Network Policy Server
9. Open the Network Policy Server console.
10. Under Network Access Protection, open the Default Configuration for the Windows Security Health Validator.
11. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.
12. Create a health policy with the following settings:
   o Name: Compliant
   o Client SHV checks: Client passes all SHV checks
   o SHVs used in this health policy: Windows Security Health Validator
13. Create a health policy with the following settings:
   o Name: Noncompliant
   o Client SHV checks: Client fails one or more SHV checks
   o SHVs used in this health policy: Windows Security Health Validator

Task 3: Configure network policies

1. Disable all existing network policies.
2. Configure a new network policy with the following settings:
   o Name: Compliant-Full-Access
   o Conditions: Health Policies, Compliant
   o Access permissions: Access granted
   o Settings: NAP Enforcement, Allow full network access
3. Configure a new network policy with the following settings:
   o Name: Noncompliant-Restricted
   o Conditions: Health Policies, Noncompliant
   o Access permissions: Access granted
   o Settings: NAP Enforcement, Allow limited access is selected and Enable auto-remediation of client computers is not selected.
   o IP Filters: IPv4 input filter, Destination network: 172.16.0.10/255.255.255.255; IPv4 output filter, Source network: 172.16.0.10/255.255.255.255

Task 4: Configure connection request policies for VPN

1. Disable existing connection request policies.
2. Create a new Connection Request Policy with the following settings:
   o Policy name: VPN connections
   o Type of network access server: Remote Access Server (VPN-Dial up)
   o Conditions, Tunnel type: L2TP, SSTP, and PPTP
   o Authenticate requests on this server: Enabled
   o On the Specify Authentication Methods page, perform the following:
      a. Select Override network policy authentication settings.
      b. Add Microsoft: Protected EAP (PEAP).
      c. Add Microsoft: Secured password (EAP-MSCHAP v2).
      d. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.
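The server-side prerequisites of Task 2 (the NPS role service and the computer certificate that PEAP presents to VPN clients) can be scripted, and it is worth checking the certificate before building policies: PEAP fails silently on the client when the NPS certificate lacks the Server Authentication EKU or does not chain to a CA the client trusts. The following is an added example for LON-RTR, not part of the course material. It assumes the "Computer" template's internal name is "Machine" (the default), that the host's FQDN is the name clients will see in the certificate, and that C:\nps-lab.xml is writable; the policy names it looks for are the ones this exercise creates.

```powershell
# Added example (not from the 20411B course): scripted equivalents of the
# LON-RTR prerequisites in Exercise 1, Task 2, plus checks on the result.
# Run in an elevated PowerShell session on LON-RTR after Task 1 has been
# completed on LON-DC1. The "Machine" template name and the export path are
# assumptions about the lab environment.

# 1. Install the Network Policy Server role service (the lab uses Server Manager).
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools | Out-Null

# 2. Enroll the Computer certificate from the Active Directory enrollment policy.
#    The template's display name is "Computer"; its internal template name,
#    which Get-Certificate expects, is "Machine" (assumed default).
$req = Get-Certificate -Template Machine -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') {
    throw "Certificate enrollment did not complete: $($req.Status)"
}

# 3. PEAP needs a certificate with a private key, the Server Authentication EKU
#    (1.3.6.1.5.5.7.3.1) and a chain that validates on this machine. Check all
#    three now; a bad certificate otherwise shows up only as a failed EAP
#    negotiation on the client.
function Test-PeapServerCertificate {
    param([string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return $false }
    # Verify() builds and validates the chain against the local trusted roots;
    # a self-signed or untrusted issuer fails here.
    return ($cert.Verify() -and ($cert.DnsNameList.Unicode -contains $ServerFqdn))
}
if (-not (Test-PeapServerCertificate)) {
    throw 'No trusted Server Authentication certificate for this host in LocalMachine\My'
}

# 4. After building the health, network and connection request policies in the
#    NPS console (Tasks 2 to 4), export the configuration and confirm every
#    policy name exists. The export is plain XML, so a text search catches a
#    mistyped name. It also contains RADIUS shared secrets in clear text, so
#    the file is removed as soon as it has been read.
$export = 'C:\nps-lab.xml'
Export-NpsConfiguration -Path $export
$expected = 'Compliant', 'Noncompliant', 'Compliant-Full-Access',
            'Noncompliant-Restricted', 'VPN connections'
$xml = Get-Content $export -Raw
Remove-Item $export -Force
$missing = $expected | Where-Object { $xml -notmatch [regex]::Escape($_) }
if ($missing) {
    Write-Warning "Policies not found in NPS configuration: $($missing -join ', ')"
} else {
    Write-Output 'All five NAP policies are present.'
}
```

Two points a practitioner should keep in mind when moving this beyond the lab: granting Authenticated Users the Enroll permission on the Computer template (Task 1) lets any domain account or computer obtain a certificate with the Server Authentication EKU, so in production scope that permission to the NPS and VPN servers' group; and the Noncompliant-Restricted policy's IPv4 filters only admit traffic to and from 172.16.0.10, so any remediation resource a restricted client needs (WSUS, antimalware updates) must be reachable at that address or added to the filters, especially since auto-remediation is disabled here.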

Exercise 2: Configuring VPN Access

Scenario

After configuring NAP, you will configure a VPN server, and then enable the PING protocol through the firewall for testing purposes.

The main tasks for this exercise are as follows:

1. Configure a VPN server.
2. Allow PING for testing purposes.

Task 1: Configure a VPN server

1. On LON-RTR, open Routing and Remote Access.
2. Disable Routing and Remote Access.
3. Select Configure and Enable Routing and Remote Access.
4. Use the following settings to complete configuration:
   a. Select Remote access (dial-up or VPN).
   b. Select the VPN check box.
   c. Select the interface called Public, and clear the Enable security on the selected interface by setting up static packet filters check box.
   d. Under IP Address Assignment, From a specified range of addresses: 172.16.0.100 to 172.16.0.110
   e. Complete the process by accepting defaults when you receive a prompt, and by clicking OK to confirm any messages.
5. In the Network Policy Server, click the Connection Request Policies node, and verify that the Microsoft Routing and Remote Access Service Policy is disabled. This was created automatically when Routing and Remote Access was enabled.
6. Close the Network Policy Server management console, and then the Routing and Remote Access console.

Task 2: Allow PING for testing purposes

1. Open Windows Firewall with Advanced Security.
2. Create an inbound rule with the following properties:
   o Type: Custom
   o All programs
   o Protocol type: Choose ICMPv4 and then click Customize
   o Specific ICMP types: Echo Request
   o Default scope
   o Action: Allow the connection
   o Default profile
   o Name: ICMPv4 echo request
3. Close the Windows Firewall with Advanced Security console.

Results: After this exercise, you should have created a VPN server and configured inbound communications.
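The same exercise as a script for LON-RTR, added here as an example and not taken from the course. It differs from the lab in one deliberate way: the lab's ICMP rule uses the default scope (any remote address), which also answers pings from anything that can reach the Public interface; the script restricts the rule to the VPN address pool, which is all the test in Exercise 3 needs. The feature and cmdlet names are those of the Windows Server 2012 RemoteAccess and NetSecurity modules; the -Legacy switch on Install-RemoteAccess (to keep the server manageable in the Routing and Remote Access console that the lab uses) is an assumption to verify in your environment, as is the exact netsh ras ip syntax.

```powershell
# Added example (not from the 20411B course): scripted version of Exercise 2 on
# LON-RTR. Run elevated. Pool addresses follow the lab; the -Legacy switch and
# the netsh ras ip commands are assumptions about this server version.

# --- Task 1: VPN server -------------------------------------------------------
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools | Out-Null
# Equivalent of the RRAS wizard's "Remote access (dial-up or VPN)" with VPN
# selected. -Legacy is assumed to select RRAS-console management.
Install-RemoteAccess -VpnType Vpn -Legacy | Out-Null

# Static address pool 172.16.0.100-172.16.0.110 (wizard page "IP Address
# Assignment"). netsh ras ip is the scriptable interface for this setting.
netsh ras ip set addrassign method=pool | Out-Null
netsh ras ip add range from=172.16.0.100 to=172.16.0.110 | Out-Null
Restart-Service -Name RemoteAccess

# --- Task 2: allow ICMPv4 echo request ---------------------------------------
# ICMP type 8 is Echo Request. Scoping -RemoteAddress to the VPN pool instead of
# the lab's default scope means only clients that already passed the connection
# request policy can ping the server.
$vpnPool = '172.16.0.100-172.16.0.110'
New-NetFirewallRule -DisplayName 'ICMPv4 echo request' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $vpnPool -Action Allow | Out-Null

# --- checks -------------------------------------------------------------------
function Test-IcmpEchoRule {
    # Returns $true only if the rule is enabled, allows traffic, and is limited to
    # ICMPv4 type 8. An IcmpType of "Any" would also admit redirects and router
    # advertisements, which is the usual mistake when the rule is built by hand.
    param([string]$Name = 'ICMPv4 echo request')
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    if ("$($rule.Enabled)" -ne 'True' -or "$($rule.Action)" -ne 'Allow') { return $false }
    $port = $rule | Get-NetFirewallPortFilter
    return ("$($port.Protocol)" -eq 'ICMPv4') -and ("$($port.IcmpType)" -eq '8')
}

function Test-VpnInstalled {
    # Get-RemoteAccess reports the VPN role state after Install-RemoteAccess.
    $ra = Get-RemoteAccess -ErrorAction SilentlyContinue
    return ($ra -and "$($ra.VpnStatus)" -eq 'Installed')
}

if (-not (Test-VpnInstalled)) { Write-Warning 'VPN is not installed on this server' }
if (-not (Test-IcmpEchoRule))  { Write-Warning 'ICMPv4 echo request rule is missing or too broad' }
```

Step 5 of Task 1 still has to be checked in the NPS console: the Microsoft Routing and Remote Access Service Policy that RRAS registers must remain disabled, otherwise it is evaluated before the "VPN connections" policy from Exercise 1 and VPN requests are authenticated without the PEAP and NAP settings that policy enforces.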

Exercise 3: Configuring the Client Settings to Support NAP

Scenario

In this exercise, you will enable a client VPN to connect to the Adatum network. You then will enable and configure the required client-side NAP components.

The main tasks for this exercise are as follows:

1. Enable a client NAP enforcement method.
2. Establish a VPN connection.

Task 1: Enable a client NAP enforcement method

1. Switch to the LON-CL2 computer.
2. Run the NAP Client Configuration tool (napclcfg.msc).
3. Under Enforcement Clients, enable the EAP Quarantine Enforcement Client.
4. Close the NAP Client Configuration tool.
5. Run services.msc, and then configure the Network Access Protection Agent service for automatic startup.
6. Start the service.
7. Close the services console.
8. Open the Local Group Policy Editor (gpedit.msc), and then enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.
9. Close the Local Group Policy Editor.

Task 2: Establish a VPN connection

1. On LON-CL2, create a new VPN connection with the following properties:
   o Internet address to connect to: 10.10.0.1
   o Destination name: Adatum VPN
   o Allow other people to use this connection: Enable
2. After you have created the VPN, modify its settings by viewing the properties of the connection, and then selecting the Security tab. Use the following settings to reconfigure the VPN:
   o Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled)
   o Properties of this authentication type:
      Validate server certificate: Enable
      Connect to these servers: Disable
      Authentication method: Secured password (EAP-MSCHAP v2)
      Enable Fast Reconnect: Disable
      Enforce Network Access Protection: Enable
3. Test the VPN connection:
   o In the Network Connections window, connect the Adatum VPN connection.
   o View the details of the Windows Security Alert. Verify that the correct certificate information is displayed, and then click Connect.
4. At the command prompt, run ipconfig /all to verify that the System Quarantine State is Not Restricted.
5. Ping 172.16.0.10.
6. Disconnect the Adatum VPN.
7. Switch to LON-RTR.
8. Open Network Policy Server.
9. In the Default Configuration of the Windows Security Health Validator, enable the Restrict access for clients that do not have all available security updates installed option on the Windows 8/Windows 7/Windows Vista page.
10. Switch back to LON-CL2, and then reconnect the VPN.
11. Run the ipconfig /all command to verify that the System Quarantine State is Restricted.
12. Disconnect the VPN.

To prepare for the next module

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-RTR and 20411B-LON-DC1.
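Each of the three client settings in Task 1 fails silently when it is missing: without the EAP enforcement client or a running NAP Agent the VPN simply connects with no health check, and without Security Center the Windows Security Health Validator cannot read the firewall state it is told to check. The following added example (not course material) scripts those settings for LON-CL2 and wraps the manual ipconfig /all check from Task 2 in a function. Assumptions not on the page: 79623 as the NAP ID of the EAP Quarantine Enforcement Client, SecurityCenterInDomain under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Security Center as the value the "Turn on Security Center (Domain PCs only)" policy writes, and the layout of netsh nap client show config output.

```powershell
# Added example (not from the 20411B course): scripted version of Exercise 3,
# Task 1 on LON-CL2, plus helpers for the quarantine-state check in Task 2.
# Run elevated. The enforcement client ID, the registry value and the netsh
# output format are assumptions about the environment, not course content.

# Task 1, steps 2-3: enable the EAP Quarantine Enforcement Client.
# netsh nap client is the scripted counterpart of napclcfg.msc; 79623 is
# assumed to be the ID of the EAP enforcement client.
netsh nap client set enforcement ID=79623 ADMIN="ENABLE" | Out-Null

# Steps 5-6: NAP Agent must be running for any enforcement client to report.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Step 8: "Turn on Security Center (Domain PCs only)". Writing the policy value
# directly is equivalent to gpedit.msc on a lab VM; in production it should come
# from a domain GPO so it survives local changes. Value name is an assumption.
$scPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
New-Item -Path $scPath -Force | Out-Null
Set-ItemProperty -Path $scPath -Name SecurityCenterInDomain -Value 1 -Type DWord

function Get-NapQuarantineState {
    # ipconfig /all prints "System Quarantine State . . . . . : Not Restricted"
    # (or "Restricted") while a NAP-capable connection is up. Returns the text
    # after the colon, or $null when no NAP enforcement is in effect.
    $line = ipconfig /all | Select-String -Pattern 'System Quarantine State'
    if (-not $line) { return $null }
    if ($line.Line -match ':\s*(?<state>.+?)\s*$') { return $Matches.state }
    return $null
}

function Test-NapClientReady {
    # Returns $true only when all three Task 1 prerequisites are in place and
    # names the first one that is not.
    $agent = Get-Service -Name napagent
    if ($agent.Status -ne 'Running') { Write-Warning 'napagent is not running'; return $false }

    # "netsh nap client show config" lists each enforcement client as a block of
    # Name / ID / Admin lines (assumed format); look for Admin = Enabled in the
    # lines that follow the EAP client's name.
    $eap = netsh nap client show config |
        Select-String -Pattern 'EAP Quarantine Enforcement Client' -Context 0, 3
    if (-not $eap -or (($eap.Context.PostContext -join ' ') -notmatch 'Admin\s*=\s*Enabled')) {
        Write-Warning 'EAP Quarantine Enforcement Client is not enabled'; return $false
    }

    $sc = Get-ItemProperty -Path $scPath -ErrorAction SilentlyContinue
    if (-not $sc -or $sc.SecurityCenterInDomain -ne 1) {
        Write-Warning 'Security Center policy is not enabled'; return $false
    }
    return $true
}

# Task 2, steps 4 and 11: after connecting "Adatum VPN", the state should read
# "Not Restricted" before the WSHV change on LON-RTR and "Restricted" after it.
if (Test-NapClientReady) {
    $state = Get-NapQuarantineState
    if ($state) { "System Quarantine State: $state" } else { 'No NAP-enforced connection is active' }
}
```

One caveat on the VPN settings in Task 2: "Validate server certificate" is enabled but "Connect to these servers" is left empty, so the client accepts PEAP from any server holding a certificate from a trusted CA. With the Enroll permission granted to Authenticated Users in Exercise 1, that is any domain account. Outside the lab, list the NPS server's name there so the client rejects other certificates.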

Module Review and Takeaways

Review Questions

Question: What are the three main client configurations that you need to configure for most NAP deployments?

Question: You want to evaluate the overall health and security of the NAP enforced network. What do you need to do to start recording NAP events?

Question: On a client computer, what steps must you perform to ensure that its health is assessed?

Tools

Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh nap
Use for: Using netsh, you can create scripts to configure a set of NAP settings automatically, and display the configuration and status of the NAP client service.
Where to find it: Open a command window with administrative rights, and then type netsh -c nap. You can type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration/Administrative Templates/Windows Components/Security Center section of Group Policy.
Module 10
Optimizing File Services

Contents:

Module Overview 10-1
Lesson 1: Overview of FSRM 10-2
Lesson 2: Using FSRM to Manage Quotas, File Screens, and Storage Reports 10-7
Lesson 3: Implementing Classification and File Management Tasks 10-16
Lab A: Configuring Quotas and File Screening Using FSRM 10-22
Lesson 4: Overview of DFS 10-26
Lesson 5: Configuring DFS Namespaces 10-33
Lesson 6: Configuring and Troubleshooting DFS-R 10-37
Lab B: Implementing DFS 10-41
Module Review and Takeaways 10-45

Module Overview

The files on your servers are constantly changing with content being added, removed, and modified. The Windows Server® 2012 File and Storage Services server role is designed to help administrators in an enterprise environment manage the continually growing and changing amount of data. When storage requirements change and the data being stored changes as well, you need to manage an increasingly larger and complex storage infrastructure. Therefore, to meet the needs of your organization, you need to understand and control how the existing storage resources are used.

This module introduces you to File Server Resource Manager (FSRM) and Distributed File System (DFS), two technologies that you can use to address and manage these issues.

Objectives

After completing this module, you will be able to:

• Describe FSRM.
• Use FSRM to manage quotas, file screens, and storage reports.
• Implement classification and file management tasks.
• Describe DFS.
• Configure DFS namespaces.
• Configure and troubleshoot DFS Replication.


Lesson 1

Overview of FSRM

FSRM is a set of tools that allow you to understand, control, and manage the quantity and type of data stored on your servers. Using FSRM, you can place quotas on storage volumes, screen files and folders, generate comprehensive storage reports, control the file classification infrastructure, and use file management tasks to perform scheduled actions on sets of files. These tools help you monitor existing storage resources, and aid in planning and implementing future policy changes.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe common capacity management challenges.
• Describe the features available within FSRM.
• Explain how to install and configure the FSRM role service.

Understanding Capacity Management Challenges

Capacity management is a proactive process of determining the current and future capacity needs for your enterprise's storage environment. As the size and complexity of the data increases, the need for capacity management also increases.

To effectively meet the storage needs of your organization, you need to track how much storage capacity is available, how much storage space you need for future expansion, and how you are using the environment’s storage.

Key Capacity Management Challenges

Capacity management brings with it the following key challenges:

• Determining existing storage use. To manage your storage environment and ensure that you can perform even the simplest capacity management task, you need to understand your environment's current storage requirements. Knowing how much data is being stored on your servers, what types of data are being stored, and how that data is currently being used is the benchmark for measuring the various aspects of capacity management in your environment.

• Establishing and enforcing storage use policies. Capacity management includes ensuring that your storage environment is being used to its full potential. Managing growth is important to ensure that your storage environment is not overwhelmed by unplanned or unauthorized data storage on your servers. Modern media data such as audio, video, and graphic files consume a large amount of storage space and, if left unchecked, the unauthorized storage of these types of files can consume the storage space that is required for legitimate business use.

• Anticipating future requirements. Storage requirements are constantly changing. New projects and new organizational initiatives require increased storage. New applications and imported data require additional storage. If you are not able to anticipate or prepare for events like these, your storage environment may not be able to meet the storage requirements.
