To learn more about this book, visit Microsoft Learning at

Table of Contents

Acknowledgments xxiii
Introduction xxv
  Document Conventions xxv
  Reader Aids xxv
  About the Companion CD-ROM xxvi
  System Requirements xxvii
  Technical Support xxvii

Part I: Addressing and Packet Flow Infrastructure

Chapter 1: IPv4
  Concepts: Network Layers; IPv4 Addressing; Private IPv4 Addresses; Automatic Private IP Addressing (APIPA); Multicast Addresses; Network Address Translation; Layer 2 and Layer 3 Addressing; Layer 4 Protocols: UDP and TCP
  Planning and Design Considerations: Designing Your Internet Connection; Creating an IPv4 Addressing Scheme; Planning Host Addresses; Using VPNs; Planning Redundancy; Using Multihomed Computers
  Deployment Steps: Manually Configuring IPv4 Clients; Configuring Client Behavior When a DHCP Server Is Not Available; Adding Routes to the Routing Table
  Ongoing Maintenance
  Troubleshooting: ARP; Ipconfig; Netstat; PathPing; Performance Monitor; Ping; Task Manager; Windows Network Diagnostics
  Chapter Summary; Additional Information

Chapter 2: IPv6
  Concepts: Changes from IPv4 to IPv6; IPv6 Addressing; IPv6 Autoconfiguration; DHCPv6; Neighbor Discovery; IPv6 Security; IPv6 Transition Technologies
  Planning and Design Considerations: Migrating to IPv6; Acquiring IPv6 Addresses; Planning Network Infrastructure Upgrades; Planning for IPv6 Transition Technologies
  Deployment Steps: How to Disable IPv6; How to Manually Configure IPv6; How to Configure IPv6 from a Script; How to Enable ISATAP; How to Enable 6to4; How to Enable Teredo; How to Configure a Computer as an IPv6 Router
  Ongoing Maintenance
  Troubleshooting: Netsh; Ipconfig; Nslookup; Troubleshooting Teredo
  Chapter Summary; Additional Information

Chapter 3: Dynamic Host Configuration Protocol
  Concepts: The DHCP Address Assignment Process; DHCP Life Cycle
  Planning and Design Considerations: DHCP Servers; DHCP Relay Agents; DHCP Lease Durations; Designing Scopes; Server Clustering for DHCP; Dynamic DNS
  Deployment Steps: DHCP Servers; DHCP Relay Agents; DHCP Client Configuration
  Ongoing Maintenance: Monitoring DHCP Servers; Manually Backing Up and Restoring a DHCP Server
  Troubleshooting: Troubleshooting DHCP Clients; Troubleshooting DHCP Servers; Using Audit Logging to Analyze DHCP Server Behavior
  Chapter Summary; Additional Information

Chapter 4: Windows Firewall with Advanced Security
  Concepts: Filtering Traffic by Using Windows Firewall; Protecting Traffic by Using IPsec
  Planning and Design Considerations: Planning Windows Firewall Policies; Protecting Communications with IPsec
  Deployment Steps: Firewall Settings with Group Policy; IPsec Connection Security Rules
  Ongoing Maintenance
  Troubleshooting: Windows Firewall Logging; Monitoring IPsec Security Associations; Using Network Monitor
  Chapter Summary; Additional Information

Chapter 5: Policy-Based Quality of Service
  Concepts: The Causes of Network Performance Problems; How QoS Can Help; QoS for Outbound Traffic; QoS for Inbound Traffic; QoS Implementation
  Planning and Design Considerations: Setting QoS Goals; Planning DSCP Values; Planning Traffic Throttling; Hardware and Software Requirements; Planning GPOs and QoS Policies; QoS Policies for Mobile Computers Running Windows Vista
  Deployment Steps: How to Configure QoS by Using Group Policy; How to Configure System-Wide QoS Settings
  Ongoing Maintenance: Removing QoS Policies; Editing QoS Policies; Monitoring QoS
  Troubleshooting: Analyzing QoS Policies; Verifying DSCP Resilience; Isolating Network Performance Problems
  Chapter Summary; Additional Information

Chapter 6: Scalable Networking
  Concepts: TCP Chimney Offload; Receive-Side Scaling; NetDMA; IPsec Offload
  Planning and Design Considerations: Evaluating Network Scalability Technologies; Load Testing Servers; Monitoring Server Performance
  Deployment Steps: Configuring TCP Chimney Offload; Configuring Receive-Side Scaling; Configuring NetDMA; Configuring IPsec Offload
  Ongoing Maintenance
  Troubleshooting: Troubleshooting TCP Chimney Offload; Troubleshooting IPsec Offload
  Chapter Summary; Additional Information

Part II: Name Resolution Infrastructure

Chapter 7: Domain Name System
  Concepts: DNS Hierarchy; DNS Zones; DNS Records; Dynamic DNS Updates; DNS Name Resolution
  Planning and Design Considerations: DNS Zones; DNS Server Placement; DNS Zone Replication; DNS Security; The GlobalNames Zone
  Deployment Steps: DNS Server Configuration; DHCP Server Configuration; DNS Client Configuration; Configuring Redundant DNS Servers
  Ongoing Maintenance: Adding Resource Records; Maintaining Zones; Automated Monitoring; Promoting a Secondary Zone to a Primary Zone
  Troubleshooting: Event Logs; Using Nslookup; Debug Logging at the Server; Using DNSLint; Using DCDiag; Using Network Monitor
  Chapter Summary; Additional Information

Chapter 8: Windows Internet Name Service
  Concepts: History; NetBIOS Names; WINS Name Resolution; WINS Client Registrations
  Planning and Design Considerations: WINS Server Placement; WINS Replication
  Deployment Steps: Configuring a WINS Server; Configuring WINS Replication; WINS Client Configuration
  Ongoing Maintenance: Backing Up the WINS Server Database; Compacting the WINS Database; Performing Consistency Checking; Monitoring a WINS Server; Adding a Static WINS Record; Deleting a WINS Record
  Troubleshooting: Troubleshooting WINS Servers; Troubleshooting WINS Clients
  Chapter Summary; Additional Information

Part III: Network Access Infrastructure

Chapter 9: Authentication Infrastructure
  Concepts: Active Directory Domain Services; Public Key Infrastructure; Group Policy; RADIUS
  Planning and Design Considerations: Active Directory; PKI; Group Policy; RADIUS
  Deployment Steps: Deploying Active Directory; Deploying PKI; Group Policy; RADIUS Servers; Using RADIUS Proxies for Cross-Forest Authentication; Using RADIUS Proxies to Scale Authentications
  Ongoing Maintenance: Active Directory; PKI; Group Policy; RADIUS
  Troubleshooting: Troubleshooting Tools; Active Directory; PKI; Group Policy; RADIUS
  Chapter Summary; Additional Information

Chapter 10: IEEE 802.11 Wireless Networks
  Concepts: Support for IEEE 802.11 Standards; Wireless Security; Components of 802.11 Wireless Networks
  Planning and Design Considerations: Wireless Security Technologies; Wireless Authentication Modes; Intranet Infrastructure; Wireless AP Placement; Authentication Infrastructure; Wireless Clients; PKI; 802.1X Enforcement with NAP
  Deploying Protected Wireless Access: Deploying Certificates; Configuring Active Directory for Accounts and Groups; Configuring NPS Servers; Deploying Wireless APs; Configuring Wireless Clients
  Ongoing Maintenance: Managing User and Computer Accounts; Managing Wireless APs; Updating Wireless XML Profiles
  Troubleshooting: Wireless Troubleshooting Tools in Windows; Troubleshooting the Windows Wireless Client; Troubleshooting the Wireless AP; Troubleshooting the Authentication Infrastructure
  Chapter Summary; Additional Information

Chapter 11: IEEE 802.1X Authenticated Wired Networks
  Concepts: Components of Wired Networks With 802.1X Authentication
  Planning and Design Considerations: Wired Authentication Methods; Wired Authentication Modes; Authentication Infrastructure; Wired Clients; PKI; 802.1X Enforcement with NAP
  Deploying 802.1X-Authenticated Wired Access: Deploying Certificates; Configuring Active Directory for Accounts and Groups; Configuring NPS Servers; Configuring 802.1X-Capable Switches; Configuring Wired Clients
  Ongoing Maintenance: Managing User and Computer Accounts; Managing 802.1X-Capable Switches; Updating Wired XML Profiles
  Troubleshooting: Wired Troubleshooting Tools in Windows; Troubleshooting the Windows Wired Client; Troubleshooting the 802.1X-Capable Switch; Troubleshooting the Authentication Infrastructure
  Chapter Summary; Additional Information

Chapter 12: Remote Access VPN Connections
  Concepts: Components of Windows Remote Access VPNs
  Planning and Design Considerations: VPN Protocols; Authentication Methods; VPN Servers; Internet Infrastructure; Intranet Infrastructure; Concurrent Intranet and Internet Access for VPN Clients; Authentication Infrastructure; VPN Clients; PKI; VPN Enforcement with NAP
  Additional Security Considerations: Strong Link Encryption; VPN Traffic Packet Filtering on the VPN Server; Firewall Packet Filtering for VPN Traffic; Multi-Use VPN Servers; Blocking Traffic Routed from VPN Clients; Concurrent Access; Unused VPN Protocols
  Deploying VPN-Based Remote Access: Deploying Certificates; Configuring Internet Infrastructure; Configuring Active Directory for User Accounts and Groups; Configuring RADIUS Servers; Deploying VPN Servers; Configuring Intranet Network Infrastructure; Deploying VPN Clients
  Ongoing Maintenance: Managing User Accounts; Managing VPN Servers; Updating CM Profiles
  Troubleshooting: Troubleshooting Tools; Troubleshooting Remote Access VPNs
  Chapter Summary; Additional Information

Chapter 13: Site-to-Site VPN Connections
  Concepts: Demand-Dial Routing Overview; Components of Windows Site-to-Site VPNs
  Planning and Design Considerations: VPN Protocols; Authentication Methods; VPN Routers; Internet Infrastructure; Site Network Infrastructure; Authentication Infrastructure; PKI
  Deploying Site-to-Site VPN Connections: Deploying Certificates; Configuring Internet Infrastructure; Configuring Active Directory for User Accounts and Groups; Configuring RADIUS Servers; Deploying the Answering Routers; Deploying the Calling Routers; Configuring Site Network Infrastructure; Configuring Intersite Network Infrastructure
  Ongoing Maintenance: Managing User Accounts; Managing VPN Routers
  Troubleshooting: Troubleshooting Tools; Troubleshooting Site-to-Site VPN Connections
  Chapter Summary; Additional Information

Part IV: Network Access Protection Infrastructure

Chapter 14: Network Access Protection Overview
  The Need for Network Access Protection: Malware and Its Impact on Enterprise Computing; Preventing Malware on Enterprise Networks; The Role of NAP; Business Benefits of NAP
  Components of NAP: System Health Agents and System Health Validators; Enforcement Clients and Servers; NPS
  Enforcement Methods: IPsec Enforcement; 802.1X Enforcement; VPN Enforcement; DHCP Enforcement
  How NAP Works: How IPsec Enforcement Works; How 802.1X Enforcement Works; How VPN Enforcement Works; How DHCP Enforcement Works
  Chapter Summary; Additional Information

Chapter 15: Preparing for Network Access Protection
  Evaluation of Your Current Network Infrastructure: Intranet Computers; Networking Support Infrastructure
  NAP Health Policy Servers: Planning and Design Considerations; Deployment Steps; Ongoing Maintenance
  Health Requirement Policy Configuration: Components of a Health Requirement Policy; How NAP Health Evaluation Works; Planning and Design Considerations for Health Requirement Policies
  Remediation Servers: Remediation Servers and NAP Enforcement Methods; Planning and Design Considerations for Remediation Servers
  Chapter Summary; Additional Information

Chapter 16: IPsec Enforcement
  Understanding IPsec Enforcement: IPsec Enforcement Logical Networks; Communication Initiation Processes with IPsec Enforcement; Connection Security Rules for IPsec Enforcement
  Planning and Design Considerations: Active Directory; PKI; HRAs; IPsec Policies; NAP Clients
  Deploying IPsec Enforcement: Configuring Active Directory; Configuring PKI; Configuring HRAs; Configuring NAP Health Policy Servers; Configuring Remediation Servers on the Boundary Network; Configuring NAP Clients; IPsec Enforcement Deployment Checkpoint for Reporting Mode; Configuring and Applying IPsec Policies
  Ongoing Maintenance: Adding a NAP Client; Adding a New SHA and SHV; Managing NAP CAs; Managing HRAs
  Troubleshooting: Troubleshooting Tools; Troubleshooting IPsec Enforcement
  Chapter Summary; Additional Information

Chapter 17: 802.1X Enforcement
  Overview of 802.1X Enforcement: Using an ACL; Using a VLAN
  Planning and Design Considerations: Security Group for NAP Exemptions; 802.1X Authentication Methods; Type of 802.1X Enforcement; 802.1X Access Points; NAP Clients
  Deploying 802.1X Enforcement: Configuring Active Directory; Configuring a PEAP-Based Authentication Method; Configuring 802.1X Access Points; Configuring Remediation Servers on the Restricted Network; Configuring NAP Health Policy Servers; Configuring NAP Clients; 802.1X Enforcement Deployment Checkpoint for Reporting Mode; Testing Restricted Access; Configuring the Network Policy for Noncompliant NAP Clients for Deferred Enforcement; Configuring Network Policy for Enforcement Mode
  Ongoing Maintenance: Adding a NAP Client; Adding a New SHA and SHV; Managing 802.1X Access Points
  Troubleshooting: Troubleshooting Tools; Troubleshooting 802.1X Enforcement
  Chapter Summary; Additional Information

Chapter 18: VPN Enforcement
  Understanding VPN Enforcement
  Planning and Design Considerations: Use of Network Access Quarantine Control; Security Group for NAP Exemptions; Types of Packet Filtering; VPN Authentication Methods; VPN Servers; NAP Clients
  Deploying VPN Enforcement: Configuring Active Directory; Configuring VPN Servers; Configuring a PEAP-Based Authentication Method; Configuring Remediation Servers; Configuring NAP Health Policy Servers; Configuring NAP Clients; VPN Enforcement Deployment Checkpoint for Reporting Mode; Testing Restricted Access; Configuring Deferred Enforcement; Configuring Network Policy for Enforcement Mode
  Ongoing Maintenance: Adding a NAP Client; Adding a New SHA and SHV
  Troubleshooting: Troubleshooting Tools; Troubleshooting VPN Enforcement
  Chapter Summary; Additional Information

Chapter 19: DHCP Enforcement
  Understanding DHCP Enforcement
  Planning and Design Considerations: Security Group for NAP Exemptions; DHCP Servers; NAP Health Policy Servers; Health Requirement Policies for Specific DHCP Scopes; DHCP Options for NAP Clients; DHCP Enforcement Behavior When the NAP Health Policy Server Is Not Reachable; NAP Clients
  Deploying DHCP Enforcement: Configuring Remediation Servers; Configuring NAP Health Policy Servers; Configuring NAP Clients; Configuring DHCP Servers; DHCP Enforcement Deployment Checkpoint for Reporting Mode; Testing Restricted Access; Configuring Deferred Enforcement; Configuring Network Policy for Enforcement Mode
  Ongoing Maintenance: Adding a NAP Client; Adding a New SHA and SHV
  Troubleshooting: Troubleshooting Tools; Troubleshooting DHCP Enforcement
  Chapter Summary; Additional Information

Glossary
Index

What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:
Windows Server 2008 Networking and Network Access Protection (NAP)

Chapter 9: Authentication Infrastructure

Concepts

To deploy authenticated or protected network access, you must first deploy elements of a Microsoft Windows-based authentication infrastructure consisting of Active Directory, Group Policy, Remote Authentication Dial-In User Service (RADIUS), and a public key infrastructure (PKI). The set of elements you need to deploy depends on the type of network access and the design choices you make with regard to security, central configuration, and other issues. This chapter provides information about how to design and deploy these elements of an authentication infrastructure that can be used for wireless, wired, remote access, and site-to-site connections. Once deployed, elements of this infrastructure can also be used for Network Access Protection (NAP).

The following sections provide technical background on the technologies that are used in the Windows-based authentication infrastructure:
- Active Directory Domain Services
- Group Policy
- PKI
- RADIUS

Active Directory Domain Services

Active Directory Domain Services in the Windows Server 2008 operating system stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. Active Directory Domain Services can be installed on servers running Windows Server 2008. This data store, or directory, contains Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts. Security is integrated with Active Directory through logon authentication and through access control to objects in the directory. With a single network logon, administrators can manage and organize directory data throughout their network, and authorized users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.

Active Directory also includes the following:
- A set of rules (or schema) that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and the format of their names.
- A global catalog that contains information about every object in the directory. This catalog allows users and administrators to find directory information regardless of which domain in the directory actually contains the data.
- A query and index mechanism, which enables objects and their properties to be published and found by network users or applications.
- A replication service that distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.

User Accounts

Active Directory user accounts and computer accounts represent a physical entity such as a person, computer, or device. User accounts can also be used as dedicated service accounts for some applications. User accounts and computer accounts (and groups) are also referred to as security principals. Security principals are directory objects that are automatically assigned security identifiers (SIDs), which can be used to access domain resources.

A user or computer account is used to do the following:
- Authenticate the identity of a user or computer. A user account in Active Directory enables a user to log on to computers and domains with an identity that can be authenticated by the domain. Each user who logs on to the network should have his or her own unique user account and password. To maximize security, you should avoid multiple users sharing one account.
- Authorize or deny access to domain resources. When the user is authenticated, the user is authorized or denied access to domain resources based on the explicit permissions assigned to that user on the resource.
- Administer other security principals. Active Directory creates a foreign security principal object in the local domain to represent each security principal from a trusted external domain.
- Audit actions performed using the user or computer account. Auditing can help you monitor account security.

You can manage user or computer accounts by using the Active Directory Users And Computers snap-in.

Each computer that is running the Windows Vista, Windows XP, Windows Server 2008, or Windows Server 2003 operating system and that participates in a domain has an associated computer account. Similar to user accounts, computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources. User and computer accounts can be added, disabled, reset, and deleted using the Active Directory Users And Computers snap-in. A computer account can also be created when you join a computer to a domain.

Dial-In Properties of an Account

User and computer accounts in Active Directory contain a set of dial-in properties that can be used when allowing or denying a connection attempt. In an Active Directory-based domain, you can set the dial-in properties on the Dial-In tab of the user and computer account properties dialog box in the Active Directory Users And Computers snap-in. Figure 9-1 shows the Dial-In tab for a user account in a Windows Server 2008 functional level domain.

Figure 9-1 The Dial-In tab of a user account properties dialog box in a Windows Server 2008 functional level domain

On the Dial-In tab, you can view and configure the following properties:
- Network Access Permission: You can use this property to set network access permission to be explicitly allowed, denied, or determined through Network Policy Server (NPS) network policies. NPS network policies are also used to authorize the connection attempt. If access is explicitly allowed, NPS network policy conditions and settings and
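The Network Access Permission setting above is per account, so in a large domain it is easy to lose track of which accounts have been set to an explicit Allow or Deny instead of being left to NPS network policy. The following script is an added example, not code from the book: it inventories that setting for user and computer accounts in a given OU. It assumes the ActiveDirectory PowerShell module is installed and that the tab's Network Access Permission control is stored in the msNPAllowDialin attribute (true = Allow, false = Deny, not set = Control access through NPS Network Policy), which the chapter does not name; the OU distinguished name is a placeholder.

```powershell
# Added example: audit the Dial-In tab "Network Access Permission" setting across accounts.
# Assumption (not stated in the book): the setting is stored in the msNPAllowDialin attribute.
Import-Module ActiveDirectory

function Get-NetworkAccessPermission {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # distinguished name of the OU to audit
        [switch] $IncludeComputers                     # computer accounts carry the same tab
    )
    $accounts = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin, Enabled)
    if ($IncludeComputers) {
        $accounts += Get-ADComputer -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin, Enabled
    }
    foreach ($a in $accounts) {
        # Map the attribute to the three choices shown on the Dial-In tab.
        if ($null -eq $a.msNPAllowDialin) {
            $setting = 'Control access through NPS Network Policy'
        } elseif ($a.msNPAllowDialin) {
            $setting = 'Allow access'
        } else {
            $setting = 'Deny access'
        }
        [pscustomobject]@{
            Name              = $a.SamAccountName
            ObjectClass       = $a.ObjectClass
            Enabled           = $a.Enabled
            NetworkAccess     = $setting
            DistinguishedName = $a.DistinguishedName
        }
    }
}

# Return an account to policy-controlled evaluation by clearing the attribute,
# which is the same as selecting "Control access through NPS Network Policy" on the tab.
function Reset-NetworkAccessPermission {
    param([Parameter(Mandatory)] [string] $Identity)
    Set-ADUser -Identity $Identity -Clear msNPAllowDialin
}

# Placeholder OU; replace with the container you want to review.
$report = Get-NetworkAccessPermission -SearchBase 'OU=Users,DC=example,DC=com' -IncludeComputers

# Accounts with an explicit Allow or Deny override the access permission that NPS
# network policy would otherwise decide, so those are the ones worth reviewing.
$report | Where-Object NetworkAccess -ne 'Control access through NPS Network Policy' |
    Sort-Object NetworkAccess, Name |
    Format-Table Name, ObjectClass, Enabled, NetworkAccess -AutoSize
```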