Friday, October 24, 2014
4. Configure a Network Policy Server (NPS) Infrastructure 4.3 Configure Network Access Protection (NAP)
NAP components
Client side: a NAP-capable version of Windows (XP SP3 and later), or a third-party NAP client for Mac and Linux
NAP enforcement points: 802.1X switch or wireless access point, DHCP server, HRA (IPsec enforcement), RRAS (VPN)
NAP health policy server - the NPS server holding the health policies, the SHVs and the NAP-related network policies
System Health Agent (SHA) - monitors one aspect of the NAP client's health (firewall, AV, updates, ...)
Statement of Health (SoH) - produced by each SHA and handed to the NAP agent
NAP agent - maintains the health state of the NAP client computer and communicates with the enforcement clients and the SHAs
Health Registration Authority (HRA) - obtains health certificates from a CA for compliant computers (IPsec enforcement only)
Health requirement server - e.g. an AV management or WSUS server; tells the SHV what the currently required state is
Remediation server - a resource a noncompliant computer is allowed to reach in order to become compliant (update servers and the DNS/DC infrastructure they depend on)
NAP connection process
NAP client connects to a NAP-enabled network: each SHA validates its part of system health and generates an SoH.
The NAP agent combines the SoHs into a System SoH (SSoH) and sends it to the enforcement point (DHCP, RRAS, 802.1X switch or HRA), which passes it on to the NAP health policy server (NPS) inside RADIUS.
NPS hands each SoH to the matching SHV; the SHVs compare it with the health policies to determine compliance and each returns an SoH Response (SoHR).
NPS combines the SoHRs into a System SoHR (SSoHR) and returns it to the client through the enforcement point, together with the access decision.
If compliant, the enforcement point allows full access. A noncompliant client is given limited access to the remediation network (or denied, depending on the network policy).
Whenever the client's health state changes, the process repeats.
Note: only IPsec enforcement needs a Health Registration Authority (feature NPAS-Health, managed with Tools/Health Registration Authority in Server Manager, with a CA behind it to issue the health certificates). DHCP, VPN and 802.1X enforcement work without an HRA.
4.3.1 Configure System Health Validators (SHVs)
NPS - NAP - System Health Validators - Windows Security Health Validator
Settings:
Windows 8/7/Vista: firewall enabled; antivirus on and up to date; antispyware on and up to date; automatic updating enabled; restrict access for clients that do not have all available security updates installed, down to a chosen minimum severity rating; minimum number of hours allowed since the client last checked for security updates; require Windows Update and/or WSUS as the update source.
XP has the same settings except antispyware.
Error Codes:
Select how the SHV reacts to each error scenario: compliant or noncompliant. The default is noncompliant; mapping any of these to compliant means a client whose agent is stopped or unreachable passes the health check.
SHV unable to contact required services
SHA unable to contact required services
SHA not responding to NAP client
SHV not responding
Vendor specific error code
4.3.2 configure health policies
Health policies are used as conditions in network policies, so you normally create one for compliant clients (full access) and one for noncompliant clients (limited access).
Select an existing template
Policy name
Client SHV checks:
Client passes all SHV checks
Client fails all SHV checks
Client passes one or more SHV checks
Client fails one or more SHV checks
Client reported as transitional by one or more SHAs
Client reported as infected by one or more SHAs
Client reported as unknown by one or more SHAs
Check which SHVs are considered in this health policy. The default is the Windows Security Health Validator.
Extra Note: I had trouble getting the WSHV to work with a configuration other than the Default Configuration. Also, it doesn't seem like you can use 2008 or 2012 as a client because of the lack of Security Center/Action Center.
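To make the SHV error-code settings and the health policy choices above concrete, here is an added Python model (example code, not part of the original notes and not how NPS is implemented internally) of the decision an NPS health policy server makes from the per-SHV results. The policy names, the SoH field names and the 22-hour update-check value are assumptions for illustration; the real SoH/SoHR formats are binary.

```python
"""Added example, not from the original notes: a small model of how the NAP health
policy server turns SHV results into an access decision. The policy names, SoH
fields and the 22-hour update-check default are assumptions for illustration."""

COMPLIANT, NONCOMPLIANT = "compliant", "noncompliant"
TRANSITIONAL, INFECTED, UNKNOWN = "transitional", "infected", "unknown"

# The SHV "Error codes" tab: each failure scenario maps to compliant or noncompliant.
# Failing closed is the safe choice; see the last decision in __main__ for why.
FAIL_CLOSED = {
    "shv_unable_to_contact_required_services": NONCOMPLIANT,
    "sha_unable_to_contact_required_services": NONCOMPLIANT,
    "sha_not_responding_to_nap_client": NONCOMPLIANT,
    "shv_not_responding": NONCOMPLIANT,
    "vendor_specific_error": NONCOMPLIANT,
}

def windows_shv(soh, error_policy=FAIL_CLOSED, max_hours_since_check=22):
    """Windows Security Health Validator over one Statement of Health (a dict)."""
    if "error" in soh:                          # SHA/SHV communication problem
        return error_policy.get(soh["error"], NONCOMPLIANT)
    if soh.get("state") in (TRANSITIONAL, INFECTED, UNKNOWN):
        return soh["state"]                     # extended state reported by the SHA
    checks = [
        soh.get("firewall_on", False),
        soh.get("antivirus_on", False) and soh.get("antivirus_current", False),
        soh.get("antispyware_on", False) and soh.get("antispyware_current", False),
        soh.get("auto_update_on", False),
        soh.get("hours_since_update_check", float("inf")) <= max_hours_since_check,
    ]
    return COMPLIANT if all(checks) else NONCOMPLIANT

def health_policy_matches(shv_checks, results):
    """One health policy's 'Client SHV checks' setting over the per-SHV results."""
    if shv_checks == "passes_all":
        return all(r == COMPLIANT for r in results)
    if shv_checks == "fails_all":
        return all(r == NONCOMPLIANT for r in results)
    if shv_checks == "passes_one_or_more":
        return any(r == COMPLIANT for r in results)
    if shv_checks == "fails_one_or_more":
        return any(r == NONCOMPLIANT for r in results)
    if shv_checks in (TRANSITIONAL, INFECTED, UNKNOWN):   # "reported as ... by one or more SHA"
        return any(r == shv_checks for r in results)
    raise ValueError(f"unknown health policy setting {shv_checks!r}")

# Network policies are processed in order; the first whose health-policy condition
# matches sets the NAP enforcement outcome. Policy names are constructed.
NETWORK_POLICIES = [
    ("NAP compliant - full access",    "passes_all",        "full_access"),
    ("NAP noncompliant - remediation", "fails_one_or_more", "limited_access"),
    ("NAP infected - remediation",     INFECTED,            "limited_access"),
]

def decide_access(ssoh, shvs, error_policy=FAIL_CLOSED):
    """ssoh maps SHA name -> SoH (the client's System SoH); shvs maps SHA name -> validator.
    A configured SHV with no SoH to evaluate is the 'SHA not responding' error case."""
    results = []
    for agent, shv in shvs.items():
        soh = ssoh.get(agent, {"error": "sha_not_responding_to_nap_client"})
        results.append(shv(soh, error_policy))
    for name, shv_checks, outcome in NETWORK_POLICIES:
        if health_policy_matches(shv_checks, results):
            return name, outcome
    return None, "denied"                       # nothing matched: NPS rejects the request

# Constructed sample clients.
HEALTHY = {"windows": {"firewall_on": True, "antivirus_on": True, "antivirus_current": True,
                       "antispyware_on": True, "antispyware_current": True,
                       "auto_update_on": True, "hours_since_update_check": 3}}
FIREWALL_OFF = {"windows": dict(HEALTHY["windows"], firewall_on=False)}
NO_SOH = {}                                     # NAP agent sent nothing for the Windows SHA

if __name__ == "__main__":
    shvs = {"windows": windows_shv}
    print(decide_access(HEALTHY, shvs))         # compliant: full access
    print(decide_access(FIREWALL_OFF, shvs))    # noncompliant: remediation network
    print(decide_access(NO_SOH, shvs))          # agent silent: fails closed
    # Mapping "SHA not responding" to compliant turns a stopped agent into a pass:
    lax = dict(FAIL_CLOSED, sha_not_responding_to_nap_client=COMPLIANT)
    print(decide_access(NO_SOH, shvs, lax))
```

The last decision is the point of the error-code tab: with a lax mapping, a client that simply stops the NAP agent is treated as compliant, which is why the defaults fail closed and why "fails one or more" is the usual condition for the remediation policy.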
4.3.3 configure NAP enforcement using DHCP and VPN
DHCP configuration:
If the DHCP server is not on the NPS server itself, install NPS on the DHCP server as well, configure it as a RADIUS proxy that forwards to the real NPS server, and register the DHCP server as a RADIUS client on that NPS server.
NAP must be enabled on the DHCP server, either for all scopes or per scope (scope properties, Network Access Protection tab).
Then create the connection request, network and health policies with "DHCP Server" as the network access server type.
The NAP agent service must be running and the DHCP quarantine enforcement client enabled on every client to be enforced (see 4.3.5).
Caveat: DHCP enforcement is the weakest enforcement method. A user with local administrator rights can assign a static IP address and bypass it entirely, so treat it as a compliance nudge rather than an access control.
VPN configuration:
Similar to the DHCP configuration, except that the RRAS/VPN server is configured to use RADIUS authentication (and accounting) pointing at the NPS server, and the RRAS server is added on NPS as a RADIUS client.
The NAP agent must be running and the EAP quarantine enforcement client enabled on Windows 7 and later clients; XP and Vista use the remote access quarantine enforcement client instead. Security Center/Action Center must be running on the client.
PEAP must be used, which requires certificates (autoenrollment with the Workstation Authentication template for clients and the RAS and IAS Server template for servers works well; the NPS server itself must have a server certificate). On the client VPN connection, select PEAP as the authentication method, enable "Enforce Network Access Protection" in the PEAP properties, and make the client validate the server certificate there as well, otherwise a rogue server can terminate the PEAP tunnel. On the NPS server, use the connection request policy to override the network policy authentication methods, and enable "Enforce Network Access Protection" on the PEAP type there too.
4.3.4 configure isolation and remediation of non-compliant computers using DHCP and VPN
Isolation is configured in the noncompliant network policy under Settings/NAP Enforcement: choose "Allow limited access", optionally with auto-remediation, and attach a remediation server group and/or a troubleshooting URL. The remediation server group should contain only what a quarantined client needs to become compliant (WSUS or AV update servers, plus the DNS/DHCP/domain controllers those depend on). Every host in the group is reachable from possibly infected machines, so keep it minimal and harden those servers.
4.3.5 configure NAP client settings
Enforcement clients are enabled with the NAP Client Configuration console (napclcfg.msc), through Group Policy (Computer Configuration/Policies/Windows Settings/Security Settings/Network Access Protection), or with netsh nap client set enforcement. The Network Access Protection Agent service must be running and set to start automatically.
netsh commands used to troubleshoot:
Determine the local NAP configuration on the client:
netsh nap client show configuration
Determine the Group Policy NAP configuration on the client (Group Policy overrides the local configuration):
netsh nap client show grouppolicy
Show the client's current state (enabled enforcement clients, SHAs, and whether the client is currently restricted):
netsh nap client show state
Friday, September 26, 2014
4. Configure a Network Policy Server (NPS) Infrastructure 4.2 Configure NPS policies
4.2.1 Configure connection request policies
When NPS receives an Access-Request message it evaluates the connection request policies first (in processing order; the first match wins) to decide where the request is processed; only then are the network policies evaluated.
Overview - enable the policy; choose the network access server type (or vendor specific).
Conditions -
to match for this policy to be processed
HCAP Location Groups
User Name
Access Server IPV4 address - (on behalf of client)
Access Server IPv6 address
Framing Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, VLAN, other
Day and Time Restrictions
Identity Type - NAP Machine Health check identity.
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor Name
Called Station ID(of the NAS server)
NAS id
NAS ipv4
NAS ipv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other
Settings -
Authentication Methods. - Can be used to override the network policy authentication settings
Includes EAP types Smart Card, PEAP, EAP-MSCHAP v2 as well as MS-CHAPv2, MS-CHAP, CHAP, PAP/SPAP, and unauthenticated connections.
Authentication - determines whether requests are authenticated locally on this server, forwarded to a remote RADIUS server group, or accepted without validating credentials (only for unauthenticated/guest scenarios).
Accounting - determine if Accounting requests are forwarded to a radius group
Attribute - manipulate attributes before processing or forwarding: Called-Station-ID, Calling-Station-ID, User-Name (e.g. strip a realm)
Standard - additional standard RADIUS attributes sent back to the RADIUS client
Vendor Specific - additional vendor-specific attributes
4.2.2 configure network policies for VPN clients (multilink and bandwidth allocation, IP filters, encryption, IP addressing)
Overview
Policy name
Enabled
Grant or Deny access.
"Ignore user account dial-in properties"
Access server type or vendor specific
Conditions for processing this policy
Windows Groups
Machine Groups
User Groups
HCAP Location Groups
HCAP User Groups
Day and Time Restrictions
Identity Type - NAP Machine Health check identity.
MS-Service Class - Must use a defined DHCP scope
Health Policies - meets a health policy criteria
NAP-Capable Computers
Operating System - OS version, SP, OS role, Architecture, OS Build
Policy Expiration
Access Client IPv4
Access Client IPv6
Authentication Type- Includes CHAP, EAP, Ext, MS-Chap v1/CPW, v2/CPW, PAP, PEAP, unauthenticated.
Allowed EAP types - Smart Card, PEAP-Smart card, PEAP-MSCHAP-V2, EAP-MSCHAP-v2
Framed Protocol
Service Type - VPN, 802.1x, other
Tunnel Type - GRE, ESP, L2TP, PPTP, SSTP, VLAN, other
Calling Station ID
Client Friendly Name
Client IPv4 address
Client IPv6 address
Client Vendor name
MS-RAS Vendor -
Called Station ID
NAS ID
NAS Ipv4
NAS IPv6
NAS port type - VPN, Ethernet, 802.11 wireless, Other
Constraints - unlike conditions, a request that matches the conditions but fails a constraint is rejected outright; NPS does not go on to the next network policy.
Authentication Methods - unless overridden by the connection request policy
Includes the EAP types Smart Card or other certificate, PEAP and EAP-MSCHAP v2, as well as MS-CHAP v2, MS-CHAP, CHAP, PAP/SPAP and unauthenticated access. Leave PAP, CHAP and MS-CHAP v1 off unless something genuinely needs them.
Idle Timeout
Session Timeout
Called Station ID
Day and time restrictions
NAS Port Type
Settings - Settings applied if Condition and Constraints match
Standard - Add additional standard attributes that are sent to clients
Vendor Specific - Add addition vendor specific attributes
NAP Enforcement - full network access, full access for a limited time, or limited access (with a remediation server group). Enable auto-remediation for computers that do not meet health requirements.
Extended State - transitional, infected, unknown
Multilink and BAP - how multilink connections are handled. BAP settings: reduce a multilink connection by one line if the lines fall below a percentage of capacity for a period of time (default 50% over 2 minutes); require BAP for dynamic multilink requests.
IP filters - IPv4/IPv6 input and output filters applied to the connection
Encryption - Basic (MPPE 40-bit, or 56-bit DES for L2TP/IPsec), Strong (MPPE 56-bit / 56-bit DES), Strongest (MPPE 128-bit / 168-bit 3DES), No encryption. Allow only Strongest. MPPE on PPTP is only as strong as the MS-CHAP v2 exchange that keys it, so prefer SSTP or L2TP/IPsec with EAP-TLS or PEAP.
IP Settings - server must supply an IP address, client may request an IP address, server settings determine IP address assignment, assign a static IPv4 address.
4.2.3 import and export NPS policies
netsh nps export filename="c:\nps.xml" exportPSK=yes
export-npsconfiguration -path c:\nps.xml
netsh nps import filename="c:\nps.xml"
import-npsconfiguration -path c:\nps.xml
Caveats: exportPSK=yes (and Export-NpsConfiguration always) writes the RADIUS shared secrets into the XML in clear text, so treat the file like a credential store and delete it after use; without exportPSK=yes the imported RADIUS clients and remote servers have empty secrets that must be re-entered. Importing replaces the existing NPS configuration on the target server rather than merging with it.
4. Configure a Network Policy Server (NPS) Infrastructure 4.1 Configure Network Policy Server
RADIUS is used for authentication, authorization and accounting (AAA); NPS is Microsoft's RADIUS server and RADIUS proxy.
Install NPS:
Server Manager -> Add Roles and Features
Server role - Network policy and access services
install-windowsfeature npas-policy-server -includemanagementtools
4.1.1 Configure a RADIUS server, including RADIUS proxy
Server Manager - Tools - Network Policy Server (nps.msc)
You can use one of the standard configuration wizards, which create RADIUS clients, connection request policies, network policies and health policies as needed: Network Access Protection, RADIUS server for dial-up or VPN connections, RADIUS server for 802.1X wireless or wired connections.
You can also use some of the advanced setup tools
Finally, you can just manually configure the server using the appropriate menu items. Menu breakdown:
Radius Clients and Servers -
Radius clients
Remote Radius Server groups (proxy setup)
Policies
Connection Request Policies - used to determine whether requests are handled locally or forwarded to a radius group, as well as some other connection related settings.
Network policies - Network authorization policies, such as auth methods, idle/session timeouts, usage restrictions, IP filters, encryption
Health Policies - Used with NAP System Health Validations to define requirements for clients to connect
NAP
System Health Validators - SHV - settings such as AV and firewall status required for clients
Remediation Server Groups - used to provide updates and services for noncompliant clients
Accounting - Auditing using SQL server or text files
Template Management - save or create configurations to reuse locally or import to other NPS servers
Proxy setup:
http://technet.microsoft.com/en-us/library/dd197525%28v=ws.10%29.aspx
Although RADIUS clients can be configured with a primary and an alternate RADIUS server, a RADIUS proxy can instead forward messages to a remote RADIUS server group. A connection request policy forwards authentication to that group on its Settings/Authentication page.
A proxy is set up under "RADIUS Clients and Servers", "Remote RADIUS Server Groups", by creating a new group for a connection request policy to use.
Add a RADIUS server
Select an existing template or None
Enter the IP address, host name or FQDN of the RADIUS server. Click Verify to resolve the name and pick the correct address if it resolves to several.
Authentication-Accounting
Choose authentication port(default 1812)
Choose an existing shared secrets template or none
Enter a shared secret for authentication with the radius server
If not using EAP, check "Request must contain the message authenticator attribute" so that forwarded requests are integrity-protected with the shared secret (EAP requests carry it anyway).
Accounting-
choose accounting port (1813 default)
Use the same shared secret for accounting as for authentication, or configure a separate template/secret as above
Forward network access server start and stop notifications
Load Balancing - the server with the lowest priority value is preferred; among servers with the same priority, weight controls how often each one receives requests
Advanced settings (defaults in parentheses)
number of seconds without a response before a request is dropped (3)
maximum number of dropped requests before the server is identified as unavailable (5)
number of seconds between requests when a server is identified as unavailable (30)
4.1.2 configure RADIUS clients
Clients are configured on the "Radius Clients and Servers", "Radius Clients" menu item. These can be manually created or as part of the standard/advanced configuration tools.
Properties -
Settings
Enable this Radius client
Select an existing template
Friendly Name
Address (IP or DNS) - NPS identifies the client by the source address of its packets, so use a specific address rather than a range where you can
Shared Secret Template
Enter a secret manually or use Generate to create a random one. RADIUS's own protections (password hiding, Message-Authenticator) rest entirely on this secret, so use a long random one, unique per client.
Advanced - select the vendor name, or use RADIUS Standard
Access-Request messages must contain the Message-Authenticator attribute - enable for non-EAP clients (it is mandatory for EAP anyway)
RADIUS client is NAP-capable - for NAP enforcement points
4.1.3 configure NPS templates
Reusable configuration fragments that can be exported and imported into other NPS servers, which makes configuring several NPS servers consistently easier.
Templates -
Shared Secrets
Radius Clients
Remote Radius Servers
IP filters - Ipv4 and Ipv6 input and output
Health Policies
Remediation Server Groups
Templates are exported or imported by right clicking Template Management and selecting Import Templates from a Computer(Another NPS Server), Import Templates from a File, Export Templates to a File
4.1.4 configure RADIUS accounting
The RADIUS client (the NAS, e.g. the RRAS server) sends an Accounting-Request with Acct-Status-Type Start when a session begins; the NPS accounting server records it and returns an Accounting-Response. When the session ends the NAS sends an Accounting-Request Stop carrying the session's usage counters, acknowledged the same way. If no Accounting-Response arrives the NAS retransmits (RFC 2866).
Accounting is configured on the Accounting menu by using the "Configure Accounting" wizard.
Logging options:
Log to a SQL server, Log to a text file, Log to SQL and text, Log to SQL and use text as failover.
SQL server logging:
Configure a SQL server to log to
Choose what to log: Accounting, Authentication, Periodic accounting status, Periodic authentication status
Logging failure action: if logging fails, you can choose to discard connection requests so that no session is established without a record (fail closed).
Text logging:
Choose what to log: Accounting, Authentication, Periodic accounting status, Periodic authentication status
Choose the location for the logfiles to be stored
Logging failure action: if logging fails, you can choose to discard connection requests so that no session is established without a record (fail closed).
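Both the "must contain the Message-Authenticator attribute" setting (4.1.1 and 4.1.2) and the accounting exchange just described come down to how RADIUS packets are authenticated with the shared secret. The following is an added example, not code from these notes or from Microsoft, that builds and verifies those packets in Python as RFC 2865, 2866 and 2869 specify them; the shared secret, user name, session ID and NAS address are constructed values.

```python
"""Added example, not from the original notes: RADIUS messages built by hand from
RFC 2865/2866/2869 to show what the shared secret and Message-Authenticator protect."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCT_REQUEST, ACCT_RESPONSE = 1, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, ACCT_START, ACCT_STOP = 40, 44, 80, 1, 2
HDR = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data): raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HDR.pack(code, ident, HDR.size + len(body), authenticator) + body

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: 16-byte chunks XORed with MD5(secret + previous block); anyone
    holding the secret reverses it, so PAP needs IPsec or TLS around it."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def access_request(ident, secret, user, password, nas_ip, with_mac=True):
    req_auth = os.urandom(16)  # Request Authenticator: random per request
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    if not with_mac:
        return packet(ACCESS_REQUEST, ident, req_auth, attrs)
    # RFC 2869 5.14: HMAC-MD5 keyed with the secret over the packet with the MA value zeroed
    zeroed = packet(ACCESS_REQUEST, ident, req_auth, attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, req_auth, attrs + [(MESSAGE_AUTHENTICATOR, mac)])

def verify_access_request(pkt, secret, require_mac=True):
    # The check behind "Access-Request messages must contain the Message-Authenticator attribute"
    code, ident, length, req_auth = HDR.unpack_from(pkt)
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    attrs = decode_attrs(pkt[HDR.size:])
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_mac  # unsigned: anyone who can send from the NAS's address could forge it
    zeroed = packet(code, ident, req_auth, [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), macs[0])

def sign_md5(code, ident, attrs, seed, secret):
    """Authenticator = MD5(header carrying `seed` + attributes + secret). Accounting-Request seeds with
    16 zero octets (RFC 2866 3); Accounting-Response and Access-Accept/Reject seed with the Request Authenticator."""
    body = encode_attrs(attrs)
    length = HDR.size + len(body)
    auth = hashlib.md5(HDR.pack(code, ident, length, seed) + body + secret).digest()
    return HDR.pack(code, ident, length, auth) + body

def verify_md5(pkt, seed, secret):
    code, ident, length, auth = HDR.unpack_from(pkt)
    if length != len(pkt):
        return False
    expected = hashlib.md5(HDR.pack(code, ident, length, seed) + pkt[HDR.size:] + secret).digest()
    return hmac.compare_digest(expected, auth)

def accounting_request(ident, secret, status, user, session_id):
    attrs = [(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session_id)]
    return sign_md5(ACCT_REQUEST, ident, attrs, bytes(16), secret)

def verify_accounting_request(pkt, secret):
    return pkt[0] == ACCT_REQUEST and verify_md5(pkt, bytes(16), secret)

def accounting_response(request_pkt, secret):
    return sign_md5(ACCT_RESPONSE, request_pkt[1], [], request_pkt[4:20], secret)

def verify_accounting_response(resp_pkt, request_pkt, secret):
    return (resp_pkt[0] == ACCT_RESPONSE and resp_pkt[1] == request_pkt[1]
            and verify_md5(resp_pkt, request_pkt[4:20], secret))

if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed; real ones should be long and random
    req = access_request(1, secret, b"alice", b"Passw0rd!", "10.0.0.2")
    print("signed request, right/wrong secret:", verify_access_request(req, secret), verify_access_request(req, b"guess"))
    forged = access_request(2, b"guess", b"alice", b"x", "10.0.0.2", with_mac=False)
    print("unsigned request, MA optional/required:", verify_access_request(forged, secret, False), verify_access_request(forged, secret, True))
    start = accounting_request(3, secret, ACCT_START, b"alice", b"0000000a")  # Stop uses ACCT_STOP
    print("Accounting-Start / Accounting-Response verified:", verify_accounting_request(start, secret),
          verify_accounting_response(accounting_response(start, secret), start, secret))
```

Running it shows a signed Access-Request accepted, the same request rejected under a wrong secret, and an unsigned request that passes only while Message-Authenticator is not required; the accounting half shows the Start message and its acknowledgement validating against each other. The MD5 and HMAC-MD5 constructions are what the RFCs mandate, not a recommendation: they are the reason the shared secret has to be strong and unique, and why RADIUS between NPS and its clients is best carried over IPsec.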
4.1.5 configure certificates
http://technet.microsoft.com/en-us/library/cc772401%28v=ws.10%29.aspx
Certificates are used to authenticate the NPS server to clients and, with certificate-based EAP, clients to the server.
Certificates are required for smart card logon, PEAP-MS-CHAP v2 (server certificate only), PEAP-TLS and EAP-TLS (server and client certificates).
Both client and server must trust the CA that issued the other side's certificate, i.e. have its CA certificate in Trusted Root Certification Authorities.
Clients may need a certificate from the Workstation Authentication template and servers one from the RAS and IAS Server template. Both templates must be published on the CA if auto-enrollment is used.
Smart card users need a Smart Card Logon (or equivalent) user certificate.
Certificates can be requested from an enterprise CA manually or auto-enrolled via Group Policy. Configure clients to validate the server certificate (and, where the client supports it, the expected server name and issuing CA) so a rogue access point or VPN server cannot stand in for NPS.
Thursday, September 25, 2014
3. Configure network services and access 3.4 Configure DirectAccess
DirectAccess uses IPv6 and IPsec to give clients always-on connections to the corporate network through a DirectAccess server. Over the IPv4 Internet the IPv6 traffic is carried by the 6to4, Teredo or IP-HTTPS transition technologies.
http://technet.microsoft.com/en-us/library/dn636118.aspx
3.4.1 Implement server requirements
Server must be a member of an AD domain
Server must be running 2008 R2, 2012 or 2012 R2
If the server is published through Forefront TMG or UAG, a single NIC is enough; if it is connected directly to the Internet (edge), it needs two NICs
Two consecutive public IPv4 addresses on the external interface for Teredo; behind a NAT only IP-HTTPS is available
2012 can use NLB with up to eight nodes
2012 introduces a single IPsec tunnel (Kerberos proxy, simplified deployment), which does not support some capabilities (e.g. Windows 7 clients, NAP integration, two-factor authentication, force tunneling); these come back by configuring the 2008 R2-style dual IPsec tunnel model (one infrastructure tunnel, one intranet tunnel) with certificates
2008 R2 domain functional level
ISATAP requires a DNS server that supports DNS messaging over ISATAP
ISATAP name removed from the DNS global query block list
IPsec policies
Teredo requires ICMPv6 (echo request/reply) to be allowed end to end
Server setup:
Install the remoteaccess windowsfeature on the DirectAccess server
Run Remote Access Management tool from Server Manager. (ramgmtui.exe)
Run "Getting Started Wizard"
Deploy "Directaccess and VPN" or "Directaccess"
Choose your network topology: edge server, behind an edge device (two network adapters), behind an edge device (single network adapter)
Enter IP address to be used to reach this server. (Public IP if edge)
Click edit for other settings. Some of these can be configured after the wizard using the four step component configuration.
GPO names
-lets you select specific GPOs for Client and Server. These will be created in the domain.
Step 1 - Remote Clients (client configuration)
-You can uncheck "Enable DirectAccess for mobile computers only", which applies a WMI filter that limits the client GPO to laptops within the listed groups. Then specify the security groups that contain the DirectAccess clients; the client GPO is filtered to those groups, so do not use a broad group such as Domain Computers.
-Network Connectivity Assistant settings used on the client for connectivity information, diagnostics and support.
Step 2 - Remote Access Server (server configuration)
-network settings for the DA server
Step 3 - Infrastructure Servers (NLS, DNS, DNS suffixes for clients, management servers)
-The Network Location Server (NLS) is an internal HTTPS site; if the DA client can reach it (and the certificate validates), the client assumes it is on the intranet and turns DirectAccess off. Two consequences: the NLS must never be reachable from the Internet (otherwise remote clients switch DA off), and it must be highly available internally (if it is down, clients on the LAN think they are remote and try to tunnel to themselves).
-Sets up the DNS suffixes that are resolved internally through DA (the NRPT). Names with other suffixes use the client's normal DNS servers if the configuration allows it.
Step 4 - Application Servers
require end-to-end authentication and encryption to specific application servers (the intranet tunnel is then extended to those servers)
Check that the Operations Status of the DA server shows "Working".
Extra Note: 2012 introduced DNS64 and NAT64 for backwards compatibility, allowing access to internal corporate resources via IPv4. 2008R2 requires MF-UAG for this functionality.
3.4.2 implement client configuration
Clients must be Windows 7 Enterprise or Ultimate, Windows 8 Enterprise, or Windows Server 2008 R2, 2012 or 2012 R2
Client must be joined to the domain
Windows 7 and 2008 R2 use the DirectAccess Connectivity Assistant (DCA)
Windows 8 and 2012 use the Network Connectivity Assistant (NCA)
Domain clients are configured automatically by the client GPO. As noted before, the WMI filter for mobile computers can be applied in addition to the security group filtering.
3.4.3 configure DNS for Direct Access
DirectAccess requires two external DNS A records: one for the DirectAccess server's public name (the IP-HTTPS endpoint) and one for the CRL distribution point of the certificate that name uses, since clients must be able to check revocation from outside. Internal DNS needs records for the NLS and for the internal CRL distribution point.
There is DNS setup in Infrastructure Configuration(Step 3).
-Set the suffixes that are resolved through DA (the intranet namespace sent to the DNS64/internal DNS address).
-Configure how a DA client behaves when NRPT resolution fails ("local name resolution" means LLMNR/NetBIOS on the link the client is currently on):
- Use local name resolution if the name does not exist in DNS (most restrictive)
- Use local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client is on a private network (recommended)
- Use local name resolution for any kind of DNS resolution error (least restrictive)
- Configure an additional DNS suffix search list for DA clients
The less restrictive the fallback, the more often the client broadcasts internal host names on untrusted networks, where anyone on the link can answer them, so do not loosen it without a reason.
To determine the client's current location (inside/outside) and DirectAccess status:
netsh dnsclient show state
Effective NRPT (Group Policy plus local rules, as actually applied):
netsh namespace show effectivepolicy
The Name Resolution Policy Table (NRPT) decides, per DNS suffix, which DNS servers a query goes to and whether DNSSEC or IPsec is required; on a DA client the intranet suffix points at the DA server's DNS64 address while the NLS and the DA public name are exempt.
To view the NRPT rules as defined in Group Policy:
netsh namespace show policy
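As an added illustration (example code, not from these notes), the following Python model shows how the NRPT steers a DA client's queries and what each of the three fallback settings from Step 3 does when the intranet DNS fails. The table, the DNS64 address, the host names and addresses are constructed, and the stub lookup stands in for the real DNS client; the longest-match rule and the exemption behaviour are the general NRPT semantics, not specific to the names used here.

```python
"""Added example, not from the original notes: a model of the DirectAccess client's
Name Resolution Policy Table (NRPT) lookup and of the three 'local name resolution'
fallback settings from Step 3. Rules, names and addresses are constructed."""

class DnsError(Exception): pass
class NameNotFound(DnsError): pass          # NXDOMAIN
class ServersUnreachable(DnsError): pass    # timeout, no route

# NRPT as the DirectAccess GPO writes it (constructed): the intranet suffix goes to
# the DNS64 address on the DA server; exemption rules (no servers) make the NLS and
# the DA public name resolve through the interface DNS like any Internet name.
NRPT = [
    {"namespace": ".corp.contoso.com", "dns_servers": ["fd00:1:2::1"]},  # DNS64, constructed
    {"namespace": "nls.corp.contoso.com", "dns_servers": []},           # exemption: NLS
    {"namespace": "da.contoso.com", "dns_servers": []},                 # exemption: DA public FQDN
]

FALLBACK_NAME_NOT_FOUND = "name_not_found"                      # most restrictive
FALLBACK_NOT_FOUND_OR_UNREACHABLE = "not_found_or_unreachable"  # recommended
FALLBACK_ANY_ERROR = "any_error"                                # least restrictive

def match_rule(name, table=NRPT):
    """Longest match wins, so an exact-FQDN exemption beats the suffix rule that also covers it."""
    name = name.lower().rstrip(".")
    best = None
    for rule in table:
        ns = rule["namespace"].lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best["namespace"])):
            best = rule
    return best

def fallback_allowed(err, fallback, on_private_network):
    if isinstance(err, NameNotFound):
        return True                         # every setting allows fallback on NXDOMAIN
    if isinstance(err, ServersUnreachable):
        return fallback == FALLBACK_ANY_ERROR or (
            fallback == FALLBACK_NOT_FOUND_OR_UNREACHABLE and on_private_network)
    return fallback == FALLBACK_ANY_ERROR   # any other error (SERVFAIL, REFUSED, ...)

def resolve(name, lookup, table=NRPT, fallback=FALLBACK_NOT_FOUND_OR_UNREACHABLE, on_private_network=True):
    """Returns (path, answer). `lookup(servers, name)` stands in for the DNS client:
    servers=None means the interface-configured DNS; it raises a DnsError subclass on failure."""
    rule = match_rule(name, table)
    servers = rule["dns_servers"] if rule else []
    if not servers:                          # exemption or no rule: normal resolution
        return "interface", lookup(None, name)
    try:
        return "nrpt", lookup(servers, name)
    except DnsError as err:
        if not fallback_allowed(err, fallback, on_private_network):
            raise
        # "Local name resolution" = LLMNR/NetBIOS on the current link, which anyone on
        # that link can answer; this is why the least restrictive setting is risky.
        return "local", None

# Constructed zones behind the stub resolver.
INTRANET = {"fileserver.corp.contoso.com": "fd00:1:2::ac10:5"}
INTERNET = {"da.contoso.com": "203.0.113.10", "www.example.com": "93.184.216.34"}

def make_lookup(dns64_up=True):
    def lookup(servers, name):
        zone = INTERNET if servers is None else INTRANET
        if servers is not None and not dns64_up:
            raise ServersUnreachable(servers)
        if name.lower() in zone:
            return zone[name.lower()]
        raise NameNotFound(name)
    return lookup

if __name__ == "__main__":
    up = make_lookup()
    print(resolve("fileserver.corp.contoso.com", up))   # via NRPT to the DNS64 address
    print(resolve("www.example.com", up))               # no rule: interface DNS
    print(resolve("da.contoso.com", up))                # exempt: interface DNS
    try:
        resolve("nls.corp.contoso.com", up)             # exempt, and absent from Internet DNS
    except NameNotFound as e:
        print("NLS not resolvable from outside (as intended):", e)
    down = make_lookup(dns64_up=False)
    for setting in (FALLBACK_NAME_NOT_FOUND, FALLBACK_NOT_FOUND_OR_UNREACHABLE, FALLBACK_ANY_ERROR):
        try:
            print(setting, resolve("fileserver.corp.contoso.com", down, fallback=setting))
        except ServersUnreachable:
            print(setting, "no fallback, query fails")
```

The NLS case is the one worth noticing: because its name is exempt from the NRPT, a remote client resolves it through public DNS and must fail, which is exactly what keeps DA switched on outside the office. The loop at the end shows that with the DNS64 path down, only the two looser settings fall back to link-local resolution.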
ISATAP note: when using ISATAP you must remove "isatap" from the global query block list on every internal DNS server. The command sets the whole list rather than removing one entry, so keep "wpad" in it:
dnscmd /config /globalqueryblocklist wpad
3.4.4 configure certificates for Direct Access
2012 and 2012 R2 no longer require a PKI for the simplified (Getting Started Wizard) deployment with Windows 8 clients; Windows 7 clients, OTP/two-factor authentication, NAP integration and the dual-tunnel model still need certificates.
This works by implementing an HTTPS-based Kerberos proxy: client authentication requests go to the Kerberos proxy service on the DirectAccess server, which sends Kerberos requests to domain controllers on behalf of the client.
The DA server can have a server authentication certificate installed for IP-HTTPS, which can come from a public CA (so clients can validate it without extra trust setup). Otherwise the wizard configures self-signed IP-HTTPS and KDC proxy certificates; self-signed certificates cannot be revoked and are awkward to rotate, so prefer a CA-issued one in production.
http://technet.microsoft.com/en-us/library/dn636118.aspx
3.4.1 Implement server requirements
Server must be a part of an AD domain
Server must be running 2008R2, 2012, 2012R2
Server published through MF-TMG or MF-UAG, a single nic is needed. If it is connected directly, it requires two nics.
Two Public IP addresses unless using NAT via IP over HTTPS
2012 can use NLB up to eight nodes
2012 introduces single IPSEC tunnel but it does not support certain other capabilities, which can be restored by configuring the dual IPSEC tunnel model of 2008R2 (1 Infrastructure, 1 Intranet)
2008R2 functional level
ISATAP requires dns server supporting DNS messaging over ISATAP.
ISATAP name removed from DNS global query block list
Ipsec policies
Teredo requires ICMPv6 functionality
Server setup:
Install the remoteaccess windowsfeature on the DirectAccess server
Run Remote Access Management tool from Server Manager. (ramgmtui.exe)
Run "Getting Started Wizard"
Deploy "Directaccess and VPN" or "Directaccess"
Choose your network topology - Edge server, behind two nice edge device, behind single adapter edge device
Enter IP address to be used to reach this server. (Public IP if edge)
Click edit for other settings. Some of these can be configured after the wizard using the four step component configuration.
GPO names
-lets you select specific GPOs for Client and Server. These will be created in the domain.
Remote Clients - Step 1Client configuration
-You can uncheck the "Enable directaccess for mobile computers only", which uses the WMI filter to detect mobile computers in the listed groups. Then you can specify specific groups that will contain DA_Clients.
-Network Connectivity Assistant contains settings used on the client for connectivity info, diagnostics, and support.
Remote Access Server - Step 2 Server Configuration
-network settings for the DA server
Infrastructure setup - Step 3 Infrastructure configuration (NLS, DNS, DNS suffix for clients, Management servers)
-the NLS (Network Location Server) is an internal HTTPS site that the DA client probes; if the client can reach it, it assumes it is on the intranet and suspends the DA NRPT rules. It must not be reachable from the Internet (a client that can reach it from outside would disable DA), and it must be highly available: if the NLS is down, intranet clients treat themselves as remote and lose internal name resolution.
-used to set up the DNS suffixes that will be resolved through DA (the NRPT). Names in other suffixes go to the client's normal DNS servers if the configuration allows it.
Step 4 - Application configuration
require end-to-end authentication and encryption to specific application servers
Check Operation Status of the DA server is in "Working" state.
Extra Note: 2012 introduced DNS64 and NAT64 for backwards compatibility, allowing DA clients (which reach the server over IPv6) to access IPv4-only internal corporate resources. 2008R2 requires MF-UAG for this functionality.
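The same Getting Started deployment and the "Working" check from PowerShell, as an added example (not from the original notes or Microsoft's documentation). The interface aliases, the public name da.contoso.com, the domain contoso.com, the GPO names and the group DA_Clients are placeholders; the cmdlets are from the RemoteAccess module on 2012/2012R2.

```powershell
# Added example: deploy DirectAccess with the wizard's choices from PowerShell,
# then verify it. Every name below is a placeholder for your own environment.
Import-Module RemoteAccess

$da = @{
    DAInstallType     = 'FullInstall'                  # DirectAccess only
    ConnectToAddress  = 'da.contoso.com'               # public name clients connect to (IP-HTTPS/Teredo)
    InternetInterface = 'Internet'                     # edge topology: Internet-facing NIC
    InternalInterface = 'Corp'                         # intranet-facing NIC
    ClientGpoName     = 'contoso.com\DirectAccess Client Settings'
    ServerGpoName     = 'contoso.com\DirectAccess Server Settings'
}

# 1. Prerequisite check only: domain membership, interfaces, certificates, ICMPv6 rules.
#    This fails on the same conditions the wizard reports, without changing anything.
Install-RemoteAccess @da -Prerequisite

# 2. Deploy. With these defaults the IP-HTTPS and KDC proxy certificates are self-signed
#    and the NLS is hosted on the DA server itself (see the usage note below).
Install-RemoteAccess @da -Force

# Step 1 (clients): scope DA to one security group and drop the mobile-computers-only WMI filter.
Set-DAClient -SecurityGroupNameList 'contoso\DA_Clients' -OnlyRemoteComputers Disabled

# Step 3 (infrastructure): the NRPT entries clients will receive; DA suffixes should point
# at the DA server's DNS64 address, nothing else.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# Verify: this is the console's Operation Status view. Anything not 'Working' needs attention
# before clients are pointed at the server.
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'Working' } |
    Format-Table Component, HealthState -AutoSize

# Which certificate http.sys presents on 443 for IP-HTTPS (self-signed unless you installed one).
netsh http show sslcert
```

In production, move the NLS off the DA server onto an internal, highly available HTTPS site (the URL can be changed afterwards with Set-DANetworkLocationServer) and replace the self-signed IP-HTTPS certificate with one from a CA whose CRL is reachable from the Internet; a DA client that cannot check the CRL will not bring up IP-HTTPS.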
3.4.2 implement client configuration
Clients must be Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Enterprise, 2008R2, 2012, 2012R2
Client must be joined to the domain
Windows 7 and 2008R2 uses DirectAccess Connectivity Assistant (DCA)
Windows 8, 2012 uses Network Connectivity Assistant (NCA)
Domain clients are auto-configured according to the GPO assigned. As noted before, WMI filter for mobile computers can be enforced in addition to specific security groups.
3.4.3 configure DNS for Direct Access
DirectAccess requires two external DNS A records: one for the DirectAccess server's public name, the second for the Certificate Revocation List distribution point. Internal DNS needs records for the NLS server and the CRL distribution point.
There is DNS setup in Infrastructure Configuration(Step 3).
-Set the suffixes that are used for name resolution via DA.
-Configure the behaviour of DNS resolution for a DA client while connected
- Use local name resolution if name does not exist
- Use local name if name does not exist or DNS servers are unreachable
- Use local name resolution due to any DNS resolution error.
- Configure an additional DA client suffix search list
To determine client's dns "location" use
netsh dnsclient show state
Effective NRPT settings:
netsh dnsclient show effectivepolicy
Name Resolution Policy Table (NRPT) is used to determine behavior of the DNS clients when issuing queries.
To view the NRPT settings on the client as defined via GP:
netsh namespace show policy
ISATAP note: When using ISATAP you must remove ISATAP from the global query block list. The /globalqueryblocklist switch replaces the whole list with the names you pass, so list only the names that should stay blocked (wpad) and leave isatap out. Passing "isatap" alone would do the opposite: keep ISATAP blocked and unblock WPAD, which exposes clients to WPAD proxy hijacking.
dnscmd /config /globalqueryblocklist wpad
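An added example (not from the original notes) covering both the 3.4.2 client-side checks and the DNS settings in 3.4.3: on a Windows 8/2012 client it shows where name resolution actually goes, and on the internal DNS server it removes ISATAP from the global query block list without unblocking WPAD. The host name fileserver.corp.contoso.com is a placeholder; the cmdlets are from the DnsClient, NetworkConnectivityStatus and DnsServer modules.

```powershell
# Added example: DA name resolution checks on the client, and the block-list fix on the DNS server.

# --- On a Windows 8 / 2012 DirectAccess client ---

# Effective NRPT as applied from the DA client GPO. Each DA suffix should show
# DirectAccessEnabled = True and the DA server's DNS64 address in DirectAccessDnsServers.
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, DirectAccessEnabled, DirectAccessDnsServers, DirectAccessProxyType -AutoSize

# Inside or outside? ConnectedLocally = the NLS answered and the NRPT is suspended;
# ConnectedRemotely = the DA tunnels are up. Anything else and the client is not on DA.
Get-DAConnectionStatus

# Does an internal name go through the NRPT? Resolve-DnsName (and ping) use the DNS Client
# service, so they honour the NRPT; nslookup talks to the configured DNS server directly
# and bypasses the NRPT, which makes it useless for testing DA resolution.
Resolve-DnsName -Name 'fileserver.corp.contoso.com' -Type A

# --- On the internal DNS server (DnsServer module, 2012+) ---

# Default list is isatap and wpad. Set-... replaces the whole list, so keep wpad in it.
Get-DnsServerGlobalQueryBlockList
Set-DnsServerGlobalQueryBlockList -List 'wpad' -PassThru
```

If a client shows ConnectedLocally while it is actually outside the network, the NLS name is resolvable and reachable from the Internet; fix that before anything else, because such a client silently turns DA off.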
3.4.4 configure certificates for Direct Access
2012 and 2012R2 no longer require a PKI certificate setup for a basic deployment.
This is done by implementing an HTTPS-based Kerberos proxy (KDC proxy). Client authentication requests are sent to the Kerberos proxy service running on the DirectAccess server, which forwards the Kerberos requests to domain controllers on behalf of the client. This only works for Windows 8 and later clients; Windows 7 clients, NAP integration and two-factor authentication still need computer certificates from a PKI.
Wednesday, August 13, 2014
3. Configure network services and access 3.3 Configure VPN and routing
3.3.1 Install and configure the Remote Access role
Installing the remote access role provides for multiple Routing and Remote Access(RRAS) options:
VPN: Virtual Private Network - client to server and site to site.
DRAS: Dialup Remote Access Server
NAT: Network Address Translation
Basic router functionality -
Web application proxy (R2)
Install from Add Roles and Features Wizard:
Add server role: Remote Access(RemoteAccess)
Under role services you can specify any of the sub-feature options:
DirectAccess/VPN(DirectAccess-VPN)
Routing(Routing)
Web Application Proxy(Web-Application-Proxy)
Installing Routing will also install DirectAccess-VPN. Installing DirectAccess-VPN does not install Routing.
In addition, installing the Routing and/or DirectAccess-VPN role services on R2 will also install IIS (Web-Server) and a number of its sub-components, as well as the Windows Internal Database (Windows-Internal-Database). If you include management tools, Web-Mgmt-Console will also be installed.
Including the Management tools with any of the role services will also install Group Policy Management Console(GPMC), Connection Manager Administration Kit(CMAK), RSAT-RemoteAccess, RSAT-RemoteAccess-Mgmt, and RSAT-RemoteAccess-Powershell
After installing a sub-feature(s), you can run the configuration wizard from the server manager or pull up the Remote Access Management Console and run the wizard from there.
Run the Remote Access Console from Server Manager under "Remote Access Management Console"(RAMgmtUI.exe)
DirectAccess and VPN/Routing - Two wizards are presented:
Getting Started Wizard - configures with default recommended settings
Remote Access Setup Wizard - configure with custom settings
With either wizard, you have the option to deploy DirectAccess only, VPN only, or both.
Note that configuring VPN or NAT opens the Routing and Remote Access MMC snap-in (rrasmgmt.msc).
You can also launch the RRAS Management from the right hand side of the RRAS Management Console under VPN/Open RRAS Management. Or launch from command line using (rrasmgmt.msc)
Web Application Proxy also has its own configuration wizard.
Powershell:
Install all features:
install-windowsfeature remoteaccess -includeallsubfeature -includemanagementtools
Install routing and directaccess/vpn:
install-windowsfeature routing -includemanagementtools
Install only directaccess/vpn:
install-windowsfeature directaccess-vpn -includemanagementtools
Extra Note: The full set of web-server features that are installed with Routing and DirectAccess-VPN include Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-IP-Security, Web-Mgmt-Tools, Web-Scripting-Tools
Note that this only applies to R2, as 2012 only installed Web-IP-Security and also did not install WID.
Extra Note: R2 adds router BGP support for multi-tenant deployments. This is configurable via Powershell only.
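Because Routing and DirectAccess-VPN silently pull in IIS and the Windows Internal Database, it is worth listing what actually landed on the server after the install. The following is an added example (not from the original notes); the service name MSSQL$MICROSOFT##WID is the Windows Internal Database instance on 2012/2012R2.

```powershell
# Added example: inventory the role services, side-effect features and listening
# ports after installing the Remote Access role.

$watched = 'RemoteAccess', 'DirectAccess-VPN', 'Routing', 'Web-Application-Proxy',
           'Web-Server', 'Windows-Internal-Database', 'GPMC', 'CMAK',
           'RSAT-RemoteAccess', 'RSAT-RemoteAccess-Mgmt', 'RSAT-RemoteAccess-PowerShell'
Get-WindowsFeature -Name $watched | Format-Table Name, Installed -AutoSize

# Every IIS sub-feature present; compare with the Extra Note list above.
(Get-WindowsFeature -Name 'Web-*' | Where-Object Installed).Name

# Services that should only be running if you meant them to be. W3SVC is IIS,
# MSSQL$MICROSOFT##WID is the Windows Internal Database.
Get-Service -Name RemoteAccess, W3SVC, 'MSSQL$MICROSOFT##WID' -ErrorAction SilentlyContinue |
    Format-Table Name, Status, DisplayName -AutoSize

# Listening TCP ports and the owning process: what the new role actually exposes.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize
```

Run it before and after the role install and diff the output; on R2 an RRAS-only server should not need the IIS default web site listening on 80, and it can be stopped once you have confirmed nothing (such as DirectAccess IP-HTTPS or Web Application Proxy) depends on it.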
3.3.2 implement Network Address Translation (NAT)
Requires at least 2 network interfaces. Routing should be installed
In the RRAS Management snap-in, right click the Server and select either of the NAT wizards, or just custom configuration as in the following example.
After clicking Custom configuration and Next, choose NAT, then Next. The service will start; click Finish. Note that if Routing is not installed, you can complete this step but NAT will not appear in the list of options under IPv4 in the next step.
Expand the tree from the RRAS server in RRAS snap-in, IPv4. Right click NAT and "New Interface" to configure an interface that will participate in NAT. If the Interface faces the internal network, choose Private Interface. Otherwise, choose the Public interface and if you want to do NAT translation on this interface, choose Enable NAT.
Once you have at least one public interface and one private interface, packets arriving on the private interface are sent out the public interface with their source address translated to the public interface IP.
By right clicking on the public interface, you can use "Show mappings" to view current NAT mappings. Or by selecting Properties, you can click on the "Address Pool" tab to add a pool of addresses that can be used by internal computers, and have the option to reserve some of those ips to private computers, as a 1-to-1 mapping, using the "Reservations" button. You can also setup port redirection from the outside public interface on the "Services and Ports" tab. This allows you to redirect ports on the interface ip or address pool, to an internal private server, such as a web server.
The DHCP allocator and DNS Proxy are for simple SOHO deployments. DHCP allocator is a very simple DHCP server for a single scope of addresses. DNS proxy will act as a simple DNS server to forward requests from the internal network.
Extra Note: When an address pool is configured on a public interface, outbound requests will use each public address unless otherwise reserved for 1-to-1 mapping.
Extra Note: On 2012, I have not found a way to add NAT after an RRAS server has been initially configured without it, unless you disable and reconfigure.
Extra Note: In R2, there is a new powershell module, "NetNat", with cmdlets that appear to be for setting up NAT. However, these are for the new multi-tenant VPN feature for setting up NAT with a NVGRE network, and is not related to the RRAS NAT feature.
3.3.3 configure VPN settings
http://technet.microsoft.com/en-us/library/dd469817%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd469733.aspx
Types of VPN scenarios:
Client to Server - Clients connect to RRAS server to get on the network.
Site-to-Site - Two VPN servers create a connection to each other.
VPN protocols supported by RRAS:
Point-to-Point Tunneling Protocol (PPTP) - uses TCP for tunnel management and encapsulates PPP datagrams in GRE. Microsoft encrypts via Microsoft Point-to-Point Encryption (MPPE), with keys derived from MS-CHAPv2 or EAP-TLS authentication. PPTP uses TCP port 1723 for control and IP protocol 47 (GRE) for the tunnel. MS-CHAPv2 is cryptographically weak (a captured handshake lets an attacker recover the credentials offline), so PPTP should be avoided where one of the protocols below is available.
Layer 2 Tunneling Protocol (L2TP) with IPsec - L2TP encapsulates PPP in UDP packets on port 1701. IPsec first sets up a secure channel using IKE on UDP port 500, authenticated by pre-shared key or certificate, then protects the L2TP datagrams with ESP (IP protocol 50). UDP port 4500 is used for IPsec NAT traversal. Encryption is either AES or 3DES.
IKEv2: IPsec sets up the secure channel using IKEv2 on UDP port 500 (or 4500 behind NAT), authenticated by pre-shared key or certificate, then carries the tunnel traffic in ESP (IP protocol 50). UDP port 4500 is used for IPsec NAT traversal. Encrypted with one of AES 256, AES 192, AES 128, or 3DES. It supports MOBIKE and VPN Reconnect. Supported on Windows 7, Windows 2008R2, and newer versions.
SSTP: Encapsulates PPP datagrams over TLS (TCP port 443), encrypted by TLS. Note that SSTP is not available for site-to-site VPN connections.
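The port/protocol table above as explicit Windows Firewall rules on the Internet-facing interface, plus restricting user authentication to EAP, as an added example (not from the original notes). The interface alias 'Internet' is a placeholder; New-NetFirewallRule and Set-VpnAuthProtocol are the 2012 NetSecurity and RemoteAccess cmdlets, and the PPTP rules are deliberately created disabled.

```powershell
# Added example: one inbound rule per tunnel type on the external interface, built
# from the port table above, then limit user authentication to EAP.
$ext    = 'Internet'                                   # placeholder interface alias
$common = @{ Direction = 'Inbound'; Action = 'Allow'; InterfaceAlias = $ext; Group = 'RRAS VPN' }

# IKEv2 and L2TP/IPsec: IKE on UDP 500, NAT-T on UDP 4500, ESP is IP protocol 50
New-NetFirewallRule @common -DisplayName 'VPN IKE (UDP 500)'    -Protocol UDP -LocalPort 500
New-NetFirewallRule @common -DisplayName 'VPN NAT-T (UDP 4500)' -Protocol UDP -LocalPort 4500
New-NetFirewallRule @common -DisplayName 'VPN ESP (IP 50)'      -Protocol 50
# L2TP control/data on UDP 1701 (normally only seen inside ESP, but RRAS listens on it)
New-NetFirewallRule @common -DisplayName 'VPN L2TP (UDP 1701)'  -Protocol UDP -LocalPort 1701
# SSTP: PPP over TLS on TCP 443
New-NetFirewallRule @common -DisplayName 'VPN SSTP (TCP 443)'   -Protocol TCP -LocalPort 443
# PPTP: TCP 1723 control plus GRE (IP protocol 47). Created disabled because MS-CHAPv2 is weak;
# enable both only if you knowingly need PPTP for a legacy client.
New-NetFirewallRule @common -DisplayName 'VPN PPTP (TCP 1723)'  -Protocol TCP -LocalPort 1723 -Enabled False
New-NetFirewallRule @common -DisplayName 'VPN GRE (IP 47)'      -Protocol 47 -Enabled False

# User authentication: accept EAP only (EAP-TLS / PEAP), which drops MS-CHAPv2, CHAP and PAP.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru

# Review what was created
Get-NetFirewallRule -Group 'RRAS VPN' | Format-Table DisplayName, Enabled, Profile -AutoSize
```

The role install already adds Microsoft's own "Routing and Remote Access" firewall rule group, which is not bound to an interface; these interface-bound rules are what the wizard's "static packet filters" option approximates, and they document exactly which ports the VPN server is expected to answer on.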
GUI install:
There are multiple ways to configure VPN functionality on the RRAS server. In the RRAS Management snap-in, right click the Server and select one of the VPN options: "Remote access","Virtual private network access and NAT", "Secure connection between two private networks", or just use a custom configuration and select VPN, as well as dialup-access and/or demand-dial as needed.
If you want to disable VPN after using the wizard, right click the server in the RRAS MMC snap-in, select Properties, and uncheck "IPv4 Remote access server".
Powershell:
Configure only the VPN feature:
install-remoteaccess -vpntype vpn
Client-to-Server. Configuring Servers.
The minimum configuration for clients to connect to the RRAS server is to select Custom configuration and then VPN.
Using the "Remote access (dial-up or VPN)" wizard:
Check VPN.
Select Interface that faces the internet and will be used for incoming VPN connections.
(Note that configuring this does not specifically prevent other interfaces from being used as VPN endpoints, unless otherwise firewalled/filtered)
If you check "Enable security on the selected interface by setting up static packet filters", then the wizard will setup some filters for the interface and ports allowed for VPN.
Next, select an interface for a network that VPN clients can use for addresses.
(Note that this interface will be used to obtain DHCP addresses for the VPN clients, and will not necessarily limit clients to accessing only this interface)
Select whether DHCP will be used to assign IPs to the clients, or add a range of addresses that clients can use. The next option is to decide whether to use RADIUS authentication
Custom configuration:
To create a similar configuration as using the wizard above:
Static packet filters:
In the RRAS MMC snap-in, expand IPv4, General, then right click on the interface. On the general tab, add applicable filters to the Inbound Filters option.
To configure which interface to use for DHCP, or to configure static addresses, right click on the RRAS server and select Properties, then click the IPv4 tab. If you choose DHCP, you can also choose which interface to obtain DHCP addresses from. This setting assigns addresses to both server and client VPN interfaces, unless the client is configured with a static IP (for example, through its dial-in settings).
View connected clients:
Under RRAS server, click on Remote Access Clients.
You can also sort the Ports by Active and see ports being used.
Powershell:
get-remoteaccessconnectionstatistics
get-remoteuseractivity 'rrasserver\clientuser'
disconnect-vpnuser 'rrasserver\clientuser'
Client-to-Server. Configuring Clients.
In Windows 8 or 2012, you configure clients by going to "Network and Sharing Center" in Control Panel and choosing "Set up a new connection or network".
Split-Tunnel configuration:
By default the client will route all traffic to the vpn connection. You can change this behavior in the client's VPN connection properties - go into the Network and Sharing Center on the client, clicking the VPN connection, click properties, Networking tab, properties for IPv4 or IPv6, Advanced, uncheck "Use default gateway on remote network"
Site-to-Site configuration:
A minimum configuration for a site-to-site vpn connection requires only selecting custom configuration and then VPN and demand-dial.
In the RRAS MMC, click "Network Interfaces". Right click the view and select "New demand-dial interface".
Enter the remote server name as "Interface Name".
Select "Connect using VPN". Select type of VPN, for example "PPTP".
Enter IP address of remote server.
"Route IP packets on this interface" should be checked. If this server will only dial the remote server, and not vice versa, then you do not need to select "Add a user account" (optional: you can set up a user account manually later).
Add a static route for the remote network. (Optional: you can setup routing later as needed).
Dial-out credentials: You have to put this in, but it is only needed if this server will call the remote server.
Note: If using a local account on the remote server, set the DOMAIN to the remote server name.
From the dialing server - right click the "Network Interface" and Connect.
You can change credentials by right clicking the demand-dial interface and selecting "Set Credentials".
Demand-Dial vs. Persistent:
You can configure a connection to only come up and connect when it receives traffic destined for certain networks. In Properties, be sure Options tab is set to Demand-Dial. You can also decide how long the connection is idle before it closes. Right-click on the interface connection and select "Set IP Demand-dial filters". Here you can decide what traffic will start the connection.
For a persistent connection, you only need to select "Persistent connection" in Properties/Options tab. Now the connection will stay up once connected.
Extra Note: Use "netsh ras diag set trace enable" to turn on detailed logging, which is stored in %systemdrive%\tracing. Turn off logging with "netsh ras diag set trace disable".
Extra Note: The default dial-in setting for a user in 2012 is "Control access through NPS Network Policy". However, if you let the demand-dial interface wizard create a user for you, it will set the dial-in setting to "Allow Access" for that user.
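The demand-dial interface wizard from PowerShell, as an added example (not from the original notes), using IKEv2 rather than the PPTP shown in the walkthrough. The peer address 203.0.113.10 and the remote network 192.168.200.0/24 are TEST-NET placeholders, the pre-shared key is a placeholder, and the parameter names are those of the RemoteAccess module's Add-VpnS2SInterface as documented for 2012.

```powershell
# Added example: site-to-site (demand-dial) IKEv2 interface from PowerShell.
Import-Module RemoteAccess

$s2s = @{
    Name                  = 'BranchOffice'                 # becomes the demand-dial interface name
    Protocol              = 'IKEv2'                        # not PPTP: see the MS-CHAPv2 note in 3.3.3
    Destination           = '203.0.113.10'                 # remote RRAS server (placeholder)
    AuthenticationMethod  = 'PSKOnly'                      # lab only; use 'MachineCertificates' in production
    SharedSecret          = 'replace-with-a-long-random-secret'
    IPv4Subnet            = '192.168.200.0/24:100'         # remote network:metric = the static route step
    IdleDisconnectSeconds = 300                            # demand-dial: tear down after 5 minutes idle
}
Add-VpnS2SInterface @s2s

# Persistent instead of demand-dial (the "Persistent connection" option on the Options tab):
# Set-VpnS2SInterface -Name 'BranchOffice' -Persistent $true

# Equivalent of right-click > Connect on the dialing server, then check the result.
Connect-VpnS2SInterface -Name 'BranchOffice'
Get-VpnS2SInterface -Name 'BranchOffice' | Format-List Name, ConnectionState, Protocol, IPv4Subnet

# The route to the remote network should now point at the demand-dial interface.
Get-NetRoute -DestinationPrefix '192.168.200.0/24'
```

A pre-shared key is acceptable for a lab, but for a production tunnel use machine certificates on both RRAS servers so that a leaked key in a script or config backup cannot be replayed to bring up a tunnel from an attacker-controlled peer. The wizard's "Add a user account" step is not needed here because IKEv2 authenticates the peers at the IPsec layer.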
3.3.4 configure remote dial-in settings for users
You can configure some specific dial-in settings for users by using the "Dial-in" tab in the user profile properties. For local users using the Local Users and Groups in computer management, and for domain users by using the ADUC.
Network Access Permission:Determines if this user can remotely connect to this server. Allow, Deny, or Control Access through NPS Network Policy. Default setting is "Control Access through NPS Network Policy"
Note that NPS can override this setting.
Verify Caller-ID:
Device(s) must support caller-id and caller's id must match this setting if checked and filled out.
Callback Options:
No Callback, Set by Caller (RRAS only), Always callback to ____. Default is No Callback
Assign Static IP Addresses:
Defaults to assigning these IP(v4 and/or v6) addresses to this user's connections
Apply Static Routes:
Can be used to define static routes that are added when a one-way demand-dial connection authenticates with this account. This is not meant to set up routes for a single user/client.
Extra Note: The use of the "Apply Static Routes" setting is fairly confusing. See the following articles for more information: http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc736311%28v=ws.10%29.aspx
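Since the demand-dial wizard sets "Allow access" on the accounts it creates (see the Extra Note in 3.3.3), it is worth auditing the Dial-in tab from PowerShell. The following is an added example (not from the original notes); it relies on the AD attribute msNPAllowDialin being TRUE for "Allow access", FALSE for "Deny access" and absent for "Control access through NPS Network Policy". The account name svc-s2s-branch is a placeholder.

```powershell
# Added example: audit and reset the Dial-in "Network Access Permission" setting.
Import-Module ActiveDirectory

# Accounts with an explicit 'Allow access', e.g. ones the demand-dial wizard created.
# Also show the static IP and callback number set on the same tab.
Get-ADUser -Filter { msNPAllowDialin -eq $true } `
    -Properties msNPAllowDialin, msRADIUSFramedIPAddress, msRADIUSCallbackNumber |
    Select-Object SamAccountName, msNPAllowDialin, msRADIUSFramedIPAddress, msRADIUSCallbackNumber |
    Format-Table -AutoSize

# Put a wizard-created account back to the default, so NPS network policy decides:
Set-ADUser -Identity 'svc-s2s-branch' -Clear msNPAllowDialin

# Or deny it outright (NPS policy cannot grant access to a user set to Deny):
Set-ADUser -Identity 'svc-s2s-branch' -Replace @{ msNPAllowDialin = $false }
```

"Allow access" bypasses the NPS network policy evaluation, so an account left on that setting keeps VPN access even after you tighten the policies on the NPS server; keeping every account on the NPS-controlled default puts the decision in one auditable place.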
3.3.5 configure routing
Viewing the route table in RRAS - Right click Static Routes under IPv4 or IPv6 and select "Show IP Routing Table".
route print
get-netroute
Static routes:
In RRAS, right click the Static Routes and select "New static route"
Select which interface this route will go out.
Enter the destination, network mask, gateway, and metric.
Note: static routes added through RRAS are persistent by default in that they will be readded to the routing table automatically when the service starts, and removed if it is stopped.
route add -p 192.168.100.0 mask 255.255.255.0 10.0.0.1
new-netroute -destinationprefix '192.168.101.0/24' -interfacealias 'ethernet' -nexthop '10.0.0.1'
route change 192.168.101.0 mask 255.255.255.0 10.0.0.2
set-netroute -destinationprefix '192.168.101.0/24' -nexthop '10.0.0.2'
route delete 192.168.101.0
remove-netroute '192.168.101.0/24'
RIP configuration:
in RRAS mgmt, expand IPv4 under the RAS server. Choose "New Routing Protocol" , "RIP version 2..."
On RIP menu or in view, right click and select "New Interface". Select an interface that will carry RIP advertisements.
General tab:
Operation mode:
Auto-static update mode - updates are sent only when another router requests them; learned routes are marked as static.
Periodic update mode - updates are sent out at intervals set by the "Periodic announcement interval" (default 30 seconds)
Outgoing packet protocol:
RIP 1 broadcasts, RIP 2 broadcasts
RIP 2 multicast - sent on 224.0.0.9
Silent RIP - router will not send out advertisements on this interface, but will listen and record routes.
Incoming Packet Protocol - which advertisements to accept on this interface
RIP 1, RIP 2, RIP v1 & 2, Ignore RIP advertisements
Added cost for route - This number is added to a route for path cost purposes. Higher is worse.
Tag for announced routes - can be used to distinguish RIP routes from other routing protocols
Security tab:
This tab can be used to filter outgoing and incoming routes
Neighbors tab -
neighbors can be configured for unicast advertisements. You can configure the interface to advertise using broadcast/multicast, both neighbors and broadcast/multicast, or neighbors(unicast) only.
Advanced tab:
Periodic announcement interval - default 30 seconds
Time before routes expire - default 180 seconds
Time before route is removed - default 120 seconds. After expiration, the route remains in the routing table for this time so neighbors can be notified that the route is no longer valid.
Enable split-horizon - To prevent loops, routes learned from Neighbor A are not sent back to neighbor A
Enable poison-reverse - Better prevention of loops at the cost of larger advertisements - routes learned from Neighbor A are sent back to A with infinity metric(16).
Enable triggered updates - Changes in the routing table are sent immediately
Send clean-up updates when stopped - when stopped, router sends advertisements to let other routers know that it is no longer valid for those routes.
Process host routes - handle incoming host route announcements
Include host routes - include host routes in outgoing announcements
Process default routes - accept default routes (0.0.0.0)
include default routes - include default route
Disable subnet summarization - summarization supernets subnets to make advertisements smaller.
Extra Note: RIP advertisements are sent over UDP port 520. RIPv2 adds optional multicast, subnet masks in advertisements (CIDR), route tagging, and simple password authentication. The password travels in clear text, so it protects against misconfigured neighbors, not against an attacker on the segment who can inject routes.
3.3.6 (R2) configure web application proxy in passthrough mode
http://technet.microsoft.com/en-us/library/dn383639.aspx
Web Application Proxy replaces the functionality of AD FS Proxy 2.0. Installing Web Application Proxy requires an AD FS server, a certificate for the AD FS federation service name, and a certificate for each application that will be published.
Passthrough applications do not require authentication to AD FS, although the application on the back-end may require its own authentication.
On an already installed web-proxy server, configuring an application in passthrough mode is done in the Remote Access Management Console(ramgmtui.exe), which is accessible from Server Manager.
Select Configuration, Web Application Proxy.
Click Publish.
Select preauthentication method: Pass-through.
Publishing Settings - enter a name, external URL, external certificate, and internal URL.
Powershell:
see link above for example.
Add-WebApplicationProxyApplication -Name 'Intranet App' -ExternalPreauthentication PassThrough -ExternalUrl 'https://app.contoso.com/' -BackendServerUrl 'https://app.corp.contoso.com/' -ExternalCertificateThumbprint '<thumbprint of the certificate for app.contoso.com>'
(The name, URLs and thumbprint are placeholders; the external certificate must already be in the proxy's local machine store.)
Installing the remote access role provides for multiple Routing and Remote Access(RRAS) options:
VPN: Virtual Private Network - client to server and site to site.
DRAS: Dialup Remote Access Server
NAT: Network Address Translation
Basic router functionality -
Web application proxy (R2)
Install from Add Roles and Features Wizard:
Add server role: Remote Access(RemoteAccess)
Under role services you can specify any of the sub-feature options:
DirectAccess/VPN(DirectAccess-VPN)
Routing(Routing)
Web Application Proxy(Web-Application-Proxy)
Installing Routing will also install DirectAccess-VPN. Installing DirectAccess-VPN does not install Routing.
In addition, installing the Routing and/or DirectAccess-VPN role services on R2 will also install IIS(Web-Server) and a number of it's sub-components, as well as the Windows-Internal-Database(WID). If you include management tools, Web-Mgmt-Console will also be installed.
Including the Management tools with any of the role services will also install Group Policy Management Console(GPMC), Connection Manager Administration Kit(CMAK), RSAT-RemoteAccess, RSAT-RemoteAccess-Mgmt, and RSAT-RemoteAccess-Powershell
After installing a sub-feature(s), you can run the configuration wizard from the server manager or pull up the Remote Access Management Console and run the wizard from there.
Run the Remote Access Console from Server Manager under "Remote Access Management Console"(RAMgmtUI.exe)
DirectAccess and VPN/Routing - Two wizards are presented:
Getting Started Wizard - configures with default recommended settings
Remote Access Setup Wizard - configure with custom settings
With either wizard, you have the option to deploy both DireactAccess, VPN, or both.
Note that to configure VPN/NAT will open the Routing and Remote Access Management MMC snap-in (rrasmgmt.msc)
You can also launch the RRAS Management from the right hand side of the RRAS Management Console under VPN/Open RRAS Management. Or launch from command line using (rrasmgmt.msc)
Web Application Proxy also has it's own configuration wizard.
Powershell:
Install all features:
install-windowsfeature remoteaccess -includeallsubfeature -includemanagementtools
Install routing and directaccess/vpn:
install-windowsfeature routing -includemanagementtools
Install only directaccess/vpn:
install-windowsfeature directaccess-vpn -includemanagementtools
Extra Note: The full set of web-server features that are installed with Routing and DirectAccess-VPN include Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Loggin, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-IP-Security, Web-Mgmt-Tools, Web-Scripting-Tools
Note that this only applies to R2, as 2012 only installed Web-IP-Security and also did not install WID.
Extra Note: R2 adds router BGP support for multi-tenant deployments. This is configurable via Powershell only.
3.3.2 implement Network Address Translation (NAT)
Requires at least 2 network interfaces. Routing should be installed
In the RRAS Management snap-in, right click the Server and select either of the NAT wizards, or just custom configuration as in the following example.
After clicking customer configuration and Next, choose NAT, then Next. The service will start and click Finish. Note that if Routing is not installed, you can do this step but you will not see NAT in the list of options under IPv4 in the next step.
Expand the tree from the RRAS server in RRAS snap-in, IPv4. Right click NAT and "New Interface" to configure an interface that will participate in NAT. If the Interface faces the internal network, choose Private Interface. Otherwise, choose the Public interface and if you want to do NAT translation on this interface, choose Enable NAT.
Once you have at least one public interface and one private, any packets that come in on the private will be out the public by translating to the interace IP.
By right clicking on the public interface, you can use "Show mappings" to view current NAT mappings. Or by selecting Properties, you can click on the "Address Pool" tab to add a pool of addresses that can be used by internal computers, and have the option to reserve some of those ips to private computers, as a 1-to-1 mapping, using the "Reservations" button. You can also setup port redirection from the outside public interface on the "Services and Ports" tab. This allows you to redirect ports on the interface ip or address pool, to an internal private server, such as a web server.
The DHCP allocator and DNS Proxy are for simple SOHO deployments. DHCP allocator is a very simple DHCP server for a single scope of addresses. DNS proxy will act as a simple DNS server to forward requests from the internal network.
Extra Note: When an address pool is configured on a public interface, outbound requests will use each public address unless otherwise reserved for 1-to-1 mapping.
Extra Note: On 2012, I have not found a way to add NAT after an RRAS server has been initially configured without it, unless you disable and reconfigure.
Extra Note: In R2, there is a new powershell module, "NetNat", with cmdlets that appear to be for setting up NAT. However, these are for the new multi-tenant VPN feature for setting up NAT with a NVGRE network, and is not related to the RRAS NAT feature.
3.3.3 configure VPN settings
http://technet.microsoft.com/en-us/library/dd469817%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd469733.aspx
Types of VPN scenarios:
Client to Server - Clients connect to RRAS server to get on the network.
Site-to-Site - Two VPN servers create a connection to each other.
VPN protocols supported by RRAS:
Point-to-Point Tunneling Protocol (PPTP) - uses TCP for tunnel management and encapsulates PPP datagrams in GRE protocol. Microsoft encrypts via Microsoft Point-to-Point Encryption(MPPE) using MsChapv2 or EAP-TLS. PPTP uses TCP port 1723 and IP protocol 47.
Layer 2 Tunneling Protocol (L2TP) with IPSEC - L2TP encapsulates in a UDP packet over port 1701. IPSec is first used to set up a secure channel using IKE on UDP port 500 via shared key or certificate, then sets up the tunnel, and encapsulates the L2TP datagrams, using ESP(IP protocol 50). UDP port 4500 may be used for IPSec NAT Traversal Encryption is either AES or 3DES. .
IKEv2 : Encapsulates using IPSec. Ipsec sets up secure channel using IKE on UDP port 500(or 4500) via shared key or certificate, then sets up the tunnel using ESP(IP protocol 50). UDP port 4500 may be used for IPSec NAT Traversal. Encrypted with one of AES 256, AES 192, AES 128, or 3DES. It supports MOBIKE and VPN Reconnect. Supported on Windows 7, Windows 2008R2, and newer versions.
SSTP : Encapsulates PPP datagrams over SSL(port 443), and encrypted via SSL. Note that SSTP is not configurable for site-to-site vpn connections.
GUI install:
There are multiple ways to configure VPN functionality on the RRAS server. In the RRAS Management snap-in, right click the Server and select one of the VPN options: "Remote access","Virtual private network access and NAT", "Secure connection between two private networks", or just use a custom configuration and select VPN, as well as dialup-access and/or demand-dial as needed.
If you want to disable VPN after using the wizard, right click the server in the RRAS MMC snap-in, selecting properties, and unchecking "IPv4 Remote access server".
Powershell:
Configure only the VPN feature:
install-remoteaccess -vpntype vpn
Client-to-Server. Configuring Servers.
For the minimum to configure the RRAS server for clients to connect to your server, you only have to select custom configuration and then VPN.
Using "Remote access(dial-up or VPN) wizard:
Check VPN.
Select Interface that faces the internet and will be used for incoming VPN connections.
(Note that configuring this does not specifically prevent other interfaces from being used as VPN endpoints, unless otherwise firewalled/filtered)
If you check "Enable security on the selected interface by setting up static packet filters", then the wizard will setup some filters for the interface and ports allowed for VPN.
Next, select an interface for a network that VPN clients can use for addresses.
(Note that this interface will be used to obtain DHCP addresses for the VPN clients, and will not necessarily limit clients to accessing only this interface)
Select whether DHCP will be used to assign IPs to the clients, or add a range of addresses that clients can use. The next option is to decide whether to use RADIUS authentication
Custom configuration:
To create a similar configuration as using the wizard above:
Static packet filters:
In the RRAS MMC snap-in, expand IPv4, General, then right click on the interface. On the general tab, add applicable filters to the Inbound Filters option.
To configure which interface to use for DHCP or configure static addresses, right click on the RRAS server and select properties. Click IPv4 tab. If you choose DHCP, you can also which interface to use to obtain DHCP addresses from.This setting will assign addresses to both server and client VPN interfaces, unless otherwise the client is otherwise configured with a static IP(for example, through dial-in settings)
View connected clients:
Under RRAS server, click on Remote Access Clients.
You can also sort the Ports by Active and see ports being used.
Powershell:
get-remoteaccessconnectionstatistics
get-remoteuseractivity 'rrasserver\clientuser'
disconnect-vpnuser 'rrasserver\clientuser'
Client-to-Server. Configuring Clients.
Then in Windows 8 or 2012, you configure clients by going to "Network and Sharing Center" in Control Panel, choose "Set up a new connection or network"
Split-Tunnel configuration:
By default the client will route all traffic to the vpn connection. You can change this behavior in the client's VPN connection properties - go into the Network and Sharing Center on the client, clicking the VPN connection, click properties, Networking tab, properties for IPv4 or IPv6, Advanced, uncheck "Use default gateway on remote network"
Site-to-Site configuration:
A minimum configuration for a site-to-site vpn connection requires only selecting custom configuration and then VPN and demand-dial.
In the RRAS MMC, click "Network Interfaces". Right click the view and select "New demand-dial interface".
Enter the remote server name as "Interface Name".
Select "Connect using VPN". Select type of VPN, for example "PPTP".
Enter IP address of remote server.
"Route IP Packets should be checked". If this server will only dial the remote server, and not vice versa, then you do not need to select "Add a user account"(Optional: You can manually setup a user account later).
Add a static route for the remote network. (Optional: you can setup routing later as needed).
Dial-out credentials: You have to put this in, but it is only needed if this server will call the remote server.
Note: If using a local account on the remote server, set the DOMAIN to the remote server name.
From the dialing server - right click the "Network Interface" and Connect.
You can change credentials by right clicking the server and selecting "Set Credentials".
Demand-Dial vs. Persistent:
You can configure a connection to only come up and connect when it receives traffic destined for certain networks. In Properties, be sure Options tab is set to Demand-Dial. You can also decide how long the connection is idle before it closes. Right-click on the interface connection and select "Set IP Demand-dial filters". Here you can decide what traffic will start the connection.
For a persistent connection, you only need to select "Persistent connection" in Properties/Options tab. Now the connection will stay up once connected.
Extra Note: Use "netsh ras diag set trace enable" to turn on detailed logging, which is stored in %systemdrive%\tracing. Turn off logging with "netsh ras diag set trace disable".
Extra Note: The default dial-in setting for a user in 2012 is "Control access through NPS Network Policy". However, if you let the demand-dial interface wizard create a user for you, it will set the dial-in setting to "Allow Access" for that user.
3.3.4 configure remote dial-in settings for users
You can configure some specific dial-in settings for users by using the "Dial-in" tab in the user's properties: for local users, in Local Users and Groups under Computer Management; for domain users, in ADUC.
Network Access Permission: Determines if this user can remotely connect to this server. Allow, Deny, or Control Access through NPS Network Policy. Default setting is "Control Access through NPS Network Policy".
Note that NPS can override this setting.
Verify Caller-ID:
Device(s) must support caller-id and caller's id must match this setting if checked and filled out.
Callback Options:
No Callback, Set by Caller (RRAS only), Always callback to ____. Default is No Callback
Assign Static IP Addresses:
Defaults to assigning these IP(v4 and/or v6) addresses to this user's connections
Apply Static Routes:
Can be used to define static routes when using a one-way on-demand dialer. This is not meant to set up routes for a single user/client.
Extra Note: The use of the "Apply Static Routes" setting is fairly confusing. See the following articles for more information: http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc736311%28v=ws.10%29.aspx
3.3.5 configure routing
Viewing route table in RRAS - Right click static routes under IPv4 or IPv6 and select "Show Ip Routing Table".
route print
get-netroute
Static routes:
In RRAS, right click the Static Routes and select "New static route"
Select which interface this route will go out.
Enter the destination, network mask, gateway, and metric.
Note: static routes added through RRAS are persistent by default in that they will be readded to the routing table automatically when the service starts, and removed if it is stopped.
route add -p 192.168.100.0 mask 255.255.255.0 10.0.0.1
new-netroute -destinationprefix '192.168.101.0/24' -interfacealias 'ethernet' -nexthop '10.0.0.1'
route change 192.168.101.0 mask 255.255.255.0 10.0.0.2
set-netroute -destinationprefix '192.168.101.0/24' -nexthop '10.0.0.2'
route delete 192.168.101.0
remove-netroute '192.168.101.0/24'
RIP configuration:
in RRAS mgmt, expand IPv4 under the RAS server. Choose "New Routing Protocol" , "RIP version 2..."
On RIP menu or in view, right click and select "New Interface". Select an interface that will carry RIP advertisements.
General tab:
Operation mode:
Auto-static update mode - updates are sent only when another router requests them. Routes learned are marked as static.
Periodic update mode - updates are sent out at intervals set by the "Periodic announcement interval" (default 30 seconds)
Outgoing packet protocol:
RIP 1 broadcasts, RIP 2 broadcasts
RIP 2 multicast - sent on 224.0.0.9
Silent RIP - router will not send out advertisements on this interface, but will listen and record routes.
Incoming Packet Protocol - which advertisements to accept on this interface
RIP 1, RIP 2, RIP v1 & 2, Ignore RIP advertisements
Added cost for route - This number is added to a route for path cost purposes. Higher is worse.
Tag for announced routes - can be used to distinguish RIP routes from other routing protocols
Security tab:
This tab can be used to filter outgoing and incoming routes
Neighbors tab -
neighbors can be configured for unicast advertisements. You can configure the interface to advertise using broadcast/multicast, both neighbors and broadcast/multicast, or neighbors(unicast) only.
Advanced tab:
Periodic announcement interval - default 30 seconds
Time before routes expire - default 180 seconds
Time before route is removed - default 120 seconds. After expiration, the route remains in the routing table for this time so neighbors can be notified that the route is no longer valid.
Enable split-horizon - To prevent loops, routes learned from Neighbor A are not sent back to neighbor A
Enable poison-reverse - Better prevention of loops at the cost of larger advertisements - routes learned from Neighbor A are sent back to A with infinity metric(16).
Enable triggered updates - Changes in the routing table are sent immediately
Send clean-up updates when stopped - when stopped, router sends advertisements to let other routers know that it is no longer valid for those routes.
Process host routes - handle incoming host route announcements
Include host routes - include host routes in announcements
Process default routes - accept default routes (0.0.0.0)
include default routes - include default route
Disable subnet summarization - summarization combines subnets into a single supernet route to make advertisements smaller.
Extra Note: RIP advertisements are sent over UDP port 520. RIPv2 adds optional multicast, subnet masks in advertisements (CIDR), route tagging, and simple password authentication.
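As an added illustration (not from the original notes, and not RRAS code), the following Python encoder/decoder shows the RIPv2 wire format the note above summarises: the 4-byte header, the optional authentication entry (AFI 0xFFFF, type 2 = simple password), and 20-byte route entries carrying route tag, subnet mask, next hop and metric, with 16 as the infinity metric that poison reverse advertises. Python rather than PowerShell is used because the point is the packet format, not a cmdlet. The sample packet, password and routes are constructed inline.

```python
import socket
import struct

RIP_PORT = 520               # RIP runs over UDP port 520
RIP_MULTICAST = "224.0.0.9"  # RIPv2 multicast group
RIP_INFINITY = 16            # metric 16 means unreachable (used by poison reverse)

HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, network, mask, next hop, metric (20 bytes)


def build_rip_response(routes, password=None):
    """Build a RIPv2 response. routes = [(network, mask, next_hop, metric, tag), ...].
    If password is given, a simple-password authentication entry (type 2) is prepended."""
    out = bytearray(HEADER.pack(2, 2, 0))  # command 2 = response, version 2
    if password is not None:
        pw = password.encode("ascii")
        if len(pw) > 16:
            raise ValueError("RIPv2 simple password is at most 16 bytes")
        out += struct.pack("!HH16s", 0xFFFF, 2, pw)  # AFI 0xFFFF marks an auth entry
    for network, mask, next_hop, metric, tag in routes:
        out += ENTRY.pack(2, tag, socket.inet_aton(network), socket.inet_aton(mask),
                          socket.inet_aton(next_hop), metric)
    return bytes(out)


def parse_rip_packet(data):
    """Parse a RIP packet into a dict with command, version, auth and route list."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError("malformed RIP packet length %d" % len(data))
    command, version, _ = HEADER.unpack_from(data, 0)
    pkt = {"command": {1: "request", 2: "response"}.get(command, command),
           "version": version, "auth": None, "routes": []}
    offset = HEADER.size
    first = True
    while offset < len(data):
        afi = struct.unpack_from("!H", data, offset)[0]
        if first and afi == 0xFFFF:
            # Authentication entry: 2-byte auth type follows the AFI, then 16 bytes of data.
            auth_type = struct.unpack_from("!H", data, offset + 2)[0]
            blob = data[offset + 4:offset + ENTRY.size]
            pkt["auth"] = {"type": auth_type,
                           "password": blob.rstrip(b"\0").decode("ascii", "replace")
                           if auth_type == 2 else None,
                           "raw": blob.hex()}
        else:
            afi, tag, net, mask, nh, metric = ENTRY.unpack_from(data, offset)
            pkt["routes"].append({"afi": afi, "tag": tag,
                                  "network": socket.inet_ntoa(net),
                                  "mask": socket.inet_ntoa(mask),
                                  "next_hop": socket.inet_ntoa(nh),
                                  "metric": metric,
                                  "unreachable": metric >= RIP_INFINITY})
        first = False
        offset += ENTRY.size
    return pkt


# Constructed sample: one reachable route, one poisoned route carrying tag 7, cleartext password.
SAMPLE = build_rip_response(
    [("192.168.100.0", "255.255.255.0", "0.0.0.0", 1, 0),
     ("10.0.0.0", "255.0.0.0", "0.0.0.0", RIP_INFINITY, 7)],
    password="rip-secret")

if __name__ == "__main__":
    print(parse_rip_packet(SAMPLE))
```

Feeding a captured UDP/520 payload to parse_rip_packet shows why the type-2 option is a misconfiguration guard rather than a security control: the password is carried verbatim in every advertisement, so route filters on the Security tab and a unicast neighbor list remain the controls that decide which routes the RRAS server accepts.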
3.3.6 (R2) configure web application proxy in passthrough mode
http://technet.microsoft.com/en-us/library/dn383639.aspx
Web Application Proxy replaces the functionality of ADFS Proxy 2.0. Installing Web Application Proxy requires having an ADFS server and a certificate for the ADFS server, as well as a certificate for each application that will be published.
Passthrough applications do not require authentication to ADFS, although the application on the back-end may require its own authentication.
On an already installed web-proxy server, configuring an application in passthrough mode is done in the Remote Access Management Console(ramgmtui.exe), which is accessible from Server Manager.
Select Configuration, Web Application Proxy.
Click Publish.
Select preauthentication method: Pass-through.
Publishing Settings - enter a name. external URL, external certificate, internal url.
Powershell:
see link above for example.
Add-WebApplicationProxyApplication -Name "<application name>" -ExternalPreauthentication PassThrough -ExternalUrl "https://<external FQDN>/" -ExternalCertificateThumbprint "<thumbprint of the external certificate>" -BackendServerUrl "https://<internal FQDN>/"
(the values in angle brackets are placeholders to replace with your own; the cmdlet needs all four parameters in addition to the preauthentication method)
Thursday, April 24, 2014
3. Configure network services and access 3.2 Configure DNS records
3.2.1 Create and configure DNS Resource Records (RR) including A, AAAA, PTR,
SOA, NS, SRV, CNAME, and MX records
SOA - Start of Authority - specifies primary name server, e-mail of domain admin, domain serial, timers
NS - identifies an authoritative name server
A - host record
AAAA - ipv6 host record
CNAME - alias
PTR - ip address to domain or host name
MX - mail server host
SRV - service record, used for AD.
fields of an SOA record:
Serial number - version of zone, to determine when to zone transfer
primary authoritative server
responsible person - zone admin
refresh interval - how often secondary servers check for updates
retry interval - how long to wait before a secondary server sends another request
expires after - how long a secondary server keeps answering from its copy of the zone after its last successful transfer; if the primary cannot be reached before this time passes, the secondary's zone data expires.
minimum TTL - default time an RR remains in a DNS cache after a query. a RR TTL overrides this setting.
MX records - specify a priority when you have multiple records. The lower priority MX records are preferred.
dnscmd /recordadd contoso.com myworkstation A 192.168.134.30
dnscmd /recordadd contoso.com myworkstation AAAA fc00::199:45
dnscmd /recordadd contoso.com myalias CNAME myworkstation.contoso.com
dnscmd /recordadd contoso.com . MX 10 mymailserver.contoso.com
dnscmd /recordadd contoso.com . NS nameserver.contoso.com
dnscmd /recordadd 134.168.192.in-addr.arpa 30 PTR myworkstation.contoso.com
dnscmd /recorddelete contoso.com myworkstation A
Add-DnsServerResourceRecordA -name "myworkstation" -zonename "contoso.com" -IPv4Address "192.168.134.30"
Add-DnsServerResourceRecordAAAA -name "myworkstation" -zonename "contoso.com" -IPv6Address "fc00::199:45"
Add-DnsServerResourceRecordCNAME -name "myalias" -hostnamealias "myworkstation.contoso.com" -zonename "contoso.com"
Add-DnsServerResourceRecordMX -name "." -MailExchange "mymailserver.contoso.com" -Zonename "contoso.com" -preference 20
Add-DnsServerResourceRecordPTR -name "30" -zonename "134.168.192.in-addr.arpa" -ptrdomainname "myworkstation.contoso.com"
Remove-DnsServerResourceRecord -zonename "contoso.com" -RRtype "A" -name "myworkstation"
Get-DnsServerResourceRecord -zonename "contoso.com" -rrtype "A"
3.2.2 configure zone scavenging
Zone scavenging removes "stale", old, records. Aging is the process of timing out records.
Scavenging is disabled by default, so it must be enabled to work.
RRs must be added dynamically or manually modified in order to be aged/scavenged.
In order to manually modify scavenging settings on records, go to View and select Advanced in DNS Manager. Now you can right click a record and check "Delete this record when it becomes stale". Hitting Apply adds a timestamp, rounded to the current hour, that is used in scavenging.
Dynamic records will attempt to update themselves every 24 hours by default. These records are automatically set to scavenge.
Scavenging settings on a zone:
right click the zone, Properties, hit the Aging button, and check "Scavenge stale resource records".
No-refresh interval & refresh interval - both must expire before record will be scavenged.
No-refresh - record cannot be "refreshed", which is when a dynamic update does not change the host/ip record but tries to change the timestamp. A client changing the IP address will be exempt from this interval
After a record goes beyond "record timestamp + no-refresh interval", it enters refresh interval. During this time, refreshes to timestamp are allowed. If the timestamp is updated by a client, the no-refresh interval begins again. If it does not get updated, the record is eligible for scavenging.
You can also create default scavenging settings for any zone created on this DNS server by right clicking the DNS server and selecting "Set Aging/Scavenging for All Zones". Note that this will not update current zones, only future zones that are created on this specific server. However, there is an option after you click OK, "Apply these settings to the existing AD-integrated zones". This will update current AD-integrated zones with these settings.
The final thing to do to set up scavenging is to set it on the DNS server, under Properties/Advanced. Check "Enable automatic scavenging of stale records". This controls when scavenging will be done. Note that if a record is still in its no-refresh/refresh intervals, it will not be scavenged when this process runs. When scavenging is run it creates event id 2501/2502 in the event logs.
Set-DnsServerResourceRecordAging -nodename myserver.contoso.com. -zonename contoso.com
Get-DnsServerResourceRecord -zonename contoso.com -name myserver
Get-DnsServerZoneAging contoso.com
Set-DnsServerZoneAging contoso.com -aging $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)
Set default scavenging settings on a DNS server:
Set-DnsServerScavenging -scavengingstate $true -norefreshinterval (New-TimeSpan -days 3) -refreshinterval (New-TimeSpan -days 3)
(Note that -scavengingstate $true will apply to new zones created on this server. You can use -applyonallzones to update all current zones)
To only enable scavenging on a DNS server and set the interval between scavenging runs (unlike the command above, this does not affect the server's other default scavenging settings):
Set-DnsServerScavenging -scavenginginterval (New-TimeSpan -days 3)
Get-DnsServerScavenging
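To make the no-refresh/refresh logic above concrete, here is a small Python model of the aging cycle. It is an added example, not part of the notes and not how Windows DNS is implemented internally; it uses the 3-day intervals from the Set-DnsServerZoneAging line above, and the record names, addresses and timestamps are constructed.

```python
from datetime import datetime, timedelta


def to_hour(ts):
    """DNS stores record timestamps with hour granularity; round down to the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def record_state(timestamp, now, no_refresh, refresh):
    """Where a record sits in its aging cycle: 'static' (no timestamp, never scavenged),
    'no-refresh', 'refresh', or 'stale' (eligible for scavenging)."""
    if timestamp is None:
        return "static"
    if now < timestamp + no_refresh:
        return "no-refresh"
    if now < timestamp + no_refresh + refresh:
        return "refresh"
    return "stale"


def apply_dynamic_update(record, now, no_refresh, refresh, new_ip=None):
    """Apply a client's dynamic update. Returns (updated_record, timestamp_changed).
    A data change (new IP) always writes a fresh timestamp and restarts the cycle;
    a pure refresh is only accepted once the no-refresh interval has passed."""
    state = record_state(record["timestamp"], now, no_refresh, refresh)
    if new_ip is not None and new_ip != record["ip"]:
        return dict(record, ip=new_ip, timestamp=to_hour(now)), True
    if state == "no-refresh":
        return record, False  # refresh suppressed: no timestamp write, no replication traffic
    return dict(record, timestamp=to_hour(now)), True


def scavenge(records, now, no_refresh, refresh):
    """Split records into (kept, removed) the way a scavenging pass would."""
    kept, removed = [], []
    for rec in records:
        if record_state(rec["timestamp"], now, no_refresh, refresh) == "stale":
            removed.append(rec)
        else:
            kept.append(rec)
    return kept, removed


# Constructed sample: 3-day no-refresh and refresh intervals, one dynamic and one static record.
NO_REFRESH = timedelta(days=3)
REFRESH = timedelta(days=3)
T0 = datetime(2014, 10, 24, 10, 0)
WORKSTATION = {"name": "myworkstation", "ip": "192.168.134.30", "timestamp": T0}
DC_RECORD = {"name": "dc", "ip": "192.168.134.1", "timestamp": None}  # static: never aged

if __name__ == "__main__":
    for days in (1, 4, 6):
        print(days, record_state(T0, T0 + timedelta(days=days), NO_REFRESH, REFRESH))
```

The model shows the two things that bite in practice: a record that never gets a refresh after its timestamp is removed exactly no-refresh + refresh later, and a static record (no timestamp) survives every pass, which is why scavenging cannot clean up manually created entries unless they were explicitly marked to age.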
3.2.3 configure record options including Time To Live (TTL) and weight
In order to see TTL and change in the gui, you need to go to View/Advanced. Now you can double-click a RR and change the TTL in the properties.
Weight could have multiple meanings. MX records can be set with a priority to determine which mail server is preferred. Lower is preferred.
SRV records also have a weight in addition to a priority. Lower priorities are preferred. However, if multiple SRV records have equal priority, the weight determines how often (%) an SRV target will be used in relation to others with the same priority. This is a basic load balance.
Powershell/dnscmd
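The SRV priority/weight behaviour described in 3.2.3 is the client-side selection algorithm from RFC 2782. As an added example (not from the notes, and not Windows resolver code), the Python below implements it, with the MX ordering rule alongside for comparison. The records mimic the _ldap._tcp SRV entries AD publishes, but the host names and weights are constructed; the rand parameter lets the choice be made deterministic for testing.

```python
import random


def order_mx(records):
    """MX: the lowest preference value is tried first. records = [(preference, host)]."""
    return [host for _, host in sorted(records)]


def select_srv(records, rand=None):
    """Pick one SRV target per RFC 2782: take the lowest-priority group, then make a
    weighted random choice inside it. records = [(priority, weight, port, target)].
    rand(n) must return an int in [0, n); defaults to random.randrange."""
    if not records:
        return None
    rand = rand or random.randrange
    best = min(r[0] for r in records)
    group = [r for r in records if r[0] == best]
    group.sort(key=lambda r: r[1] != 0)   # weight-0 targets are ordered first (RFC 2782)
    total = sum(r[1] for r in group)
    pick = rand(total + 1)                 # uniform in 0..total inclusive
    running = 0
    for _, weight, _, target in group:
        running += weight                  # first target whose running sum reaches pick wins
        if running >= pick:
            return target
    return group[-1][3]


def distribution(records, draws=10000, seed=1):
    """Fraction of draws landing on each target: the '% of use' the weights imply."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        t = select_srv(records, rng.randrange)
        counts[t] = counts.get(t, 0) + 1
    return {t: c / draws for t, c in counts.items()}


# Constructed sample: two DCs share priority 0 with weights 60/40; a third at priority 10
# is only used when no priority-0 record is present in the answer.
LDAP_SRV = [(0, 60, 389, "dc1.contoso.com"),
            (0, 40, 389, "dc2.contoso.com"),
            (10, 100, 389, "dc3.contoso.com")]

if __name__ == "__main__":
    print(distribution(LDAP_SRV))
```

Two details worth knowing when you tune weights: a target with weight 0 is still eligible (it gets a tiny share, not zero), and priority is absolute, so the priority-10 record above receives no traffic at all while either priority-0 record exists; it is a failover entry, not a light-load one.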
3.2.4 configure round robin
Round robin is used by DNS by default to return resource records with the same name and same type. Round robin can be disabled on a server by right clicking on the DNS server and properties, clicking the advanced tab, and unselecting "Enable round robin option"
Get-DnsServerSetting -all | select roundrobin | ft -auto
3.2.5 configure secure dynamic updates
Secure dynamic updates are set per zone. Right click the zone and properties. Then on General, you have a dropdown for none, nonsecure and secure, and secure only. You can also setup secure updates when creating a new zone.
By default in an AD domain, authenticated users and computers can create new dnsNode records in dnsZones. You can alter specific permissions on the Security tab in the properties of a Zone. You can also set security on individual dnsNode records. ACLs are set on records by name so two records pointing to the same FQDN will have the same ACL.
3. Configure network services and access 3.1 Configure DNS Zones
Review from 70-410 4.3:
DNS Basics
DNS namespace, Name Servers, Resolver(client that sends dns queries)
Recursive query: Resolver clients send recursive queries to their dns servers. This tells the DNS server to query the hierarchy of dns servers until it gets resolution from the authoritative server(s)
Iterative query: a single request/response exchange between DNS servers. The only time DNS servers send a recursive query to other DNS servers is when they are querying a forwarder.
DNS forwarders are set up to do the full recursive queries on behalf of other dns servers
reverse name resolution: resolves a name from an ip address
Zones:
Primary: master copy of the zone. If not integrated with AD, a local database file holds the zone.
Secondary: duplicate of the primary. replicates the zone file using zone transfer. read-only
Stub: copy of primary zone that forwards or refers requests.
Zones that are not ad-integrated are saved in a "zone file" in %systemroot%\system32\dns
AD-integrated
RR = resource records
top-level domains, second-level domains, hosts
nslookup
udp/tcp port 53
install DNS - Server Roles DNS Server(DNS), includemanagementtools = RSAT-DNS-SERVER
MMC=dnsmgmt.msc, PS module=DNSServer, command line=dnscmd.exe
dnscmd dc.contoso.com /enumzones
PS:
get-dnsserverzone
3.1.1 Configure primary and secondary zones
Primary Zone:
Forward Lookup
DNS Manager (dnsmgmt.msc)
right click Forward Lookup Zones and select New Zone. Choose Primary. Enter a zone name, which is the portion of the DNS namespace for which the server will be authoritative (such as contoso.com, or onezone.contoso.com).
Create a new zone file.
Dynamic Update - secure updates are for AD integrated
dnscmd /zoneadd bartledoo.contoso.com /primary
dnscmd /zoneinfo bartledoo.contoso.com
dnscmd /zonedelete bartledoo.contoso.com
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns"
get-dnsserverzone -name bartledoo.contoso.com
remove-dnsserverzone -name bartledoo.contoso.com
Reverse v4 primary:
right click Reverse Lookup Zones-> New Zone
Ipv4 reverse lookup zone
Type in Network id or specify the reverse lookup zone name manually. Entering the network id will auto update the reverse lookup name(network ID backwards+.in-addr.arpa)
Create a new zone file
Choose Dynamic update setting(Do not allow for non-AD)
dnscmd /zoneadd 10.168.192.in-addr.arpa /primary
add-dnsserverprimaryzone -networkid 192.168.10.0/24 -zonefile "10.168.192.in-addr.arpa.dns"
Reverse v6 primary:
Reverse Lookup Zones -> New Zone
select Primary zone
Ipv6 Reverse Lookup
Enter the network prefix for the IPv6 zone (e.g. fe80:0:3891:0405::/64)
dnscmd /zoneadd 5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa /primary
add-dnsserverprimaryzone -networkid fe80:0:3891:0405::/64 -zonefile "5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa.dns"
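The two reverse zone names above (network ID reversed plus .in-addr.arpa, and the IPv6 prefix reversed nibble by nibble plus .ip6.arpa) follow one rule, shown here in Python as an added example that is not part of the notes. It also derives the relative owner name for a PTR record inside a zone, which is the "30" used in the /recordadd PTR line in 3.2.1, and refuses prefixes that do not fall on an octet or nibble boundary.

```python
import ipaddress


def reverse_zone_name(prefix):
    """Reverse lookup zone name for an IPv4 or IPv6 network prefix."""
    net = ipaddress.ip_network(prefix, strict=True)  # strict: reject prefixes with host bits set
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are cut on octet boundaries (/8, /16, /24); "
                             "smaller blocks need RFC 2317 classless delegation")
        octets = str(net.network_address).split(".")[:net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are cut on nibble boundaries (multiples of 4 bits)")
    nibbles = format(int(net.network_address), "032x")[:net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner_name(address, zone):
    """Relative owner name of the PTR record for address inside the given reverse zone."""
    full = ipaddress.ip_address(address).reverse_pointer  # e.g. 30.134.168.192.in-addr.arpa
    if not full.endswith("." + zone):
        raise ValueError("%s does not belong to zone %s" % (address, zone))
    return full[:-len(zone) - 1]


if __name__ == "__main__":
    # Constructed inputs matching the prefixes used in the notes above.
    print(reverse_zone_name("192.168.10.0/24"))
    print(reverse_zone_name("fe80:0:3891:0405::/64"))
    print(ptr_owner_name("192.168.134.30", "134.168.192.in-addr.arpa"))
```

Running this before creating a zone catches the two common typos, a mis-reversed IPv6 nibble string and a /24 typed with a host address, both of which would produce a zone that is silently never consulted.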
Secondary Zone:
Forward Lookup zone-> New Zone
Secondary zone
in the zone name, enter the dns namespace name
master DNS Servers, enter the IP address of the primary zone server(s)
dnscmd /zoneadd bartledoo.contoso.com /secondary 192.168.10.8
add-dnsserversecondaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns" -masterservers 192.168.10.8
AD-integrated:
When choosing Primary, Secondary, Stub, "Store the zone in AD" option(AD-integrated) is available if the DNS server is a read-write Domain Controller. See 3.1.4.
3.1.2 configure stub zones
A stub zone only contains basic RRs: SOA, NS and certain "glue" A records, and points to the authoritative NS.
Right click Forward Lookup Zone-> New Zone. Choose Stub zone. Enter domain namespace. On master DNS servers, enter primary zone dns server(s).
If you integrate the stub zone into Active Directory Domain Services(AD DS), you have the option to specify that the DNS server hosting the stub zone uses a local list of master servers when it updates the stub zone's resource records, rather than having the DNS server use the master servers list that is stored in AD DS
Caching-only server: Install DNS but do not configure a zone. In DNS Manager, click on DNS in the menu, select New Server, and type in the IP address of the computer where you have installed DNS.
dnscmd /zoneadd stubby.contoso.com /stub 192.168.10.9
dnscmd /zonedelete stubby.contoso.com
dnscmd /zoneadd stubby.contoso.com /dsstub 192.168.10.9 /dp /domain
dnscmd /zonedelete stubby.contoso.com /dsdel
add-dnsserverstubzone -name "stubby.contoso.com" -zonefile "stubby.contoso.com.dns" -masterservers 192.168.10.9
add-dnsserverstubzone -name "stubby.contoso.com" -replicationscope domain -masterservers 192.168.10.9
3.1.3 configure conditional forwards
Forwarding:
Right click DNS server and properties, Forwarders tab. Click edit, Add DNS servers to forward to.
Conditional forwarding: You can forward DNS requests for certain domain names.
Expand the server and right click Conditional Forwarders -> New Conditional Forwarder
Enter the domain to forward
Add the IP address(es) of the servers to forward this domain to.
Check to store this forwarder in AD. Set timeout on forward queries for this conditional forwarder.
dnscmd /zoneadd google.com /forwarder 8.8.8.8
/timeout /slave
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8
3.1.4 configure zone and conditional forward storage in Active Directory
Zones are only stored in AD on AD-integrated DNS servers.
1.To all DNS on DC in forest, stored in the following application partition in AD:
cn=microsoftdns,dc=forestdnszones,dc=contoso,dc=com
2.To all DNS on DC in domain, stored in the following application partition in AD:
cn=microsoftdns,dc=domaindnszones,dc=contoso,dc=com
3.To all domain controllers(Windows 2000 compatibility).
In 2000, DNS was stored in the domain partition(cn=microsoftdns,cn=system,dc=contoso,dc=com)
4.To all domain controllers in the scope of this directory partition.
Conditional forward storage:
By default stores in domain partition.
/DP switch with dnscmd to choose partition (or fqdn of custom partition)
========
dnscmd /zoneadd bartledoo.contoso.com /dsprimary /dp /domain
/dp forest
/dp legacy
dnscmd /zonedelete bartledoo.contoso.com /dsdel
PS:
just add -replicationscope domain|forest|legacy|FQDN
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -replicationscope domain
Conditional forwarder:
dnscmd /zoneadd google.com /dsforwarder 8.8.8.8 /dp /domain
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8 -replicationscope domain
3.1.5 configure zone delegation
When you want another dns server to be authoritative for a subdomain, you have to delegate the permission for the zone to it.
Create a primary zone on the target dns server for the subdomain space it will host.
On the master server, right click the parent zone and select new delegation
enter the full dns name with child name.
Enter the ip address or FQDN of the dns server that will be authoritative for the child namespace
dnscmd /recordadd contoso.com child NS server2.contoso.com
dnscmd /recordadd contoso.com server2 A 192.168.10.119
(the NS record data must be the name server's FQDN, not an IP address; the A record is the glue that lets resolvers reach a name server that lives inside the delegated namespace)
add-dnsserverzonedelegation -name "contoso.com" -childzonename "one" -nameserver "server2" -ipaddress 192.168.10.119
3.1.6 configure zone transfer settings
zone transfers can transfer full or partial dns data from one zone to another.
Zone transfer causes:
Initial transfer when a secondary zone is created and pointed at a primary
zone refresh interval expires
DNS server service startup on secondary server
Primary master notifies secondary server(s) that changes have been made and need to be replicated.
Manual zone transfer initiated.
Types of transfers:
Full(AXFR) - copies the entire zone. Used for initial transfer.
Incremental (IXFR) - the secondary requests updated records from the primary, which only sends the RRs that have changed. The serial number field in the SOA on each server is compared; if the primary's is higher, replication is needed.
DNS Notify: primary tells secondary it needs to update. secondary initiates IXFR.
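The "if the primary is higher" comparison is not a plain integer compare: SOA serials are unsigned 32-bit values that wrap, so RFC 1982 serial arithmetic defines "newer" on a circle. The Python below, an added example rather than anything from the notes or from the Windows DNS server, implements that comparison and the transfer decision a secondary makes from it. The serial values are constructed (the YYYYMMDDnn style is a common convention, not a requirement).

```python
SERIAL_MOD = 1 << 32   # SOA serial is a 32-bit unsigned integer
SERIAL_HALF = 1 << 31  # RFC 1982: a is newer than b when it is "less than half a circle ahead"


def serial_gt(a, b):
    """True if serial a is newer than serial b under RFC 1982 arithmetic.
    Returns False for equal serials and for the undefined case (exactly 2^31 apart)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def serial_add(serial, n):
    """Advance a serial by n (1 <= n < 2^31), wrapping at 2^32 as RFC 1982 allows."""
    if not 1 <= n < SERIAL_HALF:
        raise ValueError("increment must be between 1 and 2^31-1")
    return (serial + n) % SERIAL_MOD


def secondary_action(primary_serial, secondary_serial):
    """What a secondary does after comparing the primary's SOA serial with its own.
    secondary_serial=None models a freshly created secondary zone with no data yet."""
    if secondary_serial is None:
        return "AXFR"        # initial full transfer
    if serial_gt(primary_serial, secondary_serial):
        return "IXFR"        # primary is newer: ask for the changed records
    if serial_gt(secondary_serial, primary_serial):
        return "IGNORE"      # secondary is ahead (e.g. serial rolled back on the primary)
    return "UP-TO-DATE"


if __name__ == "__main__":
    # Constructed serials in YYYYMMDDnn style.
    print(secondary_action(2014102402, 2014102401))
    print(secondary_action(5, 0xFFFFFFFF))  # primary wrapped past 2^32 and is still newer
```

The "IGNORE" branch is the operationally interesting one: if a primary's serial is ever lowered (a restored zone file, a re-created zone), secondaries keep their stale copy and stop pulling changes until the primary's serial is moved forward past theirs, which is why serial comparison belongs in any zone-transfer health check.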
Right click forward or reverse zone to configure, properties, zone transfers tab. Check allow zone transfers, then set:
to any server
to servers listed on NS tab
to specific servers
dnscmd /zoneresetsecondaries contoso.com
/nonsecure
/securens
/securelist
/noxfr (no transfer)
set-dnsserverprimaryzone -name contoso.com -securesecondaries
transferanyserver
transfertozonenameserver
transfertosecureservers -secondaryservers
notransfer
3.1.7 configure notify settings
Also on zone transfer settings tab, click Notify. Check "Automatically notify" then set:
Servers listed on NS tab
Specific servers
dnscmd /zoneresetsecondaries contoso.com /securens
/notify
/notifylist (ip addresses)
/nonotify
set-dnsserverprimaryzone -name contoso.com -securesecondaries -notify
notify
notifyservers -notifyservers
nonotify
DNS Basics
DNS namespace, Name Servers, Resolver(client that sends dns queries)
Recursive query: Resolver clients send recursive queries to their dns servers. This tells the DNS server to query the hierarchy of dns servers until it gets resolution from the authoritative server(s)
Iterative query: a single request respond between dns servers. The only time dns servers will send recursive query to other dns servers is when they are querying a forwarder.
DNS forwarders are set up to do the full recursive queries on behalf of other dns servers
reverse name resolution: resolves a name from an ip address
Zones:
Primary: master copy of the zone. If not integrated with AD, a local database file holds the zone.
Secondary: duplicate of the primary. replicates the zone file using zone transfer. read-only
Stub: copy of primary zone that forwards or refers requests.
Zones that are not ad-integrated are saved in a "zone file" in %systemroot%\system32\dns
AD-integrated
RR = resource records
top-level domains, second-level domains, hosts
nslookup
udp/tcp port 53
install DNS - Server Roles DNS Server(DNS), includemanagementtools = RSAT-DNS-SERVER
MMC=dnsmgmt.msc, PS module=DNSServer, command line=dnscmd.exe
dnscmd dc.contoso.com /enumzones
PS:
get-dnsserverzone
3.1.1 Configure primary and secondary zones
Primary Zone:
Forward Lookup
DNS Managet(dnsmgmt.msc)
right click forward lookup zones, right click Forward Lookup Zones and New Zone. Choose primary. Enter a zone name, which includes the portion of the dns namespace for which the server will be authoritative. (such as contoso.com, or onezone.contoso.com)
Create a new zone file.
Dynamic Update - secure updates are for AD integrated
dnscmd /zoneadd bartledoo.contoso.com /primary
dnscmd /zoneinfo bartledoo.contoso.com
dnscmd /zonedelete bartledoo.contoso.com
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns"
get-dnsserverzone -name bartledoo.contoso.com
remove-dnsserverzone -name bartledoo.contoso.com
Reverse v4 primary:
right click Reverse Lookup Zones-> New Zone
Ipv4 reverse lookup zone
Type in Network id or specify the reverse lookup zone name manually. Entering the network id will auto update the reverse lookup name(network ID backwards+.in-addr.arpa)
Create a new zone file
Choose Dynamic update setting(Do not allow for non-AD)
dnscmd /zoneadd 10.168.192.in-addr.arpa /primary
add-dnsserverprimaryzone -networkid 192.168.10.0/24 -zonefile "10.168.192.in-addr.arpa.dns"
Reverse v6 primary:
Reverse Lookup Zones -> New Zone
select Primary zone
Ipv6 Reverse Lookup
Enter the network prefix for the IPv6 zone (e.g. fe80:0:3891:0405::/64)
dnscmd /zoneadd 5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa /primary
add-dnsserverprimaryzone -networkid fe80:0:3891:0405::/64 -zonefile "5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa.dns"
Secondary Zone:
Forward Lookup zone-> New Zone
Secondary zone
in the zone name, enter the dns namespace name
master DNS Servers, enter the IP address of the primary zone server(s)
dnscmd /zoneadd bartledoo.contoso.com /secondary 192.168.10.8
add-dnsserversecondaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns" -masterservers 192.168.10.8
AD-integrated:
When choosing Primary, Secondary, Stub, "Store the zone in AD" option(AD-integrated) is available if the DNS server is a read-write Domain Controller. See 3.1.4.
3.1.2 configure stub zones
A stub zone only contains the basic RRs: SOA, NS and the "glue" A records for those name servers, and points to the authoritative NS.
Right click Forward Lookup Zones -> New Zone. Choose Stub zone. Enter the domain namespace. On master DNS servers, enter the primary zone DNS server(s).
If you integrate the stub zone into Active Directory Domain Services (AD DS), you have the option to specify that the DNS server hosting the stub zone uses a local list of master servers when it updates the stub zone's resource records, rather than having the DNS server use the master servers list that is stored in AD DS.
Caching-only server: install DNS but do not configure a zone. In DNS Manager, click on DNS in the menu, select New Server, and type in the IP address of the computer where you have installed DNS.
dnscmd /zoneadd stubby.contoso.com /stub 192.168.10.9
dnscmd /zonedelete stubby.contoso.com
dnscmd /zoneadd stubby.contoso.com /dsstub 192.168.10.9 /dp /domain
dnscmd /zonedelete stubby.contoso.com /dsdel
add-dnsserverstubzone -name "stubby.contoso.com" -zonefile "stubby.contoso.com.dns" -masterservers 192.168.10.9
add-dnsserverstubzone -name "stubby.contoso.com" -replicationscope domain -masterservers 192.168.10.9
3.1.3 configure conditional forwards
Forwarding:
Right click DNS server and properties, Forwarders tab. Click edit, Add DNS servers to forward to.
Conditional forwarding: You can forward DNS requests for certain domain names.
Expand the server and right click Conditional Forwarders -> New Conditional Forwarder
Enter the domain to forward
Add the IP address(es) of the servers to forward this domain to.
Check to store this forwarder in AD. Set timeout on forward queries for this conditional forwarder.
dnscmd /zoneadd google.com /forwarder 8.8.8.8
/timeout /slave
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8
3.1.4 configure zone and conditional forward storage in Active Directory
Zones are only stored in AD on AD-integrated DNS servers.
1.To all DNS on DC in forest, stored in the following application partition in AD:
cn=microsoftdns,dc=forestdnszones,dc=contoso,dc=com
2.To all DNS on DC in domain, stored in the following application partition in AD:
cn=microsoftdns,dc=domaindnszones,dc=contoso,dc=com
3.To all domain controllers(Windows 2000 compatibility).
In 2000, DNS was stored in the domain partition(cn=microsoftdns,cn=system,dc=contoso,dc=com)
4. To all domain controllers in the scope of this directory partition.
Conditional forward storage:
By default stores in domain partition.
/DP switch with dnscmd to choose partition (or fqdn of custom partition)
========
dnscmd /zoneadd bartledoo.contoso.com /dsprimary /dp /domain
/dp forest
/dp legacy
dnscmd /zonedelete bartledoo.contoso.com /dsdel
PS:
just add -replicationscope domain|forest|legacy|FQDN
add-dnsserverprimaryzone -name "bartledoo.contoso.com" -replicationscope domain
Conditional forwarder:
dnscmd /zoneadd google.com /dsforwarder 8.8.8.8 /dp /domain
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8 -replicationscope domain
3.1.5 configure zone delegation
When you want another dns server to be authoritative for a subdomain, you have to delegate the permission for the zone to it.
Create a primary zone on the target dns server for the subdomain space it will host.
On the master server, right click the parent zone and select new delegation
enter the full dns name with child name.
Enter the ip address or FQDN of the dns server that will be authoritative for the child namespace
dnscmd /recordadd contoso.com child NS server2.child.contoso.com
dnscmd /recordadd contoso.com server2.child A 192.168.10.119
(the NS record data must be the host name of the delegated server, not an IP; the second command adds the glue A record for it in the parent zone)
add-dnsserverzonedelegation -name "contoso.com" -childzonename "one" -nameserver "server2" -ipaddress 192.168.10.119
3.1.6 configure zone transfer settings
Zone transfers copy the full or partial DNS data of a zone from the primary (master) server to a secondary server.
Zone transfer causes:
Initial transfer when a secondary zone is created and pointed at a primary
zone refresh interval expires
DNS server service startup on secondary server
Primary master notifies secondary server(s) that changes have been made and need to be replicated.
Manual zone transfer initiated.
Types of transfers:
Full(AXFR) - copies the entire zone. Used for initial transfer.
Incremental (IXFR) - the secondary requests updated records from the primary. Only the RRs that have changed are sent. The serial number field in the SOA on each server is compared; if the primary's is higher, replication is needed.
DNS Notify: primary tells secondary it needs to update. secondary initiates IXFR.
Right click forward or reverse zone to configure, properties, zone transfers tab. Check allow zone transfers, then set:
to any server
to servers listed on NS tab
to specific servers
dnscmd /zoneresetsecondaries contoso.com
/nonsecure
/securens
/securelist
/noxfr (no transfer)
set-dnsserverprimaryzone -name contoso.com -securesecondaries
transferanyserver
transfertozonenameserver
transfertosecureservers -secondaryservers
notransfer
3.1.7 configure notify settings
Also on zone transfer settings tab, click Notify. Check "Automatically notify" then set:
Servers listed on NS tab
Specific servers
dnscmd /zoneresetsecondaries contoso.com /securens
/notify
/notifylist (ip addresses)
/nonotify
set-dnsserverprimaryzone -name contoso.com -securesecondaries -notify
notify
notifyservers -notifyservers
nonotify
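As an added example (not part of the original notes), a PowerShell script that audits every standard primary zone on a DNS server for the "to any server" transfer setting and hardens the exposed ones to the explicit-list settings above. The server name dc.contoso.com and the secondary address 192.168.10.8 are assumed values.

```powershell
# Added example: audit and harden zone transfer / notify settings on a DNS server.
# Assumes the DNSServer module (RSAT-DNS-Server) and admin rights on the target server.
# Server name and secondary address are placeholders for this example.
Import-Module DNSServer

function Get-ZoneTransferExposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = 'dc.contoso.com'   # assumed server name
    )
    # Only standard primary zones carry transfer settings worth checking;
    # auto-created zones (0.in-addr.arpa etc.) are skipped.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                IsDsIntegrated    = $_.IsDsIntegrated
                SecureSecondaries = $_.SecureSecondaries   # TransferAnyServer / TransferToZoneNameServer / TransferToSecureServers / NoTransfer
                SecondaryServers  = ($_.SecondaryServers -join ',')
                Notify            = $_.Notify              # NoNotify / Notify / NotifyServers
                NotifyServers     = ($_.NotifyServers -join ',')
                # A full transfer (AXFR) to any host hands out every record in the zone.
                Exposed           = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

function Set-ZoneTransferRestricted {
    # Lock transfers and change notifications down to an explicit secondary list,
    # i.e. the "to specific servers" option from the zone transfers tab.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ipaddress[]]$SecondaryServers,
        [string]$ComputerName = 'dc.contoso.com'
    )
    if ($PSCmdlet.ShouldProcess($ZoneName, "restrict transfers to $($SecondaryServers -join ',')")) {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $ZoneName `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryServers `
            -Notify NotifyServers -NotifyServers $SecondaryServers
    }
}

# Report first, then harden only the exposed zones (-WhatIf previews the change).
$report = Get-ZoneTransferExposure
$report | Format-Table -AutoSize
$report | Where-Object Exposed | ForEach-Object {
    Set-ZoneTransferRestricted -ZoneName $_.ZoneName -SecondaryServers 192.168.10.8 -WhatIf
}
```

Drop -WhatIf once the report looks right; AD-integrated zones replicate through AD DS anyway, so for them NoTransfer is usually the better end state.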
2. Configure file and print services 2.4 Configure advanced audit policies
2.4.1 Implement auditing using Group Policy and AuditPol.exe
http://technet.microsoft.com/en-us/library/dd772623
Group policy auditing:
Computer Configuration\Policies\Windows Settings\Security settings\Local Policies\Audit policy
gpedit.msc local:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Note: The GP setting "Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings" prevents the application of category-level audit policy in favor of Advanced Auditing. This policy is enabled by default, so if you want to use the following auditing policies, you must disable this policy setting. http://technet.microsoft.com/en-us/library/jj852246.aspx
Success or Failure:
Audit account logon events -Audits when a computer validates credentials for an account for which it is authoritative.
Audit account management - audits account management on a computer, including changing passwords
Audit directory service access - audits access to AD objects
Audit logon events - audits actual logon/logoff of user accounts on the computer
Audit object access - audit non-AD objects such as files, folders, printers, etc.
Audit policy change - audit user rights assignments, auditing, account policies, trust policies
Audit privilege use - audits user rights usage
Audit process tracking - process-related events.
Audit system events - system access such as time change, startup/shutdown, extensible authentication components, loss of auditing events, security log size beyond threshold
Be selective about what to audit, as high levels can affect performance, cause too many security event entries, and quickly fill the log.
Object Access:
After enabling the appropriate policy, you can set up auditing on specific objects (such as a file) by going to the Security tab of the object, Advanced, Auditing tab.
Advanced Auditing Policy:
First introduced in Vista and Windows 2008 via auditpol, advanced auditing became available to configure in GP in Windows 2008 R2. Advanced auditing configured in GP will only apply to 2008R2 and later, and Windows 7 and later clients. As of 2012, there are 56 settings.
Setup in GP:
Computer Configuration\Policies\Windows Settings\Security settings\Advanced Audit Policy Configuration
gpedit.msc locally:
Computer Configuration\Windows Settings\Security settings\Advanced Audit Policy Configuration
Categories-
Account Logon - credential validation, kerberos authentication, kerberos service ticket ops, other account logon events
Account Management - application group management, computer account management, distribution group management, other account management, security group management, user account mgmt.
Detailed Tracking - DPAPI activity(encryption/decryption into DPAPI), process creation, process termination, RPC events(inbound)
DS Access - detailed DS replication, DS access, DS Changes, DS replication
Logon/Logoff - account lockout, user/device claims, ipsec extended mode, ipsec main mode, ipsec quick mode, logoff, logon, network policy server(RADIUS, NAP), other logon/logoff, special logon
Object Access(may require appropriate SACL set on object) - application generated(Windows auditing API usage), certification services(ADCS), detailed file share, file share, file system(must match SACL), filtering platform connection(firewall/WFP), WFP packet drop, handle manipulation(open/close depends on SACL), kernel object access(based on SACL usage), other object access(task scheduler, COM+, etc), registry, removable storage, SAM, central access policy staging
Policy Change - policy change, authentication policy change, authorization policy change, WFP policy change(IPSEC, WFP), MPSSVC Rule-Level policy change(Microsoft Protection Service(MPSSVC.exe) also used by Firewall), other policy change events(TPM, cryptographic ops, etc)
Privilege Use - non-sensitive privilege use, sensitive privilege use
System - IPSec driver, other system events, security state change, security system extension, system integrity.
Global Object Access Auditing - see 2.4.2
Auditpol.exe
Note: auditing set with auditpol will not show up in the local gpedit/secpol settings and also does not persist between reboots.
auditpol /list /category
auditpol /list /subcategory:*
auditpol /set /subcategory:"Account Lockout" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /get /subcategory:"Account Lockout"
auditpol /set /subcategory:"Account Lockout" /success:disable
auditpol /set /user:contoso\ajolie /subcategory:"Logon" /success:enable
auditpol /get /user:contoso\ajolie /subcategory:"Logon"
auditpol /remove /user:contoso\ajolie
removes all user auditing, on all policies, for contoso\ajolie
auditpol /remove /allusers
auditpol /clear - clears all auditing policies
auditpol /backup /file:"c:\auditpol.csv"
auditpol /restore /file:"c:\auditpol.csv"
2.4.2 create expression-based audit policies
2012 advanced policy:
Global Object Access Auditing - applies global SACL's for file system and/or registry. Must enable appropriate Object Access policy first(Advanced Audit Policy\System Audit Policies\Object Access) . You can also specify defined properties or attributes to audit on using expression-based auditing.
Note: If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
You can choose what permissions a user should be audited for, and whether that affects success, fail, or both.
The conditions you can add are called expression-based audit policies. This is a new feature of Windows 8 and 2012. For instance, you could choose a principal of Everyone or Authenticated Users. Then add a condition User-Group-Member of each-Value- then "Add items" and select a group. For example, Accounting. Now, any user affected by this policy, who is a member of the group "Accounting" will be audited for whichever permission and type settings you configured.
These properties are set in AD using Dynamic Access Control(covered in 70-412).
Extra Note: You can set /resourcesacl through auditpol, but setting a condition can be cryptic. For instance, the user-group setting is set with the SID as in the following example. Also, File in /type:File is case-sensitive:
auditpol /resourcesacl /set /type:File /user:"NT AUTHORITY\Authenticated Users" /success /failure /access:FW /condition:"(Member of {SID(S-1-5-21-1477645170-1045419550-4197897434-12603)})"
auditpol /resourcesacl /type:File /view
2.4.3 create removable device audit policies
Auditing removable devices is now configured under the advanced auditing as seen in 2.4.1, Object Access/Audit Removable Storage.
auditpol /set /subcategory:"Removable Storage" /success:enable
Event 4663 is logged for success and event 4656 for failure
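As an added example (not from the original notes), a PowerShell script that reads the effective audit policy through auditpol, compares it with a baseline of subcategories from 2.4.1 and 2.4.3, and repairs drift after taking an auditpol backup. It assumes an English Windows (auditpol's subcategory names and setting strings are localized), an elevated prompt, and that the baseline values, which are illustrative, suit your environment.

```powershell
# Added example: compare the effective audit policy against a baseline and
# optionally fix drift with auditpol. Assumes an English system and an elevated
# prompt. The baseline below is illustrative, not a Microsoft-recommended list.

# Subcategory -> required Success/Failure auditing. The check only flags settings
# that are weaker than required; extra auditing is left alone.
$Baseline = @{
    'Credential Validation' = @{ Success = $true;  Failure = $true  }
    'Logon'                 = @{ Success = $true;  Failure = $true  }
    'Account Lockout'       = @{ Success = $true;  Failure = $true  }
    'Process Creation'      = @{ Success = $true;  Failure = $false }
    'Removable Storage'     = @{ Success = $true;  Failure = $true  }   # 2.4.3: events 4663 / 4656
    'Audit Policy Change'   = @{ Success = $true;  Failure = $true  }
}

function Get-EffectiveAuditPolicy {
    # "auditpol /get /category:* /r" prints CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = auditpol /get /category:* /r | Where-Object { $_ -match '\S' }
    $csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory = $_.Subcategory
            Success     = ($_.'Inclusion Setting' -match 'Success')   # "Success" or "Success and Failure"
            Failure     = ($_.'Inclusion Setting' -match 'Failure')
        }
    }
}

function Test-AuditBaseline {
    param([hashtable]$Required = $Baseline)
    $effective = @{}
    Get-EffectiveAuditPolicy | ForEach-Object { $effective[$_.Subcategory] = $_ }
    foreach ($name in $Required.Keys) {
        $want = $Required[$name]
        $have = $effective[$name]
        if (-not $have) { Write-Warning "Subcategory '$name' not reported by auditpol"; continue }
        [pscustomobject]@{
            Subcategory   = $name
            SuccessWanted = $want.Success; SuccessActual = $have.Success
            FailureWanted = $want.Failure; FailureActual = $have.Failure
            Compliant     = ((-not $want.Success) -or $have.Success) -and
                            ((-not $want.Failure) -or $have.Failure)
        }
    }
}

function Repair-AuditBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Required = $Baseline)
    # Save the current policy first so it can be put back with "auditpol /restore /file:...".
    $backup = Join-Path $env:TEMP ("auditpol-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
    auditpol /backup /file:"$backup" | Out-Null
    Test-AuditBaseline -Required $Required | Where-Object { -not $_.Compliant } | ForEach-Object {
        $flags = @()
        if ($_.SuccessWanted) { $flags += '/success:enable' }
        if ($_.FailureWanted) { $flags += '/failure:enable' }
        if ($PSCmdlet.ShouldProcess($_.Subcategory, "auditpol /set $flags")) {
            auditpol /set /subcategory:"$($_.Subcategory)" @flags | Out-Null
        }
    }
    "Previous policy saved to $backup"
}

Test-AuditBaseline | Format-Table -AutoSize
# Repair-AuditBaseline -WhatIf     # preview; drop -WhatIf to apply
```

Where advanced audit policy is defined in Group Policy, the next refresh overwrites whatever Repair-AuditBaseline set, so treat this as a check and a stopgap and make the durable change in the GP path from 2.4.1.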
2. Configure file and print services 2.3 Configure file and disk encryption
Examples of encryption algorithms:
Symmetric: uses a single key to encrypt and decrypt data
Asymmetric key: uses mathematically-related keys. This allows one key to be public, so it could be published in a certificate.
Hash: one-way encryption
EFS encryption: used to encrypt files on NTFS volume.
Bitlocker drive encryption(BDE): encrypt an entire volume.
EFS encryption: http://technet.microsoft.com/en-us/library/cc749610%28v=WS.10%29.aspx
EFS creates a certificate for the user encrypting the files, thus allowing only that user to automatically decrypt the files upon use. An encryption certificate can be added to the file in order to share it with other users.
To encrypt a folder or file, click properties on the object, Advanced, then check Encrypt contents to secure data. When you encrypt a folder, you have the option to apply changes to this folder only, or to this folder, subfolders, and files.
To decrypt a folder or file, you just uncheck the Encrypt contents.
You cannot both compress and encrypt an NTFS file
encrypted files are decrypted when moved to a non-NTFS volume
files are automatically encrypted when put in a folder that has encryption enabled. However, moving one out does not automatically decrypt it
Files that are set to System or in the root directory cannot be encrypted
cipher.exe /e c:\home\flintstones
cipher.exe /d c:\home\flintstones
To allow another user to decrypt a file, right click properties on the encrypted file, Advanced, click Add under "Users who can access this file". Click the user to select their EFS certificate.
EFS and group policy:
Computer configuration\policies\windows settings\security settings\public key policies\encrypting file system
Choose Allow or Don't Allow EFS
Allow, Require, or Don't allow Elliptic Curve Cryptography
Check or uncheck:
Encrypt the contents of the user's Documents folder
Require a smart card for EFS
Create caching-capable user key from smart card
Display key backup notifications when user key is created or changed
The Certificates tab allows you to set the key size. You can also enable or disable EFS from creating its own certificates when a certificate authority is not available.
2.3.1 Configure Bitlocker encryption
http://technet.microsoft.com/en-us/library/jj612864.aspx
http://technet.microsoft.com/en-us/library/hh831713.aspx
http://technet.microsoft.com/en-us/library/hh831412.aspx
http://technet.microsoft.com/en-us/library/jj649829%28v=wps.620%29.aspx
http://download.microsoft.com/download/F/4/1/F41E0BFA-8F1B-44E3-91F0-8AF84908DCC7/Understand_and_Troubleshoot_BitLocker_in_Windows_Server_8_Beta.docx
Bitlocker requires Trusted Platform Module 1.2 or 2.0, or USB access to save a startup key to a removable device.
Hard disk must be partitioned with at least two drives:
OS/boot drive contains operating system and its support files. Must be NTFS.
System drive contains files needed to load Windows after firmware has readied the hardware. Bitlocker is not enabled on this drive.
Windows automatically creates the partitions required for Bitlocker.
Bitlocker uses AES-128 or AES-256
Startup modes:
TPM: Bitlocker encryption key stored on TPM
PIN: user must supply a numeric pre-boot PIN
Enhanced PIN: alphanumeric PIN
USB key: A startup key is stored on a USB
Network key: a key provided by a WDS server.
For drives that are not OS volumes, you can choose to use a password or a smart card or have it automatically unlock. If you choose password or smart card, you can save a recovery key
Installing bitlocker:
Add roles and Features
select Bitlocker Drive Encryption(Bitlocker)
Installing Bitlocker will also install the feature Enhanced Storage(EnhancedStorage) to support hard drives that support hardware encryption
Including the management tools will also install Bitlocker Drive Encryption Administration(RSAT-Feature-Tools-Bitlocker), Bitlocker Drive Encryption Tools(RSAT-Feature-Tools-Bitlocker-RemoteAdminTool), Bitlocker Recovery Password Viewer(RSAT-Feature-Tools-Bitlocker-BdeAducExt), AD DS & AD LDS Tools(Rsat-AD-Tools), AD DS Tools(RSAT-ADDS) and AD DS Snap-ins and command-line(RSAT-ADDS-Tools), the manage-bde command line tool, and the PS module Bitlocker
install-windowsfeature bitlocker -includemanagementtools
You can check whether your computer has TPM installed by running the TPM management(tpm.msc) snap-in. (You can also get to this mmc via the Bitlocker option in control panel). The TPM must be initialized here before using Bitlocker.
Enable Bitlocker for a drive or removable drive that's not the OS volume:
go to control panel, Bitlocker Drive Encryption.
Click Turn on Bitlocker for the volume you want to encrypt
You can select a Password or Smart card to unlock the drive. You can also allow it to auto unlock. Next you will be prompted with options for backing up your recovery key: Save to USB, Save to file, print the key.
You will be prompted with whether you want to use:
"Encrypt used disk space only": This will encrypt as space is used
"Encrypt entire drive"
Once you have encrypted the volume, you have the option to go back and backup the recovery key again, change or remove password, add or remove a smart card, turn on auto-unlock, or disable bitlocker.
Note: You can also use a certificate as a protector on a data volume using manage-bde
Bitlocker to Go
Allows encryption of removable usb drives. Once the drive is plugged in, you can Turn on Bitlocker in the bitlocker control panel
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft account online, or printed.
Bitlocker Recovery:
http://technet.microsoft.com/en-us/library/dn383583.aspx
Bitlocker allowed recovery options should be set in group policy (see 2.3.3)
1. Use a recovery password
2. A designated Data Recovery Agent (DRA) can supply a certificate (configured by GP, see 2.3.3)
3. An ADDS administrator can retrieve the recovery key from AD.
manage-bde - command line utility to manage bitlocker on a client.
A few parameters:
manage-bde -status to show bitlocker status
manage-bde -protectors -add c: -tpmandpin
manage-bde -on c: -password
-off, -lock, -unlock, -autounlock, -changepassword, -changepin, -changekey
Powershell
http://technet.microsoft.com/en-us/library/jj649829.aspx
A few commands:
get-bitlockervolume
enable-bitlocker
disable-bitlocker
add-bitlockerkeyprotector
remove-bitlockerkeyprotector
lock-bitlocker
unlock-bitlocker
enable-bitlockerautounlock
Extra Note: In an enterprise, you may want to use the Microsoft Bitlocker Administration and Monitoring tool (MBAM), included with the Microsoft Desktop Optimization Pack (MDOP), for bitlocker administration. This can be used in standalone mode or integrated into SCCM.
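As an added example (not part of the original notes), a PowerShell script built on the BitLocker cmdlets listed above: it reports the state and protectors of every volume, makes sure each protected volume has a recovery password escrowed to AD DS, and turns on a data volume the way the control panel wizard does. Backup-BitLockerKeyProtector is a real cmdlet of the Bitlocker module not mentioned in the notes; the D: mount point is an assumed value and escrow only succeeds on a domain member whose GP allows storing recovery information in AD DS (2.3.3).

```powershell
# Added example: BitLocker inventory plus recovery-password escrow to AD DS.
# Assumes the Bitlocker module (install-windowsfeature bitlocker), admin rights,
# and a domain-joined machine whose GP permits "Store Bitlocker recovery information in AD DS".
Import-Module BitLocker

function Get-BitLockerReport {
    # One row per volume. HasRecoveryPwd = $false means the volume cannot be
    # recovered through any of the three recovery options above.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem / Data
            VolumeStatus     = $_.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
            ProtectionStatus = $_.ProtectionStatus    # Off = no protectors, or protection suspended
            EncryptionMethod = $_.EncryptionMethod    # Aes128 / Aes256
            Protectors       = ($types -join ',')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Backup-RecoveryPasswordToAd {
    # Add a recovery password protector if the volume has none, then escrow every
    # recovery password protector to the computer object in AD DS.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0 -and $PSCmdlet.ShouldProcess($MountPoint, 'add RecoveryPassword protector')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        if ($PSCmdlet.ShouldProcess($MountPoint, "back up protector $($p.KeyProtectorId) to AD DS")) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
}

function Enable-DataVolumeBitLocker {
    # Password protector + "Encrypt used disk space only", then escrow a recovery password.
    param([string]$MountPoint = 'D:', [Parameter(Mandatory)][securestring]$Password)   # D: is assumed
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Backup-RecoveryPasswordToAd -MountPoint $MountPoint
}

Get-BitLockerReport | Format-Table -AutoSize
# Escrow a recovery password for every protected volume that lacks one (-WhatIf previews).
Get-BitLockerReport | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPwd } |
    ForEach-Object { Backup-RecoveryPasswordToAd -MountPoint $_.MountPoint -WhatIf }
```

The escrowed password shows up under the computer object in the Bitlocker Recovery tab once the Bitlocker Recovery Password Viewer (RSAT-Feature-Tools-Bitlocker-BdeAducExt) is installed.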
2.3.2 configure the Network Unlock feature
http://technet.microsoft.com/en-us/library/jj574173.aspx
requirements:
Windows 8 or 2012 with UEFI DHCP drivers
Bitlocker Network Unlock feature installed on 2012
a 2012 WDS server
a DHCP server, separate from WDS
If you already have a WDS server in your environment, you can leverage it by installing the network unlock feature. Otherwise, whichever server you install Network Unlock on will install the WDS service. It doesn't have to be configured beyond the initial WDS configuration(to allow the wdsserver service to run)
Install the Network Unlock feature by going to Server Manager. Skip to Features and click on Bitlocker Network Unlock(bitlocker-networkunlock). If WDS is not installed, WDS(WDS), WDS Deployment(wds-deployment) and Transport(wds-transport) will be installed. If you check "include management tools", the WDS Tools(wds-adminpack) will also be installed.
install-windowsfeature bitlocker-networkunlock
The wdsserver service must be running.
If you have a CA, request a new certificate
Use the "Network Unlock on the Domain controller" template
Create the certificate
Export the public key certificate to create a .cer - Select DER encoded X.509 and do not export private key
Export the public key with private key to create a .pfx - Select Yes to export private key
Or you can create a self-signed certificate and use certreq to create a new certificate. Import it into certmgr, then export the .pfx.
On the WDS server, go to certmgr.msc and right click certificates - Bitlocker Drive Encryption Network Unlock, and Import. Choose the PFX file.
Now you need to setup group policy to deploy the public key certificate to clients:
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption Network Unlock Certificate
Add Network Unlock Certificate. Import the .CER file.
It's recommended you require TPM + startup pin on client computers: See 2.3.3
You can use a subnet access list to specify that only clients from certain subnets can network unlock. On the WDS server, create a bde-network-unlock.ini file in the same folder as the network unlock provider dll (nkpprov.dll in c:\windows\system32)
Extra Note: Client certificates for network unlock are stored in HKLM\Software\Policies\Microsoft\SystemCertificates\FVE_NKP
Extra Note: The first NIC on a compatible client must be configured for DHCP to use with network unlock
2.3.3 configure Bitlocker policies
add a Data Recovery agent for recovery - A DRA is an account who is authorized to recover Bitlocker drives with a certificate.
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption
There are a number of other bitlocker policies that can be configured in
Computer Configuration\Administrative Templates\Bitlocker Drive Encryption
Some good ones to know:
Bitlocker Drive Encryption:
Store Bitlocker recovery information in AD DS
Choose how users can recover Bitlocker-protected drives
Choose drive encryption method and cipher strength
Operating System Drives:
Allow network unlock at startup
Require additional authentication at startup
Allow Enhanced PINS for startup
Choose how Bitlocker-protected operating system drives can be recovered
Fixed Data Drives:
Configure use of passwords for fixed data drives
Choose how Bitlocker-protected fixed drives can be recovered
Removable Data Drives:
Control use of Bitlocker on removable drives
Configure use of passwords for removable data drives
Choose how Bitlocker-protected removable drives can be recovered.
2.3.4 configure the EFS recovery agent
EFS data recovery agent is configured through GP:
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
2.3.5 manage EFS and Bitlocker certificates including backup and restore
certificates can be exported using certmgr.msc from Personal
Export with private key.
.PFX - Give it a password
To restore, just import the PFX file to Personal and supply the password
Bitlocker certs can also be exported using certmgr.msc
They can also be stored in AD DS with the "Store Bitlocker recovery information in AD DS" GP option.
Symmetric: uses a single key to encrypt and decrypt data
Asymmetric key: uses mathematically-related keys. This allows one key to be public, so it could be published in a certificate.
Hash: one-way encryption
EFS encryption: used to encrypt files on NTFS volume.
Bitlocker drive encryption(BDE): encrypt an entire volume.
EFS encryption: http://technet.microsoft.com/en-us/library/cc749610%28v=WS.10%29.aspx
EFS creates a certificate for the user encrypting the files, thus allowing only that user to automatically decrypt the files upon use. An encryption certificate can be added to the file in order to share it with other users.
To encrypt a folder or file, click properties on the object, Advanced, then check Encrypt contents to secure data. When you encrypt a folder, you have the option to apply changes to this folder only, or to this folder, subfolders, and files.
To decrypt a folder or file, you just uncheck the Encrypt contents.
You cannot both compress and encrypt an NTFS file
encrypted files are decrypted when moved to a non-NTFS volume
files are automatically encrypted when put in a folder that has encryption enabled. However, moving one out does not automatically decrypt it
Files that are set to System or in the root directory cannot be encrypted
cipher.exe /e c:\home\flintstones
cipher.exe /d c:\home\flintstones
to allow another user to decrypt a file, right click properties on the encrypted file, Advanced, click Add under "Users who can access this file". Click the user to select their EFS certificate
EFS and group policy:
Computer configuration\policies\windows settings\security settings\public key policies\encrypting file system
Choose Allow or Don't Allow EFS
Allow, Require, or Don't allow Elliptic Curve Cryptography
Check or uncheck:
Encrypt the contents of the user's Documents folder
Require a smart card for EFS
Create caching-capable user key from smart card
Display key backup notifications when user key is created or changed
Certificates tab allows you to set key size. You can also enable or disable EFS from creating its own self-signed certificates when a certificate authority is not available.
2.3.1 Configure Bitlocker encryption
http://technet.microsoft.com/en-us/library/jj612864.aspx
http://technet.microsoft.com/en-us/library/hh831713.aspx
http://technet.microsoft.com/en-us/library/hh831412.aspx
http://technet.microsoft.com/en-us/library/jj649829%28v=wps.620%29.aspx
http://download.microsoft.com/download/F/4/1/F41E0BFA-8F1B-44E3-91F0-8AF84908DCC7/Understand_and_Troubleshoot_BitLocker_in_Windows_Server_8_Beta.docx
Bitlocker requires Trusted Platform Module 1.2 or 2.0, or USB access to save a startup key to a removable device.
Hard disk must be partitioned with at least two drives:
OS/boot drive contains operating system and its support files. Must be NTFS.
System drive contains files needed to load Windows after firmware has readied the hardware. Bitlocker is not enabled on this drive.
Windows automatically creates the partitions required for Bitlocker.
Bitlocker uses AES-128 or AES-256
Startup modes:
TPM: Bitlocker encryption key stored on TPM
PIN: user must supply a numeric pre-boot PIN
Enhanced PIN: alphanumeric PIN
USB key: A startup key is stored on a USB
Network key: a key provided by a WDS server.
For drives that are not OS volumes, you can choose to use a password or a smart card or have it automatically unlock. If you choose password or smart card, you can save a recovery key
Installing bitlocker:
Add roles and Features
select Bitlocker Drive Encryption(Bitlocker)
Installing Bitlocker will also install the feature Enhanced Storage(EnhancedStorage) to support hard drives that support hardware encryption
Including the management tools will also install Bitlocker Drive Encryption Administration(RSAT-Feature-Tools-Bitlocker), Bitlocker Drive Encryption Tools(RSAT-Feature-Tools-Bitlocker-RemoteAdminTool), Bitlocker Recovery Password Viewer(RSAT-Feature-Tools-Bitlocker-BdeAducExt), AD DS & AD LDS Tools(Rsat-AD-Tools), AD DS Tools(RSAT-ADDS) and AD DS Snap-ins and command-line(RSAT-ADDS-Tools), the manage-bde command line tool, and the PS module Bitlocker
install-windowsfeature bitlocker -includemanagementtools
You can check whether your computer has TPM installed by running the TPM management(tpm.msc) snap-in. (You can also get to this mmc via the Bitlocker option in control panel). The TPM must be initialized here before using Bitlocker.
Enable Bitlocker for a drive or removable drive that's not the OS volume:
go to control panel, Bitlocker Drive Encryption.
Click Turn on Bitlocker for the volume you want to encrypt
You can select a Password or Smart card to unlock the drive. You can also allow it to auto unlock. Next you will be prompted with options for backing up your recovery key: Save to USB, Save to file, print the key.
You will be prompted with whether you want to use:
"Encrypt used disk space only": This will encrypt as space is used
"Encrypt entire drive"
Once you have encrypted the volume, you have the option to go back and backup the recovery key again, change or remove password, add or remove a smart card, turn on auto-unlock, or disable bitlocker.
Note: You can also use a certificate as a protector on a data volume using manage-bde
Bitlocker to Go
Allows encryption of removable usb drives. Once the drive is plugged in, you can Turn on Bitlocker in the bitlocker control panel
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft account online, or printed.
Bitlocker Recovery:
http://technet.microsoft.com/en-us/library/dn383583.aspx
Bitlocker allowed recovery options should be set in group policy (see 2.2.3)
1. Use a recovery password
2. A designated Data Recovery Agent(DRA) can supply a certificate (configured by GP, see 2.3.3)
3. An ADDS administrator can retrieve the recovery key from AD.
manage-bde - command line utility to manage bitlocker on a client.
A few parameters:
manage-bde -status to show bitlocker status
manage-bde -protectors -add c: -tpmandpin
manage-bde -on c: -password
-off, -lock, -unlock, -autounlock, -changepassword, -changepin, -changekey
Powershell
http://technet.microsoft.com/en-us/library/jj649829.aspx
A few commands:
get-bitlockervolume
enable-bitlocker
disable-bitlocker
add-bitlockerkeyprotector
remove-bitlockerkeyprotector
lock-bitlocker
unlock-bitlocker
enable-bitlockerautolock
Extra Note: In an Enterprise, you may want to use the Microsoft Bitlocker Administration and Monitoring tool (MBAM), included with the Microsoft Desktop Optimization Pack(MDOP), for bitlocker administration. This can be used in standalone mode or integrated into SCCM.
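Extra example (added here, not from the original notes or Microsoft's documentation): the manage-bde and PowerShell commands above, put together as one script that checks the TPM, enables Bitlocker on the OS volume with TPM + PIN, adds a recovery password protector and escrows it in AD DS. It assumes the Bitlocker feature is installed and that GP allows "Store Bitlocker recovery information in AD DS" (see 2.3.3); the mount point C: and the PIN prompt are assumptions.

```powershell
# Added example (not from the original notes): enable Bitlocker on the OS volume
# with a TPM+PIN protector, add a recovery password, and back it up to AD DS.
# Assumes the Bitlocker feature is installed and GP allows AD DS recovery escrow.

# 1. Check that a TPM is present and ready before relying on it as a protector
#    (same information tpm.msc shows; initialize the TPM there first if not ready).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready. Initialize it in tpm.msc before enabling Bitlocker.'
}

# 2. Make the script safe to re-run: stop if the volume is already protected.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "C: is already protected with: $($vol.KeyProtector.KeyProtectorType -join ', ')"
    return
}

# 3. Prompt for the pre-boot PIN as a SecureString; never hard-code it in a script.
$pin = Read-Host -AsSecureString -Prompt 'Enter the numeric startup PIN'

# 4. Enable Bitlocker: AES-256, encrypt used space only, TPM+PIN startup mode.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -UsedSpaceOnly `
                 -TpmAndPinProtector -Pin $pin

# 5. Add a recovery password protector so the drive can be recovered if the TPM or PIN fails.
$rp = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector

# 6. Escrow that recovery password in AD DS (readable later with the Recovery Password Viewer).
$rpId = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rpId

# 7. Show the result: encryption progress and which protectors now exist.
Get-BitLockerVolume -MountPoint 'C:' | Format-List VolumeStatus, EncryptionPercentage, KeyProtector
```

Enabling with a TPM+PIN protector triggers the Bitlocker hardware test, so the machine needs a reboot before encryption starts; the recovery password is added and escrowed before that reboot so there is never a window where the volume has a TPM-bound key but no recovery path.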
2.3.2 configure the Network Unlock feature
http://technet.microsoft.com/en-us/library/jj574173.aspx
requirements:
Windows 8 or 2012 with UEFI DHCP drivers
Bitlocker Network Unlock feature installed on 2012
a 2012 WDS server
a DHCP server, separate from WDS
If you already have a WDS server in your environment, you can leverage it by installing the network unlock feature. Otherwise, whichever server you install Network Unlock on will install the WDS service. It doesn't have to be configured beyond the initial WDS configuration(to allow the wdsserver service to run)
Install the Network Unlock feature by going to Server Manager. Skip to Features and click on Bitlocker Network Unlock(bitlocker-networkunlock). If WDS is not installed, WDS(WDS), WDS Deployment(wds-deployment) and Transport(wds-transport) will be installed. If you check "include management tools", the WDS Tools(wds-adminpack) will also be installed.
install-windowsfeature bitlocker-networkunlock
The wdsserver service must be running.
If you have a CA, request a new certificate
Use the "Network Unlock on the Domain controller" template
Create the certificate
Export the public key certificate to create a .cer - Select DER encoded X.509 and do not export private key
Export the public key with private key to create a .pfx - Select Yes to export private key
Or you can create a self-signed certificate and use certreq to create a new certificate. Import into certmgr, then export the .pfx
On the WDS server, go to certmgr.msc and right click certificates - Bitlocker Drive Encryption Network Unlock, and Import. Choose the PFX file.
Now you need to setup group policy to deploy the public key certificate to clients:
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption Network Unlock Certificate
Add Network Unlock Certificate. Import the .CER file.
It's recommended you require TPM + startup PIN on client computers: See 2.3.3
You can use a subnet access list to specify that only clients from certain subnets can network unlock. On the WDS server, create a bde-network-unlock.ini file in the same folder as the network unlock provider dll (nkpprov.dll in c:\windows\system32)
Extra Note: Client certificates for network unlock are stored in HKLM\Software\Policies\Microsoft\SystemCertificates\FVE_NKP
Extra Note: The first NIC on a compatible client must be configured for DHCP to use with network unlock
2.3.3 configure Bitlocker policies
add a Data Recovery agent for recovery - A DRA is an account that is authorized to recover Bitlocker drives with a certificate.
Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Bitlocker Drive Encryption
There are a number of other bitlocker policies that can be configured in
Computer Configuration\Administrative Templates\Bitlocker Drive Encryption
Some good ones to know:
Bitlocker Drive Encryption:
Store Bitlocker recovery information in AD DS
Choose how users can recover Bitlocker-protected drives
Choose drive encryption method and cipher strength
Operating System Drives:
Allow network unlock at startup
Require additional authentication at startup
Allow Enhanced PINS for startup
Choose how Bitlocker-protected operating system drives can be recovered
Fixed Data Drives:
Configure use of passwords for fixed data drives
Choose how Bitlocker-protected fixed drives can be recovered
Removable Data Drives:
Control use of Bitlocker on removable drives
Configure use of passwords for removable data drives
Choose how Bitlocker-protected removable drives can be recovered.
2.3.4 configure the EFS recovery agent
EFS data recovery agent is configured through GP:
Computer\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
2.3.5 manage EFS and Bitlocker certificates including backup and restore
certificates can be exported using certmgr.msc from Personal
Export with private key.
.PFX - Give it a password
To restore, just import the PFX file to Personal and supply the password
Bitlocker certs can also be exported using certmgr.msc
They can also be stored in ADDS with the "Store Bitlocker recovery information in AD DS" GP option.
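Extra example (added here, not from the original notes): the certmgr.msc export/import above done with the PKI cmdlets, plus a lookup of the Bitlocker recovery passwords that the AD DS GP option stores under a computer account (what the Bitlocker Recovery Password Viewer shows). The backup path D:\backup\efs-cert.pfx and the computer name WKS01 are assumptions; the AD part needs the ActiveDirectory module (RSAT-AD-PowerShell) and read rights on the recovery objects.

```powershell
# Added example (not from the original notes): back up and restore the current user's
# EFS certificate with its private key, then list the Bitlocker recovery passwords
# escrowed in AD DS for a computer. Paths and the computer name are assumptions.

$pfxPath = 'D:\backup\efs-cert.pfx'                    # assumption: removable backup drive
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# EFS certificates carry the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4).
# Pick the newest one in Personal that still has its private key.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key found in Personal.' }

# Export with the private key (.pfx). Without the key the backup cannot decrypt anything.
Export-PfxCertificate -Cert $efsCert -FilePath $pfxPath -Password $pfxPass | Out-Null
"Exported EFS certificate $($efsCert.Thumbprint) to $pfxPath"

# Restore on a rebuilt profile: import the .pfx back into Personal with the same password.
# Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPass

# Bitlocker recovery information lives in msFVE-RecoveryInformation child objects of the
# computer account. Read access is normally limited to domain admins or a delegated helpdesk group.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity 'WKS01'            # assumption: computer account name
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
             -SearchBase $computer.DistinguishedName `
             -Properties whenCreated, 'msFVE-RecoveryPassword' |
    Sort-Object whenCreated -Descending |
    Select-Object whenCreated, Name, @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
```

Each recovery object's name starts with the time it was created, so when a volume has been re-keyed several times the newest entry is the one the client currently expects; listing them sorted by whenCreated makes that obvious during a recovery call.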
2. Configure file and print services 2.2 Configure File Server Resource Manager (FSRM)
http://technet.microsoft.com/en-us/library/hh831746.aspx
http://technet.microsoft.com/en-us/library/cc770989%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc732431.aspx
http://technet.microsoft.com/en-us/library/jj900651.aspx
FSRM allows you to:
Quota Management-
Create quotas for a volume or folder tree, including notifications for thresholds
File Screening Management-
Create file filters to control what can be saved, including notifications for those trying to save blocked files
Storage Reports Management-
Generate or schedule storage reports for disk usage
Classification Management-
File classification - based on certain properties, apply policies such as restricting access, encrypting, expiration.
File Management Tasks-
Extra note: File classification is covered more in 70-412.
Extra note: In Windows Server 2012, the File Server Resource Manager command-line tools (dirquota.exe, filescrn.exe, and storrept.exe) are deprecated. They're still available but are meant to be replaced by the FSRM powershell cmdlets.
2.2.1 Install the FSRM role
Add Roles and Features in Server Manager, File Server Resource Manager(FS-Resource-Manager) found under File and iSCSI Services(File Services) and File and Storage Services(FileAndStorage-Services). Including the management tools will also install RSAT-FSRM-Mgmt with fsrm.msc and the PS module FileServerResourceManager
install-windowsfeature fs-resource-manager -includemanagementtools
FSRM server options:
right click the "File Server Resource Manager" node and select Configure Options:
Email notifications
set the SMTP server name/ip
specify default admin recipients
set the default "from" address
send a test e-mail
send-fsrmtestemail
Notification limits
set e-mail notification limits, event log notification limits, command notification limits, report notification limits
Storage reports
configure default canned report properties
Report locations
set folder locations for Incident, Scheduled, and Interactive(On-Demand) reports
File screen audit
Automatic classification
Access-Denied Assistance
Set up messages/e-mails for access-denied assistance when users are denied access to folders/files
get-fsrmadrsetting
set-fsrmadrsetting
Powershell for all of the above configuration settings:
get-fsrmsetting
set-fsrmsetting
2.2.2 configure quotas
Hard quota: stops users from saving anything that would go beyond the quota threshold
Soft Quota: used for notifications and monitoring. Will not stop files from being saved over the threshold.
Create a quota
Create a quota by clicking the Quotas tab under Quota Management, and right clicking the task area and "Create Quota".
Choose a folder in a path to create a quota on
Selecting "Create quota on path" creates a single total quota covering all existing and future subfolders and their nested subs. So if you put a 100 MB quota on a parent folder, you can only store 100 MB in total across all folders below it.
You can choose to use a quota template, or create a custom quota.
If you create a custom quota, you are given the option of copying properties from an existing template, adding a description, setting your limit, choosing hard or soft quota, creating notification thresholds, and enable/disable quota after adding it. Click OK.
Once you hit Create, if you chose "custom quota", you are prompted with the option to save it as a template, unless the "Do not ask me to save as a template" option has been checked before.
Powershell:
Create a new basic 100MB quota:
new-fsrmquota -path "c:\quotaparent1" -size 100MB
Use a template:
new-fsrmquota -path "c:\quotaparent1" -template "100 MB Limit"
You can specify -disabled to create it disabled, -softlimit for a soft quota, -description, and -threshold to add threshold notifications (see below)
Create an auto apply quota
The next option only allows you to use a template. You cannot create a custom quota.
Selecting "Auto apply template and create quotas on existing and new subfolders" creates individual quotas for each subfolder that resides in the parent folder, but those quotas also include the total from the nested subs of each subfolder (as if you created an individual "Create quota on path" on each subfolder). However, the parent folder is not affected; only its subs and their nested subs.
Note that if you delete the auto-apply quota from the parent folder, the auto-applied quotas on the current subs will still exist.
Also note that you can place a quota on any nested subfolder whose parent(s) already have a quota applied. But it must be more restrictive than the parent, allowing you to place a quota deeper into the directory structure while maintaining the quotas of the parents. You cannot place a less restrictive quota, as the parent's quota is still enforced on all folders below it.
If you right click an applied quota you can edit its settings. Even if you used a template to create the quota, you can customize the settings further. However, it will still be displayed under the Source templates expanded display.
Powershell:
new-fsrmautoquota -path "c:\quotaparent2" -template "100 MB Limit"
Since you can only choose template for auto quotas, the only other option to note here is -disabled
Quota Template
Creating a quota template is similar to the custom quota process outlined above.
Powershell:
Also similar to creating a quota
new-fsrmquotatemplate -name "Tiny" -size 10MB
-description, -softlimit, -threshold
get-fsrmquotatemplate -name "Tiny"
Display quotas:
You can view quota usage %'s in the Quotas menu, and filter by templates applied, applied quotas, auto apply quotas, as well as specific quota paths.
You can also use the Quota Usage storage report to view quotas that exceed a percentage.
Powershell
get-fsrmquota
get-fsrmquota -path "c:\quotaparent1"
get-fsrmautoquota
With an auto quota, you can still use get-fsrmquota to see all the auto-set quotas below the parent.
You can remove a quota with
remove-fsrmquota -path "c:\quotaparent1"
remove-fsrmautoquota -path "c:\quotaparent2"
Configuring notifications:
While creating or editing an applied quota, or creating/editing a template, you have the option to configure notifications
Adding or editing a notification gives you the following options:
The % of the threshold that triggers this notification
E-mail message: Send an e-mail to a specific address, and/or to the user who exceeded the threshold.
Event Log: Log this notification in the event log.
Command: Run a specific command or script
Report: Generate a report(See 2.2.4)
Powershell:
First you must create an Action object using new-fsrmaction. Then you create a threshold object using new-fsrmquotathreshold. Note that actions and thresholds are not saved independently, so you must use them in other ways, such as storing them in variables or creating them inline when applying to quotas or quota templates. Example of inline:
set-fsrmquota -path "c:\quotaparent1" -threshold (new-fsrmquotathreshold -percentage 85 -action (new-fsrmaction -type email -mailto "admin@contoso.com" -subject "Threshold" -body "Too much stuff"))
Other Quota cmdlets:
set-fsrmautoquota
set-fsrmquotatemplate
update-fsrmquota
update-fsrmautoquota
(update is used to scan a path in order to resync usage reports for the path)
reset-fsrmquota
(reset applies a template's settings to an existing quota)
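Extra example (added here, not from the original notes): the quota cmdlets above as one end-to-end script, covering the FSRM e-mail options from 2.2.1 as well, since e-mail thresholds do nothing without an SMTP server configured. It builds actions and thresholds in variables, attaches them to a template, auto-applies the template to a home-folder share and lists the derived quotas with usage. The SMTP host, addresses, template name and D:\Home path are assumptions.

```powershell
# Added example (not from the original notes): configure FSRM e-mail settings, build a
# quota template with two notification thresholds, and auto-apply it so every subfolder
# of D:\Home gets its own quota. Server names, addresses and paths are assumptions.

# 1. Notifications need an SMTP relay, a from address and default admin recipients
#    (the same fields as Configure Options in fsrm.msc). Send a test mail to confirm.
Set-FsrmSetting -SmtpServer 'smtp.contoso.com' -FromEmailAddress 'fsrm@contoso.com' `
                -AdminEmailAddress 'storage-admins@contoso.com'
Send-FsrmTestEmail -ToEmailAddress 'storage-admins@contoso.com'

# 2. Actions: warn the owner and admins by e-mail at 85%, and write a Warning event at 100%
#    so event log collection picks it up. [Source Io Owner], [Quota Path], [Quota Used MB],
#    [Quota Limit MB], [Quota Threshold] and [Admin Email] are FSRM notification variables.
$warnMail = New-FsrmAction -Type Email -MailTo '[Source Io Owner];[Admin Email]' `
    -Subject 'Home folder at [Quota Threshold]% of quota' `
    -Body 'User [Source Io Owner] has used [Quota Used MB] MB of [Quota Limit MB] MB in [Quota Path].'
$fullEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota limit reached on [Quota Path] by [Source Io Owner].'

# Thresholds are not stored on their own; keep them in variables until attached.
$t85  = New-FsrmQuotaThreshold -Percentage 85  -Action $warnMail
$t100 = New-FsrmQuotaThreshold -Percentage 100 -Action $fullEvent

# 3. Template: 500 MB hard limit (no -SoftLimit) with both thresholds attached.
New-FsrmQuotaTemplate -Name 'Home 500MB' -Description 'Per-user home folder limit' `
    -Size 500MB -Threshold @($t85, $t100)

# 4. Auto-apply: each existing and future subfolder of D:\Home gets its own 500 MB quota;
#    D:\Home itself is not limited.
New-FsrmAutoQuota -Path 'D:\Home' -Template 'Home 500MB'

# 5. Review the quotas that were derived, with current usage in MB.
Get-FsrmQuota | Where-Object { $_.Path -like 'D:\Home\*' } |
    Select-Object Path, SoftLimit,
        @{ n = 'LimitMB'; e = { $_.Size / 1MB } },
        @{ n = 'UsedMB';  e = { [math]::Round($_.Usage / 1MB, 1) } }
```

Because the template holds the thresholds, editing the template later (set-fsrmquotatemplate) and choosing to propagate the change updates every derived quota in one step, which is the reason to prefer templates over per-folder custom quotas.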
2.2.3 configure file screens
Using File Screening Management node in FSRM mmc:
File Groups:
Right click, create file group. Give the group a name then add file extensions or file name patterns that can be included or excluded for this group
Powershell:
new-fsrmfilegroup -name "Various" -includepattern @("*.mp3","*.exe","*.vbs")
Other parameters: -description, -excludepattern
get-fsrmfilegroup -name "Various"
set-fsrmfilegroup -name "Various" -includepattern @("*.exe","*.vbs")
remove-fsrmfilegroup -name "Various"
File Screens:
Right click, create File screen. Enter a path for the screen. Choose a template, or custom file screen properties. Defining custom properties allows the following options:
Settings tab:
Copy settings from a template
Choose:
Active Screening: Do not allow users to save unauthorized files
Passive Screening: Allow users to save. This is for monitoring those unauthorized files.
Select the file groups to block
E-mail message:
Choose "Send e-mail to administrators" and/or "Send e-mail to user"
Event Log
Create a log entry for the event log.
Command
Run a command or script
Report
Generate reports
Powershell:
new-fsrmfilescreen -path "c:\home" -includegroup "Various" -active
new-fsrmfilescreen -path "c:\screenme" -template "Block Image Files"
-description to add a description
-notification adds a notification created using new-fsrmaction
set-fsrmfilescreen -path "c:\home" -includegroup @("Various","E-mail files")
get-fsrmfilescreen
remove-fsrmfilescreen
File screen exceptions
An exception is applied to a subfolder whose parent has a file screen, when that screen needs to be overridden for the subfolder.
Powershell:
new-fsrmfilescreenexception
get-fsrmfilescreenexception
set-fsrmfilescreenexception
remove-fsrmfilescreenexception
File screening templates
Creating file screen templates is similar to creating a custom property file screen as listed above
new-fsrmfilescreentemplate -name "Various files" -includegroup "Various" -active
get-fsrmfilescreentemplate
set-fsrmfilescreentemplate
remove-fsrmfilescreentemplate
Other File screen cmdlets:
reset-fsrmfilescreen - reset a file screen to the default settings of a specified template
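Extra example (added here, not from the original notes): the file group, file screen and exception cmdlets above combined into the rollout a file server admin would actually do: create the group, start with a passive screen so matches are only logged while legitimate use is learned, exempt a tools folder, then switch the screen to active. The share path, subfolder and group name are assumptions.

```powershell
# Added example (not from the original notes): create a custom file group, start with a
# passive (monitor-only) screen, add an exception for a tools folder, then enforce it.
# Paths and the group name are assumptions.

# 1. File group: the extensions to screen, with an exclusion for an approved vendor pattern.
New-FsrmFileGroup -Name 'Scripts and Executables' `
    -IncludePattern @('*.exe', '*.vbs', '*.ps1', '*.bat', '*.cmd', '*.js') `
    -ExcludePattern @('vendor-*.exe')

# 2. Notifications: a Warning event (collected by SIEM/event forwarding) and an admin e-mail.
#    [Source Io Owner], [Source File Path], [File Screen Path] and [Server] are FSRM variables.
$evt  = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] attempted to save [Source File Path] under [File Screen Path].'
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Screened file type saved on [Server]' `
    -Body '[Source Io Owner] saved [Source File Path] (screen: [File Screen Path]).'

# 3. Passive screening first: users can still save, but every match is logged and mailed.
New-FsrmFileScreen -Path 'D:\Shares\Public' -IncludeGroup 'Scripts and Executables' `
    -Active:$false -Notification @($evt, $mail) -Description 'Monitoring phase'

# 4. Exception: the IT tools subfolder legitimately holds executables and scripts.
New-FsrmFileScreenException -Path 'D:\Shares\Public\IT-Tools' `
    -IncludeGroup 'Scripts and Executables' -Description 'Approved tooling'

# 5. After reviewing the File Screening Audit report for the monitoring phase, enforce the screen.
Set-FsrmFileScreen -Path 'D:\Shares\Public' -Active

Get-FsrmFileScreen -Path 'D:\Shares\Public' | Select-Object Path, Active, IncludeGroup
```

File screens match on file name only, not content, so they are a hygiene and monitoring control rather than malware protection; the passive phase is what tells you whether users already depend on the screened types before you start blocking.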
2.2.4 configure reports
To create, and schedule a report, right click the Storage Reports area and select "Schedule a new report task". This task will be saved for reuse
To create a report and run it now, right click and select Generate Reports now. This task will not be saved.
Settings tab:
If you are scheduling a task, you must give it a name. If you're just generating one, the name will be chosen for you as "Interactive Report Task" with the date/time.
Choose reports to include, and choose their parameters
Available canned reports:
Duplicate files - finds files with same size and modified date
File Screening Audit - Use to monitor screening policies. You can configure the minimum number of days in the past in which events occurred, as well as pick specific users
File by File Group: List files that match file groups, in order to find those that take up lots of space.
File by Owner: Pick all owners or selected owners. You can include a file matching pattern as well
Files by Property: Used by classification to find files by property value
Folders by property: Used by classification
Large files: You can set the min file size, as well as a file name pattern to match.
Least recently accessed files: Choose min days since last accessed, as well as a file name pattern
Most recently accessed files: Choose max days since last accessed, as well as a file name pattern
Quota usage: Set minimum % quota usage. This checks all quotas.
Select the format(s) you want to save the report as: DHTML, HTML, XML, CSV, Text
Scope tab:
Select the file data groups to include(these are not the same as the File Screen file groups. If you don't select any of them, the report(s) will default to all files):
Application Files
Backup and Archival Files
Group Files
User Files
Choose the volume(s)/folders to check. Note that the reports will recursively check all subfolders below the one you choose.
Delivery tab:
Allows you to enter e-mail addresses to send the report to.
Schedule tab(only available if you chose Schedule a new report task):
Choose a time, and the days to run the report on. You can choose to limit the max time the report will be able to run(in hours).
If you chose "Generate reports now", once you click OK you are given the option to Generate reports in the background to view later, or to generate now and view after they finish.
Reports are saved in the location set in the FSRM server options. Default is "c:\storagereports"
new-fsrmstoragereport -name "large" -interactive -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text")
scheduledreport:
Use new-fsrmscheduledtask to create a schedule object.
new-fsrmstoragereport -name "Large Files" -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text") -schedule (new-fsrmscheduledtask -time (get-date "1:30am") -weekly "Monday")
get-fsrmstoragereport
unless you specify -name, in addition to scheduled reports, this will show currently queued/running interactive and incident reports. The Interactive and Schedule properties tell you which it is.
set-fsrmstoragereport -name "Large Files" -namespace "c:\home"
remove-fsrmstoragereport -name "Large Files"
other commands:
start-fsrmstoragereport, stop-fsrmstoragereport, wait-fsrmstoragereport
Extra note: one more option available in Storage Reports: Add or Remove Reports for a report task just allows you to see all the report tasks and quickly configure the reports they use, instead of editing each report task individually.
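Extra example (added here, not from the original notes): a scheduled report task that pairs the File Screening Audit report with a Large Files report, which is the combination a file server admin would review weekly after deploying screens. It also turns on file screen auditing in the FSRM options, since the audit report is empty without it. The namespaces, report location, recipient and schedule are assumptions.

```powershell
# Added example (not from the original notes): enable file screen auditing and schedule a
# weekly report task combining the File Screening Audit (last 7 days) with a Large Files
# report, saved as CSV (for ingestion) and DHTML (for reading). Names and paths are assumptions.

# File Screening Audit reports have no data unless auditing is enabled in the FSRM options.
Set-FsrmSetting -FileScreenAuditEnabled $true -ReportLocationScheduled 'D:\StorageReports\Scheduled'

# Schedule object: Mondays at 02:00, allowed to run for at most 2 hours.
$schedule = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Monday -RunDuration 2

$reportName = 'Weekly screening audit and large files'
New-FsrmStorageReport -Name $reportName `
    -Namespace @('D:\Shares\Public', 'D:\Home') `
    -ReportType @('FileScreenAuditFiles', 'LargeFiles') `
    -FileScreenAuditDaysSince 7 `
    -LargeFileMinimum 250MB -LargeFilePattern '*' `
    -ReportFormat @('Csv', 'DHtml') `
    -MailTo 'storage-admins@contoso.com' `
    -Schedule $schedule

# Run the task once now to validate the parameters; -Queue returns immediately,
# Wait-FsrmStorageReport blocks until the queued run finishes.
Start-FsrmStorageReport -Name $reportName -Queue
Wait-FsrmStorageReport -Name $reportName

Get-FsrmStorageReport -Name $reportName | Select-Object Name, ReportType, LastRun, Status
```

The CSV output lands in the scheduled report location set above, so the same task feeds both the humans reading the DHTML and any log or ticketing pipeline that picks up the CSV.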
2.2.5 (R2) Configure file management tasks
Right-click "File Management Tasks" under FSRM menu and select "Create File Management Task"
General tab: name the task. Check or uncheck Enable
Scope: Choose type of data to include and the folders to include.
Action: Choose a type of task. If custom, you will need to provide a path to an executable and command line arguments, as well as a working directory. Choose the account to run the task as.
Notification: Add an FSRM notification.
Report: Add an FSRM report to generate
Condition: Include conditions for the task
Schedule: Schedule when the task will run.
This task will be added to Task scheduler under Task Scheduler Library->Microsoft->Windows->File Server Resource Manager
http://technet.microsoft.com/en-us/library/cc770989%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc732431.aspx
http://technet.microsoft.com/en-us/library/jj900651.aspx
FSRM allows you to:
Quota Management-
Create quotes for a volume or folder tree, including notifications for thresholds
File Screening Management-
Create file filters to control what can be saved, including notifications for those trying to save blocked files
Storage Reports Management-
Generate or schedule storage reports for disk usage
Classification Management-
File classification - based on certain properties, apply policies such as restricting access, encrypting, expiration.
File Management Tasks-
Extra note: File classification is covered more in 70-412.
Extra note: In Windows Server 2012, the File Server Resource Manager command-line tools (dirquota.exe, filescrn.exe, and storrept.exe) are deprecated. They're still available but are meant to be replaced by the FSRM powershell cmdlets.
2.2.1 Install the FSRM role
Add Roles and Features in Server Manager, File Server Resource Manager(FS-Resource-Manager) found under File and ISCSI Services(File Services) and File and Storage Services(FileAndStorage-Services). Including the management tools will also install RSAT-FSRM-Mgmt with fsrm.msc and the PS module FileServerResourceManager
install-windowsfeature fs-resource-manager -includemanagementtools
FSRM server options:
right click the "File Resource Manager item" and select Configure Options:
Email notifications
set the SMTP server name/ip
specify default admin recipients
set the default "from" address
send a test e-mail
send-fsrmtestemail
Notification limits
set e-mail notification limits, event log notification limits, command notification limits, report notification limits
Storage reports
configure default canned report properties
Report locations
set folder locations for Incident, Scheduled, and Interactive(On-Demand) reports
File screen audit
Automatic classification
Access-Denied Assistance
Setup messages/e-mails for access-denied assistance when users are denied access to folders/files
get-fsrmadrsetting
set-fsrmadrsetting
Powershell for all of the above configuration settings:
get-fsrmsetting
set-fsrmsetting
2.2.2 configure quotas
Hard quota: stops users from saving anything that would go beyond the quota threshold
Soft Quota: used for notifications and monitoring. Will not stop files from being saved over the threshold.
Create a quota
Create a quota by clicking the Quotas tab under Quota Management, and right clicking the task area and "Create Quota".
Choose a folder in a path to create a quota on
Select "Create quota on path" will create a total quota on all existing and future subfolders and their nested subs. So if you put a 100 MB on a parent folder, you can only store 100 total MB in all folders below it.
You can choose to use a quota template, or create a custom quota.
If you create a custom quota, you are given the option of copying properties from an existing template, adding a description, setting your limit, choosing hard or soft quota, creating notification thresholds, and enable/disable quota after adding it. Click OK.
Once you hit Create, if you chose "custom quota", you are prompted with the option to save it as a template, unless the "Do not ask me to save as a template" option has been checked before.
Powershell:
Create a new basic 100MB quota:
new-fsrmquota -path "c:\quotaparent1" -size 100MB
Use a template:
new-fsrmquota -path "c:\quotaparent1" -template "100 MB Limit"
You can specify -disabled to create it disabled,-softlimit for soft quota, -description, and -threshold to add threshold notifcations(see below)
Create an auto apply quota
The next option only allows you to use a template. You cannot create a custom quota.
Selecting "Auto apply template and create quotas on existing and new subfolders" creates individual quotas for each subfolder that resides in the parent folder, but those quotas also include the total from the nested subs of each subfolder(as if you created an individual "Create quota on path" on each subfolder.) However, the parent folder is not affected; only it's subs and their nested subs.
Note that if you delete the auto-apply quota from the parent folder, the auto-applied quotas on the current subs will still exist.
Also note that you can place a quota on any nested subfolder whose parent(s) already have a quota applied. But it must be more restrictive than the parent, allowing you to place a quota deeper into the directory structure while maintaining the quotas of the parents. You cannot place a less restrictive quota, as the parent's quota is still enforced on all folders below it.
If you right click an applied quota you can edit it's settings. Even if you used a template to create the quota, you can customize the settings further. However, it will still be displayed under the Source templates expanded display.
Powershell:
new-fsrmautoquota -path "c:\quotaparent2" -template "100 MB Limit"
Since you can only choose template for auto quotas, the only other option to note here is -disabled
Quota Template
Creating a quota template is similar to the custom quota process outlined above.
Powershell:
Also similar to creating a quota
new-fsrmquotatemplate -name "Tiny" -size 10MB
-description, -softlimit, -threshold
get-fsrmquotatemplate -name "Tiny"
Display quotas:
You can view quota usage %'s in the Quotas menu, and filter by templates applied, applied quotas, auto apply quotas, as well as specific quota paths.
You can also use the Quota Usage storage report to view quotas that exceed a percentage.
Powershell
get-fsrmquota
get-fsrmquota -path "c:\quotaparent1"
get-fsrmautoquota
With an auto quota, you can still use get-fsrmquota to see all the auto-set quotas below the parent.
You can remove a quota with
remove-fsrmquota -path "c:\quotaparent1"
remove-fsrmautoquota -path "c:\quotaparent2"
Configuring notifications:
While creating or editing an applied quota, or creating/editing a template, you have the option to configure notifications
Adding or editing a notification gives you the following options:
The % of the threshold that triggers this notification
E-mail message:Send an e-mail to a specific address, and/or to the user who exceeded the threshold.
Event Log: Log this notification in the event log.
Command: Run a specific command or script
Report: Generate a report(See 2.2.4)
Powershell:
First you must create an Action object using new-fsrmaction. Then you create a threshold object using new-fsrmquotathreshold. Note that actions and thresholds are not saved independently, so you must use them other ways, such as storing in variables or creating inline when applying to quotas or quota templates. Example of inline:
set-fsrmquota -path "c:\quotaparent1" -threshold (new-fsrmquotathreshold -percentage 85 -action (new-fsrmaction -type emaill -mailto:"admin@contoso.com" -subject "Threshold" -body "Too much stuff"))
Other Quota cmdlets:
set-fsrmautoquota
set-fsrmquotatemplate
update-fsrmquota
update-fsrmautoquota
(update is used to scan a path in order to resync usage reports for the path)
reset-fsrmquota
(update a quota with a template)
2.2.3 configure file screens
Using File Screening Management node in FSRM mmc:
File Groups:
Right click, create file group. Give the group a name then add file extensions or file name patterns that can be included or excluded for this group
Powershell:
new-fsrmfilegroup -name "Various" -includepattern @("*.mp3","*.exe","*.vbs")
Other parameters: -description, -excludepattern
get-fsrmfilegroup -name "Various"
set-fsrmfilegroup -name "Various" -includepattern @("*.exe","*.vbs")
remove-fsrmfilegroup -name "Various"
File Screens:
Right click, create File screen. Enter a path for the screen. Choose a template, or custom file screen properties. Defining custom properties allows the following options:
Settings tab:
Copy settings from a template
Choose:
Active Screening: Do not allow users to save unauthorized files
Passive Screening: Allow users to save. This is for monitoring those unauthorized files.
Select the file groups to block
E-mail message:
Choose "Send e-mail to administrators" and/or "Send e-mail to user"
Event Log
Create a log entry for the event log.
Command
Run a command or script
Report
Generate reports
Powershell:
new-fsrmfilescreen -path "c:\home" -includegroup "Various" -active
new-fsrmfilescreen -path "c:\screenme" -template "Block Image Files"
-description to add a description
-notification adds a notification created using new-fsrmaction
set-fsrmfilescreen -path "c:\home" -includegroup @("Various","E-mail files")
get-fsrmfilescreen
remove-fsrmfilescreen
File screen exceptions
An exception is applied to a subfolder whose parent has a file screen, so that the parent's screen does not apply to files of the excepted file groups in that subfolder.
Powershell:
new-fsrmfilescreenexception
get-fsrmfilescreenexception
set-fsrmfilescreenexception
remove-fsrmfilescreenexception
File screening templates
Creating file screen templates is similar to creating a custom property file screen as listed above
new-fsrmfilescreentemplate -name "Various files" -includegroup "Various" -active
get-fsrmfilescreentemplate
set-fsrmfilescreentemplate
remove-fsrmfilescreentemplate
Other File screen cmdlets:
reset-fsrmfilescreen - reset a file screen to the default settings of a specified template
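As an added example (not from the original post) tying the file group, file screen, exception and template cmdlets above together: a file group for script and executable types, a passive screen that logs rather than blocks such files arriving on a user share, an exception for a subfolder where the IT team legitimately keeps tools, and the same policy saved as a template. The share paths, group and template names are constructed; [Source Io Owner], [Source File Path] and [File Screen Path] are FSRM notification variables.

```powershell
# Added example (not from the original post). Paths and names are constructed.

# File group covering types commonly abused for script and binary delivery.
New-FsrmFileGroup -Name "Scripts and Executables" `
    -IncludePattern @("*.exe","*.ps1","*.vbs","*.js","*.bat","*.cmd","*.hta","*.scr") `
    -Description "Executable and script file types to watch on user shares"

# Notification: one Warning event per match, throttled to one per hour for the
# same file/user. The event carries who saved what, and where.
$logIt = New-FsrmAction -Type Event -EventType Warning -RunLimitInterval 60 `
    -Body "User [Source Io Owner] saved [Source File Path] under screened path [File Screen Path]."

# Passive screen: without the -Active switch the save is allowed but the
# notification still fires, which is the monitoring mode described above.
# Add -Active to turn the same screen into a blocking one.
New-FsrmFileScreen -Path "D:\Shares\Users" -IncludeGroup "Scripts and Executables" `
    -Notification $logIt -Description "Monitor scripts and executables on the user share"

# Exception: the IT tools subfolder may hold these types without generating events.
New-FsrmFileScreenException -Path "D:\Shares\Users\IT-Tools" `
    -IncludeGroup "Scripts and Executables" `
    -Description "Approved location for IT tooling"

# Save the same settings as a template so other shares can use new-fsrmfilescreen -template.
New-FsrmFileScreenTemplate -Name "Monitor Scripts (passive)" `
    -IncludeGroup "Scripts and Executables" -Notification $logIt

# Confirm the screen is passive and which groups it covers.
Get-FsrmFileScreen -Path "D:\Shares\Users" | Format-List Path, Active, IncludeGroup, Description
```

Running a new screen in passive mode first shows how much legitimate traffic it would have blocked; once the exceptions are right, set-fsrmfilescreen -active enforces it.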
2.2.4 configure reports
To create, and schedule a report, right click the Storage Reports area and select "Schedule a new report task". This task will be saved for reuse
To create a report and run it now, right click and select Generate Reports now. This task will not be saved.
Settings tab:
If you are scheduling a task, you must give it a name. If you're just generating one, the name will be chosen for you as "Interactive Report Task" with the date/time.
Choose reports to include, and choose their parameters
Available canned reports:
Duplicate files - finds files with same size and modified date
File Screening Audit - Use to monitor screening policies. You can configure the minimum number of days in the past that events occurred, as well as pick specific users
File by File Group: List files that match file groups, in order to find those that take up lots of space.
File by Owner: Pick all owners or selected owners. You can include a file matching pattern as well
Files by Property: Used by classification to find files by property value
Folders by property: Used by classification
Large files: You can set the min file size, as well as a file name pattern to match.
Least recently accessed files: Choose min days since last accessed, as well as a file name pattern
Most recently accessed files: Choose max days since last accessed, as well as a file name pattern
Quota usage: Set minimum % quota usage. This checks all quotas.
Select the format(s) you want to save the report as: DHTML, HTML, XML, CSV, Text
Scope tab:
Select the file data groups to include (these are not the same as the File Screen file groups; if you don't select any of them, the report(s) default to all files):
Application Files
Backup and Archival Files
Group Files
User Files
Choose the volume(s)/folders to check. Note that the reports will recursively check all subfolders below the one you choose.
Delivery tab:
Allows you to enter e-mail addresses to send the report to.
Schedule tab (only available if you chose Schedule a new report task):
Choose a time, and the days to run the report on. You can choose to limit the maximum time the report will be allowed to run (in hours).
If you chose "Generate reports now", once you click OK you are given the option to Generate reports in the background to view later, or to generate now and view after they finish.
Reports are saved in the location set in the FSRM server options. Default is "c:\storagereports"
new-fsrmstoragereport -name "large" -interactive -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text")
scheduledreport:
Use new-fsrmscheduledtask to create a schedule object.
new-fsrmstoragereport -name "Large Files" -namespace @("c:\home","c:\storage") -reporttype "LargeFiles" -largefileminimum 50MB -reportformat @("csv","text") -schedule (new-fsrmscheduledtask -time (get-date "1:30am") -weekly "Monday")
get-fsrmstoragereport
unless you specify -name, in addition to schedule reports, this will show currently queued/running interactive and incident reports. The interactive and schedule properties tell you which it is.
set-fsrmstoragereport -name "Large Files" -namespace "c:\home"
remove-fsrmstoragereport -name "Large Files"
other commands:
start-fsrmstoragereport, stop-fsrmstoragereport, wait-fsrmstoragereport
Extra note: one more option available in Storage Reports: Add or Remove Reports for a report task just allows you to see all the report tasks and quickly configure the reports they use, instead of editing each report task individually.
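An added example (not from the original post) that extends the report cmdlets above: one scheduled task that pairs the File Screening Audit report with a Large Files report, mails the result to a distribution list, and is then started and waited on interactively. The namespaces, task name and address are constructed; -ReportType accepts several types in one task, and -FileScreenAuditDaysSince and -MailTo are parameters of new-fsrmstoragereport.

```powershell
# Added example (not from the original post). Paths, names and addresses are constructed.

# Weekly schedule: Mondays at 06:00, give up if the run exceeds 4 hours.
$weekly = New-FsrmScheduledTask -Time (Get-Date "06:00") -Weekly @("Monday") -RunDuration 4

# One task, two reports: who tried to save screened file types in the last 7 days,
# plus files over 500 MB in the same namespaces. Output in DHTML (to read) and CSV
# (to feed into a spreadsheet or SIEM).
New-FsrmStorageReport -Name "Weekly share review" `
    -Namespace @("D:\Shares\Users","D:\Home") `
    -ReportType @("FileScreenAuditFiles","LargeFiles") `
    -FileScreenAuditDaysSince 7 `
    -LargeFileMinimum 500MB `
    -ReportFormat @("DHtml","Csv") `
    -MailTo "fsrm-admins@contoso.example" `
    -Schedule $weekly

# Run the scheduled task now and block until it has finished, e.g. after an incident.
Start-FsrmStorageReport -Name "Weekly share review"
Wait-FsrmStorageReport -Name "Weekly share review"

# List only the saved (scheduled) tasks; interactive runs have Interactive = True.
Get-FsrmStorageReport | Where-Object { -not $_.Interactive } |
    Format-Table Name, ReportType, ReportFormat
```

The generated files land in the scheduled-report location from the FSRM server options (c:\storagereports by default, as noted above), so the CSV can be picked up from there even when mail delivery is not configured.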
2.2.5 (R2) Configure file management tasks
Right-click "File Management Tasks" under FSRM menu and select "Create File Management Task"
General tab: name the task. Check or uncheck Enable
Scope: Choose type of data to include and the folders to include.
Action: Choose a type of task. If custom, you will need to provide a path to an executable and command line arguments, as well as a working directory. Choose the account to run the task as.
Notification: Add an FSRM notification.
Report: Add an FSRM report to generate
Condition: Include conditions for the task
Schedule: Schedule when the task will run.
This task will be added to Task scheduler under Task Scheduler Library->Microsoft->Windows->File Server Resource Manager