IP Security (IPSec) is a network layer technology used to secure communications. With the Encapsulating Security Payload (ESP) protocol, IPSec encrypts the payload carried by Internet Protocol (IP) datagrams, so that even if the packets are captured, the data within them exists only in encrypted form and cannot be read by the interceptor. (The Authentication Header (AH) protocol, by contrast, authenticates packets but does not encrypt them.) IPSec has been supported natively since Microsoft Windows 2000. Microsoft Windows Server 2003 ships with three default IPSec policies that can be applied by means of Group Policy objects (GPOs) or local policy. These policies are as follows:
Client (Respond Only). When this policy is configured, the computer will use IPSec only if its communication partner
Server (Request Security). When this policy is configured, the computer will request that its communication partner use IPSec. If the communication partner is unable to service this request, communication will continue in an
Secure Server (Require Security). When this policy is configured, the computer will communicate only with
In addition to these default policies, custom policies can be created that are more specific. These policies can be restricted to specific
The skills that you need to successfully master the Implementing, Managing, and Troubleshooting Security for Network Communications objective domain on Exam 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network include:
Apply IPSec policies.
Practice 1: Requires two computers, both
Practice 2: Requires two computers, both members of the same domain. Configure one computer with the Secure Server (Require Security) local policy. Install an FTP server by means of IIS on this computer. Test that it works by connecting to the server from the local host. Configure a second computer without an IPSec security policy. Attempt to connect to the FTP server. When this does not work, edit the local policy on the second computer, and set the IPSec policy to Client (Respond Only). Attempt to connect to the FTP server from the second computer. This time the connection will work and traffic passing between the two systems will be encrypted.
Create individual IPSec policies.
Practice 1: Requires two computers, both members of the same domain. On the first computer, edit the local policy object. In the Computer Configuration\Windows Settings\Security Settings\IP Security Policies node, create a new IPSec policy by using the wizard. Activate the default response rule, which uses Active Directory default (Kerberos) authentication. Add a new security rule. Do not specify a tunnel. Set the network type to All Network Connections. Set authentication to Active Directory default. Set the rule for all IP traffic. Set the filter action to Require Security. Ensure that the second computer has no IPSec policy assigned. Try to ping the first computer; the ping should fail, because the second computer cannot negotiate IPSec and the first computer will not communicate in the clear. Now assign the Client (Respond Only) policy on the second computer. Try to ping the first computer again. This time you should meet with success.
Practice 2: Requires two computers. The two computers do not need to be members of the same domain. On the first computer, edit the local policy object. In the Computer Configuration\Windows Settings\Security Settings\IP Security Policies node, create a new IPSec policy by using the wizard. When asked for the Default Response Rule Authentication Method, select Preshared Key. Enter a key with the value “Quis Custodiet Custodes”. Add a new security rule. Do not specify a tunnel. Set the network type to All Network Connections. Set the authentication method to Preshared Key and enter a key with the value “Quis Custodiet Custodes”. Set the rule for all IP traffic. Set the filter action to Require Security. Assign the Client (Respond Only) policy on the second computer. Try to ping the first computer. Because the Client (Respond Only) policy defaults to Active Directory (Kerberos) authentication, no authentication method can be negotiated and the ping fails. On the second computer, edit the properties of the Client (Respond Only) IPSec policy. Edit the <Dynamic> rule. On the Authentication Methods tab, click Add, and then add the preshared key “Quis Custodiet Custodes”. Apply the policy. Try to ping the first computer again. Now that both computers have the same preshared key, you should meet with success. Note that preshared keys are stored unencrypted in the policy (they are visible to anyone who can read the local policy or the directory object), so this authentication method is suitable for a test lab or for interoperability testing, not for production.
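The same two policies can be built from the command line with the netsh ipsec static context instead of the snap-in wizard. The script below is an added example, not part of the training kit; it accepts a role argument and produces, on the first computer, the preshared-key Require Security policy of Practice 2 and, on the second computer, the Client (Respond Only) policy with the preshared key added to its default response rule. The policy, filter list and filter action names are arbitrary labels chosen for this example.

```batch
@echo off
rem Added example (not from the training kit). Usage: ipsec-practice2.cmd first | second
rem Run in a command prompt as a local administrator on Windows Server 2003.
setlocal
set PSK=Quis Custodiet Custodes

if /i "%~1"=="first"  goto first
if /i "%~1"=="second" goto second
echo usage: %~nx0 first ^| second
exit /b 1

:first
rem 1. The policy; activatedefaultrule=yes turns on the default response rule.
netsh ipsec static add policy name="Practice2 Require" description="Require IPSec for all IP traffic (PSK)" activatedefaultrule=yes assign=no

rem 2. Default response rule authentication: preshared key instead of Kerberos.
netsh ipsec static set defaultrule policy="Practice2 Require" kerberos=no psk="%PSK%"

rem 3. A filter list matching all IP traffic; mirrored=yes covers the replies as well.
netsh ipsec static add filterlist name="Practice2 All IP" description="All IP traffic to and from this computer"
netsh ipsec static add filter filterlist="Practice2 All IP" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 4. The filter action. inpass=yes accepts the first unsecured inbound packet (the ping)
rem    and uses it to trigger IKE, which is what lets a Client (Respond Only) peer connect.
rem    soft=no forbids falling back to clear text when the negotiation fails.
netsh ipsec static add filteraction name="Practice2 Require Security" action=negotiate inpass=yes soft=no

rem 5. The rule tying policy, filter list and filter action together: no tunnel endpoint,
rem    all connection types, preshared key authentication only.
netsh ipsec static add rule name="Practice2 All IP PSK" policy="Practice2 Require" filterlist="Practice2 All IP" filteraction="Practice2 Require Security" conntype=all kerberos=no psk="%PSK%"

rem 6. Assign it (only one policy can be assigned at a time) and confirm. The verbose
rem    listing prints the preshared key in clear text, which is why PSK is for labs only.
netsh ipsec static set policy name="Practice2 Require" assign=yes
netsh ipsec static show policy name="Practice2 Require" level=verbose
goto :eof

:second
rem Add the preshared key to the built-in Client (Respond Only) policy's default
rem response rule, keeping Kerberos as well (the GUI "Add" button does the same), then assign.
netsh ipsec static set defaultrule policy="Client (Respond Only)" kerberos=yes psk="%PSK%"
netsh ipsec static set policy name="Client (Respond Only)" assign=yes
netsh ipsec static show policy name="Client (Respond Only)" level=verbose
goto :eof
```

Run it with `first` on the first computer and `second` on the second, then ping the first computer from the second. Changing `inpass=yes` to `inpass=no` in step 4 makes the first computer drop the initial clear-text ping instead of using it to start a negotiation, so the ping from a Respond Only peer will then fail even though both sides share the key; that is the behaviour to expect when tightening a policy for hosts that should only ever talk to peers that initiate IPSec themselves.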
Use the netsh ipsec utility.
Practice 1: Run a command prompt on a single computer running Windows Server 2003. Investigate the properties of the Secure Server (Require Security) policy by issuing the following commands:
show policy "Secure Server (Require Security)" verbose
Practice 2: Assign one of the default IPSec policies to the local policy by using the command line. Examine the default local policy and ensure that no IPSec policies are set. Assign the Secure Server (Require Security) policy by issuing the following command sequence at the command prompt:
Verify that this procedure has worked by opening the Local Security Policy Microsoft Management Console (MMC) and checking that the Secure Server (Require Security) policy is shown as assigned.
Practice 1: Open a Microsoft Management Console (MMC). Using the Add/Remove Snap-in feature, add the IP Security Monitor snap-in. Configure an IPSec policy on the server on which you are running the console. Configure a similar policy on another computer within your test domain. In the IP Security Monitor console, view the Security Associations node under the Main Mode node. Generate some Transmission Control Protocol/Internet Protocol (TCP/IP) traffic between the two computers within your test domain (ensure that at least one of them is not using the Client (Respond Only) policy, because two responders never initiate a negotiation). View information about the connections in the Security Associations node.
Practice 2: Run netsh from the command line on a computer running Windows Server 2003 and switch to the ipsec dynamic context. After you have done this, run the show config command to display the running IPSec configuration. Run the show mmsas command to view the main mode security associations.
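The following script, an added example rather than text from the training kit, strings the netsh ipsec practices above together: it exports the current policy store as a backup, assigns the built-in Secure Server (Require Security) policy, shows its properties, and then reads the dynamic (running) state that the IP Security Monitor snap-in displays. The backup file name is a placeholder chosen for this example.

```batch
@echo off
rem Added example (not from the training kit). Run as a local administrator on
rem Windows Server 2003. Do this at the console or over an IPSec-capable session:
rem assigning Secure Server (Require Security) on a remote server drops every
rem connection from a client that cannot negotiate IPSec, including your own RDP session.
setlocal

rem Back up the local policy store first so the change can be undone offline.
netsh ipsec static exportpolicy file=ipsec-before-assign.ipsec

rem Practice 2 of "Use the netsh ipsec utility": which policies exist and which is assigned?
netsh ipsec static show policy all format=table

rem Assign the built-in policy (equivalent to Assign in the MMC) and show its rules,
rem filter lists, filter actions and authentication methods (Practice 1).
netsh ipsec static set policy name="Secure Server (Require Security)" assign=yes
netsh ipsec static show policy name="Secure Server (Require Security)" level=verbose

rem Now generate traffic from a peer that has Client (Respond Only) or Server (Request
rem Security) assigned, then inspect the running state (the monitoring Practice 2):
netsh ipsec dynamic show config
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
netsh ipsec dynamic show stats

rem Leave the policy defined but not assigned when the exercise is over.
netsh ipsec static set policy name="Secure Server (Require Security)" assign=no
endlocal
```

If `show mmsas` lists no security associations after traffic has been sent, the usual causes are that both peers are Respond Only, that the peers share no authentication method, or that a firewall between them blocks IKE (UDP 500) or ESP (IP protocol 50); `show stats` distinguishes failed negotiations from traffic that never arrived. Importing the backup with `netsh ipsec static importpolicy file=ipsec-before-assign.ipsec` restores the original store.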
Implement security for wireless networks.
Practice 1: Log on to a domain controller and create a new GPO. Navigate to the Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies node. Right-click the node and then click Create A New Wireless Policy. This will launch the Welcome To The Wireless Network Policy Wizard. Continue to click Next until you reach the Properties tab. Set the Networks To Access to Access Point (Infrastructure) Networks Only.
Practice 2: Edit the properties of the wireless network policy you created in Practice 1. Click the Preferred Networks tab. Click Add. View the WEP properties (note that static WEP is cryptographically broken and should not be relied on for confidentiality; the purpose here is to see where the settings live). Select the IEEE 802.1x tab. View the different Extensible Authentication Protocol (EAP) types available by clicking the Settings button. It does not matter if you don’t actually have access to a wireless network; the purpose of this practice is to familiarize yourself with the options available in the policies.
Install and reenroll SSL certificates.
Practice 1: Install an enterprise root certification authority (CA) in your test domain. Open the CA’s Web enrollment pages by using the Web browser on another computer running Windows Server 2003, at the URL http://enterprisecaname.domain/certsrv. Once you have logged on, select the Request A Certificate option. Then submit an Advanced Certificate Request. Next, select Create And Submit A Request To This CA. In the Advanced Certificate Request form, note the various types of certificates available. In this case, request a Server Authentication certificate.
Practice 2: On the enterprise root CA in your test domain, run the Certificate Templates console. This can be done by clicking Start, clicking Run, and then typing certtmpl.msc. After you have run the Certificate Templates console, right-click the Domain Controller Authentication certificate template and click Reenroll All Certificate Holders.
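The Web enrollment pages are one way to obtain a Server Authentication certificate; the same request can be scripted with certreq.exe, which is how it is usually done on a server that has no browser session to the CA. The script below is an added example, not part of the training kit: it writes a request file for the enterprise CA’s Web Server template, submits it, installs the issued certificate in the computer store, and finally triggers autoenrollment so that a computer holding a reissued template (for example a domain controller after Practice 2’s Reenroll All Certificate Holders) picks up its new certificate. The CA name, host names and file names are placeholders chosen for this example.

```batch
@echo off
rem Added example (not from the training kit). Run as a local administrator on the
rem server that needs the certificate. CA and host names below are placeholders.
setlocal
set CA=ca01.contoso.local\Contoso Enterprise Root CA
set FQDN=web01.contoso.local

rem 1. Request parameters. MachineKeySet=TRUE puts the key in the computer store
rem    (required for IIS/SSL); Exportable=FALSE keeps the private key from being
rem    copied off the box; KeySpec=1 is a key usable for key exchange (SSL).
>  %FQDN%.inf echo [NewRequest]
>> %FQDN%.inf echo Subject = "CN=%FQDN%"
>> %FQDN%.inf echo KeyLength = 2048
>> %FQDN%.inf echo KeySpec = 1
>> %FQDN%.inf echo Exportable = FALSE
>> %FQDN%.inf echo MachineKeySet = TRUE
>> %FQDN%.inf echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
>> %FQDN%.inf echo [RequestAttributes]
>> %FQDN%.inf echo CertificateTemplate = WebServer

rem 2. Generate the key pair and the PKCS#10 request.
certreq -new %FQDN%.inf %FQDN%.req

rem 3. Submit it to the enterprise CA. The WebServer template issues immediately to
rem    accounts allowed to enroll, so the issued certificate comes straight back.
certreq -submit -config "%CA%" %FQDN%.req %FQDN%.cer

rem 4. Bind the issued certificate to the private key in the computer store and check.
certreq -accept %FQDN%.cer
certutil -store My

rem 5. For templates that autoenroll (such as Domain Controller Authentication after
rem    Reenroll All Certificate Holders), force an autoenrollment pass now instead of
rem    waiting for the next scheduled one.
certutil -pulse
endlocal
```

The request file can be kept with the server’s build documentation; `certutil -store My` shows the certificate’s thumbprint and whether a matching private key is present, which is the first thing to check when IIS refuses to bind the certificate.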
Configure remote access security.
Practice 1: Install Routing and Remote Access (RRAS) on one of your test computers running Windows Server 2003. This can be done from the Administrative Tools menu by running the Routing and Remote Access MMC. Right-click the server and then click Configure And Enable Routing And Remote Access to run the Routing And Remote Access Server Setup Wizard. Set up the RRAS server for remote access (dial-up or VPN); it doesn’t matter if you don’t have a modem installed on the server. Select the Dial-up check box. Set IP addresses to be assigned from a range, and choose a range of five free IP addresses on your network. Click Next. Let Routing and Remote Access authenticate connection
Practice 2: Install and run the Connection Manager Administration Kit (CMAK). The kit can be installed by running the Add/Remove Windows Components Wizard and selecting it under Management And Monitoring Tools. After the kit is installed, run it from the Administrative Tools menu. Create a new profile, click Next, and then give the profile the service name and file name test1. Click Next. Do not add a realm name. Click Next. Click Next again when you get to the Merging Profile Information page. Click Next on the VPN Support page. Clear the Automatically Download Phonebook Updates check box, and then click Next. On the Dial-up Networking Entries page, edit the test1<default> profile. On the Security tab, set the security setting to Use Advanced Security Settings. Configure the advanced security settings to require encryption. Clear the CHAP check box (CHAP requires the server to keep user passwords in reversibly encrypted form, which is why it is normally disabled in favor of MS-CHAP v2 or EAP). Click OK. Click OK again to return to the Dial-up Networking Entries page. Continue to click Next until the service profile is built, taking note of the different options available.
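The server-side counterpart of the two remote access practices can be set from the netsh ras context, which is useful for reproducing the wizard’s choices on further servers. The script below is an added example, not part of the training kit: it configures a static address pool as in Practice 1, has RRAS authenticate callers itself, and restricts the accepted authentication protocols so that the server matches the CMAK profile of Practice 2 (CHAP cleared, encryption required on the client). The address range is taken from the 192.0.2.0/24 documentation block as a placeholder.

```batch
@echo off
rem Added example (not from the training kit). Run as a local administrator on a
rem Windows Server 2003 computer where RRAS has already been enabled (Practice 1).
setlocal

rem Practice 1: hand out addresses from a static pool of five (placeholder range).
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.0.2.10 to=192.0.2.14

rem Practice 1: RRAS authenticates callers itself (standard mode) rather than
rem forwarding them to a RADIUS server.
netsh ras set authmode mode=standard

rem Practice 2: accept only protocols that do not expose the password. PAP and SPAP
rem send it in clear or trivially reversible form; MD5-CHAP needs reversibly
rem encrypted passwords stored in Active Directory; MS-CHAP v1 is weaker than v2.
rem (delete reports an error for a type that was not enabled; that is harmless.)
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP

rem Show what is now accepted; the list should contain only MSCHAPv2 and EAP.
netsh ras show authtype
netsh ras ip show config
endlocal
```

The encryption requirement itself is not a netsh ras setting: it lives in the remote access policy profile (Encryption tab) in the Routing and Remote Access console, where the Basic and No Encryption options should be cleared so that a client profile that merely requests encryption cannot silently negotiate down to none.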