Planning Server and Network Security: Lesson 8
Page 1: Chapter 8

Planning Server and Network Security

Lesson 8

Page 2: Chapter 8

Skills Matrix

Technology Skill | Objective Domain | Objective #
Using BitLocker | Plan server installations and upgrades | 1.1
Securing Network Access | Monitor and maintain security and policies | 3.3

Page 3: Chapter 8

Creating a Firewall Exception

Click Start, and then click Control Panel.

Double-click the Windows Firewall icon.

Click Allow a program through Windows Firewall.

Page 4: Chapter 8

Creating a Firewall Exception (cont.)

To create a program exception, click Add Program.

Select the program for which you want to create an exception from the Programs list, or click Browse to locate the program.

Page 5: Chapter 8

Creating a Firewall Exception (cont.)

Click Change Scope to limit the exception to a specific network or specific addresses.

Click OK to close the Add a Program dialog box.

To open a port, click Add Port to open the Add a Port dialog box.

Page 6: Chapter 8

Creating a Firewall Exception (cont.)

Specify a name for the port, the port number, and whether you want to allow TCP or UDP traffic using that port through the firewall.

Click Change Scope to limit the exception to a specific network or specific addresses.

Click OK to close the Add a Port dialog box.

Click OK to close the Windows Firewall Settings dialog box.
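The same port exception can be created and checked from the command line. The following is an added example, not part of the original lesson: it creates a scoped rule with `netsh advfirewall` and then lists every enabled inbound allow rule that has no scope, which is what the Change Scope step is meant to prevent. The rule name, port number, and subnet are constructed sample values, and an elevated PowerShell prompt is assumed.

```powershell
# Added example (not from the lesson). Run from an elevated PowerShell prompt.
# Constructed sample values: rule name, port and permitted subnet.
$ruleName = 'ExampleApp-TCP-8080'
$port     = 8080
$scope    = '192.168.10.0/24'

# Command-line counterpart of Add Port + Change Scope:
# allow inbound TCP 8080, but only from the sample subnet.
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    protocol=TCP localport=$port remoteip=$scope

function Get-UnscopedInboundRule {
    # Windows Firewall COM API values:
    #   Direction 1 = inbound, Action 1 = allow,
    #   RemoteAddresses '*' = any address (no scope was set).
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules | Where-Object { $_.Enabled -and $_.Direction -eq 1 } |
        Where-Object { $_.Action -eq 1 -and $_.RemoteAddresses -eq '*' }
}

# Review list: exceptions reachable from any address.
# In the Protocol column, 6 = TCP and 17 = UDP.
Get-UnscopedInboundRule | Sort-Object Name |
    Format-Table Name, Protocol, LocalPorts, ApplicationName -AutoSize

# Show the sample rule (RemoteIP should be the subnet above), then remove it.
netsh advfirewall firewall show rule name=$ruleName
netsh advfirewall firewall delete rule name=$ruleName
```

The scoped sample rule does not appear in the review list, because its remote address is the subnet rather than `*`.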

Page 7: Chapter 8

Installing BitLocker

Install the BitLocker Drive Encryption feature using the Server Manager console.

Open the Local Group Policy Editor console, browse to the Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption node, and open the Control Panel Setup: Enable advanced startup options policy.

Page 8: Chapter 8

Installing BitLocker (cont.)

Select the Enabled option, and configure the listed settings to select an operational mode.

Open the BitLocker Drive Encryption control panel, and click Turn On BitLocker for the volume you want to encrypt.

Page 9: Chapter 8

Installing BitLocker (cont.)

On the Set BitLocker startup preferences page, select an option that specifies the operational mode.

Page 10: Chapter 8

Installing BitLocker (cont.)

On the Save the recovery password page, specify where you want to store the password needed to override a locked BitLocker volume.

On the Encrypt the volume page, click Continue and restart the computer.

Page 11: Chapter 8

Assigning Standard NTFS Permissions

Click Start > Administrative Tools > Share and Storage Management.

In the detail (middle) pane, click the Shares tab.

Select the share you want to modify and, in the actions pane, select Properties.

Click the Permissions tab, and then click NTFS Permissions.

Page 12: Chapter 8

Assigning Standard NTFS Permissions (cont.)

Click Add.

In the Enter the object names to select text box, key the name of the user or group that you want to add, and click OK.

Page 13: Chapter 8

Assigning Standard NTFS Permissions (cont.)

Select the user or group you just added and, in the Permissions box, select or clear the check boxes to Allow or Deny the user any of the standard permissions.

Click OK twice to close the Permissions dialog box and the Properties sheet.

Page 14: Chapter 8

Assigning Special NTFS Permissions

Open the Properties sheet for a file, folder, or share on an NTFS drive using one of the following procedures:

Open Windows Explorer, right-click a file or folder and, from the context menu, select Properties. Then, click the Security tab.

Open the Share and Storage Management console, select a share, and click Properties. Click the Permissions tab, and then click the NTFS Permissions button.

Page 15: Chapter 8

Assigning Special NTFS Permissions (cont.)

Click Advanced.

Click Edit.

Click Add.

Page 16: Chapter 8

Assigning Special NTFS Permissions (cont.)

In the Enter the object names to select text box, key the name of the user or group you want to add, and click OK.

In the Apply To drop-down list, select which subordinate resources should receive the permissions you assign using this dialog box.

Page 17: Chapter 8

Assigning Special NTFS Permissions (cont.)

In the Permissions list, select or clear the check boxes to Allow or Deny the user any of the special permissions.

Click OK four times to close all of the dialog boxes.

Page 18: Chapter 8

You Learned

Before you consider any other security mechanisms or even operating system and application deployments, you should take steps to ensure that your servers are stored in a location that is physically secure.

Biometric identification is the process of establishing an individual’s identity based on biometric information, essentially asking the system to indicate who the person is.

Page 19: Chapter 8

You Learned (cont.)

A firewall is a software program that protects a computer by allowing certain types of network traffic in and out of the system while blocking others. A firewall is essentially a series of filters that examines the contents of packets and the traffic patterns to and from the network to determine which packets it should allow to pass through the filter.

Page 20: Chapter 8

You Learned (cont.)

The default rules preconfigured into the firewall are designed to admit the traffic used by standard Windows networking functions, such as file and printer sharing. For outgoing network traffic, Windows Firewall allows all traffic to pass the firewall except that which conforms to a rule.

Page 21: Chapter 8

You Learned (cont.)

The Windows Firewall Settings dialog box is designed to enable administrators to create exceptions in the current firewall settings as needed. For full access to the Windows Firewall configuration settings, you must use the Windows Firewall With Advanced Security snap-in for the Microsoft Management Console.

Page 22: Chapter 8

You Learned (cont.)

BitLocker Drive Encryption is a new feature, first released in Windows Vista, that makes it possible to encrypt an entire volume.

When you use Active Directory on an enterprise network, it becomes responsible for two of the most critical security concepts in computing: authentication and authorization.

Page 23: Chapter 8

You Learned (cont.)

On most networks, users identify themselves with an account name or an email address. The proof of identity can vary, however, typically taking one of three forms: something you know, something you have, or something you are.

Page 24: Chapter 8

You Learned (cont.)

To protect data stored on and transmitted over a network, computers use various types of encryption to encode messages and create digital signatures that verify their authenticity. For one computer to encrypt a message and another computer to decrypt it, both must possess a key.

Page 25: Chapter 8

You Learned (cont.)

Windows Server 2008 provides a series of password settings that you can implement using Group Policy, either locally or through Active Directory. An effective combination of password policies compels users to select appropriate passwords and change them at regular intervals.

Page 26: Chapter 8

You Learned (cont.)

Enterprise networks that use Active Directory authenticate their users with the Kerberos authentication protocol.

Authorization is the process of determining whether an authenticated user is allowed to perform a requested action.

Page 27: Chapter 8

You Learned (cont.)

Files, folders, shares, registry keys, and Active Directory objects are all protected by permissions. To store the permissions, each of these resources has an access control list (ACL). An ACL is a collection of individual permissions in the form of access control entries (ACEs).

Page 28: Chapter 8

You Learned (cont.)

Each ACE consists of a security principal (that is, the name of the user, group, or computer granted the permissions) and the specific permissions assigned to that security principal. When you manage permissions in any of the Windows Server 2008 permission systems, you are actually creating and modifying the ACEs in an ACL.
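
The ACL and ACE structure described above, and the Apply To choice from the special permissions procedure, can be seen directly in PowerShell. This is an added example, not part of the original lesson: it builds one ACE, adds it to the ACL of a scratch folder, and then lists that folder's ACEs and flags any that allow write access to a broad group. The folder path and the choice of the built-in Users group are constructed sample values.

```powershell
# Added example (not from the lesson). Works on a scratch folder only.
$folder = Join-Path $env:TEMP 'acl-demo'          # constructed sample path
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Read the folder's current ACL.
$acl = Get-Acl -Path $folder

# An ACE = security principal + permissions, plus how it is inherited.
# S-1-5-32-545 is the well-known SID of the built-in Users group.
$sid         = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$rights      = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
# ContainerInherit + ObjectInherit is "This folder, subfolders and files"
# in the Apply To drop-down list.
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow

$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, $rights, $inheritance, $propagation, $type)

# Add the ACE to the ACL and write the ACL back to the folder.
$acl.AddAccessRule($ace)
Set-Acl -Path $folder -AclObject $acl

# List every ACE now in the ACL, explicit entries first.
$aces = (Get-Acl -Path $folder).Access
$aces | Sort-Object IsInherited |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 IsInherited, InheritanceFlags -AutoSize

# Review check: Allow ACEs that give a broad group write access.
# Group names are matched as displayed on an English-language system.
$write = [System.Security.AccessControl.FileSystemRights]::Write
$aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -eq $write -and
    $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users)$'
} | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Clean up the scratch folder.
Remove-Item -Path $folder -Recurse -Force
```

The ReadAndExecute ACE added here is listed but not flagged, because it grants no write rights.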