Scenario-Based Solutions for Secure Windows Server 2003 Network Access - PowerPoint PPT Presentation

1
Scenario-Based Solutions for Secure Windows
Server 2003 Network Access
Nam Ng, Security Consultant, Microsoft
2
What We Will Cover
  • NAT (Network Address Translation), ICS (Internet
    Connection Sharing)
  • Windows Firewall and the RRAS Basic Firewall
  • Certificate-based IPSec (Internet Protocol
    Security)
  • Remote access quarantine
  • L2TP (Layer 2 Tunneling Protocol)
  • IAS (Internet Authentication Service)

3
Prerequisite Knowledge
  • TCP/IP
  • Active Directory
  • Windows Server Administration

Level 200
4
Agenda
  • Branch office Internet connectivity
  • Securing server communications
  • Securing remote access
  • Office to office VPN
  • IAS configuration

5
Business Scenario
Branch Office
Clients
Corporate Office
Windows Server 2003
Clients
Windows Server 2003
Servers
Internet
6
Branch Office Internet Access: Business Problem
  • You have a new branch office with the following
    needs
    • Internet access
    • Security from outside sources

7
Branch Office Internet Access: Solution NAT and
Firewall
  • NAT (Network Address Translation) or ICS
    (Internet Connection Sharing)
    • Provides access to the Internet from a protected
      private address range
  • Basic Firewall or Windows Firewall
    • Provides packet filtering firewall capabilities

8
Branch Office Internet Access: Solution NAT or
ICS
  • NAT (Network Address Translation)
    • Translates IP address and port number for
      outgoing and incoming traffic
    • Hides the private IP address range from the Internet
    • Can be used with DHCP or can be configured as a
      DHCP allocator
    • Can be configured to allow incoming connections to
      specified address reservations or port mappings;
      anything without a mapping is dropped
  • ICS (Internet Connection Sharing)
    • ICS is basically NAT that is easier to configure
      (also available on Windows XP)

9
Branch Office Internet Access: NAT vs ICS
  • NAT requires manual configuration of DHCP, DNS
    and RRAS
  • ICS is auto-configured and is best suited for a
    very small environment (the internal adapter is
    fixed at 192.168.0.1/24)
  • Do not use ICS on a network that
    • Uses static IP addresses
    • Uses other DNS servers, gateways, or DHCP servers

10
NAT/ICS
Diagram: client computers (192.168.1.3, 192.168.1.4, 192.168.1.5) on
the private network, the computer running NAT (internal IP 192.168.1.1,
external public IP), the Internet, and a Web server with a public IP
  • The computer running NAT changes the packet
    header and sends the packet over the Internet to
    the Web server
  • The Web server sends a reply to the computer
    running NAT
  • The computer running NAT determines the
    destination, changes the packet header, and sends
    the packet to the client
11
Branch Office Internet Access: Basic
Firewall/Windows Firewall
  • Basic Firewall
    • Configured through RRAS, per interface
    • Allows you to configure exceptions for IP
      protocols and ICMP traffic for both incoming and
      outgoing traffic
    • Server-based firewall; on a NAT public interface it
      also shields the private network behind the server
  • Windows Firewall
    • Added feature in Windows Server 2003 SP1 (the
      same firewall as Windows XP SP2)
    • Filters incoming traffic only; exceptions are per
      program or per TCP/UDP port
    • Host-based firewall for the server itself

12
Demonstration
  • NAT and Basic Firewall configuration
  • Configuring NAT and the RRAS Basic Firewall
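As an added example (not code from the original deck), the netsh commands that build what the demonstration above configures in the Routing and Remote Access snap-in: NAT on the public interface with the Basic Firewall, the DHCP allocator and DNS proxy on the private side, and one inbound port mapping. The interface names "Internet" and "LAN", the 192.168.1.0/24 range and the 192.168.1.3 web server follow the NAT diagram and are assumptions; the "full firewall" mode keyword is how Windows Server 2003 SP1 exposes the Basic Firewall in netsh, but confirm it against netsh routing ip nat add interface /? on your build.

```batch
@echo off
rem Added example, not from the original deck. Configures RRAS NAT plus the
rem Basic Firewall on a Windows Server 2003 branch router. Interface names,
rem the 192.168.1.0/24 range and the 192.168.1.3 web server are assumptions.
rem Run in a cmd prompt as an administrator after RRAS has been enabled.

rem Install the NAT routing protocol into RRAS.
netsh routing ip nat install

rem Public interface: full (address and port) translation. The "firewall"
rem suffix enables the RRAS Basic Firewall on it, so unsolicited inbound
rem packets with no NAT mapping are dropped.
rem (Assumption: verify the mode keywords with
rem  "netsh routing ip nat add interface /?" on your build.)
netsh routing ip nat add interface name="Internet" mode="full firewall"

rem Private interface: no translation, only marks it as the inside network.
netsh routing ip nat add interface name="LAN" mode=private

rem DHCP allocator: leases 192.168.1.0/24 to the branch clients with this
rem server as default gateway and DNS server (replaces a full DHCP server).
netsh routing ip autodhcp install
netsh routing ip autodhcp set global scopenetwork=192.168.1.0 scopemask=255.255.255.0 loglevel=error
netsh routing ip autodhcp set interface name="LAN" mode=enable

rem DNS proxy: forwards client name queries to the ISP DNS servers learned
rem on the public interface.
netsh routing ip dnsproxy install
netsh routing ip dnsproxy set interface name="LAN" mode=enable

rem Inbound mapping (a "reservation" in the snap-in): public TCP/80 is
rem forwarded to the internal web server. Everything else inbound is still
rem dropped by the Basic Firewall, so this is the only exposed service.
netsh routing ip nat add portmapping name="Internet" proto=tcp publicaddr=0.0.0.0 publicport=80 privateaddr=192.168.1.3 privateport=80

rem Verify: both interfaces with their modes and the port mapping are listed.
netsh routing ip nat show interface
netsh routing ip nat show global
```

Keep the port mapping list as short as the branch really needs; every mapping is a hole through the Basic Firewall straight to an internal host.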

13
Agenda
  • Branch office Internet connectivity
  • Securing server communications
  • Securing remote access
  • Office to office VPN
  • IAS configuration

14
Securing Server Communications: Business Problem
  • You need to ensure that communications between
    your public web server and your SQL Server are
    secured
  • The web server is located in a screened subnet
    and connects to the SQL Server through a firewall
  • The web server is not a member of the internal
    Active Directory forest
  • Packet filters are already configured on the
    firewall but more security is needed

15
Securing Server Communications: Certificate-based
IPSec
  • Windows Server 2003 Certificate Services
  • Configure IPSec encryption to use certificate
    authentication
  • Customize IPSec policy to encrypt only the SQL
    traffic (optional but recommended)

16
Securing Server Communications: Windows Server
2003 PKI
Certificates are an electronic credential that
authenticates a user on the Internet and intranets
Certificates
  • Securely bind a public key to the entity that
    holds the corresponding private key
  • Are digitally signed by the issuing certificate
    authority (CA)
  • Verify the identity of a user, computer, or
    service that presents the certificate
  • Contain details about the issuer and the subject

17
Securing Server Communications: IPSec
Authentication Methods
  • Kerberos (default)
    • Works for machines that are members of trusted
      Active Directory domains
  • Certificate based
    • Works for machines that have certificates from a
      selected Certificate Authority (the only option
      here, since the web server is not in the forest)
  • Preshared key
    • Not recommended because it is the least secure of
      the three methods: the key is stored in plain text
      in the IPSec policy and is shared by every peer
      that uses the policy

18
Securing Server Communications: Custom IPSec
Policies
  • Default policies include
    • Client (Respond Only)
    • Server (Request Security)
    • Secure Server (Require Security)
  • Example of a custom policy
    • Edit the Secure Server policy filters to require
      security only for communications between the IIS
      server and the SQL Server, so that other traffic
      (management, monitoring, patching) is not blocked
      when a peer cannot negotiate IPSec

19
Demonstration
  • IPSec Configuration
  • Installing the IPSec computer certificates
  • Creating the custom IPSec policy
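The custom policy from the demonstration above, expressed with netsh ipsec static so that it can be applied identically on both hosts. This is an added example, not code from the original deck: the addresses (172.16.1.10 for the IIS server in the screened subnet, 10.0.0.20 for the SQL Server), the policy and filter names, and the issuing CA name "Contoso Root CA" are assumptions. Both machines must already hold a computer certificate chained to that CA (the web server through web enrollment, since it is not domain-joined).

```batch
@echo off
rem Added example, not from the original deck. Custom IPSec policy that
rem requires ESP with certificate authentication only for TCP/1433 between
rem the IIS server and the SQL Server. Addresses, names and the CA are
rem assumptions. Run on BOTH hosts as an administrator.

set WEB=172.16.1.10
set SQL=10.0.0.20
set CA=C=US,O=Contoso,CN=Contoso Root CA

rem 1. The policy object (main mode: 3DES, SHA1, DH group 2). Not assigned yet.
netsh ipsec static add policy name="IIS-SQL" description="Require ESP for SQL traffic" mmsecmethods="3DES-SHA1-2"

rem 2. One mirrored filter: web server <-> SQL Server, TCP, any source port,
rem    destination port 1433. mirrored=yes also covers the reply direction.
netsh ipsec static add filterlist name="IIS-to-SQL"
netsh ipsec static add filter filterlist="IIS-to-SQL" srcaddr=%WEB% dstaddr=%SQL% protocol=TCP srcport=0 dstport=1433 mirrored=yes description="SQL from IIS"

rem 3. Filter action: negotiate ESP 3DES/SHA1 with no clear-text fallback
rem    (soft=no) and no unsecured inbound packets accepted (inpass=no).
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule tying filter list, action and authentication together.
rem    kerberos=no and no psk= leaves certificates as the only method;
rem    rootca names the CA whose certificates the peer must present.
netsh ipsec static add rule name="SQL-Rule" policy="IIS-SQL" filterlist="IIS-to-SQL" filteraction="Require-ESP" kerberos=no rootca="%CA%"

rem 5. Assign the policy. Only the SQL flow is affected; every other
rem    conversation of the host is untouched (no catch-all filter).
netsh ipsec static set policy name="IIS-SQL" assign=y

rem Verify: the assigned policy, and an ESP quick-mode SA once SQL traffic
rem has flowed between the two hosts.
netsh ipsec static show policy name="IIS-SQL" level=verbose
netsh ipsec dynamic show qmsas
```

Assign the policy on the SQL Server first: with soft=no, the web server will refuse to talk to SQL in clear once its own policy is active, so the order of rollout decides whether the site goes down during the change.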

20
Agenda
  • Branch office Internet connectivity
  • Securing web server communications
  • Securing remote access
  • Office to office VPN
  • IAS configuration

21
Securing Remote Access: Business Problem
  • You need to configure a secure remote access
    solution that ensures
  • Customizable control over user access
  • Prevention of invalid configurations from
    connecting

22
Securing Remote Access: Remote Access Policies
and Quarantine
  • Remote Access Policies
  • Allow robust control of remote access
  • Network Access Quarantine Control
  • Delays a full remote access connection until the
    remote access client has been examined according
    to administrator provided scripts

23
Securing Remote Access: Remote Access Policy
Evaluation
Diagram: a RAS client connects to a RAS server, which evaluates the
remote access policy and checks the user account on a Windows 2000
domain controller
  • Remote Access Conditions
    • Day and time
    • Group
    • Etc.
  • Remote Access Profile
    • Dial-in media restrictions
    • Multilink settings
    • Etc.
  • Account (dial-in properties of the user account)
    • Permissions
      • Allow
      • Deny
24
Securing Remote Access: Remote Access Policy
Evaluation (continued)
Same diagram; the account's dial-in permission can now defer to the
policy
  • Account
    • Permissions
      • Allow
      • Deny
      • Control access through Remote Access Policy
        (only in a native-mode domain)
  • Remote Access Permissions (set in the policy)
    • Allow
    • Deny
25
Securing Remote Access: Policy Behavior
  • Default Remote Access Policy
    • Essentially allows access to any user account
      that has been allowed access through its user
      account properties in Active Directory
  • Multiple policies
    • Policies are checked in priority order until the
      connection matches the conditions of one of the
      policies
    • If a connection matches the conditions of multiple
      policies, the first policy that matches is used;
      later policies are not consulted, even if the
      matching policy's permission or profile rejects
      the connection
    • If no policy matches, the connection is rejected

26
Securing Remote Access: Network Access Quarantine
  • Allows validation of the following on incoming
    remote access connections
  • Service pack version
  • Antivirus software and signatures
  • Local firewall configuration
  • Local routing disabled
  • Password protected screensaver

27
Securing Remote Access: Network Access Quarantine
Diagram: a quarantine client with a CM profile connects to a Windows
Server 2003 RAS server; the quarantine policy restricts it to the
quarantine resources while the client executes the quarantine script;
on success (OK) the restriction is lifted and the client reaches the
intranet and the Windows Server 2003 DC; on failure (X) it stays
quarantined
28
Securing Remote Access: Quarantine Configuration
  • To deploy Network Access Quarantine Control, the
    basic steps (in order) are as follows
    1. Create quarantine resources
    2. Create a script or program that validates
       client configuration
    3. Install Rqs.exe on remote access servers
       NOTE: Available through Add/Remove Programs
       (Windows Components) with Service Pack 1
    4. Create a new quarantine CM profile with
       Windows Server 2003 CMAK
    5. Distribute the CM profile for installation on
       remote access client computers
    6. Configure a quarantine remote access policy

29
Demonstration
  • Configuring VPN Quarantine
  • Configuring the Remote Access Server
  • Creating the CMAK profile
  • Testing the connection
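Step 2 of the quarantine deployment is the part the administrator has to write. As an added example (not a script from the original deck), a client-side quarantine script that performs the checks listed on slide 26 and, only if all of them pass, calls rqc.exe to tell rqs.exe on the RAS server that the client may leave quarantine. Assumptions: the CMAK post-connect custom action passes %DialRasEntry% %TunnelRasEntry% %Domain% %UserName% as the four arguments, rqc.exe is placed in the profile directory beside the script, rqs.exe listens on its default TCP port 7250, and the antivirus check is a placeholder path to be replaced with the vendor's own signature-age check.

```batch
@echo off
rem Added example, not from the original deck: quarantine.cmd, run by the
rem CM profile after the VPN connects. Arguments (assumed CMAK order):
rem   %1 = %DialRasEntry%  %2 = %TunnelRasEntry%  %3 = %Domain%  %4 = %UserName%
rem rqc.exe next to this script, rqs.exe on TCP 7250 and the antivirus
rem path are assumptions.
setlocal
set RQC_PORT=7250
set SCRIPT_VERSION=BranchQ-1.0
set AV_SIG=%ProgramFiles%\ExampleAV\signatures.dat

rem 1. Service pack: Windows XP SP2 or later (CSDVersion = "Service Pack N").
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | findstr /r /i /c:"Service Pack [2-9]" >nul
if errorlevel 1 goto :fail_sp

rem 2. Antivirus present (placeholder: replace with the vendor's check that
rem    signatures are recent, e.g. the vendor's status tool exit code).
if not exist "%AV_SIG%" goto :fail_av

rem 3. Windows Firewall must not be disabled for any profile.
netsh firewall show opmode | findstr /i /c:"Operational mode" | findstr /i "Disable" >nul
if not errorlevel 1 goto :fail_fw

rem 4. IP routing disabled: IPEnableRouter must be 0 or absent, otherwise the
rem    client could bridge the VPN into whatever network it sits on.
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v IPEnableRouter | findstr /i "0x1" >nul
if not errorlevel 1 goto :fail_route

rem 5. Password-protected screen saver for the logged-on user.
reg query "HKCU\Control Panel\Desktop" /v ScreenSaveActive | findstr /r /c:"REG_SZ.*1$" >nul
if errorlevel 1 goto :fail_ss
reg query "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure | findstr /r /c:"REG_SZ.*1$" >nul
if errorlevel 1 goto :fail_ss

rem All checks passed: notify rqs.exe on the RAS server. The script version
rem string must be listed in the server's allowed set or it is ignored.
"%~dp0rqc.exe" %1 %2 %RQC_PORT% %3 %4 %SCRIPT_VERSION%
if errorlevel 1 (
    echo Quarantine notification failed; rqc.exe returned an error.
    exit /b 1
)
echo Client passed quarantine checks; full access granted.
exit /b 0

:fail_sp
echo Service Pack 2 or later is required.
goto :quarantined
:fail_av
echo Antivirus signatures not found at "%AV_SIG%".
goto :quarantined
:fail_fw
echo Windows Firewall is disabled.
goto :quarantined
:fail_route
echo IP routing is enabled on this computer.
goto :quarantined
:fail_ss
echo A password-protected screen saver is required.
goto :quarantined

:quarantined
rem rqc.exe is NOT called, so the connection stays restricted to the
rem quarantine resources and is dropped by the RAS server when the
rem MS-Quarantine-Session-Timeout of the quarantine policy expires.
echo Connection remains in quarantine; fix the item above and reconnect.
exit /b 1
```

On the RAS server, the version string BranchQ-1.0 has to be added to the AllowedSet value under HKLM\SYSTEM\CurrentControlSet\Services\rqs, otherwise rqs.exe discards the notification. The quarantine remote access policy should also allow TCP 7250 to the RAS server in its MS-Quarantine-IPFilter attribute, or the notification can never arrive. Note what the mechanism does and does not give you: it keeps misconfigured but honest clients out, while a client that is already compromised can simply run rqc.exe itself.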

30
Agenda
  • Branch office Internet connectivity
  • Securing web server communications
  • Securing remote access
  • Office to office VPN
  • IAS configuration

31
Office to Office VPN: Business Problem
  • You want to connect the branch office through
    site to site VPN and need to ensure high security

32
Office to Office VPN: Solution L2TP VPN
  • Router-to-router VPN
    • Cost-effective solution when compared to leased
      lines
  • L2TP (Layer 2 Tunneling Protocol)
    • Utilizes IPSec encryption (DES or 3DES; choose
      3DES, as 56-bit DES is no longer considered strong)
      and computer certificates for machine-based
      authentication

33
Office to Office VPN: Windows Server 2003 L2TP
  • Windows Server 2003 supports IPSec NAT-T, which
    means that you could have your VPN servers behind
    a firewall that provides NAT
  • Windows Server 2003 also supports using preshared
    keys for authentication (not recommended for
    production use)

34
Office to Office VPN: L2TP Connection Process
Diagram: two Windows Server 2003 VPN servers (corporate office and
branch office) connected across the Internet by the L2TP/IPSec tunnel
35
Office to Office VPN: L2TP VPN Configuration
  • Install computer certificates on each of the VPN
    servers
  • Configure demand-dial interfaces
  • Configure dial-in account to be used
  • Configure packet filters on the VPN server or
    firewall depending on the environment

36
Demonstration
  • Office to Office VPN using L2TP
  • Configuring the corporate router
  • Configuring the branch router
  • Testing the connection

37
Agenda
  • Branch office Internet connectivity
  • Securing web server communications
  • Securing remote access
  • Office to office VPN
  • IAS configuration

38
IAS Configuration: Business Problem
  • You would like to configure a remote access
    server at the new branch office that is located
    in the DMZ and is not a member of the domain.
    Authentication needs to be from Active Directory

39
IAS Configuration: Solution IAS
  • An IAS (Internet Authentication Service) server
    is Microsoft's implementation of RADIUS (Remote
    Authentication Dial-In User Service)
  • Enables organizations to centralize remote access
    authentication, auditing, authorization, and
    accounting

40
IAS Configuration: What is IAS?
  • IAS, a Windows Server 2003 component, is an
    industry-standard compliant RADIUS server. IAS
    performs centralized authentication,
    authorization, auditing, and accounting of
    connections for VPN, dial-up, and wireless
    connections

You can configure IAS to support
  • Dial-up corporate access
  • Extranet access for business partners
  • Internet access
  • Outsourced corporate access through service
    providers

41
IAS Configuration: How IAS Works
Diagram: the client connects to the remote access server (the RADIUS
client), which forwards the authentication request to the IAS RADIUS
server, which in turn validates the credentials against the domain
controller
42
Demonstration
  • Configuring IAS
  • Install and configure IAS
  • Configure the RADIUS client
  • Test and verify the configuration
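The "Configure the RADIUS client" step of the demonstration above, on the RAS server side, as an added example (not code from the original deck). It points the DMZ remote access server, which is not a domain member, at the internal IAS server for both authentication and accounting, and trims the offered authentication protocols to MS-CHAPv2. Assumptions: the IAS server is 10.0.0.15, the shared secret is a placeholder, the default RADIUS ports 1812/1813 are used, and the firewall between DMZ and intranet already permits UDP 1812 and 1813 from the RAS server to 10.0.0.15.

```batch
@echo off
rem Added example, not from the original deck. Makes the DMZ RRAS server a
rem RADIUS client of the internal IAS server. IAS address, secret and ports
rem are assumptions. Run on the Windows Server 2003 RRAS server.

set IAS=10.0.0.15
set SECRET=ReplaceWithLongRandomSecret

rem Switch authentication and accounting from local Windows to RADIUS, so
rem credentials are checked against Active Directory by IAS even though
rem this server has no domain membership.
netsh ras aaaa set authentication provider=radius
netsh ras aaaa set accounting provider=radius

rem Register the IAS server for both roles. signature=enabled makes the
rem RAS server add the Message-Authenticator attribute, so IAS can check
rem that a request really comes from a holder of the shared secret and not
rem merely from the expected source IP address.
netsh ras aaaa add authserver name=%IAS% secret=%SECRET% port=1812 timeout=5 signature=enabled
netsh ras aaaa add acctserver name=%IAS% secret=%SECRET% port=1813 timeout=5

rem Authentication protocols offered to dial-in/VPN clients: MS-CHAPv2 only.
rem PAP sends the password in clear and MD5-CHAP/SPAP/MS-CHAPv1 need
rem reversibly stored or weakly protected credentials.
netsh ras set authmode standard
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP
netsh ras add authtype type=MSCHAPv2

rem Verify the provider, the configured servers and the protocol list.
netsh ras aaaa show authentication
netsh ras aaaa show accounting
netsh ras aaaa show authserver
netsh ras show authtype
```

On the IAS side, add the RAS server as a RADIUS client in the Internet Authentication Service snap-in with the same secret and "Request must contain the Message Authenticator attribute" ticked, and register the IAS server in Active Directory (netsh ras add registeredserver on a domain member) so it may read users' dial-in properties; the remote access policies then live on IAS, not on the DMZ server.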

43
Session Summary
  • Windows Server 2003 RRAS is a very capable
    solution to many networking problems
  • Network access quarantine is a great tool to help
    protect your network from unwanted threats
  • Certificates can be used with custom IPSec
    policies as well as L2TP VPN connections to
    greatly enhance security

44
For More Information
  • Visit TechNet at www.microsoft.com/technet
  • See the URL below for additional information
    including
  • books and courses
  • community resources
  • streamed and downloadable media versions of this
    session

www.microsoft.com/technet/tnt1-158
45
  • TechEd Hong Kong 2005 is coming!
  • October 4-6, Hong Kong Convention Exhibition
    Centre
  • Free of charge to all Macau customers if you
    register today!
  • www.microsoft.com/hk/teched2005

46
http://jo-san.it
  • Hang out and meet other IT Professionals
  • Hear about the latest IT Professional news and
    gossip
  • Get tips and ideas
  • Share technical know-how with others
  • Blogs