Tuesday, June 30, 2009

Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy

Network Access Protection is a new technology included with Windows Server 2008 that allows you to control which machines are allowed to connect to other machines on your network. Network Access Protection (or NAP) lets you define system health policies that must be met before a machine is allowed network access. If a machine meets the requirements in the network access policies, it is allowed on the network. If not, the machine may be prevented from connecting to any machine on the network, or you might configure policies that allow it to connect only to remediation servers, so it can repair itself and try to connect to the network again after remediation.

There are a number of ways you can enforce a NAP policy. The simplest method is NAP with DHCP enforcement. Unfortunately, this is also the least secure method, since a user can manually configure an IP address on a machine and bypass DHCP policy enforcement entirely. The most secure method of NAP enforcement is IPsec. With IPsec enforcement, a machine that is compliant with the NAP access policy is issued a health certificate that allows it to establish protected IPsec connections to the other machines participating in the NAP "virtual" network. Unfortunately, NAP with IPsec enforcement is also the most complex design.

NAP by itself is an extremely complex technology with hundreds of "moving parts". If you misconfigure any of them, the deployment will fail, and it can take quite a while to figure out what went wrong. When you add IPsec enforcement there are even more moving parts, and troubleshooting becomes even more difficult. Keep this in mind when setting out on a NAP deployment.

So, with all this talk of complexity and countless "moving parts", it might sound like I'm trying to dissuade you from implementing NAP with IPsec policy enforcement. No! That's not true. I just want you to know that it is a complicated technology and design, and that you should be patient with your testing and deployment. The more time you spend testing and understanding how the solution works, the better the chance that your deployment will be a success.

NAP with IPsec policy enforcement is a very powerful way of deploying your NAP solution. You actually get two solutions in one: first, you get the NAP network access control that lets you block unhealthy machines from connecting to your network, and second, you get the power of IPsec domain isolation, which prevents rogue machines from connecting to your network at all. NAP with IPsec domain isolation allows you to create a "virtual network" within the confines of your physical networks. Machines in the IPsec "virtual network" can be on the same network segment or VLAN as everything else, but they are logically segmented from other machines by IPsec. Machines without IPsec health certificates will be unable to communicate with healthy
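As an added example that is not part of the original post, here is how the isolation policy described above is expressed on a Windows Server 2008 machine with netsh advfirewall consec, the command-line equivalent of the Connection Security Rules node in Windows Firewall with Advanced Security. In production these rules are normally delivered by Group Policy; creating them locally is useful on a test machine. The rule names, the CA subject and the address of the HRA/remediation server are hypothetical, and the option spellings follow the netsh advfirewall consec syntax on Windows Server 2008 (confirm them on your build with `netsh advfirewall consec add rule ?`).

```powershell
# Added example, not from the original post. Creates the NAP/IPsec domain-isolation policy
# locally with netsh (the same settings would normally come from a Group Policy object).
# Hypothetical values: rule names, the CA subject, and the HRA/remediation server address.
$NapCA        = "CN=Contoso NAP CA"   # CA that issues health certificates (assumption)
$BoundaryHost = "10.0.0.20"           # HRA / remediation server reachable without IPsec (assumption)

# 1. Protected machines require IPsec inbound and request it outbound (requireinrequestout).
#    A peer that cannot present a health certificate cannot open an inbound connection to a
#    protected machine; that is the "virtual network" described above.
#    auth1healthcert=yes accepts only certificates carrying the System Health Authentication EKU,
#    so an ordinary machine certificate from the same CA is not enough.
netsh advfirewall consec add rule `
    name="NAP Domain Isolation" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computercert `
    auth1ca="$NapCA" `
    auth1healthcert=yes `
    profile=domain

# 2. Exemption: a noncompliant client has no certificate yet, so the HRA and remediation servers
#    must stay reachable in the clear or nobody could ever become compliant. Domain controllers,
#    DNS and DHCP typically need the same treatment.
netsh advfirewall consec add rule `
    name="NAP Boundary Exemption" `
    endpoint1=any "endpoint2=$BoundaryHost" `
    action=noauthentication `
    profile=domain

# 3. Verify: list the rules, then the main-mode and quick-mode security associations that form
#    once a healthy peer talks to this machine. No SAs after traffic is the first thing to check
#    when troubleshooting (usually no health certificate, wrong CA, or the rule not applied).
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The exemption rule is the part people forget: without it the isolation rule is self-defeating, because the only path to compliance runs through a server the client is no longer allowed to reach.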

Monday, June 29, 2009

What is Internet Protocol security (IPsec)

IPsec (Internet Protocol Security) is a set of security standards designed by the Internet Engineering Task Force (IETF) to provide end-to-end protection of IP traffic, and it is the most widely used standard for securing data on a network. IP itself only carries packets from source to destination; IPsec adds authentication, integrity and, optionally, confidentiality to those packets. Implementing it allows your enterprise to transport data across an untrusted network such as the Internet while preventing attackers from corrupting, stealing, or spoofing your communication. As part of a continuing effort by Microsoft to move toward industry security standards, Windows Server makes IPsec easier to configure.

IPsec secures packets at the network layer, so it protects any upper-layer protocol without changes to the applications. It provides end-to-end encryption as well as other access protections for secure networking: data is encrypted at the source and decrypted at the destination. For example, IPsec can provide end-to-end security in client-to-server, server-to-server, and client-to-client configurations using transport mode. IPsec also delivers machine-level authentication and encryption for VPNs based on the Layer 2 Tunneling Protocol (L2TP/IPsec). Note that IPsec must be configured on both sides of a connection with compatible policies; a peer that requires IPsec cannot communicate with a peer that has no matching policy.

IPsec is a suite of protocols that provides strong integrity protection, authentication, and optional confidentiality and replay protection. The IPsec protocols encompass the packet formats, the key exchange (IKE), and the transforms (cryptographic algorithms) defined by the IETF.

IPsec uses two packet formats, identified by their IP protocol number:

IP Protocol 50: the "Encapsulating Security Payload (ESP)" format. It provides confidentiality, authenticity, and integrity of the payload.

IP Protocol 51: the "Authentication Header (AH)" format. It provides authenticity and integrity, including of the outer IP header, but no confidentiality. Because AH covers the IP header, it cannot pass through NAT; ESP can.

IPSec Modes
IPSec operates in two modes, which are defined as follows:

Transport Mode: In this mode, AH and ESP protect only the transport-layer payload, and the original IP header is kept. Transport mode is used for end-to-end communication between the source and destination computers.

Tunnel Mode: IPsec is used in tunnel mode when the final destination of the packet differs from the point where the security terminates. The whole original packet is encapsulated in a new IP packet. This mode is used when the security is provided by a device that did not originate the packets, such as a VPN gateway or a router forwarding traffic on behalf of a site.

IPSec Encryption:
The ESP protocol provides data confidentiality by encrypting the payload between source and destination. In the Windows Server release the source article describes, IPsec encryption is either DES (Data Encryption Standard, a 56-bit key) or 3DES (Triple DES, three 56-bit keys, 168 bits of key material). 3DES is the usual choice of the two because single DES is far too weak today; 3DES is itself only about 112 bits of effective strength and is slow. Windows Vista and Windows Server 2008 also support AES with 128-, 192- and 256-bit keys, which should be preferred wherever both peers support it.

What ESP and AH define is an open framework of packet header formats and processing rules that leaves the transforms unspecified. This is why the cryptographic algorithms can be replaced as older ones become relatively weaker and less secure, without changing the protocol itself.
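The paragraphs above describe the framework; the following added example (not from the source article) shows what selecting the transforms looks like in practice on Windows Server 2008, where both the IKE main-mode proposal and the per-rule quick-mode (ESP/AH) proposal are set with netsh advfirewall. The rule name and endpoint addresses are hypothetical, and the option spellings follow the netsh advfirewall syntax on that release (check with `netsh advfirewall set global ?` and `netsh advfirewall consec add rule ?`).

```powershell
# Added example, not from the source article. Replaces the DES/3DES era defaults with AES on a
# Windows Server 2008 machine and then shows which transform the peers actually negotiated.
# Hypothetical values: rule name and endpoint addresses.

# Main mode (IKE phase 1): protects the key exchange itself. Order is preference order;
# DES and Diffie-Hellman group 1 are deliberately left out, 3DES is kept last for old peers.
netsh advfirewall set global mainmode mmsecmethods dhgroup14:aes256-sha1,dhgroup14:aes128-sha1,dhgroup2:3des-sha1

# Quick mode (the IPsec SA): the per-packet transform, i.e. the ESP/AH choice from the text.
# ESP with AES gives confidentiality plus integrity; AH would also cover the IP header but
# cannot cross NAT. "+60min+100000kb" is the SA lifetime, so keys rotate by time and by volume.
netsh advfirewall consec add rule `
    name="Server-to-server ESP AES" `
    endpoint1=10.0.1.10 endpoint2=10.0.1.20 `
    action=requireinrequireout `
    mode=transport `
    auth1=computerkerb `
    qmsecmethods=esp:sha1-aes256+60min+100000kb,esp:sha1-aes128+60min+100000kb,esp:sha1-3des+60min+100000kb

# Verify the negotiated proposal rather than trusting the policy text: the qmsa listing shows
# the encryption and integrity algorithm in use for each security association.
netsh advfirewall monitor show qmsa
```

`requireinrequireout` is the strict server-to-server setting: if the two machines cannot agree on one of the listed proposals, nothing flows, which is exactly the "must be configured on both sides" point made above.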


Source: http://www.informit.com/guides/content.aspx?g=security&seqNum=24

Friday, June 26, 2009

Active Directory Auditing in Windows Server 2008

In earlier versions of the Windows operating system (OS), the features available to enable and monitor auditing for Active Directory (AD) have been relatively limited. Nine general categories of auditing have traditionally been available, all of which result in a fairly coarse level of logging to the Windows Security Event Log. Because there are only a small number of categories, enabling logging produces a large amount of extra data that must be managed in order to capture the actions of interest. At the same time, auditing requirements brought about by industry and governmental compliance regulations have increased the need for effective and consistent logging in many network environments.

With Microsoft's release of Windows Server 2008, audit logging gains new levels of granularity through configurable event categories and subcategories, while a new Windows Event Log improves the process of filtering for and locating events of interest. AD itself gains four new logging subcategories that assist with the monitoring of configuration changes and replication in addition to object access.

The following paragraphs discuss the new audit capabilities specific to AD gained through an upgrade to Windows Server 2008, with guidance for the administrator on making the best use of AD's new auditing features.

Enabling Auditing in Windows Server 2008:
The method of enabling auditing in Windows Server 2008 is comparatively unchanged from previous OS versions. Enabling basic auditing of AD events on domain controllers is most often performed using Group Policy, through modification of the Default Domain Controllers Policy. Enabling auditing in this manner ensures that auditing settings are configured consistently across all domain controllers. Figure 1 shows a configured policy as seen within the Group Policy Management Editor.

Windows Server 2008 New Auditing Subcategories:
The problem with these nine categories in previous versions of the Windows OS was that they didn't provide the level of granularity needed by many administrators. Enabling the Audit account management category turned on auditing for all types of account management activity. If you were interested only in auditing user account management and had no interest in computer account management, you were stuck wading through the extra data associated with its Event Log entries.

With Windows Server 2008, the original nine categories are broken into 50 audit policy subcategories. These subcategories allow precise control over the types of events logged to the Security Event Log. Each subcategory maps back to one of the original nine categories; the four AD-specific ones (Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication) all sit under DS Access. As you'll learn, knowing the name of each subcategory and its relation to its category matters for the command-line tool, auditpol.exe, used to enable them.
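As an added example (not part of the source article), here is the auditpol-based equivalent of the Group Policy approach for the DS Access subcategories, together with a check that the effective policy matches what was requested. It assumes an elevated PowerShell 2.0 prompt on a Windows Server 2008 domain controller and relies on the CSV output of `auditpol /get ... /r`, whose columns include "Subcategory" and "Inclusion Setting"; the desired settings are an illustrative choice.

```powershell
# Added example, not from the source article. Sets the four Windows Server 2008 DS Access
# subcategories with auditpol.exe, verifies the effective policy, and pulls recent AD events.
# Assumes an elevated prompt on a DC and auditpol's CSV (/r) columns "Subcategory" and
# "Inclusion Setting". The chosen settings are illustrative.

# Success auditing of the replication subcategories floods the log on any replicating DC,
# so only failures are kept there; object-level activity goes to Access and Changes.
$desired = @{
    "Directory Service Access"               = "Success and Failure"
    "Directory Service Changes"              = "Success and Failure"
    "Directory Service Replication"          = "Failure"
    "Detailed Directory Service Replication" = "No Auditing"
}

# Subcategory settings are ignored while the legacy nine-category policy may override them.
# This registry value is what the GPO setting "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" controls.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

foreach ($sub in $desired.Keys) {
    switch ($desired[$sub]) {
        "Success and Failure" { $s = "enable";  $f = "enable"  }
        "Success"             { $s = "enable";  $f = "disable" }
        "Failure"             { $s = "disable"; $f = "enable"  }
        default               { $s = "disable"; $f = "disable" }
    }
    auditpol /set "/subcategory:$sub" "/success:$s" "/failure:$f" | Out-Null
}

# Read the effective policy back and report any subcategory that does not match.
function Get-DsAuditDrift {
    $rows = auditpol /get /category:"DS Access" /r | ConvertFrom-Csv
    foreach ($row in $rows) {
        $name = $row.Subcategory
        if ($desired.ContainsKey($name) -and $row."Inclusion Setting" -ne $desired[$name]) {
            New-Object PSObject -Property @{
                Subcategory = $name
                Expected    = $desired[$name]
                Actual      = $row."Inclusion Setting"
            }
        }
    }
}
Get-DsAuditDrift

# Directory Service Changes events: 5136 modified, 5137 created, 5139 moved, 5141 deleted;
# Directory Service Access is 4662. All of them still need a SACL on the object involved.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4662, 5136, 5137, 5139, 5141 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

An empty result from Get-DsAuditDrift means the policy took effect; a row for every subcategory usually means SCENoApplyLegacyAuditPolicy was not set, so the category-level settings from the Default Domain Controllers Policy silently won.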


Source: http://cc.realtimepublishers.com/tips/understanding-active-directory-auditing-in-windows.php

Thursday, June 25, 2009

HOW TO Audit Active Directory Objects in Windows Server 2003

Auditing in Windows Server 2003 is an important feature: it lets you track both user activities and Windows Server 2003 activities, which are called events, on a computer. When you use auditing, you can specify which events are written to the Security log.

An audit entry in the Security log contains the following information:
* The action that was performed.
* The user who performed the action.
* The success or failure of the event and the time that the event occurred.

The audit policy setting defines the categories of events that Windows Server 2003 logs in the Security log on each computer. The Security log makes it possible for you to track the events that you specify.

When you audit Active Directory events, Windows Server 2003 writes an event to the Security log on the domain controller. For example, if a user tries to log on to the domain with a domain user account and the logon attempt fails, the event is recorded on the domain controller and not on the computer where the logon attempt was made. This is because it is the domain controller that tried to authenticate the logon attempt but could not do so.

To enable auditing of Active Directory objects:
* Configure an audit policy setting for a domain controller. When you configure an audit policy setting, you can audit objects but you cannot specify the object you want to audit.
* Configure auditing for specific Active Directory objects. After you specify the events to audit for files, folders, printers, and Active Directory objects, Windows Server 2003 tracks and logs these events.

How to Configure an Audit Policy Setting for a Domain Controller:
By default, auditing is turned off. For domain controllers, an audit policy setting is configured for all domain controllers in the domain. To audit events that occur on domain controllers, configure an audit policy setting that applies to all domain controllers in a non-local Group Policy object for the domain. You can access this policy setting through the Domain Controllers organizational unit. To audit user access to Active Directory objects, configure the Audit Directory Service Access event category in the audit policy setting.

NOTES:

* You must hold the Manage Auditing And Security Log user right on the computer where you want to either configure an audit policy setting or review an audit log. By default, Windows Server 2003 grants this right to the Administrators group.
* The files and folders that you want to audit must be on Microsoft Windows NT file system ( NTFS) volumes.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. Right-click Domain Controllers, and then click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
6. In the right pane, right-click Audit Directory Services Access, and then click Properties.
7. Click Define These Policy Settings, and then click to select one or both of the following check boxes:
Success: Click to select this check box to audit successful attempts for the event category.
Failure: Click to select this check box to audit failed attempts for the event category.
8. Right-click any other event category that you want to audit, and then click Properties.
9. Click OK.
10. Because the changes that you make to your computer's audit policy setting take effect only when the policy setting is propagated or applied to your computer, complete either of the following steps to initiate policy propagation:

Type gpupdate /Target:computer at the command prompt, and then press ENTER.
Wait for automatic policy propagation, which occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes on domain controllers.

11. Open the Security log to view logged events.

Note: If you are either a domain or an enterprise administrator, you can enable security auditing for workstations, member servers, and domain controllers remotely.

Configure Auditing for Specific Active Directory Objects:
After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit. To configure auditing for specific Active Directory objects:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Make sure that Advanced Features is selected on the View menu by making sure that the command has a check mark next to it.
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add.
6. Complete one of the following:
Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then click OK.

In the list of names, double-click either the user or the group whose access you want to audit.

7. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
8. Click OK, and then click OK.
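The eight GUI steps above set a system access control list (SACL) on one object. As an added example that is not part of the Microsoft KB article, the following script does the same thing through ADSI and the System.DirectoryServices classes, which is what you want when the same audit entry has to land on many OUs. The OU distinguished name and the audited principal are hypothetical. It only produces events if the "Audit directory service access" policy from the first procedure is already enabled, and it needs the Manage Auditing And Security Log right mentioned in the notes, because reading or writing a SACL requires that privilege.

```powershell
# Added example, not from the KB article: set and read back an audit entry (SACL) on an AD
# object with System.DirectoryServices. Hypothetical values: the OU path and the principal.
# Requires the "Manage auditing and security log" right (SeSecurityPrivilege).
param(
    [string]$ObjectDN  = "OU=Finance,DC=contoso,DC=com",   # hypothetical target object
    [string]$Principal = "Everyone"                        # whose access is audited
)

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ObjectDN")

# By default ADSI fetches only owner, group and DACL. The SACL is neither read nor written
# unless it is requested explicitly, and this has to happen before ObjectSecurity is touched.
$entry.Options.SecurityMasks = "Owner,Group,Dacl,Sacl"

# Audit successful and failed writes and deletions by the chosen principal, inherited by
# every object below the OU (the same choices the Auditing tab offers in the GUI).
$identity = New-Object System.Security.Principal.NTAccount($Principal)
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor `
            [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor `
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$flags    = [System.Security.AccessControl.AuditFlags]::Success -bor `
            [System.Security.AccessControl.AuditFlags]::Failure
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($identity, $rights, $flags, $inherit)
$entry.ObjectSecurity.AddAuditRule($rule)
$entry.CommitChanges()          # nothing is written to the directory until this call

# Read the SACL back (explicit and inherited entries) to confirm what will actually be audited.
$entry.RefreshCache()
$entry.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited
```

A common mistake is auditing GenericAll for Everyone "to be safe"; on a busy OU that generates an event for every read and makes the Security log useless. Audit the rights that matter for the object, and keep the read-back step so you see the inherited entries your new rule is added to.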


Source: http://support.microsoft.com/kb/814595

Wednesday, June 24, 2009

Microsoft offers server targeted at small businesses

Microsoft is offering a stripped-down version of its Server 2008 product, and partnering with HP to supply the hardware that will run it. For a small office in Toronto, it offers cost savings while continuing to provide the core services a business needs to get the job done.

A new, stripped-down version of Microsoft Windows Server 2008 is being marketed as an ideal first server for a small business or branch office by Microsoft and its hardware partner Hewlett-Packard. Windows Server 2008 Foundation edition launched in April, but HP was the first to bring it to the Canadian market in May, with two lines of server hardware supporting the bare-bones operating system.

Microsoft is targeting the small business market with a low price point that requires less expensive hardware. The server offers all the functions a small office might require, such as file and printer sharing and remote desktop connections. It supports up to 15 users and there is no need to buy client access licenses, says the product manager for Windows Server at Microsoft Canada.

"It is the core of Windows Server 2008, and it's giving a small business the foundation they need," she says. It doesn't come with Hyper-V; server virtualization is not a key priority for a really small business, especially when this is probably their first server.

Foundation runs only on 64-bit (x64) hardware and doesn't support 32-bit (x86) systems. It allows 50 network access connections through RRAS and 10 through IAS, compared to 250 and 50 connections respectively on the Standard edition. It also allows 50 connections through Terminal Services Gateway instead of 250.

Hewlett-Packard is offering two lines of server hardware that support Foundation: the HP ProLiant ML series tower servers and the ProLiant DL series rack-optimized servers. "This solution is perfect for the small business or home office environment, and that's the market we're going after," says the product manager for HP ProLiant. "Small businesses demand the same stuff that our large ones do. Security, reliability, stability, it's all here."


Source: http://www.itbusiness.ca/it/client/en/home/News.asp?id=53498

Tuesday, June 23, 2009

What Windows 7 and Server 2008 R2 can do for your business

With Microsoft Windows 7 and Windows Server 2008 R2 at the release candidate stage and getting close to general availability, it's a good time to sort out the likely benefits these two new operating systems will have for your enterprise.

First, familiarize yourself with the new features of each product, then identify where in your infrastructure you need improvements, and then do a return-on-investment analysis. After that, decide which of the new features could potentially solve your current problems.

Microsoft can't provide a simple answer that solves everyone's problems, but we can look at some key features in both products and explain how they might benefit a given environment.

Some new features in Windows 7 and Windows Server 2008 R2 are only available if the enterprise uses both operating systems together. Remember that Windows 7 and Windows Server 2008 R2 are developed from the same code base. Server 2008 R2 is a new OS and not a service pack for 2008; at the time of writing, before release, no upgrade path from 2008 to 2008 R2 had been announced. In addition, R2 is only available on x64 platforms. Windows 7 does have an upgrade path from Vista, but it has new features of its own.

The headline features of these new products are DirectAccess and BranchCache. Both of these features require Windows 7 clients and a 2008 R2 server.

DirectAccess is a networking feature that provides improved remote access for remote users. Once it's set up, it eliminates the tedious procedure of starting a VPN connection and logging on to get access to corporate network resources. In addition, managing remote clients is easier for IT staff: because DirectAccess does not depend on a user-initiated VPN connection, a client is reachable from the intranet whenever it has Internet connectivity, which makes patch and antivirus definition management of all clients easier.


Source: http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1359267,00.html

Monday, June 22, 2009

Windows Server Operating System Performance information

Power-efficient hardware and software reduces operational costs and directly affects an organization's bottom line. We are in the midst of developing Windows Server 2008 R2, and one of our goals for the product is to build a server operating system that is more power efficient than all of our previous releases. Furthermore, to help IT administrators better understand server power management and optimize their current Windows Server 2008 installations, we're releasing a comprehensive white paper called "Power In, Dollars Out: Reducing the Flows in the Data Center" today. The white paper gives detailed explanations of many factors affecting server power efficiency, and contains a list of best practices for optimization.

The best first step is to properly configure the Windows Server 2008 processor power management (PPM) features, because simply turning on PPM in the operating system can decrease power consumption by about 20%. In Windows Server, this is done by choosing the Balanced or Power Saver power plan (found in the Power Options applet in Control Panel). PPM is a complex technology with many more knobs than a simple on/off switch. We've done quite a bit of work on the Windows Server PPM algorithms and parameters during R2 development. One result of this work was a set of parameters that can boost power efficiency by up to 10% on typical workloads.

You don't need to wait for R2 to deploy these new parameters on your servers. The source post describes the PPM technology, explains the parameters involved, and shows test results for the parameter changes on a commodity server. It also gives a command-line walkthrough of the powercfg.exe commands needed to implement the changes in your environment.

Power management needs cooperation between the hardware and the operating system to work properly. The hardware might support low-power states, but the operating system schedules the work and is in the best position to decide when low-power states can be used. The Advanced Configuration and Power Interface (ACPI) defines the interface between the operating system and the server hardware that is used for this purpose.
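Since the post refers to a powercfg.exe walkthrough without reproducing it, here is an added example (not from the original post) of the plan and processor-state changes from the command line on Windows Server 2008. The scheme and setting GUIDs are the well-known powercfg identifiers for the Balanced plan and the processor power management group; the 5% minimum processor state is an illustrative value, not a parameter from the white paper.

```powershell
# Added example, not from the original post. Activates the Balanced plan, lowers the minimum
# processor state so PPM can use the lower performance states, and reads the result back.
# GUIDs are the standard powercfg identifiers; the 5% floor is an illustrative choice.

$Balanced     = "381b4222-f694-41f0-9685-ff5bb260df2e"   # Balanced power plan
$SubProcessor = "54533251-82be-4824-96c1-47b60b740d00"   # "Processor power management" subgroup
$MinProcState = "893dee8e-2bef-41e0-89c6-b55d0929964c"   # "Minimum processor state" (%)
$MaxProcState = "bc5038f7-23e0-4960-96da-33abaf5935ec"   # "Maximum processor state" (%)

function Get-ActivePowerScheme {
    # "powercfg -getactivescheme" prints: Power Scheme GUID: <guid>  (<name>)
    $text = powercfg -getactivescheme | Out-String
    if ($text -match '([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\s+\((.*)\)') {
        New-Object PSObject -Property @{ Guid = $Matches[1]; Name = $Matches[2] }
    }
}

# Where we start (High performance pins the CPU at its top P-state and wastes the PPM savings).
Get-ActivePowerScheme

# Switch to Balanced and let the processor drop to 5% of maximum on AC power. Servers run on AC;
# -setdcvalueindex would be the battery side and is irrelevant here.
powercfg -setactive $Balanced
powercfg -setacvalueindex $Balanced $SubProcessor $MinProcState 5
powercfg -setacvalueindex $Balanced $SubProcessor $MaxProcState 100
powercfg -setactive $Balanced        # re-activate so the new index values are applied

# Verify: the active plan and the effective processor settings of that plan.
Get-ActivePowerScheme
powercfg -query $Balanced $SubProcessor
```

Measure before and after with the same workload; the percentage gains quoted above come from the white paper's test setup, and a server that is already idle most of the day will show less.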


source: http://blogs.technet.com/winserverperformance/archive/2008/12/04/configuring-windows-server-2008-power-parameters-for-increased-power-efficiency.aspx