Chapter 3: Configuring Network Access

This chapter covers a range of topics that Microsoft’s preparation guide for exam 70-642 groups under network access, from installing and configuring the role services available with the Network Policy and Access Services server role to configuring wireless access and the Windows Firewall with Advanced Security. Some of the tools and management techniques presented in this chapter are typically associated with client computers rather than servers; however, everything here is listed as part of the exam in the preparation guide.

You will learn how to implement more secure network access by deploying Network Access Protection (NAP), strong authentication, and encryption of data in transit on wireless networks. You will see how to use NAP and the firewall to protect the computers you manage from network worms accidentally introduced into the environment by mobile employees and visitors. You will find out how to lower the risk of intruders breaking into wireless networks or eavesdropping on wireless traffic by implementing the network security technologies included with Windows Server 2008. In this chapter you will be taught to:

  • Configure Remote Access
  • Configure Network Access Protection (NAP)
  • Configure Network Authentication
  • Configure Wireless Access
  • Configure Firewall Settings


Configure Remote Access

Remote access refers to a service provided to employees who need to connect to the internal network while away from the office. There are many forms of remote access available. Using a modem to connect directly to a server that hosts a pool of modems was the most popular remote access solution for many years. Traditional virtual private networks (VPNs), in which a remote client establishes an encrypted tunnel with the VPN server, grew in popularity as Internet connectivity became ubiquitous. A more recent approach that simplifies, or in some cases eliminates, the need to deploy client software is the Secure Sockets Layer (SSL) VPN. Microsoft’s implementation of SSL VPN is the Secure Socket Tunneling Protocol (SSTP), a feature included in Windows Server 2008 and Intelligent Application Gateway (IAG) 2007. As with many other technologies included with Windows Server 2008, remote access settings are configured on both clients and servers.

Configuring Remote Access Clients

To configure a new dial-up or VPN connection open Network and Sharing Center from Control Panel, then click Set up a connection or network in the Tasks list. You will see three connection options: the Internet, dial-up, and workplace. When configuring servers you would normally only use the third option, in order to connect one server to another. The first one, Connect to the Internet, is a consumer-oriented wizard to help people connect their computer to a wireless network, Digital Subscriber Line (DSL), or a cable modem. The second is also designed for home users, to help them configure a dial-up connection to their Internet Service Provider (ISP). When you choose the third option and click Next you can choose either a VPN or a dial-up connection.

Configuring a VPN Connection

If you choose Use my Internet connection (VPN) you will be prompted to enter the address of the VPN server, as shown in figure 1. You can enter the fully qualified domain name (FQDN) or IP address of the VPN server. The other settings are optional. It’s a good idea to enter something descriptive for the destination name. Allowing other people to use the connection has security implications: the profile is stored in the all-users phonebook and is available to anyone who logs on to the computer, and if you also save the username and password, any local user can connect to the VPN as that account. When you click Next you have the option of entering the username, password, and domain name; click Create when finished.

Figure 1: Creating a VPN Connection.

To connect to the VPN click Connect to a network in Network and Sharing Center. Select the desired connection from the list and click Connect. You may be prompted to specify a username or password depending on whether you saved that information with the connection. To modify a connection click Manage network connections in Network and Sharing Center, right-click on the desired connection, and click Properties. Click on the Security tab, then enable Advanced and click Settings, as shown in figure 2.

Figure 2: Configuring Connection Security.

You use the Advanced Security Settings dialog box to configure data encryption and authentication security, as shown in figure 3. Here you can specify whether to refuse to encrypt, offer to encrypt, or require encryption for the connection. You can specify authentication protocols such as Challenge Handshake Authentication Protocol (CHAP) and Microsoft CHAP Version 2 (MS-CHAP v2). These authentication settings are discussed later in this chapter, in the section called Configure Network Authentication.

Figure 3: Configuring Advanced Security for a Connection.

Configuring a Dial-Up Connection

If you choose Dial directly you will be prompted to enter the telephone number of the remote access server, as shown in figure 4. The rest of the optional settings are identical to those available for VPN connections, as described above.

Figure 4: Creating a Dial-Up Connection.

As with a VPN connection, you can modify the properties of a dial-up connection after creating it. Many of the same options are available, but there are additional ones specific to dial-up networking, such as prompting for the phone number and showing a terminal window after the initial connection to allow the user to interact directly with the remote access server. If you choose to run a script as part of the connection, as shown in figure 5, you can customize how the client will interact with the server. Windows Server 2008 includes a couple of demonstration scripts, one for connecting to CompuServe (cis.scp) and another for negotiating a Point-to-Point Protocol (PPP) menu presented by the server (pppmenu.scp). I do not think that you need to memorize the syntax used in the scripts for the exam, but you should understand how they can be used.

Figure 5: Configuring a Script for a Dial-Up Connection.

Connecting to a Remote Network Using a Command Prompt

Use the rasdial utility to manage dial-up and VPN connections from a command prompt. Run with no arguments it lists the connections that are currently active.

rasdial <profilename> [<user name> [<password>|*]] [/domain:<domain>] [/phone:<phonenumber or address>] [/callback:<callbacknumber>] [/phonebook:<filename>] [/prefixsuffix]

rasdial <profilename> /disconnect

profilename – The profile name for the connection.

user name, password – The user name and password for the connection. If an asterisk is specified for the password the user will be prompted to provide it; prefer this in scripts, because a password given on the command line is visible in the process list and in command history.

/domain: – The domain where the account is located.

/phone: – The phone number, FQDN, or IP address of the remote access server.

/callback: – If a callback number is required for the connection, use this option to specify it. This option is only used for dial-up connections.

/phonebook: – The path and name of the file that contains the profile.

/prefixsuffix – Use this option to apply the dialing location rules to the phone number; these are optional settings configured in Phone and Modem Options in Control Panel. This option is only used for dial-up connections.

/disconnect – Hangs up the named connection.
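The following PowerShell script is an added example and is not part of the original chapter: it wraps rasdial so that a script can bring a VPN profile up, verify that the profile is really listed as active before using it, and always hang up afterwards. The profile name "Corp VPN", the account and the domain are assumptions for a lab; the functions themselves only rely on rasdial’s documented behaviour (the `*` password prompt, the exit code being the RAS error number, and the no-argument listing of active connections).

```powershell
# Added example (not from the original chapter): a thin, checked wrapper around
# rasdial. Assumed: a phonebook entry named "Corp VPN" already exists.

function Connect-RasProfile {
    param(
        [Parameter(Mandatory = $true)][string]$ProfileName,
        [string]$UserName,
        [string]$Domain
    )
    $cmdArgs = @($ProfileName)
    if ($UserName) {
        # "*" makes rasdial prompt for the password on the console instead of
        # taking it from the command line, where it would show up in the
        # process list and in command history.
        $cmdArgs += $UserName
        $cmdArgs += '*'
    }
    if ($Domain) { $cmdArgs += "/domain:$Domain" }

    $output = & rasdial.exe @cmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        # rasdial's exit code is the RAS error number (for example 691 = access
        # denied, 800 = VPN server unreachable); surface it to the caller.
        throw "rasdial failed for '$ProfileName' with error $LASTEXITCODE`n$($output -join "`n")"
    }
}

function Get-RasConnectedProfiles {
    # rasdial with no arguments lists the active entries one per line, between a
    # "Connected to" header and the "Command completed successfully." trailer.
    # (English builds; adjust the patterns for localized output.)
    $lines = & rasdial.exe
    $lines | Where-Object { $_ -and ($_ -notmatch '^(Connected to|No connections|Command completed)') }
}

function Disconnect-RasProfile {
    param([Parameter(Mandatory = $true)][string]$ProfileName)
    $null = & rasdial.exe $ProfileName /disconnect
    if ($LASTEXITCODE -ne 0) { throw "Disconnect of '$ProfileName' failed with error $LASTEXITCODE" }
}

# Usage: connect, refuse to proceed unless the profile is actually listed as
# connected (a tunnel that came up and dropped again looks identical otherwise),
# and hang up in a finally block so the tunnel is not left open on error.
Connect-RasProfile -ProfileName 'Corp VPN' -UserName 'jsmith' -Domain 'CORP'
if (-not (Get-RasConnectedProfiles | Where-Object { $_ -eq 'Corp VPN' })) {
    throw "'Corp VPN' reported success but is not listed as connected"
}
try {
    # work that needs the tunnel goes here
}
finally {
    Disconnect-RasProfile -ProfileName 'Corp VPN'
}
```

The wrapper never places the password on the command line; if you need unattended connections, save the credentials in the profile for the specific account that runs the script rather than passing them as arguments.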

Configuring Internet Connection Sharing

I was surprised to see that Microsoft included Internet Connection Sharing (ICS) in the list of exam objectives because ICS is a consumer-oriented technology. ICS can be useful for small offices in order to allow the users to share a single broadband connection. I suppose some sysadmin somewhere in the world has used ICS on a corporate network, but I cannot imagine why and I would never suggest doing so. Using Routing and Remote Access as a router is more flexible, scalable, and robust. Nevertheless, to ensure you are prepared for the exam, here’s a quick overview.

ICS allows a host computer to share its Internet connection with other computers. The host computer must be dual-homed, that is, it must have two separate network connections. One is connected to the Internet via a dial-up connection, DSL, wireless service, or some other technology. The second connection is for the internal network where all of the other computers are located. To enable ICS right-click on the desired local area network connection, select Properties, select the Sharing tab, and then enable Allow other network users to connect through this computer’s Internet connection. Click the Settings button to customize which services the users can access via ICS.

When the host computer’s shared connection is itself a VPN connection, every ICS user can reach the corporate network through that tunnel, under the credentials of the user who opened it. This has potentially serious security implications, and for this reason most administrators disable ICS and bridging for VPN connections. You can restrict these features using Group Policy or the Connection Manager Administration Kit (CMAK). CMAK is discussed in the next section. The two relevant Group Policy settings can be found at Computer Configuration\Administrative Templates\Network\Network Connections; they are:

  • Prohibit use of Internet Connection Sharing on your DNS domain network
  • Prohibit installation and configuration of Network Bridge on your DNS domain network

Configuring Remote Access Servers

Windows Server 2008 can be configured to provide remote access by installing Routing and Remote Access Services (RRAS). RRAS is a role service that is part of the Network Policy and Access Services server role. To function as a router or VPN server the computer needs at least two network interfaces. To provide dial-up remote access the server needs a modem. If your test computer only has a single network adapter you can install a virtual loopback adapter to ensure that RRAS can be configured for VPN access by doing the following:

  1. Open Device Manager, right-click on the server name and select Add legacy hardware.
  2. Click Next, select Install the hardware that I manually select from a list (Advanced), and click Next.
  3. Select Network adapters and click Next.
  4. Select Microsoft in the Manufacturer list, then select Microsoft Loopback Adapter in the Network Adapter list, and click Next.
  5. Complete the wizard.

Installing the virtual loopback adapter will allow you to perform exercises presented later in this section if your practice server only has one network interface. If your test computer does not have a modem installed you can forcibly install the drivers for one. To install the drivers for a legacy modem do the following:

  1. Open Device Manager, right-click on the server name and select Add legacy hardware.
  2. Click Next, select Install the hardware that I manually select from a list (Advanced), and click Next.
  3. Select Modem and click Next.
  4. Enable Don’t detect my modem, I will select it from a list and click Next.
  5. Select Standard 56000 bps Modem and click Next.
  6. Select COM1 and click Next.
  7. Complete the wizard and reboot the server.

Installing RRAS was discussed in Configuring IP Addressing and Services, in the section called Using DHCP Relay Agents. For the purposes of this section you should configure RRAS for remote access by opening Routing and Remote Access and doing the following:

  1. Right-click on the server in the navigation tree and select Configure and Enable Routing and Remote Access.
  2. Click Next when the first page of the Routing and Remote Access Server Setup Wizard appears.
  3. Verify Remote access (dial-up or VPN) is selected and click Next.
  4. Enable both VPN and Dial-up then click Next
  5. Make sure that the internally facing network interface is not selected, select either the loopback adapter or the external interface in the Network interface list, click Next two times and click Finish to complete the wizard.

Selecting Appropriate Remote Access Protocols

Remote access protocols are the communication technologies used for establishing and maintaining a VPN. RRAS includes support for three standards-based VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP).

PPTP uses Point-to-Point Protocol (PPP) for user authentication and 128-bit Microsoft Point-to-Point Encryption (MPPE) for data encryption. For backwards compatibility you can enable 40-bit and 56-bit encryption by setting the HKLM\System\CurrentControlSet\Services\RasMan\Parameters\AllowPPTPWeakCrypto registry value to 1 and restarting the computer. I do not recommend doing this; instead you should configure your Windows XP and Windows Server 2003 systems to support 128-bit MPPE. Keep in mind that the MPPE keys are derived from the MS-CHAP v2 exchange, so PPTP is never stronger than the user’s password, and the DES-based MS-CHAP v2 challenge-response is not considered strong today; treat L2TP/IPsec or SSTP as the stronger choices. PPTP’s data channel is Generic Routing Encapsulation (GRE, IP protocol 47), which has no port numbers, so PPTP clients can only traverse Network Address Translation (NAT) devices that include a PPTP-capable NAT editor. NAT is a technology that allows multiple computers on a private network to share a single public IP address. NAT helps to reduce the rate at which the supply of IPv4 addresses is consumed; however, it presents challenges to client-server applications, hence the constraints NAT imposes on some of the VPN protocols.

L2TP/IPsec uses PPP for user authentication and IPsec for computer authentication (with a certificate or a preshared key) and for encryption. By default IPsec negotiates Triple Data Encryption Standard (3DES) for encryption and a Secure Hash Algorithm 1 (SHA-1) hashed message authentication code (HMAC) for integrity. You can allow RRAS to use the less secure DES encryption and Message Digest 5 (MD5) HMAC by setting the HKLM\System\CurrentControlSet\Services\RasMan\Parameters\AllowL2TPWeakCrypto registry value to 1 and restarting the computer; again, I do not recommend this. L2TP/IPsec clients behind a NAT device only work when both the client and the server support NAT Traversal (NAT-T), which encapsulates the IPsec traffic in UDP port 4500 alongside IKE on UDP port 500.

SSTP uses PPP for user authentication and encapsulates the PPP traffic in Hypertext Transfer Protocol (HTTP) over SSL, so the SSL session provides server authentication, integrity, and encryption of the data. The unique strength of SSTP is that it works in a wider range of challenging scenarios than the other VPN protocols. Because SSTP clients only require outbound TCP port 443, the port used for SSL communications, it is able to traverse firewalls, NAT devices, and proxy servers more reliably. The server needs a certificate whose subject name matches the name clients connect to and that is issued by a certification authority the clients trust, and clients check that certificate’s revocation status, so the certificate revocation list (CRL) distribution point must be reachable from the Internet or connections will fail. The only versions of Windows that currently support SSTP are Windows Server 2008 and Windows Vista with Service Pack 1.
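The following PowerShell script is an added example, not code from the chapter, that audits the registry settings discussed in the two preceding paragraphs and in the Internet Connection Sharing section: the two RasMan weak-crypto overrides on an RRAS server, and the two Group Policy settings that prohibit ICS and Network Bridge. The RasMan value names come from the text; the value names under Policies\Microsoft\Windows\Network Connections are my recollection of what those two policies write and should be verified against your network.admx before you rely on them.

```powershell
# Added example (not from the original chapter): audit the remote access
# hardening settings this section describes. Run on the RRAS server for the
# RasMan values; the Policies values show whether the ICS/bridge policies apply.
# Assumption: NC_ShowSharedAccessUI and NC_AllowNetBridge_NLA are the DWORDs the
# two "Prohibit ..." Group Policy settings write (verify against network.admx).

$checks = @(
    @{ Name = 'PPTP limited to 128-bit MPPE'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
       Value = 'AllowPPTPWeakCrypto'; Expect = 0; MissingIsOk = $true }
    @{ Name = 'L2TP/IPsec limited to 3DES / SHA-1'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
       Value = 'AllowL2TPWeakCrypto'; Expect = 0; MissingIsOk = $true }
    @{ Name = 'ICS prohibited on the domain network (policy)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Value = 'NC_ShowSharedAccessUI'; Expect = 0; MissingIsOk = $false }
    @{ Name = 'Network Bridge prohibited on the domain network (policy)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Value = 'NC_AllowNetBridge_NLA'; Expect = 0; MissingIsOk = $false }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing,
    # because "absent" means different things for the two kinds of check.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $key.GetValue($Name, $null)
}

function Test-RemoteAccessHardening {
    param([array]$Checks = $checks)
    foreach ($c in $Checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Value
        # RasMan overrides default to "off" when missing, so missing is PASS;
        # a missing policy value means the GPO is not applied, so missing is FAIL.
        if ($null -eq $actual) { $pass = $c.MissingIsOk; $shown = '<not set>' }
        else                   { $pass = ($actual -eq $c.Expect); $shown = $actual }
        $result = 'FAIL'
        if ($pass) { $result = 'PASS' }
        New-Object PSObject -Property @{ Check = $c.Name; Actual = $shown; Result = $result }
    }
}

Test-RemoteAccessHardening | Format-Table Result, Check, Actual -AutoSize
```

If a RasMan check fails, set the value back to 0 (or delete it) and restart the server; the override is only read at startup, which is also why a one-time audit after a reboot is more meaningful than one taken immediately after the change.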

In RRAS vernacular each VPN client requires an available port; by default 128 ports of each of the three types are available. Open Routing and Remote Access from the Administrative Tools folder on the Start Menu and click on Ports in the navigation pane; you can view the status of, reset, or disconnect any of the ports in the right-hand pane. Right-click on Ports in the navigation pane and select Properties to adjust the configuration of these protocols as well as any modems installed and the PPP over Ethernet (PPPoE) protocol, as shown in figure 6. Double-click on any of the items to view and adjust its properties; for the VPN protocols you can enable or disable inbound and outbound connections, configure a telephone number for the device, and adjust the number of available ports. Change the maximum ports value to 0 to disable the protocol. Disabling the protocols you do not use, for example PPTP once all clients support L2TP/IPsec or SSTP, is a worthwhile hardening step because it removes that listener entirely.

Figure 6: Configuring RRAS Ports.

Configuring RRAS Packet Filters

You can configure inbound and outbound packet filters for each network interface on the RRAS server. You can restrict traffic based on its source and destination address and port. This type of filtering is not as sophisticated as what you can do with the Windows Firewall with Advanced Security discussed later in this chapter, but it can provide an additional layer of protection. To configure RRAS packet filters open Routing and Remote Access, navigate to either IPv4 or IPv6, select the General container, and then do the following:

  1. Right-click on a network interface in the General pane and select Properties.
  2. Click either Inbound Filters or Outbound Filters as shown in figure 7.

Figure 7: Configuring Network Interface Properties.

  3. The Filters table shows the currently active filters including the source and destination address and network mask, the IP protocol, and the source and destination port or type, as shown in figure 8.

Figure 8: Examining Inbound Packet Filters

  4. You can click on New, Edit, or Delete to manage the filters; for practice click on New.
  5. The Add IP Filter dialog box allows you to define the rule based on the characteristics in step 3. If you do not enable the checkbox for the source or destination network then all traffic will be affected and the word Any will appear in the corresponding column.
  6. Enable the Destination network checkbox.
  7. Enter the IP address of a server on your lab network and a subnet mask of 255.255.255.255. The subnet mask should be this specific because the filter will only apply to a single server.
  8. Select different protocols and notice how additional fields appear below: source and destination ports for the TCP and UDP protocols, a protocol number when Other is selected, and ICMP type and code when the ICMP protocol is selected, as shown in figure 9.

Figure 9: Editing an IP Filter.

You can click Cancel, or if you have already saved the filter select it from the list and click Delete to remove it. For the purposes of the exam you need to understand how IP filters can cause specific features and applications to fail. For example, configuring all inbound traffic to be blocked except what is specifically listed in the filters means that all sorts of problems will arise if the filters are not correctly implemented. If the necessary ports and protocols are not allowed between VPN clients and the domain controllers (DC) then the clients may be able to authenticate and connect to the VPN but then be unable to authenticate with a DC or download Group Policy. At a minimum a domain member needs DNS (TCP and UDP 53), Kerberos (TCP and UDP 88), LDAP (TCP and UDP 389), SMB (TCP 445, which carries SYSVOL and therefore Group Policy), and the RPC endpoint mapper (TCP 135) plus the dynamic RPC port range to reach its DC; a filter table that lists only the first few lets the logon succeed and Group Policy fail.
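The following PowerShell script is an added example (not from the chapter) that models how an RRAS inbound filter table in "drop all packets except those that match" mode is evaluated, so you can test a proposed table against sample traffic before applying it to a live interface. The matching semantics (destination address masked against the network mask, protocol, destination port) are the ones the Add IP Filter dialog exposes; the DC address, VPN pool and packets are constructed for a lab and are not from the page.

```powershell
# Added example (not from the original chapter): simulate RRAS inbound filters
# against sample packets. Lab assumptions: DC at 10.0.0.10, filters written as
# "permit to the DC only", everything else dropped.

function Test-IPInNetwork {
    param([string]$Address, [string]$Network, [string]$Mask)
    # Same test RRAS applies: (address AND mask) must equal (network AND mask).
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($n[$i] -band $m[$i])) { return $false }
    }
    $true
}

function Test-RrasFilter {
    # Returns 'Pass' when the packet matches any filter in the table, otherwise
    # 'Drop' (the "Drop all packets except those that meet the criteria" mode).
    param([object[]]$Filters, [hashtable]$Packet)
    foreach ($f in $Filters) {
        if ($f.Proto -ne 'ANY' -and $f.Proto -ne $Packet.Proto) { continue }
        if ($f.DstNet -and -not (Test-IPInNetwork $Packet.Dst $f.DstNet $f.DstMask)) { continue }
        if ($f.DstPort -and $f.DstPort -ne $Packet.DstPort) { continue }
        return 'Pass'
    }
    'Drop'
}

# Filter table: only the well-known domain logon ports to the DC, host mask
# 255.255.255.255 so each filter applies to that single server.
$dc = '10.0.0.10'; $hostMask = '255.255.255.255'
$filters = @()
foreach ($spec in @('UDP:53','TCP:53','UDP:88','TCP:88','TCP:135','UDP:389','TCP:389','TCP:445')) {
    $proto, $port = $spec -split ':'
    $filters += @{ Proto = $proto; DstNet = $dc; DstMask = $hostMask; DstPort = [int]$port }
}

# Constructed sample traffic from a VPN client. The dynamic-port RPC call is
# the case the table above does not cover, which is how Group Policy and
# Netlogon break even though the Kerberos logon itself works.
$samples = @(
    @{ Name = 'Kerberos AS-REQ';               Proto = 'TCP'; Dst = $dc; DstPort = 88 },
    @{ Name = 'DNS lookup';                    Proto = 'UDP'; Dst = $dc; DstPort = 53 },
    @{ Name = 'SYSVOL (SMB)';                  Proto = 'TCP'; Dst = $dc; DstPort = 445 },
    @{ Name = 'Netlogon RPC (dynamic port)';   Proto = 'TCP'; Dst = $dc; DstPort = 49154 },
    @{ Name = 'RDP to the DC';                 Proto = 'TCP'; Dst = $dc; DstPort = 3389 }
)

function Test-DomainLogonTraffic {
    param([object[]]$Table = $filters, [object[]]$Packets = $samples)
    foreach ($p in $Packets) {
        New-Object PSObject -Property @{ Traffic = $p.Name; Action = (Test-RrasFilter $Table $p) }
    }
}

Test-DomainLogonTraffic | Format-Table Traffic, Action -AutoSize
```

Extend `$filters` with the dynamic RPC range (or restrict RPC to a fixed port on the DC) and rerun until every row a domain member depends on reads Pass and only the rows you intend to block read Drop.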

Configuring Network Policy Server

Things can get a little confusing here, so please be patient and reread this paragraph until it makes sense. Network Policy Server (NPS) is an optional role service for Network Policy and Access Services; if you followed my instructions about installing and configuring RRAS then you have not installed NPS yet. Nevertheless, you need to use it in order to create and manage remote access policies, and you can do so even if the only role service you installed is RRAS. Open Routing and Remote Access, right-click on Remote Access Logging & Policies in the navigation pane and select Launch NPS. See! I don’t make this stuff up; even in Windows Server 2008 Microsoft developers find new ways to confuse hard-working sysadmins! Now that you have opened Network Policy Server, right-click on Network Policies and select New to launch the New Network Policy wizard. Walk through the entire wizard and note the large selection of options available; you can configure very precise policies that control VPN access based on authentication methods, encryption protocols, time of day, and many other factors.

What is installed with RRAS appears to be a limited version of NPS: it cannot act as a Remote Authentication Dial-In User Service (RADIUS) server. NPS replaces Internet Authentication Service (IAS), the RADIUS server that shipped with Windows Server 2003; RADIUS is the protocol, and IAS and NPS are Microsoft’s implementations of it. The exam tends to use the term RADIUS while other Microsoft documentation uses the names interchangeably, so for simplicity I will use RADIUS. To add RADIUS you need to add the NPS role service from Server Manager. Once you do so the Network Policy Server management console will become available in the Administrative Tools folder, and when you open the console you will see two new parent containers in the navigation pane: RADIUS Clients and Servers, and Network Access Protection. RADIUS is a core component of Network Access Protection (NAP), which is discussed later in this chapter.

You can also configure NPS as a RADIUS proxy, in which NPS forwards authentication requests to another RADIUS server. To do so complete the following steps:

  1. Configure the proxy as a RADIUS client on the other NPS server by right-clicking on RADIUS Clients in the navigation pane, selecting New RADIUS Client, and using the wizard.
  2. Configure the proxy next: right-click on Remote RADIUS Server Groups, click New, and complete the wizard to create a remote server group that includes the other NPS server. Make sure that the ports and shared secrets match on both servers, and use a long random shared secret rather than a typed password, because the secret is all that authenticates the RADIUS messages between the two servers.
  3. On the proxy use the New Connection Request Policy Wizard to create a policy to forward connection requests and accounting information to the other NPS server.
  4. Register both NPS servers in Active Directory.
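The following PowerShell script is an added example, not part of the chapter, that performs steps 1, 2 and 4 of the procedure above with the netsh nps context so both sides end up with the same ports and the same randomly generated shared secret. The addresses and group name are lab assumptions, and the netsh nps parameter names are as I recall them from the NPS netsh reference; confirm them with `netsh nps add client ?` and `netsh nps add remoteserver ?` on your servers before running it. Step 3 (the connection request policy) is left to the wizard in the text.

```powershell
# Added example (not from the original chapter): script the RADIUS proxy pairing.
# Run with -Role Backend on the NPS that evaluates requests and with -Role Proxy
# on the forwarding NPS, passing the SAME -SharedSecret to both.
# Assumptions: lab addresses below; netsh nps parameter names per the NPS netsh
# reference as remembered here (verify with "netsh nps add remoteserver ?").

function New-RadiusSharedSecret {
    param([int]$Bytes = 32)
    # 32 random bytes rendered as 64 hex characters: long, no dictionary
    # structure, and free of characters that netsh might interpret.
    $buf = New-Object byte[] $Bytes
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($buf)
    [BitConverter]::ToString($buf).Replace('-', '')
}

function Invoke-Netsh {
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed:`n$($out -join "`n")" }
}

function Set-RadiusProxyPair {
    param(
        [ValidateSet('Backend', 'Proxy')][string]$Role,
        [string]$ProxyAddress   = '10.0.0.20',
        [string]$BackendAddress = '10.0.0.21',
        [string]$GroupName      = 'CorpRadius',
        [Parameter(Mandatory = $true)][string]$SharedSecret
    )
    switch ($Role) {
        'Backend' {
            # Step 1: to the real NPS the proxy is just another RADIUS client.
            # requireauthattrib=YES insists on the Message-Authenticator attribute,
            # so a spoofed Access-Request from the proxy's IP is rejected.
            Invoke-Netsh @('nps', 'add', 'client', "name=$GroupName-proxy", "address=$ProxyAddress",
                           'state=ENABLE', "sharedsecret=$SharedSecret", 'requireauthattrib=YES')
        }
        'Proxy' {
            # Step 2: remote server group plus one member, same ports (1812/1813)
            # and the same secret for authentication and accounting.
            Invoke-Netsh @('nps', 'add', 'remoteservergroup', "name=$GroupName")
            Invoke-Netsh @('nps', 'add', 'remoteserver', "remoteservergroup=$GroupName",
                           "address=$BackendAddress", 'authport=1812', 'acctport=1813',
                           'priority=1', 'weight=50',
                           "authsecret=$SharedSecret", "acctsecret=$SharedSecret")
        }
    }
    # Step 4: register this NPS in Active Directory so it may read dial-in properties.
    Invoke-Netsh @('nps', 'add', 'registeredserver')
}

# Generate the secret once (on either server), copy it to the other server out
# of band, then run the matching role on each box.
$secret = New-RadiusSharedSecret
Write-Output "Shared secret (deliver to the peer out of band): $secret"
Set-RadiusProxyPair -Role Backend -SharedSecret $secret
```

Because the secret passes through netsh’s command line it is briefly visible in the process list and lands in the PowerShell history; clear `$secret` and the history on both servers when you are done, and keep the two secrets identical, since a mismatch produces silently dropped requests rather than an error.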

Using Connection Manager

Connection Manager Administration Kit (CMAK) is an optional feature in Windows Server 2008 that makes it easier for employees to connect to the organization’s network while away from the office. To install CMAK from Server Manager click Features in the navigation pane, then click Add Features, and follow the wizard to complete the installation. After installation is complete a new shortcut, Connection Manager Administration Kit, will be visible in the Administrative Tools folder. CMAK is a great tool for creating customized phonebooks and network connections for mobile employees.

When you open Connection Manager Administration Kit the CMAK wizard launches, it guides you through the process of creating new profile or modifying an existing one. A Connection Manager profile can contain all the information mobile employees need to connect to the corporate network via dial-up or VPN. It can include a list of phone numbers organized by geographic location to facilitate finding the closest dial-in number. It can include a list of VPN servers to simplify finding the closest one. In other words, instead of having to manage multiple network connection objects the Connection Manager can contain information about all of the ways mobile employees can connect in a single shortcut. You can even add your own branding by providing digital images of your organization’s logo, a feature that tends to be utilized most often by Internet Service Providers (ISPs). You should walk through the wizard a few times to familiarize yourself with the options. 

Configure Network Authentication

Windows Server 2008 supports a myriad of authentication protocols, and you will need to understand the capabilities and relative strength of each. User authentication for local area network (LAN) users includes NT LAN Manager version 2 (NTLMv2) and Kerberos. NTLMv2 is password-based, whereas Kerberos supports both passwords and certificates. Certificates are required for smart card logon of LAN users.

User authentication for RAS users includes MS-CHAPv2, Extensible Authentication Protocol-MS-CHAPv2 (EAP-MS-CHAPv2), and Protected EAP-MS-CHAPv2 (PEAP-MS-CHAPv2). These are all password-based protocols that provide mutual authentication between the client and server. Note that MS-CHAPv2 is only as strong as the user’s password and its DES-based challenge-response is no longer considered strong, so where you can, run it inside the TLS tunnel that PEAP provides or use a certificate method instead. Windows Server 2003 and Windows XP are only compatible with MS-CHAPv2. Support for the weaker MS-CHAP version 1, SPAP, and EAP-MD5 was removed from Windows Server 2008 and Windows Vista. EAP-Transport Layer Security (EAP-TLS) and PEAP-TLS are also available; they are certificate-based: the client authenticates with a user or computer certificate during a TLS handshake, which in PEAP-TLS runs inside an outer PEAP tunnel. The server needs a server certificate in every case, and the client certificates must be enrolled before the clients can connect.

Computer authentication for wireless LAN (WLAN) and LAN connections is based on 802.1X with PEAP-MS-CHAPv2, EAP-TLS, or PEAP-TLS. The latter two are certificate-based, so the computer certificate must be installed while the computer is connected to a network that doesn’t require 802.1X; once the certificate is installed the computer is able to authenticate to the 802.1X network.

Configure Network Access Protection

Network Access Protection (NAP) is a new technology that enables administrators to automatically inspect client computers to see whether or not they meet the organization’s system health requirements. Clients that meet the requirements can be granted full access. Clients that do not meet the requirements, that are not managed computers, or that are unable to act as NAP clients can be completely isolated from the corporate network, granted limited access to remediation servers, or granted complete access, depending upon how you configure NAP and the enforcement technologies.

NAP Requirements and Capabilities

NAP requires Windows Server 2008 servers to provide infrastructure services. Windows Server 2008, Windows Vista, Windows XP with Service Pack 3, and Windows Server 2003 with Service Pack 2 can all be NAP clients. Entire books focused on NAP have been published, there are many components and a wide range of configuration options, but NAP is only a small part of the exam so this section only provides a brief introduction. NAP can be enforced using four different methods:

  • IPsec enforcement – IPsec is the most robust enforcement method: every managed system can be configured to drop incoming traffic sent by an unmanaged system or by a system that has not met the system health requirements. Only after proving compliance, and obtaining a health certificate, can NAP clients communicate normally with other managed systems.
  • 802.1X enforcement – 802.1X is a strong way to prevent non-compliant systems from gaining full access to the network. Network infrastructure devices such as Ethernet switches and wireless access points use access control lists (ACLs) or virtual LANs (VLANs) to isolate systems until they have proven they meet the system health requirements.
  • VPN enforcement – A VPN is also a strong enforcement method; the VPN server uses IP filters to block the client until compliance has been demonstrated. The drawback to this approach is that it’s only suitable for managing remote clients.
  • DHCP enforcement – DHCP enforcement is the least robust method: the DHCP server issues a lease that includes routing information to restrict the client’s access until compliance is proven. The issue is that a user with administrative privileges can simply configure an IP address, subnet mask, and default gateway manually to bypass DHCP enforcement. This method is relatively easy to deploy and many organizations use it for their initial NAP development and testing.

Note: A fifth method is available, you can use a Terminal Services gateway server as an enforcement method for Remote Desktop Protocol (RDP) clients, however Microsoft has not been marketing this approach as strongly as the others. Using TS gateway servers in this way is not listed as a topic in the exam study guide. If you are interested in learning more about this method see the TS Gateway Step-by-Step Guide.

NAP involves many components; figure 10 illustrates how they fit together at a high level. Note that the diagram shows several enforcement methods. It often makes sense to deploy VPN enforcement along with one of the LAN-based methods, and for the highest level of protection you can even combine IPsec, 802.1X, and VPN enforcement. A list of the components with a brief description of each appears below the diagram.

Figure 10: NAP Components

  • NAP infrastructure include the following server roles:
    • Health policy server – Sometimes referred to as the Network Policy Server (NPS), the health policy server is a Windows Server 2008 server running NPS. Regardless of enforcement method, this server evaluates the statements of health submitted by clients and determines what access to allow.
    • Health requirement server – Also called the NAP Administration Server, this Windows Server 2008 server
    • Health registration authority – This server must be running Windows Server 2008, it receives health certificates from a certificate authority (CA) and forwards them to clients that meet the system health requirements.
    • Active Directory Domain Services (AD DS) – AD DS provides user authentication and other services; it’s required for IPsec, 802.1X, and VPN enforcement.
    • Remediation Servers – These are servers accessible to non-compliant clients on the restricted network. NAP clients can access the remediation servers to retrieve operating system updates, up-to-date antivirus signatures, or other resources in order to become compliant with the health requirement policies.
  • One or more of the four enforcement methods must be implemented, they can be:
    • IPsec – IPsec does not appear on the diagram because when it’s used as the enforcement method all of the managed systems carry IPsec policies that limit access for systems that have not demonstrated compliance.
    • 802.1X – These are Ethernet switches or wireless access points that support 802.1X authentication.
    • VPN – This is a server running Windows Server 2008 and RRAS, it provides remote access to clients.
    • DHCP – This is a server running Windows Server 2008 and the DHCP service.
  • Clients include managed NAP clients that are either compliant or not compliant; NAP-capable computers that are not managed by the organization, such as those used by a supplier’s sales force; computers running older versions of Windows or other operating systems that do not support NAP; and other devices connected to the network that are not NAP-capable, such as smartphones or network printers. The NAP client includes a NAP agent that scans the computer to see how it is configured, what malware protection software is installed, and what patches are installed, and submits the results to the health requirement server.

Installing and Configuring NAP

It appears that for the purposes of the exam you merely require a high-level understanding of how to configure NAP health policies, so I will explain briefly how to install the required NAP infrastructure components that are included with Windows Server 2008 and then show you how to create a NAP health policy. For a deeper understanding of this powerful technology please utilize the resources noted in the References section at the end of the chapter. To continue with the exercises in this section your test server requires both the NPS role service, which you installed earlier, and the Health Registration Authority role service, which you can install using Server Manager. For a full test environment or a production deployment you also need to deploy Active Directory Certificate Services; you can skip doing that and still configure NAP policies, but you will be unable to implement and test NAP clients.

You configure health requirement policies for NAP using the Network Policy Server management tool. Open this tool and expand both the Policies and Network Access Protection containers in the navigation pane. Windows Server 2008 ships with a System Health Validator (SHV) for Windows, you configure the SHV with the settings required for NAP clients. Click on Windows Security Health Validator and select Properties. You specify how different types of errors should be handled in the Windows Security Health Validator Properties dialog box. Click on Configure. For Windows Vista clients you can specify whether to require a firewall, antivirus, antispyware, and automatic updating, as shown in figure 11. The options for Windows XP clients are the same, except you cannot require spyware protection.

Figure 11: Configuring the Windows Security Health Validator.

You configure remediation servers by right-clicking on Remediation Server Group, clicking New, and entering the appropriate information in the dialog box, including a name for the group and the addresses of the remediation servers. To configure a health policy right-click on Health Policies in the navigation pane and select New. For each health policy you can specify what is checked, e.g. the client passes all checks or the client passes one or more of them. You need to add the NPS server as a RADIUS client: right-click on RADIUS Clients in the navigation pane, select New RADIUS Client, and complete the wizard. In your practice lab the RADIUS client and the server where you are configuring this setting are probably the same computer. You then configure NAP network policies by doing the following:

  1. Click on NPS in the navigation pane and click Configure NAP.
  2. Specify the enforcement method from the drop-down list, update the policy name if desired, and click Next. For your practice lab you can select IPsec with Health Registration Authority (HRA).
  3. The NPS server should automatically appear as one of the RADIUS clients on the Specify NAP Enforcement Servers Running HRA page; if it does not, add it. Click Next when you complete this page. Note that a different page appears if you specified a different enforcement method in step 2.
  4. You can limit the computer groups to which the policy applies by clicking Add Machine; if you do not specify any, the policy applies to all computers. Click Next.
  5. On the Define NAP Health Policy page you select which SHVs are enforced with the policy, specify whether noncompliant clients are remediated automatically, and choose whether clients that are not NAP-capable are denied full network access. Click Next and then click Finish to complete the wizard.

Now click the Network Policies folder; you should see the new NAP policies, including one for compliant clients and one for noncompliant clients. You configure these just as you did for remote access earlier in the Configuring Network Policy Server section. Right-click one of the NAP policies and select Properties; you should see a dialog box similar to figure 12. Be sure to examine each of the tabs and all of the settings available on each tab.
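To check that a lab client has actually picked up the IPsec enforcement you just configured on the server, here is an added example that is not from the original chapter. It uses the nap client context of netsh on a Windows Vista or Windows Server 2008 client and assumes an elevated prompt on a domain-joined lab client; the enforcement client ID 79619 is the IPsec Relying Party enforcement client. The commands are the same whether you type them in cmd.exe or PowerShell.

```powershell
# Added example: verifying NAP IPsec enforcement on a lab client.
# Assumes an elevated prompt on a Windows Vista / Server 2008 NAP client.

# The NAP Agent service must be running, or the client never sends a
# statement of health and will simply look "non NAP-capable" to NPS.
sc.exe config napagent start= auto
net start napagent

# Enable the IPsec Relying Party enforcement client (ID 79619).
# Other IDs: 79617 = DHCP, 79623 = EAP (802.1X).
# In production set this through Group Policy instead, under
#   Computer Configuration\Windows Settings\Security Settings\
#   Network Access Protection\NAP Client Configuration\Enforcement Clients
netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"

# Confirm the configuration and the client's current state: which
# enforcement clients are enabled, whether the client currently has
# restricted or full access, and what each system health agent reports.
netsh nap client show config
netsh nap client show state

# If the client is restricted, fix the Security Center items the SHV
# requires (firewall on, automatic updates on, antivirus present) and make
# the agent re-evaluate by restarting it.
net stop napagent
net start napagent
```

If the state output never changes after a restart, the usual causes are that the HRA cannot issue a health certificate because AD CS is not installed (see the note at the start of this section) or that the client's Group Policy setting for the enforcement client overrides the local one.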

Figure 12: Configuring a Health Policy.

Caution: This has been a brief introduction to NAP, it should be sufficient to help you succeed when you sit for the exam but it’s nowhere near what you need to know if you are considering deploying NAP in a production environment. Hopefully this section has piqued your interest though. I think NAP has tremendous potential to help protect networks from malware and malicious users. I encourage you to explore this promising feature in much more depth.

Configure Wireless Access

The process of selecting a wireless network by specifying its Service Set Identifier (SSID) is the same in Windows Server 2008 as in Windows Vista. So is entering the Wired Equivalent Privacy (WEP) key and configuring the other settings for a wireless connection.

Understanding Wireless Network Security

One misconception about wireless network security is that disabling SSID broadcast on your access points protects the network. If you turn off broadcasts all you have done is make it harder for legitimate users to connect. Attackers use tools that do not depend on beacons: whether or not the SSID is broadcast, clients still send it in probe and association frames, and every other frame is transmitted over the air where it can be captured, so an attacker can easily monitor the traffic to determine the SSID and other information. The most effective way to improve the security of wireless networks is to implement authentication and encryption using WPA2, or WPA where legacy hardware requires it; WEP is covered below mainly so that you understand why it must be replaced. Additional protection can be attained by adding other security technologies such as IPsec, NAP, and the Windows Firewall with Advanced Security. These protocols have distinct strengths and weaknesses:

  • WEP – Introduced with the original IEEE 802.11 standard in 1997, WEP relies on a shared key for both authentication and encryption; you must configure the access point and all clients with the same WEP key before the clients can use the network. WEP encrypts data using the Rivest Cipher 4 (RC4) stream cipher and checks integrity with a Cyclic Redundancy Check (CRC-32). In 2001 cryptographic researchers (Fluhrer, Mantin, and Shamir) demonstrated flaws in the way WEP combines the key with its short initialization vectors that make recovering the key relatively easy, and later tools reduced the attack to minutes of captured traffic. Furthermore, CRCs were never intended to protect against malicious tampering, merely to detect accidental corruption in transit, so an attacker can modify a frame and correct the checksum. Thus WEP is the weakest of the three and should not be used.
  • WPA – WPA can use IEEE 802.1X with an EAP method (for example certificates with EAP-TLS, or PEAP) for authentication; a pre-shared key (WPA-PSK) can be used for small networks. WPA still relies on RC4, but its Temporal Key Integrity Protocol (TKIP) is a significantly better implementation than WEP because it derives a fresh key for every packet and rotates keys dynamically. This means that by the time an attacker breaks a WPA key she may not be able to access the network because the key will no longer be valid. WPA also uses a message integrity code (MIC, known as Michael) for data integrity, a huge improvement over CRC-32.
  • WPA2 – WPA is much better than WEP, but compromises had to be made to ensure compatibility with older wireless network cards. WPA was developed as an interim solution to the flaws in WEP, a protocol to use until the IEEE 802.11i-2004 standard was completed in 2004. WPA2, the Wi-Fi Alliance certification for 802.11i, trades compatibility for a higher degree of protection. Authentication uses 802.1X (or a pre-shared key in personal mode) to establish a long-lived pairwise master key; the access point and the client then prove to each other that they hold that key in a four-way handshake and derive from it a pairwise transient key that is used for a short time. New transient keys are generated periodically to reduce the risk of an attacker compromising the network. The Robust Security Network (RSN) framework tracks these security associations. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), built on AES, provides confidentiality and integrity. The combination of these technologies means that WPA2 is a robust protocol with strong protections against a wide range of attacks. Support for WPA2 is built into Windows Vista, Windows Server 2008, Windows XP with Service Pack 3, and Windows Server 2003 with Service Pack 2.

Managing Wireless Network Settings with Group Policy

You create new wireless network policies using the Group Policy Editor in the following location: Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies. To get started, right-click this folder in the navigation pane and select Create a New Windows Vista Policy. The dialog box in figure 13 will appear.

Figure 13: Creating a new Vista Wireless Network Policy.

Click the Add button to create a new profile. Each wireless profile includes SSID, encryption, and authentication settings. You add SSIDs on the Connection tab of the New Profile properties dialog box. Click on the Security tab. You select authentication and encryption security methods for the network using the drop-down lists at the top, as shown in figure 14.

Figure 14: Configuring Network Profile Security.

You specify the network authentication method and mode using the next pair of drop-down lists. Click Properties to enter information about PEAP or certificate authentication, such as which RADIUS servers are trusted and which inner authentication method is required. Click the Advanced button to configure IEEE 802.1X, single sign on, and fast roaming, as shown in figure 15.

Figure 15: Configuring Advanced Security Settings.

Note that you can also export and import wireless network profiles. For the purposes of the exam, you do not need to know every setting available on each of these dialog boxes or their default values, but you should understand the process of configuring these policies and the profiles within them. You should also be familiar with the relative strengths and weaknesses of the wireless protocols. Finally, you should understand the authentication and encryption methods. For your production networks, you should study WPA2 in depth and deploy it as quickly as is feasible! Even at home you can use WPA2 with a pre-shared key, so you do not need to install a certification authority.
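For computers that are not domain members, or to test a profile before pushing it through Group Policy, the same WPA2 settings can be delivered as a WLAN profile XML file with netsh wlan, which is also the format the export and import options above produce. The following is an added example and is not from the original chapter: it writes a WPA2-Personal (AES/CCMP) profile for an assumed SSID CorpWLAN with a placeholder passphrase and imports it. On Windows Server 2008 the Wireless LAN Service feature must be installed first; an enterprise (802.1X) profile replaces the sharedKey element with an EAPConfig element.

```powershell
# Added example: importing a WPA2/AES wireless profile with netsh wlan.
# Assumed values: SSID "CorpWLAN" and the placeholder passphrase below.
# Run from an elevated PowerShell prompt.

# Windows Server 2008 does not run the WLAN AutoConfig service unless the
# Wireless LAN Service feature is installed:
#   servermanagercmd -install Wireless-Networking

$profilePath = "$env:TEMP\CorpWLAN.xml"

# The weak choices this profile deliberately avoids: open or WEP
# authentication, WEP or TKIP encryption, and nonBroadcast=true (hiding the
# SSID buys nothing, as discussed above).
@'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <SSIDConfig>
    <SSID>
      <name>CorpWLAN</name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <!-- protected=false means the key below is in plaintext; the file
             is deleted after import for that reason. -->
        <protected>false</protected>
        <keyMaterial>ReplaceWithALongRandomPassphrase</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
'@ | Set-Content -Path $profilePath -Encoding ASCII

# Import the profile for all users of the machine, verify it, then remove
# the file so the plaintext passphrase does not linger on disk.
netsh wlan add profile filename="$profilePath" user=all
netsh wlan show profiles name="CorpWLAN"
Remove-Item $profilePath
```

To see the same XML for a network you configured through the user interface, use netsh wlan export profile name="CorpWLAN" folder="C:\Profiles"; the exported file is what the Group Policy import option expects.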

Configure Firewall Settings

In Windows Vista and Windows Server 2008 the Windows Firewall has evolved into the Windows Firewall with Advanced Security. The firewall includes important capabilities not available in earlier versions. It supports outbound filtering. In most situations I believe that outbound filtering has little value, because if an attacker or malware has taken control of the system, how is outbound filtering going to prevent the compromised computer from being used for mischief? Traffic can still be sent out through whatever ports remain open, so the attacker can use them or simply reconfigure the firewall. Nevertheless, outbound filtering is an important capability because it is applied to Windows system services that have no need to initiate network communications with other hosts, and those services run with reduced privileges (Windows Service Hardening) so they cannot reconfigure the firewall rules. This means that if a service is compromised the attacker will not immediately be able to use that service to attack other systems. The new firewall also has a much improved interface that combines management of IPsec policies and firewall rules in a single console. It supports more detailed settings within rules, such as IP protocol numbers, ICMP types, and AD DS accounts. The new firewall also understands IPv6, an important feature as the new protocol becomes more widespread.

Configuring Firewall Rules

Open Windows Firewall with Advanced Security from the Administrative Tools folder. Make note of the four containers in the navigation pane. The purpose of Inbound Rules and Outbound Rules should be self-evident; Connection Security Rules is where you configure IPsec rules, including the ones that NAP IPsec enforcement relies on. The Monitoring container is for tracking the status of the firewall; we will discuss it in a moment. Click Outbound Rules and notice the large number of built-in rules. They are all allow rules designed to ensure the operating system is able to initiate connections with remote hosts; however, the default configuration is to allow all outbound traffic, so these rules normally have no effect.

Caution: Blocking all outbound traffic may sound like a great idea to some people. There certainly are some purported security experts who insist it's required to properly lock down a computer. Do not listen to them, they are wrong. If you block all outbound traffic you will spend hours if not days figuring out what ports and applications to allow so that you can use the computer. As I noted earlier, if an attacker takes control of your computer they will simply allow outbound traffic again and go about their nefarious business.

Click Inbound Rules; there are several dozen built-in rules that allow the computer to receive traffic from other hosts. Different rules will be enabled and disabled depending upon the server roles and role services present on the system. The installation wizards automatically enable the appropriate rules when you install components and disable them when you remove components. To create a new rule right-click Inbound Rules, select New Rule and do the following:

  1. First you must specify the type of rule that you want to create. The first three choices (Program, Port, and Predefined) help you to quickly configure the rule by focusing on a small part of what is available. Select Custom and click Next so that you can see every option.
  2. You can configure the rule to apply to all programs, to only a specific one, or to a system service. If you were to select This Program Path and click Browse you could select an application; only that application would then be affected by the rule.
  3. Click Customize to select which services the rule should apply to, as shown in figure 16.

Figure 16: Customizing Service Settings

  4. Make sure Apply to all programs and services is selected, then click OK.
  5. Select All programs and click Next.
  6. The Protocol and Ports page is where you specify which IP protocol the rule should apply to. For example, L2TP is IP protocol number 115 while TCP is number 6. Select TCP; now you can select specific local and remote ports for the rule, as shown in figure 17. Click Next.

Figure 17:Configuring TCP Ports.

  7. Use the Scope page to specify which IP addresses the rule affects. If you click Customize you can select which types of network interfaces are affected: LAN, remote access, or wireless. Make sure Any IP address is selected for both local and remote address and click Next.
  8. The Action page is where you define what the rule does when traffic that meets its criteria arrives. You can allow or block the connection, but you can also require IPsec by selecting Allow the connection if it is secure. I know I said you configure IPsec rules in the Connection Security Rules container; you can also configure inbound and outbound rules to require IPsec, and when you do you can further restrict the traffic to specific computer and user accounts stored in Active Directory. Click Next.
  9. Finally, you specify which network profiles the rule applies to (Domain, Private, or Public) and assign a name to the rule. Complete the wizard.
  10. Right-click the rule and select Disable Rule to make sure that this practice rule does not cause any unexpected problems when you are doing lab exercises later on.

The exam topics do not indicate that you need to know how to manage the firewall from a command prompt; nevertheless you should know that you can use netsh to do so. Open a command prompt with administrative privileges and enter netsh, then enter advfirewall to switch to the Windows Firewall with Advanced Security context. From there you use subcontexts and commands for the various tasks, such as firewall to add, change, or delete rules, consec to configure connection security rules, or reset to return the firewall to the default settings present when you first installed the operating system.
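The rule the wizard procedure above builds, the "Allow the connection if it is secure" variant from its Action step, and the connection security rule that variant depends on, expressed with netsh advfirewall instead of the console. This is an added example and is not from the original chapter; the rule names, TCP port 8080, and the 192.168.10.0/24 lab subnet are assumed values. The commands are identical in cmd.exe and PowerShell (the backticks are only PowerShell line continuations).

```powershell
# Added example: the practice inbound rule and a connection security rule
# via netsh advfirewall. Assumed values: rule names, port 8080, 192.168.10.0/24.
# Run from an elevated prompt.

# Custom inbound rule matching the wizard: all programs, TCP, local port 8080,
# any local/remote address, allow, all three profiles. Created disabled
# (enable=no), which is what the last step of the wizard procedure does by hand.
netsh advfirewall firewall add rule name="Lab: TCP 8080 inbound" `
    dir=in action=allow protocol=TCP localport=8080 remoteport=any `
    localip=any remoteip=any profile=any enable=no `
    description="Practice rule from chapter 3; leave disabled"

# The "Allow the connection if it is secure" action is action=allow plus
# security=authenticate; the rule then only matches traffic that a
# connection security rule has already authenticated with IPsec.
netsh advfirewall firewall add rule name="Lab: TCP 8080 inbound (IPsec only)" `
    dir=in action=allow protocol=TCP localport=8080 `
    security=authenticate enable=no

# The matching connection security rule: require authentication for inbound
# traffic from the lab subnet and request it outbound, using computer
# Kerberos, which works for any domain member without certificates.
netsh advfirewall consec add rule name="Lab: require IPsec from lab subnet" `
    endpoint1=any endpoint2=192.168.10.0/24 `
    action=requireinrequestout auth1=computerkerb enable=no

# Review what was created, enable a rule only when you are ready to test it,
# and delete it when the lab is over.
netsh advfirewall firewall show rule name="Lab: TCP 8080 inbound" verbose
netsh advfirewall firewall set rule name="Lab: TCP 8080 inbound" new enable=yes
netsh advfirewall firewall delete rule name="Lab: TCP 8080 inbound"
```

Rule names are the key netsh uses for set and delete, so give every scripted rule a unique, descriptive name; netsh advfirewall firewall show rule name=all lists everything, including the built-in rules the console shows.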

Other Firewall Management Tasks

You can export the local firewall policy by right-clicking Windows Firewall with Advanced Security on Local Computer in the navigation pane and selecting Export Policy. This can be useful when you are managing multiple computers that are not members of an AD DS domain because you can import the policy on other computers running Windows Server 2008 and Windows Vista. Right-click on Windows Firewall with Advanced Security on Local Computer and select Properties. You use this dialog box to configure settings for each of the three network profiles such as the default behavior (block or allow) and logging. You can also configure IPsec default settings and IPsec exemptions from the IPsec Settings tab.

There is a lot of useful troubleshooting information visible when you click the Monitoring node in the navigation pane. You can see which network profile is active and how the firewall is configured for each profile. You can click the child nodes to see which firewall rules are being enforced, which connection security rules are in effect, and which IPsec security associations are active. Oddly, monitoring the firewall does not appear to be an important topic for the exam, as it's not listed as a topic.
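The per-profile properties, logging, policy export, and Monitoring view described in the two paragraphs above all have netsh advfirewall equivalents, which is how you baseline and audit servers that are not in a domain. The following is an added example and is not from the original chapter; the export path C:\Baseline is an assumed value, and the monitor show mmsa and qmsa commands list the IPsec security associations that the Monitoring node displays.

```powershell
# Added example: firewall profile defaults, logging, export/import and
# monitoring with netsh advfirewall. Assumed path: C:\Baseline.
# Run from an elevated prompt.

# Make sure the firewall is on in every profile, and set the defaults the
# Properties dialog exposes: block unsolicited inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Logging is off by default; turn on dropped-packet logging so that
# pfirewall.log exists when you need to troubleshoot a blocked connection.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096

# For the Public profile on a laptop: block inbound even where an allow rule
# exists, and do not prompt the user to unblock programs.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
netsh advfirewall set publicprofile settings inboundusernotification disable

# Export the whole policy (rules, connection security rules, profile
# settings) to a .wfw file; load it on other non-domain servers with import.
New-Item -ItemType Directory -Path C:\Baseline -Force | Out-Null
netsh advfirewall export "C:\Baseline\wfas-baseline.wfw"
# netsh advfirewall import "C:\Baseline\wfas-baseline.wfw"

# The Monitoring node from the command line: which profile is active and
# how it is configured, then the IPsec main-mode and quick-mode SAs in effect.
netsh advfirewall show currentprofile
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The .wfw file is binary, so keep a dated copy under version control or on a file share and diff the output of netsh advfirewall show allprofiles and firewall show rule name=all if you need to see what changed between two baselines.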

You should also familiarize yourself with the Windows Firewall tool located in Control Panel. It’s a much simpler management tool that only allows you to perform a few tasks such as enabling and disabling the firewall or granting a program access. Click on Allow a program through the firewall to see the firewall rules and other configuration options. Although the Control Panel tool is not likely to be covered by the exam you should know a little about it. Why? Because the fact that there are multiple places to manage the firewall is likely to confuse some of your colleagues, for example, if you are on the phone helping someone to configure a connection security rule and they claim they are unable to see any such rules it probably means they are using this tool rather than the one located in the Administrative Tools folder.

A Few More Words about Network Profiles

There are three network profiles available in Windows Vista and Windows Server 2008. Windows keeps track of previously used networks by recording information about them, such as the Media Access Control (MAC) address of the default gateway and whether a domain controller was present. The profiles are a simple way to tighten security on mobile computers when they leave the office, but they may cause confusion for some users.

  • Domain – The operating system automatically uses this profile when it detects a domain controller for the computer's domain. You cannot select this profile manually.
  • Private – When you connect a computer running Windows Vista to a new network and no domain controller is detected, a dialog box appears asking you to classify the network. If you select Work or Home the private profile is applied; either choice requires administrative privileges.
  • Public – You should select this profile when connected directly to the Internet, for example, when you are using the wireless service at a coffee shop or hotel.

Configuring the Firewall Using Group Policy

In order to support the new capabilities Microsoft had to redesign the Group Policy interface for managing the Windows Firewall with Advanced Security. In the Group Policy Editor you can find the settings at Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security. Settings configured here are ignored by versions of Windows that precede Windows Vista. For backwards compatibility you can still configure firewall settings in the old location, Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Settings configured in the old location affect Windows Vista and Windows Server 2008 as well as Windows XP and Windows Server 2003. This is important to remember when troubleshooting firewall behavior; make sure all of the Group Policy administrators in your organization understand this behavior and that they consistently use the same location. The user interface for configuring the Windows Firewall with Advanced Security in Group Policy is identical to the local management tool, so there is no reason to discuss it again since it was covered earlier in this section.

Summary

This chapter showed you how to configure remote access clients and servers, and it introduced you to Network Access Protection (NAP) and the technologies related to it. Configuring wireless security through Group Policy was illustrated, and the details of the authentication and encryption capabilities of the various wireless protocols were discussed. Finally, the chapter showed you how to manage the Windows Firewall with Advanced Security both locally and through Group Policy.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply a few questions may require you to examine those tools further rather than rereading the chapter.

Questions

  1. Which of the following authentication protocols is generally considered to be the least secure?
    1. MS-CHAP v2
    2. CHAP
    3. PEAP
    4. EAP- MS-CHAP v2
  2. You need to configure a server that is running Windows Server 2008 Core to periodically initiate a connection using a telephone line so that a script can automatically post updated files from an application running on the server. What tool should you use while logged into the server?
    1. rasdial
    2. netsh
    3. Network and Sharing Center
    4. RRAS
  3. You have installed RRAS, a role service of the Network Policy and Access Services server role on a computer running Windows Server 2008 Enterprise Edition. You have configured a VPN for remote users however you need to ensure that they can only connect between 6 a.m. and 10 p.m., what should you do?
    1. Install the Network Policy Server (NPS) and then configure a network policy for RRAS.
    2. Use the Task Scheduler to schedule two daily tasks to run two different scripts: one that stops the Routing and Remote Access system service at 10 pm and another that restarts the server at 6 am.
    3. Use NPS to configure a network policy for RRAS.
    4. Use Group Policy to configure a network policy.
  4. Your organization has just signed contracts with several national ISPs to provide dial-up Internet access to mobile employees so that they can connect to the VPN when no other options are available. Between them these ISPs have hundreds of points-of-presence (POP) with thousands of telephone numbers, how should you make the information available to the mobile employees so that they can take advantage of this new connectivity option?
    1. Write a script to create all of the necessary dial-up connections, execute the script on each client computer.
    2. Use Group Policy to publish the information.
    3. Use the Connection Manager Administration Kit to create a CMAK profile and phonebook, install the profile on each client computer.
    4. Publish the information on a publicly accessible web server so that employees can access the information while away from the office.
  5. Which of the following authentication protocols involve digital certificates? (pick 2)
    1. EAP-TLS
    2. NTLMv2
    3. MS-CHAPv2
    4. PEAP-TLS
  6. Which of the following technologies can be used as a NAP enforcement method? (Pick 3)
    1. IPsec
    2. 802.11g
    3. 802.11b
    4. 802.1X
    5. DHCP
    6. TLS
    7. RADIUS
  7. Your network consists of Windows Server 2008 servers, Windows Vista clients, and AD DS. You use 802.1X security for the wireless LAN. You have deployed all of the necessary infrastructure components including an Active Directory-integrated certification authority (CA). Existing clients are able to use the secure wireless network. An employee receives a new laptop computer and reports that he is not able to access the wireless network with the new machine but he still can with his old one. What two steps should you take to resolve this?
    1. Download and install the latest drivers for the wireless network card in the laptop computer.
    2. Create a new certificate on the CA server, manually copy it to the laptop computer and add it to the machine certificate store.
    3. Connect the computer to the wired network.
    4. Join the computer to the domain and reboot it.
    5. Reinstall Windows Vista because the original installation may be corrupt.
    6. Reboot the laptop computer.
  8. Which of the following technologies would significantly increase the security of a new wireless network? (pick 3)
    1. WEP
    2. 802.11g
    3. WPA2
    4. TLS
    5. NAP
    6. IPsec
  9. Why should you be hesitant to configure the default rule for outbound filtering to block with the Windows Firewall with Advanced Security?
    1. It is difficult to determine what applications require outbound access.
    2. Many rules that grant outbound access will have to be created and managed.
    3. Outbound filtering only provides a small amount of security compared to other potential countermeasures.
    4. All of the above.
  10. Which of the following cannot be used to specify an inbound rule for allowing traffic through the Windows Firewall with Advanced Security?
    1. Program path.
    2. Service name.
    3. Service short name.
    4. Time and date.
    5. Protocol type.
    6. TCP or UDP port.
    7. IP address.
    8. Active Directory account name.

Answers

  1. The correct answer is B. Challenge-Handshake Authentication Protocol (CHAP) is the least secure of the four options. Password Authentication Protocol (PAP) is even less secure than CHAP because it requires sending the password across the network in plaintext.
  2. A is the correct answer; using the command line tool rasdial would be the simplest solution. Although netsh is very powerful it does not have the ability to initiate dial-up connections. The Network and Sharing Center is a graphical tool not available on computers running a core installation of Windows Server 2008. RRAS could do the job, however it's overkill for a simple scenario.
  3. C is correct. Although the NPS role service has not been installed, a limited version of it is included with the RRAS role service so that you can configure remote access policies. B is an amusing idea, but it is unnecessarily complex when you can easily create the network policy.
  4. C is correct, CMAK is the best way to accomplish this from both administrator and user points of view.
  5. A and D are correct. Both EAP-TLS and PEAP-TLS use TLS, which authenticates the RADIUS server to the client with a certificate and, with TLS as the inner method, authenticates the client with a certificate as well.
  6. A, D, and E are the correct answers. B and C refer to wireless technologies but they do not include any sort of authentication capabilities that could be used to enforce NAP policies. F is incorrect because TLS is an encrypted network communications protocol and G is wrong because RADIUS is an authentication and accounting technology designed to control remote access.
  7. C and D are correct, the computer needs to be joined to the domain so that it can automatically retrieve the digital certificate required for using the wireless LAN. This can only be done while connected to the wired network since the laptop does not have the required certificate.
  8. C, E, and F are correct. A is wrong because WEP was shown to have major security flaws in 2001. B is incorrect because 802.11g in and of itself is not a security technology. D is wrong because TLS is a technology for encrypting network communications. A plausible argument could be made that D is a valid answer since TLS can be used with EAP or PEAP for 802.1X authentication, but the way the other three answers increase security is more obvious. You may encounter questions such as this on the exam where an answer is almost correct; when you do, select the answer that is most correct or easiest to implement rather than one where you would have to combine the technology specified in the answer with other technologies.
  9. D is correct. Do not use outbound filtering!
  10. D is correct, all of the other answers are valid components of firewall rules.

References

Using Network and Sharing Center.

Connection Manager Administration Kit.

Network Access Protection homepage.

Introduction to Network Access Protection.

Chapter 14, “Network Access Protection Overview” in Windows Server 2008 Networking and Network Access Protection, ISBN-13 978-0735624221. Also available as part of the Windows Server 2008 Resource Kit, ISBN-13 978-0735623613.

Chapter 15, “Preparing for Network Access Protection” in Windows Server 2008 Networking and Network Access Protection, ISBN-13 978-0735624221. Also available as part of the Windows Server 2008 Resource Kit, ISBN-13 978-0735623613.

Chapter 5, “Firewall and Network Access Protection” in Windows Server 2008 Security Resource Kit, ISBN-13 978-0735625044. Also available as part of the Windows Server 2008 Resource Kit, ISBN-13 978-0735623613.

Wireless LAN Technologies and Microsoft Windows.