Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.

Date post: 22-Dec-2015
Agenda

• Group Policies

• Network Policy and Access Services

Group Policies

• Using Group Policies to harden Windows 7

• The following will outline several methods to secure a network environment using Group Policies

• Microsoft doc defining settings to harden Windows 7

  • http://www.microsoft.com/en-us/download/details.aspx?id=24373

Group Policies

• Computer Configuration (CC) > Privacy settings

• Interactive logon: Do not display last user name

• CC > Security Settings

• Shutdown: Allow system to be shut down without having to log on

• Network security: Do not store LAN Manager hash value on next password change

  • This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.

Group Policies

• Network access: Do not allow storage of credentials or .NET Passports for network authentication

  • This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer.

• Removable Disks: Deny write access

• Internet Explorer

• Disable context menu

  • Ensures that users cannot access other features that have been disabled

• Disable customizing buttons

• Disable Internet Options tabs
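
To check that the four security options listed above actually reached a workstation, the [Registry Values] section of a `secedit /export /cfg <file> /areas SECURITYPOLICY` export can be audited. The following is an added example, not part of the original slides; the expected values (the hardened direction of each option) are assumptions and the export text is a constructed sample.

```python
BASE = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# (registry value, policy name on the slides, assumed hardened DWORD value)
CHECKS = [
    (BASE + r"\DontDisplayLastUserName", "Interactive logon: Do not display last user name", 1),
    (BASE + r"\ShutdownWithoutLogon", "Shutdown: Allow system to be shut down without having to log on", 0),
    (LSA + r"\NoLMHash", "Network security: Do not store LAN Manager hash value", 1),
    (LSA + r"\DisableDomainCreds", "Network access: Do not allow storage of credentials", 1),
]

# Constructed sample of an export; one option is weak and one is missing.
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
"""

def parse_registry_values(text):
    """Return {lowercased registry path: int} for REG_DWORD (type 4) entries."""
    values, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line:
            path, _, data = line.partition("=")
            reg_type, _, raw = data.partition(",")
            if reg_type.strip() == "4" and raw.strip().isdigit():
                values[path.strip().lower()] = int(raw)
    return values

def audit(text):
    """Return [(policy name, status)] with status OK, WEAK or NOT SET."""
    found = parse_registry_values(text)
    report = []
    for path, name, want in CHECKS:
        got = found.get(path.lower())
        status = "NOT SET" if got is None else ("OK" if got == want else "WEAK")
        report.append((name, status))
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_EXPORT):
        print(f"{status:8} {name}")
```

A real export is typically UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `audit`.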

Group Policies

• Control Panel Access

• Prevent access

• Windows Explorer

• Do not move deleted files to the Recycle Bin

• Hide these specified drives in My Computer

• Start menu and taskbar

• Hide the notification area

• Lock the Taskbar

• System

• Prevent access to registry editing tools

• Prevent access to the command prompt

Group Policies

• Controlling applications

• Application Control Policies

• Software Restriction Policies

Group Policies

• AppLocker requirements

• Works on Windows 7 and newer

• Only available on 7 Enterprise and Ultimate…not Pro

• Application Identity service must be running.

• Add default rules to prevent stepping on “required” services

Group Policies

• AppLocker

• Add default rules

• Create new rule

Group Policies

• Software Restriction Policies

• Similar to AppLocker, works on XP and later

GPO Questions

Network Policy and Access Services

• Routing and Remote Access Service (RRAS), pronounced “R-Razz”

• Formerly Remote Access Service in NT 4.0

• Bundled to compete with Novell's NetWare Connect

• Now included as a role in Network Policy and Access Services

Network Policy and Access Services

• First we must know some routing information

• TCP adds more to IP to allow the concept of a connection

• Handshaking—3-way handshake: SYN, SYN/ACK, ACK

• Sequencing—ensures that no two bytes are repeated or sent out of sequence

• Flow control—keeps traffic flowing without having to wait and take up too much memory.

• Error indication—an application that closes unexpectedly can be signaled to its communicating partner with a reset

• Ports—each IP address has 131,070 ports. Similar to extensions for a phone number

• Socket

  • Port (both local and foreign)

  • IP Address (both local and foreign)

  • Protocol (TCP/UDP)

Network Policy and Access Services

• Routing un-routable addresses?

• NAPT—Network address/port translator.

  • One external IP address for several internal private IP addresses. This router would look beyond the IP layer into the TCP/UDP layer and use the IP address and port to map connections.

  • This is also referred to as Port Address Translation (PAT)
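
The mapping described above can be made concrete with a small translation table. This is an added example, not from the original slides: the class name, starting port and all addresses (private and documentation ranges) are assumptions, and it models only the table, not a real router.

```python
import itertools

class Napt:
    """Toy NAPT: many private sockets share one external IP, keyed by protocol and port."""

    def __init__(self, external_ip, first_port=50000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        self.out = {}   # (proto, private_ip, private_port) -> external_port
        self.back = {}  # (proto, external_port) -> (private_ip, private_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet, creating a mapping if needed."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            ext_port = next(self._ports)
            self.out[key] = ext_port
            self.back[(proto, ext_port)] = (src_ip, src_port)
        return (proto, self.external_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Rewrite the destination of a reply; None means no mapping, so drop."""
        target = self.back.get((proto, dst_port))
        if target is None:
            return None
        return (proto, src_ip, src_port, *target)

def demo():
    nat = Napt("203.0.113.10")  # constructed external address
    # Two internal hosts use the same source port toward the same server.
    a = nat.outbound("tcp", "192.168.0.20", 49152, "198.51.100.5", 443)
    b = nat.outbound("tcp", "192.168.0.21", 49152, "198.51.100.5", 443)
    # The reply is steered by external port alone, back to the right host.
    reply_b = nat.inbound("tcp", "198.51.100.5", 443, b[2])
    # No internal host opened these, so there is nothing to translate to.
    unsolicited = nat.inbound("tcp", "198.51.100.9", 4444, 3389)
    wrong_proto = nat.inbound("udp", "198.51.100.5", 443, a[2])
    return a, b, reply_b, unsolicited, wrong_proto

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Inbound traffic with no matching table entry has nowhere to go, which is why an internal service is unreachable from outside until a mapping exists for it.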

Network Policy and Access Services

• Viewing and troubleshooting our routing tables

• route print

Network Policy and Access Services

• Viewing and troubleshooting our routing tables

Adding and deleting routes using route and netsh

route add 192.168.0.0 mask 255.255.0.0 10.0.0.1 metric 100

route add 192.168.0.0/16 10.0.0.1 metric 100 (same as above)

netsh interface ipv4 add route 192.168.0.0/16 "Local Area Connection" 10.0.0.1

route delete 192.168.0.0

netsh interface ipv4 delete route 129.0.0.0/8 "Local Area Connection"

Network Policy and Access Services

• Two functions:

• Accepting Inbound calls

  • Universal Gateway to your network

• Same functionality as if they were attached to the LAN, although slower.

• Connecting one private network to another.

• Placing Outbound calls (DUN)

  • Dial Up Networking

• Internet Connectivity

• Internet Gateway utilizing NAT (Network Address Translation)

  • Poor man's proxy server

Network Policy and Access Services

• Accepting VPN (virtual private network) from remote clients

• Running a secure private network over an insecure public network (internet).

• All a client needs is an Internet connection and a valid IP address; it then establishes a VPN session to the RAS server.

• Session is secure and encrypted.

Network Policy and Access Services

• Added as a Role in 2008 R2

Network Policy and Access Services

• Add supporting role features

Network Policy and Access Services

• After installation, you must Enable Routing and Remote Access

• Read carefully all options based on need

Network Policy and Access Services

• Determine how the remote users will be assigned IP addresses for the internal network.

Network Policy and Access Services

Network Policy and Access Services

• Configure client connection by adding a new connection in Network and Sharing Center

Network Policy and Access Services

• Select connection option and complete wizard on workstation

Things to consider

• How will it be utilized?

• What will be running on your DUN or VPN?

• File-based apps versus client-server apps

  • Microsoft Access versus Microsoft SQL Server

  • Access requests continuously query the drive after each record search.

  • SQL: a query is sent to the server from a client application, the query is run at the server, and the results are then transmitted back to the client.

• What connection will be required?

  • RRAS supports:

• X.25: old “cloud” technology that typically tops out at 56-64k, although reliable

• Frame-Relay: same as X.25 but faster, single connection to cloud.

• Modems

• ISDN

• Point to point…

