Wednesday, April 17, 2013

Chapter 11 “Maintaining Windows Server 2008 File Services”



Thursday, April 18, 2013

Shadow Copies of Shared Folders is a very useful feature that creates point-in-time copies of the files stored on a Windows Server 2003 or Windows Server 2008 file share. Users can get at previous versions of the files they are working on (the Previous Versions tab in Explorer) without administrator intervention. Some of the ways Shadow Copies are useful are recovering files that were accidentally deleted, recovering files that were accidentally overwritten, and comparing a previous version of a file with the current one and retrieving the previous version if necessary. Shadow copies are not a substitute for backups: they live on the same server, by default on the same volume, a volume holds at most 64 of them, and the oldest are discarded automatically once the shadow storage limit is reached.

The File Server Resource Manager (FSRM) is an additional role service available when you install the File Services server role. It was introduced in Windows Server 2003 R2 and provides tools that help administrators monitor and regulate storage on their servers. Some of the tasks FSRM can perform are establishing quotas that limit the amount of storage space each user is allowed, creating file screens that prevent users from storing specific types of files on server drives, creating templates that simplify applying quotas and screens, automatically sending email to users or administrators when quotas are exceeded or nearly exceeded, and generating reports detailing the storage activities of users. There are two types of quotas, hard and soft. A hard quota is a strict limit: a user cannot write data to the folder beyond the limit without first removing data to make room. A soft quota is a monitoring limit: the user can keep writing past it, but the configured notifications (email, event log entry, command, or report) fire so that he or she, or the administrator, knows the limit has been reached and action is required. FSRM quotas apply to a folder tree regardless of who owns the files, unlike NTFS disk quotas, which apply per user per volume. File screens match on file name extension only, so a renamed file is not caught; they are a storage policy tool, not a security control.

One of the most important duties of an administrator is backing up all the critical data on the server. The Windows Server Backup feature must be installed before you can back up the data and operating system on your server; Wbadmin.exe is installed with it, while the Command-line Tools sub-feature, which provides the backup cmdlets, additionally requires Windows PowerShell. There are two types of backups, manual and scheduled. Members of either the Administrators group or the Backup Operators group can start a manual backup using the Windows Server Backup console or Wbadmin.exe from the command line. Scheduled backups can only be configured by members of the local Administrators group, again using the console or Wbadmin.exe. In Windows Server 2008 a scheduled backup must go to a dedicated local physical disk that holds no other data, because the disk is reformatted and hidden from Explorer when the schedule is created. Backup Operators is a highly privileged group: its backup and restore privileges let a member read and write any file on the server regardless of NTFS permissions, so membership should be reviewed and treated like administrator access.
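The maintenance tasks above, as an added PowerShell example that is not from the original page or from Microsoft's documentation. It drives the tools that ship with Windows Server 2008 and the two features discussed (vssadmin, dirquota and filescrn from FSRM, wbadmin from Windows Server Backup); the volume letters, folder paths, size limits and the disk GUID are assumptions for illustration and must be changed for a real server.

```powershell
# Added example, not part of the original page. Run from an elevated prompt on
# a Windows Server 2008 file server with the FSRM role service and the Windows
# Server Backup feature installed. D: is assumed to be the data volume and
# E: a separate local disk for shadow storage and backups.

# --- Shadow Copies of Shared Folders -----------------------------------------
# Put the shadow-copy storage (diff area) on a separate volume so heavy writes
# on D: do not consume the space the copies themselves need, then take a copy.
vssadmin add shadowstorage /for=D: /on=E: /maxsize=10GB
vssadmin create shadow /for=D:
vssadmin list shadows /for=D:

# --- FSRM quotas and file screens --------------------------------------------
$userHome = 'D:\Users\alice'          # assumed per-user folder
New-Item -ItemType Directory -Path $userHome -Force | Out-Null

# Hard quota: writes fail once 200 MB is in use anywhere under this folder.
dirquota quota add "/path:$userHome" /limit:200MB /type:hard

# Soft quota on a shared area: writes still succeed past 1 GB, but the quota's
# threshold notifications fire so an administrator is told to act.
dirquota quota add /path:D:\Shares\Projects /limit:1GB /type:soft

# Active file screen using the built-in "Audio and Video Files" group.
# Screens match on extension only; a renamed .mp3 is not caught.
filescrn screen add /path:D:\Shares /type:active /add-filegroup:"Audio and Video Files"

# Review what is now in force.
dirquota quota list /path:D:\Users\alice
filescrn screen list /path:D:\Shares

# --- Windows Server Backup ---------------------------------------------------
# Manual (one-time) backup of both volumes to E:. Administrators or Backup
# Operators may run this; -quiet suppresses the interactive confirmation.
wbadmin start backup -backupTarget:E: -include:C:,D: -quiet

# Scheduled backup: Administrators only. -addtarget takes a disk identifier
# from 'wbadmin get disks'; that disk is reformatted and hidden, so it must
# hold nothing you want to keep. The GUID below is a placeholder, so the line
# is left commented out until a real identifier is substituted.
wbadmin get disks
# wbadmin enable backup -addtarget:{00000000-0000-0000-0000-000000000000} -schedule:21:00 -include:C:,D: -quiet

# Verify that the target now holds a restorable version.
wbadmin get versions -backupTarget:E:

# Backup Operators can read every file on the server; audit who is in it.
net localgroup "Backup Operators"
```

The quota commands use the folder path as the quota's scope, which is why the same folder appears in both the add and list commands; a restore test with wbadmin start recovery against the version listed at the end is the only real proof that the backup is usable.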

Wednesday, April 10, 2013

Chapter 10 “Maintaining Network Health”



Thursday, April 11, 2013

There are two types of Certificate Authority (CA) that can be deployed in a Windows-based Public Key Infrastructure (PKI). A standalone CA does not use Active Directory; certificate requests are held as pending until an administrator approves or denies them (unless the CA is set to issue automatically, which is unsafe on a CA that untrusted hosts can reach). A standalone CA can be either a root or a subordinate CA in any PKI. The usual design is a standalone root that is kept offline for added security, since the root key only signs subordinate CA certificates and the root CRL, with an enterprise subordinate doing the day-to-day issuing. An enterprise CA is integrated with Active Directory and can also be either a root or a subordinate CA. Enterprise CAs use certificate templates, which allow autoenrollment of digital certificates, and publish the CA certificate and the certificates they issue into the Active Directory database. With Windows Server 2008 you can also configure an Online Responder (the Online Certificate Status Protocol, OCSP) to answer revocation queries for certificates issued by one or more CAs, so clients do not have to download a full CRL.

In an Active Directory environment, distribution of certificates is automated through the permissions on certificate templates: Full Control, Read, Write, Enroll and Autoenroll. A user or computer receives a template's certificate automatically only if it holds Read, Enroll and Autoenroll on that template and the Certificate Services Client - Auto-Enrollment setting under Public Key Policies in Group Policy is enabled for it; Group Policy can likewise disable autoenrollment. In a non-Active Directory environment clients enroll manually, using either the Certificate Request Wizard in the Certificates snap-in or Certification Authority Web Enrollment.

Network Access Protection (NAP) ships with a number of built-in enforcement methods: DHCP enforcement, IPsec enforcement, VPN enforcement, 802.1X enforcement and Terminal Services Gateway enforcement. In the lab for this class we used DHCP enforcement. With that method a noncompliant client receives a restricted DHCP configuration (a 255.255.255.255 subnet mask, no default gateway, and static routes only to the remediation servers) that limits its access to the network until the health issues are resolved. DHCP enforcement is the weakest of the five, because a client with a statically configured IP address bypasses it entirely; IPsec enforcement is the strongest, because compliant hosts refuse unauthenticated traffic from noncompliant ones. The client-side components are the Enforcement Client (EC), System Health Agents (SHAs), a client-side API for third-party vendors and the NAP Agent service.
The server-side components are the Enforcement Server (ES), System Health Validators (SHVs), a NAP health policy server (NPS), the NAP Administration Server, health requirement servers and remediation servers.
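The checks an administrator would run to confirm that template permissions, autoenrollment, revocation checking and the NAP DHCP enforcement client described above are actually in effect, as an added PowerShell example that is not from the original page or from Microsoft's documentation. The domain name, template, CA name, certificate file path and the assumption that dsacls.exe is available (it ships with the AD DS role and RSAT) are all illustrative and must be adjusted.

```powershell
# Added example, not part of the original page. Run on a Windows Server 2008
# domain member from an elevated prompt. All names below are assumptions.
$domainDN   = 'DC=contoso,DC=com'
$caConfig   = 'ca01.contoso.com\Contoso Issuing CA'
# The "Workstation Authentication" template is stored under its CN "Workstation".
$templateDN = "CN=Workstation,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$domainDN"
$issuedCert = 'C:\Temp\issued.cer'      # a certificate issued by $caConfig

# 1. Template ACL. Autoenrollment only happens for principals that hold
#    Read + Enroll + Autoenroll on the template; Write or Full Control lets a
#    principal change the template itself and should be limited to PKI admins.
dsacls $templateDN | Select-String -Pattern 'Enroll|Autoenroll|Read|Write|FULL CONTROL'

# 2. Is the template offered by the enterprise CA at all? Permissions on the
#    template are irrelevant if the CA is not configured to issue it.
certutil -config $caConfig -CATemplates

# 3. Is the Auto-Enrollment Group Policy applied to this machine? The policy
#    writes AEPolicy under this key: 7 means enabled with "renew expired/update
#    pending" and "update certificates that use templates" ticked, 0 means off.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -Name AEPolicy

# 4. Trigger autoenrollment now instead of waiting for the next policy refresh,
#    then list machine certificates that carry the v2 template extension
#    (OID 1.3.6.1.4.1.311.21.7), i.e. ones that came from a template.
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } } |
  Format-List Subject, Issuer, NotAfter

# 5. Chain and revocation check. -urlfetch follows the CDP and OCSP URLs in the
#    certificate, so a pass also proves the CRL or Online Responder is reachable;
#    "Revocation check failed" here means clients will fail the same way.
certutil -urlfetch -verify $issuedCert

# --- NAP client side ---------------------------------------------------------
# The NAP Agent service must be running and the DHCP Quarantine Enforcement
# Client (ID 79617) enabled; otherwise the client reports as NAP-incapable and
# NPS policy decides whether it gets full or restricted access.
Set-Service napagent -StartupType Automatic
Start-Service napagent
netsh nap client set enforcement ID=79617 ADMIN=ENABLE
netsh nap client show state          # restriction state plus SHA/EC status
netsh nap client show config
```

Step 5 is the one to run after every CA or Online Responder change: a certificate that chains correctly but whose revocation status cannot be determined is rejected by most Windows components, which shows up as unexplained authentication failures rather than as a PKI error.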

Wednesday, April 3, 2013

Chapter 9 “Securing Data Transmission and Authentication”



Thursday, April 04, 2013

IPsec is a suite of protocols that uses cryptographic algorithms to secure traffic between TCP/IP hosts at the Internet (IP) layer, regardless of the application that generates the data. It can protect three kinds of data transmission: Local Area Network (client/server and peer-to-peer LANs), Wide Area Network (router-to-router and gateway-to-gateway WANs), and remote access (dial-up clients and Internet access from private networks). Both sides need a matching configuration, called an IPsec policy, before two computers can exchange secured data; if the policies do not agree (one side requires an authentication method the other cannot supply, or there is no common algorithm), no security association is negotiated and, depending on the rule's action, traffic is either sent in the clear or dropped. An IPsec policy defines the desired security level (whether protection is requested or required), the authentication method, the integrity (hashing) and encryption algorithms, and the key lengths and lifetimes.

The IP Security Policy Management snap-in offers four choices of what to manage. "Local Computer" manages IPsec policy on the computer running the MMC console. "The Active Directory Domain Of Which This Computer Is A Member" manages policies that apply to the entire local Active Directory domain. "Another Active Directory Domain (Use The Full DNS Name Or IP Address)" manages policies that apply to a remote Active Directory domain. Finally, "Another Computer" manages the local policy store of another computer. IPsec policies are hierarchical: each policy consists of one or more IP Security Rules, each rule applies a single filter action to one or more IP Filter Lists, and each IP Filter List contains one or more IP Filters that match traffic by address, protocol and port.

Windows Server 2008 (and Windows Vista) combined administration of the Windows Firewall with IPsec in a single console, Windows Firewall with Advanced Security, which expresses IPsec as connection security rules and lets you set the default authentication, key exchange and data protection settings that every rule inherits unless it overrides them.
Four pre-configured Connection Security Rule templates come with Windows Server 2008: the Isolation rule (authenticate all traffic, typically by domain membership or health certificate), the Authentication exemption rule (skip authentication for listed hosts such as DHCP, DNS or domain controllers that must be reachable before authentication can succeed), the Server-to-server rule (authenticate traffic between specific endpoints), and the Tunnel rule (gateway-to-gateway tunnel mode). A connection security rule only authenticates and optionally encrypts traffic; it never allows or blocks anything by itself, so a firewall rule is still needed, and that firewall rule can in turn be scoped to allow only connections that have passed IPsec.
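The four rule templates, created with netsh advfirewall and then verified, as an added PowerShell example that is not from the original page or from Microsoft's documentation. The addresses, the CA subject name and the choice of SMB as the protected service are assumptions for illustration; Kerberos computer authentication in the isolation rule assumes all hosts are domain members.

```powershell
# Added example, not part of the original page. Run from an elevated prompt on
# Windows Server 2008. All addresses and names are assumptions.

# Isolation rule: require authentication inbound, request it outbound, so
# domain members use IPsec among themselves but can still reach non-domain
# hosts. Kerberos computer authentication needs no certificates.
netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# Authentication exemption: infrastructure that must be reachable before
# Kerberos can succeed (assumed DC/DNS at 10.0.0.10 and DHCP at 10.0.0.11).
# Without this, domain members cannot even obtain a ticket to authenticate.
netsh advfirewall consec add rule name="Exempt infrastructure" endpoint1=any endpoint2=10.0.0.10,10.0.0.11 action=noauthentication

# Server-to-server: require authentication in both directions between two
# specific hosts, using computer certificates from the assumed internal CA.
netsh advfirewall consec add rule name="SQL to App" endpoint1=10.0.1.20 endpoint2=10.0.1.30 action=requireinrequireout auth1=computercert auth1ca="CN=Contoso Root CA"

# Tunnel rule: gateway-to-gateway tunnel mode protecting the two LANs behind
# the gateways; endpoint1/2 are the protected subnets, the tunnel endpoints
# are the gateways' public addresses (documentation ranges used here).
netsh advfirewall consec add rule name="Site tunnel" mode=tunnel endpoint1=192.168.10.0/24 endpoint2=192.168.20.0/24 localtunnelendpoint=203.0.113.5 remotetunnelendpoint=198.51.100.9 action=requireinrequireout auth1=computercert auth1ca="CN=Contoso Root CA"

# Review what was created, then, after generating some traffic, check the
# negotiated security associations: main mode SAs prove authentication
# succeeded, quick mode SAs prove data is actually being protected. Traffic
# flowing with no SAs listed means the rule is "request" and the peer did not
# negotiate, i.e. the data is going in the clear.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# A connection security rule authenticates but never permits. Pair it with a
# firewall rule that accepts SMB only from peers that passed IPsec.
netsh advfirewall firewall add rule name="SMB in (IPsec only)" dir=in action=allow protocol=TCP localport=445 security=authenticate
```

The mmsa/qmsa checks are the practical test of the "both sides need a matching policy" point in the chapter: a mismatch does not produce an error on either host, it simply produces no security associations.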