Chapter 11 “Maintaining Windows Server 2008 File Services”

Thursday, April 18, 2013

Shadow Copies of Share Folders is a very useful tool that creates point in time copies of the files that you have stored on a Windows Server 2003 or Windows Server 2008 file share.  Users can have access to previous versions of the files they are working on without needing administrator intervention.  Some of the ways that Shadow Copies can be useful are recovering files that were accidentally deleted, recovering files that were accidentally overwritten, and comparing previous versions of a file to the current version and if necessary retrieving the previous version.  The File Server Resource Manager (FSRM) is an additional role service that is available when you install the File Services server role.  This role service was first introduced in Server 2003 R2 and provides tools that help administrators monitor and regulate their server storage.  Some of the tasks that FRSM can perform are establishing quotas that limit the amount of storage space that each user is allowed, create screens that prevent users from storing specific types of files on server drives, create templates that simplify the process of applying quotas and screens, automatically send email to users or administrators when quotas are exceeded or nearly exceeded, and generate reports detailing the storage activities of users.  There are two types of quotas that can be configured, hard quotas and soft quotas.  Hard quotas are strict limits; a user cannot store data to a server drive beyond the hard limit set in the quota without first removing data to create the space needed.  A soft quota has a more relaxed limit, the user may be able to store data but will receive emails that tell him or her that the quota limit has been reached and action is required.  One of the most important duties of an administrator is performing backups of all the critical data on the server.  Windows Server Backup must be installed in order to back up the data and operating system on your server.  You will also need to install Windows PowerShell if you intend to do the backups from the command line.  There are two types of backups, manual and scheduled.  Either the Administrators group or the Backup Operators group can start a manual backup by using Server Backup or the Wbadmin.exe from the command line.  Scheduled backups can be performed by the local administrators group using Server backup or the Wbadmin.exe command.  They must be performed on a local physical drive that has no critical data on it because they will reformat the drive.

Chapter 10 “Maintaining Network Health”

Thursday, April 11, 2013

There are two different types of Certificate Authority (CA) computers that can be deployed using a Windows based Public Key Infrastructure (PKI).  A standalone CA is not used with Active Directory and requires an administrator to respond to certificate requests.  A standalone CA can be both a root and a subordinate CA in any PKI.  In a standalone environment the root CA can be taken offline for added security.  An enterprise CA works with Active Directory and can be both the root and subordinate CA.  Enterprise CAs can use certificate templates to allow auto enrollment of digital certificates, as well as storing certificates themselves within the Active Directory database.  With Windows Server 2008 you can configure Online Responders to make revocation information available for other CAs.  Using Active Directory in the Windows Server 2008 environment you can automate the distribution of certificates by using features like certificate templates using Full Control Access Control Lists (ACL), Read ACLs, Write ACLs, Enroll ACLs, and Autoenroll ACLs.  You can also use Group Policy to enroll certificates automatically or to not enroll certificates automatically.  In a non-Active Directory environment clients can enroll manually using either the Certificate Request Wizard or the Certification Authority Web Enrollment.  When using Network Access Protection (NAP) there are a number of built-in enforcement methods, for example, DHCP enforcement, IPSec enforcement, VPN enforcement, 802.1X enforcement, and Terminal Services Gateway enforcement.  In the lab for this class we used DHCP enforcement which will provide a DHCP configuration to the client that will limit access to the network until the issues are resolved.  The client side components include the Enforcement Client (EC), System Health Agents (SHA), Client-side API for third party vendors, and the NAP agent.  NAP Server-side components include the Enforcement Server (ES), System Health Validators (SHV), a NAP health policy server, a NAP administrator server, a Health requirement server, and a Remediation server.

Chapter 9 “Securing Data Transmission and Authentication”

Thursday, April 04, 2013

IPSec is a suite of protocols that provide a series of cryptographic algorithms that can be used to provide security for all TCP/IP hosts at the Internet layer, regardless of the application that is used for data transmission.  There are three scenarios that IPSec can use to protect data transmissions, a Local Area Network (Client/Server and peer-to-peer LANs), Wide Area Network (Router-to-Router and Gateway-to-Gateway WANs), and Remote Access (Dial-up clients and Internet access from private networks).  Both sides require a shared configuration (called an IPSec policy) to establish security settings that will enable two computers to transmit secured data between them.  IPSec policies are security rules that define the desired security level, hashing algorithms, and length of the key.  There are four options for managing IPSec policies.  The “Local Computer” option is used to manage IP Security on the computer that is running the MMC IPSec console.  The “Active Directory Domain Of Which This Computer Is A Member” option is used when you want to manage policies that apply to the entire local Active Directory domain.  The “Another Active Directory Domain (Use The Full DNS Name Of IP Address)” option is used when you want to manage policies that apply to a remote Active Directory domain.  Finally, the “Another Computer” option is used to manage policies stored locally on another computer.  IPSec policies are organized in a hierarchical form starting with each policy consisting of one or more IP Security Rules, each IP Security Rule includes a single IP Security action that is applied to one or more IP Filter Lists, and each IP Filter List contains one or more IP Filters.  Windows Server 2008 was the driving force behind combining administration of the Windows Firewall with IPSec policies to streamline network administration.  Windows Firewall With Advanced Security allows the configuration of many default settings for IPSec rules that can be configured.  There are four pre-configured Connection Security Rule templates that come with Windows Server 2008, the Isolation rule, the Authentication exemption rule, the Server-to-server rule, and the Tunnel rule.

Chapter 8 “Maintaining and Updating Windows Server 2008”

Thursday, March 21, 2013

Monitoring a Windows Server 2008 network can be accomplished with the use of three tools that give you the ability to proactively troubleshoot network problems, the Reliability and Performance Monitor, Windows Server 2008 Event Viewer, and Network Monitor.  The Reliability and Performance Monitor allows you to collect real time information on your local computer or from a specific computer that you have the proper permissions to access.  There are three types of information that can be monitored to judge the performance of a Windows Server 2008 computer.  Performance counters, specific processes or events that you want to track, event trace data, data that is collected over time to provide a real-time view into the behavior and performance of the server operating systems and applications running on it, and configuration information, using the Reliability and Performance monitor to query the Windows Registry for specific configuration data to determine how a server is configured and whether changes to that configuration are affecting performance.  The Event Viewer shows logs for informational messages as well as error messages.  Some of the logs that can be viewed in Event Viewer are Windows logs which include application logs, security logs, setup logs, system logs, and forwarded events.  It is important to monitor for events that can give you information about the overall health of the system.  The Network Monitor is not included with Windows Server 2008 but you can download and install the latest version from the Microsoft Web site.  Network monitor can isolate and view the network traffic that is being sent to or from the server. It can tell you if a client application is failing or if a malicious user or virus is attempting to access the computer over the network.  Finally, Windows Server Update Services (WSUS)  is a Web based tool that Microsoft offers as a free download for managing and distributing software updates that resolve known security issues or otherwise improve performance of Windows XP, Vista, 7, Server 2003, and Server 2008 operating systems.  Using WSUS gives you the ability to download and test updates before they are installed on all computers throughout your organization and then release the approved updates to be automatically installed on all client machines.

Chapter 7 “Configuring Print Services”

Thursday, March 14, 2013

The four components involved in the printing process using Microsoft Windows are the Print Device, the Printer, the Print Server, and the Printer Driver.  A print device is the actual hardware that produces the hard copy documents on paper or other printable material.  The printer is the software interface that the computer uses to communicate with the print device.  A print server is a computer or other standalone device that receives print jobs from clients and sends them to print devices.  The printer driver is a device driver that converts the print job generated by applications into an appropriate string of commands for a specific print device.  Print devices can be locally attached to a computer and used on that computer only or shared by that computer over a network.  They can also be attached directly to the network and made available to all computers throughout the entire network.  Printer security is somewhat like folder share security, clients must have the correct permissions in order to access the shared print device.  The standard print permissions are print, manage printers, and manage documents.  The print permission allows users to print documents, pause, resume, restart, and cancel the user’s own documents.  Manage printers allows a user to cancel all documents, share a printer, change printer properties, delete a printer, and change printer permissions.  Manage documents allows a user to pause, resume, restart, and cancel all user’s documents as well as control job settings for all documents.  Installing the print services role and using the print management console provides additional administrative tools that can consolidate the controls for the printing components throughout the entire enterprise into a single console.  You can access print queues and properties sheets for all of the networked printers, deploy printers to client computers using group policy, and create custom views that simplify the process of detecting print devices that need attention.