Sunday, January 8, 2012

Configuring Network Access Protection (NAP)


How do you protect yourself from computers that do not meet your health requirements on your network?

Network Access Protection (NAP) with Windows Server 2008:

  • A feature of Windows Server 2008 that enforces health-requirement policies on client computers running:
    • Windows XP (SP3)
    • Vista
    • Windows 7
    • Windows Server 2008
    • Windows Server 2008 R2
  • Ensures client computers are compliant with policies such as anti-virus and security policies on a granular level, based on who the client is and the group to which the client belongs.
  • Remediation servers can offer support for computers not meeting health requirements, automatically bring the client back into compliance, and dynamically increase its level of network access.
  • You are able to integrate NAP’s features with software from other vendors or with custom programs.
  • You can customize your health enforcement solutions. NAP includes an application programming interface (API) for developers and vendors that allows them to create customized solutions for health-requirements, network-access, and ongoing compliance.

Monday, December 19, 2011

About Network Policy Server Role Service


Installing and Configuring a Network Policy Server
The Network Policy Server (NPS) role in Windows Server 2008 replaces the Internet Authentication Service (IAS). Windows Server 2008 R2 can authenticate clients using Network Policy Server (NPS). NPS provides an additional layer of security for your network.

  • NPS provides support for the Remote Authentication Dial-In User Service (RADIUS) protocol and can be configured as a RADIUS server or proxy.
  • NPS also provides functionality that is essential for implementation of Network Access Protection (NAP).
  • NPS is used for enforcement for:

Wednesday, December 14, 2011

About Routing and Remote Access in Server 2008

Components of a Network Access Services Infrastructure

In Windows Server 2008, Network Access Service includes the following:

  • VPN Server
  • Active Directory Domain Services (AD DS)
  • IEEE 802.1X Devices – Provide port-based authentication of users
  • Dynamic Host Configuration Protocol (DHCP) Server – Responsible for leasing IP addresses
  • NAP Health Policy Server – Provides authentication services for other network access components
  • Health Registration Authority – Obtains health certificates for clients passing the health policy verification
  • Remediation Servers – A new server for Windows Server 2008 on a limited network, designed to treat machines that do not have the latest antivirus or Windows updates, by pushing the updates down to the NAP client sitting in the restricted network before the client accesses the main network

Friday, December 2, 2011

About IPv6 TCP/IP and Windows Server 2008

Overview
Web Running Out of Addresses

In the mid 1990s, we started to run into an ever shrinking pool of IPv4 addresses. According to the Wall Street Journal, February 1, 2011, was the week the last batch of Internet addresses was doled out.

Because of the growing proliferation of network devices and the expanding Internet, Internet Protocol version 6 (IPv6) is built into Windows Server 2008. IPv6 is a new suite of protocols developed to meet growing Internet client needs. The scalability of IPv4 will no longer meet the challenges ahead.

Tuesday, November 15, 2011

Configuring and Troubleshooting DHCP

Overview of the DHCP Server Role
One of the major problems in networks, when the move was made to the TCP/IP protocol, was getting the IP address entered on each machine.

The solution is DHCP (Dynamic Host Configuration Protocol). The DHCP server maintains a pool of IP addresses and leases out an IP address for a period of time to DHCP-enabled host machines on the network. DHCP provides the IP address along with the subnet mask and default gateway (router). The IP addresses are returned to the pool to be reallocated when they are no longer in use. DHCP waits for the client to request an IP address using network broadcasts.

Wednesday, November 9, 2011

WINS and Server 2008

Overview of the Windows Internet Name Service 

WINS is a NetBIOS Name Server (NBNS). Windows hosts support two types of names, host names and NetBIOS names. 


In a Windows OS, network services can be requested using Windows Sockets, Winsock Kernel, or NetBIOS. If Windows Sockets or Winsock Kernel is requested, the host name is used. Windows Sockets is used to access network services in many applications. The newer applications that were designed for Windows 7 and Windows Server 2008 R2 use Winsock Kernel.  If NetBIOS is used, the application uses a NetBIOS name.

Thursday, November 3, 2011

Troubleshooting tips for DNS

Time to Live, Aging, and Scavenging

| Feature | Description |
| --- | --- |
| Time to Live (TTL) | How long a DNS record will be valid |
| Aging | When records inserted into the DNS server reach expiration and are removed |
| Scavenging | Remove old DNS records |

Time to Live – TTL depends on the type of DNS record. MX records have a longer TTL than a host A record, for example. The TTL can be modified.
Resource Record Types
Aging – DNS record removal helps keep DNS accurate and reduces disk space usage.
Scavenging – If DNS records have not been aged, we can force a database cleanup by removing stale records. This can be done by scavenging DNS records. Stale resource records can slow down DNS lookups and cause errors.

Wednesday, October 26, 2011

Tips on How to Configure DNS Zones


DNS zones allow domains to be logically configured and managed in a structured way. A zone hosts all of a domain or parts of a domain and its subdomains.

Take, for example, pcrepairnorthshore.com. Imagine pcrepairnorthshore.com is divided into two zones. The first zone hosts www.pcrepairnorthshore.com and ftp.pcrepairnorthshore.com. Let’s pretend we have a site called offsite.pcrepairnorthshore.com. We delegate it to a new zone that hosts offsite.pcrepairnorthshore.com and its subdomains ftp.offsite.pcrepairnorthshore.com and www.offsite.pcrepairnorthshore.com.

Wednesday, October 19, 2011

Configure the DNS Server Role

Components of a DNS Solution
  • DNS Clients. Windows, Unix, Linux, and Mac operating systems. Windows systems also maintain a local DNS Resolver cache.
  • DNS Servers. Host a distributed hierarchical database of resource records stored by the DNS zone and include:

Friday, October 14, 2011

Installing a DNS Server Role in Windows Server 2008


DNS recognizes computers by alphanumeric names and translates the names to the numerical IP addresses recognized by computers and networking equipment. DNS resolves the computer names to the IP addresses.
DNS is installed as a role in Windows Server 2008. It can be installed with Server Manager and with the DNS Server command from the command prompt. The preferred way is to install the DNS Server Role when Active Directory Domain Services is installed, if you want to integrate the DNS domain namespace with the AD DS domain namespace. In addition, Server Core can act as a DNS Server.

Sunday, October 9, 2011

Overview of Server Roles and Features in Windows Server 2008

Server Roles describe the primary functions of a server in Windows Server 2008. On a server, there can be one or more server roles. For example, you can have a DNS server or a Web server, or a server comprising multiple roles.


Sunday, October 2, 2011

Installing Windows Server 2008

Installing Windows Server 2008 is different from previous installs of Windows Server platforms. There is no text-based phase. The installation is now done in a GUI and the install process is very similar to Windows Vista.

Windows Server 2008 Editions

| Edition | Server Core |
| --- | --- |
| Windows Server 2008 Standard (small offices or workgroups) | Yes |
| Windows Server 2008 Enterprise (greater scalability, failover clustering, AD Fed Services) | Yes |
| Windows Server 2008 DataCenter (larger orgs and server consolidation projects, greater memory and processing power, unlimited virtual image use rights) | Yes |
| Windows Web Server 2008 (standalone server for IIS) | No |
| Windows Server 2008 for Itanium-based Systems (highest level of performance and scalability, leading rival platform for RISC-based UNIX servers, requires Intel Itanium CPU) | No |

Saturday, October 1, 2011

The Precision Guide to Windows Server 2008 Active Directory Configuration Review

Kurt Dillard's Study Guide for the 70-640 Exam helped me to pass and obtain the Microsoft MCTS Active Directory 2008, Configuring certification. After studying several Microsoft reference materials and practice tests, and still having trouble in a couple of areas, I picked up Kurt's Study Guide. Kurt explains the relevant facts to focus on for the certification test and presents it in a simple to understand format. At the end of each chapter, Kurt has questions and answers for you to check your comprehension. This is a great value and will surely help you to achieve your next certification! I look forward to referencing Kurt's other study guides.

Monday, September 26, 2011

Disk Management for Windows 7


Partitioning Disks
Master Boot Record (MBR) Disk:
  • Contains the partition table for the disk and a small amount of executable code called the master boot code.
  • The computer BIOS examines the MBR to determine which partition on the disk is marked as active and returns the information so you can boot up.
  • 2 terabyte (TB) limit.
  • You can have four partitions for each hard drive. The boot.ini contains the list of operating systems and points to the one you want to boot (‘multi-boot’ systems). Virtualization does away with the need for ‘multi-boot’.
  • Active partition contains the OS startup files.

Wednesday, September 21, 2011

Prepare to Install Windows 7

Editions
Windows 7 Starter – System Builders Only, 32-bit only, 2GB only

Windows 7 Home Basic/Value Edition - Emerging Markets, 32-bit, 64-bit, 4GB, 8GB


Windows 7 Home Premium (Aero) multi-media - Retail, System Builders, 32-bit, 64-bit, 4GB, 8GB


Windows 7 Professional – Business edition for small, lower mid-market, 32-bit, 64-bit, 4GB, 192 GB

Windows 7 Enterprise – Business edition for large enterprises, volume licensing, 32-bit, 64-bit, 4GB, 192 GB

Windows 7 Ultimate – Retail + System Builders, All features, 32-bit, 64-bit, 4GB, 192 GB 

Windows 7 N Editions* (as above but without Media Player) - European Union Only, 32-bit, 64-bit, 4GB, 16GB, 192 GB
*Windows N Editions include Windows 7 Home Premium N, Professional N, and Ultimate N