212 Chapter 4 Designing Active Directory Administration and Group Policy Strategy

Figure 4-21 Compatible IDs

GUIDs

A GUID defines a device setup class, which the device manufacturer assigns to a device in the device driver package. The device setup class groups devices that are installed and configured in the same way. For example, all CD drives belong to the CDROM device setup class and use the same co-installer. When Windows Server 2008 starts, it builds a tree structure in memory with the GUIDs for all the detected devices. In addition to the GUID for the device setup class of the device itself, Windows Server 2008 might need to insert the GUID for the device setup class of the bus to which the device is attached (for example, USB). When you use device setup classes to control users' installation of device drivers, you must specify the GUIDs for all the device's device setup classes, or you might not achieve the results you want. In addition, GUIDs are held under the HKLM\SYSTEM\CurrentControlSet\Control\Class\{ClassGUID} registry key and are not as easily obtained as hardware IDs. For these reasons, hardware IDs rather than GUIDs are typically used to specify the devices that can or cannot be installed. Figure 4-22 shows a hardware ID list specified for the Allow Installation Of Devices That Match Any Of These Device IDs setting. Keep in mind that a hardware ID is reported by the device itself: these settings restrict which drivers users can install, they do not authenticate the device.

Lesson 2: Designing Enterprise-Level Group Policy Strategy 213

Figure 4-22 Specifying hardware IDs

Exam Tip The most likely scenario to appear in the 70-647 examination is one in which users cannot install devices but administrators can. The settings for this scenario are shown in Figure 4-19. The next most likely scenario is that users can install only allowed devices although administrators can install any device. This requires the settings shown in Figure 4-19 plus enabling the Allow Installation Of Devices That Match Any Of These Device IDs setting and adding hardware IDs as shown in Figure 4-22.
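The following PowerShell is an added example and not part of the training kit. It collects, on the computer being managed, the hardware IDs, compatible IDs and device setup class GUID for each detected device (the values you paste into the device ID and device setup class settings), resolves each class GUID to its class name through the registry key discussed above, and reads back the values that the Device Installation Restrictions ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions once the GPO applies, so you can confirm what the client actually enforces. It uses the Win32_PnPEntity WMI class, which is available on Windows Server 2008; the registry paths and value names are those used by the shipped ADMX files, so check them against your own version if in doubt.

```powershell
# Added example (not from the training kit): enumerate the IDs that the
# Device Installation Restrictions policies match against, and read back the
# policy values a GPO writes on the client.

function Get-DeviceInstallIds {
    # Lists every Plug and Play device with the IDs usable in the
    # "Allow/Prevent installation of devices that match any of these device IDs"
    # and "... device setup classes" policy settings.
    param(
        # Optional wildcard filter on the device name, for example "*CD-ROM*"
        [string]$NameLike = '*'
    )
    $classRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'

    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.Name -like $NameLike } |
        ForEach-Object {
            $guid = $_.ClassGuid
            # Resolve the setup class GUID to its class name via the "Class" value
            # under the class key (for example {4d36e965-e325-11ce-bfc1-08002be10318} -> CDROM)
            $className = $null
            if ($guid -and (Test-Path (Join-Path $classRoot $guid))) {
                $className = (Get-ItemProperty (Join-Path $classRoot $guid)).Class
            }
            New-Object PSObject -Property @{
                Name          = $_.Name
                DeviceId      = $_.DeviceID        # device instance ID
                HardwareIds   = @($_.HardwareID)   # most specific first
                CompatibleIds = @($_.CompatibleID) # most generic last
                ClassGuid     = $guid
                ClassName     = $className
            }
        }
}

function Get-DeviceInstallRestrictionPolicy {
    # Reads the values written by the DeviceInstallation ADMX when the GPO
    # applies, so you can confirm what this computer enforces.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) {
        Write-Warning 'No device installation restriction policy is applied on this computer.'
        return
    }
    $root = Get-ItemProperty $base
    # Each ID list lives in a subkey whose values are named 1, 2, 3, ... and
    # hold one hardware/compatible ID (or one class GUID) each.
    $lists = @{}
    foreach ($sub in 'AllowDeviceIDs', 'DenyDeviceIDs', 'AllowDeviceClasses', 'DenyDeviceClasses') {
        $path = Join-Path $base $sub
        if (Test-Path $path) {
            $lists[$sub] = (Get-ItemProperty $path).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
        }
    }
    New-Object PSObject -Property @{
        AllowAdminInstall  = $root.AllowAdminInstall  # 1 = administrators may override the restrictions
        DenyUnspecified    = $root.DenyUnspecified    # 1 = block devices not described by other settings
        AllowDeviceIDs     = $lists['AllowDeviceIDs']
        DenyDeviceIDs      = $lists['DenyDeviceIDs']
        AllowDeviceClasses = $lists['AllowDeviceClasses']
        DenyDeviceClasses  = $lists['DenyDeviceClasses']
    }
}

# Usage: IDs to paste into the Allow list for optical drives, then the policy
# as applied on this computer.
Get-DeviceInstallIds -NameLike '*CD-ROM*' |
    Format-List Name, HardwareIds, CompatibleIds, ClassGuid, ClassName
Get-DeviceInstallRestrictionPolicy | Format-List
```

Because the policy matches the most specific ID first, compare the HardwareIds output with the DenyDeviceIDs and AllowDeviceIDs lists in that order when a device is unexpectedly blocked or allowed; the class lists apply only when no ID matched, and the bus's class GUID must be in the allow list as well when you allow by class.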
Planning Authentication and Authorization

Authentication involves checking that users are who they say they are. It uses a username and password, or a certificate installed on a smart card. Authorization determines whether a user has access to resources through permissions, or administrative rights through group membership and delegation. Authorization can happen within a domain, across a domain tree, or between forests. It involves the account database (the SAM for local accounts, AD DS for domain accounts), access control lists (ACLs), and protocols such as Kerberos v5.

MORE INFO Kerberos authentication
For more information about Kerberos authentication, see http://technet2.microsoft.com/windowsserver/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?mfr=true. Although this is a Windows Server 2003 article, it is valid for Windows Server 2008 as well.

Multifactor Authentication and Authorization

The network community is always happy to debate when a scenario involves multifactor authentication and when it involves multifactor authorization. Ignore such debates. You have an examination to pass.

Multifactor authentication, as this lesson uses the term, occurs when you must use two or more distinct methods to authenticate an identity. For example, you are logged on to a domain with an administrative-level account. You need to access a standalone Berkeley Internet Name Domain (BIND) server through Remote Desktop. You are asked for credentials. They are the same credentials that you used to log on to the domain, but you need to enter them again. This is multifactor authentication. Be aware that outside the examination the term usually means combining factors of different kinds, such as a smart card (something you have) and its PIN (something you know); re-entering the same password is a second authentication with the same factor.

Multifactor authorization occurs when you need to authenticate two people to accomplish a stated aim (elsewhere this is called dual control or the two-person rule). For example, you need to create a two-way forest trust between the contoso.internal and litware.internal forests. You create one end of the trust logged on to the contoso.internal forest as Kim_Akers.
To create the other end, you need to provide the credentials for Tom_Perry in the litware.internal forest. This is multifactor authorization.

Using Password Authentication

You can authenticate a user through a username and password. Before you plan a password policy, you need to know what the default settings are. Figure 4-23 shows the default settings for the contoso.internal domain.

Figure 4-23 Default password settings

As an experienced administrator, you should be familiar with password settings. However, you might not be aware of the fine-grained password policies in Windows Server 2008. This topic was discussed in the 70-646 TK. If you studied it for that examination, please treat this section as review.

Configuring Fine-Grained Password Policies

As a first step in planning fine-grained password and account lockout policies, decide how many password policies you need. Typically, your policy could include at least 3 but seldom more than 10 Password Settings Objects (PSOs). At a minimum, you would probably want to configure the following:
■ An administrative-level password policy with strict settings: for example, a minimum password length of 12, a maximum password age of 28 days, and password complexity requirements enabled.
■ A user-level password policy with, for example, a minimum password length of 6, a maximum password age of 90 days, and password complexity requirements not enabled.
■ A service account password policy with a minimum password length of 32 characters and complexity requirements enabled. (Service account passwords are seldom typed in.) Because such passwords are long and random, they can typically be set not to expire or to have very long password ages.

The figures above illustrate the structure of a policy set, not recommended values; a six-character password without complexity requirements is weak by any current standard, so align the actual values with your organization's password standard.

You also need to look at your existing group structure. If you have existing Administrators and Users groups, there is no point creating new ones.
Ultimately, you need to define a group and Active Directory structure that maps to your fine-grained password and account lockout policies. You cannot apply PSOs to OUs directly. If your users are organized into OUs, consider creating shadow groups for these OUs and then applying the newly defined fine-grained password and account lockout policies to them. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password and account lockout policy. Add OU users as members to the newly created shadow group and then apply the fine-grained password and account lockout policy to this shadow group. If you move a user from one OU to another, you must update user memberships in the corresponding shadow groups; nothing does this automatically, so plan a scheduled script or a provisioning step that keeps each shadow group equal to the users in its OU.

NOTE Shadow groups
You will not find an Add Shadow Group command in Active Directory Users and Computers. A shadow group is simply an ordinary global security group that contains all the user accounts in one or more OUs. When you apply a PSO to a shadow group, you are effectively applying it to users in the corresponding OU.

Microsoft applies PSOs to groups rather than to OUs because groups offer better flexibility for managing various sets of users. Windows Server 2008 AD DS creates various groups for administrative accounts, including Domain Admins, Enterprise Admins, Schema Admins, Server Operators, and Backup Operators. Domain Admins is a global security group, so you can apply a PSO to it directly. Enterprise Admins and Schema Admins are universal groups, and Server Operators and Backup Operators are built-in domain local groups; PSOs cannot be applied to those, and a global group cannot contain them as members, so create a global security group that holds the same accounts (a shadow group for the administrative accounts) and apply the PSO to that group. Because you use groups rather than OUs, you do not need to modify the OU hierarchy to apply fine-grained passwords. Modifying an OU hierarchy requires detailed planning and increases the risk of errors.

If you intend to use fine-grained passwords, you probably need to raise the functional level of your domain.
To work properly, fine-grained password settings require a domain functional level of Windows Server 2008. Planning domain and forest functional levels is discussed in Chapter 2. Changing functional levels involves irreversible changes. You need to be sure, for example, that you will never want to add a Windows Server 2003 DC to your domain.

By default, only members of the Domain Admins group can create PSOs and apply a PSO to a group or user. You do not, however, need to have permissions on the user object or group object to be able to apply a PSO to it, because the link is stored on the PSO itself (in its msDS-PSOAppliesTo attribute), not on the user or group. You can delegate Read Property permissions on the default security descriptor of a PSO to any other group (such as help desk personnel). This enables users who are not domain administrators to discover the password and account lockout settings applied through a PSO to a security group.

You can apply fine-grained password policies only to user objects and global security groups (or inetOrgPerson objects if they are used instead of user objects). If your plan identifies a group of computers that requires different password settings, consider techniques such as password filters. Fine-grained password policies cannot be applied to computer objects. If you use custom password filters in a domain, fine-grained password policies do not interfere with these filters. If you plan to upgrade Windows 2000 Server or Windows Server 2003 domains that currently deploy custom password filters on DCs, you can continue to use those password filters to enforce additional password restrictions.

If you have assigned a PSO to a global security group, but one user in that group requires special settings, you can assign an exceptional PSO directly to that particular user. For example, the CEO of Northwind Traders is a member of the senior managers group, and company policy requires that senior managers use complex passwords. However, the CEO is not willing to do so.
In this case, you can create an exceptional PSO and apply it directly to the CEO's user account. The exceptional PSO will override the security group PSO when the password settings (msDS-ResultantPSO) for the CEO's user account are determined. The resolution order is fixed: a PSO linked directly to the user wins over any PSO linked to the user's groups, regardless of precedence; among PSOs linked at the same level, the one with the lowest msDS-PasswordSettingsPrecedence value wins; if two share a precedence value, the one with the lowest objectGUID wins; and if no PSO applies, the Default Domain Policy settings are used. (Whether such an exception is wise is another matter: an executive's account is exactly the kind of account an attacker targets.)

Quick Check
■ By default, members of which group can create PSOs?
Quick Check Answer
■ Domain Admins

Finally, you can plan to delegate management of fine-grained passwords. When you have created the necessary PSOs and the global security groups associated with these PSOs, you can delegate management of the security groups to responsible users or user groups. For example, a human resources (HR) group could add user accounts to or remove them from the managers group when staff changes occur. If a PSO specifying fine-grained password policy is associated with the managers group, in effect the HR group is determining to whom these policies are applied.

MORE INFO Fine-grained password and account lockout policy configuration
For more information about fine-grained password and account lockout policies, see http://technet2.microsoft.com/WindowsServer2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx#BKMK_7.

Using Smart Card Authentication

If you are using smart cards in your organization to provide additional security and control over user credentials, your users can use those smart cards with authentication credentials to obtain rights account certificates (RACs) and use licenses from an Active Directory Rights Management Services (AD RMS) server (or more commonly in the enterprise environment, an AD RMS cluster), provided a Secure Sockets Layer (SSL) certificate has already been installed.

MORE INFO AD RMS cluster
For more information about installing an AD RMS cluster, see http://technet2.microsoft.com/windowsserver2008/en/library/a65941cb-02ef-4194-95ce-7fd213b1e48c1033.mspx?mfr=true.
To use smart card authentication, you must also add the Client Certificate Mapping Authentication role service in Server Manager. This is part of the Web Server (IIS) server role. Your next step is to configure the authentication method in IIS. Perform these steps to do so.

1. In Internet Information Services (IIS) Manager, expand the server name in the console tree and, in the results pane of the server Home page, double-click Authentication to open the Authentication page.
2. In the results pane of the Authentication page, right-click Active Directory Client Certificate Authentication, and then choose Enable.
3. Enable client authentication for the Web site that is hosting AD RMS. In IIS Manager, expand the server name in the console tree, expand Sites, and then expand the Web site that is hosting AD RMS. By default, the Web site name is Default Web Site.
4. In the console tree, expand _wmcs, right-click either the certification virtual directory (to support RACs) or the licensing virtual directory (to support use licenses), and then choose Switch To Content View.
5. In the results pane, right-click certification.asmx or license.asmx as appropriate, and then choose Switch To Features View.
6. In the results pane on the Home page, double-click SSL Settings, and choose the appropriate client certificates setting (Accept or Require). Accept client certificates if you want clients to have the option to supply authentication credentials by using either a smart card certificate or a username and password. Require client certificates if you want only clients with client-side certificates such as smart cards to be able to connect to the service.
7. Click Apply. If you want to use client authentication for both certification and licensing, repeat this procedure but select the alternate virtual directory the second time.
8. Close IIS Manager.
If you are using an AD RMS cluster, repeat the procedure for every other server in the cluster.

Your next task is to force the authentication method to use Client Certificate Mapping Authentication for the AD RMS cluster. Before you do that, back up the applicationhost.config file in the %windir%\system32\inetsrv\config folder.

1. Open an elevated command prompt, and change the directory to %windir%\system32\inetsrv\config.
2. Enter notepad applicationhost.config and locate the <location> section whose path is Default Web Site/_wmcs/certification/certification.asmx (or .../licensing/license.asmx for use licenses).
3. If you want to allow smart card authentication in addition to Windows authentication, change:
   <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
   to:
   <access sslFlags="Ssl, SslNegotiateCert, Ssl128" />
   so that a client certificate is negotiated but not required, and then add a new line under <windowsAuthentication enabled="true" />:
   <clientCertificateMappingAuthentication enabled="true" />
4. If you want to allow only smart card authentication, leave SslRequireCert in sslFlags so that SSL client authentication with IIS is required, add the same line under <windowsAuthentication enabled="true" />:
   <clientCertificateMappingAuthentication enabled="true" />
   and then change:
   <windowsAuthentication enabled="true" />
   to:
   <windowsAuthentication enabled="false" />
   so that no username and password fallback remains.
5. Click File, choose Save, and then close Notepad.
6. In the command prompt window, enter iisreset. Note that running iisreset from a command prompt restarts the services associated with IIS, which interrupts every site on the server.

Again, if you are using an AD RMS cluster, you repeat the procedure for every other server in the cluster. After you have configured these settings, a user who attempts to open rights-protected content published by the AD RMS server or cluster is prompted to provide authentication credentials before the server or cluster provides the user with an RAC or use license.
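The following PowerShell is an added example and not part of the training kit. It performs the same applicationhost.config change as the procedure above through the WebAdministration module, so it can be run identically on every server in a cluster, and then reads back what IIS will enforce for the location. The module ships with Windows Server 2008 R2 and later; on Windows Server 2008 RTM the same section names work with appcmd.exe and /commit:apphost. The site name, pipeline names and file names are the defaults named in the procedure; the backup file name is this example's own choice.

```powershell
# Added example (not from the training kit): the applicationhost.config edit
# from the procedure above, done with the WebAdministration module.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'   # commit to applicationHost.config, where these sections are writable

function Get-AdRmsPipelineLocation {
    # Builds the <location path="..."> that the procedure tells you to find in Notepad.
    param([string]$Site, [ValidateSet('certification', 'licensing')][string]$Pipeline)
    $page = if ($Pipeline -eq 'certification') { 'certification.asmx' } else { 'license.asmx' }
    "$Site/_wmcs/$Pipeline/$page"
}

function Set-AdRmsSmartCardAuth {
    param(
        [string]$Site = 'Default Web Site',
        [ValidateSet('certification', 'licensing')][string]$Pipeline = 'certification',
        # Present: smart cards only; absent: smart card or username/password
        [switch]$SmartCardOnly
    )
    $location = Get-AdRmsPipelineLocation -Site $Site -Pipeline $Pipeline

    # Back up applicationHost.config before touching it, as the procedure recommends.
    $cfg = Join-Path $env:windir 'system32\inetsrv\config\applicationHost.config'
    Copy-Item $cfg ("$cfg." + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak')

    # SslRequireCert is the difference between Require and Accept on the SSL Settings page.
    $sslFlags = if ($SmartCardOnly) { 'Ssl,SslNegotiateCert,SslRequireCert,Ssl128' }
                else                { 'Ssl,SslNegotiateCert,Ssl128' }
    Set-WebConfigurationProperty -PSPath $AppHost -Location $location `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value $sslFlags

    # Active Directory Client Certificate Authentication maps the presented
    # certificate to the AD account (the Client Certificate Mapping Authentication role service).
    Set-WebConfigurationProperty -PSPath $AppHost -Location $location `
        -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
        -Name enabled -Value $true

    # Smart card only: turn Windows authentication off so that no password fallback remains.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name enabled -Value (-not $SmartCardOnly)
}

function Get-AdRmsSmartCardAuth {
    # Reads back what IIS enforces for the location; run it on every cluster member.
    param([string]$Site = 'Default Web Site',
          [ValidateSet('certification', 'licensing')][string]$Pipeline = 'certification')
    $location = Get-AdRmsPipelineLocation -Site $Site -Pipeline $Pipeline
    $read = {
        param($Filter, $Name)
        $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $location -Filter $Filter -Name $Name
        # Boolean attributes come back wrapped in a ConfigurationAttribute; unwrap them.
        if ($v -ne $null -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
    }
    New-Object PSObject -Property @{
        Location          = $location
        SslFlags          = & $read 'system.webServer/security/access' 'sslFlags'
        ClientCertMapping = & $read 'system.webServer/security/authentication/clientCertificateMappingAuthentication' 'enabled'
        WindowsAuth       = & $read 'system.webServer/security/authentication/windowsAuthentication' 'enabled'
    }
}

# Usage: smart cards only on the certification pipeline, verify, then restart IIS
# (iisreset interrupts every site on the server, so schedule it).
Set-AdRmsSmartCardAuth -Pipeline certification -SmartCardOnly
Get-AdRmsSmartCardAuth -Pipeline certification | Format-List
iisreset
```

Run Set-AdRmsSmartCardAuth a second time with -Pipeline licensing if use licenses should also require smart cards, and compare the Get-AdRmsSmartCardAuth output from each cluster member: a member left with WindowsAuth set to True is a password fallback that the rest of the cluster no longer offers.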
PRACTICE Implementing Fine-Grained Password Policies

To complete this practice, the domain functional level of the contoso.internal domain must be set to Windows Server 2008. If you are unsure how to do this, consult the Windows Server 2008 Help files.

Exercise Create a PSO

In this exercise, you will create a PSO with password policies that are not the same as the default password policies for the contoso.internal domain. You associate this with a global security group called special_password that contains the user Don_Hall. Do not attempt this practice until you have raised the domain functional level of the contoso.internal domain to Windows Server 2008. If you created a PSO while studying the 70-646 training kit, create another one but change some of the settings.

1. Log on to the Glasgow DC with the Kim_Akers account.
2. If necessary, create a user account for Don_Hall with a password of P@ssw0rd. Create a global security group called special_password. Make Don_Hall a member of special_password. If you are unsure how to do this, consult the Windows Server 2008 Help files.
3. In the Run box, type adsiedit.msc.
4. If this is the first time you have used the ADSI Edit console on your test network, right-click ADSI Edit, and then choose Connect To. Type contoso.internal in the Name box, and then click OK.
5. Double-click contoso.internal.
6. Double-click DC=contoso,DC=internal.
7. Double-click CN=System.
8. Right-click CN=Password Settings Container. Choose New, and then choose Object, as shown in Figure 4-24.

Figure 4-24 Creating a password settings object

9. In the Create Object dialog box, ensure that msDS-PasswordSettings is selected. Click Next.
10. In the Value box for the CN attribute, type PasswdSettings01. Click Next.
11. In the Value box for the msDS-PasswordSettingsPrecedence attribute, type 10. Click Next. (When more than one PSO applies to a user through group membership, the lowest precedence value wins.)
12. In the Value box for the msDS-PasswordReversibleEncryptionEnabled attribute, type FALSE. Click Next.
13. In the Value box for the msDS-PasswordHistoryLength attribute, type 6. Click Next.
14. In the Value box for the msDS-PasswordComplexityEnabled attribute, type TRUE. Click Next.
15. In the Value box for the msDS-MinimumPasswordLength attribute, type 6. Click Next.
16. In the Value box for the msDS-MinimumPasswordAge attribute, type 1:00:00:00 (the format is days:hours:minutes:seconds). Click Next.
17. In the Value box for the msDS-MaximumPasswordAge attribute, type 20:00:00:00. Click Next.
18. In the Value box for the msDS-LockoutThreshold attribute, type 2. Click Next.
19. In the Value box for the msDS-LockoutObservationWindow attribute, type 0:00:15:00. Click Next.
20. In the Value box for the msDS-LockoutDuration attribute, type 0:00:15:00. Click Next.
21. Click Finish.
22. Open Active Directory Users And Computers, choose View, and then choose Advanced Features.
23. Expand contoso.internal, expand System, and then select Password Settings Container.
24. In the details pane, right-click PasswdSettings01 (the PSO you created in step 10; the figures show a PSO named PSO1). Choose Properties.
25. On the Attribute Editor tab, select msDS-PSOAppliesTo, as shown in Figure 4-25.

Figure 4-25 Selecting an attribute to edit

26. Click Edit.
27. Click Add Windows Account.
28. Type special_password in the Enter The Object Names To Select box. Click Check Names.
29. Click OK. The Multi-Valued Distinguished Name With Security Principal Editor dialog box should look similar to Figure 4-26.

Figure 4-26 Adding the special_password global security group to PSO1

[...]
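The following PowerShell is an added example and not part of the training kit. It does what the practice above does by hand (the PSO with the same values, linked to special_password) with the Active Directory module, which is available on Windows Server 2008 R2 and later and through RSAT; Windows Server 2008 RTM has no such module, which is why the practice uses ADSI Edit. It also covers two points from the lesson that the practice leaves out: keeping a shadow group equal to the users in its OU, and delegating read access to the PSO and membership management of the group. It finishes with the resultant PSO for Don_Hall. The OU name, the NetBIOS domain name CONTOSO, and the HelpDesk and HR groups are assumptions; the OU is assumed to contain Don_Hall, because the synchronization makes the group equal to the OU and would otherwise remove him.

```powershell
# Added example (not from the training kit): the practice above with the
# Active Directory module, plus shadow-group sync, delegation and verification.
Import-Module ActiveDirectory

$ShadowGroup = 'special_password'
$ShadowOu    = 'OU=SpecialUsers,DC=contoso,DC=internal'   # assumed OU, taken to contain Don_Hall
$PsoName     = 'PasswdSettings01'

function Sync-ShadowGroup {
    # Make the group's membership equal to the user objects in the OU subtree.
    # Run it on a schedule: moving a user between OUs does not touch groups.
    param([string]$Group, [string]$OuDn)
    $wanted  = @(Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * |
                 ForEach-Object { $_.DistinguishedName })
    $current = @(Get-ADGroupMember -Identity $Group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 ForEach-Object { $_.distinguishedName })
    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }
    New-Object PSObject -Property @{ Added = $toAdd.Count; Removed = $toRemove.Count }
}

function New-PracticePso {
    # Steps 9-21 of the practice. PSOs require the Windows Server 2008 domain functional level.
    param([string]$Name, [string]$Group)
    $mode = (Get-ADDomain).DomainMode
    if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
        throw "Domain functional level is $mode; raise it to Windows Server 2008 first."
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
            -ReversibleEncryptionEnabled $false -PasswordHistoryCount 6 `
            -ComplexityEnabled $true -MinPasswordLength 6 `
            -MinPasswordAge ([TimeSpan]'1.00:00:00') -MaxPasswordAge ([TimeSpan]'20.00:00:00') `
            -LockoutThreshold 2 -LockoutObservationWindow ([TimeSpan]'0.00:15:00') `
            -LockoutDuration ([TimeSpan]'0.00:15:00')
    }
    # Steps 24-29: link the PSO to the global security group (msDS-PSOAppliesTo).
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Grant-PsoDelegation {
    # Help desk may read the PSO's settings; HR may change who is in the shadow
    # group, which in effect decides to whom the PSO applies. dsacls.exe syntax:
    # /G trustee:permissions[;attribute]   (RP = read property, WP = write property)
    param([string]$PsoName, [string]$Group)
    $psoDn   = (Get-ADFineGrainedPasswordPolicy -Identity $PsoName).DistinguishedName
    $groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
    & dsacls.exe $psoDn   /G 'CONTOSO\HelpDesk:RP'    # assumed group
    & dsacls.exe $groupDn /G 'CONTOSO\HR:WP;member'   # assumed group
}

function Test-PsoPrecedenceConflicts {
    # Equal precedence is broken by the lowest objectGUID, which nobody chose
    # deliberately, so report any PSOs that share a precedence value.
    Get-ADFineGrainedPasswordPolicy -Filter * | Group-Object Precedence |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { "Precedence $($_.Name) shared by: " + (($_.Group | ForEach-Object { $_.Name }) -join ', ') }
}

# Usage
Sync-ShadowGroup -Group $ShadowGroup -OuDn $ShadowOu
New-PracticePso -Name $PsoName -Group $ShadowGroup
Grant-PsoDelegation -PsoName $PsoName -Group $ShadowGroup
Test-PsoPrecedenceConflicts
# Resultant policy for Don_Hall; empty output means only the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity Don_Hall |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy is the check to run after any change to group membership or precedence: it applies the same resolution order the lesson describes (user-linked PSO, then group-linked PSO by lowest precedence, then lowest objectGUID, then the domain default), so it shows what the user will actually be held to rather than what you intended.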
authentication

NOTE MS-CHAP and SPAP support in Windows Server 2008
At the time of writing this book for the release to manufacturing of Windows Server 2008, MS-CHAP (also known as MS-CHAP v1) and SPAP were still included in the NPS and Routing and Remote Access Microsoft Management Consoles (MMCs), although EAP-MD5 is not available. Documentation at http://technet.microsoft.com/en-us/library/bb726965.aspx#ECAA ... 2008, EAP-MD5, MS-CHAP, and SPAP are no longer available as choices.

From a security perspective, do not choose Password Authentication Protocol (PAP) or MS-CHAP unless necessary to support an incompatible client. MS-CHAP v2 should be used only when strong passwords are enforced and, wherever possible, only inside a PEAP tunnel, because MS-CHAP v2 on its own is open to offline attack on the captured exchange. Among the supported EAP types, EAP-TLS and PEAP-TLS use certificate-based authentication. PEAP supports two EAP types, PEAP-TLS ... Configuration Wizard. Microsoft refers to this technique for securing ports and services as role-based security policies. You can find more information about using this wizard to configure role-based security settings for an NPS server at http://technet2.microsoft.com/windowsserver2008/en/library/52a98d8a-8823-498c-9be3-3637186e50e61033.mspx?mfr=true.

MORE INFO Manually configuring Windows Firewall
To learn more ... following link to download an entire document devoted to this topic: http://www.microsoft.com/downloads/details.aspx?FamilyId=DF192E1B-A92A-4075-9F69-C12B7C54B52B&displaylang=en

Centralized Management of VPN Access

Clients accessing resources through VPN servers that are centrally located can still access resources anywhere within the enterprise. Because a VPN connection to a VPN client essentially is offering ...
RADIUS infrastructure to the back-end user database, an enterprise administrator must carefully plot the location of each of these services. Figure 5-5 displays a real RADIUS design from a high-level overview. From this overall design, you can see that RADIUS can support authentication for a variety of services and a variety of access clients and access servers. Users of Web-based applications from either ... requires NAT Traversal (NAT-T) to pass through a NAT. This means that an extra UDP port, UDP 4500, must be open on the

Lesson 1: Perimeter Networks and Remote Access Strategies 241

firewall (in addition to UDP 500 for IKE; once NAT-T is negotiated, the ESP traffic is carried inside UDP 4500 as well). The clients connecting to a VPN server behind a firewall using L2TP must also support NAT-T. L2TP requires the filters in Table 5-2 for the perimeter firewall's Internet interface.

Table 5-2 L2TP Filters on Firewall ... Extensible Authentication Protocol (EAP) types, Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), and Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) for user authentication, as well as the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) v2 authentication method.

242 Chapter 5 Designing a Network Access Strategy

There are some drawbacks to using SSTP ... 2008 provides support for quite a few authentication protocols. The list now includes:
■ PAP
■ MS-CHAP
■ MS-CHAP v2
■ PEAP-MSCHAP v2/EAP-MSCHAP v2
■ EAP-TLS
■ PEAP-TLS
The list has dwindled a little because support for Shiva Password Authentication Protocol (SPAP) and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) has been removed from Windows Server 2008 and Windows Vista VPNs as client choices ...
balancing. Figure 5-3 displays some of the roles that ISA Server can play when deployed in the perimeter network.

Figure 5-3 ISA Server deployed in a back-to-back design (diagram: Internet, border network, external ISA Server firewall, perimeter network, internal ISA Server firewall, internal network)

ISA Server 2004 and ISA Server 2006 support Network Access Quarantine Control as a complementary service to Microsoft Windows ... service separating the internal user network from the server farms.

Figure 5-1 displays the typical architecture of the three-zone network environment, using two firewall services.

Figure 5-1 Perimeter network design employing two firewall devices (diagram: Internet, border network, perimeter firewall, perimeter network, internal firewall, internal network)

If the perimeter ...