Archive for the ‘Server’ Category

Smart card logon is supported for Windows 2000 and Windows Server 2003. To implement smart cards, you must deploy an enterprise certification authority rather than a stand-alone or third-party certification authority to support smart card logon to Windows Server 2003 domains. Windows Server 2003 supports industry standard Personal Computer/Smart Card (PC/SC)–compliant smart cards and readers and provides drivers for commercially available plug and play smart card readers. Windows Server 2003 does not support non-PC/SC-compliant or non–plug and play smart card readers. Some manufacturers might provide drivers for non–plug and play smart card readers that work with Windows Server 2003; however, it is recommended that you purchase only plug and play PC/SC-compliant smart card readers.

The cost of administering a smart card program depends on several factors, including:

■ The number of users enrolled in the smart card program and their location.

■ Your organization’s practices for issuing smart cards to users, including the requirements for verifying user identities. For example, will you require users to simply present a valid personal identification card or will you require a background investigation? Your policies affect the level of security provided as well as the actual cost.

■ Your organization’s practices for users who lose or misplace their smart cards. For example, will you issue temporary smart cards, authorize temporary alternate logon to the network, or make users go home to retrieve their smart cards? Your policies affect how much worker time is lost and how much help desk support is needed.

Your smart card authentication strategy must describe the network logon and authentication methods you use, including:

■ Identify network logon and authentication strategies you want to deploy.

■ Describe smart card deployment considerations and issues.

■ Describe PKI certificate services required to support smart cards.

In addition to smart cards, third-party vendors offer a variety of security products to provide two-factor authentication, such as “security tokens” and biometric accessories. These accessories use extensible features of the Windows Server 2003 graphical logon user interface to provide alternate methods of user authentication.

Virtual private networking (VPN) provides a way of making a secured, private connection from the client to the server over a public network such as the Internet. Unlike dial-up networking, in which a connection is made directly between client and server, a VPN connection is logical and tunneled through another type of connection. Typically, a remote user would connect to an Internet service provider (ISP) using a form of dial-up networking (particularly good for users with high-speed connections).

The Routing And Remote Access server would also be connected to the Internet (probably via a persistent, or permanent, connection) and would be configured to accept VPN connections. Once the client is connected to the Internet, it then establishes a VPN connection over that dial-up connection to the Routing and Remote Access server.

 

Cisco ASA5505 Firewall overview

Cisco ASA5505 firewall is a small box with the following layout:

It has eight Ethernet ports marked 0 to 7 and one Console port marked blue.

–  Connect the Console port to the local server or any computer from which you will configure the box: the Console cable must be connected to the serial port of the computer. Note: it is needed for configuration only; later this connection can be removed.

–  Port 0 of the ASA must be attached to Internet Provider’s equipment: connect it to the ISP modem.

–  Port 2 of the ASA must be attached to the local Ethernet switch.

–  Connect the Server and computers to the Ethernet switch.

 

CONFIGURATION

In order to configure the firewall, you will need a configuration template (not included in this document, supplied as a separate file). Follow the instructions inside the configuration template in order to adjust it to the profile of your site and use the following configuration sequence:

–  Log in to the server or computer that is connected to the ASA box;

–  Open up the HyperTerminal program (Start → Programs → Accessories → Communications). Set up a new connection to COM1 port.

–  Clear any existing configuration from the firewall using the following set of commands:

Devicename> enable

Devicename# config terminal

Devicename(config)# clear configure all

Devicename(config)# write memory

–  While in configuration mode, copy-paste the configuration file that you prepared earlier.

–  Save the configuration of the firewall:

Devicename(config)# write memory

 

With this done, your firewall is set up for operation. Verify that your Internet connection is working.

 

 

 

Active Directory is Microsoft’s implementation of a directory service. A directory service holds information about resources within the domain. Resources are stored as objects and include users, computers, groups, printers, and more.

In Windows Server 2008, five different server roles support Active Directory:

 

>Active Directory Domain Services

>Active Directory Certificate Services

>Active Directory Federation Services

>Active Directory Lightweight Directory Services

>Active Directory Rights Management Services

 

The primary role is Active Directory Domain Services. The other roles add to the capabilities of Active Directory. Objects include users, computers, groups, and more. The Active Directory database is stored only on servers holding the role of domain controllers.

 

A significant benefit of using Active Directory Domain Services is that it enables you as an administrator to manage desktops, network servers, and applications all from a centralized location.

 


A read-only domain controller (RODC) hosts a read-only copy of the Active Directory database. This is somewhat untrue, because changes can be made to the database. However, the changes can come only from other domain controllers, and the entire database isn’t replicated; instead, only a few select objects are replicated.

 

Usually, domain controllers are considered peers where they are all equal (with a few exceptions). Any object can be added or modified on any domain controller, for example adding a user or a user changing their password. These changes are then replicated to other domain controllers. However, with RODCs, changes to the domain controller can come only from other domain controllers. Moreover, the changes are severely restricted to only a few select objects.

 

The huge benefit of the RODC is that credentials of all users and computers in Active Directory are not replicated to the RODC. This significantly improves the security of domain controllers that are placed at remote locations.

 


Outlook Anywhere uses the HTTP protocol to encapsulate RPC information for sending between the Outlook client (version 2003 and 2007) and the Exchange Server 2010 server. For this service to run properly the RPC over HTTP Proxy service has to be installed on the Client Access Server. This can be achieved either by adding this as a feature via the Server Manager, or by entering the following command on a PowerShell Command Prompt:

ServerManagerCmd.exe -i RPC-over-HTTP-proxy

When the RPC over HTTP Proxy is installed use the following steps to configure Outlook Anywhere:

1. Open the Exchange Management Console;

2. In the navigation pane, expand “Microsoft Exchange On-Premises”;

3. In the navigation pane, expand “Server Configuration”;

4. Click on “Client Access” and select your Client Access Server;

5. In the Actions pane, click on “Enable Outlook Anywhere”.

6. On the Enable Outlook Anywhere page enter the External host name. Make sure that this name is also available in the certificate you created in the previous paragraph. Select the authentication methods used by clients, i.e. Basic Authentication or NTLM authentication. For now leave these settings on default and click Enable to continue;

7. This will activate the Outlook Anywhere service on this server, and it may take up to 15 minutes before the service is actually useable on the Client Access Server. Click Finish to close the wizard.
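
Step 6 depends on the external host name being present in the certificate. The following added example (not part of the original post) shows one way to check that, including the rule that a wildcard covers only one label. The function names are hypothetical, all host names are constructed sample values, and the SAN parsing assumes the English "DNS Name=" label that Windows uses when formatting the extension.

```powershell
# Added example: does a certificate's name list cover the Outlook Anywhere
# external host name? Host names below are constructed sample values.

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject Alternative Name extension (OID 2.5.29.17); entries format as "DNS Name=host".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    # Fall back to the subject common name only when the certificate has no SAN entries.
    if ($names.Count -eq 0) {
        $cn = $Certificate.GetNameInfo('SimpleName', $false)
        if ($cn) { $names += $cn }
    }
    return $names
}

function Test-NameCoversHost {
    param([string[]]$CertNames, [string]$HostName)
    $target = $HostName.ToLowerInvariant()
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $target) { return $true }
        # A wildcard matches exactly one left-most label, never several.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)          # e.g. ".branch.contoso.test"
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed sample data: names as they would be read from the certificate.
$certNames = @('mail.contoso.test', 'autodiscover.contoso.test', '*.branch.contoso.test')
foreach ($h in 'mail.contoso.test', 'webmail.contoso.test', 'oa.branch.contoso.test', 'a.b.branch.contoso.test') {
    '{0,-26} covered: {1}' -f $h, (Test-NameCoversHost -CertNames $certNames -HostName $h)
}
# With a real certificate object in $cert: Test-NameCoversHost @(Get-CertDnsNames $cert) 'mail.contoso.test'
```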


Exchange recipients clearly need an email address for receiving email. For receiving email from the Internet, recipients need an email address that corresponds to an accepted domain. Recipients are either assigned an email address using an Email Address Policy, or it is also possible to manually assign e-mail addresses to recipients.

To configure Email Address Policies follow these steps:

1. Log on to an Exchange Server 2010 server with domain administrator credentials and open the Exchange Management Console;

2. Expand the “Microsoft Exchange On-Premises”;

3. Expand the Organization Configuration;

4. Click on Hub Transport in the left pane;

5. In the middle pane there are eight tabs, click on the one labelled E-Mail Address Policies;

6. There will be one default policy that will be applied to all recipients in your organization. For now the default policy will be changed so that recipients will have the E-mail address corresponding to your Accepted Domain. Click on New E-mail Address policy to create a new policy;

7. On the Introduction page enter a new Friendly Name. Click the Browse button to select a container or Organizational Unit in Active Directory where you want to apply the filter. Select the Users container. Click Next to continue;

8. On the Conditions page you can select conditions on how the recipients in the container will be queried, for example on State, Province, Department, Company etc. Do not select anything for this demonstration, and click Next to continue;

9. On the E-mail Addresses tab click the Add button, the SMTP E-mail Address pop-up will be shown. Leave the local part default (Use Alias) and select the “Select the accepted domain for the e-mail address” option and click Browse;

10. Select the Accepted Domain you entered earlier, click OK twice and click Next to continue;

11. On the Schedule page you have the option to apply the policy immediately or schedule a deploy during, for example, non-office hours. This is useful when you have to change thousands of recipients. For now leave it on Immediately and click Next to continue;

12. Review the settings, and if everything is ok then click New to create the policy and apply it immediately;

13. When finished successfully click the Finish button.

You can check the E-mail address on a recipient through the EMC to confirm your policy has been correctly applied. Expand the Recipient Configuration in the left pane of the Exchange Management Console and click on ‘Mailbox’. In the middle pane a list of recipients should show up, although right after installation only an administrator mailbox should be visible. Double click on the mailbox and select the E-mail Addresses tab. The Administrator@yourdomain.com should be the primary SMTP address.


The Exchange Server 2010 Edge Transport Server is not part of the internal Active Directory and Exchange organization, and is typically installed in the network’s DMZ. A mechanism obviously needs to be in place for keeping the server up to date with information.

For example, for the recipient filtering in the Edge Transport Server to take place, the server needs to know which recipients exist in the internal Exchange environment. The Edge Transport Server also needs to have knowledge about the existing Hub Transport Server in the internal Exchange organization, where the Edge Transport Server has to deliver its SMTP messages to.

This information is pushed from an internal Hub Transport Server to the Edge Transport Server by a process called “Edgesync”. Please note that for a successful synchronization from the Hub Transport Server to the Edge Transport Server, you have to open port 50636 on the internal firewall. This port has to be opened from the internal network to the DMZ and not vice versa.

To set up an Edge Synchronization, a special XML file has to be created on the Edge Transport Server. This XML file has to be imported to a Hub Transport Server on the internal network creating a relationship between the Edge Transport Server and the respective Hub Transport Server. Once that relationship is created, the Edgesync service can be started. To set up the Edgesync service, please follow these steps:

1. Log on to the Edge Transport Server using an administrator account and open an Exchange Management Shell;

2. Enter the following command:

New-EdgeSubscription -Filename <<filename.xml>>

Copy the <<filename.xml>> to a directory on the Hub Transport Server.

3. Log on to the Hub Transport Server using an administrator account and open an Exchange Management Shell command prompt.

4. Enter the following command:

New-EdgeSubscription -Filename <<filename.xml>> -CreateInternetSendConnector:$TRUE -Site "Default-First-Site-Name"

When successfully finished on the Exchange Management Shell command prompt, enter the following command:

Start-EdgeSynchronization

The Edge Synchronization process should now successfully start.

5. On the Edge Transport Server, open the Exchange Management Shell and check if the settings are identical to the settings on the Hub Transport Server.

When making changes to the internal Exchange organization, these changes will automatically replicate to the Edge Transport Server in the DMZ.
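
Before running Start-EdgeSynchronization it helps to confirm that port 50636 is actually open from the internal network to the DMZ. The following added example (not part of the original post) is meant to be run on the Hub Transport Server and distinguishes a dropped connection from a refused one. The function name is hypothetical and `edge01.dmz.example` is a placeholder for your Edge Transport Server.

```powershell
# Added example: check the EdgeSync port in the direction the firewall rule must allow
# (internal Hub Transport Server -> Edge Transport Server in the DMZ, TCP 50636).

function Get-TcpPortState {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: packets are most likely dropped by a firewall.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Filtered' }
        $client.EndConnect($async)      # throws if the connection attempt failed
        return 'Open'
    } catch {
        $base = $_.Exception.GetBaseException()
        # Refused: the firewall passes traffic but nothing listens on the port.
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq 'ConnectionRefused') { return 'Refused' }
        return "Failed: $($base.Message)"   # e.g. the name could not be resolved
    } finally {
        $client.Close()
    }
}

$edge  = 'edge01.dmz.example'    # placeholder host name
$state = Get-TcpPortState -ComputerName $edge -Port 50636
switch ($state) {
    'Open'     { "TCP 50636 to $edge is reachable; EdgeSync can connect." }
    'Filtered' { "TCP 50636 to $edge timed out; check the internal firewall rule (internal -> DMZ)." }
    'Refused'  { "TCP 50636 to $edge was refused; the firewall allows it but the Edge server is not listening." }
    default    { "Could not test ${edge}: $state" }
}

# If the Exchange Management Shell is loaded, show the synchronization status as well.
if (Get-Command Test-EdgeSynchronization -ErrorAction SilentlyContinue) {
    Test-EdgeSynchronization | Format-List
}
```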

Here are some of the new features:

  • Automated System Recovery (ASR). This feature simplifies the restoration of the operating system partition.
  • Goodbye, Emergency Repair Disk. There is no more ERD in Windows Server 2003. The only repair options are the Recovery Console or ASR.
  • Emergency Management Services (EMS). If a server cannot be reached via the network, EMS provides an out-of-band connection to the server via a serial port.
  • Online Crash Analysis. The kernel-mode debugging utilities in Windows Server 2003 can now run on the same machine as the operating system they are monitoring. This permits running a variety of debugging chores at the console.
  • Volume Shadow. Locked files create problems for backup programs. Users get irate when you tell them that you can’t restore a file because it was locked during the backup while they were working from home. The Volume Shadow service takes a snapshot of a locked file so that the backup program can save the snapshot.
  • System Restore. This feature, only present on XP, periodically takes snapshots of the system configuration that you can use as checkpoints for rolling back the system to a previous configuration.
  • Online event tracking. If an application fails or otherwise causes a system error, the system collects information about the failure and sends that information to Microsoft, where it is compiled and analyzed for trends.
  • Shutdown Event Tracker. This “feature,” if you want to call it that, requires that you specify a reason each time you shut down a system. This reason is put in the Event log. If the system crashes, you must specify a reason when the system restarts.
  1. Open an empty MMC console using START | RUN | MMC.
  2. From the console menu, select CONSOLE | ADD/REMOVE SNAP-IN. The Add/Remove Snap-in window opens.
  3. Click Add. The Add Standalone Snap-in window opens.
  4. Double-click Certificates to load the snap-in. If you are logged on with an account that does not have administrator privileges, the only option is to load your own personal certificates. Otherwise, you get additional choices of computer and service certificates.
  5. With the snap-in loaded, save the console with a descriptive name, such as Cert.msc. You may want to save it in \WINNT\System32 along with the rest of the console files so that another administrator can use it. The console does not point at your specific certificate. It loads the certificates of the user who launches the console.
  6. Expand the tree to Certificates - Current User | Personal | Certificates. Certificates issued to you are listed in the right pane. The Intended Purposes column lists the certificate’s function. If you have ever encrypted a file, you will have at least one EFS certificate. The domain Administrator account will have two certificates, one for EFS and one for File Recovery (FR).
  7. Double-click a certificate to view the contents.

You can use the Certificates snap-in to obtain new certificates. This is not generally necessary for EFS certificates because the EFS service obtains the certificate automatically when you encrypt a file. If you want to designate more Data Recovery Agents, though, you’ll need to obtain File Recovery (FR) certificates for them. You can request them using the Certificates snap-in.

EFS only issues one self-signed FR certificate. In a domain, it is issued to the domain Administrator account. For a local machine, it is issued to the first user who logs on to the machine following Setup. You’ll need a Certification Authority (CA) to issue any further FR certificates.
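
The same view the snap-in steps produce can be scripted. The following added example (not part of the original text) lists the EFS and File Recovery certificates in the current user's Personal store and flags which ones are self-signed rather than CA-issued. The function name is hypothetical, the two OIDs are the Microsoft enhanced key usage identifiers for EFS and EFS file recovery, and "subject equals issuer" is used as a simple heuristic for self-signed.

```powershell
# Added example: report EFS and File Recovery (FR) certificates for the logged-on user,
# i.e. the contents of Certificates - Current User | Personal | Certificates.

$purposes = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'EFS'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}

function Get-EfsCertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # The Enhanced Key Usage extension carries the "Intended Purposes" shown in the snap-in.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($purposes.ContainsKey($oid.Value)) {
                New-Object PSObject -Property @{
                    Purpose    = $purposes[$oid.Value]
                    Subject    = $cert.Subject
                    # Heuristic: a self-signed certificate names itself as issuer.
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    HasKey     = $cert.HasPrivateKey
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# An FR certificate with SelfSigned = True is the one EFS generated itself;
# additional recovery agents should show CA-issued certificates here.
Get-EfsCertificateReport | Sort-Object Purpose, NotAfter |
    Format-Table Purpose, SelfSigned, HasKey, NotAfter, Subject -AutoSize
```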