Perimeter networks and Remote access strategy

In Windows Server 2008, to provide secure remote connectivity, you need to design access through a perimeter network. Therefore, to configure remote access strategy, you need to design a secure perimeter network and decide which services will reside within it.

There are three types of Perimeter Network Architecture:

·         Border network provides a direct connection to the external environment through a router. The border router can offer some protective features, such as access lists to manage specific unwanted traffic from Internet Control Message Protocol (ICMP). An example of such unwanted traffic are the echo requests associated with pinging. A perimeter firewall along with associated security devices and services provides protection for the border network.

·         Perimeter network is a semi-protected area secured by a perimeter firewall and an internal firewall. Services located in this area include Web servers for public access that connect to internal SQL servers along with many other application servers.

·         Internal network is the location of the secure environment. It includes the corporate user and server environments. The security designs in this type of network include another firewall service separating the internal user network from the server farms.

You can use the following services and security features when designing the perimeter network.

·         NAT – Uses private IP addresses that have significant meaning when used within your organization. When traffic is sent out to the Internet, these addresses require translation to an acceptable public IP address. One of the benefits of using NAT in your firewall design is that your internal addressing structure is hidden from outside attackers.

·         Stateful inspection firewalls – Provide an accounting of all traffic that originated on an interface in a state table. When the connection traffic is returned, the state table determines whether the traffic originated on that interface.

·         Circuit-level firewalls – Provide a more in-depth inspection of traffic than does a stateful firewall. Circuit-level firewalls provide session maintenance and enable the use of protocols that require secondary connections such as FTP.

·         Proxy servers – Provide security by functioning as intermediaries and requesting a service on behalf of a client. The client is not directly connected to the service. The proxy service can inspect all headers involved in the transaction, providing an extra layer of protection. Frequently requested content can be cached and reused to reduce bandwidth. Proxy servers can also provide authenticated requests, NAT, and authentication request forwarding.

·         Application-layer firewall – Inspects all the incoming and outgoing packet headers and state tables maintained. It also inspects the data streams  to provide security against attacks hidden in the data payloads of ordinary Web service packets such as HTTP, other Web-related request and data packets, and many ot her application- specific request and response packets.

Remote access Strategy

In designing remote access, an enterprise administrator must consider all required avenues of access. For example, let us consider designing a VPN Protocol Solution. Deciding which VPN protocols to use for your remote access policies depends on several issues, such as:

:

·         Which security requirements exist regarding encrypted communications?

·         Which security policies exist to secure communication through your corporate firewall?

·         Which authentication mechanisms are acceptable?

·         Whether a need exists to deploy a PKI to support the VPN infrastructure?

·         What are the security requirements for encrypted communications?

·         Which security policies exist to secure communication through your corporate firewall?

·         Which authentication mechanisms are acceptable?

·         Is there a need to deploy a PKI to support the VPN infrastructure?

VPN Tunneling Protocols

Windows Server 2008 provides support for three tunneling protocols when configuring remote access connections:

·         Point-to-Point Tunneling Protocol (PPTP) – PPTP provides a high level of security as a VPN tunneling protocol.  It is well supported by several Microsoft operating systems, including Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

·         Layer 2 Tunneling Protocol (L2TP) – L2TP provides a more secure connection than PPTP due to several aspects. L2TP provides the same user authentication that PPTP provides as well a computer authentication using IPsec authentication. L2TP with IPsec uses 168-bit triple DES (3DES) encryption for the data and provides per-packet data origin authentication, proving the identity of the user and providing data integrity and replay protection while providing a high level of confidentiality.

·         Secure Socket Tunneling Protocol (SSTP)  – SSTP is a new VPN tunnel supported by Windows Vista SP1 and Windows Server 2008. It uses SSL-encrypted HTTP connections for the VPN connection. More specifically, Point-to-Point Protocol (PPP) sessions are encrypted by SSL and transferred over an HTTP connection. Another advantage is that SSTP is quite secure. An SSL tunnel is initially formed prior to the transfer of user credentials. SSTP also supports Extensible Authentication Protocol (EAP) types for user authentication, including Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol-Transport Layer (PEAP-TLS), as well as the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) v2 authentication methods.

An additional rule is needed only to ensure the passage of TCP port 443 from the border network into the perimeter network to the VPN server perimeter interface.

Authentication Protocols

Windows Server 2008 provides support for a few authentication protocols:

·         PAP

·         MS-CHAP

·         MS-CHAP v2

·         PEAP-MSCHAP v2/EAP-MSCHAP v2

·         EAP-TLS

·         PEAP-TLS

Read more »

Disk Setup Management & Disk Management Tools.

Disk Management is a useful built-in Windows 7 partition manager that makes hard disk partitioning quick and simple. Windows 7 Disk Management includes:

·     A built-in partition manager .

·     Graphical user interface

·     Ability to create new disk partitions within Windows 7

·     Ability to shrink existing disk partitions

With Disk Management, you can initialize disks, create volumes, format volumes with file systems FAT, exFAT,

FAT32 or NTFS. You can also extend a disk, reduce a disk, check if a disk is healthy or unhealthy, create partitions, delete partitions, or change a drive letter.

To access Disk management, follow these steps:

1. Right-click Computer and click Manage.

2. From the left pane click Disk Management.

Windows 7 and the Graphical Partition Manager

Windows 7 Disk Management features a graphical user interface. The Disk Management console lists each volume in alphabetical order. Each hard disk is then broken down into: Type, File System, Status, Capacity, and Free Space. In the second horizontal column, Each logical drive is labeled by its letter and given a color. Right-clicking on each drive opens a menu where users can extend volumes, shrink volumes or create new logical drive

Creating New partition on Windows 7:

1.  On Windows 7, click start, right click My Computer, and click Manage.
2. Click Disk Management from the left pane. You can now view the current partitioning scheme on you system.
3. Right-click the unallocated space and select New Simple Volume, and click Next.
4. Select the size for the new volume or partition in MB.
5. Assign the drive letter to the new partition.
6. Format the partition with appropriate filesystem and select the check box Perform a Quick Format. To enable compression, select the checkbox Enable File and Folder compression.
7. Click Finish.

Follow these steps to resize an existing partition in your current hard disk drive to create a new partition:

1. On Windows 7, click start, right click My Computer, and click Manage.
2. Click Disk Management from the left pane. You can now view the current partitioning scheme on you system.
3. Right-click on the partition, which you want to resize. This would present you with drive capacity information as well as the option to enter an amount you'd like to “shrink” your partition by then click Shrink.
4. You can now see unallocated space on your hard drive in the capacity you specified, situated just after your now resized original partition.
5. Right-Click the unallocated volume, and select New Simple Volume, assign it a drive letter, quick format the volume using the NTFS file system and default allocation unit size.

Extending a Partition:

1. On Windows 7, click start, right click My Computer, and click Manage.
2. Click Disk Management from the left pane. You can now view the current partitioning scheme on you system.
3. Right-Click the partition that you want to extend and select Extend Volume.
4. Click Next, and this would present you with drive capacity information as well as the option to enter an amount you'd like to extend your partition by. Click Next.
5. Click Finish.

Deleting a partition:

1. On Windows 7, click start, right click My Computer, and click Manage.
2. Click Disk Management from the left pane. You can now view the current partitioning scheme on you system.
3. Right-Click the partition that you want to delete and select Delete Volume.
4. Click Yes to continue the deletion process.
5. Click Yes to delete the partition.

Change Drive Letter

1. On Windows 7, click start, right click My Computer, and click Manage.
2. Click Disk Management from the left pane. You can now view the current partitioning scheme on you system.
3. Right-click on a partition and select "Change drive letters and paths.

4. The current drive letter will display. The Add button typically allows the partition to be placed inside an existing NTFS folder.
5. Click Change to assign a new drive letter.

Windows 7 will disallow any changes if the partition is currently used as a system, boot, or page file drive.

Tasks that can be performed with the Properties tab:

1. On Windows 7, click start, right click My Computer, and click Manage.
2. Click Disk Management from the left pane. You can now view the current partitioning scheme on you system.
3. Right-click a partition and select Properties.
4. With Security tab, permissions for various groups of users can be assigned or changed on the partition.
5. General tab presents you with options to enable compression and indexing on the partition. It also allows you to clean the disk using Disk Cleanup.
6. Hardware tab provides you to manage the hardware properties.
7. You can enable File and Folder sharing with the Sharing Tab.
8. With Quota tab, you can enable Quota services on the partition. To enable quota select the checkbox Enable Quota Management. Set the limits for quota and you can also select quota logging options for this volume.
9. To make any changes in the default partition properties click Apply and then click OK.

Read more »

Capture, Prepare, and Deploy a System Image

System Image

A system image is a copy of the current state of your computer’s hard disk. It includes all the system settings, files, and the Windows configuration. You can use a system image to recover your data and computer settings in the case of failure of your hard disk drive. But you cannot restore individual files or settings with this process, and all of your current programs, system settings, and files are replaced with the contents of the system image.

Creating a system image on Windows 7 computer

1.       Click Start and type back up in the start search bar. Click Back up your computer from the search results.

2.       In the left pane of the Backup and Restore Center window, click Create a system image.

3.       Choose a medium to store the system image. You can back up the system image on an external drive, on DVDs, or on a different computer in the network.

4.       Select the drives you want to back up. Click Next.

5.       On the Confirm your settings page, select Start backup.

6.       After the process is complete, you get the option to create a system repair disc. Click Yes to create the system repair disk. Insert a blank CD or DVD to create the image.

You can now find the system image folder named WindowsImageBackup.

Recovering your computer using System Image

You can only do a system image recovery to a hard disk drive that is the same size or larger than the one the system image was created from. You will not be able to do a system image recovery to a smaller hard disk drive. If your backup image is on an external device, then connect the external drive before starting. A system image recovery will format everything on each hard drive that was included in the system image, and will only restore what is in the system image. To start the recovery of the system, perform these steps:

1. Connect the external drive on which you have stored the system image.
2. Click Start, then click Control Panel, and then click Back up your computer.
3. Click Recover system settings on your computer.
4. Click Advanced recovery methods.
5. Select Use a system image you created earlier to recover your computer.
6. If you want to create the backup immediately, select Back up now, or click Skip  and continue the system image recovery without backing up any of your current files. Click Restart.
7. Select a language to be used for your keyboard input and click Next. 
8. Select the system image for recovery using either of the two options:

• To use a latest system image for recovery, select Use the latest available system image and click Next.
• To select a system image for recovery, select the location of the backup image for the computer you want to restore from the list, and click Next. Then select the date and time of the system image to restore, and click Next.

9. After selecting the system image, select the Format and repartition disks box.
10. If you want to recover only those drives that are required to run Windows, select the check box Only restore system drives. Click Next.
11. Click Finish and then click Yes.
12. Windows will now start restoring your computer from the system image. Once the restoration is complete, click Restart Now.
13. If you chose to create the backup immediately in step 6, you will see the option Restore my file after the computer restarts. Select this option to restore the files.

Read more »

Configuring a VHD

Windows 7 has a new feature called VHD Boot. This feature allows you to boot your entire Windows from a Virtual Hard Disk (VHD) file. There are various advantages of this feature, like:

• The configurations and settings of your entire system are included in one file – .VHD file.
• One VHD file can be based on another one. So if you have different systems, create a base copy of Windows 7 on a VHD and make all others incremental. This saves a lot of disk space.

But this feature can only be used on Windows 7, Windows Server 2008 R2, or later operating systems. The operating systems which came earlier then Windows 7 do not support VHD. With VHD your system suffers a performance decrease of about 3%. Windows hibernate function and BitLocker configurations are not supported by VHD. BitLocker can be used within the guest VHD, but not on the volume where the VHD resides. Also, with VHD, features like Aero don’t work because the Windows Experience index is not supported.

Types of Virtual Hard Disks

Three types of VHD files can be created using the disk-management tools:

• Fixed hard-disk image. A fixed hard-disk image is a file that is allocated to the size of the virtual disk. For example, if you create a virtual hard disk that is 2 gigabytes (GB) in size, the system will create a host file approximately 2 GB in size. Fixed hard-disk images are used for production servers and working with customer data.
• Dynamic hard-disk image. A dynamic hard-disk image is a file that is as large as the actual data written to it at. As more data is written, the file dynamically increases in size. For example, the size of a file backing a virtual 2 GB hard disk is initially around 2 megabytes (MB) on the host file system. As data is written to this image, it grows with a maximum size of 2 GB.
  
  Dynamic hard-disk images are beneficial for development and testing environments. Dynamic VHD files are smaller, easier to copy, and expand after mounting.
• Differencing hard-disk image. A differencing hard-disk image describes a modification of a parent image. This type of hard-disk image is not independent, and it depends on another hard-disk image to be fully functional. The parent hard-disk image can be any of the above mentioned hard-disk image types, including another differencing hard-disk image.

Creating a VHD

Perform these steps to create a VHD file on your Windows 7-based computer:

1. Click Start and then right-click Computer.
2. Click Manage, then in the left pane, right-click Disk Management, and then click Create VHD.
3. Select a location to save your VHD file.  Select the maximum size for your VHD file. You can also choose from either of the two options – Dynamically Expanding, where the size of the VHD expands dynamically to a fixed maximum size, or Fixed Size, where the virtual hard disk uses a fixed amount of space regardless of the size of data stored on it.
4. The new disk will show in the right pane as unallocated space. Right-click the new unallocated VHD Disk number and click Initialize Disk.
5. You need to choose if you want the new VHD to have Master Boot Record (MBR) or GUID Partition Table (GPT) partition, and click OK.
6. Right-click again on the new unallocated VHD and click New Simple Volume.
7. Type how much of the maximum disk space you want to use for this VHD partition, and click Next.
8. Select the file system for your VHD from either FAT or NTFS, and enter a name for your VHD. Select the Perform a quick format check box, and click Next.

Click Finish. The system creates a new simple volume on your VHD, which is already attached.

Installing a VHD-Boot Machine

Perform these steps to install Windows 7 with VHD file:

1. Boot the system with a Windows 7 setup DVD or any other boot media.
2. On the setup screen, don’t choose Install Now, but press Shift-F10 to get into command line mode.
3. Type diskpart on the command line mode to start the partitioning utility.
4. You need to create a new VHD file.  Type the following command to create this file:

create vdisk file=”D:\pathToVhd.vhd” type=expandable maximum=maxsizeInMegabyte 

5. Select the new VHD and attach it as a physical disk. Use the following commands to perform this task:

select vdisk file=”D:\pathToVhd.vhd” 
attach vdisk 

6. Proceed with the normal setup and make sure that you install your Windows to the correct disk. You may receive a warning Windows cannot install to this disk. Ignore this warning.

7. At next startup, you’ll see Windows 7 in the boot menu. If you want to add a VHD manually to the boot menu, use this command:

bcdedit /copy {originalguid} /d "New Windows 7 Installation"

bcdedit /set {newguid} device vhd=[D:]\Image.vhd

bcdedit /set {newguid} osdevice vhd=[D:]\Image.vhd

bcdedit /set {newguid} detecthal on

8. Click Start, right-click Computer, and select Manage.

9. To attach an existing VHD File, in the left pane, right-click Disk Management and then click Attach VHD.

10. Click Browse, navigate to the VHD file location, select the file, and then click Open. If you want the VHD to be read-only, select the check box. Click OK.

Read more »

Configuring Backup in Windows 7

The Windows 7 Backup and Restore utility enables you to create and restore backups.

Perform these steps to configure the backup on your computer:

1. Click Start, and then click Computer.

2. Right-click the drive which you want to backup and select Properties.

3. Click the Tools tab and then click Back up now.

4. The Backup and Restore utility opens. In the Back up or restore your files window, click the link to setup a backup.

5. Windows will search for an appropriate drive to store the backup.You can also choose a location on your network.  To backup to a network location, you also require the password.

6. To back up specific files and folders, click Let me choose, and to back up the whole drive and create a system image, click Let Windows Choose.For this procedure, we will select Let me choose.

7. Select the files and folders to be included in the backup.  You can also create an image of your local drive by selecting the checkbox Include a system image of drives System Reserver (C:).

8. Review the backup job to ensure that the backup includes all the required files and folders.  You can also schedule the days and times for the backup.

9. Save the backup settings and initialize your first backup. You can monitor the progress of the backup as it initializes.

10. When the backup is complete, you can find the backup files and image folder that you created.

 11.  Double-click the backup file. From this window, you can restore files or manage the size of the backup folder.

Managing Backup Size

Sometimes you may need to recover some disk space. Windows 7 allows you to manage the size of your backups. Perform these steps to manage the backup size:

1. In the Backup and Restore window, click the Manage Space link. 
2. A summary of the backup location is displayed, with data about which files and folders are acquiring how much space from the backup. 

·         Click the View backups button to check the backups of different dates. You can delete older ones if needed.

·         You can also change the settings, like the way Windows retains older system images.

Read more »

Using Windows 7 Tools to Discover System Information

Using Windows 7 Tools to Discover System Information

Windows 7 contains many other tools to discover system information about your computer. Some of the tools are as follows:

• System Information
• Task Manager
• Performance Information and Tools

System Information

You can use the System Information utility to show information about your hardware, software, and resources. Type msinfo32 in the Windows 7 search box to launch this utility.

Configure Performance settings

By analyzing data, you can determine whether any resources are placing an excessive load on your computer, resulting in a system slowdown. The following are some of the causes of poor system presentation:

• A resource is insufficient to handle the load that is being located upon it, and the component might need to be upgraded, or additional components might be required.
• If a resource has many instances, the resources might not be evenly balancing the workload, and the workload might need to be balanced over the multiple instances more efficiently.
• A resource might be malfunctioning. In this case, the resource should be repaired or replaced.
• A specific program might be allocating resources improperly or inefficiently, in which case the program needs to be rewritten or another application should be used.
• A resource might be configured improperly and causing excessive resource usage, and need to be reconfigured.

There are four main subsystems that you should check. You should systematize counters in your data collector set for each of these subsystems:

• The memory subsystem
• The processor subsystem
• The disk subsystem
• The network subsystem

Monitoring and Optimizing Memory

When the operating system wants a program or process, the first place it looks is in the physical memory. If the required program or process is not in the physical memory, the system looks in the logical memory (the page file). If the program or process is not in the logical memory, the system must then retrieve the program or process from the hard disk. It takes very long to access information from the hard disk than to get it from the physical RAM. If your computer is using excessive paging, that is an indication that your computer does not have enough physical memory. Insufficient memory is the most likely cause of system performance degradation. To determine how much memory is being used, you need to look at the next two areas:

Physical memory – The physical RAM you have installed on your computer.

Page File Logical memory– This memory exists on your hard drive. If you are using excessive paging (swapping between the page file and physical RAM) or hard page faults, it indicates that you need to add more memory.

The next three counters are most important for monitoring memory:

Memory, Available MBytes Memory, Available MBytes– This counter measures the amount of physical memory that is available to run processes on the computer. If this number is fewer than 20 percent of your installed memory, it indicates that you might have an overall shortage of physical memory for your computer, or you possibly have an application that is not releasing memory correctly. You should think adding more memory or evaluating application memory usage.

Memor, Pages/Sec Memory , Pages/Sec– This counter shows the number of times the requested  page was not in memory and had to be retrieved from the disk. This counter’s value is supposed to be under 20; for optimal performance, it should be 4 or 5. If the number is more than 20, you should add memory. Sometimes a high Pages/Sec counter is indicative of a program that is using a memory-mapped file.

Paging File, % Usage Paging File, % Usage– This counter shows the percentage of the allocated page file that is currently in use. If this percentage is consistently more than 70 percent, either you need to add more memory or increase the size of the page file.

Managing Processor Performance:Processor problems can increase when the threads of a process require more processingcycles than are at present obtainable. In this case, the process will wait in a processor queue, and system responsiveness will be slower than if process requests could be immediatelyserved. The most common causes of processor bottlenecks are processor-intensive applicationsand other subsystem components that generate excessive processor interrupts(for example, disk or network subsystems).However, you should  monitor this subsystem to make sure that processor utilization isat an efficient level.

Key Counters to Track for the Processor

You can track processor utilization through the Processor and System objects to determine whether a processor bottleneck exists. The next three counters are the most important for monitoring the system processor:

Processor, % Processor Time Processor, % Processor Time– This counter measures the time that the processor spends responding to system requests. If this value is consistently above an average of 85 percent, you might have a processor bottleneck.

The Processor, %User Time and Processor, % Privileged Time– These counter merge to show the total % Processor Time counter. You can also monitor these counters independently for more detail.

Processor, Interrupts/Sec Processor, Interrupts/Sec– This counter shows the average number of hardware interrupts received by the processor each second. If this value is more than 3,000, you might have a problem with a program or hardware that is generating spurious interrupts.

System, Processor Queue Length System, Processor Queue Length is used to determine whether a processor bottleneck is due to high levels of demand for processor time. If a queue of two or more items exists for an extended period of time, a processor bottleneck might be indicated. If you suspect that a processor bottleneck is due to excessive hardware I/O requests, then you are supposed to also monitorthe System, File Control Bytes/Sec counter.

Tuning and Upgrading the Processor

If you think that you have a processor bottleneck, you can try these solutions:

• Use applications that are less processor-intensive.
• Upgrade your processor.
• If your computer supports multiple processors, add a processor.

The Memory and Processor subsystem objects are important counters to evaluate in determining your Windows 7 performance.

Managing the Disk Subsystem

Disk access can be defined as the amount of time your disk subsystem takes to retrieve data that is requested by the operating system. The two factors that determine how quickly your disk subsystem will respond to system requests are the average disk access time on your hard drive and the speed of your disk controller.

Key Counters to Track for the Disk Subsystem

You can monitor the Physical Disk object, which is the sum of all logical drives on a single physical drive, or you can monitor the Logical Disk object, which represents a specific logical disk. The important counters for monitoring the disk subsystem are as follows:

Physical Disk,% Disk Time and Logical Disk, % Disk Time Physical Disk, % Disk Time and Logical Disk , % Disk Time– These counters show the amount of time the disk is busy becauseit is servicing read or write requests. If your disk is busy more than 90 percent of the time,you can improve presentation by adding another disk channel and splitting the disk I/Orequests between the channels.

Physical Disk, Current Disk Queue Length and Logical Disk, Current Disk Queue Length Physical Disk, Current Disk Queue Length and Logical Disk, Current Disk Queue Length–These counters indicate the number of outstanding disk requests that are waiting to beprocessed. On average, this value should be less than 2.

Logical Disk, % Free Space Logical Disk,% Free Space – These counters specify how much free disk space is available. This counter should indicate at least 15 percent.

Tuning and Upgrading the Disk Subsystem

When a disk subsystem bottleneck occurs, then first check your memory subsystem. Insufficient physical memory can cause excessive paging, which in turn affects the disk subsystem. If you do not have a memory problem, then you can use the following solutions to improve disk presentation:

·         Use faster disks and controllers.

·         Confirm that you have the latest drivers for your disk adapters.

·         Use disk striping to take advantage of multiple I/O channels.

·         Balance heavily used files on multiple I/O channels.

·         Add another disk controller for load balancing.

·         Use Disk Defragmenter to consolidate files so that disk space and data access are optimized.

Optimizing the Network Subsystem

Windows 7 does not have a built-in mechanism to monitor the network. But only that traffic can be monitored and optimized which is generated on your Windows 7 computer. You can monitor the network interface and the network protocols that have been installed on your computer.

Network bottlenecks occur when network traffic exceeds the maximum capacity of the local area network (LAN).

Key Counters to Track for the Network Subsystem

Local network traffic can be monitored with the Performance Monitor utility.The following two counters are useful for monitoring the network subsystem:

A Network Interface, Bytes Total/Sec Network Interface, Bytes Total/Sec measure– This counter measures the total number of bytes sent or received from the network interface and includes all network protocols.

TCPv4 > Segments/Sec TCPv4 Segments/Sec– This counter measures the number of bytes sent or received from the network interface and includes only the TCPv4 protocol.

Tuning and Upgrading the Network Subsystem

You can use these measures to optimize and `enhance network performance on your system:

• Install and assemble only those protocols are required.
• Use faster network cards, like 100 Mbps Ethernet or 1 Gbps. 

Read more »