Tuesday, 13 March 2012

Perimeter networks and Remote access strategy


In Windows Server 2008, to provide secure remote connectivity, you need to design access through a perimeter network. Therefore, to configure remote access strategy, you need to design a secure perimeter network and decide which services will reside within it.
There are three types of Perimeter Network Architecture:
·         Border network provides a direct connection to the external environment through a router. The border router can offer some protective features, such as access lists to block specific unwanted traffic from Internet Control Message Protocol (ICMP). An example of such unwanted traffic is the echo requests associated with pinging. A perimeter firewall, along with associated security devices and services, provides protection for the border network.
·         Perimeter network is a semi-protected area secured by a perimeter firewall and an internal firewall. Services located in this area include Web servers for public access that connect to internal SQL servers along with many other application servers.
·         Internal network is the location of the secure environment. It includes the corporate user and server environments. The security designs in this type of network include another firewall service separating the internal user network from the server farms.

You can use the following services and security features when designing the perimeter network.
·         NAT – Uses private IP addresses that have significant meaning when used within your organization. When traffic is sent out to the Internet, these addresses require translation to an acceptable public IP address. One of the benefits of using NAT in your firewall design is that your internal addressing structure is hidden from outside attackers.

·         Stateful inspection firewalls – Provide an accounting of all traffic that originated on an interface in a state table. When the connection traffic is returned, the state table determines whether the traffic originated on that interface.

·         Circuit-level firewalls – Provide a more in-depth inspection of traffic than does a stateful firewall. Circuit-level firewalls provide session maintenance and enable the use of protocols that require secondary connections such as FTP.

·         Proxy servers – Provide security by functioning as intermediaries and requesting a service on behalf of a client. The client is not directly connected to the service. The proxy service can inspect all headers involved in the transaction, providing an extra layer of protection. Frequently requested content can be cached and reused to reduce bandwidth. Proxy servers can also provide authenticated requests, NAT, and authentication request forwarding.

·         Application-layer firewall – Inspects all incoming and outgoing packet headers and maintains state tables. It also inspects the data streams to provide security against attacks hidden in the data payloads of ordinary Web service packets such as HTTP, other Web-related request and data packets, and many other application-specific request and response packets.


Remote access Strategy
In designing remote access, an enterprise administrator must consider all required avenues of access. For example, consider designing a VPN protocol solution. Deciding which VPN protocols to use for your remote access policies depends on several issues, such as:
·         Which security requirements exist for encrypted communications?
·         Which security policies exist to secure communication through your corporate firewall?
·         Which authentication mechanisms are acceptable?
·         Is there a need to deploy a PKI to support the VPN infrastructure?
VPN Tunneling Protocols
Windows Server 2008 provides support for three tunneling protocols when configuring remote access connections:
·         Point-to-Point Tunneling Protocol (PPTP) – PPTP provides a high level of security as a VPN tunneling protocol. It is well supported by several Microsoft operating systems, including Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

·         Layer 2 Tunneling Protocol (L2TP) – L2TP provides a more secure connection than PPTP in several respects. L2TP provides the same user authentication that PPTP provides, as well as computer authentication using IPsec. L2TP with IPsec uses 168-bit triple DES (3DES) encryption for the data and provides per-packet data origin authentication, proving the identity of the user and providing data integrity and replay protection, along with a high level of confidentiality.

·         Secure Socket Tunneling Protocol (SSTP) – SSTP is a new VPN tunnel supported by Windows Vista SP1 and Windows Server 2008. It uses SSL-encrypted HTTP connections for the VPN connection. More specifically, Point-to-Point Protocol (PPP) sessions are encrypted by SSL and transferred over an HTTP connection. Another advantage is that SSTP is quite secure: an SSL tunnel is formed before any user credentials are transferred. SSTP also supports Extensible Authentication Protocol (EAP) types for user authentication, including Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), as well as the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) authentication method.
For SSTP, the only additional firewall rule needed is one that passes TCP port 443 from the border network through the perimeter network to the VPN server's perimeter interface.
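An added check, not from the original post, for confirming the two SSTP prerequisites described above from the border side: that TCP 443 reaches the VPN server's perimeter interface, and that a TLS session can be established before any credentials are sent. The server name vpn.example.com is an assumed placeholder.

```powershell
# Added example (not from the original post). Verifies that TCP 443 reaches
# the SSTP VPN server and that a TLS session can be negotiated, which is the
# tunnel an SSTP client needs before it transfers user credentials.
# 'vpn.example.com' is an assumed placeholder for the VPN server's public name.
param(
    [string]$VpnServer = 'vpn.example.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    # Bound the connect so a dropped packet at the border firewall shows up
    # as a clear timeout instead of a long hang.
    $async = $client.BeginConnect($VpnServer, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
        throw "No TCP connection to ${VpnServer}:$Port within 5 s - check the border-to-perimeter rule for TCP 443"
    }
    $client.EndConnect($async)

    # Full certificate validation, as an SSTP client would perform it; an
    # untrusted or mismatched certificate throws here.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($VpnServer)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Server         = $VpnServer
        TlsProtocol    = $ssl.SslProtocol
        CertSubject    = $cert.Subject
        CertExpires    = $cert.NotAfter
        SubjectMatches = ($cert.Subject -match [regex]::Escape("CN=$VpnServer"))
    }
    $ssl.Close()
}
finally {
    $client.Close()
}
```

Run it from a host on the border side of the firewall; a timeout points at the port 443 rule, while a certificate error points at the VPN server's SSL certificate rather than the network path.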
Authentication Protocols
Windows Server 2008 provides support for a few authentication protocols:
·         PAP
·         MS-CHAP
·         MS-CHAP v2
·         PEAP-MSCHAP v2/EAP-MSCHAP v2
·         EAP-TLS
·         PEAP-TLS

Disk Setup Management & Disk Management Tools



Disk Management is a useful built-in Windows 7 partition manager that makes hard disk partitioning quick and simple. Windows 7 Disk Management includes:
·     A built-in partition manager
·     Graphical user interface
·     Ability to create new disk partitions within Windows 7
·     Ability to shrink existing disk partitions
With Disk Management, you can initialize disks, create volumes, and format volumes with the FAT, exFAT, FAT32 or NTFS file systems. You can also extend a volume, shrink a volume, check whether a disk is healthy, create partitions, delete partitions, or change a drive letter.

To access Disk management, follow these steps:

1. Right-click Computer and click Manage.
2. From the left pane click Disk Management.

Windows 7 and the Graphical Partition Manager

Windows 7 Disk Management features a graphical user interface. The Disk Management console lists each volume in alphabetical order, with its Type, File System, Status, Capacity, and Free Space. In the lower, graphical pane, each logical drive is labeled by its letter and given a color. Right-clicking a drive opens a menu from which you can extend volumes, shrink volumes or create new logical drives.

Creating New partition on Windows 7:

  1. On Windows 7, click Start, right-click My Computer, and click Manage.
  2. Click Disk Management from the left pane. You can now view the current partitioning scheme on your system.
  3. Right-click the unallocated space and select New Simple Volume, and click Next.
  4. Select the size for the new volume or partition in MB.
  5. Assign the drive letter to the new partition.
  6. Format the partition with appropriate filesystem and select the check box Perform a Quick Format. To enable compression, select the checkbox Enable File and Folder compression.
  7. Click Finish.




Follow these steps to resize an existing partition in your current hard disk drive to create a new partition:
  1. On Windows 7, click Start, right-click My Computer, and click Manage.
  2. Click Disk Management from the left pane. You can now view the current partitioning scheme on your system.
  3. Right-click the partition that you want to resize. This presents drive capacity information and the option to enter the amount by which you want to shrink the partition; then click Shrink.
  4. You can now see unallocated space on your hard drive in the capacity you specified, situated just after your now resized original partition.
  5. Right-Click the unallocated volume, and select New Simple Volume, assign it a drive letter, quick format the volume using the NTFS file system and default allocation unit size.
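The shrink-and-create procedure above, scripted with diskpart (which Windows 7 ships with) so it can be repeated unattended. This is an added example, not from the original post; disk 0, partition 2, 10240 MB and the drive letter E: are assumed values.

```powershell
# Added example (not from the original post): shrink an existing partition and
# create a new NTFS volume in the freed space, driven by a diskpart script.
# Run from an elevated PowerShell prompt. Disk 0 / partition 2, 10240 MB and
# drive letter E: are assumed values; confirm them first with diskpart's
# "list disk" and "list partition", because /s runs without confirmation.
$diskNumber      = 0
$partitionNumber = 2
$shrinkMB        = 10240
$newLetter       = 'E'

# Mirrors the GUI steps: select the partition, shrink it, then create a new
# primary partition in the unallocated space, quick-format it as NTFS with the
# default allocation unit size, and assign a drive letter.
$script = @"
select disk $diskNumber
select partition $partitionNumber
shrink desired=$shrinkMB
create partition primary
format fs=ntfs quick label="Data"
assign letter=$newLetter
"@

$scriptPath = Join-Path $env:TEMP 'shrink-create.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII

# diskpart stops at the first failing line and returns a non-zero exit code.
$output = & diskpart.exe /s $scriptPath
$exitCode = $LASTEXITCODE
Remove-Item $scriptPath

if ($exitCode -ne 0) {
    throw "diskpart failed (exit code $exitCode):`n$($output -join "`n")"
}
$output
```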


Extending a Partition:

  1. On Windows 7, click Start, right-click My Computer, and click Manage.
  2. Click Disk Management from the left pane. You can now view the current partitioning scheme on your system.
  3. Right-Click the partition that you want to extend and select Extend Volume.
  4. Click Next, and this would present you with drive capacity information as well as the option to enter an amount you'd like to extend your partition by. Click Next.
  5. Click Finish.

Deleting a partition:

  1. On Windows 7, click Start, right-click My Computer, and click Manage.
  2. Click Disk Management from the left pane. You can now view the current partitioning scheme on your system.
  3. Right-Click the partition that you want to delete and select Delete Volume.
  4. Click Yes to continue the deletion process.
  5. Click Yes to delete the partition.

Change Drive Letter
  1. On Windows 7, click Start, right-click My Computer, and click Manage.
  2. Click Disk Management from the left pane. You can now view the current partitioning scheme on your system.
  3. Right-click a partition and select "Change drive letters and paths".

  4. The current drive letter is displayed. The Add button allows the partition to be mounted inside an existing NTFS folder.
  5. Click Change to assign a new drive letter.

Windows 7 will disallow any changes if the partition is currently used as a system, boot, or page file drive.

Tasks that can be performed with the Properties tab:

  1. On Windows 7, click Start, right-click My Computer, and click Manage.
  2. Click Disk Management from the left pane. You can now view the current partitioning scheme on your system.
  3. Right-click a partition and select Properties.
  4. On the Security tab, permissions for various groups of users can be assigned or changed on the partition.
  5. The General tab presents options to enable compression and indexing on the partition. It also allows you to clean the disk using Disk Cleanup.
  6. The Hardware tab lets you manage the hardware properties of the disk.
  7. You can enable file and folder sharing on the Sharing tab.
  8. On the Quota tab, you can enable quota services on the partition. To enable quotas, select the Enable Quota Management check box. Set the quota limits; you can also select quota logging options for this volume.
  9. To make any changes in the default partition properties click Apply and then click OK.

Capture, Prepare, and Deploy a System Image



System Image
A system image is a copy of the current state of your computer’s hard disk. It includes all the system settings, files, and the Windows configuration. You can use a system image to recover your data and computer settings in the case of failure of your hard disk drive. But you cannot restore individual files or settings with this process, and all of your current programs, system settings, and files are replaced with the contents of the system image.
Creating a system image on Windows 7 computer
1.       Click Start and type back up in the start search bar. Click Back up your computer from the search results.
2.       In the left pane of the Backup and Restore Center window, click Create a system image.
3.       Choose a medium to store the system image. You can back up the system image on an external drive, on DVDs, or on a different computer in the network.
4.       Select the drives you want to back up. Click Next.
5.       On the Confirm your settings page, select Start backup.
6.       After the process is complete, you get the option to create a system repair disc. Click Yes to create the system repair disc, and insert a blank CD or DVD to create it.
You can now find the system image folder named WindowsImageBackup.
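The same system image can be created from the command line with wbadmin, the backup tool behind the Backup and Restore Center. This is an added example, not from the original post; E: is an assumed external backup drive.

```powershell
# Added example (not from the original post): create a system image with
# wbadmin instead of the Backup and Restore wizard, then list what the target
# now holds. Run elevated. E: is an assumed external backup drive.
$target = 'E:'

# The backup target must be attached and must not itself be one of the volumes
# being imaged; the wizard enforces the same rule.
if (-not (Test-Path $target)) { throw "Backup target $target is not attached" }
if ($target -eq $env:SystemDrive) { throw "Backup target $target is the system drive" }

# -allCritical captures every volume Windows needs to boot; -include adds the
# volumes you would tick in step 4 above (here only the Windows drive).
& wbadmin.exe start backup "-backupTarget:$target" "-include:$env:SystemDrive" -allCritical -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }

# The image is written under WindowsImageBackup\<ComputerName> on the target.
$imageFolder = Join-Path $target "WindowsImageBackup\$env:COMPUTERNAME"
if (-not (Test-Path $imageFolder)) { throw "No image folder found at $imageFolder" }
Get-ChildItem $imageFolder | Where-Object { $_.PSIsContainer } | Select-Object Name, LastWriteTime

# Confirm the image is visible to the restore tooling as a backup version.
& wbadmin.exe get versions "-backupTarget:$target"
```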

Recovering your computer using System Image
You can only do a system image recovery to a hard disk drive that is the same size or larger than the one the system image was created from. You will not be able to do a system image recovery to a smaller hard disk drive. If your backup image is on an external device, then connect the external drive before starting. A system image recovery will format everything on each hard drive that was included in the system image, and will only restore what is in the system image. To start the recovery of the system, perform these steps:
  1. Connect the external drive on which you have stored the system image.
  2. Click Start, then click Control Panel, and then click Back up your computer.
  3. Click Recover system settings on your computer.
  4. Click Advanced recovery methods.
  5. Select Use a system image you created earlier to recover your computer.
  6. If you want to create the backup immediately, select Back up now, or click Skip to continue the system image recovery without backing up any of your current files. Click Restart.
  7. Select a language to be used for your keyboard input and click Next.
  8. Select the system image for recovery using either of the two options:
  • To use the latest system image for recovery, select Use the latest available system image and click Next.
  • To select a specific system image for recovery, select the location of the backup image for the computer you want to restore from the list, and click Next. Then select the date and time of the system image to restore, and click Next.
  9. After selecting the system image, select the Format and repartition disks check box.
  10. If you want to recover only those drives that are required to run Windows, select the Only restore system drives check box. Click Next.
  11. Click Finish and then click Yes.
  12. Windows now restores your computer from the system image. Once the restoration is complete, click Restart Now.
  13. If you chose to create the backup immediately in step 6, you will see the option Restore my files after the computer restarts. Select this option to restore the files.

Configuring a VHD



Windows 7 has a new feature called VHD Boot. This feature allows you to boot your entire Windows from a Virtual Hard Disk (VHD) file. There are various advantages of this feature, like:
  • The configurations and settings of your entire system are included in one file – .VHD file.
  • One VHD file can be based on another one. So if you have different systems, create a base copy of Windows 7 on a VHD and make all others incremental. This saves a lot of disk space.
This feature can only be used on Windows 7, Windows Server 2008 R2, or later operating systems; operating systems released before Windows 7 do not support VHD boot. With VHD boot, your system suffers a performance decrease of about 3%. The Windows hibernate function and BitLocker are not supported by VHD boot: BitLocker can be used within the guest VHD, but not on the volume where the VHD resides. Also, with VHD boot, features like Aero don’t work because the Windows Experience Index is not supported.
Types of Virtual Hard Disks
Three types of VHD files can be created using the disk-management tools:
  • Fixed hard-disk image. A fixed hard-disk image is a file that is allocated to the size of the virtual disk. For example, if you create a virtual hard disk that is 2 gigabytes (GB) in size, the system will create a host file approximately 2 GB in size. Fixed hard-disk images are used for production servers and working with customer data.
  • Dynamic hard-disk image. A dynamic hard-disk image is a file that is only as large as the actual data written to it. As more data is written, the file dynamically increases in size. For example, the size of a file backing a virtual 2 GB hard disk is initially around 2 megabytes (MB) on the host file system. As data is written to this image, it grows up to a maximum size of 2 GB. Dynamic hard-disk images are beneficial for development and testing environments. Dynamic VHD files are smaller, easier to copy, and expand after mounting.
  • Differencing hard-disk image. A differencing hard-disk image describes a modification of a parent image. This type of hard-disk image is not independent, and it depends on another hard-disk image to be fully functional. The parent hard-disk image can be any of the above mentioned hard-disk image types, including another differencing hard-disk image.

Creating a VHD
Perform these steps to create a VHD file on your Windows 7-based computer:
  1. Click Start and then right-click Computer.
  2. Click Manage, then in the left pane, right-click Disk Management, and then click Create VHD.
  3. Select a location to save your VHD file.  Select the maximum size for your VHD file. You can also choose from either of the two options – Dynamically Expanding, where the size of the VHD expands dynamically to a fixed maximum size, or Fixed Size, where the virtual hard disk uses a fixed amount of space regardless of the size of data stored on it.
  4. The new disk will show in the right pane as unallocated space. Right-click the new unallocated VHD Disk number and click Initialize Disk.
  5. You need to choose if you want the new VHD to have Master Boot Record (MBR) or GUID Partition Table (GPT) partition, and click OK.
  6. Right-click again on the new unallocated VHD and click New Simple Volume.
  7. Type how much of the maximum disk space you want to use for this VHD partition, and click Next.
  8. Select the file system for your VHD from either FAT or NTFS, and enter a name for your VHD. Select the Perform a quick format check box, and click Next.
  9. Click Finish. The system creates a new simple volume on your VHD, which is already attached.

Installing a VHD-Boot Machine
Perform these steps to install Windows 7 to a VHD file:
  1. Boot the system with a Windows 7 setup DVD or any other boot media.
  2. On the setup screen, don’t choose Install Now, but press Shift-F10 to get into command line mode.
  3. Type diskpart on the command line mode to start the partitioning utility.
  4. Create a new VHD file by typing the following command (substitute your own path and maximum size in MB):
create vdisk file="D:\pathToVhd.vhd" type=expandable maximum=maxsizeInMegabyte

  5. Select the new VHD and attach it as a physical disk. Use the following commands to perform this task:
select vdisk file="D:\pathToVhd.vhd"
attach vdisk

  6. Proceed with the normal setup and make sure that you install Windows to the correct disk. You may receive the warning "Windows cannot install to this disk". Ignore this warning.

  7. At the next startup, you’ll see Windows 7 in the boot menu. If you want to add a VHD to the boot menu manually, use these commands:
bcdedit /copy {originalguid} /d "New Windows 7 Installation"
bcdedit /set {newguid} device vhd=[D:]\Image.vhd
bcdedit /set {newguid} osdevice vhd=[D:]\Image.vhd
bcdedit /set {newguid} detecthal on
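The four bcdedit commands above scripted end to end: bcdedit /copy prints the GUID of the new entry, and the script captures it rather than having you retype it into the three /set commands. This is an added example, not from the original post; the VHD path D:\Image.vhd and the entry description are assumed values.

```powershell
# Added example (not from the original post): add a boot menu entry for an
# existing VHD by cloning the running system's entry ({current}) and pointing
# the copy at the VHD. Run elevated. Path and description are assumed values.
param(
    [string]$VhdPath     = 'D:\Image.vhd',
    [string]$Description = 'New Windows 7 Installation'
)
if (-not (Test-Path $VhdPath)) { throw "VHD not found: $VhdPath" }

# bcdedit expects the VHD as [<drive>:]\path, so split the qualifier off.
$drive  = Split-Path -Qualifier $VhdPath      # e.g. D:
$rest   = Split-Path -NoQualifier $VhdPath    # e.g. \Image.vhd
$vhdRef = "[$drive]$rest"

# Step 1: copy the current entry. The output ends with the new entry's GUID,
# e.g. "The entry was successfully copied to {xxxxxxxx-....}".
$copyOut = & bcdedit.exe /copy '{current}' /d $Description
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $($copyOut -join ' ')" }

$newGuid = [regex]::Match(($copyOut -join ' '), '(?i)\{[0-9a-f-]{36}\}').Value
if (-not $newGuid) { throw "Could not find the new entry's GUID in: $($copyOut -join ' ')" }

# Steps 2-4: device and osdevice both point at the VHD; detecthal lets the
# new installation pick its hardware abstraction layer on first boot.
$settings = @(
    @('device',    "vhd=$vhdRef"),
    @('osdevice',  "vhd=$vhdRef"),
    @('detecthal', 'on')
)
foreach ($s in $settings) {
    & bcdedit.exe /set $newGuid $s[0] $s[1]
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $newGuid $($s[0]) failed" }
}

# Show the finished entry so the device/osdevice values can be eyeballed.
& bcdedit.exe /enum $newGuid
```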

Attaching an Existing VHD
  1. Click Start, right-click Computer, and select Manage.
  2. In the left pane, right-click Disk Management and then click Attach VHD.
  3. Click Browse, navigate to the VHD file location, select the file, and then click Open. If you want the VHD to be read-only, select the Read-only check box. Click OK.

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | Best WordPress Themes