
Windows 2012 Server Network Security

Securing Your Windows Network Systems and Infrastructure

Derrick Rountree
Richard Hicks, Technical Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS • SAN DIEGO SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an Imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Heather Scherer
Project Manager: Priya Kumaraguruparan
Designer: Mark Rogers

Copyright © 2013 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations, such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Application submitted.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-958-3

Printed in the United States of America

Contents

DEDICATION
ACKNOWLEDGMENTS
ABOUT THE AUTHOR
ABOUT THE TECHNICAL EDITOR
PREFACE

CHAPTER 1 Introduction
  Intro to Windows 8 and Windows Server 2012
  Server Manager
  PowerShell
  Intro to IPv6
  IPv6 Architecture
  Summary

CHAPTER 2 Network Infrastructure
  Introduction
  DHCP
  DHCP Overview
  DHCP Installation and Initial Configuration
  Initial DHCP Configuration
  Protecting Your DHCP Environment
  DNS
  DNS Overview
  DNS Installation and Initial Configuration
  Protecting Your DNS Environment
  WINS
  WINS Overview
  WINS Feature Installation and Initial Configuration
  Protecting Your WINS Environment
  Summary

CHAPTER 3 Securing Network Access
  Introduction
  General Network
  Network Discovery
  Network Location
  Wireless Security
  Wireless Properties
  Security Types
  Wireless Encryption
  Network Profiles
  Windows Firewall Configuration
  Windows Firewall with Advanced Security
  IPSEC
  IPSec Overview
  Configuring IPSec
  IPSec Monitoring in Windows Firewall with Advanced Security
  Windows 8 Resource Sharing
  HomeGroup
  Advanced Sharing Settings
  Windows Server 2012 Resource Sharing
  Summary

CHAPTER 4 Secure Remote Access
  Introduction
  TELNET
  Telnet Server
  Telnet Client
  Remote Desktop on Windows 8
  Remote Desktop Services Role on Windows Server 2012
  Remote Desktop Connection Client
  Remote Access Role
  Remote Access Role Installation and Configuration
  DirectAccess
  VPN
  Network Policy and Access Services
  NPAS Installation and Configuration
  Network Policy Server
  Health Registration Authority
  Host Credential Authorization Protocol
  Summary

CHAPTER 5 Internet Connection Security
  Security
  Domain Highlighting
  Frequently Visited Sites
  Safety Features
  Internet Options
  General
  Security
  Privacy
  Content
  Connections
  Programs
  Advanced

CHAPTER 6 Network Diagnostics and Troubleshooting
  Processes
  Performance Tab
  App History
  Startup
  Users
  Services
  Resource Monitor
  Resource Monitor Overview Tab
  Resource Monitor Network Tab
  Data Collector Sets
  Windows Logs
  Applications and Services Logs
  Network Monitor
  Summary

CHAPTER 7 Network Tools and Utilities
  Introduction
  Local Security Policy
  Local Policies
  Network List Manager Policies
  IP Security Policies on the Local Computer
  Advanced Audit Policy Configuration
  Computer Configuration > Policies > Windows Settings
  Computer Configuration > Policies > Administrative Templates: Policy Definitions (ADMX Files) Retrieved from the Local Computer
  Computer Configuration > Preferences > Windows Settings
  Computer Configuration > Preferences > Settings
  User Configuration > Policies > Windows Settings
  User Configuration > Policies > Administrative Templates
  Computer Configuration > Preferences > Windows Settings
  Computer Configuration > Preferences > Control Panel Settings
  Security Configuration Wizard
  Using the Security Configuration Wizard
  Command-Line Tools
  Ipconfig
  Ping
  Tracert
  Netstat
  NBTStat
  ARP
  Getmac
  NET
  Pathping
  Route
  PowerShell Commands
  General Networking
  Network Management
  Other Relevant Tools
  PortQry
  Security Compliance Manager
  Microsoft Baseline Security Analyzer
  Enhanced Mitigation Experience Toolkit
  Attack Surface Analyzer
  Summary

INDEX

Dedication

This book is dedicated to my daughter Riley, the most amazing two-year-old ever.


Acknowledgments

I would like to thank my wife Michelle, my mother Claudine, and my sister Kanesha. I would also like to thank the Elsevier staff, especially Angelina Ward and Heather Scherer. It has truly been a pleasure working with you.


About the Author

Derrick Rountree (CISSP, CASP, MCSE) has been in the IT field for almost 20 years. He has a Bachelor of Science degree in Electrical Engineering. Derrick has held positions as a network administrator, an IT consultant, a QA engineer, and an Enterprise Architect. He has experience in network security, security, application security, and secure software development. Derrick has contributed to several other Syngress and Elsevier publications on Citrix, Microsoft, and Cisco technologies.


About the Technical Editor

Richard Hicks is a network and information security expert specialized in Microsoft technologies, an MCP, MCSE, MCITP Enterprise Administrator, CISSP, and four-time Microsoft Most Valuable Professional (MVP). He has traveled around the world speaking to network engineers, security administrators, and IT professionals about security and remote access solutions. A former information security engineer for a Fortune 100 financial services company in the US, he has nearly two decades of experience working in large-scale corporate computing environments. He has designed and deployed perimeter defense and secure remote access solutions for some of the largest companies in the world. Richard has served as a technical reviewer on several Windows networking and security books and is a contributing author for WindowsSecurity.com and ISAserver.org. He is an avid fan of Major League Baseball and in particular the Los Angeles Angels (of Anaheim!), and enjoys craft beer and single malt Scotch whisky. Born and raised in Southern California, he still resides there with Anne, the love of his life and wife of 27 years, along with their four children. You can keep up with Richard by visiting http://www.richardhicks.com/.


Preface

Windows 8 and Windows Server 2012 are major releases for Microsoft. There are a lot of new networking features and improvements to old features. We will be looking at these features from a security perspective. We will cover general functionality where necessary, but our focus will be on security. We will discuss how to secure your general networking features. We will also discuss how to implement security-related features.

You must keep in mind that security is not just about cryptography and virus protection. The basis of information security is the CIA triad. This includes confidentiality, integrity, and availability. We’re going to discuss ways of making your networked systems secure, stable, and highly available.

This book is not an administrator’s guide. We won’t be going over where to find tools and utilities. We also won’t be going over general configuration information, unless we are configuring a security-related feature. If you need in-depth information about features and functionality, it’s recommended that you use supplemental reference material.

INTENDED AUDIENCE

This book is intended for anyone who will be using, administering, or securing Windows 8 or Windows Server 2012 systems and networks. In the past, security was just for security professionals. They were the only ones who cared about making sure systems were safe. Nowadays, we realize that everyone has a hand in making sure the environment is secure. A DNS Administrator, for example, must make sure that not only is the DNS infrastructure doing name resolution properly, but also that it’s available when needed and is protected against unauthorized requests.

To get the full value from this book, an individual should have a good understanding of general networking concepts. You should also have a good understanding of how to administer Windows systems. Since the book will not be covering general Windows functionality, it’s important to have an understanding of how to navigate the new look and feel of the Windows system.

WHY IS THIS INFORMATION IMPORTANT

Nowadays, we realize it’s everyone’s responsibility to make sure the system they use is secure. With the release of a new operating system comes a new set of attacks. It’s important that you have the right information needed to mitigate these attacks. This is what this book will provide you with.

The cyber world is evolving. Companies not only have to worry about external threats, but also internal threats. Attacks are becoming more complex and more calculated. Attackers don’t always attack the system they want directly. They may compromise another system and use that system to attack their ultimate target. Even if you don’t want a certain system to have valuable information on it, it still needs to be protected. You don’t want that system to be the one used to compromise another system.

New initiatives like BYOD (Bring Your Own Device) are allowing corporate users to bring their personal devices into the workplace. This has caused a blur in the line between corporate and personal systems. You have both types of devices on the network. So, it’s important that both types of devices be secured.

THE STRUCTURE OF THE BOOK

This book is broken down into seven chapters, including the Introduction. The chapters flow from infrastructure outward to Internet connectivity. Then it’s wrapped up with the tools you need to monitor and administer these environments.

Chapter 1: Introduction

The Introduction will give you a general overview of the tools needed to manage Windows systems. We provide this overview to ensure that there is a good foundation for the concepts we cover later. We will also go over IPv6. The configuration and management of an IPv6 environment is different from an IPv4 environment. So we want to make sure you have a good understanding of some of the new concepts before we move forward.

Chapter 2: Network Infrastructure

This chapter will discuss how to securely deploy your network infrastructure. The infrastructure is what will provide the basis for the rest of your network connectivity. We will cover how to secure your DHCP, DNS, and WINS infrastructure.

Chapter 3: Securing Network Access

This chapter will cover how to connect a system to a network. We will cover both wired and wireless access. We will go over basic connectivity and access as well as more advanced concepts like Windows Firewall and IPSec.

Chapter 4: Secure Remote Access

This chapter will cover remote access to your network and to individual systems. It’s important that this be done in a secure way to prevent unauthorized access and information leakage.

Chapter 5: Internet Connection Security

In this chapter, we will discuss how to secure Internet Connections. We will start with Internet Explorer and then move to general Internet security settings.

Chapter 6: Network Diagnostics and Troubleshooting

In this chapter, we will cover tools that can be used to monitor and troubleshoot your systems. They can be used to help ensure availability. They can also be used to detect unwanted or malicious activity.

Chapter 7: Network Tools and Utilities

This chapter discusses some of the network tools and utilities that can be used to configure, manage, and secure Windows networking components. We will cover some simple command-line utilities as well as more robust tools.

CHAPTER 1

Introduction

INFORMATION IN THIS CHAPTER

- Intro to Windows 8 and Windows Server 2012
- Intro to IPv6

Networking is a key component of any environment. Windows 8 and Windows Server 2012 offer a wide range of networking features and functionality. It’s important that you understand these features and functionality so that you can properly secure them. But, before we get into those, we will start with some more general information. In this chapter, we will start with an overview of some of the key components of Windows 8 and Windows Server 2012 that will help you as we go through the rest of the chapters. Then we will move into a discussion of IPv6, and how it’s implemented in Windows 8 and Windows Server 2012.

INTRO TO WINDOWS 8 AND WINDOWS SERVER 2012

When you look at Windows 8 and Windows Server 2012, the first thing you will notice is a big difference in the UI. But, that’s not the only difference. There are some important differences in the management of the operating systems. There is a new Server Manager console that offers new management functionality and there has been increased functionality built into PowerShell.

Server Manager

In Windows Server 2012, Server Manager has been enhanced to provide greater management and monitoring functionality. It’s your starting point for a lot of general administrative functions you will need to perform. You can access event and performance information. You can also install new roles and services from here.

Windows 2012 Server Network Security. http://dx.doi.org/10.1016/B978-1-59749-958-3.00001-7 © 2013 Elsevier Inc. All rights reserved.

FIGURE 1.1 Server Manager Dashboard View

Dashboard

When you log into Windows Server 2012, Server Manager will open. You will be presented with the Dashboard view, as seen in Figure 1.1. The Dashboard view allows you to access information about different roles and services that have been installed on the system. You can view information on manageability, events, performance, and BPA results.

Local Server

The Local Server section, as seen in Figure 1.2, will give you detailed information about the server to which you are currently connected. You can view server properties, events, services, Best Practices Analyzer information, performance information, and roles and features information.

Add Roles and Features

Server Manager is where you go to Add Roles and Features to your server. In upcoming chapters, we will be installing different roles and features. Most of these installs will be launched from Server Manager. The first few steps of all the installs will be the same. So, instead of repeating these steps multiple times, we will go through these steps now:

1. In the Server Manager Dashboard, select Add Roles and Features. This will launch the Add Roles and Features Wizard. First, you will be presented with the Before You Begin screen, as seen in Figure 1.3. This screen describes what can be done using the wizard. It also gives configuration suggestions to follow before you continue with the wizard. Click Next.

FIGURE 1.2 Server Manager Local Server View

FIGURE 1.3 Add Roles and Features Wizard Before You Begin Screen

2. Next, you will see the Installation Type screen, as seen in Figure 1.4. You have two options. You can install roles or features on the system; or you can install VDI (Virtual Disk Infrastructure) services on the system. Select Role-based or feature-based installation, and click Next.

FIGURE 1.4 Add Roles and Features Wizard Installation Type Screen

3. Next you will see the Server Selection screen, as seen in Figure 1.5. Here, you can choose to install to a server or to a VHD (virtual hard disk). If you choose a VHD, you have the option to install to a VHD attached to an online server, or to install to an offline VHD. Select the option Select a server from the server pool. Then choose the server you want to install onto, and click Next.

Config Export

One useful feature of the Roles and Features Wizard is the ability to export an installation configuration. After you have finished configuring the settings for an installation, you have the option to save the configuration to an XML file. You can then use PowerShell to script an install with the same settings on a different server. This not only makes it easier to install multiple servers, but it also helps to ensure consistent installations. The command you would use to perform the install is as follows:

    Install-WindowsFeature -ConfigurationFilePath <exported XML file>

Notifications

The Notifications section of Server Manager, as seen in Figure 1.6, will provide notification and alert messages. For example, after you install a role, a notification will be posted letting you know that the install was successful. You will also get a notification after an install, if there is post-install configuration that needs to be done.

FIGURE 1.5 Add Roles and Features Server Selection Screen

FIGURE 1.6 Server Manager Notifications Sections

Manage

The Manage menu provides you the ability to add and remove roles and features. You can add servers to be managed by Server Manager. You can also create server groups.

Tools

The Tools menu brings up a list of various tools that you can use to manage your server. There are entries for Local Security Policy, Performance Monitor, Resource Monitor, the Security Configuration Wizard, and many other options. Some of these security-related tools will be covered later in this book.

PowerShell

PowerShell is a very powerful management language used with Windows systems. Windows PowerShell is a combination command-line shell and scripting language. PowerShell allows access to COM and WMI management components. This greatly expands the potential of the PowerShell language.

PowerShell is one of the main tools used for managing Windows systems. In fact, many Windows management consoles are actually built on top of PowerShell. PowerShell includes a hosting API that can be used by GUI applications to access PowerShell functionality. PowerShell commands can be executed as cmdlets, PowerShell scripts, PowerShell functions, and standalone executables. Cmdlets are launched within the PowerShell process. Standalone executables are launched as a separate process.

As Windows moves forward, there will be an increasing reliance on PowerShell. It's important that you understand how to use it to manage and administer your systems. As we go through this book we will periodically reference different PowerShell commands that may be useful to you.

INTRO TO IPv6

IPv6 is the newest version of the IP protocol. It was designed to replace IPv4, which is the version used throughout most of the Internet. The problem was that there weren’t enough IPv4 addresses to satisfy the needs of the growing Internet. IPv6 has been long talked about, but it is just now picking up steam. More and more Internet Service Providers are supporting the protocol. World IPv6 Launch Day was June 6, 2012. This was the day many ISPs and vendors permanently enabled IPv6 for their products and services.

IPv6 Architecture

The IPv6 architecture is very different from the IPv4 architecture. These architecture differences are what make IPv6 the choice for the future. IPv6 is scalable, secure, and relatively easy to set up.

IPv6 Addressing

IPv6 addresses are 128 bits long. Compare that to IPv4 addresses which are 32 bits. This means there are 3.4 × 10^38 addresses. That’s approximately 4.8 × 10^28 addresses for each person on earth. There is almost no way we will ever use anywhere near that many addresses. The main benefit of having that many addresses available is that you can waste addresses. With IPv4 addresses, there was no room for waste. You had to make sure you made the most efficient use of addresses possible. With IPv6, that’s no longer a concern. You should make sure you come up with a scheme that is best for your organization, but it’s ok if you waste addresses.

IPv6 Notation

IPv6 addresses consist of eight groups of 16-bit numbers, separated by colons. The 16-bit numbers are represented as hex digits:

abcd:1234:1234:abcd:0230:0bcd:1234:a0cd

As you can see, IPv6 addresses can be quite long and very hard to remember. To make things a little bit easier, IPv6 addresses can be abbreviated. There are two ways IPv6 addresses can be abbreviated. The abbreviations are based on the existence of zeros. First of all, you can remove one or more leading zeros from a group of 4 hex digits:

abcd:1234:0000:abcd:0230:0bcd:1234:a0cd
becomes
abcd:1234:0:abcd:230:bcd:1234:a0cd

Also, you can remove an entire section of zeros and replace it with a double colon (::). The double colon can only be used once in an address:

0000:0000:abcd:1234:abcd:1234:abcd:1234
becomes
::abcd:1234:abcd:1234:abcd:1234

or

abcd:1234:0000:0000:0000:abcd:1234:abcd
becomes
abcd:1234::abcd:1234:abcd

In IPv4 you had the network portion of the address and the host portion of the address. The subnet mask is used to tell you which portion of the address is which. There are two ways to write IPv4 subnet masks. You can use the traditional form, 255.255.255.0, for example. Or you can use the CIDR format, /24. In IPv6, the network portion of the address is called the prefix. The prefix is also denoted by the subnet mask. But, IPv6 subnet masks are only written using the CIDR format.

IPv6 Address Types

There are three types of addresses used with IPv6: unicast, multicast, and anycast. Unicast addresses are what you would call regular addresses. They are the addresses usually bound to your network card. Unicast addresses should be unique on a network, meaning a single unicast address should only represent a single system.

Multicast addresses are used to make a one-to-many connection. Multiple systems can listen on the same multicast address. So, when a system sends out a message using a multicast address, multiple systems may respond. Multicast addresses will start with FF0 or FF1. FF02::2 is the multicast address used by routers. IPv6 uses multicast addresses to accomplish a lot of the functionality performed by broadcast addresses in IPv4.

Anycast addresses are addresses that are shared by multiple systems. Anycast addresses are generally used to find network devices like routers. When a message is sent out via an anycast address, any system using that address may respond.

Unicast addresses come in four flavors: global, site-local, link-local, and unique local. Global addresses are routable throughout the Internet. Global IPv6 addresses start with 001. Site-local addresses are only routable within a specified site within an organization. Link-local and unique local addresses will be covered in the next section on special addresses.

Note: The concept of sites has been deprecated in IPv6, so site-local addresses are no longer used.

IPv6 Special Addresses

There are several special addresses in IPv6. These addresses or groups of addresses serve very specific functions. We will cover the loopback address, link-local addresses, and unique local addresses.

Loopback Address

The loopback address, also called localhost, is probably familiar to you. It is an internal address that routes back to the local system. The loopback address in IPv4 is 127.0.0.1. In IPv6, the loopback address is 0:0:0:0:0:0:0:1 or ::1.

Link-Local Addresses

Link-local addresses are intended to only be used on a single network segment or subnet. Routers will not route link-local addresses. Link-local addresses also existed in IPv4. They existed in the address block 169.254.0.0/16. These addresses were used by the DHCP autoconfiguration service on a system when a DHCP address could not be obtained. Link-local addresses allow you to have network connectivity until another more suitable address can be obtained.

In IPv6, the address block fe80::/64 has been reserved for link-local addresses. The bottom 64 bits used for the address are random. In IPv6, link-local addresses may be assigned by the stateless address autoconfiguration process. An IPv6 system must have a link-local address in order for some of its internal protocol functions to work properly. So, during a normal startup process, an IPv6 system will obtain a link-local address before it receives a regular, routable IP address.

Unique Local Address

Unique local addresses are a set of addresses that are intended for use in internal networks. They are similar to “private” IPv4 addresses. These addresses can only be used within a specified organization. They are not routable on the global Internet. Using unique local addresses can help prevent external systems from having direct access to your internal systems. The address block fc00::/7 has been reserved to use for unique local addresses.
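An added example (not from the book) that sorts addresses into the categories described in the two sections above, using the address blocks as the text gives them, and reports which hosts hold an Internet-routable address. The inventory and host names are constructed, and 2001:db8::/32 is the documentation prefix standing in for a real global prefix.

```python
import ipaddress

# Address blocks as given in the text above.
LOOPBACK = ipaddress.IPv6Address("::1")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # leading bits 001


def classify(text):
    """Return the category of one IPv6 address string."""
    # Windows prints link-local addresses with a zone index (fe80::1%12).
    # The index names the local interface and is not part of the address.
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])
    if addr == LOOPBACK:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def internet_reachable(inventory):
    """Map each host to the addresses it holds that are routable on the Internet."""
    exposed = {}
    for host, addresses in inventory.items():
        hits = [a for a in addresses if classify(a) == "global"]
        if hits:
            exposed[host] = hits
    return exposed


# Constructed inventory: host name -> addresses seen on its interfaces.
INVENTORY = {
    "dns01": ["fe80::1c2d:3e4f:5a6b:7c8d%12", "fd12:3456:789a:1::53"],
    "web01": ["fe80::a1b2:c3d4:e5f6:1788%3", "2001:db8:10::80",
              "fd12:3456:789a:1::80"],
    "file01": ["fe80::9d8c:7b6a:5f4e:3d2c%5", "fd12:3456:789a:2::10"],
}

if __name__ == "__main__":
    for host, addresses in INVENTORY.items():
        for address in addresses:
            print(f"{host:7} {classify(address):13} {address}")
    print("Internet-routable:", internet_reachable(INVENTORY))
```

Hosts that should only be reachable internally belong in the unique-local and link-local rows; anything listed as Internet-routable needs to be covered by firewall policy.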

IPv6 Addressing

When you look at the IP configuration on an IPv6 system, you will see multiple addresses. First you will see the public address. The public address is the address used by other systems to contact an IPv6 system. This is the address that would be registered in the DNS server.

You will also see what is called a temporary address. It’s called temporary because it may change after a given interval. The temporary address is the address used when making connections to other systems, such as when you browse the Internet. This adds an additional layer of security because it would be very difficult to trace this temporary address back to the originating system.

Note: On Windows systems, the public address is simply labeled IPv6 address.

The third type of address you may see is a tentative address. After the system generates an address, it is considered tentative until the verification process to make sure the address does not exist elsewhere on the network completes. The verification process happens so quickly that you will probably never actually see an address labeled tentative.

Stateless Address Autoconfiguration

IPv6 systems can automatically configure themselves when on a network with an IPv6 compliant router. The process is as follows:

1. The system boots up and generates a link-local address.
2. A message is sent to the multicast address FF02::2 to find a router.
3. The router sends back a link address or prefix.
4. The system uses the prefix as the beginning portion of the address and randomly generates the ending portion of the address.
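The four steps above, together with the tentative-address check described earlier, as an added simulation (not code from the book). The Router class, the set standing in for addresses already on the link, and the 2001:db8:a:1::/64 prefix are constructed for illustration; a real host performs the verification with network messages rather than a set lookup.

```python
import ipaddress
import secrets

ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")    # multicast address from step 2
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")   # link-local block from the text


class Router:
    """Stand-in for an IPv6 router that hands out one prefix."""

    def __init__(self, prefix):
        self.prefix = ipaddress.IPv6Network(prefix)

    def solicit(self, source, destination):
        # Step 3: answer only requests sent to the all-routers address.
        if destination != ALL_ROUTERS:
            return None
        return self.prefix


def random_interface_id():
    """Random 64-bit ending portion of an address."""
    return secrets.randbits(64)


def claim_address(prefix, in_use, new_interface_id):
    """Combine prefix and interface ID; retry while the address is taken.

    The candidate is 'tentative' until the check against addresses already
    on the link passes, and only then is it assigned.
    """
    if prefix.prefixlen != 64:
        raise ValueError("this sketch assumes a 64-bit prefix")
    while True:
        tentative = prefix[new_interface_id()]
        if tentative not in in_use:
            in_use.add(tentative)
            return tentative


def autoconfigure(router, in_use, new_interface_id=random_interface_id):
    """Run steps 1-4 and return the addresses the host ends up with."""
    # Step 1: generate a link-local address.
    link_local = claim_address(LINK_LOCAL, in_use, new_interface_id)
    # Steps 2-3: ask the all-routers address for a prefix.
    prefix = router.solicit(source=link_local, destination=ALL_ROUTERS)
    routable = None
    if prefix is not None:
        # Step 4: prefix as the beginning portion, random ending portion.
        routable = claim_address(prefix, in_use, new_interface_id)
    return {"link_local": link_local, "routable": routable}


if __name__ == "__main__":
    router = Router("2001:db8:a:1::/64")          # constructed prefix
    on_link = {ipaddress.IPv6Address("fe80::1")}  # address of another system
    result = autoconfigure(router, on_link)
    print("link-local:", result["link_local"])
    print("routable:  ", result["routable"])
```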

SUMMARY

Windows 8 and Windows Server 2012 have many similarities to older versions of Windows, but there are also many new aspects. There are new features and improvements on old features. The new Server Manager offers an improved management interface. There are also improvements to Windows PowerShell that greatly expand its effectiveness.

IPv6 has been around for a while. It's also been supported in Windows systems for quite some time. But, as IPv6 grows in popularity, it’s essential that you have a good understanding of it and how it works on Windows systems.
