MCP 70-299 : Assessing and Deploying a Patch Management Infrastructure

Lesson 3: Deploying Updates on Existing Clients

Manually Applying Updates :

Microsoft distributes updates by using executable files that automatically install themselves when run. However, all Microsoft updates also support standardized commandline parameters to change the default installation behavior. Table 6.3 lists the parameters available for updates. The parameters listed in the New Parameter column can be used with updates released on or after September 17, 2003. You must use the parameters listed in the Old Parameter column for updates released prior to September 17, 2003. As of the time of this writing, new updates support the old parameters. However, backward compatibility with the old parameters might be dropped at some point, so you should always use the new parameters when possible.

Windows Update Web Site :

The quickest way to manually detect missing updates and install them on a computer is to directly access the Windows Update Web site. To update a computer with critical updates, security updates, and service packs by using Windows Update:
1. Click Start, point to All Programs, and then click Windows Update.
2. Click Scan For Updates.
3. Click Review And Install Updates.
4. Click Install Now. The updates will be downloaded and installed. You might be prompted to accept
a license agreement.
5. Restart the computer and return to step 1 until all critical updates and service packs have been installed.

Software Update Services :

SUS, a free download that can be installed on Windows 2000 Server–based and Windows Server 2003–based computers that have Internet Information Services (IIS) installed, provides administrators with a local alternative to the Microsoft Windows Update servers. Using the Automatic Updates client, computers on your network can automatically download and install updates from your SUS server.
The easiest way to install IIS is to use the Manage Your Server tool and add the Application Server role. For the purposes of installing Software Update Services, you can accept the default settings; neither Microsoft ASP.NET nor Microsoft FrontPage extensions are required. SUS will install itself into the Default Web Site, if it is available. Otherwise, SUS will create a new Web site.

Group Policy :

Group Policy objects can be configured to automatically install Windows Installer packages on computers. Service packs include a Windows Installer package, making it simple to use a Group Policy object to deploy a service pack.
Service packs, more than any other type of update, require extensive testing and pilot deployments because of the extensive changes they make. Although SUS is an excellent way to distribute frequently released security updates to a large number of client computers, you cannot use a single SUS server to stage a pilot deployment to a small number of computers in your organization. Fortunately, you can use Group Policy objects to distribute service packs directly.

After you assign the service pack package, Windows Installer installs the service pack automatically when users start their computers. Users are not presented with a choice to install the service pack. Only a network administrator or someone who is logged on to a local computer as a member of the Administrators group on that computer can remove the assigned software.
To distribute a service pack by using a Group Policy object:
1. Download the network install version of the service pack to a file server.
2. Extract the service pack files using the /x parameter. For example, to extract Service Pack 4 for Windows 2000, execute the command W2ksp4_en /x. Extract the files to a shared folder that both client computers and domain controllers can access. After the extraction completes, click OK.
3. Connect to the shared folder just as a client would. For example, if you extracted the files to the \\server\updates shared folder, map a network drive to \\server\updates. This will ensure that clients can locate the package after the GPO instructs the client to install it.
4. Create a new GPO or edit an existing GPO that you will use to distribute the service pack.
5. Using the Group Policy Object Editor snap-in, expand Computer Configuration, expand Software Settings, and then click Software Installation.
6. Right-click Software Installation, click New, and then click Package.
7. Navigate to the folder to which you extracted the service pack, and locate the Update.msi file. Though future service packs might place this file in a different location, recent service packs have stored it in the i386\update\ directory. Click the Update.msi file, and then click Open.
8. In the Deploy Software dialog box, click Assigned, and then click OK.

After a package has been added to the Software Installation node of a GPO, you can choose to remove or deploy it for troubleshooting purposes. If a service pack installation fails to deploy successfully, you can redeploy it by right-clicking the package, clicking All Tasks, and then clicking Redeploy Application.

MCP 70-299 : Assessing and Deploying a Patch Management Infrastructure

Lesson 2: Deploying Updates on New Clients
Security Considerations :

Computers are under attack from the moment they connect to the Internet. Worms and viruses are constantly active, probing every IP address for vulnerabilities. Microsoft Windows Server 2003 is much more resilient to attacks that might occur during the installation process than earlier versions of Windows because it adheres to the “secure by default” ideal. However, vulnerabilities have been discovered in unpatched computers running Windows Server 2003, and these vulnerabilities might be exploited during the setup process.
Although it is possible to update and secure a computer running Windows so that it can be connected directly to the Internet without becoming infected by a worm or a virus, a computer does not have the benefit of updates or security hardening during the installation process. If you attempt to install Windows on a computer while it is connected to the Internet, there is a high probability that it will be attacked, and possibly exploited.

Integrated Installation :

You can apply service packs, but not necessarily other types of updates, directly to Windows 2000, Windows XP, and Windows Server 2003 installation files. The process of integrating a service pack into the original setup files for an operating system is called slipstreaming. Slipstreaming creates an integrated installation—including the latest service pack—that can be used when installing the operating system on new computers. Using this process improves the security of new computers, and reduces the time required to apply updates after completing the initial installation. You can either perform the installation from a shared folder or create a CD with the integrated setup files.
Because the integrated installation replaces individual files, the space requirements for this installation type are almost identical to the space requirements for the base operating system. After you slipstream a service pack into the operating system setup files, you cannot remove the service pack.

Lesson Summary :

■ Computers should not be connected to the Internet or even to a private network with other hosts, until after the operating system and all updates have been installed.
■ Computers can be built while connected to the network if you create an isolated network segment with a minimal number of trusted computers that have been scanned for worms, viruses, and other malicious software.
■ You can reduce the time required to install new updates by slipstreaming a service pack into operating system installation files and configuring other updates to be automatically applied.

MCP 70-299 : Assessing and Deploying a Patch Management Infrastructure

Lesson 1: Assessing Patch Levels

The MBSA Console :

Microsoft Baseline Security Analyzer (MBSA), which was also discussed in Chapter 4, is used to analyze one or more computers for vulnerabilities in two categories: weak security configurations and missing security updates. This section focuses on using MBSA to scan for updates that should have been installed but have not been.
After installing MBSA, you can use it to scan all computers on your network or domain for which you have administrator access. To scan all computers on a specific subnet using your current user credentials:
1. Start MBSA by clicking Start, pointing to All Programs, and then clicking Microsoft Baseline Security Advisor.
2. On the Welcome To The Microsoft Baseline Security Analyzer page, click Scan More Than One Computer.
3. On the Pick Multiple Computers To Scan page, type the IP address range you want to scan. To speed up the scanning process, clear all check boxes except for Check For Security Updates. If you have a Software Update Services (SUS) server on your network, you can further speed up the process by selecting Use SUS and specify
4. Click Start Scan. As MBSA performs the scan, it will keep you updated on the progress,
5. After the scan is completed, the View Security Report page appears, listing the computers that were scanned.

MBSACLI :

Scanning a large network should be done on a regular basis to find computers that have not been properly updated. However, scanning a large network is a time-consuming process. While the MBSA console is the most efficient way to interactively scan a network, the Microsoft Baseline Security Analyzer command-line interface (MBSACLI) provides a way to script an analysis. By using scripts, you can schedule scanning to occur automatically, without your intervention. In this way, you can have MBSACLI generate a report that you can refer to on demand.
Another good reason to schedule scans by using MBSACLI is to scan from multiple points on your network. For example, if your organization has five remote offices, it is more efficient to scan each remote office by using a computer located in that office. This improves performance, reduces the bandwidth used on your wide area network, and allows you to scan computers even if a perimeter firewall blocks the ports that MBSACLI uses to scan.

Lesson Summary :

■ The graphical MBSA console is the most efficient way to scan a single computer or multiple computers for the presence of updates.
■ The graphical MBSA console can be configured to scan a single computer, a range of IP addresses, or all computers contained within a domain.
■ MBSA stores reports in XML format in the C:\Documents and Settings\username\SecurityScans folder by default. At any time, you can view these reports by using MBSA.
■ MBSACLI provides a command-line interface to MBSA’s scanning functionality. MBSACLI functions in two modes: standard MBSA mode and the backward compatible HFNetChk mode.
■ Scanning a large number of computers can take several hours and consumes significant network resources. Therefore, you should schedule the scanning to occur after business hours by using the command-line tools.

MCP 299 : Planning an Update Management Infrastructure

Lesson 3 : Updating Process

Discovering Updates :
The security updating process starts when Microsoft releases or updates a security bulletin.Reissued bulletins that have a higher severity rating should be evaluated again to determine if an already scheduled security release should be reprioritized and accelerated. You might also initiate the security updating process when a new service pack is released.
You can be notified of Microsoft-related security issues and fixes by subscribing to the Microsoft Security Notification Services. You can register for this service from the following Web site: http://www.microsoft.com/technet/security/bulletin/notify.asp. If you subscribe to this service, you will receive automatic notification of security issues by e-mail. Note that you won’t ever receive the update as an attachment from Microsoft. E-mail is easy to spoof, so Microsoft includes a digital signature that can be verified. However, it’s generally easier to simply check the Microsoft Web site to ensure that the bulletin is officially listed.

Evaluating Updates :

After you learn of a security update, you need to evaluate the update to determine which computers at your organization, if any, should have the update applied. Read the information that accompanies the security bulletin, and refer to the associated Knowledge Base article after it is released.
Next, look at the various parts of your environment to determine whether the vulnerability affects the computers on your network. You might not be using the software component that the update affects, or you might be protected from the vulnerability by other means, such as a firewall. For example, if Microsoft releases a security update for SQL Server and your company doesn’t use SQL Server, you don’t need to act. If Microsoft releases a security update for the Windows Messenger service, but you have blocked the vulnerable ports by using Internet Connection Firewall, you don’t necessarily need to apply the update. Alternatively, you might decide that applying the update is not the
best countermeasure for a security vulnerability. Instead, you might choose to add a firewall or adjust firewall filtering rules to limit the vulnerability’s exposure.

Retrieving Updates :

Once you have decided to test and/or deploy an update, you must retrieve it from Microsoft. If you are using Windows Update or SUS as your deployment mechanism, retrieving the update is taken care of by the Automatic Update client. If you are deploying updates by using another mechanism, you should download the update from a trusted Microsoft server.
When manually installing a service pack on a computer, you can choose between a network install and an express install. If you are deploying the service pack to more than one computer in the same location, you should always use the network install. This self-extracting package contains all of the files that are required for any computer running the operating system the service pack was released for. This option is designed for administrators who want to set up a shared network folder for deploying the service pack on multiple computers.

Testing Updates :

After applying a testing update or group of updates to your test computers, you should test all applications and functionality as described in Lesson 2. In addition to testing within the update test environment, large organizations should conduct at least one pilot deployment before deploying the update or updates into the production environment. When conducting a pilot, you deploy a limited number of computers in a controlled environment, evaluate the results, and fix problems. Deploy successive pilots until you determine that the update is ready for full deployment. Be sure to include a representative cross-section of the computers in your pilot group.

Installing Updates :

After you are comfortable that you have sufficiently tested an update, you can deploy it to your production environment. During the installation process, be sure to have sufficient support staff to handle problems that might arise. Have a method in place to monitor the progress of the updates, and have an engineer ready to resolve any problems that occur in the update deployment mechanism. Notify network staff that an update deployment is taking place, so that they are aware of the cause of the increased network utilization.

Auditing Updates :
After you have deployed an update, it is important to audit your work. Ideally, someone not responsible for deploying the update will perform the actual auditing. This reduces the possibility that the person or group responsible for deploying the update would unintentionally overlook the same set of computers during both update deployment and auditing, in addition to reducing the likelihood of someone covering up oversights or mistakes.
Auditing an update that resolves a security vulnerability can be done in one of two ways. The simplest way to audit is to use a tool such as MBSA to check for the presence of the update. This can also be done by checking the version of files that have been updated by an update, and verifying that the version matches the version of the file included with the update.

MCP 299 : Planning an Update Management Infrastructure

Lesson 2: Updating Infrastructure

The Updating Team :

Identifying individuals with the right mix of technical and project management skills for deploying updates is one of the first decisions that you, and your management, will make. Even before staffing can begin, however, you need to identify the team roles, or areas of expertise, required for update management. Microsoft suggests using the Microsoft Solutions Framework (MSF) team model, which is based on six interdependent multidisciplinary roles: product management, program management, development,testing, user experience, and release management.
■ Product management. Product management is responsible for identifying the organization’s business needs and the needs of the end users, and for making sure those needs are supported by the updating process.
■ Program management. The program management team’s goal is to deliver updates within project constraints. Program management is responsible for managing the updating schedule and budget, and for reporting status, managing project-related risk factors (such as staff illnesses), and managing the design of the updating process.

■ Development. The development team builds the updating infrastructure according to specification. The team’s responsibilities include specifying the features of the updating infrastructure, estimating the time and effort required to deploy the updating infrastructure, and preparing the infrastructure for deployment.
■ Testing. The testing team ensures that updates are released into the production environment only after all quality issues have been identified and resolved. The team’s responsibilities include developing the testing strategy, designing and building the updating lab, developing the test plan, and conducting tests.
■ User experience. The user experience team ensures that the updating process meets the users’ needs. The team gathers, analyzes, and prioritizes user requirements and complaints.
■ Release management. The release management team is responsible for deploying the updates. In large environments, the release management team also designs and manages a pilot deployment of an update to ensure that the update is sufficiently stable for deployment into the production environment.

Assessing Your Environment :

The first step in planning your strategy to deploy updates is to assess your current environment.
Specifically, you need to know what operating systems and applications you have installed in order to identify updates that need to be deployed. You also need to understand the security requirements for each computer system, including which computers store highly confidential information, which are connected to the public Internet, and which will connect to exterior networks.
For each computer in your environment, gather the following information:
■ Operating system. Document the operating system version and update level. Also document which optional components, such as IIS, are installed.
■ Applications. Document every application installed on the computer, including versions and updates.
■ Network connectivity. Document which networks the computer connects to,including whether the computer is connected to the public Internet, whether it connects to other networks across a VPN or dial-up connection, and whether it is a mobile computer that might connect to networks at other locations.
■ Vulnerability-limiting factors. Firewalls and virus checkers might protect a computer against a known vulnerability, making the update unnecessary. For firewalls,document which ports are open.
■ Site. If your organization has multiple sites, you can choose to deploy updates to computers from a server located at each site to optimize bandwidth usage. Knowing which site a computer is located in allows you to efficiently deploy the updates.
■ Bandwidth. Computers connected across low-bandwidth links have special requirements. You can choose to transfer large updates during nonbusiness hours. For dial-up users, it might be more efficient to bypass the network link and transfer updates on removable media, such as CD-ROMs.
■ Administrator responsibility. You must understand who is responsible for deploying the updates, and who will fix a problem if a computer fails during the updating process. If others are responsible for individual applications or services, make note of that as well.
■ Uptime requirements. Understand any service level agreements or service level guarantees that apply to a particular computer, and whether scheduled downtime counts against the total uptime. This will enable you to prioritize computers when troubleshooting and testing updates.
■ Scheduling dependencies. Applying updates requires planning systems to be offline. This can be a disruption for users, even if the computer only requires a quick reboot. Understand who depends on a particular computer so that you can clear downtime with them ahead of time.

Deploying Updates :

To meet the needs of various types of organizations, Microsoft provides several different methods for applying updates. The preferred method for deploying updates is Software Update Services (SUS). Large organizations currently using Group Policy objects to distribute software might prefer to use Group Policy objects for deploying updates as well, because it allows them to deploy the update to many systems simultaneously. Group Policy objects can be used to automatically install updates on computers, or to make them available to users through the Add/Remove Programs tool. Finally, enterprises that use Microsoft Systems Management Server (SMS) can use SMS to deploy updates. You can even avoid manually installing updates on new systems by integrating the update directly into the Windows Server 2003 setup files.

MCP 299 : Planning an Update Management Infrastructure

Lesson 1: Updating Fundamentals

Microsoft continually works to improve its software. As part of this effort, Microsoft develops updates to solve problems that are discovered in software after the software is released. These problems often constitute security vulnerabilities.
There are, however, many different types of security vulnerabilities. Some have known exploits that are propagating quickly, and it is critical that these vulnerabilities are quickly fixed. Exploits are worms, viruses, Trojan horses, or other tools that can be used by an attacker to compromise a vulnerable computer. Others are less critical, and the risk of them being exploited isn’t high enough to justify the cost of rapidly deploying an update. Vulnerabilities might only apply to a handful of computers on your network, or they might affect every system. To address the wide variety of vulnerabilities, Microsoft provides several different types of updates throughout the lifecycle of a supported product.

Introduction to Updates :

An update, also known as a patch, is a file or a collection of files that you can apply to a Windows-based computer to correct a specific problem. Microsoft packages updates in a single self-contained, self-installing executable file with an .exe extension. By default, all updates automatically back up files that they replace so that you have the option of removing the update later if you want to.
Updates for the Microsoft Windows Server 2003 family and Windows XP 64-Bit Edition Version 2003 are named according to specific conventions. For updates you install on 32-bit versions of the Windows Server 2003 family, the convention is WindowsServer2003-KB######-x86-LLL.exe. For updates you install on 64-bit versions of the Windows Server 2003 family or Windows XP 64-Bit Edition Version 2003, the convention is WindowsServer2003-KB######-ia64-LLL.exe.

Types of Updates :

There are many different types of problems that might need to be fixed in any piece of software, and various types of problems must be dealt with differently. When a security vulnerability is discovered in Windows, Microsoft must provide an update to customers quickly so that the vulnerability can be removed before the vulnerability is exploited on a large scale.

1 - Recommended updates :
A recommended update addresses a non-critical, non-security-related problem. For example, the “Update for Jet 4.0 Service Pack 8” recommended update, associated with Knowledge Base article 829558, makes a handful of improvements to a commonly used database engine included with Windows. It does not remove any security vulnerabilities, however, so it is not considered a critical update or a security update.

2 - Driver updates :
All versions of Windows come with a large number of drivers that enable support for a wide variety of hardware. The hardware vendors are generally responsible for the support of drivers, but Microsoft occasionally releases updated versions of drivers.
The fact that Microsoft occasionally releases updated versions of drivers does not relieve you of the responsibility of working with your hardware vendors to retrieve updated drivers. Microsoft does not release updated drivers until they have been officially signed by Microsoft, a process that delays the release of the software by days or weeks. Hardware vendors often release unsigned drivers to customers before they are officially released by Microsoft.

3 - Security updates :
Just about everyone who uses any variety of Windows is familiar with security updates. A security update is an update that the Microsoft Security Response Center (MSRC) releases to resolve a security vulnerability. Microsoft security updates are available for customers to download and are accompanied by two documents: a security bulletin and a Microsoft Knowledge Base article.
A Microsoft security bulletin notifies administrators of critical security issues and vulnerabilities.
Usually, but not always, the security bulletin is associated with a security update that can be used to patch the vulnerability. Security bulletins generally provide detailed information about who the bulletin concerns, the impact of the vulnerability, the severity of the vulnerability, and a recommended course of action for affected customers.

4 - Critical updates :
A critical update is released quickly to all customers, like a security update. However,critical updates are not related to security problems, and they do not have associated bulletins. A critical update will be associated with one or more Knowledge Base articles that describe the problem and the update in detail.

5 - Hotfixes :
A hotfix is a package that includes one or more files to address a problem for a specific customer. Generally, you receive a hotfix only when you have been working with Microsoft Product Support Services (PSS) and they determine that the problem you’re experiencing is caused by a bug in Microsoft software. They will probably release an update to the bug to the general customer population, but that might take several months. In the meantime, PSS provides you a hotfix to resolve the problem.

6 - Security rollup packages :
There have been times when Microsoft has released a significant number of security and critical updates between service packs. It is cumbersome to install a large number of updates separately, so Microsoft releases a security rollup package (SRP) to reduce the labor involved in applying updates. An SRP is a cumulative set of hotfixes, security updates, critical updates, and other updates that are packaged together for easy deployment. An update rollup generally targets a specific area of a product, such as security, or a component of a product, such as IIS. SRPs are always released with a
Knowledge Base article that describes the rollup in detail.

7- Feature packs :
Feature packs are not released to fix problems with existing software, but to add new features. In the past, Microsoft included new features with service packs, but customers were wary of installing updates that added new features that could potentially introduce new bugs. Now, service packs contain only updates to existing software, and Microsoft releases feature packs to add functionality. Feature packs are typically included with the next release of the product.

8 - Service packs :
A service pack is a cumulative set of all the hotfixes, security updates, critical updates,and other updates that have been created for a Microsoft product. A service pack also includes fixes for other problems that have been found by Microsoft since the release of the product. Service packs might also contain a limited number of customerrequested design changes or features. Like critical updates, service packs are available for download and are accompanied by Knowledge Base articles.

Lesson 3: Analyzing Security Configurations

Security Configuration And Analysis :

The Security Configuration And Analysis snap-in gives you an immediate, detailed list of security settings on a computer that do not meet your security requirements. Recommendations are presented alongside current system settings, and icons or remarks are used to highlight any areas where the current settings do not match the proposed level of security. Security Configuration And Analysis uses a database to perform analysis and configuration functions. Using a database gives you the ability to compare the current security settings against custom databases that are created by importing one or more security templates.
To analyze a computer’s security settings by comparing it to a security template:
1. Create a new Microsoft Management Console (MMC) console, and add the Security Configuration And Analysis snap-in.
2. Right-click Security Configuration And Analysis, and then click Open Database.
3. In the Open Database dialog box, type a name for the new database, and then click Open.
4. In the Import Template dialog box, select a security template to import. Click Open.
5. If you want to import more than one security template, right-click Security Configuration And Analysis, and then click Import Template. Select the template to import, and then click Open. Repeat this process for each security template you want to import.
6. Right-click Security Configuration And Analysis, and then click Analyze Computer Now.
7. In the Perform Analysis dialog box, click OK.
After the analysis is complete, examine the results by expanding the nodes contained within the Security Configuration And Analysis node.

Microsoft Baseline Security Analyzer—Graphical Interface :

MBSA includes graphical and command-line interfaces that can perform local or remote scans of Windows systems. MBSA runs on computers running Windows 2000, Windows XP, and Windows Server 2003 and will scan for common system misconfigurations in Microsoft Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and SQL Server 2000, Internet Explorer 5.01 and later, and Office 2000 and Office XP. MBSA will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows
Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and SQL Server 2000, Internet Explorer 5.01 and later, Exchange Server 5.5 and Exchange 2000 Server, and Microsoft Windows Media Player 6.4 and later.
MBSA can determine which critical security updates are applied to a system by referring to an XML file that is continuously updated by Microsoft. The XML file contains information about which security updates are available for particular Microsoft products.
This file contains security bulletin names and titles, and detailed data about product-specific security updates, including the files in each update package and their versions and checksums, registry keys that were applied by the update installation package, information about which updates supersede others, related Microsoft Knowledge Base article numbers, and much more.

Lesson Summary

■ The Security Configuration And Analysis console can be used to apply settings from a security template. However, it is more commonly used to determine which active security settings do not match those specified in a security template.
■ MBSA identifies potential security vulnerabilities, including critical updates that have not been applied, on one or more systems.
■ Mbsacli provides a command-line interface with functionality that is similar to that of MBSA. Mbsacli can be used to create XML files that summarize security vulnerabilities on one or more systems.

Lesson 2: Tuning Security for Server Roles:

Security for DHCP Servers :

Dynamic Host Configuration Protocol (DHCP) is an IP standard designed to reduce the complexity of administering address configurations. DHCP servers enable an administrator to assign TCP/IP configurations to client computers automatically upon startup. When a client computer moves between subnets, its old IP address is freed for reuse. The client reconfigures its TCP/IP settings automatically when the computer is restarted in its new location.

Security for DNS Servers :

DNS is the TCP/IP name resolution service that is used on the Internet. The DNS service enables client computers on your network to register and resolve user-friendly DNS names. It also allows network services to resolve IP addresses to host names, a common, but unreliable, method of filtering requests. Most network applications rely on DNS, and, as a result, a successful attack against DNS can have serious consequences.

Configuring the DNS Server role
You can install DNS by clicking Add/Remove Windows Components in the Add Or Remove Programs dialog box, clicking Networking Services, clicking the Details button, and then selecting Domain Name System. However, the simplest way to install and configure DNS is to install the DNS Server role by using the Manage Your Server window. To install the DNS Server role:
1. Click Start, and then click Manage Your Server.
2. Click Add Or Remove A Role. The Configure Your Server Wizard appears.
3. Click Next, click DNS Server, and then click Next again. Follow the prompts to configure the new role.

Securing DNS servers

If a DNS zone is not stored in Active Directory, secure the DNS zone file by modifying permissions on the DNS zone file or on the folder in which the zone files are stored. The zone file or folder permissions should be configured to allow Full Control only to the System group. By default, zone files are stored in the %systemroot%\System32\Dns folder. Also secure the DNS registry keys.

The DNS registry keys can be found in the registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS.

Security considerations for Active Directory–integrated DNS

Safeguarding DNS servers is essential to any environment with Active Directory because clients use DNS to find their Active Directory servers. When a DNS server is attacked, one possible goal of the attacker is to control the DNS information being returned in response to DNS client queries. In this way, clients can be misdirected to computers controlled by the attacker. Cache poisoning is an example of this type of attack. To use cache poisoning in an attack, an attacker inserts false information into the cache of a DNS server. This results in a legitimate DNS server returning incorrect
results, thereby redirecting clients to unauthorized computers.
The Windows Server 2003 DNS client service supports Dynamic DNS updates, which allow client systems to add DNS records directly into the database. Dynamic DNS (DDNS) servers can receive malicious or unauthorized updates from an attacker using a client that supports the DDNS protocol if the server is configured to accept unsecured updates. At a minimum, an attacker can add bogus entries to the DNS database; at worst, the attacker can overwrite or delete legitimate entries in the DNS database. Using secure DDNS updates guarantees that registration requests are processed only if they are sent from valid clients in an Active Directory forest. This greatly limits the opportunity for an attacker to compromise the integrity of a DNS server.

Lesson Summary :

■ There are two major types of firewalls: host-based firewalls and network firewalls. Host-based firewalls, such as Internet Connection Firewall, protect a single system. Network firewalls, such as Microsoft Internet Security And Acceleration Server, can protect an entire network.
■ Perimeter networks are used to provide multiple layers of network security for computers exposed to the public Internet. Internet-facing services such as mail servers and Web servers should be placed on a perimeter network, with a firewall protecting the systems from the Internet and a second firewall protecting the internal network from the perimeter network.
■ Server roles that are often connected to the Internet, such as Web servers, DNS servers, and e-mail servers, are frequently subject to attacks. Security configuration is particularly important for these types of infrastructure servers.
■ The security of DHCP and DNS servers is closely related because DHCP servers are often relied upon to register DNS names for clients. Both DHCP and DNS servers are vulnerable to denial-of-service attacks because they must accept requests from clients without authentication.
■ Domain controllers store a map of the entire network and a complete set of user credentials. As a result, they are frequently the subject of attacks and must be protected at all costs. If a domain controller is compromised, the attacker might be able to gain access to many other resources on the network.
■ SQL Server and Exchange Server are not built into Windows Server 2003. Nevertheless, both applications are frequently deployed on Windows Server 2003 networks, and they both often contain a great deal of confidential information. No security initiative is complete unless database and messaging systems have been protected.

3 - Hardening Computers for Specific Roles :

Lesson 1: Tuning Security for Client Roles :

Planning Managed Client Computers :

When planning the requirements for managed client computers, start by identifying the baseline security level that is appropriate for users to have on their computers. The baseline user security level is specified by granting users membership to one of these groups: Users, Power Users, and Administrators. Membership in the Users group gives the most protection from a number of external threats, such as viruses, and it limits the damage that users can accidentally or intentionally cause to their computers. However, user level permissions have the most incompatibility problems with older applications. Take particular care before you give users privileged access to computers that they
share with other employees.
Next, identify the types of systems users need to interoperate with. Interoperability with earlier systems, such as Microsoft Windows NT 4.0–based servers and UNIX file servers, necessitates that some of the security you might use in a pure Windows Server 2003 environment must be relaxed.
Finally, consider the level of support users provide for their own computers. Users who use portable computers and provide their own support might require administrator rights on their computers. Other high-performance users, such as developers, might also need administrative rights.

Software Restriction Policies :

Software restriction policies are a feature in Windows XP and Windows Server 2003 that can be used to regulate unknown or untrusted software. Businesses that do not use software restriction policies put the burden of identifying safe and unsafe software on the users. Users who access the Internet must constantly make decisions about running unknown software. Malicious users intentionally disguise viruses and Trojans to trick users into running them. It is difficult for users to make safe choices about what software they should run.
With software restriction policies, you can protect your network from untrusted software by identifying and specifying the software that is allowed to run. You can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating software restriction policy rules for specific software. For example, if the default security level is set to Disallowed, you can create rules that allow specific software to run.

Security for Desktop Computers :

When a computer manufacturer delivers a new computer to an organization, the operating system is generally configured to provide the greatest flexibility to the typical user. Many organizations have additional software installed on top of the operating system, such as Microsoft Office. This provides power users with the tools they need to do their jobs.
However, many types of employees do not require much flexibility and will actually be more productive if the software on their computers is restricted. For example, a user in the accounts payable department might only need access to an e-mail client, accounting software, and a Web browser. For this type of user, restricting the applications they can run can make them more productive (for example, by removing Solitaire). Additionally, it can reduce the risk of malicious software, such as viruses and Trojans, infecting the computer.
In a typical restricted desktop computer role, the desktop and Start menu are significantly simplified. Users cannot make extensive customizations, other than a limited number of application-specific settings. Applications are typically allocated to users based on their job roles, and users cannot add or remove applications. This type of desktop configuration is appropriate in a marketing or finance department, for example.
In these areas, users require only a specific and limited set (typically three to five) of productivity and in-house applications to do their jobs.

Security for Mobile Computers :

Mobile computers require that you attend to several additional security considerations beyond those of desktop computers. Mobile users might use their computers while traveling, which might require them to perform administrative tasks that a member of the IT group would normally perform. For example, a mobile user might need to print a document using a different printer than the one installed in the office, and would need to install the correct printer driver. To allow this, disable the Devices: Prevent Users From Installing Printer Drivers security option. If you anticipate that users who work away from the office will need to install or reinstall applications while working remotely, you might want to enable the Always Install With Elevated Privileges setting in the Administrative Templates\Windows Components\Windows Installer node.
Mobile users might connect to foreign networks, such as a wireless hotspot at a coffee shop. These foreign networks won’t have the benefit of your organization’s network security, so mobile users have an elevated risk of being attacked across the network. To mitigate this risk, enable the Internet Connection Firewall (ICF, known in Service Pack 2 as Windows Firewall) on all network interfaces for mobile computers. Unfortunately, ICF cannot be configured by using Group Policy settings. Lesson 2 in this chapter contains more information about firewalls.

Lesson Summary

■ Software restriction policies can be applied to a GPO to restrict the applications that can run on a target system. Software restriction policies can restrict applications based on a hash of the executable file, the path in the file system, a certificate associated with the application, or the Internet zone from which the application is running.
■ You should create security templates for the various computer roles in your organizations, including desktop computers, mobile computers, and kiosks. Whenever possible, you should base these templates on a predefined security template.
■ Security templates are useful for creating GPOs, but they contain only a subset of the settings available when configuring a GPO. Therefore, after importing a security template into a GPO, you might have to use the Group Policy Object Editor to specify additional settings.
■ Mobile computers have different security considerations than desktop computers. Mobile computers are subject to a wider array of network attacks because they might connect to unprotected networks. Additionally, they are more likely to be stolen, so encryption of the disk’s physical contents might be necessary.
■ Kiosks require security settings that are tightly restricted to prevent abuse. GPOs allow an administrator to remove all major user interface elements and configure kiosk computers to log on a user and launch a single application automatically at startup.

MCP 70-299 : Planning and Configuring an Authentication Strategy

Lesson 1: Understanding the Components of an Authentication Model :

The Difference Between Authentication and Authorization :

The two processes are closely related and often confused. To understand the difference between authentication and authorization, consider an example in the physical world that most people are familiar with: boarding an airplane. Before you can board a plane, you must present both your identification and your ticket. Your identification, typically a driver’s license or a passport, enables the airport staff to determine who you are. Validating your identity is the authentication part of the boarding process. The airport staff also checks your ticket to make sure that the flight you are boarding is the correct one. Verifying that you are allowed to board the plane is the authorization process.

Storing User Credentials :

The server that authenticates the user must be able to determine that the user’s credentials are valid. To do this, the server must store information that can be used to verify the user’s credentials. How and where this information is stored are important decisions to make when designing an authentication model.

Lesson Summary :

■ Authentication is the process of proving your identity. In Windows networks, users frequently authenticate themselves using a user name and password pair. How the user name and password are communicated across the network has changed with different versions of Windows.
■ Earlier versions of Windows use LM authentication, which is still supported by Windows Server 2003 for backward compatibility but carries with it potential security vulnerabilities. LM authentication should be disabled whenever compatibility with Windows 95 or Windows 98 is not required.
■ If LM authentication cannot be disabled, the storage of the LMHash can be avoided for specific user accounts by using passwords greater than 14 characters or passwords that contain special ALT characters.
■ Newer versions of Windows use NTLMv1, NTLMv2, or Kerberos authentication. The Kerberos protocol is designed to be more secure and scalable than NTLM authentication.
■ Local passwords are stored and maintained by the Local Security Authority (LSA). The LSA is responsible for managing local security policies, authenticating users, creating access tokens, and controlling audit policies.
■ Windows Server 2003 and the Resource Kit include the Kerbtray.exe, Klist.exe, and CmdKey.exe tools for troubleshooting Kerberos authentication problems.

Lesson 2: Planning and Implementing an Authentication Strategy :

Considerations for Evaluating Your Environment :

When evaluating your environment, identify the following:

■ The number of domain controllers in your organization. Ensure that there are enough domain controllers to support client logon requests and authentication requests while meeting your redundancy requirements.

■ The type of network connectivity between site locations in your organization. Ensure that clients in remote sites are connected well enough to authenticate to domain controllers located in main sites.

■ The number of certification authorities (CAs) that are available in your organiza tion and their locations. Ensure that you have enough CAs to support the anticipated number of certificate requests.

What is a strong password?

A strong password is one that can be remembered by the user but that is also complex enough to be difficult to guess. For example, *&_I5y#<.h may appear to be a good password, but the user might be forced to write it down in order to remember it, creating a significant security vulnerability. Fortunately, there are techniques for creating strong passwords that the human brain can remember.

an easy-to-remember suffix to it to make it more secure: 99Butterflies@complexpass word.com. You now have a password that is 33 characters long, uses uppercase, lowercase, and symbols, is easy to remember, and that, because of the length, is harder than the *&_I5y#<.h password to crack.

Strong password policy :

When implementing and enforcing a password policy, consider the users’ inability to remember passwords that are too complex, change too often, and are too long. When passwords are too complex or too long, the eventuality that users will use other methods to remember their passwords, such as writing them down, is more likely.

Password Complexity is enforced by default in the Windows Server 2003 environment. The Password Complexity feature requires that passwords:
■ Do not contain all or part of the user’s account name.
■ Be at least six characters in length.
■ Contain characters from three of the following four categories:
❑ Uppercase characters (A through Z)
❑ Lowercase characters (a through z)
❑ Base 10 digits (0 through 9)
❑ Non-alphabetic characters (for example, !, $, #, %).

Windows 2003 Authentication Methods for Earlier Operating Systems :

Authentication protocols have improved over time and will continue to improve in the future. As a result, earlier operating systems support fewer and less secure authentication protocols than newer operating systems. By default, computers running Windows Server 2003 can accept all types of authentication protocols, including LM, NTLMv2, and Kerberos, to ensure compatibility with earlier operating systems. If your organization does not require this backward compatibility, you can you can configure security policy to support only the more secure protocols, such as NTLMv2 and Kerberos.

The Network Security LAN Manager Authentication Level policy defines which authentication protocols a computer sends and accepts. This policy is contained within the Local Policies\Security Options security policy node. Table 1.6 describes the options for this policy setting. The policy settings are listed in order from least to most secure. Increasing the security of this policy reduces compatibility with earlier clients and servers.

Enabling secure authentication for domain controllers :

To configure domain controllers to reject LM authentication:

1. On a domain controller, click Start, click Administrative Tools, and then click Domain Controller Security Policy.
2. Expand Local Policies and then select Security Options
3. Double-click Network Security: LAN Manager Authentication Level. The Network Security: LAN Manager Authentication Level Properties dialog box appears.
4. Select the Define This Policy Setting check box, if it is not already selected.
5. Select Send NTLMv2 Response Only\Refuse LM, and then click OK.
6. Close the Default Domain Controller Security Settings console.
7. Click Start, and then click Run. Type gpupdate.exe, and click OK. This causes the policy to take effect on the local domain controller immediately.

Lesson Summary :

■ Use security policy settings to configure authentication requirements.
■ Implement a strong password policy in your organization to reduce the likelihood that your users’ credentials will be compromised.
■ Although you can enforce complex passwords by using security policy in Windows Server 2003 Active Directory, employee education is the only way to keep users from writing down passwords or using discoverable personal information in passwords.
■ An account lockout policy prevents malicious attackers from logging on by continually guessing passwords; however, it enables malicious attackers to perform a denial-of-service attack that denies valid users from successful authentication.
■ Kerberos ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the ticket’s stored credentials, but long enough to minimize the number of tickets that clients request.
■ Use delegated authentication and constrained delegation as strategies for implementing supplemental authentication where required.
■ Any application that has the Certified for Windows Server 2003 logo has been tested to ensure that it will function in environments that require multifactor authentication.

Lesson 3: Configuring Authentication for Web Users :

Configuring Anonymous Access for Web Users :

Most public Web sites on the Internet allow anonymous access for at least a portion of the site. In other words, the general public can retrieve pages from the Web server without providing credentials. This does not mean that authentication is not taking place, however. Any user or process that accesses a file or other network resource must do so in the context of a security principal (a user, a computer, or a service account). When Internet Information Services (IIS) accesses files to be sent to an anonymous user, it uses a specified user account to access those files. When anonymous access is not allowed, users must provide their own credentials.

Configuring Web Authentication :

This chapter has already described three authentication protocols: LM, NTLM, and Kerberos.
However, none of these protocols can be used by a Web browser to authenticate a user to a Web server because Web browsers and Web servers can use only Hypertext Transfer Protocol (HTTP) to communicate. Web browsers must authenticate to Web servers using an authentication protocol that is contained within HTTP. Administrators configuring an IIS server have several authentication options that differ in how they pass the credentials to IIS and which browsers support them:

■ Basic Authentication. Selecting this option enables browsers to submit the user’s password in an encoded format that is equivalent to clear text. If the authentication traffic is intercepted, an attacker could easily determine the user’s password.
While this authentication method is vulnerable to being intercepted, it is supported by a wide range of browsers.
■ Digest Authentication For Windows Domain Servers. Selecting this option allows the Web browser to submit the user’s password in an MD5 hash. If digest authentication traffic is intercepted, an attacker would be able to easily determine the user’s password.
■ Integrated Windows Authentication. Selecting this option enables Kerberos v5 authentication and NTLM authentication within the Web requests. This allows the Web browser to send the user’s password in the form of a hash without requiring the user’s password to be stored using reversible encryption.
■ .NET Passport Authentication. Select this option if your organization is using the .NET Passport service for authentication. .NET Passport provides a central authentication service that many different organizations can use and allows users to authenticate themselves to many different, unrelated Web sites.

Module 5 : Résolution de noms d'hôtes à l'aide du système DNS :

Introduction :

DNS (Domain Name System) est une base de données distribuée hiérarchisée qui contient les mappages de noms d'hôtes DNS à des adresses IP. DNS permet de repérer des ordinateurs et des services en utilisant des noms alphanumériques faciles à retenir. DNS permet également de découvrir des services réseau comme des serveurs de messagerie et des contrôleurs de domaine dans le service d'annuaire Active Directory®.

Procédure d'installation du service Serveur DNS :

Pour installer un serveur DNS :

1. Ouvrez une session avec un compte d'utilisateur sans droits d'administration.

2. Cliquez sur Démarrer, puis sur Panneau de configuration.

3. Dans le Panneau de configuration, ouvrez Outils d'administration, cliquez avec le bouton droit sur Gérer votre serveur, puis sélectionnez Exécuter en tant que.

4. Dans la boîte de dialogue Exécuter en tant que, sélectionnez L'utilisateur suivant, entrez un compte d'utilisateur et un mot de passe bénéficiant des autorisations nécessaires à la réalisation de cette tâche, puis cliquez sur OK.

5. Dans la fenêtre Assistant Gérer votre serveur, cliquez sur Ajouter ou supprimer un rôle.

6. Dans la page Étapes préliminaires, cliquez sur Suivant.

7. Dans la page Rôle du serveur, sélectionnez Serveur DNS, puis cliquez sur Suivant.

8. Dans la page Aperçu des sélections, cliquez sur Suivant.

9. Si un message vous y invite, insérez le CD-ROM de Microsoft Windows Server 2003.

10. Dans la page Bienvenue dans l'Assistant Configurer un serveur DNS, cliquez sur Annuler.

Fonctionnement d'une requête récursive :

Le fonctionnement d'une requête récursive envoyée par un client à son serveur DNS configuré comprend les étapes suivantes :
1. Le client envoie une requête récursive au serveur DNS local.
2. Le serveur DNS local essaie de trouver une réponse dans la zone de recherche directe et dans le cache.
3. S'il trouve la réponse à la requête, le serveur DNS la renvoie au client.
4. S'il ne trouve pas de réponse, le serveur DNS utilise l'adresse d'un redirecteur ou des indications de racine pour chercher plus haut dans l'arborescence.

Procédure de configuration d'un serveur DNS pour utiliser un redirecteur :

Pour configurer un serveur DNS afin qu'il utilise un redirecteur :

1. Ouvrez la console DNS.

2. Dans la console DNS, sélectionnez le serveur approprié.

3. Dans le menu Action, cliquez sur Propriétés.

4. Sous l'onglet Redirecteurs, cliquez sur Nouveau.

5. Dans la boîte de dialogue Nouveau redirecteur, entrez le nom du domaine DNS pour lequel le serveur DNS va rediriger les requêtes, puis cliquez sur OK.

6. Sous l'onglet Redirecteurs, tapez dans le champ Liste d'adresses IP du transmetteur de domaine sélectionné l'adresse IP du serveur DNS qui jouera le rôle de redirecteur pour les requêtes situées dans le domaine DNS du serveur, puis cliquez sur Ajouter.

7. Sous l'onglet Redirecteurs, entrez une valeur dans la zone Délai d'expiration des requêtes de redirection (en secondes).

8. Sous l'onglet Redirecteurs, sélectionnez si nécessaire l'option Ne pas utiliser la récursivité pour ce domaine, puis cliquez sur OK.

9. Fermez la console DNS.

Procédure :

Pour modifier un type de zone DNS :

1. Ouvrez la console DNS.

2. Dans la console DNS, sélectionnez la zone à modifier.

3. Dans le menu Action, cliquez sur Propriétés.

4. Sous l'onglet Général, cliquez sur Modifier.

5. Dans la boîte de dialogue Modification du type de zone, sélectionnez l'une des options suivantes, puis cliquez sur OK.

• Zone principale si cette zone doit contenir une copie de la zone acceptant les mises à jour directes.

• Zone secondaire si cette zone doit contenir une copie d'une zone existante.

• Zone de stub si cette zone doit contenir une copie d'une zone contenant uniquement des enregistrements NS (serveur de noms), des enregistrements SOA (source de noms) et éventuellement des enregistrements de résolution par requêtes successives.

6. Dans la boîte de dialogue Propriétés de la zone, cliquez sur OK.

Module 2 ( 70-291) : Allocation de l'adressage IP à l'aide du protocole DHCP

Définition :

Le protocole DHCP est une norme IP permettant de simplifier la gestion de la configuration IP hôte. La norme DHCP permet d'utiliser les serveurs DHCP pour gérer l'allocation dynamique des adresses IP et des autres données de configuration IP pour les clients DHCP de votre réseau.

Pourquoi utiliser le protocole DHCP ?

Pour les réseaux basés sur le protocole TCP/IP, le protocole DHCP simplifie et réduit le travail administratif impliqué dans la reconfiguration des ordinateurs.

Pour comprendre en quoi le protocole DHCP simplifie la configuration du protocole TCP/IP sur des ordinateurs clients, il est utile de comparer les configurations manuelle et automatique du protocole TCP/IP, la configuration automatique utilisant le protocole DHCP.

Configuration manuelle du protocole TCP/IP :

Lorsque vous configurez les données de configuration IP pour chaque hôte en entrant manuellement les informations, telles que l'adresse IP, le masque de sous-réseau ou la passerelle par défaut, vous pouvez faire des erreurs typographiques. Ces erreurs peuvent créer des problèmes de communication ou des incidents liés aux adresses IP dupliquées. De plus, il en résulte des tâches administratives supplémentaires sur les réseaux où les ordinateurs sont souvent déplacés d'un sous-réseau à l'autre. De même, lorsque vous devez modifier une valeur IP pour plusieurs clients, il vous faut mettre à jour la configuration IP de chaque client.

Procédure 1 :

Pour ajouter un service Serveur DHCP, procédez comme suit :

1. Connectez-vous à l'aide d'un compte d'utilisateur non-administratif.

2. Cliquez sur Démarrer, puis sur Panneau de configuration.

3. Dans le Panneau de configuration, ouvrez Outils d'administration, cliquez avec le bouton droit sur Gérer votre serveur, puis sélectionnez Exécuter en tant que.

4. Dans la boîte de dialogue Exécuter en tant que, sélectionnez L'utilisateur suivant, entrez un compte d'utilisateur et un mot de passe ayant les autorisations adéquates pour exécuter la tâche, puis cliquez sur OK.

5. Dans la fenêtre Gérer votre serveur, cliquez sur Ajouter ou supprimer un rôle.

6. Dans la page Étapes préliminaires, cliquez sur Suivant.

7. Dans l'Assistant Configurer votre serveur, sélectionnez Serveur DHCP, puis cliquez sur Suivant.

8. Dans la page Aperçu des sélections, cliquez sur Suivant.
9. Dans l'Assistant Nouvelle étendue, cliquez sur Annuler pour interrompre la création d'une étendue à ce stade.
10. Dans l'Assistant Configurer votre serveur, cliquez sur Terminer.

Procédure 2 : configuration des étendues DHCP :

Pour configurer une étendue DHCP, procédez comme suit :

1. Ouvrez la console DHCP.

2. Dans l'arborescence de la console, cliquez sur le serveur DHCP concerné.

3. Dans le menu Action, cliquez sur Nouvelle étendue.

4. Dans l'Assistant Nouvelle étendue, cliquez sur Suivant.

5. Dans la page Nom de l'étendue, configurez les options Nom et Description.

6. Dans la page Plage d'adresses IP, configurez les options Adresse IP de début, Adresse IP de fin et Masque de sous-réseau.

7. Dans la page Ajout d'exclusions, configurez les options Adresse IP de début et Adresse IP de fin, le cas échéant. S'il n'existe qu'une seule exclusion d'adresse IP, configurez cette adresse IP comme l'adresse IP de début.

8. Dans la page Durée du bail, configurez les options Jours, Heures et Minutes.

9. Dans la page Configuration des paramètres DHCP, sélectionnez Non, je configurerai ces options ultérieurement.

10. Dans la page Fin de l'Assistant Nouvelle étendue, cliquez sur Terminer.

Procédure de configuration d'une réservation DHCP :

Pour configurer une réservation DHCP, procédez comme suit :

1. Ouvrez la console DHCP.

2. Dans l'arborescence de la console, cliquez sur Réservations.

3. Dans le menu Action, cliquez sur Nouvelle réservation.

4. Dans la boîte de dialogue Nouvelle réservation, renseignez les champs suivants :

a. Nom de réservation

b. Adresse IP

c. Adresse MAC (sans trait d'union)

d. Description

5. Sous Types pris en charge, sélectionnez l'une des options suivantes :

a. Les deux

b. DHCP seulement

c. BOOTP seulement

6. Dans la boîte de dialogue Nouvelles réservations, cliquez sur Ajouter, puis sur Fermer.

Procédure 3 : vérification d'une réservation DHCP :

Pour vérifier la réservation DHCP, procédez comme suit :

1. Sur l'ordinateur client, à l'invite de commandes, libérez l'adresse IP du clienà l'aide de la commande ipconfig /release.

2. Sur l'ordinateur serveur, dans la console DHCP, sous Baux d'adresse, vérifiez que la réservation s'affiche comme étant désactivée.

3. Sur l'ordinateur client, à l'invite de commandes, renouvelez l'adresse IP du client à l'aide de la commande ipconfig /renew.

4. Sur l'ordinateur serveur, dans la console DHCP, sous Baux d'adresse, vérifiez que la réservation s'affiche comme étant activée.

Procédure 4 : configuration des options de serveur DHCP :

Pour configurer une option de serveur DHCP, procédez comme suit :

1. Ouvrez la console DHCP.

2. Dans l'arborescence de la console, sous le nom du serveur, cliquez sur Options de serveur.

3. Dans le menu Action, cliquez sur Configurer les options.

4. Dans la boîte de dialogue Options Serveur, sélectionnez l'option à configurer dans la liste des Options disponibles.

5. Sous Entrée de données, entrez les informations requises pour configurcette option.

6. Dans la boîte de dialogue Options Serveur, cliquez sur OK.

Comment fonctionne un agent de relais DHCP :

Les procédures suivantes décrivent le fonctionnement d'un agent de
relais DHCP :
1. Le client DHCP diffuse un paquet DHCPDISCOVER.
2. L'agent de relais DHCP sur le sous-réseau du client envoie le message DHCPDISCOVER au serveur DHCP à l'aide de la monodiffusion.
3. Le serveur DHCP utilise la monodiffusion pour envoyer un message DHCPOFFER à l'agent de relais DHCP.
4. L'agent de relais DHCP diffuse le paquet DHCPOFFER au sous-réseau du client DHCP.
5. Le client DHCP diffuse un paquet DHCPREQUEST.
6. L'agent de relais DHCP sur le sous-réseau du client envoie le message DHCPREQUEST au serveur DHCP à l'aide de la monodiffusion.
7. Le serveur DHCP utilise la monodiffusion pour envoyer un message DHCPACK à l'agent de relais DHCP.
8. L'agent de relais DHCP diffuse le paquet DHCPACK au sous-réseau du client DHCP.

Procédure 4 : ajout d'un agent de relais DHCP :

Pour ajouter un agent de relais DHCP, procédez comme suit :

1. Ouvrez la console Routage et accès distant.

2. Cliquez avec le bouton droit sur le serveur, puis cliquez sur Configurer et activer le routage et l'accès distant.

3. Dans la page Bienvenue !, cliquez sur Suivant.

4. Dans la page Configuration, sélectionnez Configuration personnalisée, puis cliquez sur Suivant.

5. Dans la page Configuration personnalisée, sélectionnez Routage réseau, puis cliquez sur Suivant.

6. Dans la page Fin de l'Assistant Installation du serveur du routage et d'accès distant, cliquez sur Terminer.

7. Dans la boîte de dialogue d'avertissement Routage et accès distant, cliquez sur Oui pour démarrer le service.

8. Dans la page Ce serveur est maintenant un serveur d'accès distant et de réseau VPN, cliquez sur Terminer.

9. Dans l'arborescence de la console, développez successivement le serveur et Routage IP, puis sélectionnez Général.

10. Cliquez avec le bouton droit sur Général, puis cliquez sur Nouveau protocole de routage.

11. Dans la boîte de dialogue Nouveau protocole de routage, cliquez sur Agent de relais DHCP, puis sur OK.

Pratique MCP 3 : 70-291 Configuration du routage à l'aide du service Routage et accès distant

Introduction :

Les routeurs constituent un système intermédiaire au niveau de la couche réseau qui permet de connecter des réseaux grâce à un protocole de couche réseau commun. Les systèmes intermédiaires sont des périphériques réseau capables d'acheminer des paquets entre différents segments d'un réseau.

Rôle des routeurs :

Les routeurs vous permettent de faire évoluer votre réseau et d'en préserver la bande passante en segmentant le trafic. Par exemple, les ordinateurs de test d'une organisation peuvent se trouver sur un segment du réseau et les ordinateurs de production sur un autre segment. Un routeur permet de connecter ces deux segments distincts.

Procédure : Activation et configuration du service Routage et accès distant :

Pour activer et configurer le service Routage et accès distant :

1. Ouvrez une session en utilisant un compte d'utilisateur ne disposant pas de droits d'administration. 2. Cliquez sur Démarrer, puis sur Panneau de configuration.

3. Dans le Panneau de configuration, ouvrez Outils d'administration, cliquez avec le bouton droit sur Gérer votre serveur, puis sélectionnez Exécuter en tant que.

4. Dans la boîte de dialogue Exécuter en tant que, sélectionnez L'utilisateur suivant, entrez un compte d'utilisateur, avec le mot de passe approprié, qui a l'autorisation d'effectuer la tâche, puis cliquez sur OK.

5. Dans l'outil Gérer votre serveur, cliquez sur Ajouter ou supprimer un rôle.

6. Dans la page Étapes préliminaires, cliquez sur Suivant.

7. Dans la page Rôle du serveur, sélectionnez Serveur VPN / Accès distant, puis cliquez sur Suivant.

8. Dans la page Aperçu des sélections, cliquez sur Suivant.

9. Dans la page Bienvenue !, cliquez sur Suivant.

10. Dans la page Configuration, sélectionnez Configuration personnalisée, puis cliquez sur Suivant.

11. Dans la page Configuration personnalisée, sélectionnez l'option Routage réseau, puis cliquez sur Suivant.

12. Dans la page Fin de l'Assistant Installation du serveur du routage et d'accès distant, cliquez sur Terminer.

13. Dans la boîte de dialogue d'avertissement Routage et accès distant, cliquez sur Oui pour démarrer le service.

14. Dans la page Ce serveur est maintenant un serveur d'accès distant et de réseau VPN, cliquez sur Terminer.

Procédure 2 :

Pour configurer des filtres de paquets :

1. Dans l'arborescence de la console Routage et accès distant, développez successivement Nom_Ordinateur, Routage IP, puis cliquez sur Général.
2. Dans le volet d'informations, cliquez avec le bouton droit sur l'interface à laquelle vous souhaitez ajouter un filtre, puis cliquez sur Propriétés.
3. Sous l'onglet Général, cliquez sur Filtres d'entrée ou Filtres de sortie, puis cliquez sur Nouveau.
4. Dans la boîte de dialogue Ajouter le filtre IP, identifiez le réseau source en configurant les paramètres suivants :
a. Adresse IP : tapez l'ID réseau de l'adresse IP source ou une adresse IP source.
b. Masque de sous-réseau : tapez le masque de sous-réseau correspondant à l'ID du réseau source ou tapez 255.255.255.255 comme adresse IP source.

5. Dans la boîte de dialogue Ajouter le filtre IP, identifiez le réseau de destination en configurant les paramètres suivants :

a. Adresse IP : tapez l'ID réseau de l'adresse IP de destination ou une adresse IP de destination.

b. Masque de sous-réseau : tapez le masque de sous-réseau correspondant à l'ID du réseau de destination ou tapez 255.255.255.255 comme adresse IP de destination.

6. Dans la boîte de dialogue Ajouter le filtre IP, sélectionnez le protocole approprié.
a. TCP : sélectionnez cette option pour spécifier un port TCP source et un port TCP de destination.
b. TCP (établi) : sélectionnez cette option uniquement pour intégrer les paquets TCP qui font partie d'une connexion TCP précédemment établie.
c. UDP : sélectionnez cette option pour spécifier un port UDP source et un port UDP de destination.

d. ICMP : sélectionnez cette option pour spécifier un code ICMP et un type ICMP.

e. N'importe lequel : sélectionnez cette option pour que toute valeur de protocole IP soit applicable quelle qu'elle soit.
f. Autre : sélectionnez cette option pour spécifier tout protocole IP quel qu'il soit.

7. Dans la boîte de dialogue Ajouter le filtre IP, cliquez sur OK.

8. Dans la boîte de dialogue Filtres, sélectionnez l'une des actions de filtrage appropriées suivantes, puis cliquez sur OK.
a. Recevoir tous les paquets sauf ceux qui répondent aux critères suivants
b. Rejeter tous les paquets à l'exception de ceux qui répondent aux critères suivants

Préparation MCP 70-270 : Implémentation de Windows XP Professionnel

1. Planification de l'installation de Microsoft Windows XP Professionnel :

Vérification de la configuration système :

Identification des options de partitionnement :

Il est possible de créer à partir d'un seul disque dur, des partitions qui se présenterons comme des disques durs à part entière. Comme précisé plus haut, il est impératif de prévoir au moins 1,5 Go pour l'installation de Windows XP Professionnel. En fonction de l'état du disque hôte, et des partitions qui s'y trouvent, le menu d'installation de Windows XP Professionnel peut proposer les choix ci-dessous :
- Création d’une partition sur un disque non partitionné
- Création d’une nouvelle partition sur un disque déjà partitionné
- Installation sur une partition existante
- Suppression d’une partition

Mise à niveau vers Windows XP Professionnel :

Il est également possible de faire une mise à jour de votre version de Windows actuelle vers Windows XP. Cependant, seuls les systèmes suivants peuvent être mis à jour directement :
- Microsoft Windows 98
- Microsoft Windows Me
- Microsoft Windows NT4 SP5
- Microsoft Windows 2000 Professionnel

2. Automatisation de l’installation de Windows XP Professionnel :

Dans le cadre d'une installation de Windows XP Professionnel sur un nombre important de machines, il est préférable d'utiliser le processus d'automatisation d'installation. Cela se fait grâce à deux fichiers :
- Fichier de réponse
- Fichier UDF
Le premier fichier stocke toutes les informations qui seront communes aux installations (Domaine, options réionales, etc…) Le second fichier va lui stocker les informations spéifiques àchaque ordinateur (nom de l'ordinateur, configuration TCP/IP, etc…) Il faudra ensuite lancer l'installation en indiquant l'emplacement réeau de ces deux fichiers. Aucune intervention de la part de l'utilisateur ne sera ainsi requise pendant le processus d'installation.

Service d’installation à distance :

Le service RIS (Remote Installation Service) est un service de déploiement intégré à Active Directory permettant de déployer Windows XP Professionnel sans intervention de l'utilisateur. Ce service peut être utilisé sans pour autant savoir où se trouve l'iimage du système. Pour lancer le processus d'iinstallation, il suffit de taper F12 au démarrage des ordinateurs équipés de cartes réseaux compatibles PXE (pouvant démarrer à partir du réseau). Pour les machines n'étant pas équipées d'une carte réseau à la norme PXE, il suffit de créer une disquette de démarrage en exécutant rbfg.exe situé dans Sytem32\Reminst. Trois services doivent être présents sur le réseau en plus du service RIS pour envisager cette méthode de déploiement :
- Service DHCP (pour attribuer des adresses IP aux ordinateurs clients)
- Service DNS (pour localiser les serveurs)
- Serveur exécutant Active Directory (pour localiser le serveur RIS)

3- Configuration du matériel sur un ordinateur exécutant Windows XP Professionnel :

Installation et configuration de périphériques matériels :

Avant de débuter l'installation d'un nouveau périphérique sous Windows XP Professionnel, il est impératif de vérifier que celui-ci se trouve bien dans la dernière version de la HCL (Hardware Compatibility List).

S'il s'agit d'un périphérique Plug-and-Play, l'installation sera facilitée car Windows XP le détectera automatiquement, l'installera et le configurera.

Dans le cas d'un périphérique non Plug-and-Play, celui-ci nécessitera un pilote fourni par le fabriquant, qu'il faudra fournir à Windows XP Professionnel pendant la procédure d'installation.

Il est également important de noter qu'il faut disposer des droits d'administrateur pour installer un nouveau périphérique (sauf pour l'installation d'une imprimante locale). Il est possible de visualiser la liste des périphériques qui sont installés sur Windows XP Professionnel grâce au gestionnaire de périphériques.

Cet outil est accessible en faisant un clic droit sur le poste de travail, puis en sélectionnant Propriétés / Gestionnaire de périphériques. A partir du gestionnaire de périphériques, il est possible de supprimer, désactiver, mettre à jour tous les périphériques. Il suffit pour cela de faire un clic droit sur le périphérique en question, puis de faire son choix dans le menu contextuel qui apparaît.

Le plus souvent, les imprimantes étant des périphériques Plug-and-Play, leur installation est automatique dès leur connexion. Cependant, il est possible d „exécuter cette opération manuellement (si par exemple l'utilisateur désire utiliser un autre pilote que celui fournit par Microsoft). Pour se faire, il suffit d'ouvrir le panneau de configuration, puis de cliquer sur Imprimante et autres périphériques, puis sur Imprimantes et télécopieurs. Ensuite sous tâches d'impression, il faut cliquer sur Ajouter une imprimante et suivre les instructions.

Configuration de Microsoft Windows XP Professionnel pour fonctionner sur des réseaux Microsoft :

Etude des groupes de travail et des comptes d’utilisateur :

Un groupe de travail est un ensemble d'ordinateur connecté à un réseau qui partage des ressources. Chacun des comptes utilisateur voulant accéder aux ressources du réseau devra être recréer sur chacune des machines auxquels il voudra accéder (ex : 3 utilisateurs pour 3 machines = 9 comptes à créer ou 50 utilisateurs pour 50 machines = 2500).

Ce type de structure est envisageable dans le cas d'une petite entreprise ayant peu d'ordinateur mis en réseau. Cela évite de mettre en place un serveur.

On distingue trois types de compte utilisateur :
- Compte d’utilisateur local : Permet d’ouvrir une session localement sur un ordinateur. Il est stocké dans la base SAM de l’ordinateur.
- Compte d’utilisateur de domaine : Permet d’ouvrir une session sur le domaine, et par conséquent d’accéder aux ressources de ce dernier.Il est stocké dans l’annuaire Active Directory.
- Compte d’utilisateur prédéfini : Administrateur et Invité, on ne peut pas supprimer ces comptes. Le compte invité est désactivé par défaut. La compte Administrateur et les seul compte par défaut qui à TOUT les droits d’administration et de gestion sur l’ordinateur.

Création et authentification de comptes d’utilisateur locaux :

Pour créer un compte d'utilisateur local, il faut passer par la fenêtre Gérer (disponible via le menu contextuel du Poste de travail), puis choisir l'option Utilisateur et groupes locaux, puis choisir l'option Nouvel utilisateur en faisant un clic droit sur Utilisateur.

Il s'agit après d'entrer les informations relatives à cet utilisateur. Une fois le compte utilisateur créer, il faut savoir qu'il aura des droits limités, cela signifie que l'utilisateur qui utilisera ce compte pour se connecter à l'ordinateur ne pourra pas effectuer des taches administratives comme par exemple installer un nouveau pilote pour un périphérique.

La méthode la plus facile pour changer le rang du compte utilisateur consiste à passer par le Panneau de configuration et d'entrer dans le menu Compte d’utilisateurs, puis sélectionner le compte que l'on veux modifier, cliquer sur Propriété, choisir l'onglet Appartenance au groupe et enfin choisir le niveau daccès de l'utilisateur. Notez qu'il y a trois options et non deux (Administrateur, et limité). La dernière option, Autre, permet de personnaliser le niveau d'accès du compte en l'affectant à un groupe ayant des niveaux d'accès bien particuliers.

Il est important de comprendre que l'une des plus grandes caractéristiques d'un groupe de travail est l'authentification qui se fait à un niveau local. C'est-à-dire que c'est la machine où l'utilisateur se connecte qui validera ou non l'ouverture de session. Si celle-ci abouti, l'utilisateur obtiendra un jeton d’accès qui constituera l'indentification de l'utilisateur pour cet ordinateur local et contient les paramètres de sécurité de l'utilisateur (ex : la liste des groupes auxquels il appartient).