
70-744: Securing Windows Server 2016

Chapter 9 – Securing the Network Infrastructure
Slide 1

▪ Agenda
o Using the Windows Firewall with Advanced Security
o Datacenter Firewall
o Utilizing IP Security
o Configuring Advanced DNS Settings
o Monitoring Network Traffic
o Securing SMB Traffic

Slide 2

▪ Using the Windows Firewall with Advanced Security

Slide 3

▪ Firewalls can be installed on network hosts such as Windows
operating systems or implemented as software in physical
devices such as routers and dedicated appliances
▪ Types of firewalls
o Application layer gateway
o Circuit-level gateway
o Packet filtering
o Stateful multilayer inspection

Slide 4

▪ Application traffic is designated by port numbers at the
transport layer
▪ Well-known ports
o HTTP – 80
o HTTPS – 443
o FTP – 20, 21
o FTPS – 989, 990
o DNS – 53
o SMTP – 25
o SSH – 22
o SNMP – 161, 162
o Kerberos – 88
o DHCP – 67, 68

Slide 5

▪ Windows Firewall is a host-based firewall providing additional
default protection for the Windows Server 2016 and client
operating systems

▪ Features and Benefits
• Thwarts common attacks automatically
• Protects outgoing and incoming traffic
• Provides easy configuration using Control Panel
• Advanced configuration is available
• Automatic notifications
• Network profile aware
• IPSec integration

Slide 6

▪ In both client and server versions of Windows, the type of
network is chosen when you first connect to a network
▪ Three network profiles are available
o Domain
o Private
o Guest or public
▪ Windows Server 2016 supports the ability to have multiple
active profiles
▪ The list of rules can vary for each network profile

Slide 7

▪ The configuration of the firewall determines the traffic types
allowed inbound and outbound from the host

▪ Configuration options include
o Windows Firewall with Advanced Security
o Netsh command line utility
o Windows PowerShell
o Group Policy

▪ Types of rules
o Inbound
o Outbound
o Connection security
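
The profile and rule-type points above can be checked from Windows PowerShell, one of the configuration options listed. The following is an added example, not part of the original slides: it reports the active profiles, each profile's default actions, and every enabled inbound allow rule that applies to the Public profile, then creates one rule limited to the Domain profile. The function name, rule name and port are constructed for illustration.

```powershell
# Added example (not from the original slides). Run in an elevated
# PowerShell session; uses the built-in NetConnection and NetSecurity modules.

# 1. Which profile is each connected network using? More than one
#    profile can be active at the same time on a multi-homed server.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory

# 2. Effective state and default actions of the three profiles.
#    ActiveStore is the merged result of local settings and Group Policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 3. Enabled inbound allow rules that apply to the Public profile
#    (either explicitly or through Profile = Any). These are the rules
#    that stay open on an untrusted network.
#    Get-PublicInboundAllowRule is a hypothetical helper name.
function Get-PublicInboundAllowRule {
    Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True `
            -Direction Inbound -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Any|Public' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Profile       = "$($_.Profile)"
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
}

Get-PublicInboundAllowRule |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# 4. An inbound rule that exists only in the Domain profile, so the port
#    is not opened when the server is on a Private or Public network.
#    Display name and port are constructed values.
New-NetFirewallRule -DisplayName 'Example - HTTPS inbound (Domain only)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -Action Allow -Profile Domain
```

Rules with a RemoteAddress of Any in the step 3 output are the first candidates for tightening or for moving to the Domain profile.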

Slide 8

▪ Datacenter Firewall

Slide 9

▪ Network Controller is a new server role introduced with
Windows Server 2016 that provides a centralized,
programmable point of automation to manage, configure,
monitor, and troubleshoot the virtual and physical network
infrastructure in your datacenter
o Provides automation of infrastructure configuration
o Installed on a single or multiple servers
o Deployed in a domain or non-domain environment
o Provides two APIs

Slide 10

▪ Datacenter Firewall is one of the new virtual appliances
included with Windows Server 2016 for use in a Hyper-V
environment
▪ A distributed multitenant firewall that is built in to the
Hyper-V environment
▪ Advantages
o Provides a software-based firewall integrated with SCVMM
o Firewall policies are assigned to virtual machines
o Provides protection features for tenant virtual machines independent
of guest operating systems
o Provides definition of
• Internet facing firewall rules
• Local protection on L2 virtual subnets

Slide 11

▪ Network Security Groups (NSGs) allow you to define rules to
segment your Hyper-V environment into virtual subnets
▪ An NSG contains Access Control List (ACL) rules that either
allow or deny traffic to (or from) a virtual subnet or virtual
machine. These rules are applied at the virtual machine level,
with separate rules for inbound traffic and outbound traffic

Slide 12

▪ Segmenting an on-premises virtual network
▪ Segmenting a multitenant IaaS network

Slide 13

▪ Utilizing IP Security

Slide 14

▪ IPSec is a suite of protocols that allows secure encrypted
transmission between two computers over an unsecured
network

▪ Benefits
o Two primary goals are to protect IP packets and defend against
network attacks using a non-proprietary security mechanism
o Ensures that all traffic between two nodes is kept secure
o Security is accomplished using data signing and/or encryption of
packets
o IPSec policies on both nodes will determine the type of traffic that
will be protected by IPSec and how it will be secured and
encrypted

Slide 15

▪ The primary protocols that are a part of the IPSec suite are
responsible for data integrity, confidentiality, and
authentication across unsecure network transports such as
the Internet

o Encapsulating Security Payload (ESP) – responsible for both data
signatures (integrity) and data encryption (confidentiality)
o Authentication Headers (AH) – only provides data signatures for
integrity protection
o Internet Key Exchange (IKE) – responsible for setting up security
associations and handling the negotiation of authentication and
encryption protocols to be used in a communication session

Slide 16

▪ Recommended Uses
o Authenticating and encrypting host-to-host traffic
o Authenticating and encrypting traffic to specific servers
o L2TP/IPSec for VPN connections
o Site-To-Site tunneling
o Enforcing logical networks using network access protections

▪ IPSec Modes
o Transport mode enforced through connection security rules and
protecting traffic between hosts
o Tunnel mode identifies tunnel endpoints that will handle all
authentication and encryption (site-to-site)

Slide 17

▪ Tools for Configuring IPSec
o Windows Firewall with Advanced Security snap-in to the MMC is used
to configure connection security rules for Windows Vista, Windows 7,
and Windows Server 2008
o IP Security Policy MMC snap-in is used for mixed environments to
create policies that will apply to all versions of Windows
o Group Policy can be used to enforce consistent rules on domain
members
o Netsh command line tool provides automated configuration
capabilities

Slide 18

▪ Connection security rules are used to enforce security settings
for specific connections between this computer and others

▪ The Windows Firewall will use the rule to evaluate traffic and
determine whether that traffic should be protected using
IPSec

▪ The type of rule that you choose will be based on the specific
scenario and can be configured locally on each machine or
through Group Policy in Active Directory

Slide 19

▪ Rule Types

Rule Type                 Description
Isolation                 Restricts connections based on credentials such as domain membership or health policies
Authentication exemption  Prevents certain computers or IP addresses from being required to authenticate
Server-to-Server          Protects traffic between two specific hosts
Tunnel                    Used when the server is acting as a router

Slide 20

▪ The endpoints are the nodes involved in the secure IPSec
communication; which nodes these are depends on the mode in use
▪ Tunnel mode
o The entire IP packet is protected by treating it as an AH or ESP payload
o Entire packet is encapsulated with an AH or ESP header and an
additional IP header
o Addresses on the outer IP header are the two endpoints, in many
cases firewalls or routers that connect to sites
▪ Transport mode
o Only the data portion is protected by ESP while the ESP header is
unprotected
o The endpoints are the individual hosts involved in communication

Slide 21

▪ When using the wizard to create connection security rules
there are three options for authentication
o Request authentication for all inbound and outbound connections
o Require authentication for inbound and request authentication for
outbound connections
o Require authentication for all inbound and outbound connections

▪ By default, authentication and encryption settings will apply
to all protocols and ports between the endpoints specified in
the rule

Slide 22

▪ Authentication Methods
o Default – uses the preconfigured method on the IPSec settings tab
o Computer and User (Kerberos V5) – requires domain membership
o Computer (Kerberos V5) – requires domain membership but does not
perform user authentication
o User (Kerberos V5) – domain membership required
o Computer certificate – request or require a valid certificate or require
health certificates which are used for IPSec NAP enforcement
o Advanced – allows the configuration of multiple authentication
methods

Slide 23

▪ Encryption Settings are configured using the IPSec Default
settings available from the Windows Firewall with Advanced
Security
o Authentication signing algorithms
• MD5 – provided for backward compatibility
• SHA-1 – default
• Various levels of AES
o Encryption algorithms
• DES – provided for backward compatibility
• 3DES – default
• Various levels of AES

Slide 24

▪ You can monitor connections using the Windows Firewall with
Advanced Security console
o Connection security rules shows rules currently in use
o Main Mode shows methods used to establish IPSec sessions
o Quick Mode shows protocols used in the IPSec session
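
The wizard options, authentication methods, encryption settings and monitoring views from the preceding slides map onto the NetSecurity PowerShell cmdlets. The following is an added example, not part of the original slides: it builds a "require inbound, request outbound" rule using Computer (Kerberos V5) authentication and AES-256 with SHA-256 in place of the 3DES and SHA-1 defaults, then reads back the security associations. All display names and the 192.0.2.0/24 address range are constructed values.

```powershell
# Added example (not from the original slides). Run in an elevated
# PowerShell session on a domain-joined Windows Server 2016 host.
# Display names and the 192.0.2.0/24 range are constructed for illustration.

# Authentication method: Computer (Kerberos V5). Requires domain
# membership and performs no user authentication.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet `
    -DisplayName 'Example - Computer Kerberos V5' `
    -Proposal $kerbProposal

# Data protection (quick mode): ESP with SHA-256 integrity and AES-256
# encryption, replacing the SHA-1 / 3DES defaults for this rule only.
$qmProposal = New-NetIPsecQuickModeCryptoProposal `
    -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet `
    -DisplayName 'Example - ESP SHA256 AES256' `
    -Proposal $qmProposal

# Connection security rule: require authentication for inbound and
# request it for outbound connections. No protocol or port is given,
# so the rule covers all traffic to and from the remote range.
New-NetIPsecRule -DisplayName 'Example - Require inbound authentication' `
    -Profile Domain `
    -RemoteAddress 192.0.2.0/24 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -QuickModeCryptoSet $qmSet.Name

# Monitoring, equivalent to the three console views:
# connection security rules currently in effect ...
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity

# ... main mode security associations (how the peers authenticated) ...
Get-NetIPsecMainModeSA | Format-List

# ... and quick mode security associations (what protects the data).
Get-NetIPsecQuickModeSA | Format-List
```

A rule that requires inbound authentication drops connections from peers that have no matching rule, so a rollout normally starts with Request in both directions and moves to Require once the quick mode associations show the expected algorithms.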

Slide 25

▪ Configuring Advanced DNS Settings

Slide 26

▪ Delegation of administration can use the DNS Admins group
▪ DNS Logging is configured on the properties of the DNS server
o Standard logging
o Debug logging to provide additional information for troubleshooting
▪ DNS records can be managed using Aging and Scavenging
settings
o Aging is the process through which records are marked stale
o Scavenging is the process by which stale records are removed
▪ Backing up the DNS database depends on AD integration
o Non-integrated zones are single files that can be copied or backed up
o AD integrated zones are backed up using system state backups, the
dnscmd command or Windows PowerShell
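
Because scavenging deletes records, it is worth exporting the zone and previewing what would count as stale before switching it on. The following is an added example, not part of the original slides, using the DnsServer PowerShell module; the zone name, export file name, intervals and the Get-StaleDnsRecord helper are constructed for illustration.

```powershell
# Added example (not from the original slides). Run on a DNS server
# with the DnsServer module. Zone name, file name, intervals and the
# helper function name are constructed values.
$zone      = 'corp.example.com'
$noRefresh = [TimeSpan]::FromDays(7)
$refresh   = [TimeSpan]::FromDays(7)

# 1. Back up the zone first. The file is written to the DNS folder under
#    %windir%\System32\dns and the export fails if the file already exists.
Export-DnsServerZone -Name $zone -FileName "$zone.backup.dns"

# 2. Preview: dynamically registered records whose timestamp is older
#    than no-refresh + refresh. Static records have no timestamp and
#    are never aged, so they are skipped.
function Get-StaleDnsRecord {
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,
        [Parameter(Mandatory)] [TimeSpan] $MaxAge
    )
    $cutoff = (Get-Date) - $MaxAge
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp
}

Get-StaleDnsRecord -ZoneName $zone -MaxAge ($noRefresh + $refresh) |
    Sort-Object Timestamp |
    Format-Table -AutoSize

# 3. Aging: mark records in this zone as eligible to become stale.
Set-DnsServerZoneAging -Name $zone -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh

# 4. Scavenging: let this server remove stale records on a schedule.
Set-DnsServerScavenging -ScavengingState $true `
    -ScavengingInterval ([TimeSpan]::FromDays(7))

# 5. Confirm the settings, and review which logging options are
#    currently enabled on the server.
Get-DnsServerZoneAging -Name $zone
Get-DnsServerScavenging
Get-DnsServerDiagnostics
```

Any server or appliance name that appears in the step 2 preview and is still in use should be converted to a static record before step 4 takes effect.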

Slide 27

▪ Several options exist on the Advanced property page of a DNS
zone which are applicable in various scenarios
o DNS Round Robin provides load balancing
o Netmask ordering provides localized name resolution
o Recursion settings control the types of queries that are issued
▪ Additional options
o Forwarding
o Conditional forwarding
o Stub zones

Slide 28

 The GlobalNames zone is used to provide single label name
resolution in a multiple domain environment
o When clients or applications are not aware of the FQDN of a host they
utilize their own domain name (zone) in the name query
o In multidomain environments this can fail if the host is in a separate
DNS domain
 The GlobalNames zone is created using
o Dnscmd command line utility
o Windows PowerShell
• Add-DNSServerPrimaryZone
• Get-DNSServerGlobalNameZone
• Set-DNSServerGlobalNameZone

Slide 29

 DNS is a critical service on the network and this warrants
additional security configurations
o DNS Cache locking
• Controls when cached information can be overwritten
• Prevents the malicious and intentional spoofing of DNS information
• Configured using DNSCMD or the Set-DNSServerCache cmdlet
o DNS Socket pool
• Uses source port randomization when issuing DNS queries
• Makes cache tampering attacks more difficult
• Enabled by default
o DNS-based authentication of Named Entities (DANE)
• New feature providing TLSA records to clients
• Prevents man-in-the-middle attacks
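
An audit of the cache locking and socket pool settings described above, as an added example that is not part of the original slides. The baselines of 100 percent and 2500 sockets are the Windows Server defaults; the function name Test-DnsCacheHardening is hypothetical.

```powershell
# Added example: report whether cache locking and the socket pool are still
# at or above a baseline on a DNS server. Requires the DnsServer module.
function Test-DnsCacheHardening {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumption: the Windows defaults are used as the minimum baseline.
        [ValidateRange(0, 100)][int]$MinLockingPercent = 100,
        [int]$MinSocketPoolSize = 2500
    )

    $cache    = Get-DnsServerCache   -ComputerName $ComputerName
    $settings = Get-DnsServerSetting -ComputerName $ComputerName -All

    $checks = @(
        [pscustomobject]@{
            Setting  = 'Cache locking percent'
            Current  = [int]$cache.LockingPercent
            Baseline = $MinLockingPercent
        },
        [pscustomobject]@{
            Setting  = 'Socket pool size'
            Current  = [int]$settings.SocketPoolSize
            Baseline = $MinSocketPoolSize
        }
    )

    foreach ($check in $checks) {
        # A value below the baseline makes cache overwrites or port guessing easier.
        $check | Add-Member -NotePropertyName Compliant `
                            -NotePropertyValue ($check.Current -ge $check.Baseline) -PassThru
    }
}

Test-DnsCacheHardening | Format-Table -AutoSize

# Remediation if cache locking was lowered: cached records cannot be
# overwritten until 100 percent of their TTL has elapsed.
Set-DnsServerCache -LockingPercent 100

# Remediation for the socket pool uses dnscmd and needs a service restart:
#   dnscmd /Config /SocketPoolSize 2500
#   Restart-Service DNS
```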

Slide 30

 An additional option is DNS Security Extensions (DNSSEC)
which enables a zone and all its records to be
cryptographically signed so clients can validate responses
 Provides protection against various attacks
o Spoofing
o Cache tampering
 Functions
o If a zone is digitally signed, query responses contain digital signatures
o Clients can validate the response and ensure it has not been altered in
transit

Slide 31

 Trust anchors
o An authoritative entry that is represented by a public key
o Stores information associated with protected zones in the DNSKEY or
DS resource records
o Must be configured for every zone
 Name Resolution Policy Table (NRPT)
o Contains rules that control DNS client behavior
o Configured locally or using Group Policy
 Implementation
o Use the DNSSEC Configuration Wizard to sign the zone
o Configure trust anchor distribution points
o Configure the NRPT on client computers
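
The three implementation steps above done from Windows PowerShell instead of the wizard, as an added example that is not part of the original slides. The zone name, server names and GPO name are constructed placeholders.

```powershell
# Added example. Assumed names (not from the course material):
$zone     = 'secure.contoso.example'      # AD-integrated zone to sign
$primary  = 'dns01.contoso.example'       # server that becomes Key Master
$resolver = 'dns02.contoso.example'       # another DNS server that validates
$gpo      = 'DNSSEC Client Policy'        # existing GPO linked to client OUs

# 1. Sign the zone with default KSK/ZSK settings (what the wizard's
#    "use default settings" option does).
Invoke-DnsServerZoneSign -ZoneName $zone -ComputerName $primary `
    -SignWithDefault -PassThru -Force

# 2. Distribute the zone's DNSKEY trust anchor through Active Directory so
#    other DNS servers can validate responses for this zone.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -ComputerName $primary `
    -DistributeTrustAnchor DnsKey

#    Check that the validating server received the trust anchor.
Get-DnsServerTrustAnchor -Name $zone -ComputerName $resolver

# 3. Configure the NRPT through Group Policy: clients ask for DNSSEC data
#    for every name under the zone and reject answers that fail validation.
Add-DnsClientNrptRule -GpoName $gpo -Namespace ".$zone" `
    -DnsSecEnable -DnsSecValidationRequired

# Verification on a client after Group Policy refresh.
Get-DnsClientNrptPolicy -Effective |
    Where-Object Namespace -eq ".$zone" |
    Select-Object Namespace, DnsSecValidationRequired

# A signed zone returns RRSIG records next to the answer when the
# DNSSEC OK bit is set on the query.
Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk |
    Select-Object Name, Type, TTL, Section
```

Once the NRPT rule requires validation, clients treat an answer that cannot be validated as a failed lookup, so confirm the trust anchor is present on every resolver the clients use before linking the GPO broadly.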

Slide 32

 DNS Policy is a new feature in Windows Server 2016 used to
manipulate how the server handles queries based on various
factors
 Scenarios for DNS Policy
o Application high availability
o Traffic management
o Split brain DNS
o Filtering
o Forensics

Slide 33

 DNS Policies are implemented using a series of Windows
PowerShell cmdlets
o Add-DnsServerClientSubnet
o Add-DnsServerZoneScope
o Add-DnsServerResourceRecord
o Add-DnsServerQueryResolutionPolicy
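
How the listed cmdlets combine for two of the DNS Policy scenarios (split brain DNS and filtering), as an added example that is not part of the original slides. The zone, subnet, host name, addresses and blocked domain are constructed placeholders.

```powershell
# Added example. All names and addresses below are constructed.
$zone = 'contoso.example'

# --- Split brain DNS: internal clients get the internal address ---------

# 1. Describe who counts as "internal".
Add-DnsServerClientSubnet -Name 'InternalSubnet' -IPv4Subnet '10.0.0.0/8'

# 2. Create a second view (zone scope) of the same zone.
Add-DnsServerZoneScope -ZoneName $zone -Name 'internal'

# 3. Same record name, different data per scope.
#    Default scope: what everyone else sees.
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'app' `
    -IPv4Address '203.0.113.20'
#    Internal scope: only served when a policy selects it.
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'app' `
    -IPv4Address '10.10.1.20' -ZoneScope 'internal'

# 4. Policy that ties the client subnet to the internal scope.
#    'internal,1' is scope name and weight.
Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainInternal' `
    -ZoneName $zone -Action ALLOW `
    -ClientSubnet 'EQ,InternalSubnet' -ZoneScope 'internal,1'

# --- Filtering: silently drop queries for a blocked domain --------------

# Server-level policy (no -ZoneName). IGNORE sends no response at all;
# use DENY instead if clients should receive a refusal.
Add-DnsServerQueryResolutionPolicy -Name 'BlockListedDomain' `
    -Action IGNORE -FQDN 'EQ,*.blocked.example'

# --- Review what is now in effect ---------------------------------------
Get-DnsServerQueryResolutionPolicy -ZoneName $zone |
    Select-Object Name, ProcessingOrder, Action, IsEnabled
Get-DnsServerQueryResolutionPolicy |
    Select-Object Name, ProcessingOrder, Action, IsEnabled
```

Queries that match no policy are answered from the default zone scope, so the internal address is never handed to clients outside the defined subnet.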

Slide 34

 Windows Server 2016 provides a new feature known as RRL to help
protect against DNS amplification attacks
o Attacker forges the source IP address of the victim network or computer
and floods the DNS server with queries
o Without RRL the server responds back to the queries that it receives
o RRL helps prevent the abuse of DNS servers in this way by flagging
potentially malicious queries and taking immediate preventative action
 Enabled using Windows PowerShell
o Set-DNSServerRRL
• Responses per second
• Errors per second
• Window
• Leak rate
• TC rate
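
A staged rollout of RRL using the parameters listed above, as an added example that is not part of the original slides. Set-DnsServerResponseRateLimiting is the full name of the Set-DnsServerRRL cmdlet; the values shown are the product defaults, and the exception list name and the InternalSubnet client subnet are constructed.

```powershell
# Added example. Stage 1: evaluate only. In LogOnly mode the server does the
# rate calculations and logs what it would have limited, but still answers.
Set-DnsServerResponseRateLimiting -Mode LogOnly `
    -ResponsesPerSec 5 `   # identical responses allowed per client subnet per second
    -ErrorsPerSec    5 `   # error responses (for example NXDOMAIN) allowed per second
    -WindowInSec     5 `   # how long a client stays suspended once it exceeds the rate
    -LeakRate        3 `   # while suspended, answer 1 in 3 queries normally
    -TruncateRate    2 `   # while suspended, answer 1 in 2 queries with TC set
    -Force

# Review the effective settings.
Get-DnsServerResponseRateLimiting

# Optional: exempt known internal resolvers that legitimately send many
# identical queries. 'InternalSubnet' must already exist as a
# DnsServerClientSubnet object (constructed name).
Add-DnsServerResponseRateLimitingExceptionlist -Name 'InternalResolvers' `
    -ClientSubnet 'EQ,InternalSubnet'

# Stage 2: after reviewing what LogOnly flagged, enforce.
Set-DnsServerResponseRateLimiting -Mode Enable -Force
```

The truncated (TC) responses are what keep legitimate clients working during an attack: a real client retries over TCP, while a forged source address cannot complete the TCP handshake.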

Slide 35

 Monitoring Network Traffic

Slide 36

 MMA is a tool used to capture network traffic and then
display and analyze that traffic
o Monitors live connections
o Imports and aggregates data for analysis
o Provides filtering mechanisms

Slide 37

 Securing SMB Traffic

Slide 38

 SMB 3.0.x provides for the encryption of SMB traffic which
helps to ensure the session is not tampered with
 SMB 3.1.1 adds preauthentication integrity
o Digitally hashes and signs the negotiate and session setup messages
o Tampering would result in a failed connection

Slide 39

 Windows 10 and Windows Server 2016
o SMB 3.1.1 with backward compatibility
 Windows 8.1 and Windows Server 2012 R2
o SMB 3.0.2 with backward compatibility
 Windows 8 and Windows Server 2012
o SMB 3.0 with backward compatibility
 Windows 7 and Windows Server 2008 R2
o SMB 2.1 with backward compatibility

Slide 40

 You can use Windows PowerShell to enable encrypted SMB
shares
o Existing share
• Set-SmbShare -Name <sharename> -EncryptData $true
o Encrypt all sharing on a file server
• Set-SmbServerConfiguration -EncryptData $true
o Create a new SMB file share and enable encryption
• New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true

Slide 41

 You can disable SMB 1.x support using Windows PowerShell
o Vista through Server 2008 R2 require a registry edit
o Windows 8 and Server 2012 or later use
• Set-SmbServerConfiguration -EnableSMB1Protocol $false

 You can also completely uninstall SMB 1.x from Windows 8.1
and newer
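
A pre-change audit for the SMB settings covered in the last four slides, as an added example that is not part of the original slides. The function name Get-SmbHardeningReport is hypothetical; it reports what is still unencrypted and which connected clients negotiated a dialect older than SMB 3.0, since those clients cannot use SMB encryption.

```powershell
# Added example: run on the file server before turning on encryption or
# disabling SMB 1.x, to see which shares and clients would be affected.
function Get-SmbHardeningReport {
    [CmdletBinding()]
    param()

    $config = Get-SmbServerConfiguration

    # Shares that still allow cleartext SMB (administrative shares skipped).
    $openShares = @(Get-SmbShare |
        Where-Object { -not $_.Special -and -not $_.EncryptData } |
        Select-Object -ExpandProperty Name)

    $sessions = @(Get-SmbSession)

    # Clients on SMB 2.1 or older (for example Windows 7 / Server 2008 R2)
    # cannot encrypt and lose access when encryption is required.
    $legacy = @($sessions |
        Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
        Select-Object ClientComputerName, ClientUserName, Dialect)

    [pscustomobject]@{
        Smb1Enabled             = $config.EnableSMB1Protocol
        ServerWideEncryption    = $config.EncryptData
        RejectUnencryptedAccess = $config.RejectUnencryptedAccess
        UnencryptedShares       = $openShares
        DialectsInUse           = @($sessions | Group-Object Dialect |
                                    ForEach-Object { '{0} ({1} sessions)' -f $_.Name, $_.Count })
        LegacyClients           = $legacy
    }
}

$report = Get-SmbHardeningReport
$report | Format-List

# Only tighten the server when no connected client depends on old dialects.
if ($report.LegacyClients.Count -eq 0) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Set-SmbServerConfiguration -EncryptData $true -Force
}
else {
    Write-Warning 'Clients below SMB 3.0 are connected; review LegacyClients first.'
}
```

Get-SmbSession only shows clients connected at the moment it runs, so sample it over a representative period before enforcing.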

Slide 42

 Using the Windows Firewall with Advanced Security
 Datacenter Firewall
 Utilizing IP Security
 Configuring Advanced DNS Settings
 Monitoring Network Traffic
 Securing SMB Traffic

Review Questions:
1. Which of the following maintenance processes in DNS is important in order to
ensure the validity of records contained in the database as it relates to changing
IP addresses on DHCP clients?
A. Aging and scavenging
B. Debugging
C. Global Names zone
D. DNSSEC

2. Which of the following DNS options is used to enforce security ensuring that
saved query information on the server cannot be corrupted and/or modified?
A. Socket pool
B. DNSSEC
C. Cache Locking
D. Global Names

3. Which of the following advanced DNS options can be utilized in a multi-domain
environment to ensure that clients are able to resolve single label names
regardless of the location of the server?
A. DNSSEC
B. Client Resolver Cache
C. Stub Zones
D. Global Names zone

4. Which of the following components in a DNSSEC implementation is used in order
to configure the clients for DNSSEC and is usually configured via Group Policy in
Active Directory?
A. NRPT
B. KSK
C. ZSK
D. DNSKEY

5. Which of the following components in a DNSSEC implementation is used to
retrieve the public keys from a DNS Server that are required in order to decrypt
and verify the digital signature included in the DNS server response?
A. NRPT
B. DNSKEY
C. Trust Anchor
D. Digital Certificate

6. Which of the following represents the ability to integrate IPSec technologies with
the Windows Firewall using the Windows Firewall with Advanced Security?
A. Inbound rules
B. Outbound rules
C. Network profiles
D. Connection security rules

7. You need to capture packets from a machine on your network and analyze
whether or not encryption is working with a particular LOB application that is
running. Which of the following utilities can you use for this purpose?
A. IPSec Monitor
B. Windows Firewall with Advanced Security
C. NETSTAT
D. Microsoft Message Analyzer

8. You are planning to implement IPSec in Transport mode to secure application
traffic in your network. Which of the following rule types should you use to ensure
traffic to servers running LOB applications is secure?
A. Server-to-Server
B. Isolation
C. Authentication Exemption
D. Custom

9. You are implementing IPSec in your organization and want to ensure that the
highest level of security is implemented for the authentication process. Which
authentication method should you choose?
A. Kerberos v5 user and computer
B. Kerberos v5 computer
C. Pre-shared Key
D. Certificates

10. Which of the following IPSec protocols is responsible for the initial security
associations between systems on the network?
A. ESP
B. AH
C. IKE
D. L2TP
Answer Key:
1. A
The aging process is used to mark records as stale if a client hasn’t
communicated with the DNS server within a given period of time. After the record
is aged the scavenging process will remove old records maintaining the integrity
of the records in the database.

2. C
Cache locking is a setting on the DNS server which prevents cache from being
overwritten until the TTL expires or a certain percentage has been met.

3. D
Global Names zones can be created on the DNS server and will contain CNAME
records; these records will identify the FQDN of the requested resource. This
provides single label name resolution in a multi-domain environment.

4. A
NRPT is the Name Resolution Policy Table and is configured via Group Policy in
order to achieve consistency across multiple client computers. It defines the
domain names for which DNSSEC is enabled.

5. C
A Trust Anchor is an entity or configuration that represents the public key and
gives access to the ability to decrypt responses sent by the DNS server.

6. D
Connection security rules are used to secure traffic with IPSec and are used in
conjunction with firewall rules that allow traffic only if it’s secure.

7. D
You should use the Microsoft Message Analyzer in order to do this. This is the
successor to the Network Monitor utility that has traditionally been available.

8. A
You can use the Server-to-Server rule in order to ensure that all traffic, or specific
traffic between systems, is protected using IPSec.

9. D
Certificates provide the highest level of security when working with IPSec
implementations.

10. C
The Internet Key Exchange (IKE) is the protocol that is responsible for
establishing security associations between systems and exchanging session
keys.
