Access Control in 2008 R2 Flashcards
NPS
Network Policy Server
Apply the shared secret clients template to a RADIUS client
- Open NPS
- Access the RADIUS Clients and Servers node
- Select RADIUS Clients
- Access the properties for server
- Apply the Shared Secret template to the RADIUS client
- save the changes
Match each phase of authentication mechanism assurance implementation with its key procedure
- Configure the group claims to map to the correct group in AD DS - Config Federation Servers
- Configure the settings for certificate templates - Create Certificates
- Verify additional group membership - Download and test certs
- Ensure group memberships are correct on the claims-aware app
- Setup AD module cmdlets - link cert policies to groups
AppLocker 2008 R2
enables you to stop the installation and execution of unauthorized software while allowing authorized applications, installations and scripts
controls how users access and use apps, i.e. executables, scripts, etc.
can stipulate exactly what is allowed to run on all users' desktop PCs
- prevent specified apps from executing (whitelist or blacklist them)
- access app properties
- define rules based on file attributes
- assign a rule to a group or an individual user
- Create exceptions for .exe files
- identify unavailable files
AppLocker benefits
- enables greater control over the number and type of files allowed to run, keeps viruses down
lowers cost of ownership: standardized workstations that run only approved apps
reduces risk of sensitive info being accessed through flaws in unauthorized software
only works on Windows 7 or higher
by default AppLocker will not allow apps to open or run unless specified - need to maintain an updated list
need to inform users what is allowed or blocked to avoid unneeded service requests
Can be applied via local or domain GPO
local applies only to that machine, domain applies to all computers
can use audit mode to test specific actions, which are recorded in a log.
AppLocker console has 3 sections
Getting Started - warnings listed
Configure Rule Enforcement - what will be enforced; the Application Identity service must be running; can learn more about the feature
Overview - access each rule collection, namely Executable Rules, Windows Installer Rules and Script Rules
AppLocker properties - Enforcement tab
has 3 parts:
Executable rules
Windows Installer rules
Script rules
app rules are not configured by default; simply creating one means it will be enforced even if you don't have the Configured checkbox selected for it.
When creating - best practice is to check the box and then from the drop-down pick Audit only so you don't lock yourself out of Windows
enforcement will occur if Enforce Rules or Not Configured is chosen
should enable default rules first to keep you from locking yourself out of Windows - right-click the rule collection and choose Create Default Rules
BitLocker
drive encryption
security feature
prevents sensitive data being accessed by unauthorized users who get hold of lost, stolen or improperly decommissioned computers
protects the HDD from offline attacks
must have a password or smart card to read or write data to a fixed or removable HDD, and must read the data on a BitLocker computer with the correct keys
OS with it,
2-factor authentication,
single-factor authentication by storing the key on a USB flash drive or using a TPM (Trusted Platform Module) and a PIN or startup key
TPM
computers that run it must have a compatible TPM microchip and BIOS
ensures secure boot-up and integrity,
behind the scenes, users are not aware
If the measured info changes, BitLocker goes into recovery mode and you need the recovery password for access
to unlock you get 3 options:
fixed drive, automatically unlock the encrypted OS drive
Unlock after a password is given
unlock after a smart card is inserted.
before the drive is encrypted
wizard suggests methods to store the recovery key: flash drive, network drive or location, or print it
BitLocker To Go
bit-level, full volume encryption on USB keys
creates a System Volume Information folder on the drive
unlock password
unlock with smartcard
takes a while to encrypt since it is volume-size driven and not data-size driven
BitLocker and BitLocker To Go prevent data loss or theft by
- protecting your data - encryption
- facilitating management - GPO
- facilitating setup - internal HDD by auto-creating a hidden root partition to protect the OS
AD DS new feature
Authentication Mechanism Assurance
when activated, an admin-defined universal group membership is added to a user's access token. Activated when a user enters credentials during a cert-based logon event
controls access to resources; each user logon determines if there is access and what restrictions apply
different cert policies can be linked to the same user/single accounts; admin is able to determine what each user has used at login
without it enabled there is no distinction of type of login
can be used with AD FS for further restrictions
minimum implementation requirements for authentication mechanism assurance
One or more AD DS DCs
Clients or server
smart card reader
logon certs from a cert issuance policy
smart card reader
can use ADFSClient instead
if you have virtual smart cards and readers you can use ADFSClient; connect the client virtual or physical computer to the domain
install the 3rd-party smart card reader; can use several different ones with different levels of access or cert rewrites