Access Control in 2008 R2 Flashcards
NPS
Network Policy Server
Apply a Shared Secrets template to a RADIUS client
- Open the NPS console
- Expand the RADIUS Clients and Servers node
- Select RADIUS Clients
- Open the properties of the RADIUS client
- Select the Shared Secrets template to apply to that RADIUS client
- Save the changes
Match each phase of the authentication mechanism assurance implementation with its key procedure
- Create certificates: configure the settings for the certificate templates
- Link certificate policies to groups: set up and run the AD module cmdlets
- Download and test certificates: verify the additional group membership in the access token
- Configure the federation servers: configure the group claims to map to the correct groups in AD DS
- Access the sample application: ensure the group memberships reported by the claims-aware application are correct
AppLocker (2008 R2)
Lets an administrator stop the installation and execution of unauthorized software while still allowing authorized applications, installers and scripts to run.
Controls how users access and use applications (executables, scripts, Windows Installer files).
Can stipulate exactly what is allowed to run on every user's desktop PC:
- prevent specified applications from executing (allow list or block list)
- inspect an application's properties to build rules from them
- define rules based on file attributes (publisher, path or file hash)
- assign a rule to a group or an individual user
- create exceptions to a rule (for example, allow a folder except one .exe in it)
- identify files the policy would block before it is enforced (audit-only mode)
AppLocker benefits
- greater control over the number and type of files allowed to run, which keeps malware down
- lower total cost of ownership: standardized workstations that run only approved applications
- reduced risk of sensitive information being exposed through flaws in unauthorized software
Only works on Windows 7 or later (and Windows Server 2008 R2).
Once a rule collection is enforced, AppLocker blocks anything it has not explicitly been told to allow, so the allow list must be kept up to date.
Tell users what is allowed and what is blocked to avoid unneeded service requests.
Can be applied by a local or a domain GPO: local applies only to that machine, domain applies to all computers in scope of the GPO.
Audit-only mode records what the rules would have done in the AppLocker event log, so rules can be tested before they are enforced.
The AppLocker console has 3 sections:
Getting Started: warnings are listed here
Configure Rule Enforcement: choose which rule collections are enforced; the Application Identity service must be running for any rule to take effect; links to learn more about the feature
Overview: opens each rule collection, namely Executable Rules, Windows Installer Rules and Script Rules
AppLocker Properties, Enforcement tab
has 3 parts:
Executable rules
Windows Installer rules
Script rules
Rule collections are not configured by default, but as soon as a rule is created in a collection it is enforced, even if the Configured checkbox for that collection is not selected.
When creating rules, best practice is to select the Configured checkbox and pick Audit only from the drop-down so you do not lock yourself out of Windows.
Enforcement occurs if either Enforce rules or Not configured is chosen.
Create the default rules first to keep from locking yourself out of Windows: right-click the rule collection and choose Create Default Rules.
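The following PowerShell script is an added example, not part of the flashcards, that performs the audit-first rollout described above with the AppLocker module that ships with Windows 7 and Server 2008 R2. It assumes an elevated prompt, that the default rules have already been created as advised, and uses an illustrative policy path (C:\AppLocker\policy.xml), reference directory (C:\Program Files), test file and user name (CONTOSO\alice).

```powershell
# Added example: build an AppLocker policy from the applications installed on a
# reference machine, apply it in audit-only mode, review what it would have
# blocked, then switch the Executable rule collection to enforcement.
# Assumed: elevated prompt on Windows 7 / 2008 R2; default rules already created;
# the paths, file name and user below are illustrative.
Import-Module AppLocker

$PolicyPath = 'C:\AppLocker\policy.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Rules are ignored unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Collect publisher and hash information for the approved executables,
#    installers and scripts found on the reference machine.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
             -FileType Exe, WindowsInstaller, Script

# 3. Turn that into allow rules for Everyone. Publisher rules are preferred
#    (they survive version updates); hash rules are generated only for unsigned
#    files. -Optimize merges rules that share a publisher.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                    -Optimize -IgnoreMissingFileInformation -Xml

# 4. Force every rule collection to AuditOnly before the policy goes anywhere:
#    a collection that contains rules is enforced even while "Not configured".
[xml]$policy = $xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)

# 5. Apply locally (a domain GPO would carry the same XML). -Merge keeps the
#    default rules that already exist instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. Dry-run one file for one user against the policy: the result is Allowed,
#    Denied or DeniedByDefault, together with the rule that decided it.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path 'C:\Users\Public\unknown-tool.exe' -User 'CONTOSO\alice'

# 7. After the test period, list what audit mode would have blocked.
#    Event 8003 = would have been blocked (audit only); 8004 = was blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 8. Only once the audit log is clean, take the full effective local policy
#    (default rules plus the merged ones), switch just the Exe collection to
#    enforcement and apply it; the other collections stay in audit mode.
[xml]$effective = Get-AppLockerPolicy -Local -Xml
$exe = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe.EnforcementMode = 'Enabled'
$effective.Save($PolicyPath)
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Step 4 is the guard against the trap on the card above: a freshly generated policy carries EnforcementMode="NotConfigured", which is enforced the moment it lands on a machine, so the XML is set to AuditOnly before the first Set-AppLockerPolicy.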
BitLocker
Drive encryption
Security feature
Prevents sensitive data from being accessed by unauthorized users who get hold of lost, stolen or improperly decommissioned computers.
Protects the hard drive from offline attacks.
A password, smart card or key is needed to read or write data on a BitLocker-protected fixed or removable drive, and the drive can only be read on a computer that has the correct keys.
Protects the OS drive.
Two-factor authentication: TPM plus a PIN or a startup key.
Single-factor authentication: TPM alone, or a startup key stored on a USB flash drive (for computers without a TPM).
TPM
Computers that use TPM protection must have a compatible TPM microchip and BIOS.
Validates the boot components, so the system starts securely and its integrity is known.
Works behind the scenes; users are not aware of it.
If the boot information changes, BitLocker goes into recovery mode and the recovery password is needed for access.
Fixed data drives can be unlocked in 3 ways:
automatically (the encrypted OS drive unlocks the data drive)
after a password is given
after a smart card is inserted
Before the drive is encrypted, the wizard suggests ways to store the recovery key: on a USB flash drive, in a network location, or printed.
BitLocker To Go
Full-volume encryption for USB keys and other removable drives.
Creates a System Volume Information folder on the drive.
Unlock with a password.
Unlock with a smart card.
Encryption takes a while because the whole volume is encrypted, not just the data stored on it.
BitLocker and BitLocker To Go prevent loss or theft of data by:
- protecting your data: encryption
- facilitating management: GPO
- facilitating setup: on an internal hard drive a hidden system partition is created automatically to hold the unencrypted boot files, which keeps the OS drive itself fully encrypted
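The script below is an added example, not from the flashcards, showing the three protection scenarios on the cards above (OS drive with TPM + PIN and recovery mode cover, fixed data drive with automatic unlock, removable drive with BitLocker To Go) using manage-bde.exe, the command-line BitLocker tool that ships with Windows 7 and Server 2008 R2. It assumes an elevated prompt on a TPM-capable machine, drive letters C: (OS), D: (fixed data) and E: (removable), and an illustrative escrow share \\files\bl-recovery.

```powershell
# Added example: protect the OS drive, a fixed data drive and a removable drive
# with manage-bde.exe (Windows 7 / 2008 R2 have no BitLocker cmdlets yet).
# Assumed: elevated prompt, TPM present, drive letters C: D: E: and the
# escrow share below are illustrative. PIN and password are prompted for.
$Escrow = '\\files\bl-recovery'

function Get-BitLockerProtectionStatus {
    # manage-bde -status prints a "Protection Status:" line per volume; return its value.
    param([string]$Drive)
    foreach ($line in (manage-bde -status $Drive)) {
        if ($line -match '^\s*Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

# 1. Make sure the TPM is switched on; a TPM protector cannot be added otherwise.
manage-bde -tpm -turnon
manage-bde -status

# 2. OS drive, two-factor: the TPM validates the boot chain and the PIN is
#    something the user knows. A numerical recovery password is added and
#    escrowed so that a changed boot measurement (recovery mode) is survivable.
manage-bde -protectors -add C: -TPMAndPIN
manage-bde -protectors -add C: -RecoveryPassword
manage-bde -protectors -get C: | Out-File "$Escrow\$env:COMPUTERNAME-C.txt"
manage-bde -on C:

# 3. Fixed data drive: its own recovery password, then auto-unlock so it opens
#    whenever the OS drive has been unlocked (the first unlock option above).
manage-bde -protectors -add D: -RecoveryPassword
manage-bde -protectors -get D: | Out-File "$Escrow\$env:COMPUTERNAME-D.txt"
manage-bde -on D:
manage-bde -autounlock -enable D:

# 4. Removable drive (BitLocker To Go): a password protector plus a recovery
#    password. The whole volume is encrypted, so a large key takes a while
#    even when it is nearly empty.
manage-bde -on E: -Password -RecoveryPassword
manage-bde -protectors -get E: | Out-File "$Escrow\$env:COMPUTERNAME-E.txt"

# 5. Report. Encryption runs in the background; "Protection On" is reported
#    only once the volume is fully encrypted and a key protector is in place.
foreach ($d in 'C:', 'D:', 'E:') {
    '{0} {1}' -f $d, (Get-BitLockerProtectionStatus $d)
}
```

The recovery passwords are written to a file share here only to keep the example self-contained; in a domain the usual choice is the Group Policy setting that backs them up to AD DS, which is the "facilitating management: GPO" point on the card.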
AD DS new feature
Authentication Mechanism Assurance
When enabled, an administrator-defined universal group membership is added to the user's access token. It is triggered when the credentials the user presents at logon are a certificate (for example a smart card logon) issued under a linked certificate issuance policy.
Used to control access to resources: each logon determines what access and restrictions the user gets.
Different certificate policies can be linked to the same user account, so the administrator can tell which policy (assurance level) the user logged on with.
Without it there is no distinction between logon types.
Can be combined with AD FS for further restrictions (the added group becomes a claim).
Minimum implementation requirements for authentication mechanism assurance:
One or more AD DS domain controllers
Client or server computers
A smart card reader
Logon certificates issued under a certificate issuance policy
Instead of a physical client you can use the ADFSClient computer; with virtual smart cards and readers it can be a virtual machine. Join the client computer (virtual or physical) to the domain and install the third-party smart card reader software. Several different readers or cards can be used, each carrying different certificates and granting a different level of access.
Implementation phases for authentication mechanism assurance:
- Create certificates
- Link certificate policies to groups
- Download and test certificates
- Configure the federation servers
- Access the sample application from the client computer
Phase 1: create certificates
Must have the Windows Server 2008 R2 domain functional level.
AD Certificate Services installed and configured to issue the certificates.
Create and enable the new certificate templates.
Phase 2: link certificate policies to groups
Create test user accounts (2 accounts).
Prepare the scripts: 2 AD module PowerShell scripts
a. shows which issuance policies are available on the CA
b. sets up a group and an OU and links the certificate issuance policies to them
Link the certificate policies to the groups: you must be logged on as an administrator; the script sets up the groups and maps them to the policy that applies (the groups are stored in the OU).
Link them (see the PowerShell commands).
This ends phase 2.
The AD module prompt opens by default in the location below, and the scripts are stored there as well:
%userprofile%
PowerShell commands
Show which certificate issuance policies exist and whether they are linked to groups:
.\get-IssuancePolicy.ps1 -LinkedToGroup:All
(at this point the policies are not yet linked)
Create the link:
.\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyDisplayName:"High Assurance" -groupOU:"Auth MechAssurance Groups" -groupName:"High Level Access"
Phase 3: download and test certificates
Configure the client computer with a smart card reader and two different smart cards, then download the necessary certificates from the CA.
To complete phase 3:
obtain the certificates
verify the additional group membership in the access token
verify the administrator credentials
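What the guide's set-IssuancePolicyToGroupLink.ps1 does in phase 2, and the phase 3 token check, written out with plain Active Directory module cmdlets so the mechanism is visible. This is an added example, not the guide's script or the flashcards' own content: it assumes the policy display name, OU and group name used in the PowerShell commands above, an enterprise administrator account (the OID container lives in the Configuration partition), and the AD module on a 2008 R2 domain.

```powershell
# Added example: link a certificate issuance policy to a universal group the
# way authentication mechanism assurance expects, then check the logon token.
# Assumed: names below match the guide's commands; run as an enterprise admin.
Import-Module ActiveDirectory

function Get-IssuancePolicyObject {
    # Issuance policies are msPKI-Enterprise-Oid objects (flags = 2) under the
    # OID container of the forest's Configuration partition.
    param([string]$DisplayName)
    $config = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$config" `
        -Filter "objectClass -eq 'msPKI-Enterprise-Oid' -and flags -eq 2 -and displayName -eq '$DisplayName'" `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
}

function Set-IssuancePolicyGroupLink {
    param([string]$PolicyDisplayName, [string]$GroupOU, [string]$GroupName)
    $policy = Get-IssuancePolicyObject $PolicyDisplayName
    if (-not $policy) { throw "Issuance policy '$PolicyDisplayName' not found in the forest" }

    # The groups live in their own OU; create it if the guide's OU is missing.
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$GroupOU'"
    if (-not $ou) { $ou = New-ADOrganizationalUnit -Name $GroupOU -PassThru }

    # Only a universal security group can be linked; AD DS rejects other scopes.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $ou.DistinguishedName
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                             -Path $ou.DistinguishedName -PassThru
    } elseif ($group.GroupScope -ne 'Universal') {
        throw "Group '$GroupName' is $($group.GroupScope); only a universal group can be linked"
    }

    # msDS-OIDToGroupLink on the OID object is what adds the group to the token of
    # anyone whose logon certificate carries this issuance policy.
    Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
    Get-IssuancePolicyObject $PolicyDisplayName |
        Select-Object displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
}

function Test-AssuranceGroupInToken {
    # Phase 3 check, run inside the user's logon session: the linked group is in
    # the token only after a smart card logon under the linked policy, never
    # after a password logon, which is exactly the distinction the feature adds.
    param([string]$GroupName)
    $hits = whoami /groups | Select-String -SimpleMatch $GroupName
    return [bool]$hits
}

Set-IssuancePolicyGroupLink -PolicyDisplayName 'High Assurance' `
    -GroupOU 'Auth MechAssurance Groups' -GroupName 'High Level Access'
# In the test user's session after a smart card logon with a High Assurance certificate:
Test-AssuranceGroupInToken -GroupName 'High Level Access'   # True; False after a password logon
```

The token check is the part worth keeping in a runbook: the same user logging on twice, once with a password and once with the smart card, should differ in exactly this one group, which is the "additional group membership" that phase 3 asks you to verify.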
Phase 4: configure the federation servers
Set up the organization group claims in AD FS.
Configure the mapping of the group claims to AD DS groups.
Create the claim mappings in each organization to associate them with the claims already created.
Phase 5: access the sample application from the client computer
Open the claims-aware application; it displays the group memberships, so the setup can be confirmed.
Access the sample application first without a smart card (low-assurance access), then with the medium-assurance card, and finally with the high-assurance card.
2008 R2 NPS and NAP
Network Policy Server: Microsoft's RADIUS (Remote Authentication Dial-In User Service) server; it maintains and enforces network security by regulating the access of remote clients.
NPS can authenticate and authorize remote connection requests and evaluate client computers against NAP health policies.
Network Access Protection: health policies
NPS enhanced functionality in 2008 R2
- improvements in the logging of NPS accounting data: can log to a file, to a SQL Server database, or to both, with the file as a failover option
- multiple configurations of a NAP system health validator (SHV)
- template configuration
- migration of IAS server settings
- automated NPS SQL Server logging setup
A template has no effect on the server until it is applied to an NPS component such as a RADIUS client; once applied, the template's settings become part of the server configuration.
Benefits of NPS SQL Server logging
- multiple NPS servers can log to one database
- dynamic data views can be created using queries and reports
- high-speed optimization for large databases
- multiple bulk operations can be performed at high speed
- can log user authentication and accounting data
- RADIUS accounting requests from clients can be logged:
Accounting-On: sent when the client comes online and is ready to accept connections
Accounting-Off: sent when the client goes offline
Accounting-Start: starts a user session
Accounting-Stop: ends a user session
Accounting Interim-Update: sent periodically during a user session
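The exchange behind those accounting messages, as an added example that is not part of the flashcards: a RADIUS client builds an Accounting-Request (code 4) with Acct-Status-Type = Start, and the server side checks the Request Authenticator against the shared secret before it logs anything, which is why the Shared Secrets template at the top of these cards matters. The packet bytes, user name, session ID and the secret 'Secret123' are constructed for illustration; attribute numbers and status values are the ones defined in RFC 2865 and RFC 2866.

```powershell
# Added example: build a RADIUS Accounting-Request the way a RADIUS client would,
# then decode and verify it the way NPS must before logging it.
# Assumed: packet contents and the shared secret are made up for illustration.
$AcctStatusType = @{ 1 = 'Start'; 2 = 'Stop'; 3 = 'Interim-Update'; 7 = 'Accounting-On'; 8 = 'Accounting-Off' }

function Get-AccountingAuthenticator {
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)
    param([byte[]]$Packet, [string]$Secret)
    $secretBytes = [Text.Encoding]::ASCII.GetBytes($Secret)
    $buf = New-Object byte[] ($Packet.Length + $secretBytes.Length)
    [Array]::Copy($Packet, 0, $buf, 0, 4)                       # code, id, length
    [Array]::Copy($Packet, 20, $buf, 20, $Packet.Length - 20)   # attributes; bytes 4..19 stay zero
    [Array]::Copy($secretBytes, 0, $buf, $Packet.Length, $secretBytes.Length)
    $hash = [Security.Cryptography.MD5]::Create().ComputeHash($buf)
    return ,$hash
}

function New-AccountingRequest {
    # Client side: serialize attributes as (type, length, value) and sign the packet.
    param([int]$Id, [string]$Secret, [hashtable]$Attributes)
    $body = @()
    foreach ($type in ($Attributes.Keys | Sort-Object)) {
        $value = [byte[]]$Attributes[$type]
        $body += [byte]$type, [byte]($value.Length + 2)
        $body += $value
    }
    $length = 20 + $body.Length
    $pkt = New-Object byte[] $length
    $pkt[0] = 4                                     # Code 4 = Accounting-Request
    $pkt[1] = [byte]$Id
    $lenBytes = [BitConverter]::GetBytes([uint16]$length)   # host order; wire order is big-endian
    $pkt[2] = $lenBytes[1]; $pkt[3] = $lenBytes[0]
    [Array]::Copy([byte[]]$body, 0, $pkt, 20, $body.Length)
    $auth = Get-AccountingAuthenticator $pkt $Secret
    [Array]::Copy($auth, 0, $pkt, 4, 16)
    return ,$pkt
}

function Read-AccountingRequest {
    # Server side: check framing and the authenticator, then pull out the fields
    # NPS would log. A bad authenticator means silently discard, never log.
    param([byte[]]$Packet, [string]$Secret)
    if ($Packet.Length -lt 20 -or $Packet[0] -ne 4) { throw 'Not an Accounting-Request' }
    $length = [int]$Packet[2] * 256 + [int]$Packet[3]
    if ($length -ne $Packet.Length) { throw "Length field $length does not match packet size $($Packet.Length)" }
    $expected = Get-AccountingAuthenticator $Packet $Secret
    $valid = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]($Packet[4..19]))
    $attrs = @{}
    $pos = 20
    while ($pos -lt $length) {
        $type = [int]$Packet[$pos]; $alen = [int]$Packet[$pos + 1]
        if ($alen -lt 3 -or $pos + $alen -gt $length) { throw "Malformed attribute at offset $pos" }
        $attrs[$type] = [byte[]]($Packet[($pos + 2)..($pos + $alen - 1)])
        $pos += $alen
    }
    $status = [byte[]]$attrs[40]                    # Acct-Status-Type, 4-byte big-endian integer
    [Array]::Reverse($status)
    $code = [BitConverter]::ToInt32($status, 0)
    $asText = { param($b) if ($b) { [Text.Encoding]::ASCII.GetString($b) } else { '' } }
    New-Object PSObject -Property @{
        Identifier         = [int]$Packet[1]
        AuthenticatorValid = $valid
        UserName           = & $asText $attrs[1]    # User-Name
        SessionId          = & $asText $attrs[44]   # Acct-Session-Id
        StatusType         = $AcctStatusType[$code]
    }
}

# Constructed exchange: an Accounting-Start for alice from a client that knows
# the secret, verified once with the right secret and once with a wrong one.
$secret = 'Secret123'
$start = New-AccountingRequest -Id 7 -Secret $secret -Attributes @{
    1  = [Text.Encoding]::ASCII.GetBytes('CONTOSO\alice')   # User-Name
    40 = [byte[]](0, 0, 0, 1)                               # Acct-Status-Type = Start
    44 = [Text.Encoding]::ASCII.GetBytes('0000A1B2')        # Acct-Session-Id
}
Read-AccountingRequest -Packet $start -Secret $secret        # AuthenticatorValid True, StatusType Start
Read-AccountingRequest -Packet $start -Secret 'WrongSecret'  # AuthenticatorValid False: discard
```

The second call is the point: a client configured with a different shared secret than the one in the server's RADIUS client entry produces a packet whose authenticator does not verify, so its Start, Stop and Interim-Update records never reach the log, which is the usual symptom of a mismatched Shared Secrets template.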
IAS
Internet Authentication Service: the RADIUS server in Windows Server 2003, replaced by NPS.
6 NPS templates
- Shared Secrets
- RADIUS Clients
- Remote RADIUS Servers
- Health Policies
- Remediation Server Groups
- IP Filters
NAP WSHV
Action Center, which exists only on Windows 7 and 2008 R2, reports the client's health status; its items are color-coded by level of urgency.
Windows Security Health Validator: requires that security precautions are enabled on NAP clients:
firewall, virus protection, spyware protection, automatic updates, security update protection
Phase 1
Domain functional level 2008 R2.
AD Certificate Services (the CA) is installed.
The CA is configured on the DC (ADFSAccount).
Configure the certificates that can be assigned to users or smart card holders.
Phase 2
Set up the user accounts and test the differences in the user access tokens.
AD module cmdlets:
activate the AD module cmdlets
map the first certificate to the first policy