Terminal Services Gateway (TS Gateway)

- Internet users connect to terminal servers through TS Gateway: the RDP protocol is encapsulated in HTTPS packets (RDP over RPC/HTTPS) on the external side; the gateway removes the RPC/HTTPS encapsulation and forwards plain RDP to the internal terminal server.
- The poster's deployment diagram places external clients (home PCs, mobile and branch-office users) on the Internet behind a firewall and NAT, TS Gateway in the DMZ, and the terminal servers hosting HR and other line-of-business (LOB) applications on the intranet, together with Active Directory and the NAP/NPS policy servers.
- SSL certificates are required for TS Gateway and for each terminal server.
- Resource Access Policies (RAPs): resource groups grant users access to multiple terminal servers.
- Internet users can access TS RemoteApp and TS Web Access via TS Gateway.

Network Access Protection (NAP) with TS Gateway

- NAP can control access to a TS Gateway based on a client's security update, antivirus, and firewall status.
- NAP can be run on the same machine as TS Gateway, or TS Gateway can be configured to use an existing NAP infrastructure running elsewhere.
- Enforcement points shown on the poster: TS Gateway, DHCP, VPN, 802.1X, and IPsec through a Health Registration Authority (HRA) that issues health certificates.

NAP components

- NAP Agent: collects and manages health information on the client.
- NAP Enforcement Client (NAP EC): passes the health status to the NAP server that is providing the network access or communication. For example, there is a NAP EC for DHCP configuration.
- NAP Enforcement Server (NAP ES): allows some level of network access, passes the NAP client's health status to NPS, and provides enforcement of the network access limitation. NAP ECs and NAP ESs are typically matched.
- System Health Agent (SHA): provides the current system health state for NPS. A client SHA is matched to a System Health Validator (SHV) on the server side of the NAP platform architecture.
- System Health Validator (SHV): certifies the declarations made by health agents. The corresponding SHV can return a Statement of Health Response (SoHR) to the client, informing it of what to do if the SHA is not in the required state.
- Network Policy Server (NPS): the RADIUS policy server that validates health against the IT-defined health policy.
- Policy servers: hold the policies that define client computer health. SHVs and policy servers can be matched; for example, an antivirus SHV is matched to an antivirus signature policy server.
- Remediation servers: install the necessary patches, configurations, and applications to ensure clients are healthy. Client SHAs and remediation servers can be matched; for example, an antivirus SHA on the client is matched to an antivirus signature remediation server.

NAP enforcement flow (steps as numbered on the poster)

1. The client requests access to the network and presents its current health state as a Statement of Health (SoH).
2. The NAP servers relay the health status to the Network Policy Server (RADIUS).
3. NPS validates the health against the IT-defined health policy, consulting policy servers if required. Compliant: issue a health certificate and enable network access. Not compliant: return remediation instructions and limit network access.
4. If the client is not policy compliant, its network access is restricted (quarantine) and it is allowed to update with patches, configurations, signatures, etc. from the remediation servers; steps 1 to 4 then repeat. If the client is policy compliant, it is granted full access to the corporate network.
5. The NAP client operates with full network access.
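The SoH/SoHR exchange and the remediate-and-retry loop above, as an added example in Python; it is not Microsoft code and not the wire format NAP uses. The policy values, message fields, server names and the "enable_firewall" style instruction names are assumptions made for the example.

```python
"""Toy model of the NAP health-check exchange (added example, not Microsoft code).
A client System Health Agent (SHA) builds a Statement of Health (SoH); the
enforcement path relays it to NPS, where the matching System Health Validator
(SHV) checks it against policy and answers with a Statement of Health Response
(SoHR); a non-compliant client is restricted, remediates, and retries.
Policy values, message fields and server names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class SoH:
    """Statement of Health: what the client's SHAs currently report."""
    client: str
    firewall_on: bool
    av_signature_version: int
    security_updates_current: bool


@dataclass
class SoHR:
    """Statement of Health Response: verdict, access level, remediation steps."""
    compliant: bool
    access: str                          # "full" or "restricted" (quarantine)
    remediation: List[str] = field(default_factory=list)


# IT-defined health policy held by the policy server (assumed values).
POLICY = {"require_firewall": True, "min_av_signature_version": 1200,
          "require_security_updates": True}


def shv_validate(soh: SoH, policy: dict = POLICY) -> SoHR:
    """NPS side: the SHV certifies the SHA's declarations against policy."""
    todo = []
    if policy["require_firewall"] and not soh.firewall_on:
        todo.append("enable_firewall")
    if soh.av_signature_version < policy["min_av_signature_version"]:
        todo.append("update_av_signatures")
    if policy["require_security_updates"] and not soh.security_updates_current:
        todo.append("install_security_updates")
    if todo:
        return SoHR(compliant=False, access="restricted", remediation=todo)
    return SoHR(compliant=True, access="full")


class NapClient:
    """NAP agent plus SHAs: reports health and applies SoHR instructions."""
    def __init__(self, name, firewall_on, av_signature_version, security_updates_current):
        self.name = name
        self.firewall_on = firewall_on
        self.av_signature_version = av_signature_version
        self.security_updates_current = security_updates_current

    def statement_of_health(self) -> SoH:
        return SoH(self.name, self.firewall_on, self.av_signature_version,
                   self.security_updates_current)

    def remediate(self, steps: List[str], servers: Dict[str, Callable]) -> List[str]:
        """Contact the remediation server matched to each instruction; returns steps with no server."""
        missing = []
        for step in steps:
            if step in servers:
                servers[step](self)
            else:
                missing.append(step)
        return missing


# Remediation servers matched to the client SHAs (assumed): each fixes one condition.
REMEDIATION_SERVERS: Dict[str, Callable[[NapClient], None]] = {
    "enable_firewall": lambda c: setattr(c, "firewall_on", True),
    "update_av_signatures": lambda c: setattr(c, "av_signature_version",
                                              POLICY["min_av_signature_version"]),
    "install_security_updates": lambda c: setattr(c, "security_updates_current", True),
}


def nap_cycle(client: NapClient, servers=REMEDIATION_SERVERS,
              max_rounds: int = 5) -> Tuple[int, List[Tuple[int, str, List[str]]]]:
    """Run the poster's steps 1-4 until the client is granted full access.
    Returns (rounds_needed, [(round, access, remediation), ...]); raises if never compliant."""
    history = []
    for rnd in range(1, max_rounds + 1):
        soh = client.statement_of_health()            # 1: client presents its health state
        sohr = shv_validate(soh)                      # 2-3: NAP ES relays SoH to NPS; SHV validates
        history.append((rnd, sohr.access, list(sohr.remediation)))
        if sohr.compliant:
            return rnd, history                       # 5: full network access
        client.remediate(sohr.remediation, servers)   # 4: restricted access, fix, then repeat
    raise RuntimeError(f"{client.name} still non-compliant after {max_rounds} rounds")


if __name__ == "__main__":
    laptop = NapClient("home-laptop", firewall_on=False, av_signature_version=1100,
                       security_updates_current=False)
    rounds, history = nap_cycle(laptop)
    for rnd, access, steps in history:
        print(f"round {rnd}: access={access} remediation={steps}")
    print(f"granted full access after {rounds} round(s)")
```

The `max_rounds` cap matters in practice: a client whose remediation server is unreachable would otherwise loop in quarantine forever, so the model raises instead, which is the condition an operator would want surfaced.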
Terminal Services RemoteApp

- RemoteApp programs are accessed remotely through Terminal Services and appear as if they are running on the user's local computer.
- Multiple RemoteApp programs can share the same TS session; RemoteApp windows are resizable.
- Supports redirection of local drives and Plug and Play (PnP) devices.
- Single sign-on (SSO) can be configured for domain users.
- Links to a RemoteApp program: a shortcut on the user's desktop, an application on the user's Start menu, or a link via TS Web Access.
- Enable RemoteApp on Terminal Services: create an allow list (make applications available to users) and specify whether each application is available via TS Web Access.

Terminal Services Web Access

- TS Web Access is a role service in the Terminal Services role that allows users to launch remote desktops and applications through a Web browser.
- Requires IIS 7.0 on the TS Web Access server and the Remote Desktop Connection (RDC 6.0) client, which includes the new ActiveX control, on the client.

TS Easy Print

- Redirects all printing-related work to the user's local machine; no server print drivers are required. The server sends an XPS file to the client for printing.

Internet Information Services (IIS) 7.0

Architecture
- Extensible, modular architecture (40+ components) that can be added to or removed from, giving a minimized surface area and less patching.
- IIS 7.0 and ASP.NET components work seamlessly together as part of the new IIS 7.0 Integrated Pipeline (enhanced ASP.NET integration).
- Enhanced application pool isolation.
- Improved performance and reliability with the new FastCGI module.
- Schema-based extensibility for configuration and dynamic data; powerful user interface extensibility.
- Modules shown on the poster: HttpCacheModule, IsapiFilterModule, HttpLoggingModule, ProfileModule, StaticFileModule, IpRestrictionModule, CustomErrorModule, RequestFilteringModule, OutputCacheModule, SessionStateModule, CgiModule, ProtocolSupportModule.

Configuration
- The IIS7 configuration system is based on distributed XML files that hold the configuration settings for the entire Web server platform (e.g. IIS, ASP.NET): ApplicationHost.config at the server level and Web.config files with the sites and applications.
- IIS7 enables configuration to be stored in a web.config file in the same directory as the site or application content, which can easily be copied (xcopy) from machine to machine, e.g. from the site or application owner to a test server and then to the production server.
- Shared Configuration: configuration files can be stored on a back-end file server (UNC path) and referenced from multiple front-end Web servers.

Management
- IIS Manager and delegation: control feature delegation, manage IIS Manager users, and manage site and application administrators.
- Runtime state and control: view real-time server state across sites and application pools, application domains, worker processes, and executing requests.
- Management tools: graphical (IIS Manager UI, MMC), script (WMI), managed code (Microsoft.Web.Administration), and remote administration.
- HTTP logging records fields such as Status Code and Time Taken for site owners and developers.

Security
- Built-in IIS7 request filtering: filter requests on the fly based on verb, file extension, size, namespace, URL sequences, and more.
- Built-in user and group accounts: IIS_IUSRS (built-in group) and IUSR (built-in user).
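The request-filtering checks listed above, modelled in Python as an added example; this is not IIS code, and IIS itself configures these rules in the requestFiltering section of applicationHost.config or web.config rather than in code. The rule values, the order of the checks and the sample requests are assumptions constructed for the example.

```python
"""Model of IIS 7.0 request filtering in Python (added example, not IIS code).
It applies the kinds of checks the poster lists (verb, file extension, size,
namespace/hidden segment, URL sequences) before a request would reach a handler.
Rule values are assumed for illustration; IIS's real defaults live in the
requestFiltering section of applicationHost.config."""
from pathlib import PurePosixPath
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Assumed rule set, shaped after the requestFiltering configuration section.
RULES = {
    "verbs": {"GET", "HEAD", "POST"},                 # like <verbs allowUnlisted="false">
    "denied_extensions": {".config", ".cs", ".vb", ".mdb", ".dll"},
    "hidden_segments": {"bin", "app_code", "app_data", "web.config"},
    "deny_url_sequences": ["..", ":"],
    "max_url": 4096,
    "max_query_string": 2048,
    "max_allowed_content_length": 30_000_000,
    "allow_double_escaping": False,
}


def filter_request(method: str, target: str, content_length: int = 0,
                   rules=RULES) -> Tuple[bool, Optional[str]]:
    """Return (allowed, reason); reason names the rule that rejected the request."""
    if method.upper() not in rules["verbs"]:
        return False, f"verb {method} not allowed"
    parts = urlsplit(target)
    if len(parts.path) > rules["max_url"]:
        return False, "URL too long"
    if len(parts.query) > rules["max_query_string"]:
        return False, "query string too long"
    if content_length > rules["max_allowed_content_length"]:
        return False, "request body too large"
    decoded = unquote(parts.path)
    # Double escaping: a URL that still contains escapes after one decode pass.
    if not rules["allow_double_escaping"] and unquote(decoded) != decoded:
        return False, "double escaping"
    for seq in rules["deny_url_sequences"]:
        if seq in decoded:
            return False, f"denied URL sequence {seq!r}"
    for seg in (s for s in decoded.split("/") if s):
        if seg.lower() in rules["hidden_segments"]:
            return False, f"hidden segment {seg}"
    ext = PurePosixPath(decoded).suffix.lower()
    if ext in rules["denied_extensions"]:
        return False, f"file extension {ext} not allowed"
    return True, None


# Constructed sample requests: (method, request target, Content-Length).
SAMPLE_REQUESTS = [
    ("GET", "/index.html", 0),
    ("GET", "/web.config", 0),
    ("GET", "/images/../bin/app.dll", 0),
    ("TRACE", "/", 0),
    ("POST", "/upload.aspx", 40_000_000),
    ("GET", "/images/%252e%252e/win.ini", 0),
    ("GET", "/scripts/helper.cs", 0),
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Apply the filter to each sample; returns (method, target, allowed, reason) per request."""
    return [(m, t, *filter_request(m, t, n)) for m, t, n in requests]


if __name__ == "__main__":
    for method, target, allowed, reason in run_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {method:5} {target}  {reason or ''}")
```

Note the order: the double-escaping check runs on the once-decoded path before the sequence and segment checks, so `%252e%252e` is rejected as double escaping rather than slipping past a `..` check that only sees `%2e%2e`.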
Windows Hypervisor (Hyper-V)

- A thin layer of software running directly on the hardware.
- Supports creation and deletion of partitions; each partition is a virtual machine with one or more virtual processors; software running in a partition is called a guest.
- Enforces memory access rules, policy for CPU usage, and ownership of other devices; partitions share hardware resources, and virtual processors are scheduled on real processors.
- The parent partition runs Windows Server 2008 (can be Server Core). Guest operating systems shown: Windows Server 2008 x86, Windows Server 2008 x64, and Linux. A kernel-aware guest talks to the parent partition's Virtualization Service Providers (VSP) through Virtualization Service Clients (VSC) over the VMBus and hypercalls; other guests use device emulation.
- Hardware: "Designed for Windows" server hardware; an AMD-V or Intel VT processor with Data Execution Prevention enabled; drivers for the physical adapter, disk and Ethernet; guest storage on Virtual Hard Disks (VHD).

Windows Server Backup

- Backups can be saved to single or multiple DVDs, local disk, or network shares; scheduled (automatic) backups are not supported for network shares.
- Volume restore is a block-level copy. To restore the operating system: boot into the Windows Recovery Environment, reformat and repartition the disks, restore the volume, then reboot the server to complete the restore.
- Bare-metal recovery is not supported for restoring to different hardware.

Server Manager

- Configuring roles and features: install and configure roles and features using wizards; view status and events for installed roles; identify missing or broken configuration for installed roles; add or remove roles and features; manage and configure the roles installed on the server.
- Initial Configuration Tasks: computer name, domain membership, Administrator password, network connections, Windows Firewall.
- A server role describes the primary function of the server, e.g. File Services. Features provide supporting functions to servers, e.g. Failover Clustering. Servers can support single or multiple roles.
- Roles and features installed by using Server Manager are secure by default; there is no need to run the Security Configuration Wizard following role installation or removal.
- A Server Core installation requires a clean install.

Windows BitLocker Drive Encryption

- BitLocker is a data protection feature that provides enhanced protection against data theft or exposure on computers that are lost or stolen. It mitigates unauthorized data access by encrypting the entire operating system volume on the hard disk and by checking the integrity of early startup components and startup configuration data.
- Disk configuration: a small, active, unencrypted system partition (green on the poster) and the encrypted Windows operating system volume (blue). Authentication and system integrity verification must happen outside of the encrypted operating system volume.
- Operational overview, 1-factor TPM-only scenario: the TPM unseals the Volume Master Key (VMK) only if the measured startup components match; the VMK decrypts the Full Volume Encryption Key (FVEK); data on the encrypted drive is decrypted using the FVEK to yield cleartext data.
- Available authenticators: TPM; TPM + PIN; TPM + USB; USB without TPM, used for recovery purposes or on non-TPM computers. The BIOS must support reading USB devices in the pre-OS environment.
- Windows Server 2008 also supports BitLocker encryption of data volumes; BitLocker encrypts data volumes the same way that it encrypts the operating system volume.
- Recovery password storage: appropriate storage is vital, since the recovery password is needed if BitLocker locks the drive to prevent tampering. Domain-joined machines can store BitLocker recovery passwords in Active Directory. For non-domain-joined machines: store the recovery password on a physically secured USB drive, store a printout in a secured location, or burn it to a CD stored in a secured location.
- Migrating encrypted drives: moving a protected OS volume to another TPM-enabled machine requires entering a recovery password from the keyboard or a USB flash drive; the VMK must then be resealed to the new TPM.
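The key hierarchy, the TPM-only unlock, the recovery-password fallback and the reseal-on-migration described above, as an added example in Python; it is not Microsoft's implementation. The cipher is an HMAC-SHA256 keystream with a tag, standing in for the AES that BitLocker actually uses; the TPM is a Python object whose PCRs are SHA-256 extend chains; the PCR selection, key sizes, recovery-password derivation and the firmware/bootmgr measurements are assumptions constructed for the example.

```python
"""Toy model of the BitLocker key hierarchy and TPM sealing (added example, not
Microsoft's implementation). HMAC-SHA256 keystream plus tag stands in for AES;
the "TPM" is a Python object whose PCRs are SHA-256 extend chains. Key sizes,
PCR selection and the recovery-password derivation are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


class SealError(Exception):
    """The PCR values at unseal time differ from those at seal time."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return _keystream_xor(key, nonce, ct)


class Tpm:
    """Minimal TPM: a root key that never leaves the chip, plus PCRs."""
    def __init__(self) -> None:
        self._root = os.urandom(32)
        self.power_cycle()

    def power_cycle(self) -> None:
        self.pcrs = [b"\x00" * 32] * 8           # PCRs reset at power-on

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = hashlib.sha256(
            self.pcrs[index] + hashlib.sha256(measurement).digest()).digest()

    def _policy_key(self, selection: Tuple[int, ...]) -> bytes:
        composite = b"".join(self.pcrs[i] for i in selection)
        return hmac.new(self._root, composite, hashlib.sha256).digest()

    def seal(self, secret: bytes, selection: Tuple[int, ...]) -> Dict:
        return {"selection": selection, "blob": wrap(self._policy_key(selection), secret)}

    def unseal(self, sealed: Dict) -> bytes:
        try:
            return unwrap(self._policy_key(sealed["selection"]), sealed["blob"])
        except ValueError as exc:
            raise SealError("PCR mismatch: early startup components changed") from exc


PCR_SELECTION = (0, 4)   # assumed: firmware and boot manager measurements


def measured_boot(tpm: Tpm, firmware: bytes, bootmgr: bytes) -> None:
    """Extend the PCRs with the early startup components BitLocker checks."""
    tpm.extend(0, firmware)
    tpm.extend(4, bootmgr)


def recovery_key(password: str) -> bytes:
    """Derive a VMK-wrapping key from a 48-digit recovery password (toy KDF)."""
    digits = password.replace("-", "")
    if len(digits) != 48 or not digits.isdigit():
        raise ValueError("recovery password must be 48 digits")
    return hashlib.sha256(b"recovery|" + digits.encode()).digest()


def protect_volume(tpm: Tpm, password: str, sectors: List[bytes]) -> Dict:
    """FVEK encrypts data, VMK encrypts FVEK, VMK is sealed to the TPM and wrapped by the recovery key."""
    fvek, vmk = os.urandom(32), os.urandom(32)
    return {"sectors": [wrap(fvek, s) for s in sectors],
            "fvek_enc": wrap(vmk, fvek),
            "vmk_tpm": tpm.seal(vmk, PCR_SELECTION),
            "vmk_recovery": wrap(recovery_key(password), vmk)}


def _decrypt_volume(volume: Dict, vmk: bytes) -> List[bytes]:
    fvek = unwrap(vmk, volume["fvek_enc"])               # VMK decrypts FVEK
    return [unwrap(fvek, s) for s in volume["sectors"]]   # FVEK decrypts data


def unlock_with_tpm(tpm: Tpm, volume: Dict) -> List[bytes]:
    """1-factor TPM-only scenario: the TPM unseals the VMK only if the measured boot matches."""
    return _decrypt_volume(volume, tpm.unseal(volume["vmk_tpm"]))


def unlock_with_recovery_password(volume: Dict, password: str) -> List[bytes]:
    """Recovery path, used when the TPM locks the drive or on non-TPM hardware."""
    return _decrypt_volume(volume, unwrap(recovery_key(password), volume["vmk_recovery"]))


def migrate_to_new_tpm(volume: Dict, new_tpm: Tpm, password: str) -> Dict:
    """Moving the OS volume: recover the VMK with the password, reseal it to the new TPM."""
    vmk = unwrap(recovery_key(password), volume["vmk_recovery"])
    volume["vmk_tpm"] = new_tpm.seal(vmk, PCR_SELECTION)
    return volume


if __name__ == "__main__":
    FW, BM = b"firmware v1", b"bootmgr v1"                 # constructed measurements
    PW = "111111-222222-333333-444444-555555-666666-777777-888888"
    tpm = Tpm(); measured_boot(tpm, FW, BM)
    vol = protect_volume(tpm, PW, [b"boot sector", b"payroll.xlsx"])
    tpm.power_cycle(); measured_boot(tpm, FW, b"bootmgr (modified)")
    try:
        unlock_with_tpm(tpm, vol)
    except SealError as e:
        print("TPM refused:", e, "->", unlock_with_recovery_password(vol, PW))
```

The point the model makes concrete: the FVEK and the data never change across a tampered boot or a migration; only the VMK's protectors do. A modified boot manager changes PCR 4, so the TPM cannot reproduce the sealing key and the drive stays locked until the recovery password supplies the VMK by another route, and migration is nothing more than wrapping that same VMK under the new TPM's policy.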