Windows Server 2008 Roles & Features
Presented by: Imad Awwad, Systems Engineer
Outline
• Identify the key new AD DS features in WS08
• Explain the value of deploying these features
• Demonstrate these features in real-life scenarios
• Understand when and how to deploy the key new AD DS features
Key investment areas: Branch Office, Manageability, Security
Windows 2008 Branch Office Benefits (hub site and branch office)
• Security
  - BitLocker
  - Server Core
  - Read-Only Domain Controller
  - Admin role separation
• Optimization
  - SYSVOL replication
  - DFS Replication
  - Protocol
• Administration
  - Print Management Console
  - PowerShell, WinRS, WinRM
• Virtualization
• Restartable Active Directory
Branch Office Dilemma (HQ data center, hub network, branch office)
• Small number of employees
• WAN: congested, unreliable
• Security: not sure
• Admin proficiency: generalist
Branch Office Dilemma (HQ data center, hub network, branch office)
• Option 1: Consolidate and remove DCs from the branch
  - Branch authentication and authorization fail when the WAN goes down
• Option 2: Put a full DC in the branch
  - Either give the branch admin privileges or manage the DC remotely
  - A compromised branch DC jeopardizes the security of the corporate AD!!!
So how can we deploy a Domain Controller in this environment?!
Read-Only Domain Controller
• 1-way replication
  - No replication from the RODC to a full DC
  - An attack on the RODC does not propagate to the AD
• Admin role separation
  - The RODC server admin does NOT need to be a Domain Admin
  - Prevents the branch admin from accidentally causing harm to the AD
  - Delegated promotion
• Passwords not cached by default
  - Policy to configure caching of branch-specific passwords (secrets) on the RODC
  - Policy to filter schema attributes from replicating to the RODC
RODC – Attacker "experience"
Attacker: Let's steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let's tamper with the data on this RODC and use its identity.
RODC: Damn! I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Let's intercept Domain Admin credentials sent to this RODC.
RODC: With admin role separation, the Domain Admin doesn't need to log in to me.
RODC Mitigates "Stolen DC": Hub Admin Perspective
RODC Password Replication: Real-Life Scenario
Read-Only Domain Controller: How It Works (branch RODC, hub full DC)
1. Logon request is sent to the RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. RODC forwards the request to a full DC
4. Full DC authenticates the user
5. Full DC returns the authentication response and TGT to the RODC
6. RODC gives the TGT to the user and queues a replication request for the secrets
7. Hub DC checks the Password Replication Policy to see if the password can be replicated
Read-Only Domain Controller: Recommended Deployment Models
• No accounts cached (default)
  - Pro: Most secure; still provides fast authentication and policy processing
  - Con: No offline access for anyone
• Most accounts cached
  - Pro: Ease of password management; the manageability improvements of RODC, not the security ones
  - Con: More passwords potentially exposed on the RODC
• Few accounts (branch-specific accounts) cached
  - Pro: Enables offline access for those who need it and maximizes security for everyone else
  - Con: Fine-grained administration is a new task
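The Password Replication Policy (PRP) is what turns the "how it works" flow and the three deployment models into configuration. The following is an added example, not code from the presentation, showing the "few accounts cached" model with the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later RSAT, so it assumes a management host that has it). The RODC name BRANCH-RODC1, the hub DC HUB-DC1, the groups "Branch Users" and "Visiting Finance Staff", and the user jdoe are assumed placeholders. The last function is a local model of the rule the hub DC applies in step 7: a secret is cacheable only when the account or one of its groups is on the allowed list and none of them is on the denied list.

```powershell
# Added example (not part of the original presentation). Assumes the
# ActiveDirectory module and placeholder names for the RODC, hub DC,
# groups and user.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC1'

# "Few accounts cached": allow only the branch group. The built-in
# "Denied RODC Password Replication Group" (Domain Admins, krbtgt, ...)
# stays in the deny list untouched.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users'

# Explicitly deny accounts that visit the branch but whose secrets must
# never sit on the branch box, even if they land in an allowed group later.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Visiting Finance Staff'

# Review the effective allow and deny lists.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Which secrets does this RODC already hold? This is the list an attacker who
# steals the box could recover, so it should match the branch population only.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, DistinguishedName

# Which accounts have authenticated through this RODC (cached or forwarded)?
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object SamAccountName

# Pre-populate a branch user's secret from the hub before the WAN link is cut,
# instead of waiting for a first logon to queue the replication request.
Sync-ADObject -Object (Get-ADUser jdoe) -Source 'HUB-DC1' -Destination $rodc -PasswordOnly

# Local model of the hub DC's decision in step 7: deny always wins over allow.
function Test-PrpCacheable {
    param(
        [string[]]$AccountAndGroups,  # the account plus every group it belongs to (nested included)
        [string[]]$Allowed,
        [string[]]$Denied
    )
    $isDenied  = @($AccountAndGroups | Where-Object { $Denied  -contains $_ }).Count -gt 0
    $isAllowed = @($AccountAndGroups | Where-Object { $Allowed -contains $_ }).Count -gt 0
    return (-not $isDenied) -and $isAllowed
}

# Constructed sample memberships: a finance visitor who is also in the branch
# group is refused; a plain branch user is cacheable.
Test-PrpCacheable -AccountAndGroups 'fin-visitor1', 'Branch Users', 'Visiting Finance Staff' `
                  -Allowed 'Branch Users' -Denied 'Visiting Finance Staff', 'Domain Admins'
Test-PrpCacheable -AccountAndGroups 'jdoe', 'Branch Users' `
                  -Allowed 'Branch Users' -Denied 'Visiting Finance Staff', 'Domain Admins'
```

The first Test-PrpCacheable call returns False and the second True. The -RevealedAccounts query is the one worth scheduling: if accounts outside the branch population show up there, either the allowed list is too broad or a group has been nested into it, and the "most accounts cached" model has crept in without anyone deciding on it.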
Read-Only Domain Controller: Upgrade Path from a Windows 2003 Domain
• Deployment steps:
  - ADPREP /ForestPrep (not RODC specific)
  - ADPREP /DomainPrep (not RODC specific)
  - Promote a Windows Server 2008 DC (not RODC specific)
  - Verify the forest functional mode is Windows 2003 (not RODC specific)
  - ADPREP /RodcPrep (RODC-specific task)
  - Promote the RODC (RODC-specific task)
  - Test the RODCs for application compatibility in your environment (RODC-specific task)
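The seven steps above, scripted end to end as an added example (not from the presentation). It assumes the Windows Server 2008 installation media is mounted on D:, the domain corp.example.com, the site Branch01, and the delegated branch admin account CORP\branch01-admin; all of these are placeholders. adprep.exe, dcpromo.exe and the answer-file keys are the real Windows Server 2008 tools, but each adprep step must be run on the host named in its comment with the rights named there, so treat this as a checklist to run piecewise rather than one script.

```powershell
# Added example (not part of the original presentation). Placeholders: media
# path, domain, site and account names.
$media = 'D:\sources\adprep'   # adprep.exe from the Windows Server 2008 media

# Steps 1-2 (not RODC specific). /forestprep runs on the Schema Master as a
# member of Schema Admins and Enterprise Admins; /domainprep runs on the
# Infrastructure Master as a Domain Admin. /gpprep adds the GPO permissions
# once per domain.
& "$media\adprep.exe" /forestprep
& "$media\adprep.exe" /domainprep /gpprep

# Step 3: promote the first writable Windows Server 2008 DC (interactive
# dcpromo; not shown here).

# Step 4: verify the forest functional level. msDS-Behavior-Version on the
# Partitions container is 0 for Windows 2000, 2 for Windows Server 2003,
# 3 for Windows Server 2008; /rodcprep needs at least 2.
$root       = [ADSI]'LDAP://RootDSE'
$partitions = [ADSI]"LDAP://CN=Partitions,$($root.configurationNamingContext)"
$ffl = [int]$partitions.Properties['msDS-Behavior-Version'].Value
if ($ffl -lt 2) {
    throw "Forest functional level is $ffl; raise it to Windows Server 2003 before running /rodcprep"
}

# Step 5 (RODC specific): grant RODCs replication rights on the DNS
# application partitions. Run as an Enterprise Admin.
& "$media\adprep.exe" /rodcprep

# Step 6 (RODC specific): unattended RODC promotion on the branch server.
# DelegatedAdmin is the branch admin who will own the box without being a
# Domain Admin (admin role separation); PasswordReplicationAllowed seeds the
# Password Replication Policy with the branch group only.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch01
InstallDNS=Yes
ConfirmGc=Yes
DelegatedAdmin=CORP\branch01-admin
PasswordReplicationAllowed=CORP\Branch01 Users
SafeModeAdminPassword=<placeholder: set the DSRM password here>
RebootOnCompletion=Yes
"@
Set-Content -Path 'C:\rodc-unattend.txt' -Value $answer
dcpromo.exe /unattend:C:\rodc-unattend.txt

# Step 7 (RODC specific): after the reboot, test applications against the
# RODC. A quick smoke test: reads must succeed, writes must be referred to a
# writable DC rather than fail outright.
Remove-Item -Path 'C:\rodc-unattend.txt' -Force   # the answer file holds the DSRM password
```

Delete the answer file as soon as dcpromo has consumed it: it carries the DSRM password in clear text, and on a branch box that is exactly the kind of secret the RODC design tries not to leave behind.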
Key investment areas: Branch Office, Manageability, Security
Directory Service Auditing: New Directory Service Changes Events
• Event logs tell you exactly:
  - Who made a change
  - When the change was made
  - What object/attribute was changed
  - The beginning and end values
• Auditing is controlled by:
  - Global audit policy
  - SACL
  - Schema
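All three controls on the slide have to line up before a "Directory Service Changes" event appears: the subcategory must be enabled in the audit policy, the object needs a SACL entry for the operation, and the attribute must not be excluded in the schema. The following added example (not from the presentation) enables the first two on an OU and then reads the resulting events back into who/when/what/old/new form. The OU OU=Branch01,DC=corp,DC=example,DC=com is a placeholder; the event ID 5136 and the OperationType codes are the Windows Server 2008 values. Run it on a DC in an elevated prompt with the rights to edit the SACL.

```powershell
# Added example (not part of the original presentation). Placeholder OU path;
# requires an elevated session on a Windows Server 2008 DC.

# 1. Global audit policy: enable success auditing for the new subcategory.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

# 2. SACL: audit successful property writes by anyone on the OU and all
#    descendants. SecurityMasks must be set to Sacl before ObjectSecurity is
#    read, otherwise CommitChanges writes only the DACL.
$ou = [ADSI]'LDAP://OU=Branch01,DC=corp,DC=example,DC=com'
$ou.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.ObjectSecurity.AddAuditRule($rule)
$ou.CommitChanges()

# 3. Read the events. 5136 = attribute modified. A single modification
#    produces two records: "Value Deleted" (beginning value) and "Value Added"
#    (end value), so sort per object/attribute to see before and after.
function Get-DsChange {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # %%14674 = Value Added (end value), %%14675 = Value Deleted (beginning value)
        $op = if ($d.OperationType -eq '%%14674') { 'Added' } else { 'Deleted' }
        [pscustomobject]@{
            When      = $_.TimeCreated                                  # when
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)" # who
            Object    = $d.ObjectDN                                     # what object
            Attribute = $d.AttributeLDAPDisplayName                     # what attribute
            Operation = $op
            Value     = $d.AttributeValue
        }
    }
}

Get-DsChange -Hours 24 | Sort-Object Object, Attribute, When | Format-Table -AutoSize
```

The same parser works for the sibling events (5137 object created, 5139 object moved, 5141 object deleted) by widening the Id filter; their data fields differ slightly, so check $d.Keys on a sample before relying on a column. For attributes that legitimately change constantly, such as lastLogonTimestamp, the schema control is the right fix rather than a narrower SACL: set bit 8 (0x100, NEVER_AUDIT_VALUE) in the attribute's searchFlags and the noise disappears without losing coverage of the attributes that matter.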
Fine-Grained Password Policies: Example
Two Password Settings Objects apply to the same user:
• PSO 1, precedence = 10
• PSO 2, precedence = 20
Resultant PSO = PSO 1
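The diagram's outcome (PSO 1 wins with precedence 10 over PSO 2 with precedence 20) follows from the resolution rule: the PSO with the lowest precedence value applies; a PSO linked directly to the user beats any group-linked PSO; a tie is broken by the lowest objectGUID, which is effectively arbitrary. The following added example (not from the presentation) builds that scenario with the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, against a domain at the Windows Server 2008 functional level). The PSO names, the groups "Branch Admins" and "All Staff", and the user branch-admin1 are placeholders.

```powershell
# Added example (not part of the original presentation). Placeholder PSO,
# group and user names; needs the ActiveDirectory module and a domain at the
# Windows Server 2008 functional level.
Import-Module ActiveDirectory

# Settings shared by both PSOs; only length and precedence differ below.
$common = @{
    ComplexityEnabled           = $true
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 60)
    PasswordHistoryCount        = 24
    LockoutThreshold            = 5
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}

# PSO 1, precedence 10: the stricter policy, meant for privileged accounts.
New-ADFineGrainedPasswordPolicy -Name 'PSO1-Admins' -Precedence 10 -MinPasswordLength 15 @common
# PSO 2, precedence 20: the baseline for everyone.
New-ADFineGrainedPasswordPolicy -Name 'PSO2-Staff'  -Precedence 20 -MinPasswordLength 12 @common

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO1-Admins' -Subjects 'Branch Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO2-Staff'  -Subjects 'All Staff'

# branch-admin1 is a member of both groups; the resultant PSO is the one with
# the lowest precedence value, PSO1-Admins.
Get-ADUserResultantPasswordPolicy -Identity 'branch-admin1' |
    Select-Object Name, Precedence, MinPasswordLength

# Audit check: two PSOs sharing a precedence value resolve by objectGUID,
# which nobody chose. Report any ties so they can be given distinct values.
function Get-PsoPrecedenceConflict {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Group-Object Precedence |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Precedence = $_.Name; PSOs = ($_.Group.Name -join ', ') }
        }
}
Get-PsoPrecedenceConflict
```

Give privileged policies the lowest numbers and leave gaps (10, 20, 30) so a new PSO can be slotted in without renumbering; Get-PsoPrecedenceConflict returning nothing is the state you want to keep.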
Key investment areas: Branch Office, Manageability, Security
Restartable AD DS
• Offline defragmentation can now be performed without a reboot
• With the DS stopped the DC behaves like a member server:
  - NTDS.dit is offline
  - You can log on locally with the DSRM password
• Server Core: fewer reboots for servicing
• Restartable AD DS
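An offline defragmentation with the directory service stopped, as an added example (not from the presentation). The paths are those of a default installation and are placeholders; run it on the DC in an elevated prompt as a Domain Admin. Stopping NTDS takes its dependent services (KDC, DNS, file replication, the inter-site topology generator) down with it, so the script records which of them were running and restarts them afterwards, which Start-Service on NTDS alone does not do.

```powershell
# Added example (not part of the original presentation). Default-install paths
# used as placeholders; elevated session on the DC required.
$ntdsDir = 'C:\Windows\NTDS'
$dit     = Join-Path $ntdsDir 'ntds.dit'
$compact = 'C:\Defrag'            # needs free space at least the size of ntds.dit
New-Item -ItemType Directory -Path $compact -Force | Out-Null

# Remember which dependent services were running so they can be restarted.
$deps = (Get-Service -Name NTDS).DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name

# Stop the directory service (and its dependents). The box keeps running as a
# member server; local logon from here on uses the DSRM password.
Stop-Service -Name NTDS -Force

# "compact to" writes a new, defragmented copy instead of rewriting in place,
# so the original database survives an interrupted run.
ntdsutil.exe "activate instance ntds" "files" "compact to $compact" "quit" "quit"

# Keep a copy of the old file, swap in the compacted one, and remove the old
# transaction logs, which belong to the pre-compact database.
Copy-Item -Path $dit -Destination "$dit.bak" -Force
Copy-Item -Path (Join-Path $compact 'ntds.dit') -Destination $dit -Force
Remove-Item -Path (Join-Path $ntdsDir '*.log') -Force

# Verify the new database before bringing the service back.
ntdsutil.exe "activate instance ntds" "files" "integrity" "quit" "quit"

Start-Service -Name NTDS
foreach ($svc in $deps) { Start-Service -Name $svc }

# Confirm the DC is serving again and replication is healthy.
dcdiag.exe /test:services /test:replications
```

Keep the .bak until dcdiag and a round of inbound/outbound replication are clean; if the integrity check fails, restore it and the saved logs rather than starting NTDS on the suspect file.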
ADUC: Prevent Object Deletion
• Available on an existing object/OU
• Available when creating a new Organizational Unit
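The ADUC checkbox sets a flag that can also be applied in bulk, which matters for the OUs created before the setting existed. The following added example (not from the presentation) reports unprotected OUs, protects them, creates a new OU with the flag, and then shows what the flag really is underneath: a Deny ACE for Everyone on Delete and Delete Subtree (plus Delete Child on the parent), which is why an accidental deletion fails even for a Domain Admin until the flag is cleared. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later); the OU Branch02 and the domain corp.example.com are placeholders.

```powershell
# Added example (not part of the original presentation). Placeholder OU and
# domain names; needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# Report first, then protect every existing OU that is not yet covered.
Get-UnprotectedOU | Select-Object DistinguishedName
Get-UnprotectedOU | Set-ADObject -ProtectedFromAccidentalDeletion $true

# New OUs get the flag as well; the cmdlet defaults to $true for OUs, but
# setting it explicitly records the intent in the script.
New-ADOrganizationalUnit -Name 'Branch02' -Path 'DC=corp,DC=example,DC=com' `
    -ProtectedFromAccidentalDeletion $true

# Show the deny entries the flag created so the protection can be verified
# independently of the checkbox.
$ou = [ADSI]'LDAP://OU=Branch02,DC=corp,DC=example,DC=com'
$ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Because the protection is an ACE and not a policy, a deletion that "mysteriously" succeeds usually means someone cleared the flag first; the Directory Service Changes events from the auditing slide will show who removed it and when.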