Windows 2012 Server Network Security
Securing Your Windows Network Systems and Infrastructure
By Derrick Rountree. Elsevier Science
Copyright © 2013 Elsevier Inc.
All rights reserved.
ISBN: 978-1-59749-965-1
CHAPTER 1
Introduction
CONTENTS
Intro to Windows 8 and Windows Server 2012
  Server Manager
    Dashboard
    Local Server
    Add Roles and Features
    Notifications
    Manage
    Tools
  PowerShell
Intro to IPv6
  IPv6 Architecture
  IPv6 Addressing
  IPv6 Address Types
  IPv6 Special Addresses
  IPv6 Addressing
Summary
INFORMATION IN THIS CHAPTER
* Intro to Windows 8 and Windows Server 2012
* Intro to IPv6
Networking is a key component of any environment. Windows 8 and Windows Server 2012 offer a wide range of networking features and functionality. It's important that you understand these features and functionality so that you can properly secure them. But, before we get into those, we will start with some more general information. In this chapter, we will start with an overview of some of the key components of Windows 8 and Windows Server 2012 that will help you as we go through the rest of the chapters. Then we will move into a discussion of IPv6, and how it's implemented in Windows 8 and Windows Server 2012.
INTRO TO WINDOWS 8 AND WINDOWS SERVER 2012
When you look at Windows 8 and Windows Server 2012, the first thing you will notice is a big difference in the UI. But that's not the only difference. There are important differences in how the operating systems are managed: a new Server Manager console offers new management functionality, and PowerShell (version 3.0 ships with both operating systems) has gained a great deal of functionality.
Server Manager
In Windows Server 2012, Server Manager has been enhanced to provide greater management and monitoring functionality. It's your starting point for many of the general administrative functions you will need to perform. You can access event and performance information, and you can install new roles and features from here.
Dashboard
When you log into Windows Server 2012, Server Manager will open. You will be presented with the Dashboard view, as seen in Figure 1.1. The Dashboard view allows you to access information about the different roles and features that have been installed on the system. You can view information on manageability, events, performance, and Best Practices Analyzer (BPA) results.
Local Server
The Local Server section, as seen in Figure 1.2, will give you detailed information about the server to which you are currently connected. You can view server properties, events, services, Best Practices Analyzer information, performance information, and roles and features information.
Add Roles and Features
Server Manager is where you go to Add Roles and Features to your server. In upcoming chapters, we will be installing different roles and features. Most of these installs will be launched from Server Manager. The first few steps of all the installs will be the same. So, instead of repeating these steps multiple times, we will go through these steps now:
1. In the Server Manager Dashboard, select Add Roles and Features. This will launch the Add Roles and Features Wizard. First, you will be presented with the Before You Begin screen, as seen in Figure 1.3. This screen describes what can be done using the wizard. It also gives configuration suggestions to follow before you continue with the wizard. Click Next.
2. Next, you will see the Installation Type screen, as seen in Figure 1.4. You have two options: a role-based or feature-based installation, which installs individual roles and features on a server; or a Remote Desktop Services installation, which deploys the Virtual Desktop Infrastructure (VDI) or session-based desktop roles across one or more servers. Select Role-based or feature-based installation, and click Next.
3. Next you will see the Server Selection screen, as seen in Figure 1.5. Here, you can choose to install to a server or to a VHD (virtual hard disk). If you choose a VHD, you have the option to install to a VHD attached to an online server, or to an offline VHD. Choose Select a server from the server pool, pick the server you want to install onto, and click Next. Only servers that have already been added to Server Manager (through the Manage menu) appear in the pool.
Config Export
One useful feature of the Add Roles and Features Wizard is the ability to export an installation configuration. On the Confirmation screen, after you have finished selecting the roles and features, you can click Export configuration settings to save the selection to an XML file. You can then use PowerShell to script an install with the same settings on a different server. This not only makes it easier to build multiple servers, but it also helps to ensure consistent installations. The command that performs the install is:
Install-WindowsFeature -ConfigurationFilePath <exportedconfig.xml>
Add -ComputerName <server> to run the install against a remote server (the connection goes over WinRM), and -WhatIf to see what would be installed without changing anything.
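The wizard steps and the configuration export above, scripted end to end. This is an added example, not code from the book: the file path C:\Deploy\web-role.xml, the reference server ref01 (the one the configuration was exported from) and the targets web01 and web02 are hypothetical names, and the targets are assumed to be reachable over WinRM from the Server 2012 host running the script.

```powershell
# Added example, not from the book: script the same install the Add Roles and
# Features Wizard performs, driven by the XML it exported. Hypothetical names:
# C:\Deploy\web-role.xml (the exported file), ref01 (the server it was exported
# from) and web01/web02 (targets). Remote calls go over WinRM, so the targets
# must already be manageable from this Server 2012 host.
Import-Module ServerManager

$ConfigFile = 'C:\Deploy\web-role.xml'
$Reference  = 'ref01'
$Targets    = 'web01', 'web02'

foreach ($Server in $Targets) {
    # Dry run: -WhatIf lists what would change on the target without touching it.
    Install-WindowsFeature -ConfigurationFilePath $ConfigFile -ComputerName $Server -WhatIf

    # Real install. -Restart reboots the target only if an installed feature needs it.
    $Result = Install-WindowsFeature -ConfigurationFilePath $ConfigFile -ComputerName $Server -Restart

    # The cmdlet returns an object (Success, ExitCode, RestartNeeded, FeatureResult),
    # so the script can branch on the outcome instead of scraping console text.
    if (-not $Result.Success) {
        Write-Warning ('{0}: install failed, exit code {1}' -f $Server, $Result.ExitCode)
        continue
    }
    Write-Output ('{0}: installed {1}' -f $Server, ($Result.FeatureResult.DisplayName -join ', '))
    if ($Result.RestartNeeded -ne 'No') {
        Write-Warning ('{0}: restart still required ({1})' -f $Server, $Result.RestartNeeded)
    }
}

# Consistency check: the set of installed features on each target should match the
# reference server the configuration came from. Any drift shows up as <= / => lines.
$Expected = (Get-WindowsFeature -ComputerName $Reference | Where-Object { $_.Installed }).Name
foreach ($Server in $Targets) {
    $Actual = (Get-WindowsFeature -ComputerName $Server | Where-Object { $_.Installed }).Name
    $Drift  = Compare-Object -ReferenceObject $Expected -DifferenceObject $Actual
    if ($Drift) {
        Write-Warning ('{0}: feature set differs from {1}' -f $Server, $Reference)
        $Drift | Format-Table -AutoSize
    } else {
        Write-Output ('{0}: feature set matches {1}' -f $Server, $Reference)
    }
}
```

For the offline VHD case from step 3, the same cmdlet takes -Vhd <path-to-vhdx> in place of a live target. The final Compare-Object pass is the part worth keeping in any build script: the exported XML guarantees the same selection was requested, but only a comparison of what Get-WindowsFeature reports as Installed shows that every server actually ended up the same.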
Notifications
The Notifications section of Server Manager, as seen in Figure 1.6, will provide notification and alert messages. For example, after you install a role, a notification will be posted letting you know that the install was successful. You will also get a notification after an install, if there is post-install configuration that needs to be done.
Manage
The Manage menu provides you the ability to add and remove roles and features. You can add servers to be managed by Server Manager. You can also create server groups.
Tools
The Tools menu brings up a list of various tools that you can use to manage your server. There are entries for Local Security Policy, Performance Monitor, Resource Monitor, the Security Configuration Wizard, and many other options. Some of these security-related tools will be covered later in this book.
PowerShell
PowerShell is a powerful management language for Windows systems. Windows PowerShell is a combination of a command-line shell and a scripting language. Because it runs on the .NET Framework, PowerShell has direct access to .NET classes and to COM and WMI management components, which greatly expands what the language can do.
PowerShell is one of the main tools used for managing Windows systems. In fact, many Windows management consoles are built on top of PowerShell: PowerShell includes a hosting API that GUI applications can use to run PowerShell commands. PowerShell commands can be cmdlets, PowerShell scripts, PowerShell functions, or standalone executables. Cmdlets, scripts, and functions run inside the PowerShell process; standalone executables are launched as separate processes. As Windows moves forward there will be an increasing reliance on PowerShell, so it's important that you understand how to use it to manage and administer your systems. As we go through this book we will periodically reference PowerShell commands that may be useful to you.
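The three claims made above (cmdlets versus standalone executables, WMI access, COM access) demonstrated in a script. This is an added example, not the book's own code; it assumes a Windows 8 or Server 2012 host with PowerShell 3.0, and the update search at the end assumes the host can reach WSUS or Microsoft Update.

```powershell
# Added example, not from the book: the claims made above about PowerShell,
# demonstrated on a Windows 8 / Server 2012 host (PowerShell 3.0). Nothing here
# is specific to one machine; output will differ from host to host.

# 1. How PowerShell will execute a name. Cmdlets, functions and scripts run inside
#    the PowerShell process; an Application is started as a separate process.
function Get-CommandKinds {
    foreach ($name in 'Get-Service', 'Get-CommandKinds', 'whoami.exe') {
        $cmd = Get-Command $name
        '{0,-18} {1}' -f $name, $cmd.CommandType    # Cmdlet / Function / Application
    }
}
Get-CommandKinds

# 2. WMI straight from the shell: services that start automatically as LocalSystem.
#    Everything in this list runs with full local privilege at every boot, so its
#    binary path is worth a look. An unquoted path containing a space is flagged,
#    because the service control manager may then resolve it to a differently named
#    executable earlier in the path (for example C:\Program.exe).
function Get-AutoSystemServices {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, PathName,
            @{ n = 'UnquotedPath'; e = { $_.PathName -match '^[^"]\S*\s.*\.exe' } }
}
Get-AutoSystemServices | Sort-Object UnquotedPath -Descending | Format-Table -AutoSize

# 3. COM straight from the shell: the Windows Update Agent object the Windows Update
#    UI itself uses, asked for software updates that are not yet installed. The search
#    needs WSUS or Microsoft Update reachability, so a failure is reported rather than
#    left as an unhandled exception.
function Get-PendingUpdates {
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
        foreach ($u in $result.Updates) {
            New-Object PSObject -Property @{
                Title    = $u.Title
                Severity = $u.MsrcSeverity
                KB       = (@($u.KBArticleIDs) -join ',')
            }
        }
    } catch {
        Write-Warning ('Update search failed: {0}' -f $_.Exception.Message)
    }
}
Get-PendingUpdates | Format-Table Title, Severity, KB -AutoSize
```

Get-WmiObject is used rather than the newer Get-CimInstance because both exist on Server 2012 and the WMI class names are the same; the only difference for this query is transport (DCOM versus WS-Man), which matters once you point it at remote hosts with -ComputerName.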
INTRO TO IPv6
IPv6 is the newest version of the IP protocol. It was designed to replace IPv4, the version still used throughout most of the Internet, because there are not enough IPv4 addresses to satisfy the needs of the growing Internet. IPv6 has been talked about for a long time, but it is only now picking up steam, and more and more Internet Service Providers support the protocol. World IPv6 Launch Day was June 6, 2012, the day many ISPs and vendors permanently enabled IPv6 for their products and services.
IPv6 Architecture
The IPv6 architecture is very different from the IPv4 architecture, and those differences are what make IPv6 the choice for the future. IPv6 is scalable, has IPsec built into the protocol suite, and is relatively easy to set up. Built in does not mean switched on, though: IPsec still has to be configured before any traffic is protected. And because Windows 8 and Windows Server 2012 enable IPv6 by default, an IPv6 stack you are not actively managing is still reachable on the local link and needs the same firewall and hardening attention as IPv4.
IPv6 Addressing
IPv6 addresses are 128 bits long, compared to 32 bits for IPv4. That gives 2^128, or about 3.4 × 10^38, addresses, which works out to roughly 4.8 × 10^28 addresses for each person on earth. There is almost no way we will ever use anywhere near that many. The main benefit of having that many addresses available is that you can afford to waste them. With IPv4 there was no room for waste; you had to make the most efficient use of addresses possible. With IPv6 that's no longer a concern. You should still come up with a scheme that suits your organization (a /64 per subnet is the norm, because stateless address autoconfiguration depends on a 64-bit interface identifier), but it's ok if you waste addresses.
IPv6 Notation
IPv6 addresses consist of eight 16-bit groups separated by colons, with each group written as four hexadecimal digits:
abcd:1234:1234:abcd:0230:0bcd:1234:a0cd
As you can see, IPv6 addresses can be quite long and very hard to remember. To make things a little easier, IPv6 addresses can be abbreviated in two ways, both based on runs of zeros. First, you can remove one or more leading zeros from a group of 4 hex digits:
abcd:1234:0000:abcd:0230:0bcd:1234:a0cd
becomes
abcd:1234:0:abcd:230:bcd:1234:a0cd
Also, you can remove one run of consecutive all-zero groups and replace it with a double colon (::). The double colon can only be used once in an address; if it appeared twice there would be no way to tell how many groups each :: stands for:
0000:0000:abcd:1234:abcd:1234:abcd:1234
becomes
::abcd:1234:abcd:1234:abcd:1234
or
abcd:1234:0000:0000:0000:abcd:1234:abcd
becomes
abcd:1234::abcd:1234:abcd
In IPv4 you had the network portion of the address and the host portion, and the subnet mask tells you which portion is which. There are two ways to write an IPv4 subnet mask: the traditional dotted form, 255.255.255.0, for example, or the CIDR form, /24. In IPv6, the network portion of the address is called the prefix, and the number of bits in the prefix (the prefix length) plays the role of the subnet mask. IPv6 prefix lengths are written only in CIDR form, for example 2001:db8:abcd::/48 for a site and 2001:db8:abcd:1::/64 for one subnet within it.
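The two abbreviation rules and the prefix notation above, implemented by hand so the rules are explicit, and cross-checked against the .NET parser that Windows itself uses. This is an added example, not code from the book; it assumes PowerShell 3.0 on Windows 8 or Server 2012, and the sample addresses are the ones from the text plus a few constructed edge cases.

```powershell
# Added example, not from the book: the two abbreviation rules and the CIDR prefix
# notation described above, implemented in PowerShell and cross-checked against
# the .NET parser ([System.Net.IPAddress]) that Windows itself uses.
# Sample addresses: the ones from the text plus constructed edge cases.

function Expand-IPv6Address {
    # Canonical long form: eight groups of four lower-case hex digits, no '::'.
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $bytes = $ip.GetAddressBytes()                 # 16 bytes in network byte order
    $groups = for ($i = 0; $i -lt 16; $i += 2) { '{0:x2}{1:x2}' -f $bytes[$i], $bytes[$i + 1] }
    $groups -join ':'
}

function Compress-IPv6Address {
    # Rule 1: drop leading zeros in every group (but keep a single 0).
    # Rule 2: replace the longest run of two or more all-zero groups with '::'.
    #         The first run wins a tie and '::' is used at most once (RFC 5952 style).
    param([Parameter(Mandatory = $true)][string]$Address)
    $groups = @((Expand-IPv6Address $Address).Split(':') | ForEach-Object {
        $g = $_.TrimStart('0'); if ($g -eq '') { '0' } else { $g }
    })
    $bestStart = -1; $bestLen = 0; $i = 0
    while ($i -lt 8) {
        if ($groups[$i] -ne '0') { $i++; continue }
        $j = $i
        while ($j -lt 8 -and $groups[$j] -eq '0') { $j++ }
        if (($j - $i) -gt $bestLen) { $bestLen = $j - $i; $bestStart = $i }
        $i = $j
    }
    if ($bestLen -lt 2) { return ($groups -join ':') }
    $left  = if ($bestStart -gt 0) { $groups[0..($bestStart - 1)] -join ':' } else { '' }
    $end   = $bestStart + $bestLen
    $right = if ($end -lt 8) { $groups[$end..7] -join ':' } else { '' }
    return "${left}::${right}"
}

function Test-IPv6InPrefix {
    # CIDR match: the first <length> bits of Address equal those of the prefix.
    param([Parameter(Mandatory = $true)][string]$Address,
          [Parameter(Mandatory = $true)][string]$Prefix)
    $network, $length = $Prefix.Split('/')
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $p = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    for ($bit = 0; $bit -lt [int]$length; $bit++) {
        $byte = [int][math]::Floor($bit / 8)
        $mask = [int][math]::Pow(2, 7 - ($bit % 8))     # 0x80, 0x40, ... 0x01
        if (($a[$byte] -band $mask) -ne ($p[$byte] -band $mask)) { return $false }
    }
    return $true
}

# The addresses from the text plus constructed cases (two equal zero runs; loopback).
$Samples = 'abcd:1234:0000:abcd:0230:0bcd:1234:a0cd',
           '0000:0000:abcd:1234:abcd:1234:abcd:1234',
           'abcd:1234:0000:0000:0000:abcd:1234:abcd',
           '2001:0db8:0000:0000:0001:0000:0000:0001',
           '0000:0000:0000:0000:0000:0000:0000:0001'
foreach ($s in $Samples) {
    $short  = Compress-IPv6Address $s
    $dotnet = [System.Net.IPAddress]::Parse($s).ToString()   # .NET's own short form
    $check  = if ($short -eq $dotnet) { 'agrees with .NET' } else { "differs from .NET ($dotnet)" }
    '{0}  ->  {1}  ({2})' -f $s, $short, $check
}

# Prefix checks against the documentation range 2001:db8::/32 and the link-local range.
Test-IPv6InPrefix '2001:db8:abcd::1' '2001:db8::/32'   # same first 32 bits
Test-IPv6InPrefix '2001:db9::1'      '2001:db8::/32'   # bit 31 of the prefix differs
Test-IPv6InPrefix 'fe80::1'          'fe80::/10'       # link-local
```

The comparison against [System.Net.IPAddress]::ToString() is there deliberately: the text's rule says "a run of zeros", while a printer has to choose which run when there are two, and some older .NET Framework builds also compress a single zero group. Any line that reports "differs from .NET" shows exactly where the two renderings disagree, which is the kind of thing that makes naive string comparison of IPv6 addresses in firewall rules or log searches unreliable; compare expanded forms, or byte arrays, instead.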
IPv6 Address Types
There are three types of addresses used with IPv6: unicast, multicast, and anycast. Unicast addresses are what you would call regular addresses; they are the addresses usually bound to your network card. A unicast address should be unique on a network, meaning a single unicast address represents a single system. Multicast addresses are used for one-to-many communication: multiple systems can listen on the same multicast address, so when a system sends a message to a multicast address, several systems may receive and respond to it. Multicast addresses are in ff00::/8, so they all begin with ff; the next hex digit is a flags field, which is why you will commonly see addresses starting with ff0 (permanently assigned, well-known groups) or ff1 (transient groups). ff02::1 is the all-nodes address on a link and ff02::2 is the all-routers address; hosts send to ff02::2 to find routers. IPv6 uses multicast to accomplish much of what broadcast did in IPv4 (there is no broadcast address in IPv6). Anycast addresses are addresses shared by multiple systems and are generally used to find network devices like routers. When a message is sent to an anycast address it is delivered to only one of those systems, the nearest one as the routing topology sees it.
Unicast addresses come in four flavors: global, site-local, link-local, and unique local. Global addresses are routable throughout the Internet; the global unicast range currently in use is 2000::/3, so these addresses begin with the binary bits 001 (a first hex digit of 2 or 3). Site-local addresses (fec0::/10) were meant to be routable only within a specified site within an organization. Link-local and unique local addresses will be covered in the next section on special addresses.
Note: Site-local addresses have been deprecated (RFC 3879) and are no longer used; unique local addresses are the replacement.
IPv6 Special Addresses
There are several special addresses in IPv6. These addresses, or groups of addresses, serve very specific functions. We will cover the loopback address, link-local addresses, and unique local addresses.
Loopback Address
The loopback address, also called localhost, is probably familiar to you. It is an internal address that routes back to the local system. In IPv4 the loopback address is 127.0.0.1 (in fact the whole 127.0.0.0/8 block is reserved for loopback). In IPv6 there is a single loopback address, 0:0:0:0:0:0:0:1, usually written ::1.
Link-Local Addresses
Link-local addresses are intended for use only on a single network segment or subnet; routers will not forward packets with link-local addresses. Link-local addresses also exist in IPv4, in the 169.254.0.0/16 block (Automatic Private IP Addressing, or APIPA, on Windows). A system assigns itself one of these when it is configured for DHCP but cannot obtain a lease, so that it has some connectivity until a more suitable address can be obtained. In IPv6, the block fe80::/10 is reserved for link-local addresses, and in practice they are formed as fe80::/64 plus a 64-bit interface identifier. That identifier was originally derived from the interface's MAC address (modified EUI-64); Windows Vista and later randomize it by default instead, which is why the low 64 bits of a Windows link-local address do not match the NIC's MAC. IPv6 link-local addresses are assigned by the stateless address autoconfiguration process. An IPv6 system must have a link-local address because core protocol functions such as Neighbor Discovery and router discovery use it, so during a normal startup an IPv6 system obtains a link-local address before it receives a regular, routable address. Because every IPv6-enabled interface gets one automatically, a Windows host has link-local IPv6 connectivity with its neighbors even on a network where you have never deployed IPv6.
Unique Local Address
Unique local addresses are a set of addresses intended for use in internal networks, similar to the "private" IPv4 addresses such as 10.0.0.0/8. They can be used within an organization but are not routable on the global Internet. The block fc00::/7 has been reserved for unique local addresses; in practice the fd00::/8 half is used, with a randomly generated 40-bit global ID following the fd so that two organizations' ranges are unlikely to collide if their networks are ever merged. Using unique local addresses can help keep external systems from having direct access to your internal systems, but only because border routers should not route them. Treat that as a convention rather than a control: still filter them explicitly at the boundary, and remember that a host can hold a unique local address and a global address at the same time.
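An inventory of the IPv6 addresses a Windows host actually holds, labelled with the address types described in this section, and a look at the Windows setting behind the randomized interface identifier mentioned under link-local addresses. This is an added example, not code from the book; it assumes a Windows 8 or Server 2012 host with the NetTCPIP cmdlets (Get-NetIPAddress, Get-NetIPv6Protocol) that ship with those versions, and its output is whatever that host has configured.

```powershell
# Added example, not from the book: list the IPv6 addresses this Windows 8 /
# Server 2012 host actually holds and label each with the address type described
# above. Uses the NetTCPIP cmdlets that ship with these OS versions; the output
# is host-specific, so no fixed result is shown.

function Get-IPv6AddressType {
    # Classify by the well-known ranges from the text.
    param([Parameter(Mandatory = $true)][string]$Address)
    $bare = ($Address -split '%')[0]       # drop a zone index such as %12 on link-local addresses
    $ip   = [System.Net.IPAddress]::Parse($bare)
    $b    = $ip.GetAddressBytes()
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback))    { return 'loopback (::1)' }
    if ($b[0] -eq 0xff)                                       { return 'multicast (ff00::/8)' }
    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80)     { return 'link-local (fe80::/10)' }
    if (($b[0] -band 0xfe) -eq 0xfc)                          { return 'unique local (fc00::/7)' }
    if (($b[0] -band 0xe0) -eq 0x20)                          { return 'global unicast (2000::/3)' }
    return 'other'
}

# Whether Windows randomizes the 64-bit interface identifier (the default) and whether
# it also generates short-lived temporary global addresses (RFC 4941 privacy extensions).
Get-NetIPv6Protocol | Select-Object RandomizeIdentifiers, UseTemporaryAddresses | Format-List

# Every IPv6 address on every interface, with where it came from:
#   PrefixOrigin WellKnown + SuffixOrigin Link/Random  -> autoconfigured link-local
#   PrefixOrigin RouterAdvertisement                   -> SLAAC from a router on the link
#   PrefixOrigin Dhcp / Manual                         -> DHCPv6 or static assignment
$addresses = Get-NetIPAddress -AddressFamily IPv6 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin, SuffixOrigin, AddressState,
                  @{ n = 'Type'; e = { Get-IPv6AddressType -Address $_.IPAddress } }
$addresses | Sort-Object InterfaceAlias, Type | Format-Table -AutoSize

# Summary by type. A host showing only loopback and link-local entries still has live
# IPv6 on every link, which is the normal state of a Windows machine on an IPv4-only network.
$addresses | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize
```

Run this on a server you believe is "IPv4 only": the link-local entries are the reachable surface the IPv6 Architecture section warns about, and any RouterAdvertisement-origin address means something on the link is handing out prefixes, whether or not you put it there.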
(Continues...)
Excerpted from Windows 2012 Server Network Security by Derrick Rountree. Copyright © 2013 by Elsevier Inc. Excerpted by permission of Elsevier Science.