Before using the windows server backup, I have setup a Hyper-V virtual machine on target computer and install the software of Windows Server Backup on both domain controller and domain member computer.

First, created a virtual hard disk on a Hyper-V virtual machine, these steps are strict forward, just created a virtual hard disk and used diskpart to prepare the disk storage for the backup. Then install the windows server backup on both computers. By the command below:

Add-WindowsFeature Windows-Server-Backup -IncludeManagementTools

After finished all the preparations for the server backup, I have created a scheduled backup for the server. To do so, I have used the backup schedule wizard to complete the setup. The configuration all user defines following setting:

1. backup target (which data you want to backup)
2. backup time (you can back up your data more than once a day or select daily backup time)
3. Backup destination type (you can backup your data to hard disk, volume or shared network folder)

The backup not only restricted to create a schedule; you can also create a backup once by using the windows server Backup and select backup once from the manual. The backup wizard is similar with the schedule one but without selecting the time only.

Windows Server Backup also provide a way to restore the back while you needed. On the manual, select recover and select the data of the backup you want to restore. Also, the type and location are need be specified during the restore process. Finally enter the password to recover the backup.

Windows server backup is a very powerful tool for server administrators to backup and recover a full server, include the data, the state of the system. It gives the admin flexibility to select a specific volume of the hard disk or even files or folder.  So, in case of the hardware amount the server get damage, the software can the server admin to protect the one of most valuable assets in the server, the data and setting.

And the software allows a continuous schedule backup on the hold system or specific, this setting give help admin reduce a tone of workload, at the same time it can proved a high level of protection of the data.  

In the lab, I establish an encrypted drive on the computer by using bitlocker. First, using group policy management to create GPO in the domain computer, plabwin810, this can set the security filtering on the target computer. After enable the functionality of bitlocker on the target computer, I have created a new partition on the computer for storing the recovery key.

After all the preparation jobs was finished, I have enabled the bitlocker on the target drive. To turn on the bitlocker, I have right clicked the target drive and select ‘Turn on BitLocker’ to enable the bitlocker. After that, a window pops up for you to enter the password to unlock the drive. Also, the password procedure allow user to creature a recovery key to unlock the drive while the password is forgotten. As the recover key should be saved on a different location, not  on the encrypted drive. I have selected the new created diver, also we can save on the USB flash drive.

Considering the security issue, saving the recover on the same computer is not a good idea. People using bitlocker to encrypt the drive is for protecting the data on the drive could not be viewed or copy. In other words, it protects the data from unauthorized access in case of lost of computer or the computer being stolen. If we save the recover key on the same computer, people can easily to get the key to unlock the drive and get access of the data. So, saving the key on a USB drive or different computer could have a better security protection of the data.

After creating the recovery key, we can start the encrypting process. White the it was finished, a opened key shown on the drived icon which means the drive still not locked, a restart was required. After the restart, a locked key was shown on the target drive icon which means the drive is locked.

Now bitlocker encrypted the contend of the target partition. It use the integrity checking in the boot process to check that the drive content have not been altered and it is still in the original computer. If the check of the integrity is failed, the computer can not boot up to prevent data copy to another computer.

There are two ways to unlock the drive:

1. use the password
2. use the recover key

In normal use, double click the encrypted drive to allow a pop-up window for you to enter the password. However, if you forget the password, in the option, you can select using recover key to unlock the drive. Just find the recover key and copy and paste to the text area to unlock the drive.

Finally, to remove the encryption on the target drive, you can in the commend of:

manage-bde -off D:

to decrypted the target drive.

The Domain Name System Security Extensions (DNSSEC) is using public key cryptography to increase the security during user requesting IP address for a server for the DNS name space. It allows DNS zone to be digitally singed to protects it from attacks and improve the security of the DNS environment.

In the DNSSEC, it involves a trust anchors which is authoritative that store the public key. Also involve a authoritative server that contain the master set of DNS data which will be updated when there is any changes. And a non-authoritative sever is a cache server so the data may not be updated.

In the lab, before any configuration of the DNSSEC a DNS is required. So, I have used DNS manager to create a DNS zone which can be connected by any client. Using these as a foundation, by power shell we can resolve the IP address by the DNS name space. The output is simple in the stage because we have not setup any security at this moment, the result is just an IP address without any security like signed time or signature.

First, I have used DNS Manager to create zone, sample resource record and nonauthoritative DNS server for later use.

Next, a detail setting of DNSSEC is start by singing the zone to DNSSEC. It includes the default setting of the signing option and it produced lot of files for security such as RR signature and DNS KEY. The setup of the DNSSEC is in the trust anchor (TA) which means that all files need to be share to the Non-Authoritative DNS which I have created previously.

After sharing, both computers contain the secure file for DNSSEC which located in the ‘Trust Points’ folder under the servers.

Now, query of the DNSSEC show the DNSSEC information specific of the key information. However the DNSSEC validation is not yet required now.

To validate the DNS require a public key which store in the DNSKEY resource file and turn on the validation can be done by configure the support for DNSSEC in GPO.

After that, using the same command shown below:

Get-DnsClientNrptPolicy

The validation required state will change to Ture.

Other continuation of the DNSSEC is unsign the secure zone for example change the security causing the mismatch of the key and need to be redo. During the lab, using the DNS manager I have unsigned the zone by a simple step.

In the lab exercise, I have used the network policy server to setup the Radius clients for implementing a network policy server. During the setup process, I have come across several step, one of them are selecting the authentication methods. As the default setting of the authentication method are extensible authentication protocol (EAP)and Microsoft encrypted authentication version 2 (MS-CHAP V2). EAP is frequently used in point to point connection which provide some common functions and negotiation for authentication and able to support multiple authentication.  MS-CHAP is a challenge-Handshake authentication, it also supports point to point protocol.

The security policy used in the lab is custom policy which specify the condition of a windows groups condition which should be belong to one of the specific groups. The group I have defined as the condition is PRACTICELABS\GlobalIT, and there is pre-defined policy already exited in the network policies. I have disabled the pre-exited policy so the only enabled policy is the one I have defined.

For the accounting configuration, I have changed the log file format as IAS(Legacy) which is stand for Internet Authentication Service. It is specially design for (RADIUS) server and proxy by micorsoft.

Also changed the new log file created in daily. Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy.

Introduction

Network security is very important every organization to provide a safe, stable and reliable for internet connection by wireless network. The level of security varies in different organization by the way they use the network and the number of users in the organization.

The most comment are needed to consider for Wi-Fi network security are authentication, authorization and encryption. In this blog, I will cover most import security and access management in term of those three areas.

Authentication

Device or User Authentication and Authorisation

Two type for method for authentication to accessing Wi-Fi network which is device authentication and user authentication.

When a wireless network is using WPA2 Encryption Techniques, device authentication is easy to configure. Under WPA2, school can provide sufficient security to control the access of the Wi-Fi network by only allow school owned device to access the network.

However, if the school prefer staff or student use their own device, user authentication would be more suitable for this situation. User this setting, school is usually using 802.1x protocol and proved authorized user  a username and password for login to the network. The user who want to access the network just need to enter the username and password, the network will check whether the user have the authentication to access the network or not. In some cases, the organize can also provided a unique per user pre-shared keys as a addition al method for authentication. This is suitable for small networks or staff owned device. Because the password should be changed in a regular period and notifying all user could be a problem.

Beside the above two method, Media Access Control (MAC) address filtering is also a common technique for  authentication. If the device have a pre-authenticated MAC address could access the network. However, this is not an recommended method for authentication because, in theory, the MAC address is unique for each device but there are possible for people using some method to make a new MAC to bypass the authentication of the network. In some cases, such as small device like bar code scanner, MAC would be useful because the device do not need high secure and only have specific need only.

Encryption

The first commonly used encryption techniques is wired equivalent privacy technique (WEP) which used a static key at layer based. It is outdated now and no longer accepted as a security encryption method because tools can easily decrypt, he encryption.

In 2004, Wi-Fi protected access (WPA) was used and for a new encryption technique, it has a more security lever and support RC4 and TKIP dynamic key management. However, WPA has a number of security vulnerabilities and not preferable as an encryption method now.

WPA2 is the most comment encryption technique now, it is using advance encryption standard (AES) which using CCMP encryption method. There are two modes under WPA2, which are WPA2-Personal and WPA2-Enterpirie

WPS2-Personal use PSK authentication which suitable of small Wi-Fi network such as home or small school. And WPA2 Enterprises is suitable for medium and large size school.

WPA2 using 802.1x/EAP for user authentication and authorization. The basic step of user accessing the network is:

1. Client request for an access of the network by the access point with the identity of the client
2. Access point collect the client packet which contain authentic criteria and send to the authentication server.
3. The authentication server replies the access request as accept or deny of the request and send back to the access point.
4. The access point allows the user connect to that network as the reply is accepted form the server.

Captive portal is another authentication technique for user can access to the WIFI network without any authentication at first. After the connection, the user redirected to a special web page called Captive web Portal (CWP) for inputting the password and username for access other webpages and services.

For the medium or large size school, WPA2-EAP with 802.1x is the most suitable WIFI security setting. It supports user authentication and authorization and support larger number of user login with a good encryption security to protect the data. And it is user friendly, as most of the device support it and do not need further setting of the device, only need to input the username and password. In term of administration cost, it is one of the easiest options and with the high security level.

After the Wi-Fi network have setup, there are more common security issues we need to take care for maintaining secure and reliable Wi-Fi network services. The most common issue using common or easily guessed username and password, to minimize the risk, changing the default setting of every access point is a must and change the password regularly can help maintain the security of the network. Another issue is the access of school network in non-necessary time or the signal wider than the school area. To mitigate the issue, we could use directional antenna to focus on the necessary school area and set the time period for the available time of the Wi-Fi network.

While visiting website, Hypertext Transfer Protocol (HTTP) is used to send and receive data from the server. The general port used for HTTP is port number 80. An extension version of HTTP is Hypertext Transfer Protocol Secure (HTTPS). The data during commutation is a encrypted to increase the security and usually using port number 443. So, the firewall setting should be allowed access of port 80 and 443

FTP is stand for File Transfer Protocol which is used for transferring computer files between computer. To secure the data during the process, SSL and TLS often used for encryption. The port 20 and 21 usually for FTP and SSH usually using 22. So, the firewall setting should be allowed access of port 20, 21 and 22.

Simple Mail Transfer Protocol (SMTP) is for sending emails which a kind of FTP but specific for sending message, send and receive mail. TCP port for SMTP is number 25 so the firewall should allow access of port 25.

Remote administration is establish connection for controlling the computer remotely. It require TCP/IP for the connection and the port number usually is 8080. So the firewall should  allow access of port 8080.

MariaDB and Microsoft SQL (MSSQL) are most popular databased servers in the world. MariaDB is MySQL, in 2008 Sun bought MySQL and in 2010 oracle bought Sun, so the code is some kind base on MySQL. MSSQL is a relational database management system developed by Microsoft.

The port they are using is different, for MariaDB using 3306 and MSSQL using 1433. For the admin connections for database, port 1434 often used by default. So, for the database firewall setting should be allowed access of port 3306 for MariaDB and 1433 for MSSQL and port 1434 for Remote Administration.

Network Address Translation (NAT) translate internet address to private address. Because there are limited number of internet TCP/IP addresses, so many devices on the private network can use only one access point to connect to the internet. In this is setting, all the devices will have a single public IP address and usually the router will have the function of the NAT and translate the same public IP address to unique private IP address.

A firewall is a protection form the internet which may have some unnecessary request to connect or communicate to our device amount our network.

Firewall provided security device service to monitor the network communication between internal network and external network (normally is outside, such as internet). In the previous version firewall, called stateless firewall, it protects the networks connection base on the actually destination where the data going to. It checks the information base on the filtering rule which match the destination or context and perform the action, for example blocking the connection. If the filtering rule do not match, there are not action will be taken for preventing any attack. So, stateless firewalls is consider as less rigourse

Another firewall is stateful firewall which will monitor the stat of the connection amount the network. Base on the context, the firewall will analysis the packet and traffic to apply the filtering rules. Like the handshake process, if the outside only request the handshake but not complete the request, the request will be filtered out.

Application firewall is a more complex way to filter protect out system by actually investigate the detail of the conversation. It distinguishes the type of connection/ traffic, such as a web type traffic only communicate from the source and the destination. Compare other traffic like malicious traffic have a complete different patent.

Secure Shell is a protocol for sending data for one computer to another computer in a secure way. There several similar protocols doing the same thing such as telnet and FTP but the different between ssh with other is that SSH is secure. Because other protocol sending data through internet without any encryption of the data, so if you are entering password or any importing information, they will send it in plaintext over the internet and could be stolen by the other and get your password. SSH can secure the connection to reduce the risk of your password being stolen.

First step of using SSH is install the software and setup a proper firewall to make sure can be establish.

The normal setting of SSH is using port 22, but it is to comment to recognize, some people may use 2222 or 12222 to protect the connection. After the setup process, setup account in both computer and setup the connection by just inputting the username and password.

The first amazing thing SSH can do is knowing what program is running on the other computer,(the one we have connected with) and try to kill it. For example a calculator programm is running on the another computer and we would like to kill it. We can search what is running on the computer by command like this: ps aux | grep calc

It grep all the information of tool names with ‘calc’ and we can also know the process ID which we need to know for killing it by using command:

Kill -9 XXXX

It will kill the program by using SSH.

Another function of using SSH is transferring data form one computer to another computer. The data could be an entire file you need to send or transferring command line to control another form another place in different platform. There are sever different SSH client and server available in different such as Linux and windows.

Reference:

NAT Firewall

openssh in linux

To maintain secure network connection, public key infrastructure (PKI) usually used to maintain the security of the data transfer by the network and very useful in many commerce areas such as e-commerce and internet banking and sending email.

In the PKI involve different roles, software and digital certificates need to be created, distributed and stored by different computer(server). Active Directory Certificate Services in windows server is for the Server Manager create digital certificates, public key cryptography and digital signature capabilities for the organization.

After establishing the service of AD Certificate Services, digital certificates can be issued and managed by the server manager for making authentication of computer, different user and establish account on the network. All different kind of digital certificates have different purposes, and all share common function are making encryption for public key and providing digital signatures, also providing authentication by confirming certificate key with different user, device and account.

Certification Authority Web Enrollment is a role providing different web pages by using web browser for the user connecting to the CA for requesting certificates or CA’s certificate.

As the server issued several certificates, backup must be setup for keeping the certificated safe and recoverable in case of any accident such as theft of smart card or accidental reformat of the server.

Key archival and key recovery agent play an import role to doing the back up of certificates. In order to making a key archival, a key recovery agent must be set up first by using the MMC Dashboard to create a certificate under the name of “key recovery agent”. This will create a Key Recovery Agent Certificate for the server manager to enroll as a key recovery agent to obtain Key Recovery Agent certificate.

After that the manager can use mms for creating copy of all issued certificated by enabling key archival.

User Certificate can be used in different situation so there are so many different types of certificate template to fulfill different purpose. For example, “Code Signing certificate” is for the programmer to sign application code for testing the software for make user that the management system and end user can be sure of the software is trusted. Also “Smartcard Logon” certificates are for the issuing the smart card. Authenticate the card from the active directory and provide the login identity..

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831740(v%3Dws.11)

https://en.wikipedia.org/wiki/Public_key_infrastructure

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831649(v%3Dws.11)

https://www.sciencedirect.com/topics/computer-science/user-certificate