Lab02.docx

  • Uploaded by: Chris Arana
  • November 2019
Advanced Operating Systems Administration

Lab 2: Implementing NAP

Student:

Objectives: At the end of the lab, the student will be able to:
  • Configure NAP components.
  • Configure VPN access.
  • Configure the client to support NAP.

Safety:

Place briefcases and/or backpacks in the cabinet at the back of the lab room or in the lockers assigned to the student. Do not bring liquids or food into the lab room. At the end of the lab session, shut down the computer and the monitor correctly and tidy the chairs used.

Equipment and Materials:

One computer with:
  • Windows 7 or later
  • VMware Workstation 10+ or VMware Player 7+
  • Connection to the lab network

Virtual machines:

DVD:
  • Windows Server 2012

Lab Guide

Page 1


Procedure:

Note: In this lab the following activities will be carried out:
  • Configure NAP components
  • Configure VPN access
  • Configure the client to support NAP

Scenario

A. Datum is a manufacturing and engineering company with its head office in London, United Kingdom. An IT office is located in London and supports the London office and other branches. A. Datum has implemented an infrastructure based on Windows Server 2012. To help increase security and meet its compliance requirements, A. Datum needs to extend its VPN solution to include NAP. You need to establish a way to verify compliance and, if necessary, automatically bring computers into compliance when they connect remotely over the VPN connection. You will meet this objective by using NPS to create system health validation, health and network policies, and you must also configure NAP to verify and remediate client health.

Lab Setup

1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-RTR and LON-CL2.
2. Start the virtual machines LON-DC1, LON-RTR and LON-CL2.


EXERCISE 1: Configuring NAP components

Scenario

You must configure the NAP components, such as the certificate requirements, the health and network policies, and the connection request policies, as the first step in implementing compliance and security.

The main tasks for this exercise are as follows:
  • Configure the server and client certificate requirements
  • Configure the health policies
  • Configure the network policies
  • Configure the connection request policies for VPN

► Task 1: Configure Server and Client Certificate Requirements

1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.
2. In the certsrv management console, expand AdatumCA, right-click Certificate Templates, and then select Manage on the context menu.
3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
4. Click the Security tab in the Computer Properties dialog box, and then select Authenticated Users.
5. In the Permissions for Authenticated Users, select the Allow check box for the Enroll permission, and then click OK.
6. Close the Certificate Templates Console.
7. In certsrv - [Certification Authority (Local)], right-click AdatumCA, point to All Tasks, and then click Stop Service.
8. Right-click AdatumCA, point to All Tasks, and then click Start Service.
9. Close the certsrv management console.




► Task 2: Configure Health Policies

1. Switch to the LON-RTR computer.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Right-click Start, click Run, type mmc.exe, and then press Enter.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
8. The Certificate Enrollment dialog box opens. Click Next.
9. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.
10. Select the Computer check box, and then click Enroll.
11. Verify that the status of the certificate installation is Succeeded, and then click Finish.
12. Close the Console window.
13. Click No when prompted to save console settings.
14. On LON-RTR, switch to Server Manager.
15. In Server Manager, in the details pane, click Add Roles and Features. Click Next.
16. On the Select installation type page, click Next.
17. On the Select destination server page, click Next.
18. On the Select server roles page, select the Network Policy and Access Services check box.
19. Click Add Features, and then click Next twice.
20. On the Network Policy and Access Services page, click Next.
21. On the Select Role Services page, click Next.
22. Click Install.
23. Verify that the installation was successful, and then click Close.
24. Close the Server Manager window.
25. Click Start, and then click Administrative Tools.
26. In Administrative Tools, double-click Network Policy Server.
27. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
28. In the right pane, under Name, double-click Default Configuration.
29. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except the A firewall is enabled for all network connections check box, and then click OK.
30. In the navigation pane, expand Policies.
31. Right-click Health Policies, and then click New.
32. In the Create New Health Policy dialog box, in the Policy name box, type Compliant.


33. In the Client SHV checks box, verify that Client passes all SHV checks is selected.
34. In the SHVs used in this health policy box, select the Windows Security Health Validator check box.
35. Click OK.
36. Right-click Health Policies, and then click New.
37. In the Create New Health Policy dialog box, in the Policy Name box, type Noncompliant.
38. In the Client SHV checks box, select Client fails one or more SHV checks.
39. In the SHVs used in this health policy area, select the Windows Security Health Validator check box.
40. Click OK.

Deliverable 1. Take a screenshot showing the result of the policies created.
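The server-side part of Task 2 (certificate enrollment, NPS installation) and a check that both health policies exist, as an added PowerShell example that is not part of the lab guide. It assumes an elevated prompt on LON-RTR, that the AD CS "Computer" template carries its default internal name "Machine", and that the health policies were created in the NPS console as described above.

```powershell
# Added example (not from the lab guide): Exercise 1, Task 2 on LON-RTR.
# Assumes the AD CS "Computer" template has its default name "Machine" and
# that LON-RTR is joined to the Adatum domain and can reach AdatumCA.

# 1. Enroll a computer certificate from the enterprise CA. This is the
#    PowerShell equivalent of the Certificates MMC "Request New Certificate"
#    steps (steps 3-13 above).
$enroll = Get-Certificate -Template Machine -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') {
    throw "Certificate request did not complete: status is $($enroll.Status)"
}
$enroll.Certificate | Format-List Subject, NotAfter, Thumbprint

# 2. Install Network Policy and Access Services with its console
#    (steps 14-24 above).
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 3. Once the Compliant and Noncompliant health policies exist, export the
#    live NPS configuration and confirm both names are present. The export
#    contains RADIUS shared secrets in clear text, so it is deleted afterwards.
$exportPath = Join-Path $env:TEMP 'nps-config.xml'
Export-NpsConfiguration -Path $exportPath
$config = Get-Content -Path $exportPath -Raw
foreach ($name in 'Compliant', 'Noncompliant') {
    # -cmatch with word boundaries so "Compliant" does not match "Noncompliant".
    if ($config -cmatch "\b$name\b") {
        Write-Host "Health policy '$name' is present in the NPS configuration"
    } else {
        Write-Warning "Health policy '$name' not found in the NPS configuration"
    }
}
Remove-Item -Path $exportPath -Force
```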


► Task 3: Configure Network Policies

1. In the navigation pane, under Policies, click Network Policies.

   Note: Important: Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.

2. Right-click Network Policies, and then click New.
3. On the Specify Network Policy Name and Connection Type page, in the Policy name box, type Compliant-Full-Access, and then click Next.
4. On the Specify Conditions page, click Add.
5. In the Select condition dialog box, double-click Health Policies.
6. In the Health Policies dialog box, in the Health policies box, type Compliant, and then click OK.
7. On the Specify Conditions page, click Next.
8. On the Specify Access Permission page, click Next.
9. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
10. Click Next again.
11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
12. On the Completing New Network Policy page, click Finish.
13. Right-click Network Policies, and then click New.
14. On the Specify Network Policy Name And Connection Type page, in the Policy name box, type Noncompliant-Restricted, and then click Next.
15. On the Specify Conditions page, click Add.
16. In the Select condition dialog box, double-click Health Policies.
17. In the Health Policies dialog box, in the Health policies box, type Noncompliant, and then click OK.
18. On the Specify Conditions page, click Next.
19. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
20. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
21. Click Next again.
22. On the Configure Settings page, click NAP Enforcement. Click Allow limited access.
23. Clear the Enable auto-remediation of client computers check box.
24. In the Configure Settings window, click IP Filters.
25. In the IPv4 section, click Input Filters, and then click New.
26. In the Add IP Filter dialog box, select Destination network.
27. In the IP address box, type 172.16.0.10.
28. In the Subnet mask box, type 255.255.255.255, and then click OK.


29. Click Permit only the packets listed below, and then click OK.
30. Under IPv4, click Output Filters, and then click New.
31. In the Add IP Filter dialog box, select Source network.
32. In the IP address box, type 172.16.0.10.
33. In the Subnet mask box, type 255.255.255.255, and then click OK.
34. Click Permit only the packets listed below, and then click OK.
35. On the Configure Settings page, click Next.
36. On the Completing New Network Policy page, click Finish.

Deliverable 2. Take a screenshot showing the policies created.


► Task 4: Configure Connection Request Policies for VPN

1. Click Connection Request Policies.
2. Disable both of the default Connection Request policies that are found under Policy Name by right-clicking each of the policies, and then clicking Disable.
3. Right-click Connection Request Policies, and then click New.
4. On the Specify Connection Request Policy Name And Connection Type page, in the Policy name box, type VPN connections.
5. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.
6. On the Specify Conditions page, click Add.
7. In the Select Condition dialog box, double-click Tunnel Type, and then select PPTP, SSTP, and L2TP. Click OK, and then click Next.
8. On the Specify Connection Request Forwarding page, verify that Authenticate requests on this server is selected, and then click Next.
9. On the Specify Authentication Methods page, select the Override network policy authentication settings check box.
10. In the EAP Types area, click Add.
11. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
12. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
13. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
14. Verify that Enforce Network Access Protection is selected, and then click OK.
15. Click Next twice, and then click Finish.


Deliverable 3. Take a screenshot showing the connection request policies.

Results: After this exercise, you should have installed and configured the required Network Access Protection (NAP) components, created the health and network policies, and created the connection request policies.


EXERCISE 2: Configuring VPN access

Scenario

After configuring NAP, you must configure a VPN server and then allow the ICMP protocol through the firewall for testing purposes.

The main tasks for this exercise are as follows:
  • Configure a VPN server
  • Allow PING for testing purposes

► Task 1: Configure a VPN Server

1. On LON-RTR, click Start.
2. Click Administrative Tools, and then double-click Routing and Remote Access. If prompted, at the Enable DirectAccess Wizard dialog box, click Cancel, and then click OK.
3. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.
4. In the Disable Routing and Remote Access dialog box, click Yes.
5. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.
6. Click Next, ensure that the Remote access (dial-up or VPN) option is selected, and then click Next.
7. Select the VPN check box, and then click Next.
8. Click the network interface named Internet. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.
9. On the Network Selection page, click Next.
10. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
11. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address, and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
12. On the Managing Multiple Remote Access Servers page, verify that No, use Routing and Remote Access to authenticate connection requests is selected, and then click Next.
13. Click Finish.
14. Click OK three times, and then wait for the Routing and Remote Access Service to start.
15. Switch to Network Policy Server.
16. In the Network Policy Server, click Connection Request Policies, and, in the results pane, verify that the Microsoft Routing and Remote Access Service Policy is Disabled.

   Note: Click Action, and then click Refresh. If the Microsoft Routing and Remote Access Service Policy is enabled, right-click it, and then click Disable.

17. Close the Network Policy Server management console.


18. Close the Routing and Remote Access console.




► Task 2: Allow PING for Testing Purposes

1. On LON-RTR, click Start.
2. Click Administrative Tools, and then double-click Windows Firewall with Advanced Security.
3. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
4. Select Custom, and then click Next.
5. Verify that All programs is selected, and then click Next.
6. Next to Protocol type, select ICMPv4, and then click Customize.
7. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
8. Click Next to accept the default scope.
9. In the Action window, verify that Allow the connection is selected, and then click Next.
10. Click Next to accept the default profiles.
11. In the Name window, in the Name box, type ICMPv4 echo request, and then click Finish.
12. Close the Windows Firewall with Advanced Security console.

Deliverable 4. Take a screenshot showing the rule created.
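The same inbound rule created with the NetSecurity cmdlets instead of the wizard, as an added example that is not part of the lab guide. It goes one step beyond the lab: where step 8 accepts the default (any) scope, the -RemoteAddress value below is an assumed hardening that limits the rule to the VPN client pool 172.16.0.100-172.16.0.110 assigned in Task 1.

```powershell
# Added example (not from the lab guide): Exercise 2, Task 2 on LON-RTR,
# run from an elevated PowerShell prompt.

$ruleName = 'ICMPv4 echo request'

# ICMPv4 type 8 is Echo Request, the entry selected under "Specific ICMP
# types" in step 7. The lab accepts the default scope; restricting the
# remote address to the RRAS client pool is an added choice so that only
# remote-access clients can ping the router during testing.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound `
    -Protocol ICMPv4 `
    -IcmpType 8 `
    -RemoteAddress '172.16.0.100-172.16.0.110' `
    -Profile Any `
    -Action Allow

# Verify what was created: protocol and ICMP type live in the port filter,
# the scope in the address filter.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter

# The rule exists only for testing; remove it when the tests are done.
# Remove-NetFirewallRule -DisplayName $ruleName
```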

Results: After this exercise, you should have created a VPN server and configured inbound communications.


EXERCISE 3: Configuring the client to support NAP

Scenario

You must enable a VPN client to connect to the Adatum network. You need to enable and configure the NAP client requirements.

The main tasks for this exercise are as follows:
  • Enable a client NAP enforcement method
  • Establish a VPN connection

► Task 1: Enable a Client NAP Enforcement Method

1. Switch to the LON-CL2 computer.

2. Right-click Start, and then click Command Prompt.
3. At the command prompt, type MMC, and then press Enter.
4. In the MMC labeled Console1, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins window, click NAP Client Configuration, click Add, and then click OK.
6. In the Add or Remove Snap-ins window, click OK.
7. In Console1, in the navigation pane, click Enforcement Clients.
8. In the results pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
9. Close Console1.
10. Switch to the Command Prompt window, type Services.msc, and then press Enter.
11. In Services, in the results pane, double-click Network Access Protection Agent.
12. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic.
13. Click Start, and then click OK.
14. Press the Windows key, and then press the R key to display the Run window.
15. In the Run window, type gpedit.msc, and then press Enter.
16. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Security Center.
17. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
18. Close the console window.
19. Close the Services console, and then close the Administrative Tools and System and Security windows.
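The same client settings applied from an elevated PowerShell prompt on LON-CL2, as an added example that is not part of the lab guide. Assumptions: the EAP Quarantine Enforcement Client is identified to netsh by ID 79623, the NAP Agent service name is napagent, and the "Turn on Security Center (Domain PCs only)" policy is backed by the SecurityCenterInDomain registry value shown below.

```powershell
# Added example (not from the lab guide): Exercise 3, Task 1 on LON-CL2.

# 1. Enable the EAP quarantine enforcement client (steps 3-9 above).
#    79623 is assumed to be the netsh ID of the EAP Quarantine Enforcement
#    Client; "netsh nap client show config" lists the IDs if in doubt.
netsh nap client set enforcement ID=79623 ADMIN=ENABLE

# 2. Set the Network Access Protection Agent to start automatically and
#    start it now (steps 10-13 above).
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Security Center must run on domain-joined clients so the Windows
#    Security Health Agent can report the firewall state. This registry
#    value is assumed to be what the local policy "Turn on Security Center
#    (Domain PCs only)" writes (steps 14-18 above).
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
if (-not (Test-Path -Path $scKey)) {
    New-Item -Path $scKey -Force | Out-Null
}
Set-ItemProperty -Path $scKey -Name SecurityCenterInDomain -Value 1 -Type DWord

# 4. Verify: the agent is running with automatic start, and the enforcement
#    client shows as enabled.
Get-CimInstance -ClassName Win32_Service -Filter "Name='napagent'" |
    Select-Object Name, State, StartMode
netsh nap client show state
```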


► Task 2: Establish a VPN Connection

1. On LON-CL2, right-click the Start menu, click Control Panel, and then click Network and Internet.

2. Click Network and Sharing Center.
3. Click Set up a new connection or network.
4. On the Choose a connection option page, click Connect to a workplace, and then click Next.
5. On the How do you want to connect page, click Use my Internet connection (VPN).
6. Click I'll set up an Internet connection later.
7. On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.
8. In the Destination name box, type Adatum VPN.
9. Select the Allow other people to use this connection check box, and then click Create.
10. In the Network and Sharing Center window, click Change adapter settings.
11. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
12. Under Authentication, click Use Extensible Authentication Protocol (EAP).
13. In the Use Extensible Authentication Protocol (EAP) list, select Microsoft: Protected EAP (PEAP) (encryption enabled), and then click Properties.
14. Clear the Verify the server's identity by validating the certificate check box.
15. Clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box.
16. Click OK twice to accept the settings.
17. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.
18. In the Networks list on the right, click Adatum VPN, and then click Connect.
19. In Network Authentication, in the User name box, type Adatum\Administrator.
20. In the Password box, type Pa$$w0rd, and then click OK.
21. Right-click Start, click Run, type cmd.exe, and then press Enter.
22. At the command prompt, type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Not Restricted.
23. At the command prompt, type ping 172.16.0.10, and then press Enter. This should be successful. The client now meets the requirement for virtual private network (VPN) full connectivity.
24. Switch to Network Connections.
25. Right-click Adatum VPN, and then click Connect/Disconnect.
26. In the Networks list on the right, click Adatum VPN, and then click Disconnect.
27. Switch to LON-RTR.
28. In Administrative Tools, double-click Network Policy Server.


29. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
30. In the right pane, under Name, double-click Default Configuration.
31. On the Windows 8/Windows 7/Windows Vista tab, select the Restrict access for clients that do not have all available security updates installed check box, and then click OK.
32. Switch to LON-CL2.
33. Right-click Adatum VPN, and then click Connect/Disconnect.
34. In the Networks list on the right, click Adatum VPN, and then click Connect.
35. Switch to the command prompt.
36. Type ipconfig /all, and then press Enter. View the IP configuration. System Quarantine State should be Restricted.
37. Switch to Network Connections.
38. Right-click Adatum VPN, and then click Connect/Disconnect.
39. In the Networks list on the right, select Adatum VPN, and then click Disconnect.

Deliverable 5. Take a screenshot showing the result of the tests performed.
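A scripted version of the connect, check and disconnect cycle in steps 17-26 and 33-39, as an added example that is not part of the lab guide. It assumes the "Adatum VPN" entry already exists with the PEAP settings from steps 11-16 (the script does not change them), that rasdial is available, and that ipconfig /all prints a "System Quarantine State" line on a NAP-enabled client, as steps 22 and 36 state.

```powershell
# Added example (not from the lab guide): Exercise 3, Task 2 on LON-CL2.

function Test-NapVpnAccess {
    param(
        [string]$Entry  = 'Adatum VPN',
        [string]$User   = 'Adatum\Administrator',
        [string]$Target = '172.16.0.10'   # the address pinged in step 23
    )
    # "*" makes rasdial prompt for the password, so it is neither stored in
    # the script nor left in the command history.
    rasdial $Entry $User *
    if ($LASTEXITCODE -ne 0) {
        throw "VPN connection '$Entry' failed (rasdial exit code $LASTEXITCODE)"
    }
    try {
        # Read the quarantine state the lab checks visually in steps 22 and 36.
        $stateLine = (ipconfig /all | Select-String 'System Quarantine State').Line
        $state = if ($stateLine -match ':\s*(.+)$') { $Matches[1].Trim() } else { 'unknown' }
        [pscustomobject]@{
            QuarantineState = $state
            PingSucceeded   = Test-Connection -ComputerName $Target -Count 2 -Quiet
        }
    } finally {
        # Always drop the tunnel, as steps 25-26 and 38-39 do.
        rasdial $Entry /disconnect | Out-Null
    }
}

# First run (WSHV checks only the firewall): expect QuarantineState
# "Not Restricted" and PingSucceeded True. After step 31 enables the
# security-updates check on LON-RTR, a second run is expected to report
# "Restricted".
Test-NapVpnAccess
```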


Results: After this exercise, you should have created a new VPN connection on LON-CL2, and have enabled and tested NAP on LON-CL2.

► Task 3: To Prepare for the Next Module

1. Revert the virtual machines to the snapshot created before starting the lab.

Conclusions: State the conclusions you reached after the topics covered in practice in this lab.

We conclude that we can use the DHCP service in NAP, which provides security and protection to our network and allows access to be restricted for external computers or attacks on the network, by configuring the policies, access, etc.
