Windows Server 2008 R2 Unleashed (208 page)

Server 2008 R2 contain three firewall profiles, including the domain profile, the private

profile, and the public profile. The domain profile remains the same, but the previous

standard profile has now been segmented into the private and public profiles. Any

network that is different from the domain network is initially categorized as an untrusted

network and the public firewall profile is activated. End users, with the appropriate rights,

can define a public network as a private network, which can then activate the private fire-

wall profile and the appropriate firewall rule set, which is likely to be less restrictive and

might allow the necessary traffic for the remote client to work correctly on the network

they are connected to. Windows Firewall design and configuration planning is a very

important task for Windows administrators to execute and should not be taken lightly.

Also, disabling firewalls in any profile is not recommended and is a poor approach to

enabling systems and applications to function on an organization’s network.

To allow Windows administrators to continue to manage and administer Windows server

and desktop systems remotely, certain firewall exceptions should be defined. Aside from

enabling Remote Desktop, as outlined in the previous section, remote administrators

might need to copy files to and from systems and utilize Microsoft Management Console

snap-ins such as Windows Server Backup, Event Viewer, Computer Management, and

many others from remote administrative workstations. To enable the Remote Desktop and

Remote Administration exceptions in the Windows Firewall using domain group policies,

perform the following steps:

Managing Computers with Domain Policies

1063

1. Log on to a designated Windows Server 2008 R2 administrative server.

2. If necessary, install the Group Policy Management Console on the system, as

detailed previously in this chapter.

3. After the tools are installed, click Start, click All Programs, click Administrative Tools,

and select Group Policy Management.

4. Add the necessary domains to the GPMC as required.

5. Expand the Domains node to reveal the Group Policy Objects container.

6. Either create a new GPO or edit an existing GPO.

7. After the GPO is opened for editing in the Group Policy Management Editor, expand

the Computer Configuration node, expand the Policies node, and select the

Administrative Templates.

8. Expand the Administrative Templates node, expand the Network node, expand the

Network Connections node, and select the Windows Firewall node. Configurations

made in this section apply to Windows XP, Windows Vista, Windows 7, Windows

Server 2003, Windows Server 2008, and Windows Server 2008 R2. However, for more

granular firewall configuration for Windows Vista and later operating systems, the

Windows Firewall with Advanced Security setting can be used.

9. In the tree pane, expand the Windows Firewall node to reveal the Domain Profile

ptg

node, and select it.

10. In the Settings pane, locate the setting named Windows Firewall: Allow Inbound

Remote Administration Exception, and double-click on it to open the setting for

editing.

11. In the Setting window, click the Enabled option button, and type in the network

27

from which inbound remote administration will be allowed. For this example,

consider an organization that utilizes the 10.0.0.0 network with a subnet mask of

255.0.0.0. This would be defined as 10.0.0.0/8 in the properties of this exception, as

shown in Figure 27.16. When finished, click OK to update the setting.

12. After the previous setting has been configured, back in the Settings pane, select the

Windows Firewall: Allow Inbound Remote Desktop Exceptions, and double-click on

it to open the setting for editing.

13. In the setting window, click the Enabled option button, and type in the network

from which inbound Remote Desktop connections will be allowed. When finished,

click OK to update the setting.

14. If necessary, repeat the process of configuring the inbound remote administration

and Remote Desktop exception in the standard profile to ensure that remote

management from the defined network will function regardless of which firewall

profile is currently activated on the client.

1064

CHAPTER 27

Group Policy Management for Network Clients

FIGURE 27.16

Enabling the Windows Firewall remote administration exception from the

ptg

10.0.0.0/8 network.

NOTE

If the network defined within a Windows Firewall exception is a common network, such

as 192.168.0.0/24, the configuration of these exceptions in the standard profile is

considered risky and should not be performed. Instead, work with the networking group

and VPN configurations to ensure that when users connect remotely to the network

from remote sites and through VPN connections, the system will always recognize and

apply the domain profile.

15. Back in the GPMC, link the new remote administration firewall exception GPO to an

OU with a computer that can be used to test the policy.

16. After the testing is completed, configure security filtering and possibly also WMI fil-

tering to limit the application scope of this policy and link it to the desired organiza-

tional unit(s).

Configuring Advanced Firewall Settings

Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 have a

new and improved firewall that enables administrators to define granular inbound and

outbound firewall rules and exceptions in the default firewall profiles. Even though the

Windows Firewall is enabled and active by default on Windows Server 2008 R2, when the

Add Roles Wizard is run and a role, role service, and/or feature is added to the Windows

Server 2008 R2 system, the necessary firewall exceptions are also configured as part of the

Managing Computers with Domain Policies

1065

process. This is a major advantage compared with what was included in Windows Server

2003. However, be aware that when adding additional applications or services (that are

not included with the product) to a Windows Server 2008 system, unless the installation

of that product also has a built-in feature to enable and configure the necessary exceptions

in the firewall, the exceptions will need to be defined and configured manually. When

custom firewall rules, exceptions, and changes to the default behavior and configuration

of the firewall profiles are required, the settings need to be defined using the Windows

Firewall with Advanced Security console. If these settings need to be defined using a

domain policy, access to these policy settings are included in the Computer

Configuration\Policies\Windows Security\Security Settings\Windows Firewall with

Advanced Security settings node. One advantage of using Windows Firewall with

Advanced Security is that when a system is configured manually and all of the necessary

exceptions and rules are defined within the firewall, these rules can be exported from the

firewall and imported into a domain policy and applied from the central location to all of

the desired servers. More information on the Windows Firewall is available in Chapter 13.

Configuring Windows Update Settings

Many organizations utilize the Internet services provided by Microsoft known as Windows

Update and Microsoft Update. The main difference between the two is that Microsoft

ptg

Update also includes updates for other products such as Microsoft Office, Microsoft

Exchange Server, Microsoft SQL Server, Microsoft Internet Security and Acceleration Server,

and many more. Starting with Windows XP and Windows Server 2003, all Windows

systems are now capable of downloading and automatically installing Windows updates

out of the box. To upgrade the Windows Update client to support updates for other

Microsoft applications through Microsoft Update, these machines might need to be

27

upgraded manually, upgraded using a GPO software installation, or upgraded using

Microsoft Windows Server Update Services (WSUS). A WSUS server can be configured to

update the client software automatically, which is the preferred approach. Depending on

whether the organization utilizes an internal WSUS server or wants to utilize the

Windows/Microsoft Internet-based services to configure these settings using group poli-

cies, the settings are located in the following sections:

. Computer Configuration\Policies\Administrative Templates\Windows

Components\Windows Update

. User Configuration\Policies\Administrative Templates\Windows

Components\Windows Update

For more information and recommendations on best practices for configuring Windows

Updates, please refer to the WSUS website located at www.microsoft.com/wsus and also

located at http://technet.microsoft.com/wsus.

Creating a Wireless Policy

Wireless networks are becoming more and more common in both public and private

networks. Many organizations are choosing to deploy secure wireless networks to allow for

flexible connections and communications for mobile users, vendors, and presentation

1066

CHAPTER 27

Group Policy Management for Network Clients

rooms. As a best practice, organizations commonly deploy wireless networks as isolated

network subnets with only Internet access or the ability to connect to the company

network via VPN. As wireless networks become more sophisticated and secure, the config-

uration of a wireless network on an end user’s machine becomes complicated. In an effort

to simplify this task, wireless network configurations can be saved on USB drives and

handed off to users to install and they can also be preconfigured and deployed to

Windows systems using domain policies. Group Policy wireless policies can be created for

Windows Vista or Windows XP compatible systems as each treats and configures wireless

networks differently. Windows 7 and Windows Server 2008 systems will use the Windows

Vista wireless policies. If defined in domain policies, these wireless network settings will

only be used if no third-party wireless network management software is installed and acti-

vated on the desired systems.

Wireless networks are commonly unique to each physical location, and the GPO-config-

ured wireless policies should be applied to systems in an Active Directory site or to a

specific location-based organizational unit that contains the desired computer accounts.

Furthermore, if the wireless policy GPO contains only Windows Vista workstations for the

wireless policy, WMI filtering should be applied to the GPO so that only Windows Vista,

Windows 7, and Windows Server 2008 systems process and apply the policy. To create a

wireless network for a Windows Vista, Windows 7, and Windows Server 2008 system using

a domain policy, perform the following steps:

ptg

1. Log on to a designated Windows Server 2008 R2 administrative server.

2. Click Start, click All Programs, click Administrative Tools, and select Group Policy

Management.

3. Add the necessary domains to the GPMC as required.

4. Expand the Domains node to reveal the Group Policy Objects container.

5. Create a new GPO called WirelessPolicyGPO and open it for editing.

6. After the WirelessPolicyGPO is opened for editing in the Group Policy Management

Editor, expand the Computer Configuration node, expand the Policies node and

select Windows Settings.

7. Expand Windows Settings, expand Security Settings and select Wireless Network

(IEEE 802.11) Policies.

8. Right-click Wireless Network (IEEE 802.11) Policies and select Create a New Wireless

Network Policy for Windows Vista and Later Releases. Because this is a new group

policy, this option appears, but if the group policy already has a wireless network

policy for Windows Vista and later releases, the Windows Vista policy will be avail-

able beneath the Wireless Network policy node.

9. When the New Wireless Network Policy window opens, type in an acceptable name

and description for the policy.

10. If Windows will manage the wireless network configuration and connection of the

Windows Vista systems, check the Use Windows WLAN AutoConfig Service for

Clients check box, if it is not already checked.