Internal circulation, 2010
TABLE OF CONTENTS
- STAND-ALONE ROOT CA
- ENTERPRISE CERTIFICATE AUTHORITY & KEY RECOVERY AGENT
- SECURE SOCKET LAYER & IP SECURITY
- EFS ON A WORKGROUP
- EFS ON A DOMAIN
- TRUST RELATIONSHIP
- SECURITY TEMPLATES
- MOVE ACTIVE DIRECTORY DATABASE
- PASSWORD SYSKEY
- MICROSOFT SECURITY BASELINE ANALYZER & SOFTWARE UPDATE SERVICE
- RADIUS
Stand-alone root CA
STAND-ALONE ROOT CA
I. Content
- Use certificates to encrypt email.

II. Preparation
- One Windows Server 2003 machine (stand-alone) configured as follows:
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
- Create 2 local user accounts, U1 and U2.
- Install MDaemon (mail server program):
+ domain name: congty.com
+ create 2 mailboxes with username/password U1/123 and U2/123
- Log on as U1 → set up Outlook Express → send a mail to yourself.
- Log on as U2 → set up Outlook Express → send a mail to yourself.

Installing MDaemon and basic configuration of the mail management program on the server

a. Install MDaemon6
- Insert the SoftsQTM.iso CD-ROM into the CD drive.
- Browse to the MDaemon6 folder and run Mdaemon6.exe to install the mail management program.

c. Enter the MDaemon administrator's information: Full name: the full name; Mailbox: the mailbox name; Password: the administrator's password → click Next → Next. Afterwards, remember to run keygen.exe to obtain the serial number.

d. Set the domain information for MDaemon: open the menu Setup → Primary Domain → edit the Domain name and Domain IP fields as shown in the figure → Apply → OK

e. Create a mailbox for U1: open the menu Account → New Account → enter Full Name, Mailbox name, Account Password → OK. Check where U1's mailbox is stored by clicking the Mailbox tab, and note this path.

III. Procedure
1. U1 sends a mail to U2 (unencrypted), the admin modifies U2's mail, and U2 does not detect it
a. Log on as U1; U1 sends a mail to U2.

b. Administrator modifies U2's mail
- Log on as Administrator.
- In Windows Explorer, open C:\Mdaemon\Users\congty.com\U2
- Edit the file md5xxxxxxxxxxxx.msg (add the text 123 to the body of the email).
2. Install the Stand-alone Root CA
a. Install ASP.NET:
- Log on as Administrator.
- Click Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components → Application Server → Details → ASP.NET → OK → Next.

b. Install the Stand-alone root CA: Click Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components → Certificate Services → Next → Stand-alone root CA → Next → Common Name for this CA: CongTy → accept the default values → choose Yes when asked: Do you want to enable Active Server Page now?

3. Users request certificates to encrypt email
a. User U1 requests a certificate:
- Log on as U1.
- Open IE → in the Address bar type http://localhost/certsrv → Request a certificate → E-mail Protection Certificate → Name: U1, Email: u1@congty.com → click Submit
- Choose Yes.

b. U2 requests a certificate
- Log on as U2.
- Proceed in the same way as above.

c. Administrator issues the certificates for U1 and U2
- Log on as Administrator.
- Click Start → Administrative Tools → Certification Authority → CongTy → Pending Requests → select the 2 certificates → right-click → All Tasks → Issue
- Double-click U1's certificate and review the information on the General tab.
- Review the information on the Details tab.
d. Install U1's certificate
- Log on as U1.
- Click Start → Run → type http://localhost/certsrv → View the status of a pending certificate request → E-Mail Protection Certificate → Install this certificate

f. U2 sends a signed mail to U1
- Open Outlook Express.
- Compose a new mail → To: u1@congty.com
- Click Sign, then click Send.

g. Administrator modifies U1's mail
- Log on as Administrator.
- Open Windows Explorer → C:\Mdaemon\Users\congty.com\U1
- Edit the file md5xxxxxxxxxxxx.msg (add the text 123 to the body of the email).
- Click Open Message → U1 can still read the mail but knows that the mail has been modified.
- U1 right-clicks the sender U2 in the From field and chooses Add to Address Book to save U2's information in his Contact List.

i. U1 sends a signed and encrypted mail to U2
- Start Outlook Express.
- Compose a new mail and click the Address Book icon.
- Click U2 → click To → OK

j. Administrator modifies the mail U1 sent to U2
- Log on as Administrator.
- Open Windows Explorer → C:\Mdaemon\Users\congty.com\U2
- Edit the file md5xxxxxxxxxxxx.msg

k. U2 checks mail
- Log on as U2.
- Open Outlook Express → U2 cannot read the mail.
d. Make user U1 a member of the Print Operators group (so that U1 has the right to log on locally to the domain controller).

2. Install and configure the mail server (as instructed in the previous lab)
a. Install MDaemon6.
b. Declare the domain: in the MDaemon6 window → menu Setup → Primary domain → enter the domain name and HELLO domain (e.g. congty.com) → enter Domain IP: 192.168.0.1
c. Create a mailbox for user U1: in the MDaemon6 window → menu Accounts → New account → enter Full name: Doremon, Mailbox name: U1, Password: 123

3. Create, test and configure U1's mail account: log on as U1
a. Create a mail account for U1 in Outlook Express. Enter Full name: Doremon, Email address: U1@congty.com, Password: 123. Note: use the server's IP address 192.168.0.1 for the configuration.

c. Configure a copy of U1's mail to be kept on the mail server: in Outlook Express → menu Tools → Accounts → Mail tab → select U1's mailbox → Properties → Advanced tab → tick Leave a copy

b. Install the Enterprise Root CA CongTy: click Start → Settings → Control Panel → Add or Remove Programs → Add/Remove Windows Components → select Certificate Services. (Note: choose Enterprise Root CA and Enable Active Server Page.)

2. Issue a certificate to the user. The user uses the certificate to sign and encrypt mail:
a. Log on as U1 and request a certificate: open IE and enter the address http://localhost/certsrv → Request a certificate → User certificate → Submit → Install this certificate → Yes

b. Check U1's certificate: Start → Run → type mmc → in the console, choose menu File → Add/Remove Snap-in → Add → select Certificates → Add → Close. Save the console on the desktop as U1_Cert.msc

3. User exports the key
Open the console U1_Cert.msc saved in step 2b. Right-click U1's certificate and choose All Task → Export

In the Certificate Export Wizard dialog, choose Yes, Export Private key → Next → choose Personal Info and Enable Strong → Next → enter password: 123, confirm password: 123 → Next → click Browse, create the folder C:\CertKey and name the file doremon.pfx → Next → choose Place all certificates: Personal → Next → Finish

4. Simulate a lost key
a. Log on as Administrator → delete user U1's profile
- Right-click My Computer → Properties → Advanced → under User Profiles click Settings → select U1's profile and choose Delete.
b. Log on as U1 and look again at the mail that was previously signed and encrypted.

5. User imports the key
a. Log on as U1, re-create the console U1_cert (see 2b), and use the certificate console to import the key from the pfx file.
Click Next and enter the password 123, then click Next and Finish to restore the certificate.
II. Preparation: same as part 1

III. Procedure
1. Install the Enterprise Root CA: same as part 1
2. Administrator creates a Key Recovery Agent (KRA)
a. Create a new certificate template by adjusting an existing certificate template and assigning usage rights to users.
- Log on as Administrator.

Instructor: Đào Quốc Phương, M.Sc.

- Click Start → Programs → Administrative Tools → Certification Authority → right-click Certificate Template → Manage
- On the General tab, enter Template display name and Template name: UserVersion2
- On the Request handling tab, select the option Archive subject's encryption private key
- On the Security tab, grant the 2 groups Authenticated Users and Domain Users the permissions Read, Enroll and Autoenroll → Apply → OK. Close the Certificate Template program.

b. Publish the new certificate templates: KRA and UserVersion2
Return to the Certificate Authority program. Right-click Certificate Template → New → Certificate Template to Issue. Select the 2 templates Key Recovery Agent and UserVersion2 → OK

c. Create the KRA: open IE and enter the address http://localhost/certsrv → Request a certificate → advanced certificate request → Create and submit a request to this CA

Issue the certificate for the KRA: Start → Programs → Administrative Tools → Certification Authority → open Pending Requests → select the certificate → right-click → All Tasks → Issue, and check the result under Issued Certificates.

d. KRA installs the certificate: open IE and enter the address http://localhost/certsrv → View the status of a pending certificate request → Key Recovery Agent Certificate → Install this certificate → Yes

Start → Programs → Administrative Tools → Certification Authority → right-click the root CA and choose Properties; on the Recovery Agents tab, select the option Archive the key and click Add.

3. User uses the certificate to sign & encrypt mail
a. User requests an enterprise certificate:
- Log on as U1 and proceed as in part 1, but choose the certificate template UserVersion2 that the Admin has just created.
- Open IE and enter the address http://localhost/certsrv → Request a certificate → advanced certificate request → Create and submit a request to this CA

b. User uses the certificate to sign and encrypt mail (same as 2c in part 1)
- U1 sends a signed and encrypted mail to himself.

4. Simulate a lost certificate
a. Log on as Administrator. Delete user U1's profile.
b. Log on as U1 and look again at the mail that was previously signed and encrypted.

5. The Key Recovery Agent recovers the key for the user
- Log on as Administrator.
a. Copy the serial number of user U1's certificate, which is still stored at the root, and paste it into a text file. Remove the spaces and copy it to the clipboard again.
Start → Programs → Administrative Tools → Certification Authority → open Issued Certificates → select U1's certificate → right-click → Open
Select the Detail tab → select Serial number → highlight the number shown below and copy it into a text file, remove the spaces, and copy it to the clipboard once more.

b. Save user U1's archived key to a *.pfx file:
- In a command-line window, enter: certutil -getkey [serial number] abc.pfx (paste the serial number in)

c. Recover user U1's key into a *.pfx file:
- In a command-line window, enter: certutil -recoverkey abc.pfx doremon.pfx (no password needs to be entered)

d. User imports the key:
- Log on as U1.
- Use the certificate console to import the key from the pfx file, and look again at the mail that was previously signed and encrypted.
b. Install the Enterprise Root CA CongTy: click Start → Settings → Control Panel → Add or Remove Programs → Add/Remove Windows Components → select Certificate Services. (Note: choose Enterprise Root CA and Enable Active Server Page.)

<html>
<head>
<title>Welcome to My Web page ^_^</title>
</head>
<body>
<marquee>
<h1>My name is Quoc Phuong</h1>
</marquee>
</body>
</html>

III. Procedure
1. Verification: access the default web site over HTTP and then HTTPS
- Enter the address in IE: http://localhost: the web page is displayed normally.
- Enter the address in IE: https://localhost: the web page cannot be displayed.

a. Open the IIS Properties:
- Start → Programs → Administrative Tools → Internet Information Services (IIS) Manager → right-click Default Web Site → Properties

b. Request a certificate:
- On the Directory Security tab choose Server Certificate → Next → choose Create a new certificate → Next → choose Send the request immediately → Next → enter the requested information → set the SSL port to 443 → Finish

3. Access the default web site over HTTPS:
- Enter the address in IE: https://localhost; the system shows a warning → choose Yes → the web page is displayed normally.
PART 2: IP SECURITY

I. Content
- Use certificates as the key for encrypting data in transit.

II. Preparation
- System requirements: 02 Windows Server 2003 Enterprise machines
- Check connectivity with the PING command against the LAN card's IP.
- On both machines, change the administrator password to 123.
- Odd-numbered machine (PC1):
+ IP Address: 192.168.5.1
+ Subnet mask: 255.255.255.0
- Even-numbered machine (PC2):
+ IP Address: 192.168.5.2
+ Subnet mask: 255.255.255.0
- The even-numbered machine has ASP.NET & the Stand-alone root CA installed.

III. Procedure
1. Request certificates for the 2 computers:
a. The odd-numbered machine adds to its trusted sites list:
- In IE choose menu Tools → Internet Options
- Under Add this Web site to the zone, enter http://[IP of the even-numbered machine]/certsrv → clear Require server certification → click Add → Close → OK

b. Both machines request a certificate
- Odd-numbered machine: in IE, enter the address http://[IP of the even-numbered machine]/certsrv
- Even-numbered machine: in IE, enter the address http://localhost/certsrv
- Both machines: choose Request a certificate → Advanced certificate request → Create and submit a request to this CA → fill in the required information
- Note: under Type of Certificate Needed, choose Client Authentication Certificate; tick Store certificate in the local computer certificate store
- Submit
- Even-numbered machine: Start → Programs → Administrative Tools → Certification Authority. In the Certification Authority window, select Pending Request → right-click each request in turn → All Tasks → Issue

d. Both machines install the certificate:
- Both machines reopen the certificate request web page → choose View the status of a pending request → click Authentication Certificate → Install this certificate

e. Both machines create the console PC_cert:
- Start → Run → mmc → menu File → Add / remove snap-in → Add → Certificates → choose Computer account → choose Local computer
- In the console, choose menu File → Save as → save the console on the Desktop as PC_Cert

Note: the certificate on the odd-numbered machine currently shows an error.

- In the console PC_Cert (created in step e): select Trusted Root Certificate Authorities → right-click Certificates → All Tasks → Import
- Choose Place all certificates in the following stores: Trusted Root Certificate Authorities → Finish

2. Create an IPSec Policy on the 2 machines (both machines do the same):
a. Create the IPSec console:
- Start → Run → type mmc → Add / Remove snap-in → Add → select in turn IP Security Policy Management for Local Computer and Services for Local Computer → save the console on the Desktop as IPSec.msc.

b. Create a new IPSec policy:
- In the IPSec console → right-click IP Security Policy Management → Create IP Security Policy → Next → name the policy: IPSec by Cert → Next → clear Activate the default → Next → clear Edit properties → Finish
- In the Tunnel Endpoint dialog choose This rule does not specify a tunnel → Next
- Back in the Authentication Method dialog → Next → Finish → back in IPSec by Cert Properties → OK

d. Assign the policy and restart the services
- In the IPSec console → right-click IPSec by Cert → Assign
- Also in the IPSec console → select Services → right-click IPSec Services → Restart

3. Verify the encryption process:
- On the command line of the even-numbered machine, enter PING [IP of the odd-numbered machine] -t
II. Preparation
- 1 machine running Windows XP
- Create 1 username and password: u1/123
- Log on as this user and create the folder C:\TestEFS

d. In the TestEFS Properties screen → Advanced → in the Advanced Attributes screen → tick Encrypt contents to secure data → OK → Apply → OK

f. Double-click the Certificate_u1 icon on the desktop → there is now 1 certificate for U1 under Certificates in Personal.

3. Admin creates a Recovery Agent
a. Log on as Administrator, go to Start → Run → cmd
b. At the Command Prompt, type the following commands:
CD\
MD ABC
CD ABC
In ABC, type the command cipher /r:filename (e.g. cipher /r:local_recover) and press Enter. The program creates 2 files, .CER and .PFX.

4. Apply the policy so that the Recovery Agent can read encrypted files
a. Log on as Administrator, go to Start → Run → type gpedit.msc → OK
b. Select Computer Configuration → Windows Settings → Security Settings → Public Key Policies → right-click Encrypting File System → choose Add Data Recovery Agent
c. The Welcome screen appears → Next. In the Select Recovery Agents screen → choose Browse Folders
e. In the Select Recovery Agents screen → Next
f. In the Completing the Add Recovery Agent Wizard screen → Finish
- Go to the Command Prompt and type gpupdate /force
g. Go to Start → Run → type mmc → OK → in the Console1 screen → menu File → Add / Remove Snap-in → Add → Certificates → choose My user account → Finish → OK
j. The Welcome screen appears → Next. Browse to the folder C:\ABC → select the file with the key icon (with the extension *.pfx)
l. In the Password screen, choose Mark this key as exportable → Next → Finish

6. Test the Recovery Agent function
a. Admin opens the file u2.txt → it opens.
b. Admin opens the file u1.txt → it cannot be opened.
c. Log on as U1, open the file u1.txt, then close it.
d. Log on as Administrator and open the file u1.txt again.
Create the file C:\TestEFS\u2.txt

b. After the file has been encrypted, right-click u2.txt → Properties → Advanced → Details

c. In the Encrypt Detail screen, the section Data Recovery Agents For This File As Defined By Recovery Policy lists Administrator → the Admin will be able to read the file that u2 encrypted (Default). Click OK to exit.

d. Go to Administrative Tools → right-click Certification Authority → choose Run as → Username/password: Administrator/123

e. In the Issued Certificates folder, the only entry is the certificate u2 requested for itself for encryption → exit the Certificate Authority screen without saving.

2. Log on as Administrator and open the file C:\TestEFS\u2.txt → it opens → conclusion: in a Domain environment, the Administrator is the Recovery Agent by default.
Trust Relationship
TRUST RELATIONSHIP
I. Purpose
- Allow domains that do not belong to the same forest to make use of each other's authentication.

II. Preparation
- 2 machines acting as Domain Controllers, with the IP addresses given in the table below
- The odd-numbered machine (PC1) hosts the domain saigon.vn. Create 1 alias named www.saigon.vn
- The even-numbered machine (PC2) hosts the domain hanoi.vn. Create 1 alias named www.hanoi.vn
- Change the Administrator password on the 2 machines.
- On the odd-numbered machine (PC1), create username: doremon, password: 123
- On the even-numbered machine, create and share the folder C:\Public Folder
- Set the time on the 2 machines to be the same.

PC1 (saigon.vn): IP 192.168.5.1/24, DNS 192.168.5.1
PC2 (hanoi.vn): IP 192.168.5.2/24, DNS 192.168.5.2

1. Configure a DNS Forwarder so that the two domains can resolve each other's names. Carry out the following steps on PC1 (domain saigon.vn)

a. Start → Administrative Tools → DNS → in the DNS console → right-click the computer name (PC1) → Properties

d. On this screen, keep hanoi.vn highlighted and enter the domain's IP address under Selected domain: 192.168.5.2 → Add → OK

f. After completing the configuration on the domain hanoi.vn, return to PC1 and run nslookup to check name resolution in both directions between the domains (see the figure).

a. Still on PC1, go to Administrative Tools → Active Directory Domain and Trusts; the screen shown in the figure appears. Right-click the domain (saigon.vn) → Properties

c. The Welcome screen appears → Next. In the Trust Name screen, enter the NETBIOS name of the other domain (e.g. hanoi.vn). Then click Next.

In the Sides of Trusts screen, choose Both this domain and the specified domain → Next

f. In the Trust Selection Complete screen → Next
g. In the Trust Creation Complete screen → Next
h. In the Confirm Outgoing Trust screen, choose Yes, confirm the outgoing trust → Next
i. In the Confirm Incoming Trust screen, choose Yes, confirm the incoming trust → Next
l. Note: restart both domain machines.

3. Test:
- Grant a user in the domain saigon.vn permission to use the shared folder in the domain hanoi.vn
a. Open Windows Explorer, select drive C:, right-click Public Folder → select the Security tab → Add
Security Templates
SECURITY TEMPLATES
I. Content
- Apply Security Templates to each Server and corresponding OU to increase the security of the whole computer network.

II. Preparation
- 1 Win2K3 machine already promoted to domain controller.
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
+ Domain name: congty.com
- Copy the file Windows Server 2003 Security Guide.rar to drive C:\ and extract it.

III. Procedure
1. Create an OU structure that matches each type of Server
Start → Run → type dsa.msc → right-click congty.com → New → Organizational Unit.
Create the OUs one by one as shown in the figure.

2. Create a Group Policy and apply the security template at the Domain Root
a. Go to Start → Programs → Administrative Tools → open Active Directory Users and Computers
b. In Active Directory Users and Computers → right-click CongTy.com → choose Properties → go to the Group Policy tab → choose New → name the new Group Policy Domain Policy
d. In the Group Policy Object Editor window → go to Computer Configuration → Windows Settings → Security Settings → right-click Security Settings → choose Import Policy → in the Import Policy From window, under Look in, browse to C:\Windows Server 2003 Security Guide\Tools and Templates\Securiry Guide\Security Templates → select the file Enterprise Client Domain → Open

b. In Active Directory Users and Computers → right-click the OU Domain Controller → choose Properties → go to the Group Policy tab → choose New → name the new Group Policy Domain Controller Policy
c. In the Domain Controller Properties window → select Domain Controller Policy → choose Edit
d. In the Group Policy Object Editor window → go to Computer Configuration → Windows Settings → Security Settings → right-click Security Settings → choose Import Policy → in the Import Policy From window, under Look in, browse to C:\Windows Server 2003 Security Guide\Tools and Templates\Securiry Guide\Security Templates → select the file Enterprise Client Domain Controller → Open
b. In the Welcome to the Backup or Restore Wizard window → clear Always start in wizard mode → choose Advanced Mode

c. In the Backup Utility window → tick System State → type E:\SSD.bkf in Backup media or file name (saves the backup file SSD to drive E:\) → choose Start Backup → in the Backup Job Information window → choose Start Backup.

d. When the Backup finishes → go to E:\ → check that the file SSD.bkf exists.

3. Move the AD Database
a. Restart the machine, press F8, and select the boot mode Directory Service Restore Mode (if the machine has several Windows installations, select the Windows whose Directory is to be moved → log on).

d. When the file maintenance prompt appears in CMD → type the command move DB to C:\SecureDATA → Enter (the system starts moving

e. When it completes, the file maintenance: prompt appears in CMD → type the command quit

4. Check the path that holds the Active Directory Database
a. After completing part 3 → restart the machine into Windows in normal mode.
b. Log on as Administrator → go to C:\SecureDATA → check that the files edb.chk; ntds.dit; temp.edb are present.
c. Go to C:\WINDOWS\NTDS → the files edb.chk; ntds.dit; temp.edb are no longer there.
Password Syskey
PASSWORD SYSKEY
I. Content
- Create a password for a Workstation computer system or for the Active Directory Database of a Domain Controller, in order to strengthen security and guard against tools that guess the Administrator password by brute force.

b. Restart the machine → at startup a window asks for the Syskey password → enter the password 123
+ PC1 acts as the SUS Server and PC2 as the Client (PC2 may run Windows XP)
+ The 2 files SUS10SP1.exe and MBSASetup-en.msi are on the SoftsQTM.iso disc

III. Procedure
1. Install MBSA (carried out on PC1):
- Insert the SoftsQTM.iso disc into the CD-ROM drive.
a. Run the file MBSASetup-en.msi → in the Welcome window choose Next → in the License Agreement window choose I accept the license agreement → Next
b. In the Destination Folder window → leave the default → choose Next → in the Start Installation window → choose Install → Finish
c. Open the Microsoft Baseline Security Analyzer 1.2 icon on the desktop → in the Microsoft Baseline Security Analyzer window → choose Scan more than one computer
d. In the Pick multiple computers to scan window → under IP address range → enter the IP address of PC1 to the IP of PC2 (e.g. 192.168.5.1 to 192.168.5.2) → choose Start Scan → the program starts scanning for security weaknesses.
e. When the scan completes → in the View security report window → items marked with a red X are the parts with security problems → to see details choose How to correct this

a. Go to Control Panel → Add or Remove Programs → Add / Remove Windows Components → in Add / Remove Windows Components, open Detail for Application Server → in Application Server, tick Internet Information Services (IIS) → OK → Next → Finish
c. In the End-User License Agreement window → choose I accept the License Agreement → Next → in the Choose setup type window → choose Typical
d. In the Ready to install window → choose Install → when the installation completes → choose Finish → in the Software Update Service window → choose Set option in the left pane.
e. In the set options pane on the right → under Select which server to synchronize content from → choose Synchronize directly from the Microsoft Windows Services servers → under Select Where you want to store updates → choose Save the updates to a local folder → in the list of languages, clear everything → select only English → choose Apply
f. In Software Update Services → choose Synchronize server → in the Synchronize server window → choose Synchronization Now → the system starts synchronizing data with the Microsoft Update site.

a. Go to Start → Run → type gpedit.msc → in the Group Policy Object Editor window → go to Computer Configuration → Administrative Templates → Windows Update
b. In Windows Update → open the policy Configure Automatic Updates → in the Configure Automatic Updates Properties window → choose Enabled → under Configure Automatic Updating → choose 4 Auto download and schedule the install → OK
c. Open the policy Specify intranet Microsoft update service location → choose Enable → enter http://IP address of PC1 (e.g. http://192.168.5.1) in the 2 boxes Set the intranet update service for detecting updates and Set intranet statistics server → OK → close all open windows → go to Start → Run → type gpupdate /force
Radius
RADIUS
I. Purpose
- Use RADIUS to authenticate remote users who connect through VPN.

II. Preparation
- 3-machine model: the IP addresses are declared as in the table below
- PC2 joins the domain through the CROSS network card.
- Create the group VPN_group and the user vpn_client (password: 123). Allow this user to use remote access (allow access) and make it a member of VPN_group.

Domain machine (PC1) (RADIUS Server): IP 172.16.2.16/24, P.DNS 172.16.2.16
VPN Server (PC2) (RADIUS Client): IP 172.16.2.15/24, P.DNS 172.16.2.16; IP 192.168.2.15/24
VPN Client (PC3): IP 192.168.2.14/24

III. Procedure
1. Install IAS, then configure the RADIUS Server and the related parts (Register IAS in AD, Remote access policy)

a. Install IAS
- Go to Control Panel → Add or Remove Programs → Add / Remove Windows Components → Networking Services → click Details → tick Internet Authentication Service → OK.

d. The IAS screen appears. Right-click Internet Authentication Service (Local) → choose Register Server in Active Directory.
e. Click OK.
f. Click OK.

g. Declare the RADIUS Client (VPN Server).
- Right-click RADIUS Clients → New RADIUS Client
h. In Friendly-name, enter VPN Server. In Client address (IP or DNS), enter the IP of the VPN Server. In this case it is 172.16.2.15. Then click Verify.
j. On this screen, under Client Vendor, click the arrow and choose Microsoft. In Shared secret and Confirm shared secret type 123. Then click Finish.

k. Configure the Remote Access Policy
Right-click Remote Access Policies → New Remote Access Policy
l. The Welcome screen appears; click Next. On the next screen, keep the selected option. In Policy name, enter the name of the policy (e.g. VPNRADIUS). Then click Next.
r. In the Policy Encryption Level screen, keep only Strongest encryption → click Next and Finish.
s. Open Windows Explorer, go to drive C:, and create 1 folder named Public Folder. Then share this folder.

a. Log on to PC2 as Administrator. Go to Start → Administrative Tools → Routing and Remote Access
b. In the Routing and Remote Access screen, right-click the computer name (e.g. PC2) and choose Configure and Enable Routing and Remote Access
f. In the VPN connection screen → select the LAN card and clear Enable security on the selected → click Next
g. In the IP Address Assignment screen → choose From a specified range of address → Next
k. In the Managing Multiple Remote Access Server screen → choose Yes, setup this server to work with a RADIUS server. Click Next.
l. Enter the IP address of the RADIUS Server. In this case it is 172.16.2.16. In Shared secret, enter 123. When done, click Next.
m. During installation, the program displays a number of messages. Click OK to dismiss them.
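What the shared secret entered on PC1 (step j) and on PC2 (step l) is used for, shown as an added example that is not part of the original lab manual: the RADIUS client signs its Access-Request with a Message-Authenticator (RFC 3579) and checks the server's Response Authenticator (RFC 2865), both keyed by that secret. The packets are constructed in memory; the secret 123 and the user vpn_client come from the lab, everything else (function names, identifier 7, the Reply-Message text, the mismatched secret 124) is an assumption made for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 18, 80


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, user, secret):
    """RADIUS client (PC2): Access-Request ending in a Message-Authenticator."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator
    attrs = attr(USER_NAME, user) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    # HMAC-MD5 over the whole packet with the attribute value zeroed (RFC 3579).
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    return header + request_auth + attrs[:-16] + mac


def verify_access_request(packet, secret):
    """RADIUS server (PC1): recompute the Message-Authenticator and compare."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += a_len
    return False  # no Message-Authenticator present


def build_response(code, ident, attrs, request_auth, secret):
    """RADIUS server: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet, ident, request_auth, secret):
    """RADIUS client: accept a reply only if it matches our request and secret."""
    if len(packet) < 20:
        return False
    _code, reply_ident, length = struct.unpack("!BBH", packet[:4])
    if reply_ident != ident or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Run one constructed request/reply exchange and report each check."""
    secret = b"123"  # the lab's shared secret on PC1 and PC2
    request = build_access_request(7, b"vpn_client", secret)
    request_auth = request[4:20]
    reply = build_response(ACCESS_ACCEPT, 7, attr(REPLY_MESSAGE, b"ok"),
                           request_auth, secret)
    tampered = reply[:-1] + b"!"  # one attribute byte changed in transit
    return {
        "server accepts request": verify_access_request(request, secret),
        "server with other secret": verify_access_request(request, b"124"),
        "client accepts reply": verify_response(reply, 7, request_auth, secret),
        "client accepts tampered reply": verify_response(tampered, 7, request_auth, secret),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Both checks depend only on the shared secret, so a deployed IAS/RRAS pair should use a long random value rather than the lab's 123.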
We have just finished configuring PC2 as the VPN Server (RADIUS Client).

3. Create a VPN Connection to the VPN Server with the username and password provided by PC1
a. Right-click the My Network Places icon (on the Desktop) → Properties, then double-click Create a New Connection. The Welcome to screen appears. Click Next.
b. On this screen, choose Connect to the network at my workplace. Click Next.
c. On this screen, choose Virtual Private Network connection and click Next.
d. In Company Name, enter a descriptive name, e.g. VPN client. Click Next.
e. In the VPN Server Selection screen, enter the address of the VPN Server, 192.168.2.15. Click Next.
g. On this screen, tick Add a shortcut to this connection to my desktop. Click Finish.

h. Check the IP before connecting to the VPN Server
Go to Start → Run → cmd → enter ipconfig → we see only 1 IP address, that of the network card.

i. Test Connection
Double-click the newly created icon on the desktop → in Username, enter vpn_client → in Password, enter 123 → tick Save this → finally click Connect

j. The screens appear in turn as shown in the figure.

k. Once the connection succeeds, you will see 1 more icon (a picture of 2 computers) appear in the bottom right corner of the screen.
l. Check the IP after connecting: go to Start → Run → cmd → enter ipconfig → now, in addition to the IP address of the LAN card, there is also an IP address assigned by the VPN Server.