
NETWORK ADMINISTRATION 2

Student: ..............................  Class: ..............................

... Nothing is difficult; the only fear is a heart that does not persevere. Digging through mountains and filling in seas, with determination it will be done.

Internal circulation, 2010

Reference material

Windows Network Administration

TABLE OF CONTENTS
STAND-ALONE ROOT CA
ENTERPRISE CERTIFICATE AUTHORITY & KEY RECOVERY AGENT
SECURE SOCKET LAYER & IP SECURITY
EFS ON A WORKGROUP
EFS ON A DOMAIN
TRUST RELATIONSHIP
SECURITY TEMPLATES
MOVE ACTIVE DIRECTORY DATABASE
PASSWORD SYSKEY
MICROSOFT SECURITY BASELINE ANALYZER & SOFTWARE UPDATE SERVICE
RADIUS

Instructor: Đào Quốc Phương, MSc.


STAND-ALONE ROOT CA
I. Content
- Use certificates to encrypt e-mail.

II. Preparation
- One Windows Server 2003 machine (standalone) with the following settings:
  + IP Address: 192.168.0.1
  + Subnet mask: 255.255.255.0
  + DNS: 192.168.0.1
- Create 2 local user accounts, U1 and U2.
- Install MDaemon (mail server program):
  + domain name: congty.com
  + create 2 mailboxes with username/password U1/123 and U2/123
- Log on as U1 → set up Outlook Express → send a mail to yourself.
- Log on as U2 → set up Outlook Express → send a mail to yourself.

Installing MDaemon and basic configuration of the e-mail management program on the server

a. Install MDaemon6
- Insert the SoftsQTM.iso CD-ROM into the CD drive.
- Go to the MDaemon6 folder → run Mdaemon6.exe to install the e-mail management program.

b. Enter the DNS information → Next.

c. Enter the details of the MDaemon administrator:
  Full name: the full name
  Mailbox: the mailbox name
  Password: the administrator password
  → click Next → Next → Afterwards, remember to run keygen.exe to obtain the serial number.

d. Set the domain information for MDaemon: open the menu Setup → Primary Domain → edit the Domain name and Domain IP fields as shown in the figure → Apply → OK.

e. Create the mailbox for U1: open the menu Account → New Account → enter Full Name, Mailbox name, Account Password → OK. Check where U1's mailbox is stored by clicking the Mailbox tab, and note this path.

Do the same to create the mailbox for U2.

III. Procedure

1. U1 sends mail to U2 (unencrypted); the administrator modifies U2's mail and U2 does not notice

a. Log on as U1; U1 sends a mail to U2.

b. The administrator modifies U2's mail
- Log on as Administrator.
- In Windows Explorer, open C:\Mdaemon\Users\congty.com\U2.
- Edit the file md5xxxxxxxxxxxx.msg (add the text 123 to the body of the e-mail).

c. U2 checks mail
- Log on as U2 and check mail.

The mail has been modified without U2 knowing.

2. Install the Stand-alone Root CA

a. Install ASP.NET:
- Log on as Administrator.
- Click Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components → Application Server → Details → ASP.NET → OK → Next.

Note: finish installing ASP.NET before moving on to the next step.

b. Install the Stand-alone root CA: click Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components → Certificate Services → Next → Stand-alone root CA → Next → Common Name for this CA: CongTy → accept the default values → choose Yes when asked: Do you want to enable Active Server Page now?

3. The users request certificates for encrypting e-mail

a. User U1 requests a certificate:
- Log on as U1.
- Open IE → in the Address bar type http://localhost/certsrv → Request a certificate → E-mail Protection Certificate → Name: U1, Email: u1@congty.com → click Submit.
- Choose Yes.

b. U2 requests a certificate
- Log on as U2.
- Do the same as above.

c. The administrator issues the certificates for U1 and U2
- Log on as Administrator.
- Click Start → Administrative Tools → Certification Authority → CongTy → Pending Requests → select the 2 certificates → right-click → All Tasks → Issue.
- Select Issued Certificates → the 2 certificates issued to U1 and U2 are listed.
- Double-click U1's certificate and review the information on the General tab.
- Read the information on the Details tab.

Note the two lines Subject and Public key.

d. Install U1's certificate
- Log on as U1.
- Click Start → Run → type http://localhost/certsrv → View the status of a pending certificate request → E-Mail Protection Certificate → Install this certificate.

e. Install U2's certificate
- Log on as U2.
- Do the same as above.

f. U2 sends a signed mail to U1
- Open Outlook Express.
- Compose a new mail → To: u1@congty.com.
- Click Sign, then click Send.

g. The administrator modifies U1's mail
- Log on as Administrator.
- In Windows Explorer, open C:\Mdaemon\Users\congty.com\U1.
- Edit the file md5xxxxxxxxxxxx.msg (add the text 123 to the body of the e-mail).

h. U1 checks mail
- Log on as U1.
- Run Outlook Express and receive mail.
- Click Open Message → U1 can still read the mail but knows that it has been modified.
- U1 right-clicks the sender U2 in the From field and chooses Add to Address Book to save U2's details in the contact list.

i. U1 sends a signed and encrypted mail to U2
- Run Outlook Express.
- Compose a new mail and click the Address Book icon.
- Click U2 → click To → OK.
- Click Sign.
- Click Encrypt.
- Click Send.

j. The administrator modifies the mail U1 sent to U2
- Log on as Administrator.
- In Windows Explorer, open C:\Mdaemon\Users\congty.com\U2.
- Edit the file md5xxxxxxxxxxxx.msg.

k. U2 checks mail
- Log on as U2.
- Open Outlook Express → U2 cannot read the mail.
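
The effect seen in steps 1, 3f-3h and 3i-3k, as an added example that is not part of the original lab: appending 123 to a body is invisible on its own, fails verification once the body was signed, and makes an encrypted message unreadable. It assumes Windows with .NET Framework 4.6 or later; in-memory RSA keys stand in for the E-mail Protection certificates, RSA-OAEP is applied directly to a short body (S/MIME wraps a symmetric key instead), and all function names and the sample message are constructed.

```powershell
# Added illustration, not the lab's own code.
# In-memory RSA keys stand in for the users' certificates (assumption).
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
$utf8   = [System.Text.Encoding]::UTF8

function New-LabKeyPair {
    # Private key plus a public-only copy, which is all a certificate carries.
    $private = New-Object System.Security.Cryptography.RSACng 2048
    $public  = New-Object System.Security.Cryptography.RSACng
    $public.ImportParameters($private.ExportParameters($false))
    [pscustomobject]@{ Private = $private; Public = $public }
}

function Get-MessageSignature($PrivateKey, [string]$Body) {
    # The sender signs a hash of the exact bytes of the body.
    [Convert]::ToBase64String($PrivateKey.SignData($utf8.GetBytes($Body), $sha256, $pkcs1))
}

function Test-MessageSignature($PublicKey, [string]$Body, [string]$Signature) {
    # The recipient recomputes the hash and checks it against the signature.
    $PublicKey.VerifyData($utf8.GetBytes($Body),
        [Convert]::FromBase64String($Signature), $sha256, $pkcs1)
}

function Test-EncryptedMessageReadable($PrivateKey, [byte[]]$CipherText) {
    # Decryption of altered ciphertext throws; report that as "not readable".
    try   { $null = $PrivateKey.Decrypt($CipherText, $oaep); $true }
    catch { $false }
}

$u2 = New-LabKeyPair                      # plays U2 as signer, then as recipient

$body     = "Meeting moved to 9:00."      # constructed sample message
$tampered = $body + "`r`n123"             # the administrator's edit of the .msg file

# Step 1: without a signature there is nothing to compare the edited body to.
# Steps 3f-3h: U2 signs, the stored body is edited, U1 verifies.
$signature = Get-MessageSignature $u2.Private $body
$sigAsSent = Test-MessageSignature $u2.Public $body $signature
$sigEdited = Test-MessageSignature $u2.Public $tampered $signature

# Steps 3i-3k: the mail is encrypted to U2's public key, then the stored file is edited.
$cipher    = $u2.Public.Encrypt($utf8.GetBytes($body), $oaep)
$encAsSent = Test-EncryptedMessageReadable $u2.Private $cipher
$cipher[0] = $cipher[0] -bxor 0xFF        # any change to the stored ciphertext
$encEdited = Test-EncryptedMessageReadable $u2.Private $cipher

[pscustomobject]@{
    SignatureValidAsSent     = $sigAsSent
    SignatureValidAfterEdit  = $sigEdited
    CiphertextReadableAsSent = $encAsSent
    CiphertextReadableEdited = $encEdited
}
```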


ENTERPRISE CERTIFICATE AUTHORITY & KEY RECOVERY AGENT


PART 1: ENTERPRISE CERTIFICATE AUTHORITY

I. Content
- Install an Enterprise Root CA.
- Issue a certificate to a user. The user uses the certificate to sign and encrypt mail.
- The user exports the key.
- When the key is damaged or lost, the user can no longer read the signed and encrypted mails.
- The user imports the key. The user's ability to read and encrypt data is restored.

II. Preparation
- System requirements: 01 Windows Server 2003 machine acting as Domain Controller (Enterprise version)
  + IP Address: 192.168.0.1
  + Subnet mask: 255.255.255.0
  + DNS: 192.168.0.1
  + Domain: congty.com

1. Create the objects in Active Directory → log on as Administrator
a. Adjust the Password Policy (hint: open Domain Security Policy).
b. Create the OU TestCA. In OU TestCA, create user U1 (Display name: Doremon, password: 123).
c. Set the E-mail address in U1's properties: U1@congty.com.
d. Make user U1 a member of the Print Operators group (so that U1 has the right to log on locally to the domain controller).

2. Install and configure the mail server (as described in the previous lab)
a. Install MDaemon6.
b. Set the domain: in the MDaemon6 window → menu Setup → Primary domain → enter the domain name and HELO domain (e.g. congty.com) → enter Domain IP: 192.168.0.1.
c. Create the mailbox for user U1: in the MDaemon6 window → menu Accounts → New account → enter Full name: Doremon, Mailbox name: U1, Password: 123.

3. Create, test and configure U1's mail account: log on as U1
a. Create a mail account for U1 in Outlook Express. Enter Full name: Doremon, E-mail address: U1@congty.com, Password: 123. Note: use the server's IP address 192.168.0.1 for the Incoming and Outgoing Mail Server.
b. Test the mail account: U1 sends a mail to himself.
c. Configure a copy of U1's mail to be kept on the mail server: in Outlook Express → menu Tools → Accounts → tab Mail → select U1's mailbox → Properties → tab Advanced → tick Leave a copy.

III. Procedure

1. Install the Enterprise Root CA
a. Install ASP.NET (as described in the previous lab): log on as Administrator → click Start → Settings → Control Panel → Add or Remove Programs → Add/Remove Windows Components → Application Server → Details → ASP.NET → OK → Next.
b. Install the Enterprise Root CA CongTy: click Start → Settings → Control Panel → Add or Remove Programs → Add/Remove Windows Components → select Certificate Services. (Note: choose Enterprise Root CA and Enable Active Server Page.)

2. Issue a certificate to the user. The user uses the certificate to sign and encrypt mail:
a. Log on as U1 and request a certificate: open IE and enter the address http://localhost/certsrv → Request a certificate → User certificate → Submit → Install this certificate → Yes.
b. Check U1's certificate: Start → Run → type mmc → in the console, choose File → Add/Remove Snap-in → Add → select Certificates → Add → Close. Save the console on the desktop as U1_Cert.msc.
c. Log on as U1 and send a signed and encrypted mail (to himself).

3. The user exports the key
Open the console U1_Cert.msc saved in step 2b. Right-click U1's certificate → All Tasks → Export.

In the Certificate Export Wizard, choose Yes, export the private key → Next → select Personal Information Exchange and Enable strong protection → Next → enter password: 123, confirm password: 123 → Next → click Browse, create the folder C:\CertKey and name the file doremon.pfx → Next → choose Place all certificates: Personal → Next → Finish.

4. Simulate a lost key
a. Log on as Administrator → delete user U1's profile
- Right-click My Computer → Properties → Advanced → under User Profiles click Settings → select U1's profile and choose Delete.
b. Log on as U1 → try to read the previously signed and encrypted mail again.

5. The user imports the key
a. Log on as U1, recreate the console U1_cert (see 2b), and use the Certificates console to import the key from the pfx file.

Click Next and enter the password 123, then click Next and Finish to restore the certificate.

b. Read the previously signed and encrypted mail again.


PART 2: KEY RECOVERY AGENT

I. Content
- Install an Enterprise Root CA.
- Issue an enterprise certificate to a user. The user uses the certificate to sign and encrypt mail.
- The administrator creates a Key Recovery Agent (KRA).
- When the key is damaged or lost, the user can no longer read the signed and encrypted mails.
- The Key Recovery Agent recovers the key for the user.

II. Preparation: same as Part 1

III. Procedure

1. Install the Enterprise Root CA: same as Part 1

2. The administrator creates the Key Recovery Agent (KRA)

a. Create a new certificate template by modifying an existing certificate template and granting users permission to use it.
- Log on as Administrator.
- Click Start → Programs → Administrative Tools → Certification Authority → right-click Certificate Templates → Manage → right-click the User template → Duplicate.
- On the General tab, enter the Template display name and Template name: UserVersion2.
- On the Request Handling tab, select the option Archive subject's encryption private key.
- On the Security tab, grant the 2 groups Authenticated Users and Domain Users the permissions Read, Enroll and Autoenroll → Apply → OK. Close the Certificate Templates program.

b. Publish the new certificate templates: KRA and UserVersion2
Return to the Certification Authority program. Right-click Certificate Templates → New → Certificate Template to Issue. Select the 2 templates Key Recovery Agent and UserVersion2 → OK.

c. Create the KRA: open IE and enter the address http://localhost/certsrv → Request a certificate → advanced certificate request → Create and submit a request to this CA → select Certificate template Key Recovery Agent → Submit.

A result message is shown after the request is submitted.

Issue the certificate for the KRA: Start → Programs → Administrative Tools → Certification Authority → open Pending Requests → select the certificate → right-click → All Tasks → Issue, and check the result under Issued Certificates.

d. The KRA installs the certificate: open IE and enter the address http://localhost/certsrv → View the status of a pending certificate request → Key Recovery Agent Certificate → Install this certificate → Yes.

e. Configure the Archive the key property for the KRA:
Start → Programs → Administrative Tools → Certification Authority → right-click the root CA and choose Properties → on the Recovery Agents tab, select the option Archive the key and click Add → select the KRA certificate → OK → Yes to restart Certificate Services.

3. The user uses the certificate to sign and encrypt mail

a. The user requests an enterprise certificate:
- Log on as U1 and proceed as in Part 1, but choose the certificate template UserVersion2 that the administrator has just created.
- Open IE and enter the address http://localhost/certsrv → Request a certificate → advanced certificate request → Create and submit a request to this CA → select Certificate template UserVersion2 → Submit → Yes → Install this certificate.

b. The user uses the certificate to sign and encrypt mail (same as 2c in Part 1)
- U1 sends a signed and encrypted mail to himself.

4. Simulate a lost certificate
a. Log on as Administrator. Delete user U1's profile.
b. Log on as U1 → try to read the previously signed and encrypted mail again.

5. The Key Recovery Agent recovers the key for the user
- Log on as Administrator.

a. Copy the serial number of user U1's certificate, which is still stored at the root CA, and paste it into a text file. Remove the spaces and copy it to the clipboard again.
Start → Programs → Administrative Tools → Certification Authority → open Issued Certificates → select U1's certificate → right-click → Open.
Select the Details tab → select Serial number → highlight the number shown below and copy it into a text file, remove the spaces and copy it to the clipboard once more.

b. Save user U1's archived key to a *.pfx file:
- In a command-line window, enter: certutil -getkey [serial number] abc.pfx (paste the serial number in).

c. Recover user U1's key into a *.pfx file:
- In a command-line window, enter: certutil -recoverkey abc.pfx doremon.pfx (no password needs to be entered).

d. The user imports the key:
- Log on as U1.
- Use the Certificates console to import the key from the pfx file, then read the previously signed and encrypted mail again.
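
Steps 5a-5c as one function, as an added example that is not part of the original lab: it cleans the serial number copied from the Details tab and then runs the two certutil commands shown above. The function name, its parameters and the sample serial number in the comment are constructed; the file names are the ones the lab uses.

```powershell
# Added illustration, not the lab's own code.
# Run on the CA as an account that holds the KRA certificate and its private key
# (Administrator in this lab).
function Restore-ArchivedKey {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SerialNumber,             # as copied from Details > Serial number
        [string]$BlobPath = 'abc.pfx',     # recovery blob written by certutil -getkey
        [string]$PfxPath  = 'doremon.pfx'  # recovered key written by certutil -recoverkey
    )

    # Step 5a: the dialog shows the serial as space-separated byte pairs, and a
    # copy/paste can carry invisible formatting characters. Strip both, then
    # insist that only hex digits remain instead of silently dropping anything else.
    $serial = ($SerialNumber -replace '[\s\p{Cf}]', '').ToLowerInvariant()
    if ($serial -notmatch '^[0-9a-f]+$' -or ($serial.Length % 2) -ne 0) {
        throw "Serial number '$SerialNumber' is not a whole number of hex byte pairs."
    }

    # Do not overwrite an earlier blob or PFX by accident.
    foreach ($path in @($BlobPath, $PfxPath)) {
        if (Test-Path -LiteralPath $path) {
            throw "Output file '$path' already exists."
        }
    }

    # Step 5b: fetch the archived key from the CA database. The blob is still
    # encrypted to the KRA certificate at this point.
    & certutil.exe -getkey $serial $BlobPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getkey failed with exit code $LASTEXITCODE."
    }

    # Step 5c: decrypt the blob with the KRA private key and write the user's PFX.
    & certutil.exe -recoverkey $BlobPath $PfxPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -recoverkey failed with exit code $LASTEXITCODE."
    }

    Get-Item -LiteralPath $PfxPath
}

# Constructed sample serial number, shown with the spaces the dialog displays:
# Restore-ArchivedKey -SerialNumber '61 0a 2b 3c 00 00 00 00 00 05'
```

The resulting PFX contains U1's private key, so it should reach U1 over a controlled channel and be deleted from the CA once imported.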


SECURE SOCKET LAYER & IP SECURITY


PART 1: SECURE SOCKET LAYER

I. Content
- Request a certificate for the web server so that users can access it over HTTPS (HTTP Secure).

II. Preparation
- System requirements: 01 Domain Controller running Windows Server 2003 Enterprise
  + IP Address: 192.168.0.1
  + Subnet mask: 255.255.255.0
  + DNS: 192.168.0.1
  + Domain: congty.com

1. Install the Enterprise Root CA
a. Install ASP.NET (as described in the previous lab): log on as Administrator → click Start → Settings → Control Panel → Add or Remove Programs → Add/Remove Windows Components → Application Server → Details → ASP.NET → OK → Next.
b. Install the Enterprise Root CA CongTy: click Start → Settings → Control Panel → Add or Remove Programs → Add/Remove Windows Components → select Certificate Services. (Note: choose Enterprise Root CA and Enable Active Server Page.)

2. Create the default web page: \Inetpub\wwwroot\default.htm

  <html>
  <head>
  <title>Welcome to My Web page ^_^</title>
  </head>
  <body>
  <marquee>
  <h1>My name is Quoc Phuong</h1>
  </marquee>
  </body>
  </html>

III. Procedure

1. Verification: access the default web page over HTTP and then over HTTPS
- Enter the address in IE: http://localhost: the web page is displayed normally.
- Enter the address in IE: https://localhost: the web page cannot be displayed.

2. Request a certificate for the web server:

a. Open the IIS properties:
- Start → Programs → Administrative Tools → Internet Information Services (IIS) Manager → right-click Default Web Site → Properties.

b. Request the certificate:
- On the Directory Security tab → click Server Certificate → Next → choose Create a new certificate → Next → choose Send the request immediately → Next → enter the requested information → set the SSL port to 443 → Finish.

3. Access the default web page over HTTPS:
- Enter the address in IE: https://localhost; the system shows a warning → choose Yes → the web page is displayed normally.
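
A way to see what stands behind the warning in step 3, as an added example that is not part of the original lab: the function connects to the HTTPS port, records the validation errors Windows reports for the server certificate (name mismatch, untrusted chain and so on) and returns them with the certificate's identity. The function name and its parameters are constructed; it assumes PowerShell 3.0 or later on a client that shares a TLS version with the server.

```powershell
# Added illustration, not the lab's own code.
function Get-TlsCertificateReport {
    param(
        [string]$HostName = 'localhost',   # the name typed into the browser
        [int]$Port = 443                   # the SSL port chosen in step 2b
    )

    # The callback only records what validation found. It returns $true so the
    # handshake completes and the certificate can be read; this is for
    # inspection, never for a connection that carries real data.
    $state = @{ Errors = $null; ChainStatus = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors      = $sslPolicyErrors
        $state.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The name passed here is the one the certificate subject is compared with.
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            RequestedName = $HostName
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            PolicyErrors  = $state.Errors                  # None means no warning is due
            ChainStatus   = ($state.ChainStatus -join ', ')
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
}

# Run on the lab server after step 2b:
# Get-TlsCertificateReport -HostName localhost | Format-List
```

Comparing the report for localhost with the report for the name entered in the certificate request shows whether the warning comes from the name or from the chain.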


PART 2: IP SECURITY

I. Content
- Use certificates as the key for encrypting data in transit.

II. Preparation
- System requirements: 02 machines running Windows Server 2003 Enterprise.
- Check connectivity by PINGing the IP address of the LAN card.
- On both machines, change the administrator password to 123.
- Odd-numbered machine (PC1):
  + IP Address: 192.168.5.1
  + Subnet mask: 255.255.255.0
- Even-numbered machine (PC2):
  + IP Address: 192.168.5.2
  + Subnet mask: 255.255.255.0
- The even-numbered machine has ASP.NET and a Stand-alone root CA installed.

III. Procedure

1. Request certificates for the 2 computers:

a. The odd-numbered machine adds the CA site to its trusted sites:
- In IE choose Tools → Internet Options → on the Security tab select the Trusted sites zone → click Sites → under Add this Web site to the zone enter http://[IP of the even-numbered machine]/certsrv → clear Require server certification → click Add → Close → OK.

b. Both machines request a certificate
- Odd-numbered machine: in IE, enter the address http://[IP of the even-numbered machine]/certsrv
- Even-numbered machine: in IE, enter the address http://localhost/certsrv
- Both machines: choose Request a certificate → Advanced certificate request → Create and submit a request to this CA → fill in the required information.
- Note: under Type of Certificate Needed, choose Client Authentication Certificate; tick Store certificate in the local computer certificate store.
- Submit.

c. Issue the certificates for the 2 computers:
- Even-numbered machine: Start → Programs → Administrative Tools → Certification Authority. In the Certification Authority window, select Pending Requests → right-click each request in turn → All Tasks → Issue.

d. Both machines install their certificate:
- Both machines reopen the certificate request web page → choose View the status of a pending request → click Authentication Certificate → Install this certificate.

e. Both machines create the console PC_Cert:
- Start → Run → mmc → menu File → Add/Remove Snap-in → Add → Certificates → choose Computer account → choose Local computer.
- In the console, choose File → Save As → save the console on the Desktop as PC_Cert.

Note that the certificate on the odd-numbered machine currently shows an error.

f. The odd-numbered machine imports the root CA certificate:
- In the console PC_Cert (created in step e): select Trusted Root Certification Authorities → right-click Certificates → All Tasks → Import.
- In the Certificate Import Wizard → click Browse → My Network Places → CertConfig on PCxx → Pcxx_Congty.crt → Open → Next → choose Place all certificates in the following store: Trusted Root Certification Authorities → Finish.

2. Create the IPSec policy on the 2 machines (both machines do the same):

a. Create the IPSec console:
- Start → Run → type mmc → Add/Remove Snap-in → Add → select IP Security Policy Management for Local Computer and then Services for Local Computer → save the console on the Desktop as IPSec.msc.

b. Create a new IPSec policy:
- In the IPSec console → right-click IP Security Policy Management → Create IP Security Policy → Next → name the policy IPSec by Cert → Next → clear Activate the default → Next → clear Edit properties → Finish.

c. Configure the policy IPSec by Cert:
- In the IPSec console → right-click IPSec by Cert → Properties.
- On the Rules tab of IPSec by Cert Properties → click Add → Next.
- In the Tunnel Endpoint dialog → choose This rule does not specify a tunnel → Next.
- In the Network Type dialog → choose All network connections → Next.
- In the IP Filter List dialog → select All IP Traffic → Next.
- In the Filter Action dialog → select Require Security → Next.
- In the Authentication Method dialog → select Use a certificate → click Browse.
- In the Select Certificate dialog → select the CA CongTy → OK.
- Back in the Authentication Method dialog → Next → Finish → back in IPSec by Cert Properties → OK.

d. Assign the policy and restart the services
- In the IPSec console → right-click IPSec by Cert → Assign.
- Also in the IPSec console → select Services → right-click IPSec Services → Restart.

3. Verify the encryption process:
- On the command line of the even-numbered machine, enter: PING [IP of the odd-numbered machine] -t


EFS ON A WORKGROUP

I. Purpose
- Use certificates to encrypt the file system (Encrypting File System).
- Create a Recovery Agent to recover data when a user loses the certificate.

II. Preparation
- 1 machine running Windows XP.
- Create 1 user with username/password u1/123.
- Log on as this user and create the folder C:\TestEFS.

III. Procedure

1. Encrypt the folder TestEFS, then create the file u1.txt

a. Log on as U1. Start → Run → type mmc → OK.

b. Choose File → Add/Remove Snap-in → Certificates → Add → Close → OK.

At this point the Personal store is still empty.

Choose File → Save → Desktop. Name the file Certificate_u1.

c. Open Windows Explorer → create the folder C:\TestEFS.

Right-click the folder TestEFS → Properties.

d. In TestEFS Properties → Advanced → in Advanced Attributes → tick Encrypt contents to secure data → OK → Apply → OK.

e. In the folder TestEFS → create a file u1.txt with the content "Day la file cua U1".

f. Double-click the Certificate_u1 icon on the desktop → the Certificates folder under Personal now contains 1 certificate for U1.

THIS IS U1'S SELF-SIGNED CERTIFICATE.

2. The administrator cannot open this file
- Log on as Administrator and open C:\TestEFS\u1.txt → it cannot be opened.

3. The administrator creates a Recovery Agent

a. Log on as Administrator, then Start → Run → cmd.

b. At the Command Prompt, type the following commands:
  CD\
  MD ABC
  CD ABC
In ABC, type the command cipher /r:filename (e.g. cipher /r:local_recover) and press Enter → the program creates 2 files, a .CER and a .PFX.

4. Apply a policy so that the Recovery Agent can read the encrypted files

a. Log on as Administrator, then Start → Run → type gpedit.msc → OK.

b. Select Computer Configuration → Windows Settings → Security Settings → Public Key Policies → right-click Encrypting File System → choose Add Data Recovery Agent.

c. The Welcome screen appears → Next. On the Select Recovery Agents screen → choose Browse Folders.

d. Go to the folder C:\ABC → select the file local_recover.cer → Open (note: select the *.cer file).

e. On the Select Recovery Agents screen → Next.

f. On the Completing the Add Recovery Agent Wizard screen → Finish.
- Go back to the Command Prompt and type gpupdate /force.

g. Start → Run → type mmc → OK → in Console1 → menu File → Add/Remove Snap-in → Add → Certificates → choose My user account → Finish → OK.

h. The Personal store is still empty.

i. Right-click Personal → All Tasks → Import.

j. The Welcome screen appears → Next. Browse to the folder C:\ABC → select the file with the key icon (extension *.pfx).

k. On the File to Import screen, click Next.

l. On the Password screen, tick Mark this key as exportable → Next → Finish.

m. The result after importing the certificate is shown in the figure.

5. U1 creates a new file: log on as U1 and create the new file C:\TestEFS\u2.txt.

6. Test the Recovery Agent
a. The administrator opens u2.txt → it opens.
b. The administrator opens u1.txt → it cannot be opened.
c. Log on as U1, open u1.txt, then close it.
d. Log on as Administrator and open u1.txt again.


EFS ON A DOMAIN

I. Purpose
- Same as EFS on a Workgroup.

II. Preparation
- 1 machine acting as Domain Controller.
- Install an Enterprise Root CA.
- Set the Administrator password to 123.
- Create a user with username/password u2/123.
- Give u2 the right to log on locally.
- Create the folder C:\TestEFS.

III. Procedure

1. Log on as user U2. Create a file u2.txt. Encrypt this file

a. Log on as U2 and set the Encrypt attribute on the folder C:\TestEFS (same as on XP).

Create the file C:\TestEFS\u2.txt.

b. Once the file is encrypted, right-click u2.txt → Properties → Advanced → Details.

c. On the Encryption Details screen, the section Data Recovery Agents For This File As Defined By Recovery Policy lists Administrator → the administrator will be able to read files that u2 encrypts (default). Click OK to exit.

d. Open Administrative Tools → right-click Certification Authority → choose Run as → Username/password: Administrator/123.

e. In the Issued Certificates folder you see only that u2 has requested 1 certificate by itself, used for encryption → exit the Certification Authority window; there is no need to save.

2. Log on as Administrator and open the file C:\TestEFS\u2.txt → it opens → conclusion: in a domain, the Administrator is the Recovery Agent by default.


TRUST RELATIONSHIP

I. Purpose
- Allow domains that do not belong to the same forest to rely on each other's authentication.

II. Preparation
- 2 machines acting as Domain Controllers, with the IP addresses given in the table below.
- The odd-numbered machine (PC1) hosts the domain saigon.vn. Create 1 alias named www.saigon.vn.
- The even-numbered machine (PC2) hosts the domain hanoi.vn. Create 1 alias named www.hanoi.vn.
- Change the Administrator password on both machines.
- On the odd-numbered machine (PC1), create username: doremon, password: 123.
- On the even-numbered machine, create and share the folder C:\Public Folder.
- Set the same time on both machines.

  Machine            IP                DNS
  PC1 (saigon.vn)    192.168.5.1/24    192.168.5.1
  PC2 (hanoi.vn)     192.168.5.2/24    192.168.5.2

III. Procedure

Note: all operations on both machines are performed with Administrator rights.

1. Configure a DNS forwarder so that the two domains can resolve each other's names. Carry out the following steps on PC1 (domain saigon.vn)

a. Start → Administrative Tools → DNS → in the DNS console → right-click the computer name (PC1) → Properties.

b. In PC1 Properties → select the Forwarders tab → click New.

c. In New Forwarder, under DNS Domain, type the name of the other domain, e.g. hanoi.vn → OK.

d. On this screen, with hanoi.vn still highlighted, enter the IP address of the domain under Selected domain: 192.168.5.2 → Add → OK.

e. Right-click the DNS server → All Tasks → Restart.

Do the same on PC2 (domain hanoi.vn).

f. After finishing the configuration on the domain hanoi.vn, return to PC1 and run nslookup to check name resolution in both directions between the domains (see the figure).

2. Configure the trust relationship:

a. Still on PC1, open Administrative Tools → Active Directory Domains and Trusts; the screen shown in the figure appears. Right-click the domain (saigon.vn) → Properties.

b. Choose New Trust.

c. The Welcome screen appears → Next. On the Trust Name screen, enter the NetBIOS name of the other domain (e.g. hanoi.vn). Then click Next.

d. On the Direction of Trust screen, choose Two-way → Next.

On the Sides of Trust screen, choose Both this domain and the specified domain → Next.

e. Enter the administrator username and password of the other domain → Next.

f. On the Trust Selection Complete screen → Next.

g. On the Trust Creation Complete screen → Next.

h. On the Confirm Outgoing Trust screen, choose Yes, confirm the outgoing trust → Next.

i. On the Confirm Incoming Trust screen, choose Yes, confirm the incoming trust → Next.

j. On the Complete the New Trust Wizard screen → Finish → OK.

k. After clicking OK, you get the following screen. Click OK.

l. Note: restart both domain machines.

m. After the restart, the logon screen on both machines looks as shown in the figure.

3. Test:
- Grant a user in the domain saigon.vn permission to use the shared folder in the domain hanoi.vn.

a. Open Windows Explorer, select drive C:, right-click Public Folder → select the Security tab → Add.

b. In Select Users, Computers, or Groups → click Locations.

c. In Locations → select saigon.vn → OK.

d. Find Now → select the user doremon → OK.

e. The resulting screen looks as follows. OK → OK.


SECURITY TEMPLATES
I. Ni dung - p t cc Security Template vo tng Server, OU tng ng lm gia tng bo mt ca ton b h thng mng my tnh. II. Chun b - 1 my Win2K3 nng cp domain controller. + IP Address: 192.168.0.1 + Subnet mask: 255.255.255.0 + DNS: 192.168.0.1 + Domain name: congty.com - Copy file Windows Server 2003 Security Guide.rar v a C:\ v gii nn III. Thc hin 1. To cu trc OU, ph hp tng loi hnh Server

Start Run g vo dsa.msc click nt phi chut trn congty.com New Organizational Unit.

To ln lt cc OU nh hnh bn

GV: ThS. o Quc Phng

Trang 87

Security Templates

Qun tr mng Windows

2. Create a Group Policy and apply the security template at the Domain Root

a. Go to Start → Programs → Administrative Tools → open Active Directory Users and Computers

b. In Active Directory Users and Computers → right-click CongTy.com → Properties → go to the Group Policy tab → New → name the newly created Group Policy Domain Policy

c. In the congty.com Properties window → select Domain Policy → Edit

d. In the Group Policy Object Editor window → go to Computer Configuration → Windows Settings → Security Settings → right-click Security Settings → Import Policy → in the Import Policy From window, point Look in to C:\Windows Server 2003 Security Guide\Tools and Templates\Security Guide\Security Templates → select the file Enterprise Client Domain → Open


3. Create a Group Policy and add the security template on the Domain Controller OU

a. Go to Start → Programs → Administrative Tools → open Active Directory Users and Computers.

b. In Active Directory Users and Computers → right-click the Domain Controller OU → Properties → go to the Group Policy tab → New → name the newly created Group Policy Domain Controller Policy

c. In the Domain Controller Properties window → select Domain Controller Policy → Edit


d. In the Group Policy Object Editor window → go to Computer Configuration → Windows Settings → Security Settings → right-click Security Settings → Import Policy → in the Import Policy From window, point Look in to C:\Windows Server 2003 Security Guide\Tools and Templates\Security Guide\Security Templates → select the file Enterprise Client Domain Controller → Open

4. Create a Group Policy and add the security template on the remaining OUs
- Proceed in the same way as step 4

Note: the security template files must be applied to their corresponding OUs
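The steps above import the templates but do not check that the settings reached the servers. The following Python script is an added example, not part of the original lab or of the Security Guide: it compares a template with a `secedit /export` dump, and both INF fragments, their values, and the names `parse_inf` and `drift` are constructed for illustration.

```python
import configparser

# Constructed sample in security-template (.inf) syntax; the values are
# illustrative and are not copied from the guide's template files.
TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 50
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 1
[Version]
signature="$CHICAGO$"
"""

# Constructed sample of what `secedit /export /cfg current.inf` could return
# on a server in one of the OUs (real exports are UTF-16; decode them first).
EXPORTED = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 0
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 0
"""

BOOKKEEPING = {"Unicode", "Version"}   # sections that carry no policy

def parse_inf(text: str) -> dict:
    """Return {section: {setting: value}} for the policy sections."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False, allow_no_value=True)
    cp.optionxform = str               # keep the setting names' case
    cp.read_string(text)
    return {s: {k: (v or "").strip() for k, v in cp[s].items()}
            for s in cp.sections() if s not in BOOKKEEPING}

def drift(template: str, exported: str) -> list:
    """List (section, setting, expected, actual) where the export differs."""
    want, have = parse_inf(template), parse_inf(exported)
    return [(sec, key, exp, have.get(sec, {}).get(key))
            for sec, settings in want.items()
            for key, exp in settings.items()
            if have.get(sec, {}).get(key) != exp]

if __name__ == "__main__":
    for finding in drift(TEMPLATE, EXPORTED):
        print(finding)
```

A setting reported with an actual value of None is absent from the export, which usually means the GPO carrying the template is not linked to that server's OU.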


MOVE ACTIVE DIRECTORY DATABASE


I. Content
- Normally, when a Domain Controller is built, the Active Directory database file ntds.dit sits in the default location %systemroot%\NTDS (e.g. c:\windows\ntds.dit). To increase security, we move this database to another location.
II. Preparation
- Attach an additional 1 GB hard disk E:\ to the machine and format it as NTFS
- Carry out the lab on a machine that is already a Domain Controller
+ IP Address: 192.168.0.1
+ Subnet mask: 255.255.255.0
+ DNS: 192.168.0.1
+ Domain name: congty.com
III. Procedure
1. Check the default path:
- Log on as Administrator → go to C:\WINDOWS\NTDS
- Check that the files edb.chk, ntds.dit and temp.edb are there (these are what has to be moved)
2. Back up the System State data in case the database move fails

a. Go to Start → Programs → Accessories → System Tools → Backup


b. In the Welcome to the Backup or Restore Wizard window → clear the Always start in wizard mode check box → select Advanced Mode

c. In the Backup Utility window → tick System State → type E:\SSD.bkf in Backup media or file name (to save the SSD backup file on drive E:\) → click Start Backup → in the Backup Job Information window click Start Backup.

d. When the backup finishes → go to E:\ and check that the file SSD.bkf is there


3. Move the AD database

a. Restart the machine, press F8 and choose the Directory Service Restore Mode boot option (if the machine has several Windows installations, select the Windows installation whose directory is to be moved → log on)

b. Log on as Administrator → open a command line → type ntdsutil → Enter


c. When the ntdsutil prompt appears in CMD → type files → Enter

d. When the file maintenance prompt appears in CMD → type move DB to C:\SecureDATA → Enter (the system starts moving the AD database to the folder C:\SecureDATA)


e. When the move completes, the file maintenance: prompt appears in CMD → type quit

f. At the ntdsutil: prompt → type quit → type exit

4. Re-check the path that holds the Active Directory database
a. After completing part 3 → restart the machine into normal Windows mode
b. Log on as Administrator → go to C:\SecureDATA → check that the files edb.chk; ntds.dit; temp.edb are there
c. Go to C:\WINDOWS\NTDS → the files edb.chk; ntds.dit; temp.edb are no longer there


PASSWORD SYSKEY
I. Content
- Set a password for the computer system of a Workstation or for the Active Directory database of a Domain Controller, to strengthen security and guard against tools that guess the Administrator password by brute force

II. Preparation
- Can be carried out on any machine

III. Procedure

a. Log on as Administrator → Start → Run → type syskey

→ in the Securing the Windows Account Database window click Update


→ in the Startup Key window select Password Startup → type 123 in Password and Confirm → OK

→ in the Success window click OK

b. Restart the machine → during startup a window asks for the Syskey password → enter the password 123

Note: only after the syskey password has been entered do you reach the Welcome to Windows screen.


MICROSOFT SECURITY BASELINE ANALYZER & SOFTWARE UPDATE SERVICE


I. Content
- Install Microsoft Security Baseline Analyzer to review and list the system's vulnerabilities, in order to work out fixes.
- Install SUS for the system to improve the security and stability of the servers by continuously applying patches for the operating system and for Microsoft software, while still making sure that traffic to the Internet is not congested.

II. Preparation
- The lab setup consists of 2 Windows Server 2003 machines
+ PC1 acts as the SUS server, PC2 as the client (PC02 may run Windows XP)
+ The 2 files SUS10SP1.exe and MBSASetup-en.msi are on the SoftsQTM.iso disc

III. Procedure
1. Install MBSA (carried out on PC1)
- Insert the SoftsQTM.iso disc into the CD-ROM drive


a. Run the file MBSASetup-en.msi → in the Welcome window click Next → in the License Agreement window select I accept the license agreement → Next


b. In the Destination Folder window keep the default → Next → in the Start Installation window click Install → Finish


c. Open the Microsoft Baseline Security Analyzer 1.2 icon on the desktop → in the Microsoft Baseline Security Analyzer window select Scan more than one computer

d. In the Pick multiple computers to scan window → in IP address range enter the IP address of PC1 to the IP of PC2 (e.g. 192.168.5.1 to 192.168.5.2) → click Start Scan → the program starts scanning for security flaws


e. When the scan completes → in the View security report window, the items marked with a red cross are the ones with security problems → to see the details click How to correct this

Review the problems that MBSA found and work out how to fix them.


2. Install SUS on PC1

a. Go to Control Panel → Add or Remove Programs → Add / Remove Windows Components → in Add / Remove Windows Components, open Details for Application Server → in Application Server, tick Internet Information Services (IIS) → OK → Next → Finish


b. Run the file SUS10SP1.exe to install SUS → in the Welcome window click Next


c. In the End-User License Agreement window select I accept the License Agreement → Next → in the Choose setup type window select Typical


d. In the Ready to install window click Install → when the installation completes click Finish → in the Software Update Service window select Set options in the left pane.


e. In the Set options pane on the right → under Select which server to synchronize content from choose Synchronize directly from the Microsoft Windows Services servers → under Select where you want to store updates choose Save the updates to a local folder → among the languages, clear everything and tick only English → click Apply


f. In Software Update Services select Synchronize server → in the Synchronize server window click Synchronization Now → the system starts synchronizing data with the Microsoft Update site

3. Configure PC2 to update from PC1

a. Go to Start → Run → type gpedit.msc → in the Group Policy Object Editor window go to Computer Configuration → Administrative Templates → Windows Update


b. In Windows Update → open the policy Configure Automatic Updates → in the Configure Automatic Updates Properties window select Enabled → under Configure Automatic Updating choose 4 Auto download and schedule the install → OK


c. Open the policy Specify intranet Microsoft update service location → select Enable → enter http://<IP address of PC1> (e.g. http://192.168.5.1) in both Set the intranet update service for detecting updates and Set intranet statistics server → OK → close all open windows → go to Start → Run → type gpupdate /force


RADIUS

I. Purpose
- Use RADIUS to authenticate remote users who connect over VPN
II. Preparation
- A setup with 3 machines; the IP addresses are declared as in the table below
- PC2 joins the domain through the CROSS network card
- Create the group VPN_group and the user vpn_client (password: 123). Allow this user to use remote access (allow access) and make it a member of VPN_group

Domain machine (PC1) (RADIUS Server): IP: 172.16.2.16/24, P.DNS: 172.16.2.16
VPN Server (PC2) (RADIUS Client): IP: 172.16.2.15/24, P.DNS: 172.16.2.16; IP: 192.168.2.15/24
VPN Client (PC3): IP: 192.168.2.14/24

III. Procedure
1. Install IAS, then configure the RADIUS server and the related parts (register IAS in AD, remote access policy)


a. Install IAS
- Go to Control Panel → Add or Remove Programs → Add / Remove Windows Components → Networking Services → click Details → tick Internet Authentication Service → OK.

b. Finally click Finish when the installation is complete


c. Configure the RADIUS server.
- Go to Start → Administrative Tools → Internet Authentication Service

d. The IAS screen appears. Right-click Internet Authentication Service (Local) → select Register Server in Active Directory.

e. Click OK


f. Click OK

g. Declare the RADIUS client (the VPN server).
- Right-click RADIUS Clients → New RADIUS Client

h. In Friendly-name, enter VPN Server. In Client address (IP or DNS), enter the IP of the VPN server, in this case 172.16.2.15. Then click Verify


i. In this screen, click Resolve. Then click OK

j. In this screen, under Client Vendor, click the arrow and select Microsoft. In Shared secret and Confirm shared secret type 123. Then click Finish


k. Configure the remote access policy. Right-click Remote Access Policies → New Remote Access Policy

l. The Welcome... screen appears; click Next. In the next screen, keep the option that is already selected. In Policy name, enter the name of the policy (e.g. VPNRADIUS). Then click Next.


m. In Access Method, select VPN. Click Next

n. In User or Group Access, select Group → click Add


o. Find the group VPN_Group. Then click OK

p. The User or Group Access screen appears again; click Next


q. In the Authentication Methods screen, keep the options as they are and click Next

r. In the Policy Encryption Level screen, keep only Strongest encryption. Click Next and Finish


s. Open Windows Explorer, go to drive C: and create a folder named Public Folder. Then share this folder.

2. Configure the VPN server (using RRAS)

a. Log on to PC2 as Administrator. Go to Start → Administrative Tools → Routing and Remote Access


b. In the Routing and Remote Access screen, right-click the computer name (e.g. PC2) and select Configure and Enable Routing and Remote Access

c. The Welcome screen appears. Click Next

d. In the Configuration screen, select Remote access (dial-up or VPN) → Next


e. In the Remote access screen select VPN → Next

f. In the VPN connection screen select the LAN card and clear the Enable security on the selected check box → click Next


g. In the IP Address Assignment screen select From a specified range of address → Next

h. In the Address Range Assignment screen → New

i. In the New Address Range screen, enter the range 172.16.2.100 to 172.16.2.179

When done, click OK.


j. Back in the Address Range Assignment screen → Next

k. In the Managing Multiple Remote Access Server screen select Yes, setup this server to work with a RADIUS server. Click Next


l. Enter the IP address of the RADIUS server, in this case 172.16.2.16. In Shared secret, enter 123. When done, click Next.

The program starts installing

m. During the installation the program displays a few messages. Click OK to dismiss them

We have just finished configuring PC2 as the VPN server (RADIUS client)

3. Create a VPN connection to the VPN server with the username and password provided by PC1

a. Right-click the My Network Places icon (on the desktop) → Properties, then double-click Create a New Connection. The Welcome to... screen appears. Click Next


b. In this screen, select Connect to the network at my workplace. Click Next

c. In this screen, select Virtual Private Network connection and click Next.


d. In Company Name, enter a descriptive name, e.g. VPN client. Click Next

e. In the VPN Server Selection screen, enter the address of the VPN server, 192.168.2.15. Click Next


f. In this screen, select My use only. Click Next

g. In this screen, tick Add a shortcut to this connection to my desktop. Click Finish


h. Check the IP before connecting to the VPN server. Go to Start → Run → cmd and type ipconfig. We see only the one IP address of the network card

i. Test the connection. Double-click the newly created icon on the desktop. In Username enter vpn_client. In Password enter 123. Tick Save this. Finally click Connect

j. The screens appear one after another as shown in the figure


k. Once the connection succeeds, you will see one more icon (two computers) appear in the lower-right corner of the screen

l. Check the IP after connecting: go to Start → Run → cmd and type ipconfig. Now, besides the IP address of the LAN card, there is also the IP address assigned by the VPN server

m. Access PC1 to fetch data. Go to Start → Run → type \\172.16.2.16; the resulting screen looks like the figure
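Steps 1.j and 2.l type the same shared secret (123) on IAS and on the VPN server; that secret is what lets the RADIUS client authenticate the server's replies. The following Python script is an added example, not part of the original lab: it builds the RFC 2865 Response Authenticator on the server side and checks it on the client side, with function names and the Reply-Message text chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, REPLY_MESSAGE = 1, 18          # attribute types from RFC 2865

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_request(ident: int, user: str) -> bytes:
    """RADIUS client side (the VPN server, PC2): Access-Request."""
    attrs = attr(USER_NAME, user.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs   # 16-byte Request Authenticator

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(request: bytes, secret: bytes) -> bytes:
    """RADIUS server side (IAS on PC1): Access-Accept for the request."""
    ident, request_auth = request[1], request[4:20]
    attrs = attr(REPLY_MESSAGE, b"access granted")
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """Client-side check: the reply must match the request ID and the secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    req = build_request(7, "vpn_client")
    reply = build_accept(req, b"123")                 # IAS configured with 123
    print(verify_reply(req, reply, b"123"))           # RRAS uses the same secret
    print(verify_reply(req, reply, b"1234"))          # mismatched secret
```

Because the secret is the only key in this hash, a deployment outside the lab would use a long random value rather than 123, entered identically on both machines.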
