Deploying, administering, maintaining & upgrading an enterprise network

ACKNOWLEDGEMENTS

After a period of work, the thesis "Deploying, administering, maintaining & upgrading an enterprise network" has been largely completed. Besides my own efforts, I received enthusiastic help from my teachers, my friends, and the colleagues at the company where I interned. First, I thank the lecturers of the Faculty of Information Technology, National Economics University, who helped me during my studies, and in particular lecturer Assoc. Prof. Dr. Dang Minh At, who guided me throughout this thesis. I also thank the board of directors and the staff of Vinapay for giving me the opportunity to intern, to learn, and to gain the experience needed to complete this thesis. My sincere thanks!

CONTENTS

Introduction
Chapter I: Deploying the network system
1. Basic concepts
1.1 Definition of a basic computer network
1.2 Network components
1.3 Types of computer networks
1.4 The domain system for managing a LAN (Local Area Network)
2. Theoretical background
2.1 The DNS service
2.2 Windows Internet Name Service
2.3 The DHCP service
2.4 Active Directory
3. Current state of the system
4. Deployment work and results
4.1 Requirements for the new network structure
4.2 Deployment into the company network
Chapter II: Administering and maintaining the network system
1. Basic concepts
1.1 Some concepts of Active Directory architecture
1.2 Backup and restore
2. Theoretical background
2.1 Maintaining the security of domain controllers and administrative workstations
2.2 Establishing a backup and restore strategy for domain controllers
2.3 Managing the Backup Operators accounts
3. Current state of the system
4. Work carried out and results
4.1 Configuring backup for the domain
4.2 Administering the Active Directory system
Chapter III: Upgrading the system with ISA Server 2004 Firewall
1. Basic concepts: basic concepts of ISA Server 2004
2. Theoretical background
2.1 Network templates
2.2 Configuring network templates
2.3 Configuring ISA Server 2004 SecureNAT, Firewall and Web Proxy clients
2.4 Configuring access policies on ISA Server (ISA Server 2004 Access Policy)
3. Current state of the system
4. Work carried out and results
4.1 Choosing the firewall (proxy) system
4.2 Installing ISA Server 2004 on Windows Server 2003
4.3 Model for configuring ISA in the company network
Conclusion
Appendix 1: References
Appendix 2: Glossary of terms

INTRODUCTION

Today computers and the Internet are in widespread use: every individual needs computers and computer networks to compute, to store and publish information, or to carry out online transactions. But alongside the opportunities this opens up come risks: a computer network that is not managed is easily attacked, with serious consequences.

Vietnam Payment Technology Joint Stock Company (Vinapay) was officially founded in February 2007 by leading foreign investors: the Net 1 technology group, the IDG Ventures investment fund, and MK Group Vietnam. Vinapay's goal is to help build in Vietnam a secure payment infrastructure for mobile commerce. Its activities include:
- Producing and developing high-technology data cards (chip-based smart cards, prepaid scratch cards, account management cards, SIM cards for e-commerce services, and so on);
- Researching, developing and delivering high-technology services related to payment in e-commerce and m-commerce, prepaid cards and smart cards;
- Producing and developing high-technology application software;
- Operating an electronic gateway and switch that connects the payment systems of banks and card issuers (bank cards, payment cards, prepaid cards), so that mobile phone users can top up and pay charges via their phone or the Internet;
- Installing, maintaining and leasing card issuing equipment and payment acceptance devices such as ATMs, card readers and POS terminals.

Because its business is payment through an electronic gateway and online transactions, Vinapay's data security requirements are high. But as a young enterprise (founded February 2007), Vinapay did not yet have a complete company network, and its security was not assured. For that reason, during my internship at VINAPAY I chose the topic "Deploying, administering, maintaining & upgrading an enterprise network". Starting from Vinapay's actual network, I studied the LAN and the LAN security problems of the enterprise.

The thesis aims to understand the system and the tools it provides, so as to operate those tools fluently and know how to configure and implement them, and thereby avoid unnecessary vulnerabilities. It also presents some configurations that have been applied and proposes others. I hope it will be useful to network administrators, who can apply it to the networks they manage.

CHAPTER I: DEPLOYING THE NETWORK SYSTEM

1. Basic concepts

1.1 Definition of a basic computer network

A computer network is a collection of two or more computers connected to each other (through connecting devices and media: switches, hubs, cables, radio waves, ...) in order to share resources.
The connections between the computers follow computer network standards, network technologies and protocols. The computers in a network are called network nodes. Using a computer network makes it easy for organizations and businesses to share resources with their users: files, folders, printers, the Internet connection, shared applications, and so on.

1.2 Network components

A computer network consists of computers, network devices, printers and so on; these are called network components. The main ones are:
- Server: a computer with resources, services and applications that it shares for other computers to access and use. A server runs a server operating system (Windows Server, Linux, Unix) and specialized server software. Depending on its function it is called a data server, mail server, application server, and so on.
- Client (workstation): a computer in the network that connects to servers to use the resources they share. Clients run a client operating system and client software.
- Transmission media: the physical carriers between the computers, such as cable or radio waves.
- Resources: the applications, data, specialized hardware and so on that servers provide to users through the workstations (files, printers, ...).
- Network adapter (NIC): a specialized device that lets a computer send data to other computers over the transmission media.
- Connecting devices such as hubs, switches and routers.
- Network protocol: the set of rules that lets computers communicate with each other (understand each other, like the language people use).
- Network topology: the physical structure of the network (bus, star, ring, ...); it is classified by media type, protocol, network adapter, and so on. (This thesis covers only the components involved in managing and securing the network; peripherals and computer hardware are not discussed.)

1.3 Types of computer networks

Computer networks can be classified in several ways: by scope, by architecture, by the operating systems used in the network, and so on.

Classification by scope:
- Local area network (LAN): a network in which the computers are connected directly to one another within a small geographic area (a room, a building, ...). The limit depends on the transmission media the LAN uses.
- Wide area network (WAN): a network that can span large geographic areas, connecting regions within a country or locations in different countries. Connections can use fibre optic cable, satellite, telephone lines or leased lines; however, these connections are relatively expensive.
- The Internet: a special kind of wide area network that has become the most popular network of all. Its purpose is to serve connections from users anywhere in the world, letting organizations and businesses publish information and offer shared services easily and at a reasonable cost.
Other kinds of network: the metropolitan area network (MAN), the storage area network (SAN), the virtual private network (VPN), and the wireless network.

Within the scope of this thesis, for a small or medium-sized company whose administrative servers run Windows Server 2003 and which has 50 to 100 client machines, only the local area network (LAN) is considered.

1.4 The domain system for managing a LAN

The basic organizational unit of the Windows Server 2003 network model is the domain. A domain represents an administrative boundary: the computers, users and other objects in a domain share a common security database. Using domains lets administrators divide the network into separate security boundaries. In addition, the administrators of different domains can set up their own security models; security within one domain is separate and does not affect the security models of other domains. Above all, a domain provides a way to partition the network logically according to the organization. Large organizations with more than one domain are always divided so that each part is responsible for maintaining and securing its own resources. A Windows Server 2003 domain also represents a namespace that corresponds to a naming structure.

When a domain is created, it provides some basic services for the network:
- DNS (Domain Name System): the name resolution service that resolves host names following the FQDN naming standard into the corresponding IP addresses.
- DHCP (Dynamic Host Configuration Protocol): the service that manages and assigns IP addresses to the workstations. Thanks to this service, the IP addresses of the company's machines become easier to manage.
- Windows: configuring the operating system and managing the server on which the system services are installed.
- Active Directory: managing and operating the domain controller that provides the Active Directory service.
- WINS (Windows Internet Name Service): resolves NetBIOS computer names to IP addresses.
Beyond these, Windows Server 2003 offers many other useful roles: print server, file server, application server (IIS, ASP.NET), mail server (POP3, SMTP), terminal server, VPN server, WINS server, and so on.

2. Theoretical background

To build a network on Microsoft Windows Server 2003 we need a clear understanding of the services it provides. That makes configuring the network easier and more systematic, and using and upgrading it faster and more effective. Some of the tools for administering the network are described below.

2.1 The DNS service

The internal namespace (used in the local intranet) and the Internet namespace are designed as follows:
- Internal DNS namespace: Local.Vinapay.com.vn
- Internet DNS namespace: Vinapay.com.vn

The DNS service on Windows Server 2003 is a dynamic DNS service. It lets authenticated workstations register their records with DNS automatically. Every computer account has a corresponding record registered in the Active Directory-integrated DNS zone of the domain it belongs to, so internal queries for these hosts are answered by the internal DNS servers. In the Vinapay intranet, the DNS data of each child domain is replicated only to the domain controllers of that domain, not to the whole forest. The domain controllers of the northern region (Hanoi.Vinapay.com.vn) and of the southern region (HCM.Vinapay.com.vn) hold the Active Directory domain of their region and also hold the DNS zone of that domain.
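The zone layout described above, expressed as commands, as an added example that is not part of the thesis or of Vinapay's configuration. It uses dnscmd.exe, which is installed with the Windows Server 2003 DNS server, run from a PowerShell session (the commands are identical from cmd.exe) on a domain controller by a member of DnsAdmins or Domain Admins. The zone names are the ones in the design above, each stored in the domain-wide DNS application partition so that it replicates only to that domain's DCs; if dcpromo already created a zone, the /ZoneAdd step fails for it and only the two hardening steps apply. Those two settings, secure-only dynamic updates and no zone transfers, are what make a dynamic DNS design safe: without them any host on the LAN can overwrite another computer's record or pull the complete internal host list.

```powershell
# Added example, not from the thesis: the AD-integrated zones of section 2.1
# created and hardened with dnscmd.exe. Assumptions: Windows Server 2003 DC with
# the DNS server installed; run as a member of DnsAdmins/Domain Admins; zone
# names are the ones in the design above.

function Invoke-Dnscmd {
    param([string[]]$Arguments)
    # Run dnscmd and stop on the first failure so no zone is left half-configured.
    $out = & dnscmd.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $out" }
    return $out
}

function New-SecureAdZone {
    param([string]$Zone)
    # AD-integrated primary zone in the DomainDnsZones partition (/dp /domain):
    # replicated to the DCs of this domain only, as the design above requires.
    # (dcpromo already creates the forest-wide _msdcs.<forest root> zone.)
    Invoke-Dnscmd @('/ZoneAdd', $Zone, '/DsPrimary', '/dp', '/domain')
    # AllowUpdate 2 = accept *secure* (Kerberos-authenticated) dynamic updates only,
    # so a rogue host cannot overwrite another computer's A record.
    Invoke-Dnscmd @('/Config', $Zone, '/AllowUpdate', '2')
    # Refuse zone transfers (AXFR): nobody gets a full dump of the internal host list.
    Invoke-Dnscmd @('/ZoneResetSecondaries', $Zone, '/NoXfr')
}

function Test-DcLocatorRecord {
    param([string]$Domain, [string]$DnsServer = '127.0.0.1')
    # The SRV record every domain member uses to find a DC. If this lookup fails,
    # logons and Group Policy fail even though the DNS service is "running".
    $out = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DnsServer 2>&1
    return [bool]($out -match 'svr hostname')
}

# Forest root zone plus the two regional child-domain zones.
foreach ($zone in 'vinapay.com.vn', 'hanoi.vinapay.com.vn', 'hcm.vinapay.com.vn') {
    New-SecureAdZone -Zone $zone
}

# Verify that the DCs registered their locator records in the new zones.
foreach ($domain in 'vinapay.com.vn', 'hanoi.vinapay.com.vn', 'hcm.vinapay.com.vn') {
    if (-not (Test-DcLocatorRecord -Domain $domain)) {
        Write-Warning "no DC locator record for $domain; restart Netlogon on its DCs to re-register"
    }
}
```

Test-DcLocatorRecord is the check to keep in a monitoring job: it exercises the one record that domain logon actually depends on, rather than merely confirming that the DNS service process is alive.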
Because the networks of the two regions operate independently, no additional central DNS server is needed to connect them.

The DNS server system described above plays an important role in the operation of the network. For that reason we need a suitable administration policy to ensure that the DNS service is always highly available and is well backed up and recoverable. Also because of its importance, the administration policy for these servers should keep to a minimum the number of people allowed to log on to and operate them: a single incorrect edit or an abrupt shutdown of the server can leave the whole intranet unable to function.

2.2 Windows Internet Name Service (WINS)

By deploying WINS, the administrator provides NetBIOS name resolution for the clients on the intranet. WINS implements a distributed database of NetBIOS names and their corresponding IP addresses. WINS clients register their names with a local WINS server, and that server exchanges its entries with the other WINS servers, which guarantees that NetBIOS names are unique. Microsoft designed its networking components around the NetBIOS interface, so many network services and applications depend on NetBIOS. VINAPAY's old network still runs operating systems such as Windows 98, Windows NT and Microsoft Windows 2000, so automatic NetBIOS name resolution is required. Even once the VINAPAY intranet has upgraded all of its computers to Windows XP (SP1, SP2), the system still requires NetBIOS name resolution for the applications running on it, and WINS is therefore deployed on Windows Server 2003.

2.3 The DHCP service

Assigning and managing IP addresses for the workstations by hand, without a DHCP service, takes a great deal of time and effort.
In a Microsoft Windows Server 2003 network you can assign IP addresses dynamically, using the Dynamic Host Configuration Protocol (DHCP) to allocate and manage the network's IP addresses automatically. The DHCP service also gives the workstations system information such as the subnet mask and the default gateway. Workstations thereby avoid IP address conflicts, and the errors that occur when TCP/IP parameters are set by hand, such as a wrong subnet mask.

The biggest benefit of deploying DHCP in the VINAPAY intranet is lower IP address administration cost and the assurance that workstations always receive a correct IP address. To administer the DHCP service in the VINAPAY intranet, administration policies must be applied to both the DHCP server and the DHCP clients. These policies are implemented by delegating rights to, and monitoring, the accounts in the DHCP administrators group. Following the general administration policy for system services, the membership of the DHCP Administrators group must be kept small, because its members are allowed to configure a DHCP server, define the DHCP configuration options and create DHCP reservations. Any change to the DHCP service can leave the workstations unable to obtain an IP address from the DHCP servers, and it can also create a security hole in the intranet. Membership of DHCP Administrators, like membership of the local Administrators, Domain Admins and Enterprise Admins groups, must be reviewed to determine who actually needs to manage the DHCP service; members of these groups can manage every DHCP server in the domain.

Note: members of the DHCP Administrators group cannot authorize a DHCP server in Active Directory.
Only members of the Enterprise Admins group can perform that task. The servers in the intranet, on the other hand, must be given static IP addresses so that they never receive incorrect TCP/IP configuration from a rogue DHCP server. In addition, some workstations with important roles should also use static IP addresses. Static addressing for the servers and for some workstations keeps the VINAPAY intranet working even when the DHCP service is unavailable.

2.4 The domain controller (Active Directory) service

The VINAPAY environment will contain a single forest. The name of the forest root domain is VINAPAY.COM.VN. A single forest can hold up to millions of objects (user accounts, groups, computer accounts, ...) and is designed for the simplest possible administration. In the VINAPAY intranet, the group that administers at forest level is different from the group that administers all other day-to-day operations of the Active Directory service. The best approach is therefore to create a dedicated forest root domain, and the administration policies must respect this requirement. That domain holds the two forest-level FSMO roles, Schema Master and Domain Naming Master, which are very important to the overall operation of Active Directory across the whole system. The administrative accounts of this domain will be strictly limited, to guarantee both the security and the stability of the system. The domain therefore holds the system-wide accounts such as Enterprise Admins and Schema Admins. The groups that administer day-to-day Active Directory operations are assigned to one or more child domains. This lets those IT administration groups manage the services of their own domain independently, while they cannot control the membership of the Enterprise Admins and Schema Admins groups in the forest root domain.
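A periodic check of the groups and roles this section restricts, as an added example (not the thesis's own procedure and not Vinapay's script): it prints the FSMO role holders with netdom and compares the fully expanded membership of Enterprise Admins and Schema Admins against an approved list, using the dsquery and dsget tools of the Windows Server 2003 Support Tools. Assumptions: it runs on a domain controller or administrative workstation of the forest root domain with the Support Tools installed; the approved list, which here contains only the built-in Administrator of the root domain, is a placeholder for the organization's real one.

```powershell
# Added example, not from the thesis: audit of the forest-level groups and FSMO
# roles of section 2.4. Assumptions: Windows Server 2003 Support Tools (dsquery,
# dsget, netdom) installed; run in the forest root domain; the approved member
# lists are placeholders for the organization's own.

# Distinguished names allowed to hold forest-wide rights (placeholder values).
$ApprovedMembers = @{
    'Enterprise Admins' = @('CN=Administrator,CN=Users,DC=vinapay,DC=com,DC=vn')
    'Schema Admins'     = @('CN=Administrator,CN=Users,DC=vinapay,DC=com,DC=vn')
}

function Get-GroupMemberDN {
    param([string]$SamAccountName)
    # dsquery prints the group DN in quotes; strip them before passing it to dsget.
    $dn = (& dsquery.exe group -samid $SamAccountName) -replace '"', ''
    if (-not $dn) { throw "group '$SamAccountName' not found" }
    # -expand follows nested groups: an account nested one level down inherits the
    # forest-wide rights just the same, so a flat listing would miss it.
    & dsget.exe group $dn -members -expand |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -like 'CN=*' }
}

function Find-UnapprovedMember {
    param([hashtable]$Approved)
    $findings = @()
    foreach ($group in $Approved.Keys) {
        foreach ($member in (Get-GroupMemberDN -SamAccountName $group)) {
            if ($Approved[$group] -notcontains $member) {
                $findings += "$group contains unapproved member $member"
            }
        }
    }
    return $findings
}

# Schema Master and Domain Naming Master must stay on a DC of the forest root
# domain; netdom prints the current holders of all five roles.
& netdom.exe query fsmo

$findings = @(Find-UnapprovedMember -Approved $ApprovedMembers)
if ($findings.Count -eq 0) {
    'forest-level group membership matches the approved list'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run this from a scheduled task under a read-only audit account and alert on any warning line: membership of these two groups should change only through the change process of the top-level administration group, so any difference from the approved list is either an undocumented change or a compromise.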
In this way the root domain holds all the accounts with forest-wide rights, the rights that can change forest-level data: modifying the schema, configuring sites, authorizing system services, and so on, and the VINAPAY system administration group has full control over this. For example, installing Exchange Server 2003 requires the approval of the top-level administration group, because the software must extend the forest schema before it can be installed. In the child domains, the Domain Admins group is responsible for administering all of the Active Directory servers within its domain; at the same time the central administrators (the members of Enterprise Admins) also have the right to administer and monitor the operations and policies on those servers.

3. Current state of the network

Structure:
- Router/modem 192.168.2.1 acts as the gateway of the system.
- Server DCserver, IP 192.168.2.2, has the roles:
  - DHCP server: assigns the range 192.168.2.5 to 192.168.2.100 to the company's clients;
  - DNS server: LangHa.Vinapay.com.vn.
- FTP server: IP 222.252.28.10.
The client machines are not in a common domain; their IP addresses are assigned by the modem. There are no separate print, DHCP or DNS servers.

4. Deployment work and results

4.1 Requirements for the new network structure
- Router/modem 192.168.2.1 acts as the gateway of the system.
- Server DCserver, IP 192.168.2.2, is the DHCP server: the range 192.168.2.100 to 192.168.2.150 is assigned dynamically to the company's clients, and the range 192.168.2.5 to 192.168.2.49 is reserved for static assignment to a number of machines.
- The modem statically assigns the address 10.0.0.3 to the company's wired LAN, and dynamically assigns the range 10.0.0.5 to 10.0.0.25 to laptops connecting through the company's access point.
- FTP server at address 222.252.28.10.
- Assign static addresses to the DHCP, DNS, print and backup servers, and install these servers.
- Set up the Active Directory system and join the client machines to the domain.

4.2 Deployment work

The work follows the new network structure. It starts with installing the server and upgrading its components according to the requirements set out above.

4.2.1 Installing Windows Server 2003

Installing a server is similar to installing the common Windows versions (XP SP1, XP SP2, Windows 2000), but the following points need attention:
- Take care with the product key for each edition: some high-end hardware of the Intel Itanium family supports 64-bit addressing, whereas most other machines support only 32-bit addressing (a medium-sized business usually has 32-bit servers).
- Pay attention to the settings in Licensing Modes during setup: with Per server licensing, the number of concurrent connections you declare is the number of client access licenses you hold for the server.

[Figure 1.4.1: the Regional and Language Options step of Windows Server 2003 Setup]

In a business environment, for example a medium or large enterprise network (which also applies to Vinapay), the network administrator must install not only the server operating system but also a large number of client machines.
This problem can be solved in several ways; Windows Server 2003 offers the following solutions:
- Answer file: an answer file is a script that contains all the information for the options chosen during Windows setup. Because it typically includes the product key and the local Administrator password, it must be protected like any other credential.
- Disk imaging: when deploying a large number of identical machines, this method can be used. A disk image is a copy of a hard disk on which the operating system has already been installed. Transferring the image to another computer with equivalent hardware lets that computer use the transferred operating system immediately without reinstalling. When applying this method, note the parameters that must not clash between machines on the same LAN: the computer name and the IP address (the image should be generalized with Sysprep before capture so that each clone also receives its own security identifier).

4.2.2 Configuring Windows Server 2003

To set up the server roles that Windows Server 2003 provides:
- Go to Start > Manage Your Server > Add or remove a role, which opens the Configure Your Server Wizard;
- or run dcpromo from Start > Run to go straight to the Active Directory Installation Wizard (the Configure Your Server Wizard calls this same wizard when the Domain Controller role is chosen).

[Figure 1.4.2: the Manage Your Server window (Adding Roles to Your Server, Managing Your Server Roles)]

Creating the Active Directory domain controller: in the Configure Your Server Wizard choose Domain controller and then fill in the domain name parameters. If this is the first (root) server of the domain, choose Domain Controller for a New Domain, then follow the wizard to name the domain (Vinapay.com.vn). Next come the prompts for the database and log paths and for installing additional services (DNS).
[Figure 1.4.3: the Server Role page of the Configure Your Server Wizard with Domain Controller (Active Directory) selected: "Domain controllers store directory data and manage user logon processes and directory searches"]

The installation steps continue until the message that the server has become a domain controller is shown.

[Figure 1.4.4: Active Directory promotion completed ("This Server is Now a Domain Controller")]

Note: the IP address fields of the machine must all be filled in before promotion.

Creating the DNS server: while installing Active Directory you are prompted to install the DNS service as well. If DNS was not installed during the Active Directory promotion, or you want to add this function later, choose DNS Server in the Configure Your Server Wizard and then fill in the DNS server parameters: the zones, the IP address ranges of the DNS server, and so on.

[Screenshot: the DNS Registration Diagnostics page of the Active Directory Installation Wizard. The SOA query for _ldap._tcp.dc._msdcs.Vinapay.com.vn to find the primary DNS server failed, and the wizard offers three choices: "I have corrected the problem. Perform the DNS diagnostic test again"; "Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server"; "I will correct the problem later by configuring DNS manually (Advanced)".]

Creating the DHCP server: in the Configure Your Server Wizard choose DHCP Server.
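The scope that the wizard and the DHCP console configure in the figures that follow, built from the command line instead, as an added example (not Vinapay's script and not from the thesis). It uses netsh dhcp, which is present on Windows Server 2003, with the addresses from section 4.1: pool 192.168.2.100 to 192.168.2.150, router 192.168.2.1, DNS 192.168.2.2, and the DNS suffix LangHa.Vinapay.com.vn from section 3. Assumptions: it runs on the DHCP server as a member of DHCP Administrators; the authorization step needs an Enterprise Admins account, as section 2.3 notes; the print server name and MAC address in the reservation and the export path are made-up placeholders.

```powershell
# Added example, not from the thesis: the section 4.1 DHCP scope built with
# netsh.exe on Windows Server 2003. Assumptions: run on DCserver (192.168.2.2);
# the reservation's host name and MAC and the export path are placeholders.

function Invoke-NetshDhcp {
    param([string[]]$Arguments)
    $out = & netsh.exe dhcp $Arguments 2>&1
    # netsh sometimes exits 0 after printing an error, so inspect the text as well.
    if ($LASTEXITCODE -ne 0 -or ($out -match 'error|fail')) {
        throw "netsh dhcp $($Arguments -join ' ') failed: $out"
    }
    return $out
}

$Scope = '192.168.2.0'

# Scope for the wired LAN. The pool is only .100-.150 (section 4.1), so the
# static range .5-.49, the router (.1) and the DC (.2) are never leased out.
Invoke-NetshDhcp @('server', 'add', 'scope', $Scope, '255.255.255.0', 'Vinapay LAN', 'Wired clients')
Invoke-NetshDhcp @('server', 'scope', $Scope, 'add', 'iprange', '192.168.2.100', '192.168.2.150')

# Options handed out with each lease: 003 router, 006 DNS server,
# 015 DNS suffix, 051 lease time in seconds (691200 = 8 days).
Invoke-NetshDhcp @('server', 'scope', $Scope, 'set', 'optionvalue', '003', 'IPADDRESS', '192.168.2.1')
Invoke-NetshDhcp @('server', 'scope', $Scope, 'set', 'optionvalue', '006', 'IPADDRESS', '192.168.2.2')
Invoke-NetshDhcp @('server', 'scope', $Scope, 'set', 'optionvalue', '015', 'STRING', 'LangHa.Vinapay.com.vn')
Invoke-NetshDhcp @('server', 'scope', $Scope, 'set', 'optionvalue', '051', 'DWORD', '691200')

# Reservation: a machine that must always get the same address (placeholder MAC).
Invoke-NetshDhcp @('server', 'scope', $Scope, 'add', 'reservedip', '192.168.2.120', '00112233aabb', 'printsrv', 'Print server', 'BOTH')

# Authorize the server in Active Directory (Enterprise Admins only) and activate
# the scope. A Windows DHCP server that is not authorized refuses to serve
# leases, which is the control against rogue DHCP servers on the LAN.
Invoke-NetshDhcp @('add', 'server', 'dcserver.langha.vinapay.com.vn', '192.168.2.2')
Invoke-NetshDhcp @('server', 'scope', $Scope, 'set', 'state', '1')

# Verify what clients will receive, then dump the whole configuration to a file:
# this export is the DHCP backup the administration policy in section 4 asks for
# and can be re-imported with "netsh dhcp server import".
Invoke-NetshDhcp @('server', 'scope', $Scope, 'show', 'optionvalue')
Invoke-NetshDhcp @('server', 'export', 'C:\DHCPBackup\dhcp-config.txt', 'all')
```

Keep the exported file with the server backups and under the same access restrictions: it lists every reservation and option, which is enough for an attacker to stage a convincing rogue server.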
[Figure 1.4.8: selecting the DHCP Server role in the Configure Your Server Wizard]

The DHCP server is configured as follows: the address 192.168.2.1 is kept for the router and the address 192.168.2.2 is reserved for the DNS server, as shown in the figure below.

[Figure 1.4.9: the DHCP server with the scope 192.168.2.0 (range 100 to 150)]

For the administration policy of the DHCP service to be complete, the administrator must also define a suitable policy for backing up the DHCP data. Windows Server 2003 provides a tool for backing up and restoring this data (Ntbackup).

PART II: ADMINISTERING AND MAINTAINING THE SYSTEM

Once an organization has deployed its domain controllers in accordance with the security settings discussed in Part I of this document, the security level of the domain controllers must be maintained or even raised. Whether the environment stays secure is determined largely by the organization's IT operating procedures. Part I introduced the secure deployment of Active Directory as well as the building and configuration of the domain controllers. Part II gives recommendations for keeping Active Directory secure, with operations such as periodically auditing the configuration of the domain controllers to make sure that no unauthorized change has occurred.

1. Basic concepts

1.1 Some concepts of Active Directory architecture

The logical components of the Active Directory architecture are:
- objects
- domains
- trees
- forests (not covered in this thesis)
- organizational units (OUs)

1.1.1 Objects

Objects are the resources stored in Active Directory. They are considered the most basic component of the Active Directory directory service.
Objects are stored in Active Directory in a hierarchical structure of parent containers and child containers so that they are easier to find, access and manage. This structure is similar to the organization of files and folders.

Object classes: an object is a set of attributes. The attributes that make up an object are defined by an object class. When a new object is created, it automatically inherits the attributes of the class it belongs to, and of course we can change the object classes and their attributes to suit the organization's requirements.

The Active Directory schema: the classes and the attributes together form the Active Directory schema. In database terms, a schema is a structure consisting of tables, fields and the relationships between them. The Active Directory schema is therefore very important to the operation of the directory service. It is protected by an access control list (ACL) that allows only users and applications with the appropriate rights to perform particular operations on it. Changing the schema requires great care.

1.1.2 Domains

The basic organizational structure of the Windows Server 2003 network model is the domain. A domain represents an administrative boundary: the computers, users and other objects in a domain share a common security database.

1.1.3 Trees

Different domains are organized in a hierarchical structure called a tree. Even if your organization has only one domain, you still have a tree. The first domain created in a tree is called the root domain. The domains created next are child domains of that root domain. A tree can be extended to many domains. All the domains in a tree share a common schema and a contiguous namespace.
1.1.4 Organizational units (OUs)

An OU provides a way to create an administrative boundary inside a domain. Above all, it lets you delegate administrative tasks within a domain. An OU acts as a container holding resources in the domain, and you can apply administrative rights to an OU. Typically the OU structure follows the functional or business structure of the organization. For example, a small organization with a single domain can create separate OUs corresponding to its departments. OUs can be nested (OUs created inside an OU). However, a complicated OU structure in a domain can be an obstacle: the simpler your structure, the easier it is to implement and manage. If you nest OUs more than 12 levels deep you will run into performance problems.

1.2 Backup and restore

Backup and restore is an indispensable function in any system. This document briefly describes the backup of a system installed on Windows Server 2003, so that system engineers can devise the most effective backup solution and policy. There are five backup types; which to use depends on how important the data is and on the policy by which you want to restore it:
- Daily: backs up the files that changed on the day the backup runs. If a file was modified on the same day as the backup, it is backed up. The archive attribute of the files is left unchanged.
- Incremental: backs up the files that changed since the last normal or incremental backup. If the archive attribute is set, the file has just been modified; only files with this attribute are backed up.
Mét 28 Trién khai, quén tri, duy tri & nang céip_hé théng mang doanh nghiép file vita duge backup, thi thuge tinh liu trir duge xod va chi thiét dat Jai khi dir ligu duge thay > Full(Normal): backup nhiing file duge Iya chon, khéng quan tim én in nia, thiét dinh ca thude tinh Iuu trir nhu thé nao. Mét file via duge backup, thi thude tinh luu tri duge x04 cho dén Kkhi file dé duge thay d6i. Khi thuéc tinh Iwu tri duge thiét dinh lai, thi né biéu thi ring file 46 can duge backup, v Differential: Backup nhimng file ma thay di tir Full backup cudi cing. Néu thuge tinh hu tri duge hién thi, né 6 nghia li dit ligu vita duge thay ddi va file e6 thuge tinh tinh nay duge thiét dat sé duge back up. Tuy nhién, v6i trudng hyp backup nay thuge tinh lu trir khong bj xod vi vay cho phép cic loai backup khéc sir dung cing dit ligu d6 & giai doan sau. > Copy: Backup tit ca nhiing file ma duge chon, khong quan tam thude tinh Iuu tri, Thuge tinh hun tri khong thay d6i, vi vay nhiing loai backup khée c6 thé thue hign trén dit ligu tuong tu. 2. Co'séli thuyét. Mac dit bao mit li m6t viée quan trong can duge can nhac déi voi ca cdc thanh phan ctia hé théng mang trong té chite, déi véi cde may chit e6 mite bao mat cao thi béo mat 14 mt phan dec bigt quan trong. Mite “ high security” ( bio mat cao) xudt phat tir yéu cdu bao mat cao cila cae tién trinh dang chay trén cée server. Xie dinh may chit trong t6 chite cia ban lA mot high-security server khi n > Chay mot dich vu trong ngdt cdnh eiia mOt tai khodn service Active Directoryministrator-level > Duoc tin ting dé uy quyén (trusted for delegation) 29 Trién khai, quén tri, duy tri & nang céip_hé théng mang doanh nghiép > Khi mét may chu duge coi la tin tuéng dé tty ty quyén, thi khi phyc vy mét yéu cdu cia client may chi sé e6 kha nding dura ra yéu cu t6i cde dich vu chay trén may chii khée dudi ngtr anh bao mat cua client. 
Because the client issuing the request may hold high security privileges, the server can also obtain those high privileges. Therefore every server that is "trusted for delegation" inside the forest can be treated as a high-security server. On the basis of these criteria, in addition to the domain controllers there may be other high-security servers in your network that will need special day-to-day operations to maintain their protection. Protect all high-security servers using the general principles for secure server operation.

2.1 Performing security maintenance for Domain Controllers and Administrative Workstations

Once your organization has configured its domain controllers and administrative workstations securely, following the recommendations in part I of this document, operations begin. In a real environment, administrators perform day-to-day maintenance on domain controllers and administrative workstations fairly often. How these tasks are carried out directly affects the level of security of the domain controllers and administrative workstations that your organization can maintain. Written policies and procedures should exist for all domain controller maintenance activities, including:
- Backup and restore of domain controllers
- Hardware replacement for domain controllers and administrative workstations
- Virus scanning on domain controllers and administrative workstations

2.2 Establishing a backup and restore strategy for domain controllers

Administrators plan System State backups on every domain controller so that they can recover when Active Directory data is lost or a domain controller fails. A domain controller can fail because of a serious fault in a service.
As part of secure management and recovery operations, domain controller backups must be performed securely and reliably. System State backup on a domain controller differs from the backup and restore forms used on other servers in that:
- Incremental backup cannot be performed
- Not every domain controller needs to be backed up
- A backup taken from one domain controller cannot be used to restore a different domain controller
- Restore can be either authoritative or non-authoritative
- High-security domain controllers require special handling
Because of the high security requirements, a secure backup and restore policy includes security operations that are not needed when backing up an ordinary server. A secure domain controller backup and restore strategy includes the following main operations:
- Avoid using a common company-wide account to perform backups
- Restrict the domain controller backup hardware so that it is kept secure
- Schedule regular domain controller backups and destroy backup media once it is no longer needed
- Protect the Backup Operators accounts
- Periodically perform test restores of domain controllers from backup media
Implement a backup and restore policy that states which domain controllers are backed up, who is authorized to perform this function, how the domain controllers are backed up and how the backup media is used.

2.3 Managing Backup Operators accounts

Active Directory contains a built-in group called Backup Operators. Members of this group are regarded as service administrators, because they have the right to restore files, including system files, on domain controllers. Membership of the Backup Operators group in Active Directory should be limited to the individuals who perform backup and restore of domain controllers.
Every member server also has its own built-in group called Backup Operators. The individuals responsible for backing up applications on a member server should be members of the Backup Operators group on that server, not of the Backup Operators group in Active Directory. On an individual domain controller you can reduce the number of members of the Backup Operators group. When a domain controller is also used to run other applications, the individuals responsible for backing up those applications on the domain controller must be trusted to the same degree as service administrators, because they will hold the rights needed to restore files, including system files, on the domain controller. By default the Backup Operators group is empty. Its membership can be changed by members of the Administrators, Domain Admins and Enterprise Admins groups.
The permissions are listed in Table II.1.

Table II.1 Security descriptor protecting the Backup Operators group in Active Directory

Type | Name | Permissions | Applies to
Allow | Administrators | List Contents, Read All Properties, Write All Properties, Delete, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, All Extended Rights, Create All Child Objects, Delete All Child Objects | This object only
Allow | Authenticated Users | List Contents, Read All Properties, Read Permissions | This object only
Allow | Domain Admins | List Contents, Read All Properties, Write All Properties, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, All Extended Rights, Create All Child Objects, Delete All Child Objects | This object only
Allow | Enterprise Admins | List Contents, Read All Properties, Write All Properties, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, All Extended Rights, Create All Child Objects, Delete All Child Objects | This object only
Allow | Everyone | Change Password | This object only
Allow | Pre-Windows 2000 Compatible Access | List Contents, Read All Properties, Read Permissions | Special
Allow | SYSTEM | Full Control | This object only

Note: specialized terms that are hard to follow are explained in the appendix.

3. Current state of the system

Employee accounts have not been organized or assigned specific permissions; all users have the same basic, equal rights. No policy templates or policies of any kind are applied to the Active Directory system. The company's system has only just been built, so there is no update or backup policy at all. To keep the system running normally and securely, a sound backup mechanism is therefore an essential requirement.

4.
Deployment work and results

4.3 Administering the Active Directory system

Install Windows Server 2003 on the server, then configure it as a domain and promote the server to a Domain Controller. Design Active Directory so that it interoperates as well as possible with the other services on the Intranet: e-mail, Internet access, chat, SharePoint Portal. An Active Directory system is considered good when it satisfies the requirements of those services and at the same time has a sound user policy. The figure below shows the Active Directory administration interface.

[Figure II.4.1: Active Directory management console (screenshot not reproduced)]

Choosing the system model for VINAPAY is a very important task. The model must reflect VINAPAY's organizational structure while remaining convenient to administer, without hurting the performance of the directory service. To address this, Active Directory lets Microsoft domains be divided into OUs, and choosing OUs to hold the departments meets this requirement. The following figure shows an OU.

[Figure II.4.2: An OU in Active Directory (screenshot not reproduced)]

Active Directory's authentication features ensure the following requirements:
- Administrative groups can manage information independently
- Administration can be delegated to different administrative groups
- Security features of Active Directory such as GPO, combined with the IPSec and NAT features of Windows Server 2003, create a secure environment in which users can only reach the resources for which they have been granted rights.
To guarantee this, Active Directory is administered along several dimensions: computer management, user management, and user group management. Active Directory applies policies to each user and to each group of users.

[Figure II.4.3: A Group Policy (screenshot not reproduced)]

Concretely, for ease of administration, Vinapay's structure is divided into 10 account groups, each with its own policy. When a new user arrives, we only need to add that user to the appropriate group instead of looking up individual rights or configuring each user separately. Policies are inherited: a setting at a higher level can override one below it, and to stop certain settings from being inherited you can tick the Block Policy inheritance checkbox. The criteria the domain model must guarantee are:
- Administrative groups can manage information independently
- Administration can be delegated to different administrative groups
- A secure environment in which users can only reach the resources for which they have been granted rights

4.2 Configuring backup for the domain

4.2.1 Scheduling backup jobs

You must back up the data that is at risk for your company, and then you need to be sure that the data continues to be backed up at regular intervals. Instead of running backups by hand, you can schedule them so that they run automatically. Scheduling keeps the backups current: jobs run at a specific time, on a recurring cycle, or in response to selected system events, to suit the company's data storage patterns, typically at times when the network is idle.
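Before scheduling jobs it helps to see precisely what each of the five backup types from section 1.2 captures and what it does to the archive attribute, since that decides how many sets a restore needs. The simulation below is an illustrative example added to this write-up; it is not ntbackup code or code from the original document, and the file names are constructed sample data.

```python
"""How the five Windows Backup types select files and treat the archive attribute.
Illustrative simulation added to this write-up; not ntbackup code or code from the
original document. File names are constructed sample data."""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool = True          # Windows sets this bit whenever the file is written
    modified_today: bool = False  # used by the Daily type


def _all(f): return True
def _archive_set(f): return f.archive
def _changed_today(f): return f.modified_today


# backup type -> (which files are selected, whether the archive bit is cleared afterwards)
BACKUP_TYPES = {
    "normal":       (_all,           True),
    "copy":         (_all,           False),
    "incremental":  (_archive_set,   True),
    "differential": (_archive_set,   False),
    "daily":        (_changed_today, False),
}


def run_backup(kind, files):
    """Run one job of the given type; return the names it captured and update archive bits."""
    select, clears = BACKUP_TYPES[kind]
    backed = [f.name for f in files if select(f)]
    if clears:
        for f in files:
            if select(f):
                f.archive = False
    return backed


def modify(files, name):
    """An application writes the file: Windows sets the archive bit."""
    for f in files:
        if f.name == name:
            f.archive = True
            f.modified_today = True


def end_of_day(files):
    for f in files:
        f.modified_today = False


def simulate(kind):
    """A normal backup first, then one job of `kind` on each of the next two days, with a
    different file changed each day. Returns (names captured per job, archive bits at the end)."""
    files = [File("a.txt"), File("b.txt"), File("c.txt")]
    jobs = [run_backup("normal", files)]
    end_of_day(files)
    for changed in ("a.txt", "b.txt"):
        modify(files, changed)
        jobs.append(run_backup(kind, files))
        end_of_day(files)
    return jobs, {f.name: f.archive for f in files}


def weekly_chain(kind):
    return simulate(kind)[0]


def archive_bits_after(kind):
    return simulate(kind)[1]


if __name__ == "__main__":
    for kind in BACKUP_TYPES:
        print(f"{kind:12s} jobs={weekly_chain(kind)} bits={archive_bits_after(kind)}")
```

Running it shows why the restore procedures differ: after the normal backup, the incremental chain captures only a.txt and then only b.txt and leaves every archive bit clear, whereas the differential chain captures a.txt and then both files and leaves their bits set, so a restore needs the full set plus every incremental but only the full set plus the latest differential.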
Backup scheduling methods. A backup can be scheduled in 3 ways:
- When you create a new backup in Windows Backup.
- By using the Scheduled Jobs tab in Windows Backup to schedule an existing job.
- By creating a job with the ntbackup command and running it from the Windows command line.

Backup scheduling options. You have several options for scheduling a backup:

Schedule Option | Execute the Job
Once | at a specific time on a specific day
Daily | at a specific time every day
Weekly | at a specific time every week
Monthly | at a specific time each month
At System Startup | when the system starts
At Logon | when a user logs on
When Idle | when the system is idle

4.2.2 A method for building data backup and restore (as applied at Vinapay)

When building a backup and recovery plan, you must ask yourself a number of questions in order to decide how to back up, when, and which data. These questions include:
- When is the most convenient time to run the backup job? Backing up data outside the system's peak hours, when resource usage is low, is ideal.
- Will you store backups off-site? It is recommended to back up to media stored outside the data area, in case of a natural disaster, fire, information leak, and so on. It is also advisable to keep a copy of the software required to install and restore the operating system, the database server and the backup/recovery tools.
- How important is the data to the running system? Classifying data by importance helps you decide which data needs to be backed up, how, and when. At-risk data (such as financial data, databases, ...)
will be backed up in stages, producing a series of redundant backups, while less important data is backed up daily and restored in a simple way.
- How quickly must the data be restored from backup? That is, bringing the at-risk system back to normal operation as soon as possible. Your backup design depends heavily on the time it takes to restore a system, and data will be classified by stage and restore sequence.
- How does the data change over time? Data that changes daily is backed up daily. The rate at which your data changes determines the system's backup frequency.
- What kinds of information does the data on your system contain? You must know what information your data holds so that you can determine its risk, confidentiality, and so on, and hence its importance. This helps you decide when and how the data is backed up.
- Do you have the equipment needed to back up? Make sure you have good hardware and enough media to perform a backup. The choice of backup media is an important factor in backing up and restoring data. Tape is a common form of media: robust, able to store large amounts of data and cheap, but slower than the alternatives.

4.2.3 Restricting the backup service and storage media to secure locations

Give domain controller backup media the same level of physical security as the domain controllers themselves. Because the backup media contains all of the information in the Active Directory database, theft of these backups is as dangerous as theft of a domain controller or of a disk taken from a domain controller: an attacker could restore the information held on it and gain access to the Active Directory data.
To prevent unauthorized individuals from accessing backup media:
- Remove the media from the backup drive as soon as the backup completes.
- Store backup media in a secure place where access is monitored.
- Keep a spare backup copy at a different location.
- Establish processes and procedures that require the administrator's signature whenever backup media is taken off-site.
- Keep backup devices ready and in the best possible condition.

4.2.4 Backup plan for VINAPAY

To back up the VinaPay system there are 2 options, following this model:

[Figure II.4.6: Two proposed backup schemes for the Vinapay company model (diagram not reproduced)]

II.1 Model 1

Day | Description
Sunday 12.00 PM | Full backup (normal): back up all current data in files and folders.
Monday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Tuesday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Wednesday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Thursday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Friday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Saturday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.

II.2 Model 2

Day | Description
Sunday 12.00 PM | Full backup (normal): back up all current data in files and folders.
Monday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Tuesday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Wednesday 12.00 PM | Full backup (normal): back up all current data in files and folders.
Thursday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Friday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.
Saturday 12.00 PM | Incremental: back up only the files and folders changed since the last normal backup.

4.2.5 Managing the lifecycle of domain controller hardware

An organization may periodically retire or reuse a significant number of servers, workstations and backup devices. Domain controllers, administrative workstations and domain controller backup devices contain sensitive information that must be protected. To protect this information when equipment is reused, you need a policy that defines how to proceed when domain controllers, administrative workstations and the associated backup devices are reused.

PART III: UPGRADING THE COMPANY NETWORK WITH ISA SERVER 2004

In this chapter we examine security measures for the company network using the ISA 2004 firewall. By studying ISA and the effect of its basic models (provided by the templates that ship with its help), we can find a configuration suited to our own network.

1. Basic concepts

ISA Server 2004 is designed to protect the network against intrusion from outside and to control access originating from inside an organization's internal network. The ISA Server 2004 firewall does this through a mechanism that controls what is allowed through the firewall and what is blocked. The ISA Server 2004 firewall offers many features that Security Admins can use to secure Internet access and also to protect resources on the internal network.
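Returning to the two backup schedules proposed for Vinapay in section 4.2.4: the practical difference between them is how many backup sets an operator must restore, in order, after a failure. The script below computes that restore chain for each day of the week; it is an illustrative example added to this write-up, not code from the original document. It assumes standard incremental semantics (each incremental holds only the changes since the previous job, so the last full set plus every later incremental is required) and that the week starts with a full backup on Sunday, as both models do.

```python
"""Restore chains for the two weekly backup schedules proposed for Vinapay (section 4.2.4).
Illustrative example added to this write-up, not code from the original document."""

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def weekly_schedule(full_days):
    """Build a week of jobs (all run at 12.00 PM, as in the page's tables): a Full (normal)
    backup on each day in `full_days` and an Incremental backup on every other day.
    Assumption: the week opens with a full backup, so every chain has a starting point."""
    if "Sunday" not in full_days:
        raise ValueError("schedule must start the week with a full backup on Sunday")
    return [(day, "full" if day in full_days else "incremental") for day in DAYS]


MODEL_1 = weekly_schedule({"Sunday"})               # one full backup per week
MODEL_2 = weekly_schedule({"Sunday", "Wednesday"})  # two full backups per week


def restore_chain(schedule, failure_day):
    """Backup sets that must be restored, in order, if the system fails after the job on
    `failure_day` has completed: the most recent full set plus every incremental after it."""
    idx = DAYS.index(failure_day)
    start = max(i for i in range(idx + 1) if schedule[i][1] == "full")
    return [day for day, _ in schedule[start:idx + 1]]


def worst_case_chain(schedule):
    """Longest restore chain over the week, i.e. the most media a restore can depend on."""
    return max(len(restore_chain(schedule, day)) for day in DAYS)


def weekly_full_jobs(schedule):
    """Number of full backups per week (the cost side of a shorter chain)."""
    return sum(1 for _, kind in schedule if kind == "full")


if __name__ == "__main__":
    for name, model in (("Model 1", MODEL_1), ("Model 2", MODEL_2)):
        print(f"{name}: worst-case chain {worst_case_chain(model)} sets, "
              f"{weekly_full_jobs(model)} full job(s) per week")
        print("  failure on Saturday restores:", " -> ".join(restore_chain(model, "Saturday")))
```

Model 1 needs up to 7 sets (Sunday's full plus six incrementals) for a failure late in the week, while Model 2 never needs more than 4, at the cost of a second full backup each week; every set in the chain must be intact and restored in order, which is why the text insists on periodic test restores.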
The network services and ISA Server 2004 features to be installed and configured are:
- Install and configure Microsoft Certificate Services (the service that issues digital certificates for secure identification of parties in network transactions).
- Install and configure Microsoft Internet Authentication Service (RADIUS), the secure authentication service for remote access over remote connections (dial-up or VPN).
- Install and configure Microsoft DHCP Services (the service that supplies TCP/IP configuration to nodes on the network) and WINS Services (the service that resolves the NetBIOS names of computers on the network).
- Configure WPAD entries in DNS to support autodiscovery and autoconfiguration for Web Proxy and Firewall clients. This is very convenient for ISA clients (Web Proxy and Firewall clients) in an organization when a computer is moved from one network (with one ISA server) to another (with a different ISA server) and still automatically discovers and works with the Web Proxy service and Firewall service on that ISA server.
- Install Microsoft DNS server on the perimeter network server (the network holding the servers that provide online services to external clients, behind the firewall but separated from the LAN).
- Install the ISA Server 2004 firewall software.
- Back up and restore the configuration of the ISA Server 2004 firewall.
- Use the ISA Server 2004 Network Templates to configure the firewall.
- Configure the ISA Server 2004 client types.
- Create access policies on the ISA Server 2004 firewall.
- Publish a web server on a perimeter network.
- Use the ISA Server 2004 firewall as a spam-filtering SMTP relay (an e-mail relay that can block spam).
- Publish Microsoft Exchange Server services (Microsoft's mail and collaboration system, comparable to IBM Lotus Notes).
- Install ISA Server 2004 on Windows Server 2003.

2. Theoretical basis

2.1 Network Templates (template sets of network configuration parameters)

With the support of the templates, the ISA Server 2004 firewall lets us configure the parameters for Networks, Network Rules and Access Rules automatically. Network Templates are designed to quickly produce a baseline configuration on which we can then build. The templates include:

2.1.1 Edge Firewall

The Edge Firewall Network Template is used when the ISA Server 2004 firewall has one network interface connected directly to the Internet and one network interface connected to the Internal network.

[Figure III.1: Edge Firewall model (diagram not reproduced)]

2.1.2 3-Leg Perimeter

The 3-Leg Perimeter Network Template is used with a firewall that has 3 network interfaces: an External interface (connected to the Internet), an Internal interface (connected to the internal network) and a DMZ interface (connected to the Perimeter Network). This template configures the addresses of these networks and the relationships between them.

[Figure III.2: 3-Leg Perimeter model (diagram not reproduced)]

2.1.3 Front Firewall

Use the Front Firewall template when the ISA Server 2004 firewall acts as the front-end firewall in a back-to-back firewall model. This model chains 2 firewalls: the Internet faces the front firewall, between the front and back firewalls there can be a DMZ network, and behind the back firewall lies the Internal network. This template is for the Front Firewall.

[Figure III.3: Front Firewall model (diagram not reproduced)]

2.1.4 Back Firewall

Used for an ISA Server 2004 firewall located behind another ISA Server 2004 firewall (or some third-party firewall) that sits in front of it.
2.1.5 Single Network Adapter

The Single Network Adapter template is a rather special configuration: applying it to ISA Server 2004 means giving up its firewall function. It is used when ISA Server 2004 has only one network card (unihomed) and acts as a web caching server.

2.2 Network template configurations

In this project we consider only the configuration of the 2 common and simple firewall forms: Edge Firewall and 3-Leg Perimeter.

2.2.1 Edge Firewall configuration

The Edge Firewall template configures an ISA Server 2004 firewall that has one network interface attached directly to the Internet and a second network interface connected to the Internal network. This network template lets the admin quickly apply access rules through the firewall policy (firewall policy access control) between the Internal network and the Internet. The following table shows the firewall policies that are available when the Edge Firewall Template is used. Each firewall policy comes with preset access rules, ranging from allowing all activity (All Open Access Policy) between the Internal network and the Internet to blocking all activity (Block All policy) between the Internal network and the Internet.

Firewall policy options when using the Edge Firewall Network Template:

Table III.1 Edge Firewall policies

- Block all: blocks all access through the ISA server. This option creates no rules other than the default rule blocking all access.
- Block Internet access, allow access to ISP Network services: blocks all access through ISA Server 2004 except access to network services such as DNS. This option is used when the ISP provides those services.
Use this option to define your firewall policy; for example, the rules created are: Allow DNS from Internal Network and VPN Clients Network to External Network (Internet), allowing the Internal Network and VPN Clients Network DNS access to the outside; and Allow all protocols from VPN Clients Network to Internal Network, allowing protocols from the (external) VPN Clients Network into the internal network.
- Allow limited web access to ISP Network services: allows limited web access using HTTP, HTTPS and FTP and allows access to ISP network services such as DNS. All other network access is blocked. The following access rules are created: Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet); Allow DNS from Internal Network and VPN Clients Network to External Network (Internet), letting the Internal Network reach DNS to resolve external (Internet) host names; Allow all protocols from VPN Clients Network to Internal Network, giving the VPN Clients Network (external VPN clients connecting into the internal network over the Internet) access to the internal network.
- Allow unrestricted access: allows unrestricted access to the Internet through the ISA server. The following access rules are created: Allow all protocols from Internal Network and VPN Clients Network to External Network; Allow all protocols from VPN Clients Network to Internal Network.
2.2.2 3-Leg Perimeter configuration

Configuring the firewall with the 3-Leg Perimeter template creates the relationships between the networks Internal, DMZ and Internet. The firewall also creates Access Rules to support the Internal network segment and the perimeter (DMZ) network segment. The DMZ perimeter segment is the area that can host resources Internet users are allowed to reach, such as a public DNS server or a caching-only DNS server.

Firewall policy options in the 3-Leg Perimeter Firewall Template:

Table III.2 3-Leg Perimeter policies

- Block all: blocks all access through the ISA server. This option creates no rules other than the Default Rule blocking all access.
- Block Internet access, allow access to Network services on the Perimeter Network: blocks all access through ISA Server 2004 except access to network services such as DNS. The following access rules are created: Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network; Allow all protocols from VPN Clients Network to Internal Network, allowing protocols from the (external) VPN Clients Network into the internal network.
- Block Internet access, allow access to ISP Network Services: blocks all network access through the firewall except network services such as DNS. This option suits the case where the basic network services are provided by the Internet Service Provider (ISP). The rule created is: Allow DNS from Internal Network, VPN Clients Network and Perimeter Network to External Network.
- Allow limited web access, allow access to Network services on Perimeter Network: allows limited web access using HTTP, HTTPS and FTP and allows access to network services such as DNS on the DMZ.
All other network access is blocked. The following access rules are created: Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to Perimeter Network and External Network (Internet); Allow DNS traffic from Internal Network and VPN Clients Network to Perimeter Network; Allow all protocols from VPN Clients Network to Internal Network, giving the VPN Clients Network (external VPN clients connecting into the internal network over the Internet) access to the internal network.
- Allow limited web access to ISP Network services: network services such as DNS are provided by our ISP. All other network access is dropped. The following access rules are created: Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network; Allow all protocols from VPN Clients Network to Internal Network.
- Allow unrestricted access: allows every kind of access to the Internet through the firewall. The firewall still blocks access from the Internet into the protected networks, and starting from this allow-all policy you can then block the accesses that do not fit the company's security policy. The following rules are created: Allow all protocols from Internal Network and VPN Clients Network to External Network and Perimeter Network; Allow all protocols from VPN Clients Network to Internal Network.

2.3 Configuring ISA Server 2004 SecureNAT, Firewall and Web Proxy clients

An ISA Server 2004 client is a computer that reaches other resources through an ISA Server 2004 firewall. In general, ISA Server 2004 clients sit in an Internal or perimeter (DMZ) network and connect to the Internet through the ISA Server 2004 firewall.
There are 3 types of ISA Server 2004 client:
- SecureNAT client
- Web Proxy client
- Firewall client

A SecureNAT client is a computer whose default gateway setting routes it to the Internet through the ISA Server 2004 firewall. If the SecureNAT client is on a network directly connected to the ISA Server 2004 firewall, its default gateway is the IP address of the network card on the ISA Server 2004 firewall that is attached to that network. If the SecureNAT client is on a network remote from the ISA Server 2004 firewall, its default gateway is the IP address of the nearest router; that router forwards the SecureNAT client's traffic to the ISA Server 2004 firewall and out to the Internet.

A Web Proxy client is a machine with a web browser (such as Internet Explorer) configured to use the ISA Server 2004 firewall as its web proxy server. The browser can be configured to use the IP address of the ISA Server 2004 firewall as its proxy either manually or automatically through the ISA Server 2004 firewall's Web Proxy autoconfiguration script. These autoconfiguration scripts allow a high degree of customization in controlling how the Web Proxy client connects to the Internet. The user name is recorded in the Web Proxy logs when the computer is configured as a Web Proxy client.

A Firewall client is a computer with the Firewall Client software installed. The Firewall Client software intercepts all requests from Winsock applications (typically applications using TCP and UDP) and forwards them to the Firewall service on the ISA Server 2004 firewall. The user name is automatically written to the Firewall service log when a Firewall client computer connects to the Internet through the ISA Server 2004 firewall.

Table III.3 ISA Server 2004 client features
Feature | SecureNAT client | Firewall client | Web Proxy client
Installation required | None; only the default gateway setting is needed | The Firewall Client software must be installed | None; only the appropriate settings in the web browser
Operating system support | Any operating system that supports TCP/IP | Windows only | Any operating system with a web application
Protocol support | Requires application filters for applications that use several connections (multi-connection protocols) | All Winsock applications, which is most Internet applications today | HTTP, Secure HTTP (HTTPS) and FTP
User authentication (controlling which users may go out) | Only for VPN clients | Supported | Supported

We have now seen the different ISA Server 2004 clients and the features of each type. Next we look at the procedures for creating or editing rules in the outbound access policy through the Network Templates.

2.4 Configuring access policies on ISA Server (ISA Server 2004 Access Policy)

The ISA Server 2004 firewall controls the traffic passing between the networks connected through it. By default, the ISA Server 2004 firewall blocks all traffic. Two methods are used to allow traffic:
- Access Rules
- Publishing Rules

Access rules control outbound access from a protected network on the inside to an unprotected network on the outside. ISA Server 2004 treats every network other than External as protected; all networks defined as External are unprotected. The protected networks are: the VPN Clients Network, the Quarantined VPN Clients Network (isolated VPN clients), the Local Host Network and the DMZ (the perimeter network holding the servers that serve Internet users). ISA
protects internal clients when they access outside networks. Whereas access rules control outbound access, publishing rules allow hosts on the External network to reach resources on a protected network, for example web, mail and FTP servers: web publishing and server publishing rules can let external hosts reach these resources.

In the previous sections we used the Network Templates to create the relationships between networks and the access rules automatically. That relationship can be realised as access rules that allow access to every site and protocol on the Internet, while the ISA Server 2004 firewall restricts which users may reach the Internet.

Table III.4.1 An access rule consists of the following elements:

| Rule element | Description |
| --- | --- |
| Order (priority) | The Firewall Access Policy is an ordered list of access rules, processed from top to bottom until a rule whose conditions are met is found; that rule is then applied. |
| Action | Only two decisions exist: Allow or Deny. |
| Protocol | Any TCP/IP protocol: TCP, UDP, ICMP and any protocol identified by its IP protocol number. The firewall supports all TCP/IP protocols. |
| Source (From/Listener) | One IP address, a range of IP addresses, a subnet or several subnets. |
| Destination (To) | A domain or set of domains, a URL or set of URLs, an IP address or set of IP addresses, a subnet or set of subnets, or a set of networks. |
| Condition | The users or groups to which the rule applies. |

Access rules are a fairly simple but very effective means of access control: they express mainly which user may reach which website, and which protocols may be used for
that communication.

Example:

| Rule element | Value |
| --- | --- |
| Order (priority) | 1 |
| Action | Allow |
| Protocols | HTTP and FTP |
| From | Internal network |
| To | FTP.com |
| Condition | Limited web access (group) |

To use access rules to control outbound access by users or groups of users, the client computers must be configured as Firewall clients or Web Proxy clients. Only a client of one of those two types can be authenticated by the firewall on a per-user basis. With SecureNAT clients, user and group information is not authenticated, so the ISA Server firewall cannot identify the account it is supposed to restrict; such clients can only be controlled by source IP address, which access rules also support.

ISA Server 2004 can therefore create access rules that control access to particular websites and the protocols used to reach them.

3. Current state of the system

The existing system has no security policy enforced by a firewall. Client machines reach the Internet directly through the modem, so the risk of attack is high. Downloads of files and access to disallowed web pages, addresses and traffic flows are not blocked. Traffic flows inside the company are not segmented.

4. Deployment work and results

4.1 Choosing the firewall (proxy) system

One of two options:
- ISA 2004
- Linux IPCop

ISA

Advantages:
- Strong management of the protocols HTTP, POP3, HTTPS and SMTP.
- Effective blocking of web pages, of file downloads (*.bat, *.exe) and of chosen websites.
- Access Rule policies (From ... To ...) applied to the clients: effective control of connections from inside out and from outside in.
- Many other powerful features.
- Additional security software can be integrated, e.g. SurfControl to block undesirable websites.

Disadvantages:
- High hardware requirements; installation is fairly complex.
- High cost.

IPCop

Advantages:
- Low cost.
- Simple installation.
- Low hardware requirements.

Disadvantages:
- Poor compatibility with other software.
- Weaker security assurance.

Given these advantages and disadvantages, ISA Server 2004 is the proposed solution.

4.2 Installing ISA Server 2004 on Windows Server 2003

Installation is not very complicated (the complexity lies in configuring the parameters); only a few items have to be confirmed during the process. The most important configuration step during installation is to define exactly the internal network IP address range(s). Unlike ISA Server 2000, ISA Server 2004 does not use a Local Address Table (LAT) to decide which networks are trusted and which are untrusted. Instead, the ISA Server 2004 firewall treats the addresses declared under the Internal network as the trusted internal addresses. The Internal network marks out the area containing the important network servers and services: Active Directory domain controllers, DNS, WINS, RADIUS, DHCP, the firewall management stations, etc. Any address range left out of the Internal network definition falls into the External network and is treated as untrusted, so the ranges entered must be complete and must match the networks actually routed behind the firewall. All communication between the Internal network and the ISA Server 2004 firewall is controlled by the firewall's System Policy. The System Policy is a set of pre-defined access rules that determines which traffic is allowed inbound and outbound through the firewall immediately after installation. The System Policy can be configured, allowing security administrators to tighten or loosen its default access rules.
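The Web Proxy Autoconfiguration script mentioned in the description of Web Proxy clients (section 2.3) is an ordinary PAC file: a JavaScript function the browser calls for every request. The following is an added example written for this page, not the thesis's own script and not the one ISA Server generates; the firewall address 192.168.1.1, the proxy port 8080, the internal subnet 192.168.1.0/24 and the domain langha.com.vn are assumed values.

```javascript
// Added example for this page, not code from the thesis or from ISA Server:
// a Web Proxy Autoconfiguration (PAC) script of the kind the ISA Server 2004
// firewall hands to Web Proxy clients. The browser calls FindProxyForURL()
// for every request and obeys the string it returns.
// ASSUMED values (not given in the thesis): ISA internal interface
// 192.168.1.1, Web Proxy listener on TCP 8080, internal subnet
// 192.168.1.0/24, company domain langha.com.vn.

var ISA_PROXY = "PROXY 192.168.1.1:8080";
var INTERNAL_DOMAIN = ".langha.com.vn";
var INTERNAL_NET = "192.168.1.0";
var INTERNAL_MASK = "255.255.255.0";

// Dotted-quad IPv4 literal -> unsigned 32-bit number, or -1 if not a literal.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside net/mask. Unlike the browser's
// built-in isInNet(), this never resolves names through DNS: a name that
// merely resolves to an internal address is still sent through the proxy,
// so a hostile DNS answer cannot talk the browser into bypassing ISA.
function literalInNet(host, net, mask) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net), k = ipv4ToInt(mask);
  if (h < 0 || n < 0 || k < 0) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// Suffix check: ".langha.com.vn" matches "srv.langha.com.vn" but not
// "langha.com.vn.attacker.example".
function inDomain(host, suffix) {
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (http://fileserver/) and the company domain stay on
  // the LAN: relaying them through ISA adds latency and clutters the logs.
  if (host.indexOf(".") === -1 || inDomain(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  if (literalInNet(host, INTERNAL_NET, INTERNAL_MASK)) {
    return "DIRECT";
  }
  // Everything else goes to ISA, where access rules and user authentication
  // apply. Deliberately no "; DIRECT" fallback: if the proxy is down the
  // browser fails closed instead of trying to bypass the firewall.
  return ISA_PROXY;
}
```

The script only advises the browser: a user who edits the proxy settings, or an application that ignores them, is back to SecureNAT behaviour, so the access rules on the firewall, not the script, remain the enforcement point. The INTERNAL_NET value must agree with the Internal network range defined at installation (section 4.2), otherwise internal hosts would be proxied or, worse, external ones sent DIRECT.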
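The ordered, first-match processing of access rules described in section 2.4 (Table III.4.1 and the example rule), together with the limitation that SecureNAT clients cannot be matched by user or group, is shown below as an added example. This is model code written for this page, not the thesis's and not ISA Server's own engine; the sample policy, which only loosely follows the rule set deployed in section 4.3, and all host names, users and group names in it are constructed.

```javascript
// Added example for this page, not code from the thesis or from ISA Server
// 2004: a first-match evaluator over the access-rule elements of Table
// III.4.1 (order, action, protocol, from, to, condition). It models how an
// ordered Firewall Access Policy is processed: rules are tried from the
// lowest order upward, the first rule whose every element matches decides,
// and a request that matches no rule is denied (ISA blocks all traffic by
// default). The policy, hosts, users and group names below are CONSTRUCTED
// for the example; they only loosely follow Rules 1-5 of section 4.3.

var DEFAULT_DENY = { action: "Deny", order: 0, name: "default deny" };

// "to" entries: "*" = any destination, ".suffix" = host suffix, any other
// string = exact host name, RegExp = tested against the URL path and query.
var policy = [
  { order: 1, action: "Deny", protocols: ["HTTP", "HTTPS", "FTP"], from: ["Internal"],
    to: [/\.(exe|bat|scr|msi)(\?|$)/i], users: "All Users",
    name: "Block executable downloads" },
  { order: 2, action: "Deny", protocols: ["HTTP", "HTTPS"], from: ["Internal"],
    to: [".unwanted.example"], users: "All Users",
    name: "Block unwanted web sites" },
  { order: 3, action: "Allow", protocols: ["HTTP", "HTTPS", "FTP"], from: ["Internal"],
    to: ["*"], users: "Limited web access",
    name: "Web access for group Limited web access" },
  { order: 4, action: "Allow", protocols: ["FTP"], from: ["Internal"],
    to: ["ftp.example.com"], users: "All Users",
    name: "Public FTP server for everyone" }
];

// "http://host:port/a/b?c" -> "/a/b?c"; extension checks must not see the
// host part, or "www.example.com" would look like a ".com" download.
function urlPath(url) {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^\/]*/i, "");
}

function matchesTo(rule, req) {
  var host = req.host.toLowerCase();
  for (var i = 0; i < rule.to.length; i++) {
    var t = rule.to[i];
    if (t === "*") return true;
    if (t instanceof RegExp) {
      if (t.test(urlPath(req.url))) return true;
    } else if (t.charAt(0) === ".") {
      if (host.length > t.length && host.slice(-t.length) === t) return true;
    } else if (host === t.toLowerCase()) {
      return true;
    }
  }
  return false;
}

// Condition element. req.user is null for a SecureNAT client: the firewall
// has no user identity for it, so in this model a rule aimed at a group or
// at authenticated users cannot match and evaluation moves to the next rule.
function matchesUsers(rule, req) {
  if (rule.users === "All Users") return true;
  if (req.user === null) return false;
  if (rule.users === "All Authenticated Users") return true;
  return req.user.groups.indexOf(rule.users) !== -1;
}

function matches(rule, req) {
  return (rule.protocols === "*" || rule.protocols.indexOf(req.protocol) !== -1) &&
    rule.from.indexOf(req.from) !== -1 &&
    matchesTo(rule, req) &&
    matchesUsers(rule, req);
}

// Decision {action, order, name} for a request
// {protocol, from, host, url, user: null | {name, groups: [...]}}.
function evaluate(rules, req) {
  var ordered = rules.slice().sort(function (a, b) { return a.order - b.order; });
  for (var i = 0; i < ordered.length; i++) {
    if (matches(ordered[i], req)) {
      return { action: ordered[i].action, order: ordered[i].order, name: ordered[i].name };
    }
  }
  return DEFAULT_DENY;
}

// Stand-alone demo with constructed requests.
var demoUser = { name: "alice", groups: ["Limited web access"] };
console.log(evaluate(policy, { protocol: "HTTP", from: "Internal", host: "www.example.org",
  url: "http://www.example.org/setup.exe", user: demoUser }));   // Deny by rule 1
console.log(evaluate(policy, { protocol: "HTTP", from: "Internal", host: "www.example.org",
  url: "http://www.example.org/index.html", user: null }));      // SecureNAT: default deny
```

Raising the order of "Block executable downloads" above 3 makes evaluate() return Allow for setup.exe: a deny rule placed under a broader allow rule is never reached. That is the check to make when arranging the rules of section 4.3, where the deny rules must sit above the rule that lets the LAN out to the Internet. The second demo request shows the SecureNAT caveat from section 2.4: with no user identity the group rule cannot match, and only an "All Users" rule (here the FTP one) or a source-IP rule can admit such a client.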
4.3 Model of the ISA configuration in the company network

The diagrams below present the firewall policies applied at Vinapay. The enforced policies (Access Rule Policy) in ISA 2004 are:

Rule 1: Allow users of langha.com.vn to access the outside.
[Figure III.4: Rule 1, allowing connections from the LAN to the Internet]

Rule 2: Connect clients belonging to langha.com.vn to the firewall.

Rule 3: Allow the firewall to connect to External (Internet).
[Figure III.5: allowing connections from the firewall to the Internet]

Rule 4: Prevent users from accessing unwanted websites.
[Figure III.6: blocking access to the listed sites]

Rule 5: Prevent users from downloading executable files out through the firewall.
[Figure III.7: rule blocking file downloads]

[Figure III.8: allowing access to the FTP server]

Because ISA evaluates the policy from top to bottom and applies the first matching rule (section 2.4), the deny rules 4 and 5 must be placed above rule 1 in the rule list; if the general allow rule comes first, it matches every outbound web request and the deny rules are never reached.

4.4 Backup

Reasons for backups:
- A later configuration upgrade of ISA may go wrong, leaving the configuration incorrect and unstable.
- Building the ISA system takes a great deal of time configuring the user policies.
- Hardware failure.
- Damage done by hackers or other malicious parties who break into the firewall.

Plan for the standby system

Contingency cases

Case 1:
- A wrong configuration upgrade makes ISA unstable.
- A hacker attacks the firewall and corrupts the system configuration.

Remedy: use the backup utility with the following schedule:

| Day | Time | Type of backup | Objects backed up |
| --- | --- | --- | --- |
| Monday | 17:59 | Daily | C drive and System State |
| Tuesday | 17:59 | Daily | C drive and System State |
| Wednesday | 17:59 | Daily | C drive and System State |
| Thursday | 17:59 | Daily | C drive and System State |
| Friday | 17:59 | Daily | C drive and System State |
| Saturday | 17:59 | Daily | C drive and System State |
| Sunday | 23:59 | Normal | C drive and System State |

A Daily backup copies only the files changed on that day, so a full restore uses the last Normal (full) backup from Sunday together with every Daily set taken since.

Back up the ISA policy configuration with ISA's own utility. To restore the user access-policy configuration quickly, the ISA system state can be saved:
- Backup: saves the running configuration of ISA 2004 to an *.xml file.
- Export: exports the ISA configuration and access-management policy to an *.xml file.
The exported XML describes the entire firewall policy, so it must be stored with the same care as the System State backups.

Case 2: Hard disk failure
- Add a second disk and run RAID 1 (mirroring) so that the system keeps running without interruption when a disk fails.

Case 3: Total failure of the ISA server
- Set up a second, identical ISA server as a standby.
- When the primary fails, switch to the standby machine to recover.

CONCLUSION

1. Results achieved

Against the original requirement of the project, "Deploying, administering, maintaining and upgrading an enterprise network system", the following has been achieved so far:
- Surveyed and produced a preliminary LAN configuration for the business to serve the network deployment.
- Presented how an Active Directory domain manages its resources (computers, users, OUs, ...).
- Analysed and produced a backup schedule for the domain data and for the data of each client machine in the company.
- Studied and configured the ISA firewall system for the business.

2. Directions for further development
- Extend the LAN with more client machines and servers.
- Extend the design and give specific configurations to manage network resources more effectively.
- Study backup and restore strategies using third-party software for better effectiveness.
- Study other firewall models and vendors so that the network model becomes easier to use.

APPENDIX 2

Technical terms used in the project:

List Contents: list the contents of a container (for example, view the status of the users in it).
Read All Properties: read all attributes of the object, including administrative information.
Write All Properties: write all attributes (including creating and modifying them).
Delete: delete the object, including administrative objects.
Read Permissions: read the permissions (ACL) set on accounts, including administrator accounts.
Modify Permissions: change the permissions set on the object.
Modify Owner: change the owner of the object.
All Validated Writes: perform all validated writes.
All Extended Rights: exercise all extended rights (special operations such as resetting a password).
Create All Child Objects: create child objects (child attributes).
Delete All Child Objects: delete child objects.
