Information Assurance: Security, Fault Tolerance, Windows Clustering, Windows NLB, Backup and Recovery
 
Security:
Windows 2003 security features: http://www.activewin.com/reviews/software/operating-sys/win2003serv/security.shtml
A Technical Comparison of TTLS and PEAP: 
  http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html
According to the (default) password complexity policy, a valid 
  password cannot contain any of the user's account name, and it must be at least 
  six characters long. The password must also contain characters from three of 
  the four categories: uppercase letters, lowercase letters, numbers, and non-alphanumeric 
  characters.
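A checker for the three rules in the paragraph above, reporting which rule a candidate password breaks (added example, not from the original page; the function names and sample accounts are constructed, and "contains the account name" is assumed to mean a case-insensitive match on the whole name):

```python
def policy_violations(password, account_name):
    """Return the rules from the policy text above that `password` breaks."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    # Assumption: "contains the account name" is tested as a
    # case-insensitive substring match on the whole name.
    if account_name and account_name.lower() in password.lower():
        problems.append("contains the account name")
    categories = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "non-alphanumeric": any(not c.isalnum() for c in password),
    }
    present = [name for name, found in categories.items() if found]
    if len(present) < 3:
        problems.append("only %d of four categories: %s"
                        % (len(present), ", ".join(present) or "none"))
    return problems


def audit(candidates):
    """Map each (account, password) pair to its violations; [] means compliant."""
    return {(acct, pw): policy_violations(pw, acct) for acct, pw in candidates}


# Constructed sample input, not real credentials.
SAMPLE = [
    ("jsmith", "Summer2003"),    # compliant: upper, lower, number
    ("jsmith", "JSmith!2003"),   # embeds the account name
    ("bob", "abc12"),            # too short, two categories
    ("alice", "correct horse"),  # lowercase + space only
]

if __name__ == "__main__":
    for key, problems in audit(SAMPLE).items():
        print(key, problems or "OK")
```

A value such as Summer2003 satisfies all three rules, so the policy constrains the format of a password and not how guessable it is.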
Sites and links:
- securitytracker.com
- cert.org
- cve.mitre.org
- securityfocus.com
- isc.sans.org (Internet Storm Center)
The Microsoft Baseline Security Analyzer (MBSA)
  - Cannot be used to scan computers running Windows 98 SE.
- It can only be used to scan computers running Windows NT 4.0 SP4, Windows 
    2000, Windows XP, and Windows Server 2003.
- Computers can only be scanned remotely if they have the File and Printer 
    service, the Server service, and the Remote Registry service started. 
- A computer running either Windows 2000, Windows XP, or Windows Server 2003 
    can be used to remotely scan other computers, so there is no need to upgrade 
    the computer that will be used to perform the scan.
Certificates:
- A Smart Card User certificate can be used both for logon and for securing 
    e-mail.
- Smart Card User certificates can only be issued by enterprise CAs.
- An offline root CA cannot be an enterprise CA. 
- An Enrollment Agent certificate must be issued to someone so that he or 
    she can issue smart cards to other users.
- Enrollment Agent certificates can only be issued by enterprise CAs.
- A Smart Card Logon certificate can be used for authentication, but not for 
    secure e-mail.
- Certificate Manager is a role on the CA that allows users to approve enrollment 
    requests and revoke certificates - it is not a certificate type.
- You can prevent the Certificate Authority (CA) name from being sent as part 
    of the payload. This is an important security precaution to keep data about 
    the company's CA or the company's internal CA structure private from interlopers. 
    When the CA name is sent, it is sent prior to negotiating security, so it 
    is sent in clear text. 
- Diffie-Hellman Group 1 is less secure than Diffie-Hellman Group 2048 because 
    Diffie-Hellman Group 2048 uses a 2048-bit key. Diffie-Hellman Group 1 uses 
    only a 768-bit key. 
Fault Tolerance:
Fault Tolerance = FT
Automated System Recovery (ASR) is a part of 
  Backup that you can use to recover a system that will not start. With ASR, you 
  can create ASR sets on a regular basis as part of an overall plan for system 
  recovery in case of system failure. You should use ASR as a last resort in system 
  recovery, only after you have exhausted other options such as the startup options 
  Safe Mode and Last Known Good Configuration.
ASR is a recovery option that has two parts: ASR backup and ASR restore. You 
  can access the backup portion through the Automated System Recovery Preparation 
  Wizard located in Backup. The Automated System Recovery Preparation Wizard creates 
  an ASR set, which is a backup of the System State data, system services, and 
  all disks associated with the operating system components. It also creates a 
  floppy disk, which contains information about the backup, the disk configurations 
  (including basic and dynamic volumes), and how to restore your system.
You can access the restore part of ASR by pressing F2 when prompted in the 
  text mode portion of Setup. ASR reads the disk configurations from the floppy 
  disk and restores all of the disk signatures, volumes and partitions on the 
  disks that are required to start your computer (at a minimum). It will attempt 
  to restore all of the disk configurations, but under some circumstances it might 
  not be able to. ASR then installs a simple installation of Windows and automatically 
  starts to restore from backup using the backup ASR set.
ASR Notes
- ASR does not include data files. You should back up data files separately 
    on a regular basis and restore them after the system is working.
- ASR only supports FAT16 volumes up to 2.1 gigabytes (GB). ASR does not 
    support 4-GB FAT16 partitions that use a cluster size of 64 K. If your system 
    contains 4-GB FAT16 partitions, convert them from FAT16 to NTFS before using 
    ASR.
 
Cluster / NLB stuff
Cluster / load balancing options:
- DNS round robin: This is your original and still viable 
    load balance tool. On by default with DNS - just set two (or more) A records 
    for the same FQDN but with different IPs. DNS will alternate between the various 
    A records. Great for stateless load balancing. Not aware of any host failure, 
    so not so great for FT. (Can script removal of records, but then may have 
    DNS cache related FT delays.) Clustering and NLB are more "mature" 
    dynamic systems. 
- Clusters: multiple machines intended to share the load 
    and take over for one another. Quick fail-over. More expensive, more to administer, 
    more "wasted" CPU cycles. (NT4 had clustering marketed as wolf 
    pack, but as the max cluster size was two it was AKA wolf pair.)
- NLB: Network Load Balancing. Bunch of machines offering 
    same service. Clients spread over them. Can add boxes as load increases.
Statefulness - Data or situation unique to the particular 
  client / server session. Something about the session that necessitates that 
  the client continue to communicate with the same server over time. Statefulness 
  can be handled by client-side cookies, or unique stateful strings in URLs. 
  Client state specific data can be stored in a central storage area outside of 
  the server host and shared by all the servers. Or, clients can be made to maintain 
  a specific server for the length of the session. An IE to Exchange cluster OWA 
  session is stateful - if the target Exchange server node goes down the client 
  would reconnect to a different node and reopen windows and have to reset things 
  like sort order, sizing, etc. An on-line banking session failing over from one 
  node to another wouldn't know what check detail you were looking at, for example. 
  However, if the data was a static website where all server nodes had the exact 
  same data, there is no state and thus failover is automatically transparent 
  and stateless.
Cluster / NLB comparison:
    | CLUSTER | NLB |
    | 2003 Enterprise or Data Center | all 2003 versions |
    | 8 nodes max | 32 nodes max |
    | cluster aware applications | any application |
    | application and server failure aware | server failure aware only |
 
Windows Cluster Servers:
Requires shared storage:
  - SAN
- Shared SCSI
- Fiber Channel (preferred)
Quorum: ???
Windows Server 2003 Clustering whitepaper
  http://www.microsoft.com/windowsserver2003/techinfo/overview/bdmtdm/default.mspx
 
Windows Network Load Balancing - NLB:
Network Load Balancing (NLB) from 2003 TechCenter:
  - Network Load Balancing supports up to 32 computers in a single cluster. 
    Hosts can be added and removed without interrupting cluster availability.
- Network Load Balancing is a driver, Wlbs.sys, which you must load on each 
    host in the cluster. Wlbs.sys includes a statistical mapping algorithm that 
    the hosts of the cluster collectively use to determine which host handles 
    each incoming request.
- You install the driver on each of the cluster hosts, and you configure the 
    cluster to present a virtual IP address to client requests. The client requests 
    go to all of the hosts in the cluster, but only the mapped host accepts and 
    handles the request. All of the other hosts in the cluster drop the request.
- After the driver is installed, it must be configured before the host can 
    join a cluster. You must configure three groups of information about each 
    host: cluster parameters, host parameters, and port rules, before it is possible 
    to create or join a cluster.
NLB Fundamentals - FAQ:
  http://technet2.microsoft.com/WindowsServer/en/library/b098ca89-c162-4a60-bf47-eab85203d7f41033.mspx?mfr=true
 
Backup and Recovery:
Microsoft names for types of backups:
  - Normal backup
 The normal backup is normal. (Surprised?) So, what does this mean? 
    It simply means that it copies all the files you have marked to be backed 
    up, and marks the files as having been backed up. You also only need the most 
    recent copy of the backup file (other types of backups require several files, 
    see below) to restore. This type is usually what you use the first time you 
    back up files.
- Incremental backup 
 The incremental backup backs up only those files that have been 
    created or changed since the last incremental or normal backup. It also marks 
    the files as having been backed up. A combination of Normal backups and Incremental 
    backups is common, and also a very good combination. It also requires the 
    least amount of storage space and is fast for backing up the data. The disadvantage 
    of this is that it's time-consuming to recover files, simply because you need 
    the last normal backup set and all incremental backup sets, which can be stored 
    on several backup drives or tapes.
- Differential backup 
 The differential backup is similar to the incremental backup and 
    only copies files that have been created or changed since the last normal 
    or incremental backup. No, it wasn't a typo, it doesn't check if a differential 
    backup has been run. This is because differential backups do not mark files 
    as having been backed up. A combination of differential backups and normal 
    backups is more time-consuming concerning the backup part than the incremental 
    + normal backups are. But on the other hand it is faster to restore data because 
    all you need is the last normal backup and the last differential backup.
- Copy backup 
 A copy backup copies all the files you have selected, but does not 
    mark the files as having been backed up. This backup type is useful when you 
    must backup single files between normal and incremental backups because it 
    does not affect these operations.
- Daily backup 
 The daily backup copies all the files that you have selected that 
    have been modified on the day, without marking the files as having been backed 
    up.
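The marking behaviour of the normal, incremental, differential and copy types above, modelled as a per-file archive bit, with the sets each schedule needs for a full restore (added example, not from the original page; the Volume class, file names and three-day schedule are constructed for illustration, and the daily type is not modelled):

```python
class Volume:
    """Toy file set; archive[name] is True while a file is NOT marked as backed up."""

    def __init__(self, names):
        self.archive = {n: True for n in names}
        self.sets = []  # backup history as (kind, files copied), oldest first

    def change(self, *names):
        for n in names:
            self.archive[n] = True  # creating or modifying a file sets the bit

    def backup(self, kind):
        if kind in ("normal", "copy"):
            copied = sorted(self.archive)  # every selected file
        elif kind in ("incremental", "differential"):
            copied = sorted(n for n, bit in self.archive.items() if bit)
        else:
            raise ValueError("unknown backup type: " + kind)
        if kind in ("normal", "incremental"):  # only these mark files
            for n in copied:
                self.archive[n] = False
        self.sets.append((kind, copied))
        return copied

    def restore_chain(self):
        """Indexes into self.sets needed for a full restore, oldest first."""
        kinds = [k for k, _ in self.sets]
        base = len(kinds) - 1 - kinds[::-1].index("normal")
        chain = [base] + [i for i in range(base + 1, len(kinds))
                          if kinds[i] == "incremental"]
        # A differential matters only if nothing has cleared the bits after it.
        if "differential" in kinds[chain[-1] + 1:]:
            chain.append(len(kinds) - 1 - kinds[::-1].index("differential"))
        return chain


def week(kind):
    """Normal backup, then three days of changes each followed by a `kind` backup."""
    vol = Volume(["a.doc", "b.xls", "c.mdb"])  # constructed file names
    vol.backup("normal")
    for changed in (["a.doc"], ["b.xls"], ["a.doc", "c.mdb"]):
        vol.change(*changed)
        vol.backup(kind)
    return vol


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        vol = week(kind)
        print(kind, [files for _, files in vol.sets], vol.restore_chain())
```

The incremental schedule copies less each day but needs all four sets to restore; the differential schedule grows each day but needs only the normal set and the last differential.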
To reset the Directory Services password before you restart in DS restore mode:
- ntdsutil (from cmd line)
- set dsrm password
- reset password on server null
- quit
- quit
- (Getting there and what this is for lead to a whole plethora of other critical information...)
System state data: 
You can choose to do a System State backup, and this is very important if you 
  want to be able to get a functional system in the event of a crash. This table 
  shows which components are backed up in a System State backup.
    | Component | Included in System State Backup |
    | Boot files and system files | Yes |
    | Registry | Yes |
    | COM+ | Yes |
    | System files under Windows File Protection | Yes |
    | Active Directory, directory service | If it's a domain |
    | SYSVOL directory | If it's a domain controller |
    | IIS Metadirectory | If it's installed |
    | Certificate Services database | If it's a Certificate Services server |
    | Cluster Service information | If it's within a cluster |
Nice backup EARL: http://www.ilopia.com/Articles/WindowsServer2003/Backup.aspx