Friday, 26 June 2009

uninstall AVG from VistaBiz

Reboot all clients

VistaBiz gets restricted due to health policy set.
Windows Security Health Agent failed to apply remediation.
Anti-Virus not found.

Reinstall AVG

Same alert shown as above.

Restart VistaBiz

Created new domain user

Log into VistaBiz with new domain user. Check if same alert still showing despite installation of anti-virus

Alert for Windows Security Health Agent still appears, but is slightly different this time.

Checked online about fixing anti-virus updates. Found out here that setting auto-remediation will not install software for you unless the system health agent (SHA) is specifically designed to do installation, and the Windows SHA does not do auto-remediation for all anti-viruses. In this case, we are using third-party software. In some cases, using a third-party SHA may allow auto-remediation to change settings in the application to initiate download of a newer version, execute some other update, and perhaps even reboot the computer if needed.

Started on creating powerpoint for mid term presentation.

Thursday, 25 June 2009

Network Access Protection

Reconfigured and renamed Domain Server to ADS for easier reference.

Set static addresses to ADS

IPv4 IP Address: 192.168.145.141
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.2

Tested internet connection. Successful

Run dcpromo on ADS to configure it as Domain Controller.
FQDN of forest root domain: nypfypj.com

Forest functional level: Windows Server 2008

Added in a new member server (named: NAP) to be used as a Network Policy Server

Set static addresses to NAP
IPv4 IP Address: 192.168.145.142
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.141

Tested internet connection. Successful

Join NAP to nypfypj.com

Set static addresses to VistaBiz

IPv4 IP Address: 192.168.145.143
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.141

Tested internet connection. Successful

Join VistaBiz to nypfypj.com

Configured DHCP Server and Network Policy and Access Services role to NAP server. After installing, configured NPS (Network Policy Server) to use DHCP.

Back on ADS Server
Created new Group Policy named NAP Client Settings. Configured NAP Client Settings to enable Network Access Protection Agent and DHCP Quarantine Enforcement Client. Set this group policy to be used on the (Users) group NAP Enforced Computers. Added VistaBiz to the NAP Enforced Computers group so that the Group Policy is applied to that computer.

Rebooted all the clients (2 servers and vista client)

Run gpupdate /force on VistaBiz to force update group policies.
Tested auto-remediation feature by turning VistaBiz firewall off. Test successful. Firewall was automatically turned back on and alert was shown.

Now that we know this works, we can modify it to fit our requirements on having an anti-virus software installed and updated.

Tuesday, 23 June 2009

Continued from yesterday

Group Policy Management
Right click Group Policy Objects -> New -> New GPO
Name: NAP Client Settings

After GPO created, right click NAP Client Settings -> Edit
Expand Computer Configuration, Policies, Windows Settings, Security Settings -> System Services

Double click Network Access Protection Agent, check Define this policy setting, select Automatic option [ok]

Expand Computer Configuration, Windows Settings, Network Access Protection, NAP Client Configuration -> Enforcement Clients
Right click DHCP Quarantine Enforcement Client, click Enable

Click on NAP Client Configuration, right click NAP Client Configuration, click Apply. (Make sure NAP Client Configuration is Enabled)

Group Policy Management, expand Forest, Domains, click on NAP Client Settings GPO
Security Filtering, click Authenticated Users, click Remove
You will see a Group Policy Management dialog box asking "Do you want to remove this delegation privilege?" Click OK.

Click Add, enter NAP Enforced Computers (Check names) [ok]

Active Directory Users and Computers -> Users
Double click NAP Enforced Computers -> Members tab -> Add
Tried to add LH-P61NQL342ZDZ to NAP Enforced Computers group. Failed to add (refer to image)

Computer was found under Domain Computers but still not found via adding.

Went to the Domain Computers and selected LH-P61NQL342ZDZ and added it to Member of NAP Enforced Computers instead.


Rename LH-P61NQL342ZDZ to VistaBiz (for easier reference)

Restart both server and workstation

ipconfig settings


print route settings

Test auto-remediation feature by turning VistaBiz firewall off.
Test failed. In the ideal situation, the firewall is automatically turned back on. A discrepancy was also found between the example and the actual test: our settings show as Public domain instead of private domain.

Monday, 22 June 2009

Tried to install Norton Antivirus 10.1.6 (from R drive) on Vista Business (TESTING\samantha account)
Failed to install: This version of Symantec AntiVirus does not support Windows Vista platforms.
Log out. Log back in using Local\Administrator account
Removed static ip addresses to access internet.
Download AVG Anti-Virus Free Edition 8.5
Stopped updates (so that able to test out health policy later)

Put back IP address for domain logon.

Was reading online about how to deploy health policies properly. Came across this, which made me think of not using a static IP to connect to the server, but getting an IP address from the server instead (which will probably allow me access to the internet instead of the domain only).

Removed static IP on workstation.
Successful log in to domain using domain user (on workstation).
Checked that the account was able to go to the internet (so that it is able to receive anti-virus updates).

http://blogs.technet.com/nap/archive/2007/07/28/network-access-protection-deployment-planning.aspx

NOTE: Address leases not appearing in server when workstation is logged into domain

Delete all reference to existing NAP DHCP under Network Policy Server

Steps from http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part1.html
Configure NAP Server
Network Policy Server -> Configure NAP
Network Connection Method: DHCP
Policy Name: NAP DHCP
RADIUS clients [next]
DHCP scopes [next]
Machine group [next]
Remediation Server Group
New group
Group name: DC
IP add: 192.168.145.100
Friendly name: VM-2008 [ok] [next]
Define NAP Health Policy [next] [finish]

DHCP
Scope options -> right click Scope Options -> Advanced tab
User class: Default Network Access Protection Class
check 006 DNS Servers
Add 192.168.145.2 to IP addresses

check 015 DNS Domain Name
String value: restricted.testing.fyp.com [ok]

Right click on Scope -> Scope Properties -> Network Access Protection tab
Check enable for this scope, use default network access protection profile [ok]

STOP AT http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part4.html
CONFIGURE NAP SETTINGS IN GROUP POLICY


Some things to take note about using DHCP:
- DHCP enforcement is for IPv4 currently
- DHCP enforcement requires a NAP-enabled DHCP server
- DHCP enforcement can be overridden by assigning a static IP to the client computer. Because DHCP enforcement is based on entries in the IPv4 routing table, it cannot prevent a malicious user who is a local administrator from manually changing the IPv4 routing table and gaining access to the protected network, thus bypassing NAP policy enforcement.
- not the most secure method
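
Because of the static-IP caveat above, a host can sit on the subnet without the NAP-enabled DHCP server ever having evaluated it. As an added example (not part of the original notes), this Python check compares the DHCP server's lease list with the IP/MAC pairs observed on the segment and flags hosts that hold no lease or reuse a leased address. The gateway and server addresses are the lab's; the MAC addresses, lease entries and function names are constructed for illustration.

```python
import ipaddress

# Lab addressing from the notes; MACs and lease entries are constructed samples.
SCOPE = ipaddress.ip_network("192.168.145.0/24")
# Hosts expected to be static: gateway, ADS (domain controller), NAP (NPS/DHCP).
STATIC_ALLOWED = {"192.168.145.2", "192.168.145.141", "192.168.145.142"}
# Constructed lease list, as exported from the NAP-enabled DHCP server.
LEASES = {
    "192.168.145.150": "00-0C-29-AA-00-01",
    "192.168.145.151": "00-0C-29-AA-00-02",
}
# Constructed IP/MAC pairs seen on the segment (e.g. a gateway ARP table).
OBSERVED = [
    ("192.168.145.2", "00:50:56:00:00:02"),
    ("192.168.145.141", "00:0c:29:bb:00:01"),
    ("192.168.145.150", "00:0c:29:aa:00:01"),  # leased, MAC matches
    ("192.168.145.151", "00:0c:29:cc:00:09"),  # leased IP, different MAC
    ("192.168.145.143", "00:0c:29:aa:00:03"),  # in scope, no lease
    ("10.0.0.5", "00:0c:29:dd:00:01"),         # outside the scope, ignored
]


def normalize_mac(mac):
    """Lower-case a MAC and use '-' separators so both sources compare equal."""
    return mac.replace(":", "-").lower()


def find_enforcement_gaps(observed, leases, static_allowed, scope):
    """Return (ip, mac, reason) for hosts DHCP enforcement never evaluated."""
    lease_by_ip = {ip: normalize_mac(mac) for ip, mac in leases.items()}
    findings = []
    for ip, mac in observed:
        if ipaddress.ip_address(ip) not in scope or ip in static_allowed:
            continue
        mac = normalize_mac(mac)
        leased_mac = lease_by_ip.get(ip)
        if leased_mac is None:
            findings.append((ip, mac, "no-lease"))      # static address in scope
        elif leased_mac != mac:
            findings.append((ip, mac, "mac-mismatch"))  # leased IP used by another NIC
    return findings


if __name__ == "__main__":
    for finding in find_enforcement_gaps(OBSERVED, LEASES, STATIC_ALLOWED, SCOPE):
        print(finding)
```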

Tuesday, 16 June 2009

Had to recreate Vista Business. Because after all the updates, ran out of machine space. Downloaded and installed updates.

Tried out some NAP stuff to configure health policies following the StepByStep found here.

Installed new server roles (DHCP and Network Policy and Access Services) so as to be able to configure System Health Validators to make sure that anti-virus is enabled/updated. Had to do it slightly differently from the step-by-step because in my test system we're only using one server and one workstation.

Friday, 12 June 2009

Welcome!

Mr Wagio came to surprise us today. He brought our new supervisor to meet us and to introduce us.

Welcome Mr Kravitz.

Thursday, 11 June 2009

Quick one before log out for the day. Still have yet to test out RMS.

Check that server has AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing, Active Directory, Domain Name System (DNS)

Currently Installed
- AD RMS
- IIS 6.0 (with WWW Publishing Service)
- DNS

Running windows update to get IIS 7.0

(These are the things needed to set up RMS, from what we read on the internet before.)

To do list!

Test connectivity of workstation
Test logging into domain with newly created user account tomorrow
Try out RMS
Check on those nasty warnings on the server.

Tested to log in with new account created on server terminal. Successfully managed to log into domain with account created through server.

Tested for internet connectivity. Connected to network but not connected to internet.

Installed Microsoft Office 2007 for testing out of RMS

PS: running 3 os on a computer is very slow :(

Wednesday, 10 June 2009

Rights Management Service Part I

Created new user/group for Rights Management Service.

Added new server role, Active Directory Rights Management Service. While installing Active Directory Rights Management Service, ran into some errors when specifying the service account. Had an error that said the password could not be validated.

Checked out the user account that was newly created. Tested that it could log into the machine. Failed to log in. Logged back into the administrator account and joined the new user account to the group that allows login to the server terminal.

Tried to install Active Directory Rights Management Service again. Able to install properly this time.

Checked with Mr Wagio regarding the testing of rights management service, told us we were supposed to test it out with the vista os and microsoft office.

Went to Helpdesk to get Microsoft office 2007. Vincent said he'll come down to the lab tomorrow morning to install office for us.

Played with the ip settings on win server 08 so that we'll be able to connect to the internet.
Changed IP settings
IPv4: 192.168.145.100
Subnet: 255.255.255.0
Default Gateway: 192.168.145.2
DNS Server: 192.168.145.2

Successful connection to internet. Loaded www.google.com

Changed IP settings on Windows Vista to enable connectivity to internet
IPv4: 192.168.145.105
Subnet: 255.255.255.0
Default Gateway: 192.168.145.100
DNS Server: 192.168.145.100

Time to clock out! Will need to test connectivity + logging into domain with newly created user account tomorrow + RMS and check on those nasty warnings on the server.

Active Directory Domain Service

We tried out what Mr Wagio asked us to do today.

First thing we did was to set up active directory domain service on the windows server 2008 and run the domain service installation wizard to set up a new domain. Had to make sure static ip was set as the machine was meant for server use, as well as the administrator account had to have a strong password before the installation wizard was run.

IP settings used
IPv4: 192.168.1.100
Subnet Mask: 255.255.255.0

While installing Active Directory, ran into a bit of a problem: a warning about the IP address not being set to static (Windows Server 2008 has both IPv4 and IPv6). We had only set the static IP address for IPv4. Fixed the warning by disabling IPv6.

After successfully managing to install active directory, the next thing to do was to join the work station to the domain created. Had to set the vista business to have static ip and to change the computer domain to testing.fyp.com.

IP settings used
IPv4: 192.168.1.105
Subnet Mask: 255.255.255.0
DNS server: 192.168.1.100

Tuesday, 9 June 2009

In the afternoon Mr Wagio talked to us regarding the progress of our project. He also asked us to try out the installation of Active Directory and domain service, and to try out Rights Management System, simulated using server + workstation (Vista).

Found out from Mr Wagio what exactly happened to our actual server. The CNC staff shut down the port to the server, cutting off connectivity from our network as well as the staff's network to the server, and now the server is isolated without any connectivity. So what they're going to do now is create a separate VLAN between our computers and the server so that we'll be able to have access again.

Before we left for the day, I installed a new vista os for testing out of RMS to be done.

Friday, 5 June 2009

Network Access Protection

Here are some things that we've read about Network Access Protection.

Network Access Protection (NAP) is a new Microsoft technology for controlling network access of a computer host based on the system health of the host. It is also able to control access to network resources based on a client computer's identity and compliance with corporate governance policy.

NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

Here is some additional information for your reading:
Network Access Protection Policies in Windows Server 2008

Network Access Protection Step by Step guides

Windows Server 2008 and Microsoft virtualization blog

Windows Server Administration

Wednesday, 3 June 2009

Just thoughts.

Are the Win 08 Servers domain servers?
What kind of network storage to be used for failover?
When will the server be back up? >.<

Monday, 1 June 2009

High-availability clusters

Been reading up on the high-availability clusters feature that we're using in Windows Server 2008.

Failover Clustering is a feature which gives high-availability to services and applications.

High-availability clusters (also known as HA Clusters or Failover Clusters) are computer clusters that are implemented primarily for the purpose of providing high availability of services which the cluster provides. They operate by having redundant computers or nodes which are then used to provide service when system components fail. Normally, if a server with a particular application crashes, the application will be unavailable until someone fixes the crashed server. HA clustering remedies this situation by detecting hardware/software faults, and immediately restarting the application on another system without requiring administrative intervention, a process known as Failover. As part of this process, clustering software may configure the node before starting the application on it. For example, appropriate file systems may need to be imported and mounted, network hardware may have to be configured, and some supporting applications may need to be running as well.

HA Clusters are used in:
- critical databases
- file sharing on a network
- business applications
- customer services such as electronic commerce websites

Steps to install failover cluster feature
1. If you recently installed Windows Server 2008, the Initial Configuration Tasks interface is displayed. Under Customize This Server, click Add features. Then skip to step 3.
2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)
In Server Manager, under Features Summary, click Add Features.
3. In the Add Features Wizard, click Failover Clustering, and then click Install.
4. Follow the instructions in the wizard to complete the installation of the feature. When the wizard finishes, close it.
5. Repeat the process for the second server.

Some additional information about failover clusters:
Requirements for failover clusters:
http://technet.microsoft.com/en-us/library/cc771404.aspx

Hyper-V Step-by-Step Guide: Hyper-V and Failover Clustering:
http://technet.microsoft.com/en-us/library/cc732181.aspx