Mastering Windows Server 2022 - Fourth Edition

Product type: Book
Published: May 2023
Publisher: Packt
ISBN-13: 9781837634507
Pages: 720
Edition: 4th Edition
Author: Jordan Krause

Table of Contents

Preface
1. Getting Started with Windows Server 2022
2. Installing and Managing Windows Server 2022
3. Active Directory
4. DNS and DHCP
5. Group Policy
6. Certificates
7. Networking with Windows Server 2022
8. Remote Access
9. Hardening and Security
10. Server Core
11. PowerShell
12. Redundancy in Windows Server 2022
13. Containers
14. Hyper-V
15. Remote Desktop Services
16. Troubleshooting
17. Other Books You May Enjoy
18. Index
Appendix: Answers to the End-of-Chapter Questions

Policy vs preference

There is an important distinction that every Group Policy administrator needs to understand about GPO settings. There are two different types of policy settings, and they behave very differently. Now that we understand the differences between Computer Configuration and User Configuration, the next tier you'll notice inside Group Policy Management Editor is a pair of sub-folders titled Policies and Preferences.

Policies

Managed policies, the items listed under the Policies section of both computer and user configurations, generally behave like true gentlemen. These are settings that you put into place and expect results from: the setting is forced into place, and nothing the user tries to do can change it. When reversing course and removing a GPO from a system, they happily comply. What do I mean by that? When you plug some policy settings into a GPO and then link that GPO to a location, you expect those settings to be put into place on the machines or users to which you have...

Default Domain Policy

Throughout this chapter, we have bounced in and out of the Group Policy Management Console a number of times, and now that you know what a GPO looks like and how to identify GPO links, you have probably noticed a GPO linked to the root of the domain called Default Domain Policy. This GPO comes built into Group Policy; every environment has one unless an admin has taken steps to delete it, which I would not recommend.

The Default Domain Policy applies to every user and computer that is part of your domain directory. Since this GPO is completely enabled right off the bat and applies to everyone, it is commonplace for companies to use it to enforce global password policies or security rules that need to apply to everyone. In fact, many who are unfamiliar with Group Policy and uncomfortable with creating, linking, and filtering their own GPOs will just continually throw more and more settings inside Default Domain Policy. All of these settings will apply successfully, of course...

Administrative Templates

Go ahead and edit a GPO, any GPO, so that you have the Group Policy Management Editor open in front of you. Expand the Policies folder for either Computer Configuration, User Configuration, or both, and you will notice a folder inside each called Administrative Templates. Most of us generally think of Administrative Templates the same as any other GPO configuration setting, simply a collection of items with which you can manipulate users or computers, right? Sort of, but while Software Settings and Windows Settings are built into Group Policy and are basically the same for any domain environment, Administrative Templates are customizable.

Administrative Templates showcase the flexibility of Group Policy. Each setting within Administrative Templates is being pulled from template files that reside on your domain controller servers. These template files are ADMX files. All of the information needed to display the setting inside Group Policy Management Editor is contained...

Central Store

When opening up the Group Policy Management Console and creating or editing a GPO, the settings available within your console session are settings pulled from ADMX/ADML files that are on the hard drive of the computer or server from which you are using GPMC. When implementing new settings via ADMX files, it would be a huge chore to have to copy those new files into place on every one of your domain controllers, in addition to all of the client computers where you might have the RSAT tools installed. Thankfully, there is a solution to automate this for you!

The Central Store is something that can be enabled in Active Directory that allows the replication of ADMX/ADML files. Once you enable the Central Store, all of your Group Policy management machines, such as domain controllers, will look to the store as their repository for these template files.

Enable the Central Store

All that it takes to enable the Central Store in Active Directory is the creation of two folders inside...

Summary

Group Policy is an incredibly powerful tool to have at your disposal when working within a domain environment. Many pre-built configurations and settings exist, and since we can manipulate the registry on client machines, the sky is pretty much the limit on what you can manage on your client computers via GPOs.

As is the case with many topics inside Windows Server, there is so much information related to Group Policy that it warrants a book of its own. Thankfully, I had the opportunity to do exactly that! If you are interested in discovering more about Group Policy and all of the ways that it can be used to secure your infrastructure, check out my title Mastering Windows Group Policy (https://www.packtpub.com/networking-and-servers/mastering-windows-group-policy).

Questions

  1. Are screensaver settings computer or user configuration? (Answer: User configuration)
  2. Do domain-level or OU-level links process first? (Answer: Domain-level links process before OU-level links, meaning that OU-level links will overwrite domain-level links when in conflict.)
  3. What is the special GPO setting that forces user settings to apply to any user on a given computer? (Answer: Group Policy loopback processing)
  4. What type of GPO filtering do you configure inside the GPO itself, such as with a mapped network drives policy? (Answer: Item-level targeting)
  5. True or false – It is possible for a user to override a Group Policy preference. (Answer: True)
  6. What is the default timer between Group Policy background refresh cycles? (Answer: 90 minutes)
  7. What kind of GPO filtering could be utilized to assign settings only to laptop computers? (Answer: WMI Filtering)
  8. If you find a USB stick on the ground labeled “CEO financials”, what should you do with it? (Answer:...

Exporting and importing certificates

I often find myself needing to use the same SSL certificate on multiple servers. This might happen in the case where I have more than one IIS server serving up the same website and I am using some form of load balancing to split the traffic between them. This need may also arise when working with any form of hardware load balancer, as you sometimes need to import certificates onto not only the webservers themselves but also the load balancer box. Another example is when using wildcard certificates; when you purchase a wildcard, you typically intend to install it onto multiple servers.

Does this mean that you need to generate a new CSR from each server, and request a new copy of the same certificate multiple times? Definitely not, and in fact, doing so could cause you other problems: remember that when a public CA re-keys a certificate—in other words, if you have already requested a certificate with a particular name and then come back...

OpenSSL for Linux webservers

This chapter should give you all the information needed to protect websites with SSL certificates issued from a public CA…on a Windows webserver. While this is obviously a Microsoft-centric book, the majority of webservers out there are not running on Microsoft webserver platforms. Alas, you will likely run into just as many Linux-based webservers as you do instances of IIS, and it will be very helpful to your role as server administrator to be able to install certificates onto these webservers as well.

One significant difference between Windows and Linux webservers is the types of files used for certificates. IIS hides away the private key; you don’t really deal with it at all. When downloading certificate files for IIS, those are usually CER or CRT files. A Linux webserver, however, expects something else. On most Linux webservers, the certificate file and the private key are each individual files that are quite visible right on the...
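As an added example (not from the book), the following script shows what "separate files" means in practice: it splits one PFX bundle, the format that carries a certificate together with its private key, into the certificate file and key file a Linux webserver expects, then confirms that the two belong together. The output names `site.crt` and `site.key`, the `PFX_PASS` variable, and the `www.example.test` sample certificate are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: PFX bundle -> separate certificate and private-key files.
set -eu

# split_pfx PFX OUTDIR -- the PFX password is read from $PFX_PASS so that it
# never appears on a command line or in the process list.
split_pfx() {
    mkdir -p "$2"
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys -out "$2/site.crt"
    # -nodes writes the key unencrypted, so keep it owner-only from creation.
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out "$2/site.key" )
    chmod 600 "$2/site.key"
}

# key_matches_cert CERT KEY -- returns 0 if the key's public half is the one
# in the certificate, 1 if it is not, 2 if either file cannot be read.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway self-signed certificate for a
# placeholder name, bundled into a PFX the way an export would deliver it.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout env:PFX_PASS -out "$1/site.pfx"
}

demo() {
    work=$(mktemp -d)
    export PFX_PASS="constructed-sample-password"
    make_sample_pfx "$work"
    split_pfx "$work/site.pfx" "$work/out"
    # An unrelated key stands in for a key file copied from the wrong server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/other.key" 2>/dev/null
    if key_matches_cert "$work/out/site.crt" "$work/out/site.key"; then
        echo "extracted key matches certificate"
    fi
    if ! key_matches_cert "$work/out/site.crt" "$work/other.key"; then
        echo "unrelated key rejected"
    fi
    rm -rf "$work"
}
demo
```

Running the match check before reloading the webserver catches a certificate paired with the wrong key while the old configuration is still serving traffic.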

Summary

Certificates often get a bad rep, and I believe this is because people think they are a headache to deal with. I see their point. Without knowing how to navigate through the various administrative consoles that deal with your certificate infrastructure, it would be difficult to make even the simplest items function. By walking through the most common certificate-related tasks that any server admin will eventually have to tackle within their own networks, I hope that you have now found some comfort and confidence to progress with those projects that might be currently sitting on hold, waiting for the certificate infrastructure to be built. In the next chapter, we will study networking with Windows Server 2022.

Questions

  1. What is the name of the role inside Windows Server 2022 that allows you to issue certificates from your server?
  2. What kind of CA server is typically installed first in a domain environment?
  3. Should you install the certification authority role onto a domain controller?
  4. After creating a new certificate template, what next step needs to be taken before you can issue certificates to your computers or users from that new template?
  5. What is the general name of the GPO setting that forces certificates to be issued without manual intervention by an administrator?
  6. An SSL certificate will only be able to validate traffic properly if it shares key information with the webserver.
  7. What is the primary piece of information that a public certification authority needs in order to issue you a new SSL certificate (hint: you generate this from your webserver)?
  8. What kind of file contains both a certificate and a private key?
