Local Group Policy

Microsoft Vista: Update and Monitoring Services

In Microsoft Vista for IT Security Professionals, 2007

Decision-making WSUS Settings through Local Group Policy

We will be covering local Group Policy before delving into the Registry settings because the Registry key is created when the client auto contacts the local WSUS server for the first time and downloads and installs the AU client. The settings are located in Local Group Policy/Computer Configuration/Authoritative Templates/Windows Components/Windows Update. To control WSUS settings through local Grouping Policy, follow these steps:

1.

Go to Outset | Run, enter gpedit.msc in the box, and press Enter.

ii.

Become to Computer Configuration | Administrative Templates | Windows Components.

3.

Get to Windows Update.

4.

Select the Specify intranet Microsoft update service location Backdrop policy setting, and specify the location of your WSUS server (e.g., http://util1:8530 for both values).

v.

Next, select the Configure Automatic Updates policy setting and specify the type of automatic updating yous want. Call back to gear up the installation schedule if yous choose 4 – Auto download and schedule the install.

Note

If your WSUS server is installed on the default IIS Web site, you don't need to specify a port number. However, if WSUS was installed on anything other than the default IIS Web site, you must specify the port number in both values.

These are the only settings necessary to configure Windows Vista to operate with a WSUS server, but many other settings are available. Table 9.3 lists a few of these values and the outcome they take on the AU client.

Table ix.iii. Windows Update Group Policy Settings

Setting Description Enabled Disabled
Configure Automatic Updates This setting directly relates to the four bachelor settings on the Windows Update Change Settings window (refer to Figure ix.2). It specifies whether the figurer will use the AU mechanism to receive security and other of import updates, how the user will exist notified if updates are institute, and, if the updates are set to be automatically installed. when the installation will take place. When enabled, AU will cheque for updates every 22   hours. You will also need to set one of the following four choices:
2–Notify for download and notify for install.
3–Car download and notify for install.
four–Auto download and schedule install.
5–Allow local admin to choose setting.
If you cull option 4, you must gear up Scheduled install day and Scheduled install time to the desired installation schedule.
This is equivalent to disabling AU from the Windows Update Change Settings screen (refer to Figure nine.2).
Specify intranet Microsoft update service location This setting allows the administrator to specify the location of a WSUS server on the internal network. The AU client will contact this server to locate updates. This setting requires two server name values: The first is the server from which the AU client retrieves updates. and the second is the server to which the AU client reports update statistics. This setting, when enabled. requires that you set two values. The beginning is Set the intranet update service for detecting updates, and the second is Set the intranet statistics server. The format for these settings is http://servername , and you must prepare both settings to the aforementioned value for them to exist valid. The AU client will connect straight to the Windows Update site on the Net.
Enable client-side targeting This setting allows the administrator to specify the name of a computer grouping for this machine. This setting takes effect but when an intranet WSUS server is specified and the server is prepare to enable client-side targeting. The Target group proper name for this computer value specifies the target grouping information that is sent to the WSUS server. When this is set to Disabled or Not Configured, no target group information will be sent and the motorcar will exist placed in the Unassigned Computers group.
Allow non-administrators to receive update notifications This setting allows an ambassador to specify notifications whether nonadministrative users volition receive update notifications. AU will send notifications to nonadministrative users if they are logged on to the machine. This setting is useful because in most environments, y'all don't want to allow standard users to have authoritative privileges, merely if you lot have configured AU to notify before download or installation, the AU client cannot proceed with update download or installation until an administrative user logs on to the machine. The AU customer volition notify merely logged-on administrative users. This besides applies when ready to Non Configured.
Automated Updates detection frequency This setting specifies the duration of time that Windows will look before checking for available updates. The await time is determined by taking the value set and subtracting zero percent to 20 percent of the hours specified. Windows will cheque for bachelor updates using the specified wait time. Windows volition check for available updates using the default wait time, which is 22   hours.
Turn on recommended updates via Automatic Updates (Vista Only) This setting is specific to Windows Vista Group Policy and specifies whether the AU client volition deliver both important and recommended updates. The AU customer will install recommended besides as important updates. This is equivalent to the Recommended Updates checkbox available on the Windows Update Change Settings screen. The AU client will no longer evangelize recommended updates.
Enabling Windows Update Power Management to automatically wake up the organisation to install scheduled updates (Vista But) This setting allows the user to specify whether Windows Update will utilise Windows Power Management features to wake the system from hibernation to install scheduled updates. Windows will automatically wake the system if it is configured to automatically install updates and the arrangement is in hibernation during the scheduled install fourth dimension and updates are available. The system volition also wake upwardly if an install deadline occurs. The organization will wake upward from hibernation simply if in that location are updates to install. If the organisation is on battery ability, no updates will be installed and the system will automatically return to hibernation in two   minutes. If this is set to Disabled or Non Configured, Windows will not use the Windows Power Management feature to wake the organization.

Tools & Traps…

Incorporating Vista Policy Settings in a Windows 2003 Domain

The two "Vista Only" policy settings in Table 9.3 are new to Vista and do non accept any issue on other versions of Windows. If you would like to control these settings through a domain Group Policy Object, you volition either need to wait for Windows Server 2007 (codenamed Longhorn) to exist released then that you tin simply copy the new .ADMX policy template from Vista to Longhorn and load information technology into your domain Group Policy Object, or create a custom .ADM policy template and load information technology into the Group Policy Object on your existing domain controller. We have created a .ADM file named wuau2.ADM and accept included information technology on the accompanying CD for your use. To utilise the new .ADM file, follow these steps:

1.

Copy wuau2.ADM to an accessible location on your domain controller.

2.

Go to Offset | Authoritative Tools | Agile Directory Users and Computers.

3.

Right-click on your domain contoso.org and select Properties.

4.

Click the Group Policy tab and select your WSUS GPO. Ours is aptly named WSUS. You are using a separate Grouping Policy Object that holds merely Windows Update policy settings and not the Default Domain Policy; aren't you?

five.

Click Edit. This will open the Grouping Policy Object Editor.

6.

Correct-click on Administrative Templates under the Estimator Configuration section. Click Add together/Remove templates. This will open the Add/Remove templates dialog box.

7.

Select wuau and click Remove. This will remove the one-time wuau.adm file so that you don't have duplicate policy settings listed.

8.

Click Add and browse to where you put the wuau2.ADM file on your domain controller. Double-click wuau2.ADM.

9.

Click Shut. This will load the template. Now you tin can browse to Administrative Templates | Windows Components | Windows Update to view and edit the new policy settings.

Read full chapter

URL:

https://world wide web.sciencedirect.com/scientific discipline/article/pii/B9781597491396500133

Password Policies

In How to Cheat at Securing SQL Server 2005, 2007

The Solution

Initially, you lot should create the local policy on the machine. Each of the settings outlined in Table half dozen.1 is configurable through group policy.

Outset, with the Local group policy Microsoft Management Console (MMC) snap- in, create a local policy that meets the aforementioned criteria. For information near how to start the console, refer to the section titled "Using the Group Policies Console" earlier in this chapter. Effigy half dozen.12 shows how to select the password policy section.

Figure vi.12. The Countersign Policy Section

For each of the requirements outlined in Tabular array 6.ane, make the appropriate changes to the group policy using the group policy console. By double-clicking on a setting, a dialog box will be presented that will allow the setting to be inverse (see figure six.13).

Figure 6.13. Setting the Password History Parameter

Once each of the settings outlined in the table is changed in the local policy MMC snap-in, the Password Policies screen should look similar Figure 6.xiv.

Effigy 6.14. Countersign Policies Settings

Since the settings in the table besides affect the account lockout policies, they will demand to be changed likewise. Once the changes are completed, the Business relationship Lockout Policies screen should await like Figure 6.xv.

Figure half-dozen.15. Account Lockout Policies Settings

Next, the logins need to be created. The logins may be created using T-SQL or with the user interface. We will bear witness both methods.

Showtime, hither is the syntax for creating logins using T-SQL:

CREATE LOGIN [Marking]

WITH Password=N'ChangeMeNow$1234'

MUST_CHANGE,

DEFAULT_DATABASE=[caddyshack],

CHECK_EXPIRATION=ON,

CHECK_POLICY=ON

GO

CREATE LOGIN [Robby]

WITH Password=Due north'ChangeMeNow$5678'

MUST_CHANGE,

DEFAULT_DATABASE=[caddyshack],

CHECK_EXPIRATION=ON,

CHECK_POLICY=ON

Get

CREATE LOGIN [Debbie]

WITH Countersign=N'ChangeMeNow$3322'

MUST_CHANGE,

DEFAULT_DATABASE=[caddyshack],

CHECK_EXPIRATION=ON,

CHECK_POLICY=ON

Creating the logins with the aforementioned configuration options should meet the requirements for creating the user logins. To create the application login, the post-obit SQL could exist used:

CREATE LOGIN [MyCoolAppLogin]

With password=North'ThisIsaC0mpl3x$PassW3rd$0987'

DEFAULT_DATABASE=[caddyshack],

CHECK_EXPIRATION=OFF,

CHECK_POLICY=OFF

To produce the same result using the SQL Server Direction Server GUI, it will be necessary to add each user individually (see Figure 6.16).

Effigy half-dozen.16. Adding Users

Annotation that in Figure 6.16, the "Enforce password policy," "Enforce countersign expiration," and "User must change password at next login" options are all checked. This is necessary to see the requirements outlined in the requirements tabular array.

For the login used by the awarding, the settings are slightly different (run across Figure 6.17).

Figure 6.17. Application Login Account Creation

Notice that in Figure vi.17, the "Enforce password policy," "Enforce password expiration," and "User must alter password at adjacent login" options are all not checked. This is necessary to meet the requirements outlined in the requirements table. Over again, exist sure to exam everything first in a development surroundings.

Read total chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9781597491969500224

Securing Windows vii

Jorge Orchilles , in Microsoft Windows 7 Administrator'due south Reference, 2010

Auditing

This section has focused on setting user and group permissions to secure data. However, the permissions only act equally a control list of who has admission and who doesn't. The permissions do not log or indicate who accessed files or folders. Auditing tin be configured for files and folders to determine exactly who accessed what for a resource. This is important to do before a file or folder is mysteriously deleted or an incident occurs where data is stolen!

Auditing must commencement exist enabled in the Group Policy level for a local system through local group policy or enterprise policy. To enable auditing through Group Policy:

Local Group Policy – Open Local Security Policy and aggrandize Local Policies | Inspect Policy. Select Audit object access. Select to audit success and/or failure.

Group Policy Direction Editor – Expand Computer Configuration | Administrative Templates | Local Policies | Inspect Policy. Select Audit object access. Select to audit success and/or failure.

Now that auditing is enabled for object access an administrator must configure what objects to audit. To specify files and folders to be audited by users or groups:

ane.

Right-click the file or binder and select Properties.

two.

Click the Security tab and select Advanced.

3.

Click the Auditing tab.

4.

Click Continue.

5.

Click Add…

a.

Object type – This is the type of object, in this case Users, Groups, or Built-in security principals. On a domain, other objects may exist.

b.

Location – This tin exist the local computer expressed equally the computer name or a domain. Always double check this value as it will generally be the domain the user is logged in on.

c.

Object Names – Here you may blazon the username or group name and click Check Names to validate. To choose all users type Everyone or alternately specifically blazon each user or grouping to audit.

d.

Check Names – Validates the object names and underlines the user when right. If the object is not found, a Name Not Found prompt will enquire to ensure the object type, locations, and object name are right.

due east.

Advanced – This choice searches through locations for users and groups as shown in Effigy 8.sixteen.

f.

Click OK.

6.

In the Auditing entry shown in Figure 8.eighteen, cull what permissions to audit by checking Successful or Failed bank check boxes for the corresponding permissions.

seven.

Select the advisable Employ onto setting explained before in this section.

8.

Allow inheriting if required. The inheritance of objects works the same as in the avant-garde permissions referenced earlier in this department.

9.

Click OK.

FIGURE eight.xviii. Auditing Entry

The auditing logs may be viewed in the Event Viewer by expanding Windows Logs | Security. The Event Viewer is referenced in Chapter 10.

Read full chapter

URL:

https://world wide web.sciencedirect.com/science/article/pii/B9781597495615000085

Managing the Windows 7 Desktop Surround

Jorge Orchilles , in Microsoft Windows 7 Ambassador'due south Reference, 2010

Summary

Windows 7 includes a variety of local direction tools. There is Control Console, the MMC, the Figurer Management Console, the Local Group Policy Editor, and the Windows Registry. Each of these direction tools provides a different function. They all come up together to provide a full management solution for your Windows 7 arrangement.

It'south important that your system hardware is properly installed and configured. Malfunctioning hardware tin can really exist a hassle to prepare. Windows seven includes applications like Device Manager and the Devices and Printers applet to help ensure that your hardware is properly installed. Device Manager and Windows Update can help ensure that your devices are configured with the most up-to-engagement drivers.

Everything in your system relies on your disks and file systems. This is where all of your files are stored. If your disks and file systems are not properly configured, you system may not run at all. Windows 7 volumes can provide convenience through disk spanning or fault tolerance through RAID v. You need to make sure that yous choose a configuration that best suits your needs.

Read full chapter

URL:

https://world wide web.sciencedirect.com/science/article/pii/B978159749561500005X

Servers

Jeremy Faircloth , in Enterprise Applications Administration, 2022

Group Policy

1 of the Windows features ofttimes used is its application of group policies. Group policies are Windows settings that are applied to Windows systems upon startup or login and control many aspects of the user feel inside the operating system. Group policies tin can exist practical either through local grouping policies stored on the Windows system itself or through domain group policies fabricated available in Active Directory. The domain group policy will always win if there is ever a disharmonize between local and domain grouping policy. Most corporate environments that implement group policies and have an Active Directory infrastructure choose to implement these policies through Active Directory.

Group policies are split into functions based on whether they are intended to affect the estimator's cadre functionality or the user'south experience. This means that many system-related settings can be controlled through group policies including networking, file organisation usage, and security. While it typically isn't the enterprise applications administrator who is setting upwards grouping policies, it is important to empathize what they are and the outcome they tin have on both the operating system and the application users.

Group policies do provide a convenient method of administering large numbers of Windows servers and workstations and can provide huge benefits to big enterprises. Many basic configuration tasks can exist automated and made consistent across many systems with very petty endeavor, which reduces authoritative workload and decreases troubleshooting time for Windows system administrators.

From an enterprise applications perspective, group policies can have an effect on the configuration of the servers hosting the awarding, the workstations being used to access it, and the users of the application. If yous, in the course of working with an enterprise application, need a setting added, changed, or removed to or from all servers/workstations/users, you might consider the use of grouping policies. While it is not within the scope of this book to walk through how to perform group policy modifications, keep this technology in heed as a potential option for helping you in your administration piece of work.

Read total affiliate

URL:

https://world wide web.sciencedirect.com/science/commodity/pii/B978012407773700003X

Windows Server 2008 R2 networking

Dustin Hannifin , ... Joey Alpern , in Microsoft Windows Server 2008 R2, 2010

Creating a Policy-based QoS GPO

In the below exercise, nosotros will create a new Policy-based QoS GPO for traffic destined for port 80 (http). This will give standard Web browsing traffic a higher value leaving the reckoner over other network traffic. If the network devices support the DSCP value provided by the policy, they volition as well give the traffic college priority.

one.

In our example, we will apply a local computer policy; withal, the same policy can be set upward in Ad. Open the grouping policy editor: Commencement | Run type gpedit.msc and click OK. The Local Group Policy Editor will open equally seen in Effigy 3.8.

Effigy 3.8. Local Group Policy Editor.

ii.

Expand the nodes Computer Configuration | Windows Settings and User Configuration | Windows Settings (see Figure iii.9). You volition notice that Policy-based QoS can be applied to the figurer or to the user. For our example, we will use a reckoner-based policy.

Effigy 3.ix. Computer and User Policy-Based QoS Options.

3.

Right click the Policy-based QoS node and choose Create New Policy.

4.

The Policy-based QoS Sorcerer will launch (come across Effigy 3.ten). Enter a descriptive name in the Policy Proper name field. Then employ the Specify DSCP value option to set a DSCP value. In our case, we volition non be throttling the traffic so leave this option unchecked. Click Next to continue.

Figure 3.ten. Policy Name and DSCP Value.

5.

We tin can assign the DSCP policy to specific applications past choosing the executable, or if this server is ready up as a Web application server, we can specify the URL of the awarding. For our example, we will leave the default of All Applications selected (run into Figure 3.eleven). Click Next to go along.

Figure iii.11. Policy-Based QoS Applications.

half-dozen.

We tin specify that this policy applies only to certain source or destination IP addresses (meet Figure three.12). We will leave both of these options equally the default for our example. Click Next.

Figure iii.12. Limit Policy-Based QoS to Listed Source or Destination IP Addresses.

7.

Nosotros now need to choose the protocol and port number or range that nosotros want the DSCP value to (run into Figure 3.13). For our testing purposes, allow us cull port 80 (http) as the destination port. This volition allow us to easily utilize a Web browser to test our policy. Click End to create the policy.

Figure 3.13. Policy-Based QoS Protocol and Port Number Options.

8.

You should now see the policy announced under the Policy-based QoS node in the Local Group Policy Editor window every bit seen in Figure 3.14.

Figure three.14. New Policy-Based QoS Policy.

ix.

Now let us test our new policy. To perform this exam, you will need to download and install Network Monitor. Network Monitor tin exist downloaded from Microsoft Download Centre at http://download.microsoft.com. After installing Network Monitor, open it past going to Get-go | All Programs | Network Monitor 3.3.

10.

The Network Monitor Start Page will be opened as seen in Figure 3.15. Click the link New Capture Tab to set up up a new network capture session.

Figure 3.15. Network Monitor Commencement Folio.

11.

A new capture tab volition exist opened. Click the Showtime button at the top of the Network Monitor window to start capturing traffic (encounter Figure 3.16).

Figure 3.xvi. New Capture Session.

12.

At present permit us create some outbound http traffic. Open Internet Explorer past going to Start | All Programs | Cyberspace Explorer.

13.

Scan a standard http Web site. Then close Internet Explorer.

14.

Go back to the Network Monitor window and click the Stop button. You should see that the utility has captured traffic in the frame summary pane (see Figure 3.17).

Figure three.17. Network Monitor Captured Traffic.

15.

Aggrandize the iexplorer.exe node in the network conversations pane.

16.

Locate 1 of the IPv4 sessions (see Figure three.eighteen) and select the session you desire to view.

Effigy three.18. Selected IPv4 Session frames.

17.

Afterward selecting an IPv4 session, notice the listing of frames in the frames summary pane as seen in Figure three.19. Select a frame that contains DstPort=HTTP(lxxx).

Effigy iii.19. The Frames Summary Pane.

18.

Expand the IPv4 department in the frame details pane (run into Figure 3.20). Discover the DifferentiatedServicesField subnode. You will notice that the frame has been given a DSCP value of 10. This shows that the policy is correctly applying a DSCP value to outbound port 80 traffic.

Figure iii.20. IPv4 Session Frame Details.

Test diverse QoS policies in your test lab during your Windows Server 2008 R2 deployment. You lot tin use them to help ensure that the disquisitional applications receive necessary network bandwidth to perform optimally.

Read full chapter

URL:

https://www.sciencedirect.com/scientific discipline/article/pii/B9781597495783000037

Security Guidance for Operating Systems and Terminal Services

Tariq Bin Azad , in Securing Citrix Presentation Server in the Enterprise, 2008

Set up Strongest Usable Concluding Server Permissions

Permissions for a particular action are disquisitional when attempting to understand how to assault and defend your Terminal Servers. If applied, the permissions for TS actions are determined in society of precedence past the settings listed here:

1

Organizational Unit of measurement Group Policy takes the highest precedence

2

Domain Group Policy

iii

Local Grouping Policy

4

RDP-Tcp Backdrop in TSCC

5

User Properties (specified on the Remote Desktop Connection [RDC] for Windows XP and Windows Server 2003)

And then basically, if you want to control Terminal Services settings for local organization administrators, yous would need to prepare them at the Domain or OU.

The following four screenshots show your options for setting permissions. Effigy ii.36 illustrates that Windows local grouping policies have precedence unless the Domain or OU specifies permissions.

Figure 2.36. Windows Local Group Policies

TSCC's RDP-Tcp Properties take precedence if local Group Policy is non configured (see Effigy 2.37).

Figure 2.37. TSCC's RDP-Tcp Properties

You tin run across in Figure 2.38 that user properties have the least clout when permission conflicts arise.

Figure ii.38. User Properties

Windows Server 2003 shows permission inheritance information (see Figure two.39).

Effigy 2.39. Windows Server 2003

Terminal Server Group Policies

Group Policy tin can be applied to an OU, local computers, and even individual users to secure Terminal Services in your Windows architecture. Additionally, yous can create group policy restrictions on Windows applications past choosing either Run But Allowed Windows Applications or Don't Run Specified Windows Applications. You should use Active Directory Users and Computers to create a new OU and implement Group Policy to restrict the ability of users and administrators. Microsoft recommends these settings to lock down a Windows 2003 Terminal Server session on their Spider web site at http://back up.microsoft.com/?kbid=278295.

I recommend that yous utilise these settings as a baseline, and then add together or remove settings based on whether or non yous allow users and administrators or but administrators. Some of the basics that can be disabled to increment security are the mapping of ports, printers, and drives. Randy Franklin Smith's article (the second role of four) gives recommendations for you to consider likewise at www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=19791.

Relocate Terminal Server to a Obscure Port

You lot can relocate Last Server to a new TCP port with a simple Registry modification. To do this, modify the PortNumber Value Name in the following key to a port of your liking (meet Figure 2.40).

Figure two.40. Modifying Concluding Server'due south Listening Port

HKLM\Arrangement\CCS\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Figure 2.41 shows a screenshot of connecting to the server by using the new port.

Figure 2.41. Connecting to the New Port

Implementing Bones Host-Level Security

If you lot are using Windows XP, Internet Connectedness Firewall is a bully option to consider for host-level access control. If you are using Windows 2000, you can use IPSec filters to cake access to dangerous ports. The following script should be modified based on your server's intended function:

@echo off

REM NSOFTINCIPSec.bat

REM you need to install IpSecPol,exe from the URL listed next

REM http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp

REM This batch file uses ipsecpol.exe to block inbound services not required

REM ICMP will exist blocked too

REM You should modify this based on the requirements of your TS

ipsecpol -ten -w REG -p "SpecOps3389" -r "block139" -n BLOCK -f *=0:139:TCP

ipsecpol -x -w REG -p "SpecOps3389" -r "block445" -n Cake -f *=0:445:TCP

ipsecpol -x -w REG -p "SpecOps3389" -r "block1433" -n BLOCK -f *=0:1433:TCP

ipsecpol -x -w REG -p "SpecOps3389" -r "block80" -n Cake -f *=0:80:TCP

ipsecpol -x -west REG -p "SpecOps3389" -r "block443" -n BLOCK -f *=0:443:TCP

ipsecpol -x -due west REG -p "SpecOps3389" -r "blockUDP1434" -n BLOCK -f *=0:1434:UDP

If withal not convinced, use this script to implement IPSec filters and then scan the server with SL.exe (www.foundstone.com). If y'all specify the bones options, you should receive no reply from the host. This time apply SL.exe with the –g choice set to 88 (Kerberos) and browse again. You should be able to come across all the ports that are blocked by IPSec filters.

How tin you lot stop this? You lot need to prepare the NoDefaultExempt key. This tin be configured by setting the NoDefaultExempt Proper noun Value to DWORD=1 in the Registry at HKLM\SYSTEM\ CurrentControlSet\Services\IPSEC.

Read full affiliate

URL:

https://www.sciencedirect.com/science/commodity/pii/B9781597492812000020

Windows Server 2008 R2 and Windows 7

Dustin Hannifin , ... Joey Alpern , in Microsoft Windows Server 2008 R2, 2010

Deploying BranchCache

After yous take properly designed your BranchCache solution, y'all will be ready to exam your pattern. In this section, nosotros will explore the process of setting up and testing BranchCache. In this lab, nosotros volition be using a central file server (LABFS1) and a hosted mode cache server (LABBC1).

First we demand to gear up up the file server to support BranchCache features. On LABFS1, perform the following:

1.

Open ServerManager.

2.

Select the Roles node then click the link Add Roles.

3.

Click Adjacent to outset the Add Roles Sorcerer.

4.

Select the File Services part. Then click Adjacent.

5.

On the File Services summary page, click Next.

vi.

Select the part services File Server and BranchCache for network files (meet Figure xiii.3). So click Side by side.

Figure 13.3. Installing BranchCache Function Service.

seven.

Verify the settings on the confirmation folio, and and then click Install.

8.

After the installation finishes, click Shut.

Note that BranchCache does not add an administrative node to the Server Manager interface.

Subsequently calculation the role service, yous will demand to configure hash publication. This can be done past creating an Active Directory group policy or by modifying the local grouping policy on the file server. In this exercise, we will configure hash publications, using the local policy on the file server. To configure hash publication, perform the following:

i.

Open the Local Group Policy Editor by opening Start | Run. Then type gpedit.msc and click OK.

2.

Aggrandize the nodes Reckoner Configuration | Authoritative Templates, Network, Lanman Server.

iii.

Select the node Lanman Server every bit seen in Figure thirteen.4.

Figure 13.4. Local Group Policy Editor.

4.

Open the policy object Hash Publication for BranchCache from the middle pane.

5.

Select the pick to Enable the policy. And then select the choice to Allow hash publication for all shared folders (see Figure 13.five). Then click OK.

Effigy xiii.v. Enable Hash Publication.

Afterwards enabling hash publication, you lot will demand to enable BranchCache on shared folder that you wish to be cached in the co-operative part. Perform the following to enable BranchCache on a shared folder:

1.

Open the Share and Storage Management console from Starting time | Authoritative Tools | Share and Storage Management.

two.

Correct click on the shared folder you want to enable BranchCache and choose Properties. This will open the shared folder properties window as seen in Figure 13.half dozen.

Figure 13.6. Shared Folder Properties.

iii.

Click Avant-garde to open the Advanced window. And then click the Caching tab as seen in Figure 13.7.

Figure 13.7. Shared Folder Advanced settings.

4.

Select the choice Enable BranchCache. Then click OK.

v.

Click OK to close the shared folder properties window.

Afterwards enabling shared folders for BranchCache, you need to enable the branch office hosted cache server for BranchCache. The first step to perform this is to install the BranchCache characteristic. This is washed by performing the following:

ane.

Open Server Manager.

2.

Select the Features node. Then click the Add Features link in the eye pane.

3.

Select the BranchCache feature as seen in Figure 13.eight. Then click Next.

Figure thirteen.8. Adding the BranchCache Feature.

iv.

Verify settings on the confirmation folio. Then click Install.

five.

When the installation is complete, click Close.

After adding the BranchCache characteristic, you volition need to enable the hosted cache fashion and open right firewall ports to allow this server to host buried files. This process is done via a command prompt, using the netsh command. Perform the post-obit to enable hosted cache style:

1.

Open a command prompt from Showtime | All Programs | Accessories | Command Prompt.

2.

Type the command: netsh branchcache set service mode=HOSTEDSERVER. And then hit Enter.

You should meet several success confirmations as seen in Effigy 13.ix. Afterward verifying whether the hosted cache has been enabled, shut the command prompt.

Figure thirteen.9. Enabled Hosted Cache mode.

I of the final steps to setting upwards BranchCache in hosted manner is to configure certificates on the co-operative office server hosting the cache. In our exercise, we will assume that a document say-so has already been deployed on the network. The showtime procedure we need to consummate is to configure the Spider web server certificate template and enable autoenrollment on the hosted cache server, using the following steps:

1.

Log on to the server with Active Directory Document Services installed and open Server Director.

2.

Select the node Roles | Active Directory Certificate Services | Templates.

three.

Locate and right click the Web Server template in the middle pane. Then cull Duplicate (encounter Effigy 13.10).

Figure 13.10. Duplicate Spider web Server template.

4.

Choose the selection Windows Server 2003 Enterprise as the version. And so click OK. The Backdrop of New Template window will open.

5.

On the General tab, give the new template enter a meaningful name every bit seen in Figure 13.11.

Figure 13.11. Naming New Certificate Template.

6.

Select the Subject Name tab and then select the option Build from this Active Directory Information.

7.

Select the pick Fully Distinguished Proper noun from the drop-downwards menu (see Effigy thirteen.12).

Figure 13.12. Select Discipline Name options.

8.

Select the Security tab. Add together the hosted cache server name equally seen in Figure 13.13.

Figure 13.13. New Template Security settings.

9.

Select the option to allow Enroll and AutoEnroll for the hosted cache server (run into Effigy xiii.14). Then click OK.

Figure 13.14. Allow Enroll and AutoEnroll for the Hosted Enshroud Server.

10.

In the left pane of the Server Manager window, expand the node of the certificate authorization and select the Certificate Templates node (meet Figure 13.15).

Figure 13.fifteen. Templates being issued by Selected Document Potency.

11.

Right click the Certificate Templates node and choose the option New | Document Template to Issue.

12.

Select the newly created template as seen in Figure 13.xvi. So click OK.

Figure 13.16. Allow Document Say-so to Issue Certificates From New Template.

Afterwards creating the new template, you will need to configure your domain for autoenrollment. If yous have already deployed Agile Directory Certificate Services for other PKI-dependent applications, yous may take already enabled this setting. If not, it tin can be done by performing the following:

i.

Log on to a domain controller and open Grouping Policy Management from Beginning | Administrative Tools | Group Policy Direction.

2.

Expand the nodes Woods | Domains | <your domain name> (come across Effigy xiii.17).

Effigy 13.17. Editing Default Domain Policy.

3.

Right click the Default Domain policy and select Edit.

4.

Select the node Calculator Configuration | Policies | Windows Settings | Security Settings | Public Key Policies.

v.

Open up the policy object Document Services ClientAutoEnrollment as seen in Figure thirteen.18.

Figure 13.18. Public Primal Policies.

6.

Select the option Enabled. Then select both Renew expired certificates, updating pending certificates, and remove revoked certificates and Update certificates that use certificate templates options (see Figure xiii.19). Then click OK.

Effigy thirteen.nineteen. AutoEnrollment Properties.

seven.

You tin can at present strength autoenrollment to occur on the hosted enshroud server by logging onto that server and running gpupdate from a control prompt.

After configuring certificates for the hosted cache server, yous need to link the certificate to BranchCache. This is washed past obtaining the SHA-1 hash from the server's certificate and then using the netsh command to link the document. To complete this process, perform the following:

1.

Open a new mmc console past opening a new dialog from Start | Run. Then type mmc in the run prompt and click OK (come across Figure 13.xx).

Effigy thirteen.20. Open new MMC console.

two.

From the new mmc panel, go to File | Add/Remove Snap-in….

iii.

Add together the Certificates snap-in from the options as seen in Figure thirteen.21.

Figure thirteen.21. Add Certificates snap-in.

4.

When prompted whether you would like to manage certificates for user, computer, or service, select the Reckoner choice and then choose Local Figurer.

5.

From the MMC panel, expand the nodes Certificates | Personal | Certificates. Then open up the server document as seen in Effigy 13.22.

Effigy 13.22. Certificates MMC console.

6.

Select the Details tab in the Document window.

vii.

Scroll through the fields in the details view and select the Thumbprint field as seen in Figure 13.23.

Figure 13.23. Server Certificate Thumbprint.

8.

Re-create the SHA-1 hash by selecting the hex-formatted number and using the Ctrl-C keystroke.

nine.

Open Notepad and paste the SHA-one hash to verify whether information technology has been copied correctly (see Figure xiii.24). Correct the formatting of the hash past removing all the spaces creating one long hexadecimal number. This is the number we will need to link the document to BranchCache.

Effigy 13.24. SHA-1 Hash.

ten.

Open a control prompt on the hosted cache server and enter the following command netsh command which includes the SHA-1 hash nosotros copied from Pace 9. netsh http add sslcert ipport=0.0.0.0:443 certhash=e8d749b788e9229c72bc672160499ccd265ae0ba appid={d673f5ee−a714−454d−8de2−494e4c1bd8f8}.

Yous have now successfully completed the process of setting upwardly the BranchCache hosted cache server. As clients begin caching files locally, they volition exist saved in the cache of this server. Now, you only need to configure client computers to use the hosted branch cache. This can exist washed on a Windows seven customer past using the netsh control: netsh branchcache fix service mode=HOSTEDCLIENT. You can additionally update multiple Windows seven clients to use the hosted cache by deploying a GPO which can perform the same functions.

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B978159749578300013X