Grand Rapids, MI Questions and Answers Take Charge of your Security (5-16-2006)

Good Day Grand Rapids! Again, thank you for coming out and seeing me at the event, and I hope to see you next time I am in town. I also encourage you to look into membership in the West Michigan NT User Group. This is a great group run by a great president, Richard Kenyon, and when I am in town in the evenings you can usually find me there. You asked a few questions during the show, so here are the answers. The wireless scripts that I used in the show are available on the DVD ( drive: \Security Tools\Whitepapers) or you can download them for free from here: https://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en

As always, feel free to comment if I missed any questions or if you need additional information.

Q: How does Small Business Server 2003 (SBS) implement the wireless solutions we discussed and what are the differences?
A:
SBS does come with the Internet Authentication Server, so the same methodologies that I used during the event will apply to SBS. Appendix C of the securing wireless whitepaper covers tested solutions on different versions of Windows; take a look here: https://www.microsoft.com/technet/security/topics/cryptographyetc/peap_c.mspx
There are a couple of GREAT whitepapers on securing the wireless network for small business:

Also note how Windows Server 2003 Standard works with Certificate Services. Certificate Services in Windows Server 2003 Standard Edition does not provide:

  • Auto enrollment of certificates to both computers and users
  • Version 2 certificate templates
  • Editable certificate templates
  • Archival of keys

Q: What are some good wireless scanning tools?
A:
I would recommend taking a look at the wireless monitor snap-in for MMC: https://technet2.microsoft.com/WindowsServer/en/Library/97b73d75-5305-42b1-9935-d5ddb21943371033.mspx?mfr=true 

Q: How does the licensing work for wireless clients?
A:
That is a tough question for me to answer. Mainly it has to do with how you purchased the CALs for your organization. Take a look here: https://www.microsoft.com/windowsserver2003/howtobuy/licensing/overview.mspx

Q: Where can I get the Group Policy Management Console (GPMC)?
A:
  It is located on the DVD that everyone got at the event.  You can also download the tool for free here: https://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en 

Q: How do you maintain wireless security with machines not in the domain?
A:
Well, the PEAP/802.1x/WPA2 we discussed will tie you into a domain, so it’s not necessarily designed to protect the client as much as it is the network. We were really talking about protecting the network. The best thing you can do to protect the client's own machine would be to ensure mutual authentication (which will force the server to authenticate to the client) and to ensure that its Windows Firewall is enabled and configured properly.

Q: What are the commands I used in the “forensics” part of the session?
A:
 Take a look at this blog entry I did for a previous TechNet Event:
https://blogs.technet.com/matthewms/archive/2006/05/02/427040.asp