
Components: total points = 111
Lesson Lab: 81 points
Lab Review Questions: 20 points
1 Minute Response: 10 points

NAME: _______TODD SAYERS_______________________________ DATE: ____4/14/13________

Lab 09a and Lab 09b Scenario


You are a network administrator for Lucerne Publishing. Lucerne Publishing is in the process of deploying numerous Windows Server 2008 computers to several remote locations to provide infrastructure services such as DHCP, DNS, and File and Print Services. To address management concerns about maintaining the security of access to these servers, you are investigating the use of IPSec and the Windows Firewall on a Windows Server 2008 network.

Lab Introduction
This lab is all about security, as you investigate the use of IP Security (IPSec) and the Windows Firewall on a Windows Server 2008 network. You'll gain experience configuring IPSec to allow and block traffic, and you'll manage IPSec authentication and encryption settings to secure communication between two computers. You'll test the configuration of the Windows Firewall, and you'll also get the chance to test the new Connection Security Rules functionality within Windows Server 2008.
Please respond to each question. (2 points each) Post one screen shot to show you have

Lab 09a
Exercise 1: Configuring IPSec to Allow and Block Traffic

Task 1: You are logged on to the SEA-SVR1 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. If you need to log on to SEA-SVR1, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR1 computer.

Task 2: You are logged on to the SEA-SVR2 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. If you need to log on to SEA-SVR2, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR2 computer.

Note:
The Initial Configuration Tasks (ICT) window will be displayed automatically.

Task 3: Configure the Windows Firewall to allow ping.


1. Open the Windows Firewall with Advanced Security console on SEA-SVR1 and create a new inbound rule that allows ping with the following details, and then log off SEA-SVR1:

   Rule Type: Custom
   Program: All Programs
   Protocol type: ICMPv4
   Name: Lab 9 Allow Ping

   a. Click Start > Administrative Tools > Windows Firewall with Advanced Security.
   b. Click Inbound Rules. Right-click Inbound Rules, and click New Rule.
   c. The Rule Type screen appears. Click the Custom radio button, and click Next.
   d. The Program screen appears. Click the All programs radio button, and click Next.
   e. The Protocol and Ports screen appears. In the Protocol type drop-down box, click ICMPv4.
   f. Click Next 4 times.
   g. The Name screen appears. In the Name text box, enter Lab 9 Allow Ping. Click Finish.
   h. Log off of the SEA-SVR1 computer.

2. On SEA-SVR2, open the Windows Firewall Settings window to disable the firewall settings.
   a. On SEA-SVR2, click Start > Control Panel and then double-click Windows Firewall. Click Turn Windows Firewall on and off. The Windows Firewall Settings window appears.
   b. On the General tab of the Windows Firewall Settings window, turn off the firewall settings.

Task 4: Configure IPSec Filter Actions on SEA-SVR1.


1. On SEA-SVR1, open the Local Group Policy Editor window.
   a. Log on to SEA-SVR1 by using the user name, Administrator and Password Pa$$w0rd.
   b. Click Start, key gpedit.msc, and press Enter.
   c. The Local Group Policy Editor window appears. Drill down to Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Local Computer.
2. Add an IP filter and change the following settings of the IP filter:

   Name: Lab 9 IP Filter List
   Description: Filter traffic to and from the SEA-SVR2 computer
   Source address: A Specific IP Address or Subnet
   IP Address: 10.10.0.12
   Destination IP Address: My IP Address

   a. Right-click IP Security Policies on Local Computer, and click Manage IP filter lists and filter actions.
   b. The Manage IP filter lists and filter actions screen appears. On the Manage IP Filter Lists tab, click Add.
   c. The IP Filter List screen appears. In the Name text box, enter Lab 9 IP Filter List.
   d. Click Add, and then click Next.
   e. The IP Filter Description and Mirrored property screen appears. In the Description text box, enter Filter traffic to and from the SEA-SVR2 computer.
   f. Click Next. The IP Traffic Source screen appears.

Question 1

What are the available options for Source address? My IP address, Any IP Address, A specific DNS Name, A specific IP Address or Subnet, DNS Servers <dynamic>, WINS Servers <dynamic>, DNS Servers <dynamic>, DHCP Servers <dynamic>, and Default Gateway <dynamic>

   g. In the Source address drop-down box, select A specific IP Address or Subnet. In the IP Address or Subnet text box, enter the IP address of the SEA-SVR1 computer (10.10.0.12).
   h. Click Next. The IP Traffic Destination screen appears. In the Destination address drop-down box, select My IP Address.
   i. Click Next. The IP Protocol Type screen appears. Accept the default selection, and click Next.

Question 2

What is the default protocol type? Any

   j. Click Finish, and then click OK.
   k. Leave the Manage IP filter lists and filter actions screen open for the next section.

Task 5: Configure IPSec block and allow actions.

1. Manage IPSec block by adding block filter, Block-Traffic.
   a. Click the Manage Filter Actions tab. Click Add, and then click Next.
   b. The Filter Action Name screen appears. In the Name text box, enter Block-Traffic. Click Next.
   c. The Filter Action General Options screen appears.

Question 3

What action types are available to choose from? Permit, Block, and Negotiate security

   d. Select the Block radio button, and then click Next. Click Finish.
2. Manage IPSec actions by adding a permit filter action with name Permit-Traffic.
   a. Repeat Steps 1a-1d to create a Filter Action called Permit-Traffic with a Filter Action of Permit.
   b. Click Close.
   c. Remain logged on to the SEA-SVR1 computer for the next section.

Task 6: Create and Assign an IPSec policy.


1. Create an IP security policy, Lab 9 IP Policy.
   a. Right-click IP Security Policies on Local Computer. Click Create IP security Policy, then click Next.
   b. The IP Security Policy Name screen appears. In the Name text box, enter Lab 9 IP Policy. Click Next twice to continue.
   c. Ensure that the Edit properties checkbox is selected, and then click Finish.
2. Assign a rule to Lab 9 IPSec Policy, with the following details:

   IP filter list: Lab 9 IP Filter List
   Filter action: Block-Traffic IP Filter Action

   a. The Lab 9 IPSec Policy Properties screen appears. Select the General tab.

Question 4

How often will the local computer check for policy updates? Every 180 minutes

   b. Select the Rules tab. Click Add, and then click Next.
   c. The Tunnel Endpoint screen appears. Click Next. The Network Type screen appears.

Question 5

What are the network types to which this rule can be applied? All network connections, Local area network (LAN), and Remote access

   d. Click Next. The IP Filter List screen appears. Select the radio button next to the Lab 9 IP Filter List that you created in Task 4. Click Next.
   e. The Filter Action screen appears. Select the radio button next to the Block-Traffic IP Filter Action that you created in Task 6. Click Next.
   f. Click Finish, and then click OK.
   g. Remain logged on to the SEA-SVR1 computer.

Task 7: Confirm the functionality of the IPSec policy.


1. On SEA-SVR2, ping the IP address of SEA-SVR1.
   a. Log on to the SEA-SVR2 computer as a local administrator. Open a command prompt. Type ping 10.10.0.11 and press Enter.

Question 6

Are you able to ping the IP address of the SEA-SVR1 computer (10.10.0.11)? Yes

   b. Remain logged on to the SEA-SVR2 computer.
2. On SEA-SVR1, assign the IPSec policy, Lab 9 IPSec Policy, and then ping the IP address of SEA-SVR1 from SEA-SVR2.
   a. Return to the SEA-SVR1 computer. Right-click Lab 9 IPSec Policy, and click Assign.
   b. Remain logged on to the SEA-SVR1 computer.
   c. Return to the SEA-SVR2 computer as a local administrator. From the command prompt, type ping 10.10.0.11 and press Enter.

Question 7

Are you now able to ping the IP address of the SEA-SVR1 computer (10.10.0.11)? Yes

3. On SEA-SVR1, un-assign the IPSec policy, Lab 9 IPSec Policy, and then ping the IP address of SEA-SVR1 from SEA-SVR2.
   a. Return to the SEA-SVR1 computer. Right-click Lab 9 IPSec Policy, and click Un-assign.
   b. Return to the SEA-SVR2 computer. From the command prompt, type ping 10.10.0.11 and press Enter.

Question 8

Are you now able to ping the IP address of the SEA-SVR1 computer (10.10.0.11)? Yes

4. Log off both SEA-SVR2 and SEA-SVR1.
   a. Log off of the SEA-SVR2 computer.
   b. Log off of the SEA-SVR1 computer.

Task 8: You have completed all tasks in this exercise.


1. A successful completion of this exercise results in the configuration of the IPSec policy that allows and blocks the traffic.
2. To proceed to another exercise, click the desired exercise.

Please post one screen shot to show you have completed this exercise:
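
The filter list, filter actions, policy and rule from Tasks 4 to 7 can also be built from the command line with netsh ipsec static. The script below is an added example and is not part of the lab manual; the file name lab9-ipsec.cmd and the create/assign/unassign/remove arguments are assumptions made for illustration, and the object names and the 10.10.0.12 source address are the ones the lab uses.

```batch
@echo off
rem Added example (not from the lab manual): Lab 09a Exercise 1 via netsh.
rem Run from an elevated command prompt on SEA-SVR1.
rem Usage (hypothetical file name): lab9-ipsec.cmd create^|assign^|unassign^|remove
setlocal
set "POLICY=Lab 9 IPSec Policy"
set "RULE=Lab 9 IPSec Rule"
set "FLIST=Lab 9 IP Filter List"
rem Source address entered in Task 4 of the lab.
set "PEER=10.10.0.12"

if /i "%~1"=="create"   goto create
if /i "%~1"=="assign"   goto assign
if /i "%~1"=="unassign" goto unassign
if /i "%~1"=="remove"   goto remove
echo Usage: %~nx0 create^|assign^|unassign^|remove
exit /b 1

:create
rem Task 4: mirrored filter matching traffic between the peer and this host.
netsh ipsec static add filterlist name="%FLIST%" description="Filter traffic to and from the SEA-SVR2 computer" || goto fail
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%PEER% dstaddr=Me protocol=ANY mirrored=yes || goto fail

rem Task 5: one block action and one permit action.
netsh ipsec static add filteraction name="Block-Traffic" action=block || goto fail
netsh ipsec static add filteraction name="Permit-Traffic" action=permit || goto fail

rem Task 6: policy with a single rule tying the filter list to Block-Traffic.
rem The policy is created unassigned, so it has no effect yet.
netsh ipsec static add policy name="%POLICY%" assign=no || goto fail
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" filterlist="%FLIST%" filteraction="Block-Traffic" || goto fail
goto show

:assign
rem Task 7: only an assigned policy is enforced, and only one local
rem IPsec policy can be assigned at a time.
netsh ipsec static set policy name="%POLICY%" assign=yes || goto fail
goto show

:unassign
netsh ipsec static set policy name="%POLICY%" assign=no || goto fail
goto show

:remove
rem Deleting the policy removes its rules; the filter list and the
rem filter actions are separate objects and are deleted afterwards.
netsh ipsec static delete policy name="%POLICY%"
netsh ipsec static delete filterlist name="%FLIST%"
netsh ipsec static delete filteraction name="Block-Traffic"
netsh ipsec static delete filteraction name="Permit-Traffic"
exit /b 0

:show
rem Verbose output lists the rule, filter list, filter action and
rem whether the policy is currently assigned.
netsh ipsec static show policy name="%POLICY%" level=verbose
exit /b 0

:fail
echo netsh reported an error; run "%~nx0 remove" before retrying.
exit /b 1
```

After each assign or unassign, repeat the ping 10.10.0.11 test from SEA-SVR2 as in Task 7 and compare the result with the assigned state shown by the script.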

Exercise 2: Managing IPSec Authentication and Encryption Settings

Task 1: Log on to the SEA-SVR1 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVR1, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR1 computer.

Note:
If the Initial Configuration Tasks (ICT) screen window opens automatically, place a checkmark next to Do not show this window at logon, and click Close.

Task 2: Log on to the SEA-SVR2 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVR2, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR2 computer.

Task 3: Create a new IPSec filter action.

1. Open the IP Security Policies on Local Computer window by using the Local Group Policy Editor on SEA-SVR1.
   a. Click Start, key gpedit.msc, and press Enter.
   b. The Local Group Policy Editor window appears. Drill down to Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Local Computer.
2. Add a Negotiate security filter action with the following details:

   Name: Secure-Traffic
   Filter action: Negotiate security
   Communicating with computers that do not support IPSec: Do not allow unsecured communications

   a. Right-click IP Security Policies on Local Computer, and click Manage IP filter lists and filter actions.
   b. Click the Manage Filter Actions tab, click Add, and then click Next.
   c. The Filter Action Name screen appears. In the Name text box, enter Secure-Traffic. Click Next.
   d. The Filter Action General Options screen appears. Verify that the Negotiate security radio button is selected, and then click Next.
   e. The Communicating with computers that do not support IPsec screen appears. Verify that the Do not allow unsecured communication radio button is selected, and then click Next.
   f. The IP Traffic Security screen appears. Accept the default selection, and click Next. Click Finish, and then click Close.
   g. Remain logged on to the SEA-SVR1 computer for the next section.

Task 4: Modify an IPSec Rule.

1. Edit Lab 9 IPSec Rule to use the Secure-Traffic filter action and then assign Lab 9 IPSec Rule.
   a. Right-click Lab 9 IPSec Policy, and click Properties.
   b. Click Edit. Select the Filter Action tab.
   c. Click the Secure-Traffic radio button. Click OK twice.
   d. Right-click Lab 9 IPSec Policy, and click Assign.
   e. Remain logged on to the SEA-SVR1 computer for the next section.

Task 5: Configure a pre-shared key authentication method.


1. On the SEA-SVR2, ping the IP address of the SEA-SVR1.
   a. Log on to the SEA-SVR2 computer as a local administrator. From the command prompt, type ping 10.10.0.11, and press Enter.

Question 9

Are you able to ping the IP address of the SEA-SVR1 computer (10.10.0.11)? Why or why not? Yes, not blocked through filters or firewall

   b. Log off of the SEA-SVR2 computer.
2. On the SEA-SVR1, configure the properties of Lab 9 IPSec Rule and create a new authentication method by using the following details:

   Authentication method: Use this string (pre-shared key)
   Name: Lab9
   Move the new authentication method first in the list.
   Remove Kerberos authentication method.
   Assign Lab 9 IPSec Policy: Yes

   a. Return to the SEA-SVR1 computer. Right-click Lab 9 IPSec Policy, and click Properties, followed by Edit.
   b. Select the Authentication Methods tab.

Question 10

What authentication method(s) is/are currently configured? Kerberos

   c. Click Add. The New Authentication Method Properties screen appears.
   d. Click the Use this string (preshared key) radio button. In the text box, enter Lab9, and click OK.
   e. Click Move up so that the new authentication method appears first in the list.
   f. Highlight Kerberos. Click Remove, and then click Yes. Click OK twice to save your changes.
   g. Confirm that the Lab 9 IPSec Policy on the SEA-SVR1 computer has a value of Yes in the Policy Assigned column, and then log off.

Task 6: Configure a matching IPSec policy on SEA-SVR2.


1. On SEA-SVR2, open the Local Group Policy Editor window, and then open IP Security Policies.
   a. Log on to the SEA-SVR2 computer as a local administrator.
   b. Click the Start button, key gpedit.msc, and press Enter.
   c. The Local Group Policy Editor window opens. Browse to Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Local Computer.
2. On SEA-SVR2, create a new filter action with the name Secure-Traffic by using the following settings:

   IP security policy: Lab 9 IPSec Policy
   IP filter list: Lab 9 IP Filter List

   a. Right-click IP Security Policies on Local Computer, click Create IP Security Policy, and then click Next.
   b. In the Name text box, enter Lab 9 IPSec Policy. Click Next twice, and then click Finish.
   c. Click Add. Click Next three times.
   d. On the IP Filter List screen, click Add. In the Name text box, enter Lab 9 IP Filter List.
   e. Click Add. Click Next five times, followed by Finish. Click OK.
   f. On the IP Filter List screen, select the Lab 9 IP Filter List radio button, and click Next.
   g. The Filter Action screen appears. Click Add, followed by Next.
   h. In the Name field, enter Secure-Traffic. Click Next four times, and then click Finish.
   i. On the Filter Action screen, select the Secure-Traffic radio button, and click Next.

3. Specify an authentication method with the following settings:

   Authentication method: Use this string to protect the key exchange (pre-shared key)
   Name: Lab9

   a. The Authentication Method screen appears. Click the Use this string to protect the key exchange (preshared key) radio button. Key Lab9 exactly as you did on the SEA-SVR1 computer in Task 4 2d.
   b. Click Next, click Finish, and then click OK.

4. Assign the IPSec policy, Lab 9, and then ping the IP address of the SEA-SVR1.
   a. Right-click Lab 9 IPSec Policy, and click Assign.
   b. Open a command prompt window and type ping 10.10.0.11 and press Enter.

Question 11

Are you able to ping the IP address of the SEA-SVR1 computer? Why or why not? No, blocked

5. On SEA-SVR1, ping the IP address of the SEA-SVR2, and then un-assign the IPSec policy, Lab 9, on both SEA-SVR1 and SEA-SVR2.
   a. Log on to the SEA-SVR1 computer as a local administrator. Open a command prompt window.

Question 12

Are you able to ping the IP address of the SEA-SVR2 computer? Why or why not? Yes, unassigned IPSec filter

   b. Un-assign the Lab 9 IPSec Policy on both the SEA-SVR2 and SEA-SVR1 computers.
6. Log off from SEA-SVR1 and SEA-SVR2.

Note:
If directed by your instructor:
At the end of lab exercises, the lab itself, or at other points within the lab specified by your instructor, press the Print Screen key to get a screenshot of what you've completed. You can then paste the screenshot in an e-mail or document and provide this record of your lab completion to your instructor.

   a. Log off from SEA-SVR1.
   b. Log off from SEA-SVR2.

Task 7: You have completed all tasks in this exercise.


1. A successful completion of this exercise results in the following outcomes:
   A new IPSec filter action is created.
   A pre-shared key authentication method is configured on SEA-SVR1.
   A matching IPSec policy is configured on SEA-SVR2.
2. To proceed to another exercise, click the desired exercise.

Please post one screen shot to show you have completed this exercise:

Lab 09b
Exercise 1: Configuring the Windows Firewall

Task 1: Log on to the SEA-SVR1 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVR1, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR1 computer.

Task 2: Log on to the SEA-DC1 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-DC1, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-DC1 computer.

Task 3: Log on to the SEA-SVR2 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVR2, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR2 computer.

Task 4: Log on to the SEA-SVRCORE computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVRCORE, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVRCORE computer.

Task 5: Reset the Windows Firewall to Defaults.

1. On SEA-SVR1, restore the default settings of SEA-SVR1, and then ping the IP address of the SEA-SVR2 to verify policy settings.
   a. Click Start > Control Panel. Double-click Windows Firewall.
   b. The Windows Firewall applet appears. Click Change settings.
   c. Click the Advanced tab. Click Restore Defaults, then click Yes, and then click OK.
   d. Close the Windows Firewall applet window, and then close the Windows Control Panel.

Note:
Repeat step 1a to 1d on SEA-SVR2.

Question 1

Are you able to ping the remote computer? That is, if you are logged on to the SEA-SVR1 computer, are you able to ping the SEA-SVR2 computer and vice versa? Yes

2. Open the shared folder C$ on SEA-SVR2.
   a. Open Windows Explorer. Attempt to browse to the c$ share on the remote computer by keying \\SEA-SVR2\c$ and pressing Enter. For example, if you are logged on to the SEA-SVR1 computer, key \\SEA-SVR2\c$, and press Enter. If you are logged on to the SEA-SVR2 computer, key \\SEA-SVR1\c$, and press Enter.

Question 2

Are you able to browse to the c$ share on the remote computer? No

   b. Remain logged on to both computers for the next section.

Task 6: Create test file shares.

1. On both computers, create a folder with the following details:

   Name: Lab9
   Location: C:\
   Reader right: EVERYONE
   Configuration: private network

   a. Create a folder called Lab9 in the root of the C:\ drive.
   b. Share the folder as \\SEA-SVR1\Lab9 as described in Lab 6. Grant EVERYONE Reader rights to the share.
   c. When prompted, configure the lab network as a private network.
   d. Repeat steps 1a to 1c on SEA-SVR2. Replace all references of SVR1 to SVR2.
   e. Remain logged on to both computers for the next section.

Task 7: Test Windows Server 2008 network locations.

1. Attempt to access \\SEA-SVR2\Lab9 share from SEA-SVR1.
   a. From the SEA-SVR2 computer, attempt to browse to \\SEA-SVR1\Lab9; from the SEA-SVR1 computer, attempt to browse to \\SEA-SVR2\Lab9.

Question 3

Are you able to ping your partner's computer? Why or why not? Yes, have public network access with file and printer sharing

Question 4

Are you able to browse to the Lab9 share? yes

2. On both computers, modify the network location type to Public, and then ping the IP address of the SEA-SVR2.
   a. Click Start > Control Panel. Double-click Network and Sharing Center. Click Customize.
   b. The Set Network Location screen appears. In the Location type radio button, click Public. Click Next, and then click Close.
   From SEA-SVR1, open a command prompt and type ping 10.10.0.12 and then press Enter.

Note:
You must complete Step 2a and 2b on both computers before answering Questions 5 and 6!

Question 5

Are you able to ping the remote computer? Why or why not? Yes, not blocked by firewall

Question 6

Are you able to browse to the Lab9 share? Yes

Task 8: Create a Windows Firewall exception.


1. On SEA-SVR1 and SEA-SVR2, allow a Windows Firewall exception for the File and Printer Sharing service.
   a. On SEA-SVR1, click Start > Control Panel. Double-click Windows Firewall. Click Change settings.
   b. Select the Exceptions tab. Place a checkmark next to File and Printer Sharing. Click OK.
   c. Repeat steps 1a and 1b on SEA-SVR2.

Question 7

Are you able to browse to the Lab9 share? Yes

2. Log off from both SEA-SVR1 and SEA-SVR2.
   a. Log off from SEA-SVR1.
   b. Log off from SEA-SVR2.

Task 9: You have completed all tasks in this exercise.


1. A successful completion of this exercise results in successful testing of the configuration of the Windows Firewall.
2. To proceed to another exercise, click the desired exercise.

Please post one screen shot to show you have completed this exercise:

Exercise 2: Configuring Connection Security Rules

Task 1: Log on to the SEA-SVR1 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVR1, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR1 computer.

Task 2: Log on to the SEA-SVR2 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVR2, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR2 computer.

Task 3: Configure a connection security rule.

1. On SEA-SVR1 and SEA-SVR2, create a new connection security rule with the following settings, and then ping each machine:

   Rule type: Isolation
   Requirements: Require authentication for inbound and outbound connections
   Authentication method: Advanced
   First authentication method: Select the Preshared key (not recommended)
   Name: Lab9
   Name of the connection security rule: Lab 9 Connection Security Rule

   a. On SEA-SVR1, click Start > Administrative Tools > Windows Firewall with Advanced Security.
   b. Click Connection Security Rules, then right-click Connection Security Rules, and click New Rule.
   c. The Rule Type screen appears. Confirm that the Isolation radio button is selected, and click Next.
   d. The Requirements screen appears. Select the Require authentication for inbound and outbound connections radio button, and click Next.
   e. The Authentication Method screen appears.

Question 8

What are the available authentication methods from which to choose? Default, Computer and user (Kerberos V5), Computer (Kerberos V5), Computer certificate, and Advanced

   f. Select the Advanced radio button. Click Customize.
   g. The Customize Advanced Authentication Methods screen appears. In the First authentication methods section, click Add.
   h. The First Authentication Method screen appears. Click the Preshared key (not recommended) radio button. In the text box, key Lab9. Click OK twice.
   i. Click Next twice.
   j. The Name screen appears. In the Name text box, key Lab 9 Connection Security Rule, and then click Finish.
   k. Open a command prompt window.
   l. Repeat steps 1a to 1k for SEA-SVR2.
   m. From SEA-SVR2, ping 10.10.0.11.
   n. From SEA-SVR1, ping 10.10.0.12.

Question 9

Are you able to ping your partner's computer? Yes

Task 4: Simulate an unauthenticated connection from the SEA-SVR2 computer.


1. On SEA-SVR2, change the preshared key from Lab9 to BadAuthentication, and then ping the IP address of the SEA-SVR1.
   a. Log on to the SEA-SVR2 computer by using the user name, Administrator, and password, Pa$$w0rd. Click Start > Administrative Tools > Windows Firewall with Advanced Security.
   b. Click Connection Security Rules. In the right-hand pane, right-click Lab 9 Connection Security Rule, and click Properties.

m. Log off of both computers.

   c. Click the Authentication tab. In the Method section, click Customize.
   d. The Customize Advanced Authentication Methods screen appears. Select the Preshared key method that you configured in Part A, and click Edit.
   e. Delete the Lab9 text, and key BadAuthentication. Click OK three times.
   f. Open the command prompt and type ping 10.10.0.11 and press Enter.

Question 10

Are you able to ping the SEA-SVR1 computer? Why or why not? No, don't have same preshared-key

2. On SEA-SVR2, change the preshared key from BadAuthentication back to Lab9, and then ping the IP address of the SEA-SVR1.
   a. Repeat Steps 1a-1f, and replace the BadAuthentication text with the correct pre-shared key by entering Lab9.

Question 11

Are you able to ping the SEA-SVR1 computer? Why or why not? Yes, have same preshared-key

   b. Log off of the SEA-SVR2 computer.

Task 5: Monitor the Windows Firewall.

1. On SEA-SVR1, monitor the security associations of Windows Firewall.
   a. Log on to the SEA-SVR1 computer by using the user name, Administrator, and password, Pa$$w0rd. Click Start > Administrative Tools > Windows Firewall with Advanced Security.
   b. Expand Monitoring > Security Associations > Main Mode.

Question 12

What Main Mode Association(s) are present? None

   c. Log off of the SEA-SVR1 computer.

Task 6: You have completed all tasks in this exercise.

1. A successful completion of this exercise results in the configuration of the connection security rule.
2. To proceed to another exercise, click the desired exercise.

Please post one screen shot to show you have completed this exercise:
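
The connection security rule from Task 3 and the monitoring view from Task 5 have command-line equivalents in netsh advfirewall. The script below is an added example and is not part of the lab manual; the file name lab9-consec.cmd and its create/status/remove arguments are assumptions made for illustration, while the rule name and the Lab9 key are the lab's own values.

```batch
@echo off
rem Added example (not from the lab manual): Lab 09b Exercise 2 via netsh.
rem Run from an elevated command prompt on SEA-SVR1 and on SEA-SVR2.
rem Usage (hypothetical file name): lab9-consec.cmd create^|status^|remove
setlocal
set "RULE=Lab 9 Connection Security Rule"
rem Lab value. A preshared key is stored in plaintext in the policy,
rem which is why the wizard labels the method "not recommended".
set "PSK=Lab9"

if /i "%~1"=="create" goto create
if /i "%~1"=="status" goto status
if /i "%~1"=="remove" goto remove
echo Usage: %~nx0 create^|status^|remove
exit /b 1

:create
rem Task 3: require authentication for inbound and outbound connections
rem between any two endpoints, with a preshared key as the first
rem authentication method. Both computers must use the same key; Task 4
rem of the lab shows that a mismatch stops the ping.
netsh advfirewall consec add rule name="%RULE%" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequireout ^
    auth1=computerpsk auth1psk="%PSK%" || goto fail
rem On domain-joined computers, auth1=computerkerb (Computer Kerberos V5,
rem one of the methods the wizard lists) removes the shared secret:
rem   netsh advfirewall consec add rule name="%RULE%" endpoint1=any ^
rem       endpoint2=any action=requireinrequireout auth1=computerkerb
goto status

:status
rem Rule as stored, including the authentication method in use.
netsh advfirewall consec show rule name="%RULE%"
rem Task 5: the same data as Monitoring, Security Associations in the
rem console. Main mode entries appear only after authenticated traffic
rem has been exchanged with the peer, so ping the partner first.
echo --- Main mode security associations ---
netsh advfirewall monitor show mmsa
echo --- Quick mode security associations ---
netsh advfirewall monitor show qmsa
exit /b 0

:remove
rem Removes the rule so the computer stops requiring authentication.
netsh advfirewall consec delete rule name="%RULE%" || goto fail
exit /b 0

:fail
echo netsh reported an error; check the rule name and that the prompt is elevated.
exit /b 1
```

Run the status action on both computers right after the pings in steps m and n of Task 3; if the keys differ, as in Task 4, the ping fails and no main mode association is listed for the peer.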

Exercise 3: Configuring the Windows Firewall on Server Core

Task 1: Log on to the SEA-SVR1 computer with the user name, Administrator, and the password, Pa$$w0rd. Proceed to the next task.
1. To log on to SEA-SVR1, click the Ctrl-Alt-Delete button.
2. Enter the following:
   User name: Administrator
   Password: Pa$$w0rd
3. Click the Forward button. You are now connected to the SEA-SVR1 computer.

Task 2: Create a file share to test Firewall configuration

1. On SEA-SVRCORE, create the C:\Lab9 folder by using the command prompt commands.
   a. At the command prompt, key cd \, and press Enter to change directories to the root of the C:\ drive.
   b. At the command prompt, key md Lab9, and press Enter to create the C:\Lab9 folder.
2. Create the \\SEA-SVRCORE\Lab9 share by using the following command and then log off from the SEA-SVRCORE computer.

   net share Lab9=C:\Lab9 /GRANT:EVERYONE,READ

   a. At the command prompt, key net share Lab9=C:\Lab9 /GRANT:EVERYONE,READ, and press Enter to create the \\SEA-SVRCORE\Lab9 share. Type netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No to turn off File and Printer Sharing. Key shutdown /l, and press Enter to log off of the SEA-SVRCORE computer.
3. Log on to the SEA-SVR1 computer by using user name Administrator and password Pa$$w0rd.
   a. Log on to the SEA-SVR1 computer as the administrator.
4. From the SEA-SVR1, ping the address of the SEA-SVRCORE computer.
   a. Open a command prompt window, and type ping 10.10.0.13 and then press Enter.

Question 13

Are you able to ping the SEA-SVRCORE computer (10.10.0.13)? No

5. From the SEA-SVR1, attempt to access \\SEA-SVRCORE\Lab9.
   a. Attempt to browse to \\SEA-SVRCORE\Lab9.

Question 14

Are you able to access the file share on the Server Core computer? No

   b. Log off of the SEA-SVR1 computer.

Task 3: Enable exceptions in the Windows Firewall.

1. Log on to SEA-SVRCORE by using user name Administrator and password Pa$$w0rd.
   a. Log on to the SEA-SVRCORE Server Core computer as the administrator.
2. On SEA-SVRCORE, enable the File and Printer sharing exception in Windows Firewall by using the following command in the command prompt and then log off from the SEA-SVRCORE computer.

   netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

   a. To enable the File and Printer sharing exception in the Windows Firewall, at the command prompt, key netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes, and press Enter.
   b. Key shutdown /l, and press Enter to log off of the SEA-SVRCORE computer.
3. Log on to SEA-SVR1 by using user name Administrator and password, Pa$$w0rd.
   a. Log on to the SEA-SVR1 computer as the administrator.
4. From the SEA-SVR1, ping the address of the SEA-SVRCORE computer.

Note:
After logging on to the SEA-SVR1 computer, switch off the firewall.

   a. Open a command prompt window.

Question 15

Are you able to ping the SEA-SVRCORE computer (10.10.0.13)? Yes

5. From the SEA-SVR1, attempt to access \\SEA-SVRCORE\Lab9.

Note:
If directed by your instructor:
At the end of lab exercises, the lab itself, or at other points within the lab specified by your instructor, press the Print Screen key to get a screenshot of what you've completed. You can then paste the screenshot in an e-mail or document and provide this record of your lab completion to your instructor.

   a. Attempt to browse to \\SEA-SVRCORE\Lab9.

Question 16

Are you able to access the file share on the Server Core computer? Yes

b. Log off of the SEA-SVR1 computer.

Task 4: You have completed all tasks in this exercise.


1. A successful completion of this exercise results in the configuration of the Windows Firewall on Server Core.

Please post one screen shot to show you have completed this exercise:

LAB REVIEW QUESTIONS 5 POINTS EACH


1. In your own words, describe what you learned by completing this lab. I learned how to configure the Windows Firewall, create an IPSec Filter Action, configure IPSec Filter Actions, configure IPSec block and allow actions, configure and assign an IPSec policy, modify an IPSec rule, and configure pre-shared key authentication.

2. Why did you not need to configure a separate Windows Firewall exception to allow ping traffic when you enabled the file and printer sharing exception? PING uses ICMP services to send echo requests and echo reply messages. When the file and printer sharing exception is enabled in Windows firewall, it also enables the ICMP services. While ICMP allows PING to be used, it also allows other computers to share files and printers over the network.

3. What filter actions are available to you when you are creating an IPSec policy? Permit, Block, and Negotiate security

4. In a non-Active Directory environment, what options are available to secure IPSec traffic between computers? In a non-Active Directory environment, PKI certificates and pre-shared keys options are available to secure IPSec traffic between computers.

1 MINUTE RESPONSE 10 POINTS


Please take one minute to answer the following two questions about this session. (5 points each)

1. What was the most important or interesting thing introduced in this session? IPSec Filters

2. What was unclear or would you like to know more about? IPSec rules
