1 6 6 CHAPTER 4 Network Access Security Before You Begin To complete the lessons in this chapter, you must have done the following: n Installed and confi gured the evaluation edition of Windows Server 2008 Enterprise Edition in accordance with the instructions listed in the Introduction. REAL WORLD Orin Thomas O ne of the biggest shifts in thinking that has gone on since I became an IT professional is the shift in thinking about the LAN as a protected network environment. When I started out, fi rewalls were placed only at the border between a protected network environment and the Internet. Today’s thinking is different in that it recognizes that the LAN is also potentially hostile to the health of sys- tems. This shift of thinking is evident in the features shipped with Windows Vista and Windows Server 2008, namely the improved fi rewall and technologies such as Network Access Protection (NAP). Despite our best intentions, not every host that connects to the network we are responsible for managing is entirely under our control. Nothing is stopping a member of the sales team who has been overseas at trade shows for the past three months from connecting his or her laptop computer to the company network upon return. This is not problematic if the member of the sales team has ensured that antivirus protection, antispyware, and Windows Updates have been applied to that computer while he or she was away from the network. But what if, when the laptop computer was away from an environment in which harmful Web content is automatically fi ltered by Microsoft Internet Secu- rity and Acceleration (ISA) Server 2006, that laptop became infected? Without the technologies in Windows Server 2008, the act of connecting that computer to the LAN might activate a virulent worm. As IT professionals, we always need to be able to shift our thinking. Today, if we want to remain secure, we must consider the local area network as potentially hostile as we consider the Internet. REAL WORLD Orin Thomas O ne of the biggest shifts in thinking that has gone on since I became an IT professional is the shift in thinking about the LAN as a protected network environment. When I started out, fi rewalls were placed only at the border between a protected network environment and the Internet. Today’s thinking is different in that it recognizes that the LAN is also potentially hostile to the health of sys- tems. This shift of thinking is evident in the features shipped with Windows Vista and Windows Server 2008, namely the improved fi rewall and technologies such as Network Access Protection (NAP). Despite our best intentions, not every host that connects to the network we are responsible for managing is entirely under our control. Nothing is stopping a member of the sales team who has been overseas at trade shows for the past three months from connecting his or her laptop computer to the company network upon return. This is not problematic if the member of the sales team has ensured that antivirus protection, antispyware, and Windows Updates have been applied to that computer while he or she was away from the network. But what if, when the laptop computer was away from an environment in which harmful Web content is automatically fi ltered by Microsoft Internet Secu- rity and Acceleration (ISA) Server 2006, that laptop became infected? Without the technologies in Windows Server 2008, the act of connecting that computer to the LAN might activate a virulent worm. As IT professionals, we always need to be able to shift our thinking. Today, if we want to remain secure, we must consider the local area network as potentially hostile as we consider the Internet. Lesson 1: Wireless Access CHAPTER 4 167 Lesson 1: Wireless Access In the past decade, wireless network speeds have grown from painfully slow to fast enough that wireless technology is an acceptable replacement for traditional cabling. As wireless net- working technology has matured, so have the methods through which administrators manage wireless clients in Windows Server network environments. Windows Server 2008 Group Policy gives you a way to automate the confi guration of wireless network connections, ensuring that the people who use mobile computers within your organization can do so in a seamless and secure manner. In this lesson, you learn about the wireless technologies Windows clients and servers support, how you can confi gure secure authentication and encryption for wireless network connections, and how to deploy connection information automatically to clients through Group Policy. After this lesson, you will be able to: n Understand wireless network concepts. n Understand the difference between ad hoc and infrastructure modes. n Confi gure Group Policy related to wireless networks. n Understand the difference between wireless authentication methods. n Confi gure wireless local area network (WLAN) authentication, using 802.1x. Estimated lesson time: 40 minutes Wireless Network Components The fi rst part of this lesson covers the basic concepts behind WLANs. If you are an experi- enced administrator and already know the most commonly used IEEE 802.11 standards, what a service set identifi er (SSID) does, the difference between ad hoc and infrastructure modes, and what a wireless access point (WAP) is, you should move forward to the section titled, “Wireless LAN Authentication.” IEEE 802.11 Standards IEEE 802.11 is a collection of standards for WLANs developed by the Institute of Electronic and Electrical Engineers (IEEE), a professional organization that develops industry standards related to information technology, electricity, and electronics. The standards you are most likely to encounter in a modern network environment are as follows: n 802.11b This is an older wireless networking standard that has a maximum theoreti- cal network throughput of 11 megabits per second (Mbps) and an approximate range of 35 meters (about 100 feet). After this lesson, you will be able to: n Understand wireless network concepts. n Understand the difference between ad hoc and infrastructure modes. n Confi gure Group Policy related to wireless networks. n Understand the difference between wireless authentication methods. n Confi gure wireless local area network (WLAN) authentication, using 802.1x. Estimated lesson time: 40 minutes 1 6 8 CHAPTER 4 Network Access Security n 802.11g This is a newer standard than 802.11b and has a maximum theoretical net- work throughput of 64 Mbps and an approximate range of 35 meters. WAPs that use this standard can be configured to work in mixed mode, which supports both 802.11b and 802.11g clients at the cost of reduced network throughput. n 802.11n Although this standard is awaiting formal approval, vendors sell prod- ucts that use a draft version of the standard. It has a maximum theoretical network throughput of 300 Mbps and an approximate range of 70 meters (about 200 feet) and is backward compatible with 802.11b and 802.11g. This means that clients that support the older standards can connect to an 802.11n wireless network. When considering the purchase of WAPs, remember that access points that support the 802.11n standard will be able support connections from clients that use 802.11b and 802.11g as well as 802.11n. Purchasing a WAP that is not compatible with existing wireless client hard- ware will mean that you have to replace that hardware for it to work with the new WLAN. WAPs WAPs are hardware devices that allow wireless clients, such as laptop computers, to access wireless networks directly and, through routing and switching, to access traditional physi- cal networks, as shown in Figure 4-1. In many small businesses, a single hardware device functions as an external firewall, internal switch, and wireless access point. In most larger organizations, WAPs function as a bridge that allows wireless computers, such as laptops and Tablet PCs, to access resources such as servers that are connected to traditional wired networks. Laptop computer wireless client Tablet PC wireless client Wireless access point allows wireless clients to connect to resources on wire networks Traditional clients connected to wired network Traditional servers connected to wired network FIGURE 4-1 A basic WLAN. Lesson 1: Wireless Access CHAPTER 4 169 NOTE 802.11 WIRELESS TO 3G/HSPDA Although WAPs have been defi ned earlier as connecting to traditional wired networks, some new-model mobile phones have software that can function as WAPs connecting to 3G/HSPDA data networks. This technology enables multiple 802.11 wireless clients to con- nect to a mobile phone WAP and to share the mobile phone’s data connection. SSID SSID (service set identifi er) is a wireless network name that can be up to 32 characters in length. You assign SSIDs to WAPs when you run a WAP’s confi guration utility. Some WAPs enable you to confi gure multiple SSIDs, with each SSID assigned to a different wireless net- work. It is customary to confi gure access points to broadcast SSIDs so that wireless clients can detect which wireless networks are available in a particular location. As with creating names for servers and client workstations, in large organizations it is essential to have a coherent and meaningful naming scheme for SSIDs. It is far easier for staff to locate a malfunctioning WAP named “CONTOSO-RM435-WAVERLEY” than it is to locate “ORINS-NEW-WIRELESS-ROUTER.” With 32 characters, you can be descriptive, so there is no need to be cryptic when deploying SSIDs in your organization. Although it is possible to confi gure WAPs not to broadcast SSIDs, Microsoft does not recommend this as a form of security because even when SSIDs are not broadcast, it is pos- sible to detect a hidden SSID by using an appropriate set of tools. You should secure wireless networks by confi guring strong authentication methods, not by hiding the network ID and hoping that an attacker is not profi cient enough to fi gure it out. MORE INFO MORE ON NONBROADCAST WIRELESS NETWORKS To learn more about why Microsoft recommends broadcasting SSIDs, consult the following article on TechNet: http://technet.microsoft.com/en-au/library/bb726942.aspx. AD Hoc Mode vs. Infrastructure Mode Wireless networks in most Windows Server 2008 network environments will function in what is known as infrastructure mode as opposed to what is termed ad hoc mode. An infra- structure mode network has a wireless access point that manages communication between wireless clients. Ad hoc networks are created between wireless clients themselves and do not pass through a WAP. Infrastructure mode WLANs are more prevalent in business envi- ronments and typically connect wireless clients to traditional wired networks. Because the 70-648 and 70-649 exams concentrate on the server rather than on client operating sys- tems, the focus of this lesson is on infrastructure mode rather than on ad hoc mode wireless networks. NOTE 802.11 WIRELESS TO 3G/HSPDA NOTE 802.11 WIRELESS TO 3G/HSPDANOTE Although WAPs have been defi ned earlier as connecting to traditional wired networks, some new-model mobile phones have software that can function as WAPs connecting to 3G/HSPDA data networks. This technology enables multiple 802.11 wireless clients to con- nect to a mobile phone WAP and to share the mobile phone’s data connection. MORE INFO MORE ON NONBROADCAST WIRELESS NETWORKS To learn more about why Microsoft recommends broadcasting SSIDs, consult the following article on TechNet: http://technet.microsoft.com/en-au/library/bb726942.aspx . http://technet.microsoft.com/en-au/library/bb726942.aspx.http://technet.microsoft.com/en-au/library/bb726942.aspx 1 7 0 CHAPTER 4 Network Access Security NOTE WIRELESS NETWORKING ON WINDOWS SERVER 2008 By default, WLAN service is not installed on Windows Server 2008. You can add it through the Features node of the Server Manager console. WLAN Authentication You can restrict access to a wireless network by confi guring WAPs to authenticate clients before allowing connections. It is also possible to protect wireless network traffi c through encryption. The strength of WLAN encryption depends on the wireless standard used, although it is possible to use other network traffi c encryption technologies in conjunction with WLAN encryption. Ensure that you encrypt wireless traffi c because anyone within range of the WAP is able to capture all network communication between the access point and the client. Windows clients support the following wireless security standards: n Unsecured Unsecured wireless access points allow connections from any client with compatible hardware. When connecting to an unsecured wireless network, Windows Vista and Windows Server 2008 will warn users that it is possible for third parties to access transmissions sent to the WAP from the client. SSL and IPsec-encrypted traffi c transmitted across networks with no security remains encrypted because this encryp- tion is occurring at a higher layer of the Open Systems Interconnection (OSI) model. n Wired Equivalent Protection (WEP) WEP is an older wireless security standard that has vulnerabilities in its cryptographic design. WEP can be confi gured to use either 64-bit or 128-bit encryption. Tools are available that enable attackers to learn a WAP’s WEP key by intercepting and analyzing existing wireless traffi c. WEP is often used to deter people from casually connecting to an access point without authorization but will not deter a sophisticated attacker who is determined to get access. The WAP per- forms authentication when WEP is in use. n Wi-Fi Protected Access with Preshared Key (WPA-PSK/WPA2-PSK, WPA-Personal /WPA2-Personal) This standard uses a preshared key similar to WEP. Although the cryptography behind WPA-PSK is more sophisticated, making it more diffi cult to compromise than WEP, it is possible to calculate WPA-PSK preshared keys by using brute-force techniques, given enough time. With WPA-PSK, the access point performs authentication. WPA2-PSK (802.11i) uses stronger cryptography and is more secure than WPA-PSK, but the preshared key can still be calculated, given enough time and data. n Wi-Fi Protected Access with Extensible Authentication Protocol (WPA-EAP/WPA 2-EAP, WPA-Enterprise/WPA2-Enterprise) When this standard is used, the WAP for- wards authentication requests to a RADIUS server. On computers confi gured with the Windows Server 2008 operating system, the Network Policy Server (NPS) role provides RADIUS authentication functionality. You can learn more about RADIUS by reviewing Chapter 3, “Network Access Confi guration.” WPA2-Enterprise supports smart-card, NOTE WIRELESS NETWORKING ON WINDOWS SERVER 2008 NOTE WIRELESS NETWORKING ON WINDOWS SERVER 2008NOTE By default, WLAN service is not installed on Windows Server 2008. You can add it through the Features node of the Server Manager console. Lesson 1: Wireless Access CHAPTER 4 171 certifi cate-based, and password-based authentication. WPA2-Enterprise (802.11i) is more cryptographically secure than WPA-Enterprise; deploy WPA2-Enterprise if all clients in your network environment support this protocol. When comparing these protocols from a security standpoint, Microsoft recommends deploying the WPA2-Enterprise or WPA-Enterprise authentication methods ahead of others that are available. These wireless standards are much more diffi cult to compromise than stan- dards that use preshared keys. If a preshared key is compromised, it is necessary to update all clients and access points with new preshared keys to re-secure the network. If you are going to deploy WPA2-Enterprise and WPA-Enterprise in a Windows Server 2008 environment, you must deploy a Public Key Infrastructure (PKI) as well as enable auto-enrollment within Group Policy. Chapter 7, “Active Directory Certifi cate Services,” covers these topics in detail. MORE INFO WIRELESS NETWORKING TECHCENTER To fi nd out more about wireless networking in Microsoft operating systems, consult the wireless networking TechCenter on TechNet at: http://technet.microsoft.com/en-us /network/bb530679.aspx. Quick Check 1. Which wireless authentication protocol is the most secure out of the following: WPA2-EAP, WPA-EAP, WPA2-PSK, WPA-PSK, and WEP? 2. Which wireless authentication protocols do not use a preshared key to authenti- cate the client to the WAP? Quick Check Answers 1. WPA2-EAP is more cryptographically secure than WPA-EAP, WPA2-PSK, WPA- PSK, and WEP. 2. WPA2-Enterprise (WPA2-EAP) and WPA-Enterprise (WPA-EAP) do not use pre- shared keys to authenticate the client to the access point. Wireless Group Policy Wireless network (IEEE 802.11) policies enable clients within your organization to connect to wireless networks with a minimum amount of end-user intervention and enable you to confi gure properties for specifi c access point identifi ers, called SSIDs, in your organiza- tion. A wireless network policy consists of a collection of profi les. A profi le addresses how the client should address specifi c SSIDs in your organization. A single profi le can address multiple SSIDs, and the specifi c authentication methods and encryption technologies each access point supports. For example, you might create one profi le for WAP1, WAP2, and WAP3 SSIDs, specifying the WPA2-Enterprise authentication method, the Microsoft PEAP network MORE INFO WIRELESS NETWORKING TECHCENTER To fi nd out more about wireless networking in Microsoft operating systems, consult the wireless networking TechCenter on TechNet at: http://technet.microsoft.com/en-us /network/bb530679.aspx . /network/bb530679.aspx./network/bb530679.aspx Quick Check 1 . Which wireless authentication protocol is the most secure out of the following: WPA2-EAP, WPA-EAP, WPA2-PSK, WPA-PSK, and WEP? 2 . Which wireless authentication protocols do not use a preshared key to authenti- cate the client to the WAP? Quick Check Answers 1 . WPA2-EAP is more cryptographically secure than WPA-EAP, WPA2-PSK, WPA- PSK, and WEP. 2 . WPA2-Enterprise (WPA2-EAP) and WPA-Enterprise (WPA-EAP) do not use pre- shared keys to authenticate the client to the access point. 1 2 1 2 Quick Check 1 1 7 2 CHAPTER 4 Network Access Security authentication method, and the AES encryption algorithm. You might create another profile for SSID WAP4 that specifies the WPA2-Personal authentication method and the TKIP encryp- tion algorithm. When you select the WPA/WPA2-Enterprise authentication method, you must also specify a network authentication method, as shown in Figure 4-2. It is necessary to specify the network authentication method because authentication occurs against an NPS/RADIUS server rather than against the WAP. Four basic authentication modes are available: Computer Authentication, User Re-authentication, User Authentication, and Guest Authentication. When the computer-only authentication mode is selected, the computer account authenticates the WAP connection prior to logon, allowing users transparent access to the network, similar to using a wired network. When the User Authentication mode is selected, authentication occurs after the users log on to their computers. You should not select this option unless the Single Sign On option is enabled in Advanced Properties because errors can occur during the authentication process if logon details are not cached. FIGURE 4-2 Wireless authentication policy. When you select the User Re-authentication option, authentication is performed using computer credentials when a user is not logged on and user credentials when a user is logged on. You can configure this method so that a computer has limited access to the network until user credentials are provided. It is not necessary for a network authentication method to be specified when the WPA/WPA2-Personal method is selected because no network authentica- tion is required, due to the use of preshared keys. The advanced security settings, shown in Figure 4-3, enable you to enforce advanced cryptography settings, enable Single Sign On, enable Fast Roaming, and use only cryptography that uses the FIPS 140-2 certified stan- dard. Enable Single Sign On if you have chosen to implement the User Authentication mode because this will allow sign-on when a user’s credentials have not been cached. Lesson 1: Wireless Access CHAPTER 4 173 FIGURE 4-3 Advanced Security Settings. Wireless network policies are configured on a per-client–operating system basis. You can configure a wireless network policy for Windows Vista or for Windows XP. It is important to note that computers running Windows XP are not influenced by the Windows Vista policy and vice versa. Although you can apply policies for both client operating systems in the same GPO, many network administrators find it simpler to separate client computers into differ- ent organizational units (OUs) and to apply separate policies if the settings for one operating system are significantly different from the settings for the other. Wireless authentication policies also enable you to restrict wireless clients from connecting to either infrastructure or ad hoc mode networks. It is also possible to configure policies that allow users to view networks that they are denied access to, to use Group Policy profiles only for allowed networks, and to allow any user to create a wireless network profile. You config- ure some of these settings in the practice at the end of this lesson. If it is necessary to troubleshoot wireless network policies, the commands available when netsh is in the wlan context are useful. It is also possible to use the netsh wlan commands to examine currently applied Group Policy settings. The netsh wlan commands enable you to configure wireless clients by using commands or scripts rather than through Group Policy. The command that provides the most information is netsh wlan show all, and you can use this command as a starting point to debug problems with wireless access policies. 1 7 4 CHAPTER 4 Network Access Security MORE INFO MORE ON NETSH WLAN To fi nd more detailed information on using netsh wlan to confi gure wireless connectivity and security settings, consult the following TechNet document: http://technet2 .microsoft.com/windowsserver2008/en/library/f435edbe-1d50-4774-bae2 -0dda33eaeb2f1033.mspx?mfr=true. Confi guring Network Policy and Access Services for Wireless Authentication You can confi gure the Network Policy and Access Services role in Windows Server 2008 as a RADIUS server to authenticate WPA2-Enterprise and WPA-Enterprise connections to WAPs. Although NPS as a RADIUS server for remote access connections is covered in Chapter 3, this lesson focuses specifi cally on using NPS to support the WPA/WPA2-Enterprise protocols on WAPs. You must add each access point as a RADIUS client. Confi guring an access point as a RADIUS client involves setting up a shared secret password that you confi gure on both the access point and the RADIUS server. This shared secret can be generated automatically, as shown in Figure 4-4. The practice at the end of this lesson involves setting up a hypothetical access point as a RADIUS client. FIGURE 4-4 Configuring an access point as a RADIUS client. After you add each WAP in your organization as a RADIUS client, you can select from the following authentication methods: MORE INFO MORE ON NETSH WLAN To fi nd more detailed information on using netsh wlan to confi gure wireless connectivity and security settings, consult the following TechNet document: http://technet2 .microsoft.com/windowsserver2008/en/library/f435edbe-1d50-4774-bae2 -0dda33eaeb2f1033.mspx?mfr=true . Lesson 1: Wireless Access CHAPTER 4 175 n Microsoft: Smart Card Or Other Certifi cate This method requires a user to provide a certifi cate by using a smart card. The user is prompted to insert the smart card when he or she attempts to connect to the wireless network. n Microsoft: Protected EAP (PEAP) This method requires the installation of a com- puter certifi cate on both the RADIUS/NPS server and the installation of a computer or user certifi cate on all wireless clients. Clients must trust the certifi cation authority (CA) that issued the certifi cate on the RADIUS/NPS server, and the RADIUS/NPS server must trust the CA that issued the client certifi cates. You accomplish this most easily by deploying certifi cates issued by Active Directory Certifi cate Services (AD CS). n Microsoft: Secured Password (EAP-MSCHAP v2) This method requires a computer certifi cate to be installed on the RADIUS/NPS server and the issuing CA to be trusted by all wireless clients. Clients authenticate by using domain logon and password. These authentication methods should be the same as those you specifi ed in the profi les for each access point’s SSID when confi guring 802.11 wireless access Group Policy. Check the WAP documentation for details on how to confi gure the device to forward authentication information to a RADIUS server. MORE INFO WINDOWS SERVER 2008 AND 802.1X To learn more about Windows Server 2008 and 802.1x wireless authentication, consult the following article on TechNet: http://technet2.microsoft.com/windowsserver2008/en /library/710a912a-0377-414a-91d1-47698e4629361033.mspx?mfr=true. EXAM TIP Remember that if an authentication method relies on a preshared key, you will not need a RADIUS server, but if you are pairing an access point with a RADIUS server, you will need a shared secret. PracticE Confi guring Wireless Access In this practice, you perform tasks similar to those you would perform when confi guring a Windows Server 2008 network environment to support wireless access by client computers running Windows Vista. The fi rst exercise confi gures NPS for wireless access; the second exer- cise confi gures Group Policy to support wireless access. ExErcisE 1 Confi gure NPS for Wireless Access In this exercise, you confi gure server Glasgow to function as a Network Policy/RADIUS server so that it is able to process WPA2-Enterprise authentication traffi c. You also confi gure a hypo- thetical access point named wap1.contoso.internal with a shared secret that will pair it with the RADIUS server. MORE INFO WINDOWS SERVER 2008 AND 802.1X To learn more about Windows Server 2008 and 802.1x wireless authentication, consult the following article on TechNet: http://technet2.microsoft.com/windowsserver2008/en /library/710a912a-0377-414a-91d1-47698e4629361033.mspx?mfr=true . [...]... ISOLatION To learn more about domain isolation on Windows Server 2008 networks, consult the following TechNet link: http://technet2 .microsoft. com/windowsserver2008/en /library/ 135 110b6-23ab-45f2-8cd1-8b76b2e38b3d1 033 .mspx?mfr=true Authentication Exemption Authentication exemptions enable you to specify a group of computers, either through their Active Directory computer account name or IP address, to which... possible to enable authentication by using the NTLMv2 protocol or a preshared key Figure 4-16  Isolation rule authentication options 1 90 CHAPTER 4 Network Access Security MORE INFO SerVer ISOLatION To learn more about server isolation on Windows Server 2008 networks, consult the following TechNet link: http://technet2 .microsoft. com/windowsserver2008/en /library/13e8dad2-c99f-415b-a38a-669418d765c61 033 .mspx?mfr=true... to that rule If it matches no inbound rules, the packet is dropped Windows Server 2008 automatically enables appropriate inbound rules when you install or enable a role or feature that requires incoming connections For example, if you enable the Web Server (IIS) role, WFAS is automatically configured to allow inbound HTTP traffic on port 80 and inbound HTTPS traffic on port 4 43 Windows Server 2008. .. WAP The executives want to use the Windows Meeting Space application, included with Windows Vista, to set up a temporary network so that they can share documents They are currently unable to do this Which of the following configuration changes should you make to the GPO applied to the Wireless_Clients OU to enable them to meet their goals? A Configure the policy to allow users to view denied networks... Access Security Lesson 2: Windows Firewall with advanced Security Windows Server 2008 ships with a firewall enabled by default In this lesson, you learn about Windows Firewall with Advanced Security and the features it includes that differentiate it from earlier firewall software included with Microsoft Windows operating systems such as Microsoft Windows Server 20 03 You learn how to create inbound and... Place all the Windows Web Server 2008 computer accounts in the same OU B Configure all WFAS rules on one computer running Windows Web Server 2008 Export the firewall policy by using the WFAS console C Import the firewall policy into a Group Policy object and apply it to the OU D Configure all WFAS rules on one computer running Windows Web Server 2008 Use the netsh firewall dump command to export the... on each of the other 29 c ­ omputers running Windows Web Server 2008 5 You must configure firewall rules on a computer running Windows Server 2008 to allow DNS, HTTPS, and SMTP traffic Which of the following ports correspond to these protocols? (Choose three Each correct answer presents part of a complete solution.) A 53 B 110 C 80 D 25 E 4 43 Lesson 2:  Windows Firewall with Advanced Security CHAPTER... configure connection security rules, a technology that is new to Windows Vista and Windows Server 2008 After this lesson, you will be able to: n Configure incoming and outgoing traffic filtering n Configure Active Directory account integration n Identify common ports and protocols n Understand the difference between Microsoft Windows Firewall and Windows Firewall with Advanced Security n Configure firewalls... Rules Wizard to create your own The first page of the Inbound Rules Wizard, shown in Figure 4- 13, enables you to select which type of rule you create Your options are Program, Port, Predefined, and Custom The list of predefined rules is extensive and covers almost every type of feature or role service you can install on a computer running Windows Server 2008 Custom rules enable you to define all... Isolation rule D Authentication exemption 2 You want to ensure that only computers that have authenticated to the domain are able to communicate with your organization’s file servers Which of the following would you configure in a GPO linked to the OU that hosts the file server s computer accounts? a Isolation connection security rule b Server -to- server connection security rule C Authentication exemption . following TechNet document: http://technet2 .microsoft. com/windowsserver2008/en/library/f 435 edbe-1d50-4774-bae2 -0dda33eaeb2f1 033 .mspx?mfr=true . Lesson 1: Wireless Access CHAPTER 4 175 n Microsoft: . WAP documentation for details on how to confi gure the device to forward authentication information to a RADIUS server. MORE INFO WINDOWS SERVER 2008 AND 802.1X To learn more about Windows Server. settings, consult the following TechNet document: http://technet2 .microsoft. com/windowsserver2008/en/library/f 435 edbe-1d50-4774-bae2 -0dda33eaeb2f1 033 .mspx?mfr=true. Confi guring Network Policy