Windows Server 2012 Immersion Experience
Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control
Windows Server 2012 Hands-on lab

In this experience, you will configure a secure remote experience for employees of Contoso, Inc. This experience begins by leveraging both RemoteApp and VDI to allow those users to work securely on remote applications from home computers. Next, you will grant those users access to corporate resources by enabling them to leverage DirectAccess. Finally, you will grant those users access to secure files via Dynamic Access Control by modifying properties of the user accounts.

Produced by HynesITe, Inc
Version 1.0
12/19/2012
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet website references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright 2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Hyper-V, Internet Explorer, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Introduction

Estimated time to complete this lab: 60 minutes

Overview

In this experience, you will configure a secure remote experience for employees of Contoso, Inc. This experience begins by leveraging both RemoteApp and VDI to allow those users to work securely on remote applications from home computers. Next, you will grant those users access to corporate resources by enabling them to leverage DirectAccess. Finally, you will grant those users access to secure files via Dynamic Access Control by modifying properties of the user accounts.

Virtual machine technology

This lab is completed using virtual machines that run on Windows Server 2012 Hyper-V technology. To log on to the virtual machines, press CTRL+ALT+END and enter your logon credentials.

Technical Architecture

This experience uses eight servers and one workstation. Two of the servers are physical servers with dual network interfaces.

Computer / Role / Configuration

DC
  Role: Domain controller, iSCSI SAN
  Configuration: Contains a virtual iSCSI SAN to provide storage for cluster nodes on a STORAGE network.

DAServer
  Role: A server with DirectAccess components pre-installed
  Configuration: Has Remote Access tools preinstalled but not configured.

WLANRouter
  Role: A NAT/router
  Configuration: Contains DHCP and DNS for the home network.

Server1
  Role: A file server
  Configuration: A file server with file classification and RMS components installed.

RDS1
  Role: A Remote Desktop Services server
  Configuration: A server on which you will install Remote Desktop Services.

Admin
  Role: A client workstation
  Configuration: Windows 8 with RSAT.

DAClient
  Role: A home computer which is unmanaged, running Windows 8 Enterprise
  Configuration: An unmanaged computer.

Note regarding pre-release software

Portions of this lab include software that is not yet released, and as such may still contain active or known issues. While every effort has been made to ensure this lab functions as written, unknown or unanticipated results may be encountered as a result of using pre-release software.
Note regarding user account control

Some steps in this lab may be subject to user account control. User account control is a technology which provides additional security to computers by requesting that users confirm actions that require administrative rights. Tasks that generate a user account control confirmation are denoted using a shield icon. If you encounter a shield icon, confirm your action by selecting the appropriate button in the dialog box that is presented.

Lab created by HynesITe, Inc. For questions or comments, send an e-mail message to labs@holsystems.com Page 3
Experience 1: Enabling Remote Application Access

In this experience, you will enable a user to access a remote application via RemoteApp and Virtual Desktop Infrastructure (VDI). The VDI implementation will be based on session desktop using Remote Desktop Services. You will first enable RemoteApp and publish Microsoft Office 2013 applications. Next, you will configure the user with access to a full desktop located on the corporate network.

Install and configure Remote Desktop Services

In this step, you will use Server Manager to quickly establish session-based VDI and RemoteApp publishing.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. Click Add roles and features.
3. On the Before You Begin page, click Next.
4. On the Installation Type page, click Remote Desktop Services installation, and then click Next.
5. On the Deployment Type page, click Quick Start, and then click Next.
6. On the Deployment Scenario page, click Session-based desktop deployment, and then click Next.
7. On the Server Selection page, click RDS1.contoso.com, click Add (the right arrow button), and then click Next.
8. Check the Restart the destination server automatically if required check box, and then click Deploy.
   NOTE: The installation and configuration will take approximately 4 minutes. Please wait for this to complete before proceeding.
9. When the installation has completed, click Close.

Configure a publishing certificate

In this step, you will review the results of Quick Setup and configure a publishing certificate. This will leverage a wildcard certificate which already exists and is stored on \\dc\sslcerts.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. In Server Manager, click Remote Desktop Services.
   NOTE: Server Manager is optimized for a minimum screen size of 1366x768. If possible, you may wish to adjust your desktop resolution to this value.
2. In Server Manager, review the installed roles and services for Remote Desktop Services.
3. Click Collections.
4. On the Tasks menu, click Edit Deployment Properties.
5. Click Certificates.
6. Click RD Connection Broker - Enable Single Sign-On.
7. Click Select existing certificate.
8. Click Browse.
9. In File name, type \\dc\sslcerts, and then press ENTER.
10. Click _.contoso.com, and then click Open.
11. In Password, type Passw0rd!
12. Check the Allow the certificate to be added check box, and then click OK.
13. Click Apply.
14. Repeat steps 6 through 12 for RD Connection Broker - Publishing, and for RD Web Access.

Test RemoteApp publishing

In this step, you will test RemoteApp publishing to validate that it is functional.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Internet Explorer.
2. Navigate to https://rds1.contoso.com/rdweb.
3. Click Allow to run the RDS web add-on.
4. Check the This is a private computer check box.
5. Log on as Contoso\Administrator using the password Passw0rd!
6. Click WordPad, and then click Connect.
7. In the Connecting to RDS1.Contoso.com window, click OK.
8. Close WordPad.
9. Close Internet Explorer.

Enable session-based VDI

In this step, you will add session-based VDI to your Remote Desktop Services configuration. Since session-based VDI and RemoteApp programs cannot co-exist on the same RDS server, you will first remove the RemoteApp programs. If you wish to publish both session desktops and RemoteApp programs, you can simply add a second RDS server to the deployment.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Switch to Server Manager.
2. Click Collections.
3. In the contents pane, right-click QuickSessionCollection, and then click Remove Collection.
4. Click Yes.
5. On the Tasks menu, click Create Session Collection.
6. In Before You Begin, click Next.
7. In Collection Name, in Name, type Session Desktops, and then click Next.
8. Click RDS1.contoso.com, click Add, and then click Next.
9. In User Groups, click Next.
10. In User Profile Disks, in Location of user profile disks, type c:\userdisks, and then click Next.
11. Click Create.
12. When the process completes, click Close.

Test session-based VDI

In this step, you will test your session-based VDI configuration.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Internet Explorer.
2. Navigate to https://rds1.contoso.com/rdweb.
3. Click Allow to run the RDS web add-on.
4. Check the This is a private computer check box.
5. Log on as Contoso\Administrator using the password Passw0rd!
6. Click Session Desktops, and then click Connect.
7. On the RDP control toolbar, click Close, and then click OK.
Experience 2: Implementing DirectAccess for Remote Users

In this experience, you will implement DirectAccess to grant authorized remote users access to the internal network so they may gain access to applications published on Remote Desktop Services.

Implement a DirectAccess server

In this step, you will configure an existing DA server to accept client connections. This server has already had the minimum components for RemoteAccess installed by running

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. On the Tools menu, click Remote Access Management.
3. In Tasks, click Manage a Remote Server.
4. Type DAServer, and then click OK.
5. In the Remote Access Management console, click Run the Getting Started Wizard.
6. Click Deploy both DirectAccess and VPN (recommended).
7. On the Remote Access Server Setup page, verify that Edge is selected as the network topology.
8. On the same page, type 206.10.15.1 as the IPv4 address that will be used by remote access clients to connect, and then click Next.
   NOTE: In addition to an IP address, you can also use a Fully Qualified Domain Name (FQDN), such as Daserver.contoso.com.
   NOTE: By default, the Getting Started Wizard deploys the DirectAccess settings to all mobile computers in the domain by applying a WMI filter to the client settings GPO. This may not be appropriate for some environments; therefore you will perform the following steps to change the client security group setting for DirectAccess from Domain Computers to DA_Clients.
9. On the Configure Remote Access page, click the here link to edit the wizard settings.
10. In the Remote Access Review dialog box, next to Remote Clients, click Change.
11. In the Select Groups window, clear the Enable DirectAccess for mobile computers only check box.
    NOTE: This setting allows the GPO to use a WMI filter to detect mobile clients and filter the application of the GPO only to them.
12. Click Domain Computers (Contoso\Domain Computers), and then click Remove.
13. Click Add, type DA-Clients, and then click OK.
14. Click Next.
15. In the DirectAccess Client setup window, double-click the white box next to the arrow with the asterisk.
16. In the Type drop-down list, click Ping, and then in the text box, type dc.contoso.com.
17. Click Validate. A green check mark will appear indicating a successful ping.
18. Click Add.
    NOTE: In the DirectAccess Client setup window, note the friendly name, Workplace Connection, of the DirectAccess connection that will be created on clients.
19. In the DirectAccess Client setup window, click Finish.
20. On the Remote Access Review page, click OK, and then click Finish.
    NOTE: As the wizard runs, you can click the More details arrow to reveal the actions being performed.
    NOTE: The wizard will automatically provision self-signed certificates for IP-HTTPS and the network location server. You can configure DirectAccess to use certificates issued by a Public Key Infrastructure (PKI) Certificate Authority. The wizard will also automatically enable Kerberos proxy and enable NAT64 and DNS64 for protocol translation in the IPv4-only environment.
    NOTE: The wizard automatically creates two Group Policy objects (GPOs) containing DirectAccess settings. One GPO is called DirectAccess Server Settings and is filtered to apply the settings only to the DirectAccess server computer account. The second GPO is called DirectAccess Client Settings and is filtered to apply settings to the DA_Clients global group previously created. Since the wizard detects that it is using Domain Admin credentials, it will also link both GPOs to the root of the domain. The GPOs can be created using Domain User credentials and later linked using Domain Admin credentials if necessary.
21. After the wizard successfully completes applying the configuration, click Close.
22. In the console tree of the Remote Access Management console, select Operations Status.
23. Wait until the status of all monitors displays the message Working.
    NOTE: You may have to refresh the display to see the change in status. To do so, in the Tasks pane, under Monitoring, click Refresh periodically to update the display.
24. Leave the Remote Access Management console open for use in subsequent exercises.

Provision a computer account for DirectAccess

In this step, you will provision a new computer account for DirectAccess access. This will be used to perform an offline domain join on a new remote computer, allowing users to connect via DirectAccess to access company resources. This step involves several complex tasks which have been consolidated in a simple Windows PowerShell script.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open the Windows PowerShell ISE.
2. Open the script file c:\scripts\directaccess.ps1.
3. Highlight Line 1, and then press F8 to run the line.
4. Click Yes to enable scripts.
5. Highlight all remaining lines (2 through 6), and then press F8 to provision the computer account.

Configure the client using offline domain join

To have a workgroup client be able to join the domain, a system administrator can create a file that contains all the information required to join the domain. This file will be used on the client to allow the client to configure itself to join the domain even though it is not in contact with a domain controller. In this step, you will use the previously created offline domain join file to join the client computer to the domain.

Begin this task logged on to DAClient as BenSmith using the password Passw0rd!

1. Open the Start screen.
2. Click Internet Explorer.
   CAUTION: Please ensure that you open the version of Internet Explorer from the Start screen of the Windows 8 client and not the version of Internet Explorer that you launch from the desktop. The instructions that immediately follow are specific to the Start screen version of Internet Explorer.
3. Navigate to http://daserver.contoso.com/client.txt.
4. In the Set up Internet Explorer dialog box, click No.
5. Click Save to download the file.
6. When the download is complete, click Close.
7. Navigate to the Start screen.
8. Type CMD.
9. On the Start screen, right-click CMD.
   NOTE: A check mark will appear next to the icon.
10. On the taskbar, click Run as administrator.
11. In the User Account Control prompt, click Yes.
12. At the command prompt, type the following commands, pressing ENTER after each one.

    copy c:\users\bensmith\downloads\client.txt c:\windows
    cd ..
    djoin.exe /requestodj /loadfile client.txt /windowspath %systemroot% /localos

13. At the command prompt, type the following command, and then press ENTER to restart the client.

    shutdown /t 0 /r /f

14. Wait one minute for the client to reboot.

Access corporate resources using VDI over DirectAccess

In this step, you will use DirectAccess to securely access the corporate VDI implementation to gain access to internal applications from a remote location.

Begin this task logged on to DAClient as Contoso\BenSmith using the password Passw0rd!

1. Ensure you are logged on to DAClient as Contoso\BenSmith using the password Passw0rd!
   IMPORTANT: The default logon will present the local user BenSmith. You must select Other User to log on as the domain BenSmith.
   NOTE: Wait for the initial introduction to complete.
2. Navigate to the desktop.
3. Open Internet Explorer.
4. Navigate to https://rds1.contoso.com/rdweb.
5. Click No.
6. Click Ask me later.
7. If prompted, click Allow to run the RDS web add-on.
8. Check the This is a private computer check box.
9. Log on as Contoso\BenSmith using the password Passw0rd!
10. Click Session Desktops, and then click Connect.
11. On the RDP control toolbar, click Close, and then click OK.
Experience 3: Securing Document Access with Dynamic Access Control and Rights Management

In this experience, you will implement Dynamic Access Control to ensure that remote users can only access documents to which they have permission, based on the attributes of the document and the attributes of their user account. Note that much of this implementation has been completed to save time. You will review the specifics of the implementation before working with documents and rules.

Review the Dynamic Access Control implementation

In this step, you will review the existing Dynamic Access Control implementation which allows rules to be created based on the country and department of users.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. In Server Manager, on the Tools menu, click Active Directory Administrative Center.
3. In Active Directory Administrative Center, switch to Tree View, and then expand Dynamic Access Control.
4. Click Central Access Rules.
5. Double-click User-Department-Country-Match-Resource-Department-Country.
6. Review the bottom entry in the Current Permissions area.
   NOTE: This is an existing rule that matches the country and department of files with the country and department of user accounts to grant user access.
7. Click Cancel.
8. Click Central Access Policies.
9. Double-click File-Server-Policy.
   NOTE: The existing rule is assigned to this policy, which is deployed to file servers via Group Policy.
10. Click Cancel.

Create a new personally identifiable information (PII) rule

In this step, you will create a new rule which grants access to files containing personally identifiable information (PII) only to approved users. This rule will be applied to a user group called PII-Approved and will grant them read-only access.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. In Active Directory Administrative Center, click Resource Properties.
2. Right-click Personally Identifiable Information (PII_MS), and then click Enable.
3. Click Central Access Rules.
4. In the Tasks pane, click New, and then click Central Access Rule.
5. In Name, type Contains-PII.
6. In Target Resources, click Edit.
7. Add the condition [Resource] [Personally Identifiable Information] [Exists].
8. In Permissions, click Use the following permissions as current permissions, and then click Edit.
9. Double-click the entry Owner Rights, and then click Add a condition.
10. Add the condition [Resource] [Personally Identifiable Information] [Any of] [Value] [Not PII, Public], and then click OK.
11. Click Add.
12. Click Select a principal.
13. Type PII_Approved, add the account, and then click Add a condition.
14. Add the condition [Resource] [Personally Identifiable Information] [Any of] [Value] [High, Low, Moderate].
15. Check the Full Control check box, and then click OK.
16. Double-click File-Server-Policy.
17. In Member Central Access Rules, click Add.
18. Click Contains-PII, click Add (>>), and then click OK.
19. Click OK to close File-Server-Policy.

Review manual file classification on Server1

In this step, you will implement file classification on Server1 by classifying folders and testing the results of folder classification.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

NOTE: If available, you may log on directly to Server1, or you may use Remote Desktop to connect to Server1. Interactive logon is required as the property pages in question are only available locally.

1. Open Windows PowerShell.
2. Type the following commands, pressing ENTER after each one.

   gpupdate /force
   Update-FSRMClassificationPropertyDefinition

3. Open Windows Explorer.
4. Navigate to C:\Shares\CorpData.
5. Right-click CorpData, and then click Properties.
6. Click the Classification tab.
   NOTE: The folder has been previously classified manually as United States and Sales.
   NOTE: Personally Identifiable Information classification has not been configured.
7. Close all open windows.

Implement automatic classification for files containing PII

In this step, you will configure an automatic classification rule which will search for files containing a US social security number and then classify them as HIGH PII.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. On the Tools menu, click File Server Resource Manager.
3. Expand Classification Management, and then click Classification Properties.
   NOTE: Country, Department, and Personally Identifiable Information are all deployed via Group Policy as part of the global properties stored in Active Directory.
4. Click Classification Rules.
5. In the Actions pane, click Create Classification Rule.
6. In General, in Rule name, type SSN Classifier.
7. In Scope, check the User Files check box, and then click Add.
8. In the Browse for Folder window, navigate to C:\Shares\CorpData, and then click OK.
9. In Classification, in Classification method, select Content Classifier.
10. In Property, in Choose a property to assign to files, select Personally Identifiable Information.
11. In Specify a value, select High.
12. Click Configure.
13. On the Parameters tab, in the first entry, in the Expression field, type the following regular expression, and then click OK.

    \d{3}-\d{2}-\d{4}

    NOTE: This is a regular expression for a US SSN format.
14. In Evaluation Type, check the Re-evaluate existing property values check box, and then select Overwrite the existing value.
15. In the Actions pane, click Configure Classification Schedule.
16. Check the Enable fixed schedule check box, and then check each of the 7 weekdays.
17. Check the Allow continuous classification for new files check box.
18. Leave File Server Resource Manager open. You will use this in the next experience.

Validate Dynamic Access Control rules

In this step, you will use the built-in Effective Access calculator to verify that the correct users can access the CorpData folder based on Dynamic Access Control rules.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Open Windows Explorer.
2. Navigate to C:\Shares\CorpData.
3. Right-click CorpData, and then click Properties.
4. On the Security tab, click Advanced.
5. Click Effective Access.
6. Click Select a user.
7. Type AliceCiccu, and then click OK.
8. Click View effective access.
   NOTE: Alice is denied access because her user attributes do not match the requirements for the folder.
9. Click Select a user.
10. Type BenSmith, and then click OK.
11. Click View effective access.
    NOTE: Ben is allowed access, because his user account is configured with the correct attributes.
12. Close the Properties of the CorpData folder.

Test Dynamic Access Control with automatic classification

In this step, you will test access to files using Dynamic Access Control and file classification from your DirectAccess-connected computer.
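Before running the test, the decisions the lab has configured so far can be traced in a small model: the SSN Classifier regular expression, the User-Department-Country-Match-Resource-Department-Country and Contains-PII rules combined by File-Server-Policy, the Effective Access results for Alice and Ben, and the change that follows when BenSmith is added to PII_Approved in the test below. This is an added illustration, not Microsoft's or HynesITe's code, and it evaluates no real NTFS ACLs; Alice's country and department, the file owners, the memo and invoice documents, and the reading of the Owner Rights entry as granting only the file's owner are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of this lab's Dynamic Access Control rules and SSN Classifier.
# It is not Microsoft or HynesITe code and evaluates no real NTFS ACLs.

SSN_PATTERN = re.compile(r"\d{3}-\d{2}-\d{4}")  # expression from the SSN Classifier rule
PII_RESTRICTED = {"High", "Moderate", "Low"}    # values reserved for PII_Approved
PII_UNRESTRICTED = {"Not PII", "Public"}        # values covered by the Owner Rights entry


@dataclass
class User:
    name: str
    country: str
    department: str
    groups: set = field(default_factory=set)


@dataclass
class Resource:
    path: str
    country: str
    department: str
    owner: str
    content: str = ""
    pii: Optional[str] = None  # None: the PII property has never been set on the file


def classify_pii(res: Resource) -> Optional[str]:
    """Content Classifier: any SSN-shaped match sets PII=High, overwriting an existing value."""
    if SSN_PATTERN.search(res.content):
        res.pii = "High"
    return res.pii


def rule_dept_country(user: User, res: Resource) -> bool:
    """User-Department-Country-Match-Resource-Department-Country."""
    return user.country == res.country and user.department == res.department


def rule_contains_pii(user: User, res: Resource) -> Optional[bool]:
    """Contains-PII: targets resources where PII exists; None means the rule does not apply."""
    if res.pii is None:
        return None
    if res.pii in PII_UNRESTRICTED:
        return user.name == res.owner          # Owner Rights entry (assumed: owner only)
    if res.pii in PII_RESTRICTED:
        return "PII_Approved" in user.groups   # PII_Approved entry (Full Control)
    return False                               # no entry matches an unknown value


def effective_access(user: User, res: Resource) -> bool:
    """File-Server-Policy: every member rule that targets the resource must grant access."""
    return all(rule(user, res) is not False for rule in (rule_dept_country, rule_contains_pii))


def lab_walkthrough() -> dict:
    """Replays the lab's access checks on constructed users and files and returns each verdict."""
    alice = User("AliceCiccu", "United Kingdom", "Marketing")  # attributes assumed; they differ
    ben = User("BenSmith", "United States", "Sales")           # matches the CorpData folder
    corpdata = Resource(r"\\Server1\CorpData", "United States", "Sales", owner="Administrator")
    secure = Resource(r"\\Server1\CorpData\SecureData.docx", "United States", "Sales",
                      owner="BenSmith", content="My SSN is 111-22-3333")
    memo = Resource(r"\\Server1\CorpData\Memo.docx", "United States", "Sales",
                    owner="BenSmith", content="Sales call moved to Monday")
    invoice = Resource(r"\\Server1\CorpData\Invoice.docx", "United States", "Sales",
                       owner="BenSmith", content="Part 123-45-6789 is back-ordered")

    results = {
        "alice_corpdata": effective_access(alice, corpdata),   # denied: attributes differ
        "ben_corpdata": effective_access(ben, corpdata),       # allowed: attributes match
        "ben_secure_before_classification": effective_access(ben, secure),  # no PII value yet
    }
    for doc in (secure, memo, invoice):   # continuous classification, ~10 s after the save
        classify_pii(doc)
    results["secure_pii"] = secure.pii    # "High"
    results["memo_pii"] = memo.pii        # None: nothing SSN-shaped
    results["invoice_pii"] = invoice.pii  # "High": the format-only regex also matches a part number
    results["ben_secure_after_classification"] = effective_access(ben, secure)  # denied
    ben.groups.add("PII_Approved")        # Add-ADGroupMember -Identity PII_Approved -Members BenSmith
    results["ben_secure_after_approval"] = effective_access(ben, secure)        # allowed
    return results


if __name__ == "__main__":
    for check, verdict in lab_walkthrough().items():
        print(f"{check}: {verdict}")
```

The invoice case shows the caveat a practitioner should expect from the SSN Classifier: the expression checks format only, so any 3-2-4 digit string is classified High and inherits the PII restrictions.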
Begin this task logged on to DAClient as Contoso\BenSmith using the password Passw0rd!

1. Open Windows Explorer.
2. Navigate to \\Server1\CorpData.
3. Using Microsoft Word, create and save a file named SecureData in the CorpData folder, with the following text.

   My SSN is 111-22-3333

4. When prompted to configure Word, select Ask me later, and then click Accept.
5. Close the Welcome screen for Office.
6. Wait approximately 10 seconds.
7. Open SecureData.docx.
   NOTE: You are now denied access because of the Personally Identifiable Information rule.
8. Switch to Admin, ensuring you are logged on as Contoso\Administrator.
9. Open Windows PowerShell.
10. Type the following command, and then press ENTER.

    Add-ADGroupMember -Identity PII_Approved -Members BenSmith

11. Switch to DAClient.
12. Log off and then log on as Contoso\BenSmith using the password Passw0rd!
13. Open the file \\Server1\CorpData\SecureData.docx.
    NOTE: You can now open the file because you have been approved to view PII.

Implement Automatic Protection of PII Documents with RMS

In this step, you will implement an Active Directory Rights Management Services policy which prevents printing of documents classified as PII. For the purpose of streamlining this experience, AD RMS has been installed on Server1 and configured using installation defaults. You will only be required to create the RMS policies.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. On the Tools menu, click Active Directory Rights Management Services.
3. Navigate to Server1.contoso.com\Rights Policy Templates.
4. In the contents pane, click Create distributed rights policy template.
5. Click Add.
6. In Name, type Do Not Print, and then in Description, type Prevent printing.
7. Click Add.
8. Click Next.
9. Click Add, click Anyone, and then click OK.
10. In Rights for ANYONE, check the following rights.
    NOTE: Some rights will automatically include other prerequisite rights.
    1. Export (Save As)
    2. Reply
    3. Reply-All
    4. Forward
11. Click Next until you reach the end of the wizard, and then click Finish.
12. Close Active Directory Rights Management Services.

Include RMS in file classification

In this step, you will modify the file classification process to include the Do Not Print RMS template when files contain PII.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Switch to File Server Resource Manager.
2. Click File Management Tasks.
3. In the Actions pane, click Create File Management Task.
4. In Task name, type Apply RMS Policy for PII.
5. On the Scope tab, click Add, select C:\Shares\CorpData, and then click OK.
6. On the Action tab, in Type, select RMS Encryption.
7. In Select a template, click Do Not Print.
8. On the Condition tab, click Add.
9. Configure the condition [Personally Identifiable Information] [Equal] [High], and then click OK.
10. Repeat steps 8 and 9 to add a condition for PII equal to Moderate and PII equal to Low.

Test RMS Auto-Classification

In this step, you will verify that files are automatically classified Do Not Print if they contain a PII value of Low, Moderate, or High.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. In File Server Resource Manager, click File Management Tasks.
2. Select Apply RMS Policy for PII.
3. In the Actions pane, click Run File Management Task Now.
4. Click Wait for the task to complete, and then click OK.
5. Switch to DAClient, and then log on as Contoso\BenSmith using the password Passw0rd!
6. Navigate to \\Server1\CorpData.
7. Open SecureData using Microsoft Word.
   NOTE: During the launch of Microsoft Word, RMS is configured.
   NOTE: You have the Do Not Print permission on this file.

This is the end of this lab.