
Microsoft Solutions for Small & Medium

Business: Medium IT Solution Series

Medium Business Solution for Core Infrastructure


Plan, Build, Deploy, and Operate

Appendix I

Version 1.0

Abstract

This document provides recommendations and steps for performing tasks that are common to
chapters in this solution and other solutions and guides in the Medium IT Solution Series. It also
provides additional information and guidance that helps IT generalists better understand the solutions
or implement additional features.
Information in this document, including URL and other Internet Web site
references, is subject to change without notice. The entire risk of the use or
the results of the use of this document remains with the user.
Unless otherwise noted, the example companies, organizations, products,
domain names, email addresses, logos, people, places and events depicted
herein are fictitious, and no association with any real company, organization,
product, domain name, email address, logo, person, place or event is intended
or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or
other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft,
the furnishing of this document does not give you any license to these patents,
trademarks, copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, and Windows XP are either registered
trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
Table of Contents
GUIDELINES FOR CHOOSING DIRECT-ATTACHED STORAGE....................................................1
WINDOWS SERVER 2003 LICENSING MODES....................................................................................2
INITIAL SERVER CONFIGURATION......................................................................................................3
GATHERING INFORMATION FOR INITIAL CONFIGURATION............................................................................3
CREATING DHCP RESERVATIONS..................................................................................................................4
CONFIGURING THE HARDWARE.....................................................................................................................5
CONFIGURING THE OPERATING SYSTEM.......................................................................................................6
ADDING COMPUTERS TO THE ACTIVE DIRECTORY DOMAIN........................................................................7
PRODUCT ACTIVATION..................................................................................................................................7
SECURING THE WIRELESS NETWORK INFRASTRUCTURE.........................................................9
SETTING UP THE SERVER..............................................................................................................................9
Setting Up Internet Authentication Server Components..........................................................................9
Creating an Active Directory Group for Mobile Users and Computers................................................10
Configuring Wireless Internet Authentication Service Policy................................................................10
Adding RADIUS Clients to the Internet Authentication Service............................................................11
Modifying the Wireless Access Policy Profile Settings..........................................................................12
Creating Group Policy Objects (GPOs) for Wireless Properties on the Client Computer....................12
SETTING UP THE WIRELESS ACCESS POINT................................................................................................13
SETTING UP WIRELESS CLIENT COMPUTERS..............................................................................................14
Software Restriction Policies.........................................................................................................................15
Guidelines for Choosing Direct-attached Storage
In the medium IT environment, planning for the right direct-attached storage (DAS)
configuration for servers typically involves choosing the following:
 Redundant array of independent disks (RAID) configuration: This involves
deciding on the number of arrays required as well as deciding on the following for
each array:
 The RAID level to use.
 The number of disks to use.
 The capacity of the array required.

 Type of hard disk: This involves deciding on the following:


 Type of hard disk to use: integrated drive electronics (IDE) or SCSI.
 Disk speed (10,000 RPM and 15,000 RPM are the widely used speeds).

 Type of RAID controller: This involves choosing between hardware and software
RAID controllers.
Use the following guidelines while choosing DAS storage for servers:
 RAID configuration: The right RAID configuration depends on the storage
considerations of each server. However, DAS storage attached to any server should
at least be configured in a RAID 1 array with two disks. Additional RAID arrays can
be added to this configuration as necessary based on the considerations.
 Type of hard disk: It is recommended to use SCSI disks on all servers in the medium
IT environment. The appropriate disk speed may be chosen based on the
considerations.
 Type of RAID controller: It is recommended to use hardware RAID controllers on
all servers in the medium IT environment.

Medium Business Solution for Core Infrastructure Appendix I A-1


Windows Server 2003 Licensing Modes
While installing the Windows Server™ 2003 operating system, you must choose a client
licensing mode. One server license is required for each copy of the Windows Server 2003
software installed. In addition, a Windows Server 2003 client access license is required for
each user or device (or combination of both) that accesses the server. Windows® client access
licenses are not required for unauthenticated access to the server such as unidentified users
browsing a public Web site hosted on the server. Authenticated access is defined as an
exchange of user or application credentials between the server operating system and a user
or device.
There are two licensing modes available in the Windows Server 2003 family. These include:
 Per Device/Per User mode: In the Per Device or the Per User mode, each device or
user that accesses or uses a server requires a separate client access license. With one
client access license, a particular device or user can connect to any number of servers
in the environment. For example, if you select the Per Device or the Per User mode
with five licenses, it will allow five users or devices to access any number of servers
with any number of concurrent connections. This is the most commonly used
licensing method for organizations with multiple servers hosting the various services
in the environment.
 Per Server mode: In the “Per Server” mode licensing, each concurrent connection to
a particular server requires a separate client access license. In other words, this server
can support a fixed number of connections at any one time. For example, if you select
the Per Server client-licensing mode with five licenses, this server could have five
concurrent connections at any one time. The clients using the connections do not
need any additional licenses. The Per Server licensing mode is often preferred in
organizations with dedicated servers that only serve a single purpose, but may be
accessed by a wide variety of people. An example might be a dedicated stand-alone
extranet server that has 100 accounts that are authorized to use the server, but never
more than 20 people logged on at any given time.

This solution recommends using the Per User or the Per Device mode licensing. Because
client computers in the medium IT environment consume services from a number of
different servers in the environment on a regular basis, this is the most economical choice.



Initial Server Configuration
This section provides guidance on the initial server configuration. Initial configuration of
servers in the medium IT environment involves the following:
 Gathering information for initial configuration.
 Configuring the hardware.
 Configuring the software (baseline).
 Adding clients to the Active Directory® domain.

Gathering Information for Initial Configuration
This section discusses the information that should be gathered before you start building the
infrastructure server. This information is needed at various stages of the build process.
Information required to configure the server hardware includes:
 Upgrades to firmware: Upgrades are released periodically by hardware
manufacturers, and newer versions contain fixes to issues and enhancements in the
previous versions.
 Documentation and software utilities: Gather documentation on configuring the
server hardware, for example, RAID and remote management card. Most
manufacturers provide extensive documentation on hardware configuration, and
many even provide software utilities to lead you through the configuration and
make the process easier.
 IP address for the remote management card: The IP address is required to configure
the remote management card. The IP address should match the guidelines
documented in Chapter 3, “Network and Directory Services,” of this solution.
Information about the following is required for completing the server operating system
configuration:
 Server IP address: Find out whether the server requires a manually configured static
IP address or an IP assigned through a Dynamic Host Configuration Protocol
(DHCP) reservation. For information on the IP configuration, refer to the
“Configuring the Hardware and Operating System” section in the relevant chapter or
guide that provides guidance on configuring the server. Based on the requirement,
the following information needs to be gathered:
 IP address: Gather the IP address to be configured for the server. The
recommendations for IP addressing are provided in Chapter 3, “Network and
Directory Services,” of this solution.
 Media access control (MAC) address: This is required only if the server needs to
be configured to receive a static IP configuration from the DHCP server. Gather
the MAC address of the network adapter on the server that connects it to the
local area network (LAN). The MAC address is required to create a DHCP
reservation for the server.

Some manufacturers label the MAC address on the chassis, next to the network
adapter interface. If not found there, you might need to complete the operating
system installation and use the ipconfig /all command to get the MAC address.
Once the MAC address has been obtained, create the DHCP reservation on both
core infrastructure servers. For steps on creating DHCP reservations, refer to the
“Creating DHCP Reservations” section in this appendix.
 Default gateway: The default gateway is set to the private IP address of the firewall.
This solution recommends using 10.0.0.1 as the private IP address of the firewall,
therefore 10.0.0.1 will be the default gateway. If you have a different default gateway
in your environment, use the appropriate address.
 Subnet mask: This solution recommends a flat network and therefore, the subnet
mask will be the same on all computers. It is recommended to use the 255.255.0.0
subnet mask.
 Server name: The recommendations for server names are provided in Chapter 1,
“Core Infrastructure Design Overview,” of this solution. You may also refer to the
“Configuring the Hardware and Operating System” section in the chapter or guide
that provides guidance on configuring the server for the recommended server name.
 Location of service packs: Get the location of any service packs or critical updates
that should already have been downloaded as per the guidance provided in Chapter
1, “Core Infrastructure Design Overview,” of this solution. If not already
downloaded, the service packs for the Windows Server 2003 operating system can be
downloaded from the following URL:
http://www.microsoft.com/windowsserver2003/default.mspx
For documentation on downloading any available critical updates from the Windows
Catalog, refer to the following URL: http://support.microsoft.com/default.aspx?
scid=kb;[LN];323166

Note: You should only download updates and service packs using a computer that is
securely connected to the Internet. You should use a computer that is on a separate
network than the core servers and is connected to the Internet securely.

Creating DHCP Reservations


The DHCP reservations need to be created for all servers in the environment except for the
primary and secondary infrastructure servers (SMBDC and SMBEX) and the firewall server
(SMBISA).



Note: These steps can also be used for creating DHCP reservations for any network device,
such as network printers and IP cameras.

Use the MAC address of the server and corresponding IP address (from the IP addressing
scheme recommended in Chapter 3, “Network and Directory Services,” of this solution),
gathered earlier, and perform the following steps on both the DHCP servers (SMBDC and
SMBEX).
1. Open the DHCP Microsoft Management Console (MMC) snap-in located in the
Administrative Tools.
2. Expand the DHCP scope.
3. Right-click Reservations and then click New Reservation.
4. On the New Reservation page, provide appropriate information in the text boxes. As
an example, the following information was used while configuring the collaboration
server (SMBEXTNT).
 Reservation name: SMBEXTNT.BusinessName.com
 IP address: 10.0.0.4
 MAC address: 000802455ea0
 Description: Collaboration Server

5. Click Add and then click Close.


6. On the server (in this example, SMBEXTNT), release and renew the DHCP lease by
running the ipconfig /release and ipconfig /renew commands at the command
prompt.
7. Verify that the server gets the reserved IP address.
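The following Python script is an added example and is not part of this appendix or of the Microsoft solution. It takes the four fields of the New Reservation page for the collaboration server above, converts the MAC address from the dashed form that ipconfig /all prints into the 12-hex-digit form used in the snap-in, checks that the address is a usable host address on the recommended 10.0.0.0/16 LAN and is not already reserved, and emits the equivalent netsh dhcp server commands for both DHCP servers (SMBDC and SMBEX) so that the reservation is created identically on each. The scope address 10.0.0.0 is an assumption derived from the recommended 255.255.0.0 mask; the server names, IP address and MAC address are those used in the example above.

```python
"""Added example (not part of the Microsoft appendix): prepare DHCP reservations
for the two DHCP servers named in the appendix (SMBDC and SMBEX).

Converts a MAC address as printed by "ipconfig /all" (00-08-02-45-5E-A0) into the
12-hex-digit form used on the New Reservation page, checks that the reserved
address is a host address on the solution's 10.0.0.0/16 LAN (255.255.0.0 mask)
and is not already reserved, and emits the equivalent "netsh dhcp server"
commands for both servers.  Assumption: the scope address is 10.0.0.0.
"""
import ipaddress
import re

DHCP_SERVERS = ("SMBDC", "SMBEX")            # both DHCP servers, per the appendix
LAN = ipaddress.IPv4Network("10.0.0.0/16")    # recommended 255.255.0.0 subnet mask
SCOPE_ADDRESS = "10.0.0.0"                    # assumed scope address for that LAN

# Six pairs of hex digits, optionally separated by "-" (ipconfig) or ":" (most other tools).
_MAC_RE = re.compile("^" + r"([0-9A-Fa-f]{2})[-:]?" * 5 + r"([0-9A-Fa-f]{2})$")


def normalize_mac(mac):
    """Return the MAC address as 12 lowercase hex digits, e.g. 000802455ea0."""
    match = _MAC_RE.match(mac.strip())
    if not match:
        raise ValueError("not a MAC address: %r" % mac)
    return "".join(match.groups()).lower()


def on_lan(ip):
    """True if ip is a usable host address on the recommended 10.0.0.0/16 LAN."""
    addr = ipaddress.IPv4Address(ip)
    return addr in LAN and addr not in (LAN.network_address, LAN.broadcast_address)


def make_reservation(name, ip, mac, description):
    """Validate one reservation (the four fields of the New Reservation page)."""
    if not on_lan(ip):
        raise ValueError("%s is not a host address on %s" % (ip, LAN))
    return {"name": name, "ip": str(ipaddress.IPv4Address(ip)),
            "mac": normalize_mac(mac), "description": description}


def netsh_commands(reservations):
    """netsh equivalents of steps 1-5, repeated for each DHCP server, plus a listing to verify."""
    seen_ips, seen_macs = set(), set()
    for r in reservations:
        if r["ip"] in seen_ips or r["mac"] in seen_macs:
            raise ValueError("duplicate IP or MAC in reservation %r" % r["name"])
        seen_ips.add(r["ip"])
        seen_macs.add(r["mac"])
    commands = []
    for server in DHCP_SERVERS:
        for r in reservations:
            commands.append(
                'netsh dhcp server \\\\%s scope %s add reservedip %s %s "%s" "%s"'
                % (server, SCOPE_ADDRESS, r["ip"], r["mac"], r["name"], r["description"]))
        # Counterpart of step 7: list the scope's reservations on this server.
        commands.append("netsh dhcp server \\\\%s scope %s show reservedip" % (server, SCOPE_ADDRESS))
    return commands


if __name__ == "__main__":
    # Constructed input: the collaboration server used as the example in the appendix,
    # with the MAC address in the dashed form that "ipconfig /all" prints.
    collab = make_reservation("SMBEXTNT.BusinessName.com", "10.0.0.4",
                              "00-08-02-45-5E-A0", "Collaboration Server")
    for line in netsh_commands([collab]):
        print(line)
```

Run the generated commands from an administrative command prompt on each DHCP server (or remotely, which is why the \\server form is used); the show reservedip listing on each server is the check that both servers hold the same reservation before you run ipconfig /release and ipconfig /renew on the reserved server.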

Configuring the Hardware


Configuring the server hardware involves the following tasks:
 Upgrade the hardware to the latest version of the firmware available from the server
manufacturer.
 Use the documentation or utilities provided by the hardware manufacturer, gathered
in the “Gathering Information for Initial Configuration” section to configure the
server hardware. At the minimum, implement the following configurations:
 RAID array: Use the utility provided by the manufacturer (if available) to
configure the RAID arrays and the system and data partitions. For details on the
RAID configuration to be used, refer to the “Configuring the Hardware and
Operating System” section in the respective chapter or guide.
 Utility partition: Set up a utility partition on the hard disk according to the
instructions provided by the manufacturer or using the utility provided by the
manufacturer. If this capability is not provided by your manufacturer, this step
can be skipped.



 Remote management card: Configure the remote management card according to
the instructions provided by the manufacturer. The following configurations
need to be implemented:
 Configure a user account with a secure password on the card.
 Configure the card to obtain IP address from the DHCP server.
 Find the MAC address of the card and configure a DHCP reservation using
the IP address gathered for the remote management card in the "Gathering
Information for Initial Configuration" section in this Appendix. For guidance
on finding the MAC address, refer to the manufacturer's guide.
 Ensure that at least one remote management card is connected to the same
network as the hardware-based virtual private network (VPN) endpoint.
 If the optional modem is included on your remote management card, ensure
that the phone jack is connected to a telephone line.

Configuring the Operating System


After all of the hardware has been configured, the next step is to do a baseline operating
system installation on the server. Usually, this is done by inserting the installation media in
the CD drive of the server and setting the server to start from CD-ROM according to the
instructions provided by the manufacturer. Perform the following steps:
1. Use the following configuration during the setup of the operating system:
 If a utility was not provided by the hardware manufacturer or was not used
during hardware configuration to set up the file systems and partitions, you can
specify these settings during the software installation:
 Implement the RAID configuration and partitioning as recommended in the
“Configuring the Hardware and Operating System” section in the respective
chapter or guide.
 Format any partitions created using NTFS.

 Choose Per User or Per Device mode licensing rather than per server mode. For
information, refer to the “Windows Server 2003 Licensing Modes” section in this
Appendix.
 Complete IP configuration of the server using the IP addressing information
gathered in the "Gathering Information for Initial Configuration" section earlier
in this Appendix.
 Configure the name of both the infrastructure servers. The names of the servers
were gathered in the “Gathering Information for Initial Configuration” section
earlier in this Appendix.

2. Install antivirus software, including the latest virus pattern file on both the servers.
For more information about antivirus software, refer to the Medium Business Guide for
Antivirus.



3. Install all service packs and critical security updates. For more information about the
procedure for accomplishing this task, refer to the following URL:
http://support.microsoft.com/default.aspx?scid=kb;[LN];323166

Note: After the operating system is installed, Internet Explorer will be available to users. By
default, however, Windows Server 2003 installs the Internet Explorer Enhanced Security
Configuration component, which severely restricts the use of Internet Explorer. This default
configuration should not be changed. It is a security best practice that server logins be used
only for server administration or management and not for other purposes like mail or
Internet browsing. As a result of the enhanced security configuration, many Web sites
visited from a server will not be accessible, or will not work or display correctly. When
testing an internal Web site, configured in the medium IT environment, or an external Web
site, do not complete this testing from the server itself.

Adding Computers to the Active Directory Domain
Note: The steps provided in this section are valid for client computers as well as servers.

Perform the following steps to join the computer into the Active Directory domain:
1. Right-click My Computer and click Properties.
2. Click the Computer Name tab and then click the Change… button.
3. Click Domain under Member of, and type your domain name (for example,
BusinessName.com).
4. When prompted, provide the user name and password of the domain administrator.
5. Click OK on the Computer Name Changes popup screen.
6. Complete the setup and restart the computer.

Note: There is also an option to join a computer to the domain when installing the operating
system. These steps can be skipped if the computer was already joined to the domain
during installation of the operating system.

Product Activation
After the Windows Server 2003 installation, you will have to activate the Windows
Server 2003, unless you are using volume licensing or your operating system is pre-installed
and pre-activated by your hardware manufacturer. Product activation is quick, simple, and
unobtrusive, and it protects your privacy. It is designed to reduce software piracy of
Microsoft® products. The servers run for a grace period that is stated in your End-User



License Agreement and is typically 30 days. Until you activate your product, it provides
reminders at log on and at common intervals.
If your activation grace period expires, Windows Server 2003 continues to run, but when you
log on locally or through the Remote Desktop Connection client, the Activate Windows
Wizard will be started and you will not be allowed to log on until Windows Server 2003 is
activated.
Product activation can be performed in several ways, including over the Internet and
over the telephone by calling a toll-free number. This solution recommends using the
Internet for product activation because it is easy and quick.
Perform the following steps to activate Windows Server 2003 over the Internet:
1. Click Start, and then click Activate Windows.
2. Complete the wizard to perform the activation.



Securing the Wireless Network
Infrastructure
The following tasks need to be completed to set up the medium IT secure wireless
infrastructure:
1. Set up the server infrastructure, which involves:
a. Verifying that Certificate Services and Internet Authentication Service (IAS) are
installed on the primary infrastructure server.
b. Configuring the Active Directory group and its memberships.
c. Configuring IAS.
d. Configuring Active Directory policies.

2. Set up the wireless access point, which involves:
a. Setting the IP address of the wireless access point.
b. Configuring the 802.1X PEAP networking settings:
 IP address of the primary RADIUS authentication server
 IP address of the primary RADIUS accounting server
c. Configuring the shared secret.

Setting Up the Server


The IEEE 802.1X standard, which carries the Extensible Authentication Protocol (EAP)
between the wireless client, the access point and the RADIUS server, provides the port-based
authentication that a secure wireless LAN requires.
EAP-TLS uses certificate-based mutual authentication: the client presents a user or computer
certificate and the server presents its own. Protected EAP (PEAP) instead first establishes a
TLS tunnel in which only the server is authenticated with a certificate, and then runs an inner
authentication method inside that tunnel; with PEAP-MS-CHAP v2, the inner method
authenticates the user or computer with the domain password. The solution for secure
wireless networks for medium IT is based on PEAP-MS-CHAP v2 because of the complexity
involved in enrolling and managing client certificates. Because the password exchange is
protected only by the tunnel, clients must validate the server certificate and trust only the
BusinessName CA; otherwise a rogue access point with its own RADIUS server could
harvest credentials.

Setting Up Internet Authentication Server Components
The following server components need to be configured for PEAP authentication:
 Active Directory groups
 Internet Authentication Service (RADIUS server)
 Certification Authority (CA)



For PEAP authentication to be configured as described in this appendix, it is assumed that
the environment is running Windows Server 2003 and Active Directory. This assumption is
required to ensure that the authorization and authentication services are provided by the
Active Directory directory service.

Creating an Active Directory Group for Mobile Users and Computers
You need to create a global security group in Active Directory called Mobile Users.
Perform the following steps to create a Mobile Users global security group:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools menu.
2. Right-click the Users container, point to New, and click Group.
3. In the New Object - Group dialog box, type Mobile Users in both name boxes. Under
Group scope select Global, under Group type select Security, and click OK.

After you have created the group, wireless users need to be added to the Mobile Users group
to be able to connect to the wireless network.
Perform the following steps to grant wireless network access permission to computers (by
adding their computer accounts to the Mobile Users group):
1. Open the Mobile Users group.
2. Select the Members tab.
3. Click Add, click Object Types, and select the Computers check box.
4. Add the computers that need to be granted wireless access to the Mobile Users
group.
Perform the following steps to grant wireless network access permission to users (by adding
their user accounts to the Mobile Users group):
1. Open the Mobile Users group.
2. Select the Members tab.
3. Click Add, click Object Types, and select the Users check box.
4. Add the users that need to be granted wireless access to the Mobile Users group.

Configuring Wireless Internet Authentication Service Policy
The IAS must be configured with remote access policy and connection request settings for
the authentication and authorization of wireless users and computers on the wireless
network. In addition, the IAS must be configured to accept connections from RADIUS clients
(wireless access points). Wireless access points must be configured to use the IAS server to
pass authentication requests.



Note: You should wait at least 30 minutes after installing the CA before creating the
wireless access policy. Otherwise, you will not be able to add the server authentication
certificate to the wireless access policy, as described in the following steps.

Perform the following steps using the Internet Authentication Service (IAS) management
console on the primary infrastructure server in the Administrative Tools menu.
1. Right-click the Remote Access Policies folder and click the New Remote Access
Policy option.
2. Name the policy Allow Wireless Access and select the option Use the wizard to set
up a typical policy for a common scenario.
3. Select Wireless as the access method.
4. Grant access, based on the group and add the Mobile Users security group to the list
of groups that have wireless access rights.
5. Select Protected EAP (PEAP) for the EAP type.
6. Select Configure and verify that the certificate issued is set to
core1servername.BusinessName.com, click OK, and click Next.
7. Click the Finish button and exit the wizard.
8. Double-click the wireless access policy just created, click Edit Profile, click the
Authentication tab, and select Microsoft Encrypted Authentication version 2 (MS-
CHAP v2), and click OK.
9. Accept any warning messages that may appear.

Note: The Allow Wireless Access policy created in the preceding steps can coexist
with other remote access policies. However, IAS evaluates remote access policies
in the order listed and applies the first policy whose conditions match the
connection request, so ensure that the Allow Wireless Access policy is listed above
any other policy that could match wireless connections (for example, the default
policy). Use the arrows next to the list to move the Allow Wireless Access policy to
the top of the list.

Adding RADIUS Clients to the Internet Authentication Service
You must add each wireless access point to IAS as a RADIUS client before the access point
can be configured to use the IAS server. Perform the following steps in the Internet
Authentication Service (IAS) management console to add a wireless access point as a
RADIUS client:
1. Right-click the RADIUS Clients folder and click New RADIUS Client.
2. Enter a friendly name and the IP address of the wireless access point. This is the
same name and IP address entered for the wireless access point. If you have not set
up the wireless access point yet, use these same values when you configure the
wireless access point.
3. Select RADIUS Standard as the client-vendor attribute, and then enter the shared
secret for this particular wireless access point. Then, select the Request must contain
the Message Authenticator attribute check box. The Message-Authenticator attribute
is an HMAC-MD5 over the request keyed with the shared secret, so requiring it
ensures that a host that does not know the secret cannot forge or alter requests that
appear to come from the access point. If you have not set up the wireless access
point yet, use the same shared secret when you configure the wireless access point.
The shared secret must be configured exactly the same on the WAP as in the IAS
settings. Note that the rule of 13 ASCII characters or 26 hexadecimal characters
applies to a 128-bit WEP key, not to the RADIUS shared secret, which has no such
fixed length; use a long random value that is unique to each access point.

Note: Most wireless access points do not require vendor-specific attributes (VSA). However,
some RADIUS clients may require configuring VSA to function correctly. For more information
on VSA requirements, refer to your vendor-specific documentation.
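The following Python script is an added example, not code from this appendix or from Microsoft, showing what the Request must contain the Message Authenticator attribute check box enforces. It builds a RADIUS Access-Request the way a wireless access point (RADIUS client) would, computes the Message-Authenticator attribute (type 80) as HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed, as specified in RFC 3579, and then performs the server-side check: a genuine request is accepted, while a request signed with the wrong secret, a request altered in transit, and a request without the attribute are all rejected. The user name, the access point address 10.0.1.100 (taken from the range this appendix assigns to access points) and the shared secret are constructed sample values.

```python
"""Added example (not part of the Microsoft appendix): the Message-Authenticator
check that "Request must contain the Message Authenticator attribute" turns on.

A RADIUS client (the wireless access point) builds an Access-Request and appends a
Message-Authenticator attribute (type 80): an HMAC-MD5, keyed with the shared
secret, over the whole packet with the attribute's 16-byte value zeroed (RFC 3579).
The RADIUS server recomputes it before processing the request, so a host that does
not know the secret cannot forge or alter requests for that access point.
The user name, NAS address and shared secret below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19   # "Wireless - IEEE 802.11" (RFC 3580)
HEADER_LEN = 20                     # Code, Identifier, Length, Request Authenticator


def attribute(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, includes itself), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_authenticator, attrs):
    """Assemble the 20-byte header followed by the attribute list."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + attrs


def message_authenticator(secret, packet_with_zeroed_value):
    """HMAC-MD5(shared secret, packet) with the Message-Authenticator value set to 16 zero bytes."""
    return hmac.new(secret, packet_with_zeroed_value, hashlib.md5).digest()


def sign_access_request(secret, identifier, request_authenticator, attrs):
    """Access point side: append a zeroed Message-Authenticator, compute the HMAC, fill it in."""
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = build_access_request(identifier, request_authenticator, attrs + placeholder)
    return packet[:-16] + message_authenticator(secret, packet)


def find_message_authenticator(packet):
    """Walk the attribute list; return (offset of the 16-byte value, value) or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None                       # malformed attribute list: treat as absent
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2, packet[pos + 2:pos + 18]
        pos += attr_len
    return None


def verify_access_request(secret, packet, require_message_authenticator=True):
    """RADIUS server side: True only if the HMAC matches this client's shared secret."""
    if len(packet) < HEADER_LEN or packet[0] != ACCESS_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False                          # declared Length must match the datagram
    found = find_message_authenticator(packet)
    if found is None:
        return not require_message_authenticator   # the IAS check box makes this a rejection
    offset, received = found
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    return hmac.compare_digest(received, message_authenticator(secret, zeroed))


def demo():
    """Genuine request passes; wrong secret, tampered attribute and missing attribute fail."""
    secret = b"constructed-example-shared-secret"   # constructed; use a long random value per AP
    request_authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, b"BusinessName\\wireless.user")
             + attribute(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 1, 100]))
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    packet = sign_access_request(secret, 7, request_authenticator, attrs)
    tampered = packet[:HEADER_LEN + 2] + b"X" + packet[HEADER_LEN + 3:]   # alter one User-Name byte
    bare = build_access_request(7, request_authenticator, attrs)          # no attribute at all
    return {
        "genuine": verify_access_request(secret, packet),
        "wrong_secret": verify_access_request(b"not-the-secret", packet),
        "tampered": verify_access_request(secret, tampered),
        "missing": verify_access_request(secret, bare),
        "missing_but_optional": verify_access_request(secret, bare, require_message_authenticator=False),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-22s %s" % (name, "accepted" if accepted else "rejected"))
```

The missing_but_optional case is the behaviour you get when the check box is left clear: a request with no Message-Authenticator is processed on the strength of its source IP address alone, which is why the box should be selected for every access point that supports the attribute.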

Modifying the Wireless Access Policy Profile Settings
Configure the wireless access policy to ignore the dial-in properties of user accounts, to
avoid potential problems with some wireless access points. In addition, RADIUS attributes
should be set so that clients re-authenticate at timed intervals and the dynamic WEP session
keys are refreshed; with a Termination-Action of RADIUS-Request, the client re-authenticates
when the Session-Timeout expires instead of being disconnected.
Perform the following steps to modify the wireless access policy profile settings:
1. Select the Remote Access Policies folder and select the Allow Wireless Access
policy created for wireless access.
2. Open the properties of the policy, and then click Edit Profile.
3. On the Dial-in Constraints tab, select the Minutes clients can be connected
(Session-Timeout) option, and then enter 30 as the value.
4. On the Advanced tab, click Add, and add the following attributes from the list
with the indicated settings:
a. Set the Ignore-User-Dialin-Properties attribute to True.
b. Set the Termination-Action attribute to RADIUS-Request.

5. Close the dialog boxes and exit from the Internet Authentication Service (IAS)
management console.



Note: On some wireless 802.1x supporting access points, the “NAS-Port-Type matches”
policy condition may have to be removed.

Creating Group Policy Objects (GPOs) for Wireless Properties on the Client Computer
Note: In this solution, these tasks have been automated through Group Policy and should
not be done if the guidance provided in the Medium Business Solution for Management and
Security using Active Directory Group Policy will be implemented.

Perform the following steps:


1. Open the Group Policy Management Console by clicking the shortcut under
Administrative Tools.
2. Expand <Forest>\Domains\<BusinessName.com>.
3. Right-click Group Policy Objects and click New.
4. Type the name “Wireless Network Policy” for the GPO.
5. Right-click the GPO and click Edit.
6. Navigate to \Computer Configuration\Windows Settings\Security
Settings\Wireless Network (IEEE 802.11) Policies.
7. Click the Wireless Network (IEEE 802.11) Policies object from the navigation pane,
and click Create Wireless Network Policy... on the Action menu. Use the wizard to
name the policy as Client Computer Wireless Configuration. Select the Edit
Properties check box and click Finish to close the wizard.
8. Select Add on the Preferred Networks tab of the Client Computer Wireless
Configuration policy, type the Network Name or Service Set ID (SSID) of the
wireless network, such as BusinessName WLAN, and select the following:
• Data encryption (WEP enabled)
• Network Authentication (Shared Mode)
• The key is provided automatically

9. Click the IEEE 802.1x tab, and change the EAP type to “Protected EAP (PEAP)”.
10. Click the Settings button for EAP type. Under Trusted Root Certificate Authorities,
select the root CA for the IAS server certificates (which was configured as
BusinessNameCA in Chapter 3, “Network and Directory Services,” of this solution).
11. Click OK on all of the dialog boxes and close Group Policy Object Editor.

Link the wireless GPO to the OU that will contain computers that will need to access
the wireless network. For more information on OU design and GPOs, refer to the
Medium Business Solution for Management and Security using Active Directory Group
Policy.



Setting Up the Wireless Access Point
The procedure for configuring wireless access points varies depending on the make and
model of the device. However, wireless access point vendors generally provide instructions
for configuring the device. Using the instructions provided by the vendor, make the
following configuration changes on the wireless access point:
• IP address of the wireless AP: Ensure that the IP address of the wireless access point
is the same as the IP address entered in the "Adding RADIUS Clients to the Internet
Authentication Service" step while configuring the IAS. For the medium IT environment,
the static IP range 10.0.1.100 to 10.0.1.150 was assigned to wireless access points.
To ease administration of the WAP, in the DNS administration tool on the primary
infrastructure server, add a HOST and PTR entry for the WAP device, and establish a
DHCP reservation on both infrastructure servers for the MAC address of the wireless
access point.
• 802.1x networking settings: There might be an option to select EAP-TLS or
MD5/Password. Select the EAP-TLS authentication type.
• IP address of the primary RADIUS authentication server: This address needs to be
the same as the IP address of the Windows server running IAS. If required, enter 1812
as the RADIUS server port.
• IP address of the primary RADIUS accounting server, if required: This is the IP
address of the Windows server running IAS.
• RADIUS shared secret with the primary RADIUS server: Ensure that the shared
secret is the same as that entered in the "Adding RADIUS Clients to the Internet
Authentication Service" step (earlier in this chapter) while configuring the IAS; it
must match the IAS setting exactly. A 128-bit key requires either 13 ASCII characters
or 26 hexadecimal characters.

In scenarios where multiple wireless access points are used, each wireless access point needs
to be configured with the same settings. Ensure that the SSIDs are the same, but the channels
are different for each wireless access point.
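The settings listed above only work when the access point and the IAS RADIUS client entry agree exactly, and a mismatch (wrong address, mistyped shared secret, wrong key length) shows up as clients that silently fail to authenticate. The following added Python example, not part of the solution guide, checks a set of access-point settings against the IAS side using the rules in this section; the IAS address, shared secret and access-point records are constructed for the example.

```python
import ipaddress
import string

# Constructed values for this example (hypothetical network), following the appendix: APs take
# static addresses in 10.0.1.100-10.0.1.150 and authenticate against the IAS server on UDP 1812.
WAP_RANGE = (ipaddress.IPv4Address("10.0.1.100"), ipaddress.IPv4Address("10.0.1.150"))
IAS_SERVER, RADIUS_AUTH_PORT = "10.0.1.10", 1812          # hypothetical IAS address
SECRET = "Xk9#pL2mQ7vR4wT"                                # constructed shared secret
IAS_RADIUS_CLIENTS = {"10.0.1.100": SECRET, "10.0.1.101": SECRET}   # as registered in IAS

def wep_key_ok(key: str) -> bool:
    """128-bit WEP key as the appendix states it: 13 ASCII or 26 hexadecimal characters."""
    return ((len(key) == 13 and key.isascii() and key.isprintable())
            or (len(key) == 26 and all(c in string.hexdigits for c in key)))

def check_access_point(ap: dict) -> list:
    """Compare one AP's settings with the IAS side; an empty list means they agree."""
    findings = []
    if not WAP_RANGE[0] <= ipaddress.IPv4Address(ap["ip"]) <= WAP_RANGE[1]:
        findings.append("IP address outside the WAP static range")
    secret = IAS_RADIUS_CLIENTS.get(ap["ip"])
    if secret is None:
        findings.append("IP address is not registered as a RADIUS client in IAS")
    elif secret != ap["shared_secret"]:
        findings.append("shared secret differs from the IAS RADIUS client entry")
    if (ap["radius_server"], ap.get("radius_port", 1812)) != (IAS_SERVER, RADIUS_AUTH_PORT):
        findings.append("RADIUS server address/port does not point at IAS on 1812")
    if ap["eap_type"] != "EAP-TLS":
        findings.append("802.1x setting is not EAP-TLS")
    if not wep_key_ok(ap["wep_key"]):
        findings.append("WEP key is not 13 ASCII or 26 hexadecimal characters")
    return findings

def check_fleet(aps: list) -> list:
    """Multi-AP rule from the appendix: identical SSID on every AP, distinct channels."""
    findings = []
    if len({ap["ssid"] for ap in aps}) > 1:
        findings.append("SSIDs differ across access points")
    channels = [ap["channel"] for ap in aps]
    if len(channels) != len(set(channels)):
        findings.append("two or more access points share a channel")
    return findings

# Constructed sample: the second AP was set up with a mistyped secret and a 14-character key.
BASE = {"ssid": "BusinessName WLAN", "eap_type": "EAP-TLS", "radius_server": IAS_SERVER}
SAMPLE_APS = [
    dict(BASE, ip="10.0.1.100", channel=1, shared_secret=SECRET, wep_key="abcdef1234567"),
    dict(BASE, ip="10.0.1.101", channel=6, shared_secret="Xk9#pL2mQ7vR4wt", wep_key="abcdef12345678"),
]
```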

Setting Up Wireless Client Computers
For instructions on how to set up secure wireless access on different types of clients present
in the medium IT environment, refer to Medium Business Solution for Client Configuration.



Software Restriction Policies
If an application is providing a service to the network, such as Microsoft Instant Messenger
or a Web service, it could, in theory, become a target for an attack. As part of the defense-in-
depth solution, you may want to consider producing a list of authorized applications for the
organization. Attempts to install an unauthorized application on any of your client
computers could expose all of them and the data they contain to a greater risk of attacks.
Use Group Policy to restrict users from running unauthorized applications. The specific area
of Group Policy that handles this feature is called the "Software Restriction Policy," which
you can access through the standard Group Policy MMC snap-in. The following figure
displays a Group Policy MMC screen showing the path where you can set "Software
Restriction Policies" for both your computers and users.
To access this snap-in directly from a Windows® XP client, perform the following steps:
1. Click Start and then Run.
2. Type secpol.msc and then click OK.

For documentation on using Group Policy, refer to the "Windows Server 2003 Group Policy
Technology Center" at the following URL:
http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
For more information, refer to the "Using Software Restriction Policies to Protect Against
Unauthorized Software" page at the following URL:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
