Friday, November 11, 2016

HOWTO - Generate a SSH RSA key pair for key based login


Generating a new SSH  key can be useful if U want to do passwordless authentication to a Linux server.

A SSH RSA key consists of a private public keypair, the private key will be kept secret and is your key to prove to the server who you say you are.

In below workflow the communication steps to do key-based authentication to a SSH server are summarised.




To generate a SSH RSA keypair, enter below command in a bash shell:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
-t  Specifies the type of key to use, in this case we will use the RSA key type.

-b Specifies the bitlenght to use, 1024, 2048, 4096 are possible values, the higher you go, the stronger your security will be, and the more time it will take to break your RSA key.

-C Specifies a label for your key.


This will create your SSH RSA key pair.
Generating public/private rsa key pair.

When u are asked to provide a location, press enter.  This will save your RSA key pair to your home folder.
Enter a file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]

In the end you will be asked for a password, your private key in this key pair will be encrypted with that password, so if someone steals your RSA key, it will be useless without that password.   You can also leave your password empty, but if your key get's stolen then, somone else will be able to use it.
In any case, note that you will need to provide that password, each time if the private key will be used.  
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]








Friday, June 3, 2016

HOWTO - Setup a Fips Compliant Root Certificate Authority on a Raspberry Pi with OpenSSL - using the True Random Number Generator (TRNG)


For people wondering if the Raspberry Pi is a device on which you can safely implement OpenSSL on, please read my previous article about testing the True Random Number Generator on the Pi.
http://random-notes-of-a-sysadmin.blogspot.be/2016/04/is-raspberry-pi-suitable-and-safe-to.html

Why am I selecting a Raspberry Pi to host my Certificate Authority on one might ask?
Because it's safe, small, cheap, fit's on my SD card which can be put away on a safe place if not used... (want to do a double tier setup with it), and it's cheaper than buying a certificate from an official provider.
I did more or less the same setup on Windows 2012R2, this worked very good, but it seems to have more overhead to set it up than a on a Rapberry Pi.

For people who are not really up to dat with what a Certificate Authority is, it's better to first read up on some readily available resource before diving into this tutorial as to get a better understanding how this whole puzzle fit's together.  A suggestion for a nice article on X.509 certificates: https://en.wikipedia.org/wiki/X.509

So in this tutorial we will be building a Root Certificate authority on our Raspberry Pi with the OpenSSL toolkit.



First start off by downloading your copy of Raspbian Jessie Lite from the Raspberry Foundation web site, write to SD card, boot it up, and log in with username pi and raspberry as password.

Let's get our Raspbian OS up to date:


  • expand your SD card with raspi-config 
  • sudo apt-get update 
  • sudo apt-get -y dist-upgrade 
  • sudo apt-get install -y rpi-update 
  • sudo rpi-update
The Raspbian Jessie Lite image from the raspberry pi foundation already seems to contain an installed version of openssl, the modify date of my Raspbian Jessie Lite image is 18/03/2016 and the installed openssl version is OpenSSL 1.0.1k 8 Jan 2015.
According to the openssl website this version will only be supported up to end of 2016.

For people wanting to compile a more recent version of OpenSSL, better first check out the release strategy of OpenSSL and verify what suit's you best.

In our tutorial, we will be compiling a FIPS 140-2 compliant module for OpenSSL, a module compliant to the Federal Information Processing Standard of America, in other words, verified source code.
If you want to know what FIPS is actually all about, read up on https://www.openssl.org/docs/fipsnotes.html which gives you a high level overview on FIPS.

First we will download the latest FIPS module source distribution tarball:

  • wget https://www.openssl.org/source/openssl-fips-2.0.12.tar.gz
Now we will verify the integrity of this download according to instructions in the FIPS security policy at https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf (page 26)

  • openssl sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.12.tar.gz 
Now compare the resulting 'digest ' with the 'digest' written down in the security policy, this needs to be an exact match, or else your download has been tampered with.

Unzip, configure, build, and install the module.

  • gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
  • cd openssl-fips-2.0.12
  • ./config
  • make
  • sudo make install
Ok, we now have OpenSSL and a FIPS 140-2 compliant module in place for usage.

In your home folder, (/home/pi in my case) create a folder which will hold all the files for your Certificate Authority.

  • mkdir /home/pi/My-RootCA
  • cd /home/pi/My-RootCA
  • mkdir certs crl newcerts private
  • chmod 700 private
  • touch index.txt
  • echo 1000 > serial
Before we will start creating our certificate authority, we will build a configuration file with configuration details of our certificate authority.  It will contain details needed by OpenSSL to perform it's function.  Save this file to your folder containing your certificate authority.

# OpenSSL Root Certificate Authority Configuration File.
[ openssl_conf_section ]
# Configuration module list
alg_section = evp_sect

[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes

[ ca ]
default_ca = CA_default

CA_default ]
# Directory and file locations.
dir               = /home/pi/My-RootCA
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key = $dir/private/My-RootCA.key.pem
certificate = $dir/certs/My-RootCA.cert.pem
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/My-RootCA.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 90

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha512
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 1825
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied


[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha512
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = BE
stateOrProvinceName_default     = MyState
localityName_default            = MyCity
0.organizationName_default      = Private Individual
organizationalUnitName_default  = Crypto Security
emailAddress_default            = MyEmail@gmail.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
authorityInfoAccess = caIssuers;URI:http://My.Server.net:8080/pki/My-RootCA.cert.pem
crlDistributionPoints = URI:http://My.Server.net:8080:8080/pki/My-RootCA.crl.pem

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
authorityInfoAccess = caIssuers;URI:http://My.Server.net:8080/pki/My-IntermediateCA.cert.pem
crlDistributionPoints = URI:http://My.Server.net:8080/pki/My-IntermediateCA.cert.pem

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

We will now start to build our Root Certificate Authority.
First will generate an RSA key with random seed data taken from /dev/hwrng (our Raspberry Pi random number generator).
This key will be encrypted with the AES256 cipher and a seed password that we set for it.
Each time that we want to use this private key, we will need to provide the password to decrypt the private key.

Before commencing, you should remove and disable any network connectivity to your Raspberry Pi, remove any connected network cables, make sure you don't have keyloggers and stuff, this for obvious reasons.

  • sudo openssl genrsa -aes256 -rand /dev/hwrng -out private/My-RootCA.key.pem 4096
Now that our private key is created, we will create a certificate for our Root Authority using this private key.

  • req -config openssl.cnf -key private/My-RootCA.key.pem -new -x509 -days 3650 -sha512 -extensions v3_ca -out certs/My-RootCA.cert.pem
This concludes the configuration of the Root Certificate Authority, next we will process the Intermediate Certificate Authority.




Next is the set-up of the Intermediate Authority, the steps are identical as above until the defenition of the config file.

In your home folder, (/home/pi in my case) create a folder which will hold all the files for your Certificate Authority.

  • mkdir /home/pi/My-IntermediateCA
  • cd /home/pi/My-IntermediateCA
  • mkdir certs crl newcerts private csr
  • chmod 700 private
  • touch index.txt
  • echo 1000 > serial
  • echo 1000 > crlnumber

Before we will start creating our certificate authority, we will build a configuration file with configuration details of our certificate authority.  It will contain details needed by OpenSSL to perform it's function.  Save this file to your folder containing your certificate authority.
# OpenSSL Intermediate Certificate Authority Configuration File.

[ openssl_conf_section ]
# Configuration module list
alg_section = evp_sect

[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes

[ ca ]
default_ca = CA_default

CA_default ]
# Directory and file locations.
dir               = /home/pi/My-IntermediateCA
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = /dev/hwrng

# The root key and root certificate.
private_key = $dir/private/My-IntermediateCA.key.pem
certificate = $dir/certs/My-IntermediateCA.cert.pem
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/My-IntermediateCA.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 90

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha512
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 1825
preserve          = no
policy            = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied


[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha512
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = BE
stateOrProvinceName_default     = MyState
localityName_default            = MyCity
0.organizationName_default      = Private Individual
organizationalUnitName_default  = Crypto Security
emailAddress_default            = MyEmail@gmail.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
authorityInfoAccess = caIssuers;URI:http://My.Server.net:8080/pki/My-RootCA.cert.pem
crlDistributionPoints = URI:http://My.Server.net:8080/pki/My-RootCA.crl.pem

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
authorityInfoAccess = caIssuers;URI:http://My.Server.net:8080/pki/My-IntermediateCA.cert.pem
crlDistributionPoints = URI:http://My.Server.net:8080/pki/My-IntermediateCA.crl.pem

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
We will also be needing a private key for our Intermediate Certificate Authority, so we will generate one in the next step:

  • sudo openssl genrsa -aes256 -rand /dev/hwrng -out private/My-IntermediateCA.key.pem 4096

To also create a certificate for our Intermediate Authority, we will need to make a certificate signing request which we will sign with our root authority, since this is offline, we will need to copy this to usb drive and copy it over to our root authority.

  • openssl req -config openssl.cnf -new -sha256 -key private/My-IntermediateCA.key.pem -out csr/My-IntermediateCA.csr.pem
On our Root authority, we will sign the Certificate Signing Request from our Intermediate Certificate Authority, once transferred from usb device.

  • openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -in csr/intermediate.csr.pem -out certs/intermediate.cert.pem
For other parties to be able to verify the validity of our certificates by checking revocation information, we will generate a Certificate Revocation List on our Root Certificate Authority.

  • openssl ca -config intermediate/openssl.cnf \ -gencrl -out intermediate/crl/intermediate.crl.pem
Next you should copy the Root Certificate, Intermediate Certificate, and Certificate Revocation List to the "authorityInfoAccess" and "crlDistributionPoints" locations specified in your config files, so other parties would be able to trust or validate this information.

Now that we have authorized an Intermediate Certificate Authority in our certificate chain, there is no more immediate need for our Root Authority to stay online.
It should be taken offline and stored in a physically secured location.  (like that coffee can buried in your backyard.)

The Intermediate Certificate Authority in the chain can now be used to sign any user or server certifcates.
If the integrity of your Intermediate Certificate Authority is breached, it will not damage the integrity of the Root Certificate Authority.





Tuesday, May 10, 2016

HOWTO - Prepare for Microsoft Exam 70-410 - Installing and Configuring Windows Server 2012/R2

Hi, if you are preparing for Microsoft Exam 70-410, make sure to prepare yourself a learning road-map.
If you start off without reviewing the 'objective domain' then you will have no idea what to study and how deep to study it.
The server certification track of microsoft consists of three exams, 70-410, 70-411, and 70-412, each with it's own objective domain.

A nice video on the exam 70-410 and it's objective domain can be found on Microsoft Virtual Academy.  It will give you a great understanding of what to study and how deep, make sure to check it out.

https://www.microsoft.com/en-gb/learning/exam-70-410.aspx

Install and configure servers (15-20%)


  • Install servers
    • Plan for a server installation
      • Windows Server 2012 R2 Foundation
        • max 15 users, no CAL's
        • single CPU socket, no limit on cores
        • max 32 Gb Ram
        • no virtualisation rights
      • Windows Server 2012 R2 Essentials
        • max 25 users and 50 devices
        • preconfigured connectivity to cloud-based services
          • Remote Web Access
          • My Server app for Windows/RT/Phone
          • Microsoft Azure Backup integration
          • Office 356 integration
        • no virtualisation rights
      • Windows Server 2012 R2 Standard
        • the entirety of Windows Server
        • max two cpu sockets, no limit on cores
        • two virtual instances included
      • Windows Server 2012 R2 Datacenter
        • the entirety of Windows Server
        • max two cpu sockets, no limit on cores
        • unlimited virtual instances included

      • Windows Server 2012 R2 User Interfaces
        • Server with a Gui
          • windows gui with start screen, server manager, and management console
        • Windows Server Core
          • server without a start screen, explorer, IE and desktop
        • Full Desktop Experience
          • Server with a gui, with desktop experience installed
          • Windows store and apps supported as well

    • Plan for server roles
      • In server manager - install roles and features
      • in powershell - get-windowsfeature, install-windowsfeature
      • grouped as roles with role services and features which do not fit in the roles
      • installing a role installs the framework for further role services
      • Server core only supports a subset of roles
        • AD Certificate Services
        • AD Domain Services
        • AD Lightweight Domain Services
        • AD Right Management Services
        • DHCP Server
        • DNS Server
        • File and Storage Services
        • Hyper-V
        • Print and Document Services
        • Remote Access Services
        • Streaming Media Services
        • Web Server (IIS)
        • Windows Server Update Services
    • Plan for a server upgrade
    • install Server Core, optimise resource utilisation by using Features on Demand, migrate roles from previous versions of Windows Server
    • Looking at the tools available, and knowing them
    • configuring services needs to be known well
  • Configure servers
    • Configure Server Core, delegate administration, add and remove features in offline images, deploy roles on remote servers, convert Server Core to/from full GUI, configure services, configure NIC teaming, install and configure Windows PowerShell Desired State Configuration (DSC)
    • know which features exists and what they do https://technet.microsoft.com/library/hh831669
  • Configure local storage
    • Design storage spaces, configure basic and dynamic disks, configure master boot record (MBR) and GUID partition table (GPT) disks, manage volumes, create and mount virtual hard disks (VHDs), configure storage pools and disk pools, create storage pools by using disk enclosures
    • know the differences between mbr and gpt disks



Configure server roles and features (15-20%)


  • Configure file and share access
    • Create and configure shares, configure share permissions, configure offline files, configure NTFS permissions, configure access-based enumeration (ABE), configure Volume Shadow Copy Service (VSS), configure NTFS quotas, create and configure Work Folders
    • deep knowledge about ntfs and share permissions required
    • know volume shadow copy services
  • Configure print and document services
    • Configure the Easy Print print driver, configure Enterprise Print Management, configure drivers, configure printer pooling, configure print priorities, configure printer permissions
    • know what a printer pool is
    • know difference between printer and print device
    • print priorities
    • shared print queues
  • Configure servers for remote management
    • Configure WinRM, configure down-level server management, configure servers for day-to-day management tasks, configure multi-server management, configure Server Core, configure Windows Firewall, manage non-domain joined servers
    • quickconfig switch, group policy



Configure Hyper-V (15-20%)


  • Create and configure virtual machine settings
    • Configure dynamic memory, configure smart paging, configure Resource Metering, configure guest integration services, create and configure Generation 1 and 2 virtual machines, configure and use enhanced session mode, configure RemoteFX
  • Create and configure virtual machine storage
    • Create VHDs and VHDX, configure differencing drives, modify VHDs, configure pass-through disks, manage checkpoints, implement a virtual Fibre Channel adapter, configure storage Quality of Service
  • Create and configure virtual networks
    • Configure Hyper-V virtual switches, optimise network performance, configure MAC addresses; configure network isolation, configure synthetic and legacy virtual network adapters, configure NIC teaming in virtual machines
    • know the differences between switches external internal private
    • new virtual machine
    • virtual switch, create, difference
    • new hard disks, learn the wizards



Deploy and configure core network services (15-20%)

Real world experience is a must-have for this topic


  • Configure IPv4 and IPv6 addressing
    • Configure IP address options, configure IPv4 or IPv6 subnetting, configure supernetting, configure interoperability between IPv4 and IPv6, configure Intra-site Automatic Tunnel Addressing Protocol (ISATAP), configure Teredo
    • know ipv4/6 interoperability tools and differences

  • Deploy and configure Dynamic Host Configuration Protocol (DHCP) service
    • Create and configure scopes, configure a DHCP reservation, configure DHCP options, configure client and server for PXE boot, configure DHCP relay agent, authorise DHCP server
  • Deploy and configure DNS service
    • Configure Active Directory integration of primary zones, configure forwarders, configure Root Hints, manage DNS cache, create A and PTR resource records
Follow the IPV6 bootcamp



Install and administer Active Directory (15-20%)

Limited to below topics but deeply integrated

  • Install domain controllers
    • Add or remove a domain controller from a domain, upgrade a domain controller, install Active Directory Domain Services (AD DS) on a Server Core installation, install a domain controller from Install from Media (IFM), resolve DNS SRV record registration issues, configure a global catalogue server, deploy Active Directory infrastructure as a service (IaaS) in Microsoft Azure
  • Create and manage Active Directory users and computers
    • Automate the creation of Active Directory accounts; create, copy, configure and delete users and computers; configure templates; perform bulk Active Directory operations; configure user rights; offline domain join; manage inactive and disabled accounts
  • Create and manage Active Directory groups and organisational units (OUs)
    • Configure group nesting; convert groups, including security, distribution, universal, domain local and domain global; manage group membership using Group Policy; enumerate group membership; delegate the creation and management of Active Directory objects; manage default Active Directory containers; create, copy, configure and delete groups and OUs



Create and manage Group Policy (15-20%)


  • Create Group Policy objects (GPOs)
    • Configure a Central Store, manage starter GPOs, configure GPO links, configure multiple local Group Policies
  • Configure security policies
    • Configure User Rights Assignment, configure Security Options settings. Configure Security templates, configure Audit Policy, configure Local Users and Groups, configure User Account Control (UAC)
  • Configure application restriction policies
    • Configure rule enforcement, configure AppLocker rules, configure Software Restriction Policies
  • Configure Windows Firewall
    • Configure rules for multiple profiles using Group Policy; configure connection security rules; configure Windows Firewall to allow or deny applications, scopes, ports, and users; configure authenticated firewall exceptions; import and export settings