Hardware Disks
There are four basic types of hardware disks: Serial Advanced Technology
Attachment (SATA), Small Computer System Interface (SCSI), Serial
Attached SCSI (SAS), and Solid State Drives (SSD).
SATA, SCSI, and SAS are mechanical Hard Disk Drives (HDDs). HDDs
consist of circular disks and a head that can read and write information to
the disk. Solid State Drives (SSDs) are based on semiconductors and
have no moving parts.
[1]
Note that even though we are using the term disk when referring to
these different HDD technologies, their difference is not actually based on
the disk's mechanical characteristics, but rather on the characteristics of
the disk controller and its interface (as well as the corresponding bus), via
which the disk attaches to and communicates with the computer system.
[1]
Disk Speed
Disks are categorized by capacity and speed. Disk speed is measured in
Input/Output Operations Per Second (IOPS). Here is a general overview of
disk speeds by drive type.
Task Manager
Task Manager provides information about:
Resource Monitor
Resource Monitor provides detailed information about real-time
performance on Windows Servers. You can use Resource Monitor to view
real-time data on CPU, Memory, Network and Disk performance. Resource
Monitor can help you identify and resolve conflicts and bottlenecks.
Performance Monitor
Windows Performance Monitor examines how programs you run affect
your computer's performance, both in real time and by collecting log data
for later analysis. Performance Monitor uses:
DISK STRUCTURE
Feature                         MBR      GPT
Maximum number of partitions    4        128
Maximum disk size               2 TB     18 EB
Maximum volume size             2 TB     256 TB
Redundant partition table       No       Yes
If your hard disk is larger than 2 TB, and you want to be able to access all of it, you must use
the GPT partition table format. You can convert between the two formats; however, the
conversion results in all the data on the disk being lost.
File Systems
ReFS Advantages
File Permissions
Permission and description:
- Full Control
- Modify
- (Folders Only)
- Read
- Write
- Special Permissions
It is very important to back up the key that is part of the data recovery agent profile
information. The certificate can be used to restore a user's access if the private key is
forgotten or lost.
There are many potential ways to implement both the process and
certificate elements of an EFS implementation. One method is to have a
Public Key Infrastructure (PKI), which allows for more robust management,
issuance and revocation of certificates. This also provides more
manageability at scale when large numbers of people and certificates are
involved, potentially spread geographically. A PKI isn't essential though;
for small-scale scenarios you can use self-signed certificates, in both
domain-joined and non-domain-joined environments.
1.
2.
3. The DRA must have the File Recovery Key in their local certificate store.
Typically, this is done by exporting the recovery key. It is also important
to back up this key and to tightly control access to it.
4. Test and back up. Test to ensure the recovery agent knows how to
decrypt files. This is extremely important and often overlooked: make
sure your processes work as you envision. Ensure a backup plan is in
place for all the users' profile certificates.
In the absence of a full Public Key Infrastructure (PKI) such as Active
Directory Certificate Services (AD CS) to issue and manage certificates for
EFS, you can use the command line tool cipher.exe.
The command cipher /r:<filename> will generate a new self-signed File Recovery key,
which can then be imported into Group Policy for use. By default, the key and certificate
generated will be associated with the user who is signed in when it is run. It is also
possible to add users to keys and certificates using this tool. From the command line,
type cipher.exe /? to see a full list of the available options.
Teach users to export their certificates and private keys to removable media and store
the media securely when not in use.
Designate more than one recovery agent, and ensure both accounts are secured.
Implement a recovery agent archive program to ensure obsolete recovery keys are
stored.
Load balance your servers when there are many clients using EFS. EFS does
introduce some CPU overhead every time a user encrypts and decrypts a file.
VOLUMES
Volume Types
UEFI Computers
On UEFI (Unified Extensible Firmware Interface) based computers, you
will likely also find Microsoft Reserved Partitions, which hold operating
system managed components that, on legacy computers with Basic
Input/Output System (BIOS) firmware, used to be stored in hidden disk
sectors (for example, the Logical Disk Manager database, used to store
disk metadata).
Extend a Volume
Sometimes after creating a disk volume you find out more space is
needed. For example, you create a 4 GB data drive for the Human
Resources department, but more people are hired and more disk space is
needed. If you have unallocated disk space, you can extend the existing
volume into the unused space.
Your extend options depend on the volume type, which, in turn, depends
on the disk type. Basic volumes can be extended only if the unallocated
space is contiguous. If the space is non-contiguous then the disk must be
dynamic. Dynamic volumes are often referred to as simple volumes.
[1]
When you extend a simple volume by using unallocated space on one
or more other disks, you convert the volume into a spanned
volume. Spanned volumes link unallocated disk space on multiple disks
together.
Shrink a Volume
Shrinking a volume is the opposite of extending a volume. Shrinking is
used to deallocate unused volume space. For example, the HR
department is only using 10% of its allocated space, and you don't think
this will change, so you want to take the unused storage and allocate it to
a different volume.
Note that the terms simple and basic are frequently used interchangeably
when talking about volumes regardless of the underlying disk type.
[1]
Only NTFS volumes have the Shrink Volume option. ReFS does not
support volume shrinking.
You cannot shrink a disk past an immovable file, like a page file.
RAID
Redundant Array of Independent Disks (RAID) is a technology to provide
high reliability and (potentially) high performance storage systems. RAID
combines multiple disks into a single logical unit called a RAID array.
Depending on the configuration, a RAID array can withstand the failure of
one or more of the physical hard disks contained in the array, and/or
provide higher performance than is available by using a single disk.
RAID Performance
RAID subsystems can provide potentially better performance than
individual disks by distributing disk reads and writes across multiple disks.
For example, when implementing disk striping, the server can read
information from all hard disks in the stripe set simultaneously. When
combined with multiple disk controllers, this can provide significant
improvements in storage throughput.
Although RAID can provide better tolerance for disk failure, you should not use
RAID to replace traditional backup. If all the disks were to fail, then you would
still have to resort to performing a restore.
Fault Tolerance
RAID enables fault tolerance by using additional disks to ensure that the
disk subsystem can continue to function even if one or more disks in the
subsystem fail.
RAID Levels
The most common fault tolerant RAID levels are RAID 1 (also known
as mirroring), RAID 5 (also known as striped set with distributed
parity), and RAID 1+0 (also known as mirrored set in a striped set).
For each RAID level: performance, space utilization, redundancy and comments.

RAID 0 (striping)
  Space utilization: All space on the disks is available.
  Redundancy: A single disk failure results in the loss of all data.
  Comments: Use only in situations where you require high performance and
  can tolerate data loss.

RAID 1 (mirroring)
  Performance: Good performance.
  Space utilization: Can only use the amount of space that is available on
  the smallest disk.
  Redundancy: Can tolerate a single disk failure.
  Comments: Frequently used for system and boot volumes with hardware RAID.

RAID 5 (striped set with distributed parity)
  Performance: Good read performance, poor write performance.
  Space utilization: Uses the equivalent of one disk for parity.
  Redundancy: Can tolerate a single disk failure.
  Comments: Commonly used for data storage where write performance is not
  critical, but maximizing disk usage is important.

RAID 1+0 (or 10) (mirrored set in a striped set)
  Description: Several drives are mirrored to a second set of drives, and
  each mirror is striped.
  Performance: Very good read and write performance.
  Space utilization: Only half the disk space is available due to mirroring.
  Redundancy: Can tolerate the failure of two or more disks as long as both
  disks are not part of the same mirror.
  Comments: Frequently used in scenarios where performance and redundancy
  are critical, and the cost of the required additional disks is acceptable.
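As an added example (not part of the original document), the following PowerShell models why RAID 5 tolerates exactly one disk failure: the parity chunk of a stripe is the XOR of its data chunks, so any one missing chunk equals the XOR of everything that survived, while two missing chunks cannot be separated. The byte values and the four-disk layout are constructed for the demonstration; real controllers rotate parity across disks, which this model omits.

```powershell
# Toy RAID 5 stripe: three data chunks and one parity chunk (constructed data).
function Get-XorParity {
    param([object[]]$Chunks)   # each element is a byte[] of equal length
    $parity = New-Object byte[] ($Chunks[0].Length)
    foreach ($chunk in $Chunks) {
        for ($i = 0; $i -lt $parity.Length; $i++) {
            $parity[$i] = $parity[$i] -bxor $chunk[$i]
        }
    }
    return ,$parity            # leading comma keeps the byte[] intact
}

function Test-SameBytes {
    param([byte[]]$A, [byte[]]$B)
    return [Convert]::ToBase64String($A) -eq [Convert]::ToBase64String($B)
}

# One stripe spread over disks 1..3, with disk 4 holding this stripe's parity.
$data = @(
    [byte[]](0x48, 0x52, 0x2D, 0x31),   # "HR-1"
    [byte[]](0x44, 0x41, 0x54, 0x41),   # "DATA"
    [byte[]](0x30, 0x30, 0x30, 0x31)    # "0001"
)
$parity = Get-XorParity -Chunks $data
# Four disks, three usable: the "equivalent of one disk for parity" in the table.

# Single failure: disk 2 dies. Rebuild it from the survivors plus parity.
$rebuilt = Get-XorParity -Chunks @($data[0], $data[2], $parity)
"Disk 2 rebuilt correctly: $(Test-SameBytes -A $rebuilt -B $data[1])"   # True

# Double failure: disks 2 and 3 die. XOR of what is left is chunk2 XOR chunk3,
# which matches neither chunk: one parity equation cannot solve two unknowns.
$mixed = Get-XorParity -Chunks @($data[0], $parity)
"Double failure recovered disk 2: $(Test-SameBytes -A $mixed -B $data[1])" # False
"Double failure recovered disk 3: $(Test-SameBytes -A $mixed -B $data[2])" # False
```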
NFS Components
NFS Scenarios
VMware virtual machine storage. In this scenario, disk files for virtual
machines running on VMware hosts reside on NFS exports. You can use Server for NFS to
host the disk files on a Windows Server 2012 R2 file server.
Use the latest version of NFS servers and clients. Currently, NFS
version 4.1 is the latest version and is supported on Windows Server 2012 and later and
Windows 8 and later. By using the latest version of server and client operating systems, you
can take advantage of the latest performance and security improvements, such as client/server
negotiation and improved support for clustered servers.
Enable all available security enhancements. Since NFS version 3.0, NFS
has offered Kerberos security options to strengthen NFS communication. The following
options should be used when possible:
authentication traffic.
The main advantage of NFS is that it doesn't matter what operating system the
server or client is using. NFS is an open standard that allows sharing between
different platforms.
Implementing NFS
NFS Steps
Be sure to distinguish between the Server steps and the Client steps.
1. Install the NFS role service. The file server that will be hosting the data will
need the Server for NFS role service. This is part of File and Storage Services and
provides the ability to export NFS shares.
2. Configure the NFS role service. Select your NFS sharing profile, specify
access host information, authentication methods, and permissions. There are two
NFS share profiles.
   NFS Share Quick. This is the fastest way to create an NFS share,
   but it does not have some of the customizable share options available with Advanced
   profiles. However, you can manually configure these advanced options after the
   share has been created.
3. Install the NFS Client. Install the Client for NFS on any computer that will
need access to the NFS share. Most UNIX and Linux computers have a built-in NFS
client.
4. Access the drives. This can be as simple as mounting the drive directly. You
could also incorporate the share into your iSCSI storage and Storage Spaces
implementations.
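The server-side steps above, scripted with the NFS cmdlets instead of Server Manager, as an added example that is not from the original document. It applies the Kerberos recommendation from the NFS Scenarios section by requiring krb5p (authentication plus encryption) and grants access only to one named host; the share name, path and host name are assumptions.

```powershell
# Step 1: Server for NFS role service (part of File and Storage Services).
Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools

# Step 2: create the export. Assumed path and share name.
$sharePath = 'D:\Exports\vmstore'
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# Require Kerberos with privacy so NFS traffic is both authenticated and
# encrypted; refuse anonymous access and unmapped (raw UID/GID) identities.
# The default permission for any host not explicitly granted below is no-access.
New-NfsShare -Name 'vmstore' -Path $sharePath `
    -Authentication Krb5p `
    -EnableAnonymousAccess $false `
    -EnableUnmappedAccess $false `
    -Permission no-access

# Grant read/write to the one host that needs it; keep root squashing on
# (AllowRootAccess $false) so a root user on the client is not root on the share.
Grant-NfsSharePermission -Name 'vmstore' `
    -ClientName 'esx01.corp.example' -ClientType host `
    -Permission readwrite -AllowRootAccess $false

# Verify the effective configuration before handing the export to clients.
Get-NfsShare -Name 'vmstore' | Select-Object Name, Path, Authentication, Permission
Get-NfsSharePermission -Name 'vmstore'
```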
SMB Scenarios
File storage for virtualization (Hyper-V over SMB). Hyper-V can store
virtual machine files, such as configuration, Virtual hard disk (VHD) files, and snapshots, in
file shares over the SMB 3.x protocol. This can be used for both stand-alone file servers and
clustered file servers that provide storage for Hyper-V clusters.
Microsoft SQL Server over SMB. SQL Server can store user database files
on SMB file shares. This is supported with SQL Server 2008 R2 for stand-alone SQL servers
and for both stand-alone and clustered SQL Server installations starting with SQL Server
2012.
Traditional storage for end-user data. The SMB 3.x protocol provides
enhancements to the Information Worker (or client) workloads. These enhancements include
reducing the application latencies experienced by branch office users when accessing data
over wide area networks (WAN) and protecting data from eavesdropping attacks. [1]
SMB Features
The Windows 8.1 operating system and Windows Server 2012 R2 are using SMB
3.02. Here are some of the most important features.
network adapters connected to separate networks, SMB will be able to utilize both
network paths, combining the effective bandwidth and facilitating failover if one of
them becomes unavailable.
VSS for SMB File Shares. Volume Shadow Copy Service (VSS) is
enhanced to allow snapshots at the remote share level. Remote file shares act as a
provider and integrate with a backup infrastructure.
SQL Server over SMB. You can store both stand-alone and clustered
Microsoft SQL Server databases on SMB 3.x shares, which could allow
infrastructure consolidation.
Implementing SMB
1. Select an SMB profile. If you have the File and Storage Services server role
installed, then you are ready to use SMB. You can create the SMB share in Server
Manager or with Windows PowerShell. There are three SMB profiles to choose from:
2. Select Share Settings. The Quick and Advanced profiles have some additional
configuration options.
   Allow caching of share. This makes the contents of the share available to
   offline users.
   Encrypt data access. When enabled, remote file access to the share will be
   encrypted. This secures the data against unauthorized viewing while the data is
   transferred to and from the server.
3. Configure the permissions. The last task to perform may be the most
important. You need to set permissions for who can access the share and what
privileges they have when they access the share. For example, will everyone have
full control over the share?
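Steps 2 and 3 above done with the SMB cmdlets, as an added example that is not part of the original document. It turns on encryption for the share, disables offline caching, and replaces "Everyone: Full Control" with group-based access; the share name, path and group names are assumptions.

```powershell
# Assumed location for the share.
$sharePath = 'D:\Shares\HR'
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# Step 2 settings chosen explicitly rather than left at the profile defaults.
$shareParams = @{
    Name                  = 'HR$'
    Path                  = $sharePath
    EncryptData           = $true            # "Encrypt data access": SMB 3.x encryption
    CachingMode           = 'None'           # no offline copies of HR data on laptops
    FolderEnumerationMode = 'AccessBased'    # users only see items they can open
    FullAccess            = 'CORP\HR-Admins' # step 3: scoped groups, not Everyone
    ChangeAccess          = 'CORP\HR-Staff'
}
New-SmbShare @shareParams

# Server-wide: refuse clients that cannot negotiate encryption, and turn off
# SMB1, which supports neither encryption nor the SMB 3.x features listed above.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true `
    -EnableSMB1Protocol $false -Force

# Check: list non-administrative shares that are still unencrypted or cacheable.
Get-SmbShare -Special $false |
    Where-Object { -not $_.EncryptData -or $_.CachingMode -ne 'None' } |
    Select-Object Name, Path, EncryptData, CachingMode
```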
BitLocker
BitLocker Features
TPM Scenarios
Two-factor authentication. By leveraging a TPM with BitLocker, two-factor authentication can be achieved on startup. For example, you might require a user to
provide a startup key or a PIN, in addition to the verification provided by the TPM. A PIN
consists of four to twenty digits or, if you allow enhanced PINs, four to twenty
letters, symbols, spaces, or numbers.
BitLocker Steps
1. Enable the BitLocker Drive Encryption feature. The Management tools are
optional, but usually desired.
2.
3. Decide how you want to protect the drive. For example, for the operating
system drive, you can configure additional authentication at startup in the form of a
startup key or PIN.
4. Decide where you want to store the recovery key. For example, on a USB
drive, with a backup in Active Directory.
5. Turn it on. Turn on BitLocker for the volume and encrypt the drive.
The BitLocker recovery key is only used when the primary method to unlock the
drive cannot be used. For example, a user who knows the startup key or PIN
leaves the company or forgets their password, or an encrypted drive is moved to
another computer.
BitLocker Cmdlets
Instead of using the BitLocker Drive Encryption applet, as you did in the
previous topic, you can use Windows PowerShell to manage BitLocker.
Windows PowerShell allows you to automate BitLocker operations.
Additionally, it provides support for protectors not exposed through the
applet, such as Active Directory Domain Services authentication.
You can use the Get-Member cmdlet to view the cmdlet properties that
are available.
Get-BitLockerVolume | Get-Member
Once you know what properties are available, you can use the Select-Object cmdlet to view those specific property values.
Get-BitLockerVolume | Select-Object ComputerName, ProtectionStatus, VolumeStatus, Capacity
Note: The pipe (|) symbol is used to pass information from one cmdlet to
another. This is referred to as a pipeline.
Make multiple copies of your recovery key files and properly secure them.
Create a naming convention for your files so you know which key goes with
which drive.
Practice unlocking your BitLocker drives and create a set of steps to use.
Use Group Policy to make sure that the entire organization is doing things the
same way.
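The BitLocker steps and the Get-BitLockerVolume pipeline above, combined into one script as an added example that is not part of the original document. It enables TPM+PIN on the operating system drive, adds a recovery password, backs that password up to Active Directory, and then audits every volume for the two conditions the best practices call for: protection on, and a recovery password that exists. It assumes a TPM is present, that C: is the OS drive, and that the domain is set up to store BitLocker recovery information.

```powershell
# Step 1: feature plus management tools (the cmdlets come with the tools).
Install-WindowsFeature -Name BitLocker -IncludeManagementTools

$osDrive = 'C:'
$pin = Read-Host -Prompt 'Startup PIN (4-20 digits)' -AsSecureString

# Step 3: TPM + PIN is the two-factor startup authentication described above.
# Step 5 happens here too: Enable-BitLocker starts encrypting the volume.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# Step 4: add a recovery password and back it up to Active Directory, so the
# key outlives the user who knows the PIN (assumes AD is prepared for this).
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

# Audit: every volume on the machine, flagging the ones that fail a practice.
function Get-BitLockerGaps {
    Get-BitLockerVolume | ForEach-Object {
        $recoveryCount = @($_.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
        [pscustomobject]@{
            MountPoint         = $_.MountPoint
            ProtectionStatus   = $_.ProtectionStatus   # expect 'On'
            VolumeStatus       = $_.VolumeStatus       # e.g. 'FullyEncrypted'
            HasRecoveryPasswd  = $recoveryCount -gt 0  # expect True
        }
    } | Where-Object { $_.ProtectionStatus -ne 'On' -or -not $_.HasRecoveryPasswd }
}

# Anything returned here needs attention before the drive is considered protected.
Get-BitLockerGaps | Format-Table -AutoSize
```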
BitLocker vs. EFS (comparison table)