Question

Transcribed Text

Goal
Windows Lab: To create Organizational Units, Users, and Group Policy and to apply that policy to our newly created domain, users, and hosts. Additionally, to create a fine-grained password policy for our domain and to enable LAPS to protect our hosts.

Deliverables
A Word or PDF document with screenshots showing all steps were completed and captions/explanations for each. Also, answer any questions.

Installing RSAT tools and OU, User, and Group Management
Note: This section will be done entirely from within your Windows 10 host. You will log into that VM with your domain user (lastnamefirstinitial) and password (CNS378418!). Everything else will be done using the RSAT tools from within Windows 10; you will not remote desktop to any of the servers until told to do so.

Step 1: Download and install the Remote Server Administration Tools for Windows 10 from here. Take a screenshot of the tools along with a window showing your hostname and submit. You can do this by going to Control Panel -> System and Security -> Administrative Tools and in a cmd window running ping -a localhost.

Step 2: Using Administrative Tools -> AD Users and Computers from the Administrative Tools in Windows 10, create the following organizational units:
• Create 3 OUs: Chicago, San Francisco, and London, that fall under the Computers OU in Corp.
• Create 3 OUs: Domain Admins, Admins, and Employees, that fall under the Users OU in Corp.
See my example:

Step 3: Move your Windows 10 host into the Chicago OU under Computers and move your lastnamefirstinitial user into the Domain Admins OU under Users.

Step 4: Create a new user with the username lastnameadmin and password CNS378418! in the Admins OU. So, my user would be bergadmin. Also, create a user named lastnameuser with the password CNS378418! in the Employees OU. So, mine would be called berguser. Be sure to uncheck the "require user to change password on first login" box.

Step 5: Create another OU called Security Groups under Corp.
In that OU create two global security groups called Admins and Employees. Once completed, add your lastnameadmin user to the Admins group and add your lastnameuser user to the Employees group.

Configure Group Policy
Step 1: We are creating separate group policy objects to do the following:
• Computer policies applied to the Chicago OU will be the following:
  1. Rename the local Administrator account
  2. Disable the Guest account
  3. Disable LM and NTLMv1
  4. Disable LM hash storage
  5. Disable anonymous SID enumeration
• Computer policies applied to the London OU will be the following:
  6. Enable event logs for Success and Failure
• User policies applied to the Admins OU will be the following:
  7. Enable PowerShell Module and Script Block Logging
• User policies applied to the Employees OU will be the following:
  8. Enable screen saver
  9. Set screen saver timeout to 5 min
  10. Prompt for password on resume from hibernate/suspend
  11. Block all removable devices
Do this by researching how to accomplish each task and then open Administrative Tools -> Group Policy Management on Windows 10, right-click on the correct OU, create a GPO and link it to that OU, then edit it. Take a screenshot of each policy and its settings like below.

Step 2: Use the "gpupdate /force" command on your Windows 10 host to force your host to update group policy and use the "gpresult /r" command to see if the policies have been applied. Answer these questions:
• Are all the computer policies applied to your Windows 10 host? If not, why?
• How about your servers?
• Are all the user policies applied to your Windows host? If not, why?
• How about your servers?
• How could we get any computer policies that may be missing to apply?
• How could we get any user policies that may be missing to apply?

Set up Fine-Grained Password Policy
Step 1: Create a fine-grained password policy. Make sure to take a screenshot of all policy settings like above and a shot showing them all listed in the Administrative Console.
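The OU, user and group steps above, together with the four GPOs from the Configure Group Policy section, can also be done from PowerShell with the RSAT ActiveDirectory and GroupPolicy modules. The script below is an added example, not part of the lab handout, and it assumes the handout's placeholder domain yourdomain.cns, that OU=Corp already holds the Computers and Users OUs, the surname "berg" from the handout's sample names, and WIN10-HOST as a placeholder for your Windows 10 computer name. Settings that Group Policy stores in the security template rather than the registry (Security Options and Audit Policy) cannot be set with Set-GPRegistryValue; the comments say which ones still need the GPO editor.

```powershell
# Added example, not part of the lab handout: Steps 2-5 of the OU/user/group section and the
# four GPOs from "Configure Group Policy", done with the ActiveDirectory and GroupPolicy RSAT
# modules instead of the MMC consoles. Assumptions: the domain is the handout's placeholder
# yourdomain.cns, OU=Corp already holds the Computers and Users OUs, the surname is "berg" as in
# the handout's examples, and WIN10-HOST is a placeholder for your Windows 10 computer name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$corp = 'OU=Corp,' + (Get-ADDomain).DistinguishedName      # e.g. OU=Corp,DC=yourdomain,DC=cns
$pw   = Read-Host -AsSecureString 'Initial password for the new users'

# Step 2: site OUs under Computers, role OUs under Users
foreach ($ou in 'Chicago', 'San Francisco', 'London') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=Computers,$corp"
}
foreach ($ou in 'Domain Admins', 'Admins', 'Employees') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=Users,$corp"
}

# Step 3: move the Windows 10 host and your own domain user (placeholder names)
Get-ADComputer -Identity 'WIN10-HOST' | Move-ADObject -TargetPath "OU=Chicago,OU=Computers,$corp"
Get-ADUser -Identity 'bergb' | Move-ADObject -TargetPath "OU=Domain Admins,OU=Users,$corp"

# Step 4: admin and employee accounts; -ChangePasswordAtLogon $false is the unchecked
# "must change password at next logon" box
New-ADUser -Name 'bergadmin' -SamAccountName 'bergadmin' -Path "OU=Admins,OU=Users,$corp" `
    -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $false
New-ADUser -Name 'berguser' -SamAccountName 'berguser' -Path "OU=Employees,OU=Users,$corp" `
    -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $false

# Step 5: Security Groups OU, two global security groups, memberships
New-ADOrganizationalUnit -Name 'Security Groups' -Path $corp
foreach ($g in 'Admins', 'Employees') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=Security Groups,$corp"
}
Add-ADGroupMember -Identity 'Admins'    -Members 'bergadmin'
Add-ADGroupMember -Identity 'Employees' -Members 'berguser'

# Configure Group Policy, Step 1: one GPO per OU, linked at creation (helper is this example's own)
function New-LinkedGpo([string]$Name, [string]$TargetOU) {
    New-GPO -Name $Name | New-GPLink -Target $TargetOU | Out-Null
    return $Name
}

# Chicago computers: items 3-5 are registry-backed. Items 1-2 (rename Administrator, disable
# Guest) and "Allow anonymous SID/Name translation" live under Security Settings > Local
# Policies > Security Options and must be set in the GPO editor.
$gpo = New-LinkedGpo 'Chicago-Computer-Hardening' "OU=Chicago,OU=Computers,$corp"
$lsa = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
Set-GPRegistryValue -Name $gpo -Key $lsa -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5  # send NTLMv2 only, refuse LM and NTLM
Set-GPRegistryValue -Name $gpo -Key $lsa -ValueName 'NoLMHash'             -Type DWord -Value 1  # do not store LM hashes
Set-GPRegistryValue -Name $gpo -Key $lsa -ValueName 'RestrictAnonymousSAM' -Type DWord -Value 1  # no anonymous SAM account enumeration
Set-GPRegistryValue -Name $gpo -Key $lsa -ValueName 'RestrictAnonymous'    -Type DWord -Value 1  # no anonymous SAM account and share enumeration

# London computers: item 6 is an audit policy (Security Settings > Local Policies > Audit Policy),
# also not registry-backed; create and link the GPO here, set Success and Failure in the editor.
$null = New-LinkedGpo 'London-Computer-Auditing' "OU=London,OU=Computers,$corp"

# Admins users: item 7, PowerShell module and script block logging (user-scope policy keys)
$gpo = New-LinkedGpo 'Admins-User-PSLogging' "OU=Admins,OU=Users,$corp"
$ps  = 'HKCU\Software\Policies\Microsoft\Windows\PowerShell'
Set-GPRegistryValue -Name $gpo -Key "$ps\ScriptBlockLogging" -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key "$ps\ModuleLogging"      -ValueName 'EnableModuleLogging'      -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo -Key "$ps\ModuleLogging\ModuleNames" -ValueName '*' -Type String -Value '*'   # log every module

# Employees users: items 8-11. Item 10 is covered by the screen saver's password protection;
# the Power Management "require a password when the computer wakes" policy is computer-scope.
$gpo  = New-LinkedGpo 'Employees-User-Desktop' "OU=Employees,OU=Users,$corp"
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpo -Key $desk -ValueName 'ScreenSaveActive'    -Type String -Value '1'    # enable screen saver
Set-GPRegistryValue -Name $gpo -Key $desk -ValueName 'ScreenSaveTimeOut'   -Type String -Value '300'  # 5 minutes, in seconds
Set-GPRegistryValue -Name $gpo -Key $desk -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'    # password on resume
Set-GPRegistryValue -Name $gpo -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1                                                        # all removable storage classes: deny all
```

After running it, "gpupdate /force" followed by "gpresult /r" on the Windows 10 host shows which of these GPOs applied; a GPO linked to a user OU only shows up under the user section for accounts that live in that OU, which is the point of Step 2's questions.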
1. To enable Fine-Grained Password Policies (FGPP), you need to open the Active Directory Administrative Center (ADAC) in Windows 10, switch to the Tree View and navigate to yourdomain.cns, System, Password Settings Container.
2. Right-click the Password Settings Container object and select "New", "Password Settings".
3. Create a "DomainAdminPWPolicy" with a precedence of 1, 32-character minimum, 24 password history, enforce complexity, enforce minimum age of 1, enforce max age of 90 days, enforce lockout policy of 10 failed attempts, 15 min reset, and 15 min lockout, and apply it to the Domain Admins group.
4. Create an "AdminPWPolicy" with a precedence of 2, 26-character minimum, 24 password history, enforce complexity, enforce minimum age of 1, enforce max age of 90 days, enforce lockout policy of 10 failed attempts, 15 min reset, and 15 min lockout, and apply it to the Admins group you created.
5. Create an "EmployeePWPolicy", apply the new NIST password guidelines, and apply it to the Employees group you created.
Make sure to take a screenshot of all policy settings like above and a shot showing them all listed in the Administrative Console.

Configure and Deploy LAPS
What is LAPS?
A lot of organizations will use the same local administrator password across every host, which is a bad idea for a number of reasons. At a basic level, if this password is discovered, it allows anyone to install software as an administrator; at a higher level it facilitates things such as pass-the-hash, using mimikatz, and general reconnaissance against your hosts (usually with the goal of elevating to Domain Admin). In the past you could deploy your Local Administrator account via Group Policy Preferences; this makes things even easier for an attacker to obtain the shared local administrator password. So, what can be done? LAPS: Local Administrator Password Solution! This is Microsoft's solution to managing Local Administrator account passwords across an organization.
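The three password settings objects from the fine-grained password policy steps above can also be created with the ActiveDirectory module instead of ADAC, which makes the precedence rule easy to check. This is an added example, not part of the lab handout. It assumes the Admins and Employees groups from Step 5 exist, uses the handout's sample user bergadmin, and, because the handout only says "apply the new NIST password guidelines" for the employee policy, the employee values are this example's own reading of NIST SP 800-63B and are labelled as such.

```powershell
# Added example, not part of the lab handout: the three password settings objects from the
# FGPP steps, created with the ActiveDirectory module instead of ADAC. Assumptions: the Admins
# and Employees groups from Step 5 exist, and "bergadmin" is the handout's sample admin user.
Import-Module ActiveDirectory

# Settings shared by the two admin policies (handout values)
$adminCommon = @{
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 10
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)   # "15 min reset"
    LockoutDuration             = (New-TimeSpan -Minutes 15)
    ReversibleEncryptionEnabled = $false
}

New-ADFineGrainedPasswordPolicy -Name 'DomainAdminPWPolicy' -Precedence 1 -MinPasswordLength 32 @adminCommon
Add-ADFineGrainedPasswordPolicySubject -Identity 'DomainAdminPWPolicy' -Subjects 'Domain Admins'

New-ADFineGrainedPasswordPolicy -Name 'AdminPWPolicy' -Precedence 2 -MinPasswordLength 26 @adminCommon
Add-ADFineGrainedPasswordPolicySubject -Identity 'AdminPWPolicy' -Subjects 'Admins'

# Employee policy: the handout only says "apply the new NIST password guidelines". The values
# below are this example's reading of NIST SP 800-63B (length instead of composition rules, no
# scheduled expiry, lockout kept); confirm them against what your instructor expects.
# A MaxPasswordAge of 0 is assumed here to mean "never expires"; verify the result in ADAC.
New-ADFineGrainedPasswordPolicy -Name 'EmployeePWPolicy' -Precedence 3 `
    -MinPasswordLength 8 -ComplexityEnabled $false -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 0) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'EmployeePWPolicy' -Subjects 'Employees'

# Precedence check: the policy with the lowest precedence number wins for a user who is in
# several groups, so a user in both Domain Admins and Admins gets DomainAdminPWPolicy.
Get-ADUserResultantPasswordPolicy -Identity 'bergadmin' | Select-Object Name, Precedence, MinPasswordLength

# What the "listed in the Administrative Console" screenshot should show
Get-ADFineGrainedPasswordPolicy -Filter * |
    Format-Table Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy is the quickest way to answer "which policy actually applies to this account" when a user is a member of more than one group with a PSO attached.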
LAPS solution features include:
• Sets a unique randomly generated password for each host
• Allows automatically changing the Local Administrator password every X days
• Stores Local Administrator passwords as an attribute of the Computer object in Active Directory
• Password is protected in AD by an AD ACL, so a granular security model can be easily implemented
• Password is protected during transport via Kerberos encryption

Deployment Steps
1. Install LAPS on the Windows 10 host
2. Extend the schema and prepare Active Directory
3. Configure Group Policy to enable and set the relevant policies

Step 1: Deploy LAPS on Windows 10
First we are going to install the management portion of LAPS. Download LAPS here and next, next through the installation. On the custom setting page choose all of the management tools. The AdmPwd GPO Extension is required if the machine you're installing the management portion on will also be managed by LAPS, and this will be the case for us.

Step 2: Extend the Active Directory Schema
Extend the schema of the Active Directory domain by running the following commands from PowerShell:
• Import-Module AdmPwd.PS
• Update-AdmPwdADSchema
This should fail. Why?
• Are you logged in with your Domain Admin user?
• Are Domain Admins allowed to change or update the schema of a domain?

Step 3: Proper user permissions and Extending the Schema
• Open Active Directory Users and Computers from Administrative Tools on Windows 10 and add your lastnamefirstinitial user to the Schema Admins group of your domain. After doing so, log off of Windows 10 and log back in as that user.
• Now run the commands from above.
• It should now succeed and look like below.
• You can use ADSI Edit from admin tools to view the schema modifications. I know... I said 4 attributes in class but there are actually two that are added.
Step 4: Setting Permissions
• In the same PowerShell session (if you use a new session, remember to import the module using the Import-Module AdmPwd.PS command), check the extended rights for users and groups in your Active Directory domain (users and groups with extended rights have the ability to read the LAPS password and other confidential attributes).
  o Find-AdmPwdExtendedRights -Identity computers | Format-Table
  o We are using the Computers OU in our lab since this is the OU that will be used for all LAPS-configured computers.
  o In a default domain setup, Domain Admins are the only group with extended rights. Domain Admins should always have extended rights unless there is a specific reason otherwise.
  o If a user does not have the rights to view the ms-Mcs-AdmPwd attribute, the attribute will appear in ADSI as <not set>.
• Now let's create a new group to manage our LAPS computers.
  o In Active Directory Users and Computers from the Administrative Tools, select the Security Groups OU under Corp and create a new security group named LAPSAdmins.
  o Add your lastnamefirstinitial user to the LAPSAdmins group and, while you're at it, remove that user from the Schema Admins group.
  o Now let's set user access rights, which is an extended right on ms-Mcs-AdmPwd, for all users that will be able to read the stored LAPS account password on computers in the OU:
    ✦ Set-AdmPwdReadPasswordPermission -OrgUnit computers -AllowedPrincipals LAPSAdmins
    ✦ If there were additional OUs (not sub-OUs) that will contain LAPS-configured computers, then you would repeat the step above for each one.
• Set additional user access rights for ms-Mcs-AdmPwdExpirationTime for all users that will be able to write the stored LAPS account password on computers in the OU. This right allows users to force password resets for the LAPS account on managed computers, if allowed by Group Policy.
  o Set-AdmPwdResetPasswordPermission -OrgUnit computers -AllowedPrincipals LAPSAdmins
• Set the SELF built-in account on all machines to Write-level access to the LAPS password and expiration (again, using the OU of the computers that will be LAPS-configured).
  o Set-AdmPwdComputerSelfPermission -OrgUnit computers
  o If there were additional OUs (not sub-OUs) that will contain LAPS-configured computers, then you would repeat the step above for each one.
  o Individual computers control both the password and the expiration date/time of the LAPS account password. Passwords are unique to each computer and the expiration time is set per computer based on the domain's Group Policy.

Step 5: Group Policy
• On Server1, download LAPS here and next, next through the installation. On the custom setting page, install the GPO Editor templates. This will install the ADMX and ADML files for LAPS. No other features are required. The MSI installs those files in the %systemroot%\PolicyDefinitions directory (ADML files are placed in your language directory).
• Now that the templates have been installed, open GPMC, create a new Group Policy Object called Deploy_LAPS and link it to the Computers OU under Corp.
• Now edit that object. Navigate to Computer Configuration > Administrative Templates > LAPS.
  o Define the Password Settings for the LAPS computers.
  o Enable LAPS. This turns on local admin password management.
• You can leave the other two policies not configured, but here is some info about them:
  o Configure the name of administrator account to be managed
    ✦ In our case this account is the default Administrator account, but best practice is to disable the default admin account and create a new local admin account, name it something else, and manage it with LAPS.
    ✦ Please explain why one would do that.
  o Do not allow password expiration time longer than required by policy
    ✦ If this is enabled, group policy will not allow our LAPSAdmins group to change the password expiration on a machine to longer than allowed by the policy.
• Close out Group Policy Editor and GPMC.
• On Windows 10, run a gpupdate /force and a gpresult /r as admin and make sure the new policy you created is applied. If the policy is applied, run the LAPS UI tool on Windows 10.
• Enter your Windows 10 hostname in the LAPS UI tool and if all of your permissions are correct you should be able to query the new password for the Administrator user on Windows 10.
• The End
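The LAPS deployment from Steps 2 through 5, run end to end from one elevated PowerShell session on the Windows 10 management host, with a precondition check for the schema update and a verification that replaces the LAPS UI query. This is an added example, not the handout's or Microsoft's code. It assumes the Computers OU under Corp holds the managed hosts, the LAPSAdmins group from Step 4 exists in the Security Groups OU, WIN10-HOST is a placeholder for your Windows 10 computer name, and the legacy LAPS (AdmPwd) ADMX templates are installed, so the registry values written to the Deploy_LAPS GPO are the ones behind the "LAPS" administrative template. The password length, age and complexity values are this example's own choices, since the handout leaves "Password Settings" to you.

```powershell
# Added example, not from the handout: LAPS Steps 2-5 plus verification, using the AdmPwd.PS,
# ActiveDirectory and GroupPolicy modules from an elevated PowerShell on the Windows 10 host.
# Assumptions: OU=Computers under Corp holds the managed hosts, the LAPSAdmins group exists,
# WIN10-HOST is a placeholder computer name, and the legacy LAPS ADMX templates are installed.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory
Import-Module GroupPolicy

$corp        = 'OU=Corp,' + (Get-ADDomain).DistinguishedName
$computersOU = "OU=Computers,$corp"

# Steps 2/3 precondition: Update-AdmPwdADSchema needs Schema Admins, not Domain Admins.
$me = Get-ADUser -Identity $env:USERNAME
if (-not (Get-ADGroupMember -Identity 'Schema Admins' | Where-Object SID -eq $me.SID)) {
    throw "Add $($me.SamAccountName) to Schema Admins and log on again before running Update-AdmPwdADSchema"
}
# Extend the schema only if the attribute is not there yet, so the script can be re-run safely.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -Filter "name -eq 'ms-Mcs-AdmPwd'" -SearchBase $schemaNC)) {
    Update-AdmPwdADSchema
}

# Step 4: who can already read the password (Domain Admins only, in a default domain), then
# grant read and reset to LAPSAdmins and let each computer (SELF) write its own password.
Find-AdmPwdExtendedRights -Identity $computersOU | Format-Table
Set-AdmPwdReadPasswordPermission  -OrgUnit $computersOU -AllowedPrincipals 'LAPSAdmins'
Set-AdmPwdResetPasswordPermission -OrgUnit $computersOU -AllowedPrincipals 'LAPSAdmins'
Set-AdmPwdComputerSelfPermission  -OrgUnit $computersOU

# Step 5: Deploy_LAPS GPO linked to the Computers OU. The registry key is the one the
# "LAPS" administrative template writes; the numeric values are this example's choices.
$gpo = 'Deploy_LAPS'
$key = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
New-GPO -Name $gpo | New-GPLink -Target $computersOU | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1   # Enable local admin password management
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'PasswordComplexity' -Type DWord -Value 4   # large + small letters + numbers + specials
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'PasswordLength'     -Type DWord -Value 14
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
# The handout leaves the next policy unconfigured; enabling it stops LAPSAdmins from pushing a
# machine's expiration past the 30 days above.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1

# Verification, after "gpupdate /force" on the client: what the LAPS UI tool would show,
# and the raw attributes as ADSI Edit shows them (a reader without the extended right
# sees ms-Mcs-AdmPwd as <not set>).
$client = 'WIN10-HOST'
Get-AdmPwdPassword -ComputerName $client |
    Format-List ComputerName, DistinguishedName, Password, ExpirationTimestamp
Get-ADComputer -Identity $client -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name, 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
```

Running the verification twice, once as a LAPSAdmins member and once as an account that is not, is a quick way to confirm that the read permission from Step 4 is the only thing standing between a domain user and every managed host's local administrator password.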
