Chapter 14

System Hardening and Baselines

Lab Exercises

14.01   Active Directory Domain Services and Domain Connectivity

14.02   Organizational Units and Groups

14.03   Users and Other Active Directory Objects

14.04   Permissions and Shares

14.05   Group Policy Objects

Lab Analysis

Key Term Quiz

The National Institute of Standards and Technology (NIST) defines hardening at https://csrc.nist.gov/glossary/term/Hardening as follows:

A process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services.

System hardening eliminates needless functionality and involves the deployment of configurations and settings that are secure. This reduces the risk of the exploitation of vulnerabilities and also allows an infrastructure to be compliant with regulations.

From a system-hardening perspective, this is similar to the principle of least privilege, which NIST defines at https://csrc.nist.gov/glossary/term/Principle_of_Least_Privilege as follows:

The principle that users and programs should only have the necessary privileges to complete their tasks.

Finally, NIST defines baseline at https://csrc.nist.gov/glossary/term/baseline as follows:

The set of controls that are applicable to information or an information system to meet legal, regulatory, or policy requirements, as well as address protection needs for the purpose of managing risk.

Taking all of these ideas into account, one of the first things that comes to mind is Microsoft Active Directory (AD), which is a directory service. A directory service provides a repository for resources that can be searched for and accessed by clients. It also provides management capabilities for systems administrators, to control access to and grant authorization for these resources. AD contains information about each and every network resource, each of which is considered an object in the directory. Objects have names, and each class (type) of objects has a schema consisting of attribute (property) names and values that describe it. The different types of objects, with different attribute name/value pairs, include user accounts, group accounts, computers, shared folders, printers, group policies, and much more. A logical grouping of network resources, in the form of objects that share the same AD database and have similar management and security needs, is called a domain. The domain container represents the root of a domain’s hierarchy. A machine storing the AD database is known as a domain controller (DC).

The namespace of AD comes in two forms: contiguous and disjointed. A tree is one or more domains that share a contiguous namespace. For example, the rit.edu (Rochester Institute of Technology) parent domain could contain child domains named csec.rit.edu (for the Department of Computing Security), ischool.rit.edu (for the School of Information), cs.rit.edu (for the Department of Computer Science), se.rit.edu (for the Department of Software Engineering), igm.rit.edu (for the School of Interactive Games and Media), phd.rit.edu (for the Department of Computing and Information Sciences Ph.D.), and other child domains. Resources for the entire enterprise could be housed and controlled in the rit.edu parent domain, while resources specific to each of the departments could be housed and controlled individually in each child domain. Thus, the security and administration can be tightly controlled by various systems administrators, delegated at multiple levels of the hierarchy, for specific parts of the tree. For example, the Department of Computing Security wouldn’t want the parent domain’s systems administrators to be in control of the department’s resources, nor would the parent domain’s systems administrators be able to administer and secure the plethora of resources from all child domains in the tree. The parent and child domains have a two-way trust relationship. This means that users can authenticate in their domain and then be granted access to resources in the other domains. A child domain can even be a parent to another child domain.

A forest is one or more trees that use disjoint namespaces. Let’s say a major company buys out two smaller companies. The parent company might want its subsidiaries to keep their brand names and AD naming conventions. The forest will contain each tree, including the major company’s parent domain and its child domains, the first subsidiary’s parent domain and its child domains, and the second subsidiary’s parent domain and its child domains. These three trees will be placed in a logical container known as a forest, which is the highest level in the hierarchy (just above domain), as it can contain multiple domains, which can consist of trees. Each domain (parent or child) in a forest has a two-way transitive trust relationship. That means users in one of the subsidiaries, in one part of the country, can get access to resources of the major company in another part of the country, after authenticating to their domain, and vice versa.

The global catalog contains information about all objects in a forest, allowing the entire forest to be searched and objects, regardless of location, to be accessed. It holds an entry for every object in the forest, but for objects that belong to domains other than its own it stores only partial information: the commonly used attributes needed for searching. This partial information is all that’s needed to contact a DC from that object’s domain to get more information. The first DC configured in a forest automatically stores the global catalog. A system containing the global catalog is known as a global catalog server.

If a forest only contains one domain, all DCs should be configured as global catalog servers. There are no additional requirements needed for disk space, CPU utilization, or traffic for replication (for synchronization purposes) between the DCs. Each DC can respond to all authentication and service requests. You wouldn’t want some DCs to not perform these functions.

If a forest has multiple domains, it makes sense to strategically designate certain DCs as global catalog servers, based on location, to simplify sign-in requests from users and for searches of the forest. Reasons for placing a global catalog server at a location include if there’s an application that requires a global catalog server to be running at the location, if there are more than 100 users at the location, if a wide area network (WAN) link is not 100 percent available, if roaming users have long sign-in times over a WAN link, and if many roaming users can be found at that location.

In a medium- or large-sized organization, creating multiple domains makes sense, especially if departments span large geographical distances (countries, for example). It wouldn’t be ideal to have DCs replicate over slow WAN links, which could be expensive timewise, delaying other important daily business communications. It also wouldn’t be ideal for different objects to be managed and secured the same way.

If there is a need to connect multiple physical locations from the same domain together, it can be done in AD with a site container. A site is a logical networking (TCP/IP-based) container that groups objects in Active Directory by subnet. The only objects in a site are servers and configuration objects. A big reason for using a site container is to make DC replication easier. A bridgehead server is a representative DC that does the replication exchange from a site. Each site has exactly one bridgehead server. This way, the DCs in the site can replicate among themselves, but only one of them needs to replicate with a bridgehead server from another site. It’s also beneficial to enable clients to access the physically closest DC for sign-in and querying. With sites, a mobile user working at another location can authenticate to and query a DC with the most efficient physical path, instead of using a WAN link to communicate with the DCs at their normal home site.

60 MINUTES

Lab Exercise 14.01: Active Directory Domain Services and Domain Connectivity

Right now, your Windows Server 2019 system is just a virtual machine (VM) running an operating system (OS) that is specialized to respond to requests from clients for authentication, resources, files, and more. Most people call machines (physical or virtual) “servers,” but in reality, a server is actually a software program. Specifically, a server is a service that runs in the background as a process, independent of a sign-in, to provide a service or resource upon request, as long as the authentication and authorization check out. A server operating system is also known as a network operating system (NOS). Microsoft’s Windows Server brand of server operating systems groups services into roles and features. You can install the Domain Name System (DNS) role and/or the Dynamic Host Configuration Protocol (DHCP) role on a Windows Server 2019 system, which would turn the machine into a member server. A member server is a machine running a server operating system, connected to a domain, that has at least one role (server service) installed. If the machine isn’t connected to a domain, it would simply be known as a stand-alone server.

Cross-Reference

Services were discussed in Chapter 2.

When the Active Directory Domain Services (AD DS) role is installed on a server operating system connected to a domain, that machine is now known as a domain controller (or DC for short), performing authentication and authorization for clients domain-wide. Even if the machine has other roles besides AD DS installed, it’s just called a DC. Each DC is on the same level as the other DCs, containing the entire range of objects. This allows for easy and efficient replication (for consistency purposes) between the DCs.

If there is no existing DNS server when the AD DS role is installed, the DNS role must be installed at the same time; you will be prompted to install DNS during the AD DS installation. The reason DNS must be in place for a domain to exist is simple. When clients sign in to a domain, they sign in by the domain’s name, so DNS needs to be in place to resolve a query of the form “Who is the domain controller for the weissman.edu domain?” so the clients can send their requests to that specific machine. The initial query is for a DNS SRV (service) resource record that identifies, by its fully qualified domain name (FQDN), a machine running the Lightweight Directory Access Protocol (LDAP). Then, that machine’s DNS A (IPv4 host address) or AAAA (IPv6 host address) resource record resolves the server’s FQDN to its corresponding IP address. Other SRV records are used to find global catalog servers, servers that can perform Kerberos authentication and password changes, and more. DNS is also needed on a domain for other reasons, like resolving computer object hostnames or FQDNs into their corresponding IPv4 addresses (through A resource records) or IPv6 addresses (through AAAA resource records).
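As an added example (not part of the lab manual), the following PowerShell walks the same SRV-then-A lookup sequence against the domain’s DNS server, so you can confirm after promotion that the locator records clients depend on actually exist. It assumes the lab’s domain name weissman.edu and a DC (running the DNS service) at 192.168.1.19; substitute your own values.

```powershell
# Added example: verify the DNS records a client uses to find a domain controller.
# Assumptions: domain weissman.edu, DC (and its DNS service) at 192.168.1.19.
$Domain = 'weissman.edu'
$DcDns  = '192.168.1.19'

# SRV records the DC locator queries; each points at the FQDN and port of a DC offering that service
$Services = [ordered]@{
    'LDAP (domain controller)' = "_ldap._tcp.dc._msdcs.$Domain"
    'Global catalog'           = "_gc._tcp.$Domain"
    'Kerberos authentication'  = "_kerberos._tcp.$Domain"
    'Kerberos password change' = "_kpasswd._tcp.$Domain"
}

foreach ($entry in $Services.GetEnumerator()) {
    # Step 1 of the locator: SRV record -> FQDN of a DC (Resolve-DnsName may also return glue A records, so filter)
    $srv = Resolve-DnsName -Name $entry.Value -Type SRV -Server $DcDns -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        Write-Warning "$($entry.Key): no SRV record at $($entry.Value); clients cannot locate this service"
        continue
    }
    foreach ($record in $srv) {
        # Step 2 of the locator: A (or AAAA) record -> IP address of that DC
        $addresses = Resolve-DnsName -Name $record.NameTarget -Type A -Server $DcDns -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        '{0,-26} {1}:{2} -> {3}' -f $entry.Key, $record.NameTarget, $record.Port, ($addresses -join ', ')
    }
}

# The built-in locator performs the whole sequence in one go; handy when a domain join fails with a DNS error
nltest /dsgetdc:$Domain
```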

Note

The IPv6 resource record type of AAAA was chosen because 128-bit IPv6 addresses are four times the length of 32-bit IPv4 addresses.

Learning Objectives

In this lab exercise, you’ll get started on your journey of hardening a domain. At the end of this lab exercise, you’ll be able to

•   Install AD DS

•   Connect a client system to the domain

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Windows Server 2019 VM you installed in Chapter 1

•   The Windows 10 VM you installed in Chapter 1

Let’s Do This!

When you installed the Windows Server 2019 VM and the Windows 10 VM in Chapter 1, you configured the network adapter to be in bridged mode, which puts those VMs on the same network as your host machine. Power on each VM, each in its own separate instance of VMware Workstation Player. Sign in with the credentials you used in Chapter 1. Initially, you will sign in to the Windows Server 2019 VM as Administrator, but that will change later. On the Windows Server 2019 VM, Server Manager will open by default, along with a popup. Click the X in the upper-right corner to close each.

On each VM, click the Start button or in the search box, type cmd, and then click Command Prompt. Next type ipconfig and press ENTER. You should see that the VMs are on the same network as your host machine, based on the IP addresses given by your network’s DHCP server.

On each VM, click the Start button or in the search box, type firewall, and then select Firewall & Network Protection. Select Advanced Settings towards the bottom of the screen and then click the Yes button. In the left pane, click Inbound Rules. Next, right-click Inbound Rules and select New Rule…. Click the Custom radio button in the Rule Type screen and click the Next button. Click the Next button in the Program screen. In the Protocol Type: dropdown in the Protocol and Ports screen, select ICMPv4 and click the Next button. Click the Next button in the Scope screen. Click the Next button in the Action screen. Click the Next button in the Profile screen. In the Name: box, type Ping Allowed and click the Finish button.

Ping each VM from the other by typing ping, followed by the IP address of the other VM, in a command prompt and pressing ENTER on each VM. You should see four replies in each command prompt from the other VM that was pinged.

Servers should always have static IP addresses. You don’t want the server’s IP address to potentially change, as is the case with DHCP. Even though DHCP allows reservations, where the same Media Access Control (MAC) address always gets the same IP address, you don’t want your server to depend on another server. If, for whatever reason, your DHCP servers are down or unreachable, when another server’s lease expires or if it reboots, it will not be able to get an IP address and will be unreachable itself. Furthermore, you can’t install the AD DS role on a system that doesn’t have a statically configured IP address.

Note

You are about to statically configure the Windows Server 2019 VM and the Windows 10 VM. If the IP addresses you choose are in use, there will be problems. Make sure to use fourth octet values that are not currently in use on your network. You’ll notice a problem if the output of ipconfig shows an Automatic Private IP Addressing (APIPA) address that starts with 169.254.x.x, which is essentially an unusable address on a domain.

On the Windows Server 2019 VM, click the Start button or in the search box, type sharing, select Manage Advanced Sharing Settings, click Network And Sharing Center in the address bar at the top of the screen, click Change Adapter Settings in the left pane, right-click the Ethernet0 interface, select Properties, and double-click Internet Protocol Version 4 (TCP/IPv4). Select the Use The Following IP Address: radio button and put in either the IP address it currently has or another one on the same subnet in the IP Address: bar. Since my network ID is 192.168.1.0/24 (a subnet mask of 255.255.255.0 is simply /24 in Classless Inter-Domain Routing [CIDR] notation), I configured my Windows Server 2019 VM with an IP address of 192.168.1.19 (19 in the fourth octet was chosen on purpose, to match the 19 in Windows Server 2019). Put in the subnet mask of your network in the Subnet Mask: bar. In most cases, it will be 255.255.255.0, which can be confirmed with ipconfig in a command prompt on the VM or the host machine. Put in the IP address of the default gateway of your network in the Default Gateway: bar. In most cases, it will be 192.168.1.1, which can be confirmed with ipconfig on the VM or your host machine. In the Use the Following DNS Server Addresses: section, put 127.0.0.1 (the loopback address) in the Preferred DNS Server: bar, which means this machine will be its own primary DNS server (for the domain-related activities). Put 8.8.8.8 in the Alternate DNS Server: bar, to allow a Google Public DNS server to resolve queries for this machine if this machine’s DNS service isn’t running. Click the OK button in the Internet Protocol Version 4 (TCP/IPv4) Properties box. Click the OK button in the Ethernet0 Properties box. It’s a good idea to always “down” and “up” an interface after changes like these, to make sure the changes take effect. First, right-click the Ethernet0 interface and select Disable. Then, right-click the Ethernet0 interface and select Enable.

Although it’s fine to leave the IP address of the Windows 10 machine dynamic, assigned to it from your DHCP server, let’s statically configure the Windows 10 VM with an IP address for consistency and troubleshooting purposes. On the Windows 10 VM, click the Start button or in the search box, type sharing, select Manage Advanced Sharing Settings, click Network and Sharing Center in the address bar at the top, click Change Adapter Settings in the left pane, right-click the Ethernet0 interface, select Properties, and double-click Internet Protocol Version 4 (TCP/IPv4). Select the Use the Following IP Address: radio button and then put in either the currently used IP address or another one on the same subnet in the IP Address: bar. Since my network ID is 192.168.1.0/24 (a subnet mask of 255.255.255.0 is simply /24 in CIDR notation), I configured my Windows 10 VM with an IP address of 192.168.1.10 (10 in the fourth octet was chosen on purpose, to match the 10 in Windows 10). Put in the subnet mask of your network in the Subnet Mask: bar. In most cases, it will be 255.255.255.0, which can be confirmed with ipconfig on the VM or the host machine. Put in the IP address of the default gateway of your network in the Default Gateway: bar. In most cases, it will be 192.168.1.1, which can be confirmed with ipconfig on the VM or your host machine.

Note

If you deviate from or skip this next set of instructions, your Windows 10 VM will not be able to join the domain, so make sure to follow the directions closely.

In the Windows 10 VM adapter settings, in the Preferred DNS Server: bar, enter the IP address of your Windows Server 2019 VM (which you just configured) and set the value for Alternate DNS Server: to 8.8.8.8. Now the Windows Server 2019 VM will be the Windows 10 VM’s DNS server and, eventually, its domain controller.
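The same static addressing for both VMs, as an added example done from an elevated PowerShell prompt rather than the adapter properties dialogs (this is not code from the lab manual). It assumes the adapter is named Ethernet0 and uses the lab’s network values (192.168.1.0/24, gateway 192.168.1.1); adjust them to your own network.

```powershell
# Added example: static IPv4 addressing for the lab VMs from PowerShell instead of the GUI.
# Assumptions: adapter Ethernet0, network 192.168.1.0/24, default gateway 192.168.1.1.
function Set-LabStaticIP {
    param(
        [Parameter(Mandatory)] [string]   $IPAddress,
        [Parameter(Mandatory)] [string[]] $DnsServers,     # preferred first, then alternate
        [string] $InterfaceAlias = 'Ethernet0',
        [int]    $PrefixLength   = 24,                     # 255.255.255.0 in CIDR notation
        [string] $Gateway        = '192.168.1.1'
    )
    # The note above warns against choosing an address already in use. Keeping the VM's current
    # DHCP-assigned address is allowed, so only probe the network when the address is not already ours.
    $alreadyOurs = Get-NetIPAddress -IPAddress $IPAddress -ErrorAction SilentlyContinue
    if (-not $alreadyOurs -and (Test-Connection -ComputerName $IPAddress -Count 1 -Quiet)) {
        throw "$IPAddress already answers a ping; choose a fourth-octet value not in use on your network"
    }

    # Leave DHCP and clear the dynamic address and default route it handed out; otherwise
    # New-NetIPAddress -DefaultGateway fails because a default gateway already exists on the interface.
    Set-NetIPInterface  -InterfaceAlias $InterfaceAlias -Dhcp Disabled
    Remove-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute     -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue

    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
                     -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

    # "Down" and "up" the interface so the change takes effect, as the lab recommends,
    # then show the result (the equivalent of running ipconfig).
    Restart-NetAdapter -Name $InterfaceAlias
    Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
}

# Windows Server 2019 VM: its own preferred DNS server (loopback), Google Public DNS as alternate
# Set-LabStaticIP -IPAddress '192.168.1.19' -DnsServers '127.0.0.1', '8.8.8.8'

# Windows 10 VM: the server VM must be the preferred DNS server, or the domain join will fail
# Set-LabStaticIP -IPAddress '192.168.1.10' -DnsServers '192.168.1.19', '8.8.8.8'
```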

Step 1 The default hostname for the Windows Server 2019 VM is not a great hostname. Rename the Windows Server 2019 VM.

a.   Click the Start button or in the search box, type This PC, right-click This PC, and select Properties.

b.   In the Computer Name, Domain, and Workgroup Settings section, click Change Settings.

c.   In the System Properties window, click the Change… button.

d.   In the Computer Name/Domain Changes window, in the Computer Name: box, enter something more meaningful than the default name of this computer (I called mine WEISSMAN-SERVER) and then click the OK button.

e.   In the Computer Name/Domain Changes popup, click the OK button.

f.   In the System Properties window, click the Close button.

g.   In the Microsoft Windows popup, click the Restart Now button to restart the VM.

Step 2 Configure a password for the Administrator account. The system will not be able to install the AD DS role if the Administrator account doesn’t have a complex password.

a.   Click the Start button or in the search box, type Computer Management, and then click Computer Management.

b.   In the Computer Management window, in the left pane, click Local Users and Groups.

c.   In the middle pane, double-click the Users folder.

d.   Right-click the Administrator account and select Set Password….

e.   Click the Proceed button.

f.   In the New Password: and Confirm Password: textboxes, enter a password of at least eight characters, using at least three characters from the following groups: uppercase letters, lowercase letters, numbers, and symbols. Click the OK button. Recall the discussion in Chapter 11 about NIST’s 2017 password guidelines, which included dropping the requirement of multiple character sets.

g.   Close the Computer Management window.


Step 3 Install the AD DS role.

a.   Click the Start button and then click the Server Manager tile. In the Server Manager popup, put a check in the box next to Don’t Show This Message Again and then click the X at the top right of the popup.

b.   Click the Manage hyperlink at the top of the screen and then click Add Roles and Features.

c.   At the Before You Begin screen, click the Next button.

d.   At the Installation Type screen, with Role-based or Feature-based Installation selected, click the Next button.

e.   At the Server Selection screen, with Select a Server from the Server Pool selected and the VM highlighted below, click the Next button.

f.   At the Server Roles screen, put a check in the box next to Active Directory Domain Services. After you put a check in the box, a popup will ask, “Add features that are required for Active Directory Domain Services?” With the check in the Include Management Tools (If Applicable) box, click the Add Features button. Then click the Next button.

g.   At the Features screen, leave the default selections and click the Next button.

h.   At the AD DS screen, read the information and click the Next button.

i.   At the Confirmation screen, put a check in the box next to Restart the Destination Server Automatically If Required. In the popup, click the Yes button and then click the Install button. You’ll notice a progress bar showing the progression of the installation.

j.   When the installation completes, you’ll see the message “Configuration required. Installation succeeded on,” followed by the name of your computer. Click the Close button.


Step 4 Promote the machine to a domain controller.

a.   Click the yellow triangle with the black exclamation mark in it, under the flag next to Manage. In the Post-deployment Configuration section, click Promote This Server to a Domain Controller.

b.   At the Deployment Configuration screen, select the radio button for Add a New Forest, enter a domain name into the Root Domain Name box (I chose weissman.edu), and click the Next button.

c.   At the Domain Controller Options screen, notice that the Domain Name System (DNS) server checkbox is checked as well as the Global Catalog (GC) checkbox (which can’t be unchecked). Enter a password in the Password: and Confirm Password: textboxes and then click the Next button, leaving the Forest Functional Level: and Domain Functional Level: values at their defaults.

d.   At the DNS Options screen, you’ll see a message stating “A delegation for the DNS server cannot be created because the authoritative parent zone cannot be found….” Click Show More and read the last words of the paragraph, “Otherwise, no action is required” (which applies here), and click the OK button. Click the Next button.

e.   At the Additional Options screen, let a default name populate into the textbox and click the Next button.

f.   At the Paths screen, leave the default selections and click the Next button.

g.   At the Review Options screen, review your selections and click the Next button.

h.   At the Prerequisites screen, you should see the message All Prerequisite Checks Passed Successfully. There will be some warnings. Read them, but don’t worry about them. Click the Install button. You’ll notice various progress messages.

i.   At the You’re About to Be Signed Out box, click Close. You’ll see the blue Applying Computer Settings screen with dots going around in a circle for a while.

j.   Press CTRL-ALT-INSERT to unlock the VM when you see the prompt. INSERT is used instead of DELETE to send this control signal to the VM, not the host machine. Alternatively, on the VMware menu, click Player and then click Send Ctrl+Alt+Del. Put in your password. You should see the desktop.
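Steps 1 through 4 can also be carried out from an elevated PowerShell prompt on the Windows Server 2019 VM. The script below is an added example, not code from the lab manual; it uses the lab’s hostname WEISSMAN-SERVER and domain weissman.edu, and because two of the steps reboot the VM, run each section in turn after signing back in.

```powershell
# Added example: Steps 1 to 4 from PowerShell. Assumptions: hostname WEISSMAN-SERVER, forest root weissman.edu.

# --- Step 1: a meaningful hostname (this reboots; continue with the next section after signing in) ---
Rename-Computer -NewName 'WEISSMAN-SERVER' -Restart

# --- Step 2: the built-in Administrator needs a password that meets complexity before promotion ---
$adminPassword = Read-Host -AsSecureString 'New Administrator password'
Set-LocalUser -Name 'Administrator' -Password $adminPassword

# --- Step 3: the AD DS role, plus the management tools the GUI offers to include ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# --- Step 4: promote to the first DC of a new forest ---
# -InstallDns matches the checked DNS server box: no DNS server exists yet, so one is installed alongside AD DS.
# The password below is the Directory Services Restore Mode password typed into the Password: boxes
# on the Domain Controller Options screen; forest and domain functional levels are left at their defaults.
$dsrmPassword = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# Same prerequisite checks as the Prerequisites screen; read the warnings before promoting
Test-ADDSForestInstallation -DomainName 'weissman.edu' -InstallDns -SafeModeAdministratorPassword $dsrmPassword

# -Force suppresses the confirmation prompt; the server restarts on its own when promotion completes
Install-ADDSForest -DomainName 'weissman.edu' -InstallDns -SafeModeAdministratorPassword $dsrmPassword -Force

# --- After the automatic restart: confirm the DC holds the roles the lab expects (DNS server, global catalog) ---
# Get-ADDomainController | Select-Object HostName, Domain, IsGlobalCatalog, OperationMasterRoles
# Get-WindowsFeature -Name AD-Domain-Services, DNS | Select-Object Name, InstallState
```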


Step 5 Event Viewer, which is found on all versions of Windows, including client and server OSs, can be used for troubleshooting and verification. This helps ensure that any accidental, malicious, or simply unwanted changes are logged and able to be traced, which makes it easy to hold users accountable.

Event Viewer displays the following information to you in a GUI, aggregated from multiple log files:

•   Application Contains events from programs running (for example, a backup of the database completed successfully).

•   Security Contains security and audited events, including sign-in attempts, directories and files accessed, and privilege escalation.

•   System Contains OS information and events, including services that couldn’t start or the last reboot of the OS.

•   Directory Service Contains events correlated to Active Directory functionality, like replication.

•   DNS Server Contains events on the DNS service, which is convenient for troubleshooting name resolution issues.

There are other log files containing events on various features of Windows Server 2019 and its services.

Now, you’ll use Event Viewer to verify that the AD DS role installation succeeded.

Open Server Manager and click Tools at the top of the screen. After the promotion to a domain controller, additional administrative tools will be available. Click Event Viewer.

a.   In the left pane, expand Applications and Services Logs by clicking on the arrow. Select Directory Service.

b.   Click a column header to sort by that column. Click the column header a second time to reverse the order.

c.   Navigate the entries with the UP ARROW and DOWN ARROW keys on the keyboard. The information displayed in the lower pane can be seen in its own window by double-clicking an entry. If you click the Copy button in the popup, you can copy the event information, which can be pasted into a file for future reference. From that popup, you can navigate the other entries by clicking the up- and down-arrow buttons on the popup. Click the Close button to close the popup.

d.   To filter the results, in the Actions section on the right pane, click Filter Current Log… and then customize as desired. To remove the filter and see all results, again, click Clear Filter (which is only visible when a filter is in place) in the Actions section in the right pane. This is helpful for isolating something specific you might be looking for.

e.   Filter by Event ID 1000, which corresponds to Microsoft Active Directory Domain Services startup complete.
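The same verification can be scripted, which is how you would check it on more than one server or keep a record. The functions below are an added example (not from the lab manual) that read the same logs Event Viewer displays with Get-WinEvent; run them from an elevated prompt on the Windows Server 2019 VM so the Security log is readable.

```powershell
# Added example: the Event Viewer checks from Step 5 with Get-WinEvent on the Windows Server 2019 VM.

function Get-LabDirectoryServiceStartup {
    # Step 5e: Event ID 1000 in the Directory Service log marks "Active Directory Domain Services startup complete"
    param([datetime] $Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1000; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-LabRecentProblems {
    # Critical, error and warning events (levels 1 to 3) from the five logs the lab describes.
    # Security audit entries are informational (level 0), so that log normally contributes nothing here.
    param([int] $PerLog = 5)
    foreach ($log in 'Application', 'Security', 'System', 'Directory Service', 'DNS Server') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } -MaxEvents $PerLog -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Log'; Expression = { $log } }, TimeCreated, Id, LevelDisplayName, Message
    }
}

$startup = Get-LabDirectoryServiceStartup
if ($startup) {
    $startup | Format-List
} else {
    Write-Warning 'No Directory Service event 1000 in the last day; did the promotion complete?'
}

# Scripted equivalent of the Copy button in Step 5c: keep the events in a file for future reference
Get-LabRecentProblems | Export-Csv -Path "$env:USERPROFILE\Desktop\lab14-events.csv" -NoTypeInformation
```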

Step 6 The default hostname for the Windows 10 VM is not a great hostname. Rename the Windows 10 VM.

a.   Click the Start button or in the search box, type This PC, right-click This PC, and select Properties or click Properties in the right pane.

b.   Click the Rename This PC button and then in the textbox type a more meaningful name than the default name of the computer (I called mine WEISSMAN-CLIENT). Click the Next button and then click the Restart Now button to restart the VM.

c.   Sign in, after the reboot, to the Windows 10 VM.


Step 7 Join the Windows 10 VM to the Active Directory domain.

a.   Click the Start button or in the search box, type This PC, right-click This PC, and select Properties or click Properties in the right pane.

b.   In the Related Settings section, click Rename This PC (Advanced). A System Properties window, with the Computer Name tab selected, will open.

c.   In the System Properties window, click the Change… button.

d.   In the Member Of section, select the radio button next to Domain, enter the name of the domain you configured earlier (mine is weissman.edu), and click the OK button.

e.   At the Computer Name/Domain Changes popup, enter the username Administrator and the password you configured earlier for the Administrator account on the Windows Server 2019 VM. This is the name and password of an account with permission to join the domain, as indicated in the popup. Click the OK button.

f.   You should see a popup welcoming you to the domain, as shown in Figure 14-1. Click the OK button.


FIGURE 14-1 Welcome to the Weissman.edu domain.

Note

If you weren’t able to join the domain and received a DNS-related error, it’s due to one of two things.

One reason is that you didn’t set the Windows 10 VM’s Preferred DNS Server to the IP address of your Windows Server 2019 VM, as instructed in the last paragraph of the “Let’s Do This!” section just before Step 1. That IP address is the only IP address in the world that knows who the DC for your domain is. In this step, my client machine wanted to join the weissman.edu domain, and it needed to ask a DNS server for the IP address of the DC. The only machine in the world that has the answer to that query is my Windows Server 2019 VM. DNS and AD are both running on that machine, so the DNS server responds with the IP address of the VM it’s running on. Your machine won’t get the IP address of your DC if it asks 8.8.8.8 or any other DNS server, including the DNS server for your home network in the little box everyone calls a router. The only machine in the world that can give a DNS response with the IP address of your domain controller is your Windows Server 2019 VM, which is running the DNS server service for your domain!

The other reason is unique to the network you’re on. If your network has native IPv6 connectivity from an ISP, your queries looking for the IP address of the DC of your domain will be sent to the IPv6 addresses for DNS servers given to your Windows 10 VM from your DHCP server. Even after you change from a dynamic IP address to a static IP address, those DNS server IPv6 addresses will still be the first ones your machine tries. Your machine, in that case as well, will be querying DNS servers that have no idea about the existence of your domain. To solve that issue, click the Start button or in the search box, type sharing, select Manage Advanced Sharing Settings, click Network and Sharing Center in the address bar at the top of the screen, click Change Adapter Settings in the left pane, right-click the Ethernet0 interface, select Properties, uncheck the box next to Internet Protocol Version 6 (TCP/IPv6), and then click the OK button.

g.   In the popup that states “You must restart your computer to apply these changes,” click the OK button. In the System Properties window, click the Close button. In the next popup, click the Restart Now button to reboot.

h.   On the Windows Server 2019 VM, open Server Manager, click Tools, and click Active Directory Users and Computers. Expand your domain by clicking the arrow. Select the Computers container, in the left pane, and notice the client machine that was just added to Active Directory, in the right pane, as shown in Figure 14-2.


FIGURE 14-2 The computer object in Active Directory

i.   Double-click the computer in the right pane. In the window that pops up, notice in the Operating System tab that the correct OS has been identified.
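The join in Steps 6 and 7 from an elevated PowerShell prompt on the Windows 10 VM, as an added example (not from the lab manual), with the two DNS checks from the Note done up front so the failure is caught before Add-Computer runs. It assumes the lab’s adapter name Ethernet0, the DC at 192.168.1.19, the domain weissman.edu and the client name WEISSMAN-CLIENT.

```powershell
# Added example: join the Windows 10 VM to the domain, checking the two DNS causes of a failed join first.
# Assumptions: adapter Ethernet0, DC at 192.168.1.19, domain weissman.edu, client name WEISSMAN-CLIENT.
$DcAddress = '192.168.1.19'
$Domain    = 'weissman.edu'

# Cause 1 in the note: the preferred (first) IPv4 DNS server must be the DC, the only server that knows the domain
$v4Dns = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet0' -AddressFamily IPv4).ServerAddresses
if ($v4Dns[0] -ne $DcAddress) {
    throw "Preferred DNS server is '$($v4Dns[0])', but it must be the DC at $DcAddress"
}

# Cause 2 in the note: DHCP-learned IPv6 DNS servers are tried first and know nothing about the domain.
# Unbinding IPv6 from the adapter is the PowerShell equivalent of unchecking TCP/IPv6 in the adapter's Properties.
$v6Dns = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet0' -AddressFamily IPv6).ServerAddresses
if ($v6Dns) {
    Write-Warning "IPv6 DNS servers present ($($v6Dns -join ', ')); unbinding IPv6 from Ethernet0"
    Disable-NetAdapterBinding -Name 'Ethernet0' -ComponentID 'ms_tcpip6'
}

# Steps 6 and 7 in one call: rename the client and join the domain using an account permitted to join it
$cred = Get-Credential -UserName "$Domain\Administrator" -Message 'Account with permission to join the domain'
Add-Computer -DomainName $Domain -NewName 'WEISSMAN-CLIENT' -Credential $cred -Restart

# After the reboot, on the client: confirm the machine account's secure channel to a DC is healthy
# Test-ComputerSecureChannel -Verbose

# After the reboot, on the DC: the new computer object appears in the Computers container (Steps 7h and 7i)
# Get-ADComputer -Filter "Name -eq 'WEISSMAN-CLIENT'" -Properties OperatingSystem, OperatingSystemVersion, whenCreated |
#     Select-Object Name, DistinguishedName, OperatingSystem, OperatingSystemVersion, whenCreated
```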

2 HOURS

Lab Exercise 14.02: Organizational Units and Groups

An organizational unit (OU) organizes AD objects, like a folder organizes files on a hard drive. However, unlike folders, which are part of the path of a file, and domains, which are part of the DNS namespace, OUs are not part of the DNS namespace. OUs offer multiple ways to achieve great flexibility, more than just domain administration, in managing resources of business units, departments, and divisions.

Many different objects can be placed inside an OU, including users, groups, computers, and shared folders. OUs can even be placed inside of other OUs. The nesting of OUs allows for the hierarchical grouping of objects and resources in many different ways, and it can flex at any point in one of many different directions, due to business needs or reorganization. When moved, OUs will inherit the permissions of a new parent by default. Permissions set on a parent OU are automatically inherited by all the objects in a child OU, but this behavior can be overridden.

Microsoft recommends not having more than 10 levels of OUs. Horizontal (flat) OU structures are more efficient than vertical (deeply nested) ones, because each additional layer of nested OUs adds another layer of policies and settings that must be processed.

Group Policy objects (GPOs) can be applied to all objects in an OU, with inheritance for nested OUs. This will allow you to push out common policies dealing with security and configuration to the objects in an OU. For example, a GPO can restrict users from installing new programs, accessing the Control Panel, and making certain selections for display, networking, desktop, and other settings.

You can even use OUs to delegate administrative control over users and groups to appropriate users and groups. It’s not realistic for a single person, like an IT director, to do all the work. Assigning tasks and responsibilities to others for certain OUs makes much more sense. One systems administrator could be in charge of the Marketing OU, and another one can administer the Human Resources OU. Responsibilities for managing printers and print queue objects can be given to one systems administrator, while another can manage security permissions for users and groups. This delegation occurs at the OU level, not at the object level. Delegation also prevents systems administrators from having huge authority over large numbers of objects. Delegation from a parent OU can be inherited by multiple child OUs, inside of the parent OU, at the same time. Implementing the principle of least privilege, each systems administrator will have just enough control to perform their tasks and not a single drop more.

Security permissions to resources should be assigned to group account objects, not user account objects. Think of the groups as roles that users fill. If security permissions to resources were assigned to user objects, it would be an administrative nightmare. If a user was being moved out of a department in the organization that has access to 100 resources and into a different department that has access to 100 other resources, you’d have to make 200 changes if permissions were assigned to user account objects. If groups are implemented, and permissions to resources are tied to group account objects, all you’d have to do is remove the user’s membership from the original group and add the user as a member to the new group. That would be two changes instead of 200. Furthermore, as is the practice today, users can serve in multiple roles, and as such, they need to have the cumulative permissions of multiple groups. Giving permissions to groups and assigning users to groups is the way to go.

It’s important to understand the differences between groups and OUs. Think of a group as a collection of users or even computers. A group can also be a member of another group. The usage of groups is for security purposes (for example, granting permissions to a resource such as a shared folder, file, server, printer, or application). These permissions cannot be assigned to OUs. Groups have a security identifier (SID) that uniquely identifies them, but OUs do not.

An OU is more like a logical boundary for organizing your infrastructure and applying GPOs to it (GPOs can also be linked to a site or a domain) that implement security policies for common objects. GPOs cannot be linked to groups. Whereas an OU can contain group objects, user objects, computer objects, and other OUs, an object can only be inside a single OU. Conversely, user objects and group objects can be members of multiple groups.

Learning Objectives

In this lab exercise, you’ll create logical containers for AD objects. At the end of this lab exercise, you’ll be able to

•   Create OUs

•   Delegate control of OUs

•   Configure permissions of OUs

•   Create groups

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Windows Server 2019 VM you installed in Chapter 1

•   The Windows 10 VM you installed in Chapter 1

Let’s Do This!

This lab exercise requires the previous lab exercise to be fully completed and builds upon it.


Step 1 Before configuring OUs, you need to decide on a hierarchy and structure that meets your business and technical needs. Names and descriptions of OUs should be short and to the point. Names of objects can be duplicated in multiple OUs, but not in the same OU.

It’s now time to create and manage OUs. The main campus of Finger Lakes Community College (FLCC), of the State University of New York (SUNY) system, is in Canandaigua, New York. There are campus centers in Geneva, Newark, and Victor. In this lab exercise, you’ll set up an Active Directory infrastructure that could be a possible hierarchy for FLCC. The final result can be seen in Figure 14-3.


FIGURE 14-3 The weissman.edu domain

a.   On the Windows Server 2019 VM, open Server Manager, click Tools, and click Active Directory Users and Computers. You’ll notice multiple default containers. Clicking each container reveals the contents in the pane on the right. Builtin contains default group objects. Computers contains the computer object representing your Windows 10 VM that was just joined to the domain. Double-click the computer object to see more information about it. Domain controllers contains a computer object for the Windows Server 2019 VM you’re on now. Double-click the computer object to see more information about it. ForeignSecurityPrincipals and Managed Service Accounts will be empty. Users contains default user objects and group objects.

b.   Right-click the domain name (mine is weissman.edu), mouse over New, and select Organizational Unit.

c.   In the Name: textbox, type Canandaigua, uncheck the box marked Protect Container from Accidental Deletion, and click the OK button.

If this box were checked and you wanted to remove the OU, you’d have to click View on the menu at the top and then select Advanced Features (this is a toggle, so clicking View and then Advanced Features again returns the view to the way it was). With Advanced Features selected, more items appear in the hierarchy under the domain name, and more tabs appear in each object’s properties. Right-click the OU you want to delete, select Properties, and in the Object tab (which, like other tabs, is not visible without Advanced Features selected), clear the check box next to Protect Object from Accidental Deletion. The OU can now be deleted; how that’s done is coming up later. If you did turn on Advanced Features, turn it off at this point.

d.   In the same fashion, and also directly underneath the domain name, create these OUs: Geneva, Newark, and Victor. The order in which the OUs are created doesn’t matter. They will be automatically alphabetized the next time you open Active Directory Users and Computers.

e.   Directly inside the Canandaigua OU (this time, right-click the Canandaigua OU, mouse over New, and select Organizational Unit), create the following second-level OUs: Administrative, Clients, Servers, Users, and Groups.

f.   Directly inside the Clients OU, create the following third-level OUs: Faculty, Staff, and Students.

g.   Directly inside the Faculty OU, the Students OU, and the Staff OU, create the following fourth-level OUs: Desktops and Laptops.

h.   Directly inside the Servers OU, create the following third-level OUs: Application Servers, Database Servers, DHCP Servers, DNS Servers, Domain Controllers, Exchange Servers, File Servers, FTP Servers, Mail Servers, Print Servers, RADIUS Servers, Terminal Servers, and VPN Servers.

i.   Directly inside the Users OU, create the following third-level OUs: Faculty, Staff, and Students.

j.   Directly inside the Groups OU, create the following third-level OUs: Bursar, Business Services, Facilities and Grounds, Faculty, Finance, Human Resources, Information Technology, Marketing, Registrar, Research and Development, Staff, and Students. The OUs created here will be containers for various groups in each category. For example, Staff Level 1 won’t have the same permissions as Staff Level 2.

k.   Expand all OUs and compare your work to Figure 14-3.

Note

Computer objects can be created in AD so that they’re in the right OU from the start, which puts them under the control of GPOs applied to OUs. You’d add the computer to the domain the same way you did earlier, but this method would not place the computer object in the default Computers container.
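The OU tree from Step 1 can also be built with the ActiveDirectory PowerShell module. This is an added example, not part of the lab manual; it assumes you run it on the Windows Server 2019 DC (the module ships with the AD DS role) and reads the domain’s distinguished name rather than hard-coding weissman.edu.

```powershell
# Added example: builds the Step 1 OU tree from a nested hashtable.
# Assumes the ActiveDirectory module is present (it is on a DC) and that
# the lab's Step 1 OUs do not exist yet; existing OUs are skipped.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=weissman,DC=edu

# Helper: turn a list of names into leaf OUs (empty hashtables).
function New-LeafSet {
    param([string[]]$Names)
    $set = @{}
    foreach ($n in $Names) { $set[$n] = @{} }
    return $set
}

$ClientSub = @{ 'Desktops' = @{}; 'Laptops' = @{} }   # Step 1g, under each client type

# The hierarchy from Steps 1b-1j. Hashtable key order is not preserved, but
# the lab notes that creation order doesn't matter; ADUC sorts the OUs anyway.
$Tree = @{
    'Canandaigua' = @{
        'Administrative' = @{}
        'Clients' = @{ 'Faculty' = $ClientSub; 'Staff' = $ClientSub; 'Students' = $ClientSub }
        'Servers' = New-LeafSet 'Application Servers','Database Servers','DHCP Servers',
            'DNS Servers','Domain Controllers','Exchange Servers','File Servers',
            'FTP Servers','Mail Servers','Print Servers','RADIUS Servers',
            'Terminal Servers','VPN Servers'
        'Users'  = New-LeafSet 'Faculty','Staff','Students'
        'Groups' = New-LeafSet 'Bursar','Business Services','Facilities and Grounds',
            'Faculty','Finance','Human Resources','Information Technology','Marketing',
            'Registrar','Research and Development','Staff','Students'
    }
    'Geneva' = @{}
    'Newark' = @{}
    'Victor' = @{}
}

function New-OuTree {
    param([hashtable]$Children, [string]$ParentDN)
    foreach ($name in $Children.Keys) {
        # Idempotent: skip an OU that already exists directly under this parent.
        $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" `
            -SearchBase $ParentDN -SearchScope OneLevel
        if (-not $existing) {
            # Step 1c unchecks "Protect container from accidental deletion" for
            # the lab; outside a lab, leave the default ($true) in place.
            New-ADOrganizationalUnit -Name $name -Path $ParentDN `
                -ProtectedFromAccidentalDeletion $false
        }
        New-OuTree -Children $Children[$name] -ParentDN "OU=$name,$ParentDN"
    }
}

New-OuTree -Children $Tree -ParentDN $DomainDN

# Check the result against the 10-level guidance from the introduction: count
# the OU= components of every OU's distinguished name (deepest here is 4).
$depths = Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDN |
    ForEach-Object { ([regex]::Matches($_.DistinguishedName, '(?i)OU=')).Count }
"Deepest OU nesting: $(($depths | Measure-Object -Maximum).Maximum) levels"
```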


Step 2 Departments, employee roles, resources, and more change over time. The management of networks is challenging enough, but with dynamic changes, it’s even more so. The structure of Active Directory, however, allows for structural changes with simple steps.

You’re about to move, delete, and rename OUs.

a.   FLCC has combined the Bursar and Registrar departments into the One Stop Center (they actually have). Right-click the Bursar OU, select Delete, and click the Yes button when prompted to confirm you want to delete the OU. Anything inside this OU would have been deleted, as well.

b.   Right-click the Registrar OU, select Rename, type One Stop Center, and press ENTER.

c.   Right-click the computer object for your client machine in the default Computers container, select Move…, expand Canandaigua, expand Clients, expand Students, select Desktops, and click the OK button.

d.   Navigate to the Desktops OU and click the computer object in the right pane. Drag and drop that object into the Laptops OU inside of Students in the left pane. Click the Yes button on the popup that warns you about what might happen when you move objects.

e.   Navigate to the Laptops OU and click the computer object in the right pane. Either press CTRL-X or right-click the computer object and select Cut. Either click the Desktops OU and press CTRL-V or right-click and select Paste. Click the Yes button on the popup that warns you about what might happen when you move objects. The pasting could have even been done in the right pane, with the proper OU selected. There are many ways to move objects. OUs can be moved in the same way you just moved the computer object.

f.   Expand all OUs and select the Desktops OU to display the computer object.


Step 3 Delegating control of OUs could allow large organizations to divide roles and responsibilities between multiple systems administrators. For example, a systems administrator can manage objects in a few domains, all user and group objects, or all file and print services. You’ll now delegate control.

a.   Right-click the Users OU inside the Canandaigua OU and select Delegate Control…, which will start the Delegation of Control Wizard. Click the Next button.

b.   In the Users or Groups window, click the Add button. In the Select Users, Computers, or Groups window, click the Advanced button and then click the Find Now button. You’ll see a list of all users and groups. Double-click the border between the Name and E-Mail Address columns to expand the Name column. Scroll down to see all entries; then scroll up and double-click the second item, Account Operators. Click the OK button. Click the Next button.

c.   In the Tasks to Delegate window, with the radio button for Delegate the Following Common Tasks selected, put a check in the box next to the second item, Reset User Passwords and Force Password Change at Next Logon.

d.   Click the Next button.

e.   Click the Finish button.

f.   Select the Builtin container and double-click Account Operators. Notice the description of this group: Members can administer domain user and group accounts. Close the window with either the X button in the top right, the OK button, or the Cancel button.

g.   Click View on the menu bar and select Advanced Features (a toggle selection, as discussed in Step 1 of this lab exercise). If you click View again, you’ll see a check next to Advanced Features, which means it is enabled. Don’t select Advanced Features again, as that will toggle it off. There are more items in the Active Directory Users and Computers window now.

h.   Right-click the Users OU inside the Canandaigua OU, select Properties, select the Security tab (which wouldn’t be visible if Advanced Features wasn’t toggled on), and click the Advanced button.

i.   The columns are sortable if you click the column header. Click the Principal column. Click it again to sort by reverse alphabetical order. Click it once more to order the items in alphabetical order. Notice that the first six entries have Account Operators as the Principal, as shown in Figure 14-4. Even though in Step 3c you didn’t select Create/Delete InetOrgPerson Objects, Create/Delete Computer Objects, Create/Delete Group Objects, or Create/Delete User Objects in the Delegation of Control Wizard, members of the Account Operators group have these permissions by default. However, members of the Account Operators group were not able to change passwords, until you delegated that to them.


FIGURE 14-4 Advanced Security Settings for Users

In addition to being able to modify accounts and groups in the domain, as shown previously, members of the Account Operators group can sign in to Domain Controllers through a Default Domain Controllers Policy GPO. Members of this group can’t directly modify any AD administrative-related groups, but can join administrative groups through associated privileges.

Due to the default and over-delegated permissions inherent to the Account Operators group (as well as the other Builtin groups), it is a best practice to actually avoid using it. Creating a new group that has nothing by default, and then assigning permissions, following the principle of least privilege, is a better option. You could make a new group and just grant the permission of reset passwords and force password changes to members, without giving them anything more.
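The least-privilege alternative just described, done in PowerShell, as an added example that is not part of the lab manual: a new, empty security group receives only what the wizard’s “Reset user passwords and force password change at next logon” task grants (the Reset Password extended right plus read/write on pwdLastSet), scoped to user objects under the Canandaigua\Users OU from Step 1. The group name is invented; the OU paths come from Step 1, and the GUIDs are the fixed schema and control-access-right identifiers every AD forest uses.

```powershell
# Added example: a custom group delegated only password-reset rights on one OU.
# Assumes the Canandaigua OU tree from Step 1 and the ActiveDirectory module.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName
$TargetOU  = "OU=Users,OU=Canandaigua,$DomainDN"
$GroupName = 'Help Desk Password Reset'          # invented name for this example

# Well-known identifiers (identical in every AD forest).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

# 1. A brand-new global security group starts with no rights at all.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path "OU=Information Technology,OU=Groups,OU=Canandaigua,$DomainDN" -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# 2. Two ACEs, applied only to descendant user objects of the OU.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$aceReset = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $ResetPasswordRight, $inherit, $UserClass
$acePwdLastSet = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $PwdLastSetAttr, $inherit, $UserClass

# 3. Write the ACEs to the OU through the AD: drive the module provides.
$aclPath = "AD:\$TargetOU"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($acePwdLastSet)
Set-Acl -Path $aclPath -AclObject $acl

# 4. Verify, the way Step 3i reviews Account Operators in Advanced Security
# Settings: the new group should have exactly these two entries and nothing else.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Compare the output with the six Account Operators entries you sorted in Step 3i; the custom group carries none of the create/delete rights that the Builtin group holds by default.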


Step 4 Now you’ll perform a more granular type of delegation.

a.   Right-click the Servers OU inside the Canandaigua OU and select Delegate Control…, which will start the Delegation of Control Wizard. Click the Next button.

b.   In the Users or Groups window, click the Add button. In the Select Users, Computers, or Groups window, type server in the textbox and click the Check Names button, which will autocomplete your entry to Server Operators.

Through a GPO linked to the Domain Controllers OU, Server Operators are given permissions to sign in locally to DCs, back up files and directories, force a shutdown of the DC from a remote system, restore files and directories, and shut down the system. As such, this is another example of avoiding the Builtin groups and adhering to the principle of least privilege with your own manually created and delegated groups. You will create your own groups shortly.

c.   Click the OK button. Click the Next button.

d.   In the Tasks to Delegate window, select the radio button next to Create a Custom Task to Delegate and then click the Next button.

e.   Click the radio button next to Only the Following Objects in the Folder.

f.   Put a check in the box next to Computer Objects.

g.   Put checks in the boxes underneath the selection window marked Create Selected Objects in This Folder and Delete Selected Objects in This Folder.

h.   Click the Next button.

i.   In the Permissions screen, with the box next to General checked, scroll through the permissions in the window below. Do the same by checking just Property-Specific and then Creation/Deletion of Specific Child Objects.

j.   Put a checkmark next to the General option, and make sure the other options are not checked. Put a check in the boxes next to Read and Write (which will trigger a check in the box next to Property-Specific). Scroll down to see all the additional checks that were added to specific permissions.

k.   Click the Next button. Click the Finish button.

This gives the members of the Server Operators group the ability to create new Computer objects within the Servers OU and the permissions to read and write all properties for Computer objects.

l.   Select the Builtin container and double-click Server Operators. Notice the description of this group: Members can administer domain servers. Close the window with either the X button in the top right, the OK button, or the Cancel button. As mentioned in regard to Account Operators, it’s probably best to not use the Server Operators group, with its over-delegated permissions.

m.   Right-click the Servers OU inside the Canandaigua OU, select Properties, select the Security tab, and click the Advanced button.

n.   Sort the Principal column, expand it, and examine the entries for Server Operators.

o.   Toggle the Advanced Features off through the View menu bar item.


Step 5 Properties of OUs can be helpful in identifying items like the user responsible for managing an OU. Contact information is important for systems administrators in case they need to get in touch with the person in charge of an OU. Configuring contact information doesn’t grant permissions, like delegation does, and is merely cosmetic. Now, you’ll configure contact information.

a.   Right-click the Victor OU (directly off the domain), select Properties, and click the Managed By tab.

b.   Click the Change… button, click the Advanced button, click the Find Now button, and double-click the Administrator account. Click the OK button.

c.   If there was additional information about the account, it would automatically populate in the respective sections (Office, Street, City, State/Province, Country/Region, Telephone Number, and Fax Number). Click the OK button to close the Victor Properties dialog box.


Step 6 There are two group types in Active Directory: security groups and distribution groups.

Security groups are granted (or denied) permissions to resources. For example, if you want to give a group of users access to an object, like a shared folder, but specify their level of control, create a security group and then assign the permissions to the group. Then each user in the group gets those permissions. You can also send e-mail to security groups. All users in a group would receive the e-mail if a mail system that allows for mail-enabled groups, like Microsoft Exchange, is configured.

Distribution groups are strictly used for telephone lists and e-mail lists, if a mail system that allows for mail-enabled groups, like Microsoft Exchange, is configured. However, distribution groups never receive permissions for objects. They’re just used for providing mass distribution of information in a quick fashion.

Security groups can be broken down further into three different types.

A local security group manages resources on a computer that is not part of a domain, and it’s not considered one of the three types of domain security groups.

The first security group type is the domain local group, which stays in the domain it was created in. It is used for granting permissions to objects such as servers, folders, shared folders, and printers in a single domain; a domain local group can’t be used in any other domain.

The second security group type is the global group, which can contain other groups and accounts from the domain in which it was created. A global group can be given permissions in any domain in a forest. A domain local group, by contrast, is used to manage resources in its own domain and to give global groups, from the same domain or from different domains, access to those resources. The sound administrative move is therefore to add the user accounts that need access to resources, whether in the same domain as the global group or in another domain, to the global group, and then add that global group to the domain local groups.

Imagine a company’s AD forest has a domain for the New York headquarters, a domain for a branch office in Texas, and a domain for a branch office in California. The company’s board of trustees needs to be able to access the resources in all three of the domains. You can create a domain local group in each domain, which grants access to the resources needed by the board of trustees members. Then you can create a global group in the New York headquarters domain that has the board of trustees members as user account members. Then you can add the global group to each domain’s domain local group. If a board of trustees member leaves, you simply disable that account. If a new user joins the board of trustees, add that user’s account to the global group. If new resources are added, add permissions for those to the domain local group.

The third security group is known as a universal group, which can contain other groups and accounts from any domain in the forest. A universal group can be given permissions in any domain in a forest. You can add user accounts that need access to resources in multiple (or all) domains to a global group and then add that global group to a single universal group, instead of a domain local group for each domain. This way, you can make one universal group that has access to resources in all three domains needed by the board of trustees members—one global group that has the user accounts of the board of trustees members—and make that global group a member of the universal group. Now you only have to manage two groups instead of four.

Universal groups can have members from any domain, and permissions can be set for them on any domain object. Universal groups are stored in the global catalog. When a universal group changes, the changed properties need to be replicated to the other DCs that are global catalog servers. Since only property changes are replicated, rather than whole objects, network bottlenecks and latency aren’t a concern.

The general guidelines are to use global groups to contain user accounts as members, use domain local groups to grant access to a specific domain’s resources, and to use universal groups to provide forest-wide (multiple domains) widespread access to resources.

The Microsoft acronym AGDLP, for role-based access controls, is helpful for remembering how to set up groups. First, create user accounts (A). Next, put the user accounts into global groups (G). Then, put global groups into domain local groups (DL). Finally, assign permissions (P) for resources to the domain local groups.

Alternatively, the Microsoft acronym AGUDLP (also for role-based access controls) can be used. First, create user accounts (A). Next, put the user accounts into global groups (G). Then, put the global groups into universal groups (U). Then, put universal groups into domain local groups (DL). Finally, assign permissions (P) for resources to the domain local groups.

In our board of trustees example, the alternative was used: specific permissions to specific resources were assigned to the universal group instead of to a domain local group.

Now, you’ll create groups:

a.   Click the Information Technology OU in the Groups OU in the Canandaigua OU. Right-click a blank area in the right pane, mouse over New, and select Group. In the Group Name: textbox, type IT Level 1. Keep the default radio button selection of Global for Group Scope.

b.   Click the Students OU in the Groups OU in the Canandaigua OU. In the same fashion, create a domain local group called Honors Students.

c.   Click the Human Resources OU in the Groups OU in the Canandaigua OU. In the same fashion, create a universal group called HR Managers.
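The board of trustees scenario from this step, built with PowerShell following AGDLP (and the AGUDLP hop) in the single lab domain, as an added example that is not part of the lab manual. The group names and the C:\BoardDocs folder are invented for the example; the Staff OU under Groups comes from Step 1j, and member accounts are added once Lab Exercise 14.03 creates them.

```powershell
# Added example: AGDLP in the lab domain; group names and C:\BoardDocs are invented.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$Netbios  = (Get-ADDomain).NetBIOSName                       # e.g. WEISSMAN
$GroupsOU = "OU=Staff,OU=Groups,OU=Canandaigua,$DomainDN"    # from Step 1j

# Create a security group with an explicit scope, or reuse it if it exists.
function New-LabGroup {
    param([string]$Name,
          [ValidateSet('DomainLocal','Global','Universal')][string]$Scope,
          [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
            -Path $Path -PassThru
    }
    return $g
}

# A -> G: the role. Its members are user accounts (A).
$trustees = New-LabGroup -Name 'Board of Trustees' -Scope Global -Path $GroupsOU

# DL: one domain local group per resource, named for the access it grants.
$boardRead = New-LabGroup -Name 'BoardDocs Read' -Scope DomainLocal -Path $GroupsOU
Add-ADGroupMember -Identity $boardRead -Members $trustees

# P: the permission goes to the domain local group, never to users or the global group.
$folder = 'C:\BoardDocs'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "$Netbios\BoardDocs Read", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# AGUDLP: a universal group sits between G and DL when global groups come from
# several domains. In a one-domain lab it is simply an extra hop.
$trusteesU = New-LabGroup -Name 'Trustees All Domains' -Scope Universal -Path $GroupsOU
Add-ADGroupMember -Identity $trusteesU -Members $trustees

# AD enforces the scope rules: a global group may contain only accounts and global
# groups from its own domain, so nesting the domain local group inside it is refused.
try {
    Add-ADGroupMember -Identity $trustees -Members $boardRead -ErrorAction Stop
} catch {
    Write-Warning "Expected refusal: $($_.Exception.Message)"
}

# Who actually ends up with read access? Resolve the chain DL -> G -> accounts.
function Get-EffectiveMembers {
    param([string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
# After Lab 14.03: Add-ADGroupMember -Identity $trustees -Members '<sam-account-name>'
Get-EffectiveMembers -GroupName 'BoardDocs Read'
```

Moving a trustee to another role is then one Remove-ADGroupMember and one Add-ADGroupMember, the two changes instead of 200 described earlier.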

90 MINUTES

Lab Exercise 14.03: Users and Other Active Directory Objects

What would a domain be without users? Creating, modifying, disabling, and deleting user objects, as employees come and go, is a never-ending systems administration responsibility. Other AD objects, like a group object or a computer object, will also need to be modified from time to time. It’s important for both users and administrators to be able to easily search AD and locate the resources needed efficiently.

Learning Objectives

In this lab exercise, you’ll get experience with user account objects. At the end of this lab exercise, you’ll be able to

•   Create new user accounts

•   Add user accounts to group accounts

•   Manage user account properties

•   Sign in to a domain with a new user account

•   Disable user accounts

•   Reset passwords

•   Move, rename, and delete user accounts

•   Query AD

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Windows Server 2019 VM you installed in Chapter 1

•   The Windows 10 VM you installed in Chapter 1

Let’s Do This!

This lab exercise requires the previous two lab exercises to be fully completed and builds upon them.


Step 1 Create a new user account object that will later be granted administrative privileges.

Add a user to a group.

a.   In Active Directory Users and Computers, right-click the Staff OU in the Users OU in the Canandaigua OU, mouse over New, and select User.

b.   Fill in the First Name:, Initials: (just type one letter), and Last Name: textboxes. The Full Name: field will automatically populate.

c.   Fill in the User Logon Name: textbox. Create a logon name that has a part of the first name, middle initial, and last name. It can be as simple as just the first letter of the first name, middle name, and last name.

d.   Click the Next button.

e.   Enter a password (as before, it needs to be a complex password) and confirm it. Uncheck the box next to User Must Change Password at Next Logon. Click the Next button. Click the Finish button.


Step 2 Create a second user account object. This one will not be granted administrative privileges.

a.   In the same fashion in which you created the first user in the previous step, create another user. This user should be placed in the Students OU.

b.   For the user’s password configuration, do not uncheck the box next to User Must Change Password at Next Logon.

In enterprise environments, a user account is given a default password, which must be changed the first time a user signs in, so that no one knows it besides that user.


Step 3 Add users to groups.

a.   In Active Directory Users and Computers, right-click the first user object you created (in the Staff OU) and select Properties.

b.   Click the Member Of tab. Click the Add… button. Click the Advanced… button. Click the Find Now button. Scroll down in the bottom pane and double-click the Domain Admins group to auto-populate the group name in the Enter the Object Names to Select textbox. Click the OK button to close the Select Groups window. Click the OK button to close the Properties window.

Note

If you do not do Step 3b, you could lose access to your Windows Server 2019 VM very easily later in this Lab Exercise when you disable the Administrator account.

Now you have an administrative account to use instead of the default Administrator account, which can be found by clicking the default Users container. The Administrator user account will be the first item in the right pane. Allowing someone or, even worse, multiple people to sign in with a default account, especially the Administrator user account, is bad practice because it is not tied to a specific person, and as a result you’ll lack accounting and auditing capabilities. Going forward, you’ll be using the first account you created in this step as your admin user and the second account you created in this step as your non-admin user. Shortly, you’re going to disable the Administrator account so that it can’t be used anymore.

Cybercriminals, through a super admin account, were able to penetrate Verkada, a cloud-based security company, gaining access to close to 150,000 cameras from Verkada itself, as well as its customers from sites including factories, offices, gyms, hospitals, psychiatric wards, jails, police stations, banks, and more. You can read about it at the following sites:

www.darkreading.com/vulnerabilities---threats/verkada-breach-demonstrates-danger-of-overprivileged-users/d/d-id/1340403

www.theverge.com/2021/3/9/22322122/verkada-hack-150000-security-cameras-tesla-factory-cloudflare-jails-hospitals

www.securityinfowatch.com/video-surveillance/article/21213804/global-hackers-raid-verkadas-clients-video-surveillance-data

You can read about the measures Verkada took in the aftermath at www.verkada.com/security-update/.

c.   In the left pane of Active Directory Users and Computers, click the Builtin container (off of the domain root). In the right pane, notice the Administrators group.

The Administrators group (a domain local group) in the Builtin container has the following description: Administrators have complete and unrestricted access to the computer/domain.

d.   Double-click the Administrators group object in the Builtin container. In the Members tab, you can see that the Administrator account (which is located in the Users container) as well as the Domain Admins and Enterprise Admins groups are members of this Administrators group.

The Domain Admins group (as well as the Enterprise Admins group) is automatically made a member of the Administrators group when a machine is promoted to a DC through the Default Domain Policy GPO.

The main reasons why the Builtin Administrators group exists are for backward compatibility and to allow programs checking for administrative rights to check in the same place on any system. This group should really never be touched except for a “break glass in case of emergency” situation.

e.   Double-click the Domain Admins group (a global group) in the Users container. You’ll notice the following description: Designated administrators of the domain.

f.   In the left pane of Active Directory Users and Computers, click the Students OU inside of the Groups OU inside of the Canandaigua OU. In the right pane, right-click the Honors Students group (which you created earlier) and select Properties. Click the Members tab. Click the Add… button. You can add a user to a group or add a group membership to a user. Add your non-admin user to the Honors Students group.


Step 4 Objects, after creation, will still be subject to changes in terms of their properties. Default properties can change, and new properties can be configured. Right-clicking any object and selecting Properties, or just double-clicking, works for all objects in AD. You’ll do that now.

a.   Right-click the non-admin user you created (the object will be in the Students OU inside the Users OU inside the Canandaigua OU) and select Properties.

b.   With the General tab selected, add any values for the textboxes marked Description:, Office:, Telephone Number:, E-mail:, and Web Page:.

c.   Click the Address tab. Add any values for the textboxes marked Street:, P.O. Box:, City:, State/Province:, Zip/Postal Code:, and Country/Region: (this one is a dropdown list). When done, click the OK button.


Step 5 Sign in to the DC locally with your new admin user account. Disable the Administrator account. Sign in to the domain remotely, from the Windows 10 VM, with your new non-admin user account.

a.   On the Windows Server 2019 VM, click the Start button, click the user icon (the first icon in the column) in the left pane, and then click Sign Out.

b.   Press CTRL-ALT-INSERT to send CTRL-ALT-DELETE to the VM. Alternatively, click the Player menu item in the top left of the VMware Workstation Player interface and then select Send Ctrl+Alt+Del.

c.   In the lower-left corner, click Other User. Enter the credentials of the new admin user you created and press ENTER or click the arrow to the right of the password textbox. There will be a few messages displayed, since this is the first time that user has signed in.

d.   Go to Active Directory Users and Computers. In the Users container, right-click the Administrator account (in the Users container) and select Disable Account. Click the OK button in the confirmation popup.

e.   From the Windows 10 VM, sign in to the domain with your new non-admin user account by doing the following. At the login screen, in the lower-left corner, select Other User. You should see, underneath the User Name and Password textboxes, “Sign in to:” followed by the name of your domain. Underneath that, click How Do I Sign In to Another Domain? You’ll see instructions on how to sign in locally to this machine again, which include typing the machine name, followed by a backslash, followed by a local account.

For now, enter the name of the non-admin user you created and the corresponding password and then sign in to the domain. As expected, you will be prompted to change your password. Click the OK button. Enter a new password and confirm it in the bottom two textboxes. Press ENTER or click the arrow next to the Confirm Password textbox. Click the OK button that confirms the password was changed. There will be a few messages displayed since this is the first time that user has signed in.

Click the Start button or in the search box, type PowerShell, and then select Windows PowerShell. At the prompt, type whoami and press ENTER. The output will show your domain, a backslash, and the name of the user you logged in as.


Step 6 As you learned in Chapter 11, passwords should be stored in hashed format. If a user forgets their password and calls up the help desk or a systems administrator and says “I forgot my password. Can you tell me what it is?”, the honest answer is “No.” A better request would be “Can you reset my password?”, to which the answer should be a resounding “Yes!”

That’s what you’ll do now.

a.   On the Windows Server 2019 VM, in Active Directory Users and Computers, right-click the non-admin user account and select Reset Password. Enter and confirm a password. Leave the check in the box next to User Must Change Password at Next Logon.

b.   Sign in with the new password and change it when prompted.


Step 7 When a user account needs to be removed from AD because a user quits or is fired, it is a better idea to disable the account than to delete it. The reason is for forensics analysis, if necessary. There might be evidence that you don’t know you’ll need down the road, or there might actually be an active investigation. You can even put disabled accounts into a special OU created for that very purpose. You’ll disable and enable an account now.

a.   From the Windows 10 VM, sign out of the domain with the non-admin user.

b.   From the Windows Server 2019 VM, right-click the non-admin user account and select Disable Account.

c.   Right-click it to see that now it shows Enable Account. Don’t click it, though.

d.   The disabling and enabling of an account can also be done by right-clicking the user account, selecting Properties (or just double-clicking the user account), and going to the Account tab. In the Account Options: section, you would check the box for Account Is Disabled (which is checked now).

e.   You’ll also notice Unlock Account on top. This is not for accounts that are disabled. Accounts get locked automatically by an Account Lockout Policy, which is set by a GPO, after a certain number of incorrect sign-on attempts. An administrative user will put a check in this Unlock Account box. Notice that there is no box to click to lock the account, as locking is an automatic process.

f.   Underneath the Account Options: section, you’ll notice that you can configure a date on which the account will expire. This could be useful, for example, in the context of a contractor account that you know needs to be disabled by a certain time. Using the Account Expires section alleviates you from manually disabling the account, which could be a security vulnerability if forgotten.

Here is a story from 2020 related to this topic:

Twitter contractors using Twitter’s internal tools to spy on celebrities:
www.theverge.com/2020/7/27/21340581/twitter-big-hack-contractors-spied-celebs-beyonce-bitcoin

Here are two of the earliest cyberattack stories that came to light, in this new era of cybersecurity, related to this topic:

Home Depot attackers using login credentials from a heating and ventilation (HVAC) contractor:
www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using-a-vendors-stolen-credentials.html

Target attacked through credentials from a refrigeration contractor:
www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/

If the same process/settings need to be done to multiple objects, even different objects that share common settings/tabs, you can select multiple objects at the same time (with SHIFT or CTRL), right-click any of the objects, and select Properties.

g.   Try to sign in to the domain from the Windows 10 VM as the non-admin user with the disabled account.

h.   From the Windows Server 2019 VM, enable the non-admin user account.

i.   From the Windows 10 VM, sign in to the domain with the non-admin user account.
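The reset, disable, and expiration tasks from Steps 6 and 7, done with the ActiveDirectory PowerShell module instead of the GUI. This is an added example, not part of the lab manual; the Disabled Accounts OU, the domain components, and the account names are assumptions to replace with your own. It goes one step past the lab by also stripping group memberships from a retired account and by reporting every disabled, expired, locked, or soon-to-expire account in the domain.

```powershell
# Added example (not from the lab manual). Run on the Windows Server 2019 VM
# as the domain admin user. Assumed values: the OU for retired accounts and
# the domain components below; 'jdoe' and 'acme-hvac' are placeholder users.
Import-Module ActiveDirectory

$DisabledOU = 'OU=Disabled Accounts,DC=weissman,DC=local'   # assumed OU

function New-OneTimePassword {
    # Cryptographically random temporary password the user must change at
    # first sign-in; the character set avoids look-alikes (0/O, 1/l/I).
    param([int]$Length = 16)
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Step 6: the help desk never recovers a password (only a hash is stored);
# it resets it and forces a change at next logon.
function Reset-UserPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $temp   = New-OneTimePassword
    $secure = ConvertTo-SecureString $temp -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Same as leaving "User Must Change Password at Next Logon" checked.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    # Clear any lockout left over from the failed attempts that usually
    # precede a "forgot my password" call (Step 7e).
    Unlock-ADAccount -Identity $SamAccountName
    return $temp   # hand over out of band; it is invalid after first sign-in
}

# Step 7: disable, do not delete. The object and its SID stay available for
# forensics; the description records when and why it was disabled.
function Retire-UserAccount {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Reason = 'left the organization')
    $user = Get-ADUser -Identity $SamAccountName -Properties Description, MemberOf
    Disable-ADAccount -Identity $user
    $stamp = (Get-Date).ToString('yyyy-MM-dd')
    Set-ADUser -Identity $user -Description "DISABLED $stamp - $Reason (was: $($user.Description))"
    # Beyond the lab: drop group memberships so an accidental re-enable
    # grants no access until someone deliberately adds them back.
    foreach ($g in $user.MemberOf) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
    # The "special OU created for that very purpose" mentioned in Step 7.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
}

# Step 7f: a contractor account that disables itself on the contract end
# date, so nobody has to remember to do it.
function Set-ContractorExpiry {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][datetime]$EndDate)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $EndDate
}

# The states the Account tab shows one user at a time, for the whole domain.
function Get-AccountStatusReport {
    [pscustomobject]@{
        Disabled     = @(Search-ADAccount -AccountDisabled -UsersOnly).SamAccountName
        Expired      = @(Search-ADAccount -AccountExpired  -UsersOnly).SamAccountName
        LockedOut    = @(Search-ADAccount -LockedOut       -UsersOnly).SamAccountName
        ExpiringSoon = @(Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 14) -UsersOnly).SamAccountName
    }
}

# Example run (placeholder account names):
Reset-UserPassword   -SamAccountName 'jdoe'
Set-ContractorExpiry -SamAccountName 'acme-hvac' -EndDate (Get-Date).AddDays(30)
Retire-UserAccount   -SamAccountName 'jdoe' -Reason 'resigned'
Get-AccountStatusReport
```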


Step 8 Move, rename, and delete user accounts.

a.   Move the non-admin user to the Staff OU and then back to the Students OU. AD objects (for example, user account objects) can be moved in the same ways you moved OUs earlier.

b.   Right-click the non-admin user account object and select Properties (or just double-click the user account object). Change the value in the Office: field. You’ll notice that it appears to be just as easy to change values related to the various parts of the name of the user, but that’s not the case. Click the OK button to close the Properties window.

c.   There could be many reasons why a systems administrator would need to change name-related information about a user (for example, a female employee got married and now has a new last name). Right-click the user object and select Rename. Delete the existing last name by pressing the RIGHT ARROW key and then the backspace key as many times as necessary. Replace the original last name with the new last name. Press ENTER, and a Rename User dialog box will open up, showing the new value in the Full Name: field. Now you have to change the value in the Last Name: field to match the new last name. Add the initial and period back to the Display Name: field value. Finally, change the User Logon Name: value to match the first letter of the last name. All of this is quite bizarre, as making property changes was how the values were populated and linked together in the first place. Now you have to go through many obstacles to change the user’s name. Click the OK button to finally be done.

d.   Create a third user in any OU. Fill in any information you want during the user account creation. Right-click the user account object (make sure you’re right-clicking the third user you just created) and select Delete. In the dialog box, click the Yes button. This is an irreversible action. Each object in AD has a security identifier (SID) that uniquely identifies it. It’s not the name of the object but rather the SID that uniquely identifies it. That means if you have a user named Bob, delete the user account object Bob, and then create a new user named Bob, the new Bob account isn’t tied to anything related to the old Bob account in terms of encryption, permissions, or access.

As mentioned earlier, for forensic purposes, accounts should be disabled rather than deleted. However, corporate policies might dictate how long to keep disabled accounts around before they are deleted. Over time, having too many of these orphaned accounts, as they’re known, could cause lots of confusion in AD.

Note

There happens to be an Active Directory Recycle Bin, which might save you if you accidentally delete the wrong user account object. However, this special AD Recycle Bin is disabled by default. Furthermore, if it is enabled, it could still be emptied at some point by another systems administrator. Be careful when deleting objects in AD.


Step 9 In a large environment, it might be helpful to filter certain items out of the Active Directory Users and Computers display. Try it now.

a.   In the menu bar at the top of Active Directory Users and Computers, click View | Filter Options… and then select the radio button next to Show Only the Following Types of Objects:.

b.   Put a check in the box next to Computers and click the OK button. In the Desktops OU inside of the Students OU inside of the Clients OU inside of the Canandaigua OU, you’ll still be able to see the computer object. However, none of the other objects you created in other OUs will be visible.

c.   To return to the normal view, go back to the Filter Options window and enable the radio button next to Show All Types of Objects.


Step 10 Entering as much information as possible in the various fields on the various tabs of AD objects allows you to find what you’re looking for with ease.

There are multiple ways with various options in the Find dialog box to locate AD objects quickly. You’ll do that now.

a.   In Active Directory Users and Computers, right-click the domain name and select Find.

b.   In the Find: dropdown, keep the default selection of Users, Contacts and Groups. For the In setting, leave the default domain name or choose Entire Directory. Since you only have one domain set up, both choices will yield the same results.

c.   In the Name: textbox, type Domain and then click the Find Now button to see users, contacts, and groups that start with Domain.

d.   Click the dropdown to see other objects you can search by. Pick one of the choices and perform a search by entering corresponding information in the Name: textbox and clicking the Find Now button. Click the OK button warning you that your current search results will be cleared.

e.   Click the Clear All button to clear the current search results and then click the OK button.

f.   Change the Find: selection back to Users, Contacts, and Groups if you changed it in Step 10d. Click the Advanced tab and then click the Field button. Mouse over User and select Last Name. Click the Condition: dropdown and look through the choices, but keep the default selection of Starts With. In the Value: textbox, enter the first letter of the last name of one of your users and then click the Find Now button. Click the Yes button in the popup to add the current criteria to your search. Multiple criteria can be used for a more specific search.

g.   Right-click the result in the Search Results: section. You’ll see the same contextual menu you saw in Active Directory Users and Computers, which gives you the ability to perform account management on the search results from here.

90 MINUTES

Lab Exercise 14.04: Permissions and Shares

Windows NTFS (New Technology File System) permissions are used to secure folders and files by granting rights to resources just to authorized users.

There are five basic NTFS file permissions:

•   Read Allows users to read the contents of a file as well as view attributes, ownership, and permissions.

•   Write Allows everything in Read and also allows users to make changes to the contents of a file and to change file attributes.

•   Read & Execute Allows everything in Read and also allows users to run a file. This permission is granted to program executable files.

•   Modify Allows users everything in Read, Write, and Read & Execute, and also allows users to modify a file’s attributes (including Archive, Hidden, System, Read-only, Compressed, Encrypted, and others) as well as to delete a file.

•   Full control Allows everything in Modify and also allows users to change the permissions or change the owner of a file.

There are six basic NTFS folder permissions (the five NTFS file permissions, with new meanings for folders, and a permission unique to folders):

•   Read Allows users to view and list the contents of a folder.

•   Write Allows users to add files and subfolders to a folder.

•   Read & Execute Allows users to view and list the contents of a folder and execute program executable files in the folder.

•   Modify Allows users to read and create files and subfolders, modify a folder’s attributes, and delete a folder.

•   Full control Allows everything in Modify but also allows users to change the permissions or change the owner of a folder as well as delete subfolders and files in subfolders.

•   List Folder Contents Allows users just to list the contents of a folder but not view the contents of those files and subfolders like Read does.

Advanced permissions include Traverse folder / Execute File, List folder / Read Data, Read Attributes, Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files (just for folders), Delete, Read Permissions, Change Permissions, and Take Ownership.

Let’s say there is a folder called Accounts 2020. On that folder, the Human Resources group has FC (Full Control), the Managers group has RW (Read, Write), and the Engineers group has RX (Read, Execute). If Bob is a member of all three groups, he gets the highest level of permissions, FC.

An exception to that rule is if there is a Deny permission from one of the groups. Let’s say the Managers group has a Deny instead of RW. Now, Bob has no permissions because that group Deny will override all other group settings that Bob would be getting from the Engineers and Human Resources groups.

A way around this is to give the user individual permissions to the folder. Let’s say the Bob user account was given FC to the folder. Now, even with the Deny from the Managers group, Bob will have FC to the folder. Individual user permissions will override a group Deny permission.

NTFS permissions can be assigned to files and folders, but share permissions can only be assigned to folders, and they are inherited by the files and subfolders inside. Share permissions only apply when users are remotely connected, which means accessing those shared folders from machines other than the ones the folders are stored on. Share permissions, like NTFS permissions, are additive, which gives users the highest level of permissions from the groups of which they are members. Share permissions, like NTFS permissions, use a group Deny to override group permissions, and they use individual permissions to override a group Deny permission.

When a folder is shared, it can be accessed from other machines if users have the correct share permissions set through group and/or user permissions. Unlike the many NTFS permissions for both files and folders, there are only three share permissions, and they only apply to folders, not files:

•   Read Allows users to see names of files and subfolders, see contents of files, and run programs. The Everyone group, by default, gets the Read permission.

•   Change Includes everything granted with the Read permission and also allows users to add files and subfolders, change the contents of files, as well as delete files and subfolders. Change is not assigned by default to any group.

•   Full Control Includes everything granted by both the Read and Change permissions and also allows users to change NTFS permissions for files and folders. The Administrators group, by default, gets the Full Control permission.

Naturally, it’s possible for NTFS and share permissions to conflict. Two simple rules dictate what happens in such a situation. First, the local permissions are the NTFS permissions alone. Second, the more restrictive of the NTFS and share permissions becomes the remote permission.

Consider the following example, where a user is a member of Group 1, Group 2, and Group 3. The Share permissions and NTFS permissions are for each group.

[Table: Share and NTFS permissions for Group 1, Group 2, and Group 3]

If a user is in all three groups, what do they have? There is a three-step solution:

1.   Add up permissions in each column individually and find the highest. The highest share permission is Read. The highest NTFS permission is FC.

2.   Share permissions only apply when remote, not local. If a user is accessing the folder locally, only NTFS applies, so FC is the local permission.

3.   The remote permission is the more restrictive of Share and NTFS. Between R and FC, R is more restrictive, so R is the remote permission.

Try another one:

[Table: Share and NTFS permissions for Group 1, Group 2, and Group 3 (second example)]

The highest Share permission is FC, while the highest NTFS permission is R.

The local permission would be R. The remote permission would be R, as well, because R is more restrictive than FC.

Try one last one:

[Table: Share and NTFS permissions for Group 1, Group 2, and Group 3 (third example)]

The highest Share permission is FC, while the highest NTFS permission is RWX.

Local permissions would be RWX (R from all three groups, X from Group 2, and W from Group 3). Remote permissions would also be RWX, because RWX is more restrictive than FC.
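The combination rules from this section (additive group permissions, a group Deny overriding them, an explicit user permission overriding the Deny, and the more restrictive of share and NTFS applying remotely) written out as a small calculator. This is an added example, not from the lab manual; it uses the same letter abstraction as the worked examples above (R, W, X, FC, Deny) and treats FC as every right, so "more restrictive" becomes the set of rights both columns grant. The per-group values for the first worked example are constructed, since the original table is not reproduced here.

```powershell
# Added example (not from the lab manual): the lab's permission rules as code.
# Rights are letters; FC is every right (D = delete, P = change permissions/owner).
$Rights = @{
    'R'   = @('R');        'W'  = @('W');        'X'  = @('X')
    'RW'  = @('R','W');    'RX' = @('R','X');    'RWX' = @('R','W','X')
    'FC'  = @('R','W','X','D','P')
}

function Format-Rights([string[]]$set) {
    # Print a right set the way the lab does: 'None', 'R', 'RWX', 'FC', ...
    if (-not $set -or @($set).Count -eq 0) { return 'None' }
    $sorted = @(@('R','W','X','D','P') | Where-Object { $set -contains $_ })
    if ($sorted.Count -eq 5) { return 'FC' }
    return -join $sorted
}

function Combine-Acl {
    # $GroupAces: group name -> level ('R','RW','RX','FC','Deny', ...)
    # $UserAce:   an explicit level on the user account, or omitted
    param([hashtable]$GroupAces, [string]$UserAce)
    $allows = @(); $denied = $false
    foreach ($level in $GroupAces.Values) {
        if ($level -eq 'Deny') { $denied = $true }        # rule 2 below
        else                   { $allows += $Rights[$level] }  # rule 1: additive
    }
    if ($denied)  { $allows = @() }               # rule 2: a group Deny wins over all group Allows
    if ($UserAce) { $allows += $Rights[$UserAce] } # rule 3: explicit user permission overrides the Deny
    return @($allows | Select-Object -Unique)
}

function Get-EffectiveAccess {
    param([hashtable]$ShareAces, [hashtable]$NtfsAces,
          [string]$UserShareAce, [string]$UserNtfsAce)
    $share = @(Combine-Acl $ShareAces $UserShareAce)
    $ntfs  = @(Combine-Acl $NtfsAces  $UserNtfsAce)
    # Local access: share permissions do not apply, NTFS alone decides.
    # Remote access: the more restrictive of the two, i.e. only the rights
    # granted by BOTH the share and NTFS.
    $remote = @($ntfs | Where-Object { $share -contains $_ })
    [pscustomobject]@{
        Share  = Format-Rights $share
        NTFS   = Format-Rights $ntfs
        Local  = Format-Rights $ntfs
        Remote = Format-Rights $remote
    }
}

# Worked example 1 (constructed per-group values; highest share R, highest NTFS FC):
# expected Local = FC, Remote = R
Get-EffectiveAccess -ShareAces @{Group1='R'; Group2='R'; Group3='R'} `
                    -NtfsAces  @{Group1='R'; Group2='FC'; Group3='RW'}

# Worked example 3 (R from all three groups, X from Group 2, W from Group 3):
# expected Local = RWX, Remote = RWX
Get-EffectiveAccess -ShareAces @{Group1='FC'; Group2='R'; Group3='R'} `
                    -NtfsAces  @{Group1='R'; Group2='RX'; Group3='RW'}

# Accounts 2020: Bob in Human Resources (FC), Managers (Deny), Engineers (RX).
# expected NTFS = None ...
Get-EffectiveAccess -ShareAces @{Everyone='R'} `
                    -NtfsAces  @{HumanResources='FC'; Managers='Deny'; Engineers='RX'}
# ... and FC once Bob's own account is granted FC on the folder.
Get-EffectiveAccess -ShareAces @{Everyone='R'} `
                    -NtfsAces  @{HumanResources='FC'; Managers='Deny'; Engineers='RX'} `
                    -UserNtfsAce 'FC'
```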

Learning Objectives

In this lab exercise, you’ll deal with local and remote permissions in relation to a shared folder. At the end of this lab exercise, you’ll be able to

•   Create, publish, and access a shared folder

•   Configure and test share permissions

•   Configure and test NTFS permissions

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Windows Server 2019 VM you installed in Chapter 1

•   The Windows 10 VM you installed in Chapter 1

Let’s Do This!

This lab exercise requires the previous three lab exercises to be fully completed and builds upon them.


Step 1 Make a folder and share it.

a.   Click the Start button or in the search box, type This PC, and then click This PC. Double-click the Local Disk C:. In a blank area in the folder, right-click, mouse over New, select Folder, type SecurityPlus (the + sign can be used in a folder name but not in a shared folder name) for the folder name, and press ENTER.

b.   Right-click the folder and select Properties.

c.   Click the Sharing tab, shown in Figure 14-5a, and then click the Advanced Sharing… button (not the Share… button above the Advanced Sharing… button) to open the Advanced Sharing settings shown in Figure 14-5b.


FIGURE 14-5 Sharing a folder by clicking the Advanced Sharing… button (a), checking the Share this folder checkbox (b), and keeping the default Read permission for Everyone (c).

d.   Click the Share This Folder box. The Share Name: textbox will automatically fill in the name of the folder.

e.   Click the Permissions button. Notice that the Everyone group has just the Read permission and no user or group has anything else, as shown in Figure 14-5c. Click the OK button to close the Permissions window. Click the OK button to close the Advanced Sharing window.

f.   Click the Security tab for NTFS permission configuration.

g.   Highlight items in the Group or User Names: section to see their corresponding permissions in the Permissions section. You’ll notice that the Users group has Read & Execute, List Folder Contents, Read, and Special Permissions.

h.   Click the OK button to close the Permissions window. Click the OK button to close the Advanced Sharing window. Click the Close button to close the Properties window.


Step 2 Publish the shared folder in AD.

a.   Open Active Directory Users and Computers. Expand the current domain and right-click the File Servers OU in the Servers OU in the Canandaigua OU. Mouse over New and select Shared Folder.

b.   In the New Object – Shared Folder dialog box, type SecurityPlus for the name of the folder (although the AD name does not need to match the name of the folder). Then type the Universal Naming Convention (UNC) path to the share (I typed \\WEISSMAN-SERVER\SecurityPlus). Click the OK button.

c.   Right-click the shared folder object and select Rename. Change the name to Security+ and press ENTER. Some objects, like shared folders, can be easily renamed in this fashion. If you try to rename other types of objects the same way, different things will happen. For example, if you right-clicked a user account object and selected Rename, after typing in a new name, a Rename User window will open, with the new name in the Full Name: field. You’d be able to change other values in the window and would have to click the OK button to finish. In fact, we did just that earlier in this chapter.

d.   Right-click the shared folder object and then select Properties (or just double-click the object). In the Description: textbox, enter CompTIA Security+ Study Material.

e.   Click the Keywords… button. In the New Value: textbox, enter CompTIA and then click the Add button. In a similar fashion, add three more keywords. Click the OK button to close the Keywords window. Click the OK button to close the Properties window.


Step 3 Populate the shared folder.

a.   From the Windows Server 2019 VM, create a folder inside the SecurityPlus shared folder. Inside of the new folder, right-click a blank area, mouse over New, and select Text Document. Type a name for the file and press ENTER. Double-click the text file icon and populate it with some text. Click the View tab on the menu bar, and in the Show/Hide section, put a check in the box next to File Name Extensions so that the .txt extension is now showing for your text file.

b.   Create a text file, populated with some text, directly inside the SecurityPlus shared folder as well.


Step 4 Access the share remotely.

a.   Sign in to the domain from the Windows 10 VM as the non-admin user.

b.   Search for and select This PC, double-click Network in the left pane, select the Network tab at the top, and click Search Active Directory. In the Find dropdown, select Shared Folders. Search for the share either by name or one of your keywords, clicking the Find Now button to perform the search. Right-click the result and select Explore.

c.   Try to create files and folders inside the share. Try to delete files and folders inside the share. The Read remote permission, of course, does not allow for any of those actions.

d.   Try to read the contents of the text files. The Read remote permission does allow you to do so.

e.   Try to modify the contents of the text files. Once again, you’ll be denied with just the Read remote permission.

f.   Now, remotely sign in as the admin user. Even though this user is the owner of the files and folders in the share, has Full Control, and is a member of the Domain Admins group, Read is still the more restrictive of the share/NTFS permissions. As a result, this admin user has the same level of remote access to the shared folder as the non-admin user: the Read permission.

g.   That same admin user account is currently signed in locally to the server. As a result, when locally accessed, that user has Full Control, which allowed the user to create the folder and files there in the first place. From the local access to the Windows Server 2019 VM, try deleting the text file directly in the shared folder (which you weren’t able to do remotely). It will work now because the user has Full Control for NTFS local access. Try adding, deleting, renaming, or modifying something else in the shared folder from the local access. There won’t be any problems.


Step 5 Modify share permissions.

a.   On the Windows Server 2019 VM, click the Start button or in the search box, type This PC, and then click This PC. Double-click the Local Disk C:.

b.   Right-click the SecurityPlus shared folder and select Properties.

c.   Click the Sharing tab and then click the Advanced Sharing button.

d.   Click the Permissions button, the Add button, the Advanced… button, and the Find Now button. Double-click the Domain Admins group and click the OK button. Put a check in the Full Control checkbox in the Allow column.

e.   Click the OK button to close the Permissions window. Click the OK button to close the Advanced Sharing window. Click the Close button to close the Properties window.
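Steps 1, 2, and 5 of this lab done from PowerShell with the SmbShare and ActiveDirectory modules, including a side-by-side dump of the share and NTFS permission lists so the "more restrictive wins remotely" rule can be read straight off the output. This is an added example, not from the lab manual; the server name and OU path follow the lab, and the domain components are assumptions to replace.

```powershell
# Added example (not from the lab manual). Run on the Windows Server 2019 VM
# as the domain admin user. Server name and OU layout follow the lab; the
# DC= components are assumed.
Import-Module SmbShare
Import-Module ActiveDirectory

$FolderPath    = 'C:\SecurityPlus'
$ShareName     = 'SecurityPlus'     # '+' is legal in a folder name, not in a share name
$UncPath       = "\\WEISSMAN-SERVER\$ShareName"
$FileServersOU = 'OU=File Servers,OU=Servers,OU=Canandaigua,DC=weissman,DC=local'

# Step 1: create the folder and share it. Everyone: Read is the default
# share permission; it is written explicitly here so the intent is visible.
function New-LabShare {
    if (-not (Test-Path $FolderPath)) {
        New-Item -ItemType Directory -Path $FolderPath | Out-Null
    }
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $FolderPath -ReadAccess 'Everyone' | Out-Null
    }
}

# Steps 1e-1g: the two permission lists that combine into remote access.
function Show-LabSharePermissions {
    Write-Host "Share permissions for \\$env:COMPUTERNAME\$ShareName"
    Get-SmbShareAccess -Name $ShareName |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
    Write-Host "NTFS permissions on $FolderPath"
    (Get-Acl -Path $FolderPath).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

# Step 2: publish the share in AD. A published share is a 'volume' object;
# uNCName holds the path and keywords make it findable (Step 4b).
function Publish-LabShare {
    $existing = Get-ADObject -SearchBase $FileServersOU `
        -Filter "objectClass -eq 'volume' -and name -eq 'Security+'"
    if ($existing) { return $existing }
    New-ADObject -Type volume -Name 'Security+' -Path $FileServersOU -PassThru -OtherAttributes @{
        uNCName     = $UncPath
        description = 'CompTIA Security+ Study Material'
        keywords    = @('CompTIA', 'Security+', 'study', 'lab')
    }
}

# Step 5: Domain Admins get Full Control on the share. Everyone keeps Read,
# so the non-admin user's remote access does not change.
function Grant-LabShareAdminAccess {
    $netbios = (Get-ADDomain).NetBIOSName
    Grant-SmbShareAccess -Name $ShareName -AccountName "$netbios\Domain Admins" `
        -AccessRight Full -Force | Out-Null
}

New-LabShare
Publish-LabShare | Out-Null
Grant-LabShareAdminAccess
Show-LabSharePermissions
```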


Step 6 Access the share remotely with the new permissions.

a.   You should still be signed in to the domain through the Windows 10 VM as the admin user. This time, you’ll access the shared folder in a different way.

Search for and select This PC and then double-click Network from the left pane. In the Computer section, in the right pane, you should see an icon and name of your Windows Server 2019 VM. Double-click it. You’ll see your shared folder, in addition to two default shared folders. The sysvol shared folder is used to deliver and store policy scripts and logon scripts to domain members. If there are logon scripts, they would be stored in the netlogon shared folder. Interestingly, according to https://social.technet.microsoft.com/wiki/contents/articles/8548.active-directory-sysvol-and-netlogon.aspx, the netlogon shared folder is not actually a folder named netlogon on the domain controller, but rather just a folder where all the logon scripts are stored.

If you don’t see your Windows Server 2019 VM from the Windows 10 VM Network applet, try opening the Network applet from the Windows Server 2019 machine. You will be prompted to turn Network Discovery on. Follow the multiple prompts. After that, the icon should be visible from the Windows 10 VM in the Network applet.

b.   Double-click the SecurityPlus shared folder.

c.   Try adding, deleting, renaming, or modifying anything in the shared folder. Now, remotely, those actions work because the user account is a member of the Domain Admins group, which was just granted the Full Control share permission. The admin user has the local NTFS Full Control and now the remote share Full Control, so the most restrictive of the two is… Full Control, which obviously isn’t restrictive at all.

3 HOURS

Lab Exercise 14.05: Group Policy Objects

Allowing any user to install any piece of software on their machine or make any desired change can have significantly adverse effects. Incorrect configuration can cause many hours of troubleshooting and fixing for systems administrators and can cause other issues to crop up. Deleting files to have more space on the hard drive, when some files could be required system files, could be catastrophic. Changing TCP/IP settings, Desktop settings, and other settings could cause big problems to follow. In an enterprise environment, users do not need all rights and privileges an operating system allows them. Once again, the principle of least privilege must reign.

Group Policy objects (GPOs) are rules that can be applied to AD objects at the site, domain, and OU levels to restrict actions by users and computers and to customize settings. Inheritance allows GPOs to flow down from sites to domains and from domains to OUs. They apply cumulatively, and if there is a conflict, the settings in the last-applied GPO win.

GPO configuration information is stored in two locations: the Group Policy container (GPC) and the Group Policy template (GPT). The GPC can be seen in the Policies container in the System container in Active Directory Users and Computers if Advanced Features is turned on. GPOs are identified by a globally unique identifier (GUID), so you technically can have multiple GPOs with the same name. Attributes of the GPO include its name, its ACL (access control list, which specifies who can modify the contents), and its status. The GPT consists of folders and files in the sysvol share (seen earlier), where most GPO settings are actually stored. Depending on the setting, a GPO’s data may be stored in the GPC only, the GPT only, both, or neither.

Learning Objectives

In this lab exercise, you’ll solidify the hardening of the domain with the use of GPOs. At the end of this lab exercise, you’ll be able to

•   Create GPOs

•   Apply GPOs

•   Test GPOs

Lab Materials and Setup

The materials you need for this lab are

•   The Principles of Computer Security: CompTIA Security+ and Beyond textbook

•   The Windows Server 2019 VM you installed in Chapter 1

•   The Windows 10 VM you installed in Chapter 1

Let’s Do This!

This lab exercise requires the previous four lab exercises to be fully completed and builds upon them.


Step 1 Explore and modify the Default Domain Policy.

a.   On the Windows Server 2019 VM, from Server Manager, click Tools and select Group Policy Management.

b.   In the left pane of the Group Policy Management Console (GPMC) that opens, which displays Group Policy Management in the title bar, expand the forest and the domain, to see all the OUs.

c.   A Default Domain Policy GPO exists for each domain in a forest, which represents the main way security settings, like password expiration and account lockout (which locks an account after a certain number of incorrect guesses so that a brute force password guessing attack can’t run until a correct password is found) are implemented. Through a domain policy, you can configure multiple password settings (for example, how often users must change their passwords, password length, the number of unique passwords that must be used before a user can reuse one, and password complexity).

Right-click Default Domain Policy (which will be right under your domain) and select Edit. Put a check in the dialog box that pops up, and select OK to not get the prompt again.

d.   GPO settings fall into one of two initial categories: Computer Configuration and User Configuration. Computer Configuration and User Configuration can each be broken down further into one of two categories: Policies and Preferences. Policies can be broken down further into three categories (click the arrows in the left pane to expand): Software Settings, Windows Settings, and Administrative Templates. Preferences can be broken down to Windows Settings and Control Panel Settings.

In the Group Policy Management Editor (GPME) window that opens, in the left pane, expand Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies, and Password Policy. Navigating can also be accomplished by double-clicking the same selections in the right pane. Select Password Policy in the left pane to display the various policies and their settings in the right pane.

e.   In the right pane, one at a time, double-click each policy, including Enforce Password History, Maximum Password Age, Minimum Password Age, Minimum Password Length, Password Must Meet Complexity Requirements (this is why your passwords were required to be complex all chapter long), and Store Passwords Using Reversible Encryption. Explore the Security Policy Setting and Explain tabs for each policy.

f.   In the right pane, double-click the Minimum Password Length setting.

In the Security Policy Setting dialog box, make sure the box labeled Define This Policy Setting Option is checked. Increase the Password Must Be At Least value to eight characters.

A GPO applied to an OU with differing settings would override anything set at the domain level here.


Step 2 Prohibit access to the Control Panel with a user configuration GPO.

a.   In the left pane of the GPMC, right-click the Students OU in the Users OU in the Canandaigua OU. Select Create a GPO in This Domain, and Link It Here….

b.   In the Name: textbox, type Prohibit Control Panel Access and click the OK button.

c.   In the left pane, with the Students OU expanded, right-click Prohibit Control Panel Access.

Link Enabled (which will be selected) means that the GPO is linked to the OU and that its settings are applied to all objects inside the OU. If the check isn’t next to Link Enabled (it’s a toggle selection), it means that the GPO is assigned to the OU but no settings apply or are in effect.

Enforced means that the policy is assigned and no other GPOs can overwrite its settings or block inheritance from a parent OU. The Enforcing setting is seldom used and is off by default.

Select Edit….

d.   In the GPME window that opens, in the left pane, expand User Configuration, Policies, Administrative Templates, and Control Panel. In the right pane, right-click Prohibit Access to the Control Panel and PC Settings and then select Edit. Alternatively, you can double-click Prohibit Access to the Control Panel and PC Settings.

Unlike a light switch, which can be in the on position or the off position (like binary digits representing one of two possible values), most Group Policy items actually have three possible settings:

•   Enabled means that a GPO setting has been configured, as some settings require setting a value or option.

•   Disabled means that a GPO setting is disabling an option for a user or computer to prevent certain actions.

•   Not Configured means a setting isn’t enabled or disabled, which is the default option for most settings. While the GPO that has Not Configured set doesn’t specify an option, other GPOs or security settings might.

For example, let’s say there’s a policy that enables the installation of signed non-Microsoft updates. Enabled means set the Registry value AcceptTrustedPublisherCerts to 1. Disabled means set it to 0. Not Configured means don’t change the current settings of what the client has already. If you had the setting at Enabled or Disabled and you switch to Not Configured, the Registry key will actually be deleted.

Sometimes, additional information (for example, how many incorrect logon attempts can be made before an account gets locked) needs to be provided.

In this case, Prohibit Access to Control Panel and PC Settings is Not Configured.

Select the Enabled radio button and then click the OK button.

Some Group Policy changes won’t take effect until a new sign-on, and some settings may even require the rebooting of a machine. GPOs are reapplied every 90 minutes, but there is a random offset of 0 to 30 minutes added to this time interval. That means a GPO addition or modification could be applied as early as 60 minutes after or as late as 120 minutes after. Not all settings are reapplied automatically (for example, software settings and password policies).

If you can’t wait for 60–120 minutes and you can’t tell your users to sign out and then sign in again, there are three options. First, on each client machine, the gpupdate command can be entered from a command prompt, which will apply just new and modified GPOs. To apply all GPOs, use the gpupdate /force command.

Second, from an Administrative PowerShell instance on the DC, you could run the following two commands. The first puts all computers in the domain into a variable, while the second pushes out the update.

$computers = Get-ADComputer -Filter *

$computers | ForEach-Object -Process {Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 0 -Force}

Note

The second command is typed on one line, without pressing ENTER until after the closing brace.

Third, right-clicking an OU and selecting Group Policy Update is an option, but the GPMC doesn’t push the update out right away and requires other policy rules to be enabled, so this third option isn’t usually chosen.

e.   From the Windows 10 VM that's currently signed in to the domain, click the Start button or click in the search box, type cmd, and then select Command Prompt. Type gpupdate and press ENTER.

You’ll see the following:

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Sign out and then sign in again as the non-admin user. Click the Start button or click in the search box, type Control Panel, and then click Control Panel. You'll see a popup with the message, "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator," as shown in Figure 14-6.


FIGURE 14-6 GPO prohibiting Control Panel access

f.   From the Windows 10 VM, sign in as the admin user and access the Control Panel. This user is not in the OU that the GPO is applied to, and the Control Panel will open without a problem.
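The Step 2 procedure and the three-state explanation above, as an added example in PowerShell (not code from the lab manual): it creates and links the GPO, maps Enabled, Disabled and Not Configured onto the registry value behind the policy, reads the state back, and pushes a user-policy refresh to the computers in the Clients OU instead of waiting for the background interval. It assumes the GroupPolicy and ActiveDirectory modules on the DC; the domain DN is a placeholder.

```powershell
# Added example, not from the lab manual: Step 2 in PowerShell plus the
# Enabled / Disabled / Not Configured mapping. Assumes an elevated session on
# the DC with the GroupPolicy and ActiveDirectory modules (RSAT); the domain
# DN below is a placeholder to substitute.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN   = 'DC=example,DC=local'   # placeholder
$StudentsOU = "OU=Students,OU=Users,OU=Canandaigua,$DomainDN"
$ClientsOU  = "OU=Clients,OU=Canandaigua,$DomainDN"
$GpoName    = 'Prohibit Control Panel Access'

# Registry value behind "Prohibit Access to Control Panel and PC Settings"
# (User Configuration > Administrative Templates > Control Panel).
$PolicyKey   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyValue = 'NoControlPanel'

# Steps 2a-2b: create the GPO and link it to the Students OU (link enabled).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $StudentsOU -LinkEnabled Yes | Out-Null
}

# Step 2d: the three states map onto the registry value like this:
#   Enabled        -> value present, set to 1
#   Disabled       -> value present, set to 0
#   Not Configured -> value absent (the client keeps whatever it already has)
function Set-ControlPanelPolicy {
    param([ValidateSet('Enabled', 'Disabled', 'NotConfigured')][string]$State)
    switch ($State) {
        'Enabled'  { Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -Type DWord -Value 1 | Out-Null }
        'Disabled' { Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -Type DWord -Value 0 | Out-Null }
        'NotConfigured' {
            try { Remove-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -ErrorAction Stop | Out-Null }
            catch { }   # already absent: nothing to remove
        }
    }
}

# Read the state back from the GPO so a change can be verified before it is pushed.
function Get-ControlPanelPolicyState {
    try {
        $v = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue -ErrorAction Stop
    } catch { return 'NotConfigured' }
    if ($v.Value -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

Set-ControlPanelPolicy -State Enabled
"GPO '$GpoName' is now: $(Get-ControlPanelPolicyState)"

# Step 2e without waiting for the 90-120 minute refresh: schedule a user-policy
# refresh on every computer in the Clients OU (where the lab's Windows 10 VM lives).
Get-ADComputer -Filter * -SearchBase $ClientsOU | ForEach-Object {
    try {
        Invoke-GPUpdate -Computer $_.Name -Target User -RandomDelayInMinutes 0 -Force -ErrorAction Stop
        "Refresh scheduled on $($_.Name)"
    } catch {
        "Could not reach $($_.Name): $($_.Exception.Message)"
    }
}
```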


Step 3 Display a logon warning message with a user configuration GPO.

a.   In the GPMC, right-click the Clients OU in the Canandaigua OU, and select Create a GPO in This Domain, and Link It Here.

b.   In the Name: textbox, type Logon Warning and click the OK button.

c.   Expand the Clients OU, right-click the GPO, and select Edit.

d.   In the GPME that opens, in the left pane, expand the following: Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, and Security Options. Select Security Options. In the right pane, scroll down and double-click Interactive Logon: Message Text For Users Attempting To Log On. Read the Explain tab.

e.   Click the box Define This Policy Setting In The Template. In the textbox, type This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information.

Then click the OK button.

f.   Double-click Interactive Logon: Message Title For Users Attempting To Log On. Read the Explain tab.

g.   Click the box Define This Policy Setting In The Template. In the textbox, type WARNING: This system is restricted to authorized users.

Then click the OK button.

h.   In the Group Policy Management Console, in the left pane, click the Logon Warning GPO in the Clients OU. In the right pane, click the Settings tab at the top. Click the show links at the right to expand the sections of information related to this GPO, specifically the show link for Interactive Logon.

i.   On the Windows 10 VM, execute gpupdate.

j.   Sign out.

k.   Press any key, and you should see the message text and message title configured in your GPO, as shown in Figure 14-7. Click the OK button and sign in as the non-admin user.


FIGURE 14-7 Logon message

The Message Text and Message Title policies are used for legal purposes. They warn users (malicious or uninformed ones) about what might happen to them if they misuse organizational resources or information. They also let users know there could be accounting and auditing of their actions, helping reinforce written policies that users should have read. The Message Text and Message Title policies are also aimed at cybercriminals. No, an attacker won't say, "Oh shucks, I can't hack this one," and move on to another target. However, studies have shown a higher rate of successful prosecution with these warning messages. With this in mind, it's a good idea to have warning messages approved by a legal department and human resources.


Step 4 The GPOs made so far were immediately linked as they were created. Now you’ll be able to see that the GPOs are in fact objects that can be created and linked in separate steps.

Hide and disable all items on the desktop with a user configuration GPO.

a.   In the GPMC, in the left pane, expand the Group Policy Objects container. You’ll see the GPOs you’ve created so far, existing as individual objects. Now, expand the OUs that you’ve applied GPOs to already. You’ll notice the Logon Warning GPO in the Clients OU inside the Canandaigua OU as well as the Prohibit Control Panel Access GPO in the Students OU inside of the Users OU inside of the Canandaigua OU. If you’re not sure where or even if a GPO is applied, on the Settings tab, in the right pane, click the Show Link in the Links section.

Deleting a GPO from an OU (or domain or site) doesn’t remove it from the Group Policy Objects section. However, deleting a GPO from the Group Policy Objects section will, in fact, delete the GPO from the location where it is applied.

Applying the same GPO to multiple containers can be done easily from the Group Policy Objects section, as well.

b.   Right-click Group Policy Objects and select New.

c.   In the New GPO dialog box that appears, type Clean Desktop in the Name field. Click the OK button.

d.   Right-click Clean Desktop and select Edit.

e.   In the GPME that opens, in the left pane, expand the following: User Configuration, Policies, Administrative Templates, and Desktop. Select the Desktop item. In the right pane, double-click Hide And Disable All Items On The Desktop and then select the radio button next to Enabled. Click the OK button and then close the GPME.

f.   In the GPMC, right-click the Students OU in the Users OU in the Canandaigua OU. Select Link An Existing GPO….

g.   In the Select GPO dialog box, click Clean Desktop and then click the OK button.

h.   On the Windows 10 VM, execute gpupdate.

i.   On the Windows 10 VM, sign out and then sign in again as the non-admin user. The desktop will be very clean, and there will be no way to add anything to the desktop. Interestingly enough, if you navigate with Windows Explorer to the Desktop folder (C:\Users\%USERNAME%\Desktop), you will still be able to read and write from that folder, but nothing will appear on the desktop of the system.


Step 5 Before getting to the next GPO, you'll need to change a setting to get Internet access. Then, you'll download a browser. Finally, you'll be able to create a user configuration GPO that uses a specific image for the desktop wallpaper. It's common for an organization to present a uniform look on its machines, and the following steps take you through how it's done.

a.   From Server Manager, click Local Server in the left pane. In the Properties section at the top, in the right column, click On next to IE Enhanced Security Configuration. Select the radio buttons for Off in the Administrators: and Users: sections and then click the OK button.

b.   Since Internet Explorer is the only browser on the system by default and is “end of life” (EOL, not supported in terms of updates or security patches by Microsoft anymore), download and install another browser, like Chrome (www.google.com/chrome/) or Firefox (www.mozilla.org/en-US/firefox/windows/).

c.   Using the new browser, perform a Google search for Weissman Security+. Click the Images tab at the top to find the cover of this book. Click one of the thumbnails, and the regular-sized image will appear on the right. Right-click the image, select Save Image As…. Then select This PC, C:, and the SecurityPlus shared folder. Change the filename to bookcover.jpg and click the Save button.

d.   In the GPMC, right-click the domain and select Create a GPO in This Domain, and Link It Here.

e.   In the Name: textbox, type Desktop Wallpaper and click the OK button.

f.   Right-click the Desktop Wallpaper GPO, beneath the domain container, and select Edit.

g.   In the GPME that opens, in the left pane, expand the following: User Configuration, Policies, Administrative Templates, Desktop. Then select Desktop (this Desktop is nested inside the previous Desktop). In the right pane, double-click Desktop Wallpaper.

h.   Select the radio button next to Enabled.

i.   In the Options: section, specify the path in the Wallpaper Name: textbox, using UNC format like this (substituting your server name in place of WEISSMAN-SERVER):

\\WEISSMAN-SERVER\SecurityPlus\bookcover.jpg

The Options: section mentions that a local path specification works too, but there have been known issues with that.

Select Tile in the Wallpaper Style: dropdown. Click the OK button.

j.   Sign out from the Windows Server 2019 VM. Then sign in again as the admin user. Sign out from the Windows 10 VM. Then sign in again as the non-admin user. You should see the new wallpaper on each desktop.

There was a known Windows 10 bug related to this for users who have already logged in. Those users will (in most cases) see just a solid black background and not the image. If, for some reason, you’re seeing a black background on your Windows 10 VM desktop, make sure you selected Tile in the previous step. Depending on the resolution (right-click the desktop, select Display settings, and change the dropdown selection in the Resolution section), the image might not be in view if you didn’t select Tile and you left the default selection of Center. Change to a higher resolution, if so. Then go back and change the selection to Tile.

If that doesn't fix the black background, it's likely you're affected by the bug. In that case, go to %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Themes and delete the CachedFiles folder (and its contents) along with the TranscodedWallpaper file.

This issue seemingly has been fixed, but if you’re running an older release of Windows 10, you might need to perform the preceding instructions. Alternatively, just create a new user and sign in with that user.

Furthermore, if you have a failed sign-in, where the client can’t communicate with the domain controller and your client uses cached credentials for the domain, you could wind up with the black background, too. The aforementioned solution of deleting the folder and file can be used in that case, as well, to get the image to show as the wallpaper. Storing user credentials in the local cache on a computer allows users to sign in to a computer using domain cached credentials to access local resources when no domain controllers respond to sign-in requests.

If you still don’t see the image as the wallpaper, you may have typed in the path incorrectly or there’s a problem in the way you set up the shared folder that contains the image.


Step 6 Earlier you accessed a shared folder from an AD search as well as the Network applet. Now, you’ll make a mapped network drive to the shared folder, with a user configuration GPO, so users don’t need to go search for it.

a.   On the Windows Server 2019 VM, in the GPMC, right-click the domain, select Create a GPO in This Domain, and Link it Here….

b.   In the Name: textbox, type S: Drive. FLCC has an S: drive (S stands for Samples at FLCC) that faculty can write to, but students can only read from. This is one way that faculty can share resources with students.

c.   Right-click S: Drive in the left pane and select Edit….

d.   In the GPME that opens, in the left pane, expand the following: User Configuration, Preferences, Windows Settings, Drive Maps.

e.   Right-click Drive Maps, mouse over New, and select Mapped Drive. On the Action: dropdown menu, you can leave the default selection of Update or select Create. Both choices will do the same thing (Create) at this point.

f.   Click the ellipsis button next to the Location: textbox. A custom search will automatically find the SecurityPlus shared folder (with the object name of Security+ showing in the Name section) created earlier. Double-click to select it, which will populate the Location: textbox with the UNC format share name \\WEISSMAN-SERVER\SecurityPlus (substituting your server name in place of WEISSMAN-SERVER). Alternatively, you can type it in.

g.   Put a check in the Reconnect: box, which will keep the drive persistent and not remove it when a user signs out.

h.   In the Label As: textbox, type S: Drive, and then, in the dropdown next to the Use: radio button, select S:.

i.   Leave the Hide/Show This Drive and Hide/Show All Drives radio buttons at the default No Change selections and then click the OK button.

j.   On the Windows Server 2019 VM and the Windows 10 VM, in a command prompt, execute the gpupdate command.

k.   Create a domain local group named Faculty in the Faculty OU in the Groups OU in the Canandaigua OU. Create a domain local group named Students in the Students OU in the Groups OU in the Canandaigua OU.

l.   For the SecurityPlus folder, grant Full Control for both share and NTFS permissions to the Faculty group. For the SecurityPlus folder, grant just Read for both share and NTFS permissions to the Students group.

m.   Create a new user account in the Faculty OU and add that user account to the Faculty group. Add the existing user account in the Students OU to the Students group.

n.   Open This PC on each VM, and you’ll see the S: drive on each.

o.   From the Windows 10 VM, which should be signed in to the domain with your non-admin account that is now a member of the Students group, open the S: drive. Notice that you will be able to just read from the shared SecurityPlus folder.

p.   From the Windows Server 2019 VM, which should be signed in locally with your admin account that is in the Domain Admins group (which has Full Control to both share and NTFS permissions), open the S: drive. By design of Windows, that account in the Domain Admins group will not be able to do more than read when signed in locally. However, sign in with the admin user from the Windows 10 VM, and that admin user will be able to use the Full Control permissions on the S: drive granted to the Domain Admins group.

q.   Sign out of the Windows 10 VM and sign back in with the user account you created in the Faculty OU. This user will have the ability to modify the contents of the shared SecurityPlus folder, unlike the non-admin user in the Students group, which will only be able to read from the shared SecurityPlus folder.

Note

In the event that you see a message, “Could not reconnect all network drives,” and/or there is a red X on the icon for a shared drive in the Network Locations section of the This PC window, double-click it anyway, and it should work. Then, when you go back to This PC, you’ll notice the red X is gone and that green coloring is present, indicating that the drive is accessible.


Step 7 At FLCC, each user has their own U: drive (U for you, your drive), which is an individual shared folder that can act as a cloud for personal files, as you move from client machine to client machine in the domain. You will now make a user configuration GPO for that purpose.

a.   On the Windows Server 2019 VM, make a folder called UDrives off the root of the C: drive.

b.   Share the folder and give Everyone Full Control.

c.   In the Security tab, click the Edit… button, click the Add... button, in the Enter the Object Names to Select textbox, type Students, click the Check Names button, and then click the OK button. With Students selected in the Group or User Names: section, put a check in the Deny column for List Folder Contents. This will prevent users in the Students group from seeing the other user folders in the shared UDrives folder. The Deny will override the List Folder Contents they would be getting from being a member of the Users group, which has that permission by default. Click the OK button to close the permissions window and then read the Windows Security message related to how the deny permission works, as discussed earlier in this chapter. Then click the Yes button.

d.   Create folders that match the exact user logon names of the admin user and the non-admin user in the shared UDrives folder.

e.   Perform the following actions for each user (the admin user and the non-admin user) folder:

Right-click each user folder, select Properties, click the Security tab, click the Advanced button, click the Disable Inheritance button, and then select Remove All Inherited Permissions from This Object. Now, no one has any permissions.

Click the Add button, click Select a Principal, in the Enter the Object Name to Select textbox, type Domain Admins, click the Check Names button, and then click the OK button. Insert a check in the box next to Full Control. Click the OK button. This allows members of the Domain Admins group to do anything to the folder.

This will allow the Domain Admins group members to see the contents of the folders locally. Without this step, if members of the Domain Admins group try to see the contents of the users’ folders locally, even as a member of the Domain Admins group, those Domain Admins group members will face multiple denials when trying to click through. If signed in as a member of the Domain Admins group, you will be able to get through eventually, after clicking through messages like “You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder” and “You have been denied permission to access this folder. To gain access to this folder you will need to use the security tab.”

f.   For just the admin user’s folder, in Advanced Security Settings, click the Add button, click Select a Principal, type the user logon name, click the Check Names button, and click the OK button. Insert a check in the box next to Full Control. Click the OK button to close the Permission Entry window. Click the OK button to close Advanced Security Settings. Click the OK button to close Properties.

g.   For just the non-admin user’s folder in Advanced Security Settings, click the Add button, click Select a Principal, type the non-admin user logon name, click the Check Names button, and click the OK button. Insert a check in the box next to Modify. Click the OK button to close the Permission Entry window. This gives the non-admin user the permissions necessary for an individual shared folder and not a drop more, which would be included with Full Control. Click the OK button to close Advanced Security Settings. Click the OK button to close the properties.

h.   In the Group Policy Management Console, right-click the domain and select Create a GPO in This Domain, and Link It Here….

i.   In the Name: textbox, type U: Drives and click the OK button.

j.   Right-click U: Drives from the left pane and select Edit….

k.   In the GPME that opens, in the left pane, expand the following: User Configuration, Preferences, Windows Settings, and Drive Maps.

l.   Right-click Drive Maps, mouse over New, select Mapped Drive. On the Action: dropdown menu, you can leave the default selection of Update or select Create. Both choices will do the same thing (Create) at this point.

m.   In the Location: textbox, type in \\WEISSMAN-SERVER\UDrives\%USERNAME% (substituting your server name in place of WEISSMAN-SERVER), which will automatically resolve the %USERNAME% variable to each individual username, to match the shared user folder with the same name. This way, the GPO can apply to all users.

n.   Put a check in the Reconnect: checkbox, which will keep the drive persistent and not remove it when a user signs out.

o.   In the Label As: textbox, type U: Drive, click the dropdown next to the Use: radio button, and then select U.

p.   Leave the Hide/Show This Drive and Hide/Show All Drives radio buttons at the default No Change selections. Then click the OK button.

q.   On the Windows Server 2019 VM and the Windows 10 VM, execute the gpupdate command.

r.   Open This PC on each VM, and you’ll see the U: drive on each VM.

s.   From the Windows 10 VM, signed in as the non-admin user, create files and folders in the U: drive.

When the non-admin user is creating files and folders in that user's U: drive, watch locally (in real time) from the Windows Server 2019 VM directly from the user folder in C:\UDrives. Add, modify, and delete locally from the Windows Server 2019 VM and then watch (in real time) those changes reflected through the non-admin user's U: drive from the Windows 10 VM. To view the folder locally, you'll need to click the Continue button when a popup appears with the following message: "You don't currently have permission to access this folder. Click Continue to permanently get access to this folder."

t.   From the Windows Server 2019 VM, create files and folders in the admin user’s U: drive.

u.   Remotely, from the Windows 10 VM, go to \\WEISSMAN-SERVER (substituting your server name in place of WEISSMAN-SERVER) signed in as both the non-admin user and the admin user. From there, click the UDrives shared folder. The non-admin user, because of the Deny for List Folder Contents given earlier, will not be able to see folders in that shared folder, but the admin user will be able to, and, of course, will also be able to access and modify any file and folder in the hierarchy.
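The folder and permission setup of Steps 7a through 7g, as an added PowerShell example (not code from the lab manual), so that every user folder gets the same least-privilege ACL: share the root, deny the Students group the ability to list it, and give each user folder exactly two entries after cutting inheritance. It assumes an elevated session on the file server; the NetBIOS domain name and the two user names are placeholders.

```powershell
# Added example, not from the lab manual: Steps 7a-7g scripted. Assumes an
# elevated session on the file server (the DC in this lab). The domain NetBIOS
# name and the two user names are placeholders to substitute.
$Domain    = 'EXAMPLE'          # placeholder NetBIOS domain name
$Root      = 'C:\UDrives'
$ShareName = 'UDrives'
$Users     = @(
    @{ Name = 'admin-user';     Rights = 'FullControl' }   # placeholder: the admin user (7f)
    @{ Name = 'non-admin-user'; Rights = 'Modify'      }   # placeholder: the non-admin user (7g)
)

$SubtreeInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
$Propagation    = [System.Security.AccessControl.PropagationFlags]::None

# Build one access control entry (ACE) for a principal.
function New-Ace($Identity, $Rights, $Type, $Flags) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $Flags, $Propagation,
        [System.Security.AccessControl.AccessControlType]$Type)
}

# 7a-7b: create the root and share it with Everyone Full Control; NTFS does the real gating.
New-Item -Path $Root -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null
}

# 7c: members of Students must not see the other users' folders. The lab's Deny for
# List Folder Contents is scoped here to the root folder only; each user folder
# cuts inheritance below, so the deny never needs to be overridden inside them.
$rootAcl = Get-Acl -Path $Root
$rootAcl.AddAccessRule((New-Ace "$Domain\Students" 'ListDirectory' 'Deny' $ThisFolderOnly))
Set-Acl -Path $Root -AclObject $rootAcl

# 7d-7g: one folder per user, named exactly after the logon name, with inheritance
# disabled and inherited entries removed, then only Domain Admins and the user.
foreach ($u in $Users) {
    $path = Join-Path $Root $u.Name
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # "Remove All Inherited Permissions"
    $acl.AddAccessRule((New-Ace "$Domain\Domain Admins" 'FullControl' 'Allow' $SubtreeInherit))
    $acl.AddAccessRule((New-Ace "$Domain\$($u.Name)" $u.Rights 'Allow' $SubtreeInherit))
    Set-Acl -Path $path -AclObject $acl
}

# Verification: list the effective ACEs so a reviewer can confirm no extra principals crept in.
function Get-UDriveAces {
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $folder = $_.Name
        foreach ($ace in (Get-Acl -Path $_.FullName).Access) {
            [pscustomobject]@{
                Folder    = $folder
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}
Get-UDriveAces | Format-Table -AutoSize
```

Each user folder should show exactly two Allow entries, neither inherited; anything else means inheritance was not cut or an extra principal was added.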


Step 8 Often, it’s helpful to automatically save contents of common folders to a network share. For example, users might not be aware that the Documents folder is local to the machine they’re on, and if they move to another client machine, files saved to a Documents folder of another machine won’t be there. You will now make a user configuration GPO for that purpose.

a.   In the GPMC, right-click the domain and then select Create a GPO in This Domain, and Link It Here….

b.   Put Folder Redirection in the Name: textbox and click the OK button.

c.   Right-click the GPO and select Edit….

d.   In the GPME that opens, in the left pane, expand the following: User Configuration, Policies, Windows Settings, Folder Redirection (notice all the choices of folders that can be redirected), and Documents.

e.   Right-click Documents and select Properties.

f.   Select Basic – Redirect Everyone’s Folder to the Same Location.

g.   In the Target Folder Location dropdown, keep the default selection of Create a folder for Each User Under the Root Path.

h.   In the Root Path: textbox, enter \\WEISSMAN-SERVER\UDrives (substituting your server name in place of WEISSMAN-SERVER).

i.   Click the Yes button in the Warning popup dealing with legacy systems.

j.   Execute gpupdate from each VM.

k.   Remotely, from the Windows 10 VM, create files and folders in the Documents folder for the non-admin user and the admin user. Sign out and then sign in again, which will create a special Documents folder in each user's U: drive with the files and folders just created inside of it. After that, any changes made to the Documents folder can be seen in real time from the Windows Server 2019 VM.

Lab Analysis

1.   What is the relationship between a tree, domain, and forest?


2.   What is an object in AD?


3.   What are the differences between a group and an OU?


4.   What happens for remote access when there is a conflict between share permissions and NTFS permissions?


5.   To which three levels can GPOs be linked?


Key Term Quiz

Use the terms from the list to complete the sentences that follow.

bridgehead

computer

cumulative

deny

disabled

domain controller

domain local

enabled

global

global catalog

individual

not configured

universal

user

1.   A(n) ____________ has the AD DS role installed on it.

2.   A(n) ____________ server has full information for all AD objects.

3.   There is one ____________ server at each site.

4.   The three types of groups are ____________, ____________, and ____________.

5.   Permissions are ____________, but a group ____________ will override any permission granted from any group, which in turn can be overridden by ____________ user permissions.

6.   Group Policy configuration can be broken down into ____________ and ____________ categories.

7.   The three GPO settings are ____________, ____________, and ____________.
