
Introduction

A hypermarket is a superstore that combines a supermarket and a department store. Hypermarkets are usually very large because they sell not only groceries but also dry goods, furniture, home appliances, apparel, accessories and food items under one roof. The company's aim is mostly to sell in high volumes, because its profit margins are low. They usually have fewer branches, but the branches they have are widely spread. Some of the major hypermarkets around the world are:
Big Bazaar India
Carrefour Malaysia
Wal-Mart US
Tesco plc UK
Cold Storage, Giant, Sheng Siong Singapore
All these hypermarkets remain at the top of the list because of their quality of service and the variety of products they provide at cheaper prices. The main reason people are rushing towards hypermarkets is that they can get all kinds of products under one roof.
As the daily crowd in a hypermarket increases, the quality of service must increase too. This automatically creates a need for a well equipped, high performing IT infrastructure that gives 24/7 connectivity and high speed data transfer. Nowadays all the hypermarkets around the world have a developed IT infrastructure that serves various purposes.
Since our project is to design a network for a hypermarket, we are going to create our own hypermarket scenario, and its IT requirements are going to be implemented and configured.
KLHL Hypermarket
KLHL is one of the biggest and best-known hypermarket chains in Malaysia, and it is now planning to expand the chain to Singapore. The hypermarket scenario is going to have branches, where the product sales take place; warehouses, where goods are received, stored and then delivered to the branches; and a headquarters, which is the reporting point for sales and the warehouses. The headquarters is the final junction where all the decisions, such as price fixing for the products, the daily collection reports, employee information, and the goods received and to be transferred to the branches, are collected, updated, verified and processed.

Offices          No. of branches   No. of staff
Head Quarters    One               90
Warehouse        Two               80 (40 in each)
Sales Branches   Sixteen           480 (30 in each)

The network configured for the hypermarket has to be highly secure, because money transactions are involved, and it should perform well enough to provide uninterrupted service.

The server operating system used is Microsoft Windows Server 2008 R2, and the client systems in all the branches, warehouses and the headquarters are going to be Ubuntu. Based on the scenario above, the Active Directory network is designed with the user accounts and computer accounts.
Active Directory Schema
We are going to use Active Directory to provide authentication and authorization for the users and devices in the company. Active Directory will simplify management and enhance the security of our company.
Domain Design
Our company has a number of sites: one headquarters, 16 branches and two warehouses, each located at a different place and performing a series of functions carried out by departments. The headquarters has several departments: the integrated management department, finance department, operation department, purchasing department, human resource department and IT department. Each branch has a human resource department, finance department, IT department, sales department and inventory department. Each warehouse contains an inventory department and a logistics department. All the branches and warehouses connect to the headquarters via WAN. Because many branches are far away from the headquarters, the WAN bandwidth may be limited; most links are less than 2 Mbps. In the headquarters there are about 90 persons, including staff and managers, who need a computer to perform their job. In a branch there are about 30 users. Each warehouse has around 10 users. The departments and number of staff are shown in the following tables.


Headquarter:
Department                        Staff
Executive                         Not a department, but I plan to create an OU for it to grant special permissions
Integrated management department  10
Finance                           20
Operation                         20
Purchasing                        20
IT                                10
HR                                10
Total                             90

Warehouse:
Department   Staff
Inventory    10
Logistics    10
Total        20

Branch:
Department   Staff
Managers     2
HR           5
Finance      10
Sales        20
Inventory    5
Total        42

Imagine that all the branches, the warehouses and the headquarters belong to a single domain. The limited bandwidth may be largely consumed, because within a domain the domain controllers perform a full replication. Furthermore, all the DCs in this single domain would maintain the same information about the entire company. This would also use a lot of resources on the DCs, and it is usually unnecessary for a branch to maintain the data of the other branches. It would even increase the probability of security problems. In addition, the branches sometimes need to be granted more independence from the headquarters to ease management; with a single domain, however, the branches would rely largely on the headquarters for IT management.
Therefore, we decided to separate the branches from the headquarters. Each branch will form its own domain and contain at least one DC. Creating multiple domains isolates replication between the DCs: inside a domain the DCs replicate all the data in the AD database, whereas the data spread to the entire forest is less and can be configured. As a result, the bandwidth requirement is reduced, and each branch maintains only its own information.
But what about the two warehouses? Should we assign them another two domains like the branches? Of course we could; they are also far from the branches and have slow WAN connections to the headquarters. However, a warehouse is slightly different from a branch: it is managed directly by the headquarters and, compared to a branch, has less independence. We have a better choice for it than a delegated domain: a Read-Only Domain Controller (RODC). The RODC was introduced in Windows Server 2008, so in order to deploy it we have to use Windows Server 2008 in our forest. An RODC downloads its data from a writable DC and does not allow us to change anything on it directly. Also, it never uploads anything to the writable DC. These features make sure that the warehouse DC is totally under the control of the headquarters, so security is increased remarkably.
Furthermore, a normal DC in the same domain as the headquarters receives all the AD information of that domain, including the headquarters' data, which requires more bandwidth and may not be secure. The RODC, by contrast, only downloads the account information it needs, and since there are only a small number of users in a warehouse, it does not consume much bandwidth. Therefore the RODC is suitable for the warehouses. Finally, by default an RODC does not store the password of any user, which also largely increases security. In addition, because an RODC needs little configuration, it reduces the management overhead of the warehouses.

Now we have 18 domains for the branches and one single domain for the headquarters and warehouses. We decided to make the branch domains child domains, with the headquarters as the parent domain. So the headquarters has the domain name KLHL.org.sg, and we use branch + number to represent a branch domain, such as branch1.KLHL.org.sg, branch2.KLHL.org.sg and so on.
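As an added example (not part of the report), the two kinds of domain controller described above can be installed unattended on Windows Server 2008 R2 with dcpromo answer files. The domain names come from the design; the site names, database paths, the RODC password replication group and the *Placeholder account names are my assumptions.

```powershell
# Added example, not the report's own configuration. Builds dcpromo answer
# files for (a) the first DC of the child domain branch1.KLHL.org.sg and
# (b) an RODC for a warehouse in KLHL.org.sg, then runs dcpromo with them.
# Site names, paths, the RODC group and the *Placeholder accounts are assumptions.

# (a) Branch: a new child domain with its own DNS zone delegated from the parent.
$branchAnswer = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=KLHL.org.sg
ChildName=branch1
DomainNetBiosName=BRANCH1
SiteName=Branch1-Site
InstallDNS=Yes
CreateDNSDelegation=Yes
ConfirmGc=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=KLHL.org.sg
UserName=EnterpriseAdminPlaceholder
Password=*
SafeModeAdminPassword=DsrmPasswordPlaceholder
RebootOnCompletion=Yes
"@

# (b) Warehouse: read-only replica of KLHL.org.sg. Only members of the
#     allowed group may have their passwords cached on it; the built-in
#     "Denied RODC Password Replication Group" stays denied by default.
$rodcAnswer = @"
[DCINSTALL]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=KLHL.org.sg
SiteName=Warehouse1-Site
InstallDNS=Yes
ConfirmGc=No
PasswordReplicationAllowed=KLHL\Warehouse1-Users
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=KLHL.org.sg
UserName=DomainAdminPlaceholder
Password=*
SafeModeAdminPassword=DsrmPasswordPlaceholder
RebootOnCompletion=Yes
"@

# Write the answer file, run dcpromo with it, and delete the file afterwards
# because it holds the DSRM password. Password=* makes dcpromo prompt for the
# account password instead of storing it in the file.
function Install-DomainControllerUnattended ([string]$answerText) {
    $answerFile = Join-Path $env:TEMP ('dcpromo-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $answerFile -Value $answerText -Encoding ASCII
    try {
        & dcpromo.exe /unattend:$answerFile
    } finally {
        Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
    }
}

# Run the one that matches the server the script is executed on:
# Install-DomainControllerUnattended $branchAnswer
# Install-DomainControllerUnattended $rodcAnswer
```

The RODC file only works once the forest has been prepared with adprep /rodcprep and the domain already has a writable Windows Server 2008 (or later) DC for it to replicate from; the branch file needs Enterprise Admins rights in the parent domain because it creates a new domain and a DNS delegation there.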
Organization Unit Design
A good organizational unit (OU) design helps us apply group policy easily and even delegate administration. Group policy can be applied to each individual OU with a different level of control. Therefore, if the OUs are designed so that the objects in each OU have a similar level of restriction, deploying group policy becomes easier.

In order to provide more granular control over the objects in the domain, we examine the factors that affect the policy an object receives. First of all, different departments in the company may have different policies; for example, the finance department may apply a stricter policy than other departments. Next, each department has both computers and users, and computers and users have different policy options. Although the policy management tool can recognize them automatically, we divide them into different OUs because they contain different sub-OUs. After that, the computers can obviously be divided into clients and servers; they perform different roles, so their policies also differ. Finally, the users include staff and managers, who may also have different policies: managers may have less strict policies than staff.
For the KLHL.org.sg domain, we will create a headquarter OU and a warehouse OU. Under the headquarter OU there are OUs for the departments. In addition, we will also create one OU named executive to provide special privileges for the leaders of the company. Creating the department OUs at the first level facilitates delegation of administration, and it also clearly represents the business model. After that, following our previous analysis, we create a computer OU and a user OU in each department OU, then client and server OUs in each computer OU and staff and manager OUs in each user OU. As shown in the following figure, the other department OUs have the same sub-OUs as finance, which are omitted.
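The OU tree described above, built with the ActiveDirectory module that ships with Windows Server 2008 R2. This is an added example, not a script from the report; the OU names follow the design text, and New-OuIfMissing is a helper written here.

```powershell
# Added example, not the report's own script. Creates the OU tree of the
# KLHL.org.sg design. OU names follow the design; New-OuIfMissing is a helper
# written for this example.
Import-Module ActiveDirectory

$domainDn = 'DC=KLHL,DC=org,DC=sg'

# Create OU $name under $parentDn if it does not exist yet, and return its DN
# so the caller can nest further OUs under it.
function New-OuIfMissing ([string]$name, [string]$parentDn) {
    $dn = "OU=$name,$parentDn"
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" `
                    -SearchBase $parentDn -SearchScope OneLevel
    if (-not $existing) {
        # Protection stops an accidental delete from removing a whole subtree.
        New-ADOrganizationalUnit -Name $name -Path $parentDn `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

# First level: the business units, which is also where administration is delegated.
$hqDn        = New-OuIfMissing 'headquarter' $domainDn
$warehouseDn = New-OuIfMissing 'warehouse'   $domainDn
$null        = New-OuIfMissing 'executive'   $hqDn   # extra privileges, not a department

$departments = 'integrated management department', 'finance department',
               'operation department', 'purchasing department',
               'IT department', 'human resource department'

foreach ($dept in $departments) {
    $deptDn = New-OuIfMissing $dept $hqDn
    # Computers and users get separate subtrees because their policies differ,
    # then clients/servers and staff/managers are split for the same reason.
    $computerDn = New-OuIfMissing 'computer' $deptDn
    $null = New-OuIfMissing 'client' $computerDn
    $null = New-OuIfMissing 'server' $computerDn
    $userDn = New-OuIfMissing 'user' $deptDn
    $null = New-OuIfMissing 'staff'   $userDn
    $null = New-OuIfMissing 'manager' $userDn
}

# Print the result as an indented tree to compare against the design figure.
Get-ADOrganizationalUnit -Filter * -SearchBase $hqDn | ForEach-Object {
    # Turn "OU=client,OU=computer,OU=finance department,OU=headquarter,DC=..."
    # into the path headquarter/finance department/computer/client.
    $ous = ($_.DistinguishedName -replace ',DC=.*$', '') -split ',OU=' |
           ForEach-Object { $_ -replace '^OU=', '' }
    [array]::Reverse($ous)
    New-Object PSObject -Property @{
        Key   = ($ous -join '/')
        Depth = $ous.Count - 1
        Name  = $_.Name
    }
} | Sort-Object Key | ForEach-Object { ('  ' * $_.Depth) + $_.Name }
```

Running the script a second time is safe: every OU is looked up before it is created, so it can be used to re-apply the design after someone deletes or renames an OU.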



[Figure: OU tree of the KLHL.org.sg domain. The headquarter OU contains the integrated management department, finance department, operation department, purchasing department, IT department, human resource department and executive OUs; the finance department OU is expanded into a computer OU (client, server) and a user OU (staff, manager).]

Site Topology Design
Site topology represents the physical structure of the forest. A proper site topology design increases the efficiency of replication. In our company, each branch, each warehouse and the headquarters is considered a single site, because the connections between them are slow. All the other sites are connected to the headquarters.
The number of DCs for each branch should be at least two. Although there are only 42 users, the branches are where our business operates, so if only a single DC is provided and it fails, none of the computers at the counters can log in and the business stops. Even one hour of downtime would significantly affect the business in terms of money and reputation. Hence we need a backup DC in each branch. For the headquarters, two DCs are also highly recommended, as they provide high availability for our company. In a warehouse one DC may be enough, because there are only 10 users and it is less critical than the branches, where the entire business relies on computers. Additionally, the two DCs can be placed in two different subnets, where the chance of both failing simultaneously is very low.
Login across domain
Sometimes a staff member or manager from the headquarters may need to log in at a branch. This is possible when the global catalog (GC) is enabled on the branch DC, but a global catalog also consumes a lot of resources. Normally only a limited number of people have this requirement, yet the GC generates much more replication traffic. Fortunately, we can simply add the people who need to log in across domains to a universal group and enable universal group membership caching. As a result, the members of this group can log in across domains. Compared with a GC, this feature saves a lot of resources, as less data is spread. Furthermore, it also increases security, because not everyone can log in across domains.
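The two steps above, as an added example that is not part of the report: the universal group is created with the ActiveDirectory module, and universal group membership caching is switched on per site by setting a flag bit on the site's NTDS Site Settings object. The group name, its OU, the sample member and the site naming scheme Branch<n>-Site are my assumptions.

```powershell
# Added example, not the report's own script. Puts the headquarter people who
# may log on at a branch into one universal group and enables universal group
# membership caching in every branch site (ActiveDirectory module, Windows
# Server 2008 R2). Group name, OU, sample member and site names are assumptions.
Import-Module ActiveDirectory

$domainDn = 'DC=KLHL,DC=org,DC=sg'
$configDn = (Get-ADRootDSE).configurationNamingContext

# 1. Universal group: its membership is published forest-wide, so a branch DC
#    can resolve it from the cache without holding a full global catalog.
$groupName = 'HQ-BranchLogon'
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Universal -GroupCategory Security `
        -Path "OU=executive,OU=headquarter,$domainDn" `
        -Description 'Headquarter users allowed to log on in branch domains' | Out-Null
}
Add-ADGroupMember -Identity $groupName -Members 'hq.manager.sample'   # sample account name

# 2. Universal group membership caching is bit 0x20 of the "options" attribute
#    of a site's NTDS Site Settings object (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED).
$GroupCachingFlag = 0x20

# Pure helpers so the bit arithmetic can be checked on its own.
function Get-OptionsWithCaching ([int]$options) { return ($options -bor $GroupCachingFlag) }
function Test-CachingEnabled    ([int]$options) { return (($options -band $GroupCachingFlag) -ne 0) }

function Enable-UniversalGroupCaching ([string]$siteName) {
    $settingsDn = "CN=NTDS Site Settings,CN=$siteName,CN=Sites,$configDn"
    $settings   = Get-ADObject -Identity $settingsDn -Properties options
    $current    = if ($settings.options) { [int]$settings.options } else { 0 }
    if (-not (Test-CachingEnabled $current)) {
        # -Replace keeps any other option bits already set on the site.
        Set-ADObject -Identity $settingsDn -Replace @{ options = (Get-OptionsWithCaching $current) }
    }
}

# The design has one site per branch; the warehouse sites keep the default.
1..16 | ForEach-Object { Enable-UniversalGroupCaching "Branch$_-Site" }
```

Once caching is on, a branch DC stores the universal group memberships of users who have logged on there and refreshes them from a global catalog in the background (every 8 hours by default), so a WAN outage does not stop those users from logging on again.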
Printing, File-sharing and Login Permission
Printing permission
Group policy specifies what computers and users can and cannot do, but it can only be applied to OUs and domains. In order to assign different permissions to users for accessing printers and shared files, we need to create groups.
Assume that each department has its own local printer. All staff and managers can use the local printer, and managers can also manage it. First of all, we add the users in each staff and manager OU to a single group.
Take the human resource department as an example; see the following picture.


Then we install the printer and share it. After that we can assign permissions to the staff and managers according to the policy.

It is a good idea to tick "List in the directory" so that users can easily search for the printer in Active Directory.

As shown in the figure, the manager of HR has permission to manage and print, and staff have only the print permission.
The configuration of the other departments is similar. As a result, managers get more control over the printers.
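The first step of the procedure above (one group per department and position, filled from the staff and manager OUs) as an added example that is not the report's own script. The group name prefixes, the placement of the groups in the department's user OU and the helper name Sync-PositionGroup are my assumptions; the printer permissions themselves are then granted to these groups on the printer's Security tab as the figure shows.

```powershell
# Added example, not the report's own script. For each headquarter department
# it creates a staff group and a manager group and keeps their membership equal
# to the users in the staff/manager OUs, so printer and share permissions are
# granted to groups rather than to individual users. Prefixes, group placement
# and Sync-PositionGroup are assumptions.
Import-Module ActiveDirectory

$domainDn = 'DC=KLHL,DC=org,DC=sg'
$hqDn     = "OU=headquarter,$domainDn"

# Department OU name -> short prefix used in the group names.
$departments = @{
    'human resource department'        = 'HR'
    'finance department'               = 'Finance'
    'operation department'             = 'Operation'
    'purchasing department'            = 'Purchasing'
    'IT department'                    = 'IT'
    'integrated management department' = 'IntMgmt'
}

# Ensure the global security group <prefix>-<position> exists and contains
# exactly the users found directly in OU=<position>,OU=user,OU=<department>.
function Sync-PositionGroup ([string]$deptOu, [string]$prefix, [string]$position) {
    $groupName = "$prefix-$position"
    $groupPath = "OU=user,OU=$deptOu,$hqDn"
    $sourceOu  = "OU=$position,$groupPath"

    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
        New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $groupPath `
            -Description "$deptOu $position (printer and share permissions)" | Out-Null
    }

    $wanted  = @(Get-ADUser -Filter * -SearchBase $sourceOu -SearchScope OneLevel)
    $current = @(Get-ADGroupMember -Identity $groupName)
    # Compare by DN (explicit loops so this also works on PowerShell 2.0).
    $wantedDns  = @($wanted  | ForEach-Object { $_.DistinguishedName })
    $currentDns = @($current | ForEach-Object { $_.DistinguishedName })
    $toAdd    = @($wanted  | Where-Object { $currentDns -notcontains $_.DistinguishedName })
    $toRemove = @($current | Where-Object { $wantedDns  -notcontains $_.DistinguishedName })

    if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }
    return $groupName
}

foreach ($dept in $departments.Keys) {
    $staffGroup   = Sync-PositionGroup $dept $departments[$dept] 'staff'
    $managerGroup = Sync-PositionGroup $dept $departments[$dept] 'manager'
    # On the shared printer's Security tab (as in the figure above):
    #   $staffGroup   -> Print
    #   $managerGroup -> Print and Manage Printers
    '{0}: {1} / {2}' -f $dept, $staffGroup, $managerGroup
}
```

Because the groups are re-synchronised from the OUs each run, moving a user from the staff OU to the manager OU and re-running the script changes their printer and share rights without editing any ACL.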

File-sharing permission
File-sharing permissions are more complicated than printing permissions. There are share-level permissions and NTFS permissions. Share-level permissions only apply to the shared folder; they cannot be set on individual files. NTFS permissions, on the other hand, can be applied to both folders and files. Therefore, we set the permissions on the shared folder using share-level permissions; all the files inside the folder then inherit this permission. After that, we can give particular files or folders a different level of permission using NTFS permissions, which allow us to block inheritance and set a different permission.
There are two shared folders in the human resource department: GeneralHR and HRManager. Assume that both the managers and the staff of the HR department can read and write the files in the GeneralHR folder, but the operation department can only read the files in the folder.
The files in HRManager can be read and written by the HR manager. All actions by staff of both the HR and operation departments are denied. The manager of the operation department can only read the files inside.
GeneralHR:


HRManager:


In some situations a staff member or manager may need to share a file without letting others change it. By default, the file inherits the permission settings of the shared folder, so other staff can also change it. We can use NTFS permissions to break this rule so that only the manager can change the file.
By default, the HR staff can read and write:

Block the inheritable permissions:

Apply the new permissions:

Assume that each department has two folders: one for staff and another for managers. For the manager folder, managers can read and write, while staff can only read. For the staff folder, both managers and staff can read and write. The permissions for the other departments depend on company policy: some managers from other departments can also read the folder but normally cannot change it. In general, however, the finance department's folders should not be readable by other departments. Finally, the executives should have the right to read and write all the folders.
We grant permissions based on the user's department and position. Because different departments perform different functions for the company, they normally do not need to share files. Also, managers have more rights than staff.
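The HR permissions described above, as an added example that is not the report's own script: share-level permissions are set with net share, NTFS permissions with .NET access rules, and inheritance is blocked on a single file so that only the manager can change it. The local path D:\Shares, the group names (HR-staff, HR-manager, Operation-staff, Operation-manager, Executive), the sample file name and the helper function names are my assumptions.

```powershell
# Added example, not the report's own script. Creates the GeneralHR and
# HRManager shares with the permissions described in the text. The path, the
# group names, the sample file and the helper names are assumptions.
$domain = 'KLHL'
$root   = 'D:\Shares'
$both   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Build one NTFS rule for a domain group; $rights is a FileSystemRights name.
function New-Rule ([string]$group, [string]$rights, [string]$type, $inherit = $both) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$group", $rights, $inherit, 'None', $type)
}

# $allow maps group -> NTFS rights; $deny lists groups that get an explicit Deny.
function New-DepartmentShare ([string]$name, [hashtable]$allow, [string[]]$deny = @()) {
    $path = Join-Path $root $name
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # NTFS: stop inheriting from D:\Shares so only the rules below apply.
    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $both, 'None', 'Allow')))   # IT keeps control
    foreach ($g in $allow.Keys) { $acl.AddAccessRule((New-Rule $g $allow[$g] 'Allow')) }
    foreach ($g in $deny)       { $acl.AddAccessRule((New-Rule $g 'FullControl' 'Deny')) }
    Set-Acl -Path $path -AclObject $acl

    # Share level: CHANGE for writers, READ for readers; NTFS does the fine-grained part.
    if (-not (Get-WmiObject Win32_Share -Filter "Name='$name'")) {
        $grants = foreach ($g in $allow.Keys) {
            $level = if ($allow[$g] -eq 'Modify') { 'CHANGE' } else { 'READ' }
            "/GRANT:$domain\$g,$level"
        }
        $shareArgs = @("$name=$path") + $grants
        net share $shareArgs
    }
}

# GeneralHR: HR reads and writes, operation department reads only, executives read and write.
New-DepartmentShare 'GeneralHR' @{
    'HR-staff' = 'Modify'; 'HR-manager' = 'Modify'; 'Executive' = 'Modify'
    'Operation-staff' = 'ReadAndExecute'; 'Operation-manager' = 'ReadAndExecute'
}

# HRManager: HR manager writes, operation manager reads, all staff are explicitly denied.
New-DepartmentShare 'HRManager' @{
    'HR-manager' = 'Modify'; 'Executive' = 'Modify'; 'Operation-manager' = 'ReadAndExecute'
} -deny 'HR-staff', 'Operation-staff'

# One file inside GeneralHR that only the manager may change: block inheritance
# (keeping none of the inherited rules), then grant Modify to the manager and
# read-only to the listed groups.
function Protect-ManagerFile ([string]$file, [string]$managerGroup, [string[]]$readers) {
    if (-not (Test-Path $file)) { New-Item -ItemType File -Path $file | Out-Null }
    $acl = Get-Acl $file
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$managerGroup", 'Modify', 'Allow')))
    foreach ($r in $readers) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$domain\$r", 'ReadAndExecute', 'Allow')))
    }
    Set-Acl -Path $file -AclObject $acl
}
Protect-ManagerFile "$root\GeneralHR\leave-roster.xlsx" 'HR-manager' @('HR-staff')
```

Deny rules are evaluated before allow rules, so the explicit Deny on HRManager blocks HR staff even if they later join another group that is allowed; the effective permission of a user is always the more restrictive of the share-level and NTFS results, which is why the share is kept coarse and the detail lives in NTFS.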
Security
When it comes to security, there are two types of security that always have to be implemented:
Physical Security
Network Operating System Security
Network Security
Physical security restricts unauthorized access to the server room, the backup disk storage room and the room where important files such as license agreements and hard-copy backups of various documents are kept. With this restriction we can avoid physical damage, theft, intruders and other unwanted activities inside the server room. A security device may be a physical device that an authorized user of computer services is given to ease authentication. It identifies a person in case that person is trying to act as an intruder. The device is used in place of a password to prove that a person is who they claim to be, and it operates like an electronic key. In KLHL the following physical security methods are used:
Biometric Technology
Access card System
24/7 Surveillance cameras
Biometric technology
Biometrics is the science and technology of measuring and analyzing biological data. Biometric technology uses computerized methods to identify a person by their unique physical or behavioral characteristics. Its development and use have increased with the demand to address concerns over international, business and personal security. Biometrics refers to technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas, voice patterns, facial patterns and hand measurements, for authentication purposes.
Authentication by biometric verification is becoming increasingly common in corporate and public security systems, consumer electronics and point-of-sale applications. In addition to security, the driving force behind biometric verification has been convenience.
To prevent identity theft, biometric data is usually encrypted when it is gathered. Biometric verification works by converting the biometric input: a software application identifies specific points of data as match points. The match points in the database are processed by an algorithm that translates that information into a numeric value. The database value is compared with the biometric input the end user has entered into the scanner, and authentication is either approved or denied.
Fingerprint reader or scanner
The biometric fingerprint reader is the most notable achievement of this technology and is creating a breakthrough in security provision. Based on storing and comparing the key points of a person's fingers, these devices have proved their potential in areas like access control and employee attendance management. With advanced functionality and dedicated performance, a fingerprint reader can be the best choice for an organization's security.

The purpose of using this device is to help employers record employee attendance data when employees sign in and sign out. The fingerprint reader helps our office manage attendance records more easily. All our employees have to pass fingerprint verification before they can enter the office. Therefore, if an unauthorized person tries to enter the office, that person cannot get access, because the fingerprint reader identifies the person as unauthorized. The fingerprint reader can also be used as a door lock. A fingerprint door lock is one of the most beneficial security measures biometrics can provide for the warehouse. These devices are located at the warehouse or storage area, which is used to store all the stock of the warehouse.
Some other types of fingerprint readers are shown at the URL below:
http://www.theposwarehouse.com/aldelo-fingerprint-server/
In computer network access control, computers and networks can be attacked by intruders and people with bad intentions, for a variety of reasons: cracking passwords, stealing information, misusing the network and so on. Therefore computers and networks need to be protected from unauthorized access. Biometrics helps with computer network access control efficiently, including at the organizational level. The various biometric techniques ensure that every login to a computer or network is authorized by carrying out biometric identification.
Smart card
Smart card devices contain an embedded integrated circuit that can be either a secure microcontroller or equivalent intelligence with internal memory. The card connects to a reader with direct physical contact or through a contactless radio-frequency interface. With an embedded microcontroller, smart cards have the ability to store large amounts of data, carry out their own on-card functions and interact intelligently with a smart card reader.

The purpose of issuing a smart card to every staff member is that the smart card provides a number of features that can be used to afford or enhance privacy protection in a system. The smart card provides authentication, strong secure data storage and encryption, and serves as a personal device for the headquarters main office.
Surveillance Cameras
Surveillance cameras are used for monitoring physical activities in the branches, warehouses and headquarters in order to avoid intrusion inside the offices.


Network Operating System Security
NOS security is very important in a network because the network is going to be used 24/7, so the chances of attack increase. A strong security policy automatically results in a highly secured network. NOS security consists of local security policies and group policy management.
Security Policy
In this hypermarket business, a security policy is a document that indicates how the company plans to protect its information technology assets and physical premises. Such a document is never finished; as the technology changes it is continuously updated. A company's security policy may include an acceptable use policy and a description of how the company plans to train its employees about protecting company assets, an explanation of how security measures will be enforced, and a process for evaluating the effectiveness of the security policy to make sure that the required changes are made.
Managing policies is important to a secure organization. Security policies are a requirement in enterprise networks nowadays. Every person in the company needs to understand the importance of the role the policies play in maintaining security. Without a security policy, your company is vulnerable to a lot of potential attacks.
A security policy is a set of objectives, rules of behavior for administrators and users, and requirements for system configuration and management that together ensure the security of the computer systems in an organization.
The main points of the IT security policy are as follows. The confidentiality of all data is to be maintained through mandatory access control, and the access control must meet the required security functionality. Internet and external service access is restricted to authorized personnel only. Data on all workstations is to be secured through encryption, because this ensures the confidentiality of the data and prevents loss if the equipment is lost. Only an authorized user or the IT department may install software, and the software must be licensed. If unauthorized software is found, the IT department will remove it from the workstation immediately. All removable media and disk drives from external sources must be virus-checked before they can be used in the organization. Data may only be transferred for the purposes defined in the organization's data protection policy. Passwords must consist of a combination of at least 8 alphanumeric characters and must be changed every 30 days. The configuration of all workstations may only be modified by the IT department. To prevent loss of availability of resources, the IT department will back up all the data, applications and the configurations of all workstations.
Access control rules
Access control is the means by which a system grants or revokes the right to access data or perform some action. Generally, a user logs in to a system and is then checked by an authentication system. Authentication is the process by which a system verifies the identity of a user who wishes to access it. In general, access control is based on the identity of the user who is requesting access to a resource. The access control mechanism then determines the operations the user does or does not have the right to perform by comparing the user ID against an access control database. The access control system must cover:
Data rights: the right persons must have the right to update and retrieve the information in a database.
Program permissions: the right persons must have the right to execute a program on an application server.
File permissions: the right persons must have the right to create, read, edit and delete files on a file server.
Definition of the security policy, http://hitachi-id.com/concepts/security_policy.html, [Accessed on 13 August 2012]
Users will be given rights to all systems needed to perform their job function. Users who need access to a system must fill in the application forms provided by the IT department. No user has the right to configure and manage any system; the IT department has the right to configure the network/server passwords and system passwords. The system administrator is responsible for maintaining data integrity and verifying end-user access rights. Our IT department will set an individual username and password for everyone who accesses the network systems. Usernames consist of surname and initials. Usernames and passwords must not be shared with other users. All users must have an alphanumeric password of at least 8 characters. Passwords expire 30 days after they are set. A user account is locked if the user fails to log in after three incorrect attempts. Network supervisor passwords and system supervisor passwords are stored in a secure location in case of an emergency. Auditing is implemented on all systems to record login failures and attempts, successful logins and changes made to all systems. Default passwords on systems such as SQL Server are changed after installation. Users' access to the network system is limited to the normal working day. The file system has the maximum security implemented: users are given read and file-scan rights to directories, and files are flagged as read-only to prevent accidental deletion.
Host System administration practices
A host system is a system on a network that provides services to computers or other users on that network. Typically host systems run multi-user operating systems, such as Unix, VMS and MVS.
Account Policies
The account policy settings in group policy are applied at the domain level. The account policies consist of the password policy, account lockout policy and Kerberos policy. The domain account policy settings become the default local account policy settings of any Windows-based computer that is a member of the domain. The account policy for users is a document that defines the requirements for requesting and maintaining an account on a computer network or system within the organization. It is extremely important for large sites where users have many accounts on many systems. Several sites have users read and sign an account policy as part of the account request process.
Password Policy
A strong password policy is one of the most important parts of your security posture. A lot of security breaches involve simple brute-force and dictionary attacks against weak passwords. When you plan to offer any form of remote access involving your local password system, ensure that you adequately address minimum and maximum password requirements and review your authentication systems. The policy allows you to enforce the use of strong passwords. The password complexity requirements setting must provide control over the complexity and lifetime of passwords.

Account Policy settings, http://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx#w2k3tr_sepol_accou_set_kuwh, [Accessed on 14 August 2012]
Account Lockout Policy
An unsuccessful password submission while trying to log on to a computer might represent an attacker trying to find out an account password by trial and error. Setting the account lockout policy settings lets you secure your computer. If there is no account lockout policy on your computer, an unauthorized user can repeatedly try to break into it. Therefore you have to set an account lockout policy, and the system will lock out the user account according to the requirements you set in it. These policy settings are:
Account lockout duration
This security setting determines the number of minutes a locked-out account remains locked out before it is automatically unlocked. The range is from 0 minutes through 99,999 minutes. The default is none, because the setting only takes effect when an account lockout threshold is specified.
Account lockout threshold
This security setting determines the number of failed logon attempts that will cause a user account to be locked out. The account then stays locked until an administrator unlocks it or the lockout duration for the account has expired. The administrator sets a value for the number of failed logons; if none is set, the account will never be locked out. The default is none.
If the account lockout threshold is specified, then the account lockout duration must be greater than the reset time.
Reset account lockout counter after
This security setting determines the number of minutes that must pass after a failed logon before the failed logon attempt counter is reset to 0. The default is none, because the setting only takes effect when an account lockout threshold is specified.
If the account lockout threshold is specified, then this reset time must be less than the account lockout duration.
Account Policy settings, http://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx#w2k3tr_sepol_accou_set_tdtx, [Accessed on 14 August 2012]
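The password rules from the security policy (at least 8 alphanumeric characters, 30-day expiry, lockout after three failed attempts) and the lockout settings just described, applied to the KLHL.org.sg default domain policy with the ActiveDirectory module of Windows Server 2008 R2. This is an added example, not the report's own script: the lockout duration and reset window (30 minutes each), the password history count and the minimum password age are my assumptions, and the check before the change uses "greater than or equal to", which is the relation Active Directory actually enforces between lockout duration and reset window.

```powershell
# Added example, not the report's own script. Applies the stated password and
# lockout rules to the default domain policy after validating them. Duration,
# observation window, history count and minimum age are assumptions.
Import-Module ActiveDirectory

$domain   = 'KLHL.org.sg'
$settings = @{
    MinPasswordLength        = 8                            # "at least 8 characters"
    ComplexityEnabled        = $true                        # forces a mix of character classes
    MaxPasswordAge           = (New-TimeSpan -Days 30)      # "expire in 30 days"
    MinPasswordAge           = (New-TimeSpan -Days 1)       # assumption: stops immediate reuse
    PasswordHistoryCount     = 24                           # assumption
    LockoutThreshold         = 3                            # "three incorrect attempts"
    LockoutDuration          = (New-TimeSpan -Minutes 30)   # assumption
    LockoutObservationWindow = (New-TimeSpan -Minutes 30)   # assumption: "reset counter after"
}

# A lockout duration shorter than the reset window is rejected by AD, so
# check the combination before touching the domain. Threshold 0 means lockout
# is disabled, in which case the other two values do not matter.
function Test-LockoutSettings ([hashtable]$s) {
    if ($s.LockoutThreshold -eq 0) { return $true }
    return ($s.LockoutDuration -ge $s.LockoutObservationWindow)
}

if (-not (Test-LockoutSettings $settings)) {
    throw 'LockoutDuration must be greater than or equal to LockoutObservationWindow'
}

# Splat the hashtable onto the cmdlet; each key is a parameter name.
Set-ADDefaultDomainPasswordPolicy -Identity $domain @settings

# Read the policy back to confirm what is actually in effect.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

With LockoutDuration equal to the observation window, an account locks after three failures within 30 minutes and unlocks itself 30 minutes later; setting LockoutDuration to 0 instead would keep the account locked until an administrator unlocks it, which is stricter but turns a burst of failed logons into a denial of service against the user.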

Kerberos Policy
By default, the Kerberos authentication protocol provides the mechanism for domain authentication services and the authorization data a user needs to access a resource and perform a task on it. If the lifetime of Kerberos tickets is reduced, the risk that a legitimate user's credentials are stolen and successfully used by an attacker is reduced; on the other hand, the authorization overhead increases. These policy settings are:
Enforce user logon restrictions
This security setting determines whether Kerberos validates every request for a session ticket against the user rights policy of the user account. Validating every request for a session ticket is optional, because the additional step takes more time and slows network access to services. The default is enabled.
Maximum lifetime for service ticket
This security setting determines the maximum amount of time, in minutes, that a granted session ticket can be used. The setting must be greater than 10 minutes and less than or equal to the setting for the maximum lifetime for a user ticket. The default is 10 hours.
Maximum lifetime for user ticket
This security setting determines the maximum amount of time, in hours, that a user's ticket-granting ticket can be used. When a user's ticket-granting ticket expires, a new one must be requested or the existing one must be renewed. The default is 10 hours.
Maximum lifetime for user ticket renewal
This security setting determines the period of time, in days, during which a user's TGT can be renewed. The default is 7 days.
Maximum tolerance for computer clock synchronization
This security setting determines the maximum time difference, in minutes, that Kerberos tolerates between the time on the client computer's clock and the time on the domain controller that provides Kerberos authentication. This setting is not dynamic; the computer must be restarted for a change to take effect. The default is 5 minutes.
Group policy settings, local policies, Kerberos policy, http://www.vanstechelman.eu/windows/group_policy_settings/local_policies/kerberos_policy [Accessed on 15 August 2012]
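The five settings above are stored by the Default Domain Policy GPO in its security template (GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit in SYSVOL) in a [Kerberos Policy] section whose keys use different units: MaxServiceAge and MaxClockSkew are minutes, MaxTicketAge is hours, MaxRenewAge is days. As an added example that is not the report's own code, the script below parses such a section and checks the constraints the text states (service ticket lifetime above 10 minutes and at most the user ticket lifetime, renewal period at least the ticket lifetime); the clock-skew warning is an extra check of my own. The template text is a constructed sample with the default values, and the function names are mine.

```powershell
# Added example, not the report's own code. Parses the [Kerberos Policy]
# section of a security template and checks the constraints from the text,
# converting between the mixed units. The template below is a constructed
# sample with the default values; the function names are assumptions.
$sampleTemplate = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Return a hashtable of the numeric keys found in the [Kerberos Policy] section.
function Read-KerberosPolicy ([string]$templateText) {
    $section = ''
    $values  = @{}
    foreach ($raw in ($templateText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Kerberos Policy' -and $line -match '^(\w+)\s*=\s*(\d+)$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $values
}

# Return the list of violated constraints; an empty list means the policy is consistent.
function Test-KerberosPolicy ([hashtable]$k) {
    $problems = @()
    foreach ($key in 'MaxTicketAge', 'MaxRenewAge', 'MaxServiceAge', 'MaxClockSkew') {
        if (-not $k.ContainsKey($key)) { $problems += "$key is missing" }
    }
    if ($problems.Count -gt 0) { return $problems }

    # Service ticket lifetime (minutes): more than 10, at most the TGT lifetime (hours).
    if ($k.MaxServiceAge -le 10) {
        $problems += 'MaxServiceAge must be greater than 10 minutes'
    }
    if ($k.MaxServiceAge -gt ($k.MaxTicketAge * 60)) {
        $problems += 'MaxServiceAge (minutes) exceeds MaxTicketAge (hours)'
    }
    # A TGT cannot be renewable (days) for less time than it is valid (hours).
    if (($k.MaxRenewAge * 24) -lt $k.MaxTicketAge) {
        $problems += 'MaxRenewAge (days) is shorter than MaxTicketAge (hours)'
    }
    # Extra warning: a wider skew window keeps captured authenticators usable longer.
    if ($k.MaxClockSkew -gt 5) {
        $problems += 'MaxClockSkew is above the 5-minute default'
    }
    return $problems
}

$policy   = Read-KerberosPolicy $sampleTemplate
$problems = @(Test-KerberosPolicy $policy)
if ($problems.Count -eq 0) { 'Kerberos policy is consistent' } else { $problems }

# Against a live domain controller, export the effective template and check it:
#   secedit /export /cfg C:\Temp\policy.inf /areas SECURITYPOLICY
#   Test-KerberosPolicy (Read-KerberosPolicy ((Get-Content C:\Temp\policy.inf) -join "`n"))
```

The unit conversion is the point of the checks: a template with MaxServiceAge = 600 and MaxTicketAge = 10 passes only because 600 minutes equals the 10-hour TGT lifetime, and an administrator who "tightens" MaxTicketAge to 8 without touching MaxServiceAge produces a policy the domain controller will not apply as intended.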

Local Security policy
A security policy can be described as a set of rules and practices that govern how an organization protects and controls its assets, such as network connectivity, important information and computer systems. Basing the security policy on the organization's priorities and philosophy is very important to keep the computers secure. The application of the rules in the security policy is controlled or carried out by the technical administrator of the security policy. A security policy is a template used to organize and choose the various security settings of the operating system. Windows operating systems support three types of security policies:
WindowSecurity.com, http://www.windowsecurity.com/articles/understanding-roles-server-2003-security-policies.html, [Accessed on 15 August 2012]
Audit policy
This determines whether security events, whether successful or failed, are saved to the Security log in Event Viewer on the computer. The audit log records each file access or policy setting change that has been configured to trigger an audit entry, and the entry indicates which user took the action and the date and time. Security auditing is very important for an administrator controlling the whole system: audit logs occasionally reveal a security breach, so an accurate audit policy setting ensures the log contains the important information about that breach. Every workstation in our headquarters has sensible audit policy settings, so that authenticated users can be held accountable for their actions and unauthorized users can be tracked and detected. The audit policy settings are controlled as follows:
Local policy settings, http://technet.microsoft.com/en-us/library/cc772979(v=ws.10)#w2k3tr_sepol_local_set_knkn, [Accessed on 15 August 2012]
Audit account logon events
This policy setting determines whether to audit each instance of a user logging on to or off from another computer, where this computer is the one that validates the account. The audit events are recorded on the validating computer.
Audit account management
This policy setting determines whether to audit each account management event on a computer: a user account being created, changed or deleted; a user account being renamed, enabled or disabled; or a user account password being set or changed.
Audit directory service access
This policy setting determines whether to audit users accessing an Active Directory object that has its own system access control list specified.
Audit logon events
This policy setting determines whether to audit each instance of a user logging on to or off from a computer, or creating a network connection to the computer. The event is recorded in the audit log of the computer where the logon occurs.
Audit object access
This policy setting determines whether to audit users accessing folders, files, printers and other objects that have their own system access control list specified.
Audit policy change
This policy setting determines whether to audit every incident of a change to user rights assignment policies, trust policies or audit policies.
Audit privilege use
This policy setting determines whether to audit each instance of a user exercising a user right.
Audit process tracking
This policy setting determines whether to audit detailed tracking information for events such as indirect object access, process exit, program activation and handle duplication.
Audit system events
This policy setting determines whether to audit when a user shuts down or restarts the computer.

Group Policy Settings Local Policies Audit Policy,
http://www.vanstechelman.eu/windows/group_policy_settings/local_policies/audit_policy, [Accessed
on 15 August 2012]
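The audit categories above only help if they are switched on and someone reads the resulting events. The script below is an added example, not part of the KLHL report: it enables success and failure auditing for the nine categories with auditpol (the category names are those used on an English-language Windows Server 2008 R2 system) and then reads the last day of failed logons (event 4625) and account lifecycle events (4720 created, 4724 password reset, 4726 deleted) back from the Security log, grouped by target account. Run it in an elevated PowerShell on one of the headquarters workstations or servers.

```powershell
# Added example (not from the KLHL report): enable the nine audit categories
# for success and failure, then summarize the events they produce.

$categories = @(
    'Account Logon', 'Account Management', 'DS Access', 'Logon/Logoff',
    'Object Access', 'Policy Change', 'Privilege Use',
    'Detailed Tracking', 'System'
)

foreach ($c in $categories) {
    # /success:enable /failure:enable is "Success, Failure" in the GUI.
    auditpol /set /category:"$c" /success:enable /failure:enable | Out-Null
}

# Show the effective policy so the change can be confirmed.
auditpol /get /category:*

# Events that matter for accountability: failed logons and account changes.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4720, 4724, 4726
    StartTime = $since
} -ErrorAction SilentlyContinue

function Get-EventField {
    # Pull one named field out of the EventData section of a Security event.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Target  = Get-EventField $_ 'TargetUserName'
            Subject = Get-EventField $_ 'SubjectUserName'
            Source  = Get-EventField $_ 'IpAddress'   # empty for non-logon events
        }
    } |
    Group-Object Id, Target |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A high count of 4625 for one target account from one source address is the pattern the report's "unauthorized users can be tracked" goal refers to; 4720 and 4726 without a matching change request are what an administrator reviewing account management auditing should follow up.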
User Rights Assignment
User rights assignment defines what a user is allowed to do on a computer system or domain. There are two types of user rights: logon rights and privileges. Logon rights control which authorized users can log on to the computer; privileges manage access to the resources on a computer and can override the permissions that are already set on a specified object. The user rights assignment policy settings are controlled as follows:
Local policy settings, http://technet.microsoft.com/en-us/library/cc772979(v=ws.10)#w2k3tr_sepol_local_set_rmin, [Accessed on 15 August 2012]
Access this computer from the network
This policy setting determines which groups and users are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.

Act as part of the operating system
This policy setting allows a process to impersonate any user without authentication, so that the process gains access to the same local resources as that user. Assign this user right only to trusted users. The default is none.
Add workstations to domain
This policy setting determines which users or groups can add workstations to the domain. It can only be controlled on the domain controller. By default, an authenticated user can create up to 10 computer accounts in the domain. Adding a workstation to a domain allows that workstation to recognize the accounts and groups that already exist in Active Directory. The default on domain controllers is Authenticated Users.
Adjust memory quotas for a process
This privilege determines who can modify the maximum memory that a process can consume. This user right is defined in the Default Domain Controllers Group Policy object and in the local security policy of servers and workstations. The default is Administrators, Network Service and Local Service.
Allow log on locally
This policy determines which users can log on interactively to this computer. An interactive logon is started by pressing CTRL+ALT+DEL on the keyboard. This logon right is also required by administrative applications that log users on. If the policy is defined for a group or user, the Administrators group must also be given this right. The default on workstations and servers is Administrators, Backup Operators and Users. The default on domain controllers is Account Operators, Administrators, Backup Operators, Print Operators and Server Operators.
Allow log on through terminal services
This policy setting determines which groups or users have permission to log on as a Terminal Services client. The default on servers and workstations is Remote Desktop Users; on domain controllers it is Administrators.
Back up files and directories
This policy setting determines which groups or users can bypass file, directory and other permissions for the purpose of backing up the system. The default on servers and workstations is Administrators and Backup Operators. The default on domain controllers is Administrators, Backup Operators and Server Operators.
Bypass traverse checking
This policy setting determines which groups or users can pass through directory trees even though they do not have permission on the directories they pass through. This right does not allow the user to do anything else with those directories; it only allows the user to pass through them. The default on servers and workstations is Administrators, Backup Operators, Everyone, Users, Local Service and Network Service. The default on domain controllers is Administrators, Authenticated Users, Everyone, Local Service, Network Service and Pre-Windows 2000 Compatible Access.
Change the system time
This policy setting determines which groups and users have the right to change the date and time on the internal clock of the computer. Users assigned this user right can affect the times recorded in event logs. The default on servers and workstations is Administrators and Local Service. The default on domain controllers is Administrators, Server Operators and Local Service.
Change the time zone
This policy setting determines which groups or users can change the time zone used for the local computer time, which is the computer's system time plus the time zone offset. The system time itself is not affected by a change to the time zone. The default is Administrators and Users.
Debug programs
This policy setting determines which users can attach a debugger to any process or to the kernel. The default is Administrators.
Deny access to this computer from the network
This security setting determines which groups or users are prevented from accessing the computer over the network. Users who can log on to the computer from the network can enumerate account and group names and shared resources, and users with permission to access shared files and folders over the network can modify data. The default is none.
Deny log on as a service
This security setting determines which accounts are prevented from registering a process as a service. The default is none; the setting does not apply to the System, Network Service and Local Service accounts.
Deny log on locally
This security setting determines which users are prevented from logging on at the computer. The default is none; if this policy were applied to the Everyone group, no user would be able to log on locally.
Deny log on through terminal services
This security setting determines which groups or users are not allowed to log on as a Terminal Services client.
Force shutdown from a remote system
This security setting determines which users have permission to shut down a computer from a remote location on the network. The default on servers and workstations is Administrators. The default on domain controllers is Administrators and Server Operators.
Manage auditing and security log
This security setting determines which users can specify object access auditing options for individual resources such as files, Active Directory objects and registry keys. The default is Administrators.
Perform volume maintenance tasks
This security setting determines which groups and users can run maintenance tasks on a volume, such as remote defragmentation. The default is Administrators.
Profile system performance
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. The default is Administrators.
Restore files and directories
This security setting determines which users can bypass file, directory, registry and other object permissions when restoring backed-up files and directories, and which users can set any valid security principal as the owner of an object. The default on servers and workstations is Administrators and Backup Operators. The default on domain controllers is Administrators, Backup Operators and Server Operators.
Shut down the system
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. The default on workstations is Administrators, Backup Operators and Users. The default on servers is Administrators and Backup Operators. The default on domain controllers is Administrators, Backup Operators, Server Operators and Print Operators.
Synchronize directory service data
This security setting determines which groups and users have the authority to synchronize all directory service data; this is known as Active Directory synchronization. The default is Administrators.
Group policy settings local policies user rights assignment,
http://www.vanstechelman.eu/windows/group_policy_settings/local_policies/user_rights_assignment,
[Accessed on 15 August 2012]
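The Kerberos policy values listed earlier and the user rights in this section can both be expressed in one security template and applied with secedit, which is how the Local Security Policy snap-in stores them. The following is an added example, not code from the KLHL report: it writes a template containing the Kerberos defaults the report quotes and a subset of the user rights above, applies it, exports the effective policy and compares the two. The file paths are assumptions, as is the choice to restrict "Access this computer from the network" to Administrators and Authenticated Users; the well-known SIDs are listed in the comments. Run it in an elevated PowerShell.

```powershell
# Added example (not from the KLHL report): apply Kerberos policy and user
# rights from a security template, then verify what is actually in effect.

$template = 'C:\KLHL\klhl-local-policy.inf'   # assumed path
$exported = 'C:\KLHL\klhl-effective.inf'      # assumed path
New-Item -ItemType Directory -Path (Split-Path $template) -Force | Out-Null

# Well-known SIDs used below (not from the report):
#   S-1-5-32-544 Administrators      S-1-5-32-551 Backup Operators
#   S-1-5-32-555 Remote Desktop Users  S-1-5-11   Authenticated Users
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeTcbPrivilege =
SeRemoteInteractiveLogonRight = *S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@ | Set-Content -Path $template -Encoding Unicode

# Apply only the account-policy and user-rights areas of the template.
secedit /configure /db "$env:windir\security\database\klhl.sdb" /cfg $template /areas SECURITYPOLICY USER_RIGHTS /quiet

# Export what is now in effect so it can be compared with what was requested.
secedit /export /cfg $exported /areas SECURITYPOLICY USER_RIGHTS /quiet

function Read-SecurityInf {
    # Parse an INF-style template into @{ section = @{ key = value } }.
    param([string]$Path)
    $result = @{}; $section = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2].Trim() }
    }
    $result
}

$wanted = Read-SecurityInf $template
$actual = Read-SecurityInf $exported
foreach ($section in 'Kerberos Policy', 'Privilege Rights') {
    foreach ($key in $wanted[$section].Keys) {
        $w = $wanted[$section][$key]; $a = $actual[$section][$key]
        $status = if ($w -eq $a) { 'OK  ' } else { 'DIFF' }
        '{0} {1}: wanted [{2}] effective [{3}]' -f $status, $key, $w, $a
    }
}
```

Kerberos policy is a domain-wide setting read by the domain controllers from the Default Domain Policy, so on a member server the [Kerberos Policy] section will show as DIFF or be absent from the export; the same section of the template is what you import into the Default Domain Policy through the Group Policy editor. A DIFF on a privilege line usually means only that secedit exported the SIDs in a different order.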

Security Options
This section of the security policy enables or disables computer security settings such as the Administrator and Guest account names, access to floppy disk and CD drives, driver installation and logon prompts. The security option policy settings are organized as follows:





Network Security
Network security involves monitoring and securing the whole network. This is done with antivirus and anti-spam software, Windows Firewall, a hardware firewall, and intrusion detection and intrusion protection systems on the network. Some of these are explained below.
Virus protection
Our IT department will keep up-to-date virus scanning software available for the scanning and removal of suspected viruses. The corporate file servers and the workstations will both be protected with virus scanning software, and the IT department will regularly update every server and workstation with the latest antivirus signatures. No disk brought from outside the organizational unit is to be used before it has been scanned. All removable media containing executable software will be protected. Any new software introduced will be scanned and tested by the IT department before it is installed on a computer. The same applies to removable media such as disks and USB drives, which will be scanned by the IT department before they are used on site. The IT department will keep backups of data so that it can be recovered if it is lost or infected by a virus. Our executives will support the organization's antivirus policies and make the resources available to implement them. Our users will be notified of virus incidents and will be kept informed of current procedures and policies. The IT department will review the antivirus policies frequently. Our staff will be held accountable for any breaches of the organization's antivirus policies. Finally, all users must inform the IT department as soon as possible if a virus infects their machine or any removable disk, so that the virus can be stopped from spreading and eradicated.

Windows Firewall with Advanced Security
The goal of a Windows Firewall with Advanced Security configuration in your organization is to improve the security of each computer by blocking unwanted network traffic from entering the computer and by protecting wanted network traffic as it traverses the network. Network traffic that does not match a rule is dropped by Windows Firewall with Advanced Security. Administrators can also require that allowed network traffic be protected by using encryption and authentication. Windows Firewall with Advanced Security can be controlled by using Group Policy, which lets the administrator apply the settings across the organization in a way that is not easily circumvented by the user.
Creating rules that allow required incoming network traffic
By default, Windows Firewall blocks all incoming network connections that do not match a rule. On client computers that do not host any services this is sufficient. However, for any program that acts as a network service, the administrator must create rules to permit unsolicited network packets from remote computers that want to connect to the application or network service. Inbound firewall rules can be configured to:
Allow a network service to listen for network traffic.
Allow a program to listen for any network traffic it requires in order to operate.
Allow a program to listen for network traffic on a specified TCP or UDP port only.
Apply different firewall behaviour based on the network location type to which the computer is connected.
Use predefined rule groups to support common network services.
Limit network traffic to that from identified IP addresses.
Blocking unwanted outbound network traffic
By default, Windows Firewall allows all outbound network connections, because there is a very large variety of potential outbound network-aware client programs and it can be a very large amount of work to try to restrict outbound traffic. On the other hand, some organizations keep a list of recognized applications and dictate that no other application may access the network. Windows Firewall with Advanced Security supports changing the default outbound rule to block network traffic that is not permitted by an outbound allow rule. With these settings, the administrator can configure the firewall to block all outbound traffic and then create outbound firewall rules that allow approved programs to send outbound traffic from a computer.
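The two rule styles just described (inbound allow rules for a service, and a block-by-default outbound policy with allow rules for approved programs) look like this for the KLHL mail server when configured with netsh advfirewall, which is the tool available on Windows Server 2008 R2. This is an added example, not part of the KLHL report: the LAN range, domain controller address, hMailServer program path and rule names are assumptions. Run it in an elevated prompt on the mail server.

```powershell
# Added example (not from the KLHL report): Windows Firewall with Advanced
# Security rules for the KLHL mail server, using netsh advfirewall.

$lan = '192.168.10.0/24'        # assumed headquarters LAN
$dc  = '192.168.10.2'           # assumed domain controller address
$hmail = 'C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe'   # assumed install path

# 1. Default behaviour: drop unsolicited inbound traffic and, unlike the
#    Windows default, also drop outbound traffic that no rule allows.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Inbound: only the mail service ports, only from the LAN, and only on the
#    domain profile (firewall behaviour tied to the network location type).
netsh advfirewall firewall add rule name="KLHL Mail SMTP in" dir=in action=allow protocol=TCP localport=25  remoteip=$lan profile=domain
netsh advfirewall firewall add rule name="KLHL Mail POP3 in" dir=in action=allow protocol=TCP localport=110 remoteip=$lan profile=domain

# 3. Inbound via a predefined rule group, so remote management keeps working.
netsh advfirewall firewall set rule group="Remote Desktop" profile=domain new enable=yes

# 4. Outbound: with blockoutbound in force, a domain member must still reach
#    its domain controller (DNS, Kerberos, LDAP), so allow that host first,
#    then the approved mail server program.
netsh advfirewall firewall add rule name="KLHL AD out"          dir=out action=allow remoteip=$dc  profile=domain
netsh advfirewall firewall add rule name="KLHL hMailServer out" dir=out action=allow program="$hmail" profile=domain

# 5. Checks: the KLHL rules exist and the profile defaults took effect.
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name:\s+KLHL'
netsh advfirewall show domainprofile
```

The order matters on a live server: create the outbound allow rule for the domain controller before switching the outbound default to block, otherwise Group Policy processing and Kerberos authentication stop until the rule is added. The final `show domainprofile` should report "BlockInbound,BlockOutbound" under Firewall Policy.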
Why do we have a security policy?
We have a security policy because it is instrumental in creating a secure organization. Without a security policy, a company does not know which processes to allow or follow in order to secure its environment. This is the major reason why a company lays down a security policy: security itself. In other words, a security policy creates standards for what is permitted or denied within the framework of the company. The rules are established for protecting network resources, for assigning program management responsibilities, and for setting the guidelines, basic rules and definitions for every user or staff member in the organization. For example, if an IT user wants to implement a firewall, the user needs to become familiar with the company's security policy on internet usage and what is permissible.
Security policies help to build consistent standards across the organization. By doing this, the organization avoids the risks and penalties of failing to adhere to the regulations within the policy. As I cover here, a policy identifies the responsibilities and roles of every user in the company in ensuring security. Ideally, a policy will be inclusive and clear enough to be easily implemented and followed. It is important that the policy is flexible enough to cover a wide range of data, activities, systems and resources.
A security policy is a way of establishing the importance of security within the organization. A security policy is always distributed with the endorsement of upper management; in this manner upper management gives tacit acknowledgement of security as a company priority. The aim is to establish the cooperation of the organization's personnel.
What makes a good security policy?
A good security policy consists of several factors, but the most important is that it must be usable. A security policy is of no value to an organization if it cannot implement the regulations and guidelines within the policy. It must be as brief, detailed and clear as possible while providing the information required to implement the regulations.
When creating a security policy, it is good to have it reviewed by representatives from the IT department, the operations department and the human resources department. After review, it must finally be approved by the executives. This produces a document that is representative and addresses the concerns of all interests within the organization.
The purchasing department can then decide whether products meet the requirements set by the IT department, since the products will have to address security as outlined within the document. Therefore, a good security policy aims to create standards for hardware, software and supporting network equipment. Privacy is an area that should be addressed not only by the IT security department but also by the human resources and management departments.
In order to be effective, the security policy must be reviewed and updated on a regular, periodic basis to make sure that it is up to date and covers all the applicable situations, environments and systems within the organization.
Mail Server
The mail server is the server responsible for all mail processing in an organization. It handles incoming and outgoing mail, manages the user accounts and their mailboxes, ensures delivery of the mail sent by users, and provides the end-to-end user interface with high performance. In recent times mail has become the most used method of communication between the customer and the sales channel, customer service and complaints, and also between offices. Almost all companies have a mail server and publish mail IDs on their website.
In earlier days people used to have one common mailbox for various purposes. Nowadays, due to advances in technology and increasing needs, almost all companies involved in money transactions and sales use a powerful mail server that allows them to create and use different mail IDs for different purposes. Mail sent from an organization represents the organization, so it is necessary to have a high-performing mail server that offers an uninterrupted mail service. At the same time it is necessary to maintain security principles for the mail server because of the increasing number of hacks, viruses and worm attacks delivered through mail.
KLHL HYPERMARKET
In our scenario we are using hMailServer software to configure a mail server for mail communications. Every staff member in our organization has been assigned a mail ID. The mail server is configured on a separate server which handles all incoming and outgoing mail transactions in the organization. Staff require a mail client to send and receive mail: we use Microsoft Outlook on systems running Windows and Claws Mail on systems that use Ubuntu as their operating system. The following components are involved in providing a mail server in our organization:
hMailServer software
Microsoft Outlook
Claws Mail
hMailServer Software
This is free mail server software for Microsoft Windows. It is actively developed and is currently used in many small organizations. The project was started in 2002 and was first hosted on sourceforge.net, where development and downloads were made available for public use. Later, because it was used by many small organizations and thanks to contributions and development, it was moved to its own website. All the source code of this mail server could be retrieved from Novell's Novell Forge. Many versions of this software have been released, and the one we use for our organization is version 5.3.3. This mail server software supports the commonly used protocols SMTP, POP3 and IMAP.
SMTP (Simple Mail Transfer Protocol). This protocol is used when an email is being delivered from one email client to another or from one email server to another email server (the outgoing mail server). This protocol uses port 25 for delivering email.
POP3 (Post Office Protocol). This protocol is used to download email from the mail server. It downloads the mail from the mail server and then deletes it from the server. This protocol uses port 110 for downloading email.
IMAP (Internet Message Access Protocol). This protocol is similar to POP3 in that it is used to download mail from the server, but its features differ from POP3 because it leaves the email on the server: after the mail is downloaded it is not deleted from the email server. Using IMAP therefore requires more CPU resources and disk space on the server, because the mail stays on the mail server. This protocol uses port 143.
Features of hMailServer
Support for IPv6
DomainKeys Identified Mail
Auto-ban settings
Score-based spam protection
Built-in SSL settings
SpamAssassin integration
Public folders
Ability to link with the system's antivirus
Configuration of hMailServer in KLHL
In the KLHL scenario the hMailServer has been configured in a manner that is easy to maintain. We have created a domain in the mail server with the name KLHL.ORG.SG, so that every mail ID takes the form username@klhl.org.sg, which makes it easy to identify whether a mail is from within the organization or from elsewhere.

The organization uses the SMTP and POP3 protocols for sending and receiving mail. The local host name and the server's IP address are bound to the server. The anti-spam option has two default spam sites enabled for filtering spam.
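The domain and mailbox setup described here, and the SMTP and POP3 listeners from the protocol overview above, can be created and checked from a script rather than the hMailServer Administrator GUI. The following is an added example, not code from the KLHL report or from the hMailServer project: it uses hMailServer's COM API (hMailServer.Application) to create the klhl.org.sg domain and two constructed staff accounts, then opens a TCP connection to ports 25 and 110 on the server and reads the greeting line each protocol sends, which is the simplest check that the protocols the report relies on are actually listening. The staff addresses, initial passwords and quota are constructed placeholders; run it on the mail server with the hMailServer administrator password.

```powershell
# Added example (not from the KLHL report): create the mail domain and
# accounts through hMailServer's COM API, then check the SMTP/POP3 banners.

$plain = Read-Host 'hMailServer administrator password'

$app = New-Object -ComObject 'hMailServer.Application'
if (-not $app.Authenticate('Administrator', $plain)) { throw 'hMailServer authentication failed' }

# Create the domain once; reuse it on later runs.
$domainName = 'klhl.org.sg'
$domain = $null
try { $domain = $app.Domains.ItemByName($domainName) } catch { }
if (-not $domain) {
    $domain = $app.Domains.Add()
    $domain.Name   = $domainName
    $domain.Active = $true
    $domain.Save()
}

# Constructed staff list: address and an initial password the user must change.
$staff = @(
    @{ Address = 'sales.hq@klhl.org.sg';  Password = 'ChangeMe-1' },
    @{ Address = 'warehouse@klhl.org.sg'; Password = 'ChangeMe-2' }
)
foreach ($s in $staff) {
    $existing = $null
    try { $existing = $domain.Accounts.ItemByAddress($s.Address) } catch { }
    if ($existing) { continue }
    $acct = $domain.Accounts.Add()
    $acct.Address  = $s.Address
    $acct.Password = $s.Password
    $acct.Active   = $true
    $acct.MaxSize  = 500            # mailbox quota in MB (assumed value)
    $acct.Save()
}
"Domain $domainName now has $($domain.Accounts.Count) account(s)."

function Test-MailBanner {
    # Connect, read the greeting ("220 ..." for SMTP, "+OK ..." for POP3), send QUIT.
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 3000
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.WriteLine('QUIT'); $writer.Flush()
        return $banner
    } catch { return "no answer: $($_.Exception.Message)" }
    finally { $client.Close() }
}

"SMTP 25 : " + (Test-MailBanner 'localhost' 25)
"POP3 110: " + (Test-MailBanner 'localhost' 110)
```

Both banners should come back on the server itself before the firewall rules are relied on; if port 110 answers locally but not from a workstation, the problem is the inbound rule, not hMailServer. Because the report uses plain POP3 and SMTP, the passwords travel in clear text on the LAN; the "Built-in SSL settings" feature listed above is what would be used to protect them.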




Microsoft Outlook
Microsoft Outlook is the mail client software used on the Windows operating system for sending and receiving mail. We use Outlook 2007, which comes packaged with Microsoft Office 2007. Outlook is not only used for sending and receiving mail; it also offers other functionality such as a calendar, and it helps in maintaining and categorizing contacts in a user-friendly way. It also allows tasks and to-do lists to be assigned to its users, and it has SharePoint services and other settings as well. Outlook supports all the protocols currently in use, such as POP3, SMTP and IMAP.

Claws Mail
Claws Mail is the mail client software used on the systems that run Ubuntu as their operating system. It is free software, available at no cost. It is simple and elegant mail software, user friendly, and it does not require much complicated configuration to make it work. Multiple accounts can be used together in the same client, and mail can be sent and received from all the configured mail IDs in the same window.


DNS in KLHL
DNS, the Domain Name Service, plays a very important part in the organization, acting as the brain of the organization's network. Without DNS the whole network collapses and clients are unable to contact the server for any service it offers. Various zones have been created in the DNS pool for the KLHL organization.
First of all, while installing the Active Directory service, the DNS server role was also installed together with it in order to provide name resolution for the other servers and clients. Installing the DNS server in this way creates an Active Directory integrated zone.
The second zone created is for the FTP site. In this organization we use an FTP server for sharing files with users, so we created a new zone called ftp.klhl.org.sg to provide name resolution for the FTP site. A host record containing the IP address of the server has been added to the zone, so that queries are directed to the server.
The third zone we created is for the mail server, with the name klhl.org.sg. In this zone a host record and a mail exchanger record have been added to provide the fully qualified domain name of the server and to direct requests to it.
The last zone created in the DNS pool is for the website, whose name is www.klhl.com. By creating a zone and adding a host record to it we provide name resolution to the client, so that once the website name is typed in the browser it is resolved to an IP address by the DNS zone that has been added to the server.
All the above zones are primary zones added to the forward lookup zones of the domain KLHL.ORG.SG, and all of them are Active Directory integrated zones.
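The zones and records described in this section can be created with dnscmd, the DNS command-line tool on Windows Server 2008 R2, and then checked with nslookup. This is an added example, not code from the KLHL report: the server IP addresses are constructed placeholders, and the website is assumed to be set up as a klhl.com zone with a www host record, since the report only says a zone and a host were created for www.klhl.com. Run it on the domain controller that hosts DNS.

```powershell
# Added example (not from the KLHL report): create the KLHL zones and records
# with dnscmd on the DNS server, then resolve each name the clients will use.

$dns  = 'localhost'        # run on the DNS server itself
$mail = '192.168.10.20'    # assumed mail server address
$ftp  = '192.168.10.21'    # assumed FTP server address
$web  = '192.168.10.22'    # assumed web server address

# Active Directory integrated primary zones (/DsPrimary). If klhl.org.sg is
# already the AD domain zone created when DNS was installed with AD DS, skip
# that ZoneAdd and only add the records to the existing zone.
dnscmd $dns /ZoneAdd klhl.org.sg     /DsPrimary
dnscmd $dns /ZoneAdd ftp.klhl.org.sg /DsPrimary
dnscmd $dns /ZoneAdd klhl.com        /DsPrimary    # assumed zone for www.klhl.com

# Mail: host record for the server plus an MX record (preference 10) pointing at it.
dnscmd $dns /RecordAdd klhl.org.sg mail A  $mail
dnscmd $dns /RecordAdd klhl.org.sg '@'  MX 10 mail.klhl.org.sg

# FTP: the zone name is the host name, so the A record sits on the zone apex (@).
dnscmd $dns /RecordAdd ftp.klhl.org.sg '@' A $ftp

# Website: host record "www" in the klhl.com zone.
dnscmd $dns /RecordAdd klhl.com www A $web

# Checks: list the zones and resolve each name against this server.
dnscmd $dns /EnumZones
foreach ($name in 'mail.klhl.org.sg', 'ftp.klhl.org.sg', 'www.klhl.com') {
    nslookup -type=A $name $dns
}
nslookup -type=MX klhl.org.sg $dns
```

The MX lookup is the one to watch: other mail servers deliver to whatever host the MX record names, so if it points at a name with no A record, inbound mail for klhl.org.sg fails even though the mail server itself is fine.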
Backup
An organization may face server failures for various reasons such as hardware failures, operating system failures or even a disaster that could bring down the whole network. So there must always be a backup of servers and data in order to continue the business. Backups act as the first line of defence against server failures and will be the last hope if everything else fails.
There are many questions that have to be answered in order to have a good backup:
What needs to be backed up?
What type of backup has to be done?
How many days is it going to be kept?
Are we going to have an onsite backup or an offsite backup?
In KLHL the software used for backup is the Windows Server Backup feature, which is built in to the server. This software is used because it makes backup and restore easy, it is user friendly, and scheduling and other options are available. We have the facility of storing the backup directly in a remote shared folder where the data is stored.

KLHL is an organization where all data is considered very important, and in order to have a complete backup the whole system is backed up, including the system state, bare metal recovery and the hard disk volumes. By backing up the whole system we will never miss any data. The backup is stored at a network location dedicated only to storing backups. Storing backups at a network location has the advantage that the data already backed up is overwritten by the next backup, so that the storage space required is reduced, somewhat like an incremental backup. Moreover, every individual system using the Windows operating system has been configured with shadow copies so that users can recover any files that have been deleted accidentally.

Staff working in the company are requested to use the FTP site configured for their department to download and upload the files they work on, so that the data used day to day is also backed up. Logically, the data of the staff working in the company occupies the space allocated to them on the server, and they use their own systems only as workstations for processing.
The servers at the warehouse and the branches are also backed up to the main backup server at the headquarters in the same way, using a dedicated remote location for storing the backups, so that all the transaction data and the Active Directory usage data are backed up without fail.

The backups are scheduled in KLHL so that they run automatically without interruption. They are scheduled at 11.30 pm daily, because the branch and warehouse operations are over at that time and the systems are at rest, so that performance is not affected during sales. Moreover, this time has been chosen because the transactions made during the day are completely updated by then and the branches are closed.

The backups are stored as image files at the remote location. Image backup was chosen because it makes restoring easier and faster. The image files are in VHD format, which allows us to use them in a virtual environment, so that in case of any server failure the backup can be used in a virtual machine in order to get the server up and working immediately. Other than this backup, some manual backups are scheduled:
Schedule            Time      Type
Monday to Sunday    11.30 PM  Scheduled full backup (all servers)
Every Friday        8.30 PM   Manual full backup (client systems)
Every Monday        10.00 AM  Manual full backup (backup server, for offsite backup)

On client systems using Ubuntu not all the data is backed up; only the system settings and the C drive are backed up, just enough to restore a client system immediately, because getting an Ubuntu client connected to the Windows domain is a little tough.
Moreover, software licensing agreements, operating system license agreements, insurance papers and hardware warranty papers are backed up as both hard copies and soft copies, at both the onsite and offsite backup locations. Software and operating systems that are allowed to be copied (Microsoft does not allow more than one copy of its operating systems) are also backed up in the form of images and CDs.
The backup server is located at the headquarters, and another offsite backup is kept in another secure place.
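The daily 11.30 pm full backup of system state, bare metal recovery set and all volumes to a dedicated network share, plus the workstation shadow copies, can be set up with the Windows Server Backup cmdlets and a WMI call. This is an added example, not code from the KLHL report: the share path, the backup account and the use of the C: volume for shadow copies are assumptions. Run the first part elevated on a Windows Server 2008 R2 server with the Windows Server Backup feature installed, and the last two lines on a Windows workstation.

```powershell
# Added example (not from the KLHL report): schedule the 11.30 pm full backup
# to the dedicated backup share, verify the policy, and enable a shadow copy.

Add-PSSnapin Windows.ServerBackup -ErrorAction SilentlyContinue   # snap-in on 2008 R2 (a module on 2012+)

$share = '\\KLHL-BACKUP\Backups'        # assumed dedicated backup location
$cred  = Get-Credential -Message 'Account with write access to the backup share'

$policy = New-WBPolicy
Add-WBSystemState       -Policy $policy                 # system state
Add-WBBareMetalRecovery -Policy $policy                 # bare metal recovery set
Add-WBVolume            -Policy $policy -Volume (Get-WBVolume -AllVolumes)   # every hard disk volume
Set-WBVssBackupOptions  -Policy $policy -VssFullBackup  # full VSS backup, clears application log markers
Add-WBBackupTarget      -Policy $policy -Target (New-WBBackupTarget -NetworkPath $share -Credential $cred)
Set-WBSchedule          -Policy $policy -Schedule 23:30 # daily at 11.30 pm
Set-WBPolicy            -Policy $policy -Force          # -Force skips the confirmation prompt

# Checks: what is scheduled, how the last run went, and what is on the share.
Get-WBPolicy  | Format-List Schedule, BackupTargets, VolumesToBackup, SystemState, BMR
Get-WBSummary | Format-List LastBackupTime, LastBackupResultHR, NextBackupTime
wbadmin get versions -backupTarget:$share

# On a Windows workstation: take a client-accessible shadow copy of C: so
# accidentally deleted files can be restored from "Previous Versions".
$res = (Get-WmiObject -List -Class Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
"Shadow copy create returned $($res.ReturnValue) (0 = success)"; vssadmin list shadows
```

A network share target keeps only the most recent backup image (each run replaces the previous one, which is the overwrite behaviour the section describes), so the Monday copy to the offsite backup server in the table above is what provides any history; a LastBackupResultHR other than 0 in the summary is the first thing to check the morning after a failed run.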
IIS
IIS, Internet Information Services, is a web server application that is an additional role in Windows Server 2008 R2, helping to maintain and manage the following:
HTTP
HTTPS
FTP
FTPS
SMTP
NNTP
SharePoint Services
ASP.NET
With the help of IIS 7 we manage a web server and an FTP server, providing a website and an FTP site for the staff.
Web Server
Although IIS 7 offers various features, we use it for managing the company web page. It handles all the HTTP and HTTPS requests received and directs them to the web page already loaded on the server. This requires configuring the web page and adding an entry in the DNS so that the web page name is resolved by DNS whenever a request is raised for it. IIS also allows output caching to be enabled on the web server, which optimizes performance by caching dynamic PHP content in memory. Since the content is cached, the script does not need to be run every time a request is raised. There are two types of cache policy:
Vary by QueryString: the URL is the same but the query string value varies.
Vary by header: the cache can vary based on the HTTP headers sent from the client to the server.

The website used in KLHL is www.klhl.com.

FTP Server

Another use of Internet Information Services 7 in KLHL is maintaining the FTP server. This lets us provide a shared file system to the staff. Normally FTP servers are used for downloading files from the web server, but in KLHL the same FTP server is also used for uploading files to the server. Staff can use the server in two modes: through the browser as a web page, which only allows them to download the files they want from the server, or through client software called BareFTP, which allows them both to download and to upload files on the FTP server. This is how the staff get a shared file service with an authentication system.

Every organizational unit is allotted a separate FTP site, to which access is granted via group policies. This provides security in that the members of one department cannot access the FTP site of another department.

File Server Resource Manager is used on the FTP server to allot quotas to the departments and to apply file screening, so that no one can store media files such as photos, videos and music. The quotas are linked to the antivirus so that uploaded files are scanned to ensure that no virus is uploaded.
Remote Access
Although staff use FTP to download and upload files to the server, sometimes they may also require remote access to the server for purposes such as troubleshooting and accessing network and server resources. To provide remote access for the staff we use two methods:
Remote Desktop
VPN
Remote Desktop
Remote desktop is the method through which a user can access the server directly: the user sees the server's desktop and can troubleshoot the server in case of any problem. Since a server could easily be attacked through remote desktop, remote desktop is offered only to IT users and administrators for troubleshooting the server. Access is granted to them by creating a user group and linking it to a group policy, through which options such as remote shutdown, restart and Ctrl+Alt+Delete can be restricted.

We use software called Remmina, a free remote-access client built into Ubuntu, for remote access. This software allows us to configure the remote desktop connection to the server with minimal, user-selected graphics settings, and it also has many other options.
VPN

The other method through which KLHL staff are allowed to access the server remotely is a VPN (Virtual Private Network). A VPN is a cost-effective, secure and easy way to connect to a network remotely. The VPN connection uses an Internet connection to reach the local area network. Staff are allowed VPN connections using RRAS (Routing and Remote Access Service), which uses NPS (Network Policy Server) to restrict which users can and cannot connect to the network. The VPN uses PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol) for connecting to the network. Of the two, L2TP (with IPsec) is the stronger choice, since the authentication used by PPTP is known to be weak.

By default Ubuntu has an option for configuring a VPN connection, which helps us connect to the network easily.
Processes that are Automated
Some processes in the KLHL network are automated, both during creation of the network and after its implementation. They are:
- Unattended installation: unattended installation of the server operating system for branch networks using Windows Deployment Services
- Backup: scheduled backup using the Windows Backup feature
- User account release: locked user accounts are released automatically using lockout policies
- Disk quota scanning: using file screening, the disk quotas are scanned automatically to avoid storing multimedia content on the FTP server
- Remote session: if a remote session remains unused for more than 30 minutes, the session is ended automatically
- Shadow copy: systems that use the Windows operating system have shadow copies enabled and automated
- Active Directory replication: the Active Directory data between the RODC, the child domains and the forest domain controller is replicated automatically without interruption
- Print server: if one printer fails, all requests for that printer are forwarded to the other printer automatically by the print server
- Account lock: if a password is entered wrongly more than 5 times, the account is locked automatically

Performance analysis or monitoring (including third-party analyzer software)
PAL (Performance Analysis of Logs) is third-party software that is useful for analyzing storage congestion by quickly identifying the disk or application responsible for poor performance in the server. Task Manager, which is provided by Windows Server, is a useful tool for gaining a preliminary analysis of a performance concern, but I realised that Task Manager is an interactive tool that does not allow the user to save the performance metrics for later analysis; this is a problem for intermittent performance issues that come and go. PAL automates the analysis of Performance Monitor counters, identifying whether a process surpasses a threshold on the system.
The Windows Performance Monitor tool can record performance data to a log file, which is an advantage for intermittent issues, since Performance Monitor allows the user to graph particular performance counters to find congestion. Unfortunately there are hundreds or even thousands of possible counters to review, which can take hours or even days.
To automate the analysis of Performance Monitor counters, the third-party tool I chose, PAL (Performance Analysis of Logs), was developed by Microsoft and is open-source software. It reads Performance Monitor counters from a log file and applies predetermined threshold values to identify any counters that have been marked as excessive; it then produces a report listing alerts, along with graphs that explain them in detail.
You can download the software, or find further information about it, at http://www.codeplex.com/PAL.
PAL guides the user through the process of analyzing all the performance data; the user provides the location of the performance log file. While troubleshooting storage performance problems in Windows there are a few tools that can be used to identify system congestion or bottlenecks, such as Task Manager, provided by Microsoft itself. However, we need more in-depth analysis, so I recommend the third-party software PAL for those who want to improve their storage performance.

Figure: some of the options inside the PAL software.
Network Load Balancing
Every user, myself included, has experienced the frustration of an overloaded desktop: too many programs or applications open at one time make the desktop machine slow. This can also happen to our servers. Even though an application or web server typically runs only a few critical applications, the more requests or connections it tries to process, the more computing resources it uses up and the slower it responds to users. That slow execution means poor application performance. The only solution is to free up resources by adding a second server and load balancing.
For websites running on the Windows Server 2008 operating system, most experienced site administrators start looking at adding new hardware when CPU utilization exceeds a constant 70% of ongoing usage. Websites running on Linux servers are typically better in terms of CPU utilization, and performance may not degrade until CPU utilization is over 90%. For example, if a user maintains a constant 90% CPU utilization on a Linux server, that leaves only 10% headroom, which can easily be consumed by a quick spike in traffic; performance degrades considerably when this threshold is reached, so it is to be avoided. If a site or application has been constructed properly, needing additional server hardware is a good problem to have: it means the site is probably successful. When adding a second web server to handle the load, both machines need to appear to the web audience under a single domain name, and to achieve this a load balancing infrastructure is needed to distribute the load between the machines. This means each server does less work, leading to faster execution times and thus better application performance; load balancing can also take performance into account when deciding which server should respond.
The network load balancing software already available in Microsoft Windows is effective but does not offer the configuration options of a hardware load balancer. Network Load Balancing provides high availability by automatically detecting the failure of a server, and it also considers the performance of servers such as web servers, so client requests are spread across the multiple servers in the cluster. As traffic increases, additional servers can be added to the cluster for scalability.
Resource Monitor
When Microsoft added the complete Resource Monitor tool to the Windows operating system, it was an outstanding tool that allows administrators to gain deep knowledge of the operating condition of mission-critical Windows servers. I provide a small screenshot of the Resource Monitor window to show the user a list of all running processes that are using disk resources. The picture contains the name of each executable and a number of performance statistics:
- IMAGE - executable file name; these are the names of the processes actively using the disk resource.
- PID - the ID number associated with the process; this is very useful if the user wants to use other utilities to manage the process, or wants to match it up easily with the Task Manager processes.
- READ Bytes/sec - the average number of bytes read per second by the process in the previous minute.
- WRITE Bytes/sec - the average number of bytes written per second by the process in the previous minute.
- TOTAL Bytes/sec - the average number of bytes accessed per second by the process in the previous minute.
You can see that the information in this picture is not particularly useful for troubleshooting, except that it shows which processes are consuming the most disk resources. You can also see that there are a lot of reads from the disk by the process named DPMRA.exe. The Resource Monitor window does provide one useful troubleshooting metric, the response time, which can be observed directly without a good understanding of the underlying storage configuration.

Figure: Resource Monitor, Processes view.
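The Resource Monitor columns listed above can be rebuilt from Performance Monitor counters so that the same table can be captured from a script or a scheduled task. The following PowerShell is an added example, not code from the KLHL report; it assumes English counter names and PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added example (not from the KLHL report): rebuilds the Resource Monitor disk
# table (IMAGE, PID, read, write and total bytes/sec, averaged over the sampling
# window) from the Process performance counters.
# Assumptions: English counter names; PowerShell 2.0 on Windows Server 2008 R2.

function Get-KlhlProcessDiskUsage {
    param(
        [int]$Seconds = 60,   # Resource Monitor averages over the previous minute
        [int]$Top = 10        # rows to return, heaviest disk users first
    )
    $counters = @('\Process(*)\ID Process',          # instance -> PID
                  '\Process(*)\IO Read Bytes/sec',   # READ Bytes/sec column
                  '\Process(*)\IO Write Bytes/sec')  # WRITE Bytes/sec column
    # One sample set per second; unroll every set into individual counter samples.
    $samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds |
        ForEach-Object { $_.CounterSamples }

    $stats = @{}
    foreach ($s in $samples) {
        $name = $s.InstanceName                       # e.g. "dpmra" or "svchost#3"
        if ($name -eq '_total' -or $name -eq 'idle') { continue }
        if (-not $stats.ContainsKey($name)) {
            $stats[$name] = @{ Image = $name; PID = 0; Read = 0.0; Write = 0.0; N = 0 }
        }
        # Sample paths look like \\host\process(dpmra)\io read bytes/sec
        $counterName = ($s.Path -split '\\')[-1]
        switch ($counterName) {
            'id process'         { $stats[$name].PID = [int]$s.CookedValue }
            'io read bytes/sec'  { $stats[$name].Read += $s.CookedValue; $stats[$name].N += 1 }
            'io write bytes/sec' { $stats[$name].Write += $s.CookedValue }
        }
    }

    $rows = foreach ($entry in $stats.Values) {
        $n = [Math]::Max($entry.N, 1)                 # average over the samples taken
        $read = $entry.Read / $n
        $write = $entry.Write / $n
        New-Object PSObject -Property @{
            Image = $entry.Image
            PID = $entry.PID
            'Read B/s' = [Math]::Round($read)
            'Write B/s' = [Math]::Round($write)
            'Total B/s' = [Math]::Round($read + $write)   # TOTAL = read + write
        }
    }
    $rows | Sort-Object 'Total B/s' -Descending |
        Select-Object Image, PID, 'Read B/s', 'Write B/s', 'Total B/s' -First $Top
}

# Per-volume latency, an approximation of the Resource Monitor response time
# column (which is not exposed as a per-process counter).
function Get-KlhlDiskLatency {
    param([int]$Seconds = 60)
    Get-Counter -Counter '\LogicalDisk(*)\Avg. Disk sec/Transfer' -SampleInterval 1 -MaxSamples $Seconds |
        ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.InstanceName -ne '_total' } |
        Group-Object InstanceName |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object CookedValue -Average).Average
            New-Object PSObject -Property @{ Volume = $_.Name; 'Avg ms/transfer' = [Math]::Round($avg * 1000, 2) }
        }
}

Get-KlhlProcessDiskUsage -Seconds 60 -Top 10 | Format-Table -AutoSize
Get-KlhlDiskLatency -Seconds 60 | Format-Table -AutoSize
```

A process such as DPMRA.exe that dominates the Total B/s column is the one to investigate first; a high ms/transfer on a volume points at the storage itself rather than at one process.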
CPU statistics
CPU features and hardware evolve very fast, and performance testing and analysis methods may need to evolve along with them. If the user relies only on CPU utilization as a fundamental performance metric, the user could make a big mistake in interpreting the data. We all know the Performance tab in Windows Task Manager, and confusion over the meaning of the physical memory counters is a common question for performance teams; in this section I explain how CPU utilization (referred to here as CPU usage) may not mean what the user expects.
The CPU utilization shown by Task Manager is a key performance metric that can be used to track CPU performance regressions or improvements, and it is also a useful data point for performance issue investigation. It is reported in a number of places in the Windows operating system, including Task Manager, as mentioned, Resource Monitor and Performance Monitor.
Current processor technology is much more complex: a single processor package may have multiple cores whose frequencies change dynamically. These technology advances can change the behaviour of CPU utilization reporting and complicate performance analysis for administrators who are unaware of them. CPU utilization is typically used to track CPU performance improvement when running a specific piece of code.
CPU utilization can also be used to investigate performance issues, a scenario that has become common as developers use the Windows Performance Toolkit to assist their debugging work. CPU utilization also bears on other system performance characteristics, namely power consumption. Some people may think that the magnitude of CPU utilization only matters when the CPU is congested at 100%, but that is not always the case: each additional percentage point of CPU utilization draws a bit more power from the outlet, which is an overhead cost, and if you pay the electricity bill for a data center you care about that.
CPU utilization data is almost always useful, and it is a piece of information that can tell you something about the performance inside the system. The real issue comes when the user tries to put a piece of data in context by comparing it with data from a different system or test run: not all CPU utilization measurements are comparable, even two measurements taken on the same machine. There are several potential sources of error for people using utilization for performance analysis: hardware and configuration features, OS configuration and features, and the measurement tools, all of which can affect the result.
Log files and the Event Viewer: purpose and benefit
Administrators can use the Event Viewer provided by Microsoft to manage and view the event logs. The event logs contain a lot of information about software and hardware problems and about security events on the computer. A computer running Windows Server 2008 records events in at least three kinds of logs: system, application and security. A computer running Windows Server 2008 that is configured as a domain controller records events in two additional logs, the Directory Service log and the File Replication Service log. A computer running Windows Server 2008 that is configured as a DNS server, as in my work, records events related to DNS in an additional log.
There are some powerful policy settings that allow the user to configure five settings for the application, security, setup and system event logs. The log file path policy setting allows you to specify the location where the Event Log service writes its log file; as an administrator you must provide a path and file name when relocating where Windows writes the log file.

It is located under Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.

The next two policy settings are related: the retain old events and back up log automatically when full settings control what the Event Log service does when the event log finally reaches its maximum file size. With the retain old events policy setting enabled, the Event Log service stops writing new events to the event log when the log file reaches or exceeds the maximum size, and you lose all new events; with this policy disabled, new events overwrite old events. When you enable both back up log automatically when full and retain old events, the Event Log service closes the current event log, renames it, and then creates a new log. The back up log automatically when full policy setting works only when you enable the retain old events policy setting.

The remaining two are the maximum log size policy setting and the one I think is the most beneficial, the log access setting: enabling this setting allows the administrator to enter a security descriptor for the log file, and the security descriptor controls who can read, write or clear the event log.

These policy settings for the Event Log service provide more flexibility and control. Using these group policies to control where event logs are written, how large they can grow, how they are maintained and who can manage them is key to change control and security auditing.
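The five settings above (log file path, retain old events, back up automatically when full, maximum log size and log access) are the same channel properties that wevtutil sets on a single server, which makes them easy to verify after the policy has applied. The following PowerShell is an added example, not code from the KLHL report; the log path and SDDL string are constructed sample values.

```powershell
# Added example (not from the KLHL report): applies the five Event Log service
# settings to one channel with wevtutil, reads them back, and checks the
# retention/auto-backup dependency described in the report.
# Assumptions: run elevated on Windows Server 2008 R2 or later; D:\EventLogs and
# the SDDL below are constructed sample values, not KLHL configuration.

function Set-KlhlEventLogChannel {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,
        [string]$LogFilePath,               # "Log file path" policy
        [int]$MaxSizeBytes = 200MB,         # "Maximum log size" policy (wevtutil takes bytes)
        [bool]$RetainOldEvents = $true,     # "Retain old events" policy
        [bool]$AutoBackupWhenFull = $true,  # "Back up log automatically when full" policy
        [string]$AccessSddl                 # "Log access" policy (security descriptor)
    )
    $wevtArgs = @('sl', $LogName, "/ms:$MaxSizeBytes",
                  "/rt:$($RetainOldEvents.ToString().ToLower())",
                  "/ab:$($AutoBackupWhenFull.ToString().ToLower())")
    if ($LogFilePath) { $wevtArgs += "/lfn:$LogFilePath" }
    if ($AccessSddl)  { $wevtArgs += "/ca:$AccessSddl" }
    & wevtutil.exe @wevtArgs
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for $LogName (exit $LASTEXITCODE)" }
}

function Get-KlhlEventLogChannel {
    param([Parameter(Mandatory = $true)][string]$LogName)
    # "wevtutil gl" prints "key: value" lines (logging keys are indented).
    $cfg = @{}
    & wevtutil.exe gl $LogName | ForEach-Object {
        if ($_ -match '^\s*(\S+):\s*(.*)$') { $cfg[$matches[1]] = $matches[2].Trim() }
    }
    $cfg
}

function Test-KlhlEventLogChannel {
    param([hashtable]$Config)
    $problems = @()
    # Auto-backup has no effect unless old events are retained.
    if ($Config['autoBackup'] -eq 'true' -and $Config['retention'] -ne 'true') {
        $problems += 'autoBackup is enabled but retention is disabled: backups will never be written'
    }
    # Retaining old events without auto-backup silently drops new events once the log is full.
    if ($Config['retention'] -eq 'true' -and $Config['autoBackup'] -ne 'true') {
        $problems += 'retention without autoBackup: new events are lost once the log is full'
    }
    if (-not $Config['channelAccess']) {
        $problems += 'no channelAccess SDDL set: default log permissions apply'
    }
    $problems
}

# Constructed sample: SYSTEM and Administrators get full control, the built-in
# Event Log Readers group (S-1-5-32-573) gets read only.
$sddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)'
Set-KlhlEventLogChannel -LogName 'Security' -LogFilePath 'D:\EventLogs\Security.evtx' `
    -MaxSizeBytes 200MB -RetainOldEvents $true -AutoBackupWhenFull $true -AccessSddl $sddl
$config = Get-KlhlEventLogChannel -LogName 'Security'
Test-KlhlEventLogChannel -Config $config   # empty output means the channel is consistent
```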
Windows Server 2008 includes the ability to collect copies of events from multiple remote computers and store them on one computer. Forwarding and collecting events in this way can be carried out across the Internet and can also use encryption, depending on how it is configured. Using the event collection feature requires configuring both the forwarding and the collecting computers. The process of collecting events depends on the Windows Remote Management service and the Windows Event Collector service; both of these services must be running on the computers used for forwarding and collecting.

Tips for quickly filtering the event log in Windows Server 2008
The Event Viewer in Windows Server automatically creates some filtered views for the event logs; the filtered views are listed under the Custom Views node. When the administrator selects the node for the server's events, all the errors and warnings for all logs are shown. When the administrator expands the Server Roles node and selects a role-specific view, the administrator sees a list of all events for the selected role. To create a custom view, follow these steps:
1. In Server Manager, expand the Diagnostics node and then the Event Viewer node.
2. Select the Custom Views node; in the Actions pane or the Action menu, click Create Custom View.
3. Use the Logged list to select the time frame for the logged events to include; the administrator can also choose to include events from the last 30 days or weeks.
4. Use the Event level check boxes to specify the levels of events to include; select Verbose to get additional detail.
5. You can create a custom view for a specific set of event sources or a set of logs:
- Use the Event logs list to select the event logs to include; select multiple event logs by selecting their check boxes. If you select a specific event log, all other event logs are hidden.
- Use the Event sources list to select the event sources to include; the administrator can select multiple event sources by selecting their check boxes. If you select a specific event source, all other event sources are hidden.
6. Optionally, use the User and Computer boxes to specify the users and computers that should be included; if the administrator does not specify users and computers, events generated by all users and computers are included.
7. When the administrator clicks OK, Windows displays the Save Filter to Custom View dialog.
8. Type a name and description for the custom view.
9. Select where to save the custom view. By default, custom views are saved under the Custom Views node; the administrator can create a new node by clicking New Folder, entering the name of the new folder and clicking OK.
10. The last step is to click OK to close the Save Filter to Custom View dialog box. The administrator should now see a filtered list of events; review these events carefully and take steps to correct any problems that may exist.

If the administrator wants to see a particular type of event, the log can be filtered by following these steps:
1. In Server Manager, expand the Diagnostics node and then the Event Viewer node.
2. Expand Windows Logs or Applications and Services Logs, as appropriate for the type of log the administrator wants to work with; the administrator should now see a list of event logs.
3. Select the log to work with; in the Actions pane or the Action menu, click Filter Current Log.
4. Use the Logged list to select the time frame for the logged events to include; the administrator can choose to include events from the last hour or the last week, for example.
5. Use the Event level check boxes to determine the levels of events to include; select Verbose to get additional detail.
6. Use the Event sources list to select the event sources to include; if the administrator selects a specific event source, all other event sources are excluded.
7. Optionally, use the Computer and User boxes to specify the computers and users to include; if the administrator does not specify them, events generated by all users and computers are included.
8. Click OK; the administrator now sees a filtered list of events. Review these events carefully and take steps to correct any issues that exist. To clear the filter and see all events for the log, click Clear Filter in the Actions pane.
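Both procedures above (creating a custom view and filtering the current log) build the same kind of query: a time frame, event levels, logs, sources and computers. The following PowerShell is an added example, not code from the KLHL report; it expresses that filter as a Get-WinEvent query so the same check can be rerun or scheduled, and the log, source and computer names it uses are constructed samples.

```powershell
# Added example (not from the KLHL report): builds the Event Viewer filter from
# the steps above (time frame, levels, logs, sources, computers) as an XML query
# and runs it with Get-WinEvent. Names used at the bottom are constructed samples.

function New-KlhlEventQuery {
    param(
        [string[]]$LogName,             # step 5: logs to include (one <Query> each)
        [int[]]$Level = @(1, 2, 3),     # step 4: 1=Critical 2=Error 3=Warning 4=Info 5=Verbose
        [int]$Hours = 24 * 7,           # step 3: time frame, default last 7 days
        [string[]]$Source = @(),        # step 5: event sources (providers)
        [string[]]$Computer = @()       # step 6: computers
    )
    $levelExpr = ($Level | ForEach-Object { "Level=$_" }) -join ' or '
    $ms = [long]$Hours * 3600 * 1000    # timediff() is measured in milliseconds
    # "<" must be escaped inside XML text, as Event Viewer itself does.
    $clauses = @("($levelExpr)", "TimeCreated[timediff(@SystemTime) &lt;= $ms]")
    if ($Source.Count -gt 0) {
        $clauses += '(' + (($Source | ForEach-Object { "Provider[@Name='$_']" }) -join ' or ') + ')'
    }
    if ($Computer.Count -gt 0) {
        $clauses += '(' + (($Computer | ForEach-Object { "Computer='$_'" }) -join ' or ') + ')'
    }
    $xpath = '*[System[' + ($clauses -join ' and ') + ']]'
    # Selecting specific logs hides all others, exactly as the Event logs list does.
    $queries = for ($i = 0; $i -lt $LogName.Count; $i++) {
        "  <Query Id=`"$i`" Path=`"$($LogName[$i])`"><Select Path=`"$($LogName[$i])`">$xpath</Select></Query>"
    }
    "<QueryList>`n" + ($queries -join "`n") + "`n</QueryList>"
}

function Get-KlhlFilteredEvents {
    param([string]$QueryXml, [int]$MaxEvents = 200)
    # SilentlyContinue turns "no events match" into empty output instead of an error.
    Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, MachineName, Message
}

# Constructed sample: critical, error and warning events from the last week in the
# System and DNS Server logs, raised by the DNS service on one sample domain controller.
$query = New-KlhlEventQuery -LogName 'System', 'DNS Server' -Level 1, 2, 3 -Hours (24 * 7) `
    -Source 'Microsoft-Windows-DNS-Server-Service' -Computer 'KLHL-DC01.klhl.org.sg'
$query                                           # the XML can be pasted into a custom view's XML tab
Get-KlhlFilteredEvents -QueryXml $query | Format-Table -AutoSize
```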
Individual Report - Lawrence
INDIVIDUAL REPORT
LOG BOOK
WEEK 1 = I have been doing research on Linux and Windows Server 2008, about how to monitor performance and analyze it, after finishing installing the software on my computer with the support of VMware Tools.
WEEK 2 = Started to learn some basic Linux commands like apt-get and other login and upgrade commands, did some research on them and documented it as the first part of my individual report.
WEEK 3 = In week 3 I gave a presentation about how to operate Linux. To be honest, for my first presentation I did not do enough research to show the lecturer how to operate Linux, and using Linux was also my first experience from this subject. After that I got my marks for the individual presentation.
WEEK 4 = In week 4 I documented the research I did about performance monitoring: log files, network load balancing, network usage and CPU statistics.
WEEK 5 = The question requirements said that we need third-party software to give us deep analysis and monitoring for our servers, such as the web server, Active Directory server and other servers. I got myself a third-party tool called Performance Analysis of Logs (PAL). PAL guides the user through the process of analyzing all the performance data; the user provides the location of the performance log file. While troubleshooting storage performance problems in Windows there are a few tools that can be used to identify system congestion or bottlenecks, such as Task Manager, provided by Microsoft itself. However, we need more in-depth analysis, so I recommend the third-party software PAL for those who want to improve their storage performance.
WEEK 6 = My final presentation, about how to monitor and analyze usage. The lecturer asked me to monitor the log file and show the result. I showed him everything, including memory usage, logical disk usage, etc.

Modifications, learning opportunities, outcomes, and the reason for my report
One modification made to my Windows Server was installing additional third-party software, the .NET Framework, to change my laptop's framework to support my other software, Performance Analysis of Logs. The experience I have gained so far is good enough to show my friends the basics of what a system administrator does in his job; I still have a lot to learn about administration. I have also had some opportunities to operate the server, thanks to our group leader Karthic Subramaniam, who has done a lot of things and assisted us. Thanks to him.
Some outcomes of my studies are that I could not explain well some of the network load balancing and network usage documentation, and I also encountered many errors after analyzing the file server with the third-party software; I tried to install more software to boost the performance in the CPU statistics.

Individual Report Hengky Supianto
Individual report
No matter what our unit of analysis is in a research project, the important thing is to be clear about what our unit of analysis is. This is why, when I start a research project, I must know and decide what I am going to research. Otherwise I will run the risk of drawing invalid conclusions because my statements about one unit of analysis are actually based on the analysis of another unit of analysis.
Based on my analysis, working with group policies requires understanding the basic concepts behind them. I had a brief look at how to work with group policies and how to link them together.
Regarding auditing, while I was doing testing or configuration: the auditing process is quite complicated, typically when you put it into large distributed networks. Creating account log files may give you access to the type of information you require as a network administrator.
Organizations face security threats from a wide range of sources and are vulnerable to attacks such as hacking and computer viruses. The information security provided by the IT department alone is not sufficient and needs to be supported by policies and procedures. Security policies are the foundation of an organization's information security. Therefore the security policies set up the computer usage guidelines for staff in the course of their job duties.
A company has to acknowledge the fact that security threats exist and know how to prevent and respond to them. Identifying and implementing the suitable controls that are needed, with the participation and planning of all the staff and departments in the organization, is very important for the success of information security management. The objective of a well-implemented security policy is enhanced information integrity, availability and confidentiality, from both outside and inside the organization.
I recommend that the IT department consider and concentrate on what the company requires: staying up to date with attacks and vulnerabilities, convenience for customers, and creating a solid authentication and authorization system. The IT department should also create a good bond within the industry so that it can keep track of the newest technologies and do its best to keep up to date with what is going on in the security world.

An individual logbook
In the first week, I reinstalled my Windows Server 2008 R2, because there were some problems with the login account: it said that I was not the administrator and I could not log in to the administrator account. The password must have been entered wrongly or forgotten during installation. Therefore I decided to reinstall it. Before reinstalling, I found out about the Windows Server 2008 R2 evaluation. Windows Server 2008 R2 expands existing technology and adds new features to allow organizations to increase the flexibility and reliability of their server infrastructures. Thus I could make sure to install and run it properly.
In the second week, I did research about the proposed Active Directory for an organizational unit. I watched a video tutorial on Active Directory covering the purpose of Active Directory, installing Active Directory in Windows Server 2008 R2, and the functionality and administrative improvements in Windows Server 2008 R2.
In the third week, my group leader assigned me the security policy for the charity organizational unit. I started by analyzing which security devices are suitable for the physical and logical parts of the organization. Then, for the network operating system security, I looked at the local security controls in Windows Server 2008 R2.
In the fourth week, I analyzed the problem of how to control and set the rules in the security policy, such as access control rules, account policies, local policies, Windows Firewall with Advanced Security, virus protection, user rights policies, group policies, password policies and authentication policies.
In the fifth week, I analyzed how to solve the problems I found while working on the security policy. I used a virtual machine to test the problems and looked for solutions on websites. In the sixth week, I looked into why we need to have a security policy: because it is instrumental in creating a secure organization. I also looked into what makes a good security policy; it must be brief, to the point, detailed and as clear as possible, to provide the information needed to implement the regulations.

Individual Part LI Ao
Log Book
Week 1
Install Linux, learn Linux configuration
Commands learned: ls, chmod, cd, pwd, touch, mkdir, cp, mv, rm, cat, more, ln, vi, mount
Learned how to set permissions for files, and how to create, remove, copy and write files
Learned how to create new users and groups
Learned how to create links to files
Learned to mount a device to a file
Week 2
Learn the Linux booting process
Learn to change the run level and the default run level
Learn the process management of Linux: display processes, kill processes, change priority
Compress and decompress
Learn how to install software (apt-get)
Week 3
Learn to create scheduled tasks (crontab, at)
Learn how to recover when the password is forgotten
Install Windows Server 2008
Week 4
Set up a DC server on Windows
Log in to the domain from Ubuntu
Add a child domain
Set the child domain as a global catalog, connect the child domain and Ubuntu, log in from Ubuntu to the parent domain

Problem: Client cannot join the domain
Action to analyze the problem: check connectivity (ping the server IP address: success), check for a DNS problem (ping the domain name: fail) -> DNS problem
Action to solve the problem: set the default DNS of Ubuntu to the DC server
Week 5
Read a book about Active Directory and learn the details of Active Directory
Design the Active Directory for the hypermarket
Learn why to create a new domain
Learn the concept of sites and try to configure it
Learn about read-only DCs
Problem: Cannot remove an OU
Action to analyze the problem: search for this problem on the Internet
Action to solve the problem: uncheck "Protect object from accidental deletion" in the properties of the OU
Week 6
Learn how to share folders and set permissions for them
Learn the difference between file sharing permissions and NTFS permissions
Design different permissions for different groups in the hypermarket

Reflective Report
I have learned many things from this course. For Linux, I can perform a number of basic
configurations with the command line and learned some knowledge about how the operating system works.
Furthermore, I also changed my notion about Windows after this course. I believed that, as a server,
Linux is more powerful than Windows. But after this course, I realized that Windows also has many
advantages. It can centralize the management. As a result, the management of authentication and
authorization becomes simple. The privileges and permissions for users can be easily defined. In
addition, I also learned the concept of sites in Active Directory. It describes the physical topology of the
forest in order to optimize the replication of AD data between sites. It can even set the cost of the
links. For the course of computer networks, I learned that a router works on the network layer, and it can
use routing protocols to optimize the traffic. In contrast, AD is a service in the application layer, and it
also can use the KCC (Knowledge Consistency Checker) to optimize the replication. Another difference is
that the KCC cannot learn the topology automatically like OSPF; we need to configure it manually
according to the real network connection. But, anyway, this concept broadens my horizons.
In this course, I designed the Active Directory schema for the hypermarket and performed file
sharing with permission control for staff. During the implementation, I suffered from some problems.
For example, at the beginning, I could not join the domain. The problem was that the DNS server
address on the client was incorrect. After changing the DNS server address to the DC, the problem was
solved. Another time, I could not move or delete an OU. Then I searched for this problem on the Internet
and finally got the solution. Normally, an OU is protected to avoid accidental deletion. To solve this, I
opened the advanced view and unchecked "protect object from accidental deletion" in the properties of
the OU.
In the demonstration session, I showed the Active Directory I created. It includes domains,
OUs, sites, users and groups. I also performed the file-sharing function and set different permissions for
different groups.
In the next five years, I think I will focus on the networking realm. From this course, I
acquired basic skills to configure Linux. I realize the power of Linux. We can do many things on it. So
I plan to learn how to configure a firewall and IDS on Linux, such as iptables and Snort. Also,
Windows Server gave me some ideas about security in terms of authentication and authorization. In
addition, I also gained a clearer picture about what types of traffic are running inside the enterprise,
such as the replication of AD data. These types of data may have different requirements. Take
replication of AD data, for instance: it is more delay-tolerant than other applications. So in the real
network, we can set it with a lower priority to improve the network QoS.

Individual Report Karthic Subramaniam
Logbook




Columns: Date / Process Done / Error that Arose / Things that have been learnt, Solution, Result

Weeks 1-2

Process done: Installed Windows Server 2008 R2 in VMware Player to create a server.
Error that arose: Success - No Error
Learnt / Solution / Result: NA

Process done: Ran DCPROMO.EXE in the server operating system in order to create a global catalog server, which is the first server in the domain "klhl.org.sg".
Error that arose: Success - No Error
Learnt / Solution / Result: While installing, came to know that without a DNS server the Active Directory services could not be installed.

Process done: The DNS server role was installed together with the server while running Dcpromo.
Error that arose: Success - No Error
Learnt / Solution / Result: While installing, came to know that the DNS server role could not be installed without assigning an IP address to the server. So manually assigned an IP address to the server without using DHCP.

Process done: The forest functional level was selected as Windows Server 2008 R2.
Error that arose: Success - No Error
Learnt / Solution / Result: -

Process done: The Directory Services password was given.
Error that arose: Success - No Error
Learnt / Solution / Result: Came to know that the Directory Services password is required while removing the role from the server.

Process done: Then other roles were installed on the server as per the requirement: the IIS role, Print Services role and Remote Desktop Services role were installed.
Error that arose: Success - No Error
Learnt / Solution / Result: While installing these roles, came to know that the roles being installed automatically choose the supporting features that have to be installed together, e.g. .NET features for IIS.

Process done: Once all the roles had been installed as per the scenario, the organizational units and the users were created.
Error that arose: Success - No Error
Learnt / Solution / Result: NA

Process done: After creation, in order to create a basic client-server architecture, started installing Ubuntu OS in another virtual machine.
Error that arose: Success - No Error
Learnt / Solution / Result: NA

Process done: An IP address was assigned to Ubuntu.
Error that arose: Not able to ping the server with the IP or the domain name.
Learnt / Solution / Result: The IP address was manually assigned with the server's IP address as gateway. Then was able to ping it.

Process done: After installation, tried to find an inbuilt option for adding Ubuntu to the domain and Active Directory.
Error that arose: There was no inbuilt option to join Ubuntu to the Active Directory domain.
Learnt / Solution / Result: After searching for a solution, came to know about Likewise Open, which is an easy option for adding Ubuntu to Windows Server.

Process done: Using Likewise Open the client was able to connect to the server in an easier manner.
Error that arose: Had authentication problems.
Learnt / Solution / Result: Later on corrected it by installing the supporting packages of Likewise Open.

Process done: After connecting it to the domain, tried to log on to the server by entering the username and password at the logon screen.
Error that arose: The "Other user" option, which allows the user to enter the username and password directly, was not available.
Learnt / Solution / Result: In order to enable the other-user login, changed the greeter code in /etc/lightdm/lightdm.conf (greeter-show-manual-login = true).

Process done: Then, after editing the greeter code, tried to log into the system.
Error that arose: Success - No Error
Learnt / Solution / Result: Was able to log in to the server using the administrator username and password.

Process done: Then a website was created using the IIS role in the server.
Error that arose: Success - No Error
Learnt / Solution / Result: Learned how to create a website using IIS.

Weeks 3-5

Process done: Tried to access the created website from the Ubuntu client.
Error that arose: Not able to open it; got an error saying not able to resolve the hostname.
Learnt / Solution / Result: In order to correct it we created a DNS entry in the forward lookup zone of the server, which helped in resolving the website name.

Process done: After the DNS entry, tried to open the webpage from the Ubuntu client.
Error that arose: Success - No Error
Learnt / Solution / Result: Was able to open the website; the contents of the website folder were listed first because we enabled directory browsing in IIS.

Process done: For remote access to the server we used a third-party software called Remmina.
Error that arose: Not able to access because the username didn't have the access.
Learnt / Solution / Result: In order to correct it we went into Active Directory and changed the settings under the remote access tab.

Process done: Then, after giving certain permissions to the username, we tried to have a remote desktop.
Error that arose: Success - No Error
Learnt / Solution / Result: NA

Process done: Then we tried to have a good backup policy for the server. We tried to create the software backup policy using Windows Server Backup.
Error that arose: Came up with an error showing that the server backup features are not installed.
Learnt / Solution / Result: In order to solve it we installed the server backup features in the Features tab via Add Features.

Process done: After adding the features we tried to access it.
Error that arose: Success - No Error
Learnt / Solution / Result: NA

Process done: We created a backup policy where it will create full image backups daily at 10PM and store them to the network location.
Error that arose: Success - No Error
Learnt / Solution / Result: Learnt that Windows Server Backup had the facility of scheduling the backup, and by storing it in the remote shared location it will erase the older files and do a new update.

Process done: For file sharing, creation and uploading to the server, we planned to create an FTP site which will have permissions to read and write.
Error that arose: NA
Learnt / Solution / Result: Came to know that an FTP site is also something like a website which is created in IIS.

Process done: In order to create the FTP site we created a folder in the server where we stored the files that have to be shared.
Error that arose: Success - No Error
Learnt / Solution / Result: Learned to create an FTP site in IIS with SSL security.

Process done: After creating it, tried to access it through a browser from the Ubuntu client.
Error that arose: Came up with an error saying unable to resolve the FTP site.
Learnt / Solution / Result: In order to solve it we created a zone in the DNS pool of the server, which helps in resolving the FTP site.

Process done: After resolving, we tried to access it from the browser.
Error that arose: Success - No Error
Learnt / Solution / Result: Was able to access it, but since there was no security we decided to restrict it to some specified users.

Process done: We created a group called FTP_USERS where users have been added, and the same was linked with the FTP site.
Error that arose: Success - No Error
Learnt / Solution / Result: NA

Process done: After linking, we tried to access it from the client again.
Error that arose: Success - No Error
Learnt / Solution / Result: Learnt to add authentication to the FTP site, and learned to create a user group and add folder permissions to it.

Process done: At last, tried to create a mail server in the organization.
Error that arose: NA
Learnt / Solution / Result: Came to know about many mail servers that are available for Windows Server.

Process done: We decided to use Microsoft Exchange Server 2010 for mail.
Error that arose: NA
Learnt / Solution / Result: Came to know that the configuration, maintenance and working of Exchange 2010 is a bit tougher, although it has many advantages like integrating with Active Directory.
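Several logbook entries share one root cause: a name the client could not resolve because the record was never added to the server's zone (the website, the FTP site, and later the mail server's mail exchanger), and the other reflective report notes a domain join that failed until the client used the DC for DNS. The following is an added example, not code from the project, that checks a zone for those records; it assumes the zone klhl.org.sg, the host names www, ftp and mail, a constructed 10.0.0.0/24 addressing, and it goes one step further than the logbook by also checking the _ldap._tcp.dc._msdcs SRV locator record that a domain join relies on.

```python
"""Check a DNS zone for the records the KLHL lab depended on.

Added example (not from the project report): parses a small constructed
BIND-style zone and reports the gaps behind the logbook's "unable to
resolve" errors. Zone name, hosts and addresses are assumptions.
"""
from collections import defaultdict

RTYPES = ("A", "MX", "SRV", "NS", "SOA", "CNAME")

# Constructed, abbreviated zone: "ftp" has no A record and the MX exchange
# "mail" does not resolve, mirroring the logbook's "unable to resolve" errors.
SAMPLE_ZONE = """
$ORIGIN klhl.org.sg.
@    IN NS  dc1.klhl.org.sg.
@    IN MX  10 mail.klhl.org.sg.
dc1  IN A   10.0.0.10
www  IN A   10.0.0.10
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.klhl.org.sg.
"""


def parse_zone(text):
    """Map (fqdn, rtype) -> list of rdata token lists; names are made absolute."""
    origin, records = "", defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split(";")[0].split()  # drop comments; blank lines give []
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        name = origin if fields[0] == "@" else fields[0]
        if not name.endswith("."):
            name = f"{name}.{origin}"  # relative owner name: append the origin
        idx = next(i for i, f in enumerate(fields) if i and f in RTYPES)
        records[(name.lower(), fields[idx])].append(fields[idx + 1:])
    return records


def check_zone(records, zone, hosts):
    """Return the problems found; an empty list means every dependency resolves."""
    zone = zone.rstrip(".").lower() + "."
    a_names = {name for name, rtype in records if rtype == "A"}
    problems = [f"no A record for {h}.{zone}" for h in hosts if f"{h}.{zone}" not in a_names]
    mx = records.get((zone, "MX"), [])
    if not mx:
        problems.append("no MX record: mail clients cannot find the mail server")
    problems += [f"MX exchange {ex} has no A record" for _p, ex in mx if ex.lower() not in a_names]
    if not records.get((f"_ldap._tcp.dc._msdcs.{zone}", "SRV")):
        problems.append("no _ldap._tcp.dc._msdcs SRV record: clients cannot locate a DC")
    return problems
```

Running check_zone over SAMPLE_ZONE reports the missing ftp and mail A records and the dangling MX exchange; adding those two A records empties the list.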

Week 6

Process done: Then decided to use hMailServer, which is a free mail server for Windows.
Error that arose: NA
Learnt / Solution / Result: Learned how to configure the mail server and how the protocols used in a mail server work.

Process done: After configuring the mail server we chose Outlook 2007, which is available with the Office 2007 pack for Windows, and we tried to use Claws Mail for Ubuntu.
Error that arose: Success - No Error
Learnt / Solution / Result: Learned how to install and configure the mail client in the client systems.

Process done: Tried to send an email from one client to another.
Error that arose: Came up with an error that the mail server is not found.
Learnt / Solution / Result: In order to solve it we created a DNS zone in the server for the mail server with a mail exchanger in it.

Process done: After creating the DNS zone we tried to send a mail from client to client.
Error that arose: Came up with an error saying unable to contact SMTP server.
Learnt / Solution / Result: In order to solve it we changed the SMTP settings in the client. We ticked the option that authentication is necessary, and the username and password were given in it.

Process done: After doing the correction we again tried to send a mail.
Error that arose: Success - No Error
Learnt / Solution / Result: Learned how to solve errors in the mail client.

Process done: After finalizing everything we checked everything together one after another.
Error that arose: Success - No Error (had minor errors which were corrected at the same time)
Learnt / Solution / Result: Learned how to connect an Ubuntu client to the server with various functionalities and with the help of third-party software.

Reflective Report
Individual Report
My part of this project includes
Mail Server
FTP Server
Backup Server
Web Server
Remote Access
Modifications that may be required
In my personal view of this project, there are some things that could be changed and upgraded to have
a high-performance and highly secured network.
Mail Server: For the mail server I am currently using hMailServer, which is a free mail server
software for Windows. But personally I have an idea of using Microsoft Exchange 2010 for the mail server.
Although it may look complicated to configure, it may suit our organization best because of the
advantages it has. It has a facility of integrating with Active Directory in the network so that the
usernames in Active Directory are allotted an e-mail ID for communication purposes. Other than that
we can allocate space limits for each and every user. We can make different mailboxes for different
users with different limits. We can restrict the users' attachment type and attachment limit. This could
greatly help in utilizing the space of the mail server. This could also help the remote users to check their
mail without using their client software by using Microsoft Outlook Web Access (OWA). Moreover,
considering the network for the next 5 years, the mail server will not have any problems but will require
much human assistance even for creating an email ID.
FTP Server: The FTP server we currently use is a normal unsecured FTP server. This has been designed
keeping in mind that the company network may be connected on an intranet connection. But this
connection could be upgraded to an FTPS secure site for each department, and some folder restrictions
could be applied for all the users so that the user will be accessing only their site and only their folder in
the accessed site. This will help us to maintain privacy and to restrict unauthorized access.
Backup Server: The backup server that is currently designed in this project uses the Windows Server
Backup features. But we may use some third-party software, preferably Symantec Backup software, and a
high-performance backup server with high-quality hardware like a Dell PowerEdge server connected to a
maximum-storage tape drive. In Windows Server Backup we could do only full backups. But third-party
software may allow us to do incremental, differential and even hybrid backups. This will also allow us
to have a backup in different file formats. After backup, the storage drive may be stored in an offsite
location.
It is also preferred to use some cloud service that offers online backup. The backup could be done
directly from the backup server, so that one more copy of the backup is present online and
could be restored at any point of time. Moreover, the cloud services have multiple copies of the backup
so that the data will not be lost in any kind of disaster.
Web Server: The web server part could also be developed using some .NET features, and the site could
be published as a secured page using SSL, so that the URL becomes https://www.klhl.com. By using a
secured site hacking becomes difficult, and the data that is transferred online will be encrypted and
secured. The site needs to be more secure because there are going to be online purchases on the website.
Remote Access: In this project remote access to the server is achieved in two ways.
VPN: VPN access could be restricted to the staff by creating a group and adding users to
it, so that the staff who really have the need to access the server will be enabled access, and the
performance of the server will be good, because many users are connected to the network but
not using it properly, and this could be restricted.
Remote Access: Remote access is currently given only to the IT department users
for troubleshooting purposes. But some of the managers and Finance department staff will also
require direct access to the server for security and for convenient access to the files on the
server. So in order to solve it we can use the Remote Desktop Services that are offered by Server
2008 R2. This enables us to give a personalized desktop by using the Remote Desktop Virtualization
Host, and also enables us to give Remote Web Access.
Things Learnt
Through this project many things have been learnt. Some of them are:
Importance of DNS & its working
Active Directory and its Working
Web server Configuration
How to configure an FTP site and how it Works
How to integrate Ubuntu into an Active Directory
How to enable other user login in the Ubuntu 12.04
There are many other things that have been learned via this project. This project gave me a great scope
for learning about Windows and Ubuntu. There were many problems that took place during the project.
All the problems that took place and the things that I managed to cope with are clearly mentioned in the logbook.
Conclusion
The network that has been designed now will be working perfectly for the next 5 years. But if the
recommended software and hardware are added, this network will be a highly performing
and highly secured network. Normally, based on their success, hypermarkets will increase the
number of branches they have. If the number of branches increases, the needs will also increase
and will then require additional usage. So in order to cope, the network resources have to be
increased.