
Exercise 1: Implementing security policies for accounts, passwords, and administrative groups
Scenario
A. Datum management has indicated that it is important that all management processes are as secure as
possible, to help prevent a security breach. The company’s security and management teams have
identified its business requirements with respect to account logons and password security. In this
exercise, you will define and implement the Group Policy settings to meet the company’s requirements.

Supporting documentation
A. Datum GPO strategy proposal
Requirements overview
A. Datum has identified the following requirements regarding account logon and password policies:
• All users must use a password that is at least eight characters long. For IT administrators, the minimum length must be 10 characters.
• Passwords for all users must be complex and stored securely.
• All users, except IT administrators, must change their password every 60 days or less.
• IT administrators must change their password every 30 days or less.
• If users enter the wrong password more than five times within 20 minutes, their accounts must be locked. For normal users, accounts are unlocked automatically after one hour.
• For IT administrators, accounts must be locked after three incorrect password attempts. IT administrator accounts are never unlocked automatically; an administrator must unlock the account. IT administrator accounts include all members of the IT group and the Domain Admins group.
• No user should be able to reuse any of their 10 most recent passwords.
• The membership list for the local Administrators group on all member servers must be limited to only the local Administrator account, the Domain Admins group, and the IT group.
• The Domain Admins group must include only the Administrator account.
• The Enterprise Admins and Schema Admins groups must be empty during normal operations. Users must be added explicitly to these groups only when they need to perform tasks that require this level of administrative rights.
• Other built-in groups, such as Account Operators and Server Operators, should contain no members. If users are added to one of these groups, they should be removed from the group automatically.
• All changes made to user objects and security groups in AD DS must be audited.

Proposals
List the settings that you must configure to meet A. Datum’s requirements regarding
password policies and account lockout.
Setting                                    | Configuration for all users | Configuration for IT administrators
-------------------------------------------|-----------------------------|------------------------------------
Enforce password history                   |                             |
Maximum password age                       |                             |
Minimum password age                       |                             |
Minimum password length                    |                             |
Passwords must meet complexity requirements|                             |
Store password using reversible encryption |                             |
Account lockout duration                   |                             |
Account lockout threshold                  |                             |
Reset account lockout counter after        |                             |

1. How can you configure different password and account lockout settings for IT administrators than for regular users?
2. How can you identify which accounts count as IT administrators for the purpose of the more restrictive password and account lockout settings?
3. How can you meet the requirement to limit the membership list for the local Administrators group on all member servers to only the local Administrator account, the Domain Admins group, and the IT group?
4. How can you meet the requirement that the Domain Admins group must include only the Administrator account, and that the Enterprise Admins and Schema Admins groups must be empty during normal operations?
5. How can you meet the requirement that other built-in groups, such as Account Operators and Server Operators, must not contain members?
6. How can you meet the requirement that you must audit all changes to AD DS?

The main tasks for this exercise are as follows:
1. Identify the required settings.
2. Configure password settings for all users.
3. Configure a PSO for IT administrators.
4. Implement administrative security policies.
5. Implement administrative auditing.

Task 1: Identify the required settings
1. Read the documentation provided.
2. Fill in the table of settings according to the requirements of A. Datum Corporation.
3. Answer the additional questions from the proposals document.


Lab Answer Key
Exercise 1: Implementing security policies for accounts, passwords, and administrative groups
Task 1: Identify the required settings
1. Read the documentation provided.
2. Fill in the table of settings according to the requirements of A. Datum Corporation.

Setting                                    | Configuration for all users | Configuration for IT administrators
-------------------------------------------|-----------------------------|------------------------------------
Enforce password history                   | 10                          | 10
Maximum password age                       | 60 days                     | 30 days
Minimum password age                       | 1 day                       | 1 day
Minimum password length                    | 8 characters                | 10 characters
Passwords must meet complexity requirements| True                        | True
Store password using reversible encryption | False                       | False
Account lockout duration                   | 1 hour                      | Administrator must unlock
Account lockout threshold                  | 5                           | 3
Reset account lockout counter after        | 20 minutes                  | 20 minutes

3. Answer the additional questions from the proposals document.

o How can you configure different password and account lockout settings for IT administrators than for regular users?

Answer: Use the Default Domain Policy, which applies to all users, and create a fine-grained password policy object that applies only to the required administrative groups.

o How can you identify which accounts count as IT administrators for the purpose of the more restrictive password and account lockout settings?

Answer: The administrative password and account lockout settings should apply to the IT group and the Domain Admins group.
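The two columns of the answer-key table, and the answers to questions 1 and 2, applied with the ActiveDirectory PowerShell module. This is an added example, not part of the lab, which has you set the same values in the Default Domain Policy GPO and in Active Directory Administrative Center. The domain name adatum.com, the PSO name, and the user name used in the final check are assumptions; the encoding of the "administrator must unlock" lockout duration is labelled as an assumption in the code.

```powershell
# Added example (not part of the lab). Requires the ActiveDirectory module (RSAT)
# and Domain Admins rights. adatum.com and the names below are assumed.
Import-Module ActiveDirectory

$domain      = 'adatum.com'              # assumed domain name
$psoName     = 'IT-Administrators-PSO'   # assumed PSO name
$psoSubjects = @('IT', 'Domain Admins')  # the groups the lab defines as IT administrators

# 1. Domain-wide settings (the "all users" column). These live on the domain object.
#    The lab sets them through the Default Domain Policy GPO, which re-applies its own
#    values on refresh, so in the lab edit the GPO rather than running this step.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -PasswordHistoryCount 10 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20) `
    -LockoutDuration (New-TimeSpan -Hours 1)

# 2. Fine-grained password policy (the "IT administrators" column).
#    Lockout duration must be >= the observation window, so it is created with
#    20 minutes and switched to "administrator must unlock" below.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -PasswordHistoryCount 10 `
        -MaxPasswordAge (New-TimeSpan -Days 30) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 10 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 3 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 20) `
        -LockoutDuration (New-TimeSpan -Minutes 20)
}

# "An administrator must unlock the account" is the ADAC option "until an administrator
# manually unlocks". ASSUMPTION: the stored value for that option is the same "never"
# sentinel (0x8000000000000000, i.e. [Int64]::MinValue) that msDS-MaximumPasswordAge
# uses for "never expires". If your forest rejects it, choose the option in ADAC instead.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName
Set-ADObject -Identity $pso.DistinguishedName -Replace @{ 'msDS-LockoutDuration' = [Int64]::MinValue }

# 3. Apply the PSO to the IT and Domain Admins groups (question 2).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $psoSubjects

# 4. Verify. The resultant policy for a member of IT must be the PSO; for a regular
#    user it is $null, meaning the domain-wide settings apply.
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, AppliesTo
Get-ADUserResultantPasswordPolicy -Identity 'ITAdmin01'   # assumed sAMAccountName of an IT member
```

Get-ADUserResultantPasswordPolicy is the quickest way to prove the precedence is right: run it once for an IT member and once for a regular user, and check that only the first returns the PSO. If the "never unlock" value is stored correctly, Get-ADFineGrainedPasswordPolicy shows LockoutDuration as the maximum TimeSpan rather than 20 minutes.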

o How can you meet the requirement to limit the membership list for the local Administrators group on all member servers to only the local Administrator account, the Domain Admins group, and the IT group?

Answer: Ensure that all domain member servers are in the same OU hierarchy. Link a GPO to that OU, and then use the Restricted Groups feature to forcefully restrict the local Administrators group to contain only the local Administrator account, the Domain Admins group, and the IT group.

o How can you meet the requirement that the Domain Admins group must include only the Administrator account, and that the Enterprise Admins and Schema Admins groups must be empty during normal operations?

Answer: You cannot configure groups other than local groups with the Restricted Groups feature. For Domain Admins, Enterprise Admins, and Schema Admins, you must configure the group membership manually and audit their changes.

o How can you meet the requirement that other built-in groups, such as Account Operators and Server Operators, must not contain members?

Answer: Use the Restricted Groups feature.
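A membership check for the groups named in questions 3 to 5, as an added example that is not part of the lab. Restricted Groups enforces the local Administrators, Account Operators and Server Operators membership on refresh, and Domain, Enterprise and Schema Admins are maintained by hand, so a scheduled report like this is how an administrator sees drift between refreshes. The allowed-member lists come from the requirements overview; the server name LON-SVR1 and the script file name are assumptions.

```powershell
# Added example (not part of the lab). Save as Check-PrivilegedGroups.ps1 and run from
# the forest root domain with rights to read (and, with -Remove, change) group membership.
param([switch]$Remove)   # default is report only; -Remove also removes disallowed members

Import-Module ActiveDirectory

# Allowed direct members per group, taken from the requirements overview.
$allowed = @{
    'Domain Admins'     = @('Administrator')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Account Operators' = @()
    'Server Operators'  = @()
}

function Get-DisallowedGroupMembers {
    param([hashtable]$Policy)
    foreach ($group in $Policy.Keys) {
        # Direct members only; nested groups show up as one finding of class "group".
        foreach ($m in (Get-ADGroupMember -Identity $group)) {
            if ($Policy[$group] -notcontains $m.SamAccountName) {
                [pscustomobject]@{
                    Group  = $group
                    Member = $m.SamAccountName
                    Class  = $m.objectClass
                    DN     = $m.distinguishedName
                }
            }
        }
    }
}

$findings = @(Get-DisallowedGroupMembers -Policy $allowed)
if ($findings.Count -eq 0) {
    Write-Output 'All privileged domain groups match the required membership.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remove) {
        foreach ($f in $findings) {
            Remove-ADGroupMember -Identity $f.Group -Members $f.DN -Confirm:$false
        }
    }
}

# Question 3: confirm what Restricted Groups left in the local Administrators group
# on one member server. LON-SVR1 is an assumed server name.
Invoke-Command -ComputerName 'LON-SVR1' -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}
```

Run it without -Remove from a scheduled task and forward the findings to the team that owns the groups; Restricted Groups already performs the automatic removal for the two Operators groups, and for the three Admins groups the lab's answer is manual maintenance plus auditing, which the next task covers.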

o How can you meet the requirement that you must audit all changes to users or groups in Active Directory Domain Services (AD DS)?

Answer: Configure advanced audit policies to audit directory service changes.
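The audit subcategories behind that answer, and a query for the events they produce, as an added example that is not part of the lab. auditpol changes the effective policy only on the domain controller it runs on; in the lab the same subcategories are enabled in the Default Domain Controllers Policy under Advanced Audit Policy Configuration, which overrides the local setting on refresh, so treat the auditpol lines as a way to test and inspect, not as the deployment method. The event IDs are the standard Windows Security log IDs.

```powershell
# Added example (not part of the lab). Run elevated on a domain controller.

# Subcategories that cover user and group changes in AD DS.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Show the effective settings for the two categories those subcategories belong to.
auditpol /get /category:"DS Access"
auditpol /get /category:"Account Management"

# Events the requirement asks for, from the last 24 hours:
#   4720 user created, 4726 user deleted, 4738 user account changed
#   4728 / 4732 / 4756 member added to a global / local / universal security group
#   4729 / 4733 / 4757 member removed from a global / local / universal security group
#   5136 directory service object modified (needs a SACL on the object; the default
#        SACL on the domain partition covers the usual user and group attributes)
$ids = 4720, 4726, 4738, 4728, 4732, 4756, 4729, 4733, 4757, 5136

function Get-DirectoryChangeEvents {
    param([int[]]$Id, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-DirectoryChangeEvents -Id $ids -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

Taken together with the membership report in the previous task, the group-management events (4728 to 4757) give the "audit their changes" half of the answer for Domain, Enterprise and Schema Admins: every addition to those groups is written to the Security log on the domain controller that handled it, so forward that log to a central collector rather than relying on one DC's local copy.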
