This lab prepares you to plan the design and deployment of security templates by meeting the following objectives:
This lab looks at the planning that Contoso Ltd. must do to ensure consistent security configuration for all Windows 2000–based computers by using security templates to define baseline security for a class of computers on its network.
Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on building your administrative structure.
Contoso Ltd., an international magazine sales company, wants to ensure consistent security configuration of its Windows 2000–based computers by deploying security templates based on the function a computer provides on the network. The consistent security configuration will be deployed by using a combination of Group Policy (for domain members) and scheduled tasks (for workgroup members).
The following table describes the types of Windows 2000–based computers in use on the Contoso corporate network.
| Computer Type | Numbers and Locations |
| --- | --- |
| Domain controllers (DCs) | Eight DCs exist at the London location. There are two DCs for each of the four domains: contoso.tld, seattle.contoso.tld, lima.contoso.tld, and london.contoso.tld. The four Primary Domain Controller (PDC) emulators at the London office are upgraded Windows NT 4.0 PDCs. Three DCs for the seattle.contoso.tld domain are located at the Seattle office. Two DCs for the lima.contoso.tld domain are located at the Lima office. |
| File and print servers | There are two file and print servers at the London office that are members of the london.contoso.tld domain. There are two file and print servers at the Seattle office that are members of the seattle.contoso.tld domain. There are two file and print servers at the Lima office that are members of the lima.contoso.tld domain. |
| Mail servers | There are two Exchange 5.5 mail servers at the London office. One mail server functions as the Internet mail gateway and is a member of the contoso.tld domain. The second mail server hosts the mailboxes for all users at the London office and is a member of the london.contoso.tld domain. There is one Exchange 5.5 mail server at the Seattle office that hosts mailboxes for the Seattle users. This mail server is a member of the seattle.contoso.tld domain. There is one Exchange 5.5 mail server at the Lima office that hosts mailboxes for the Lima users. This mail server is a member of the lima.contoso.tld domain. |
| Terminal servers | There is a single terminal server deployed at each of the three offices. The terminal server in each office is a Windows 2000 member server in the domain. |
| Web servers | At the London office, there are two Web servers that host the contoso.tld external Web site. |
| Sales Force Operations | The London office hosts two servers that function as the servers for the Sales Force Operations application. These servers are members of the contoso.tld domain and store all data related to the Sales Force Operations application in a custom database. |
The Contoso network has a mix of computers on the corporate network. Each office has Windows 2000, Windows NT 4.0, Windows 98, and Windows for Workgroups 3.11 client computers. The following table shows the statistics on operating systems at each office.
| Office | Client Computers |
| --- | --- |
| London | 400 Windows 2000 Professional desktops (new installations); 200 Windows 2000 Professional clients (upgraded from Windows NT 4.0); 100 Windows 2000 Professional clients (upgraded from Windows 98); 200 Windows NT 4.0 Workstation clients; 100 Windows 98 clients; 250 Windows 2000 Professional mobile laptop salespeople |
| Seattle | 400 Windows 2000 Professional clients (new installations); 300 Windows 2000 Professional clients (upgraded from Windows NT 4.0); 300 Windows 98 clients; 400 Windows 2000 Professional mobile laptop salespeople |
| Lima | 200 Windows 2000 Professional clients (new installations); 200 Windows 2000 Professional clients (upgraded from Windows NT 4.0); 200 Windows 2000 Professional clients (upgraded from Windows 98); 100 Windows NT 4.0 Workstation clients; 75 Windows 98 clients; 10 Windows for Workgroups 3.11 clients; 100 Windows 2000 Professional mobile laptop salespeople |
In addition, each office has 20 Wyse Winterm terminal services clients installed on the shop floor. These Winterm clients connect to the terminal server located at their office.
The remote sales force uses a custom software application to synchronize the salesperson's client database with the central database on the sales force operations servers. The salespeople will connect first thing in the morning to ensure that they have the latest client information and the current pricing information for today.
The Contoso network team has developed the following security requirements for Windows 2000–based computers:
Figure 8.11 Default folder structure for Contoso's file and print servers
The parameter settings that need to be added are EnableSSL (REG_BINARY) and SSLPort (REG_DWORD).
This exercise looks at the computer classes that Contoso will need to develop for their network security plan to ensure that security requirements are met for all computers. The exercise also determines which security template must initially be deployed to ensure that Windows 2000 default security is deployed to all Windows 2000–based computers. Answers to these questions can be found in the appendix.
Complete the following table with your proposed computer classifications for servers and the total number of computers that will require the template applied.
| Server Classification | Total # of Computers |
| --- | --- |
Complete the following table to indicate which security templates must be used to ensure that the default Windows 2000 security settings are applied to all Windows 2000–based computers. Indicate whether the template is applied automatically or must be applied manually.
| Computer Type | Template | Installation Method |
| --- | --- | --- |
| DCs (Windows NT 4.0 upgrades) | | |
| DCs (new installations) | | |
| Mail servers (new installations) | | |
| Client computers (new installations) | | |
| Client computers (upgrades from Windows NT 4.0) | | |
| Client computers (upgrades from Windows 98) | | |
This exercise has you identify which incremental security templates you must deploy to fulfill Contoso's security requirements. The exercise also discusses the custom configuration that will be required to extend the security templates to allow the application of settings for the Sales Force Operations application.
The following section identifies which incremental security templates you may use for configuring Windows 2000 computer security for Contoso. Answers to the questions can be found in the appendix.
The following section looks at the customization of security templates that are required for each classification of computer on the Contoso network. Answers to the questions can be found in the appendix.
The following questions involve the steps needed to extend security templates to include settings for the Sales Force Operations application. Answers to the questions can be found in the appendix.
The following exercise helps you determine the best way to deploy the security templates in the Contoso network. Answers to the questions can be found in the appendix.