Lab 8-1: Planning Security Templates

Lab Objectives

This lab prepares you to plan the design and deployment of security templates by meeting the following objectives:

  • Identify computer roles on the network
  • Determine which standard security templates can be used in a given situation
  • Design custom security templates
  • Plan the deployment of security templates in workgroup and domain environments

About this Lab

This lab looks at the planning that Contoso Ltd. must do to ensure consistent security configuration for all Windows 2000–based computers by using security templates to define baseline security for a class of computers on its network.

Before You Begin

Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on building your administrative structure.

Scenario: Contoso Ltd.

Contoso Ltd., an international magazine sales company, wants to ensure consistent security configuration of its Windows 2000–based computers by deploying security templates based on the function a computer provides on the network. The consistent security configuration will be deployed by using a combination of Group Policy (for domain members) and scheduled tasks (for workgroup members).

Windows 2000–based Computer Deployment

The following table describes the types of Windows 2000–based computers in use on the Contoso corporate network.

Computer Type | Numbers and Locations

DCs

Eight DCs exist at the London location. There are two DCs for each of the four domains: contoso.tld, seattle.contoso.tld, lima.contoso.tld, and london.contoso.tld. The four Primary Domain Controller (PDC) emulators at the London office are upgraded Windows NT 4.0 PDCs.

Three DCs for the seattle.contoso.tld domain are located at the Seattle office.

Two DCs for the lima.contoso.tld domain are located at the Lima office.

File and print servers

There are two file and print servers at the London office that are members of the london.contoso.tld domain.

There are two file and print servers at the Seattle office that are members of the seattle.contoso.tld domain.

There are two file and print servers at the Lima office that are members of the lima.contoso.tld domain.

Mail servers

There are two Exchange 5.5 mail servers at the London office. One mail server functions as the Internet mail gateway and is a member of the contoso.tld domain. The second mail server hosts the mailboxes for all users at the London office and is a member of the london.contoso.tld domain.

There is one Exchange 5.5 mail server at the Seattle office that hosts mailboxes for the Seattle users. This mail server is a member of the seattle.contoso.tld domain.

There is one Exchange 5.5 mail server at the Lima office that hosts mailboxes for the Lima users. This mail server is a member of the lima.contoso.tld domain.

Terminal servers

There is a single terminal server deployed at each of the three offices. The terminal server in each office is a Windows 2000 member server in the domain.

Web servers

At the London office, there are two Web servers that host the contoso.tld external Web site.

Sales Force Operations servers

The London office hosts two servers that function as the Sales Force Operations application servers. These servers are members of the contoso.tld domain and store all data related to the Sales Force Operations application in a custom database.

Client Computer Details

The Contoso network has a mix of computers on the corporate network. Each office has Windows 2000, Windows NT 4.0, Windows 98, and Windows for Workgroups 3.11 client computers. The following table shows the statistics on operating systems at each office.

Location | Client Computers

London
  • 400 Windows 2000 Professional desktops (new installations)
  • 200 Windows 2000 Professional clients (upgraded from Windows NT 4.0)
  • 100 Windows 2000 Professional clients (upgraded from Windows 98)
  • 200 Windows NT 4.0 Workstation clients
  • 100 Windows 98 clients
  • 250 Windows 2000 Professional mobile laptop salespeople

Seattle
  • 400 Windows 2000 Professional clients (new installations)
  • 300 Windows 2000 Professional clients (upgraded from Windows NT 4.0)
  • 300 Windows 98 clients
  • 400 Windows 2000 Professional mobile laptop salespeople

Lima
  • 200 Windows 2000 Professional clients (new installations)
  • 200 Windows 2000 Professional clients (upgraded from Windows NT 4.0)
  • 200 Windows 2000 Professional clients (upgraded from Windows 98)
  • 100 Windows NT 4.0 Workstation clients
  • 75 Windows 98 clients
  • 10 Windows for Workgroups 3.11 clients
  • 100 Windows 2000 Professional mobile laptop salespeople

In addition, each office has 20 Wyse Winterm terminal services clients installed on the shop floor. These Winterm clients connect to the terminal server located at their office.

The Sales Force Operations Software

The remote sales force uses a custom software application to synchronize the salesperson's client database with the central database on the sales force operations servers. The salespeople will connect first thing in the morning to ensure that they have the latest client information and the current pricing information for today.

Security Requirements

The Contoso network team has developed the following security requirements for Windows 2000–based computers:

  • All Windows 2000–based computers must be deployed initially with Windows 2000 default security.
  • The DCs for each of the three domains must ensure that passwords are eight characters in length and complex.
  • The DCs must audit all account management and logon attempts, whether they're successful or unsuccessful.
  • File and print servers will have a common folder structure deployed on each computer's D drive. This folder structure will make it easier to configure NTFS permissions by using security templates. The folder structure is shown in Figure 8.11.

    Figure 8.11 Default folder structure for Contoso's file and print servers

  • The Web servers will host both internal and externally available data. You must configure NTFS permissions to ensure that only authenticated users are able to access internal data.
  • All terminal server access must be based on the individual user accounts. A user should be allowed to connect to the server only if the user, or a group that the user belongs to, is directly assigned permissions to a resource.
  • The Sales Force Operations servers require the periodic modification of specific registry entries. These registry settings enable SSL encryption for the Sales Force Operations application. The two registry values that must be configured are located in the following registry location:

     HKEY_LOCAL_MACHINE\Software\Contoso\SFO\Parameters\

    The parameter settings that need to be added are:

     EnableSSL: REG_BINARY
     SSLPort: REG_DWORD

  • Contoso needs to support Windows 98, Windows NT 4.0, and Windows 2000 client computers on the network for a long time. Contoso wants to implement the strongest form of security without excluding the down-level clients from the network.
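The password, audit and registry requirements above each map to a section of a Windows 2000 security template (.inf), and the Sales Force Operations values additionally need an entry in Sceregvl.inf before they show up under Security Options. The following Python script is an added example, not code from the training kit or from Contoso: it parses template text, checks a DC template against the password and audit requirements, and cross-checks the two SFO registry values between the SFO template and a Sceregvl.inf fragment. The sample templates, the display strings in [Strings], the REG_BINARY data encoding and the port number 443 are all constructed assumptions.

```python
"""Pre-deployment checks for Contoso's security templates (added example, not
from the training kit). Parses .inf template text, checks the DC template
against the password and audit requirements, and confirms the SFO registry
values are set by the SFO template and registered in Sceregvl.inf."""

AUDIT_BOTH = "3"               # [Event Audit]: 1 = success, 2 = failure, 3 = both
REG_BINARY, REG_DWORD = 3, 4   # registry type codes used by templates and Sceregvl.inf
SFO_PATH = "MACHINE\\Software\\Contoso\\SFO\\Parameters\\"
SFO_VALUES = {SFO_PATH + "EnableSSL": REG_BINARY, SFO_PATH + "SSLPort": REG_DWORD}

# Constructed DC template (a real template also carries [Unicode] and [Version]).
CONTOSO_DC_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditAccountManage = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
"""

# Constructed SFO template; [Registry Values] lines are <path>=<type>,<data>.
# The REG_BINARY data encoding and port 443 are assumptions.
CONTOSO_SFO_TEMPLATE = """\
[Registry Values]
MACHINE\\Software\\Contoso\\SFO\\Parameters\\EnableSSL=3,01
MACHINE\\Software\\Contoso\\SFO\\Parameters\\SSLPort=4,443
"""

# Constructed Sceregvl.inf fragment; each line is
# <path>,<type>,<display name>,<display type> (0 = Boolean, 1 = number),
# and %names% resolve to [Strings] entries. The display strings are assumptions.
CONTOSO_SCEREGVL = """\
[Register Registry Values]
MACHINE\\Software\\Contoso\\SFO\\Parameters\\EnableSSL,3,%EnableSSL%,0
MACHINE\\Software\\Contoso\\SFO\\Parameters\\SSLPort,4,%SSLPort%,1
[Strings]
EnableSSL="Sales Force Operations: Enable SSL encryption"
SSLPort="Sales Force Operations: SSL port number"
"""

def parse_inf(text):
    """Split .inf text into {section name: [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def key_values(lines):
    # 'key = value' lines to a dict; keys keep their case
    pairs = {}
    for line in lines:
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs

def check_dc_requirements(template_text):
    """Return findings for the DC password and audit requirements ([] = OK)."""
    sections = parse_inf(template_text)
    findings = []
    access = key_values(sections.get("System Access", []))
    if int(access.get("MinimumPasswordLength", "0")) < 8:
        findings.append("MinimumPasswordLength must be at least 8")
    if access.get("PasswordComplexity") != "1":
        findings.append("PasswordComplexity must be 1 (enabled)")
    audit = key_values(sections.get("Event Audit", []))
    # AuditAccountLogon covers the authentication a DC performs for other computers.
    for setting in ("AuditAccountManage", "AuditLogonEvents", "AuditAccountLogon"):
        if audit.get(setting) != AUDIT_BOTH:
            findings.append(f"{setting} must be 3 (success and failure)")
    return findings

def check_sfo_registry(template_text, sceregvl_text):
    """Findings if an SFO value is missing or mistyped in the template, not
    registered in Sceregvl.inf, or has no [Strings] display name ([] = OK)."""
    set_values = key_values(parse_inf(template_text).get("Registry Values", []))
    reg = parse_inf(sceregvl_text)
    registered = {}
    for line in reg.get("Register Registry Values", []):
        path, reg_type, display = line.split(",")[:3]
        registered[path] = (int(reg_type), display.strip("%"))
    strings = key_values(reg.get("Strings", []))
    findings = []
    for path, reg_type in SFO_VALUES.items():
        if path not in set_values:
            findings.append(f"template does not set {path}")
        elif int(set_values[path].split(",")[0]) != reg_type:
            findings.append(f"wrong registry type for {path}")
        if path not in registered:
            findings.append(f"{path} is not in [Register Registry Values]")
        elif registered[path][1] not in strings:
            findings.append(f"no [Strings] entry for %{registered[path][1]}%")
    return findings

if __name__ == "__main__":
    print("DC template:", check_dc_requirements(CONTOSO_DC_TEMPLATE) or "OK")
    print("SFO registry:", check_sfo_registry(CONTOSO_SFO_TEMPLATE, CONTOSO_SCEREGVL) or "OK")
```

Two caveats the checks do not cover: after Sceregvl.inf (in %SystemRoot%\Inf) is edited, scecli.dll has to be re-registered with regsvr32 before the new entries appear in Security Options, and on workgroup members the template still has to be applied by a scheduled task running secedit /configure with a database, the template and a log path, since no Group Policy object reaches them.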

Exercise 1: Determining Computer Classifications

This exercise looks at the computer classes that Contoso will need to develop for its network security plan to ensure that security requirements are met for all computers. The exercise also determines which security template must initially be deployed to ensure that Windows 2000 default security is applied to all Windows 2000–based computers. Answers to these questions can be found in the appendix.

  1. Complete the following table with your proposed computer classifications for servers and the total number of computers that will require the template applied.

    Server Classification | Total # of Computers

  2. Complete the following table to indicate which security templates must be used to ensure that the default Windows 2000 security settings are applied to all Windows 2000–based computers. Indicate whether the template is applied automatically or must be applied manually.

    Computer Type | Template | Installation Method
    DCs (Windows NT 4.0 upgrades) | |
    DCs (new installations) | |
    Mail servers (new installations) | |
    Client computers (new installations) | |
    Client computers (upgrades from Windows NT 4.0) | |
    Client computers (upgrades from Windows 98) | |


Exercise 2: Developing Custom Security Templates

This exercise has you identify which incremental security templates you must deploy to fulfill Contoso's security requirements. The exercise also discusses the custom configuration that will be required to extend the security templates to allow the application of settings for the Sales Force Operations application.

Determining Incremental Template Requirements

The following section identifies which incremental security templates you may use for configuring Windows 2000 computer security for Contoso. Answers to the questions can be found in the appendix.

  1. Can you apply the High Security incremental security template to the Windows 2000–based computers at Contoso?


  2. What incremental template can you apply to all Windows 2000–based computers to increase security over the default levels?


  3. Which security template requires individual user and group membership to be used for securing terminal services access?


Designing Custom Templates for Server Classifications

The following section looks at the customization of security templates that are required for each classification of computer on the Contoso network. Answers to the questions can be found in the appendix.

  1. How many security templates must be configured to meet DC security requirements?


  2. What settings must be included in the DC's security template to meet Contoso's password security requirements?


  3. Where would you apply the security template to ensure that all DCs enforce the password settings?


  4. What settings must be included in the DC's security template to meet Contoso's audit security requirements?


  5. Where would you apply the security template to ensure that all DCs enforce the audit settings?


  6. Is it possible to create a security template to secure the file and print server folder structure shown in Figure 8.11?


Extending the Security Configuration Tool Set to Support the Sales Force Operations Application

The following questions involve the steps needed to extend security templates to include settings for the Sales Force Operations application. Answers to the questions can be found in the appendix.

  1. Does the Security Configuration Tool Set currently have entries for the Sales Force Operations software within Security Options?


  2. How can you extend the Security Configuration Tool Set to include the required registry settings?


  3. What values must you add to the [Register Registry Values] section?


  4. What values must you add to the [Strings] section?


  5. Once the Sceregvl.inf file is edited, what must you do?



Exercise 3: Planning Deployment of the Security Templates

The following exercise helps you determine the best way to deploy the security templates in the Contoso network. Answers to the questions can be found in the appendix.

  1. What security templates can you apply by importing the security templates into Group Policy objects?


  2. Draw an OU structure that supports the deployment of security templates by importing the security templates into Group Policy objects.


  3. What method can you use to ensure that the security template for Web servers is deployed to the Web servers?





Microsoft Corporation, MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security (IT-Training Kits)
ISBN: 0735611343
Year: 2001
Pages: 172
