System Management Assignment

Name: Daniel Maher

Table of Contents
System Management Assignment
Task A.1
  Downloading the ISO
  Burning the ISO Image to Disc
  Install Windows AIK
  Building an Answer File
    Windows System Image Manager
    Answer Files
    Add and Configure Windows Settings
    Create and Modify Partitions
    Reseal
    Setup UI Language
    InstallTo
    User Data
    OOBE
    Internet Explorer
    Validate and Save Settings
  Building a Reference Installation
  Creating Bootable Windows PE Media
  Capturing the Installation onto a Network Share
    Setting up a network share
    Capturing the installation onto a Network Share
  Deploying from a Network Share
    Partitioning the Disk
    Deploying the Windows Image from a Network Share
Task A2
  BitLocker Overview
Part B
Task A
  Creating a Virtual Machine
  Installing Windows Server 2008 R2 x64 Standard
  Installing Windows Server 2008 R2 x64 Standard Core
  Cloning a Virtual Machine in VMWare Workstation
  Creating and Cloning the Windows 7 Client Virtual Machine
  Changing Computer Name
    Windows Server 2008 Full
    Windows Server 2008 Core
    Windows 7
  Giving all machines a static IP address
    Windows Server 2008 R2 Full
    Windows Server 2008 Core
    Windows 7
Task B
  Server1
    Disable IPv6
    Setup a Domain Controller
  Client1
    Set DNS Server
    Join MSCCONV.IPA Domain
  Server2
  MS-CORE
    Active Directory Domain Services Overview
TASK C
  Install 2 additional hard disks
  Mirror the operating system disk
  Create a Spanned Volume
Task D
  Create Organizational Units (OU)
  Creating a user via a TUI
    Advantages of using a TUI environment
  Creating Users
    Logon Hours
    Create Marketing and IT users
Task E
  Security Overview
    Prevent Users in Marketing (Sales) from being able to see the IT OU in Active Directory
    Allow users to logon to the Server
  Implement 3 Group Policies
    Forward my documents from Client2 to a folder on the root of C on Server2 called User_Docs
    Create Share
    Folder redirection in group policies
    Prevent Belfast from accessing the Control Panel. Exclude user13 from this policy
    Publish any MSI file of your choice from the C drive contents to all users in Dublin
    Create a Network Share
    MSI GPO
  Group Policy Overview
Task F
  DISM
  Configure MS-CORE for Windows Remote Administration
  Access MS-CORE from Client2 using remote desktop
Task G
  Install DHCP on Server2
    DHCP (Dynamic Host Configuration Protocol)
  Configure Client2 to obtain its address and TCP/IP settings from DHCP
  Disable DHCP services
    APIPA (Automatic Private IP Addressing)
Task H
  Decommission Server2 from the Active Directory System
References
Appendix

Task A.1
Downloading the ISO
The following section outlines how to install Microsoft Windows 7 using the Lite Touch Installation (LTI) method. Open a web browser and enter the URL:
http://www.microsoft.com/en-us/download/details.aspx?id=5753&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
This page directs you to download the ‘Windows Automated Installation Kit (AIK) for Windows 7’. Click the download button to download the ISO disc image. After you click the download button you will be faced with the web page as above. As the page says, the ISO image must be burned to a DVD.

Burning the ISO Image to Disc
The ISO file downloaded above has to be burned to a DVD. The steps to do this will be shown as follows. Open an Internet browser (e.g. Internet Explorer), and navigate to:
https://ninite.com
Ninite is a web site that allows you to download and install multiple computer applications at once. Scroll down the web page.
Under the utilities heading select ImgBurn. Then click Get Installer.
Now click Download installer. In Internet Explorer a prompt will appear asking you to Run or Save the application. Click Run to install the application immediately. After the installation has completed a shortcut icon for the ImgBurn application should appear on the desktop. Double click this to start the application.

After the application begins, you will see a menu as above. Click the option in the top left to ‘Write image file to disc’.
Now select the ISO image that you wish to burn to a DVD. To do this, click the folder icon beside where it says ‘Please select a file..’, as can be seen in the screenshot above.
Navigate the file system to where you saved the ISO downloaded earlier, select it and click Open.

Insert a DVD into your disc drive (ensure that your drive can write DVDs). Now click the icon highlighted above to begin burning the image to disc. When finished, you have the AIK ISO burned to a DVD.

Install Windows AIK
To install the Windows AIK, insert the DVD that you burned the ISO image to into your DVD drive. The setup program should start automatically. If it does not, open Windows Explorer and navigate to the DVD drive. Double click on the disc icon to begin the installation. When the above menu appears, select ‘Windows AIK Setup’.

After the installation starts you will be greeted by the installation menu as above. Click Next to proceed.

Agree to the terms of the licence and click Next to continue with the installation.

Next select the folder to install the program to. In the screenshot above the default installation location has been used. Click Next to continue.

The installation will then complete. Click Close to complete the installation.

Building an Answer File
Now it will be shown how to build an answer file, which is the first step in creating a custom installation. Insert your Windows 7 Enterprise Installation DVD into the computer. Click on the start menu and then click on Computer.

Right click on the DVD Drive, D above, and click Open. Double click and open the sources folder.

Find the install.wim file and copy it to another easily accessible location.

Windows System Image Manager
Open the start menu. Select All Programs and search for Microsoft Windows AIK. Click on Microsoft Windows AIK and then double click on Windows System Image Manager.

After Windows System Image Manager opens, click the File option in the menu and choose ‘Select Windows Image..’.

Select the install.wim file that you copied to your computer earlier and click Open to continue. Windows will now prompt you to create a catalogue file. You will need administrator privileges on your machine to do this.

When the catalogue file has been created, again select the File option in the menu and select ‘New Answer File…’.

An empty file should now appear in the Answer File pane as can be seen above.

Answer Files
An answer file is an XML-based file that contains definitions and values to use during Windows Setup. In an answer file you can specify various setup options, including how to partition disks and the product key to apply. You can also specify values that apply to the Windows installation, such as the names of user accounts (Microsoft Technet. 2014).

Add and Configure Windows Settings
To add Windows settings, find the Windows Image pane and expand the Components node to display available settings as can be seen below. It is important that you select the option appropriate for your CPU architecture, for example, x86 for 32-bit systems and amd64 for 64-bit systems. In this example, the system will be an amd64 system.

Create and Modify Partitions
Next expand Microsoft-Windows-Setup down to Create Partition as above.

Right click on Create Partition and click ‘Add Setting to Pass 1 windowsPE’. This then adds the settings for Create Partition to the answer file.

Now do the same with Modify Partition, that is, expand it, right click and select ‘Add Setting to Pass 1 windowsPE’.

As this installation will have two partitions, repeat the process, adding another Create Partition and another Modify Partition. The Answer File menu should now look as it does above. Now click on Disk and modify the properties in the properties menu. Set DiskID to 0 and WillWipeDisk to true.

Select the first of the Create Partition options. In the right pane, set Extend to true, Order to 1, Size to an appropriate size (here 60GB has been chosen) and finally set the partition Type to Primary. Set the second Create Partition next. Set Extend to false, Order to 2, and Type to Primary. Size is to be left blank. This partition will take the remaining disk space.

Next, click on the first ‘Modify Partition’ option. As above, set the Active setting to true, the partition Format to NTFS, Order to 1 and PartitionID to 1. Name the partition System in the Label option. Then click on the second Modify Partition option and set the Format to NTFS, name the partition Windows, set the Order to 2 and the PartitionID to 2.

Marking a partition as Active
An active partition is a partition on a hard drive set as the bootable partition that contains the operating system. On each hard drive only one partition can be set as an active partition. For example, when using Windows, the partition that contains Windows is the active partition (Computer Hope. 2014).

Reseal
Now navigate to Microsoft-Windows-Deployment\Reseal in the Windows Image pane as above. Right click on Reseal and click ‘Add Setting to Pass 7 oobeSystem’. In the Reseal properties window set the Force Shutdown Now option to false and set the Mode option to Audit.

Setup UI Language
In the Windows Image pane navigate to:

    Microsoft-Windows-International-Core-WinPE\SetupUILanguage

Right click on ‘SetupUILanguage’ and select ‘Add Setting to Pass 1 windowsPE’.

Click on ‘x86_Microsoft-Windows-International-Core-WinPE_neutral’ as highlighted above. Now set ‘InputLocale’, ‘SystemLocale’ and ‘UserLocale’ to a locale setting. Above, en-IRE is used for English-Ireland. Leave ‘UILanguage’ at en-US to avoid problems.

Now again click on ‘SetupUILanguage’. In the properties pane, set the ‘UILanguage’ option to the same option as used previously, in our case, en-IRE. Following this, set the ‘WillShowUI’ option to ‘OnError’.

InstallTo
Now navigate to:

    Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo

Right click on the ‘InstallTo’ option and select the option to ‘Add Setting to Pass 1 windowsPE’.

Now click on the OSImage option in the Answer File pane. In the ‘OSImage Properties’ panel set ‘InstallToAvailablePartition’ to false and the ‘WillShowUI’ option to ‘OnError’ as can be seen in the screenshot above. Next, click on the ‘InstallTo’ option. It is just below the ‘OSImage’ option in the Answer File pane. Set the ‘DiskID’ to 0 and the ‘PartitionID’ to 2 in the ‘InstallTo Properties’ pane as is shown above.

User Data
Browse through the file structure in the Windows Image pane to:

    Microsoft-Windows-Setup\UserData

Right click on the ‘UserData’ option that is highlighted above and select ‘Add Setting to Pass 1 windowsPE’.

Click on the ‘UserData’ option in the Answer File pane and set the ‘AcceptEula’ option to true.

Next expand the ‘UserData’ option and click on the ‘ProductKey’ option. In the ‘ProductKey Properties’ pane enter your product key in the Key field and set the ‘WillShowUI’ option to ‘OnError’.

OOBE
Navigate to:

    Microsoft-Windows-Shell-Setup\OOBE

and right click it. Select the ‘Add Setting to Pass 7 oobeSystem’ option.

Click on the OOBE option in the Answer File pane as above and set the ‘HideEULAPage’ option to true and the ‘ProtectYourPC’ option to 3.

ProtectYourPC
This option specifies whether to display the ‘Help protect your computer automatically’ page of the Windows Welcome to the user. There is no default value. If a value is not set, the page opens during the Windows Welcome.

1 – Specifies the recommended level of protection for your computer
2 – Specifies that only updates are installed
3 – Specifies that automatic protection is disabled

(Microsoft Technet. 2010)

Internet Explorer
Next, in the Windows Image pane navigate to Microsoft-Windows-IE-Internet-Explorer as above. Right click on this and select the option to ‘Add Setting to Pass 4 specialize’.

In the ‘Answer File’ pane under the ‘specialize’ option click on the Internet Explorer option. Now in the Internet Explorer properties pane set the ‘Home_Page’ to a website of your choosing.

Validate and Save Settings
Now we will validate the answer file. In the Windows System Image Manager click Tools and then click ‘Validate Answer File’. In the messages pane any warning messages will be displayed. To examine and change an incorrect setting, double click on the error message.

This will take you to the incorrect setting as above and allow you to change it and fix the error. Click on the File menu, and then click Save Answer File. As above, name the file ‘autounattend.xml’ and save it to the root folder of a USB drive.

Building a Reference Installation
Now it will be shown how to build a reference installation using the answer file. This custom installation can then be duplicated to multiple machines. Turn on the computer you wish to use as the reference machine. Insert the Windows 7 installation DVD and the USB drive that has the autounattend.xml file saved on it. Windows Setup, by default, will search the root directory of all removable media for the autounattend.xml file. Windows should then perform an automated installation using the settings specified in the answer file.

After the installation completes, Windows will boot to the desktop and the System Preparation Tool will be shown as above. The System Preparation Tool allows us to remove hardware-specific information from the installation using the Generalize setting. Also, setting the System Cleanup Action to OOBE allows us to configure the computer to boot to the Windows Welcome upon the next restart (Microsoft Technet (2). 2010).

Now set the System Cleanup Action to Enter System Out-Of-Box Experience and ensure that Generalize is ticked. Also set the Shutdown Options to Shutdown. An image of this machine can now be captured and deployed to multiple computers.

Creating Bootable Windows PE Media
It will now be shown how to create a bootable version of Windows PE. First, click on the start button, click on ‘All Programs’, and then click on ‘Windows AIK’. Now right click on the ‘Deployment Tools Command Prompt’ and select ‘Run as administrator’.

A command prompt as above opens. This command prompt window has automatically set environment variables to point to all the necessary tools installed at C:\Program Files\Windows AIK\Tools (Microsoft Technet (2). 2010).

Now type the command:

    copype.cmd amd64 c:\winpe

where amd64 can be replaced by the CPU architecture you require, for example, x86 or ia64. The destination folder must not exist before you run this command; if it does, the command will not work. The destination folder can be named anything, but to keep it descriptive name it winpe, as above.

The screenshot above shows the successful completion of this command. Next copy the base image ‘winpe.wim’ to the c:\winpe\ISO\sources folder and rename it to ‘boot.wim’:

    copy c:\winpe\winpe.wim c:\winpe\ISO\sources\boot.wim

When successful it will state, as above, that 1 file(s) copied.

Next, we must copy ImageX into \winpe\ISO:

    copy "c:\program files\Windows AIK\Tools\amd64\imagex.exe" c:\winpe\iso\

Next, we must create a Windows PE disc image using the oscdimg tool from the prompt. Enter the command:

    oscdimg -n -bc:\winpe\etfsboot.com c:\winpe\ISO c:\winpe\winpe_amd64.iso

The ISO can be named as you wish, but again a descriptive name like winpe_amd64.iso is best. Navigate to the C:\winpe folder. Right-click on the winpe_amd64 disc image and click on Burn disc image as above.

Insert a CD-ROM into the drive and burn the image to disc by clicking Burn. You now have a bootable Windows PE RAM CD containing the ImageX tool.

ImageX
ImageX is a command-line tool that enables OEMs (Original Equipment Manufacturers) and corporations to capture, modify, and apply file-based disk images for rapid deployment. It works with Windows image (.wim) files. ImageX can be used to create an image, to modify an image without extracting and recreating the image, and also to deploy the image to an environment (Microsoft Technet. 2011).

Oscdimg Tool
Oscdimg is a command-line tool for creating an image file of a customized 32 or 64-bit version of Windows PE (Microsoft Technet (2). 2011).

Capturing the Installation onto a Network Share
Setting up a network share
Create a folder called ‘server’. Right click on the folder and click Properties.

Navigate to the Sharing tab. Click ‘Advanced Sharing..’.

Click the ‘Share this folder’ option. Click on the ‘Permissions’ button.

Give Everyone the following permissions: Change and Read. Click Apply and OK. On the Advanced Sharing menu again click Apply and OK.

In the menu you will now be able to see the shared folder's network path:

    \\LAPTOP\server

Click Close. You have now set up a shared folder.

Capturing the installation onto a Network Share
Now it will be shown how to capture an image of your reference computer by using Windows PE and the ImageX tool. Then it will be shown how to store said image on a network share. Insert the Windows PE CD and restart the computer. As the computer restarts press the appropriate key to access the boot order. Change the boot order to boot from the CD/DVD drive that contains the Windows PE CD. If you have successfully booted to the Windows PE command prompt, the screen should look as it does above.

Next find the correct drive that contains the PE media, in this case, drive E. Use the DIR command to check this as above. Enter the following command as above to create an image of the reference installation using the ImageX tool located on the Windows PE media:

    Imagex.exe /capture C: C:\myimage.wim "Win7 amd64" /compress fast /verify

Successful completion of the command should look as it does above.

Next the image will be moved to a network location. Ensure that you have adequate share permissions and NTFS permissions (if the share is an NTFS formatted drive/folder) to copy the file to the network share. Enter the command:

    net use N: \\LAPTOP\server

Replace LAPTOP with the name of the computer on your network that contains the share and replace server with the name of the share. You will then be asked to enter your username and password on the network system. Switch to the N drive by entering N: at the command prompt. Next make a directory named Images using the ‘md’ command. Copy the myimage.wim file from the C drive into the network share using the copy command:

    copy c:\myimage.wim n:\Images

The wim image file has now been copied to the network share.

Deploying from a Network Share
Now it will be shown how to deploy the reference image from a network share to a target computer. Insert the Windows PE media into the target computer. Turn on the computer. You may need to change the boot order to boot from disc. If the Windows PE media has booted correctly you will be faced with the command prompt as above.

Partitioning the Disk
Now enter the disk partition utility by entering the command diskpart and pressing Enter. Select the disk to use, entering the command as follows:

    select disk 0

Here 0 identifies which physical disk on the machine you wish to use. Next clean the disk using the command:

    clean

as above. The clean command removes partition or volume formatting from the disk currently in focus by zeroing sectors (Microsoft. 2013). Next create a primary partition and give it a size of 300MB:

    create partition primary size=300

Now select partition 1:

    select partition 1

And format the drive:

    format fs=ntfs label="System"

Assign the drive the letter S:

    assign letter=S

Now set the drive as active using the ‘active’ command. This setting informs the system that the partition is a valid system partition (Microsoft. 2013). Now we must create another partition where Windows will be installed. So again enter the create partition command:

    create partition primary

Next enter the following command to select the newly created partition:

    select partition 2

Again format the new partition and label it ‘Windows’:

    format fs=ntfs label="Windows"

Finally assign this drive the letter C:

    assign letter=C

Run the ‘list volume’ command to see the drives on your system. As can be seen, the specified drives have been created. The size of the C volume may vary depending on the size of the hard drive in use in the computer. Now exit diskpart using the exit command.

Deploying the Windows Image from a Network Share
Now we must connect to a network share. Again ensure that you have the relevant permission to access the network share and read from it. Connect to the share as follows:

    net use N: \\machinename\sharename

This assigns the letter N: to the network drive, which makes further access easier. After running this command you should be prompted to enter a username and password for the machine. Do this to gain access to the share. Next copy the image file to the C drive. If you have followed the naming conventions in this guide, enter the command:

    copy N:\Images\myimage.wim C:

Copying this file may take some time, depending on its size and the speed of your network and computer. To apply the copied image to the C drive, the ImageX tool must be used. The D drive represents the disc drive on your machine that contains the Windows PE media. Enter the command:

    D:\imagex.exe /apply C:\myimage.wim 1 C:

This applies the first image in the wim file to the C drive. Again this may take some time. Next use BCDBoot to initialize the Boot Configuration Data store and copy the boot environment files to the system partition. Enter the following command:

    C:\windows\system32\bcdboot c:\windows

If completed successfully a message will appear as above. Now enter exit into the command prompt to exit from the PE command prompt. You can now boot into the Windows 7 installation. Here we can see the C partition created in Windows PE in the fully booted Windows 7 Enterprise system.

Task A2
BitLocker Overview
In Task A2 we will examine how to use BitLocker to enforce full drive encryption. BitLocker provides data protection for your system by encrypting all data stored on the Windows OS volume. BitLocker-To-Go allows for the encryption of external drives, such as USB flash drives (Microsoft. 2014). BitLocker usually works with a Trusted Platform Module (TPM). This is a microchip that is built into a computer. It stores cryptographic information, such as encryption keys. The information that is stored on the TPM can be more secure from physical theft and external software attacks. The TPM ensures that a computer cannot be tampered with even if it is left unattended, lost or stolen (Microsoft. 2014). BitLocker can also be used without a TPM. When using BitLocker without a TPM the encryption keys are stored on a USB flash drive. Changes to the BitLocker setup also have to be made by editing the system’s Group Policy. This is the means of using BitLocker that will be outlined in the following guide (Microsoft. 2014).

Click on the start button, open the start menu and click to open the Control Panel. Now click on the System and Security option.

Next click on the option for ‘BitLocker Drive Encryption’.

You will now see the menu as above. Click Turn on BitLocker.

Any attempt to turn on BitLocker will fail as a Trusted Platform Module cannot be found. To enable the TPM-less implementation of BitLocker, the BitLocker group policies must be edited. Press the Windows key + R to open a run window. Enter:

    gpedit.msc

to open the Local Group Policy Editor.

Now under ‘Computer Configuration’, expand ‘Administrative Templates’, expand ‘Windows Components’ and then expand ‘BitLocker Drive Encryption’.
Now click on ‘Operating System Drives’ and in the right pane click on ‘Require additional authentication at startup’. Ensure that you click the top option as highlighted above and not the options for Windows Vista and Windows Server 2008. Then click ‘Edit policy setting’.

Now a menu will appear, as above, which will allow you to enable and disable additional authentication at startup for BitLocker.

Change the setting from ‘Not Configured’ to ‘Enabled’. This will allow the use of BitLocker without a TPM. Click Apply and click OK. Then close the Group Policy Editor.

Return to the BitLocker Drive Encryption menu as above. Now click on ‘Turn On BitLocker’.

Windows must prepare your drive for BitLocker encryption. Click Next to begin this process.

Click ‘Next’ again to begin the encryption of the drive.

Next, you are asked to set the BitLocker startup preferences. The only option available should be to ‘Require a Startup key at every startup’. To use this option you must insert a USB flash drive that has enough space for the key (the keys are a couple of KB). After inserting the flash drive click on ‘Require a Startup key at every startup’.

Select the USB drive you wish to use and click Save.

Next you will be asked how you want to store your recovery key. You can save it to a file, save it to a flash drive or print it.

For this example we will save to a flash drive. Click ‘Save the recovery key to a USB flash drive’ and then select the drive you wish to use and click Save. Click Next to continue.

Finally, you will be asked if you are ready to encrypt the drive.
Leave the option to ‘Run BitLocker system check’ ticked and click Continue. A restart will be required, so restart the computer. Leave the USB key that contains the key file inserted in the USB port.

After the computer has restarted, the encryption process will begin. It will take some time depending on the size of the drive being encrypted.

After the encryption is complete, if you open My Computer you can see that the C drive icon now shows a lock icon to signify that it is encrypted. Congratulations! You have now enforced full drive encryption using BitLocker.

Part B
Task A
We will now set up three servers, two with Windows Server 2008 R2 Standard installed and another with Windows Server 2008 R2 Standard Core installed. First it will be shown how to install R2 Standard with a GUI on a virtual machine using VMware Workstation 10.

Creating a Virtual Machine
First, open VMware Workstation. In the top left corner click on the File menu and select Create New Virtual Machine.

Select Custom (advanced) install and click Next.

Next you will be able to choose the virtual machine's hardware compatibility. Leave the settings as they are and click Next.

Next you will be asked to choose an operating system to install. Click the radio button next to the ‘I will install the operating system later’ option and click Next.

Choose Microsoft Windows as the guest operating system and for the version option select ‘Windows Server 2008 R2 x64’. Click Next to continue.

Next you will be asked to give your virtual machine a name and select where to save it. Note that this is only the name of the virtual machine and not the computer's name when installed. Name the virtual machine and select a location to install it. Ensure that you have enough space in the save location for the intended virtual machine's hard drive (200GB).

Choose the number of processors and the number of processor cores from your machine to assign to the virtual machine. The default in this case is fine. Click Next to continue.

Choose how much physical memory you wish to allocate to the virtual machine. Assign at least 512MB of memory, possibly more if your physical machine allows it.

Now select your network type. For this example it is fine to select the option to ‘Use network address translation (NAT)’. Select the radio button beside this option and click Next to continue.

Next you will be asked to select I/O controller types. Stick with the recommended setting of LSI Logic SAS and click Next to continue.
Next you will be asked to select a disk type. Again stick with the recommended disk type of SCSI and click Next to continue.

Following this you will be asked to ‘Select a Disk’. Select the option to ‘Create a new virtual disk’. Then click Next to continue.

Now specify the Disk Capacity. As in the specification, set the maximum disk size to 200GB. Choose not to allocate all disk space now, to conserve disk space, and split the virtual disk into multiple files.

Next choose a name for the virtual disk file.

Before finalising the virtual machine you will be given the opportunity to customize the hardware in the virtual machine. Click Customize Hardware.

You can now review the hardware composition of your virtual machine. Click on the CD/DVD drive. Ensure that the drive is selected to ‘Connect at power on’.

Under the Connection heading, select the option to ‘Use ISO image file’. Navigate to the Windows Server 2008 R2 x64 ISO on your system and select it. Click Close.

Click Finish to complete the creation of the virtual machine.

Installing Windows Server 2008 R2 x64 Standard
Power on the virtual machine and allow it to boot. Select the language, time and currency format and keyboard or input method that you desire and click Next to continue.

Click Install now to begin the installation.

Select the version of Windows Server that you intend to install. For this guide Windows Server 2008 R2 Standard (Full Installation) will be installed.

Read the licence terms, click the check box to accept them and click Next to continue.

Now choose the type of installation that you want. Choose Custom (advanced) as this is a fresh installation of Windows Server rather than an upgrade from a previous version.

Next, select the disk you wish to install Windows on. In this case, select the 200GB disk as above and click Next.

Windows Server 2008 R2 will then install. This may take some time.

After the installation completes you will be prompted to change the user’s password before logging in for the first time. Click OK.

Enter the new password and then confirm it. For the purpose of this example the password will be: Pa$$w0rd
Click the blue button with the right facing white arrow to continue.

You will see a message confirming that your password has been changed. Click OK and you will be logged in. The installation is complete.

Installing Windows Server 2008 R2 x64 Standard Core
Installing Windows Server Core is similar to the full installation. When selecting the operating system that you wish to install, select a version that applies a Server Core Installation. As above, select Windows Server 2008 R2 Standard (Server Core Installation).

Cloning a Virtual Machine in VMware Workstation
It will now be shown how to clone a virtual machine. You should clone the Full Installation of Windows Server 2008. Open VMware Workstation. Right click on the virtual machine you wish to clone, navigate to the Manage option and then click the ‘Clone…’ option.

After this an install wizard will appear. Click Next to proceed.

Choose to clone from ‘The current state in the virtual machine’ and click Next to continue.

Now you have to choose the clone method that will be used. The two options are to ‘create a linked clone’ and to ‘create a full clone’. A linked clone saves space as it only saves changes made to the original. A full clone creates a full copy of the virtual machine in its current state. We will use a linked clone to save space. Also, both virtual machines are to be kept on the same machine, so a full clone is unnecessary. Select ‘Create a linked clone’ and click Next to continue.

Now the virtual machine must be given a name and a save location for it must be chosen. Choose a name that is different from the original but also ensure that you note that it is a clone and not a full virtual machine. To finish creating the clone, click Finish.

Creating and Cloning the Windows 7 Client Virtual Machine
The installation of Windows 7 has been covered in previous guides. This is contained in the appendix of this guide. Creating the virtual machine is similar to creating the virtual machine for a Windows server. Note the following differences: assign the machine 60GB of disk space and, when selecting the operating system that will be installed, select Windows 7 x64. Use an ISO image of Windows 7 x64 Enterprise also.

Clone the machine as with Windows Server 2008 and give it an appropriate name. The settings should remain the same, that is, use a linked clone.

Now, after all the installations and cloning have been completed, you should have the following:

- A virtual machine containing Windows Server 2008 R2 x64 Standard.
- A clone of this virtual machine.
- Another virtual machine that contains Windows Server 2008 R2 x64 Standard Core version.
- A virtual machine that contains Windows 7 Enterprise x64.
- A clone of this virtual machine.

Changing Computer Name

Windows Server 2008 Full
Each machine must now be assigned a name as outlined in the specification. To do this, click on the Server Manager icon (just to the right of the Start button).

When the Server Manager window appears, you will see information about the server, including the computer's current name. Click on the ‘Change System Properties’ option on the upper right hand side.

Navigate to the Computer Name tab and click on the ‘Change…’ button.

In the Computer name text box enter the new computer name, that is, Server1 and Server2.

You must now restart the computer for these changes to be applied.

When the Server Manager is opened you can see the new computer names, as above.

Windows Server 2008 Core
The machine with the core installation must be renamed MS-CORE. First, log in to the machine. At the command prompt type:

    hostname

This will show the computer's current name.

To change the machine's name, enter the command:

    netdom renamecomputer <oldname> /newname:<newname>

where <oldname> is WIN-8NB6OFEPCMV and <newname> is MS-CORE. Enter Y and press Enter to proceed. You will be asked to restart the computer to implement this change. To do this, enter the command:

    shutdown /r

A prompt will appear stating that Windows will shut down in less than a minute.

When the computer has restarted, again enter the hostname command. The computer should now be named MS-CORE as above.

Windows 7
Now it will be shown how to rename a computer in Windows 7. Click on the Start menu and click on the Control Panel option. Then click on the ‘System and Security’ option.

Then click on the System option.

Click on Change settings.

Navigate to the Computer Name tab and click on the ‘Change…’ option.

Enter the new computer names Client1 and Client2 and click OK. Click OK on the System Properties menu. You will be prompted to restart to implement these changes. Restart the computer.

Giving all machines a static IP address
All machines must be given a static IP address from the range 192.168.0.0/24. This notation uses a technique known as CIDR (Classless Inter-Domain Routing) or supernetting. The original Internet Protocol (IP) defines IP addresses in four major classes of address structure, classes A to D. Each class allocates one portion of the 32-bit (IPv4) address format to a network address and the remaining portion to a host machine within the network. With supernetting, the /23, for example, at the end of an address says that the first 23 bits are the network part of the address, leaving the remaining nine bits for specific host addresses (Rouse, 2014).

Windows Server 2008 R2 Full
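The prefix arithmetic described above can be applied to the addressing plan before any adapter is changed. The following is an added example, not part of the original assignment: it uses the addresses and gateway this guide assigns (pairing Server2 with 192.168.0.4 is an assumption) and reports any host whose address, mask or gateway does not fit 192.168.0.0/24.

```python
import ipaddress

# Values from this guide. Server2 = .4 is an assumption: the guide only says
# the two full servers use .3 and .4 and later names .3 as Server1.
SUBNET = "192.168.0.0/24"
PLAN = {
    "Server1": ("192.168.0.3", "255.255.255.0", None),
    "Server2": ("192.168.0.4", "255.255.255.0", None),
    "MS-CORE": ("192.168.0.5", "255.255.255.0", "192.168.208.2"),
}


def describe(cidr):
    """Split a CIDR block into (network bits, host bits, usable host addresses)."""
    net = ipaddress.ip_network(cidr)
    host_bits = net.max_prefixlen - net.prefixlen
    usable = max(net.num_addresses - 2, 0)  # minus network and broadcast
    return net.prefixlen, host_bits, usable


def check_plan(plan, cidr):
    """Return (host, problem) pairs; an empty list means the plan is consistent."""
    subnet = ipaddress.ip_network(cidr)
    problems, seen = [], {}
    for host, (address, mask, gateway) in plan.items():
        try:
            iface = ipaddress.ip_interface(f"{address}/{mask}")
        except ValueError as exc:
            problems.append((host, f"invalid address or mask: {exc}"))
            continue
        # The dotted mask must describe the same prefix length as the CIDR suffix.
        if iface.network.prefixlen != subnet.prefixlen:
            problems.append(
                (host, f"mask {mask} is /{iface.network.prefixlen}, not /{subnet.prefixlen}")
            )
        if iface.ip not in subnet:
            problems.append((host, f"{address} is outside {subnet}"))
        elif iface.ip in (subnet.network_address, subnet.broadcast_address):
            problems.append((host, f"{address} is reserved in {subnet}"))
        if iface.ip in seen:
            problems.append((host, f"{address} already assigned to {seen[iface.ip]}"))
        seen.setdefault(iface.ip, host)
        # A default gateway has to be reachable on the host's own subnet.
        if gateway is not None and ipaddress.ip_address(gateway) not in iface.network:
            problems.append((host, f"gateway {gateway} is not on-link for {iface.network}"))
    return problems


if __name__ == "__main__":
    print(describe(SUBNET))
    for host, problem in check_plan(PLAN, SUBNET):
        print(f"{host}: {problem}")
```

With the values above, the only finding is the MS-CORE gateway, which lies outside the /24 the host address belongs to.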
Open the Server Manager and click on View Network Connections.

Right click on the connection that appears and click on the Properties option in the menu. You will need administrator privileges to access the properties menu.

In the Local Area Connection Status menu again click on Properties.

Click on Internet Protocol Version 4 and then click the Properties button.

Assign the machines a static IP in the range 192.168.0.0/24. This is a class C address. As can be seen above, the machines are assigned the addresses 192.168.0.3 and 192.168.0.4.

Windows Server 2008 Core
Enter the command:

    netsh interface ipv4 show interfaces

This will show the machine's connections. Note the Idx number, in this case 3. Now enter the command as follows to change the IP address:

    netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>

where <ID> is 3, <StaticIP> is 192.168.0.5, <SubnetMask> is 255.255.255.0 and <DefaultGateway> is 192.168.208.2. To find the machine's default gateway, enter the ipconfig /all command and take note of it.

After running the command, run the ipconfig /all command again to confirm the change in IP address has taken place.

Windows 7
Changing the IP address in Windows 7 to a static IP is similar to the method shown above for Windows Server 2008 R2 (Full). Open the Control Panel, navigate to the ‘Network and Internet’ section and search for ‘adapter’.

The machine's connections should appear as above. Follow the instructions from this point in the Windows Server Full instructions to set the IP address.

All machines' IP addresses have now been set to static addresses from the range of 192.168.0.0/24.

Task B
Next the servers and one of the client machines will be set up to be part of a forest.

Server1

Disable IPv6

To disable IPv6 navigate to Local Area Connection Properties. This is reached by opening the Control Panel. Navigate to the ‘Network and Sharing Center’ and click on the ‘Change adapter settings’ option. Right click on the connection and click on Properties. Untick the Internet Protocol Version 6 option and click OK.

Set up a Domain Controller
Log on to the Server1 machine. Click on the Start menu and type dcpromo, clicking on the application that appears in the Start menu. This starts the Active Directory Domain Services installation.

The Installation Wizard will then begin. Click Next to continue. Do not use the advanced mode installation.

Read the note on operating system compatibility and then click Next to continue.

Next you will be asked to configure the Domain Name System (DNS).

Choose to solve this problem automatically by installing the DNS server service on this computer. Click Next to continue.

Click ‘Create a new domain in a new forest’ as this is to be the first tree in a new forest. Click Next.

You will now be asked to enter the fully qualified domain name (FQDN) of the new forest root domain. Enter:

    MSCCONV.IPA

and click Next.

Now you must select the forest’s functional level. By default it is set at Windows Server 2003. Leave it set to this default and click Next to continue.

Next you will be asked to select additional domain controller options. As this is the first domain controller in the forest the settings must remain as they are. Click Next to continue. Click Yes to continue.

Now a location for the database, log files and SYSVOL must be chosen. Storing the database and the log files on different volumes can increase recoverability but for this example it is not necessary. Leave the defaults in place and click Next to continue.

Enter a password for the Directory Services Restore Mode administrator. This should be different to the domain Administrator account as that may be changed regularly. Click Next.
You are now given a chance to review the installation settings. They can also be exported for reuse as an answer file. Click Next to continue.

The Active Directory Domain Services will now install. Click Finish and restart the computer when prompted.

The MSCCONV.IPA domain has been established and Server1 is a part of it.

Client1
First ensure that the Server1 machine is on. Log on to the Client1 machine. Follow the guide above to disable IPv6 on Client1 also.

Set DNS Server
Navigate to the Internet Protocol Version 4 Properties menu (how to navigate to this was shown in Task A). Click ‘Use the following DNS server addresses’ and enter the IP address of Server1 (as it is the DNS server), which in this case is: 192.168.0.3

Join MSCCONV.IPA Domain
Open the Control Panel, click on ‘System and Security’ and then ‘System’. Under the ‘Computer name, domain and workgroup settings’ click Change settings.

Select the Computer Name tab and click the Network ID button.

Now select the option that describes your network. Select the option that states that this computer will be part of a business network and click Next.

Select the option that states ‘My company uses a network with a domain’ and click Next.

Enter a user name, password and domain name for your domain account. Use administrator as the username and Pa$$w0rd as the password, as that is currently the only domain account available. For the domain name enter MSCCONV.IPA. Click Yes.

Enable the administrator account on the MSCCONV.IPA domain on the computer by entering the details as above and clicking ‘Add the following domain user account’. Click Next.

Set the account as an Administrator account and click Next.

Click Finish and restart the computer to apply the changes.

Client1 has been added to the domain.

Server2
First ensure that the Server1 machine is on. Also follow the guide above to set Server1 as this machine's DNS server. Server2 must be set up as a second domain controller. Disable IPv6 (follow the guide for Server1). Log in to Server2. Click on the Start menu and type dcpromo. Click on the application that appears. Choose to add to an existing forest and to add a domain controller to an existing domain. Click Next to continue.

You are asked to enter the name of any domain in the forest where you plan to install this domain controller. Enter:

    MSCCONV.IPA

Use the following account credentials:

    MSCCONV.IPA\administrator

and click Set. Click Next to continue.

Next select a domain for this additional domain controller. Select MSCCONV.IPA as above and click Next.

Next select a site for the new domain controller. Leave it at the default and click Next to continue.

Now additional options for the domain controller can be chosen. As this is an additional domain controller there is more flexibility in this section. Tick the ‘Global catalog’ box and click Next to continue.

Here the means of replicating data from the existing domain controller is to be specified. Click ‘Replicate data over the network from an existing domain controller’. Click Next to continue.

Click ‘Use this specific domain controller’ and select Server1.MSCCONV.IPA and continue by clicking Next.

Review the settings before completion. These settings can be exported to an answer file. Click Next to continue. Then click Finish to complete the configuration.

The wizard then configures AD DS. This may take some time. Above we can see Server2 has joined the MSCCONV.IPA domain.

MS-CORE
MS-CORE is to be a member server of MSCCONV.IPA. First ensure that the Server1 machine is on. Set Server1 as the MS-CORE machine's DNS server. To do this, enter the following command:

    netsh interface ipv4 add dnsserver name="3" address=192.168.0.3 index=1

where 3 is the Idx number (it is shown how to find this in Task A) and the address is the IP address of Server1 (the DNS server). Next join the MSCCONV.IPA domain. To do this, enter the command:

    netdom join MS-CORE /domain:MSCCONV.IPA /userd:Administrator /password:Pa$$w0rd

Restart the computer to complete joining the domain:

    shutdown /r

Enter the command:

    systeminfo

This will show the domain that the server has now joined. As can be seen, the server MS-CORE is part of the MSCCONV.IPA domain.

Active Directory Domain Services Overview
The Active Directory Domain Services (AD DS) allow for the creation of scalable, secure and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft Exchange Server. AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. A server running AD DS is called a domain controller. AD DS can be used to organize elements of a network, such as users, computers and other devices, into a hierarchical structure. This includes the Active Directory forest, which contains domains, and each domain contains organizational units (OUs). Security is integrated into AD DS through logon authentication and access control to resources contained in the directory (Microsoft TechNet (2), 2013).

Task C
Task C contains three tasks: firstly, install two additional hard disks of 150GB; secondly, mirror the operating system disk; and finally, create a spanned volume.

Install 2 additional hard disks
Open VMware Workstation. Click on the Server1 machine to open it in the main window. Ensure that the virtual machine is turned off. Click on ‘Edit virtual machine settings’.

Click on the ‘Add...’ button.

Click on Hard Disk and click Next. Leave the settings at their defaults as above and click Next.

Next, select which disk you wish to use. Choose to create a new virtual disk and click Next.

Next set the disk's size. Set this disk to 150GB, do not allocate all space now and split the virtual disk into multiple files. Click Next to continue.

Next specify where to store the configuration details of the physical disk. Leave it at the default and click Finish. Create a second disk following the guide above but make it 200GB in size.

Mirror the operating system disk
Click on the Start menu and type ‘partition’. An application called ‘Create and format hard disk partitions’ should appear. Click on it to open the Disk Management application. As the two new disk drives have just been connected to the machine and are not formatted, you will be asked to initialize the disks. Ensure both disks are selected, use the MBR partition style and click OK to continue.

Right click on the C drive (where it is marked blue, for primary partition) and click on the ‘Add Mirror’ option.

Select Disk 1, the 200GB drive (as it is the only drive big enough to mirror the C drive). It may be named differently on your machine. Select the disk and click on the ‘Add Mirror’ button. You will also be asked to change the disk to a dynamic volume. Click Yes.

A mirror of the C drive will be added to the 200GB drive. In the screenshot above the mirror of drive C can be seen.

Create a Spanned Volume
In the Disk Management application, right click on the unformatted 150GB disk and choose ‘Add New Spanned Volume’. The New Spanned Volume Wizard will begin. Click Next to continue.

Initially the disk that you right clicked above will be the only selected disk (Disk 2 above). Click on Disk 1 to highlight it and then click the Add button to select it.

Disk 2 and the remaining space in Disk 1 are now both selected and will both comprise the spanned volume. Click Next.

Next you will be asked to assign a drive letter or path. The default settings as above will be fine. Click Next.

The volume must now be formatted. Format the volume as NTFS, leave the allocation unit size as default and give the volume a label of ‘Spanned Volume’ to make it recognisable. Choose to perform a quick format (as these are new unused disks this should be fine) and click Next to continue.

You will now be given an opportunity to review the settings for the spanned volume. After you have done this, click Finish. Again you will be asked to convert the basic disks to dynamic disks. Click Yes.

The spanned volume E can be seen above.

Task D

Create Organizational Units (OU)
Firstly in Task D, we must create a number of Organizational Units. Log in to Server1 and then click on the Start menu. Navigate to the ‘administrative tools’ option and then click on ‘Active Directory Users and Computers’. The Active Directory Users and Computers management console will then open.

Click on the MSCCONV.IPA option in the left pane as seen above. Click Action in the menu above, navigate to ‘New’ and then ‘Organizational Unit’.

A menu will appear which will allow you to create a new organizational unit (OU). This parent OU is to be called ‘IPA’. Enter the name as above. Leave the option to ‘Protect container from accidental deletion’ ticked for the sake of security. Click OK to continue.

Within the parent IPA OU, two child OUs Marketing and IPA must be created. Right click on the IPA OU, navigate to ‘New’ and click on ‘Organizational Unit’.

Call the OU ‘Marketing’ and click OK. Create another OU called IT.

Next, this time right clicking on IT, create another two OUs called Dublin and Belfast, as above.

Creating a user via a TUI

Now it will be shown how to create a user from the command line. This can be done using the dsadd user command. Enter the command shown above:

    dsadd user "cn=user1, ou=IPA, dc=MSCCONV, dc=IPA" -upn user1 -samid user1 -pwd Pa$$w0rd -mustchpwd no

This creates a user named user1 in the IPA OU on the MSCCONV.IPA domain. This user’s password is set to Pa$$w0rd and the user does not have to change its password.

Advantages of using a TUI environment
This method of creating users has its advantages. It is possible to create scripts which would allow for the creation of multiple users at once. Also, this method of user creation can be used on Server Core installations.

Creating Users
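The scripted creation mentioned above can be sketched by generating one dsadd line per account for the whole OU layout this guide builds (user1 to user5 in IPA, user6 to user8 in Marketing, user9 to user11 in Dublin, user12 and user13 in Belfast). This is an added example, not part of the original assignment; it departs from the guide's command in one respect, using dsadd's `-pwd *` prompt so that the generated file holds no password, and it rejects any name that could break out of the quoted command line.

```python
import re

DOMAIN_DN = "dc=MSCCONV,dc=IPA"

# OU paths are written root-first, the way the console tree shows them.
LAYOUT = [
    (("IPA",), range(1, 6)),
    (("IPA", "Marketing"), range(6, 9)),
    (("IPA", "IT", "Dublin"), range(9, 12)),
    (("IPA", "IT", "Belfast"), range(12, 14)),
]

# Conservative allow-lists: nothing that needs DN escaping or that cmd.exe
# treats specially (quotes, %, &, |, <, >) is accepted.
SAFE_OU = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]*")
SAFE_ACCOUNT = re.compile(r"[A-Za-z0-9._-]+")


def user_dn(name, ou_path):
    """Build the distinguished name; a DN lists the innermost OU first."""
    if not SAFE_ACCOUNT.fullmatch(name):
        raise ValueError(f"unsafe account name: {name!r}")
    for ou in ou_path:
        if not SAFE_OU.fullmatch(ou):
            raise ValueError(f"unsafe OU name: {ou!r}")
    ous = ",".join(f"ou={ou}" for ou in reversed(ou_path))
    return f"cn={name},{ous},{DOMAIN_DN}"


def dsadd_commands(layout=LAYOUT):
    """Return the dsadd command lines for every account in the layout."""
    commands = []
    for ou_path, numbers in layout:
        for number in numbers:
            name = f"user{number}"
            commands.append(
                f'dsadd user "{user_dn(name, ou_path)}" '
                f"-upn {name} -samid {name} -pwd * -mustchpwd no"
            )
    return commands


if __name__ == "__main__":
    # Redirect the output to a .cmd file and run it on a domain controller.
    print("\n".join(dsadd_commands()))
```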
User1 has already been created using the command line. Right click on the IPA OU (as highlighted in the screenshot), navigate to New and click User.

Enter the details for user2.

Enter the password: Pa$$w0rd and uncheck the ‘User must change password at next logon’ checkbox as per the specification and click Next.

Review the details entered and click Finish to complete the creation of the user.

Logon Hours
Create users user1 to user5 in the IPA OU. Ctrl + click on user1 to user5 to highlight all of the currently created users. Right click on one of the users and click on Properties.

You will now be able to modify the properties of multiple users.

Navigate to the Account tab and check the ‘Logon hours:’ box.

Then click on the ‘Logon hours...’ button.

The specification states that users must have 24 hour access Monday to Friday only. Click on Saturday and then click on the ‘Logon Denied’ radio button. Repeat this for Sunday. Saturday and Sunday will be white, which signifies that logons will be denied in this period. Click OK and then click Apply and OK in the properties menu to complete the changes.

Create Marketing and IT users
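The grid set in the Logon Hours dialog is stored on each user object as a bitmap, which is what has to be read when checking that the Monday to Friday restriction really applies to every account. The following is an added example, not part of the original assignment; it assumes the logonHours attribute layout of 21 bytes, one bit per hour starting at Sunday 00:00 UTC with the least-significant bit of each byte first, and the UTC offsets used are illustrative.

```python
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
HOURS_PER_WEEK = 7 * 24  # 168 bits = 21 bytes

# The policy from the specification: 24 hour access Monday to Friday only.
WEEKDAY_POLICY = {day: range(24) for day in ("Mon", "Tue", "Wed", "Thu", "Fri")}


def encode_logon_hours(allowed, utc_offset_hours=0):
    """Turn {day: local hours} into the 21-byte bitmap, which is kept in UTC."""
    bits = [False] * HOURS_PER_WEEK
    for day, hours in allowed.items():
        for hour in hours:
            if not 0 <= hour <= 23:
                raise ValueError(f"hour out of range: {hour}")
            local_slot = DAYS.index(day) * 24 + hour
            # Shift local time to UTC; the week wraps from Saturday to Sunday.
            bits[(local_slot - utc_offset_hours) % HOURS_PER_WEEK] = True
    value = bytearray(HOURS_PER_WEEK // 8)
    for slot, permitted in enumerate(bits):
        if permitted:
            value[slot // 8] |= 1 << (slot % 8)
    return bytes(value)


def decode_logon_hours(value, utc_offset_hours=0):
    """Turn the 21-byte bitmap back into {day: sorted local hours}."""
    if len(value) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be exactly 21 bytes")
    allowed = {day: [] for day in DAYS}
    for slot in range(HOURS_PER_WEEK):
        if (value[slot // 8] >> (slot % 8)) & 1:
            local_slot = (slot + utc_offset_hours) % HOURS_PER_WEEK
            allowed[DAYS[local_slot // 24]].append(local_slot % 24)
    for hours in allowed.values():
        hours.sort()
    return allowed


def weekend_exposure(value, utc_offset_hours=0):
    """List the (day, hour) slots on Saturday or Sunday local time that permit logon."""
    decoded = decode_logon_hours(value, utc_offset_hours)
    return [(day, hour) for day in ("Sat", "Sun") for hour in decoded[day]]


if __name__ == "__main__":
    stored = encode_logon_hours(WEEKDAY_POLICY, utc_offset_hours=1)
    print(stored.hex())
    print(weekend_exposure(stored, utc_offset_hours=1))
```

A bitmap written for UTC+0 and read on a machine at UTC+1 permits logon in the first hour of Saturday local time, which is why the offset has to be known when the raw attribute is audited.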
In the Marketing OU create 3 more users, user6 to user8 (right click on the Marketing OU (highlighted above) → New → User). Set the same password as above, set that users are not to change their passwords at first logon and set the logon hours the same as they were set above.

In the Dublin sub OU add three users, user9 to user11, with the same settings as above.

In the Belfast sub OU add two users, user12 and user13, with the same settings as above.

Task E

Security Overview
A security policy must be formed for this organization with regard to the management of Organizational Units. Crawford and Russel (2008) outline the basic principles of security, with a particular emphasis on Windows Server administration. Security is a process, not a product, and as such a range of precautions and procedures have to be taken to mitigate risk (the complete elimination of risk is impossible). The three main tenets of security are Confidentiality, Integrity and Availability. Confidentiality means that information that is meant to be private will remain private. Integrity means that data stays in an unaltered state so as to maintain the accuracy and reliability of information. Availability assures that data can be reliably accessed by authorized users in a reasonable amount of time.

Crawford and Russel (2008) outline ‘The Eight Rules of Security’. These are:

- The ‘Rule of Least Privilege’: Only give sufficient privilege to accomplish the task at hand.
- The ‘Rule of Change Management’: When you make a change to IT infrastructure, you expose your business to new risk. A change management policy is needed to examine changes for their impact on security before they’re implemented.
- The ‘Rule of Trust’: Understand the implications of extending trust to anyone or anything within the organization. Almost 80 percent of all security breaches are internal to the network.
- The ‘Rule of the Weakest Link’: You are only as strong as your weakest link.
- The ‘Rule of Separation’: Keep critical business assets isolated and segregated to minimize the risks to those critical assets. Separate services to different hosts and provide access only as required.
- The ‘Rule of the Three-Fold Process’: The three-fold process consists of implementation, monitoring and maintenance.
- The ‘Rule of Preventative Action’: Proactively assessing the security in your environment.
- The ‘Rule of Immediate and Proper Response’: Have a plan in place to respond to a security breach.

Crawford and Russel (2008) also recommend actions to improve security. These recommendations include:

- thinking in terms of zones, that is, isolating different subjects (people, places etc.) from objects (people, places etc.);
- creating chokepoints, to limit access and reduce the attack surface of your network;
- dividing responsibilities, that is, no one should be completely trusted or have complete control;
- allowing for staff redundancy, that is, at least two people should have the knowledge, authority and privilege to accomplish all administrative and security tasks;
- and finally, monitoring everyone, even the IT administrators.

With these concerns in mind, a security policy for our test organization will be devised according to recommended security policies. The employees have been separated into organizational units in Task D as outlined in the specification. Each OU has then been given its own security group to contain its users. The security groups follow the structure of the OUs: the IPA security group is the parent group and all other groups are members of it. Dublin and Belfast are member groups of the IT security group. This structure allows for a granular approach to security while also making it easy to implement policies across the entire IPA OU. Managing security at group level also makes management of users easier. Rather than giving permissions to each user, users are made members of the groups that they need to complete their roles. This also makes it easier to maintain the system if employees move division or leave the company.

Prevent Users in Marketing (Sales) from being able to see the IT OU in Active Directory
Now it will be shown how to prevent a group from being able to see another in Active Directory. For this example, Marketing will be stopped from seeing the IT OU.

Log on to Server1 as an administrator. Click on the start menu, navigate to Administrative Settings and click on ‘Active Directory Users and Computers’.

Navigate to the IT OU, right click on it and click on ‘Properties’.

Open the Security tab and add the Marketing group to the ‘Group or user names:’ section as above, using the ‘Add..’ button. Now, as can be seen above, deny the Marketing group Read and Write permissions. Click Apply and then OK. Exit the ‘Active Directory Users and Computers’ menu.

Allow users to log on to the Server
To test that users in the Marketing OU are unable to see the IT OU in Active Directory, you must modify Group Policy to allow users to log on locally. Press the Windows Key + R, and enter gpmc.msc to open the Group Policy Management Console.

Right click on MSCCONV.IPA and click ‘Link an existing GPO’. Select Default Domain Policy and click OK. Right click on the Default Domain Policy that now appears and click Edit.

In the Group Policy Management Editor, navigate to:

Computer Configuration > Windows Settings > Security Settings > Local Policies

Then click on ‘User Rights Assignment’. Several options will appear in the right pane. Find the policy name ‘Allow log on locally’.

Add the above groups:

MSCCONV\Domain Admins
MSCCONV\Domain Users

Click Apply and OK. Exit the Group Policy Management Editor and then the Group Policy Management Console. Restart the server. Log on to Server1 as a member of the Marketing OU. For this example, we will use user7.

Again open Active Directory Users and Computers. Navigate to the IPA OU. Right click on it and click Find.

User7, a member of the Marketing OU, is unable to see the IT OU. To check that others can still see the IT OU, log out of the server and log in as user1, which is a member of the IPA OU.

Follow the same procedure as above and search for the IT OU. Now, as user1, it can be found.

Implement 3 Group Policies
Forward My Documents from Client2 to a folder on the root of C on Server2 called User_Docs

Create Share
Log on to Server2. On the C drive create a folder called User_Docs. Navigate to the Sharing tab and click ‘Advanced Sharing’. Click ‘Permissions’.

Add ‘Everyone’ to the share permissions and give it Read and Change control. Click Apply and OK.

Next go to the Security tab and click the ‘Edit’ button. Add Authenticated Users. Give Authenticated Users the following permissions:

Modify
Read & Execute
List folder contents
Read
Write

Click Apply and OK. Exit the folder properties menu.

Folder redirection in group policies
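Before the GPO is built, the NTFS permissions just set on User_Docs can be checked: Authenticated Users hold Modify on the root, and any subfolder created under it inherits that entry unless something replaces it. The PowerShell audit below is an added example, not part of the original assignment; the function name Get-BroadWriteAce and the constructed demo folder are assumptions, and it reads NTFS permissions only, not share permissions.

```powershell
# Added example: list NTFS entries that let broad groups write to a
# redirected-folder root or its per-user subfolders.
# Get-BroadWriteAce and the demo folder are hypothetical names for this example.

# Well-known SIDs rather than names, so the check is language independent.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Bits that allow creating, changing or deleting content, plus the
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]$rights::Write -bor [int]$rights::Delete -bor
                 [int]$rights::DeleteSubdirectoriesAndFiles -bor 0x50000000

    # The root itself plus its first-level folders (one per redirected user).
    $folders  = @(Get-Item -LiteralPath $Path)
    $folders += @(Get-ChildItem -LiteralPath $Path |
                  Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl   = Get-Acl -Path $folder.FullName
        # Explicit and inherited entries, with principals returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (-not $BroadSids.ContainsKey($sid))    { continue }
            if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }

            New-Object PSObject -Property @{
                Folder    = $folder.FullName
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# --- Demo on a constructed folder under %TEMP% (not the real share) ---
$root = Join-Path $env:TEMP ('User_Docs_demo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $root 'user7') -Force | Out-Null

# Reproduce the setting under test: Authenticated Users get Modify, inheritable.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
           $authUsers, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $root
$acl.AddAccessRule($ace)
Set-Acl -Path $root -AclObject $acl

# Expect one row for the root (explicit) and one for user7 (inherited).
Get-BroadWriteAce -Path $root |
    Format-Table Folder, Principal, Rights, Inherited -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

Run against the real root on Server2, a row for a per-user folder with Inherited set to True marks a folder that every authenticated user can modify.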
Press the Windows Key + R and type:

gpmc.msc

Press Enter to open the Group Policy Management Console. Right click on the IPA OU and click ‘Create a new GPO in this domain, and link it here’. Name the GPO ‘Folder Redirection’, leave the Source Starter GPO as none and click OK. Right click on the new GPO as highlighted above and click the Edit option.

The Group Policy Management Editor will open. Navigate to:

User Configuration > Policies > Windows Settings > Folder Redirection > Documents

Right click on Documents and click Edit.

On the Target tab, set the Setting to Basic, which will redirect everyone’s folder to the same location. There is also an Advanced option which allows you to select a specific group whose folder you wish to redirect. Set to Basic, it will apply to all users within the IPA OU, as that is where the GPO has been set. Under ‘Target folder location’ select ‘Create a folder for each user under the root path’. This will create a folder for each user in the share. Next enter the Root Path. This must be the network location of the share. It must be the UNC (Universal Naming Convention) path and follow the standard form \\server\share. Enter:

\\SERVER2\User_Docs

Click Apply and switch to the Settings tab.

Untick the ‘Grant the user exclusive rights to Documents’ option. Tick the ‘Also apply redirection..’ option. Leave the other settings as they were. Settings should be as above. Click Apply and then OK. Exit the Group Policy Management Editor and then exit the Group Policy Management Console. Open a command prompt on the server. Enter:

gpupdate /force

And press Enter. When prompted enter y and press Enter. This will forcefully update the group policy on the server. You will be logged out. Following this, log back in. Log on to the Client2 machine using a user account. Open a command prompt.

Again use the gpupdate /force command.
After being logged out, log on to the Client2 machine again with the same user account.

Click on the start menu, right click on Documents and click Properties. We can see that the library location of the ‘My Documents’ folder is now:

\\SERVER2\User_Docs\user7

Log on to Server2 and navigate to the User_Docs folder.

We can see that a folder now exists containing the documents for user7 on the server in the share location.

Prevent Belfast from accessing the Control Panel. Exclude user13 from this policy
Log on to Server1 and open the Group Policy Management Console, as has been previously shown. Right click on the Belfast OU and click the ‘Create a new GPO…’ option. Name the new GPO Control Panel and click OK. Right click on the Control Panel GPO and click Edit.

Navigate as follows:

User Configuration > Policies > Administrative Templates > Control Panel

Click on the Control Panel option. In the right panel click on the ‘Prohibit access to the Control Panel’ option.

A menu as above will appear. Click on Enabled, and then click Apply and OK. Close the Group Policy Management Editor.

Click on the Control Panel GPO and in the right pane select the Delegation tab. Click the Advanced button. Click on the Add button.

Enter user13 into the textbox. You can type ‘user13’ and click Check Names to complete the entry. Click OK. Now click on user13. Deny this user the Read and Apply group policy privileges. The user should have no other privileges allowed or denied. Click Apply and then OK.

Permissions for the Control Panel GPO should look as they do above. Log on to any client machine. Open a command prompt and enter:

gpupdate /force

Enter Y when prompted and press Enter. You will be logged out.

There are two users in the Belfast OU, user12 and user13. Log on to a client machine as user13. As user13 has been excluded from the Control Panel GPO, the control panel should still be available, as in the screenshot above. Log on to the client machine as user12. Open the start menu. The control panel should not appear, as in the screenshot above.

Publish any MSI file of your choice from the C drive contents to all users in Dublin
Publishing an MSI file from a server allows a client to install it from a network share, through the add/remove programs menu in the control panel. The MSI file that will be used is an MSI file for the 7Zip application. Open a web browser and go to:

http://www.7-zip.org

On the front page download the .msi x64 file. This file then has to be unzipped to access the MSI file. It may be necessary to complete this on another machine if the server cannot unzip a file.

Create a Network Share
Log on to Server1. On the C drive create a folder called ‘software’. Give the following permissions to Authenticated Users:

Full Control
Change
Read

Give the above NTFS permissions:

Read and execute
List folder contents
Read

Copy the 7Zip MSI to the new share.

MSI GPO
Open the Group Policy Management Console. Right click on the Dublin OU and click the ‘Create a new GPO..’ option. Name this GPO ‘7Zip’. Right click on the 7Zip GPO and click Edit.

In the Group Policy Management Editor, navigate to:

User Configuration > Policies > Software Settings > Software Installation

Right click on the Software Installation option. Navigate to New and then click on Package.

Find the 7Zip MSI file. Ensure that you access the file from the network, not from the C drive. Navigate to:

Network > server1 > software

And then click on the MSI file and click Open.

You will then be asked for the method of software deployment. To comply with the specification, click the Published option and click OK. Exit the Group Policy Management Console and log on to a client machine as a user in the Dublin OU (user9, user10 or user11). Open a command prompt and enter:

gpupdate /force

Enter y when prompted and press Enter to log out. Log back in. For this example user9 will be used.

Open the control panel and click on the ‘uninstall a program’ option. In the left pane click ‘Install a program from the network’.

Here an option to install 7-Zip should be available.

This can then be installed. Log out and log back in as a user from outside the Dublin OU who also has access to the control panel. User2 will be used for this example.

As can be seen, user2 does not have the option to install 7-Zip from the network.

Group Policy Overview
Group Policy is a hierarchical infrastructure that allows a network administrator in Active Directory to implement specific configurations for users and computers. User, security and networking policies can also be defined at machine level by Group Policy. Administrators can use Group Policy to define options for what users can do on a network, e.g. what they can access. These collections of computer and user settings are referred to as Group Policy Objects (GPOs) (Rouse, M. (2). 2014).

Task F
Now we must set up the MS-CORE server as a file server. Log on to the MS-CORE server. Enter the following command to enable the Core File Server feature:

dism /online /enable-feature /featurename:CoreFileServer

And press Enter. The Core File Server role allows the creation of shared folders on the server (Patton-Tech. 2010). Next enter the command:

dism /online /enable-feature /featurename:NetFx2-ServerCore

This installs the .NET packages necessary for the next step (Patton-Tech. 2010). Next install the File Server Resource Manager. This needs the .NET packages installed above. Enter the following command:

dism /online /enable-feature /featurename:FSRM-Infrastructure-Core

The File Server Resource Manager is a suite of tools that allows administrators to understand, control and manage the quantity and type of data stored on their servers (Microsoft Technet. 2005). Next some rule groups must be enabled to allow clients to access the file server through the firewall (Patton-Tech, 2010). First allow File and Printer Sharing with the following command:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

Next allow Remote Volume Management with the following command:

netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

Finally allow Remote Administration with the command as follows:

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

MS-CORE is now set up as a file server.

DISM
DISM (Deployment Image Servicing and Management) is a command-line tool that is used to mount and service Windows images before deployment. The tool replaces the pkgmgr, PEImg and Intlcfg tools that are being retired in Windows 7. DISM provides a centralized tool for performing all of the functions of these tools in a more efficient way. It redirects pkgmgr calls from legacy applications running on Windows 7 to DISM (Microsoft Technet. 2013) (Microsoft Developers Network. 2014).

Configure MS-CORE for Windows Remote Administration
Establishing the MS-CORE server for remote administration takes only a small edit to the registry. Enter the command:

Cscript %windir%\system32\SCRegEdit.wsf /ar 0

This will update the registry and allow Remote Administration.

Access MS-CORE from Client2 using remote desktop
Log on to the Client2 machine as an administrator (MSCCONV\administrator). In the start menu, Remote Desktop Connection should be one of the default choices available. If it is not, search in the start menu for the Remote Desktop Connection application.

After the program has launched, enter the full name of the MS-CORE server (MS-CORE.MSCCONV.IPA) and click Connect. Enter the credentials that will be used to access the MS-CORE machine. If you logged in as an administrator, continue to use the account. Enter the password, which should be set to: Pa$$w0rd. Click OK.

A remote connection to the server will then be made. This may take a little while. Commands can then be run on the MS-CORE server. The above screenshot shows a directory being made and the dir command being run.

Task G
Install DHCP on Server2

DHCP (Dynamic Host Configuration Protocol)
DHCP is a standardized network protocol that dynamically assigns IP addresses to machines on a network. DHCP enables you to create a pool of IP addresses that are given temporarily to machines (Meyers, 2012).

Log on to Server2 as an administrator and open the Server Manager. Click on the Roles option in the left pane. In the Roles menu that appears click the ‘Add Roles’ option.

The Add Roles Wizard will then begin. Click Next.

Click the box beside the DHCP Server role and click Next.

You will now be given the option to read some literature on DHCP Servers. Do so if you wish. Following this click Next to continue.

You will be asked to select the network connections that this DHCP server will use for servicing clients. Only one IP address should be available. If you have followed this guide, the IP address should be the same as above:

192.168.0.4

Make sure it is ticked and click Next to continue.

Now you will be asked to enter the IPv4 DNS settings. The parent domain should be:

MSCCONV.IPA

And the DNS server address should be the IP address of Server1:

192.168.0.3

Validate the DNS server address and then click Next to continue.

Select ‘WINS is not required for applications on this network’ and click Next to continue.

Next we must define the DHCP scope. According to the specification, the scope should be:

192.168.0.100 – 192.168.0.150

Click Add.

You will now be asked to define the range. Name the scope ‘Scope’. The starting IP address is:

192.168.0.100

And the ending IP address is:

192.168.0.150

You can then define a subnet type of either wired or wireless. For this example, leave it as wired. Ensure that you check the box next to ‘Activate this scope’.
Next configure the subnet mask for the DHCP client. Enter:

255.255.255.0

The default gateway can be left blank. Click OK.

Next you will be asked to configure the ‘DHCPv6 Stateless Mode’. Select ‘Disable DHCPv6 stateless mode for this server’, and click Next to continue.

Next you will be asked to give credentials to authorize the DHCP server. As you are logged in as an administrator, select ‘Use current credentials’ and click Next.

Before confirmation you are given a chance to review the selected options for the role installation. Click Install to begin the DHCP Server installation.

After the installation has completed click Close. Restart the server.

In the start menu, under Administrative Tools, there is now a DHCP option. Click it. The DHCP management console will then open. Server2 can be seen here.

Configure Client2 to obtain its address and TCP/IP settings from DHCP
Log on to Client2. Open a command prompt and enter the command:

ipconfig /all

You can see that DHCP is not enabled and the IP address is 192.168.0.1.

Open the control panel and click on ‘Network and Internet’. Click on ‘View network status and tasks’. In the left panel click on ‘Change adapter settings’.

Right click on the Local Area Connection and click on Properties. Click on ‘Internet Protocol Version 4’ and click Properties.

The settings should be as above. Change the setting to ‘Obtain an IP address automatically’.

Click the Alternate Configuration tab. Ensure that the option ‘Automatic private IP address’ is selected. Click OK. Open a command prompt as an administrator. In order to get your new IP address from the newly created DHCP server you may need to run these commands:

ipconfig /release
ipconfig /flushdns
ipconfig /renew

As can be seen in the screenshot above, Client2 now uses Server2 as the DHCP Server (192.168.0.4 – the server’s IP) and has an IP address, 192.168.0.101, in the scope defined when installing the DHCP server. On the server open the DHCP management console. If you click on the Address Leases option, you can see the IP address leased to Client2.

Disable DHCP services
Now we will disable the DHCP services and see what address Client2 will get. Log on to Server2. Press the Windows Key + R, and enter services.msc. Click OK. This will open the services menu. Look for the DHCP Server service and select to stop the service.

Return to the Client2 machine. Open a command prompt and enter the command:

ipconfig /all

As can be seen, the IP address is set to 169.254.142.31, which is an address in the APIPA range.

APIPA (Automatic Private IP Addressing)
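Client2 passes through three address states in this task: a static address, a lease from Server2, and an APIPA address once the DHCP Server service is stopped. The PowerShell below is an added example, not part of the original assignment, that classifies English-language ipconfig /all output into those states and also reports a lease from a server other than the one configured in this guide; the function names and the sample output are constructed for illustration.

```powershell
# Added example: classify a client's IPv4 state from 'ipconfig /all' text.
# Function names are hypothetical; the sample blocks are constructed, using the
# addresses from this guide. Assumes English output and a single adapter.

$ExpectedDhcpServer = '192.168.0.4'      # Server2
$ScopeStart         = '192.168.0.100'
$ScopeEnd           = '192.168.0.150'

function ConvertTo-IPv4Number {
    param([string]$Address)
    # GetAddressBytes() is big-endian; reverse it for BitConverter on x86/x64.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-AddressState {
    param([string[]]$IpconfigLines)

    $dhcpEnabled = $false; $address = $null; $server = $null
    foreach ($line in $IpconfigLines) {
        if     ($line -match 'DHCP Enabled[ .]*:\s*(\w+)')    { $dhcpEnabled = ($Matches[1] -eq 'Yes') }
        elseif ($line -match 'IPv4 Address[ .]*:\s*([\d.]+)') { $address = $Matches[1] }
        elseif ($line -match 'DHCP Server[ .]*:\s*([\d.]+)')  { $server  = $Matches[1] }
    }
    if (-not $address) { return 'No IPv4 address found' }

    # APIPA range as given in the text: 169.254.0.1 to 169.254.255.254.
    $n = ConvertTo-IPv4Number $address
    if ($n -ge (ConvertTo-IPv4Number '169.254.0.1') -and
        $n -le (ConvertTo-IPv4Number '169.254.255.254')) {
        return "APIPA ($address): no DHCP server answered"
    }
    if (-not $dhcpEnabled) { return "Static ($address)" }
    if ($server -ne $ExpectedDhcpServer) {
        return "Lease ($address) from unexpected DHCP server $server"
    }
    $inScope = ($n -ge (ConvertTo-IPv4Number $ScopeStart)) -and
               ($n -le (ConvertTo-IPv4Number $ScopeEnd))
    if ($inScope) { return "Lease ($address) from $server, inside scope" }
    return "Lease ($address) from $server, outside scope"
}

# --- Constructed samples for the three states seen on Client2 ---
$static = @'
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.0.1(Preferred)
'@ -split "`n"

$leased = @'
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.101(Preferred)
   DHCP Server . . . . . . . . . . . : 192.168.0.4
'@ -split "`n"

$apipa = @'
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.142.31(Preferred)
'@ -split "`n"

Get-AddressState $static
Get-AddressState $leased
Get-AddressState $apipa
```

On a live single-adapter client the same function can be fed the command output directly with Get-AddressState (ipconfig /all).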
APIPA automatically assigns an IP address to the system when the client cannot obtain an IP address automatically. The IANA (Internet Assigned Numbers Authority) set aside a range of addresses for this purpose, from 169.254.0.1 to 169.254.255.254. If the computer cannot contact a DHCP server, the computer randomly chooses an address in this range and a subnet mask of 255.255.0.0. If no computer responds to this address, the system assigns this address to itself (Meyers. 2012).

Task H
Decommission Server2 from the Active Directory System
For this task we must decommission Server2 from the Active Directory System using a method which would be used if the server had become unbootable. Shut down Server2. Log on to Server1 as an administrator. Click on the start menu, click on the Administrative Tools option and click on ‘Active Directory Sites and Services’. In the left pane navigate down until you see Server2, as follows:

Sites > Default-First-Site-Name > Servers

Then click to expand SERVER2.

While the server contains other objects you will be unable to delete it. After expanding Server2 another option, NTDS Settings, appears. Right click on it and select Delete. A prompt as above will appear. Click Yes. You will be warned that you are deleting a domain controller. Select the option ‘This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Installation Wizard (DCPROMO)’. Click Delete to confirm. You will then be prompted, as above, that the domain controller is a global catalogue and asked whether you are sure that you wish to delete it. Again click Yes.

Now right click on SERVER2 and select Delete. Again you will be prompted as above. Click Yes.

Server2 is now completely deleted.

References
Computer Hope. 2014. Active Partition. Accessed 3/8/2014. http://www.computerhope.com/jargon/a/activepa.htm
Crawford, S. & Russel, C. 2008. Windows Server 2008 Administrator’s Companion. Microsoft Press. Redmond, Washington.
Meyers, Mike. 2012. CompTIA A+ Certification All-in-One Exam Guide. Eighth Edition. McGraw-Hill. New York.
Microsoft. 2013. A Description of the Diskpart Command-Line Utility. Accessed 20/7/14. http://support.microsoft.com/kb/300415
Microsoft. 2014. Bitlocker Drive Encryption Overview. Accessed 21/7/14. http://windows.microsoft.com/en-ie/windows-vista/bitlocker-drive-encryption-overview
Microsoft Developers Network. 2014. Deployment Image Services Management (DISM). Accessed on 2/8/2014. http://msdn.microsoft.com/en-us/library/windows/desktop/dd371719%28v=vs.85%29.aspx
Microsoft Technet. 2005. File Server Resource Manager. Accessed 2/8/2014. http://technet.microsoft.com/en-us/library/cc755603%28v=ws.10%29.aspx
Microsoft Technet. 2010. ProtectYourPC. Accessed 3/8/2014. http://technet.microsoft.com/en-us/library/cc749278%28v=ws.10%29.aspx
Microsoft Technet (2). 2010. Step-by-Step: Basic Windows 7 Deployment for IT Professionals. Accessed 3/8/2014. http://technet.microsoft.com/en-us/en%20%E2%80%90%20us/library/dd349348%28v=ws.10%29.aspx
Microsoft Technet. 2013. DISM – Deployment Image Servicing and Management Technical Reference for Windows. Accessed on 2/8/2014. http://technet.microsoft.com/en-us/library/hh824821.aspx
Microsoft Technet (2). 2013. Active Directory Domain Services Overview. Accessed 3/8/2014. http://technet.microsoft.com/en-us/library/hh831484.aspx
Microsoft Technet. 2014. Understanding Answer Files. Accessed 3/8/2014. http://technet.microsoft.com/en-us/library/cc749113%28v=ws.10%29.aspx
Microsoft Technet. 2011. What is Imagex? Accessed 3/8/2014. http://technet.microsoft.com/en-us/library/cc722145%28v=ws.10%29.aspx
Microsoft Technet (2). 2011. Oscdimg Command-Line Options. Accessed 3/8/2014. http://technet.microsoft.com/en-us/library/cc749036%28v=ws.10%29.aspx
Patton-Tech. 2010. Windows Server Core 2008 R2 File Server. Accessed on 2/8/2014. http://patton-tech.com/2010/12/windows-server-core-2008-r2-file-server.html
Rouse, M. 2014. Supernetting or Classless Inter-Domain Routing (CIDR). Accessed on 24/7/2014. http://searchnetworking.techtarget.com/definition/supernetting
Rouse, M. (2) 2014. Group Policy. Accessed on 3/8/2014. http://searchwindowsserver.techtarget.com/definition/Group-Policy

Appendix
For a more in-depth look at Windows 7 installation, follow the guide in the Hardware and Software assignment.