
6.2.6
Task Summary
Actions you were required to perform
Configure the Allow log on locally user right in the Default Domain Policy GPO
   o Add Administrators
   o Add Backup Operators
   o Add Power Users
   o Add Users
   o Do not add any additional groups
Create and link the Server Logons GPO
   o Create the GPO
   o Link the GPO to the Servers OU
Configure the Allow log on locally user right in the Server Logons GPO
   o Add Account Operators
   o Add Administrators
   o Add Backup Operators
   o Add Print Operators
   o Add Server Operators
   o Do not add any additional groups
Configure the Allow log on through Terminal Services user right in the Server Logons GPO
   o Add Administrators
   o Do not add any additional groups

Explanation
To edit user rights, browse to Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\User Rights Assignment. When adding users or groups, be aware of
the following:

To add a local user or group, simply type the name of the group you want to add.
To add a domain user or group, include the domain name in the object name (for
example: mydomain\Sales).

Following are steps that an expert might take to perform the tasks in this lab.

Edit User Rights


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain or OU where the GPO is linked.
3. Right-click the GPO and select Edit....
4. In Computer Configuration | Policies | Windows Settings | Security Settings | Local
Policies, select User Rights Assignment.
5. Right-click the rights assignment you want to edit and select Properties.
6. Select Define these policy settings:.
7. Click the Add User or Group... button.
8. Type the name of the user or group. Note: If the user or group is a domain account,
include the domain in the name (for example: mydomain\Sales). Alternatively, you can
click the Browse... button to add domain users and groups.
9. Click OK.
10. Click OK.
11. Close the Group Policy

Create and Link a GPO


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain or OU.
3. Right-click the domain or OU and select Create a GPO in this domain, and link it
here....
4. Type the GPO name and select a starter GPO if required. Click OK.
5. To link the GPO to additional objects, right-click the object and select Link an Existing
GPO....
6. Select the GPO from the list, then click OK.
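
To confirm the outcome of this lab on a server in the Servers OU, the effective user rights can be exported with secedit and compared with the groups from the task summary. This is an added example, not part of the original lab; the scratch file name is arbitrary, the groups are matched by their well-known SIDs, and it must run elevated after Group Policy has refreshed.

```powershell
# Added example (not from the lab): compare effective logon rights on a server
# with the groups the Server Logons GPO is meant to grant. Run elevated.
$expected = @{
    # Allow log on locally: Administrators, Account/Server/Print/Backup Operators
    SeInteractiveLogonRight       = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',
                                      'S-1-5-32-550', 'S-1-5-32-551')
    # Allow log on through Terminal Services: Administrators only
    SeRemoteInteractiveLogonRight = @('S-1-5-32-544')
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } |
        Select-Object -First 1
    if (-not $line) { return @() }              # right is not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $entry.Substring(1)                 # exported as *SID
        } elseif ($entry) {
            # exported as an account name: translate it to a SID
            ([Security.Principal.NTAccount]$entry).Translate(
                [Security.Principal.SecurityIdentifier]).Value
        }
    }
}

$results = foreach ($right in $expected.Keys) {
    $actual = @(Get-RightHolders $right)
    [pscustomobject]@{
        Right      = $right
        Missing    = @($expected[$right] | Where-Object { $_ -notin $actual }) -join ','
        Unexpected = @($actual | Where-Object { $_ -notin $expected[$right] }) -join ','
    }
}
Remove-Item $cfg
$results | Format-Table -AutoSize
```

An empty Missing and Unexpected column for both rights means the server matches the lab's "Do not add any additional groups" requirement.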

Scoring
Your Score: 0 of 4
Elapsed Time: 11 minutes 1 second

6.2.8
Task Summary
Actions you were required to perform
Create, link, and configure the SecureWS GPO
   o Create the SecureWS GPO
   o Link the GPO to the domain
   o Disable the User Configuration portion of the GPO
Define the Backup Operators restricted group
   o Add the restricted group
   o Configure the group with no members
Define the Power Users restricted group
   o Add the restricted group
   o Configure the group with no members
Define the Administrators restricted group
   o Add the restricted group
   o Add EASTSIM\Domain Admins as a group member
   o Add EASTSIM\Remote Admin as a group member
   o Do not add any other members

Explanation
To configure restricted groups, browse to Computer Configuration\Policies\Windows
Settings\Security Settings\Restricted Groups. When adding users or groups, be aware of the
following:

To add a local user or group, simply type the name of the group you want to add.
To add a domain user or group, include the domain name in the object name (for
example: mydomain\Sales).

Following are steps that an expert might take to perform the tasks in this lab.

Create and Link a GPO


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain or OU.
3. Right-click the domain or OU and select Create a GPO in this domain, and link it
here....
4. Type the GPO name and select a starter GPO if required. Click OK.
5. To link the GPO to additional objects, right-click the object and select Link an Existing
GPO....
6. Select the GPO from the list, then click OK.

Configure Restricted Groups


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain or OU where the GPO is linked.
3. Right-click the GPO and select Edit....
4. In Computer Configuration, open Policies | Windows Settings | Security Settings.
5. Right-click Restricted Groups and select Add Group....

6. Enter the group name in the Group text box. Note: Typing the group name will match a
local group. Depending on the computer you are on, you might not be able to browse and
select the local group that you want.
7. Click OK.
8. To add members to the restricted group, click the Add... button.
9. Type the name of the user or group that will be a member of the restricted group. Note: If
the user or group is a domain account, include the domain in the name (for example:
mydomain\Sales). Alternatively, you can click the Browse... button to add domain users
and groups.
10. Click OK.

Edit the GPO Status


1. In the Group Policy Management console, browse to the Group Policy Objects folder.
2. Right-click the GPO you want to modify and select GPO Status, then select:
o Enabled to enable both computer and user settings
o User Configuration Settings Disabled
o Computer Configuration Settings Disabled
o All Settings Disabled
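
Once the SecureWS GPO has applied, the restricted groups can be checked on a workstation by comparing local group membership with the member lists defined above. This is an added example, not part of the original lab; it assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets and is run on the workstation itself.

```powershell
# Added example (not from the lab): check local group membership on a
# workstation against the SecureWS restricted-group definitions.
$expected = @{
    'Administrators'   = @('EASTSIM\Domain Admins', 'EASTSIM\Remote Admin')
    'Backup Operators' = @()
    'Power Users'      = @()
}

# Restricted Groups never removes the built-in local Administrator account
# (RID 500) from Administrators, so it is not reported as drift. It is
# identified by SID because the account may have been renamed.
$builtinAdmin = Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$report = foreach ($group in $expected.Keys) {
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
    $names = @($members |
        Where-Object { $_.SID.Value -ne $builtinAdmin.SID.Value } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        Group      = $group
        Missing    = @($expected[$group] | Where-Object { $_ -notin $names }) -join '; '
        Unexpected = @($names | Where-Object { $_ -notin $expected[$group] }) -join '; '
    }
}

$report | Format-Table -AutoSize
```

Any name in the Unexpected column is a member that the restricted-group policy should have removed at the last policy refresh.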

Scoring
Your Score: 0 of 4
Elapsed Time: 6 minutes

Task Summary
Actions you were required to perform
Create, link, and configure the SecureWS GPO
   o Create the SecureWS GPO
   o Link the GPO to the domain
   o Disable the User Configuration portion of the GPO
Define the Backup Operators restricted group
   o Add the restricted group
   o Configure the group with no members
Define the Power Users restricted group
   o Add the restricted group
   o Configure the group with no members
Define the Administrators restricted group
   o Add the restricted group
   o Add EASTSIM\Domain Admins as a group member
   o Add EASTSIM\Remote Admin as a group member
   o Do not add any other members

Explanation
To configure restricted groups, browse to Computer Configuration\Policies\Windows
Settings\Security Settings\Restricted Groups. When adding users or groups, be aware of the
following:

To add a local user or group, simply type the name of the group you want to add.

To add a domain user or group, include the domain name in the object name (for
example: mydomain\Sales).

Following are steps that an expert might take to perform the tasks in this lab.

Create and Link a GPO


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain or OU.
3. Right-click the domain or OU and select Create a GPO in this domain, and link it
here....
4. Type the GPO name and select a starter GPO if required. Click OK.
5. To link the GPO to additional objects, right-click the object and select Link an Existing
GPO....
6. Select the GPO from the list, then click OK.

Configure Restricted Groups


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain or OU where the GPO is linked.
3. Right-click the GPO and select Edit....
4. In Computer Configuration, open Policies | Windows Settings | Security Settings.
5. Right-click Restricted Groups and select Add Group....
6. Enter the group name in the Group text box. Note: Typing the group name will match a
local group. Depending on the computer you are on, you might not be able to browse and
select the local group that you want.
7. Click OK.
8. To add members to the restricted group, click the Add... button.
9. Type the name of the user or group that will be a member of the restricted group. Note: If
the user or group is a domain account, include the domain in the name (for example:
mydomain\Sales). Alternatively, you can click the Browse... button to add domain users
and groups.
10. Click OK.

Edit the GPO Status


1. In the Group Policy Management console, browse to the Group Policy Objects folder.
2. Right-click the GPO you want to modify and select GPO Status, then select:
o Enabled to enable both computer and user settings
o User Configuration Settings Disabled
o Computer Configuration Settings Disabled
o All Settings Disabled

Scoring
Your Score: 3 of 4
Elapsed Time: 10 minutes 33 seconds

6.2.7
Task Summary
Actions you were required to perform
Edit the Default Domain Policy security options
   o Disable the local guest account
   o Rename the local administrator account to skycaptain
   o Do not display the last logon username
   o Do not allow anonymous SID/name translation
   o Do not allow anonymous SAM account enumeration
   o Do not allow anonymous SAM account and share enumeration
Edit the ShippingGPO security options
   o Do not cache previous logons
   o Require domain controller authentication to unlock the computer
   o Force logoff when logon hours expire
   o Do not allow system shutdown without a logon
Disable the user settings in ShippingGPO

Explanation
Security Options control actions that can be taken on a computer. Edit Security Options by
browsing to:
Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options
To complete this lab, configure the following settings in the corresponding GPO:
Group Policy Object: Default Domain Policy (Policy = Setting)
   o Accounts: Guest account status = Disabled
   o Accounts: Rename administrator account = skycaptain
   o Interactive logon: Do not display last user name = Enabled
   o Network access: Allow anonymous SID/Name translation = Disabled
   o Network access: Do not allow anonymous enumeration of SAM accounts = Enabled
   o Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled

Group Policy Object: ShippingGPO (Policy = Setting)
   o Interactive logon: Number of previous logons to cache
   o Interactive logon: Require Domain Controller authentication to unlock = Enabled
   o Network security: Force logoff when logon hours expire = Enabled
   o Shutdown: Allow system to be shut down without having to log on = Disabled

In addition, disable the User Configuration portion of the ShippingGPO group policy object.
Following are steps that an expert might take to perform the tasks in this lab.

Edit Security Options

1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain or OU where the GPO is linked.
3. Right-click the GPO and select Edit....
4. In Computer Configuration | Policies | Windows Settings | Security Settings | Local
Policies, select Security Options.
5. Right-click the rights assignment you want to edit and select Properties.
6. Select Define this policy setting.
7. Select Enabled or Disabled, or configure additional values for the policy.
8. Click OK.
9. Close the Group Policy

Edit the GPO Status


1. In the Group Policy Management console, browse to the Group Policy Objects folder.
2. Right-click the GPO you want to modify and select GPO Status, then select:
o Enabled to enable both computer and user settings
o User Configuration Settings Disabled
o Computer Configuration Settings Disabled
o All Settings Disabled
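
Several of the Security Options in this lab surface on a domain member as registry values or local account properties, which makes them easy to spot-check after policy refresh. This is an added example, not part of the original lab; it covers only the settings whose value the lab states and that map to the registry or to local accounts, and the two unlock/shutdown checks are only meaningful on computers in scope of ShippingGPO.

```powershell
# Added example (not from the lab): spot-check one domain member for the
# Security Options in this lab that map to registry values or local accounts.
$polSys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$checks = @(
    @{ Policy = 'Do not display last user name';       Key = $polSys;   Name = 'DontDisplayLastUserName'; Want = 1 }
    @{ Policy = 'No anonymous enum of SAM accounts';   Key = $lsa;      Name = 'RestrictAnonymousSAM';    Want = 1 }
    @{ Policy = 'No anonymous enum of SAM and shares'; Key = $lsa;      Name = 'RestrictAnonymous';       Want = 1 }
    @{ Policy = 'Require DC authentication to unlock'; Key = $winlogon; Name = 'ForceUnlockLogon';        Want = 1 }
    @{ Policy = 'Allow shutdown without logon';        Key = $polSys;   Name = 'ShutdownWithoutLogon';    Want = 0 }
)

$results = @(foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }   # $null = value not set
    [pscustomobject]@{
        Policy = $c.Policy; Expected = $c.Want; Actual = $actual
        Ok     = ($actual -eq $c.Want)
    }
})

# Built-in accounts are found by RID, so a rename does not hide them.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$results += [pscustomobject]@{
    Policy = 'Guest account status'; Expected = 'Disabled'
    Actual = $(if ($guest.Enabled) { 'Enabled' } else { 'Disabled' })
    Ok     = (-not $guest.Enabled)
}
$results += [pscustomobject]@{
    Policy = 'Rename administrator account'; Expected = 'skycaptain'
    Actual = $admin.Name
    Ok     = ($admin.Name -eq 'skycaptain')
}

$results | Format-Table -AutoSize
```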

Scoring
Your Score: 0 of 3
Elapsed Time: 5 minutes 8 seconds

6.2.9
Task Summary
Actions you were required to perform
Unlink the SecureWS GPO from the domain
Link the SecureWS GPO to the Accounting OU
Link the SecureWS GPO to the Development OU
Link the SecureWS GPO to the Marketing OU
Link the SecureWS GPO to the Research OU
Link the SecureWS GPO to the Sales OU
Link the SecureWS GPO to the Shipping OU

Explanation
Following are steps that an expert might take to perform the tasks in this lab.

Unlink or Link a GPO


1. Click Start/Administrative Tools/Group Policy Management.
2. To unlink a GPO:
   1. Expand the domain or OU where the GPO is linked.
   2. Right-click the GPO link and select Delete.
   3. Click OK.
3. To link a GPO to a domain or OU:
   1. Right-click the domain or OU and select Link an Existing GPO....
   2. Select the GPO from the list and click OK.
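
The same relinking can be scripted with the GroupPolicy module and then verified from the GPO report. This is an added example, not part of the original lab; it assumes the six OUs sit directly under the domain root and that the GroupPolicy and ActiveDirectory modules are installed.

```powershell
# Added example (not from the lab): move the SecureWS link from the domain
# root to the six departmental OUs, then show where the GPO ends up linked.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'SecureWS'
$domainDn = (Get-ADDomain).DistinguishedName
# Assumption: the OUs are direct children of the domain root.
$ouNames  = 'Accounting', 'Development', 'Marketing', 'Research', 'Sales', 'Shipping'

# True when the GPO is already linked at the given domain or OU.
function Test-GpoLink([string]$Target) {
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    [bool]($links | Where-Object { $_.DisplayName -eq $gpoName })
}

# Unlink from the domain so the GPO no longer applies to every computer.
if (Test-GpoLink $domainDn) {
    Remove-GPLink -Name $gpoName -Target $domainDn | Out-Null
}

# Link to each OU, skipping links that already exist so reruns are safe.
foreach ($ou in $ouNames) {
    $target = "OU=$ou,$domainDn"
    if (-not (Test-GpoLink $target)) {
        New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
    }
}

# Verify: the report lists every container the GPO is linked to.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMPath, Enabled, NoOverride
```

A domain-root entry in the final output means the GPO still applies domain-wide, which is the condition this lab removes.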

Scoring
Your Score: 0 of 7
Elapsed Time: 7 minutes 51 seconds

6.3.7
Task Summary
Actions you were required to perform
Add the Domain Controllers group to the ACL for the GPO
Deny the Read permission
Deny the Apply Group Policy permission

Explanation
To prevent a GPO from applying to specific users or computers, you can edit the permissions for
the GPO. Deny the Read and Apply group policy permissions.
Following are steps that an expert might take to perform the tasks in this lab.

Modify GPO Permissions


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse and select a GPO link or the GPO object in the Group Policy Objects node.
3. On the right pane, click the Delegation tab.
4. Click the Advanced... button.
5. To add a group:
   1. Click Add....
   2. Type the name of the group. Click OK.
6. To modify permissions assigned to a group:
   1. In the top box, select the group.
   2. Assigned permissions show in the bottom box. Check and uncheck permissions
   as desired.
7. Click OK.
8. If you assigned any Deny permissions, click Yes to continue.
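
Deny entries like the ones set in this lab silently exempt a group from a GPO, so they are worth listing when reviewing a policy. This is an added example, not part of the original lab; the GPO name is a placeholder because the lab text does not name the GPO, and the GroupPolicy and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example (not from the lab): list trustees with Deny entries for Read or
# Apply Group Policy on a GPO, i.e. principals excluded by security filtering.
Add-Type -AssemblyName System.DirectoryServices
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'ExampleGPO'   # placeholder; the lab text does not name the GPO
$adr     = [System.DirectoryServices.ActiveDirectoryRights]
$applyGp = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply Group Policy right

$gpo = Get-GPO -Name $gpoName
$acl = Get-Acl -Path "AD:\$($gpo.Path)"   # ACL on the GPO's container in AD

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    ForEach-Object {
        $rights = $_.ActiveDirectoryRights

        # A Deny on the specific extended right, or on all extended rights
        # (empty object GUID), blocks Apply Group Policy.
        $denyApply = (($rights -band $adr::ExtendedRight) -ne 0) -and
                     ($_.ObjectType -in $applyGp, [guid]::Empty)

        # Deny Read covers every bit of GenericRead.
        $denyRead = ($rights -band $adr::GenericRead) -eq $adr::GenericRead

        if ($denyApply -or $denyRead) {
            [pscustomobject]@{
                Trustee     = $_.IdentityReference
                DeniesRead  = $denyRead
                DeniesApply = $denyApply
                Inherited   = $_.IsInherited
            }
        }
    } | Format-Table -AutoSize
```

After the lab steps, the Domain Controllers group should appear with both DeniesRead and DeniesApply set; any other trustee in the output is an exemption to account for.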

Scoring
Your Score: 0 of 3
Elapsed Time: 24 minutes 34 seconds

6.6.3
Task Summary
Actions you were required to perform
Set the minimum password length to 10
Enforce password complexity
Set the maximum password age to 90
Set the minimum password age to 14
Enforce password history to remember 10 passwords
Set the account lockout threshold to 5
Set the reset account lockout counter after policy to 10
Set the account lockout duration to 60

Explanation
Account policies are set in a GPO linked to the domain. In this scenario, edit the Default Domain
Policy and configure the following settings:
Password Policy (Security setting = Value)
   o Minimum password length = 10 characters
   o Password must meet complexity requirements = Enabled
   o Maximum password age = 90 days
   o Minimum password age = 14 days
   o Enforce password history = 10 passwords remembered

Account Lockout Policy (Security setting = Value)
   o Account lockout threshold = 5 incorrect passwords
   o Reset account lockout counter after = 10 minutes
   o Account lockout duration = 60 minutes

Following are steps that an expert might take to perform the tasks in this lab.

Edit Account Policies


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain. Right-click the Default Domain Policy and select Edit....
3. In the Group Policy Management Editor, browse to Computer
Configuration\Policies\Windows Settings\Security Settings\Account Policies.
4. Click either the Password Policy or Account Lockout Policy node.
5. On the right, right-click the policy you want to edit and select Properties.
6. If the policy is currently undefined, select Define this policy setting.
7. Edit the value for the policy, then click OK.
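
The values set in this lab can be read back from the domain and compared with the table above. This is an added example, not part of the original lab; it assumes the ActiveDirectory module is installed, and it also lists fine-grained password policies, which override the domain policy for the users and groups they target.

```powershell
# Added example (not from the lab): compare the domain's effective account
# policy with the values configured in this lab and report any drift.
Import-Module ActiveDirectory

$expected = [ordered]@{
    MinPasswordLength        = 10
    ComplexityEnabled        = $true
    MaxPasswordAge           = [TimeSpan]::FromDays(90)
    MinPasswordAge           = [TimeSpan]::FromDays(14)
    PasswordHistoryCount     = 10
    LockoutThreshold         = 5
    LockoutObservationWindow = [TimeSpan]::FromMinutes(10)   # reset counter after
    LockoutDuration          = [TimeSpan]::FromMinutes(60)
}

$actual = Get-ADDefaultDomainPasswordPolicy

$drift = foreach ($name in $expected.Keys) {
    if ($actual.$name -ne $expected[$name]) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual.$name
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    'Domain account policy matches the lab values.'
}

# Fine-grained password policies take precedence over the domain policy for
# the accounts they apply to, so list them alongside the result.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```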

Scoring
Your Score: 7 of 8
Elapsed Time: 6 minutes 36 seconds

6.6.4
Task Summary
Actions you were required to perform
Set the account lockout threshold to 3
Set the reset account lockout counter after value to 30
Set the account duration to 0

Explanation
To meet the requirements of this lab, edit the Default Domain Policy and modify the following
policy settings:

   o Account lockout threshold = 3
   o Reset account lockout counter after = 30
   o Account lockout duration = 0 (this locks the account until it is unlocked by an
   administrator)

Following are steps that an expert might take to perform the tasks in this lab.

Edit Account Policies


1. Click Start/Administrative Tools/Group Policy Management.
2. Browse to the domain. Right-click the Default Domain Policy and select Edit....
3. In the Group Policy Management Editor, browse to Computer
Configuration\Policies\Windows Settings\Security Settings\Account Policies.
4. Click either the Password Policy or Account Lockout Policy node.
5. On the right, right-click the policy you want to edit and select Properties.
6. If the policy is currently undefined, select Define this policy setting.
7. Edit the value for the policy, then click OK.

Scoring
Your Score: 2 of 3
Elapsed Time: 1 minute 50 seconds
