Dr. Cozart,

These look good to me for the most part. The only ones that may not be applicable are the one about joining the domain, and the DNS servers. All of the Windows servers in the lab have already been joined to the domain and have the correct DNS servers. We could spawn up some auxiliary servers on the network and have the students perform those tasks.

One thing I might suggest is some best practices for creating a share and adding a user to the share. In a small business, adding a user directly to the directory is probably OK. But I would refrain from making changes directly to these objects every time a user is created. I would instead direct them to create an Accounting security group in Active Directory. Add John Smith as a member of that group. Tie that group to the Share and Directory permissions. This way when another user is added, that user can be added to the group rather than modifying the file system. You would also tie any other shares and objects to that group so that when a user is added to it, they automatically get the permissions that the group is added to. This would be a best practice scenario. I hope that makes sense.

I’m not sure how much experience the students have in Group Policy, or how it pertains to the competition, but I think maybe adding a Logon legal disclaimer may be something interesting. (

Configure the firewall on each server to allow only the critical services of that system (Including Remote Desktop on Windows (tcp/3389) and SSH for Linux (tcp/22)). System Hardening.

Delegate certain AD rights to a user.
  o Create a Marketing OU in Active Directory and a Marketing Manager user account in that OU.
  o Create a Marketing Manager security group, add the Marketing Manager to the group.
  o Delegate Active Directory account unlock and password reset rights to the Marketing Manager group for the Marketing OU.
  o See

Create a temporary technician user account that expires at the end of 5 business days. Set the password and set the option to not allow user to change password. Assign the user the Domain Admins group membership.
  o PowerShell is also an option for this.

Create a Fine-Grained password policy named High Security Users. (
  o Create AD Group called High Security Users
  o Policy Settings:
      Password Settings Precedence: 10
      Reversible encryption: FALSE
      History length: 24
      Password Complexity: TRUE
      Minimum Password Length: 12
      Minimum age: 01:00:00:00
      Maximum age: 30:00:00:00
      Lockout Threshold: 5
      Observation window: 0:00:30:00
      Lockout Duration: 0:00:30:00
  o Assign msDS-PSOAppliesTo to the High Security Users group
  o Create user accounts and assign them to the High Security Users group

For the Firewall
  o Remove the ability of the DMZ to communicate with the LAN network for DNS. Reassign DNS to the DNS server on the local DMZ subnet.
  o Set up egress filtering on the Firewall to only allow basic internet protocols outbound for DMZ and LAN using ANY rules. (TCP/80, TCP/443, UDP/53, UDP/123, TCP/25, TCP/22) [Note: this will break FTP and Passive FTP outbound to the internet.]
  o Set explicit rules to allow the LAN to access only certain services in the DMZ instead of an Any rule. Allow only TCP/22 to the Linux servers, and allow only TCP/80 to the Ecommerce server from the LAN subnet.

Linux Servers
  o Create a basic user account and set the password.
  o Give the user account SUDO or SU rights

Please let me know if these are acceptable, or if you’d like me to come up with more.

Thanks

Bryan Jaudon
Network Administrator II
478.923.3773 | 800.241.2405 x. 2682
Direct: 478.322.7203
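An added example, not part of the email above, showing how the High Security Users fine-grained password policy and the 5-business-day technician account described in the task list could be built with the ActiveDirectory PowerShell module (the OU path and account names are assumed placeholders):

```powershell
# Added example (not from the email): creates the "High Security Users"
# fine-grained password policy with the listed settings, links it to the
# group via msDS-PSOAppliesTo, and adds a technician account that expires
# at the end of 5 business days. Assumes RSAT's ActiveDirectory module
# and Domain Admin rights; $usersOu and the account names are placeholders.
Import-Module ActiveDirectory

$usersOu = 'OU=Lab Users,DC=example,DC=lab'   # placeholder OU path

# 1. Global security group that the PSO will apply to.
New-ADGroup -Name 'High Security Users' -SamAccountName 'High Security Users' `
    -GroupScope Global -GroupCategory Security -Path $usersOu

# 2. Password Settings Object with the values from the task list.
New-ADFineGrainedPasswordPolicy -Name 'High Security Users' `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# 3. msDS-PSOAppliesTo: link the PSO to the group, never to single users.
Add-ADFineGrainedPasswordPolicySubject -Identity 'High Security Users' `
    -Subjects 'High Security Users'

# 4. Expiry at the end of the Nth business day (weekends skipped).
function Get-BusinessDayExpiry([int]$Days) {
    $d = (Get-Date).Date
    while ($Days -gt 0) {
        $d = $d.AddDays(1)
        if ($d.DayOfWeek -notin 'Saturday', 'Sunday') { $Days-- }
    }
    return $d.AddDays(1)   # midnight after the last business day
}

$pw = Read-Host -AsSecureString 'Temporary technician password'
New-ADUser -Name 'Temp Technician' -SamAccountName 'temptech' -Path $usersOu `
    -AccountPassword $pw -Enabled $true -CannotChangePassword $true `
    -AccountExpirationDate (Get-BusinessDayExpiry 5)
Add-ADGroupMember -Identity 'Domain Admins' -Members 'temptech'
Add-ADGroupMember -Identity 'High Security Users' -Members 'temptech'

# Check that the PSO (not the default domain policy) applies to the account.
Get-ADUserResultantPasswordPolicy -Identity 'temptech'
```

The last line returns the effective policy for the account; if it is empty or shows the default domain policy, the group link or replication has not taken effect yet.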