World Wide Trading Company
Active Directory Design and Implementation
Daniel Whalen, Anastasia Wiles, Lance Wood, Damond Dean, Tamesha White
University of Maryland University College
9/27/2015
Abstract
World Wide Trading Company (WWTC) employs 9000 individuals, with corporate headquarters in Hong Kong, China. The organization is opening a new location in New York, New York, which will accommodate approximately 200 employees. The aim of this proposal is to design a state-of-the-art modular network capable of supporting the workforce, with options for scalability. The organization expects to increase revenue to four times its current level in the next three to four years while reducing operating costs by fifteen percent.
Business Needs
Since WWTC has very few IT staff and is preparing to open a New York office to help increase revenue over the next 4 years, it is proposed that WWTC take advantage of several Active Directory features to meet its business needs.
If WWTC takes advantage of Windows Deployment Services, it can reduce operating costs, because this feature lets WWTC's IT staff remotely install new images on many computers managed on the WWTC network at one time. WWTC will also use IPAM to manage IP addresses on the network, since a single forest with multiple domains will be deployed. Implementing IPAM will allow IT staff to manage the IP addresses on the network from the New York location or any other single location, freeing up their time for other work.
To ensure WWTC is able to increase revenue, WWTC will use failover clustering to increase fault tolerance and keep its systems up and running for customers around the globe. WWTC will also take advantage of BranchCache to improve bandwidth usage for users, with better performance, manageability, scalability, and availability.
WWTC needs improved security since its staff will be dealing with sensitive data. To improve security, WWTC should require staff members to log into the system using a smart card, which provides multifactor authentication. WWTC will also implement File and Print Sharing permissions so that only authorized users have access to certain files; these permissions will be assigned based on the needs of each department. WWTC will also use BitLocker to encrypt all of the data stored on a volume. However, since WWTC has a limited number of IT staff, BitLocker will unlock the volume automatically at startup, reducing the number of calls coming in to the service desk.
Active Directory Organizational Units
[Figure: forest WWTC.com, with the HongKong WWTC (HQ) location and the New York location containing Office A, Office B, Office C and Office D]
Each location will have its own domain (domains correspond to geographical locations). A single domain for the entire network of the New York office was considered; however, to meet additional scalability, security, and replication requirements, more than one domain has been implemented for the organization. New York location domains: VPOPER, VPNWUSA, VPNEUSA, VPSWUSA, VPSEUSA, VPMUSA.
The purpose of a domain is to define the scope of a security policy. Each of the six domains has its own security policies and a trust relationship with all other domains. Each domain stores the information about the objects contained within it. By structuring the Active Directory of the World Wide Trading Company this way, a larger number of objects can be accommodated as the administrative and directory publishing requirements grow when the New York office expands in the near future. Moreover, different password requirements between departments may be implemented to increase the security of the data.
A corresponding site link within Active Directory connects the WWTC New York office over its wide area network with the other offices and HQ.
A number of Organizational Units will be created for each department, consisting of servers, printers, computers (including desktops and laptops), users (with second-level OUs), and administrators.
· An Organizational Unit is created so that a unique Group Policy Object can be applied to it
· A specific group of administrators will have permissions to the objects in the OU
· These OUs will make it easier for the company's IT staff to administer the objects within them
To add users to Active Directory, a PowerShell script that creates users from the settings in an input file (Excel) will be applied (PowerShell: Create Active Directory Users Based On Excel Input, n.d.):
# LINE1 (headings in the Excel)
# Implement,FirstName,LastName,MiddleNmae,OfficeName,
# Description,Mail,StreetAddress,City,ZipCode,
# State,Country,Organization,Department,EmployeeID,
# ExtensionAttribute1,Title,Phone,Manager,ProfilePath,
# ScriptPath,HomeDirectory,HomeDrive,Password,
# PasswordNeverExpires,Enabled,TargetOU,ProxyAddresses
# LINE2 (first entry, all other entries look the same)
# Yes,Allyssa,Smith,H.,Bella,NewYorkWWTC,
# [email protected],Wallstreet 5000,NewYork,12345,
# TheStateOfNewYork,UnitedStates,Finance*,ABS15,
# CEO,+0000000000,Smith,\\profile\path,\\script\path,\\home\\dir,S:,IDDQD_12345#,
# False,True,"OU=Users,OU=Finance","SMTP:CHECK;SMTP:CHECK2"
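An added example (not the TechNet script the paper cites) of what such a script does with the sheet above: it reads the exported CSV, skips rows not marked Implement=Yes, resolves TargetOU against the domain, refuses duplicates, and forces a password change at first logon unless the row says the password never expires. It assumes the ActiveDirectory module, the domain and CSV path shown, and the column names listed above.

```powershell
Import-Module ActiveDirectory

$Domain   = 'vpnwusa.wwtc.com'                      # assumed target domain (one of the six)
$DomainDN = 'DC=vpnwusa,DC=wwtc,DC=com'
$CsvPath  = 'C:\WWTC\NewUsers.csv'                  # assumed CSV export of the Excel sheet
$Report   = @()

foreach ($row in Import-Csv -Path $CsvPath) {
    # Only rows explicitly flagged for implementation are processed
    if ($row.Implement -ne 'Yes') { continue }
    if (-not $row.FirstName -or -not $row.LastName) {
        $Report += [pscustomobject]@{ User='?'; Status='skipped: missing first or last name' }
        continue
    }

    # sAMAccountName: first initial + last name, lower case, capped at the 20-character limit
    $sam = ($row.FirstName.Substring(0, 1) + $row.LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # TargetOU in the sheet is relative (e.g. "OU=Users,OU=Finance"); make it absolute
    $ouPath = '{0},{1}' -f $row.TargetOU, $DomainDN
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouPath'" -Server $Domain)) {
        $Report += [pscustomobject]@{ User=$sam; Status="skipped: OU $ouPath not found" }
        continue
    }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -Server $Domain) {
        $Report += [pscustomobject]@{ User=$sam; Status='skipped: account already exists' }
        continue
    }

    # proxyAddresses is multi-valued; the sheet separates entries with ';'
    $proxies = @($row.ProxyAddresses -split ';' | Where-Object { $_ })
    $neverExpires = ($row.PasswordNeverExpires -eq 'True')

    $params = @{
        Name                  = "$($row.FirstName) $($row.LastName)"
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$Domain"
        EmailAddress          = $row.Mail
        Department            = $row.Department
        Title                 = $row.Title
        EmployeeID            = $row.EmployeeID
        Office                = $row.OfficeName
        Path                  = $ouPath
        # The sheet carries an initial password; unless the row marks the account as
        # never expiring, the user must replace that password at first logon
        AccountPassword       = (ConvertTo-SecureString $row.Password -AsPlainText -Force)
        PasswordNeverExpires  = $neverExpires
        ChangePasswordAtLogon = (-not $neverExpires)
        Enabled               = ($row.Enabled -eq 'True')
        Server                = $Domain
    }
    if ($proxies.Count -gt 0) { $params['OtherAttributes'] = @{ proxyAddresses = $proxies } }

    try {
        New-ADUser @params -ErrorAction Stop
        $Report += [pscustomobject]@{ User=$sam; Status="created in $ouPath" }
    } catch {
        $Report += [pscustomobject]@{ User=$sam; Status="failed: $($_.Exception.Message)" }
    }
}

# One line per row: created, skipped (and why), or failed (with the AD error)
$Report | Format-Table -AutoSize
```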
[Figure: OU structure for the New York location. Each of the six domains (VPMUSA.WWTC.COM, VPSWUSA.WWTC.COM, VPSEUSA.WWTC.COM, VPNEUSA.WWTC.COM, VPOPER.WWTC.COM, VPNWUSA.WWTC.COM) contains the OUs Servers, Printers, Computers, Users (with second-level OUs Finance, Human Resources, Operations, Brokers) and Administrators (IT)]
Active Directory Groups
Groups are the way in which WWTC Active Directory engineers and administrators manage users and computers within a Microsoft Server environment. There are two types of groups: security groups and distribution groups. Together they provide the ability to secure assets and resources and to send emails to teams instead of individuals.
Distribution groups allow emails to be sent to a set of individuals based on their function within the company or the project they are working on. These groups can be a small team of engineers, a large section like human resources, or the entire company if need be. They can also be used for simple administrative grouping; however, they cannot be used for access control.
Security groups, on the other hand, come in three scopes: domain local, global and universal. Domain local security groups are designed for access control and email distribution lists; they can include peripherals, files and other such resources. Global groups come in handy when delegating OU administrative functionality.
The best practice for security groups is to add a user to the lowest-level group possible. When building the Active Directory environment further up the tree, add security groups as members instead of users. This means less administrative work when adding or removing a user. For example, suppose a new broker joins New York's new Southwest region. That user is added to the brokers global security group, which is a member of the Southwest USA security group, which is in turn a member of the New York Domain security group. The user is added to one group instead of three. Typically, templates built for each role within the network would also automatically add new users to the correct security groups.
There are two ways of creating groups. The first is through the Windows interface, under Active Directory Users and Computers on the server, following the wizard for a new group. The other is from the command line, by typing "dsadd group GroupDN -samid SAMName -secgrp yes | no -scope l | g | u" (Active Directory Security Groups, n.d.).
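The nesting described above for a new Southwest USA broker, as an added example (not code from the paper or its sources) using the ActiveDirectory module. It follows the role, region, resource layering the paragraph describes, with scopes chosen so that only the resource group ever appears in a file share ACL. The domain, the group names, the broker account jsmith and the share path are assumed.

```powershell
Import-Module ActiveDirectory

$Server  = 'vpswusa.wwtc.com'                                   # assumed: Southwest USA domain
$GroupOU = 'OU=Brokers,OU=Users,DC=vpswusa,DC=wwtc,DC=com'       # assumed OU for the groups

# Role group (global): its members are people; this is the only group users are added to
New-ADGroup -Name 'G-Brokers-SWUSA' -GroupScope Global -GroupCategory Security `
            -Path $GroupOU -Server $Server -Description 'All brokers, Southwest USA'

# Region group (universal): usable across the forest's domains; holds role groups, not users
New-ADGroup -Name 'U-SWUSA-Staff' -GroupScope Universal -GroupCategory Security `
            -Path $GroupOU -Server $Server -Description 'All Southwest USA staff'

# Resource group (domain local): the only principal that gets ACLed on the file share
New-ADGroup -Name 'DL-Broker-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
            -Path $GroupOU -Server $Server -Description 'Modify on the broker share'

# Nest role -> region -> resource
Add-ADGroupMember -Identity 'U-SWUSA-Staff' -Members 'G-Brokers-SWUSA' -Server $Server
Add-ADGroupMember -Identity 'DL-Broker-Share-Modify' -Members 'U-SWUSA-Staff' -Server $Server

# The new broker is added to exactly one group and inherits the rest through nesting
Add-ADGroupMember -Identity 'G-Brokers-SWUSA' -Members 'jsmith' -Server $Server

# Verify what the nesting gives the user: transitive membership via the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941)
$userDN = (Get-ADUser 'jsmith' -Server $Server).DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDN)" -Server $Server |
    Select-Object Name, GroupScope

# Grant the permission once, on the share, to the domain local group only (assumed path)
$share = '\\fs01.vpswusa.wwtc.com\Brokers'
$acl   = Get-Acl $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
             'VPSWUSA\DL-Broker-Share-Modify', 'Modify', 'ContainerInherit,ObjectInherit',
             'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl $share $acl
```

Removing the broker later means removing jsmith from G-Brokers-SWUSA; the share ACL never changes.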
Active Directory Policy
BitLocker encryption technology
Purpose
WWTC will implement BitLocker Drive Encryption for improved protection of the data stored on users' computers, encrypting the data stored on the Windows operating system volume. All computers have a built-in microchip called a Trusted Platform Module (TPM) that holds cryptographic information, for instance encryption keys. WWTC will use the TPM to protect the Windows operating system and user data, and to help ensure that users' computers have not been tampered with in the event that employee devices are lost or stolen.
Scope
BitLocker can use an enterprise's existing Active Directory Domain Services (AD DS) infrastructure to remotely store recovery keys. BitLocker provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. BitLocker also has a recovery console integrated into the early boot process to enable the user or helpdesk personnel to regain access to a locked computer. Incorporating BitLocker on devices will require each user to have a separate USB drive in order to store a PIN or key. TPM version 1.3 will also be included to provide advanced security encryption functions.
After the drive has been encrypted and protected with BitLocker, local and domain administrators can use the Manage BitLocker page in the BitLocker Drive Encryption item in Control Panel to change the password to unlock the drive, remove the password from the drive, add a smart card to unlock the drive, save or print the recovery key again, automatically unlock the drive, duplicate keys, and reset the PIN.
Implementation
BitLocker is installed automatically as part of the operating system installation. However, BitLocker is not enabled until it is turned on by using the BitLocker setup wizard, which can be accessed from either the Control Panel or by right-clicking the drive in Windows Explorer.
At any time after installation and initial operating system setup, the system administrator can use the BitLocker setup wizard to initialize BitLocker. There are two steps in the initialization process:
· On computers that have a TPM, initialize the TPM by using the TPM Initialization Wizard, the BitLocker Drive Encryption item in Control Panel, or by running a script designed to initialize it.
· Set up BitLocker. Access the BitLocker setup wizard from the Control Panel, which guides you through setup and presents advanced authentication options.
When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the BitLocker-protected drive.
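The two initialization steps and the recovery-key requirement above, as an added PowerShell example (not the paper's or Fritz's code): it checks the TPM, turns on BitLocker with TPM+PIN, adds a recovery password, escrows it in AD DS and stops if the escrow cannot be verified. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later with the BitLocker and ActiveDirectory modules, a domain-joined machine, and that the AD DS backup policy is already in place.

```powershell
Import-Module BitLocker
Import-Module ActiveDirectory

$Volume = 'C:'

# 1. The TPM must be present and initialized before a TPM-based protector can be created
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not initialized; run Initialize-Tpm or the TPM wizard first.'
}

# 2. Turn on BitLocker with TPM + PIN; the PIN is entered once here and at every boot
$pin = Read-Host -Prompt 'Enter a startup PIN (6 or more digits)' -AsSecureString
Enable-BitLocker -MountPoint $Volume -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $pin `
                 -UsedSpaceOnly -SkipHardwareTest

# 3. Add a 48-digit recovery password protector; this is what the help desk reads out
$rp = (Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

# 4. Escrow the recovery password in AD DS under this computer's account
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp.KeyProtectorId

# 5. Verify the escrow: recovery information is stored as msFVE-RecoveryInformation
#    child objects of the computer object, so read them back and compare
$computerDN = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
$escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                         -SearchBase $computerDN -Properties 'msFVE-RecoveryPassword'
if ($escrowed.'msFVE-RecoveryPassword' -notcontains $rp.RecoveryPassword) {
    throw 'Recovery password not found in AD DS; do not hand this machine to the user yet.'
}

# Final state: protectors present, protection on, encryption progress
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```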
Enforcement
WWTC employees are allowed to take authorized data off site, which could compromise confidentiality, integrity or availability (CIA). In order to mitigate this risk, WWTC will enforce the following:
· Removable USB drives will only allow 6GB of storage, because whatever extra space is available on the device will be consumed by a placeholder file that takes up the unused space.
Enable BranchCache and Encryption
Purpose
BranchCache will allow increased manageability, scalability, and data availability within the WWTC network. BranchCache will copy content from the Hong Kong file servers and cache it on WWTC New York's file server. This will allow client computers at the regional office to access content locally, eliminating the need to use the WAN for it. WWTC will benefit from deploying BranchCache through efficient optimization of bandwidth (Fritz, 2011).
Scope
All branches will benefit from BranchCache because it allows every location to access information that is stored locally on the New York site. When an employee wants to access information, the data no longer has to be downloaded over the WAN because it can be found in the BranchCache in NY. WWTC BranchCache will use the default setting that allocates 5% of the disk space for the cache; the value can easily be changed by creating and assigning GPOs. WWTC must ensure there is enough bandwidth, because the network can become overloaded if a wireless network (WLAN) is implemented alongside the wired one. Enabling BranchCache on WWTC user computers is done through Group Policy. On the central office system, BranchCache is activated through the local GPO. The computer configuration path is Policies, Administrative Templates, Network, Lanman Server, Hash Publication for BranchCache. With this policy, you can choose to allow BranchCache to publish content metadata for all file shares on the server, or only for those that have been specifically tagged. You will need to set up the cache host server with a certificate, because the clients use TLS when talking to the caching server. Import the certificate with the Certificates MMC snap-in, and associate it with BranchCache using the netsh command. Finally, you have to ensure that TCP ports 80 and 443 are open on the caching server. On the client side, BranchCache is turned off by default. You can turn it on through Group Policy, which is the preferred method (Computer Configuration, Policies, Administrative Templates, Network, BranchCache) - or you can use the netsh command, for example if you're only
Implementation
To implement BranchCache for WWTC, it would be best to use a file server located at the central site. WWTC will be running Windows Server 2008 R2, and admins will install the BranchCache for Network Files role service of the File Services role on the server using the Add Roles Wizard. The next step is to configure sharing for all OUs on the file server, either enabling BranchCache on the share service as a whole or marking specific shares to use BranchCache.
To implement BranchCache for a Web or application server located at the central site, the Web or application server must be running Windows Server 2008 R2, and the BranchCache feature must be installed on the server using the Add Features Wizard. After doing this, the BranchCache service must be started on the Web or application server by typing netsh BranchCache set service mode=local at an administrative-level command prompt.
To configure a computer running Windows Server 2008 R2 located at the New York office as a Hosted Cache server, admins will install the BranchCache feature on the server, which enables the feature and configures it to use Hosted Cache server mode, and install a certificate on the server that is trusted by WWTC computers.
In order for users running Windows at a branch office in New York to use BranchCache, admins will enable BranchCache on the computers and configure them to use either Distributed Cache mode or Hosted Cache mode as needed. Windows Firewall will allow users to access the cache on computers in other branches, and the necessary exceptions will be opened in Windows Firewall to allow the computers to access the cache on other computers at the site. BranchCache can be enabled and configured on computers by using Group Policy.
File Clustering
Purpose
In Windows Server 2012 R2, WWTC will deploy a failover cluster without dependencies in Active Directory Domain Services (AD DS) for network names, also known as an Active Directory-detached cluster. This deployment method enables WWTC to create a failover cluster without the previously required permissions for creating computer objects in AD DS, or the need to request that computer objects be prestaged in AD DS. After the Active Directory-detached cluster is deployed, the cluster network name and the network names for any clustered roles with client access points are registered in Domain Name System (DNS). However, no computer objects are created for the cluster in AD DS. This includes the computer object for the cluster (also known as the cluster name object or CNO) and the computer objects for any clustered roles that would typically have client access points in AD DS (also known as virtual computer objects or VCOs).
Implementation
A failover cluster will use independent Microsoft Windows server systems. The cluster consists of a collection of nodes, which have the following characteristics:
· Every node has access to all cluster configuration data.
· Every node communicates with the other nodes in the cluster through one or more physically independent networks (sometimes referred to as interconnects). Network adapters, referred to in failover clusters as network interfaces, attach nodes to networks.
· Every node in the cluster is aware when another system joins or leaves the cluster.
· Every node in the cluster is aware of the resources that are running locally as well as the resources that are running on the other cluster nodes.
· All nodes in the cluster are grouped under a common name, the cluster name, which is used for accessing and managing the cluster.
Roles, Services and Authentication
Purpose
The User role within WWTC provides access to the authenticated services. Once a user is at a computer in their department, it allows the user to log into the system. Users will have the ability to access the Self-Tests and Show Status services (Windows 7, 2011).
Scope
For removable data volumes, a user will be able to perform any of the following services:
· Select / Create key protection methods (key protectors)
· PIN, smartcard
· Select / Create recovery key
· Manage keys
· Reset password
· Copy recovery key
· Create / delete an auto-unlock key
· Turn off BitLocker (volume decryption)
This will reduce help desk call volume by giving users access to change their own password.
Implementation
The admin will be responsible for servicing BitLocker:
· Configure BitLocker into FIPS mode
Select / Create key protection methods (key protectors)
For OS volumes: TPM, TPM+PIN, TPM+USB+PIN, TPM+USB, USB
For data volumes (fixed or removable): PIN, Smartcard
· Select / Create recovery key
· Manage keys
Copy keys (startup key, recovery key)
· Reset PIN
· Disable/ Re-enable protection (go into and out of suspend mode)
· Turn-off BitLocker (volume decryption)
· Data volume management
Reset password
Copy / delete recovery key
Create / delete an auto-unlock key
Smart Cards and Pins
Purpose
Every employee will be issued a smart card that will store user certificates and private keys. Smart cards will provide WWTC with cryptographic operations such as digital signing. A PIN will be combined with the smart card to add a second factor to the authentication process. PINs also offer significantly more protection than a standard network password. Using passwords would open WWTC up to brute force attacks and dictionary attacks. PINs do not travel across the network, which prevents them from being sniffed.
Scope
When you design your public key infrastructure and plan the deployment of smart cards, you have the option of doing any of the following to create a secure system.
Force Users to Use the Smart Card Logon Process
Allowing the CTRL+ALT+DEL secure logon sequence for smart card users defeats the purpose of using smart cards. During the transition to smart cards, you must enable both logon methods until users are trained and the smart card logon process has been tested for your domains. Thereafter, however, you can configure individual user accounts (but not security groups) so that the CTRL+ALT+DEL secure logon process is disabled and users are forced to use their smart cards to log on to their computers. To configure individual user accounts, use the Active Directory Users and Computers console.
Force Systems to Lock Upon Removal of the Smart Card
When a user walks away from a computer with an active logon session and the user fails to secure the computer by logging off or locking the computer, an intruder might use the computer for malicious purposes. If you are requiring the use of smart cards for logging on to computers, you can force the systems to lock when users remove their smart cards from the readers. Use this option as necessary to meet your security needs, especially when computers are used in an environment with easy access by the public. You can configure Security options under Security Settings in Group Policy to force groups of computers to lock upon the removal of smart cards.
Combine Smart Cards and Employee Badges
Many organizations issue card keys and identification badges to their employees. You can add employee card keys and photographs to smart cards to provide a single solution for both building and network access. Such combination cards can be used to grant physical access to buildings and secure rooms, as well as to grant network logon access. Combination cards also can be used for electronic payment debit systems — for example, to pay for employee purchases at the organization's cafeteria or store. For more information about combining card keys and picture badges with smart cards, contact smart card vendors.
Implementation
You can use Certificate Services Web pages and the Smart Card Enrollment Station (available from the Advanced Certificates Request Web page) to issue smart card certificates on behalf of users. Security administrators can centrally issue and manage the smart card program to provide a high level of network user assurance. If you allow users to request their own smart card certificates, it weakens the overall security provided by smart cards.
You can choose to allow smart card certificates to be renewed automatically for Windows 2000–based clients. However, to ensure the highest levels of network security, some organizations might want to re-issue smart cards and PINs on a periodic basis. PINs can be changed only when smart card certificates are issued or renewed by the smart card CSP.
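An added example (not from the paper or the TechNet article it cites) of forcing smart card logon per account and locking on card removal, for the Finance users of one New York domain. It only enforces the requirement on accounts that already have a valid smart card logon certificate published, since an account without one would be locked out the moment the password logon is disabled. The domain, OU, GPO name and computers OU are assumed.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Server  = 'vpnwusa.wwtc.com'                                     # assumed domain
$UsersOU = 'OU=Finance,OU=Users,DC=vpnwusa,DC=wwtc,DC=com'         # assumed OU

# Smart Card Logon EKU; a certificate without it cannot be used for interactive logon
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

$users = Get-ADUser -Filter * -SearchBase $UsersOU -Server $Server `
                    -Properties userCertificate, SmartcardLogonRequired
foreach ($u in $users) {
    # Parse the certificates published on the account and look for a valid one
    # that carries the smart card logon EKU
    $hasCard = $false
    foreach ($raw in @($u.userCertificate)) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
        if ($ekus -contains $SmartCardLogonEku -and $cert.NotAfter -gt (Get-Date)) { $hasCard = $true }
    }
    if ($hasCard -and -not $u.SmartcardLogonRequired) {
        # From now on the CTRL+ALT+DEL password logon is refused for this account
        Set-ADUser -Identity $u -SmartcardLogonRequired $true -Server $Server
        Write-Output "Enforced smart card logon: $($u.SamAccountName)"
    } elseif (-not $hasCard) {
        Write-Warning "No valid smart card logon certificate for $($u.SamAccountName); left unchanged"
    }
}

# Lock the workstation when the card is removed. This is the registry value written by
# the "Interactive logon: Smart card removal behavior" security option (1 = Lock
# Workstation); the Smart Card Removal Policy service must be running on the clients.
$gpo = New-GPO -Name 'WWTC-SmartCard-RemovalLock' -Domain $Server -Comment 'Lock on card removal'
Set-GPRegistryValue -Guid $gpo.Id -Domain $Server `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'ScRemoveOption' -Type String -Value '1' | Out-Null
New-GPLink -Guid $gpo.Id -Domain $Server -Target 'OU=Computers,DC=vpnwusa,DC=wwtc,DC=com' `
           -LinkEnabled Yes | Out-Null
```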
IP Address Management (IPAM)
Purpose
IP Address Management (IPAM) will give WWTC centralized management of the IP address space, covering both IPv4 and IPv6 address management. IPAM will help WWTC network engineers identify whether an IP address is currently available on the network. The IPAM tool will periodically scan a subnet and provide the availability status of the IP addresses in that subnet. Admins will be able to tell whether a particular IP address is reserved or available. The IPAM tool can accept multiple subnet inputs, which helps in scanning the entire network for the status of its IP addresses (Microsoft, 2014).
Scope
IPAM will benefit WWTC through address space management (ASM); this tool gives admins visibility into all aspects of the IP address infrastructure from a single console. With IPAM, WWTC can create an advanced, customizable, multi-level hierarchy of address space on the network and use it to manage IPv6 addresses and IPv4 public and private addresses. The ASM tool also provides robust reporting capability that allows detailed tracking of IP address utilization trends with customized thresholds and alerts (Microsoft, 2014).
Key features of ASM include the following:
· Integrated management of dynamic and static IP address space
· Detection and management of conflicts, overlaps, and duplicates in address space across systems
· Highly customizable inventory view of IP address space
· Centralized monitoring and reporting of address utilization statistics and trends
· Support for IPv4 and stateless IPv6 address utilization monitoring
· Automated discovery of IP address ranges from DHCP scopes
· Export and import of IP addresses and IP address ranges with Windows PowerShell support
· IP address usage alerts and notifications with custom thresholds
· Detection and assignment of available IP addresses
Implementation
There are three general methods to deploy IPAM on to WWTC servers:
1. Distributed: An IPAM server deployed at every site in an enterprise.
2. Centralized: One IPAM server in an enterprise.
3. Hybrid: A central IPAM server deployed with dedicated IPAM servers at each site.
The distributed IPAM deployment method will be used, with one IPAM server located at the New York office and one at each branch office. There is no communication or database sharing between the different IPAM servers at WWTC. When multiple IPAM servers are deployed, admins will be able to customize the scope of discovery for each IPAM server, or filter the list of managed servers.
IPAM will automatically attempt to locate domain controllers, DNS servers, and DHCP servers on the network that are within the scope of discovery that you specify. WWTC will decide which discovery method to choose. In this way, you can select different groups of servers that are managed or not managed by IPAM.
In order for IPAM to manage WWTC servers, the security settings and firewall ports on each server must be configured to allow the IPAM server access so that it can perform the required monitoring and configuration functions. Admins will configure these settings manually by using Group Policy Objects (GPOs).
Active Directory Group Policy
Group Policy gives administrators the ability to manage the configuration of client machines from a central location. Each machine has local policies that may be configured on an individual basis; however, administering local policy for each machine is a large undertaking. Group Policy allows for implementation at multiple levels, providing flexibility and manageability for special circumstances. Policies may be applied at the domain, site, or a specific organizational unit level. Security policies such as password enforcement and whole-disk encryption will be implemented at the highest level to ensure the policy is propagated throughout the domains, whereas the removable media policy will be applied to the specific organizational unit dealing with classified and sensitive material.
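The layering described above, as an added example (not from the paper or its sources) for the VPNWUSA domain: domain-wide password settings, a stricter fine-grained policy for Finance (the per-department requirement mentioned earlier in the design), a domain-linked GPO requiring BitLocker recovery escrow before encryption, and an OU-linked GPO for removable media. The domain, the G-Finance-Users group, the GPO names and the Finance computers OU are assumed; the registry value names are the ones written by the corresponding BitLocker policy settings.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'vpnwusa.wwtc.com'                               # assumed target domain
$DomainDN = 'DC=vpnwusa,DC=wwtc,DC=com'
$FveKey   = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'           # BitLocker policy registry key

# 1. Domain-wide password and lockout policy: inherited by every account in the domain
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -Server $Domain `
    -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 2. Stricter fine-grained password policy for Finance, targeted through a global group
#    (assumed name); the lowest precedence number wins if a user falls under several PSOs
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-Finance'" -Server $Domain)) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Finance' -Precedence 10 -Server $Domain `
        -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -LockoutThreshold 3 `
        -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Finance' -Subjects 'G-Finance-Users' -Server $Domain

# 3. Domain-linked, enforced GPO: OS drives must escrow a recovery password in AD DS
#    before BitLocker turns on (the "Choose how BitLocker-protected operating system
#    drives can be recovered" setting under Computer Configuration)
$bl = New-GPO -Name 'WWTC-BitLocker-ADBackup' -Domain $Domain -Comment 'Escrow recovery info in AD DS'
$blSettings = @{
    OSRecovery                     = 1   # policy enabled
    OSRecoveryPassword             = 2   # require a 48-digit recovery password
    OSRecoveryKey                  = 1   # additionally allow a 256-bit recovery key
    OSActiveDirectoryBackup        = 1   # save recovery information to AD DS
    OSActiveDirectoryInfoToStore   = 1   # store recovery passwords and key packages
    OSRequireActiveDirectoryBackup = 1   # do not enable BitLocker until escrow succeeds
    OSHideRecoveryPage             = 1   # users cannot opt out in the setup wizard
}
foreach ($kv in $blSettings.GetEnumerator()) {
    Set-GPRegistryValue -Guid $bl.Id -Domain $Domain -Key $FveKey -ValueName $kv.Key `
                        -Type DWord -Value $kv.Value | Out-Null
}
New-GPLink -Guid $bl.Id -Domain $Domain -Target $DomainDN -LinkEnabled Yes -Enforced Yes | Out-Null

# 4. OU-linked GPO for the computers that handle sensitive material (assumed OU): deny
#    write access to removable drives that are not protected by BitLocker To Go
$rm = New-GPO -Name 'WWTC-RemovableMedia-Finance' -Domain $Domain -Comment 'BitLocker To Go required'
Set-GPRegistryValue -Guid $rm.Id -Domain $Domain -Key $FveKey -ValueName 'RDVDenyWriteAccess' `
                    -Type DWord -Value 1 | Out-Null
New-GPLink -Guid $rm.Id -Domain $Domain -Target "OU=Finance,OU=Computers,$DomainDN" -LinkEnabled Yes | Out-Null

# Review which GPOs reach each OU, from the top of the domain down
Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDN -Server $Domain |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName -Domain $Domain } |
    Select-Object Path, @{ n = 'Links'; e = { ($_.GpoLinks | ForEach-Object DisplayName) -join ', ' } }
```

The enforced link in step 3 keeps a lower-level administrator from blocking inheritance of the escrow requirement on their own OU.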
References
Fritz, S. (2011, May 25). Enable BitLocker, Automatically Save Keys to Active Directory. Retrieved from Concurrency: http://www.concurrency.com/infrastructure/enable-bitlocker-automatically-save-keys-to-active-directory/
Microsoft. (2014, April 12). IP Address Management. Retrieved from TechNet: https://technet.microsoft.com/en-us/library/hh831353.aspx
Windows 7. (2011, August 31). Windows 7 BitLocker Drive Encryption Security Policy. Retrieved from CSRC: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1332.pdf
Security with Smart Cards. (n.d.). Retrieved September 27, 2015, from https://technet.microsoft.com/en-us/library/cc962052.aspx
Active Directory Security Groups. (n.d.). Retrieved September 27, 2015, from https://technet.microsoft.com/en-us/library/dn579255.aspx
Group Type and Scope Usage in Windows. (n.d.). Retrieved September 27, 2015, from https://support.microsoft.com/en-us/kb/231273
Script Center. (n.d.). PowerShell: Create Active Directory Users Based On Excel Input. Retrieved from https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Create-Active-7e6a39788
Implementing and Managing Group Policy Objects (GPOs). (n.d.). Retrieved September 27, 2015, from http://www.tech-faq.com/implementing-and-managing-group-policy-objects-gpos.html