Running head: Implementation Plan for World Wide Trading Company

Implementation Plan for World Wide Trading Company

Tareque Alam – Project Contact List, Configuration Routers, and Project Time Line

Blair Boggs – DHCP and DNS, and AD Policies

Mcgennings Imoroa – Security implementation and Security Technologies

Willie Morrow – LAN Implementation and AD Forest Domain OU formation

Stephen Muma – Voice VLAN and Wireless, AD Group Formation and AD GPO Implementation

Linh Nguyen – Switches, and VLAN configurations, and AD Implementation

CMIT 495 - Group 5

University of Maryland University College

Professor Musa

February 28, 2016

Project Contact List

Points-of-Contact:

Consultant Project Team

Project Manager: Linh Nguyen
Telephone: 410-753-6423
Email: [email protected]

Configuration Engineer: Stephen Muma
Telephone: 204-383-5142
Email: [email protected]

Project Coordinator: Tareque Alam
Telephone: 202-321-1432
Email: [email protected]

Customer Project Team

Project Manager: Mcgennings Imoroa
Telephone: 301-710-1155
Email: [email protected]

Configuration Engineer: Blair Boggs
Telephone: 301-709-7456
Email: [email protected]

Project Coordinator: Sam Musa
Telephone: 301-789-9632
Email: [email protected]

LAN Implementation

The Local Area Network is the layer of networking that provides internal communications between laptops, workstations/desktops and servers. One of its functions is to be local and isolated from other systems that do not share the same IP address space. Within the New York WWTC child domain there are multiple LAN segments with different IP address spaces. These segments are isolated and will not communicate with each other without a device to forward traffic to and from each segment. A router will be added to route the traffic and segment networks as applicable. Network switching devices will be used to connect systems; a switch forwards packets to the system connected to the designated port. Lastly, computers, phones and printers will obtain an IP address using DHCP.

Section/Type | VLAN ID | # Of Devices | 100% Growth | Host Bits | Subnet Address | Gateway Address | Broadcast Address
--- | --- | --- | --- | --- | --- | --- | ---
OPR | 2 | 7 | 14 | 5 | 172.16.0.0/27 | 172.16.0.1 | 172.16.0.32
NW USA | 3 | 16 | 32 | 6 | 172.16.0.128/26 | 172.16.0.129 | 172.16.0.192
SW USA | 4 | 16 | 32 | 6 | 172.16.1.0/26 | 172.16.1.1 | 172.16.1.64
NE USA | 5 | 16 | 32 | 6 | 172.16.1.128/26 | 172.16.1.129 | 172.16.1.192
SE USA | 6 | 16 | 32 | 6 | 172.16.2.0/26 | 172.16.2.1 | 172.16.2.64
M USA | 7 | 16 | 32 | 6 | 172.16.2.128/26 | 172.16.2.129 | 172.16.2.192
System/Network Admin VLAN | 8 | 7 | 14 | 5 | 172.16.3.0/27 | 172.16.3.1 | 172.16.3.32
Printers VLAN | 9 | 20 | 40 | 6 | 172.16.4.0/26 | 172.16.4.1 | 172.16.4.64
Servers VLAN | 10 | 30 | 60 | 6 | 172.16.4.128/26 | 172.16.4.129 | 172.16.4.192
VoIP VLAN | 11 | 94 | 188 | 8 | 172.16.5.0/24 | 172.16.5.1 | 172.16.5.255
Wireless VLAN | 12 | 126 | 252 | 8 | 172.16.6.0/24 | 172.16.6.1 | 172.16.6.255
LAN Routing | N/A | 2 | N/A | 2 | 172.16.10.0/30 | N/A | N/A
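The VLAN plan above can be checked mechanically; the Python below is an added example (not part of the original plan) that transcribes the table rows and verifies, per VLAN, the host bits against the prefix, the usable address count against the 100% growth figure, gateway placement, the stated broadcast address, and overlap between subnets. Names such as VLAN_PLAN and check_vlan are the example's own, and the LAN Routing /30 row is left out because it has no gateway.

```python
import ipaddress

# VLAN rows transcribed from the table above:
# (section, VLAN ID, devices now, 100% growth, host bits, subnet, gateway, stated broadcast)
VLAN_PLAN = [
    ("OPR", 2, 7, 14, 5, "172.16.0.0/27", "172.16.0.1", "172.16.0.32"),
    ("NW USA", 3, 16, 32, 6, "172.16.0.128/26", "172.16.0.129", "172.16.0.192"),
    ("SW USA", 4, 16, 32, 6, "172.16.1.0/26", "172.16.1.1", "172.16.1.64"),
    ("NE USA", 5, 16, 32, 6, "172.16.1.128/26", "172.16.1.129", "172.16.1.192"),
    ("SE USA", 6, 16, 32, 6, "172.16.2.0/26", "172.16.2.1", "172.16.2.64"),
    ("M USA", 7, 16, 32, 6, "172.16.2.128/26", "172.16.2.129", "172.16.2.192"),
    ("Admin VLAN", 8, 7, 14, 5, "172.16.3.0/27", "172.16.3.1", "172.16.3.32"),
    ("Printers VLAN", 9, 20, 40, 6, "172.16.4.0/26", "172.16.4.1", "172.16.4.64"),
    ("Servers VLAN", 10, 30, 60, 6, "172.16.4.128/26", "172.16.4.129", "172.16.4.192"),
    ("VoIP VLAN", 11, 94, 188, 8, "172.16.5.0/24", "172.16.5.1", "172.16.5.255"),
    ("Wireless VLAN", 12, 126, 252, 8, "172.16.6.0/24", "172.16.6.1", "172.16.6.255"),
]


def check_vlan(name, vlan_id, devices, growth, host_bits, subnet, gateway, stated_bcast):
    """Return a list of findings for one row; an empty list means the row is consistent."""
    findings = []
    net = ipaddress.ip_network(subnet, strict=True)
    actual_host_bits = 32 - net.prefixlen
    usable = net.num_addresses - 2          # network and broadcast addresses are not usable
    if actual_host_bits != host_bits:
        findings.append(f"{name}: table says {host_bits} host bits, /{net.prefixlen} gives {actual_host_bits}")
    if usable < growth:
        findings.append(f"{name}: /{net.prefixlen} has {usable} usable hosts, growth target is {growth}")
    gw = ipaddress.ip_address(gateway)
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        findings.append(f"{name}: gateway {gateway} is not a usable host in {subnet}")
    if ipaddress.ip_address(stated_bcast) != net.broadcast_address:
        findings.append(f"{name}: stated broadcast {stated_bcast}, actual {net.broadcast_address}")
    return findings


def overlaps(plan):
    """Pairs of section names whose subnets overlap (routing between them would break)."""
    nets = [(row[0], ipaddress.ip_network(row[5])) for row in plan]
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:] if na.overlaps(nb)]


def audit(plan):
    """All findings for the whole plan, row checks first, then overlaps."""
    findings = []
    for row in plan:
        findings.extend(check_vlan(*row))
    for a, b in overlaps(plan):
        findings.append(f"{a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for finding in audit(VLAN_PLAN):
        print(finding)
```

Run as written, it reports that the broadcast column for VLANs 2 through 10 lists the next subnet's first address rather than the subnet's last address (for example 172.16.0.31, not 172.16.0.32, for 172.16.0.0/27); the two /24 rows are consistent.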

Step Number | Task
--- | ---
1 | Connect to Internal router
2 | Configure Internal router
3 | Connect to switch 1/2/3/4/5
4 | Configure switch ports
5 | Configure host for DHCP

Configure router

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface gi 0/0
Router(config-if)#no ip address
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#interface gi 0/0.8
Router(config-subif)#encapsulation dot1Q 8
Router(config-subif)#ip address x.x.x.x x.x.x.x
Router(config-subif)#description "VLAN 8"
Router(config-subif)#no shut
Router(config-subif)#interface gi 0/0.9
Router(config-subif)#encapsulation dot1Q 9
Router(config-subif)#ip address x.x.x.x x.x.x.x
Router(config-subif)#description "VLAN 9"
Router(config-subif)#no shut
Router(config-subif)#interface gi 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address x.x.x.x x.x.x.x
Router(config-subif)#description "VLAN 10"
Router(config-subif)#no shut
Router(config-subif)#interface gi 0/0.11
Router(config-subif)#encapsulation dot1Q 11
Router(config-subif)#ip address x.x.x.x x.x.x.x
Router(config-subif)#description "VLAN 11"
Router(config-subif)#no shut
Router(config-subif)#interface gi 0/0.12
Router(config-subif)#encapsulation dot1Q 12
Router(config-subif)#ip address x.x.x.x x.x.x.x
Router(config-subif)#description "VLAN 12"
Router(config-subif)#no shut

Trunk Router to Switch

Router(config)#interface range gi 0/2 - 5
Router(config-if-range)#switchport mode trunk
Router(config-if-range)#switchport trunk allowed vlan all
Router(config-if-range)#description "Trunk"
Router(config-if-range)#no shut

Configuration for all switches: Set VLANs

NOTE: Use the configuration below on switches 1-5

S1(config)#vlan 8
S1(config-vlan)#name VLAN 8
S1(config-vlan)#exit
S1(config)#vlan 9
S1(config-vlan)#name VLAN 9
S1(config-vlan)#exit
S1(config)#vlan 10
S1(config-vlan)#name VLAN 10
S1(config-vlan)#exit
S1(config)#vlan 11
S1(config-vlan)#name VLAN 11
S1(config-vlan)#exit
S1(config)#vlan 12
S1(config-vlan)#name VLAN 12
S1(config-vlan)#exit

Configure ports on switch

NOTE: Use the configuration below to configure port access with the correct VLAN

S1(config)#int gi 0/20
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 8
S1(config-if)#exit

Configure systems to accept DHCP

To set your network card for DHCP, follow these steps:

1. Click the Start button

2. Click Control Panel

3. Click Network and Internet

4. Click View network status and tasks under Network and Sharing Center

5. Click Change adapter settings on the left navigation bar

6. Right-click on the network adapter you wish to change, such as Local Area Connection

7. Select Properties

8. Highlight Internet Protocol Version 4 (TCP/IPv4)

9. Click Properties

10. In the General tab, ensure that Obtain an IP address automatically radio button is selected

Security Implementation Tasks

Step # | Task
--- | ---
1 | Physically install the Cisco ASA 5505 firewall
2 | Configure the ASA 5505 firewall
3 | Configure the public server in the DMZ on the ASA 5505
4 | Configure the VPN with IPsec on the ASA 5505
5 | Configure firewall rules on the ASA
6 | Configure IPS
7 | Install and configure Kaspersky Total Security
8 | Install and configure the Network Access Server
9 | Configure VLAN security on the network devices
10 | Configure port security on the network devices
11 | Configure the honeypot on a separate server

Physically install the Cisco firewall

1. The Cisco firewall will be located in the IT closet, next to the VP M room.

2. Connect a notebook via Ethernet cable to the correct ports.

3. Use the setup wizard to configure basic and advanced rules.

4. On the notebook, open a web browser.

5. In the Address field, enter the following URL: 192.168.1.1/admin

6. Run the startup wizard. Accept any certificates according to the dialog boxes that appear. Leave the username and password fields empty and click OK. Running the startup wizard will allow you to customize your security policy the way that you want.

Configuring a DMZ

The Public Server pane automatically configures the security policy to make an inside server accessible from the Internet.

This will allow clients to access WWTC’s network from the internet while protecting the internal network from the threat of attack.

Step 1: In the main ASDM window, choose Configuration > Firewall > Public Servers. The Public Server pane appears.

Step 2: Click Add, and then enter the public server settings in the Add Public Server dialog box. (For information about any field, click Help.)

Step 3: Click OK. The server appears in the list.

Step 4: Click Apply to submit the configuration to the ASA.

Configuring the VPN

Step 1: In the main ASDM window, choose Wizards > VPN Wizards, then choose one of the following:

·  Site-to-Site VPN Wizard

·  AnyConnect VPN Wizard

·  Clientless VPN Wizard

·  IPsec (IKEv1) Remote Access VPN Wizard

Step 2: Follow the wizard instructions.

A site-to-site VPN will create an IPsec tunnel between two locations.

Configuring the IPS Module

This ASA comes with a Security Services Card (SSC); the IPS application can be configured to run on the SSC.

Step 1: In the main ASDM window, choose Configuration > Device Setup > SSC Setup. The SSC pane appears.

Step 2: Complete the SSC setup fields and click Apply. (For information about any field, click Help in the dialog box.)

Step 3: To configure the IPS module on the SSC, click the Configure the IPS SSC module link. The Startup Wizard appears. Click Launch Startup Wizard. (Alternatively, you can choose Configure > IPS > Sensor Setup > Startup Wizard to access the wizard.)

Configuring a Network Access Server

Step 1: Start by opening the NPS management console.

Choose to configure the server for 802.1X wireless or wired connections.

On the next page, you can add the RADIUS clients.

On the following page, configure the authentication methods that will be used by the NAS. WWTC will be using MS-CHAPv2.

Step 2: Specify which groups will be allowed or denied access to the network.

On the next page, configure IPv4 and IPv6 IP filters to control what type of network traffic can be sent and received.

On the next wizard page, you must specify the encryption settings that determine the minimum encryption strength allowed between the access client and the network access server. For WWTC we will be using the strongest encryption (MPPE 128-bit).

The final wizard page will ask you to specify a realm name, which is the part of the user name that the ISP uses to identify connection requests that route to this server.

Configuring VLANs

Step 1
Command: switch# configure terminal
Purpose: Enters configuration mode.

Step 2
Command: switch(config)# vlan { vlan-id | vlan-range }
Purpose: Enters VLAN configuration submode. If the VLAN does not exist, the system first creates the specified VLAN.

Step 3
Command: switch(config-vlan)# name vlan-name
Purpose: Names the VLAN. You can enter up to 32 alphanumeric characters to name the VLAN. You cannot change the name of VLAN1 or the internally allocated VLANs. The default value is VLANxxxx, where xxxx represents four numeric digits (including leading zeroes) equal to the VLAN ID number.

Step 4
Command: switch(config-vlan)# no shutdown
Purpose: Enables the VLAN. The default value is no shutdown (or enabled). You cannot shut down the default VLAN, VLAN1, or VLANs 1006 to 4094.

Creating a Honeypot

The honeypot will be an older server located in the network closet. This server will act as a decoy for any hacker that manages to pass through WWTC security.

AD Implement task

There are three steps in implementing Active Directory. The first step is to prepare the forest root, also called the parent domain, WWTC.com. After the preparation, the forest will be created. The last step is to create the child domain, NY.WWTC.com. To prepare the forest root, WWTC will deploy the first forest domain controller and then review the Active Directory Domain Services and logical structure design. Before creating the domain controller, the domain functional level and the forest functional level must be Windows 2003 or higher.

To raise the functional level, select Tools and then Active Directory Users and Computers. Right-click the domain, WWTC.com, and select Raise domain functional level. The domain functional level will be raised to Windows Server 2003, which is the minimum needed to bring in the first 2012 domain controller. The domain functional level must be raised before the forest functional level can be raised. The forest functional level is raised in Active Directory Domains and Trusts: right-click Active Directory Domains and Trusts and select Raise forest functional level. The forest functional level should also be raised to Windows Server 2003, which is likewise the minimum needed.

The next step is to run the adprep /forestprep command at the command prompt to update the Active Directory schema for Windows Server 2012. The adprep /domainprep command will then be run to prepare the domain for a Windows Server 2012 domain controller; it can only be run after adprep /forestprep finishes. After the AD environment has been prepared, the server will be promoted to a domain controller. From Server Manager, select Manage and then Add Roles and Features.

Once AD DS is installed, the user can promote the server to a domain controller by selecting Add a domain controller to an existing domain, as the office in Hong Kong has already done, shown below.

The last step in the AD implementation is to create the child domain, NY.WWTC.com. The first step is to install Active Directory Domain Services and promote the server to a domain controller. On the Deployment Configuration page, select Add a new domain to an existing forest, as shown below.

Router Configuration

The commands below are global configuration mode commands. They will be used to configure the router name and to set up the security passwords. We will configure NY.WWTC’s Core Router 1 as an example. The other routers will follow the same configuration with their own IP addresses and router names.

Router>                          (press Enter to connect to the router)
Router> enable
Router# configure terminal
Router(config)# hostname WWTCR01
WWTCR01(config)# enable password wwt3p@ss
WWTCR01(config)# enable secret Router$1.NY
WWTCR01(config)# line console 0
WWTCR01(config-line)# password wwt3p@ss
WWTCR01(config-line)# login
WWTCR01(config-line)# exit
WWTCR01(config)# line vty 0 4
WWTCR01(config-line)# password wwt3p@ss
WWTCR01(config-line)# login
WWTCR01(config-line)# exit
WWTCR01(config)# line aux 0
WWTCR01(config-line)# password wwt3p@ss
WWTCR01(config-line)# login
WWTCR01(config-line)# exit
WWTCR01(config)# exit
WWTCR01# copy run start

The commands below will assign an IP address to the interfaces. The commands to assign a login banner are also provided.

WWTCR01(config)# ip domain-name NY.WWTC.com
WWTCR01(config)# router eigrp 1
WWTCR01(config-router)# no auto-summary
WWTCR01(config-router)# exit
WWTCR01(config)# interface Gi0/0
WWTCR01(config-if)# ip address 172.16.10.1 255.255.255.252
WWTCR01(config-if)# no shut
WWTCR01(config-if)# interface Gi0/1
WWTCR01(config-if)# ip address 172.16.10.2 255.255.255.252
WWTCR01(config-if)# no shut
WWTCR01(config-if)# interface Gi0/2
WWTCR01(config-if)# ip address 172.16.10.3 255.255.255.252
WWTCR01(config-if)# no shut
WWTCR01(config-if)# exit
WWTCR01(config)# banner motd # WARNING, authorized users are only allowed to access WWTC system, unauthorized access is prohibited. Enter your username and password to login#
WWTCR01(config)# exit
WWTCR01# copy run start

Switches configurations

The Cisco Catalyst 3850 is the switch that will be implemented for WWTC. This switch provides guaranteed bandwidth between devices and reduces collisions by reducing the number of devices in a collision domain. Below is a configuration example for one of the switches.

SwitchA> enable                      (to configure anything on a switch, the first step is to enter enable, or privileged, mode)
SwitchA# show version                (allows the user to examine the current state of the switch and which interfaces are involved)
SwitchA# show ip interface brief     (gives a summarized view of all interfaces and their current status)
SwitchA# configure terminal          (enters configuration mode)
SwitchA(config)# hostname Switch13850
Switch13850(config)# ip domain-name NY.WWTC.com
Switch13850(config)# no ip domain-lookup
Switch13850(config)# enable password pa$$w0rd
Switch13850(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
Switch13850(config)# line console 0
Switch13850(config-line)# password pa$$w0rd
Switch13850(config-line)# login local
Switch13850(config-line)# transport input ssh
Switch13850(config-line)# exit
Switch13850(config)# line vty 0 4
Switch13850(config-line)# password Cisc0
Switch13850(config-line)# login local
Switch13850(config-line)# transport input ssh
Switch13850(config-line)# exec-timeout 5
Switch13850(config-line)# exit
Switch13850(config)# line vty 5 15
Switch13850(config-line)# password P@ssw0rd
Switch13850(config-line)# login
Switch13850(config-line)# exit
Switch13850(config)# line aux 0
Switch13850(config-line)# password Gr0up5
Switch13850(config-line)# login
Switch13850(config-line)# exit
Switch13850(config)# no logging console
Switch13850(config)# interface fa0/0
Switch13850(config-if)# ip address 172.16.1.135 255.255.255.192
Switch13850(config-if)# no shutdown
Switch13850(config-if)# speed 100
Switch13850(config-if)# duplex full
Switch13850(config-if)# interface fa0/1
Switch13850(config-if)# ip address 172.16.1.141 255.255.255.192
Switch13850(config-if)# no shutdown
Switch13850(config-if)# speed 100
Switch13850(config-if)# duplex full
Switch13850(config-if)#                  (press Ctrl-Z to return to privileged mode)
Switch13850# copy run start

VLAN Configurations

Before applying the VLAN configurations, the user must verify that all of the ports on the switch belong to the only built-in default VLAN, VLAN 1, using the command show vlan. VLAN 1 is the only usable VLAN that comes with a new switch. There are ten VLANs for the WWTC network. VLANs 2 through 6 will be assigned to the Switch13850 switch. The rest will be assigned to the Switch23850 switch. Below is the example configuration for creating the VLANs, followed by the port and interface configuration for VLAN 2 (OPR) on the switch Switch13850.

Switch13850> enable
Switch13850# configure terminal
Switch13850(config)# vlan 2
Switch13850(config-vlan)# name OPR
Switch13850(config-vlan)# vlan 3
Switch13850(config-vlan)# name NW USA
Switch13850(config-vlan)# vlan 4
Switch13850(config-vlan)# name SW USA
Switch13850(config-vlan)# vlan 5
Switch13850(config-vlan)# name NE USA
Switch13850(config-vlan)# vlan 6
Switch13850(config-vlan)# name SE USA
Switch13850(config-vlan)# exit
Switch13850(config)# interface fa0/1
Switch13850(config-if)# switchport mode access
Switch13850(config-if)# switchport access vlan 2
Switch13850(config-if)# switchport port-security
Switch13850(config-if)# switchport port-security mac-address sticky
Switch13850(config-if)# switchport port-security maximum 1
Switch13850(config-if)# switchport port-security violation shutdown
Switch13850(config-if)# exit
Switch13850(config)# interface vlan 2
Switch13850(config-if)# ip address 172.16.0.0 255.255.255.224
Switch13850(config-if)# no shutdown
Switch13850(config-if)# exit
Switch13850(config)# password Gr)up5
Switch13850(config)# exit
Switch13850# copy run start
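The router and switch sessions above set both enable password and enable secret, use login local on lines without ever defining a username, leave line vty 5 15 without transport input ssh, and set exec-timeout on only one line range. The Python below is an added configuration audit (not the project's own tooling) that parses a running-config excerpt written in that style and reports those conditions; SAMPLE_CONFIG and HARDENED_CONFIG are constructed here, with placeholder secrets.

```python
# Constructed running-config excerpt in the style of the switch session above
# (prompts stripped); not an export from the project's device.
SAMPLE_CONFIG = """\
hostname Switch13850
enable password pa$$w0rd
!
line con 0
 password pa$$w0rd
 login local
line vty 0 4
 password Cisc0
 login local
 transport input ssh
 exec-timeout 5
line vty 5 15
 password P@ssw0rd
 login
line aux 0
 password Gr0up5
 login
"""

# Constructed hardened version of the same device; secrets are placeholders.
HARDENED_CONFIG = """\
hostname Switch13850
service password-encryption
username netadmin privilege 15 secret PLACEHOLDER_SECRET
enable secret PLACEHOLDER_SECRET
line con 0
 login local
 exec-timeout 5
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5
line aux 0
 no exec
"""


def parse_config(config):
    """Split an IOS config into global commands and per-'line' sub-commands.

    Sub-commands are the indented lines following a 'line ...' header; any
    other non-indented command ends the current section.
    """
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                            # blank line or '!' separator
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_config(config):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    global_cmds, sections = parse_config(config)
    has_user = any(g.startswith("username ") for g in global_cmds)
    if any(g.startswith("enable password ") for g in global_cmds):
        findings.append("enable password is stored reversibly; rely on enable secret instead")
    if not any(g.startswith("enable secret ") for g in global_cmds):
        findings.append("no enable secret configured")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption is off; line passwords are cleartext")
    for name, cmds in sections.items():
        if "login local" in cmds and not has_user:
            findings.append(f"{name}: login local but no username defined (login will fail)")
        if name.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: telnet allowed (no 'transport input ssh')")
            if not any(c.startswith("exec-timeout") for c in cmds):
                findings.append(f"{name}: no exec-timeout, idle sessions never close")
        if name.startswith("line aux") and "no exec" not in cmds:
            findings.append(f"{name}: aux port accepts logins; 'no exec' disables it")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```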

Implement Voice VLAN and Wireless

The Wall Street WWTC office requires wireless network access for users and guests in the lobby and conference room. WWTC will provide a private wireless network and will configure the switches that the wireless routers connect to with a VLAN ID of 12. The wireless network will use the 802.11ac standard, and each computer will have 54Mbps of bandwidth when connecting to the wireless network. The organization will deploy five Cisco Aironet 2700i Wireless Access Points and one Cisco 4404 Wireless LAN controller. The wireless network will be configured with the IP subnet 172.16.6.0/24, and the router or gateway address will be 172.16.0.1. The wireless router will provide IP addresses to devices connecting to the network with DHCP. The wireless access points will not broadcast their SSID, to enhance security, and the network will be protected with WPA2 Enterprise.

To configure the Wireless VLAN on the switch that the Wireless Access Points or Wireless router connect to, the following commands will be issued on the Cisco switch:

Switch> enable
Switch# configure terminal
Switch(config)# vlan 12
Switch(config-vlan)# name WIRELESS VLAN
Switch(config-vlan)# state active
Switch(config-vlan)# exit
Switch(config)# interface FastEthernet */*
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 12
Switch(config-if)# end
Switch# copy running-config startup-config          (and then select yes or hit Enter)

To configure the router and ensure the proper packets are tagged with the 802.1Q standard, the following commands will be issued from the router:

Router> enable
Router# configure terminal
Router(config)# interface FastEthernet */*.12
Router(config-subif)# encapsulation dot1q 12
Router(config-subif)# ip address 172.16.6.1 255.255.255.0
Router(config-subif)# end
Router# copy running-config startup-config          (and then select yes or hit Enter)

The 4404 Wireless Controller front panel and back panel are shown below. On the front panel the numbers correspond to:

(1) Service Port
(2) Console Port
(3) Status, alarm, and power supply LEDs
(4) Utility Port
(5) Distribution port 1
(6) Distribution port 1 & 2 Link and Activity LEDs
(7) Distribution port 2
(8) Distribution port 3
(9) Distribution port 3 & 4 Link and Activity LEDs
(10) Distribution port 4

Front Panel (cisco.com image not reproduced here)

Back Panel (cisco.com image not reproduced here)

The back panel numbers correspond to:

(1) VPN termination module slot 1
(2) VPN termination module slot 0
(3) Power supply slot 1
(4) Slot 2 power supply power receptacle
(5) Slot 2 power supply switch
(6) Slot 2 power supply LED

The VoIP network for WWTC will be state of the art. The organization will deploy 94 Cisco 7821 IP phones, a Cisco VG350 analog voice gateway and one Cisco Unified Communications Manager. The VoIP phones will be assigned their own VLAN to segregate the time-sensitive UDP voice packets from other packets on the network and to improve security. Segregating the traffic will allow administrators to implement QoS and ensure the voice packets take priority and have bandwidth available. The VoIP VLAN will be assigned an ID of 11 and will have an IP subnet of 172.16.5.0/24 for the devices. Each of the phones will be configured to use DHCP and will receive an IP address from the VoIP subnet. Only authorized VoIP phones will be entered into the CUCM, and they will be the only phones authorized to make and receive calls.

To configure the Voice VLAN on the Cisco switch, the following commands will be issued on the switch:

Switch> enable
Switch# configure terminal
Switch(config)# vlan 11
Switch(config-vlan)# name VoIP VLAN
Switch(config-vlan)# state active
Switch(config-vlan)# exit
Switch(config)# interface FastEthernet */*
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 11
Switch(config-if)# end
Switch# copy running-config startup-config          (and then select yes or hit Enter)

To configure the router and ensure the proper packets are tagged with the 802.1Q standard, the following commands will be issued from the router:

Router> enable
Router# configure terminal
Router(config)# interface FastEthernet */*.11
Router(config-subif)# encapsulation dot1q 11
Router(config-subif)# ip address 172.16.5.1 255.255.255.0
Router(config-subif)# end
Router# copy running-config startup-config          (and then select yes or hit Enter)

Security technology

The network design for WWTC introduces a number of new devices meant to protect the internal assets of the company. These devices will protect the network from man-in-the-middle attacks, denial of service attacks (DoS or DDoS), social engineering attacks, phishing, and so on. In addition, all IT staff members must undergo annual training to ensure their knowledge of cyber threats is kept up to date.

Key assets

Database servers

· Financial information

· Customer information

· Employee information

· Business information

Item name: Cisco Firewall
Description: This device provides packet filtering for information moving in and out of the network.
Role:
· This device will monitor incoming/outgoing connections for system threats.
· It will also log traffic for auditing.
· This device filters traffic moving between WWTC and the internet.

Item name: VPN concentrator
Description: This is a server that sits on the edge of a network and creates a secure connection between two VPN nodes.
Role:
· It will establish tunnels for site-to-site links.
· Authenticate users.
· Encrypt and decrypt data traveling in the tunnel.

Item name: Network Access Server
Description: This is a server that is the single point of access to remote resources.
Role:
· This server will provide policy enforcement. It will dictate the types of computers and roles of users allowed on the network.

Item name: Kaspersky Total Security
Description: This is software used to prevent, detect, and remove malicious software from client computers.
Role:
· This will provide host-based intrusion prevention (HIPS).
· This will also prevent certain threats from making it onto the network.

DHCP

“DHCP servers centrally manage IP addresses and related information and provide it to clients automatically.” (Technet, 2005). There will be two DHCP and DNS servers to provide fault tolerance. Most networks need one primary online DHCP server and one other DHCP server acting as a secondary or backup server, with the 80/20 rule for balancing scopes. To account for further fault tolerance, we’ll need to account for a hot or cold standby. “Because the hot standby solution requires special attention to its configuration and also manual administration for ensuring fall-over transition for DHCP clients to use it, it is less recommended as a planning alternative than the use of two to three DHCP servers that balance active scope use.” (Technet, 2005).

Our plan is to utilize the AD domain controllers to replicate and propagate information between each other. This provides the benefit of primary DNS lookup zones that are propagated in a secure manner.

Our plan for DHCP scope follows Microsoft’s recommendation on scopes for larger, stable, enterprise networks. “For larger routed networks, consider increasing the length of scope leases to a longer period of time, such as 16-24 days. This can reduce DHCP-related network broadcast traffic” (Technet, 2005).

Here is our preliminary table for the scope address configuration.

Scope Name | # of Addresses | Subnet Mask | Default Gateway | DNS
--- | --- | --- | --- | ---
Brokers | 126 | 255.255.255.0 | 192.168.1.1 | 192.168.2.8
Management | 62 | 255.255.255.64 | 192.168.1.1 | 192.168.2.8
Executives | 30 | 255.255.255.96 | 192.168.1.1 | 192.168.2.8
Staff | 30 | 255.255.255.96 | 192.168.1.1 | 192.168.2.8
VoIP Phones | 254 | 255.255.255.224 | 192.168.1.1 | 192.168.2.8
IT Staff | 30 | 255.255.255.128 | 192.168.1.1 | 192.168.2.8
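Two things a practitioner would check in the DHCP plan above are whether each subnet mask is a valid contiguous mask and where the 80/20 split between the two DHCP servers described earlier falls within a scope. The Python below is an added example, not part of the original plan; the table gives no scope networks, so the 192.168.1.0/24 used with the table's 192.168.1.1 gateway is a constructed assumption, and names such as SCOPES and split_80_20 are the example's own.

```python
import ipaddress

# Scope rows transcribed from the table above: (name, addresses requested, mask).
SCOPES = [
    ("Brokers", 126, "255.255.255.0"),
    ("Management", 62, "255.255.255.64"),
    ("Executives", 30, "255.255.255.96"),
    ("Staff", 30, "255.255.255.96"),
    ("VoIP Phones", 254, "255.255.255.224"),
    ("IT Staff", 30, "255.255.255.128"),
]


def mask_prefix(mask):
    """Prefix length for a dotted mask, or None if the mask is not contiguous."""
    try:
        return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    except ValueError:                  # ipaddress rejects masks that mix ones and zeroes
        return None


def check_scope(name, requested, mask):
    """One finding string for a row, or None when the row is consistent."""
    prefix = mask_prefix(mask)
    if prefix is None:
        return f"{name}: {mask} is not a valid subnet mask"
    usable = 2 ** (32 - prefix) - 2     # network and broadcast addresses cannot be leased
    if usable < requested:
        return f"{name}: /{prefix} leaves {usable} usable addresses, {requested} requested"
    return None


def split_80_20(network, gateway=None):
    """Divide a scope's leasable range between a primary (80%) and a secondary (20%) server.

    Both servers are configured with the whole scope and each excludes the other's
    share, so either can answer a client when its peer is down. Returns two
    (first, last) address pairs: the primary's share and the secondary's share.
    """
    net = ipaddress.ip_network(network)
    hosts = list(net.hosts())
    if gateway is not None:             # never lease the default gateway's address
        hosts = [h for h in hosts if h != ipaddress.ip_address(gateway)]
    cut = round(len(hosts) * 0.8)
    return (hosts[0], hosts[cut - 1]), (hosts[cut], hosts[-1])


def exclusions(network, gateway=None):
    """Exclusion range each server must configure for the 80/20 split, as strings."""
    primary, secondary = split_80_20(network, gateway)
    return {
        "primary_excludes": f"{secondary[0]}-{secondary[1]}",
        "secondary_excludes": f"{primary[0]}-{primary[1]}",
    }


if __name__ == "__main__":
    for row in SCOPES:
        finding = check_scope(*row)
        if finding:
            print(finding)
    # Constructed assumption: the Brokers scope lives in 192.168.1.0/24 with the
    # table's 192.168.1.1 gateway (the plan does not state the scope's network).
    print(exclusions("192.168.1.0/24", "192.168.1.1"))
```

Run as written, it flags the three rows whose masks are not contiguous and the VoIP Phones row, whose /27 mask cannot hold 254 addresses.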

DNS

The Active Directory (AD) NY WWTC site will have two types of DNS zones: forward and reverse. The forward lookup zone resolves a name to an IP address, and the reverse lookup zone does the opposite, resolving an IP address to a name.

DNS and DHCP integration

The DHCP server role will provide the client IP address, subnet mask, default gateway, and both DNS server IP addresses to network users’ domain computers.

It is highly advised to set up your network to integrate the DNS and DHCP functions. This integration is also done with an Active Directory Integrated zone, which means that all DNS records are stored within Active Directory.

The Backup directory in the %SystemRoot%\System32\DHCP folder contains backup information for the DHCP configuration and the DHCP database. By default, the DHCP database is backed up automatically every 60 minutes.

Here is our process for enabling the DNS integration with the Windows Server 2012 DHCP server:

1. Log on to the Windows Server 2012 DHCP server with the appropriate account credentials.

2. If not already started, initialize the Server Manager window from the bottom left corner of the screen.

3. On the opened Server Manager window, from the left pane, click to select the DHCP category.

4. From the right pane, under the SERVERS section, right-click the DHCP server from the displayed list.

5. From the context menu that appears, click the DHCP Manager option.

6. On the opened DHCP snap-in, from the left pane, expand the server name (DC-01.MYDOMAIN.COM for this demonstration).

7. From the displayed list, click to select and then right-click IPv4 container.

8. From the context menu that appears, click the Properties option.

9. On the opened IPv4 Properties box, go to the DNS tab.

10. From the displayed interface, check the Enable DNS dynamic updates according to the settings below checkbox.

11. Once done, make sure that the Dynamically update DNS A and PTR records only if requested by the DHCP clients radio button is selected.

12. Make sure that the Discard A and PTR records when lease is deleted checkbox is checked

13. Once done, click OK to save the changes that you have made (Viveknayyar, 2013).

AD Policies

BitLocker

To enable BitLocker, Group Policy settings must be created. Below are the steps to create the GPO settings:

1.  Open "Group Policy Management".

2.  Navigate to the GPO that's linked to the OU that you want to contain your settings for Bitlocker.

3.  Right click on the GPO and select "Edit"

4. Navigate to Computer Configuration->Policies->Administrative Templates->Windows Components->Bitlocker Drive Encryption.

5.  Double click on "Store Bitlocker Recovery information in Active Directory Domain Services" and configure it as follows:

6.  Click "OK".

7.  Under Computer Configuration->Policies->Administrative Templates->Windows Components->Bitlocker Drive Encryption, click on the appropriate folder for your configuration.  In this example, I'm configuring Bitlocker to encrypt the OS drive.

8.  Double click on "Require additional authentication at startup" and configure your settings as follows:

9.  Click "OK".

10.  Double click on "Choose how Bitlocker-protected operating system drives can be recovered" and configure it as follows:

11.  Click "OK".

12.  Navigate to Computer Configuration >Policies >Administrative Templates >System > Trusted Platform Module and set "Turn on TPM backup to Active Directory Domain Services" to "Enabled".

13.  Click "OK" (UIC, 2015)

BranchCache

Another AD policy that must be configured is BranchCache. It provides substantial performance, manageability, scalability, and availability improvements. Below are the steps to set up a file server for BranchCache:

1. Install the BranchCache feature on your file server. You can do this from Server Manager or from PowerShell.

2. Create a file share that is BranchCache Enabled. (It will create the file hashes)

3. Verify the Status of your File Share Server

4. Deploy a Hosted Cache Server

5. Configure the Windows 8 (or 10) Client to use BranchCache (Lewis, 2012).

Create Classification structures for AD


Step 1: Create resource property definitions

Step 2: Create a string content classification rule

Step 3: Create a regular expression content classification rule

Step 4: Verify that the files are classified correctly (Technet, 2012).

IPAM

For highly customizable administrative and monitoring capabilities, IPAM will be deployed. Below are the steps to install IPAM.

Step 1: Install the IPAM Server Role from the Add Roles and Features wizard

Step 2: Provision the IPAM Server

· The Group Policy based provisioning method requires Group Policy Objects (GPOs) to be created in each domain that you manage with the IPAM server. IPAM will automatically configure settings on managed servers by adding the computers to the appropriate GPO.

Step 3: Configure Server Discovery

· Add your domain(s) to the list of domains that will be scanned and managed by IPAM.

Step 4: Start Server Discovery

Step 5: Set Manageability Status (Joyner, 2013).

Configure Certificate Authority Templates

1. Launch Certificate Authority MMC from Administrative Tools

2. Click on the ‘Certificate Templates’ node and select Manage

3. Right Click on the ‘Smartcard User’ Certificate Template and then select ‘Duplicate’

4. Change your compatibility settings accordingly; this will depend on your CA infrastructure and end-user devices

5. Give the new Template an appropriate name, and ensure that the validity period is 5 years

6. Ensure that the Request Handling Tab matches the following configuration

7. On the Cryptography tab ensure that you select ‘Requests must use one of the following providers’ and then select ‘Microsoft Base Smart Card Crypto Provider’

8. Ensure that the Issuance Requirements match the following settings

9. Once these steps have been completed, go ahead and press OK and go back to the Certificate Authority MMC. Right Click on the Certificate Templates node, Select New and then select ‘Certificate Template to Issue’ (Evans, 2013).

Enroll the Enrollment Agent Certificate

It is recommended that you do this on a client machine (the IT administrator's desktop).

1. Launch MMC, add the Certificates snap-in, and manage the certificates for 'My user account'

2. Right Click on the ‘Personal’ Node, Select ‘All Tasks’ and then Select ‘Request New Certificate’

3. Click Next on the wizard, and then select ‘Active Directory Enrollment Policy’

4. Select the ‘Enrollment Agent’ Certificate, and then click on ‘Enroll’ (Evans, 2013).

Windows Deployment Services (WDS) Installation

· From Server Manager, go to Configure this local server > Add roles and features

· Click Role-based or feature-based installation

· Choose Windows Deployment Services.

· After the installation is done, open Server Manager, click Tools> Windows Deployment Services.

· In the Install Options window, choose Integrated with Active Directory.

· In the Remote Installation Folder Location, enter a path.

· In the PXE Initial Image Settings, choose to respond to known client computers.

· After this initial set-up there are further options on how to save image files for deployment and how to get these files to remote computers.

· We recommend creating an AD security group (for example, Allow WDS Installation) and giving it Read/Read & Execute permissions (Hasayen, 2014).

AD Forest Domain OU Formation

Task    Description

1       Install AD DS Role

2       Install forest

3       Create domain trees and join NYC domain to WWTC forest

4       Create site link from HQ to NYC

5       Create NEWYORK OU

6       Create SUB-OU

7       Create SUB-OU

8       Create SUB-OU

Open PowerShell

1. Type Add-WindowsFeature AD-Domain-Services

2. Type Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath 'C:\Windows\NTDS' -DomainMode 'Win2012' -DomainName 'WWTC.com' -DomainNetbiosName 'WWTC' -ForestMode 'Win2012' -InstallDns:$true -LogPath 'C:\Windows\NTDS' -NoRebootOnCompletion:$true -SysvolPath 'C:\Windows\SYSVOL' -Force:$true

3. Type Install-ADDSDomain -NoGlobalCatalog:$false -CreateDnsDelegation -Credential (Get-Credential) -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2012" -DomainType "ChildDomain" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NewDomainName "NYC" -NewDomainNetBIOSName "NYC" -ParentDomainName "WWTC.com" -NoRebootOnCompletion:$false -SiteName "Default-First-Site-Name" -SysvolPath "C:\Windows\SYSVOL" -Force:$true

4. Type New-ADReplicationSiteLink -Name "WWTC-NYC" -SitesIncluded HQ,NYC -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

5. Type New-ADOrganizationalUnit -Name "NEWYORK" -Path "DC=WWTC,DC=COM"

6. Type New-ADOrganizationalUnit -Name "Accounting" -Path "OU=NEWYORK,DC=WWTC,DC=COM"

NOTE: Repeat step 6, replacing the value of the -Name parameter with each of the following OU names:

a. Accounting

b. Broker

c. Executives

d. HR

e. IT

f. Managers

g. Marketing

h. Sales

i. Security Groups

7. Type New-ADOrganizationalUnit -Name "Users" -Path "OU=Accounting,OU=NEWYORK,DC=WWTC,DC=COM"

8. Type New-ADOrganizationalUnit -Name "Workstations" -Path "OU=Accounting,OU=NEWYORK,DC=WWTC,DC=COM"

9. NOTE: Repeat steps 7-8 under each OU created in step 6, substituting that OU's name in the -Path parameter; the -Name values for the two sub-OUs are:

a. Users

b. Workstations
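The OU tree from steps 5-9 can be built in a single pass rather than by repeating steps 6-8 by hand. The following script is an added example, not one of the project document's own commands; it assumes the ActiveDirectory module is installed and the session runs with Domain Admin rights in WWTC.com, and the New-OUIfMissing function is a helper written for this example.

```powershell
# Added example (not the project document's own commands): builds the NEWYORK
# OU tree from steps 5-9 in one pass, skipping OUs that already exist so the
# script can be re-run safely. Assumes the ActiveDirectory module is installed
# and the session runs with Domain Admin rights in WWTC.com.
Import-Module ActiveDirectory

$domainDN    = "DC=WWTC,DC=COM"
$siteOU      = "NEWYORK"
$departments = @("Accounting", "Broker", "Executives", "HR", "IT",
                 "Managers", "Marketing", "Sales", "Security Groups")
$subOUs      = @("Users", "Workstations")

function New-OUIfMissing {
    # Helper for this example: creates OU=$Name under $ParentDN unless it
    # already exists, and returns the OU's distinguished name either way.
    param([string]$Name, [string]$ParentDN)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $ParentDN -SearchScope OneLevel
    if ($existing) {
        Write-Host "Exists:  $($existing.DistinguishedName)"
        return $existing.DistinguishedName
    }
    # Keep the OU protected from accidental deletion so a mis-click in
    # ADUC cannot remove a whole department subtree
    $ou = New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
              -ProtectedFromAccidentalDeletion $true -PassThru
    Write-Host "Created: $($ou.DistinguishedName)"
    return $ou.DistinguishedName
}

# Step 5: the site OU; step 6: one OU per department;
# steps 7-9: Users and Workstations under every department OU
$siteDN = New-OUIfMissing -Name $siteOU -ParentDN $domainDN
foreach ($dept in $departments) {
    $deptDN = New-OUIfMissing -Name $dept -ParentDN $siteDN
    foreach ($sub in $subOUs) {
        New-OUIfMissing -Name $sub -ParentDN $deptDN | Out-Null
    }
}

# List the resulting tree for review before GPOs are linked to it
Get-ADOrganizationalUnit -Filter * -SearchBase "OU=$siteOU,$domainDN" |
    Sort-Object DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName
```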

AD Group Formation

Active Directory groups are created to allow administrators to designate personnel as part of a group and then apply permissions or denials to the entire group. This is especially useful when an organization has separate sections and a file server. For instance, if the finance section intends to store all of its sensitive documents on the file server and administrators want to make sure only people from the finance section can open those files or folders, they would create a finance group. After the group is created, each member of the section would be added to the group. The NTFS permissions on the files or folders would then be changed to give the finance group the needed access, and everyone else could be denied. This is much more efficient than allowing each user individually: the administrators allow the group, and each member of the group receives the privileges he or she needs.

WWTC will use Universal, Global, and Domain Local groups for their network. The universal groups will have permissions and accounts from anywhere in the forest, and the local office will have three separate universal groups: Human Resources (HR), Executives (Execs), and Finance. The global groups will group together other users and computers. These groups will only have accounts from the local New York office domain, but their permission sets will carry to all of the other items in the forest. The VPN or remote users will be assigned a global group to ensure they have remote access when they are not at the New York office. Domain local groups can consist of any users or groups from the entire forest. These groups are used to group together rights and permissions, but they will only hold permissions within the domain they reside in. Brokers, Managers, and IT staff will be assigned to these groups, and the following diagram is a representation of the group setup for the WWTC forest:

The following Table represents the group structure and how the imported .csv file would look:

Name                Type          Location

VPN Remote          Global        OU=_DomainName,OU=Security Groups

Execs               Universal     OU=_DomainName,OU=Security Groups

Finance             Universal     OU=_DomainName,OU=Security Groups

Brokers             DomainLocal   OU=_DomainName,OU=Security Groups

IT Administrators   DomainLocal   OU=_DomainName,OU=Security Groups

Managers            DomainLocal   OU=_DomainName,OU=Security Groups

HR                  Universal     OU=_DomainName,OU=Security Groups

Using PowerShell to create groups is more efficient, so administrators should create these groups with PowerShell. To create and implement the groups, administrators will run the following script; the group name, scope, and location for each group are taken from the CSV file rows:

# CSV header must be GroupName,GroupType,GroupLocation
# (the Name, Type, and Location columns of the table above)
$csv = @()
$csv = Import-Csv -Path "C:\Desktop\bulk_input.csv"

# Get Domain Base
$searchbase = Get-ADDomain | ForEach-Object { $_.DistinguishedName }

ForEach ($item In $csv)
{
    # Confirm the target OU exists before trying to create anything in it
    $check = [ADSI]::Exists("LDAP://$($item.GroupLocation),$($searchbase)")

    If ($check -eq $True)
    {
        Try
        {
            # Get-ADGroup throws when the group does not exist, which sends us to Catch
            $exists = Get-ADGroup $item.GroupName
            Write-Host "Group $($item.GroupName) already exists! Group creation skipped!"
        }
        Catch
        {
            # GroupType must be Global, Universal, or DomainLocal
            $create = New-ADGroup -Name $item.GroupName -GroupScope $item.GroupType -Path ($($item.GroupLocation) + "," + $($searchbase))
            Write-Host "Group $($item.GroupName) created!"
        }
    }
    Else
    {
        Write-Host "Target OU can't be found! Group creation skipped!"
    }
}

AD GPO Implementation

The WWTC Wall Street office will implement the principle of least privilege and apply it to the users and devices on the network. To ensure this principle is followed, administrators will implement Group Policy. These policies will be applied to the entire WWTC forest, and the IT administrators will configure, manage, and update them as necessary. To use Microsoft Windows Group Policy, administrators can use the Group Policy Management snap-in in the Administrative Tools section. The default domain policy will only be edited for account policy settings, user rights settings, or auditing policy settings.

To create a new group policy, administrators will complete the following steps:

1. In the GPMC console tree, administrators will right-click on the GPO that is under the WWTC Forest

2. Select New

3. In the New GPO box, the name WWTC GPO will be specified, and then click OK

To edit an existing group policy, administrators will complete the following steps:

1. In the GPMC console tree, administrators will right-click on the GPO that is under the WWTC Forest

2. Select Edit

3. Select the applicable policies listed below

4. Right click the policy and select enable or disable depending on the task

5. Select OK

6. Run GPUpdate.exe from the command prompt of the server

For the other policies a new group policy object will be created and then linked to the applicable groups, users, or devices in Active Directory. The following Group Policy items will be edited to provide better security and follow industry best practices for the network.

Password Policy

Password policy will be edited to enforce complex passwords, enforce changing of passwords, account lockouts for wrong password inputs, and password history. Complexity requirements will be 12 characters with at least one special character, one number, one uppercase letter, and one lowercase letter. Password history requirements will not allow users to change their password before five days, will not let users reuse their previous 20 passwords, and will force users to change their passwords at least every 90 days. Account lockout policies will consist of an account being locked after three unsuccessful logon attempts, and the account will only be unlocked after an administrator unlocks it in Active Directory. In the Group Policy editor the password policies are located in Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies. The instructions above will be followed to edit this policy setting.
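The account policy values above can also be applied and verified from PowerShell, since the default domain password policy is what the Account Policies node edits. The following script is an added example, not one of the project document's own commands; it assumes the ActiveDirectory module and Domain Admin rights in WWTC.com, and Test-WWTCPasswordPolicy is a function written for this example.

```powershell
# Added example (not the project document's own commands): applies the
# password, history and lockout values from the Password Policy section to
# the WWTC.com default domain policy, reads them back, and lists accounts
# waiting for an administrator unlock. Assumes the ActiveDirectory module
# and Domain Admin rights.
Import-Module ActiveDirectory

$domain = "WWTC.com"

$policy = @{
    Identity                 = $domain
    ComplexityEnabled        = $true                    # upper, lower, digit, special
    MinPasswordLength        = 12
    PasswordHistoryCount     = 20                       # previous 20 passwords rejected
    MinPasswordAge           = (New-TimeSpan -Days 5)   # no change before five days
    MaxPasswordAge           = (New-TimeSpan -Days 90)  # forced change every 90 days
    LockoutThreshold         = 3                        # three failed logons
    LockoutDuration          = [TimeSpan]::Zero         # 0 = locked until an admin unlocks
    LockoutObservationWindow = (New-TimeSpan -Minutes 30)
}
Set-ADDefaultDomainPasswordPolicy @policy

function Test-WWTCPasswordPolicy {
    # Helper for this example: reads the effective policy back and warns
    # about any setting that has drifted from the plan. Returns $true if all match.
    $actual   = Get-ADDefaultDomainPasswordPolicy -Identity $domain
    $expected = @{
        ComplexityEnabled    = $true
        MinPasswordLength    = 12
        PasswordHistoryCount = 20
        LockoutThreshold     = 3
    }
    $ok = $true
    foreach ($name in $expected.Keys) {
        if ($actual.$name -ne $expected[$name]) {
            Write-Warning "$name is $($actual.$name); plan requires $($expected[$name])"
            $ok = $false
        }
    }
    if ($actual.MinPasswordAge.Days -ne 5 -or $actual.MaxPasswordAge.Days -ne 90) {
        Write-Warning "Password age is $($actual.MinPasswordAge.Days)/$($actual.MaxPasswordAge.Days) days; plan requires 5/90"
        $ok = $false
    }
    if ($actual.LockoutDuration -ne [TimeSpan]::Zero) {
        Write-Warning "LockoutDuration is $($actual.LockoutDuration); accounts must stay locked until an admin unlocks them"
        $ok = $false
    }
    return $ok
}
Test-WWTCPasswordPolicy

# Accounts currently locked out, for the administrator review the policy requires
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName
```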

Administrators Accounts

The default administrator account will be renamed to something other than Administrator to make it more difficult for anyone trying to guess administrator account credentials. In the Group Policy editor the administrator account policy is located in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. The instructions above will be followed to edit this policy setting.

Audit Policies

System and security events will be audited and logged. Administrators will review these logs consistently for security deviations and irregularities. To enable the various settings, administrators will navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration. The instructions above will be followed to edit this policy setting.

Removable Media Policies

Removable media drives such as CD/DVD drives and USB slots will be disabled. The only users allowed to use these removable media drives will be administrators. To configure this group policy, administrators will navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access. The instructions above will be followed to edit this policy setting.

BitLocker

Bitlocker whole drive encryption will be forced on computers designated as a risk to be lost or stolen such as laptops and on devices containing sensitive information. Administrators will navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Bitlocker Drive Encryption. The instructions above will be followed to edit this policy setting.

Automatic Updates

Automatic updates will be forced on devices on the network to ensure the latest security patches and software updates are installed. To configure automatic updates, administrators will navigate to Computer Configuration > Administrative Templates > Windows > Windows Update under the WWTC domain policy. The instructions above will be followed to edit this policy setting.

User Access Control

This policy will ensure background applications or software code cannot make changes without the change first being authorized. To enable UAC, administrators will navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The instructions above will be followed to edit this policy setting.

Once the applicable GPO has been updated it needs to be linked to an object. In order to link the GPO, administrators right-click the applicable OU, group, or container in the GPO editor and then select Link an Existing GPO, as seen below:
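The create-link-configure sequence described in this section can be scripted so the same GPO lands on the NEWYORK OU identically every time. The following script is an added example, not one of the project document's own commands; it assumes the GroupPolicy module (RSAT) on a domain-joined administrative workstation, and sets the Removable Storage, Windows Update and UAC values through their registry-backed policy keys rather than through the GUI paths given above.

```powershell
# Added example (not the project document's own commands): creates the
# "WWTC GPO" named in the steps above, links it to the NEWYORK OU, and sets
# the Removable Storage, Windows Update and UAC policies from this section
# through the registry keys those policies are backed by. Assumes the
# GroupPolicy module (RSAT) on a domain-joined admin workstation.
Import-Module GroupPolicy

$gpoName  = "WWTC GPO"
$targetOU = "OU=NEWYORK,DC=WWTC,DC=COM"

# Create the GPO only if it does not already exist
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Least-privilege baseline for the Wall Street office"
}

# Link to the OU (step "Link an Existing GPO") and enforce it so a
# lower-level OU cannot block inheritance of the security settings
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks |
          Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Removable Storage Access: "All Removable Storage classes: Deny all access"
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices" `
    -ValueName "Deny_All" -Type DWord -Value 1 | Out-Null

# Windows Update: automatic updates on, auto download and schedule install (AUOptions 4)
$au = "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
Set-GPRegistryValue -Name $gpoName -Key $au -ValueName "NoAutoUpdate" -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $au -ValueName "AUOptions"    -Type DWord -Value 4 | Out-Null

# User Account Control: keep UAC enabled and prompt administrators for
# consent on the secure desktop before any elevation
$uac = "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
Set-GPRegistryValue -Name $gpoName -Key $uac -ValueName "EnableLUA" -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $uac -ValueName "ConsentPromptBehaviorAdmin" -Type DWord -Value 2 | Out-Null

# Export a report so the settings can be reviewed before running gpupdate on clients
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\WWTC-GPO.html"
```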

Project Time Line

Date Completed      Project Milestone

January 24, 2016    Identified business and design requirements for LAN, VoIP, Wireless, Security, and Active Directory.

January 28, 2016    Received client's feedback on business and design requirements for LAN, VoIP, Wireless, Security, and Active Directory.

January 31, 2016    Initial design for the LAN, VoIP, and Wireless for WWTC has been submitted for client review.

February 11, 2016   Received LAN, VoIP, and Wireless design modification request from client.

February 14, 2016   Initial security design and security policies for WWTC have been submitted for client review.

February 21, 2016   Received security design and security policies modification requests from client.

February 21, 2016   Initial Active Directory design for WWTC has been submitted for client review.

February 26, 2016   Received Active Directory design modification request from client.

February 28, 2016   Final designs for LAN, VoIP, Wireless, Security, and Active Directory are submitted to client.

References

Cisco. (2011, January 31). Cisco ASA 5505 Quick Start Guide. Retrieved from http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5505/5505-poster.html

Cisco. (2015). Configuring VLANs. Retrieved from http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/VLANs.html#71793

Configure Cisco Router Step by Step Guide. (n.d.). Retrieved February 27, 2016, from http://computernetworkingnotes.com/routing-static-dynamics-rip-ospf-igrp-eigrp/basic-router-configurations.html

Evans, J. (2013, October 6). Configure Server 2012 CA for Smartcard Authentication. EduTech. Retrieved from http://www.edutech.me.uk/microsoft/identity-and-access-management/authentication/configure-server-2012-ca-for-smartcard-authentication/

Hasayen, A. (2014, February 4). Deploying Windows using Windows 2012 Deployment Services WDS – Part 1. Ammar Hasayen. Retrieved from https://ammarhasayen.com/2014/02/04/deploying-windows-using-windows-2012-deployment-services-wds-part-1/

Joyner, J. (2013, June 23). How to use IP Address Management in Windows Server 2012. TechRepublic. Retrieved from http://www.techrepublic.com/blog/data-center/how-to-use-ip-address-management-in-windows-server-2012/

Lewis, B. (2012, November 12). BranchCache in Microsoft Windows Server 2012. TechNet Blog. Retrieved from http://blogs.technet.com/b/brianlewis/archive/2012/11/14/branchcache-in-microsoft-windowws-server-2012.aspx

Microsoft. (2012, February 29). Configure the Network Access Server. Retrieved from https://technet.microsoft.com/en-us/library/cc754040(v=ws.10).aspx

Savill, J. (2013, May 29). Windows Server 2012 File Classification Infrastructure. Windows IT Pro. Retrieved from http://windowsitpro.com/windows-server-2012/windows-server-2012-fci

Technet. (2005, January 21). Planning DHCP networks. Microsoft. Retrieved February 24, 2016, from https://technet.microsoft.com/en-us/library/cc786002(v=ws.10).aspx

Technet. (2012, May 31). Deploy Automatic File Classification. Microsoft. Retrieved from https://technet.microsoft.com/en-us/library/hh831672.aspx

UIC ACCC. (2015, July 15). How do I configure Active Directory to store Bitlocker recovery information? Retrieved from http://accc.uic.edu/answer/how-do-i-configure-active-directory-store-bitlocker-recovery-information

Viveknayyar. (2013, December 30). Enable DNS Integration with Windows Server 2012 DHCP Server. Tom's Hardware. Retrieved February 24, 2016, from http://www.tomshardware.com/faq/id-1954386/enable-dns-integration-windows-server-2012-dhcp-server.html

[Figure: network diagram showing the LAN router, external WAN router, switches 1-5 (switch 5 serving the server farm), and VLANs 8 (System/Network Admin), 9 (Printer), 10 (Server Farm), 11 (VoIP), and 12 (Wireless)]