Bril Ans

Table of Contents

Table of Contents………………………………………………………………………………...1

Introduction………………………………………………………………………..……………..2

Project Contacts List…………………………………………………………………………….3

LAN Implementation…………………………………………………………………………….3

Router Configuration……………………………………………………………………...7

Switch Configuration……………………………………………………………………..9

Security Implementation……………………………………………………………………….11

Firewall Configuration…………………………………………………………………...12

VPN Configuration………………………………………………………………………13

Access Control List (ACL) Configuration……………………………………………….13

Security Technologies……………………………………………………………………14

Active Directory Implementation ……………………………………………………………..15

Install AD DS Role………………………………………………………………………17

DHCP and DNS Configuration………………………………………………………….18

AD Policies and Features………………………………………………………………...19

Active Directory Group Formation………………………………………………………23

Active Directory GPO Implementation………………………………………………….24

Project Milestone Timeline…………………………………………………………………….26

References………….……………………………………………………………………………27

Introduction

The purpose of the following document is to layout an implementation plan for WWTC’s New York office network infrastructure. WWTC has many business requirements that were considered when choosing appropriate services and hardware for the new network. These specific justifications for network services and features can be seen in the preceding documents detailing the LAN, VoIP, security design, policies, and Active Directory design submissions. This implementation plan will bring all these designs together and detail the specific configurations for all hardware devices to be installed on the network. This plan will also detail the timeline in which the project should be completed as well as outlining key milestone dates for that need to be met in order to keep the overall project on schedule.

Along with hardware configurations for the devices such as routers, switches and firewalls, software configurations have also been included. Software services such as Active Directory (AD), DHCP, DNS, and various GPOs will also be implemented on the network. Various key policies have also been identified that need to be implemented and specific guidelines on how to implement these policies has also been included. This new network for WWTC is fairly complex and will require some time to fully implement. However, it is imperative that this implementation plan be carefully followed as it was designed with modularity in mind and each module builds on the others in a sequence. Should any design or implementation issues or concerns arise during the carryout of this plan, please contact one of the officials designated in the projects contacts list seen in Table 1.

Project Contacts List

Table 1. Project Contacts List

LAN Implementation

The first part of the new network to implement is the local network as this will serve as the base infrastructure in which all other portions and services on the network will be built upon. The LAN is how all the devices on the network will communicate. The current network media installed in the office has sufficient speeds for the new network to operate, so only hardware devices need to be installed and configured. This LAN implementation will also employ a hierarchical IP addressing scheme that will segregate the main WWTC network into multiple subnets that are logically separated on the same physical network. This is done for security and also for efficiency. The core networking devices such as the various levels of routers and switches will be configured as these are subnet boundary devices and ensure traffic destined for a specific host, subnet, or VLAN makes it to its destination in the most efficient way. In addition to configuring the hardware devices, redundancies will also be implemented to ensure constant network availability. There will not be any devices that pose a threat of being a single point of failure as this is a risk that is unneeded. Redundancies at the network device level is crucial to maintaining availability in the event that a hardware failure should occur. A successful deployment of the WWTC LAN is paramount as it will act as the backbone communication method for the rest of the features and services installed on the new network. Table 2 details the LAN implementation task list to be completed.

Table 2. WWTC LAN Implementation Tasks

Before full LAN implementation can begin, addressing schemes need to be identified. Table 3 show all link addresses for the switches and routers on the network and their redundant link addresses while Figure 1 visually illustrates them on a high level network diagram. These addresses will serve as the communication links between all the network devices and represent the backbone of the WWTC network. All data and voice traffic will be transmitted through these devices and along the network media that physically connects them. Use a combination of Tables 3, 4, and Figure 1 to configure each network device with the appropriate IP address and VLAN when following the configuration steps below.

Table 3. WWTC Infrastructure Device Link IP Addresses

Figure 1. WWTC Device Link IP Addresses

Table 4. WWTC VLAN and Subnet Addressing Scheme

Router Configuration

The following configuration example should be followed to configure CR1 and CR2. The example shown is for CR1 but the same commands are used for both routers. The following shows initial configuration including device name, login authentication, VLAN creation and configuration, and DHCP pools for the VLAN assignments.

Router> enable

Router# configure terminal

Router (config) # hostname CR1

CR1(config)# ip domain-name WWTC.com

CR1(config)# enable secret P@ssw0rd

CR1(config)# username Admin secret P@ssw0rd

CR1(config)# crypto key generate rsa 2048

CR1(config)# line con 0

CR1(config-line)# login local

CR1(config-line)# exit

CR1(config)# line vty 0 4

CR1(config-line)# login local

CR1(config-line)# transport input ssh

CR1(config-line)# exec-timeout 1 00

CR1(config-line)# exit

CR1(config)# line vty 5 15

CR1(config-line)# login

CR1(config-line)# exit

CR1(config)# no logging console

CR1(config)# no ip domain-lookup

CR1(config)#int gi0/0.1

CR1(config-subif)#encapsulation dot1q vlan 100

CR1(config-subif)#ip address 172.16.1.0 255.255.255.128

CR1(config)# description Server

CR1(config-subif)#int gi0/0.2

CR1(config-subif)#encapsulation dot1q vlan 110

CR1(config-subif)#ip address 172.16.1.129 255.255.255.192

CR1(config)# description OPR

CR1(config-subif)#int gi0/0.3

CR1(config-subif)#encapsulation dot1q vlan 120

CR1(config-subif)#ip address 172.16.2.0 255.255.255.192

CR1(config)# description NE

CR1(config-subif)#int gi0/0.4

CR1(config-subif)#encapsulation dot1q vlan 130

CR1(config-subif)#ip address 172.16.2.64 255.255.255.192

CR1(config)# description NW

CR1(config-subif)#int gi0/0.5

CR1(config-subif)#encapsulation dot1q vlan 140

CR1(config-subif)#ip address 172.16.2.128 255.255.255.192

CR1(config)# description SE

CR1(config-subif)#int gi0/0.6

CR1(config-subif)#encapsulation dot1q vlan 150

CR1(config-subif)#ip address 172.16.2.192 255.255.255.192

CR1(config)# description SW

CR1(config-subif)#int gi0/0.7

CR1(config-subif)#encapsulation dot1q vlan 160

CR1(config-subif)#ip address 172.16.3.0 255.255.255.192

CR1(config)# description MID

CR1(config-subif)#int gi0/0.8

CR1(config-subif)#encapsulation dot1q vlan 170

CR1(config-subif)#ip address 172.16.4.0 255.255.255.0

CR1(config)# description Wireless

CR1(config-subif)#int gi0/0.9

CR1(config-subif)#encapsulation dot1q vlan 180

CR1(config-subif)#ip address 172.16.5.0 255.255.255.0

CR1(config)# description Voice

CR1(config-subif)#exit

CR1(config)#ip name-server x.x.x.x

CR1(config)#default router x.x.x.x

CR1(config)#ip dhcp pool vlan100

CR1(config-dhcp)#network 172.16.1.0 255.255.255.128

CR1(config-dhcp)#ip dhcp pool vlan110

CR1(config-dhcp)#network 172.16.1.129 255.255.255.192

CR1(config-dhcp)#ip dhcp pool vlan120

CR1(config-dhcp)#network 172.16.2.0 255.255.255.192

CR1(config-dhcp)#ip dhcp pool vlan130

CR1(config-dhcp)#network 172.16.2.64 255.255.255.192

CR1(config-dhcp)#ip dhcp pool vlan140

CR1(config-dhcp)#network 172.16.2.128 255.255.255.192

CR1(config-dhcp)#ip dhcp pool vlan150

CR1(config-dhcp)#network 172.16.2.192 255.255.255.192

CR1(config-dhcp)#ip dhcp pool vlan160

CR1(config-dhcp)#network 172.16.3.0 255.255.255.192

CR1(config-dhcp)#ip dhcp pool vlan170

CR1(config-dhcp)#network 172.16.4.0 255.255.255.0

CR1(config-dhcp)#ip dhcp pool vlan180

CR1(config-dhcp)#network 172.16.5.0 255.255.255.0

CR1(config-dhcp)#end

CR1#copy run start

Switch Configuration

The following example should be used to configure all switches on the network. The commands can be used interchangeably between all the switches, DSW1, DSW2, ASW1-6, SSW1, and SSW2. The configuration includes examples on initial device configuration, login authentication, login banner, configuration of VLANS per port ranges including VoIP and Wireless, setting port security per port ranges, and implementing trunk ports for switch to switch connections. The port ranges to be used are specific to the switch being configured.

Switch>enable

Switch#conf t

Switch(config)# hostname DSW1

DSW1(config)# ip domain-name WWTC.com

DSW1(config)# enable secret P@ssw0rd

DSW1(config)# username Admin secret P@ssw0rd

DSW1(config)# crypto key generate rsa 2048

DSW1(config)# line con 0

DSW1(config-line)# login local

DSW1(config-line)# exit

DSW1(config)# line vty 0 4

DSW1(config-line)# login local

DSW1(config-line)# transport input ssh

DSW1(config-line)# exec-timeout 1 00

DSW1(config-line)# exit

DSW1(config)# line vty 5 15

DSW1(config-line)# login

DSW1(config-line)# exit

DSW1(config)# no logging console

DSW1(config)# no ip domain-lookup

DSW1(config)#banner motd *WARNING

You are accessing a WWTC network device.*

DSW1(config)#banner login *Unauthorized access will be prosecuted*

DSW1(config)#vlan 100

DSW1(config-vlan)#name Server

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 100

DSW1(config-if-range)#vlan 110

DSW1(config-vlan)#name OPR

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 110

DSW1(config-if-range)#vlan 120

DSW1(config-vlan)#name NE

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 120

DSW1(config-if-range)#vlan 130

DSW1(config-vlan)#name NW

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 130

DSW1(config)#vlan 140

DSW1(config-vlan)#name SE

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 140

DSW1(config-if-range)#vlan 150

DSW1(config-vlan)#name SW

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 150

DSW1(config-if-range)#vlan 160

DSW1(config-vlan)#name MID

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 160

DSW1(config-if-range)#vlan 170

DSW1(config-vlan)#name Wireless

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 170

DSW1(config-if-range)#vlan 180

DSW1(config-vlan)#name Voice

DSW1(config-vlan)#int range gi0/x-x

DSW1(config-if-range)#switchport mode access

DSW1(config-if-range)#switchport access vlan 180

DSW1(config-if-range)#exit

DSW1(config)#int range gi0/x-x

DSW1(config-if-range)#switchport port-security

DSW1(config-if-range)#switchport port-security maximum 2

DSW1(config-if-range)#switchport port-security shutdown

DSW1(config-if-range)#int range gi0/x-x

DSW1(config-if-range)#switchport mode trunk

DSW1(config-if-range)#end

DSW1#copy run start

Security Implementation

Table 5 shows the steps to be taken to implement the prescribed security controls in place for the network. The resources located on the WWTC network are extremely valuable and require careful protection. Any type of data loss or exposure poses a significant threat to WWTC and its customers. Some security measures have already been covered in this document including, switch-port security, network device authentication, and VLAN security. Other security requirements, such as firewall configuration, DMZ configuration and access control list (ACL) configuration are also required in conjunction with the network device security measures already covered.

Table 5. Security Implementation Tasks

Firewall Configuration

Follow the following steps for initial setup of the Cisco Firepower 4100 Firewall ("Cisco Firepower Chassis Manager Configuration Guide, 2.2(1)", n.d.)

1. Connect to the firewall console port

2. Use a web browser to navigate to the IP address of the firewall per the included firewall documentation

3. When the unconfigured system boots, a setup wizard prompts you for the following information required to configure the system:

· Setup mode (restore from full system backup or initial setup)

· Strong password enforcement policy

· Admin password

· System name

· Management port IPv4 address and subnet mask

· Default gateway IPv4

· DNS Server IPv4

· Default domain name

A DMZ can be configured using the Public Server Configuration Wizard on the firewall. This automatically separates a public facing web server from the internal network, keeping them logically separate. This will ensure that traffic destined for the web server does not traverse over WWTC’s private network. This installation wizard requires private and public IP address of the server as well as the services running, like HTTP/HTTPS. All unneeded services should be disabled. Port security on the firewall should also be configured to allow/disallow traffic over specific ports. This security feature blocks all traffic sent over specifically blocked ports and will stop attacks before they make it into the network. Additionally, under the Firewall Rules tab is where specific rules for allowing traffic can be set in accordance with the security policies document. This rules tab should mirror the policies set forth to protect the network.

VPN Configuration

Also within the firewall is the ability to configure a VPN for site-to-site and remote access for users. This provides a secure means for employees to access internal WWTC resources while physically outside of the network. The VPN Wizard tab allows for the creation of the VPN services and can be linked to the other WWTC branch offices for secure links. The wizard takes the user through a step by step process to configure the VPN service on the firewall. This should be followed to create a site-to-site VPN and well as an IPsec Remote Access VPN for remote users.

Access Control List (ACL) Configuration

ACLs are used to either allow or deny specific hosts or even subnets from accessing network resources. ACLs filter network traffic by controlling whether routed packets should be forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop the packet, based on the criteria specified by the various ACLs ("Configure Standard Access Control List", 2017). There are many rules that can be associated with a single ACL. These rules should be based on the need for security and access to sensitive areas of the WWTC network. For instance, a good rule that should be implemented through the use of an ACL is to restrict any user who is not a part of the server VLAN from remotely accessing servers for maintenance or diagnostics. The example below shows how to add this ACL and can be used as a template for additional ACLs. The commands used within the creation of an ACL are followed in order, therefore, an absolute rule should be placed as the last rule to either allow or deny all further traffic.

CR1>enable

CR1#conf t

CR1(config)#access-list 1 permit 172.16.1.0 0.0.0.127

>>>Creates access list for Server VLAN IP address range to allow

CR1(config)#access-list 1 deny any any

>>>Adds rule to access list to deny any IP not in the above range

CR1(config)#end

CR1(config)#copy run start

Security Technologies

The primary goal of the security implementations is to protect WWTC’s most valuable assets from attacks. Applying security techniques throughout the network employs defense in depth methodology and eliminates a single point of failure for an intruder to gain access. Even if an intruder were to make it past the firewall, they would still have to navigate past the other security implementations in order to exploit the network. A modular and scalable network design combined with defense in depth methodology is the ideal security architecture basis for the WWTC New York office. This provides redundancy, future growth, and security in an integrated package that meets WWTC’s business goals and enables future growth.

Figure 2 depicts a high level security design for the WWTC New York office that will help protect on the network level. This will halt attacks before they make it to the sensitive internal network that houses confidential data about both the company and its customers. Each level of the network acts as a defense mechanism from the border firewalls to the end users and their computing devices. The firewall will help protect against DoS attacks, reconnaissance attacks, and others with the help of other network devices like the switches and routers (Cohen, 2014). The end user devices help protect from malware attacks and access attacks that can be used as an initial entry point for a larger network based attack. All of these network devices and the architecture around them work together to provide defense in depth for the network and WWTC as a whole.

Figure 2. WWTC Network Device Security Technologies Design

Active Directory Implementation

Active Directory (AD) is a key component for any organization to successfully manage users, groups, resources, policies, and devices on a network while maintaining security. Table 6 shows the tasks necessary in order to implement AD on the WWTC network in order to manage resources and users. AD also allows administrators to logically organize the and configure users and resources based on their assignment within the physical organization of WWTC. This increases productivity and security by only allowing appropriate resources to users and limiting what they can access based on their role within the organization.

Table 6. Active Directory Implementation Tasks

Install AD DS Role

The configuration example below details the step by step process to install AD DS, create the root domain, create the child domain, create Organizational Units (OU), and create replication sites all the PowerShell but it can also be implemented through Server Manager ("Install Active Directory Domain Services", 2017). The OU structure, which includes the parent (WWTC.com) and child domain (NY.WWTC.com) can be seen in Figure 3.

1. Type, Add-WindowsFeature AD-Domain-Services

2. Type, Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath 'C:\Windows\NTDS' -DomainMode 'Win2012' -DomainName 'WWTC.com' -DomainNetbiosName 'WWTC' -ForestMode 'Win2012' -InstallDns:$true -LogPath 'C:\Windows\NTDS' -NoRebootOnCompletion:$true -SysvolPath 'C:\Windows\SYSVOL' -Force:$true

3. Type, Install-ADDSDomain -NoGlobalCatalog:$false –CreateDNSDelegation -Credential (Get-Credential) -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2012" -DomainType "ChildDomain" -InstallDNS:$true -LogPath "CEx:\Windows\NTDS" -NewDomainName "NYC" -NewDomainNetBIOSName "NYC" -ParentDomainName "WWTC.com" -Norebootoncompletion:$false -SiteName "Default-First-Site-Name" -SYSVOLPath "C:\Windows\SYSVOL" -Force:$true

4. Type, New-ADReplicationSiteLink -Name "WWTC-NYC" -SitesIncluded HQ,NYC -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

5. Type, New-ADOrganizationalUnit -Name "NEWYORK" -Path "DC=WWTC,DC=COM"

6. Type, New-ADOrganizationalUnit -Name "VP OPR" -Path "OU=NEWYORK,DC=WWTC,DC=COM”

NOTE: Repeat step 6 replacing –Name “parameter” with the following OU names:

a. VP NW

b. VP NE

c. VP SW

d. VP SE

e. VP MID

Figure 3. WWTC New York Office Active Directory OU Structure

DHCP and DNS Configuration

DHCP and DNS services are vital for communication across the network. DHCP dynamically delivers configuration information to hosts on the network over a TCP/IP network. Without this configuration information, users would not be able to communicate to other users or services on the network or on the Internet. DNS provides name resolution services for devices on the network. This service allows users to only have to remember a user-friendly name of a website or service instead of a lengthy FQDN or IP address. It also works in reverse when properly configured. The steps below detail how to install and initially configure DHCP and DNS using Server Manager ("Configure DHCP Using Policy-based Assignment", 2013).

1. In Server Manager, under Configure this local server, click Add Roles and Features.

2. In the Add Roles and Features Wizard, click Next three times, and then on the Select server roles page select the Active Directory Domain Services checkbox.

3. When you are prompted to add required features, click Add Features.

4. Select the DHCP Server checkbox.

5. When you are prompted to add required features, click Add Features.

6. Select the DNS Server checkbox.

7. When you are prompted to add required features, click Add Features.

8. Click Next five times, and then click Install.

9. Wait for the installation process to complete, verify on the Installation progress page that Configuration required. Installation succeeded on the server is displayed, and then click Close.

A DHCP scope is the range of IP addresses that the DHCP server can lease to clients on a specific subnets. These scopes ensure that hosts on different subnets do not get assigned addresses outside of that specified pool. Therefore, VP OPR employees will be assigned IP addresses based on the scope created for the VP OPR subnet and OU. A list of IP address ranges for each subnet can be seen in Table 4 earlier in this document. The steps below detail how to create DHCP scopes based on the information found in Table 4. IP address information and scope name should change based on the associated subnet/scope being created ("Configure DHCP Using Policy-based Assignment", 2013).

1. In the DHCP console tree, navigate to IPv4. Right-click IPv4 and then click New Scope. The New Scope Wizard opens.

2. Click Next and then type a name for the new scope next to Name (ex: VPOPR-DHCP).

3. Click Next and then in IP Address Range, type 172.16.1.129 next to Start IP address, type 172.16.1.193 next to End IP address, and type 25 next to Length. The value of Subnet mask will change automatically to 255.255.255.128.

4. Click Next and then in Lease Duration under Limited to enter 16 Days, 0 Hours, and 0 Minutes. The lease date can be adjusted based on business needs.

5. Click Next three times, and then in Domain Name and DNS Servers, verify that the Parent domain is WWTC.com.

6. Click Next twice, and then in Activate Scope select Yes, I want to activate this scope now.

7. Click Next, and then click Finish.

8. In the DHCP console tree, right-click VPOPR-DHCP.WWTC.com, and then click Authorize.

9. Refresh the view in the DHCP console and verify that the scope is authorized and is active.

Active Directory Policies and Features

Table 7 details AD policies and features that are required to meet and support WWTC business goals. There are obviously many other AD roles and features that can be implemented on the WWTC network, but the ones outlined in the table represent the features that are required based on current business needs.

Table 7. WWTC Active Directory Services Overview

DNS and DHCP configurations have already been covered. Bitlocker and BranchCache will be covered in the GPO configuration section later in this document. Failover clustering will add fault tolerance to the network and ensure that access to information is not limited by a single point of failure. The steps below detail on how to install and implement failover clustering which adds redundancy should hardware fail ("Failover Cluster Guide", 2012).

1. In the Add Features Wizard, click Failover Clustering, and then click Install.

2. Follow the instructions in the wizard to complete the installation of the feature. When the wizard finishes, close it.

3. Repeat the process for each server that you want to include in the cluster.

4. To open the failover cluster snap-in, click Start, click Administrative Tools, and then click Failover Cluster Management. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

5. Confirm that Failover Cluster Management is selected and then, in the center pane under Management, click Create a cluster.

6. Follow the instructions in the wizard and input the following information:

a. The servers to include in the cluster.

b. The name of the cluster.

c. Any IP address information that is not automatically supplied by your DHCP settings.

7. After the wizard runs and the Summary page appears, to view a report of the tasks the wizard performed, click View Report.

8. To close the wizard, click Finish.

The IPAM feature gives administrators complete visibility into the IP address infrastructure all in one shot. This tool can be used to monitor the IP address space for the New York office and make changes as needed. This can include increasing or decreasing DHCP lease times or changing the subnet mask of a particular subnet if more or less addresses are required. This increases scalability and manageability on the network without increasing the workload for the local administrators. IPAM is installed the same way that all other AD roles and features are installed, so the steps below detail IPAM configuration (Roman, 2013).

1. On the IPAM Overview page, click Configure server discovery.

2. Choose each domain that you will manage with the current IPAM server by selecting it from the drop-down list and then clicking Add.

3. To remove a domain from the scope of discovery, click the domain and then click Remove.

4. By default all server roles are enabled in the domains you select. To remove a server role from the scope of discovery for a specific domain, de-select the checkbox under the appropriate server role.

5. Click OK when you are finished.

6. On the IPAM Overview page, click Start server discovery. This will start the IPAM ServerDiscovery task. Alternatively, you can click Manage on the IPAM console menu, and then click Start Server Discovery.

7. Wait for the task to complete. You can click the notification flag to view status of the ServerDiscovery task if desired.

8. When the task has completed running, view the Server inventory page to display the list of discovered servers.

9. If the list of discovered servers is incomplete, verify that the correct node is selected in the lower navigation pane. By default, IPv4 is selected. You can click Refresh to ensure the view is current.

WDS will also be implemented. This feature allows an administrator to remotely install a new operating system on a machine. This saves time by not having to physically visit each machine. This network based style of installation reduces complexity and can be used to deliver operating systems with preconfigured settings and applications already installed. The steps below detail on how to install and implement WDS using Server Manager ("Windows Deployment Services", 2015).

1. In Server Manager, click Add roles and features, click Next.

2. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

3. On the Select destination server page, select the appropriate server, and then click Next. NOTE: The local server is selected by default.

4. On the Select server roles page, scroll down and then select the Windows Deployment Services check box. Click Next.

5. Remote Server Administration Tools are required to manage this feature. Select Include management tools (if applicable). Click Add Features. Click Next.

6. On the Select features page, click Next.

7. On the Select role services page, select the role services to install for Windows Deployment Services. If you wish to install both the Deployment Server and Transport Server, leave these role services selected. Click Next.

8. On the Confirm installation selections page, click Install.

9. Windows Deployment Services will now be added to the server. Installation progress will now be illustrated in the Add Roles and Features Wizard.

Active Directory Group Formation

Groups are a further breakdown of users and devices within the AD structure. Group are designed to assign permission levels and make it easier to manage users and devices with similar roles within the organization. The scopes of the groups can be domain local, global, or universal groups. Domain local groups grant resource permissions on any machines in that particular domain. This means that the permissions applied to a domain local group on the New York domain only has an effect at the New York office. This can be used if there are specific policies that are enforced at one domain location but not others. Domain local groups can also be used for temporary accounts for contractors or interns that will only reside at one domain while at WWTC. This can also be used as a security measure in that the temporary would not be able to enter another branch office and access the resources at the other office.

Global groups also grant permission on the domain level, but can be applied to any domain within the forest. The global groups are more aimed towards the everyday employees and the objects they are assigned too. This ensures that the permission they have at the New York office are the same at other WWTC locations as long as that same group also exists in another domain. For WWTC, this would include all users and devices with the various OUs in AD and each will be assigned to the global group that applies to their department and role. Universal groups are assigned permissions across all domains within the forest. Universal groups should be selectively used as their permissions span the entire enterprise (Dubey, 2011). This type of group should mainly be reserved for those that require permissions across the entire forest.

Groups can be created from Server Manager or from PowerShell. When creating multiple groups in a short amount of time, the PowerShell command line may be a more efficient way to create new groups. Examples of groups for WWTC can be seen in Figure 3 above and can be expanded to include groups by job position including: Execs, Managers, Brokers, HR, Accounting, IT, and Staff. The example below shows how to create a single group using PowerShell’s command line interface. The name, OU, and group type can be substituted with appropriate options for the group being added.

NEW-ADGroup –name “Execs” –groupscope Global –path “OU=VPOPR,DC=NY.WWTC,DC=local”

Active Directory GPO Implementation

A GPO is a set of rules and policies that define how a user or group of users can behave on the network. GPOs are used to enforce the overall policies set forth by organizational security policies and should directly mirror those policies. GPOs can be applied at the domain level, OU level, or object level. More generic rules would be applied at the domain level, while more specific GPOs would be applied closer to specific groups or users and devices. Applying GPOs enables centralized configuration control for administrators and makes it easier to implement rules on a network level (Melber, 2015). Once a GPO is created with the desired sections, different global groups can be added to that GPO and the settings would be applied. The policies at the domain level will be mostly generic and all-encompassing when security is concerned. The policies set for specific groups and departments will be more finely tuned and tailored for those specific groups and will provide additional security at a granular level. The example below shows how to create a new GPO and also how to edit it using the Group Policy Management Console (GPMC) ("Create and Edit a Group Policy Object", 2012).

1. In the GPMC console tree, right-click Group Policy Objects in the forest and domain in which you want to create a GPO.

2. Click New .

3. In the New GPO dialog box, specify a name for the new GPO, and then click OK .

1. In the GPMC console tree, double-click Group Policy Objects in the forest and domain containing the GPO that you want to edit.

2. Right-click the GPO, and then click Edit .

3. In the console tree, edit the settings as appropriate.

The example below shows how to create a password policy GPO using PowerShell. It is a single command that sets the minimum password length to 10 characters, enables password complexity requirements, makes the maximum password age to 45 days, minimum age to 1 day, and lockout duration to 30 minutes after 3 failed attempts to log in.

Set-ADDefaultDomainPasswordPolicy -Identity WWTC.com -ComplexityEnabled $true -MinPasswordLength 10 -MinPasswordAge 1 -MaxPasswordAge 45 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3

Table 8 depicts a short list of other essential GPOs that should be implemented. There are thousands of GPO settings that can be adjusted, but not all of them apply or are useful for the WWTC deployment. All of the GPO settings below are found in GPMC using the following path: Computer Configuration\Windows Setting\Security Settings.

Table 8. WWTC GPOs To Implement

Project Milestone Timeline

Table 9. WWTC New York Office Project Milestone Timeline

References:

Cisco Firepower Chassis Manager Configuration Guide, 2.2(1). Cisco. Retrieved 29 July 2017, from http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/web-guide/b_GUI_FXOS_ConfigGuide_221/getting_started.html

Configure Standard Access Control List. (2017). Computernetworkingnotes.com. Retrieved 29 July 2017, from http://www.computernetworkingnotes.com/ccna-study-guide/configure-standard-access-control-list-step-by-step-guide.html

Install Active Directory Domain Services. (2017). Docs.microsoft.com. Retrieved 29 July 2017, from https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PSForest

Configure DHCP Using Policy-based Assignment. (2013). Technet.microsoft.com. Retrieved 29 July 2017, from https://technet.microsoft.com/en-us/library/hh831538(v=ws.11).aspx

Failover Cluster Guide. (2012). Technet.microsoft.com. Retrieved 29 July 2017, from https://technet.microsoft.com/en-us/library/cc731844(v=ws.10).aspx

Roman, P. (2013). Step-By-Step: Setup Windows Server 2012 IPAM in your environment. Technet.microsoft.com. Retrieved 29 July 2017, from https://blogs.technet.microsoft.com/canitpro/2013/08/15/step-by-step-setup-windows-server-2012-ipam-in-your-environment/

Windows Deployment Services. (2015). Technet.microsoft.com. Retrieved 29 July 2017, from https://technet.microsoft.com/en-us/library/jj648426(v=ws.11).aspx

Dubey, S. (2011). Universal groups, global groups, domain local groups. Retrieved 23 July 2017, from https://sandeshdubey.wordpress.com/2011/10/23/ad-group-types-universal-groups-global-groups-domain-local-groups/

Melber, D. (2015). Windows Administration: 10 Easy Ways To Lock Down Your Computer. Technet.microsoft.com. Retrieved 23 July 2017, from https://technet.microsoft.com/en-us/library/2015.05.lockdown.aspx

Create and Edit a Group Policy Object. (2012). Technet.microsoft.com. Retrieved 30 July 2017, from https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx