
River LLC Network Proposal

Table of Contents

1.0 – Introduction

2.0 – Network Proposal

2.1 – Active Directory

2.2 – Group Policy

2.3 – Domain Name Service

2.4 – File Services

2.5 – Remote Services

2.6 – Windows Server Update Services

3.0 – Summary

4.0 – Conclusion


1.0 – Introduction

In order to accommodate the needs of an expanding organization with multiple locations across the United States, I have created this network proposal to meet the current and future needs of River LLC. I will cover my recommendations for Active Directory, Group Policy, DNS, File Services, Remote Services and Windows Server Update Services. To do this I will use information from the TestOut labs, Microsoft TechNet and various other websites.

2.0 – Network Proposal

This proposal will cover remote access, data security, domain names, and settings to keep the River LLC network safe and secure while accomplishing the needs of the organization.

2.1 – Active Directory

River LLC will utilize a regional domain model. This model will use one main location as the forest root and the other locations as regional domains beneath it, as seen in figure 2.1.

Figure 2.1 (Microsoft Corporation, 2003)

The forest root will be the Miami location, with Chicago and New York as regional domains. The domain names will be as follows: Miami will use corp.riverllc.com, the New York location will use newyork.corp.riverllc.com, and the Chicago location will use chicago.corp.riverllc.com. Using a regional domain model creates a trust between the forest root and all the domains, making it easy for users at one location to communicate with users from another location. When River LLC opens a new location, a domain in the forest can easily be created to keep the organization connected.

To control the traffic across the domain, domain controllers will be placed at all three locations. Using domain controllers at each location will help to minimize traffic across the domain and speed up the login process. One forest-level domain controller in Miami will be the Schema Master and Domain Naming Master. Another domain controller in Miami will host the Relative ID (RID) master, Infrastructure master and Primary Domain Controller (PDC) emulator. Two more domain controllers will be used to help distribute the workload. At the Chicago location, one domain controller will host the RID master, PDC emulator and Infrastructure master, and an additional three domain controllers will handle the workload (University of Cambridge, 2015). Since the New York location is smaller and has less security (assumption), it will have two Read-Only Domain Controllers (RODC) and get its configuration from the Miami domain controllers. All domain controllers at the Miami, Chicago and New York locations will be global catalog servers and cache user credentials. Caching the user credentials will help to speed up the login process for users (Microsoft Corporation, 2012).

Information in Active Directory is very important and therefore it is paramount that it be backed up. For this, the Windows Server Backup tool will be used and backups will be stored offsite using River LLC’s cloud services storage account (assumption). Automatic backups will be performed after hours every day. A full backup will be done first and incremental backups will be done every day for 14 days before another full backup is done. If needed, manual backups can be performed at any time (Microsoft Corporation, 2015). Keeping Active Directory backed up will help to minimize downtime in the case of a disaster. Storing the data offsite will ensure that the data is not compromised by the same disaster that affected the network.
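The forest layout, FSMO placement, RODC deployment and nightly backup described in this section can be scripted with the ADDSDeployment, ActiveDirectory and WindowsServerBackup PowerShell modules. The following is an added example and not part of the original proposal; the host names (MIA-DC01, MIA-DC02, NYC-DC01, NYC-RODC01), the site name, the backup share and the group name are assumptions. One caveat a practitioner would want: an RODC can only replicate from a writable domain controller of its own domain, so the newyork child domain needs at least one writable DC (assumed here to be NYC-DC01) before its RODCs can be promoted.

```powershell
# Added example (not from the original proposal). Run each stage on the server named in
# the comment. Host names, site names, share paths and group names are assumptions.
Import-Module ADDSDeployment

# --- Stage 1, on MIA-DC01: create the forest root domain corp.riverllc.com ---
$dsrm = Read-Host -AsSecureString "Directory Services Restore Mode password"
Install-ADDSForest -DomainName "corp.riverllc.com" -DomainNetbiosName "CORP" `
    -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# --- Stage 2, on NYC-DC01 (writable) and CHI-DC01: create the regional child domains ---
# Run once per location with the matching -NewDomainName / -NewDomainNetbiosName.
$entAdmin = Get-Credential "CORP\Administrator"
Install-ADDSDomain -NewDomainName "newyork" -NewDomainNetbiosName "NEWYORK" `
    -ParentDomainName "corp.riverllc.com" -DomainType ChildDomain -InstallDns -CreateDnsDelegation `
    -Credential $entAdmin -SafeModeAdministratorPassword $dsrm -Force

# --- Stage 3, on NYC-RODC01: promote a read-only DC in the newyork domain ---
Install-ADDSDomainController -DomainName "newyork.corp.riverllc.com" -ReadOnlyReplica `
    -SiteName "NewYork" -InstallDns -Credential $entAdmin -SafeModeAdministratorPassword $dsrm -Force

# --- Stage 4, on any writable DC in corp.riverllc.com: place the FSMO roles ---
Import-Module ActiveDirectory
Move-ADDirectoryServerOperationMasterRole -Identity "MIA-DC01" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
Move-ADDirectoryServerOperationMasterRole -Identity "MIA-DC02" `
    -OperationMasterRole RIDMaster, InfrastructureMaster, PDCEmulator -Confirm:$false

# An RODC caches only the credentials its Password Replication Policy allows. Allow the
# New York users' group; privileged groups stay in the default denied list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity "NYC-RODC01" `
    -AllowedList "NEWYORK\NewYork Users"

# Verification: role holders, and every DC should be a global catalog (NYC-RODC01 IsReadOnly).
# Add -Server "newyork.corp.riverllc.com" to Get-ADDomainController to list the child domain's DCs.
function Get-RiverDcSummary {
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain -Identity "corp.riverllc.com" | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
    Get-ADDomainController -Filter * | Select-Object HostName, Domain, Site, IsGlobalCatalog, IsReadOnly
}
Get-RiverDcSummary

# --- Stage 5, on MIA-DC01: nightly system state backup with Windows Server Backup ---
# The first run is a full backup, later runs are incremental; the target share stands in
# for the offsite copy (placeholder path).
Import-Module WindowsServerBackup
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -NetworkPath "\\MIA-BKP01\ADBackups" -Credential (Get-Credential "CORP\svc-backup")
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule -Policy $policy -Schedule 23:00
Set-WBPolicy -Policy $policy -Force
Set-WBPerformanceConfiguration -OverallPerformanceSetting AlwaysIncremental
# Manual backup on demand: Start-WBBackup -Policy (Get-WBPolicy)
```

The stages are ordered so that each server is promoted into a domain that already exists, and the verification function is what to re-run after any role move or new DC to confirm the design still matches this section.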

2.2 – Group Policy

When using Group Policy, it is important to follow some best practices in order to help keep the network secure. First, the local administrator and guest accounts will be disabled. This eliminates the opportunity for hackers to gain access to an administrator account by using a password cracker to guess the administrator password. If administrator-level work needs to be done, the administrator will log in using a normal user account, run applications as administrator and provide the administrator credentials when needed. Second, LM, NTLMv1 and LM hash storage will be disabled. The LM and NTLMv1 authentication protocols have known vulnerabilities that hackers can exploit. NTLMv2 and Kerberos will be used instead since they are more secure. LM hashes of passwords can easily be converted to plaintext. If LM hashes must be used, do not store them on disk where a hacker could easily access them. Third, a minimum password length and a maximum password age will be set. The minimum password length for users will be 12 characters. Anything less than that is not considered to be very secure for Windows. For administrative or privileged accounts, 15 characters will be the minimum length. A maximum password age for all user accounts will be set to 90 days. This ensures that if someone is able to get the password to a user account, it will have to be changed in a relatively short period of time. Fourth, event logs for login success and failure will be enabled. This is very important to keeping the network secure. Event log entries made when a failed login attempt occurs will allow the administrator monitoring the logs to catch someone trying to use a brute force attack to crack a password. Lastly, User Account Control will be enabled. User Account Control has been the number one protection tool for people surfing the web. Some users turn it off because some older software has compatibility problems with it. But, using Microsoft’s free application compatibility troubleshooting tool, most of these problems can be fixed without disabling User Account Control (Grimes, 2013).
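The five Group Policy practices above map to a small number of settings, and the logging practice is only useful if someone actually reads the resulting events. The following is an added example, not part of the original proposal: it builds a baseline GPO with the GroupPolicy and ActiveDirectory modules, applies the password rules, disables the local accounts and audits logons on a host, and ends with a review function that summarises failed-logon events (ID 4625) by account and source address. The GPO name, the fine-grained policy name, the "Domain Admins" subject and the review threshold are assumptions.

```powershell
# Added example (not from the original proposal). GPO name, policy name, group names and
# the alert threshold are assumptions. Run on a domain controller or a host with RSAT.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = "corp.riverllc.com"
$domainDN = "DC=corp,DC=riverllc,DC=com"
$gpoName  = "River Security Baseline"

# 1. Create the baseline GPO and link it at the domain root.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Authentication hardening: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1;
#    NoLMHash 1 = stop storing the LM hash at the next password change.
$lsa = "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
Set-GPRegistryValue -Name $gpoName -Key $lsa -ValueName "LmCompatibilityLevel" -Type DWord -Value 5 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $lsa -ValueName "NoLMHash" -Type DWord -Value 1 | Out-Null

# 3. User Account Control stays on (EnableLUA = 1).
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "EnableLUA" -Type DWord -Value 1 | Out-Null

# 4. Password policy: 12 characters / 90 days for everyone; 15 characters for privileged
#    accounts through a fine-grained password policy applied to Domain Admins.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength 12 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -ComplexityEnabled $true -PasswordHistoryCount 24
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PrivilegedAccounts'")) {
    New-ADFineGrainedPasswordPolicy -Name "PrivilegedAccounts" -Precedence 10 -MinPasswordLength 15 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity "PrivilegedAccounts" -Subjects "Domain Admins"
}

# 5. On each member server and workstation: disable the built-in local Administrator and
#    Guest accounts and audit logon success and failure. (The GPO equivalents live under
#    Security Options and Advanced Audit Policy Configuration, which have no registry cmdlet;
#    Disable-LocalUser needs PowerShell 5.1, older hosts use "net user <name> /active:no".)
Disable-LocalUser -Name "Administrator"
Disable-LocalUser -Name "Guest"
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# 6. Review: group failed logons (event 4625) by target account and source address so the
#    administrator reading the log can spot repeated guessing against one account.
function Get-FailedLogonSummary {
    param([int]$Hours = 1, [int]$Threshold = 10)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TargetUser = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                SourceIp   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            }
        } |
        Group-Object TargetUser, SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-FailedLogonSummary -Hours 24 -Threshold 10
```

Grouping by account and source address together is what separates a user who mistyped a password a few times from a single source cycling through guesses against one account; lowering the threshold or running the function on the domain controllers (where domain logon failures land) gives earlier warning.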

Another important part of Group Policy is software deployment. With this feature, software can be deployed in multiple ways. The software can be associated with either users or assets (computers) and can be published or assigned. Publishing software will allow users to install or uninstall the software from the Add or Remove Programs application. Assigned software will show up in the Start menu and can either be automatically installed or installed the first time the user clicks on the icon. Basic software, such as Microsoft Office, will be assigned to all computers in the organization and will be installed the first time a user clicks on the icon. Specialized software, such as an accounting program, will be assigned to the specific user that requires the software and will automatically be installed. This ensures that only the users that need the specialized software are able to access it (Testout Corporation, 2015).

2.3 – Domain Name Service

River LLC will use three registered names on the Internet. These three domains will be under the .com root. Each location will have its own externally registered name: Miami will use http://www.riverllc.com, New York will use http://newyork.riverllc.com and Chicago will use http://chicago.riverllc.com. The internal network will use the names stated earlier: corp.riverllc.com, newyork.corp.riverllc.com and chicago.corp.riverllc.com. Using different internal and external names will help keep the internal network secure. Each location will have two domain controllers that host Domain Name Service (DNS). Active Directory Integrated Zones will be used and all zones will be primary zones. Using Active Directory Integrated Zones will help to keep all the DNS information secure by storing it in Active Directory instead of a plain text file (Microsoft Corporation, 2015).
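The zone design above (AD-integrated primary zones on the domain controllers, with a separate public namespace) can be applied and checked with the DnsServer module. The following is an added example, not the proposal's own configuration, and it goes slightly beyond the text by also creating a reverse lookup zone and pointing the internal servers at a forwarder for public names; the subnet, the forwarder address (a documentation-range placeholder) and the use of ConvertTo-DnsServerPrimaryZone for a pre-existing file-backed zone are assumptions.

```powershell
# Added example (not from the original proposal). Run on each DNS-hosting domain controller.
# The subnet and the forwarder address are assumptions.
Import-Module DnsServer

function Ensure-AdIntegratedZone {
    param([string]$Name, [string]$ReplicationScope = "Domain")
    $zone = Get-DnsServerZone -Name $Name -ErrorAction SilentlyContinue
    if (-not $zone) {
        # New zone: stored in AD, replicated to the chosen scope, secure dynamic updates only
        # (clients must authenticate with Kerberos before they can register or change a record).
        Add-DnsServerPrimaryZone -Name $Name -ReplicationScope $ReplicationScope -DynamicUpdate Secure
    } elseif (-not $zone.IsDsIntegrated) {
        # Existing file-backed primary zone: move it into AD and tighten updates.
        ConvertTo-DnsServerPrimaryZone -Name $Name -ReplicationScope $ReplicationScope -Force
        Set-DnsServerPrimaryZone -Name $Name -DynamicUpdate Secure
    }
}

# Forest root zone replicates forest-wide; each child domain zone (run on that domain's DCs)
# replicates within its own domain.
Ensure-AdIntegratedZone -Name "corp.riverllc.com" -ReplicationScope Forest
# Ensure-AdIntegratedZone -Name "newyork.corp.riverllc.com"   # on the New York DCs
# Ensure-AdIntegratedZone -Name "chicago.corp.riverllc.com"   # on the Chicago DCs

# Reverse lookup zone for the Miami address space (10.1.0.0/16 is an assumed subnet).
if (-not (Get-DnsServerZone -Name "1.10.in-addr.arpa" -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId "10.1.0.0/16" -ReplicationScope Domain -DynamicUpdate Secure
}

# Because the internal namespace (corp.riverllc.com) differs from the public one (riverllc.com),
# the public zone is never hosted inside; internal clients reach it through a forwarder.
Set-DnsServerForwarder -IPAddress "203.0.113.53" -UseRootHint $false

# Verification: every administrator-created zone should be an AD-integrated primary zone
# that accepts only secure dynamic updates.
function Get-ZoneAudit {
    Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
}
Get-ZoneAudit
```

Any row in the audit output with IsDsIntegrated false or DynamicUpdate other than Secure is a zone that has drifted from the design and is worth a second look.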

2.4 – File Services

An important part of any organization is data security and storage space. For data security, shares will be secured using Windows share and NTFS permissions to only give access to the users that need it. Sensitive data such as trade secrets or PII will be encrypted using Encrypting File System (EFS). Computer and server disks will be encrypted using the built-in Trusted Platform Module (TPM) in conjunction with BitLocker. This will encrypt all the data on the drives in case a hard disk were to get into the hands of the wrong person. For information that needs to be shared between River LLC’s three locations, Distributed File System (DFS) will be used. This will create a single network path to access shared folders on multiple servers throughout the domain (Clercq, 2013).

Storage space for users on the server will be managed by File Server Resource Manager (FSRM). FSRM can use hard or soft quotas. A hard quota will not allow a user to go over the allocated space given to them. A soft quota will warn a user that they have reached their space limit but will not stop them from going over. For River LLC, hard quotas will be used. Users will be allowed 500GB of storage space on the server (Testout Corporation, 2015).
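The share permissions, EFS, BitLocker, DFS namespace and FSRM hard quota described in the two paragraphs above can all be set from PowerShell on the file servers. The following is an added example and not the proposal's own configuration; the server names (MIA-FS01, CHI-FS01), share paths, group names, the DFS namespace and the quota folder are assumptions, and escrowing the BitLocker recovery password to Active Directory assumes the domain has been prepared to store it.

```powershell
# Added example (not from the original proposal). Server names, share paths, group names
# and the DFS namespace are assumptions. Run on the Miami file server unless noted.
Import-Module SmbShare, Dfsn, FileServerResourceManager, BitLocker

# 1. Share + NTFS permissions. The share grants Change/Full to the two groups; the NTFS ACL
#    stops inheriting so the default "Users: Read" entry from the drive root disappears.
$sharePath = "D:\Shares\Finance"
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
if (-not (Get-SmbShare -Name "Finance" -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name "Finance" -Path $sharePath `
        -FullAccess "CORP\Finance-Admins" -ChangeAccess "CORP\Finance-Users" | Out-Null
}
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)      # disable inheritance, drop inherited entries
$inherit = "ContainerInherit,ObjectInherit"
foreach ($entry in @(
        @("CORP\Finance-Admins",    "FullControl"),
        @("CORP\Finance-Users",     "Modify"),
        @("BUILTIN\Administrators", "FullControl"),
        @("NT AUTHORITY\SYSTEM",    "FullControl"))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($entry[0], $entry[1], $inherit, "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# 2. EFS for the most sensitive folder (trade secrets, PII). Files created inside inherit the
#    encryption attribute; recover keys must be backed up separately.
$secret = Join-Path $sharePath "TradeSecrets"
New-Item -ItemType Directory -Path $secret -Force | Out-Null
cipher.exe /e "$secret" | Out-Null

# 3. BitLocker on the OS volume with the TPM as key protector. A recovery password is added
#    and escrowed to AD so a failed TPM or board swap does not mean lost data.
Enable-BitLocker -MountPoint "C:" -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest
$vol  = Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rpId

# 4. Domain-based DFS namespace: every location opens \\corp.riverllc.com\Shared\Finance and
#    is referred to a nearby target. The "Shared" folder must already be shared on MIA-FS01.
New-DfsnRoot -Path "\\corp.riverllc.com\Shared" -TargetPath "\\MIA-FS01\Shared" -Type DomainV2 | Out-Null
New-DfsnFolder -Path "\\corp.riverllc.com\Shared\Finance" -TargetPath "\\MIA-FS01\Finance" | Out-Null
New-DfsnFolderTarget -Path "\\corp.riverllc.com\Shared\Finance" -TargetPath "\\CHI-FS01\Finance" | Out-Null

# 5. FSRM: 500 GB hard quota on every user folder, with a warning event at 90 % usage.
$warn = New-FsrmAction -Type Event -EventType Warning `
    -Body "[Source Io Owner] has used [Quota Used Percent]% of the 500 GB quota on [Quota Path]."
$threshold = New-FsrmQuotaThreshold -Percentage 90 -Action $warn
New-FsrmQuotaTemplate -Name "500GB Hard" -Size 500GB -Threshold $threshold | Out-Null   # no -SoftLimit => hard quota
New-FsrmAutoQuota -Path "D:\Users" -Template "500GB Hard" | Out-Null                   # one quota per subfolder
```

The auto quota applies the template to each existing and future subfolder of D:\Users, so a new user's folder is limited the moment it is created rather than when someone remembers to add a quota.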

2.5 – Remote Services

Since the sales personnel at the New York office need a secure remote connection to the Miami office, a Virtual Private Network (VPN) will be set up using Secure Socket Tunneling Protocol (SSTP) for data security. SSTP encrypts data with SSL (Secure Socket Layer) and transmits through the same port as HTTPS, so no firewall modifications need to be made. Users can authenticate using either password or certificate-based authentication. The VPN will work over the existing network connection already in place and will allow sales personnel in New York to securely connect and transmit data, as needed, to the Miami office.
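Standing up the SSTP VPN on the Miami server is mostly Remote Access role configuration plus a server certificate. The following is an added example, not part of the original proposal; the certificate subject (vpn.riverllc.com), the port count, and the "NewYork Sales" group are assumptions, and the certificate is assumed to be already enrolled from a CA the New York clients trust. SSTP in current Windows versions negotiates TLS; the page's "SSL" wording is kept as the author wrote it.

```powershell
# Added example (not from the original proposal). Run on the Miami VPN server. The
# certificate subject, port count and the sales group are assumptions.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null
Import-Module RemoteAccess
Import-Module ActiveDirectory

# Configure the role for remote-access (client-to-site) VPN.
Install-RemoteAccess -VpnType Vpn

# SSTP presents a server certificate on TCP 443. Pick the newest one for the public name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=vpn.riverllc.com*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for vpn.riverllc.com found in LocalMachine\My" }
Set-RemoteAccess -SslCertificate $cert

# Accept inbound SSTP and turn off the older PPTP tunnel so only TLS-wrapped sessions arrive.
netsh.exe ras set wanports device="WAN Miniport (SSTP)" rasinbound=enabled maxports=64
netsh.exe ras set wanports device="WAN Miniport (PPTP)" rasinbound=disabled maxports=0

# User authentication: EAP covers both certificate (EAP-TLS) and password (PEAP/MS-CHAPv2)
# logons; plain PAP/CHAP are not in the accepted list.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MSChapv2 -PassThru

# Dial-in permission only for the New York sales accounts (group name is an assumption).
$nyDc = "newyork.corp.riverllc.com"
Get-ADGroupMember -Identity "NewYork Sales" -Server $nyDc | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -Server $nyDc -Replace @{ msNPAllowDialin = $true }
}

# Verification: the role should report VPN as installed with the chosen certificate bound.
function Get-VpnStatus {
    Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
}
Get-VpnStatus
```

Because only SSTP ports are enabled, a client attempting PPTP is refused outright rather than falling back to the weaker tunnel, which keeps the "HTTPS port only" property of the design true on the server side as well as the firewall side.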

2.6 – Windows Server Update Service

An important part of keeping a network secure is ensuring it is always up-to-date with the latest software updates. Windows Server Update Services (WSUS) will be used to approve the updates for the users after they have been tested by the administrator to ensure they do not cause any problems. For River LLC, a WSUS server will be set up at each location to approve updates. The server will download the updates from Windows Update and store them on the server. Once the updates have been approved, the users will download the updates from the server automatically. The servers will be deployed as multiple independent servers. This means the updates and approval will be done at each location independently (Testout Corporation, 2015).
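The test-then-approve workflow above works best with a small pilot group that receives updates before everyone else. The following is an added example, not the proposal's own configuration: it installs an independent WSUS server, limits what it synchronises, defines the pilot and production approval steps, and builds the per-location GPO that points clients at their local server. The server name (mia-wsus01), content directory, product list, OU and group names are assumptions.

```powershell
# Added example (not from the original proposal). Run on each location's WSUS server; the
# server name, content directory, product list, OU and group names are assumptions.
Install-WindowsFeature UpdateServices -IncludeManagementTools | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

Import-Module UpdateServices
$wsus = Get-WsusServer

# Independent server: synchronise straight from Microsoft Update, not from an upstream WSUS.
$wsus | Set-WsusServerSynchronization -SyncFromMU

# Keep the catalogue to the products and classifications River LLC actually runs.
Get-WsusProduct | Where-Object { $_.Product.Title -in "Windows Server 2012 R2", "Windows 8.1" } | Set-WsusProduct
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in "Critical Updates", "Security Updates" } |
    Set-WsusClassification
$wsus.GetSubscription().StartSynchronization()

# A Pilot target group receives updates first; All Computers only after the administrator
# has confirmed the pilot machines installed them without problems.
if (-not ($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq "Pilot" })) {
    $wsus.CreateComputerTargetGroup("Pilot") | Out-Null
}
function Approve-ForPilot {
    Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName "Pilot"
}
function Approve-ForProduction {
    # Run after the pilot group reports success for the batch.
    Get-WsusUpdate -Classification Security -Approval Approved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName "All Computers"
}

# Client side: one GPO per location pointing clients at that location's server
# (8530 is the default WSUS HTTP port; 8531 would be HTTPS).
Import-Module GroupPolicy
$gpoName = "WSUS Clients - Miami"
$server  = "http://mia-wsus01.corp.riverllc.com:8530"
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
$wu = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
Set-GPRegistryValue -Name $gpoName -Key $wu -ValueName WUServer       -Type String -Value $server | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wu -ValueName WUStatusServer -Type String -Value $server | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName UseWUServer          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName AUOptions            -Type DWord -Value 4 | Out-Null  # auto download + scheduled install
Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName ScheduledInstallDay  -Type DWord -Value 0 | Out-Null  # every day
Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName ScheduledInstallTime -Type DWord -Value 3 | Out-Null  # 03:00
New-GPLink -Name $gpoName -Target "OU=Miami,DC=corp,DC=riverllc,DC=com" -LinkEnabled Yes | Out-Null
```

Repeating the GPO block with the Chicago and New York server names and OUs gives each location the independent approval flow the section describes, while the pilot group keeps a bad update from reaching every workstation in one night.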

3.0 – Summary

My proposal for River LLC covers six essential areas of focus for properly configuring and securing the network. These six areas are Active Directory, Group Policy, DNS, File Services, Remote Services and Windows Server Update Services. In summary, Active Directory will use a regional domain model that will use Miami as the forest root and New York and Chicago as regional domains. This creates a trust between the domains that allows for communication between all locations. Domain controllers will be used at each location to route traffic from users to its appropriate location. Since New York is smaller with less security, Read-Only Domain Controllers will be used to keep the data and configurations secure. Active Directory data and configurations will be backed up daily and stored offsite using River LLC’s cloud services.

Group Policy will follow a basic set of best practices to maximize the security on the network. These best practices are to disable the local administrator account, disable the guest account, not log in with the administrator account, disable LM and NTLMv1, disable LM hash storage, set a minimum password length, set a maximum password age, enable event logs and enable User Account Control. Following these best practices greatly reduces the risk of a hacker gaining unauthorized access to the network. Software will be deployed using Group Policy software deployment and will be either assigned to computers for generic software that all users require or assigned to users for specialty software.

Each location will have its own registered domain namespace for DNS. Miami will have the root name of http://www.riverllc.com. New York will have http://newyork.riverllc.com and Chicago will use http://chicago.riverllc.com. All DNS zones will be primary zones and use Active Directory Integrated Zones to secure the data in the DNS servers from hackers. DNS will be hosted on two domain controllers at each location for load balancing and fault tolerance.

Files will be secured from unauthorized users by using Windows share and NTFS permissions. This will ensure that only the users that require access to the data are able to access it. Sensitive data such as trademarks or patent information will be encrypted using Encrypting File System (EFS) for added security. Entire drives on computers and servers will be encrypted using the built-in TPM security chip and BitLocker drive encryption. This will ensure that if a hard drive gets into the wrong hands, they will not be able to access the data on the drive. File sharing between locations will be done using Distributed File System (DFS). This creates a folder that can be accessed from all locations with the shared data inside. File Server Resource Manager (FSRM) will be used to set hard quotas for user storage space on the server so that users cannot exceed their allowed storage space. Each user will be allocated 500GB of space on the server.

A Virtual Private Network (VPN) will be deployed so that sales personnel in the New York location can securely connect to the Miami office. Secure Socket Tunneling Protocol (SSTP) will be used to ensure the security of the information passing through the VPN.

Keeping all systems on a network up-to-date is an important part of keeping a network secure. For this, Windows Server Update Services (WSUS) will be used at each location. These servers will download the updates from Windows Update and, once the updates are approved, users will download the updates from the server. This will minimize the traffic going out to the Internet for updates.

4.0 – Conclusion

Using the recommendations I have provided in this proposal will greatly increase the security and functionality of River LLC’s network. It will also allow for the network to easily be expanded in the future as new locations continue to open. I strongly urge you not to wait any longer and allow us to get started immediately with the upgrade of River LLC’s network.

References

Clercq, J. D. (2013, February 4). Windows Server 2012 Active Directory Security Changes. Retrieved from Windows IT Pro: http://windowsitpro.com/security/windows-server-2012-active-directory-security-changes

Grimes, R. A. (2013, November 26). The 10 Windows group policy settings you need to get right. Retrieved from InfoWorld: http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html?page=2

Microsoft Corporation. (2003, March 28). Regional Domain Model. Retrieved from TechNet: https://technet.microsoft.com/en-us/library/cc785975(v=ws.10).aspx

Microsoft Corporation. (2012, April 26). What Is an RODC? Retrieved from Windows Server: https://technet.microsoft.com/en-us/library/cc771030(v=ws.10).aspx

Microsoft Corporation. (2015). Understanding Zone Types. Retrieved from Windows Server: https://technet.microsoft.com/en-us/library/cc771898.aspx

Microsoft Corporation. (2015, September 6). Windows Server Backup. Retrieved from Windows Server: https://technet.microsoft.com/en-us/library/cc770757.aspx

Testout Corporation. (2015, September 30). Testout Labsims. Retrieved from TestOut: http://www.testout.com

University of Cambridge. (2015, March 5). Active Directory FSMO Roles. Retrieved from University of Cambridge: http://www.ucs.cam.ac.uk/support/windows-support/winsuptech/activedir/fsmoroles