Saturday, March 7, 2020

AD DS - Password Policies

Password Policies

Establish password policies based on organizational needs
Screenshot of the GPMC with the Password Policies node highlighted. GPOs discussed in the text (such as Enforce password history) are shown.
Ensure users cannot select simple password or reuse passwords
When securing your user accounts, use the Password Policy settings to control the properties of the passwords that users may select. These settings make sure users do not pick simple passwords or reuse passwords they have used recently. A domain can have only one standard (default) password policy.
Setting | Description | Values
Enforce password history | The number of unique, new passwords that must be associated with a user account before an old password can be reused. | Default setting: 24 passwords
Maximum password age | Number of days that a password can be used before the user must change it. | Recommended setting: 42 days
Minimum password age | Number of days that a password must be used before the user can change it. | Default setting: 1 day
Minimum password length | Minimum number of characters that a user's password must contain. | Default setting: 7 characters; high security: 15 characters
Complexity requirements | Required password characteristics. Don't disable. | Does not contain your name or user name; has at least six characters; contains characters from 3 of these 4 charsets: uppercase letters [A–Z], lowercase letters [a–z], numerals [0–9], special non-alphanumeric characters such as !@#)(*&^%
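As an added example (not from the original post), here is a PowerShell function that checks a candidate password against the complexity rule the way the table describes it: at least six characters, no user name or name inside it, and characters from 3 of the 4 sets. The function name and the sample user jsmith are assumptions; this illustrates the rule and is not Windows' own check.

```powershell
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $FullName = ''
    )
    $reasons = @()

    # Rule 1: at least six characters
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule 2: must not contain the user name or any part of the user's name
    # (case-insensitive); single-letter name parts are ignored
    $names = @($UserName) + ($FullName -split '\s+' | Where-Object { $_.Length -gt 1 })
    foreach ($name in $names) {
        if ($Password.ToLowerInvariant().Contains($name.ToLowerInvariant())) {
            $reasons += "contains '$name'"
        }
    }

    # Rule 3: characters from at least 3 of the 4 sets in the table
    # (-cmatch is case-sensitive, so [A-Z] really means upper case)
    $sets = '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]'
    $hit = @($sets | Where-Object { $Password -cmatch $_ }).Count
    if ($hit -lt 3) { $reasons += "uses only $hit of 4 character sets" }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample passwords for an assumed user jsmith (John Smith)
'Summer2020!', 'JSmith2020!', 'password', 'Pa5s!', 'correct-horse-battery' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -UserName 'jsmith' -FullName 'John Smith' } |
    Format-Table -AutoSize
```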

Friday, March 6, 2020

AD DS - Account Lockout Policies

Account lockout policies

Set your account lockout policies based on organizational needs
Screenshot of the GPMC showing the Account lockout policies node. The GPOs discussed in the text are shown.
Account lockout policies protect against password guessing
Account lockout policies enable you to define whether accounts should be locked if there are too many logon tries with invalid passwords. Most organizations implement account lockout policies to prevent attackers from using password-guessing techniques to gain access to a network. Using this approach provides a level of security. However, it also exposes your organization to a denial of service attack because an attacker can run scripts to guess user passwords and lock out user accounts. If you decide not to implement account lockout policies, it's important that you monitor failed account logon tries in real time to prevent an attacker from taking advantage of this configuration. There are three corresponding Group Policy settings.
Account lockout policies work together

Setting | Description | Values
Account lockout duration | Defines the number of minutes that a locked account remains locked. After the specified number of minutes, the account automatically unlocks. | Normal setting: 30 minutes; administrator must unlock the account: 0 minutes
Account lockout threshold | Determines the number of failed logon tries that are allowed before a user account is locked out. Set this value high enough to allow for mistyped passwords, but low enough to ensure that brute-force attempts to guess a password fail. | Account is never locked out: 0 attempts; typical: 3–5 attempts
Reset account lockout counter after | How many minutes must elapse after a failed logon attempt before the bad logon counter is reset to zero. This setting applies when a user has typed in a password incorrectly but has not exceeded the account lockout threshold. | Recommended value: 30 minutes
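Added example, not from the original post: this script reads the domain's single default policy and compares it with the values from both the password-policy table and the lockout table above, then covers the caveat about monitoring failed logons when lockout is off. It needs the ActiveDirectory module (RSAT) and read access to the domain; the baseline figures, function names and the 4625/4771 event handling are my own assumptions.

```powershell
Import-Module ActiveDirectory

# Reference values from the two tables (assumed baseline; substitute your own)
$Baseline = [ordered]@{
    PasswordHistoryCount     = 24                         # Enforce password history
    MaxPasswordAge           = New-TimeSpan -Days 42      # Maximum password age
    MinPasswordAge           = New-TimeSpan -Days 1       # Minimum password age
    MinPasswordLength        = 7                          # 15 for high security
    ComplexityEnabled        = $true                      # Complexity requirements
    LockoutDuration          = New-TimeSpan -Minutes 30   # Account lockout duration
    LockoutThreshold         = 5                          # typical 3-5 attempts
    LockoutObservationWindow = New-TimeSpan -Minutes 30   # Reset lockout counter after
}

# Compares the default domain policy with the baseline, one row per setting
function Get-DefaultDomainPolicyDrift {
    param([System.Collections.IDictionary] $Expected = $Baseline)
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $policy.$name
            Ok       = ($policy.$name -eq $Expected[$name])
        }
    }
    # The post's warning case: a threshold of 0 means accounts are never locked out
    if ($policy.LockoutThreshold -eq 0) {
        Write-Warning 'LockoutThreshold is 0: failed logons must be monitored instead'
    }
}

# Without lockout you watch failed logons yourself: failed logons per target
# account in the last $Minutes on this host (Security event 4625, property 5
# is TargetUserName). Run it where the logons are attempted; on a DC,
# Kerberos pre-authentication failures are logged as event 4771 instead.
function Get-RecentFailedLogons {
    param([int] $Minutes = 30, [int] $Threshold = 5)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events |
        ForEach-Object { $_.Properties[5].Value } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
}

Get-DefaultDomainPolicyDrift | Format-Table -AutoSize
Get-RecentFailedLogons | Format-Table -AutoSize
```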

Thursday, March 5, 2020

AD DS - Fine-grained Password Policies

Fine-grained Password Policies

Different groups of users may need different password policies
You can use fine-grained password policies to specify multiple password policies, and to apply different password restrictions and account lockout policies to different sets of users in a single domain. For example, Administrators may have different password requirements that are stricter than the policies for a user. If you cannot meet your organization’s security requirements with a single password policy, you should use fine-grained password policies.
Screenshot of the Create Password Settings wizard. The password policy and account lockout settings are shown.
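The same thing the Create Password Settings wizard does, as an added PowerShell example that is not part of the original post: a stricter Password Settings Object (PSO) for administrators, applied to a group, with a check of which policy actually wins for one account. The policy name PSO-Admins, the values and the account jsmith are assumptions; it needs the ActiveDirectory module and a domain functional level that supports fine-grained policies.

```powershell
Import-Module ActiveDirectory

$PolicyName = 'PSO-Admins'       # assumed name
$AdminGroup = 'Domain Admins'    # group the stricter policy applies to

# A PSO carries both password and lockout settings, like the two tables in
# the earlier posts. When several PSOs apply to one user, the lowest
# Precedence wins.
$pso = @{
    Name                        = $PolicyName
    Precedence                  = 10
    ComplexityEnabled           = $true
    MinPasswordLength           = 15                        # high-security length
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 42
    MinPasswordAge              = New-TimeSpan -Days 1
    LockoutThreshold            = 3                         # stricter than a typical 5
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled = $false
}

# Create the PSO only if it does not exist yet, so the script can be re-run
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}

# PSOs are applied to users and global security groups, not to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $AdminGroup

# Verify: the resultant policy for a member of the group should be the PSO,
# not the domain default (the cmdlet returns nothing when the default applies)
Get-ADUserResultantPasswordPolicy -Identity 'jsmith' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```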

Wednesday, March 4, 2020

Windows Server: Active Directory and its Fundamentals

Active Directory
Active Directory is the directory service that Microsoft developed for Microsoft domain networks. It is included in most Windows Server operating systems as a set of processes and services.
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.


To understand the sentences above, we need to know what a directory service, a Microsoft domain and a domain controller are. Let's find out.

Directory Service
To administer, manage, locate and organize everyday items and network resources, we need a shared information infrastructure. Everyday items and network resources can include any or all of files, folders, users, groups, printers, volumes, devices, telephone numbers and other objects.
A directory service is a service or infrastructure that maps the names of network resources to their respective network addresses. It is a critical component of a network operating system. The service is provided by a server known as a directory server. Each network resource is called an object.
A directory service defines a namespace for the network. The namespace assigns a name, a unique identifier, to each of the objects mentioned above. Directories have a set of rules that determine how network resources are named and identified; the basic requirement is that the identifiers must be unique and unambiguous.
When a user uses a directory service, there is no need to remember the physical address of a network resource; the user can locate the resource by name. Some directory services also include an access control mechanism that limits the accessibility and availability of directory information to authorized users.


Microsoft Domain
Microsoft domain is a computer network in which all user accounts, computers, printers and other security principals are registered with a central database located on one or more clusters of central computers known as domain controllers. Authentication takes place on domain controllers.
Each user who uses computers within a domain receives a unique user account that can be assigned access to resources within the domain. Active Directory is the Windows component in charge of maintaining that central database.

Domain Controller
On Microsoft Servers, a domain controller (DC) is a server computer that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain.
In other words, a server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, and it assigns and enforces security policies for all computers, including installing or updating software.


Example:
When a user logs in to a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. It also allows management and storage of information at the administrative level and provides the authentication and authorization mechanisms.

Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

Monday, March 2, 2020

AD DS - User Profile

What is a user profile?

When a user signs in to a computer, a folder is created in C:\Users for that user. The folder stores the user profile for the user. Within this folder, subfolders contain documents and settings that represent the user’s profile, including Desktop, Documents, Downloads, Pictures, and Videos.
Screenshot of the c:\users\default folder structure. The folder includes subfolders like AppData, Desktop, Documents, and Downloads.

What are the user profile settings?

User profiles keep multiple devices in sync
If a user is likely to sign in at more than one client workstation, it's better that their user profile settings and documents be available on those other client workstations. There are several ways that you can make sure that users can access their profiles from multiple workstations. One way is the user account profile settings.
Screenshot of the user's profile information from the Properties page. Highlighted is the Profile Path and the Home Folder path.
Configure the Profile path and Home folder path
  • Profile path. This path is either a local, or more usually, a Universal Naming Convention (UNC) path. The user’s desktop settings are stored in the profile. If a user profile has a UNC path, then the user will have access to their desktop settings regardless of the domain computer they sign in at. This is known as a roaming profile.
  • Home folder. This is a storage area in which users can save their personal documents. You can specify either a local path, or more usually, a UNC path to the user’s folder. You must also specify a drive letter that's used to map a network drive to the specified UNC path. You can then configure a user’s personal documents to this redirected home folder.
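The two settings from the Properties page, as an added PowerShell example that is not part of the original post: it sets the Profile path and the Home folder (with its drive letter) for one domain user and reads them back. The file server FS01, the share names and the account jsmith are assumptions, and the shares with their NTFS permissions must already exist.

```powershell
Import-Module ActiveDirectory

function Set-UserStoragePaths {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $ProfileShare = '\\FS01\Profiles$',   # assumed UNC share for roaming profiles
        [string] $HomeShare    = '\\FS01\Home$',       # assumed UNC share for home folders
        [string] $HomeDrive    = 'H:'                  # drive letter mapped to the home folder
    )
    # Unlike the GUI, Set-ADUser does not expand %username%, so build the
    # per-user paths explicitly. The profile folder is created by the client
    # on first sign-in; the home folder must exist before the user signs in.
    $profilePath = Join-Path $ProfileShare $SamAccountName
    $homePath    = Join-Path $HomeShare $SamAccountName

    if (-not (Test-Path $HomeShare)) { throw "Home share $HomeShare is not reachable" }
    if (-not (Test-Path $homePath)) {
        New-Item -ItemType Directory -Path $homePath | Out-Null
    }

    # Profile path = roaming profile; HomeDirectory + HomeDrive = mapped home folder
    Set-ADUser -Identity $SamAccountName `
        -ProfilePath $profilePath `
        -HomeDirectory $homePath `
        -HomeDrive $HomeDrive

    # Read back what was written to the account
    Get-ADUser -Identity $SamAccountName -Properties ProfilePath, HomeDirectory, HomeDrive |
        Select-Object SamAccountName, ProfilePath, HomeDirectory, HomeDrive
}

Set-UserStoragePaths -SamAccountName 'jsmith'
```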

Sunday, March 1, 2020

Windows Server Basics - Quiz

You have finished configuring a server and want to change the server to a Server Core installation. Which PowerShell command should you use?
  • Install-WindowsFeature Server-Gui-Shell
  • Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
  • Uninstall-WindowsFeature Server-Gui-Shell
  • Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
Which three statements are true about migrations?
  • Requires you to re-install and configure all of your applications.
  • Leaves existing application in place.
  • Requires you to migrate your server functions.
  • Requires you to migrate your data.
  • Leaves existing data in place.
Which three statements about Windows Server 2012 Standard edition and the Windows Server 2012 Datacenter editions are correct?
  • Standard and Datacenter have different roles and features to account for different size organizations.
  • Both Standard and Datacenter editions support up to 64 physical processor sockets.
  • Both support up to 4 TBs of RAM.
  • Both Standard and Datacenter edition have the same licensing model.
  • Standard supports up to 4TBs of RAM, and Datacenter supports up to 8TBs of RAM.
Which four are valid editions of the Windows Server 2012 operating system?
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Enterprise
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
  • Windows Server 2012 Business
When choosing between the Windows Server 2012 Standard edition and the Windows Server 2012 Datacenter edition what is your most important consideration?
  • Number of users.
  • Roles and features.
  • Server hardware requirements.
  • Virtualization needs.
You are working on a server with the Server Core installation option. Which two of the following tools are available?
  • Command Prompt
  • Internet Explorer
  • Server Manager
  • File Explorer
  • Windows PowerShell
Which installation option is the default for Windows Server 2012?
  • Command line
  • Server Core (correct)
  • Server Footprint
  • Server with a GUI
You have finished installing Windows Server 2012. The server has the Server Core installation. You need to change the name of the computer. Which tool can you use?
  • ADAC
  • Ipconfig
  • SConfig (correct)
  • Server Manager
Which server role enables the storage of information about objects on the network and enables this information to be available to users and network administrators?
  • Active Directory Domain Services (AD DS)
  • Domain Name Service (DNS)
  • Dynamic Host Configuration Protocol (DHCP)
  • Windows Update
You have received your Product Key and need to activate your Windows Server license. Which tool can you use?
  • Activate.exe
  • Install-ProductKey
  • Kms.exe
  • Slmgr.vbs (correct)