Stop The Automatic Updates! How to Install OS Updates Manually and Configure Security Policies For a More Hardened Device

Bryan Renzy
14 min read · May 11, 2021

What are we doing?

This lab consists of two exercises that teach us how to manually update our Windows system, manage those updates, and remove them in case any updates cause problems. We then practice OS hardening by first managing our users’ account password policies, and then restoring access for a user who’s been locked out of their computer for inputting their password incorrectly too many times.

Why would we want to do this?

Sometimes, opting out of automatic updates and manually updating our systems is the safer solution.¹ Imagine a critical server crashing or even being offline in the middle of the work day because of an automatic update running in complete conflict with our software critical for operations… yeah that would suck and I’m sure management wouldn’t be very happy either.

So, knowing how to configure updates manually, how to manage them, and how to restore previous updates if new ones create issues means that we handy administrators will know how to protect our network from unwarranted and poorly-timed updates. It also gives us more flexibility, and justifies keeping a safe lab environment where we can test updates on an isolated system before deploying them on our network.

Also, knowing how to unlock a user’s account because they’ve somehow gotten themselves locked out is a pretty useful skill to have as a network administrator (or any IT person for that matter), so it’s nice to have a useful reference, like this, for when password policies and user accounts need to be managed.

Who would use this?

Even though these tools are safe enough for just about anybody to learn, those who would actually find utility in these basic skills are the people working in and administering the IT department of a business.

Thoughts?

Later in this lab (Exercise 2 Task 1), I mention users having a tendency to use passwords like ‘fourfourfourfour’ and ‘passwordpassword’, and I’m curious to know if there are any ways of preventing these sorts of passwords besides obviously stating it in our password policy documentation. Is there a way to make it a constraint within our system, so that if a user tries to create a password like those used above, the system would deny the input?

Vendor

Practice Labs

Lab

1.7 — Install OS Updates and Configure Security Policies

Learning Outcomes

  • Exercise 1 — Managing Windows Update
  • Exercise 2 — Configuring Network Security Policy

After completing this lab, we’ll be able to:

  • Manage common Windows update properties (Manually install Windows updates, Manually uninstall updates and restore previous version)
  • Utilize OS hardening by applying network account policies in a Windows domain (Manage user password policies, Manage user account lockouts)

CompTIA Network+ Exam Objectives

N10–007 3.5 — Identify policies and best practices (Password Policy)

N10–007 4.5 — Given a scenario, implement network device hardening (Avoiding Common Passwords, Patching and Updates)

N10–007 4.6 — Explain common mitigation techniques and their purposes (Device Hardening)

source: Practice Labs

Exercise 1

Managing Windows Update

In this exercise, we’ll use the built-in Windows Update feature to search and download updates for the system.

In addition, we’ll manage the updates already installed on the system. For this, we view the details of updates already installed, roll back any updates that destabilize the system, and change the active hours configured on the machine.

Learning objective

Use the built-in Windows update feature to manage updates

Task 1 — Use Built-in Windows Update Feature

In this task, we’ll access the Settings app and look for the available updates on the PLABSA01 as well as the PLABWIN10 machines.

Step 1: Connect to PLABWIN10 and open Windows Settings.

Click on Update & Security


Step 2: On the Settings — Windows Update window, notice that the available updates have already been searched for and are downloading. This is as per the organization’s update policy setting.

Step 3: Connect to PLABSA01, and open Settings

Step 4: Select the Update & Security option on the Settings — Windows Settings window.

Step 5: On the Settings — Windows Update window, notice that the available updates have already been searched for and are downloading. This is as per the organization’s update policy setting.

As mentioned on the Windows Update pane, the update policy is configured to automatically download the updates, and then ask the user to install the downloaded updates.

Task 1 Complete!

Task 2 — Explore the View Update History Link

On the Settings — Windows Update window, we can select the View update history link to view installation history of the updates.

Moreover, the Settings — View update history screen offers features to manage the installed updates. On this window, we have links to uninstall the updates as well as check the system recovery options.

In this task, we’ll explore the View update history link on the Settings — Windows Update window.

Step 1: Ensure that Settings — Windows Update window is displayed on the PLABSA01 server.

Click the View update history link at the bottom of the window.

Step 2: The Settings — View update history window is displayed.

Notice the installation details of updates installed so far. The updates are categorized based on the system-feature they update.

Once we’re done viewing the updates, click the Uninstall updates link above the list of updates (We might want to uninstall an update that alters the system configuration in an undesired manner)

Step 3: The Installed Updates window is displayed.

To uninstall an update, select the update from the list.

The Uninstall option appears on the Organize menu-ribbon at the top.

Click Uninstall to remove the selected update.

Exit the Installed Updates window.

Step 4: On the Settings — View update history window, select the Recovery options link at the top.

We can use this option to configure the recovery of our system in case we’re having problems with it.

Note: The link does not display the recovery settings screen, because the recovery setting is not in the user view in this lab.

Exercise 1 Complete!

Now we know how to manually update our system, manage those updates, as well as remove them in case any updates cause problems!

Exercise 2

Configuring Network Security Policy

For enterprise networks, it’s essential that system administrators create restrictive account policies that govern the access and use of network resources by users and computers. This is also known as OS hardening.

The University of Texas at Austin has an ISO hardening checklist that they use to protect their servers and make available for others to use as well:

Operating System Hardening Checklists²

Take a look at their checklist to get an idea of what’s needed in order to properly harden Windows and Linux servers.

The policies that need to be applied globally on the network are linked to a Group Policy Object (GPO) and defined on the Group Policy Management console. Changes to such policies take effect at all the locations where the GPO is linked.³

In this exercise, we’ll configure network account policies in a Windows domain.

Learning Objective

Practice OS Hardening by managing users’ account password policies, and know how to restore access for a user who’s been locked out

Task 1 — Configure Domain User Password Policy

To restrict access to a network or a system, we can create password-based access.

In this task, we’ll configure various parameters of the password policy for users on the PRACTICELABS.COM domain.

Step 1: Access the Practice Labs web application.

Note: Please take a note of this step as we’ll need to move away from the content pane.

Open the Access your settings folder tab by clicking the Cog icon.

We’ll be taken to the Settings and customization pane.

Under the Device section, click the slider next to the Server auto login option. The slider should grey out. (To move back to the Access your exercise content pane, click the Paper icon).

Auto login is now disabled.

Step 2: Connect to PLABDC01.

Since the auto-login feature is turned off, the desktop shouldn’t be displayed by default, but if it is, ignore this step and move onto the next. The login screen is displayed listing PRACTICELABS\Administrator as the default sign-in username.

Type the password:

Passw0rd

Step 3: The PLABDC01 desktop is displayed.

On the Server Manager, access the menu bar at the top and click Tools > Group Policy Management.

Step 4: On the Group Policy Management console, access the navigation pane at the left.

Expand Forest: PRACTICELABS.COM > Domains > PRACTICELABS.COM if not done already.

Right-click Default Domain Policy, and select Edit.

Step 5: The Group Policy Management Editor is displayed.

On the Default Domain Policy pane on the left, expand Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies then click Password Policy.

Notice the password policies currently implemented on the domain, and their corresponding details, are listed in the details pane at the right.

Notice the settings for the Minimum password age policy.

Step 6: The Minimum password age policy is used to prevent users from changing their passwords repeatedly. Changes can be made only after the minimum password age has elapsed.

To allow users to change their passwords without any age restrictions, go to the details pane at the right.

Right-click the Minimum password age policy and select Properties.

Step 7: The Minimum password age Properties dialog box is displayed.

On the Security Policy Settings tab, locate the Password can be changed after selection box.

Change the setting to 0 days.

Click OK.

Notice, in this settings window as well as in the windows that we’ll subsequently open, the Define this policy setting checkbox. This checkbox enables or disables the parameter. If we choose to uncheck this box for any parameter, we essentially disable that specific policy.

Step 8: We should be back on the Group Policy Management Editor window. On the details pane at the right, notice the changed value corresponding to the Minimum password age policy.

Similarly, we can define other parameters.

For example, to define the minimum password length, right-click the Minimum password length policy and select Properties.

Change the setting to 10 characters.

(Special Note: To really protect our passwords, we should set the minimum length to 16 characters for regular users and 25 for privileged users⁴, although Microsoft’s password policy recommendations say to limit it to 12 characters, since users fall into unsafe habits such as repeating words in passwords like ‘fourfourfourfour’ or ‘passwordpassword’⁵. For this lab, though, we’ll go ahead and change it to 10 characters.)

Step 9: To expire a password after 30 days, right-click Maximum password age and select Properties.

Step 10: On the Maximum password age Properties dialog box, set the Password will expire in box to 30.

Click OK.

Step 11: We’re navigated back to the Group Policy Management Editor.

Notice the Enforce password history policy. This setting configures the system to keep a list of a specified number of previously used passwords and to prevent users from reusing the passwords on that list.

Right-click the Enforce password history policy and select Properties.

Step 12: On the Enforce password history Properties dialog box, change the setting of the Keep password history for box to 20.

Click OK.

Step 13: Now we’ll define the account lockout policy. To do this, access the left pane of Group Policy Management Editor.

Navigate to the Account Lockout Policy just below the Password Policy item and click it. The policies implemented and their settings appear in the details pane to the right.

Step 14: To specify the number of unsuccessful logon attempts a user can make before being locked out, right-click the Account lockout threshold policy and select Properties.

This setting is useful for mitigating brute force password discovery attacks.

Step 15: On the Account lockout threshold Properties dialog box, go to the Account will lockout after box and change the setting to 3.

Click OK.

Step 16: The Suggested Value Changes information box appears.

Here, suggested values are displayed for the duration of the lockout period that will take place after three failed attempts. Read the information regarding the suggested changes and click OK.

Step 17: Notice the modified Account Lockout Policy is now displayed.

Exit Group Policy Management Editor.

Close all the open windows.

Task 1 Complete!

Keep all devices powered on and in their current state then proceed to the next task.

Task 2 — Propagate the Policy Modifications

In a typical Windows network, it takes 5 minutes before group policy changes reach other domain controllers, and 90 minutes before client workstations become aware of group policy changes.

However, we can run the gpupdate.exe command from PowerShell to implement the modifications immediately.

In this task, we’ll manually propagate the new password security policy by running gpupdate.exe.

Step 1: On PLABDC01, open the Windows PowerShell application.

Step 2: On the Windows PowerShell window, input the following command at the prompt:

gpupdate /force

Step 3: Notice that Windows is updating the policy.

Step 4: Once the Computer Policy and the User Policy updates are complete, confirmation messages will appear.

To exit the window, input the following command:

exit

Task 2 Complete!

Keep all devices powered on and in their current state then proceed to the next task.
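
To confirm that the values set in Task 1 are the ones the domain actually enforces, the following PowerShell check compares the live policy with the lab's settings. It is an added example, not part of the original lab, and it assumes the ActiveDirectory module is available on PLABDC01 and that the domain controller has already processed the updated Default Domain Policy.

```powershell
# Added example: audit the domain password and lockout policy against the
# values chosen in Exercise 2, Task 1. Run on PLABDC01 as a domain admin.
Import-Module ActiveDirectory

# Lab values from Task 1 (Steps 7, 8, 10, 12 and 15).
$expected = [ordered]@{
    MinPasswordAge       = [TimeSpan]::FromDays(0)
    MinPasswordLength    = 10
    MaxPasswordAge       = [TimeSpan]::FromDays(30)
    PasswordHistoryCount = 20
    LockoutThreshold     = 3
}

# Read the policy the domain currently enforces.
$policy = Get-ADDefaultDomainPasswordPolicy

# Build one row per setting so any drift is easy to spot.
$report = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $policy.$name
        Match    = ($policy.$name -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# The lockout duration and observation window were accepted from the
# Suggested Value Changes box (Step 16), so they are listed, not compared.
$policy | Format-List LockoutDuration, LockoutObservationWindow, ComplexityEnabled

if ($report.Match -contains $false) {
    Write-Warning 'Domain password policy differs from the lab values.'
}
```

Running the same check on a schedule is a simple way to notice when someone relaxes the policy later.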

Task 3 — Test Account Lockout

In this task, we’ll test the account lockout policy we defined and propagated in the previous tasks.

To test the account lockout, we’ll deliberately try to log onto the network using an incorrect password.

Step 1: Connect to our PLABWIN10 device.

Click the Other user option on the sign on screen.

Step 2: The Other user login screen is displayed.

Sign on as testuser and enter test as a password.

Press Enter.

Note: testuser is a legitimate user that exists on our PLABDC01 domain controller and has a password of Passw0rd.

Step 3: The system issues an error.

Click OK.

Step 4: We’re navigated back to the logon screen.

Again, type test in the password field and press Enter. Press OK when prompted with the error message.

Repeat this one more time.

Step 5: Back on the login screen, try to log on again using testuser as the user name and Passw0rd as the password.

Note that the lockout occurs after the third attempt. However, the user isn’t informed of the lockout until they actually try to log in with the correct credentials after the lockout has occurred.

Notice that we’re now locked out as Test User.

Click OK.

Task 3 Complete!

Task 4 — Manage Account Lockout

In this task, we’ll unlock a user account from the domain controller, using the Active Directory Users and Computers console on PLABDC01.

Step 1: Switch to PLABDC01.

Click the Start button, find and open the Windows Administrative Tools folder, find and click the Active Directory Users and Computers menu-item.

Step 2: On the left pane, expand PRACTICELABS.COM > Builtin. Find the locked-out user — Test User — listed on the details pane at the right.

Step 3: Right-click Test User and select Properties.

On the Test User Properties dialog box, access the Account tab.

Step 4: On the Account tab, to unlock the account, check the “Unlock account. This account is currently locked out on this Active Directory Domain Controller” check box.

Click OK.

Exit the Active Directory Users and Computers window.

Step 7: Switch back to our PLABWIN10 device.

Sign back on as testuser, using Passw0rd as the password.

Step 8: The user Test User should now be able to sign on successfully.

This is a new user that has never logged in before; therefore, the login process may take longer than normal.
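
The same unlock can be done from PowerShell, and it is worth checking where the failed logons came from before clearing a lockout. The script below is an added example rather than part of the original lab; it assumes the ActiveDirectory module on PLABDC01, the testuser account from Task 3, and that account-management auditing is writing event 4740 to the domain controller's Security log.

```powershell
# Added example: review lockouts, then unlock the lab's test account.
# Run in an elevated PowerShell session on PLABDC01.
Import-Module ActiveDirectory

# 1. Which user accounts does the domain currently report as locked out?
Search-ADAccount -LockedOut -UsersOnly |
    Format-Table SamAccountName, LastLogonDate, DistinguishedName -AutoSize

# 2. Where did the bad passwords come from? Event 4740 ("A user account was
#    locked out") records the account and the computer that caused the lockout.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                -MaxEvents 50 -ErrorAction SilentlyContinue
$rows = foreach ($evt in $lockouts) {
    # Flatten the event's named data fields into a lookup table.
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time           = $evt.TimeCreated
        LockedAccount  = $fields['TargetUserName']
        # In event 4740 the caller computer name is stored in TargetDomainName.
        CallerComputer = $fields['TargetDomainName']
    }
}
$rows | Format-Table -AutoSize

# 3. Inspect the lab account, unlock it, then confirm the flag has cleared.
$props = 'LockedOut', 'BadLogonCount', 'LastBadPasswordAttempt', 'AccountLockoutTime'
Get-ADUser -Identity testuser -Properties $props |
    Format-List (@('SamAccountName') + $props)

Unlock-ADAccount -Identity testuser

Get-ADUser -Identity testuser -Properties LockedOut |
    Format-List SamAccountName, LockedOut
```

A lockout whose caller computer is not the user's own workstation, or one that repeats soon after unlocking, deserves a closer look before the account is unlocked again.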

Exercise 2 Complete!

Now we know how to manage our password policy within our network and also know how to restore access for a locked-out user!
