Network+ Practice Labs: Install OS Updates and Configure Security Policies

source: cybrary.it

Vendor

Lab

Learning Outcomes

  • Exercise 2 — Configuring Network Security Policy

After completing this lab, we’ll be able to:

  • Manage common Windows update properties (Manually install Windows updates, Manually uninstall updates and restore previous version)
  • Utilize OS hardening by applying network account policies in a Windows domain (Manage user password policies, Manage user account lockouts)

CompTIA Network+ Exam Objectives

N10–007 4.5 — Given a scenario, implement network device hardening (Avoiding Common Passwords, Patching and Updates)

N10–007 4.6 — Explain common mitigation techniques and their purposes (Device Hardening)

What are we doing?

Why would we want to do this?

So, knowing how to configure updates manually, knowing how to manage them, and knowing how to restore previous updates if new ones create issues can only mean that us handy administrators will know how to protect our network from unwarranted and poorly-timed updates. This also gives us better flexibility and justified use of a safe lab environment where we can test updates on an isolated system before deploying the update on our network.

Also, knowing how to unlock a user’s account because they’ve somehow gotten themselves locked out is a pretty useful skill to have as a network administrator (or any IT person for that matter), so it’s nice to have a useful reference, like this, for when password policies and user accounts need to be managed.

Who would use this?

Thoughts?

source: Practice Labs

Exercise 1

In this exercise, we’ll use the built-in Windows Update feature to search and download updates for the system.

In addition, we’ll manage the updates already installed on the system. For this, we view the details of updates already installed, rollback any updates that destabilize the system, and change the active hours configured on the machine.

Learning objective

Task 1 —Use Built-in Windows Update Feature

Step 1: Connect to PLABWIN10 and open Windows Settings.

Click on Update & Security

source: author

Step 2: On the Settings — Windows Update window, notice that the available updates have already been searched and are downloading. This is as per the organization’s update policy setting.

Step 3: Connect to PLABSA01, and open Settings

Step 4: Select the Update & Security option on the Settings — Windows Settings window.

Step 5: On the Settings — Windows Update window, notice that the available updates have already been searched and are downloading. This is as per the organization’s update policy setting.

As mentioned on the Windows Update pane, the update policy is configured to automatically download the updates, and then ask the user to install the downloaded updates.

Task 1 Complete!

Task 2 — Explore the View Update History Link

Moreover, the Settings — View update history screen offers features to manage the installed updates. On this window, we have links to uninstall the updates as well as check the system recovery options.

In this task, we’ll explore the View update history link on the Settings — Windows Update window.

Step 1: Ensure that Settings — Windows Update window is displayed on the PLABSA01 server.

Click the View update history link at the bottom of the window.

Step 2: Settings — View update history window is displayed.

Notice the installation details of updates installed so far. The updates are categorized based on the system-feature they update.

Once we’re done viewing the updates, click the Uninstall updates link above the list of updates (We might want to uninstall an update that alters the system configuration in an undesired manner)

Step 3: Installed Updates window is displayed.

To uninstall an update, select the update from the list.

The Uninstall option appears on the Organize menu-ribbon at the top.

Click Uninstall to remove the selected update.

Exit the Uninstalled Updates window.

Step 4: On the Settings — View update history window, select the Recovery options link at the top.

We can use this option to configure the recovery of your system in case we’re having problems with our system.

Note: The link does not display recovery settings screen as recovery setting in the lab is not in the user view.

Exercise 1 Complete!

Exercise 2

For enterprise networks, it’s essential that system administrators create restrictive account policies that govern the access and use of network resources by users and computers. This is also known as OS hardening.

The University of Texas at Austin has an ISO hardening checklist they use to protect their servers and makes it available for other to use as well:

Operating System Hardening Checklists²

Take a look at their checklist to get an idea of what’s needed in order to properly harden Windows and Linux servers.

The policies that need to be applied globally on the network are linked to a Group Policy Object (GPO) and defined on the Group Policy Management console. Changes to such policies take effect at all the locations where the GPO is linked.³

In this exercise, we’ll configure network account policies in a Windows domain.

Learning Objective

Task 1 — Configure Domain User Password Policy

In this task, we’ll configure various parameters of the password policy for users on the PRACTICELABS.COM domain.

Step 1: Access the Practice Labs web application.

Note: Please take a note of this step as we’ll need to move away from the content pane.

Click the Access your settings folder tab by clicking on the Cog icon.

We’ll be taken to the Settings and customization pane.

Under the Device section, click the slider next to the Server auto login option. The slider should grey out. (To move back to the Access your exercise content pane, click the Paper icon).

Auto login is now disabled.

Step 2: Connect to PLABDC01.

Since the auto-login feature is turned off, the desktop shouldn’t be displayed by default, but if it is, ignore this step and move onto the next. The login screen is displayed listing PRACTICELABS\Administrator as the default sign-in username.

Type the password:

Passw0rd

Step 3: The PLABDC01 desktop is displayed.

On the Server Manager, access the menu bar at the top and click Tools > Group Policy Management.

Step 4: On the Group Policy Management console, access the navigation pane at the left.

Expand Forest: PRACTICELABS.COM > Domains > PRACTICELABS.COM if not done already.

Right-click Default Domain Policy, and select Edit.

Step 5: The Group Policy Management Editor is displayed.

On the Default Domain Policy pane on the left, expand Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies then click Password Policy.

Notice the password policies currently implemented on the domain, and their corresponding details, are listed in the details pane at the right.

Notice the settings for the Minimum password age policy.

Step 6: The Minimum password age policy is used to prevent users from changing their passwords repeatedly. Changes can be made only after the minimum password age has elapsed.

To allow users to change their passwords without any age restrictions, go to the details pane at the right.

Right-click the Minimum password age policy and select Properties.

Step 7: The Minimum password age Properties dialog box is displayed.

On the Security Policy Settings tab, locate the Password can be changed after selection box.

Change the setting to 0 days.

Click OK.

Notice in this settings window, as well as in the Windows that we’ll subsequently open, the Define this policy setting checkbox. This checkbox enables or disables the parameter. If we choose to uncheck this box for any parameter, we essentially disable that specific policy.

Step 8: We should be back on the Group Policy Management Editor window. On the details pane at the right, notice the changed value corresponding to the Minimum password age policy.

Similarly, we can define other parameters.

For example, to define the minimum password length, right-click the Minimum password length policy and select Properties.

Change the setting to 10 characters.

(Special Note: In order to really protect our password, we should limit the minimum characters to 16 for regular users and 25 for privileged users⁴ although Microsoft’s password policy recommendations say to limit it to 12 characters since users have a habit of practicing unsafe habits like repeating words for passwords like ‘fourfourfourfour’ or ‘passwordpassword’⁵ but, for this lab, we’ll go ahead and change it to 10 characters.)

Step 9: To expire a password after 30 days, right-click Maximum password age and select Properties.

Step 10: On the Maximum password age Properties dialog box, set the Password will expire in box to 30.

Click OK.

Step 11: We’re navigated back to the Group Policy Management Editor.

Notice the Enforce password history policy. This setting configures the system to keep a list of specified number of passwords used previously and to prevent users from reusing the listed older passwords.

Right-click the Enforce password history policy and select Properties.

Step 12: On the Enforce password history Properties dialog box, change the setting of the Keep password history for box to 20.

Click OK.

Step 13: Now we’ll define the account lockout policy. To do this, access the left pane of Group Policy Management Editor.

Navigate to the Account Lockout Policy just below the Password Policy item and click it. The policies implemented and their settings appear in the details pane to the right.

Step 14: To specify the number of unsuccessful logon attempts a user can make before being locked out, right-click the Account lockout threshold policy and select Properties.

This setting is useful to mitigate against brute force password discovery attacks.

Step 15: On the Account lockout threshold Properties dialog box, go to the Account will lockout after box and change the setting to 3.

Click OK.

Step 16: The Suggested Value Changes information box appears.

Here suggested values for the duration of the lockout period that will take place after three failed attempts are displayed. Read the information regarding the suggested changes and click OK.

Step 17: Notice the modified Account Lockout Policy is now displayed.

Exit Group Policy Management Editor.

Close all the open windows.

Task 1 Complete!

Task 2 — Propagate the Policy Modifications

However, we can run the gpupdate.exe PowerShell command to implement the modifications immediately.

In this task, we’ll manually propagate the new password security policy by running gpupdate.exe.

Step 1: On PLABDC01, open the Windows PowerShell application.

Step 2: On the Windows PowerShell window, input the following command at the prompt:

gpupdate /force

Step 3: Notice that Windows is updating the policy.

Step 4: Once the Computer Policy and the User Policy updates are complete, confirmation messages will appear.

To exit the window, input the following command:

exit

Task 2 Complete!

Task 3 — Test Account Lockout

To test the account lockout, we’ll deliberately try to log onto the network using an incorrect password.

Step 1: Connect to our PLABWIN10 device.

Click the Other user option on the sign on screen.

Step 2: Other user login screen is displayed.

Sign on as testuser and enter test as a password.

Press Enter.

Note: testuser is a legitimate user that exists on our PLABDC01 domain controller and has a password of Passw0rd.

Step 3: The system issues an error.

Click OK.

Step 4: We’re navigated back to the logon screen.

Again, type test in the password field and press Enter. Press OK when prompted with the error message.

Repeat this one more time.

Step 5: Back on the login screen, try to logon again using testuser as the user name and Passw0rd as password.

Note that the lockout occurs after the third attempt. However, the user isn’t informed of the lockout until they actually try to log in with the correct credentials after the lockout has occurred.

Notice that we’re now locked out as Test User.

Click OK.

Task 3 Complete!

Task 4 — Manage Account Lockout

In this task, we’ll access the Active Directory Users and Computers console on PLABDC01.

Step 1: Switch to PLABDC01.

Click the Start button, find and open the Windows Administrative Tools folder, find and click the Active Directory Users and Computers menu-item.

Step 2: On the left pane, expand PRACTICELABS.COM > Builtin. Find the locked-out user — Test User — listed on the details pane at the right.

Step 3: Right-click Test User and select Properties.

On the Test User Properties dialog box, access the Account tab.

Step 4: On the Account tab, to unlock the account, check the Unlock account. This account is currently locked out on this Active Directory Domain Controller check box.

Click OK.

Exit the Active Directory Users and Computers window.

Step 7: Switch back to our PLABWIN10 device.

Sign back on as testuser, using Passw0rd as the password.

Step 8: The user Test User should now be able to sign on successfully.

This is a new user that has never logged in before; therefore, the login process may take longer than normal.

Exercise 2 Complete!

Anxious Buddhist | Hobby Eater | Maze Master