MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

LAB 17
CONFIGURING
SECURITY POLICIES

THIS LAB CONTAINS THE FOLLOWING EXERCISES AND ACTIVITIES:

Exercise 17.1 Configuring Security Policies

Lab Challenge Assigning User Rights

Exercise 17.2 Configuring Audit Policies

Lab Challenge Viewing Auditing Data

BEFORE YOU BEGIN

The lab environment consists of three servers connected to a local area network, one
of which is configured to function as the domain controller for a domain called
adatum.com. The computers required for this lab are listed in Table 17-1.

Table 17-1
Computers Required for Lab 17
Computer Operating System Computer Name
Domain controller 1 Windows Server 2012 R2 SERVERA
Member server 2 Windows Server 2012 R2 SERVERB
Member server 3 Windows Server 2012 R2 SERVERC

In addition to the computers, you also require the software listed in Table 17-2 to
complete Lab 17.
MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

Table 17-2
Software Required for Lab 17
Software required for Lab 17Software Location
Lab 17 student worksheet Lab17_worksheet.docx (provided by instructor)

Working with Lab Worksheets

Each lab in this manual requires that you answer questions, take screen shots, and
perform other activities that you will document in a worksheet named for the lab, such
as Lab17_worksheet.docx. It is recommended that you use a USB flash drive to store
your worksheets, so you can submit them to your instructor for review. As you
perform the exercises in each lab, open the appropriate worksheet file, fill in the
required information, and save the file to your flash drive.

After completing this lab, you will be able to:

 Configure security policies

 Configure and assign user rights

 Configure audit policies

Estimated lab time: 60 minutes

Exercise
17.1 Configuring Security Policies
Overview In this exercise, you examine the default Security Policy settings for
your domain and then create a GPO containing new and revised
settings.
Mindset How can you control access to your network computers using security
policies?
Completion time 15 minutes

1. On the SERVERB computer, install the Group Policy Management feature using the
Add Roles and Features Wizard, just as you did in Exercise 16.1.

2. In Server Manager, click Tools > Group Policy Management. The Group Policy
Management console appears.

3. Browse to the Group Policy Objects folder.

MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

How can you tell which of the policies in the Security Options
folder have changed settings in the Default Domain Policy
GPO?
Question
1 Go to the DDP GPO that is in the Group Policy
Management console, click on the settings tab and click
the show all link, with that you will see the policies
configured in the GPO

4. Press Alt+Prt Scr to take a screen shot showing the existing Security Options settings in
the Default Domain Policy GPO. Press Ctrl+V to paste the image on the page provided
in the Lab 17 worksheet file.

5. Right-click the Group Policy Objects folder and, on the context menu, click New.
The New GPO dialog box appears.

6. In the Name text box, type Revised Domain and click OK. A new Revised
Domain GPO appears in the Group Policy Objects folder.

7. Right-click the Revised Domain GPO and, in the context menu, click Edit. The
Group Policy Management Editor console appears.
MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

8. In the Group Policy Management Editor console, browse to the Computer

Configuration > Policies > Windows Settings > Security Settings > Local
Policies > Security Options folder.

9. In the Security Options folder, double-click the Devices: Allowed to format and
eject removable media policy. The Devices: Allowed to format and eject
removable media policy dialog box appears (see Figure 17-1).

Figure 17-1
The Devices: Allowed to format and eject removable media policy dialog box

10. Select the Define this policy setting check box, and in the drop-down list, select
Administrators and Interactive Users. Then click OK.

11. Define and enable the following Security Options policies:

 Devices: Restrict CD-ROM access to locally logged on user only policy

 Devices: Restrict floppy access to locally logged on user only policy

 Network Security: Force logoff when logon hours expire

12. Close the Group Policy Management Editor console.

MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

13. In the Group Policy Management console, right-click the adatum.com domain
and, in the context menu, click Link an Existing GPO. The Select GPO dialog
box appears.

14. Select the Revised Domain GPO and click OK.

15. Select the adatum.com domain and click the Linked Group Policy Objects tab in
the right pane.

16. Select the Revised Domain GPO and click the Move link up arrow. The Revised
Domain GPO now appears first in the list of linked GPOs.

Why is it necessary for the Revised Options GPO to appear

first in the list?
Question
The link will order controls when the likes is applied.
2
Since the links order is higher and has high precedence,
so by s changing the link of the precedence, it is secure
that the GPO of the Revised Domain will applied first.

End of exercise. Leave all windows open for the next exercise.

Lab
Challenge Assigning User Rights
Overview In this exercise, you add a selection of user rights assignments to the
ones that already exist.

Completion time 15 minutes

Your organization has created a new job role called the director, and your job is to provide the
new directors with the domain controller user rights they need to perform their jobs. The
Directors group has already been created in the adatum.com domain. To complete this challenge,
you must grant the Directors group the following user rights to all the domain controllers on the
network, without interfering with any of the existing rights.

 Deny logon locally

 Add workstations to domain

 Force shutdown from a remote system

 Enable computer and user accounts to be trusted for delegation

 Manage auditing and security log

MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

 Shut down the system

Write out the basic steps you have to perform to accomplish the challenge and then take a screen
shot showing the user rights you configured and press Ctrl+V to paste the image on the page
provided in the Lab 17 worksheet file.

End of exercise. Leave all windows open for the next exercise.

Exercise
17.2 Configuring Audit Policies
Overview In this exercise, you configure the auditing policies to monitor
account logons and access to specific objects.

Mindset How can you use the auditing capabilities in Windows Server 2012 R2 to
increase the security of your network without overwhelming yourself
with data?
Completion time 20 minutes

1. On SERVERB, in the Group Policy Management console, create a new GPO

called Audit Policies and open it in the Group Policy Management Editor.

2. Browse to the Computer Configuration > Policies > Windows Settings > Security
Settings > Local Policies > Audit Policy node. The audit policies appear in the
right pane.

3. Double-click the Audit account logon events policy. The Audit account logon
events Properties sheet appears.

4. Select the Define these policy settings check box.

5. Select the Failure check box, clear the Success check box, and click OK.

Why, in this case, is the auditing of event failures more useful

than the auditing of successes?
Question
3
With failure audits, the entries can be generated when
the logon attempts is unsuccessful.
MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

6. Double-click the Audit object access policy. The Audit object access Properties
sheet appears.

7. Select the Define these policy settings check box.

8. Select the Failure and the Success check boxes and click OK.

9. Press Alt+Prt Scr to take a screen shot showing the policies you configured.
Press Ctrl+V to paste the image on the page provided in the Lab 17 worksheet
file.

10. Under Security Settings, select the Event Log node.

11. In the right pane, double-click the Maximum security log size policy.

12. Select the Define this policy setting check box, leave the spinbox value at 16384
kilobytes, and click OK.

Why is it prudent to limit the event log size when using

Question auditing.
4
So that the file doesn’t exceed a certain size.

13. Close the Group Policy Management Editor console.

14. Link the Audit Policies GPO to the adatum.com domain.

15. Click the File Explorer icon on the Taskbar. The File Explorer window appears.
MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

16. In the left pane, browse to the C: drive on the local computer.

17. Right-click the C:\Windows folder and, in the context menu, click Properties.
The Windows Properties sheet appears.

18. Click the Security tab.

19. Click Advanced. The Advanced Security Settings for Windows dialog box
appears.

20. Click the Auditing tab (see Figure 17-2).

Figure 17-2
The Advanced Security Settings for Windows dialog box

21. Click Add. The Auditing Entry for Windows dialog box appears.

22. Click Select a Principal. The Select User, Computer, Service Account, or Group
dialog box appears.

23. In the Enter the object name to select text box, type Administrator and click
OK.

24. Select the Full Control check box and click OK.

25. Click OK to close the Advanced Security Settings for Windows dialog box.

26. Click Continue to bypass error messages, if necessary. Click OK to close the
Windows Properties sheet.

27. Open an administrative Command Prompt window and type gpupdate /force to
update the system’s Group Policy settings.
MOAC 70-410 - Installing and Configuring Windows Server 2012 R2 Lab Manual

End of exercise. Leave all windows open for the next exercise.

Lab
Challenge Viewing Auditing Data
Overview To complete this exercise, you must demonstrate that your
SERVERB computer is actually gathering the auditing data you
configured its policies to gather.
Mindset How do you display auditing data?
Completion time 10 minutes

To complete this challenge, display the auditing data you configured your server
to gather in Exercise 17.2. Press Alt+Prt Scr to take a screen shot showing a
sample of the data you gathered. Press Ctrl+V to paste the image on the page
provided in the Lab 17 worksheet file.

End of lab. You can log off or start a different lab. If you want to restart this lab,
you’ll need to click the End Lab button in order for the lab to be reset.