Laptop Hardening

PRE-REQUISISTES
1. RSA, AT&T Global (agnc_10.4.0.1252) and Citrix to be installed – setup and instruction manual
available on below BOX link
2. 1. Users need to have Domain credentials –(you get mail from gservero
<[email protected]> - Please reach out to Bharathi C R/ Renuka V if not received
escalation point Rahul Budhkar)
3. The below instructions are common for all users who access Barclays network (TIER-2, and
Offsite users)
4. Users having hardened system should complete step 3 and step 5 only as rest of the steps are
completed for them
5. The IDs used to AT&T global are Test IDs and should be only used for test as they will be
disabled once actual IDs are circulated
6. Backup your important files on BOX as you won’t have access to C drive.

Box Link: -
https://ibm.ent.box.com/s/c8ohv85ydvketjc52cap35kwei3tg946

CONTENTS
A. Creating IBMADMIN (local ID) user on the laptop
B. REMOVING the laptop from AZURE
C. Update Host File
D. AT&T VPN CONNECTIVITY CONFIGURATION
D1. Changing computer name (hostname) of laptop
E. Adding machine to Domain
F. Login to Domain account & applying group policy
G. Accessing VDI post system hardening

A. Creating IBMADMIN (local ID) user on the laptop

1. Login to your user on the laptop
2. Click on “Windows + R” Button
3. Type “compmgmt.msc” and Click on OK
4. Click on local User and Groups
5. Double CLICK on users
6. RIGHT CLICK on empty space and CLICK on NEW USER
7. Provide username as “IBMADMIN”
8. Provide a 14-character long password (VERY IMP: REMEMBER THE PROVIDED PASSWORD)

9. Select “User must change the password at next logon”

10. Click on CREATE and CLOSE
11. Right click on IBMADMIN
12. Select the properties
13. Go TO Member of and then Click on Add and then advanced tab
14. Click on find now
15. Select Administrators (second option) and click ok- (IBMADMIN is created)
16. To verify- Right click on IBMADMIN and select the properties-Member of
17. Member of must contain –Users and Administrators
18. Log off from the current profile
B. REMOVING the laptop from AZURE
1. Once you see login screen, click other user-click on sign-in option- select key icon
2. Login to IBMADMIN (USER NAME: .\IBMADMIN & Password)
3. Type “School” on search window
4. Access work or school

5. CLICK on Connected to IBM Azure ID and DISCONNECT

6. CLICK “Yes” and provide Alternate account info (.\IBMADMIN & Password)
7. Click on Disconnect
8. Restart Now
C. Update the Host File

Connect with box link given below

https://ibm.ent.box.com/s/c8ohv85ydvketjc52cap35kwei3tg946/file/640906621369

Download the host file form the mentioned location and replace it on below path of your
operating system

“C:\Windows\System32\drivers\etc\"
Note: - “ C:\Windows\System32\drivers\etc\ “ already having host file just
rename with somethings and replace it from link shared

D. AT&T VPN CONNECTIVITY CONFIGURATION

Connect with box link given below

https://ibm.box.com/s/aa5xc20ny24qvusd3g0nvwv75kt86pjr

Download the AT&T Setup file form the mentioned location

Double click on setup file- agnc_10.4.0.1252

Click Next>

Check the check box “ I accept the terms in license agreement”

Click Next>

Select the radio button “Custom”

Click Next>

Now select AT&T Pre-Logon Access Provider for windows.

Then click on red cross-mark drop down menu feature option and select This feature will be installed on
local hard drive.

Now click on Next

Click on Install. It will take 2-4 min to install the feature update.

Check the check box as “Asia Pacific”

Click Next>

Click Install

Click Finish
AT&T Configuration

1 > Click on Settings and Login Properties.

2> Now click on Server Configure (Highlighted button)
3 > Now add below primary & secondary DNS IP’s.

Primary DNS - 9.255.97.11

Secondary DNS - 9.255.194.218

4> Click on Next.

5> Click on Finish.

9 > Now you can click on connect

10> Once you see some movement in M/KBPS understand you are connected.

*********************************************************************************
D1. Changing computer name (hostname) of laptop
1. Press windows and Type “This PC”
2. Right Click on This PC and select Properties

3. Click on Advanced system settings

4. Select the Computer name
5. Click on Change
6. Give a computer name in below format (Unique for each user)

Hostname: BARLocationEmpID

BAR -- Barclays
Work Location-- B- Bangalore, P- Pune, C-Chennai

For e.g- Project-BARCLAYS Employee office location-Pune EmployeeID- 00626Q

Computer name (hostname) will be--> BARP00626Q

7. Click OK
 8. It will prompt for restart- Restart your laptop

E. Adding machine to Domain

1. Open AT&T Global Network Client and Connect, once connection is established then only follow
below steps. PLEASE NOTE: Every time machine is restarted from now AT&T should be
connected manually
2. Press windows and Type “This PC”
3. Right Click on This PC and select Properties
4. Click on Advanced system settings
5. Select the Computer name
6. Click on Change
7. Select Domain “ibmbarclays.com” OKAY
8. Provide the Domain ID & Password (Domain ID means the ID that we use to login to desktop in
BDS)
9. Click on Okay: Okay: Restart Now
10. Machine Added to domain (Acknowledgement)

F. Login to Domain account & applying group policy

A. After restart of system login to .\ibmadmin

B. Open AT&T Global Network Client

Once AT&T Application launched, click on settings

 Click on Settings and Login Properties.

 Now click on Server Configure (Highlighted button)
 

 Now add below primary & secondary DNS IP’s.

 Primary DNS - 9.255.97.11

 Secondary DNS – 9.255.194.218

 Click on Next.
 Click on Finish.
C After connected to AT&T do Switch user
 Then goto Other User
D & login with your Domain ID & Password

E again Do Switch user &

1 Login to IBMADMIN (USER NAME: .\IBMADMIN & Password)

2. Check AT&T is connected ..if not connect it
3. Once AT&T connected Go to command prompt
4. Type command “Gpupdate /force” and press enter
5. You will get below reply- Computer Policy update has completed successfully.
6. User Policy update has completed successfully.
7. Restart the machine at least twice

F Login with Network sign in option(connecting AT&T from login screen)

1. After the reboot before login connect with AT&T from login screen
2. Login to with Domain ID & password (Domain ID means the ID that we use to login to desktop in
BDS)
3. Provide OKAY for all restrictions and continue the login
4. Sign out from Domain account and Sign in to Admin account-IBMADMIN
5. Copy the AT&T VPN, RSA software, Microsoft Edge, Internet Explorer shortcuts from the
ADMIN profile (Desktop) to the Domain profile (Copy the files, and navigate to My Computer – c
drive-Users-Domain Profile(a folder with your domain name)- Desktop and Paste)

Pls note- Dont put any folder/file or application on your domain desktop apart from AT&T VPN, RSA
software, Microsoft Edge, Internet Explorer
Pls note- Citrix receiver must be installed in ibmadmin account

-RSA need to be configure on mobile as well

****Laptop Hardening is complete****

Now report back to the person who asked you to harden the laptop saying -Hardening is complete, so
that they can initiate the next process (Admin access revocation & some other Access related things)
for you

----------------------------------------------------------------------------------------------------------------------------------------

Once you complete Admin revoke process and got your permanent AT&T and BRID ID, BRID password,
RSA Passcode then you can go for step G

*For admin revoke process – you will receive a mail with all steps

*For Permanent AT&T- you will receive a mail which includes your permanent at&t ID & password

*For BRID ID, BRID password & RSA passcode – contact your Team lead/manager

G. Accessing VDI post system hardening

Follow the below steps for accessing your VDI.

1. Login to the hardened IBM laptop with Domain credentials (Barclays Domain ID & password
which you have received from GCSC team- [email protected] on your IBM mailbox)
2. Open the “AT&T Global Network Client” on your desktop and connect the AT&T using AT&T
credentials (AT&T credentials are provided by Network team on your IBM mailbox)
3. Once the AT&T shows connected status, Open the available browser, and load the ODC URL
(1. https://odcworkspace-mumbai.barclays.com 2. https://odcworkspace-
chennai.barclays.com)
4. Once the ODC URL gets loaded the VDI login page will get displayed. Provide the BRID ID and
password on the respective fields. (BRID credentials are provided by Barclays and should be
gained from your IBM / Barclays PM)

5. Generate the RSA passcord using the configured RSA (from Desktop or mobile device. RSA file
and passcord comes from Barclays. Resource should connect with Barclays LM / Helpdesk for
RSA file / passcord)
 6. Login with the BRID, BRID password and RSA passcord (Select the Barclays domain- Client /
Intranet, if required)
7. Click on the Desktop icon

8. Select and launch your VDI machine by double clicking on the Desktop icon

*********************END OF THE DOCUMENT****************************