Question Three

Protection of information access and sharing on your servers and network is significant in your
career development. Information needs to be protected in order to prevent information being
misused by third parties for fraud, such as phishing scams and identity theft. Information
protection is also crucial to help prevent cybercrimes by ensuring details and contact information
are protected to prevent fraud.

1.Summarize the account lockout policies in Windows Server 2016 in support of information
access and sharing.

Account lockout duration

This security setting determines the number of minutes a locked-out account remains locked out
before automatically becoming unlocked. The available range is from 0 minutes through 99,999
minutes. If you set the account lockout duration to 0, the account will be locked out until an
administrator explicitly unlocks it.

If an account lockout threshold is defined, the account lockout duration must be greater than or
equal to the reset time.

Default: None, because this policy setting only has meaning when an Account lockout threshold
is specified.

Account lockout threshold

This security setting determines the number of failed logon attempts that causes a user account to
be locked out. A locked-out account cannot be used until it is reset by an administrator or until
the lockout duration for the account has expired. You can set a value between 0 and 999 failed
logon attempts. If you set the value to 0, the account will never be locked out.

Failed password attempts against workstations or member servers that have been locked using
either CTRL+ALT+DELETE or password-protected screen savers count as failed logon
attempts.

Default: 0.
Allow Administrator account lockout.

This security setting determines whether the builtin Administrator account is subject to account
lockout policy.

Reset account lockout counter after

This security setting determines the number of minutes that must elapse after a failed logon
attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available
range is 1 minute to 99,999 minutes.

If an account lockout threshold is defined, this reset time must be less than or equal to the
Account lockout duration.

Default: None, because this policy setting only has meaning when an Account lockout threshold
is specified.

ii) Discuss the role of each password policy in Windows Server 2016 in support of information
access and sharing

Enforce password history.

This security setting determines the number of unique new passwords that have to be associated
with a user account before an old password can be reused. The value must be between 0 and 24
passwords.

This policy enables administrators to enhance security by ensuring that old passwords are not
reused continually.

Default:

24 on domain controllers.

0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.

To maintain the effectiveness of the password history, do not allow passwords to be changed
immediately after they were just changed by also enabling the Minimum password age security
policy setting. For information about the minimum password age security policy setting, see
Minimum password age.

Maximum password age.

This security setting determines the period of time (in days) that a password can be used before
the system requires the user to change it. You can set passwords to expire after a number of days
between 1 and 999, or you can specify that passwords never expire by setting the number of days
to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must
be less than the maximum password age. If the maximum password age is set to 0, the minimum
password age can be any value between 0 and 998 days.

Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on
your environment. This way, an attacker has a limited amount of time in which to crack a user's
password and have access to your network resources.

Default: 42 days.

Minimum password age.

This security setting determines the period of time (in days) that a password must be used before
the user can change it. You can set a value between 1 and 998 days, or you can allow changes
immediately by setting the number of days to 0.

The minimum password age must be less than the Maximum password age, unless the maximum
password age is set to 0, indicating that passwords will never expire. If the maximum password
age is set to 0, the minimum password age can be set to any value between 0 and 998.

Configure the minimum password age to be more than 0 if you want Enforce password history to
be effective. Without a minimum password age, users can cycle through passwords repeatedly
until they get to an old favorite. The default setting does not follow this recommendation, so that
an administrator can

specify a password for a user and then require the user to change the administrator-defined
password when the user logs on. If the password history is set to 0, the user does not have to
choose a new password. For this reason, Enforce password history is set to 1 by default.

Minimum password length.

This security setting determines the least number of characters that a password for a user account
may contain.

The maximum value for this setting is dependent on the value of the Relax minimum password
length limits setting.

If the Relax minimum password length limits setting is not defined, this setting may be
configured from 0 to 14.

If the Relax minimum password length limits setting is defined and disabled, this setting may be
configured from 0 to 14.

If the Relax minimum password length limits setting is defined and enabled, this setting may be
configured from 0 to 128.

Setting the required number of characters to 0 means that no password is required.

Note: By default, member computers follow the configuration of their domain controllers.

Minimum password length audit.

This security setting determines the minimum password length for which password length audit
warning events are issued. This setting may be configured from 1 to 128.

You should only enable and configure this setting when trying to determine the potential impact
of increasing the minimum password length setting in your environment.

If this setting is not defined, audit events will not be issued.

If this setting is defined and is less than or equal to the minimum password length setting, audit
events will not be issued.

If this setting is defined and is greater than the minimum password length setting, and the length
of a new account password is less than this setting, an audit event will be issued.

Password must meet complexity requirements.

This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive
characters
Be at least six characters in length

Contain characters from three of the following four categories:

English uppercase characters (A through Z)

English lowercase characters (a through z)

Base 10 digits (0 through 9)

Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

Relax minimum password length legacy limits.

This setting controls whether the minimum password length setting can be increased beyond the
legacy limit of 14.

If this setting is not defined, minimum password length may be configured to a maximum of 14.

If this setting is defined and disabled, minimum password length may be configured to a
maximum of 14.

If this setting is defined and enabled, minimum password length may be configured higher than
14.

Store passwords using reversible encryption.

This security setting determines whether the operating system stores passwords using reversible
encryption.

This policy provides support for applications that use protocols that require knowledge of the
user's password for authentication purposes. Storing passwords using reversible encryption is
essentially the same as storing plaintext versions of the passwords. For this reason, this policy
should never be enabled unless application requirements outweigh the need to protect password
information.

This policy is required when using Challenge-Handshake Authentication Protocol (CHAP)

authentication through remote access or Internet Authentication Services (IAS). It is also
required when using Digest Authentication in Internet Information Services (IIS).
Question Four

Figure 1 shows a screen shoot of the Active Directory Users and Computers. Use it to answer
questions that follow.

Figure 1: Active Directory Users and Computers

i) With evidence from Figure 1, name the domain name and its significance in
security of information
domain name significances in security of information
Identity and Authentication: Domain names are used to identify and authenticate
users and devices within a Windows domain environment. When a user logs into a
Windows domain, their credentials are verified against the domain's Active Directory,
which authenticates users based on their username and password stored in the domain
database.

Access Control: Domain names help enforce access control policies within a
network. By organizing resources (such as files, folders, printers, etc.) under a
domain structure, administrators can easily manage permissions and access rights for
users and groups. This ensures that only authorized individuals have access to
sensitive information.

Centralized Management: In a Windows domain environment, administrators can

centrally manage user accounts, group policies, security settings, and other
configurations through Active Directory. This centralized management simplifies
administration tasks and ensures consistent security policies across the network.

Single Sign-On (SSO): Domain names enable Single Sign-On functionality, allowing
users to access multiple resources within the domain without having to log in
separately for each service. Once authenticated to the domain, users can seamlessly
access authorized resources without re-entering credentials.

Auditing and Logging: Domain names facilitate auditing and logging of user
activities within the network. Active Directory logs provide detailed information
about user logins, access attempts, changes to security settings, and other relevant
events, helping administrators monitor and track security incidents.

Trust Relationships: Domain names can establish trust relationships between

different domains within a network or across networks. Trust relationships allow
users in one domain to access resources in another domain, subject to appropriate
permissions and security policies.

Encryption and Secure Communication: Domain names are integral to

implementing encryption and secure communication protocols such as SSL/TLS
 within a Windows domain environment. By using domain names to identify servers
and clients, administrators can ensure that communication channels are encrypted and
protected from eavesdropping and tampering.

Overall, domain names serve as foundational elements in securing information within a

Windows environment by facilitating authentication, access control, centralized management,
auditing, trust relationships, and secure communication. Properly configured domain structures
and security policies are essential for safeguarding sensitive data and mitigating security risks.

ii) assume you’re the top security manager of the above domain, 3 ICT members will be working
under you. Explain how you could use the administrator account to limit the 3 members to

(i) Group policy creator owners:

(ii) Domain users and Schema admins

ii) Explain how you could use the administrator account to limit Logon Hours and
Logon To workstation for any user on the domain above

To use the administrator account to limit Logon Hours and Logon To workstation for any
user on the domain in a Windows setting, you would typically follow these steps:

1. Log in to the domain controller using the administrator account.

2. Open the Active Directory Users and Computers console. You can access this by typing
"dsa.msc" in the Run dialog box or by searching for "Active Directory Users and Computers"
in the Start menu.

3. Locate the user account for which you want to set Logon Hours and Logon To workstation
restrictions within the Users folder in the console.

4. Right-click on the user account and select "Properties" from the context menu.

5. In the Properties window, go to the "Account" tab.

 6. Under the Account tab, you will find options to set Logon Hours and Logon To
workstation restrictions: - To set Logon Hours restrictions: Click on the "Logon Hours"
button. Here, you can specify the days and times during which the user is allowed to log in to
the network. - To set Logon To workstation restrictions: Click on the "Log On To..." button.
In this window, you can specify the computers or workstations to which the user is allowed
to log in.

7. After setting the desired restrictions, click "OK" to save the changes.

iv) Explain the security roles of

(i) Domain admins:

Domain Admins have the highest level of administrative privileges within a domain.

They can manage users, groups, computers, domain controllers, and Group Policy objects
(GPOs) across the entire domain.

They have the authority to create, delete, and modify objects in Active Directory.

(ii) Domain Controllers:

Domain Controllers are servers that authenticate users, enforce security policies, and manage
Active Directory services.

They replicate directory information and authenticate users within the domain.

Domain Controllers host the Active Directory database and provide services like LDAP,
Kerberos, and DNS.

(iii) Group policy Creator owners:

Group Policy Creator Owners have the authority to create and modify Group Policy objects
(GPOs) at the domain level.

They can define and enforce security settings, software deployment, and other configurations
across the domain.

(iv) Administrator:
The Administrator account is a built-in account with elevated privileges on a local computer or
domain.

It can perform administrative tasks, install software, and make system-wide changes.

(v) Enterprise admins:

Enterprise Admins have administrative privileges across all domains in a forest.

They can manage trust relationships, schema modifications, and enterprise-wide settings.