LAB 8 - Arkansas State University



LAB 8

HARDENING COMPUTERS FOR SPECIFIC ROLES

This lab contains the following exercises and activities:

■ Lab Exercise 8-1: Configuring Software Restriction Policies

■ Lab Exercise 8-2: Testing Software Restriction Policies

■ Lab Exercise 8-3: Installing IIS

■ Lab Exercise 8-4: Securing an IIS Server

■ Lab Cleanup

■ Lab Review Questions

SCENARIO

You are a new network administrator for Contoso, Ltd., a company with a medium-sized network consisting of servers running Microsoft Windows Server 2003 and Microsoft Windows 2000 Server and workstations running Microsoft Windows XP and Microsoft Windows 2000 Professional. You have been assigned to a team of administrators whose task is to increase the security of computers performing specific roles on the network.

Estimated Completion Time: 85 Minutes

After completing this lab, you will be able to:

■ Configure and deploy software restriction policies

■ Control access to an IIS Web server

EXERCISE 8-1: CONFIGURING SOFTWARE RESTRICTION POLICIES

Estimated completion time: 20 minutes

Recently, the management at Contoso has become concerned that employees spend too much paid time running unauthorized software such as games. In addition, the IT director has noticed a dramatic rise in the amount of time spent troubleshooting computer problems that should be resolved easily, due to users’ installation of unauthorized software on their computers. As a result, you have been assigned the task of developing a plan that uses software restriction policies to limit the software users can run on their workstations to programs on a list of approved applications. Toward this end, you have created a platform for testing software restriction policies. In this exercise, you will create a new Group Policy Object (GPO) containing a sample of software restriction policies.

1. On your Computerxx server, log on to the domainxxyy domain (where xx and yy are the number assigned to the computers in your student domain) as Administrator, using the password P@$$w0rd.

2. Open the Active Directory Users And Computers console.

3. In the console tree, select the domainxxyy. domain object. On the Action menu, point to New and select Organizational Unit.

4. In the Name text box, type Workstations and click OK.

5. Locate the Computeryy object in your Active Directory tree, and move it to the Workstations OU you just created.

6. Open the Properties dialog box for the Workstations OU, and click the Group Policy tab.

7. Click New to create a new GPO, and call it Software Restriction Policies Test.

8. Click Edit to load the new GPO into the Group Policy Object Editor.

9. In the console tree under Computer Configuration, expand the Windows Settings folder and the Security Settings node, and then click the Software Restriction Policies node.

10. From the Action menu, select New Software Restriction Policies. Two folders and three policies appear in the console.

11. Select the Enforcement policy and, on the Action menu, click Properties. The Enforcement Properties dialog box appears.

12. Select the All Software Files option and click OK.

13. In the console tree, expand the Software Restriction Policies folder and click Security Levels.

14. Two policies appear in the Security Levels folder: Disallowed and Unrestricted.

QUESTION Which of the two policies is currently the default?

15. In the console tree, select the Additional Rules folder and, from the Action menu, select New Hash Rule.

16. The New Hash Rule dialog box appears.

17. Click Browse. In the Open dialog box that appears, browse to the C:\Windows\Notepad.exe file. Then click OK. A hash of the Notepad.exe file appears in the File Hash text box.

18. In the Security Level drop-down list, leave the default Disallowed value in place and then click OK. The new hash rule appears in the Additional Rules folder.

19. Select the Additional Rules folder and, from the Action menu, select New Path Rule. The New Path Rule dialog box appears.

20. Click Browse. In the Browse For File Or Folder dialog box that appears, browse to the C:\Windows\PcHealth\Helpctr\Binaries folder and click OK.

21. In the Security Level drop-down list, leave the default Disallowed value in place and then click OK. The new path rule appears in the Additional Rules folder.

22. Close the Group Policy Object Editor console.

23. Click Close to close the Workstations Properties dialog box.

24. Leave the computer logged on for later exercises.

EXERCISE 8-2: TESTING SOFTWARE RESTRICTION POLICIES

Estimated completion time: 10 minutes

In Exercise 8-1, you created a GPO containing test rules for software restriction policies. In this exercise, you will apply the GPO to your Computeryy server and examine the effect of the policies on the computer.

1. Restart (or turn on) your Computeryy server.

2. On Computeryy, log on to the domainxxyy domain using the Administrator account by typing the password P@$$w0rd.

3. Click Start, and then click Run. Type Notepad, and then click OK.

QUESTION What happens?

4. Click Start, and then click Run. Type Msconfig, and then click OK.

QUESTION What happens?

5. Open Windows Explorer and browse to the C:\Windows folder.

6. Right-click Notepad.exe, and then click Copy.

7. Right-click the C:\Windows folder, and then click Paste. A file called Copy Of Notepad.exe appears at the bottom of the list of files in the C:\Windows folder.

8. Double-click the Copy Of Notepad.exe file.

QUESTION What happens? Why?

10. In Windows Explorer, browse to the C:\Windows\PcHealth\Helpctr\Binaries folder.

11. Right-click Msconfig.exe, and then click Copy.

12. Right-click the C:\Windows folder, and then click Paste. A copy of the Msconfig.exe file appears in the C:\Windows folder.

13. Double-click the Msconfig.exe file in the C:\Windows folder.

QUESTION What happens? Why?

14. Close Windows Explorer.
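
The difference between the hash rule and the path rule created in Exercise 8-1, modelled as an added example (not part of the original lab). The class and function names, the file contents, the use of SHA-256 as a stand-in hash and the Unrestricted default level are assumptions of the example.

```python
import hashlib
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

def file_hash(content: bytes) -> str:
    # SHA-256 is a stand-in for the hash the New Hash Rule dialog computes.
    return hashlib.sha256(content).hexdigest()

class Policy:
    def __init__(self, default_level: str):
        self.default_level = default_level
        self.hash_rules = {}  # file hash -> security level
        self.path_rules = {}  # folder -> security level

    def add_hash_rule(self, content: bytes, level: str = DISALLOWED) -> None:
        self.hash_rules[file_hash(content)] = level

    def add_path_rule(self, folder: str, level: str = DISALLOWED) -> None:
        self.path_rules[PureWindowsPath(folder)] = level

    def evaluate(self, path: str, content: bytes):
        """Return (security level, rule type that decided it)."""
        digest = file_hash(content)
        if digest in self.hash_rules:  # follows the bytes, not the name
            return self.hash_rules[digest], "hash rule"
        target = PureWindowsPath(path)  # compares case-insensitively
        hits = [f for f in self.path_rules if f == target or f in target.parents]
        if hits:  # the deepest matching folder is the most specific rule
            best = max(hits, key=lambda f: len(f.parts))
            return self.path_rules[best], "path rule"
        return self.default_level, "default level"

# Constructed stand-ins for the two executables' contents.
NOTEPAD = b"constructed bytes standing in for Notepad.exe"
MSCONFIG = b"constructed bytes standing in for Msconfig.exe"
BINARIES = r"C:\Windows\PcHealth\Helpctr\Binaries"

def lab_policy() -> Policy:
    policy = Policy(default_level=UNRESTRICTED)  # assumed default level
    policy.add_hash_rule(NOTEPAD)
    policy.add_path_rule(BINARIES)
    return policy

if __name__ == "__main__":
    policy = lab_policy()
    for path, data in [(r"C:\Windows\Notepad.exe", NOTEPAD),
                       (r"C:\Windows\Copy Of Notepad.exe", NOTEPAD),
                       (BINARIES + r"\Msconfig.exe", MSCONFIG),
                       (r"C:\Windows\Msconfig.exe", MSCONFIG)]:
        print(path, "->", *policy.evaluate(path, data))
```

A path rule constrains only a location, so it holds only where users cannot write executables into folders that remain Unrestricted. A hash rule must be refreshed whenever the file is updated, because it matches only the exact bytes.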

EXERCISE 8-3: INSTALLING IIS

Estimated completion time: 15 minutes

As your next assignment, you are instructed to configure the security settings on an Internet Information Services (IIS) intranet Web server, so that only specific people are permitted to access it. First, however, you must install IIS on your test server and configure it with a default Web page. IIS may already be installed, and the default Web page may already exist unless you deleted it in a previous lab.

1. On Computerxx, click Start, point to Control Panel, and click Add Or Remove Programs.

2. Click Add/Remove Windows Components.

3. In the Components list, clear the Internet Explorer Enhanced Security Configuration check box.

4. In the Components list, click the Application Server entry (but do not select its check box), and then click Details.

5. Select the Internet Information Services (IIS) check box, and then click OK.

6. Click Next.

7. When the Completing The Windows Components Wizard page appears, click Finish.

8. Close the Add Or Remove Programs window.

9. Click Start, point to All Programs, point to Accessories, and click Notepad.

10. In the Notepad window, type the following:

W A R N I N G !

WARNING!

You have accessed a secured page on a server belonging to

Domainxxyy. Terminate this connection immediately or be prepared to

face departmental sanctions including loss of pay and termination of

employment.

11. Replace the xxyy in the code listing with the number assigned to the computers in your student domain by your administrator.

12. From the File menu, select Save As and save the file in the C:\Inetpub\Wwwroot folder with the name Default.htm.

13. Close Notepad.

14. Click Start, point to Programs, and click Internet Explorer.

15. In the Address text box, type and click GO.

QUESTION What is the result?

16. On Computeryy, open Microsoft Internet Explorer. In the Address box, type , where xx is the number assigned to the computer by your instructor, and click GO.

QUESTION What is the result?

EXERCISE 8-4: SECURING AN IIS SERVER

Estimated completion time: 15 minutes

To limit access to the intranet Web server, you have decided to configure IIS by specifying the IP addresses of the computers that are to be permitted access to the server and denying access to all other addresses. In this exercise, you use the Internet Information Services (IIS) Manager to configure the properties of the default Web site hosted by IIS.

1. On Computerxx, click Start, point to Administrative Tools, and click Internet Information Services (IIS) Manager.

2. In the console tree, expand the Web Sites folder and click Default Web Site.

3. From the Action menu, select Properties. Click the Directory Security tab.

4. Under IP Address And Domain Name Restrictions, click Edit.

5. Select the Denied Access option and click Add. Click DNS Lookup.

6. In the Type The DNS Name text box, type Computeryy and click OK. In the Grant Access dialog box, the IP address of Computeryy appears in the IP address text box.

7. Click OK. In the IP Address And Domain Name Restrictions dialog box, the IP address appears in the Except The Following box, with an access value of Granted.

8. Click OK to close the IP Address And Domain Name Restrictions dialog box.

9. Click OK to close the Default Web Site Properties dialog box.

10. In Internet Explorer, type in the Address box and click GO.

QUESTION What is the result?

11. On Computeryy, in Internet Explorer, type in the Address box, where xx is the number assigned to the computer by your instructor, and click GO.

QUESTION What is the result? Why?

12. Open the IP Address And Domain Name Restrictions dialog box again and select the Grant Access option to disable the IP address restriction.
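
The access decision configured in steps 5 through 7, modelled as an added example (not part of the original lab). The class and function names and all IP addresses are constructed, and the example goes beyond the lab's single-computer entry by also accepting a group of computers given as a network ID and subnet mask.

```python
import ipaddress

class IpRestrictions:
    """Default access for all clients plus a list of exceptions to it."""

    def __init__(self, default_granted: bool):
        self.default_granted = default_granted
        self.exceptions = []  # networks that get the opposite of the default

    def add_single_computer(self, ip: str) -> None:
        self.exceptions.append(ipaddress.ip_network(ip))  # a /32 host entry

    def add_group(self, network_id: str, subnet_mask: str) -> None:
        # Raises ValueError if network_id has host bits set for this mask.
        self.exceptions.append(ipaddress.ip_network(f"{network_id}/{subnet_mask}"))

    def is_granted(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.exceptions)
        return self.default_granted != listed  # listed clients flip the default

# Constructed addresses; the lab's real ones come from the classroom network.
COMPUTERXX = "192.168.1.11"   # the IIS server itself
COMPUTERYY = "192.168.1.12"   # the only client on the exception list
LOOPBACK = "127.0.0.1"

def lab_site() -> IpRestrictions:
    site = IpRestrictions(default_granted=False)  # Denied Access selected
    site.add_single_computer(COMPUTERYY)          # listed as Granted
    return site

def access_report(site: IpRestrictions, clients: list) -> dict:
    return {ip: ("Granted" if site.is_granted(ip) else "Denied") for ip in clients}

if __name__ == "__main__":
    print(access_report(lab_site(), [COMPUTERYY, COMPUTERXX, LOOPBACK]))
```

The decision is made on the source address of the connection as the server sees it, so a browser running on the server is judged by whichever local address it connects from.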

LAB CLEANUP

On Computerxx, perform the following:

1. Open the Active Directory Users And Computers console.

2. Locate the Computeryy computer object in the Workstations OU and drag it to the Computers container.

3. Close the Active Directory Users And Computers console.

LAB REVIEW QUESTIONS

Estimated completion time: 15 minutes

1. In Exercise 8-1, why was it necessary to move the Computeryy object to an OU before you could apply software restriction policies to it?

2. Assuming that you do not have the permissions needed to create a new OU and move the Computeryy object, what other method could you use to test your software restriction policies on Computeryy?

3. In Exercise 8-4, why was Computerxx unable to connect to the Web server running on the local computer?
