Module 9: Configuring Server Security Compliance
Lab: Manage Server Security
Exercise 1: Configuring Windows Software Update Services (WSUS)
Task 1: Start the virtual machines, and log on
1. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL2, click Launch.
4. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.
Task 2: Use the Group Policy Management Console to create and link a Group Policy Object (GPO) to the domain to configure client updates
1. On NYC-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the console pane, expand Forest: WoodgroveBank.com, expand Domains, and then click WoodgroveBank.com.
3. Right-click WoodgroveBank.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, type WSUS, and then click OK.
5. In the details pane, right-click WSUS, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
MCT USE ONLY. STUDENT USE PROHIBITED
7. In the details pane, double-click Configure Automatic Updates.
Note: the order of the settings below may be different and you may need to locate and open each one separately.
8. In the Configure Automatic Updates Properties dialog box, click Enabled, and then click Next Setting.
9. On the Specify intranet Microsoft update service location Properties dialog box, click Enabled.
10. In the Set the intranet update service for detecting updates field, type http://NYC-SVR1.
11. In the Set the intranet statistics server field, type http://NYC-SVR1, and then click Next Setting.
12. On the Automatic Updates detection frequency Properties dialog box, click Enabled, and then click OK.
13. Close Group Policy Management Editor, and then close Group Policy Management.
14. On NYC-CL2, click Start | All Programs | Accessories | Command Prompt.
15. In the Command Prompt, type GPUpdate /force, and then press ENTER.
16. Allow the GPUpdate command to complete.
17. Click Start, click the right-arrow button, and then click Restart.
18. Allow NYC-CL2 to restart.
19. Log on to NYC-CL2 virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
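The following check is an added example, not part of the original lab: it reads the Windows Update policy values that the WSUS GPO writes to the client registry and compares them with what Task 2 configured. It assumes PowerShell 2.0 or later is available on NYC-CL2; the variable and function names are illustrative.

```powershell
# Added example: run on NYC-CL2 after "GPUpdate /force" to confirm the WSUS GPO applied.
# Assumption: PowerShell 2.0 or later is installed on the client.
$expected = 'http://NYC-SVR1'   # value typed in steps 10 and 11 of Task 2
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing, i.e. the policy never arrived.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$policy = @{
    WUServer                  = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer            = Get-PolicyValue $wuKey 'WUStatusServer'
    UseWUServer               = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate              = Get-PolicyValue $auKey 'NoAutoUpdate'
    DetectionFrequencyEnabled = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
}

$findings = @()
if ($policy.WUServer -ne $expected) {
    $findings += "WUServer is '$($policy.WUServer)', expected '$expected'"
}
if ($policy.WUStatusServer -ne $expected) {
    $findings += "WUStatusServer is '$($policy.WUStatusServer)', expected '$expected'"
}
if ($policy.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1, so the client does not use the intranet server'
}
if ($policy.NoAutoUpdate -eq 1) {
    $findings += 'NoAutoUpdate is 1, so Automatic Updates is disabled by policy'
}
if ($policy.DetectionFrequencyEnabled -ne 1) {
    $findings += 'Automatic Updates detection frequency policy is not enabled'
}
if ($policy.WUServer -like 'http://*') {
    # Expected in this lab; a production WSUS server should be published over SSL.
    $findings += 'Note: WUServer uses plain HTTP, so client-to-WSUS traffic is unencrypted'
}

$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ($findings.Count -eq 0) { 'WSUS policy matches the GPO.' } else { $findings }
```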
Task 3: Use the WSUS administration tool to view WSUS properties
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services 3.0 SP1.
2. In the Update Services window, in the console pane expand NYC-SVR1, and then click Options.
3. In the details pane, click Update Source and Proxy Server.
4. Review the options on both tabs, and then click Cancel.
5. In the details pane, click Products and Classifications.
6. Review the options for product support and update classifications, and then click Cancel.
7. In the details pane, click Update Files and Languages.
8. Review the options for downloading updates and support for languages, and then click Cancel.
9. In the details pane, click Synchronization Schedule.
10. Review the options for synchronizing content, and then click Cancel.
Task 4: Create a computer group, and add NYC-CL2 to the new group
1. In the console pane, expand Computers, and then click All Computers.
2. In the Actions pane, click Add Computer Group.
3. In the Add Computer Group dialog box, type HO Computers, and then click Add.
4. In the console pane, expand All Computers, and then click Unassigned Computers.
5. In the details pane, in the Status list, click Any, and then click Refresh.
6. Right-click nyc-cl2.woodgrovebank.com, and then click Change Membership.
7. In the Set Computer Group Membership dialog box, select the HO Computers check box, and then click OK.
Task 5: Approve an update for Windows Vista clients
1. In the console pane, expand Updates, and then click Security Updates.
2. In the details pane, in the Approval list, click Any Except Declined.
3. In the Status list, click Any, and then click Refresh.
Note: Notice all of the updates available.
4. In the details pane, click Title to sort the results by title.
5. Scroll down, right-click Security Update for Windows Vista (KB957095), and then click Approve.
6. In the Approve Updates dialog box, click the arrow next to All Computers, click Approved for Install, and then click OK.
7. On the Approval Progress page, when the process is complete, click Close.
8. In the details pane, right-click Security Update for Windows Vista (KB957097), and then click Approve.
9. In the Approve Updates dialog box, click the arrow next to All Computers, point to Deadline, and then click Custom.
10. In the Choose Deadline dialog box, in the Date field, type in yesterday’s date, and then click OK twice.
Note: Entering yesterday’s date will cause the update to be installed as soon as the client computers contact the server. Note that because these VMs use the Microsoft Lab Launcher environment, their date will not correspond with the actual date. This is by design. Take note of the VM's configured date and enter a date one day before the VM's configured date.
11. In the Approval Progress dialog box, click Close.
Task 6: Install an update on the Windows Vista client
1. On NYC-CL2, click Start, type cmd, and then press ENTER.
2. At the Command Prompt, type GPUpdate /force, and then press ENTER.
Note: Wait for the policy to finish updating.
3. At the command prompt, type wuauclt /detectnow, and then press ENTER.
4. The Windows Update dialog box will appear notifying you that the update is being installed and the computer needs to restart. Click Restart now.
Note: It may take several minutes for the Windows Update dialog box to appear.
5. Log on to NYC-CL2 as WOODGROVEBANK\Administrator with the password of Pa$$w0rd.
6. Click Start, point to All Programs, and then click Windows Update.
7. In the Windows Update window, in the left pane, click View Update History.
8. On the Review your update history page, locate the Security Update for Windows Vista (KB957097).
Note: Due to the limitations of the lab environment, the KB957097 update is pre-loaded on the WSUS server to demonstrate the update process.
9. Close Windows Explorer.
Task 7: View WSUS reports
1. On NYC-SVR1, in the Update Services console pane, click Reports.
2. Review the various reports available in WSUS.
3. In the details pane, click Computer Detailed Status.
4. In the Computers Report for NYC-SVR1 window, click Run Report.
5. On the completed report, note how many updates are listed under nyc-cl2.woodgrovebank.com.
6. Close the Computers Report for NYC-SVR1 window.
7. Close Update Services.
Exercise 2: Configure Auditing
Task 1: Examine the current state of the audit policy
1. On NYC-DC1, click Start, and then click Command Prompt.
2. At the command prompt, type Auditpol.exe /get /category:*, press ENTER, and then examine the default audit policy settings.
3. Minimize the command prompt.
Task 2: Enable DS Access auditing on domain controllers
1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console pane, expand WoodgroveBank.com, expand Group Policy Objects, and then right-click the Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor console pane, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy. Notice that all policy settings are set to Not Defined.
4. Double-click Audit directory service access.
5. In the Audit directory service access Properties dialog box, select Define these policy settings.
6. Select both the Success and Failure check boxes, and then click OK.
7. Close the Group Policy Management Editor, and then close the Group Policy Management console.
8. Restore the Command Prompt, type Gpupdate, and then press ENTER.
9. When the update completes, run the Auditpol.exe /get /category:* command again, and then examine the audit policy.
10. Close Command Prompt.
Task 3: Set the SACL for the domain
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. In the console pane, right-click WoodgroveBank.com, and then click Properties.
4. In the WoodgroveBank.com Properties dialog box, click the Security tab.
5. Click Advanced.
6. On the Advanced Security Settings for WoodgroveBank dialog box, click the Auditing tab, and then click Add.
7. In the Select Users, Computers, and Groups dialog box, type Everyone, and then click OK.
8. In the Auditing Entry for WoodgroveBank dialog box, for Write all properties select the Successful and Failed check boxes.
9. Click OK three times.
Task 4: Test the policy
1. In the console tree, right-click Toronto, and then click Rename.
2. Type GTA, and then press ENTER.
3. Minimize Active Directory Users and Computers.
4. Click Start, and then click Server Manager.
5. In the Server Manager console pane, expand Diagnostics, expand Event Viewer, expand Windows Logs, and then click Security.
6. In the details pane, locate the event with the 4662 ID. Double-click the event, and then examine the event.
7. Close the Event Properties dialog box.
8. Minimize Server Manager.
9. Restore Active Directory Users and Computers.
10. In the console pane, click Users.
11. In the details pane, double-click Administrator.
12. In the Administrator Properties dialog box, click the Telephones tab.
13. In the Mobile field, type 555-555-5555, and then click OK.
14. Close Active Directory Users and Computers, and then restore Server Manager.
15. In the details pane, locate the newest 4662 event, and double-click to view details.
Note: You may have to wait a minute for the event to appear.
16. Close all open windows.
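The following script is an added example, not part of the original lab: it lists the 4662 events that Task 4 generates, keeps only those where a property write was requested (the access the SACL in Task 3 audits), and resolves the object GUID that the event records into a distinguished name. It assumes an elevated PowerShell 2.0 or later session on NYC-DC1; the function and variable names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on NYC-DC1 after Task 4.
# Assumption: PowerShell 2.0 or later (Get-WinEvent) is installed on the domain controller.
$WriteProperty = 0x20   # access-mask bit for "Write Property" in event 4662

function Resolve-ObjectName([string]$Name) {
    # 4662 usually records the object as %{GUID}; bind by GUID to get the DN.
    if ($Name -match '^%\{([0-9a-fA-F-]{36})\}$') {
        try {
            $dn = ([ADSI]"LDAP://<GUID=$($Matches[1])>").distinguishedName
            if ($dn) { return [string]$dn }
        } catch { }   # object deleted or unreachable: fall back to the raw value
    }
    return $Name
}

$events = Get-WinEvent -LogName Security -FilterXPath '*[System[(EventID=4662)]]' `
    -MaxEvents 50 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if (-not $data['AccessMask']) { continue }
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)   # value is stored as "0x20"
    if (($mask -band $WriteProperty) -eq 0) { continue }  # skip reads and other access

    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object     = Resolve-ObjectName $data['ObjectName']
        AccessMask = $data['AccessMask']
    }
}

if ($rows) {
    $rows | Select-Object Time, User, Object, AccessMask | Format-Table -AutoSize
} else {
    'No 4662 write-property events found; check the audit policy and the SACL.'
}
```

After the lab steps, the rename of Toronto and the change to the Administrator account's Mobile field should each appear as a row.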
Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.