7 Securing Your Domain

  Active Directory


30: Configuring Domain Password and Account Lockout Policies with GP

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8419616#content

Know that a Password Policy already exists in the ‘Default Domain Policy’

  • GPM > … > domain.tld > Default Domain Policy [RtClk] > Edit
    • Computer Configs > Policies > Windows Settings > Security Settings > Account Policies >
      • Password Policy
        • Disable reversible encryption!
      • Account Lockout Policy: Minutes
      • Kerberos Policy
  • gpupdate /force
  • test

Also demonstrates locked accounts.  They can be unlocked via AD from the Master acct.

31: Deploying Fine Grained Password Policies (PSOs)

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8262568#content

PSO = Password Settings Object

Allows you to set a Password Policy on a per-user or per-group level

  • Create an AD Security Group
    • AD > … > Domain Groups > New > Group > “7 Day Password Age”
      • Global & Security
    • “7 Day Password Age” [DblClk] > Members tab > Add Members
      • Select desired users and/or groups
  • Create the Policy
    • Server Manager > Tools > ADSI Edit
      • ADSI Edit [RtClk] > Connect to…
        • Connection Settings
          • Leave all defaults
          • Name: Default naming context
          • (*) Select a well known Naming Context
            • Default naming context
          • (*) Default (Domain or server that you logged in to)
      • Default naming context [Clk] > DC=domain [Clk] > CN=System [Clk] > CN=Password Settings Container [RtClk] > New > Object
        • Select a class: msDS-PasswordSettings > [Next >]
        • Common-Name: ‘7DayPasswordAge’
        • Password Settings Precedence: 1
          • The PSO with the lowest value (Closest to 1) wins.
        • Password reversible…:FALSE
          • Must be UPPER CASE
        • Password History Length: 24
        • Password Complexity: TRUE
        • Min Password Length: 7
        • Min Pass Age: 00:00:00:00
          • Days:Hours:Minutes:Seconds
        • Max Password Age:07:00:00:00
        • Lockout Threshold: 3
          • Number of failed attempts
        • Observation window: 00:00:15:00
          • Number of consecutive failures within a 15 minute interval
        • Lockout Duration: 00:00:15:00
          • How long the user will be locked out.
        • [Finish]
  • Apply the Password Settings object to the Security Group
    • 7DayPasswordAge [RtClk] > Properties > msDS-PSOAppliesTo > [Edit]
      • Note: ‘7DayPasswordAge’ must be selected from within the window and not the left pane, otherwise msDS-PSOAppliesTo will not be accessible (unverified)
      • [Add Windows Account…] > Add ‘7 Day Password Age’ group
  • How to verify
    • Set timeout to 5 minutes
    • Use Powershell
      • Windows Icon > Powershell
        Import-Module ActiveDirectory
        Get-ADUser -Filter "GivenName -eq 'FIRSTNAME'" -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
            Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
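The ADSI Edit walkthrough above done with the ActiveDirectory PowerShell module instead, as an added example that is not part of the course or these notes. The group and PSO names are the ones from the notes; the OU path and the test user 'alice' are placeholders to replace with your own.

```powershell
# Added example, not from the course: builds the same PSO with the ActiveDirectory
# module. Group/PSO names follow the notes; $Ou and $TestUser are placeholders.
Import-Module ActiveDirectory
$GroupName  = '7 Day Password Age'
$PolicyName = '7DayPasswordAge'
$Ou         = 'OU=Domain Groups,DC=domain,DC=tld'   # placeholder: where your groups live
$TestUser   = 'alice'                               # placeholder: a member to verify with

# 1. Global security group that the PSO will be applied to (skipped if it exists).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $Ou
}
Add-ADGroupMember -Identity $GroupName -Members $TestUser

# 2. The PSO, with the same values as the ADSI Edit fields (D:H:M:S become TimeSpans).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    $pso = @{
        Name                            = $PolicyName
        Precedence                      = 1       # lowest value wins when several PSOs apply
        ReversibleEncryptionEnabled     = $false  # keep reversible encryption off
        PasswordHistoryCount            = 24
        ComplexityEnabled               = $true
        MinPasswordLength               = 7
        MinPasswordAge                  = (New-TimeSpan -Days 0)
        MaxPasswordAge                  = (New-TimeSpan -Days 7)
        LockoutThreshold                = 3
        LockoutObservationWindow        = (New-TimeSpan -Minutes 15)
        LockoutDuration                 = (New-TimeSpan -Minutes 15)
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# 3. Link the PSO to the group (this is what msDS-PSOAppliesTo holds).
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

# 4. Verify. Get-ADUserResultantPasswordPolicy returns nothing when only the
#    Default Domain Policy applies, so an empty result means the PSO is not in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity $TestUser
if ($null -eq $effective -or $effective.Name -ne $PolicyName) {
    throw "PSO '$PolicyName' is not the effective policy for $TestUser"
}
# Precedence collisions are the usual reason the wrong PSO wins; list them all.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | Select-Object Name, Precedence
# The computed expiry should now be no more than 7 days out.
Get-ADUser -Identity $TestUser -Properties DisplayName, 'msDS-UserPasswordExpiryTimeComputed' |
    Select-Object DisplayName, @{ Name = 'ExpiryDate'
        Expression = { [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') } }
```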


32: Configuring Windows Firewall with Group Policy

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8420356#content

  • GPM > … > Domain Computers [RtClk] > New GPO linked here > “Firewall – Port 1234”
    • “Firewall…” [RtClk] > Edit…
      • Comp Configs > Policy > Win Settings > Security Settings > Windows Defender Firewall … > Win Def FW …
        • Select rule type you want (Inbound, Outbound) [RtClk] > New Rule
          • Create the rule
          • Name the rule
  • Log into a computer in the ‘Domain Computers’ OU
    • Run gpupdate /force
    • Check your local firewall rules
      • Run RSOP.msc
      • Comp Conf > Admin Templates > Extra Registry Settings

33: Configure Windows Registry Settings with Group Policy

https://www.udemy.com/course/active-directory-group-policy-2012/learn/lecture/8420360#content

Rule to right-click any file and get an option to open it with Notepad

Be very careful here.  Mistakes might not be reversible!

  • GPM > … > domain.tld [RtClk] > New GPO and link > “Registry Settings”
    • “Registry Settings” [RtClk] > Edit…
      • Can be either computer or user based.
      • Pref > Win Settings > Registry [RtClk] > New > Registry Item
        • Action: Create
        • Hive: HKEY_CLASSES_ROOT
        • Key Path: Hkey_cl_root > * > Shell [Select]
          • Update to read: *\shell\Open With Notepad\command
        • [x] Default
        • Value type: REG_SZ
        • Value data: “notepad.exe %1”
        • [Apply][OK]
  • Run gpupdate /force
  • RtClk any file

