{"id":2766,"date":"2020-04-30T10:52:22","date_gmt":"2020-04-30T10:52:22","guid":{"rendered":"https:\/\/wiki.thomasandsofia.com\/?p=2766"},"modified":"2020-05-01T00:58:01","modified_gmt":"2020-05-01T00:58:01","slug":"7-securing-your-domain","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=2766","title":{"rendered":"7 Securing Your Domain"},"content":{"rendered":"<p><a href=\"\/6-manage-your-workstations\/\">&lt; Manage Your Workstations<\/a> | <a href=\"\/active-directory-and-group-policies\/\">Home<\/a> | <a href=\"\/8-how-to-use-powershell-with-active-directory\/\">8 How to use Powershell with AD &gt;<\/a><\/p>\n<h1>30: Configuring Domain Password and Account Lockout Policies with GP<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8419616#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8419616#content<\/a><\/p>\n<p>Know that a Password Policy already exists in the &#8216;Default Domain Policy&#8217;<\/p>\n<ul>\n<li>GPM &gt; &#8230; &gt; domain.tld &gt; Default Domain Policy [RtClk] &gt; Edit\n<ul>\n<li>Computer Configs &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt;\n<ul>\n<li>Password Policy\n<ul>\n<li>Disable reversible encryption!<\/li>\n<\/ul>\n<\/li>\n<li>Account Lockout Policy: Minutes<\/li>\n<li>Kerberos Policy<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>gpupdate \/force<\/li>\n<li>test<\/li>\n<\/ul>\n<p>Also demonstrates locked accounts.\u00a0 Can be unlocked via AD from the Master acct.<\/p>\n<h1>31: Deploying Fine Grained Password Policies (PSOs)<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8262568#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8262568#content<\/a><\/p>\n<p>PSO = Password Setting 
Object<\/p>\n<p>Allows you to set a Password Policy on a per-user or per-group level<\/p>\n<ul>\n<li>Create an AD Security Group\n<ul>\n<li>AD &gt; &#8230; &gt; Domain Groups &gt; New &gt; Group &gt; &#8220;7 Day Password Age&#8221;\n<ul>\n<li>Global &amp; Security<\/li>\n<\/ul>\n<\/li>\n<li>&#8220;7 Day Password Age&#8221; [DblClk] &gt; Members tab &gt; Add Members\n<ul>\n<li>Select desired users and\/or groups<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Create the Policy\n<ul>\n<li>Server Manager &gt; Tools &gt; <strong>ADSI Edit<\/strong>\n<ul>\n<li>ADSI Edit [RtClk] &gt; Connect to&#8230;\n<ul>\n<li>Connection Settings\n<ul>\n<li>Leave all defaults<\/li>\n<li>Name: Default naming context<\/li>\n<li>(*) Select a well known Naming Context\n<ul>\n<li>Default naming context<\/li>\n<\/ul>\n<\/li>\n<li>(*) Default (Domain or server that you logged in to)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Default naming context [Clk] &gt; DC=domain [Clk] &gt; CN=System [Clk] &gt; CN=Password Settings Container [RtClk] &gt; New &gt; Object\n<ul>\n<li>Select a class: msDS-PasswordSettings &gt; [Next &gt;]<\/li>\n<li>Common-Name: &#8216;7DayPasswordAge&#8217;<\/li>\n<li>Password Settings Precedence: 1\n<ul>\n<li>The PSO with the lowest value (Closest to 1) wins.<\/li>\n<\/ul>\n<\/li>\n<li>Password reversible&#8230;: FALSE\n<ul>\n<li>Must be UPPER CASE<\/li>\n<\/ul>\n<\/li>\n<li>Password History Length: 24<\/li>\n<li>Password Complexity: TRUE<\/li>\n<li>Min Password Length: 7<\/li>\n<li>Min Pass Age: 00:00:00:00\n<ul>\n<li>Days:Hours:Minutes:Seconds<\/li>\n<\/ul>\n<\/li>\n<li>Max Password Age: 07:00:00:00<\/li>\n<li>Lockout Threshold: 3\n<ul>\n<li>Number of failed attempts<\/li>\n<\/ul>\n<\/li>\n<li>Observation window: 00:00:15:00\n<ul>\n<li>Number of consecutive failures within a 15 minute interval<\/li>\n<\/ul>\n<\/li>\n<li>Lockout Duration: 00:00:15:00\n<ul>\n<li>How long the user will be locked 
out.<\/li>\n<\/ul>\n<\/li>\n<li>[Finish]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Apply the Passwords Settings container to the Security Group\n<ul>\n<li>7DayPasswordAge [RtClk] &gt; Properties &gt; msDS-PSOAppliesTo &gt; [Edit]\n<ul>\n<li>Note: &#8216;7DayPasswordAge&#8217; must be selected from within the window and not the left pane, otherwise msDS-PSO&#8230; will not be accessible&#8230;???<\/li>\n<li>[Add Windows Account&#8230;] &gt; Add &#8216;7 Day Password Age&#8217; group<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>How to verify\n<ul>\n<li>Set timeout to 5 minutes<\/li>\n<li>Use Powershell\n<ul>\n<li>Windows Icon &gt; Powershell<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre>import-module ActiveDirectory\r\nGet-ADUser -f {GivenName -eq 'FIRSTNAME'} -properties \"DisplayName\", \"msDS-UserPasswordExpiryTimeComputed\" | Select-Object -Property \"DisplayName\", @{Name=\"ExpiryDate\";Expression={[datetime]::FromFileTime($_.\"msDS-UserPasswordExpiryTimeComputed\")}}<\/pre>\n<p>&nbsp;<\/p>\n<h1>32: Configuring Windows Firewall with Group Policy<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8420356#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8420356#content<\/a><\/p>\n<ul>\n<li>GPM &gt; &#8230; &gt; Domain Computers [RtClk] &gt; New GPO linked here &gt; &#8220;Firewall &#8211; Port 1234&#8221;\n<ul>\n<li>&#8220;Firewall&#8230;&#8221; [RtClk] &gt; Edit&#8230;\n<ul>\n<li>Comp Configs &gt; Policy &gt; Win Settings &gt; Security Settings &gt; Windows Defender Firewall &#8230; &gt; Win Def FW &#8230;\n<ul>\n<li>Select rule type you want (Inbound, Outbound) [RtClk] &gt; New Rule\n<ul>\n<li>Create the rule<\/li>\n<li>Name the rule<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Log into a computer in the &#8216;Domain Computers&#8217; OU\n<ul>\n<li>Run gpupdate 
\/force<\/li>\n<li>Check your local firewall rules\n<ul>\n<li>Run RSOP.msc<\/li>\n<li>Comp Conf &gt; <strong>Admin Templates<\/strong> &gt; Extra Registry Settings<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>33: Configure Windows Registry Settings with Group Policy<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8420360#content\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8420360#content<\/a><\/p>\n<p>Rule to right click any file and have option to open with NotePad<\/p>\n<p>Be very careful here.\u00a0 Mistakes might not be reversible!<\/p>\n<ul>\n<li>GPM &gt; &#8230; &gt; domain.tld [RtClk] &gt; New GPO and link &gt; &#8220;Registry Settings&#8221;\n<ul>\n<li>&#8220;Registry Settings&#8221; [RtClk] &gt; Edit&#8230;\n<ul>\n<li>Can be either computer or user based.<\/li>\n<li>Pref &gt; Win Settings &gt; Registry [RtClk] &gt; New &gt; Registry Item\n<ul>\n<li>Action: Create<\/li>\n<li>Hive: HKEY_CLASSES_ROOT<\/li>\n<li>Key Path: Hkey_cl_root &gt; * &gt; Shell [Select]\n<ul>\n<li>Update to read &#8216; *\\shell\\Open With Notepad\\command<\/li>\n<\/ul>\n<\/li>\n<li>[x] Default<\/li>\n<li>Value type: REG_SZ<\/li>\n<li>Value data: &#8220;notepad.exe %1&#8221;<\/li>\n<li>[Apply][OK]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Run gpupdate \/force<\/li>\n<li>RtClk any file<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&lt; Manage Your Workstations | Home | 8 How to use Powershell with AD &gt; 30: Configuring Domain Password and Account Lockout Policies with GP https:\/\/www.udemy.com\/course\/active-directory-group-policy-2012\/learn\/lecture\/8419616#content Know that a Password Policy already exists in the &#8216;Default Domain Policy&#8217; GPM &gt; &#8230; &gt; domain.tld &gt; Default Domain Policy [RtClk] &gt; Edit Computer Configs &gt; Policies &gt; ..<\/p>\n<div 
class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=2766\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-2766","post","type-post","status-publish","format-standard","hentry","category-active-directory"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2766"}],"version-history":[{"count":9,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2766\/revisions"}],"predecessor-version":[{"id":2779,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/2766\/revisions\/2779"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}