-
LDAP - The Lightweight Directory Access Protocol is a protocol for maintaining and accessing distributed directory information over an IP network. A client connects to a Directory System Agent (DSA), an LDAP server, via TCP and UDP port 389 or 636 for LDAPS. All information is transmitted using Basic Encoding Rules (BER).
-
Kerberos - A Computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
-
Distribution groups are a feature in AD that allow sending email to multiple people who are added to the contact list of the group within the domain. Permissions cannot be assigned to a DG.
-
Security Groups allow controlling user and computer access to shared resources, setting permissions over the domain, or using the group as a distribution list for email.
-
Security Filtering allows filtering the scope of a GPO, so that it only applies to certain groups or users within the domain.
-
Windows Management Instrumentation (WMI) Filtering
- To add a WMI Filter, create an entry in the WMI Filters container in your domain.
- An example filter query that only accepts Windows 10 machines (ProductType "1" is a workstation):
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
- This entry can now be selected on GPOs so that they only apply to the users and computers that match that filter.
-
NTP (Network Time Protocol) is important:
- for security, as time stamps are used to validate authentication and prevent many different types of attacks.
- Synced clocks allow working with many different systems and correlating events across servers and clients.
-
Linking a GPO simply means applying that Group Policy to the objects within the OU.
-
Enforced GPOs cannot be overridden by later policies further down the tree.
-
Active Directory Domain Services – a Directory Service for use in Windows Domain networks.
-
Domain - a system in which a user may be granted access to a number of computer resources with the use of a single username and password.
-
Domain Controller – a server that responds to security authentication requests within a Windows Domain. It authenticates and authorizes all users and computers in a Windows Domain, assigning and enforcing security policies for all computers and the installation and updating of software.
-
Forest – top-level term for the collection of Directory Trees in a particular instance of AD.
-
Group Policy - controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy ("LGPO" or "LocalGPO") also allows Group Policy Object management on standalone and non-domain computers.
-
Security Groups are a specific type of distribution group that allows assigning security rights.
- Domain Controller - 128.82.6.193
- Clients - 128.82.6.194-6
- Add a new forest – Root domain name - tyler.undernet.cs.odu.edu
-
Creating Organizational Units: Active Directory Users and Computers > tyler.undernet.cs.odu.edu Context Menu > New > Organizational Unit
-
Add a user named USERNAME to the OU Organizational Unit under my domain (straight quotes; $USERNAME and $OU are placeholders for the actual values):
dsadd user "cn=$USERNAME,ou=$OU,dc=TYLER,dc=undernet,dc=cs,dc=odu,dc=edu"
-
Redirect new computer accounts to the "New Machines" OU in the tyler.undernet.cs.odu.edu domain (the last DN component is dc=edu):
redircmp "OU=New Machines,DC=TYLER,DC=undernet,DC=cs,DC=odu,DC=edu"
-
Add Clients to the domain: set up the 6net connection with DNS pointing at the domain controller IP. Settings -> Join Domain -> tyler.undernet
-
Delegate password resetting: tyler.undernet.cs.odu.edu -> Delegate Control (opens a wizard) -> Select Systems Staff -> Delegate the following common tasks -> select only "Reset user passwords and force password change at next logon". Is there a way to only assign the reset permission for Staff to the Students group?
-
"Allow Users to connect remotely by using Remote Desktop Services."
-
GPOs are processed in the following order. The order is significant because policy applied later overwrites policy applied earlier.
- The local GPO is applied.
- GPOs linked to sites are applied.
- GPOs linked to domains are applied.
- GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units are applied.
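As an added example (not part of these notes), a small Python model of the LSDOU processing order above combined with the Enforced rule noted earlier: later-applied settings overwrite earlier ones, enforced links are applied after all others, and among enforced links the one highest in the hierarchy is applied last and therefore wins. The GPO names and settings are constructed for illustration.

```python
from dataclasses import dataclass, field

# LSDOU: local, site, domain, OU; GPOs applied later overwrite earlier ones.
LEVELS = ["local", "site", "domain", "ou"]


@dataclass
class GpoLink:
    name: str
    level: str                  # one of LEVELS
    depth: int = 0              # OU nesting: parent OU (0) is applied before child OU (1)
    enforced: bool = False
    settings: dict = field(default_factory=dict)


def rank(link):
    return (LEVELS.index(link.level), link.depth)


def processing_order(links):
    """Order in which linked GPOs are applied; the last one applied wins.

    Non-enforced links follow LSDOU order. Enforced links are applied after
    all of them in reverse LSDOU order, so an enforced domain GPO is applied
    after an enforced OU GPO and cannot be overridden lower in the tree.
    """
    normal = sorted((g for g in links if not g.enforced), key=rank)
    enforced = sorted((g for g in links if g.enforced), key=rank, reverse=True)
    return normal + enforced


def resultant_set_of_policy(links):
    """Return {setting: (value, name of the GPO that supplied it)}."""
    rsop = {}
    for link in processing_order(links):
        for setting, value in link.settings.items():
            rsop[setting] = (value, link.name)
    return rsop


# Constructed sample links (hypothetical GPO names modelled on the notes).
SAMPLE_LINKS = [
    GpoLink("Local GPO", "local", settings={"LogonBanner": "local text", "AllowRDP": False}),
    GpoLink("Default Domain Policy", "domain", enforced=True,
            settings={"LogonBanner": "Authorised use only", "NtpServer": True}),
    GpoLink("Staff OU Policy", "ou", depth=0, settings={"AllowRDP": True}),
    GpoLink("Staff Desktops Policy", "ou", depth=1, enforced=True,
            settings={"LogonBanner": "Staff desktops", "AllowRDP": False}),
]

if __name__ == "__main__":
    for setting, (value, winner) in resultant_set_of_policy(SAMPLE_LINKS).items():
        print(f"{setting} = {value!r}  (from {winner})")
```

Note that the enforced child-OU GPO still loses the banner setting to the enforced domain GPO, while it wins AllowRDP because no higher enforced link sets it.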
-
Set up auditing of all events.
-
Policies -> Administrative Templates -> System -> Windows Time Service -> Time Providers -> Enable Windows NTP Server.
-
Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Message text
- Staff1->Password1!
- Staff2->Password2!
- Faculty1->Passwordf1!
- Faculty2->Passwordf2!
- Student1->Passwords1!
- Student2->Passwords2!
- Student3->Passwords3!
- Windows Clients: Local Admin Account: DESKTOP-CLIENT$NUMBER\Client1, no password
Set the password policy to a minimum length of 6 characters instead of 7.
References:
- https://msdn.microsoft.com/en-us/library/aa374155(v=vs.85).aspx
- https://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx
- https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/
- https://ryanmangansitblog.com/2013/03/11/deploying-rds-2012-single-server-session-based-deployment/
- https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/