Testout Security Plus Labsim 8

8.9.7 Change Your Password You are the IT security administrator for a small corporate network. You use a special user account called Administrator to log on to your Linux computer. You suspect that someone has learned your password. You are currently logged on as Administrator. In this lab, your task is to change your password to r8ting4str. The current password for the Administrator account is7hevn9jan. Remember that the password is not visible as you type it at the command prompt.

Task Summary Change the administrator user password to r8ting4str Explanation In this lab, you change your administrator password from 7hevn9jan to r8ting4str as follows: 1. At the command prompt, type passwd and press Enter. 2. Enter 7hevn9jan and press Enter for the UNIX password. 3. Enter r8ting4str and press Enter for the new password. 4. When prompted to retype the new password, enter r8ting4str and press Enter.

8.13.3 Configure User Account Restrictions You work as the IT security administrator for a small corporate network. Organizational units (OUs) in the domain represent departments. All user accounts for a department are within its departmental OU. As part of your user account maintenance, you need to modify restrictions for user accounts. In this lab, your task is to perform the following: • Borey Chan is a temporary sales account assistant in the Sales/TempSales OU. o Allow logon Monday-Friday, 9:00 am-5:00 pm only. o Expire the user account on December 31st. • Pat Benton has been fired from the Research-Dev department. Disable her account until her replacement is found. • Wendy Pots in the Research-Dev department is returning from maternity leave. While she was gone, you disabled her account to prevent logon. Enable her account to allow logon. • For all users in the Support OU (but not the SupportManagers OU), allow logon only to the Support computer.

Task Summary Add restrictions for Borey Chan Hide Details Allow logon only M-F between 9:00 am and 5:00 pm Expire the account on Dec 31 Disable the Pat Benton account Enable the Wendy Pots account Restrict computers for Support users Hide Details Restrict Janice Rons to the Support computer Restrict Tom Plask to the Support computer Explanation In this lab, your task is to perform the following: • Borey Chan is a temporary sales account assistant in the Sales/TempSales OU. o Allow logon Monday-Friday, 9:00 am-5:00 pm only. o Expire the user account on December 31st. • Pat Benton has been fired from the Research-Dev department. Disable her account until her replacement is found. • Wendy Pots in the Research-Dev department is returning from maternity leave. While she was gone, you disabled her account to prevent logon. Enable her account to allow logon. • For all users in the Support OU (but not the SupportManagers OU), allow logon only to the Support computer. Complete this lab as follows: 1. From Server Manager, select Tools > Active Directory Users and Computers. 2. Expand CorpNet.com. 3. To configure logon hour restrictions for Borey Chan: a. Browse to the Sales/TempSales OU. b. In the right pane, right-click Borey Chan and select Properties. c. Select the Account tab. d. Select Logon Hours. e. Select Logon Denied because logon is allowed for all hours (indicated by blue boxes) by default. f. Click and drag the mouse to highlight the boxes that correspond to hours of permitted logon. g. Select Logon Permitted. The selected boxes turn blue, indicating that logon is allowed during those times. h. Click OK. i. Under Account expires, select End of. j. Enter the date that the user's account will expire. k. Click OK. 4. Disable Pat Benton's account as follows: a. Select the Research-Dev OU. b. Right-click Pat Benton and select Disable Account. c. Click OK to apply the changes. 5. Enable Wendy Pots's account as follows: a. In the Research-Dev OU, right-click Wendy Pots and select Enable Account. b. Click OK. 6. Configure user account restrictions as follows: a. Navigate to the Support OU. b. Press Ctrl and select both the Tom Plack and Janice Rons users to edit multiple users at the same time. In Safari, press Command and select each user. c. Right-click the user accounts and select Properties. d. Select the Account tab. e. Mark Computer restrictions. f. Select Log On To. g. Select The following computers. h. In the Computer name field, enter Support. i. ClickAdd. j. Click OK. 7. Click OK.

8.8.3 Create User Accounts You are the IT Administrator for a small corporate network. You recently added an Active Directory domain on the CorpDC server so you can manage resources centrally. You are populating user accounts in the domain. In this lab, your task is to create the following user accounts on CorpDC in the CorpNet.com domain: User Job Role Juan Suarez Marketing manager Susan Smith Permanent sales employee Borey Chan Temporary sales employee Mark Burnes Sales manager Use the following user account naming standards and specifications as you create each account: • User account name:[First name] + [Last name]. • Logon name: [firstinitial] + [lastname] @CorpNet.com. • Initial password: 1234abcd$ (must be changed at the first logon) • Place each user account in the appropriate departmental OU: o The Marketing\MarketingManagers OU for the marketing manager o The Sales\PermSales OU for the permanent employee o The Sales\TempSales OU for the temporary employee o The Sales\SalesManagers OU for the sales manager • For the Temporary Sales employee: o Limit logon hours to allow logon only from 8 am to 5 pm, Monday through Friday. o Expire the user account on December 31.

Task Summary Create the Juan Suarez account Hide Details Create the Juan Suarez account in the Marketing\MarketingManagers OU Set the first name, last name, and full name properties Use [email protected] for the logon name Specify a password of 1234abcd$ Require a password change at next logon Enable the account Create the Susan Smith account Hide Details Create the Susan Smith account in the Sales\PermSales OU Set the first name, last name, and full name properties Use [email protected] for the logon name Set the password to 1234abcd$ Require a password change at next logon Enable the account Create the Borey Chan account Hide Details Create the Borey Chan account in the Sales\TempSales OU Set the first name, last name, and full name properties Use bchan@CorpNet for the logon name Set the password to 1234abcd$ Require a password change at next logon Enable the account Limit the logon hours of Borey Chan to allow logon only from 8 am to 5 pm, Monday through Friday. Expire the Borey Chan account on December 31st Create the Mark Burnes account Hide Details Create the Mark Burnes account in the Sales\SalesManagers Set the first name, last name, and full name properties Use mburnes@CorpNet for the logon name Set the password to 1234abcd$ Require a password change at next logon Enable the account Explanation In this lab, you use Active Directory Users and Computers to create the following user accounts: User Job Role User Name OU Juan Suarez Marketing manager jsuarez Marketing\MarketingManagers Susan Smith permanent sales employee ssmith Sales\PermSales Borey Chan temporary sales employee bchan Sales\TempSales Mark Burnes Sales manager mburnes Sales\SalesManagers Complete this lab as follows: 1. Create a domain user account as follows: a. From Server Manager, select Tools > Active Directory Users and Computers. b. Browse the Active Directory structure to the appropriate OU. c. Right-click the OU and select New > User. d. Enter the following values for the new user: First name Last name User logon name (this name is required; the user will use it to log on to the domain) e. Click Next. f. Enter the user account's initial password and confirm it. g. Make sure User must change password at next logon is selected; then click Next. h. Click Finish to create the object. i. Repeat steps 1b-1h to create the rest of the users. 2. Modify user account restrictions for the temporary sales employee as follows: a. In Active Directory Users and Computers, browse to the Borey Chan user account. b. Right-click Borey Chan and select Properties. c. Select the Account tab. d. Select Logon hours. e. In the Logon Hours dialog, select Logon Denied to clear the allowed logon hours. By default, logon is always permitted (every hour box is blue). f. Drag the mouse to select a time range. g. Select Logon Permitted to allow logon. h. Click OK. 3. Under Account expires, select End of. 4. In the Date field, enter 12/31 of the current year. 5. Click OK.

8.8.6 Create a Group You are the IT administrator for the CorpNet domain. You have decided to use groups to simplify access control list administration. You want to create a group of department managers. In this lab, your task is to use Active Directory Users and Computers to complete the following tasks on the CorpDC server: • In the Users container, create a group named Managers. o Under group scope, select Global. o Under the group type, select Security. • Make the following users members of the Managers group: o Mark Woods in the Accounting OU o Pat Benton in the Research-Dev OU o Juan Suarez in the Marketing\MarketingManagers OU o Arlene Kimbly in the Research-Dev\ResearchManagers OU o Mark Burnes in the Sales\SalesManagers OU o Shelly Emery in the Support\SupportManagers OU

Task Summary Create a security group named Managers in the Users container Make users members of the Managers group Hide Details Add Mark Woods Add Pat Benton Add Juan Suarez Add Arlene Kimbly Add Mark Burnes Add Shelly Emery Explanation In this lab, you use Active Directory Users and Computers to complete the following tasks on the CorpDC server: • In the Users container, create a group named Managers. o Under group scope, select Global. o Under the group type, select Security. • Make the following users members of the Managers group: o Mark Woods in the Accounting OU o Pat Benton in the Research-Dev OU o Juan Suarez in the Marketing\MarketingManagers OU o Arlene Kimbly in the Research-Dev\ResearchManagers OU o Mark Burnes in the Sales\SalesManagers OU o Shelly Emery in the Support\SupportManagers OU Use Active Directory Users and Computers on CorpDC to create groups and add members to the groups as follows: 1. From Server Manager, select Tools > Active Directory Users and Computers. 2. Expand CorpNet.com. 3. Select Users. 4. From the menu, select the Create a new group in the current container icon. 5. In the Groups name field, enter Managers. 6. Under Group scope, make sure Global is selected. 7. Under Group type, make sure Security is selected and then click OK. 8. Add user accounts to the Managers group as follows: a. Navigate to each user. b. Right-click user and select Add to a group. c. In the Enter the object names to select field, enter Managers. You can also browse to the Managers group as follows: 1. Select Advanced. 2. Select Find Now. 3. Select the group. 4. Click OK twice. d. Click OK twice. e. Repeat steps 8a-8d to add additional users to the group.

8.9.8 Change a User's Password You are the IT security administrator for a small corporate network. Samuel Garcia (sgarcia) has been away on vacation and has forgotten his password. He needs your help to access resources on the computer. In this lab, your task is to perform the following: • Change the password for the sgarcia user account to G20oly04. • Make sure the password is encrypted in the shadow file. You are logged on as wadams. The password for the root account is 1worm4b8.

Task Summary Set the password for user sgarcia to G20oly04 Explanation In this lab, you perform the following: • Change the password for the sgarcia user account to G20oly04. • Make sure the password is encrypted in the shadow file. Complete this lab as follows: 1. At the command prompt, type su -c "passwd sgarcia" and press Enter to complete this task using a single command. 2. Type 1worm4b8 and press Enter for the root user password. 3. Type G20oly04 and press Enter to assign the new password to the sgarcia user account. 4. Re-type G20oly04 and press Enter to confirm the new password to the sgarcia user account. Do not use the usermod -p command to change the password, as this stores the unencrypted version of the password in the/etc/shadow file.

8.13.9 Enforce User Account Control You are the IT security administrator for a small corporate network. The company has a single Active Directory domain named CorpNet.com. You are working on increasing the authentication security of the domain. You want to make sure that User Account Control (UAC) settings are consistent throughout the domain and in accordance with industry recommendations. In this lab, your task is to set the following UAC settings in the Default Domain policy: User Account Control Setting Admin Approval Mode for the Built-in Administrator account Enabled Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled Behavior of the elevation prompt for administrators in Admin Approval mode Prompt for credentials Behavior of the elevation prompt for standard users Automatically deny elevation requests Detect application installations and prompt for elevation Enabled Only elevate UIAccess applications that are installed in secure locations Enabled Only elevate executables that are signed and validated Disabled Run all administrators in Admin Approval Mode Enabled Switch to the secure desktop when prompting for elevation Enabled Virtualize file and registry write failures to per-user locations Enabled

Task Summary Admin Approval Mode for the Built-in Administrator account: Enabled Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled Behavior of the elevation prompt for administrators in Admin Approval mode: Prompt for credentials Behavior of the elevation prompt for standard users: Automatically deny elevation requests Detect application installations and prompt for elevation: Enabled Only elevate executables that are signed and validated: Disabled Only elevate UIAccess applications that are installed in secure locations: Enabled Run all administrators in Admin Approval Mode: Enabled Switch to the secure desktop when prompting for elevation: Enabled Virtualize file and registry write failures to per-user locations: Enabled Explanation In this lab, your task is to set the following UAC settings in the Default Domain policy: User Account Control Category Setting Admin Approval Mode for the Built-in Administrator account Enabled Allow UIAccess applications to prompt for elevation without using the secure desktop Disabled Behavior of the elevation prompt for administrators in Admin Approval mode Prompt for credentials Behavior of the elevation prompt for standard users Automatically deny elevation requests Detect application installations and prompt for elevation Enabled Only elevate UIAccess applications that are installed in secure locations Enabled Only elevate executables that are signed and validated Disabled Run all administrators in Admin Approval Mode Enabled Switch to the secure desktop when prompting for elevation Enabled Virtualize file and registry write failures to per-user locations Enabled Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com. 3. Right-click Default Domain Policy and select Edit. 4. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies. 5. Select Security Options. 6. In the right pane, double-click the policy you want to edit. 7. If the policy is undefined, select Define this policy setting. 8. Select the policy setting; then click OK. 9. Repeat steps 6-8 for each policy setting.

8.5.5 Configure IE Pop-up Blocker You have a Windows 7 computer at home. You are concerned about privacy and security when surfing the web. You want your computer to block pop-ups from banner ad companies, but you also want your computer to accept pop-ups from legitimate sites, such as your bank's website. In this lab, configure Internet Explorer settings as follows: • Add mybank.com to the list of allowed sites for pop-ups. • Set the pop-up blocking level to High. • Set the security level for the Internet zone to High.

Task Summary Allow pop-ups from mybank.com Set the Pop-up Blocking level to High Set the Internet zone security level to High Explanation In this lab, you configure Internet Explorer settings as follows: • Add mybank.com to the list of allowed sites for pop-ups. • Set the pop-up blocking level to High. • Set the security level for the Internet zone to High. Complete this lab as follows: 1. From the taskbar, open Internet Explorer. 2. Configure the Pop-up Blocker settings as follows: a. Select the Tools icon; then select Internet options. b. Select the Privacy tab. c. Under Pop-up Blocker, select Settings. d. In the Address of website to allow field, enter mybank.com; then select Add. e. From the Blocking Level drop-down list, select High: Block all pop-ups (Ctrl+Alt to override). f. Click Close. g. Click Apply. 3. Configure security zones as follows: a. In Internet Options, select the Security tab. b. In the Select a zone to view or change security settings field, make sure Internet is selected. c. Adjust the security level slider to High. d. Click OK.

8.5.8 Enforce IE Settings Through GPO You work as the IT security administrator for a small corporate network. You need to increase Internet Explorer 10 browser security on your computers by enforcing critical security features. In this lab, your task is to configure the following Internet Explorer policy settings in the WorkstationGPO: Policy Setting Security Zones: Do not allow users to add/delete sites Enabled Security Zones: Do not allow users to change policies Enabled Turn on ActiveX Filtering Enabled Internet Control Panel > Prevent Ignoring Certificate Errors Enabled Internet Control Panel > Security Page > Internet Zone > Java permissions Enabled: Disable Java Internet Control Panel > Security Page > Internet Zone > Turn on Protected Mode Enabled: Enable Internet Control Panel > Security Page > Restricted Sites Zone > Allow File Downloads Enabled: Disable Internet Control Panel > Security Page > Restricted Sites Zone > Java permissions Enabled: Disable Java Internet Control Panel > Security Page > Restricted Sites Zone > Turn on Protected Mode Enabled: Enable Security Features > Object Caching Protection > Internet Explorer Processes Enabled Security Features > Protection From Zone Elevation > Internet Explorer Processes Enabled Security Features > Restrict ActiveX Install > Internet Explorer Processes Enabled Security Features > Restrict File Download > Internet Explorer Processes Enabled The Security Zone and ActiveX Filtering policies can be found at the root of the Internet Explorer folder. There are many other security features that can be enforced for Internet Explorer. Always test any proposed security restrictions before implementing them in your environment.

Task Summary Configure Internet Explorer GPO Settings Hide Details Security Zones: Do not allow users to add/delete sites - Enabled Security Zones: Do not allow users to change policies - Enabled Turn on ActiveX Filtering - Enabled Configure Internet Explorer>Internet Control Panel GPO Settings Hide Details Prevent Ignoring Certificate Errors - Enabled Configure Internet Explorer>Internet Control Panel>Security Page>Internet Zone GPO Settings Hide Details Java permissions - Enabled Java permissions - Set to Java Disabled Turn on Protected Mode - Enabled Turn on Protected Mode - Set to Enable Configure Internet Explorer>Internet Control Panel>Security Page>Restricted Sites Zone GPO Settings Hide Details Allow File Downloads - Enabled Allow File Downloads - Set to Disable Java permissions - Enabled Java permissions - Set to Java Disabled Turn on Protected Mode - Enabled Turn on Protected Mode - Set to Enable Configure Internet Explorer>Security Features GPO Settings Hide Details Object Caching Protection > Internet Explorer Processes - Enabled Protection From Zone Elevation > Internet Explorer Processes - Enabled Restrict ActiveX Install > Internet Explorer Processes - Enabled Restrict File Download > Internet Explorer Processes - Enabled Explanation In this lab, your task is to configure the following Internet Explorer policy settings in the WorkstationGPO: Policy Setting Security Zones: Do not allow users to add/delete sites Enabled Security Zones: Do not allow users to change policies Enabled Turn on ActiveX Filtering Enabled Internet Control Panel > Prevent Ignoring Certificate Errors Enabled Internet Control Panel > Security Page > Internet Zone > Java permissions Enabled: Disable Java Internet Control Panel > Security Page > Internet Zone > Turn on Protected Mode Enabled: Enable Internet Control Panel > Security Page > Restricted Sites Zone > Allow File Downloads Enabled: Disable Internet Control Panel > Security Page > Restricted Sites Zone > Java permissions Enabled: Disable Java Internet Control Panel > Security Page > Restricted Sites Zone > Turn on Protected Mode Enabled: Enable Security Features > Object Caching Protection > Internet Explorer Processes Enabled Security Features > Protection From Zone Elevation > Internet Explorer Processes Enabled Security Features > Restrict ActiveX Install > Internet Explorer Processes Enabled Security Features > Restrict File Download > Internet Explorer Processes Enabled Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com > Group Policy Objects. 3. Right-click WorkstationGPO and select Edit. 4. Under Computer Configuration, expand Policies > Administrative Templates > Windows Components. 5. Select Internet Explorer. 6. Browse to the policy you want to change. 7. In the right pane, double-click the policy. 8. Configure the policy settings. 9. Click OK. 10. Repeat steps 6-9 for each policy setting

8.8.7 Create Global Groups You are the IT Administrator for the CorpNet domain. You are in the process of implementing a group strategy for your network. You have decided to create a global group as a shadow group for specific departments in your organization. Each global group will contain all users in the corresponding department. In this lab, your task is to complete the following actions on the CorpDC server: • Create a global security group named Accounting in the Accounting OU. • Create a global security group named Research-Dev in the Research-Dev OU. • Create a global security group named Sales in the Sales OU.

Task Summary Create a global security group named Accounting in the Accounting OU Add the correct employees as members of the Accounting group Hide Details Add Mark Woods as a member of the Accounting group Add Mary Barnes as a member of the Accounting group Create a global security group named Research-Dev in the Research-Dev OU Add the correct employees as members of the Research-Dev group Hide Details Add Andrea Socko as a member of the Research-Dev group Add Arlene Kimbly as a member of the Research-Dev group Add Pat Benton as a member of the Research-Dev group Add Scott Trans as a member of the Research-Dev group Add Stella Hanson as a member of the Research-Dev group Add Tre Julian as a member of the Research-Dev group Add Wendy Pots as a member of the Research-Dev group Create a global security group named Sales in the Sales OU Add the correct employees as members of the Sales group Hide Details Add Susan Smith as a member of the Sales group Add Mark Burnes as a member of the Sales group Add Borey Chan as a member of the Sales group Explanation In this lab, you complete the following tasks: • Create a global security group named Accounting in the Accounting OU. • Create a global security group named Research-Dev in the Research-Dev OU. • Create a global security group named Sales in the Sales OU. • Add all user accounts in the corresponding OUs and sub-OUs as members of the newly-created groups. Following are steps an expert might take to complete this lab: 1. From Server Manager, select Tools > Active Directory Users and Computers. 2. Browse the Active Directory structure to the appropriate OU. 3. Right-click the OU you want to create the group in and select New > Group. 4. In the Group name field, enter the name of the group. 5. Select the group scope. 6. Select the group type; then click OK. 7. Add a user account to a group as follows: a. Right-click the user account and select Add to a group. (Use the Ctrl or Shift keys to select and add multiple user accounts to a group at the same time.) b. In the Enter the object names to select, enter the name of the group. c. Select a group scope and a group type, and then click OK. d. Select Check Names. e. Click OK. f. Click OK. g. Repeat step 7 to add users to the group. 8. Repeat steps 6-8 to add additional users to the group.

8.5.9 Configure IE Preferences in a GPO You work as the IT administrator for a small corporate network. The Sales department would like to make sure that all Internet Explorer users set the corporate intranet website as their home page, regardless of which computer they use. You need to enforce these preferences and a few changes to Internet Explorer security settings. All computers are running Internet Explorer 10. In this lab, your task is to configure the following Internet Explorer policies in the Sales GPO: Tab Setting Value General Home page www.corpnet.local Startup Start with home page Security Zone: Local intranet Low Privacy Location Never allow websites to request your physical location

Task Summary Create an Internet Settings policy Hide Details Create an Internet Explorer 10 policy Set Internet Explorer to start with the corporate intranet homepage Hide Details Set Home page to www.corpnet.local Set to start with the specified homepage Set the security level for the Local intranet zone to Low Prevent websites from requesting your physical location Explanation In this lab, you configure an Internet Explorer 10 policy with the following settings: Tab Setting Value General Home page www.corpnet.local Startup Start with home page Security Zone: Local intranet Low Privacy Location Never allow websites to request your physical location Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com > Group Policy Objects. 3. Right-click SalesGPO and select Edit. 4. Under User Configuration, expand Preferences > Control Panel Settings. 5. Right-click Internet Settings and select New > Internet Explorer 10. 6. Under Home page, type the home page address. 7. Under Startup, select Start with home page. 8. Select the Security tab. 9. Select Local intranet. 10. Move the slider down to Low. 11. Select the Privacy tab. 12. Select Never allow websites to request your physical location. 13. Click OK.

8.14.6 Create a Fine-Grained Password Policy You have recently implemented account policies for the domain to configure password and account lockout settings. However, the manager of the accounting department has requested that her department be assigned a more restrictive policy set. You decide to implement a fine-grained password policy. In this lab, your task is to create a new password settings object using Active Directory Administrative Center using the following settings: • Name the object AccountingPasswords. • Set a precedence of 1. • Enforce a minimum password length of 12 characters. • Enforce password history with the last 15 passwords remembered. • Password must meet complexity requirements. • Do not store passwords using reversible encryption. • Protect the object from accidental deletion. • Enforce a minimum password age of 2 days. • Enforce a maximum password age of 30 days. • Enforce an account lockout policy: o Failed attempts allowed: 3 o Reset failed attempt count after 30 minutes o Enable account locked until an administrator unlocks it • Assign the AccountingPasswords object to members of the Accounting department. All users in the Accounting OU are members of the Accounting security group.

Task Summary Create the AccountingPasswords PSO Hide Details Name: AccountingPasswords Precedence: 1 Enforce a minimum password length (12 characters) Enforce password history (15 remembered passwords) Password must meet complexity requirements Do not store passwords using reversible encryption Protect from accidental deletion Set Password age options Hide Details Enforce minimum password age User cannot change the password within (days): 2 Enforce maximum password age User must change the password within (days): 30 Enforce account lockout policy Hide Details Failed attempts allowed: 3 Reset the failed attempt counter after 30 minutes Keep the account locked until an administrator unlocks it Apply the PSO to the Accounting group Explanation In this lab, you should have created a new password settings object using Active Directory Administrative Center with the following settings: Create the PSO in the System > Password Settings Container with the following settings: Setting Value Name AccountingPasswords Precedence 1 Enforce minimum password length 12 characters Enforce password history 15 remembered Password should meet complexity requirements Checked Store passwords using reversible encryption Unchecked Protect the object from accidental deletion Checked Enforce minimum password age 2 days Enforce a maximum password age 30 days Enforce account lockout policy: • Number of failed attempts allowed • Reset failed logon attempts count after (mins) • Account will be locked out 3 30 Until an administrator manually unlocks the account Directly Applies To Accounting Do the following: 1. From Server Manager, select Tools > Active Directory Administrative Center. 2. In the left pane, select CorpNet.com (local). 3. In the center pane, double-click System. 4. Select, then Right-click Password Settings Container and select New > Password Settings. 5. Under Password Settings, enter the password settings. 6. Under Directly Applies To, select Add. 7. Enter the name of the user or group; then click OK. 8. Click OK

8.13.7 Restrict Local Accounts You are the IT security administrator for a small corporate network. You are working to increase the authentication security of the domain. You need to make sure that only authorized users have administrative rights to all local machines. Local users and groups can be controlled through a GPO linked to the domain. In this lab, your task is to edit the Default Domain Policy and configure the Local Users and Groups policy settings as follows: • Create a policy to update the built-in Administrator local group. • Delete all member users. • Delete all member groups. • Add BUILTIN\Administrator to the group. • Add %DOMAINNAME%\Domain Admins to the group. The policy you create should remove all members of the built-in Administrators group and then add only the members specified. Use BUILTIN\Administrator and %DOMAINNAME%\Domain Admins in the policy to indicate which accounts to add.

Task Summary Create the Administrators (built-in) local group Select Delete all member users Select Delete all member groups Add BUILTIN\Administrator to the group Add %DOMAINNAME%\Domain Admins to the group Explanation In this lab, you edit the Default Domain policy and configure the Local Users and Groups policy settings as follows: • Create a policy to update the built-in Administrator local group. • Delete all member users. • Delete all member groups. • Add BUILTIN\Administrator to the group. • Add %DOMAINNAME%\Domain Admins to the group. Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com. 3. Right-click Default Domain Policy and select Edit. 4. Under Computer Configuration, expand Preferences > Control Panel Settings. 5. Right-click Local Users and Groups and select New > Local Group. 6. In the Group name field, select Administrators (built-in) from the drop-down list. 7. Select Delete all member users to remove all member users. 8. Select Delete all member groups to remove all member groups. 9. Click Add. 10. In the Name field, enter BUILTIN\Administrator; then click OK. 11. Click Add. 12. In the Name field, enter %DOMAINNAME%\Domain Admins; then click OK. 13. Click OK to save the policy.

8.12.5 Create and Link a GPO You are the IT security administrator for a small corporate network. You would like to use Group Policy to enforce settings for certain workstations on your network. You have prepared and tested a security template file that contains policies that meet your company's requirements. In this lab, your task is to perform the following on CorpDC: • Create a GPO named Workstation Settings. • Link the GPO to the following organizational units (OUs): o TempMarketing OU in the Marketing OU o TempSales OU in the Sales OU o Support OU • Import the ws_sec.inf template file, which is located in C:\Templates.

Task Summary Create the Workstation Settings GPO Link the GPO to the TempMarketing OU Link the GPO to the TempSales OU Link the GPO to the Support OU Import the policy from C:\Templates\ws_sec.inf Explanation In this lab, you perform the following on CorpDC: • Create a GPO named Workstation Settings. • Link the GPO to the following organizational units (OUs): o TempMarketing OU in the Marketing OU o TempSales OU in the Sales OU o Support OU • Import the ws_sec.inf template file located in C:\Templates. Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com. 3. Right-click the OU where the policy will be linked and select Create a GPO in this domain, and link it here. 4. In the Name field, enter the GPO name; then click OK. 5. Link the GPO to additional OUs as follows: a. Right-click the next OU and select Link an Existing GPO to link the GPO to another OU. b. Under Group Policy objects, select Workstation Settings from the list; then click OK. c. Repeat step 5 to link additional OUs. 6. Import a security policy template as follows: a. Expand Group Policy Objects. b. Right-click Workstation Settings and select Edit. c. Under Computer Configuration, expand Policies > Windows Settings. d. Right-click Security Settings and select Import Policy. e. Browse to the C:\Templates. f. Select ws_sec.inf; then click Open.

8.6.6 Implement Application Whitelisting with AppLocker You are the IT security administrator for a small corporate network. You are increasing network security by implementing application whitelisting. Your first step is to prevent applications not located in the operating system directory or the program files directory from running on your computers. In addition, the call center application used by the support team runs from C:\CallCenter\CallStart.exe and must be allowed to run. You also want any future versions of the call center application to run without changing any settings. In this lab, your task is to configure AppLocker in the default domain policy as follows: • Create the default rules. o Allow all files located in the Program Files folder. o Allow all files located in the Windows folder. • Allow the Support group to run the call center software found in C:\CallCenter\CallStart.exe. • Configure a publisher rule to allow for future updates from the same vendor

Task Summary Create the default rules Hide Details Allow all files located in the Program Files folder Allow all files located in the Windows folder Allow the Support group to run the call center software Configure a publisher rule to allow for future updates from the same vendor Explanation In this lab, you configure AppLocker in the default domain policy as follows: • Create the default rules. o Allow all files located in the Program Files folder. o Allow all files located in the Windows folder. • Allow the Support group to run the call center software found in C:\CallCenter\CallStart.exe. • Configure a publisher rule to allow for future updates from the same vendor. Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com. 3. Right-click Default Domain Policy and select Edit. 4. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Application Control Policies. 5. Select AppLocker. 6. In the right pane, select Configure rule enforcement. 7. Under Executable rules, select Configured. 8. Make sure Enforce rules is selected in the drop-down list. 9. Click OK. 10. Configure a Publisher rule and allow the Support group to run the call center software as follows: a. In the left pane, expand AppLocker. b. Right-click Executable Rules and select Create New Rule. c. Click Next. d. Make sure Allow is selected; then click Select. e. Enter the name of the required group; then click OK. f. Click Next. g. Make sure Publisher is selected; then click Next. h. Select Browse. i. Browse to and select the executable file. j. Select Open. k. Slide the pointer from File version to Publisher; then click Next. l. Click Next. m. Accept the default name and select Create. n. Click Yes to create the default rules now. o. Notice that the Publisher rule was created.

8.9.4 Create a User Account You are the IT security administrator for a small corporate network. You need to create a Linux user account for a new analyst, Paul Wilson. In this lab, your task is to perform the following: • Create the pwilson user account. • Include the full name, Paul Wilson, as a comment for the user account. • Use the password i8cer3al. • View the /etc/passwd file to verify the account's creation.

Task Summary Create the pwilson user account Add Paul Wilson as a comment for the user account Set i8cer3al as the password Explanation In this lab, you perform the following: • Create the pwilson user account. • Include the full name, Paul Wilson, as a comment for the user account. • Set the password to i8cer3al. • View the /etc/passwd file to verify the creation of the account. Complete this lab as follows: 1. At the command prompt, type useradd -c "Paul Wilson" pwilson and press Enter to create the user and set the comment in a single command. 2. Type passwd pwilson and press Enter. 3. Type i8cer3al and press Enter to set the password for the user account. 4. Type i8cer3al and press Enter to confirm the password. 5. Type cat /etc

8.9.6 Delete a User You are the IT security administrator for a small corporate network. An employee, Terry Brown (tbrown), recently left the organization. His colleagues have harvested the files they need from his home and other directories. Company security policy requires that user accounts are entirely removed when employees leave the company. In this lab, your task is to perform the following: • Remove the tbrown user account. • Remove the tbrown home directory. • View the /etc/passwd file and /home directory to verify that the account has been removed.

Task Summary Delete the tbrown user Delete the tbrown home directory Explanation In this lab, you perform the following: • Remove the tbrown user account. • Remove the tbrown home directory. • View the /etc/passwd file and /home directory to verify that the account has been removed. Complete this lab as follows: 1. At the command prompt, type userdel -r tbrown and press Enter to remove the user account and the home directory. (The -r switch removes the home directory when the user account is removed.) 2. Type cat /etc/passwd and ls /home to verify that the account was removed.

8.8.4 Manage User Accounts You are the IT administrator for a small corporate network. You recently added an Active Directory domain on the CorpDC server to manage network resources centrally. Organizational units (OUs) in the domain represent departments. User and computer accounts have been moved into their respective departmental OUs. Over the past few days, several personnel changes have occurred that require changes to the user accounts. In this lab, your task is to use the following information to make the necessary user account changes on CorpDC: • In the Accounting department, Mark Woods has been fired. Disable his account. • In the Research-Dev department, Pat Benton is returning from maternity leave. Her account is disabled to prevent logon. Enable her account. • Andrea Simmons in the Research-Dev department has recently married: o Rename the account Andrea Socko. o Change the last name to Socko. o Change the display name to Andrea Socko. o Change the user logon and the pre-Windows 2000 user logon name to asocko. • In the Accounting department, Mary Barnes has forgotten her password, and now her account is locked: o Reset the password to 1234abcd$. o Require a password change at the next logon. o Unlock the account. • Allow all users in the Support OU to log on only to the Support computer. Do not restrict the users in the SupportManagers OU. To efficiently complete these tasks, right-click the user account and select: • Enable Account to allow logon to the account. • Disable Account to prevent logon to the account. • Rename to rename the account (change the full name) and modify other name-dependent properties for the user account. • Reset Password to unlock a locked account, change the password, and force the user to change the password at the next logon. You can also accomplish most of these tasks by editing the properties for the user account and modifying the settings on the General or Account tabs. However, the only way you can rename the account (and change the full name property) is through the right-click menu.

Task Summary Disable the Mark Woods user account Enable the Pat Benton user account Modify the Andrea Simmons user account Hide Details Rename the account to Andrea Socko Change the last name to Socko Change the display name properties to Andrea Socko Change the user logon name to asocko Change the pre-Windows 2000 user logon name to asocko Unlock the Mary Barnes user account Hide Details Reset the password to 1234abcd$ Require a password change at the next logon Unlock the account Restrict Janice Rons and Tom Plask to use only the Support computer Explanation In this lab, you perform the following tasks: • In the Accounting department, Mark Woods has been fired. Disable his account. • In the Research-Dev department, Pat Benton is returning from maternity leave. Her account is disabled to prevent logon. Enable her account. • Andrea Simmons in the Research-Dev department has recently married: o Rename the account Andrea Socko. o Change the last name to Socko. o Change the display name to Andrea Socko. o Change the user logon and the pre-Windows 2000 user logon name to asocko. • In the Accounting department, Mary Barnes has forgotten her password, and now her account is locked: o Reset the password to 1234abcd$. o Require a password change at the next logon. o Unlock the account. • Allow all users in the Support OU to log on only to the Support computer. Do not restrict the users in the SupportManagers OU. Complete this lab as follows: 1. Disable a user account as follows: a. From Server Manager on CorpDC, select Tools > Active Directory Users and Computers. b. Browse the Active Directory structure and select the Accounting OU. c. Right-click Mark Woods and select Disable Account. d. Click OK to apply the changes. 2. Enable a user account as follows: a. Select the Research-Dev OU. b. Right-click Pat Benton and select Enable Account. c. Click OK. 3. Rename the user account as follows: a. In the Research-Dev OU, right-click Andrea Simmons and select Rename. b. Enter Andrea Socko. c. Click outside the Name field to open the Rename User dialog. d. In the Last name field, enter Socko. e. In the Display name field, enter Andrea Socko. f. In the User logon name field, enter asocko. g. Verify that the pre-Windows 2000 user logon name is asocko. h. Click OK. 4. Unlock a user account as follows: a. In the Accounting OU, right-click Mary Barnes and select Reset Password. b. In the New password field, enter the 1234abcd$. c. In the Confirm password field, enter 1234abcd$. d. Make sure that User must change password at next logon is selected. e. Make sure that Unlock the user's account is selected. f. Click OK. 5. Configure user account restrictions as follows: a. Navigate to and select the Support OU. b. Press Ctrl and select both the Tom Plack and Janice Rons users to edit multiple users at the same time. In Safari, press Command and select each user. c. Right-click the user accounts and select Properties. d. Select the Account tab. e. Mark Computer restrictions. f. Select Log on to. g. Select The following computers. h. In the Computer name field, enter Support; then select Add. i. Click OK. 6. Click OK

8.5.4 Clear the Browser Cache You are working on your home computer. You have just purchased several presents for your family online. You are concerned that Internet Explorer may track your browsing history and let your family discover your purchases. In this lab, your task is to delete all items from your Internet Explorer browser history, including: • Temporary files • Passwords • Form data • Cookies from your favorite websites • ActiveX filtering data

Task Summary Don't preserve cookies and temporary files from your favorite websites Delete Temporary Internet Files Delete Cookies Delete History Delete Form data Delete Passwords Delete Tracking Protection, ActiveX Filtering and Do Not Track Explanation In this lab, your task is to delete all items from your Internet Explorer browser history, including: • Temporary files • Passwords • Form data • Cookies from your favorite websites • ActiveX filtering data Complete this lab as follows: 1. From the taskbar, select Internet Explorer. 2. Select the Tools icon: then select Internet options. 3. On the General tab, select Delete. 4. In Delete Browsing History, deselect Preserve Favorites website data to ensure that all cookies and temporary files are also deleted. 5. Select each type of browsing history you want to delete. 6. Click Delete. 7. Click OK.

8.6.8 Implement Data Execution Preventions (DEP) You work as the IT security administrator for a small corporate network. You are configuring the computer in Office 1 to use Data Execution Prevention (DEP) for all programs and services. You have noticed that the accounting program used on some computers does not function well when DEP is enabled. In this lab, your task is to configure DEP as follows: • Enable DEP for all files. • Disable DEP for C:\Program Files\AccountWizard\AccountWizard.exe. • Restart the computer to activate DEP.

Task Summary Enable DEP for all programs and services Add AccountWizard as an execption for DEP Restart the computer to activate DEP Explanation In this lab, you perform the following tasks: • Enable DEP for all files. • Disable DEP for C:\Program Files\AccountWizard\AccountWizard.exe. • Restart the computer to activate DEP. Enable DEP in Advanced System Properties as follows: 1. Right-click Start and select System. 2. On the left, select Advanced System Settings. 3. Under Performance, select Settings. 4. Select the Data Execution Prevention tab. 5. Select Turn on DEP for all programs and services except those I select. 6. Select Add. 7. Browse to C:\Program Files\AccountWizard. 8. Select AccountWizard.exe. 9. Select Open. 10. Make sure the program that you added is selected; then click OK. 11. Click OK to confirm that a system restart is needed. 12. Click OK to close System Properties. 13. Click Restart Now to restart the computer and activate DEP.

8.9.9 Lock and Unlock User Accounts You are the IT security administrator for a small corporate network. Several employees are going on 6-week research expeditions this year. Vera Edwards (vedwards), Corey Flynn (cflynn), and Bhumika Kahn (bkahn) leave today, and Maggie Brown (mbrown), Brenda Palmer (bpalmer), and Arturo Espinoza (aespinoza) returned today. The company security policy mandates that user accounts for employees gone for longer than two weeks are disabled. In this lab, your task is to perform the following: • Lock the following user accounts: o vedwards o cflynn o bkahn • Unlock the following user accounts: o mbrown o bpalmer o aespinoza • View the /etc/shadow file to verify changes.

Task Summary Lock the user accounts Hide Details Lock the vedwards user account Lock the cflynn user account Lock the bkahn user account Unlock the user accounts Hide Details Unlock the mbrown user account Unlock the bpalmer user account Unlock the aespinoza user account Explanation In this lab, you perform the following: • Lock the following user accounts: o vedwards o cflynn o bkahn • Unlock the following user accounts: o mbrown o bpalmer o aespinoza • View the /etc/shadow file to verify changes. Complete this lab as follows: 1. At the command prompt, type usermod -L or passwd -l followed by the user account name and press Enter to lock the user accounts. 2. Repeat step 1 for each user account. 3. Type usermod -U or passwd -u followed by the user account name and press Enter to unlock the user accounts. 4. Repeat step 2 for each user account. 5. Type cat /etc/shadow to verify the changes. The inclusion of the exclamation point (!) in the password field indicates that the account is disabled.

8.10.4 Add Users to a Group You are the IT security administrator for a small corporate network. Mary Jones (mjones) and Craig Johnson (cjohnson) were recently hired in the human resources department. You have already created a user account for each of them. In this lab, your task is to perform the following: • Append the hr group as a secondary group for the mjones and cjohnson user accounts. • View the /etc/group file or use the groups command to verify the changes. The -g switch with the usermod command sets the primary group membership, not the secondary group membership.

Task Summary Make mjones a secondary member of the hrgroup Hide Details Keep Sales group membership Make cjohnson a secondary member of the hr group Hide Details Keep mgmt2 group membership Explanation In this lab, your task is to perform the following: • Append the hr group as a secondary group for the mjones and cjohnson user accounts. • View the /etc/group file or use the groups command to verify the changes. Complete this lab as follows: 1. At the command prompt, type usermod -aG hr mjones and press Enter to add mjones as member of the hr group. 2. Type usermod -aG hr cjohnson and press Enter to add cjohnson as member of the hr group. 3. Type groups username and press Enter to verify the user account's group membership. 4. Repeat step 3 for the other user.

8.10.5 Remove a User from a Group You are the IT security administrator for a small corporate network. Due to some recent restructuring, Corey Flynn (cflynn) no longer needs to be a member of the hr group but needs to maintain his other group memberships. In this lab, your task is as follows: • Remove cflynn from the hr group. • Preserve cflynn's other group memberships. • Verify the changes using the groups command or by viewing the /etc/group file. You are logged in as root (password: 1worm4b8).

Task Summary Remove cflynn from the hr group Keep cflynn as a member of the it group Keep cflynn as a member of the mgmt1 group Explanation In this lab, you perform the following tasks: • Remove cflynn from the hr group. • Preserve cflynn's other group memberships. • Verify the changes using the groups command or by viewing the /etc/group file. Complete this lab as follows: 1. At the command prompt, type groups cflynn and press Enter to view a list of all groups to which the user belongs. You will see that cflynn currently belongs to the mgmt1, it, and hr secondary groups. The cflynn group is the user's primary group. 2. Type usermod -G mgmt1,it cflynn and press Enter to change group membership. To preserve existing group membership, use the usermod -G command listing all groups to which the user must belong. Do not include the primary group name in the list of groups. 3. Type groups cflynn and press Enter to verify the user account's group membership.

8.13.8 Secure Default Accounts You work as the IT security administrator for a small corporate network. You are improving office computers' security by renaming and disabling default computer accounts. In this lab, your task is to perform the following on the Office 1 computer: • Rename the Administrator account xAdmin. • Disable the Guest account. • Verify that Password never expires is not selected for local users so they must change their passwords regularly. • Delete user accounts with User must change password at next logon selected, which indicates that a user has never logged in.

Task Summary Rename Administrator to xAdmin Disable the Guest account Deselect Password never expires for the Susan account Delete the Sam account, which has not been used Explanation In this lab, your task is to perform the following on the Office 1 computer: • Rename the Administrator account xAdmin. • Disable the Guest account. • Verify that Password never expires is not selected for local users so they must change their passwords regularly. • Delete user accounts with User must change password at next logon selected, which indicates that a user has never logged in. Complete this lab as follows: 1. Right-click Start and select Computer Management. 2. Under System Tools, expand Local Users and Groups. 3. Select Users. 4. Right-click Administrator and select Rename. 5. Enter the new name. 6. Right-click Guest and select Properties. 7. Select Account is disabled and click OK. 8. Right-click a user and select Properties. 9. Deselect Password never expires (if selected). 10. Click OK. 11. Repeat step 8-10 for each user. 12. Right-click the user that has User must change password at next logon selected and select Delete. 13. Click Yes to confirm deletion of the account.

8.9.5 Rename a User Account You are the IT security administrator for a small corporate network. An employee, Brenda Miller (bmiller), recently married. You need to update her Linux user account to reflect her new last name. In this lab, your task is to perform the following: • Rename the user account bpalmer. • Change the comment field to read Brenda Palmer. • Change the home directory to /home/bpalmer, moving the contents of the old home directory to the new location. • View the /etc/passwd file and /home directory to verify the account modifications.

Task Summary Rename the bmiller user account bpalmer Change the comment field to Brenda Palmer Change the home directory to /home/bpalmer Move the home directory contents Explanation In this lab, your task is to do the following: • Rename the user account bpalmer. • Change the comment field to read Brenda Palmer. • Change the home directory to /home/bpalmer, moving the contents of the old home directory to the new location. • View the /etc/passwd file and /home directory to verify the modification of the account. Do the following: • At the command prompt, type usermod -l bpalmer bmiller and press Enter to rename the user account. • Type usermod -c "Brenda Palmer" bpalmer and press Enter to change the comment field to read Brenda Palmer. • Type usermod -d /home/bpalmer -m bpalmer and press Enter to change the home directory to /home/bpalmer and to move the contents of the old home directory to the new location. • Type cat /etc/passwd and ls /home and press Enter to verify that the account was modified. To complete the tasks in the lab using a single command, use usermod -c "Brenda Palmer" -d /home/bpalmer -m -l bpalmer bmiller.

8.10.3 Rename and Create Groups You are the IT security administrator for a small corporate network. Currently, all of the Sales people in your company belong to a Linux group called sales. The manager of the sales team has asked you to create two sales groups, western sales and eastern sales. In this lab, your task is to perform the following: • Rename the sales group western_sales. • Create the eastern_sales group. • Assign aespinoza as the only member of the eastern_sales group and remove aespinoza from all other groups. • Verify the changes by viewing the /etc/group file or using the groups command.

Task Summary Rename the sales group to western_sales Create the eastern_sales group Remove aespinoza from the western_sales group Add aespinoza to the eastern_sales group Explanation In this lab, you perform the following: • Rename the sales group western_sales. • Create the eastern_sales group. • Assign aespinoza as the only member of the eastern_sales group and remove aespinoza from all other groups. • Verify the changes by viewing the /etc/group file or using the groups command. Complete this lab as follows: 1. At the command prompt, type groupmod -n western_sales sales and press Enter to rename the sales group western_sales. 2. Type groupadd eastern_sales and press Enter to create the eastern_sales group. 3. Type usermod -G eastern_sales aespinoza and press Enter to modify group membership. When you assign aespinoza to the eastern_sales group with the usermod -G option, the user account is removed from the western_sales group. 4. Type cat /etc/group or groups username and press Enter to verify the user account's group membership.

8.14.2 Configure Smart Card Authentication You work as the IT administrator for a growing corporate network. The research and development department is working on the latest product enhancements. Last year, some secret product plans were compromised. As a result, the company has decided to implement smart cards for login to every computer in the research and development department. No user should be able to log on to the workstation without using a smart card. In this lab, your task is to perform the following in the Research-DevGPO on CorpDC: • Set the GPO to Enforced. • Enable Interactive logon: Require smart card policy. • Set the Interactive logon: Smart card removal behavior policy to Force logoff. Certificate auto-enrollment has already been enabled for the domain.

Task Summary Set the Research-DevGPO to Enforced Configure smart card enforcement in the GPO Hide Details Enable the Interactive logon: Require smart card policy Enable the Interactive logon: Smart card removal behavior policy to Force Logoff Explanation In this lab, you perform the following in the Research-Dev GPO on CorpDC: • Set the GPO to Enforced. • Enable the Interactive logon: Require smart card policy. • Set the Interactive logon: Smart card removal behavior policy to Force logoff. Complete this lab as follows: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand Forest: CorpNet.com > Domains > CorpNet.com > Research-Dev. 3. Right-click Research-DevGPO and select Enforced 4. Right-click Research-DevGPO and select Edit. 5. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies. 6. Select Security Options. 7. In the right pane, double-click the policy you want to edit. 8. Select Define this policy setting. 9. Select the policy setting; then click OK. 10. Repeat steps 7-9 for each policy setting.

8.13.5 Configure Account Policies You work as the IT security administrator for a small corporate network. You are in the process of configuring a password policy for the domain. In this lab, your task is to configure the Account Policy settings in the Default Domain Policy using Group Policy Management to meet the following requirements: • Enforce password history: 10 passwords remembered • Maximum password age: 90 days • Minimum password age: 14 days • Minimum password length: 10 characters • Passwords must meet complexity requirements: Enabled • Account lockout duration: 60 minutes • Account lockout threshold: 5 invalid attempts • Reset account lockout counter after: 10 minutes • Any new password must be different from the previous 10 passwords. • If five incorrect passwords are entered within a ten-minute interval, the account will lock. • Keep accounts locked for one hour, and then unlock the account automatically.

Task Summary Set the minimum password length to 10 Enforce password complexity Set the maximum password age to 90 Set the minimum password age to 14 Enforce password history to remember 10 passwords Set the account lockout threshold to 5 Set the reset account lockout after policy to 10 Set the account lockout duration to 60 Explanation In this lab, you configure the account policy settings in the default domain policy using Group Policy Management to meet the following requirements: Policy Security Setting Value Password Policy Enforce password history 10 passwords remembered Maximum password age 90 days Minimum password age 14 days Minimum password length 10 characters Password must meet complexity requirements Enabled Account Lockout Policy Account lockout duration 60 minutes Account lockout threshold 5 incorrect passwords Reset account lockout counter after 10 minutes Following are steps that an expert might take to complete lab: 1. From Server Manager, select Tools > Group Policy Management. 2. Expand the domain. 3. Right-click Default Domain Policy and select Edit. 4. Under Computer Configuration, expand Policies > Windows Settings >Security Settings > Account Policies. 5. Select Password Policy. 6. On the right, right-click the policy you want to edit and select Properties. 7. Edit the value for the policy. 8. Click OK. 9. Repeat steps 6-9 for each password policy that needs to be configured. 10. Select Account Lockout Policy. 11. Browse to the domain. Right-click Default Domain Policy and select Edit. 12. On the right, right-click the policy you want to edit and select Properties. 13. If the policy is undefined, select Define this policy setting. 14. Edit the value for the policy. 15. Click OK. 16. Repeat steps 12-15 for each password policy that needs to be configured. 17. Edit the value for the policy, and then click OK.