Testout Security Plus Labsim 7


7.9.4 Configure Advanced Audit Policy
You work as the IT security administrator for a small corporate network. As part of an ongoing program to improve security, you want to implement an audit policy for all workstations. You plan to audit user logon, attempts to log on, and other critical events.
In this lab, your task is to configure the following audit policy settings in WorkstationGPO:
Local Policies | Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Audit: Shut down system immediately if unable to log security audits | Enabled
Event Log | Setting
Retention method for security log | Enabled: Do not overwrite events (clear log manually)
Advanced Audit Policy Configuration | Setting
Account Logon: Audit Credential Validation | Success and Failure
Account Management: Audit User Account Management | Success and Failure
Account Management: Audit Security Group Management | Success and Failure
Account Management: Audit Other Account Management Events | Success and Failure
Account Management: Audit Computer Account Management | Success
Detailed Tracking: Audit Process Creation | Success
Logon/Logoff: Audit Logon | Success and Failure
Logon/Logoff: Audit Logoff | Success
Policy Change: Audit Authentication Policy Change | Success
Policy Change: Audit Audit Policy Change | Success and Failure
Privilege Use: Audit Sensitive Privilege Use | Success and Failure
System: Audit System Integrity | Success and Failure
System: Audit Security System Extension | Success and Failure
System: Audit Security State Change | Success and Failure
System: Audit IPsec Driver | Success and Failure
Do not use the old audit policies located in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.

Task Summary
• Enable Audit Policies
  o Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled
  o Audit: Shut down system immediately if unable to log security audits: Enabled
• Enable Event Log Policy
  o Retention method for security log: Enabled, do not overwrite events (clear log manually)
• Enable Account Logon Audit Policy
  o Audit Credential Validation: Success and Failure
• Enable Account Management Audit Policies
  o Audit User Account Management: Success and Failure
  o Audit Security Group Management: Success and Failure
  o Audit Other Account Management Events: Success and Failure
  o Audit Computer Account Management: Success
• Enable Detailed Tracking Audit Policy
  o Audit Process Creation: Success
• Enable Logon-Logoff Audit Policies
  o Audit Logon: Success and Failure
  o Audit Logoff: Success
• Enable Policy Change Audit Policies
  o Audit Authentication Policy Change: Success
  o Audit Audit Policy Change: Success and Failure
• Enable Privilege Use Audit Policy
  o Audit Sensitive Privilege Use: Success and Failure
• Enable System Audit Policies
  o Audit System Integrity: Success and Failure
  o Audit Security System Extension: Success and Failure
  o Audit Security State Change: Success and Failure
  o Audit IPsec Driver: Success and Failure
Explanation
In this lab, you configure the following audit policy settings in WorkstationGPO:
Local Policies | Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Audit: Shut down system immediately if unable to log security audits | Enabled
Event Log | Setting
Retention method for security log | Enabled: Do not overwrite events (clear log manually)
Advanced Audit Policy Configuration | Setting
Account Logon: Audit Credential Validation | Success and Failure
Account Management: Audit User Account Management | Success and Failure
Account Management: Audit Security Group Management | Success and Failure
Account Management: Audit Other Account Management Events | Success and Failure
Account Management: Audit Computer Account Management | Success
Detailed Tracking: Audit Process Creation | Success
Logon/Logoff: Audit Logon | Success and Failure
Logon/Logoff: Audit Logoff | Success
Policy Change: Audit Authentication Policy Change | Success
Policy Change: Audit Audit Policy Change | Success and Failure
Privilege Use: Audit Sensitive Privilege Use | Success and Failure
System: Audit System Integrity | Success and Failure
System: Audit Security System Extension | Success and Failure
System: Audit Security State Change | Success and Failure
System: Audit IPsec Driver | Success and Failure
Edit audit policies as follows:
1. From Server Manager, select Tools > Group Policy Management.
2. Expand Forest: CorpNet.com > Domains > CorpNet.com > Group Policy Objects.
3. Right-click WorkstationGPO and select Edit.
4. Under Computer Configuration, expand Policies > Windows Settings > Security Settings.
5. Modify Local Policies as follows:
   a. Expand Local Policies.
   b. Select Security Options.
   c. In the right pane, double-click the policy you want to edit.
   d. Select Define this policy setting.
   e. Select the policy settings as required.
   f. Click OK.
   g. Click Yes to confirm changes as necessary.
   h. Repeat steps 5c-5g for additional policy settings.
6. Modify the event log as follows:
   a. In the left pane, select Event Log.
   b. In the right pane, double-click the policy you want to edit.
   c. Select Define this policy setting.
   d. Select the policy settings as required.
   e. Click OK.
7. Modify Advanced Audit Policy Configuration as follows:
   a. In the left pane, expand Advanced Audit Policy Configuration > Audit Policies.
   b. Select the audit policy category.
   c. In the right pane, double-click the policy you want to edit.
   d. Select Configure the following audit events.
   e. Select the policy settings as required.
   f. Click OK.
   g. Repeat steps 7b-7f for additional policy settings.

7.11.4 Secure an iPad
You work as the IT security administrator for a small corporate network. The receptionist uses an iPad to manage employee schedules and messages. You need to help her secure the iPad because it contains all employees' personal information.
In this lab, your task is to perform the following:
• Apply the latest software update.
• Configure Auto-Lock with a 5-minute delay.
• Configure Passcode Lock using D0gb3rt (0 = zero) as the passcode.
• Require the passcode after 5 minutes.
• Configure Data Erase to wipe all data after 10 failed passcode attempts.
• Require unknown networks to be added manually.
• Turn off Bluetooth.

Task Summary
• Apply the latest iOS update
• Set Auto-Lock to 5 minutes
• Enable a passcode
  o Turn off Simple passcode
  o Turn Passcode on and set passcode to D0gb3rt
• Turn on Erase Data
• Require the passcode after 5 minutes
• Turn off Ask to Join Networks
• Turn off Bluetooth
Explanation
In this lab, you perform the following:
• Apply the latest software update.
• Configure Auto-Lock with a 5-minute delay.
• Configure the Passcode Lock using D0gb3rt (0 = zero) as the passcode.
• Require the passcode after 5 minutes.
• Configure Data Erase to wipe all data after 10 failed passcode attempts.
• Require unknown networks to be added manually.
• Turn off Bluetooth.
Complete this lab as follows:
1. Apply the latest software update as follows:
   a. Select Settings.
   b. Under General, select Software Update.
   c. Click Download and Install.
   d. Click Agree.
   e. Click OK.
   f. Click Install.
   g. Click and slide the arrow to unlock the iPad.
2. Configure Auto-Lock as follows:
   a. Click General.
   b. Click Auto-Lock.
   c. Click 5 minutes.
3. Configure passcode lock and data erase as follows:
   a. From the left menu, select Passcode.
   b. Select Turn Passcode On.
   c. Enter the passcode; then click Next.
   d. Re-enter the passcode; then click Done.
   e. Set Erase Data to ON.
   f. Click Enable.
   g. Click Require Passcode.
   h. Click After 5 minutes.
4. Require unknown networks be manually added as follows:
   a. From the left menu, select Wi-Fi.
   b. Set Ask to Join Networks to OFF.
5. Turn off Bluetooth as follows:
   a. From the left menu, select Bluetooth.
   b. Set Bluetooth to OFF.

7.10.5 Configure Email Filters
You are the IT security administrator for a small corporate network. You helped your boss remove a lot of junk email, and now he would like you to only allow emails and attachments from senders on his safe sender list.
In this lab, your task is to configure email filtering as follows:
• Only allow emails from the safe senders list.
• Report junk email messages to your email provider.
• Only allow attachments from the safe senders list.

Task Summary
• Set the junk email filter to Exclusive
• Set to Report junk messages
• Block attachments from unknown senders
Explanation
In this lab, your task is to configure email filtering as follows:
• Only allow emails from the safe senders list.
• Report junk email messages to your email provider.
• Only allow attachments from the safe senders list.
Complete this lab as follows:
1. In the upper right corner, select Options > More Options.
2. Under Preventing junk email, select Filters and Reporting.
3. Under Choose a junk email filter, select Exclusive.
4. Under Report junk messages, select Report junk.
5. Under Block content from unknown senders, select Block attachments, pictures, and links for anyone not in my safe senders list.
6. Click Save.

7.1.6 Configure Windows Defender
You recognize that the threat of malware is increasing, even for your home computer. You want to use Windows Defender to protect your home computer from malware.
In this lab, your task is to configure Windows Defender as follows:
• Automatic scanning setting:
  o Frequency: Saturday
  o Approximate time: 12:00 am
  o Type: Full scan (A quick scan checks the areas of the computer that spyware is likely to affect, and a full scan checks all files and programs on the computer)
  o Check for updated definitions before scanning: Enabled
• Default actions settings:
  o Severe alert items: Remove
  o High alert items: Remove
  o Medium alert items: Remove
  o Low alert items: Allow
  o Apply recommended actions: Enabled
• Advanced settings:
  o Scan email: Enabled
  o Scan removable drives: Enabled
• Administrator settings:
  o Display items from all users of this computer: Enabled
When configuration is complete, perform a Quick Scan.
To open Windows Defender, select the small icons view in Control Panel or type MSASCui in the search box on the taskbar.

Task Summary
• Perform a full scan once per week
  o Perform the scan on Saturday
  o Perform the scan at midnight (12:00 am)
  o Perform a full system scan
  o Check for updates before scanning
• Configure default actions to take
  o Remove severe alert items
  o Remove high alert items
  o Remove medium alert items
  o Allow low alert items
  o Apply recommended actions to items detected during a scan
• Configure advanced options
  o Scan email
  o Scan removable drives
  o Display items from all users of this computer
• Perform a quick scan
Explanation
In this lab, your task is to configure Windows Defender as follows:
• Automatic scanning setting:
  o Frequency: Saturday
  o Approximate time: 12:00 am
  o Type: Full scan (A quick scan checks the areas of the computer that spyware is likely to affect, and a full scan checks all files and programs on the computer)
  o Check for updated definitions before scanning: Enabled
• Default actions settings:
  o Severe alert items: Remove
  o High alert items: Remove
  o Medium alert items: Remove
  o Low alert items: Allow
  o Apply recommended actions: Enabled
• Advanced settings:
  o Scan email: Enabled
  o Scan removable drives: Enabled
• Administrator settings:
  o Display items from all users of this computer: Enabled
Complete this lab as follows:
1. Right-click Start > Control Panel.
2. In the top right corner under View by, select Small icons from the drop-down list.
3. Select Windows Defender.
4. Select Tools.
5. Under Settings, select Options.
6. Make sure Automatically scan my computer (recommended) is selected to allow Windows Defender to scan the computer automatically.
7. Configure automatic scanning settings as follows:
   a. Select the frequency.
   b. Select the approximate time.
   c. Select the type of scan.
   d. Select Check for updated definitions before scanning to make sure definitions are up to date prior to a scan.
8. Configure Default actions settings as follows:
   a. In the left-side menu, select Default actions.
   b. Select the Severe alert items.
   c. Select the High alert items.
   d. Select the Medium alert items.
   e. Select the Low alert items.
   f. Select Apply recommended actions to apply actions when items are detected.
9. Configure Advanced settings as follows:
   a. In the left menu, select Advanced.
   b. Select Scan email.
   c. Select Scan removable drives.
10. Configure Administrator settings as follows:
   a. In the left menu, select Administrator.
   b. Select Display items from all users of this computer.
11. Select Save.
12. Select Scan to run a quick scan.

7.10.7 Secure Email on iPad
You work as the IT security administrator for a small corporate network. The receptionist uses an iPad to manage employee schedules and messages. You need to help her secure her email and browser on the iPad.
In this lab, your task is to perform the following:
• Configure each email account to use SSL for incoming mail.
• Secure the Internet browser as follows:
  o Turn off AutoFill
  o Accept cookies only from visited sites
  o Turn on Fraud Warning
  o Turn off JavaScript
  o Turn on Block Pop-ups

Task Summary
• Configure the Maggie Brown email account for SSL
• Configure the Emily Smith email account for SSL
• Turn off AutoFill on Safari
  o Set Use Contact Info to OFF
  o Set Names and Passwords to OFF
• Set Block Cookies to Allow from Websites I Visit
• Turn on Fraud Warning
• Turn off JavaScript
• Turn on Block Pop-ups
Explanation
In this lab, you perform the following:
• Configure each email account to use SSL for incoming mail.
• Secure the Internet browser as follows:
  o Turn off AutoFill
  o Accept cookies only from visited sites
  o Turn on Fraud Warning
  o Turn off JavaScript
  o Turn on Block Pop-ups
Complete this lab as follows:
1. Configure email for SSL as follows:
   a. Select Settings.
   b. Select Mail, Contacts, Calendars.
   c. Select an email account.
   d. Select Account.
   e. Select Advanced.
   f. Under Incoming Settings, set Use SSL to ON.
   g. Select Account.
   h. Click Done.
   i. At the top, select Mail, Contacts.
   j. Repeat steps 1c-1i for each email account.
2. Secure the Internet browser as follows:
   a. From the left menu, select Safari.
   b. Select Passwords & AutoFill.
   c. Set Use Contact Info to OFF.
   d. Set Names and Passwords to OFF.
   e. From the top, select Safari.
   f. Select Block Cookies.
   g. Select Allow from Websites I Visit.
   h. From the top, select Safari.
   i. Set Fraudulent Website Warning to ON.
   j. Select Advanced.
   k. Set JavaScript to OFF.
   l. From the top, select Safari.
   m. Set Block Pop-ups to ON.

7.12.8 Create a Guest Network for BYOD
You are a network technician for a small corporate network. You need to enable BYOD Guest Access Services on your network for guests and employees that have mobile phones, tablets, and personal computers.
In this lab, your task is to perform the following:
• Access the Wireless Controller console through Internet Explorer on http://192.168.0.6.
  o Username: WxAdmin
  o Password: ZDAdminsOnly!$ (O is the capital letter O)
• Set up Guest Access Services using the following parameters:
  o Name: Guest_BYOD.
  o Authentication: Use guest pass authentication.
  o The guest should be presented with your terms of use statement and then allowed to go to the URL they were trying to access.
  o Verify that 192.168.0.0/16 is on the list of restricted subnets.
• Create a guest WLAN using the following parameters:
  o Network name: Guest
  o ESSID: Guest_BYOD
  o Type: Guest Access
  o Authentication: Open
  o Encryption Method: None
  o Guest Access Service: Guest_BYOD
  o Isolate guest wireless clients from other clients on the access point
• Open a new Internet Explorer window and request a guest pass using the BYODAdmin user as follows:
  o URL: 192.168.0.6/guestpass
  o Username: BYODAdmin
  o Password: @dm!n1str8r
  o Use any full name in the Full Name field.
  o Make a note of or copy and paste the key in the Key field.
• Use the key from the guest pass request to authenticate to the wireless LAN Guest_BYOD from the Gst-Lap laptop computer in the lobby.

Task Summary
• Create a guest access service
  o Create Guest_BYOD
  o Use guest pass authentication
  o Present the guest with the terms of use
  o Redirect to the URL that the user intends to visit
• Create a guest WLAN
  o Name: Guest
  o SSID: Guest_BYOD
  o Type: Guest Access
  o Authentication method: Open
  o Encryption Method: None
  o Associate with the Guest_BYOD guest access service
  o Isolate the guests from other clients
• Request a guest pass
  o Generate a guest pass using the BYODAdmin account
• Connect to Guest_BYOD from Gst-Lap
  o Gst-Lap is connected to Guest_BYOD
Explanation
In this lab, your task is to perform the following:
• Access the Wireless Controller console through Internet Explorer on http://192.168.0.6.
  o Username: WxAdmin
  o Password: ZDAdminsOnly!$ (O is the capital letter O)
• Set up Guest Access Services using the following parameters:
  o Name: Guest_BYOD.
  o Authentication: Use guest pass authentication.
  o The guest should be presented with your terms of use statement and then allowed to go to the URL they were trying to access.
  o Verify that 192.168.0.0/16 is on the list of restricted subnets.
• Create a guest WLAN using the following parameters:
  o Network name: Guest
  o ESSID: Guest_BYOD
  o Type: Guest Access
  o Authentication: Open
  o Encryption Method: None
  o Guest Access Service: Guest_BYOD
  o Isolate guest wireless clients from other clients on the access point
• Open a new Internet Explorer window and request a guest pass using the BYODAdmin user as follows:
  o URL: 192.168.0.6/guestpass
  o Username: BYODAdmin
  o Password: @dm!n1str8r
  o Use any full name in the Full Name field.
  o Make a note of or copy and paste the key in the Key field.
• Use the key from the guest pass request to authenticate to the wireless LAN Guest_BYOD from the Gst-Lap laptop computer in the lobby.
Complete this lab as follows:
1. In the Search field on the taskbar, enter Internet Explorer.
2. Under Best Match, select Internet Explorer.
3. Maximize the Internet Explorer window.
4. In the URL field, enter 192.168.0.6 and press Enter.
5. In the Admin Name field, enter WxAdmin.
6. In the Password field, enter ZDAdminsOnly!$ (O is the capital letter O).
7. Select Login.
8. Set up Guest Access Services as follows:
   a. Select the Configure tab.
   b. From the left menu, select Guest Access.
   c. Under Guest Access Service, select Create New.
   d. In the Name field, enter Guest_BYOD.
   e. Under Authentication, make sure Use guest pass authentication is selected.
   f. Under Terms of Use, select Show terms of use.
   g. Under Redirection, make sure Redirect to the URL that the user intends to visit is selected.
   h. Expand Restricted Subnet Access.
   i. Verify that 192.168.0.0/16 is listed.
   j. Click OK.
9. Create a guest WLAN as follows:
   a. From the left menu, select WLANs.
   b. Under WLANs, select Create New.
   c. In the Name field, enter Guest.
   d. In the ESSID field, enter Guest_BYOD.
   e. Under Type, select Guest Access.
   f. Under Authentication Options, make sure Open is selected.
   g. Under Encryption Options, make sure None is selected.
   h. Under Guest Access Service, make sure Guest_BYOD is selected from the drop-down list.
   i. Select Isolate wireless client traffic from other clients on the same AP.
   j. Click OK.
   k. Close Internet Explorer.
10. Request a guest password as follows:
   a. Open a new Internet Explorer browser window.
   b. In the URL field, enter 192.168.0.6/guestpass and press Enter.
   c. In the Username field, enter BYODAdmin.
   d. Enter @dm!n1str8r as the password.
   e. Select Login.
   f. In the Full Name field, enter any full name.
   g. In the Key field, highlight the key and press Ctrl + C to copy the key.
   h. Click Next.
11. Access the wireless Guest Access service from the guest laptop in the lobby as follows:
   a. From the top menu, select Floor 1.
   b. Select Gst-Lap in the lobby.
   c. In the notification area, select the wireless network icon.
   d. Select Guest_BYOD.
   e. Select Connect.
   f. Select Yes.
   g. After Internet Explorer opens to the Guest Access login page, paste the key from the Key field.
   h. Select Log In.

7.13.6 Create Virtual Machines
You have installed Hyper-V on the CorpServer server. You are experimenting with creating virtual machines.
In this lab, your task is to create two virtual machines named VM1 and VM2 using the following settings:
VM1:
• Virtual machine name: VM1
• Virtual machine location: D:\HYPERV
• Virtual machine generation: Generation 1
• Startup memory: 1024 MB (Do not use Dynamic Memory)
• Networking connection: External
• Virtual hard disk name: VM1.vhdx
• Virtual hard disk location: D:\HYPERV\Virtual Hard Disks
• Virtual hard disk size: 50 GB
• Operating system will be installed later
VM2:
• Virtual machine name: VM2
• Virtual machine location: D:\HYPERV
• Generation: Generation 2
• Startup memory: 2048 MB (Use Dynamic Memory)
• Networking connection: Internal
• Virtual hard disk name: VM2.vhdx
• Virtual hard disk location: D:\HYPERV\Virtual Hard Disks
• Virtual hard disk size: 250 GB
• Operating system will be installed later
• Minimum RAM: 512 MB
• Maximum RAM: 4096 MB
You can create a new virtual hard disk when you create a virtual machine. Virtual disks created along with virtual machines are dynamically expanding disks. If you need to create any other kind of disk, you can either create the disk before the virtual machine or convert the disk type after.

Task Summary
• Create virtual machine VM1
  o Virtual machine name: VM1
  o Virtual machine location: D:\HYPERV
  o Generation 1
  o Startup memory: 1024 MB
  o Networking connection: External
  o Virtual hard disk name: VM1.vhdx
  o Virtual hard disk location: D:\HYPERV\Virtual Hard Disk\VM1.vhdx
  o Virtual hard disk size: 50 GB
  o Set to install operating system later
• Create virtual machine VM2
  o Virtual machine name: VM2
  o Virtual machine location: D:\HYPERV
  o Generation 2
  o Startup memory: 2048 MB
  o Minimum RAM: 512 MB
  o Maximum RAM: 4096 MB
  o Networking connection: Internal
  o Virtual hard disk name: VM2.vhdx
  o Virtual hard disk location: D:\HYPERV\Virtual Hard Disks\VM2.vhdx
  o Virtual hard disk size: 250 GB
  o Set to install operating system later
Explanation
In this lab, you create two virtual machines named VM1 and VM2 using the following settings:
VM1:
• Virtual machine name: VM1
• Virtual machine location: D:\HYPERV
• Virtual machine generation: Generation 1
• Startup memory: 1024 MB (Do not use Dynamic Memory)
• Networking connection: External
• Virtual hard disk name: VM1.vhdx
• Virtual hard disk location: D:\HYPERV\Virtual Hard Disks
• Virtual hard disk size: 50 GB
• Operating system will be installed later
VM2:
• Virtual machine name: VM2
• Virtual machine location: D:\HYPERV
• Generation: Generation 2
• Startup memory: 2048 MB (Use Dynamic Memory)
• Networking connection: Internal
• Virtual hard disk name: VM2.vhdx
• Virtual hard disk location: D:\HYPERV\Virtual Hard Disks
• Virtual hard disk size: 250 GB
• Operating system will be installed later
• Minimum RAM: 512 MB
• Maximum RAM: 4096 MB
1. Create VM1 on CorpServer as follows:
   a. In Server Manager, select Tools > Hyper-V Manager.
   b. Right-click CORPSERVER.
   c. Select New > Virtual Machine.
   d. In the Before You Begin window, click Next.
   e. In the Name field, enter VM1 for the virtual machine.
   f. Select Store the virtual machine in a different location to modify the path to the virtual machine files.
   g. In the Location field, verify the location for the virtual machine; then click Next.
   h. Make sure Generation 1 is selected; then click Next.
   i. In the Startup memory field, enter the amount of memory to use for the virtual machine; then click Next.
   j. In the Connection field, select the network connection from the drop-down list; then click Next.
   k. Make sure Create a virtual hard disk is selected.
   l. Modify the virtual hard disk name, location, and size as needed; then click Next.
   m. Make sure that Install an operating system later is selected; then click Next.
   n. Click Finish to create the virtual machine.
2. Create VM2 on CorpServer as follows:
   a. Right-click CORPSERVER.
   b. Select New > Virtual Machine.
   c. In the Before You Begin window, click Next.
   d. In the Name field, enter VM2 for the virtual machine.
   e. Select Store the virtual machine in a different location to modify the path to the virtual machine files.
   f. In the Location field, verify the location for the virtual machine; then click Next.
   g. Select Generation 2; then click Next.
   h. In the Startup memory field, enter the amount of memory to use for the virtual machine.
   i. Select Use Dynamic Memory for this virtual machine; then click Next.
   j. In the Connection field, select the network connection from the drop-down list; then click Next.
   k. Make sure Create a virtual hard disk is selected.
   l. Modify the virtual hard disk name, location, and size as needed; then click Next.
   m. Make sure that Install an operating system later is selected; then click Next.
   n. Click Finish to create the virtual machine.
   o. Adjust virtual machine memory:
      1. Right-click VM2.
      2. Select Settings.
      3. From the left pane, select Memory.
      4. On the Memory window, enter the minimum RAM.
      5. Enter the maximum memory; then click OK.

7.9.6 Enable Device Logs
You are the IT security administrator for a small corporate network. You need to enable logging on the switch in the networking closet.
In this lab, your task is to perform the following:
• Enable Logging and the Syslog Aggregator
• Configure RAM Memory Logging as follows:
  o Emergency, Alert, and Critical: Enable
  o Error, Warning, Notice, Informational, and Debug: Disable
• Configure Flash Memory Logging as follows:
  o Emergency and Alert: Enable
  o Critical, Error, Warning, Notice, Informational, and Debug: Disable

Task Summary
• Enable logging and the Syslog aggregator
• Set RAM memory logging to Critical
• Set Flash memory logging to Alerts
Explanation
In this lab, you perform the following:
• Enable Logging and the Syslog aggregator
• Configure RAM memory logging as follows:
  o Emergency, Alert, and Critical: Enable
  o Error, Warning, Notice, Informational, and Debug: Disable
• Configure Flash memory logging as follows:
  o Emergency and Alert: Enable
  o Critical, Error, Warning, Notice, Informational, and Debug: Disable
Complete this lab as follows:
1. From the left menu, expand Administration.
2. Expand System Log.
3. Select Log Settings.
4. Under Logging, select Enable.
5. Under Syslog Aggregator, select Enable.
6. Under RAM Memory Logging, enable and disable the appropriate settings.
7. Under Flash Memory Logging, enable and disable the appropriate settings.
8. Click Apply.

7.5.5 Configure NTFS Permissions
You need to manage the permissions assigned to various folders. Department data is stored on CorpFiles16 in a folder named D:\Departments. Within the Departments folder, each department has a subfolder where they can publish files to the rest of the company. The default permissions inherited by the D:\Departments folder and each subfolder currently allow all users to read and execute files.
In this lab, your task is to configure permissions for each departmental subfolder so that only users within each department can change their department's files. To complete this task, assign the permissions specified in the following table:
Folder | Domain Local Group | Permissions
D:\Departments\Accounting | Accounting Resources | Full Control
D:\Departments\Research | Research Resources | Full Control
D:\Departments\Sales | Sales Resources | Full Control
D:\Departments\Support | Support Resources | Full Control

Task Summary
• Give the Accounting Resources group Full Control to D:\Departments\Accounting
• Give the Research Resources group Full Control to D:\Departments\Research
• Give the Sales Resources group Full Control to D:\Departments\Sales
• Give the Support Resources group Full Control to D:\Departments\Support
Explanation
In this lab, you explicitly add permission assignments using the following:
Folder | Domain Local Group | Permissions
D:\Departments\Accounting | Accounting Resources | Full Control
D:\Departments\Research | Research Resources | Full Control
D:\Departments\Sales | Sales Resources | Full Control
D:\Departments\Support | Support Resources | Full Control
Complete this lab as follows:
1. From the taskbar, open File Explorer.
2. Browse to and right-click the folder and select Properties.
3. Select the Security tab.
4. Select Edit.
5. Select Add.
6. In the Enter the object names to select field, type the name of the group that will receive permission to the shared folder; then click OK.
7. Select the group.
8. In the Allow column, select the appropriate permission.
9. Click OK twice.
10. Repeat steps 2-9 for each domain local group.

7.5.6 Disable Inheritance
Confidential personnel data is stored on the CorpFiles12 file server in a shared directory named Personnel. You need to configure NTFS permissions for this folder so that only managers are authorized to access the folder.
In this lab, your task is to perform the following:
• Grant the Managers group the Full Control permission to the D:\Personnel folder.
• Remove all inherited permissions that are flowing to the D:\Personnel folder.
If a permission appears grayed out, it is an inherited permission. To modify it, you need to disable inheritance and create explicit permissions.

Task Summary
• Grant the Managers group Allow Full Control to D:\Personnel
• Prevent inherited permissions on the D:\Personnel folder
  o Disable inheritance
  o Remove all inherited permissions from the folder
Explanation
In this lab, you perform the following tasks:
• Grant the Managers group the Full Control permission to the D:\Personnel folder.
• Remove all inherited permissions that are flowing to the D:\Personnel folder.
Complete this lab as follows:
1. Configure NTFS permissions as follows:
   a. From the taskbar, open File Explorer.
   b. Browse to the folder you need to modify permissions for.
   c. Right-click the folder and select Properties.
   d. Select the Security tab.
   e. Select Edit.
   f. Select Add.
   g. Enter the name of the group that will receive permission to the folder.
   h. Click OK.
   i. With the Managers group selected, select the appropriate NTFS permission.
   j. Click OK.
2. Prevent inherited permissions from parent objects as follows:
   a. On the Security tab, select Advanced.
   b. Select Disable inheritance.
   c. Select Remove all inherited permissions from this object.
   d. Click OK to close the Advanced Security Settings for Personnel dialog.
   e. Click OK to close the Properties dialog.

7.3.5 Configure Automatic Updates
You need to customize how Windows Update checks for and installs updates on both the Support and ITAdmin desktop systems in your organization.
In this lab, your task is to perform the following:
• Configure Windows Update on Support (which is running Windows 7) as follows:
  o Download and install updates automatically each Wednesday at 2:00 am.
  o Include recommended updates.
  o Allow any user on the computer to install updates.
  o Configure driver updates to install drivers if they are not found on the computer.
• Configure Windows Update on ITAdmin as follows:
  o Configure Windows Update to install updates automatically.
  o Configure Windows Update to install updates for other Microsoft products when Windows is updated.
  o Configure driver updates to download apps and icons for new devices.

Task Summary
• On Support, configure Windows Update
  o Install updates on Wednesday
  o Install updates at 2:00 am
  o Allow other users to install updates
  o Include recommended updates
• On Support, configure driver updates to install if they are not found on the computer
• On ITAdmin, Enable automatic updates
  o Install updates automatically
  o Include recommended updates for other Microsoft products
• On ITAdmin, configure driver updates to download apps and icons for new devices
Explanation
In this lab, you perform the following tasks:
• Configure Windows Update on Support (which is running Windows 7) as follows:
  o Download and install updates automatically each Wednesday at 2:00 am.
  o Include recommended updates.
  o Allow any user on the computer to install updates.
  o Configure driver updates to install drivers if they are not found on the computer.
• Configure Windows Update on ITAdmin as follows:
  o Configure Windows Update to install updates automatically.
  o Configure Windows Update to install updates for other Microsoft products when Windows is updated.
  o Configure driver updates to download apps and icons for new devices.
Complete this lab as follows:
1. On Support, modify Windows Update settings as follows:
   a. Select Start.
   b. Select Control Panel.
   c. Select System and Security.
   d. Select Windows Update.
   e. On the left, select Change settings.
   f. Configure the update day and time.
   g. Select Give me recommended updates the same way I receive important updates to include recommended updates.
   h. Select Allow all users to install updates on this computer to allow any user to install updates.
   i. Click OK.
2. On Support, configure how Windows prompts for updated drivers:
   a. Select Start.
   b. Right-click Computer and select Properties.
   c. On the left, select Advanced system settings.
   d. Select the Hardware tab.
   e. Select Device Installation Settings.
   f. Select the required update option; then click Save Changes.
   g. Click OK.
3. On ITAdmin, modify Windows Update settings as follows:
   a. From the top menu, select the Floor 1 location tab.
   b. Select ITAdmin.
   c. Select Start.
   d. Select Settings.
   e. Select Update & security.
   f. In Windows Update, select Advanced options.
   g. From the Choose how updates are installed drop-down list, select Automatically.
   h. Select Give me updates for other Microsoft products when I update Windows to include recommended updates.
4. On ITAdmin, configure how Windows handles apps and icons for devices:
   a. Right-click Start and select System.
   b. On the left, select Advanced system settings.
   c. Select the Hardware tab.
   d. Select Device Installation Settings.
   e. Select Yes; then select Save Changes.
   f. Select OK.
5. Select Yes; then click Save Changes.
6. Click OK.

7.4.5 Manage Services with Group Policy
You work as the IT security administrator for a small corporate network. You plan to configure AppLocker rules for workstations on your network. As a result, you need to make sure the Application Identity service is running on all workstations. You have also identified several services that should not be running because of security concerns. You want to make sure that these services are not running on any workstations. All workstations reside in a container named Workstations in Active Directory. A GPO named WorkstationGPO is linked to this container. In this lab, your task is to configure the Workstation GPO with the following settings:

Service                      Setting
Application Identity         Automatic
Remote Registry              Disabled
Routing and Remote Access    Disabled
SSDP Discovery               Disabled
UPnP Device Host             Disabled

Task Summary
• Set the Application Identity service to Automatic
• Set the Remote Registry service to Disabled
• Set the Routing and Remote Access service to Disabled
• Set the SSDP Discovery service to Disabled
• Set the UPnP Device Host service to Disabled

Explanation
In this lab, you configure the Workstation GPO with the following settings:

Service                      Setting
Application Identity         Automatic
Remote Registry              Disabled
Routing and Remote Access    Disabled
SSDP Discovery               Disabled
UPnP Device Host             Disabled

Complete this lab as follows:
1. From Server Manager, select Tools > Group Policy Management.
2. Expand Forest: CorpNet.com > Domains > CorpNet.com > Group Policy Objects.
3. Right-click WorkstationGPO and select Edit.
4. Under Computer Configuration, expand Policies > Windows Settings > Security Settings.
5. Select System Services.
6. In the right pane, double-click the policy you want to edit.
7. Select Define this policy setting.
8. Select the policy setting; then click OK.
9. Repeat

7.3.7 Configure Windows Firewall
You work as the IT security administrator for a small corporate network. A marketing employee in Office 2 needs assistance enabling Windows Firewall on her computer. In this lab, your task is to configure Windows Firewall as follows:
• Turn on Windows Firewall for the Domain and Public network profiles.
• Allow the following for the Domain and Public network profiles:
  o Key Management Service
  o An application named Arch98
  o An application named Apconf
• Remove the following exceptions on the Domain network profile:
  o Windows Media Player
  o Windows Peer to Peer Collaboration Foundation

Task Summary
• Turn Windows Firewall On
  o Enable the firewall for the Domain network Profile
  o Enable the firewall for the Public network Profile
• Configure the program exceptions on the Domain network profile
  o Allow Key Management Service through the firewall
  o Allow the Arch98 program through the firewall
  o Allow the Apconf program through the firewall
  o Deny the Windows Media Player program through the firewall
  o Deny the Windows Peer to Peer Collaboration Foundation program through the firewall
• Configure the program exceptions on the Public network profile
  o Allow Key Management Service through the firewall
  o Allow the Arch98 program through the firewall
  o Allow the Apconf program through the firewall

Explanation
In this lab, you configure Windows Firewall as follows:
• Turn on Windows Firewall for the Domain and Public network profiles.
• Allow the following for the Domain and Public network profiles:
  o Key Management Service
  o An application named Arch98
  o An application named Apconf
• Remove the following exceptions on the Domain network profile:
  o Windows Media Player
  o Windows Peer to Peer Collaboration Foundation

Complete this lab as follows:
1. Right-click Start and select Control Panel.
2. Select System and Security.
3. Select Windows Firewall.
4. Turn the Windows Firewall on as follows:
   a. On the left, select Turn Windows Firewall on or off to enable the firewall.
   b. Under Domain network settings, select Turn on Windows Firewall.
   c. Under Public network settings, select Turn on Windows Firewall.
   d. Click OK.
5. Allow programs through the firewall as follows:
   a. On the left, select Allow an app or feature through Windows Firewall to allow a program through the firewall.
   b. Select Change settings.
   c. For Key Management Service, mark the exception box in the Domain and Public columns.
   d. Select Allow another app to configure an exception for an uncommon program.
   e. Select Arch98 from the list.
   f. Select Add.
   g. Make sure the Domain exception box is selected.
   h. In the Public column, select the exception box.
   i. Repeat steps 5d-5h for Apconf.
6. Restrict programs through the firewall as follows:
   a. Under Allowed apps and features, browse to the program.
   b. For the program, deselect the Domain exception box.
   c. Click OK.

