Networking Infrastructure 01.pdf

Assignment front sheet Qualification

Unit number, Unit Level, Unit Credit and Title

Pearson BTEC HNC Diploma in Computing and Systems Development

Unit 43: Networking Infrastructure

Student name

Assessor name

Sadaf Farooqi

Himanshu Bhatt

Date issued

Completion date

Submitted on

22 June 2015

27 June 2015

10 July 2015

Assignment title

Understanding of networking infrastructures management (1 of 1)

LO

LO 1

LO 2

Learning Outcome (LO)

AC

Understand the principles of network infrastructure management

1.1

Be able to design complex network infrastructure systems

2.1

1.2 1.3

2.2 2.3

LO 3

Be able to implement complex network infrastructure systems

LO 4

Be able to test complex network infrastructure systems

In this assessment you will have the opportunity to present evidence that shows you are able to:

Task no.

Evidence (Page no)

Evaluate current name resolution services Discuss the technologies that support network infrastructure management Discuss security resources available in network infrastructure management

1.1

6-8

1.2

9

1.3

10

Design a network infrastructure for a given networked environment Evaluate addressing and deployment solutions for a given networked environment Evaluate rights and security requirements for a given networked environment

2.1 2.2

11 12 13 - 15

3.1

Implement a network infrastructure based on a prepared design

3.1

16 - 34

4.1

Critically review and test an implemented system

4.1

35

4.2

Evaluate system and user assurance of the implemented system

4.2

36

Learner declaration

I certify that the work submitted for this assignment is my own and research sources are fully acknowledged. Student signature:

Date: 10/07/2015

1

Achievement Summary Qualification Unit number, Unit Level, Unit Credit and Title

Criteria Reference LO 1 1.1 1.2 1.3 LO 2 2.1 2.2 2.3 LO 3 3.1 LO 4 4.1 4.2

Pearson BTEC HND Diploma in Computing and Systems Development Unit 43: Networking Infrastructure

Assessor name

Himanshu Bhatt

Student name

Sadaf Farooqi

To achieve the criteria the evidence must show that the student is able to:

Achieved (tick)

Evaluate current name resolution services Discuss the technologies that support network infrastructure management Discuss security resources available in network infrastructure management Design a network infrastructure for a given networked environment Evaluate addressing and deployment solutions for a given networked environment Evaluate rights and security requirements for a given networked environment Implement a network infrastructure based on a prepared design Critically review and test an implemented system Evaluate system and user assurance of the implemented system Higher Grade achievements (where applicable) Grade descriptor

M1: Identify and apply strategies to find appropriate solutions

Achieved? (tick)

Grade descriptor

Achieved? (tick)

D1: Use critical reflection to evaluate own work and justify valid conclusions

M2: Select / design and apply appropriate methods / techniques

D2: Take responsibility for managing and organising activities

M3: Present and communicate appropriate findings

D3: Demonstrate convergent/ lateral/ creative thinking

2

Assignment Feedback Formative Feedback: Assessor to Student

Action Plan

Summative feedback

Feedback: Student to Assessor

Assessor Signature

Date

Student Signature

Date

10 July 2015

3

Evidence checklist

Summary of evidence required by student

Evidence presented 6-8

Task 1.1

Evaluate current name resolution services

Task 1.2

Discuss the technologies that support network infrastructure management

9

Task 1.3

Discuss security resources available in network infrastructure management

10

Task 2.1

Design a network infrastructure for a given networked environment

11

Task 2.2

Evaluate addressing and deployment solutions for a given networked environment

12

Task 2.3

Evaluate rights and security requirements for a given networked environment

13 - 15

Task 3.1

Implement a network infrastructure based on a prepared design

16 - 34

Task 4.1

Critically review and test an implemented system

35

Task 4.2

Evaluate system and user assurance of the implemented system

36

Task 5

Make a critical evaluation of own performance

37

4

Contents Task 1: ..................................................................................................................................................................... 6 1.1

Evaluating Name Resolution Services ........................................................................................................... 6

1.2

Network Infrastructure Management Technologies ....................................................................................... 9

1.3

Network Infrastructure Management Security Resources ..............................................................................10

Task 2: ....................................................................................................................................................................11 2.1

Designing a Network Infrastructure ............................................................................................................11

2.2

Evaluating the Network Design ...................................................................................................................12

2.3

Evaluating Rights and Security Requirements ..............................................................................................13

Task 3: ....................................................................................................................................................................16 3.1

Implementing the Network Infrastructure ...................................................................................................16

Task 4: ....................................................................................................................................................................35 4.1

Testing the Network Infrastructure .............................................................................................................35

4.2

Evaluating User and System Assurance .......................................................................................................36

Task 5: ....................................................................................................................................................................37 References: ..............................................................................................................................................................37

5

Task 1: The term Network Infrastructure refers to an interconnected group of computer systems configured and setup in a specific architecture. A complete Network Infrastructure comprises of individual networked computers, cables, switches, routers, wireless access points, backbones and network access methodologies. Corporate intranets are similar to the global intranet but only operate on closed network infrastructures; i.e. they are only accessible to those within it. This infrastructure in particular is reliant on central data storage and consists of computers known as servers, Ethernet cabling, routers and switches as well as computer systems with access to the central storage. Aside from having suitable hardware architecture, network infrastructures also require software components in order to be functional.

Figure 1: Network Infrastructure

1.1

Evaluating Name Resolution Services

Among the services most prominent in handling Network Infrastructures are a set of rules known as Internet Protocols that govern the format in which data is transferred over the internet and within networks. The most common Internet Protocol utilized by nearly every Networking Infrastructure is the DNS or Domain Name Service. This is the primary service responsible for locating and translating Internet Domain Names into IP Addresses. The DNS service automatically converts the names typed into the Web browser to the IP addresses of corresponding Web Site servers. The service utilizes a distributed database for storing name and address information of all public hosts on the internet making it easier for the users to connect to various websites. DNS services are also known to provide support for caching requests and redundancy. It is not uncommon to find Operating Systems configured with Primary, Secondary and Tertiary DNS Servers to allow redundancy. The service itself operates on a client/server architecture with the computers where the service has been installed operating as the Server and the Clients are the PCs and additional networking devices accessing the server. DNS Clients wanting to use the service are required to have the service configured on their network. DNS Servers are mostly assigned static IP Addresses making it easier for clients to access the servers for queries. Aside from being used as the primary method of looking up websites, DNS is also used for:  

Locating the correct servers for delivering Internet Email. Reverse lookups that allow IP Addresses to be converted back to Domain Names.

6

While Internet Protocols such as DNS handle the communication and requests sent over and within the network, it is also necessary to have internal tools for centralizing and managing accesses to the various resources on the network. Directory Services are deployed by most organizations as the preferred method for centralizing network information. Different vendors offer different Directory Services with Window’s Active Directory being the mostly common deployed in smaller organizations. However Novell’s eDirectory, a service software used for managing internal and Web-based relationships, is more commonly utilized by corporate giants as their preferred centralizing agent. eDirectory utilizes dynamic rights inheritance which Aside from providing centralized management, eDirectory can also be used as a Web Service that can be accessed by internal and external users through authenticated logons. However both Active Directory and eDirectory have a lot more to offer aside from an added access to Web Services. Major differences between the two can be seen as below:

Manageability Scalability

Security

Compatibility

Reliability

Windows Active Directory Offers straightforward and expandable management consoles, providing greater coverage over an organization’s infrastructure. Multi-master model that allows multiple directory servers to host the same directory however Windows’ FSMO roles lead to limited management functionalities in the event of master failures. Both services have a similar sized attack services that can be avoided through proper directory implementation. Active Directory offers Group Policy for the management of the network’s clients. However it is only applicable to Window’s Clients. While Active Directory can only be installed on a Windows OS, it does offer endpoint-to-endpoint solutions that allow for the easy installation of the OS and its services across various devices. While Windows may not be able to catch up to Novell’s uptime reputations; Windows offers an array of ServicePacks, hotfixes and patches to handle any downtimes.

Novell eDirectory Offers various tools for the ease of management across various platforms. Also offers multi-master models with the noted difference being that only certified employees are allowed to perform major tasks such as schema updates and all on a single dedicated server. eDirectory’s ZENWorks Suite also offers client/desktop management. However Novell’s security tools are capable of monitoring and administering clients across various other platforms as well. Novell is known for its multi-platform support, with eDirectory packages available for nearly every known platform. However it is because of this that many users prefer to go cross platform instead of utilizing Novell’s own endpoint-toendpoint solutions. Installing Novell’s eDirectory on a Novell Netware Sever is considered to be highly reliable with barely any downtimes recorded.

7

Additional management concerns faced by any Networking Infrastructure, include the management of users, resources and access rights to either one of them. Different Operating Systems deal with these concerns through different tools. Windows Server OS offers a variety of feature to tackle each issue separately. The tasks handled by these features can be seen as below: Resource Management Infrastructure Resource Management is the collective term utilized by large IT corporations when referring to the practises tools and procedures used in the management of their vast resource pools. Large IT corporations such as Data Centres require high-end resource management to address effective resource usage in delivering the established level of services and functionalities. However smaller organizations such as Company A do not require such extensive management methods and can make do with the features bundled with the Operating System running on the network. A noted example would be the Windows System Resource Manager or WSRM; it enables the allocation of resources such as CPU and memory based on task priorities. Administrators have the rights to set limits for the amount of hardware resources that users and running applications are allowed to use. WSRM is also capable of allocating resources among the multiple applications running within the network, applying calendar rules to different policies for delegating resources, collecting and analysing daily resource usage data as well as automatically selecting resource policies based on server properties and events. User Management Securing a network on the outside may seem like the most important task in building a network, however it is equally important to secure the network from within; i.e. configuring network security policies and allocating user permissions. Not everyone in an organization is required to have the same level of access to an organization’s resources. Aside from the misuse of confidential data stored on the network, administrators face various other user related issues which can be handled through proper user management, such as:   

Novice Internet Users – Though they may not have any harmful intentions, their inexpertise can lead to the exposure of sensitive enterprise data to the outside world through accidentally downloaded spyware. Intensive Bandwidth Users – Bandwidth hogging users pose a serious threat to an organization’s workflow by clogging the network’s bandwidth through unnecessary downloads and access to non-work related sites. This can be handled by allocating Bandwidths per user basis. Password Assignments – Weak passwords pose a serious threat to an organization. Policies can be applied to users to ensure passwords meet certain requirements and are changed at intervals.

Windows’ Active Directory services can also be used for the creation and centralization of users within the organization. Assigning individual users to specific User Groups and Organizational Units makes the management of said users a lot easier. Access Control Additional features dedicated to securing the internal network include Access Control. Through Access Control administrators can assign policies to users, groups and computers either restricting them or granting them access to objects on the network. Access Control can be implemented through one of the following methods: 





Permissions: Permissions define the type of access granted to a user, group or object. Access Control allows administrators to set NTFS permissions for objects such as files, registry objects, processes and Active Directory Objects. Permissions available for an object can vary depending on the type of object in question; however most objects are assigned one of the following Read, Modify, Change Owner and Delete. Another form of permissions available to Access Control users is the Inherited Permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. User Rights: User rights grant specific privileges and logon rights to users and groups within the network. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User Rights differ from Permissions in that they are applied to users, whereas Permissions are attached to objects. Object Auditing: This feature is used to view and analyse the policies and permissions assigned within the network. It allows administrators to log both successful and unsuccessful access attempts to objects.

8

1.2

Network Infrastructure Management Technologies

A Server is a Networking Hardware that supports most of the organization’s functions. It is often referred to as the backbone of the infrastructure. Therefore it is highly important to select networking hardware that is compatible with the infrastructure in mind. The term Infrastructure does not only refer to an organization’s collection of servers but all the various devices connected to the network. Functionality of a network structure is highly dependent on the hardware implemented in the infrastructure which is why it is essential to design the required network infrastructure for an organization before selecting the hardware. In order for an infrastructure to be truly functional, it is important for the hardware on the network to be implemented appropriately with regular checks for monitoring and managing operations and services. Larger Infrastructures such as Data Centres require equally powerful severs and therefore almost always settle for Rack Servers. Smaller organizations in comparison can make do with smaller Tower Servers depending on the size of the organization. A server on its own is only capable of handling the tasks deployed on it, to be able to manage and monitor the infrastructure the server needs to be configured with software known as Operating Systems. The OS selected also varies depending on the needs and size of the infrastructure. A small organization such as Company A can make do with a couple of HP ProLiant servers configured with Microsoft Windows Server OS. Windows Server OS is known for offering a variety of management tools from Resource Monitor to Access Control. Additional devices and hardware required to build a fully operational networking infrastructure, include: 



 

Routers & Switches: Commonly seen as the traffic coordinators of the Network Infrastructure, routers and switches are responsible for the transfer of data within and across networks. As the numbers of IT infrastructure devices, applications, and network connections grow and traffic volume increases, so, too, does the importance of switches and routers in the overall network performance and user productivity. Up to date router and switch management can ensure packet loss protection, higher performances as well as support for redundancy management. Firewalls: Firewall Configuration and Infrastructure Security are two issues highly dependent on each. Having a robust firewall with proper configurations, that only allow traffic in the network where required is essential in maintaining a network’s security. They can be implemented in both hardware and software or as a combination of both. Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. Wireless Access: Providing secure and efficient wireless access is a vital component of any effective network management strategy, no matter the size of the business. Wireless Access not only reduces the additional cabling costs that go into wired networks but also opens up a larger platform for the accessing the network’s resources. Remote Access: When setting up management solutions for a network, it is important to configure remote access as well. Remote Access not presents a cost-effective mode of network management but also allows any networking issues faced to be addressed at a moment’s notice even when support personnel are not physically present.

9

1.3

Network Infrastructure Management Security Resources

Security resources available in any given Network Infrastructure are highly dependent on the software supporting said infrastructure. Different OS include different levels of support of different issues targeting a Network Infrastructure. The OS in question here, Microsoft Windows Server 2008, offers a variety of management and support tools, all of which are fairly easy to configure. Among the most commonly used of these features are: 









 

Rights Management: Windows Server OS manages Rights Assignments through its AD RMS or Active Directory Rights Management Service. Through AD RMS administrators can safeguard digital information against unauthorized use, both online and offline. Rights configured are applied to the files themselves, where they stay regardless of where and how the file has been distributed. With add-ons administrators are also capable of applying these policies to third-party document formats. User Management: Creating, monitoring and administering user accounts and activities is mostly handled through the Active Directory Users and Computers feature of the Windows OS. Through Users and Computers an administrator can create local user accounts, reset passwords, disable or activate accounts, rename local accounts as well as assigning logon scripts to said user accounts. Group Allocation: Group Allocation is a term that covers the allocation of resources for various different user and group related activities. Different Sever 2008 features handle the allocation of different resources. Windows System Resource Manager is responsible for the allocation of hardware resources such as memory and processor to highend applications and functions. Whereas by configuring certain policies on user accounts it is possible to allocate storage spaces for each user. Encryption: Every organization frets over the accidental disclosure of valuable information such as customer databases and financial information. Encrypting valuable information is the easiest way to ensure it remains unseen from prying eyes, however the task of individually encrypting every file and folder containing valuable information can be very off-putting. Windows Encrypting File System or EFS, is a powerful tool that simplifies the encryption of files and folders on servers and client computers. EFS policies apply to not only the devices physically present within the network but to remote servers and clients as well. With EFS an administrator can restrict access to the extent where even users who have access to the servers and its file systems are unable to view the data they should not. Virtual Private Network: VPN or Virtual Private Networks are a form of encrypted connections utilized over less secure networks. Using a VPN ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it. VPN connections help enable cost-effective, secure remote access to private networks. It allows administrators to take advantage of the Internet to help provide the functionality and security of private WAN connections at a lower cost, making Network Infrastructure management that much more accessible. RADIUS: Remote Access Dial In Support or the RADIUS Servers are a Windows platform that provide centralized connection authentication and authorization for network access to wireless and VPN connections among others. IPSec: Internet Protocol Security is a Windows Server OS feature that makes use of cryptographic security services for the protection of communications over the Internet Protocol Networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, and data confidentiality (encryption) as well as replay protection. IPSec Policies can be configured via the Windows Firewall with Advanced Security snap-in.

10

Task 2: 2.1

Designing a Network Infrastructure

Designing a Network Infrastructure from scratch is dream job for most Network Administrators. However when designing a network, it is essential to keep the organization’s IT expertise in mind. It would be counterproductive to design an Infrastructure too complex to be handled by the organization themselves. Setting up a Network involves both hardware and software resources, with the latter even more important once the network is up and running to manage and maintain hardware resources. Given the size and architecture of Company A, the administrator has presented a network design catering to the needs of both onsite and remote users. For this summary, the administrator has decided to focuses on the software roles to be implemented in the network.

11

No. 1.

Target Area Deployment

2.

Addressing

3.

Rights

4.

Security

Services  Servers: Microsoft Windows Server 2008  Clients: Microsoft Windows 7  Since it is a small organization, the administrator has opted for manual OS Deployment.  A DNS Server has been configured to allow client computers to connect to the Domain.  Clients are set to receive IP Addresses via the DHCP Server.  Active Directory Domain Services  Active Directory Rights Management Services  File Services  Network Policy and Access Services  Remote Desktop Services  Terminal Services  Windows Server Update Services

Most of the features presented above lean towards the management of the Network, rather than focusing on the hardware architecture of the network.

2.2

Evaluating the Network Design

The administrator intends to configure both DNS and DHCP as the IP Addressing platform for the network. Having previously elaborated on DNS, the administrator will now explain DHCP and its functionalities to the IT department of company A.

DHCP or Dynamic Host Configuration Protocol is another Network Protocol that enables servers to automatically assign IP addresses to client devices on the network. The server hands out IP addresses from a pre-specified range that is assigned by the administrator during the initial configuration of the server. These ranges are known as Scopes; a single DHCP Server can have more than one scope at any given time, with different scopes assigned to different regions in the network. DHCP addresses its clients through the following method:      

A client using DHCP is turned on. A broadcast request called DISCOVER, is sent out to the DHCP Server. This packet is then redirected by the router to the appropriate DHCP Server. Once the Server has received the request packet, it will assign an IP Address to the client based on the availabilities and usage policies set. The Server then sends the client an OFFER packet with the addressing information. Most times, the server will also configure DNS, WINS and NTP settings for the client. Once received by the client, it will send out a REQUEST packet to the server confirming its intention of using the assigned IP Address.

12

DHCP Servers usually assign IP Addresses on a lease basis, the duration of which is pre-assigned. By default this duration is set to 8 Days. Using DHCP to assign addresses to the various clients in the network, minimizes IP conflicts which arises mostly when addressing is done manually (Static Addressing) and at times two or more devices on the network are assigned a similar IP Address. Since DHCP utilizes dynamic leasing of addresses, it is also able to automatically reclaim addresses that are no longer in use. Since the network is reliant on the DHCP Server for it’s the addressing of its devices, the question of the Server’s scalability is one that is always on the minds of the IT personnel. Theoretically DHCP servers are capable of supporting an unlimited number of clients, as such a small organization such as Company A with a single subnet environment need not worry about installing more than one DHCP server on the network. That being said, it is essential for network administrators and IT personnel to keep track of the IP Address ranges specified and if said ranges can keep up with any additions to the organization. Management of the DHCP Servers includes setting exclusion ranges to the scopes, creating IP Address reservations, adjusting lease length durations and specifying the IP Addressing classes to be used with the scopes. Upon completion, the scope should be activated before it can provide services to the clients on the network.

2.3

Evaluating Rights and Security Requirements

Windows Server 2008’s Group Policy Manager is the preferred mode of managing the various computers and users within the network. Through Group Policy administrators can configure:    

User Group security settings Folder redirections Software deployment scripts Permissions and Inheritance Rights.

In order to configure any of the above it is necessary for the administrator to have understanding of the organization’s business needs, security requirements and service level agreements. Implementing a Group Policy solution entails planning, designing, deploying and maintaining said solution. To begin with an OU structure should be in place, making it easier for the administrator to manage the group policies. The design should cover and include:       

Group Policy application scopes Generic policy settings applicable to all corporate users Users and computers classifications based on roles and locations Desktop configurations based on user and computer requirements Recognizing and specifying exceptions to default inheritance policies Delegating administration of Group Policies Evaluating results via Group Policy Results

When new user and computer accounts are created in the domain they are not, by default, part of any Organizational Units making it impossible to assign any group policies to them. Generally Group Policy settings are applied by linking Group Policy Objects or GPOs to sites, domains and OUs.

13

It should be known, even administrators are incapable of modifying the built-in properties and capabilities of the domain user and computer accounts. However this does not mean there are no means of administration available. User account rights provide administrators with the appropriate platform for managing the internal activities affecting a network, despite not being able to modify default settings. Having access to user rights management allows an administrator to monitor and decide which user accounts have access to which resources on the network. User Rights themselves can be split into two categories:  

Logon Rights: These rights are specifically assigned to users themselves and define their interaction within the network. Privileges: These rights are also assigned directly to users, however they are connected to specific system related actions.

Though it is possible to assign user rights at individual levels, feasibility-wise it is advisable to apply user rights to group account basses. This makes it easier for the administrator to apply and monitor rights throughout the domain. An example of this would be, having a group of users with colour print access rights to the printer. When a new staff joins the organization, the administrator can simply move them to the group instead of having to reassign the rights to their individual account. User rights that are assigned to a group are applied to all members of the group while they remain members. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights and privileges. The administrator for Company A has decided to assign the following User Rights and Privileges:        

Access This Computer from Network Log On Locally Log On as a Service Back Up Files and Directories Create Permanent Shared Objects Generate Security Audits File and Folder Quotas Take Ownership of Files or Other Object

As mentioned previously, Network Infrastructure management involves setting up and managing both internal and external connections to the organization’s network. External access usually requires the configuration of remote access services such as Microsoft’s RAS and VPN. Routing & Remote Access Services RRAS or Routing & Remote Access Service is a Microsoft feature that utilizes hardware and software combinations to connect clients to the host computer also known as the Remote Access Server. When setting up a Remote Access server, the administrator should have a clear design of the solution at hand. When setting up the RRAS, administrators can either select from a list of configuration paths predefined in the setup wizard or choose to manually configure the elements most suitable for their environment. Among the most common Remote Access solutions deployed are: 

Virtual Private Network (VPN): This configuration allows remote access clients to connect to the private network across the internet. Aside from setting the VPN to allow remote clients into the network, administrators can also configure the VPN to determine whether the clients accessing the network have permissions to do so.

14



Dial-up Connections: This configuration allows remote clients to tap into the private network by dialling into a modem bank or similar dial-up equipment. Additional options available for setting up, include the method in which the server responses to access calls and how the server verifies which clients have access to the private network.



Secure Connections (NAT): Network Address Translations or NAT, allows the creation of a shared connection between the Remote Access Server and the computers on the private network. This connection utilizes the translation of traffic between the network’s public address and private network. It also allows for the configuration of additional features such as packet and service filters.

Having explained the solutions available through RRAS, the administrator has decided to deploy the VPN solution for company A. Before deploying any of the above solutions, there are certain issues that should be addressed:   

Determining the interfaces connected to both the internet and the internal private network. Determining whether remote clients will be addressed via the private network’s DHCP server or through the VPN Server. Determining the method of authentication.

Trust Management Trust relationships are a unique feature offered by Microsoft Windows OS that allows two different domains to connect with and share each other’s resources. All Active Directory trusts between domains within a forest are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. There a few different trust types that can be implemented across domains:    

External Trusts: These trusts provide access to resources located on domains that are not part of the same forest. They can be either one-way or two-way depending on the requirement. Realm Trusts: These are used to form trust relationships between a non-Windows realm and an AD Domain. Forest Trusts: Forest level trusts are used to share resources between domains of the same forest. Shortcut Trusts: Applied to a single AD Forest, Shortcut Trusts are used to improve user logon times.

Having briefed on the above, the administrator does not see any need to implement Trust Relationships for Company A at the present, given that they are a small organization with a single domain.

15

Task 3: 3.1

Implementing the Network Infrastructure

Addressing - DNS The first step to setting up an Addressing System for the organization is configuring its DNS Sever. Just like any other Server feature, the DNS Server can installed via the Server Manager.

The installation of the DNS Server role does not require any special efforts. It is the configuration following the installation that determines the service provided to the network. Configuration of the DNS Server involves setting up both Forward and Reverse Lookup Zones. The zones themselves also have a few options; Active Directory Integrated, Standard Primary and Standard Secondary.

16

17

18

Once the Forward Lookup and Reverse Lookup Zones have been configured, the administrator is also required to specify the name servers for said domain. Once the Name Server has been added, additional settings that also need to be configured include, Host A and PTR Records. Host A records are responsible for mapping host names to IP Addresses, making it easier to identify external servers in forward lookup zones. Pointer Records in turn create the appropriate entries in the reverse lookup zones. Once the DNS Server has been setup, the administrator needs to configure the DHCP Server as it is the primary source of addressing for the clients on the network. Addressing – DHCP Another Server Role that is installed via the Server Manager. In order to be able to configure DHCP, the DNS Server is required to be operational, as DHCP clients use the DNS IP Address for name resolutions.

19

20

The above screen is through which the administrator specifies the addresses available for allocation to the clients on the network. Configurations at the above screen include:     

Naming the Scope. Specifying the first available address for clients. Specifying the last available address for clients. Specifying the subnet. Specifying the Default Gateway address.

21

Rights Management Rights Management involves assigning Permissions and Policies to the User Accounts and Computers part of the domain. Permissions are applicable to Files Servers and Shared Resources such as Printers, Storage and Folders. Access to these recourses can be defined through two sets of permission entries; share permissions set on a folder and the NTFS permissions set on the folder. The final access permissions to a folder are determined by taking into consideration both share permissions and NTFS permissions. The administrator has decided to apply Full Control for the Everyone Group and to rely entirely on NTFS permissions to restrict access.

NTFS Permissions for Shared Folders can be configured in one of the following ways:  

New Shared Resources: In this scenario, the NTFS permissions for the folder or volume are changed before it is shared on the network. These NTFS permissions apply both locally and when accessing the resource over the network. Existing Shared Resources: These settings apply to existing shared resources, where the NTFS permissions can be modified by accessing Permissions tab on the folder or volume.

The administrator also lists down a list if applicable shared permissions and their roles: No. 1. 2. 3. 4. 5.

Permission Full Control Modify Read and Execute Write Read

Description Permission to Permission to Permission to Permission to Permission to

read, write, change and delete the file. read and write to and delete the file. view file contents and execute file. write to the file. view the files contents.

22

Aside from configuring Folder Permissions, the administrator has also decided to implement Group Policies across the domain to tighten network security and provide easier modes of administration.

The above console contains the Default Domain Policy, a policy that is auto created upon the installation of the AD DS server role. It contains policy settings that apply to all users and computers in the domain. This Default Domain Policy is a Group Policy Object or GPO that is linked to the Organization Units (OU) under this domain.

23

A linked GPO applies to everything falling under the container it was applied to, this includes child OUs and all users and computers linked to them as well. To avoid GPOs from overlapping, the administrator can either link GPOs to individual OUs or remove inherited policies from applying to child OUs. Once a GPO is created, it can be further edited to specify the policies the administrator wants to enforce.

24

Security Management As discussed previously, the administrator has decided to implement a VPN Server as the network’s preferred mode of Remote Access. In order for the VPN Server setup to be functional, the network needs to be configured with DHCP, DNS and Certificate Services. To fully establish the VPN Server, the following steps need to be undertaken:    

Installing IIS on the VPN Server Requesting a certificate through IIS for the VPN Server. Installing the RRAS role on the dedicated server. Configuring the RRAS Role to operate as a VPN Server

25

26

27

28

29

30

Once the RRAS Server Role has been installed, the administrator has to enables the RRAS service before enabling the VPN Server Feature and the NAT Service. Enabling the NAT Service is essential as it allows external clients to gain access to the Certificate Server, which is required to establish the SSTP VPN connection.

31

Remote Desktop The administrator has also decided to install the Remote Desktop Services roles for the environment. Remote Desktop Services allows users to access Windows-based programs that installed on a RD Session Host server either from within the corporate network or over the internet. The installation for the Remote Desktop Services Roles is handled the same way as every other Server Role; via the Server Manager. Once the role has been selected, the administrator can specify which sub-roles are required by the network and configure each accordingly. The roles included in RDS are:      

Remote Remote Remote Remote Remote Remote

Desktop Desktop Desktop Desktop Desktop Desktop

Session Host Virtualization Host Connection Broker Licensing Gateway Web Access

For the current environment, the administrator will proceed with configuring Remote Desktop Licensing and Remote Desktop Web Access.

32

33

34

Security Audit Policies Aside from configuring server roles and features for aiding in the remote management of the network, the administrator has also decided to configure Security Audit Policies. The administrator has explained, having a well-defined, timely auditing strategy is essential in maintaining a secure environment. The administrator intends to utilize Window’s Advanced Audit Policy Settings to configure the required settings. The Audit strategy proposed by the administrator covers the users, computers and resources within the domain. A summary of the Audit Strategy is as shown below:       

Classifying user account types. Specifying the resources & data in terms of user accessibility. Monitoring administrator user accounts activities. Keeping track off and analysing the computers and applications that are part of the domain. Auditing User Account credential validations. Monitoring how shared content is accessed by tracking source of request and user account used for it. Monitoring Account Management related activities such as attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups.

Task 4: 4.1

Testing the Network Infrastructure

Test Plan No.

1.

Network Infrastructure Feature Addressing – DNS

2.

Addressing – DHCP

3.

User Rights – Logon Rights

4.

User Rights – Shared Resources

5.

User Rights – Group Policy Settings

6.

Security – Remote Access

7.

Security – Audit Logs

Objective

Result

Analysis

Verify network clients are able to access network resources

Replies received from PING messages sent to devices on the network

Verify network clients receive IP Addresses as defined in the DHCP Scopes Verify users with Administrative Rights

Auto-IP addresses assigned to client machines on the network

The DNS configurations are functional and accessible by the various devices on the network The DHCP Server Scopes are active and able to provide IP addressing to devices on the network OU configurations and policies have been linked appropriately NTFS Permissions are the primary source regulating folder rights

Verify user account permissions for shared files and folders Verify password policies and account lockout settings Verify successful remote user access

Verify the successful implementation of the above policies and settings

Users of Administrators Group able to access Server files and folders Only users of designated groups such as the Administrators Group are able to modify and delete shared resources All user accounts are required to change their passwords within 7 Days Remote users were successfully able to logon through secure VPN Audit Logs clearly display successful and unsuccessful attempts made to access network resources.

GPOs are configured accurately and linked to the required OUs SSL features of the VPN server are active and provide the required levels of authentication to the those accessing the network Audit Logging has been configured to cover all the important components of Network Infrastructure Management

35

4.2

Evaluating User and System Assurance

A final step in assuring that the implemented network is able to cater to and manage the requirements of the environment, involves the evaluation of the policies and settings applied. The evaluation as suggested by the administrator should cover both system and user assurance. The administrator has come up with a report to display the evaluation results. Evaluation Report Based on the configurations of the system implemented the administrator puts to test the firewall and SSL settings applied to the Network’s VPN Server and Remote Access features. To ensure system security, the administrator invites members of User Groups, not part of the Remote Access group, to access the network resources from personal computers not connected to the network. The SSL configuration applied to the VPN provides a secured bidirectional transport medium with authentication required at the server end. SSL not only makes it difficult for attackers to penetrate the environment but also offers confidentiality and integrity during an active session.

In addition to evaluating the ease through which attackers could access the resources, the test also covered visibility of resources. Users in the Remote Access group were asked to individually access the network and attempt to access resources not assigned to them. The NTFS Permissions applied to Private and Confidential resources such as the files and folders belonging to the Accounting Group, along with the Group Policies linked to the Remote Access group will not allow users not belonging to the Accounting Group to view, access or modify the data linked to its OU. Remote Access users are only able to view and access network resources that have been linked to the VPN Server, after providing their network credentials.

36

In addition to evaluating system security and accessibility, the administrator has also tested the infrastructure’s policy settings, specifically those related to inheritance. Inherited Permissions is a default characteristic applicable to all Windows Folders and Objects, it is designed to ease the task of managing permissions and ensuring consistency of rules applicable to objects within a given container. However the network’s architecture is such that not all Organizational Units require the Inherited Permissions to be applied to all sub containers. For example the Administrator Group includes 5 members, however as per the requirements of the organization, not all administrators are to have access to certain files and folders. Permission Policies are generally applied to an OU, which in this scenario is the Administrators Group. The general policy for this OU has been set to not allow the users within it to access said files and folders. To grant permission to the appointed Administrator, the user account is configured to not accept the inheritance of permissions applied to parent objects. During the evaluation only said Administrator was able to access and modify the data within the restricted folders ensure that the policies have been applied as per the requirements of the organization. The above report, along with the System Test and Analysis presented earlier offer the organization surety in the efficiency of the newly implemented network infrastructure management system while also providing it with a better understanding of the workings of the features supporting the infrastructure.

Task 5: Assignment review I am very grateful for this opportunity that was presented to me in taking this assignment. Intending to sit for my Microsoft Server 2008 certification, I found this to be a great opportunity to relook at several server services and features that I had forgotten. Though my classroom training provided highly useful hands-on practise sessions, there is only so much that can be covered during study sessions bound by time. Looking up and researching on topics and reading actual documentation for certain procedures was certainly taxing but rewarding at the same time. This assignment provided an opportunity for me to re-visit all that I had learned during my training and apply it to real life scenarios. It also allowed me to brush-up my practical skills by getting involved in hands-on tasks. It further helped me in improving my analytical thinking skills by providing scenarios that required me to question what, which and how. It has also provided an opportunity for me to update myself on server hardware and related technology being used currently. Lastly, I would like to note that while this submission may have weak points I gave it my best try and would like to continue improving myself for future assignments.

References: No. 1 2 3 4 5 6 7 8 9 10 11

Website http://www.wisegeek.org/what-is-network-infrastructure.htm http://compnetworking.about.com/cs/domainnamesystem/g/bldef_dns.htm https://www.novell.com/developer/develop_to_edirectory.html https://dirteam.com/sander/2006/10/08/active-directory-and-edirectory/ https://en.wikipedia.org/wiki/Windows_System_Resource_Manager http://blog.pluralsight.com/windows-server-2008-active-directory-user-groups https://kb.iu.edu/d/adov https://technet.microsoft.com/en-us/library/dd349804%28v=ws.10%29.aspx?f=255&MSPPError=2147217396 http://www.howtogeek.com/99723/how-to-set-up-dhcp-in-server-2008-r2/ http://www.windowsecurity.com/articles-tutorials/windows_os_security/Top5-Security-Settings-GroupPolicy-Windows-Server-2008.html http://searchsecurity.techtarget.com/definition/SSL-VPN

Section Task 1 Task 1 Task 1 Task 1 Task 1 Task 1 Task 2 Task 2 Task 3 Task 3 Task 4

37