INF220x Security Practical Exercises

Overview

This course comes with a virtual lab environment where you can practice what you learn. In most cases, the userid is Adatum\Administrator and the password is Pa55w.rd, but read the instructions carefully.

Remember that in the lab environment you can copy information to the virtual machines by using the Actions > Paste Content window. Before you paste the content, be sure your cursor is where you want the copied data. Also, be sure to check the hyphens (dashes) in PowerShell code; those characters may not copy correctly.

NOTE: These practical exercises are designed to give you experience as a working System Administrator. The lab steps are not written to be prescriptive, because as part of your day-to-day tasks you will need to troubleshoot and test different configurations. No one set of steps will be applicable in all cases; you will need to adjust for your situation. These steps were tested when the course was released. You may find changes to the interface as well as changes in how procedures are implemented.

3 Configure Privileged Access Management

This is a very important lab for understanding how PAM and MIM work together. Review the tasks that are completed in the different forests on the different servers.

Production Forest

MEL-DC1 (Domain Controller)
- Delegate control to the bastion forest
- Create a new AD Group (ProdAdmins)
- Add a new user (Chuck) to ProdAdmins
- Holds the privileged PAM Objects

MEL-SVR1 (PAM Client)
- Install the PAM client
- Log in to SYD-MIM and request privileges

Bastion Forest

SYD-MIM (MIM Server)
- Has MIM installed
- Create the PAM trust
- Create the PAM domain configuration
- Create a privileged user (Chuck)
- Create a privileged group (ProdAdmins)
- Create a privileged role (ProdAdmins)
- Hosts the MIM Portal

SYD-DC1 (Domain Controller)
- Holds the privileged PAM Objects

Configure PAM trust and shadow principals

In this exercise, you will configure a PAM trust between the production and bastion forests, create the privileged accounts in the production forest, and finally create the shadow principals in the bastion forest.

Create PAM trust

1. Sign in to SYD-MIM by using the account Adatumadmin\MIMAdmin with the password Pa$$w0rd.
2. Open a Windows PowerShell window.
3. In the Windows PowerShell window, execute the following command:

    $cred = Get-Credential -UserName Adatum\Administrator -Message "Production forest Administrator credentials"

4. At the prompt, sign in by using Pa$$w0rd as the password, and then click OK.
5. In the Windows PowerShell window, execute the following commands:

    New-PAMTrust -SourceForest "adatum.com" -Credentials $cred
    New-PAMDomainConfiguration -SourceDomain "adatum" -Credentials $cred
    Test-PAMTrust -SourceForest "adatum.com" -CorpCredentials $cred
    Test-PAMDomainConfiguration -SourceDomain "adatum" -Credentials $cred

6. Sign in to MEL-DC1 by using the account Adatum\Administrator with the password Pa$$w0rd.
7. Open Active Directory Users and Computers.
8. In Active Directory Users and Computers, right-click Adatum.com, and then click Delegate Control.
9. On the Welcome to the Delegation of Control Wizard page of the Delegation of Control Wizard, click Next.
10. On the Users or Groups page, click Add.
11. On the Select Users, Computers, or Groups page, click Locations.
12. In the Locations dialog box, click ADATUMADMIN.COM, and then click OK.
13. In the Select Users, Computers, or Groups dialog box, type Domain Admins, and then click Check Names.
14. In the Enter Network Credentials dialog box, provide the following credentials, and then click OK:
    Username: adatumadmin\administrator
    Password: Pa$$w0rd
15. In the Select Users, Computers, or Groups dialog box, after Domain Admins, type Mimmonitor, click Check Names, and then click OK.
16. On the Users or Groups page, click Next.
17. On the Tasks to Delegate page, select Read All User Information, click Next, and then click Finish.

Create privileged accounts and shadow principals

1. Open Windows PowerShell.
2. In the Windows PowerShell window, execute the following commands:

    New-ADGroup -Name ProdAdmins -GroupCategory Security -GroupScope Global -SamAccountName ProdAdmins
    New-ADUser -SamAccountName Chuck -Name Chuck
    $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
    Set-ADAccountPassword -Identity Chuck -NewPassword $Pwd
    Set-ADUser -Identity Chuck -Enabled 1 -DisplayName "Chuck"

3. Switch to SYD-MIM.
4. In the Windows PowerShell window, execute the following commands:

    $PrivUser = New-PAMUser -SourceDomain adatum.com -SourceAccountName Chuck
    $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
    Set-ADAccountPassword -Identity priv.chuck -NewPassword $Pwd
    Set-ADUser -Identity priv.chuck -Enabled 1
    $cred = Get-Credential -UserName Adatum\Administrator -Message "Production forest Administrator credentials"

5. In the dialog box, sign in by using Pa$$w0rd as the password, and then click OK.
6. In the Windows PowerShell window, execute the following commands:

    $PamGroup = New-PAMGroup -SourceGroupName "ProdAdmins" -SourceDomain adatum.com -SourceDC mel-dc1.adatum.com -Credentials $cred
    $PamRole = New-PAMRole -DisplayName "ProdAdmins" -Privileges $PamGroup -Candidates $PrivUser

7. Sign in to SYD-DC1 by using the account Adatumadmin\Administrator with the password Pa$$w0rd.
8. Open Active Directory Users and Computers.
9. In Active Directory Users and Computers, expand Adatumadmin.com, and then click PAM Objects.
10. Verify that the shadow principals Adatum.ProdAdmins group and PRIV.Chuck user are present.
11. Open Windows PowerShell.
12. In the Windows PowerShell window, execute the following commands:

    Get-ADGroup -Identity Adatum.ProdAdmins -Properties SIDHistory
    Get-ADGroup -Server mel-dc1.adatum.com -Identity ProdAdmins

13. Verify that the SID History value of the Adatum.ProdAdmins group and the SID value of the ProdAdmins group are the same.
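The SID History check in step 13 is what makes the bastion-forest shadow group usable in the production forest, so it is worth checking for every shadow group rather than one at a time. The following script is an added example and is not part of the lab manual; it assumes the ActiveDirectory module is available on SYD-DC1 or SYD-MIM, that the shadow groups live in the PAM Objects container shown in Active Directory Users and Computers (DN assumed below), and that their names follow the <SourceDomain>.<SourceGroup> pattern seen in the lab (Adatum.ProdAdmins).

```powershell
# Added example (not from the lab manual): audit every PAM shadow group in the bastion
# forest. For each group in the PAM Objects container, compare its SIDHistory with the SID
# of the matching group in the production forest, and list who currently holds membership
# (each member of a shadow group is an active privileged-access grant).
Import-Module ActiveDirectory

# Assumed DN of the "PAM Objects" container shown in ADUC on SYD-DC1.
$ShadowContainer = "CN=PAM Objects,DC=adatumadmin,DC=com"
# Production forest domain controller used throughout the lab.
$SourceDC = "mel-dc1.adatum.com"

function Test-PamShadowGroup {
    param(
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADGroup] $ShadowGroup
    )
    # Shadow group names are "<SourceDomain>.<SourceGroup>"; the source group is after the first dot.
    $sourceName = $ShadowGroup.Name.Substring($ShadowGroup.Name.IndexOf('.') + 1)

    # Look up the real group in the production forest (may be absent if it was deleted there).
    $sourceGroup = Get-ADGroup -Server $SourceDC -Identity $sourceName -ErrorAction SilentlyContinue

    # SIDHistory is a collection of SecurityIdentifier objects; keep the SDDL strings.
    $sidHistory = @($ShadowGroup.SIDHistory | ForEach-Object { $_.Value })

    [pscustomobject]@{
        ShadowGroup   = $ShadowGroup.Name
        SourceGroup   = $sourceName
        SourceSid     = if ($sourceGroup) { $sourceGroup.SID.Value } else { '<not found>' }
        SidHistory    = $sidHistory -join ';'
        # The mapping is intact only when the production group's SID is in the shadow group's SIDHistory.
        MappingOk     = [bool]($sourceGroup -and ($sidHistory -contains $sourceGroup.SID.Value))
        # Members of the shadow group are the accounts whose PAM request is currently active.
        ActiveMembers = ($ShadowGroup.member | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    }
}

# Pull SIDHistory and member explicitly; Get-ADGroup does not return them by default.
Get-ADGroup -SearchBase $ShadowContainer -Filter * -Properties SIDHistory, member |
    ForEach-Object { Test-PamShadowGroup -ShadowGroup $_ } |
    Format-Table -AutoSize
```

A row with MappingOk set to False means the shadow group no longer maps to a production group, and any ActiveMembers entry outside a known PAM request is worth investigating.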

Request Privileged Access

In this exercise, you install the PAM client on a server in the production forest, and let the PAM user request and use privileged access on the server.

Install PAM client

1. Sign in to MEL-SVR1 by using the account Adatum\Administrator with the password Pa$$w0rd.
2. Open File Explorer and navigate to the D: drive.
3. If Internet Explorer does not open, double-click FIMSplash.htm.
4. In the Internet Explorer dialog box, click Yes.
5. On the Microsoft Identity Manager page, click Install Add-ins and Extensions, 64-bit.
6. In the Do you want to run or save setup.exe? dialog box, click Run.
7. On the Welcome to the Microsoft Identity Manager Add-ins and Extensions Setup Wizard page, click Next.
8. On the End-User License Agreement page, click I accept the terms in the License Agreement, and then click Next.
9. On the MIM Customer Experience Improvement Program page, ensure that I don't want to join the program at this time is selected, and then click Next.
10. On the Custom Setup page, click MIM Add-in for Outlook, and then click Entire feature will be unavailable.
11. On the Custom Setup page, click MIM Password and Authentication, and then click Entire feature will be unavailable.
12. On the Custom Setup page, click PAM Client, then click Entire feature will be installed on local hard drive, and then click Next.
13. On the Configure MIM PAM Service Address page, configure the following settings, and then click Next:
    PAM Server Address: syd-mim.adatumadmin.com
    Port: 5725
14. Click Install, and when the installation finishes, click Finish.
15. Open Computer Management.
16. In the Computer Management console, expand Local Users and Groups, click Groups, and then double-click the Administrators group.
17. In the Administrators Properties dialog box, click Add.
18. In the Select Users, Computers, Service Accounts, or Groups dialog box, type adatumadmin\adatum.prodadmins and click Check Names.
19. In the Windows Security dialog box, enter the credentials adatumadmin\administrator and the password Pa$$w0rd.
20. Click OK three times.
21. Restart MEL-SVR1.

Request privileged access

1. Sign in to MEL-SVR1 by using the account Adatum\Chuck with the password Pa$$w0rd.
2. Open Windows PowerShell.
3. In the Windows PowerShell window, execute the following command:

    whoami /groups

4. Verify that Chuck is not a member of the ProdAdmins group.
5. In the Windows PowerShell window, execute the following command:

    Install-WindowsFeature WINS

6. Review the error message that informs you that you do not have adequate user rights to make changes to the target computer.
7. Sign out.
8. Sign in to MEL-SVR1 by using the account Adatumadmin\priv.Chuck with the password Pa$$w0rd.
9. In the Windows PowerShell window, execute the following command:

    whoami /groups

10. Verify that Chuck is not a member of the ProdAdmins group.
11. In the Windows PowerShell window, execute the following command:

    Install-WindowsFeature WINS

12. Review the error message that informs you that you do not have adequate user rights to make changes to the target computer.
13. In the Windows PowerShell window, execute the following command. If you receive a permission error, open PowerShell again without elevated access.

    Get-PAMRoleForRequest

14. This shows the available PAM roles to which priv.chuck can request access.
15. In the Windows PowerShell window, execute the following command:

    New-PAMRequest -RoleDisplayName ProdAdmins

16. Sign out.
17. Sign in to MEL-SVR1 by using the account Adatumadmin\priv.Chuck with the password Pa$$w0rd.
18. Open Windows PowerShell as an administrator.
19. In the Windows PowerShell window, execute the following command:

    whoami /groups

20. Verify that Chuck is now a member of the ProdAdmins group.
21. In the Windows PowerShell window, execute the following command. If you receive an error, open an elevated PowerShell prompt.

    Install-WindowsFeature WINS

22. Verify that the WINS feature installs correctly.

Manage PAM

In this exercise, you will create an additional PAM user, modify a PAM role, and view PAM requests.

Create a new user

1. Switch to MEL-DC1.
2. In the Windows PowerShell window, execute the following commands:

    New-ADUser -SamAccountName Melvin -Name Melvin
    $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
    Set-ADAccountPassword -Identity Melvin -NewPassword $Pwd
    Set-ADUser -Identity Melvin -Enabled 1 -DisplayName "Melvin"

Create a new PAM user

1. Switch to SYD-MIM.
2. In the Windows PowerShell window, execute the following commands:

    $PrivUser = New-PAMUser -SourceDomain adatum.com -SourceAccountName Melvin
    $Pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
    Set-ADAccountPassword -Identity priv.melvin -NewPassword $Pwd
    Set-ADUser -Identity priv.melvin -Enabled 1

Modify PAM role

1. On SYD-MIM, open Internet Explorer, and browse to http://sydmim.adatumadmin.com:82/identitymanagement/default.aspx.
2. If prompted, sign in as ADATUMADMIN\Mimadmin by using Pa$$w0rd as the password.
3. In the Microsoft Identity Manager console, in the navigation pane, under Privileged Access Management, click PAM Roles.
4. On the Privileged Access Management Roles page, click ProdAdmins.
5. In the ProdAdmins dialog box, on the General tab, modify the PAM Role TTL(sec) to 600, click OK, and then click Submit.
6. In the list of Privileged Access Management roles, click ProdAdmins.
7. In the ProdAdmins dialog box, click the Candidates tab.
8. On the Candidates tab, click the Browse icon.
9. In the Select Users dialog box, click the magnifying glass icon next to Search. Chuck and Adatum.Chuck should already be selected. Select ADATUM.Melvin and Melvin, and then click OK twice.
10. Verify the changes listed, and then click Submit to close the ProdAdmins dialog box.

View PAM requests

1. On the Microsoft Identity Manager page, in the navigation pane, under Privileged Access Management, click PAM Requests.
2. Click PRIV.Chuck and review the details of when the request was made, when the request expires, and the role requested.