INF220x Security Practical Exercises

Overview

This course comes with a virtual lab environment where you can practice what you learn. In most cases, the user ID is Adatum\Administrator and the password is Pa55w.rd, but read the instructions carefully. Remember that in the lab environment you can copy information to the virtual machines by using the Actions > Paste Content window. Before you paste the content, be sure your cursor is where you want the copied data. Also check the hyphens (dashes) in PowerShell code; those characters may not copy correctly.

NOTE: These practical exercises are designed to give you experience as a working system administrator. The lab steps are not written to be prescriptive, because as part of your day-to-day tasks you will need to troubleshoot and test different configurations. No one set of steps will be applicable in all cases; you will need to adjust for your situation. These steps were tested when the course was released. You may find changes to the interface as well as changes in how procedures are implemented.
Implementing Active Directory Rights Management Services

Configure AD RMS prerequisites

In this exercise, you will create a service account for AD RMS, create groups for later use, and create the DNS record for the AD RMS service.

Create the AD RMS service account

1. Sign in to LON-DC1 by using the account Adatum\Administrator with the password Pa55w.rd.
2. Start Active Directory Administrative Center.
3. In the navigation pane, click Adatum (local), and in the content pane, double-click Users.
4. In the tasks pane, in the Users section, click New, and then click User.
5. In the Create User dialog box, provide the following details, and then click OK:
   First name: ADRMSService
   User UPN logon: ADRMSService
   User SamAccountName logon: Adatum\ADRMSService
   Password: Pa55w.rd
   Confirm Password: Pa55w.rd
   Password never expires: Enabled (select the Other password options option first)
   User cannot change password: Enabled

Create groups for AD RMS

1. In the tasks pane, in the Users section, click New, and then click Group.
2. In the Create Group dialog box, type the following details, and then click OK:
   Group name: ADRMS_SuperUsers
   E-mail: ADRMS_SuperUsers@adatum.com
3. In the tasks pane, in the Users section, click New, and then click Group.
4. In the Create Group dialog box, type the following details, and then click OK:
   Group name: Management
   E-mail: management@adatum.com
5. In the navigation pane, click Adatum (local), and then in the content pane, double-click Managers.
6. Ctrl+click the following users:
   Abigail Rees
   Adam Hobbs
7. In the Tasks pane, click Add to group.
8. In the Select Groups dialog box, type Management, and then click OK.
9. In the content pane, double-click Abigail Rees.
10. In the Abigail Rees window, in the E-mail box, type abigail@adatum.com.
11. Close the Active Directory Administrative Center.

Create DNS host record for the AD RMS service

1. Start DNS Manager.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Host (A or AAAA).
4. In the New Host window, in the Name box, type adrms.
5. In the IP address box, type 172.16.0.21, and then click Add Host.
6. In the DNS window, click OK.
7. Click Done.
8. Close DNS Manager.
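The same prerequisites can be created from an administrative Windows PowerShell window on LON-DC1. The following script is an added example and is not part of the course labs; it uses the lab's own names, addresses and password, and assumes the Users container of the Adatum.com domain (CN=Users,DC=Adatum,DC=com) as the target, matching the Users folder used in the steps, with the ADAC default group scope (Global, Security).

```powershell
# Added example (not part of the course labs): the objects the GUI steps create,
# built with the ActiveDirectory and DnsServer modules on LON-DC1.
# Assumption: the Users container is CN=Users,DC=Adatum,DC=com.
Import-Module ActiveDirectory
Import-Module DnsServer

$usersContainer = 'CN=Users,DC=Adatum,DC=com'
$password = ConvertTo-SecureString 'Pa55w.rd' -AsPlainText -Force

# Service account with the two password options set in step 5 of the lab:
# the password never expires and the account itself cannot change it.
New-ADUser -Name 'ADRMSService' -SamAccountName 'ADRMSService' `
    -UserPrincipalName 'ADRMSService@adatum.com' -AccountPassword $password `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Path $usersContainer

# Both groups carry an e-mail address: AD RMS later identifies the Super Users
# group by that address, and templates grant rights to management@adatum.com.
$groups = [ordered]@{
    'ADRMS_SuperUsers' = 'ADRMS_SuperUsers@adatum.com'
    'Management'       = 'management@adatum.com'
}
foreach ($g in $groups.GetEnumerator()) {
    New-ADGroup -Name $g.Key -SamAccountName $g.Key -GroupScope Global `
        -GroupCategory Security -Path $usersContainer `
        -OtherAttributes @{ mail = $g.Value }
}

# Add the two managers to Management and give Abigail her e-mail address.
$managers = Get-ADUser -Filter "Name -eq 'Abigail Rees' -or Name -eq 'Adam Hobbs'"
Add-ADGroupMember -Identity 'Management' -Members $managers
Get-ADUser -Filter "Name -eq 'Abigail Rees'" |
    Set-ADUser -EmailAddress 'abigail@adatum.com'

# Host record that the AD RMS cluster address (adrms.adatum.com) resolves to.
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'adrms' -IPv4Address '172.16.0.21'
```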
Install AD RMS

In this exercise, you will install and configure the AD RMS role service.

Note: In this exercise, you configure AD RMS to use unencrypted HTTP and enable anonymous authentication. This should not be done in a production environment.

Install the AD RMS role service

1. Sign in to LON-SVR1 by using the account Adatum\Administrator with the password Pa55w.rd.
2. Start an administrative Windows PowerShell window.
3. In Windows PowerShell, run the following command:
   Install-WindowsFeature ADRMS-Server -IncludeManagementTools

Configure the AD RMS role service

1. Start Server Manager.
2. In Server Manager, click the Notifications icon, and then click Perform additional configuration.
3. In the AD RMS configuration wizard, on the AD RMS page, click Next.
4. On the AD RMS Cluster page, ensure that Create a new AD RMS root cluster is selected, and then click Next.
5. On the Configuration Database page, click Use Windows Internal Database on this server, and then click Next.
6. On the Service Account page, click Specify.
7. In the Windows Security dialog box, type the following details, click OK, and then click Next:
   User name: ADRMSService
   Password: Pa55w.rd
8. On the Cryptographic Mode page, ensure that Cryptographic Mode 2 is selected, and then click Next.
9. On the Cluster Key Storage page, ensure that Use AD RMS centrally managed key storage is selected, and then click Next.
10. On the Cluster Key Password page, in both password boxes, type Pa55w.rd, and then click Next.
11. On the Cluster Web Site page, ensure that Default Web Site is selected, and then click Next.
12. On the Cluster Address page, provide the following information, and then click Next:
    Connection Type: Use an unencrypted connection (http://)
    Fully Qualified Domain Name: adrms.adatum.com
    Port: 80
13. On the Licensor Certificate page, type Adatum RMS, and then click Next.
14. On the SCP Registration page, ensure that Register the SCP now is selected, and then click Next.
15. On the Confirmation page, click Install.
16. When installation finishes, click Close.
17. Open Internet Information Services (IIS) Manager.
18. In the Internet Information Services (IIS) Manager console, expand LON-SVR1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click _wmcs.
19. In the content pane, in the IIS section, double-click Authentication, click Anonymous Authentication, and then, in the Actions pane, click Enable.
20. In the Connections pane, expand _wmcs, and then click licensing.
21. In the content pane, in the IIS section, double-click Authentication, click Anonymous Authentication, and then, in the Actions pane, click Enable.
22. Close the Internet Information Services (IIS) Manager console.
23. Sign out.
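The note for this exercise flags the unencrypted cluster address and the anonymous authentication on _wmcs as lab-only settings. The following script is an added example, not part of the course labs; run on LON-SVR1 after the wizard and the IIS steps complete, it reports both settings so they can be verified before the server is reused outside the lab. It assumes the WebAdministration module (installed with IIS) and the site and application names used in the steps.

```powershell
# Added example (not part of the course labs): audit the two lab shortcuts on
# the AD RMS cluster web site. Assumes the site and applications named in the
# lab steps: "Default Web Site", "_wmcs" and "_wmcs/licensing".
Import-Module WebAdministration

function Get-AdRmsWebFindings {
    param(
        [string]$SiteName = 'Default Web Site',
        [string[]]$Apps = @('_wmcs', '_wmcs/licensing')
    )
    $findings = @()

    # "Use an unencrypted connection (http://)" in the wizard leaves the cluster
    # site with only an http binding; look for the absence of an https binding.
    $bindings = Get-WebBinding -Name $SiteName
    if (-not ($bindings | Where-Object { $_.protocol -eq 'https' })) {
        $findings += [pscustomobject]@{
            Check    = 'ClusterTransport'
            Location = ($bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
            Result   = 'No https binding; certificates and licenses are exchanged in clear text'
        }
    }

    # Steps 18-21 enable anonymous authentication on _wmcs and _wmcs/licensing;
    # read the effective setting for each location tag.
    foreach ($app in $Apps) {
        $anon = Get-WebConfigurationProperty `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name enabled -PSPath 'IIS:\' -Location "$SiteName/$app"
        if ($anon.Value) {
            $findings += [pscustomobject]@{
                Check    = 'AnonymousAuthentication'
                Location = "$SiteName/$app"
                Result   = 'Enabled; clients reach the AD RMS service without being authenticated'
            }
        }
    }
    return $findings
}

$results = Get-AdRmsWebFindings
if ($results) { $results | Format-Table -AutoSize } else { 'No findings.' }
```

In the lab state this reports one transport finding and two anonymous-authentication findings; an empty result means both shortcuts have been reverted.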
Configure AD RMS

In this exercise, you will configure rights protection using AD RMS rights policy templates and their distribution. You will also configure the Super Users group for disaster recovery scenarios, and an exclusion policy to prevent an application from using AD RMS.

Configure AD RMS templates

1. Sign in to LON-SVR1 by using the account Adatum\Administrator with the password Pa55w.rd.
2. Open Active Directory Rights Management Services.
3. In the AD RMS console, expand the lon-svr1 (Local) node, and then click the Rights Policy Templates node.
4. In the Actions pane, click Create Distributed Rights Policy Template.
5. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification information page, click Add.
6. On the Add New Template Identification Information page, provide the following information, click Add, and then click Next:
   Language: English (United States)
   Name: ManagementReadOnly
   Description: Management read access only. No copy or print.
7. On the Add User Rights page, click Add.
8. On the Add User or Group page, type management@adatum.com, and then click OK.
9. When management@adatum.com is selected, under Rights for management@adatum.com, click View. Ensure that Grant owner (author) full control right with no expiration is selected, and then click Next.
10. On the Specify Expiration Policy page, select the following settings, and then click Next:
    Content Expiration: Expires after the following duration (days): 7
    Use license expiration: Expires after the following duration (days): 7
11. On the Specify Extended Policy page, click Require a new use license every time content is consumed (disable client-side caching), and then click Next.
12. On the Specify Revocation Policy page, click Finish.

Configure distribution of rights policy templates

1. On LON-SVR1, open Windows PowerShell.
2. At the Windows PowerShell command prompt, execute the following four commands:
   New-Item c:\rms -ItemType Directory
   New-SmbShare -Name RMS -Path c:\rms -FullAccess ADATUM\ADRMSService
   New-Item c:\documents -ItemType Directory
   New-SmbShare -Name Documents -Path c:\documents -FullAccess Everyone
3. Close Windows PowerShell.
4. In the AD RMS console, in the navigation pane, click the Rights Policy Templates node, and then, in the Distributed Rights Policy Template Information area, click Change distributed rights policy templates file location.
5. In the Rights Policy Templates dialog box, click Enable export.
6. In the Specify templates file location (UNC) box, type \\LON-SVR1\RMS, and then click OK.
7. Open File Explorer.
8. Navigate to the C:\RMS folder, and verify that ManagementReadOnly.xml is present.
9. Close the File Explorer window.

Configure AD RMS Super Users group

1. In the AD RMS console, in the navigation pane, click Security Policies.
2. In the Security Policies area, in the Super Users section, click Change super user settings.
3. In the Actions pane, click Enable Super Users.
4. In the Super Users area, click Change super user group.
5. In the Super Users dialog box, in the Super user group box, type ADRMS_SuperUsers@adatum.com, and then click OK.

Configure exclusion policies

1. In the AD RMS console, in the navigation pane, expand the Exclusion Policies node, and then click Applications.
2. In the Actions pane, click Enable Application Exclusion.
3. In the Actions pane, click Exclude Application.
4. In the Exclude Application dialog box, type the following information, and then click Finish:
   Application File name: Powerpnt.exe
   Minimum version: 14.0.0.0
   Maximum version: 17.0.0.0
5. Close the AD RMS console.
Protect content using AD RMS

In this exercise, you will protect content with the ManagementReadOnly template using Microsoft Word.

Protect content using Microsoft Word

1. Sign in to LON-CL1 by using the account Adatum\Administrator with the password Pa55w.rd.
2. Open Internet Explorer.
3. In Internet Explorer, click the Gear icon, and then click Internet Options.
4. In the Internet Properties window, click the Security tab.
5. On the Security tab, click Local intranet, and then click Sites.
6. In the Local intranet window, click Advanced.
7. In the Local intranet window, in the Add this website to the zone box, type http://adrms.adatum.com, and then click Add.
8. Click Close.
9. Click OK twice.
10. Close Internet Explorer.
11. Sign out.
12. Sign in to LON-CL1 by using the account Adatum\Adam with the password Pa55w.rd.
13. Open Word 2016.
14. If the Microsoft Office Activation Wizard appears, click Close. If the First things first window appears, click Ask me later, and then click Accept. If the Welcome to your new Office window appears, close it.
15. In Microsoft Word 2016, click Blank document.
16. In the Word document, type the following text: This information is for management only, and it should not be modified. Click File, click Protect Document, click Restrict Access, and then click Connect to Rights Management Servers and get templates.
17. In the Windows Security dialog box, sign in as Adatum\Adam with the password Pa55w.rd.
18. Click Protect Document, click Restrict Access, and then click ManagementReadOnly.
19. Click Save, and then click Browse.
20. In the Save As dialog box, save the document in the \\lon-svr1\documents share with the name Management Only.docx.
21. Close Word 2016.
22. Sign out.