Install & Secure Windows Server 2016 Domain Controller.pdf

Installation and Configuration of a
Windows Server 2016 Domain Controller
MOREnet Annual Conference
October 2017
Presented By:
Stephanie Hanson
hansonsj@more.net
&
Jim Long
long@more.net
Missouri Research and Education Network
University of Missouri System
221 N. Stadium Blvd., Ste. 201
Columbia, MO 65203
P: (573) 884-7200
F: (573) 884-6673
www.MORE.net
Contents
CONTENTS
INTRODUCTION
SECTION I: INSTALLING WINDOWS 2016 SERVER SOFTWARE
MUST-READ LINKS!
BEST PRACTICES
SECTION II: WINDOWS SERVER 2016 INITIALIZATION
SECTION III: WELCOME TO SERVER MANAGER
NAVIGATING SERVER MANAGER
Server Manager Console Header
The Notifications Area
Manage
Tools
View
Help
MANDATORY CONFIGURATIONS
Set the Time Zone
Setup the Network Card(s)
Change the Computer Name
Windows Update
Enable Remote Desktop
SECTION IV: BUILDING A DOMAIN CONTROLLER
DEFINITIONS
MUST-READ LINKS!
INSTALLING ACTIVE DIRECTORY DOMAIN SERVICES
The Wizard
PROMOTING YOUR SERVER TO A DOMAIN CONTROLLER
Naming Considerations for Your Domain
The Wizard
SECTION V: CUSTOMIZING YOUR DOMAIN CONTROLLER
MUST-READ LINKS!
ADMINISTRATOR ACCOUNTS
Create a New Administrator Account
Add Your New Administrator Account to the Built-In Administrators Security Group
Secure the Built-in Administrator Account
ADDRESSING ERRORS
Troubleshooting Tools
DNS SERVER CONFIGURATION
Definitions
Must-Read Links!
Navigating DNS Server Properties
Interfaces Tab
Forwarders Tab
Advanced Tab
Root Hints Tab
Debug Logging Tab
Event Logging Tab
Monitoring Tab
Security Tab
Navigating Forward Lookup Zones
General Tab
Start of Authority Tab
Name Servers Tab
WINS Tab
Zone Transfers Tab
Security Tab
Creating Reverse Lookup Zones
The Wizard
Creating Conditional Forwarders
SECTION VI: SECURITY POLICIES FOR WINDOWS SERVER 2016
MUST-READ LINKS!
GROUP POLICY MANAGEMENT
PASSWORD POLICIES
AUDIT POLICY CONFIGURATION
USER RIGHTS ASSIGNMENT
SECURITY OPTIONS
EVENT LOG POLICIES
RESTRICTED GROUPS
Create a New Security Group to Manage Workstations & Member Servers
Add Administrative Users to the New Security Group
Create Your Local Administrator Group Policy
SYSTEM SERVICES
System Services Example Configuration
REGISTRY POLICIES
FILE SYSTEM PERMISSIONS
WIRELESS NETWORK POLICIES
SECTION VII: HOSTS FILE GPO
MUST READ LINKS!
CREATE A SHARE
The Wizard
DOWNLOAD THE CURRENT MVP HOSTS FILE
CREATE THE GPO
Disable the DNS Client Services
Deploy the Hosts File GPO with Group Policy Preferences
TEST, TEST, TEST!!
Introduction
This document is intended as a step-by-step guide for installing a Domain Controller and configuring its
basic security settings.
We will walk through basic settings and configurations, giving you a starting point to create and maintain a
secure Windows 2016 Domain Controller. We advise using this guide in addition to other available
guides, supplementing this information with strategies outlined on the Microsoft Security site as well as by
SANS, NSA and NIST. This will improve the security of your domain.
Do not consider your domain, or the computers in your domain, immune to hacking, viruses or worms
because you set certain policies discussed in this guide. You must also keep current service packs,
updates, hot-fixes and security patches applied to all systems on your network: not merely servers, but
also workstations and any other network devices.
Following Microsoft best practices for security will reduce the chances of security breaches, but maintaining
good practices, end-user communication, and thorough documentation for your own environment is an
absolute necessity!
We hope you enjoy this document!
Section I: Installing Windows 2016 Server Software
MUST-READ LINKS!
Windows Server 2016
https://docs.microsoft.com/en-us/windows-server/windows-server-2016
System Requirements for Windows 2016 Server
https://docs.microsoft.com/en-us/windows-server/get-started/system-requirements
Important Issues in Windows Server 2016
https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-2016-ga-release-notes
BEST PRACTICES
Never install a new system on the public network.
Start system in a development environment then move system to your production network.
Patch system immediately after installation.
Apply all security settings to system.
Configure Host Based Firewall.
Install and update Anti-Virus software.
Verify all settings.
When upgrading or reloading a system, perform a full backup prior to installation.