Active Directory Scenario

Hello dear readers. In this post, I would like to implement the following scenario in Microsoft Active Directory.
Scenario: I am building a small domain for the Small Book Company, a small bookstore that wishes to have an Active Directory management system to tie together the six computers used as point-of-sale and inventory look-up, research, and entry as well as the dozen or so employees. My job is to set up the domain server, and then create the necessary groups to facilitate this system. The company information is listed below. Deliverables are detailed at the end.

Small Book Company

Employees: 12

Jobs–These are basically generic user roles:

  • Sales Staff—Will use the system to complete sales (requires read access) and look up resources (read access).
  • Managers—Enter inventory (write access), look up resources (read), sales (read), reports (read), and update inventory (modify access).
  • Administrator—Full control of systems for management and administration.

Systems:

  • POS: 6 Point-of-Sale systems (POS) used to make sales and lookup inventory
  • Management PC: Management PC is used to enter and modify inventory
  • Active Directory Server: Used for management
  • Book Database (inventory) System—Retains the inventory of books and sales; runs on a separate server.
  • File Share: Used to share documents with staff.

Domain Name: SmallBookCompany.com

Policies:

  • Must have a password policy on computer resources
  • Must have Windows Firewall enabled on all computer resources
  • The Administrator for the system must be able to edit policies

Additional:

  • Must implement a backup plan

Let us start!

For the lab, I implemented AGDLP (Account, Global group, Domain Local group, Permission): accounts go into global groups, global groups are nested into domain local groups, and permissions are granted only to the domain local groups. I created the domain SmallBooksCompany.com. In the domain, I created three organizational units: Sales, Managers, and BookFacility. The Sales organizational unit contains the global security group Sales and the domain local group Sales Resources. The Managers organizational unit contains the global security group Managers and the domain local group Managers Resources. BookFacility contains the domain local group Servers.

First, as illustrated above, I created the Active Directory server used for management and a Book Database server used to retain the inventory of books and sales. I created the domain local security group Servers, which contains the Active Directory server, the Book Database server, and the built-in Administrator.

Above is an overview of the Sales OU. I created the six POS computer accounts and one global security group, Sales, with the users shown above. The users go into the global group; resources and permissions are assigned to the domain local group.

Next, I created the Managers PC, the Managers global group, and the Managers Resources domain local group. I created six managers, which is far more than a dozen-employee shop needs; a real-world implementation would not look like this.
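As an added example (not the author's script; the lab above was built through the GUI), here is the same OU and AGDLP group layout created with the ActiveDirectory PowerShell module on the domain controller. It assumes the domain SmallBooksCompany.com already exists and that it runs as a domain admin; the computer names, user names and the initial password are placeholders I chose, not values from the post.

```powershell
# Added example, not the author's: builds the post's OU and AGDLP group layout.
# Assumes: run on the DC as a domain admin, domain SmallBooksCompany.com exists.
# Computer/user names and the password placeholder are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # DC=SmallBooksCompany,DC=com

# 1. Organizational units: Sales, Managers, BookFacility
foreach ($ou in 'Sales', 'Managers', 'BookFacility') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Groups: accounts go into Global groups, permissions go onto Domain Local groups.
#    SamAccountName is set to the display name, exactly as the ADUC wizard does.
$groups = @(
    @{ Name = 'Sales';              Scope = 'Global';      OU = 'Sales' },
    @{ Name = 'Sales Resources';    Scope = 'DomainLocal'; OU = 'Sales' },
    @{ Name = 'Managers';           Scope = 'Global';      OU = 'Managers' },
    @{ Name = 'Managers Resources'; Scope = 'DomainLocal'; OU = 'Managers' },
    @{ Name = 'Servers';            Scope = 'DomainLocal'; OU = 'BookFacility' }
)
foreach ($g in $groups) {
    New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupScope $g.Scope `
        -GroupCategory Security -Path "OU=$($g.OU),$domainDN"
}

# 3. Computer accounts (names assumed): six POS machines, the management PC, the DB server
1..6 | ForEach-Object { New-ADComputer -Name "POS$_" -Path "OU=Sales,$domainDN" }
New-ADComputer -Name 'MGMT-PC' -Path "OU=Managers,$domainDN"
New-ADComputer -Name 'BOOKDB'  -Path "OU=BookFacility,$domainDN"

# 4. User accounts (names assumed); the initial password is a placeholder, changed at first logon
$initial = ConvertTo-SecureString 'CHANGE-ME-PLACEHOLDER' -AsPlainText -Force
foreach ($n in 1..6) {
    New-ADUser -Name "Sales User $n" -SamAccountName "sales$n" -Path "OU=Sales,$domainDN" `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity 'Sales' -Members "sales$n"

    New-ADUser -Name "Manager $n" -SamAccountName "manager$n" -Path "OU=Managers,$domainDN" `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity 'Managers' -Members "manager$n"
}

# 5. Nesting: Global group -> Domain Local group (the G-into-DL step of AGDLP).
#    Share and NTFS ACLs later name only the Domain Local groups.
Add-ADGroupMember -Identity 'Sales Resources'    -Members 'Sales'
Add-ADGroupMember -Identity 'Managers Resources' -Members 'Managers'
# Servers DL group: this DC, the database server, and the built-in Administrator
Add-ADGroupMember -Identity 'Servers' -Members ($env:COMPUTERNAME + '$'), 'BOOKDB$', 'Administrator'

# 6. Verification: who actually ends up with Sales resource access through the nesting?
function Get-EffectiveMembers([string]$GroupName) {
    Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty SamAccountName
}
Get-EffectiveMembers 'Sales Resources'   # sales1 .. sales6, reached via the Sales global group
```

The point of the last function is the one AGDLP check worth repeating after every change: `Get-ADGroupMember -Recursive` on a domain local group shows the accounts that will actually pass an ACL naming that group, which is what a permission review needs to see.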

The screenshot above shows the password policy in effect. I edited the Default Domain Policy, so the settings are linked at the domain level and apply across SmallBooksCompany.com.

I configured the firewall rules in the same policy. For the Public profile, both inbound and outbound connections are blocked by default, because we do not want unattended online activity on these machines.

In the Default Domain Policy, under the Delegation tab, I added Administrator with the privileges illustrated above. Again, changes made in the Default Domain Policy affect the entire domain.

To harden the domain controller, I disabled the Guest account so that no one can log in as a guest.

Above, I changed the audit settings so that attempts to change policies and other security events are logged.
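The five policy steps above (password policy, firewall, delegation, Guest account, auditing) as one PowerShell script, added here as an example and not taken from the post. It assumes the ActiveDirectory and GroupPolicy modules on the DC and a domain admin session; the password-policy numbers are assumptions, since the real ones are in the screenshot, and the firewall settings use the registry policy keys that the Group Policy editor writes for Windows Defender Firewall profiles.

```powershell
# Added example, not the author's: the post's policy steps as PowerShell on the DC.
# Assumes: ActiveDirectory + GroupPolicy modules, run as a domain admin.
Import-Module ActiveDirectory, GroupPolicy

$gpo    = 'Default Domain Policy'
$domain = (Get-ADDomain).DNSRoot

# 1. Password and lockout policy (numbers are assumptions, not the post's values).
#    The Default Domain Policy GPO re-applies its own password settings on refresh,
#    so keep the GPO (edited in the post) in agreement with what is set here.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# 2. Windows Firewall through the GPO: enabled on every profile; the Public profile
#    blocks inbound and outbound by default (DWORD 1 = block, 0 = allow).
$fwKey = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($profile in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    Set-GPRegistryValue -Name $gpo -Key "$fwKey\$profile" -ValueName 'EnableFirewall' `
        -Type DWord -Value 1 | Out-Null
}
Set-GPRegistryValue -Name $gpo -Key "$fwKey\PublicProfile" -ValueName 'DefaultInboundAction'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$fwKey\PublicProfile" -ValueName 'DefaultOutboundAction' -Type DWord -Value 1 | Out-Null

# 3. Delegation: the Administrator account may edit the GPO (the post's Delegation tab)
Set-GPPermission -Name $gpo -TargetName 'Administrator' -TargetType User `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# 4. Guest account disabled
Disable-ADAccount -Identity 'Guest'

# 5. Audit policy on this DC. For domain-wide coverage, put the same subcategories in
#    the GPO under Advanced Audit Policy Configuration; auditpol changes only this host.
foreach ($sub in 'Audit Policy Change', 'Logon', 'Account Lockout',
                 'User Account Management', 'Security Group Management', 'Directory Service Changes') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 6. Read back what the domain now enforces, so the result can be checked and kept
function Test-DomainBaseline {
    $pw = Get-ADDefaultDomainPasswordPolicy -Identity $domain
    $fw = Get-GPRegistryValue -Name $gpo -Key "$fwKey\PublicProfile" -ValueName 'EnableFirewall'
    [pscustomobject]@{
        MinPasswordLength = $pw.MinPasswordLength
        LockoutThreshold  = $pw.LockoutThreshold
        PublicFirewallOn  = ($fw.Value -eq 1)
        GuestDisabled     = -not (Get-ADUser -Identity 'Guest').Enabled
    }
}
Test-DomainBaseline
gpupdate.exe /force | Out-Null
```

`Test-DomainBaseline` is the part worth keeping around: re-running it after any GPO edit shows immediately whether the baseline the post describes still holds.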

I created a folder, BookFacilityDoc, and shared it across the network using the Quick SMB share option. The screenshot above shows the share permissions given to the necessary users and groups. As can be seen, Full Control was given to every relevant group and user at the share level, leaving the final decision to the NTFS permissions: when share and NTFS permissions differ, the more restrictive of the two is what applies.

The NTFS permissions are shown in the screenshot above.
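The share-versus-NTFS arrangement from the two paragraphs above, as an added PowerShell example (not the author's, and the post's screenshots hold the real ACLs). It assumes a file server joined to the domain, a NetBIOS domain name of SMALLBOOKS (my placeholder), the Sales Resources and Managers Resources domain local groups, and the path D:\Shares. The small function at the end makes the "most restrictive wins" rule explicit.

```powershell
# Added example, not the author's: open share permissions, restrictive NTFS permissions.
# Assumes: domain-joined file server, NetBIOS name SMALLBOOKS (placeholder),
# the AGDLP domain local groups, and D:\Shares as the share root.
$path   = 'D:\Shares\BookFacilityDoc'
$share  = 'BookFacilityDoc'
$sales  = 'SMALLBOOKS\Sales Resources'
$mgrs   = 'SMALLBOOKS\Managers Resources'
$admins = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share permissions: Full Control for every group that should reach the share at all.
# The share ACL is deliberately not the restrictive layer.
New-SmbShare -Name $share -Path $path -FullAccess $sales, $mgrs, $admins | Out-Null

# NTFS permissions: this is where effective access is decided.
# Inheritance is cut first so ACEs inherited from D:\Shares cannot widen access.
icacls $path /inheritance:r            | Out-Null
icacls $path /grant "${sales}:(OI)(CI)RX"  | Out-Null   # sales staff: read and look up
icacls $path /grant "${mgrs}:(OI)(CI)M"    | Out-Null   # managers: modify (enter/update)
icacls $path /grant "${admins}:(OI)(CI)F"  | Out-Null   # administrators: full control

# Effective access through the share is the more restrictive of the two layers.
# Rank order: None < Read < Change (NTFS Modify) < Full.
function Get-EffectiveShareAccess([string]$ShareLevel, [string]$NtfsLevel) {
    $rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }
    $eff  = [Math]::Min($rank[$ShareLevel], $rank[$NtfsLevel])
    $rank.GetEnumerator() | Where-Object Value -eq $eff | Select-Object -ExpandProperty Name
}
Get-EffectiveShareAccess -ShareLevel Full -NtfsLevel Read     # Read   (sales staff)
Get-EffectiveShareAccess -ShareLevel Full -NtfsLevel Change   # Change (managers)
Get-EffectiveShareAccess -ShareLevel Read -NtfsLevel Full     # Read   (a tight share ACL would cap NTFS Full)

# Read back both layers for the record
Get-SmbShareAccess -Name $share
icacls $path
```

Cutting inheritance with `icacls /inheritance:r` is the step the GUI hides behind the "Disable inheritance" button; without it, a permissive ACE on `D:\Shares` would flow down and make the NTFS layer wider than the screenshot suggests.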

I created three iSCSI disks and combined them in RAID-5 for redundancy. The disks are available across the network for file sharing and storage. The RAID works as a backup plan in the sense that the array survives the loss of one disk without losing data; note that it does not protect against a deleted or corrupted file, which is lost on all three disks at once. That was my Active Directory implementation.
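The storage step as an added PowerShell example (not the author's, whose array was built through the GUI): the three iSCSI disks are pooled into a Storage Spaces parity virtual disk, which is the single-disk-fault-tolerant layout equivalent to RAID-5, and a scheduled Windows Server Backup is added for the case parity does not cover. It assumes the three LUNs are already connected with Connect-IscsiTarget and appear as poolable disks on the file server; the backup target is a placeholder.

```powershell
# Added example, not the author's: parity (RAID-5 style) virtual disk over the three
# iSCSI LUNs, a health check, and a scheduled backup.
# Assumes: LUNs already connected (Connect-IscsiTarget) and poolable; backup target is a placeholder.
$disks = Get-PhysicalDisk -CanPool $true | Where-Object BusType -eq 'iSCSI'
if (@($disks).Count -lt 3) { throw "Parity needs at least three disks; found $(@($disks).Count)" }

New-StoragePool -FriendlyName 'BookPool' -StorageSubSystemFriendlyName 'Windows Storage*' `
    -PhysicalDisks $disks | Out-Null

# Parity = tolerates one failed disk, like RAID-5 (two disks' worth of capacity usable)
New-VirtualDisk -StoragePoolFriendlyName 'BookPool' -FriendlyName 'BookData' `
    -ResiliencySettingName Parity -ProvisioningType Fixed -UseMaximumSize |
    Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter D -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'BookData' -Confirm:$false | Out-Null

# Health check to run after any disk loss: the array is degraded but still serving data
function Get-ArrayHealth {
    $vd = Get-VirtualDisk -FriendlyName 'BookData'
    [pscustomobject]@{
        Health      = $vd.HealthStatus        # Healthy / Warning / Unhealthy
        Operational = $vd.OperationalStatus   # OK / Degraded / ...
        RepairJobs  = @(Get-StorageJob | Where-Object JobState -ne 'Completed').Count
    }
}
Get-ArrayHealth

# Parity survives one failed disk, but a deleted or corrupted file is gone on all three.
# A nightly Windows Server Backup of the share root covers that case.
wbadmin enable backup -addtarget:\\BACKUP-SERVER-PLACEHOLDER\wsb -schedule:21:00 -include:D:\Shares -quiet
```

`Get-ArrayHealth` is what to check when a disk drops: `OperationalStatus` reads `Degraded` while the remaining two disks serve every read, and a non-zero `RepairJobs` count shows the rebuild once a replacement disk is added to the pool.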
