Windows Server Homelab: Implementing Security Policies | Fine-Grained Passwords

00:07

hello everyone welcome back to the

00:08

channel this video is a continuation of

00:11

our Windows Server home lab series and

00:14

this is the sixth episode and we are

00:16

going to be focusing on security

00:17

policies on this video so we are going

00:19

to be implementing the essential

00:21

security measures for all of our

00:23

computers in the workplace so in this

00:26

video we are going to be covering how to

00:28

implement security policies and security

00:30

policies or a set of configurations that

00:33

can be applied onto the desktops to

00:35

enhance their security and security is

00:37

very important in the workplace we also

00:40

have a request from the comment section

00:41

to cover different password rules for

00:44

different users example letting admin

00:47

making basic passwords but have strong

00:49

password rules standard users so later

00:52

on we can also make different settings

00:54

for different users just like from this

00:57

request we can set up different

00:59

parameters for it admin and different

01:02

password parameters for the users so if

01:05

you're interested in today's video

01:06

please keep on watching and without

01:08

further Ado let's get started okay so if

01:11

you're planning to follow along and

01:12

create the security policies in this

01:14

home lab you should check on the

01:16

prerequisites first and you should have

01:18

all of this first before you can do this

01:21

lab so you should have a Windows Server

01:23

installed with active directory tools

01:26

Group Policy Management console and a

01:28

Windows client for testing that is

01:31

joined to The Domain okay so for our

01:33

first activity we are going to do a

01:34

password policy configuration and we are

01:37

going to configure and enforce a strong

01:38

password for all of our active directory

01:41

users so this is really basic and we are

01:44

going to configure the minimum password

01:47

length password complexity and password

01:50

age in this activity because the default

01:52

for the minimum password in Windows

01:55

server is eight characters and that is

01:58

no longer the standard for strong

02:00

passwords it should be at least 12

02:02

characters or more to make it strong in

02:05

this digital age so we have to also

02:08

protect our users from attacks by

02:11

enforcing this security policy okay so

02:13

on the Windows Server open the group

02:15

policy Management console and then

02:17

create a new group policy object or you

02:20

can also edit the default domain policy

02:23

so for this case we are just going to

02:24

edit the default domain policy because

02:26

we want this to apply to all of the ad

02:28

users under our main so you can right

02:31

click on this and click edit and what do

02:34

we choose in here is it going to be

02:36

computer configuration or user

02:39

configuration this needs to be applied

02:41

to all the computers when a user login

02:43

so we should select computer

02:45

configuration in here and then select

02:47

policies and then window settings and

02:51

security settings and then under account

02:53

policies there are different policy but

02:56

for this situation we should be

02:58

selecting password policy policy and

03:01

this is where you can set up the

03:02

different policy for strong passwords

03:05

for ad users so first we can select

03:08

enforce password history in here this is

03:11

setting up how many password the system

03:13

should

03:16

remember and then we can also set up the

03:18

maximum password age on when the

03:21

password should expire usually we do it

03:23

every quarter at work but it also

03:25

depends on your company then we can set

03:28

up the minimum password length to create

03:30

stronger passwords so typically eight

03:33

characters is the minimum now or

03:36

sometimes there's more so it also

03:38

depends on your company and last is

03:40

password must meet complexity

03:42

requirements so this should be always

03:45

enabled to enforce strong password so

03:48

this is where systems is stricter when

03:50

taking a new password that you're going

03:52

to set up like it's not going to take a

03:54

basic password and there's different

03:56

characters that you should meet for the

03:59

p the passwords for example you should

04:01

have a symbol or capital letter or a

04:03

number so this is how you configure and

04:06

enforce a strong password policy for ad

04:08

users through the group

04:12

policy so to test if our new password

04:16

policy works we can create a test user

04:19

account and attempt to set a week

04:21

password to verify that the password

04:24

policy is enforced make sure to check

04:26

user must change password at next log on

04:29

because we want to to check if we can

04:30

change the password to meet the

04:32

complexity

04:34

rules okay so let's test the account

04:36

that you just created so now log into

04:39

the new

04:42

account okay so it's going to ask us to

04:45

change the password so let us type in

04:47

some basic passwords so we can test if

04:50

the password complexity was

04:52

enforced so I've typed in 1 2 3 4 5 6 7

04:56

in here and see if it will take it so as

05:00

you can see in here we are getting this

05:01

message now that we are not meeting the

05:03

complexity requirements so that's a good

05:05

sign that our policy was enforced so now

05:08

I'm going to type in the password that

05:10

meets all the requirements in here and

05:12

also the minimum length

05:15

required and let's see if the system

05:17

will take it and change the

05:19

password okay so our password was

05:22

changed so it means that our policy

05:24

works so that is how you can test this

05:27

so for our next activity we are going to

05:29

do the account lockout policy

05:31

configuration and we are going to

05:33

configure an account lockout policy to

05:36

protect against boot Force attacks so in

05:39

this activity we are going to set a

05:41

threshold for password how many password

05:44

attempts they have before their account

05:47

will be locked out and the duration of

05:50

the lock out like how long will they be

05:52

locked out before they can be unlocked

05:55

from their accounts so the higher the

05:57

threshold is set the higher the

05:59

probability also for a successful Brute

06:02

Force attack which gives them more

06:04

opportunities to guess the password and

06:07

be successful with the attack okay so we

06:09

can open the group policy Management

06:11

console again and we can create a new GP

06:14

or edit the default domain

06:16

policy so I'm going to edit the default

06:19

policy here I'm going to right click on

06:21

it and click on

06:22

edit so we are going to choose computer

06:25

configuration in here and then go to

06:27

policies and then select window settings

06:30

and security settings and under that

06:33

will be account policies and under

06:35

account policies you can see the account

06:37

lockout policy which we are looking for

06:39

to set this up so let's configure the

06:42

account lockout duration to 30 minutes

06:46

then let's set the account lck out

06:47

threshold to three invalid log on

06:50

attempts just for the sake of this home

06:52

lab you can choose it depending on your

06:55

company policy then let's set up the

06:58

account lockout counter after 30

07:04

minutes so to test this policy you can

07:07

use a test user account and attempt

07:09

multiple failed login attempts to verify

07:12

that the account gets logged out then

07:14

you will see this message that is

07:16

currently locked out which means that

07:17

our policy

07:20

worked next is user rights assignment

07:23

and this is assign and restrict user

07:26

rights to enhance security this is more

07:28

of a role-based access and we can

07:30

restrict different user groups for

07:32

different tasks for example we can deny

07:34

standard users to log in locally or

07:37

directly to the servers because we don't

07:38

want them to be messing around with the

07:40

servers if they can figure out or

07:42

accidentally log into them and we can

07:44

also restrict using or allowing them

07:47

remote desktop services so standard

07:50

users can just log into to different

07:52

computers or servers remotely using RDS

07:55

so for this lab open the group policy

07:58

Management console then you can create a

08:00

new GPO or edit the default domain

08:03

policy I'm going to create a new GPO so

08:05

I'll right click on this group policy

08:07

objects and click on new and let's type

08:10

in user rights for

08:12

example expand the group policy objects

08:15

and look for user rights and right click

08:17

and click edit and then navigate to

08:19

computer configuration then select

08:22

policies then window settings and select

08:25

security settings under local policies

08:28

select user right assignment so the

08:31

first example that you want to do is to

08:32

deny log on locally so look for deny log

08:36

on locally in this list and check Define

08:39

these policies and then add groups for

08:42

users who should not log on directly to

08:44

the servers so just make sure that you

08:47

already have groups added in active

08:49

directory so you have something to add

08:51

to this lab just like each group or

08:53

Accounting Group so that's what you are

08:56

going to add in this restriction so

08:59

let's let's add the HR department for

09:02

example then next we just want to

09:04

specify groups or users that are allowed

09:06

to use remote desktop just like it

09:09

department for example so find allow log

09:12

on through remote desktop services and

09:14

click on Define these policy settings

09:16

and then you can add the users or groups

09:19

you want to allow to use remote desktop

09:22

just like the IT

09:25

department so let's test the Deni log on

09:28

locally policy first I am going to go to

09:31

my Windows server and I'm going to sign

09:33

out from admin account and I'm just

09:36

going to use a regular user account that

09:37

is not a member of the it group and

09:40

let's see if we can sign in to the

09:43

Windows Server so I'm getting this error

09:46

message which means that our policy

09:48

Works cuz I'm not allowed to log onto

09:50

this Windows Server directly because I'm

09:52

not an admin the next policy we're

09:55

testing is allowing log on through

09:57

remote desktop services so in testing

10:00

this just make sure that you're logged

10:01

in as regular user and not as admin so

10:05

open the remote desktop program then

10:08

type in the name of your server and then

10:10

click connect and it's going to ask you

10:12

to enter your

10:14

password and then click okay and then as

10:17

you can see you're getting this error

10:18

message so this means that our policy

10:21

work because we're not allowed to use

10:22

remote desktop with this regular user

10:26

account okay so for our last Hands-On

10:28

lab it's going to be implementing fine

10:30

grained password policies so this is

10:33

covering the request from the comment

10:35

yes earlier which will be applying

10:37

different password policies to different

10:39

groups of users so for example your

10:41

organization wants to apply stricter

10:43

policies to admin accounts while

10:46

allowing standard users to have more

10:49

lenient requirements or vice versa if

10:52

you want admins to have less stricter

10:55

requirements and more stricter with

10:57

standard users so this is how you

11:00

implement this kind of security policy

11:02

so the concept of applying and

11:05

implementing different password policies

11:07

to different user groups is called

11:09

theine grain password policies and

11:12

window server and we also use different

11:14

tools other than the group policy

11:16

management to implement this since this

11:18

is more advanced settings so for this

11:22

configuration we're not going to use

11:23

Group Policy but we're going to use a

11:26

tool that's called active directory

11:28

administrative Center and you can find

11:31

it under your windows admin tools okay

11:34

so go ahead and open the active

11:36

directory administrative Center so to

11:39

your left side click on your domain name

11:41

and then select system and select

11:45

password settings container because we

11:47

are going to create a new password

11:49

settings object or

11:51

PSO next go to the upper right side

11:53

click on new and password settings so

11:56

this is where you're going to type the

11:58

name for your password set settings

12:00

we're going to do the admin password

12:01

policy first thenx is precedence this

12:05

determines the order in which the policy

12:07

objects are applied when multiple

12:09

password settings are applied to a user

12:12

or a group so the password setting with

12:14

the lowest president number has the

12:16

highest priority and will be applied for

12:19

example there's a user with two password

12:21

setting first setting with the

12:23

Precedence of 20 and second with the

12:26

Precedence of 30 so the one with the

12:28

lower number will take presidence and

12:30

that's the one with presidence

12:32

20 so for this admin password setting

12:35

I'm going to put number one to make it

12:37

the highest precedence and below is

12:39

where you can edit the settings to make

12:42

stricter policies for admin for example

12:45

set up the minimum password length in

12:47

here and also enforce password history

12:50

in here so I'm just going to put 15 for

12:53

minimum password length and three for

12:55

password history then at the bottom you

12:58

can click on ADD so we can add the

13:00

groups where we want this admin password

13:03

setting applied or implemented to in

13:06

this case I'm going to select the group

13:07

for it

13:09

admins then just click on okay and now

13:12

we have created a password setting

13:14

object here for

13:16

admin then if you want to create another

13:18

one for regular users we can create

13:21

another password settings object or PSO

13:24

and follow the same process type in the

13:27

name of the setting and then type in the

13:29

presidence here I'm going to use a

13:31

number two just to make it lower than

13:34

the admin presidence and below is where

13:36

you can change the settings to make it

13:38

less stricter than the admin or more

13:41

stricter depending on your company

13:43

policy and same process you can add the

13:45

groups where you want this to be

13:47

implemented and then click on okay and

13:50

then you have created another password

13:52

setting

13:53

object okay so that would be it for this

13:56

episode of our home lab series if you

13:58

have any questions please let me know in

14:00

the comment section down below and I

14:02

hope you learn something from this video

14:04

thank you so much and hope to see you

14:05

guys in the next one