LAB7

Description for video LAB7

1. Setting Up Least Privileges
I started by creating a Group Policy Object (GPO) named "Least Privilege Policy" in the Group Policy Management Console (GPMC). The goal was to enforce the principle of least privilege.

In the User Rights Assignment section under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, I configured settings like "Deny access to this computer from the network" for non-admin users and "Deny log on through Remote Desktop Services" for Domain Users.

I tested these settings by applying the policy to the TestUsers Organizational Unit (OU) and created two test users, TestUser1 and TestUser2.

The PowerShell command I used to create the GPO was:
New-GPO -Name "Least Privilege Policy" | New-GPLink -Target "OU=TestUsers,DC=obaydomain,DC=local"

Next, I configured roles and permissions using the Delegation of Control Wizard in Active Directory Users and Computers. This allowed me to delegate specific permissions to test users in the TestUsers OU.

2. Jump Server / Privileged Access Workstation (PAW) Setup
I prepared a jump server to ensure secure remote access for administrative tasks.

First, I configured Remote Desktop Services (RDS) and added an inbound firewall rule using PowerShell to allow remote access only from trusted IP addresses.

The PowerShell command I used for the firewall rule was:
New-NetFirewallRule -DisplayName "Allow Trusted IPs for RDP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/8  # prefix length corrected from the invalid "/180" (an IPv4 prefix is at most /32); set it to the actual trusted subnet

I tested the jump server setup by attempting a Remote Desktop connection to the server using a test user. After troubleshooting issues with permissions, I ensured that TestUser1 was a member of the Remote Desktop Users group in Active Directory.

3. Auditing Tasks
For auditing, I configured both basic and advanced audit policies to monitor security events.

I enabled "Audit logon events" and "Audit object access" in the Local Security Policy, found under Local Policies, Audit Policy.

For advanced auditing, I used the Advanced Audit Policy Configuration in GPMC and set it to monitor actions like file access and privilege use.

The PowerShell command I used to enable basic auditing was:
Auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable

To verify, I reviewed the Security logs in Event Viewer for events related to logon attempts and object access.

4. Implementing the Protected Users Group
I created a Protected Users group in the Users container within Active Directory.

To add TestUser1 to this group, I used the following PowerShell command:
Add-ADGroupMember -Identity "Protected Users" -Members "TestUser1"

I tested this by attempting non-Kerberos authentication and ensuring NTLM was blocked for the Protected User account. I reviewed the Security logs on the domain controller to confirm Event ID 4624, which shows Kerberos authentication.

5. Configuring Windows Defender Credential Guard
Finally, I worked on enabling Credential Guard for enhanced protection.

In GPMC, I navigated to Computer Configuration, Administrative Templates, System, Device Guard, Turn On Virtualization-Based Security and enabled the policy.

I also tried to configure Credential Guard using PowerShell with the following commands:
Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name "EnableVirtualizationBasedSecurity" -Value 1
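As an added example that is not part of the original lab, the following PowerShell script verifies the five controls configured above from one admin session: GPO link, RDP rule scope, logon auditing, Protected Users membership and the Credential Guard running state. It assumes a domain-joined host with the GroupPolicy and ActiveDirectory RSAT modules installed; the GPO, OU, rule and user names are taken from the write-up.

```powershell
# Added verification script (not from the original lab). Assumes a domain-joined
# admin session with the GroupPolicy and ActiveDirectory RSAT modules installed.
# GPO, OU, firewall-rule and user names are the ones used in the lab write-up.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = "Least Privilege Policy"
$ouDn     = "OU=TestUsers,DC=obaydomain,DC=local"
$ruleName = "Allow Trusted IPs for RDP"
$results  = @()

# 1. The least-privilege GPO exists and is linked to the TestUsers OU
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName -and $_.Enabled }
$results += [pscustomobject]@{ Check = "GPO linked to TestUsers OU"; Pass = [bool]$linked }

# 2. The RDP rule exists and is NOT scoped to "Any" remote address
$addr = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Get-NetFirewallAddressFilter
$results += [pscustomobject]@{ Check = "RDP rule scoped to trusted IPs"
                               Pass  = [bool]($addr -and $addr.RemoteAddress -ne "Any") }

# 3. The Logon subcategory audits both success and failure (auditpol CSV output)
$logon = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$results += [pscustomobject]@{ Check = "Logon auditing success and failure"
                               Pass  = ($logon.'Inclusion Setting' -eq "Success and Failure") }

# 4. TestUser1 is a member of Protected Users (NTLM is refused for such accounts)
$members = Get-ADGroupMember -Identity "Protected Users" |
    Select-Object -ExpandProperty SamAccountName
$results += [pscustomobject]@{ Check = "TestUser1 in Protected Users"
                               Pass  = ($members -contains "TestUser1") }

# 5. Credential Guard is actually running on this host: Win32_DeviceGuard reports
#    SecurityServicesRunning containing 1 (the policy alone does not prove it started)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$results += [pscustomobject]@{ Check = "Credential Guard running"
                               Pass  = ($dg.SecurityServicesRunning -contains 1) }

$results | Format-Table -AutoSize
```

Run it after applying the GPO (or after a reboot for Credential Guard); any row showing False points at the step that still needs attention.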
