This hands-on lab provides a Microsoft Windows administrator with an understanding of how to establish basic security controls on a Windows Domain Controller that is also serving DNS. You will learn how to configure Domain Name System Security Extensions (DNSSEC), a suite of extensions that adds security to the Domain Name System (DNS) protocol by enabling validation of DNS responses. You will enable DNSSEC within the Name Resolution Policy Table (NRPT) of the domain's group policy. Finally, you will configure specified directories on the server to use the Encrypting File System (EFS) to add a layer of protection to individual files and folders. EFS is a native file-level encryption capability on Windows. Your files are encrypted with a symmetric key bound to the user account, so the protection shares the same exposure as the user's credentials. Note: depending on the sensitivity of the information stored, EFS may not be sufficient protection. These basic skills are essential for a security administrator on a Windows domain.
Understand the scenario
You are a system administrator for a company that has DNS servers and file servers that run Windows Server 2016. You need to mitigate security threats against the DNS server and resource record tampering, and you need to protect data at rest on the file servers. First, you will configure DNSSEC. Next, you will use EFS to encrypt files and folders. You have a virtual machine named DC1 that runs Microsoft Windows Server 2016. DC1 is configured as a domain controller for an Active Directory domain named Contoso. You will connect to the virtual machine console directly in the lab environment.
Digitally sign a DNS zone:
The Domain Name System (DNS) uses either forward or reverse lookup zones. In this case, you will configure a forward lookup zone for your DNS server, which lets the server resolve queries in which a client sends a name request and the server returns the registered IP address. After setting up a primary forward lookup zone, you will digitally sign the zone. This configuration gives validating clients assurance that the server's DNS responses have not been forged.
Configure the Name Resolution Policy Table:
The Name Resolution Policy Table (NRPT) is configured through a Group Policy Object to enforce Domain Name System Security Extensions (DNSSEC). For this task, you will configure the group policy for all domain computers to use DNSSEC for DNS queries within your domain. Finally, you will learn how to update group policy so that the new changes take effect.
Encrypt files and folders using EFS:
Microsoft Windows includes a native file-level encryption capability called the Encrypting File System (EFS). It uses symmetric-key encryption, with the key bound to the user account. This is an inherent weakness: if the user's credentials are compromised, the encrypted files can be decrypted. Despite this weakness, implementing EFS is a good practice at a minimum, depending on the sensitivity of the information being protected. In this lesson, you will also gain experience using the native Windows command-line tool cipher.exe to manage file- and folder-level encryption.
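The three lab tasks above (create and sign the zone, enforce DNSSEC through the NRPT, encrypt a folder with EFS) can be driven from PowerShell on the domain controller. The script below is an added example, not the lab's own material; the zone name contoso.com, the GPO name and the folder path are assumptions for illustration.

```powershell
# Added example (not the lab's own script). Run elevated on the domain controller.
# Zone name, GPO name and folder path are assumed values for illustration.
$zone   = 'contoso.com'            # assumed zone name
$gpo    = 'Default Domain Policy'  # assumed GPO that will carry the NRPT rule
$folder = 'C:\SecureData'          # assumed folder to protect with EFS

# --- Task 1: create an AD-integrated primary forward lookup zone and sign it ---
Import-Module DnsServer
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest
}
# Sign with the default key set (KSK + ZSK, NSEC3); -Force suppresses the prompt.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# Check: the zone reports itself signed and now carries DNSKEY/RRSIG/NSEC3 records.
'Zone {0} signed: {1}' -f $zone, (Get-DnsServerZone -Name $zone).IsSigned
Get-DnsServerResourceRecord -ZoneName $zone |
    Where-Object RecordType -in 'DNSKEY', 'RRSIG', 'NSEC3' |
    Group-Object RecordType | Select-Object Name, Count

# --- Task 2: NRPT rule in Group Policy so domain clients validate the zone ---
# A leading dot matches the zone itself and every name beneath it.
Add-DnsClientNrptRule -GpoName $gpo -Namespace ".$zone" `
    -DnsSecEnable -DnsSecValidationRequired `
    -Comment 'Require DNSSEC validation for the Contoso zone'
gpupdate.exe /force | Out-Null

# Check: asking with the DO bit set returns RRSIG records beside the A record,
# which is what a validating client uses to verify the answer.
Resolve-DnsName -Name "dc1.$zone" -DnssecOk

# --- Task 3: protect a folder with EFS via cipher.exe ---
New-Item -ItemType Directory -Path $folder -Force | Out-Null
cipher.exe /e "/s:$folder"      # encrypt the folder and everything under it
cipher.exe /c "$folder\*"       # show encryption state and who can decrypt each file

# Check from PowerShell: every file under the folder carries the Encrypted attribute.
Get-ChildItem -Path $folder -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }

# Because the EFS key is tied to the user account, export the EFS certificate and
# private key to a .pfx (cipher /x) and store it offline; without it, a lost or
# reset account also loses access to the files.
cipher.exe /x 'C:\efs-backup'
```

The NRPT rule lands in the named GPO, so run gpupdate on the domain clients, not only on DC1, before expecting validation to be enforced there.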
Lab Summary and Conclusion:
In this hands-on virtual lab, you will learn how to implement basic protections for a Windows Domain Controller that is serving DNS. You will configure a forward lookup zone, digitally sign the zone, and modify the NRPT to enforce DNSSEC. Then you will learn how to use EFS and the command-line tool cipher.exe to manage file- and folder-level encryption on your system. These skills are essential for anyone pursuing a career as a security administrator or a Windows administrator.
Other Challenges in this series
- GUIDED CHALLENGE: Enable SSL/TLS on a Website
- ADVANCED CHALLENGE: Can You Secure a Website Using an SSL/TLS Certificate?