
IP Address and Security

Last reviewed: October 15, 2016

Kris Corporation's parent domain (kris.local) and child domain (corp.kris.local) for the organization's AD infrastructure are running on Server 2008. The following are concerns related to AD: (1) Kris Corporation is concerned about running multiple domains, and (2) automobile manufacturers are asking Kris Corporation to use a single identity to procure orders in real time. The company has five locations in Atlanta (GA), Baltimore (MD), Chicago (IL), Seattle (WA) and San Diego (CA). The manufacturing plants are in Atlanta and Seattle. Disaster recovery is a big concern. Physical space for servers is an issue at the Atlanta location. Most of the IT staff is in Atlanta, which is the company's headquarters, but other locations have significant IT personnel as well. Business personnel are similarly distributed across the company's locations. Since all locations are independently connected to the internet, file sharing is difficult among sites.

Introduction

Kris Corporation needs to migrate from Windows Server 2008 to the Windows Server 2012 operating system (OS) and its Active Directory (AD) to help solve most of the issues and concerns it currently faces. Active Directory is a database that will ensure that Kris Corporation is able to track all its user accounts and passwords. The database enables passwords and user accounts to be stored and protected in a single location; this enhances the company's security. An Active Directory comprises at least one domain. Every domain in an Active Directory acts as a security boundary.

A domain controller (DC) is a server used to host each domain. The DC is responsible for managing all the passwords and user accounts for a domain, stored in one location. AD has a feature that allows the network administrator to set baseline password parameters, for instance, minimum length, password complexity, password change interval, maximum number of wrong attempts and account lockout. These password settings enhance security and reduce the chances of successful attacks such as brute force attacks.

Since Kris Corporation is a large company, Active Directory enables the company's network administrators to simplify the processes involved in maintaining its complex network. Updating a single AD object propagates the change automatically, so the network administrator does not have to perform manual updates. Network administrators can also grant or deny end-users access to particular applications via the network trees based on Active Directory. Large networks like that of Kris Corporation can be maintained and organized through Active Directory, eliminating the need to conduct every task through a single process.

Active Directories can be highly complex as they support distributed networks (like that of Kris Corporation); therefore, there is a need for a network administrator who is knowledgeable in this kind of technology. Without AD, Kris Corporation would find it very hard to effectively store data and information on its vast network. Each of the five company locations is connected on a domain, which stores all information in a central location (the DC), not on the hard drive of each computer. A global catalog (kris.local) controls each domain, keeping track of all the registered network devices. It stores computer names, IP addresses and users to enable the global administrator to monitor and manage everything that occurs on the domain. Since everything is linked on the backend, all a user needs to find any computer on the network is its name.

The domain controller permits everything when using AD, meaning the DC has already assigned permissions to every user in the domain. As a result, users in the Kris Corporation network can experience efficient digital communication, as information is available and everything in the network is accessible.

[Figure 1 diagram: Atlanta (DC, Global Catalog Servers, Root Domain -- Kris.local) connected through the Cloud to Baltimore, Seattle, Chicago and San Diego]

Figure 1: A Typical Image of a Single Domain for Kris Corporation Showing How the Four Locations Link to the Headquarters (Atlanta -- acting as the DC & Global Catalog Server) through the Cloud

1. Active Directory

Why and How Should the Company Migrate to 2012 AD?

Why Should the Company Migrate to 2012 AD?

Kris Corporation should migrate from Windows Server 2008 to 2012 AD because it comes with a more advanced AD infrastructure. Windows Server 2012 comes with features optimized for the cloud. It comes with a range of features to enable Kris Corporation to deploy highly available applications stored in the cloud; this helps solve the issue of the Atlanta location lacking enough physical space for servers. Hyper-V, PowerShell 3.0, SMB 3.0 and the improved virtualization hypervisor are just some of the features the company needs to exploit to overcome the challenges it has been facing throughout its five locations (Desmond, 2013).

PowerShell 3.0 comes with an extra 2,300 cmdlets to give additional granular control over the OS. The company can enjoy wider data center control through commands executed remotely using the PowerShell remoting feature. Virtualization has been taken a notch higher in the 2012 OS, with Hyper-V 3.0 supporting up to 64 processors and 1 TB of memory. The VHDX format comes with a larger disk storage capacity and increased resilience compared with Windows Server 2008. Server Core is a feature that provides for command-line administration. In 2012 AD, this feature is enhanced for better performance. Unlike running a GUI (graphical user interface), Server Core comes with greater security and supports administration from remote locations. By deploying a role, users of the Kris Corporation network can easily switch between the GUI Server Manager and Server Core views (Desmond, 2013).

Other features of Windows Server 2012 that Kris Corporation will gain from include: easier replication, dynamic access control, access to better management tools, DHCP failover, AD Recycle Bin improvements and a new DNS system. Replication and DHCP failover will come in handy whenever there are disasters and the organization needs to continue with its operations during and after the disaster. The databases of the different branches can be pointed to an alternative site (replication site) for backup purposes and data access. DHCP failover has the ability to continue with IP management operations when the primary DHCP server goes offline, thus sustaining the network. This is equally a disaster recovery item (Desmond, 2013).

How Should the Company Migrate to 2012 AD?

By migrating to Windows Server 2012, Kris Corporation is taking a step forward towards adopting a cloud solution. Before the migration can begin, the company must first download Windows Server 2012 R2, perform a full backup of the prevailing Windows Server 2008 and verify AD DS's current Schema version by running the regedit command. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and check the Schema's current version. To avoid failure of the new AD server, the organization needs to first carry out the relevant tests and ensure the new AD server works. This can be done by creating a test or simulation environment. It is also possible to run both the old AD server and the new AD server in parallel for some time to mitigate any failure (parallel changeover). A clear fallback plan should be put in place; for instance, the old server should be ready and on standby in case the new server fails to meet the AD requirements (Desmond, 2013).

Once the newly installed Windows Server 2012 has been determined to work, the migration process can begin.

Step 1: Use the adprep Command to Prepare the Company's Existing Forest (Desmond, 2013)

1. Open Windows Server 2008 R2 AD DS's DVD drive and insert the DVD containing Windows Server 2012.

2. Open the command prompt, type adprep /forestprep and hit the enter key.

3. Using the procedure stated above, check the Schema's current AD DS version.
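
The schema check done with regedit before and after adprep can also be scripted. The following is an added example, not part of the original paper; it reads the same registry value and maps it to a release, and the default target of 69 assumes Windows Server 2012 R2 media. It is written to run on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not from the original paper. The version numbers are the
# schema objectVersion values associated with each Windows Server release.
$SchemaReleases = @{
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}

function Get-LocalSchemaVersion {
    # Same value the text inspects with regedit; the key only exists on a DC.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path $key)) {
        throw 'NTDS\Parameters not found: this machine is not a domain controller.'
    }
    [int](Get-ItemProperty -Path $key).'Schema Version'
}

function Test-SchemaReady {
    param(
        [Parameter(Mandatory = $true)][int]$Current,
        [int]$Target = 69    # assumption: promoting a 2012 R2 DC; use 56 for 2012
    )
    $release = 'unknown'
    if ($SchemaReleases.ContainsKey($Current)) { $release = $SchemaReleases[$Current] }
    New-Object PSObject -Property @{
        SchemaVersion = $Current
        Release       = $release
        NeedsAdprep   = ($Current -lt $Target)   # true until adprep /forestprep has run
    }
}

# Constructed sample values: a 2008 R2 forest before and after adprep /forestprep.
47, 69 | ForEach-Object { Test-SchemaReady -Current $_ } |
    Select-Object SchemaVersion, Release, NeedsAdprep |
    Format-Table -AutoSize

# On the live domain controller (hypothetical usage):
#   Test-SchemaReady -Current (Get-LocalSchemaVersion)
```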

Step 2: Promote the Domain Controller of Windows Server 2012 Server

1. Open the 'Server Manager Console' and select 'Add roles and features'.

2. Choose 'Role-based or Feature-based Installation'. Click 'Next'.

3. Under 'Roles', select 'Active Directory Domain Services' option.

4. Click on the 'Add Features' button to accept the required default features.

5. Click on the 'Next' button on the Features screen that pops up.

6. In the next window, check-off 'Restart the destination server automatically if required' (this expedites the installation in case the server is automatically reset). Click on the 'Install' button on the same 'Confirm Installation selections' window.

7. Upon completion of installation, click on the 'Close' button to exit the installation window.

8. A notification appears on the dashboard, denoted by a yellow exclamation mark. Click on it and select 'Promote this server to a domain controller' on the drop-down menu that comes up.

9. Under 'Select a deployment operation', select the first option 'Add a domain controller into existing domain'.

10. Select or type a proper target domain, which in this case is Kris.local.

11. Click on the 'Change' button to provide the required credentials of the company's network administrator. Click on the 'Next' button.

12. Specify the domain controller capabilities in the new screen: check-off 'Domain Name System (DNS) server' and 'Global Catalog' options. Select the DC site, which in this case should be Atlanta (GA), where the company has its headquarters.

13. Type the 'Directory Services Restore Mode (DSRM)' password in the text box provided and confirm it in the appropriate text box.

14. Click on the 'Next' button to move to the next screen.

15. In the 'Additional Options' screen that comes up, choose to install the DC from media by checking off the option or select a point from which the DC can be replicated. The server will always select the best location from which the AD database can be replicated. Once it's done, click on the 'Next' button.

16. Select the specific location for storing the AD database, log files and SYSVOL folders. Click on the 'Next' button.

17. The next step on Schema and Domain preparation was already performed, therefore, this step is automatically run by the system.

18. Click 'Next' to review the selected options on the 'Review Options' screen. Click on the 'View Script' button to obtain the PowerShell script, which can be used to automate future installations.

19. To proceed, click on the 'Next' button.

20. Upon successful prerequisites checks, click on the 'Install' button to begin the installation process of the DC. Once the Windows Server 2012 DC is set up successfully, the server restarts automatically.

21. Lastly, a configuration update of NIC properties on every server under the target domain should be performed to point to the newly installed Windows Server 2012 DC. Open the DHCP management console and choose the option numbered 006. In the server/scope options window that comes up, the new DC's IP address should be added and configured as a DNS server.

22. Click 'OK'.

Step 3: Verify the Newly Installed Windows Server 2012 DC

1. Open 'Active Directory Users and Computers,' expand

2. Open 'DNS Manager' and right-click on

3. Open 'Active Directory Sites and Services' and under Default-First-Site-Name, ascertain that the company's server is listed under 'Servers' (Desmond, 2013).

Step 4: Flexible Single Master Operations (FSMO) Role Transfer

1. Open the console 'Active Directory Users and Computers' on Kris Corporation's computer server running the newly installed Windows Server 2012.

2. Select Kris Corporation's domain and right-click it. Under the sub-menu that appears, select 'Operations Masters'.

3. Select the RID tab on the 'Operations Masters' window that comes up.

4. Click on the 'Change' button to transfer the operations master role.

5. Click 'Yes' when prompted to confirm the operation.

6. Click 'OK' to continue upon successful transfer of the operations master role.

7. Verify that the Operations Master box features Kris Corporation's new Windows Server 2012.

8. Configure the PDC and Infrastructure tabs (next to the RID tab) by repeating steps 4 to 6.

9. When complete, exit the Operations Masters window by clicking on the 'Close' button.

10. Exit the 'Active Directory Users and Computers' window by closing it.
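
Step 4 moves the three domain-wide roles (RID, PDC and Infrastructure); the forest-wide Schema Master and Domain Naming Master are held separately, so it is worth confirming where all five roles sit before starting Step 5. The following is an added example, not part of the original paper, and the host names dc08.kris.local and dc12.kris.local are hypothetical.

```powershell
# Added example, not from the original paper. Host names are hypothetical.
function Get-FsmoHolders {
    # Live lookup; needs the ActiveDirectory module and a reachable DC.
    # Get-ADDomain reports the current domain only; repeat for corp.kris.local.
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $forest = Get-ADForest
    @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster         # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide role
    }
}

function Get-RolesHeldBy {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Holders,
        [Parameter(Mandatory = $true)][string]$Server
    )
    # -eq on strings is case-insensitive, which suits DNS host names.
    $Holders.GetEnumerator() |
        Where-Object { $_.Value -eq $Server } |
        ForEach-Object { $_.Key } |
        Sort-Object
}

# Constructed state: the three tabs from Step 4 were changed, nothing else.
$sample = @{
    PDCEmulator          = 'dc12.kris.local'
    RIDMaster            = 'dc12.kris.local'
    InfrastructureMaster = 'dc12.kris.local'
    SchemaMaster         = 'DC08.kris.local'
    DomainNamingMaster   = 'DC08.kris.local'
}

$left = @(Get-RolesHeldBy -Holders $sample -Server 'dc08.kris.local')
if ($left.Count -gt 0) {
    "Old DC still holds: $($left -join ', ')"
} else {
    'All five roles are on the new DC.'
}

# Live check and transfer of any remaining roles (hypothetical usage):
#   Get-RolesHeldBy -Holders (Get-FsmoHolders) -Server 'dc08.kris.local'
#   Move-ADDirectoryServerOperationMasterRole -Identity 'dc12' `
#       -OperationMasterRole SchemaMaster, DomainNamingMaster
```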

Step 5: Windows 2008 R2 Domain Controller Removal

1. Click 'Start' and then 'Run' on the Windows Server 2008 R2 computer and type 'dcpromo' on the command line. Click 'OK'.

2. 'Welcome to the Active Directory Installation Wizard' opens up. On the window, uncheck the option 'Delete the domain because this server is the last domain controller in the domain.'

3. Enter the right password on the 'Administrator Password' page and click on the 'Next' button.

4. Click on the 'Next' button on the 'Summary' page that comes up and wait till the process ends. Click on the 'Finish' button.

5. Click on the 'Finish' button on the 'Completing the Active Directory Domain Services Installation Wizard' page.

6. Click on the 'Restart Now' button on the 'Active Directory Domain Services Installation Wizard' to restart the server.

7. Upon completion of the reboot, remove the Windows Server 2008 R2 server from the domain to a workgroup. On the 'Active Directory Sites and Services' console, delete all unnecessary records (Desmond, 2013).

Should the Company remain at the Multi-Domain model or Migrate to Single Domain?

Yes, the company should migrate to a single domain as explained in the procedure above for migrating to Windows Server 2012. Although having multiple domains reduces the chances of the security of the organization being compromised, it comes with an extra cost. Implementing a single domain alongside other security controls will achieve the functionality of a multiple domain model at a lower cost. This will also give Kris Corporation a single identity to help the automobile manufacturers procure orders in real time (Desmond, 2013).

What Technology can provide a Single Sign-on? How will it be configured?

Active Directory Domain Services (AD DS) keeps all the information regarding network objects, in addition to ensuring that the network administrators and users have access to this information. AD DS makes use of Domain Controllers to ensure that network users have access to resources anywhere on the network, which they are permitted to access via a single sign-on process. The process of installing AD DS is discussed above under the second step of promoting Windows Server 2012 Domain Controller (Desmond, 2013).

2. DNS

Where Should DNS Servers Reside?

The target Domain Controller Server is configured as the primary DNS server as explained in the second step of promoting Windows Server 2012 DC. DNS servers usually reside in the domain controller servers of each domain by having them configured to act as Domain Name Service servers (Minasi, 2014).

What Kind of DNS Security Can the DNS Servers Leverage?

DNS servers are vulnerable to various security threats, such as resource utilization and cache poisoning attacks, denial of service (DoS) or distributed denial of service (DDoS) attacks resulting from open DNS resolvers, and DNS amplification and reflection attacks. DNS servers can leverage a number of DNS security measures to prevent these threats. Kris Corporation can implement the Berkeley Internet Name Domain (BIND), disable recursion, randomize the DNS transaction identifier, randomize the UDP source port in BIND, use DNS Security Extensions (DNSSEC) and segregate authoritative and recursive resolvers. Unicast reverse path forwarding, IP source guard and access control lists can help prevent spoofing of DNS servers. DNS servers can also leverage firewalls to improve their security. However, the most common attack on DNS servers is the pharming attack. This attack leverages outdated DNS server software to redirect traffic to a rogue DNS server in order to learn the nature of a target's traffic and network for further attacks. Anti-pharming configurations and prevention of remote code execution can be set up on the DNS server to further prevent the attack (Minasi, 2014).

3. DHCP

Will a Form of DHCP Fault Tolerance Be Implemented?

Yes. Three major fault-tolerance options are supported by the Windows DHCP server, namely: setting up a split-scope DHCP, installation of DHCP on a Windows failover cluster and setting up DHCP failover. The latter is a new option in Windows Server 2012. DHCP failover will be implemented to replicate at least one complete DHCP scope to another DHCP server to act as backup in case the primary DHCP server fails. Under the DHCP management console of Windows Server 2012, the DHCP scope is right-clicked to launch the new 'Configure Failover' option. Under this window, select either the 'Load Sharing' (default option) or 'Hot Standby' options (Combee, 2001).

In the load sharing mode, IP configuration data is leased by two servers at the same time to clients on a specific subnet. The requests are first load balanced before being shared between the two DHCP servers. In the latter case, hot standby mode, two DHCP servers have a failover relationship, meaning only one DHCP server is active at a time, leasing IP addresses to clients on a particular subnet or scope. If the primary DHCP server fails or becomes unavailable, the secondary DHCP server assumes the role of assigning IP addresses. The primary DHCP server in a given subnet or scope can be the secondary DHCP server of another scope or subnet. Therefore, DHCP failover acts as a disaster recovery plan for Kris Corporation. However, DHCP failover supports only two nodes and is limited to IPv4 configuration data (Combee, 2001).
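
The two failover modes can also be configured and audited from PowerShell on Windows Server 2012. The following is an added example, not part of the original paper; the server names, scope and relationship names are hypothetical. It also checks that each relationship uses a shared secret, which authenticates the failover messages exchanged between the two partners.

```powershell
# Added example, not from the original paper. Server names, the scope and the
# relationship names are hypothetical.
function New-ScopeFailover {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('LoadBalance', 'HotStandby')][string]$Mode,
        [Parameter(Mandatory = $true)][string]$SharedSecret
    )
    $common = @{
        ComputerName  = 'dhcp-atl.kris.local'
        PartnerServer = 'dhcp-sea.kris.local'
        ScopeId       = '10.10.0.0'
        SharedSecret  = $SharedSecret   # authenticates partner-to-partner messages
    }
    if ($Mode -eq 'LoadBalance') {
        # Both servers lease addresses; requests are split 50/50.
        Add-DhcpServerv4Failover @common -Name 'ATL-SEA-LB' -LoadBalancePercent 50
    } else {
        # This server is active; the partner holds 5% of the pool in reserve.
        Add-DhcpServerv4Failover @common -Name 'ATL-SEA-HS' -ServerRole Active -ReservePercent 5
    }
}

function Test-FailoverRelationship {
    param([Parameter(Mandatory = $true)][object[]]$Relationship)
    foreach ($r in $Relationship) {
        $issues = @()
        if (-not $r.EnableAuth) {
            $issues += 'no shared secret (failover messages unauthenticated)'
        }
        if ("$($r.State)" -ne 'Normal') {
            $issues += "state is $($r.State)"
        }
        [pscustomobject]@{
            Name   = $r.Name
            Mode   = "$($r.Mode)"
            Issues = ($issues -join '; ')
        }
    }
}

# Constructed sample shaped like Get-DhcpServerv4Failover output.
$sample = @(
    [pscustomobject]@{ Name = 'ATL-SEA-LB'; Mode = 'LoadBalance'; State = 'Normal'; EnableAuth = $true }
    [pscustomobject]@{ Name = 'CHI-SD-HS'; Mode = 'HotStandby'; State = 'CommunicationInterrupted'; EnableAuth = $false }
)
Test-FailoverRelationship -Relationship $sample | Format-Table Name, Mode, Issues -AutoSize

# Live audit (hypothetical usage):
#   Test-FailoverRelationship -Relationship (Get-DhcpServerv4Failover -ComputerName 'dhcp-atl.kris.local')
```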

Cite This Paper
PaperDue. (2016). Ip Address and Security. PaperDue. https://www.paperdue.com/essay/ip-address-and-security-2162691
