Disabling Unnecessary Services
In this exercise, you will disable unnecessary services for laptops that are taken by users outside of the corporate network. It is essential that unneeded network services are turned off to minimize the number of ports that are open when these mobile computers are connected to the public network such as the Internet.
Please refer to your course material or use your favourite search engine to research for more information about this topic.
Task 1: Create a Policy to turn off non-essential services
In this step, you will use group policy to disable non-essential network services on user computers.
Step 1
Ensure you have powered on the required devices and connect to PLABC01.
In Server Manager, go to Tools > Active Directory Users andComputers.

Step 2
Expand PRACTICELABS.COM and click Create a new organisationalunit in the current container icon.

Step 3
In New Object-Organizational Unit, type
Mobile Computers

Click OK.

Step 4
Go to Computers container, select PLABWIN701, PLABWIN801 andPLABWIN810 devices.
Right-click on the selection and choose Move…

Step 5
In the Move box, select Mobile Computers and click OK.
Close Active Directory Users and Computers.

Step 6
Go back to Server Manager, go to Tools > Group PolicyManagement.

Step 7
Right-click on Mobile Computers and choose Create a GPO in thisdomain and link it here…

Step 8
In New GPO box, type Mobile Computers Restrictions, then click OK.

Step 9
Right-click on Mobile Computers Restriction and choose Edit…

Step 10
In Group Policy Management, go to Computer Configuration >Policies > Windows Settings > Security Settings > SystemServices.
In the right-details pane, right-click on Themes and chooseProperties.

Step 11
On Themes Properties, select Define this policy setting box and choose Disabled.
Click OK.

Step 12
In Group Policy Management, go to Computer Configuration >Policies > Windows Settings > Security Settings > SystemServices.
In the right-details pane, right-click on Server and choose Properties.

Step 13
On Server Properties, select Define this policy setting box and choose Disabled.
Click OK.

Step 14
In Group Policy Management, go to Computer Configuration >Policies > Windows Settings > Security Settings > Local Policies >Security Options
Right-click on Accounts: Rename administrator account and chooseProperties.

Step 15
In the Accounts: Rename administrator account… click Define thispolicy setting and type
Localpcadmin

Click OK.

Step 16
In Group Policy Management, go to Computer Configuration >Policies > Windows Settings > Security Settings > Local Policies >Security Options
Right-click on Interactive logon: Message text for users attemptingto log on and choose Properties.

Step 17
In the Interactive logon: Message text for users… click Define thispolicy setting in the template and type
This workstation is for authorised users only. Log on to this system is monitored for compliance to security policies.

Click OK.

Step 18
Right-click on Interactive logon: Message title for users attemptingto log on and choose Properties.

Step 19
In the Interactive logon: Message title for users… click Define thispolicy setting in the template and type
Notice

Click OK. Close Group Policy Management Editor and Group Policy Management console.

Task 2: Verify Computer Policy Restriction
Step 1
Switch to Practice Labs web application, click Disable/Enable autologin button.
Verify that x is displayed.
Select PLABWIN701 and click on Reboot this device button.

Step 2
Connect to the PLABWIN701 device after about 1 minute. Then login with the following credentials:
John.smith

Passw0rd

Step 3
Click Agree if you see the BGInfo license agreement page.
Click Start, in Search programs and files box, type
Services.msc

Press enter.

Step 4
Verify that Themes is Disabled.
Right-click on it and choose Properties.

Step 5
Notice that the controls to start and change the Start-up type of this service are not available. Click OK and close Services.

Step 6
Click Start and in Search for programs and files box, type
Gpupdate /force

Press Enter. Log off John Smith.

Step 7
Reconnect to PLABWIN701. Verify that the log on message screen is displayed. Click OK.
Note: If the log on message did not appear, restart PLABWIN701.

Step 8
Sign on as practicelabs\administrator password is Passw0rd

Step 9
Click Start, right-click Computer and choose Manage…

Step 10
Go to Local Users and Groups node, click Users and verify thatLocalpcadmin is present.
This is the renamed Administrator built-in account. The account was renamed because of group policy object.
Close Computer Management and log off Administrator.

Leave all devices powered on in their current state and proceed to the next exercise.
—
Exercise 2 – Protecting Management Interfaces and Applications
In this exercise, you will use group policy objects to protect certain programs from being run by regular users. You will prevent some users to run applications that are not allowed by system administrators.
Please refer to your course material or use your preferred search engine to research this topic in more detail.
Task 1: Disallow users to run some Windows applications
Step 1
Switch to PLABDC01. Go back to Server Manager, go to Tools >Group Policy Management.

Step 2
Right-click on EMEA and choose Create a GPO in this domain andlink it here…

Step 3
In New GPO box, type
Prohibit Access to Control Panel

Click OK.

Step 4
Right-click on Prohibit access to Control Panel and choose Edit…

Step 5
In Group Policy Management Editor, go to User Configuration >Policies > Administrative Templates > Control Panel.
Right-click on Prohibit access to Control Panel and PC settings, choose Edit.

Step 6
In Prohibit access to Control Panel and PC settings, choose Enabled.
Click OK.

Step 7
Back in Group Policy Management Editor, go to User Configuration >Policies > Windows Settings > Security Settings.
Right-click on Software Restriction Policies and select NewSoftware Restriction Policies.

Step 8
Two sets of folders will appear.
Right-click on Additional Rules and choose New Path Rule…

Step 9
From New Path Rule, use the following settings:
Path: C:\Windows\system32\cmd.exe
Security level: Disallowed
Click OK. Close Group Policy Management Editor window.

Task 2: Set a Network Password Policy
Step 1
In Group Policy Management console, right-click on Default DomainPolicy and choose Edit…

Step 2
In Group Policy Management Editor, go to Computer Configuration> Policies > Windows Settings > Security Settings > AccountPolicies and click on Account Lockout Policy.
Right-click on Account lockout threshold and choose Properties.

Step 3
In Account Lockout threshold, change the value to
3

Click OK.

Step 4
If the suggested value change appears, click OK to accept the changes.
Close Group Policy Management Editor window. Keep Group Policy Management console running.

Task 3: Verify the network restrictions
Step 1
Switch to PLABWIN701 and sign on as jan.regus password isPassw0rd

Step 2
Click Agree if you see the BGInfo License Agreement page.
Click Start and in Search programs box, type
Cmd

Press Enter.

Step 3
A message box appears indicating that command prompt is blocked by group policy. Click OK.

Step 4
Click again on Start and in Search box, type
Control

Press Enter.

Step 5
A message box appears, indicating control panel is not allowed to be used by the user currently signed on.
Click OK. Log off Jan Regus from PLABWIN701.

Leave all devices powered on in their current state and proceed to the next exercise.
—
Exercise 3 – Renaming Unnecessary Accounts for Security
In this exercise, you will rename the Guest account which is common to all Windows devices. This account although disabled is provided with the system for convenience purposes-mostly useful for part time users of a network.
Please refer to your course material or use your preferred search engine to research this topic in more detail.
Task 1: Create Policy for Guest Account
Step 1
Switch back to PLABDC01 and reopen Group Policy Management Console.
Expand Forest: PRACTICELABS.COM > Domains >PRACTICELABS.COM. Right-click on Default Domain Policy and choose Edit.

Step 2
In Group Policy Management Editor, go to Computer Configuration> Policies > Windows Settings > Security Settings > Local Policiesand click on Security Options.
Right-click on Accounts: Rename guest account and chooseProperties.

Step 3
In Accounts: Rename guest account… select Define this policysetting box. Type:
Visitor

Click OK.
Close Group Policy Management Editor and Group Policy Management console.

Step 4
Go to Practice Labs web application, select PLABWIN701 and chooseReboot this device button.

Step 5
When PLABWIN701 is done rebooting (green light is on) connect to it and sign on as practicelabs\administrator password is Passw0rd

Step 6
Click Start and right-click Computer choose Manage.

Step 7
Go to Local Users and Groups, go to Users container and verify thatVisitor user account is available.

Shut down all virtual machines used in this exercise using Practice Labs power button function to revert these devices to their default settings.
Alternatively, you may sign out of the lab portal to power down all devices.
Summary
In this module you learnt how to secure a network by doing the following tasks:
How to disable unnecessary services to minimize the attack surface of a computer
How to protect certain programs from being accessed by regular users using group policy.
How to rename non-essential built in user accounts to prevent those accounts from being used by unauthorised users.