Active Directory interview questions, part 1 of 2

Some questions from a recent interview for an Active Directory specialist position:

 

  • What are some extended Active Directory attributes that are created when you install common enterprise Microsoft offerings?
    1. Depending on the MS product being deployed, there could be various changes to the schema. The good thing is that they are all well documented, with sufficient description, in TechNet.
    2. For example, when installing Exchange 2016, attributes that are being created are: ms-Exch-UG-Event-Subscription-Link and ms-Exch-UG-Event-Subscription-BL.
    3. When deploying Skype for Business: msExchUserHoldPolicies, msRTCSIP-UserRoutingGroupId, msRTCSIP-MirrorBackEndServer
    4. etc.

 

  • Name 3 use cases of AD delegation that would be useful in a company
    1. Delegate Microsoft BitLocker decryption rights to the Help Desk
    2. Delegate new user creation to the Identity and Access Management team [IAM]
    3. Delegate password reset to Global Service Desk users [GSD]

 

  • Solve for this scenario.
      ◦ User A needs access to
          ▪ \\company.share\Public
          ▪ \\company.share\Confidential
          ▪ \\company.share\Secret
      ◦ User B needs access to
          ▪ \\company.share\Public
          ▪ \\company.share\Confidential\Public
          ▪ Cannot have access to \\company.share\Confidential
      ◦ Solution needs to be scalable for the future


    1. Make 2 groups – User-a-category and User-b-category
    2. For the user-a-category, assign appropriate NTFS access to the specified folders in \\company.share\.
    3. For the user-b-category, assign NTFS access to the specified folders in \\company.share\.
    4. Set security permissions to the \\company.share\Confidential folder.
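
One way to apply the four steps above on the file server, as an added example that is not part of the original answer. Assumptions: D:\Share is the local path behind \\company.share, the domain is COMPANY, both groups already exist, and ReadAndExecute stands in for "appropriate NTFS access".

```powershell
# Added example. Assumed names: D:\Share, COMPANY domain, ReadAndExecute rights.
# Run elevated on the file server.
$root   = 'D:\Share'
$groupA = 'COMPANY\User-a-category'
$groupB = 'COMPANY\User-b-category'
$admins = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function New-Ace([string]$Id, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Id, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

function Set-FolderAcl {
    param([string]$Path, [string[]]$Readers)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited ACEs, so a broad
    # entry higher up (for example Users) cannot leak into this folder.
    # Explicit ACEs already on the folder are kept and should be reviewed.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $admins)  { $acl.AddAccessRule((New-Ace $id 'FullControl')) }
    foreach ($id in $Readers) { $acl.AddAccessRule((New-Ace $id 'ReadAndExecute')) }
    Set-Acl -Path $Path -AclObject $acl
}

Set-FolderAcl -Path "$root\Public"              -Readers $groupA, $groupB
Set-FolderAcl -Path "$root\Confidential"        -Readers $groupA
Set-FolderAcl -Path "$root\Secret"              -Readers $groupA
# Group B is listed on the subfolder but nowhere on its parent.
Set-FolderAcl -Path "$root\Confidential\Public" -Readers $groupA, $groupB

# Check: group B must show ACEs on Public and Confidential\Public only.
foreach ($dir in 'Public', 'Confidential', 'Confidential\Public', 'Secret') {
    $aces = (Get-Acl -Path (Join-Path $root $dir)).Access |
        Where-Object { $_.IdentityReference.Value -eq $groupB }
    '{0,-22} group B ACEs: {1}' -f $dir, @($aces).Count
}
```

User B opens \\company.share\Confidential\Public by its full path; this works without any ACE on Confidential because the "Bypass traverse checking" user right is granted to ordinary users by default. The share-level permissions must still allow both groups.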

 

  • If a user calls and tells you a newly created distribution group is unable to accept email from clients, what is the problem?
    1. Analyze the error code generated by sending emails [if available]
    2. Check if the group scope is appropriate [Universal/Global/Domain local]
    3. Check if “Sender authentication” is enabled
    4. Check with Get-TransportServer | Get-MessageTrackingLog -Sender "address of sender" -Recipients "address of DL"
    5. Check that an anti-spam filter is not interfering [although this could depend on whether internal or external messages are being received]
    6. Remove the user from the group and add him again [some classical IT troubleshooting]
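
The group and tracking-log checks from the list above combined into one pass, as an added example that is not part of the original answer. It is meant for the Exchange Management Shell; both addresses are placeholders.

```powershell
# Added example. $dl and $sender are placeholder addresses.
$dl     = 'new-dl@company.example'
$sender = 'client@partner.example'

# Scope and delivery restrictions of the group
$group = Get-DistributionGroup -Identity $dl
$group | Format-List Name, GroupType, PrimarySmtpAddress,
    RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromSendersOrMembers,
    RejectMessagesFromSendersOrMembers, ModerationEnabled

if ($group.GroupType -notmatch 'Universal') {
    Write-Warning 'Group scope is not Universal.'
}
if ($group.RequireSenderAuthenticationEnabled) {
    Write-Warning 'Only authenticated senders are accepted; mail from outside the organization is rejected.'
}

# What transport did with the message during the last day.
# Get-TransportService replaces Get-TransportServer on Exchange 2013 and later.
Get-TransportService |
    Get-MessageTrackingLog -Sender $sender -Recipients $dl -Start (Get-Date).AddDays(-1) |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, RecipientStatus, MessageSubject -AutoSize

# Only if the group is meant to receive mail from unauthenticated senders:
# Set-DistributionGroup -Identity $dl -RequireSenderAuthenticationEnabled $false
```

Turning sender authentication off exposes the group address to anyone on the internet, so pair it with an allow list (AcceptMessagesOnlyFromSendersOrMembers) or moderation where the group is large.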

 

  • What is a loop back group policy?
    1. Allows user configuration settings to be applied based on the computer’s GPO, so the computer’s policies take precedence over the user’s policies/settings. Works in 2 modes:
    2. replace: the user policies defined in the computer’s GPO replace the user policies normally applied to the user
    3. merge: the user policies defined in the computer’s GPO and the user policies normally applied to the user are merged. If a conflict occurs, the user policies in the computer’s default GPO overwrite the user’s normal policies.

Part 2 will be on soon.

 

Making remote server management easier

After making sure the networking is done, installation is complete, AD is created, and DNS/DHCP are properly configured, it is time to make life easier by enabling remote server management.

On the managed servers, you need Remote server

  • On the computer that you want to manage remotely open a Windows PowerShell session with elevated user rights.
  • Type the following, and then press Enter to enable all required firewall rule exceptions.

    Configure-SMRemoting.exe -enable

On the management server

  • Navigate to Server Manager; in the upper right corner select Manage and then Add Servers
  • Fill the newly opened window with something like this:
[Screenshot: Configure Remote Management in Server Manager]
  • Wait a few seconds for the view to refresh
  • Enjoy the improved functionality :).
[Screenshot: Configure Remote Management in Server Manager]

 

Basic GDPR

Away from the somewhat more interesting technical side of information security, there are always the law and compliance issues. And with May 2018 approaching, GDPR is a good topic.

The General Data Protection Regulation (GDPR) is a regulation designed to safeguard sensitive data for all individuals and businesses based in the European Union (EU).

Once implemented in May 2018, the act will override the previous regulation introduced back in 1995. It is applicable to all sovereign members, thus having an expansive scope. GDPR compliance will guarantee consistency and transparency of personal data for all concerned.

Any organization controlling or processing data must abide by the GDPR. Companies will also bear a steep cost to do so.
Leading professional services firm PwC suggests that up to 68% of US-based enterprises expect to spend between one and ten million dollars to comply with the GDPR. Although based abroad, any business handling EU data is also exposed to GDPR.

Failure to comply also carries steep costs. Penalties may amount to 20 million Euros or 4% of global turnover in some cases. Other estimates strongly hint that a slew of businesses will fall into the non-compliance category.

Relevant personal data includes basic identification, medical records, cultural information, political opinions and gender-related data.

Security is decisive on the internet. In the past, data leakages have compromised individuals and companies alike. Under the forthcoming GDPR, if there is a breach, then the relevant authorities must be notified with immediate effect.

In the United Kingdom, this will be the Information Commissioner’s Office. Interestingly, despite Brexit, which would mean the UK exits the EU, the UK is still liable to enforce GDPR. This statement will probably have to change depending on the ongoing Brexit activities.

The GDPR is bound to alter the landscape of data handling. The immediate need to comply with this privacy protection measure has created a sense of urgency in the region. Since there are many stakeholders, the precedent this regulation will set will not be established swiftly.

Improved home lab

So, after the new hardware upgrade, it is time to set up a properly functioning lab.

Some background: the infrastructure in question will be for an engineering company with about 50 employees. It will have 4 branches, 3 operating within the major economic regions – EMEA, APAC, AMCS, and a fourth one – the HQ. This will be used for setting up the Active Directory structure later on. Every branch will have local HR, finance, an engineering team, on-site support and all the basic departments (definitely not the most optimized solution, but it should be interesting).

Underlying infrastructure: heavily based on Microsoft products: workstations with Windows 10, on-premise Exchange, and File & Share servers. To spice things up, there will be some Linux-based instances, used primarily for Java, web & middleware, sandboxing and testing. In the end there will also be some Android devices, just for the sake of testing BYOD scenarios. Active Directory will be used for proper management.

Security solutions: here is the funny part – hopefully more things will break and will have to be fixed for the fun.

  • Antivirus: Symantec Endpoint Protection, McAfee Enterprise & Microsoft Defender.
  • Encryption: Checkpoint Full Disk Encryption and Microsoft BitLocker
  • Network Security: Symantec Endpoint Protection, Splunk, AlienVault
  • Vulnerability management: Nessus
  • Penetration testing: Kali OS, Parrot OS
    More to be added in the future.