Kosisochukwu Ugochukwu

Exercise 4 – Configure Security Settings in Active Directory

INTRODUCTION

In this exercise, you will configure security settings in Active Directory that help protect your organization from outdated authentication methods, unauthorized changes, and improper account usage.

Imagine you are the IT administrator responsible for keeping your company’s network safe. Just like you wouldn’t give everyone a master key to the office or allow old locks to stay on the doors, you need to make sure your digital environment is secure.

Here’s what you will do in this exercise:

  • Restrict NTLM authentication for the domain: NTLM is an older authentication method that is less secure and more vulnerable to attacks. By blocking it, you ensure that only stronger authentication methods (like Kerberos) are used in your domain.
  • Enable auditing of user account management in the Sydney OU: This allows you to track when user accounts are created, modified, or deleted in the Sydney office. It’s like having a security camera that records who made changes, helping you detect mistakes or suspicious activity.
  • Deny log on as a service to members of a security group: Some accounts should never be used to run background services, because if they are compromised, attackers could gain persistent access. By denying this right to certain groups, you reduce risk and enforce proper security practices.

By the end of this exercise, you will understand how to apply practical security policies that help protect user accounts, monitor administrative activity, and prevent risky account usage. These are common tasks IT administrators perform to keep systems compliant and safe from threats.

Part 1 – Restrict NTLM Authentication

Here you will block NTLM authentication across the domain.

Steps:

On TAILWIND-DC1, open Server Manager.
From the Tools menu, select Group Policy Management.

In Group Policy Management:

Expand forest: tailwindtraders.internal → Domains → tailwindtraders.internal → Group Policy Objects.

Right-click Default Domain Controllers Policy → choose Edit.

In the Group Policy Management Editor:

Go to:
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options.

Find and double-click:
Network security: Restrict NTLM: NTLM authentication in this domain.

Check Define this policy setting.

Select Deny all → click OK.

When prompted, click Yes to confirm the change.

Close the Group Policy Management Editor.

Part 2 – Audit User Account Management in the Sydney OU

This sets up auditing so you can track changes made to accounts in the Sydney OU.

Steps:

On TAILWIND-DC1, open Server Manager.
From the Tools menu, select Group Policy Management.

In Group Policy Management:

Expand tailwindtraders.internal.

Right-click the Sydney OU → select Create a GPO in this domain, and Link it here….

Name the new policy SydneyOUPolicy → click OK.

Right-click SydneyOUPolicy → select Edit.

In the Group Policy Management Editor:

Go to:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management.

Double-click Audit User account management.

Check Configure the following audit events.

Select both Success and Failure → click OK.

Close the Group Policy Management Editor.

Part 3 – Deny Log On As a Service

Here you will prevent members of the Sydney Administrators group from logging on as a service.

Steps:

On TAILWIND-DC1, open Server Manager.
From the Tools menu, select Group Policy Management.

Expand the tailwindtraders.internal domain.

Right-click SydneyOUPolicy (created earlier) → select Edit.

In the Group Policy Management Editor:

Go to:
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.

Double-click Deny log on as a service.

Check Define this policy setting.

Click Add User or Group.

In the Select Users or Groups window:

Click Browse → Advanced → Find Now.

Select the Sydney Administrators group.

Click OK repeatedly until all windows close (about 4–5 confirmations).
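
One way to confirm that the three settings from Parts 1–3 actually took effect, as an added example that is not part of the original post. The function names are hypothetical, and the audit check assumes English `auditpol` output.

```powershell
# Added verification example (not from the original post).
# Run in an elevated PowerShell session after `gpupdate /force`.

function Test-NtlmDenyAll {
    # Part 1: the "Restrict NTLM: NTLM authentication in this domain" setting
    # is stored under the Netlogon parameters key; "Deny all" is the value 7.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RestrictNTLMInDomain
    return ($value -eq 7)
}

function Test-UserAccountAudit {
    # Part 2: auditpol reports the effective advanced audit policy.
    # Assumption: English-language output.
    $out = auditpol /get /subcategory:"User Account Management"
    return [bool]($out -match 'User Account Management\s+Success and Failure')
}

function Test-DenyServiceLogon {
    param([string]$GroupName = 'Sydney Administrators')
    # Part 3: export the effective user rights and read the
    # SeDenyServiceLogonRight line ("Deny log on as a service").
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $hit = Select-String -Path $cfg -Pattern '^SeDenyServiceLogonRight\s*=\s*(.+)$' |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $hit) { return $false }   # right not defined on this machine

    # Entries are "*<SID>" or plain account names; resolve SIDs to DOMAIN\name.
    $names = $hit.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry.TrimStart('*')
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }           # unresolvable SID: keep the raw entry
        } else { $entry }
    }
    return [bool]($names | Where-Object { $_ -eq $GroupName -or $_ -like "*\$GroupName" })
}

# Summary of all three checks; each property should be True on the right machine.
[pscustomobject]@{
    NtlmDenyAll      = Test-NtlmDenyAll
    UserAccountAudit = Test-UserAccountAudit
    DenyServiceLogon = Test-DenyServiceLogon
}
```

Run `Test-NtlmDenyAll` on TAILWIND-DC1, and the other two checks on a computer whose account is in the Sydney OU, because Parts 2 and 3 are Computer Configuration settings in a GPO linked to that OU.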

Conclusion

In this exercise, you learned how to configure security settings to protect systems and user accounts from potential threats. By applying these configurations, you strengthened overall system security and ensured that users operate within a safe and controlled environment.
