Use your favourite AI tool, YouTube, WWW site or Instruction Manual to complete the parts in this lab.
Use this file to add your screenshots and answers to questions. Each screenshot must have a notepad window open with your name in it the validate it is you. Note: not all Labs have step by step instructions, this is intentional. You will need to research the steps, implement them on your laptop/VMs and then present the screenshots below.
This lab focuses on securing infrastructure services by configuring DNS, DHCP, PXE, and system hardening practices. The goal is to implement security best practices and verify configurations using screenshots
- Implement and configure DNS Over HTTP (DoH) on Windows and Linux VMs.
- Set up DNSSEC for secure DNS resolution.
- Install and configure DHCP servers on Windows and Linux.
- Deploy PXE for remote system boot.
- Harden system security using CIS Benchmarks and DoD STIG.
Screenshot for Windows
Screenshot for Linux
3. Install DNS Server on your Windows VM, config it to use DNSSEC and connect to Google DNS Server. Obtain results from nslookup.
Screenshot nslookup for Windows
4. Install DNS Server on your LINUX VMs, config it to use DNSSEC and connect to Google DNS Server. Obtain results from nsLookup.
Screenshot nslookup for Linux
Screenshot of the Windows DHCP configuration file.
Configure the DHCP Server
Add the following lines to the dhcpd.conf file. Replace 192.168.1.0 with your VMs network address, and 192.168.1.10 192.168.1.50 with your desired IP address range: subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.10 192.168.1.50; option domain-name-servers ns1.example.org, ns2.example.org; option domain-name "example.org"; option routers 192.168.1.1; option broadcast-address 192.168.1.255; default-lease-time 600; max-lease-time 7200; }
Save and close the file. Restart the DHCP Server Verify the DHCP Server
Some network devices and endpoints should always have a static IP address to ensure stability and reliability. These include:
- Routers & Gateways" They manage network traffic, so changing their IP could disrupt connectivity.
- Switches (Managed): If they support remote management, they need a fixed IP for configuration access.
- Firewalls: To ensure proper security enforcement and rule application.
- DNS Servers: A static I 8000 P prevents network-wide DNS resolution failures.
- DHCP Servers: If DHCP had a dynamic IP, clients wouldn’t always find it.
- Web Servers: Hosting websites requires a consistent address for domain resolution.
- File & Database Servers: Clients need a stable connection to access resources.
- Mail Servers: Ensures mail delivery without disruptions.
- Active Directory Domain Controllers: Essential for network authentication.
- Printers: Ensures that users can always find and print to them.
- CCTV Cameras: For stable monitoring and remote access.
- VoIP Phones: To avoid call interruptions or dropped connections.
- VPN Servers: Provides remote access without frequent configuration changes.
- IoT Devices (Smart Security Systems, Automation Controllers, etc.): Ensures seamless operation.
Screenshot of the Linux DHCP configuration file and that the DHCP server is running.
Question(s): What is the main benefit of PXE? PXE Explained: PreBoot Execution Environment, how to deploy an operating system. – YouTube PXE WDS windows server 2019 - YouTube
PXE (Preboot Execution Environment) allows computers to boot from a network without needing local storage (hard drive, USB, or CD/DVD).
- Automated OS Deployment: Quickly install operating systems on multiple machines over the network.
- No Need for Boot Media: Eliminates the need for USBs or DVDs to install OS.
- Centralized Management: IT teams can manage and update systems remotely.
- Faster System Recovery: Easily reinstall or repair OS in case of system failure.
- Ideal for setting up large numbers of computers (e.g., in enterprises, schools, or data centers).
2. Install and configure Microsoft Windows Deployment Services from the Server Manager on Windows. Configure MDS as a standalone server with not installing images at this time.
Take a screenshot of the Install Images folder from within WDS
The Install Images folder in Windows Deployment Services (WDS) stores the operating system installation files used for deploying Windows to client computers via PXE boot. What Goes in the Install Images Folder?
- Windows Installation Images (.WIM files): These files, typically extracted from a Windows ISO (sources\install.wim), contain the operating system setup.
- Custom Captured Images: If deploying a pre-configured system, custom .WIM images captured from existing installations can be added.
- Multiple OS Versions: The folder can store various Windows versions (e.g., Windows 10, Windows 11, Windows Server 2022) to support different deployment needs.
The CIS link is in the slide deck (Benchmarks). You will have to register with an email address. Review the contents and provide an example network setting safeguard from CIS Control 13
The safeguard in your screenshot is related to encrypting sensitive data at rest (CIS Control 3.11) and encrypting or hashing all authentication credentials (CIS Control 16.4). An example network setting safeguard from CIS Control 13 is:
Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
- Profile Applicability: Level 1 - Domain Controller, Level 1 - Member Server
- Description: This setting prevents unauthorized users from turning on Internet Connection Sharing (ICS), which could expose internal network resources to external devices.
- Rationale: Preventing ICS ensures that end-users cannot unintentionally or maliciously share their internet connection, reducing attack vectors.
- Remediation: Configure the following Group Policy setting:
- Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network
- Recommended Value: Enabled. Should you use CIS Benchmarks?
Yes, you should use them, as they provide industry-recognized security best practices that help reduce vulnerabilities and enhance network security. Which Level should you use?
- Level 1: Basic security that balances usability and security. Suitable for general enterprise environments.
- Level 2: More restrictive settings for high-security environments. If you prioritize security over usability and are working in a highly sensitive environment, Level 2 is preferable. Otherwise, Level 1 is a good baseline.
Linux Safeguard Screenshot:
Deploy a network-based intrusion detection system (NIDS) to monitor network traffic for malicious activity.
Helps detect unauthorized access, malware, and unusual network behaviors before they cause harm.
Use tools like Snort, Suricata, or Zeek to analyze network traffic.
Windows Safeguard Screenshot:
Goto DOD STIP website in the slide deck. Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange Look for: DoD WinSvr 2022 MS and DC v1r4/Reports/ Look for and open the report: DoD WinSvr 2022 MS STIG Comp v1r4.html Open Account Policies/Password Policies
14 characters minimum.
Take screenshot of the STIG
Yes, I would use DoD STIGs (Security Technical Implementation Guides) because they establish stringent security configurations that enhance system protection, ensure compliance with frameworks like NIST and CIS, and reduce cyber risks through strong password policies, access controls, and network security measures. They are especially valuable in high-security environments such as government and enterprise systems. However, STIGs can be complex to implement, overly restrictive, and may affect usability, making them less suitable for smaller organizations or general-purpose systems. While they are crucial for securing critical infrastructure, a more balanced approach—such as CIS Level 1 Benchmarks—might be better suited for environments that need to balance security with usability.