Windows Server Deployment Proposal

Contoso Advertising has two locations. The main site location is in Pensacola, Florida (FL) with a smaller site in Casper, Wyoming (WY). Multiple servers will be distributed throughout these sites to support the various services required by each department. Throughout the growing enterprise, there will initially be 90 employees distributed into five departments between the two sites. Contoso has a small Executive department of 9 personnel, 15 employees in the Accounts and Sales department, 49 personnel staffing the Creative, Media, and Production department, 12 members of the Human Resources and Finance department and 5 IT employees. As FL is Contoso’s main site, the majority of employees will be based there with one-third of each department working out of the WY site to split company responsibilities between locations.

Windows Server 2012 will be the Operating System (OS) deployed to all servers within the organization due to a few key features. Firstly, the use of PowerShell within Windows Server 2012 will be very important to the management of Contoso’s network. Microsoft has vastly increased the number of available PowerShell cmdlets to allow for more robust management from the command line (Otey, 2011). This will allow the IT staff to manage company assets from the command line and script out the majority of routine network management duties. Furthermore, Microsoft’s Server Manager utility can remotely manage multiple servers, up to 100 at a single time (Microsoft, 2013). This will allow the IT employees to manage the entire organization remotely without physically visiting each server and will eliminate the need for the Remote Desktop Protocol (RDP) for management tasks. These two features in particular will simplify network management for Contoso’s small IT support staff across both sites. Other features, such as Storage Tiers, will directly benefit users throughout the organization, particularly the employees in the Creative, Media, and Production department. These are just a few of the features that Contoso can take advantage of within their organization.

Deployment and Server Configurations:

Contoso’s network will be constructed with 24 total servers throughout the enterprise to handle organizational growth over the next few years while being configured with robust failover solutions. This will be done to ensure the company can recover from any single failure while still fulfilling their organizational goals. Services for Contoso’s daily operations, such as Domain Controllers, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), file servers, web servers and print servers, will be provided by these servers. In addition, both sites will be mirrored so that each site can keep functioning if the WAN link between the sites goes down, and also for organizational purposes and ease of management by the small IT department. If implemented properly, Contoso’s enterprise network can scale to their expected growth while having very high reliability.

The main FL site will have two Domain Controllers, FL_DC1 and FL_DC2. The primary domain controller, FL_DC1, will be configured to run Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services as well as performing the role of Domain Controller. FL_DC2 will be a replica of FL_DC1 and will act as a backup in case of corruption or server failure. Both Domain Controllers will run the Server Core version of Windows Server with the graphical user interface (GUI). The Active Directory role will need to be installed to provide Directory Services, along with the ability to organize and manage the organization through the use of Group Policy, discussed later in the proposal. Additionally, FL_DC2 will be designated as a Global Catalog to serve forest-wide directory searches originating from the other site, decreasing the burden on the primary DC. A full chart of the needed servers and their intended purpose can be seen below.

Server        Role                                                   Location
FL_DC*        Primary/Secondary Domain Controller/DNS/DHCP Server    Pensacola, Florida
FL_FS_HRF*    Primary/Secondary HRF File Server                      Pensacola, Florida
FL_FS_CMP*    Primary/Secondary CMP File Server                      Pensacola, Florida
FL_FS*        Primary/Secondary File Server/Print Server             Pensacola, Florida
FL_MX*        Primary/Secondary Mail Server                          Pensacola, Florida
FL_WWW*       Primary/Secondary Web Server                           Pensacola, Florida
WY_DC*        Primary/Secondary Domain Controller/DNS/DHCP Server    Casper, Wyoming
WY_FS_HRF*    Primary/Secondary HRF File Server                      Casper, Wyoming
WY_FS_CMP*    Primary/Secondary CMP File Server                      Casper, Wyoming
WY_FS*        Primary/Secondary File Server/Print Server             Casper, Wyoming
WY_MX*        Primary/Secondary Mail Server                          Casper, Wyoming
WY_WWW*       Primary/Secondary Web Server                           Casper, Wyoming

* = 1 for the primary server and 2 for its secondary (for example, FL_DC1 and FL_DC2).

As the Human Resources and Finance department will be dealing with highly sensitive financial data for the company, they will have their own exclusive file server, FL_FS_HRF1, which will be backed up to FL_FS_HRF2. Full backups will be conducted weekly with differential backups occurring every night. Shares will be hosted on this server with permissions applied to allow only members of the Human Resources and Finance department access to any resources on it.

The other department with its own dedicated file servers is Creative, Media, and Production. Similar to the Finance department, there will be a primary server and a backup, FL_FS_CMP1 and FL_FS_CMP2. These servers will follow the same backup schedule as the Finance department and will likewise have share access locked down to only those employees within the department. Storage pools will be created to implement storage tiers on the primary file server. Multiple traditional mechanical hard disk drives (HDD) and solid state drives (SSD) will be assigned to the storage pool. The SSD tier will be configured to house the most frequently accessed data while the HDD tier will house data accessed less often. The storage tier optimization task will be scheduled to run every evening during off hours.

The rest of the personnel at the FL site will use a single file server, FL_FS1, which will also be backed up to FL_FS2 in a manner similar to the Finance and Creative departments. Storage on this server will be split among the other departments and quotas will be enforced using the File Server Resource Manager (FSRM). Using this method of quota management will allow the IT department to centrally control and monitor daily storage consumption and generate storage reports to analyze disk usage trends (Microsoft, 2008). Each user will have a home folder nested under their department share. NTFS permissions will grant access to the department share only to members of that department, and access to each home folder only to its owner. Users will all be given the same amount of space initially and expansion requests will be scrutinized. Because FSRM offers more advanced features than NTFS quotas, administrative notification scripts can be set to run when a user nears their allocated quota limit (Microsoft, 2008). The IT department will implement a semi-automated process with administrative scripts that trigger a quota increase request once these quotas are met. All file servers in the network will be installed with Server Core with the GUI.
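The following is an added example, not part of the proposal, showing how the FSRM quota, the threshold notification script and the per-user NTFS permissions described above can be built with the FileServerResourceManager cmdlets on a Windows Server 2012 file server. The share path, the 2 GB allocation, the mail addresses and the request-tracking script path C:\Scripts\New-QuotaRequest.ps1 are assumptions.

```powershell
# Added example (not from the proposal). Assumed values: share path, quota size,
# mail recipients and the request-tracking script path.
Import-Module FileServerResourceManager

$departmentShare = 'D:\Shares\AccountsSales'   # assumed department share on FL_FS1
$quotaSize       = 2GB                          # assumed identical starting allocation

# Action 1: mail IT and the folder owner when 85% of the quota is used.
$mailAction = New-FsrmAction -Type Email `
    -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota warning: [Quota Path] at [Quota Used Percent]%' `
    -Body 'User [Source Io Owner] has used [Quota Used] of [Quota Limit]. Open an increase request with IT.'

# Action 2: at 100%, start the (assumed) increase-request script. FSRM runs it as
# LocalSystem, so the script file must only be writable by administrators.
$scriptAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters '-NoProfile -File C:\Scripts\New-QuotaRequest.ps1 -Path "[Quota Path]" -Owner "[Source Io Owner]"' `
    -SecurityLevel LocalSystem `
    -RunLimitInterval 1440
# RunLimitInterval is in minutes: at most one run per folder per day.

$warn = New-FsrmQuotaThreshold -Percentage 85  -Action $mailAction
$full = New-FsrmQuotaThreshold -Percentage 100 -Action $mailAction, $scriptAction

# Hard quota template: writes beyond the limit are refused, not merely logged.
New-FsrmQuotaTemplate -Name 'Contoso Home Folder' -Size $quotaSize `
    -Threshold $warn, $full `
    -Description 'Standard per-user home folder allocation' | Out-Null

# Auto-apply quota: every existing and future subfolder of the department share
# (one per user) receives its own quota instance derived from the template.
New-FsrmAutoQuota -Path $departmentShare -Template 'Contoso Home Folder' | Out-Null

# NTFS: break inheritance on the home folder so other department members, who
# can read the department share, cannot browse into it; only the owner can modify.
function Set-HomeFolderAcl {
    param([string]$UserSam, [string]$Domain = 'CONTOSO')
    $folder = Join-Path $departmentShare $UserSam
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $acl = Get-Acl $folder
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    foreach ($id in @("$Domain\$UserSam", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $rights = if ($id -like "$Domain\*") { 'Modify' } else { 'FullControl' }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $folder -AclObject $acl
}

Set-HomeFolderAcl -UserSam 'jdoe'   # constructed sample user
```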

Having a public presence on the internet will be crucial for Contoso to gain new clients and allow their business to grow over the next few years. Company mail servers will also be needed to communicate internally and to interface with customers. The FL site will have its own dedicated mail and web servers, with FL_MX1 and FL_WWW1 acting as primary, and FL_MX2 and FL_WWW2 being mirrored backups for their respective roles. These servers will run the Server Core edition of Windows Server 2012 because of its stability improvements and because it is inherently more secure than other editions of Windows Server, since it runs far fewer services than the full GUI versions (Microsoft, 2017). Public-facing assets, such as mail or web servers, are often the first target of cyber-attacks, and Server Core will decrease the attack surface.

The WY site will have the exact same configuration as the primary FL site, as seen in the network diagram below. Backup solutions and fault tolerance were built into this proposal to prevent downtime for the network and prevent monetary loss for the company. In the event that any one node within the network fails, Contoso can continue with their day-to-day operations while resolutions are developed and implemented by the IT department. This configuration was chosen to provide the maximum reliability and fault tolerance, which will be crucial for a growing organization. A simplified diagram of Contoso’s network can be seen below to illustrate how the network could be structured to accomplish the goals of this deployment proposal.

NETWORK DIAGRAM

Active Directory and Group Policy:

Contoso’s network will have two domains within a single forest, one for each site. The FL site will be contoso.com and the WY site will be north.contoso.com, with each new site that Contoso builds in the future following a similar structure. Domain Controllers will be placed in each site for management within their domain. Organizational Units (OUs) will be used for organization within Active Directory, with each department having its own OU nested under its domain. Active Directory objects will be created for each user and will be organized by job role and placed into their respective OUs. Computer objects within Active Directory will follow a similar structure. This is to ensure proper organization, application of Group Policy, and ease of network management throughout the domain.

Software programs needed throughout the organization will be deployed through the use of group policy if the number of employees that require them is high enough or it is not feasible for the IT department to physically visit every computer for installation. This can be done with the Group Policy Management Console within Windows Server. Packages can be configured to deploy .msi files, which will be installed on the next computer reboot if the policy is configured under the Computer Configuration section of the Group Policy Management Editor. Programs like Adobe Reader, Photoshop, and QuickBooks could be deployed to different departments, while Wireshark or Zenmap could be deployed to different servers throughout the network for traffic analysis. Software restriction policies will also be used in the domain, as they allow the network administrators to control which software may execute (Microsoft, 2004). Using these policies, the IT department can configure the environment to prevent unauthorized programs from running, identifying them by hash, certificate, path, or zone rules.

To maintain a high level of security throughout the enterprise, a strong password policy will be strictly enforced. Strong, frequently changed passwords will be used because passwords are continuously vulnerable, especially during password assignment, management, and use (Microsoft, 2017). Contoso employees will be required to have a password of at least 10 characters in length, mixing upper- and lower-case letters, special characters, and numbers. Password age thresholds will be set in the password policy for a maximum age of 45 days and a minimum age of 30 days. A password history of 10 will be set to prevent users from quickly cycling back to previously used passwords. This will ensure that if any user credentials are compromised, they won’t be of use to an undetected malicious user for long.

In addition to the general password policy just discussed, the administrators will also be subject to a fine-grained password policy for security reasons. Fine-grained password policies allow multiple password policies to apply to different users within a domain (Microsoft, 2012). Contoso will be able to use this feature of Windows Server to enforce stronger password restrictions upon select users, the IT department in this situation. Additional complexity, a longer password history, tighter minimum and maximum password ages, and an increased password length requirement will be enforced upon these employees to protect the corporate network. In the event of a network breach, highly privileged accounts, such as those of the IT department members, will be the first group targeted by malicious users. Frequently changing, complex passwords increase the time needed to crack a password and shorten the window in which a cracked password remains usable by malicious cyber actors.
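The two policies above, as an added example that is not part of the proposal: the domain default policy takes the values stated in the proposal (10 characters, complexity, 45/30 day maximum/minimum age, history of 10), while the fine-grained policy for IT uses stricter values that are assumptions, as is the group name 'IT Admins'. Password settings are per domain, so the default policy is applied to both contoso.com and north.contoso.com.

```powershell
# Added example (not from the proposal). PSO values and the 'IT Admins' group are assumed.
Import-Module ActiveDirectory

# Default Domain Policy values, taken from the proposal; applied to each domain.
$defaultPolicy = @{
    MinPasswordLength           = 10
    ComplexityEnabled           = $true     # mixed case, digits and special characters
    MaxPasswordAge              = New-TimeSpan -Days 45
    MinPasswordAge              = New-TimeSpan -Days 30
    PasswordHistoryCount        = 10
    ReversibleEncryptionEnabled = $false
}
foreach ($domain in 'contoso.com', 'north.contoso.com') {
    Set-ADDefaultDomainPasswordPolicy -Identity $domain -Server $domain @defaultPolicy
}

# Fine-grained policy (PSO) for administrators. If a user falls under several
# PSOs the lowest Precedence wins. Values below are assumptions, all stricter
# than the default. A PSO is domain-local: north.contoso.com needs its own copy.
$itPolicy = @{
    Name                            = 'PSO-IT-Admins'
    Precedence                      = 10
    MinPasswordLength               = 15
    ComplexityEnabled               = $true
    MaxPasswordAge                  = New-TimeSpan -Days 30
    MinPasswordAge                  = New-TimeSpan -Days 1
    PasswordHistoryCount            = 24
    LockoutThreshold                = 5
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($itPolicy.Name)'")) {
    New-ADFineGrainedPasswordPolicy @itPolicy
}
# PSOs are applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $itPolicy.Name -Subjects 'IT Admins'

# Verification: the resultant policy for an IT account must be the PSO. An empty
# result means the account silently falls back to the domain default.
function Get-EffectivePasswordPolicyName {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso.Name } else { return 'Default Domain Policy' }
}

Get-EffectivePasswordPolicyName -SamAccountName 'itadmin1'   # constructed sample account
```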

Additional security measures to be enforced will include disabling user accounts after 10 days of no activity. Account deletion will occur after 30 days of inactivity, unless prior arrangement is made through the IT support department. This will be done to ensure that dormant accounts cannot be used to gain access to network and company resources. Furthermore, account logon hours will be set according to each employee’s regular work hours, with an hour of buffer time at the start and end of their regular work day.
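An added example of the inactivity rule, not part of the proposal: a scheduled sweep that disables accounts idle for 10 days and removes them after 30, skipping members of an exemption group ('Inactivity Exempt', assumed) for staff with a prior arrangement. The OU path is also an assumption. The important caveat for a 10-day threshold is that Search-ADAccount judges inactivity by lastLogonTimestamp, which is only replicated when it is more than about 14 days stale, so the sweep cross-checks the exact lastLogon value on every domain controller before acting.

```powershell
# Added example (not from the proposal); exemption group and OU are assumed.
Import-Module ActiveDirectory

$disableAfter = New-TimeSpan -Days 10
$deleteAfter  = New-TimeSpan -Days 30
$exemptGroup  = 'Inactivity Exempt'                    # prior arrangements with IT go here
$searchBase   = 'OU=Departments,DC=contoso,DC=com'     # run separately for north.contoso.com

# lastLogonTimestamp replicates only when more than ~14 days stale
# (msDS-LogonTimeSyncInterval), so on its own it would flag users who logged on
# last week. lastLogon is exact but not replicated, hence one query per DC.
function Get-TrueLastLogon {
    param([string]$SamAccountName)
    $latest = [DateTime]::MinValue
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon -ErrorAction SilentlyContinue
        if ($u -and $u.lastLogon -gt 0) {
            $t = [DateTime]::FromFileTime($u.lastLogon)
            if ($t -gt $latest) { $latest = $t }
        }
    }
    return $latest
}

function Invoke-InactiveAccountSweep {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $exempt = @(Get-ADGroupMember -Identity $exemptGroup -Recursive | ForEach-Object SamAccountName)
    $now = Get-Date
    # Coarse pre-filter on the replicated attribute; the exact check follows.
    $candidates = Search-ADAccount -AccountInactive -TimeSpan $disableAfter -UsersOnly -SearchBase $searchBase
    foreach ($acct in $candidates) {
        if ($exempt -contains $acct.SamAccountName) { continue }
        $last = Get-TrueLastLogon -SamAccountName $acct.SamAccountName
        if ($last -eq [DateTime]::MinValue) {
            # Never logged on: measure from creation so a new hire is not deleted on day one.
            $last = (Get-ADUser -Identity $acct.DistinguishedName -Properties whenCreated).whenCreated
        }
        $idle = $now - $last
        if ($idle -ge $deleteAfter) {
            if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Delete (idle $($idle.Days) days)")) {
                Remove-ADUser -Identity $acct.DistinguishedName -Confirm:$false
            }
        } elseif ($idle -ge $disableAfter -and $acct.Enabled) {
            if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Disable (idle $($idle.Days) days)")) {
                Set-ADUser -Identity $acct.DistinguishedName -Enabled $false `
                    -Description "Disabled by inactivity sweep on $($now.ToString('yyyy-MM-dd'))"
            }
        }
    }
}

# Dry run first; drop -WhatIf in the scheduled task once the output looks right.
Invoke-InactiveAccountSweep -WhatIf
```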

In addition to the hardware firewalls already in place, Windows Firewall will be enabled on every computer within the organization through group policy, with rules tailored to each department. For example, outbound traffic from the Human Resources and Finance department user workstations to the Creative, Media, and Production file server will be blocked. Public-facing infrastructure, such as the mail and web servers, will have extra restrictions placed on it for additional security; for example, incoming ICMP traffic from the public internet will be blocked to mitigate Denial of Service (DoS) attacks. Windows Defender will also be active on all employee workstations throughout the enterprise as well as all servers. The right configuration of the hardware and software firewalls and Microsoft’s security product should protect Contoso from numerous cyber threats. These are just a few of the policies laid out to begin hardening the network, and the IT department will develop others as they see fit.
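The two firewall rules named above, as an added example that is not part of the proposal: each is written into a domain GPO with the NetSecurity cmdlets so it reaches every computer in the linked OU, and a small check confirms the rule actually arrived in a target's active policy store. The GPO names, the CMP file server addresses and the OU paths are assumptions.

```powershell
# Added example (not from the proposal). GPO names, OU paths and the CMP server
# addresses are assumed.
Import-Module NetSecurity
Import-Module GroupPolicy

$domain     = 'contoso.com'
$cmpServers = '10.1.20.11', '10.1.20.12'     # FL_FS_CMP1 and FL_FS_CMP2, constructed addresses

function New-FirewallGpo([string]$Name, [string]$LinkTarget) {
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | Out-Null
        New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }
    # A GPO session batches several rule edits into a single write to SYSVOL.
    return Open-NetGPO -PolicyStore "$domain\$Name"
}

# Rule 1: HRF workstations may not initiate any traffic to the CMP file servers.
$gpo = New-FirewallGpo -Name 'FW - HRF Workstations' -LinkTarget 'OU=Workstations,OU=HRF,DC=contoso,DC=com'
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Block outbound to CMP file servers' `
    -Direction Outbound -Action Block -Profile Domain `
    -RemoteAddress $cmpServers -Enabled True | Out-Null
Save-NetGPO -GPOSession $gpo

# Rule 2: public-facing web and mail servers drop ICMPv4 echo requests that come
# from addresses Windows does not classify as intranet (the 'Internet' keyword),
# so IT can still ping the servers from the internal LAN. Block rules take
# precedence over the built-in "Echo Request" allow rules.
$gpo = New-FirewallGpo -Name 'FW - Public Servers' -LinkTarget 'OU=Public Servers,DC=contoso,DC=com'
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Block inbound ICMPv4 echo from internet' `
    -Direction Inbound -Action Block -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress Internet -Enabled True | Out-Null
Save-NetGPO -GPOSession $gpo

# Verification on a target after gpupdate: the rule must be present and enabled
# in the merged active store, not just in the GPO.
function Test-FirewallRuleDeployed {
    param([string]$ComputerName, [string]$DisplayName)
    $session = New-CimSession -ComputerName $ComputerName
    $rule = Get-NetFirewallRule -CimSession $session -PolicyStore ActiveStore `
        -DisplayName $DisplayName -ErrorAction SilentlyContinue
    Remove-CimSession $session
    return [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

Test-FirewallRuleDeployed -ComputerName 'FL_WWW1' -DisplayName 'Block inbound ICMPv4 echo from internet'
```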

Print Services:

The print and document services role will be installed on the primary file server at each site, FL_FS1 and WY_FS1, with multiple print devices located throughout the environment. Specifically, there will initially be two print devices located within each department to accommodate printer pooling as a means of load balancing the print jobs between the many users. Any employee will be able to print to other print devices outside of their department, but they will have a lower priority than employees utilizing their own department resources.

DNS and DHCP:

IPv4 addresses will be used throughout the organization for simplicity of management, as IPv4 is still the most widely used protocol today. In the future, when Contoso grows and global adoption rates of IPv6 increase, the addressing scheme will be reconsidered. As there will be many network-critical devices throughout the enterprise network, such as file servers, printers, and domain controllers, these computers will all be assigned static IP addresses rather than DHCP reservations. This will be done to ensure that critical devices are always reachable in case of a DHCP failure. Other devices, such as employee workstations, company laptops, or other mobile devices, will have their addresses managed through DHCP. Scopes will be configured with lease durations of 16 hours. This ensures that an address assignment covers a full work day while still being short enough to prevent the pool of available addresses from running low as mobile devices enter and leave the network throughout the day. DNS and DHCP services will be handled by the primary domain controller of each site. Those servers will also act as a backup for their sister servers at the opposite site, providing failover in the event of server failure or corruption. The 80/20 rule will be applied within each scope: the primary DHCP server provides roughly 80% of the addresses within its scope and the secondary provides the remaining addresses. This will be done to keep address assignment working in situations where the primary DHCP server is unable to fulfil its services (Microsoft, 2005).
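An added example of the 80/20 split, not part of the proposal: one FL workstation scope is created on both FL_DC1 (primary) and WY_DC1 (failover) with the 16-hour lease, and each server excludes the other's share of the pool so that no address is ever offered twice. The subnet, router, DNS and pool addresses are constructed; the split boundary is computed rather than typed in so the same function works for a scope of any size.

```powershell
# Added example (not from the proposal). All addresses are constructed sample values.
Import-Module DhcpServer

$primary   = 'FL_DC1'
$secondary = 'WY_DC1'
$scopeId   = '10.1.10.0'
$scope = @{
    Name          = 'FL Workstations'
    StartRange    = '10.1.10.20'
    EndRange      = '10.1.10.219'          # 200 leases in the pool
    SubnetMask    = '255.255.255.0'
    LeaseDuration = New-TimeSpan -Hours 16 # covers a full work day, as proposed
    State         = 'Active'
}

function ConvertTo-IpNumber([string]$Ip) {
    $b = ([IPAddress]$Ip).GetAddressBytes()            # network (big-endian) order
    return [BitConverter]::ToUInt32([byte[]]($b[3..0]), 0)  # reversed for the little-endian host
}
function ConvertFrom-IpNumber([uint32]$N) {
    return ([IPAddress]([byte[]]([BitConverter]::GetBytes($N)[3..0]))).ToString()
}

# The primary serves the first 80% of the pool and the secondary the remainder;
# each excludes the other's portion from its own copy of the scope.
function Get-SplitBoundary([string]$Start, [string]$End, [int]$PrimaryPercent = 80) {
    $s = ConvertTo-IpNumber $Start
    $e = ConvertTo-IpNumber $End
    $lastPrimary = $s + [math]::Floor(($e - $s + 1) * $PrimaryPercent / 100) - 1
    return [pscustomobject]@{
        PrimaryEnd     = ConvertFrom-IpNumber ([uint32]$lastPrimary)
        SecondaryStart = ConvertFrom-IpNumber ([uint32]($lastPrimary + 1))
    }
}
$split = Get-SplitBoundary -Start $scope.StartRange -End $scope.EndRange   # .179 / .180

foreach ($server in $primary, $secondary) {
    Add-DhcpServerv4Scope -ComputerName $server @scope
    # Client options must be identical on both servers.
    Set-DhcpServerv4OptionValue -ComputerName $server -ScopeId $scopeId `
        -Router '10.1.10.1' -DnsServer '10.1.10.5', '10.2.10.5' -DnsDomain 'contoso.com'
}
# Primary offers .20-.179 (160 addresses) and never the last 20%.
Add-DhcpServerv4ExclusionRange -ComputerName $primary -ScopeId $scopeId `
    -StartRange $split.SecondaryStart -EndRange $scope.EndRange
# Secondary offers .180-.219 (40 addresses) and never the first 80%.
Add-DhcpServerv4ExclusionRange -ComputerName $secondary -ScopeId $scopeId `
    -StartRange $scope.StartRange -EndRange $split.PrimaryEnd

# Both servers must be authorized in Active Directory (Add-DhcpServerInDC), and the
# FL router must relay DHCP broadcasts to WY_DC1 across the WAN (ip helper-address)
# or the failover 20% is never reachable by FL clients.
```

Windows Server 2012 also offers DHCP failover (Add-DhcpServerv4Failover), which replicates lease state between the two servers; the 80/20 split shown here is the scheme the proposal calls for.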

Summary:

In summary, the network infrastructure and hardware will be set up at both sites in a mirrored fashion to provide ease of management for the IT department and to allow for easy growth over the next few years. The multiple domains and logical structure of Active Directory will ease the burden of organizing and administering the enterprise network. Each server will have a dedicated backup server for cases of machine failure, corruption, or other disaster. Security practices such as the password policy, the use of Windows security software, and the additional firewall restrictions will ensure that the company’s sensitive business matters are protected. Estimating conservatively, the IT department could complete the initial setup within a week. While this network deployment may seem excessive, Contoso Advertising is a growing enterprise that requires a solution able to scale as the organization grows.

 

References

Microsoft. (2013, June 24). Manage Multiple, Remote Servers with Server Manager. Retrieved January 10, 2017, from

Microsoft. (2008, January 21). File Server Resource Manager. Retrieved February 01, 2017, from

Microsoft. (2017). Why Is Server Core Useful? Retrieved January 18, 2017, from

Microsoft. (2017). Configuring Password Policies. Retrieved February 09, 2017, from

Microsoft. (2005, January 21). Best Practices. Retrieved February 20, 2017, from

Microsoft. (2012, October 19). AD DS: Fine-Grained Password Policies. Retrieved February 25, 2017, from

Microsoft. (2004, May 25). Using Software Restriction Policies to Protect Against Unauthorized Software. Retrieved February 25, 2017, from

Otey, M. (2011, October 17). Top 10: New Features in Windows Server 2012. Retrieved January 10, 2017, from