# All American Refinery
**Chris DeLuca**
> chris@ctcsolutions.tech
> Cell: 304-881-9840
> Office: 681-245-8380 (evenings)

**Johnathon Wilkes**
> jwilkes@broomcomputers.com
> itdepartment@aarefinery.com
> Cell: 601-740-0762
> Office: 601-543-0603
**Remote software**
[Simplehelp](https://simple-help.com)
**Firewall**
[OPNsense](https://opnsense.org/)
[Protectli Ordered - ETA 9/10/22](https://tools.usps.com/go/TrackConfirmAction?qtc_tLabels1=9405511202557977201745)
---
**2FA info**
I think DUO might be the simplest to integrate into Windows and AD, but it comes with a per-user cost to get the most benefit. We can set it up with fewer than 10 users for free, but there is much more tracking if you go with the full-price plan.
[DUO pricing](https://duo.com/editions-and-pricing)
Here is a video explaining the install of the proxy that DUO uses with the firewall. This will need its own Windows Server 2012 (or higher) machine.
[How to sync users to DUO from AD](https://www.youtube.com/watch?v=JVBzszfGITY)
---
Things to do:
* ~~Move DHCP off router to server~~
* ~~Move DNS off router to server (needs done for all domain machines)~~
* ~~static assign other server IP address~~
* need to ~~start~~ finish creating users
* Folders in Accounting need to be moved to Admins (Permissions changed?)
---
Things to plan out:
* File shares hierarchy for permissions
* Group Policy
* Printers
---
Thoughts:
* If there are DOD contracts or cybersecurity insurance needs, might need to enable 2FA on all remote domain accounts and all domain admins. (2FA needs to be on all servers, firewall vpn account)
* If we are worried about intellectual property rights what about just having local virtual windows machines that people would VPN into the network then RDP one of them and then log into domain. That way no company data leaves the site and we could backup every VM much easier. Then Laptops that leave are just empty shells and no data exists on them to lose. This would also mean people would not need to have a laptop if they had a computer at home, just the VPN access.
* Sonicwall requires yearly subscription to get IPS/IDS. Opnsense does not.
---
### What AAR needs from me
AD deployment covering all company laptops.
Access both remotely and locally.
Want to be sure laptops are only used for work (software?).
Protection of company data on the laptops when they are not onsite.
---
### 8/23/22
1. Removed all previous installed server addons.
2. Created network team with both onboard nics
3. Assigned static ip address 10.2.10.4
4. Segregated hard drive to have Data Volume (D: Drive)
5. Renamed server to AARdata
6. Installed all windows updates
7. Installed Active Directory Services
8. Promoted to Main DC
2 hours
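The 8/23 server build as an elevated PowerShell session on the new Windows Server, added here as an example and not taken from the notes. The NIC names, default gateway, the second disk, and the domain name `aarefinery.local` with NetBIOS name `AAR` are assumptions; the 10.2.10.4 address and the AARdata name are from the entry above.

```powershell
# Added example (not from the original notes). Assumed: NIC names "Ethernet"/"Ethernet 2",
# gateway 10.2.10.1, a spare raw disk numbered 1, domain aarefinery.local / AAR.

# 2. Team both onboard NICs. Switch-independent mode needs no switch-side config.
$team = New-NetLbfoTeam -Name "Team1" -TeamMembers "Ethernet","Ethernet 2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# 3. Static address on the team interface; DNS points at this server because it
#    will host DNS once promoted (the step that later lets DNS move off the router).
New-NetIPAddress -InterfaceAlias $team.Name -IPAddress 10.2.10.4 -PrefixLength 24 `
    -DefaultGateway 10.2.10.1 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $team.Name -ServerAddresses 10.2.10.4

# 4. Separate data volume (D:) so shares never live on the system drive.
Initialize-Disk -Number 1 -PartitionStyle GPT
New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter D |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data" -Confirm:$false | Out-Null

# 5. Rename before promotion; renaming a DC afterwards is far more work.
#    Reboot here, then continue with the steps below.
Rename-Computer -NewName "AARdata" -Force -Restart

# 6. Windows updates via the PSWindowsUpdate module from the PowerShell Gallery
#    (third-party, not built in).
Install-Module PSWindowsUpdate -Force
Install-WindowsUpdate -AcceptAll -AutoReboot

# 7. AD DS role plus the RSAT tools.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 8. First DC of a new forest. Prompts for the DSRM password; DNS is installed with it.
Install-ADDSForest -DomainName "aarefinery.local" -DomainNetbiosName "AAR" `
    -InstallDns -Force
```

Run it in two halves around the rename reboot. After promotion, `Get-ADDomainController` and `dcdiag` confirm the DC is healthy before any clients are pointed at it.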
### 8/24/22
1. Moved DHCP from the SonicWall to the server.
2. Set up DNS forwarders and explained DHCP options and DNS config.
3. Set DHCP reservation for the other computer on the network.
4. Discussed possible virtual local workstations.
5. Removed Active Directory Lightweight Directory Services (unneeded Windows feature that I missed).
1 hour
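The 8/24 DHCP and DNS move as PowerShell on the DC, added as an example rather than copied from the notes. The scope range, lease length, gateway, the reserved MAC address and host name, and the upstream forwarder addresses are assumptions; the server name and address come from the 8/23 entry.

```powershell
# Added example (not from the original notes). Assumed: scope 10.2.10.100-200,
# gateway 10.2.10.1, reservation 10.2.10.5 for MAC 00-11-22-33-44-55, public forwarders.

Install-WindowsFeature DHCP -IncludeManagementTools

# Authorize the DHCP server in AD; an unauthorized server on a domain refuses to lease.
Add-DhcpServerInDC -DnsName "AARdata.aarefinery.local" -IPAddress 10.2.10.4

Add-DhcpServerv4Scope -Name "Office LAN" -StartRange 10.2.10.100 -EndRange 10.2.10.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration 1.00:00:00 -State Active

# Options 3 (router), 6 (DNS) and 15 (suffix). Clients must resolve through the DC or
# domain joins, Kerberos and Group Policy all break, which is why DNS moved with DHCP.
Set-DhcpServerv4OptionValue -ScopeId 10.2.10.0 -Router 10.2.10.1 -DnsServer 10.2.10.4 `
    -DnsDomain "aarefinery.local"

# Reservation for the other server on the network.
Add-DhcpServerv4Reservation -ScopeId 10.2.10.0 -IPAddress 10.2.10.5 `
    -ClientId "00-11-22-33-44-55" -Name "OtherServer"

# The DC answers for the domain zone and forwards everything else upstream.
# Root hints are disabled so a forwarder outage fails visibly instead of silently
# bypassing whatever filtering the forwarder provides.
Set-DnsServerForwarder -IPAddress 9.9.9.9, 1.1.1.1 -UseRootHint $false

# Checks: forwarders present, scope handing out leases.
Get-DnsServerForwarder
Get-DhcpServerv4Scope | Get-DhcpServerv4Lease
```

Once the scope is active, disable DHCP on the SonicWall; two DHCP servers on one segment hand out conflicting DNS settings.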
### 8/31/22
Discussed with Wilkes [NIST 800-171](https://www.varonis.com/blog/nist-800-171) compliance, router replacement as well as suggested server setup.
1 hour
### 9/1/22
1. Discussed VPN and SonicWall vs OPNsense.
2. Set up Wilkes' user.
3. Set up test user.
    * user: acc.test
    * pass: P455w0rd!
30 minutes
### 9/3/22
1. Researched DUO for 2FA on Windows and Firewall
2 hours
### 9/6/22
1. Worked with Wilkes to add users, create shared folders, a printer and group policy in the domain. Discussed more about virtual infrastructure and DUO for 2FA.
5 hours
### 9/7/22
1. Finished adding the users and home directories.
30 minutes
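Bulk creation of users with home directories on the D: data volume, covering the 9/6 and 9/7 entries, added as an example and not the script used on site. The CSV is constructed sample input (the real list came from Wilkes); the `Home$` share, the `OU=Staff` path, the `General Users` and `Board Members` groups and the `AAR` NetBIOS name are assumptions.

```powershell
# Added example (not from the original notes). Assumed: share Home$, OU=Staff,
# groups "General Users" / "Board Members", NetBIOS domain AAR.
Import-Module ActiveDirectory

$root  = "D:\Home"
$share = "\\AARdata\Home$"
$ou    = "OU=Staff,DC=aarefinery,DC=local"

# Share permissions stay broad; the per-folder NTFS ACL below does the real limiting.
New-Item -ItemType Directory -Path $root -Force | Out-Null
if (-not (Get-SmbShare -Name 'Home$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Home$' -Path $root -FullAccess "Authenticated Users" | Out-Null
}

# Constructed sample input.
$users = @"
sam,given,surname,group
acc.test,Test,Account,General Users
jwilkes,Johnathon,Wilkes,Board Members
"@ | ConvertFrom-Csv

$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"

foreach ($u in $users) {
    $sam = $u.sam
    # Random 20-character initial password; user must change it at first logon.
    $pw = -join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ })

    New-ADUser -Name "$($u.given) $($u.surname)" -GivenName $u.given -Surname $u.surname `
        -SamAccountName $sam -UserPrincipalName "$sam@aarefinery.local" -Path $ou `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -HomeDrive "H:" -HomeDirectory "$share\$sam" -Enabled $true
    Add-ADGroupMember -Identity $u.group -Members $sam

    # Home folder: break inheritance so only the owner, Administrators and SYSTEM can read it.
    $dir = New-Item -ItemType Directory -Path (Join-Path $root $sam) -Force
    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in "AAR\$sam", "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", $inherit, "None", "Allow")))
    }
    Set-Acl -Path $dir.FullName -AclObject $acl

    "$sam : initial password $pw"   # hand over out of band, then discard this output
}
```

Removing inherited ACEs per folder is what keeps one user from browsing another's home directory through the shared root; `icacls D:\Home\acc.test` shows the resulting ACL.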
### 9/12/22
1. Set up VPN and created a few users. Tested and discussed how to move forward with VPN and DUO.
2 hours
### 9/15/22
1. Set up temp Windows workstation on the domain.
2. Set up OU in AD to place workstations in for remote controlling.
3. Set up group policy to add the remote desktop group to the local workstations.
4. Set up group policy to enable RDP on the workstations and allow it through the firewall.
5. Tested RDP with my account and a local account.
6. Tested RDP through the VPN.
2 hours
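The 9/15 OU and group-policy work as PowerShell on the DC, added as an example and not the configuration used on site. The OU, GPO and group names, the workstation name `TESTWS01`, and the LAN and VPN subnets in the firewall rule are assumptions.

```powershell
# Added example (not from the original notes). Assumed: OU "Remote Workstations",
# GPO "Workstations - Allow RDP", group "RDP Users", workstation TESTWS01,
# LAN 10.2.10.0/24 and VPN pool 10.2.20.0/24.
Import-Module ActiveDirectory, GroupPolicy

$domain  = Get-ADDomain
$ouPath  = "OU=Remote Workstations,$($domain.DistinguishedName)"
$gpoName = "Workstations - Allow RDP"

# 2. OU for workstations that may be remote controlled; move the test box into it.
New-ADOrganizationalUnit -Name "Remote Workstations" -Path $domain.DistinguishedName
Get-ADComputer -Identity "TESTWS01" | Move-ADObject -TargetPath $ouPath

# Domain group that gets added to each workstation's local Remote Desktop Users.
New-ADGroup -Name "RDP Users" -GroupScope Global -Path $domain.DistinguishedName

# 3/4. GPO linked to the OU: enable RDP and require Network Level Authentication,
#      so credentials are checked before a session (and its attack surface) exists.
$gpo = New-GPO -Name $gpoName
$ts  = "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
Set-GPRegistryValue -Name $gpoName -Key $ts -ValueName fDenyTSConnections -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$ts\WinStations\RDP-Tcp" -ValueName UserAuthentication -Type DWord -Value 1 | Out-Null

# Firewall rule stored in the same GPO: domain profile only, and limited to the LAN
# and VPN subnets instead of any source.
New-NetFirewallRule -PolicyStore "$($domain.DNSRoot)\$gpoName" -DisplayName "Allow RDP from LAN/VPN" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Profile Domain `
    -RemoteAddress "10.2.10.0/24","10.2.20.0/24" -Action Allow | Out-Null
New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes | Out-Null

# The "add remote desktop group" step is Restricted Groups or a Group Policy Preferences
# Local Users and Groups item in the GPO editor; there is no GroupPolicy cmdlet for it.
# The equivalent local command, usable as a GPO startup script on each workstation:
#   Add-LocalGroupMember -Group "Remote Desktop Users" -Member "$($domain.NetBIOSName)\RDP Users"

# 5/6. Check from a VPN-connected machine before handing it over.
Test-NetConnection -ComputerName "TESTWS01" -Port 3389
```

Scoping the firewall rule to the VPN pool and LAN is what keeps RDP unreachable from anywhere else even if a workstation is later moved off site; `gpresult /r` on the workstation confirms the GPO applied.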
### still needs done
* ~~check DNS for forwarders~~
* ~~Need a list of users and groups to create AD OUs~~
* ~~Initial domain Group Policy~~
* Add machines to domain
* setup VPN
### hardware suggestions
[Unifi 6 Lite](https://www.amazon.com/Ubiquiti-Access-Adapter-Included-U6-Lite-US/dp/B08QG92M83/ref=sr_1_3?crid=3A6U7QQMWBLN4&keywords=unifi+u6-lite&qid=1661988398&sprefix=unifi+u6-lite%2Caps%2C241&sr=8-3)
### New Workstation Info
Device name DESKTOP-J6QPABC
Processor Intel(R) Core(TM) i5-9500T CPU @ 2.20GHz 2.21 GHz
Installed RAM 16.0 GB (15.8 GB usable)
Edition Windows 10 Pro
Version 21H2
OS build 19044.2006
Experience Windows Feature Experience Pack 120.2212.4180.0
Want to attempt to use it to build out a test environment to host a VM desktop like we would deploy on the larger servers when they are
### Wilkes Notes
10/4/22 - Added second ethernet cable to dataserver
### Current Server info
Dell poweredge T320 32 gigs ram, 8TB storage, E2520
### Estimated Server Hardware
**Server 1**
TPM2.0 V3
Chassis Config 0, 24x3.5"HDD,Single PERC, for Riser 1-4
2- Intel Xeon Platinum 8380, 40C/80T
Heatsink 165W for 2-CPU System
64G 3200 RDIMM x 32 (2T), Dual Rank
4 - 1.9TB SSD SATA Mixed Use 6Gbps, 2.5" Hot Plug Drive S4610 Hard Drives
12 - 1.2T 10K, SATA 6G, 512n, 2.5 Hot Plug, Hard Drive
BOSS S2 Controller Card with 2 - M.2 240G Sticks No Raid S2
ESXi Embedded Image 7.0 U2 OS
iDRAC 9 DataCenter 15G with OpenManage Enterprise Advanced, Included in Price (1 Host, 3Year)
OpenManage DVD Kit PowerEdge 750
Rear Riser Config 2, Half-Length, 4x16, 2x8 slots, SW GPU Capable
Broadcom 5740 Quad Port 10/25Gbe, SFP28, OCP NIC3 Ethernet
ISDM Combo Card Reader
32G MicroInternal SD Card
Dual Hot Plug, Redundant 2400W Mixed Mode Power Supply with 2 Cords
**Server 2**
TPM 2.0 V3
Chassis Config 0, 16x2.5"HDD,Single PERC, for Riser 1-4
2- Intel Xeon Platinum 8351 N, 2.4G, 36C/72T, 11.2GT/s, 54M Cache, Turbo HT 225W DDR4-2933
32G 3200 RDIMM x 12 (2T), Dual Rank
6 - 1.2T 10K, SATA 6G, 512n, 2.5 Hot Plug, No Raid
BOSS Card w/ 1 - 240G M2
ESXi 7.0 U2 Embedded Image OS
iDRAC 15G Express
Rear Riser Config 0, Half-Length, 4x8
Broadcom 5740 Quad 1G Ethernet
BOSS S2 Controller Card with 1 - M.2 240G Sticks No Raid with Blank S2
ISDM Combo Card Reader
32G MicroInternal SD Card
Dual Hot Plug, Redundant 2400W Mixed Mode Power Supply with 2 Cords
Note: Should be two of these
### Hattiesburg MS Office
1318 Hardy St., Second Floor, Hattiesburg MS 39401
1. ~~Mrs. Jean Bates 601-549-6381 office@aarefinery.com~~
2. ~~Ms. Yvonne Chigwida 267-247-2011 chigwida@aarefinery.com~~
3. ~~Mr. Jesse Grantham 601-335-3298 grantham@aarefinery.com~~ **
4. ~~Mr. Michael Kay 913-702-7186 kay@aarefinery.com~~
5. ~~Mr. Eric Malmstrom 312-505-4700 malmstrom@aarefinery.com~~
6. ~~Mr. Johnathon Wilkes 601-740-0762 itdepartment@aarefinery.com~~
7. ~~Mr. Sherron Broom 601-408-7910 sjbroom@broomserve.com~~
### Mooresville, NC Office
129 Fast Ln., Suite 200, Mooresville NC 28117
1. ~~Mr. Richard Cantwell 704-401-2050 cantwell@aarefinery.com~~ **
2. ~~Mr. Edward Hunter 704-562-6094 hunter@aarefinery.com~~
### Location Unknown
1. ~~Alvin Paguio paguio@aarefinery.com~~
2. ~~D Patel dpatel@aarefinery.com~~
3. ~~Francisca Abrokwa-Frempong franca@aarefinery.com~~
4. ~~Erin O'Connell oconnell@aarefinery.com~~
5. ~~Jeff Derosia derosia@aarefinery.com~~ **
6. ~~John Winkleblack winkleblack@aarefinery.com~~ **
7. ~~Mike Still still@aarefinery.com~~ **
8. ~~Pya Cope cope@aarefinery.com~~
9. ~~Rick Degroote degroot@aarefinery.com~~ **
10. ~~Susan Sjo sjo@aarefinery.com~~
11. ~~Larry Ditoro lditoro@aarefinery.com~~ **
12. ~~Theron Larroquette tjlwwc@aarefinery.com~~ **

The 8 users marked ** are the Board Member group; everyone else is a General User.
### Troublesome Network Card?
[Network Card in Laptops](https://maclookup.app/search/result?mac=5c%3Aba%3Aef%3Aac%3A44%3Aef)