Cyber Security

Module A — Infrastructure Setup

and Security Hardening
Contents
Contents ..................................................................................................................................................................... 2
Introduction to Test Project ........................................................................................................................................ 3
Instructions to the Competitor ................................................................................................................................... 4
Equipment, machinery, installations and materials required...................................................................................... 4
Marking Scheme ......................................................................................................................................................... 4
Test Project objectives ................................................................................................................................................ 5
Best practices. ............................................................................................................................................................ 9
Mark Summary Form .................................................................................................................................................10
Diagrams ...................................................................................................................................................................11

Date: 20.08.19 Version: 1.0

2 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
Introduction to Test Project
This Test Project proposal consists of the following documentation/files:
1. WSC2019_TP54_ModuleA_EN.docx
Introduction
Cyber security knowledge is becoming essential nowadays for people who want to build a successful career in any IT
field. This test project contains a lot of challenges from real life experience, primarily IT integration and IT outsourcing.
If you can complete this project with the high score, you are ready to adopt enterprise security policies to the
infrastructure for any multi-branch enterprise.

Description of project and tasks

This test project is designed using a variety of network technologies with which you should be familiar within the
Cisco, Microsoft and Red Hat certification tracks. Tasks are broken down into the following sections:
 Logon and password policies
 Network equipment hardening
 Public services protection
 Events monitoring
 Firewall policy
You are required to apply requested set of security policies to the multi-branch enterprise with existing infrastructure.
All services are fully functional, but security of these services is left off board. Some security aspects are very
straightforward while some may leave room for different implementation options. Implement all requirements to the
best of your ability, in line with industry best practices (in terms of security, high availability and scalability) within the
limitations imposed by the equipment.

Date: 20.08.19 Version: 1.0

3 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
Instructions to the Competitor
1. Read all tasks in each section before proceeding with any configuration. The completion of any item may require
the completion of any previous or later item.
2. Before starting the test project, confirm that all devices in your topology are in working order. During the test
project, if any device is locked or inaccessible for any reason, you must recover it. When you complete this test
project, ensure that all devices are accessible to the grading Experts. A device that is not accessible for grading cannot
be marked and may cause you to lose substantial points.
3. Knowledge of implementation and troubleshooting techniques is part of the skills being tested in the configuration
section of the Test Project.
4. Test the functionality of all the requirements before you submit the test project. Be careful, because as you
configure one part, you may break a previous requirement or configuration. Points are only awarded for the
implemented tasks.
5. Save your configurations frequently; accidents do and will happen.
6. Make sure that all your configurations are still working after equipment reboot.
7. Whenever you are required to configure a password, use password P@ssw0rd1! if otherwise is not stated.
8. All virtual machines are pre-installed. Use admin\P@ssw0rd local and domain credentials to access windows virtual
machines (administrator\P@ssw0rd for domain administrator) and root\toor to access linux virtual machines and
cisco devices. Do not change these passwords.
9. On windows machines set minimum password age to 02 days in order to experts can check password policies by
changing passwords
10. Complete additional security and audit measures in Best Practices section. Answers in this best practice section
will be used by experts as a time saver for judgment marking. If you mark a section as Not implemented (or no answer
\ no details specified) configuration check for this section will be skipped. Marks are awarded for both listing the
security measures and the implementation under the “Best Practices” section.
11. All your responses must be written in a word document and saved as PDF with country name as file name.

Equipment, machinery, installations and materials

required
It is expected that all Test Projects can be done by Competitors based on the equipment and materials specified in the
Infrastructure List.

Marking Scheme
According to the WorldSkills Standards Specifications within current Technical Description all marks for this test
project module has a maximum mark of 25.

Date: 20.08.19 Version: 1.0

4 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
Test Project objectives
Verify basic configuration
1. Hostnames for all devices and virtual machines are preconfigured according to the topology diagrams.
2. Virtual and physical switching is preconfigured according to the topology diagrams. VLAN numbers on physical
switches are used in accordance with port-groups configuration (if any).
3. IP subnets are preconfigured according to the topology diagrams. For each subnet the gateway device assigned
with the last IP address in this subnet and the client device assigned with the first IP address in this subnet. E.g. in
CORP subnet LED is assigned with last address in this subnet (.254), DC — first available in this subnet (.1), IDS —
next available (.2), etc.
4. Default routing is preconfigured.
5. Server VMs are preconfigured with following roles and services:

Virtual machine Roles \ Services

DC Active Directory Domain Services (nlsz.ru), DNS (nlsz.ru — internal zone), DHCP, Network
Policy Server

IDS SNORT

LOG Splunk

WEB-01 Apache2 web server (www.nlsz.ru)

WEB-02 vsFTPd (ftp.nlsz.ru)

SELECTEL Apache2 web server (www.selectel.ru), DNS (selectel.ru, nlsz.ru — external zone), OpenSSL CA

Logon and password policies

1. Passwords requirements
Note: Password Policy for Windows environment must be implemented through Domain Group Policy and for Linux
systems and networking devices, it has to be local security policy.

Requirement Applied to VM \ device

a) Minimum password length must be no less than 10 DC, Ivan, Boris, Anton, IDS, LOG, Web-01,
characters Web-02, LED, IAR

Date: 20.08.19 Version: 1.0

5 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
 Requirement Applied to VM \ device

b) Enforce the password policy to meet complexity requirement DC, Ivan, Boris, Anton, IDS, LOG, Web-01,
Note: If in case, any new user account been created, please Web-02, LED
list the username and password below:

Username Password
-------------- --------------

c) System passwords must be stored in the configuration as a IAR

reversible cipher text

d) Passwords of local users (including existing users) should be IAR

stored in configuration as a scrypt hash

2. Logon security settings

Note: Password Policy for Windows environment must be implemented through Domain Group Policy and for Linux
systems and networking devices, it must be local security policy.

Requirement Applied to VM \ device

a) Before login (local or remote console) user must see banner "For DC, Ivan, Boris, Anton, IDS,
authorized users only" LOG, Web-01, Web-02, LED, IAR

b) In case of 3 failed login attempts, device login must be blocked for 1 DC, Ivan, Boris, Anton, IDS,
min LOG, Web-01, Web-02, LED, IAR

c) Create the following users (refer table below) and must be able to login LED, IAR
remotely. After login users should automatically land in privileged
mode (level 15). Local authentication must be used in case remote
autnetication server is not available.

User Password
User01 P@ssw0rd01
User02 P@ssw0rd02

d) Inactivity timeout must be no greater than 1 min DC, Ivan, Boris, Anton, IDS,
LOG, Web-01, Web-02, LED, IAR

e) Disable cached logins Ivan, Boris, Anton

Date: 20.08.19 Version: 1.0

6 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
3. User Rights Assignments & Security Options
Note: User Rights Assignment Policy for Windows environment must be implemented through Domain Group
Policy.

Requirement Applied to VM \ device

a) Restrict Guest to be logon locally for Guests group DC, Ivan

b) Disable FIPS compliant alogrithms for encryption, hashing DC, Ivan

and signing

c) Enforce Digital encryption or signing the secure channel data Ivan

for Domain Member

d) Always Digitally sign the communication for the Server DC

Network equipment hardening

1. Inter-branch communication and teleworker remote access policy

Requirement Applied to VM \ device

a) All traffic between branches and from\to teleworker clients LED, IAR, Nikolai
must be enctypted using the most secure and efficient
ciphers available while traversing via public internet.

Public services protection

Requirement Applied to VM \ device

a) All requests to the corporate web site should be processed Web-01

using HTTPS protocol only. All HTTP requests must be
redirected to HTTPS.

b) Corporate FTP server should accept explicit SSL / TLS Web-02

connections only.

Events monitoring
1. Domain Controller’s Security logs must be sent to Splunk dataset for events aggregation through Splunk
Universal Forwarder.
2. Configure Splunk to receive Logs from Domain Controller on port number 8090.
Note: To access splunk console , go to http://172.16.10.2:8000. Username and password are Splunk/P@ssw0rd.

3. Audit policies must match the listed events below.

Note: Audit Policies for Windows environment must be implemented through Domain Group Policy.

Date: 20.08.19 Version: 1.0

7 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
 Requirement Match Applied to VM \ device

a) Credential Validation Success and Failure DC, Ivan, Boris, Anton

b) Computer Account Management Success and Failure DC, Ivan, Boris, Anton

c) Security Group Management Success and Failure DC, Ivan, Boris, Anton

d) Account Lockout Success DC, Ivan, Boris, Anton

e) Logon Success and Failure DC, Ivan, Boris, Anton

f) Logoff Success DC, Ivan, Boris, Anton

g) Sensitive Privilege Use Success and Failure DC, Ivan, Boris, Anton

4. DC performance counters must be configured to measure average disk queue length, processor time and
available memory in MB. Samples must be taken every 30 minutes.
5. All traffic from DMZ network must be mirrored to IDS server. Security alert must be generated for traffic
originated from external networks for any FTP traffic, any ICMP traffic or any traffic, which contains text
"malware" in its payload.

Firewall policy
1. Firewalls on all servers, clients and network equipment must be turned on.
2. Firewall on Domain Controller to be configured to allow the communication to Splunk Server for pushing the
logs on port number 8090.
3. Firewall rules on all devices must be configured with a minimal permission applied only to required traffic
destined to the device

Date: 20.08.19 Version: 1.0

8 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
 Name: _________________________________________________________________
Country: ________________________________________________________________
Workstation No: ________ Login Usernames _________________________________

Best practices.
In case, after initial infrastructure audit, you find any security breaches, which are not covered with above security
measures, please add this information and specify details using the table provided below. You must implement your
additional measures to gain full marks for this section.

Network equipment hardening

Additional Security measure Applied to a server \ device
1)

2)

3)

In case IPsec tunnel configuration is updated, please specify components used from the below options:
Internet Key Exchange protocol: □ IKE v1 □ IKE v2
Authentication: □ Pre-shared key □ RSA
Other \ Details (please specify):

Type your Answer: ______________________

In case remote access VPN configuration is updated, please specify technology used
□ Not implemented □ PPTP □ L2TP □ IPsec □ AnyConnect
□ Other (please specify):

Type your Answer: ______________________

Public services protection

Additional Security measures Applied to a server \ device
1)

2)

3)

Date: 20.08.19 Version: 1.0

9 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
Events monitoring
Additional Audit measures Applied to a server \ device
1)

2)

3)

Mark Summary Form

ID Description Mark Summary
A Infrastructure Setup and Security Hardening 25.00
A1 Logon and password policies 5.75
A2 Network equipment hardening 4.25
A3 Public services protection 2.75
A4 Events monitoring 6.75
A5 Firewall policy 5.50

Date: 20.08.19 Version: 1.0

10 of 12
WSC2019_TP54_ModuleA_actual © WorldSkills International
Diagrams

Date: 20.08.19 Version: 1.0

WSC2019_TP54_ModuleA_actual © WorldSkills International