WSMB2022 PRA ITNSA SOALAN v2

This document provides instructions for configuring servers and networking devices for a skills competition. It details: 1. Configuring Active Directory, DNS, DHCP, PKI, and GPO on a Windows Server 2019 DC. 2. Configuring iSCSI, RAID, file sharing, IIS and other roles on a Windows Server 2019 Core server. 3. Configuring clients, Outlook/Thunderbird, and network testing on Windows 10 workstations. 4. Configuring iSCSI storage, DNS, web servers, mail servers, and FTP on Linux servers. 5. Configuring IP addresses, VLANs, and trunk ports on routers and switches to connect the network infrastructure

PERTANDINGAN WORLDSKILLS MALAYSIA
KATEGORI BELIA (WSMB)
YEAR 2022

(IT NETWORK SYSTEM ADMINISTRATION)

PRE-QUALIFICATION
(5 HOURS)
JABATAN PEMBANGUNAN KEMAHIRAN
KEMENTERIAN SUMBER MANUSIA
Description of project and tasks

PART A: WINDOWS SERVER

Work Task DC Server


NOTE: Please use the default configuration if you are not given the details

• This server is already preinstalled (Windows Server 2019 with GUI)


• Configure the server with the settings specified in the diagram at the end of the document
• Modify the default Firewall rules to allow ICMP (ping) traffic

Active Directory
• Install and configure Active Directory Domain Service for ITNSA.MY
• Import users from the CSV file located in C:\ITNSA\User.zip on the host PC. You may use the PowerShell script provided in the same folder, but the script has errors that need to be repaired:
• Accounts are placed in the appropriate OU
• Accounts are enabled with all properties in the CSV file
• UserPrincipalName with the @itnsa.my suffix
• Users are not required to change password at first login
DNS
• Install and configure DNS Service
• Create also a reverse zone for the internal subnet
• Create static A records for all servers
• Make sure clients are able to communicate with the wsmb.my domain
DHCP
• Install and configure DHCP Service:
• Range 192.168.1.100 – 192.168.1.200/24 (Clients)
• Default Gateway 192.168.1.1
• DNS Server 10.0.0.4
PKI
• Install and configure Certificate Service
• Install only the “Certificate Authority”
• Create a template for Domain Computers

• Name the template “ITNSA-ClientServerCert”


• Publish the template in Active Directory
• Set the subject name format to “common name”
GPO
• Install and configure Policy Management
• Setup the following settings
• All users should receive a login banner that reads
• Title: “Welcome to WSMB2022”
• Message: “Only authorized personnel allowed to access”
• Prohibit this message on all servers!!!
• Autoenrollment of the “ITNSA-ClientServerCert” Certificate to all clients and servers
• Create a GPO called “managers” to automatically issue a certificate for the "Manager" group members using the Managers template.
Work Task Core Server
NOTE: Please use the default configuration if you are not given the details

• This server is already preinstalled (Windows Server 2019 Core no GUI)


• Configure the server with the settings specified in the diagram at the end of the document
• Modify the default Firewall rules to allow ICMP (ping) traffic
• This server is to operate as a Windows Server 2019 CORE installation with no GUI

ISCSI
• Configure the iSCSI Initiator.
• Use iqn.2022-05.itnsa.my:core as Initiator name
• Connect iSCSI target disk “iqn.2022-05.itnsa.my:wsmb2022-tgt”
RAID
• Install and configure RAID 1
• Add 1 new 5 GB drive AND the iSCSI disk
• Create 1 RAID 1 array with the remaining drives (D:\)
File Sharing
• Create a file share for users' home drives:
• Access UNC path: \\core.itnsa.my\homes
• Local path: "D:\homes\"
• Limit home folders so that users cannot store more than 10 MB of data and cannot save bitmap (*.bmp) files.
• Create a file share for local path D:\witness and share it as \\core\witness
• Create a file share for local path D:\WSC and share it as \\core\WSC
• Create two subfolders inside D:\WSC, then share and configure access control on each folder as follows:
• Create a “Junior Skills” folder.
• Allow read-only access for users who have "Junior" as the job title.
• Allow full access to the users who are also part of the "WSJ" organizational unit and also belong to the "Manager" group.
• Create a “Secret Challenges” folder
• Allow modify access only for the "Agent" group.
• This folder should be hidden from all users who have insufficient permission to access the folder.
• Install and configure DFS so that the “WSC” share and the “Public” share from DC are accessible by accessing \\itnsa.my\shares.

IIS

• Create the website “WWW.ITNSA.MY” with its file location at C:\WWW


• Use intranet.html as main page
• Enable HTTPS using certificate signed by DC server
• Make sure no certificate warning is shown
Work Task (CLNT,STAFF,REMOTE) same VM CHANGE VMNET2, VMNET3, VMNET5
NOTE: Please use the default configuration if you are not given the details

• This client is already preinstalled (Windows 10 Enterprise Edition)


• Configure the client with the settings specified in the diagram at the end of the document
• Modify the default Firewall rules to allow ICMP (ping) traffic
• Enable and set the local administrator password to Skills39
• Set the power configuration so the client will never go to sleep while plugged in
• Install Outlook/Thunderbird and configure the mailbox for ITNSA10
• Send/Reply email to ITNSA20
• Install and configure FileZilla client to access BRCH-SRV ftp service
• Staff will be connected to BRCH-RTR port G0/2 to test NAT, DNS and Web access on BRCH-SRV

PART B: LINUX SERVER

(All Linux packages are pre-installed)


Work Task STRG-SRV
NOTE: Please use the default configuration if you are not given the details
• The base Debian OS has been set up on LINUX SERVER
• Configure the server with the settings specified in the diagram at the end of the document
ISCSI
• Configure the iSCSI target.
• Add new disk of 10 GB for storing the virtual machines.
• Format the new disk using ext4 and mount as /NFS/ISCSI.
• Create 5 GB of iSCSI virtual disk "/NFS/ISCSI/WSMB2022.img".
• Configure the target name as "iqn.2022-05.itnsa.my:wsmb2022-tgt".

Work Task BRCH-SVR Server

Configure IP aliases: 10.20.30.[3, 5, 10, 21]


DNS
• Install and configure Bind9
• Configure DNS for WSMB.MY
• Create a reverse zone for the 131.107.0.0/24 network
• Add static records for dns, ftp, www, mail, and intranet

• Configure Public DNS for ITNSA.MY
• Create a reverse zone for the 203.12.220.0/27 network
• Add static records for dns, www
WEB
• Install nginx with php7
• Show on both websites the website name (the fully qualified domain name) and
the current date and time (either client time or server time)
• Enable HTTPS using certificate signed by DC server
• Make sure no certificate warning is shown
• Create websites “WWW.WSMB.MY” and “INTRANET.WSMB.MY”
• Make sure “INTRANET.WSMB.MY” is protected by authentication
• Allow users from “ITNSA10” to “ITNSA20”
• As a basic security measure, make sure nginx doesn't expose any version and OS information
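One way to meet the INTRANET.WSMB.MY requirements above (HTTPS, authentication, no version or OS disclosure), as an added example that is not part of the original task sheet. The certificate, document root, password file and PHP-FPM socket paths are assumptions.

```nginx
# Added example; every file path below is an assumption, adjust to the actual server.

# Plain HTTP only redirects, so basic-auth credentials never travel unencrypted.
server {
    listen 80;
    server_name intranet.wsmb.my;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name intranet.wsmb.my;

    # Server header becomes plain "nginx"; error pages drop the version string.
    # Placing this in the http {} block instead covers every site on the host.
    server_tokens off;

    # Certificate issued by the DC's CA (assumed file names), with its private key.
    ssl_certificate     /etc/ssl/certs/intranet.wsmb.my.pem;
    ssl_certificate_key /etc/ssl/private/intranet.wsmb.my.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root  /var/www/intranet;   # assumed document root
    index index.php;

    # Basic authentication for the whole site. The assumed password file holds
    # ITNSA10..ITNSA20 and can be created with htpasswd (apache2-utils).
    auth_basic           "INTRANET.WSMB.MY";
    auth_basic_user_file /etc/nginx/intranet.htpasswd;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;   # assumed socket; PHP 7 minor version may differ
        fastcgi_hide_header X-Powered-By;             # PHP would otherwise announce its version
    }
}
```

For the "no certificate warning" requirement, the certificate's subject alternative name must match intranet.wsmb.my and the clients must trust the DC's CA certificate.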
MAIL (Postfix, Dovecot, Roundcube)
• You may use any software for the mail server. Functional testing will be applied
• Mail users can access webmail at https://mail.wsmb.my
• Create users ITNSA10 to ITNSA20 with password “Skills39”
• Make sure ITNSA10 to ITNSA20 have access via IMAPS and SMTPS
• Use certificates signed by DC server for SSL/TLS encryption
FTP
• Install and configure ProFTPD over SSL/TLS
• Use a certificate signed by DC server
• Use implicit encryption
• Create an FTP user account for each website of the webserver
• User “WebAdmin” with password “Skills39”
• User “intranet” with password “Skills39”
• Make sure the users are jailed in their respective website document root directories.
• Make sure file transfer to the server is possible.
PART C: NETWORK

Table 1: IP Address

| HOSTNAME | IP ADDRESS | VMNET MAPPING |
|---|---|---|
| DC | ETH0 10.0.0.4 | VMNET1 |
| CORE | ETH0 10.0.0.3 | VMNET1 |
| STRG-SVR | ENS33 10.0.0.5 | VMNET3 |
| BRCH-SRV | ENS33 10.20.30.[2,3,5,10,21] | VMNET4 |
| CLNT,STAFF,REMOTE | ETH0 DHCP | VMNET2,6,5 |
| ISP-RTR | G0/0 131.107.0.1; G0/1 203.12.220.30; G0/2 121.122.5.1/27 | |
| BRCH-RTR | G0/0 131.107.0.254; G0/1.10 172.16.1.1; G0/1.20 10.20.30.1 | |
| CORP-FW | G0/1 203.12.220.1; G0/2 20.20.20.1; G0/0.10 10.0.0.1; G0/0.20 192.168.1.1; G0/0.99 11.22.33.254 | |
| CORP-SW1 | VLAN99 11.22.33.1 | |
| CORP-SW2 | VLAN99 11.22.33.2 | |
| CORP-SW3 | VLAN99 11.22.33.3 | |

Table 2: VLAN and Port

| HOSTNAME | VLAN/Port |
|---|---|
| CORP-SW[1-3] | VLAN10 NAME: SVR; VLAN20 NAME: LAN; VLAN99 NAME: MGMT |
| BRCH-SW | VLAN10 NAME: SVR; VLAN20 NAME: LAN |
| CORP-SW1 | G0/2, G1/2: TRUNK TO CORP-SW2; G0/3, G1/3: TRUNK TO CORP-SW3; G0/0: TRUNK TO CORP-FW; VLAN 10: STRG-SRV - G0/1 |
| CORP-SW2 | G0/2, G1/2: TRUNK TO CORP-SW1; G0/0, G1/0: TRUNK TO CORP-SW3; VLAN 10: DC - G0/1 |
| CORP-SW3 | G0/3, G1/3: TRUNK TO CORP-SW1; G0/0, G1/0: TRUNK TO CORP-SW2; VLAN20: CLNT - G0/1 |

Table 3: VTP

| Setting | Value |
|---|---|
| VTP Server | CORP-SW1 |
| VTP Client | CORP-SW[2-3] |
| VTP Domain | ITNSA.MY |
| VTP Password | Skills39 |
| VTP Version | 2 |

• Configure hostname, IP address, VLAN and VTP based on Table 1, Table 2 and Table 3
SWITCH
• Configure LACP for the links between CORP-SW1, CORP-SW2 and CORP-SW3
• CORP-SW3 will be in passive mode for both links
• CORP-SW2 will be in passive mode for the link to CORP-SW1
• Use MGMT as the native VLAN for trunks
VPN
• Configure a site-to-site VPN between CORP-FW and BRCH-RTR
• Allow both sites' internal networks to pass through the VPN
• The VPN must be encrypted using IPsec
• You may use any authentication method to establish the VPN
DHCP
• Configure DHCP on ISP-RTR
• Use appropriate range and gateway for 121.122.5.10-20/27
• Use BRCH-SVR public IP as DNS server
SECURITY
• Configure DHCP Snooping on the CORP switches to allow only the DC server to serve DHCP
• On CORP-FW:
• LAN and SVR VLAN should be able to access all services
• Only WWW is allowed to be accessed from the Internet
• Block other access
ROUTING
• Configure OSPF between CORP-FW, ISP-RTR and BRCH-RTR
• OSPF advertisement disabled on all LAN interfaces
• Only share public IP addresses with OSPF neighbors
• Protect the OSPF link with MD5 authentication with password “Skills39”
NAT
• Map the following services from BRCH-RTR to BRCH-SVR

• DNS - (131.107.0.3 TO 10.20.30.3 )


• Web - (131.107.0.5 TO 10.20.30.5 )
• Mail - (131.107.0.10 TO 10.20.30.10 )
• Ftp - (131.107.0.21 TO 10.20.30.21 )

• Map the following service from the Internet to www.itnsa.my


• Web - (203.12.220.3 TO 10.0.0.3)
[Network diagram: topology connecting ISP-RTR, BRCH-RTR, BRCH-SW, BRCH-SVR, CORP-FW, CORP-SW1, CORP-SW2, CORP-SW3, DC, CORE, STRG-SVR and the CLIENT, STAFF and REMOTE workstations, with each device labelled with its roles and interface addresses.]
[Addresses shown in the diagram: 172.16.1.1/26, 10.20.30.1/24, 131.107.0.254/24, 131.107.0.1/24, 10.20.30.2/24, 10.0.0.5/24, 121.122.5.0/27, 203.12.220.30/27, 203.12.220.1/27, 11.22.33.LAST IP/28, 10.0.0.1/24, 192.168.1.1/24, 11.22.33.1/28, 11.22.33.2/28, 11.22.33.3/28, 10.0.0.4/24, 10.0.0.3/24]
