LooL Source: testking.com
Sim 1:

Edit Default DC Policy.
Disable: "Microsoft network server: Digitally sign communications (always)" Default: Enabled for domain controllers
Enable: Microsoft network server: Digitally sign communications (if client agrees)

==
Sim 2:

Edit GPO2

Enable: "Network security: LAN Manager authentication level"

Select: Send NTLMv2 response only\refuse LM & NTLM:

Link GPO2 to servers and clients. <<Link to domain>>

NTLM v2 available since Windows NT 4.0 SP4.
==
Sim 3: Seems ok.

When you use Network Neighborhood or NET VIEW to view network resources, the Computer Browser service provides a list of computers sharing resources in your domain, along with other domain and workgroup names across the WAN.
==
Sim 4: Control Panel | Add Remove Programs | Windows Components: Uncheck both "Application Server" & "Windows Media Services"
==
Sim 5: Seems ok.
==
Sim 6: Seems ok.
==
Sim 7: Seems ok.
==
Sim 8: Seems ok.
==
Sim 9: 1. Configure Certificate Services to issue code-signing certificates

-Open Certificate Services, right-click on Certificate Templates, click on New Certificate Template to Issue and select Code Signing

2. Use the Certificate Services Web interface to request a code-signing
certificate for yourself

-In IE connect to hxxp://servername/certsrv, click on Request a Certificate, user certificate, submit, install this certificate, close IE

3. Ensure that only a user named Bruno has the authority to add certificates
to Active Directory.
-In Certificate Services click on CA Name, Security, Add, type in Bruno. In Permissions, click Allow on Issue and Manage Certificates. Remove all others

==
Sim 10: Certification Authority | 'Certificate Services' | Issued Certificates | Revoke Tess King certificate.
Rt Clk 'Revoked Certificates' | Publish | Publish CRL.
==
Sim 11: Seems ok. When you enable this setting, it will prevent Internet Information Services (IIS) from being installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS may not receive a warning that IIS cannot be installed because of this Group Policy. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer.
==
Sim 12: Update Server Option 006 DNS Servers. Otherwise ok.
==
Sim 13: Rt Clk Routing & Remote Access | Add Server: NY Server. Otherwise ok.
==
Sim 14: Seems ok. See 17.
==
Sim 15: Open IIS Manager | Web Sites | Default Web Site | Rt Clk CertSvr Virtual Directory | Permissions | Authenticated Users | Check Read & Execute.
Rt Clk CertSvr Virtual Directory | Properties | Virtual Directory | Configuration | Options | Enable Session State.
Directory Security | Authentication & Access Control | Edit | Uncheck 'Enable Anonymous Access' & Check 'Integrated Windows Authentication'.
==
Sim 16: Seems ok.
==
Sim 17: Open Dsa.msc. Link GPO1 IP Security Policy: Secure Server (Require Security) to HR Servers OU. Link GPO2 IP Security Policy: Client (Respond Only) to testking.com domain.
==
Sim 18: Control Panel | Add Remove Programs | Add Remove Windows Components | Certificate Services | CA type: Enterprise Root CA | Common Name for CA: rootca | Validity Period: 3 Years.
==
Sim 19:

go to admin tools > cert authority
select the issued certs
right click Mary's - revoke
select the pending certs
right click and issue
check issued certs - Mary Gibson

best wishes