IT541 – Lab #1 Implementing Access Controls with Windows Active Directory


 

Assignment Grading Rubric

Course: IT 541 Unit: 1 Points: 50

Assignment 1

Outcomes addressed in this activity:

Unit Outcomes:

  • Distinguish between the two main categories of security controls.
  • Distinguish the security areas within the CIA triad.

Course Outcomes:

IT 541-2: Compare authentication and encryption methods.

Assignment Instructions

This Assignment provides a “hands on” element to your studies. It gives you the opportunity to work with the protocols and see how they operate in real-world environments. Read and perform the lab entitled “IT 541 Unit 1 Assignment Lab” found in Doc Sharing; use the lab sheet included at the end of the lab file to submit your results.

Directions for Submitting Your Assignment

Use the Lab #1 Worksheet document found at the back of the lab instructions as a guide for what to submit, and save it as a Word® document, entitled Username-IT 541 Assignment-Unit#.doc (Example: TAllen- IT 541 Assignment-Unit1.doc). Submit your file by selecting the Unit 1: Assignment Dropbox by the end of Unit 1.

Assignment Requirements

  • Answers contain sufficient information to adequately answer the questions
  • No spelling errors
  • No grammar errors

*Two points will be deducted from your grade for each occurrence of not meeting these requirements.

For more information and examples of APA formatting, see the resources in Doc Sharing or visit the KU Writing Center from the KU Homepage.

Also review the KU Policy on Plagiarism. This policy will be strictly enforced on all applicable assignments and discussion posts. If you have any questions, please contact your professor.

Review the grading rubric below before beginning this activity.

Unit 1 Assignment Grading Rubric = 50 points

| Assignment Requirements | Points Possible | Points Earned |
|---|---|---|
| Document demonstrates that the student was able to correctly implement an Active Directory system administrative configuration for groups and users. | 0–10 | |
| Document demonstrates that the student was able to correctly implement global domain departmental groups and user accounts. | 0–10 | |
| Document demonstrates that the student was able to correctly implement departmental group and user folders with unique access rights per defined requirements. | 0–10 | |
| Document demonstrates that the student was able to correctly access the server as a user and test errors encountered when attempting to create and save data files. | 0–10 | |
| Document demonstrates that the student was able to correctly implement a list of new and modified access control parameters in order to create more stringent access controls. | 0–10 | |
| Total (Sum of all points) | 0–50 | |
| Points deducted for spelling, grammar, and APA errors | | |
| Adjusted total points | | |

Lab #1 – Assessment Worksheet

Implementing Access Controls with Windows Active Directory

Course Name and Number: _____________________________________________________

Student Name: ________________________________________________________________

Instructor Name: ______________________________________________________________

Lab Due Date: ________________________________________________________________

Overview

In this lab, you used the Active Directory Domain Controller to secure the C-I-A triad, ensuring confidentiality and integrity of network data. You created users and global security groups and assigned the new users to security groups. You followed a given set of access control criteria to ensure authentication on the remote server by applying the new security groups to a set of nested folders. Finally, you verified that authentication by using the new user accounts to access the secured folders on the remote server.

Lab Assessment Questions & Answers

1. Relate how Windows Server 2012 Active Directory and the configuration of access controls achieve C-I-A for departmental LANs, departmental folders, and data.

2. Is it a good practice to include the account or user name in the password? Why or why not?

3. What are some of the best practices to enhance the strength of user passwords in order to maximize confidentiality?

4. Can a user who is defined in Active Directory access a shared drive on a computer if the server with the shared drive is not part of the domain?

5. Does Windows Server 2012 R2 require a user’s logon/password credentials prior to accessing shared drives?

6. When granting access to network systems for guests (i.e., auditors, consultants, third-party individuals, etc.), what security controls do you recommend implementing to maximize CIA of production systems and data?

7. In the Access Controls Criteria table, what sharing changes were made to the MGRfiles folder on TargetWindows01-DC server?

8. In the Access Controls Criteria table, what sharing changes were made on the TargetWindows01-DC server to allow Shopfloor users to read/write files in the C:\LabDocuments\SFfiles folder?

9. In the Access Controls Criteria table, what sharing changes were made on the TargetWindows01-DC server to allow HumanResources users to read/write files in the C:\LabDocuments\HRfiles folder?

10. Explain how C-I-A can be achieved down to the folder and data file access level for departments and users using Active Directory and Windows Server 2012 R2 access control configurations. Configuring unique access controls for different user types is an example of which kind of access controls?

 

Lab #1 Crafting an Organization-Wide Security Management Policy for Acceptable Use

 

Introduction

When given access to resources, whether IT equipment or some other type of asset, most people will use the resources responsibly. However, a few people, when left to rely on only common courtesy or good judgment, will misuse or abuse those resources. The misuse might be for their own benefit or just for entertainment. While the misuse can be unintentional, it is still a waste of resources. To avoid that waste or outright abuse, a company will document official guidance. For resources within the IT domains, that guidance is called an acceptable use policy (AUP).

An AUP’s purpose is to establish the rules for a specific system, network, or Web site. These policies outline the rules for achieving compliance, for example. They also help an organization mitigate risks and threats because they establish what can and cannot take place.

In this lab, you will define an AUP as it relates to the User Domain, you will identify the key elements of sample AUPs, you will learn how to mitigate threats and risks with an AUP, and you will create your own AUP for an organization.

Learning Objectives

Upon completing this lab, you will be able to:

Define the scope of an acceptable use policy (AUP) as it relates to the User Domain.

Identify the key elements of acceptable use in an organization’s overall security management framework.

Align an AUP with the organization’s goals for compliance.

Mitigate the common risks and threats caused by users in the User Domain with the implementation of an AUP.

Draft an AUP in accordance with the policy framework definition that incorporates a policy statement, standards, procedures, and guidelines.

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file;

2. Lab Assessments file.

 

Hands-On Steps

Note:

This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

1. On your local computer, create the lab deliverable files.

2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.

3. Using Figure 1, review the seven domains of a typical IT infrastructure.

 

Figure 1 Seven domains of a typical IT infrastructure

4. On your local computer, open a new Internet browser window.

5. In the address box of your Internet browser, type the URL http://cve.mitre.org and press Enter to open the Web site.

 

Note:

CVE stands for Common Vulnerabilities and Exposures, which is a reference system originated by the MITRE Corporation for cataloging known information security vulnerabilities. While MITRE is a U.S. not-for-profit organization, the U.S. Department of Homeland Security provides a portion of the funding to support the CVE database.

6. On the Web site’s left side, click the Search CVE link.

7. In the box on the right titled CVE List Master Copy, click View CVE List.

8. In the Search Master Copy of CVE box at the bottom of the page, type User Domain into the By Keyword(s) area and click Submit.

9. Search the resulting list of articles for entries related to the User Domain.

10. In your Lab Report file, identify the risks, threats, and vulnerabilities commonly found in the User Domain. (Name at least three risks/threats.)

Note:

Your search for relevant risks will be difficult due to the high number of vulnerabilities related to Windows® Active Directory® domains, as opposed to the “User Domain” as one of the seven IT asset domains. Try additional words that describe user-particular risks or threats, for example, surfing, phishing, malicious, downloads, etc.

Consider listed vulnerabilities, such as those that allow an authenticated user to gain unauthorized privileges, or steal others’ passwords or files.

11. In the address box of your Internet browser, type the URL http://www.sans.org/reading_room/whitepapers/threats/ and press Enter to open the Web site.

12. Scroll through the list of articles to find articles on threats and vulnerabilities in the User Domain.

13. Choose two articles that discuss two of the risks or threats you listed in step 10.

14. In your Lab Report file, discuss how these articles explain how to mitigate risks or threats in the User Domain.

15. In the address box of your Internet browser, type the following URLs and press Enter to open the Web sites:

· Health care: http://it.jhu.edu/policies/itpolicies.html

· Higher education: http://www.brown.edu/information-technology/computing-policies/acceptable-use-policy

· U.S. federal government: https://www.jointservicessupport.org/AUP.aspx

16. In your Lab Report file, list the main components of each of the acceptable use policies (AUPs) documented at each of these sites.

17. In your Lab Report file, explain how a risk can be mitigated in the User Domain with an acceptable use policy (AUP). Base your answer on what you discovered in the previous step.

18. Consider the following fictional organization, which needs an acceptable use policy (AUP):

· The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations throughout the region.

· Online banking and use of the Internet are the bank’s strengths, given its limited human resources.

· The customer service department is the organization’s most critical business function.

· The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.

· The organization wants to monitor and control use of the Internet by implementing content filtering.

· The organization wants to eliminate personal use of organization-owned IT assets and systems.

· The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.

· The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training.

Note:

The best style for writing IT policy is straightforward and easy to understand. Avoid “fluff,” or unnecessary wording, and phrasing that could be understood more than one way. Write in concise, direct language.

19. Using the following AUP template, in your Lab Report file, create an acceptable use policy for the XYZ Credit Union/Bank organization (this should not be longer than three pages):

XYZ Credit Union/Bank

Policy Name

Policy Statement

{Insert policy verbiage here.}

Purpose/Objectives

{Insert the policy’s purpose as well as its objectives; include a bulleted list of the policy definition.}

Scope

{Define this policy’s scope and whom it covers.

Which of the seven domains of a typical IT infrastructure are impacted?

What elements, IT assets, or organization-owned assets are within this policy’s scope?}

Standards

{Does this policy point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.}

Procedures

{In this section, explain how you intend to implement this policy throughout this organization.}

Guidelines

{In this section, explain any roadblocks or implementation issues that you must overcome and how you will overcome them per the defined policy guidelines.}

Note:

This completes the lab. Close the Web browser, if you have not already done so.