Implementing Access Controls with Windows Active Directory (3e) Introduction
Computer security is accomplished using many different systems, but the fundamental concepts are all rooted in the security triad known as CIA (Confidentiality, Integrity, and Availability). CIA is a key goal of any security program. Confidentiality is preventing the disclosure of secure information to unauthorized individuals or systems. Integrity is maintaining and assuring the accuracy of data over its life-cycle. For information to be useful it must be available when needed, hence the need for Availability: the data may need to be stored in highly redundant, highly protected areas with adapted power and cooling.
Microsoft has developed the Active Directory Domain structure so that a central authority, the Domain Controller, serves as the repository for all domain security records. It has several layers of authentication and authorization, including the standard username/password credentials and several options for two-factor authentication. Two-factor authentication combines something you know, such as a password, with something you are (a biometric device such as a fingerprint or a retina scan) or something you possess (a smart card or a USB stick). The Domain Controller can also employ a self-signed or third-party certificate system that adds a distinct third layer to the authentication process. The domain can be a standalone entity, or, in a corporate environment, domains from offices all over the world can be joined together in a forest. In this instance, the local security administrators may have rights to their own office's domain tree, but only the corporate administrators would have full access to the entire forest.
In this lab, you will use Microsoft Windows Active Directory to enforce the CIA triad, ensuring confidentiality and integrity of network data. You will create users and global security groups, then assign the new users to the security groups. Next, you will follow a given set of access control criteria to assign permissions for the new security groups to a set of nested folders. Finally, you will test your access control configuration by using the new user accounts to remotely access the secured folders.
Each section of this lab is assigned at your instructor's discretion. Please consult your instructor to confirm which sections you are required to complete for your lab assignment.
SECTION 1 of this lab has three parts, which should be completed in the order specified.
1. In the first part of the lab, you will use the Active Directory Users and Computers module to create a series of users and global security groups. You will also add the new users to the new security groups, just as you would in a real-world domain.
2. In the second part of the lab, you will apply the new security groups to nested folders according to a given set of access control criteria.
3. In the third part of the lab, you will verify the new users can remotely access the appropriate folders.
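The three parts above can also be carried out from the command line. The following is an added example, not part of the lab manual: it uses the ActiveDirectory and SmbShare PowerShell modules to create the groups, users and memberships, then the folders with their NTFS and Share permissions, and finally verifies the result. The group names Managers, the user names HRUser01 and SFManager, and the folder names MGRfiles, HRfiles and SFfiles come from the lab; the domain name lab.local, the OU name LabUsers, the folder root D:\Shares, and the group names HumanResources and SalesForce are assumptions.

```powershell
# Added example (not the lab's own script). Run in an elevated PowerShell session on the
# server that holds the folders and has the AD module installed (the lab's Domain Controller).
Import-Module ActiveDirectory
Import-Module SmbShare

$domainDn = 'DC=lab,DC=local'      # assumption: the lab does not name the domain
$ouName   = 'LabUsers'             # assumption: OU that will hold the new objects
$ouDn     = "OU=$ouName,$domainDn"
$root     = 'D:\Shares'            # assumption: where the departmental folders live
$nb       = (Get-ADDomain).NetBIOSName

# Group -> folder mapping. Managers/MGRfiles, HRfiles and SFfiles are from the lab;
# the HumanResources and SalesForce group names are assumptions.
$groups = [ordered]@{ Managers = 'MGRfiles'; HumanResources = 'HRfiles'; SalesForce = 'SFfiles' }

# Users from the lab deliverables. SFManager is a sales manager, so it belongs to both groups.
$users = @(
    @{ Name = 'HRUser01';  Groups = @('HumanResources') },
    @{ Name = 'SFManager'; Groups = @('SalesForce', 'Managers') }
)

# Prompt for the initial password so it is never stored in the script.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for the new users'

# Part 1: OU, global security groups, users, and group membership.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouDn
    }
}
foreach ($u in $users) {
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$($u.Name))")) {
        New-ADUser -Name $u.Name -SamAccountName $u.Name -Path $ouDn `
                   -AccountPassword $initialPassword -Enabled $true -ChangePasswordAtLogon $true
    }
    foreach ($g in $u.Groups) { Add-ADGroupMember -Identity $g -Members $u.Name }
}

# Part 2: one folder per group. NTFS: stop inheriting, keep SYSTEM and Administrators with
# Full Control, give the owning group Modify. Share: only the owning group, with Change.
foreach ($g in $groups.Keys) {
    $folder = Join-Path $root $groups[$g]
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    $acl = Get-Acl -Path $folder
    $acl.SetAccessRuleProtection($true, $false)        # break inheritance, drop inherited rules
    foreach ($id in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$nb\$g", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $folder -AclObject $acl

    if (-not (Get-SmbShare -Name $groups[$g] -ErrorAction SilentlyContinue)) {
        # Naming an access parameter replaces the default "Everyone: Read" share entry.
        New-SmbShare -Name $groups[$g] -Path $folder -ChangeAccess "$nb\$g" | Out-Null
    }
}

# Part 3 check, before testing from the second server: who is in Managers, and who may use each share?
Get-ADGroupMember -Identity Managers | Select-Object SamAccountName, objectClass
foreach ($share in $groups.Values) { Get-SmbShareAccess -Name $share }
```

Because both layers are set, a user who is a member of Managers reaches \\server\MGRfiles with the lesser of the share right (Change) and the NTFS right (Modify), which is what the lab's Part 3 tests from the second machine with SFManager and HRUser01.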
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will create a separate Organizational Unit for Contractors. You will also explore some of the differences between Share permissions and NTFS permissions.
Finally, you will explore the virtual environment on your own in SECTION 3 of this lab to answer a set of questions and challenges that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.
Upon completing this lab, you will be able to:
1. Create new global security groups using Microsoft Windows Active Directory
2. Create new domain users using Microsoft Windows Active Directory
3. Assign domain users to global security groups using Microsoft Windows Active Directory
4. Create a simple folder system to match an organization's departmental structure
5. Configure departmental group folders with unique access rights per defined access control requirements
6. Remotely access a Windows Server machine using different user accounts and test access rights for your organization's folder system
This lab contains the following virtual machines. Please refer to the network topology diagram below.
· TargetWindows01 (Windows Server 2019) [Domain Controller]
· TargetWindows02 (Windows Server 2019)
Tools and Commands
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
· Microsoft Server Manager
· Microsoft Windows Active Directory
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Report file including screen captures of the following:
· members of the Managers group;
· updated share permissions for the MGRfiles folder;
· updated share permissions for the HRfiles folder;
· updated share permissions for the SFfiles folder;
· text file for HRUser01 in the HRfiles folder;
· text file for SFManager in the SFfiles folder;
· text file for SFManager in the MGRfiles folder;
2. Any additional information as directed by the lab;
3. Lab Assessment.
1. Lab Report file including screen captures of the following:
· two new users within the Contractors OU;
· contents of the CoreFiles directory;
· updated Security permissions for the yourtown directory;
· result of attempting to create a new test file;
2. Any additional information as directed by the lab;
· description of the results of Part 4, Step 7;
· description of the results of Part 4, Step 10;
· explanation of the results in Part 4, Steps 4, 7, and 10.
1. Analysis and Discussion
2. Tools and Commands
3. Challenge Exercise
Section 1: Hands-On Demonstration
Part 1: User and Group Administration
23. Make a screen capture showing the members of the Managers group and paste it into your Lab Report file.
Part 2: Resource Management
19. Make a screen capture showing the updated share permissions for the MGRfiles folder and paste it into your lab report.
20. Make a screen capture showing the updated share permissions for the HRfiles folder and paste it into your lab report.
21. Make a screen capture showing the updated share permissions for the SFfiles folder and paste it into your lab report.
Part 3: Practical Application
13. Make a screen capture showing the text file for HRUser01 in the HRfiles folder and paste it into your Lab Report file.
14. Make a screen capture showing the text file for SFManager in the SFfiles folder and paste it into your Lab Report file.
15. Make a screen capture showing the text file for SFManager in the MGRfiles folder and paste it into your Lab Report file.
Section 2: Applied Learning
Part 1: User and Group Administration
7. Make a screen capture showing the two new users within the Contractors OU and paste it into your Lab Report file.
Part 2: Resource Management
4. Make a screen capture showing the contents of the CoreFiles directory and paste it into the Lab Report file.
14. Make a screen capture showing Advanced Security Settings for the yourtown directory and paste it into the Lab Report file.
Part 3: Modify Permissions Using a Script
5. Make a screen capture showing the result of attempting to create a new test file and paste it into the Lab Report file.
7. Repeat steps 2-4 for the ANewuser account and describe the results in the Lab Report file. Unable to access \\172.30.0.15\CoreFiles.
10. Repeat step 4 and describe the results in the Lab Report file. Able to create new text file.
11. In the Lab Report file, explain why you received the results you did in steps 4, 7, and 10.
· Step 4: Because while ilastname has NTFS permissions that allow writing to the yourschool directory, their Share permissions only permit Read.
· Step 7: Because while both ilastname and ANewuser have identical NTFS permissions, only ilastname has Share permissions that permit them to Read CoreFiles and its contents.
· Step 11: Because Share permissions only govern remote access to a Share. Since ilastname is now only subject to their NTFS permissions (which give Full Control to the yourschool directory), they're able to create the text file.
Section 3: Challenge and Analysis
Note: The following challenge questions are provided to allow independent, unguided work, similar to what you will encounter in a real situation. You should aim to improve your skills by getting the correct answer in as few steps as possible. Use screen captures in your lab document where possible to illustrate your answers.
Part 1: Analysis and Discussion
Use the Internet to research the SYSTEM account. Why is it necessary to include this account with full control on a directory?
SYSTEM will allow the operating system to backup, monitor, and record events on the directory.
Part 2: Tools and Commands
Using the icacls utility, document the command that will give the ANewuser account write access to the
The command is icacls C:\CoreFiles\yourschool /grant ANewuser:w
Part 3: Challenge Exercise
Using your work in this lab as a guide, create a three-level directory structure for your family tree (grandparents, parents, children). You will need to create user accounts for each member of the family (at least 2 in each generation), create groups for each generation, and then secure the folders so that only members of a single generation can write to files within that generation's directory. Make screen captures to document your progress and describe your process. You may use fake names if you prefer.
Answers will be unique to each student.
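The Section 2, Part 3 results (Share permissions gate remote access to a share, NTFS permissions apply in every case, and the effective remote right is the more restrictive of the two) and the Section 3, Part 2 icacls command can be checked with the following added example. It is not part of the lab manual. The share name CoreFiles, the path C:\CoreFiles\yourschool and the accounts ilastname and ANewuser are the lab's placeholders; the function names Get-TokenIdentities and Test-EffectiveRemoteAccess are mine, and the Grant-SmbShareAccess step at the end goes one step beyond the lab's answer to show what remote write access would additionally require.

```powershell
# Added example (not the lab's own script). Run in an elevated session on the server that
# hosts the CoreFiles share, with the AD module available.
Import-Module ActiveDirectory
Import-Module SmbShare

$shareName = 'CoreFiles'
$ntfsPath  = 'C:\CoreFiles\yourschool'
$nb        = (Get-ADDomain).NetBIOSName

function Get-TokenIdentities {
    # Names that can match ACL entries for a user: the user itself, its direct AD groups, and
    # the well-known groups every domain logon carries. Simplification: nested group
    # membership is not expanded, unlike a real access token.
    param([string]$Sam)
    $ids = @("$nb\$Sam", 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $ids += Get-ADPrincipalGroupMembership -Identity $Sam | ForEach-Object { "$nb\$($_.SamAccountName)" }
    return $ids
}

function Test-EffectiveRemoteAccess {
    # Combines the Share ACL and the NTFS ACL the way the server does for a network client:
    # a Deny at either layer wins, and the effective right is the lesser of the two layers.
    param([string]$Share, [string]$Path, [string[]]$Identities)
    $rank = @{ Read = 1; Change = 2; Full = 3 }

    # Share layer: 0 = no access, 1 = Read, 2 = Change, 3 = Full.
    $entries    = Get-SmbShareAccess -Name $Share | Where-Object { $Identities -contains $_.AccountName }
    $shareLevel = 0
    if (-not ($entries | Where-Object AccessControlType -eq 'Deny')) {
        foreach ($e in $entries) { $shareLevel = [Math]::Max($shareLevel, $rank[[string]$e.AccessRight]) }
    }

    # NTFS layer: ReadData lets the user list/read, CreateFiles lets the user add a file.
    $readBit   = [System.Security.AccessControl.FileSystemRights]::ReadData
    $createBit = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $ntfsRead = $false; $ntfsWrite = $false; $denyRead = $false; $denyWrite = $false
    foreach ($r in (Get-Acl -Path $Path).Access) {
        if ($Identities -notcontains [string]$r.IdentityReference) { continue }
        $hasRead  = ($r.FileSystemRights -band $readBit)   -ne 0
        $hasWrite = ($r.FileSystemRights -band $createBit) -ne 0
        if ($r.AccessControlType -eq 'Deny') {
            if ($hasRead)  { $denyRead  = $true }
            if ($hasWrite) { $denyWrite = $true }
        } else {
            if ($hasRead)  { $ntfsRead  = $true }
            if ($hasWrite) { $ntfsWrite = $true }
        }
    }

    [pscustomobject]@{
        ShareLevel        = @('None', 'Read', 'Change', 'Full')[$shareLevel]
        NtfsRead          = $ntfsRead  -and -not $denyRead
        NtfsWrite         = $ntfsWrite -and -not $denyWrite
        CanReadRemotely   = ($shareLevel -ge 1) -and $ntfsRead  -and -not $denyRead
        CanCreateRemotely = ($shareLevel -ge 2) -and $ntfsWrite -and -not $denyWrite
    }
}

# Step 4 / step 7 of the lab: ilastname holds NTFS write but only Read on the share, so
# CanCreateRemotely is false; ANewuser has no share entry at all, so ShareLevel is None.
foreach ($u in 'ilastname', 'ANewuser') {
    Test-EffectiveRemoteAccess -Share $shareName -Path $ntfsPath -Identities (Get-TokenIdentities $u) |
        Format-Table -AutoSize
}

# Section 3, Part 2: the lab's icacls answer, which changes only the NTFS layer.
icacls $ntfsPath /grant ANewuser:W

# Beyond the lab's answer: remote writes also need a share entry of at least Change.
# Local logons (step 10) are not affected by the share ACL at all.
Grant-SmbShareAccess -Name $shareName -AccountName "$nb\ANewuser" -AccessRight Change -Force | Out-Null

Test-EffectiveRemoteAccess -Share $shareName -Path $ntfsPath -Identities (Get-TokenIdentities 'ANewuser') |
    Format-Table -AutoSize
```

The same two-layer check is a convenient way to verify the Challenge Exercise: run it once per generation's account against each generation's folder and confirm that CanCreateRemotely is true only for the folder that belongs to that account's own generation.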