
Implementing Access Controls with Windows Active Directory (3e)

Introduction

Computer security is accomplished using many different systems, but the fundamental concepts are all rooted in the security triad known as CIA (Confidentiality, Integrity and Availability). CIA is a key goal in any security program. Confidentiality is preventing the disclosure of secure information to unauthorized individuals or systems. Integrity is maintaining and assuring the accuracy of data over its life-cycle. For information to be useful it must be available when needed: thus the need for Availability. This means the data may need to be stored in highly redundant, highly protected areas with adequate power and cooling.



Microsoft has developed the Active Directory Domain structure so that a central authority, the Domain Controller, serves as the repository for all domain security records. It has several layers of authentication and authorization, including the standard username/password credentials and several options for two-factor authentication. Two-factor authentication combines something you know, such as a password, with something you are (a biometric device such as a fingerprint or a retina scan) or something you possess (a smart card or a USB stick). The Domain Controller can also employ a self-signed or third-party certificate system that adds a distinct third layer to the authentication process. The domain can be a standalone entity, or, in a corporate environment, domains from offices all over the world can be joined together in a forest. In this instance, the local security administrators may have rights to their own office's domain tree, but only the corporate administrators would have full access to the entire forest.



In this lab, you will use Microsoft Windows Active Directory to enforce the CIA triad, ensuring confidentiality and integrity of network data. You will create users and global security groups, then assign the new users to the security groups. Next, you will follow a given set of access control criteria to assign permissions for the new security groups to a set of nested folders. Finally, you will test your access control configuration by using the new user accounts to remotely access the secured folders.


Lab Overview

Each section of this lab is assigned at your instructor's discretion. Please consult your instructor to confirm which sections you are required to complete for your lab assignment.

 


SECTION 1 of this lab has three parts which should be completed in the order specified.



1.      In the first part of the lab, you will use the Active Directory Users and Computers module to create a series of users and global security groups. You will also add the new users to the new security groups, just as you would in a real-world domain.


2.      In the second part of the lab, you will apply the new security groups to nested folders according to a given set of access control criteria.

3.      In the third part of the lab, you will verify the new users can remotely access the appropriate folders.

SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will create a separate Organizational Unit for Contractors. You will also explore some of the differences between Share permissions and NTFS permissions.



Finally, you will explore the virtual environment on your own in SECTION 3 of this lab to answer a set of questions and challenges that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.


Learning Objectives

Upon completing this lab, you will be able to:



1.      Create new global security groups using Microsoft Windows Active Directory

2.      Create new domain users using Microsoft Windows Active Directory

3.      Assign domain users to global security groups using Microsoft Windows Active Directory


4.      Create a simple folder system to match an organization's departmental structure

5.      Configure departmental group folders with unique access rights per defined access control requirements


6.      Remotely access a Windows Server machine using different user accounts and test access rights for your organization's folder system


Topology

This lab contains the following virtual machines. Please refer to the network topology diagram below.



·      TargetWindows01 (Windows Server 2019) [Domain Controller]


·      TargetWindows02 (Windows Server 2019)


Tools and Commands

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.



·      Microsoft Server Manager

·      Microsoft Windows Active Directory


·      icacls.exe


Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:



SECTION 1:



1.      Lab Report file including screen captures of the following:



·      members of the Managers group;


·      updated share permissions for the MGRfiles folder;

·      updated share permissions for the HRfiles folder;


·      updated share permissions for the SFfiles folder;

·      text file for HRUser01 in the HRfiles folder;

·      text file for SFManager in the SFfiles folder;


·      text file for SFManager in the MGRfiles folder;



2.      Any additional information as directed by the lab:



·      none;



3.      Lab Assessment.



SECTION 2:



1.      Lab Report file including screen captures of the following:



·      two new users within the Contractors OU;

·      contents of the CoreFiles directory;

·      updated Security permissions for the yourtown directory;


·      result of attempting to create a new test file;


2.      Any additional information as directed by the lab:



·      description of the results of Part 4, Step 7;


·      description of the results of Part 4, Step 10;

·      explanation of the results in Part 4, Steps 4, 7, and 10.



SECTION 3:



1.      Analysis and Discussion


2.      Tools and Commands

3.      Challenge Exercise


Section 1: Hands-On Demonstration

 


Part 1: User and Group Administration

 


23. Make a screen capture showing the members of the Managers group and paste it into your Lab Report file.



Part 2: Resource Management

 


19.  Make a screen capture showing the updated share permissions for the MGRfiles folder and paste it into your lab report.



20.  Make a screen capture showing the updated share permissions for the HRfiles folder and paste it into your lab report.



21.  Make a screen capture showing the updated share permissions for the SFfiles folder and paste it into your lab report.



Part 3: Practical Application

 


13.  Make a screen capture showing the text file for HRUser01 in the HRfiles folder and paste it into your Lab Report file.



14.  Make a screen capture showing the text file for SFManager in the SFfiles folder and paste it into your Lab Report file.




15.  Make a screen capture showing the text file for SFManager in the MGRfiles folder and paste it into your Lab Report file.






Section 2: Applied Learning

 


Part 1: User and Group Administration

 


7. Make a screen capture showing the two new users within the Contractors OU and paste it into your Lab Report file.



Part 2: Resource Management

 


4. Make a screen capture showing the contents of the CoreFiles directory and paste it into the Lab Report file.



14. Make a screen capture showing Advanced Security Settings for the yourtown directory and paste it into the Lab Report file.



Part 3: Modify Permissions Using a Script

 


5. Make a screen capture showing the result of attempting to create a new test file and paste it into the Lab Report file.



7. Repeat steps 2-4 for the ANewuser account and describe the results in the Lab Report file. Unable to access \\172.30.0.15\CoreFiles.



10.  Repeat step 4 and describe the results in the Lab Report file. Able to create new text file.



11.  In the Lab Report file, explain why you received the results you did in steps 4, 7, and 10.



·      Step 4: Because while ilastname has NTFS permissions that allow writing to the yourschool directory, their Share permissions only permit Read.

·      Step 7: Because while both ilastname and ANewuser have identical NTFS permissions, only ilastname has Share permissions that permit them to Read CoreFiles and its contents.

·      Step 11: Because Share permissions only govern remote access to a Share. Since ilastname is now only subject to their NTFS permissions -- which give Full Control to the yourschool directory -- they're able to create the text file.
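The interaction between Share and NTFS permissions behind these three results can be modeled in a few lines. This is an added example, not part of the lab manual: the `Right` flags and the two permission tables are simplified assumptions built from the answers above, and group membership and Deny entries are left out.

```python
# Added illustration (not from the lab manual): a simplified model of how
# Share and NTFS permissions combine. The ACL tables are constructed from the
# lab answers; real ACLs also involve groups and Deny entries, omitted here.
from enum import IntFlag


class Right(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2
    FULL = READ | WRITE  # assumption: Full Control reduced to read + write


# Constructed tables: ilastname has Read on the share, ANewuser has no entry.
SHARE_ACL = {"ilastname": Right.READ}
# Both accounts have identical NTFS permissions on the yourschool directory.
NTFS_ACL = {"ilastname": Right.FULL, "ANewuser": Right.FULL}


def effective_rights(user, remote, share_acl=SHARE_ACL, ntfs_acl=NTFS_ACL):
    """Return the rights the user actually receives on the folder.

    Remote access (through the UNC share path) is checked against both the
    share ACL and the NTFS ACL, so only rights granted by both survive.
    Access that does not go through the share is decided by NTFS alone.
    """
    ntfs = ntfs_acl.get(user, Right.NONE)
    if not remote:
        return ntfs
    return share_acl.get(user, Right.NONE) & ntfs


def can_open_share(user):
    """True if the user can browse the share remotely at all."""
    return bool(effective_rights(user, remote=True) & Right.READ)


def can_create_file(user, remote):
    """True if the user can create a new file in the folder."""
    return bool(effective_rights(user, remote) & Right.WRITE)


if __name__ == "__main__":
    print("ilastname creates file over share:", can_create_file("ilastname", True))
    print("ANewuser opens share:", can_open_share("ANewuser"))
    print("ilastname creates file via NTFS only:", can_create_file("ilastname", False))
```

The practical check for an administrator is the same intersection: a user who reports "read-only" on a share despite Full Control in the Security tab is usually limited by the Share permissions, not NTFS.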


Section 3: Challenge and Analysis

Note: The following challenge questions are provided to allow independent, unguided work, similar to what you will encounter in a real situation. You should aim to improve your skills by getting the correct answer in as few steps as possible. Use screen captures in your lab document where possible to illustrate your answers.



Part 1: Analysis and Discussion

Use the Internet to research the SYSTEM account. Why is it necessary to include this account with full control on a directory?

SYSTEM will allow the operating system to backup, monitor, and record events on the directory.

Part 2: Tools and Commands

Using the icacls utility, document the command that will give the ANewuser account write access to the yourschool folder.

The command is icacls C:\CoreFiles\yourschool /grant ANewuser:w

Part 3: Challenge Exercise

Using your work in this lab as a guide, create a three-level directory structure for your family tree (grandparents, parents, children). You will need to create user accounts for each member of the family (at least 2 in each generation), create groups for each generation, and then secure the folders so that only members of a single generation can write to files within that generation's directory. Make screen captures to document your progress and describe your process. You may use fake names if you prefer.


Answers will be unique to each student.
