Implementing Access Controls with Windows Active Directory (3e)
Introduction
Computer security is accomplished using many different systems, but the fundamental concepts are all rooted in the security triad known as CIA (Confidentiality, Integrity and Availability). CIA is a key goal in any security program. Confidentiality is preventing the disclosure of secure information to unauthorized individuals or systems. Integrity is maintaining and assuring the accuracy of data over its life-cycle. For information to be useful it must be available when needed: thus the need for Availability. This means the data may need to be stored in highly redundant, highly protected areas with adapted power and cooling.
Microsoft has developed the Active Directory Domain structure so that a central authority, the Domain Controller, serves as the repository for all domain security records. It has several layers of authentication and authorization, including the standard username/password credentials and several options for two-factor authentication. Two-factor authentication combines something you know, such as a password, with something you are (a biometric device such as a fingerprint or a retina scan) or something you possess (a smart card or a USB stick). The Domain Controller can also employ a self-signed or third-party certificate system that adds a distinct third layer to the authentication process. The domain can be a standalone entity, or, in a corporate environment, domains from offices all over the world can be joined together in a forest. In this instance, the local security administrators may have rights to their own office’s domain tree, but only the corporate administrators would have full access to the entire forest.
In this lab, you will use Microsoft Windows Active Directory to enforce the CIA triad, ensuring confidentiality and integrity of network data. You will create users and global security groups, then assign the new users to the security groups. Next, you will follow a given set of access control criteria to assign permissions for the new security groups to a set of nested folders. Finally, you will test your access control configuration by using the new user accounts to remotely access the secured folders.
Lab Overview
Each section of this lab is assigned at your instructor’s discretion. Please consult your instructor to confirm which sections you are required to complete for your lab assignment.
SECTION 1 of this lab has three parts which should be completed in the order specified.
1. In the first part of the lab, you will use the Active Directory Users and Computers module to create a series of users and global security groups. You will also add the new users to the new security groups, just as you would in a real-world domain.
2. In the second part of the lab, you will apply the new security groups to nested folders according to a given set of access control criteria.
3. In the third part of the lab, you will verify the new users can remotely access the appropriate folders.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will create a separate Organizational Unit for Contractors. You will also explore some of the differences between Share permissions and NTFS permissions.
Finally, you will explore the virtual environment on your own in SECTION 3 of this lab to answer a set of questions and challenges that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Create new global security groups using Microsoft Windows Active Directory
2. Create new domain users using Microsoft Windows Active Directory
3. Assign domain users to global security groups using Microsoft Windows Active Directory
4. Create a simple folder system to match an organization’s departmental structure
5. Configure departmental group folders with unique access rights per defined access control requirements
6. Remotely access a Windows Server machine using different user accounts and test access rights for your organization’s folder system
Topology
This lab contains the following virtual machines. Please refer to the network topology diagram below.
• TargetWindows01 (Windows Server 2019) [Domain Controller]
• TargetWindows02 (Windows Server 2019)
Tools and Commands
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
• Microsoft Server Manager
• Microsoft Windows Active Directory
• icacls.exe
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
SECTION 1:
1. Lab Report file including screen captures of the following:
• members of the Managers group;
• updated share permissions for the MGRfiles folder;
• updated share permissions for the HRfiles folder;
• updated share permissions for the SFfiles folder;
• text file for HRUser01 in the HRfiles folder;
• text file for SFManager in the SFfiles folder;
• text file for SFManager in the MGRfiles folder;
2. Any additional information as directed by the lab:
• none;
3. Lab Assessment.
SECTION 2:
1. Lab Report file including screen captures of the following:
• two new users within the Contractors OU;
• contents of the CoreFiles directory;
• updated Security permissions for the yourtown directory;
• result of attempting to create a new test file;
2. Any additional information as directed by the lab:
• description of the results of Part 4, Step 7;
• description of the results of Part 4, Step 10;
• explanation of the results in Part 4, Steps 4, 7, and 10.
SECTION 3:
1. Analysis and Discussion
2. Tools and Commands
3. Challenge Exercise
Section 1: Hands-On Demonstration
Part 1: User and Group Administration
23. Make a screen capture showing the members of the Managers group and paste it into your Lab Report file.
Part 2: Resource Management
19. Make a screen capture showing the updated share permissions for the MGRfiles folder and paste it into your lab report.
20. Make a screen capture showing the updated share permissions for the HRfiles folder and paste it into your lab report.
21. Make a screen capture showing the updated share permissions for the SFfiles folder and paste it into your lab report.
Part 3: Practical Application
13. Make a screen capture showing the text file for HRUser01 in the HRfiles folder and paste it into your Lab Report file.
14. Make a screen capture showing the text file for SFManager in the SFfiles folder and paste it into your Lab Report file.
15. Make a screen capture showing the text file for SFManager in the MGRfiles folder and paste it into your Lab Report file.
Section 2: Applied Learning
Part 1: User and Group Administration
7. Make a screen capture showing the two new users within the Contractors OU and paste it into your Lab Report file.
Part 2: Resource Management
4. Make a screen capture showing the contents of the CoreFiles directory and paste it into the Lab Report file.
14. Make a screen capture showing Advanced Security Settings for the yourtown directory and paste it into the Lab Report file.
Part 3: Modify Permissions Using a Script
5. Make a screen capture showing the result of attempting to create a new test file and paste it into the Lab Report file.
7. Repeat steps 2-4 for the ANewuser account and describe the results in the Lab Report file.
Unable to access \\172.30.0.15\CoreFiles.
10. Repeat step 4 and describe the results in the Lab Report file.
Able to create new text file.
11. In the Lab Report file, explain why you received the results you did in steps 4, 7, and 10.
• Step 4: Because while ilastname has NTFS permissions that allow writing to the yourschool directory, their Share permissions only permit Read.
• Step 7: Because while both ilastname and ANewuser have identical NTFS permissions, only ilastname has Share permissions that permit them to Read CoreFiles and its contents.
• Step 11: Because Share permissions only govern remote access to a Share. Since ilastname is now only subject to their NTFS permissions, which give Full Control to the yourschool directory, they’re able to create the text file.
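The interaction explained above can be checked on the file server by listing Share and NTFS entries side by side. The following PowerShell function is an added example, not part of the lab material; it assumes the SmbShare module available on Windows Server 2019, and the function name Get-ShareNtfsComparison is hypothetical. The share name CoreFiles and the folder yourschool are the ones used in the lab.

```powershell
# Added example, not part of the lab. Run in an elevated session on the file server.
# Limits: entries are matched by account name only (group membership is not
# expanded), Deny entries are ignored, a Custom share right is treated as
# not granting write, and generic rights on inherit-only ACEs are not decoded.
function Get-ShareNtfsComparison {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ShareName,   # share to inspect, e.g. CoreFiles
        [string]$SubFolder                          # optional folder inside the share
    )

    # Resolve the local path behind the share, then the folder to inspect.
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $path  = if ($SubFolder) { Join-Path $share.Path $SubFolder } else { $share.Path }

    # Allow entries on the share (checked for remote access only).
    $shareAcl = @(Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' })

    # Allow entries on the folder (checked for local and remote access).
    $ntfsAcl = @((Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })

    # WriteData is the right needed to create a file in a directory.
    $writeBit = [System.Security.AccessControl.FileSystemRights]::WriteData

    # Every account name that appears in either list.
    $names = @($shareAcl.AccountName) + @($ntfsAcl.IdentityReference.Value) |
        Where-Object { $_ } | Sort-Object -Unique

    foreach ($name in $names) {
        $shareRight = [string]($shareAcl |
            Where-Object { $_.AccountName -eq $name } |
            Select-Object -First 1 -ExpandProperty AccessRight)

        $ntfsWrite = [bool]($ntfsAcl | Where-Object {
            $_.IdentityReference.Value -eq $name -and
            ($_.FileSystemRights -band $writeBit) -ne 0
        })

        # Over the network both checks must pass; locally only NTFS applies.
        $remoteWrite = $ntfsWrite -and ($shareRight -in 'Change', 'Full')

        $note = if (-not $shareRight) { 'no share entry under this name' }
                elseif ($ntfsWrite -and -not $remoteWrite) { 'NTFS allows write; share limits remote access' }
                else { '' }

        [pscustomobject]@{
            Account     = $name
            ShareRight  = if ($shareRight) { $shareRight } else { '(none)' }
            LocalWrite  = $ntfsWrite
            RemoteWrite = $remoteWrite
            Note        = $note
        }
    }
}

Get-ShareNtfsComparison -ShareName CoreFiles -SubFolder yourschool |
    Format-Table -AutoSize
```

An account that shows LocalWrite True and RemoteWrite False is in the Step 4 situation; an account with no share entry under its own name or a group it belongs to is in the Step 7 situation.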
Section 3: Challenge and Analysis
Note: The following challenge questions are provided to allow independent, unguided work, similar to what you will encounter in a real situation. You should aim to improve your skills by getting the correct answer in as few steps as possible. Use screen captures in your lab document where possible to illustrate your answers.
Part 1: Analysis and Discussion
Use the Internet to research the SYSTEM account. Why is it necessary to include this account with full control on a directory?
SYSTEM will allow the operating system to back up, monitor, and record events on the directory.
Part 2: Tools and Commands
Using the icacls utility, document the command that will give the ANewuser account write access to the yourschool folder.
The command is icacls C:\CoreFiles\yourschool /grant ANewuser:w
Part 3: Challenge Exercise
Using your work in this lab as a guide, create a three-level directory structure for your family tree (grandparents, parents, children). You will need to create user accounts for each member of the family (at least 2 in each generation), create groups for each generation, and then secure the folders so that only members of a single generation can write to files within that generation’s directory. Make screen captures to document your progress and describe your process. You may use fake names if you prefer.
Answers will be unique to each student.
Assessment Quiz
1. Which of the following elements of the CIA triad refers to preventing the disclosure of secure information to unauthorized individuals or systems?
a. Confidentiality
b. Integrity
c. Availability
d. Authentication
ANS: A
REF: Introduction
2. Which of the following elements of the CIA triad refers to maintaining and assuring the accuracy of data over its life-cycle?
a. Confidentiality
b. Integrity
c. Availability
d. Authentication
ANS: B
REF: Introduction
3. Microsoft has developed the Active Directory Domain structure so that a central authority, called the __________, is the repository for all domain security records.
a. Domain Controller
b. Windows Group Policy
c. Domain Editor
d. Access Controller
ANS: A
REF: Introduction
4. Which of the following combines something you know, such as a password, with something you are (a biometric device such as a fingerprint or a retina scan) or something you possess (a smart card or a USB stick)?
a. Confidentiality
b. Authentication
c. Two-factor authentication
d. Third-party certificate system
ANS: C
REF: Introduction
5. Which of the following refers to the database that provides centrally controlled managed access?
a. Active Directory
b. Access Directory
c. Default Domain Policy
d. Group Policy Management Editor
ANS: A
REF: Section 1, Note introducing Part 1
6. Which of the following help departments organize unique access controls for access to folders and data files within a department or group so that only those employees who need access to confidential data are granted access?
a. Title-based access controls
b. Role-based access controls
c. Administrative access controls
d. Privacy-based access controls
ANS: B
REF: Section 1, Note following Part 1, Step 11
7. Effective resource management:
a. locks out unauthorized access and can work to prevent changes to resources by internal users not qualified or authorized to have access.
b. applies read-only access to all folders for all users, with the exception of administrators and the organization’s management team.
c. enables a security administrator to control user and resource access from individual machines rather than from a central location.
d. dictates that guest users be placed in a secure network, isolated from the production network by firewall barriers.
ANS: A
REF: Section 1, Note introducing Part 2
8. Which of the following is true about Share permissions in Windows environments?
a. Share permissions apply to local users
b. There are three types: Full, Partial, and None
c. Share permissions apply to all folders and files in the share
d. Share permissions can be set at the file level
ANS: C
REF: Section 1, Note introducing Part 2
9. Which of the following are the three permissions found in the Share tool?
a. Read, Modify, and Owner
b. Read, Change, and Full Control
c. Read, Read/Write, and Full Control
d. Read, Read/Write, and Owner
ANS: D
REF: Section 1, Note introducing Part 2
10. Which of the following do members of the Shopfloor group need access to?
a. SFfiles and MGRfiles
b. SFfiles
c. MGRfiles
d. HRfiles
ANS: B
REF: Section 1, Part 2, Step 17
