Kaplan IT541 lab 1 and 2 assignment
Lab #1 Implementing Access Controls with Windows Active Directory
Introduction
Computer security is accomplished using many different systems, but the fundamental concepts are all rooted in the security triad known as C-I-A (Confidentiality, Integrity and Availability). C-I-A is a key goal in any security program. Confidentiality is preventing the disclosure of secure information to unauthorized individuals or systems. Integrity is maintaining and assuring the accuracy of data over its life-cycle. For information to be useful, it must be available when needed: thus the need for Availability. This means the data may need to be in highly redundant, highly protected storage areas with adapted power and cooling.
Microsoft has developed the Active Directory Domain structure so that a central authority, the Domain Controller, is the repository for all domain security records. It has several layers of authentication and authorization, including the standard user/password and several options for two-factor authentication. Two-factor authentication combines something you know, such as a password, with something you are (a biometric device such as a fingerprint or a retina scan) or something you possess (a smart card or a USB stick). The Domain Controller can also employ a self-signed or third-party certificate system that adds a distinct third layer to the authentication process. The domain can be a standalone entity, or, in a corporate environment, domains from offices all over the world can be joined together in a forest. In this instance, the local security administrators may have rights to their own office domain tree, but only the corporate administrators would have full access to the entire forest.
In this lab, you will use the Active Directory Domain Controller to secure the C-I-A triad, ensuring confidentiality and integrity of network data. You will create users and global security groups, and assign the new users to the security groups. You will follow a given set of access control criteria to ensure authentication on the remote server by applying the new security groups to a set of nested folders. Finally, you will verify that authentication works by using the new user accounts to access the secured folders on the remote server.
This lab has five parts, which should be completed in the order specified.
1. In the first part of the lab, you will use the Active Directory Group Policy Management console to create and link a global password policy for the entire domain.
2. In the second part of the lab, you will use the Active Directory Users and Computers module to create a series of users and global security groups. You will also add the new users to the new security groups, just as you would in a real-world domain.
3. In the third part of the lab, you will apply the new security groups to nested folders on the remote server according to a given set of access control criteria.
4. In the fourth part of the lab, you will verify the new users can access the appropriate folders on the remote server.
5. Finally, if assigned by your instructor, you will explore the virtual environment on your own to answer a set of challenge questions that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.
Upon completing this lab, you will be able to:
· Create Windows 2012 Server Active Directory system administration configurations for defined departmental workgroups and users
· Create Windows 2012 Server global domain departmental groups and user account definitions per defined access control requirements
· Configure Windows 2012 Server departmental group and user folders with unique access rights per the defined access control requirements
· Access a Windows 2012 Server as a user and encounter errors when attempting to create data files and write them to specific folders
· Create a list of new and modified access control parameters to implement stringent security access controls per the defined requirements using Windows 2012 Server
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
· Windows Active Directory
· Group Policy Object Editor
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Report file including screen captures of the following step(s): Part 1, Step 16; Part 2, Step 23; Part 3, Step 19; and Part 4, Step 7;
2. Lab Assessments file;
3. Optional: Challenge Questions file, if assigned by your instructor.
Hands-On Steps
Note: This lab contains detailed lab procedures, which you should follow as written. Frequently performed tasks are explained in the Common Lab Tasks document on the vWorkstation desktop. You should review these tasks before starting the lab.
1. From the vWorkstation desktop, open the Common Lab Tasks file.
If you desire, use the File Transfer button to transfer the file to your local computer and print a copy for your reference.
Figure 1 “Student Landing” vWorkstation
2. On your local computer, create the lab deliverable files.
3. Review the Lab Assessment Worksheet at the end of this lab. You will find answers to these questions as you proceed through the lab steps.
Part 1: Group Policy
Note: In the next steps, you will use the Active Directory Group Policy Management console to create and link group policy objects. Windows Group Policy is a powerful, granular method for controlling machine and user access on the Windows desktop and network. In this part of the lab, you will use the Local Group policy to allow users the right to log on to the remote Windows servers on the domain.
1. Double-click the RDP folder on the vWorkstation desktop to open the folder.
2. Double-click the TargetWindows01 file in the RDP folder to open a remote connection to the Windows machine.
The remote desktop opens with the IP address of the remote machine (172.30.0.15) in the title bar at the top of the window. The FileZilla Server application opens automatically.
Figure 2 TargetWindows01 desktop
3. Close the FileZilla Server application; it is not required for this lab.
4. Click the Windows Start button and click the Administrative Tools icon to open the Administrative Tools folder in the File Explorer.
Figure 3 Administrative Tools folder
5. Double-click Group Policy Management from the right pane to open the Group Policy Management console.
Figure 4 Group Policy Management console
6. In the left pane, navigate to the Group Policy Objects folder (Group Policy Management > Forest > Domains > securelabsondemand.com > Group Policy Objects).
The existing group policy objects in the securelabsondemand.com domain will appear in the right pane of the console.
7. In the right pane, right-click and select New from the context menu.
8. Type PasswordGPO in the Name box of the New GPO dialog box and click OK to create a new password policy object.
9. Right-click the new PasswordGPO object and select Edit from the context menu to open the Group Policy Management Editor.
10. In the Group Policy Management Editor, navigate to the Password Policy object (Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy).
In the right pane of the Group Policy Management Editor, notice the variety of options for strengthening the password policy. By default, these options are “Not Defined” until they are modified.
Figure 5 Password policies options
11. Double-click Password must meet complexity requirements to explore this policy.
12. Click the Define this policy setting checkbox and then click the Enabled radio button.
13. Click OK to close the Password must meet complexity requirements window.
Note: It is important for security practitioners to take into consideration the human element when devising password security policies to ensure confidentiality. Users generally choose easy-to-remember passwords, which typically are weak and easier for others to guess or crack. It would be considered poor practice to include any part of the user’s user name in a password. Typically, the username is easily discovered: usernames are often left in the login screen, or they follow a convention that is easy to guess. Some standard rules for password selection that are not unique to this course but should be used as guidelines for all passwords in a production system include requiring a non-sequential set of numbers, upper- and lowercase letters, and special characters. Other best practices:
· Never leave the administrator account named Administrator
· Never use easily guessed passwords: add password complexity by including a combination of alphanumeric characters, upper- and lowercase letters, etc.
· Never repeat the username in the password
· Change passwords frequently (maximum password age of 30–90 days)
· Wherever possible, use two-factor authentication, such as an RSA SecurID
Above all, maintain the password policy.
14. Double-click Minimum Password Length to explore this policy.
15. Click the Define this policy setting checkbox and type 8 in the Password must be at least box to set the minimum password length and match the current best-practice requirements.
16. Click OK to close the Minimum password length Properties window.
17. Make a screen capture showing the new policy settings for the new PasswordGPO and paste it into your Lab Report file.
18. Close the Group Policy Management Editor.
19. In the left pane of the Group Policy Management window, right-click Default Domain Policy and select Edit from the context menu.
20. In the left pane, navigate to the Account Policies folder (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies) to expand the tree directory and select Password Policy.
Following precedence rules, the Domain Controller policies take precedence over any local policies.
21. Double-click any of the policies not marked Not Defined.
22. Deselect the Define this policy setting checkbox to change the Policy Setting to Not Defined.
23. Click the Explain tab and take note of what the password policy would define, and then click OK to close the dialog box.
Figure 6 Exploring policy settings
24. Repeat steps 21-23 for all policies not marked Not Defined.
25. Close the Group Policy Management Editor window.
26. In the Group Policy Management console, right-click securelabsondemand.com in the left pane and select Link an Existing GPO from the context menu.
27. In the Select GPO dialog box, click PasswordGPO from the list of existing objects available to link to this domain.
Figure 7 Existing GPOs
28. Click OK to close the dialog box and apply the changes.
Now, users on the entire securelabsondemand.com domain will have to create passwords at least 8 characters in length, following the policy you documented in step 17. Right-click the PasswordGPO policy and select Edit from the context menu to confirm the change.
29. Close the Group Policy Management window.
30. Close the Administrative Tools window.
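The same Part 1 result from PowerShell, as an added example that is not part of the lab: it creates and links PasswordGPO with the GroupPolicy module and then reads back both the settings stored in the GPO and the password policy the domain actually enforces. The password settings inside the GPO (steps 10-16) and clearing the Default Domain Policy (steps 19-24) are still done in the Group Policy Management Editor; the block assumes an elevated session on the domain controller with the GroupPolicy and ActiveDirectory modules available.

```powershell
# Added example (not the lab's own steps): Part 1 in PowerShell, run elevated on the
# domain controller. Assumes the GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'securelabsondemand.com'
$gpoName  = 'PasswordGPO'
$domainDN = (Get-ADDomain -Identity $domain).DistinguishedName   # DC=securelabsondemand,DC=com

# Steps 7-8: create the GPO once; re-running the script must not produce a duplicate.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Lab password policy'
}

# Steps 26-28: link the GPO at the domain root so every account in the domain is covered.
$alreadyLinked = (Get-GPInheritance -Target $domainDN -Domain $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $domainDN -Domain $domain -LinkEnabled Yes | Out-Null
}

# Step 17 check: the password settings stored in the GPO itself (what the screen capture shows).
function Get-GpoPasswordSettings {
    [xml]$report = Get-GPOReport -Name $gpoName -Domain $domain -ReportType Xml
    $report.GPO.Computer.ExtensionData.Extension.Account |
        Where-Object { $_.Type -eq 'Password' } |
        Select-Object Name, SettingNumber, SettingBoolean
}

# What user accounts are actually measured against is the resulting domain policy,
# which only changes after Group Policy has been refreshed on the domain controller.
function Get-EffectivePasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
    [pscustomobject]@{
        MinPasswordLength    = $p.MinPasswordLength      # the lab expects 8
        ComplexityEnabled    = $p.ComplexityEnabled      # the lab expects True
        MaxPasswordAgeDays   = $p.MaxPasswordAge.Days
        PasswordHistoryCount = $p.PasswordHistoryCount
    }
}

gpupdate /force | Out-Null
Get-GpoPasswordSettings | Format-Table -AutoSize
Get-EffectivePasswordPolicy
```

If the effective policy still shows the old values, the Default Domain Policy settings from steps 19-24 have not been cleared yet: a GPO linked higher in the link order wins for the domain-wide password policy.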
Part 2: User and Group Administration
Note: Active Directory is the database that provides centrally controlled, managed access. It is a security management system for an organization’s Windows computer systems. Active Directory enables a security administrator to control user and resource access from one central location instead of managing that access at each machine on the network. In many organizations, it would be impossible for the security administrators to access every machine. Even machines not joined to the Active Directory domain can still be accessed by their local machine name or IP address, or by using an authorized user name and password; however, this process is much easier with Active Directory. In the next steps, you will use Active Directory to create a series of user accounts and global security groups for the securelabsondemand.com domain.
1. Right-click the Windows Start icon and select Search from the context menu.
2. In the Search pane, type active to retrieve the list of possible matches.
Figure 8 Search panel
3. Click Active Directory Users and Computers from the resulting list to open the application.
Figure 9 Active Directory Users and Computers
4. In the left navigation pane, double-click securelabsondemand.com to expand all the folders (Organizational Units) in the domain.
5. Double-click the Users folder to see a list of all existing users and groups.
6. Click the Create a new group in the current container icon in the toolbar.
Figure 10 Create a New Group icon
7. In the New Object - Group dialog box, type Shopfloor in the Group name box.
Figure 11 Add a new group in Active Directory
8. Verify that the Group scope is Global and the Group type is Security and click OK to create the new global security group.
The new Shopfloor group has been added to the list of users and groups in the right pane.
Figure 12 New Group added to Active Directory
9. Repeat steps 6-8 to create the following new global security groups.
· Managers
· HumanResources
Note: Often, users within the same department may require separate access to confidential files and folders. This access is usually determined by the user’s role in the department, as a manager, an HR representative, or an individual contributor. Role-based access controls help departments organize unique access controls for access to folders and data files based on an employee’s role. It is important to maximize the confidentiality and the integrity of confidential data files within a department or group so that only those employees who need access to this confidential data are granted access. An example of role-based access controls is common in human resources and payroll departments, where only those employees who need access to employee privacy data and information are privy to the access. In the next steps, you will use Active Directory to create a series of new users and add them to the global security groups you created in the previous steps.
10. Click the Add a new user in the current container icon on the toolbar.
Figure 13 Create New User icon
11. Type the following information in the New Object – User dialog box and click Next to continue:
· First name: SFUser
· Last name: 01
· User logon name: SFUser01
The Full name and User logon name (pre-Windows 2000) boxes will populate automatically.
Figure 14 Create new user icon in the Active Directory window
12. Type the following information in the password screen:
· Password: P@ssw0rd!
· Confirm password: P@ssw0rd!
Note: You are required to enter a mixed-case password. If you are not using the Citrix Receiver to access this lab, please use the CAPS LOCK button or the On-Screen Keyboard to input the password.
13. Click the User must change password at next logon checkbox to remove the check. Verify that the rest of the checkboxes are unchecked.
Figure 15 Create a password for a new user
14. Click Next to continue.
15. Click Finish to create the new user account.
The new user will appear in the right pane with the groups you created earlier.
Figure 16 Click Finish to create the new user account
16. Repeat steps 10-15 to create new users using the information in the following table.
New Users Data
| First name | Last name | User logon name |
|---|---|---|
| SFUser | 02 | SFUser02 |
| SF | Manager | SFManager |
| HRUser | 01 | HRUser01 |
| HRUser | 02 | HRUser02 |
| HR | Manager | HRManager |
17. Right-click the SFUser01 user and select Add to a group from the context menu.
18. In the Select Group dialog box, type Shopfloor in the Enter the object name to select box.
Figure 17 Add a user to an existing group
19. Click OK to complete the process.
20. Click OK to close the success dialog.
21. Repeat steps 17-20 to add the new users to the correct global security group(s) using the information in the following table.
Security Group Data
| User logon name | Global Security Group(s) |
|---|---|
| SFUser02 | Shopfloor |
| SFManager | Shopfloor; Managers |
| HRUser01 | HumanResources |
| HRUser02 | HumanResources |
| HRManager | HumanResources; Managers |
22. Double-click the Managers group and click the Members tab to see the members of that group.
Figure 18 Members of the Managers group
23. Make a screen capture showing the members of the Managers group and paste it into your Lab Report file.
24. Close the Managers group dialog box.
25. Repeat steps 22-24 for each of the following new global security groups:
· Shopfloor
· HumanResources
26. Close the Active Directory Users and Computers window.
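Part 2 as a script, as an added example that is not part of the lab: it creates the three groups and the six users from the New Users Data and Security Group Data tables, adds the memberships, and prints each group's members (the content of the step 23 screen capture). It assumes the ActiveDirectory module on the domain controller and an account allowed to create objects in the Users container.

```powershell
# Added example (not the lab's own steps): Part 2 in PowerShell on the domain controller.
# Assumes the ActiveDirectory module and rights to create objects in CN=Users.
Import-Module ActiveDirectory

$domain   = 'securelabsondemand.com'
$usersCN  = "CN=Users,$((Get-ADDomain -Identity $domain).DistinguishedName)"
# The lab's sample password. In production the password would be generated per user
# and "User must change password at next logon" would be left checked.
$password = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force

# Steps 6-9: three global security groups, created only if missing.
foreach ($g in 'Shopfloor', 'Managers', 'HumanResources') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -Server $domain)) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $usersCN -Server $domain
    }
}

# Steps 10-21: the "New Users Data" and "Security Group Data" tables in one structure.
$users = @(
    @{ First = 'SFUser'; Last = '01';      Logon = 'SFUser01';  Groups = @('Shopfloor') }
    @{ First = 'SFUser'; Last = '02';      Logon = 'SFUser02';  Groups = @('Shopfloor') }
    @{ First = 'SF';     Last = 'Manager'; Logon = 'SFManager'; Groups = @('Shopfloor', 'Managers') }
    @{ First = 'HRUser'; Last = '01';      Logon = 'HRUser01';  Groups = @('HumanResources') }
    @{ First = 'HRUser'; Last = '02';      Logon = 'HRUser02';  Groups = @('HumanResources') }
    @{ First = 'HR';     Last = 'Manager'; Logon = 'HRManager'; Groups = @('HumanResources', 'Managers') }
)

foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Logon)'" -Server $domain)) {
        # Step 13: "User must change password at next logon" unchecked, the other boxes unchecked.
        New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
            -SamAccountName $u.Logon -UserPrincipalName "$($u.Logon)@$domain" `
            -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false `
            -PasswordNeverExpires $false -CannotChangePassword $false `
            -Path $usersCN -Server $domain
    }
    # Steps 17-21: group membership; skip members that are already present.
    foreach ($g in $u.Groups) {
        $members = (Get-ADGroupMember -Identity $g -Server $domain).SamAccountName
        if ($members -notcontains $u.Logon) {
            Add-ADGroupMember -Identity $g -Members $u.Logon -Server $domain
        }
    }
}

# Steps 22-25: the membership of each group, one row per group.
function Get-LabGroupMembership {
    foreach ($g in 'Shopfloor', 'Managers', 'HumanResources') {
        $m = Get-ADGroupMember -Identity $g -Server $domain | Sort-Object SamAccountName
        [pscustomobject]@{ Group = $g; Members = ($m.SamAccountName -join ', ') }
    }
}
Get-LabGroupMembership | Format-Table -AutoSize
```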
Note: One of the biggest challenges that face a Windows administrator is how to handle guests: users that have a legitimate need for temporary network access. Typically, best practices would dictate that a guest would be placed in a secure network, isolated from the production network by firewall barriers. If this is not practical, which is often the case with auditors or contract workers, then clear and specific areas of access should be decided, making them as restrictive as possible. For C-I-A requirements, the next best option is local, self-signed certificates issued to guests who require a higher degree of access, which expire when the guest is due to leave and limit their access. Of course, Access Control Lists (ACLs) to strictly control the access are also mandatory; disabling the Guest user and creating short-term users with complex passwords will help as well. In the past, network resources have been protected by non-electronic means, such as non-disclosure agreements with statements prohibiting the use of flash drives or removable storage devices, but many organizations today create guest user workstations that have the USB ports and CD drives already disabled as an effective means of stopping the introduction of unwanted data, or theft of company data. Newer versions of Windows archiving enable system administrators to recover lost or compromised documents from an archived copy.
Part 3: Resource Management
Note: In the next steps, you will create a series of folders on the remote TargetWindows01-DC server, the Domain Controller for this virtual lab environment. You will assign custom security permissions to each by using the new global groups to secure those resources. In this way, the domain admin sets up both Authentication, using the Active Directory Domain authentication policies, and a series of nested “Access Control Lists” to control access to domain resources. This not only locks out unauthorized access, but it also can work to prevent changes to resources by internal users not qualified or authorized to have access.
1. Click the File Explorer icon in the TargetWindows01 taskbar to open the File Explorer.
2. Navigate to the home folder (This PC > Local Disk (C:)) in the File Explorer.
3. Click the New folder icon in the File Explorer toolbar to create a new unnamed folder.
4. Type LabDocuments and press Enter to name the new folder.
5. Double-click the C:\LabDocuments folder to open it.
6. Click the New folder icon to create a new folder under the LabDocuments folder.
7. Type SFfiles and press Enter to name the new subfolder.
8. Repeat steps 6-7 to create the following additional subfolders:
· HRfiles
· MGRfiles
Figure 19 LabDocuments folder structure
9. Click the Back arrow button on the File Explorer toolbar to return to the home folder.
10. Right-click the LabDocuments folder and select Properties from the context menu.
11. In the LabDocuments Properties dialog box, click the Sharing tab and click the Share button to open the File Sharing dialog box.
12. Type Shopfloor in the text box and click Add to share the LabDocuments folder with the members of the Shopfloor global security group.
13. Right-click the Shopfloor group in the bottom section of the dialog box and select Read, if necessary, from the context menu to restrict members of the Shopfloor group to read-only access to the LabDocuments folder.
Note: Applying read-only access to this folder allows members of the Shopfloor group pass-through access to the subfolders. You will duplicate this access for the other two security groups. In the next steps, you will determine what access to apply to the departmental subfolders using a provided set of access control criteria.
Figure 20 File Sharing dialog box
14. Repeat steps 12-13 for each of the new global security groups:
· Managers
· HumanResources
15. Click the Share button to complete the file sharing.
16. Click Done to close the dialog box.
17. Click Close to close the LabDocuments Properties dialog box.
18. In your Lab Report file, recreate the following Access Controls Criteria table.
Access Controls Criteria
|   | Access Controls Criteria | Sharing Changes Made to the Folder | Access Control Success/Failure |
|---|---|---|---|
| 1 | Allow Shopfloor members to read/write files in the C:\LabDocuments\SFfiles folder. HumanResources members do not have any permissions in this folder. |   |   |
| 2 | Allow HumanResources members to read/write files in the C:\LabDocuments\HRfiles folder. Shopfloor members do not have access to this folder. |   |   |
| 3 | Allow the SFManager to read/write files in the C:\LabDocuments\MGRfiles folder and the C:\LabDocuments\SFfiles folder. The SFManager has no permissions to the HRfiles folder. |   |   |
| 4 | Allow the HRManager to read/write files in the C:\LabDocuments\MGRfiles folder and the C:\LabDocuments\HRfiles folder. The HRManager has no permissions to the SFfiles folder. |   |   |
19. For each of the criteria in the left column:
· Determine what share changes to make to satisfy the criteria and make the necessary changes on the TargetWindows01 server. (Hint: Refer to steps 10-17. You may need to add individual users instead of groups to correctly secure each folder.)
· Make a screen capture showing the File Sharing dialog box for each folder that you changed showing the changes you’ve made and paste it into the second column of your table.
You will complete the third column later in this lab.
20. Minimize the TargetWindows01 window to return to the vWorkstation desktop.
21. Close the RDP folder.
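The four criteria implemented from PowerShell on TargetWindows01, as an added example that is not part of the lab: instead of the File Sharing dialog it creates one share on C:\LabDocuments and enforces each criterion with an NTFS ACL built from the group SIDs, then prints the resulting ACLs for the second column of the table. It assumes an elevated session on the server with the ActiveDirectory and SmbShare modules; the share-level Change right for all three groups is a choice explained in the comments, not a lab step.

```powershell
# Added example (not the lab's own steps): Part 3 in PowerShell on TargetWindows01.
# Assumes an elevated session, the ActiveDirectory module and the SmbShare module.
Import-Module ActiveDirectory
$domain  = 'securelabsondemand.com'
$root    = 'C:\LabDocuments'
$folders = $root, "$root\SFfiles", "$root\HRfiles", "$root\MGRfiles"
$netbios = (Get-ADDomain -Identity $domain).NetBIOSName
$groups  = 'Shopfloor', 'Managers', 'HumanResources'

# Steps 2-8: the folder tree.
foreach ($f in $folders) { New-Item -ItemType Directory -Path $f -Force | Out-Null }

# Steps 10-17: one share on the root. Over SMB the effective permission is the more
# restrictive of the share permission and the NTFS permission, so a share-level "Read"
# would also block the read/write the criteria require inside the subfolders. The share
# therefore grants Change to all three groups and leaves the per-folder decisions to NTFS.
if (-not (Get-SmbShare -Name 'LabDocuments' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'LabDocuments' -Path $root `
        -ChangeAccess ($groups | ForEach-Object { "$netbios\$_" }) `
        -FullAccess "$netbios\Domain Admins" | Out-Null
}

# Replaces a folder's DACL: no inheritance from the parent, full control for
# Administrators and SYSTEM, and exactly the group rights listed, nothing else.
function Set-LabFolderAcl {
    param(
        [string]$Path,
        [hashtable]$GroupRights,    # e.g. @{ Shopfloor = 'Modify' }
        [switch]$ThisFolderOnly     # keep the ACEs from flowing into subfolders
    )
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting and drop inherited ACEs
    foreach ($ace in $acl.Access) {                 # drop explicit ACEs left by earlier attempts
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    $rights = @{ 'S-1-5-32-544' = 'FullControl'; 'S-1-5-18' = 'FullControl' }   # Administrators, SYSTEM
    foreach ($g in $GroupRights.Keys) {
        $rights[(Get-ADGroup -Identity $g -Server $domain).SID.Value] = $GroupRights[$g]
    }
    foreach ($sid in $rights.Keys) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $rights[$sid], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Root: pass-through only (the lab's step 13), and only for this folder.
Set-LabFolderAcl -Path $root -ThisFolderOnly -GroupRights @{
    Shopfloor = 'ReadAndExecute'; Managers = 'ReadAndExecute'; HumanResources = 'ReadAndExecute'
}
# Criteria 1-4. Group ACEs are enough: SFManager is in Shopfloor and HRManager in
# HumanResources, so each manager reaches the department folder through that group and
# MGRfiles through Managers, and neither holds an ACE on the other department's folder.
Set-LabFolderAcl -Path "$root\SFfiles"  -GroupRights @{ Shopfloor      = 'Modify' }
Set-LabFolderAcl -Path "$root\HRfiles"  -GroupRights @{ HumanResources = 'Modify' }
Set-LabFolderAcl -Path "$root\MGRfiles" -GroupRights @{ Managers       = 'Modify' }

# The resulting DACLs, one row per ACE, for the "Sharing Changes Made" column.
function Get-LabAclReport {
    foreach ($f in $folders) {
        foreach ($ace in (Get-Acl -Path $f).Access) {
            [pscustomobject]@{
                Folder = $f; Principal = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}
Get-LabAclReport | Format-Table -AutoSize
```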
Part 4: Practical Application
Note: In the next steps, you will test the configurations you have just made by logging on using the newly created user accounts and attempting to write files to the secured folders.
1. Right-click the Windows Start button and select Run from the menu to open a Windows command prompt.
2. Type net use \\172.30.0.15\LabDocuments /user:SFUser01 (the IP address and folder of the TargetWindows01 virtual machine on which you created the three subfolders) and click OK to enable the SFUser01 account to access the shared folder.
Figure 21 Log on to TargetWindows01 server
3. When prompted, type P@ssw0rd! to connect to the TargetWindows01 server with the SFUser01 password and press Enter.
Note: You are required to enter a mixed-case password. If you are not using the Citrix Receiver to access this lab, please use the CAPS LOCK button or the On-Screen Keyboard to input the password.
4. Right-click the Windows Start button and select Run from the menu to open a Windows command prompt.
5. Type \\172.30.0.15\LabDocuments to open the subfolders to which this user has access and click OK.
6. In the LabDocuments window, double-click the SFfiles folder.
7. Right-click in the right pane of the SFfiles folder and select New > Text document from the context menu to create a new unnamed file in the folder.
Note: If the sharing properties were set properly in the previous set of steps, you will be able to create this new file. If not, you will receive an error message.
8. Type SFfiles and press Enter to name the new file in the folder.
Figure 22 Saved text document in the SFfiles folder
9. In your Lab Report file, document the results of this test in the third column of the Access Controls Criteria table:
· If you were able to create the file, make a screen capture showing the successfully created file and paste it into your Lab Report file.
· If you received an error message, make a screen capture showing the error message and paste it into your Lab Report file, briefly describe the changes you would need to make to receive a successful result, and repeat the steps in Part 3 of this lab until you receive a successful result.
10. Close the File Explorer.
11. Right-click the Windows Start button and select Run from the menu.
12. Type net use \\172.30.0.15\LabDocuments /delete in the text box and click OK to remove the cached credentials.
Figure 23 Delete cached credentials to the remote server
13. Repeat steps 1-12 for each of the six users you created in Part 2 of this lab, replacing the user name in step 2 each time.
You will need to test each of the three new folders (SFfiles, HRfiles, and MGRfiles) and remember that the SFManager and HRManager users must be able to create files in two subfolders, not just one.
14. Close the virtual lab, or proceed with Part 5 to answer the challenge questions for this lab.
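The Part 4 test loop as a script run from the vWorkstation, as an added example that is not part of the lab: for each of the six users it connects to the share with that user's credentials (the net use of step 2), tries to create a file in each of the three subfolders, compares the outcome with the criteria table, and drops the connection again (step 12). It assumes the lab's sample password for every account; the expected results for MGRfiles are inferred from the table, which grants read/write there only to the two managers.

```powershell
# Added example (not the lab's own steps): Part 4 automated from the vWorkstation.
# Assumes every lab account still has the sample password from Part 2.
$server   = '172.30.0.15'
$share    = "\\$server\LabDocuments"
$domain   = 'securelabsondemand.com'
$password = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force

# Expected outcome per user and folder, from the Access Controls Criteria table
# ($true = file creation must succeed, $false = it must be refused). MGRfiles is
# $false for non-managers because nothing in the criteria grants it to them.
$expected = [ordered]@{
    SFUser01  = @{ SFfiles = $true;  HRfiles = $false; MGRfiles = $false }
    SFUser02  = @{ SFfiles = $true;  HRfiles = $false; MGRfiles = $false }
    SFManager = @{ SFfiles = $true;  HRfiles = $false; MGRfiles = $true  }
    HRUser01  = @{ SFfiles = $false; HRfiles = $true;  MGRfiles = $false }
    HRUser02  = @{ SFfiles = $false; HRfiles = $true;  MGRfiles = $false }
    HRManager = @{ SFfiles = $false; HRfiles = $true;  MGRfiles = $true  }
}

function Test-LabAccess {
    param([string]$User)
    $cred = New-Object System.Management.Automation.PSCredential("$domain\$User", $password)
    # Steps 2-3: authenticate to the share as this user. Windows allows only one set of
    # credentials per server at a time, so the previous user's connection must be gone.
    New-PSDrive -Name Lab -PSProvider FileSystem -Root $share -Credential $cred -ErrorAction Stop | Out-Null
    try {
        foreach ($folder in 'SFfiles', 'HRfiles', 'MGRfiles') {
            # Steps 6-8: create the test file; step 9's "error message" becomes $created = $false.
            $file    = "Lab:\$folder\$($folder).txt"
            $created = $true
            try {
                New-Item -Path $file -ItemType File -Force -ErrorAction Stop | Out-Null
                Remove-Item -Path $file -Force -ErrorAction SilentlyContinue   # leave the folder clean
            } catch { $created = $false }
            $want = $expected[$User][$folder]
            [pscustomobject]@{
                User = $User; Folder = $folder; Created = $created; Expected = $want
                Result = $(if ($created -eq $want) { 'PASS' } else { 'FAIL' })
            }
        }
    } finally {
        Remove-PSDrive -Name Lab   # step 12: drop the cached credentials before the next user
    }
}

# Step 13: all six users, three folders each; this is the third column of the table.
$results = foreach ($u in $expected.Keys) { Test-LabAccess -User $u }
$results | Format-Table -AutoSize
```

A FAIL row with Created = True where Expected = False is the more serious kind: it means a user has write access the criteria deny, usually because an inherited or leftover ACE on that subfolder was not removed in Part 3.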
Part 5: Challenge Questions
Note: The following challenge questions are provided to allow independent, unguided work, similar to what you will encounter in a real-world situation. You should aim to improve your skills by getting the correct answer in as few steps as possible. Use screen captures in your lab document where possible to illustrate your answers.
1. In Active Directory, which account is disabled by default? Explain why this account is disabled by default.
2. Which of the following groups are not an Active Directory built-in group?
a. Guest
b. Human Resources
c. Server Operators
d. Shopfloor
e. Users
3. According to the Group Policy Management console, who is the owner of the securelabsondemand.com domain?
Note: This completes the lab. Close the virtual lab, if you have not already done so.
Assignment Grading Rubric
Course: IT541 Unit: 1 Points: 50
Assignment 1
Outcomes addressed in this activity:
Unit Outcomes:
- Distinguish between the two main categories of security controls.
- Distinguish the security areas within the CIA triad.
Course Outcomes:
IT541-2: Compare authentication and encryption methods.
Assignment Instructions
This Assignment provides a "hands on" element to your studies. It gives you the opportunity to work with the protocols and see how they operate in real-world environments. Read and perform the lab entitled "IT 541 Unit 1 Assignment Lab" found in Doc Sharing; use the lab sheet included at the end of the lab file to submit your results.
Directions for Submitting Your Assignment
Use the Lab #1 Worksheet document found at the back of the lab instructions as a guide for what to submit, and save it as a Word® document, entitled Username-IT541 Assignment-Unit#.doc (Example: TAllen-IT541 Assignment-Unit1.doc). Submit your file by selecting the Unit 1: Assignment Dropbox by the end of Unit 1.
Assignment Requirements
- Answers contain sufficient information to adequately answer the questions
- No spelling errors
- No grammar errors
*Two points will be deducted from your grade for each occurrence of not meeting these requirements.
For more information and examples of APA formatting, see the resources in Doc Sharing or visit the KU Writing Center from the KU Homepage.
Also review the KU Policy on Plagiarism. This policy will be strictly enforced on all applicable assignments and discussion posts. If you have any questions, please contact your professor.
Review the grading rubric below before beginning this activity.
Unit 1 Assignment Grading Rubric = 50 points
| Assignment Requirements | Points Possible | Points Earned |
|---|---|---|
| Document demonstrates that the student was able to correctly implement an Active Directory system administrative configuration for groups and users. | 0–10 |   |
| Document demonstrates that the student was able to correctly implement global domain departmental groups and user accounts. | 0–10 |   |
| Document demonstrates that the student was able to correctly implement departmental group and user folders with unique access rights per defined requirements. | 0–10 |   |
| Document demonstrates that the student was able to correctly access the server as a user and test errors encountered when attempting to create and save data files. | 0–10 |   |
| Document demonstrates that the student was able to correctly implement a list of new and modified access control parameters in order to create more stringent access controls. | 0–10 |   |
| Total (Sum of all points) | 0–50 |   |
| Points deducted for spelling, grammar, and APA errors |   |   |
| Adjusted total points |   |   |
Implementing Access Controls with Windows Active Directory
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you used the Active Directory Domain Controller to secure the C-I-A triad, ensuring confidentiality and integrity of network data. You created users and global security groups and assigned the new users to security groups. You followed a given set of access control criteria to ensure authentication on the remote server by applying the new security groups to a set of nested folders. Finally, you verified that authentication works by using the new user accounts to access the secured folders on the remote server.
Lab Assessment Questions & Answers
1. Relate how Windows Server 2012 Active Directory and the configuration of access controls achieve C-I-A for departmental LANs, departmental folders, and data.
2. Is it a good practice to include the account or user name in the password? Why or why not?
3. What are some of the best practices to enhance the strength of user passwords in order to maximize confidentiality?
4. Can a user who is defined in Active Directory access a shared drive on a computer if the server with the shared drive is not part of the domain?
5. Does Windows Server 2012 R2 require a user’s logon/password credentials prior to accessing shared drives?
6. When granting access to network systems for guests (i.e., auditors, consultants, third-party individuals, etc.), what security controls do you recommend implementing to maximize CIA of production systems and data?
7. In the Access Controls Criteria table, what sharing changes were made to the MGRfiles folder on the TargetWindows01-DC server?
8. In the Access Controls Criteria table, what sharing changes were made on the TargetWindows01-DC server to allow Shopfloor users to read/write files in the C:\LabDocuments\SFfiles folder?
9. In the Access Controls Criteria table, what sharing changes were made on the TargetWindows01-DC server to allow HumanResources users to read/write files in the C:\LabDocuments\HRfiles folder?
10. Explain how C-I-A can be achieved down to the folder and data file access level for departments and users using Active Directory and Windows Server 2012 R2 access control configurations. Configuring unique access controls for different user types is an example of which kind of access controls?
Introduction
When given access to resources, whether IT equipment or some other type of asset, most people will use the resources responsibly. However, a few people, when left to rely on only common courtesy or good judgment, will misuse or abuse those resources. The misuse might be for their own benefit or just for entertainment. While the misuse can be unintentional, it is still a waste of resources. To avoid that waste or outright abuse, a company will document official guidance. For resources within the IT domains, that guidance is called an acceptable use policy (AUP).
An AUP’s purpose is to establish the rules for a specific system, network, or Web site. These policies outline the rules for achieving compliance, for example. They also help an organization mitigate risks and threats because they establish what can and cannot take place.
In this lab, you will define an AUP as it relates to the User Domain, you will identify the key elements of sample AUPs, you will learn how to mitigate threats and risks with an AUP, and you will create your own AUP for an organization.
Learning Objectives
Upon completing this lab, you will be able to:
Define the scope of an acceptable use policy (AUP) as it relates to the User Domain.
Identify the key elements of acceptable use in an organization’s overall security management framework.
Align an AUP with the organization’s goals for compliance.
Mitigate the common risks and threats caused by users in the User Domain with the implementation of an AUP.
Draft an AUP in accordance with the policy framework definition that incorporates a policy statement, standards, procedures, and guidelines.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
1. Lab Report file;
2. Lab Assessments file.
Hands-On Steps
Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.
1. On your local computer, create the lab deliverable files.
2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.
3. Using Figure 1, review the seven domains of a typical IT infrastructure.

Figure 1 Seven domains of a typical IT infrastructure
4. On your local computer, open a new Internet browser window.
5. In the address box of your Internet browser, type the URL http://cve.mitre.org and press Enter to open the Web site.
Note: CVE stands for Common Vulnerabilities and Exposures, which is a reference system originated by the MITRE Corporation for cataloging known information security vulnerabilities. While MITRE is a U.S. not-for-profit organization, the U.S. Department of Homeland Security provides a portion of the funding to support the CVE database.
6. On the Web site’s left side, click the Search CVE link.
7. In the box on the right titled CVE List Master Copy, click View CVE List.
8. In the Search Master Copy of CVE box at the bottom of the page, type User Domain into the By Keyword(s) area and click Submit.
9. Search the resulting list of articles for entries related to the User Domain.
10. In your Lab Report file, identify the risks, threats, and vulnerabilities commonly found in the User Domain. (Name at least three risks/threats.)
Note: Your search for relevant risks will be difficult due to the high number of vulnerabilities related to Windows® Active Directory® domains, as opposed to the “User Domain” as one of the seven IT asset domains. Try additional words that describe user-particular risks or threats, for example, surfing, phishing, malicious, downloads, etc. Consider listed vulnerabilities, such as those that allow an authenticated user to gain unauthorized privileges, or steal others’ passwords or files.
11. In the address box of your Internet browser, type the URL http://www.sans.org/reading_room/whitepapers/threats/ and press Enter to open the Web site.
12. Scroll through the list of articles to find articles on threats and vulnerabilities in the User Domain.
13. Choose two articles that discuss two of the risks or threats you listed in step 10.
14. In your Lab Report file, discuss how these articles explain how to mitigate risks or threats in the User Domain.
15. In the address box of your Internet browser, type the following URLs and press Enter to open the Web sites:
· Health care: http://it.jhu.edu/policies/itpolicies.html
· Higher education: http://www.brown.edu/information-technology/computing-policies/acceptable-use-policy
· U.S. federal government: https://www.jointservicessupport.org/AUP.aspx
16. In your Lab Report file, list the main components of each of the acceptable use policies (AUPs) documented at each of these sites.
17. In your Lab Report file, explain how a risk can be mitigated in the User Domain with an acceptable use policy (AUP). Base your answer on what you discovered in the previous step.
18. Consider the following fictional organization, which needs an acceptable use policy (AUP):
· The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations throughout the region.
· Online banking and use of the Internet are the bank’s strengths, given its limited human resources.
· The customer service department is the organization’s most critical business function.
· The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.
· The organization wants to monitor and control use of the Internet by implementing content filtering.
· The organization wants to eliminate personal use of organization-owned IT assets and systems.
· The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.
· The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training.
Note: The best style for writing IT policy is straightforward and easy to understand. Avoid “fluff,” or unnecessary wording, and phrasing that could be understood more than one way. Write in concise, direct language.
19. Using the following AUP template, in your Lab Report file, create an acceptable use policy for the XYZ Credit Union/Bank organization (this should not be longer than three pages):
XYZ Credit Union/Bank
Policy Name
Policy Statement
{Insert policy verbiage here.}
Purpose/Objectives
{Insert the policy’s purpose as well as its objectives; include a bulleted list of the policy definition.}
Scope
{Define this policy’s scope and whom it covers.
Which of the seven domains of a typical IT infrastructure are impacted?
What elements, IT assets, or organization-owned assets are within this policy’s scope?}
Standards
{Does this policy point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.}
Procedures
{In this section, explain how you intend to implement this policy throughout this organization.}
Guidelines
{In this section, explain any roadblocks or implementation issues that you must overcome and how you will overcome them per the defined policy guidelines.}
Note: This completes the lab. Close the Web browser, if you have not already done so.
Assignment Grading Rubric
Course: IT541 Unit: 2 Points: 100
Assignment 2
Outcomes addressed in this activity:
Unit Outcomes:
- Assess access control models.
- Analyze denial of service response.
- Prepare worm countermeasures.
- Assess denial of service attacks.
Course Outcomes:
IT541-2: Compare authentication and encryption methods.
IT541-4: Apply basic information security Best Practices to business scenarios.
Assignment Instructions
This Assignment provides a "hands on" element to your studies. It gives you the opportunity to work with the protocols and see how they operate in real-world environments. Read and perform the lab entitled “IT541 Assignment 2 Lab" found in Doc Sharing; use the lab sheet included at the end of the lab file to submit your results.
Directions for Submitting Your Assignment:
Use the Lab #2 Worksheet document found at the back of the lab instructions as a guide for what to submit, and save it as a Word document entitled Username-IT541 Assignment-Unit#.doc (Example: TAllen-IT541 Assignment-Unit2.doc). Submit your file by selecting the Unit 2: Assignment Dropbox by the end of Unit 2.
Assignment Requirements:
- Answers contain sufficient information to adequately answer the questions
- No spelling errors
- No grammar errors
*Two points will be deducted from your grade for each occurrence of not meeting these requirements.
For more information and examples of APA formatting, see the resources in Doc Sharing or visit the KU Writing Center from the KU Homepage.
Also review the KU Policy on Plagiarism. This policy will be strictly enforced on all applicable assignments and discussion posts. If you have any questions, please contact your professor.
Review the grading rubric below before beginning this activity.
Unit 2 Assignment Grading Rubric = 100 points
| Assignment Requirements | Points Possible | Points Earned |
| Document demonstrates that the student was able to correctly define the scope of an acceptable use policy. | 0–20 | |
| Document demonstrates that the student was able to correctly identify key elements of acceptable use within an organization as part of an overall security management framework. | 0–20 | |
| Document demonstrates that the student was able to correctly align an acceptable use policy with the organization's goals for compliance. | 0–20 | |
| Document demonstrates that the student was able to mitigate common risks and threats caused by users within the User Domain with the implementation of an acceptable use policy. | 0–20 | |
| Document demonstrates that the student was able to correctly create an acceptable use policy in accordance with the policy framework, incorporating a policy statement, standards, procedures, and guidelines. | 0–20 | |
| Total (Sum of all points) | 0–100 | |
| Points deducted for spelling, grammar, and APA errors | | |
| Adjusted total points | | |
Lab #1 - Assessment Worksheet
Crafting an Organization-Wide Security Management Policy for Acceptable Use
Course Name and Number: _____________________________________________________
Student Name: ________________________________________________________________
Instructor Name: ______________________________________________________________
Lab Due Date: ________________________________________________________________
Overview
In this lab, you defined an AUP as it relates to the User Domain, you identified the key elements of sample AUPs, you learned how to mitigate threats and risks with an AUP, and you created your own AUP for an organization.
Lab Assessment Questions & Answers
1. What are three risks and threats of the User Domain?
2. Why do organizations have acceptable use policies (AUPs)?
3. Can Internet use and e-mail use policies be covered in an acceptable use policy?
4. Do compliance laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or GLBA, play a role in AUP definition?
5. Why is an acceptable use policy not a fail-safe means of mitigating risks and threats within the User Domain?
6. Will the AUP apply to all levels of the organization? Why or why not?
7. When should an AUP be implemented and how?
8. Why would an organization want to align its policies with existing compliance requirements?
9. In which domain of the seven domains of a typical IT infrastructure would an acceptable use policy (AUP) reside? How does an AUP help mitigate the risks commonly found with employees and authorized users of an organization’s IT infrastructure?
10. Why must an organization have an acceptable use policy (AUP) even for nonemployees, such as contractors, consultants, and other third parties?
11. What security controls can be deployed to monitor and mitigate users from accessing external Web sites that are potentially in violation of an AUP?
12. What security controls can be deployed to monitor and mitigate users from accessing external webmail systems and services (for example, Hotmail®, Gmail™, Yahoo!®, etc.)?
13. Should an organization terminate the employment of an employee if he/she violates an AUP?