Kaplan IT541 lab 1 and 2 assignment

| September 28, 2018

Lab #1 Implementing
Access Controls with Windows Active Directory
Introduction
Computer security is accomplished using
many different systems, but the fundamental concepts are all rooted in the
security triad known as C-I-A (Confidentiality, Integrity and Availability). C-I-A
is a key goal in any security program. Confidentiality is preventing the
disclosure of secure information to unauthorized individuals or systems.
Integrity is maintaining and assuring the accuracy of data over its life-cycle.
For information to be useful, it must be available when needed: thus the need
for Availability. This means the data may need to be in highly redundant,
highly protected storage areas with adapted power and cooling.

Microsoft has developed the Active
Directory Domain structure so that a central authority, the Domain Controller,
is the repository for all domain security records. It has several layers of
authentication and authorization, including the standard user/password and
several options for two-factor authentication. Two-factor authentication
combines something you know, such as a password, with something you are (a
biometric device such as a fingerprint or a retina scan) or something you
possess (a smart card or a USB stick). The Domain Controller can also employ a
self-signed or third-party certificate system that adds a distinct third layer
to the authentication process. The domain can be a standalone entity, or, in a
corporate environment, domains from offices all over the world can be joined
together in a forest. In this instance, the local security administrators may
have rights to their own office domain tree, but only the corporate
administrators would have full access to the entire forest.

In
this lab, you willuse theActive
Directory Domain Controller tosecure the C-I-A triad,ensuring confidentiality and
integrity of network data. You will create users and global security groups,
assign the new users to security groups. You will follow a given set of access
control criteria to ensure authentication on the remote server by applying the
new security groups to a set of nested folders. Finally, you will verify that
authentication by using the new user accounts to access the secured folders on
the remote server.

This
lab has five parts, which should be completed in the order specified.

1. In
the first part of the lab, you will use the Active Directory Group Policy
Management console to create and link a global password policy for the entire
domain.

2. In
the second part of the lab, you will use the Active Directory Users and
Computers module to create a series of users and global security groups. You
will also add the new users to the new security groups, just as you would in a
real world domain.

3. In
the third part of the lab, you will apply the new security groups to nested
folders on the remote server according to a given set of access control
criteria.

4. In
the fourth part of the lab, you will verify the new users can access the
appropriate folders on the remote server.

5.
Finally, if assigned by your
instructor, you will explore the virtual environment on your own to answer a
set of challenge questions that allow you to use the skills you learned in the
lab to conduct independent, unguided work, similar to what you will encounter
in a real-world situation.
Learning
Objectives
Upon completing this lab, you will be
able to:
·
Create Windows 2012 Server Active
Directory system administration configurations for
defined departmental workgroups and users
·
Create Windows
2012 Server global domain departmental groups and user account definitions per
defined access control requirements
·
Configure Windows
2012 Server departmental group and user folders with unique access rights per
the defined access control requirements
·
Access a Windows
2012 Server as a user and encounter errors when attempting to create data files
and write them to specific folders
·
Create a list
of new and modified access control parameters to implement stringent security
access controls per the defined requirements using Windows 2012 Server
Tools and
Software
The following software and/or utilities
are required to complete this lab. Students are encouraged to explore the
Internet to learn more about the products and tools used in this lab.
·
Windows Active Directory
·
Group Policy Object Editor

Deliverables
Upon
completion of this lab, you are required to provide the following deliverables
to your instructor:

1.
Lab Report file including screen captures
of the following step(s): Part 1, Step 16; Part 2, Step 23; Part 3, Step 19; and
Part 4, Step 7;
2.
Lab Assessments file;
3.
Optional: Challenge Questions file, if
assigned by your instructor.

Hands-On Steps

uNote:
This lab contains detailed lab procedures, which you should follow
as written. Frequently performed tasks are explained in the Common Lab Tasks
document on the vWorkstation desktop. You should review these tasks before starting the lab.

1.
From the vWorkstation desktop,openthe
Common Lab Tasks file.
If you desire, use the File
Transfer button to transfer the file to your local computer and print a copy
for your reference.

Figure 1 “Student Landing” vWorkstation
2.
On your local computer,createthelab
deliverable files.
3.
Review theLab Assessment Worksheet at the end of this lab. You will find answers to these questions as
you proceed through the lab steps.
Part 1: Group Policy

uNote:
In the next steps, you
will use the Active Directory Group Policy Management console to create and
link group policy objects. Windows Group Policy is a powerful, granular
method for controlling machine and user access on the Windows desktop and
network. In this part of the lab, you will use the Local Group policy to
allow users the right to log on to the remote Windows servers on the domain.

1.
Double-click theRDP folder on the vWorkstation
desktop to open the folder.

2.
Double-click theTargetWindows01 file in the RDP
folder to open a remote connection to the Windows machine.
The remote desktop opens with the
IP address of the remote machine (172.30.0.15) in the title bar at the top of
the window. The FileZilla Server application opens automatically.

Figure
2 TargetWindows01 desktop
3.
ClosetheFileZilla Server application; it is
not required for this lab.
4.
Click theWindows Start button andclicktheAdministration Tools icon to open the
Administrative Tools folder in the File Explorer.

Figure
3 Administrative Tools folder
5.
Double-click Group Policy Management
from the right pane to open the Group Policy Management console.

Figure
4 Group Policy Management console

6.
In the left pane,navigate to the Group Policy Objectsfolder (Group Policy Management > Forest
> Domains > securelabsondemand.com > Group Policy Objects).
The existing group policy objects in the securelabsondemand.com
domain will appear in the right pane of the console.
7.
In the right pane,right-clickandselect New from the context menu.
8.
Type PasswordGPO in the Name box of
the New GPO dialog box andclick OK to create a new password policy object.
9.
Right-clickthe newPasswordGPO object andselect Edit from the context menu to
open the Group Policy Management Editor.
10. In the Group Policy Management Editor, navigate to the Password Policy object
(Computer
ConfigurationPoliciesWindows SettingsSecurity SettingsAccount
PoliciesPassword Policy).
In the right pane of the Group Policy Management Editor, notice that
the variety of options for strengthening the password policy. By default, these
options are “Not Defined” until they are modified.

Figure
5 Password policies options
11. Double-click Password must meet
complexity requirements to explore this policy.
12. Click
theDefine this policy checkbox and thenclick
theEnabled radio button.
13. Click OK to close the Password must meet complexity requirements window.

uNote:

It is important for
security practitioners to take into consideration the human element when
devising password security policies to ensure confidentiality. Users
generally choose easy to remember passwords which typically are weak and
easier for others to guess or crack. It would be considered poor practice to
include any part of the user’s user name in a password. Typically, the username
is easily discovered—usernames are often left in the login screen, or they follow
a convention that’s easy to guess.

Some standard rules for
password selection that are not unique to this course but should be used as
guidelines for all passwords in a production system include requiring a
non-sequential set of numbers, upper- and lowercase letters, and special
characters. Other best practices:

·
Never leave the administrator
account named Administrator
·
Never use easily guessed
passwords: Add password complexity by including a combination of alphanumeric
characters, upper and lower-case letters, etc.
·
Never repeat the username in
the password
·
Change passwords frequently
(Maximum password age of 30–90 days)
·
Wherever possible use
two-factor authentication, such as a RSA Secure ID
Above all, maintain the
password policy.

14. Double-click Minimum Password Length to explore this policy.
15. Click
theDefine this policy setting checkbox andtype 8 in the password must be at least toggle box to set the minimum
password length and match the current best practices requirements.
16. Click OK to close the Minimum password length Properties window.
17. Make a screen capture showingthe new policy settingsfor the new PasswordGPO andpasteit into your Lab Report file.
18. Close
theGroup Policy Management Editor.
19.
In the left pane of the Group
Policy Management window,right-click Default Domain Policyandselect Edit from the context.
20.
In the left pane,navigate to the Account Policies
folder (Computer Configuration > Policies
> Windows Settings > Security Settings > Account Policies)to expand the tree directory andselect Password Policy.
Following precedent rules, the Domain Controller policies take
precedence over any local policies.
21.
Double-click any of the policiesnot marked Not Defined.
22.
DeselecttheDefine this policy setting checkbox to change the Policy Setting to Not
Defined.
23.
Click theExplain tab and take note of what the
password policy would define and thenclick OK to close the dialog box.

Figure
6 Exploring policy settings
24. Repeat steps 21-23 for all policiesnot marked Not Defined.
25. Close
theGroup Policy Management Editor
window.
26. In the Group Policy Management console,right-click securelabsondemand.com in
the left pane andselect Link an Existing GPO from the context menu.
27. In the Select GPO dialog box,click
PasswordGPO from the list of existing objects available
to link to this domain.

Figure
7Existing GPOs
28. Click OK to close the dialog box and apply the changes.
Now, users on the entire securelabsondemand.com domain will have to
create passwords at least 8 characters in length, following the policy you
documented in step 17.Right-click thePasswordGPO policy andselect Edit from the context menu to confirm the change.
29. Close
theGroup Policy Management window.
30.
Closethe
Administrative Tools window.
Part
2: User and Group Administration

uNote:

Active Directory is the
database that provides centrally-controlled managed access. It is a security
management system for an organization’s Windows computer systems. Active
Directory enables a security administrator to control user and resource
access from one central location instead of managing that access at each
machine on the network. In many organizations, it would be impossible for the
security administrators to access every machine. Even machines not joined to
the Active Directory domain can still be accessed by their local machine name
or IP address, or by using an authorized user name and password; however,
this process is much easier with Active Directory.

In the next steps, you will
use Active Directory to create a series of user accounts and global security groups
for the securelabsondemand.com domain.

1.
Right-click theWindows Start icon andselect Searchfrom the context menu.
2.
In the Search pane,type activeto retrieve the list possible matches.

Figure
8 Search panel
3.
Click Active Directory Users and Computersfrom the resulting list to open the application.

Figure
9 Active Directory Users and Computers
4.
In the left navigation pane,double-click securelabsondemand.com to expand all the folders (Organizational Units) in the
domain.
5.
Double-click theUsers folder to see a list of all
existing users and groups.
6.
Click theCreate a new group in the current container icon in the toolbar.

Figure
10 Create a New Group icon
7.
In the New Object – Group dialog box,type Shopfloor in the Group name box.

Figure
11 Add a new group in Active Directory
8.
Verify that the Group scope is Global and the Group type is
Security andclick Ok to create the new global security group.
The new Shopfloor group has been added to the list of users and
groups in the right pane.

Figure
12 New Group added to Active Directory
9.
Repeat steps 6-8to
create the following new global security groups.
·
Managers
·
HumanResources

uNote:

Often, users within the
same department may require separate access to confidential files and
folders. This access is usually determined by the user’s role in the
department, as a manager, an HR representative, or an individual contributor.
Role-based access controls help departments organize unique access controls
for access to folders and data files based on an employee’s role. It is
important to maximize the confidentiality and the integrity of confidential
data files within a department or group so that only those employees who need
access to this confidential data are granted access. An example of role-based
access controls is common in human resources and payroll departments where
only those employees who need access to employee privacy data and information
are privy to the access.

In the next steps, you
will use Active Directory to create a series of new users and add them to the
global security group you created in the previous steps.

10. Click theAdd a new user in the current
container icon on the toolbar.

Figure
13 Create New User icon
11. Type
the following information in the New Object – User dialog box andclick Next to continue:
·
First name:SFUser
·
Last name:01
·
User logon name:SFUser01

The Full name and User logon name (pre-Windows 2000) boxes will populate
automatically.

Figure
14 Create new user icon in the Active Directory window
12. Type thefollowing information in the password screen:
·
Password:P@ssw0rd!
·
Confirm password:P@ssw0rd!

uNote:
You are required to enter
a mixed-case password. If you are not using the Citrix Receiver to access
this lab, please use the CAPS LOCK button or the On-Screen Keyboard to input
the password.

13. ClicktheUser must change password at next logon checkbox to remove the check. Verify that the rest of the checkboxes
are unchecked.

Figure
15 Create a password for a new user
14. Click Next tocontinue.
15. Click Finishtocreate the new user account.
The new user will appear in the right pane with the groups you
created earlier.

Figure
16 Click Finish to create the new user account
16. Repeat steps 10-15to create new users using the information in the following
table.

New Users Data

First name

Last name

User logon name

SFUser

02

SFUser02

SF

Manager

SFManager

HRUser

01

HRUser01

HRUser

02

HRUser02

HR

Manager

HRManager

17. Right-clicktheSFUser01 user andselect Add to a group from the context menu.
18. In theSelect Group dialog box,type Shopfloor in theEnter the object name to select box.

Figure
17 Add a user to an existing group
19. Click OKto complete the
process.
20. Click OKto close the success dialog.
21. Repeat steps 17-20to add the new users to the correct global security group(s)
using the information in the following table.

Security Group Data

User logon name

Global Security Group(s)

SFUser02

Shopfloor

SFManager

Shopfloor; Managers

HRUser01

HumanResources

HRUser02

HumanResources

HRManager

HumanResources; Managers

22. Double-click theManagers group andclick
theMembers tab to see the members of that group.

Figure
18 Members of the Managers group
23. Make a screen captureshowing
themembers of the Managers groupandpaste
itinto your Lab Report file.
24. Close
theManagers group dialog box.
25. Repeat steps 22-24for each of the following new global security groups:
·
Shopfloor
·
HumanResources
26. Close
theActive Directory Users and Computers
window.

uNote:

One of the biggest
challenges that face a Windows administrator is how to handle guests, users
that have a legitimate need for temporary network access. Typically, best
practices would dictate that a guest would be placed in a secure network,
isolated from the production network by firewall barriers. If this is not
practical, which is often the case with auditors or contract workers, then
clear and specific areas of access should be decided, making them as
restrictive as possible.

For C-I-A requirements,
local, self-signed certificates issued to guests who require a higher degree
of access that expire when the guest is due to leave and limiting their
access is the next best option. Of course, Access Control Lists (ACL) to
strictly control the access is also mandatory, disabling the guest user and
creating short term complex password users will help as well. In the past,
network resources have been protected by non-electronic means–non-disclosure
agreements with statements prohibiting the use of flash drives or removable
storage devices, but many organizations today create guest user workstations that
have the USB ports and CD drives already disabled as an effective means of
stopping the introduction of unwanted data, or theft of company data. Newer versions
of Windows archiving enable system administrators to recover lost or compromised
documents from an archived copy.

Part
3: Resource Management

uNote:
In the next steps, you
will create a series of folders on the remote TargetWindows01-DC server, the
Domain Controller for this virtual lab environment. You will assign custom
security permissions to each by using the new global groups to secure those
resources. In this way, the domain admin sets up both Authentication using
the Active Directory Domain authentication policies, and builds a series of
nested “Access Control Lists” to control access to domain resources. This not
only locks out unauthorized access, but it also can work to prevent changes
to resources by internal users not qualified or authorized to have access.

1.
Click theFile Explorer icon in the
TargetWindows01 taskbar to open the File Explorer.
2.
Navigateto the home folder (This PC >Local Disk (C:))in the File Explorer.
3.
ClicktheNew folder icon in the File Explorer
toolbar to create a new unnamed folder.
4.
Type LabDocuments andpress Enter to name the new folder.
5.
Double-click theC:LabDocuments folder to open it.
6.
Click the New folder icon to create a new folder
under the LabDocuments folder.
7.
Type SFfiles andpress Enter to name the new
subfolder.
8.
Repeat steps 6-7to create the
following additional subfolders:
·
HRfiles
·
MGRfiles

Figure
19 LabDocuments folder structure
9.
Click theBack arrow button on the File
Explorer toolbar to return to the home folder.
10. Right-click theLabDocuments folder andselect Properties from the context menu.
11. In the LabDocuments Properties dialog box,click theSharing tab andclick theShare button to open the File Sharing
dialog box.
12. Type ShopFloor in the text box andclick Add to share the LabDocuments folder with the members of the ShopFloor global
security group.
13. Right-click theShopFloor group in the bottom section of the dialog box andselect Read, if necessary, from the
context menu to restrict members of the Shopfloor group to read-only access to
the LabDocuments folder.

Note:
Applying read-only access
to this folders allows members of the Shopfloor group pass-through access to
the subfolders. You will duplicate this access for the other two security
groups. In the next steps, you will determine what access to apply the
departmental subfolders using a provided set of access control criteria.

Figure
20 File Sharing dialog box
14. Repeat steps 12-13 for each of the
new global security groups:
·
Managers
·
HumanResources
15. ClicktheShare button to complete the file sharing.
16. Click Done to close the dialog box.
17. ClickCloseto close theLabDocuments Properties dialog box.
18. In your Lab Report file,recreate the followingAccess Controls Criteria table.

Access Controls Criteria

Access Controls Criteria

Sharing Changes Made to the Folder

Access Control Success/Failure

1

Allow ShopFloor members to read/write files in the C:LabDocumentsSFfiles
folder. HumanResources members do not have any permissions in this folder.

2

Allow HumanResources members to read/write files in the C:LabDocumentsHRfiles
folder. Shopfloor members do not have access to this folder.

3

Allow the SFManager to read/write files in the C:LabDocumentsMGRfiles
folder and the C:LabDocumentsSFfiles folder. The SFManager has no
permissions to the HRfiles folder.

4

Allow the HRManager to read/write files in the C:LabDocumentsMGRfiles
folder and the C: LabDocumentsHRfiles folder. The HRManager has no
permissions to the SFfiles folder.

19. For each of the criteria in the left column:
·
Determinewhat share changes to make
to satisfy the criteria andmake the necessary changes on the TargetWindows01 server. (Hint:
Refer to steps 10-17. You may need to add individual users instead of groups to
correctly secure each folder.)
·
Make a screen capture showing theFile Sharing dialog box for each
folder that you changed showing the changes you’ve made andpaste it into the second column of
your table.
You will complete the third column later in this lab.
20. Minimize theTargetWindows01 window to return to the vWorkstation desktop.
21. Close
theRDP folder.
Part
4: Practical Application

Note:
In
the next steps, you will test the configurations you have just made by
logging on using the newly created user
accounts and attempting to write files to the secured folders.

1.
Right-click theWindows Start button andselect Run from the menu to open a
Windows command prompt.
2.
Type net use \172.30.0.15LabDocuments/user:SFUser01(the IP address and folder of the TargetWindows01 virtual machine on
which you created the three subfolders) andclick OK to enable the SFUser01
account to access the shared folder.

Figure
21 Log on to TargetWindows01 server
3. When prompted,type P@ssw0rd!to connect to theTargetWindows01 server with the SFUser01 password and
press Enter.

uNote:
You are required to enter
a mixed-case password. If you are not using the Citrix Receiver to access
this lab, please use the CAPS LOCK button or the On-Screen Keyboard to input
the password.

4.
Right-click theWindows Start button andselect Run from the menu to open a
Windows command prompt.
5.
Type \172.30.0.15LabDocumentsto
open the subfolders to which this user has access andclick OK.
6.
In the LabDocuments window,double-click theSFfiles folder.
7.
Right-click in the right pane of the
SFfiles folder andselect New > Text document from the context menu to create a new unnamed file in the folder.

Note:
If the sharing properties
were set properly in the previous set of steps, you will be able to create
this new file. If not, you will receive an error message.

8.
Type SFfiles andpress Enter to name the new file in
the folder.

Figure
22Saved text
document in the SFfiles folder
9.
In your Lab Report file,document the results of this test in
the third column of the Access Controls Criteria tab:
·
If you were able to create the file,make a screen captureshowing thesuccessfully created file andpaste it into your Lab Report file.
·
If you received an error message,make a screen captureshowing theerror message andpaste it into your Lab Report file,
briefly describe the changes you would need to
make to receive a successful result, andrepeat steps in
Part 3
of this lab until you receive a successful result.
10. Close
theFile Explorer.
11. Right-click theWindows Start button andselect Run from the menu.
12. Type net use \172.30.0.15LabDocuments
/deletein the text box andclick OK to remove the cached credentials.

Figure
23 Delete cached credentials to the remote server
13. Repeat steps 1-12 for each of the six users you created inPart 2 of this lab, replacing the user name in step 2 each time.
You will need to test each of three new folders (SFfiles, HRfiles,
and MGRfiles) and remember that the SFManager and HRManager users must be able
to create files in two subfolders, not just one.
14. Closethevirtual lab, or proceed with Part 5 to answer the challenge question for this
lab.

Part
5: Challenge Questions

uNote:
The following challenge
questions are provided to allow independent, unguided work, similar to what
you will encounter in a real-world situation. You should aim to improve your
skills by getting the correct answer in as few steps as possible. Use screen
captures in your lab document where possible to illustrate your answers.

1.
In Active Directory,which account is disabled by default? Explain why this account is
disabled by default.
2.
Which of thefollowing groups are not an Active Directory built-in group?
a.
Guest
b.
Human Resources
c.
Server Operators
d.
Shopfloor
e. Users
3.
According to theGroup Policy Management console, who is the owner of the
securelabsondemand.com domain?

uNote:
This completes the lab. Close the virtual lab, if you have not already done so.

Assignment Grading Rubric
Course:
IT541 Unit: 1 Points: 50
Assignment 1

Outcomes addressed in
this activity:

Unit Outcomes:

Distinguish
between the two main categories of security controls.Distinguish
the security areas within the CIA triad.

Course Outcomes:

IT541-2: Compare authentication and
encryption methods.

Assignment Instructions

This Assignment provides a “hands on” element to your studies.
It gives you the opportunity to work with the protocols and see how they
operate in real-world environments. Read and perform the lab entitled “IT
541 Unit 1 Assignment Lab” found in Doc Sharing; use the lab sheet
included at the end of the lab file to submit your results.

Directions for
Submitting Your Assignment

Use the Lab #1 Worksheet document found at the back of the lab
instructions as a guide for what to submit, and save it as a Word® document,
entitled Username-IT541 Assignment-Unit#.doc (Example: TAllen- IT541
Assignment-Unit1.doc). Submit your file by selecting the Unit 1: Assignment
Dropbox by the end of Unit 1.
Assignment Requirements

Answers
contain sufficient information to adequately answer the questionsNo
spelling errorsNo
grammar errors

*Two points will be deducted from your grade for each occurrence of not
meeting these requirements.

For more information and examples of APA
formatting, see the resources in Doc Sharing or visit the KU Writing Center
from the KU Homepage.

Also review the KU Policy on Plagiarism. This policy will be strictly
enforced on all applicable assignments and discussion posts. If you have any
questions, please contact your professor.

Review the grading rubric below before beginning this activity.

Unit 1 Assignment
Grading Rubric = 50 points

Assignment Requirements

Points Possible

Points Earned

Document demonstrates that the student was able to correctly implement
an Active Directory system administrative configuration for groups and users.

0–10

Document demonstrates that the student was able to correctly implement
global domain departmental groups and user accounts.

0–10

Document demonstrates that the student was able to correctly implement
departmental group and user folders with unique access rights per defined
requirements.

0–10

Document demonstrates that the student was able to correctly access the
server as a user and test errors encountered when attempting to create and
save data files.

0–10

Document demonstrates that the student was able to correctly implement
a list of new and modified access control parameters in order to create more
stringent access controls.

0–10

Total (Sum of all
points)

0–50

Points deducted for
spelling, grammar, and APA errors

Adjusted total points

Lab #1 – Assessment
Worksheet
Implementing Access Controls with
Windows Active Directory
Course
Name and Number: _____________________________________________________

Student
Name: ________________________________________________________________

Instructor
Name: ______________________________________________________________

Lab
Due Date: ________________________________________________________________
Overview
In
this lab, youused theActive
Directory Domain Controller tosecure the C-I-A triad,ensuring confidentiality and
integrity of network data. You created users and global security groups and
assigned the new users to security groups. You followed a given set of access
control criteria to ensure authentication on the remote server by applying the
new security groups to a set of nested folders. Finally, you verified that
authentication by using the new user accounts to access the secured folders on
the remote server.
Lab Assessment Questions & Answers

1.
Relate how Windows Server
2012 Active Directory and the configuration of access controls achieve C-I-A
for departmental LANs, departmental folders, and data.

2.
Is it a good practice to
include the account or user name in the password? Why or why not?

3.
What are some of the best
practices to enhance the strength of user passwords in order to maximize
confidentiality?

4.
Can a user who is defined in
Active Directory access a shared drive on a computer if the server with the
shared drive is not part of the domain?

5.
Does Windows Server 2012 R2
require a user’s logon/password credentials prior to accessing shared drives?

6.
When granting access to
network systems for guests (i.e., auditors, consultants, third-party
individuals, etc.), what security controls do you recommend implementing to
maximize CIA of production systems and data?

7.
In the Access Controls
Criteria table, what sharing changes were made to the MGRfiles folder on
TargetWindows01-DC server?

8.
In the Access Controls
Criteria table, what sharing changes were made on the TargetWindows01-DC
server to allow Shopfloor users to read/write files in the
C:LabDocumentsSFfiles folder?

9.
In the Access Controls
Criteria table, what sharing changes were made on the TargetWindows01-DC
server to allow HumanResources users to read/write files in the
C:LabDocumentsHRfiles folder?

10. Explain how C-I-A can be achieved down to the folder and data file
access level for departments and users using Active Directory and Windows
Server 2012 R2 access control configurations. Configuring unique access
controls for different user types is an example of which kind of access
controls?

Lab #1 Crafting an Organization-Wide
Security Management Policy for Acceptable Use

.jpg”>

Introduction
When given access to resources, whether IT
equipment or some other type of asset, most people will use the resources
responsibly. However, a few people, when left to rely on only common courtesy
or good judgment, will misuse or abuse those resources. The misuse might be for
their own benefit or just for entertainment. While the misuse can be
unintentional, it is still a waste of resources. To avoid that waste or
outright abuse, a company will document official guidance. For resources within
the IT domains, that guidance is called an acceptable use policy (AUP).
An AUP’s purpose is to establish the rules
for a specific system, network, or Web site. These policies outline the rules
for achieving compliance, for example. They also help an organization mitigate
risks and threats because they establish what can and cannot take place.
In this lab, you will define an AUP as it
relates to the User Domain, you will identify the key elements of sample AUPs,
you will learn how to mitigate threats and risks with an AUP, and you will
create your own AUP for an organization.
Learning Objectives
Upon completing this lab, you will be
able to:
Define the scope of an acceptable use policy (AUP) as it relates to
the User Domain.
Identify the key elements of acceptable use in an organization’s
overall security management framework.
Align an AUP with the organization’s goals for compliance.
Mitigate the common risks and threats caused by users in the User
Domain with the implementation of an AUP.
Draft an AUP in accordance with the policy framework definition that
incorporates a policy statement, standards, procedures, and guidelines.

Deliverables
Upon completion of this lab, you are
required to provide the following deliverables to your instructor:
1.
Lab Report file;
2.
Lab Assessments file.

Hands-On Steps

uNote:
This is a paper-based lab.
To successfully complete the deliverables for this lab, you will need access
to Microsoft® Word or another compatible word processor. For some labs, you
may also need access to a graphics line drawing application, such as Visio or
PowerPoint. Refer to the Preface of this manual for information on creating
the lab deliverable files.

1.
On your local computer,createthelab
deliverable files.
2.
Review theLab Assessment Worksheet. You will find answers to these questions as you proceed through
the lab steps.
3. Using
Figure 1,review the seven
domains of a typical IT infrastructure.
.jpg” alt=”38375_Lab01_Fig01.tif”>
Figure 1 Seven domains of a typical IT infrastructure
4.
On your local computer,opena
newInternet browser
window.
5.
In the address box
of your Internet browser,type the URLhttp://cve.mitre.org andpress Enter to open the Web
site.

uNote:
CVE stands for Common
Vulnerabilities and Exposures, which is a reference system originated by the
MITRE Corporation for cataloging known information security vulnerabilities.
While MITRE is a U.S. not-for-profit organization, the U.S. Department of
Homeland Security provides a portion of the funding to support the CVE
database.

6.
On the Web site’s left
side,click theSearch CVE link.
7.
In the box on the right
titled CVE List Master Copy,click View CVE List.
8.
In the Search Master Copy
of CVE box at the bottom of the page,type User Domain into theBy Keyword(s) area andclick Submit.
9.
Search the resulting list of articles for entries related to
the User Domain.
10. In your Lab Report file,identify the risks,
threats, and vulnerabilities commonly found in the User Domain. (Name at leastthree risks/threats.)

uNote:
Your search for relevant
risks will be difficult due to the high number of vulnerabilities related to
Windows® Active Directory® domains, as opposed to the “User Domain” as one of
the seven IT asset domains. Try additional words that describe
user-particular risks or threats, for example, surfing, phishing, malicious,
downloads, etc.
Consider listed
vulnerabilities, such as those that allow an authenticated user to gain
unauthorized privileges, or steal others’ passwords or files.

11. In the address box of your Internet browser,type the URLhttp://www.sans.org/reading_room/whitepapers/threats/andpress Enter to open the Web
site.
12. Scroll through the list of articles to find articles on threats and
vulnerabilities in the User Domain.
13. Choose two articles that discuss two of the risks or threats you listed in step
10.
14. In your Lab Report file,discuss how these
articles explain how to mitigate risks or threats in the User Domain.
15. In the address box of your Internet browser,type the following URLs andpress Enter to open the Web sites:
·
Health
care:http://it.jhu.edu/policies/itpolicies.html
·
Higher
education:http://www.brown.edu/information-technology/computing-policies/acceptable-use-policy
·
U.S.
federal government:https://www.jointservicessupport.org/AUP.aspx
16. In your Lab Report file,list the main
components of each of the acceptable use policies (AUPs) documented at each of
these sites.
17. In your Lab Report file,explain how a risk can be
mitigated in the User Domain with an acceptable use policy (AUP). Base your
answer on what you discovered in the previous step.
18. Consider the following fictional organization, which needs an acceptable use
policy (AUP):
·
The
organization is a regional XYZ Credit Union/Bank that has multiple branches and
locations throughout the region.
·
Online
banking and use of the Internet are the bank’s strengths, given its limited
human resources.
·
The
customer service department is the organization’s most critical business
function.
·
The
organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA)
and IT security best practices regarding its employees.
·
The
organization wants to monitor and control use of the Internet by implementing
content filtering.
·
The
organization wants to eliminate personal use of organization-owned IT assets
and systems.
·
The
organization wants to monitor and control use of the e-mail system by
implementing e-mail security controls.
·
The
organization wants to implement this policy for all the IT assets it owns and
to incorporate this policy review into its annual security awareness training.

uNote:
The best style for writing
IT policy is straightforward and easy to understand. Avoid “fluff,” or
unnecessary wording, and phrasing that could be understood more than one way.
Write in concise, direct language.

19. Using the following AUP template, in
your Lab Report file,create an acceptable use policy for the XYZ Credit Union/Bank organization
(this should not be longer than three pages):
XYZ Credit Union/Bank
Policy Name
Policy
Statement
{Insert policy verbiage here.}
Purpose/Objectives
{Insert the policy’s purpose as well as its objectives;
include a bulleted list of the policy definition.}

Scope
{Define this policy’s scope and whom it covers.
Which of the seven domains of a typical IT
infrastructure are impacted?
What elements, IT assets, or organization-owned assets
are within this policy’s scope?}
Standards
{Does this policy point to any hardware, software, or
configuration standards? If so, list them here and explain the relationship of
this policy to these standards.}
Procedures
{In this section, explain how you intend to implement
this policy throughout this organization.}
Guidelines
{In this section, explain any roadblocks or
implementation issues that you must overcome and how you will overcome them per
the defined policy guidelines.}

uNote:
This completes the lab. Close the Web browser, if you have not already done so.

Assignment
Grading Rubric

Course: IT541 Unit: 2
Points: 100
Assignment 2
Outcomes addressed in
this activity:
Unit Outcomes:
Assess
access control models.Analyze
denial of service response.Prepare
worm countermeasures.Assess
denial of service attacks.
Course Outcomes:
IT541-2: Compare authentication and
encryption methods.
IT541-4: Apply basic information security
Best Practices to business scenarios.
Assignment Instructions
This Assignment provides a “hands on” element to your studies.
It gives you the opportunity to work with the protocols and see how they
operate in real-world environments. Read and perform the lab entitled “IT541
Assignment 2 Lab”found in Doc Sharing; use the lab sheet included at
the end of the lab file to submit your results.
Directions for
Submitting Your Assignment:
Use the Lab #2 Worksheet document found at the back of the lab
instructions as a guide for what to submit, and save it as a Word document entitled
Username-IT541 Assignment-Unit#.doc (Example: TAllen- IT541
Assignment-Unit2.doc). Submit your file by selecting the Unit 2: Assignment
Dropbox by the end of Unit 2.
Assignment Requirements:

Answers
contain sufficient information to adequately answer the questionsNo
spelling errorsNo
grammar errors
*Two points will be deducted from your grade for each occurrence of not
meeting these requirements.
For more information and examples of APA
formatting, see the resources in Doc Sharing or visit the KU Writing Center
from the KU Homepage.
Also review the KU Policy on Plagiarism. This policy will be strictly
enforced on all applicable assignments and discussion posts. If you have any
questions, please contact your professor.
Review the grading rubric below before beginning this activity.
Unit 2 Assignment
Grading Rubric = 100 points

Assignment
Requirements

Points Possible

Points Earned

Document demonstrates that the student was able to correctly define the
scope of an acceptable use policy.

0–20

Document demonstrates that the student was able to correctly identify
key elements of acceptable use within an organization as part of an overall
security management framework.

0–20

Document demonstrates that the student was able to correctly align an acceptable
use policy with the organization’s goals for compliance.

0–20

Document demonstrates that the student was able to mitigate common
risks and threats caused by users within the User Domain with the
implementation of an acceptable use policy.

0–20

Document demonstrates that the student was able to correctly create an
acceptable use policy in accordance with the policy framework, incorporating
a policy statement, standards, procedures, and guidelines.

0–20

Total (Sum of all
points)

0–100

Points deducted for
spelling, grammar, and APA errors

Adjusted total points

Lab #1 – Assessment
Worksheet
Crafting an Organization-Wide Security
Management Policy for Acceptable Use
Course
Name and Number: _____________________________________________________

Student
Name: ________________________________________________________________

Instructor
Name: ______________________________________________________________

Lab
Due Date: ________________________________________________________________
Overview
In this lab, you
defined an AUP as it relates to the User Domain, you identified the key
elements of sample AUPs, you learned how to mitigate threats and risks with an
AUP, and you created your own AUP for an organization.
Lab Assessment Questions & Answers

1.
What are three risks and threats of the User Domain?

2.
Why do organizations have acceptable use policies (AUPs)?

3.
Can Internet use and e-mail use policies be covered in an acceptable
use policy?

4.
Do compliance laws, such as the Health Insurance Portability and
Accountability Act (HIPAA) or GLBA, play a role in AUP definition?

5.
Why is an acceptable use policy not a fail-safe means of mitigating
risks and threats within the User Domain?

6.
Will the AUP apply to all levels of the organization? Why or why not?

7.
When should an AUP be implemented and how?

8.
Why would an organization want to align its policies with existing
compliance requirements?

9.
In which domain of the seven domains of a typical IT infrastructure
would an acceptable use policy (AUP) reside? How does an AUP help mitigate
the risks commonly found with employees and authorized users of an
organization’s IT infrastructure?

10. Why must an organization have an
acceptable use policy (AUP) even for nonemployees, such as contractors,
consultants, and other third parties?

11. What security controls can be deployed to
monitor and mitigate users from accessing external Web sites that are
potentially in violation of an AUP?

12. What security controls can be deployed to
monitor and mitigate users from accessing external webmail systems and
services (for example, Hotmail®, Gmail™, Yahoo!®, etc.)?

13. Should an organization terminate the
employment of an employee if he/she violates an AUP?

Get a 30 % discount on an order above $ 100
Use the following coupon code:
RESEARCH
Order your essay today and save 30% with the discount code: RESEARCHOrder Now
Positive SSL