Lab 4 - Building Systems with Assurance

This assignment involves creating a user account in Windows XP and implementing policies to ensure data confidentiality, data availability, and data integrity.

Pre-assignment:

  1. Log on with an administrative account
  2. Create a new standard user with your first initial and last name as the username (e.g. wsummers)
  3. Create a new folder with your username as its name
  4. Explore the systems

Assignment: This assignment allows you to explore the different aspects of data security including confidentiality of data, availability of data, integrity of data and data encryption.

  1. Data Confidentiality - making sure that only those intended to have access to certain data actually have that access.
    1. Log onto the host as admin.
    2. Open My Computer and then double-click on the C: drive.
    3. Create a new folder called Confidentiality in your directory
    4. To secure this folder from other users, right-click the folder and select Properties
    5. Click the Security tab. [This tab would not be available if the drive were not formatted as NTFS.]
    6. Uncheck the box "Allow inheritable permissions from parent to propagate this object"
    7. Click Copy to retain the permissions
    8. Click Add; the Select Users, Computers, or Groups window will pop up.
    9. Make sure your server is selected in the Look in drop down box.
    10. Select your username, and then click Add.
    11. Click OK.
    12. With your username still highlighted, click the Allow Full Control box.
    13. Click the name Everyone, then click Remove.
    14. Click OK.
    15. Double-click your folder Confidentiality. Your access should be denied because you only granted yourself access.
    16. Close all windows and log off.
    17. Log on with your username account, and navigate to the Confidentiality folder to verify that your account has access to the folder.
    18. Close all windows and log off.
  2. Data Availability - ensuring data is available when needed
    1. Log onto the host as admin.
    2. Open My Computer and then double-click on the C: drive.
    3. Create a new folder called Availability in your directory
    4. To secure this folder from other users, right-click the folder and select Properties
    5. Click the Security tab. [This tab would not be available if the drive were not formatted as NTFS.]
    6. Uncheck the box "Allow inheritable permissions from parent to propagate this object"
    7. Click Remove to clear the permissions
    8. Click Add; the Select Users, Computers, or Groups window will pop up.
    9. Make sure your server is selected in the Look in drop down box.
    10. Select your username, and then click Add.
    11. Click OK.
    12. With your username still highlighted, click the Allow Full Control box.
    13. Click OK.
    14. Close all windows and log off.
    15. Log on with your username account, and navigate to the Availability folder to verify that your account has access to the folder.
    16. Close all windows and log off.
    17. Log on as admin and delete your username account.
    18. Create a new user with your username, then log off.
    19. Log onto your username account, and try to access your folder Availability. Your access should be denied.
    20. Log off your username account.
    21. Log on as admin
    22. Check the Security properties of the Availability folder. Notice the account is no longer listed, but the old SID is.
    23. Close all windows and log off.
  3. Data Integrity - making sure that the contents of the data have not been altered accidentally or intentionally.
    1. Log onto the host as username.
    2. Open My Computer and then double-click on the C: drive.
    3. Create a new folder called Integrity in your directory
    4. Create a new Text document and edit the contents to say: This document has not been modified accidentally or intentionally.
    5. Save the file as myFile and close the document
    6. Log off as firstname
    7. Log on as test (password testing123)
    8. Edit myFile and remove the word "not" from the file. Because you did not assign permissions to the folder, you can modify the contents of the file.
    9. Close all windows and log off.
  4. Data Encryption - taking readable data and making it unreadable
    1. Log onto the host as username.
    2. Open My Computer and then double-click on the C: drive.
    3. Create a new folder called Encryption in your directory
    4. Create a new Text document and edit the contents to say: This document is for my eyes only.
    5. Save the file as Secret.txt and close the document
    6. Right click on the document and select Properties
    7. Click the Advanced button and check the Encrypt contents to secure data box
    8. Click OK and Click OK a second time
    9. Click the radio button that says Encrypt the file only and Click OK
    10. Log off as username
    11. Log on as test
    12. Try to access the file Secret.txt. Access should be denied, even though the file permissions are Everyone, Full Control.
    13. Close all windows and log off.
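
The Availability steps above (deleting and re-creating the account, then finding the old SID on the folder) can be reproduced in a small model. This is an added example, not part of the original lab and not Windows code: the classes, the machine identifier and the single "full" right are assumptions made for illustration, and deny entries and group membership are left out.

```python
from itertools import count

MACHINE = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed machine ID
EVERYONE = "S-1-1-0"                                    # well-known SID for Everyone

class AccountDB:
    """Local accounts. Each new account gets a fresh RID; RIDs are never reused."""
    def __init__(self):
        self.by_name, self._rids = {}, count(1000)
    def create(self, name):
        self.by_name[name] = f"{MACHINE}-{next(self._rids)}"
        return self.by_name[name]
    def delete(self, name):
        del self.by_name[name]
    def name_of(self, sid):
        if sid == EVERYONE:
            return "Everyone"
        return next((n for n, s in self.by_name.items() if s == sid), None)

class Folder:
    """A folder whose ACL holds allow entries keyed by SID, never by name."""
    def __init__(self):
        self.acl = {}                       # sid -> set of rights
    def allow(self, sid, rights):
        self.acl[sid] = set(rights)
    def check(self, token, right):
        # Access is granted if any SID in the caller's token has the right.
        return any(right in self.acl.get(sid, ()) for sid in token)
    def listing(self, db):
        # What the Security tab shows: a name if the SID resolves, else the raw SID.
        return [db.name_of(sid) or sid for sid in self.acl]

def token(db, name):
    """SIDs presented at logon in this model: the user's own SID plus Everyone."""
    return {db.by_name[name], EVERYONE}

def availability_lab(user="wsummers"):
    db, folder = AccountDB(), Folder()
    old_sid = db.create(user)
    folder.allow(old_sid, {"full"})                 # only this account is listed
    before = folder.check(token(db, user), "full")  # original account: allowed
    db.delete(user)                                 # admin deletes the account
    new_sid = db.create(user)                       # same name, different SID
    after = folder.check(token(db, user), "full")   # recreated account: denied
    return before, after, old_sid, new_sid, folder.listing(db)

if __name__ == "__main__":
    print(availability_lab())
```

The listing returned at the end contains only the raw old SID, which matches what the Security properties show in the last Availability step.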

Post-assignment: Answer the following questions (you may have to refer to the help in Windows and Microsoft websites):

    1. What features of NTFS are not available with FAT partitions?
    2. A safeguard in Windows allows administrators to access data even if they have been explicitly denied. Explain this safeguard.
    3. A user took a leave of absence from your company for personal reasons. A junior administrator deleted the user's account from Active Directory. To fix the problem, the junior administrator re-created the account. When the user returned to work, he could not access any of his files. Explain what happened.
    4. How can data confidentiality affect data availability?
    5. An Administrator restores a folder of files at the request of the owner of the folder. Two days later the user calls the Help Desk to complain that some data is missing from files that were updated two weeks ago. What could have happened?
    6. In Windows 2000, who can access encrypted files?
    7. You have decided to use NTFS encryption to enhance security on your network of six servers. Five of the six servers have compressed drives, and a new administrator says that it would not be a good idea to implement an encryption policy at this time. Why is or isn't the administrator correct?
    8. Explain the differences between data confidentiality, data integrity, and data availability.
    9. Describe what you learned from this lab. Describe any problems you had with this lab.