Assurance Assignment
Hands-on Activity - Building Systems with Assurance
(DUE December 12, 2005 by midnight EST)

This assignment involves creating a user account in Windows 2000 Professional and implementing policies to ensure data confidentiality, data availablility, and data integrity.

You are going to be connecting to our SAIL (Security and Assurance of Information Lab) Lab through a VPN tunnel. I will post the VPN client software on WebCT for you to download. You will also be using a program called RealVNC (http://www.realvnc.com/) that will allow you to remotely connect and control another computer.

Pre-assignment:

  1. Download the VPN client software from WebCT and install it on your computer.
  2. Run the VPN client and create a New connection
    1. Use a name you will recognize for Connection Entry
    2. I will give you the host name in WebCT
    3. I will give you the group name and password in WebCT
  3. Click on Connect; I will give you your username and password in an email via WebCT
  4. You are now inside the virtual SAIL lab and able to connect to any of the computers there
  1. Download and install the VNC viewer (http://www.realvnc.com/).
  2. Connect to one of the computers: SAIL-1, SAIL-2, or SAIL-3 by typing the IP address and password (IP addresses and passwords are available on WebCT)
  3. Log on as admin1(password available on WebCT [IMPORTANT: if necessary, right mouse click in the title bar at the top of the VNC screen and select "Send CTRL-ALT-DEL" to log onto a computer using VNC]
  4. Create a new standard user with your first initial and last name as the username (e.g. wsummers)
  5. Create a new folder with your name as the username
  6. Explore the systems

Assignment: This assignment allows you to explore the different aspects of data security including confidentiality of data, availability of data, integrity of data and data encryption.

  1. Data Confidentiality - making sure that only those intended to have access to certain data actually have that access.
    1. Log onto the host as admin1.
    2. Open My Computer and then double-click on the C: drive and go to your folder created above.
    3. Create a new folder called Confidentiality in your directory
    4. To secure this folder from other users, right-click the folder and select Properties
    5. Click the Security tab. [this would not be available if the drive was not formatted as NTFS.]
    6. Click the Advanced button
    7. Uncheck the box "Inheritable from parent the permission entries that apply to child object"
    8. Click Copy to retain the permissions
    9. Click Add and Select Users, Computers, or Groups window will pop up.
    10. Make sure your server is listeded in the Locations box.
    11. Enter your username (or click Advanced | Find Now), then click Ok.
    12. Click OK.
    13. With your username still selected, click the Allow Full Control box.
    14. Click the name Users, then click Remove.
    15. Click OK.
    16. Double-click your folder Confidentiality. Your access should be permitted because you only granted yourself access.
    17. Close all windows and log off.
    18. Log on with the user1 account, and navigate to the Confidentiality folder to verify that this account does not have access to the folder.
    19. Close all windows and log off.
  2. Data Availability - ensuring data is available when needed
    1. Log onto the host as admin1.
    2. Open My Computer and then double-click on the C: drive.
    3. Create a new folder called Availability in your directory
    4. To secure this folder from other users, right-click the folder and select Properties
    5. Click the Security tab. [this would not be available if the drive was not formatted as NTFS.
    6. Uncheck the box "Allow inheritable permissions from parent to propagate this object"
    7. Click Remove to clear the permissions
    8. Click Add and Select Users, Computers, or Groups window will pop up.
    9. Make sure your server is selected in the Look in drop down box.
    10. Select your username, then click Add.
    11. Click OK.
    12. With your username still highlighted, click the Allow Full Control box.
    13. Click OK.
    14. Close all windows and log off.
    15. Log on with your username account, and navigate to the Availability folder to verify that your account has access to the folder.
    16. Close all windows and log off.
    17. Log on as admin1 and delete your username account.
    18. Create a new user with your username, then log off.
    19. Log onto your username account, and try to access your folder Availability. Your access should be denied.
    20. Log off your username account.
    21. Log on as stuadmin
    22. Check the Security properties of the Availability folder. Notice the account is no longer listed, but the old SID is.
    23. Close all windows and log off.
  3. Data Integrity - make sure that the contents of the data have not been altered accidentlly or intentionally.
    1. Log onto the host as your username.
    2. Open My Computer and then double-click on the C: drive.
    3. Create a new folder called Integrity in your directory
    4. Create a new Text document and edit the contents to say: This document has not been modified accidentally or intentionally.
    5. Save the file as myFile and close the document
    6. Log off
    7. Log on as user1
    8. Edit myFile and remove the word "not" from the file. Because you did not change the default permissions to the folder, you can read the contents of the file, but not write to the file [Go to the Security and check the permissions for Users and compare them with the permissions for your account
    9. Close all windows and log off.
  4. Data Encryption - taking readable data and making it unreadable
    1. Log onto the host as username.
    2. Open My Computer and then double-click on the C: drive.
    3. Create a new folder called Encryption in your directory
    4. Create a new Text document and edit the contents to say: This document is for my eyes only.
    5. Save the file as Secret.txt and close the document
    6. Right click on the document and select Properties
    7. Click the Advanced button and check the Encrypt contents to secure data box
    8. Click OK and Click OK a second time
    9. Click the radio button that says Encrypt the file only and Click OK
    10. Log off from your account
    11. Log on as user1
    12. Try to access the file Secret.txt. Access should be denied, even though the file permissions for Users are Read.
    13. Close all windows and log off.
  5. Passwords are often the front line defense in any network. This assignment focuses on password policy settings in Microsoft Windows. We will be looking at the policy setting in Windows XP, but the features are similar in most Windows operating systems. We will be sharing the same computers for this assignment. If you make any changes to the settings, please reset everything you changed back to the original before you leave the computer.

  6. Setting Password Length
    1. Log onto as admin1
    2. Select Start | Programs | Administrative Tools | Local Security Policy
    3. Find Password Policy in Account Policies
    4. What is the minimum password length?
  7. Password Complexity
    1. Find Password Policy in Account Policies
    2. Is Password must meet complexity requirements enabled?
  8. Preventing the Display of Last Logon Name
    1. Find Security Option in Local Policies
    2. Is Do not display last user name in login screen enabled?
  9. Setting Account Lockout Policy
    1. Find Account Lockout Policy in Account Policies
      1. How many invalid logon attempts are permitted?
      2. How long is the account locked out?

    Post-assignment: Answer the following questions (you may have to refer to the help in Windows and Microsoft websites)-

    1. Which computer did you use?
    2. What features of NTFS are not available with FAT partitions? [How would you convert a FAT partition to NTFS?]
    3. A safeguard in Windows allows administrators to access data even if they have been explicitely denied. Explain this safeguard.
    4. A user took a leave of absense fron your company for personal reasons. A junior administrator deleted the user's account from Active Directory. To fix the problem, the junior administrator re-created the account. When the user returned to work, he could not access any of his files. Explain what happened.
    5. How can data confidentiality affect data availability?
    6. An Administrator restores a folder of files at the request of the owner of the folder. Two days later the user calls the Help Desk to complain that some data is missing from files that were updated two weeks ago. What could have happened?
    7. In Windows XP, who can access encrypted files?
    8. You have decided to use NTFS encryption to enhance security on your network of six servers. Five of the six servers have compressed drives, and a new administrator says that it would not be a good idea to implement an encryption policy at this time. Why is or isn't the administrator correct?
    9. Explain the differences between data confidentiality, data integrity, and data availability.
    10. What are the minimum and maximum password age on this computer? Why are they important?
    11. What is the difference between Local Polices and Account Policies?
    12. How complex is the password complexity? Can you modify the complexity? What should be included?
    13. What is the purpose of setting a lockout policy?
    14. Describe what you learned from this lab. Describe any problems you had with this lab.