AMA Computer Learning Center Mabalacat Branch
2/F Dau Mart II McArthur Hi-way, Dau Mabalacat Pampanga
Securing Network Drives and Client Computers in a School Local Area Network
In partial fulfillment of requirement for NAT-700 Special Project on Network Telecommunications and
Technology
Submitted by: Group # 4
Merwyn R. Navarro
Ariel M. Comon
Aljon M. Pelagio
Junrey P. Mole
Jonathan S. Meneses
Kcee E. Antonio
Submitted to: Mr. Adelaido I. Bacani Jr., Thesis Adviser
I Acknowledgement
We would like to extend our sincere appreciation to our parents and loved ones
for their undying support in the completion of this thesis, to our instructors for the
knowledge that they imparted to us, and to our colleagues in school who in some way
influenced us to carry out this thesis project. We also thank our alma mater, ACLC
Mabalacat Branch, for giving us the opportunity to put into practice what we learned.
NTT-4c Group Four would like to express our honest gratitude and thanks to
Microsoft TechNet, Wikipedia, CramSession, Tech-faq.com, CISCO, University of
Albany, How2Pass.com and other websites for the study guides and references
used in this project.
And most of all, to our almighty GOD, who deserves all the credit, thanks and praise.
II Abstract
As we went about our daily school life, we noticed how important computer
networks are, especially in the field of information technology. They can greatly affect
everyone's productivity and efficiency in acquiring knowledge, and can either speed up
work automation or make it sluggish. It is therefore necessary that people give
importance to network security. Data and information are under constant attack by every
means possible, through both known and developing technology. Every organization that
uses a network for automation uses file storage accompanied by its own security concept.
In school, network resources are used on a daily basis. Every student and
instructor keeps their own data inside the school network. But the data being
processed within the network is being compromised because of security lapses. There is
no storage facility for important files for either students or instructors. Security is
breached the moment a user logs into a workstation. In simple terms, there is no
manifestation of security.
Security is defined as a condition of being protected against any danger, threat,
damage, or hazard. It enables the network to prevent and detect unauthorized use of any
computer and the resources within it. Security involves concepts, management and
administration. Administering security involves the set-up and configuration of resources
based on organizational needs. Concepts include the "authentication" created and given
to a user, which involves the creation of a username and password for individual clients;
firewalls that can filter which services network users are allowed to access; and an
Intrusion Prevention System (IPS) that can detect and prevent malicious and unwanted
software. An IPS also monitors network traffic for suspicious content, volume and
anomalies to protect the network from attacks such as denial of service. Management,
on the other hand, is the maintenance of software and hardware to prevent malicious
attacks such as hacking and spamming. This includes the installation of antivirus
software that can monitor and prevent unwanted software intrusion in a given network.
The final outcome of this research is a security evaluation of network drives and
client computers within a school local area network that is practical enough to be used in
real applications with acceptable results, without having to be an expert in the security
arena. The concept is based on the Microsoft Windows 2000 Server operating system and
DeepFreeze software, which are available and already existing at the subject of the study
for experimentation. It is built upon concepts drawn from computer information
technology professionals and leaders in the industry, and empirically tested.
CHAPTER 1 INTRODUCTION
1.1 BACKGROUND
This thesis is concerned with the security evaluation of network drives and
client computers in a school local area network. The school in focus for this study (AMA
Computer Learning Center Mabalacat Branch) has an existing network for each
computer laboratory. The school has a total of three networked computer laboratories.
Each workstation is installed with Windows XP Professional SP2, and the workstations
are connected together as a workgroup. Students are restricted from using external
removable storage such as flash drives and memory sticks to prevent infection from
unwanted software. During every laboratory session, students are monitored by a
laboratory facilitator. After finishing a machine problem on their workstation, students
are instructed "not" to shut down their computer until their work has been checked. This
is because there is no storage location available for them to save their files; there is no
network storage media to transfer and store important data. Another reason is that each
computer is in "freeze mode": upon restart or shutdown, each computer returns to the
state it was in when it was frozen. No files of any sort can be saved, because everything
is erased and only the components present before the computer was frozen are left.
Although freezing has proven effective in preventing infection and intrusion, malicious
and unwanted software is still present on each network. As for the instructors, manual
encoding of files for both academic and professional purposes is done either on a
standalone computer located at the faculty or inside the computer laboratory.
Like the students, they cannot save files on these computers; instead they use external
removable storage to safeguard their files from both corruption and deletion from the
computers being used in school. The same situation applies to school admin personnel:
they can save files to a standalone computer at the Admin Office, but it is mandatory for
them to keep an external memory backup of all data processed in school. Data and files
are constantly vulnerable due to the poor security of the computers.
1.2 PROBLEM STATEMENT
Although every network is personally monitored by the assigned Laboratory
Facilitators, security is still at risk when it comes to data storage and computer usage.
There are no restrictions on network usage. There are no user policies that define
different user rights, making everyone a user with administrative power.
Malicious code and programs spread across the entire network due to the lack of
antivirus software and the constant plugging in of removable storage and other external
devices without proper supervision. Operating system services and components are all
accessible without any permission or restriction. Though each workstation has been
"frozen" to retain its state and to prevent virus infection, malicious and other
threat-causing software is still present within the network. There is no antivirus software
installed on the computers to prevent further damage that may result in data loss and
computer hardware malfunction. Files and folders that are created have no storage
location. There is no existing storage media on which to save important school
documents, student files, instructors' class records, etc. And if a file can be saved on a
computer, there is no assurance that the data or the file location is well secured. Although
a server is currently being utilized within the laboratory, it has not been used for network
domain purposes but only in a standalone server model.
1.3 OBJECTIVE
GENERAL OBJECTIVE
The main objective of this project is to evaluate the needs of a network in terms of
its workstation and network drive security, to formulate a security concept for both
network drives and workstations, and to apply these concepts in order to examine their
effectiveness. The insights gained from the project will form a set of guidelines for
designing secure workstations and storage locations. This project was chosen to address
the need for a secured storage facility intended for school use.
SPECIFIC OBJECTIVE
1.) To create network drives in an existing Windows 2000 Server network
domain.
2.) To secure network drives from unwanted data and from being flooded with data.
3.) To create different user profiles based on individual school personnel data.
4.) To create different user levels with permissions and policies.
5.) To secure the server and clients with the use of antivirus software.
6.) To secure member workstations with the use of existing software and services that
are already available.
1.4 ASSUMPTIONS
This study is conducted based on the following assumptions:
1.) That the Computer Laboratory Facilitator and School Administrative
Personnel will use the proposed project.
2.) That the school has no appropriate file and data storage.
3.) That every workstation has poor security.
1.5 HYPOTHESIS OF THE STUDY
The proposed project will greatly improve security for individual workstations and
network drives. Primarily, this study has the following hypotheses:
1.) User profiles were created based on names, year and section, position and
designation.
2.) It is irritating and time-consuming to have to worry about viruses and where to
store your files every time you want to use a computer.
3.) The proposed project is the best solution for secured data storage and
workstation usage.
1.6 SCOPE AND DELIMITATIONS
In general, the focus of this study is directed towards the evaluation and
development of a secured network drive and workstation. There are three small to
medium sized computer laboratories, each of which is networked separately. There is
a single computer installed with Windows 2000 Server, but it is only a standalone
computer used for experimentation. Every workstation is already equipped with
security software named "DeepFreeze." The study is largely dependent on the following:
Avast Antivirus software
DeepFreeze software
Network drive
Active Directory Users and Computers
Workstation security
Domain security policy
1.) Account and Local policy
2.) System Services
File system
Group Policy snap-in
In this proposed project, records and files are stored in a secured network drive
located on an existing Windows 2000 Server computer. User accounts will be created in
the server's "Active Directory Users and Computers". Each user will be able to log on,
with a unique level of permissions and restrictions, to local computers connected to
the server. However, the proponents are limited to a local area network only: there is no
internet access and no firewalls are involved. Although Windows 2000 Server software
was used in this study, only a basic understanding of it was applied, because of the
breadth of what it offers to the topic. Aside from the DeepFreeze software and Windows
2000 Server, which are already available and being used in school, a free version of Avast
Antivirus software was installed on both server and clients. No software other than that
mentioned previously was involved in the course of this study. The system has a secure
log-in for students, instructors and school staff. The scope of the study was narrowed
down because there was not enough time to complete further in-depth analysis.
1.7 SIGNIFICANCE OF THE STUDY
Social: The proposed project will inspire students to develop more enhanced
methods and concepts for network security.
Technological: The proposed project will introduce better efficiency in securing
data and workstations under an existing Local Area Network.
The result of this study is beneficial to the following:
Student: The proposed project will give each student a place where they can store their
school work and files without compromising data integrity.
Instructors: The proposed project will automate the checking of student laboratory
work by allowing instructors to log in on any workstation and access a single storage
location. Aside from that, each instructor will be given authenticated access to
designated folders within a network drive for file storage.
School Admin Personnel: The proposed project will minimize network management in
the sense that only the server will be the focus of administration and maintenance to
retain data integrity. In addition, a drive will be assigned for school administrative
purposes, and only the school administrator can access it.
Researchers: The researchers have developed their writing, analysis, and interpretation
skills needed to make a good thesis.
Future Researchers: This will benefit other researchers who wish to conduct similar
studies, as they can get background information from the results of this study, which can
serve as a template to modify for their research.
CHAPTER 2 REVIEW OF RELATED LITERATURE
2.1 RELATED LITERATURE
This section presents both foreign and local literature relevant to the study. The
proponents show this relevance in order to give more reason for and understanding of
the proposition.
Brian Floyd (member of IEEE, SCTE), PDF script “Changing the Face Of Network Security Threat”:
“Security threats arise almost on a daily basis and an aware administrator needs to be able to respond quickly and appropriately”
The author of this PDF script states that threats within networks occur almost
daily and that a network managed by an administrator must have some sort of
countermeasure.
Chad Perrin’s article "10 services to turn off in MS Windows XP" on the Tech
Republic website:
“An important step in the process of securing your system is to shut down unnecessary services.”
The author of the article states that for as long as Microsoft Windows has been a
network-capable operating system, it has come with quite a few services turned on by
default, and it is a good idea for the security-conscious user of Microsoft’s flagship
product to shut down any of these that he or she isn’t using.
This will enhance workstation security by disabling unwanted services within the
existing Windows operating system.
2.2 RELATED STUDIES
This section presents related studies by people who conducted research similar to
that of the proponents, which will greatly help the progress of the study and the
understanding of the proposition. This manuscript was written with reference to thesis
papers and documents by IT professionals, such as:
1. “Detecting Known Host Security Flaws over a Network Connection” by Martin
Andersson of “School of Mathematics and Systems Engineering”, Växjö University
for the “Faculty of Mathematics/Science/Technology”.
2. “Defining Information Security As a Policy” by Göran Pattersson, March 7, 2008.
3. “A Formal Approach to Practical Network Security Management” by Sudhakar
Govindavajhala, Ph.D., of Princeton University, 2006.
4. “Implementing Mandatory Network Security in a Policy-flexible System” by Ajaya
Chitturi of “University of Utah, Department of Computer Science”, April and
June 1998.
5. “Evaluation of Security Risk Associated with Network Information System” by Baino
Paul of “Royal Melbourne Institute of Technology, School Of Business Information
Technology” for the Faculty of Business, 2001.
2.3 DEFINITION OF TERMS
The definitions of terms are based on observable characteristics and on how the
terms are used in the study.
Workstation. A particular computer or device used by a client user within a
workgroup or domain of a given Local Area Network.
Server. A computer installed with the latest software capable of managing, securing
and monitoring interconnected devices (such as computers, routers and switches).
Local Area Network (LAN). A simple system of interconnected computers and
automated devices used within a particular organization such as a school, office or small
business establishment.
Partition. A division created within a system hard disk to separate files and to
maximize logical space.
Format. The process of reinstalling operating software or erasing data on hard drives
and storage.
Security. A condition of being protected against any danger, threat, damage, or
hazard.
Quota. The disk space allocated to every user on a shared drive or storage
location.
Policy. The rights, permissions and privileges given to each user on a
domain network.
Antivirus. Software that runs on an operating system to prevent unwanted and
damaging code and viruses.
Services. The system programs that run upon start-up of a given
operating system.
Operating system. The main program/software that enables a device to run, think,
calculate and perform a given task.
2.4 THEORETICAL FRAMEWORK
This chapter consists of the theories that have a bearing on the problem, the
conceptual framework and the operational framework. This study focuses on three major
concepts: research, testing and implementation. Research is done in this study to
discover more, but simple, ways of securing a local area network. Network security is so
broad and complex that in-depth research is needed to fully understand each
concept. Testing is a way of trying out methods and concepts that may be important to a
study; it enables researchers to know the effectiveness of methods and
concepts. Lastly, implementation is the deployment of a tested concept for practical use.
CHAPTER 3 METHODOLOGY
3.1 RESEARCH DESIGN
The study will utilize both descriptive and causal research designs. The research
problems and objectives posed at the beginning of the study will be answered through a
descriptive research design. The design will focus on describing the experimental and
application procedures as well as the users' perceptions of having a secured network
drive and workstation for a school local area network. A causal approach will be used to
identify the factors that affect the users' demand for a secured connection between
network drive and workstations.
3.2 TIME AND PLACE OF THE STUDY
This study was conducted mostly inside the school that is the focus of the
experimentation. The documentation and data gathering for this manuscript were done
from March 7 to March 19 of the year 2009, due to a major revision of the first study made
by our group.
3.3 SOURCE OF DATA
Data was mainly gathered from the internet and from books pertaining to
network security. It was then narrowed down to the subject of network drive and
workstation security within a given local area network. Data was also collected by
testing manuscripts and guides in actual application, to obtain the results needed for this
study.
3.4 DATA GATHERING TOOLS
These are the instruments or tools for gathering data in research used as basis for
drawing conclusions or making inferences. Some of these tools are empirical
observations, research and analysis used by the proponents as they conduct the proposed
study.
Observation. This technique is used when the researcher cannot secure adequate or
valid data through the use of the questionnaire or some other technique. It is
considered to be the most direct means of studying people in so far as their overt
behavior is concerned. Observation of a current operating procedure is another data
gathering tool; seeing the system in action gives you additional perspective and a better
understanding of system procedures.
Research. Research is, simply, the systematic search for pertinent information on a
specific topic or problem. It is the systematic study or investigation of something for the
purpose of answering questions posed by the researcher. It includes reviewing
journals, periodicals, and books to obtain background information, technical material,
and news about industry trends and developments.
Analysis. Analysis is the process of breaking up the whole study into its constituent
parts or categories according to the specific questions under the statement of the
problem. This is to bring into focus the essential features of the study.
3.5 ANALYTICAL PROCEDURE/METHODS OF ANALYSIS
At this point, the work of this proposed project will be tested to its fullest ability.
This is the part where the researcher must be able to determine and explain the methods
that will be used throughout the entire project. Applying security concepts and methods is
a tedious task not only for network administrators but also for laboratory
facilitators, because they will decide on the type, scope and level of security applied
in a network. At this juncture, the methods used in creating the security concept must be
explained and defined. The following are some security concepts that are essential for
securing data storage and workstations:
Planning. In this phase, the proposed project identifies its goals and
requirements before deciding on its implementation.
Analysis. This can be considered the most difficult phase, because manuals,
materials and information must first be examined thoroughly before being applied in
testing or experimentation.
Design. This is a visualization of the outcome of a proposed project. In
implementing security, time, accuracy and focus are essential because of the breadth of
each aspect of network security. You need enough space and time to design a security
infrastructure based on different network requirements. It takes a long period of time to
ensure the efficiency, reliability, effectiveness, integrity and manageability of networks.
Testing. At this stage, the proposed project is given to a panel of critics
and end-users for testing. In this way, the researchers can determine from the users'
response whether the proposed project will work or not.
Implementation. The objective of the implementation phase is to deliver a
completely functioning and documented information system. This is the phase wherein
the said project has already been documented and tested.
Administration. Upon implementation, this is the phase where the network is
managed based on the concepts and strategies that have gone through intensive
examination.
CHAPTER 4 PRESENTATION AND INTERPRETATION OF DATA
This chapter presents the data gathered for the study and the interpretation of the
results from the research, testing and analysis of the security concept used for this
proposed project. The topics presented in this chapter are based on existing
manuscripts and guides already available on the World Wide Web. Selecting topics
according to the scope of this project was crucial because of the complexity of every
aspect of network security.
4.1 ASSESSMENT AND PLANNING FOR SECURITY
First and foremost, what is to be secured must be assessed before implementing
any security method. The objects, scope and requirements for security in the given
network must also be identified. The school has three computer laboratories; each
laboratory classroom has a standalone network in which all workstations are
interconnected without any internet connection. The plan is to interconnect the three
existing computer laboratories (each of which has a local area network) through a common
domain, using Windows 2000 Server as its domain controller. Basic domain controller
security will be applied, but the main focus is securing the network drives created within
the server. Workstation security will also be given importance.
4.2 NETWORK DRIVE
A network drive is a storage location shared within a network. It can be
external, in which case it is physically connected to a file server or directly to a
network switch, or internal, in which case it is usually created within a server. For this
project, we created internal network drives within the server’s hard disk by partitioning
it into several logical drives intended for different users.
4.3 DISK PARTITIONING
Partitioning is a process in which a system hard disk is divided into a
number of separate logical disks. This is done mainly to separate system files from user
files, preventing infection (such as viruses, Trojans, worms, malware, etc.) from spreading
from one disk to the other. If a LAN has no available network drive for file and folder
storage, and the server used for the domain has ample disk space, drive partitioning can
be done on the server. Create the necessary partitions based on the following:
1. Disk space of the server's hard disk
2. Number of groups
3. Number of drives needed by the organization
4. Partition space allocation for users
As for our subject, the AMA Computer Learning Center laboratory, these are as
follows:
1. The server disk has a total of 160 GB of disk space: 20.50 GB used for the
System drive, 107.3 GB of free and unallocated space, and approximately 32 GB
of lost space.
2. Groups are identified in three categories: Students, Instructors, and School
Admin.
3. Three logical disk drives will be needed: one for the Students, one for the
Instructors and one for the School Admin.
4. Allocated space for each partition will be:
Students – 61.5 GB
Instructors – 20.5 GB
School Admin Personnel – 25.3 GB
4.4 FILE SYSTEM
At a basic level, file system security begins by choosing the appropriate file
system. Windows 2000 includes three different file systems: NTFS, FAT32, and FAT.
The NTFS file system is the recommended file system because of its advantages in
reliability and security and because it is required for large drives.
The FAT and FAT32 file systems are similar to each other, except that FAT32 is
designed for larger disks than FAT. NTFS has always been a more powerful file system
than FAT or FAT32. Windows 2000 Server has a new version of NTFS that includes
many important security features such as:
- Permissions that you can set on individual files rather than just on folders.
- File encryption, which greatly enhances security.
- Active Directory, which you can use to view and control network resources
  easily.
- Domains, which are part of Active Directory, and which you can use to fine-tune
  security options while keeping administration simple. Domain controllers require
  NTFS.
- Recovery logging of disk activities, which helps you restore information quickly
  in the event of a power failure or other system problems.
- Disk quotas, which you can use to monitor and control the amount of disk space
  used by individual users.
- Better scalability to large drives. The maximum drive size for NTFS is much
  greater than that for FAT, and as drive sizes increase, performance with NTFS
  does not degrade as it does with FAT.
If you are currently using the FAT file system, you can use the Convert utility that
is included with Windows 2000 to convert to NTFS. And once it is converted to NTFS,
you can use the file and folder permissions to secure data. Windows 2000 gives you
comprehensive control over each file and folder on your hard disk. You can also use
Encrypting File System (EFS) technology, which is a security technology that enables
individual users to encrypt files so that the files cannot be read by others. (Microsoft
TechNet, Microsoft Corporation)
4.5 DISK QUOTA
Disk quotas track and control disk space usage for volumes. System administrators
can configure Windows to:
- Prevent further disk space use and log an event when a user exceeds a specified
  disk space limit.
- Log an event when a user exceeds a specified disk space warning level.
When you enable disk quotas, you can set two values: the disk quota limit and the
disk quota warning level. The limit specifies the amount of disk space a user is
allowed to use. The warning level specifies the point at which a user is nearing his or
her quota limit. For example, you can set a user's disk quota limit to 50 megabytes
(MB), and the disk quota warning level to 45 MB. In this case, the user can store no
more than 50 MB of files on the volume. If the user stores more than 45 MB of files
on the volume, you can have the disk quota system log a system event.
For instructions on setting disk quota values, see “To assign default quota values.”
You can specify that users can exceed their quota limit. Enabling quotas and not limiting
disk space use are useful when you do not want to deny users access to a volume, but
want to track disk space use on a per-user basis. You can also specify whether or not to
log an event when users exceed either their quota warning level or their quota limit.
When you enable disk quotas for a volume, volume usage is automatically tracked
for new users from that point on. However, existing volume users have no disk quotas
applied to them. You can apply disk quotas to existing volume users by adding new quota
entries in the Quota Entries window. Quotas can be enabled on both local volumes and
network volumes, but only on those volumes that are shared from the volume's root
directory and are formatted with the NTFS file system.
Notes:
- To support disk quotas, a disk volume must be formatted with the version of
  NTFS used in Windows 2000. Volumes formatted with the version of NTFS used
  in Windows NT 4.0 are upgraded automatically by Windows 2000 Setup.
- To administer quotas on a volume, you must be a member of the Administrators
  group on the computer where the drive resides.
- If the volume is not NTFS formatted, or if you are not a member of the
  Administrators group on the local computer, the Quota tab is not displayed on the
  volume's Properties page.
- File compression does not affect quota statistics. For example, if User A is limited
  to 3 MB of disk space, he or she can store only 3 MB worth of files, even if the
  files are compressed.
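The quota rules described in this section (limit, warning level, optional enforcement, event logging, existing users and compression) can be traced in a small model. This is an added example, not part of the original thesis and not Windows code: `QuotaVolume`, `QuotaEntry`, their methods and the user name `student01` are hypothetical names chosen for illustration.

```python
"""Simplified model of the per-user disk quota rules in section 4.5.

Added illustration only: QuotaVolume and its methods are hypothetical names,
not a Windows API. Sizes are logical (uncompressed) bytes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MB = 1024 * 1024


@dataclass
class QuotaEntry:
    limit: Optional[int]      # None = no quota applied to this user
    warning: Optional[int]
    used: int = 0             # logical bytes charged to the user


@dataclass
class QuotaVolume:
    default_limit: int
    default_warning: int
    deny_over_limit: bool = True    # "prevent further disk space use"
    log_over_limit: bool = True     # log an event when the limit is exceeded
    log_over_warning: bool = True   # log an event when the warning level is exceeded
    entries: Dict[str, QuotaEntry] = field(default_factory=dict)
    events: List[Tuple[str, str, int]] = field(default_factory=list)

    def register_existing_user(self, user: str, used: int) -> None:
        """A user who already had files when quotas were enabled: no quota applied."""
        self.entries[user] = QuotaEntry(limit=None, warning=None, used=used)

    def add_quota_entry(self, user: str, limit: int, warning: int) -> None:
        """Administrator adds or edits an entry (the Quota Entries window)."""
        entry = self.entries.setdefault(user, QuotaEntry(limit, warning))
        entry.limit, entry.warning = limit, warning

    def write(self, user: str, logical_size: int,
              on_disk_size: Optional[int] = None) -> bool:
        """Charge a new file to `user`; return False if the write is denied.

        on_disk_size is accepted only to show that it is ignored: compression
        does not change what is charged against the quota.
        """
        entry = self.entries.get(user)
        if entry is None:  # new user after quotas were enabled: defaults apply
            entry = self.entries[user] = QuotaEntry(self.default_limit,
                                                    self.default_warning)
        new_used = entry.used + logical_size

        if entry.limit is not None and new_used > entry.limit:
            if self.log_over_limit:
                self.events.append((user, "limit", new_used))
            if self.deny_over_limit:
                return False            # usage stays where it was
        elif entry.warning is not None and entry.used <= entry.warning < new_used:
            if self.log_over_warning:
                self.events.append((user, "warning", new_used))
        entry.used = new_used
        return True


def page_scenario() -> Tuple[List[bool], List[Tuple[str, str, int]], int]:
    """The 50 MB limit / 45 MB warning case from the text (user name constructed)."""
    vol = QuotaVolume(default_limit=50 * MB, default_warning=45 * MB)
    results = [vol.write("student01", 40 * MB),   # under both thresholds
               vol.write("student01", 6 * MB),    # 46 MB: crosses the warning level
               vol.write("student01", 5 * MB)]    # 51 MB: over the limit, denied
    return results, vol.events, vol.entries["student01"].used


if __name__ == "__main__":
    results, events, used = page_scenario()
    print(results, [(u, kind, n // MB) for u, kind, n in events], used // MB)
```

Setting `deny_over_limit=False` reproduces the track-only mode described above, in which users may exceed the limit and the event log is the only record.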
4.6 ACTIVE DIRECTORY USERS AND COMPUTERS
A great part of network administration involves management of users, computers,
and groups. A successful operating system must ensure that only properly authenticated
users and computers can logon to the network and that each network resource is available
only to authorized users. In the Microsoft® Windows® 2000 operating system, the
Active Directory™ service plays several major roles in providing security. Among these
roles are the efficient and effective management of user logon authentication and user
authorization. Both are central features of the Windows 2000 security subsystem and
both are fully integrated with Active Directory. (Microsoft TechNet, Microsoft
Corporation)
Active Directory user and computer accounts represent a physical entity such as a
computer or person. User accounts and computer accounts (as well as groups) are called
security principals. Security principals are directory objects that are automatically
assigned security identifiers.
Objects with security identifiers can log on to the network and access domain
resources. A user or computer account is used to:
Authenticate the identity of the user or computer.
Authorize or deny access to domain resources.
Administer other security principals.
Audit actions performed using the user or computer account.
This chapter covers the following topics which are important for analysis:
User Accounts
Computer Accounts
Security Principals
Group Policy Applied to User and Computer Accounts
4.6.1 USER ACCOUNTS
A user requires an Active Directory user account to log on to a computer or to a
domain. The account establishes an identity for the user; the operating system then uses
this identity to authenticate the user and to grant him or her authorization to access
specific domain resources. User accounts can also be used as service accounts for some
applications. That is, a service can be configured to log on (authenticate) as a user
account, and it is then granted access to specific network resources through that user
account. (Microsoft TechNet, Microsoft Corporation)
Predefined User Accounts
Windows 2000 provides the following two predefined user accounts:
Administrator account
Guest account
You can use these accounts to log on locally to a computer running Windows
2000 and to access resources on the local computer. These accounts are designed
primarily for initial logon and configuration of a local computer. The Guest account is
disabled and you must enable it explicitly if you want to allow unrestricted access to the
computer. The Administrator account is the most powerful account because it is a
member of the Administrators group by default. This account must be protected with a
strong password to avoid the potential for security breach to the computer. (Microsoft
TechNet, Microsoft Corporation)
To enable the Windows 2000 user authentication and authorization features, you
create an individual user account for each user who will participate on your network.
Then add each user account—including the Administrator and Guest accounts—to
Windows 2000 groups, and assign appropriate rights and permissions to each group.
(Microsoft TechNet, Microsoft Corporation)
4.6.2 COMPUTER ACCOUNTS
Like user accounts, Windows 2000 computer accounts provide a means for
authenticating and auditing the computer's access to the network and its access to
domain resources. Each Windows 2000 computer to which you want to grant access to
resources must have a unique computer account. Computers running Windows 98 and
Windows 95 do not have the advanced security features of those running Windows 2000
and Windows NT, and they cannot be assigned computer accounts in Windows 2000
domains. However, you can log on to a network and use Windows 98 and Windows 95
computers in Active Directory domains. (Microsoft TechNet, Microsoft Corporation)
4.6.3 SECURITY PRINCIPALS
Active Directory user and computer accounts (as well as groups, covered later)
are referred to as security principals, a term that emphasizes the security that the
operating system implements for these entities. Security principals are directory objects
that are automatically assigned SIDs when they are created. Objects with SIDs can log on
to the network and can then access domain resources. (Microsoft TechNet, Microsoft
Corporation)
If you establish a trust relationship between a domain in your Windows 2000
forest and a Windows 2000 domain external to your forest, you can grant security
principals from the external domain access to resources in your forest.
To do so, add external security principals to a Windows 2000 group, which causes
Active Directory to create a "foreign security principal" object for those security
principals. You can make foreign security principals members of domain local groups
(covered later). You cannot manually modify foreign security principals, but you can see
them in the Active Directory Users and Computers interface by enabling Advanced
Features. (Microsoft TechNet, Microsoft Corporation)
4.6.4 GROUP POLICY APPLIED TO USER AND COMPUTER ACCOUNTS
In the Windows 2000 operating system environment, you can associate Group
Policy configuration settings with three Active Directory containers—organizational
units (OUs), domains, or sites. Group Policy settings associated with a given container
either affect all users or computers in that container or they affect specified sets of objects
within that container. You can use Group Policy to configure security options, manage
applied to network locations.
The system applies group policy to computers at boot time or to users when they
log on. (You can also set the group policy refresh interval policy for users or computers;
the default refresh interval for both users and computers is 90 minutes.) (Microsoft
TechNet, Microsoft Corporation)
Here are three examples of using group policy settings:
Set the minimum password length and the maximum length of time that a
password remains valid for an entire domain.
Assign logon and logoff scripts to the user accounts in each organizational unit.
Specify which applications are available to users when they log on.
4.7 DOMAIN SECURITY POLICY
In Microsoft Windows NT Server 4.0, the concept of the Domain Security
Policy referred to an associated group of items considered critical to the secure
configuration of a domain. These included:
User Password or Account Policy to control how passwords are used by user
accounts.
Audit Policy to control what types of events are recorded in the security log.
User Rights are applied to groups or users, and affect the activities permitted on
an individual workstation, a member server, or on all domain controllers in a
domain.
In Windows 2000, Microsoft has re-configured these components into one
consistent hierarchy or tool, the Security Settings snap-in in the Group Policy Editor.
This may be useful if you want to know the proper group policy object to change.
Account Policies
Password Policy
Account Lockout Policy
Kerberos Policy
Local Policies
Audit Policy
User Rights Assignment
Security Options
1. Event Log
2. Restricted Groups
3. System Services
4. Registry
5. File System
6. IP Security Policies on Active Directory
7. Public Key Policies
Group Policy is administered through the use of Group Policy Objects, data
structures that are attached in a specific hierarchy to selected Active Directory Objects,
such as Sites, Domains, or Organizational Units. These GPOs, once created, are applied
in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with
the later policies taking precedence over the earlier applied policies. When a computer is joined
to a domain with the Active Directory and Group Policy implemented, a local Group
Policy Object is processed. Note that LGPO policy is processed even when the Block
Policy Inheritance option has been specified. Local Group Policy Objects are processed
first, and then domain policy. If a computer is participating in a domain and a conflict
occurs between domain and local computer policy, domain policy prevails. However, if a
computer is no longer participating in a domain, local Group Policy object is applied.
(Microsoft TechNet, Microsoft Corporation)
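The LSDOU order described above can be worked through in a short resolver. This is an added example, not Microsoft's code: the GPO names and setting keys are constructed, Block Policy Inheritance is modelled only for a single OU, and other Group Policy options are not modelled.

```python
from dataclasses import dataclass

# Processing order given in the text: Local, Site, Domain, OU (later wins).
ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GPO:
    name: str       # constructed display name
    level: str      # one of the ORDER keys
    settings: dict  # setting name -> value (constructed keys, not real policy IDs)


def effective_policy(gpos, in_domain=True, block_inheritance=False):
    """Resolve settings in LSDOU order.

    Returns (effective, overridden):
      effective  -- {setting: (value, name of the GPO that supplied it)}
      overridden -- [(setting, losing GPO, winning GPO)] for every conflict
    block_inheritance models the option set on the object's OU: site and
    domain GPOs are skipped, but the local GPO is still processed.
    """
    applied = []
    for gpo in sorted(gpos, key=lambda g: ORDER[g.level]):
        if gpo.level != "local" and not in_domain:
            continue  # outside a domain only the local GPO applies
        if block_inheritance and gpo.level in ("site", "domain"):
            continue  # blocked at the OU; the local GPO is never blocked
        applied.append(gpo)

    effective, overridden = {}, []
    for gpo in applied:
        for setting, value in gpo.settings.items():
            if setting in effective and effective[setting][0] != value:
                overridden.append((setting, effective[setting][1], gpo.name))
            effective[setting] = (value, gpo.name)
    return effective, overridden


# Constructed GPOs for one lab workstation, deliberately listed out of order.
SAMPLE_GPOS = [
    GPO("Lab OU Policy", "ou", {"HideControlPanel": True}),
    GPO("Local GPO", "local",
        {"ScreenSaverTimeout": 0, "AuditLogonEvents": "none"}),
    GPO("Default Domain Policy", "domain",
        {"ScreenSaverTimeout": 600, "AuditLogonEvents": "failure"}),
    GPO("Campus Site Policy", "site", {"AuditLogonEvents": "success"}),
]

if __name__ == "__main__":
    cases = [("domain member", {}),
             ("OU blocks inheritance", {"block_inheritance": True}),
             ("not in a domain", {"in_domain": False})]
    for label, kwargs in cases:
        effective, overridden = effective_policy(SAMPLE_GPOS, **kwargs)
        print(label)
        for setting, (value, source) in sorted(effective.items()):
            print(f"  {setting} = {value!r}  (from {source})")
        for setting, loser, winner in overridden:
            print(f"  conflict on {setting}: {winner} overrides {loser}")
```

The conflict list is the part worth reading during a review: it shows which local or site setting a domain GPO silently replaced.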
4.8 GROUP POLICY
Group Policy is the central component of the Change and Configuration
Management features of the Microsoft Windows 2000 operating system. Group Policy
specifies settings for groups of users and of computers, including registry-based policy
settings, security settings, software installation, scripts (computer startup and shutdown,
and log on and log off), and folder redirection. A Restricted Group Policy allows you to
define who should and should not belong to a specific group.
When a template (or policy) that defines a restricted group is applied to a system,
the Security Configuration Tool Set adds members to the group and removes members
from the group to ensure that the actual group membership coincides with the settings
defined in the template (or policy).
In this procedure, you will define a restricted group policy for the Local
Administrators group in addition to the restricted group policy that is already defined for
the local Power Users group in Securews.inf. (Microsoft TechNet, Microsoft
Corporation)
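Because applying a restricted group both adds and removes members, it is worth previewing the changes before a template is applied. The sketch below is an added example, not part of the Security Configuration Tool Set: the template fragment follows the [Group Membership] layout of security templates as an assumption, and every group and account name in it is constructed.

```python
# Constructed security template fragment. Only the [Group Membership]
# section is read; group and account names are made up for the example.
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
; an empty member list means "this group must have no members"
Power Users__Memberof =
Power Users__Members =
Administrators__Memberof =
Administrators__Members = Administrator, SCHOOL\\Domain Admins
"""

# Constructed snapshot of the groups as they currently are on a workstation.
SAMPLE_ACTUAL = {
    "Administrators": ["Administrator", "labstudent07"],
    "Power Users": ["labstudent07", "instructor02"],
    "Backup Operators": ["instructor02"],  # not restricted, so left alone
}


def parse_restricted_groups(template_text):
    """Return {group: [members]} from the [Group Membership] section."""
    groups = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.lower().endswith("__members"):
            continue  # the __Memberof lines are not evaluated here
        group = key[: -len("__members")]
        groups[group] = [m.strip() for m in value.split(",") if m.strip()]
    return groups


def plan_enforcement(template_groups, actual_groups):
    """Return {group: {"add": [...], "remove": [...]}} for restricted groups.

    Account names are compared case-insensitively. Groups that the template
    does not mention are not part of the plan and would not be touched.
    """
    actual_by_key = {g.lower(): members for g, members in actual_groups.items()}
    plan = {}
    for group, wanted in template_groups.items():
        current = actual_by_key.get(group.lower(), [])
        wanted_keys = {m.lower() for m in wanted}
        current_keys = {m.lower() for m in current}
        plan[group] = {
            "add": [m for m in wanted if m.lower() not in current_keys],
            "remove": [m for m in current if m.lower() not in wanted_keys],
        }
    return plan


if __name__ == "__main__":
    plan = plan_enforcement(parse_restricted_groups(SAMPLE_TEMPLATE), SAMPLE_ACTUAL)
    for group, change in plan.items():
        print(group, "add:", change["add"], "remove:", change["remove"])
```

An empty member list in the template removes every current member of that group, so a dry run like this shows who would lose access before the template is applied.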
Group Policy and the Active Directory
In Windows 2000, administrators use Group Policy to enhance and control users'
desktops. To simplify the process, administrators can create a specific desktop
configuration that is applied to groups of users and computers. The Windows 2000
Active Directory™ service enables Group Policy. The policy information is stored in
Group Policy objects (GPOs), which are linked to selected Active Directory containers:
sites, domains, and organizational units (OUs). (Microsoft TechNet, Microsoft
Corporation)
A GPO can be used to filter objects based on security group membership, which
allows administrators to manage computers and users in either a centralized or a
decentralized manner. To do this, administrators can use filtering based on security groups
to define the scope of Group Policy management, so that Group Policy can be applied
centrally at the domain level, or in a decentralized manner at the OU level, and can then
be filtered again by security groups.
Administrators can use security groups in Group Policy to:
Filter the scope of a GPO. This defines which groups of users and computers a
GPO affects.
Delegate control of a GPO. There are two aspects to managing and delegating
Group Policy: managing the group policy links and managing who can create and
edit GPOs.
Administrators use the Group Policy Microsoft Management Console (MMC)
snap-in to manage policy settings. Group Policy includes various features for managing
these policy settings. In addition, third parties can extend Group Policy to host other
policy settings. The data generated by Group Policy is stored in a Group Policy object
(GPO), which is replicated in all domain controllers within a single domain. (Microsoft
TechNet, Microsoft Corporation)
The Group Policy snap-in includes several MMC snap-in extensions, which
constitute the main nodes in the Group Policy snap-in. The extensions are as follows:
Administrative templates. These include registry-based Group Policy, which
you use to mandate registry settings that govern the behavior and appearance of
the desktop, including the operating system components and applications.
Security settings. You use the Security Settings extension to set security options
for computers and users within the scope of a Group Policy object. You can
define local computer, domain, and network security settings.
Software installation. You can use the Software Installation snap-in to centrally
manage software in your organization. You can assign and publish software to
users and assign software to computers.
Scripts. You can use scripts to automate computer startup and shutdown and user
logon and logoff. You can use any language supported by Windows Script Host.
These include the Microsoft Visual Basic® development system, Scripting
Edition (VBScript); JavaScript; PERL; and MS-DOS®-style batch files (.bat
and .cmd).
Remote Installation Services. You use Remote Installation Services (RIS) to
control the behavior of the Remote Operating System Installation feature as
displayed to client computers.
Internet Explorer maintenance. You use Internet Explorer Maintenance to
manage and customize Microsoft® Internet Explorer on Windows 2000-based
computers.
Folder redirection. You use Folder Redirection to redirect Windows 2000
special folders from their default user profile location to an alternate location on
the network. These special folders include My Documents, Application Data,
Desktop, and the Start Menu.
4.9 ANTIVIRUS
Antivirus software (or anti-virus) is computer software used to identify and
remove computer viruses, as well as many other types of harmful computer software,
collectively referred to as malware. While the first antivirus software was designed
exclusively to combat computer viruses, most modern antivirus software can protect
against a wide range of malware, including worms, rootkits, and Trojans. (Wikipedia.org)
Security
Antivirus programs can themselves pose a security risk, as they often run at the
'System' level of privileges and may hook the kernel. Both of these are necessary for
the software to do its job effectively; however, exploitation of the antivirus program itself
could lead to privilege escalation and create a severe security threat. Arguably, use of
antivirus software, when compared to the principle of least privilege, is largely ineffective
when ramifications of the added software are taken into account.
When purchasing antivirus software, the agreement may include a clause that the
subscription will be automatically renewed, and the purchaser's credit card automatically
billed, at the renewal time without explicit approval.
For example, McAfee requires one to unsubscribe at least 60 days before the
expiration of the present subscription.[6] Norton Antivirus also renews subscriptions
automatically by default. (Wikipedia.org)
Effectiveness
Studies in December 2007 have shown that the effectiveness of Antivirus
software is much reduced from what it was a few years ago, particularly against unknown
or zero day threats. The German computer magazine c't found that detection rates for
these threats had dropped to a frightening 20% to 30%, as compared to 40% to 50% only
one year earlier. At that time only one product managed a detection rate above 50%.[12]
The problem is magnified by the changing intent of virus authors. Some years ago
it was obvious when a virus infection was present. The viruses of the day, written by
amateurs, exhibited destructive behavior or pop-up screen messages.
Modern viruses are often written by professionals, financed by criminal
organizations.[13] It is not in their interests to make their viruses or crimeware evident,
because their purpose is to create botnets or steal information for as long as possible
without the user realizing this; consequently, they are often well-hidden. If an infected
user has a less-than-effective antivirus product that says the computer is clean, then the
virus may go undetected.
Traditional antivirus software solutions run virus scanners on
schedule or on demand, and some run scans in real time. If a virus or other malware is located, the
suspect file is usually placed into quarantine to terminate its chances of disrupting the
system. Traditional antivirus solutions scan and compare against a publicized and
regularly updated dictionary of malware otherwise known as a blacklist.
Some antivirus solutions have additional options that employ a heuristic engine
which further examines the file to see if it is behaving in a similar manner to previous
examples of malware. A new technology utilised by a few antivirus solutions is
whitelisting; this technology first checks if the file is trusted and only questions those
that are not.[14] With the addition of wisdom of crowds, antivirus solutions back up other
antivirus techniques by harnessing the intelligence and advice of a community of trusted
users to protect each other. By providing these multiple layers of malware protection and
combining them with other security software it is possible to have more effective
protection from the latest zero day attack and the latest crimeware than previously was
the case with just one layer of protection. (Wikipedia.org)
4.10 DISABLING SOME OPERATING SYSTEM SERVICES
As pointed out by Chad Perrin in his article on the Tech Republic website, in point
number four of the article 10 security tips for all general-purpose OSes, an important
step in the process of securing your system is to shut down unnecessary services. As long
as Microsoft Windows has been a network capable operating system, it has come with
quite a few services turned on by default, and it is a good idea for the security conscious
user of Microsoft’s flagship product to shut down any of these that he or she isn’t using.
Each version of MS Windows provides different services, of course, so any list of
services to disable for security purposes will be at least somewhat particular to a given
version of Microsoft Windows.
As such, a list like this one needs to be identified with a specific Microsoft
Windows version, though it can still serve as a guide for the knowledgeable MS
Windows user to check out the running services on other versions as well.
If you are running Microsoft Windows XP on your desktop system, consider
turning off the following services. You may be surprised by what is running without your
knowledge.
Operating System Services
IIS – Microsoft’s Internet Information Services provide the capabilities of a Web
server for your computer.
NetMeeting Remote Desktop Sharing – NetMeeting is primarily a VoIP and
videoconferencing client for Microsoft Windows, but this service in particular is
necessary for remote desktop access.
Remote Desktop Help Session Manager – This service is used by the Remote
Assistance feature that you can use to allow others remote access to the system to
help you troubleshoot problems.
Remote Registry – The capabilities provided by the Remote Registry service are
frightening to consider from a security perspective. They allow remote users (in
theory, only under controlled circumstances) to edit the Windows Registry.
Routing and Remote Access – This service bundles a number of capabilities
together, capabilities that most system administrators would probably agree
should be provided separately. It is rare that any of them should be necessary for a
typical desktop system such as Microsoft Windows XP, however, so they can all
conveniently be turned off as a single service. Routing and Remote Access
provides the ability to use the system as a router and NAT device, as a dialup
access gateway, and a VPN server.
Simple File Sharing – When a computer is not a part of a Microsoft Windows
Domain, it is assumed by the default settings that any and all file system shares
are meant to be universally accessible. In the real world, however, we should only
want to provide shares to very specific, authorized users. As such, Simple File
Sharing, which only provides blanket access to shares without exceptions, is not
what we want to use for sharing file system resources. It is active by default on
both MS Windows XP Professional and MS Windows XP Home editions.
Unfortunately, this cannot be disabled on MS Windows XP Home. On MS
Windows XP Professional, however, you can disable it by opening My Computer
-> Tools -> Folder Options, clicking the View tab, and unchecking the Use simple
file sharing (Recommended) checkbox in the Advanced settings: pane.
SSDP Discovery Service – This service is used to discover UPnP devices on your
network, and is required for the Universal Plug and Play Device Host service (see
below) to operate.
Telnet – The Telnet service is a very old mechanism for providing remote access
to a computer, most commonly known from its use in the bad ol’ days of security
for remote command shell access on Unix servers. These days, using Telnet to
remotely manage a Unix system may be grounds for firing, where an encrypted
protocol such as SSH should be used instead.
Universal Plug and Play Device Host – Once you have your “Plug and Play”
devices installed on your system, it is often the case that you will not need this
service again.
Windows Messenger Service – Listed in the Services window under the name
Messenger, the Windows Messenger Service provides “net send” and “Alerter”
functionality. It is unrelated to the Windows Messenger instant messaging client,
and is not necessary to use the Windows Messenger IM network.
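To check a workstation against the list above, the service inventory can be compared with it automatically. This is an added example, not from the cited article: it assumes the inventory was exported with `wmic service get Name,StartMode,State /format:csv`, the sample rows are constructed, and the service key names are the ones these services carry on Windows XP as far as known here, to be confirmed on the target with `sc getkeyname`.

```python
import csv
import io

# Service key names for the services listed in the text (assumption: confirm
# each on the target with `sc getkeyname "<display name>"`).
# Simple File Sharing is a folder option, not a service, so it is not listed.
UNNEEDED = {
    "W3SVC": "IIS (World Wide Web Publishing)",
    "IISADMIN": "IIS (IIS Admin)",
    "mnmsrvc": "NetMeeting Remote Desktop Sharing",
    "RDSessMgr": "Remote Desktop Help Session Manager",
    "RemoteRegistry": "Remote Registry",
    "RemoteAccess": "Routing and Remote Access",
    "SSDPSRV": "SSDP Discovery Service",
    "TlntSvr": "Telnet",
    "upnphost": "Universal Plug and Play Device Host",
    "Messenger": "Windows Messenger Service",
}

# Constructed inventory in the CSV layout that wmic produces.
SAMPLE_CSV = """\

Node,Name,StartMode,State
LAB-PC01,Dhcp,Auto,Running
LAB-PC01,RemoteRegistry,Auto,Running
LAB-PC01,TlntSvr,Disabled,Stopped
LAB-PC01,SSDPSRV,Manual,Running
LAB-PC01,Messenger,Manual,Stopped
"""


def audit_services(csv_text):
    """Return one finding per listed service that is running or can start.

    Each finding carries the sc.exe commands that would disable (and, if
    needed, stop) the service; nothing is executed by this function.
    """
    known = {name.lower(): name for name in UNNEEDED}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        key = known.get((row.get("Name") or "").strip().lower())
        if key is None:
            continue  # not on the list, e.g. Dhcp
        mode = (row.get("StartMode") or "").strip()
        state = (row.get("State") or "").strip()
        disabled = mode.lower() == "disabled"
        running = state.lower() == "running"
        if disabled and not running:
            continue  # already hardened
        fix = []
        if not disabled:
            fix.append(f"sc config {key} start= disabled")  # space after '=' is required
        if running:
            fix.append(f"sc stop {key}")
        findings.append({
            "host": (row.get("Node") or "").strip(),
            "service": key,
            "description": UNNEEDED[key],
            "start_mode": mode,
            "state": state,
            "fix": fix,
        })
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_CSV):
        print(f"{f['host']}: {f['description']} [{f['service']}] "
              f"is {f['state']}, start mode {f['start_mode']}")
        for command in f["fix"]:
            print("   ", command)
```

Disable SSDP Discovery and Universal Plug and Play Device Host together, since the text notes the second depends on the first.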
4.11 DEEP FREEZE
Faronics Deep Freeze helps eliminate workstation damage and downtime by
making computer configurations indestructible. Once Deep Freeze is installed on a
workstation, any changes made to the computer—regardless of whether they are
accidental or malicious—are never permanent. Deep Freeze provides immediate
immunity from many of the problems that plague computers today—inevitable
configuration drift, accidental system misconfiguration, malicious software activity, and
incidental system degradation. Deep Freeze ensures computers are absolutely bulletproof,
even when users have full access to system software and settings. Users get to enjoy a
pristine and unrestricted computing experience, while IT personnel are freed from tedious
helpdesk requests, constant system maintenance, and continuous configuration drift.
(www.faronics.com)
CHAPTER 5 SUMMARY, CONCLUSIONS, AND RECOMMENDATIONS
5.1 SUMMARY
The study conducted by the researchers is an in-depth research, experimentation,
testing and implementation of basic security configuration procedures that are available
for Windows 2000 Server. The security concept is based on Windows 2000 Server’s
Active Directory, Group Policy snap-in and Domain Security Policy, with the protection
of the antivirus software “Avast 4.8 Server and Home Edition” and Deep Freeze software.
The researchers will initiate methods and procedures that are already available for security
implementation. Creation of organization units, groups and user accounts will be done for
domain access to network resources. Server security, particularly network drive security, will
be implemented through the use of the Group Policy snap-in for Active Directory Users and
Computers, Domain Security Policy and installation of the antivirus software Avast. Security
for workstations will be done by disabling some operating system services, applying domain-based
Group Policy, and installing the antivirus software Avast and Deep Freeze software.
5.2 CONCLUSION
Group Policy has been an effective tool for providing unified permissions and
privileges for users, organization units, groups and computers. It is convenient in the
sense that Group Policy snap-in configuration is done on only one computer system, the
server (Domain Controller). You create the necessary organization units, groups and
users, then open the snap-in and configure a new Group Policy object. All access privileges are
filtered through this Group Policy configuration. Efficiency is the word that best describes
Group Policy. Domain security supports Group Policy by providing added policy to
the entire domain. Although efficient and easy to apply, it cannot fully secure the
server against viral intrusion and malicious code infection. This is why the strength of
antivirus software such as Avast is needed. Antivirus software is a preventive solution
against such intrusion, for it can detect and prevent unwanted software intrusion provided
the software is constantly updated. Another effective supporting solution for this problem is
providing workstation security. The Group Policy snap-in on the server can enhance security,
for it can restrict the access and privileges of users, narrowing potential harm to any network
resource. Further enhancement can be done by restricting workstation services and installing
security software such as Deep Freeze. This minimizes unwanted configuration and
software installation by restoring the workstation to the initial state it was in when it was frozen. In all, the
procedures implemented in this proposed project are efficient and effective for
minimal local area network security needs.
5.3 RECOMMENDATION
For the school that is the focus of the experiment, we strongly recommend the creation of a
domain server with an existing and secured network drive as a unified storage location.
This will increase automation for instructors and students in accessing and saving files.
With the added security, confidentiality of files will be enhanced. Instructors and school
admin personnel would only have to log in to any workstation connected to the domain to
access network resources anywhere within the Local Area Network. Another thing is to
assess workstation security. The school uses protective software, but with poor
administration it becomes useless. Before installing such software, a thorough system
cleanup and an assessment of system services should be done for workstation security. And
lastly, appropriate network administration and management should be done for thorough
manifestation of this security concept.
Bibliography
Matt Curtin. March 1997. Introduction to Network Security. Reprinted with the permission of Kent Information Services, Inc. PDF Script
Office of the CIO, University at Albany. Security Threats, Types of Threats
Brian Floyd, member of IEEE, SCTE. PDF script. Changing the Face of Network Security Threat
Chad Perrin. IT Security blog post "10 services to turn off in MS Windows XP"
Microsoft TechNet, Microsoft Corporation. Step-by-Step Guide to Using the Security Configuration Tool Set
Subject Matter Expert, CramSession.com. PDF script. Server 2003 Network Security Administration Study Guide
John Wait et al. 2000. OSI reference model and layered communication. CISCO CCNA exam #640-507 Guide. P. 68
S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.
John Wait et al. 2000. The OSI, TCP/IP and Netware protocol Architectures. CISCO CCNA exam #640-507 Guide. P. 74
Don Parker. Oct 5 2006. The Routing Protocols. Articles and tutorials: Network protocol
John Wait et al. 2000. OSI Transport Layer Functions. CISCO CCNA exam #640-507 Guide. P. 87
Ekhaml, Leticia. 2001. Protecting yourself from internet risks, threats, and crime. Journal of Educational Media and Library Sciences 39, no. 1: 8-14.
John Wait et al. 2000. OSI Data Link Layer Functions. CISCO CCNA exam #640-507 Guide. P. 94
Kanabar, Dina and Vijay Kanabar. 2003. A quick guide to basic network security terms. Computers in Libraries 23, no. 5: 24-25.
John Wait et al. 2000. OSI Network Layer Functions. CISCO CCNA exam #640-507 Guide. P. 103
Omar Santos. June 26, 2008. Identifying and classifying Network Security Threats. CISCO Press.
Derek Melber. June 26, 2008. Understanding Windows Security Templates. Articles: Misc. Network Security.
SpeedStream™ Router Family. November 2000. Command Line Interface Guide PDF Script. Efficient Networks®
“Windows 2000 Firewalling”. From an anonymous author. June 15, 2007. http://homepages.wmich.edu/~mchugha/w2kfirewall.htm
APPENDIX A
DISK PARTITION
After assessing the network needs for file storage, partitioning can be executed by the
following procedure:
1. Click the START menu, then click SETTINGS and then CONTROL PANEL.
2. Under CONTROL PANEL, click ADMINISTRATIVE TOOLS and then click
COMPUTER MANAGEMENT.
3. Under COMPUTER MANAGEMENT, click DISK MANAGEMENT.
4. Right-click the drive intended for partitioning, then select and click CREATE PARTITION.
Figure 1: Selecting drives
Figure 2: Partition Wizard
Figure 3: Partition Selection
Figure 4: Specify space
Figure 5: Drive letter assignment
Figure 6: File system
Figure 7: Finishing wizard
Figure 8: Creating logical drive
Figure 9: Partition selection
APPENDIX B
ACTIVE DIRECTORY USER AND COMPUTERS
Figure 10: Creating organization units
Figure 11: Naming organization
Figure 12: Creating groups
Figure 13: Naming group and scope/type
Figure 14: Creating user account for domain access
Figure 15: Naming account users
Figure 16: Configuring user properties
Figure 17: User properties
Figure 18: Group membership
Figure 19: Account logon configuration
Figure 20: Assigning user and folder path
APPENDIX C
ENABLING DISK QUOTA
On the desktop, double-click My Computer to view the Network Drive.
Figure 21: Selecting drive for enabling quota
Figure 22: Quota management
Figure 23: Adding new quota entries
Figure 24: Selecting user for quota entries
Figure 25: Enabling disk space limit
Figure 26: Input specified space limit
Figure 27: Limit disk space usage
Figure 28: Quota entries
Figure 29: Full disk quota limit
Figure 30: Executed quota
APPENDIX D
GROUP POLICY SNAP-IN FOR ACTIVE DIRECTORY USER AND COMPUTERS
Figure 31: Select group/user/organization for Group Policy snap-in
Figure 32: Create new object
Figure 33: Selecting policies
Figure 34: Account policy
Figure 35: Password policy
Figure 36: Local Policy
Figure 37: User rights assignment
Figure 38: Selecting restriction on Security Option
Figure 39: Selecting and defining policy of System Services
Figure 40: Redirection of folder location
Figure 41: Security setting
APPENDIX E
DOMAIN SECURITY POLICY
Figure 42: Password policy
Figure 43: Defining user rights
Figure 44: Defining and selecting System Service
Figure 45: Defining policy on Security Option