Apply Your Knowledge
Exercises
1.1. Evaluating Windows 2000 Security Configuration Settings
Part of evaluating the security of an operating system is determining its security configuration settings. In these projects, you use the Windows 2000 administration tools and utilities to see how security has been implemented for an installed printer, the Windows 2000 system folder (%systemroot%system32), and the Registry. For these projects, you need access to a computer running Windows 2000 and Administrator rights.
Estimated Time: 30 minutes
1. | Click Start, point to Settings, and then click Printers. |
2. | Right-click a printer and click Properties. |
3. | In the printer's Properties dialog box, click the Security tab. The users and groups, and respective permissions to the printer, are displayed as shown in Figure 1.7. For a printer, the available permissions are Print, Manage Printers, and Manage Documents. Figure 1.7. Combination of security level and system access.
|
4. | Click the Administrator user and note the permissions. |
5. | Click the Everyone user and note the permissions. Note the Administrator is allowed to print and manage printer documents. The Everyone group is allowed only to print. |
6. | Click the Advanced button. As shown in Figure 1.8, the list displays the current permission entries for the object, including the users and groups who have permissions, a description of the permissions, and how they are applied. Figure 1.8. Permissions in Access Control Settings dialog box.
|
1.2. Evaluating Windows System Folders Configuration Settings
One of the critical folders in a Windows 2000 system is the %systemroot%system32 folder. This folder contains the core Windows operating system files, as well as subfolders that contain sensitive information such as the Registry hives. If these folders and files are not protected, an attacker can gain access and compromise the system. The purpose of this project is to demonstrate the access control list on these folders and how to change them.
Estimated Time: 30 minutes
1. | Double-click the My Computer icon on your desktop. |
2. | Determine the location of the Windows files by looking at the system environment variables. Click Start, point to Settings, click Control Panel, double-click System, click the Advanced tab, and then click the Environment Variables button. The variable is named windir and is listed in the lower-left section of the Environment Variables dialog box, as shown in Figure 1.9. Figure 1.9. Environment Variables dialog box.
|
3. | In the My Computer window, double-click the drive that contains the Windows operating system files. |
4. | Double-click the folder that contains the root directory for the Windows operating system files. If the folder is empty except for a statement that says you should not view system files, click Show Files. |
5. | Right-click the system32 folder, and then click Properties. |
6. | In the system32 Properties dialog box, click the Security tab. The users and groups and respective permissions to the system32 folder, are displayed as shown in Figure 1.10. Figure 1.10. Windows folder system32 Properties dialog box.
|
7. | If necessary, click the Administrators group and note the permissions. |
8. | Click the Everyone group and note the permissions. |
1.3. Evaluating Windows Registry Configuration Settings
The Windows Registry is a collection of hives that contain the configuration settings for the Windows environment, machine settings, and security setting information. If these hives are not protected, an attacker can gain access and compromise the system. In this project, you view the access control list on these hives.
Estimated Time: 30 minutes
1. | |
2. | Click the title bar of the HKEY_LOCAL_MACHINE on the Local Machine window to make it active. |
3. | Click Security on the menu bar, and then click Permissions. If a window appears stating that you have view permission only, click OK. The Permissions for HKEY_LOCAL_MACHINE dialog box opens and shows the current permissions for HARDWARE. The users and groups, and respective permissions to the object, are displayed as shown in Figure 1.11. Figure 1.11. Permissions for the HKEY_LOCAL_MACHINE dialog box.
|
4. | Click the Administrators group, if necessary, and note the permissions. |
5. | Click the Everyone group and note the permissions. Notice that the Administrators group has Read and Full Control permissions, whereas the Everyone group only has Read. The disabled check box means that you cannot change the setting by clicking it. |
Review Questions
| 1: | What are some of the classic methods used for user authentication? |
| 2: | What is the basic goal of having a business continuity plan? |
| 3: | Explain the concept of data confidentiality as it applies to the goals of information security. |
| 4: | What is the definition of access controls? |
| 5: | What is a denial-of-service attack? |
Exam Questions
| 1: | An attack in which a server is disrupted from performing its normal operations is called ______________.
|
| 2: | Which one of the following is not one of the three critical concepts of information security?
|
| 3: | The technology used to convert a confidential document to an unreadable format, suitable for safe transmission across a network, is called___________.
|
| 4: | Which one of the following key concepts is most impacted by a Web site defacement?
|
| 5: | From what source do the majority of information security attacks originate?
|
| 6: | What are the three objectives of information security?
|
| 7: | What is most affected by a Denial-of-Service attack?
|
| 8: | What is the first step in the risk assessment process?
|
| 9: | What type of security policy addresses employee use of applications such as Napster?
|
| 10: | What type of security policy often states that all employee emails are company property?
|
| 11: | The most effective method of achieving data confidentiality is by using ___________.
|
| 12: | What type of security mechanism determines who may utilize system resources?
|
| 13: | The process of identifying a company's assets, then determining their value and importance to the organization, is called ___________.
|
| 14: | What security tool helps minimize the impact of a disaster on an organization?
|
| 15: | The key to an effective security infrastructure is:
|
Answers to Review Questions
| A1: | The classic methods include username/password combinations, biometric devices, smart cards, and physical keys. See the section “Identifying the Elements of Security.” |
| A2: | The basic goal of a business continuity plan is to document the steps and procedures that could be followed in the event of a disaster. See the section “Identifying the Elements of Security.” |
| A3: | Data confidentiality implies that only the intended recipient should be able to read the data. For instance, the use of encryption can be used to encrypt the data before sending it over the Internet, and only the intended recipient (with the correct decryption key) can unencrypt the data. See the section “Placing Value on Your Assets.” |
| A4: | Access controls are the mechanisms, controls, and methods of limiting access to resources to authorized subjects. See the section “Controlling Access to Data.” |
| A5: | A denial of service is typically one machine trying to prevent another machine from performing its duties. See the section “The Motivation Behind These Attacks.” |
Answers to Exam Questions
| A1: | B. A Denial-of-Service attack prevents the server from performing its operations. IP spoofing is the technique used by hackers to pretend to be someone else by using their IP address. DNS poisoning is where the DNS cache is altered with bogus information. A Trojan horse is a program that seems legitimate, but instead has a malicious intent. See the section “Placing Value on Your Assets.” |
| A2: | D. The three critical points of information security are data availability, data integrity, and data confidentiality. See “Data Protection” in this chapter for more details. |
| A3: | B. Encryption is the technique of taking readable information and converting it to something unreadable. See the section “Identifying the Elements of Security.” |
| A4: | A. Web-site defacements are attacks against data integrity. See the section “Data Protection.” |
| A5: | C. According to a recent Department of Defense report, insiders are responsible for approximately 87% of all information security attacks. See the section “Where Attacks Can Come From” for more details. |
| A6: | C. These are the main goals of information security. See the section “Placing Value on Your Assets.” |
| A7: | B. A Denial-of-Service attack affects the availability of the system. See the section “Placing Value on Your Assets.” |
| A8: | B. The first step in the risk assessment process is to identify all the assets, including computer hardware, data, backup tapes, and network resources that require protection. |
| A9: | C. The software policy covers downloading and/or installing third-party software such as Napster. See the “Identifying the Elements of Security” section of this chapter for further details. |
| A10: | D. Privacy policies often state that employee email is not private and that all email communications are owned by the company. See the “Identifying the Elements of Security” section for further details. |
| A11: | B. Encryption is used to protect the confidentiality of the data. The other answers are incorrect. See the section “Identifying the Elements of Security.” |
| A12: | A. Access controls determine who may access system resources. This is covered in the “Identifying the Elements of Security” section of this chapter. |
| A13: | A. Risk assessment is used to identify, assess, and reduce the risk to an acceptable level. See the section “Assessing and Valuing Security Assets.” |
| A14: | B. The business continuity plan helps minimize the impact of a disaster on an organization while the disaster recovery plan helps “pick up the pieces.” See the section “Identifying the Elements of Security.” |
| A15: | D. The foundation of a solid security infrastructure starts with the security policy. See the section “Identifying the Elements of Security.” |
Suggested Readings and Resources
1. Waldow, Thomas A. The Process of Network Security. Addison-Wesley. 2000
2. Hutt, Arthur . Computer Security Handbook. 3rd Edition. Wiley. 1995
3. Russell, Deborah . Computer Security Basics. O'Reilly. 1991