Ama Computer Learning Center Mabalacat Branch

AMA Computer Learning Center Mabalacat Branch 2/F Dau Mart II McArthur Hi-way, Dau Mabalacat Pampanga

Securing Network Drives and Client Computers in a School Local Area Network

In partial fulfillment of requirement for NAT-700 Special Project on Network Telecommunications and Technology

Submitted by: Group # 4 Merwyn R. Navarro Ariel M. Comon Aljon M. Pelagio Junrey P. Mole Jonathan S. Meneses Kcee E. Antonio

Submitted to: Mr. Adelaido I. Bacani Jr. Thesis Adviser

I Acknowledgement We would like to extend our sincere appreciation to all our parents and love ones for their undying support on the completion of this thesis, our instructors for the knowledge that they had impart us, our colleagues in school who in some way made an influence to us to carry out this thesis project. Also thank you to our alma mater, ACLC Mabalacat Branch on giving us the opportunity of executing what we learned. NTT-4c Group Four would like to show our honest gratitude and thanks to Microsoft TechNet, Wikipedia, CramSession, Tech-faq.com, CISCO, University of Albany, How2Pass.com and other websites for the study guides and references being used in this project.

And most of all, to our almighty GOD who is deserves all the credit, thanks and praise.

1

II Abstract As we went on our daily school life to learn, we’ve notice how important computer networks are especially in the field information technology. It can greatly affect everyone’s productivity and efficiency in knowledge acquisition. It can either speed up work automation or make it sluggish. So, it is necessary that people should give importance to its security. Data and information is in constant attack in all mean possible through known and developing technology. Every organization that uses network for automation uses file storage accompany with a unique security concept. In school, constant usage of network resources is done on a daily basis. Every student and instructors comprise their own data inside the school network. But data being processes within the network is being compromises because of security lapse. No storage facility for important file for either student or instructors. Security is in breach the moment a user logs into a workstation.

In simple terms, there is no security

manifestation. Security is defined as a condition of being protected against any danger, threat, damage, or hazard. Enabling the network to prevent and detect unauthorized use of any computer and its resource within it. Security involves concepts, management and administration. Administering security involves set-up and configuration of resources based on organizational needs. Concepts are the “authentication” created and given to a user. This involves the creation of username and password for individual clients. Firewalls that can filter on what services that will be allowed to be accessed by the network user. 2

An Intrusion Prevention System (IPS) that can detect and prevent malicious and unwanted software. IPS also monitors for suspicious network traffic for contents, volume and anomalies to protect the network from attacks such as denial of service. Management in the other hand is the maintenance of software and hardware to prevent malicious attacks from hacking and spamming. This is the installation of antivirus software that can monitor and prevent unwanted software intrusion in a given network. The final outcome of this research is a security evaluation on network drives and client computers within a school local area network that is practical enough to be used in real applications with acceptable results, without having to be an expert in the security arena. The concept is base on Microsoft Windows 2000 Server operating system and DeepFreeze software which are available and existing on the subject for experimentation. It is built upon concepts drawn from computer information technology professional and leaders in the industry, and empirically tested.

3

CHAPTER 1 INTRODUCTION 1.1 BACKGROUND This written hypothesis is concern in security evaluation for network drives and client computers in a school local area network. The school (AMA Computer Learning Center Mabalacat Branch) in focus for this study has an existing network for each computer laboratory. The school has a total of three networked computer laboratory. Each workstation is installed with Windows XP Professional SP2 and connected together as a workgroup. Students are restricted on using external removal storage such as flashdrive and memory stick to prevent infection from unwanted software. Every laboratory session, student are being monitored by a laboratory facilitate. After finishing machine problem on each workstation, students are being instructed “not” to shut down their computer unless their work had been check. This is because there is no available storage location for them to save their files. There are no network media storage to transfer and store important data. Another reason is because each computer is in “freeze mode.” Each computer returns back to its initial state when it was freeze upon restart or shut down. No files of any sort can be save because it erases all and what only left are the components before the computer was frozen. Although freezing has been proven effective to prevent infection and intrusion, malicious and unwanted software are still in present and existing on each network. As for the instructors respectably, manual encoding of files for both academic and professional purposes is done either on a standalone computer located at the faculty or even inside the computer laboratory. 4

Like the students, files cannot be saved but instead they use external removable storages to safe keep their files from both corruption and deletion form the computersbeing used in school. Same situation applies for every school admin personnel, they can save files to a standalone computer at Admin Office but it is mandatory for them to save an external memory backup for every data processed in school. Data and files are in constant vulnerability due to poor security manifestation of computers.

5

1.2 PROBLEM STATEMENT Although every network is being monitored personally by the assigned Laboratory Facilitators, security is still at risk when it comes to data storage and computer usage. . There are no restrictions on network usage. There are no user policies that can denote different user rights making everyone a user with administrative power. Malicious codes and programs are spread out in the entire network due to lack of antivirus and constant plug-in of removable storage and other external devices without proper supervision. Computer operating services components are all accessible without any permission and restriction. Though each workstation has been “freeze” to retain its state and to prevent virus infection, malicious and other threat causing software are still present within the network. There is no Antivirus software installed on computers to prevent further damage that may result to data loss and computer hardware malfunction. Files and folder that are being made have no storage location. There are no existing media storage to save important school documents, student files, instructor’s class records and etc. And if a file can be save on a computer, there is no assurance that data secured or file location is well secured. Although a Server is currently being utilize within the laboratory, it was not been use for network domain purposes but instead a standalone server model only.

6

1.3 OBJECTIVE GENERAL OBJECTIVE The main objective of this project is to evaluate the needs of a network in terms of its workstations and network drive security. Formulate a security concept for both network drive and workstation. And that these concepts may be applied to examine its effectiveness. The insights gained from the project would form a set of guidelines for designing secure workstation and storage location. This project was chosen to address the need for a secured storage facility intended for school use.

SPECIFIC OBJECTIVE 1.) To create network drives in an existing Windows 2000 Server network domain. 2.) Secure network drives from unwanted and over flooding of data. 3.) To create different user profile based on individual school personnel data. 4.) To create different user levels with permissions and policy. 5.) Secure the server and client with the use of Antivirus software. 6.) Secure member workstation with the use of existing software and services that are already available.

7

1.4 ASSUMPTIONS This study is conducted based on the following assumptions: 1.) That the Computer Laboratory Facilitator and School Administrative Personnel will use the proposed project. 2.) That school has no appropriate file and data storage. 3.) That every workstation has poor security manifestation

1.5 HYPOTHESIS OF THE STUDY The proposed project will greatly improve security for individual workstation and network drives. Primarily, this study has the following hypothesis: 1.) User profiles were created based on names, year and section, position and designation. 2.) It is irritating and time consuming every time you want to use a computer you have to worry about viruses and where to store your files. 3.) The proposed project is the best solution for secured data storage and workstation usage.

8

1.6 SCOPE AND DELIMITATIONS In general, the focus of this study is directed towards the evaluation and development of a secured network drive and workstation. About three small to medium sized Computer Laboratory are in existence in which each is network separately. There is a single computer installed with Windows 2000 Server but it is only a standalone computer used for experimentation. Every workstation is already equip and installed with security software name “DeepFreeze.” The study is largely dependent on the following: •

Avast Antivirus software

•

DeepFreeze software

•

Network drive

•

Active Directory Users and Computers

•

Workstation security

•

Domain security policy 1.) Account and Local policy 2.) System Services

•

File system

•

Group Policy snap-in

9

In this proposed project, records and files are stored in a secured network drive located at an existing Windows 2000 Server computer. User account will be created on the server’s “Active Directory Users and Computers”. Each User will have the ability to log on with a unique level of permission and restrictions to local computers connected to the server. However, the proponents are limited only to a local area network. No internet access. No firewalls involve. Although Windows 2000 Server software was used in this study, only basic understandings were implied due to the broadness that it might offer to the topic. Aside from DeepFreeze software and Windows 2000 Server which is already available and being used in school, a free version of Avast Antivirus software for both server and client where installed. No other softwares aside from that mention previously were involved in the course of this study. The system has a secure log-in for students, instructors and school staff. The study made for this project has been narrow down because of lack of enough time to complete further in-depth analysis.

10

1.7 SIGNIFICANCE OF THE STUDY Social: In this study, the proposed project will inspire students to develop more enhance method and concept for network security. Technological: The proposed project will introduced better efficiency in securing data and workstations under an existing Local Area Network. The result of this study is beneficial to the following: Student: The proposed project will give each student a place where they can store their school works and file without compromising data integrity. Instructors: The proposed project will give automation in checking student laboratory work by logging in on any workstation and accessing a single storage location. Aside from that, each will be authenticated access to given folders within a network drive for file storage. School Admin Personnel: The proposed project will minimize network management in the sense that only the Server will be the focus for administration and maintenance to retain data integrity. Another is that a drive will be assigned for school administrative purposes and only school administrator can access it. Researchers: The researchers have developed their writing, analysis, and interpretation skills needed to make a good thesis. Future Researchers: This will benefit other researchers who wish to have similar studies as they can get background information from the result of this study which will serve as template to modify their research. 11

CHAPTER 2 REVIEW OF RELATED LITERATURE 2.1 RELATED LITERATURE This section presents both foreign and local related literatures relevant to the study. This relevance is shown by the proponents in order to give more reason and understanding of the proposition. Brian Floyd (member of IEEE, SCTE), PDF script “Changing the Face Of Network Security Threat”: “Security threats arise almost on a daily basis and an aware administrator needs to be able to respond quickly and appropriately” The author of this PDF script states that threats within networks almost occur daily and that a particular network managed by an administrator must have any sort of countermeasure

Chad Perrin’s article post "10 services to turn off in MS Windows XP" on Tech Republic website: “An important step in the process of securing your system is to shut down unnecessary services.” The author of the article state that as long as Microsoft Windows has been a network capable operating system, it has come with quite a few services turned on by default, and it is a good idea for the security conscious user of Microsoft’s flagship product to shut down any of these that he or she isn’t using. 12

This will enhance workstation security by disabling unwanted service within existing Windows operating system.

2.2 RELATED STUDIES This section presents other related studies by the people who conducted studies similar to the proponents that will also greatly help in the progress of the study. And it will also help the understanding of the proposition. This written manuscript was made in reflection of some thesis paper and literary documents made by some IT professionals like: 1. “Detecting Known Host Security Flaws over a Network Connection” by Martin Andersson of “School of Mathematics and Systems Engineering”, Växjö University for the “Faculty of Mathematics/Science/Technology”. 2. “Defining Information Security As a Policy” by Göran Pattersson last March 7, 2008 3. A Formal Approach to Practical Network Security Management by Sudhakar Govindavajhala,Ph.D. of Princeton University dated last 2006. 4. “Implementing Mandatory Network Security in a Policy-flexible System” by Ajaya Chitturi of “University of Utah, Department of Computer Science” last April and June of 1998.

13

5. “Evaluation of Security Risk Associated with Network Information System” by Baino Paul of “Royal Melbourne Institute of Technology, School Of Business Information Technology” for the Faculty of Business last 2001.

2.3 DEFINITION OF TERMS The definitions of terms are based on observable characteristics and how it is used in the study. Workstation. a particular computer or device user by client user within a workgroup or domain of a given Local Area Network. Server. Is a computer installed with latest software capable of managing, securing and monitor interconnected devices (such as computer, router and switches) Local Area Network (LAN). Is a simple system of interconnected computers and automated devices use within a particular organization like in school, office and small business establishment. Partition. A division created within a system hard disk to separate files and to maximize logical spaces. Format. Process of reinstalling operating software or erasing data for hard drive and storages. Security. a condition of being protected against any danger, threat, damage, or hazard. 14

Quota. Disk space being allocated for every user on a shared drive or storage location. Policy. This are the rights, permission and privileges given to each user on a domain network. Antivirus. A software being run on a operating system to prevent unwanted and damaging codes and viruses. Services. This are the system programs that runs upon start-up of a given operating system. Operating system. the main program/software that enables a device to run, thing and calculate and given task.

2.4 THEORETICAL FRAMEWORK These chapters consist of theories that have to bearing the problem, the conceptual framework and the operational framework. This study focuses on three major concepts; research, testing and implementation. Research is done in this study to see and discovers more but simple ways on securing local area network. The complexity of network security is so broad that in depth research is needed to fully understand each concept. Testing is a way of initiating some methods and concepts that may have importance to a study. This enables researches to know the effectiveness of methods and concepts. Lastly, implementation is the deployment of tested concept for practical use.

15

CHAPTER 3 METHODOLOGY 3.1 RESEARCH DESIGN The study will utilize both descriptive and causal research designs. The research problems and objectives posed at the beginning of the study will be answered through a descriptive research design. The design will focus on describing the experimental and application procedure as well as their perceptions towards having a secured network drive and workstation for a school local area network. A causal approach will be used to identify the factors that affect the users demand for a secured connection between network drive and workstations.

3.2 TIME AND PLACE OF THE STUDY This study was conducted mostly inside the school being focus for experimentation. The documentation and data gathering for this manuscript was made from March 7 to March 19 of the year 2009 due to major revision of the first study made by our group.

3.3 SOURCE OF DATA Data was mainly gathered through the use of internet and books pertaining to Network Security. Then it was narrowed down to the subject involving network drive and workstation security within a given local area network. Data was also collected upon testing of manuscript and guides for actual application to know the result needed for this study. 16

3.4 DATA GATHERING TOOLS These are the instruments or tools for gathering data in research used as basis for drawing conclusions or making inferences. Some of these tools are empirical observations, research and analysis used by the proponents as they conduct the proposed study. Observation. This technique is used when the researcher cannot secure adequate or valid data through the use of the questionnaire or some other technique. It is considered to be the most direct means of studying people in so far as their overt behavior is concerned. Observation of a current operating procedure is another data gathering tool seeing the system in action gives you additional perspective and better understanding of system procedures. Research. Research is simply, the systematic search for pertinent information on a specific topic or problem. It is systematic study or investigation or something for the purpose of answering questions posed by the researcher. It includes reviewing journals, periodicals, and books to obtain background information, technical material, and news about industry trends and developments. Analysis. Analysis is the process of breaking-up the whole study into its constituent parts of the categories according to the specific questions under the statement of the problem. This is to bring out into focus the essential feature of the study.

17

3.5 ANALYTICAL PROCEDURE/METHODS OF ANALYSIS At this point, the work of this proposed project will be tested to its fullest ability. This is the part where the researcher must be able to determine and explain the methods that will be used throughout the entire project. Applying security concepts and method is a tedious task not only for the network administrators but also for the simple laboratory facilitators, because they will decide on the type, scoop and level of security the implied in a network. At this juncture, the methods used in creating the security concept must be explained and defined. The following are some security concepts that are essential for securing data storage and workstation: Planning. This method designates a plan in which a proposed project identifies it goals and requirement before deciding for its implementation. Analysis. It can be considered as the most difficult phase because in this phase manuals, materials or information’s must first examine thoroughly before applying it for testing or experimentation. Design. This is a visualization of the outcome of a proposed project but then in implementing security, time, accuracy and focus is very essential because of broadness of each aspect in network security. You need enough space and time to design a security infrastructure based on different network requirement. It takes a long period of time to ensure efficiency, reliability, affectivity, integrity and manageability of networks. Testing. At this stage or phase, proposed project will be given to a panel of critics and end-users for testing. In this way, the researchers can determine the response of the user whether the proposed project will work or not. 18

Implementation. The objective of the implementation phase is to deliver a completely functioning and documented information system. This is the phase wherein the said project has already been documented and tested. Administration. Upon implementation, this is the phase where a network is being manage based on the concepts and strategies being gone through intensive examination.

19

CHAPTER 4 PRESENTATION AND INTERPRETATION OF DATA This chapter presents the data gathering of the study, interpretation of the results from the conducted research, testing and analysis of security concept used for this proposed project. Topics and subjects being presented in this chapter were based from existing manuscripts and guides already available in the World Wide Web. Selecting based on the scope of this project was crucial because of the complexity of every aspect in network security.

4.1 ASSESSMENT AND PLANNING FOR SECURITY First and foremost, assessing of what you are to be secured must be done before implementing any security methods. Another thing is identifying what are the object, scoop and requirements under a given network for security. The school has three computer laboratories in existence; each laboratory classroom has a standalone network which all workstations are interconnected without any internet connection. The plan is to interconnect the three existing computer laboratory (each laboratory has a local area network) through a common domain with the use of Windows 2000 Server as its domain controller. Basic domain controller security will be allied but the main focus is securing the network drive being created within the server. Workstation security will also be given importance.

20

4.2 NETWORK DRIVE Network drive is a storage location shared within a network. It can either be an external, which can be seen physically connected to a file server or even directly to a network switch, or can internal which is mostly created within a server. For this project, we created an internal network drive within the server’s hard disk by partitioning it into several logical drives intended for different user.

4.3 DISK PARTITIONING Partitioning is a process wherein a system hard disk is being divided into a number of separate logical disks. This is done mainly to separate system files from user files preventing any infection (such as virus, Trojan, worms, Malware, etc.) from one disk to the other. If a LAN has no available network drive for file and folder storage, and the server being used for a domain has a large and ample disk space, drive partitioning can be done on the server. Create the necessary partition based on the following: 1. Disk space of the servers hard disk 2. Number groups 3. Number of drives needed by the organization 4. Partition space allocation for users

21

As for our subject, AMA Computer Learning Center Laboratory, it consists the following: 1. Server disk space has a total of 160 GB of memory space, 20.50 GB used for the System drive, 107.3 GB of free and unallocated space and approximately 32 GB of Lost space. 2. Groups are identified into three categories; Students, Instructors, and School Admin. 3. Three logical disk drives will be needed; one for the Student, one for the Instructors and one for the School Admin. 4. Allocated space for each partition will be: •

Students – 61.5 GB

•

Instructors – 20.5 GB

•

School Admin Personnel – 25.3 GB

4.4 FILE SYSTEM At a basic level, file system security begins by choosing the appropriate file system. Windows 2000 includes three different file systems: NTFS, FAT32, and FAT. The NTFS file system is the recommended file system because of its advantages in reliability and security and because it is required for large drives.

22

The FAT and FAT32 file systems are similar to each other, except that FAT32 is designed for larger disks than FAT. NTFS has always been a more powerful file system than FAT or FAT32. Windows 2000 Server has a new version of NTFS that includes many important security features such as: •

Permissions that you can set on individual files rather than just on folders.

•

File encryption, which greatly enhances security.

•

Active Directory, which you can use to view and control network resources easily.

•

Domains, which are part of Active Directory, and which you can use to fine-tune security options while keeping administration simple. Domain controllers require NTFS.

•

Recovery logging of disk activities, which helps you restore information quickly in the event of a power failure or other system problems.

•

Disk quotas, which you can use to monitor and control the amount of disk space used by individual users.

•

Better scalability to large drives. The maximum drive size for NTFS is much greater than that for FAT, and as drive sizes increase, performance with NTFS does not degrade as it does with FAT.

23

If you are currently using the FAT file system, you can use the Convert utility that is included with Windows 2000 to convert to NTFS. And once it is converted to NTFS, you can use the file and folder permissions to secure data. Windows 2000 gives you comprehensive control over each file and folder on your hard disk. You can also use Encrypting File System (EFS) technology, which is a security technology that enables individual users to encrypt files so that the files cannot be read by others. (Microsoft TechNet, Microsoft Corporation)

4.5 DISK QUOTA Disk quotas track and control disk space usage for volumes. System administrators can configure Windows to: •

Prevent further disk space use and log an event when a user exceeds a specified disk space limit.

•

Log an event when a user exceeds a specified disk space warning level.

When you enable disk quotas, you can set two values: the disk quota limit and the disk quota warning level. The limit specifies the amount of disk space a user is allowed to use. The warning level specifies the point at which a user is nearing his or her quota limit. For example, you can set a user's disk quota limit to 50 megabytes (MB), and the disk quota warning level to 45 MB. In this case, the user can store no more than 50 MB of files on the volume. If the user stores more than 45 MB of files on the volume, you can have the disk quota system log a system event. 24

For instructions on setting disk quota values, see “To assign default quota values.” You can specify that users can exceed their quota limit. Enabling quotas and not limiting disk space use are useful when you do not want to deny users access to a volume, but want to track disk space use on a per-user basis. You can also specify whether or not to log an event when users exceed either their quota warning level or their quota limit. When you enable disk quotas for a volume, volume usage is automatically tracked for new users from that point on. However, existing volume users have no disk quotas applied to them. You can apply disk quotas to existing volume users by adding new quota entries in the Quota Entries window. Quotas are enable on both local volumes and network volumes, but only on those volumes that are shared from the volume's root directory and are formatted with the NTFS file system.

Notes: •

To support disk quotas, a disk volume must be formatted with the version of NTFS used in Windows 2000. Volumes formatted with the version of NTFS used in Windows NT 4.0 are upgraded automatically by Windows 2000 Setup.

•

To administer quotas on a volume, you must be a member of the Administrators group on the computer where the drive resides.

•

If the volume is not NTFS formatted, or if you are not a member of the Administrators group on the local computer, the Quota tab is not displayed on the volume's Properties page.

25 •

File compression does not affect quota statistics. For example, if User A is limited to 3 MB of disk space, he or she can store only 3 MB worth of files, even if the files are compressed.

4.6 Active Directory Users and Computers A great part of network administration involves management of users, computers, and groups. A successful operating system must ensure that only properly authenticated users and computers can logon to the network and that each network resource is available only to authorized users. In the Microsoft® Windows® 2000 operating system, the Active Directory™ service plays several major roles in providing security. Among these roles are the efficient and effective management of user logon authentication and user authorization. Both are central features of the Windows 2000 security subsystem and both are fully integrated with Active Directory. (Microsoft TechNet, Microsoft Corporation) Active Directory user and computer accounts represent a physical entity such as a computer or person. User accounts and computer accounts (as well as groups) are called security principals. Security principals are directory objects that are automatically assigned security identifiers.

26

Objects with security identifiers can log on to the network and access domain resources. A user or computer account is used to: •

Authenticate the identity of the user or computer.

•

Authorize or deny access to domain resources.

•

Administer other security principals.

•

Audit actions performed using the user or computer account.

This chapter covers the following topics which are important for analysis: •

User Accounts

•

Computer Accounts

•

Security Principals

•

Group Policy Applied to User and Computer Accounts

4.6.1 USER ACCOUNTS A user requires an Active Directory user account to log on to a computer or to a domain. The account establishes an identity for the user; the operating system then uses this identity to authenticate the user and to grant him or her authorization to access specific domain resources. ser accounts can also be used as service accounts for some applications. That is, a service can be configured to log on (authenticate) as a user account, and it is then granted access to specific network resources through that user account. (Microsoft TechNet, Microsoft Corporation) 27

Predefined User Accounts Windows 2000 provides the following two predefined user accounts1: •

Administrator account

•

Guest account You can use these accounts to log on locally to a computer running Windows

2000 and to access resources on the local computer. These accounts are designed primarily for initial logon and configuration of a local computer. The Guest account is disabled and you must enable it explicitly if you want to allow unrestricted access to the computer. The Administrator account is the most powerful account because it is a member of the Administrators group by default. This account must be protected with a strong password to avoid the potential for security breach to the computer. (Microsoft TechNet, Microsoft Corporation) To enable the Windows 2000 user authentication and authorization features, you create an individual user account for each user who will participate on your network. Then add each user account—including the Administrator and Guest accounts—to Window 2000 groups, and assign appropriate rights and permissions to each group. (Microsoft TechNet, Microsoft Corporation)

28

4.6.2 COMPUTER ACCOUNTS Like user accounts, Windows 2000 computer accounts provide a means for authenticating and auditing the computer's access to the network2 and its access to domain resources. Each Windows 2000 computer to which you want to grant access to resources must have a unique computer account. Computers running Windows 98 and Windows 95 do not have the advanced security features of those running Windows 2000 and Windows NT, and they cannot be assigned computer accounts in Windows 2000 domains. However, you can log on to a network and use Windows 98 and Windows 95 computers in Active Directory domains. (Microsoft TechNet, Microsoft Corporation)

4.6.3 SECURITY PRINCIPALS Active Directory user and computer accounts (as well as groups, covered later) are referred to as security principals, a term that emphasizes the security that the operating system implements for these entities. Security principals are directory objects that are automatically assigned SIDs when they are created. Objects with SIDs can log on to the network and can then access domain resources. (Microsoft TechNet, Microsoft Corporation) If you establish a trust relationship between a domain in your Windows 2000 forest and a Windows 2000 domain external to your forest, you can grant security principals from the external domain access to resources in your forest.

29

To do so, add external security principals to a Windows 2000 group, which causes Active Directory to create a "foreign security principal" object for those security principals3. You can make foreign security principals members of domain local groups (covered later). You cannot manually modify foreign security principals, but you can see them in the Active Directory Users and Computers interface by enabling Advanced Features. (Microsoft TechNet, Microsoft Corporation)

4.6.4 GROUP POLICY APPLIED TO USER AND COMPUTER ACCOUNTS In the Windows 2000 operating system environment, you can associate Group Policy configuration settings with three Active Directory containers—organizational units (OUs), domains, or sites. Group Policy settings associated with a given container either affect all users or computers in that container or they affect specified sets of objects within that container. You can use Group Policy to configure security options, manage applied to network locations. The system applies group policy to computers at boot time or to users when they log on. (You can also set the group policy refresh interval policy for users or computers; the default refresh interval for both users and computers is 90 minutes.) (Microsoft TechNet, Microsoft Corporation)

30

Here are three examples of using group policy settings: •

Set the minimum password length and the maximum length of time that a password remains valid for an entire domain.

•

Assign logon and logoff scripts to the user accounts in each organizational unit.

•

Specify which applications are available to users when they log on.

4.7 DOMAIN SECURITY POLICY In Microsoft Windows NT Server 4.0, the concept of the Domain Security Policy referred to an associated group of items considered critical to the secure configuration of a domain. These included: •

User Password or Account Policy to control how passwords are used by user accounts.

•

Audit Policy to control what types of events are recorded in the security log.

•

User Rights are applied to groups or users, and affect the activities permitted on an individual workstation, a member server, or on all domain controllers in a domain.

31

In Windows 2000, Microsoft has re-configured these components into one consistent hierarchy or tool, the Security Settings snap-in in the Group Policy Editor. This may be useful if you want to know the proper group policy object to change. Account Policies •

Password Policy

•

Account Lockout Policy

•

Kerberos Policy

Local Policies •

Audit Policy

•

User Rights Assignment

•

Security Options 1. Event Log 2. Restricted Groups 3. System Services 4. Registry 5. File System 6. IP Security Policies on Active Directory 7. Public Key Policies

32

Group Policy is administered through the use of Group Policy Objects, data structures that are attached in a specific hierarchy to selected Active Directory Objects, such as Sites, Domains, or Organizational Units. These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2)Site, (3)Domain, (4)OU, with the later policies being superior to the earlier applied policies. When a computer is joined to a domain with the Active Directory and Group Policy implemented, a local Group Policy Object is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified. Local Group Policy Objects are processed first, and then domain policy. If a computer is participating in a domain and a conflict occurs between domain and local computer policy, domain policy prevails. However, if a computer is no longer participating in a domain, local Group Policy object is applied. (Microsoft TechNet, Microsoft Corporation)

4.8 GROUP POLICY Group Policy is the central component of the Change and Configuration Management features of the Microsoft Windows 2000 operating system. Group Policy specifies settings for groups of users and of computers, including registry-based policy settings, security settings, software installation, scripts (computer startup and shutdown, and log on and log off), and folder redirection. A Restricted Group Policy allows you to define who should and should not belong to a specific group.

33

When a template (or policy) that defines a restricted group is applied to a system, the Security Configuration Tool Set adds members to the group and removes members from the group to ensure that the actual group membership coincides with the settings defined in the template (or policy). In this procedure, you will define a restricted group policy for the Local Administrators group in addition to the restricted group policy that is already defined for the local Power Users group in Securews.inf. (Microsoft TechNet, Microsoft Corporation)

Group Policy and the Active Directory In Windows 2000, administrators use Group Policy to enhance and control users' desktops. To simplify the process, administrators can create a specific desktop configuration that is applied to groups of users and computers. The Windows 2000 Active Directory™ service enables Group Policy. The policy information is stored in Group Policy objects (GPOs), which are linked to selected Active Directory containers: sites, domains, and organizational units (OUs). (Microsoft TechNet, Microsoft Corporation)

34

A GPO can be used to filter objects based on security group membership, which allows administrators to manage computers and users in either a centralized or a decentralized manner. To do this, administrators can use filtering based on security groups to define the scope of Group Policy management, so that Group Policy can be applied centrally at the domain level, or in a decentralized manner at the OU level, and can then be filtered again by security groups.

Administrators can use security groups in Group Policy to: •

Filter the scope of a GPO. This defines which groups of users and computers a GPO affects.

•

Delegate control of a GPO. There are two aspects to managing and delegating Group Policy: managing the group policy links and managing who can create and edit GPOs. Administrators use the Group Policy Microsoft Management Console (MMC)

snap-in to manage policy settings. Group Policy includes various features for managing these policy settings. In addition, third parties can extend Group Policy to host other policy settings. The data generated by Group Policy is stored in a Group Policy object (GPO), which is replicated in all domain controllers within a single domain. (Microsoft TechNet, Microsoft Corporation)

35

The Group Policy snap-in includes several MMC snap-in extensions, which constitute the main nodes in the Group Policy snap-in. The extensions are as follows: •

Administrative templates. These include registry-based Group Policy, which you use to mandate registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications.

•

Security settings. You use the Security Settings extension to set security options for computers and users within the scope of a Group Policy object. You can define local computer, domain, and network security settings.

•

Software installation. You can use the Software Installation snap-in to centrally manage software in your organization. You can assign and publish software to users and assign software to computers.

•

Scripts. You can use scripts to automate computer startup and shutdown and user logon and logoff. You can use any language supported by Windows Script Host. These include the Microsoft Visual Basic® development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS®-style batch files (.bat and .cmd).

•

Remote Installation Services. You use Remote Installation Services (RIS) to control the behavior of the Remote Operating System Installation feature as displayed to client computers.

•

Internet Explorer maintenance. You use Internet Explorer Maintenance to manage and customize Microsoft® Internet Explorer on Windows 2000-based computers. 36

•

Folder redirection. You use Folder Redirection to redirect Windows 2000 special folders from their default user profile location to an alternate location on the network. These special folders include My Documents, Application Data, Desktop, and the Start Menu.

4.9 ANTIVIRUS Antivirus software (or anti-virus) is computer software used to identify and remove computer viruses, as well as many other types of harmful computer software, collectively referred to as malware. While the first antivirus software was designed exclusively to combat computer viruses, most modern antivirus software can protect against a wide range of malware, including worms, rootkits, and Trojans. (Wikipedia.org) Security Antivirus programs can in themselves pose a security risk as they often run at the 'System' level of privileges and may hook the kernel — Both of these are necessary for the software to effectively do its job, however exploitation of the antivirus program itself could lead to privilege escalation and create a severe security threat. Arguably, use of antivirus software when compared to Principle of least privilege is largely ineffective when ramifications of the added software are taken into account. When purchasing antivirus software, the agreement may include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. 37

For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription.[6] Norton Antivirus also renews subscriptions automatically by default. (Wikipedia.org) Effectiveness Studies in December 2007 have shown that the effectiveness of Antivirus software is much reduced from what it was a few years ago, particularly against unknown or zero day threats. The German computer magazine c't found that detection rates for these threats had dropped to a frightening 20% to 30%, as compared to 40% to 50% only one year earlier. At that time only one product managed a detection rate above 50%.[12] The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or pop-up screen messages. Modern viruses are often written by professionals, financed by criminal organizations.[13] It is not in their interests to make their viruses or crimeware evident, because their purpose is to create botnets or steal information for as long as possible without the user realizing this; consequently, they are often well-hidden. If an infected user has a less-than-effective antivirus product that says the computer is clean, then the virus may go undetected.Traditional antivirus software solutions run virus scanners on schedule, on demand and some run scans in real time. If a virus or malware is located the suspect file is usually placed into a quarantine to terminate its chances of disrupting the system. Traditional antivirus solutions scan and compare against a publicized and regularly updated dictionary of malware otherwise known as a blacklist. 38

Some antivirus solutions have additional options that employ an heuristic engine which further examines the file to see if it is behaving in a similar manner to previous examples of malware. A new technology utilised by a few antivirus solutions is whitelisting, this technology first checks if the file is trusted and only questioning those that are not.[14] With the addition of wisdom of crowds, antivirus solutions backup other antivirus techniques by harnessing the intelligence and advice of a community of trusted users to protect each other. By providing these multiple layers of malware protection and combining them with other security software it is possible to have more effective protection from the latest zero day attack and the latest crimeware than previously was the case with just one layer of protection. (Wikipedia.org)

4.10 DISABLING SOME OPERATING SYSTEM SERVICE As I pointed by Chad Perrin in his article on Tech Republic website, in point number four of the article 10 security tips for all general-purposes OSes, an important step in the process of securing your system is to shut down unnecessary services. As long as Microsoft Windows has been a network capable operating system, it has come with quite a few services turned on by default, and it is a good idea for the security conscious user of Microsoft’s flagship product to shut down any of these that he or she isn’t using. Each version of MS Windows provides different services, of course, so any list of services to disable for security purposes will be at least somewhat particular to a given version of Microsoft Windows.

39

As such, a list like this one needs to be identified with a specific Microsoft Windows version, though it can still serve as a guide for the knowledgeable MS Windows user to check out the running services on other versions as well. If you are running Microsoft Windows XP on your desktop system, consider turning off the following services. You may be surprised by what is running without your knowledge.

Operating System Services •

IIS – Microsoft’s Internet Information Services provide the capabilities of a Web server for your computer.

•

NetMeeting Remote Desktop Sharing — NetMeeting is primarily a VoIP and videoconferencing client for Microsoft Windows, but this service in particular is necessary to remote desktop access.

•

Remote Desktop Help Session Manager – This service is used by the Remote Assistance feature that you can use to allow others remote access to the system to help you troubleshoot problems.

•

Remote Registry – The capabilities provided by the Remote Registry service are frightening to consider from a security perspective. They allow remote users (in theory, only under controlled circumstances) to edit the Windows Registry.

40

•

Routing and Remote Access – This service bundles a number of capabilities together, capabilities that most system administrators would probably agree should be provided separately. It is rare that any of them should be necessary for a typical desktop system such as Microsoft Windows XP, however, so they can all conveniently be turned off as a single service. Routing and Remote Access provides the ability to use the system as a router and NAT device, as a dialup access gateway, and a VPN server.

•

Simple File Sharing – When a computer is not a part of a Microsoft Windows Domain, it is assumed by the default settings that any and all file system shares are meant to be universally accessible. In the real world, however, we should only want to provide shares to very specific, authorized users. As such, Simple File Sharing, which only provides blanket access to shares without exceptions, is not what we want to use for sharing file system resources. It is active by default on both MS Windows XP Professional and MS Windows XP Home editions. Unfortunately, this cannot be disabled on MS Windows XP Home. On MS Windows XP Professional, however, you can disable it by opening My Computer -> Tools -> Folder Options, clicking the View tab, and unchecking the Use simple file sharing (Recommended) checkbox in the Advanced settings: pane.

•

SSDP Discovery Service – This service is used to discover UPnP devices on your network, and is required for the Universal Plug and Play Device Host service (see below) to operate.

41

•

Telnet – The Telnet service is a very old mechanism for providing remote access to a computer, most commonly known from its use in the bad ol’ days of security for remote command shell access on Unix servers. These days, using Telnet to remotely manage a Unix system may be grounds for firing, where an encrypted protocol such as SSH should be used instead.

•

Universal Plug and Play Device Host – Once you have your “Plug and Play” devices installed on your system, it is often the case that you will not need this service again.

•

Windows Messenger Service – Listed in the Services window under the name Messenger, the Windows Messenger Service provides “net send” and “Alerter” functionality. It is unrelated to the Windows Messenger instant messaging client, and is not necessary to use the Windows Messenger IM network.

42

4.11 DEEP FREEZE Faronics Deep Freeze helps eliminate workstation damage and downtime by making computer configurations indestructible. Once Deep Freeze is installed on a workstation, any changes made to the computer—regardless of whether they are accidental or malicious—are never permanent. Deep Freeze provides immediate immunity from many of the problems that plague computers today—inevitable configuration drift, accidental system misconfiguration, malicious software activity, and incidental system degradation. Deep Freeze ensures computers are absolutely bulletproof, even when users have full access to system software and settings. Users get to enjoy a pristine and unrestricted computing experience, while IT personnel are freed from tedious helpdesk requests, constant system maintenance, and continuous configuration drift. (www.faronics.com)

43

CHAPTER 5 SUMMARY, CONCLUSIONS, AND RECOMMENDATIONS 5.1 SUMMARY The study conducted by the researchers is an in depth research, experimentation, testing and implementation of basic security configuration procedure that are available for Windows 2000 Server. The security concept is based on Windows 2000 Server’s Active Directory, Group Policy snap-in and Domain Security policy with the protection of antivirus software “Avast 4.8 Server and Home Edition” and Deep Freeze software. The researcher will initiate methods and procedures that are already available for security implementation. Creation of organization, groups and user accounts will be done for domain access of network resources. The Server, particularly network drive security will be implemented through the use of Group Policy snap-in for Active Directory Users and computers, Domain Security policy and installation of antivirus software Avast. Security for workstations will done by disabling some operating system services, domain based Group policy, installation of antivirus software Avast and Deep Freeze software.

44

5.2 CONCLUSION Group policy has been an effective tool on providing unified permissions and privileges for users, organization units, groups and computers. It is convenient in the sense that Group Policy snap-in configuration is only cone on one computer system, the server (Domain Controller). You just create the necessary organization units, group and user then snap-in and configure new Group Policy object. All access privileges are being filtered through this Group Policy configuration. Efficiency has been a means to describe Group Policy. Domain security is in support to Group Policy. Providing added policy to the entire domain. Although efficient and easy to apply, it could not fully secure the server in terms of viral intrusion and malicious code infection. This is why the strength of antivirus software such as Avast is needed. Antivirus software is a preventive solution against this intrusion for it can detect and prevent unwanted software intrusion provided constant software updated. Another effective solution support for this is problem providing workstation security. Group policy snap-in in the server can enhance security for in can restrict access and privileges of users narrowing potential harm on any network resource. Enhancement can be done by restricting workstation services and installation of some security software such as Deep Freeze. This minimizes unwanted configuration and software installation by restoring back its initial state before it was freeze. In all, the procedures being implemented in this proposed project are efficient and effective for minimal local area network security needs

45

5.3 RECOMMENDATION For the school in focus for experiment, we strongly recommend the creation of a domain server with an existing and secured network drive for unified storage location. This will increase automation for instructors and students in accessing and saving files. With an added security, confidentiality of files will be enhances. Instructors and school admin personnel would only have to login any workstation connected to the domain to access network resources anywhere within the Local Area Network. Another thing is to assess workstation security. The school uses protective software but with poor administration, they become useless. Before installing such software, thorough system cleanup and assessment of system services should be done for workstation security. And lastly, appropriate network administration and management should de done for thorough manifestation of this security concept.

46

Bibliography Matt Curtin. March 1997. Introduction to Network Security. Reprinted with the permission of Kent Information Services, Inc. PDF Script Office of the CIO, University at Albany. Security Threats, Types of Threats Brian Floyd. member of IEEE, SCTE. PDF script Changing the Face Of Network Security Threat Chad Perrin. IT Security blog post "10 services to turn off in MS Windows XP" Microsoft TechNet, Microsoft Corporation, Step-by-Step Guide to Using the Security Configuration Tool Set Subject Matter Expert, CramSession.com PDF script, Server 2003 Network Security Administration Study Guide John Wait ET al.2000 OSI reference model and layered communication. CISCO CCNA exam #640 -507 Guide. P.68 S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989. John Wait et al.2000.The OSI,TCP/IP and Netware protocol Architectures. CISCO CCNA exam #640 -507 Guide. P.74 Don Parker, Oct 5 2006.The Routing Protocols. Articles and tutorials: Network protocol John Wait et al.2000. OSI Transport Layer Functions. CISCO CCNA exam #640 -507 Guide. P.87 Ekhaml, Leticia. 2001. Protecting yourself from internet risks, threats, and crime. Journal of Educational Media and Library Sciences 39, no. 1: 8-14. John Wait et al.2000. OSI Data Link Layer Functions. CISCO CCNA exam #640 -507 Guide. P.94 Kanabar, Dina and Vijay Kanabar. 2003. A quick guide to basic network security terms. Computers in Libraries 23, no. 5: 24-25 John Wait et al.2000.OSI Network Layer Functions. CISCO CCNA exam #640 -507 Guide. P.103 Omar Santos. June 26, 2008. Identifying and classifying Network Security Threats. CISCO Press. 47

Derek Melber. June 26, 2008.Undestanding Windows Security Templates. Articles: Misc. Network Security. SpeedStreamtm Router Family. November 2000. Command Line Interface Guide PDF Script. Efficient NetworksR “Windows 2000 Firewalling”. From a anonymous http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

48

author.

June

15,

2007

APPENDIX A DISK PARTITION After assessing the network needs for file storage, partitioning can be executed by the following procedure:

1. Click START menu then click SETTINGS and the CONTROL PANEL. 2. Under CONTROL PANEL, click ADMINISTRATIVE TOOLS and then click COMPUTER MANAGEMENT. 3. Under COMPUTER MANAGEMENT, click DISK MANAGEMENT. 4. Right click the drive intended for the partitioning and then select CREATE PARTITION and click.

Figure 1: Selecting drives

Figure 2: Partition Wizard

Figure 3: Partition Selection

Figure 4: Specify space

Figure 5: Drive letter assignment

Figure 6: File system

Figure 7: Finishing wizard Figure 8: Creating logical drive

Figure 9: Partition selection

APPENDIX B ACTIVE DIERCTORY USER AND COMPUTERS

Figure 10: Creating organization units

Figure 11: Naming organization

Figure 12: Creating groups

Figure 13: Naming group and scope/type

Figure 14: Creating user account for domain access

Figure 15: Naming account users

Figure 16: Configuring user properties

Figure 17: User properties

Figure 18: Group membership

Figure 19: Account logon configuration

Figure 20: Assigning user and folder path

APPENDIX C ENABLING DISK QUOTA On desktop double click My Computer view Network Drive

Figure 21: Selecting drive for enabling quota

Figure 22: Quota management

Figure 23: Adding new quota entries

Figure 24: Selecting user for quota entries

Figure 25: Enabling disk space Figure limit 26: Input specified space limit

Figure 27: Limit disk space usage

Figure 28: Quota entries

Figure 29: Full disk quota limit

Figure 30: Executed quota

APPENDIX D GROUP POLICY SNAP-IN FOR ACTIVE DIRECTORY USER AND COMPUTERS

Figure 31: Select group/user/organization for Group Policy snap-in

Figure 32: Create new object

Figure 33: Selecting policies

Figure 34: Account policy

Figure 35: Password policy

Figure 36: Local Policy

Figure 37: User rights assignment

Figure 38: Selecting restriction on Security Option

Figure 39: Selecting and defining policy of System Services

Figure 40: Redirection of folder location

APPENDIX E DOMAIN SECURITY POLICY

Figure 41: Security setting

Figure 42: Password policy

Figure 43: Defining user rights

Figure 44: Defining and selecting System Service

Figure 45: Defining policy on Security Option