Increasing Security with Limited User Accounts and Restricted Groups - Research Paper Example

Summary
The paper describes how the proper use of controls minimizes threats to data, software and hardware. The extent to which we decide to implement security precautions will depend upon how sensitive our data is, how large our network is, and how susceptible it is to attack…

Extract of sample "Increasing Security with Limited User Accounts and Restricted Groups"

As the DULL Company has 8 PCs running the Windows XP operating system, these will act as clients, or workstations. Every workstation needs an Ethernet card so that it can be plugged into the network physically. So the first task is to install an Ethernet card in each of the 8 computers and restart every system so that the operating system can install the Ethernet drivers. After this, a static IP address has to be assigned to every system. To do this:

  1. Open the Network Control Panel.
  2. Open the properties of the Ethernet adapter card.
  3. Open the properties of the TCP/IP protocol and set the IP address to 191.131.1.2 for the first machine and 191.131.1.9 for the eighth machine. For every machine the subnet mask should be 255.255.255.0.

After completing these configurations, save the configuration by clicking OK and restart the machines again.

After this, a Windows 2003 Server machine is required, with a 2.4 GHz processor, 256 MB RAM, a 120 GB hard disk and an Ethernet card. When the machine is ready after the installation of Windows 2003 with Service Pack 1, run the “Dcpromo” command from the Start menu so that the Active Directory services can be installed. This service keeps the details of every resource on the network, e.g. workstations, network printers and users. It is used to assign privileges to users and to manage their account policies. After this, restart the system. Now set the IP address of the server to 191.131.1.1 and the subnet mask to 255.255.255.0.

Furthermore, a switch of 10 connectors is required. One end of each of the 10 connectors is connected to the switch and the other ends are then connected to the individual machines, including the server and the printer.

At this moment all client machines are in a workgroup; they are not yet logged on to the domain of the server. Now open “Properties” of My Computer and click on the Computer Name tab. Inside this, click the “Change” button so that the domain name can be assigned. After this, restart the system.
Now use Active Directory Services to create user accounts and to assign them privileges and access to the printer if required.

Building A WAN

To build a WAN we have to use a router in each underwriting company and at DULL, since Ethernet connections cannot be used: they only support a distance of 100 meters, and the four companies, including DULL, are at a distance of 10 km. An individual router is therefore installed at each of the four companies to connect its own LAN with the other LANs.

To establish a WAN connection in the DULL environment and to create such long links, or circuits, the actual physical cabling is owned, installed and managed by a company that has the right of way to run cables under streets. Because a company that needs to send data over the WAN circuit does not actually own the cable or line, it is called a leased line. In this case, point-to-point WAN links provide basic connectivity between two points. To get a point-to-point WAN link, you would work with a service provider to install a circuit. What the phone company or service provider gives you is similar to what you would have if you made a phone call between two sites but never hung up. The two devices on either end of the WAN circuit can send and receive bits between each other at any time they want, without needing to dial a phone number. And because the connection is always available, a point-to-point WAN connection is sometimes called a leased circuit or leased line, because you have the exclusive right to use that circuit as long as you keep paying for it. (Wendell Odom, CCNA Intro, CCIE, Exam Certification Guide)

Now the three underwriter companies and DULL each have to buy a Cisco router. Four leased lines have to be taken from the service providers, and all four routers have to be connected to each other by those leased lines in a circular manner. Every individual LAN is then connected to its own router.
The Windows 2003 domain server in the DULL company, fitted with a modem, is also going to act as a VPN server. To make it a VPN server, install and run the Routing and Remote Access Services (RRAS). Once an inbound VPN connection has been authenticated, the VPN server simply acts as a router that provides the VPN client with access to the private network. When the client is a remote client dialing from its own machine to our VPN server, we need security measures. We must use a firewall to block any unused ports.

As for client configuration, the clients need a modem so that they can log in to the remote server domain at boot time by choosing to log on using a dial-up connection. Before doing that, the client must have the VPN dial-up connection. A VPN dial-up connection can be created with the New Connection Wizard by following its steps. During the wizard steps you have to give the IP address of the host computer. When the clients of the DULL company connect through the phone to the VPN server, they will have their remote profile and all the accessible data for which they are authorized.

Share Permission

Servers are typically kept in locked rooms and store the company resources (folders, files, documents, spreadsheets, etc.). These servers are locked behind closed doors so that the only access that employees have to the resources is over the network. So, one level of security for protecting the resource is the physical security that is provided by not allowing employees direct access to the hardware upon which the resource is located. In order for employees to access the resources stored on the servers, the server must be configured to allow the employees to access the resources over the network. In a Windows environment, this is done through shared folders. When a folder is shared it becomes available over the network, so that all users on the network can see the shared folder name.
In order to protect the resources that are made available through shared folders, administrators must configure “permissions” for the folders and files that are made available over the network. There are two types of permissions that can be configured on shared folders: SHARE and NTFS. We are going to focus on the share permissions, discussing some pitfalls that are exposed when we use them, as well as some recommended methods to successfully configure permissions for shared folders.

To make sure that I am clear about my description of the permissions available on a shared folder, I wanted to start off by describing the two different permissions that can be configured on each shared folder. The two permissions are: share and NTFS.

NTFS permissions are an attribute of the folder or file for which they are configured. The NTFS permissions include both standard and special levels of settings. The standard settings are combinations of the special permissions, making the configuration more efficient and easier to establish. These permissions include:

  • Full Control
  • Modify
  • Read and Execute
  • List Folder Contents
  • Read
  • Write

There are 14 special permissions for folders, which include detailed control over creating, modifying, reading, and deleting subfolders and files contained within the folder where the permissions are established. NTFS permissions are associated with the object, so the permissions are always connected with the object during a rename, move, or archive of the object.

Share permissions are only associated with the folder that is being shared. For example, if there are 5 subfolders below the folder that is shared, only the initial shared folder can have share permissions configured on it. NTFS permissions can be established on every file and folder within the data storage structure, even if a folder is not shared. Share permissions are configured on the Sharing tab of the shared folder.
On this tab, we will have a Permissions button, which exposes the share permissions when selected.

Increasing Security with Limited User Accounts and Restricted Groups

We may have some users who need access to limited resources on the network (for example, temporary workers). We don’t want them to have as much access as regular users, but they need more access than guests. We can create user accounts for them and place them in a special group for which we customize the user rights. We can also give this group permissions to certain resources (files/folders, shared printers, etc.). Create the group at the level that will be needed for the user to do his/her job. If network resources are not needed, we can create a local account and the user can log onto the local machine instead of the domain. In most cases, we want to create domain accounts so they can be centrally managed, and so the user will be able to work from different machines.

Sometimes it’s difficult to keep up with who belongs to a specific group. In Windows XP/Server 2003, we can use restricted groups to gain better control over membership of groups. To do so, we create a restricted groups policy. The policy specifies which users are members of the group. When we apply the policy, only those users allowed in the policy will be members of the restricted group. This prevents addition of members who should not be allowed. Only members added in the policy can belong to the group.

Security Plan

True network security means protecting network data from both deliberate and accidental threats. A network is no good without the data it can send, manipulate and receive. Threats to the network fall into these general categories:

  • Destruction: Data and hardware can be destroyed by deliberate or negligent acts.
  • Corruption: Data that has been corrupted is untrustworthy and often worthless.
  • Disclosure: Data of a confidential nature can be intercepted. We must vigorously protect passwords and other confidential data.
  • Interruption: If the network goes down, we cannot use the resources we need. Downtime means unavailable data.

Our Security Plan

To deal with these threats, we need to come up with a security plan. Our plan should include these steps:

  • Examine and analyze each segment of the network for possible security breaches.
  • If we discover a threat to our network, consider various responses in terms of their cost and importance.
  • Make affordable changes as needed.
  • Check and maintain controls to keep them working and protecting the network.

Security Controls

The proper use of controls minimizes threats to data, software and hardware. The extent to which we decide to implement security precautions will depend upon how sensitive our data is, how large our network is, and how susceptible it is to attack. Some controls which we might want to implement include the following:

  • Require unique passwords with a minimum length.
  • Require regular, frequent password changes.
  • Restrict login times.
  • Require adequate security on modems.
  • Carefully limit guest accounts.
  • Limit access to network resources to a need-to-know basis.
  • Use software that employs encryption.
  • Use data redundancy on the server (RAID or any other backup system).

(Charles Perkins, James Chellis, Matthew Strebe, MCSE Networking Essentials)

VPN security

Most businesses need more than a personal or simple network firewall can offer, but unless we are running an ISP or data center, the top-of-the-line enterprise firewalls are probably overkill. Assuming we have a medium-sized business and are in the market for a firewall in a particular range, we need to find out what is out there and what the differences between the products are. Here are some things we want to look for:

  • Architecture: Do we prefer a software firewall that we can install on a new or existing PC, or a dedicated appliance?
  • How many concurrent firewall sessions does the firewall need to support?
  • How many VPN tunnels do we need to be able to run concurrently?
  • What VPN protocols do we want to use (IPsec, PPTP, L2TP)?
  • Do we need integration with Exchange mail servers or SharePoint collaboration servers?
  • What type of management user interface (UI) do we prefer: command line interface (CLI), graphical management console, or Web-based interface?
  • Do we need to manage the firewall via SSH, Telnet, or SNMP?
  • Do we need centralized management of multiple firewalls?
  • Do we need high availability (load balancing, failover) features?

There is no One Perfect Firewall. Each product has strengths and weaknesses, and after we have evaluated our needs and decided which features are most important for our organization, we should carefully compare the technical specs and datasheets of different firewall products to determine which meets our own needs best.

For example, the Cisco PIX firewalls are reliable and well liked, but many administrators don’t like the PIX Device Manager (PDM) Web interface and prefer to use the CLI. If we are uncomfortable with the command line, this might be a factor in our choice. SonicWall mid-range Pro 230 firewalls offer a big price advantage over other brands, but support fewer VPN tunnels (500 as compared to 12,500 for the mid-range Nokia 350 and 8000 for the mid-range WatchGuard V80). On the other hand, the NetScreen 50, which costs more than the SonicWall, provides fewer VPN tunnels (100) and fewer concurrent sessions (8000 vs. SonicWall’s 30,000).

Buying a firewall for our organization can be a daunting task, but it is made easier by being properly prepared. That means knowing how many users it needs to support (and taking future growth into account), whether we will have VPN users and how many, whether we have Exchange and SharePoint servers we need to protect, whether we need to manage multiple servers centrally, and whether we want extra features such as Web caching.
We also want to determine whether we prefer that extra functions be performed “off box” (which increases the amount of hardware required but puts less load on the firewall’s processor) or “on box”, which may be more convenient and reduce cost. There are many decisions to make when we start to evaluate firewall options. (http://www.windowsecurity.com)

Bibliography

  • Wendell Odom, CCNA Intro, CCIE, Exam Certification Guide
  • Charles Perkins, James Chellis, Matthew Strebe, MCSE Networking Essentials
  • Window Security (http://www.windowsecurity.com)
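
The restricted groups policy described under "Increasing Security with Limited User Accounts and Restricted Groups" can be previewed before it is applied. The following is an added example, not part of the original paper: it reads the [Group Membership] section of a Windows security template and reports which accounts the policy would remove from, or add to, each restricted group. The template text, the TempWorkers group, the DULL\ account names and the current-membership snapshot are all constructed for illustration.

```python
"""Added example: preview what a Restricted Groups policy would change."""

# Constructed security-template fragment. Restricted Groups settings live in
# the [Group Membership] section as "<group>__Members = a,b,c" lines.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Group Membership]
TempWorkers__Memberof =
TempWorkers__Members = DULL\\temp01,DULL\\temp02
Administrators__Members = DULL\\Administrator,DULL\\Domain Admins
"""

# Constructed snapshot of the membership currently found on a workstation.
SAMPLE_CURRENT = {
    "TempWorkers": {"DULL\\temp01", "DULL\\temp03"},
    "Administrators": {"DULL\\Administrator", "DULL\\Domain Admins", "DULL\\temp01"},
}


def parse_restricted_groups(template_text):
    """Return {group: set(members)} from the [Group Membership] section."""
    policy, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.endswith("__Members"):
            continue  # "__Memberof" lines are a different setting
        group = key[: -len("__Members")].lstrip("*")  # "*" marks a SID entry
        policy[group] = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return policy


def preview_enforcement(policy, current):
    """For each restricted group, list who would be removed and who added."""
    report = {}
    for group, allowed in policy.items():
        # Compare case-insensitively: Windows account names ignore case.
        allowed_ci = {m.lower(): m for m in allowed}
        actual_ci = {m.lower(): m for m in current.get(group, set())}
        report[group] = {
            "remove": sorted(actual_ci[k] for k in actual_ci.keys() - allowed_ci.keys()),
            "add": sorted(allowed_ci[k] for k in allowed_ci.keys() - actual_ci.keys()),
        }
    return report


if __name__ == "__main__":
    plan = preview_enforcement(parse_restricted_groups(SAMPLE_TEMPLATE), SAMPLE_CURRENT)
    for group, changes in plan.items():
        print(group, "remove:", changes["remove"], "add:", changes["add"])
```

An empty "__Members" value parses to an empty set, so the preview lists every current member of that group for removal.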
Networking Assignment Essay Example | Topics and Well Written Essays - 2000 words. Retrieved from https://studentshare.org/technology/1513821-networking-assignment-essay