GoalScenarioThings you need to knowYour tasksWindows XP ACL Class Exercise Goal Use Windows XP security subsystem to protect elements on a NTFS file system Scenario You need to set up a file system for the GeeWhiz company. This company has three sets of employees: • Engineers • Financial folks • System Administrators Each set of folks would like a place on the file system where in general they have full control and other folks have read-only access. But each group of folks would like to have the following subareas with different access: • A pub area that gives all users read and write access. • A priv area that blocks everyone except for folks of the same set. The lab machines have been populated with the following users • Alice – Currently an engineer, but she used to be a financial person and she still sometimes fulfills that role. • Bob – An engineer. • Carol and Dave are both Financial folks • Ellen and Gus are both sys admins Each user’s password is their name plus “-test”, e.g., alice’s password is alice-test. The following groups are also on these machines • Engineering • Financial • Administrators Things you need to know You will need to adjust the audit policies for the SACLS to have any effect. Go to Control Panel -> Administrative Tools -> Local Security Settings ->Local Policies -> Audit Policies. Be careful of enabling too many audit policies. They can get very verbose. Cyber Security ‘06The event viewer is in Control Panel -> Event Viewer You can look at assigned privileges in Control Panel -> Administrative Tools -> Local Security Settings ->Local Policies ->User Rights Assignment. Your tasks You will need to perform the following tasks. 1. Implement the directory structure that satisfies the security requirements described above. 2. Augment the scenario to block Alice from access to the financial private area (Alice is a member of the Financial group). 3. Cause audit messages to be sent to the event viewer when people without access attempt to access one of the private areas. 4. Is it feasible to block access from one of the administrative users? Why or why not? 5. If you had a larger user community, would you change your file system security design? Do your clients have to adjust ACLs if they work within your base directory structure? Can you prevent your clients from changing your DAC goals? 6. In the private directories, can you create directories or files that can be accessed by non-group users? Cyber Security
View Full Document