Types Of Attacks
Week Five – Group Project: Active Directory
Jeannie Johnson, Brian D. Harvey
Information Security Techniques II (CMIS - 4103 - 1)
January 4, 2013
Professor Farhan Siddiqui

In this week’s assignment, we are tasked with “diagraming how we would set up a domain called fictionaldomain.com within Windows Active Directory. We are to choose how to organize the domain with the following: 1) Departments: manufacturing, administration, legal, IT, and finance. 2) Each department will be in its own subnet, though some departments need to communicate with the others. We were to determine which departments need to communicate with other departments” (Walden, 2013). The second part of this assignment is to “create several fictional users within each unit with specific titles, such as CEO in administration, system administrator in IT, attorney in legal, assembly line worker in manufacturing, etc. Include at least 10 different total users from among all five departments. We are also to identify who will have what type of access. For instance, there may be some users who will have access to everything, whereas other users will have access to just Accounts Payable, etc.” (Walden, 2013).

For the purpose of this scenario the Domain Controller server will be set up with the information provided in the tables listed below. It is assumed that this server is set up with RAID 5 and is a SBS (Small Business Server).

DOMAIN
The domain shall be fictionaldomain.com.
ORGANIZATIONAL UNITS
The Organizational Units (OU) will be the following:

Group            Organizational Unit   FQDN
Accounting       ACCT                  ACCT.fictionaldomain.com
Manufacturing    MANU                  MANU.fictionaldomain.com
Administration   ADMIN                 ADMIN.fictionaldomain.com
Legal            LEGL                  LEGL.fictionaldomain.com
IT               IT                    IT.fictionaldomain.com

SHARES and MAPPINGS

Home and department folders:

Folder                Drive Mapping   Path
USERS                 U:              \USERS$\%USERNAME%
LEGAL                 L:              \LEGAL
IT                    I:              \IT
ACCOUNTING            P:              \ACCOUNTING
ADMINISTRATION        Q:              \ADMINISTRATION
Manufacturing / CAD   R:              \MANUFACTURING

Shared folders:

Shared Folder   Drive Mapping   Path
Finance         Z:              \Accounting\ACCT_Access
Legal           Y:              \Legal\LEGAL_Access
Manufacturing   X:              \MANUFACTURING\CAD
IT              W:              \IT\PUBLIC
FORMS           F:              \Forms
LEGAL SHARED    V:              \Legal\Legal_Shared

USER ACCOUNTS

User Account   Department       Role / Title                    Access Type
ASmith         Administration   Chief Executive Officer (CEO)   Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, L:\Legal\Legal_Access, Z:\Accounting\ACCT_Access, X:\MANUFACTURING\CAD, W:\IT\PUBLIC, Q:\Administration, F:\Forms, V:\LEGAL\LEGAL_SHARED
JJones         IT               Sys Admin                       Full access to all directories
               Directories: Root of C: and all sub directories
LStevens       Legal            Attorney                        Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, L:\Legal, Y:\Legal\Legal_Access, W:\IT\PUBLIC, F:\Forms, V:\LEGAL\LEGAL_SHARED
RLewis         Manufacturing    Plant Foreman                   Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, X:\MANUFACTURING\CAD, R:\MANUFACTURING, W:\IT\PUBLIC, F:\Forms
KRichards      Finance          Accountant                      Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, P:\Accounting, Z:\Accounting\ACCT_Access, W:\IT\PUBLIC, F:\Forms, V:\LEGAL\LEGAL_SHARED
ZZTop          Legal            Lead Attorney                   Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, L:\Legal, Y:\Legal\Legal_Access, W:\IT\PUBLIC, F:\Forms, V:\LEGAL\LEGAL_SHARED
LSkynrd        Manufacturing    Production Line                 Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, X:\MANUFACTURING\CAD, R:\MANUFACTURING, W:\IT\PUBLIC, F:\Forms
BLieve         Administration   Chief Financial Officer (CFO)   Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, L:\Legal\Legal_Access, Z:\Accounting\ACCT_Access, X:\MANUFACTURING\CAD, W:\IT\PUBLIC, Q:\Administration, P:\Accounting, F:\Forms, V:\LEGAL\LEGAL_SHARED
UWinsome       IT               Engineer                        Full access to all directories
               Directories: Root of C: and all sub directories
ULosesome      Finance          Accountant                      Limited to home directory and listed directories
               Directories: U:\USERS\%USERNAME%, P:\Accounting, Z:\Accounting\ACCT_Access, W:\IT\PUBLIC, F:\Forms, V:\LEGAL\LEGAL_SHARED

SUBNETS and IP RANGES

Group            Subnet Mask       IP Range
IT               255.255.255.252   192.168.1.1 - 192.168.1.2
Finance          255.255.255.248   192.168.1.1 - 192.168.1.6
Administration   255.255.255.240   192.168.1.1 - 192.168.1.14
Legal            255.255.255.224   192.168.1.1 - 192.168.1.30
Manufacturing    255.255.255.192   192.168.1.1 - 192.168.1.62

ORGANIZATIONAL CHART

fictionaldomain.com
  Finance OU:        ULosesome, KRichards
  IT OU:             UWinsome, JJones
  Administration OU: BLieve, ASmith
  Manufacturing OU:  LSkynrd, RLewis
  Legal OU:          LStevens, ZZTop

There are five different departments in this organization. The first department is the finance department, and its subnet mask is 255.255.255.248. The accountants in the finance department, ULosesome and KRichards, both need to be able to communicate with the legal and IT departments. The IT department’s subnet mask is 255.255.255.252. The IT engineer, UWinsome, and the IT system administrator, JJones, need to be able to communicate with all departments. The next department is the Administration department, and its subnet mask is 255.255.255.240. The CEO, ASmith, and the CFO, BLieve, of Administration both need to be able to communicate with all departments except for accounting. The other two departments are manufacturing and legal. The manufacturing department’s subnet mask is 255.255.255.192.
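The following PowerShell script is an added example, not part of the group project, showing one way to build the OU, user and share design from the tables above on the domain controller. It assumes the ActiveDirectory and SmbShare modules are present (Windows Server with the AD DS role), that it runs with domain-administrator rights, that the server is named DC01, that shares live under D:\Shares, and that the domain's NetBIOS name is FICTIONALDOMAIN (all assumed names). The GG-<Department> security groups are introduced here so that share and NTFS permissions are granted to groups rather than to individual users; the paper lists the accountants under both "Finance" and "Accounting", so the script uses Finance as the department and ACCT as its OU, matching the OU table and the organizational chart. Only the Finance share (Z:) is created; the remaining shares follow the same pattern, and the read-only grant to Administration is an assumption since the paper does not state an access level for the CEO and CFO.

```powershell
# Added example (not from the paper): provision the OU, group, user and share
# design for fictionaldomain.com on a single domain controller.
# Assumed: ActiveDirectory + SmbShare modules, domain-admin rights, server DC01,
# shares under D:\Shares, NetBIOS domain name FICTIONALDOMAIN.
Import-Module ActiveDirectory

$domainDN = 'DC=fictionaldomain,DC=com'
$server   = 'DC01'                      # assumed server name for UNC paths

# Department -> OU name, taken from the paper's OU table.
$ous = @{
    Finance = 'ACCT'; Manufacturing = 'MANU'; Administration = 'ADMIN'
    Legal   = 'LEGL'; IT = 'IT'
}
foreach ($dept in $ous.Keys) {
    $ouPath = "OU=$($ous[$dept]),$domainDN"
    New-ADOrganizationalUnit -Name $ous[$dept] -Path $domainDN -ProtectedFromAccidentalDeletion $true
    # One security group per department (assumed naming GG-<Department>).
    # Permissions are granted to groups, so group membership is the only
    # per-user step when someone joins or leaves a department.
    New-ADGroup -Name "GG-$dept" -GroupScope Global -GroupCategory Security -Path $ouPath
}

# Users from the paper's account table: logon name, department, title.
$users = @(
    @{ Sam = 'ASmith';    Dept = 'Administration'; Title = 'Chief Executive Officer' },
    @{ Sam = 'BLieve';    Dept = 'Administration'; Title = 'Chief Financial Officer' },
    @{ Sam = 'JJones';    Dept = 'IT';             Title = 'System Administrator' },
    @{ Sam = 'UWinsome';  Dept = 'IT';             Title = 'Engineer' },
    @{ Sam = 'LStevens';  Dept = 'Legal';          Title = 'Attorney' },
    @{ Sam = 'ZZTop';     Dept = 'Legal';          Title = 'Lead Attorney' },
    @{ Sam = 'RLewis';    Dept = 'Manufacturing';  Title = 'Plant Foreman' },
    @{ Sam = 'LSkynrd';   Dept = 'Manufacturing';  Title = 'Production Line' },
    @{ Sam = 'KRichards'; Dept = 'Finance';        Title = 'Accountant' },
    @{ Sam = 'ULosesome'; Dept = 'Finance';        Title = 'Accountant' }
)
foreach ($u in $users) {
    $ouPath   = "OU=$($ous[$u.Dept]),$domainDN"
    # Initial password is entered at run time, never stored in the script.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $($u.Sam)"
    New-ADUser -Name $u.Sam -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@fictionaldomain.com" `
        -Title $u.Title -Department $u.Dept -Path $ouPath `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true `
        -HomeDirectory "\\$server\USERS$\$($u.Sam)" -HomeDrive 'U:'   # U: mapping from the shares table
    Add-ADGroupMember -Identity "GG-$($u.Dept)" -Members $u.Sam
}

# Finance share (Z: in the paper's shares table). Share-level permission is
# kept coarse; the detailed rights live in the NTFS ACL below. Only Domain
# Admins (the IT accounts in the paper) hold Full Control.
$acctPath = 'D:\Shares\Accounting\ACCT_Access'
New-Item -ItemType Directory -Path $acctPath -Force | Out-Null
New-SmbShare -Name 'ACCT_Access$' -Path $acctPath `
    -FullAccess 'FICTIONALDOMAIN\Domain Admins' `
    -ChangeAccess 'FICTIONALDOMAIN\GG-Finance', 'FICTIONALDOMAIN\GG-Administration'

# Remove inherited ACEs so rights granted higher in D:\Shares do not leak in,
# then grant exactly what the paper's table lists: Finance modifies the data,
# Administration (CEO, CFO) can read it (read-only level is an assumption).
icacls $acctPath /inheritance:r
icacls $acctPath /grant:r 'FICTIONALDOMAIN\Domain Admins:(OI)(CI)F' `
                          'FICTIONALDOMAIN\GG-Finance:(OI)(CI)M' `
                          'FICTIONALDOMAIN\GG-Administration:(OI)(CI)RX'
```

Running the script once on the domain controller creates the five OUs and groups, the ten accounts with their U: home directories, and the Finance share. Because the paper gives JJones and UWinsome full access to every directory, the natural way to express that is membership of Domain Admins rather than per-share grants; adding them with `Add-ADGroupMember -Identity 'Domain Admins' -Members JJones, UWinsome` is the remaining step and should be done only for those two accounts.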
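The subnet table above can be checked mechanically before it is put on a router or firewall. This PowerShell script is an added example, not from the project, that takes the masks and ranges exactly as the table lists them, derives each prefix length and usable host count from the mask, and tests every pair of ranges for overlap. As listed, every department's range begins at 192.168.1.1, so the check reports that all five ranges share addresses; the masks themselves are consistent with the range sizes (2, 6, 14, 30 and 62 usable hosts), so only the starting addresses need to be moved to distinct networks for the departments to be separately routable.

```powershell
# Added example (not from the paper): validate the paper's subnet plan.
# Values in $plan are copied from the paper's SUBNETS and IP RANGES table;
# prefix length, usable host count and overlaps are computed here.

function ConvertTo-UInt32 ([string]$ip) {
    # Turn a dotted-quad string into a 32-bit number so ranges can be compared.
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> host order for BitConverter
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

$plan = @(
    @{ Group = 'IT';             Mask = '255.255.255.252'; Start = '192.168.1.1'; End = '192.168.1.2'  },
    @{ Group = 'Finance';        Mask = '255.255.255.248'; Start = '192.168.1.1'; End = '192.168.1.6'  },
    @{ Group = 'Administration'; Mask = '255.255.255.240'; Start = '192.168.1.1'; End = '192.168.1.14' },
    @{ Group = 'Legal';          Mask = '255.255.255.224'; Start = '192.168.1.1'; End = '192.168.1.30' },
    @{ Group = 'Manufacturing';  Mask = '255.255.255.192'; Start = '192.168.1.1'; End = '192.168.1.62' }
)

$rows = foreach ($p in $plan) {
    $mask   = ConvertTo-UInt32 $p.Mask
    # A valid mask is a run of 1 bits followed by 0 bits; the run length is the prefix.
    $prefix = [Convert]::ToString([long]$mask, 2).TrimEnd('0').Length
    $usable = [math]::Pow(2, 32 - $prefix) - 2     # minus network and broadcast
    [pscustomobject]@{
        Group  = $p.Group
        Prefix = "/$prefix"
        Usable = [int]$usable
        Start  = ConvertTo-UInt32 $p.Start
        End    = ConvertTo-UInt32 $p.End
        Range  = "$($p.Start) - $($p.End)"
    }
}
$rows | Format-Table Group, Prefix, Usable, Range -AutoSize

# Two ranges overlap when neither one ends before the other begins.
$overlaps = for ($i = 0; $i -lt $rows.Count; $i++) {
    for ($j = $i + 1; $j -lt $rows.Count; $j++) {
        if ($rows[$i].Start -le $rows[$j].End -and $rows[$j].Start -le $rows[$i].End) {
            "$($rows[$i].Group) and $($rows[$j].Group) share addresses ($($rows[$i].Range) vs $($rows[$j].Range))"
        }
    }
}
if ($overlaps) { $overlaps | ForEach-Object { Write-Warning $_ } }
else           { 'Subnet plan has no overlapping ranges.' }
```

The overlap test is the part worth keeping in any change process for the network: department-to-department rules such as "Finance may reach Legal and IT but not Manufacturing" can only be enforced at a router or firewall if each department's hosts sit in a distinct network, and the warnings this script emits for the table as written show that the plan does not yet satisfy that precondition.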
LSkynrd, a production line associate, needs to be able to communicate with the head of the manufacturing department and the IT department. RLewis, plant foreman of manufacturing, needs to be able to communicate within the manufacturing department as well as with the IT department. The Legal department’s subnet mask is 255.255.255.224. ZZTop, lead attorney, and LStevens, attorney, need to be able to communicate with all departments.

This structure ensures that only properly authenticated users and computers can log on to the system and that each resource is available only to authorized users. It confirms the identity of any user trying to log on to the domain and allows them access only to the areas determined by the rights assigned to that specific user. When a user tries to access an object, the security identifiers (SIDs) in the user’s access token are compared against the object’s access control list to determine whether the user has permission to access the object and, if access is allowed, what type of access they have. For example, user account UWinsome, the IT engineer, has full access to all departments, while ASmith, the chief executive officer of administration, has access only to the home directory and listed directories. This allows only authorized personnel to change certain aspects, such as read, write and execute permissions, in different departments. If there were no structure, anyone could change the permissions of users and cause problems within the company. For example, if the permissions of ULosesome, the financial accountant, were not limited, they could easily change manufacturing forms, files and information. This could cause manufacturing to lose important information and not get work done due to loss or change of the information.

References:
Dhillon, Gurpreet (2007). Principles of Information Systems Security. John Wiley and Sons, Hoboken, New Jersey.
Stewart, James (2010). Security+ Fast Pass. Laureate Inc., Hoboken, New Jersey.
Strebe, Michael (2004). Network Security Foundations. Sybex Inc., San Francisco, CA.