Week Five – Group Project
Active Directory
Jeannie Johnson, Brian D. Harvey
Information Security Techniques II (CMIS - 4103 - 1)
January 4, 2013
Professor Farhan Siddiqui
ACTIVE DIRECTORY
In this week's assignment, we are tasked with "diagramming how we would set up a domain called
fictionaldomain.com within Windows Active Directory. We are to choose how to organize the
domain with the following: 1) Departments: manufacturing, administration, legal, IT, and
finance. 2) Each department will be in its own subnet, though some departments need to
communicate with the others. We were to determine which departments need to communicate
with other departments" (Walden, 2013).
The second part of this assignment is to “create several fictional users within each unit with
specific titles, such as CEO in administration, system administrator in IT, attorney in legal,
assembly line worker in manufacturing, etc. Include at least 10 different total users from among
all five departments. We are also to identify who will have what type of access. For instance,
there may be some users who will have access to everything, whereas other users will have
access to just Accounts Payable, etc.” (Walden, 2013)
For the purpose of this scenario the domain controller will be set up with the information
provided in the tables below. It is assumed that this server is configured with RAID 5 and runs
Windows Small Business Server (SBS), so the domain controller and the file shares described
here live on the same machine.
DOMAIN
The domain shall be fictionaldomain.com.
ORGANIZATIONAL UNIT
The Organizational Units (OU) will be the following:

Group                 | Organizational Unit | Distinguished Name
Accounting (Finance)  | ACCT                | OU=ACCT,DC=fictionaldomain,DC=com
Manufacturing         | MANU                | OU=MANU,DC=fictionaldomain,DC=com
Administration        | ADMIN               | OU=ADMIN,DC=fictionaldomain,DC=com
Legal                 | LEGL                | OU=LEGL,DC=fictionaldomain,DC=com
IT                    | IT                  | OU=IT,DC=fictionaldomain,DC=com

An OU is a container inside the domain's directory, not a DNS subdomain, so it is identified by
its LDAP distinguished name rather than by a host name such as ACCT.fictionaldomain.com; no
DNS zone or child domain is needed for the departments.
SHARES and MAPPINGS

Department folders (one per department plus the home directory share):

Folder               | Drive Mapping | Path
USERS                | U:            | \USERS$\%USERNAME%
LEGAL                | L:            | \LEGAL
IT                   | I:            | \IT
ACCOUNTING           | P:            | \ACCOUNTING
ADMINISTRATION       | Q:            | \ADMINISTRATION
Manufacturing / CAD  | R:            | \MANUFACTURING

Shared folders (used for access from other departments):

Shared Folder  | Drive Mapping | Path
Finance        | Z:            | \Accounting\ACCT_Access
Legal          | Y:            | \Legal\LEGAL_Access
Manufacturing  | X:            | \MANUFACTURING\CAD
IT             | W:            | \IT\PUBLIC
FORMS          | F:            | \Forms
LEGAL SHARED   | V:            | \Legal\Legal_Shared
USER ACCOUNTS

User Account | Department | Role / Title | Access Type | Access to Directories
ASmith | Administration | Chief Executive Officer (CEO) | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; Y: \Legal\LEGAL_Access; Z: \Accounting\ACCT_Access; X: \MANUFACTURING\CAD; W: \IT\PUBLIC; Q: \Administration; F: \Forms; V: \Legal\Legal_Shared
JJones | IT | System Administrator | Full access to all directories | Root of C: and all subdirectories; U: \USERS$\%USERNAME%
LStevens | Legal | Attorney | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; L: \Legal; Y: \Legal\LEGAL_Access; W: \IT\PUBLIC; F: \Forms; V: \Legal\Legal_Shared
RLewis | Manufacturing | Plant Foreman | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; X: \MANUFACTURING\CAD; R: \MANUFACTURING; W: \IT\PUBLIC; F: \Forms
KRichards | Finance | Accountant | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; P: \Accounting; Z: \Accounting\ACCT_Access; W: \IT\PUBLIC; F: \Forms; V: \Legal\Legal_Shared
ZZTop | Legal | Lead Attorney | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; L: \Legal; Y: \Legal\LEGAL_Access; W: \IT\PUBLIC; F: \Forms; V: \Legal\Legal_Shared
LSkynrd | Manufacturing | Production Line Associate | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; X: \MANUFACTURING\CAD; R: \MANUFACTURING; W: \IT\PUBLIC; F: \Forms
BLieve | Administration | Chief Financial Officer (CFO) | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; Y: \Legal\LEGAL_Access; Z: \Accounting\ACCT_Access; X: \MANUFACTURING\CAD; W: \IT\PUBLIC; Q: \Administration; P: \Accounting; F: \Forms; V: \Legal\Legal_Shared
UWinsome | IT | Engineer | Full access to all directories | Root of C: and all subdirectories; U: \USERS$\%USERNAME%
ULosesome | Finance | Accountant | Limited to home directory and listed directories | U: \USERS$\%USERNAME%; P: \Accounting; Z: \Accounting\ACCT_Access; W: \IT\PUBLIC; F: \Forms; V: \Legal\Legal_Shared

Drive letters follow the Shares and Mappings tables above (L: is the \Legal department folder,
Y: is the \Legal\LEGAL_Access shared folder). The two IT accounts are granted the root of C: on
the server; in practice that level of access belongs to a separate administrative account that is
used only for administration, not to the account the same person uses for e-mail and browsing,
so that a phished or compromised daily account does not carry full rights to the file server.
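The OU layout and the user accounts in the tables above can be created with the ActiveDirectory
PowerShell module. The script below is an added example written for this page, not part of the
original paper, and it follows the practice of granting file rights to one security group per
folder rather than to individual users. It assumes (none of this is in the paper) that it runs as a
domain administrator on a domain controller or a host with RSAT, that the domain's distinguished
name is DC=fictionaldomain,DC=com, and that the Groups OU, the ACL_* group names and the FS_Admins
group (standing in for the "full access to all directories" row) are this example's naming.

```powershell
# Added example, not part of the original paper: builds the OU layout and the
# ten user accounts above with the ActiveDirectory module, and puts each user
# in one security group per share so file permissions are granted to groups.
# Assumptions (not in the paper): run as a Domain Admin on a DC or an RSAT host;
# the domain DN is DC=fictionaldomain,DC=com; the 'Groups' OU, the ACL_* group
# names and the FS_Admins group are this example's naming, not the paper's.
Import-Module ActiveDirectory

$DomainDN  = 'DC=fictionaldomain,DC=com'
$UpnSuffix = 'fictionaldomain.com'

# Department -> OU name, from the paper's Organizational Unit table.
$OUs = @{ Finance = 'ACCT'; Manufacturing = 'MANU'; Administration = 'ADMIN'; Legal = 'LEGL'; IT = 'IT' }

# One domain-local security group per folder/share in the Shares and Mappings tables.
$ResourceGroups = 'ACL_Legal', 'ACL_Legal_Access', 'ACL_Legal_Shared', 'ACL_IT_Public',
                  'ACL_Accounting', 'ACL_Accounting_Access', 'ACL_Administration',
                  'ACL_Manufacturing', 'ACL_Manufacturing_CAD', 'ACL_Forms', 'FS_Admins'

# Users from the User Accounts table; Groups mirrors the "Access to Directories"
# column (the U: home folder is created per user, so it needs no group).
$Users = @(
  @{ Sam = 'ASmith';    Dept = 'Administration'; Title = 'Chief Executive Officer';  Groups = 'ACL_Legal_Access', 'ACL_Accounting_Access', 'ACL_Manufacturing_CAD', 'ACL_IT_Public', 'ACL_Administration', 'ACL_Forms', 'ACL_Legal_Shared' }
  @{ Sam = 'BLieve';    Dept = 'Administration'; Title = 'Chief Financial Officer';  Groups = 'ACL_Legal_Access', 'ACL_Accounting_Access', 'ACL_Manufacturing_CAD', 'ACL_IT_Public', 'ACL_Administration', 'ACL_Accounting', 'ACL_Forms', 'ACL_Legal_Shared' }
  @{ Sam = 'JJones';    Dept = 'IT';             Title = 'System Administrator';     Groups = 'FS_Admins' }
  @{ Sam = 'UWinsome';  Dept = 'IT';             Title = 'Engineer';                 Groups = 'FS_Admins' }
  @{ Sam = 'LStevens';  Dept = 'Legal';          Title = 'Attorney';                 Groups = 'ACL_Legal', 'ACL_Legal_Access', 'ACL_IT_Public', 'ACL_Forms', 'ACL_Legal_Shared' }
  @{ Sam = 'ZZTop';     Dept = 'Legal';          Title = 'Lead Attorney';            Groups = 'ACL_Legal', 'ACL_Legal_Access', 'ACL_IT_Public', 'ACL_Forms', 'ACL_Legal_Shared' }
  @{ Sam = 'RLewis';    Dept = 'Manufacturing';  Title = 'Plant Foreman';            Groups = 'ACL_Manufacturing_CAD', 'ACL_Manufacturing', 'ACL_IT_Public', 'ACL_Forms' }
  @{ Sam = 'LSkynrd';   Dept = 'Manufacturing';  Title = 'Production Line Associate';Groups = 'ACL_Manufacturing_CAD', 'ACL_Manufacturing', 'ACL_IT_Public', 'ACL_Forms' }
  @{ Sam = 'KRichards'; Dept = 'Finance';        Title = 'Accountant';               Groups = 'ACL_Accounting', 'ACL_Accounting_Access', 'ACL_IT_Public', 'ACL_Forms', 'ACL_Legal_Shared' }
  @{ Sam = 'ULosesome'; Dept = 'Finance';        Title = 'Accountant';               Groups = 'ACL_Accounting', 'ACL_Accounting_Access', 'ACL_IT_Public', 'ACL_Forms', 'ACL_Legal_Shared' }
)

# Random initial password from the OS CSPRNG; the user must change it at first
# logon, so it is never written down or reused across accounts.
function New-InitialPassword {
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Department OUs plus one OU for the resource groups.
foreach ($name in @($OUs.Values) + 'Groups') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $DomainDN)) {
        New-ADOrganizationalUnit -Name $name -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Domain-local security groups, one per resource; users are added directly.
foreach ($g in $ResourceGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path "OU=Groups,$DomainDN"
    }
}

# 3. Users, each placed in its department's OU and added to its resource groups.
foreach ($u in $Users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Name $u.Sam -SamAccountName $u.Sam `
                   -UserPrincipalName "$($u.Sam)@$UpnSuffix" `
                   -Title $u.Title -Department $u.Dept `
                   -Path "OU=$($OUs[$u.Dept]),$DomainDN" `
                   -AccountPassword (New-InitialPassword) `
                   -ChangePasswordAtLogon $true -Enabled $true
    }
    foreach ($g in $u.Groups) { Add-ADGroupMember -Identity $g -Members $u.Sam }
}

# Review step: who ends up with rights on the finance share?
Get-ADGroupMember -Identity 'ACL_Accounting_Access' | Select-Object SamAccountName
```

Because the rights are attached to groups, giving a new accountant the same access as KRichards
is a single Add-ADGroupMember call, and the last line is the audit question the design should be
able to answer quickly: which accounts can reach the finance data.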
SUBNETS and IP RANGES

Group          | Subnet Mask      | Prefix | Usable Hosts | IP Range (one non-overlapping allocation within 192.168.1.0/24)
IT             | 255.255.255.252  | /30    | 2            | 192.168.1.121 - 192.168.1.122 (network .120, broadcast .123)
Finance        | 255.255.255.248  | /29    | 6            | 192.168.1.113 - 192.168.1.118 (network .112, broadcast .119)
Administration | 255.255.255.240  | /28    | 14           | 192.168.1.97 - 192.168.1.110 (network .96, broadcast .111)
Legal          | 255.255.255.224  | /27    | 30           | 192.168.1.65 - 192.168.1.94 (network .64, broadcast .95)
Manufacturing  | 255.255.255.192  | /26    | 62           | 192.168.1.1 - 192.168.1.62 (network .0, broadcast .63)

Each mask sizes the department's block to its head count (2, 6, 14, 30 and 62 usable
addresses), but the blocks must not overlap: five subnets cannot all begin at 192.168.1.1. The
allocation above places the largest block first so that every subnet starts on a multiple of its
own size, which a router requires. Note also that a /30 leaves IT only two usable addresses,
enough for the two IT workstations but not for the domain controller or the file server; the
servers need their own subnet, or the IT block needs to be larger.
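The arithmetic behind that table is worth automating, since the overlapping ranges are exactly the
kind of mistake that is easy to make by hand. The script below is an added example written for this
page, not part of the original paper: it converts each mask in the table to a prefix length,
allocates the blocks inside 192.168.1.0/24 largest-first so that none overlap and each starts on
an aligned boundary, refuses an allocation that does not fit, and then answers which department a
given address belongs to. The base network, the largest-first order and the function names are this
example's choices; only the masks come from the paper.

```powershell
# Added example, not from the original paper: takes the masks from the table
# above, allocates each department a block inside 192.168.1.0/24 largest-first
# so that no two ranges overlap, and checks the result. The base network and
# the largest-first order are this example's choices; the masks are the paper's.
function ConvertTo-PrefixLength ([string] $Mask) {
    $bits = -join (([ipaddress] $Mask).GetAddressBytes() |
                   ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    # A valid mask is a run of ones followed by a run of zeros, nothing else.
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous mask: $Mask" }
    return ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

function ConvertTo-IPNumber ([string] $Ip) {
    $b = ([ipaddress] $Ip).GetAddressBytes()
    return ([long] $b[0] * 16777216) + ([long] $b[1] * 65536) + ([long] $b[2] * 256) + [long] $b[3]
}

function ConvertTo-IPString ([long] $N) {
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255),
                                (($N -shr 8) -band 255), ($N -band 255)
}

function New-SubnetPlan ([string] $BaseNetwork, [int] $BasePrefix, [hashtable[]] $Departments) {
    $start = ConvertTo-IPNumber $BaseNetwork
    $limit = $start + [long] [math]::Pow(2, 32 - $BasePrefix)
    $next  = $start
    # Largest block first: from an aligned start, every following block then
    # begins on a multiple of its own size, which is what a router requires.
    foreach ($d in ($Departments | Sort-Object { ConvertTo-PrefixLength $_.Mask })) {
        $prefix = ConvertTo-PrefixLength $d.Mask
        $size   = [long] [math]::Pow(2, 32 - $prefix)
        if ($next + $size -gt $limit) { throw "$($d.Name) does not fit in $BaseNetwork/$BasePrefix" }
        [pscustomobject] @{
            Department = $d.Name
            Subnet     = "$(ConvertTo-IPString $next)/$prefix"
            Mask       = $d.Mask
            FirstHost  = ConvertTo-IPString ($next + 1)
            LastHost   = ConvertTo-IPString ($next + $size - 2)
            Broadcast  = ConvertTo-IPString ($next + $size - 1)
            Usable     = $size - 2
        }
        $next += $size
    }
}

# Which subnet does a given host fall in?  Compares the address against each
# block's [network, network + size) interval.
function Find-Subnet ([string] $Ip, [object[]] $Plan) {
    $n = ConvertTo-IPNumber $Ip
    foreach ($p in $Plan) {
        $net, $prefix = $p.Subnet -split '/'
        $base = ConvertTo-IPNumber $net
        $size = [long] [math]::Pow(2, 32 - [int] $prefix)
        if ($n -ge $base -and $n -lt $base + $size) { return $p.Department }
    }
    return $null
}

# Masks as given in the paper's table.
$Departments = @(
    @{ Name = 'IT';             Mask = '255.255.255.252' }
    @{ Name = 'Finance';        Mask = '255.255.255.248' }
    @{ Name = 'Administration'; Mask = '255.255.255.240' }
    @{ Name = 'Legal';          Mask = '255.255.255.224' }
    @{ Name = 'Manufacturing';  Mask = '255.255.255.192' }
)

$Plan = New-SubnetPlan -BaseNetwork '192.168.1.0' -BasePrefix 24 -Departments $Departments
$Plan | Format-Table -AutoSize
Find-Subnet -Ip '192.168.1.113' -Plan $Plan    # Finance
Find-Subnet -Ip '192.168.1.200' -Plan $Plan    # $null: outside every department block
```

The plan leaves 192.168.1.124 through 192.168.1.255 unallocated, which is where a server subnet
for the domain controller and file server would go; the same function allocates it if a sixth
entry is added.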
ORGANIZATIONAL CHART

fictionaldomain.com
    Finance OU: ULosesome, KRichards
    IT OU: UWinsome, JJones
    Administration OU: BLieve, ASmith
    Manufacturing OU: LSkynrd, RLewis
    Legal OU: LStevens, ZZTop
There are five departments in this organization. The first is the finance department, whose
subnet mask is 255.255.255.248. The accountants in finance, ULosesome and KRichards, both need
to be able to communicate with the legal and IT departments. The IT department's subnet mask is
255.255.255.252. The IT engineer, UWinsome, and the IT system administrator, JJones, need to be
able to communicate with all departments. The next department is Administration, with a subnet
mask of 255.255.255.240. The CEO, ASmith, and the CFO, BLieve, both need to be able to
communicate with all departments except for accounting.
The other two departments are manufacturing and legal. The manufacturing department's subnet
mask is 255.255.255.192. LSkynrd, a production line associate, needs to be able to communicate
with the head of the manufacturing department and with the IT department. RLewis, the plant
foreman, needs to be able to communicate within the manufacturing department and with the IT
department. The legal department's subnet mask is 255.255.255.224. ZZTop, the lead attorney,
and LStevens, an attorney, need to be able to communicate with all departments.
This structure ensures that only properly authenticated users and computers can log on to the
domain and that each resource is available only to authorized users. The domain controller
confirms the identity of any user trying to log on and then allows access only to the areas
determined by the rights assigned to that user. When a user tries to open an object, the system
compares the security identifiers (SIDs) in the user's access token (the user's own SID and the
SIDs of the groups the user belongs to) against the object's discretionary access control list
(DACL) to determine whether the user has permission to access the object and, if so, what type
of access (read, write, modify, full control) is allowed. For example, UWinsome, the IT
engineer, has full access to all department directories, while ASmith, the chief executive
officer, has access only to the home directory and the directories listed for that account.
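The access check just described can be seen directly on the file server. The script below is an
added example written for this page, not part of the original paper: it creates the folders and
shares from the Shares and Mappings tables, replaces each folder's inherited NTFS rights with rights
granted to one group per folder (so that, for instance, members of the legal department group do
not automatically see \Legal\LEGAL_Access), creates the per-user home folders under the hidden
USERS$ share, and then reads a DACL back in two forms: with names resolved, and as the SDDL string
in which the entries are stored as SIDs. It assumes (this example's choices, not the paper's) that
the server is a domain member, that D:\Shares is the root, that the NetBIOS domain name is
FICTIONALDOMAIN, and that the ACL_* and FS_Admins groups already exist.

```powershell
# Added example, not part of the original paper: creates the department folders
# and shares from the Shares and Mappings tables, grants NTFS rights to one
# group per folder, creates per-user home folders under USERS$, and reads a
# DACL back to show the SIDs the access check compares against the user's token.
# Assumptions (this example's, not the paper's): the server is a domain member,
# D:\Shares is the root, the NetBIOS domain name is FICTIONALDOMAIN, and the
# ACL_* and FS_Admins groups already exist in the domain.
Import-Module SmbShare
$Root   = 'D:\Shares'
$Domain = 'FICTIONALDOMAIN'

# Folder -> share name and the group that gets Modify. Paths follow the Path
# column of the paper's tables; share and group names are this example's.
$Shares = @(
    @{ Name = 'LEGAL';          Path = 'Legal';                  Modify = 'ACL_Legal' }
    @{ Name = 'LEGAL_Access';   Path = 'Legal\LEGAL_Access';     Modify = 'ACL_Legal_Access' }
    @{ Name = 'Legal_Shared';   Path = 'Legal\Legal_Shared';     Modify = 'ACL_Legal_Shared' }
    @{ Name = 'IT';             Path = 'IT';                     Modify = 'FS_Admins' }
    @{ Name = 'PUBLIC';         Path = 'IT\PUBLIC';              Modify = 'ACL_IT_Public' }
    @{ Name = 'ACCOUNTING';     Path = 'Accounting';             Modify = 'ACL_Accounting' }
    @{ Name = 'ACCT_Access';    Path = 'Accounting\ACCT_Access'; Modify = 'ACL_Accounting_Access' }
    @{ Name = 'ADMINISTRATION'; Path = 'Administration';         Modify = 'ACL_Administration' }
    @{ Name = 'MANUFACTURING';  Path = 'Manufacturing';          Modify = 'ACL_Manufacturing' }
    @{ Name = 'CAD';            Path = 'Manufacturing\CAD';      Modify = 'ACL_Manufacturing_CAD' }
    @{ Name = 'Forms';          Path = 'Forms';                  Modify = 'ACL_Forms' }
)

function New-Ace ([string] $Identity, [string] $Rights) {
    # Inherits to sub-folders and files; Allow entries only, so there are no
    # Deny entries whose ordering has to be reasoned about later.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

function Set-FolderRights ([string] $Path, [string] $ModifyIdentity) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited entries, so a
    # nested folder such as Legal\LEGAL_Access is not readable by all of ACL_Legal.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-Ace "$Domain\FS_Admins" 'FullControl'))
    $acl.AddAccessRule((New-Ace "$Domain\$ModifyIdentity" 'Modify'))
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($s in $Shares) {
    $full = Join-Path $Root $s.Path
    New-Item -ItemType Directory -Path $full -Force | Out-Null
    Set-FolderRights -Path $full -ModifyIdentity $s.Modify
    if (-not (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue)) {
        # Share-level permission is left broad; the NTFS DACL is what gates access.
        New-SmbShare -Name $s.Name -Path $full -ChangeAccess 'Authenticated Users' | Out-Null
    }
}

# Home folders: hidden USERS$ share, one sub-folder per user that only that user
# (plus SYSTEM and FS_Admins) can modify.
$Users = 'ASmith', 'BLieve', 'JJones', 'UWinsome', 'LStevens', 'ZZTop', 'RLewis', 'LSkynrd', 'KRichards', 'ULosesome'
$HomeRoot = Join-Path $Root 'Users'
New-Item -ItemType Directory -Path $HomeRoot -Force | Out-Null
if (-not (Get-SmbShare -Name 'USERS$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'USERS$' -Path $HomeRoot -ChangeAccess 'Authenticated Users' | Out-Null
}
foreach ($u in $Users) {
    $home = Join-Path $HomeRoot $u
    New-Item -ItemType Directory -Path $home -Force | Out-Null
    Set-FolderRights -Path $home -ModifyIdentity $u
}

# The access check described above compares the SIDs in the caller's token with
# the SIDs stored in the DACL. Get-Acl shows the entries with names resolved;
# the SDDL string shows them as they are stored.
$acl = Get-Acl -Path (Join-Path $Root 'Accounting\ACCT_Access')
$acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited
$acl.Sddl
# Resolve one group to the SID that appears in that SDDL string.
([System.Security.Principal.NTAccount] "$Domain\ACL_Accounting_Access").Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
```

The drive letters from the mapping tables are then assigned per user with Group Policy Preferences
(User Configuration, Preferences, Windows Settings, Drive Maps), with each mapping targeted at the
matching ACL_* group, so a user only ever sees letters for shares the DACL will actually let them
open.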
This allows only authorized personnel to change the permissions (read, write and execute) that
apply in the different departments. Without this structure anyone could change user permissions
and cause problems within the company. For example, if the permissions of ULosesome, the
accountant, were not limited, that user could easily change manufacturing forms, files and
information, and manufacturing could lose important information or be unable to get work done
because the information was lost or altered.