Laboratory #3
Lab #3: Apply Hardened User Account Management & Security Controls
Learning Objectives and Outcomes
Upon completing this lab, students will be able to complete the following tasks:
Configure a password policy by editing the /etc/login.defs file and implementing stringent password security measures on a Fedora Linux Server
Enforce a password change every 60 days showing a warning 14 days prior to the password’s expiration across the system for all users
Configure a minimum password length of 8 characters with stringent complexity requirements
Create users and groups with the proper permissions and restrictions to enforce role-based access controls
Create a temporary user account that expires in 90 days to enforce the proper principle of least privilege with contractors and temporary workers/consultants
Required Setup and Tools
This lab does not require the use of the Mock IT Infrastructure - Cisco core backbone network. In addition, the Instructor VM workstation and Student VM workstations should be physically disconnected from the internal network and be isolated on the classroom dedicated layer 2 switch. This will allow for a shared DHCP server to be used to allocate the IP addresses for the instructor and student workstations.
The following is required for this equipment-based lab:
A) A classroom workstation (with at least 2 Gig RAM) capable of supporting the removable hard drive with the VM server farm connected to the classroom layer 2 switch.
B) An instructor workstation (with at least 4 Gig RAM recommended) that shall act as the Instructor’s demo lab workstation. The instructor will display the Instructor workstation on the LCD projector to demo the loading and configuring of the Instructor VM workstation using VMware Player.
C) Students Lab workstations will use their own VM server farm and VM student workstation. VMware Player will be used to run the Student VM and the Target VM.
Instructor Lab Manual
Copyright © 2013 Jones & Bartlett Learning, LLC, an Ascend Learning Company Current Version Date: 10/10/2011
www.jblearning.com
All Rights Reserved. -56-
The following summarizes the setup, configuration, and equipment needed to perform Lab #3:
1. A Virtualized Server Farm with the following components:
a. Microsoft DHCP server for allocating student IP host addresses
b. A Student and/or Instructor VM workstation
c. Fedora Linux Target VM
2. Standard onsite student workstation must have the following software applications loaded to perform this lab:
a. VMware Player 3.x
b. Microsoft Office 2007 or higher for Lab Assessment Questions & Answers
Recommended Procedures
Instructor Demo Lab #3:
This lab is an extension of Lab #1 and Lab #2. Additional security hardening for user accounts and guest accounts will be enabled. The instructor will demonstrate the steps to configure user accounts with a secure password policy. The instructor will also demonstrate how to configure a temporary user account with automatic password expiration in 90 days for 3rd party contractors and temporary workers/consultants.
Equipment-Based Lab #3 – Instructor Steps:
The Instructor will perform the following demonstration using VMware Player:
1. Connect the instructor-removable hard drive to your workstation
2. Boot up the Instructor VM and Microsoft DHCP VM server to allocate an IP host address
3. Enable your DOS command prompt and type “ipconfig” and “ping” your allocated IP host address 172.30.0.__ , the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
4. Connect your instructor workstation to the LCD projector and show the VMware Player library and how to add, remove and copy VMs to and from the library and the local computer
5. Login to the Instructor VM using the following credentials:
Login ID: “instructor” (case sensitive)
Password: “ISS316Security” (case sensitive)
6. From the GNOME Desktop, at the top left side, click on “Applications” -> Systems Tools -> Terminal
Configure Stringent Passwords as Per Policy Requirements
7. Open and edit the /etc/login.defs file to enforce:
a. a password change every 60 days
b. show a warning 14 days prior to the password expiring
c. require a minimum password length of 8 characters.
Type the command: su -c 'vi /etc/login.defs' and press <enter>.
8. Password: ISS316Security
Figure 13 – Opening a file in vi as root user
9. Press the “i” key to enter INSERT mode in the vi editor.
10. Change Password aging controls as shown in figure below:
Figure 14 – Editing /etc/login.defs
11. Save the changes and exit the file. Hit the escape key to exit from insert mode, then hit the “shift” & “:” keys to enter command mode. At the colon prompt in command mode, type wq to exit and save changes.
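Added example (not part of the lab manual): a shell check that a login.defs-style file meets the policy from the step above (60-day maximum, 14-day warning, 8-character minimum) and lists existing accounts in a shadow-format file that still carry older aging values. The function names and the sample files are constructed for illustration; PASS_MIN_LEN is assumed to be the key used for the minimum length.

```shell
#!/bin/sh
# Added example: audit password-aging policy against login.defs and
# shadow-format files. All sample data below is constructed.

# Print the value of KEY from a login.defs-style file (last active line wins;
# commented-out lines never match because their first field starts with '#').
defs_value() {   # defs_value FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print one "KEY=actual (want N)" line per setting that misses the lab policy.
audit_defs() {   # audit_defs FILE
    for pair in PASS_MAX_DAYS:60 PASS_WARN_AGE:14 PASS_MIN_LEN:8; do
        key=${pair%%:*}; want=${pair##*:}
        have=$(defs_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key=${have:-unset} (want $want)"
    done
}

# login.defs only seeds accounts created afterwards. List existing accounts
# whose maximum age (shadow field 5) or warning period (field 6) misses the
# policy. Accounts with a locked or unusable hash (! or *) are skipped.
stale_accounts() {   # stale_accounts SHADOW_FILE
    awk -F: '$2 !~ /^[!*]/ && ($5 != 60 || $6 != 14) { print $1 }' "$1"
}

# --- constructed sample data (not taken from the lab VM) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/login.defs" <<'EOF'
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
cat > "$demo_dir/login.defs.hardened" <<'EOF'
# Password aging controls
PASS_MAX_DAYS   60
PASS_MIN_LEN    8
PASS_WARN_AGE   14
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$constructed$hash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
dbadmin1:$6$constructed$hash:0:0:60:14:::
webadmin1:$6$constructed$hash:15000:0:99999:7:::
EOF

echo "unedited file:";  audit_defs "$demo_dir/login.defs"
echo "hardened file:";  audit_defs "$demo_dir/login.defs.hardened"
echo "existing accounts that still need 'chage -M 60 -W 14 <user>':"
stale_accounts "$demo_dir/shadow"
```

On PAM-based systems the minimum length is enforced by the PAM password-quality module, so PASS_MIN_LEN alone does not guarantee the 8-character rule.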
Create User Account, Login Credential, and Define Groups
12. Create four user accounts for the administrators: two accounts for database administrators, and two accounts for the web administrators. Provide the accounts with the user names: dbadmin1, dbadmin2, webadmin1 & webadmin2. Use the useradd command to create the accounts.
a) Type the command: su -c ' useradd dbadmin1 ' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c ' useradd dbadmin2 ' and press <enter>.
d) Password: ISS316Security
e) Type the command: su -c ' useradd webadmin1' and press <enter>.
f) Password: ISS316Security
g) Type the command: su -c ' useradd webadmin2 ' and press <enter>.
h) Password: ISS316Security
13. Set a password for each of the accounts created: passwd (account names).
Note: If a weak password is chosen, a warning message will appear. However, since the command is run with root privileges the weak password is allowed.
14. Type the command: su -c ' passwd dbadmin1 ' and press <enter>.
15. Password: ISS316Security
16. A prompt will appear for dbadmin1's new password. Enter the password: lab3 and press <enter>.
17. Enter the password lab3 again to confirm. Press enter to complete.
Figure 15 – Adding user account and setting password
18. Force a password change for each user the first time they login.
a) Type the command: su -c ' chage -d 0 dbadmin1' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c ' chage -d 0 dbadmin2' and press <enter>.
d) Password: ISS316Security
e) Type the command: su -c ' chage -d 0 webadmin1' and press <enter>.
f) Password: ISS316Security
g) Type the command: su -c ' chage -d 0 webadmin2' and press <enter>.
h) Password: ISS316Security
Note: After the -d, it should be a zero, not the letter o.
19. Create two group accounts one named dba and another named web.
a) Type the command: su -c ' groupadd dba ' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c ' groupadd web ' and press <enter>.
d) Password: ISS316Security
Figure 16 – Adding groups
20. Add users dbadmin1 and dbadmin2 to the “dba” group.
a) Type the command: su -c 'usermod -G dba dbadmin1' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c 'usermod -G dba dbadmin2' and press <enter>.
d) Password: ISS316Security
21. Add users webadmin1 and webadmin2 to the “web” group.
22. Type the command : su -c ' usermod -G web webadmin1 ' and press <enter>.
23. Password: ISS316Security
24. Type the same command: su -c ' usermod -G web webadmin2 ' and press <enter>.
25. Password: ISS316Security
Add Instructor Account to Wheel Group
26. Add the instructor user account to the “wheel” group.
27. Type the command: su -c 'usermod -G wheel instructor' and press <enter>.
28. Password: ISS316Security
NOTE: The instructor will need to be a member of the wheel group to perform su commands from Labs 3 - 10 and any sudo commands.
Figure 17 – Adding instructor to the wheel group
Create Temporary User Accounts and Set to Automatic Expire in 90 Days
Jane Temp is a contractor assisting in building a Linux online backing infrastructure for only the next 90 days.
29. Create temporary user account name. Type the command: su -c 'useradd jtemp' and press <enter>.
30. Password: ISS316Security
31. Set a password for temporary user. Type the command: su -c 'passwd jtemp' and press <enter>.
32. Password: ISS316Security
33. Ensure the user is forced to change the password upon first login. Type the command: su -c 'chage -d 0 jtemp' and press <enter>.
34. Password: ISS316Security
Note: After the -d is the number zero. It is not the letter o.
Figure 18 – Adding user account for jtemp
35. Set the account to expire in 90 days. Type the command: su -c 'chage -E 2011-12-31 jtemp' and press <enter>. When prompted, enter the password for root (ISS316Security).
Note: Replace the date in the command with a date that is 90 days from the day of the lab. If 2011-12-31 is an older date, the user's account will immediately expire! The date takes the format YYYY-MM-DD. For example, if the desired expiration date is the last day of 2011, the command is entered as shown in figure below.
Figure 19 -- Setting an account to expire after a number of days
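Added example (not part of the lab manual): computing the chage -E date rather than typing it by hand, and showing the failure mode from the note, where a date already in the past leaves the account expired. It assumes GNU date; the function names and the shadow lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the account-expiry date for chage -E and check
# shadow-format data for accounts that are already expired.
# Requires GNU date (-d option). All sample data below is constructed.

# Date DAYS after BASE (YYYY-MM-DD), computed in UTC so DST cannot shift it.
expiry_date() {   # expiry_date DAYS [BASE]   (BASE defaults to today)
    base_s=$(date -u -d "${2:-$(date -u +%F)}" +%s) || return 1
    date -u -d "@$((base_s + $1 * 86400))" +%F
}

# Convert YYYY-MM-DD to days since 1970-01-01, the unit of shadow field 8.
epoch_days() {   # epoch_days DATE
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# List accounts whose expiry (shadow field 8) is on or before DATE.
# An empty field 8 means the account never expires.
expired_on() {   # expired_on SHADOW_FILE DATE
    awk -F: -v today="$(epoch_days "$2")" \
        '$8 != "" && $8 + 0 > 0 && $8 + 0 <= today { print $1 }' "$1"
}

# --- constructed sample: jtemp expires 2011-12-31, dbadmin1 never expires ---
demo_shadow=$(mktemp)
printf '%s\n' \
    "jtemp:\$6\$constructed\$hash:0:0:60:14::$(epoch_days 2011-12-31):" \
    'dbadmin1:$6$constructed$hash:0:0:60:14:::' > "$demo_shadow"

echo "90 days after 2011-10-02: $(expiry_date 90 2011-10-02)"
echo "command for today:        chage -E $(expiry_date 90) jtemp"
echo "expired as of 2011-12-30: $(expired_on "$demo_shadow" 2011-12-30)"
echo "expired as of 2012-01-15: $(expired_on "$demo_shadow" 2012-01-15)"
```

Running chage -l jtemp afterwards shows the stored "Account expires" date, which is a quick way to confirm the value before the contractor's first login.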
Important: Before completing the final task in this lab, the instructor account should be a member of the “wheel” group on the vm as directed in previous steps in this lab. Failure to do so will prevent the instructor user account from using any future 'su -c' or sudo commands on the vm!
Restrict use of su command
36. Open /etc/pam.d/su for editing. Type the command: su -c 'vi /etc/pam.d/su' and press <enter>.
37. Password: ISS316Security
38. Press “i” key to enter INSERT mode.
39. Locate the line: "#auth required pam_wheel.so use_uid".
40. Remove the hash (#) at the beginning of the line. Place the cursor over the # and press the “x” key. #auth required pam_wheel.so use_uid
Figure 20 – Locking down use of the su command
41. Save the changes and exit the file. Press the escape key to exit from INSERT mode, then press the “shift” & “:” keys to enter command mode. At the colon prompt in command mode, type wq to exit and save changes.
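Added example (not part of the lab manual): a pre-flight check for the lockout the "Important" note warns about. It tests whether the pam_wheel line is active in a copy of the su PAM file and whether a given user is listed in wheel in a group-format file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm wheel membership before (and after) enabling
# pam_wheel for su. All sample data below is constructed.

# Succeeds if FILE has an active (uncommented) "auth required pam_wheel.so" line.
wheel_enforced() {   # wheel_enforced PAM_FILE
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Succeeds if USER is listed as a supplementary member of wheel in GROUP_FILE.
in_wheel() {   # in_wheel GROUP_FILE USER
    awk -F: -v u="$2" '$1 == "wheel" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1
    } END { exit !ok }' "$1"
}

# Classify the combination of PAM setting and group membership for USER.
su_status() {   # su_status PAM_FILE GROUP_FILE USER
    if ! wheel_enforced "$1"; then
        echo "open: pam_wheel is not active"
    elif in_wheel "$2" "$3"; then
        echo "ok: $3 is in wheel and may use su"
    else
        echo "lockout: pam_wheel is active but $3 is not in wheel"
    fi
}

# --- constructed sample files (not taken from the lab VM) ---
wheel_demo=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_rootok.so' \
    '#auth required pam_wheel.so use_uid' \
    'auth include system-auth' > "$wheel_demo/su.before"
# Same edit as the step above: drop the leading hash from the pam_wheel line.
sed 's/^#\(auth[[:space:]]*required[[:space:]]*pam_wheel\.so\)/\1/' \
    "$wheel_demo/su.before" > "$wheel_demo/su.after"
printf '%s\n' 'wheel:x:10:root,instructor' \
    'dba:x:1001:dbadmin1,dbadmin2' > "$wheel_demo/group"

su_status "$wheel_demo/su.before" "$wheel_demo/group" instructor
su_status "$wheel_demo/su.after"  "$wheel_demo/group" instructor
su_status "$wheel_demo/su.after"  "$wheel_demo/group" student
```

Note that usermod -G replaces an account's whole supplementary group list, while usermod -aG appends to it, which matters when the account already belongs to other groups.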
Equipment-Based Lab #3 – Student Steps:
Students should perform the following steps:
1. Connect the student-removable hard drive to your workstation
2. Boot up the Student VM and Microsoft DHCP VM server to allocate an IP host address
3. Enable your DOS command prompt and type “ipconfig” and “ping” your allocated IP host address 172.30.0.__ , the DHCP server 172.30.0.10, and the IP default gateway router 172.30.0.1
4. Login to the Student VM using the following credentials:
Login ID: “student” (case sensitive)
Password: “ISS316Security” (case sensitive)
5. From the GNOME Desktop, at the top left side, click on “Applications” -> Systems Tools -> Terminal
Configure Stringent Passwords as Per Policy Requirements
6. Open and edit the /etc/login.defs file to enforce:
a. a password change every 60 days
b. show a warning 14 days prior to the password expiring
c. require a minimum password length of 8 characters.
Type the command: su -c 'vi /etc/login.defs' and press <enter>.
7. Password: ISS316Security
Figure 13 – Opening a file in vi as root user
8. Press the “i” key to enter INSERT mode in the vi editor.
9. Change Password aging controls as shown in figure below:
Figure 14 – Editing /etc/login.defs
10. Save the changes and exit the file. Hit the escape key to exit from insert mode, then hit the “shift” & “:” keys to enter command mode. At the colon prompt in command mode, type wq to exit and save changes.
Create User Account, Login Credential, and Define Groups
11. Create four user accounts for the administrators: two accounts for database administrators, and two accounts for the web administrators. Provide the accounts with the user names: dbadmin1, dbadmin2, webadmin1 & webadmin2. Use the useradd command to create the accounts.
a) Type the command: su -c ' useradd dbadmin1 ' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c ' useradd dbadmin2 ' and press <enter>.
d) Password: ISS316Security
e) Type the command: su -c ' useradd webadmin1' and press <enter>.
f) Password: ISS316Security
g) Type the command: su -c ' useradd webadmin2 ' and press <enter>.
h) Password: ISS316Security
12. Set a password for each of the accounts created: passwd (account names).
Note: If a weak password is chosen, a warning message will appear. However, since the command is run with root privileges the weak password is allowed.
13. Type the command: su -c ' passwd dbadmin1 ' and press <enter>.
14. Password: ISS316Security
15. A prompt will appear for dbadmin1's new password. Enter the password: lab3 and press <enter>.
16. Enter the password lab3 again to confirm. Press enter to complete.
Figure 15 – Adding user account and setting password
17. Force a password change for each user the first time they login.
a) Type the command: su -c ' chage -d 0 dbadmin1' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c ' chage -d 0 dbadmin2' and press <enter>.
d) Password: ISS316Security
e) Type the command: su -c ' chage -d 0 webadmin1' and press <enter>.
f) Password: ISS316Security
g) Type the command: su -c ' chage -d 0 webadmin2' and press <enter>.
h) Password: ISS316Security
Note: After the -d, it should be a zero, not the letter o.
18. Create two group accounts one named dba and another named web.
a) Type the command: su -c ' groupadd dba ' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c ' groupadd web ' and press <enter>.
d) Password: ISS316Security
Figure 16 – Adding groups
19. Add users dbadmin1 and dbadmin2 to the “dba” group.
a) Type the command: su -c 'usermod -G dba dbadmin1' and press <enter>.
b) Password: ISS316Security
c) Type the command: su -c 'usermod -G dba dbadmin2' and press <enter>.
d) Password: ISS316Security
20. Add users webadmin1 and webadmin2 to the “web” group.
21. Type the command : su -c ' usermod -G web webadmin1 ' and press <enter>.
22. Password: ISS316Security
23. Type the same command: su -c ' usermod -G web webadmin2 ' and press <enter>.
24. Password: ISS316Security
Add Student Account to Wheel Group
25. Add the student user account to the “wheel” group.
26. Type the command : su -c ' usermod -G wheel student ' and press <enter>.
27. Password: ISS316Security
NOTE: The student will need to be a member of the wheel group to execute su and sudo commands from Labs 3 - 10.
Figure 17 – Adding student to the wheel group
Create Temporary User Accounts and Set to Automatic Expire in 90 Days
Jane Temp is a contractor assisting in building a Linux online backing infrastructure for only the next 90 days.
28. Create temporary user account name. Type the command: su -c 'useradd jtemp' and press <enter>.
29. Password: ISS316Security
30. Set a password for temporary user. Type the command: su -c 'passwd jtemp' and press <enter>.
31. Password: ISS316Security
32. Ensure the user is forced to change the password upon first login. Type the command: su -c 'chage -d 0 jtemp' and press <enter>.
33. Password: ISS316Security
Note: After the -d is the number zero. It is not the letter o.
Figure 18 – Adding user account for jtemp
34. Set the account to expire in 90 days. Type the command: su -c 'chage -E 2011-12-31 jtemp' and press <enter>. When prompted, enter the password for root (ISS316Security).
Note: Replace the date in the command with a date that is 90 days from the day of the lab. If 2011-12-31 is an older date, the user's account will immediately expire! The date takes the format YYYY-MM-DD. For example, if the desired expiration date is the last day of 2011, the command is entered as shown in figure below.
Figure 19 -- Setting an account to expire after a number of days
Important: Before completing the final task in this lab, the student account should be a member of the “wheel” group as described in Step 14 of this lab (Lab 3). Failure to do so will prevent the student user account from using any future 'su -c' or sudo commands!
Restrict use of su command
35. Open /etc/pam.d/su for editing. Type the command: su -c 'vi /etc/pam.d/su' and press <enter>.
36. Password: ISS316Security
37. Press “i” key to enter INSERT mode.
38. Locate the line: "#auth required pam_wheel.so use_uid".
39. Remove the hash (#) at the beginning of the line. Place the cursor over the # and press the “x” key. #auth required pam_wheel.so use_uid
Figure 20 – Locking down use of the su command
40. Save the changes and exit the file. Press the escape key to exit from INSERT mode, then press the “shift” & “:” keys to enter command mode. At the colon prompt in command mode, type wq to exit and save changes.
Deliverables
Upon completion of Lab #3: Apply Hardened User Account Management & Security Controls, the students are required to provide the following deliverables:
1. Lab #3 - Students are to submit screenshots of the following files:
a. Output of the /etc/login.defs file
b. Output of the “groups” command
c. Output of the newly modified /etc/pam.d/su file
2. Lab #3 – Lab Assessment Questions & Answers
Evaluation Criteria and Rubrics
The following are the evaluation criteria and rubrics for Lab #3 that the students must perform:
Was the student able to configure a password policy by editing the /etc/login.defs file and
implementing stringent password security measures on a Fedora Linux Server? – [20%]
Was the student able to enforce a password change every 60 days showing a warning 14 days prior to the password’s expiration across the system for all users? – [20%]
Was the student able to configure a minimum password length of 8 characters with stringent
complexity requirements? – [20%]
Was the student able to create the users and groups with the proper permissions and restrictions to enforce role-based access controls? – [20%]
Was the student able to create a temporary user account that expires in 90 days to enforce proper principle of least privilege with contractors and temporary workers/consultants? – [20%]
Lab #3 – Assessment Worksheet
Apply Hardened User Account Management & Security Controls
Course Name & Number: ______________________________________________________________
Student Name: _______________________________________________________________________
Instructor Name: _____________________________________________________________________
Lab Due Date: _______________________________________________________________________
Overview
This lab is an extension of the previous equipment-based labs and incorporates security hardening for user accounts, password policies, and creation of temporary user accounts with automatic account and password deletion. In this lab, students will be required to implement and configure security hardening on the Fedora Linux Server. They will use the steps to configure user accounts with a secure password policy definition. Finally, they will also apply stringent password policies for temporary user accounts whose login credentials and passwords will expire in 90 days.
Lab Assessment Questions & Answers
1. What is the significance of creating Groups and adding Users to Groups? Explain.
To assign role-based access permissions and assign the proper access to Groups as opposed to managing permissions on individual user accounts.
2. Given a scenario where there are five (5) database administrators that may periodically need access to a given system. Discuss a concept to better manage these administrators' access permissions.
Create a group and add the DBAs to the group. Then give the necessary permissions to the group.
3. The new web administrator's account has been set up and a password provided. What is the process to force a password change upon first login?
Use the chage -d 0 <username> command
4. What is the purpose of the “su” command? Explain its significance.
The su command in Linux stands for “set user” and can be used to run commands as a different user other than that which you are logged in as at the time. It is typically used to impersonate the super user so that privileged commands can be run without logging completely out of the system and back in as the desired user.
5. Restricting the use of the 'su' command can be configured using what mechanism?
The Pluggable Authentication Module (PAM), specifically, the “su” module
6. What is the purpose of the login.defs file? Explain the contents and configuration options?
The login.defs file is used to define the configuration associated with logins into the local Linux system.
7. What is the PASS_MIN_DAYS setting? Why would it be a good idea to set the PASS_MIN_DAYS setting?
It shows the minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected.
8. What is the PASS_MAX_DAYS setting? Why would it be a good idea to set the PASS_MAX_DAYS setting?
It shows the maximum number of days allowed between password changes. Logins attempted after this will be rejected.
9. Will changes to the commands /etc/login.defs settings (PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE) take effect to existing accounts?
Any changes to these settings will not affect the existing accounts.
10. Describe the password and account settings you would configure if you were told that there were a few contractors that needed accounts on the Linux system for the next 14 days.
The Pluggable Authentication