Is3230 Lab 6 Assessment Worksheet

Submitted By ma1akai37
Lab 6 Assessment Worksheet

1. What are the available password policy options that could be enforced to improve security in a group policy object?
   * Enforce password history, Maximum password age, Minimum password age, Minimum password length, and Passwords must meet complexity requirements

2. How would you set security permission and user access rights on a home computer using Windows XP Professional or similar that is not a member of the domain?
   * When a Windows PC is not a member of the domain, the ONLY user accounts it will trust are those it finds in its local security database.

3. Why is the use of the different password policy options available and why is it important to implement complexity and length requirements?
   * A password policy sets certain standards for passwords, such as the password complexity and the rules for changing passwords. A password policy minimizes the inherent risk of using passwords by ensuring that they meet adequate complexity standards to thwart brute force attacks and they are changed frequently enough to mitigate the risk of someone revealing or discovering a password.

4. Microsoft defines user rights in two types of categories: logon rights and privileges. Explain the difference of the two from an access control perspective?
   * Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system-wide resources on a computer and can override the permissions that are set on particular objects.

5. Name at least 5 Logon Rights and 5 Privileges available in Microsoft GPOs?
   * Logon Rights
     * Access this computer from the network
     * Allow logon through Terminal Services
     * Log on as a batch job
     * Log on locally
     * Log on as a service
   * Privileges
     * Act as part of the operating system
     * Add workstations to domain
     * Adjust memory quotas for a process
     * Back up files and directories
     * Bypass traverse checking

6. Which privileges in a GPO can override permissions set on an object?
   * A user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right--in this case, the right to perform a backup--takes precedence over all file and directory permissions.

7. What are the benefits of User Rights Assignments in your own words used as security controls and deployed across a domain of servers and workstations?
   * Rights for special accounts, Prevention of users getting into mischief, and Specialist rights for one-off situations.

8. Explain why you would have to create a service account for applications and assign them elevated privileges with a GPO. Present a well thought out argument as to the danger, from the security perspective, in creating service accounts for applications and what can be done to mitigate the risk?
   * General users are only granted elevated privileges for clearly established purposes that are approved in advance. Users requiring specialized above core software must have it approved through the HQ Triage 3 Software Approval Process in advance of installation. Changes to baseline system configurations must also be approved in advance of implementation as part of the elevated privileges request. Systems administrators and software developers are expected to maintain system configurations within the Agency or locally established baselines. Development of system and application changes and the baselining of new software and applications are expected to occur in development environments and/or the software engineering facilities.

9. Provide at least 3 examples of either Rights or Privileges typically required by a service account in the User Rights Assignments section of a GPO?
   * Access This Computer from Network
   * Back Up Files and Directories
   * Access This Computer from Network

10. Provide an explanation of why restricting access based on time zones or international users helps organizations achieve C-I-A as required by the Senate Chairs Group Policy Object definition? Assume Senate Chairs Group provides 24 x 7 x 365 customer service support in different time zones.
    * Networks often require access restrictions based on time. The system administrator may not want a particular service to be accessed on weekends, or a traveling user may need access to a filesystem when he/she is working in another time zone.
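An added example, not part of the original worksheet: a short Python audit of a security template in the layout written by `secedit /export`, covering the five password policy options from question 1, the logon right versus privilege split from questions 4 and 5, and the permission-overriding privilege from question 6. The sample template, the `svc_app` account, the baseline thresholds and the two extra overriding privileges beyond Back up files and directories are assumptions made for illustration.

```python
import configparser

# Constructed sample in the layout produced by `secedit /export /cfg <file>`.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeServiceLogonRight = svc_app
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,svc_app
SeChangeNotifyPrivilege = *S-1-1-0
"""

# Hypothetical baseline (an assumption, not taken from the worksheet).
BASELINE = {
    "PasswordHistorySize": lambda v: v >= 12,       # Enforce password history
    "MaximumPasswordAge": lambda v: 1 <= v <= 90,   # Maximum password age (days)
    "MinimumPasswordAge": lambda v: v >= 1,         # Minimum password age (days)
    "MinimumPasswordLength": lambda v: v >= 12,     # Minimum password length
    "PasswordComplexity": lambda v: v == 1,         # Complexity requirements
}

# Privileges that let the holder bypass object permissions (file ACLs).
OVERRIDES_ACLS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}


def audit(inf_text):
    """Return (weak password settings, logon rights, privileges, ACL-overriding grants)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original case of setting and right names
    cp.read_string(inf_text)
    access = cp["System Access"]
    weak = [name for name, ok in BASELINE.items() if not ok(int(access.get(name, "0")))]
    logon_rights, privileges = {}, {}
    for right, holders in cp["Privilege Rights"].items():
        # Logon rights are named Se...LogonRight; everything else is a privilege.
        bucket = logon_rights if right.endswith("LogonRight") else privileges
        bucket[right] = [h.strip() for h in holders.split(",")]
    overriding = {r: h for r, h in privileges.items() if r in OVERRIDES_ACLS}
    return weak, logon_rights, privileges, overriding


if __name__ == "__main__":
    for part in audit(SAMPLE_INF):
        print(part)
```

In the sample, the service account holds SeBackupPrivilege, so it can read files regardless of their permissions; that grant is the kind a review of service-account rights should surface.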
