CIS 333 Security

Week 3

1. What are the three fundamental elements of an effective access control solution for information systems?

Authorization, Identification, and authentication

2. What two access controls can be setup for Windows Server 2003 folders and authentication?

Authorization and access control. http://technet.microsoft.com/en-us/library/cc782880(v=ws.10).aspx 3. If you can browse a file on a Windows network share, but are not able to copy it or modify it, what type of access controls and permissions are probably configured? What type of access control would best describe this access control situation?

List folder contents permissions http://technet.microsoft.com/en-us/library/bb727008.aspx This falls under security policy based control

4. What is the mechanism on a Windows server where you can administer granular policies and permissions on a Windows network using role-based access?

Group policy editor. http://technet.microsoft.com/en-us/library/bb726984.aspx 5. What is two-factor authentication, and why is it an effective access control technique?

Two of the three knowledge(password, pin number, etc), ownership (mobile phone, email address, etc) or characteristics (fingerprint, biometric) authentication and gives the user the ability to identify themselves through at least two points of information. This helps the user in the event that one of the pieces of information is lost or forgotten.

6. Relate how Windows Server 2008 R2 Active Directory and the configuration of access controls achieve CIA for departmental LANs, departmental folders, and data.

Confidentiality - Maintains access across multiple systems with control over access at a central point. Reducing the number of systems that need an independent user/password combo reduces the chance that any one of them might be discovered.

Integrity - permissions are maintained in a central location and can be used for blanket permissions through groups or at a granular level.

Availability - A central point of permissions provides easier maintenance not only in making systems available to a system user, but also to remove permissions quickly should a user need to be removed from the system.

7. Is it a good practice to include the account or user name in the password? Why or why not?

Brute force attacks are going to start with the most statistically predictable combinations first. Using a person’s name in the password is something that is predictable and thus used first.

8. Can a user who is defined in the Active Directory access a shared drive if that user is not part of the domain?

Machines that are not part of the domain can not access shared folders.

9. Does Windows Server 2003 require a user’s logon/password credentials prior to access shared drives?

Since shared drives can be governed by permissions, yes, you must log in first.

10. When granting access to LAN systems for guests (i.e. auditors, consultants, third-party individuals, etc.), what security controls do you recommend be implemented to maximize CIA of production systems and data?

Read only.