Lab #3: Implementing Access Controls
Purpose: To develop and verify system administration procedures which implement access controls for a Windows 8.1 system.
Objectives
1. Develop system administration procedures to manage account policies for a Windows 8.1 system
2. Develop system administration procedures to manage local user accounts and local user groups in a Windows 8.1 system
3. Develop system administration procedures to manage a "drop-box" using discretionary access controls for resources in a Windows 8.1 system
Overview
Access controls are an important part of identity & authorization management business processes. There are three primary types of access controls which are used for desktop computing: mandatory access controls, discretionary access controls, and role-based access controls.
• Mandatory access controls are built into and managed by the operating system. The two types of Windows user accounts, administrator and standard user, are examples of mandatory access controls.
• Discretionary access controls are provided by operating system components (e.g. the file system) and can be managed by system administrators and resource owners.
• Role-based access controls can be implemented under Windows 8 using the "user group" discretionary access control. Each "role" is assigned to a specific user group (one and only one "role" per group).
For this lab, you will write and test step-by-step procedures which can be used to implement access controls using local user accounts, i.e. accounts which only exist on the local workstation or laptop. You will not create or manage domain accounts. Your step-by-step system administration procedures will be used to perform the following tasks:
• Manage local user account policies (including implementing policy-based password restrictions)
• Create and manage local user accounts (both standard user and administrators)
• Create and manage local groups (to implement role-based access controls)
• Create and manage a "drop-box" folder (using group membership and resource permissions to implement role-based access controls)
Your procedures should use the following tools:
• Group Policy Management Console (GPMC)
• PC Settings
• User Accounts (access from Control Panel)
• Windows File Explorer
Deliverables
(a) Step-by-Step Local Computer Account Policies Management System Administration Procedure
(b) Step-by-Step Local User Accounts & Groups Management System Administration Procedure
(c) Step-by-Step Drop-Box Management System Administration Procedure
Submit your deliverables in a SINGLE FILE in MS Word format (.docx or .doc file types) using the corresponding assignment folder entry (in LEO). (Use the Deliverable Template file from Course Resources > Sample Files > CSIA 310 Lab Deliverable Template.docx.) Every deliverable must use the format shown below. (Replace [Section Name] with the heading for the section, e.g. Local Computer Account Policies).
Title:
Operating Environment:
1. Hardware
2. Software
Description:
Notes, Warnings, & Restrictions:
Resources (Further Reading):
1.
2.
3.
Procedures:
[Section Name]
Brief Introduction Paragraph
1.
2.
3.
[Section Name]
Brief Introduction Paragraph
1.
2.
3.
Instructions
Part (a): Managing Local Computer Account Policies
1. Investigate the use of Group Policy Management Console (access using icon on Desktop or via Microsoft Management Console). This tool is used to manage account policies for the local workstation. The group of settings that must be managed are found under: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\
2. Identify appropriate sources of information (e.g. Windows Help, Microsoft Technet, etc.) for instructions for setting account policies for Windows 8/8.1. Using those sources, research the procedures required to perform the following tasks:
a. Set or change Password Policy (enumerate the individual settings in your procedure, e.g. minimum password age)
b. Set or change Account Lockout Policy (enumerate the individual settings in your procedure)
3. Develop a step-by-step systems administration procedure to manage the local account policies for passwords and account lockout.
4. Test your draft procedures using the virtual machine provided in the online lab environment or using a locally installed Virtual Machine (VM) running Microsoft Windows 8.1 Professional. As you run your tests, collect screen snapshots to illustrate key steps in your procedures.
Part (b): Managing Local User Accounts and Local Groups
1. Investigate the use of the Windows 8.1 PC Settings tool (PC Settings > Accounts > Other Accounts) to create and manage local user accounts
2. Investigate the use of the Windows 8.1 User Accounts tool (Control Panel > Administrative Tools > User Accounts) to create and manage local user accounts
3. Identify appropriate sources of information about both tools (e.g. Windows Help, Microsoft Technet, etc.) with particular focus upon the steps required to create and manage local User Accounts for Windows 8/8.1.
4. Develop step-by-step procedures to create and manage local user accounts using the Accounts menu in the PC Settings tool (Access from the Windows Start Screen). Your procedures should accomplish the following:
a. Create a standard local user account (do not use Microsoft Account for sign-in)
b. Change account type (add or remove administrator access)
5. Develop step-by-step procedures which use the Control Panel User Accounts tool to perform the following tasks:
a. Create a standard account (for a local user)
b. Create an administrator account (privileged access for a local user)
c. Modify a local user account
i. Change Password
ii. Change Account Type (add or remove administrator access)
iii. Change Account Settings (disable, must-change password, etc.)
d. Delete a local user account
e. Turn On/Off "Guest" account
Later in this lab, you will need several local user test accounts. The required accounts are:
a. Instructor01
b. TA01
c. Student01
d. Student02
You may wish to use these accounts as your examples for creating and managing Local User Accounts. (Instructor01 can be your administrator account for step #5.)
6. Investigate the use of the lusrmgr.exe utility to create and manage local Groups. This tool can be accessed via Control Panel > User Accounts (switch to the Advanced tab then click on the Advanced button).
7. Identify appropriate sources of information (e.g. Windows Help, Microsoft Technet, etc.) for instructions for implementing local groups under Windows 8/8.1. Using those sources, research the procedures required to perform the following tasks:
a. Create user groups which correspond to roles within an organization (e.g. instructors, students, managers, employees)
b. Assign individual user accounts to one or more groups.
8. Develop a systems administration procedure for Group Management which can be used to perform the following tasks:
a. Create the following roles using named groups
i. Instructors
ii. Teaching Assistants (TA)
iii. CSIA310_Students
b. Assign a role to one or more users
i. Assign users to a group during group creation
ii. Assign a user to an existing group
c. Remove a role from a user (delete user account from group)
d. Use the following usernames and groups for your examples. (Create the users if you have not done so previously.)
Username        Assigned to Group
Instructor01    Instructors
TA01            Teaching Assistants (TA)
Student01       CSIA310_Students
Student02       CSIA310_Students
9. Test your draft procedures using the virtual machine provided in the online lab environment or using a locally installed Virtual Machine (VM) running Microsoft Windows 8.1 Professional. As you run your tests, collect screen snapshots to illustrate key steps in your procedures.
10. Incorporate your screen snapshots for key steps into the draft procedures. Each snapshot should be placed UNDER (after) the step to which it applies. Captions are not required.
11. Make any additional changes required to address issues found during testing of the step-by-step procedures.
Part (c): Creating & Managing a Drop-Box - An Example of Discretionary Access Controls
1. A drop-box is a folder which is write-only for some users (e.g. students) and read-only for other users (e.g. graders). Under Windows 8/8.1, one method for accomplishing this goal is to define user groups corresponding to roles and then assign / restrict access to resources for specific groups. The figure below shows an example of permission settings for a drop-box that has three assigned roles: instructors, teaching assistants (TA), and students (CSIA310_Students). The instructor role is granted full access. This means that the instructor can grant access, remove access, take ownership, etc. The TA role has limited permissions which only permit the user to read files submitted to the drop-box. The permissions granted to the CSIA310_Students role are even more limited: creating and writing files.
2. Now that you have an idea of what a drop-box is and how it works, investigate the use of Windows Explorer to implement a drop-box. Begin by researching how to set advanced "sharing" and/or "access" permissions (discretionary access controls) under Windows 8/8.1. For this lab, you should focus on the capabilities provided via the right-click menu (for a folder):
a. Right click on folder > Properties > Security tab > Edit
b. Right click on folder > Properties > Security tab > Advanced Settings
3. Investigate the view function for permissions. From the "Advanced Security Settings" pop-up, click on one of the "principals" and then click View. Switch between the "basic permissions" and "advanced permissions" views.
4. Next, you should explore how to view (list) effective access for a specific local user account. This will be needed to verify that you have permissions set appropriately and that permissions granted to other groups do not interfere with permissions you wish to set for your "role" groups.
5. Identify appropriate additional sources of information (e.g. Windows Help, Microsoft Technet, etc.) for instructions for configuring resource permissions under Windows 8/8.1.
6. Develop a systems administration procedure for Windows Update to accomplish the following:
a. Create a folder named Assignments
b. Change the owner of Assignments (use "Instructor01" as your example)
c. Remove access for all groups except Administrators and Owners (use check effective access to verify).
d. Give a named group "Full Control" (use the "Instructors" group as your example)
e. Give a named group "Read & Execute" access (use the "TA" group as your example)
f. Give a named group "Write" access (use the "CSIA310_Students" group)
g. Verify effective access for each of the named groups
7. Test your draft procedures using the virtual machine provided in the online lab environment or using a locally installed Virtual Machine (VM) running Microsoft Windows 8.1 Professional. As you run your tests, collect screen snapshots to illustrate key steps in your procedures.
8. Incorporate your screen snapshots for key steps into the draft procedures. Each snapshot should be placed UNDER (after) the step to which it applies. Captions are not required.
9. Make any additional changes required to address issues found during testing of the step-by-step procedures.
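A scripted cross-check for the drop-box permissions in Part (c), step 6. This is an added example, not part of the lab handout, and it does not replace the File Explorer procedure the lab asks for. It assumes an elevated PowerShell session, that Instructor01 and the three role groups from Part (b) already exist (with the TA group created under the name "Teaching Assistants (TA)"), and that C:\Assignments is a hypothetical location for the folder.

```powershell
# Added example: scripted equivalent of Part (c) step 6; not part of the lab handout.
# Assumptions: elevated session; Instructor01 and the Part (b) groups exist;
# C:\Assignments is a hypothetical path chosen for illustration.
$path = 'C:\Assignments'
New-Item -ItemType Directory -Path $path -Force | Out-Null          # step 6a

# Steps 6c-6f: build a fresh DACL that holds only the entries listed below.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, discard inherited ACEs

$grants = [ordered]@{
    'BUILTIN\Administrators'   = 'FullControl'      # 6c: kept from the defaults
    'Instructors'              = 'FullControl'      # 6d
    'Teaching Assistants (TA)' = 'ReadAndExecute'   # 6e
    'CSIA310_Students'         = 'Write'            # 6f
}
foreach ($entry in $grants.GetEnumerator()) {
    # Each ACE applies to the folder and is inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Key, $entry.Value, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
# Writes only the access-control section; the owner is handled separately below.
[System.IO.Directory]::SetAccessControl($path, $acl)

# Step 6b: hand ownership of the folder to Instructor01.
& icacls.exe $path /setowner Instructor01 | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "icacls /setowner failed with exit code $LASTEXITCODE"
}

# Step 6g (partial): show the owner and the stored ACEs. This lists what is in the
# DACL; the Effective Access tab is still the check for a specific account.
$result = Get-Acl -Path $path
"Owner: $($result.Owner)"
$result.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

In the listing, the TA and student entries appear as "ReadAndExecute, Synchronize" and "Write, Synchronize" because .NET adds Synchronize to every Allow rule. IsInherited should be False on all four entries.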
Finalize Your Procedures
1. Using the grading rubric as a guide, refine your step-by-step procedures. Your final products should be suitable for inclusion in an organization's Systems Administrator's Handbook. Remember that you are preparing multiple separate procedures.
2. As appropriate, cite your sources using footnotes or another appropriate citation style.
3. Use the resources section to provide information about recommended readings and any sources that you cite. Use a standard bibliographic format (you may wish to use APA since this is required in other CSIA courses). Information about sources and recommended readings, including in-text citations, should be formatted consistently and professionally.
4. At a minimum, each systems administration or system management procedure document must include the following sections:
a. Title
b. Operating Environment
c. Description
d. Notes, Warnings, & Restrictions
e. Resources (format as Bibliography or Reference list)
f. Procedures
Additional Requirements for this Lab
1. Your step-by-step procedures should tell the reader where to find and how to launch the systems administration tools or applications used to change security configuration settings.
2. You must address each required configuration change separately and include enough detail that your reader will understand how to perform the required steps to implement each change.
3. Use screen snapshots to cue the reader to important steps or provide information required to complete check points for proper completion of a step or set of steps (e.g. including a snapshot which shows the "after" state for a group of security settings).
4. Make sure that your snapshots will enhance the reader's understanding of the procedure and required configuration changes. Too many snapshots or illustrations can make a procedure difficult to use.
5. All snapshots must be created by you for this lab using screen captures showing how you personally performed (tested) the systems administration procedure as written by you. You may not copy and paste images from help pages, manuals, or the Internet.
6. Images (screen snapshots) should be cropped and sized appropriately.
7. A screen snapshot belonging to a specific procedure step does not require a caption.
8. Your procedures must be submitted to Turn It In for originality checking. You are encouraged to consult existing configuration instructions, guidance, and procedures for both content and format. Your work must be substantially your own, however, which means you should paraphrase whenever possible. Credit the sources of information used via footnotes and in your "Resources" section.
9. Make sure that the sources you cite or recommend (additional reading) are authoritative and are the best ones available.
10. Your Operating Environment section should identify the hardware, operating system, and/or software applications to which the procedure applies. For this lab, your procedures will apply to:
a. Hardware: Laptop or Desktop Computers
b. Operating System: Windows 8.1 Professional
11. The Notes, Warnings, & Restrictions section should include important information that is not found elsewhere in the procedures document. For example, this section could include information about alternatives to the selected security configuration settings. Or, this section could include information about related security procedures or policies. This section should also include important information about harm or risk that could occur if the procedure is not correctly followed or implemented. If there are no such warnings then this section should so state.