CIS 1110A - Computer Operating Systems and Maintenance


Module 14

This lesson discusses chapters 16 and 17. Objectives important to this lesson:

  1. Securing a Windows computer
  2. Securing files and sharing them on a network
  3. Using security in Active Directory
  4. Using access controls, authentication, and user training
  5. Dealing with malware
  6. Using policies to manage computers in an enterprise
  7. Current assignments

Concepts:

Chapter 16 begins with a statement of scope: the author will discuss securing a standalone computer, computers and resources on a LAN, and security on a network that uses Active Directory. That's actually a lot, so let's start.

Dr. Andrews points out that securing computers and resources is a necessary activity that includes a paradox. If we secure our devices totally, we will make them painful to use. If we make our devices as easy to use as possible, they will be more vulnerable to attack and misuse. Consider the web interface that allows me to make a reservation for a seat on an airplane. The airline wants to make it easy to use, but they also want to prevent me from accessing the part of their network that would let me reroute aircraft for my own convenience. Security becomes more important the more consequences there are to actual misuse. That is one reason to protect systems with more than one technique, to use layers of protection that attempt to stop a malefactor/attacker by providing multiple kinds of barriers. Using layers of protection is called defense in depth.

Defense typically begins by requiring known users to log in to a system with a user name/ID and a password.

  • Providing the user name on a login screen is identification. The user is stating who they are.
  • Providing the current password for that ID is authentication. The offered password is compared to a stored password for the stated ID, which must match for the login process to continue.
  • Assuming that the ID and password combinations are correct, the user is then allowed access to the resources that have been granted to that ID. This is authorization. That word also means the process an administrator uses to grant rights to resources, but in the context of logging in to a system, it means applying those previously established rights to the user's current session on the system/network. In the simplest sense, it means the user is granted access to the folders in the Users section of the Windows file system associated with that ID, but it can mean much more.

Ever since security on computers has been a thing, we have been advised to use good passwords and not tell anyone what they are. Dr. Andrews gives us an example of a password that meets eight complexity requirements. Complexity level is often set by a system administrator, and it may be different for high level users than for "average" users. Some of her suggestions are good, but the one that needs our attention is the first one: use 16 or more characters, which is the best protection against a password attack. There is nothing magic about the number 16. The longer a password is, the longer it will take a brute force attack, trying all possible characters in all possible combinations, to find it. However, the longer it is, the more a user will come to hate typing it. Try not to make yourself, or anyone else, hate security. Using a very long password is, of course, more secure, but making people hate security is not a good idea.


Unless you have the assistance of a password manager, a program to help manage them, trying to use something that long is beyond most of us. However, a password manager is of little use if you are using a borrowed computer. Pay attention to Dr. Andrews' personal story of using a hotel computer to make a credit card purchase. Entering payment card data on a strange machine can lead to a loss of your passwords and ongoing theft from your accounts.

The lesson moves on to discuss policies. For a more user friendly introduction than the one in the text, I recommend starting with this article on HowToGeek. It tells you that policies are useful for administrators in charge of hundreds of computers, but they can be used to manage individual computers as well. A Group Policy is only available in Active Directory, and only for computers running Professional versions (or higher) of Windows. Dr. Andrews mentions three levels of policies:

  • Group Policy - an Active Directory macro that does something to or for computers in a named group
  • Local Group Policy - a policy that can be used to configure Windows for a specific computer
  • Local Security Policy - a policy that can be used to configure Windows for a specific user

There are other reasons to choose a professional version of Windows. Linus explains several of them, like memory capacity and Hypervisor availability.


It is possible to install a third party policy manager on the Home version of Windows 10, but Microsoft does not support doing so. If you want to experiment with a higher version of Windows than you might have, do it on a virtual machine so that your own installation stays as it is. If you really want to load the real policy editor on your Windows Home computer, you can follow this link, read the article, and decide what to do.

The chapter continues with setting a password in BIOS/UEFI, setting security options in Internet Explorer (why just that browser?), and encrypting files and folders. The first one can generally be overridden with a jumper on the motherboard, the second can be undone by using another browser, and the third is actually effective in securing data on your hard drive if your computer is not running. If it is running, you have probably already authenticated with the encryption software and the computer is vulnerable to attack.

The next topic is Windows Firewall, which is a software firewall available through the Network and Sharing Center. The settings for it are not extensive, but it is a built-in option that can be set on each Windows machine.

The chapter turns to the more general topic of Access Control, regarding files and folders. Before digging into it, we should understand some vocabulary oddities. First, an access control system has three major components:

  • Policies - rules that determine whether a subject has access to an object
  • Subjects - A subject may be a user, a network itself, a process running on a computer, or an application that requests access to a resource. It is always an entity that wants permissions to something.
  • Objects - resources that a subject wants to use

There are three categories that a subject may fall under with regard to any particular resource (object):

  • Authorized - those who are known to the system, and are permitted access to the resource
  • Unauthorized - those who are known to the system, but are not permitted access to the resource
  • Unknown - those who are not known to the system; unknown users are typically allowed to authenticate, but not much else

The ability to access an object (such as a file) and do something with it (such as read it), is a level of permission. Access control can be used to grant or remove such permissions, from users and groups. The ability to do a number of things that most users cannot do (as is typically true of administrators) is a privilege level. Someone who has administrator privileges (Administrator account) can do things ordinary users (Standard account) cannot, such as assign permissions to objects.

To make this easier to manage, Windows comes with four default groups that users can be assigned to.

  • Administrators - highest level of privileges
  • Users - standard privileges
  • Guests - small (lowest) number of privileges that typically disappear when the user logs out of the system
  • Power Users - older concept that still exists for legacy systems; grants the user some administrative privileges for defined objects and systems
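The policy/subject/object vocabulary above becomes concrete when you set the ACL on a folder. The following PowerShell is an added example, not from the text: the folder path is an assumption, and it needs an elevated session. It gives Administrators (the privileged group) full control, gives Users (authorized subjects) read-only permission, and leaves Guests with no entry at all, so they are unauthorized by default.

```powershell
# Added example: apply an explicit access control policy to one object (a folder).
# Assumed path; run as an administrator, since only a privileged account may assign permissions.
$Folder = 'C:\Shares\TeamDocs'

function Set-TeamFolderAcl {
    param([string]$Path)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Turn off inheritance and discard the entries inherited from the parent,
    # so the only ACEs on this object are the ones we add below.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    # SYSTEM and Administrators: full control (privilege level, can re-assign permissions).
    foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $admin, 'FullControl', $inherit, $prop, 'Allow')))
    }

    # Users: authorized, but only to read and run what is in the folder.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow')))

    # Guests get no ACE: with inheritance off, no entry means no access.
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccessSummary {
    param([string]$Path)
    # Lists each subject (IdentityReference) and the permission it holds on the object.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Set-TeamFolderAcl -Path $Folder
Get-FolderAccessSummary -Path $Folder | Format-Table -AutoSize
```

Compare the summary before and after running it on a folder of your own to see the inherited entries disappear and the explicit ones take their place.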

If all of this seems like too much work, and you'd rather use a Homegroup anyway, it's a little too late. Windows 10 build 1803 took away that option. Active Directory is more fun, anyway.

Let's skip ahead to some useful skills. When you are on a network, you will have the ability to share drive space on a server drive with users. For instance, my team at work has access to two network shares, which is the stupid label Microsoft uses for such things. One is for the team's shared space, and the other is for the web server we have used for several years. The URL for our web server points to a false root, the actual space on the server that is allocated for our web pages. Browsers think it is an actual root directory of a hard drive. To use those spaces to store files, the easiest thing to do is to map a network drive. A drive pointer (typically toward the end of the alphabet, like X: or W:) is assigned, and it appears to the user that the space they have been given permissions to is an actual entire hard drive. The exercise that starts on page 916 walks you through doing this on a Windows 10 workstation. It was a bit different on Windows 7. A typical user can do this if they have been told the name of the server, and the name of the folder that an administrator has granted permissions to. It is easy because you can only see the part you have permissions to see.
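The mapping exercise described above can also be done from PowerShell. This is an added example, not the exercise from the text: the server and share names are assumptions, and the function checks that the share is reachable (which fails when you have not been granted permissions) before it assigns the drive letter.

```powershell
# Added example: map a drive letter to a network share the way the page-916 exercise does in the GUI.
# FILESERVER01 and TeamDocs are assumed names; replace them with the ones your administrator gave you.
function Connect-TeamShare {
    param(
        [string]$DriveLetter = 'X',
        [string]$UncPath     = '\\FILESERVER01\TeamDocs'
    )

    # A letter already in use (a local disk or another mapping) cannot be reused.
    if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
        Write-Warning "Drive $DriveLetter is already in use; pick another letter."
        return $false
    }

    # If you cannot see the share, either the server/share name is wrong or
    # you were never granted permissions to it. Stop here rather than mapping a dead letter.
    if (-not (Test-Path -Path $UncPath)) {
        Write-Warning "Cannot reach $UncPath; check the server and share names and your permissions."
        return $false
    }

    # -Persist makes the mapping survive logoff, like the "Reconnect at sign-in" box in the GUI.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath -Persist -Scope Global | Out-Null
    return (Test-Path -Path "${DriveLetter}:\")
}

if (Connect-TeamShare) {
    "Mapped; the share now appears as a drive:"
    Get-PSDrive -PSProvider FileSystem | Where-Object DisplayRoot | Select-Object Name, DisplayRoot
}
```

To undo it, `Remove-PSDrive -Name X` removes the mapping without touching anything on the server.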

The video below will walk you through the process, and give you some hints about making your start menu a little better.


The same exercise in the text shows you how to map a network printer, which is a phrase I have not heard in years. It is correct, but most people now say they are going to add a network printer to the PC. Look over this part of the lesson if you have never done it. It is much easier to share a printer if you can plug it directly into a network switch, assign it a permanent (static) IP address on your router/DHCP server, and it can be made available to anyone (or only someone) on your local network by granting permissions. Letting the printer have its own IP address makes it usable without having to have a particular PC turned on.

Next, Dr. Andrews gets down to details about using Active Directory (AD) for user IDs, passwords, permissions, and policies. This is the last section of the chapter, which should rightly be a book by itself. She is taking it easy on you, even if you don't believe that yet.

The video below discusses using AD to manage user accounts. He is a good speaker and he delivers a practical lesson. Note his introduction that tells you about some of his other lessons, which you may find useful and enlightening. Since I am not lecturing to you this week, listen to Eli, and he will give you some useful knowledge.


Chapter 17 resembles an early chapter in a network security class. It begins with a lesson on Physical Security. An attacker who has physical access to a computer may be able to boot it with a flash drive, defeating the controls that are part of the device's intended operating system. (Muttering about the last chapter, razzle frazzle muzzle brooker...) As such, we need to consider physical area controls which are concerned with placing a boundary around some area, whether it is a room, a building, a complex, or a larger site. (Area 51?) A basic concern for any room is a door with a lock, assuming that there are walls that prevent access other than by that door. For a larger area, we might start with a fence and locked or guarded gates.

A good way to keep a secret is to never hint that the secret even exists. Your fence perimeter can follow that logic. Sometimes, the best secret is one no one suspects. Remember, however, that a tall, very secure looking fence can be a map marker to an attacker instead of a deterrent.

Even if there is no fence around the building, use the door locks, and only let a few people into the server room. Within your site, chain or steel cables can be fastened to most system units, but that won't stop an enemy with a bolt cutter, only casual thieves. You would be surprised at the number of computers that have been carried out of buildings by people who looked like they were supposed to be doing that.

Tracking who enters a location and who leaves it are equally important. This is easier in a well run installation, where you use the same protocols to enter and to leave. In most locations, people are in more of a hurry to leave. Keeping video records of people entering and exiting can provide a post-event record if you can live without a live stream of information. Sometimes, the exit of a person is the more important event, at day care centers, hospitals, and most prisons. Exit points must be watched carefully in such cases. We should watch known exit points, and be watchful for exits that those seeking them may discover. There may be hidden exits from some rooms, buildings, or complexes.

A number of logical controls were mentioned in the last chapter. Logical just means non-physical in this case. Dr. Andrews presents a list that is partly review:

  • anti-virus and anti-malware products
  • email filters
  • obtaining software from reputable sources
  • Access Controls (every object has an Access Control List)
  • managed switches whose ports can be protected
  • VPNs
  • mobile device management

We have already talked about user authentication. Dr. Andrews expands on the topic with two factor authentication and using security devices to confirm identity. When I use Steam, for example, I have to log in to their system, and I also have to receive and enter a token from them on my cell phone to prove who I am. More extensive authentication systems use dedicated hardware and/or protocols to make the process more secure:

RADIUS

Remote Authentication Dial-In User Service has some specific and non-intuitive terminology.

  • supplicant - a wireless device requesting to join a WLAN, or a dial-up device requesting to join a LAN
  • authenticator - an access point that accepts or rejects supplicants
  • RADIUS client - an access point that is sending credentials to a RADIUS server
  • RADIUS server - performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.

Kerberos

Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. A network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. This is a standard part of logging in to an Active Directory network.

Terminal Access Controller Access Control System (TACACS+)

TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.

Lightweight Directory Access Protocol (LDAP)

A directory service is a database service on a network. LDAP is a protocol that is used to access such databases. We can compare LDAP to DAP (its big brother):

  • LDAP runs in a TCP/IP environment, DAP requires special software
  • LDAP will run on a PC, DAP typically will not
  • Both are used to access information from X.500 compliant databases
  • LDAP is lighter, simpler, easier to use

Another way to have a more secure environment is to teach the users how to be safer. (Radical idea, I know...) There is a real problem with compliance that has nothing to do with willingness or ability. If an employee knows a policy and has followed it for some time, that employee feels no need to look at the posted policy again just to check for changes. People need someone to tell them when something changes. That's what newscasters and managers are for.

There are two components to this process. We should measure the need for each one against the content of the current policy change or implementation:

  • Awareness - Sometimes, information is enough. If this is a change that requires a modification of current skill that can be explained in a meeting or a document, let managers inform their staff and assess the need to train them.
  • Training - If this is a major change in skill or behavior, impress that on your staff by having a formal training activity to show them what to do. Do not make it overly long or tedious. Make it informative, then send them back to work.

Staff should be trained when they are hired or moved to jobs that require special or different knowledge. Creating a computer based training program, where it is possible to use one, saves time and expense. Such a system can provide training on demand. This is beneficial when you do not know when you will be hiring, or how many people will need a refresher on the material. This is the kind of training material I have my staff prepare for technical staff and for general staff. It becomes available on our web server to anyone in the organization, and it can be updated easily when updates are needed. The text warns us that although computer based training is less expensive than paying for lost work hours, travel time, and trainer time, it can fail to measure what is actually understood by the student. That is true of classroom training as well, especially when there is no allowance for testing. It is better in either case to have managers measure the performance and understanding of their staff.

Dr. Andrews gives us a long list of virus types and attack methods that are better suited for a longer course. Look at the items on pages 957 and 958, and discuss them on the discussion board for this week. She also gives us several pages on investigating suspected malware and attempting recovery from it. Try to get the general idea here when you complete the assignments for this week.

The final pages of the chapter discuss actions that would belong in any well run organization:

  • manage change
  • make policies about data security, licensing, and general security
  • determine what laws apply to your organization and follow them
  • plan for security incidents and have plans to handle them
  • retain data that is needed but destroy that which is not, electronically and physically



Assignments

  1. Read the chapters for next week.
  2. Complete the assignments and class discussion made in this module, which are due by 6pm next week.