Chapter 16 begins with a statement of scope: the author will discuss securing a standalone computer, computers and resources on a LAN, and security on a network that uses Active Directory. That's actually a lot, so let's start.
Dr. Andrews points out that securing computers and resources is a necessary activity that includes a paradox. If we secure our devices totally, we will make them painful to use. If we make our devices as easy to use as possible, they will be more vulnerable to attack and misuse. Consider the web interface that allows me to make a reservation for a seat on an airplane. The airline wants to make it easy to use, but they also want to prevent me from accessing the part of their network that would let me reroute aircraft for my own convenience. Security becomes more important the more consequences there are to actual misuse. That is one reason to protect systems with more than one technique, to use layers of protection that attempt to stop a malefactor/attacker by providing multiple kinds of barriers. Using layers of protection is called defense in depth.
Defense typically begins by requiring known users to log in to a system with a user name/ID and a password.
Ever since security on computers has been a thing, we have been advised to use good passwords and not tell anyone what they are. Dr. Andrews gives us an example of a password that meets eight complexity requirements. Complexity level is often set by a system administrator, and it may be different for high level users than for "average" users. Some of her suggestions are good, but the one that needs our attention is the first one: use 16 or more characters, which is the best protection against a password attack. There is nothing magic about the number 16. The longer a password is, the longer it will take a brute force attack, trying all possible characters in all possible combinations, to find it. However, the longer it is, the more a user will come to hate typing it. Try not to make yourself, or anyone else, hate security. It is, of course, more secure to do it, but it is not a good idea.
Unless you have the assistance of a password manager, a program to help manage them, trying to use something that long is beyond most of us. However, a password manager is of little use if you are using a borrowed computer. Pay attention to Dr. Andrews's personal story of using a hotel computer to make a credit card purchase. Entering payment card data on a strange machine can lead to a loss of your passwords and ongoing theft from your accounts.
The lesson moves on to discuss policies. For a more user friendly introduction than the one in the text, I recommend starting with this article on HowToGeek. It tells you that policies are useful for administrators in charge of hundreds of computers, but they can be used to manage individual computers as well. A Group Policy is only available in Active Directory, and only for computers running Professional versions (or higher) of Windows. Dr. Andrews mentions three levels of policies:
There are other reasons to choose a professional version of Windows. Linus explains several of them, like memory capacity and Hypervisor availability.
It is possible to use a third-party program to install a policy manager on the Home version of Windows 10, but Microsoft does not support doing so. If you want to experiment with a higher version of Windows than you might have, do it on a virtual machine so that your own installation stays as it is. If you really want to load the real policy editor on your Windows Home computer, you can follow this link, read the article, and decide what to do.
The chapter continues with setting a password in BIOS/UEFI, setting security options in Internet Explorer (why just that browser?), and encrypting files and folders. The first one can generally be overridden with a jumper on the motherboard, the second can be undone by using another browser, and the third is actually effective in securing data on your hard drive if your computer is not running. If it is running, you have probably already authenticated with the encryption software and the computer is vulnerable to attack.
The next topic is Windows Firewall, which is a software firewall available through the Network and Sharing Center. The settings for it are not extensive, but it is a built-in option that can be set on each Windows machine.
The chapter turns to the more general topic of Access Control, regarding files and folders. Before digging into it, we should understand some vocabulary oddities. First, we can say that there are three major components of an access control system:
There are three categories that a subject may fall under with regard to any particular resource (object):
The ability to access an object (such as a file) and do something with it (such as read it) is a level of permission. Access control can be used to grant such permissions to users and groups, or to remove them. The ability to do a number of things that most users cannot do (as is typically true of administrators) is a privilege level. Someone who has administrator privileges (Administrator account) can do things ordinary users (Standard account) cannot, such as assign permissions to objects.
To make this easier to manage, Windows comes with four default groups that users can be assigned to.
If all of this seems like too much work, and you'd rather use a Homegroup anyway, it's a little too late. Windows 10 build 1803 took away that option. Active Directory is more fun, anyway.
Let's skip ahead to some useful skills. When you are on a network, you will have the ability to share drive space on a server drive with users. For instance, my team at work has access to two network shares, which is the stupid label Microsoft uses for such things. One is for the team's shared space, and the other is for the web server we have used for several years. The URL for our web server points to a false root, the actual space on the server that is allocated for our web pages. Browsers think it is an actual root directory of a hard drive. To use those spaces to store files, the easiest thing to do is to map a network drive. A drive pointer (typically toward the end of the alphabet, like X: or W:) is assigned, and it appears to the user that the space they have been given permissions to is an actual entire hard drive. The exercise that starts on page 916 walks you through doing this on a Windows 10 workstation. It was a bit different on Windows 7. A typical user can do this if they have been told the name of the server, and the name of the folder that an administrator has granted permissions to. It is easy because you can only see the part you have permissions to see.
The video below will walk you through the process, and give you some hints about making your start menu a little better.
The same exercise in the text shows you how to map a network printer, which is a phrase I have not heard in years. It is correct, but most people now say they are going to add a network printer to the PC. Look over this part of the lesson if you have never done it. It is much easier to share a printer if you can plug it directly into a network switch and assign it a permanent (static) IP address on your router/DHCP server. It can then be made available to anyone (or only someone) on your local network by granting permissions. Letting the printer have its own IP address makes it usable without having to have a particular PC turned on.
Next, Dr. Andrews gets down to details about using Active Directory (AD) for user IDs, passwords, permissions, and policies. This is the last section of the chapter, which should rightly be a book by itself. She is taking it easy on you, even if you don't believe that yet.
The video below discusses using AD to manage user accounts. He is a good speaker and he delivers a practical lesson. Note his introduction that tells you about some of his other lessons, which you may find useful and enlightening. Since I am not lecturing to you this week, listen to Eli, and he will give you some useful knowledge.
Chapter 17 resembles an early chapter in a network security class. It begins with a lesson on Physical Security. An attacker who has physical access to a computer may be able to boot it with a flash drive, defeating the controls that are part of the device's intended operating system. (Muttering about the last chapter, razzle frazzle muzzle brooker...) As such, we need to consider physical area controls which are concerned with placing a boundary around some area, whether it is a room, a building, a complex, or a larger site. (Area 51?) A basic concern for any room is a door with a lock, assuming that there are walls that prevent access other than by that door. For a larger area, we might start with a fence and locked or guarded gates.
A good way to keep a secret is to never hint that the secret even exists. Your fence perimeter can follow that logic. Sometimes, the best secret is one no one suspects. Remember, however, that a tall, very secure looking fence can be a map marker to an attacker instead of a deterrent.
Even if there is no fence around the building, use the door locks, and only let a few people into the server room. Within your site, chain or steel cables can be fastened to most system units, but that won't stop an enemy with a bolt cutter, only casual thieves. You would be surprised at the number of computers that have been carried out of buildings by people who looked like they were supposed to be doing that.

Tracking who enters a location and tracking who leaves it are equally important. This is easier in a well run installation, where you use the same protocols to enter and to leave. In most locations, people are in more of a hurry to leave. Keeping video records of people entering and exiting can provide a post-event record if you can live without a live stream of information. Sometimes, the exit of a person is the more important event, as at day care centers, hospitals, and most prisons. Exit points must be watched carefully in such cases. We should watch known exit points, and be watchful for exits that those seeking them may discover. There may be hidden exits from some rooms, buildings, or complexes.
A number of logical controls were mentioned in the last chapter. Logical just means non-physical in this case. Dr. Andrews presents a list that is partly review:
We have already talked about user authentication. Dr. Andrews expands on the topic with two-factor authentication and using security devices to confirm identity. When I use Steam, for example, I have to log in to their system, and I also have to receive and enter a token from them on my cell phone to prove who I am. More extensive authentication systems use dedicated hardware and/or protocols to make the process more secure:
Remote Authentication Dial-In User Service (RADIUS) has some specific and non-intuitive terminology.
Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. A network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. This is a standard part of logging in to an Active Directory network.
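The request, issue, and examine steps described above can be modeled in a few lines. This is an added example, not code from the textbook or from Kerberos itself: it is a simplified model that seals the ticket with an HMAC instead of encrypting it and leaves out session keys, and the service names, key values and function names are assumptions made up for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys (assumption): each service shares one secret with the issuer.
SERVICE_KEYS = {
    "fileserver": b"constructed-demo-key-for-fileserver",
    "printserver": b"constructed-demo-key-for-printserver",
}

def issue_ticket(user, service, lifetime_s=300, now=None):
    """Issuer side: bind user, service and expiry, then seal with the service's key."""
    now = time.time() if now is None else now
    claims = {"user": user, "service": service, "expires": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()

def examine_ticket(ticket, service, now=None):
    """Service side: return the user name if the ticket is acceptable, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = ticket.split(".")
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:
        return None  # malformed ticket
    expected = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # contents altered, or sealed for a different service
    claims = json.loads(body)  # parsed only after the seal has been verified
    if claims["service"] != service or now > claims["expires"]:
        return None  # wrong service named in the ticket, or ticket expired
    return claims["user"]

if __name__ == "__main__":
    t = issue_ticket("alice", "fileserver")
    print("file server accepts:", examine_ticket(t, "fileserver"))
    print("print server accepts:", examine_ticket(t, "printserver"))
```

The service never sees the user's password; it trusts the ticket only because the seal could have been produced by no one but the issuer, and only until the expiry time.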
Terminal Access Controller Access Control System (TACACS+)
TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.
Lightweight Directory Access Protocol (LDAP)
Directory Service is a database service on a network. LDAP is a protocol that is used to access such databases. We can compare LDAP to DAP (its big brother):
Another way to have a more secure environment is to teach the users how to be safer. (Radical idea, I know...) There is a real problem with compliance that has nothing to do with willingness or ability. If an employee knows a policy and has followed it for some time, that employee feels no need to look at the posted policy again just to check for changes. People need someone to tell them when something changes. That's what newscasters and managers are for.
There are two components to this process. We should measure the need for each one against the content of the current policy change or implementation:
Staff should be trained when they are hired or moved to jobs that require special or different knowledge. Creating a computer-based training program, where it is possible to use one, saves time and expense. Such a system can provide training on demand. This is beneficial when you do not know when you will be hiring, or how many people will need a refresher on the material. This is the kind of training material I have my staff prepare for technical staff and for general staff. It becomes available on our web server to anyone in the organization, and it can be updated easily when updates are needed. The text warns us that although computer-based training is less expensive than paying for lost work hours, travel time, and trainer time, it can fail to measure what is actually understood by the student. That is true of classroom training as well, especially when there is no allowance for testing. It is better in either case to have managers measure the performance and understanding of their staff.
Dr. Andrews gives us a long list of virus types and attack methods that are better suited for a longer course. Look at the items on pages 957 and 958, and discuss them on the discussion board for this week. She also gives us several pages on investigating suspected malware and attempting recovery from it. Try to get the general idea here when you complete the assignments for this week.
The final pages of the chapter discuss actions that would belong in any well run organization: