We would like to extend our sincere appreciation to all our parents and loved ones
for their undying support in the completion of this thesis, our instructors for the
knowledge that they have imparted to us, and our colleagues in school who in some way
influenced us to carry out this thesis project. Also, thank you to our alma mater, ACLC
NTT-4c Group Four would like to show our honest gratitude and thanks to
Albany, How2Pass.com and other websites for the study guides and references being
And most of all, to our almighty GOD, who deserves all the credit, thanks and praise.
II Abstract
As we went about our daily school life, we noticed how important
computer networks are, especially in the field of information technology. It can greatly affect
work automation or make it sluggish. So it is necessary that people give
importance to its security. Data and information are under constant attack by all means possible
through known and developing technology. Every organization that uses network for
student and instructors comprise their own data inside the school network. But data being
processed within the network is being compromised because of security lapses. There is no storage
facility for important files for either students or instructors. Security is in breach the
manifestation.
damage, or hazard. Enabling the network to prevent and detect unauthorized use of any
computer and its resources within it. Security involves concepts, management and
based on organizational needs. Concepts are the “authentication” created and given to a
user. This involves the creation of a username and password for individual clients.
Firewalls can filter which services network users are allowed to access.
An Intrusion Prevention System (IPS) can detect and prevent malicious and
unwanted software. An IPS also monitors network traffic for suspicious contents, volume
and anomalies to protect the network from attacks such as denial of service. Management,
on the other hand, is the maintenance of software and hardware to prevent malicious
attacks from hacking and spamming. This is the installation of antivirus software that can
The final outcome of this research is a security evaluation on network drives and
client computers within a school local area network that is practical enough to be used in
real applications with acceptable results, without having to be an expert in the security
arena. The concept is based on the Microsoft Windows 2000 Server operating system and
DeepFreeze software, which are available and existing on the subject for experimentation.
It is built upon concepts drawn from computer information technology professional and
CHAPTER 1 INTRODUCTION
1.1 BACKGROUND
This written hypothesis is concerned with security evaluation for network drives and
client computers in a school local area network. The school (AMA Computer Learning
Center Mabalacat Branch) in focus for this study has an existing network for each
computer laboratory. The school has a total of three networked computer laboratories. Each
workgroup. Students are restricted from using external removable storage such as flash drives
and memory sticks to prevent infection from unwanted software. Every laboratory session,
students are monitored by a laboratory facilitator. After finishing the machine problem
on each workstation, students are instructed “not” to shut down their computer
unless their work has been checked. This is because there is no available storage location
for them to save their files. There is no network media storage to transfer and store
important data. Another reason is that each computer is in “freeze mode.” Each
computer returns to the state it was in when it was frozen upon restart or shut down. No
files of any sort can be saved because it erases everything, and what is left is only the components
present before the computer was frozen. Although freezing has been proven effective to prevent
infection and intrusion, malicious and unwanted software is still present
on each network. As for the instructors respectably, manual encoding of files for both
Like the students, files cannot be saved but instead they use external removable
storage to safekeep their files from both corruption and deletion from the
computers being used in school. The same situation applies to all school admin personnel:
they can save files to a standalone computer at the Admin Office, but it is mandatory for them
to save an external memory backup of all data processed in school. Data and files are
1.2 PROBLEM STATEMENT
Laboratory Facilitators, security is still at risk when it comes to data storage and
computer usage. There are no restrictions on network usage. There are no user policies
that can denote different user rights, making everyone a user with administrative power.
Malicious code and programs are spread throughout the entire network due to lack of
antivirus and constant plug-in of removable storage and other external devices without
proper supervision. Computer operating services components are all accessible without
any permission or restriction. Though each workstation has been “frozen” to retain its
state and to prevent virus infection, malicious and other threat causing software are still
prevent further damage that may result in data loss and computer hardware malfunction.
Files and folders that are being made have no storage location. There is no existing
media storage to save important school documents, student files, instructors’ class records,
etc. And if a file can be saved on a computer, there is no assurance that the data is secured or
that the file location is well secured. Although a server is currently being utilized within the
laboratory, it has not been used for network domain purposes but instead a standalone
1.3 OBJECTIVE
GENERAL OBJECTIVE
The main objective of this project is to evaluate the needs of a network in terms of
its workstations and network drive security, to formulate a security concept for both
network drive and workstation, and to apply these concepts to examine their
effectiveness. The insights gained from the project would form a set of guidelines for
designing secure workstations and storage locations. This project was chosen to address the
SPECIFIC OBJECTIVE
domain.
2.) Secure network drives from unwanted and over flooding of data.
3.) To create different user profiles based on individual school personnel data.
5.) Secure the server and client with the use of antivirus software.
6.) Secure member workstations with the use of existing software and services that
1.4 ASSUMPTIONS
The proposed project will greatly improve security for individual workstation and
1.) User profiles were created based on names, year and section, position and
designation.
2.) It is irritating and time consuming every time you want to use a computer you
3.) The proposed project is the best solution for secured data storage and
workstation usage.
1.6 SCOPE AND DELIMITATIONS
In general, the focus of this study is directed towards the evaluation and
development of a secured network drive and workstation. About three small to medium
sized computer laboratories are in existence, each networked separately. There is
a single computer installed with Windows 2000 Server but it is only a standalone
computer used for experimentation. Every workstation is already equipped and installed with
security software named “DeepFreeze.” The study is largely dependent on the following:
• DeepFreeze software
• Network drive
• Workstation security
• File system
In this proposed project, records and files are stored in a secured network drive
located on an existing Windows 2000 Server computer. User accounts will be created in
the server’s “Active Directory Users and Computers”. Each user will have the ability to
log on with a unique level of permissions and restrictions to local computers connected to
the server. However, the proponents are limited only to a local area network. No internet
access. No firewalls are involved. Although Windows 2000 Server software was used in this
study, only a basic understanding was applied due to the broadness that it might offer to
the topic. Aside from DeepFreeze software and Windows 2000 Server, which are already
available and being used in school, a free version of Avast Antivirus software for both
server and client was installed. No other software aside from that mentioned previously
was involved in the course of this study. The system has a secure log-in for students,
instructors and school staff. The study made for this project has been narrowed down
1.7 SIGNIFICANCE OF THE STUDY
Social: In this study, the proposed project will inspire students to develop more
Student: The proposed project will give each student a place where they can store their
Instructors: The proposed project will give automation in checking student laboratory
work by logging in on any workstation and accessing a single storage location. Aside
from that, each will be authenticated access to given folders within a network drive for
file storage.
School Admin Personnel: The proposed project will minimize network management in
the sense that only the Server will be the focus for administration and maintenance to
retain data integrity. Another is that a drive will be assigned for school administrative
Researchers: The researchers have developed their writing, analysis, and interpretation
Future Researchers: This will benefit other researchers who wish to have similar studies
as they can get background information from the result of this study which will serve as
CHAPTER 2 REVIEW OF RELATED LITERATURE
This section presents both foreign and local related literature relevant to the
study. This relevance is shown by the proponents in order to give more reason and
Brian Floyd (member of IEEE, SCTE), PDF script “Changing the Face Of
Network Security Threat”:
The author of this PDF script states that threats within networks almost occur
daily and that a particular network managed by an administrator must have any sort of
countermeasure
Chad Perrin’s article post "10 services to turn off in MS Windows XP" on Tech
Republic website:
The author of the article states that as long as Microsoft Windows has been a
network capable operating system, it has come with quite a few services turned on by
default, and it is a good idea for the security conscious user of Microsoft’s flagship
This will enhance workstation security by disabling unwanted services within existing
This section presents other related studies by the people who conducted studies
similar to the proponents that will also greatly help in the progress of the study. And it
will also help the understanding of the proposition. This written manuscript was made in
reflection of some thesis paper and literary documents made by some IT professionals
like:
Chitturi of “University of Utah, Department of Computer Science” last April and June
of 1998.
5. “Evaluation of Security Risk Associated with Network Information System” by Baino
The definitions of terms are based on observable characteristics and how it is used
in the study.
automated devices used within a particular organization like in school, office and small
business establishment.
Partition. A division created within a system hard disk to separate files and to
Format. Process of reinstalling operating software or erasing data for hard drive
and storages.
hazard.
Quota. Disk space being allocated for every user on a shared drive or storage
location.
Policy. These are the rights, permissions and privileges given to each user on a
domain network.
Services. These are the system programs that run upon start-up of a given
operating system.
Operating system. The main program/software that enables a device to run, thing
This chapter consists of theories that have bearing on the problem, the
conceptual framework and the operational framework. This study focuses on three major
concepts: research, testing and implementation. Research is done in this study to see and
discover more, but simple, ways of securing a local area network. The complexity of
network security is so broad that in-depth research is needed to fully understand each
concept. Testing is a way of initiating some methods and concepts that may have
importance to a study. This enables researchers to know the effectiveness of methods and
concepts. Lastly, implementation is the deployment of tested concepts for practical use.
CHAPTER 3 METHODOLOGY
problems and objectives posed at the beginning of the study will be answered through a
descriptive research design. The design will focus on describing the experimental and
application procedure as well as their perceptions towards having a secured network drive
and workstation for a school local area network. A causal approach will be used to
identify the factors that affect the users' demand for a secured connection between
This study was conducted mostly inside the school that is the focus of
experimentation. The documentation and data gathering for this manuscript was made
from March 7 to March 19 of the year 2009 due to major revision of the first study made
by our group.
Data was mainly gathered through the use of internet and books pertaining to
Network Security. Then it was narrowed down to the subject involving network drive and
workstation security within a given local area network. Data was also collected upon
testing of manuscript and guides for actual application to know the result needed for this
study.
3.4 DATA GATHERING TOOLS
These are the instruments or tools for gathering data in research used as basis for
observations, research and analysis used by the proponents as they conduct the proposed
study.
Observation. This technique is used when the researcher cannot secure adequate or
valid data through the use of the questionnaire or some other technique. It is
considered to be the most direct means of studying people in so far as their overt
gathering tool seeing the system in action gives you additional perspective and better
Analysis. Analysis is the process of breaking-up the whole study into its constituent
parts of the categories according to the specific questions under the statement of the
problem. This is to bring out into focus the essential feature of the study.
3.5 ANALYTICAL PROCEDURE/METHODS OF ANALYSIS
At this point, the work of this proposed project will be tested to its fullest ability.
This is the part where the researcher must be able to determine and explain the methods
that will be used throughout the entire project. Applying security concepts and methods is
a tedious task not only for the network administrators but also for the simple laboratory
facilitators, because they will decide on the type, scope and level of security applied
in a network. At this juncture, the methods used in creating the security concept must be
explained and defined. The following are some security concepts that are essential for
Analysis. It can be considered the most difficult phase because in this phase
manuals, materials or information must first be examined thoroughly before applying them for
testing or experimentation.
implementing security, time, accuracy and focus is very essential because of broadness of
each aspect in network security. You need enough space and time to design a security
Testing. At this stage or phase, proposed project will be given to a panel of critics
and end-users for testing. In this way, the researchers can determine the response of the
Implementation. The objective of the implementation phase is to deliver a
completely functioning and documented information system. This is the phase wherein
manage based on the concepts and strategies being gone through intensive examination.
CHAPTER 4 PRESENTATION AND INTERPRETATION OF
DATA
This chapter presents the data gathering of the study, interpretation of the results
from the conducted research, testing and analysis of security concept used for this
proposed project. Topics and subjects being presented in this chapter were based on
existing manuscripts and guides already available on the World Wide Web. Selecting
based on the scope of this project was crucial because of the complexity of every aspect
in network security.
First and foremost, assessing what is to be secured must be done before
implementing any security methods. Another thing is identifying the objects,
scope and requirements under a given network for security. The school has three
which all workstations are interconnected without any internet connection. The plan is to
interconnect the three existing computer laboratories (each laboratory has a local area
network) through a common domain with the use of Windows 2000 Server as its domain
controller. Basic domain controller security will be applied, but the main focus is securing
the network drive being created within the server. Workstation security will also be given
importance.
4.2 NETWORK DRIVE
external, which can be seen physically connected to a file server or even directly to a
network switch, or can be internal, which is mostly created within a server. For this project,
we created an internal network drive within the server’s hard disk by partitioning it into
a number of separate logical disks. This is done mainly to separate system files from user
files, preventing any infection (such as viruses, Trojans, worms, malware, etc.) from spreading from one disk
to the other. If a LAN has no available network drive for file and folder storage, and the
server being used for a domain has large and ample disk space, drive partitioning can be
done on the server. Create the necessary partitions based on the following:
2. Number of groups
As for our subject, AMA Computer Learning Center Laboratory, it consists of the following:
1. Server disk space has a total of 160 GB of memory space, 20.50 GB used for the
of Lost space.
2. Groups are identified into three categories; Students, Instructors, and School
Admin.
3. Three logical disk drives will be needed; one for the Student, one for the
• Students – 61.5 GB
• Instructors – 20.5 GB
At a basic level, file system security begins by choosing the appropriate file
system. Windows 2000 includes three different file systems: NTFS, FAT32, and FAT. The
NTFS file system is the recommended file system because of its advantages in reliability
The FAT and FAT32 file systems are similar to each other, except that FAT32 is
designed for larger disks than FAT. NTFS has always been a more powerful file system
than FAT or FAT32. Windows 2000 Server has a new version of NTFS that includes
• Permissions that you can set on individual files rather than just on folders.
• Active Directory, which you can use to view and control network resources easily.
• Domains, which are part of Active Directory, and which you can use to fine-tune
NTFS.
• Recovery logging of disk activities, which helps you restore information quickly
• Disk quotas, which you can use to monitor and control the amount of disk space
• Better scalability to large drives. The maximum drive size for NTFS is much
greater than that for FAT, and as drive sizes increase, performance with NTFS
If you are currently using the FAT file system, you can use the Convert utility that
is included with Windows 2000 to convert to NTFS. And once it is converted to NTFS,
you can use the file and folder permissions to secure data. Windows 2000 gives you
comprehensive control over each file and folder on your hard disk. You can also use
Encrypting File System (EFS) technology, which is a security technology that enables
individual users to encrypt files so that the files cannot be read by others. (Microsoft
Disk quotas track and control disk space usage for volumes. System administrators
• Prevent further disk space use and log an event when a user exceeds a specified
• Log an event when a user exceeds a specified disk space warning level.
When you enable disk quotas, you can set two values: the disk quota limit and the
disk quota warning level. The limit specifies the amount of disk space a user is
allowed to use. The warning level specifies the point at which a user is nearing his or
her quota limit. For example, you can set a user's disk quota limit to 50 megabytes
(MB), and the disk quota warning level to 45 MB. In this case, the user can store no
more than 50 MB of files on the volume. If the user stores more than 45 MB of files
on the volume, you can have the disk quota system log a system event.
For instructions on setting disk quota values, see “To assign default quota values.”
You can specify that users can exceed their quota limit. Enabling quotas and not limiting
disk space use are useful when you do not want to deny users access to a volume, but
want to track disk space use on a per-user basis. You can also specify whether or not to
log an event when users exceed either their quota warning level or their quota limit.
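The quota limit, warning level, deny option and event-logging options described above can be traced with a small model. This is an added example, not code from the thesis or from Microsoft; the class, the user names and the in-memory event list are hypothetical stand-ins for the volume's quota settings and the system event log.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class QuotaVolume:
    """Toy model of one quota-enabled volume (all names are hypothetical)."""
    limit: int                      # disk quota limit, in bytes
    warning: int                    # disk quota warning level, in bytes
    deny_over_limit: bool = True    # refuse writes that would exceed the limit
    log_over_limit: bool = True     # log an event when the limit is exceeded
    log_over_warning: bool = True   # log an event when the warning level is exceeded
    usage: dict = field(default_factory=dict)    # user -> bytes charged
    events: list = field(default_factory=list)   # stand-in for the event log

    def __post_init__(self):
        if not 0 < self.warning <= self.limit:
            raise ValueError("warning level must be positive and not above the limit")

    def write(self, user, size):
        """Charge `size` bytes to `user`; return False when the write is refused."""
        if size < 0:
            raise ValueError("size must not be negative")
        before = self.usage.get(user, 0)
        after = before + size
        if after > self.limit:
            # Logged on each refused attempt (enforced mode) or once, at the
            # moment the user first crosses the limit (track-only mode).
            if self.log_over_limit and before <= self.limit:
                self.events.append((user, "limit", after))
            if self.deny_over_limit:
                return False          # usage is left unchanged
        elif before <= self.warning < after and self.log_over_warning:
            self.events.append((user, "warning", after))
        self.usage[user] = after
        return True

    def status(self, user):
        used = self.usage.get(user, 0)
        if used > self.limit:
            return "over limit"
        if used > self.warning:
            return "warning"
        return "ok"


def page_example():
    """The 50 MB limit / 45 MB warning case from the text, in both modes."""
    # Enforced: the third write would bring the user to 51 MB and is refused.
    enforced = QuotaVolume(limit=50 * MB, warning=45 * MB)
    results = [enforced.write("student01", n * MB) for n in (40, 6, 5)]
    # Track-only: users may exceed the limit, but the crossing is still logged.
    tracked = QuotaVolume(limit=50 * MB, warning=45 * MB, deny_over_limit=False)
    tracked.write("instructor01", 60 * MB)
    tracked.write("instructor01", 1 * MB)
    return enforced, results, tracked


if __name__ == "__main__":
    enforced, results, tracked = page_example()
    print(results, enforced.events, enforced.status("student01"))
    print(tracked.events, tracked.status("instructor01"))
```

Running the track-only volume first on a shared drive shows who would be blocked before denial is switched on.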
When you enable disk quotas for a volume, volume usage is automatically tracked
for new users from that point on. However, existing volume users have no disk quotas
applied to them. You can apply disk quotas to existing volume users by adding new quota
entries in the Quota Entries window. Quotas can be enabled on both local volumes and
network volumes, but only on those volumes that are shared from the volume's root
Notes:
• To support disk quotas, a disk volume must be formatted with the version of
NTFS used in Windows 2000. Volumes formatted with the version of NTFS used
• If the volume is not NTFS formatted, or if you are not a member of the
Administrators group on the local computer, the Quota tab is not displayed on the
• File compression does not affect quota statistics. For example, if User A is limited
to 3 MB of disk space, he or she can store only 3 MB worth of files, even if the
and groups. A successful operating system must ensure that only properly authenticated
users and computers can logon to the network and that each network resource is available
only to authorized users. In the Microsoft® Windows® 2000 operating system, the
Active Directory™ service plays several major roles in providing security. Among these
roles are the efficient and effective management of user logon authentication and user
authorization. Both are central features of the Windows 2000 security subsystem and both
are fully integrated with Active Directory. (Microsoft TechNet, Microsoft Corporation)
Active Directory user and computer accounts represent a physical entity such as a
computer or person. User accounts and computer accounts (as well as groups) are called
security principals. Security principals are directory objects that are automatically
Objects with security identifiers can log on to the network and access domain
This chapter covers the following topics which are important for analysis:
• User Accounts
• Computer Accounts
• Security Principals
domain. The account establishes an identity for the user; the operating system then uses
this identity to authenticate the user and to grant him or her authorization to access
specific domain resources. User accounts can also be used as service accounts for some
account, and it is then granted access to specific network resources through that user
Predefined User Accounts
• Administrator account
• Guest account
You can use these accounts to log on locally to a computer running Windows
2000 and to access resources on the local computer. These accounts are designed
primarily for initial logon and configuration of a local computer. The Guest account is
disabled and you must enable it explicitly if you want to allow unrestricted access to the
member of the Administrators group by default. This account must be protected with a
strong password to avoid the potential for security breach to the computer. (Microsoft
To enable the Windows 2000 user authentication and authorization features, you
create an individual user account for each user who will participate on your network.
Then add each user account—including the Administrator and Guest accounts—to
Windows 2000 groups, and assign appropriate rights and permissions to each group.
4.6.2 COMPUTER ACCOUNTS
Like user accounts, Windows 2000 computer accounts provide a means for
authenticating and auditing the computer's access to the network and its access to
domain resources. Each Windows 2000 computer to which you want to grant access to
resources must have a unique computer account. Computers running Windows 98 and
Windows 95 do not have the advanced security features of those running Windows 2000
and Windows NT, and they cannot be assigned computer accounts in Windows 2000
domains. However, you can log on to a network and use Windows 98 and Windows 95
Active Directory user and computer accounts (as well as groups, covered later)
are referred to as security principals, a term that emphasizes the security that the
operating system implements for these entities. Security principals are directory objects
that are automatically assigned SIDs when they are created. Objects with SIDs can log on
to the network and can then access domain resources. (Microsoft TechNet, Microsoft
Corporation)
forest and a Windows 2000 domain external to your forest, you can grant security
To do so, add external security principals to a Windows 2000 group, which causes
Active Directory to create a "foreign security principal" object for those security
principals. You can make foreign security principals members of domain local groups
(covered later). You cannot manually modify foreign security principals, but you can see
them in the Active Directory Users and Computers interface by enabling Advanced
In the Windows 2000 operating system environment, you can associate Group
(OUs), domains, or sites. Group Policy settings associated with a given container either
affect all users or computers in that container or they affect specified sets of objects
within that container. You can use Group Policy to configure security options, manage
The system applies group policy to computers at boot time or to users when they
log on. (You can also set the group policy refresh interval policy for users or computers;
the default refresh interval for both users and computers is 90 minutes.) (Microsoft
Here are three examples of using group policy settings:
• Set the minimum password length and the maximum length of time that a
• Assign logon and logoff scripts to the user accounts in each organizational unit.
• Specify which applications are available to users when they log on.
• User Password or Account Policy to control how passwords are used by user
accounts.
• Audit Policy to control what types of events are recorded in the security log.
• User Rights are applied to groups or users, and affect the activities permitted on
domain.
In Windows 2000, Microsoft has re-configured these components into one
consistent hierarchy or tool, the Security Settings snap-in in the Group Policy Editor. This
may be useful if you want to know the proper group policy object to change.
Account Policies
• Password Policy
• Kerberos Policy
Local Policies
• Audit Policy
• Security Options
1. Event Log
2. Restricted Groups
3. System Services
4. Registry
5. File System
Group Policy is administered through the use of Group Policy Objects, data
structures that are attached in a specific hierarchy to selected Active Directory Objects,
such as Sites, Domains, or Organizational Units. These GPOs, once created, are applied
in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with
the later policies being superior to the earlier applied policies. When a computer is joined
to a domain with the Active Directory and Group Policy implemented, a local Group
Policy Object is processed. Note that LGPO policy is processed even when the Block
Policy Inheritance option has been specified. Local Group Policy Objects are processed
first, and then domain policy. If a computer is participating in a domain and a conflict
occurs between domain and local computer policy, domain policy prevails. However, if a
Management features of the Microsoft Windows 2000 operating system. Group Policy
specifies settings for groups of users and of computers, including registry-based policy
settings, security settings, software installation, scripts (computer startup and shutdown,
and log on and log off), and folder redirection. A Restricted Group Policy allows you to
When a template (or policy) that defines a restricted group is applied to a system,
the Security Configuration Tool Set adds members to the group and removes members
from the group to ensure that the actual group membership coincides with the settings
In this procedure, you will define a restricted group policy for the Local
Administrators group in addition to the restricted group policy that is already defined for
Corporation)
In Windows 2000, administrators use Group Policy to enhance and control users'
configuration that is applied to groups of users and computers. The Windows 2000 Active
Directory™ service enables Group Policy. The policy information is stored in Group
Policy objects (GPOs), which are linked to selected Active Directory containers: sites,
A GPO can be used to filter objects based on security group membership, which
centralized manner. To do this, administrators can use filtering based on security groups
to define the scope of Group Policy management, so that Group Policy can be applied
centrally at the domain level, or in a decentralized manner at the OU level, and can then
• Filter the scope of a GPO. This defines which groups of users and computers a
GPO affects.
• Delegate control of a GPO. There are two aspects to managing and delegating
Group Policy: managing the group policy links and managing who can create and
edit GPOs.
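The LSDOU processing order and the security-group filtering of a GPO's scope, both described above, can be worked through with a small resolver that reports which GPO wins each setting. This is an added example, not code from the thesis or from Microsoft; the GPO names, setting keys and group names are constructed, GPOs at the same level are assumed to apply in list order, and Block Policy Inheritance is modelled only at the OU.

```python
from dataclasses import dataclass
from typing import Optional

LSDOU = ("local", "site", "domain", "ou")   # processing order given in the text


@dataclass(frozen=True)
class GPO:
    name: str
    level: str                             # one of LSDOU
    settings: tuple                        # ((key, value), ...) pairs
    apply_to: Optional[frozenset] = None   # security-group filter; None = no filter

    def __post_init__(self):
        if self.level not in LSDOU:
            raise ValueError(f"unknown level: {self.level}")


def effective_policy(gpos, member_of, block_inheritance=False):
    """Return {setting: (value, name of the winning GPO)} for one account.

    gpos              -- GPOs linked along the account's path
    member_of         -- security groups the user or computer belongs to
    block_inheritance -- Block Policy Inheritance is set on the account's OU
    """
    groups = frozenset(member_of)
    result = {}
    for level in LSDOU:
        # Block Policy Inheritance stops site and domain GPOs at the OU;
        # the local GPO is processed regardless.
        if block_inheritance and level in ("site", "domain"):
            continue
        for gpo in gpos:
            if gpo.level != level:
                continue
            # Security-group filtering: a filtered GPO is skipped unless the
            # account is a member of at least one group in its scope.
            if gpo.apply_to is not None and not (gpo.apply_to & groups):
                continue
            for key, value in gpo.settings:
                result[key] = (value, gpo.name)   # later levels override earlier
    return result


# Constructed sample data: names and setting keys are illustrative only.
SAMPLE_GPOS = [
    GPO("Local GPO", "local",
        (("AuditLogonEvents", "No auditing"), ("NoControlPanel", False))),
    GPO("Default Domain Policy", "domain",
        (("AuditLogonEvents", "Success, Failure"),)),
    GPO("Lab Lockdown", "ou",
        (("NoControlPanel", True), ("LogonScript", "map_drive.bat")),
        apply_to=frozenset({"Students"})),
]


if __name__ == "__main__":
    for who in ({"Students"}, {"Instructors"}):
        print(sorted(who), effective_policy(SAMPLE_GPOS, who))
    print("blocked", effective_policy(SAMPLE_GPOS, {"Students"}, block_inheritance=True))
```

The third call shows the cost of blocking inheritance on a lab OU: the domain's audit setting no longer reaches it and the weaker local value takes effect.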
snap-in to manage policy settings. Group Policy includes various features for managing
these policy settings. In addition, third parties can extend Group Policy to host other
policy settings. The data generated by Group Policy is stored in a Group Policy object
(GPO), which is replicated in all domain controllers within a single domain. (Microsoft
The Group Policy snap-in includes several MMC snap-in extensions, which
constitute the main nodes in the Group Policy snap-in. The extensions are as follows:
you use to mandate registry settings that govern the behavior and appearance of
• Security settings. You use the Security Settings extension to set security options
for computers and users within the scope of a Group Policy object. You can define
• Software installation. You can use the Software Installation snap-in to centrally
manage software in your organization. You can assign and publish software to
• Scripts. You can use scripts to automate computer startup and shutdown and user
logon and logoff. You can use any language supported by Windows Script Host.
Edition (VBScript); JavaScript; PERL; and MS-DOS®-style batch files (.bat and
.cmd).
computers.
• Folder redirection. You use Folder Redirection to redirect Windows 2000 special
folders from their default user profile location to an alternate location on the
4.9 ANTIVIRUS
remove computer viruses, as well as many other types of harmful computer software,
collectively referred to as malware. While the first antivirus software was designed
exclusively to combat computer viruses, most modern antivirus software can protect
against a wide range of malware, including worms, rootkits, and Trojans. (Wikipedia.org)
Security
Antivirus programs can in themselves pose a security risk as they often run at the
'System' level of privileges and may hook the kernel. Both of these are necessary for
the software to effectively do its job; however, exploitation of the antivirus program itself
could lead to privilege escalation and create a severe security threat. Arguably, use of
When purchasing antivirus software, the agreement may include a clause that the
subscription will be automatically renewed, and the purchaser's credit card automatically
For example, McAfee requires one to unsubscribe at least 60 days before the
Effectiveness
software is much reduced from what it was a few years ago, particularly against unknown
or zero day threats. The German computer magazine c't found that detection rates for
these threats had dropped to a frightening 20% to 30%, as compared to 40% to 50% only
one year earlier. At that time only one product managed a detection rate above 50%.[12]
The problem is magnified by the changing intent of virus authors. Some years ago
it was obvious when a virus infection was present. The viruses of the day, written by
because their purpose is to create botnets or steal information for as long as possible
without the user realizing this; consequently, they are often well-hidden. If an infected
user has a less-than-effective antivirus product that says the computer is clean, then the
schedule, on demand and some run scans in real time. If a virus or malware is located, the
suspect file is usually placed into quarantine to terminate its chances of disrupting the
system. Traditional antivirus solutions scan and compare against a publicized and
Some antivirus solutions have additional options that employ a heuristic engine
which further examines the file to see if it is behaving in a similar manner to previous
whitelisting, this technology first checks if the file is trusted and only questioning those
that are not.[14] With the addition of wisdom of crowds, antivirus solutions backup other
users to protect each other. By providing these multiple layers of malware protection and
combining them with other security software it is possible to have more effective
protection from the latest zero day attack and the latest crimeware than previously was
number four of the article "10 security tips for all general-purposes OSes", an important
step in the process of securing your system is to shut down unnecessary services. As long
as Microsoft Windows has been a network-capable operating system, it has come with
quite a few services turned on by default, and it is a good idea for the security-conscious
user of Microsoft’s flagship product to shut down any of these that he or she isn’t using.
services to disable for security purposes will be at least somewhat particular to a given
As such, a list like this one needs to be identified with a specific Microsoft
Windows version, though it can still serve as a guide for the knowledgeable MS Windows
turning off the following services. You may be surprised by what is running without your
knowledge.
• Remote Desktop Help Session Manager – This service is used by the Remote
Assistance feature that you can use to allow others remote access to the system to
• Remote Registry – The capabilities provided by the Remote Registry service are
frightening to consider from a security perspective. They allow remote users (in
• Routing and Remote Access – This service bundles a number of capabilities
should be provided separately. It is rare that any of them should be necessary for a
typical desktop system such as Microsoft Windows XP, however, so they can all
provides the ability to use the system as a router and NAT device, as a dialup
Domain, it is assumed by the default settings that any and all file system shares
are meant to be universally accessible. In the real world, however, we should only
want to provide shares to very specific, authorized users. As such, Simple File
Sharing, which only provides blanket access to shares without exceptions, is not
what we want to use for sharing file system resources. It is active by default on
-> Tools -> Folder Options, clicking the View tab, and unchecking the Use simple
• SSDP Discovery Service – This service is used to discover UPnP devices on your
network, and is required for the Universal Plug and Play Device Host service (see
below) to operate.
• Telnet – The Telnet service is a very old mechanism for providing remote access
to a computer, most commonly known from its use in the bad ol’ days of security
for remote command shell access on Unix servers. These days, using Telnet to
remotely manage a Unix system may be grounds for firing, where an encrypted
• Universal Plug and Play Device Host – Once you have your “Plug and Play”
devices installed on your system, it is often the case that you will not need this
service again.
• Windows Messenger Service – Listed in the Services window under the name
Messenger, the Windows Messenger Service provides “net send” and “Alerter”
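
One way to check a workstation against the services in the list above, as an added example that is not part of the original thesis: the script reports each listed service and, when run with -Disable, stops it and sets its startup type to Disabled. The short service names are the standard Windows XP names and are not given on the page; Windows PowerShell 2.0 or later and administrator rights are assumed.

```powershell
param([switch]$Disable)   # without -Disable the script only reports

# Short service names (standard Windows XP names, an assumption not taken
# from the page) mapped to the display names used in the list above.
$targets = @{
    'RDSessMgr'      = 'Remote Desktop Help Session Manager'
    'RemoteRegistry' = 'Remote Registry'
    'RemoteAccess'   = 'Routing and Remote Access'
    'SSDPSRV'        = 'SSDP Discovery Service'
    'TlntSvr'        = 'Telnet'
    'upnphost'       = 'Universal Plug and Play Device Host'
    'Messenger'      = 'Messenger'
}

# The list notes that UPnP Device Host requires SSDP Discovery, so the
# dependent service (upnphost) is handled before SSDPSRV.
$order = 'upnphost', 'SSDPSRV', 'RDSessMgr', 'RemoteRegistry',
         'RemoteAccess', 'TlntSvr', 'Messenger'

$report = foreach ($name in $order) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    $row = New-Object PSObject -Property @{
        Name = $name; DisplayName = $targets[$name]
        State = 'NotInstalled'; StartMode = '-'; Action = 'none'
    }
    if ($svc) {
        $row.State     = $svc.State
        $row.StartMode = $svc.StartMode
        # Anything still running or still startable needs a decision.
        if ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
            $row.Action = 'review'
            if ($Disable) {
                if ($svc.State -ne 'Stopped') { [void]$svc.StopService() }
                $rc = $svc.ChangeStartMode('Disabled').ReturnValue
                if ($rc -eq 0) { $row.Action = 'disabled' }
                else { $row.Action = "ChangeStartMode failed ($rc)" }
            }
        }
    }
    $row
}

$report | Select-Object Name, DisplayName, State, StartMode, Action |
    Format-Table -AutoSize
```

Run it once without -Disable to see which services are present and active before changing anything; the State and StartMode columns show the values read before any change was made.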
4.11 DEEP FREEZE
incidental system degradation. Deep Freeze ensures computers are absolutely bulletproof,
even when users have full access to system software and settings. Users get to enjoy a
pristine and unrestricted computing experience, while IT personnel are freed from tedious
(www.faronics.com)
CHAPTER 5 SUMMARY, CONCLUSIONS, AND
RECOMMENDATIONS
5.1 SUMMARY
testing and implementation of basic security configuration procedures that are available
for Windows 2000 Server. The security concept is based on Windows 2000 Server’s
Active Directory, Group Policy snap-in and Domain Security policy with the protection
of antivirus software “Avast 4.8 Server and Home Edition” and Deep Freeze software.
The researcher will initiate methods and procedures that are already available for security
implementation. Creation of organization, groups and user accounts will be done for
domain access of network resources. Server security, particularly for the network drive, will
be implemented through the use of the Group Policy snap-in for Active Directory Users and
Computers, Domain Security policy and installation of the antivirus software Avast. Security
for workstations will be done by disabling some operating system services, domain-based
Group Policy, installation of the antivirus software Avast and Deep Freeze software.
5.2 CONCLUSION
Group Policy has been an effective tool for providing unified permissions and
privileges for users, organizational units, groups and computers. It is convenient in the
sense that Group Policy snap-in configuration is done on only one computer system, the
server (Domain Controller). You just create the necessary organizational units, groups and
users, then use the snap-in to configure a new Group Policy object. All access privileges are
filtered through this Group Policy configuration. Efficiency is a fitting way to describe
Group Policy. Domain security supports Group Policy by providing added policy to
the entire domain. Although efficient and easy to apply, it could not fully secure the
server in terms of viral intrusion and malicious code infection. This is why the strength of
against this intrusion for it can detect and prevent unwanted software intrusion provided
the software is constantly updated. Another effective solution support for this is problem
providing workstation security. Group Policy snap-in in the server can enhance security
for it can restrict access and privileges of users, narrowing potential harm on any network
some security software such as Deep Freeze. This minimizes unwanted configuration and
software installation by restoring the system to its initial state before it was frozen. In all, the
procedures being implemented in this proposed project are efficient and effective for
5.3 RECOMMENDATION
For the school in focus for experiment, we strongly recommend the creation of a
domain server with an existing and secured network drive for unified storage location.
This will increase automation for instructors and students in accessing and saving files.
With added security, confidentiality of files will be enhanced. Instructors and school
admin personnel would only have to log in to any workstation connected to the domain to
access network resources anywhere within the Local Area Network. Another thing is to
assess workstation security. The school uses protective software, but with poor
administration it becomes useless. Before installing such software, thorough system
cleanup and assessment of system services should be done for workstation security. And
lastly, appropriate network administration and management should be done for thorough
Bibliography
Matt Curtin. March 1997. Introduction to Network Security. Reprinted with the
permission of Kent Information Services, Inc. PDF Script
Brian Floyd. member of IEEE, SCTE. PDF script Changing the Face Of Network
Security Threat
Chad Perrin. IT Security blog post "10 services to turn off in MS Windows XP"
Subject Matter Expert, CramSession.com PDF script, Server 2003 Network Security
Administration Study Guide
John Wait et al. 2000. OSI reference model and layered communication. CISCO CCNA
exam #640-507 Guide. P. 68
John Wait et al. 2000. The OSI, TCP/IP and Netware protocol Architectures. CISCO CCNA
exam #640-507 Guide. P. 74
Don Parker. Oct 5 2006. The Routing Protocols. Articles and tutorials: Network protocol
John Wait et al. 2000. OSI Transport Layer Functions. CISCO CCNA exam #640-507
Guide. P. 87
Ekhaml, Leticia. 2001. Protecting yourself from internet risks, threats, and crime.
Journal of Educational Media and Library Sciences 39, no. 1: 8-14.
John Wait et al. 2000. OSI Data Link Layer Functions. CISCO CCNA exam #640-507
Guide. P. 94
Kanabar, Dina and Vijay Kanabar. 2003. A quick guide to basic network security terms.
Computers in Libraries 23, no. 5: 24-25
John Wait et al. 2000. OSI Network Layer Functions. CISCO CCNA exam #640-507
Guide. P. 103
Omar Santos. June 26, 2008. Identifying and classifying Network Security Threats.
CISCO Press.
Derek Melber. June 26, 2008. Understanding Windows Security Templates. Articles: Misc.
Network Security.
SpeedStream™ Router Family. November 2000. Command Line Interface Guide PDF
Script. Efficient Networks®
APPENDIX A
DISK PARTITION
After assessing the network needs for file storage, partitioning can be executed by the
following procedure:
1. Click the START menu, then click SETTINGS and then CONTROL PANEL.
COMPUTER MANAGEMENT.
4. Right click the drive intended for the partitioning and then select CREATE PARTITION
and click.
Figure 31: Select group/user/organization for Group Policy snap-in
Figure 32: Create new object
Figure 33: Selecting policies