AMA Computer Learning Center Mabalacat Branch

2/F Dau Mart II McArthur Hi-way, Dau Mabalacat Pampanga

Securing Network Drives and Client Computers in a

School Local Area Network

In partial fulfillment of requirement for NAT-700

Special Project on Network Telecommunications and
Technology

Submitted by: Submitted to:

Group # 4 Mr. Adelaido I. Bacani Jr.

Thesis Adviser
Merwyn R. Navarro
Ariel M. Comon
Aljon M. Pelagio
Junrey P. Mole
Jonathan S. Meneses
Kcee E. Antonio
I Acknowledgement

We would like to extend our sincere appreciation to all our parents and love ones

for their undying support on the completion of this thesis, our instructors for the

knowledge that they had impart us, our colleagues in school who in some way made an

influence to us to carry out this thesis project. Also thank you to our alma mater, ACLC

Mabalacat Branch on giving us the opportunity of executing what we learned.

NTT-4c Group Four would like to show our honest gratitude and thanks to

Microsoft TechNet, Wikipedia, CramSession, Tech-faq.com, CISCO, University of

Albany, How2Pass.com and other websites for the study guides and references being

used in this project.

And most of all, to our almighty GOD who is deserves all the credit, thanks and praise.

1
II Abstract

As we went on our daily school life to learn, we’ve notice how important

computer networks are especially in the field information technology. It can greatly affect

everyone’s productivity and efficiency in knowledge acquisition. It can either speed up

work automation or make it sluggish. So, it is necessary that people should give

importance to its security. Data and information is in constant attack in all mean possible

through known and developing technology. Every organization that uses network for

automation uses file storage accompany with a unique security concept.

In school, constant usage of network resources is done on a daily basis. Every

student and instructors comprise their own data inside the school network. But data being

processes within the network is being compromises because of security lapse. No storage

facility for important file for either student or instructors. Security is in breach the

moment a user logs into a workstation. In simple terms, there is no security

manifestation.

Security is defined as a condition of being protected against any danger, threat,

damage, or hazard. Enabling the network to prevent and detect unauthorized use of any

computer and its resource within it. Security involves concepts, management and

administration. Administering security involves set-up and configuration of resources

based on organizational needs. Concepts are the “authentication” created and given to a

user. This involves the creation of username and password for individual clients.

Firewalls that can filter on what services that will be allowed to be accessed by the

network user.

2
 An Intrusion Prevention System (IPS) that can detect and prevent malicious and

unwanted software. IPS also monitors for suspicious network traffic for contents, volume

and anomalies to protect the network from attacks such as denial of service. Management

in the other hand is the maintenance of software and hardware to prevent malicious

attacks from hacking and spamming. This is the installation of antivirus software that can

monitor and prevent unwanted software intrusion in a given network.

The final outcome of this research is a security evaluation on network drives and

client computers within a school local area network that is practical enough to be used in

real applications with acceptable results, without having to be an expert in the security

arena. The concept is base on Microsoft Windows 2000 Server operating system and

DeepFreeze software which are available and existing on the subject for experimentation.

It is built upon concepts drawn from computer information technology professional and

leaders in the industry, and empirically tested.

3
CHAPTER 1 INTRODUCTION

1.1 BACKGROUND

This written hypothesis is concern in security evaluation for network drives and

client computers in a school local area network. The school (AMA Computer Learning

Center Mabalacat Branch) in focus for this study has an existing network for each

computer laboratory. The school has a total of three networked computer laboratory. Each

workstation is installed with Windows XP Professional SP2 and connected together as a

workgroup. Students are restricted on using external removal storage such as flashdrive

and memory stick to prevent infection from unwanted software. Every laboratory session,

student are being monitored by a laboratory facilitate. After finishing machine problem

on each workstation, students are being instructed “not” to shut down their computer

unless their work had been check. This is because there is no available storage location

for them to save their files. There are no network media storage to transfer and store

important data. Another reason is because each computer is in “freeze mode.” Each

computer returns back to its initial state when it was freeze upon restart or shut down. No

files of any sort can be save because it erases all and what only left are the components

before the computer was frozen. Although freezing has been proven effective to prevent

infection and intrusion, malicious and unwanted software are still in present and existing

on each network. As for the instructors respectably, manual encoding of files for both

academic and professional purposes is done either on a standalone computer located at

the faculty or even inside the computer laboratory.

4
 Like the students, files cannot be saved but instead they use external removable

storages to safe keep their files from both corruption and deletion form the

computersbeing used in school. Same situation applies for every school admin personnel,

they can save files to a standalone computer at Admin Office but it is mandatory for them

to save an external memory backup for every data processed in school. Data and files are

in constant vulnerability due to poor security manifestation of computers.

5
1.2 PROBLEM STATEMENT

Although every network is being monitored personally by the assigned

Laboratory Facilitators, security is still at risk when it comes to data storage and

computer usage. . There are no restrictions on network usage. There are no user policies

that can denote different user rights making everyone a user with administrative power.

Malicious codes and programs are spread out in the entire network due to lack of

antivirus and constant plug-in of removable storage and other external devices without

proper supervision. Computer operating services components are all accessible without

any permission and restriction. Though each workstation has been “freeze” to retain its

state and to prevent virus infection, malicious and other threat causing software are still

present within the network. There is no Antivirus software installed on computers to

prevent further damage that may result to data loss and computer hardware malfunction.

Files and folder that are being made have no storage location. There are no existing

media storage to save important school documents, student files, instructor’s class records

and etc. And if a file can be save on a computer, there is no assurance that data secured or

file location is well secured. Although a Server is currently being utilize within the

laboratory, it was not been use for network domain purposes but instead a standalone

server model only.

6
1.3 OBJECTIVE

GENERAL OBJECTIVE

The main objective of this project is to evaluate the needs of a network in terms of

its workstations and network drive security. Formulate a security concept for both

network drive and workstation. And that these concepts may be applied to examine its

effectiveness. The insights gained from the project would form a set of guidelines for

designing secure workstation and storage location. This project was chosen to address the

need for a secured storage facility intended for school use.

SPECIFIC OBJECTIVE

1.) To create network drives in an existing Windows 2000 Server network

domain.

2.) Secure network drives from unwanted and over flooding of data.

3.) To create different user profile based on individual school personnel data.

4.) To create different user levels with permissions and policy.

5.) Secure the server and client with the use of Antivirus software.

6.) Secure member workstation with the use of existing software and services that

are already available.

7
1.4 ASSUMPTIONS

This study is conducted based on the following assumptions:

1.) That the Computer Laboratory Facilitator and School Administrative

Personnel will use the proposed project.

2.) That school has no appropriate file and data storage.

3.) That every workstation has poor security manifestation

1.5 HYPOTHESIS OF THE STUDY

The proposed project will greatly improve security for individual workstation and

network drives. Primarily, this study has the following hypothesis:

1.) User profiles were created based on names, year and section, position and

designation.

2.) It is irritating and time consuming every time you want to use a computer you

have to worry about viruses and where to store your files.

3.) The proposed project is the best solution for secured data storage and

workstation usage.

8
1.6 SCOPE AND DELIMITATIONS

In general, the focus of this study is directed towards the evaluation and

development of a secured network drive and workstation. About three small to medium

sized Computer Laboratory are in existence in which each is network separately. There is

a single computer installed with Windows 2000 Server but it is only a standalone

computer used for experimentation. Every workstation is already equip and installed with

security software name “DeepFreeze.” The study is largely dependent on the following:

• Avast Antivirus software

• DeepFreeze software

• Network drive

• Active Directory Users and Computers

• Workstation security

• Domain security policy

1.) Account and Local policy

2.) System Services

• File system

• Group Policy snap-in

9
 In this proposed project, records and files are stored in a secured network drive

located at an existing Windows 2000 Server computer. User account will be created on

the server’s “Active Directory Users and Computers”. Each User will have the ability to

log on with a unique level of permission and restrictions to local computers connected to

the server. However, the proponents are limited only to a local area network. No internet

access. No firewalls involve. Although Windows 2000 Server software was used in this

study, only basic understandings were implied due to the broadness that it might offer to

the topic. Aside from DeepFreeze software and Windows 2000 Server which is already

available and being used in school, a free version of Avast Antivirus software for both

server and client where installed. No other softwares aside from that mention previously

were involved in the course of this study. The system has a secure log-in for students,

instructors and school staff. The study made for this project has been narrow down

because of lack of enough time to complete further in-depth analysis.

10
1.7 SIGNIFICANCE OF THE STUDY

Social: In this study, the proposed project will inspire students to develop more

enhance method and concept for network security.

Technological: The proposed project will introduced better efficiency in securing

data and workstations under an existing Local Area Network.

The result of this study is beneficial to the following:

Student: The proposed project will give each student a place where they can store their

school works and file without compromising data integrity.

Instructors: The proposed project will give automation in checking student laboratory

work by logging in on any workstation and accessing a single storage location. Aside

from that, each will be authenticated access to given folders within a network drive for

file storage.

School Admin Personnel: The proposed project will minimize network management in

the sense that only the Server will be the focus for administration and maintenance to

retain data integrity. Another is that a drive will be assigned for school administrative

purposes and only school administrator can access it.

Researchers: The researchers have developed their writing, analysis, and interpretation

skills needed to make a good thesis.

Future Researchers: This will benefit other researchers who wish to have similar studies

as they can get background information from the result of this study which will serve as

template to modify their research.

11
CHAPTER 2 REVIEW OF RELATED LITERATURE

2.1 RELATED LITERATURE

This section presents both foreign and local related literatures relevant to the

study. This relevance is shown by the proponents in order to give more reason and

understanding of the proposition.

Brian Floyd (member of IEEE, SCTE), PDF script “Changing the Face Of
Network Security Threat”:

“Security threats arise almost on a daily basis and an

aware administrator needs to be able to respond quickly
and appropriately”

The author of this PDF script states that threats within networks almost occur

daily and that a particular network managed by an administrator must have any sort of

countermeasure

Chad Perrin’s article post "10 services to turn off in MS Windows XP" on Tech

Republic website:

“An important step in the process of securing your

system is to shut down unnecessary services.”

The author of the article state that as long as Microsoft Windows has been a

network capable operating system, it has come with quite a few services turned on by

default, and it is a good idea for the security conscious user of Microsoft’s flagship

product to shut down any of these that he or she isn’t using.

12
This will enhance workstation security by disabling unwanted service within existing

Windows operating system.

2.2 RELATED STUDIES

This section presents other related studies by the people who conducted studies

similar to the proponents that will also greatly help in the progress of the study. And it

will also help the understanding of the proposition. This written manuscript was made in

reflection of some thesis paper and literary documents made by some IT professionals

like:

1. “Detecting Known Host Security Flaws over a Network Connection” by Martin

Andersson of “School of Mathematics and Systems Engineering”, Växjö University

for the “Faculty of Mathematics/Science/Technology”.

2. “Defining Information Security As a Policy” by Göran Pattersson last March 7, 2008

3. A Formal Approach to Practical Network Security Management by Sudhakar

Govindavajhala,Ph.D. of Princeton University dated last 2006.

4. “Implementing Mandatory Network Security in a Policy-flexible System” by Ajaya

Chitturi of “University of Utah, Department of Computer Science” last April and June

of 1998.

13
5. “Evaluation of Security Risk Associated with Network Information System” by Baino

Paul of “Royal Melbourne Institute of Technology, School Of Business Information

Technology” for the Faculty of Business last 2001.

2.3 DEFINITION OF TERMS

The definitions of terms are based on observable characteristics and how it is used

in the study.

Workstation. a particular computer or device user by client user within a

workgroup or domain of a given Local Area Network.

Server. Is a computer installed with latest software capable of managing, securing

and monitor interconnected devices (such as computer, router and switches)

Local Area Network (LAN). Is a simple system of interconnected computers and

automated devices use within a particular organization like in school, office and small

business establishment.

Partition. A division created within a system hard disk to separate files and to

maximize logical spaces.

Format. Process of reinstalling operating software or erasing data for hard drive

and storages.

Security. a condition of being protected against any danger, threat, damage, or

hazard.

14
 Quota. Disk space being allocated for every user on a shared drive or storage

location.

Policy. This are the rights, permission and privileges given to each user on a

domain network.

Antivirus. A software being run on a operating system to prevent unwanted and

damaging codes and viruses.

Services. This are the system programs that runs upon start-up of a given

operating system.

Operating system. the main program/software that enables a device to run, thing

and calculate and given task.

2.4 THEORETICAL FRAMEWORK

These chapters consist of theories that have to bearing the problem, the

conceptual framework and the operational framework. This study focuses on three major

concepts; research, testing and implementation. Research is done in this study to see and

discovers more but simple ways on securing local area network. The complexity of

network security is so broad that in depth research is needed to fully understand each

concept. Testing is a way of initiating some methods and concepts that may have

importance to a study. This enables researches to know the effectiveness of methods and

concepts. Lastly, implementation is the deployment of tested concept for practical use.

15
CHAPTER 3 METHODOLOGY

3.1 RESEARCH DESIGN

The study will utilize both descriptive and causal research designs. The research

problems and objectives posed at the beginning of the study will be answered through a

descriptive research design. The design will focus on describing the experimental and

application procedure as well as their perceptions towards having a secured network drive

and workstation for a school local area network. A causal approach will be used to

identify the factors that affect the users demand for a secured connection between

network drive and workstations.

3.2 TIME AND PLACE OF THE STUDY

This study was conducted mostly inside the school being focus for

experimentation. The documentation and data gathering for this manuscript was made

from March 7 to March 19 of the year 2009 due to major revision of the first study made

by our group.

3.3 SOURCE OF DATA

Data was mainly gathered through the use of internet and books pertaining to

Network Security. Then it was narrowed down to the subject involving network drive and

workstation security within a given local area network. Data was also collected upon

testing of manuscript and guides for actual application to know the result needed for this

study.

16
3.4 DATA GATHERING TOOLS

These are the instruments or tools for gathering data in research used as basis for

drawing conclusions or making inferences. Some of these tools are empirical

observations, research and analysis used by the proponents as they conduct the proposed

study.

Observation. This technique is used when the researcher cannot secure adequate or

valid data through the use of the questionnaire or some other technique. It is

considered to be the most direct means of studying people in so far as their overt

behavior is concerned. Observation of a current operating procedure is another data

gathering tool seeing the system in action gives you additional perspective and better

understanding of system procedures.

Research. Research is simply, the systematic search for pertinent information on a

specific topic or problem. It is systematic study or investigation or something for the

purpose of answering questions posed by the researcher. It includes reviewing

journals, periodicals, and books to obtain background information, technical material,

and news about industry trends and developments.

Analysis. Analysis is the process of breaking-up the whole study into its constituent

parts of the categories according to the specific questions under the statement of the

problem. This is to bring out into focus the essential feature of the study.

17
3.5 ANALYTICAL PROCEDURE/METHODS OF ANALYSIS
At this point, the work of this proposed project will be tested to its fullest ability.

This is the part where the researcher must be able to determine and explain the methods

that will be used throughout the entire project. Applying security concepts and method is

a tedious task not only for the network administrators but also for the simple laboratory

facilitators, because they will decide on the type, scoop and level of security the implied

in a network. At this juncture, the methods used in creating the security concept must be

explained and defined. The following are some security concepts that are essential for

securing data storage and workstation:

Planning. This method designates a plan in which a proposed project

identifies it goals and requirement before deciding for its implementation.

Analysis. It can be considered as the most difficult phase because in this phase

manuals, materials or information’s must first examine thoroughly before applying it for

testing or experimentation.

Design. This is a visualization of the outcome of a proposed project but then in

implementing security, time, accuracy and focus is very essential because of broadness of

each aspect in network security. You need enough space and time to design a security

infrastructure based on different network requirement. It takes a long period of time to

ensure efficiency, reliability, affectivity, integrity and manageability of networks.

Testing. At this stage or phase, proposed project will be given to a panel of critics

and end-users for testing. In this way, the researchers can determine the response of the

user whether the proposed project will work or not.

18
 Implementation. The objective of the implementation phase is to deliver a

completely functioning and documented information system. This is the phase wherein

the said project has already been documented and tested.

Administration. Upon implementation, this is the phase where a network is being

manage based on the concepts and strategies being gone through intensive examination.

19
CHAPTER 4 PRESENTATION AND INTERPRETATION OF
DATA

This chapter presents the data gathering of the study, interpretation of the results

from the conducted research, testing and analysis of security concept used for this

proposed project. Topics and subjects being presented in this chapter were based from

existing manuscripts and guides already available in the World Wide Web. Selecting

based on the scope of this project was crucial because of the complexity of every aspect

in network security.

4.1 ASSESSMENT AND PLANNING FOR SECURITY

First and foremost, assessing of what you are to be secured must be done before

implementing any security methods. Another thing is identifying what are the object,

scoop and requirements under a given network for security. The school has three

computer laboratories in existence; each laboratory classroom has a standalone network

which all workstations are interconnected without any internet connection. The plan is to

interconnect the three existing computer laboratory (each laboratory has a local area

network) through a common domain with the use of Windows 2000 Server as its domain

controller. Basic domain controller security will be allied but the main focus is securing

the network drive being created within the server. Workstation security will also be given

importance.

20
4.2 NETWORK DRIVE

Network drive is a storage location shared within a network. It can either be an

external, which can be seen physically connected to a file server or even directly to a

network switch, or can internal which is mostly created within a server. For this project,

we created an internal network drive within the server’s hard disk by partitioning it into

several logical drives intended for different user.

4.3 DISK PARTITIONING

Partitioning is a process wherein a system hard disk is being divided into a

number of separate logical disks. This is done mainly to separate system files from user

files preventing any infection (such as virus, Trojan, worms, Malware, etc.) from one disk

to the other. If a LAN has no available network drive for file and folder storage, and the

server being used for a domain has a large and ample disk space, drive partitioning can be

done on the server. Create the necessary partition based on the following:

1. Disk space of the servers hard disk

2. Number groups

3. Number of drives needed by the organization

4. Partition space allocation for users

21
As for our subject, AMA Computer Learning Center Laboratory, it consists the following:

1. Server disk space has a total of 160 GB of memory space, 20.50 GB used for the

System drive, 107.3 GB of free and unallocated space and approximately 32 GB

of Lost space.

2. Groups are identified into three categories; Students, Instructors, and School

Admin.

3. Three logical disk drives will be needed; one for the Student, one for the

Instructors and one for the School Admin.

4. Allocated space for each partition will be:

• Students – 61.5 GB

• Instructors – 20.5 GB

• School Admin Personnel – 25.3 GB

4.4 FILE SYSTEM

At a basic level, file system security begins by choosing the appropriate file

system. Windows 2000 includes three different file systems: NTFS, FAT32, and FAT. The

NTFS file system is the recommended file system because of its advantages in reliability

and security and because it is required for large drives.

22
 The FAT and FAT32 file systems are similar to each other, except that FAT32 is

designed for larger disks than FAT. NTFS has always been a more powerful file system

than FAT or FAT32. Windows 2000 Server has a new version of NTFS that includes

many important security features such as:

• Permissions that you can set on individual files rather than just on folders.

• File encryption, which greatly enhances security.

• Active Directory, which you can use to view and control network resources easily.

• Domains, which are part of Active Directory, and which you can use to fine-tune

security options while keeping administration simple. Domain controllers require

NTFS.

• Recovery logging of disk activities, which helps you restore information quickly

in the event of a power failure or other system problems.

• Disk quotas, which you can use to monitor and control the amount of disk space

used by individual users.

• Better scalability to large drives. The maximum drive size for NTFS is much

greater than that for FAT, and as drive sizes increase, performance with NTFS

does not degrade as it does with FAT.

23
 If you are currently using the FAT file system, you can use the Convert utility that

is included with Windows 2000 to convert to NTFS. And once it is converted to NTFS,

you can use the file and folder permissions to secure data. Windows 2000 gives you

comprehensive control over each file and folder on your hard disk. You can also use

Encrypting File System (EFS) technology, which is a security technology that enables

individual users to encrypt files so that the files cannot be read by others. (Microsoft

TechNet, Microsoft Corporation)

4.5 DISK QUOTA

Disk quotas track and control disk space usage for volumes. System administrators

can configure Windows to:

• Prevent further disk space use and log an event when a user exceeds a specified

disk space limit.

• Log an event when a user exceeds a specified disk space warning level.

When you enable disk quotas, you can set two values: the disk quota limit and the

disk quota warning level. The limit specifies the amount of disk space a user is

allowed to use. The warning level specifies the point at which a user is nearing his or

her quota limit. For example, you can set a user's disk quota limit to 50 megabytes

(MB), and the disk quota warning level to 45 MB. In this case, the user can store no

more than 50 MB of files on the volume. If the user stores more than 45 MB of files

on the volume, you can have the disk quota system log a system event.

24
 For instructions on setting disk quota values, see “To assign default quota values.”

You can specify that users can exceed their quota limit. Enabling quotas and not limiting

disk space use are useful when you do not want to deny users access to a volume, but

want to track disk space use on a per-user basis. You can also specify whether or not to

log an event when users exceed either their quota warning level or their quota limit.

When you enable disk quotas for a volume, volume usage is automatically tracked

for new users from that point on. However, existing volume users have no disk quotas

applied to them. You can apply disk quotas to existing volume users by adding new quota

entries in the Quota Entries window. Quotas are enable on both local volumes and

network volumes, but only on those volumes that are shared from the volume's root

directory and are formatted with the NTFS file system.

Notes:

• To support disk quotas, a disk volume must be formatted with the version of

NTFS used in Windows 2000. Volumes formatted with the version of NTFS used

in Windows NT 4.0 are upgraded automatically by Windows 2000 Setup.

• To administer quotas on a volume, you must be a member of the Administrators

group on the computer where the drive resides.

• If the volume is not NTFS formatted, or if you are not a member of the

Administrators group on the local computer, the Quota tab is not displayed on the

volume's Properties page.

 25

• File compression does not affect quota statistics. For example, if User A is limited

to 3 MB of disk space, he or she can store only 3 MB worth of files, even if the

files are compressed.

4.6 Active Directory Users and Computers

A great part of network administration involves management of users, computers,

and groups. A successful operating system must ensure that only properly authenticated

users and computers can logon to the network and that each network resource is available

only to authorized users. In the Microsoft® Windows® 2000 operating system, the

Active Directory™ service plays several major roles in providing security. Among these

roles are the efficient and effective management of user logon authentication and user

authorization. Both are central features of the Windows 2000 security subsystem and both

are fully integrated with Active Directory. (Microsoft TechNet, Microsoft Corporation)

Active Directory user and computer accounts represent a physical entity such as a

computer or person. User accounts and computer accounts (as well as groups) are called

security principals. Security principals are directory objects that are automatically

assigned security identifiers.

26
 Objects with security identifiers can log on to the network and access domain

resources. A user or computer account is used to:

• Authenticate the identity of the user or computer.

• Authorize or deny access to domain resources.

• Administer other security principals.

• Audit actions performed using the user or computer account.

This chapter covers the following topics which are important for analysis:

• User Accounts

• Computer Accounts

• Security Principals

• Group Policy Applied to User and Computer Accounts

4.6.1 USER ACCOUNTS

A user requires an Active Directory user account to log on to a computer or to a

domain. The account establishes an identity for the user; the operating system then uses

this identity to authenticate the user and to grant him or her authorization to access

specific domain resources. ser accounts can also be used as service accounts for some

applications. That is, a service can be configured to log on (authenticate) as a user

account, and it is then granted access to specific network resources through that user

account. (Microsoft TechNet, Microsoft Corporation)

27
Predefined User Accounts

Windows 2000 provides the following two predefined user accounts1:

• Administrator account

• Guest account

You can use these accounts to log on locally to a computer running Windows

2000 and to access resources on the local computer. These accounts are designed

primarily for initial logon and configuration of a local computer. The Guest account is

disabled and you must enable it explicitly if you want to allow unrestricted access to the

computer. The Administrator account is the most powerful account because it is a

member of the Administrators group by default. This account must be protected with a

strong password to avoid the potential for security breach to the computer. (Microsoft

TechNet, Microsoft Corporation)

To enable the Windows 2000 user authentication and authorization features, you

create an individual user account for each user who will participate on your network.

Then add each user account—including the Administrator and Guest accounts—to

Window 2000 groups, and assign appropriate rights and permissions to each group.

(Microsoft TechNet, Microsoft Corporation)

28
4.6.2 COMPUTER ACCOUNTS

Like user accounts, Windows 2000 computer accounts provide a means for

authenticating and auditing the computer's access to the network2 and its access to

domain resources. Each Windows 2000 computer to which you want to grant access to

resources must have a unique computer account. Computers running Windows 98 and

Windows 95 do not have the advanced security features of those running Windows 2000

and Windows NT, and they cannot be assigned computer accounts in Windows 2000

domains. However, you can log on to a network and use Windows 98 and Windows 95

computers in Active Directory domains. (Microsoft TechNet, Microsoft Corporation)

4.6.3 SECURITY PRINCIPALS

Active Directory user and computer accounts (as well as groups, covered later)

are referred to as security principals, a term that emphasizes the security that the

operating system implements for these entities. Security principals are directory objects

that are automatically assigned SIDs when they are created. Objects with SIDs can log on

to the network and can then access domain resources. (Microsoft TechNet, Microsoft

Corporation)

If you establish a trust relationship between a domain in your Windows 2000

forest and a Windows 2000 domain external to your forest, you can grant security

principals from the external domain access to resources in your forest.

29
 To do so, add external security principals to a Windows 2000 group, which causes

Active Directory to create a "foreign security principal" object for those security

principals3. You can make foreign security principals members of domain local groups

(covered later). You cannot manually modify foreign security principals, but you can see

them in the Active Directory Users and Computers interface by enabling Advanced

Features. (Microsoft TechNet, Microsoft Corporation)

4.6.4 GROUP POLICY APPLIED TO USER AND COMPUTER

ACCOUNTS

In the Windows 2000 operating system environment, you can associate Group

Policy configuration settings with three Active Directory containers—organizational units

(OUs), domains, or sites. Group Policy settings associated with a given container either

affect all users or computers in that container or they affect specified sets of objects

within that container. You can use Group Policy to configure security options, manage

applied to network locations.

The system applies group policy to computers at boot time or to users when they

log on. (You can also set the group policy refresh interval policy for users or computers;

the default refresh interval for both users and computers is 90 minutes.) (Microsoft

TechNet, Microsoft Corporation)

30
Here are three examples of using group policy settings:

• Set the minimum password length and the maximum length of time that a

password remains valid for an entire domain.

• Assign logon and logoff scripts to the user accounts in each organizational unit.

• Specify which applications are available to users when they log on.

4.7 DOMAIN SECURITY POLICY

In Microsoft Windows NT Server 4.0, the concept of the Domain Security

Policy referred to an associated group of items considered critical to the secure

configuration of a domain. These included:

• User Password or Account Policy to control how passwords are used by user

accounts.

• Audit Policy to control what types of events are recorded in the security log.

• User Rights are applied to groups or users, and affect the activities permitted on

an individual workstation, a member server, or on all domain controllers in a

domain.

31
 In Windows 2000, Microsoft has re-configured these components into one

consistent hierarchy or tool, the Security Settings snap-in in the Group Policy Editor. This

may be useful if you want to know the proper group policy object to change.

Account Policies

• Password Policy

• Account Lockout Policy

• Kerberos Policy

Local Policies

• Audit Policy

• User Rights Assignment

• Security Options

1. Event Log

2. Restricted Groups

3. System Services

4. Registry

5. File System

6. IP Security Policies on Active Directory

7. Public Key Policies

32
 Group Policy is administered through the use of Group Policy Objects, data

structures that are attached in a specific hierarchy to selected Active Directory Objects,

such as Sites, Domains, or Organizational Units. These GPOs, once created, are applied

in a standard order: LSDOU, which stands for (1) Local, (2)Site, (3)Domain, (4)OU, with

the later policies being superior to the earlier applied policies. When a computer is joined

to a domain with the Active Directory and Group Policy implemented, a local Group

Policy Object is processed. Note that LGPO policy is processed even when the Block

Policy Inheritance option has been specified. Local Group Policy Objects are processed

first, and then domain policy. If a computer is participating in a domain and a conflict

occurs between domain and local computer policy, domain policy prevails. However, if a

computer is no longer participating in a domain, local Group Policy object is applied.

(Microsoft TechNet, Microsoft Corporation)

4.8 GROUP POLICY

Group Policy is the central component of the Change and Configuration

Management features of the Microsoft Windows 2000 operating system. Group Policy

specifies settings for groups of users and of computers, including registry-based policy

settings, security settings, software installation, scripts (computer startup and shutdown,

and log on and log off), and folder redirection. A Restricted Group Policy allows you to

define who should and should not belong to a specific group.

33
 When a template (or policy) that defines a restricted group is applied to a system,

the Security Configuration Tool Set adds members to the group and removes members

from the group to ensure that the actual group membership coincides with the settings

defined in the template (or policy).

In this procedure, you will define a restricted group policy for the Local

Administrators group in addition to the restricted group policy that is already defined for

the local Power Users group in Securews.inf. (Microsoft TechNet, Microsoft

Corporation)

Group Policy and the Active Directory

In Windows 2000, administrators use Group Policy to enhance and control users'

desktops. To simplify the process, administrators can create a specific desktop

configuration that is applied to groups of users and computers. The Windows 2000 Active

Directory™ service enables Group Policy. The policy information is stored in Group

Policy objects (GPOs), which are linked to selected Active Directory containers: sites,

domains, and organizational units (OUs). (Microsoft TechNet, Microsoft Corporation)

34
 A GPO can be used to filter objects based on security group membership, which

allows administrators to manage computers and users in either a centralized or a de-

centralized manner. To do this, administrators can use filtering based on security groups

to define the scope of Group Policy management, so that Group Policy can be applied

centrally at the domain level, or in a decentralized manner at the OU level, and can then

be filtered again by security groups.

Administrators can use security groups in Group Policy to:

• Filter the scope of a GPO. This defines which groups of users and computers a

GPO affects.

• Delegate control of a GPO. There are two aspects to managing and delegating

Group Policy: managing the group policy links and managing who can create and

edit GPOs.

Administrators use the Group Policy Microsoft Management Console (MMC)

snap-in to manage policy settings. Group Policy includes various features for managing

these policy settings. In addition, third parties can extend Group Policy to host other

policy settings. The data generated by Group Policy is stored in a Group Policy object

(GPO), which is replicated in all domain controllers within a single domain. (Microsoft

TechNet, Microsoft Corporation)

35
 The Group Policy snap-in includes several MMC snap-in extensions, which

constitute the main nodes in the Group Policy snap-in. The extensions are as follows:

• Administrative templates. These include registry-based Group Policy, which

you use to mandate registry settings that govern the behavior and appearance of

the desktop, including the operating system components and applications.

• Security settings. You use the Security Settings extension to set security options

for computers and users within the scope of a Group Policy object. You can define

local computer, domain, and network security settings.

• Software installation. You can use the Software Installation snap-in to centrally

manage software in your organization. You can assign and publish software to

users and assign software to computers.

• Scripts. You can use scripts to automate computer startup and shutdown and user

logon and logoff. You can use any language supported by Windows Script Host.

These include the Microsoft Visual Basic® development system, Scripting

Edition (VBScript); JavaScript; PERL; and MS-DOS®-style batch files (.bat and

.cmd).

• Remote Installation Services. You use Remote Installation Services (RIS) to

control the behavior of the Remote Operating System Installation feature as

displayed to client computers.

• Internet Explorer maintenance. You use Internet Explorer Maintenance to

manage and customize Microsoft® Internet Explorer on Windows 2000-based

computers.

36
 • Folder redirection. You use Folder Redirection to redirect Windows 2000 special

folders from their default user profile location to an alternate location on the

network. These special folders include My Documents, Application Data,

Desktop, and the Start Menu.

4.9 ANTIVIRUS

Antivirus software (or anti-virus) is computer software used to identify and

remove computer viruses, as well as many other types of harmful computer software,

collectively referred to as malware. While the first antivirus software was designed

exclusively to combat computer viruses, most modern antivirus software can protect

against a wide range of malware, including worms, rootkits, and Trojans. (Wikipedia.org)

Security

Antivirus programs can in themselves pose a security risk as they often run at the

'System' level of privileges and may hook the kernel — Both of these are necessary for

the software to effectively do its job, however exploitation of the antivirus program itself

could lead to privilege escalation and create a severe security threat. Arguably, use of

antivirus software when compared to Principle of least privilege is largely ineffective

when ramifications of the added software are taken into account.

When purchasing antivirus software, the agreement may include a clause that the

subscription will be automatically renewed, and the purchaser's credit card automatically

billed, at the renewal time without explicit approval.

37
 For example, McAfee requires one to unsubscribe at least 60 days before the

expiration of the present subscription.[6] Norton Antivirus also renews subscriptions

automatically by default. (Wikipedia.org)

Effectiveness

Studies in December 2007 have shown that the effectiveness of Antivirus

software is much reduced from what it was a few years ago, particularly against unknown

or zero day threats. The German computer magazine c't found that detection rates for

these threats had dropped to a frightening 20% to 30%, as compared to 40% to 50% only

one year earlier. At that time only one product managed a detection rate above 50%.[12]

The problem is magnified by the changing intent of virus authors. Some years ago

it was obvious when a virus infection was present. The viruses of the day, written by

amateurs, exhibited destructive behavior or pop-up screen messages.

Modern viruses are often written by professionals, financed by criminal

organizations.[13] It is not in their interests to make their viruses or crimeware evident,

because their purpose is to create botnets or steal information for as long as possible

without the user realizing this; consequently, they are often well-hidden. If an infected

user has a less-than-effective antivirus product that says the computer is clean, then the

virus may go undetected.Traditional antivirus software solutions run virus scanners on

schedule, on demand and some run scans in real time. If a virus or malware is located the

suspect file is usually placed into a quarantine to terminate its chances of disrupting the

system. Traditional antivirus solutions scan and compare against a publicized and

regularly updated dictionary of malware otherwise known as a blacklist.

38
 Some antivirus solutions have additional options that employ an heuristic engine

which further examines the file to see if it is behaving in a similar manner to previous

examples of malware. A new technology utilised by a few antivirus solutions is

whitelisting, this technology first checks if the file is trusted and only questioning those

that are not.[14] With the addition of wisdom of crowds, antivirus solutions backup other

antivirus techniques by harnessing the intelligence and advice of a community of trusted

users to protect each other. By providing these multiple layers of malware protection and

combining them with other security software it is possible to have more effective

protection from the latest zero day attack and the latest crimeware than previously was

the case with just one layer of protection. (Wikipedia.org)

4.10 DISABLING SOME OPERATING SYSTEM SERVICE

As I pointed by Chad Perrin in his article on Tech Republic website, in point

number four of the article 10 security tips for all general-purposes OSes, an important

step in the process of securing your system is to shut down unnecessary services. As long

as Microsoft Windows has been a network capable operating system, it has come with

quite a few services turned on by default, and it is a good idea for the security conscious

user of Microsoft’s flagship product to shut down any of these that he or she isn’t using.

Each version of MS Windows provides different services, of course, so any list of

services to disable for security purposes will be at least somewhat particular to a given

version of Microsoft Windows.

39
 As such, a list like this one needs to be identified with a specific Microsoft

Windows version, though it can still serve as a guide for the knowledgeable MS Windows

user to check out the running services on other versions as well.

If you are running Microsoft Windows XP on your desktop system, consider

turning off the following services. You may be surprised by what is running without your

knowledge.

Operating System Services

• IIS – Microsoft’s Internet Information Services provide the capabilities of a Web

server for your computer.

• NetMeeting Remote Desktop Sharing — NetMeeting is primarily a VoIP and

videoconferencing client for Microsoft Windows, but this service in particular is

necessary to remote desktop access.

• Remote Desktop Help Session Manager – This service is used by the Remote

Assistance feature that you can use to allow others remote access to the system to

help you troubleshoot problems.

• Remote Registry – The capabilities provided by the Remote Registry service are

frightening to consider from a security perspective. They allow remote users (in

theory, only under controlled circumstances) to edit the Windows Registry.

40
• Routing and Remote Access – This service bundles a number of capabilities

together, capabilities that most system administrators would probably agree

should be provided separately. It is rare that any of them should be necessary for a

typical desktop system such as Microsoft Windows XP, however, so they can all

conveniently be turned off as a single service. Routing and Remote Access

provides the ability to use the system as a router and NAT device, as a dialup

access gateway, and a VPN server.

• Simple File Sharing – When a computer is not a part of a Microsoft Windows

Domain, it is assumed by the default settings that any and all file system shares

are meant to be universally accessible. In the real world, however, we should only

want to provide shares to very specific, authorized users. As such, Simple File

Sharing, which only provides blanket access to shares without exceptions, is not

what we want to use for sharing file system resources. It is active by default on

both MS Windows XP Professional and MS Windows XP Home editions.

Unfortunately, this cannot be disabled on MS Windows XP Home. On MS

Windows XP Professional, however, you can disable it by opening My Computer

-> Tools -> Folder Options, clicking the View tab, and unchecking the Use simple

file sharing (Recommended) checkbox in the Advanced settings: pane.

• SSDP Discovery Service – This service is used to discover UPnP devices on your

network, and is required for the Universal Plug and Play Device Host service (see

below) to operate.

41
• Telnet – The Telnet service is a very old mechanism for providing remote access

to a computer, most commonly known from its use in the bad ol’ days of security

for remote command shell access on Unix servers. These days, using Telnet to

remotely manage a Unix system may be grounds for firing, where an encrypted

protocol such as SSH should be used instead.

• Universal Plug and Play Device Host – Once you have your “Plug and Play”

devices installed on your system, it is often the case that you will not need this

service again.

• Windows Messenger Service – Listed in the Services window under the name

Messenger, the Windows Messenger Service provides “net send” and “Alerter”

functionality. It is unrelated to the Windows Messenger instant messaging client,

and is not necessary to use the Windows Messenger IM network.

42
4.11 DEEP FREEZE

Faronics Deep Freeze helps eliminate workstation damage and downtime by

making computer configurations indestructible. Once Deep Freeze is installed on a

workstation, any changes made to the computer—regardless of whether they are

accidental or malicious—are never permanent. Deep Freeze provides immediate

immunity from many of the problems that plague computers today—inevitable

configuration drift, accidental system misconfiguration, malicious software activity, and

incidental system degradation. Deep Freeze ensures computers are absolutely bulletproof,

even when users have full access to system software and settings. Users get to enjoy a

pristine and unrestricted computing experience, while IT personnel are freed from tedious

helpdesk requests, constant system maintenance, and continuous configuration drift.

(www.faronics.com)

43
CHAPTER 5 SUMMARY, CONCLUSIONS, AND
RECOMMENDATIONS

5.1 SUMMARY

The study conducted by the researchers is an in depth research, experimentation,

testing and implementation of basic security configuration procedure that are available

for Windows 2000 Server. The security concept is based on Windows 2000 Server’s

Active Directory, Group Policy snap-in and Domain Security policy with the protection

of antivirus software “Avast 4.8 Server and Home Edition” and Deep Freeze software.

The researcher will initiate methods and procedures that are already available for security

implementation. Creation of organization, groups and user accounts will be done for

domain access of network resources. The Server, particularly network drive security will

be implemented through the use of Group Policy snap-in for Active Directory Users and

computers, Domain Security policy and installation of antivirus software Avast. Security

for workstations will done by disabling some operating system services, domain based

Group policy, installation of antivirus software Avast and Deep Freeze software.

44
5.2 CONCLUSION

Group policy has been an effective tool on providing unified permissions and

privileges for users, organization units, groups and computers. It is convenient in the

sense that Group Policy snap-in configuration is only cone on one computer system, the

server (Domain Controller). You just create the necessary organization units, group and

user then snap-in and configure new Group Policy object. All access privileges are being

filtered through this Group Policy configuration. Efficiency has been a means to describe

Group Policy. Domain security is in support to Group Policy. Providing added policy to

the entire domain. Although efficient and easy to apply, it could not fully secure the

server in terms of viral intrusion and malicious code infection. This is why the strength of

antivirus software such as Avast is needed. Antivirus software is a preventive solution

against this intrusion for it can detect and prevent unwanted software intrusion provided

constant software updated. Another effective solution support for this is problem

providing workstation security. Group policy snap-in in the server can enhance security

for in can restrict access and privileges of users narrowing potential harm on any network

resource. Enhancement can be done by restricting workstation services and installation of

some security software such as Deep Freeze. This minimizes unwanted configuration and

software installation by restoring back its initial state before it was freeze. In all, the

procedures being implemented in this proposed project are efficient and effective for

minimal local area network security needs

45
5.3 RECOMMENDATION

For the school in focus for experiment, we strongly recommend the creation of a

domain server with an existing and secured network drive for unified storage location.

This will increase automation for instructors and students in accessing and saving files.

With an added security, confidentiality of files will be enhances. Instructors and school

admin personnel would only have to login any workstation connected to the domain to

access network resources anywhere within the Local Area Network. Another thing is to

assess workstation security. The school uses protective software but with poor

administration, they become useless. Before installing such software, thorough system

cleanup and assessment of system services should be done for workstation security. And

lastly, appropriate network administration and management should de done for thorough

manifestation of this security concept.

46
Bibliography

Matt Curtin. March 1997. Introduction to Network Security. Reprinted with the
permission of Kent Information Services, Inc. PDF Script

Office of the CIO, University at Albany. Security Threats, Types of Threats

Brian Floyd. member of IEEE, SCTE. PDF script Changing the Face Of Network
Security Threat

Chad Perrin. IT Security blog post "10 services to turn off in MS Windows XP"

Microsoft TechNet, Microsoft Corporation, Step-by-Step Guide to Using the Security

Configuration Tool Set

Subject Matter Expert, CramSession.com PDF script, Server 2003 Network Security
Administration Study Guide

John Wait ET al.2000 OSI reference model and layered communication. CISCO CCNA
exam #640 -507 Guide. P.68

S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer

Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.

John Wait et al.2000.The OSI,TCP/IP and Netware protocol Architectures. CISCO CCNA
exam #640 -507 Guide. P.74

Don Parker, Oct 5 2006.The Routing Protocols. Articles and tutorials: Network protocol

John Wait et al.2000. OSI Transport Layer Functions. CISCO CCNA exam #640 -507
Guide. P.87

Ekhaml, Leticia. 2001. Protecting yourself from internet risks, threats, and crime.
Journal of Educational Media and Library Sciences 39, no. 1: 8-14.

John Wait et al.2000. OSI Data Link Layer Functions. CISCO CCNA exam #640 -507
Guide. P.94

Kanabar, Dina and Vijay Kanabar. 2003. A quick guide to basic network security terms.
Computers in Libraries 23, no. 5: 24-25
John Wait et al.2000.OSI Network Layer Functions. CISCO CCNA exam #640 -507
Guide. P.103

Omar Santos. June 26, 2008. Identifying and classifying Network Security Threats.
CISCO Press.

47
Derek Melber. June 26, 2008.Undestanding Windows Security Templates. Articles: Misc.
Network Security.

SpeedStreamtm Router Family. November 2000. Command Line Interface Guide PDF
Script. Efficient NetworksR

“Windows 2000 Firewalling”. From a anonymous author. June 15, 2007

http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

48
APPENDIX A

DISK PARTITION

After assessing the network needs for file storage, partitioning can be executed by the

following procedure:

1. Click START menu then click SETTINGS and the CONTROL PANEL.

2. Under CONTROL PANEL, click ADMINISTRATIVE TOOLS and then click

COMPUTER MANAGEMENT.

3. Under COMPUTER MANAGEMENT, click DISK MANAGEMENT.

4. Right click the drive intended for the partitioning and then select CREATE PARTITION

and click.

Figure 1: Selecting drives

Figure 2: Partition Wizard

Figure 3: Partition Selection

Figure 4: Specify space

Figure 5: Drive letter assignment

Figure 6: File system
Figure 7: Finishing wizard
Figure 8: Creating logical drive
Figure 9: Partition selection
APPENDIX B

ACTIVE DIERCTORY USER AND COMPUTERS

Figure 10: Creating organization units Figure 11: Naming organization

Figure 12: Creating groups Figure 13: Naming group and scope/type
Figure 14: Creating user account for domain access Figure 15: Naming account users
Figure 16: Configuring user properties Figure 17: User properties
Figure 18: Group membership Figure 19: Account logon configuration
Figure 20: Assigning user and folder path
APPENDIX C

ENABLING DISK QUOTA

On desktop double click My Computer view Network Drive

Figure 21: Selecting drive for enabling quota

Figure 22: Quota management

Figure 23: Adding new quota entries

Figure 24: Selecting user for quota entries

Figure 25: Enabling disk space
Figure
limit
26: Input specified space limit

Figure 27: Limit disk space usage

Figure 28: Quota entries
Figure 29: Full disk quota limit Figure 30: Executed quota
APPENDIX D

GROUP POLICY SNAP-IN FOR ACTIVE DIRECTORY USER AND COMPUTERS

Figure 31: Select group/user/organization for Group Policy Figure 32: Create new object
snap-in
Figure 33: Selecting policies

Figure 34: Account policy

Figure 35: Password policy

Figure 36: Local Policy

Figure 37: User rights assignment

Figure 38: Selecting restriction on Security Option

Figure 39: Selecting and defining policy of System Services

Figure 40: Redirection of folder location

APPENDIX E

DOMAIN SECURITY POLICY

Figure 41: Security setting

Figure 42: Password policy

Figure 43: Defining user rights

Figure 44: Defining and selecting System Service

Figure 45: Defining policy on Security Option