Enable Windows Active Directory and User Access Controls

This lab provides students with the hands-on skills needed to create a new Active Directory domain in Windows Server 2003 and demonstrates how to configure a centralized authentication and policy definition for access controls. The Active Directory users and workstation plug-ins will be used to create users, groups, and configure role-based access permissions and controls on objects and folders in a Windows Server 2003 Active Directory system.

Lab Assessment Questions & Answers
1.What two access controls can be set up for Windows Server 2003 folders and authentication?

Authentication and Access Control

2. you can browse a file on a Windows network share, but are not able to copy it or modify it, what type of If

access controls and permissions are probably configured?
Role-based access controls with the following permissions: Read & Execute, List Folder Contents, Read, and Write

3. What is the Windows tool that allows you to administer granular policies and permissions on a Windows ­ network using role-based access?

Assessment Worksheet

4. Relate how Windows Server 2008 R2 Active Directory and the configuration of access controls achieve

CIA for departmental LANs, departmental folders, and data.
Confidentiality – by creating specific user accounts, requiring passwords, and putting users in appropriate groups to enable authorized users the ability to access the data Integrity – by implementing role-based access controls and specific folder and file permissions to restrict who can modify or even view the data

Availability – by being able to give permission to those who need it for a set duration of time with proper authorization and need Windows Server sets all this up on the domain, making it globally available and making implementation and administration easier

5. Would it be a good practice to include the account or user name in the password? Why or why not?

No, passwords should not be able to be easily guessed and instituting a password format policy is good practice. Something that requires a certain length and a combination of uppercase, lowercase, numbers, and/or symbols, while also restricting the ability to have all or part of a username should be mandatory for security purposes.

6. Can a user who is defined in the Active Directory access a shared drive if that user is not part of

the domain?
No, a user needs to be granted specific access to the drive in this case

Windows Server 2003 requires a logon and password to access the system itself, but not a separate logon and password to access individual drives or data.

Enable Windows Active Directory and User Access Controls

7. Does Windows Server 2003 require a user’s logon/password credentials prior to accessing shared drives?

8. Using what you know about access controls, what security controls would you recommend when granting access to LAN systems for guests (i.e., auditors, consultants, third-party individuals, etc.) that will maintain CIA of production systems and data?
I would set up specific user accounts for the different types of guests I get and place those accounts in the appropriate groups to access the data that they would need for the duration of their visit. I would have a basic template of what type of visitor will have what kind of access and create a paper trail should other accesses be required. These user accounts will be disabled when not in use and passwords would be changed after every use of the guest account.