CST 620 Project 4: System Level Security

Hands-on Instructions: System Level Security

For this lab we will explore configuring users and groups for both Windows and Linux environments. You will be presented with some scenarios to add users with specific requirements, and you will need to create the users and apply them to the appropriate groups. Remember, the focus is on testing and documenting controls. Be sure to document your work through solid notetaking and screenshots as you’ll need both for your Report.

In this scenario, you have 4 users with the below requirements:

  1. Dale – Dale needs to log into the computer remotely and will be a normal user
  2. Cindy – Cindy is a systems administrator and will need complete and unrestricted access to the computer
  3. Steve – Steve is from the help desk and needs to have almost everything the systems administrator has for access
  4. Jeda – Jeda is a supervisor for the Systems Engineering team and the Help Desk

The first part of this lab is to create user accounts for these people on your Windows VM.

  1. Log onto your Windows VM and open
  2. Right click on the Windows menu and select “Computer Management”
  3. Expand Local Users and Groups and select “Users”
  4. In the window, right click and select “add new user”, create these new users, and add a description based on their job function.

Now that the User Accounts are created, we want to create groups for some of the users here to ensure we only allow the permissions we want for the job function these users perform.

  • Validate that all users are in the “Users” group
  • Dale is a normal user and should not need any further permissions
  • Cindy is a Systems Engineer and will need to have full access to the computer to remotely manage the computer
  • Steve is from the Help Desk and will need to be able to login remotely and help Dale. However, Steve does not need to be able to fully administer the computer
  • Jeda is the Systems Engineering and Help Desk supervisor
  1. Create a group.
    1. Click Start > Control Panel > Administrative Tools > Computer Management.
    2. In the Computer Management window, expand System Tools > Local Users and Groups > Groups.
    3. Click Action > New Group.
  2. Enter the label System Engineering and select “create”
  3. Label the next group Help Desk
  4. Next create a new group and label the group Supervisors

  1. Now that we have the local groups created, we need to add users to the local groups.
  2. Right click on the local groups you created and add the users based on their role.

In the next portion of this lab we will assign permissions to the groups we have just created. There are built-in groups in Windows that most organizations use. However, for this lab we will explore the different options to create more role-specific access for groups of users.

  1. Click Start > Control Panel > Administrative Tools > Local Security Policy
  2. Expand local policies and select “User Rights Assignment”
  3. Review all of the listed options you have to choose from. There are a lot of options, so take care to review them all and become familiar with them. It may be helpful to sort the list by security setting to get an idea of what permissions the built-in groups have.
  4. Find the policy that will allow log on through Remote Desktop Services
  5. Right click on the policy and select “Properties”
  6. Note the two local groups that are listed as having the permissions that the policy provides.
  7. Thinking back to our scenario, we have Dale that needs to log in remotely as well as the Help Desk and the Systems Engineering team. Select “Add User or Group” and add the appropriate groups or individuals to the policy.

Take Note

You must select the option to allow both users and groups here. You must select the “Object Types” button to select “Groups”. See the screenshot below as an example of what is needed.

Now that we have given permissions to login remotely, we need to provide other permissions to restrict some access to the Help Desk group.

  1. Give the Help Desk Group the following permissions in addition to the log on through Remote Desktop Services we added in the step above.
    1. Restore files and Directories
    2. Allow log on locally
    3. Access this computer from the network
    4. Back up files and directories
    5. Change the system time
    6. Change the time zone
    7. Create symbolic links
    8. Debug programs
    9. Load and unload device drivers

The next portion will be to provide permissions to the System Engineering team. Now, you may be asking, “Why don’t we just add them to the local administrator group?” That is a great question. From a security perspective we want to avoid adding users directly into the built-in groups. From an account management perspective, it is easier to manage users that come and go from the organization if we design custom-built groups based on the user’s role.

  1. Grant the following permissions to the System Engineering group.
    1. Force shutdown from a remote system
    2. Manage auditing and security log
    3. Modify firmware environment values
    4. Perform volume maintenance tasks
    5. Remove computer from docking station
    6. Take ownership of files or other objects
    7. Shut down the system
    8. Profile system performance
    9. Increase scheduling priority
    10. Adjust memory quotas for a process
    11. Create global objects
    12. Impersonate a client after authentication

  1. The final step here is to provide the System Engineering group the same privileges as the Help Desk group. We must ensure the System Engineering team has the same permissions as the Help Desk team without giving the Help Desk team the same permissions as the System Engineers.
    1. Open Computer Management
    2. Expand the Local Users and Group menu item
    3. Select Groups
    4. Add Cindy, the Systems Engineer to the Help Desk Group
    5. Also add Jeda, the supervisor, to the Help Desk group

Now we have our users created, assigned to groups based on their roles within the organization, and we have customized permissions added to the new roles-based groups we created. Log out of your Windows VM and RDP back into the Windows VM with the new users you created and try to install software or modify things on the VM. Take note of things you can and cannot do with each user.
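To document the resulting control, the rights assigned above can be exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and compared with the role requirements. The following is an added example, not part of the original lab: it parses a constructed sample of such an export and lists which high-impact rights each custom group holds, which matters for the requirement that Steve not be able to fully administer the computer. The sample data and the `HIGH_IMPACT` selection are assumptions made for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file, not real
# lab output. Entries starting with * are SIDs; the rest are account names.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,Dale,Help Desk,System Engineering
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,Help Desk
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,Help Desk
SeDebugPrivilege = *S-1-5-32-544,Help Desk
SeLoadDriverPrivilege = *S-1-5-32-544,Help Desk
SeTakeOwnershipPrivilege = *S-1-5-32-544,System Engineering
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,System Engineering
[Version]
signature="$CHICAGO$"
"""

# Rights from the lab's lists that bypass file permissions, reach other
# processes or the kernel, or act as another user (selection is an assumption).
HIGH_IMPACT = {
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeDebugPrivilege": "Debug programs",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
}

def parse_rights(inf_text):
    """Map each privilege constant to the list of principals holding it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the constants' original case
    cp.read_string(inf_text)
    return {name: [p.strip() for p in value.split(",") if p.strip()]
            for name, value in cp["Privilege Rights"].items()}

def high_impact_by_group(rights, groups):
    """For each group, list the high-impact rights it was granted."""
    return {g: sorted(label for const, label in HIGH_IMPACT.items()
                      if g in rights.get(const, []))
            for g in groups}

if __name__ == "__main__":
    report = high_impact_by_group(parse_rights(SAMPLE_INF),
                                  ["Help Desk", "System Engineering"])
    for group, labels in report.items():
        print(f"{group}: {', '.join(labels) or 'none'}")
```

A real export is normally UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_rights`.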

The next phase of this lab will include creating users and permissions on the Kali VM. We have the same scenario as we did before:

  • Dale – Dale needs to log into the computer remotely and will be a normal user
  • Cindy – Cindy is a systems administrator and will need complete and unrestricted access to the computer
  • Steve – Steve is from the help desk and needs to have almost everything the systems administrator has for access
  • Jeda – Jeda is a supervisor for the Systems Engineering team and the Help Desk
  1. Connect to your Kali VM
  2. Open a Terminal Window
  3. Enter the below commands to create a user account and a password for each of our users (remember Linux is case sensitive!!)
    1. useradd username
    2. passwd username

Now that the users are added and their passwords are set, we want to allow the users to ssh into the Kali VM. Follow the below steps to permit the newly created users to ssh.

  1. From the command prompt edit the sshd_config file
    nano /etc/ssh/sshd_config
  2. Next add the below statement for each new user that was created (enter the tab key and NOT a space)
    AllowUsers         cindy     steve     jeda       dale
  3. When you are done adding the new users restart the sshd service with the following command
    systemctl restart sshd

Next we want to add a few new groups to add the users to. Groups in Linux are different than the groups we saw in Windows. There are many different options, but generally speaking, the “root” user is the system’s administrator and then there is everyone else. There are not the same built-in groups.

  1. Enter the below commands to create three groups (helpdesk, systemengineering, & supervisors)
    groupadd helpdesk
    groupadd systemengineering
    groupadd supervisors

Now we want to add the newly created users to these newly created groups based on their roles

  1. Enter the following commands to add users to their respective groups
    usermod -a -G helpdesk steve
    usermod -a -G systemengineering cindy
    usermod -a -G supervisors,systemengineering,helpdesk jeda

For the final stage in this section, we will give permission for Cindy and Jeda to “su” in the Kali Linux VM. These users require these permissions to be able to manage the Kali VM. Enter the below commands to add Cindy and Jeda to the “sudo” group:

usermod -a -G sudo cindy
usermod -a -G sudo jeda

Now that we have added Jeda and Cindy to the sudoers group we need to verify their access. You will need to use the “root” password to “su” for elevated permissions.

  1. SSH in as the users Cindy and Jeda
  2. Enter the command “su” once you are connected via ssh
  3. You should see the command prompt change indicating the role has changed to root
  4. Use the “whoami” command to validate your permissions level
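The lab's emphasis on testing and documenting controls applies to the Kali configuration as well. The following added example (not part of the original lab) compares the `AllowUsers` entries and supplementary group memberships with the role matrix from the commands above; the file contents are constructed samples, and `AllowUsers` patterns and `Match` blocks are not handled.

```python
# Constructed samples standing in for /etc/ssh/sshd_config and /etc/group.
SSHD_CONFIG = "Port 22\n#AllowUsers olduser\nAllowUsers\tcindy\tsteve\nallowusers\tjeda\n"
ETC_GROUP = """\
sudo:x:27:kali,cindy
helpdesk:x:1001:steve,jeda
systemengineering:x:1002:cindy,jeda
supervisors:x:1003:jeda
"""

# Supplementary groups each user should hold, taken from the lab's commands.
EXPECTED = {
    "dale": set(),
    "cindy": {"systemengineering", "sudo"},
    "steve": {"helpdesk"},
    "jeda": {"supervisors", "systemengineering", "helpdesk", "sudo"},
}

def allowed_users(config_text):
    """Collect names from every AllowUsers line (keyword is case-insensitive)."""
    users = set()
    for line in config_text.splitlines():
        parts = line.split()  # a commented-out line yields "#AllowUsers", no match
        if parts and parts[0].lower() == "allowusers":
            users.update(parts[1:])
    return users

def memberships(group_text):
    """Map each user to the groups that list it as a member."""
    result = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            for member in filter(None, fields[3].split(",")):
                result.setdefault(member, set()).add(fields[0])
    return result

def audit(config_text, group_text, expected):
    """Return one finding per deviation from the expected role matrix."""
    allowed, groups = allowed_users(config_text), memberships(group_text)
    findings = []
    for user, want in sorted(expected.items()):
        have = groups.get(user, set())
        if user not in allowed:
            findings.append(f"{user}: not in AllowUsers")
        findings += [f"{user}: missing group {g}" for g in sorted(want - have)]
        findings += [f"{user}: unexpected group {g}" for g in sorted(have - want)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SSHD_CONFIG, ETC_GROUP, EXPECTED)) or "no deviations")
```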

© 2023 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.
