CSED 430
Due: Nov 19

Your assignment is to develop a two-part document describing how to secure a hypothetical computer lab (either using a domain controller + Active Directory, or a set of standalone machines):

1. A set of POLICY GOALS describing what you want to achieve
2. A set of rules for IMPLEMENTING your goals; that is, the "mechanism".

Note that goals and mechanisms are quite separate, and you should begin with the former. One of the purposes of this assignment, in fact, is to encourage you to think in terms of what you want before you get too concerned about how to get it. Note also that some goals may in fact have no mechanism; that is, they may be impossible to implement. It happens.

We're talking about "security" goals pertaining to the operation of the workstation here. You might have other usage-related goals -- for example, prohibiting email with attachments, or prohibiting web browsing to certain sites -- but these involve network restrictions that aren't really about controlling the workstation operating environment.

For this assignment, you are free (within limits) to say you don't know how to implement a particular goal; you are also free to drop something from the goals section because you don't know how to implement it.

You are encouraged to spell out your mechanisms at the system management level (e.g., use the Local Security Policy tool to ....) rather than expressing your mechanisms as a utility-software application (e.g., use the Microsoft Shared Computer Toolkit User-Restrictions tool to disable ....). However, this also is not strictly required.

Some sample goals:

* prohibiting user modification of system files and programs
* prohibiting user modification of the registry
* prohibiting installation of new software
* prohibiting use of certain installed software
* prohibiting the saving of passwords, browser history, and other sensitive information

Note that "restoring all files to their original state upon every reboot" is arguably a mechanism, not a goal. Can you identify a goal that this mechanism achieves?

In the real world, one common "meta-goal" is to "play it safe"; that is, to do something in a way that is easily verifiable. Thus, Disk Protection might be considered safer than making-every-important-file-readonly, simply because it is easier to audit and verify. I'll leave it up to you to decide how much you want to incorporate "playing it safe" in your document.