Midterm Study Guide CSED 430 October 2007 This guide may be added to; if so, I'll send an email notice. ===================================================== Next Monday's exam will be open-book Hardware (motherboards, etc) and wireless configuration will NOT be on the exam. ====================================================== Some topics with references: NTFS and file permissions chapter 5 of DiNicolo, pp 149-156 (Local) User Rights Domains v standalone What Domain Controllers do for a living DiNicolo chapter 3 has a lot on Active Directory, which is what makes a machine a Domain Controller. Also see the MS documents on my web page. How to prohibit new executables, and some ways that *don't* work Microsoft Software Policy Group Policy and GPOs Active Directory: users, groups, domains, OUs, GPOs Chapter 3 of DiNicolo, and Chapter 4 up through 4-8. What a "profile" is: the collection of all user settings ==================================== MS examples covered: 1. MicroSoft SteadyState (formerly: Shared Computer Toolkit) Strategies for securing a "standalone" (ie NOT connected to a domain) XP workstation. Specific techniques: * MS Disk Protection (similar to DeepFreeze, CenturionGuard, etc) * Local Security Policy Software Restrictions * NTFS permissions 2. Common Scenarios Strategies for securing workstations that ARE part of a domain, using Group Policy Objects (GPOs) Lightly Managed Mobile Heavily Managed Multi-User Appstation TaskStation Kiosk ============================================================== Here are a few sample questions: 1. One way to change a site's password policy is to edit the Default Domain Policy GPO. What is the drawback to that approach, and what is an alternative approach? 2. What are some of the advantages and drawbacks to giving each user their own individual profile? 3. If all users share the same profile, you probably want to disallow saving icons on the desktop. How could you implement that restriction using file permissions? 4. What are some other system restrictions you might want to implement if all users share the same profile? 5. Discuss how to use multiple Organizational Units (OUs) to arrange for decreasing system restrictions for freshmen, sophomores, juniors, and seniors. 6. Suppose you want juniors to encounter more restrictions than seniors, but also to have special permissions (reduced restrictions) for students (either juniors or seniors) in the theater class. Explain why OUs may not be the easiest way to implement this, and suggest an alternative. 7. Suppose we have two GPOs, G1 and G2, linked (in that order) to an OU A. Any user or machine in A, then, is subject to both G1 and G2. Explain how we could achieve the same effect using two nested OUs, each associated with a single GPO. 8. Suppose we want to leave a certain software application, foo.exe, on the machine, but prevent its use by students. (a). Suppose we remove it from the student start menu. Can students still run the program? If so, how? (b). Suppose we make the software readable by everyone, but we DENY execute permission to the STUDENTS group. Can students still run the program? If so, how?