Week 4: Sept 24

Read: DiNicolo pp 16-25 on Active Directory, pp 55-65 on using it
(may be hard to follow until it's in front of you)

Windows DOMAIN: a logical group of networked computers that share a central
directory database of user account/security info....

Review of PROFILEs

=============================================================
Basic security groups

  Administrators: can do anything
  Power Users:    can install software, change settings, propagate viruses
  Users:          read-only for most of system
  Guest:          disabled by default

Group Policy: [ignore for now]  gpedit.msc
  group settings
  File permissions settings

=============================================================
LOCAL SECURITY POLICY (under "Administrative Tools"): what you can do

  Account Policies
    password
    lockout
  Local Policies
    audit
    user rights assignment
    security options
      interactive logon: message text for users attempting to log on...
  Public Key Policies
    encrypting file system
  Software Restriction Policies
  IP Security Policies

Most of these settings "live" in the registry. MANY other settings live there
too, but there's no easy way to tweak them. File permissions do NOT live in
the registry.

=====================

Prohibiting software INSTALLATION: what does this mean?
  * prohibiting writing to the disk?
  * prohibiting new executables?
Big difference.

Prohibiting unauthorized programs: My son's HS:
  * only approved apps are on a special menu. CMD is not there.
    (The START menu is itself disabled)
  * The RUN command is disabled.
  * Taskmgr RUN is also disabled

Question: How do you run something unapproved?

  ' VBA macro: Shell() launches an external program and returns its task ID
  Sub foo()
      pid = Shell("c:\software\googleearth\GoogleEarth.exe")
  End Sub

  1. Word => Tools => Macro => Visual Basic Editor
  2. Insert => Module
  3. Paste in the code above
  4. Run it

==================================================

1. Don't hide things. Make bad behavior impossible instead.
   Don't hide the registry editor; lock the registry entries!
   Don't hide software; make it impossible to run things.
   Whatever you do, don't leave cmd as a possible workaround.

How to make it impossible to execute software in a given directory:
  (a) try with NTFS permissions. Doesn't work well.
  (b) try with Software Restriction Policy

========================================================
Software Restriction Policies
========================================================

Example of having software restrictions

Default rule: Disallowed vs. Unrestricted

Rule types:
  Hash:          fingerprint of allowed/disallowed programs
  Certificate:   code can be signed; *may* be more general than hash
  Path:          normal people use this
  Internet Zone: only for software run *within* Internet Explorer

Demo: c:/pld/430/noexecute/pldbin
  change pldbin1 to pldbin2
  try running from command line

One possible POLICY: Set PATH rules in Software Restriction Policy so that
software can only be run from directories that are read-only (to ordinary
users).

Look in registry for pldbin1, syzygy
Notice how LISTS of directories are stored in the registry: the KEY names are
random!

Software restrictions in conjunction with file permissions

Some useless software restrictions: hash, etc

The programmer problem: students in programming classes MUST be able to run
programs they just compiled

==============================================================================
Lab:

1. Try to find out if Alice is a "limited account" or not
2. Try to CHANGE that status (hint: add or remove alice from "Power Users")
3. Take away alice's right to write to the desktop; see how Windows deals
   with that. Real question: how "friendly" is Windows about saying no?
4. What if we create a folder within Alice's home dir, owned by Administrators
   and readable only by Administrators. Can we remove it? If not, make it
   readable by all but writable only by admin & try again.
5. Get wireless network working
   hub IP address: 10.20.0.200; hub acct/passwd: ""/"hoofpick"
   get wireless connectivity
   get an IP address (set manually to 10.20.0.??)
   control panel => wireless network => properties => tcp => properties =>
     use the following IP address
       10.20.0.xx
       255.255.255.0
   ping 10.20.0.200
   try to see the hub web page
   plug the hub into the internet; see what happens then!

Problem: hub failed to respond at all
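Back to the Software Restriction Policy section above. The notes make two points worth checking with a script: the "only run from read-only directories" policy is really two mechanisms working together (SRP path rules plus NTFS permissions), and the directory lists live in the registry under random-looking key names. The PowerShell below is an added example, not part of the course notes or of DiNicolo; it assumes the standard machine-wide SRP location HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, where each security level is a subkey named by its numeric level (0, 131072, 262144) and each path rule is a GUID-named subkey under <level>\Paths with an ItemData value holding the path. It lists every path rule and flags any Unrestricted directory that ordinary users can write to, which is exactly the gap that would let someone drop their own executable into an allowed location.

```powershell
# Added example (not from the course notes): audit SRP path rules against NTFS
# permissions. Assumed registry layout:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
#     DefaultLevel            (REG_DWORD: 0, 131072 or 262144)
#     <level>\Paths\{GUID}    ItemData = path rule, Description = free text
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them (decimal names of the level subkeys).
$Levels = @{
    0      = 'Disallowed'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

# Identities that stand for "ordinary users". A write grant to any of these on
# an Unrestricted directory defeats the read-only-directories policy.
$BroadIdentities = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-SrpDefaultLevel {
    if (-not (Test-Path $Base)) { return 'none (no SRP configured)' }
    $v = (Get-ItemProperty -Path $Base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $v) { return 'not set' }
    if ($Levels.ContainsKey([int]$v)) { return $Levels[[int]$v] }
    return "unknown ($v)"
}

function Get-SrpPathRules {
    foreach ($level in $Levels.Keys) {
        $pathsKey = Join-Path $Base "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        # The GUID-named subkeys are the "random keys" the notes point out.
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $Levels[$level]
                RuleKey     = $rule.PSChildName
                Path        = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
                Description = [string]$p.Description
            }
        }
    }
}

# Emit each broad identity that holds Write/Modify/FullControl on a directory.
function Get-BroadWriters {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadIdentities -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $WriteMask)) {
            $ace.IdentityReference.Value
        }
    }
}

Write-Host "SRP default level: $(Get-SrpDefaultLevel)"
foreach ($rule in Get-SrpPathRules) {
    # Wildcard rules and registry-path rules (%HKEY_...%) are not directories.
    if (-not (Test-Path -LiteralPath $rule.Path -PathType Container)) {
        $status = 'not a plain directory (wildcard or registry-path rule?)'
    }
    else {
        $writers = @(Get-BroadWriters -Directory $rule.Path | Sort-Object -Unique)
        if ($rule.Level -eq 'Unrestricted' -and $writers.Count -gt 0) {
            $status = "WRITABLE by $($writers -join ', ')"
        }
        else { $status = 'ok' }
    }
    Write-Host ("{0,-12} {1,-45} {2}" -f $rule.Level, $rule.Path, $status)
}
```

Read the output against the demo: with pldbin1 allowed by an Unrestricted path rule, the "ok" result depends entirely on the NTFS ACL of that directory, which is why the notes pair the two mechanisms. A "WRITABLE" line is the finding to fix (tighten the ACL or drop the rule); the "not a plain directory" lines are the wildcard and registry-path rules that Windows itself installs and need a different check.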