MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)

Lab Objectives

This lab prepares you to secure access between Windows 2000 and heterogeneous networks by meeting the following objectives:

• Design secure access to Windows 2000 resources by Macintosh users
• Design secure access to Novell NetWare resources by Windows 2000 users
• Design secure access to Windows 2000 resources by UNIX users

About This Lab

This lab looks at the design decisions you must make in order to allow heterogeneous clients to participate securely in a Windows 2000 network.

Before You Begin

Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on designing your administrative structure.

Scenario: Contoso Ltd.

Contoso Ltd., an international magazine sales company, must design methods to securely integrate Windows 2000, Macintosh, NetWare, and UNIX resources that exist in the corporate network.

The Contoso Network

Contoso's Windows 2000 network uses an empty forest root named contoso.tld with three domains based on their geographic locations, as shown in Figure 16.8.

Figure 16.8 The contoso.tld forest structure

Users and computers at the Seattle, Lima, and London offices have their accounts located in the domain associated with their home office. This model is used both for users who access the network using only Microsoft clients and for users who access the network using Macintosh, NetWare, and UNIX clients.

Providing Access to Macintosh Clients

Several of the graphics personnel at Contoso use iMAC computers for creating graphics used in Contoso's magazine layouts. While some users use Macintosh computers exclusively, several users split their time between a Windows 2000 Professional workstation and an iMAC computer.

Contoso wishes to meet the following objectives when providing file and print access to the Windows 2000 resources on the network:

• All authentication information must be encrypted as it's transmitted across the network.
• Only authorized users will be allowed to log on from Macintosh computers.
• Three file servers are designated for access by Macintosh users: SFMLima, SFMSeattle, and SFMLondon. On each server, Macintosh users will have access only to the D:\Data and D:\Graphics folders.
• Macintosh users will require access to either the Data folder or the Graphics folder. No users will require access to both folders.
• Users must use the same password whether connecting to the network from Windows 2000 Professional computers or from Macintosh computers.
• All Macintosh users must be able to create, modify, delete, and read existing documents in the folders.

Providing Access to NetWare Resources

At the London office an older accounting software package runs on a NetWare 4.11 server named BIGRED. The data stored on the NetWare server is historical data that the accounting department frequently queries when it produces sales forecasts for the upcoming year. Members of the accounting department at each of the three offices must access the NetWare server to query the historical data.

Access to the NetWare 4.11 server must be secured so that only authorized members of the accounting department can access the data. Because the data is historical, members of the accounting department should have only read access to the data on the NetWare server. This configuration prevents any attempts to modify the data.

Sue Jackson, who's the administrator of the NetWare server, must have full access to the NetWare server from her Windows 2000 Professional client computer. Sue must be able to manage the NDS structure and assign trustee rights to all data stored on the NetWare server.

Your security design must consider the following issues faced by Contoso:

• The routers providing the WAN links to the London office from Seattle and Lima support only TCP/IP transmissions, as shown in Figure 16.9.

  Figure 16.9 Accounting clients at all three offices accessing the BIGRED NetWare server

• The user accounts that are used by Windows 2000 Professional users to access the NetWare server are stored in the naming context OU=accounting.OU=london.O=contoso.
• Access to the historical accounting stored on the BIGRED server must be limited to members of the accounting department.

Providing Access to UNIX Clients

The multimedia office at the Seattle office develops Internet-based Java content that advertises product offerings on the Internet. The graphic components of the Web presence are developed on Silicon Graphics, Inc. (SGI) UNIX workstations.

The SGI UNIX workstations must store the graphics and multimedia files that they create on a Windows 2000 server named GRAPHICS that's located at the Seattle office. You must develop a secure method for the graphics and multimedia files to be stored on the Windows 2000 server that meets the following business objectives:

• The UNIX users must place the graphics in the FromUNIX folder on the GRAPHICS server. The UNIX users must be able to create, read, modify, and delete any files in the folder.
• The UNIX users must use authenticated protocols to transfer data to the GRAPHICS server.
• Due to management concerns, authentication must not use plaintext when transmitted on the network.
• UNIX users shouldn't have to provide alternate credentials. The UNIX users should have to provide only the credentials stored at the UNIX NIS server named NISCONTOSO.contoso.tld, which is at the London office.

Exercise 1: Securing Macintosh User Access

This exercise looks at the design required to provide secure resources access to Macintosh users. Answers to these questions can be found in the appendix.

1. If some Contoso employees who use both Windows 2000 Professional and Macintosh computers implement passwords greater than eight characters, what must you include in your network design to allow the employees to authenticate at both of their computers?

2. Assuming that different users will require access to the Data and Graphics folders, how many Mac-accessible volumes must you create on each server hosting File Services for Macintosh?

3. How can you limit access to the data stored on the three servers to only authorized Macintosh users?

4. What file system is required on the D drive of the SFMLima, SFMSeattle, and SFMLondon servers?

5. What permissions must you assign to the global groups in each domain to allow required access to the data in the D:\Data and D:\Graphic folders?

6. Contoso has two employees named Francisco Ramirez. Each has a user account named FRamirez, but the two accounts are located in separate domains. Francisco Ramirez, a graphics artist at the Lima office, has an account in the lima.contoso.tld domain, and Francisco Ramirez, the Director of Marketing in London, has an account in the london.contoso.tld domain. Both users have found that they can log on to the network at their home offices, but when they travel to other offices, network authentication fails on their iBook Macintosh laptop computers. What must you do to ensure that they can log on to the network at all offices?

Answers

Exercise 2: Securing Access to NetWare Resources

This exercise looks at the design required to give secure resources access to resources stored on the NetWare network. Answers to these questions can be found in the appendix.

1. Can CSNW be installed on all Windows 2000 Professional computers to provide the accounting department members access to the historical accounting data stored on the BIGRED NetWare server?

2. The solution shown in Figure 16.10 has been proposed to allow the accounting personnel to access data on the BIGRED NetWare file server.

   Figure 16.10 Proposed solution to access historical accounting data on the BIGRED NetWare server

   • A GSNW server will be set up at the Seattle office to connect to the BIGRED NetWare server. All accounting clients at the Seattle office will access the data through the SeattleGate GSNW server.
   • A GSNW server will be set up at the Lima office to connect to the BIGRED NetWare server. All accounting clients at the Lima office will access the data through the LimaGate GSNW server.
   • A GSNW server will be set up at the London office to connect to the BIGRED NetWare server. All accounting clients at the London office will access the data through the LondonGate GSNW server.
   • The LondonGate, SeattleGate, and LimaGate GSNW servers will have both TCP/IP and NWLink IPX/SPX installed.

   Will this proposed solution work in the existing network environment? If not, what must you do to make the solution work?

3. The solution shown in Figure 16.11 has been proposed to allow the accounting personnel to access data on the BIGRED NetWare file server.

   Figure 16.11 Proposed solution to access historical accounting data on the BIGRED NetWare server

   • A GSNW server named LondonGate will be set up at the London office to connect to the BIGRED NetWare server. All accounting clients at the Lima, Seattle, and London offices will access the data through the LondonGate GSNW server.
   • The LondonGate GSNW server will have both TCP/IP and NWLink IPX/SPX installed.

   Will this proposed solution work in the existing network environment? If not, what must you do to make the solution work?

4. Can Sue Jackson use a GSNW solution to manage the NetWare server from her Windows 2000 Professional client computer? If not, what must you do to provide her administrative access?

5. What must you do at the GSNW server to ensure that only the accounting department can access the BIGRED NetWare server?

6. What naming context must you define in GSNW to authenticate the gateway account?

7. What must you do at the BIGRED server to grant the GSNW server access to the historical accounting data?

Answers

Exercise 3: Securing UNIX User Access

This exercise looks at the design required to provide secure resources access to UNIX users. Answers to these questions can be found in the appendix.

1. What security risks would prevent the use of FTP to transfer the graphics and multimedia files to the GRAPHICS server?

2. What service from the Services for UNIX 2.0 suite will allow the UNIX users to securely transfer data to the FromUNIX folder on the GRAPHICS server?

3. What must you do to provide single sign-on capabilities to the UNIX users so that they don't have to enter alternate credentials when they access the GRAPHICS server?

4. What permissions must be configured at the FromUNIX folder to meet security requirements?

5. What can you do to ensure that the passwords for the Active Directory accounts match the passwords for the UNIX UIDs?

Answers