14.4.1.2 Lab – Troubleshoot Security Problems (Answers)
Introduction
In this lab, you will diagnose the cause of various access security problems and solve them.
Recommended Equipment
- One computer running Windows
Scenario
Company XYZ has hired Devon to manage the training department. Shawna was also hired as a temporary employee to replace Brooks, who is no longer working for the company. You must solve access security problems for the training department. You might need to access the computers as each user and the administrator. Make sure to document the problems and the solutions.
There are several possible errors. Solve one problem at a time until there are no more access problems. Use the following tables when solving problems. The user account information is listed in Table 1. Use only the groups shown in Table 2. They are set up with the proper permissions. The instructor will provide the administrator’s account information.
Table 1: Accounts
User Name | Password | Group for User |
---|---|---|
Brooks | Cisco2001 | Guests |
Devon | Cisco2010 | Academy Student |
Shawna | Cisco2100 | Guests |
Administrator user name: Answers will vary | Administrator password: Answers will vary | Administrators |
Table 2: Groups
Groups | Group Permissions |
---|---|
Academy Student | Read & Execute, List Folder Contents, Read, Write |
Guests | Read & Execute, List Folder Contents, Read |
Administrators | Full Control |
Note: There is a file, with a message, in the C:\ITE\Class01 folder.
Answers Note: Students might not solve problems in the same order shown in the Answers document. Students might notice more than one problem at a time while troubleshooting. Remind students to correct and document one problem at a time.
Answers Note: The tables below summarize the correct users and groups and the associated file and folder permissions.
Table 3: Correct Groups and User Accounts
Groups | Group Permissions | Users |
---|---|---|
Academy Student | Read & Execute, List Folder Contents, Read, Write | Devon |
Guests | Read & Execute, List Folder Contents, Read | Shawna; Brooks (Account should be disabled) |
Administrators | Full Control | Use local admin account set. |
Correct file and folder Permissions Settings for C:\ITE\Class01
File Name | Users | Folder Permissions | File Permissions |
---|---|---|---|
Curriculum.txt | Shawna | Read & Execute, List Folder Contents, Read | Read & Execute, Read |
Curriculum.txt | Brooks | Account should be Disabled | Account should be Disabled |
Curriculum.txt | Devon | Read & Execute, List Folder Contents, Read, Write | Read & Execute, Read, Write |
Curriculum.txt | Admin | Full Control | Full Control |
Lab Setup
In this section, set up the computers with all problems from the list below. The account ITEAdmin is used as the account with administrative privileges in this example.
Important: Tables in the Lab Setup section show the groups, user accounts, and folder and file permissions. Follow the steps to set up initial permissions settings. Test the initial permissions settings to make sure they function properly. Make the indicated changes to create a security breach or access problems.
In this section, a number of problems are introduced for troubleshooting user and group permissions. Below is a summary of problems.
- Brooks’ account is not disabled.
- Incorrect password for Devon’s account.
- Incorrect permission set for the Class01 folder for the group Academy Student.
- Incorrect group assignment for Shawna.
Step 1: Create the Users and Groups.
- Create three user accounts.
- Control Panel > Administrative Tools > Computer Management.
- Expand Local Users and Groups > Right-click Users > Select New User.
- Create the user Brooks. Enter Cisco2001 for the password. Unselect User must change password at next logon. Select User cannot change password checkbox. Click Create.
- Create the user Shawna. Enter Cisco2100 as the password. Unselect User must change password at next logon. Select User cannot change password checkbox. Click Create.
- Create the user Devon. Enter Cisco2222 as the password. Unselect User must change password at next logon. Select User cannot change password checkbox. Click Create. Click Close when finished.
- Create Academy Student group and add users to the group.
- Right-click Groups and select New Group.
- Create a new group named Academy Student.
- Click Create. Click Close when finished.
Step 2: Place the users in the appropriate groups.
- Place Devon and Shawna in the Academy Student group:
- Double-click the group Academy Student.
- Click Add.
- In the Enter the object names to select field, type Devon; Shawna > click OK > OK.
- Place Brooks in the Guests group:
- Double-click the Guests group.
- Click Add.
- In the Enter the object names to select field, type Brooks > click OK > OK.
Step 3: Create the folders and text file.
- Create the directory tree C:\ITE\Class01.
- Add the file Curriculum.txt to the Class01 folder. Open the file and add the following text: Can you add text to this file?. Save the changes.
Step 4: Set up the folder and file permissions.
In this step, the permissions are assigned to their respective groups.
Note: ITEAdmin is used as the user account with administrative privileges in this example.
- Navigate to C:\ITE and right-click Class01 and select Properties.
- Select the Security tab > Click Advanced > click Change Permission > unselect Include inheritable permissions from this object’s parent > click Remove > click OK > click Yes > click OK.
Note: For Windows 8, select the Security tab > click Advanced > click Disable inheritance > click Remove all inherited permissions from this object. > click OK > click Yes.
- Click Edit. Click Add. In the Enter the object names to select field, type Academy Student; Guests; ITEAdmin > click OK.
- Set the group folder permissions for C:\ITE\Class01:
- In Group or user names, select ITEAdmin. Select Allow Full control.
- Select Academy Student. Verify only the following permissions are selected: Read & Execute, List Folder Contents, Read, and Write.
- For the group Guests, verify only the following checkboxes are selected: Read & Execute, List Folder Contents, and Read. Click OK > OK.
- Navigate to C:\ITE\Class01, change the file permission for the Curriculum.txt. Right-click Curriculum.txt > select Properties > click Security tab > Edit > select group Academy Student > select Deny Full Control checkbox > click OK > click Yes > click OK.
Troubleshooting
You will try to log on as the users Brooks, Shawna, and Devon and determine the possible issues. You will fix possible security issues using an account with administrative privileges.
Step 1: Determine security issues with Brooks’ account.
Log on to the computer as Brooks and save text to the file C:\ITE\Class01\Curriculum.txt.
Using the information from the tables in the Scenario section, should Brooks be able to log on to the computer and change the file? Explain.
Brooks’ account should be disabled because Brooks is no longer with the company.
Can Brooks log on to the computer? Can Brooks access the file?
Brooks can log on to the computer and have read access to the file.
If you determine there is a security breach, how would you fix and validate the solution?
Brooks’ account should be disabled. To disable Brooks’ account:
Log in using an account with administrative privileges. Click Control Panel > Administrative Tools > Computer Management. Open User account Brooks > select Account is disabled > click OK.
To validate the solution, try logging on to the computer as Brooks.
Step 2: Determine security issues with Devon’s account.
Log on to the computer as Devon and save text to the file C:\ITE\Class01\Curriculum.txt.
Using the information from the tables in the Scenario section, should Devon be able to log on to the computer and change the file? Explain.
Yes. Devon’s account is allowed to log on to the computer, and Devon has write access to the file because he is part of the Academy Student group.
Can Devon log on to the computer? Is the account disabled? Do you have the correct password? Explain the problem.
Devon cannot log on to the computer because the account was set up with an incorrect password.
How would you fix the issue and validate the solution?
To correct Devon’s password:
- Log in using an account with administrative privileges.
- Click Control Panel > Administrative Tools > Computer Management. Right-click User account Devon > select Set Password > click Proceed. Type Cisco2010 twice > Click OK > Click OK.
To validate the solution, log in as Devon.
Navigate to C:\ITE\Class01. Can Devon write to the file? Is there a permission issue? Explain.
Devon cannot access the file. The file permission is set to deny access.
How would you fix the issue and validate the solution?
The permission is set incorrectly for the Academy Student group.
- Navigate to C:\ITE\Class01.
- Right-click Curriculum.txt > select Properties > click Security tab > click Edit > select group Academy Student > unselect all the checkboxes in the Deny column > click OK > click OK.
- Note: In Windows 8, Right-click Curriculum.txt > select Properties > click Security tab > click Advanced > select Academy Student > Edit > click Clear all > OK > OK > OK.
To validate the solution, confirm that Devon can read and write the file.
Step 3: Determine security issues with Shawna’s account.
Log on to the computer as Shawna and save text to the file C:\ITE\Class01\Curriculum.txt.
Using the information from the tables in the Scenario section, should Shawna be able to log on to the computer and change the file? Explain.
Shawna should be able to log on to the computer. Shawna’s account should only have read access to the file because Shawna is part of the Guests group.
Can Shawna write to the file? Explain.
Shawna can write to the file. The permission for Shawna is incorrect because Shawna belongs to the wrong group.
How would you fix and validate the solution?
Shawna is in the wrong group. To place Shawna in the Guests group:
- Remove Shawna from group Academy Student. Click Control Panel > Administrative Tools > Computer Management. Open group Academy Student, select Shawna > click Remove > click OK.
- Add Shawna to group Guests. Open group Guests > click Add > type Shawna > click OK > click OK.
To validate the solution, log in as Shawna and access the file. Shawna can only read the file.
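The three fixes above can also be checked in one pass from an elevated PowerShell session. The script below is an added example, not part of the lab; it assumes PowerShell 5.1 or later with the LocalAccounts cmdlets and the account, group, and path names used in this document.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the lab: audits the corrected state from Table 3.
# Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
$folder   = 'C:\ITE\Class01'
$file     = Join-Path $folder 'Curriculum.txt'
$write    = [int][System.Security.AccessControl.FileSystemRights]::Write
$findings = @()

function Test-Member($Group, $User) {
    # Members are returned as COMPUTER\Name, so compare on the part after the backslash.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { ($_.Name -split '\\')[-1] -eq $User })
}

# Troubleshooting Step 1: Brooks has left the company, so the account must be disabled.
$brooks = Get-LocalUser -Name 'Brooks' -ErrorAction SilentlyContinue
if ($brooks -and $brooks.Enabled) { $findings += 'Brooks: account is still enabled' }

# Steps 2 and 3: group assignments from Table 3.
if (-not (Test-Member 'Academy Student' 'Devon')) { $findings += 'Devon: not in Academy Student' }
if (Test-Member 'Academy Student' 'Shawna')       { $findings += 'Shawna: still in Academy Student' }
if (-not (Test-Member 'Guests' 'Shawna'))         { $findings += 'Shawna: not in Guests' }

# Step 2: an explicit Deny takes precedence over Allow, so any Deny entry for
# Academy Student blocks Devon. Guests must not hold a write right on either object.
foreach ($path in $folder, $file) {
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $who    = ($ace.IdentityReference.Value -split '\\')[-1]
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny' -and $who -eq 'Academy Student') {
            $findings += "${path}: Deny entry for Academy Student ($($ace.FileSystemRights))"
        }
        if ($ace.AccessControlType -eq 'Allow' -and $who -eq 'Guests' -and ($rights -band $write)) {
            $findings += "${path}: Guests holds write rights ($($ace.FileSystemRights))"
        }
    }
}

# Devon's password cannot be read back from the account; validate it with a logon as in Step 2.
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else {
    Write-Output 'Accounts, groups and ACLs match Table 3.'
}
```

Each warning maps to one of the problems introduced in Lab Setup, so rerun the script after every fix to keep to the one-problem-at-a-time rule.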