This lab prepares you to secure file and print resources by meeting the following objectives:
This lab looks at three topics:
Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on building your administrative structure.
Contoso Ltd., an international magazine sales company, wants to design security for all user home directories, security for a transfer file location, print security for the legal department, and EFS security for the mobile sales people.
The following folder structure will exist on a DC located at either the Seattle, Lima, or London location. The user's home folder is stored on a DC at his location.
You will create a folder structure on each of the DCs, as shown in Figure 6.13.
Figure 6.13 The users' directory structure
The d:\Users folder will be located on an NTFS partition to allow local file security to be defined for all folders in the hierarchy.
You will define the following shared folders on the network to allow administrators to access all folders and to allow users to access their home folders and the shared folder.
Shared Name | Location | Purpose |
---|---|---|
Users | D:\users | To provide an entry point that allows access to all user home directories and the shared folder (subject to NTFS permissions). Must be accessible by all users of the network. |
User# | D:\users\User# | The personal home folder for User#. In practice, User# would be replaced with the user's logon name. Should only be accessible by the user associated with the personal home folder. |
To provide more specific security, Contoso has defined the following NTFS permissions requirements:
In a separate case, the legal department is concerned that highly confidential documents related to the acquisition of another company may have been compromised when a printed copy of a document went missing.
The legal department wants a printer that only its members can use, that's physically accessible only by its members, and whose print jobs aren't subject to inspection as they are sent to the printer.
Contoso has several salespeople who use a laptop computer as their primary computer. The salespeople connect to the network every day to download their latest pricing database. This database is key to the salespeople because it sets the pricing for that day for the products that they will sell.
Over the past few months laptops have been stolen from some of Contoso's salespeople. While it may be just a coincidence, a competing magazine sales company has released a pricing strategy that undercuts all Contoso pricing.
Management is concerned about the effects of the stolen laptops and wants to better secure the pricing database and other key documents found on the salespeople's laptops. Management isn't concerned about desktop computers located at Contoso offices.
The IT department must design local file security for the pricing database so that only the laptop's user can access the data. In addition, a folder must be provided to allow documents to be encrypted when placed within the folder. The IT department wants to ensure that only salespeople have this ability. They want to prevent all other users from using EFS to encrypt data on their computers until they develop a recovery strategy for the EFS encryption.
For each domain, you must define a recovery agent account that allows recovery of encrypted data on the salespeople's laptops. The recovery agent must not exist as an account on the network. If data must be recovered from a user's laptop, the user must go into her home office in London, Seattle, or Lima. A network administrator then uses the recovery key to recover any encrypted files. The administrator must work with another administrator to attach the EFS recovery private key to the administrative account. Once the recovery is performed, a second administrator must verify the removal of the EFS recovery private key from the administrator's account.
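One way the second administrator could perform the verification step described above, run in the logon session of the administrator who did the recovery (an added example, not part of the lab; the function name `Get-EfsRecoveryKeyRemnant` is hypothetical, and it assumes PowerShell is available and that the recovery certificate carries the standard File Recovery enhanced key usage, OID 1.3.6.1.4.1.311.10.3.4.1):

```powershell
# Added example: check that no EFS recovery private key remains in the
# current user's personal certificate store after a recovery session.
# Assumption: the recovery certificate has the File Recovery EKU below.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryKeyRemnant {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        $cert = $_

        # Collect the Enhanced Key Usage extensions on this certificate.
        $ekuExtensions = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }

        # Flag the certificate if any EKU entry is File Recovery.
        $isRecovery = $false
        foreach ($ext in $ekuExtensions) {
            if ($ext.EnhancedKeyUsages.Value -contains $FileRecoveryOid) {
                $isRecovery = $true
            }
        }

        # Only a certificate that still has its private key can decrypt files.
        $isRecovery -and $cert.HasPrivateKey
    } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

$remnants = @(Get-EfsRecoveryKeyRemnant)
if ($remnants.Count -eq 0) {
    Write-Output 'PASS: no File Recovery certificate with a private key in this profile.'
} else {
    Write-Output 'FAIL: recovery private key still present in this profile:'
    $remnants | Format-Table -AutoSize
}
```

A File Recovery certificate that remains without its private key does not fail the check, because the public certificate alone cannot decrypt files.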
This exercise looks at the design of Share and NTFS permissions to protect the d:\Users folder hierarchy based on the design requirements outlined in the lab scenario.
This exercise looks at designing the share permissions necessary for meeting Contoso's requirements for providing user home folders and a transfer folder. Answers to these questions can be found in the appendix.
This exercise looks at designing the NTFS permissions necessary for meeting Contoso's requirements for providing user home folders and a transfer folder. Answers to the questions can be found in the appendix.
Folder | Permissions |
---|---|
D:\Users | |
D:\Users\User1 | |
D:\Users\User2 | |
D:\Users\User3 | |
D:\Users\Transfer | |
This exercise looks at planning security for the legal department to secure the printing of highly confidential legal documents. Answers to these questions can be found in the appendix.
Group | Permissions |
---|---|
Administrators | |
Print Operators | |
Legal Department | |
Creator Owner | |
This exercise looks at planning the EFS deployment to provide local file encryption to laptop users. Answers to these questions can be found in the appendix.
Figure 6.14 The OU structure of Contoso's London office