DP Os


Question 1

A university has several academic functions as an organization. The management decides to


access the computers in the examination cell, and the students are not allowed to access any
information stored on the computers in the examination cell. Suggest a solution in your
operating system. State clearly the assumptions that you have made.

Expectations

• State some of the vulnerabilities in the operating system which can be exploited remotely.

• Clearly design a network of the university for which you have to implement the solution.

• Develop a policy of how machines should be allowed access to the examination cell
computers which are to be safeguarded.

• State the role of system administrators in this process.

• Give IPTABLES for the network you have thought of.

• What more changes would you make on the machines to make them secure?

Solution

Vulnerabilities in the operating system


1) Computer crime attacks are continuing to grow in seriousness. These facts suggest that
network security is a contradiction in terms for many organizations. The reality of network
information security is that in too many instances we do not know who is doing what, where,
when and how.
2) Protecting network information is difficult today. Information is being produced, massaged,
distributed and updated in such an avalanche that it appears to be handled as in the old days,
without sufficient control, review or administration.

3) Network security is weak and sometimes even nonexistent for several reasons. For instance,
network administrators often understand that while security is an important part of their job,
management evaluates their performance by how available, open, transparent and
unrestrictive their network is.

4) Peer-to-Peer networking systems (both Windows and Macintosh AppleTalk) for
Workgroups allow people on the network to share files and printers, which opens up your
files to anyone using another computer in the group.

5) Vendors often highlight security features. However, weak password schemes that do not
provide minimal user authentication enable knowledgeable people to easily break down
many security mechanisms. In addition, vendors often consider security secondary to more
"productive" network aspects.

6) Passwords are a weak form of protection for many reasons. One major reason is that
passwords depend on the weakest link in the computer and network security chain; namely,
the human user. Most users think that security procedures are a joke, and so they do not pay
sufficient attention to choosing passwords wisely or to protecting them.

There are several ways in which an intruder can attack password-protected systems. The
most common form of attack is password guessing. People often choose their own name,
username, telephone number, or some variant as their password; next, they choose the name
of family members or friends, pets, special interests, or some variant. An attacker can find this
information with the Finger utility, a known security weakness waiting to be exploited, which
displays the status of all currently active users complete with username, one item of
information that an attacker cannot do without. Finger listings also display the users' real
names; the PLAN.TXT and PROJECT.TXT files often supply additional personal
information with which an intruder can launch a password guessing attack, as well as
information about the last login. Many individuals' WWW pages supply even more personal
information.

Many systems even supply a GUEST account with no password, but do not strictly limit the
capabilities of that account.

7) Managers can also weaken security by regarding it as a cost, rather than as a necessity. This
is particularly true during the current downsizing movement.

8) Some applications, such as an FTP program, which allows you to get files from and send files to
another computer, may have an option in their configuration which allows other computers to
get into your computer and have access to your files while the program is running.

9) The primary weakness with Ethernet is that it is a broadcast system. Every message sent out
by any computer on an Ethernet LAN segment reaches all parts of that segment and
potentially could be read by any computer on the segment. Sniffing type programs can
record, read and analyze all the messages on a segment. Actually others can read your
password and subsequently login to any account. They can also change the information and
forge totally different messages.

10) Some security risks arise from the possibility of intentional misuse of our computers by
intruders via the Internet. Others are risks that we would face even if we weren't connected
to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that we
probably cannot plan for every possible risk. The good news is that we can take
some simple steps to reduce the chance that we'll be affected by the most common threats,
and some of those steps help with both the intentional and accidental risks we're likely to
face.

There is a central examination cell which acts as the server from which papers are transferred to the
different labs of the university, which are connected to the server. We want to design a network
which is local to the college, using a class A IP network. The different labs are also
connected to each other through a password-protected layer, i.e. from one lab to another we
provide access only to those files which are allowed by the administrator (shown
by ). Moreover, the network within a lab is a peer-to-peer LAN among the lab's
computers, and data transfer is allowed only with the permission of the administrator.
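
The question asks for IPTABLES, and the design above has the examination cell server push papers out to the labs while lab machines get no way in. The script below is an added example, not part of the original answer: it emits a default-deny host ruleset for that server in iptables-restore format. Every address, subnet and port in it is an assumption chosen from class A private space.

```shell
#!/bin/sh
# Added example: host firewall for the examination cell server, emitted in
# iptables-restore format. Every address, subnet and port is an assumption.
ADMIN_HOSTS="10.1.0.10 10.1.0.11"   # assumed administrator workstations
EXAM_NET="10.1.0.0/24"              # assumed examination cell subnet
LAB_NETS="10.2.0.0/16 10.3.0.0/16"  # assumed student lab subnets
ADMIN_PORT=22                       # assumed remote administration port (SSH)

gen_rules() {
    echo "*filter"
    # Default deny for inbound and forwarded traffic; the server may still
    # open outbound connections to push papers to the labs.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections the server itself started.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Diagnostics from inside the examination cell only.
    echo "-A INPUT -s $EXAM_NET -p icmp --icmp-type echo-request -j ACCEPT"
    # Remote administration only from the named administrator machines.
    for h in $ADMIN_HOSTS; do
        echo "-A INPUT -s $h -p tcp --dport $ADMIN_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Lab machines never start a session with the server: log, then reject.
    for n in $LAB_NETS; do
        echo "-A INPUT -s $n -m limit --limit 6/min -j LOG --log-prefix \"EXAMCELL-LAB-DENY: \""
        echo "-A INPUT -s $n -j REJECT --reject-with icmp-admin-prohibited"
    done
    echo "COMMIT"
}

# Count ACCEPT rules whose source is a lab subnet; the policy requires 0.
lab_accept_count() {
    count=0
    for n in $LAB_NETS; do
        c=$(gen_rules | grep -c -- "-s $n .*-j ACCEPT" || true)
        count=$((count + c))
    done
    echo "$count"
}

# Review the output, then check it with: gen_rules | iptables-restore --test
gen_rules
```

The rejected lab traffic appears in the kernel log under the `EXAMCELL-LAB-DENY: ` prefix, which gives the administrator a record of access attempts from the labs.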

Policy design for allowing access in labs for examinations, so that tests can be conducted safely

Permissions for files and folders

Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents,
Read, and Write. Each of these permissions consists of a logical group of special
permissions that are listed and defined in the following sections.

Note: This article assumes that we are using Windows XP on a domain. By default,
simplified sharing is enabled in Windows XP if you are not connected to a domain. This
means that the Security tab and advanced options for permissions are not available.

If you are not joined to a domain and want to view the Security tab, see the "Set, view,
change, or remove special permissions for files and folders" section in this article.

Troubleshooting

If the Security tab is not available and you cannot configure special permissions for users
and groups, you may be experiencing the following issues:

• The file or folder where you want to apply special permissions is not on an NTFS drive.
You can set permissions only on drives that are formatted to use NTFS.
• Simple file sharing is turned on. By default, simplified sharing is turned on.

Note: Although the List Folder Contents and the Read & Execute folder permissions
appear to have the same special permissions, these permissions are inherited differently. List
Folder Contents is inherited by folders but not files and it only appears when you view
folder permissions. Read & Execute is inherited by both files and folders and is always
present when you view file or folder permissions.

Note: In Windows XP Professional, the Everyone group does not include the Anonymous
Logon group.

Special permissions defined


You can set any or all the following special permissions on files and folders.

Traverse Folder/Execute File

For folders: The Traverse Folder permission applies only to folders. This permission
allows or denies the user from moving through folders to reach other files or folders, even if
the user has no permissions for the traversed folders. Traverse Folder takes effect only
when the group or user is not granted the Bypass Traverse Checking user right. The
Bypass Traverse Checking user right is set in the Group Policy snap-in. By
default, the Everyone group is given the Bypass Traverse Checking user right.

For files: The Execute File permission allows or denies running program files.

If you set the Traverse Folder permission on a folder, the Execute File permission is not
automatically set on all files in that folder.

List Folder/Read Data


The List Folder permission allows or denies the user from viewing file names and subfolder
names in the folder. The List Folder permission applies only to folders and affects only the
contents of that folder. This permission is not affected if the folder that you are setting the
permission on is listed in the folder list.

The Read Data permission applies only to files and allows or denies the user from viewing
data in files.

Read Attributes

The Read Attributes permission allows or denies the user from viewing the attributes of a
file or folder, such as read-only and hidden attributes. Attributes are defined by NTFS.

Read Extended Attributes


The Read Extended Attributes permission allows or denies the user from viewing the
extended attributes of a file or folder. Extended attributes are defined by programs and they
may vary by program.

Create Files/Write Data


The Create Files permission applies only to folders and allows or denies the user from
creating files in the folder.

The Write Data permission applies only to files and allows or denies the user from making
changes to the file and overwriting existing content.

Create Folders/Append Data

The Create Folders permission applies only to folders and allows or denies the user from
creating folders in the folder.

The Append Data permission applies only to files and allows or denies the user from
making changes to the end of the file but not from changing, deleting, or overwriting
existing data.

Write Attributes

The Write Attributes permission allows or denies the user from changing the attributes of a
file or folder, such as read-only or hidden. Attributes are defined by NTFS.

The Write Attributes permission does not imply that you can create or delete files or
folders. It includes only the permission to make changes to the attributes of a file or folder.
To allow or to deny create or delete operations, there are the Create Files/Write Data, Create
Folders/Append Data, Delete Subfolders and Files, and Delete permissions.

Write Extended Attributes


The Write Extended Attributes permission allows or denies the user from changing the
extended attributes of a file or folder. Extended attributes are defined by programs and may
vary by program.

The Write Extended Attributes permission does not imply that the user can create or delete
files or folders; it includes only the permission to make changes to the attributes of a file or
folder.

Role of system administrator


A system administrator's responsibilities might include:
1) Analyzing system logs and identifying potential issues with computer systems.
2) Introducing and integrating new technologies into existing data center environments.
3) Performing routine audits of systems and software.
4) Performing backups.
5) Applying operating system updates, patches, and configuration changes.
6) Installing and configuring new hardware and software.
7) Adding, removing, or updating user account information, resetting passwords etc.
8) Answering technical queries.

Changes on machine to make it secure


1) Use a switched network:
2) Bridges and Routers:
3) LAN Security Architecture (LSA):
4) Consult your system support personnel if you work from home
5) Use virus protection software
6) Use a firewall
7) Don't open unknown email attachments
8) Don't run programs of unknown origin
9) Disable hidden filename extensions
10) Keep all applications, including your operating system, patched
11) Turn off your computer or disconnect from the network when not in use
12) Disable Java, JavaScript, and ActiveX if possible
13) Disable scripting features in email programs
14) Make regular backups of critical data and a boot disk in case the
computer is damaged or compromised
