IDENTIFICATION, AUTHENTICATION, AND AUTHORIZATION
Exercise 1: Implement Access Controls in Windows Machine
Exercise 2: Manage Access Controls in Linux Machine
Exercise 3: Implement Role-Based Access Control in Windows Admin Center (WAC)
Exercise 4: Implement Centralized Authentication Mechanism
OBJECTIVE
The objective of this lab is to provide expert knowledge in identifying, authenticating, and authorizing users who access critical assets and
resources. This lab includes the following tasks:
• Implementation of role-based access control using tools such as Windows Admin Center (WAC)
Authentication is the verification of the credentials a user presents, that is, of the identity the user claims, before the user is allowed to connect to a network. Both wired and wireless networks authenticate users before allowing them to access network resources.
Authorization is the process of granting an authenticated user permission to access a resource or perform an action on the network. On a multiuser system, the administrator decides each user's privileges and access permissions.
Note: Turn on the pfSense Firewall virtual machine and keep it running throughout the lab exercises.
EXERCISE 1: IMPLEMENT ACCESS CONTROLS IN WINDOWS MACHINE
LAB SCENARIO
A security professional must know how to manage objects in Active Directory using the different account types and how to apply account
policies through Group Policy Objects (GPOs) on a Windows machine.
OBJECTIVE
This lab demonstrates the implementation of access control policies on a Windows machine.
9. The Server Manager window appears. Click the Tools option at the top right corner of the window and select Active Directory Users and
Computers.
16. Now, we must create a global security group within the NetworkAdmin Organizational Unit.
23. The New Object - Computer window appears. Type Computer01 in the Computer Name field and click OK.
28. Now, we shall modify the existing GPO to set password requirements.
29. To launch Group Policy Management, click Windows Start icon and navigate to Windows Administrative Tools → Group Policy
Management.
Note: Alternatively, you can launch Group Policy Management by typing gpmc.msc in Run. To open Run, right-click on Start and click Run.
Note: To implement the changes in the Policy, make the desired modifications, then click Apply and click OK.
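The password settings configured in the GPO above are enforced by the domain controller whenever a password is set. As an added example that is not part of the lab and not Microsoft's code, the following Python re-implements the documented logic of the "Password must meet complexity requirements" setting together with "Minimum password length", so the effect of the policy can be checked against the lab's own credentials. The minimum length of 7 and the account names passed in are assumptions; the lab does not state which values it configures.

```python
import re

# Delimiters on which Windows splits displayName before checking that no
# fragment of three or more characters appears in the password.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]")
COMPLEXITY_MIN_LENGTH = 6  # built into the complexity rule itself


def name_tokens(sam_account_name, display_name=""):
    """Name fragments the password must not contain (compared case-insensitively).
    samAccountName is checked as a whole; displayName is split on the delimiters
    above; fragments shorter than three characters are ignored."""
    tokens = [sam_account_name] if len(sam_account_name) >= 3 else []
    tokens += [t for t in NAME_DELIMITERS.split(display_name) if len(t) >= 3]
    return [t.lower() for t in tokens]


def character_categories(password):
    """The five categories the complexity rule counts; three are required."""
    cats = set()
    for c in password:
        if c.isupper():
            cats.add("upper")
        elif c.islower():
            cats.add("lower")
        elif c in "0123456789":
            cats.add("digit")
        elif c.isalpha():  # alphabetic but neither upper nor lower (e.g. CJK)
            cats.add("other_alpha")
        else:
            cats.add("special")
    return cats


def meets_complexity(password, sam_account_name, display_name=""):
    """True when the password satisfies 'Password must meet complexity requirements'."""
    if len(password) < COMPLEXITY_MIN_LENGTH:
        return False
    lowered = password.lower()
    if any(tok in lowered for tok in name_tokens(sam_account_name, display_name)):
        return False
    return len(character_categories(password)) >= 3


def check_policy(password, sam_account_name, display_name="", min_length=7):
    """Apply complexity plus 'Minimum password length' (7 is assumed here; it is
    the Default Domain Policy value). Returns (accepted, list_of_reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than the minimum length of {min_length}")
    if not meets_complexity(password, sam_account_name, display_name):
        reasons.append("does not meet complexity requirements")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed inputs: the lab's own credentials all satisfy the default
    # policy despite being short and guessable. Complexity is a floor, not a
    # measure of strength; the last case fails only because it contains "John".
    for pw, sam, display in [("admin@123", "Administrator", "Administrator"),
                             ("user@123", "bob", "bob"),
                             ("John.Smith1", "jsmith", "John Smith")]:
        print(pw, check_policy(pw, sam, display))
```

The name check is the part most often forgotten when people reason about this setting: it is the whole samAccountName and each delimiter-separated token of displayName, not arbitrary substrings of either, and a two-letter account name is not checked at all.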
40. A browser window appears displaying the Group Policy Results file, as shown in the screenshot.
Note: If browser notification appears, click Ask me later.
42. This concludes the demonstration of implementing access control policies on a Windows machine.
EXERCISE 2: MANAGE ACCESS CONTROLS IN LINUX MACHINE
LAB SCENARIO
A security professional must have the required knowledge to manage access control policies on a Linux machine. First, we will create local user
accounts and groups on the system. Then, we will create the directories and files on which access control policies will be applied. Finally, we will
assign ownership of these directories and files.
OBJECTIVE
This lab demonstrates the implementation of access controls on a Linux machine.
6. In the [sudo] password for bob field, type user@123 as a password and press Enter.
Note: The password typed by you will not be visible.
9. The New password field appears; type test@123 and press Enter. In the Retype new password field, enter the same password (test@123) and press
Enter to set the password. A password updated successfully message then appears, as shown in the screenshot.
Note: You can set any user password of your choice.
14. Similarly, type usermod -aG team testuser02 and press Enter to add user testuser02 to the team group.
mkdir testdirectory
mkdir testdirectory/SecProjects
mkdir testdirectory/TeamProjects
touch testdirectory/SecProjects/networkreport.txt
touch testdirectory/TeamProjects/workreport.txt
21. In the terminal window, type ls -ld testdirectory and press Enter to display the permissions of the testdirectory directory.
22. Here, root is the owner of the testdirectory, as shown in the screenshot.
25. Type ls -ld testdirectory/TeamProjects and press Enter to display the users and groups associated with testdirectory/TeamProjects.
27. In the terminal window, type chmod u=rwx,g=rwx,o-r testdirectory/SecProjects and press Enter to set the following permissions for
testuser01.
Note: Access level parameters: r: read a file or list the contents of a directory; w: write to a file, or create, rename, and delete entries in a
directory; x: execute a file or enter (traverse) a directory.
Note: Reference parameters: u: user (file owner); g: group (members of the file's group); o: others (users who are neither the file's owner nor
members of the file's group).
Note: Here, u=rwx,g=rwx gives read, write, and execute permissions to u (user) and g (group); o-r removes only the read permission from o (others),
leaving any other permission bits they already had (for example, execute) in place.
Note: Here, rwx: read, write, and execute permissions are given to u (user) and g (group); rx: read and execute permissions are given to o (others).
30. Click the Add icon (+) at the top-left corner of the Terminal window to open another terminal.
32. In this new Terminal window, type su testuser02 and press Enter.
Note: su stands for substitute user, it is used to execute commands with the privileges of another user account.
35. Type ls and press Enter to list the files present in the directory.
36. According to the permissions set in step#26, testuser02 cannot list the contents of testuser01's directory. testuser02 is a normal user with
limited access, whereas testuser01 has administrator-level privileges.
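Steps 27 to 36 show the effect of the permission bits by trial. As an added example that is not part of the lab, the following Python implements the two pieces of logic behind them: how a symbolic chmod specification such as u=rwx,g=rwx,o-r is applied to a mode, and how the kernel's discretionary access check decides whether a given user may read, write, or traverse an object. The ownership of the two directories, the group memberships, and the initial 0755 mode are assumptions, since the lab's chown steps are not reproduced on this page.

```python
import re
import stat

PERM_BITS = {"r": 4, "w": 2, "x": 1}
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}
CLAUSE = re.compile(r"^([ugoa]*)([=+-])([rwx]*)$")


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic specification such as 'u=rwx,g=rwx,o-r' to the rwx
    bits of mode. '=' replaces the triplet, '+' adds bits, '-' removes bits; an
    empty or 'a' reference means user, group and others (umask is not applied)."""
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        who, op, perms = m.groups()
        who = who.replace("a", "ugo") or "ugo"
        bits = sum(PERM_BITS[p] for p in perms)
        for w in set(who):
            shift = WHO_SHIFT[w]
            if op == "=":
                mode = (mode & ~(7 << shift)) | (bits << shift)
            elif op == "+":
                mode |= bits << shift
            else:
                mode &= ~(bits << shift)
    return mode & 0o777


def describe(mode, is_dir=True):
    """Render mode bits the way ls -ld prints them, e.g. 'drwxrwx--x'."""
    return stat.filemode(mode | (stat.S_IFDIR if is_dir else stat.S_IFREG))


def can_access(mode, owner, group, user, user_groups, want, is_dir=True):
    """Discretionary access check for one permission ('r', 'w' or 'x').
    root bypasses everything except execute on a file with no x bit at all.
    Otherwise exactly one triplet applies: owner if the user owns the object,
    else group if the user is in the object's group, else others. The triplets
    are never combined, so a group member denied by the group bits stays denied
    even when 'others' would be allowed."""
    bit = PERM_BITS[want]
    if user == "root":
        return want != "x" or is_dir or bool(mode & 0o111)
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


# Constructed model of the lab's layout. Ownership and group membership are
# assumptions: the lab's chown steps are not reproduced on this page.
USERS = {
    "root": {"root"},
    "testuser01": {"testuser01", "team"},
    "testuser02": {"testuser02", "team"},
}
DEFAULT_DIR_MODE = 0o755  # mkdir by root with umask 022 (assumed)
SEC_MODE = apply_symbolic(DEFAULT_DIR_MODE, "u=rwx,g=rwx,o-r")    # step 27
TEAM_MODE = apply_symbolic(DEFAULT_DIR_MODE, "u=rwx,g=rwx,o=rx")  # the rx-for-others note


def sec_projects_access(user, want):
    """testdirectory/SecProjects, assumed owned by testuser01:testuser01."""
    return can_access(SEC_MODE, "testuser01", "testuser01", user, USERS[user], want)


def team_projects_access(user, want):
    """testdirectory/TeamProjects, assumed owned by root:team."""
    return can_access(TEAM_MODE, "root", "team", user, USERS[user], want)


if __name__ == "__main__":
    print("SecProjects ", describe(SEC_MODE))
    print("TeamProjects", describe(TEAM_MODE))
    for user in USERS:
        print(user, "SecProjects r/w/x:", [sec_projects_access(user, p) for p in "rwx"],
              "TeamProjects r/w/x:", [team_projects_access(user, p) for p in "rwx"])
```

The x result for testuser02 on SecProjects is the caveat step 36 does not mention: o-r only stopped directory listing. With the execute bit still set, testuser02 can still cd into the directory and open networkreport.txt by name if the file's own permissions allow it (a file created with touch under umask 022 is readable by others). Use o-rx, or o= with nothing after it, when the intent is to keep other users out altogether.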
38. This concludes the demonstration of implementing access control policies on a Linux machine.
EXERCISE 3: IMPLEMENT ROLE-BASED ACCESS CONTROL IN WINDOWS ADMIN CENTER (WAC)
LAB SCENARIO
A security professional should be aware of the various tools and techniques available to manage servers and clients. WAC is a browser-based
management tool that lets you perform administrative tasks on managed Windows servers and client devices (except mobile devices). It uses
role-based access control (RBAC) to limit what users connected to a managed server can do. WAC allows the management of system activity such as
starting services, adding and removing resources, and controlling applications.
OBJECTIVE
This lab demonstrates how to install WAC and configure RBAC in WAC to restrict user activities.
OVERVIEW OF WAC
In WAC, RBAC gives users limited access to the target computers. RBAC in WAC works by configuring every managed server with a PowerShell Just
Enough Administration (JEA) endpoint; the endpoint defines the roles. When a user connects to the restricted endpoint, a temporary local
administrator account is created to manage the machine on the user's behalf, but the user remains limited to the actions the assigned role allows.
When the user is no longer managing the machine through WAC, the temporary account is automatically deleted. WAC defines the following roles:
Administrators: allows users to use most WAC features without granting them access to Remote Desktop or PowerShell.
Readers: allows users to view information and settings on the server, but not make changes.
Hyper-V Administrators: allows users to make changes to Hyper-V VMs and switches, but limits other features to read-only access.
3. To install WAC, navigate to Z:\CCT-Tools\CCT Module 04 Identification, Authentication and Authorization\Windows Admin Center and
double-click WindowsAdminCenter1910.msi.
4. The installation starts. Check I accept these terms. Click Next to continue.
7. Leave the default settings for port and other options unchanged on the window. Click Install.
9. Installation continues. Check Open Windows Admin Center. Click Finish to complete the installation.
11. Wait for a few seconds. The Edge browser loads Windows Admin Center.
12. If a Select a certificate for authentication pop-up appears, select the certificate and click OK.
20. The Windows Admin Center connects to Webserver and displays all tools under Server Manager.
22. Using the RBAC option in WAC, a security professional can grant a user of the Web Server machine only limited access. Here, we will assign
limited access to the already created user (john) on the Web Server machine. To configure RBAC for user john, click Settings at the bottom of the
Tools pane on the left.
26. A notification (see the Notifications icon in the upper right corner) appears stating that the application of RBAC has been scheduled. It can
take up to 10 minutes for the RBAC service to start. Wait 10 minutes, then refresh the Webserver connection.
Note: If logged out, log in with the credentials for Webserver as given in Step#17.
Once reconnected to the Webserver, navigate to Tools → Settings and click the Role-based Access Control option. The Role-based access control
status now shows Applied.
28. Next, assign a user to the role. Click Local users & groups in the Tools pane on the left.
32. Scroll down the list in the Manage Membership pane. In the list, uncheck Users and check Windows Admin Center Readers. Assigning the
Windows Admin Center Readers role allows john to view information and settings on the server but not make changes. Click Save.
40. Click Storage in the Tools pane. Wait for a few seconds; the Storage pane appears on the right side of the window.
EXERCISE 4: IMPLEMENT CENTRALIZED AUTHENTICATION MECHANISM
LAB SCENARIO
A security professional should be aware of the various tools and techniques available to implement a centralized authentication mechanism. In
this exercise, we will configure the AD Domain Controller machine as an authentication server; all authentication attempts will be forwarded to
this machine. The pfSense machine will be configured as a client that passes authentication attempts to the authentication server (the AD
Domain Controller machine). The RADIUS protocol is used as the authentication protocol between the server and the client.
OBJECTIVE
This lab will demonstrate the implementation of centralized authentication.
2. In the AD Domain Controller virtual machine, log in with the credentials CCT\Administrator and admin@123.
Note: If the network screen appears, click Yes.
3. Click the Start icon at the bottom left corner of the Desktop and click Server Manager.
7. Now, select the Generate radio button and click Generate to generate the shared secret key.
Note: The shared secret is a password-like key configured on the RADIUS server (here, the AD Domain Controller machine). The same value must
be configured on each RADIUS client (here, the pfSense Firewall machine). The secret itself is never sent over the network: the client uses it to
obfuscate the User-Password attribute, and both sides use it to compute the authenticators that tie a response to its request. If the secret
configured on a RADIUS client does not match the server's, the client's requests are not accepted.
11. In the Network Policy Server window, expand the Policies node and select Network Policies node. Right-click Network Policies and click
New.
16. In the Select Group dialog box, type Admin in the Enter the object name to select field and click Check Names button.
23. In the Configure Settings wizard, click the Add… button under the Attributes field.
30. Open any web browser (here, Mozilla Firefox), enter the URL as http://10.10.1.1 and press Enter.
Note: If an Update available pop-up appears click Dismiss.
31. A Warning: Potential Security Risk Ahead alert appears, click Advanced… button and click Accept the Risk and Continue.
36. In the Hostname or IP address field, enter 10.10.1.19. In the Shared Secret field, paste the key value from the Notepad file.
48. In the login page, enter Username and Password as john and user@123 respectively and click SIGN IN button.
Note: When you log in to the pfSense web interface, pfSense (the RADIUS client) forwards the user credentials to the RADIUS server (here, the AD
Domain Controller machine) for verification. If the credentials match and the user account is a member of the Admin-Support group, the user is
granted access to the platform.
Note: If a Save login credentials pop-up appears, click Don’t Save.
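The note on the shared secret (step 7) and the note on the login flow (step 48) describe the RADIUS exchange in words. As an added example that is not part of the lab and not pfSense's or NPS's code, the following Python builds the Access-Request a client such as pfSense sends, processes it the way an NPS-style server would, and verifies the reply, following RFC 2865 (packet format, User-Password hiding, Response Authenticator) and RFC 2869 (Message-Authenticator). The user directory, bob's group membership, and the secrets are constructed stand-ins for the AD accounts and the generated key; the lab does not state whether bob is a member of Admin-Support.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

# Constructed stand-in for the AD accounts and the NPS group condition.
DIRECTORY = {
    "john": {"password": b"user@123", "groups": {"Admin-Support"}},
    "bob": {"password": b"user@123", "groups": {"Domain Users"}},  # assumed not in Admin-Support
}
REQUIRED_GROUP = "Admin-Support"


def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _attrs(packet):
    """Yield (type, value, offset_of_value) for each attribute after the header."""
    i = 20
    while i + 1 < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            break  # malformed length; stop rather than loop forever
        yield atype, packet[i + 2:i + alen], i + 2
        i += alen


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(blob, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth):
    """Client side (pfSense in the lab). The Message-Authenticator is HMAC-MD5 over
    the whole packet, computed with its own value zeroed (RFC 2869 5.14)."""
    attrs = _attr(USER_NAME, username)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def _response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret):
    """Server side (NPS on the domain controller in the lab). Returns an Access-Accept
    or Access-Reject packet, or None when the request is silently discarded."""
    code, ident, length = HEADER.unpack_from(packet)
    request_auth = packet[4:20]
    attrs, mac_offset = {}, None
    for atype, value, offset in _attrs(packet[:length]):
        attrs[atype] = value
        if atype == MESSAGE_AUTHENTICATOR:
            mac_offset = offset
    if code != ACCESS_REQUEST or mac_offset is None:
        return None
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[MESSAGE_AUTHENTICATOR]):
        return None  # shared secret mismatch or tampering: discard, do not answer
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    entry = DIRECTORY.get(user)
    ok = (entry is not None and hmac.compare_digest(entry["password"], password)
          and REQUIRED_GROUP in entry["groups"])
    return _response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(response, request_auth, secret):
    """Client side: recompute the Response Authenticator before trusting the verdict."""
    code, ident, length = HEADER.unpack_from(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def login(username, password, client_secret, server_secret=None, request_auth=None):
    """One full exchange; returns 'accept', 'reject', 'discarded' or 'bad-response'."""
    server_secret = client_secret if server_secret is None else server_secret
    request_auth = request_auth or os.urandom(16)
    request = build_access_request(7, username.encode(), password.encode(), client_secret, request_auth)
    response = server_handle(request, server_secret)
    if response is None:
        return "discarded"
    code = verify_response(response, request_auth, client_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad-response")


if __name__ == "__main__":
    secret = b"generated-shared-secret"  # stands in for the key generated in step 7
    print("john, correct secret :", login("john", "user@123", secret))
    print("bob (not in group)   :", login("bob", "user@123", secret))
    print("john, wrong password :", login("john", "letmein", secret))
    print("john, wrong secret   :", login("john", "user@123", secret, b"different-secret"))
```

Two behaviours are worth noticing. With a mismatched secret the server cannot recover the password at all (reveal_password returns noise), and because the request carries a Message-Authenticator the server can recognise the mismatch and discard the packet instead of answering Access-Reject, which is the outcome the step 7 note describes as "not accepted"; without that attribute a wrong secret is indistinguishable from a wrong password. The User-Password hiding is MD5-based obfuscation keyed only by the shared secret, not encryption, so PAP over RADIUS belongs on a trusted management network or inside a TLS tunnel.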
51. Click the logout icon in the top-right corner of the dashboard to log out of the account.
52. In the login page, enter Username and Password as bob and user@123 respectively and click the SIGN IN button.
56. Turn off the AD Domain Controller and pfSense Firewall virtual machines.