NICE: Least Privilege Put Offs

Overview

In this NICE challenge we’re tasked with creating OUs, assigning permissions and GPOs, and configuring basic ACLs on a Linux fileshare.


Scenario

Recently we let go of one of our system administrators and he left a bit of a mess. I need you to establish adequate security controls that will bring some of our new users into compliance with the company Systems security policy of least privilege.


Creating the OUs

We will use the Active Directory Administrative Center to create the OUs.

In the Server Manager, select the Active Directory Administrative Center from the Tools drop-down in the upper-right corner.

Within this utility, select New at the bottom of the right-hand pane and assign the appropriate name of the OU, in our case this will be Accounting.

Repeat these steps to create the Human Resources OU.


Create Security Groups and Assign Users

While within the Active Directory Administrative Center, double-click the Accounting OU, select New from the top of the right-hand pane, and name the group; in our case, it will be AccountingSec.

Note: Make sure the Group Type is set to Security.

While we’re creating the group we can assign users to it. In our case, we need to assign Brimlock Stones to the group.

To do this, we’ll start by clicking the Add button under the Members section.

Within this screen we can enter Brimlock and select Check Names, which will automatically fill in the appropriate user information.

Once that is done, create the group by selecting OK in the Add User and Create Group windows.

Repeat these steps for the HRSec Security Group and add Sergio Chanel’s account to the group.


Move User Accounts to OUs

We need to move these accounts into their respective OUs as well. For this, we’ll use Active Directory Users and Computers, located in the Server Manager’s Tools dropdown.

Note: if you need a refresher, refer to how we opened the Active Directory Administrative Center at the beginning of this challenge.

From within the Active Directory Users and Computers window, we can right-click Brimlock’s account, select “Move…”, and assign him to the Accounting OU.

Repeat these steps for Sergio’s account.


Link the GPOs to the OUs

To link the Accounting GPO to the Accounting OU we’ll open the Group Policy Management tool from the Server Manager.

From here we can right-click the Accounting OU and select “Create a GPO in this domain, and link it here…” We’ll name it “Accounting” as instructed.

After it has been created, right-click it again and select Enforced.

Repeat these steps for the HR GPO.


Map the Accounting Share

We can start by right-clicking the Accounting GPO and selecting Edit.

From within this window, use the left-hand pane to navigate to User Configuration -> Preferences -> Windows Settings -> Drive Maps.

Right-click Drive Maps and select “New - Mapped Drive”.

In the new window, set the location to the path of the shared folder. For us, this will be \\fileshare\Accounting.

We were instructed to map this share to the drive letter T, so choose T from the Drive Letter drop-down.

Repeat these steps to map the HR share to drive H.

Note: Be sure to apply the HR drive mapping to the HR GPO and NOT the Accounting GPO.


Add Security Groups to GPO Security Filter

From within the Group Policy Management window, navigate to the Accounting GPO.

Under Security Filtering, add the AccountingSec group.

Repeat these steps for the HR GPO.


Add AccountingSec to Accounting Share with appropriate permissions

To set the permissions for the AccountingSec group, open File Explorer and navigate to “Network”.

Note: you may have to enable device discovery.

Now navigate to the Accounting share, right-click it, add the AccountingSec group, and set its permissions to Full Control.

After applying, the settings should resemble those in the following screenshot.

Repeat these steps for the HRSec group/share.


Restrict File Access through ACL

We’ve been instructed to configure the ACL on the Fileshare to only allow Brimlock and Sergio to access specific files.

To do this, we’ll log into the Fileshare and use the setfacl command.

Note: though we could accomplish similar results by setting file permissions, we are expected to use ACLs for this specific challenge.

The command setfacl is used to set ACL fields, while getfacl is used to view the ACL fields.

By running the getfacl command on the AccountingForcasts.ods file we can see the current permissions.

We can remove all existing ACLs with the setfacl -b command, but the default user, group, and other values will remain.

u::rwx means that the owner of the file has read, write, and execute permissions, while other::r-x means any unspecified user will be able to read and execute the file.

To remove these privileges we will use the setfacl command.

We can remove each of these permissions by using the modify switch, -m, and providing an empty permission set, written as -.

To add the permissions for Brimlock Stones, we’ll use the modify switch again, this time with his username between the two colons (u:<username>:<permissions>).

Repeat these steps for the HR share and Sergio’s account.
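The ACL steps above (view with getfacl, strip extended entries with setfacl -b, blank the base entries, then grant one named user) are easy to get subtly wrong, for example when a mask entry silently caps a named user. The following Python script is an added example, not part of the challenge write-up or the acl package: it parses getfacl output, applies the mask to work out each principal’s effective rights, flags any principal holding access beyond an allow-list, and emits the setfacl sequence described above. The username brimlock, the root owner and the two getfacl listings are assumptions constructed for the example.

```python
"""Audit a POSIX ACL for least privilege and build the setfacl sequence.

Added example (not from the NICE challenge or the acl package). Assumes
getfacl's long output format, the username "brimlock" for Brimlock Stones
(the write-up does not spell it out) and constructed sample listings.
"""

# Short tags accepted by setfacl, mapped to the long tags getfacl prints.
_TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}


def _norm(perms):
    """Normalise any spelling ('rw', 'rw-', '-') to fixed 'rwx' positions."""
    return "".join(c if c in perms else "-" for c in "rwx")


def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples from getfacl output.
    '# file:'-style headers and '#effective:' annotations are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments/annotations
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        entries.append((_TAGS.get(tag, tag), qualifier, _norm(perms)))
    return entries


def effective_access(entries):
    """Map each principal to its effective rwx string. The mask caps named
    users, named groups and the owning group; owner and other are never
    masked (POSIX.1e semantics)."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    access = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        principal = f"{tag}:{qualifier}" if qualifier else tag
        if mask is not None and (qualifier or tag == "group"):
            perms = "".join(c if c != "-" and m != "-" else "-"
                            for c, m in zip(perms, mask))
        access[principal] = perms
    return access


def least_privilege_violations(entries, allowed):
    """Return (principal, effective) for every principal holding a bit not
    in `allowed` (e.g. {"user:brimlock": "rw"}); anyone not listed is
    expected to have no access at all."""
    violations = []
    for principal, eff in effective_access(entries).items():
        permitted = _norm(allowed.get(principal, ""))
        if any(c != "-" and p == "-" for c, p in zip(eff, permitted)):
            violations.append((principal, eff))
    return violations


def setfacl_commands(path, user, perms="rw"):
    """The write-up's sequence: strip extended entries (-b), blank the
    owner/group/other base entries, then grant only the named user.
    setfacl recomputes the mask on -m, so the user's bits stay effective."""
    return [
        f"setfacl -b {path}",
        f"setfacl -m u::-,g::-,o::- {path}",
        f"setfacl -m u:{user}:{perms} {path}",
    ]


# Constructed getfacl output resembling the file before the fix.
BEFORE = """\
# file: AccountingForcasts.ods
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
"""

# Constructed getfacl output for the intended end state.
AFTER = """\
# file: AccountingForcasts.ods
# owner: root
# group: root
user::---
user:brimlock:rw-
group::---
mask::rw-
other::---
"""

ALLOWED = {"user:brimlock": "rw"}  # the only principal that may touch the file

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        bad = least_privilege_violations(parse_getfacl(acl), ALLOWED)
        print(f"{label}: {'OK' if not bad else bad}")
    print("\n".join(setfacl_commands("AccountingForcasts.ods", "brimlock")))
```

Feed `parse_getfacl` the real output of `getfacl <file>` to audit a share after the change; the mask handling is the part worth noting, since a `user:brimlock:rwx` entry under a `mask::r--` still only yields read access, and `setfacl -m u::-` locks out the file owner too, which is only harmless because the write-up performs the change as root on the fileshare.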