Operating System And Application Server Security Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Data flow within the internal and external networks is highly secured. There is a Windows Domain Controller, a Web Server, and a Network File System on Linux. Users on the LAN access NFS; Kerberos is implemented to provide authentication and LDAP is used to exchange account information. By implementing Kerberos with LDAP, we do not need to maintain separate users and groups on the Linux file system.

This instruction manual covers the configuration of the operating systems (Linux Ubuntu Server, Linux Database Server, Windows Server 2008 and Windows XP/Vista clients) and is to be used by the systems administrator of Wharf Traders Limited. It gives a clear, logical guide on how to configure security controls properly so as to secure operation and communication inside and outside Wharf Traders Limited. The procedures in this manual assume that the system administrator is thoroughly familiar with the Windows Server 2008 GUI and command-line environment, and likewise with the Linux Ubuntu environment. Note, therefore, that the manual does not provide detailed step-by-step procedures for configuration and maintenance. Where further information is needed, the references mentioned in the manual can be consulted for more detail. While writing the manual, security was treated as the top priority, and the configuration was tested thoroughly on virtual machines before being written up.

During the design phase, issues such as the backup scenario were taken into account, and a solution combining off-site and on-site storage is proposed in order to provide secure backup procedures.

Group Policy is covered briefly so that the system administrator can make changes as the scenario requires. Please bear in mind that policies are dynamic and can change over time.

Infrastructure Overview

This overview of the infrastructure design is for use by the Wharf Trader office system administrator. It explains the internal and external communication network, which includes several server and client systems, such as:

Windows Server 2008

Linux Server

Windows XP / Vista

These sit within the Wharf Trader Limited internal LAN (Local Area Network). Additionally, Linux servers (Ubuntu operating system) are set up for secure communication between the organisation's internal network and its external clients. The network diagram for Wharf Trader Limited is shown below in Figure 1.

Figure 1

Classification of Data Flow within LAN network and external network

Classification of Data

The classification of data is very important in supporting Wharf Trader's day-to-day operations for transferring and storing sensitive data over the LAN and intranet infrastructure. It is critical to distinguish how much of the data needs to be controlled and securely transferred, and hence to assign the right level of security and classification according to its degree of sensitivity. The classification of data for each department in Wharf Trader Limited is shown below in Figure 2.

| Wharf Trader Department | Data Classification | Level of Classification | Data Flow: Internal network | Data Flow: External network | Data Security channel (Encryption), LAN & WAN |
|---|---|---|---|---|---|
| Corporate Finance | Highly Sensitive | Top Secret | Highly Secure | Highly Secure | SSH, SFTP, IPsec, Firewall |
| Investment Advice | Sensitive | Confidential | Secure | Secure | SSL, IPsec |
| Research | Normal | Restricted | Secure | Secure | IPsec |
| Back Office | Normal | Restricted | Secure | Secure | IPsec |

Figure 2

Data Flow Diagram between Corporate Department and Clients

Figure 3

Data Flow Diagram between Investment Advice Department and Clients

Figure 4

Data Flow Diagram between all Departments and File server

Figure-5

1.3. General Overview of Server & Cataloging

The server setup for Wharf Trader's functional domain comprises the following servers and their services:

Primary Domain Controllers (WHARFTRADER-DC1).

Secondary Domain Controllers (WHARFTRADER-DC2).

A File server/ Member Server (WHARFTRADER-SRV1).

A Backup File server/Member Server (WHARFTRADER-SRV2).

Corporate Finance Server (Linux-Corporate)

Investment advice Server (Linux-Investment)

Database Server (Linux-Wharf)

Backup Server (Linux-Corporate & Investment Backup server)

Servers Characterization and Services Configuration

The basic configuration of every server is defined in this instruction manual; it is very important for a new system administrator.

Server Configuration

Operating System: Microsoft Windows Server 2008

Role of system required: Primary Domain Controller

Active Directory (AD), Domain Services (DS)

Domain Name System (DNS)

Mail Server

The Primary Domain Controller in Wharf Trader Limited supplies user authentication, authorisation and access control for network resources within the domain.

Configuration (method of LAN IP):

Computer name: WHARFTRADER-DC1

Full DNS name: WHARFTRADER.COM

IP address: 201.132.1.1

Subnet mask: 255.255.255.0

Default gateway: 201.132.1.254

Primary DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

Role of system required: Secondary Domain Controller

Replicates the schema containing the domain's users and workstations from the Primary Domain Controller, and vice versa.

The aim of the Secondary Domain Controller is to supply network authentication for the organisation's internal network in the event of a server failure.

Configuration (method of LAN IP):

Computer name: WHARFTRADER-DC2

Full DNS name: WHARFTRADER.COM

IP address: 201.132.1.2

Subnet mask: 255.255.255.0

Default gateway: 201.132.1.254

Primary DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

Figure 1.1

Operating System: Microsoft Windows Server 2008

Role of system required:

File Server Service: The File Server supplies file sharing between the Research, Corporate Finance and Investment Advice departments. Communication between the client workstations and the File Server inside the LAN is highly secured with IP security technology.

Dynamic Host Configuration Protocol (DHCP): The DHCP Server simplifies the management of IP addresses by automatically assigning IP addresses to the different departments.

IIS (Internet Information Service): IIS supports internet hosting within the network; this gives excellent communication between users.

Configuration (method of LAN IP):

Computer name: WHARFTRADER-SVR1

Full DNS name: WHARFTRADER.COM

IP address: 201.132.1.3

Subnet mask: 255.255.255.0

Default gateway: 201.132.1.254

Preferred DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

DHCP IP range (self-defined range):

Corporate Finance: 201.132.5.10

Investment Advice: 201.132.6.10

Research: 201.132.7.10

Back Office: 201.132.8.10

Figure 1.2

Operating System: Microsoft Windows Server 2008

Role of system required:

File Server Service: The File Server service supplies an additional backup for the network services hosted by WHARFTRADER-SVR1.

Configuration (method of LAN IP):

Computer name: WHARFTRADER-SVR2

Full DNS name: WHARFTRADER.COM

IP address: 201.132.1.4

Subnet mask: 255.255.255.0

Default gateway: 201.132.1.254

Preferred DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

DHCP IP range (self-defined range):

Corporate Finance: 201.132.5.10

Investment Advice: 201.132.6.10

Research: 201.132.7.10

Back Office: 201.132.8.10

Figure 1.3

Operating System: Ubuntu Server (Edition 9.10) (Linux Kernel 2.6.31)

Role of system required: Linux-Corporate Server

The server supplies the transfer of documents (highly sensitive or top secret) using a secure communication application such as SFTP over SSH.

This provides highly secured communication between Corporate Finance and the clients' workstations (accountants and lawyers).

Configuration (method of LAN IP):

Computer name: Linux-Corporate

IP address: 201.132.10.5

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

Primary DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

Figure 1.4

Operating System: Ubuntu Server (Edition 9.10) (Linux Kernel 2.6.31)

Role of system required: Linux-Investment Advice Server

The server supplies the transfer of documents (highly sensitive) using a secure communication application such as SFTP over SSH. This provides secure communication between the Investment department and market brokers.

Configuration (method of LAN IP):

Computer name: Linux-Corporate

IP address: 201.132.10.8

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

Primary DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

Figure 1.5

Operating System: Ubuntu Server (Edition 9.10) (Linux Kernel 2.6.31)

Role of system required: Linux-Database Server

The Database Server supplies secured data communication between clients (e.g. investment clients) using secure communication.

Configuration (method of LAN IP):

Computer name: Linux-Database

IP address: 201.132.10.6

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

Preferred DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

Figure 1.6

Operating System: Ubuntu Server (Edition 9.10) (Linux Kernel 2.6.31)

Role of system required: Linux-Backup Server

The Backup Server supplements the Linux-Corporate and Linux-Investment servers in the event of Linux server failures.

Configuration (method of LAN IP):

Computer name: Linux-Backup

IP address: 201.132.10.7

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

Preferred DNS server: 201.132.1.1

Secondary DNS server: 201.132.1.2

Figure 1.7

1.4. Domain Controllers configuration

Domain Controller configuration with Active Directory & DNS

The Domain Controller, configured with Active Directory and DNS, is required to support the authentication, authorisation and access control process for all users within the same domain, including communication between the different departments in Wharf Trader Limited's operational environment. Domain users from the different departments will be assigned suitable security and given access to the IT resources supplied by Wharf Trader Limited.

Primary Domain Controller Configuration Windows Server 2008 R2

Follow these steps:

1. Prepare the Primary Domain Controller. Configure it with the settings shown in Figure 1.1.

Computer Name: WHARFTRADER-DC1

IP address: 201.132.1.1

Subnet mask: 255.255.255.0

Default gateway: 201.132.1.254

2. Then promote the Primary Domain Controller (PDC); there are a few configuration values to keep on record:

Fully Qualified Domain Name of the forest root domain: WHARFTRADER.COM

NetBIOS domain name (default name): WHARFTRADER

Additional Domain Controller Options: tick the DNS Server check box

DNS portion manually: Yes

Directory Services Restore Mode Administrator Password: always use a difficult password combining lowercase and uppercase characters, numbers and symbols.

3. Log On as a Domain Administrator.

4. Make sure the DNS Zone for the Primary Domain Controller (PDC)

Secondary Domain Controller configuration Windows Server 2008 R2.

The Secondary Domain Controller in the domain improves the redundancy and reliability of network services. Additional Domain Controllers provide fault tolerance, balance the load on the active Domain Controllers, and provide further infrastructure support to domain users and groups.

Follow these steps:

Prepare the Secondary Domain Controller and configure it with the settings shown in Figure 1.1.

Computer Name: WHARFTRADER-DC2

IP address: 201.132.1.2

Subnet mask: 255.255.255.0

Default gateway: 201.132.1.254

Then connect the Secondary Domain Controller to WHARFTRADER.COM

Install and configure the DNS Server service on the Secondary Domain Controller

Then promote the Secondary Domain Controller; there are a few configuration steps to keep in mind:

Advanced operational configuration: active forest, then Add a domain controller to an active domain

Network ID Name: The Domain name is WHARFTRADER.COM

Then configure the Secondary Domain Controller as a Global Catalog Server.

There is no need to create the DNS allocation

Install from Media: consider replicating data over the network from an active domain controller

Log on as a domain Administrator.

Important Note: The Secondary Domain Controller is configured as a Global Catalog Server so that it can serve as a backup server in the event of a system failure.

Configurations of File Server & DHCP services

A File Server service is required for the organisation to host the research material from the Research Department. This material includes share prices and information on likely companies from the trade market. The information is shared between the Investment Advice and Corporate Finance departments.

File Server configuration of Service Role on Windows Server 2008.

Follow these steps:

Assign the File Server the detailed settings shown in Figure 1.3.

Computer name: WHARFTRADER-SVR1

IP address: 201.132.1.3

Subnet mask: 255.255.255.0

Default gateway: 201.132.1.254

Join the File Server /Member Server to WHARFTRADER.COM Domain

Then promote the File/Member Server as a File Server.

Check the Server Manager console to confirm that the File Services role has been added.

DHCP Services role configuration on Windows Server 2008

Follow these steps:

Then promote the File/Member Server as a DHCP Server.

Verify in the Server Manager console that the DHCP Server Services role has been added.

There are a few configuration steps:

Create a new Scope and assign an IP address range for each department.

Create a new Reservation to ensure that DHCP users from each department are always assigned the same IP address range.

Log on as an administrator of the domain group when accessing this File/Member Server.

Network File System services role configuration on Windows Server 2008

Follow these steps:

Configure the Network File System (NFS) service as an NFS server

Configure NFS authentication (mkcommadmin)

Create an NFS file system shared folder

Identify permissions for folders (Read, Write and Execute permissions)

Mount the NFS shared folder from the Linux servers (Linux-Corporate and Investment Advice servers)

An SSH server must be installed on Windows Server 2008 to secure the traffic from the Linux servers for file transfers (files, audit logs and backups)

File / Member Server:

Windows Server 2008 defines a Default Domain Controller Policy. The Default Domain Policy is enabled for the default password policy. (Deployment by security policy)

1.5. Linux Server configuration (Ubuntu Server - Linux Kernel 2.6.3.1)

The Linux server configuration supports secure communication traffic with Corporate Finance clients (for example, new market participants and their other advisors, such as lawyers and accountants).

Linux-Corporate Server configuration (Ubuntu Server)

Follow these steps:

Prepare the Linux Server configuration

Computer name: Linux-Corporate

IP address: 201.132.10.5

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

Once the Linux Server (Ubuntu) installation is complete, there are a few configuration items to keep in mind:

Change the root password to a long, difficult password

Create lesser-privileged users and groups; these users get root access through the sudo utility as required (wcsadmin)

Ensure a strong password policy:

Password Complexity

Maximum Password Age before Password Expiration

Minimum Password Length (at least 8 characters long)

Linux-Investment Server Configuration (Ubuntu Server)

Follow these steps:

Prepare the Linux Server configuration

Computer name: Linux-Investment

IP address: 201.132.10.8

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

Once the Linux Server (Ubuntu) is installed, there are a few configuration items to keep in mind:

Change the server root password to a long, difficult password

Create lesser-privileged users and groups; these users get root access through the sudo utility as required (wcsadmin)

Ensure a strong password policy:

Password Complexity

Maximum Password Age before Password Expiration

Minimum Password Length (at least 8 characters long)

Linux-Database Server configuration (Ubuntu Server)

Follow these steps:

1. Prepare the Linux Server configuration settings as shown in Figure 1.7

Computer Name: Linux-Investment

IP address: 201.32.10.6

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

2. After the Linux-Database Server installation (Ubuntu Linux), repeat the configuration steps shown above for the Linux-Corporate Server.

Linux-Backup Server configuration (Ubuntu Server)

Follow these steps:

1. Prepare the Linux Backup Server configuration as shown in Figure 1.7

Computer Name: Linux-Investment

IP address: 201.132.10.7

Subnet mask: 255.255.255.0

Default gateway: 201.132.10.254

2. Once the Linux-Backup Server (Ubuntu - Linux) is installed for two different departments' likes corporate finance & investment advice servers.

2. The necessity to create and maintain users and groups for project and other work in this environment and the storage and transfer of sensitive data across the network and over the Internet infrastructure.

Users and Group Management:

Creating and maintaining users and groups for each department

The main aim of deploying Active Directory is to facilitate the handling of IT resources within the organisation's network. Hence users and groups are created to establish authentication, authorisation and access control for individual groups in the domain.

The diagram below shows how memberships of groups and users are managed for Wharf Trader's departments within a domain, with access control permissions to the IT resources.

Figure-1.8

There are four main departments in the Wharf Trader domain. Organising users, groups and other objects into "folders" called OUs (organizational units) is necessary to ease management for administrators.

The tasks for managing user and group accounts for an individual department include:

1. Creation of Organisation Units (OUs).

2. Creation of Users for each department.

3. Creation of Global Groups in each department.

4. Allotting Users to their particular Global Groups.

5. Allotting Global Groups to Domain Local Groups for committed resources usage.

6. Allotting of Computers to their particular Sub-OU.

Organisation Units (OUs) creation

Follow these steps:

Follow the steps to create the respective Organisation Units (OUs):

Launch Active Directory Users and Computers from the Administrative Tools menu.

Right-click on the domain (WHARFTRADER.COM) and choose New and then Organizational Unit. (The Organisation Unit dialog box will appear.)

In the Organisation Unit dialog box, type the name of the department (Investment Advice) and press OK to complete the creation.

Create two Sub-OUs, for user and computer objects respectively (e.g. IA_UG Accounts, IA_Workstations)

Repeat the above steps for the rest of the departments.

Creation of users

Follow these steps:

Use the following steps to create a user, working from the Start menu in Active Directory Users & Computers as Administrator.

Open Active Directory Users & Computers from the Administrative Tools menu.

Expand the domain (WHARFTRADER.COM), then click the respective OU (Investment Advice) and Sub-OU (e.g. IA_UG Accounts)

Right-click on the Sub-OU (IA_UG Accounts) and choose New User.

The New Object dialog box will pop up.

In New Object, enter the user (William) and press OK to continue.

On the password-setting screen, give the user's password and require it to be changed at first log-on by selecting "User must change password at next logon".

Click "Finish" on the next screen to complete the user creation process.

Repeat the above steps for the rest of the users.

Important Note: "Windows Server 2008 has a default password policy:

Enforce password history: 24 passwords remembered

Maximum password age: 42 days

Minimum password age: 1 days

Minimum password length: 7 characters

Password must meet complexity requirements: Enabled "

This default password policy setting will be re-defined in the section on operating a suitable security and maintenance management policy.

Creation of Global Groups

Follow these steps:

Use the following steps to create Global Groups, working from the Start menu in Active Directory Users & Computers as Administrator.

Open Active Directory Users & Computers from the Administrative Tools menu.

Expand the domain (WHARFTRADER.COM), then click the respective OU (Investment Advice) and Sub-OU (IA_UG Accounts)

Right-click on the particular Sub-OU (IA_UG Accounts), click New and select Group from the shortcut menu. (The New Object - Group dialog box pops up.)

In the New Object - Group dialog box, there are a few settings to keep in mind:

Group Scope, select Global

Group Type, select Security

Fill in the required information, such as the name of the group (e.g. IA_Grp), and press OK to complete the group creation process.

Repeat the above steps for the rest of the groups.

Allotting Users to their particular Global Groups

Follow these steps:

1. Use the following steps to assign users to their respective Global Groups, working from the Start menu in Active Directory Users & Computers as Administrator.

Open Active Directory Users & Computers from the Administrative Tools menu.

Expand the domain tree (WHARFTRADER.COM), then click the respective OU (e.g. Investment Advice) and Sub-OU (e.g. IA_UG Accounts)

Right-click on the highlighted group name and select Properties.

Click on the Members tab and then click Add.

Click Advanced, and then click Find Now. All the group members will appear in the lower panel.

Select the user accounts to be added and click OK to complete the process.

Repeat the above steps to add users to their respective groups.

Right-click the created GPO and choose Edit; User Configuration opens, then select Policies/Preferences. In Group Policy one can configure the following items:

Control and 'lock down' what users can do

Manage software installations, updates, repairs and software removals

Enable 'one to many' management

Configure roaming profiles and user data management

Important Note: To apply Group Policy, click the Start menu, click Run and, in the dialog that opens, type gpupdate.

Assigning Global Groups to Domain Local Groups for devoted resources usage

A Domain Local Group is created to give Global Groups permission to access resources such as the Black printer and scanner within the domain.

Follow these steps:

Create a new Domain Local Group using the same process as in group creation. The settings to keep in mind:

Group Scope, select Domain Local

Group Type, select Security

Allot permission for each resource (e.g. Black printer) to the Domain Local Group.

As the final step, assign suitable Global Groups as members of the particular Domain Local Group (e.g. rBlackPrintersPrint group).

It is suitable to create an Organisational Unit to group the Domain Local Groups, to ease Global Groups' access to the resources within the domain.

The Domain Local Group task is shown below in Figure 1.9

Allotting of Computers to their particular Sub-OU

The aim of the Computers container in the domain tree is to house computers newly joined to the domain. The computer names show their department's prefix (e.g. IAPC1). These computers are allotted to their particular Sub-OU by dragging and dropping them from the Computers container to the Sub-OU (e.g. IA_Workstations).

Follow these steps:

Go to the Computers container in the domain tree

Then drag and drop the workstations from the Computers area to their particular Sub-OU, as shown below in Figure 1.9 with workstation clients.

Figure-1.9

3. Detailed procedures for authentication, authorisation and access control, both internal to the LAN and external to the Linux server(s) and to any database server if implemented.

Authentication, Authorisation & Access Control within the internal LAN & external Linux Server & Database server (optional).

Authentication

It is a procedure by which you verify that someone is who they claim to be. This usually involves a username and password, but can also include any other technique of demonstrating identity, such as a smart card, retina scan, voice recognition or fingerprints.

The default authentication design for the Windows environment is based on Kerberos authentication. While Kerberos authentication is suitable for supervising a larger network with distributed resources, there are a few points to keep in mind:

Single point of failure - the reason for including two Domain Controllers within a domain is redundancy in case one of the Domain Controllers is down.

Time-clock synchronisation between users and the KDC (Key Distribution Centre) must be within 5 minutes.

All users act as domain users to the Domain Controllers. Authorisation is the process of finding out whether a person, once identified and authenticated, is allowed to access the resources. It is usually determined by finding out whether the particular user is a member of a particular group, and whether that person has been granted a particular level of security. This is equivalent to checking the guest list at a private party.

IPsec functioning on File server.

IP security (IPsec) is used to secure the communication channel so that sensitive data transferred across the internal network between all departments' workstations and the File Server is protected. It protects data in transit against network sniffing.

Tasks:

Implement IPsec via Group Policy for every department Organisation Unit that contacts the File/Member Server.

Make sure that the workstations in the domain are IPsec-aware so that they can communicate with the File/Member Server.

Secure File Transfer Protocol (SFTP) / Secure Shell (SSH).

Authentication to the Linux servers is based on the user accounts created (e.g. /etc/passwd). The login credentials sent across the network to the Linux server would be in plaintext. Hence, these login credentials should be protected in transit against network sniffing. The same applies to transfers of highly sensitive documents between clients of the different departments, such as Investment Advice and Corporate Finance. Thus Secure Shell (SSH/SFTP) is used to protect document transfers; it creates a secure communication channel between the workstations and the Linux server, as well as with parties external to it. (SSH for remote connections - users' workstations)

Follow these steps:

Create users and groups so that only those users (e.g. Investment Advisors / Corporate Finance) can use the Linux server

Make sure the Secure Shell server service (e.g. SSH) is configured and running on the Linux servers (Ubuntu Server)

Back up a copy of the file (/etc/ssh/sshd_config) to protect it from scripts

Keep the following security settings in mind while editing the SSH server configuration file (/etc/ssh/sshd_config): "

Use SSH Protocol

Use Public Key Based Authentication

Set an Idle Log Out Timeout Interval

Disable root Login via SSH

Disable Empty Passwords

Use Strong SSH Passwords & Passphrase

Allow Users and Groups Access Authenticate

Change SSH Port & Limit IP Binding

Chroot SSHD

Use TCP wrappers to update /etc/hosts.allow and /etc/hosts.deny

Use Port Knocking "

Create shared folders to allow internal users (e.g. Investment Advice / Corporate Finance) and their particular clients to exchange files and transfer documents.

Authenticated users have Read and Write permission on the folder.

No authenticated user other than the root administrator is allowed to change the permissions of the folder.

Users may only store certain file types (e.g. DOC, PDF, TXT etc.) in the shared folder.
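The sshd_config items in the list above can be checked mechanically. The following audit script is an added example, not part of the original manual: the two sample configurations are constructed, port 2222 and the group name sftp-corporate are assumptions, and "Protocol 2" is this example's reading of the "Use SSH Protocol" item.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config against the hardening list in this
# manual. Not part of the original essay.

# Constructed samples (no real host). Port 2222 and the group name
# sftp-corporate are assumptions; 201.132.10.5 is Linux-Corporate's address.
WEAK_SAMPLE='# constructed: permissive settings
Port 22
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes'

HARDENED_SAMPLE='# constructed: settings matching the list
Port 2222
ListenAddress 201.132.10.5
Protocol 2
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 300
AllowGroups sftp-corporate'

# sshd_value KEYWORD < config
# Prints the effective global value. sshd keeps the first value it reads for
# a keyword, keywords are case-insensitive, and anything after a Match line
# applies only conditionally, so parsing stops there.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }'
}

# require CONFIG KEYWORD WANTED: print a finding unless KEYWORD is WANTED.
# An unset keyword is a finding too: defaults differ between OpenSSH releases.
require() {
    local got
    got=$(printf '%s\n' "$1" | sshd_value "$2")
    if [ "$got" != "$3" ]; then
        echo "FAIL $2: want '$3', found '${got:-unset}'"
        return 1
    fi
}

# audit_sshd_config < config
# One FAIL line per unmet item; exit status 0 only when there are none.
audit_sshd_config() {
    local cfg v findings=0
    cfg=$(cat)

    # "Protocol 2" is an assumption about what "Use SSH Protocol" means; the
    # keyword only matters on old releases such as the one in Ubuntu 9.10.
    require "$cfg" Protocol 2               || findings=$((findings + 1))
    require "$cfg" PubkeyAuthentication yes || findings=$((findings + 1))
    require "$cfg" PermitRootLogin no       || findings=$((findings + 1))
    require "$cfg" PermitEmptyPasswords no  || findings=$((findings + 1))

    # Idle log-out interval: a positive number of seconds (plain digits only).
    v=$(printf '%s\n' "$cfg" | sshd_value ClientAliveInterval)
    case "$v" in
        ''|0|*[!0-9]*)
            echo "FAIL ClientAliveInterval: no idle timeout ('${v:-unset}')"
            findings=$((findings + 1)) ;;
    esac

    # Allow-list: AllowUsers or AllowGroups must name who may log in.
    if [ -z "$(printf '%s\n' "$cfg" | sshd_value AllowUsers)" ] &&
       [ -z "$(printf '%s\n' "$cfg" | sshd_value AllowGroups)" ]; then
        echo "FAIL AllowUsers/AllowGroups: no allow-list of users or groups"
        findings=$((findings + 1))
    fi

    # Changed port and limited IP binding.
    v=$(printf '%s\n' "$cfg" | sshd_value Port)
    if [ -z "$v" ] || [ "$v" = 22 ]; then
        echo "FAIL Port: still the default 22"
        findings=$((findings + 1))
    fi
    if [ -z "$(printf '%s\n' "$cfg" | sshd_value ListenAddress)" ]; then
        echo "FAIL ListenAddress: sshd listens on every local address"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

echo "== weak sample =="
printf '%s\n' "$WEAK_SAMPLE" | audit_sshd_config || true
echo "== hardened sample =="
printf '%s\n' "$HARDENED_SAMPLE" | audit_sshd_config && echo "no findings"
```

On a server the same function reads the live file: audit_sshd_config < /etc/ssh/sshd_config.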

Database Server

The Database Server needs to run in the DMZ because remote users will be authenticated through the website over SSL and their logons will be maintained by the Database Server running MySQL. PHP along with CGI can be used to create scripts to securely access the file server. The Apache Web Server will be the only machine that communicates with NFS and with users over the internet. I think details of the configuration of the Database Server and programming are not required.

4. The advisability of, and methodology for, encryption of data in transit and for storage

Users, Groups, Storage Transfer of Highly Sensitive Data

Encryption File System on Windows Server 2008 Platform

As the methodology for encrypting data in transit and in storage, the Kerberos method is used for encryption and decryption of data in transit on the internal and external networks. Encrypting the files in file server storage is necessary in order to protect the sensitive data and documents stored by the Research department. These files should be stored in separate folders on the file server, with rights of use provided to the different departments (e.g. Investment Advice, Corporate Finance) correspondingly.

The Encryption File System (EFS) only encrypts data while it is stored on the file server's hard disk. EFS does not encrypt data when it is transmitted across the network. IPsec is used as the protection method to secure data and documents in transit.

Follow these steps:

Enable the Local Policy to allow EFS support on the File Server.

Keep this option in mind while EFS is allowed:

Encrypt the contents of the user's Documents folder

Setting suitable permissions for users and groups from each department is necessary to protect encrypted files and folders against removal and against listing of files and directories. Anybody with suitable permissions could delete or list encrypted files and folders. This is the main reason using EFS in combination with NTFS permissions is recommended.

Important Note: The policy setting for Encryption File System is located in the Local Group Policy Editor under Local Computer Policy \ Windows Settings \ Security Settings \ Public Key Policies \ Encrypting File System.

Linux Server Storage Security

The storage security of data exchanged between Corporate Finance / Investment Advisors and their respective clients shall be protected once it is transferred to the relevant folder on the Linux server. The purpose of applying storage security to each user's and group's folder is to keep data confidential from other users in the organisation.

5. Integration with, and configuration for, other services which will be required to be supported, such as essential Web access and secure messaging systems

Installation and configuration of MySQL

The database server is configured on the Linux Ubuntu server. The steps for configuring MySQL are listed below.

Log in with root privileges and install MySQL.

After installation, clear the log files.

Fetch the source file from the website to get the latest version.

Unpack the source file to begin installation

Build and install MySQL

Configure MySQL with the correct privileges and ownership.

Give permission to make changes only to the MySQL and root users.

It is essential that the database starts every time the system reboots; therefore create a start script.

Create iptables rules to allow MySQL to communicate on a different, higher port.

Apache Configuration

An Apache web server is required on the Linux Ubuntu server. The steps for configuring the Apache web server are listed below:

Configure Apache from the source file.

Clear the log files.

Start configuration by editing the http.conf file.

Make changes in iptables to serve Apache on higher ports.

With the Apache Web Server installed, DNS is configured correctly and the FQDN and hostname are www.km985.com.

• Copy km985.crt and km985.key into /etc/apache2/ssl

• Enable SSL: a2enmod ssl

• Create a stub SSL configuration file & a symbolic link to it. Copy the default configuration file with cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl, then create the symbolic link with ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl

• Configure the document root: cd /var/www and create the site directory with mkdir km985. Then create a folder for SSL content in the /var directory with cd /var and mkdir www-ssl, and create a folder for your site inside www-ssl with cd www-ssl and mkdir km985.

• Configure HTTP on port 80: cd /etc/apache2/sites-available & open the default file in vi

• Set NameVirtualHost *:80, <VirtualHost *:80>, ServerName www.km985.com:80 and DocumentRoot /var/www/km985/ & close the file

• Open the file: vi /etc/apache2/sites-available/ssl

• Change it to NameVirtualHost *:443 (the default port for SSL), <VirtualHost *:443>, ServerName www.km985.com:443 and DocumentRoot /var/www-ssl/km985 & close the file.

• Now configure ports.conf in /etc/apache2 to listen on port 443.

• Go back to /etc/apache2/sites-available/, open ssl in vi & add the following directives:

• SSLEngine on

• SSLCertificateFile /etc/apache2/ssl/km985.crt

• SSLCertificateKeyFile /etc/apache2/ssl/km985.key

• Then go to /etc/ and open the hosts file in vi

• Add the IP address & domain name (e.g. 201.132.10.5 km985.com)

• Restart Apache: /etc/init.d/apache2 restart

The Apache web server is now ready to host the secure website www.km985.com.

Important Note: This configuration was checked on my virtual server, i.e. KM985.osass.org, and I used a local CA to create the certificate, but for www.km985.com I need to get the certificate from a Certification Authority such as www.thawte.com or www.verisign.com.
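A pre-restart check for the SSL site configured in the steps above, as an added example that is not part of the original manual: it confirms the three SSL directives, the Listen 443 line and the sites-enabled link, and additionally that the private key is not accessible to group or others. The function names, the staging-root argument and the key-permission rule are assumptions of this example.

```shell
# Added example (not from the manual): lint the SSL site before restarting Apache.

# directive FILE NAME: print the first argument of an Apache directive.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# check_ssl_site ROOT: ROOT is "" on the live server, or a staging directory.
# Prints one line per problem; returns 1 if any problem was found.
check_ssl_site() (
    a2="$1/etc/apache2"; site="$a2/sites-available/ssl"; bad=0
    fail() { echo "FAIL: $*"; bad=1; }
    case $(directive "$site" SSLEngine) in [Oo][Nn]) ;; *) fail "SSLEngine is not on" ;; esac
    crt=$(directive "$site" SSLCertificateFile)
    key=$(directive "$site" SSLCertificateKeyFile)
    [ -n "$crt" ] && [ -f "$1$crt" ] || fail "certificate missing: $crt"
    if [ -n "$key" ] && [ -f "$1$key" ]; then
        # Added hardening check: group/other permission bits must all be clear.
        [ "$(ls -lL "$1$key" | cut -c5-10)" = "------" ] ||
            fail "private key $key is accessible to group or others"
    else
        fail "private key missing: $key"
    fi
    grep -Eq '^[[:space:]]*Listen[[:space:]]+443' "$a2/ports.conf" 2>/dev/null ||
        fail "ports.conf does not listen on 443"
    [ -L "$a2/sites-enabled/ssl" ] || fail "ssl site has no symlink in sites-enabled"
    return "$bad"
)

# stage_sample ROOT: build a constructed copy of the layout from the steps.
stage_sample() (
    a="$1/etc/apache2"
    mkdir -p "$a/ssl" "$a/sites-available" "$a/sites-enabled" || return 1
    for f in crt key; do echo "constructed placeholder" > "$a/ssl/km985.$f"; done
    chmod 600 "$a/ssl/km985.key"
    printf 'Listen 80\nListen 443\n' > "$a/ports.conf"
    cat > "$a/sites-available/ssl" <<'EOF'
<VirtualHost *:443>
    ServerName www.km985.com:443
    DocumentRoot /var/www-ssl/km985
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/km985.crt
    SSLCertificateKeyFile /etc/apache2/ssl/km985.key
</VirtualHost>
EOF
    ln -sf ../sites-available/ssl "$a/sites-enabled/ssl"
)

# Demo on a constructed staging tree; on the server run: check_ssl_site ""
demo_root=$(mktemp -d) && stage_sample "$demo_root" &&
    check_ssl_site "$demo_root" && echo "ssl site looks consistent"
```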

6. Practical procedures for restoration in the event of a system failure,

Restoration procedures in the event of system failure.

Restoration utility for Windows & Linux server backup

The Windows Server Backup feature built into Windows Server 2008 is a backup tool that provides a solution for daily backup and recovery requirements. It is a very powerful tool in Windows Server 2008. It can take a full backup of a Windows server's data, of selected volumes, or of the system state. If a hard disk failure occurs, it is possible to perform a system recovery that restores the full system, including volumes, files, folders, certain applications and the system state, onto the new hard disk by using a full backup of the Windows server in the Recovery Environment.

Backup Windows Server 2008

The purpose of having data backup procedures is to prevent data loss in the event of a complete system failure. The Windows Server Backup program is intended to support an organisation in planning its restoration procedures.

Follow these steps:"

Backup of all crucial systems such as Domain Controllers & File Server

Domain Controllers of WHARFTRADER.COM"

System state of the servers, so that they can be recovered to their normal state before the system failure.

System Boot Files

SYSVOL folder (includes all the Group Policies)

Active Directory

Event Logs

Selected volumes that contain the shared files & folders

Backup of selected user workstations from individual departments, based on how essential their data is

Creation of a suitable backup schedule for the servers.

Types of Backup to keep in mind:

Normal Backup of wharftrader.com

Incremental Backup of wharftrader.com

Differential Backup of wharftrader.com

All backup data should be stored on the central storage devices, whose hard disks have RAID capability.

Backups of files & folders will be tested to verify that the data written to the storage medium is an actual copy when restored on an entirely separate machine."

Important Note: To create & execute backup jobs, the user must be a member of the Domain Administrator group (e.g. Backup Operator, Administrator)

Procedures for Restoration Linux Server Backup

Tar & Cron Utilities:

The easiest way to back up a Linux server is to use the available command-line utilities (tar & cron) for backup & restoration. The tar utility creates an archive file from the selected files & directories, and the cron utility schedules and runs the backup jobs using scripts. The scripts shall move the files to the central storage using the NFS mount function."

Follow these steps:

Creation of a shell script to back up all essential system files & directories.

System state of the servers, so that they can be recovered to their normal state before the system failure.

System Files (e.g. /etc /usr /local /opt /var /root /boot)

System Log Files (e.g. /var/log/syslog)

Directories that hold significant information (e.g. investment advisors/ corporate finance /)

Make sure the SSH server is running, to secure the connection to the NFS shared folder in the central storage during document or file transfer.

The shell script should create a secure channel with the SSH server running on the File Server, so that backup files are moved securely across the internal network.

Use the cron utility to create a suitable schedule for the backup jobs."

Important Note: Only the system administrator can make backups, restore files, and automate the backup process.
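The tar and cron procedure above, together with the earlier requirement that a backup be verified by restoring it elsewhere, as an added example that is not part of the original manual. The function names, the /mnt/central-backup mount point, the script path and the SHA-256 sidecar file are assumptions; the destination directory stands in for the NFS mount, and the SSH channel is not shown.

```shell
# Added example (not from the manual); all paths are assumptions.

# backup_and_verify SRC_DIR DEST_DIR
# Archives SRC_DIR into DEST_DIR (for example the NFS mount of the central
# storage), then proves the archive restores by unpacking it into a scratch
# directory and comparing the result with the source. Prints the archive path.
backup_and_verify() (
    src=$1; dest=$2; name=$(basename "$src")
    archive="$dest/$name-$(date +%Y%m%d-%H%M%S).tar.gz"
    umask 077                          # archives readable by the owner only
    mkdir -p "$dest" || return 1
    tar -czf "$archive" -C "$(dirname "$src")" "$name" || return 1
    sha256sum "$archive" > "$archive.sha256" || return 1
    scratch=$(mktemp -d) || return 1
    rc=0
    tar -xzf "$archive" -C "$scratch" &&
        diff -r "$src" "$scratch/$name" >/dev/null || rc=1
    rm -rf "$scratch"
    [ "$rc" -eq 0 ] || { echo "restore check failed: $archive" >&2; return 1; }
    echo "$archive"
)

# verify_checksum ARCHIVE: detect corruption or tampering before a restore.
verify_checksum() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# demo: constructed sample data in a temporary directory, nothing real touched.
demo() (
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/corporate-finance"
    echo "constructed sample record" > "$work/src/corporate-finance/q1.txt"
    archive=$(backup_and_verify "$work/src" "$work/central") || return 1
    verify_checksum "$archive" || return 1            # intact archive passes
    echo "tampered" >> "$archive"
    if verify_checksum "$archive"; then rc=1; else rc=0; fi   # must now fail
    rm -rf "$work"
    return "$rc"
)

# Nightly schedule at 02:00 in root's crontab (script path is an assumption):
# 0 2 * * * /usr/local/sbin/backup.sh /srv/shares /mnt/central-backup
if [ "$#" -eq 2 ]; then backup_and_verify "$1" "$2"; else demo && echo "demo passed"; fi
```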

7. Basic audit procedures to detect possible network compromise,

Audit Procedures

System Auditing for windows & Linux

The audit functionality on Windows machines offers a logging mechanism that allows the domain administrator to monitor all systems for malicious activity on local machines or attacks by outside users. These event logs are very important because they give an early warning of attempts to break into systems within the domain, and they are very helpful when such events are generated in the domain.

Follow these steps:"

Configure & Enable Auditing in the Default Domain Policy.

Ensure the Default Domain Policy is linked to the respective OU that hosts the workstations (e.g. IA Workstations)

Verify the workstations have received the policy.

Ensure that the audit logs are not overwritten when full

Ensure the audit logs are saved and backed up daily to the central storage based on the backup policy.

Configure the audit policy with the following steps.

Open Start -> Active Directory Users & Groups -> View menu -> Advanced -> right-click the object -> Properties -> Security tab -> click Advanced -> Auditing tab -> Add -> give the name -> OK. There will be two tabs, Object & Properties. The Object tab lets you audit standard & control rights, while the Properties tab lets you audit property accesses. Configure what you require & apply it.

Configuration of Auditing Package for Linux (Ubuntu)

The audit package for Linux (Ubuntu) includes the essential audit utilities for monitoring the system & the network. These utilities store & search the audit records produced by the audit subsystem.

Follow these steps:

Configure the auditing package.

Use the audit utilities to monitor the main files & directories:

Password File (/etc/passwd)

File System (/etc/shadow)

syscall audit (e.g. sshd)

Make sure that the audit log files are not overwritten when the hard disk is full

Make sure the audit log files are saved & backed up daily to the main storage based on the backup policy."

Important Note: Review the audit & event log files regularly.
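One way to check the Linux audit steps above before relying on them, as an added example that is not part of the original manual: it looks for write and attribute-change watches on /etc/passwd and /etc/shadow and flags auditd.conf actions that would overwrite old logs. The function names and the sample rules and settings are constructed for illustration.

```shell
# Added example (not from the manual): lint auditd settings against the steps.

# conf_value FILE KEY: print the lower-cased value of a "key = value" line.
conf_value() {
    awk -F= -v k="$2" 'tolower($1) ~ "^[ \t]*" k "[ \t]*$" {
        gsub(/[ \t]/, "", $2); print tolower($2); exit }' "$1"
}

# has_watch FILE PATH: true if FILE has a watch on PATH whose -p permissions
# include both w (write) and a (attribute change).
has_watch() {
    awk -v p="$2" '$1 == "-w" && $2 == p {
        for (i = 3; i < NF; i++)
            if ($i == "-p" && $(i+1) ~ /w/ && $(i+1) ~ /a/) found = 1 }
        END { exit !found }' "$1"
}

# audit_findings RULES CONF: print one line per gap; return 1 if any.
audit_findings() (
    bad=0
    for f in /etc/passwd /etc/shadow; do
        has_watch "$1" "$f" || { echo "no write/attribute watch on $f"; bad=1; }
    done
    # "rotate" deletes the oldest log once a limit is hit; unset is flagged too.
    for key in max_log_file_action disk_full_action; do
        case $(conf_value "$2" "$key") in
            rotate) echo "$key = rotate overwrites old audit logs"; bad=1 ;;
            "")     echo "$key is not set explicitly"; bad=1 ;;
        esac
    done
    return "$bad"
)

# Constructed samples (not taken from a real host).
sample_rules() {
    printf '%s\n' '-w /etc/passwd -p wa -k identity' \
                  '-w /etc/shadow -p r -k identity'
}
sample_conf() {
    printf '%s\n' 'log_file = /var/log/audit/audit.log' \
                  'max_log_file_action = ROTATE' 'disk_full_action = SUSPEND'
}

# Demo: two findings expected (read-only shadow watch, rotating log action).
demo_dir=$(mktemp -d)
sample_rules > "$demo_dir/audit.rules"; sample_conf > "$demo_dir/auditd.conf"
audit_findings "$demo_dir/audit.rules" "$demo_dir/auditd.conf" || true
```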

8. The implementation of an appropriate security and maintenance management policy.

An appropriate security & maintenance management policy.

WSUS Service for Windows server 2008

Windows Server Update Services (WSUS) version 3.0 is a service that provides software updates to all workstations inside the organisation/company. The WSUS server downloads all security patches and policy updates, as well as any other updates, from Microsoft. All domain client workstations request updates from the WSUS server, and when the server has updates it approves them for the requesting client.

Follow these steps:"

Install & configure the patch management software (WSUS) on one of the member servers.

Schedule the security updates for off-peak hours.

Apply updates only as essential

Identify a backup system for returning to normal operation.

Keep an audit trail of changes

Only administrative staff are authorised to support the security updates and are allowed to test them."

Patch Management Service for Linux Server on Linux (Ubuntu)

Software package updates for the Linux server (Ubuntu Server) use the Ubuntu package management system.

Follow these steps:"

Use Ubuntu's package management system to install new software packages and security updates on the Linux servers. (e.g. Linux Server)

Schedule the security updates for off-peak hours.

Apply updates only as necessary

Identify a backup system for returning to normal operation.

Keep an audit trail of changes

Only administrative staff are authorised to support the security updates and are authorised to test them."

Group Policy configuration

Configuration of a suitable Domain Policy for Security on Windows Server 2008

Using Group Policy instead of a manual configuration process makes it simple to manage & update changes for many users & computers. GPOs are used to make sure that exact policy settings, user rights & computer behaviour apply to the computers / users in an OU.

Implementing baseline security for Wharf Trader's company infrastructure requires a minimum of the following GPOs:

A policy for the domain

A policy to provide the baseline security settings for the domain controller

An IPsec security policy, separate from the above-mentioned policies, that permits each workstation from the individual department units in the Wharf Trader organisation to access the File / Member Server over an encrypted channel.

An IPsec security policy applicable to the workstations of each Organisational Unit (OU) in the Wharf Trader domain.

Domain Policy Settings

These security settings are applied to the domain through the Computer Configuration node in the Group Policy Object Editor. The following setting groups appear in the Windows Settings sub-node within the Computer Configuration node:

Password Policy

Account Lockout Policy Settings

Audit Policy Settings

Password Policy Configuration

"Configure the default domain policy:

Enforce password history: 24 passwords remembered

Maximum password age: 90 days

Minimum password age: 1 day

Minimum password length: 8 characters

Password must meet complexity requirements: Enabled

Store passwords using reversible encryption: Disabled"

Account Lockout Policy Configuration

"Configure the default domain policy:

Account lockout duration: 15 minute(s)

Account lockout threshold: 10 invalid logon attempt(s)

Reset account lockout counter after: 15 minute(s)"

Audit Policy Configuration

"Audit account logon events: Success

Audit account management: Success

Audit directory service access: Not Defined

Audit logon events: Success

Audit object access: Not Defined

Audit policy change: Success

Audit privilege use: Not Defined

Audit process tracking: Not Defined

Audit system events: Success"

Domain Controller Policy Settings

These security settings are applied only to the domain controller through the Computer Configuration node in the Group Policy Object Editor. The following setting groups appear in the Windows Settings sub-node within the Computer Configuration node:

User Right Assignment Settings

Security Options Settings

User Right Assignment Configuration

"Add workstations to domain: Administrators

Allow log on through Terminal Services: Administrators

Debug programs: Administrators

Deny access to this computer from the network: Guests

Deny log on as a batch job: Guests

Deny log on locally: Guests

Deny log on through Terminal Services: Guests

Profile single process: Administrators

Profile system performance: Administrators

Remove computer from docking station: Administrators

Replace a process level token: Network Service, Local service

Restore files and directories: Backup Operators, Administrators

Shut down the system: Backup Operators, Administrators"
