Contents
Overview 1
Lesson: Determining Threats and Analyzing Risks to Data 2
Lesson: Designing Security for Data 7
Lab A: Designing Security for Data 15

Module 9: Creating a Security Design for Data



Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.


Module 9: Creating a Security Design for Data iii

Instructor Notes
In this module, students will learn how to determine threats and analyze risks to
data in an organization. Students will learn how to design access control for
files and folders in order to protect data that is stored on network servers.
Students will also learn about considerations for encrypting and managing data.
After completing this module, students will be able to:
 Determine threats and analyze risks to data.
 Design security for data.

Required materials
To teach this module, you need the following materials:
 Microsoft® PowerPoint® file 2830A_09.ppt
 The animation How EFS Works, 2830A_09_A005_1875.htm, located in the Media folder on the Web page on the Student Materials CD.

Important: It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly.

Preparation tasks
To prepare for this module:
 Read all of the materials for this module.
 Complete the practices.
 Watch the animation.
 Complete the lab and practice discussing the answers.
 Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD.
 Visit the Web links that are referenced in the module.

Presentation: 60 minutes
Lab: 30 minutes

How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: Determining Threats and Analyzing Risks to Data

Overview of Access Control
Use this slide as a refresher for the topic of access control from core courses. This information is presented only as background knowledge regarding access control.

Why Securing Data Is Important
This page is intended simply to give examples of vulnerabilities. To elaborate on attacks, draw upon your own experiences. The next page deals with common vulnerabilities, so try not to skip ahead.

Common Vulnerabilities to Data
Explain the vulnerabilities, but do not discuss how to secure against them. The second lesson in the module covers that topic.

Practice: Analyzing Risks to Data
Use the practice as an opportunity for discussion.

Lesson: Designing Security for Data
This section describes the instructional methods for teaching this lesson.

Steps for Designing an Access Control Model
Use this slide as a refresher for the topic of access control from core courses. Tell students that the lab focuses on creating an access control model for Contoso Pharmaceuticals.

Multimedia: How EFS Encrypts Data
You can play the animation by clicking the arrow on the slide. If necessary, elaborate on the difference between symmetric and asymmetric encryption.

Steps for Designing EFS Policies
Refer students to the white paper referenced on the page for more information about Encrypting File System (EFS).

Guidelines for Managing Data Securely
Spend time on this slide to identify the different ways that data management can be a potential security issue, and discuss ways to ensure secure management of data.

Practice: Risk and Response
Answers may vary. Use the security responses that students give to generate classroom discussion.

Security Policy Checklist
Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from Microsoft Solutions Framework (MSF). Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the networks.

Assessment
There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning.

Lab A: Designing Security for Data
To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class.
Regarding threats to the research scientists’ portable computers, students can use the R&D Portable Computer Threat Model and the Risk Statements for R&D Portable Computers documents from previous labs to identify threats to the scientists’ portable computers. Be sure to emphasize that in this lab, the goal is to determine how to counter the threats, rather than discussing the threats themselves.
This lab can be difficult if students do not understand the scope of the lab or what you expect from them. However, the subject matter of the lab should be prerequisite knowledge for most students.

Important: In this lab, students open a Microsoft Visio® spreadsheet named CP File Permissions Template.vsd. They are encouraged to add information to it. If students use the template, ensure that they rename the file and save the spreadsheet to the Lab Answers folder on their desktops for discussion.

Students are not required to use the Visio template; tell students that if they like, they can work with paper and pencil or pen. Use the answers provided in the Lab section of this module to answer students’ questions about the scope of Ashley Larson’s request in her e-mail, and to help frame classroom discussion.

Important: Additional answers for this lab are located in the Lab 9 Finance Server File Permissions Answer.vsd and Lab 9 Security Groups Answer.vsd files, located in the Answers folder under Webfiles on the Student Materials CD. Be sure to print the answers out and study them before you conduct the lab.

General lab suggestions
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course.

Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Important: The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks.

Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication or customization.


Overview

***************************** ILLEGAL FOR NON-TRAINER USE ******************************

In this module, you will learn how to determine threats and analyze risks to data in an organization. You will learn how to design access control for files and folders in order to protect data that is stored on network servers. You will also learn about considerations for encrypting and managing data.
After completing this module, you will be able to:
 Determine threats and analyze risks to data.
 Design security for data.

Lesson: Determining Threats and Analyzing Risks to Data

Securing data means controlling access to it. You control access by using permissions. Attackers who can subvert or override permissions may be able to access data on your network.
After completing this lesson, you will be able to:
 Describe access control for data.
 Explain why securing data is important.
 List common vulnerabilities to data.

Overview of Access Control

To control access to data, Microsoft® Windows® 2000 and Microsoft Windows XP use access tokens and discretionary access control lists (DACLs). Access tokens define the rights that a user account has. DACLs control the permissions to Active Directory® directory service objects and to the folder and file objects in the NTFS file system (NTFS).
When a user’s credentials are validated during authentication, the user’s computer receives and stores an access token. The access token contains the security identifier (SID) of the user account, the SID of each local and domain group that the user has membership in, and a list of the user rights for the user.
The DACL of a resource contains an access control entry (ACE) for each permission that is assigned to the resource; the ACEs define the protections that apply to the object. When a user attempts to access the resource, the SIDs in the access token are compared to the SIDs in the DACL, and the user receives the permissions of every ACE whose SID matches a SID in the access token.
For more information about access control in Windows 2000 and Windows XP, see Access Control Components, at:
Security/access_control_components.asp.
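The token-against-DACL comparison described above, as an added Python model that is not part of the courseware: a token carries a user SID and group SIDs, each ACE carries a SID and a rights mask, and the check walks the ACEs with denies listed first as in a canonical Windows DACL. The SIDs, account names and the small rights set are constructed for the example.

```python
"""Access check as described above: the SIDs in an access token are compared
with the SIDs in a DACL, and the rights of every matching ACE are combined.

Added example, not code from the courseware. SIDs and account names are
constructed placeholders; the rights are a small subset of the Windows
access mask, and deny ACEs are listed first, as in a canonical Windows DACL.
"""
from dataclasses import dataclass
from enum import IntFlag


class Rights(IntFlag):
    """A few named rights standing in for the Windows access-mask bits."""
    READ = 0x1
    WRITE = 0x2
    DELETE = 0x4
    WRITE_DAC = 0x8          # the right to change the object's permissions
    FULL_CONTROL = READ | WRITE | DELETE | WRITE_DAC


@dataclass(frozen=True)
class ACE:
    """One access control entry: a SID, a rights mask, allow or deny."""
    sid: str
    mask: Rights
    allow: bool = True


@dataclass(frozen=True)
class AccessToken:
    """What the user's computer stores after authentication."""
    user_sid: str
    group_sids: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: AccessToken, dacl: list, requested: Rights) -> bool:
    """Return True only if every requested right is granted.

    ACEs are walked in order. A matching deny that covers a right still
    outstanding ends the check; matching allows remove rights from the
    outstanding set. Rights no matching ACE mentions are never granted.
    """
    remaining = int(requested)
    for ace in dacl:
        if not token.holds(ace.sid):
            continue                     # ACE is for someone else
        if not ace.allow:
            if int(ace.mask) & remaining:
                return False             # explicit deny wins
            continue
        remaining &= ~int(ace.mask)      # union of allowed rights so far
        if remaining == 0:
            return True
    return remaining == 0


def demo() -> dict:
    """Constructed Finance file: Finance users Modify, Finance administrators
    Full Control, Interns denied everything."""
    finance = "S-1-5-21-1000-2000-3000-1101"        # constructed group SIDs
    fin_admins = "S-1-5-21-1000-2000-3000-1102"
    interns = "S-1-5-21-1000-2000-3000-1103"
    dacl = [
        ACE(interns, Rights.FULL_CONTROL, allow=False),
        ACE(finance, Rights.READ | Rights.WRITE | Rights.DELETE),
        ACE(fin_admins, Rights.FULL_CONTROL),
    ]
    clerk = AccessToken("S-1-5-21-1000-2000-3000-1501", frozenset({finance}))
    admin = AccessToken("S-1-5-21-1000-2000-3000-1502", frozenset({finance, fin_admins}))
    intern = AccessToken("S-1-5-21-1000-2000-3000-1503", frozenset({finance, interns}))
    return {
        "clerk_write": access_check(clerk, dacl, Rights.WRITE),
        "clerk_change_permissions": access_check(clerk, dacl, Rights.WRITE_DAC),
        "admin_change_permissions": access_check(admin, dacl, Rights.WRITE_DAC),
        # the intern is also in Finance, but the deny ACE is matched first
        "intern_read": access_check(intern, dacl, Rights.READ),
    }
```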

Why Securing Data Is Important

Data is vulnerable to threats from both external and internal attackers. For example:
External attacker scenario: An external attacker steals a laptop from an employee’s car. Using a floppy disk to boot the computer, the attacker replaces the password of the Administrator account in the local Security Accounts Manager (SAM) database. The attacker then logs on to the laptop as Administrator and accesses the data.
Internal attacker scenario: An internal attacker discovers a server running Windows 2000 that stores confidential data in folders that are configured with default permissions. The attacker copies the data and sells it to a competitor. Because auditing was not configured, the IT staff cannot determine how the server was compromised or who stole the data.

Common Vulnerabilities to Data

Data is vulnerable to three general threats:
 Incorrect configuration of permissions. A user is able to access data that should be restricted.
 Physical security of data. A user has local access and can defeat other security measures or physically destroy data.
 Corruption of data. For example, a virus or irreversible encryption can corrupt data.

When configuring physical and logical security of data, always assign the least amount of access and permissions that a user requires to complete her job duties.

Practice: Analyzing Risks to Data

After examining threats to data, Northwind Traders determined that if it stores all user data on a central data server and installs antivirus software on all client computers, the organization will reduce its Annual Loss Expectancy (ALE) for data by $150,000.
What are some other threats to data that may prevent Northwind Traders from reducing the ALE by the anticipated amount?
Answers may vary.
 There is no plan for installing antivirus software on the central data server.
 The client antivirus software may not be kept up to date.
 The server permissions may be incorrectly configured.
 Users may continue to store data on their local computers.
 If Northwind Traders does not back up data on the central data server regularly or take other precautions to protect data, a hardware failure or natural disaster could cause Northwind Traders to lose all data, which could create a work stoppage for the organization.

Lesson: Designing Security for Data

You can secure access to data by ensuring that users have appropriate permissions. An access control model is a methodology for assigning permissions to users and groups. You can also secure data by using NTFS permissions in combination with share permissions, or by using encryption.
After completing this lesson, you will be able to:
 Design an access control model.
 Describe considerations when using NTFS in combination with share permissions.
 Design an Encrypting File System (EFS) policy.
 List guidelines for designing security for data.

Steps for Designing an Access Control Model

In Windows 2000 and Windows XP, you can apply access control to data and to the accounts that access data. You can use an access control model on accounts to isolate the security of resources from individual accounts. An access control model also greatly simplifies the application of security on resources.
AGDLP (account, global group, domain local group, permissions) is an access control model that you can use to implement security based on user roles in your organization. The AGDLP model places accounts in global groups, places the global groups in domain local groups, and then assigns permissions to the domain local groups.
To design an access control model based on the principle of AGDLP, follow these steps:
1. Determine access control requirements:
a. Identify the jobs and functional roles in your organization.
b. Determine the security levels for data on your network.
2. Create the access control model:
a. Create global groups that correspond to jobs or roles.
b. Create domain local groups and assign permissions to the groups.
3. Implement the model:
a. Put accounts in the appropriate global groups.
b. Put global groups in domain local groups, based on the security requirements of the global group.

Considerations for Combining NTFS and Share Permissions

You can use NTFS and share permissions together to control the security of data. NTFS permissions are in effect when a user accesses data on an NTFS volume locally or remotely. Share permissions are in effect only when the data is accessed remotely over a network, so over the network a user receives only the permissions that both the NTFS permissions and the share permissions grant.
All files and folders stored on an NTFS volume have an owner, who always has the permission to control the permissions to the resource. This ability can enable an owner to subvert a security policy enforced by an IT department. For example, a user in the Finance group creates a spreadsheet on a Finance server, which has membership restricted by a security policy to only Finance users. Because the owner of the spreadsheet has Full Control permissions on the spreadsheet, the owner could grant another user Full Control, even though that person might not belong to the Finance group.
By granting Change permissions to the group All Finance Users on the shared folder on the Finance server, the owner can still create files on the Finance server but is prevented from assigning Full Control permissions on files to other users unless the owner has local access to the volume.
For more information about NTFS and share permissions, see:
 The white paper, Default Access Control Settings, under Additional Reading on the Web page on the Student Materials CD.
 Q313398, HOW TO: Control NTFS Permissions Inheritance in Windows.
 Q318754, HOW TO: Use Xcacls.exe to Modify NTFS Permissions.
 Q301198, HOW TO: Share Files and Folders Over a Network (Domain) in Windows 2000.

Multimedia: How EFS Works

This animation shows how EFS uses both symmetric and asymmetric encryption to encrypt and decrypt data in Windows 2000 and Windows XP. The animation is located in the Media folder on the Web page on the Student Materials CD. For more information about EFS, see the white paper, Encrypting File System for Windows 2000, under Additional Reading on the Web page on the Student Materials CD.

Steps for Designing EFS Policies

EFS is a powerful tool for securing data. Used improperly, however, it can prevent legitimate users from accessing their data. To ensure the proper use of EFS in your organization, design:
1. Policies for encrypting files. If you do not have policies for properly using encryption, users may irreversibly encrypt files with no method for recovery. For example, an administrator encrypts all files on a server and then accidentally deletes his Administrator account.
2. Procedures for recovering encrypted files. Without a procedure, an administrator may expose the data recovery agent (DRA) private key to attackers, who could then use the compromised private key to decrypt all files on the network. For example, an administrator accidentally leaves a floppy disk that contains the administrator’s private key on a user’s desk.
3. A user education strategy. Train users or ensure that they take classes about how to use EFS. Without adequate training, users may be unaware of policies or may accidentally encrypt a file without knowing how to recover it. Or, lacking proper knowledge about EFS, users may have a false sense of security about its use. For example, a user may think that all files in an encrypted folder are also encrypted, and then may copy a file to a folder on a floppy disk that is not encrypted.

For more information about designing an EFS policy, see the white paper, Encrypting File System in Windows XP and Windows .NET Server, under Additional Reading on the Web page on the Student Materials CD.

Guidelines for Managing Data Securely

A proactive management strategy for data helps ensure that your data remains protected. Create policies to manage how your organization stores data and backs up data. Use auditing to ensure that access to data remains secure. Use management permissions to ensure the secure administration of data. Also determine an appropriate length of time that your organization retains data and how you use redundant hardware and hardware replacement schedules to protect against loss of data due to hardware failure.
For more information about managing data securely, see:
 The white paper, Storage Management Operations Guide, at:
maintain/opsguide/stormgog.asp.
 The white paper, Windows 2000 Server Disaster Recovery Guidelines, under Additional Reading on the Web page on the Student Materials CD.
 The white paper, Managing Windows 2000 Disks and Backup and Restore, under Additional Reading on the Web page on the Student Materials CD.

Practice: Risk and Response

For each scenario, choose whether to accept, mitigate, transfer, or avoid the risk that is presented, and then enter an appropriate security response.
Answers may vary.

Scenario: Attacker steals a portable computer that contains critical data
Risk strategy: Avoid or mitigate
Security response: Require users to access data on the network by using a Virtual Private Network (VPN) when working remotely, or use EFS to protect the data

Scenario: Many employees have physical access to data servers
Risk strategy: Avoid
Security response: Place the data server in a secure area

Scenario: Disgruntled user encrypts all files on her computer before resigning from the organization
Risk strategy: Mitigate
Security response: Create an EFS recovery policy that includes an offline DRA


Security Policy Checklist

Use the following checklist to guide your security design for data.

Phase: Planning
Task: Model threats
Details: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) and life cycle threat models
Task: Manage risks
Details: Qualitative and quantitative risk analysis

Phase: Building
Task: Create policies and procedures for:
Details:
 Using an access control model
 Implementing share and NTFS permissions
 Encrypting data using EFS
 Ensuring the secure management of data

Lab A: Designing Security for Data

After completing this lab, you will be able to apply security design concepts to data.
You are a consultant hired by Contoso Pharmaceuticals to help the company design security for its network. Each lab uses an interactive application to convey scenario-based information. To begin a lab, on the desktop, click Internet Explorer; this opens a Web page that contains links to each lab. Click a link to begin a lab.
Work with a lab partner to perform the lab.
Estimated time to complete this lab: 30 minutes
To complete a lab:
1. Read Ashley Larson’s e-mail in each lab to determine the goals for the lab.
2. Click Reply, and then type your answer to Ashley’s questions.
3. Click Send to save your answers to a folder on your desktop.
4. Discuss your answers as a class.

Important: In this lab, you can use a Microsoft Visio® file named CP File Permissions Template.vsd and add information to it. If you choose to use the template, rename the file and save it to the Lab Answers folder on your desktop for discussion.

Lab A: Designing Security for Data
Lab Questions and Answers

Answers may vary. The following are possible answers.

1. Create a threat model for the research scientists who take their portable computers to your university partners. Include a list of possible security measures that you recommend.
Students can use the R&D Portable Computer Threat Model and the Risk Statements for R&D Portable Computers document from previous labs to identify threats to the scientists’ portable computers. Likely threats to the portable computers and recommended security measures include:

Threat: Attacker steals a portable computer
Recommended security measures: Provide user awareness training, require hardware locks, encrypt security information by using EFS, and install a BIOS password

Threat: Attacker attempts to gain access to the portable computer through the network
Recommended security measures: Use Internet Connection Firewall and run antivirus software

Threat: Attacker attempts to boot the computer from special boot media to access the SAM database
Recommended security measures: Remove floppy disk and CD-ROM drives, and disable the floppy disk and CD-ROM drives in the BIOS

Threat: Scientist leaves her portable computer unattended
Recommended security measures: Use hardware locks, train scientists about how to lock their computers, and implement screen saver passwords

2. Create an access control model that will satisfy Helmut Hornig’s security needs:
• The directors in each division must be able to read all files in any division of the Finance department.
• Directors, team leads, and their teams must be able to read and modify files in their own divisions, but not in other divisions.
• Only the Finance department administrators can change the permissions on a file.
Using the AGDLP access control model as a guide, create a security group structure, assign permissions to groups, and place user accounts in the groups. Refer to the following text for a proposed solution. Also, for a proposed solution, refer to the following Visio documents: Lab 9 Finance Server File Permissions Answer and Lab 9 Security Groups Answer, under Webfiles on the Student Materials CD.
To begin, create the following groups:
• Domain local groups DL_Finance_Files_FC, DL_Finance_Files_Read, and DL_Finance_Share_Change.
• Domain local groups for each department. For example, for the Payroll department, create a domain local group named DL_Payroll_Modify.
• A global group for finance directors named GG_All_Finance_Directors.
• A global group for each division, for example GG_All_Payroll.
• A global group for the finance administrators, named GG_All_Finance_Administrators.

Next, assign NTFS permissions to the Finance files. Because the files are moving to a new server, you need to evaluate the default permissions and make any necessary changes. On Windows 2000 Server, the default NTFS permissions give full control to the Everyone group. Make the following changes:
• Change the root permissions on the volume on the Finance server where files are stored. Give full control permissions to DL_Finance_Files_FC, and read permissions to DL_Finance_Files_Read.
• Create a folder for each division. Assign modify permissions for each folder to each division’s domain local group. For example, for Payroll, give modify permissions on the Payroll folder to the group DL_Payroll_Modify.

To ensure that the users in the Finance department receive the necessary permissions, place user accounts in the following groups:
• To allow all directors to read all data files on the Finance server, place the user accounts for all directors in GG_All_Finance_Directors, and then add the group to DL_Finance_Files_Read.
• To grant all finance administrators full control over the files on the Finance server, place the GG_All_Finance_Administrators group in the DL_Finance_Files_FC group.
• To enable directors, team leads, and team members to read and modify files in their own divisions only, first place the user accounts for the team leads and team members into the global groups for their divisions. For example, place the Payroll team directors, leads, and team members in the GG_All_Payroll group. Then, place each division’s global group in the domain local group for that division. For example, to grant the Payroll staff permissions to read and modify payroll files, place the GG_All_Payroll group in the DL_Payroll_Modify group.

To ensure that users and unauthorized administrators cannot alter permissions on the finance files, take four actions:
1. Configure Group Policy Restricted Groups to enforce the membership of groups that are created for the finance files. This action will control the membership of the Finance server security groups.
2. Configure the DACL on the security groups on the Finance server to allow only finance administrators to manage group membership.
3. Enable account management auditing to track when administrators change membership in the security groups.
4. When creating the share permissions on the Finance server, remove the default permission Everyone Full Control, and grant the finance administrators full control permissions and the finance users change permissions. Create a global group named GG_All_Finance_Users that contains the global groups of each of the five finance divisions. Place this global group in DL_Finance_Share_Change, and grant the domain local group Change control on the share. By granting Change control to users in the Finance department, users will be prevented from altering permissions on files that they own.
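The AGDLP structure from this lab answer, the steps on the Steps for Designing an Access Control Model page, and the NTFS-plus-share rule from the Considerations for Combining NTFS and Share Permissions page, worked through in one added Python model that is not code from the courseware. Group, folder and share names are the lab's; the account names, file paths and simplified rights sets are constructed, an Accounting division stands in for the other four divisions, and using DL_Finance_Files_FC for the administrators' share permission is an assumption (the lab does not name that group).

```python
"""AGDLP for the Contoso Finance server, with the NTFS-plus-share rule.

Added example, not the courseware's own code. Group, folder and share names
follow the lab answer; account names, file paths and the rights sets are
constructed simplifications. Paths use "/" so the model runs anywhere.
"""

# Simplified rights; only Full Control (and, implicitly, the NTFS owner)
# carries the right to change permissions.
READ = frozenset({"read"})
MODIFY = frozenset({"read", "write", "delete"})      # NTFS Modify
CHANGE = frozenset({"read", "write", "delete"})      # share Change
FULL = frozenset({"read", "write", "delete", "change_permissions"})

# A -> G: accounts (constructed) placed in global groups by job role.
GLOBAL_GROUPS = {
    "GG_All_Finance_Directors": {"dir_payroll", "dir_accounting"},
    "GG_All_Payroll": {"dir_payroll", "lead_payroll", "clerk_payroll"},
    "GG_All_Accounting": {"dir_accounting", "clerk_accounting"},
    "GG_All_Finance_Administrators": {"finadmin"},
}
# The lab's GG_All_Finance_Users contains the division global groups.
NESTED_GLOBAL = {"GG_All_Finance_Users": {"GG_All_Payroll", "GG_All_Accounting"}}

# G -> DL: global groups placed in domain local groups.
DOMAIN_LOCAL = {
    "DL_Finance_Files_FC": {"GG_All_Finance_Administrators"},
    "DL_Finance_Files_Read": {"GG_All_Finance_Directors"},
    "DL_Payroll_Modify": {"GG_All_Payroll"},
    "DL_Accounting_Modify": {"GG_All_Accounting"},
    "DL_Finance_Share_Change": {"GG_All_Finance_Users"},
}

# DL -> P: NTFS permissions on the volume root (inherited below it) and on
# each division folder, with the default Everyone Full Control removed.
NTFS_ACLS = {
    "Finance": {"DL_Finance_Files_FC": FULL, "DL_Finance_Files_Read": READ},
    "Finance/Payroll": {"DL_Payroll_Modify": MODIFY},
    "Finance/Accounting": {"DL_Accounting_Modify": MODIFY},
}
# Share: administrators Full Control (DL_Finance_Files_FC assumed; the lab
# does not name the group), Finance users Change.
SHARE_ACL = {"DL_Finance_Files_FC": FULL, "DL_Finance_Share_Change": CHANGE}


def groups_of(user: str) -> set:
    """Every group the user's token would carry, following AGDLP nesting."""
    groups = {g for g, members in GLOBAL_GROUPS.items() if user in members}
    for parent, children in NESTED_GLOBAL.items():
        if children & groups:
            groups.add(parent)
    groups |= {dl for dl, members in DOMAIN_LOCAL.items() if members & groups}
    return groups


def ntfs_rights(user: str, path: str, owner: str = None) -> set:
    """Rights from every ACL on the path or an ancestor (inheritance), plus
    the owner's implicit right to change permissions."""
    groups = groups_of(user)
    rights = set()
    for acl_path, acl in NTFS_ACLS.items():
        if path == acl_path or path.startswith(acl_path + "/"):
            for group, granted in acl.items():
                if group in groups:
                    rights |= granted
    if owner == user:
        rights.add("change_permissions")
    return rights


def effective_rights(user: str, path: str, owner: str = None,
                     remote: bool = True) -> set:
    """Over the network only rights present in both the NTFS and the share
    permissions apply; local access is governed by NTFS alone."""
    rights = ntfs_rights(user, path, owner)
    if remote:
        groups = groups_of(user)
        rights &= set().union(*(r for g, r in SHARE_ACL.items() if g in groups))
    return rights


def demo() -> dict:
    """Hornig's three requirements and the owner scenario; files constructed."""
    payroll_file, ledger = "Finance/Payroll/salaries.xls", "Finance/Accounting/ledger.xls"
    return {
        "clerk_own_division": effective_rights("clerk_payroll", payroll_file),
        "clerk_other_division": effective_rights("clerk_payroll", ledger),
        "director_other_division": effective_rights("dir_accounting", payroll_file),
        "admin": effective_rights("finadmin", payroll_file),
        # The owner holds change_permissions on NTFS, but the share's Change
        # permission keeps it out of reach over the network.
        "owner_remote": effective_rights("clerk_payroll", payroll_file, owner="clerk_payroll"),
        "owner_local": effective_rights("clerk_payroll", payroll_file, owner="clerk_payroll", remote=False),
    }
```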