
IST346: Lab Last Update: 2/11/2010 9:39 PM

L03 WORKSTATIONS

OVERVIEW

This lab will help you understand the management issues associated with computer workstation operating systems and demonstrate how to issue commands to maintain them.

LEARNING OBJECTIVES

Upon completion of this lab, you should be able to

Demonstrate and explain the user security models used by the Windows and Linux operating systems.

Understand the steps required to patch and update these operating systems.

Define configuration management with an eye towards how it is used in practice.

Understand how the Windows and Linux operating systems handle configuration data internally.

LAB BREAKDOWN

This lab consists of 3 parts:

1. Explore OS configuration management.

2. Introduce the user security models used by these Operating Systems.

3. Learn to patch and update Operating Systems.

REQUIREMENTS

Before you start this lab you will need:

1. Your PSD (Portable Storage Device) connected to a lab computer, or a computer running VMware Server 1.09 / VMware Workstation 6.X.

2. These virtual machines, from the VM Garden, on your PSD:

a. Centos5 (Centos Linux 5)

b. Vista1 (Windows Vista)

3. Configure the network interfaces on Vista1 and Centos5 to use NAT (if they’re not already).

4. Start up the Centos5 virtual machine:

a. Double click on the shortcut inside the folder. This will open the virtual machine in VMware.

b. Click on the power on button in VMware to start the virtual machine.

c. When the logon prompt appears, log on as User with password SU2orange!

d. Open the Bash prompt: Applications → Accessories → Terminal

5. Startup the Vista1 virtual machine:

a. Double click on the shortcut inside the folder. This will open the virtual machine in VMware.


b. Click on the power on button in VMware to start the virtual machine.

c. When the logon prompt appears, log on as User with password SU2orange!

d. Open the Windows Command Prompt: Start → All Programs → Accessories → Command Prompt.

PART 1 – CONFIGURATION MANAGEMENT

This section will introduce and demonstrate how the Windows and Linux operating systems deal with configuration data internals.

ALL COMPUTER OPERATING SYSTEMS NEED CONFIGURATION DATA.

Operating systems contain a lot of files to support the kernel, device drivers, command shells, GUI shells and various utilities. For each of these items there are settings. These settings tweak the behavior of the operating system components. Where are those settings stored and how can they be administered on a larger scale? These settings (from the system side of things, anyway) are the underlying theme of this section.

Example: Both Windows and Linux let you change how the mouse behaves.

You might wonder – why should we care? After all, can’t we just use the “control panel” dialogs of the operating system to configure these settings? Isn’t that the reason they exist in the first place? Sure but again we must come back to scale - what if you had to change the highlighted setting in the example above on 400 lab computers? I guess you could do a little “sneaker net” and pay a visit to each computer, but as the infomercials claim “there’s got to be a better way.”

HOW LINUX AND WINDOWS STORE CONFIGURATION DATA:

The Linux operating system stores configuration data in the /etc folders on the filesystem. These folders are /etc for system settings and /usr/etc or /usr/local/etc for user settings. In addition, user settings associated with the user’s profile are stored in hidden directories in the user’s home folder. In Linux hidden directories begin with a period “.”


Since Linux settings are simply files and folders they’re easy to backup and copy from one system to the next. There is a lack of uniformity among the settings files, which can make the learning curve a little steep.

The Windows operating system stores its configuration data in the Registry (for details about the registry, see http://en.wikipedia.org/wiki/Windows_Registry). The Registry is simply a hierarchical database of configuration settings for users, computers and system services.

The Windows Registry is a massive, complex beast, but at least it has uniform consistency among the settings for various applications and services. One major knock on the registry is that since it is a database it is difficult to simply back up and restore single settings. The registry can also get corrupted, leading to problems as well.

To deal with the complexity of the Windows registry and the myriad of settings that go with it, SA’s use tools like Group Policy to control the settings on multiple machines. Group Policy is so complex, you could probably dedicate an entire course to the subject! This URL: http://support.microsoft.com/kb/307882 has a step-by-step walk-through of local group policy settings if you’re interested in a 10 minute sidebar.

PART 1A: IP CONFIGURATION SETTINGS IN LINUX

We learned last week that the ifconfig command will report the computer’s IP address, MAC address, etc. Where is this configuration data stored in Linux?

1. Open the Bash command prompt.

2. Type in /sbin/ifconfig to once again view your network settings. The default network interface is named eth0.

3. The network card settings for eth0 are in this file:

/etc/sysconfig/networking/devices/ifcfg-eth0

So you can use the cat command to view the network settings. Type this:

cat /etc/sysconfig/networking/devices/ifcfg-eth0

4. The DNS information can be found here: /etc/resolv.conf

5. Information obtained from the DHCP server can be found here:

/var/lib/dhclient/dhclient-eth0.leases

6. To view each of these files, again use the cat command. Example:

cat /etc/resolv.conf

cat /var/lib/dhclient/dhclient-eth0.leases

As you can see the Linux information is spread all over the place, but at least the files are easy to backup and copy.
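The three files from Part 1A can be read by one script, which also shows that on a DHCP-configured interface the address itself is only in the lease file. This is an added example, not part of the original lab; the ROOT prefix, the function names and the sample file contents (documentation-range addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): one report from the three files in Part 1A.
# ROOT is a hypothetical prefix so the script can run on copied files instead of /.

# ifcfg_get FILE KEY: print the value of KEY=value, with surrounding quotes removed.
ifcfg_get() {
    awk -F= -v k="$2" '$1 == k { v = $2; gsub(/^"|"$/, "", v); print v; exit }' "$1"
}

# resolv_nameservers FILE: print the nameserver addresses, comma-separated.
resolv_nameservers() {
    awk '$1 == "nameserver" { s = s (s == "" ? "" : ",") $2 } END { print s }' "$1"
}

# lease_get FILE FIELD: print FIELD from the last lease block, which is the current lease.
lease_get() {
    awk -v f="$2" '
        $1 == "lease" { val = "" }                    # newer block: drop older values
        { i = ($1 == "option") ? 2 : 1
          if ($i == f) { val = $(i + 1); sub(/;$/, "", val) } }
        END { print val }' "$1"
}

# ip_report ROOT: with BOOTPROTO=dhcp the address is only in the lease file.
ip_report() {
    cfg=$1/etc/sysconfig/networking/devices/ifcfg-eth0
    proto=$(ifcfg_get "$cfg" BOOTPROTO)
    if [ "$proto" = dhcp ]; then
        addr=$(lease_get "$1/var/lib/dhclient/dhclient-eth0.leases" fixed-address)
        src=lease
    else
        addr=$(ifcfg_get "$cfg" IPADDR)
        src=ifcfg
    fi
    echo "proto=$proto addr=$addr from=$src dns=$(resolv_nameservers "$1/etc/resolv.conf")"
}

# make_sample DIR: write constructed sample files (documentation-range addresses).
make_sample() {
    mkdir -p "$1/etc/sysconfig/networking/devices" "$1/var/lib/dhclient"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' \
        > "$1/etc/sysconfig/networking/devices/ifcfg-eth0"
    printf '; constructed sample\nnameserver 192.0.2.2\n' > "$1/etc/resolv.conf"
    cat > "$1/var/lib/dhclient/dhclient-eth0.leases" <<'EOF'
lease {
  interface "eth0";
  fixed-address 192.0.2.130;
  option domain-name-servers 192.0.2.2;
}
lease {
  interface "eth0";
  fixed-address 192.0.2.131;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.2;
}
EOF
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
ip_report "$SAMPLE"
rm -rf "$SAMPLE"
```

On the lab VM itself, ip_report / reads the real files; the copy-based form is what makes the same check usable against a backup.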

PART 1B: IP CONFIGURATION SETTINGS IN WINDOWS

The ipconfig windows command displays the computer IP information. Where is this configuration data stored in Windows?

1. Click on Start → Run. Type in regedit to run the registry editor.

2. Double-click through the following Registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{057E4C96-1B6F-4A32-908C-892ED9D0E447}


3. In the Right side of the registry editor you will see the IP information.

All of the Windows information is consolidated into one large database. Convenient, but locating a specific setting can be akin to locating a needle in a haystack!

QUESTIONS

Q 1.1 What is the IP Address of your Windows Vista1 virtual machine?

Q 1.2 What is the IP Address of your Linux Centos5 virtual machine?

Q 1.3 What is the nameserver (DNS server) used by your Windows Vista1 virtual machine?

Q 1.4 What is the nameserver (DNS server) used by your Linux Centos5 virtual machine?

Q1.4 What Linux command could you type to make a backup copy of the resolv.conf file called resolv.conf.bak?

PART 2 – USER SECURITY MODELS

LEAST PRIVILEGE

Just like you don’t need to be a mechanic to drive a car, you don’t need to be an SA to use a computer. But some IT shops give their end-users full administrative access to their systems, which is akin to doling out a repair manual and complete toolbox with every car! In most circumstances the knowledge and task workers that use their office computers should not need administrative rights to their own systems, and those that do will suffer “entropy” or “system degradation” at a more rapid pace than those who do not. Why? It is far too easy to inadvertently change your system or install unwanted software without your knowledge when you’re an administrator. In fact, surfing the web as admin makes it far too easy for attackers to infect your computer with malware (http://en.wikipedia.org/wiki/Malware).


Malware: Have you ever said “yes” to a dialog like this?

A user not running under administrative credentials cannot install this software application.

SECURITY MODELS WALK-THRU

In this section we will explore the user security models of the Windows and Linux operating systems. The recipe for both operating systems will be the same, and we’ll walk you through the steps in the section below.

1. Elevate your rights to Administrator/root.

2. Create 2 new users called Tony and Mary with password SU2orange!

3. Log on to the computer as user Tony and create some content in your home directory.

4. Then log on as Mary and attempt to edit the same content.

5. Then log on as root/Administrator and again attempt to edit the same content.

PART 2A: FIRST, IN LINUX USING THE CENTOS5 VM CLI:

Note: Each of these commands should be entered from the Linux bash prompt.

THE SETUP: ADDING THE TONY AND MARY ACCOUNTS

1. Who are you? Type: whoami to get the effective username of the current running user. You should be a user named User.

2. Users don’t have full rights to the system. For example you cannot create another user. Try this: /usr/sbin/useradd and you should see an error message Permission Denied. This is a good thing as it prevents users from “inadvertently” placing a workstation out of a desired / configured state.

3. What if you *need* to add a user? Then you must elevate your rights to a level with permissions to execute the command. In the Unix world, this is “root”; in the Windows world, it is “Administrator.” Type: su - (yes, that’s a hyphen) and then enter the root password SU2orange! This will log you in as root. Now you’ve got the keys to the kingdom, baby! To verify, you can type whoami again and you should now see root.

4. Okay, now we can get down to business. Let’s create 2 users and set their passwords to SU2orange!: Enter each of these commands into the bash prompt, one at a time.

useradd tony

useradd mary

passwd tony

passwd mary

Note: the passwd command will prompt you to enter a password; enter SU2orange!

5. Now that you’ve made the Tony and Mary accounts it is time to hang up your administrative hat. Type: exit to logout of the root account. Type: whoami to verify you are indeed the User again.

UNDERSTANDING HOW USER SECURITY WORKS IN LINUX

1. Now it’s time to experience first-hand how the Linux user security model works. First log in as user Tony, type: su -l tony (It’s an “L” not a “1”) and enter Tony’s password of SU2orange!. Verify you’re logged in as tony by typing whoami

2. As you may recall, a home directory is a user’s personal space for files. The security model of most operating systems is that only the user or administrator has access to a user’s home directory. Make sure you’re in Tony’s home directory by typing: pwd (print working directory). The response should be the /home/tony directory. If it is not, repeat step one, as you did something wrong. (If whoami returns user tony, then you can try to change to Tony’s home directory by typing cd ~ )

3. Let’s create a private message, type: gedit private-message.txt & (don’t forget the & symbol to return to the command prompt!) This will open the GEdit utility. Enter some text, save it and exit the GEdit program. You can verify the file is there by typing: cat private-message.txt

4. Now, let’s try and get to the file as user Mary. Type: exit to log out as Tony, then type: su -l mary to log on as Mary. You will have to enter Mary’s password of SU2orange! Finally, verify you’re really Mary with a whoami command.

5. And finally try to open the private-message.txt file. We’re fairly certain you won’t be able to do it. For example if you type: cd /home/tony or cat /home/tony/private-message.txt you will see the Permission Denied error. Yeah! It works! Note: later on in the course we will look at how you can manipulate security to allow Mary access to the file.

6. Type exit to logout as user Mary. You should once again be User
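The check that produces Permission Denied for Mary in step 5 can be traced by hand. The script below is an added example, not part of the original lab: it applies the owner/group/other permission rule to a constructed listing of the path to Tony's file. The UIDs and GIDs (501 for tony, 502 for mary) and the modes (700 on the home directory, 664 on the file) are assumed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the lab): the permission check behind "Permission denied"
# in Part 2A. UIDs, GIDs and modes are constructed; 700 on the home directory and
# 664 on the file are assumed defaults.

# Constructed listing in `stat -c '%a %u %g %n'` form, root directory first.
LISTING='755 0 0 /
755 0 0 /home
700 501 501 /home/tony
664 501 501 /home/tony/private-message.txt'

# dac_allows MODE OWNER_UID OWNER_GID REQ_UID REQ_GID BIT   (BIT: 4 = read, 1 = traverse)
dac_allows() {
    [ "$4" -eq 0 ] && return 0            # root bypasses read and traverse checks
    perms=$((0$1))                        # leading 0: parse the mode as octal
    if   [ "$4" -eq "$2" ]; then class=$(( (perms >> 6) & 7 ))  # owner: owner bits only
    elif [ "$5" -eq "$3" ]; then class=$(( (perms >> 3) & 7 ))  # group member: group bits
    else                         class=$((  perms       & 7 ))  # everyone else
    fi
    [ $(( class & $6 )) -ne 0 ]
}

# check_read LISTING FILE REQ_UID REQ_GID: walk from / down to FILE like the kernel does.
# Simplification: one group per user, no ACLs.
check_read() {
    file=$2 ruid=$3 rgid=$4 found=0
    while read -r mode ouid ogid path; do
        case "$file" in
            "$path")        bit=4; found=1 ;;   # the file itself needs read
            "${path%/}"/*)  bit=1 ;;            # each ancestor directory needs traverse (x)
            *)              continue ;;
        esac
        if ! dac_allows "$mode" "$ouid" "$ogid" "$ruid" "$rgid" "$bit"; then
            echo "denied at $path (mode $mode)"
            return 1
        fi
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ] || { echo "not listed: $file"; return 1; }
    echo "allowed"
}

# Same tree with Tony's home directory opened up to 755.
RELAXED=$(printf '%s\n' "$LISTING" | sed 's|^700 \(.* /home/tony\)$|755 \1|')

F=/home/tony/private-message.txt
echo "tony:            $(check_read "$LISTING" "$F" 501 501)"
echo "mary:            $(check_read "$LISTING" "$F" 502 502)"
echo "root:            $(check_read "$LISTING" "$F" 0 0)"
echo "mary, home 755:  $(check_read "$RELAXED" "$F" 502 502)"
```

With these sample modes the file itself is world-readable; the denial comes from the 700 home directory, which is why the last line reports Mary as allowed once that directory is 755.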

PART 2B: WINDOWS VISTA1 VM CLI:

Note: Each of these commands should be entered from the command prompt in your vista1 vm.

Windows Vista introduces a new security concept called User Account Control or UAC. The design behind UAC is to elevate the user’s rights to the Administrator’s level as needed to complete the task – at the moment the task is launched. It is important to note that the existing user’s rights are elevated as opposed to assuming the identity of another user as in the case of the su command on Linux. UAC avoids the need to even use the Administrator account in the Windows operating system, and this account is actually disabled in default installations. UAC can be turned off, and when it is off the security model behaves like the Linux example in Part 3a. You can learn more about UAC by visiting: http://technet.microsoft.com/en-us/library/cc709691%28WS.10%29.aspx

Note: We will leave UAC enabled in our Windows operating systems to present a different perspective on security.

Let’s get it started…

1. From your windows command prompt, type whoami you should be logged on as User. Try to add the user Tony, by typing net user tony /add you will see the cryptic system error 5 access is denied. Bummer. But expected.

2. What we need to do is elevate the User account to the Administrator level so that we can run the administrative commands. To do this, we need to re-launch the command prompt in a special way: Start → All Programs → Accessories → right-click on Command Prompt and choose Run as Administrator from the context menu. You should now have two command prompts, one of which is at the Administrator level:

Tale of two command prompts (notice both are logged on as user):

6. Now from the Administrator: Command Prompt, let’s make some user magic. Type:

net user tony /add

net user mary /add

net user tony *

net user mary *

Once again: be sure to enter SU2orange! for Tony’s and Mary’s password. You may now close the Administrator: Command Prompt by typing the exit command.


7. Now back in the “regular” command prompt, to log on as Tony and open a command prompt, type: runas /profile /user:tony cmd.exe and enter Tony’s password SU2orange! You’ll see yet another window that’s all about Tony.

8. Change into Tony’s home directory: cd %userprofile% and type cd to verify you’re in the correct place: c:\Users\Tony

9. Next, let’s make Tony’s private message: notepad private-message.txt and type in some text and save and close notepad. You can verify the file (and its contents) are there by typing: type c:\users\tony\private-message.txt if the file is present, type: exit to logout as Tony.

10. Back at the regular command prompt, let’s log on as mary, type: runas /profile /user:mary cmd.exe and for grins try to open the private message. Enter the command: type c:\users\tony\private-message.txt and bet you can’t do it! You should see Access is Denied… and that’s a good thing.

11. Final note: in mary’s command prompt type: tasklist /v | find "cmd.exe" and you should see 2 cmd.exe’s running, one as VISTA1\user and the other as VISTA1\mary, of course!

QUESTIONS

Q2.1 Through these exercises you added 2 users. What is the problem with using this approach to add 1000 users?

Q2.2 What is the Linux command to set a user’s password?

Q2.3 Why doesn’t the useradd command work unless you’re logged in as the user root?

Q2.4 We added the Tony account to both Windows and Linux hosts. Do you foresee any maintenance issues with having one user with two separate logons?

Q2.5 When you run something as administrator using UAC which user’s credentials are used to run the program - the users’ or the administrators’?

Q2.6 What command do you enter at the windows command prompt to find all the processes being run by the user Mary? Hint: See Part 3b Step 11

Q2.7 What command do you type at the Linux bash prompt to find all processes being run by the user Mary? Hint: Linux equivalent to Part 3b Step 11

PART 3 – PATCHING OPERATING SYSTEMS

Important! Please complete the requirements before beginning the lab.

A WORD ABOUT PATCHING IN THE ENTERPRISE

It goes without saying – updating and “patching” your systems is a critical administrative task. The complexity of computer software makes it inherently buggy, and routinely updating your system is the first line of defense in keeping the malware off your systems.

Today, it is easier than ever to keep your systems up to date, and some SA’s are “patch-happy” – blindly updating their systems on a routine schedule. Once in a while there can be unintended consequences of this practice. For example, an update can break some critical system functionality or a legacy application. When this happens, you’ll have to roll back your operating system patches – if you’re fortunate enough to figure out which patch is causing the problem!

To avoid these types of issues, and other potential “CLM’s” (Career limiting moves), it is good practice to review your patches before installing them, and roll them out using the “one-some-many” approach. That way, in the worst case you break a few systems rather than bringing the entire company down for an afternoon!

Note: You need administrative rights to install updates to the Operating System.

PART 3.A PATCHING WINDOWS SYSTEMS

Windows patches can be installed using the wuapp.exe utility. This utility launches Windows Update, Microsoft’s patch-management solution.

Windows Update in Action:

Notice the shield on the Install Updates button. This means UAC will kick in and elevated user rights are required to install the updates.

You try it! Install updates on your Vista1 VM until it is current. Reboot your computer when the updates are complete.

WHAT IF YOU NEED TO UNINSTALL A WINDOWS UPDATE?

Rest assured, the day will come when you need to roll back a Windows update. How does one accomplish this task? Well, until we get into PowerShell there isn’t a command-line interface for Windows Updates, so to uninstall them you’ll need to use the control panel:


PART 3.B PATCHING LINUX SYSTEMS

Since Linux is open-source, the patch management tends to be more flexible than its windows counterpart, and the same vehicle which patches the operating system can also be used to add and remove the components of the operating system. To accomplish this we use the yum utility.

A screenshot of yum in action:

You Try it! Update your Centos5 VM

1. Open a Bash Prompt

2. Switch to the root user, type: su - and then enter the password SU2orange!

3. As the root user, type: yum update and follow the on-screen prompts.

4. Reboot your computer to apply the updates, type: reboot

QUESTIONS

Q3.1 Why do operating systems need to be patched?

Q3.2 Why do you need administrator’s rights to patch the operating system?

Q3.3 Does the approach to patching the Windows and Linux operating systems explained in this section scale to 100’s of computers - Why or why not?

Q3.4 What are the potential problems with automatically patching your systems?

Q3.5 What are the potential benefits of automatically patching your systems?

THIS CONCLUDES OUR LAB.

TO AVOID DATA LOSS, POWER OFF ALL VIRTUAL MACHINES BEFORE DISCONNECTING YOUR PSD
