Assessment 2 Operating Systems and Application Security Hardening
In this assessment, students will be required to design and implement a corporate identity and access management solution. This is a practical assessment, you will need to conduct research to determine the requirements and controls and fully implement your findings using virtual machines. It is an individual assessment which will be submitted in the form of a report.
The first task will commence with determining the security requirements for this environment. Consideration should be given to both the security requirements of the environment itself (e.g. ensuring confidentiality, integrity and availability of the identity/access data itself) and the security implications that the identity and access management system will have on other corporate systems (e.g. ensuring it has the flexibility to support a variety of security best practices for other systems which use it as an identity / access control source). Students should refer to one or more cybersecurity frameworks (e.g. the Australian Signals Directorate Strategies to Mitigate Cybersecurity Incidents, or the NIST Cybersecurity Framework) when making recommendations in their report.
Once the security requirements have been considered, students must detail the specific security hardening controls that they will implement in a virtual machine environment to address these requirements. It would be expected that the noted security hardening requirements will have associated controls implemented in the virtual machine environment. N.B. This assessment should be considered from the perspective of a real-world organisation. As such, the fact that this is a case study environment is not grounds for non-implementation of security controls. Additional specification of the target environment is outlined in the Assessment Scenario section of this document.
The second major task will be to comprehensively document the security control implementation in a virtual machine environment which consists of at least one management server, one internal (managed) Windows client, one internal (managed) Linux client and one BYOD (unmanaged) device. A minimum of two case study services must be implemented and integrated with the identity and access management solution, a file server (demonstrated on all client devices) and user logon (demonstrated on the managed client devices). Additional case study services may also be implemented.
Additional virtual machines may be required to fully explore and demonstrate the implemented security functionality. The documentation of this process should start from the installation of the guest operating systems and conclude with a fully operational and secure corporate environment. Although all stages of the implementation should be documented, the focus of the implementation documentation should be on security controls.
In summary, this report consists of two major sections (in addition to an executive summary, introduction, conclusion and reference list):
1. Investigation (in concert with one or more suitable cybersecurity frameworks) and design of a secure corporate identity and access management solution. This should be followed by an indication and discussion of the specific controls that will be implemented in Section 2, including justifying why they are important, and if any controls will not be implemented, justifying their exclusion.
INFT 5033 – Operating Systems and Application Security Page 2 of 3
2. Practical implementation of the environment using virtual machines. This section is to be documented via the use of annotated screenshots. Please ensure that the screenshots are comprehensive as the virtual machines will not be submitted as part of this assessment. While all sections of the implementation need to be documented, additional focus (screenshots) should be made on sections of the implementation that relate to Operating System and Application security (in contrast to general setup).
The word limit for this assessment is 2,500 words, however the implementation screenshots and their associated (brief) annotations do not count towards the word limit.
You must also ensure that your design and implementation meet the client requirements (outlined below).
Your identity and access management (IAM) solution should be built and secured for the fictional organisation LargeCorp. LargeCorp have three physical sites across a variety of geographical locations. Their internal organisational divisions include: Research and Development, Manufacturing, Human Resources, Finance, Information Technology Services and Marketing. R&D and Manufacturing staff are present at all LargeCorp sites whereas HR, Finance, IT and Marketing are all based at the LargeCorp head office.
Client Requirements: LargeCorp supports both Windows and Linux clients and servers. They are a complex organisation with a variety of departments and subsections. They would like to delegate appropriate rights to managers within their organisation to allow for a level of self-service within the IAM system. While they have asked you to follow justified best practice, they have two specific requests based on their readings: support for multi-factor authentication and automated lifecycle management for user accounts (and other objects where possible).
LargeCorp have requested that all best practices for maintaining confidentiality and integrity of their data and systems be employed. Industry standards require that a justifiably appropriate amount of audit data be collected from identity and access management transactions.
All functionality must be “on-premises”, e.g. cloud hosted storage/security services cannot be leveraged.
There will be numerous guides/walkthroughs/etc. on the internet which will discuss processes for setting up an identity and access management solution. You should carefully consider the reputability of your sources (which will need to be cited in your report). The aim of this assessment is for you to demonstrate your technical security knowledge and understanding, based on your research, not a demonstration of your ability to follow steps devised by others. Hence, it is recommended that you follow reputable guidance from sources such as NIST and the ASD at a high level, but design and implement detailed technical security solutions that you devise. Of course, you can refer to security guidance from product vendors and other reputable sources as part of the process of designing your solutions, however each of the security measures that you choose to implement from within their guidance, and the means you choose to implement them, must be technically justified in the report.
INFT 5033 – Operating Systems and Application Security Page 3 of 3
While it may be possible to build upon some of the practical activities completed in this course, they do not provide sufficient functionality and/or security controls for this assessment on their own.
Although you are asked to reference suitable frameworks/guidelines as part of this assessment, please keep in mind that this is a technical assignment and the weighting of the assessment subcomponents substantially favours the technical discussion and implementation in the assessment. In turn, the majority of the discussion in the report should be technical in nature.
There should be a discernible flow between the two major sections of the report. The reader should be able to easily see the process that was followed to determine what security measures would be required in this scenario, which specific controls are necessary to implement these measures and that each of the controls was practically implemented. It may be beneficial to include summary tables and control identifiers, which transcend the individual sections, to help support these links.
Presenting synonymised (or similarly appropriated) content from other sources is not an appropriate approach for any element of this assessment and will not attract any marks. All content must be either original or appropriately paraphrased and synthesised, preferably from multiple sources. Any content (or ideas) in the report which is not the student’s own original research or implementation results must be clearly and correctly referenced, both in-text and in the reference list. Failure to include both an in-text and reference list citation for this content will result in no marks being awarded for the relevant content and may result in an academic integrity investigation. This is an individual assessment, students should not collaborate with any other person on any element of this assessment.
VMware Workstation can be downloaded for use in this assessment on your home PC via onthehub: https://unisa.onthehub.com. You will need to create an account using your student email address if you have not used this service before.
Microsoft Windows Server and Windows 10 can be sourced from: https://azureforeducation.microsoft.com/devtools.
Such a cheap price for your free time and healthy sleep
All online transactions are done using all major Credit Cards or Electronic Check through PayPal. These are safe, secure, and efficient online payment methods.