Network Access Control Lists (ACLs)

Learn to design firewall rules using Layer 3 (source/destination IP) and Layer 4 (protocol and port) criteria to secure enterprise subnets.

Scenario Objectives: Protect the Finance Subnet

Your task is to configure the router ACL rules controlling traffic flowing into the Finance Subnet. You must satisfy the following security policies:

  • Allow Finance workstations (IP range: 10.0.1.0/24) to access the Finance Subnet.
  • Allow external mail traffic on TCP port 25 (SMTP) and web traffic on TCP port 443 (HTTPS) to reach the Finance Subnet.
  • Block all traffic coming from the Human Resources subnet (10.0.2.0/24) and Development subnet (10.0.3.0/24) to the Finance Subnet.
  • Enforce an implicit deny at the lowest priority: a final catch-all deny rule so that any traffic not matched by an earlier rule is dropped.

ACL Rule Configurator

Define a new rule and add it to the ACL table below. Rules are evaluated top-to-bottom, and the first matching rule decides the action.

Priority Action Source Protocol:Port Actions

Network Traffic Simulator

Finance WS
HR Workstation
Dev Workstation
ACL
Finance Subnet (10.0.4.0/24)
Finance DB

Windows File System Permissions (NTFS)

Understand the Windows Access Control Model: security groups, inheritance, and permission overrides.

Scenario Objectives: Secure the Confidential Folder

You need to configure the NTFS permissions for the directory D:\EnterpriseShare\Confidential. You have the following requirements:

  • Disable inheritance from the parent directory (D:\EnterpriseShare) so the folder starts with a clean, explicit ACL.
  • Grant Finance-Group Read, Write, and Modify permissions, but not Full Control.
  • Grant HR-Group Read only; they must not be able to Write or Modify files.
  • Deny all access to the group All-Employees. (An explicit Deny entry is evaluated before Allow entries, so any Finance-Group or HR-Group member who is also in All-Employees would be blocked by it.)

File Explorer

D:\EnterpriseShare (Parent)
Confidential
Confidential Properties

Group or user names:

Finance-Group (FIN-SEC)
HR-Group (HR-SEC)
All-Employees (Domain Users)

Permissions for Finance-Group

Permissions: Allow Deny
Full Control
Modify
Read & Execute
List Folder Contents
Read
Write

Linux Permissions & Ownership

Master standard Linux user/group/others (ugo) permissions, symbolic & octal chmod, chown, and chgrp.

Scenario Objectives: Secure Web Assets

You need to secure two files in the shared web directory /var/www/html:

  • The file index.html must have read/write for owner, read-only for group, and no access for others.
  • The deployment script deploy.sh must have read/write/execute permissions for the owner, read/execute for the group, and no access for others.
  • Set the owner of both files to web-admin.
  • Set the group of both files to developers.

File Permissions View

index.html
-rwxrwxrwx root root
deploy.sh
-rwxrwxrwx root root

Quick Linux Octal Guide

Read (r) = 4
Write (w) = 2
Execute (x) = 1
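As an added example (not part of the lab's simulator), the shell script below turns the mode column of an `ls -l` listing into octal using the table above and prints the chmod/chown commands needed to bring each file in line with the scenario policy. The listing is constructed to mirror the File Permissions View (everything -rwxrwxrwx, owned by root:root).

```shell
#!/bin/sh
# Added example (not part of the lab): audit an ls -l style listing against the
# scenario's policy and print the chmod/chown commands needed to fix each file.

# Convert one rwx triplet (e.g. "r-x") to its octal digit: r=4, w=2, x=1.
triplet_to_digit() {
  d=0
  case $1 in r??) d=$((d + 4)) ;; esac
  case $1 in ?w?) d=$((d + 2)) ;; esac
  case $1 in ??x|??s|??t) d=$((d + 1)) ;; esac
  echo "$d"
}

# Convert the 10-character mode column from ls -l (e.g. -rwxrwxrwx) to
# three octal digits (owner, group, others); setuid/setgid/sticky are ignored.
symbolic_to_octal() {
  u=$(triplet_to_digit "$(printf '%s' "$1" | cut -c2-4)")
  g=$(triplet_to_digit "$(printf '%s' "$1" | cut -c5-7)")
  o=$(triplet_to_digit "$(printf '%s' "$1" | cut -c8-10)")
  echo "$u$g$o"
}

# Required end state from the scenario, one entry per line: file:mode:owner:group.
# index.html = rw-r----- (640), deploy.sh = rwxr-x--- (750), both web-admin:developers.
POLICY='index.html:640:web-admin:developers
deploy.sh:750:web-admin:developers'

# Constructed listing mirroring the page's File Permissions View:
# mode owner group name, everything world-writable and owned by root.
LISTING='-rwxrwxrwx root root index.html
-rwxrwxrwx root root deploy.sh'

# Compare each policy entry with the listing; print one remediation command per
# deviation (nothing is printed for a compliant file).
remediation() {
  printf '%s\n' "$POLICY" | while IFS=: read -r file want_mode want_owner want_group; do
    line=$(printf '%s\n' "$LISTING" | awk -v f="$file" '$4 == f')
    if [ -z "$line" ]; then echo "# $file: not present in listing"; continue; fi
    set -- $line   # $1=mode $2=owner $3=group $4=name
    have_mode=$(symbolic_to_octal "$1")
    [ "$have_mode" = "$want_mode" ] || echo "chmod $want_mode $file"
    [ "$2:$3" = "$want_owner:$want_group" ] || echo "chown $want_owner:$want_group $file"
  done
}

remediation
```

Against the constructed listing it prints four commands (a chmod and a chown for each file); replace LISTING with real `ls -l` output to audit a live directory.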
bash - web-admin@enterprise-server: /var/www/html

Type "help" to list available commands. Task: Secure the files according to policy requirements.
