School of Computer Science – Coursework Issue Sheet
Session 2019/20 Semester 2
Module Name Computer Security Code COMP3006
Module Convenor(s)
(CW Convenor in Bold)
Michael Pound

Coursework Name Portfolio of Lab Work Weight 40%
Deliverable
(a brief description of what is
to be handed-in; e.g.
‘software’, ‘report’,
‘presentation’, etc.)
Written report
Format
(summary of the technical
format of deliverable, e.g.
“C source code as zip file”,
“pdf file, 2000 word max”,
“ppt file, 10 slides max”, etc.)
2000 word pdf submitted via moodle

Issue Date March 19th
Submission Date Wednesday May 26th
Submission Mechanism Via Moodle
Late Policy
(University of Nottingham
default will apply, if blank)
Students are responsible for ensuring that they inform the University of any
circumstances that they consider are affecting their ability to study and/or
undertake assessments as early as possible.
Please see your Student Handbook on Moodle for further information on the
University’s extenuating circumstances procedure.

Late submissions will be subject to the University’s policy regarding late
submissions of assessed work, unless an extenuating circumstances claim
has been approved.
Feedback Date By 12th June
Feedback Mechanism Written feedback via moodle.

Instructions Instructions will be released on moodle.
Assessment Criteria • Submissions will be assessed numerically, from 0 to 100%
• The main assessment criteria for the report are:
- Correctness – Is what you have written technically correct?
- Analysis – Have you justified your decisions with background
knowledge?
- Completeness – Have you explored as many aspects of the subject
as possible?
- Presentation – Is the report well written?


G53SEC COURSEWORK 2019/2020 DEADLINE: 26TH MAY
INTRODUCTION
This coursework requires you to write a detailed report, of up to 2000 words, that covers aspects of
computer security you will have encountered in the labs and lectures. Marks will be awarded for
the correctness and completeness of your answers, have you explored each topic in enough depth,
and is what you have written about technically correct. For top marks, any additional knowledge or
insight beyond what I have told you would demonstrate that you really understand the concepts.
QUESTION 1: PASSWORDS
For this question you are expected to write up to 500 words. A system administrator has asked you
to design a new password and authentication policy for their network, and justify your choices.
Given your experiences in the password labs and lectures, what password policy would you advise?
In other words, what rules would you enforce on users for their passwords? These rules could
involve constraints on the passwords, password use, expiration etc. Would you recommend any
additional authentication measures, and in which cases? How would you suggest storing the
passwords? Bear in mind that this policy would be rolled out to many users, so must be realistic as
well as robust. Be sure to explain the reasoning behind each suggestion.
QUESTION 2: FIREWALLS
In this question you are expected to write up to 500 words. It has become commonplace to use
permitted services such as SSH to “tunnel” traffic that would otherwise be blocked by a network
firewall. Give some examples of reasons an administrator might choose to block ports from normal
traffic. Describe in detail how a protocol such as SSH can be used to circumvent firewall restrictions.
Give an example of a time when someone might use SSH tunneling for a perfectly legitimate reason,
and one where someone might use it for more disreputable purposes.
QUESTION 3: SERVER SECURITY
This question requires you to write up to 1000 words. During lab 7 you scanned and accessed a
vulnerable server, and then worked to improve its security. Describe in detail what actions you
performed, and why, and what actions you would perform if you had more time. Which services did
you install or remove? What configurations did you change? And so on. As you can imagine, there
are countless things you could do to this machine to improve security, try to perform or describe as
many as you feel is reasonable to secure it. Many marks are available here for detail and
justifications of your actions, but given you have 1000 words, try to priorities the critical
vulnerabilities first. In some cases (e.g. distribution upgrades) it is acceptable to say what you would
have done given more time, but feel free to perform these actions if you wish.