CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:


Overview
Learning Objectives
– Understand the OS security functions
– Learn about the different levels of privilege
– Learn about Vista and Linux protection

OS Design Decisions
– Design decisions affect the ultimate security of the OS and the user experience of using it
– One of the most important decisions is whether the OS is designed as a monolithic program or with a highly modular design

OS Design Decisions
Monolithic Design
– Integrate a great deal of functionality into the OS core
– Services are interdependent
– Core system is larger
– Every flaw in a piece of that system is exposed through all the services that depend on that system

Example
Windows design - Monolithic
– Decided to integrate IE into the OS
– Did this in an attempt to put Netscape out of business; wanted to take over the browser market
– Every flaw in IE then exposes the desktop to risks that go beyond the browser
– Different if the browser were separate

OS Design Decisions
In contrast, what are the benefits of modular design?
– Restricted damage if a module has a defect
– Smaller kernel
– Easier to upgrade or repair if there is a flaw
  Does not affect so much code

Example
Linux - All flavors
– Modular design from the beginning
– Much smaller kernel than Windows
– Device drivers and other applications are not part of the kernel
– More restricted as to what needs administrative privileges

OS Security Overview
Security within OS's
– What services should an OS offer for security?

OS Security Overview
Security within OS's
– What services should an OS offer for security?
Secure logon facility
– Authenticate users
Discretionary Access Control
– Allows owner of resource to determine who can access the resource
Security Auditing
– Record security related events
– Keep logs of events
Object reuse protection
– Deleted items or reused memory should be protected between users

OS Security Overview
Security within OS's
– What services should an OS offer for security?
Facility Management
– Support for separate account roles for administrative functions
– Users, administrators have different accounts

OS Security functions
Discuss two of previous functions
1. User authentication
2. Access to authorized resources
User authentication
a. Positively ID the user
   Compare to stored identity
b. Authenticate the user
   User must provide additional information
   Password, biometric attribute, keycard

OS Security functions
Access to authorized resources
– Decision based on access rules
– Typically authorization is based on individual user or group membership and
– Labels attached to objects
Example: Windows users with admin privilege
– Allowed to both view and change user accounts

OS's Manage Privilege Level
Two levels of privilege in modern CPUs
This is offered by the CPU itself (Intel, AMD)
– User mode – unprivileged
– Kernel mode – privileged
The OS runs in kernel mode
User programs run in user mode
User programs make calls to the OS
– To use the hardware resources
– Use the OS API to access hardware

User Powers
Seems to be a need to have a user with greater powers
– Root, superuser or administrator
Yet, this comes with added risk
– If the user makes a mistake, they can possibly damage the system
– Or, if they get their identity stolen, the attacker has full power over the OS

User Powers
Because of this risk from elevated power, there is the concept of
– “Least Privilege”
– Only want to operate with the minimum of needed power to get a job done
– So, while I could always log in as administrator, if I get my account hijacked or I get infected by malware while I am administrator
  Attackers then have full access to the machine's resources
– Example: In Ubuntu Linux, have the sudo command

File System Access
In OS's
– Data and programs are stored as files in directories
– Concept of ownership of files, either by users or the OS itself
– Files then have permissions set for reading, writing or executing them
Windows
– Access control is done by an Access Control List (ACL)
– Each object in the system (files, network shares, directories) has an ACL

File System Access
Windows
– ACL has users or groups, operations like read or write, and a permission – allow or deny
– How it works
  When a user, Carol, tries to open a file, the kernel checks the ACL for the file to see if she is allowed or denied access
  If not, the action fails; else Carol is allowed access to the resource
Linux
– Permissions are set for each object
  Looks at group, user or everyone for read, write and execute privileges
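
Added example (not part of the original slides): a small Python model of the Linux user/group/everyone check described above, for a regular file with classic mode bits only (no POSIX ACLs, capabilities or security modules). The uids, gid and mode are constructed; the point it shows is that exactly one class is consulted, so an owner with no bits set is refused even when the group would be allowed.

```python
import stat

# Bit for each operation in the (owner, group, other) class, in that order.
BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}

def may_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Return True if a process (uid, gids) may perform every operation in
    `want` (a subset of "rwx") on a regular file with these mode bits."""
    if uid == 0:
        # root skips the read/write checks; executing still needs some x bit
        return "x" not in want or bool(mode & 0o111)
    if uid == owner_uid:
        cls = 0   # owner class is used even if group/other would grant more
    elif owner_gid in gids:
        cls = 1   # group class
    else:
        cls = 2   # everyone else
    return all(mode & BITS[op][cls] for op in want)

# Constructed sample: mode 0o064 = owner ---, group rw-, other r--
MODE, CAROL, DAVE, EVE, STAFF = 0o064, 1000, 1001, 1002, 100

def demo():
    """Carol owns the file; Dave is in its group; Eve is neither."""
    return {
        "carol_read": may_access(MODE, CAROL, STAFF, CAROL, {STAFF}, "r"),
        "dave_read_write": may_access(MODE, CAROL, STAFF, DAVE, {STAFF}, "rw"),
        "eve_read": may_access(MODE, CAROL, STAFF, EVE, set(), "r"),
        "eve_write": may_access(MODE, CAROL, STAFF, EVE, set(), "w"),
        "root_write": may_access(MODE, CAROL, STAFF, 0, set(), "w"),
        "root_execute": may_access(MODE, CAROL, STAFF, 0, set(), "x"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```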

Kernel Level Privilege for Outside Code
Kernel mode programs
– Usually come with OS and are developed by company creating the OS
– Need to support other people's programs – third party programs
– Most typical is allowing third party developers to write programs that support a wide range of peripherals
  Printers, video cards, network cards
– Programs, Device Drivers

Windows Privilege Levels
In XP and other pre-Vista versions
– Had 2 choices of privilege
  1. Administrator or 2. Normal user
  Administrator – access to everything
  Normal user – many system level tasks you needed to do, you couldn't do
– Consequently, most people ran as Administrator most of the time
– Most users not even aware of the need NOT to run as admin

Windows Privilege Levels
Vista
– Have more choices
– Can operate as a restricted normal user and still be able to do almost everything in the OS
– And when necessary, you can be elevated to an administrator for a short time to accomplish some task
– Known as User Account Control (UAC)
– Basically, copied sudo in Linux
  Except it seemed to ask far more often!

Security Identifiers (SIDs)
– Each user account has a SID that uniquely identifies it

Tokens
– When you log on, you get a security access token
  Includes your User Name, SID, and groups you belong to
– Each program you launch gets a copy of your security access token

Tokens
Windows Vista splits the access tokens for users with administrative privileges
– Vista included only two types of users
  Administrators
    Tokens provided are a “filtered” standard user token and a “full administrator access” token
  Standard Users
    Only provided a “standard user” token
– Benefits of User Account Control (UAC)
  Installation of software now requires conscious action on the part of the user
  Malicious code cannot be installed without the knowledge of the user
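
Added example (not part of the original slides): a simplified Python model of how the token and ACL slides fit together, covering both the Carol ACL check and the split token. It is not the Windows API; the token fields, ACL entries and group names are constructed, and the filtered token is modelled by keeping the Administrators group for deny entries only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    user: str                            # stands in for the user's SID
    groups: frozenset                    # groups that match allow and deny entries
    deny_only: frozenset = frozenset()   # groups that match deny entries only

def filtered(token, admin_group="Administrators"):
    """Model the filtered standard-user token: the admin group is kept,
    but only so that deny entries naming it still apply."""
    if admin_group not in token.groups:
        return token
    return Token(token.user, token.groups - {admin_group},
                 token.deny_only | {admin_group})

def access_check(token, acl, wanted):
    """Walk the ACL in order. A matching deny for a right not yet granted
    fails at once; allows accumulate; unlisted rights are denied."""
    allow_ids = {token.user} | token.groups
    deny_ids = allow_ids | token.deny_only
    remaining = set(wanted)
    for kind, trustee, rights in acl:
        if kind == "deny" and trustee in deny_ids and remaining & rights:
            return False
        if kind == "allow" and trustee in allow_ids:
            remaining -= rights
    return not remaining

# Constructed sample data: Carol is an administrator, as on the slides.
CAROL_FULL = Token("carol", frozenset({"Users", "Administrators"}))
CAROL_FILTERED = filtered(CAROL_FULL)
SYSTEM_FILE_ACL = [
    ("deny", "Guests", {"read", "write"}),
    ("allow", "Users", {"read"}),
    ("allow", "Administrators", {"read", "write"}),
]
LOCKED_ACL = [
    ("deny", "Administrators", {"write"}),
    ("allow", "Users", {"read", "write"}),
]

if __name__ == "__main__":
    for name, tok in (("full", CAROL_FULL), ("filtered", CAROL_FILTERED)):
        print(name, "system write:", access_check(tok, SYSTEM_FILE_ACL, {"write"}),
              "| locked write:", access_check(tok, LOCKED_ACL, {"write"}))
```

A program started with the filtered token can read the system file but not write it, which is why an install has to go through an elevation prompt; the deny entry in LOCKED_ACL still applies to both tokens.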

Account Types
– Account Types are a convenience to describe memberships in the most frequently used groups
– Administrator accounts are in the Administrators group
– Standard accounts are in the Users group
– Guest accounts are in the Guests group

Tasks Only Administrators Can Perform
– Create, change, and delete user accounts and groups
– Install and uninstall programs
– Configure automatic updating or install Windows updates manually
– Install an ActiveX control
– Install or remove hardware device drivers
– Share folders
– Set permissions
– Access all files, including those in another user’s folder
– Take ownership of files
– Copy or move files into the %ProgramFiles% or %SystemRoot% folders
– Restore backed-up system files
– Grant rights to other user accounts and to themselves
– Configure Parental Controls
– Configure Windows Firewall

Tasks Available to Standard Users
– Change the password and picture for their own user account
– Use programs that have been installed on the computer
– Install approved ActiveX controls
– Configure a secure Wi-Fi connection
– View permissions
– Create, change, and delete files in their document folders and in shared document folders
– Restore their own backed-up files
– View the system clock and calendar, and change the time zone
– Configure power options
– Log on in Safe Mode

Guests
– Guests have privileges similar to Standard accounts
– Guests cannot create a password

OS Services
Services are
– Processes that run when the OS starts
– Not necessarily started by you, but run by the OS to perform tasks

Windows Vista Services
– Prior to Vista, many Services received LocalSystem privileges
– Problem was that the LocalSystem account had virtually unlimited access to local machine and network resources
– In Vista, one big security measure was to protect running Services by providing them with a security token of either LocalService or NetworkService
  These are severely limited compared with LocalSystem
– Vista also included tighter security restrictions to ensure that none of the three system accounts has access to sensitive files, folders or processes

The End
Next Time: See miniAssignment 3
Next: Lab today, meet in CEB 342