1 Secure Information Sharing Manager (SIS-M) Thesis 2007 Stephen D. Wise

Presentation transcript:

1 Secure Information Sharing Manager (SIS-M) Thesis 2007 Stephen D. Wise

2 Agenda
- Background
- Enterprise Management Problem
- Project Motivation
- SIS-M Objectives
- CIM/WBEM Standards
- RBAC Standards
- Architecture Observations
  – WBEM Implementations
  – Authorization Manager
- SIS-M Architecture
- InformationAccess
  – Monitor Systems
  – Manage Users
  – Manage RBAC
  – RBAC Violations
- InformationSharing
- Performance Observations
- Lessons Learned
- Future Research
- Conclusions

3 Background
- NISSC Grant For Secure Information Sharing (SIS)
  – Purpose: Utilize Role Based Access Control (RBAC), Implemented With An LDAP And Web Server Application And RBAC Policies, To Share Information Securely
  – Project Objectives:
    - Create Web-based Proof Of Concept To Share Information Securely Using Public Key Certificates (PKC) And Attribute Certificates (AC)
    - Develop Easy-to-Use Installer
    - Develop Web-based Management Interface
- The SIS-M Prototype Is A Web-based Management Capability

4 The Enterprise Management Problem
- The Expansion And Maturation Of Corporate Enterprises Is Increasing The Corporate Overhead Costs Required To Manage Multiple Unique Systems And Applications
- System Administrators Are Responsible For…
  – User Administration, Security Policy, Performance Monitoring, Problem Detection & Resolution, etc.
- These Tasks Are Typically Accomplished With Vendor Or Organically Built Proprietary Tools

5 Project Motivation
- The System I Work On Contains Dozens Of Servers And Hundreds Of Clients
  – Servers: Solaris & Windows Based
  – Clients: Solaris & Windows Based
- Multiple Vendor Products Are Required For
  – Security Policy Enforcement
  – Monitoring & Managing The Assets
  – Managing Users

6 SIS-M Objectives
- The Research And Associated Prototype Are To Demonstrate A Web-based Management Capability For A Windows 2003 Server Enterprise, To Include…
  – System Health And Status Monitoring
  – User Account Management
  – Role Based Access Control
  – Automated Client-side Certificate Distribution

7 CIM/WBEM Standards Distributed Management Task Force (DMTF) Is An Industry Organization Responsible For The Development Of Enterprise Management Standards

8 RBAC Standards
- The Organization For The Advancement Of Structured Information Standards (OASIS)
  – Extensible Access Control Markup Language (XACML)
  – CORE RBAC Elements
    - Users Implemented As XACML Subjects
    - Roles Expressed Using XACML Subject Attributes
    - Objects Expressed Using XACML Resources
    - Operations Expressed Using XACML Actions
    - Permissions Expressed Using XACML Role Policy Sets And Permission Policy Sets

9 Architecture Observations (WBEM)
- The CIM Client Is Used To Obtain Management Information By Querying CIM/WBEM Servers
- The CIM/WBEM Server Provides CIM Data, Upon Request, To CIM Clients
- The CIMOM Maintains A Repository Of CIM Data On The CIM/WBEM Servers
- The Providers Implement Aspects Of The CIM Schema, Abstracting The Hardware And Software Implementation Away From The CIM Clients
- The WMI Implementation Includes More Provider Fidelity For Windows 2003 Server

10 Architecture Observations (RBAC)
- Authorization Manager Components
  – Operation: A low-level permission that a resource manager uses to identify security procedures
  – Task: A collection of low-level operations
  – Role Definition: A collection of permissions that are needed for a particular role, where permissions can be tasks or operations
  – Role: The set of permissions that users must have to be able to do their job
  – BizRules: The set of rules / scripts attached to a task object that are run at the time of the access request
  – Scope: A collection of objects or resources with a distinct authorization policy

11 SIS-M Architecture

12 Web-based Application: InformationAccess
- System Health And Status Monitoring
  – Uses WMI And CIM Query Language (CQL) To Obtain Management Information From Each Server
  – Evaluates The WMI Information To Determine The Status Of Each Monitored Element
  – Provides The Capability, Through CQL, To Retrieve Details About Elements That Fall Out Of Limits
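The monitoring described on this slide, written out as an added example in C# with System.Management (this is not the SIS-M prototype's code): connect to a server's WMI namespace under a dedicated monitoring account, query the operating system, processor and logical disk classes, and flag each element that falls outside a limit. The server name, the `wmi-monitor` account and the limit values passed to `Check()` are assumptions; the query text is WQL, the dialect System.Management accepts.

```csharp
// Added example, not code from the SIS-M prototype: query one server's WMI
// namespace for OS, CPU and disk facts and evaluate them against limits.
// The server name, the monitoring account and the limit values passed to
// Check() are placeholders.
using System;
using System.Collections.Generic;
using System.Management;

public class HealthStatus
{
    public string Server;
    public string Element;
    public string Value;
    public bool OutOfLimits;

    public HealthStatus(string server, string element, string value, bool outOfLimits)
    {
        Server = server; Element = element; Value = value; OutOfLimits = outOfLimits;
    }
}

public static class HealthMonitor
{
    // Connect to root\cimv2 on the target server under a dedicated monitoring
    // account, so the web application's own identity needs no WMI rights.
    // PacketPrivacy encrypts the DCOM traffic; EnablePrivileges stays off
    // because every query below is read-only.
    static ManagementScope Connect(string server, string user, string password)
    {
        ConnectionOptions options = new ConnectionOptions();
        options.Username = user;          // e.g. "SISMTHESIS\\wmi-monitor" (placeholder)
        options.Password = password;
        options.Authentication = AuthenticationLevel.PacketPrivacy;
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.EnablePrivileges = false;
        ManagementScope scope = new ManagementScope(@"\\" + server + @"\root\cimv2", options);
        scope.Connect();
        return scope;
    }

    // Run one WQL query and yield the instances it returns.
    static IEnumerable<ManagementObject> Query(ManagementScope scope, string wql)
    {
        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, new ObjectQuery(wql)))
        {
            foreach (ManagementObject instance in searcher.Get())
                yield return instance;
        }
    }

    public static List<HealthStatus> Check(string server, string user, string password,
                                           int cpuLimitPercent, int minFreeDiskPercent)
    {
        List<HealthStatus> results = new List<HealthStatus>();
        ManagementScope scope = Connect(server, user, password);

        // Operating system status: caption and last boot time.
        foreach (ManagementObject os in Query(scope, "SELECT Caption, LastBootUpTime FROM Win32_OperatingSystem"))
        {
            DateTime boot = ManagementDateTimeConverter.ToDateTime(os["LastBootUpTime"].ToString());
            results.Add(new HealthStatus(server, "OS", os["Caption"] + " up since " + boot, false));
        }

        // CPU status: load percentage of each processor against the limit.
        foreach (ManagementObject cpu in Query(scope, "SELECT DeviceID, LoadPercentage FROM Win32_Processor"))
        {
            int load = cpu["LoadPercentage"] == null ? 0 : Convert.ToInt32(cpu["LoadPercentage"]);
            results.Add(new HealthStatus(server, "CPU " + cpu["DeviceID"], load + "%", load > cpuLimitPercent));
        }

        // Disk status: free space on local fixed disks (DriveType 3) against the minimum.
        foreach (ManagementObject disk in Query(scope, "SELECT DeviceID, Size, FreeSpace FROM Win32_LogicalDisk WHERE DriveType = 3"))
        {
            ulong size = Convert.ToUInt64(disk["Size"]);
            ulong free = Convert.ToUInt64(disk["FreeSpace"]);
            int freePercent = size == 0 ? 0 : (int)(free * 100 / size);
            results.Add(new HealthStatus(server, "Disk " + disk["DeviceID"], freePercent + "% free", freePercent < minFreeDiskPercent));
        }
        return results;
    }
}
```

A status page would call `Check()` once per monitored server (the topology slide names SISDC, Secure and Manager) and render the rows whose `OutOfLimits` flag is set, each linking to a follow-up query for that element's details. Keeping the monitoring account separate from the application pool identity is the point of the explicit `ConnectionOptions`: the namespace rights it needs can be granted and audited on their own.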

13 Web-based Application: InformationAccess
- User Account Management
  – Uses An ASP.Net CreateUserWizard Server Control To Create Accounts Within The SISMTHESIS Domain
  – Uses The Active Directory Membership Provider And The Membership Class In The System.Web.Security Namespace To Delete Accounts And Retrieve Account Details
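The Membership calls this slide refers to, as an added example in C# (not the SIS-M code): create, describe and delete a domain account through the `Membership` class with `ActiveDirectoryMembershipProvider` configured as the default provider. The web.config fragment in the comment, the LDAP path, the provider name and the `svc-sism` connection account are assumptions.

```csharp
// Added example, not the SIS-M code: account management through the
// Membership class backed by ActiveDirectoryMembershipProvider.
// Assumes a web.config along these lines (names and paths are placeholders):
//   <connectionStrings>
//     <add name="AdConnection"
//          connectionString="LDAP://sisdc.sismthesis.local/DC=sismthesis,DC=local" />
//   </connectionStrings>
//   <system.web>
//     <membership defaultProvider="AdMembership">
//       <providers>
//         <add name="AdMembership"
//              type="System.Web.Security.ActiveDirectoryMembershipProvider"
//              connectionStringName="AdConnection"
//              connectionUsername="SISMTHESIS\svc-sism" connectionPassword="..." />
//       </providers>
//     </membership>
//   </system.web>
using System;
using System.Web.Security;

public static class AccountAdmin
{
    // Create an account in the directory. The password goes straight to the
    // provider; the web application never stores it.
    public static MembershipCreateStatus Create(string userName, string password, string email)
    {
        MembershipCreateStatus status;
        // No password question/answer: the AD provider does not need them
        // unless question-and-answer reset is enabled in its configuration.
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        // Failures (DuplicateUserName, InvalidPassword, ...) come back in
        // status rather than as exceptions, so the page can show the reason.
        return status;
    }

    // Retrieve account details for the management page.
    public static string Describe(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null)
            return "no such account";
        return string.Format("{0}: email={1}, created {2:u}, locked out={3}",
            user.UserName, user.Email, user.CreationDate, user.IsLockedOut);
    }

    // Delete the account; the second argument also removes related data
    // such as role memberships held by the configured role provider.
    public static bool Delete(string userName)
    {
        return Membership.DeleteUser(userName, true);
    }
}
```

The `CreateUserWizard` control on the slide drives the same `Membership.CreateUser` path internally; the explicit call above is what a non-wizard page or a test harness would use. The page that exposes these operations should itself be restricted to the administrative role, since the provider runs every call under the `connectionUsername` service account rather than the logged-in user.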

14 Web-based Application: Certificate Services
- Automated Client-side Certificate Distribution
  – Uses Windows Server 2003 Server Components And Certificate Services To Distribute And Remotely Install Client-side Certificates Issued By The Server Named Secure

15 Web-based Application: InformationAccess
- RBAC Management
  – Uses The Authorization Store Role Provider And The Roles Class Contained Within The System.Web.Security Namespace To Manage RBAC Permissions
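RBAC management through the `Roles` class with `AuthorizationStoreRoleProvider`, as an added example in C# (not the SIS-M code). It creates a role if missing, grants it to a user after normalising the name to UPN form (the Lessons Learned slide notes AzMan needs UPN-formatted users), lists members, and shows how a `Roles` method the AzMan-backed provider does not implement is contained. The web.config fragment, the AzMan XML store path, the application name and the `sismthesis.local` UPN suffix are assumptions.

```csharp
// Added example, not the SIS-M code: RBAC management through the Roles class
// backed by AuthorizationStoreRoleProvider. Assumes a web.config along these
// lines (store path, application name and names are placeholders):
//   <connectionStrings>
//     <add name="AzManStore" connectionString="msxml://C:\inetpub\sism\AzStore.xml" />
//   </connectionStrings>
//   <system.web>
//     <roleManager enabled="true" defaultProvider="AzMan">
//       <providers>
//         <add name="AzMan" type="System.Web.Security.AuthorizationStoreRoleProvider"
//              connectionStringName="AzManStore" applicationName="SIS-M" />
//       </providers>
//     </roleManager>
//   </system.web>
using System;
using System.Web.Security;

public static class RbacAdmin
{
    const string UpnSuffix = "sismthesis.local"; // placeholder domain suffix

    // AzMan resolves principals by User Principal Name, so a bare account name
    // such as "jdoe" is normalised to "jdoe@sismthesis.local" before any call.
    public static string ToUpn(string user)
    {
        return user.Contains("@") ? user : user + "@" + UpnSuffix;
    }

    public static void EnsureRole(string role)
    {
        if (!Roles.RoleExists(role))
            Roles.CreateRole(role);
    }

    // Grant a role to a user; idempotent so the management page can be re-run.
    public static void Grant(string user, string role)
    {
        EnsureRole(role);
        string upn = ToUpn(user);
        if (!Roles.IsUserInRole(upn, role))
            Roles.AddUserToRole(upn, role);
    }

    public static void Revoke(string user, string role)
    {
        string upn = ToUpn(user);
        if (Roles.IsUserInRole(upn, role))
            Roles.RemoveUserFromRole(upn, role);
    }

    public static string[] Members(string role)
    {
        return Roles.GetUsersInRole(role);
    }

    // Not every Roles method is implemented by the AzMan-backed provider; the
    // slide deck reports Not Supported exceptions from some of them. Contain
    // that here so the management page degrades to a message, not an error page.
    public static string TrySearch(string role, string usernamePattern)
    {
        try
        {
            return string.Join(", ", Roles.FindUsersInRole(role, usernamePattern));
        }
        catch (NotSupportedException e)
        {
            return "not supported by this provider: " + e.Message;
        }
        catch (NotImplementedException e)
        {
            return "not implemented by this provider: " + e.Message;
        }
    }
}
```

Enforcement in the application pages is then a `Roles.IsUserInRole(User.Identity.Name, "...")` check, or `<authorization>` rules in web.config, against the same store; the denial branch is where the RBAC violation event of the next slide is written.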

16 Web-based Application: InformationAccess
- RBAC Violations
  – Uses The EventLog Classes In The System.Diagnostics Namespace
  – RBAC Policy Access Violations From InformationAccess And InformationSharing Are Written To The Custom Event Log On The Server SISDC
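The violation logging on this slide, as an added example in C# with `System.Diagnostics.EventLog` (not the SIS-M code): register an event source against a custom log on the SISDC server at install time, write a failure-audit entry whenever an access check denies an operation, and read the most recent entries back for an archive page. The log name `SIS-M RBAC`, the source names and the event id are assumptions; SISDC is the server the slide names.

```csharp
// Added example, not the SIS-M code: record RBAC policy violations in a
// custom event log on the domain controller and read them back.
// Log name, source names and event id are placeholders.
using System;
using System.Collections.Generic;
using System.Diagnostics;

public static class RbacViolationLog
{
    const string LogName = "SIS-M RBAC";   // custom log, separate from Application
    const string Server = "SISDC";         // server holding the log (from the deck)
    const int ViolationEventId = 4001;     // placeholder event id

    // Registering a source writes to the registry and needs administrative
    // rights, so do it once at install time, never inside a web request.
    // A source already bound to another log must not be re-registered here.
    public static void RegisterSource(string source)
    {
        if (!EventLog.SourceExists(source, Server))
        {
            EventSourceCreationData data = new EventSourceCreationData(source, LogName);
            data.MachineName = Server;
            EventLog.CreateEventSource(data);
        }
    }

    // Called from InformationAccess or InformationSharing when the role check
    // for an operation fails. Source identifies which application wrote it.
    public static void WriteViolation(string source, string user, string operation, string resource)
    {
        string message = string.Format(
            "RBAC violation: user={0} operation={1} resource={2}", user, operation, resource);
        using (EventLog log = new EventLog(LogName, Server, source))
        {
            log.WriteEntry(message, EventLogEntryType.FailureAudit, ViolationEventId);
        }
    }

    // Archive view: newest entries first, bounded so a large log cannot stall the page.
    public static List<string> ReadArchive(int maxEntries)
    {
        List<string> lines = new List<string>();
        using (EventLog log = new EventLog(LogName, Server))
        {
            // Entries is ordered oldest-first; walk backwards for the latest ones.
            for (int i = log.Entries.Count - 1; i >= 0 && lines.Count < maxEntries; i--)
            {
                EventLogEntry entry = log.Entries[i];
                lines.Add(string.Format("{0:u} [{1}] {2}", entry.TimeGenerated, entry.Source, entry.Message));
            }
        }
        return lines;
    }
}
```

Writing the denial from the application, in addition to whatever the server logs, gives the administrator the subject, operation and resource in one record; reading a bounded number of entries matters because the performance slides measure exactly this archive retrieval path.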

17 Web-based Application InformationSharing

18 Web-based Application InformationSharing RBAC Violation

19 Performance Observations
- The Server Trend For Retrieving One WMI Object observation shows the increase in response time for querying one WMI object relative to the number of WMI namespaces queried
- (Chart: Server Trend For Retrieving One WMI Object)
- Overall 7.9% Delay In HTTPS Response Time

20 Performance Observations
- The Server Trend For Retrieving Five WMI Objects observation shows the increase in response time for querying five WMI objects relative to the number of WMI namespaces queried
- (Chart: Server Trend For Retrieving Five WMI Objects)
- Overall 8.1% Delay In HTTPS Response Time

21 Lessons Learned
- System Health & Status
  – Defining Appropriate User Credentials For WMI Namespace Access Is Critical
  – The Information Value Contained Within The CIMOM Is Directly Related To The Maturity Of The Provider Implementation Within WBEM
- User Account Management
  – User Account Management Within Windows 2003 Server Is Primarily Accomplished By The Active Directory Users & Computers Management Console And ADSI
  – The Win32_UserAccount Class Does Not Inherit From The CIM_UserAccount Class Defined In The CIM Schema

22 Lessons Learned
- RBAC Management
  – The AzMan Capability Is Not Completely Supported Through The ASP.Net Services, And Some Membership Methods Throw A Not Supported Exception
  – AzMan Policy Enforcement Requires User Principal Name (UPN) Formatted User Names
- Client-side Certificate Distribution
  – PKI Best Practices State That Root CAs Should Never Be Connected To The Network, To Raise The Security Level Of The CA's Private Key
  – A PKI In Most Cases Should Be Architected With An Offline Root CA, One Or More Offline Intermediate CAs, And One Or More Networked Issuing Enterprise CAs

23 Future Research
- Update The SIS-M Architecture To Include A UNIX Server
- Update The SIS-M Prototype To The .Net 3.0 Framework
- Modify The Certificate Authority Architecture
- Implement Client-side Certificate Mapping

24 Conclusion
- The SIS-M Research And Prototype Enabled
  – System Health And Status Monitoring Using WMI
  – User Account Management Using The Active Directory Membership Provider
  – RBAC Management Using AzMan
  – Client-side Certificate Distribution Using Certificate Services
- The CIM / WBEM Standards Appear To Be More Mature Than The Vendor Products Attempting To Comply With The DMTF Standards
  – May Be Due To The Cost Of Integrating A New Standard Into An Existing Vendor Product Line

25 Backup

26 DMTF: Distributed Management Task Force
- Common Information Model (CIM)
- Web Based Enterprise Management (WBEM)

27 CIM (figure)

28 CIM Schema Example

29 WBEM (figure: URI, XML, CIM-XML, CLP, Discovery, CQL)
- CLP – Command Line Protocol
- CQL – CIM Query Language

30 WBEM Architecture (figure: Proprietary Layer, CIM Repository, WBEM Server, Provider Abstraction, CIMOM, WBEM Client, CIM Client Application; CIM Query Language, CIM-XML)

31 SIS-M Network Topology (figure: SIS-M Client, SIS Client, Secure, SISDC, Manager; Virtual Network; SISMThesis Domain)

32 System Health & Status (figure: Operating System Status, CPU Status, Disk Status; Windows 2003 Server)

33 SIS-M Health & Status Rules

34 Login Pages

35 Backup Code Backup

36 System Health & Status Monitoring (code: WMI Namespace Connection; WMI Queries)

37 User Account Management (code: Active Directory Connection; Membership Class)

38 RBAC Management (code: Authorization Manager Policy Store Connection)

39 RBAC Management (Cont.) (code: Get Users In Role; Create Role)

40 RBAC Violation Archive (code: Write Violation; Create Archive)

41 Backup Performance Backup

42 RBAC Violation Log Access The objective of this measurement is to observe the performance of the Windows Event Log during a custom archive data retrieval request

43 RBAC Mgt Access (Authorization Manager) The objective of this measurement is to observe the performance of Authorization Manager Accesses

44 WMI 1X1 Response Time The One Server Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespace on SISDC

45 WMI 2X1 Response Time The Two Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on SISDC and Secure servers

46 WMI 3X1 Response Time The Three Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC, Secure, and Manager servers

47 WMI 1X5 Response Time The One Server Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespace on SISDC

48 WMI 2X5 Response Time The Two Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespaces on SISDC and Secure servers

49 WMI 3X5 Response Time The Three Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespaces on SISDC, Secure, and Manager servers