Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 9 Access Control Fundamentals

Published byChristopher Webb Modified over 6 years ago

Similar presentations

Presentation on theme: "Chapter 9 Access Control Fundamentals"— Presentation transcript:

1 Chapter 9 Access Control Fundamentals
Security+ Chapter 9 Access Control Fundamentals Modified 2/16/ jw

2 Jérôme Kerviel Rogue trader, lost €4.9 billion
Largest fraud in banking history at that time Worked in the compliance department of a French bank Defeated security at his bank by concealing transactions with other transactions Arrested in Jan 2008, out and working at a computer consulting firm in April 2008 October 2010 sentenced to 5 years in prison and repay €4.9 billion Links Ch7a, 7b

3 Objectives Define access control and list the four access control models Describe logical access control methods Explain the different types of physical access control Define authentication services

4 Introduction Important foundations in information security
Verifying approved users Controlling their access This chapter introduces principles and practices of controlling access Terminology Four standard control models Best practices Authentication services is also covered in this chapter

5 What Is Access Control? The process by which resources or services are granted or denied access Physical Access Control Fencing, hardware door locks, and mantraps that limit contact with devices Technical Access Control Information system’s mechanism to allow or restrict access to data or devices There are four standard access control models as well as specific practices used to enforce access control

6 Access Control Terminology
Identification A user accessing a computer system would present credentials or identification, such as a username Example: delivery driver presenting employee badge Authentication Checking the user’s credentials to be sure that they are authentic and not fabricated, usually using a password Example: examining the delivery driver’s badge

7 Access Control Terminology
Authorization Granting permission to take action Example: allowing delivery driver to pick up package Example: A computer user is granted access to only certain services or applications in order to perform their duties Access Right given to access specific resources Example: Delivery person can only retrieve box by door Example: User allowed to access only specific data

8 Table 9-1 Basic steps in access control

9 Access Control Terminology (cont’d.)
Computer access control can be accomplished by one of three entities: hardware, software, or a policy Access control can take different forms depending on the resources that are being protected

10 Access Control Terminology (cont’d.)
Other terminology is used to describe how computer systems impose access control: Object Specific resource Example: file or hardware device Subject User or process functioning on behalf of a user Example: computer user Operation Action taken by the subject over an object Example: deleting a file

11 Roles in Access Control
Owner Person responsible for the information Duties: Determines the level of security needed for the data and delegates security duties as required Example: Determines that the file SALARY.XLSX can be read only by department managers Custodian Individual to whom day-to-day actions have been assigned by the owner Duties: Periodically reviews security settings and maintains records of access by end-users Example: Sets and reviews security settings on SALARY.XLSX End-user Description: User who accesses information in the course of routine job responsibilities Duties: Follows organization’s security guidelines and does not attempt to circumvent security Example: Opens SALARY.XLSX

12 Roles in access control

13 Figure 9-1 Access control process and terminology
© Cengage Learning 2012

14 Access Control Models Access control model - Hardware and software predefined framework that custodian can use for controlling access Access control models used by custodians for access control are neither created nor installed by custodians or users; instead, these models are already part of software and hardware. Four major access control models

15

16 Four Major Access Control Models
Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role Based Access Control (RBAC) Rule Based Access Control (RBAC)

17 Mandatory Access Control (MAC) model
Most restrictive model—used by the military Objects and subjects are assigned access levels by the custodians Unclassified, Classified, Secret, Top Secret The end user cannot implement, modify, or transfer any controls Two elements Labels Levels

18 Mandatory Access Control (MAC): Elements
Two key elements to MAC: Labels - Every entity is an object (laptops, files, projects, and so on) and assigned classification label (confidential, secret, and top secret) while subjects assigned privilege label (a clearance) Levels - Hierarchy based on labels is also used, both for objects and subjects (Top secret higher level than secret) Mandatory Access Control (MAC): Elements Two key elements to MAC: Labels - Every entity is an object (laptops, files, projects, and so on) and assigned classification label (confidential, secret, and top secret) while subjects assigned privilege label (a clearance) Levels - Hierarchy based on labels is also used, both for objects and subjects (Top secret higher level than secret) MAC grants permissions by matching object labels with subject labels based on their respective levels

19 Mandatory Access Control (MAC) model
MAC grants permissions by matching object labels with subject labels based on their respective levels Labels indicate level of privilege To determine if file may be opened: Compare object and subject labels Subject must have equal or greater level than object to be granted access

20 Mandatory Access Control (MAC): Major Implementations
Lattice model Subjects and objects are assigned “rung” on lattice and multiple lattices can be placed beside each other Bell-LaPadula Similar to lattice model but subjects may not create new object or perform specific functions on lower level objects Biba Integrity model Goes beyond BLP model and adds protecting data integrity and confidentiality Mandatory Integrity Control (MIC) Based on Biba model, MIC ensures data integrity by controlling access to securable objects Mandatory Access Control (MAC): Major Implementations Lattice model - Subjects and objects are assigned “rung” on lattice and multiple lattices can be placed beside each other Bell-LaPadula - Similar to lattice model but subjects may not create new object or perform specific functions on lower level objects Biba Integrity model - Goes beyond BLP model and adds protecting data integrity and confidentiality Mandatory Integrity Control (MIC) - Based on Biba model, MIC ensures data integrity by controlling access to securable objects

21 Mandatory Access Control (MAC) model
Example of MAC implementation Windows 7 / Vista has four security levels Low Mandatory Level Medium Mandatory Level High Mandatory Level System Mandatory Level Specific actions by a subject with lower classification require administrator approval

22 Discretionary Access Control (DAC) model
The least restrictive--used by operating systems such as UNIX and Windows computers in small networks The owner has total control over any objects that he or she owns along with the programs that are associated with those objects In the DAC model, the owner can also change the permissions for other subjects over their objects

23 Access Control Models (cont’d.)
DAC weaknesses Relies on decisions by end users to set proper security level Incorrect permissions may be granted Subject’s permissions will be “inherited” by any programs the subject executes Trojans are a particular problem with DAC

24 Role Based Access Control (RBAC) model
Sometimes called Non-Discretionary Access Control Used in Windows corporate domains Considered a more “real world” approach than the other models Assigns permissions to particular roles in the organization, such as “Manager, Technician, Sales, Financial” and then assigns users to that role Objects are set to be a certain type, to which subjects with that particular role have access

25 Role Based Access Control (RBAC) model Example

26 Rule Based Access Control (RBAC) model
Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning Controls access with rules defined by a custodian Example: Windows Live Family Safety

27 Rule Based Access Control (RBAC) model (cont’d)
Each resource object contains access properties based on the rules When user attempts access, system checks object’s rules to determine access permission Often used for managing user access to one or more systems Business changes may trigger application of the rules specifying access changes

28 Access control models

29 Best Practices for Access Control
Establishing best practices for limiting access to help secure systems and data Examples of best practices Separation of duties Job rotation Least privilege Implicit deny Mandatory vacations

30 Best Practices for Access Control (cont’d.)
Separation of duties Not giving a single user total control System is not vulnerable to actions of a single person Fraud can result from single user being trusted with complete control of a process Requiring two or more people responsible for functions related to handling money. Network administrators often have too much power and responsibility

31 Best Practices for Access Control (cont’d.)
Separation of duties

32 Best Practices for Access Control (cont’d.)
Job rotation Individuals are periodically moved between job responsibilities Employees can rotate within their department or across departments Advantages of job rotation Limits amount of time individuals are in a position to manipulate security configurations Helps expose Individuals have different perspectives and may uncover vulnerabilities such as the potential for fraud Reduces employee burnout

33 Best Practices for Access Control (cont’d.)
Job rotation Employees can rotate within their department or across departments

34 Best Practices for Access Control (cont’d.)
Least privilege Limiting access to information based on what is needed to perform a job function Helps reduce attack surface by eliminating unnecessary privileges Should apply to users and processes on the system Processes should run at minimum security level needed to correctly function Temptation to assign higher levels of privilege is great

35 Challenges of Least Privilege
Legacy applications Many older software applications were designed to run only with a high level of privilege. Common administrative tasks Printer configuration Disk Defragmentation Software installation/upgrade A software update that is not centrally deployed can require a higher privilege

36 User Account Control (UAC)
Asks the user for permission when installing software Principle of least privilege Users run with limited privileges by default Applications run in standard user accounts Standard users can perform common tasks

37 User Account Control Mac Video

38 Best Practices for Access Control (cont’d.)
Implicit deny If a condition is not explicitly met, access request is rejected Example: network router rejects access to all except conditions matching the rule restrictions Mandatory vacations Limits fraud, because perpetrator must be present daily to hide fraudulent actions Audit of employee’s activities usually scheduled during vacation for sensitive positions Any Complaints?

39 Access Control Methods
The methods to implement access control are divided into two broad categories Physical access control Logical access control Logical access control includes Access control lists (ACLs) Group policies Account restrictions Passwords

40 Access Control Lists Set of permissions attached to an object
Specifies which subjects may access the object and what operations they can perform When subject requests to perform an operation: System checks ACL for an approved entry ACLs usually viewed in relation to operating system files

41 Access Control Lists (cont’d)
The structure behind ACL tables can be complex Each Operating Systems have their own unique structure and rules.

42 access-list DMZ extended permit tcp host 172.16.1.101 any eq ssh
access-list DMZ extended permit tcp host host Mail eq smtp access-list DMZ extended permit tcp host any eq https access-list DMZ extended permit tcp host any eq www access-list DMZ extended deny tcp host eq smtp access-list DMZ extended permit tcp host any eq smtp access-list DMZ extended permit tcp host any eq 8000 access-list DMZ extended permit tcp host DNS1 eq domain access-list DMZ extended permit udp host DNS1 eq domain access-list DMZ extended permit icmp any echo-reply access-list DMZ extended permit udp host any eq ntp access-list DMZ extended permit udp host any eq ntp access-list DMZ extended permit tcp host any eq https access-list DMZ extended permit tcp host any eq www access-list DMZ extended deny tcp host eq smtp access-list DMZ extended permit tcp host any eq smtp access-list DMZ extended permit tcp host any eq 8000 Cisco ASA Firewall ACLs

43 MacOSX file permissions
Figure 9-4 UNIX file permissions © Cengage Learning 2012 Windows file permissions MacOSX file permissions

44 Advanced Security Settings in Windows 7

45 Access Control Lists (cont’d.)
Each entry in the ACL table is called access control entry (ACE) ACE structure (Windows) Security identifier (SID) for the user or group account or logon session Access mask that specifies access rights controlled by ACE Flag that indicates type of ACE Set of flags that determine whether objects can inherit permissions

46 Windows ACLs Cacls Displays or modifies discretionary access control list (DACL) files. Syntax cacls FileName [/t] [/e] [/c] [/g User:permission] [/r User [...]] [/p User:permission [...]] [/d User [...]]

47 Group Policies Microsoft Windows feature that provides centralized management and configuration of computers and remote users using Active Directory (AD) Usually used in enterprise environments Settings stored in Group Policy Objects (GPOs) Local Group Policy Fewer options than a Group Policy Objects Used to configure settings for systems not part of AD

48 Account Restrictions Time of day restrictions Account expiration
Limits the time of day a user may log onto a system Time blocks for permitted access are chosen Can be set on individual systems Account expiration The process of setting a user’s account to expire Security risks Orphaned accounts: accounts that remain active after an employee has left the organization Dormant accounts: not accessed for a lengthy period of time

49 Operating System Time of Day Restrictions

50 Time-of-Day Restrictions
Logon hours in Windows 7

51 Wireless access point Time of Day restrictions

52 Account Restrictions: Account Expiration
Orphaned accounts - Accounts that remain active after employee has left organization Dormant accounts – Accounts not accessed for lengthy period of time Orphaned and Dormant accounts remain a problem in today’s organizations Account expiration - Process of setting a user’s account to expire Account expiration can be explicit (account expires on a set date) or based on specific number of days of inactivity Account Restrictions: Account Expiration Orphaned accounts - Accounts that remain active after employee has left organization Dormant accounts – Accounts not accessed for lengthy period of time Both can be security risks Account expiration - Process of setting a user’s account to expire Account expiration can be explicit (account expires on a set date) or based on specific number of days of inactivity

53 Account Restrictions (cont’d.)
Recommendations for dealing with orphaned or dormant accounts Establish a formal process Terminate access immediately Monitor logs

54 Account Restrictions (cont’d.)
Password expiration sets a time when user must create a new password Different from account expiration Account expiration can be a set date, or a number of days of inactivity

55 Authentication Services
Process of verifying credentials Authentication services provided on a network Dedicated authentication server AAA server if it also performs authorization and accounting Common types of authentication and AAA servers Kerberos, RADIUS, TACACS+, LDAP, SAML

56 RADIUS Remote Authentication Dial In User Service
Developed in 1992 and still in use today Became industry standard with widespread support Suitable for high volume service control applications With the development of IEEE 802.1x port security for both wired and wireless LANs, RADIUS has recently seen even greater usage RADIUS client is typically a device such as a dial-up server, VPN server wireless access point (AP) Responsible for sending user credentials and connection parameters to the RADIUS server

57 RADIUS: Clients RADIUS client is not device requesting authentication
RADIUS client is device like wireless AP or dial-up server responsible for sending user credentials and connection parameters in form of RADIUS message to RADIUS server RADIUS server authenticates and authorizes RADIUS client request and sends back RADIUS message response RADIUS clients also send RADIUS accounting messages to RADIUS servers RADIUS: Clients RADIUS client is not device requesting authentication RADIUS client is device like wireless AP or dial-up server responsible for sending user credentials and connection parameters in form of RADIUS message to RADIUS server RADIUS server authenticates and authorizes RADIUS client request and sends back RADIUS message response RADIUS clients also send RADIUS accounting messages to RADIUS servers

58 RADIUS (cont’d.) RADIUS user profiles stored in central database
All remote servers can share Advantages of a central service Increases security due to a single administered network point Easier to track usage for billing and keeping network statistics

59 Terminal Access Control Access Control System Plus (TACACS+)
Developed by Cisco to replace TACACS, XTACACS & RADIUS Authentication service similar to RADIUS More secure and reliable than RADIUS The centralized server can either be a TACACS+ database Or a database such as a Linux or UNIX password file with TACACS+ protocol support Communicates by forwarding user authentication information to a centralized server

60 Comparison of RADIUS and TACACS+

61 Kerberos An authentication system developed by the Massachusetts Institute of Technology (MIT) Works like using a driver’s license to cash a check Used to verify the identity of networked users Kerberos authentication server issues a ticket to the user The user presents this ticket to the network for a service The service then examines the ticket to verify the identity of the user Tickets are difficult to copy and expire after a few hours or a day

62 Kerberos Used in Windows Active Directory Domains Used in UNIX realms
Developed at MIT Prevents Man-in-the-Middle attacks and replay attacks

63 Kerberos Requirements
A method of issuing tickets used for authentication Key Distribution Center (KDC) grants ticket-granting-tickets, which are presented to request tickets used to access objects Time synchronization within five minutes A database of subjects or users Microsoft's Active Directory

64 Kerberos Details When a user logs on Kerberos uses port 88 (TCP & UDP)
The KDC issues a ticket-granting-ticket with a lifetime of ten hours Kerberos uses port 88 (TCP & UDP) Kerberos uses symmetric cryptography

65 SAML Single Sign-On (SSO) Service
Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content. SAML is used extensively for online e-commerce business-to-business (B2B) and business-to-consumer (B2C) transactions

66 Security Assertion Markup Language (SAML): Steps 1-3
User attempts to reach website of service provider that requires username and password Service provider generates SAML authentication request encoded and embedded into URL Service provider sends redirect URL to user's browser that includes encoded SAML authentication request, which then sent to identity provider Security Assertion Markup Language (SAML): Steps 1-3 User attempts to reach website of service provider that requires username and password Service provider generates SAML authentication request encoded and embedded into URL Service provider sends redirect URL to user's browser that includes encoded SAML authentication request, which then sent to identity provider

67 Security Assertion Markup Language (SAML): Steps 4-6
Identity provider decodes SAML request and extracts embedded URL, then attempts authenticate user either by asking for login credentials or checking for valid session cookies Identity provider generates SAML response that contains authenticated user's username Identity provider encodes SAML response and returns that information to the user's browser Security Assertion Markup Language (SAML): Steps 4-6 Identity provider decodes SAML request and extracts embedded URL, then attempts authenticate user either by asking for login credentials or checking for valid session cookies Identity provider generates SAML response that contains authenticated user's username Identity provider encodes SAML response and returns that information to the user's browser

68 Security Assertion Markup Language (SAML): Steps 7-8
Within the SAML response, mechanism so that user’s browser can forward information back to service provider, either by displaying a form that requires the user to click on a Submit button or by automatically sending to the service provider. Service provider verifies the SAML response by using the identity provider’s public key; if response successfully verified, user is logged in Security Assertion Markup Language (SAML): Steps 7-8 Within the SAML response, mechanism so that user’s browser can forward information back to service provider, either by displaying a form that requires the user to click on a Submit button or by automatically sending to the service provider. Service provider verifies the SAML response by using the identity provider’s public key; if response successfully verified, user is logged in

69 SAML Transaction SAML Transaction (Figure 11-8)
A figure. Three boxes are labeled “Service Provider,” “User”, and “Identity Provider.” A line from User to Service provider is labeled “1. The user attempts to reach a website of a service provider that requires a username and password.” The Service Provider box contains “2. The service provider generates a SAML authentication request that is then encoded and embedded into a URL. “ A line from the Service Provider to the User box contains “3. The service provider sends a redirect URL to the user's browser that includes the encoded SAML authentication request, which is then sent to the identity provider.” A line form the User to the Identity Provide contains “Redirect URL sent.” The Identity Provider contains, “4. The identity provider decodes the SAML request and extracts the embedded URL.” The Identithy Provider box contains, “5. SAML response created and signed.” A line form the Identity provider to user contains “6. SAML response returned.” A line from the User to the Service Provider contains, “7. User’s browser forwards SAML request.” The Service Provider box contains, “8. SAML request verified and user logged in.”

70 Directory Services A database stored on the network itself that contains information about users and network devices Keeps track of network resources and user’s privileges to those resources Grants or denies access based on its information Can be used with RADIUS X.500 complaint - A ISO standard for directory services

71 LDAP (Lightweight Directory Access Protocol)
Formats and methods to query directories Used by Active Directory An extension of the X.500 standard Secure LDAP (LDAPS) - secured using TLS / SSL encryption LDAP uses ports 389 (unencrypted) or 636 (encrypted) (TCP and UDP)

72 Lightweight Directory Access Protocol (LDAP)
The information is held in a directory information base (DIB) Entries in the DIB are arranged in a tree structure called the directory information tree (DIT)

73 Lightweight Directory Access Protocol (LDAP)
Sometimes called X.500 Lite A simpler subset of Directory Access Protocol (DAP) Protocol for a client application to access an X.500 directory DAP database is too large to run on a personal computer Primary differences LDAP was designed to run over TCP/IP LDAP has simpler functions LDAP encodes its protocol elements in a less complex way than X.500 LDAP is an open protocol

74 Lightweight Directory Access Protocol (LDAP)

75 Lightweight Directory Access Protocol (cont’d.)
Weakness of LDAP Can be subject to LDAP injection attacks Similar to SQL injection attacks Occurs when user input is not properly filtered Source:

76 Summary Access control is the process by which resources or services are denied or granted Four major access control models exist Best practices for implementing access control Separation of duties Job rotation Least privilege Mandatory vacations

77 Summary (cont’d.) Access control lists define which subjects are allowed to access which objects Specify which operations they may perform Group Policy is a Windows feature that provides centralized management and configuration Authentication services can be provided on a network by a dedicated AAA or authentication server RADIUS is the industry standard

Download ppt "Chapter 9 Access Control Fundamentals"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Methodologies

Access Control Methodologies
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Understanding Active Directory

Understanding Active Directory
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

Similar presentations

Ads by Google