Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:"— Presentation transcript:

1 CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

2 Overview Learning Objectives – Understand the OS security functions – Learn about the different levels of privilege – Learn about Vista and Linux protection

3 OS Design Decisions Turns out there are design decisions that affect the security of the OS Affects ultimate security of the OS and the user experience using the OS One of the most important decisions is that the OS is designed as a monolithic program vs. a highly modular design

4 OS Design Decisions Monolithic Design – Integrate a great deal of functionality into the OS core – Services are interdependent – Core system is larger – Every flaw in a piece of that system is exposed through all the services that depend on that system

5 Example Windows design - Monolithic – Decided to integrate IE into OS, – Did this in an attempt to put Netscape out of business, wanted to take over Browser market – Every flaw in IE then exposes desktop to risks that go beyond the browser – Different if browser was separate

6 OS Design Decisions In contrast, what are the benefits of modular design? – Restricted damage if module has defect – Smaller kernel – Easier to upgrade or repair if flaw Does not affect so much code

7 Example Linux - All flavors – Modular design from the beginning – Much smaller kernel than Windows – Device drivers and other applications are not part of the kernel – More restricted as to what needs administrative privileges

8 OS Security Overview Security within OS's – What services should an OS offer for security?

9 OS Security Overview Security within OS's – What services should an OS offer for security? Secure logon facility – Authenticate users Discretionary Access Control – Allows owner of resource to determine who can access the resource Security Auditing – Record security related events – Keep logs of events Object reuse protection – Deleted items or reused memory should be protected between users

10 OS Security Overview Security within OS's – What services should an OS offer for security? Facility Management – Support for separate account roles for administrative functions – Users, administrators have different accounts

11 OS Security functions Discuss two of previous functions 1. User authentication 2. Access to authorized resources User authentication a. Positively ID the user Compare to stored identity b. Authenticate the user User must provide additional information Password, biometric attribute, keycard

12 OS Security functions Access to authorized resources – Decision based on access rules – Typically authorization based on user or group individual membership and – Labels attached to objects Example: Windows users with admin privilege – Allowed to both view and change user accounts

13 OS's Manage Privilege Level Two levels of privilege in modern CPU's This is offered by the CPU itself, Intel, AMD – User mode – unprivileged – Kernel mode – privileged The OS runs in Kernel mode User programs – User mode User programs make calls to the OS – To use the hardware resources – Use the OS API to access hardware

14 User Powers Seems to be a need to have a user with greater powers – Root, superuser or administrator Yet, this comes with added risk – If user makes a mistake, can possibly damage the system – Or, if they get their identity stolen, attacker has full power to OS

15 User Powers Because of this problem of risk from elevated power, concept of – “Least Privilege” – Only want to operate with the minimum of needed power to get a job done – So, while I could always log in as administrator, if I get my account hijacked or I get infected by malware while I am administrator Attackers then have full access to the machine's resources – Example: In Linux Ubuntu, have sudo command

16 File System Access In OS's – Data and programs stored as files in directories – Concept of ownership of files either by users or the OS itself – Then files have permissions set for reading, writing or executing them Windows – Access control is done by an Access Control List (ACL)‏ – Ea. object in system – Files, network shares, directories have an ACL

17 File System Access Windows – ACL has users or groups, operations like read or write, and a permission – allow or deny – How it works When user, Carol, tries to open a file, the kernel checks ACL for the file to see if she is allowed or denied access If not, action fails else Carol is allowed access to resource Linux – Permissions are set for each object Looks at group, user or everyone for read, write and execute privileges

18 Kernel Level Privilege for Outside Code Kernel mode programs – Usually come with OS and are developed by company creating the OS – Need to support other people's programs – third party programs – Most typical is allowing third party developers to write programs that support a wide range of peripherals Printers, video cards, network cards – Programs, Device Drivers

19 Windows Privilege Levels In XP and other pre-Vista versions – Had 2 choices of privilege – 1. Administrator or 2. Normal user Administrator – access to everything Normal user – many system level tasks you needed to do, you couldn't do – Consequently, most people ran as Administrator most of the time – Most users not even aware of the need NOT to run as admin

20 Windows Privilege Levels Vista – Have more choices – Can operate as a restricted normal user and still be able to do almost everything in OS – And when necessary, you can be elevated to an administrator for a short time to accomplish some task – Known at User Account Control (UAC)‏ – Basically, copied sudo in Linux Except it seemed to ask far more often !!!

21 Security Identifiers (SIDs)‏  Each user account has a SID that uniquely identifies it

22 Tokens  When you log on, you get a security access token Includes your User Name, SID, and groups you belong to  Each program you launch gets a copy of your security access token Token

23 Windows Vista splits the access tokens for users with administrative privileges – Vista included only two types of users. Administrators Tokens provided are a “filtered” standard user token and an “full administrator access” token Standard Users Only provided a “standard user” token – Benefits of the User Account Control (UAC)‏ Installation of software now requires conscious action on the part of the user Malicious code cannot be installed without the knowledge of the user Tokens

24 Account Types  Account Types are a convenience to describe memberships in the most frequently-user groups  Administrator accounts are in the Administrators group  Standard accounts are in the Users group  Guest accounts are in the Guests group

25 Tasks Only Administrators Can Perform  Create, change, and delete user accounts and groups  Install and uninstall programs  Configure automatic updating or install Windows updates manually  Install an ActiveX control  Install or remove hardware device drivers  Share folders  Set permissions  Access all files, including those in another user’s folder  Take ownership of files  Copy or move files into the %ProgramFiles% or %SystemRoot% folders  Restore backed-up system files  Grant rights to other user accounts and to themselves  Configure Parental Controls  Configure Windows Firewall

26 Tasks Available to Standard Users  Change the password and picture for their own user account  Use programs that have been installed on the computer  Install approved ActiveX controls  Configure a secure Wi-Fi connection  View permissions  Create, change, and delete files in their document folders and in shared document folders  Restore their own backed-up files  View the system clock and calendar, and change the time zone  Configure power options  Log on in Safe Mode

27 Guests  Guests have privileges similar to Standard accounts  Guests cannot create a password

28 OS Services Services are – Processes that run when the OS starts – Not necessarily started by you, but run by the OS to perform tasks

29 Windows Vista Services Prior to Vista, many Services received LocalSystem privileges Problem was LocalSystem account had virtually unlimited access to local machine and network resources Vista, one big security measures was to protect running Services by providing them with security token of either LocalService or NetworkService – Are severely limited compared with LocalSystem Vista also included tighter security restrictions to ensure that none of the three system accounts has access to sensitive files, folders or processes

30 The End Next Time: See miniAssignment 3 Next: Lab today, meet in CEB 342

Download ppt "CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:"

Similar presentations

Operating-System Structures

Operating-System Structures
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Understand Database Security Concepts

Understand Database Security Concepts
Upgrading Software CIT 1100 Chapter4.

Upgrading Software CIT 1100 Chapter4.
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:

Chapter 5: Configuring Users and Groups. Windows Vista User Accounts User accounts are the primary means of authentication Built-in Accounts –Administrator:
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 24 NTFS Permissions and Sharing Printers 1.

Fall 2011 Nassau Community College ITE153 – Operating Systems Session 24 NTFS Permissions and Sharing Printers 1.
Operating Systems.

Operating Systems.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Installing software on personal computer

Installing software on personal computer
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.
CSCD 303 Essential Computer Security Spring 2013 Lecture 6 - Desktop Security.

CSCD 303 Essential Computer Security Spring 2013 Lecture 6 - Desktop Security.
Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.

Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.
Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.

Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.
© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 6 Today’s Windows Windows Vista and Windows 7 McGraw-Hill.

Similar presentations

Ads by Google