Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Published byJoy Goodwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit."— Presentation transcript:

1 Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit

2 Auditing Logical Access in a Network Environment In this presentation we will discuss: The fundamental concepts of Logical Access Control and protection of data Special considerations for auditing Logical Access in a distributed environment

3 Auditing Logical Access in a Network Environment The fundamental concepts of Logical Access Control and protection of data…

4 Confidentiality, Integrity and Availability Policies and Procedures Technical Architecture The Fundamental Concepts of Logical Access

5 Confidentiality Confidentiality refers to limiting information access and disclosure to authorized users who have a business need for accessing specific data and preventing access by or disclosure to unauthorized ones. Confidentiality is related to the broader concept of data privacy -- limiting access to individuals' personal information. Federal statutes such as FERPA and HIPAA, set the legal terms of privacy. FERPAHIPAA

6 Integrity refers to the trustworthiness of information resources. It includes the concept of "data integrity" -- namely, that data has not been changed inappropriately, whether by accident or deliberately. It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or entity you think it did, rather than an imposter. Integrity

7 Availability Availability may be affected by purely technical issues (e.g., a malfunctioning network device or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).

8 Information Owners Individuals who represent Information Owners for the data and tools they use. Information Owners are responsible for determining who should have access to protected resources within their jurisdiction based on users’ job responsibilities, and what those access privileges should be (read, update, etc.).

9 Information Owners Information Owners should be identified for all entity information assets and assigned responsibility for the maintenance of appropriate security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc.

10 Data Classification Information, like other assets, must be properly managed from its creation, through authorized use, to proper disposal. As with other assets, not all information has the same use or value, and therefore information requires different levels of protection. All information should be classified and managed based on its confidentiality, integrity and availability characteristics.

11 Data Classification Information must be classified and protected based on its importance to business activities, risks, and security best practices. The Information Owner will classify and secure information within their jurisdiction based on the information’s value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.

12 Access Control Owners should make all decisions regarding controls, access privileges of users, and daily decisions regarding information management.

13 Logical Access Control Computer-based access controls are called Logical Access Controls. Logical Access Controls provide a technical means of controlling what information persons can use, the programs they can run, and the modifications they can make.

14 Policies and Procedures Polices are the building blocks of network Logical Access Controls because they describe and document the controls over what level and type of protection is appropriate for individual data resources and who needs access to these resources.

15 User Account Lifecycle Once resource owners have classified data according to its need for protective controls, entities should develop procedures to identify all functions of user management. This should include the generation, modification, and deletion of user accounts for access to the data.

16 Password Management Procedures and standards for managing passwords should be implemented to ensure all authorized individuals accessing entity resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.

17 Network Access Control An Organization needs to develop and implement procedures to protect its trusted internal network. Network controls should be developed and implemented to ensure that an authorized user can access only those network resources and services to perform their assigned job responsibilities.

18 Technical Architecture

19 New York State agencies: Most use a client server model  90% of the organizations audited utilize Microsoft Active directory

20 Active Directory The main purpose of Active Directory is to provide central authentication and authorization services for Windows based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an entire organization.

21 Active Directory Active Directory allows for: Policy-based administration using Group Policies Scalability (domain  tree  forest) Replication of information (load balancing etc.) Security administration (authentication, DACLs) Interoperability

22 Active Directory Objects (and classes in the schema) Object Publishing Domains (trees, forests, trust, OUs) Delegation and Group Policy concepts

23 Active Directory Objects are the entities that make up a network. An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. When an Active Directory object is created, it generates values for some of the object's attributes.

24 Active Directory Each attribute object can be used in several different schema class objects. These schema objects exist to allow the schema to be extended or modified when necessary.

25 Active Directory The schema keeps track of: –Classes –Class attributes –Class relationships such as subclasses (Child classes that inherit attributes from the super class) and super classes (Parent classes). –Object relationships such as what objects are contained by other objects or what objects contain other objects.

26 Active Directory Domains: –The framework that holds the objects is viewed at a number of levels. At the top of the structure is the Forest - the collection of every object, its attributes and rules (attribute syntax) in the AD.

27 Active Directory Domains : –The forest holds one or more transitive, trust- linked Trees. A tree holds one or more Domain and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace. A domain has a single DNS name.

28 Active Directory Organizational Units : –The objects held within a domain can be grouped into containers called Organizational Units (OUs).  Give a domain a hierarchy  Ease its administration

29 Active Directory Organizational Units: –The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites.

30 Active Directory Organizational Units: –The OU is the level at which administrative powers are commonly delegated, but granular delegation can be performed on individual objects or attributes as well.

31 Active Directory Business Example: –A Typical structure of a organization  Human Resources  Payroll  Finance

32 Active Directory Business Example: –As an employee assigned to Human Resources my access should be limited to HR applications and folders –Likewise HR Data should not be accessible to other business units

33 Special considerations for auditing logical access in a distributed environment Auditors should: –Review organizations policies & procedures –Compare to known and accepted industry standards –Test whether users’ data access is tied to their job responsibilities –Attempt predetermined “hacks” to test for network vulnerabilities that allow for inappropriate data access

34 Special considerations for auditing logical access in a distributed environment Demonstration

35 Links of Interest http://www.irongeek.com/ http://nvd.nist.gov/ http://sectools.org/ http://johnny.ihackstuff.com/ http://www.dirk-loss.de/onlinetools http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

36 Questions

Download ppt "Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit."

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Module 14: Implementing an Active Directory Infrastructure.

Module 14: Implementing an Active Directory Infrastructure.
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.

How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
70-297: MCSE Guide to Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Chapter 2: Developing the Active Directory.

70-297: MCSE Guide to Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Chapter 2: Developing the Active Directory.
Chapter 4 Chapter 4: Planning the Active Directory and Security.

Chapter 4 Chapter 4: Planning the Active Directory and Security.
Introduction to Active Directory

Introduction to Active Directory
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Chapter 4 Introduction to Active Directory and Account Management

Chapter 4 Introduction to Active Directory and Account Management
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.

Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Understanding Active Directory

Understanding Active Directory
© Wiley Inc. 2006. All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.

© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

Similar presentations

Ads by Google