Slide 1: Privilege Management (Chapter 22)
Slide 2: Objectives

- Identify the differences among user, group, and role management.
- Implement password and domain password policies.
- Describe methods of account management (SSO, time of day, logical token, account expiration).
- Describe methods of access management (MAC, DAC, and RBAC).
Slide 3: Key Terms

- Administrator: the superuser account on a Windows system. The administrator account has all rights and privileges.
- Access control list (ACL): a list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has, that is, what they can do to the object (such as read, write, or execute).
- Discretionary access control (DAC): an access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object, and what access (read, write, execute) those subjects can have.
- Domain controller: a computer that responds to security authentication requests, such as logging in to a computer, for a Windows domain.
- Domain password policy: a password policy for a specific domain.
- Group: a collection of users with some common criteria, such as a need for access to a particular dataset or group of applications.
- Group policy object (GPO): in a Microsoft Active Directory setting, the group policy settings are stored in a group policy object.
- Mandatory access control (MAC): an access control mechanism in which the security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.
- Password policy: establishes password construction, reuse restrictions, duration, and consequences of failed logon attempts.
- Permissions: authorized actions a subject can perform on an object.
- Privilege management: the process of restricting a user's ability to interact with the computer system.
- Privileges: the ability to "do something" on a computer system, such as create a directory, delete a file, or run a program.
- Rights: define the actions a user can perform on a computer system.
- Role: usually synonymous with a job or set of functions.
- Role-based access control (RBAC): an access control mechanism in which, instead of users being assigned specific access permissions for the objects on the computer system or network, each user is assigned a set of roles that the user may perform.
- Root: the superuser account on UNIX and Linux systems.
- Rule-based access control (RBAC): an access control mechanism based on rules.
- Single sign-on (SSO): an authentication process by which the user can enter a single user ID and password, and then move from application to application or resource to resource without having to supply further authentication information.
- Superuser: the account on a system that has all rights by default.
- Token: a hardware device that can be used in a challenge-response authentication process.
- User: any person accessing a computer system.
- Username: a unique alphanumeric identifier used to identify a person when logging into or accessing the system.
Slide 4: User, Group, and Role Management

- User: any person accessing a computer system.
- Group: multiple users that are granted access to a resource at the same time.
- Role: access is granted or denied based on a person's job or function within the organization.
Slide 5: User

- Username: a unique alphanumeric identifier given to every user that is used to identify them when logging into or accessing the system.
- First step in privilege management: no user should be allowed to create their own account.
- Permissions: control what the user is allowed to do with objects on the system.
- Rights: define the actions a user can perform on the system itself.
- Administrator, Root, Superuser: user accounts with extensive access to a system.

The user is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities. Usernames must be unique to each individual user. Usernames are sometimes based on some combination of the user's first, middle, and last name and often include numbers as well. In other cases, usernames are based on a series of characters from a semirandom selection process that is designed to deter attacks based on easily guessing valid usernames.

The first step in privilege management is that no user should be allowed to create their own account. The administrator can then assign specific permissions to that user, which determine what files the user can access, which programs they can execute, and so on. Rights define the actions a user can perform on the system itself, for example changing the time or adjusting auditing levels.

The administrator account under Windows and the root account under UNIX are special accounts also known as superuser accounts. If something can be done on the system, the superuser has the power to do it. These accounts are not typically assigned to a specific individual and are often shared among selected individuals in an organization. Another account to be aware of on Windows systems is the SYSTEM account, since it functions much like a superuser account.

Due to the power possessed by the superuser accounts, and the few, if any, restrictions placed on them, they must be protected with strong passwords that are not easily guessed or obtained. These accounts are also the most common targets of attackers: if an attacker can gain root access or assume the privilege level associated with the root account, she can bypass most access controls and accomplish anything she wants on that system.
Slide 6: Windows 2008 Server Users

Exam Tip: A username is a unique alphanumeric identifier used to identify a user to a computer system. Permissions control what a user is allowed to do with objects on a computer system: what files they can open, what printers they can use, and so on. In Windows security models, permissions define the actions a user can perform on an object (open a file, delete a folder, and so on). Rights define the actions a user can perform on the system itself, such as change the time, adjust auditing levels, and so on. Rights are typically applied to operating system-level tasks.
Slide 7: Group

- Group: a collection of users with some common criteria.

A group is a collection of users with some common criteria, such as a need for access to a particular dataset or group of applications. A group can consist of one user or hundreds of users, and each user can belong to one or more groups. By assigning a user membership in a specific group, you make it much easier to control that user's access and privileges: once a group is assigned permissions to access a particular resource, adding a new user to that group automatically allows that user to access that resource. In effect, the user "inherits" the permissions of the group as soon as she is placed in that group. Some operating systems, such as Windows, have built-in groups, that is, groups that are already defined within the operating system, such as Administrators, Power Users, and Everyone. The whole concept of groups revolves around making the tasks of assigning and managing permissions easier, and built-in groups certainly help to make these tasks easier.
Slide 8: Windows Server 2008 Group Management
Slide 9: Role

- Role: synonymous with a job or set of functions.
- Example: securityadmin in Microsoft SQL Server.

Under a role, access is granted or denied based on a person's job or function within the organization. For example, the securityadmin role in Microsoft SQL Server may be applied to someone who is responsible for creating and managing logins, reading error logs, and auditing the application. For simplicity and efficiency, rights and privileges can be assigned to the securityadmin role, and anyone assigned to fulfill that role automatically has the correct rights and privileges to perform the required tasks.
Slide 10: Password Policy Components

- Password construction
- Reuse restrictions
- Duration
- Protection of passwords
- Consequences

Security+ Objectives 2.4f, 3.6d, 5.3b: Password Policy

Exam Tip: A password policy is a set of rules designed to enhance computer security by requiring users to employ and maintain strong passwords. A domain password policy is a password policy that applies to a specific domain.

A password policy is a set of rules designed to enhance computer security by requiring users to employ and maintain strong passwords. To help users select a good, difficult-to-guess password, most organizations implement and enforce a password policy, which typically has the following components:

- Password construction: how many characters a password should have; the use of capitalization, numbers, and special characters; not basing the password on a dictionary word or personal information; not making the password a slight modification of an existing password; and so on.
- Reuse restrictions: whether or not passwords can be reused and, if so, with what frequency (how many different passwords must you use before you can use one you have used before).
- Duration: the minimum and maximum number of days a password can be used before it can be changed or must be changed.
- Protection of passwords: not writing down passwords where others can find them, not saving passwords and not allowing automated logins, not sharing passwords with other users, and so on.
- Consequences: the repercussions associated with violation of or noncompliance with the policy.

For more information on password policies, visit Sans.org and type "password policy" into the search box.
Slide 11: Password Policy Options
Slide 12: Domain Password Policy Elements

- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
- Store passwords using reversible encryption

Domains are logical groups of computers that share a central directory database. The Active Directory database is an example of a domain for recent Windows operating systems. The database contains information about the user accounts and security information for all resources identified within the domain. A domain password policy is a password policy for a specific domain. Since these policies are usually associated with the Windows operating system, a domain password policy is implemented and enforced on the domain controller, which is a computer that responds to security authentication requests, such as logging in to a computer, for a Windows domain. The domain password policy usually falls under a group policy object and has the following elements:

- Enforce password history: tells the system how many passwords to remember and does not allow a user to reuse an old password.
- Maximum password age: specifies the number of days a password may be used before it must be changed.
- Minimum password age: specifies the number of days a password must be used before it can be changed again.
- Minimum password length: specifies the minimum number of characters that must be used in a password.
- Password must meet complexity requirements: the password must meet the minimum length requirement and have characters from at least three of the following four groups: English uppercase characters (A through Z), English lowercase characters (a through z), numerals (0 through 9), and nonalphabetic characters (such as !, $, #, %).
- Store passwords using reversible encryption: a form of encryption that can easily be decrypted and is essentially the same as storing a plaintext version of the password (because it is so easy to reverse the encryption and get the password). This should be used only when applications use protocols that require the user's password for authentication (such as Challenge-Handshake Authentication Protocol, or CHAP).
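The following Python is an added illustration, not code from the slides or from Windows itself. It models the domain password policy elements listed above (history, minimum and maximum age, minimum length, and the three-of-four-groups complexity rule); the policy values, account structure and SHA-256 history store are constructed for the example.

```python
"""Model of the domain password policy elements on this slide (added example;
values and the history store are constructed, not Windows' implementation)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

UPPER = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = frozenset("abcdefghijklmnopqrstuvwxyz")
DIGIT = frozenset("0123456789")


def character_groups(password: str) -> int:
    """Count how many of the four groups on the slide appear in the password:
    uppercase, lowercase, numerals, and nonalphabetic symbols such as ! $ # %."""
    chars = set(password)
    groups = [chars & UPPER, chars & LOWER, chars & DIGIT,
              chars - (UPPER | LOWER | DIGIT)]
    return sum(1 for g in groups if g)


def meets_complexity(password: str, min_length: int) -> bool:
    """'Password must meet complexity requirements': minimum length plus
    characters from at least three of the four groups."""
    return len(password) >= min_length and character_groups(password) >= 3


@dataclass
class DomainPasswordPolicy:
    enforce_password_history: int = 24  # old passwords remembered
    maximum_password_age: int = 42      # days before a change is required
    minimum_password_age: int = 1       # days before it may be changed again
    minimum_password_length: int = 8
    complexity_required: bool = True


@dataclass
class Account:
    history: List[str] = field(default_factory=list)  # digests, newest last
    last_set: Optional[date] = None


def _digest(password: str) -> str:
    # Constructed stand-in for the credential store: history is compared by
    # digest so old passwords are never kept in plaintext (contrast the
    # 'reversible encryption' option, which is effectively plaintext).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def must_change(account: Account, policy: DomainPasswordPolicy, today: date) -> bool:
    """Maximum password age: True once the password has expired."""
    if account.last_set is None:
        return True
    return (today - account.last_set).days >= policy.maximum_password_age


def evaluate_change(account, policy, new_password, today):
    """Return the names of the policy elements a proposed change violates
    (an empty list means the change is accepted)."""
    problems = []
    if (account.last_set is not None
            and (today - account.last_set).days < policy.minimum_password_age):
        problems.append("minimum password age")
    if len(new_password) < policy.minimum_password_length:
        problems.append("minimum password length")
    elif policy.complexity_required and character_groups(new_password) < 3:
        problems.append("complexity requirements")
    remembered = (account.history[-policy.enforce_password_history:]
                  if policy.enforce_password_history else [])
    if _digest(new_password) in remembered:
        problems.append("enforce password history")
    return problems


def change_password(account, policy, new_password, today):
    """Apply the change only when every element of the policy is satisfied."""
    problems = evaluate_change(account, policy, new_password, today)
    if not problems:
        account.history.append(_digest(new_password))
        account.last_set = today
    return problems
```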
Slide 13: Single Sign-On

Single sign-on (SSO) is an authentication process in which the user can enter a single username and password and then be able to move from application to application or resource to resource without having to supply further authentication information.

Exam Tip: The Security+ exam will very likely contain questions regarding single sign-on because it is such a prevalent topic and a very common approach to multisystem authentication.

Invariably, users will forget the passwords they chose for infrequently accessed systems, which creates more work for system administrators who must assist users with password changes or password recovery efforts. To make remembering passwords easier, administrators utilize a technology called single sign-on. To put it simply, SSO allows a user to supply the right username and password once and have access to all the applications and data needed, without having to log in multiple times and remember many different passwords. From a user standpoint, SSO means you need to remember only one username and one password. From a security standpoint, single sign-on users are more likely to choose a complex password, since they only have to remember a single one.

The figure at the bottom of the slide depicts the two-step single sign-on process:

1. The user signs in once, providing a username and password to the SSO server.
2. The SSO server provides authentication information to any resource the user accesses during that session. The server interfaces with the other applications and systems; the user does not need to log into each system individually.

To be effective and useful, all your applications need to be able to access and use the authentication provided by the SSO process. If your network, like most, contains different operating systems, custom applications, and a diverse user base, SSO may not be a viable option.
Slide 14: Time of Day Restrictions

- Control certain users, groups, or even roles and limit access to certain resources to specific days and times.
- Usually specified for individual accounts.
- Serve as a mechanism to enforce internal controls of critical or sensitive resources.
- Drawback: a user cannot go to work outside of normal hours to "catch up" with work tasks.

Security+ Objective 5.2r: Time of Day Restrictions
Slide 15: Setting Logon Hours

The figure in this slide shows access round the clock, 24/7. This may be inappropriate for certain situations.

Example: This type of capability might be used by a bank. The administrator may implement time of day restrictions on the accounts of bank tellers so that they may be logged in only from 8 A.M. to 6 P.M. Monday through Saturday. If a teller attempts to log in outside the allowed hours, he is denied access even if he supplies the proper authentication credentials. If a teller is logged in when his allowable login time expires, the system can be configured either to forcibly disconnect the teller or just to warn the teller that his login hours have passed but still allow him to remain logged in.

Be careful implementing time of day restrictions. Some operating systems give you the option of disconnecting users as soon as their "allowed login time" expires, regardless of what the user is doing at the time. The more commonly used approach is to allow currently logged-in users to stay connected but reject any login attempts that occur outside of allowed hours.
Slide 16: Tokens

- Token: an authentication factor that typically takes the form of a physical or logical entity that the user must be in possession of to access their account or certain resources.
- Physical tokens: Common Access Cards (CACs), USB tokens, smart cards, and PC cards.
- Software tokens: stored symmetric keys, or asymmetric cryptography used with a PIN.

Security+ Objective 5.2e: Tokens

Usernames and passwords are "something you know" (which can be used by anyone else who knows or discovers the information). A more secure method of authentication is to combine the "something you know" with "something you have." In some systems the token is a constantly changing number sequence. The ever-changing sequence of numbers is synchronized to a remote server, so that when the user enters the correct username, password, and matching sequence of numbers, they are allowed to log in. Even if an attacker obtains the username and password, the attacker cannot log in without the matching sequence of numbers.
Slide 17: Token Authenticator from Blizzard Entertainment
Slide 18: Account and Password Expiration

- Allows administrators to specify a period of time for which a password or an account will be active.
- When an account has expired, it cannot be used unless the expiration deadline is extended.

Security+ Objective 5.3b: Account Expiration

One of the best practices an organization can implement is to attach an expiration date to user passwords, so that if an account is compromised, the time that it remains compromised is limited. In addition to password expiration, password history mechanisms should be used. The history is used to keep track of previously used passwords so that they cannot be reused. Password expiration and account expiration are quite similar, except that account expiration is generally put in place because a specific account is intended for a specific purpose of limited duration. When an account has expired, it cannot be used unless the expiration deadline is extended.
Slide 19: Security Controls and Permissions

- Permissions: control what a user is allowed to do with objects on a system.
- Rights: define the actions a user can perform on the system itself.
- NTFS (New Technology File System): the standard file system for Windows.

Security+ Objective 2.2d: Security Controls and Permissions

Exam Tip: Permissions can be applied to specific users or groups to control that user's or group's ability to view, modify, access, use, or delete resources such as folders and files.

The Windows operating systems use the concepts of permissions and rights to control access to files, folders, and information resources. Folders and files are not the only things that can be safeguarded or controlled using permissions; even access to and use of peripherals, such as printers, can be controlled using permissions. When using the NTFS file system, administrators can grant users and groups permission to perform certain tasks as they relate to files, folders, and Registry keys.
Slide 20: Permissions for the Data Folder

The basic categories of NTFS permissions are as follows:

- Full Control: a user or group can change permissions on the folder/file, take ownership if someone else owns the folder/file, delete subfolders and files, and perform actions permitted by all other NTFS folder permissions.
- Modify: users or groups can view and modify files/folders and their properties, can delete and add files/folders, and can delete or add properties to a file/folder.
- Read & Execute: users or groups can view the file/folder and can execute scripts and executables but cannot make any changes (files/folders are read-only).
- List Folder Contents: a user or group can list only what is inside the folder (applies to folders only).
- Read: users or groups can view the contents of the file/folder and the file/folder properties.
- Write: users or groups can write to the file or folder.

The Windows operating system also uses user rights, or privileges, to determine what actions a user or group is allowed to perform or access. Examples of user rights:

- Log on locally: users or groups can attempt to log on to the local system itself.
- Access this computer from the network: users or groups can attempt to access this system through the network connection.
- Manage auditing and security log: users or groups can view, modify, and delete auditing and security log information.
Slide 21: User Rights Assignment Options from Windows Local Security Settings
Slide 22: Security Tab Showing Printer Permissions Under Windows Vista
Slide 23: Access Control Lists

- Routers and firewalls: an ACL is a set of rules used to control traffic flow into or out of an interface or network.
- System resources: these include elements such as files and folders; an ACL lists the permissions attached to an object, that is, who is allowed to view, modify, move, or delete that object.

Security+ Objective 5.2l: ACL
Slide 24: Access Control Lists (continued)

The figures shown display the access control list (permissions) for the Data folder on a system. The user identified as Billy Williams, on the left, has Read & Execute, List Folder Contents, and Read permissions, meaning this user can open the folder, see what is in the folder, and so on. In the figure on the right, the user Leah Jones has only Read permission on the same folder.
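As an added example (not code from the slides or from Windows), the following Python models how the Data folder permissions above combine per-user entries with group membership, so that a user placed in a group "inherits" the group's permissions as described on the Group slide. The permission names are the NTFS categories from the chapter; the implication table, the rule that an explicit Deny beats an Allow, and the sample ACL entries for the Accounting and Contractors groups are a constructed simplification, not Windows' own ACL algorithm.

```python
"""Model of effective folder permissions from an ACL plus group membership
(added example; implication table and Deny-wins rule are constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

FULL_CONTROL = "Full Control"
MODIFY = "Modify"
READ_AND_EXECUTE = "Read & Execute"
LIST_FOLDER_CONTENTS = "List Folder Contents"
READ = "Read"
WRITE = "Write"

# Broader categories include the narrower ones described on the
# 'Permissions for the Data Folder' slide (constructed simplification).
IMPLIES: Dict[str, Set[str]] = {
    FULL_CONTROL: {MODIFY, READ_AND_EXECUTE, LIST_FOLDER_CONTENTS, READ, WRITE},
    MODIFY: {READ_AND_EXECUTE, LIST_FOLDER_CONTENTS, READ, WRITE},
    READ_AND_EXECUTE: {LIST_FOLDER_CONTENTS, READ},
    LIST_FOLDER_CONTENTS: set(),
    READ: set(),
    WRITE: set(),
}


def expand(perms: Iterable[str]) -> Set[str]:
    """Add every permission implied by the ones granted."""
    out: Set[str] = set()
    for p in perms:
        out.add(p)
        out |= IMPLIES[p]
    return out


@dataclass(frozen=True)
class Ace:
    """One access control entry: a subject (user or group), Allow or Deny,
    and the permission categories it names."""
    subject: str
    allow: bool
    perms: FrozenSet[str]


def effective_permissions(acl: List[Ace], user: str,
                          groups: Dict[str, Set[str]]) -> Set[str]:
    """Union of Allow entries for the user and each group they belong to
    (the user 'inherits' the group's permissions), minus anything an
    explicit Deny entry names, including broader categories that imply it."""
    subjects = {user} | groups.get(user, set())
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.subject in subjects:
            (allowed if ace.allow else denied).update(expand(ace.perms))
    blocked = {p for p in allowed if p in denied or IMPLIES[p] & denied}
    return allowed - blocked


# Constructed ACL for the Data folder, following the two users on the slide
# plus two group entries added for illustration.
DATA_FOLDER_ACL = [
    Ace("Billy Williams", True, frozenset({READ_AND_EXECUTE})),
    Ace("Leah Jones", True, frozenset({READ})),
    Ace("Accounting", True, frozenset({MODIFY})),
    Ace("Contractors", False, frozenset({WRITE})),
]
```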
Slide 25: Handling Access Control (MAC, DAC, and RBAC)

Four methods for handling access control:

- Mandatory access control (MAC)
- Discretionary access control (DAC)
- Role-based access control (RBAC)
- Rule-based access control (RBAC)
Slide 26: Mandatory Access Control (MAC)

- Restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information.
- U.S. Government security labels: Top Secret, Secret, Confidential, Unclassified.
- Access control and sensitivity labels are required in a MAC system.

Security+ Objective 5.2n: Mandatory Access Control

Exam Tip: Mandatory access control restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information.

Under a MAC system, each piece of information and every system resource (files, devices, networks, and so on) is labeled with its sensitivity level (such as Public, Engineering Private, and Jones Secret). Users are assigned a clearance level that sets the upper boundary of the information and devices that they are allowed to access. For example, if the administrator defines a file as having an Engineering Private sensitivity level, only the members of the Engineering group with access to private information currently operating at a Private sensitivity level can access that file and its contents. A file with a Public sensitivity label would be available to anyone on the system.

U.S. Government security labels:

- Top Secret: the highest security level that is publicly disclosed, defined as information that would cause "exceptionally grave damage" to national security if disclosed to the public.
- Secret: the second highest level, defined as information that would cause "serious damage" to national security if disclosed to the public.
- Confidential: the lowest level of classified information, defined as information that would "damage" national security if disclosed.
- Unclassified: any of this information can be released to individuals without a clearance.

The access control and sensitivity labels are required in a MAC system. Labels are defined and then assigned to users and resources. Users must then operate within their assigned sensitivity and clearance levels; they do not have the option to modify their own sensitivity levels or the levels of the information resources they create. The labels work in a top-down fashion, so that an individual holding a Secret clearance would have access to information at the Secret, Confidential, and Unclassified levels. An individual with a Secret clearance would not have access to Top Secret resources, as that label is above the highest level of the individual's clearance.
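The following Python is an added example (not from the slides or any real MAC implementation) of the label rules described above: the level ordering Top Secret > Secret > Confidential > Unclassified is from the slide, while the compartment handling used to represent a label such as "Engineering Private", the MacSystem class and the user and resource names are constructed for illustration.

```python
"""Model of the MAC label rules on this slide (added example). The level
order is from the slide; compartments and the MacSystem class are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()  # e.g. frozenset({"Engineering"})

    def dominates(self, other: "Label") -> bool:
        """Top-down rule: at least as high a level, and every compartment the
        other label carries is present here as well."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(clearance: Label, resource: Label) -> bool:
    """The clearance is the upper boundary of what the user may access."""
    return clearance.dominates(resource)


class MacSystem:
    """Labels are defined by the administrator and assigned to users and
    resources; subjects cannot change them (unlike the owner under DAC)."""

    def __init__(self) -> None:
        self.admins: Set[str] = set()
        self.clearances: Dict[str, Label] = {}
        self.resources: Dict[str, Label] = {}

    def set_clearance(self, actor: str, user: str, label: Label) -> None:
        self._require_admin(actor)
        self.clearances[user] = label

    def label_resource(self, actor: str, name: str, label: Label) -> None:
        self._require_admin(actor)
        self.resources[name] = label

    def read(self, user: str, name: str) -> bool:
        """Access decision for a read request."""
        return can_read(self.clearances[user], self.resources[name])

    def _require_admin(self, actor: str) -> None:
        # A user cannot lower or raise a label, even on a resource they created.
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not permitted to change labels")
```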
Slide 27: Discretionary Access Control (DAC)

- Restricts access based on the user's identity or group membership.
- The most common access control system.
- Commonly used in both UNIX and Windows operating systems.
- The "discretionary" part of DAC means that a file or resource owner has the ability to change the permissions on that file or resource.

Security+ Objective 5.2o: Discretionary Access Control

Exam Tip: Discretionary access control restricts access based on the user's identity or group membership. Remember that under the discretionary model, the file's owner can change the file's permissions any time they want.
Slide 28: Role-Based Access Control (RBAC)

- Role-based access control (RBAC) is the process of managing access and privileges based on the user's assigned roles.
- The access control model that most closely resembles an organization's structure.

Security+ Objective 5.2p: Role-based Access Control

Exam Tip: Role-based and rule-based access control are both abbreviated as RBAC, so don't get the two confused. Role-based focuses on the user's role (administrator, backup operator, and so on). Rule-based focuses on predefined criteria such as time of day (users can only log in between 8 A.M. and 6 P.M.) or type of network traffic (web traffic is allowed to leave the organization).

When a role is assigned to a specific user, the user gets all the rights and privileges assigned to that role.
Slide 29: Rule-Based Access Control (RBAC)

- Access is either allowed or denied based on a set of predefined rules.

Security+ Objective 5.2p: Rule-based Access Control

Exam Tip: The Security+ exam will very likely expect you to be able to differentiate between the four major forms of access control discussed here: mandatory access control, discretionary access control, role-based access control, and rule-based access control.

Rule-based access control focuses on predefined criteria such as time of day (users can only log in between 8 A.M. and 6 P.M.) or type of network traffic (web traffic is allowed to leave the organization).

Example: A good example is permitted logon hours. Many operating systems give administrators the ability to control the hours during which users can log in. For example, a bank may allow its employees to log in only between the hours of 8 A.M. and 6 P.M. Monday through Saturday. If a user attempts to log in during these hours, the rule will allow the user to attempt the login. If a user attempts to log in outside of these hours, at 3 A.M. on Sunday for example, then the rule will reject the login attempt whether or not the user supplies valid login credentials.
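As an added example serving both this slide and the earlier Time of Day Restrictions and Setting Logon Hours slides (it is not code from the presentation or from any operating system), the following Python models the permitted-logon-hours rule: the bank-teller hours of 8 A.M. to 6 P.M., Monday through Saturday, come from the slides, while the LogonHours class, the per-account rule table and the disconnect-or-warn handling for sessions that outlast their hours are constructed.

```python
"""Model of the permitted-logon-hours rule on the time-of-day and rule-based
slides (added example; rule shape and disconnect/warn handling are constructed)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class LogonHours:
    start: time                 # inclusive
    end: time                   # exclusive
    weekdays: FrozenSet[int]    # Monday = 0 ... Sunday = 6

    def allows(self, when: datetime) -> bool:
        """True when the instant falls on a permitted day inside the window."""
        return (when.weekday() in self.weekdays
                and self.start <= when.time() < self.end)


# 8 A.M. to 6 P.M., Monday through Saturday, as on the slides.
TELLER_HOURS = LogonHours(time(8, 0), time(18, 0), frozenset(range(0, 6)))


def logon_decision(rule: LogonHours, credentials_valid: bool, when: datetime) -> str:
    """Rule-based control: the predefined rule is evaluated regardless of the
    credentials, so a valid password at 3 A.M. on Sunday is still rejected."""
    if not rule.allows(when):
        return "rejected: outside permitted logon hours"
    if not credentials_valid:
        return "rejected: invalid credentials"
    return "allowed"


def account_logon_decision(rules: Dict[str, LogonHours], user: str,
                           credentials_valid: bool, when: datetime) -> str:
    """Restrictions are usually specified per account; an account with no rule
    keeps the round-the-clock access shown on the 'Setting Logon Hours' slide."""
    rule: Optional[LogonHours] = rules.get(user)
    if rule is None:
        return "allowed" if credentials_valid else "rejected: invalid credentials"
    return logon_decision(rule, credentials_valid, when)


def session_check(rule: LogonHours, when: datetime, force_disconnect: bool) -> str:
    """For a user already logged in: either disconnect when the allowed time
    expires, or (the more common approach) warn and let the session continue."""
    if rule.allows(when):
        return "ok"
    return "disconnect" if force_disconnect else "warn"
```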
Slide 30: Chapter Summary

- Identify the differences among user, group, and role management.
- Implement password and domain password policies.
- Describe methods of account management (SSO, time of day, logical token, account expiration).
- Describe methods of access management (MAC, DAC, and RBAC).