Security+ All-In-One Edition
Chapter 19 – Privilege Management
Brian E. Brzezicki
Access Control
There are a few methods of restricting access to a system that we will talk about in this chapter:
• DAC
• MAC
• Role Based
• Rule Based
Discretionary Access Control ()
The concept that a “data owner” is allowed to authorize access to subjects. This is based on their discretion.
• Most commercial solutions implement Discretionary Access Control
• ACLs are a common implementation of access controls in Discretionary systems
Discretionary access control
User Based
User Based – a DAC method where every user is assigned a unique ID.
Permissions are granted to each individual user. If a user has permissions to a resource, they can access it.
Advantages?
Problems?
Group Based
A DAC method where groups are created. Users are placed in Groups. Permissions are given to groups.
If a user is in a group that has permission to a resource, then that user has permission to the resource.
Advantages?
Problems?
Group Based Access Control
Combination of Access
When you have user and group based access control, often groups AND users are both assigned permissions to resources. The total combination of those permissions is your effective permissions.
Example:
John has Read access to file1.txt
John is a member of managers, which has write access to file1.txt
John's effective access is: read + write
Unix
Unix uses a “bit map” of permissions. The main permissions are
• Read
• Write
• Execute
And these permissions can be assigned to 3 categories: Owner, Group, All Others
Ex. (see next page)
Owner  Group  Others
RWX    R-W    ---
Unix Permissions
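Added example (not from the original slides): how a Unix-like system picks a single permission class for a request. Unlike the combined user + group model described earlier, the three classes are not added together. The mode, UIDs and GIDs are constructed; root's override and POSIX ACLs are ignored.

```python
import stat

# Bit masks for each class, taken from the standard stat module.
CLASS_BITS = {
    "owner":  {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group":  {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "others": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}

def describe(mode):
    """Render the nine permission bits as text, e.g. 0o750 -> 'rwxr-x---'."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))

def pick_class(file_uid, file_gid, uid, gids):
    """Exactly one class applies: owner first, then group, then others."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "others"

def unix_access(mode, file_uid, file_gid, uid, gids, want):
    """True if a non-root process may do `want` ('r', 'w' or 'x')."""
    cls = pick_class(file_uid, file_gid, uid, gids)
    return bool(mode & CLASS_BITS[cls][want])

if __name__ == "__main__":
    # Constructed file: owner r--, group rwx, others ---
    mode, file_uid, file_gid = 0o470, 1000, 50
    print(describe(mode))
    # The owner is also in the group, but only the owner bits are consulted.
    print("owner write:", unix_access(mode, file_uid, file_gid, 1000, {50}, "w"))
    print("group write:", unix_access(mode, file_uid, file_gid, 1001, {50}, "w"))
    print("other read: ", unix_access(mode, file_uid, file_gid, 1002, {60}, "r"))
```

The owner being denied a write that the group is allowed is the case that surprises people who expect additive behaviour.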
Windows Permissions
Windows uses Access Control Lists (also called NTFS permissions)
ACLs are a much more flexible model that allows you to assign ANY combination of permissions to any combination of users and groups.
(more)
Windows ACLs
The basic ACL permissions are
• Full Control
• Modify
• Read
• Read and Execute
• Write
Windows ACLs
Windows ACLs are additive
Joe is a member of the managers group
Joe is a member of the IT group
file1.txt
managers = read, write
IT = read
What are Joe's “effective” permissions to file1.txt?
Windows No access permission
No access is a special permission in Windows. It NULLIFIES all other permissions.
Joe is a member of managers
Joe is a member of IT
file1.txt:
managers = full control
IT = read
joe = deny
What are Joe's effective permissions?
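Added example (not from the original slides) of the two rules above: matching user and group entries add up, and a No access entry nullifies everything. The NO_ACCESS sentinel and the user, group and file names are constructed for illustration; real NTFS ACLs carry more detail than this model.

```python
NO_ACCESS = "NO_ACCESS"  # sentinel standing in for the slide's "No access" entry

def effective_permissions(user, groups, acl):
    """Evaluate an ACL for one user.

    acl is a list of (principal, rights) pairs, where rights is a set of
    permission names or NO_ACCESS. Returns (effective_rights, entries_used)
    so a reviewer can see which entries produced the result.
    """
    principals = {user, *groups}
    granted, used = set(), []
    for principal, rights in acl:
        if principal not in principals:
            continue                      # entry is for someone else
        if rights == NO_ACCESS:
            # One matching No access entry overrides every grant.
            return set(), [(principal, NO_ACCESS)]
        granted |= rights                 # grants are additive
        used.append((principal, rights))
    return granted, used

# Constructed sample: dana is in two groups that both appear in the ACL.
DANA_GROUPS = ["finance", "helpdesk"]
REPORT_ACL = [
    ("finance", {"read", "write"}),
    ("helpdesk", {"read"}),
    ("contractors", {"read"}),            # dana is not a member
]
# Same ACL with a No access entry added for dana personally.
REPORT_ACL_DENIED = REPORT_ACL + [("dana", NO_ACCESS)]

if __name__ == "__main__":
    print(effective_permissions("dana", DANA_GROUPS, REPORT_ACL))
    print(effective_permissions("dana", DANA_GROUPS, REPORT_ACL_DENIED))
```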
MAC
Mandatory Access Control
Mandatory Access Control means that the system is configured with a set of RULES for access and strictly enforces them. The Data Owner is not able to arbitrarily set permissions for users or groups.
Military systems use MAC, usually in a “clearance level” model
(more)
MAC and clearances
Clearance Levels – data is classified into a level by the data owner
• Top Secret – exceptionally grave damage to national security
• Secret – serious damage to national security
• Confidential – damaging national security
• Unclassified – public
(more)
MAC and clearances
Now users are given a clearance level
For example: Bob has secret clearance
If Bob wants to access a document, the OS looks at the document's classification and Bob's clearance level
Bob will only get access if his clearance “dominates”.
Example question 1
Budget.txt
classification: secret
Bob Clearance: top secret
Can Bob read the file budget.txt?
Example question 2
super-secret-file.txt
classification: Top Secret
Bob Clearance: secret
Can Bob access the file “super-secret-file.txt”?
Role Based Access Control (546)
Access to resources is given to job positions or “roles”. Users are assigned to roles, and then they have the access rights that the roles have.
• Much more scalable model than individually assigning permissions
• Avoids Authorization Creep
• Great for large companies
• Great if there is a lot of turnover
Rule Based
The decision to grant access to an item is based on a set of rules (yes or no questions)
Example: You may access a file IF
• You are in the management group
• The time is between 9AM-5PM Monday-Friday
Firewalls use rule based access control to analyze a packet and see if it should be allowed based on the “firewall rules”
Advantages:
• Very flexible type of control
• Can be combined with other types of access controls
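Added example (not from the original slides): the file-access rules above written as yes/no checks, returning which rule said no so the denial can be logged. The request layout and sample requests are constructed, and treating 5PM itself as outside the window is an assumption.

```python
from datetime import datetime

# Each rule is a (name, yes/no question) pair; every rule must answer yes.
RULES = [
    ("member of management group", lambda req: "management" in req["groups"]),
    ("Monday-Friday",              lambda req: req["when"].weekday() < 5),
    ("between 9AM and 5PM",        lambda req: 9 <= req["when"].hour < 17),
]

def decide(request, rules=RULES):
    """Return (allowed, failed_rule_names) for one access request."""
    failed = [name for name, check in rules if not check(request)]
    return (not failed, failed)

# Constructed requests. 2024-03-04 is a Monday, 2024-03-09 a Saturday.
MANAGER_MONDAY = {"groups": {"management"}, "when": datetime(2024, 3, 4, 10, 30)}
MANAGER_SATURDAY = {"groups": {"management"}, "when": datetime(2024, 3, 9, 10, 30)}
STAFF_AT_FIVE = {"groups": {"staff"}, "when": datetime(2024, 3, 4, 17, 0)}

if __name__ == "__main__":
    for label, req in [("manager, Monday 10:30", MANAGER_MONDAY),
                       ("manager, Saturday 10:30", MANAGER_SATURDAY),
                       ("staff, Monday 17:00", STAFF_AT_FIVE)]:
        allowed, failed = decide(req)
        print(label, "->", "ALLOW" if allowed else "DENY", failed)
```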
Auditing
Auditing
If you are going to bother to protect a resource, you should enable auditing on the resource
• You should check the audit logs to determine who is accessing what
• See if people are accessing things they don’t really need (then remove permissions)
• See if people are accessing things “too much”
• Determine if people's access is not sufficient for their job requirements
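Added example (not from the original slides): one way to run the review above, comparing current grants against audit events to find grants nobody uses, heavy accessors, and denied attempts. The log line format, users, paths and the threshold of 3 are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed log format: "<timestamp> user=.. resource=.. action=.. result=.."
LINE = re.compile(r"user=(\S+) resource=(\S+) action=(\S+) result=(allowed|denied)")

SAMPLE_LOG = [
    "2024-03-04T09:12:01 user=alice resource=/payroll/q1.xlsx action=read result=allowed",
    "2024-03-04T09:13:40 user=alice resource=/payroll/q1.xlsx action=read result=allowed",
    "2024-03-04T09:15:02 user=alice resource=/payroll/q1.xlsx action=write result=allowed",
    "2024-03-04T10:01:17 user=bob resource=/hr/reviews.docx action=read result=denied",
    "2024-03-04T11:30:55 user=carol resource=/payroll/q1.xlsx action=read result=allowed",
]
# (user, resource) pairs that currently hold a permission (constructed).
SAMPLE_GRANTS = {
    ("alice", "/payroll/q1.xlsx"),
    ("carol", "/payroll/q1.xlsx"),
    ("carol", "/hr/reviews.docx"),
}

def review(log_lines, grants, heavy_threshold=3):
    """Summarise an audit log against the current grants."""
    used, denied = Counter(), Counter()
    for line in log_lines:
        m = LINE.search(line)
        if not m:
            continue                       # skip lines in another format
        user, resource, _action, result = m.groups()
        (used if result == "allowed" else denied)[(user, resource)] += 1
    return {
        # Granted but never exercised: candidates for removal.
        "unused_grants": sorted(grants - set(used)),
        # Accessed "too much": at or above the threshold.
        "heavy": sorted(k for k, n in used.items() if n >= heavy_threshold),
        # Denied attempts: access may be insufficient, or someone is probing.
        "denied": sorted(denied),
    }

if __name__ == "__main__":
    for finding, pairs in review(SAMPLE_LOG, SAMPLE_GRANTS).items():
        print(finding, pairs)
```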
Audit Files and Logs
Unix/Linux – Syslog (framework)
Windows – Event Viewer (see next slide)
Applications – Specific log files for each application.
• Firewall logs
• Anti-virus logs
• Database logs
• Web server logs
• Mail server logs
• DNS server logs
Event Viewer
Open up event viewer if you’ve never used it before, and look around!
Chapter 19 - Review
Q. What is role based access control?
Q. What is MAC? Where is it usually used?
Q. What is DAC? Where is it usually used?
Q. What is rule based access control?
Chapter 19 - Review
Q. Should user IDs be shared?
Q. Why is auditing necessary?
Q. What types of access control does Windows 2000+ server use for files and directories?
Q. What are the 3 Unix access permissions? What are the 3 different “components” they can be applied to?