Privilege Management, Chapter 22

Objectives
Identify the differences among user, group, and role management.
Implement password and domain password policies.
Describe methods of account management (SSO, time of day, logical token, account expiration).
Describe methods of access management (MAC, DAC, and RBAC).

Key Terms

Administrator: the superuser account on a Windows system. The administrator account has all rights and privileges.
Access control list (ACL): a list associated with an object (such as a file) that identifies what level of access each subject (such as a user) has, that is, what they can do to the object (such as read, write, or execute).
Discretionary access control (DAC): an access control mechanism in which the owner of an object (such as a file) can decide which other subjects (such as other users) may have access to the object, and what access (read, write, execute) those subjects can have.
Domain controller: a computer that responds to security authentication requests, such as logging in to a computer, for a Windows domain.
Domain password policy: a password policy for a specific domain.
Group: a collection of users with some common criteria, such as a need for access to a particular dataset or group of applications.
Group policy object (GPO): in a Microsoft Active Directory setting, the group policy settings are stored in a group policy object.
Mandatory access control (MAC): an access control mechanism in which the security mechanism controls access to all objects (files), and individual subjects (processes or users) cannot change that access.
Password policy: the password policy establishes password construction, reuse restrictions, duration, and consequences of failed logon attempts.
Permissions: authorized actions a subject can perform on an object.
Privilege management: the process of restricting a user's ability to interact with the computer system.
Privileges: having the ability to do something on a computer system, such as create a directory, delete a file, or run a program.
Rights: define the actions a user can perform on a computer system.
Role: usually synonymous with a job or set of functions.
Role-based access control (RBAC): an access control mechanism in which, instead of the user being assigned specific access permissions for the objects associated with the computer system or network, a set of roles that the user may perform is assigned to each user.
Root: the superuser account on UNIX and Linux systems.
Rule-based access control (RBAC): an access control mechanism based on rules.
Single sign-on (SSO): an authentication process by which the user can enter a single user ID and password, and then move from application to application or resource to resource without having to supply further authentication information.
Superuser: the account on a system that has all rights by default.
Token: a hardware device that can be used in a challenge-response authentication process.
User: applies to any person accessing a computer system.
Username: a unique alphanumeric identifier used to identify a person when logging into or accessing the system.
User, Group, and Role Management

User: any person accessing a computer system.
Group: multiple users that are granted access to a resource at the same time.
Role: access is granted or denied based on a person's job or function within the organization.

User

Username: a unique alphanumeric identifier given to every user that is used to identify them when logging into or accessing the system.
First step in privilege management: no user should be allowed to create their own account.
Permissions: control what the user is allowed to do with objects on the system.
Rights: define the actions a user can perform on the system itself.
Administrator, Root, Superuser: user accounts with extensive access to a system.

The user is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities. Usernames must be unique to each individual user. Usernames are sometimes based on some combination of the user's first, middle, and last name and often include numbers as well. In other cases, usernames are based on a series of characters from a semirandom selection process that is designed to deter attacks based on easily guessing valid usernames.

The first step in privilege management is that no user should be allowed to create their own account. The administrator then can assign specific permissions to that user. This determines what files the user can access, which programs they can execute, and so on. Rights define the actions a user can perform on the system itself, for example changing the time, adjusting auditing levels, and so on.

The administrator account under Windows and the root account under UNIX are special accounts, also known as the superuser accounts. If something can be done on the system, the superuser has the power to do it. These accounts are not typically assigned to a specific individual and are often shared among selected individuals in an organization. Another account to be aware of on Windows systems is the SYSTEM account, since it functions much like a superuser account. Because of the power possessed by the superuser accounts, and the few, if any, restrictions placed on them, they must be protected with strong passwords that are not easily guessed or obtained. These accounts are also the most common targets of attackers: if an attacker can gain root access or assume the privilege level associated with the root account, she can bypass most access controls and accomplish anything she wants on that system.

Windows 2008 Server Users

Exam Tip: A username is a unique alphanumeric identifier used to identify a user to a computer system. Permissions control what a user is allowed to do with objects on a computer system: what files they can open, what printers they can use, and so on. In Windows security models, permissions define the actions a user can perform on an object (open a file, delete a folder, and so on). Rights define the actions a user can perform on the system itself, such as change the time, adjust auditing levels, and so on. Rights are typically applied to operating-system-level tasks.

Group
A collection of users with some common criteria
A group is a collection of users with some common criteria, such as a need for access to a particular dataset or group of applications. A group can consist of one user or hundreds of users, and each user can belong to one or more groups. By assigning membership in a specific group to a user, you make it much easier to control that user's access and privileges. This is because once a group is assigned permissions to access a particular resource, adding a new user to that group will automatically allow that user to access that resource. In effect, the user inherits the permissions of the group as soon as she is placed in that group. Some operating systems, such as Windows, have built-in groups, that is, groups that are already defined within the operating system, such as Administrators, Power Users, and Everyone. The whole concept of groups revolves around making the tasks of assigning and managing permissions easier, and built-in groups certainly help to make these tasks easier.

Windows Server 2008 Group Management

Role
Synonymous with a job or set of functions
Example: securityadmin in Microsoft SQL Server

Under a role, access is granted or denied based on a person's job or function within the organization. For example, the role of securityadmin in Microsoft SQL Server may be applied to someone who is responsible for creating and managing logins, reading error logs, and auditing the application. For simplicity and efficiency, rights and privileges can be assigned to the role securityadmin, and anyone assigned to fulfill that role automatically has the correct rights and privileges to perform the required tasks.

Password Policy Components

Password construction
Reuse restrictions
Duration
Protection of passwords
Consequences

Security+ Objectives 2.4f, 3.6d, 5.3b
Exam Tip: A password policy is a set of rules designed to enhance computer security by requiring users to employ and maintain strong passwords. A domain password policy is a password policy that applies to a specific domain.

A password policy is a set of rules designed to enhance computer security by requiring users to employ and maintain strong passwords. To help users select a good, difficult-to-guess password, most organizations implement and enforce a password policy, which typically has the following components:

Password construction: how many characters a password should have; the use of capitalization, numbers, and special characters; not basing the password on a dictionary word or personal information; not making the password a slight modification of an existing password; and so on.
Reuse restrictions: whether or not passwords can be reused, and, if so, with what frequency (how many different passwords must you use before you can use one you've used before).
Duration: the minimum and maximum number of days a password can be used before it can be changed or must be changed.
Protection of passwords: not writing down passwords where others can find them, not saving passwords and not allowing automated logins, not sharing passwords with other users, and so on.
Consequences: the repercussions associated with violation of or noncompliance with the policy.

For more information on password policies, visit Sans.org and type "password policy" into the search box.

Password Policy Options
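As an added example (not part of the chapter), the construction, reuse and duration components above turned into a checker, using the rules the Domain Password Policy Elements slide spells out: minimum length, three of four character groups, password history, and minimum and maximum password age. The policy values, account and passwords are constructed.

```python
"""Added example (not from the chapter): a checker for the password policy
components (construction, reuse restrictions, duration) using the domain
policy elements: minimum length, three of four character groups, password
history, minimum and maximum password age. Values below are constructed."""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import string


@dataclass
class DomainPasswordPolicy:
    enforce_password_history: int = 24   # how many old passwords are remembered
    maximum_password_age: int = 90       # days before a change is required
    minimum_password_age: int = 1        # days before another change is allowed
    minimum_password_length: int = 8
    complexity_required: bool = True


@dataclass
class Account:
    username: str
    last_change: date
    history: list = field(default_factory=list)  # fingerprints, newest last


def _fingerprint(password):
    # History keeps a one-way hash, never the old passwords themselves.
    return hashlib.sha256(password.encode()).hexdigest()


def new_account(username, current_password, changed_on):
    acct = Account(username, date.fromisoformat(changed_on))
    acct.history.append(_fingerprint(current_password))
    return acct


def character_groups(password):
    """Count which of the four groups are present: upper, lower, digit, other."""
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    ])


def check_construction(policy, password):
    """Length and complexity rules; returns the list of violations."""
    problems = []
    if len(password) < policy.minimum_password_length:
        problems.append("shorter than minimum length")
    if policy.complexity_required and character_groups(password) < 3:
        problems.append("fewer than three of four character groups")
    return problems


def must_change(policy, account, today):
    """Maximum password age: True once the current password has expired."""
    age = (date.fromisoformat(today) - account.last_change).days
    return age >= policy.maximum_password_age


def change_password(policy, account, new_password, today):
    """Apply every rule to a change request; the change is recorded only if
    the returned list of violations is empty."""
    when = date.fromisoformat(today)
    problems = check_construction(policy, new_password)
    if (when - account.last_change).days < policy.minimum_password_age:
        problems.append("minimum password age not reached")
    remembered = account.history[-policy.enforce_password_history:]
    if _fingerprint(new_password) in remembered:
        problems.append("password reused from history")
    if not problems:
        account.history.append(_fingerprint(new_password))
        account.last_change = when
    return problems
```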
Domain Password Policy Elements

Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption

Domains are logical groups of computers that share a central directory database. The Active Directory database is an example of such a directory database for recent Windows operating systems. The database contains information about the user accounts and security information for all resources identified within the domain. A domain password policy is a password policy for a specific domain. Since these policies are usually associated with the Windows operating system, a domain password policy is implemented and enforced on the domain controller, which is a computer that responds to security authentication requests, such as logging in to a computer, for a Windows domain. The domain password policy usually falls under a group policy object and has the following elements:

Enforce password history: tells the system how many passwords to remember and does not allow a user to reuse an old password.
Maximum password age: specifies the number of days a password may be used before it must be changed.
Minimum password age: specifies the number of days a password must be used before it can be changed again.
Minimum password length: specifies the minimum number of characters that must be used in a password.
Password must meet complexity requirements: the password must meet the minimum length requirement and have characters from at least three of the following four groups: English uppercase characters (A through Z), English lowercase characters (a through z), numerals (0 through 9), and nonalphabetic characters (such as !, $, #, %).
Store passwords using reversible encryption: a form of encryption that can easily be decrypted and is essentially the same as storing a plaintext version of the password (because it is so easy to reverse the encryption and get the password). This should be used only when applications use protocols that require the user's password for authentication (such as Challenge-Handshake Authentication Protocol, or CHAP).

Single Sign-On

Single sign-on (SSO) is an authentication process in which the user can enter a single username and password and then be able to move from application to application or resource to resource without having to supply further authentication information.

Exam Tip: The Security+ exam will very likely contain questions regarding single sign-on because it is such a prevalent topic and a very common approach to multisystem authentication.

Invariably, users will forget the passwords they chose for infrequently accessed systems, which creates more work for system administrators who must assist users with password changes or password recovery efforts. To make remembering passwords easier, administrators utilize a technology called single sign-on. To put it simply, single sign-on (SSO) allows a user to supply the right username and password once and have access to all the applications and data needed, without having to log in multiple times and remember many different passwords. From a user standpoint, SSO means you need to remember only one username and one password. From a security standpoint, single sign-on users are more likely to choose a complex password since they will only have to remember a single password. The figure at the bottom of the slide depicts the two-step single sign-on process:

1. The user signs in once, providing a username and password to the SSO server.
2. The SSO server provides authentication information to any resource the user accesses during that session. The server interfaces with the other applications and systems; the user does not need to log into each system individually.

To be effective and useful, all your applications need to be able to access and use the authentication provided by the SSO process. If your network, like most, contains different operating systems, custom applications, and a diverse user base, SSO may not be a viable option.

Time of Day Restrictions
Control certain users, groups, or even roles and limit access to certain resources to specific days and times.
Usually specified for individual accounts.
Serves as a mechanism to enforce internal controls of critical or sensitive resources.
Drawback of time of day restrictions: a user can't go to work outside of normal hours to catch up with work tasks.

Security+ Objective 5.2r

Setting Logon Hours

The figure in this slide shows access round the clock, 24/7. This may be inappropriate for certain situations. This type of capability might be used by a bank, for example. The administrator may implement time of day restrictions on the accounts of bank tellers so that they may be logged in only from 8 A.M. to 6 P.M. Monday through Saturday. If a teller attempts to log in outside the allowed hours, he is denied access even if he supplies the proper authentication credentials. If a teller is logged in when his allowable login time expires, the system can be configured to forcibly disconnect the teller or just warn the teller that his login hours have passed but still allow him to remain logged in. Be careful implementing time of day restrictions. Some operating systems give you the option of disconnecting users as soon as their allowed login time expires regardless of what the user is doing at the time. The more commonly used approach is to allow currently logged-in users to stay connected but reject any login attempts that occur outside of allowed hours.

Tokens

Token: an authentication factor that typically takes the form of a physical or logical entity that the user must be in possession of to access their account or certain resources.
Physical tokens: Common Access Cards (CACs), USB tokens, smart cards, and PC cards.
Software tokens: stored symmetric keys, or asymmetric cryptography used with a PIN.

Security+ Objective 5.2e

Usernames and passwords are something you know (which can be used by anyone else that knows or discovers the information). A more secure method of authentication is to combine the something you know with something you have. In some systems the token is a constantly changing number sequence. The ever-changing sequence of numbers is synchronized to a remote server such that when the user enters the correct username, password, and matching sequence of numbers, they are allowed to log in. This is so that even if an attacker obtains the username and password, the attacker cannot log in without the matching sequence of numbers.

Token Authenticator from Blizzard Entertainment
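An added example, not from the chapter: a login check that needs both the password (something you know) and the token's synchronized number sequence (something you have). The sequence is generated with the HMAC-based TOTP construction (RFC 6238), which is one way to realize what the slide describes rather than anything the slide specifies; the user record and shared secret are constructed.

```python
"""Added example (not from the chapter): a login that requires something you
know (password) and something you have (a token code synchronized with the
server). The code is derived with the HMAC-based TOTP construction (RFC 6238),
one way to realize the changing number sequence the slide describes; the user
record and shared secrets are constructed for this example."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token and server both advance every 30 seconds
DIGITS = 6


def totp_code(secret, unix_time, step=STEP_SECONDS):
    """The code shown by the token for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)     # 8-byte big-endian counter
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _password_hash(salt, password):
    # Simplified for the example; a real system uses a purpose-built password hash.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user record: salted password hash plus the token's shared secret.
USERS = {
    "teller01": {
        "salt": b"constructed-salt",
        "pw_hash": _password_hash(b"constructed-salt", "Teller#2024"),
        "token_secret": b"12345678901234567890",   # RFC 6238 test key
    },
}


def verify_login(username, password, code, now=None, tolerance=1):
    """True only when the password AND the token code both check out; a stolen
    password alone is refused. Neighbouring time steps are accepted to absorb
    small clock drift between the token and the server."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(_password_hash(user["salt"], password), user["pw_hash"]):
        return False
    for drift in range(-tolerance, tolerance + 1):
        candidate = totp_code(user["token_secret"], now + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False
```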
Account and Password Expiration

Allows administrators to specify a period of time for which a password or an account will be active.
When an account has expired, it cannot be used unless the expiration deadline is extended.

Security+ Objective 5.3b

One of the best practices an organization can implement is to attach an expiration date to user passwords so that if an account is compromised, the time that it remains compromised is limited. In addition to password expiration, password history mechanisms should be used. The history is used to keep track of previously used passwords so that they cannot be reused. Account expiration is similar to password expiration, except that it is generally put in place because a specific account is intended for a specific purpose of limited duration. When an account has expired, it cannot be used unless the expiration deadline is extended.

Security Controls and Permissions
Permissions: control what a user is allowed to do with objects on a system.
Rights: define the actions a user can perform on the system itself.
NTFS (New Technology File System): the standard file system for Windows.

Security+ Objective 2.2d

Exam Tip: Permissions can be applied to specific users or groups to control that user's or group's ability to view, modify, access, use, or delete resources such as folders and files.

The Windows operating systems use the concepts of permissions and rights to control access to files, folders, and information resources. Folders and files are not the only things that can be safeguarded or controlled using permissions. Even access and use of peripherals, such as printers, can be controlled using permissions. When using the NTFS file system, administrators can grant users and groups permission to perform certain tasks as they relate to files, folders, and Registry keys.

Permissions for the Data Folder
The basic categories of NTFS permissions are as follows:

Full Control: a user or group can change permissions on the folder/file, take ownership if someone else owns the folder/file, delete subfolders and files, and perform actions permitted by all other NTFS folder permissions.
Modify: users or groups can view and modify files/folders and their properties, can delete and add files/folders, and can delete or add properties to a file/folder.
Read & Execute: users or groups can view the file/folder and can execute scripts and executables but cannot make any changes (files/folders are read-only).
List Folder Contents: a user or group can list only what is inside the folder (applies to folders only).
Read: users or groups can view the contents of the file/folder and the file/folder properties.
Write: users or groups can write to the file or folder.

The Windows operating system also uses user rights or privileges to determine what actions a user or group is allowed to perform or access. Examples of user rights:

Log on locally: users or groups can attempt to log onto the local system itself.
Access this computer from the network: users or groups can attempt to access this system through the network connection.
Manage auditing and security log: users or groups can view, modify, and delete auditing and security log information.

User Rights Assignment Options from Windows Local Security Settings

Security Tab Showing Printer Permissions Under Windows Vista

Access Control Lists

Routers and firewalls: an ACL is a set of rules used to control traffic flow into or out of an interface or network.
System resources: these include elements such as files and folders; an ACL lists permissions attached to an object, that is, who is allowed to view, modify, move, or delete that object.

Security+ Objective 5.2l

Access Control Lists (continued)
The figures shown display the access control list (permissions) for the Data folder on a system. The user identified as Billy Williams on the left has Read & Execute, List Folder Contents, and Read permissions, meaning this user can open the folder, see what's in the folder, and so on. In the figure on the right, user Leah Jones has only Read permissions on the same folder.

Handling Access Control (MAC, DAC, and RBAC)
Four methods for handling access control:
Mandatory access control (MAC)
Discretionary access control (DAC)
Role-based access control (RBAC)
Rule-based access control (RBAC)

Mandatory Access Control (MAC)
Restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information.
U.S. Government security labels: Top Secret, Secret, Confidential, Unclassified.
Access control and sensitivity labels are required in a MAC system.

Security+ Objective 5.2n

Exam Tip: Mandatory access control restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information.

Under a MAC system, each piece of information and every system resource (files, devices, networks, and so on) is labeled with its sensitivity level (such as Public, Engineering Private, and Jones Secret). Users are assigned a clearance level that sets the upper boundary of the information and devices that they are allowed to access. For example, if the administrator defines a file as having an Engineering Private sensitivity level, only the members of the Engineering group with access to private information currently operating at a Private sensitivity level can access that file and its contents. A file with a Public sensitivity label would be available to anyone on the system.

US Government Security Labels:

Top Secret: the highest security level that is publicly disclosed, defined as information that would cause exceptionally grave damage to national security if disclosed to the public.
Secret: the second highest level, defined as information that would cause serious damage to national security if disclosed to the public.
Confidential: the lowest level of classified information, defined as information that would damage national security if disclosed.
Unclassified: any of this information can be released to individuals without a clearance.

The access control and sensitivity labels are required in a MAC system. Labels are defined and then assigned to users and resources. Users must then operate within their assigned sensitivity and clearance levels; they don't have the option to modify their own sensitivity levels or the levels of the information resources they create. The labels work in a top-down fashion so that an individual holding a Secret clearance would have access to information at the Secret, Confidential, and Unclassified levels. An individual with a Secret clearance would not have access to Top Secret resources, as that label is above the highest level of the individual's clearance.
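An added example, not from the chapter: the MAC read decision described above as code. It assumes a label is a sensitivity level plus a set of categories, so "Engineering Private" is level Private with category Engineering, and that a clearance must dominate a label on both parts; the level orderings, files and users are constructed.

```python
"""Added example (not from the chapter): the MAC read decision. A label is
assumed to be a sensitivity level plus a set of categories, and a clearance
must dominate a label on both parts. Orderings, files and users are
constructed for the example."""
from dataclasses import dataclass, field

# Orderings from the slide, lowest to highest.
CORPORATE_LEVELS = ["Public", "Private", "Secret"]
GOVERNMENT_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)


def label(level, *categories):
    return Label(level, frozenset(categories))


class MacPolicy:
    def __init__(self, levels):
        # Rank each level so the top-down comparison is an integer comparison.
        self.rank = {name: i for i, name in enumerate(levels)}

    def dominates(self, clearance, lab):
        """True when the clearance level is at least the label's level and the
        clearance carries every category the label requires."""
        if clearance.level not in self.rank or lab.level not in self.rank:
            raise ValueError("unknown sensitivity level")
        return (self.rank[clearance.level] >= self.rank[lab.level]
                and lab.categories <= clearance.categories)


# Constructed objects and subjects built from the slide's sample labels.
# Labels are set by the administrator; users cannot change them (that is what
# makes the control mandatory), so there is deliberately no relabel function.
corporate = MacPolicy(CORPORATE_LEVELS)
FILES = {
    "readme.txt": label("Public"),
    "design.doc": label("Private", "Engineering"),
    "jones.doc": label("Secret", "Jones"),
}
USERS = {
    "alice": label("Private", "Engineering"),          # engineer cleared to Private
    "bob": label("Private", "Sales"),                  # Private, but not Engineering
    "carol": label("Secret", "Engineering", "Jones"),
    "dave": label("Public"),
}


def can_read(username, filename):
    return corporate.dominates(USERS[username], FILES[filename])


def readable_files(username):
    """Every file the user's clearance dominates, in name order."""
    return sorted(name for name in FILES if can_read(username, name))
```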
Discretionary Access Control (DAC)

Restricts access based on the user's identity or group membership.
Most common access control system.
Commonly used in both UNIX and Windows operating systems.
The discretionary part of DAC means that a file or resource owner has the ability to change the permissions on that file or resource.

Security+ Objective 5.2o

Exam Tip: Discretionary access control restricts access based on the user's identity or group membership. Remember that under the discretionary model, the file's owner can change the file's permissions any time they want.
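An added example, not from the chapter, combining the NTFS permission categories, the Data folder ACL figures (Billy Williams and Leah Jones) and the DAC rule that only the owner may change permissions. The mapping of each category to concrete actions follows the slide descriptions; the users, groups and ACL are constructed.

```python
"""Added example (not from the chapter): a discretionary access control check
over an NTFS-style ACL modelled on the Data folder figures. Each basic
category is expanded into the actions the slide says it grants, user and group
entries are combined, and only the owner (or a holder of Full Control) may
edit the ACL. Users, groups and the ACL are constructed."""

# Concrete actions granted by each basic category, per the slide descriptions.
BASIC_PERMISSIONS = {
    "Read": {"read", "read_attributes"},
    "List Folder Contents": {"list"},
    "Read & Execute": {"read", "read_attributes", "list", "execute"},
    "Write": {"write"},
    "Modify": {"read", "read_attributes", "list", "execute", "write", "delete"},
    "Full Control": {"read", "read_attributes", "list", "execute", "write",
                     "delete", "change_permissions", "take_ownership"},
}


class SecuredObject:
    def __init__(self, name, owner, acl):
        self.name = name
        self.owner = owner
        self.acl = {p: set(b) for p, b in acl.items()}   # principal -> categories

    def effective_actions(self, user, groups):
        """Union of what the user's own entry and each group entry allow."""
        actions = set()
        for principal in [user, *groups]:
            for category in self.acl.get(principal, ()):
                actions |= BASIC_PERMISSIONS[category]
        return actions

    def allowed(self, user, groups, action):
        return action in self.effective_actions(user, groups)

    def set_permissions(self, actor, actor_groups, principal, categories):
        """The discretionary part: the owner decides who gets what."""
        if actor != self.owner and not self.allowed(actor, actor_groups, "change_permissions"):
            raise PermissionError(f"{actor} may not change permissions on {self.name}")
        unknown = set(categories) - set(BASIC_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        self.acl[principal] = set(categories)


# Constructed to mirror the figures: Billy Williams has Read & Execute, List
# Folder Contents and Read; Leah Jones has Read only; an administrator owns it.
GROUPS = {"bwilliams": {"Users"}, "ljones": {"Users"}, "admin": {"Administrators"}}
DATA_FOLDER = SecuredObject("Data", owner="admin", acl={
    "admin": {"Full Control"},
    "bwilliams": {"Read & Execute", "List Folder Contents", "Read"},
    "ljones": {"Read"},
})


def can(user, action, obj=DATA_FOLDER):
    return obj.allowed(user, GROUPS.get(user, set()), action)


def try_set_permissions(actor, principal, categories, obj=DATA_FOLDER):
    """True if the actor was allowed to change the ACL, False if refused."""
    try:
        obj.set_permissions(actor, GROUPS.get(actor, set()), principal, categories)
        return True
    except PermissionError:
        return False
```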
Role-Based Access Control (RBAC)

Role-based access control (RBAC) is the process of managing access and privileges based on the user's assigned roles.
The access control model that most closely resembles an organization's structure.

Security+ Objective 5.2p

Exam Tip: Role-based and rule-based access control are both abbreviated as RBAC, so don't get the two confused. Role-based focuses on the user's role (administrator, backup operator, and so on). Rule-based focuses on predefined criteria such as time of day (users can only log in between 8 A.M. and 6 P.M.) or type of network traffic (web traffic is allowed to leave the organization).

Role-based focuses on the user's role (administrator, backup operator, and so on). When a role is assigned to a specific user, the user gets all the rights and privileges assigned to that role.

Rule-Based Access Control (RBAC)
Access is either allowed or denied based on a set of predefined rules.

Security+ Objective 5.2p

Exam Tip: The Security+ exam will very likely expect you to be able to differentiate between the four major forms of access control discussed here: mandatory access control, discretionary access control, role-based access control, and rule-based access control.

Rule-based focuses on predefined criteria such as time of day (users can only log in between 8 A.M. and 6 P.M.) or type of network traffic (web traffic is allowed to leave the organization). A good example is permitted logon hours. Many operating systems give administrators the ability to control the hours during which users can log in. For example, a bank may allow its employees to log in only between the hours of 8 A.M. and 6 P.M. Monday through Saturday. If a user attempts to log in during these hours, the rule will allow the user to attempt the login. If a user attempts to log in outside of these hours, 3 A.M. on Sunday for example, then the rule will reject the login attempt whether or not the user supplies valid login credentials.

Chapter Summary

Identify the differences among user, group, and role management.
Implement password and domain password policies.
Describe methods of account management (SSO, time of day, logical token, account expiration).
Describe methods of access management (MAC, DAC, and RBAC).
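An added example, not from the chapter, for the Time of Day Restrictions, Role-Based and Rule-Based Access Control slides above, using the chapter's bank scenario: permissions hang off roles, and a logon-hours rule (8 A.M. to 6 P.M., Monday through Saturday for tellers) decides whether a login attempt is accepted at all, regardless of credentials. Roles, users and windows are constructed.

```python
"""Added example (not from the chapter): role-based permissions plus a
rule-based logon-hours check from the bank scenario. Roles, users and
windows are constructed for the example."""
from datetime import datetime, time

# Role-based: permissions are attached to roles, never to individual users.
ROLE_PERMISSIONS = {
    "teller": {"view_balance", "post_deposit", "post_withdrawal"},
    "branch_manager": {"view_balance", "approve_loan", "override_limit"},
    "securityadmin": {"create_login", "manage_login", "read_error_log", "audit"},
}
USER_ROLES = {
    "teller01": {"teller"},
    "mgr01": {"branch_manager", "teller"},
    "secadm": {"securityadmin"},
}

# Rule-based: logon hours per role as (allowed weekdays, start, end);
# weekday() numbers Monday as 0 and Sunday as 6. Roles without a rule are
# not restricted by hours.
LOGON_HOURS = {
    "teller": (set(range(0, 6)), time(8, 0), time(18, 0)),
    "branch_manager": (set(range(0, 7)), time(6, 0), time(22, 0)),
}


def permissions_for(user):
    """Everything the user's roles grant; an unknown user gets nothing."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def has_permission(user, permission):
    return permission in permissions_for(user)


def logon_allowed(user, when):
    """Accept a login attempt at ISO time `when` if any of the user's roles
    has a window covering it. The rule is evaluated before credentials, so a
    valid password outside the window still fails."""
    moment = datetime.fromisoformat(when)
    roles = USER_ROLES.get(user, set())
    if not roles:
        return False
    for role in roles:
        rule = LOGON_HOURS.get(role)
        if rule is None:
            return True
        days, start, end = rule
        if moment.weekday() in days and start <= moment.time() < end:
            return True
    return False


def session_action(user, when, disconnect_on_expiry=False):
    """For a user already logged in when hours run out: some systems
    disconnect immediately; the more common choice is to warn and let the
    session continue while refusing new logins."""
    if logon_allowed(user, when):
        return "continue"
    return "disconnect" if disconnect_on_expiry else "warn"
```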