220 likes | 348 Views
CSCE 201 Introduction to Information Security Fall 2010 Windows XP Access Control. Reading assignments. Required: An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 17, LOGICAL ACCESS CONTROL, pages 194 - 207
E N D
CSCE 201Introduction to Information Security Fall 2010Windows XP Access Control
Reading assignments • Required: • An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 17, LOGICAL ACCESS CONTROL, pages 194 - 207 • Microsoft support, Use access control to restrict who can use your files , 2001, 2005, http://www.microsoft.com/windowsxp/using/security/learnmore/accesscontrol.mspx • Recommended: • Sudhakar Govindavajhala and Andrew W. Appel, Windows Access Control Demystied, 2006, http://www.cs.princeton.edu/~appel/papers/winval.pdf
Access Control Models All accesses Discretionary AC Mandatory AC Role-Based AC CSCE 201 - Farkas 3
Windows XP professional Product Documentation Access Control • Selecting where to apply permissions • File and Folder permissions • Permissions on a file server • Changing inherited permissions • Ownership • Explicit vs. inherited permissions • How inheritance affects file and folder permissions • Permissions and security descriptors • Permissions • Security identifiers • Take ownership of a file or folder • Best practices: Access Control • Set, view, change, or remove file and folder permissions • Effective permissions • View effective permissions for files and folders • Set, view, change, or remove special permissions for files and folders • Special permissions for files and folders
Best Practiceshttp://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true Permissions User Rights
Permissions • Apply to objects • Selecting where to apply permissions • Permission Entry for File or Folder Name • Apply onto list • Check box: Apply these permissions to objects and/or containers within this container only (Default: empty check box)
When the Apply these permissions to objects and/or containers within this container only check box is cleared When the Apply these permissions to objects and/or containers within this container only check box is cleared Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true
When the Apply these permissions to objects and/or containers within this container only check box is cleared When the Apply these permissions to objects and/or containers within this container only check box is selected Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true CSCE 201 - Farkas 8
To set, view, change, or remove special permissions for files and folder Open Windows Explorer, and then locate the file or folder for which you want to set special permissions Right-click the file or folder, click Properties, and then click the Security tab Click Advanced, and then do one of the following:
Permission Setting In the Permissions box, select or clear the appropriate Allow or Deny check box In Apply onto, select the folders or subfolders you would like these permissions to be applied to To configure security so that the subfolders and files will not inherit these permissions, clear the Apply these permissions to objects and/or containers within this container only check box Click OK and then, in Advanced Security Settings for FolderName, click OK
Permission Assignment • Assign permissions to groups rather than to users – administration • Set permission to be inheritable to child objects. • Assign Full control, if appropriate, rather than individual permissions • Deny should be used for these special cases • Exclude a subset of a group which has Allowed permissions • Exclude one special permission when you have already granted full control to a user or group
User Rights Administrators can assign specific rights to group accounts or to individual user accounts Apply to user accounts Define capabilities at the local level Can apply to individual user accounts or a group account
Group Account Members of a group automatically inherit the rights associated with that group Rights are applied to all members of the group while they remain members If a user is a member of multiple groups, the user's rights are cumulative Simplifies the task of user account administration
User Rights • Types of user rights: • Privileges: specifies allowable actions on the system, e.g., the right to back up files and directories • Logon rights: specifies the ways in which a user can log onto a system, e.g., such as the right to log on to a system remotely • In general, user rights assigned to one group do not conflict with the rights assigned to another group • Exception: Logon rights
Logon Rights • Control access to a system • Logon Rights and default settings for Windows XP Professional are available at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true • Examples: • Log on locally, Default setting: Administrators, Power Users, Users, Guest, and Backup Operators • Deny access to this computer from network, Default setting: No one • Access this computer from a network, Default setting: Administrators, Everyone, Users, Power Users, and Backup Operators
Privileges • Act as Part of the Operating System, Add Workstations to a Domain, Back Up Files and Directories, Change the System Time, Create a Token Object, Create Permanent Shared Objects, Debug Programs, Force Shutdown from a Remote System, Generate Security Audits, etc. • Some of the privileges can override permissions set on an object • E.g., the right to perform a backup, takes precedence over all file and directory permissions
Privileges, which can override permissions set on an object Take Ownership of Files or Other Object – grants WriteOwner access to an object Manage Auditing and Security Log -- provides several abilities including access to the security log, overriding access restrictions to the security log Back Up Files and Directories – grants read and write access to an object Restore Files and Directories – grants read and write access to an object Debug Programs -- grants read or open access to an object Bypass Traverse Checking -- provides the reverse access on directories
Assigning User Rights Assigned through the Local Policies node of Group Policy Log on using an administrator account Open the Active Directory Users and Computers tool Right-click the container holding the domain controller and click Properties Click the Group Policy tab, and then click Edit to edit the Default Domain Policy In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies
Assigning User Rights Select User Rights Assignment To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box Open the Security Policy Setting dialog box for the user right to be modified Select Define these policy settings to define the policy. To apply the right to a user or group, click Add In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The right can now be applied to users and groups
User Rights • Assign rights as high in the container tree as possible – administration • Apply inheritance to propagate rights through the tree • Administrators should • use an account with restrictive permissions to perform routine, non-administrative tasks • use an account with broader permissions only when performing specific administrative tasks
Next Class • Back up procedures