Application Security

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Security Strategies in Windows Platforms and Applications

Lesson 2

Access Controls in Microsoft Windows

Learning Objectives

• Implement secure access controls when setting up Microsoft Windows in a given organization.

Key Concepts

• Principle of least privilege
• Identification, authentication, and authorization of Microsoft Windows users
• Using access control lists
• Microsoft Windows access management tools

Chapter 3 Slides

Chapter 3: Access Controls in Microsoft Windows

Security Control Process

Think

Plan

Design

Implement

Evaluate

Principle of Least Privilege

Allow users to do only what is necessary

Allow users the privilege they require to complete assigned tasks

Avoids scope creep

Windows ACLs

• Each object has ACLs.
• ACLs in Active Directory are made up of lists of access control entries (ACEs).
• Each ACE defines a user or group's access privileges for an object.
• Active Directory makes it easy to distribute ACLs to many computers.

Windows Object Discretionary Access Control (DACL)

Concepts of Access Controls

• Active Directory allows you to define which users or groups can log on to groups of computers.
• Active Directory allows you to define user or group-based access control lists (ACLs).
    • Active Directory can deploy ACLs that restrict object access by user or group.
• Most applications also implement specific access controls.

Identification, Authentication, and Authorization

Identification: who are you?
• User name or identification number (ID)

Authentication: prove it
• Password
• Token
• Biometrics

Authorization: what can you do?
• Permissions and rights

Windows Security Access Token (SAT)

User Access Control

User Account Control Settings

Distributed SAT

Kerberos

Common Securable Objects

NTFS files and folders

Pipes, named or unnamed

Processes and threads

Registry keys

Windows services

Printers, local and remote

Network shares

Job objects

Windows DACLs

Object Properties Dialog Box

Basic Windows Object Permissions

DACL Advanced Security Settings

SIDs, GUIDs, and CLSIDs

• Security Identifier (SID)
    • In Windows, all users, groups, and computers have unique SIDs
• Globally Unique Identifier (GUID)
    • Distinguishes objects that may originate from different computers
    • Used to identify many different types of objects: computers, Web browsers, database records, files, and application components

SIDs, GUIDs, and CLSIDs (Cont.)

• Class Identifier (CLSID)
    • When Windows Registry uses GUIDs to identify objects and records, GUIDs are stored as CLSIDs

Special Windows Object Permissions

Common CLSIDs

Calculating Microsoft Windows Access Permissions

• Windows resolves object access requests by following this procedure:
    1. Retrieves user and group SIDs from the process's SAT.
    2. Examines all ACEs in the object's DACL for requested permission.
        a. If no DACL or ACE is defined for the requested access, Windows allows the access.

Calculating Microsoft Windows Access Permissions (Cont.)

        b. If only one ACE exists for the requested access, access is based on whether the ACE is defined as "allow" or "deny."
        c. If multiple ACEs exist for the same requested access, all ACEs must be defined as "allow" for Windows to allow the access.
    3. Returns an access approval or denial based on permissions.
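
The procedure above, exercised on a scratch file as an added PowerShell example (not part of the original slides): it lists the SIDs in the current token, places a Deny ACE with Icacls.exe, shows the ACEs that match a write request, and reports the decision Windows returns. The file name and the Deny ACE are constructed for the demo.

```powershell
# Added example: walk the three steps on a scratch file (constructed for the demo).
$path = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -Path $path -Value 'demo'

# Step 1: user and group SIDs carried in the current process's access token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
"Token carries $($tokenSids.Count) SIDs; user SID is $($identity.User.Value)"

# Add an explicit Deny ACE for Write beside the Allow ACEs the file inherited.
# A leading * tells icacls that the account is given as a SID.
icacls $path /deny "*$($identity.User.Value):(W)" | Out-Null

# Step 2: ACEs in the DACL that name a SID from the token and cover the request.
$requested = [System.Security.AccessControl.FileSystemRights]::WriteData
$sidType   = [System.Security.Principal.SecurityIdentifier]
$aces      = (Get-Acl -Path $path).GetAccessRules($true, $true, $sidType)
$aces | Where-Object {
    ($tokenSids -contains $_.IdentityReference.Value) -and
    ([int]($_.FileSystemRights -band $requested) -ne 0)
} | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited

# Step 3: the decision Windows returns for a write request against that DACL.
try {
    Add-Content -Path $path -Value 'more' -ErrorAction Stop
    'Write allowed'
} catch {
    "Write denied: $($_.Exception.Message)"
}

# The Deny ACE covers Write only, so the scratch file can still be deleted.
Remove-Item -Path $path
```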

Windows Object Effective Permissions

Auditing and Tracking Windows Access

• Auditing: The process of collecting performance information on which actions were taken and storing that information for later analysis
• First step: enable auditing
• Tells Windows to record the events that will be defined for later analysis
• Windows stores audit event notes in event logs

Local Audit Policy

Access Management Tools

Tools

Cacls.exe

Icacls.exe

Robocopy

Practices

• AGULP
    • Accounts
    • Global groups
    • Universal groups
    • Local groups
    • Permissions

Summary

• Principle of least privilege
• Identification, authentication, and authorization of Microsoft Windows users
• Using access control lists
• Microsoft Windows access management tools

Virtual Lab

• Using Access Control Lists to Modify File System Permissions on Windows Systems