1 / 38

COMP3123 Internet Security

COMP3123 Internet Security. Richard Henson University of Worcester October 2011. Week 5: Access Control with Audit & Monitoring: Security through “Group Policies”. Objectives: Explain the purpose of network “controls”

sondra
Télécharger la présentation

COMP3123 Internet Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COMP3123 Internet Security Richard Henson University of Worcester October 2011

  2. Week 5: Access Control with Audit & Monitoring: Security through “Group Policies” • Objectives: • Explain the purpose of network “controls” • Explain how a Group Policy Object (GPO) can be used to efficiently control network users via the local computer’s registry • Implement an agreed GPO for users on an actual network • Explain information auditing and how it is vital for network troubleshooting and accountability

  3. Implementation of Security Policy on/through the network • Policies are necessary for organisations to put their business goals into practice • For ANY policy to be effective, it needs to be broken down into a series of rules or “controls” • these need to be enforced at an operational level • A well-designed network operating system is the ultimate “controller” • should be ideally positioned for putting information security policy into practice

  4. Windows, Information Security, and Group Policies • Breaking down a high level Information Security Policy… • needs to be “operationalised” • or broken down into a series of actions • these actions can be written in such a way as to become group policy settings • The Group Policy Objects will then be an implementation at operational level of most of the strategic level policy statement

  5. Control of Users • Network can never be completely controlled by the operating system & group policy objects • Users granted network access via permissions and rights: • Permissions granted to a user/group of users to give a level of access to a network resources • e.g. writing to a folder, accessing a printer • Rights granted to users so they can interact with aspects of the network environment • e.g. change system date/time, update device drivers • In practice, users exercise free will…

  6. Policy, Network Users, and Accountability • IF properly planned and used, GroupPolicy objects will allow organisational network users to have: • sufficient access to resources do their job • no access to the parts of the network they don’t need to do their job • The network should also be able to monitor itself for signs of illegal activity • and identify which user is responsible… • user IDs & audit logs allow this to be achieved

  7. Windows Networking & Policy Objects • Very many network settings available & resource access can be controlled/audited • User: settings data held on own policy file • Group of users: data held on the group policy file • Networks often have many users… • best way to put controls into practice is through effective use of Group Policy Objects • Organisation needs to identify the groups • then allocate users to groups according to their network needs (no guesswork!)

  8. Group Policy Objects (GPOs) and The Registry • Customised files of data that can overwrite part of the user’s computer’s registry (!) • stored with supporting files (e.g. .msi) on domain controllers - shared folder: SYSVOL • GPOs contain a large number of policy settings • files kept on domain controller • downloaded and overwrite client computer registry: • when computer is booted up (computer/system policy) • when user logs on (user/group policy)

  9. Applying Computer Policies to the Local Registry • Happens during system initialisation • Control: • Operating system • Applications • Start-up and shutdown scripts • Focus on HKEY_LOCAL_MACHINE • all hardware configured • presents the logon screen

  10. Applying User Policies • Applied at login • Control: • desktop settings • application settings • folder redirection • user logon and logoff scripts • Focus on HKEY_CURRENT_USER • Used to apply a configuration to a specific group of users – wherever they log on

  11. Local Security Policy • This week’s practical will show the scope for setting security policy on a local machine: • many different local settings • policy put into action by overwriting local registry settings during system initialisation • Production of policy files: • Windows (from 2000 onwards) provides templates for quick production of local security policy settings • readily editable… • also possible to produce a new template from scratch

  12. The Policy Settings… • 600 in all, including: • accounts policies • local policies • PKI policies • IP security policies • Combination of user policies, computer policies, and group policies can provide very effective control (or “controls”)

  13. Active Directory Group Policy • Very useful for implementing the same security controls on multiple computers: • individually • across a domain • across a site (“forest” of domains) • In each case, the local registry settings are overwritten by a copy of the group policy object

  14. Configuration of Group Policies • Can be managed from Active Directory Services and Sites “snap-in” • consist (usually) of modified template files • held within Active Directory • downloaded to local computers when users who are part of that group (and therefore group policy) log on to the domain

  15. Log on, configuration and Group Policies • When a user logs on: • registry settings have already been set once from local policy (at boot up) • They could log on locally or to the network • Assuming network (domain) logon… • logon information compared with Active Directory store • assuming that user account/password pair are valid… • appropriate policy file(s) for that user downloaded from the Active Directory • overwrite (some) existing settings

  16. Site Policies • Can be applied across domain trees • to a whole domain forest! • Should only be applied regarding issues relating to • physical locations of users • physical locations of computers • Therefore, shouldn’t be used very often…

  17. Domain Policies • The domain is the primary place where group policies for the organisation should be implemented • Example: • Security policy document that lays down specific user login requirements for all users • Should be applied as a domain policy • At operational level… • user logs onto domain • domain sets controls and auditing based on that userID

  18. Settings that can ONLY be set by Group Policies • Certain settings CANNOT be changed by domain users!!! • Event logs • Restricted groups • System services • Registry • File system • Shares & Folder redirection

  19. Account Administration and Accountability • Each user is responsible for all events that happen on the network associated with their userID (username) • To assist users with responsible user of network resources, all aspects of user activity need to be audited or at least monitored • monitored: use of alerts to flag abnormal events e.g. attempted illegal access • audited: details of user activity and effects written to a .log text file

  20. Access Control Models • Centralised • all administrative tasks take place at a very small number of central locations, regardless of where the resource is held • uses centralised authentication, authorisation, and security management servers • De-centralised • admin tasks all done on individual systems • effects and control of resource are at least logically local • physical control of system could still be remote e.g. via group policy objects overwriting registry settings

  21. Roles associated with Information Management & Security • Senior Management • ultimate responsibility for maintaining information security of organisational data… • Designated Information Security Officer/Manager • responsible for maintaining the security of the organisation’s information systems • Owner (of data) • assigns permissions to data depending on sensitivity and value to the organisation

  22. More Roles associated with Security of Organisational Data • Custodian • assigns permissions to data objects using organisational security infrastructure • User • perform work tasks in accordance with organisational information security policy • Auditor • monitors environment for security compliance and violation

  23. “Principle of Least Privilege” and combating Collusion • Principle of least privilege can be applied to administrators • no one administrator should have sweeping powers… • This means an administrator can only cause widespread damage through “collusion” • “the act of convincing others to participate in unethical, security-compromising, and possibly illegal activity” • In the interests of security, organisations must take strong steps to prevent collusion…

  24. Auditing & Monitoring • Gathering information to check what is/was going on… • auditing - digital information environment • monitoring - the physical environment • Purpose – relating to IS policy : • verify compliance • detect intrusions & policy violations…

  25. Functional Control types that can be set by Group Policy • Directive • guidance - how to comply e.g. EU Directives • Preventative • prevent or discourage violations (e.g. of policy) • Detective • detect violations e.g. intrusion detection systems • Corrective • detect & put system back to previous state • Recovery • more extensive version of “correct”; restores state

  26. Security (Internal) Auditing • Testing procedures devised to ensure compliance with policy • at operations level, the mechanism for putting procedures into practice • should be consistent • should take place on regular basis… • Goal: • problem identification • problem resolution • minimise risk • prevent reoccurrence • prevent system downtime

  27. Physical Auditing Tools • CCTV • physical environment monitoring • someone needs to physically look at the recorded video • Keystroke monitoring • check for abuse or impersonations • Dumpster diving • checking litter bins, etc.

  28. System Auditing Tools • Traffic/Trend Analysis • watching for communication patterns… • reveals user ID, data volumes & sending times • can detect covert channels • Event monitoring/auditing • events monitored and type of monitoring controlled through group policies • operating system provides a record by saving details to audit logs • Real time analysis • on the look out for particular events • sends “alerts” when such events have been detected

  29. Useful Auditing Tools • Intrusion Detection/Prevention • checks for (attempted) breaches of security policy • makes sure attempted breaches are not successful (e.g. using strong authentication, traffic filters) • Illegal Software Monitoring • checking for installation of unapproved software that could make the environment insecure

  30. “ethical hacking” • Hacking Activities include… • war dialling” • gathering modem dialling data • sniffing • collecting network packets • reading header data to produce statistical data • possibly reading packet payload • can even recreate packets with different (spoof) IP address • eavesdropping • act of listening into communications, usually with a sniffer • radiation/emanation monitoring • detecting and reading electromagnetic signals around copper cables and other devices to gather data • Social Engineering/blagging • getting information by (deceptively) asking for it…

  31. Hacking – eg’s • war dialling” • gathering modem dialling data • sniffing • collecting network packets • reading header data to produce statistical data • possibly reading packet payload • can even recreate packets with different (spoof) IP address • eavesdropping • act of listening into communications, usually with a sniffer • radiation/emanation monitoring • detecting and reading electromagnetic signals around copper cables and other devices to gather data • Social Engineering/blagging • getting information by (deceptively) asking for it…

  32. Ethical and Unethical hacking • Penetration Testing – “white hat” hacking • trying to hack in to show the weaknesses of the system… • but “Black Hat” hacking could be trying the same things… • When is it ethical? • when the network owner knows about it and has given permission • “white hat” always asks (and is sometimes even paid…) • white hats have professional standing and certification eg CEH • unethical hacking is often also illegal…

  33. Detecting “Inappropriate Activities” • Should be an “acceptable use” policy • clear definition of “inappropriate activities” • Includes certain employee actions • may not themselves be illegal… • BUT may compromise system reliability or CIA or security • Examples… • wasting resources • hosting inappropriate content • racial/sexual harassment • abusing/not respecting assigned access rights

  34. Detecting Illegal Activities • Fraud • violation of the integrity of business processes • may seem attractive and undetected to the perpetrator… • but secure system environments easily designed to detect/protect against fraud • Collusion • act of conspiring to commit a crime • in this case… to make a security violation • detected through detailed user monitoring • prevented through job separation, etc.

  35. Careers in Information Security: Why A Degree isn’t enough… • You need three things to give you a head start in becoming a successful Information Security Specialist: • theoretical knowledge (degree) • practical knowledge (placement) • professional qualifications (further evidence that you know how to apply your stuff in a non-academic environment) • You also need to be a good communicator… • especially at “management level”

  36. Getting Certified as an Information Security Professional • Microsoft provide their own set of syllabuses and exams leading to: • Specialist: MCTS (pass 1-3 exams, one year’s relevant experience) • important to include a security-related module if you wish to follow such a career path on Microsoft networks • Professional: MCITP (pass 1-3 professional exams, as well as MCTS) • Not all networks are Microsoft… • highly regarded security qualifications from ISC2 based on principles and not platform-specific…

  37. Professional Bodies • ISC2 (US/worldwide): exam only • SSCP • seven modules • recommended one year’s experience working with networks (placement would do…) • CISSP • eleven modules • two years working in the Information Security industry considered essential • IISP (UK) • no exams – membership based on experience

  38. Careers in Information Security • At one time, only very large organisations had their own Information Security Officer/Manager • Changing rapidly… • smaller organisations recognising the need to: • comply with legislation/regulations • satisfy supply chain partner expectations • responsibility often includes physical security and training users (minimising the “insider threat”)

More Related