Download
csce 201 introduction to information security fall 2010 windows xp access control n.
Skip this Video
Loading SlideShow in 5 Seconds..
CSCE 201 Introduction to Information Security Fall 2010 Windows XP Access Control PowerPoint Presentation
Download Presentation
CSCE 201 Introduction to Information Security Fall 2010 Windows XP Access Control

CSCE 201 Introduction to Information Security Fall 2010 Windows XP Access Control

517 Vues Download Presentation
Télécharger la présentation

CSCE 201 Introduction to Information Security Fall 2010 Windows XP Access Control

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CSCE 201Introduction to Information Security Fall 2010Windows XP Access Control

  2. Reading assignments • Required: • An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 17, LOGICAL ACCESS CONTROL, pages 194 - 207 • Microsoft support, Use access control to restrict who can use your files , 2001, 2005, http://www.microsoft.com/windowsxp/using/security/learnmore/accesscontrol.mspx • Recommended: • Sudhakar Govindavajhala and Andrew W. Appel, Windows Access Control Demystied, 2006, http://www.cs.princeton.edu/~appel/papers/winval.pdf

  3. Access Control Models All accesses Discretionary AC Mandatory AC Role-Based AC CSCE 201 - Farkas 3

  4. Windows XP professional Product Documentation Access Control • Selecting where to apply permissions • File and Folder permissions • Permissions on a file server • Changing inherited permissions • Ownership • Explicit vs. inherited permissions • How inheritance affects file and folder permissions • Permissions and security descriptors • Permissions • Security identifiers • Take ownership of a file or folder • Best practices: Access Control • Set, view, change, or remove file and folder permissions • Effective permissions • View effective permissions for files and folders • Set, view, change, or remove special permissions for files and folders • Special permissions for files and folders

  5. Best Practiceshttp://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true Permissions User Rights

  6. Permissions • Apply to objects • Selecting where to apply permissions • Permission Entry for File or Folder Name • Apply onto list • Check box: Apply these permissions to objects and/or containers within this container only (Default: empty check box)

  7. When the Apply these permissions to objects and/or containers within this container only check box is cleared When the Apply these permissions to objects and/or containers within this container only check box is cleared Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true

  8. When the Apply these permissions to objects and/or containers within this container only check box is cleared When the Apply these permissions to objects and/or containers within this container only check box is selected Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true CSCE 201 - Farkas 8

  9. To set, view, change, or remove special permissions for files and folder Open Windows Explorer, and then locate the file or folder for which you want to set special permissions  Right-click the file or folder, click Properties, and then click the Security tab Click Advanced, and then do one of the following:

  10. Advanced Setting

  11. Permission Setting In the Permissions box, select or clear the appropriate Allow or Deny check box In Apply onto, select the folders or subfolders you would like these permissions to be applied to To configure security so that the subfolders and files will not inherit these permissions, clear the Apply these permissions to objects and/or containers within this container only check box Click OK and then, in Advanced Security Settings for FolderName, click OK

  12. Permission Assignment • Assign permissions to groups rather than to users – administration • Set permission to be inheritable to child objects. • Assign Full control, if appropriate, rather than individual permissions • Deny should be used for these special cases • Exclude a subset of a group which has Allowed permissions • Exclude one special permission when you have already granted full control to a user or group

  13. User Rights Administrators can assign specific rights to group accounts or to individual user accounts Apply to user accounts Define capabilities at the local level Can apply to individual user accounts or a group account

  14. Group Account Members of a group automatically inherit the rights associated with that group Rights are applied to all members of the group while they remain members If a user is a member of multiple groups, the user's rights are cumulative Simplifies the task of user account administration

  15. User Rights • Types of user rights: • Privileges: specifies allowable actions on the system, e.g., the right to back up files and directories • Logon rights: specifies the ways in which a user can log onto a system, e.g., such as the right to log on to a system remotely • In general, user rights assigned to one group do not conflict with the rights assigned to another group • Exception: Logon rights

  16. Logon Rights • Control access to a system • Logon Rights and default settings for Windows XP Professional are available at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true • Examples: • Log on locally, Default setting: Administrators, Power Users, Users, Guest, and Backup Operators • Deny access to this computer from network, Default setting: No one • Access this computer from a network, Default setting: Administrators, Everyone, Users, Power Users, and Backup Operators

  17. Privileges • Act as Part of the Operating System, Add Workstations to a Domain, Back Up Files and Directories, Change the System Time, Create a Token Object, Create Permanent Shared Objects, Debug Programs, Force Shutdown from a Remote System, Generate Security Audits, etc. • Some of the privileges can override permissions set on an object • E.g., the right to perform a backup, takes precedence over all file and directory permissions

  18. Privileges, which can override permissions set on an object Take Ownership of Files or Other Object – grants WriteOwner access to an object Manage Auditing and Security Log -- provides several abilities including access to the security log, overriding access restrictions to the security log Back Up Files and Directories – grants read and write access to an object Restore Files and Directories – grants read and write access to an object Debug Programs -- grants read or open access to an object Bypass Traverse Checking -- provides the reverse access on directories

  19. Assigning User Rights Assigned through the Local Policies node of Group Policy Log on using an administrator account Open the Active Directory Users and Computers tool Right-click the container holding the domain controller and click Properties Click the Group Policy tab, and then click Edit to edit the Default Domain Policy In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies

  20. Assigning User Rights Select User Rights Assignment To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box Open the Security Policy Setting dialog box for the user right to be modified Select Define these policy settings to define the policy. To apply the right to a user or group, click Add In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The right can now be applied to users and groups

  21. User Rights • Assign rights as high in the container tree as possible – administration • Apply inheritance to propagate rights through the tree • Administrators should • use an account with restrictive permissions to perform routine, non-administrative tasks • use an account with broader permissions only when performing specific administrative tasks

  22. Next Class • Back up procedures