Explore diverse methods of user authentication and policy development in a heterogeneous network environment. Understand complexities and implement policies for Linux and Windows systems. Develop differing password policies for varied user groups. Empower students to make informed decisions based on practical scenarios. Implement authentication modules and domain security policies effectively. Access resources for policy development within organizations. Engage in a hands-on lab with real-world applications and scenarios to enhance cybersecurity knowledge and skills.
SIGCSE 2003 Undergraduate Cyber Security Course Projects: Password Policy in a Heterogeneous Environment
Charles Border, Ph.D.
Rochester Institute of Technology
cborder@it.rit.edu
Where did this lab come from?
• Designed for System Administrators
• Dictum: Know thy network, or perish
• Security as a process, not a product
• Need to enhance the ability of students to:
  • understand the basis for, and write, policies.
  • move from a non-technical description of a desired outcome to a technical implementation.
  • understand and anticipate the complexity inherent in even the most banal-sounding projects.
Activity Outline:
• Read scenario (good class discussion)
• Survey applications on the network (can be provided by instructor) and methods of user authentication.
• Develop an outline of policy requirements
• Modify systems to implement the policy (hands-on portion of lab)
Lab Scenario
• Developed by the instructor to give students an overview of a hypothetical, or real, organization and the technological and management issues it faces.
• Puts the lab exercise into a context and introduces real-world ambiguity.
• Empowers students to make and justify decisions based on the scenario.
Application Survey
• What applications are being used by the organization?
• Good opportunity to introduce complexity and issues related to scale.
• Do all applications handle passwords the same way?
• Allows students to conduct research and gain experience reading application documentation.
Policy Requirements
• What constitutes an effective policy?
• What resources are available to help system administrators develop usage policies?
• How should policy requirements be developed?
• What are the roles of different members of the organization in effective policy development and implementation?
General Approaches to Implementation
• Linux: use of Pluggable Authentication Modules (PAM).
• Windows 2000: use of Domain Security Policy.
• Heterogeneous: use of Windows Services for Unix (free 120-day evaluation copies available).
• Additional complexity: develop different policies for different group members, and implement them as above.
Linux
• Authentication of users is handled by PAM.
• PAM separates the authentication of users from the development of applications. It also allows local system administrators to control how users are authenticated.
• Composed of several modules.
• The system-auth configuration can be modified in many ways to customize authentication requirements.
• The cracklib module provides password strength checking by comparing proposed new passwords against a set of standards.
Cracklib Password Strength-Checker
• Linux-PAM System Administrators' Guide: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
• Compares the new password with the old one for:
  • Palindromes
  • Case change only
  • Similarity
  • Simplicity
  • Rotation
  • Already used (database located in /usr/lib/cracklib-dict.pwd)
• Details of each of the above can be the subject of a lab.
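As an added illustration for this slide (not part of the original deck and not cracklib's own code), the following Python re-implements the six checks listed above so students can watch each rule fire on a sample password change before tuning the real module; the similarity cutoff, the character-class minimums and the small word list are constructed assumptions, not cracklib's values.

```python
# Added teaching example: a simplified re-implementation of the checks the
# cracklib slide lists. Thresholds and the word list are assumptions.
from difflib import SequenceMatcher

# Constructed stand-in for the /usr/lib/cracklib-dict.pwd word list.
ALREADY_USED = {"password", "welcome1", "letmein", "qwerty"}


def is_palindrome(new):
    return len(new) > 0 and new == new[::-1]


def case_change_only(old, new):
    # Same characters, only letter case differs.
    return old.lower() == new.lower() and old != new


def is_rotation(old, new):
    # A rotation of "abcdef" is e.g. "cdefab": new is a substring of old+old.
    return len(old) == len(new) > 0 and old != new and new in old + old


def too_similar(old, new, threshold=0.5):
    # Approximates cracklib's "similar" test with a matching-character ratio;
    # 0.5 is an assumed cutoff.
    return SequenceMatcher(None, old, new).ratio() > threshold


def too_simple(new, min_len=8, min_classes=3):
    # "Simple" = too short or drawn from too few character classes (assumed).
    classes = (any(c.islower() for c in new) + any(c.isupper() for c in new)
               + any(c.isdigit() for c in new) + any(not c.isalnum() for c in new))
    return len(new) < min_len or classes < min_classes


def check_password(old, new):
    """Return the list of reasons a change is rejected (empty list = accepted)."""
    reasons = []
    if is_palindrome(new):
        reasons.append("palindrome")
    if case_change_only(old, new):
        reasons.append("case change only")
    if is_rotation(old, new):
        reasons.append("rotation")
    if too_similar(old, new):
        reasons.append("too similar")
    if too_simple(new):
        reasons.append("too simple")
    if new.lower() in ALREADY_USED:
        reasons.append("already used")
    return reasons
```

Running check_password against a few old/new pairs in class makes a good lead-in to reading the real module's documentation for the same rules.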
Windows 2000
• Win2K uses Kerberos for device authentication and for the transport of user authorization data in the Kerberos ticket.
• Making changes to many of the required characteristics of user passwords is as easy as pointing and clicking.
• Domain Security Policy
• Password Policy
MS Services for Unix
• Allows system administrators to control many characteristics of user passwords on both Win2K domains and the Unix systems within those domains.
• Unix system administration is accomplished by making the Win2K DC an NIS master server and pushing out consistent passwd and shadow files.
Additional Complexity
• Require students to do Win2K and Unix configuration from the command line.
• Require sign-offs at different parts of the lab.
• As part of the scenario, require that different groups of users within the organization have different password characteristics.
• Use packet captures to verify the hypotheses students develop about how this process will be implemented.