� Security risks exist for all operating systems and are not new. � It is important to know the existing threats. Operating System Security � It is also important to understand the operations and the vulnerabilities of your OS. � Try to harden your OS , the morale is Chapter 9 It is easier to pick the “ low hanging fruit ” first. Lecturer: Pei-yih Ting 2 1 Operating System Security Overview Terms and Concepts � An operating system (OS) is a layer of S/W between � OS Security Terms and Concepts the hardware and user. It manages and controls � Organize System Security access to hardware components � Build-in Security Subsystems Resource Example Descriptions � System Security Principles and Practices Primary Random Access Physical memory that resides in the computer and is easily � Windows Security Design storage Memory (RAM) accessible by the processing unit. Primary storage is volatile and the contents are lost when power is removed. � UNIX and Linux Security Design Secondary Disk drives, floppy Nonvolatile storage for data. Includes both fixed and storage disk drives, removable random access and sequential storage. � System Backups CD/DVD-ROM drives, tape drives � Typical System Security Threats Processor(s) Central processing The component(s) where instructions are executed. There unit (CPU) may be several CPUs, as well as other special-purpose � Well-Known Windows Risks processors. Input / Keyboard, monitor, Any device used either to collect data from the outside world � Well-Known UNIX Risks Output printer, mouse, or to present data to the world. devices scanner � System Forensics Network Network interface Hardware device that connects the computer bus to an components card (NIC) external network using either cables or wireless connections. 3 4
OS Security Terms and Organizing System Security Concepts (cont ’ d) � If the OS is not secure, there can be no guarantee � First steps in security are identifying and that any resource managed by the OS is secure. authenticating a user � Older OS focused on ensuring data confidentiality � Typically through username/password combination � Make sure only authorized users could see sensitive data � Third step is to authorize a user for specific access � Modern OS performs four basic functions � Can be based on roles, security labels, identification, etc. � Positively identify a user � Record accesses for later auditing � Restrict access to authorized resources � OS security functionality is generally layered � Record user activity � Ensure proper communications with other computers � At least a user layer and a kernel layer and devices (sending and receiving data) � The reference monitor that intercepts and authorizes to support confidentiality, integrity, and availability requests is part of the security kernel of data � Kernel programs often have a high privilege level 5 6 Built-in Security Subsystems System Security Principles and Mechanisms and Practices � A secure OS is a result of solid planning � To make installation and use easier, modern � Security planning starts with understanding potential operating systems default to low security risks � The process of increasing the security level is called hardening � Use risk assessment to determine and rank risks � As operating systems mature, more security � Do not blindly follow “ Hardening Your Computer in 10 Easy Steps ” � Implement controls for important risks (harden the system) functionalities become built in � A control is a mechanism that limits access to an object � For example, Kerberos ships with current Windows � Test results of hardening � Identification and authentication are mainly generic, the � Implemented controls work simplest one is username/password, alternatives are � All functions are operating with the implemented controls (Access smart card or biometric device is not so restrictive) � Proper OS security implementation is more secure and � Train users to understand and use proper security controls efficient than security layers added on 7 8
Windows Security Design Windows Security (cont ’ d) � Security model differs among Window products � The AD database can be physically distributed, no � Model described here is for MS Windows server security bottlenecks or single points of failure � Built on the concept of Active Directory (AD) � Network resources (printers, computers, users, or directory objects, etc.) are grouped in domains � AD is a directory service data structure allowing easy � Domains can be hierarchically grouped into trees and forests accessing and addressing of objects across a network � Domains can form direct trust relationships with other � Objects are files, folders, shares, or printers domains � Subjects are logically grouped, users, groups, or � Access rules are specified at the domain level and computers inherited through groups and individual objects --- � Each object has a discretionary access control list easy management: An administrator (DACL) that specifies which subjects can access the � can apply group attributes to a set of objects object � only has to maintain the exceptions to the generic access permissions � AD provides the framework for specifying, storing, addressing, and querying object access information 9 10 Windows Security (cont ’ d) Windows Security (cont ’ d) � MMC is the primary interface for defining and � Access conflicts are resolved by giving priority to the most specific rule governing an object maintaining Group Policy objects. ex. If Mary is a member of the programmer group, what if Mary is granted to modify ReadMe.doc, but the programmer group is not granted. Mary retains her right to write, because the use is more specific than the group. � Access conflicts are resolved by giving priority to deny over allow ex. Continuing the above example, if the programmer group was specifically denied access to the ReadMe.doc file, Mary would not be able to access the file as long as she remains a member of the group. � Except for the above domain security, local security is specified in local security objects. � Both domain and local security object attributes are maintained by the Microsoft Management Console (MMC) 11 12
Windows Security (cont ’ d) UNIX and Linux Security Design � Using gpedit.msc to change group policy directly � Basic security is constructed around files under windows 2000 � Everything is presented as a file (files, directories, devices, processes) � Understanding file permissions is crucial � Each file has a mode field � 10 character field that specifies type of file and permissions for the owner, group, and world � Permission types are read, write, and execute � View the mode field using the ls – l filename command 13 14 15 16
System Backups Typical System Security Threats � Threats come in two forms � A backup is a complete or partial copy of the system � A subject is given more authorization to access or � Typically stored on removable media modify resources than he or she should have � Typically scheduled on a regular basis � Authorized subjects are denied access to resources � Used to recover from system problems, attacks, they should be able to use disasters, etc. � Software bugs are a common security threat � Can be a major vulnerability � Caused by sloppy programming � A portable copy of your system is easier to gain access to � Provide opportunities to attackers by leaving system in � Usually the access control does not extend to the backup an unexpected state, sometimes with high privilege � Must be very careful to protect your backups levels � Verify the media on which you copy your system � Best defense is to have well trained programmers and follow established software development methods � Backups on an old or poor quality media may not be � There are also some runtime protection environments restorable 17 18 System Security Threats (cont ’ d) System Security Threats (cont ’ d) � Impersonation or Identity Theft � Back Doors � Compromising a password gives an attacker a way to � An entry point into a program that bypasses the impersonate or hijack a user ’ s identity normal security mechanisms � Users often do not protect their passwords � Software developers often include these for easier appropriately development and testing � Insidious because audit logs can ’ t distinguish between � Can be used by developer for malicious purposes or the real user and the attacker discovered by an attacker � Defense is to teach users the importance of password � Formal testing of software should find most back doors. security 19 20
Recommend
More recommend
