COMP3123 Internet Security
Richard Henson, University of Worcester, October 2011

Week 5: Access Control with Audit & Monitoring: Security through “Group Policies”
• Objectives:
  • Explain the purpose of network “controls”
  • Explain how a Group Policy Object (GPO) can be used to efficiently control network users via the local computer’s registry
  • Implement an agreed GPO for users on an actual network
  • Explain information auditing and how it is vital for network troubleshooting and accountability
Implementation of Security Policy on/through the network
• Policies are necessary for organisations to put their business goals into practice
• For ANY policy to be effective, it needs to be broken down into a series of rules or “controls”
  • these need to be enforced at an operational level
• A well-designed network operating system is the ultimate “controller”
  • should be ideally positioned for putting information security policy into practice

Windows, Information Security, and Group Policies
• Breaking down a high level Information Security Policy…
  • needs to be “operationalised”
  • or broken down into a series of actions
  • these actions can be written in such a way as to become group policy settings
• The Group Policy Objects will then be an implementation at operational level of most of the strategic level policy statement
Control of Users
• Network can never be completely controlled by the operating system & group policy objects
• Users granted network access via permissions and rights:
  • Permissions granted to a user/group of users to give a level of access to network resources
    • e.g. writing to a folder, accessing a printer
  • Rights granted to users so they can interact with aspects of the network environment
    • e.g. change system date/time, update device drivers
• In practice, users exercise free will…

Policy, Network Users, and Accountability
• IF properly planned and used, Group Policy objects will allow organisational network users to have:
  • sufficient access to resources to do their job
  • no access to the parts of the network they don’t need to do their job
• The network should also be able to monitor itself for signs of illegal activity
  • and identify which user is responsible…
  • user IDs & audit logs allow this to be achieved
Windows Networking & Policy Objects
• Very many network settings available & resource access can be controlled/audited
  • User: settings data held on own policy file
  • Group of users: data held on the group policy file
• Networks often have many users…
  • best way to put controls into practice is through effective use of Group Policy Objects
• Organisation needs to identify the groups
  • then allocate users to groups according to their network needs (no guesswork!)

Group Policy Objects (GPOs) and The Registry
• Customised files of data that can overwrite part of the user’s computer’s registry (!)
  • stored with supporting files (e.g. .msi) on domain controllers - shared folder: SYSVOL
• GPOs contain a large number of policy settings
  • files kept on domain controller
  • downloaded and overwrite client computer registry:
    • when computer is booted up (computer/system policy)
    • when user logs on (user/group policy)

Applying Computer Policies to the Local Registry
• Happens during system initialisation
• Control:
  • Operating system
  • Applications
  • Start-up and shutdown scripts
• Focus on HKEY_LOCAL_MACHINE
  • all hardware configured
  • presents the logon screen

Applying User Policies
• Applied at login
• Control:
  • desktop settings
  • application settings
  • folder redirection
  • user logon and logoff scripts
• Focus on HKEY_CURRENT_USER
• Used to apply a configuration to a specific group of users – wherever they log on
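The two slides above describe policy arriving in the registry in two scopes: computer policy into HKEY_LOCAL_MACHINE at boot, user policy into HKEY_CURRENT_USER at logon. The following PowerShell is an added example, not part of the lecture, that makes this visible on a real machine by listing every value Group Policy has written under the standard “Policies” keys of each hive and labelling it with the scope the hive implies. It assumes the two conventional policy roots per hive (SOFTWARE\Policies and SOFTWARE\Microsoft\Windows\CurrentVersion\Policies); the function name Get-PolicyRegistrySettings is my own. It is read-only.

```powershell
# Added example (not lecture code): list registry values written by Group Policy,
# tagged as computer-scope (HKLM, applied at boot) or user-scope (HKCU, applied at logon).
# Nothing is modified; the script only reads the policy keys.

function Get-PolicyRegistrySettings {
    param(
        # Standard locations that Administrative Template settings are written to (assumption:
        # the default roots; a locked-down build may add others).
        [string[]]$PolicyRoots = @(
            'HKLM:\SOFTWARE\Policies',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
            'HKCU:\SOFTWARE\Policies',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
        )
    )

    foreach ($root in $PolicyRoots) {
        # An absent key simply means no policy of that kind has been applied here.
        if (-not (Test-Path $root)) { continue }

        # The hive decides the scope, exactly as the slides describe.
        $scope = if ($root -like 'HKLM:*') { 'Computer (applied at boot)' } else { 'User (applied at logon)' }

        # The root key itself plus every subkey beneath it, one record per value.
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Scope = $scope
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# Usage: show which settings on this machine are policy-controlled, grouped by scope.
Get-PolicyRegistrySettings |
    Sort-Object Scope, Key, Value |
    Format-Table -AutoSize -Wrap
```

Run it once before and once after `gpupdate /force` (or after a domain logon) to watch the user-scope entries appear; `gpresult /r` names the GPOs that were applied, while this listing shows the registry values they left behind, which is what the applications actually read.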
Local Security Policy
• This week’s practical will show the scope for setting security policy on a local machine:
  • many different local settings
  • policy put into action by overwriting local registry settings during system initialisation
• Production of policy files:
  • Windows (from 2000 onwards) provides templates for quick production of local security policy settings
    • readily editable…
  • also possible to produce a new template from scratch

The Policy Settings…
• 600 in all, including:
  • accounts policies
  • local policies
  • PKI policies
  • IP security policies
• Combination of user policies, computer policies, and group policies can provide very effective control (or “controls”)

Active Directory Group Policy
• Very useful for implementing the same security controls on multiple computers:
  • individually
  • across a domain
  • across a site (“forest” of domains)
• In each case, the local registry settings are overwritten by a copy of the group policy object
Configuration of Group Policies
• Can be managed from the Active Directory Sites and Services “snap-in”
• consist (usually) of modified template files
  • held within Active Directory
  • downloaded to local computers when users who are part of that group (and therefore group policy) log on to the domain
Log on, configuration and Group Policies
• When a user logs on:
  • registry settings have already been set once from local policy (at boot up)
  • They could log on locally or to the network
• Assuming network (domain) logon…
  • logon information compared with Active Directory store
  • assuming that user account/password pair are valid…
    • appropriate policy file(s) for that user downloaded from the Active Directory
    • overwrite (some) existing settings

Site Policies
• Can be applied across domain trees
  • to a whole domain forest!
• Should only be applied regarding issues relating to
  • physical locations of users
  • physical locations of computers
• Therefore, shouldn’t be used very often…

Domain Policies
• The domain is the primary place where group policies for the organisation should be implemented
• Example:
  • Security policy document that lays down specific user login requirements for all users
  • Should be applied as a domain policy
• At operational level…
  • user logs onto domain
  • domain sets controls and auditing based on that userID

Settings that can ONLY be set by Group Policies
• Certain settings CANNOT be changed by domain users!!!
  • Event logs
  • Restricted groups
  • System services
  • Registry
  • File system
  • Shares & Folder redirection
Account Administration and Accountability
• Each user is responsible for all events that happen on the network associated with their userID (username)
• To assist users with responsible use of network resources, all aspects of user activity need to be audited or at least monitored
  • monitored: use of alerts to flag abnormal events e.g. attempted illegal access
  • audited: details of user activity and effects written to a .log text file
Access Control Models
• Centralised
  • all administrative tasks take place at a very small number of central locations, regardless of where the resource is held
  • uses centralised authentication, authorisation, and security management servers
• De-centralised
  • admin tasks all done on individual systems
  • effects and control of resource are at least logically local
    • physical control of system could still be remote e.g. via group policy objects overwriting registry settings

Roles associated with Information Management & Security
• Senior Management
  • ultimate responsibility for maintaining information security of organisational data…
• Designated Information Security Officer/Manager
  • responsible for maintaining the security of the organisation’s information systems
• Owner (of data)
  • assigns permissions to data depending on sensitivity and value to the organisation
More Roles associated with Security of Organisational Data
• Custodian
  • assigns permissions to data objects using organisational security infrastructure
• User
  • performs work tasks in accordance with organisational information security policy
• Auditor
  • monitors environment for security compliance and violation
“Principle of Least Privilege” and combating Collusion
• Principle of least privilege can be applied to administrators
  • no one administrator should have sweeping powers…
• This means an administrator can only cause widespread damage through “collusion”
  • “the act of convincing others to participate in unethical, security-compromising, and possibly illegal activity”
• In the interests of security, organisations must take strong steps to prevent collusion…

Auditing & Monitoring
• Gathering information to check what is/was going on…
  • auditing - digital information environment
  • monitoring - the physical environment
• Purpose – relating to IS policy:
  • verify compliance
  • detect intrusions & policy violations…
Functional Control types that can be set by Group Policy
• Directive
  • guidance - how to comply e.g. EU Directives
• Preventative
  • prevent or discourage violations (e.g. of policy)
• Detective
  • detect violations e.g. intrusion detection systems
• Corrective
  • detect & put system back to previous state
• Recovery
  • more extensive version of “corrective”; restores state

Security (Internal) Auditing
• Testing procedures devised to ensure compliance with policy
  • at operations level, the mechanism for putting procedures into practice
  • should be consistent
  • should take place on a regular basis…
• Goal:
  • problem identification
  • problem resolution
  • minimise risk
  • prevent reoccurrence
  • prevent system downtime
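The “Local Security Policy” and “Domain Policies” slides talk about a policy document that lays down login requirements, and this slide says internal auditing is the procedure that checks compliance with it on a regular basis. As an added example, not lecture code, the PowerShell below turns that into a repeatable check: it exports the effective local security policy with `secedit /export /cfg`, parses the INF that secedit writes (account policy lives under `[System Access]`, audit policy under `[Event Audit]`), and compares the values with a baseline. The baseline numbers are constructed stand-ins for whatever the organisation’s policy document says; the function names ConvertFrom-SeceditInf and Test-PolicyCompliance are my own. Where secedit is unavailable (or the export is refused because the shell is not elevated) the script falls back to a constructed sample export so the check itself can still be run and read.

```powershell
# Added example (not lecture code): an internal-audit check comparing the local security
# policy against a written baseline. Baseline values are CONSTRUCTED for illustration.

function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    # Returns section -> key -> value, e.g. $p['System Access']['MinimumPasswordLength'] -> '7'
    $result  = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }     # blank or comment line
        if ($line -match '^\[(.+)\]$') {                             # [Section] header
            $section = $Matches[1]
            $result[$section] = @{}
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {     # Key = Value
            $result[$section][$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    return $result
}

function Test-PolicyCompliance {
    param(
        [hashtable]$Policy,     # output of ConvertFrom-SeceditInf
        [hashtable]$Baseline    # section -> key -> @{ Min = n } (at least) or @{ Equals = n } (exact)
    )
    foreach ($section in $Baseline.Keys) {
        foreach ($key in $Baseline[$section].Keys) {
            $rule   = $Baseline[$section][$key]
            $actual = if ($Policy.ContainsKey($section)) { $Policy[$section][$key] } else { $null }
            $required = if ($rule.ContainsKey('Min')) { ">= $($rule.Min)" } else { "= $($rule.Equals)" }
            $ok = if ($null -eq $actual)            { $false }                    # setting missing = fail
                  elseif ($rule.ContainsKey('Min')) { [int]$actual -ge $rule.Min }
                  else                              { [int]$actual -eq $rule.Equals }
            [pscustomobject]@{
                Setting   = "$section/$key"
                Required  = $required
                Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
                Compliant = $ok
            }
        }
    }
}

# CONSTRUCTED baseline standing in for the policy document's login requirements.
# Audit values use secedit's encoding: 0 none, 1 success, 2 failure, 3 both.
$baseline = @{
    'System Access' = @{
        MinimumPasswordLength = @{ Min = 12 }
        PasswordComplexity    = @{ Equals = 1 }
        LockoutBadCount       = @{ Min = 1 }      # 0 means accounts never lock out
    }
    'Event Audit' = @{
        AuditLogonEvents   = @{ Equals = 3 }      # needed for the logon-failure monitoring slides
        AuditAccountManage = @{ Equals = 3 }
    }
}

# Live export when possible (needs an elevated shell on Windows); otherwise a CONSTRUCTED sample.
$inf   = Join-Path ([IO.Path]::GetTempPath()) 'secpol-export.inf'
$lines = $null
if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    secedit /export /cfg $inf | Out-Null
    if (Test-Path $inf) { $lines = Get-Content $inf }
}
if (-not $lines) {
    $lines = @'
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 2
AuditAccountManage = 3
'@ -split "`r?`n"
}

$report = Test-PolicyCompliance -Policy (ConvertFrom-SeceditInf $lines) -Baseline $baseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Local security policy does not meet the baseline; see the Compliant column.'
}
```

With the constructed sample the report flags three failures (password length 7 against 12, no lockout threshold, and logon auditing recording failures only), which is the kind of finding the audit is meant to surface. Scheduled to run regularly and keep its output, the same script gives the “consistent, regular” audit the slide asks for, and on a domain member it also reveals whether the domain policy has actually reached the machine.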
Physical Auditing Tools
• CCTV
  • physical environment monitoring
  • someone needs to physically look at the recorded video
• Keystroke monitoring
  • check for abuse or impersonations
• Dumpster diving
  • checking litter bins, etc.

System Auditing Tools
• Traffic/Trend Analysis
  • watching for communication patterns…
  • reveals user ID, data volumes & sending times
  • can detect covert channels
• Event monitoring/auditing
  • events monitored and type of monitoring controlled through group policies
  • operating system provides a record by saving details to audit logs
• Real time analysis
  • on the look out for particular events
  • sends “alerts” when such events have been detected

Useful Auditing Tools
• Intrusion Detection/Prevention
  • checks for (attempted) breaches of security policy
  • makes sure attempted breaches are not successful (e.g. using strong authentication, traffic filters)
• Illegal Software Monitoring
  • checking for installation of unapproved software that could make the environment insecure
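The “Account Administration and Accountability” slide distinguishes auditing (details written to a log) from monitoring (alerts on abnormal events such as attempted illegal access), and the “System Auditing Tools” slide says the operating system records policy-selected events in audit logs that real-time analysis can raise alerts from. The PowerShell below is an added example, not lecture code, that shows both halves together: it reads the Windows Security log entries that “Audit logon events” failure auditing produces (event ID 4625, “an account failed to log on”), converts each to a small record, and raises an alert for any account whose failures in the window exceed a threshold. The threshold and window are constructed defaults, the function names are my own, and the sample records used when the log cannot be read are constructed (RFC 5737 documentation addresses, invented account names).

```powershell
# Added example (not lecture code): turn Security-log audit records into monitoring alerts.
# Event 4625 is written only if failure auditing of logon events is enabled by policy.

function ConvertTo-LogonFailureRecord {
    # Flatten one 4625 event into the fields an analyst needs, via the event's XML.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']     # 2 interactive, 3 network, 10 remote interactive
            Status    = $data['Status']        # NTSTATUS code explaining the failure
        }
    }
}

function Find-FailedLogonAlerts {
    # Monitoring rule: more than $Threshold failures for one account in the window is abnormal.
    param([object[]]$Records, [int]$Threshold = 5)
    $Records | Group-Object Account | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

# Audit side: pull the last hour of logon failures (reading the Security log needs an elevated shell).
$records = @()
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    $records = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4625
            StartTime = (Get-Date).AddHours(-1)
        } -ErrorAction SilentlyContinue | ConvertTo-LogonFailureRecord)
}

# CONSTRUCTED sample when the log is unavailable: six failures for one account, one for another.
if (-not $records) {
    $now = Get-Date
    $records = @(1..6 | ForEach-Object {
        [pscustomobject]@{ Time = $now.AddMinutes(-$_); Account = 'EXAMPLE\jsmith'; Source = '192.0.2.10'; LogonType = '3'; Status = '0xc000006d' }
    })
    $records += [pscustomobject]@{ Time = $now; Account = 'EXAMPLE\abrown'; Source = '192.0.2.11'; LogonType = '2'; Status = '0xc000006d' }
}

# Monitoring side: emit one alert per account over the threshold.
$alerts = @(Find-FailedLogonAlerts -Records $records -Threshold 5)
foreach ($a in $alerts) {
    Write-Warning "ALERT: $($a.Failures) failed logons for $($a.Account) from $($a.Sources) between $($a.First) and $($a.Last)"
}
"Checked $($records.Count) failure records; $($alerts.Count) account(s) over threshold."
```

With the constructed data only EXAMPLE\jsmith is reported, which is the point of the threshold: a single mistyped password is an audit record, a burst of failures against one account is the abnormal event the slide says should trigger an alert. The same pattern extends to other policy-driven events (account lockouts, privilege use, account management) by changing the event ID and the fields extracted.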
“Ethical hacking”
• Hacking activities include…
  • war dialling
    • gathering modem dialling data
  • sniffing
    • collecting network packets
    • reading header data to produce statistical data
    • possibly reading packet payload
    • can even recreate packets with different (spoof) IP address
  • eavesdropping
    • act of listening in to communications, usually with a sniffer
  • radiation/emanation monitoring
    • detecting and reading electromagnetic signals around copper cables and other devices to gather data
  • Social Engineering/blagging
    • getting information by (deceptively) asking for it…
Ethical and Unethical hacking
• Penetration Testing – “white hat” hacking
  • trying to hack in to show the weaknesses of the system…
  • but “Black Hat” hacking could be trying the same things…
• When is it ethical?
  • when the network owner knows about it and has given permission
  • “white hat” always asks (and is sometimes even paid…)
  • white hats have professional standing and certification e.g. CEH
  • unethical hacking is often also illegal…
Detecting “Inappropriate Activities”
• Should be an “acceptable use” policy
  • clear definition of “inappropriate activities”
• Includes certain employee actions
  • may not themselves be illegal…
  • BUT may compromise system reliability or CIA or security
• Examples…
  • wasting resources
  • hosting inappropriate content
  • racial/sexual harassment
  • abusing/not respecting assigned access rights
Detecting Illegal Activities
• Fraud
  • violation of the integrity of business processes
  • may seem attractive and undetectable to the perpetrator…
  • but secure system environments can easily be designed to detect/protect against fraud
• Collusion
  • act of conspiring to commit a crime
  • in this case… to make a security violation
  • detected through detailed user monitoring
  • prevented through job separation, etc.
Careers in Information Security: Why A Degree isn’t enough…
• You need three things to give you a head start in becoming a successful Information Security Specialist:
  • theoretical knowledge (degree)
  • practical knowledge (placement)
  • professional qualifications (further evidence that you know how to apply your stuff in a non-academic environment)
• You also need to be a good communicator…
  • especially at “management level”

Getting Certified as an Information Security Professional
• Microsoft provide their own set of syllabuses and exams leading to:
  • Specialist: MCTS (pass 1-3 exams, one year’s relevant experience)
    • important to include a security-related module if you wish to follow such a career path on Microsoft networks
  • Professional: MCITP (pass 1-3 professional exams, as well as MCTS)
• Not all networks are Microsoft…
  • highly regarded security qualifications from ISC2 based on principles and not platform-specific…

Professional Bodies
• ISC2 (US/worldwide): exam only
  • SSCP
    • seven modules
    • recommended one year’s experience working with networks (placement would do…)
  • CISSP
    • eleven modules
    • two years working in the Information Security industry considered essential
• IISP (UK)
  • no exams – membership based on experience

Careers in Information Security
• At one time, only very large organisations had their own Information Security Officer/Manager
• Changing rapidly…
  • smaller organisations recognising the need to:
    • comply with legislation/regulations
    • satisfy supply chain partner expectations
  • responsibility often includes physical security and training users (minimising the “insider threat”)