CSCE 201 Introduction to Information Security Fall 2010 Windows XP Access Control


Reading assignments

  • Required:

    • An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 17, LOGICAL ACCESS CONTROL, pages 194 - 207

    • Microsoft support, Use access control to restrict who can use your files , 2001, 2005, http://www.microsoft.com/windowsxp/using/security/learnmore/accesscontrol.mspx

  • Recommended:

    • Sudhakar Govindavajhala and Andrew W. Appel, Windows Access Control Demystified, 2006, http://www.cs.princeton.edu/~appel/papers/winval.pdf


Access Control Models

All accesses

Discretionary AC

Mandatory AC

Role-Based AC

CSCE 201 - Farkas



Windows XP Professional Product Documentation

Access Control

  • Selecting where to apply permissions

  • File and Folder permissions

  • Permissions on a file server

  • Changing inherited permissions

  • Ownership

  • Explicit vs. inherited permissions

  • How inheritance affects file and folder permissions

  • Permissions and security descriptors

  • Permissions

  • Security identifiers

  • Take ownership of a file or folder

  • Best practices: Access Control

  • Set, view, change, or remove file and folder permissions

  • Effective permissions

  • View effective permissions for files and folders

  • Set, view, change, or remove special permissions for files and folders

  • Special permissions for files and folders


Best Practices

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true

Permissions

User Rights


Permissions

  • Apply to objects

  • Selecting where to apply permissions

    • Permission Entry for File or Folder Name

    • Apply onto list

    • Check box: Apply these permissions to objects and/or containers within this container only (Default: empty check box)


When the Apply these permissions to objects and/or containers within this container only check box is cleared

Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true



When the Apply these permissions to objects and/or containers within this container only check box is cleared

When the Apply these permissions to objects and/or containers within this container only check box is selected

Source: XP Product Documentation, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true



To set, view, change, or remove special permissions for files and folders

Open Windows Explorer, and then locate the file or folder for which you want to set special permissions 

Right-click the file or folder, click Properties, and then click the Security tab

Click Advanced, and then do one of the following:


Advanced Setting


Permission Setting

In the Permissions box, select or clear the appropriate Allow or Deny check box

In Apply onto, select the folders or subfolders you would like these permissions to be applied to

To configure security so that the subfolders and files will not inherit these permissions, clear the Apply these permissions to objects and/or containers within this container only check box

Click OK and then, in Advanced Security Settings for FolderName, click OK
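The effect of the Apply onto choice and the check box can be worked out from the ACE inheritance flags Windows stores for each permission entry. The following is an added example, not part of the original slides; the sample folder tree and the function names are constructed for illustration.

```python
# Windows ACE inheritance flags behind the "Apply onto" list and the check box
OI, CI, NP, IO = 0x1, 0x2, 0x4, 0x8   # object/container inherit, no-propagate, inherit-only

APPLY_ONTO = {
    "This folder only": 0,
    "This folder, subfolders and files": OI | CI,
    "This folder and subfolders": CI,
    "This folder and files": OI,
    "Subfolders and files only": OI | CI | IO,
    "Subfolders only": CI | IO,
    "Files only": OI | IO,
}

# Constructed sample tree: a dict is a folder, None is a file
TREE = {"docs": {"a.txt": None, "sub": {"b.txt": None, "deep": {"c.txt": None}}}}

def inherit(flags, is_folder):
    """Return (applies_to_child, flags_passed_further), or None if the child gets nothing."""
    if not is_folder:
        return (True, 0) if flags & OI else None
    if flags & NP:                       # check box selected: stop after one level
        return (True, 0) if flags & CI else None
    if flags & CI:
        return (True, flags & (OI | CI))
    if flags & OI:                       # folder only carries the entry down to files
        return (False, OI)
    return None

def affected(apply_onto, this_container_only=False, tree=TREE):
    """List the objects the permission entry takes effect on."""
    flags = APPLY_ONTO[apply_onto] | (NP if this_container_only else 0)
    (root, children), = tree.items()
    hits = [] if flags & IO else [root]

    def walk(path, node, flags):
        for name, child in node.items():
            result = inherit(flags, child is not None)
            if result is None:
                continue
            applies, passed = result
            if applies:
                hits.append(f"{path}/{name}")
            if child is not None:
                walk(f"{path}/{name}", child, passed)

    walk(root, children, flags)
    return sorted(hits)
```

With the check box selected, an entry reaches only the immediate children of the folder; with it cleared, the entry keeps propagating down the tree.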


Permission Assignment

  • Assign permissions to groups rather than to users – simplifies administration

  • Set permission to be inheritable to child objects.

  • Assign Full control, if appropriate, rather than individual permissions

  • Deny should be used for these special cases

    • Exclude a subset of a group which has Allowed permissions

    • Exclude one special permission when you have already granted full control to a user or group
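The two special cases for Deny follow from the order in which Windows evaluates access control entries: explicit entries before inherited ones, and Deny before Allow within each group. The model below is an added example, not part of the original slides; the rights are simplified to four bits, and the account names, group names and ACLs are constructed.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8   # simplified rights, not the real NTFS access mask
FULL = READ | WRITE | EXECUTE | DELETE

@dataclass
class Ace:
    kind: str                # "allow" or "deny"
    trustee: str             # user or group name, standing in for a SID
    mask: int
    inherited: bool = False

def canonical(dacl):
    """Explicit entries before inherited ones; Deny before Allow inside each group."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, dacl, wanted):
    """token: set holding the user's own name plus every group the user belongs to."""
    remaining = wanted
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False             # a still-needed right is denied
        else:
            remaining &= ~ace.mask       # allowed rights accumulate across groups
            if not remaining:
                return True
    return False                         # nothing granted the rest: implicit deny

# Constructed accounts and ACLs
ALICE = {"alice", "Staff", "Editors"}
BOB = {"bob", "Staff", "Interns"}
# Special case 1: Interns is a subset of Staff that must not read the folder
REPORTS = [Ace("allow", "Staff", READ), Ace("allow", "Editors", WRITE),
           Ace("deny", "Interns", READ)]
# Special case 2: Full Control minus one permission
ARCHIVE = [Ace("allow", "alice", FULL), Ace("deny", "alice", DELETE)]
# Caveat: an explicit Allow is evaluated before an inherited Deny
DRAFTS = [Ace("deny", "Staff", WRITE, inherited=True), Ace("allow", "alice", WRITE)]
```

The DRAFTS case is the one to check when reviewing effective permissions: a Deny inherited from a parent folder does not block a user who has an explicit Allow on the object itself.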


User Rights

Administrators can assign specific rights to group accounts or to individual user accounts

Apply to user accounts

Define capabilities at the local level

Can apply to individual user accounts or a group account


Group Account

Members of a group automatically inherit the rights associated with that group

Rights are applied to all members of the group while they remain members

If a user is a member of multiple groups, the user's rights are cumulative

Simplifies the task of user account administration


User Rights

  • Types of user rights:

    • Privileges: specify allowable actions on the system, e.g., the right to back up files and directories

    • Logon rights: specify the ways in which a user can log on to a system, e.g., the right to log on to a system remotely

  • In general, user rights assigned to one group do not conflict with the rights assigned to another group

  • Exception: Logon rights


Logon Rights

  • Control access to a system

  • Logon Rights and default settings for Windows XP Professional are available at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_topnode.mspx?mfr=true

  • Examples:

    • Log on locally, Default setting: Administrators, Power Users, Users, Guest, and Backup Operators

    • Deny access to this computer from network, Default setting: No one

    • Access this computer from a network, Default setting: Administrators, Everyone, Users, Power Users, and Backup Operators


Privileges

  • Act as Part of the Operating System, Add Workstations to a Domain, Back Up Files and Directories, Change the System Time, Create a Token Object, Create Permanent Shared Objects, Debug Programs, Force Shutdown from a Remote System, Generate Security Audits, etc.

  • Some of the privileges can override permissions set on an object

    • E.g., the right to perform a backup takes precedence over all file and directory permissions


Privileges which can override permissions set on an object

Take Ownership of Files or Other Objects – grants WriteOwner access to an object

Manage Auditing and Security Log – provides several abilities, including access to the security log, overriding access restrictions to the security log

Back Up Files and Directories – grants read and write access to an object

Restore Files and Directories – grants read and write access to an object

Debug Programs – grants read or open access to an object

Bypass Traverse Checking – provides the traverse access on directories


Assigning User Rights

Assigned through the Local Policies node of Group Policy

Log on using an administrator account

Open the Active Directory Users and Computers tool

Right-click the container holding the domain controller and click Properties

Click the Group Policy tab, and then click Edit to edit the Default Domain Policy

In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies


Assigning User Rights

Select User Rights Assignment

To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box

Open the Security Policy Setting dialog box for the user right to be modified

Select Define these policy settings to define the policy.

To apply the right to a user or group, click Add

In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The right can now be applied to users and groups
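After rights have been assigned, the result can be reviewed by exporting the policy with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and checking who holds the privileges that override object permissions, listed earlier in this deck. The script below is an added example, not part of the original slides; the sample export, the account names `helpdesk` and `contractor`, and the baseline of expected holders are constructed assumptions.

```python
import configparser

# User rights from the list of overriding privileges, by the names secedit exports
OVERRIDING = {
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeDebugPrivilege": "Debug programs",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
}
ADMINS, BACKUP_OPS, EVERYONE = "*S-1-5-32-544", "*S-1-5-32-551", "*S-1-1-0"
# Assumed baseline for this example; any right not listed expects Administrators only
BASELINE = {
    "SeBackupPrivilege": {ADMINS, BACKUP_OPS},
    "SeRestorePrivilege": {ADMINS, BACKUP_OPS},
    "SeChangeNotifyPrivilege": {ADMINS, BACKUP_OPS, EVERYONE},
}

# Constructed export; a real file is UTF-16, so read it with encoding="utf-16"
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,contractor
SeDenyNetworkLogonRight = contractor
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,helpdesk
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-32-547
"""

def parse_rights(inf_text):
    """Return {right: set of accounts} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep the case of the Se* names
    cp.read_string(inf_text)
    return {right: {a.strip() for a in value.split(",") if a.strip()}
            for right, value in cp["Privilege Rights"].items()}

def unexpected_holders(rights):
    """Accounts holding a permission-overriding privilege beyond the baseline."""
    return [(priv, acct) for priv in OVERRIDING
            for acct in sorted(rights.get(priv, set()) - BASELINE.get(priv, {ADMINS}))]

def logon_conflicts(rights):
    """Accounts listed under both the allow and the deny network logon right."""
    return sorted(rights.get("SeNetworkLogonRight", set())
                  & rights.get("SeDenyNetworkLogonRight", set()))
```

`logon_conflicts` compares only accounts named directly in both rights; a conflict that arises through group membership needs the group members resolved first.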


User Rights

  • Assign rights as high in the container tree as possible – simplifies administration

  • Apply inheritance to propagate rights through the tree

  • Administrators should

    • use an account with restrictive permissions to perform routine, non-administrative tasks

    • use an account with broader permissions only when performing specific administrative tasks


Next Class

  • Back up procedures

