
SIGCSE 2003 Undergraduate Cyber Security Course Projects:


Presentation Transcript


  1. SIGCSE 2003 Undergraduate Cyber Security Course Projects: Password Policy in a Heterogeneous Environment Charles Border Ph.D. Rochester Institute of Technology cborder@it.rit.edu

  2. Where did this lab come from?
     • Designed for System Administrators
     • Dictum: Know thy network, or perish
     • Security as a process, not a product
     • Need to enhance the ability of students to:
       • understand the basis for, and write, policies;
       • move from a non-technical description of a desired outcome to a technical implementation;
       • understand and anticipate the complexity inherent in even the most banal-sounding projects.

  3. Lab Topology

  4. Activity Outline:
     • Read scenario (good class discussion)
     • Survey applications on the network (can be provided by instructor) and their methods of user authentication
     • Develop an outline of policy requirements
     • Modify systems to implement the policy (hands-on portion of lab)

  5. Lab Scenario
     • Developed by the instructor to give students an overview of a hypothetical, or real, organization and the technological and management issues it faces.
     • Puts the lab exercise into a context and introduces real-world ambiguity.
     • Empowers students to make and justify decisions based on the scenario.

  6. Application Survey
     • What applications are being used by the organization?
     • Good opportunity to introduce complexity and issues related to scale.
     • Do all applications handle passwords the same way?
     • Allows students to conduct research and gain experience reading application documentation.

  7. Policy Requirements
     • What constitutes an effective policy?
     • What resources are available to help system administrators develop usage policies?
     • How should policy requirements be developed?
     • What are the roles of different members of the organization in effective policy development and implementation?

  8. General Approaches to Implementation
     • Linux: use of Pluggable Authentication Modules (PAM).
     • Windows 2000: use of Domain Security Policy.
     • Heterogeneous: use of Windows Services for Unix (free 120-day evaluation copies available).
     • Additional complexity: develop different policies for different group members, implemented as above.

  9. Linux
     • Authentication of users is handled by PAM.
     • PAM separates the authentication of users from the development of applications. It also allows local system administrators to control how users are authenticated.
     • Composed of several modules.
     • The system-auth configuration can be modified in many ways to customize authentication requirements.
     • The cracklib module provides password strength checking by comparing proposed new passwords against a set of standards.

  10. Cracklib Password Strength-Checker
     • Linux-PAM System Administrators' Guide: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
     • Compares the new password with the old one for:
       • Palindromes
       • Case change only
       • Similarity
       • Simplicity
       • Rotation
       • Already used (database located in /usr/lib/cracklib-dict.pwd)
     • The details of each of the above can be the subject of a lab.
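As an added example (not cracklib's code and not part of the original slides), the following Python script implements a toy version of the six checks listed on slide 10, plus the per-group policies slide 13 asks for. The thresholds, the `Policy` field names, the group names, the similarity metric (Python's `difflib` ratio) and the "already used" word list are all assumptions constructed for the example; real pam_cracklib uses its own heuristics and reads the dictionary at /usr/lib/cracklib-dict.pwd.

```python
"""Toy password-strength checker modelled on the pam_cracklib checks listed on
slide 10 (palindrome, case change only, similarity, simplicity, rotation,
already used).  Added example, not cracklib's code: thresholds, policy field
names and the similarity metric are simplified assumptions."""
import difflib
from dataclasses import dataclass

# Constructed stand-in for the "already used" word list the slides locate at
# /usr/lib/cracklib-dict.pwd; these entries are made up for the example.
USED_PASSWORDS = {"password", "letmein", "rochester", "qwerty123"}


@dataclass(frozen=True)
class Policy:
    """Per-group policy knobs (assumed names, not pam_cracklib options)."""
    min_length: int = 8
    min_char_classes: int = 3      # lower / upper / digit / other present
    max_similarity: float = 0.5    # difflib ratio at or above which new is "too similar"


# Slide 13 asks that different groups get different password characteristics;
# these two groups and their thresholds are constructed for the example.
GROUP_POLICIES = {
    "staff": Policy(),
    "admins": Policy(min_length=14, min_char_classes=4, max_similarity=0.3),
}


def is_palindrome(pw: str) -> bool:
    return len(pw) > 1 and pw == pw[::-1]


def is_case_change_only(old: str, new: str) -> bool:
    return old != new and old.lower() == new.lower()


def is_rotation(old: str, new: str) -> bool:
    # Every rotation of "abcdef" is a length-6 substring of "abcdefabcdef".
    return len(old) == len(new) > 0 and old != new and new in (old + old)


def similarity(old: str, new: str) -> float:
    # Fraction of characters matched in order: 0.0 (nothing shared) to 1.0 (identical).
    return difflib.SequenceMatcher(None, old, new).ratio()


def char_classes(pw: str) -> int:
    # Count how many of the four classes (lower, upper, digit, other) appear.
    tests = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return sum(any(test(c) for c in pw) for test in tests)


def check_password(old: str, new: str, policy: Policy = Policy(),
                   used: set = USED_PASSWORDS) -> list:
    """Return the reasons the new password is rejected; [] means accepted."""
    reasons = []
    if is_palindrome(new):
        reasons.append("palindrome")
    if is_case_change_only(old, new):
        reasons.append("case change only")
    if is_rotation(old, new):
        reasons.append("rotation of old password")
    if similarity(old, new) >= policy.max_similarity:
        reasons.append("similar to old password")
    if len(new) < policy.min_length:
        reasons.append(f"too short (minimum {policy.min_length})")
    if char_classes(new) < policy.min_char_classes:
        reasons.append(f"too simple (fewer than {policy.min_char_classes} character classes)")
    if new.lower() in used:
        reasons.append("already used")
    return reasons


def check_for_group(group: str, old: str, new: str) -> list:
    """Apply the policy of the user's group (slide 13's per-group variant)."""
    return check_password(old, new, GROUP_POLICIES[group])


if __name__ == "__main__":
    old = "Summer2002!"   # constructed current password
    for new in ["Tr0ub4dor&3", "SUMMER2002!", "2002!Summer", "Level1leveL", "Rochester"]:
        print(f"{new!r:16} -> {check_password(old, new) or 'accepted'}")
    print("admins:", check_for_group("admins", old, "Tr0ub4dor&3"))
```

Students can extend each predicate to match the behaviour they observe from the real module, and compare the per-group thresholds here with what a single `pam_cracklib` line in the PAM configuration can and cannot express.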

  11. Windows 2000
     • Win2K uses Kerberos for device authentication and for the transport of user authorization data in the Kerberos ticket.
     • Making changes to many of the required characteristics of user passwords is as easy as pointing and clicking.
     • Domain Security Policy
     • Password Policy

  12. MS Services for Unix
     • Allows system administrators to control many characteristics of user passwords on both Win2K domains and the Unix systems within those domains.
     • Unix system administration is accomplished by making the Win2K DC an NIS master server and pushing out consistent passwd and shadow files.

  13. Additional Complexity
     • Require students to do Win2K and Unix configuration from the command line.
     • Require sign-offs at different parts of the lab.
     • As part of the scenario, require that different groups of users within the organization have different password characteristics.
     • Use packet captures to verify the hypotheses students develop as to how this process will be implemented.
