COMP3123 Internet Security

Richard Henson

University of Worcester

October 2011

Week 5: Access Control with Audit & Monitoring: Security through “Group Policies”

  • Objectives:

    • Explain the purpose of network “controls”

    • Explain how a Group Policy Object (GPO) can be used to efficiently control network users via the local computer’s registry

    • Implement an agreed GPO for users on an actual network

    • Explain information auditing and how it is vital for network troubleshooting and accountability

Implementation of Security Policy on/through the network

  • Policies are necessary for organisations to put their business goals into practice

  • For ANY policy to be effective, it needs to be broken down into a series of rules or “controls”

    • these need to be enforced at an operational level

  • A well-designed network operating system is the ultimate “controller”

    • should be ideally positioned for putting information security policy into practice

Windows, Information Security, and Group Policies

  • Breaking down a high level Information Security Policy…

    • needs to be “operationalised”

    • or broken down into a series of actions

    • these actions can be written in such a way as to become group policy settings

  • The Group Policy Objects will then be an implementation at operational level of most of the strategic level policy statement

Control of Users

  • Network can never be completely controlled by the operating system & group policy objects

  • Users granted network access via permissions and rights:

    • Permissions granted to a user/group of users to give a level of access to network resources

      • e.g. writing to a folder, accessing a printer

    • Rights granted to users so they can interact with aspects of the network environment

      • e.g. change system date/time, update device drivers

  • In practice, users exercise free will…

    Policy, Network Users, and Accountability

    • IF properly planned and used, Group Policy Objects will allow organisational network users to have:

      • sufficient access to resources to do their job

      • no access to the parts of the network they don’t need to do their job

    • The network should also be able to monitor itself for signs of illegal activity

      • and identify which user is responsible…

      • user IDs & audit logs allow this to be achieved

    Windows Networking & Policy Objects

    • Very many network settings available & resource access can be controlled/audited

      • User: settings data held on own policy file

      • Group of users: data held on the group policy file

    • Networks often have many users…

      • best way to put controls into practice is through effective use of Group Policy Objects

    • Organisation needs to identify the groups

      • then allocate users to groups according to their network needs (no guesswork!)

    Group Policy Objects (GPOs) and The Registry

    • Customised files of data that can overwrite part of the user’s computer’s registry (!)

      • stored with supporting files (e.g. .msi) on domain controllers - shared folder: SYSVOL

    • GPOs contain a large number of policy settings

      • files kept on domain controller

      • downloaded and overwrite client computer registry:

        • when computer is booted up (computer/system policy)

        • when user logs on (user/group policy)

    Applying Computer Policies to the Local Registry

    • Happens during system initialisation

    • Control:

      • Operating system

      • Applications

      • Start-up and shutdown scripts


      • all hardware configured

      • presents the logon screen

    Applying User Policies

    • Applied at login

    • Control:

      • desktop settings

      • application settings

      • folder redirection

      • user logon and logoff scripts

    • Focus on HKEY_CURRENT_USER

    • Used to apply a configuration to a specific group of users – wherever they log on

    Local Security Policy

    • This week’s practical will show the scope for setting security policy on a local machine:

      • many different local settings

      • policy put into action by overwriting local registry settings during system initialisation

    • Production of policy files:

      • Windows (from 2000 onwards) provides templates for quick production of local security policy settings

        • readily editable…

      • also possible to produce a new template from scratch

    The Policy Settings…

    • 600 in all, including:

      • accounts policies

      • local policies

      • PKI policies

      • IP security policies

    • Combination of user policies, computer policies, and group policies can provide very effective control (or “controls”)

    Active Directory Group Policy

    • Very useful for implementing the same security controls on multiple computers:

      • individually

      • across a domain

      • across a site (“forest” of domains)

    • In each case, the local registry settings are overwritten by a copy of the group policy object

    Configuration of Group Policies

    • Can be managed from Active Directory Services and Sites “snap-in”

      • consist (usually) of modified template files

        • held within Active Directory

      • downloaded to local computers when users who are part of that group (and therefore group policy) log on to the domain

    Log on, configuration and Group Policies

    • When a user logs on:

      • registry settings have already been set once from local policy (at boot up)

      • They could log on locally or to the network

    • Assuming network (domain) logon…

      • logon information compared with Active Directory store

      • assuming that user account/password pair are valid…

        • appropriate policy file(s) for that user downloaded from the Active Directory

        • overwrite (some) existing settings

    Site Policies

    • Can be applied across domain trees

      • to a whole domain forest!

    • Should only be applied regarding issues relating to

      • physical locations of users

      • physical locations of computers

    • Therefore, shouldn’t be used very often…

    Domain Policies

    • The domain is the primary place where group policies for the organisation should be implemented

    • Example:

      • Security policy document that lays down specific user login requirements for all users

      • Should be applied as a domain policy

    • At operational level…

      • user logs onto domain

      • domain sets controls and auditing based on that userID

    Settings that can ONLY be set by Group Policies

    • Certain settings CANNOT be changed by domain users!!!

      • Event logs

      • Restricted groups

      • System services

      • Registry

      • File system

      • Shares & Folder redirection

    Account Administration and Accountability

    • Each user is responsible for all events that happen on the network associated with their userID (username)

    • To assist users with responsible use of network resources, all aspects of user activity need to be audited or at least monitored

      • monitored: use of alerts to flag abnormal events e.g. attempted illegal access

      • audited: details of user activity and effects written to a .log text file

    Access Control Models

    • Centralised

      • all administrative tasks take place at a very small number of central locations, regardless of where the resource is held

      • uses centralised authentication, authorisation, and security management servers

    • De-centralised

      • admin tasks all done on individual systems

      • effects and control of resource are at least logically local

        • physical control of system could still be remote e.g. via group policy objects overwriting registry settings

    Roles associated with Information Management & Security

    • Senior Management

      • ultimate responsibility for maintaining information security of organisational data…

    • Designated Information Security Officer/Manager

      • responsible for maintaining the security of the organisation’s information systems

    • Owner (of data)

      • assigns permissions to data depending on sensitivity and value to the organisation

    More Roles associated with Security of Organisational Data

    • Custodian

      • assigns permissions to data objects using organisational security infrastructure

    • User

      • perform work tasks in accordance with organisational information security policy

    • Auditor

      • monitors environment for security compliance and violation

    “Principle of Least Privilege” and combating Collusion

    • Principle of least privilege can be applied to administrators

      • no one administrator should have sweeping powers…

    • This means an administrator can only cause widespread damage through “collusion”

      • “the act of convincing others to participate in unethical, security-compromising, and possibly illegal activity”

    • In the interests of security, organisations must take strong steps to prevent collusion…

    Auditing & Monitoring

    • Gathering information to check what is/was going on…

      • auditing - digital information environment

      • monitoring - the physical environment

    • Purpose – relating to IS policy:

      • verify compliance

      • detect intrusions & policy violations…

    Functional Control types that can be set by Group Policy

    • Directive

      • guidance - how to comply e.g. EU Directives

    • Preventative

      • prevent or discourage violations (e.g. of policy)

    • Detective

      • detect violations e.g. intrusion detection systems

    • Corrective

      • detect & put system back to previous state

    • Recovery

      • more extensive version of “correct”; restores state

    Security (Internal) Auditing

    • Testing procedures devised to ensure compliance with policy

      • at operations level, the mechanism for putting procedures into practice

        • should be consistent

        • should take place on regular basis…

    • Goal:

      • problem identification

      • problem resolution

        • minimise risk

        • prevent reoccurrence

        • prevent system downtime

    Physical Auditing Tools

    • CCTV

      • physical environment monitoring

      • someone needs to physically look at the recorded video

    • Keystroke monitoring

      • check for abuse or impersonations

    • Dumpster diving

      • checking litter bins, etc.

    System Auditing Tools

    • Traffic/Trend Analysis

      • watching for communication patterns…

      • reveals user ID, data volumes & sending times

      • can detect covert channels

    • Event monitoring/auditing

      • events monitored and type of monitoring controlled through group policies

      • operating system provides a record by saving details to audit logs

    • Real time analysis

      • on the look out for particular events

      • sends “alerts” when such events have been detected
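
The audit/monitor distinction above (details written to a .log file, versus alerts raised when particular events are seen) can be shown in a few lines. This is an added example, not part of the original slides: the log line format, user IDs and host names are constructed, and the threshold and window are assumptions; 4624 and 4625 are the Windows Security event IDs for successful and failed logons.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (the line format is an assumption for this
# example): ISO timestamp, Windows Security event ID, user ID, workstation.
# 4624 = successful logon, 4625 = failed logon.
SAMPLE_LOG = """\
2011-10-20T09:00:05 4624 asmith WS-014
2011-10-20T09:01:10 4625 jbrown WS-022
2011-10-20T09:01:25 4625 jbrown WS-022
2011-10-20T09:01:41 4625 jbrown WS-022
2011-10-20T09:02:02 4624 jbrown WS-022
2011-10-20T09:30:00 4625 asmith WS-014
2011-10-20T11:45:00 4625 asmith WS-014
malformed line that an auditor should still see counted
"""

FAILED_LOGON = "4625"


def failed_logon_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (alerts, skipped): an alert each time a user ID's failed logons
    reach `threshold` inside a sliding `window`; skipped counts bad lines."""
    recent = defaultdict(deque)   # user ID -> timestamps of recent failures
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            event_id, user, host = parts[1:4]
        except (ValueError, IndexError):
            skipped += 1          # never drop unparsable audit records silently
            continue
        if event_id != FAILED_LOGON:
            continue
        q = recent[user]
        q.append(when)
        while when - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) == threshold:       # alert when the count reaches the threshold
            alerts.append({"user": user, "host": host, "at": when.isoformat(),
                           "failures": len(q)})
    return alerts, skipped
```

With the sample data, the three failures for jbrown inside one minute raise a single alert tied to that user ID, while the two failures for asmith more than two hours apart stay in the audit record only.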

    Useful Auditing Tools

    • Intrusion Detection/Prevention

      • checks for (attempted) breaches of security policy

      • makes sure attempted breaches are not successful (e.g. using strong authentication, traffic filters)

    • Illegal Software Monitoring

      • checking for installation of unapproved software that could make the environment insecure

    “ethical hacking”

    • Hacking Activities include…

      • “war dialling”

        • gathering modem dialling data

      • sniffing

        • collecting network packets

          • reading header data to produce statistical data

          • possibly reading packet payload

          • can even recreate packets with different (spoof) IP address

      • eavesdropping

        • act of listening into communications, usually with a sniffer

      • radiation/emanation monitoring

        • detecting and reading electromagnetic signals around copper cables and other devices to gather data

      • Social Engineering/blagging

        • getting information by (deceptively) asking for it…

    Hacking – eg’s

    • “war dialling”

      • gathering modem dialling data

    • sniffing

      • collecting network packets

        • reading header data to produce statistical data

        • possibly reading packet payload

        • can even recreate packets with different (spoof) IP address

    • eavesdropping

      • act of listening into communications, usually with a sniffer

    • radiation/emanation monitoring

      • detecting and reading electromagnetic signals around copper cables and other devices to gather data

    • Social Engineering/blagging

      • getting information by (deceptively) asking for it…

    Ethical and Unethical hacking

    • Penetration Testing – “white hat” hacking

      • trying to hack in to show the weaknesses of the system…

      • but “Black Hat” hacking could be trying the same things…

    • When is it ethical?

      • when the network owner knows about it and has given permission

        • “white hat” always asks (and is sometimes even paid…)

        • white hats have professional standing and certification, e.g. CEH

      • unethical hacking is often also illegal…

    Detecting “Inappropriate Activities”

    • Should be an “acceptable use” policy

      • clear definition of “inappropriate activities”

    • Includes certain employee actions

      • may not themselves be illegal…

      • BUT may compromise system reliability or CIA or security

    • Examples…

      • wasting resources

      • hosting inappropriate content

      • racial/sexual harassment

      • abusing/not respecting assigned access rights

    Detecting Illegal Activities

    • Fraud

      • violation of the integrity of business processes

      • may seem attractive and undetected to the perpetrator…

        • but secure system environments easily designed to detect/protect against fraud

    • Collusion

      • act of conspiring to commit a crime

        • in this case… to make a security violation

      • detected through detailed user monitoring

      • prevented through job separation, etc.

    Careers in Information Security: Why A Degree isn’t enough…

    • You need three things to give you a head start in becoming a successful Information Security Specialist:

      • theoretical knowledge (degree)

      • practical knowledge (placement)

      • professional qualifications (further evidence that you know how to apply your stuff in a non-academic environment)

    • You also need to be a good communicator…

      • especially at “management level”

    Getting Certified as an Information Security Professional

    • Microsoft provide their own set of syllabuses and exams leading to:

      • Specialist: MCTS (pass 1-3 exams, one year’s relevant experience)

        • important to include a security-related module if you wish to follow such a career path on Microsoft networks

      • Professional: MCITP (pass 1-3 professional exams, as well as MCTS)

    • Not all networks are Microsoft…

      • highly regarded security qualifications from ISC2 based on principles and not platform-specific…

    Professional Bodies

    • ISC2 (US/worldwide): exam only

      • SSCP

        • seven modules

        • recommended one year’s experience working with networks (placement would do…)

      • CISSP

        • eleven modules

        • two years working in the Information Security industry considered essential

    • IISP (UK)

      • no exams – membership based on experience

    Careers in Information Security

    • At one time, only very large organisations had their own Information Security Officer/Manager

    • Changing rapidly…

      • smaller organisations recognising the need to:

        • comply with legislation/regulations

        • satisfy supply chain partner expectations

      • responsibility often includes physical security and training users (minimising the “insider threat”)
