Lesson 7: Managing Access Services and Accounts Flashcards
Authorization
process by which subjects (typically authenticated user or computer accounts) are granted rights to access and modify resources. There are two important functions in authorization:
- The process of ensuring that only authorized rights are exercised (policy enforcement).
- The process of determining rights (policy definition).
The more privileges that you allocate to more users, the more you increase the risk that a privilege will be misused. Authorization policies help to reduce risk by limiting the allocation of privileges as far as possible.
implicit deny
Access controls are usually founded on the principle of implicit deny; that is, unless there is a rule specifying that access should be granted, any request for access is denied. This principle can be seen clearly in firewall policies. A firewall filters access requests using a set of rules. The rules are processed in order from top-to-bottom. If a request does not fit any of the rules, it is handled by the last (default) rule, which is to refuse the request.
File access controls work on the same principle. An account must be listed on the ACL to gain access. Any other request for access is denied.
least privilege
A complementary principle is that of least privilege. This means that a user should be granted rights necessary to perform their job and no more.
A core principle of secure access management is that of least privilege. This policy means that a user, group, or role should be allocated the minimum sufficient permissions to be able to perform its job function and no more. Each account should be configured from a template of the appropriate privileges. Deviations from the template should be monitored for increased risk.
Single Sign-On (SSO)
means that a user only has to authenticate to a system once to gain access to all the resources to which the user’s account has been granted rights. An example is the Kerberos authentication and authorization model. This means, for example, that a user authenticated with Windows® is also authenticated with the Windows domain’s SQL Server® and Exchange Server services. The advantage of single sign-on is that each user does not have to manage multiple user accounts and passwords. The disadvantage is that compromising the account also compromises multiple services.
Directory services
the principal means of providing privilege management and authorization on an enterprise network. Depending on the sort of access control model used, the owner or systems administrator can share resources (folders, printers, and other resources) to make them available for network users. The resources can then be protected with a security system based around the authentication credentials provided by each user at logon to gain access to a system-defined account. Windows and UNIX/Linux systems all provide versions of this type of security.
security database
When logging on to the network, the user must supply logon credentials. This username and password (or other authentication data) are compared with the server’s security database, and if both match, the user is authenticated. The server security service generates an access key for the user. This contains the username and group memberships of the authenticated user.
resources
All resources on server-based systems have an Access Control List (ACL) that is used to control access to the resource. The access list contains entries for all usernames and groups that have permission to use the resource. It also records the level of access available for each entry. For example, an access list may allow a user named user1 to view the name of a file in a folder but not read the file contents. Whenever the user attempts to access a resource, his or her access key is provided as identification. The server’s security service matches username and group memberships from the access key with entries in the access list, and from this, it calculates the user’s access privileges.
All this information is stored in a directory. A directory is like a database, where an object is like a record, and things that you know about the object (attributes) are like fields. In order for products from different vendors to be interoperable, most directories are based on the same standard. The principal directory standard is the X. 500 series of standards, developed by the International Telecommunications Union (ITU) in the 1980s. As this standard is complex, most directory services are implementations of the Lightweight Directory Access Protocol (LDAP). LDAP is not a directory standard but a protocol used to query and update an X.500 directory or any type of directory that can present itself as an X.500 directory. LDAP is widely supported in current directory products, such as Windows Active Directory, NetIQ (Novell) eDirectory, Apple OpenDirectory, and the open source OpenLDAP. As well as enterprise networking directories, LDAP also provides a model for Internet directory access, such as providing contact lists for Instant Messaging (IM) applications.
distinguished name
a unique identifier for any given resource within an X.500-like directory. A distinguished name is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader.
relative distinguished name
The most specific attribute is listed first, and successive attributes become progressively broader. This most specific attribute is also referred to as the relative distinguished name, as it uniquely identifies the object within the context of successive (parent) attribute values.
The types of attributes, what information they contain, and the way object types are defined through attributes (some of which may be required, and some optional) is described by the directory schema. Some of the attributes commonly used include Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), and Domain Component (DC). For example, the Distinguished Name of a web server operated by Widget in the UK might be:
CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=com
X.500 directories
arranged in a hierarchy called the directory information tree. Each directory starts at the root and passes through several levels of container objects, such as country (optional), organization, and organizational units (also optional). Actual network resources, such as users, computers, printers, folders, or files, are referred to as leaf objects.
Lightweight Directory Access Protocol (LDAP) Security
LDAP runs over TCP and UDP port 389 by default. The basic protocol provides no security and all transmissions are in plaintext, making it vulnerable to sniffing and Man-in-the-Middle (spoofing an LDAP server) attacks. Also, a server that does not require clients to authenticate is vulnerable to overloading by DoS attacks. Authentication (referred to as binding to the server) can be implemented in the following ways:
- No authentication—anonymous access is granted to the directory.
- Simple authentication—the client must supply its DN and password, but these are passed as plaintext. This method could be secured if using IPSec for transport across the network.
- Simple Authentication and Security Layer (SASL)—the client and server negotiate the use of a supported security mechanism. Typically, this will mean the use of either Kerberos or TLS to provide strong certificate-based authentication.
- There is also an unofficial way of securing LDAP using SSL (the older version of TLS) called LDAPS. This is very similar to HTTPS and works over TCP port 636. SSL/TLS also provide a means for the server to authenticate to the client, providing mutual authentication.
LDAP Access
If secure access is required, anonymous and simple authentication access methods should be disabled on the server.
Generally, two levels of access will need to be granted on the directory: read-only access (query) and read/write access (update). This is implemented using an Access Control Policy, but the precise mechanism is vendor-specific and not specified by the LDAP standards documentation.
Unless hosting a public service, the LDAP directory server should also only be accessible from the private network. This means that LDAP ports (389 over TCP and UDP) should be blocked by a firewall from access over the public interface.
LDAP injection attacks
Where LDAP can be queried from some sort of web application, the application design needs to prevent the possibility of LDAP injection attacks. For example, if the web application presents a search form to allow the user to query a directory, a malicious user may enter a search string that includes extra search filters. If the input string is not properly validated, this could allow the user to bypass authentication or inject a different query, possibly allowing the attacker to return privileged information, such as a list of usernames or even passwords.
enterprise authentication
Enterprise networks and ISPs potentially need to support hundreds or thousands of users and numerous different remote and wireless access technologies and devices. The problem arises that each remote access device needs to be configured with authentication information and this information needs to be synchronized between them. A scalable authentication architecture can be developed using the RADIUS or TACACS+ protocols. Under both these protocols, authentication, authorization, and accounting are performed by a separate server (the AAA server). Network access devices, such as switches, routers, VPN access servers, or wireless access points, function as client devices of the AAA server. Rather than storing authentication information, they pass this data between the AAA server and the remote user.
Remote Authentication Dial-in User Service (RADIUS)
The Remote Authentication Dial-in User Service (RADIUS) standard is published as an Internet standard in RFC 2865. There are several RADIUS server and client products. Microsoft has the Network Policy Server (NPS) for Windows platforms and there are open source implementations for UNIX and Linux, such as FreeRADIUS, as well as third-party commercial products, such as Cisco’s Secure Access Control Server, Radiator, and Juniper Networks Steel-Belted RADIUS. Products are not always interoperable as they may not support the same authentication and accounting technologies.
The RADIUS authentication process works as follows:
- The remote user connects to a RADIUS client, such as an access point, switch, or remote access server.
- The RADIUS client prompts the user for their authentication details, such as a username and password or digital certificate. Certificate-based authentication is available if the RADIUS product supports EAP.
- The remote user enters the required information. The RADIUS client uses this information to create an Access-Request packet. The packet contains the following data:
- Username and password (the password portion of the packet is encrypted using MD5). The RADIUS client and server must be configured with the same shared secret. This is used to hash the user password.
- Connection type (port).
- RADIUS client ID (IP address).
- Message authenticator.
- The Access-Request packet is encapsulated and sent to the AAA server using UDP on port 1812 (by default).
- The AAA server decrypts the password (if the password cannot be decrypted, the server does not respond). It then checks the authentication information against its security database. If the authentication is valid, it responds to the client with an Access-Accept packet; otherwise, an Access-Reject packet is returned. Depending on the authentication method, there may be another step where the AAA server issues an Access-Challenge, which must be relayed by the RADIUS client.
- The client checks an authenticator in the response packet; if it is valid and an Access-Accept packet is returned, the client authenticates the user. The client then generates an Accounting-Request (Start) packet and transmits it to the server (on port 1813). It then opens a session with the user.
- The server processes the Accounting-Request and replies with an Accounting-Response.
- When the session is closed (or interrupted), the client and server exchange Accounting-Request (Stop) and Response packets.
Terminal Access Controller Access-Control System Plus (TACACS+)
similar protocol to RADIUS but designed to be more flexible and reliable. TACACS+ was developed by Cisco but is also supported on many of the other third-party and open source RADIUS server implementations. TACACS+ uses TCP communications (over port 49) and this reliable, connection-oriented delivery makes it easier to detect when a server is down. Another feature is that all the data in TACACS+ packets is encrypted (except for the header identifying the packet as TACACS+ data), rather than just the authentication data. TACACS+ is more often used for device administration than for authenticating end user devices. It allows centralized control of accounts set up to manage routers, switches, and firewall appliances, as well as detailed management of the privileges assigned to those accounts.
Note: A TACACS protocol was developed in the 1980s and upgraded by Cisco as the proprietary protocol XTACACS in the 1990s. TACACS+ is incompatible with both of these.
Federation
the notion that a network needs to be accessible to more than just a well-defined group, such as employees. In business, a company might need to make parts of its network open to partners, suppliers, and customers, and likewise have parts of its network open to its staff. The company can manage its staff accounts easily enough. Managing accounts for each supplier or customer internally may be more difficult. Federation means that the company trusts accounts created and managed by a different network. As another example, in the consumer world, a user might want to use both Google Apps™ and Twitter. If Google and Twitter establish a federated network for the purpose of authentication and authorization, then the user can log on to Twitter using his or her Google credentials or vice versa.
In these models, the networks perform federated identity management. The networks establish trust relationships so that the identity of a user (the principal) from network A (the identity provider) can be trusted as authentic by network B (the service provider). As well as trusts, the networks must establish the communications links and protocols that allow users to authenticate and be authorized with access permissions and rights.
Different kinds of trust relationships can be created to model different kinds of business or organizational relationships. Each network can be thought of as a domain. Domains can establish parent-child or peer relationships.
- One-way trust—child trusts parent but parent does not trust child. For example, Domain B might be configured to trust Domain A. Users from Domain A can be authorized to access resources on Domain B. Users from Domain B, however, are not trusted by Domain A.
- Two-way trust—the domains are peers, and both trust one another equally.
A trust relationship can also be non-transitive or transitive:
- Non-transitive trust—the trust relationship remains only between those domains.
- Transitive trust—the trust extends to other trusted domains. For example, if Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A also trusts Domain C.
Security Association Markup Language (SAML)
With a federated network there is also the question of how to handle user identity assertions and transmit authorizations between the principal, the service provider, and the identity provider. One solution to this problem is the Security Association Markup Language (SAML). SAML was developed by the Organization for the Advancement of Structured Information Standards (OASIS). The standard is currently at version 2.0.
- The principal’s User Agent (typically a browser) requests a resource from the Service Provider (SP), making an assertion of identity.
- If the user agent does not already have a valid session, the SP redirects the user agent to the Identity Provider (IdP).
- The user agent authenticates with the IdP. The IdP validates the supplied credentials and if correct, provides an authorization token.
- The user agent presents the SP with the authorization token.
- The SP verifies the token and if accepted, establishes a session and provides access to the resource.
SAML authorizations (or SAML tokens) are written in eXtensible Markup Language (XML). Communications are established using HTTP/HTTPS and the Simple Object Access Protocol (SOAP). These secure tokens are signed using the XML signature specification. The use of a digital signature allows the SP to trust the IdP.
Note: An XML signature wrapping attack allows a malicious user to strip the signature from a token and use it with a different token. The SAML implementation must perform adequate validation of requests to ensure that the signed token is the one being presented.
As an example of a SAML implementation, Amazon Web Services (AWS) can function as a SAML service provider. This allows companies using AWS to develop cloud applications to manage their customers’ user identities and provide them with permissions on AWS without having to create accounts
Shibboleth
an open source implementation of SAML. The main components of Shibboleth are as follows:
- Identity Provider—supports the authentication of users. The software can be integrated with LDAP, Kerberos, X.509, and other directory and authentication systems.
- Embedded Discovery Service—allows the user to select a preferred identity provider.
- Service Provider—processes calls for user authentication by contacting the user’s preferred identity provider and processing the authentication request and authorization response. The service provider can be used with the IIS and Apache web servers.
OpenID
the standard underpinning early “sign on with” features of websites. A solution such as SAML is typical of an enterprise-controlled federated identity management solution. OpenID is an example of a “user-centric” version of federated identity management. It allows users to select their preferred identity provider. This allows a consumer website, referred to as the relying party (RP), to accept new users without having to go through an account creation step first, improving availability.
OpenID
With OpenID, the identity provider does not usually share any profile information or data with the relying party. This requires a different trust relationship to be established. To do so would require the user’s consent. OAuth is a protocol designed to facilitate this sort of transfer of information or resources between sites. With OAuth, the user grants an OAuth consumer site the right to access resources stored on an OAuth provider website.
Compared to SAML transactions, OAuth uses REST (Representational State Transfer) web services, rather than SOAP, and JSON (JavaScript Object Notation) message format and JSON Web Tokens (JWT), rather than XML.
In OAuth, the “auth” stands for “authorization,” not “authentication.” Strictly speaking, if authentication is required, the user authenticates with the OAuth provider, not with the OAuth consumer.
OpenID Connect (OIDC)
technical issues with OpenID (notably incompatibility with native mobile applications) limited adoption of that protocol too.
To resolve these issues, a new set of functions and communication flows was added to the OAuth protocol and called OpenID Connect (OIDC). OpenID Connect replaces OpenID to provide an identity management layer over the OAuth 2 protocol so that a site can request an “authentication service” only.
OIDC is likely to be the mainstream choice for developers implementing federated identity on web/cloud applications and mobile apps.
To implement RADIUS authentication on an NPS in Windows Server 2016:
- In Server Manager, select Tools→Network Policy Server.
- In the Network Policy Server window, select RADIUS Clients and Servers.
- In the right pane, select Configure RADIUS Clients.
- Select Action→New.
- In the New RADIUS Client dialog box, in the Friendly name text box, type the name of your server.
- In the Address (IP or DNS) text box, type your server’s static IP address.
- In the Shared secret and Confirm shared secret text boxes, enter a password and select OK.
- In Server Manager, select Tools→Routing and Remote Access.
- In the Routing and Remote Access window, select your server and select Action→Properties.
- In the Properties window, select the Security tab.
- From the Authentication provider drop-down list, select RADIUS Authentication.
- Select Configure to display the RADIUS Authentication dialog box.
- In the RADIUS Authentication dialog box, select Add.
- In the Add RADIUS Server dialog box, in the Server name text box, type the name of your server to match the friendly name, and select Change.
- In the Change Secret dialog box, in the New secret and Confirm new secret text boxes, type the password you specified earlier.
- Select OK four times.
- If necessary, select Action→All Tasks→Restart to manually restart the server.
Access control or authorization models are generally classed as one of the following:
- Discretionary Access Control (DAC).
- Role-based Access Control (RBAC).
- Mandatory Access Control (MAC).
- Attribute-based Access Control (ABAC).
Discretionary access control (DAC)
stresses the importance of the owner. The owner is originally the creator of the resource, though ownership can be assigned to another user. The owner is granted full control over the resource, meaning that he or she can modify its ACL to grant rights to others. This is the most flexible model and is currently implemented widely in terms of computer and network security. In terms of file system security, it is the model used by most UNIX/Linux distributions and by Microsoft Windows. As the most flexible model, it is also the weakest because it makes centralized administration of security policies the most difficult to enforce. It is also the easiest to compromise, as it is vulnerable to insider threats.
Role-based access control (RBAC)
adds an extra degree of administrative control to the DAC model. Under RBAC, a set of organizational roles are defined, and users allocated to those roles. Under this system, the right to modify roles is reserved to administrative accounts. Therefore, the system is non-discretionary, as each user has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways. Users are said to gain rights implicitly (through being assigned to a role) rather than explicitly (being assigned the right directly).
Ideally, the rights of a role are set at design time and not changed under normal operating conditions. This means that administrators can focus on membership of different role groups, rather than what the roles can do. It also makes it harder for an attacker to “escalate” permissions gained through a hacked user account.
RBAC can be partially implemented in Windows through the concept of group accounts. RBAC is the most commonly implemented system on computer networks, as it re-establishes centralized, administrative control over important resources. To fully implement RBAC, you also need to define what tasks users can perform in a given application. Object-based ACLs are not flexible enough to do this. You also need to “turn off” the discretionary aspect of the underlying OS—not something that is currently supported by Windows.
Mandatory access control (MAC)
based on the idea of security clearance levels. Rather than defining access control lists on resources, each object and each subject is granted a clearance level, referred to as a label. If the model used is a hierarchical one (that is, high clearance users are trusted to access low clearance objects), subjects are only permitted to access objects at their own clearance level or below. Alternatively, each resource and user can be labeled as belonging to a domain (compartmentalized). A user may only access a resource if they belong to the same domain. This is an instance of a Need to Know policy put into practice. The labeling of objects and subjects takes place using pre-established rules. The critical point is that these rules cannot be changed (except by the system owner), and are, therefore, also non-discretionary. Also, a subject is not permitted to change an object’s label or to change his or her own label.
This type of access control is associated with military and secret service organizations, where the inconveniences forced on users are secondary to the need for confidentiality and integrity. The NSA developed Security Enhanced Linux (SELinux) as a means of implementing MAC. Novell’s AppArmor provides similar security mechanisms.
Attribute-based access control (ABAC)
the most fine-grained type of access control model. As the name suggests, an ABAC system is capable of making access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes. As well as group/role memberships, these attributes could include information about the OS currently being used, the IP address, or the presence of up-to-date patches and anti-malware. An attribute-based system could monitor the number of events or alerts associated with a user account or with a resource, or track access requests to ensure they are consistent in terms of timing of requests or geographic location. It could be programmed to implement policies, such as M-of-N control and separation of duties.
This sort of system is flexible and can be made sensitive to different levels of risk or threat awareness by making access conditional on the acceptance of a wide range of different attribute values. The cost of this flexibility is considerable complexity in terms of defining the logical rules that allow or deny access.
Rule-based access control
a term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users. As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-discretionary) access control. As well as the formal models, rule-based access control principles are increasingly being implemented to protect computer and network systems founded on discretionary access from the sort of misconfiguration that can occur through DAC.
One example is forcing applications such as web browsers to run in a “sandbox” mode to prevent malicious scripts on a website from using the privileges of the logged-on user to circumvent the security system. A key point is that privileges are restricted regardless of the user’s identity.
