Document

Download Report

Transcript Document 

Limiting Access to Data
&
Configuration file
Limiting Access to Data and
Configuration Files
 Should an attacker obtain remote access to the system through a
non-administrative account, he will often look for ways to elevate his
privileges to gain full control over the host and to access sensitive
data or configuration files.
 By taking the time to set the appropriate access restrictions on such
files, you can significantly impede the attacker's progress.
 In this section we take a brief look at defining file system level
permissions for UNIX and Windows, as well as limiting permissions
to the Registry on Windows systems.
Limiting Access to Data and
Configuration Files
 In order to implement file access restrictions, you need to make sure
the host uses a file system that supports security permissions.
 Legacy file systems for DOS and Windows, such as FAT and FAT32,
cannot restrict file access, granting all local users full control over
any file on the host.
 Microsoft has since equipped Windows with a much more powerful
file system, called NTFS, that allows administrators to control who
can access a local file and what that user can do with it.
Limiting Access to Data and
Configuration Files
 Like NTFS, UNIX-based file systems allow administrators to restrict
file access based on the user's identity.
 UNIX platforms are typically more careful about granting file
permissions than Windows.
 Attackers may still exploit vulnerabilities because of loose file
permissions on default installations of UNIX operating systems.
Limiting Access to Data and
Configuration Files
 Be sure to carefully test the system's configuration after tightening
its file system permissions to verify that the necessary applications
continue to function.
 For
example,
if
you
restrict
default
permissions
in
the
%SystemRoot% directory on Windows, this might create a problem
when a user attempts to print. The %SystemRoot%\system32\spool\
printers folder requires read and write access for users to be able to
print successfully.
Limiting Access to Data and
Configuration Files
 UNIX operating systems typically use files for storing OS and
application-related configuration details.
 Limiting access to such data involves manipulating file system level
access restrictions.
 Although Windows also uses files for storing some configuration
parameters, it increasingly relies on the Registry database for
maintaining local system information.
Limiting Access to Data and
Configuration Files
 You can use the Regedit32 and Regedit utilities that come with
Windows to set access control restrictions on Registry keys.
 If your organization is using Active Directory, you can also distribute
Registry permission settings through Group Policy.