group policy - University Of Worcester
COMP3123 Internet Security
Richard Henson, University of Worcester, October 2010

Week 5: Access Control with Audit & Monitoring: Security through “Group Policies”
Objectives:
- Explain the purpose of network “controls”
- Explain how a Group Policy Object (GPO) can be used to efficiently control network users via the local computer’s registry
- Implement an agreed GPO for users on an actual network
- Explain information auditing and how it is vital for network troubleshooting and accountability
Implementation of Security Policy on/through the network
- Policies are necessary for organisations to put their business goals into practice
- For ANY policy to be effective, a series of “controls” need to be enforced at an operational level
- A well-designed network operating system should assist with converting information security policy statements into practice
Windows, Information Security, and Group Policies
- An Information Security Policy should be a strategic document…
- But that policy has to be fully detailed to exert the degree of control that is required at an operational level…
- Fortunately, the planning necessary to create Group Policy Objects enables such detail to be fleshed out
Permissions and Rights
- Two categories of privileges allocated to network users…
- Permissions:
  » granted to a user/group of users to give a level of access to a network resource
    » e.g. writing to a folder, accessing a printer
- Rights:
  » granted to users so they can interact with aspects of the network environment
    » e.g. change system date/time, update device drivers
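As an added illustration (not part of the lecture slides), the following PowerShell checks one example of each kind of privilege on a Windows client: a folder permission, read from the resource's ACL, and the user right to change the system date/time, read from the current logon token. The folder path and the group name are assumptions chosen for the example; `Get-Acl`, `whoami /priv` and the privilege name `SeSystemtimePrivilege` are standard Windows.

```powershell
# Added example, not from the slides. Assumed values: the folder path and the group.
$folder = 'C:\Shared\Reports'    # assumed: any folder whose ACL you can read
$group  = 'BUILTIN\Users'        # assumed: the group whose access we are checking

# PERMISSION: granted on a resource. Read the folder's ACL and look for an
# Allow entry for the group that includes the full "Write" set of bits.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$writeAces = (Get-Acl -Path $folder).Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeMask) -eq $writeMask)
}
'{0} can write to {1}: {2}' -f $group, $folder, [bool]$writeAces

# RIGHT: granted to the user/token, not tied to any resource. "whoami /priv"
# lists the privileges the current logon session holds; SeSystemtimePrivilege
# is the right to change the system date/time (the slide's own example).
$timeRight = whoami /priv | Select-String -Pattern 'SeSystemtimePrivilege'
'Current user holds the change-system-time right: {0}' -f ($null -ne $timeRight)
```

The permission check deliberately tests for the whole `Write` mask rather than any single bit, so a group that can only append data is not reported as able to write. The right is reported as held whether it is currently enabled or disabled in the token, which is what matters for accountability.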
Policy, Network Users, and Accountability
- Organisational network users should have:
  » sufficient access to do their job
  » no access to the parts of the network they do not need to do their job
- IF properly planned and used, Windows policy objects provide such controls
- The network should also be able to monitor itself for signs of illegal activity and identify which user is responsible…
  » user IDs & audit logs allow this to be achieved
Windows Networking & Policy Objects
- Very many network settings are available & resource access can be controlled/audited
  » for a user – data for providing that control is held in the user’s own policy file
  » for a group of users – data held in a group policy file
- Networks often have many users, so the best way to put controls into practice is to use Group Policy Objects
  » carefully identify a number of groups
  » carefully allocate users to groups according to their network needs
What are Windows Group Policy Objects?
- Customised files of data that can overwrite part of the registry (!)
  » stored with supporting files (e.g. .msi) on domain controllers in a shared folder called SYSVOL
- Contain a large number of policy settings downloaded and applied to:
  » domain member client computers, when the computer is booted up (computer/system policy)
  » user desktop settings, when the user logs on (user/group policy)
The Registry and Controlling Users
- Users don’t do their work at servers or domain controllers
  » but DO use resources made centrally available using Active Directory
- Network-mediated control is delivered at the user end through controlling the registry
  » client machine boots up with its own registry settings
  » during login, some/many of these get overwritten by downloaded data
Applying Computer Policies to the Local Registry
- Happens during system initialisation
- Control:
  » operating system
  » applications
  » start-up and shutdown scripts
- Focus on HKEY_LOCAL_MACHINE
  » all hardware configured
  » presents the logon screen
Applying User Policies
- Applied at login
- Control:
  » desktop settings
  » application settings
  » folder redirection
  » user logon and logoff scripts
- Focus on HKEY_CURRENT_USER
- Used to apply a configuration to a specific group of users – wherever they log on
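To see the two registry hives from the last two slides being overwritten in practice, here is an added PowerShell example (not from the slides or from Microsoft documentation). The two policy roots it reads, `HKLM:\SOFTWARE\Policies` and `HKCU:\Software\Policies`, are the real locations that computer policy and user policy write to; what appears under them depends entirely on the GPOs applied to the computer and user running it. `gpresult` is the standard Windows tool that reports which GPOs were applied.

```powershell
# Added example, not from the slides. The two policy roots below are the real
# locations Windows policy writes to; what appears under them depends on the
# GPOs applied to this computer and user. Run in an elevated PowerShell on a
# domain-joined client.

$policyRoots = [ordered]@{
    'Computer policy (HKEY_LOCAL_MACHINE, applied at boot)' = 'HKLM:\SOFTWARE\Policies'
    'User policy (HKEY_CURRENT_USER, applied at logon)'     = 'HKCU:\Software\Policies'
}

foreach ($entry in $policyRoots.GetEnumerator()) {
    Write-Host "== $($entry.Key): $($entry.Value) =="
    if (-not (Test-Path -Path $entry.Value)) {
        Write-Host '   (no policy values have been written here)'
        continue
    }
    # Walk every subkey under the policy root and print each value it holds.
    # These are the registry entries that the downloaded policy data has
    # overwritten; both Policies keys are ACLed so that ordinary users can
    # read but not change them.
    Get-ChildItem -Path $entry.Value -Recurse | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {
            '{0}\{1} = {2}' -f $key.Name, $valueName, ($key.GetValue($valueName) -join ', ')
        }
    }
}

# Resolve the same settings back to the GPOs that supplied them: gpresult
# reports the policy objects applied at boot (computer scope) and at logon
# (user scope), plus the security groups used for filtering.
gpresult /r /scope:computer
gpresult /r /scope:user
```

Running the script before and after a new GPO is linked shows the overwrite directly: values appear under the matching hive only once the computer has rebooted (computer policy) or the user has logged on again (user policy).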
Local Security Policy
- You will see in this week’s practical the scope for setting security policy on a local machine:
  » many different local settings
  » put into effect by overwriting registry settings during system initialisation
- Local security settings are obtained from an editable local security policy file
  » Windows (from 2000 onwards) provides templates for quick production of a local security policy
  » also possible to produce a template from scratch
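The editable local security policy file the slide refers to can be produced from a running machine with the built-in `secedit` tool. The following is an added PowerShell example, not part of the slides: it exports the effective local security policy into a `.inf` template, parses the `[System Access]` section back out, and compares three account-policy values against the thresholds an organisation's policy document might require. The section and key names (`[System Access]`, `MinimumPasswordLength`, `PasswordComplexity`, `LockoutBadCount`) are the ones `secedit` writes; the required thresholds are illustrative assumptions.

```powershell
# Added example, not from the slides. Requires an elevated prompt; secedit and
# the .inf key names are standard Windows, the thresholds are assumptions.

$cfg = Join-Path $env:TEMP 'local-policy.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# The exported template is plain INI text, so a small section/key parser is
# enough to turn it into a lookup table keyed "Section/Key".
$settings = @{}
$section  = ''
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
        $settings["$section/$($Matches[1])"] = $Matches[2]
    }
}

# What the organisation's security policy document requires (illustrative).
$required = @{
    'System Access/MinimumPasswordLength' = 8    # at least this many characters
    'System Access/PasswordComplexity'    = 1    # 1 = complexity enforced
    'System Access/LockoutBadCount'       = 5    # lock out after at most this many failures
}

foreach ($k in $required.Keys) {
    $actual = [int]$settings[$k]   # missing key -> 0, which will fail the check
    # A lockout threshold of 0 means "never lock out", so it is non-compliant
    # even though 0 is numerically below the required maximum.
    $ok = if ($k -like '*LockoutBadCount') { ($actual -gt 0) -and ($actual -le $required[$k]) } else { $actual -ge $required[$k] }
    $verdict = if ($ok) { 'OK' } else { 'NON-COMPLIANT' }
    '{0,-40} actual={1,-3} required={2,-3} {3}' -f $k, $actual, $required[$k], $verdict
}

# To put an edited template back into force as the machine's new local policy
# (this is the "overwriting registry settings" step the slide describes):
#   secedit /configure /db "$env:TEMP\local-policy.sdb" /cfg $cfg /areas SECURITYPOLICY
```

The export/compare/configure cycle is the same one the graphical Local Security Policy editor performs behind the scenes; doing it in a script makes the check repeatable, which matters for the regular internal audits discussed later in the lecture.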
Policy Settings Available…
- Huge flexibility…
- 600 settings in all, including:
  » accounts policies
  » local policies
  » PKI policies
  » IP security policies
- Combination of user policies, computer policies, and group policies can provide very effective control (or “controls”)
Active Directory Group Policy
- Very useful for implementing the same security controls on multiple computers:
  » individually
  » across a domain
  » across a site (“forest” of domains)
- In each case, the local registry settings are overwritten by a copy of the group policy object
Configuration of Group Policies
- Managed from the Active Directory Services and Sites “snap-in”
  » can use modified template files
  » settings from template files:
    » held within Active Directory
    » downloaded to local computers when users log on to the domain
Configuration and Group Policies
- Logging on and applying policies:
  » logon information compared with the Active Directory store
  » assuming that the user account/password pair are valid…
    » appropriate policy file(s) for that user downloaded from the Active Directory
  » local group policy applied
  » then, if the user is logging on to a domain…
    » (some) settings overridden by domain policy
Site Policies
- Can be applied across domain trees
  » to a whole domain forest!
- Should only be applied regarding issues relating to
  » physical locations of users
  » physical locations of computers
- Therefore, shouldn’t be used very often…
Domain Policies
- The domain is the primary place where group policies for the organisation should be implemented
- Example:
  » a security policy document that lays down specific user login requirements for all users
  » should be applied as a domain policy
- At operational level…
  » user logs onto the domain
  » domain sets controls and auditing based on that userID
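The slide's example, login requirements imposed on every user by a domain policy, can be inspected from the administrator's side with the RSAT `ActiveDirectory` and `GroupPolicy` PowerShell modules. The following is an added example (not from the slides, and not Microsoft's own sample code): it reads the domain-wide account policy, lists the GPOs linked at the domain root in precedence order, and shows the registry values one GPO would write. It assumes a domain-joined machine with the RSAT modules installed and an account permitted to read GPOs; `Default Domain Policy` is the standard name of the built-in GPO, and the registry key queried in step 3 is only an example path.

```powershell
# Added example, not from the slides. Needs the RSAT ActiveDirectory and
# GroupPolicy modules on a domain-joined machine.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. The account policy the domain imposes on every user at logon: this is
#    the "user login requirements for all users" case from the slide.
$pw = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    MinPasswordLength    = $pw.MinPasswordLength
    ComplexityEnabled    = $pw.ComplexityEnabled
    PasswordHistoryCount = $pw.PasswordHistoryCount
    MaxPasswordAgeDays   = $pw.MaxPasswordAge.Days
    LockoutThreshold     = $pw.LockoutThreshold
    LockoutDurationMins  = $pw.LockoutDuration.TotalMinutes
} | Format-List

# 2. Which GPOs are linked at the domain root and in what precedence.
#    Link order 1 wins where two GPOs set the same value; an Enforced link
#    cannot be overridden by GPOs linked lower down (e.g. on an OU).
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 3. The registry-based settings one GPO will write into clients' registries
#    (the overwrite described on the earlier slides). The key path is an
#    example; the call returns nothing if that key is not configured in the GPO.
$gpo = Get-GPO -Name 'Default Domain Policy'
Get-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue |
    Select-Object Hive, KeyPath, ValueName, Type, Value |
    Format-Table -AutoSize
```

Step 1 is the quickest way to confirm that the domain, rather than each client's local policy, is the authority for password length and lockout: whatever a local security template says, the values returned here are the ones that apply once the user logs on to the domain.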
Settings that can ONLY be set by Group Policies
- Certain settings CANNOT be changed by domain users!!!
  » Event logs
  » Restricted groups
  » System services
  » Registry
  » File system
  » Shares & Folder redirection
Account Administration and Accountability
- Each user is responsible for all events that happen on the network associated with their userID (username)
- To assist users with responsible use of network resources, all aspects of user activity need to be audited or at least monitored
  » monitored: use of alerts to flag abnormal events, e.g. attempted illegal access
  » audited: details of user activity and effects written to a .log text file
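The distinction the slide draws, auditing (a record is written) versus monitoring (abnormal events are flagged), can be shown on a single Windows machine. The following is an added PowerShell example, not from the slides: it first turns on auditing of failed logons so that the operating system records them in the Security log, then reads that log back and raises an alert for any account with an abnormal number of failures. `auditpol`, its subcategory names and Windows event ID 4625 (an account failed to log on) are real; the one-hour window and the threshold of five failures are assumptions.

```powershell
# Added example, not from the slides. auditpol subcategories and event ID 4625
# are standard Windows; the window and threshold are illustrative. Run elevated.

# 1. AUDIT: make sure failed logons and lockouts are written to the Security log.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null
auditpol /get /category:"Logon/Logoff"

# 2. MONITOR: read the audit trail and flag accounts with many failures.
$window    = (Get-Date).AddHours(-1)   # assumed: look back one hour
$threshold = 5                          # assumed: alert at 5 or more failures

$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $window
} -ErrorAction SilentlyContinue        # no matching events -> $null, not an error

$alerts = $failures | ForEach-Object {
    # 4625 stores its fields as positional event-data properties:
    # index 5 is TargetUserName, index 19 is the source IpAddress.
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $_.Properties[5].Value
        Source  = $_.Properties[19].Value
    }
} | Group-Object -Property Account | Where-Object Count -ge $threshold

foreach ($a in $alerts) {
    $sources = ($a.Group.Source | Sort-Object -Unique) -join ', '
    $msg = 'ALERT: {0} failed logons for "{1}" since {2:HH:mm} from {3}' -f $a.Count, $a.Name, $window, $sources
    Write-Warning $msg
}
```

Because every 4625 record carries the target user name, the alert ties the abnormal activity to a specific userID, which is exactly the accountability the slide asks for. Grouping by account rather than by source address also catches a password-guessing attempt spread across several machines.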
Access Control Models
- Centralised
  » all administrative tasks take place at a very small number of central locations, regardless of where the resource is held
  » uses centralised authentication, authorisation, and security management servers
- De-centralised
  » admin tasks all done on individual systems
  » effects and control of resource are at least logically local
    » physical control of system could still be remote, e.g. via group policy objects overwriting registry settings
Roles associated with Information Management & Security
- Senior Management
  » ultimate responsibility for maintaining information security of organisational data…
- Designated Information Security Officer/Manager
  » responsible for maintaining the security of the organisation’s information systems
- Owner (of data)
  » assigns permissions to data depending on sensitivity and value to the organisation
More Roles associated with Security of Organisational Data
- Custodian
  » assigns permissions to data objects using organisational security infrastructure
- User
  » performs work tasks in accordance with organisational information security policy
- Auditor
  » monitors environment for security compliance and violation
“Principle of Least Privilege” and combating Collusion
- Principle of least privilege can be applied to administrators
  » no one administrator should have sweeping powers…
- This means an administrator can only cause widespread damage through “collusion”
  » “the act of convincing others to participate in unethical, security-compromising, and possibly illegal activity”
- In the interests of security, organisations must take strong steps to prevent collusion…
Auditing & Monitoring
- Gathering information to check what is/was going on…
  » auditing - digital information environment
  » monitoring - the physical environment
- Purpose – relating to IS policy:
  » verify compliance
  » detect intrusions & policy violations…
Types of Functional Controls relating to Information Security Policy
- Directive
  » guidance - how to comply, e.g. EU Directives
- Preventative
  » prevent or discourage violations (e.g. of policy)
- Detective
  » detect violations, e.g. intrusion detection systems
- Corrective
  » detect & put system back to previous state
- Recovery
  » more extensive version of “correct”; restores state
Security (Internal) Auditing
- Testing procedures devised to ensure compliance with policy
  » at operations level, the mechanism for putting procedures into practice
    » should be consistent
    » should take place on a regular basis…
- Goal:
  » problem identification
  » problem resolution
    » minimise risk
    » prevent reoccurrence
    » prevent system downtime
Physical Auditing Tools
- CCTV
  » physical environment monitoring
  » someone needs to physically look at the recorded video
- Keystroke monitoring
  » check for abuse or impersonations
- Dumpster diving
  » checking litter bins, etc.
System Auditing Tools
- Traffic/Trend Analysis
  » watching for communication patterns…
  » reveals user ID, data volumes & sending times
  » can detect covert channels
- Event monitoring/auditing
  » events monitored and type of monitoring controlled through group policies
  » operating system provides a record by saving details to audit logs
- Real time analysis
  » on the lookout for particular events
  » sends “alerts” when such events have been detected
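Real-time analysis differs from reading an audit log after the fact: the tool subscribes to the log and reacts as each record is written. The following is an added PowerShell example (not from the slides) of that pattern on Windows, using the .NET `EventLogWatcher` class through `Register-ObjectEvent`. The four event IDs are real Windows audit events; which of them actually appear depends on the audit settings group policy has applied to the machine. Where the alert is sent is left as a comment, since that depends on the organisation's tooling.

```powershell
# Added example, not from the slides: subscribe to the Security log and raise an
# alert the moment one of the watched audit events is written. Event IDs are real
# Windows audit events; run elevated with auditing for them already enabled.

$watched = @{
    4625 = 'failed logon'
    4740 = 'account locked out'
    4720 = 'user account created'
    4732 = 'member added to a security-enabled local group'
}

# Build an XPath filter that selects only the watched IDs, so the watcher is
# woken for those events and nothing else.
$idFilter = ($watched.Keys | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath    = "*[System[$idFilter]]"
$query    = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
                'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher  = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new($query)

$null = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier 'SecurityLogWatch' -MessageData $watched -Action {
        $rec = $EventArgs.EventRecord
        if ($null -eq $rec) { return }            # a read error, not an event
        $label = $Event.MessageData[[int]$rec.Id]
        $desc  = $rec.FormatDescription()
        $first = if ($desc) { ($desc -split "`r?`n")[0] } else { '(no description available)' }
        Write-Host ('{0:HH:mm:ss} ALERT event {1} ({2}): {3}' -f $rec.TimeCreated, $rec.Id, $label, $first)
        # A deployment would forward this alert to a SIEM, ticket queue or pager here.
    }

$watcher.Enabled = $true
Write-Host 'Watching the Security log for audit events; press Ctrl+C to stop.'
try     { while ($true) { Start-Sleep -Seconds 1 } }
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier 'SecurityLogWatch'
    $watcher.Dispose()
}
```

The XPath filter is applied inside the event log service, so the script is only woken for the handful of IDs it cares about; that is what keeps a real-time analyser cheap enough to leave running on every server.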
Useful Auditing Tools
- Intrusion Detection/Prevention
  » checks for (attempted) breaches of security policy
  » makes sure attempted breaches are not successful (e.g. using strong authentication, traffic filters)
- Illegal Software Monitoring
  » checking for installation of unapproved software that could make the environment insecure
“ethical hacking” tools & auditing
- Penetration Testing – trying to hack in to show the weaknesses of the system…
- war dialling
  » gathering modem dialling data
- sniffing
  » collecting network packets
    » reading header data to produce statistical data
    » possibly reading packet payload
    » can even recreate packets with a different (spoof) IP address
- eavesdropping
  » act of listening in to communications, usually with a sniffer
- radiation/emanation monitoring
  » detecting and reading electromagnetic signals around copper cables and other devices to gather data
- Social Engineering
  » getting information by (deceptively) asking for it…
Detecting “Inappropriate Activities”
- Should be an “acceptable use” policy
  » clear definition of “inappropriate activities”
- Includes certain employee actions
  » may not themselves be illegal…
  » BUT may compromise system reliability or CIA or security
- Examples…
  » wasting resources
  » hosting inappropriate content
  » racial/sexual harassment
  » abusing/not respecting assigned access rights
Detecting Illegal Activities
- Fraud
  » violation of the integrity of business processes
  » may seem attractive and undetected to the perpetrator…
    » but secure system environments are easily designed to detect/protect against fraud
- Collusion
  » act of conspiring to commit a crime
    » in this case… to make a security violation
  » detected through detailed user monitoring
  » prevented through job separation, etc.
Careers in Information Security: Why A Degree isn’t enough…
- You need three things to give you a head start in becoming a successful Information Security Specialist:
  » theoretical knowledge (degree)
  » practical knowledge (placement)
  » professional qualifications (further evidence that you know how to apply your stuff in a non-academic environment)
- You also need to be a good communicator…
  » especially at “management level”
Getting Certified as an Information Security Professional
- Microsoft provide their own set of syllabuses and exams leading to:
  » Specialist: MCTS (pass 1-3 exams, one year’s relevant experience)
    » important to include a security-related module if you wish to follow such a career path on Microsoft networks
  » Professional: MCITP (pass 1-3 professional exams, as well as MCTS)
- Not all networks are Microsoft…
  » Highly regarded security qualifications from ISC2 based on principles and not platform-specific…
ISC2 qualifications
- SSCP
  » seven modules
  » recommended one year’s experience working with networks (placement would do…)
- CISSP
  » eleven modules
  » two years working in the Information Security industry considered essential