group policy - University Of Worcester


COMP3123
Internet Security
Richard Henson
University of Worcester
October 2010
Week 5: Access Control with Audit & Monitoring: Security through “Group Policies”

Objectives:

• Explain the purpose of network “controls”
• Explain how a Group Policy Object (GPO) can be used to efficiently control network users via the local computer’s registry
• Implement an agreed GPO for users on an actual network
• Explain information auditing and how it is vital for network troubleshooting and accountability
Implementation of Security Policy on/through the network

• Policies are necessary for organisations to put their business goals into practice
• For ANY policy to be effective, a series of “controls” need to be enforced at an operational level
• A well-designed network operating system should assist with converting information security policy statements into practice
Windows, Information Security, and Group Policies

• An Information Security Policy should be a strategic document…
  » but that policy has to be fully detailed to exert the degree of control that is required at an operational level…
  » fortunately, the planning necessary to create Group Policy Objects enables such detail to be fleshed out

Permissions and Rights

Two categories of privileges allocated to network users…

• Permissions: granted to a user/group of users to give a level of access to a network resource
  » e.g. writing to a folder, accessing a printer
• Rights: granted to users so they can interact with aspects of the network environment
  » e.g. change system date/time, update device drivers
Policy, Network Users, and Accountability

• Organisational network users should have:
  » sufficient access to do their job
  » no access to the parts of the network they do not need to do their job
• IF properly planned and used, Windows policy objects provide such controls
• The network should also be able to monitor itself for signs of illegal activity
  » and identify which user is responsible…
  » user IDs & audit logs allow this to be achieved
Windows Networking & Policy Objects

• Very many network settings are available & resource access can be controlled/audited
  » for a user – data for providing that control is held in the user’s own policy file
  » for a group of users – data is held in a group policy file
• Networks often have many users, so the best way to put controls into practice is to use Group Policy Objects
  » carefully identify a number of groups
  » carefully allocate users to groups according to their network needs
What are Windows Group Policy Objects?

• Customised files of data that can overwrite part of the registry (!)
  » stored with supporting files (e.g. .msi) on domain controllers in a shared folder called SYSVOL
• Contain a large number of policy settings, downloaded and applied to:
  » domain member client computers, when the computer is booted up (computer/system policy)
  » user desktop settings, when the user logs on (user/group policy)
The Registry and Controlling Users

• Users don’t do their work at servers or domain controllers
  » but DO use resources made centrally available using Active Directory
• Network-mediated control is delivered at the user end by controlling the registry
  » client machine boots up with its own registry settings
  » during login, some/many of these get overwritten by downloaded data
Applying Computer Policies to the Local Registry

• Happens during system initialisation
• Control:
  » operating system
  » applications
  » start-up and shutdown scripts
• Focus on HKEY_LOCAL_MACHINE
  » all hardware configured
  » presents the logon screen
Applying User Policies

• Applied at login
• Control:
  » desktop settings
  » application settings
  » folder redirection
  » user logon and logoff scripts
• Focus on HKEY_CURRENT_USER
• Used to apply a configuration to a specific group of users – wherever they log on
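The two slides above say that computer policy is written into HKEY_LOCAL_MACHINE at boot and user policy into HKEY_CURRENT_USER at logon. The following script is an added example (not part of the lecture material) that lets you see exactly which values policy processing has written into each hive on a client, and cross-checks them against the applied GPOs that the built-in gpresult tool reports. It assumes a domain-joined Windows client and a PowerShell 5.1 or later session; the two "Policies" subtrees it reads are the standard locations for registry-based (ADMX) settings.

```powershell
# Added example (not from the lecture slides): list the registry values that
# Group Policy has written into the two hives the slides describe.
# Computer policy lands under HKEY_LOCAL_MACHINE, user policy under
# HKEY_CURRENT_USER; both use a "...\Policies" subtree that only policy
# processing is expected to write to.

function Get-AppliedPolicyValues {
    param(
        # Which hive to read: Machine (computer policy) or User (user policy)
        [ValidateSet('Machine', 'User')]
        [string]$Scope
    )

    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }

    # The two subtrees Group Policy uses for registry-based (ADMX) settings
    $roots = @(
        "$hive\SOFTWARE\Policies",
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
    )

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # nothing applied under this root

        # The root key itself plus every subkey beneath it
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Scope = $Scope
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# Computer policy (applied at boot) and user policy (applied at logon), side by side
$machine = @(Get-AppliedPolicyValues -Scope Machine)
$user    = @(Get-AppliedPolicyValues -Scope User)

"{0} computer-policy values, {1} user-policy values" -f $machine.Count, $user.Count
$machine + $user | Sort-Object Scope, Key | Format-Table -AutoSize

# Cross-check against what the client believes was applied: gpresult is a
# built-in tool and /r prints the applied GPOs and the security groups used
gpresult /r
```

Run it once before and once after a `gpupdate /force` to watch a newly linked policy appear under the HKLM subtree at the computer refresh and under HKCU at the user refresh; a value under either subtree that does not correspond to any applied GPO is worth investigating, because nothing but policy processing should be writing there.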
Local Security Policy

• You will see in this week’s practical the scope for setting security policy on a local machine:
  » many different local settings
  » put into effect by overwriting registry settings during system initialisation
• Local security settings are obtained from an editable local security policy file
  » Windows (from 2000 onwards) provides templates for quick production of local security policy
  » also possible to produce a template from scratch
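The editable local security policy file the slide refers to is the .inf template format that the built-in secedit tool imports and exports. As an added example (not from the lecture or the practical), the script below exports the current local policy to a template, reads the account-policy values from its [System Access] section, and compares them with the minimums a written security policy might demand. It assumes an elevated PowerShell session on Windows; the thresholds in `$required` are illustrative values, not the University's actual policy.

```powershell
# Added example (not from the lecture): export the local security policy to
# an .inf template with the built-in secedit tool, then read the account
# policy values from the [System Access] section so they can be checked
# against what the written security policy requires.

$infPath = Join-Path $env:TEMP 'local-policy-export.inf'

# /export writes the current local policy as an editable template; the same
# file format is what the built-in templates and "secedit /configure" use
secedit /export /cfg $infPath | Out-Null

# Parse only the [System Access] section: lines of the form  Name = Value
$section = $null
$systemAccess = @{}
foreach ($line in Get-Content -Path $infPath) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
        $systemAccess[$Matches[1]] = $Matches[2].Trim()
    }
}

# Illustrative requirements (placeholders, not a real policy document)
$required = @{
    MinimumPasswordLength = 12   # characters
    PasswordComplexity    = 1    # 1 = complexity rules enforced
    LockoutBadCount       = 10   # failed attempts before lockout (0 = never lock out)
}

foreach ($setting in $required.Keys) {
    $actual = [int]$systemAccess[$setting]   # missing setting reads as 0
    $ok = switch ($setting) {
        # lockout must be enabled (non-zero) and no looser than the requirement
        'LockoutBadCount' { $actual -gt 0 -and $actual -le $required[$setting] }
        default           { $actual -ge $required[$setting] }
    }
    "{0,-24} actual={1,-4} required={2,-4} {3}" -f $setting, $actual,
        $required[$setting], $(if ($ok) { 'OK' } else { 'NON-COMPLIANT' })
}
```

The same .inf can be edited and re-applied with `secedit /configure /db <database> /cfg <file>`, which is how a template produced "from scratch" is put into effect; on a domain member the domain policy will overwrite these local values at the next refresh, which is the behaviour the later slides describe.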
Policy Settings Available…

• Huge flexibility… 600 settings in all, including:
  » accounts policies
  » local policies
  » PKI policies
  » IP security policies
• Combination of user policies, computer policies, and group policies can provide very effective control (or “controls”)
Active Directory Group Policy

• Very useful for implementing the same security controls on multiple computers:
  » individually
  » across a domain
  » across a site (“forest” of domains)
• In each case, the local registry settings are overwritten by a copy of the group policy object
Configuration of Group Policies

• Managed from the Active Directory Services and Sites “snap-in”
• Can use modified template files
• Settings from template files:
  » held within Active Directory
  » downloaded to local computers when users log on to the domain
Configuration and Group Policies

Logging on and applying policies:

• logon information compared with Active Directory store
• assuming that the user account/password pair is valid…
  » appropriate policy file(s) for that user downloaded from the Active Directory
• local group policy applied
• then, if the user is logging on to a domain…
  » (some) settings overridden by domain policy
Site Policies

• Can be applied across domain trees
  » to a whole domain forest!
• Should only be applied regarding issues relating to
  » physical locations of users
  » physical locations of computers
• Therefore, shouldn’t be used very often…
Domain Policies

• The domain is the primary place where group policies for the organisation should be implemented
• Example:
  » security policy document that lays down specific user login requirements for all users
  » should be applied as a domain policy
• At operational level…
  » user logs onto domain
  » domain sets controls and auditing based on that userID
Settings that can ONLY be set by Group Policies

Certain settings CANNOT be changed by domain users!!!

• Event logs
• Restricted groups
• System services
• Registry
• File system
• Shares & Folder redirection
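The "Domain Policies" slide gives the example of a login requirement for all users applied as a domain policy, and the slide above lists the settings that a domain user cannot override. As an added example (not from the lecture), the script below authors such a GPO with the GroupPolicy PowerShell module that ships with RSAT and on domain controllers: it creates the GPO (whose files go into SYSVOL), sets a registry-based interactive-logon notice under HKLM so that it is applied at boot and is outside the user's control, and links the GPO at domain level. The GPO name, the domain DN and the notice text are placeholders; only registry-based settings can be set this way, so the security-settings items on the slide (event log sizes, restricted groups, services) are configured through the Group Policy Management Editor rather than these cmdlets.

```powershell
# Added example (not from the lecture): author a domain GPO that enforces a
# logon-time setting for every user, then link it to the domain.
# Requires the GroupPolicy module (RSAT or a domain controller) and a
# domain admin session.

Import-Module GroupPolicy

$gpoName  = 'Lecture Example - Logon Notice'   # placeholder GPO name
$domainDN = 'DC=example,DC=local'               # placeholder domain DN

# Create the GPO (its files go into SYSVOL, as the slides describe) or reuse it
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Interactive logon notice for all users'
}

# Registry-based computer setting: the interactive-logon legal notice.
# It lives under HKLM, so it is applied at boot and a domain user cannot
# change it; the next policy refresh overwrites any local edit.
$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'legalnoticecaption' `
    -Type String -Value 'Authorised use only' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'legalnoticetext' `
    -Type String -Value 'All activity on this system is audited against your user ID.' | Out-Null

# Link at domain level so the setting reaches every domain-joined computer
$linked = (Get-GPInheritance -Target $domainDN).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# Read the setting back from the GPO to confirm what will be delivered
Get-GPRegistryValue -Name $gpoName -Key $key |
    Format-Table ValueName, Type, Value -AutoSize
```

On a client, `gpupdate /force` followed by a reboot pulls the new computer policy, after which the two values appear under the HKLM Policies subtree and the notice is shown before the logon screen; a user editing the local registry to remove it only succeeds until the next refresh.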
Account Administration and Accountability

• Each user is responsible for all events that happen on the network associated with their userID (username)
• To assist users with responsible use of network resources, all aspects of user activity need to be audited or at least monitored
  » monitored: use of alerts to flag abnormal events, e.g. attempted illegal access
  » audited: details of user activity and effects written to a .log text file
Access Control Models

• Centralised
  » all administrative tasks take place at a very small number of central locations, regardless of where the resource is held
  » uses centralised authentication, authorisation, and security management servers
• De-centralised
  » admin tasks all done on individual systems
  » effects and control of resources are at least logically local
  » physical control of the system could still be remote, e.g. via group policy objects overwriting registry settings
Roles associated with Information Management & Security

• Senior Management
  » ultimate responsibility for maintaining information security of organisational data…
• Designated Information Security Officer/Manager
  » responsible for maintaining the security of the organisation’s information systems
• Owner (of data)
  » assigns permissions to data depending on sensitivity and value to the organisation
More Roles associated with Security of Organisational Data

• Custodian
  » assigns permissions to data objects using organisational security infrastructure
• User
  » performs work tasks in accordance with organisational information security policy
• Auditor
  » monitors environment for security compliance and violation
“Principle of Least Privilege” and combating Collusion

• Principle of least privilege can be applied to administrators
  » no one administrator should have sweeping powers…
• This means an administrator can only cause widespread damage through “collusion”
  » “the act of convincing others to participate in unethical, security-compromising, and possibly illegal activity”
• In the interests of security, organisations must take strong steps to prevent collusion…
Auditing & Monitoring

• Gathering information to check what is/was going on…
  » auditing – digital information environment
  » monitoring – the physical environment
• Purpose – relating to IS policy:
  » verify compliance
  » detect intrusions & policy violations…
Types of Functional Controls relating to Information Security Policy

• Directive
  » guidance – how to comply, e.g. EU Directives
• Preventative
  » prevent or discourage violations (e.g. of policy)
• Detective
  » detect violations, e.g. intrusion detection systems
• Corrective
  » detect & put system back to previous state
• Recovery
  » more extensive version of “corrective”; restores state
Security (Internal) Auditing

• Testing procedures devised to ensure compliance with policy
  » at operations level, the mechanism for putting procedures into practice
  » should be consistent
  » should take place on a regular basis…
• Goal:
  » problem identification
  » problem resolution: minimise risk, prevent reoccurrence, prevent system downtime
Physical Auditing Tools

• CCTV
  » physical environment monitoring
  » someone needs to physically look at the recorded video
• Keystroke monitoring
  » check for abuse or impersonations
• Dumpster diving
  » checking litter bins, etc.
System Auditing Tools

• Traffic/Trend Analysis
  » watching for communication patterns…
  » reveals user ID, data volumes & sending times
  » can detect covert channels
• Event monitoring/auditing
  » events monitored and type of monitoring controlled through group policies
  » operating system provides a record by saving details to audit logs
• Real time analysis
  » on the look out for particular events
  » sends “alerts” when such events have been detected
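The "Account Administration and Accountability" slide distinguishes auditing (activity written to a log) from monitoring (alerts on abnormal events such as attempted illegal access), and the slide above says which events are logged is controlled through group policy. The following added example (not part of the lecture) puts the two together on a Windows client: it checks with the built-in auditpol tool that failure auditing for the Logon subcategory is in effect, then reads Security event 4625 ("An account failed to log on") for the last hour and raises a warning for any account over a threshold. It assumes an elevated session on a domain-joined Windows machine with English auditpol output; the look-back window and threshold are illustrative choices.

```powershell
# Added example (not from the lecture): turn the audit log into an alert.
# First confirm the effective audit policy (set by group policy) records
# logon failures, then count failed logons per account and flag outliers.

function Test-LogonAuditEnabled {
    # auditpol is built in; the Logon subcategory must include Failure auditing.
    # The regex matches the "  Logon   <setting>" line, not "Logon/Logoff".
    $line = auditpol /get /subcategory:"Logon" 2>$null |
            Select-String -Pattern '^\s*Logon\s'
    return ($null -ne $line -and $line.Line -match 'Failure')
}

function Get-FailedLogonSummary {
    param(
        [int]$Hours = 1,        # look-back window
        [int]$Threshold = 5     # failures per account that count as "abnormal"
    )

    # 4625 = "An account failed to log on". In its event data, property
    # index 5 is TargetUserName and index 19 is IpAddress.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $events |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.Properties[5].Value
                Source  = $_.Properties[19].Value
                Time    = $_.TimeCreated
            }
        } |
        Group-Object Account |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
                Abnormal = $_.Count -ge $Threshold
            }
        } |
        Sort-Object Failures -Descending
}

if (-not (Test-LogonAuditEnabled)) {
    Write-Warning 'Failure auditing for Logon is off; 4625 events will not be recorded.'
}

$summary = Get-FailedLogonSummary -Hours 1 -Threshold 5
$summary | Format-Table -AutoSize

# The "alert" the slides mention: one warning line per abnormal account
$summary | Where-Object Abnormal | ForEach-Object {
    Write-Warning ("{0} failed logons for '{1}' from {2}" -f
        $_.Failures, $_.Account, $_.Sources)
}
```

The audit policy check matters because an empty result from the event query is ambiguous: either nobody failed to log on, or failure auditing was never switched on for this machine, and only the auditpol output distinguishes the two. The same pattern (check the policy, then query the log, then threshold) extends to the other audited events the slides list, such as object access on an audited folder.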
Useful Auditing Tools

• Intrusion Detection/Prevention
  » checks for (attempted) breaches of security policy
  » makes sure attempted breaches are not successful (e.g. using strong authentication, traffic filters)
• Illegal Software Monitoring
  » checking for installation of unapproved software that could make the environment insecure
“ethical hacking” tools & auditing

Penetration Testing – trying to hack in to show the weaknesses of the system…

• war dialling
  » gathering modem dialling data
• sniffing
  » collecting network packets
    - reading header data to produce statistical data
    - possibly reading packet payload
    - can even recreate packets with different (spoof) IP address
• eavesdropping
  » act of listening in to communications, usually with a sniffer
• radiation/emanation monitoring
  » detecting and reading electromagnetic signals around copper cables and other devices to gather data
• social engineering
  » getting information by (deceptively) asking for it…
Detecting “Inappropriate Activities”

• Should be an “acceptable use” policy
  » clear definition of “inappropriate activities”
• Includes certain employee actions
  » may not themselves be illegal…
  » BUT may compromise system reliability or CIA or security
• Examples…
  » wasting resources
  » hosting inappropriate content
  » racial/sexual harassment
  » abusing/not respecting assigned access rights
Detecting Illegal Activities

• Fraud
  » violation of the integrity of business processes
  » may seem attractive and undetectable to the perpetrator…
  » but secure system environments are easily designed to detect/protect against fraud
• Collusion
  » act of conspiring to commit a crime – in this case… to make a security violation
  » detected through detailed user monitoring
  » prevented through job separation, etc.
Careers in Information Security: Why A Degree isn’t enough…

• You need three things to give you a head start in becoming a successful Information Security Specialist:
  » theoretical knowledge (degree)
  » practical knowledge (placement)
  » professional qualifications (further evidence that you know how to apply your stuff in a non-academic environment)
• You also need to be a good communicator…
  » especially at “management level”
Getting Certified as an Information Security Professional

• Microsoft provide their own set of syllabuses and exams leading to:
  » Specialist: MCTS (pass 1-3 exams, one year’s relevant experience) – important to include a security-related module if you wish to follow such a career path on Microsoft networks
  » Professional: MCITP (pass 1-3 professional exams, as well as MCTS)
• Not all networks are Microsoft…
  » highly regarded security qualifications from ISC2, based on principles and not platform-specific…
ISC2 qualifications

• SSCP
  » seven modules
  » recommended one year’s experience working with networks (placement would do…)
• CISSP
  » eleven modules
  » two years working in the Information Security industry considered essential