Access Control  privilege How does your code manage who has access to what?  authorization  permission Two OS models: Unix Windows.

Slides:

Advertisements

Similar presentations

Managing User, Computer and Group Accounts

Advertisements

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

计算机系信息处理实验室 Lecture 11 Security

6/2/2015B.Ramamurthy1 Security B.Ramamurthy. 6/2/2015B.Ramamurthy2 Computer Security Collection of tools designed to thwart hackers Became necessary with.

CMSC 414 Computer and Network Security Lecture 10 Jonathan Katz.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Sharing Files Richard Newman based on Smith “Elementary Information Security”

Lesson 4: Configuring File and Share Access

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

Lecture 7 Access Control

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

Group Accounts; Securing Resources with Permissions

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.

Windows Security Mechanisms Al Bento - University of Baltimore.

Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.

Chapter 5 File and Printer Services

Access Control Lists and NTFS Permissions INFO333 – Lecture Mariusz Nowostawski Noria Foukia.

Hands-On Microsoft Windows Server 2008 Chapter 5 Configuring, Managing, and Troubleshooting Resource Access.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 11 Case Study 2: Windows Vista Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.

CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

Operating System Security CS460 Cyber Security Spring 2010.

7.3. Windows Security Descriptors

IOS110 Introduction to Operating Systems using Windows Session 8 1.

Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.

Module 4 Managing Access to Resources in Active Directory ® Domain Services.

Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.

File Permission and Access. Module 6 File Permission and Access ♦ Introduction Linux is a multi-user system where users can assign different access permission.

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Chapter 9: SHARING FILE SYSTEM RESOURCES1 CHAPTER OVERVIEW  Create and manage file system shares and work with share permissions.  Use NTFS file system.

Active Directory Travis Favors Ryan Manuel Robert Rayer.

G53SEC 1 Access Control principals, objects and their operations.

CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.

1 Chapter Overview Managing Object and Container Permissions Locating and Moving Active Directory Objects Delegating Control Troubleshooting Active Directory.

MA194Using WindowsNT1 Topics for the day… WindowsNT Security WindowsNT File System (NTFS) Viewing/Setting Document and Folder Permissions Access Control.

1 Introduction to NTFS Permissions Assign NTFS permissions to specify Which users and groups can gain access to folders and files What they can do with.

Chapter 4 Sharing Files. FIGURE 4.0.F01: Sharing files for reading on Microsoft Windows 8.1. Used with permission from Microsoft.

Access Control Lesson Introduction ●Understand the importance of access control ●Explore ways in which access control can be implemented ●Understand how.

Understand Audit Policies LESSON Security Fundamentals.

Privilege Management Chapter 22.

Computer Security: Principles and Practice

Review on Active Directory. Aim Enable users to find network resources easily Central and easy administration of users and resources in a domain Improve.

Configuring and Managing Resource Access Lecture 5.

Windows Server 2003 檔案分享管理林寶森

Access Control. Many models Traditional Unix model Windows model Role-based access control (SE Linux)‏ Access control for confidentiality (Bell-La Padula.

Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.

11/06/ أساسيات الأتصال و الشبكات Communication & Networks Fundamentals lab 5.

File System Security in Unix Annie Calpe. Overview Unix Basics File System Security: - Account Security: Passwords - File Permissions - Access Control.

ITMT Windows 7 Configuration Chapter 6 – Sharing Resource ITMT 1371 – Windows 7 Configuration 1.

CIT 480: Securing Computer Systems

CS703 - Advanced Operating Systems

Introduction to NTFS Permissions

Lesson 4: Configuring File and Share Access

Secure Architecture Principles Isolation and Least Privilege

Chapter 14: Protection.

CE Operating Systems Lecture 21

OS Access Control Mauricio Sifontes.

Managing Data by Using NTFS

Figure 6-13: Managing Permissions

Presentation transcript:

Access Control  privilege How does your code manage who has access to what?  authorization  permission Two OS models: Unix Windows

Access Control in Unix/Linux  can ____ resources (files) Every user …  has a unique UID (positive integer)  belongs to one or more groups Every file/resource …  other possibilities: sticky bit, setUID, setGID  stores permissions for owner, group & world  potential permissions are _______ User 0 -- ______

The sticky bit One bit of file/dir permission is dedicated as the sticky bit.  Such bits are no longer used for files  Some directories have the “sticky bit” property Example: Any user can write to such a directory. If you create new files, you are the owner and have wr permission and the world has r permission.

Processes in Unix Executing a file initiates process execution.  process permissions normally derive from the owner  any created file has permissions determined by umask To ______ permissions … execute a process from an owner with lesser privilege A forked process/thread inherits permissions. To ________ permissions …

setUID, setGID If the setUID bit is set on an executable file, then when the file executes it assumes the permissions of the file’s owner for the duration of this file’s execution. The rule is not to elevate privilege any more than necessary. EUID  executing file’s owner

Access Control in Windows When a user is authenticated, Windows produces an access token containing:  the user’s _____  a list of group SIDs – one _____ per group A special kind of token (impersonation token) can be granted to services when they are authorized. A copy of the access token is attached to every process and thread the user executes.

Windows Resources Many objects are thought of as resources:  files / directories  registry keys Permissions vary by resource type.  shared memory  job objects (processes)  mutexes, named pipes, semaphores  printers  active directory objects

ACLs Discretionary Access Control List (DACL) – every resource has one - DACL is a list of Access Control Entry (ACE) Access Control Entry (ACE) contains 1) 2) 3) An object can have both explicit and inherited ACEs. Algorithm for authorizing: follow the DACL for the first ACE to ALLOW or DENY matching one of the SIDs in the access token ACEs are ordered by explicit collection before inherited and following inheritance tree. Within each collection all DENY precede all ALLOW

Example Authorization requests: xFile xParentxGParent inherits from SID2 X-DENY SID2 R-DENY SID5 R-DENY SID5 X-DENY SID3 W-ALLOW SID2 R-ALLOW SID4 W-ALLOW SID3 W-DENY SID4 X-ALLOW Write to xFile access token: SID3 & SID4 Write to xFile access token: SID2 & SID4 Read from xFile access token: SID2 & SID5 Execute from xFile access token: SID2, SID3, SID4 & SID5

File Permissions in Windows Full control – read, write, modify, execute, change attributes/permissions and/or take ownership Modify – read, write, modify, execute and/or change attributes Read & execute – display file content, view attributes/owner/permissions and/or execute Read – display file content and/or view attributes/owner/permissions Write – write file content, append to file and/or read/change file attributes

Windows advantages: - finer user granularity (Administrator & operator groups) - ACE’s can specify many groups, not just one - allows for variation in permissions by object type Windows disadvantage: - complexity

Other Access Control Systems Programming languages may or may not provide full access   network security – see CS455 Web access control?   cookies