© SANS Institute 2007, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2007, As part of the Information Security Reading Room, Author retains full rights.

Sudo for Windows (sudowin)

GCWN Gold Certification
Author: Schley Andrew Kutz, [email protected]
Adviser: Jim Purcell
Accepted: January 20, 2007

Outline

1. Abstract (p. 4)
2. Document Conventions (p. 6)
3. Introduction / Executive Summary (p. 7)
4. History (p. 9)
5. Implications (p. 10)
6. Design (p. 12)
   Server (p. 12)
      Configuration (p. 13)
         Application Settings (p. 13)
         Remoting Settings (p. 14)
            Remoting Object (p. 15)
            Remoting Channel (p. 16)
         Diagnostics Settings (p. 17)
   Client (p. 18)
      Command Line Client (p. 18)
         Configuration (p. 19)
      GUI Client (p. 20)
         Configuration (p. 21)
   Plugins (p. 21)
      Configuration (p. 21)
         Plugin Configuration Schema (p. 24)
      Plugin Types (p. 27)
         Authentication (p. 27)
            NT (p. 28)
         Authorization (p. 28)
            XML (p. 28)
               <sudoers> (p. 31)
               <userGroup> (p. 34)
               <user> (p. 35)
               <commandGroup> (p. 35)
               <command> (p. 36)
               <commandGroupRef> (p. 37)
         CredentialsCache (p. 38)
            LocalServer (p. 38)
   CallbackApplication (p. 38)
7. Walk Through (p. 40)
   Service Startup (p. 40)
   Client Invocation (p. 41)
8. Implementation (p. 45)
   Requirements (p. 45)
   Installing (p. 45)
   Upgrading (p. 46)
   Configuring (p. 46)
      The Sudoers Group (p. 46)
      The Sudoers File (p. 47)
   Uninstalling (p. 47)
      Locations (p. 47)
         Files (p. 47)
         Registry (p. 49)
         Groups (p. 51)
   Active Directory (p. 51)
   Known Issues (p. 51)
9. Conclusion (p. 53)

1. Abstract

The original Sudo application was designed by Bob Coggeshall and Cliff Spencer in 1980 in the Department of Computer Science at SUNY/Buffalo.[1] For twenty-six years, Sudo has provided a foundation for privilege delegation on UNIX and Linux platforms by allowing systems administrators to delegate privileged commands to trusted users and audit their use. A trusted user executes a privileged command from their own user context by reaffirming their identity (re-entering their passphrase), and the execution is then recorded in an auditable log. Sudo encourages the principle of least privilege: a user operates with the bare minimum of privileges on a system until the user requests a higher level of privilege in order to accomplish a specific task.

Sudo was developed in reaction to the standard UNIX security model, in which, although some granularity is possible with group and file permissions, delegating administrative authority is largely all or nothing. If a user was designated an administrator, this usually meant giving them the root account's password. The problem with this model is that it provides no accountability for actions taken on the system, since every administrative action is executed under the same account. In summary, Sudo provides delegation and accountability.

The current versions of Microsoft Windows lack functionality equivalent to that which Sudo provides.
[1] http://www.gratisoft.us/sudo/history.html

Therefore the security model in Windows is described by delegating a fixed privilege level to distinct user