Graduate Program in Information Science and Telecommunications and Networking School of Information Sciences University of Pittsburgh TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 1.0, Last Edited 09/20/2005 Name of Students: ______________________________________________________ ______________________________________________________ Date of Experiment: ______________________________________________________Graduate Program in Information Science and Telecommunications and Networking School of Information Sciences University of Pittsburgh Part I: Objective The objective of the exercises presented here is to familiarize the students with the access control features available in the Microsoft Windows, UNIX-based and Solaris systems, and to induce the student to analyze the similarities and differences in the access control in different operating systems. Part II: Equipment/Software • A PC with Microsoft Windows 2000 installed on it. • A PC with Linux installed on it. • A PC with Solaris 8 (or above) installed on it. 1. Microsoft Windows Access control refers to the ability of a user to access a particular object and possibly modify it. In terms of operating systems, access control refers to the ability of a user to read, write or execute a certain file or folder. In this laboratory, we shall study the access control framework for Microsoft Windows and UNIX-based platforms, by taking Microsoft Windows 2000 and Linux as respective examples. The Microsoft Windows 2000/XP/2003 series of OSs introduced access control for files, directories and devices. Before we introduce access control for these operating systems, let us take a look at how objects are arranged in these systems. The Active Directory service was introduced in the NT family of operating systems as a means of arranging all users, devices and objects at a centralized location and allowing these networked entities to find each other through this service. Entities are known as objects and they are arranged into a hierarchical structure known as the logical structure by the administrators. A collection of objects that share the same security policies is known as a domain (a container object) and multiple domains can be arranged hierarchically into a tree. A forest is a complete instance of the Active Directory that consists of a set of domains that trust each other through a two-way transitive trust. This arrangement of objects into logical structures enables easy management of the objects and allows for more flexible access control. The place Active Directory has in the network is shown in Figure 1. Figure 1: Active DirectoryGraduate Program in Information Science and Telecommunications and Networking School of Information Sciences University of Pittsburgh Every entity - users, groups, domains, processes - has a Security Identifier (SID) uniquely associated with it. The SID is very similar to the UID in UNIX. Objects that have some operations associated with them and to which access must be controlled are called securable objects. Securable objects have security descriptors associated with them that consist of DACLs that describe which users or groups have what access rights over them, SACLs that describe how auditing is done and the SID of the owner of the object. Every time an object is created, a security descriptor can be assigned to it, but if it is not assigned, it will inherit it from its parent object. A security context is associated with every process (or user) which describes which groups it belongs to, what privileges it has and what accounts are associated with it. The security context is maintained in an access token. ACLs for an object contain the SID of the intended trustee and an access mask for the various access rights. When access is requested, the access token of the accessing object, is checked with the security descriptor of the accessed object, to see if the access should be permitted or not. An example is given in figure 2. For added security, to protect sensitive data, the Encrypted File System (EFS) was introduced in the NT families. The EFS allows users to encrypt objects created by them so that no other object can access them. The encryption is done using an EFS certificate that the user gets and multiple users can be added to allow access, with the help of their EFS certificates. Lab Procedures Exercise 1.1: Adding users to the system 1. Go to Start -> Control Panel -> Users and Passwords. 2. If a user telcom2810 already exists, remove it. 3. Click on Add to add a new user. Enter the username as telcom2810 and password as introtosecurity. Select Restricted User as the group for its group membership. 4. Click OK. Exercise 1.2: Studying the effects of using the Read-Only and Hidden attributes of a file. 1. Create a TXT document in your My Documents folder. 2. Right-click on the icon, and select Properties. 3. Check the Read-Only checkbox and click on OK. 4. Then open the document, add some text and try to save the changes. a. What happens? Explain why it happens. User: MarkUser: MarkGroup1: AdministratorsGroup1: AdministratorsGroup2: WritersGroup2: WritersControl flagsControl flagsGroup SIDGroup SIDDACL PointerDACL PointerSACL PointerSACL PointerDenyDenyWritersWritersRead, WriteRead, WriteAllowAllowMarkMarkRead, WriteRead, WriteOwner SIDOwner SIDRevision NumberRevision NumberAccess tokenSecurity descriptorAccess request: writeAction: denied• User Mark requests write permission• Descriptor denies permission to group• Reference Monitor denies requestFigure 2: Example of Access RequestGraduate Program in Information Science and Telecommunications and Networking School of Information Sciences University of Pittsburgh ________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ 5. Copy the file and place it in the C:/Documents and Settings/All Users/Documents folder. 6. Then logoff and logon as telcom2810. 7. Open the C:/Documents and Settings/All Users/Documents folder and try modifying the contents of the file. Are the results the same as in Step 4? 8. Repeat Step 2
View Full Document
Unlocking...