The Golden Rules (and Some Others)


Before we continue, it's important to define some core security vocabulary. Although we've generally defined security, the concept can still be somewhat nebulous. No doubt you've heard that "a system is secure" or that "system A is more secure than system B," but what do such phrases mean? Specifically, security is often thought of as comprising the following categories:

  • Authentication
  • Authorization
  • Auditing
  • Privacy
  • Integrity
  • Availability
  • Nonrepudiation

The first three categories are sometimes referred to as the "Golden Rules" because they start with the letters Au, the chemical symbol for gold in the periodic table of elements. In the following sections, we'll describe these categories in detail.

Authentication

Authentication is the process by which an entity, also called a principal, verifies that another entity is indeed who or what it claims to be. A principal can be a user, some executable code, or a computer. Authentication requires evidence in the form of credentials, and evidence can be in one or more of the following forms:

  • Something known (such as a password or a secret)
  • Something possessed (such as a smart card)
  • Something unique about the entity (in the case of humans, a signature, for example)

Proving that a principal is not an imposter depends upon the trustworthiness of the credentials. Credentials are trustworthy in an absolute sense: they are either correct or they are not. If a principal possesses the correct credentials, identity is verified regardless of who the principal is. In other words, authentication is a black-and-white process, resulting in a positive or negative response to a claim of identity.

However, the strength of the credentials is also important. For example, access to highly secure data might require credentials such as biometrics—for example, your thumbprint, a voice analysis, or a retinal scan, all of which are incredibly difficult to forge. Because biometrics are hard to counterfeit, they are often referred to as strong credentials. Passwords, on the other hand, are a weak credential because they are relatively easy to falsify.

Examples of some current authentication technologies include the following:

  • Kerberos: Kerberos is the default network authentication scheme for Microsoft Windows 2000.
  • Windows NTLM: This is the default protocol for Microsoft Windows NT 4 and is included in Windows 2000 for backward compatibility. It's also referred to as Windows NT Challenge/Response authentication.
  • Basic: Basic authentication is part of the HTTP 1.0 specification supported by most Web servers and Web browsers. It's insecure, because passwords are not encrypted. All versions of Microsoft Internet Information Services (IIS) support Basic authentication.
  • Digest: Digest authentication is part of the HTTP 1.1 specification and resolves many of the insecurities in Basic authentication. Internet Information Services 5 supports Digest authentication.

Chapter 3, "Windows 2000 Security Overview," Chapter 4, "Internet Explorer Security Overview," Chapter 5, "Internet Information Services Security Overview," Chapter 6, "SQL Server Security Overview," Chapter 7, "COM+ Security Overview," and Chapter 8, "Practical Authentication and Authorization," will further cover authentication issues.

Authorization

Once a principal's identity is authenticated, the principal will want to access resources, such as printers, files, Registry keys, Active Directory attributes, and tables in a database. Access is determined by performing an access check to see if the authenticated entity has access to the resource being requested.

Access is determined by comparing information about the principal with access control information associated with the resource—this information, for example, might be held in an access control list (discussed in Chapter 3). If Alice is given full access to the file Info.txt, she can read, write, and delete that file. Suppose Bob has read-only access to this same file. If he attempts to write to or delete the file, he will be denied access.

As you can see, degrees of authorization exist—Alice might have complete access to A, B, and C, while Bob might have only read access to B, and so on.
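The access check described above, written out as an added example (not code from the book or from Windows 2000): a small ACL in which rights are a bitmask, deny entries win over allow entries, and a principal with no entry is denied by default. The Info.txt ACL grants Alice full access and Bob read-only access, as in the text.

```python
from enum import IntFlag


class Access(IntFlag):
    """Rights an ACL entry can grant, combined as a bitmask (constructed for this example)."""
    READ = 1
    WRITE = 2
    DELETE = 4
    FULL = READ | WRITE | DELETE


def access_check(acl, principal, requested):
    """Return True only if every requested right is granted to the principal.

    acl is a list of (principal, "allow" | "deny", Access) entries.
    A deny entry overrides any allow entry for the same right, and a principal
    that appears nowhere in the ACL gets nothing (default deny).
    """
    allowed = Access(0)
    denied = Access(0)
    for who, kind, rights in acl:
        if who != principal:
            continue
        if kind == "deny":
            denied |= rights
        else:
            allowed |= rights
    # Any explicitly denied right in the request fails the whole check.
    if requested & denied:
        return False
    # Otherwise every requested bit must be present in the allowed mask.
    return (requested & allowed) == requested


# ACL for Info.txt as described in the text: Alice full, Bob read-only.
INFO_TXT_ACL = [
    ("Alice", "allow", Access.FULL),
    ("Bob", "allow", Access.READ),
]

if __name__ == "__main__":
    for who, want in [("Alice", Access.DELETE), ("Bob", Access.READ), ("Bob", Access.WRITE)]:
        verdict = "granted" if access_check(INFO_TXT_ACL, who, want) else "denied"
        print(f"{who} requesting {want.name} on Info.txt: {verdict}")
```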

Examples of authorization mechanisms include

  • Windows 2000 access control lists (ACLs): An ACL describes the capabilities (such as read, write, execute) of a principal on a resource.
  • Windows 2000 privileges: Such as the ability to debug or log on across the network.
  • Permissions: Permissions (that is, create, read, update, and delete) such as in a Microsoft SQL Server database.
  • Role checking in a COM+ component: The ability to programmatically determine whether a principal can perform an action (such as withdraw funds), based on the principal's membership in an administrator-defined role.

Chapter 3 and Chapter 8 will describe authorization in detail.

Auditing

The aim of auditing, also called logging, is to collect information about successful and failed access to objects, use of privileges, and other important security actions and to log them in some form of file for later analysis. Logging also aids in debugging applications because without logging you can only guess why someone was denied access to a resource.

Examples of audit logs include

  • The Windows 2000 Security Event Log: Contains data about who logged on, what files they accessed, which COM+ objects were accessed, and so on.
  • The Internet Information Services 5 log: Contains data about Web page hits, how long the access took, and from what IP address the request came. IIS also writes to the Windows 2000 security event log files.
  • SQL Server log: Contains information about who logged on and off SQL Server. SQL Server uses the Windows 2000 log files as well as its own custom text files for auditing purposes.

Chapter 3 and Chapter 9, "Practical Privacy, Integrity, Auditing, and Nonrepudiation," cover auditing in detail.

Privacy

Privacy, sometimes referred to as confidentiality, is a means of hiding information from prying eyes and is usually performed using encryption. By using privacy technologies, Alice can send a secret message to Bob, and anyone using a network protocol analyzer, such as Microsoft Network Monitor, cannot see what Alice has sent.

Examples of privacy technology include

  • Secure Sockets Layer (SSL) or Transport Layer Security (TLS): Both use encryption algorithms to scramble data as it travels across insecure networks such as the Internet.
  • Internet Protocol Security (IPSec): An IETF (Internet Engineering Task Force) standard and a new security feature in Windows 2000 that provides data encryption of low-level IP packets.

Chapter 3 and Chapter 9 go into privacy in detail.

Integrity

Integrity refers to the ability to protect data from being deleted or changed either maliciously or by accident. If Alice orders 100 widgets from Bob, she doesn't want an attacker to modify the order en route to Bob to 1000 widgets. At a minimum, integrity checks determine whether the data has been changed.

NOTE
Maliciously adjusted data is usually more serious than deleted data. If data is missing because it has been deleted, you know you need to use the last backup made to reinstate the missing data. However, if data is maliciously changed, you might not notice the change for a long time and the erroneous data might be used to make critical business decisions.

Examples of integrity technology include

  • SSL/TLS: Both use Message Authentication Code (MAC) algorithms to verify that data is not tampered with.
  • IPSec: Provides integrity checking of low-level IP packets.

Chapter 9 covers integrity in detail.
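Alice's widget order with a Message Authentication Code attached, as an added example (not code from the book, and a simplified stand-in for what SSL/TLS does per record): HMAC-SHA256 under a key shared by Alice and Bob, with a constant-time comparison on verification. The shared key and the order text are constructed for the demonstration. The block also contrasts the MAC with an unkeyed digest, which an attacker who changes the order can simply recompute, so it detects accidents but not malice.

```python
import hashlib
import hmac

# Constructed demo values; in practice the key comes from the session (e.g. the TLS handshake).
SHARED_KEY = b"constructed-demo-key-shared-by-alice-and-bob"
ORDER = b"from=Alice;to=Bob;item=widget;quantity=100"


def mac_order(key: bytes, order: bytes) -> bytes:
    """Keyed integrity tag: only a holder of the key can produce or refresh it."""
    return hmac.new(key, order, hashlib.sha256).digest()


def verify_order(key: bytes, order: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(mac_order(key, order), tag)


def plain_digest(order: bytes) -> bytes:
    """Unkeyed digest: catches accidental corruption only, since anyone can recompute it."""
    return hashlib.sha256(order).digest()


def verify_plain(order: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(order), digest)


def modify_quantity(order: bytes, old: bytes, new: bytes) -> bytes:
    """Models the en-route change from the text (100 widgets becomes 1000)."""
    return order.replace(b"quantity=" + old, b"quantity=" + new, 1)


if __name__ == "__main__":
    tag = mac_order(SHARED_KEY, ORDER)
    altered = modify_quantity(ORDER, b"100", b"1000")
    print("original verifies:", verify_order(SHARED_KEY, ORDER, tag))
    print("altered verifies: ", verify_order(SHARED_KEY, altered, tag))
    # Without a key, the tamperer simply recomputes the digest for the altered order.
    print("altered passes unkeyed check:", verify_plain(altered, plain_digest(altered)))
```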

Availability

Another important aspect of security is availability, or ensuring that a legitimate user is not denied access to a requested resource. For example, Alice, a valid user, won't be able to place an order by using your Web-based application if Bob, a malicious user, has launched an attack against your Web site that consumes all your network bandwidth. As far as Alice is concerned, your Web site is unavailable, so she might go elsewhere, perhaps to a competitor, to place her order.

Examples of availability technology include

  • Load-balancing hardware and software: Spreads heavy workloads over multiple devices to help ensure access.
  • Failover hardware and software: Allows work requests to be switched from a failed device to a backup device.

Please note that load-balancing and failover technologies are beyond the scope of this book.

Nonrepudiation

Nonrepudiation is a technique for providing proof that an action occurred so as to prevent a principal from fraudulently reneging on a transaction. For example, if Alice purchases an item, she might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that Alice did indeed receive the package.

A complete nonrepudiation plan requires providing authentication, authorization, auditing, and data integrity. Nonrepudiation also requires that you inform the principal that the action he or she is about to take is legally binding. As you can imagine, nonrepudiation is extremely important for e-commerce.

We'll cover nonrepudiation in Chapter 9.

Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138