Privilege Management




Privileges are defined as user rights that are generally granted to specific users or groups of users within a specific system or network. These rights allow users or groups of users to carry out specific operating system tasks such as backing up a system, shutting down a system, or changing a system's time. Figure 6.1 displays the many local user rights assigned within the Windows 2000 Professional operating system.

Figure 6.1: Windows 2000 Professional local rights.

User/Group/Role Management

The concepts of managing users and groups can be best explained by describing the basic administration of users and groups inherent in the Microsoft operating system Windows NT.

A Windows NT workstation can participate in a workgroup or domain environment. In a workgroup, each individual computer system houses its own SAM (Security Accounts Manager) database. In a domain model environment, the SAM database is located in a more central location, such as on a PDC (Primary Domain Controller) and BDC (Backup Domain Controller). This allows administrators to control user access to the network as well as provide the sharing of network resources from a centralized location.

A workgroup model mirrors a peer-to-peer network in which security and the sharing of resources are controlled at every individual machine. Imagine organizing a workgroup of 200 users. You would have to control user access to the workgroup and password-protected shares at every single system!

Windows NT comes with an administration tool known as User Manager. User Manager has several built-in groups. Figure 6.2 displays User Manager. These groups are designed for ease of administration. A Windows NT built-in group has preassigned user rights. Windows NT user rights allow users or groups of users to carry out specific tasks, such as the right to back up the system, shut down the system, or change the system time. After a user ID has been created in User Manager, it can be placed in a group. When the user ID is placed in the group, the ID inherits all of the rights associated with that group. For example, if the user ID JSHMOE were created and added to the Administrators group, the user JSHMOE would inherit all of the user rights associated with the Administrators group.

Figure 6.2: The Windows NT User Manager.

Every Windows NT workstation or server has a set of built-in local groups. If a user has been placed into a local group, it is possible for the user to access resources and be granted rights on the local system. To ease domain-level administration efforts, Windows NT Server also makes use of global groups. Simply put, many users can be placed into a global group. The global group can then be added to a local group located on a workstation or server. The end result is that all users in the global group can access resources assigned to the local group on that particular workstation or server.
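The group mechanics described above (JSHMOE inheriting the rights of the Administrators group, and a global group nested inside a machine's local group), worked through as an added Python model. This is not code from the book; the user IDs, the "Domain Backup" global group and the mapping of rights to each built-in group are constructed for illustration. The two membership rules it enforces are the Windows NT 4.0 rules: a global group holds only user accounts, and a local group holds users and global groups but never another local group.

```python
# Added example (not from the book): a toy model of Windows NT user/group
# administration. User IDs, group names and the rights-to-group mapping below
# are constructed for illustration.
from collections import defaultdict

# Rights preassigned to built-in local groups. The right names are the ones the
# chapter mentions; which group gets which right is a constructed approximation.
BUILTIN_LOCAL_GROUP_RIGHTS = {
    "Administrators": {
        "Back up files and directories",
        "Restore files and directories",
        "Shut down the system",
        "Change the system time",
    },
    "Backup Operators": {
        "Back up files and directories",
        "Restore files and directories",
        "Shut down the system",
    },
    "Users": {"Shut down the system"},
}


class NTAccountDatabase:
    """Toy SAM: domain users, domain global groups, per-machine local groups."""

    def __init__(self):
        self.users = set()
        self.global_groups = defaultdict(set)   # global group -> user IDs
        # machine -> local group -> {"users": {...}, "globals": {...}}
        self.local_groups = defaultdict(dict)
        self.local_rights = defaultdict(dict)   # machine -> local group -> rights

    def add_machine(self, machine):
        """Every NT machine starts with the built-in local groups and their rights."""
        for group, rights in BUILTIN_LOCAL_GROUP_RIGHTS.items():
            self.local_groups[machine][group] = {"users": set(), "globals": set()}
            self.local_rights[machine][group] = set(rights)

    def create_user(self, user_id):
        self.users.add(user_id)

    def add_user_to_global_group(self, user_id, group):
        # NT rule: a global group may contain only user accounts, never other groups.
        if user_id not in self.users:
            raise ValueError(f"{user_id!r} is not a user account")
        self.global_groups[group].add(user_id)

    def add_to_local_group(self, machine, local_group, *, user=None, global_group=None):
        # NT rule: a local group may contain users and global groups, but not
        # another local group, so nesting is rejected here.
        members = self.local_groups[machine].get(local_group)
        if members is None:
            raise ValueError(f"{local_group!r} is not a local group on {machine}")
        if user is not None:
            if user not in self.users:
                raise ValueError(f"{user!r} is not a user account")
            members["users"].add(user)
        if global_group is not None:
            if global_group in self.local_groups[machine]:
                raise ValueError("local groups cannot be nested in local groups")
            if global_group not in self.global_groups:
                raise ValueError(f"{global_group!r} is not a global group")
            members["globals"].add(global_group)

    def local_groups_of(self, machine, user_id):
        """Local groups the user belongs to, directly or through a global group."""
        result = set()
        for group, members in self.local_groups[machine].items():
            if user_id in members["users"] or any(
                user_id in self.global_groups[g] for g in members["globals"]
            ):
                result.add(group)
        return result

    def effective_rights(self, machine, user_id):
        """Union of the rights of every local group the user ends up in."""
        rights = set()
        for group in self.local_groups_of(machine, user_id):
            rights |= self.local_rights[machine][group]
        return rights


def build_demo():
    db = NTAccountDatabase()
    db.add_machine("WS1")
    for user_id in ("JSHMOE", "APENNY", "BFOX"):
        db.create_user(user_id)
    # The chapter's example: JSHMOE placed straight into Administrators on WS1.
    db.add_to_local_group("WS1", "Administrators", user="JSHMOE")
    # Domain level: a global group holds the two backup staff (constructed)...
    db.add_user_to_global_group("APENNY", "Domain Backup")
    db.add_user_to_global_group("BFOX", "Domain Backup")
    # ...and that global group is dropped into WS1's local Backup Operators group.
    db.add_to_local_group("WS1", "Backup Operators", global_group="Domain Backup")
    return db


if __name__ == "__main__":
    db = build_demo()
    for user_id in ("JSHMOE", "APENNY", "BFOX"):
        print(user_id, sorted(db.effective_rights("WS1", user_id)))
```

The point to notice is that APENNY and BFOX never appear in any of WS1's local groups directly; they get Backup Operators rights on WS1 only because their global group was added there, and on a machine where it was not added (WS2 in the test) they get nothing. Reviewing `local_groups_of` for a user is therefore the audit question to ask when checking who holds a right such as "Back up files and directories" on a given machine.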

In addition to creating user IDs and the assignment of user rights, User Manager also has the ability to audit the success and failure of events that occur on the system. An administrator can audit access to files and objects, users who have logged on or logged off of the system, and security policy changes, just to name a few. The results of the events that have been audited are displayed in the Windows NT Event Viewer.

Note 

The exam is likely to challenge you with the various types of access control models, permissions, and roles implemented with the access control types mentioned in Chapter 2. These include Role-Based Access Control (RBAC), Lattice-Based Access Control (LBAC), Task-Based Access Control (TBAC), and Terminal Access Controller Access Control System (TACACS). This is a good place to go back and refresh yourself. If you do not know these well, you will probably not pass this exam.

LSA, SID, and ACL

Security access to all resources and the entire security sign-on process that takes place behind the scenes when a user logs on to a network running an operating system server such as Windows NT is beyond the scope of this book. However, a basic explanation and several important terms are in order to provide you with a general understanding of how this process works. This might assist you with the basics of understanding general authentication practices.

When a user logs on to an NT workstation, the LSA (Local Security Authority) generates what is called a security access token, or SAT for short. This SAT is assigned a SID (Security ID) for the user. The unique user SID contains access rights and privileges that have been assigned to the user's ID that was created in User Manager or User Manager for Domains. Windows NT maintains what is called an Access Control List (ACL) for all objects that exist in the Windows NT domain. An object can be a file, folder, or printer share, just to name a few. In order for a user to be granted access to an object on the domain, the user's SAT must be accepted by the object's ACL.
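The token-versus-ACL check described above, as an added Python model that is not code from the book. The token carries the user's SID and group SIDs; each object carries an ordered list of allow/deny access control entries, evaluated the way the NT access check does in simplified form (a deny that matches an outstanding right ends the check; allows accumulate until every requested right is granted). The user SIDs beginning with `S-1-5-21-EXAMPLE` and the object names are constructed; `S-1-1-0` (Everyone) and `S-1-5-32-544` (BUILTIN\Administrators) are well-known Windows SIDs. It goes slightly beyond the text by also modelling the two DACL edge cases a reviewer should know: a missing (NULL) DACL grants everyone everything, while an empty DACL grants nobody anything.

```python
# Added example (not from the book): simplified NT access check of a security
# access token (SAT) against an object's ACL. Example user SIDs and object
# names are constructed; the two well-known SIDs below are real Windows values.
from dataclasses import dataclass
from typing import Optional

EVERYONE = "S-1-1-0"            # well-known SID: Everyone
BUILTIN_ADMINS = "S-1-5-32-544"  # well-known SID: BUILTIN\Administrators


@dataclass(frozen=True)
class AccessToken:
    """What the LSA hands a logged-on user: user SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset


@dataclass(frozen=True)
class ACE:
    kind: str          # "allow" or "deny"
    sid: str           # trustee (user or group SID) this entry applies to
    rights: frozenset  # e.g. {"read", "write", "delete"}


@dataclass
class SecuredObject:
    name: str
    acl: Optional[list]  # None models a NULL DACL; [] models an empty DACL


def token_sids(token):
    return {token.user_sid} | set(token.group_sids)


def access_check(token, obj, requested):
    """Return True only if every right in `requested` is granted to the token."""
    if obj.acl is None:
        # NULL DACL: the object is unprotected and everyone gets every right.
        return True
    sids = token_sids(token)
    remaining = set(requested)
    for ace in obj.acl:              # ACEs are evaluated in list order
        if ace.sid not in sids:
            continue                 # entry is for someone else
        if ace.kind == "deny":
            if ace.rights & remaining:
                return False         # deny hit a right not yet granted: stop
        elif ace.kind == "allow":
            remaining -= ace.rights  # accumulate granted rights
            if not remaining:
                return True
    return not remaining             # empty DACL or no matching allow: denied


def build_demo():
    """Constructed tokens and objects used by the usage run and the test."""
    jshmoe = AccessToken("S-1-5-21-EXAMPLE-1001", frozenset({EVERYONE, BUILTIN_ADMINS}))
    apenny = AccessToken("S-1-5-21-EXAMPLE-1002", frozenset({EVERYONE}))
    payroll = SecuredObject(r"\\FS1\PAYROLL", acl=[
        ACE("deny", "S-1-5-21-EXAMPLE-1002", frozenset({"write", "delete"})),
        ACE("allow", BUILTIN_ADMINS, frozenset({"read", "write", "delete"})),
        ACE("allow", EVERYONE, frozenset({"read"})),
    ])
    scratch = SecuredObject(r"C:\TEMP", acl=None)   # NULL DACL
    locked = SecuredObject(r"C:\SECRET", acl=[])    # empty DACL
    return {"jshmoe": jshmoe, "apenny": apenny,
            "payroll": payroll, "scratch": scratch, "locked": locked}


if __name__ == "__main__":
    d = build_demo()
    for who in ("jshmoe", "apenny"):
        for obj in ("payroll", "scratch", "locked"):
            print(who, d[obj].name, "read+write:",
                  access_check(d[who], d[obj], {"read", "write"}))
```

Two things the run makes visible: JSHMOE's token never names JSHMOE in the payroll ACL at all, yet the BUILTIN\Administrators SID it carries is enough, which is exactly how group membership turns into object access; and the NULL-DACL scratch object lets the unprivileged APENNY token do anything, which is why an object with no ACL at all is a finding rather than a default.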

Single Sign-On (SSO)

Single Sign-On (SSO) user authentication is the use of one username and one password in order to give the user access to all resources, applications, and other shares that the user has been given permission to use. In other words, a user only has to sign on one time to an authenticating server. From that point on, permissions are used to grant access to the user for various resources so that the user does not have to keep entering passwords.

The Single Sign-On model is popular in most client/server network environments. Server operating system software such as Windows NT, Windows 2000, and Novell NetWare is based on a Single Sign-On authentication model. This allows ease of user administration by allowing users to be placed into groups. The groups are then assigned permissions to resources, as opposed to assigning access permissions to each individual user.

The main benefits of implementing Single Sign-On are as follows:

  • Users only have to sign on one time with a primary server or a domain controller in order to access enterprise-wide resources if needed.

  • Risks involved with individual users having to remember multiple user IDs and passwords are eliminated or reduced.

  • Administrative overhead is reduced. Administrators don't have to waste precious time resetting passwords on shares because users lost or forgot them.

The inherent threat that is associated with the use of SSO is that if a hacker or attacker gains a single user ID and associated password, an entire network can be compromised.

Two-Factor SSO is often a better way to go in order to provide better security in a single sign-on environment. With Two-Factor SSO, a user provides an ID and password combination and is also required to authenticate with a token or biometric device. Most password cracking programs are written with the targeting of SSO operating systems in mind. Use Two-Factor SSO for better security if possible.

Centralized/Decentralized

In the world of security policy and practices there are two main types of access control environments: centralized and decentralized. Centralized access control security practices focus on maintaining and storing user IDs, passwords, permissions, and access rights in a single centralized location. The decentralized approach to network security focuses on the control and storage of user IDs, passwords, permissions, and access rights across an enterprise in multiple locations. Most modern-day client/server networks implement the decentralized approach.

Security Roles and Responsibilities

The Security+ examination might question you on the following security roles and responsibilities. These are very general descriptions that are common to most businesses as well as most information security related exams:

  • Management: Responsible for ensuring that all employees follow security policies and practices. Responsible for protecting all company assets. Responsible for exercising due care in all of their affairs.

  • Owner: Responsible for the protection of company information. The owner's responsibilities include determining the classification level of data, making changes to the classification level, and assigning or delegating who will be responsible for data and the security of data. (Data classification levels are described under the 'Documentation' section later in this chapter.)

  • Custodian: This is a delegated position that is responsible for the protection and testing of data and procedures. Custodian duties include the verification of system backups and restores as well as keeping updated documentation that supports testing and production efforts.

  • User: Anyone who uses data routinely to carry out their normal job responsibilities. Users should be responsible and accountable for the data they work with.


The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
EAN: 2147483647
Year: 2003
Pages: 136