Lesson 2: Privilege Management

Networks exist to provide hardware, software, and information resources to users. To protect those resources from damage and theft, you must limit user access to them. You grant some users full access to particular resources, whereas other users receive partial access. Some users get no access at all, and you might even want to prevent those users from knowing that the resources exist. The process of planning how to assign those resources to your users is called privilege management.


After this lesson, you will be able to

  • Understand how to use groups and roles to manage user privileges

  • Understand how centralized management can simplify the privilege management process

  • Describe the differences between mandatory access control, discretionary access control, and role-based access control

Estimated lesson time: 20 minutes


Understanding User, Group, and Role Management

To grant users access to network resources, most operating systems use a set of rights or permissions. Each right or permission provides the user with a specific privilege. For example, a file system typically has two separate permissions that enable a user to read a file and write to it. When you grant users the read permission only, they can look at the file, but they cannot change it. If certain users have to be able to modify the file, you must grant them the write permission as well.

The object of privilege management is to grant each user the rights and permissions to the specific network resources he or she needs to perform his or her assigned tasks, and no more. As mentioned in Chapter 8, this is called the rule of least privilege (also known as the principle of least privilege). Restricting users' access to only what they need prevents unsophisticated or careless users from accidentally damaging or destroying valuable resources, and prevents unauthorized individuals from doing things they should not. It also limits the damage an attacker can do with a compromised account: a stolen password for an account that can only read the customer database is far less serious than one for an account that can read and modify everything on the server.

In theory, granting privileges to users is a simple task. For example, to give a user access to a particular file, you add an entry to that file's access control list (ACL) containing the user's name and the specific permissions you want that user to have. However, when you consider that a large organization can have thousands of files stored on its servers and thousands of users who need access to various files, the task of privilege management becomes very daunting indeed.

Using Groups

To simplify the process of managing privileges, network operating systems all make it possible to create groups of users. When users are members of a group, they inherit all privileges granted to that group. Therefore, if you have 50 users who all need access to one file, you can create a group with those 50 users as members, and then create one entry in the file's ACL granting privileges to that group. In this way, you are creating one ACL entry instead of 50, which simplifies the process considerably. In addition, the network resources themselves are typically arranged in a hierarchical structure, with permissions flowing downward through it. File systems and directory services let you assign users permission to access a specific object, and the users then inherit access to all of the subordinates of that object. The convenience cuts both ways: a permission granted on a folder near the top of the tree is silently granted on everything created beneath it later, so grants on containers deserve more scrutiny than grants on individual files.

These techniques can make the network administrator's life much easier, but it is important for administrators to learn how to manage users and groups properly and consistently. When deciding how to manage users and groups, network administrators should ask themselves questions such as these:

  • How many groups should we create?

  • What should the groups be called?

  • What criteria should we use when creating groups of users?

  • How many users should there be in each group?

  • What privileges should be assigned to each group?

There are no right and wrong answers to these questions. What is important is that the organization create policies for user and group management and compel everyone involved to adhere to them. If one administrator starts creating groups based on the geographical location of the users' work areas, and another administrator starts creating groups based on the first letter of the users' surnames, chaos is sure to ensue.

Creating Groups

When creating groups, the obvious intent is to group users together that have the same needs. If the workers in the Order Entry department all need to look up names in the customer database, it's common sense to create a group with a name such as Order Entry and grant that group the privileges needed to read the database. This is known as role-based privilege management. You should create groups based on specific tasks that multiple workers have to perform and assign the appropriate privileges to those groups. From that point on, when users take on or are relieved of a task, you simply have to add users or remove them from the right group. Most medium- and large-sized organizations never assign privileges to individual users; all privileges are assigned using groups.

Group management is rarely as simple as this example, however. You might have a large number of order entry workers who must be able to read the customer database, and a handful of supervisors who also need to be able to modify entries in that database. This certainly does not mean that you should grant the entire Order Entry group permission to read and modify the database. Instead, you might create two groups, Order Entry Operators and Order Entry Supervisors, with only the supervisors having permission to change database entries. You then make everyone in the department a member of the Order Entry Operators group, but only those few supervisors should be members of the Order Entry Supervisors group. One user can function in many roles, and therefore can be a member of many groups. The privileges assigned to each group of which a user is a member are then combined to create the user's effective permissions.

The relationships between the privileges assigned to different groups can become complicated. For example, one group might explicitly grant a privilege whereas another group explicitly denies that same privilege. If one user is a member of both groups, what are the user's resulting effective privileges? The answer depends on the operating system in use. Most operating systems define a precedence rule that lets one entry override another; in Windows NTFS, for example, a Deny entry on an object overrides an Allow granted to another of the user's groups on that same object. Before you rely on a combination of group memberships to restrict a user, check the effective permissions the system actually computes for that user rather than reasoning them out from the group definitions alone.
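The way group grants, inheritance down the resource tree, and a Deny entry combine into a user's effective permissions is easier to see in code than in prose. The following is an added example written for this lesson, not code from the training kit or from any operating system: the group names, paths and ACL entries are constructed sample data, and the precedence rule it applies (an explicit Deny from any of the user's groups removes a permission that another group allowed) is an assumption chosen to illustrate the Order Entry scenario above; real systems such as NTFS, NDS or POSIX ACLs each have their own rules.

```python
"""Effective permissions from group-based ACL entries with inheritance.

Added example for the lesson; group names, paths, ACL entries and the
"explicit deny wins" precedence rule are all assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Ace:
    """One access control entry: a principal (user or group) is allowed
    or denied a set of permissions on an object."""
    principal: str
    kind: str                 # "allow" or "deny"
    perms: FrozenSet[str]


# ACLs keyed by object path (constructed sample data). An entry on a
# container applies to the container and, by inheritance, to every
# object beneath it.
ACLS: Dict[str, List[Ace]] = {
    "/data": [
        Ace("Order Entry Operators", "allow", frozenset({READ})),
    ],
    "/data/customers.db": [
        Ace("Order Entry Supervisors", "allow", frozenset({READ, WRITE})),
        Ace("Contractors", "deny", frozenset({WRITE})),
    ],
}

# Group membership (constructed). No privilege is granted to a user
# directly; only group names appear in the ACLs above.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"Order Entry Operators"},
    "bob": {"Order Entry Operators", "Order Entry Supervisors"},
    "carol": {"Order Entry Operators", "Order Entry Supervisors", "Contractors"},
    "dave": set(),
}


def principals_for(user: str) -> Set[str]:
    """The user's own name plus every group the user is a member of.
    An unknown user has no group memberships and so matches no ACE."""
    return {user} | GROUPS.get(user, set())


def ancestors(path: str) -> List[str]:
    """'/data/customers.db' -> ['/data', '/data/customers.db'], root first."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_permissions(user: str, path: str) -> Set[str]:
    """Combine every ACE that names the user or one of the user's groups,
    on the object itself and on each container above it.

    Allows from all matching entries are unioned; an explicit deny from
    any matching entry (the assumed precedence rule) removes that
    permission again, whichever group granted it.
    """
    who = principals_for(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for container in ancestors(path):
        for ace in ACLS.get(container, []):
            if ace.principal not in who:
                continue
            if ace.kind == "allow":
                allowed |= ace.perms
            elif ace.kind == "deny":
                denied |= ace.perms
            else:
                raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return allowed - denied


def check_access(user: str, path: str, perm: str) -> bool:
    """Default deny: a permission is granted only if it survives evaluation."""
    return perm in effective_permissions(user, path)


if __name__ == "__main__":
    for user in GROUPS:
        perms = sorted(effective_permissions(user, "/data/customers.db"))
        print(f"{user:6} /data/customers.db -> {perms}")
```

Running it shows alice with read only (inherited from the grant on /data), bob with read and write (both of his groups contribute), carol with read only even though she is a supervisor (the Contractors deny removes write), and dave with nothing. The same evaluation answers the earlier question about users who belong to many groups: every group's entries are collected first, and only then does the precedence rule decide the result.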

Centralized and Decentralized Management

In the early days of network operating systems, every computer maintained its own user accounts, groups, and permissions. When users needed access to the resources of a particular server, an administrator had to create accounts for them on that server and add them to the appropriate groups. This is known as decentralized management, because each server controlled access to its own resources, and administrators had to travel to each server or access it remotely to manage accounts. For each server a user accessed, the computers performed a separate authentication procedure. In some cases, when a user had the same account name and password on multiple servers, the authentication process occurred in the background and was automatic and invisible, but this still meant a great deal of extra work for network administrators, who had to create all of the accounts. Decentralized management is still available on some operating systems that are intended for small networks, but it is not typically used in large organizations.

Single Sign-On

The standard today is for users to perform a single sign-on when starting a computer session, which grants them access to resources all over the network. In most cases, on private networks, the single sign-on is provided by a directory service, such as Microsoft's Active Directory directory service or Novell Directory Services (NDS). The directory service authenticates the user once against the central account store and then issues credentials that the other servers on the network accept in place of a fresh logon; Active Directory uses the Kerberos protocol for this, and smart-card logon adds a digital certificate to that exchange. Directory services provide centralized management, so administrators only have to create one account for each user, all of which are stored in the same place, and the users only have to type their account names and passwords once. The trade-off is that a single stolen credential now opens every resource the account can reach, so the directory itself, and the administrative accounts that can change it, need the strongest protection on the network.

For Web applications, centralized management is provided by applications such as Microsoft Passport. Users perform a single sign-on that authenticates them with the Passport service, and this grants them access to applications at other Web sites where they are registered.

Auditing

In addition to controlling access to network resources, privilege management typically provides administrators with a means of tracking resource usage, called auditing. Depending on the operating system, auditing might enable the administrator to maintain records of what privileges a particular user possesses, what resources the users accessed, and when. When access control is based on digital certificates, this can provide a nonrepudiation service: a user cannot deny having accessed a particular resource named in the audit, because only that user had control of the certificate that granted access to the resource. That argument holds only if the private key really was under the user's sole control (on a smart card, for example, rather than in a file another person could copy) and the audit log itself is protected from modification; otherwise the record shows which credential was used, not who used it.

In most cases, auditing is an optional feature that you have to enable manually before the system retains any information. The operating system typically saves the audit information to a log file, which administrators should review on a regular basis. To control the amount of disk space consumed by the logs, it is often possible to specify how long information is retained in the log and how detailed the audit information saved to the log should be. It is common for administrators to assume that logging audit information with the greatest amount of detail is best, but this can make it difficult to review the logs later.

For example, logging every instance in which a user successfully accesses a network resource can result in a huge log file that takes a long time to review and yields little or no useful information. You can use this type of information if you are trying to determine how many users access the resource, but in most cases you would be better served by just logging the unsuccessful access attempts. This is likely to result in a much smaller log file, which you can quickly review to see if unauthorized users are attempting to access secured resources. The exception is your most sensitive resources: a log of failures alone cannot show an authorized account being misused, or an attacker who finally succeeds after a string of failures, so successful access to those few resources is worth recording as well.

Reviewing the audit logs on a regular basis is often delegated to a junior administrator. If this is the case, your organization should have policies in place that specify exactly when specific log results should be escalated to someone higher in the management hierarchy, for example when one account accumulates a given number of failed attempts within a short period. Retaining your audit logs for an extended period of time is also a good idea, because you might want to use them in the future to compile statistics regarding your network's resource access patterns, and because they are the evidence you will need to reconstruct an incident that is only discovered months later. Keep a copy on a system that the administrators whose actions are being audited cannot modify.
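A review script makes the policy decisions above concrete: which records to keep, what counts as an escalation, and why successful access to sensitive resources still needs to be logged. The following is an added example written for this lesson, not code from the training kit or from any operating system's auditing facility. The log lines are constructed, the record format (`timestamp user= object= action= result=`) is an assumed one rather than any real system's, and the escalation rule (three failures by one account within five minutes) is an assumption standing in for whatever the organization's policy specifies.

```python
"""Review of a constructed access-audit log.

Added example for the lesson. The record format, the sample lines, the
sensitive-object list and the escalation threshold are all assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log. mallory fails repeatedly against two files and
# later succeeds against payroll.db; a failures-only log would not show
# that success.
SAMPLE_LOG = """\
2002-03-14T09:00:01 user=alice object=/data/customers.db action=read result=SUCCESS
2002-03-14T09:00:45 user=mallory object=/data/customers.db action=write result=FAILURE
2002-03-14T09:01:10 user=mallory object=/data/customers.db action=write result=FAILURE
2002-03-14T09:01:32 user=mallory object=/data/payroll.db action=read result=FAILURE
2002-03-14T09:02:05 user=bob object=/data/customers.db action=write result=SUCCESS
2002-03-14T09:02:40 user=dave object=/data/reports/q1.txt action=read result=FAILURE
2002-03-14T09:03:15 user=mallory object=/data/payroll.db action=read result=FAILURE
2002-03-14T09:30:00 user=mallory object=/data/payroll.db action=read result=SUCCESS
"""

# Assumed record format; any real system has its own.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"object=(?P<obj>\S+) action=(?P<action>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    obj: str
    action: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse every non-blank line. A line that does not match is treated
    as an error rather than skipped: an unparseable audit record is itself
    something the reviewer should see (format change or tampering)."""
    events: List[Event] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised audit record: {line!r}")
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            user=m["user"], obj=m["obj"], action=m["action"], result=m["result"],
        ))
    return events


def failures_by_user(events: List[Event]) -> Counter:
    """The small, quickly reviewed view the lesson recommends: failures only."""
    return Counter(e.user for e in events if e.result == "FAILURE")


def escalate(events: List[Event], threshold: int = 3, window_minutes: int = 5) -> List[str]:
    """Accounts with at least `threshold` failures inside any span of
    `window_minutes`; these are the results the policy says to pass upward."""
    window = timedelta(minutes=window_minutes)
    stamps: Dict[str, List[datetime]] = {}
    for e in events:
        if e.result == "FAILURE":
            stamps.setdefault(e.user, []).append(e.ts)
    flagged: List[str] = []
    for user, times in stamps.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def sensitive_successes(events: List[Event], sensitive: Set[str]) -> List[Tuple[str, str, str]]:
    """Successful access to the few resources where successes are logged too."""
    return [(e.user, e.obj, e.ts.isoformat())
            for e in events if e.result == "SUCCESS" and e.obj in sensitive]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failures:", dict(failures_by_user(evs)))
    print("escalate:", escalate(evs))
    print("sensitive successes:", sensitive_successes(evs, {"/data/payroll.db"}))
```

On the sample, the failures view reports mallory with four failures and dave with one; only mallory crosses the escalation threshold; and the sensitive-object view is the one that reveals mallory's later successful read of payroll.db, which is the record a failures-only policy would have discarded.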

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. Which of the following statements about users and groups is true?

    a. A user can only be a member of one group.

    b. A user's effective permissions can be inherited from multiple groups.

    c. Creating groups enables the network administrator to create fewer user accounts.

    d. Groups cannot have conflicting privileges.

  2. How does centralized administration reduce the workload of the network administrator?

    a. By reducing the number of resources to which users have to be granted privileges.

    b. By reducing the number of groups that need to be created.

    c. By reducing the number of user accounts that need to be created.

    d. By reducing the number of privileges that have to be granted to each user.

  3. When you grant a user account the minimal required permission, what rule are you applying?

Lesson Summary

  • Rather than assign privileges to individual users, operating systems typically enable administrators to create groups, of which users are members. Privileges granted to a group are inherited by all of its members.

  • Creating groups is a matter of determining which users need to have the same privileges.

  • Centralized management, in the form of directory services and other single sign-on applications, has simplified the privilege management process by enabling administrators to create one account for each user, instead of many.

  • Auditing enables administrators to track the privileges granted to a user, the resources that the user has accessed, and the overall usage of a resource.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002