Why secure the OS? Operating System Security. Privilege levels in 80X86 processors. The basis of protection: Seperation. Privilege levels - A problem

Size: px
Start display at page:

Download "Why secure the OS? Operating System Security. Privilege levels in 80X86 processors. The basis of protection: Seperation. Privilege levels - A problem"

Transcription

1 Why secure the OS? Operating System Security Works directly on the hardware but can be adapted during runtime Data and process are directly visible Application security can be circumvented from lower layers => good scope because: Hardware is too narrow and inflexible Application and Network is too broad The basis of protection: Seperation Privilege levels in 80X86 processors Physical separation Processes use different physically devices Temporal separation Process (with different security demands) execute at different time Logical separation Processes and objects are logical separated so that they are not aware of each other Cryptographic separation Data and computation is concealed by cryptography to the outside Procedures can access objects only in their own ring or in outer rings Procedures can invoke subroutines only in their own ring I/O OS... function Privilege levels - A problem Reference Monitor Outer ring procedures have a need to execute procedures on a lower ring e.g. An application (level 4) want to save a file (level 3) Solution: A gate (well defined access way) allow the call (execute only) of lower ring procedures To prevent abuse (outer ring asks lower ring to transfer an object to the outer ring) both the current privilege level and the calling privilege level need to be verified Reference Monitors control access to objects Physical - Memory Management Logical - File Management 1

2 Simple Memory protection Tagged Architecture Simple memory protection Fences Each memory segment has a tag which indicates the memory type which implies the allowed operation or explicitly the allowed operations A tagged architecture can have a high granularity Compatibility of code suffers INT INT OP STR R RW X R AND Result AND Result A fence is a predefined address which separates the a process from another (e.g. The OS and the User spaces) Base and Boundary are variable type of fences Base defines a starting address Boundary defines an upper address limit Different types of base and boundary for different spaces can exist Segmentation Paging Higher granularity then fences because it refers to items (data, code) This implies variable length which makes boundary checks problematic Each address reference can be checked for protection Different protection levels can be assigned to objects Shared objects can have different protection levels for the involved parties Same granularity as segmentation but pages are of fixed size The fixed page size enables more effective boundary checks The associate of protection level to the object will not work because pages cannot be associate to a specific object File Access Explicit: The access rights are explicitly defined e.g. ACL or AC-Matrix Implicit: The access rights are bound to some knowledge and who every posses the knowledge get access e.g. cryptography User Management User a subject with access rights Default User Unix: Root (UID 0), daemon, bin... Windows: Administrator, Guest, SUPPORT... Groups a mean to organize users and add granularity Unix: System(GID 0), terminal... Windows: Users, Power Users, Administrator... 2

3 Root in UNIX/LINUX Become root only when absolutely necessary Allow root access only trough su or sudo Allow root access remotely only when using SSH and sudo Think twice before executing a command as root and use absolute path names Do not specify as / root s home directory Restrict the PATH so that it only contains a minimum number of entries Object management -rwxr-xr-x 1 AZ root 10 Apr 15 21:21 file s instead of x in owner and group means that the owners/groups rights and not the users rights are used t for directories means sticky and prevents users other than the owner or root to delete files in such a directory ACL for Linux available under: Setting of rights during object creation Linux the first permission is set by the program but then umask complement logically added (AND) Windows solves this by inheritance - Container objects (directories) pass their ACL rights to child's (files or directories) This inheritance can be blocked and explicit rights can be defined Inherited ACL cannot be edited (grayed) Windows Security Windows 2000, Windows XP and Windows Server Registry The registry contains a lot of security critical information Operating system security configuration User accounts and password Security activities with and for the registry Set security relevant keys (e.g. Disable insecure hash) regedit.exe Protection of registry entries with AC rights Active Directory Windows network use Active Directory to manage identities and broker relationships between distributed resources In AD a two-way transitive trust is assumed by default 3

4 Active Directory Domain/Group Policies The domain model (each domain contains users, groups and machines) forms a tree of domains Additionally users, groups and computers can be organized in Organizational Units (OU). Domain C (Child) Domain B (Child) Domain A (Root) To regulates security policies are used Domain/group policies regulate for one domain/group Inheritance can be controlled Local computer policy A resultant set of policies is build Security Administration Encrypted File System (EFS) EFS can encrypt/decrypt files transparently (Command Line, Explorer and Backup support) when using the NTFS file system How it works File/Directory encrypted symmetrically (AES in 2003 and DES in XP) with a file encryption key (FEK) FEK is encrypted with the users Public Key and eventually with the recovery keys (if enabled) A list of encrypted FEK is attached to the File Event Monitoring Security tool for Windows Event Log service monitors the system Policies configure the event monitor Event viewer shows the events Management Consol See earlier Security Baseline Analyzer Example in the lecture 4

5 Generic Linux Security Linux Kernel 2.4.x and 2.6.x Do not install packages you do not need Verify the Hash Value of the package/files Do not start services and demons you do not need If you want more security in Linux you can use additionally tools System start-up Lock the BIOS Lock LILO (GRUB) Set the permission to lilo.conf Require a PW when booting in single-user (put the user into a root shell) mode Control the start scripts to see what services are started at which run levels Shadow File Passwords are stored in /etc/passwd Root:toarjakdfnjasdjf:0:0:root:/root:/bin /bash PW are hashed but that is not enough because the file can be access by everyone Solution: /etc/shadow Can only be accessed by root Can age PW s syslog system loging utility PAM Plugable authentication module More info: 5

6 PAM.d A file for each PAM aware application File entry Module type control flag module path arguments Module types auth prompt the user for identification account checks aspects of the users account session provides functions before and after session establishment (e.g. environment...) password responsible for updating the user authentication token PAM.d Control flags required must return success; execution continues requisite must return success; failure stop execution optional not required; if the only it determines sufficientif success all remaining are ignored [value1=action1...] extended control flag for more control Arguments A number of argument regulate the reporting behavior (syslog and application) PAM example auth required /lib/security/pam_securetty.so auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth required /lib/security/pam_deny.so auth required /lib/security/pam_nologin.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so retry=3 password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so session optional /lib/security/pam_console.so Security tools for Linux Bastille Tool to investigate the system weaknesses and harden linux Tripwire Assuring system consistency with check sums CRACK Password cracking program for Linux SARA Vulnerability testing (not only for Linux) Nessus Another scanner where you can also write your own attack scripts... Requirements Trusted operating systems Mechanisms Strong Authentication MAC or RBAC Controlled and monitored invocation of processes Virtualization Assurance 6

7 Security Features I Trusted Solaris Based on standard Solaris SUN Microsystems trustedsolaris/ds-ts8/index.html PAM Authorizations Least privilege is enforced MAC and RBAC support (additionally to DAC) Rights profiles Database of functionally-related procedures which can only be called with specific commands and require pre-defined security attributes Labels Define the required trust to access a resource For each resource a senistivity level is defined. Each subject get a upper and lower clearance level assigned. Access is granted when a match occurs Security Features II Secure desktop based on X11 Trusted Path When security sensitive tasks are conducted the source path is verified Selection Confirmation During cut and paste the security level of the copied is verified and the user (if s/he has the right) can up- /downgrad the level of the copied Trusted Networking and Interconnectivity NFS features MAC and DAC Labeled Printing to print the security level is verified concerning the receiving printer (and evtl. the user) Assurance CC certification Trusted Solaries 8.0 Protection Profiles Labeled Security (LSPP) Role Based Access Control (RBACPP) Controlled Access (CAPP) plus Trusted Desktop and Trusted Networking Assurance Level EAL4+ Some Facts Security-Enhanced Linux Open source secure linux Sponsored by NSA SE-Linux builds on standard Linux and enhance it mainly by MAC Architecture is from DTMach, DTOS, Flask Compatibility Application is promised Kernel Module is promised Default policies are provided which require (minimum) modifications SE-Linux is not a trusted OS because functionality and auditing is lacking! 7

8 Features Type enforced AC (MAC) and RBAC Includes a policy tool that is independent from different policy languages Additional documentation for: Native PAM integration NFS fine grained control Limited secure X-Window system Network security by full IPv6 support Books Linux System Security Mann,Mitchell,Krell, Prentice Hall, ISBN Windows XP Professional Security Weber,Bahadur, McGraw-Hill/Osborne, ISBN Windows Server 2003 Security Infrastructures, DeClercq, Elsevier, ISBN Questions? 8

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

IT Service Delivery And Support Week Four - OS. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao IT Service Delivery And Support Week Four - OS IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 What is an Operating System (OS)? OS is a software that designed to run on specific hardware

More information

Pre-Assessment Answers-1

Pre-Assessment Answers-1 Pre-Assessment Answers-1 0Pre-Assessment Answers Lesson 1 Pre-Assessment Questions 1. What is the name of a statistically unique number assigned to all users on a Windows 2000 system? a. A User Access

More information

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger. Access Control CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Access Control Describe the permissions available to computing processes

More information

Operating system security models

Operating system security models Operating system security models Unix security model Windows security model MEELIS ROOS 1 General Unix model Everything is a file under a virtual root diretory Files Directories Sockets Devices... Objects

More information

RBAC in Solaris 10. Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004

RBAC in Solaris 10. Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004 RBAC in Solaris 10 Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004 Agenda Least Privilege / RBAC in Solaris 10 SMF - Service Management Framework Zones (N1

More information

CS 356 Lecture 7 Access Control. Spring 2013

CS 356 Lecture 7 Access Control. Spring 2013 CS 356 Lecture 7 Access Control Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive,

More information

Datasäkerhet/Data security EDA625 Lect5

Datasäkerhet/Data security EDA625 Lect5 Ch. 6 Unix security Datasäkerhet/Data security EDA625 Lect5 Understand the security features of a typical operating system Users/passwords login procedure user superuser (root) access control (chmod) devices,

More information

Unix, History

Unix, History Operating systems Examples from Unix, VMS, Windows NT on user authentication, memory protection and file and object protection. Trusted Operating Systems, example from PitBull Unix, History Unix, History

More information

LAB #7 Linux Tutorial

LAB #7 Linux Tutorial Gathering information: LAB #7 Linux Tutorial Find the password file on a Linux box Scenario You have access to a Linux computer. You must find the password file on the computer. Objective Get a listing

More information

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms CS 392/681 - Computer Security Module 5 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm next Thursday!!! Read Chapter 2 and 15 of text 10/15/2002 Module 5 - Access Control

More information

What's New with SELinux

What's New with SELinux What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session

More information

IS 2150 / TEL 2810 Information Security and Privacy

IS 2150 / TEL 2810 Information Security and Privacy IS 2150 / TEL 2810 Information Security and Privacy James Joshi Professor, SIS Access Control OS Security Overview Lecture 2, Sept 6, 2016 1 Objectives Understand the basics of access control model Access

More information

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms CS 392/681 - Computer Security Module 6 Access Control: Concepts and Mechanisms Course Policies and Logistics Midterm grades Thursday. Read Chapter 2 and 15 th of text Lab 4 postponed - due next week.

More information

CompTIA SY CompTIA Security+

CompTIA SY CompTIA Security+ CompTIA SY0-501 CompTIA Security+ https://killexams.com/pass4sure/exam-detail/sy0-501 QUESTION: 338 The help desk is receiving numerous password change alerts from users in the accounting department. These

More information

FreeBSD Advanced Security Features

FreeBSD Advanced Security Features FreeBSD Advanced Security Features Robert N. M. Watson Security Research Computer Laboratory University of Cambridge 19 May, 2007 Introduction Welcome! Introduction to some of the advanced security features

More information

Computer Security Operating System Security & Access Control. Dr Chris Willcocks

Computer Security Operating System Security & Access Control. Dr Chris Willcocks Computer Security Operating System Security & Access Control Dr Chris Willcocks Lecture Content Access Control ACMs ACLs Introduction to *NIX security - we ll cover this more due to server popularity -

More information

HP-UX Security I. Ideal candidate for this course Experienced system and network administrators responsible for securing and monitoring HP-UX systems

HP-UX Security I. Ideal candidate for this course Experienced system and network administrators responsible for securing and monitoring HP-UX systems Course Data Sheet HP-UX Security I Course description This course teaches you about the most common HP-UX system security vulnerabilities, and introduces a variety of tools and techniques that can be used

More information

Operating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07

Operating System Security. 0Handouts: Quizzes ProsoftTraining All Rights Reserved. Version 3.07 0Handouts: Lesson 1 Quiz 1. What is the working definition of authentication? a. The ability for a person or system to prove identity. b. Protection of data on a system or host from unauthorized access.

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define access control and list the four access control models Describe logical access control

More information

Securing Linux Systems Before Deployment

Securing Linux Systems Before Deployment Securing Linux Systems Before Deployment Richard Williams Senior Support Services Specialist Symark Why secure Linux systems? Your Linux enterprise installation is growing Assets on Linux systems are becoming

More information

User accounts and authorization

User accounts and authorization User accounts and authorization Authentication vs authorization Authentication: proving the identity of someone Authorization: allowing a user to access certain resources 1 Government authorization documents

More information

Strategic Infrastructure Security

Strategic Infrastructure Security Strategic Infrastructure Security Course Number: SCPSIS Length: Certification Exam There are no exams currently associated with this course. Course Overview This course picks up right where Tactical Perimeter

More information

SERVER HARDENING CHECKLIST

SERVER HARDENING CHECKLIST SERVER HARDENING CHECKLIST WINDOWS 2003 SERVER CHECKLIST This checklist contains server hardening procedures for Windows 2003 Server. The procedures listed in this document are a balance of industry best

More information

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 1.0, Last Edited 09/20/2005 Name of Students: Date of Experiment: Part I: Objective The objective of the exercises

More information

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros

More information

Chapter 1: Windows Platform and Architecture. You will learn:

Chapter 1: Windows Platform and Architecture. You will learn: Chapter 1: Windows Platform and Architecture Windows 2000 product family. New features/facilities of. Windows architecture. Changes to the kernel and kernel architecture. New features/facilities. Kernel

More information

A Survey of Access Control Policies. Amanda Crowell

A Survey of Access Control Policies. Amanda Crowell A Survey of Access Control Policies Amanda Crowell What is Access Control? Policies and mechanisms that determine how data and resources can be accessed on a system. The Players Subjects Objects Semi-objects

More information

MU2b Authentication, Authorization and Accounting Questions Set 2

MU2b Authentication, Authorization and Accounting Questions Set 2 MU2b Authentication, Authorization and Accounting Questions Set 2 1. You enable the audit of successful and failed policy changes. Where can you view entries related to policy change attempts? Lesson 2

More information

RSA ACE/Agent 5.0 for PAM Installation and Configuration Guide

RSA ACE/Agent 5.0 for PAM Installation and Configuration Guide RSA ACE/Agent 5.0 for PAM Installation and Configuration Guide Contact Information See our Web sites for regional Customer Support telephone and fax numbers. RSA Security Inc. RSA Security Ireland Limited

More information

O/S & Access Control. Aggelos Kiayias - Justin Neumann

O/S & Access Control. Aggelos Kiayias - Justin Neumann O/S & Access Control Aggelos Kiayias - Justin Neumann One system Many users Objects that require protection memory I/O devices (disks, printers) programs and processes networks stored data in general Separation

More information

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users

Hardware. Ahmet Burak Can Hacettepe University. Operating system. Applications programs. Users Operating System Security Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Computer System Components Hardware Provides basic computing resources (CPU, memory, I/O devices). Operating system Controls

More information

Data Security and Privacy. Unix Discretionary Access Control

Data Security and Privacy. Unix Discretionary Access Control Data Security and Privacy Unix Discretionary Access Control 1 Readings for This Lecture Wikipedia Filesystem Permissions Other readings UNIX File and Directory Permissions and Modes http://www.hccfl.edu/pollock/aunix1/filepermissions.htm

More information

RedHat Certified Engineer

RedHat Certified Engineer RedHat Certified Engineer Red Hat Certified Engineer (RHCE) is a performance-based test that measures actual competency on live systems. Called the "crown jewel of Linux certifications," RHCE proves an

More information

SQL Server Security. Marek

SQL Server Security. Marek SQL Server Security Marek Chmel Lead Database Administrator @ AT&T MVP: Data Platform MCSE: Data Management and Analytics MCT: Regional Lead Certified Ethical Hacker CEHv8 marek.chmel@technet.ms @MarekChmel

More information

CSE Computer Security

CSE Computer Security CSE 543 - Computer Security Lecture 15 - Linux Security October 18, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Retrofit Security in Existing Systems Upside Operating systems are costly to

More information

Chapter 4: Access Control

Chapter 4: Access Control (DAC) Chapter 4: Comp Sci 3600 Security Outline (DAC) 1 2 (DAC) 3 4 5 Attribute-based control (DAC) The prevention of unauthorized use of a resource, including the prevention of use of a resource in an

More information

Operating System Security

Operating System Security Operating System Security Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Computer System Components Hardware Provides basic computing resources (CPU, memory, I/O devices). Operating system

More information

Part I. Windows XP Overview, Installation, and Startup COPYRIGHTED MATERIAL

Part I. Windows XP Overview, Installation, and Startup COPYRIGHTED MATERIAL Part I Windows XP Overview, Installation, and Startup COPYRIGHTED MATERIAL Chapter 1 What s New in Windows XP? Windows XP suffers somewhat from a dual personality. In some ways it is a significant release,

More information

Operating Systems Security Access Control

Operating Systems Security Access Control Authorization and access control Operating Systems Security Access Control Ozalp Babaoglu From authentication to authorization Once subjects have been authenticated, the next problem to confront is authorization

More information

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015 OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)

More information

Access Control. Steven M. Bellovin September 13,

Access Control. Steven M. Bellovin September 13, Access Control Steven M. Bellovin September 13, 2016 1 Security Begins on the Host Even without a network, hosts must enforce the CIA trilogy Something on the host the operating system aided by the hardware

More information

Operating systems and security - Overview

Operating systems and security - Overview Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,

More information

Operating systems and security - Overview

Operating systems and security - Overview Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,

More information

CIT 470: Advanced Network and System Administration. Topics. Namespaces. Accounts and Namespaces. 1. Namespaces 2. Policies

CIT 470: Advanced Network and System Administration. Topics. Namespaces. Accounts and Namespaces. 1. Namespaces 2. Policies CIT 470: Advanced Network and System Administration Accounts and Namespaces CIT 470: Advanced Network and System Administration Slide #1 Topics 1. Namespaces 2. Policies 1. selection 2. lifetime 3. scope

More information

Jérôme Kerviel. Dang Thanh Binh

Jérôme Kerviel. Dang Thanh Binh Dang Thanh Binh Jérôme Kerviel Rogue trader, lost 4.9 billion Largest fraud in banking history at that time Worked in the compliance department of a French bank Defeated security at his bank by concealing

More information

UNIX/Linux Auditing. Baccam Consulting, LLC Training Events

UNIX/Linux Auditing. Baccam Consulting, LLC Training Events UNIX/Linux Auditing Baccam Consulting, LLC tanya@securityaudits.org Training Events www.securityaudits.org/events.html ***CISSP Course being offered April 25-April 29, 2016 Copyright 2005-2016, Baccam

More information

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Protection. CSE473 - Spring Professor Jaeger.   CSE473 Operating Systems - Spring Professor Jaeger Protection CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ Protection Protect yourself from untrustworthy users in a common space They may try to access your resources Or modify

More information

Security Design in. Avaya Aura Presence Services. Release 5.2. Issue 1

Security Design in. Avaya Aura Presence Services. Release 5.2. Issue 1 Security Design in Avaya Aura Presence Services Release 5.2 Issue 1 November 2009 2009 Avaya Inc. All Rights Reserved. Notice While reasonable efforts were made to ensure that the information in this document

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Microsoft Corporation Windows 2000 Report Number: CCEVS-VR-02-0025 Dated: 25 October 2002

More information

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics Last time User Authentication Beyond passwords Biometrics Security Policies and Models Trusted Operating Systems and Software Military and Commercial Security Policies 9-1 This time Security Policies and

More information

Use Cases for Unix & Linux

Use Cases for Unix & Linux WHITE PAPER 15 Server Privilege Management PowerBroker for Unix & Linux, PowerBroker Identity Services, and PowerBroker for Sudo Table of Contents Executive Summary... 3 15 Common Use Cases... 4 1. Removing

More information

SSH. Partly a tool, partly an application Features:

SSH. Partly a tool, partly an application Features: Internet security SSH 1 Secure Shell: SSH Partly a tool, partly an application Features: Encrypted login and shell connections Easy, drop-in replacements for rlogin, rsh, rcp Multiple means of authentication

More information

Windows Server 2003 Network Administration Goals

Windows Server 2003 Network Administration Goals Objectives Differentiate between the different editions of Windows Server 2003 Explain Windows Server 2003 network models and server roles Identify concepts relating to Windows Server 2003 network management

More information

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems Policy vs. Mechanism CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms q Access control policy is a specification

More information

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week Announcements Access control John Mitchell u Homework Due today. Next assignment out next week u Graders If interested in working as grader, send email to Anupam u Projects Combine some of the project

More information

Red Hat Enterprise Linux

Red Hat Enterprise Linux Red Hat Enterprise Linux Security www.redhat.com A Powerful Collection of Red Hat Enterprise Linux Security Tools Computing security has never been more important. Increasing regulations, differing requirements

More information

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard? We ve seen: Protection: ACLs, Capabilities, and More Some cryptographic techniques Encryption, hashing, types of keys,... Some kinds of attacks Viruses, worms, DoS,... And a distributed authorization and

More information

Introduction to LAN Introduction to TDC 363 Lecture 05 Course Outline What is NOS?

Introduction to LAN Introduction to TDC 363 Lecture 05 Course Outline What is NOS? Introduction to LAN TDC 363 Lecture 05 Nt Network rkoprti Operating Systems tm Windows Based Networking NetWare Based Networking Book Reading: Chapters 8 1 Course Outline Network operating system (NOS)

More information

Operating Systems Linux 1-2 Measurements Background material

Operating Systems Linux 1-2 Measurements Background material Operating Systems Linux 1-2 Measurements Background material Introduction The Linux measurements were designed to allow you to have an impression about the administration of Linux severs along with providing

More information

Getting Started with Linux

Getting Started with Linux Getting Started with Linux For those with experience using Microsoft Windows there will be many familiar ways of operating in a Linux environment. There are also a few key differences. The main differences

More information

the SWIFT Customer Security

the SWIFT Customer Security TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This

More information

CSE 380 Computer Operating Systems

CSE 380 Computer Operating Systems CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms 1 Policy vs. Mechanism q Access control policy is a specification

More information

Linux Essentials. Smith, Roderick W. Table of Contents ISBN-13: Introduction xvii. Chapter 1 Selecting an Operating System 1

Linux Essentials. Smith, Roderick W. Table of Contents ISBN-13: Introduction xvii. Chapter 1 Selecting an Operating System 1 Linux Essentials Smith, Roderick W. ISBN-13: 9781118106792 Table of Contents Introduction xvii Chapter 1 Selecting an Operating System 1 What Is an OS? 1 What Is a Kernel? 1 What Else Identifies an OS?

More information

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

OS Security. Authentication. Radboud University Nijmegen, The Netherlands. Winter 2014/2015 OS Security Authentication Radboud University Nijmegen, The Netherlands Winter 2014/2015 What does an OS do? Definition An operating system (OS) is a computer program that manages access of processes (programs)

More information

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets Protecting Information Assets - Week 10 - Identity Management and Access Control MIS5206 Week 10 Identity Management and Access Control Presentation Schedule Test Taking Tip Quiz Identity Management and

More information

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control Last time Security Policies and Models Bell La-Padula and Biba Security Models Information Flow Control Trusted Operating System Design Design Elements Security Features 10-1 This time Trusted Operating

More information

Storage and File Hierarchy

Storage and File Hierarchy COS 318: Operating Systems Storage and File Hierarchy Jaswinder Pal Singh Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Topics Storage hierarchy File system

More information

COS 318: Operating Systems

COS 318: Operating Systems COS 318: Operating Systems File Systems: Abstractions and Protection Jaswinder Pal Singh Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Topics What s behind

More information

CS 290 Host-based Security and Malware. Christopher Kruegel

CS 290 Host-based Security and Malware. Christopher Kruegel CS 290 Host-based Security and Malware Christopher Kruegel chris@cs.ucsb.edu Windows Windows > 90 % of all computers run Windows when dealing with security issues, it is important to have (some) knowledge

More information

Introduction to Security

Introduction to Security IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Secure Design Principles OS Security Overview Lecture 2 September 4, 2012 1 Objectives Understand the basic principles of

More information

Policy Enforced Remote Login

Policy Enforced Remote Login NPS-CS-03-004 February 2003 white paper The Center for INFOSEC Studies and Research Policy Enforced Remote Login Thuy D. Nguyen and Timothy E. Levin Center for Information Systems Security Studies and

More information

User & Group Administration

User & Group Administration User & Group Administration David Morgan Users useradd/userdel /home/ /etc/passwd is the user database /etc/shadow has passwords (relocated from passwd) /etc/group whoami su / sudo / SUID process

More information

Case Studies in Access Control

Case Studies in Access Control Joint software development Mail 1 / 38 Situations Roles Permissions Why Enforce Access Controls? Unix Setup Windows ACL Setup Reviewer/Tester Access Medium-Size Group Basic Structure Version Control Systems

More information

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000) armahmood786@yahoo.com alphasecure@gmail.com alphapeeler.sf.net/pubkeys/pkey.htm http://alphapeeler.sourceforge.net pk.linkedin.com/in/armahmood

More information

Q) Q) What is Linux and why is it so popular? Answer - Linux is an operating system that uses UNIX like Operating system...

Q) Q) What is Linux and why is it so popular? Answer - Linux is an operating system that uses UNIX like Operating system... Q) Q) What is Linux and why is it so popular? Answer - Linux is an operating system that uses UNIX like Operating system... Q) Q) What is the difference between home directory and working directory? Answer

More information

Managing and Maintaining a Microsoft Windows Server 2003 Environment

Managing and Maintaining a Microsoft Windows Server 2003 Environment COURSE OVERVIEW This course combines five days of instructor-led training with additional e-learning content to provide students with the knowledge and skills that are required to manage accounts and resources,

More information

Post-Class Quiz: Access Control Domain

Post-Class Quiz: Access Control Domain 1. In order to perform data classification process, what must be present? A. A data classification policy. B. A data classification standard. C. A data classification procedure. D. All of the above. 2.

More information

Systems Programming/ C and UNIX

Systems Programming/ C and UNIX Systems Programming/ C and UNIX Alice E. Fischer Lecture 6: Processes October 9, 2017 Alice E. FischerLecture 6: Processes Lecture 5: Processes... 1/26 October 9, 2017 1 / 26 Outline 1 Processes 2 Process

More information

Operating system security

Operating system security Operating system security Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline Access control models in operating systems: 1. Unix 2. Windows Acknowledgements: This

More information

Case Study: Access Control. Steven M. Bellovin October 4,

Case Study: Access Control. Steven M. Bellovin October 4, Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine

More information

<Insert Picture Here> Oracle Solaris 11 Security

<Insert Picture Here> Oracle Solaris 11 Security Oracle Solaris 11 Security Glenn Faden Solaris Security Oracle Corporation Security in Oracle Solaris 11 Built-in, flexible, transparent, hardware assisted Authentication SSH X.509

More information

Unit 2: Manage Files Graphically with Nautilus Objective: Manage files graphically and access remote systems with Nautilus

Unit 2: Manage Files Graphically with Nautilus Objective: Manage files graphically and access remote systems with Nautilus Linux system administrator-i Unit 1: Get Started with the GNOME Graphical Desktop Objective: Get started with GNOME and edit text files with gedit Unit 2: Manage Files Graphically with Nautilus Objective:

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security UNIX Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Genesis: UNIX vs. MULTICS MULTICS (Multiplexed Information and Computing Service) a high-availability,

More information

Secure Architecture Principles

Secure Architecture Principles CS 155 Spring 2016 Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Acknowledgments: Lecture slides are from

More information

Red Hat Enterprise Linux 6 Security Feature Overview. Steve Grubb Principal Engineer, Red Hat June 23, 2010

Red Hat Enterprise Linux 6 Security Feature Overview. Steve Grubb Principal Engineer, Red Hat June 23, 2010 Red Hat Enterprise Linux 6 Security Feature Overview Steve Grubb Principal Engineer, Red Hat June 23, 2010 Overview Minimal Platform Install Libcap-ng OpenSCAP FIPS-140 Stronger Hashes Common Criteria

More information

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components UNIX security Ulf Larson (modified by Erland Jonsson/Magnus Almgren) Computer security group Dept. of Computer Science and Engineering Chalmers University of Technology, Sweden Outline UNIX security ideas

More information

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control Version 2.0, Last Edited 10/1/2006 Students Name: Date of Experiment: Part I: Objective The objective of the exercises

More information

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational

More information

McAfee Certified Assessment Specialist Network

McAfee Certified Assessment Specialist Network McAfee MA0-150 McAfee Certified Assessment Specialist Network Version: 4.0 Topic 1, Volume A QUESTION NO: 1 An attacker has compromised a Linux/Unix host and discovers a suspicious file called "password"

More information

W H IT E P A P E R. Salesforce Security for the IT Executive

W H IT E P A P E R. Salesforce Security for the IT Executive W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login

More information

CS 356 Operating System Security. Fall 2013

CS 356 Operating System Security. Fall 2013 CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database

More information

Exam : Title : Linux Security. Version : DEMO

Exam : Title : Linux Security. Version : DEMO Exam : 212-77 Title : Linux Security Version : DEMO 1.Which of the following is true of Linux passwords? A. They are changed with the password utility. B. They must be changed once a month. C. They may

More information

CISNTWK-11. Microsoft Network Server. Chapter 4

CISNTWK-11. Microsoft Network Server. Chapter 4 CISNTWK-11 Microsoft Network Server Chapter 4 User and Group Accounts 1 Usage Notes Throughout these slides, the term Active Directory Domain implies Domains Based on Windows Server 2008 Based on Windows

More information

You can access data using the FTP/SFTP protocol. This document will guide you in the procedures for configuring FTP/SFTP access.

You can access data using the FTP/SFTP protocol. This document will guide you in the procedures for configuring FTP/SFTP access. You can access data using the FTP/SFTP protocol. This document will guide you in the procedures for configuring FTP/SFTP access. Overview of Configuring FTP/SFTP Access In order to access data using the

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

Exercise Sheet 2. (Classifications of Operating Systems)

Exercise Sheet 2. (Classifications of Operating Systems) Exercise Sheet 2 Exercise 1 (Classifications of Operating Systems) 1. At any given moment, only a single program can be executed. What is the technical term for this operation mode? 2. What are half multi-user

More information

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation Forensics Challenges Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation Introduction Encrypted content is a challenge for investigators Makes it difficult

More information

Host. Computer system #1. Host Hardening

Host. Computer system #1. Host Hardening Host Hardening Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment (March 28, 2016) Abdou Illia Spring 2016 Host In network

More information

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy Topics COS 318: Operating Systems File Systems hierarchy File system abstraction File system operations File system protection 2 Traditional Data Center Hierarchy Evolved Data Center Hierarchy Clients

More information