
Table 15.1 Access Control System Commands

Rule | Command (by S0) | Authorization | Operation
R1 | … to S, X | α* in A[S0, X] | store {α*, α} in A[S, X]
R2 | grant {α*, α} to S, X | 'owner' in A[S0, X] | store {α*, α} in A[S, X]
R3 | delete α from S, X | 'control' in A[S0, S] or 'owner' in A[S0, X] | delete α from A[S, X]
R4 | w ← read S, X | 'control' in A[S0, S] or 'owner' in A[S0, X] | copy A[S, X] into w
R5 | create object X | None | add column for X to A; store 'owner' in A[S0, X]
R6 | destroy object X | 'owner' in A[S0, X] | delete column for X from A
R7 | create subject S | None | add row for S to A; execute create object S; store 'control' in A[S, S]
R8 | destroy subject S | 'owner' in A[S0, S] | delete row for S from A; execute destroy object S
The set of rules in Table 15.1 is an example of the rule set that could be defined for an access control system. The following are examples of additional or alternative rules that could be included. A transfer-only right could be defined, which results in the transferred right being added to the target subject and deleted from the transferring subject. The number of owners of an object or a subject could be limited to one by not allowing the copy flag to accompany the owner right.

The ability of one subject to create another subject and to have 'owner' access right to that subject can be used to define a hierarchy of subjects. For example, in Figure 15.5, S1 owns S2 and S3, so that S2 and S3 are subordinate to S1. By the rules of Table 15.1, S1 can grant and delete to S2 access rights that S1 already has. Thus, a subject can create another subject with a subset of its own access rights. This might be useful, for example, if a subject is invoking an application that is not fully trusted, and does not want that application to be able to transfer access rights to other subjects.
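The rules of Table 15.1 and the subject hierarchy just described, worked through in code. This is an added example, not code from the book; subject and object names (S1, S2, S3, X) follow the text, and the copy flag is spelled as a trailing asterisk on the right name.

```python
"""Access matrix with the command rules R1-R8 of Table 15.1 (added example, not the book's code)."""


class Unauthorized(Exception):
    """Raised when the Authorization column of a rule is not satisfied by S0."""


class AccessMatrix:
    """A[S, X] is a set of right names; a right carrying the copy flag is spelled 'a*'."""

    def __init__(self):
        self.A = {}  # subject -> {object -> set of rights}

    def rights(self, s, x):
        return self.A.get(s, {}).get(x, set())

    def _store(self, s, x, alpha, with_copy_flag):
        self.A.setdefault(s, {}).setdefault(x, set()).add(alpha + "*" if with_copy_flag else alpha)

    # R1: transfer {a*, a} to S, X        authorization: a* in A[S0, X]
    def transfer(self, s0, alpha, s, x, with_copy_flag=False):
        if alpha + "*" not in self.rights(s0, x):
            raise Unauthorized(f"{s0} holds no {alpha}* on {x}")
        self._store(s, x, alpha, with_copy_flag)

    # R2: grant {a*, a} to S, X           authorization: 'owner' in A[S0, X]
    def grant(self, s0, alpha, s, x, with_copy_flag=False):
        if "owner" not in self.rights(s0, x):
            raise Unauthorized(f"{s0} is not owner of {x}")
        self._store(s, x, alpha, with_copy_flag)

    def _controls_or_owns(self, s0, s, x):
        # shared authorization of R3 and R4: 'control' in A[S0, S] or 'owner' in A[S0, X]
        return "control" in self.rights(s0, s) or "owner" in self.rights(s0, x)

    # R3: delete a from S, X
    def delete(self, s0, alpha, s, x):
        if not self._controls_or_owns(s0, s, x):
            raise Unauthorized(f"{s0} neither controls {s} nor owns {x}")
        self.rights(s, x).discard(alpha)

    # R4: w <- read S, X                  copies A[S, X] into w
    def read(self, s0, s, x):
        if not self._controls_or_owns(s0, s, x):
            raise Unauthorized(f"{s0} neither controls {s} nor owns {x}")
        return set(self.rights(s, x))

    # R5: create object X                 no authorization; S0 becomes owner
    def create_object(self, s0, x):
        self._store(s0, x, "owner", False)

    # R6: destroy object X                authorization: 'owner' in A[S0, X]
    def destroy_object(self, s0, x):
        if "owner" not in self.rights(s0, x):
            raise Unauthorized(f"{s0} is not owner of {x}")
        for row in self.A.values():
            row.pop(x, None)  # delete the column for X

    # R7: create subject S                add row, create S as an object, S controls itself
    def create_subject(self, s0, s):
        self.A.setdefault(s, {})
        self.create_object(s0, s)
        self._store(s, s, "control", False)

    # R8: destroy subject S               authorization: 'owner' in A[S0, S]
    def destroy_subject(self, s0, s):
        if "owner" not in self.rights(s0, s):
            raise Unauthorized(f"{s0} is not owner of {s}")
        self.destroy_object(s0, s)  # execute destroy object S
        self.A.pop(s, None)         # delete the row for S


def permitted(command, *args):
    """Run one command and report whether its authorization held."""
    try:
        command(*args)
        return True
    except Unauthorized:
        return False


def hierarchy_demo():
    """The Figure 15.5 situation: S1 owns S2 and S3 and hands S2 a subset of its rights."""
    m = AccessMatrix()
    m.create_subject("S1", "S1")             # root subject: owns and controls itself
    m.create_object("S1", "X")               # R5: S1 owns X
    m.create_subject("S1", "S2")             # R7: S1 owns S2, S2 controls itself
    m.create_subject("S1", "S3")
    m.grant("S1", "read", "S2", "X")         # R2: read without the copy flag
    m.grant("S1", "write", "S1", "X", True)  # S1 gives itself write*
    m.transfer("S1", "write", "S2", "X")     # R1: holding write* lets S1 pass plain write on
    # S2 holds 'read' but not 'read*', so R1 refuses to propagate it to S3
    leaked = permitted(m.transfer, "S2", "read", "S3", "X")
    m.delete("S1", "write", "S2", "X")       # R3: S1 owns X, so it may revoke
    return {"S2_on_X": m.read("S1", "S2", "X"),  # R4
            "S3_on_X": m.rights("S3", "X"),
            "leaked": leaked}
```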

Role-Based Access Control

Traditional DAC systems define the access rights of individual users and groups of users. In contrast, RBAC is based on the roles that users assume in a system rather than the user's identity. Typically, RBAC models define a role as a job function within an organization. RBAC systems assign access rights to roles instead of individual users. In turn, users are assigned to different roles, either statically or dynamically, according to their responsibilities.

RBAC now enjoys widespread commercial use and remains an area of active research. The National Institute of Standards and Technology (NIST) has issued a standard, Security Requirements for Cryptographic Modules (FIPS PUB 140-2, May 25, 2001), that requires support for access control and administration through roles.

The relationship of users to roles is many-to-many, as is the relationship of roles to resources, or system objects (Figure 15.7). The set of users changes, in some environments frequently, and the assignment of a user to one or more roles may also be dynamic. The set of roles in the system in most environments is likely to be static, with only occasional additions or deletions. Each role will have specific access rights to one or more resources. The set of resources and the specific access rights associated with a particular role are also likely to change infrequently.

Figure 15.7 Users, Roles, and Resources

We can use the access matrix representation to depict the key elements of an RBAC system in simple terms, as shown in Figure 15.8. The upper matrix relates individual users to roles. Typically there are many more users than roles. Each matrix entry is either blank or marked, the latter indicating that this user is assigned to this role. Note that a single user may be assigned multiple roles (more than one mark in a row) and that multiple users may be assigned to a single role (more than one mark in a column). The lower matrix has the same structure as the DAC matrix, with roles as subjects. Typically, there are few roles and many objects, or resources. In this matrix the entries are the specific access rights enjoyed by the roles. Note that a role can be treated as an object, allowing the definition of role hierarchies.

RBAC lends itself to an effective implementation of the principle of least privilege. That is, each role should contain the minimum set of access rights needed for that role. A user is assigned to a role that enables him or her to perform only what is required for that role. Multiple users assigned to the same role enjoy the same minimal set of access rights.

Figure 15.8 Access Control Matrix Representation of RBAC

15.4 UNIX Access Control

Traditional UNIX File Access Control

Most UNIX systems depend on, or at least are based on, the file access control scheme introduced with the early versions of UNIX. Each UNIX user is assigned a unique user identification number (user ID). A user is also a member of a primary group, and possibly a number of other groups, each identified by a group ID. When a file is created, it is designated as owned by a particular user and marked with that user's ID. It also belongs to a specific group, which initially is either its creator's primary group or the group of its parent directory if that directory has SetGID permission set. Associated with each file is a set of 12 protection bits. The owner ID, group ID, and protection bits are part of the file's inode.

Nine of the protection bits specify read, write, and execute permission for the owner of the file, other members of the group to which this file belongs, and all other users. These form a hierarchy of owner, group, and all others, with the highest relevant set of permissions being used. Figure 15.9a shows an example in which the file owner has read and write access, all other members of the file's group have read access, and users outside the group have no access rights to the file. When applied to a directory, the read and write bits grant the right to list and to create/rename/delete files in the directory.[8] The execute bit grants the right to search the directory for a component of a filename.

[8] Note that the permissions that apply to a directory are distinct from those that apply to any file or directory it contains. The fact that a user has the right to write to the directory does not give the user the right to write to a file in that directory. That is governed by the permissions of the specific file. The user would, however, have the right to rename the file.

Figure 15.9 UNIX File Access Control

The remaining three bits define special additional behavior for files or directories. Two of these are the set user ID (SetUID) and set group ID (SetGID) permissions. If these are set on an executable file, the operating system functions as follows. When a user (with execute privileges for this file) executes the file, the system temporarily allocates the rights of the user's ID of the file creator, or the file's group, respectively, to those of the user executing the file. These are known as the effective user ID and effective group ID and are used in addition to the real user ID and real group ID of the executing user when making access control decisions for this program. This change is only effective while the program is being executed. This feature enables the creation and use of privileged programs that may use files normally inaccessible to other users. It enables users to access certain files in a controlled fashion. Alternatively, when applied to a directory, the SetGID permission indicates that newly created files will inherit the group of this directory. The SetUID permission is ignored.

The final permission bit is the Sticky bit. When set on a file, this originally indicated that the system should retain the file contents in memory following execution. This is no longer used. When applied to a directory, though, it specifies that only the owner of any file in the directory can rename, move, or delete that file. This is useful for managing files in shared temporary directories.

One particular user ID is designated as superuser. The superuser is exempt from the usual file access control constraints and has systemwide access. Any program that is owned by, and SetUID to, the superuser potentially grants unrestricted access to the system to any user executing that program. Hence, great care is needed when writing such programs.

This access scheme is adequate when file access requirements align with users and a modest number of groups of users. For example, suppose a user wants to give read access for file X to users A and B and read access for file Y to users B and C. We would need at least two user groups, and user B would need to belong to both groups in order to access the two files. However, if there are a large number of different groupings of users requiring a range of access rights to different files, then a very large number of groups may be needed to provide this. This rapidly becomes unwieldy and difficult to manage, even if possible at all.[9] One way to overcome this problem is to use access control lists, which are provided in most modern UNIX systems.

[9] Most UNIX systems impose a limit on the maximum number of groups any user may belong to, as well as to the total number of groups possible on the system.

A final point to note is that the traditional UNIX file access control scheme implements a simple protection domain structure. A domain is associated with the user, and switching the domain corresponds to changing the user ID temporarily.

Access Control Lists in UNIX

Many modern UNIX and UNIX-based operating systems support access control lists, including FreeBSD, OpenBSD, Linux, and Solaris. In this section, we describe the FreeBSD approach, but other implementations have essentially the same features and interface. The feature is referred to as extended access control list, while the traditional UNIX approach is referred to as minimal access control list.

FreeBSD allows the administrator to assign a list of UNIX user IDs and groups to a file by using the setfacl command. Any number of users and groups can be associated with a file, each with three protection bits (read, write, execute), offering a flexible mechanism for assigning access rights. A file need not have an ACL but may be protected solely by the traditional UNIX file access mechanism. FreeBSD files include an additional protection bit that indicates whether the file has an extended ACL.

FreeBSD and most UNIX implementations that support extended ACLs use the following strategy (e.g., Figure 15.9b):

1. The owner class and other class entries in the 9-bit permission field have the same meaning as in the minimal ACL case.
2. The group class entry specifies the permissions for the owner group for this file. These permissions represent the maximum permissions that can be assigned to named users or named groups, other than the owning user. In this latter role, the group class entry functions as a mask.
3. Additional named users and named groups may be associated with the file, each with a three-bit permission field. The permissions listed for a named user or named group are compared to the mask field. Any permission for the named user or named group that is not present in the mask field is disallowed.

When a process requests access to a file system object, two steps are performed. Step 1 selects the ACL entry that most closely matches the requesting process. The ACL entries are looked at in the following order: owner, named users, owning or named groups, and others. Only a single entry determines access. Step 2 checks if the matching entry contains sufficient permissions. A process can be a member in more than one group, so more than one group entry can match. If any of these matching group entries contain the requested permissions, one that contains the requested permissions is picked (the result is the same no matter which entry is picked). If none of the matching group entries contains the requested permissions, access will be denied no matter which entry is picked.
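The 12-bit protection field, the minimal owner/group/other check and the two-step extended ACL algorithm above, implemented together as an added example (not code from the book or from FreeBSD). The uids, gids and mode values are constructed for the Figure 15.9 situation; in practice the kernel consults the most specific matching class, which is what the owner-before-group-before-other ordering below does.

```python
"""Minimal (9-bit) and extended (FreeBSD-style) UNIX ACL evaluation; added example, not from the text."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # the r, w, x bits of one rwx triplet (0o7 = rwx)
SETUID, SETGID, STICKY = 0o4000, 0o2000, 0o1000  # the three special bits of the 12-bit field


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset  # primary group plus any supplementary groups


@dataclass
class FileACL:
    owner_uid: int
    owner_gid: int
    mode: int                          # full 12-bit protection field, e.g. 0o640 or 0o4755
    named_users: dict = field(default_factory=dict)   # uid -> rwx bits (extended ACL only)
    named_groups: dict = field(default_factory=dict)  # gid -> rwx bits (extended ACL only)
    extended: bool = False             # FreeBSD's extra bit: file carries an extended ACL

    def owner_perms(self):
        return (self.mode >> 6) & 7

    def group_class(self):
        # owning-group permissions in the minimal case; doubles as the mask in the extended case
        return (self.mode >> 3) & 7

    def other_perms(self):
        return self.mode & 7


def special_bits(mode):
    """Split out SetUID, SetGID and Sticky from a 12-bit mode."""
    return {"setuid": bool(mode & SETUID), "setgid": bool(mode & SETGID), "sticky": bool(mode & STICKY)}


def minimal_check(proc, f, want):
    """Traditional UNIX: the most specific matching class decides, owner before group before other."""
    if proc.uid == f.owner_uid:
        perms = f.owner_perms()
    elif f.owner_gid in proc.gids:
        perms = f.group_class()
    else:
        perms = f.other_perms()
    return want & perms == want


def extended_check(proc, f, want):
    """The two-step FreeBSD algorithm: pick the closest entry, then test its permissions."""
    if not f.extended:
        return minimal_check(proc, f, want)
    mask = f.group_class()
    if proc.uid == f.owner_uid:                       # 1st: owner entry, not masked
        return want & f.owner_perms() == want
    if proc.uid in f.named_users:                     # 2nd: named user, bounded by the mask
        return want & f.named_users[proc.uid] & mask == want
    group_entries = []                                # 3rd: owning group or named groups
    if f.owner_gid in proc.gids:
        group_entries.append(f.group_class())         # the group class entry itself
    group_entries += [perms & mask for gid, perms in f.named_groups.items() if gid in proc.gids]
    if group_entries:
        # a process in several groups may match several entries; any one holding
        # every requested bit grants, otherwise access is denied whichever is picked
        return any(want & perms == want for perms in group_entries)
    return want & f.other_perms() == want             # 4th: others


def figure_15_9_demo():
    """Constructed sample: owner rw-, group r--, others --- (Figure 15.9a), then the same file
    with an extended ACL naming one extra user and one extra group (Figure 15.9b style)."""
    alice = Process(uid=1000, gids=frozenset({100}))       # owner
    bob = Process(uid=1001, gids=frozenset({100}))         # member of the owning group
    carol = Process(uid=1002, gids=frozenset({200}))       # outsider
    dave = Process(uid=1003, gids=frozenset({200, 300}))   # matches a named group only
    minimal = FileACL(owner_uid=1000, owner_gid=100, mode=0o640)
    ext = FileACL(1000, 100, 0o640, named_users={1002: R | W | X},
                  named_groups={300: R | W}, extended=True)
    return {
        "minimal": [minimal_check(alice, minimal, R | W), minimal_check(bob, minimal, R),
                    minimal_check(bob, minimal, W), minimal_check(carol, minimal, R)],
        # carol is listed rwx, but the mask (group class r--) strips w and x
        "carol_ext": [extended_check(carol, ext, R), extended_check(carol, ext, W)],
        # dave's named group says rw-, masked down to r--
        "dave_ext": [extended_check(dave, ext, R), extended_check(dave, ext, W)],
    }
```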

15.5 Operating Systems Hardening

The first critical step in securing a system is to secure the base operating system upon which all other applications and services rely. A good security foundation needs a properly installed, patched, and configured operating system. Unfortunately, the default configuration for many operating systems often maximizes ease of use and functionality, rather than security. Further, since every organization has its own security needs, the appropriate security profile, and hence configuration, will also differ. What is required for a particular system should be identified during the planning phase, as we have just discussed.

While the details of how to secure each specific operating system differ, the broad approach is similar. Appropriate security configuration guides and checklists exist for most common operating systems, and these should be consulted, though always informed by the specific needs of each organization and their systems. In some cases, automated tools may be available to further assist in securing the system configuration.

[NIST08] suggests the following basic steps should be used to secure an operating system:

- Install and patch the operating system
- Harden and configure the operating system to adequately address the identified security needs of the system by:
  - Removing unnecessary services, applications, and protocols
  - Configuring users, groups, and permissions
  - Configuring resource controls
- Install and configure additional security controls, such as antivirus, host-based firewalls, and intrusion detection systems (IDS), if needed
- Test the security of the basic operating system to ensure that the steps taken adequately address its security needs

Operating System Installation: Initial Setup and Patching

System security begins with the installation of the operating system. As we have already noted, a network-connected, unpatched system is vulnerable to exploit during its installation or continued use. Hence it is important that the system not be exposed while it is in this vulnerable state. Ideally new systems should be constructed on a protected network. This may be a completely isolated network, with the operating system image and all available patches transferred to it using removable media such as DVDs or USB drives. Given the existence of malware that can propagate using removable media, care is needed to ensure the media used here is not so infected. Alternatively, a network with severely restricted access to the wider Internet may be used. Ideally it should have no inbound access, and have outbound access only to the key sites needed for the system installation and patching process. In either case, the full installation and hardening process should occur before the system is deployed to its intended, more accessible, and hence vulnerable, location.

The initial installation should comprise the minimum necessary for the desired system, with additional software packages included only if they are required for the function of the system. We explore the rationale for minimizing the number of packages on the system shortly.

The overall boot process must also be secured. This may require adjusting options on, or specifying a password required for changes to, the BIOS code used when the system initially boots. It may also require limiting which media the system is normally permitted to boot from. This is necessary to prevent an attacker from changing the boot process to install a covert hypervisor or to just boot a system of their choice from external media in order to bypass the normal system access controls on locally stored data. The use of a cryptographic file system may also be used to address this threat, as we note later.

Care is also required with the selection and installation of any additional device driver code, since this executes with full kernel-level privileges, but is often supplied by a third party. The integrity and source of such driver code must be carefully validated given the high level of trust it has. A malicious driver can potentially bypass many security controls to install malware.

Given the continuing discovery of software and other vulnerabilities for commonly used operating systems and applications, it is critical that the system be kept as up to date as possible, with all critical security-related patches installed. Nearly all commonly used systems now provide utilities that can automatically download and install security updates. These tools should be configured and used to minimize the amount of time a system is vulnerable to weaknesses for which patches are available.

Note that on change-controlled systems, you should not run automatic updates, because security patches can, on rare but significant occasions, introduce instability. For systems on which availability and uptime are of paramount importance, therefore, you should stage and validate all patches on test systems before deploying them in production.

Remove Unnecessary Services, Applications, and Protocols

Because any of the software running on a system may contain software vulnerabilities, clearly if fewer software packages are available to run, then the risk is reduced. There is clearly a balance between usability, providing all software that may be required at some time, and security and a desire to limit the amount of software installed. The range of services, applications, and protocols required will vary widely between organizations, and indeed between systems within an organization. The system planning process should identify what is actually required for a given system, so that a suitable level of functionality is provided, while eliminating software that is not required to improve security.

The default configuration for most distributed systems is set to maximize ease of use and functionality, rather than security. When performing the initial installation, the supplied defaults should not be used, but rather the installation should be customized so that only the required packages are installed. If additional packages are needed later, they can be installed when they are required. [NIST08] and many of the security hardening guides provide lists of services, applications, and protocols that should not be installed if not required.

[NIST08] also states a strong preference for not installing unwanted software, rather than installing and then later removing or disabling it. They argue this preference because they note that many uninstall scripts fail to completely remove all components of a package. They also note that disabling a service means that while it is not available as an initial point of attack, should an attacker succeed in gaining some access to a system, then disabled software could be re-enabled and used to further compromise a system. It is better for security if unwanted software is not installed, and thus not available for use at all.

Configure Users, Groups, and Authentication

Not all users with access to a system will have the same access to all data and resources on that system. All modern operating systems implement access controls to data and resources. Nearly all provide some form of discretionary access controls. Some systems may provide role-based or mandatory access control mechanisms as well.

The system planning process should consider the categories of users on the system, the privileges they have, the types of information they can access, and how and where they are defined and authenticated. Some users will have elevated privileges to administer the system; others will be normal users, sharing appropriate access to files and other data as required; and there may even be guest accounts with very limited access. The third of the four key DSD mitigation strategies is to restrict elevated privileges to only those users that require them. Further, it is highly desirable that such users only access elevated privileges when needed to perform some task that requires them, and to otherwise access the system as a normal user. This improves security by providing a smaller window of opportunity for an attacker to exploit the actions of such privileged users. Some operating systems provide special tools or access mechanisms to assist administrative users to elevate their privileges only when necessary, and to appropriately log these actions.

One key decision is whether the users, the groups they belong to, and their authentication methods are specified locally on the system, or will use a centralized authentication server. Whichever is chosen, the appropriate details are now configured on the system.

Also at this stage, any default accounts included as part of the system installation should be secured. Those which are not required should be either removed or at least disabled. System accounts that manage services on the system should be set so they cannot be used for interactive logins. And any passwords installed by default should be changed to new values with appropriate security.

Any policy that applies to authentication credentials, and especially to password security, is also configured. This includes details of which authentication methods are accepted for different methods of account access. And it includes details of the required length, complexity, and age allowed for passwords.

Configure Resource Controls

Once the users and their associated groups are defined, appropriate permissions can be set on data and resources to match the specified policy. This may be to limit which users can execute some programs, especially those that modify the system state, or to limit which users can read or write data in certain directory trees. Many of the security hardening guides provide lists of recommended changes to the default access configuration to improve security.

Install Additional Security Controls

Further security improvement may be possible by installing and configuring additional security tools such as antivirus software, host-based firewalls, IDS or IPS software, or application whitelisting. Some of these may be supplied as part of the operating system's installation, but not configured and enabled by default. Others are third-party products that are acquired and used.

Given the widespread prevalence of malware, appropriate antivirus (which, as noted, addresses a wide range of malware types) is a critical security component on many systems. Antivirus products have traditionally been used on Windows systems, since their high use made them a preferred target for attackers. However, the growth in other platforms, particularly smartphones, has led to more malware being developed for them. Hence appropriate antivirus products should be considered for any system as part of its security profile.

Host-based firewalls, IDS, and IPS software also may improve security by limiting remote network access to services on the system. If remote access to a service is not required, though some local access is, then such restrictions help secure such services from remote exploit by an attacker. Firewalls are traditionally configured to limit access by port or protocol, from some or all external systems. Some may also be configured to allow access from or to specific programs on the systems, to further restrict the points of attack, and to prevent an attacker installing and accessing their own malware. IDS and IPS software may include additional mechanisms such as traffic monitoring or file integrity checking to identify and even respond to some types of attack.

Another additional control is to whitelist applications. This limits the programs that can execute on the system to just those in an explicit list. Such a tool can prevent an attacker installing and running their own malware, and was the last of the four key DSD mitigation strategies. While this will improve security, it functions best in an environment with a predictable set of applications that users require. Any change in software usage would require a change in the configuration, which may result in increased IT support demands. Not all organizations or all systems will be sufficiently predictable to suit this type of control.

Test the System Security

The final step in the process of initially securing the base operating system is security testing. The goal is to ensure that the previous security configuration steps are correctly implemented and to identify any possible vulnerabilities that must be corrected or managed.

Suitable checklists are included in many security hardening guides. There are also programs specifically designed to review a system to ensure that a system meets the basic security requirements, and to scan for known vulnerabilities and poor configuration practices. This should be done following the initial hardening of the system, and then repeated periodically as part of the security maintenance process.

15.6 Security Maintenance

Once the system is appropriately built, secured, and deployed, the process of maintaining security is continuous. This results from the constantly changing environment, the discovery of new vulnerabilities, and hence exposure to new threats. [NIST08] suggests that this process of security maintenance includes the following additional steps:

- Monitoring and analyzing logging information
- Performing regular backups
- Recovering from security compromises
- Regularly testing system security
- Using appropriate software maintenance processes to patch and update all critical software, and to monitor and revise configuration as needed

We have already noted the need to configure automatic patching and update where possible, or to have a process to manually test and install patches on configuration-controlled systems, and that the system should be regularly tested using checklists or automated tools where possible.

Logging

[NIST08] notes that logging is a cornerstone of a sound security posture. Logging is a reactive control that can only inform you about bad things that have already happened. But effective logging helps ensure that in the event of a system breach or failure, system administrators can more quickly and accurately identify what happened and thus most effectively focus their remediation and recovery efforts. The key is to ensure you capture the correct data in the logs and then appropriately monitor and analyze this data. Logging information can be generated by the system, network, and applications. The range of logging data acquired should be determined during the system planning stage, as it depends on the security requirements and information sensitivity of the server.

Logging can generate significant volumes of information. It is important that sufficient space is allocated for them. A suitable automatic log rotation and archive system should also be configured to assist in managing the overall size of the logging information.

Manual analysis of logs is tedious and is not a reliable means of detecting adverse events. Rather, some form of automated analysis is preferred, as it is more likely to identify abnormal activity.

Data Backup and Archive

Performing regular backups of data on a system is another critical control that assists with maintaining the integrity of the system and user data. There are many reasons why data can be lost from a system, including hardware or software failures, or accidental or deliberate corruption. There may also be legal or operational requirements for the retention of data. Backup is the process of making copies of data at regular intervals, allowing the recovery of lost or corrupted data over relatively short time periods of a few hours to some weeks. Archive is the process of retaining copies of data over extended periods of time, being months or years, in order to meet legal and operational requirements to access past data. These processes are often linked and managed together, although they do address distinct needs.

The needs and policy relating to backup and archive should be determined during the system planning stage. Key decisions include whether the backup copies should be kept online or offline, and whether copies should be stored locally or transported to a remote site. The trade-offs include ease of implementation and cost versus greater security and robustness against different threats.

A good example of the consequences of poor choices here was seen in the attack on an Australian hosting provider in early 2011. The attackers destroyed not only the live copies of thousands of customers' sites but also all of the online backup copies. As a result, many customers who had not kept their own backup copies lost all of their site content and data, with serious consequences for many of them, and for the hosting provider as well. In other examples, many organizations who only retained on-site backups have lost all their data as a result of fire or flooding in their IT center. These risks must be appropriately evaluated.

15.7 Windows Security

A good example of the access control concepts we have been discussing is the Windows access control facility, which uses object-oriented concepts to provide a powerful and flexible access control capability.

Windows provides a uniform access control facility that applies to processes, threads, files, semaphores, windows, and other objects. Access control is governed by two entities: an access token associated with each process and a security descriptor associated with each object for which interprocess access is possible.

Access Control Scheme

When a user logs on to a Windows system, Windows uses a name/password scheme to authenticate the user. If the logon is accepted, a process is created for the user and an access token is associated with that process object. The access token, whose details are described later, includes a security ID (SID), which is the identifier by which this user is known to the system for purposes of security. The token also contains SIDs for the security groups to which the user belongs. If the initial user process spawns a new process, the new process object inherits the same access token.

The access token serves two purposes:

1. It keeps all necessary security information together to speed access validation. When any process associated with a user attempts access, the security subsystem can make use of the token associated with that process to determine the user's access privileges.
2. It allows each process to modify its security characteristics in limited ways without affecting other processes running on behalf of the user.

The chief significance of the second point has to do with privileges that may be associated with a user. The access token indicates which privileges a user may have. Generally, the token is initialized with each of these privileges in a disabled state. Subsequently, if one of the user's processes needs to perform a privileged operation, the process may enable the appropriate privilege and attempt access. It would be undesirable to share the same token among all of the user's processes, because in that case enabling a privilege for one process enables it for all of them.

Associated with each object for which interprocess access is possible is a security descriptor. The chief component of the security descriptor is an access control list that specifies access rights for various users and user groups for this object. When a process attempts to access this object, the SIDs in the process token are matched against the access control list of the object to determine if access will be allowed or denied.

When an application opens a reference to a securable object, Windows verifies that the object's security descriptor grants the process the requested access. If the check succeeds, Windows caches the resulting granted access rights.

An important aspect of Windows security is the concept of impersonation, which simplifies the use of security in a client/server environment. If client and server talk through an RPC connection, the server can temporarily assume the identity of the client so that it can evaluate a request for access relative to that client's rights. After the access, the server reverts to its own identity.

Access Token

Figure 15.10a shows the general structure of an access token, which includes the following parameters:

- Security ID: Identifies a user uniquely across all of the machines on the network. This generally corresponds to a user's logon name. Special user SIDs were added in Windows 7 for use by processes and services. These specially managed SIDs are designed for secure management; they do not use the ordinary password policies human accounts do.
- Group SIDs: A list of the groups to which this user belongs. A group is simply a set of user IDs that are identified as a group for purposes of access control. Each group has a unique group SID. Access to an object can be defined on the basis of group SIDs, individual SIDs, or a combination. There is also an SID which reflects the process integrity level (low, medium, high, or system).
- Privileges: A list of security-sensitive system services that this user may call, for example, CreateToken. Another example is the SetBackupPrivilege; users with this privilege are allowed to use a backup tool to back up files that they normally would not be able to read.
- Default owner: If this process creates another object, this field specifies the owner of the new object. Generally, the owner of a new object is the same as the owner of the spawning process. However, a user may specify that the default owner of any processes spawned by this process is a group SID to which this user belongs.
- Default ACL: This is an initial list of protections applied to the objects that the user creates. The user may subsequently alter the ACL for any object that it owns or that one of its groups owns.

Figure 15.10 Windows Security Structures

Security Descriptors

Figure 15.10b shows the general structure of a security descriptor, which includes the following parameters:

- Flags: Define the type and contents of a security descriptor. They indicate whether or not the SACL and DACL are present, whether or not they were placed on the object by a defaulting mechanism, and whether the pointers in the descriptor use absolute or relative addressing. Relative descriptors are required for objects that are transmitted over a network, such as information transmitted in an RPC.
- Owner: The owner of the object can generally perform any action on the security descriptor. The owner can be an individual or a group SID. The owner has the authority to change the contents of the DACL.
- System access control list (SACL): Specifies what kinds of operations on the object should generate audit messages. An application must have the corresponding privilege in its access token to read or write the SACL of any object. This is to prevent unauthorized applications from reading SACLs (thereby learning what not to do to avoid generating audits) or writing them (to generate many audits to cause an illicit operation to go unnoticed). The SACL also specifies the object integrity level. Processes cannot modify an object unless the process integrity level meets or exceeds the level on the object.
- Discretionary access control list (DACL): Determines which users and groups can access this object for which operations. It consists of a list of access control entries (ACEs).
Whenanobjectiscreated,thecreatingprocesscanassignasowneritsownSIDoranygroup
SIDinitsaccesstoken.Thecreatingprocesscannotassignanownerthatisnotinthecurrent
accesstoken.Subsequently,anyprocessthathasbeengrantedtherighttochangetheowner
ofanobjectmaydoso,butagainwiththesamerestriction.Thereasonfortherestrictionisto
preventauserfromcoveringhisorhertracksafterattemptingsomeunauthorizedaction.
Letuslookinmoredetailatthestructureofaccesscontrollists,becausetheseareattheheart
oftheWindowsaccesscontrolfacility(
Figure15.10c
).Eachlistconsistsofanoverallheader
andavariablenumberofaccesscontrolentries.Eachentryspecifiesanindividualoragroup
SIDandanaccessmaskthatdefinestherightstobegrantedtothisSID.Whenaprocess
attemptstoaccessanobject,theobjectmanagerintheWindowsExecutivereadstheSIDand
groupSIDsfromtheaccesstokenalongwiththeintegritylevelSID.Iftheaccessrequested
includesmodifyingtheobject,theintegritylevelischeckedagainsttheobjectintegritylevelin
theSACL.Ifthattestpasses,theobjectmanagerthenscansdowntheobjectsDACL.Ifa
matchisfoundthatis,ifanACEisfoundwithanSIDthatmatchesoneoftheSIDsfromthe
accesstokenthentheprocesscanhavetheaccessrightsspecifiedbytheaccessmaskin
thatACE.Thisalsomayincludedenyingaccess,inwhichcasetheaccessrequestfails.The
firstmatchingACEdeterminestheresultoftheaccesscheck.
Figure 15.11 shows the contents of the access mask. The least significant 16 bits specify access rights that apply to a particular type of object. For example, bit 0 for a file object is FILE_READ_DATA access and bit 0 for an event object is EVENT_QUERY_STATE access. The most significant 16 bits of the mask contain bits that apply to all types of objects. Five of these are referred to as standard access types:
Synchronize: Gives permission to synchronize execution with some event associated with this object. In particular, this object can be used in a wait function.
Write_owner: Allows a program to modify the owner of the object. This is useful because the owner of an object can always change the protection on the object. (The owner may not be denied Write_DAC access.)
Write_DAC: Allows the application to modify the DACL and hence the protection on this object.
Read_control: Allows the application to query the owner and DACL fields of the security descriptor of this object.
Delete: Allows the application to delete this object.
Figure 15.11 Access Mask
The high-order half of the access mask also contains the four generic access types. These bits provide a convenient way to set specific access types in a number of different object types. For example, suppose an application wishes to create several types of objects and ensure that users have read access to the objects, even though read has a somewhat different meaning for each object type. To protect each object of each type without the generic access bits, the application would have to construct a different ACE for each type of object and be careful to pass the correct ACE when creating each object. It is more convenient to create a single ACE that expresses the generic concept "allow read", simply apply this ACE to each object that is created, and have the right thing happen. That is the purpose of the generic access bits, which are as follows:
Generic_all: Allows all access
Generic_execute: Allows execution if executable
Generic_write: Allows write access
Generic_read: Allows read-only access
The generic bits also affect the standard access types. For example, for a file object, the Generic_Read bit maps to the standard bits Read_Control and Synchronize and to the object-specific bits File_Read_Data, File_Read_Attributes, and File_Read_EA. Placing an ACE on a file object that grants some SID Generic_Read grants those five access rights as if they had been specified individually in the access mask.
The remaining two bits in the access mask have special meanings. The Access_System_Security bit allows modifying audit and alarm control for this object. However, not only must this bit be set in the ACE for an SID, but the access token for the process with that SID must also have the corresponding privilege enabled.
Finally, the Maximum_Allowed bit is not really an access bit, but a bit that modifies the algorithm for scanning the DACL for this SID. Normally, Windows will scan through the DACL until the matching access-allowed ACEs have granted every right requested by the process, or until a matching access-denied ACE withholds one of the requested rights, or until it reaches the end of the DACL; in the latter two cases access is denied. The Maximum_Allowed bit instead asks for the largest set of access rights that the DACL will allow to a given user: the scan continues over the whole DACL, accumulating the rights granted to the token's SIDs and leaving out any that an earlier access-denied ACE withheld. With this in mind, suppose that an application does not know all of the operations that it is going to be asked to perform on an object during a session. There are three options for requesting access:
1. Attempt to open the object for all possible accesses. The disadvantage of this approach is that access may be denied even though the application may have all of the access rights actually required for this session.
2. Only open the object when a specific access is requested, and open a new handle to the object for each different type of request. This is generally the preferred method because it will not unnecessarily deny access, nor will it allow more access than necessary. In many cases the object itself does not need to be referenced a second time, but the DuplicateHandle function can be used to make a copy of the handle with a lower level of access.
3. Attempt to open the object for as much access as the object will allow this SID. The advantage is that the client application will not be artificially denied access, but the application may have more access than it needs. This latter situation may mask bugs in the application.
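The access-mask layout and the DACL scan described above, including the Maximum_Allowed variant, as an added Python model; this is not part of the original text and not Windows' own code. The bit positions and the file-object GENERIC_MAPPING values are the real winnt.h constants; the Ace class, the string SIDs, alice's token and the two sample DACLs are constructed for the example. The model goes slightly beyond the text in two places a practitioner should know about: the owner of an object is given Read_Control and Write_DAC before the DACL is consulted (the guarantee behind the Write_owner note above), and a DACL of None stands for a NULL DACL, which protects nothing, whereas an empty DACL grants nothing.

```python
# Model of the Windows access mask and DACL evaluation (illustrative, not Windows code).
from dataclasses import dataclass

# Standard access types: high-order half of the mask (bit positions as in winnt.h)
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000
WRITE_OWNER, SYNCHRONIZE = 0x00080000, 0x00100000
STANDARD_RIGHTS_ALL = 0x001F0000
# The two bits with special meaning
ACCESS_SYSTEM_SECURITY, MAXIMUM_ALLOWED = 0x01000000, 0x02000000
# Generic access types: the top four bits
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000
GENERIC_BITS = GENERIC_ALL | GENERIC_EXECUTE | GENERIC_WRITE | GENERIC_READ
# File-object-specific rights: the low-order 16 bits
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0080, 0x0100
FILE_ALL_ACCESS = STANDARD_RIGHTS_ALL | 0x01FF

# GENERIC_MAPPING for file objects: what each generic bit expands to.
FILE_GENERIC_MAPPING = {
    GENERIC_READ: READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA
                  | FILE_READ_ATTRIBUTES | FILE_READ_EA,
    GENERIC_WRITE: READ_CONTROL | SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA
                   | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA,
    GENERIC_EXECUTE: READ_CONTROL | SYNCHRONIZE | FILE_READ_ATTRIBUTES | FILE_EXECUTE,
    GENERIC_ALL: FILE_ALL_ACCESS,
}


def map_generic_mask(mask, mapping=FILE_GENERIC_MAPPING):
    """Expand generic bits into standard and object-specific rights, as the
    object manager does before comparing a mask against ACEs."""
    specific = mask & ~GENERIC_BITS
    for generic_bit, rights in mapping.items():
        if mask & generic_bit:
            specific |= rights
    return specific


@dataclass(frozen=True)
class Ace:
    allow: bool   # True: ACCESS_ALLOWED_ACE, False: ACCESS_DENIED_ACE
    sid: str      # SID in string form
    mask: int     # access mask; may contain generic bits


def access_check(token_sids, dacl, desired, owner_sid=None, mapping=FILE_GENERIC_MAPPING):
    """Scan `dacl` in order for a token holding `token_sids`.

    Returns (granted, rights). With MAXIMUM_ALLOWED in `desired`, `rights` is
    everything the token could obtain instead of a yes/no answer.
    """
    want_max = bool(desired & MAXIMUM_ALLOWED)
    desired = map_generic_mask(desired & ~MAXIMUM_ALLOWED, mapping)
    if dacl is None:  # a NULL DACL (unlike an empty one) protects nothing
        return True, (map_generic_mask(GENERIC_ALL, mapping) if want_max else desired)
    granted = denied = 0
    if owner_sid is not None and owner_sid in token_sids:
        granted |= READ_CONTROL | WRITE_DAC   # the owner can always rewrite the DACL
    for ace in dacl:
        if not want_max and desired & ~granted == 0:
            break                             # request fully satisfied: stop scanning
        if ace.sid not in token_sids:
            continue
        ace_mask = map_generic_mask(ace.mask, mapping)
        if ace.allow:
            granted |= ace_mask & ~denied
        else:
            if not want_max and ace_mask & desired & ~granted:
                return False, 0               # deny on a still-wanted right: fail now
            denied |= ace_mask
    if want_max:
        return granted != 0, granted
    if desired & ~granted:
        return False, 0                       # end of DACL reached: implicit deny
    return True, desired


# Constructed sample data (not from any real system): alice's token and one file's DACL.
ALICE_SID, DOMAIN_USERS = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-513"
CONTRACTORS, EVERYONE = "S-1-5-21-1-1-1-1102", "S-1-1-0"
ALICE_TOKEN = {ALICE_SID, DOMAIN_USERS, EVERYONE}
SAMPLE_DACL = [  # canonical order: deny ACEs before allow ACEs
    Ace(allow=False, sid=DOMAIN_USERS, mask=FILE_WRITE_DATA | FILE_APPEND_DATA),
    Ace(allow=True, sid=EVERYONE, mask=GENERIC_READ),
    Ace(allow=True, sid=CONTRACTORS, mask=GENERIC_WRITE),
]
NONCANONICAL_DACL = [  # allow before deny: the deny is never reached for a write request
    Ace(allow=True, sid=EVERYONE, mask=GENERIC_ALL),
    Ace(allow=False, sid=DOMAIN_USERS, mask=FILE_WRITE_DATA),
]

if __name__ == "__main__":
    for label, wanted in (("read", GENERIC_READ), ("write", FILE_WRITE_DATA),
                          ("maximum", MAXIMUM_ALLOWED)):
        ok, rights = access_check(ALICE_TOKEN, SAMPLE_DACL, wanted)
        print(f"{label:8s} granted={ok!s:5s} rights={rights:#010x}")
```

With the sample data, alice can read (the Everyone allow entry expands Generic_Read to the five rights the text lists, 0x00120089), cannot write (the Domain Users deny entry is reached before any allow entry could satisfy the request), and a Maximum_Allowed request returns exactly those five read rights. NONCANONICAL_DACL shows why the canonical order matters: a write request from alice is granted by the Everyone Generic_all entry and the scan ends before the deny entry is examined.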
An important feature of Windows security is that applications can make use of the Windows security framework for user-defined objects. For example, a database server might create its own security descriptors and attach them to portions of a database. In addition to normal read/write access constraints, the server could secure database-specific operations, such as scrolling within a result set or performing a join. It would be the server's responsibility to define the meaning of special rights and perform access checks. But the checks would occur in a standard context, using systemwide user/group accounts and audit logs. The extensible security model should also prove useful to implementers of non-Microsoft file systems.
15.8 Summary
The scope of operating system security is broad. This chapter focuses on some of the most important topics. The most prominent issue for OS security is countering threats from intruders and malicious software. Intruders attempt to gain unauthorized access to system resources, while malicious software is designed to penetrate system defenses and become executable on target systems. Countermeasures to both types of threat include intrusion detection systems, authentication protocols, access control mechanisms, and firewalls.
One of the most common techniques for compromising OS security is the buffer overflow attack. This is a condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. System designers use a variety of compile-time and run-time defenses to counter this type of attack.
Another important area of security defense is access control. Access control measures include those that secure access to the file system and to the OS user interface. Traditional techniques for access control are referred to as discretionary access control. A more flexible approach that has gained considerable support is role-based access control, in which access depends not only on the identity of the user but on the specific role that user can assume for a specific task or set of tasks.
15.9 Recommended Reading
The topics in this chapter are covered in more detail in [STAL12].
STAL12 Stallings, W., and Brown, L. Computer Security: Principles and Practice. Upper Saddle River, NJ: Pearson, 2012.
15.10 Key Terms, Review Questions, and Problems
Key Terms
access control
access control list (ACL)
access control policy
access matrix
address space randomization
authentication
buffer overrun
buffer overflow
capability tickets
discretionary access control (DAC)
file system access control
firewall
guard page
intruder
intrusion detection
logging
malicious software
malware
role-based access control (RBAC)
stack overflow
Review Questions
15.1 What are typical access rights that may be granted or denied to a particular user for a particular file?
15.2 List and briefly define three classes of intruders.
15.3 In general terms, what are four means of authenticating a user's identity?
15.4 Briefly describe the difference between DAC and RBAC.
15.5 What types of programming languages are vulnerable to buffer overflows?
15.6 What are the two broad categories of defenses against buffer overflows?
15.7 List and briefly describe some of the defenses against buffer overflows that can be used when compiling new programs.
15.8 List and briefly describe some of the defenses against buffer overflows that can be implemented when running existing, vulnerable programs.
Problems
15.1 State some threats that result from a process running with administrator or root privileges on a system.
15.2 In the context of an IDS, we define a false positive to be an alarm generated by an IDS in which the IDS alerts to a condition that is actually benign. A false negative occurs when an IDS fails to generate an alarm when an alert-worthy condition is in effect. Using the following diagram, depict two curves that roughly indicate false positives and false negatives, respectively.
15.3 Rewrite the function shown in Figure 15.2a so that it is no longer vulnerable to a stack buffer overflow.
15.4 For the DAC model discussed in Section 15.3, an alternative representation of the protection state is a directed graph. Each subject and each object in the protection state is represented by a node (a single node is used for an entity that is both subject and object). A directed line from a subject to an object indicates an access right, and the label on the link defines the access right.
a. Draw a directed graph that corresponds to the access matrix of Figure 15.3a.
b. Draw a directed graph that corresponds to the access matrix of Figure 15.5.
c. Is there a one-to-one correspondence between the directed graph representation and the access matrix representation? Explain.
15.5 Set-user (SetUID) and set-group (SetGID) programs and scripts are a powerful mechanism provided by Unix to support controlled invocation to manage access to sensitive resources. However, precisely because of this it is a potential security hole, and bugs in such programs have led to many compromises on Unix systems. Detail a command you could use to locate all set-user or set-group scripts and programs on a Unix system, and how you might use this information.
15.6 User ahmed owns a directory, stuff, containing a text file called ourstuff.txt that he shares with users belonging to the group staff. Those users may read and change this file, but not delete it. They may not add other files to the directory. Others may neither read nor write or execute anything in stuff. What would appropriate ownerships and permissions for both the directory stuff and the file ourstuff.txt look like? (Write your answers in the form of long listing output.)
15.7 UNIX treats file directories in the same fashion as files; that is, both are defined by the same type of data structure, called an inode. As with files, directories include a 9-bit protection string. If care is not taken, this can create access control problems. For example, consider a file with protection mode 644 (octal) contained in a directory with protection mode 730. How might the file be compromised in this case?
15.8 In the traditional UNIX file access model, UNIX systems provide a default setting for newly created files and directories, which the owner may later change. The default is typically full access for the owner combined with one of the following: no access for group and other, read/execute access for group and none for other, or read/execute access for both group and other. Briefly discuss the advantages and disadvantages of each of these cases, including an example of a type of organization where each would be appropriate.
15.9 Consider user accounts on a system with a Web server configured to provide access to user Web areas. In general, this scheme uses a standard directory name, such as public_html, in a user's home directory. This acts as the user's Web area if it exists. However, to allow the Web server to access the pages in this directory, it must have at least search (execute) access to the user's home directory, read/execute access to the Web directory, and read access to any Web pages in it. Consider the interaction of this requirement with the cases you discussed for the preceding problem. What consequences does this requirement have? Note that a Web server typically executes as a special user and in a group that is not shared with most users on the system. Are there some circumstances when running such a Web service is simply not appropriate? Explain.
15.10 Assume a system with N job positions. For job position i, the number of individual users in that position is U_i and the number of permissions required for the job position is P_i.
a. For a traditional DAC scheme, how many relationships between users and permissions must be defined?
b. For an RBAC scheme, how many relationships between users and permissions must be defined?
15.11 Why is logging important? What are its limitations as a security control? What are the pros and cons of remote logging?
15.12 Consider an automated audit log analysis tool (e.g., swatch). Can you propose some rules which could be used to distinguish suspicious activities from normal user behavior on a system for some organization?
15.13 What are the advantages and disadvantages of using a file integrity checking tool (e.g., tripwire)? This is a program which notifies the administrator of any changes to files on a regular basis. Consider issues such as which files you really only want to change rarely, which files may change more often, and which may change often. Discuss how this influences the configuration of the tool, especially as to which parts of the file system are scanned, and how much work monitoring its responses imposes on the administrator.
15.14 Some have argued that Unix/Linux systems reuse a small number of security features in many contexts across the system, while Windows systems provide a much larger number of more specifically targeted security features used in the appropriate contexts. This may be seen as a tradeoff between simplicity versus lack of flexibility in the Unix/Linux approach against a better targeted but more complex and harder to correctly configure approach in Windows. Discuss this tradeoff as it impacts on the security of these respective systems, and the load placed on administrators in managing their security.