CSCD 303Essential Computer SecurityFall 2010

Lecture 4 - Desktop SecurityReading:

Overview

• Learning Objectives– Understand the OS security functions– Learn about the different levels of

privilege– Learn about Vista and Linux protection

OS Design Decisions

• Turns out there are design decisions that affect the security of the OS

• Affects ultimate security of the OS and the user experience using the OS• One of the most important decisions is

that the OS is designed as a monolithic program vs. a highly modular design

OS Design Decisions

• Monolithic Design– Integrate a great deal of functionality into

the OS core– Services are interdependent – Core system is larger– Every flaw in a piece of that system is

exposed through all the services that depend on that system

Example

• Windows design - Monolithic– Decided to integrate IE into OS, – Did this in an attempt to put Netscape

out of business, wanted to take over Browser market– Every flaw in IE then exposes desktop to

risks that go beyond the browser– Different if browser was separate

OS Design Decisions

• In contrast, what are the benefits of modular design?– Restricted damage if module has defect– Smaller kernel – Easier to upgrade or repair if flaw• Does not affect so much code

Example

• Linux - All flavors– Modular design from the beginning– Much smaller kernel than Windows– Device drivers and other applications are

not part of the kernel – More restricted as to what needs

administrative privileges

OS Security Overview

• Security within OS's–What services should an OS offer for

security?

OS Security Overview

• Security within OS's–What services should an OS offer for

security?• Secure logon facility

– Authenticate users

• Discretionary Access Control– Allows owner of resource to determine who can

access the resource

• Security Auditing– Record security related events– Keep logs of events

• Object reuse protection– Deleted items or reused memory should be protected

between users

OS Security Overview

• Security within OS's–What services should an OS offer for

security?• Facility Management

– Support for separate account roles for administrative functions

– Users, administrators have different accounts

OS Security functions

• Discuss two of previous functions 1. User authentication2. Access to authorized resources

• User authenticationa. Positively ID the user• Compare to stored identity

b. Authenticate the user• User must provide additional information• Password, biometric attribute, keycard

OS Security functions

• Access to authorized resources– Decision based on access rules– Typically authorization based on user or

group individual membership and– Labels attached to objects

• Example: Windows users with admin privilege – Allowed to both view and change user

accounts

OS's Manage Privilege Level

• Two levels of privilege in modern CPU's• This is offered by the CPU itself, Intel,

AMD– User mode – unprivileged– Kernel mode – privileged

• The OS runs in Kernel mode• User programs – User mode• User programs make calls to the OS– To use the hardware resources– Use the OS API to access hardware

User Powers

• Seems to be a need to have a user with greater powers– Root, superuser or administrator

• Yet, this comes with added risk– If user makes a mistake, can possibly

damage the system– Or, if they get their identity stolen,

attacker has full power to OS

User Powers• Because of this problem of risk from

elevated power, concept of – “Least Privilege”– Only want to operate with the minimum of

needed power to get a job done– So, while I could always log in as administrator,

if I get my account hijacked or I get infected by malware while I am administrator• Attackers then have full access to the machine's

resources

– Example: In Linux Ubuntu, have sudo command

File System Access• In OS's– Data and programs stored as files in

directories– Concept of ownership of files either by

users or the OS itself– Then files have permissions set for reading,

writing or executing them

• Windows– Access control is done by an Access Control

List (ACL)– Ea. object in system – Files, network

shares, directories have an ACL

File System Access• Windows– ACL has users or groups, operations like

read or write, and a permission – allow or deny– How it works• When user, Carol, tries to open a file, the kernel

checks ACL for the file to see if she is allowed or denied access• If not, action fails else Carol is allowed access to

resource

• Linux– Permissions are set for each object• Looks at group, user or everyone for read, write

and execute privileges

Kernel Level Privilege for Outside Code

• Kernel mode programs – Usually come with OS and are developed

by company creating the OS– Need to support other people's programs

– third party programs– Most typical is allowing third party

developers to write programs that support a wide range of peripherals• Printers, video cards, network cards

– Programs, Device Drivers

Windows Privilege Levels• In XP and other pre-Vista versions– Had 2 choices of privilege– 1. Administrator or 2. Normal user• Administrator – access to everything• Normal user – many system level tasks you

needed to do, you couldn't do

– Consequently, most people ran as Administrator most of the time– Most users not even aware of the need

NOT to run as admin

Windows Privilege Levels

• Vista– Have more choices– Can operate as a restricted normal user and

still be able to do almost everything in OS– And when necessary, you can be elevated

to an administrator for a short time to accomplish some task– Known at User Account Control (UAC)– Basically, copied sudo in Linux• Except it seemed to ask far more often !!!

Security Identifiers (SIDs)

Each user account has a SID that uniquely identifies it

Tokens

When you log on, you get a security access token Includes your User Name,

SID, and groups you belong to

Each program you launch gets a copy of your security access token

Token

• Windows Vista splits the access tokens for users with administrative privileges– Vista included only two types of users.

• Administrators• Tokens provided are a “filtered” standard user

token and an “full administrator access” token• Standard Users• Only provided a “standard user” token

– Benefits of the User Account Control (UAC)• Installation of software now requires conscious

action on the part of the user• Malicious code cannot be installed without the

knowledge of the user

Tokens

Account Types

Account Types are a convenience to describe memberships in the most frequently-user groups

Administrator accounts are in the Administrators group

Standard accounts are in the Users group

Guest accounts are in the Guests group

Tasks Only Administrators Can Perform

Create, change, and delete user accounts and groups Install and uninstall programs Configure automatic updating or install Windows updates

manually Install an ActiveX control Install or remove hardware device drivers Share folders Set permissions Access all files, including those in another user’s folder Take ownership of files Copy or move files into the %ProgramFiles% or

%SystemRoot% folders Restore backed-up system files Grant rights to other user accounts and to themselves Configure Parental Controls Configure Windows Firewall

Tasks Available to Standard Users

Change the password and picture for their own user account

Use programs that have been installed on the computer

Install approved ActiveX controls Configure a secure Wi-Fi connection View permissions Create, change, and delete files in their document

folders and in shared document folders Restore their own backed-up files View the system clock and calendar, and change

the time zone Configure power options Log on in Safe Mode

Guests

Guests have privileges similar to Standard accounts

Guests cannot create a password

OS Services• Services are– Processes that run when the OS starts– Not necessarily started by you, but run

by the OS to perform tasks

Windows Vista Services

• Prior to Vista, many Services received LocalSystem privileges

• Problem was LocalSystem account had virtually unlimited access to local machine and network resources• Vista, one big security measures was to protect

running Services by providing them with security token of either LocalService or NetworkService– Are severely limited compared with LocalSystem

• Vista also included tighter security restrictions to ensure that none of the three system accounts has access to sensitive files, folders or processes

The End

• Next Time: See miniAssignment 3

• Next: Lab today, meet in CEB 342