PROTECTING DATA

1
PROTECTING DATA

• Chapter 6

2
DESIGNING AN AUTHORIZATION STRATEGY

• Three main approaches
• User/ACL
• Account Group/ACL
• Account Group/Resource Group

3
DESIGNING GROUP SECURITY

• Delegate the right and responsibility of creating
  groups
• Create restricted groups policies
• Specify group naming conventions

4
APPROACHES TO DESIGNING PERMISSIONS

• Two main approaches
• Remove all permissions and add those required
• Reduce default permissions as required

5
BEST PRACTICES FOR DESIGNING PERMISSIONS

• Use security templates and Group Policy objects
  (GPOs)
• Apply permissions high on a tree, and use
  inheritance
• Avoid changing default permissions
• Avoid assigning Deny permissions

6
THE PROCESS OF HARDENING PERMISSIONS

• Use Microsoft Baseline Security Analyzer (MBSA)
  to identify vulnerabilities
• Review security guides
• Identify missing permissions

7
TROUBLESHOOTING PERMISSIONS WITH AUDITING
8
MBSA IDENTIFYING VULNERABILITIES
9
DESIGNING DELEGATION

• Required for large organizations
• Grants different support groups only the rights
  they need
• Help-desk operators can reset passwords
• Provisioning personnel can add computers to the
  domain
• Security personnel can disable and unlock
  accounts
• Consider delegation when designing organizational
  unit (OU) structure

10
GUIDELINES FOR DELEGATING ADMINISTRATION

• Create security groups for each administrative
  role
• If users perform multiple roles, create roles for
  each separate task
• Assign permissions to OUs, and not directly to
  objects
• Avoid granting Full Control permissions
• Set Active Directory quotas for users who can
  create objects

11
DEFAULT AUDITING SETTINGS

• Do not support auditing
• Microsoft Windows 95, Windows 98, Windows Me
• Do not have auditing enabled
• Microsoft Windows NT, Windows 2000, Windows XP
• Has auditing enabled
• Microsoft Windows Server 2003

12
ARCHIVING AUDIT LOGS

• Do not allow audit logs to be automatically
  deleted
• Archive logs to a central computer or to
  removable media with
• Dumpel.exe
• Microsoft Operations Manager (MOM)
• Archived logs enable you to identify an attack
  that occurred months ago

13
AUDITING FOR INTRUSION DETECTION

• Not effective because
• Too difficult to monitor Security event logs
• Too many benign events occur
• Too difficult to identify attack from event logs
• Too difficult to correlate events on different
  computers
• Use third-party intrusion-detection software
  (IDS) instead

14
USING EVENTCOMBMT
15
AUDITING LOGON EVENTS

• Users log on or log off with local accounts
• Attackers attempt password-guessing attacks
  against the local user database
• Users attempt to log on with local accounts after
  hours or without proper privileges
• A user attempts to use a locked out local account

16
AUDITING ACCOUNT LOGON EVENTS

• Users log on or log off with domain accounts
• Attackers attempt password-guessing attacks
  against the domain
• Users attempt to log on with domain accounts
  after hours or without proper privileges
• A user attempts to use a locked out domain account

17
AUDITING ACCOUNT MANAGEMENT

• New user accounts are created
• Passwords are changed
• Accounts are disabled or enabled
• Security group memberships are changed
• Accounts are locked out

18
AUDITING DIRECTORY SERVICES ACCESS

• Required to audit Active Directory objects
• Must enable Directory Services Access auditing,
  and then enable auditing on individual resources
• Enable this type of auditing only on key Active
  Directory objects

19
AUDITING OBJECT ACCESS

• Required to audit files, folders, registry keys,
  and other local resources
• Must also enable auditing on individual resources
• Useful for troubleshooting missing permissions
• Useful for tracking access to critical files

20
AUDITING POLICY CHANGE

• Tracks changes to policies, including rights
  attackers will attempt to gain
• Act as part of the operating system
• Backup files or folders
• Debug programs
• Load device drivers
• Manage the Security events log
• Take ownership of files

21
AUDITING PRIVILEGE USE

• Tracks the usage of important privileges
• Act as part of the operating system
• Backup files or folders
• Debug programs
• Load device drivers
• Manage the Security events log
• Take ownership of files

22
AUDITING PROCESS TRACKING

• Used to examine processes on a very detailed
  level
• Not typically useful in security auditing

23
AUDITING SYSTEM EVENTS

• When a computer shuts down
• When a computer starts
• Can identify when employees arrive or leave work
• Can identify when a thief stole an internal
  component (memory)

24
USING EFS

• Protects data when operating system security is
  bypassed
• Useful for
• Notebooks that might be stolen
• Attackers with bootable CD-ROMs

25
EMERGENCY BOOT CD WITHOUT EFS
26
EMERGENCY BOOT CD WITH EFS
27
EFS BEST PRACTICES

• Audit EFS to ensure that files remain encrypted
• Encrypt folders instead of confidential files
• Have key recovery agents available
• Train users to enable encryption

28
SUMMARY

• Most enterprises should use the account/group
  resource group authorization method
• Delegate administrative rights, but do it
  carefully, and with auditing
• There are two ways to assign permissions
• Remove all permissions and assign only those
  necessary
• Restrict default permissions to reduce the risk
  of specific vulnerabilities

29
SUMMARY (CONT.)

• Auditing is useful for identifying a compromise
  after the fact, but not for IDS
• Use EFS to protect files when an attacker can
  bypass the operating system