Chapter 3 dnis


Published in: Technology, Business
  1. The Stuff You Want
  2. • The basic unit of security management in Windows is a securable object. A securable object is some type of object that can have permissions applied to it. Different types of securable objects include:
     • Files
     • Directories
     • Services
     • Active Directory objects
     • Registry keys
     • Threads
     • Firewall ports
     • Kernel objects
     • Processes
     • Window stations and desktops
     2012/09/11 Compiled by Liezel Grobler - LU3 DNIS
  3. • All securable objects have one thing in common: they have a security descriptor (SD) associated with them. The SD is the construct that contains all the security information associated with the object. Its control field contains a number of flags that describe the nature of the security descriptor.
     • The following are pointers in a security descriptor:
     • Owner
     • Group
     • SACL
     • DACL
  4. • Three types of access control lists:
     • Discretionary access control list (DACL) – Records permissions on an object and can be managed by the administrator or the object owner.
     • System access control list (SACL) – Identical to a DACL in structure. SACLs control which access attempts get audited.
     • Mandatory access control list (MACL) – Records permissions on an object. It is not managed by any given user; all data receives a label specifying its sensitivity.
  5. • An access control entry (ACE) defines the subject and what permissions that subject has to the object.
     • ACLs can be inherited from parent objects by child objects.
     • Generic permissions:
     • GR – Generic Read
     • GW – Generic Write
     • GX – Generic Execute
     • GA – Combination of GR, GW, and GX
  6. • When a user logs on to a Windows computer, the operating system creates a token for the user. This token contains a statement of who the user (the subject) is, which groups it is a member of, and what privileges it has.
     • The log-on type is denoted by several SIDs in the security token:
     • The LOCAL SID, which means the user logged on at a terminal physically connected to the computer.
     • The LOGON SID, which is an identifier for the log-on session assigned to this user.
     • The INTERACTIVE SID, which states that the user is logged on interactively to the computer.
     • When a process attempts to access a securable object, the operating system compares the access token first to the DACL and then to the SACL on the object.
  7. • The comparison with the DACL focuses on three factors:
     • The requested access
     • The SIDs in the token
     • The ACEs in the object's DACL
     • ACEs should be stored in an ACL in a defined order:
     • Non-inherited deny ACEs
     • Non-inherited allow ACEs
     • Inherited deny ACEs
     • Inherited allow ACEs
  8. • Change ACLs (cacls) is a command-line tool built into Windows.
     • Icacls includes advanced features:
     • Saving and restoring ACLs
     • Substituting SIDs
     • Changing the owner
     • Resetting ACLs
     • Setting the integrity level
     • Viewing SDDL
     • Removing inherited permissions
     • Finding all permissions for a particular user
     • SC, the command-line service configuration utility, can show and manage ACLs on services.
  9. • Subinacl is the only tool that can manage permissions on all of these objects:
     • Files
     • Services
     • Printers
     • Processes
     • Shares
     • Registry keys
     • Kernel objects
     • SAM objects
  10. • Major access control changes in Windows Server 2008:
     • TrustedInstaller permissions
     • Network location SIDs
     • File system namespace changes
     • Power Users permissions removed
     • OWNER_RIGHTS and owner rights
     • User rights and privileges are different constructs. User rights only govern the methods by which a user can log on. Privileges determine what users can do after they have logged on.
     • Authorization Manager (AZMAN) is used to allow third-party developers to implement their own access control mechanisms. Developers can leverage AZMAN to implement a role-based access control (RBAC) system.
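The DACL comparison on slide 7 (requested access, SIDs in the token, ACEs in the DACL) and the generic rights on slide 5 can be modelled in a few lines. This is an added illustration written for these notes, not code from the slides or from Windows; the bit values, the `Ace` class and the SIDs in the sample are constructed placeholders, and the check is a simplified model of the real kernel routine.

```python
from dataclasses import dataclass

# Generic access rights from slide 5. Bit values are simplified for this model;
# the real generic rights occupy the top bits of the 32-bit access mask.
GR, GW, GX = 0x1, 0x2, 0x4
GA = GR | GW | GX  # Generic All = GR + GW + GX


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny, for which SID, which rights, inherited or not."""
    allow: bool
    sid: str
    mask: int
    inherited: bool = False


def canonical_order(dacl):
    """Sort ACEs into the order slide 7 prescribes: non-inherited deny, non-inherited
    allow, inherited deny, inherited allow. sorted() is stable, so ties keep their order."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(token_sids, dacl, requested):
    """Simplified model of the DACL check. A missing DACL (None) grants everything, an
    empty DACL grants nothing. ACEs are walked in stored order: a deny ACE for a token SID
    that covers a still-unsatisfied bit rejects the request, allow ACEs accumulate rights,
    and the walk stops as soon as every requested bit has been granted."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue  # this ACE is not about any principal in the token
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed sample (placeholder SIDs, not real ones): a user and the group it belongs
# to, with a DACL that allows the user read+write but denies the group write. Stored in
# canonical order the deny wins; stored allow-first, as here, the write slips through.
SAMPLE_TOKEN = {"S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-513"}
SAMPLE_DACL = [
    Ace(allow=True, sid="S-1-5-21-EXAMPLE-1001", mask=GR | GW),
    Ace(allow=False, sid="S-1-5-21-EXAMPLE-513", mask=GW),
]
```

Running `access_check` on `SAMPLE_DACL` as stored and then on `canonical_order(SAMPLE_DACL)` shows why the ordering rule on slide 7 matters: the same ACEs grant write in one order and refuse it in the other.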