Operating system security (a brief)
2. IBM Global Business Services
Objectives
What is OS Security ?
OS security breakdown
Security in different OS environments
© 2007 2 OS Security March-2007 IBM Corporation
3. Introduction
OS security is important
• Fundamental basis of most systems
• Control hardware/software resources
4. Road Map
OS security basics
Security For User Accounts
File Systems
Networking
Architecture
Authentication
Unix Authentication
PAM
Windows Authentication
GINA
Access Control
Impersonation
Logging And Auditing
API
Memory Protection
Buffer Overflow
SAP On Windows
SAP User Security
Best Practices On SAP-Windows Environments
Best Practices On SAP-Unix/Linux Environments
5. OS security basics
Security is typically achieved based on
• separation and controlled sharing
Separation applies to (everything)
• Internal resources, typically process memory and OS data structures
• User resources, typically files
• System resources from normal users
Sharing with access control protection
6. OS security basics
Separation and controlled sharing require
• Memory protection
• Subjects (users and processes) identification and authentication
• Objects (files and other resources) identification
• Access control for all
7. Accounts
User identification and authentication
• Based on account identifier and credentials
Accounts hold user rights and privileges
• For access control
Accounts may belong to groups
• Group has associated rights and privileges
• Group-based access control
8. UNIX accounts
Each user has an account
• On a computer or an NIS(+) domain
• Non-human users are for system processes
Account has name and password
• Authentication based on hashed password
• OS supports password strength, aging policies
• Add-on support for other mechanisms such as Kerberos, S/Key, etc. is available
A user may belong to many groups
• Has the groups’ rights
• But effectively only 1 group at a time
9. Windows accounts
Each user has an account
• On a computer and/or an Active Directory domain
• Non-human accounts are for system processes
Account typically has name and password
• Authentication based on Kerberos or hashed password (for NT compatibility only)
• OS supports password strength, aging policies
• Certificates and smartcards are also supported (in 2000/XP, but not commonly used yet)
A user may belong to many groups
• Has the union of the groups’ rights at any time
10. Networking
Most systems allow users network access
OS tools and services enable this access
• They have their own security issues
The required integrated network access is explained later
• Integrated domain authentication
• Network file shares
11. UNIX networking
Traditionally a set of r-commands
• rlogin, rsh, rcp, etc. and corresponding servers
• Host-address-based authentication
• Implicit trust in ports lower than 1024
• Send passwords in clear text if required
• Very insecure, should not be used anymore
The ubiquitous telnet, ftp
• Clear-text passwords in basic setup
More secure tools available
• SSH, Kerberized telnet, ftp
Integrated NFS, NIS(+) explained later
12. Windows networking
Essentially similar tools
• telnet, ftp with clear-text passwords
• SSH, and augmented versions of telnet, ftp are more secure
Integrated networking explained later
• Server Message Block (SMB) based integrated domain authentication, file share access
13. File systems
File system security governs
• Access control to files based on subjects
• Security of file sharing
• File encryption (if any)
Files include
• Data and program files
• Other file-based resources, e.g. system caches, named pipes
14. UNIX file systems
Basically one system with native UNIX format
Access control using permission bits
• read, write, execute permissions
• owner, group or others
• E.g. -rwxr-x---
• Coarse-grained
File sharing using Network File System (NFS)
• Machine access to shares is based on IP address
• User access to shares based on permission bits
• Add-on support for Kerberos auth. available
No support for file encryption
15. Windows file systems
FAT (for backward compatibility)
• FAT supports no access control
NTFS (NT File System)
• Access control based on user IDs and file permissions
• Basic permissions are Read, Write, Execute, Delete, Change Permissions, Take Ownership
• Standard permissions are basic ones combined
• Different permissions to a file can be granted to individual users/groups using ACL
• More fine-grained, flexible than UNIX
16. Windows file systems
File sharing using Common Internet File System (CIFS)
• Shares are managed in the directory (in common with domain management – more later)
• Machine access to shares is based on computer account in domain and inter-domain trust
• User access to shares is based on share passwords or standard ACLs
• NT systems use hashed-password SMB auth.
• Windows 2000/XP use Kerberos authentication
Encrypting File System (EFS)
• File encryption using random secret keys, which are in turn encrypted with EFS public keys
17. UNIX security: Architecture
Basic UNIX based on monolithic kernel
Fundamental OS security based on
• User id and password
• Group id
• Process id
• File permission bits
• Process memory protection
18. Windows security: Architecture
Windows (NT/2000/XP) has layered components on top of a kernel
Security Reference Monitor (SRM)
• Part of the kernel
• Handles core of access control checks
Protected security services include
• Winlogon process
• Local Security Authority (LSA) and policy database
• Security Account Manager (SAM) and database
• These services perform user authentication, and the non-core part of access control
19. Windows security: Architecture
Security identifiers (SID)
• Represent uniquely each user or group
Access control entry (ACE)
• Contains permissions to an object explicitly denied or granted to a subject (SID)
Access control list (ACL)
• List of ACEs for an object
Security descriptor of an object
• Contains its owner SID, primary group SID, its ACL, the applicable system ACL
Access token for a logged-on user
• Contains the user’s SID, primary group SID, etc.
20. UNIX security: Authentication
Username and clear-text password
• For single computer or NIS(+) domain
• System stores (modified DES) hashed passwords in
  - /etc/passwd readable by everyone, or
  - /etc/shadow readable only by root, or
  - NIS(+) database
• Passwords are hashed before matching
• Logged-on users are identified by numeric IDs
• Passwords are open to dictionary attacks
Integration of Kerberos and other methods
• Pluggable Auth. Module (PAM) for Solaris, Linux
• Security Integration Architecture (SIA) for HP/UX
21. Pluggable Authentication Module (PAM)
[Diagram: applications (Login, Telnet, Ftp) call the PAM API; the PAM Framework, driven by the PAM Configuration, dispatches through the PAM SPI to authentication modules (UNIX, Kerberos, Smart Cards)]
22. Windows security: Authentication
NT uses NTLM authentication
• NT (MD4) and LM (DES-based) hashed password
• Domain integration relies on sending hashed passwords through insecure SMB protocols
• Inter-domain trusts are one-way, non-transitive
Windows 2000/XP in domains use Kerberos
• NTLM supported for backward compatibility
• Domains are managed by Active Directory
• Integrated Kerberos auth. as domain controllers are KDCs
• Enables hierarchical organization and delegation
• Inter-domain trusts are two-way, transitive, thereby simplifying trust management
Logged-on users run processes with their access tokens, the basis for access control and impersonation
23. Graphical Identification And Authentication (GINA)
[Diagram: Winlogon loads the GINA library (the standard GINA, or a custom "My GINA" registered in the Registry); GINA authenticates through the LSA and starts the user's Shell]
24. UNIX security: Access control
Only discretionary access control (DAC)
• Based on file permissions and UID, GID, PID
• File has permission bits, UID (owner), GID
• File permission bits are r, w, x, and s (later)
• A process has real and effective UID and GID
• Kernel matches these IDs to control a process’s access to a file
• Super-user (root) has all access to everything
• Some variants such as Solaris 2.5 or newer have ACL systems for more fine-grained controls
Some experimental systems (e.g. SE Linux) have Mandatory Access Control (MAC)
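As an added example (not from the slides), the owner/group/others rule from the UNIX file systems slide and the UID/GID matching described under access control, written out as a small C function. The struct layout and the numeric IDs are assumptions standing in for the inode and the process credentials; the point it shows that the bullets alone do not is that the three permission classes are exclusive, so an owner can be locked out of a file that everyone else may read:

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the inode's owner/group/mode and the process's effective IDs
   (assumed layout for this example, not the kernel's real structures). */
typedef struct { unsigned uid; unsigned gid; unsigned mode; } unix_file_t;
typedef struct { unsigned euid; unsigned egid; } unix_proc_t;

/* Requested access, encoded like the permission bits: r=4, w=2, x=1. */
enum { ACC_R = 4, ACC_W = 2, ACC_X = 1 };

/* Parse the nine permission characters of an ls listing (the part after the
   file-type character), e.g. "rwxr-x---" -> 0750. */
unsigned mode_from_ls(const char *s) {
    unsigned mode = 0;
    for (int i = 0; i < 9 && s[i] != '\0'; i++)
        mode = (mode << 1) | (s[i] != '-' ? 1u : 0u);
    return mode;
}

/* Select the one permission class that applies: owner, else group, else others.
   The classes are exclusive; a process never falls through to a more
   permissive class, so an owner can be locked out of a file that others may read. */
static unsigned class_bits(const unix_file_t *f, const unix_proc_t *p) {
    if (p->euid == f->uid) return (f->mode >> 6) & 07u;
    if (p->egid == f->gid) return (f->mode >> 3) & 07u;
    return f->mode & 07u;
}

/* true if the process may perform every access in `want` on the file. */
bool unix_access_ok(const unix_file_t *f, const unix_proc_t *p, unsigned want) {
    if (p->euid == 0) {
        /* root bypasses the read/write bits; executing still needs at least
           one x bit somewhere in the mode (Linux and BSD behaviour) */
        if (want & ACC_X) return (f->mode & 0111u) != 0;
        return true;
    }
    return (class_bits(f, p) & want) == want;
}

int main(void) {
    unix_file_t f = { 1000, 100, mode_from_ls("rwxr-x---") };   /* the slide's example */
    unix_proc_t owner = { 1000, 100 }, member = { 1001, 100 }, other = { 1002, 200 };
    printf("mode %04o\n", f.mode);
    printf("owner  rwx -> %d\n", unix_access_ok(&f, &owner, ACC_R | ACC_W | ACC_X));
    printf("member  w  -> %d\n", unix_access_ok(&f, &member, ACC_W));
    printf("other   r  -> %d\n", unix_access_ok(&f, &other, ACC_R));
    return 0;
}
```

Real kernels also consult the process's supplementary group list and, on Solaris and Linux, any ACL attached to the file; this model stops at the effective GID, as the accounts slide describes.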
25. Windows security: Access control
Discretionary access control
• Based on subject SIDs and object ACLs
• Each object has an ACL
• A null ACL means no restrictions; an empty ACL means no access
• Each process has an access token with its owner SID, group SIDs
• Access control checks are matching of access tokens against ACLs
• Administrators group can access everything
• SRM performs core matching
Less discretionary access control
• Some system-wide policies applying to subjects, regardless of individual object’s ACL
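Added example (not the SRM's actual code): a toy of the access check described on the two Windows slides above, walking an object's DACL against a process token. SIDs are plain integers and the three rights are assumptions made for the example. The ordering behaviour is the point: a deny ACE only protects if it precedes the allow ACE that would grant the same right, which is why Windows keeps DACLs in canonical order (explicit denies before explicit allows):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* SIDs are structured identifiers on Windows; plain integers are enough to
   show the matching logic (assumption for this example). */
typedef unsigned win_sid_t;
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_EXEC = 4 };
enum { ACE_ALLOW, ACE_DENY };

typedef struct { int type; win_sid_t sid; unsigned mask; } win_ace_t;
typedef struct { const win_ace_t *aces; size_t count; bool is_null; } win_dacl_t;
typedef struct { win_sid_t user; const win_sid_t *groups; size_t ngroups; } win_token_t;

/* Does the token carry this SID, either as the user or as one of its groups? */
static bool token_has_sid(const win_token_t *t, win_sid_t sid) {
    if (t->user == sid) return true;
    for (size_t i = 0; i < t->ngroups; i++)
        if (t->groups[i] == sid) return true;
    return false;
}

/* Walk the DACL in order. A deny ACE covering any still-unsatisfied right
   ends the check with "denied"; allow ACEs accumulate rights until every
   requested right is granted. Running off the end with rights outstanding is
   a denial, so an empty DACL grants nothing, while a null (absent) DACL
   imposes no restrictions at all. */
bool win_access_check(const win_token_t *tok, const win_dacl_t *dacl, unsigned desired) {
    if (dacl->is_null) return true;
    unsigned remaining = desired;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const win_ace_t *ace = &dacl->aces[i];
        if (!token_has_sid(tok, ace->sid)) continue;
        if (ace->type == ACE_DENY && (ace->mask & remaining)) return false;
        if (ace->type == ACE_ALLOW) remaining &= ~ace->mask;
    }
    return remaining == 0;
}

/* Constructed sample: two users in the Users group, one DACL in canonical
   order and one with the deny placed after the allow. */
enum { SID_ALICE = 1001, SID_BOB = 1002, SID_USERS = 2000, SID_ADMINS = 544 };
static const win_sid_t users_only[] = { SID_USERS };
static const win_token_t ALICE = { SID_ALICE, users_only, 1 };
static const win_token_t BOB   = { SID_BOB,   users_only, 1 };
static const win_ace_t canonical_aces[] = {
    { ACE_DENY,  SID_BOB,    RIGHT_WRITE },
    { ACE_ALLOW, SID_USERS,  RIGHT_READ | RIGHT_WRITE },
    { ACE_ALLOW, SID_ADMINS, RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC },
};
static const win_dacl_t CANONICAL = { canonical_aces, 3, false };
static const win_ace_t badly_ordered_aces[] = {
    { ACE_ALLOW, SID_USERS, RIGHT_WRITE },
    { ACE_DENY,  SID_BOB,   RIGHT_WRITE },   /* too late: the allow above already granted it */
};
static const win_dacl_t BADLY_ORDERED = { badly_ordered_aces, 2, false };
static const win_dacl_t EMPTY_DACL = { NULL, 0, false };
static const win_dacl_t NULL_DACL  = { NULL, 0, true };

int main(void) {
    printf("alice read+write (canonical):  %d\n", win_access_check(&ALICE, &CANONICAL, RIGHT_READ | RIGHT_WRITE));
    printf("bob write (canonical):         %d\n", win_access_check(&BOB, &CANONICAL, RIGHT_WRITE));
    printf("bob write (badly ordered):     %d\n", win_access_check(&BOB, &BADLY_ORDERED, RIGHT_WRITE));
    printf("alice read (empty DACL):       %d\n", win_access_check(&ALICE, &EMPTY_DACL, RIGHT_READ));
    printf("alice read (null DACL):        %d\n", win_access_check(&ALICE, &NULL_DACL, RIGHT_READ));
    return 0;
}
```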
26. UNIX security: Logging and auditing
Flexible and comprehensive “syslog”
• Logging daemon can store locally or on remote server
• System processes store relevant information through logging APIs
• System administrators can configure what to log, and where to store logs
• However, auditing tools are not natively available in the basic OS
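Added example (constructed log lines, not from the presentation): the slide notes that syslog collects the records but the basic OS ships no auditing tool over them. This small C program is the kind of summary such a tool produces, counting failed logins per account and per source address from sshd-style "Failed password" lines; the line format and the sample entries are assumptions for the example:

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample syslog lines (not real data) in the classic
   "Failed password for <user> from <ip>" shape that login daemons emit. */
static const char *const SAMPLE_LOG[] = {
    "Mar  7 09:00:01 host1 sshd[4012]: Accepted password for bob from 198.51.100.7 port 50122 ssh2",
    "Mar  7 09:00:14 host1 sshd[4015]: Failed password for alice from 203.0.113.9 port 50131 ssh2",
    "Mar  7 09:00:15 host1 sshd[4015]: Failed password for alice from 203.0.113.9 port 50131 ssh2",
    "Mar  7 09:00:17 host1 sshd[4015]: Failed password for alice from 203.0.113.9 port 50131 ssh2",
    "Mar  7 09:01:02 host1 sshd[4020]: Failed password for invalid user admin from 203.0.113.9 port 50140 ssh2",
    "Mar  7 09:02:40 host1 sshd[4031]: Failed password for bob from 198.51.100.7 port 50160 ssh2",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

#define FIELD_MAX 64

/* Parse "Failed password for [invalid user] <user> from <ip>".
   Returns 1 and fills user/src on a match, 0 for any other line. */
int parse_failed_login(const char *line, char user[FIELD_MAX], char src[FIELD_MAX]) {
    const char *p = strstr(line, "Failed password for ");
    if (p == NULL) return 0;
    p += strlen("Failed password for ");
    if (strncmp(p, "invalid user ", 13) == 0) p += 13;   /* unknown accounts are still counted */
    return sscanf(p, "%63s from %63s", user, src) == 2;
}

/* Failures against one account, across all lines. */
size_t failed_logins_for(const char *const lines[], size_t n, const char *user) {
    size_t count = 0;
    char u[FIELD_MAX], s[FIELD_MAX];
    for (size_t i = 0; i < n; i++)
        if (parse_failed_login(lines[i], u, s) && strcmp(u, user) == 0) count++;
    return count;
}

/* Failures from one source address, whichever accounts it tried. */
size_t failed_logins_from(const char *const lines[], size_t n, const char *src) {
    size_t count = 0;
    char u[FIELD_MAX], s[FIELD_MAX];
    for (size_t i = 0; i < n; i++)
        if (parse_failed_login(lines[i], u, s) && strcmp(s, src) == 0) count++;
    return count;
}

int main(void) {
    printf("failed logins for alice:        %zu\n", failed_logins_for(SAMPLE_LOG, SAMPLE_LOG_LEN, "alice"));
    printf("failed logins for bob:          %zu\n", failed_logins_for(SAMPLE_LOG, SAMPLE_LOG_LEN, "bob"));
    printf("failed logins from 203.0.113.9: %zu\n", failed_logins_from(SAMPLE_LOG, SAMPLE_LOG_LEN, "203.0.113.9"));
    return 0;
}
```

Counting per source address as well as per account matters: a single address cycling through many account names never trips a per-user threshold, but shows up immediately in the per-source count.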
27. Windows security: Logging & auditing
The LSA and SRM create logs through the system event logger
The LSA logs mostly logon events based on its audit policy
The SRM logs access check events based on the system access control list (SACL)
• Each object has an SACL
Logs are stored locally
28. UNIX security: Impersonation
Static privileges are often too restrictive
Impersonation allows dynamic changes in a user’s or process’s security privileges
Programs run with their owner’s or group’s ID instead of that of the user who runs them if
• Set-UID (suid) bit set, or
• Set-GID (sgid) bit set
Flaws in these programs can be extremely dangerous
User can impersonate other users by
• Running “su” to have an impersonated shell
• Running “sudo” to impersonate for a command
29. Windows security: Impersonation
No equivalent of UNIX suid, sgid or “su”, “sudo” programs
But processes frequently impersonate others programmatically
• A thread takes on the access token of another subject
• This access token may be an exact copy or a variant of a primary access token
• Thread gets security privileges of the impersonated subject
Impersonation is application-controlled, as opposed to administrator-controlled in UNIX
30. OS security: buffer overflow
Example code:

#include <stdio.h>          /* printf, gets */

int auth_user() {
    char name[32];          /* fixed 32-byte buffer on the stack */
    printf("Enter username: ");
    gets(name);             /* no length limit: longer input overruns name */
    /* do authentication */
    return 0;
}

User enters more than 32 characters
Variable name gets the first 32 characters
The rest goes on the program stack
May overwrite the program pointer
Program then jumps to unexpected code
31. OS security: memory protection
Standard process memory protection
• Process memory is accessed through page table
• No process can normally access another’s memory
• Historically for safety, but critical for security
Buffer overflow
• Arguments and program pointer on the stack
• Writing beyond the buffer for an argument may overwrite the program pointer
• Careful selection of argument data may get program to execute malicious code
• Compilers and/or operating system can help prevent this from happening
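An added example (not part of the presentation) showing the bounded replacement for the gets()-based auth_user() on the buffer overflow slide, which is what the last bullet above comes down to in the program itself: the same 32-byte buffer, but the read can never write past it, and an over-long line is rejected rather than silently truncated. try_username() and the in-memory input via fmemopen() are test scaffolding added here, not part of the fix:

```c
#define _XOPEN_SOURCE 700    /* for fmemopen() */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32          /* same 32-byte buffer as the slide's auth_user() */

/* Read one line into name[NAME_CAP] without ever writing past it.
   Returns true if the whole line fitted; false (with name emptied) if the
   input was longer than the buffer. The excess is drained so the next read
   starts on a fresh line and nothing is silently truncated. */
bool read_username(FILE *in, char name[NAME_CAP]) {
    if (fgets(name, NAME_CAP, in) == NULL) {   /* writes at most NAME_CAP-1 chars + NUL */
        name[0] = '\0';
        return false;
    }
    char *nl = strchr(name, '\n');
    if (nl != NULL) {
        *nl = '\0';                 /* normal case: the newline arrived inside the buffer */
        return true;
    }
    /* No newline: either the line ended exactly at the buffer limit (or at EOF),
       or it is longer than the buffer. Count what is left to tell the two apart. */
    size_t extra = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') extra++;
    if (extra == 0) return true;
    name[0] = '\0';
    return false;
}

/* Same check over an in-memory line (constructed input for demos and tests).
   Returns the accepted name, or NULL if the line was rejected as too long. */
const char *try_username(const char *line) {
    static char name[NAME_CAP];
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return NULL;
    bool ok = read_username(in, name);
    fclose(in);
    return ok ? name : NULL;
}

/* The slide's function with the bounded read in place of gets(). */
int auth_user_safe(void) {
    char name[NAME_CAP];
    printf("Enter username: ");
    if (!read_username(stdin, name)) {
        fprintf(stderr, "username too long (max %d characters)\n", NAME_CAP - 1);
        return -1;
    }
    /* do authentication with `name` */
    return 0;
}

int main(void) {
    return auth_user_safe() == 0 ? 0 : 1;
}
```

The compiler and OS protections the slide mentions (stack canaries, non-executable stacks, address randomization) raise the cost of exploiting such a bug but do not remove it; the bounds check does. gets() itself was removed from the C standard in C11 for exactly this reason.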
32. UNIX security: APIs
Basic OS supports few security APIs
• Essentially user, password, and process management APIs
Modern variants support more
• E.g. PAM APIs
Add-on services are relatively common
• Kerberos APIs, GSSAPI, OpenSSL
33. Windows security: APIs
Windows supports
• Essential user, password, process management APIs
• Graphical Identification and Authentication (GINA) APIs, fairly similar to PAM, SIA
• Security Support Provider Interface (SSPI), similar to GSSAPI
• CryptoAPI supports encryption, smartcards
34. SAP And Windows Security
35. Protecting the Operating System Users Used in an SAP System

Windows users
  User: Administrator
  Function and rights: The local superuser who has unlimited access to all local resources.
  Security measures: Change the user name and hide its password. Create other users for administrative tasks and limit their rights to those tasks for which they are used.

  User: Guest
  Function and rights: A local guest account who has guest access to all local resources.

SAP system users
  User: <sapsid>adm
  Function and rights: The SAP system administrator who has unlimited access to all local resources related to SAP systems.
  Security measures:
  • Change its password regularly.
  • Restrict its access rights to instance-specific resources for the SAP system only.

  User: SAPService<SAPSID>
  Function and rights: A special user who runs the Windows services related to SAP systems.
  Security measures:
  • Cancel the user’s right to Log on locally.
  • Restrict its access rights to instance-specific and database-specific resources only.
36. A Windows Environment For SAP Security Should Encompass Security Of
1. Data Relevant to the SAP System
2. Database Files
3. Protection for Dynamically-Created Files
4. Protecting Shared Memory
5. Defining Start and Stop Permissions
6. Secure Using Windows Trusted Domains
37. A UNIX/Linux Environment For SAP Security Should Encompass Security Of
Protecting Specific Properties, Files and Services
• SUID/SGID programs
• Password file (passwd)
• BSD services rlogin and remsh/rsh
• Services such as Network Information System (NIS) or Network File System (NFS)
Protected SAP System Directory Structures Under UNIX/LINUX
Editor's Notes
Ideally:
• Both discretionary and mandatory access controls
• Least privilege principle
A file system (often also written as filesystem) is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. File systems may use a storage device such as a hard disk or CD-ROM and involve maintaining the physical location of the files, they might provide access to data on a file server by acting as clients for a network protocol (e.g., NFS, SMB, or 9P clients), or they may be virtual and exist only as an access method for virtual data (e.g. procfs).
Pluggable Authentication Modules
(Source Wikipedia)
Pluggable authentication modules or PAM are a mechanism to integrate multiple low-level authentication schemes into a high-level API, which allows for programs that rely on authentication to be written independently of the underlying authentication scheme. PAM were first developed in 1996 by Sun Microsystems, and are currently supported in AIX, HP-UX, Solaris, Linux, FreeBSD, Mac OS X and NetBSD. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the XSSO standard.
The pluggable nature of PAM is one reason for using dynamic linking of system binaries. However, there needs to be a recovery mechanism in case a problem appears with the linker or shared libraries; for example both NetBSD and FreeBSD supply a /rescue directory of statically linked versions of important system binaries.
As the XSSO standard differs from both the original Sun API, and also from most other implementations, PAM implementations do not all operate in the same manner. For this and other reasons, OpenBSD has chosen to adopt BSD Authentication, an alternative authentication framework which originated from BSD/OS.
GINA
(Source Wikipedia)
In computing, GINA refers to the graphical identification and authentication library, a component of some Microsoft Windows operating systems that provides secure authentication and interactive logon services.
GINA is a dynamically linked library that is loaded in the context of the Winlogon process when the machine is started. It is responsible for handling the secure attention sequence (SAS), typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on.
In Windows Vista, GINA has been entirely replaced by Credential Providers, which allow for significantly increased flexibility in supporting multiple credential collection methods. GINA libraries will not work with Windows Vista.
Secure Using Windows Trusted Domains
• Establish separate domains for your company data and your SAP system
• Use the Windows trusted domain concept, as certain SAP-specific features and Windows-specific services require trust relationships between domains for their purposes
Protecting Data Relevant to the SAP System
• Set up all your SAP system servers in one Windows domain
• Use the Windows trusted domain concept, as certain SAP-specific features and Windows-specific services require trust relationships between domains for their purposes