Security Stack Worksheet for Authorization and Access Control

In document Mission Critical Security Planner pdf (Page 110-114)

Columns: IMPACT ANALYSIS ID | BEFORE PLAN | PERCENT IMPROVEMENT | NEW VALUE

Quality Management worksheet completed for this element? (check box)

Physical

Build an access control matrix for sensitive physical resources including rooms, buildings, safes, closets, and so forth.
______________________________________________________________________

Go back over your access control matrix and verify that you have addressed each of the businesspeople groups.
______________________________________________________________________

Define, within your access control matrix, specific authentication mechanism requirements, as in badges and biometrics.
______________________________________________________________________

Identify opportunities to assign fewer access rights where they are not needed.
______________________________________________________________________

Network

Define a network segmenting plan that supports your access control requirements.
______________________________________________________________________

List all points of entry into your network.
______________________________________________________________________

For each point of entry, define how access control is enforced at entry. Look for opportunities to further restrict access.
______________________________________________________________________

Worksheet 3.2 Security Stack Worksheet for Authorization and Access Control. (continued)

For each point of entry, define how user access is controlled as attempts are made to move through the network. One approach to controlling this access is through source IP address filtering, for example.
______________________________________________________________________

Application

Investigate approaches for reducing the number of logins required by your users by looking for common single sign-on access control opportunities.
______________________________________________________________________

Consider how you can use a directory service to manage access control more effectively across your applications.
______________________________________________________________________

Carefully write an access control matrix for all application resources including application processes, configuration files, databases, and general data files.
______________________________________________________________________

Identify opportunities to assign fewer access rights where they are not needed.
______________________________________________________________________

Operating System

Similar to your application access control matrix, write another matrix for operating system processes and resources.
______________________________________________________________________

Identify opportunities to assign fewer access rights where they are not needed.
______________________________________________________________________

Turn off, disable, and uninstall as many unneeded operating system functions as possible, keeping only what you need.
______________________________________________________________________

NETWORK

Partition the network with access control in mind and focus on the point of entry. Typically, access control to the network itself is partitioned according to who people are and, if we’re more sophisticated, how they entered the network (by looking at any source addresses in packets, as opposed to just filtering based on destination). Dial-up users may, for example, gain access only to restricted areas of the network. Or users in product development might not have a network route to the finance portion of the network. This type of access control is often enforced by network address filtering, whereby, using our example, address ranges assigned to finance people would be in a different range from those assigned to development folks, and network routers would filter out traffic to prevent product developers from accessing finance servers. If, for some reason, finance had an application to which product developers or others required access, it could be placed in a special predefined shared area of the network set aside for such interorganizational applications.
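The finance/product-development split described above, written out as a source-address filter. This is an added example and not code from the book: the address ranges, the segment names, the shared area and the rule list are all assumptions chosen for illustration. The policy is default-deny, so a segment with no rule (the dial-up range trying to reach finance, or an address outside the plan entirely) is dropped rather than silently routed.

```python
"""Source-address filtering between network partitions (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Assumed address plan: each business group gets its own range, plus a
# shared area set aside for interorganizational applications.
SEGMENTS = {
    "finance": IPv4Network("10.10.0.0/24"),
    "development": IPv4Network("10.20.0.0/24"),
    "dialup": IPv4Network("10.99.0.0/24"),
    "shared": IPv4Network("10.50.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str    # segment the packet's source address belongs to
    dst: str    # segment the destination address belongs to
    allow: bool


# Rules are checked in order and the first match wins. Anything unmatched
# is denied, so a new segment has no reachability until a rule is written.
RULES = [
    Rule("finance", "finance", True),
    Rule("development", "development", True),
    Rule("development", "shared", True),
    Rule("finance", "shared", True),
    Rule("dialup", "shared", True),        # dial-up users reach only the shared area
    Rule("development", "finance", False),  # explicit, so the intent is visible in review
]


def segment_of(addr: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside the plan."""
    ip = IPv4Address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def permits(src_addr: str, dst_addr: str) -> bool:
    """Decide a single packet. Unknown address space is denied by default."""
    src, dst = segment_of(src_addr), segment_of(dst_addr)
    if src is None or dst is None:
        return False
    for rule in RULES:
        if rule.src == src and rule.dst == dst:
            return rule.allow
    return False


def filter_packets(packets: List[Tuple[str, str]]):
    """Split (src, dst) pairs into the allowed and denied lists."""
    allowed, denied = [], []
    for src, dst in packets:
        (allowed if permits(src, dst) else denied).append((src, dst))
    return allowed, denied


# Constructed sample traffic, one packet per situation the text mentions.
SAMPLE_PACKETS = [
    ("10.20.0.15", "10.10.0.5"),   # development -> finance server: denied
    ("10.20.0.15", "10.50.0.8"),   # development -> shared app: allowed
    ("10.10.0.3", "10.10.0.5"),    # finance -> finance: allowed
    ("10.99.0.7", "10.10.0.5"),    # dial-up -> finance: no rule, denied
    ("192.168.1.9", "10.50.0.8"),  # source outside the address plan: denied
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt in ok:
        print("ALLOW", *pkt)
    for pkt in dropped:
        print("DENY ", *pkt)
```

The explicit `development -> finance` deny is redundant under default-deny; it is there because the worksheet asks you to record, per point of entry, how access is enforced, and a rule you can read is easier to audit than an absence of rules.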

APPLICATION

Design with a directory service to prevent authentication overload.

Imagine an organization where the average employee has access to seven corporate applications. Imagine the poor administrator who must configure specific authorization privileges to each user in the system for each of those applications. Now imagine your organization, because odds are that this may come close to describing the situation there. Count the applications most users access. Fortunately, with the proliferation of directory services and role-based authentication and access control, we are moving away from this high-volume access control configuration and into a more manageable common repository and management scheme. (Directory services are discussed repeatedly in the remaining chapters. Also see the glossary and “For Further Reading” at the end of this book.)
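The access control matrix the worksheet asks for, and the role-based scheme this paragraph describes, come together in the following added example (it is not code from the book). A small constructed "directory" holds each user's roles; roles map to application resources and rights; the matrix is expanded from those two tables rather than configured per user per application. Two worksheet checks are included: the coverage check ("have you addressed each group?") and the least-privilege check ("which granted rights are never used?"), the latter fed by a constructed record of observed use such as you would derive from access logs. Role names, resources and users are all assumptions.

```python
"""Role-based access control matrix from a central directory (added example)."""
from collections import defaultdict
from typing import Dict, List, Set

# Assumed role -> resource -> rights table. Roles stand in for the groups
# a directory service would hold centrally.
ROLE_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "finance-analyst": {"ledger-app": {"read", "write"}, "reporting-app": {"read"}},
    "developer": {"source-repo": {"read", "write"}, "build-server": {"execute"}},
    "helpdesk": {"ticket-app": {"read", "write"}, "reporting-app": {"read"}},
}

# Constructed directory entries: one record per user carrying that user's roles.
DIRECTORY = {
    "alice": {"roles": ["finance-analyst"]},
    "bob": {"roles": ["developer", "helpdesk"]},
    "carol": {"roles": []},          # hired but never assigned a role
}

# Constructed record of rights actually exercised (e.g. summarised from access logs).
OBSERVED_USE = {
    "alice": {"ledger-app": {"read"}, "reporting-app": {"read"}},
    "bob": {
        "source-repo": {"read", "write"},
        "build-server": {"execute"},
        "ticket-app": {"read", "write"},
        "reporting-app": {"read"},
    },
}


def build_matrix(directory, role_rights):
    """Expand user -> roles into the explicit subject/object/rights matrix."""
    matrix = defaultdict(lambda: defaultdict(set))
    for user, entry in directory.items():
        for role in entry["roles"]:
            for resource, rights in role_rights.get(role, {}).items():
                matrix[user][resource] |= rights
    return {user: dict(res) for user, res in matrix.items()}


def is_allowed(matrix, user: str, resource: str, right: str) -> bool:
    """Authorization decision: absent user or resource means no access."""
    return right in matrix.get(user, {}).get(resource, set())


def unassigned_users(matrix, directory) -> List[str]:
    """Worksheet coverage check: subjects the matrix does not address at all."""
    return sorted(user for user in directory if not matrix.get(user))


def excess_rights(matrix, observed_use):
    """Least-privilege audit: granted rights that observed use never exercised."""
    excess = {}
    for user, resources in matrix.items():
        for resource, rights in resources.items():
            used = observed_use.get(user, {}).get(resource, set())
            unused = rights - used
            if unused:
                excess.setdefault(user, {})[resource] = unused
    return excess


if __name__ == "__main__":
    m = build_matrix(DIRECTORY, ROLE_RIGHTS)
    for user, resources in m.items():
        for resource, rights in resources.items():
            print(f"{user:8} {resource:14} {sorted(rights)}")
    print("not covered:", unassigned_users(m, DIRECTORY))
    print("candidates for fewer rights:", excess_rights(m, OBSERVED_USE))
```

An unused right is a candidate for removal, not proof it is unneeded (quarterly tasks do not show up in a month of logs), so the audit output is a review list for the administrator rather than something to apply automatically.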

Don’t stop at individuals. You must be careful when granting access control permissions to application software processes. Remember that we talked about the danger of giving too many permissions to a Web server process, or any other software process for that matter. The primary reason for this is that, if a hacker manages to compromise just one process that has been granted too much access (such as in full, unbridled, supernatural rights on your server), the hacker then has full control of the server. If the process doesn’t require such broad access rights, restrict them at the operating system level.

OPERATING SYSTEM

Address operating system access control in your security plan. As just noted, operating system process-level (executable permission) access control is very important. If you perform an audit of how it’s currently being done in your organization, you may discover it’s the first time anyone has even asked the question on any comprehensive basis—not counting, of course, a hacker who is planning to make his or her way through your systems in the future. Relative to operating system access control in general, it is assigned to individuals, groups of individuals, roles (depending on your operating system), all executable files, data files, configuration files, and resources. The files used by the operating system itself are assigned permissions, not just application files; review how these permissions are assigned.

When it comes to rights, think “less is more.” Remember, give the fewest rights, the minimum required.

Do not use default access control configurations without first thoroughly reviewing them. Do not become a victim of vendor support cost-reduction tactics, for whom “on” is easier than “off.” Vendors routinely ship their products with too much access allowed—too much enabled—to save time and money in support costs, the thinking being that if capabilities are enabled right out of the box, they tend to work for all users whatever their needs. The problem is that they also work for the hacker. Therefore, when it comes to access control, keep in mind that your requirements may be different from those of the software provider.

SUPERNATURAL EVIL: CHMOD 777 AND YOUR WEB SERVER

For those of you familiar with the UNIX or Linux operating systems, you may be familiar with the chmod command, which allows you to assign permissions to a given file. Suppose you use chmod to assign rights to a file that is your Web server program—for example, the file my_Webserver_program.exe. When you assign rights to that file with chmod, the program will run as a process under UNIX/Linux and will assume the rights you have assigned to it. Suppose further that you issue the command chmod 777 my_Webserver_program.exe. The 777 in UNIX/Linux means, “Give me absolutely every form of control I could possibly want on this computer.” You can think of that simply as supernatural control. If a hacker performs a buffer exploit on your Web server process (see the Secure Software security element in Chapter 4 for more details on buffer exploits), then he or she gains the rights you assigned to your Web server. In this case, those would be supernatural rights. In such an event, you have a very serious security incident on your hands. Avoid it by assigning fewer rights to the Web server process. An experienced system administrator is capable of determining which rights are needed and which ones aren’t. Often, when troubleshooting or when being just plain lazy, we assign 777 supernatural rights to files in order to get things working quickly. This is a bad move from a security standpoint.
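The audit the sidebar on chmod 777 implies, as an added example that is not code from the book. The mode bits set by chmod decide who may read, write and execute a file: 777 sets them to rwxrwxrwx, so every local account can alter the Web server program or its configuration before the server next loads them. (The process itself runs with the rights of the account that starts it, which is why that service account should be unprivileged as well.) The code walks a directory tree, reports regular files that are writable by everyone, and tightens them to owner-only write with a least-privilege mode. The file layout is constructed in a temporary directory so the demonstration runs offline; the file names and the chosen target modes (0o750 for executables, 0o640 for everything else) are assumptions.

```python
"""Find and tighten world-writable files under a directory tree (added example)."""
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def world_writable(root: str) -> List[str]:
    """Relative paths of regular files whose mode grants write to 'other'."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def tighten(root: str, rel_paths: List[str]) -> Dict[str, int]:
    """Apply least-privilege modes: executables -> 0o750, data/config -> 0o640.

    Returns the resulting mode of each file so the change can be verified."""
    result = {}
    for rel in rel_paths:
        path = os.path.join(root, rel)
        mode = os.lstat(path).st_mode
        target = 0o750 if mode & stat.S_IXUSR else 0o640
        os.chmod(path, target)
        result[rel] = stat.S_IMODE(os.lstat(path).st_mode)
    return result


def demo():
    """Build a constructed Web server tree, audit it, tighten, and re-audit."""
    root = tempfile.mkdtemp(prefix="acl-demo-")
    try:
        os.makedirs(os.path.join(root, "conf"))
        # Constructed layout: the book's example program left at 777, a
        # world-writable config file, and a correctly restricted README.
        layout = {
            "my_Webserver_program.exe": 0o777,
            "conf/httpd.conf": 0o666,
            "README": 0o644,
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed content\n")
            os.chmod(path, mode)
        before = world_writable(root)
        fixed = tighten(root, before)
        after = world_writable(root)
        return before, fixed, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, fixed, after = demo()
    print("world-writable before:", before)
    print("modes after tightening:", {k: oct(v) for k, v in fixed.items()})
    print("world-writable after:", after)
```

Run against a real document root, the `world_writable` list is the review queue; `tighten` is deliberately separate so an administrator can confirm which files the server actually needs to execute before any mode is changed.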

Think open standards and interoperability for access control. Operating system vendors have increasingly come to realize that if they control authentication and access control and extend it to the applications (a logical and good thing), they have a long-term hold on you (typically a bad thing) because authentication and access control configuration and administration represent a heavy investment not easily replaced by something new. The answer is open standards and interoperability for access control. Directory service standards such as LDAP pave the way for this.

TIP These worksheets are also available in an electronic format from the Web
