CHAPTER 19
Privilege Management

In this chapter, you will
• Learn the differences between user, group, and role management
• Explore password policies
• Discover the advantage of single sign-ons
• Understand the pros and cons of centralized versus decentralized privilege management
• Learn about different auditing types (privilege, usage, and escalation)
• Explore methods of managing access (MAC, DAC, and RBAC)
• Discuss rights and privileges under Windows operating systems

Computer systems are in such wide use now that they touch almost every facet of our lives: they process credit card transactions, handle airline reservations, store a vast amount of personal information, and manage car engines to ensure optimal fuel efficiency. Most of the time, computers—particularly the more complicated systems, such as PCs, servers, and mainframes—require interaction from a human user. The user interacts with the applications and operating system to complete tasks and perform specific functions. On single-user systems such as PCs, the individual user typically has access to most of the system’s resources, processing capability, and stored data. On multiuser systems, such as servers and mainframes, an individual user may have very limited access to the system and the data stored on that system. An administrator responsible for managing and maintaining the multiuser system may have much greater access. So how does the computer system know which users should have access to what data? How does the operating system know what applications a user is allowed to use?

On early computer systems, anyone with physical access had fairly significant rights to the system and could typically access any file or execute any application. As computers became more popular and it became obvious that some way of separating and restricting users was needed, the concepts of users, groups, and privileges came into being. These concepts continue to be developed and refined and are now part of what we call privilege management.

CompTIA Security+ All-in-One Exam Guide, Third Edition

Though privilege management has become a crucial part of modern operating systems and computer operations, it’s really quite a simple concept. Privilege management is the process of restricting a user’s ability to interact with the computer system. A user’s interaction with a computer system covers a fairly broad area and includes viewing, modifying, and deleting data; running applications; stopping and starting processes; and controlling computer resources. Essentially, everything a user can do to or with a computer system falls into the realm of privilege management.

Privilege management occurs at many different points within an operating system or even within applications running on a particular operating system. While UNIX and Windows operating systems have a slightly different approach to privilege management, they share some similar approaches and concepts that are covered in this chapter.

User, Group, and Role Management

To manage the privileges of many different people effectively on the same system, a mechanism for separating people into distinct entities (users) is required, so you can control access on an individual level. At the same time, it’s convenient and efficient to be able to lump users together when granting many different people (groups) access to a resource at the same time. At other times, it’s useful to be able to grant or restrict access based on a person’s job or function within the organization (role). While you can manage privileges on the basis of
users alone, managing user, group, and role assignments together is far more convenient and efficient.

User

The term user generally applies to any person accessing a computer system. In privilege management, a user is a single individual, such as “John Forthright” or “Sally Jenkins.” This is generally the lowest level addressed by privilege management and the most common area for addressing access, rights, and capabilities. When accessing a computer system, each user is generally given a user ID—a unique alphanumeric identifier he or she will use to identify himself or herself when logging in or accessing the system. User IDs are often based on some combination of the user’s first, middle, and last name and often include numbers as well. When developing a scheme for selecting user IDs, you should keep in mind that user IDs must be unique to each user, but they must also be fairly easy for the user to remember and use.

With some notable exceptions, in general a user wanting to access a computer system must first have a user ID created for him on the system he wishes to use. This is usually done by a system administrator, security administrator, or other privileged user, and this is the first step in privilege management—a user should not be allowed to create his own account.

Once the account is created and a user ID is selected, the administrator can assign specific permissions to that user. Permissions control what the user is allowed to do on the system—which files he may access, which programs he may execute, and so on. While PCs typically have only one or two user accounts, larger systems such as servers and mainframes can have hundreds of accounts on the same system. Figure 19-1 shows the Users management tab from the Computer Management utility on a Windows 2003 system. Note that several user accounts have been created on this system, each identified by a unique user ID.

Figure 19-1 Computer Management utility showing list of user accounts

A few “special”
user accounts don’t typically match up one-to-one with a real person. These accounts are reserved for special functions and typically have much more access and control over the computer system than the average user account. Two such accounts are the administrator account under Windows and the root account under UNIX. The administrator and root accounts are known as superusers—if something can be done on the system, the superuser has the power to do it. These accounts are not typically assigned to a specific individual and are often shared, accessed only when the full capabilities of that account are required. Due to the power possessed by these accounts, and the few, if any, restrictions placed on them, they must be protected with strong passwords that are not easily guessed or obtained. These accounts are also the most common targets of attackers—if the attacker can gain root access or assume the privilege level associated with the root account, she can bypass most access controls and accomplish anything she wants on that system.

Groups

Under privilege management, a group is a collection of users with some common criteria, such as a need for access to a particular dataset or group of applications. A group can consist of one user or hundreds of users, and each user can belong to one or more groups. Figure 19-2 shows a common approach to grouping users—building groups based on job function.

By assigning a user membership in a specific group, you make it much easier to control that user’s access and privileges. For example, if every member of the engineering department needs access to product development documents, administrators can place all the users in the engineering department in a single group and allow that group to access the necessary documents. Once a group is assigned permissions to access a particular resource, adding a new user to that group will automatically allow that user to access that
resource. In effect, the user “inherits” the permissions of the group as soon as she is placed in that group.

As Figure 19-3 shows, a computer system can have many different groups, each with its own rights and privileges. As you can see from the description for the Administrators group in Figure 19-3, this group has complete and unrestricted access to the system. This includes access to all files, applications, and datasets. Anyone who belongs to the Administrators group or is placed in this group will have a great deal of access and control over the system.

Role

Another common method of managing access and privileges is by roles. A role is usually synonymous with a job or set of functions. For example, the role of “backup operator” may be applied to someone who is responsible for making sure that the system and any data residing on the system is regularly and successfully saved (usually to some sort of removable media, such as tapes). Backup operators need to accomplish specific functions and will need access to certain resources—for example, they may need to be able to read files on the system and save them to tape. In general, anyone serving in the role of backup operator will need the same rights and privileges as every other backup ...
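
The user, group, and role relationships described above can be modelled in a few lines. This is an added example, not code from the book: it resolves a user's effective permissions as the union of direct, group, and role grants, shows a new group member inheriting access immediately, and lists accounts with Administrators-level access for review. All user IDs, group names, and permission strings are constructed for illustration.

```python
# Constructed sample data; every name and permission string is hypothetical.
GROUP_PERMS = {
    "Engineering": {"read:product-dev-docs", "write:product-dev-docs"},
    "Administrators": {"*"},  # "*" models complete and unrestricted access
}
ROLE_PERMS = {
    "backup operator": {"read:all-files", "write:tape"},
}
USERS = {
    "jforthright": {"groups": ["Engineering"], "roles": [], "direct": set()},
    "sjenkins": {"groups": ["Engineering", "Administrators"], "roles": [],
                 "direct": set()},
    "bkup01": {"groups": [], "roles": ["backup operator"],
               "direct": {"read:own-home"}},
}


def effective_permissions(user_id, users=USERS):
    """Union of direct grants and everything inherited from groups and roles."""
    entry = users[user_id]
    perms = set(entry["direct"])
    for group in entry["groups"]:
        perms |= GROUP_PERMS.get(group, set())
    for role in entry["roles"]:
        perms |= ROLE_PERMS.get(role, set())
    return perms


def is_allowed(user_id, permission, users=USERS):
    """True if the user holds the permission or unrestricted access."""
    perms = effective_permissions(user_id, users)
    return "*" in perms or permission in perms


def superuser_equivalents(users=USERS):
    """Accounts whose memberships grant unrestricted access; audit these first."""
    return sorted(u for u in users if "*" in effective_permissions(u, users))


def add_to_group(user_id, group, users=USERS):
    """Membership change: the user inherits the group's permissions at once."""
    if group not in GROUP_PERMS:
        raise KeyError(f"unknown group: {group}")
    if group not in users[user_id]["groups"]:
        users[user_id]["groups"].append(group)


if __name__ == "__main__":
    print("before:", is_allowed("bkup01", "read:product-dev-docs"))
    add_to_group("bkup01", "Engineering")
    print("after: ", is_allowed("bkup01", "read:product-dev-docs"))
    print("unrestricted accounts:", superuser_equivalents())
```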