Messaging User and Role Security

1) Email Security

a) Email Vulnerabilities

E-mail is vulnerable to security attacks. Messages are sent over the Internet in clear text, making it easy for an attacker to read or modify messages before they reach the intended recipient. E-mail users and mail servers may also receive large amounts of unwelcome e-mail. Some common e-mail security weaknesses include:

  • Eavesdropping
  • Spoofing
  • Social Engineering
  • Man-in-the-middle attacks

Other common e-mail security weaknesses include:

Infected files: a common form of e-mail attack occurs through the use of infected files, which could be malicious software, viruses, Trojan horses and worms. This form of attack spreads quickly and reaches a large number of people as messages are forwarded, copied and replied to. Infected files can damage your computer data or cause a DoS attack on the mail server. This can be prevented by installing anti-virus software on Internet gateways, servers and computers.

SPAM: is the e-mail equivalent of junk mail. It occurs when a spammer floods e-mail inboxes with unwanted messages. It is often used for commercial purposes and is a cheap and easy way of sending messages to a large number of people as quickly as possible.

Spam can be sent to a user’s email account or to mailing lists. To reach mailing lists, a spammer can use automated tools to access mailing lists on web sites.

E-mail hoaxes and chain letters are types of social engineering which are designed to encourage you to forward the messages to as many people as possible. They don’t contain malicious content but often contain false information or refer to incidents that have already been resolved. The aim of a hoax message is to:

  • imply the sender’s authority on a matter in order to exploit the recipient’s trust
  • inspire the recipient to become involved in something
  • encourage people to share the message information with as many people as possible
  • appeal to the recipient’s greed or gullibility

Although hoaxes and chain letters might not be considered an attack on the organisation, they can decrease productivity due to the amount of time people spend reading them. They can also reduce network bandwidth if they have large attachments.

Phishing: refers to a form of e-mail scam where a message sender impersonates a famous person or company in an attempt to obtain personal information from the user. Phishing scams often use the official logos and company tag lines in order to make the message look authentic.

Open relays: It is necessary to ensure that mail servers are protected against SMTP open relays. This can be done by configuring the SMTP mail relay never to accept messages from IP addresses that are not local and forward them to remote locations. It is also necessary to configure the settings so that the server can still accept and forward mail from local addresses to local as well as remote networks and vice versa.
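The relay rule described above can be expressed as a small decision function. This is an added example, not taken from any mail server's code; the local networks, the local domain and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample policy (assumptions for this example).
LOCAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LOCAL_DOMAINS = {"example.org"}


def is_local_client(client_ip: str) -> bool:
    """True when the connecting client is inside one of our own networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: treat as not local
    return any(addr in net for net in LOCAL_NETWORKS)


def is_local_recipient(rcpt: str) -> bool:
    """True when the recipient mailbox belongs to a domain we host."""
    local_part, sep, domain = rcpt.rpartition("@")
    if not sep or not local_part:
        return False
    # Legacy source-routed forms (user%other@us, a@b@us, host!user@us) name a
    # second hop, so they are not treated as plain local delivery.
    if any(ch in local_part for ch in "%!@"):
        return False
    return domain.lower().rstrip(".") in LOCAL_DOMAINS


def relay_decision(client_ip: str, rcpt: str) -> str:
    """Accept local->anywhere and remote->local; reject remote->remote."""
    if is_local_client(client_ip):
        return "accept"   # our own users may send to local or remote addresses
    if is_local_recipient(rcpt):
        return "accept"   # inbound mail from the Internet for our domains
    return "reject"       # remote sender to remote recipient = open relay


if __name__ == "__main__":
    # Constructed sample sessions: (client IP, RCPT TO address).
    for ip, rcpt in [
        ("10.1.2.3", "bob@remote.example"),
        ("203.0.113.9", "alice@example.org"),
        ("203.0.113.9", "bob@remote.example"),
    ]:
        print(ip, rcpt, relay_decision(ip, rcpt))
```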

b) Encryption, PGP and S/MIME:

Pretty Good Privacy (PGP) and Secure/Multi-Purpose Internet Mail Extension (S/MIME) standards are two public key encryption techniques which can be used to ensure the integrity and privacy of information transmitted via email. Integrity and privacy are ensured by wrapping security measures around the email data itself.

Cryptography can be used to send secure email messages across insecure networks. Encryption enables email transmission over insecure links without risking message integrity. Emails can also be stored in encrypted form to protect the contents from being read by unauthorized users.

The main benefits of sending secure messages are:

  • Confidentiality: enables encrypted messages to be sent without the sender or receiver having to worry about the privacy of the messages being at risk.
  • Integrity: ensures that the message data was not modified during transmission.
  • Authentication: ensures that secure emails can be sent and received using confidential encryption keys known only to the sender and receiver.
  • Nonrepudiation: ensures that a specific user or computer cannot deny that they sent or received a particular piece of data.

When an encrypted email is sent, it is converted into unreadable code by running the message data and key through an algorithm. Before the recipient can read the message, the encryption process needs to be reversed. For this, the recipient must be provided with the appropriate key to decrypt the message.

There are two types of encryption that can be used for secure email transmission: conventional cryptography, which uses the same key for encryption and decryption, and public key cryptography, which uses a key that has been distributed publicly for encryption and a confidential key for decryption.

A hash function can also be applied to a message. The hash takes plain text data of any length and creates a unique fixed-length output. For example, 1KB and 1MB of input would both result in hash output of the same fixed length, known as the message digest.

The basic function of hashing is to ensure that if the input is altered, the message digest comes out differently. It is also not possible to derive the original message from the message digest, since the hash function works only in one direction.

The two most common hash functions are SHA-1 and MD5. SHA-1 creates 160-bit digests and is more secure than MD5, which creates 128-bit digests. MD5 is a less secure hash function, but is very popular because it can be used without licensing fees.
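The two properties described above (fixed digest length regardless of input size, and a different digest when the input is altered) can be checked directly. This is an added example using Python's standard hashlib; the 1KB and 1MB inputs are constructed test data and the function names are chosen for the illustration.

```python
import hashlib
import hmac

# SHA-1 and MD5 are used because the text names them. Both have published
# collision attacks; new designs use SHA-256 or later.
ALGORITHMS = ("sha1", "md5")


def message_digest(algorithm: str, message: bytes) -> bytes:
    """Return the raw message digest of `message`."""
    return hashlib.new(algorithm, message).digest()


def digest_bits(algorithm: str, message: bytes) -> int:
    """Digest length in bits; it does not depend on the input length."""
    return len(message_digest(algorithm, message)) * 8


def changed_bits(algorithm: str, original: bytes, altered: bytes) -> int:
    """Count how many digest bits differ between two inputs."""
    a = message_digest(algorithm, original)
    b = message_digest(algorithm, altered)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def is_unmodified(algorithm: str, message: bytes, expected: bytes) -> bool:
    """Recipient-side check: recompute the digest and compare it."""
    return hmac.compare_digest(message_digest(algorithm, message), expected)


def demo() -> dict:
    one_kb = b"A" * 1024              # constructed 1KB message
    one_mb = b"A" * (1024 * 1024)     # constructed 1MB message
    altered = b"B" + one_kb[1:]       # the 1KB message with one byte changed
    report = {}
    for alg in ALGORITHMS:
        sent_digest = message_digest(alg, one_kb)
        report[alg] = {
            "bits_1kb": digest_bits(alg, one_kb),
            "bits_1mb": digest_bits(alg, one_mb),
            "changed_bits": changed_bits(alg, one_kb, altered),
            "original_ok": is_unmodified(alg, one_kb, sent_digest),
            "altered_ok": is_unmodified(alg, altered, sent_digest),
        }
    return report


if __name__ == "__main__":
    for alg, row in demo().items():
        print(alg, row)
```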

PGP and S/MIME both use encryption and digital signatures to secure email. These encryption methods are implemented in different ways.

PGP uses a “web of trust” model to establish authenticity, where authentication responsibilities fall to the users themselves. PGP supports four main symmetric encryption methods:

  • CAST: is an algorithm for symmetric encryption. It is used to encrypt data quickly and can withstand cryptanalytic attack. CAST is found in 128-bit key lengths.

  • IDEA: can be licensed from Ascom Systec. It is a good encryption method and can generally withstand attacks. IDEA comes in 128-bit key lengths.

  • 3DES: is based on 56-bit DES. It runs the algorithm 3 times and is slower than IDEA and CAST. 3DES comes in 168-bit key length with an effective key strength of 112 bits.

  • Twofish: was not selected as the standard but was incorporated into PGP. Twofish comes in 128-bit, 192-bit and 256-bit key lengths.

PGP has its own digital certificate format, which is similar to X.509 certificates. These certificates offer more flexibility and extensibility than X.509 certificates. One of the main characteristics of the PGP certificate format is that a single certificate can contain multiple signatures, i.e. multiple individuals can sign the key/identification pair to declare that a specific key belongs to a specific owner.

A PGP certificate includes the following information:

  • PGP version number
  • Certificate holder’s public key
  • Certificate holder’s information
  • Digital signature of the certificate owner
  • Certificate’s validity period

PGP can be installed and configured by:

  1. Downloading the software from PGP home page
  2. Setting up the PGP and generating a PGP key
  3. Exporting the public keys
  4. Importing the public keys

S/MIME, or Secure Multi-Purpose Internet Mail Extensions, is a protocol used to add security to MIME formatted e-mail messages. It provides authentication using digital signatures and privacy through the use of encryption.

The six parts of the S/MIME v3 standards are:

  • Diffie-Hellman Key Agreement Method (RFC 2631)
  • S/MIME Version 3 Certificate Handling (RFC 2632)
  • S/MIME Version 3 Message Specification (RFC 2633)
  • Enhanced Security Services for S/MIME (RFC 2634)
  • Cryptographic Message Syntax (RFC 3369)
  • Cryptographic Message Syntax (CMS) Algorithms (RFC 3370)

S/MIME was originally designed to work within US government export controls that required supporting 40-bit Rivest Cipher 2 (RC2), which is a weak algorithm. Now the 3DES algorithm is supported and hence is the recommended algorithm to use.

S/MIME recommends three symmetric encryption algorithms: DES, 3DES and RC2. The 64-bit block cipher in RC2 has a variable-sized key. RC2 works faster than DES, but DES and 3DES provide stronger encryption.

Eavesdroppers can make use of digital signature to identify the server. To prevent this, S/MIME applies the digital signature first and then encloses the signature and original message in an encrypted digital envelope. This results in no signature information being exposed to the eavesdropper.

S/MIME uses the X.509 certificate standard and does not define its own certificate type like PGP does. An X.509 certificate can be obtained from a CA. Here, the requestor has to provide their public key, proof that they hold the corresponding private key, and their detailed information. The requestor then has to digitally sign the information and send the certificate request to the CA. The CA performs due diligence to verify that the information provided is correct, and finally generates the certificate and sends it to the requestor.

X.509 certificates contain the following information:

  • X.509 Version
  • Certificate holder’s public key
  • Serial number of the certificate
  • Certificate holder’s Distinguished Name (DN)
  • Certificate’s validity period
  • Unique name of the certificate issuer
  • Digital signature of the issuer
  • Signature algorithm identifier

S/MIME uses a hierarchical model where the trustworthiness of keys or certificates is based on the trustworthiness of the issuer. The line of trust can be followed up the chain of certificates to the root CA.

Both S/MIME and OpenPGP are protocols that are designed to add authentication and privacy to messages. These protocols are not interoperable but they use some of the same cryptography algorithms. A single email client can use both S/MIME and PGP but the client cannot use these protocols to decrypt messages that have been encrypted using the other protocol.

There are several differences between X.509 and PGP certificates:

  • A PGP certificate can be created by an individual whereas an X.509 certificate needs to be requested from and issued by a recognized CA.

  • PGP provides multiple fields to describe the key’s owner whereas X.509 certificates support only a single name of the key’s owner.

  • PGP can include multiple signatures that demonstrate the validity of the key, whereas an X.509 certificate supports only a single digital signature that verifies a key’s validity.

  • S/MIME is integrated in Microsoft and Netscape products, whereas PGP software needs to be downloaded and installed.

  • S/MIME management is left to a trusted CA, whereas PGP management is left to the user. The user needs to make decisions on the validity of identities but also has increased control over who can be trusted.

Information Rights Management (IRM) enables access permissions to be specified for email messages. To use IRM in Outlook 2007, Windows Rights Management Services (RMS) Client Service Pack 1 or higher has to be installed on a computer. It is usually installed on your computer by an RMS or Exchange administrator.

IRM is used to prevent restricted content from being forwarded, modified, printed or faxed. It is also possible to prevent the copying of restricted material using the Print Screen feature in Microsoft Windows. IRM also makes it possible to restrict where specific items may be sent.

IRM also provides the same level of restriction to email attachments that are created using Microsoft Office programs such as Word, Excel and PowerPoint.

Using IRM, it is also possible to set an expiration date for the restricted content so that it can no longer be viewed after a specific period of time.

Digital Signatures: Digitally signed messages prove the sender’s identity to the receiver and help to prevent message tampering. In order to send digitally signed messages, a digital ID needs to be obtained from a CA.

To send encrypted messages over the Internet, the sender has to exchange certificates (CER files) with the recipient. For this, the sender sends a digitally signed message. The recipient then adds the sender’s contact details along with the certificate. Alternatively, a sender can also send an email to the recipient with the CER file attached. The recipient will then import the CER file into the sender’s contact card. A third way is to create and send a sender’s contact card to the recipient.

2) Instant Messaging

a) Instant Messaging Risks and Countermeasures:

Instant messaging (IM) is a real-time communication method. It is also very dangerous because it is easy to impersonate another person’s identity, access confidential information, or even send a message to the wrong person. Sent messages are delivered in seconds, making it easy to carry out conversations in real time, with the added danger of revealing personal information to potential strangers. There are many IM products such as Skype, AOL Instant Messenger (AIM), Windows Live Messenger, Yahoo! Messenger, ICQ (I seek you) and Internet Relay Chat (IRC).

IM communications operate in either peer-to-peer or peer-to-network configurations. In the peer-to-peer model, clients communicate directly with one another. Typically this model is used for consumer instant messaging (CIM). In the peer-to-network model, an internal IM server is used to pass messages from client to client. Typically this model is used for enterprise instant messaging (EIM).

In P2P IM programs, the two clients communicate with each other as long as the port on which they are communicating is not blocked. But there is a possibility that the client will reveal sensitive information such as the IP address of the client running the IM application.

P2P instant messaging exposes an organisation to a security threat, because the IM client installed on the user’s workstation provides an interface for communicating with other IM clients using server resources.

When a user initially signs into the IM client, the socket addresses (IP and port number) are sent to the server, along with the names in the user’s contacts list. A temporary file containing this information is created on the server and the information is further passed on to the user’s contact list.

At this point, the server is no longer involved in the communication and all messages pass directly from the user’s computer to the other user’s computer. When the user logs off from the service, the server sends this information to all the users in the contact list. Then the temporary file is deleted from the server.

IM systems do not support encryption and security features used to protect sensitive data. Hence server security has to be created to ensure that confidential information cannot be accessed from a workstation.

Using CIM tools increases the security risk to the organisation. CIM tools often send data over public networks in unencrypted form, making it possible for sensitive and confidential data to be intercepted. Hence to secure the network, EIM systems are recommended.

Other security concerns include viruses, worms and other malware that can be transmitted via IM. Bots are also often manipulated using IM. Moreover, DoS attacks that use IM cause network congestion.

The security risks posed by CIM tools include:

  • Infected files: users could share infected files over IM.
  • Confidential files: if the file sharing is not configured properly, unauthorized users may gain access to sensitive or confidential data such as personal data, company information or passwords.
  • Lack of encryption
  • Copyright protection: if IM is used to send copyrighted images, documents, music files or software, they can expose the company to legal problems
  • Attacks on software: IM software must be kept up to date and security patches need to be applied if available

Short Message Service (SMS) is another real-time communication method that enables short IM messages to be sent to cell phones/mobiles. This service is available on most cell phone carriers and each message sent can be up to 256 bytes long. The SMS standard is part of the Global System for Mobile Communication between various cell phone providers’ clients.

While using SMS if a malformed message is transmitted, the cell phone could crash and become inoperable. SMS messages can also be intercepted and are vulnerable to DoS, spam, sniffing and spoofing attacks. For instance if a hundred text messages per second are sent over a single cell phone network, all cell phones on that network could be disrupted.

With the SMS feature, the call setup information and message share a common control channel, i.e. the messages are vulnerable to discovery and exploitation because SMS messages aren’t encrypted during transmission by default.

There is also a risk from spammers, who can use your cellular account to send text messages. Unless an individual has a restricted plan on text messages, spam could run up a high cell phone bill.

To create a policy that prevents users from installing an IM application such as Windows Live Messenger on a client computer, the Local Security Policy console can be used; it enables rules and policies to be created for the applications on the current local computer. Here, a new hash rule has to be created; a hash rule is a restriction that determines how an application or program will run on the computer.

Control Panel > Administrative Tools (or C:\Windows\System32\secpol.msc) > Local Security Policy > Software Restriction Policies > Additional Rules > Action > New Hash Rule > Browse > msnmsgr > Security Level: Disallowed > Apply

The corporate firewall can be used to block the ports used by IM systems. Previously, IM used a specific port for IM communications. Now programs run over random ports, including port 80 used for HTTP. Hence IM applications are more accessible to users. In those cases, an organisation that has its own DNS server can create DNS records that resolve IM domain names to the loopback address. This will prevent the client from being able to connect to the IM server.

By default, IM applications use various registered ports such as:

  • AOL Instant Messenger uses TCP port 5190 for file transfers and file sharing, whereas TCP port 4443 is used for image transfers.

  • Windows Messenger uses TCP port 1863 for HTML-encoded plaintext messages, voice and video feeds via UDP ports 13324 and 13325, application sharing via TCP port 1503 and file transfers using TCP port 6891.

  • Yahoo! Messenger uses TCP port 5050 for server communication and TCP port 80 for direct file transfers.

  • ICQ messages are unencrypted and sent via TCP port 3570, while voice and video traffic uses UDP port 6701.

  • Skype is port agile because it uses any available port while trying to make a connection.

If a default port is blocked, it is possible to configure IM applications to bypass that port and use another port.
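To check whether the firewall rules for the default ports listed above are actually in effect, firewall logs can be searched for flows to those ports. The following is an added example, not part of any product: the port table is copied from the list above, while the log format, the addresses and the function names are constructed for the illustration. Port 80 is left out because it cannot be told apart from ordinary web traffic by port number, and port-agile clients will not be found this way.

```python
import re
from collections import defaultdict

# (protocol, destination port) -> service, taken from the list in the text.
IM_PORTS = {
    ("TCP", 5190): "AOL Instant Messenger (file transfer/sharing)",
    ("TCP", 4443): "AOL Instant Messenger (image transfer)",
    ("TCP", 1863): "Windows Messenger (messages)",
    ("UDP", 13324): "Windows Messenger (voice/video)",
    ("UDP", 13325): "Windows Messenger (voice/video)",
    ("TCP", 1503): "Windows Messenger (application sharing)",
    ("TCP", 6891): "Windows Messenger (file transfer)",
    ("TCP", 5050): "Yahoo! Messenger (server)",
    ("TCP", 3570): "ICQ (messages)",
    ("UDP", 6701): "ICQ (voice/video)",
}

# Assumed log line format: "<time> <ALLOW|DENY> <TCP|UDP> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 ALLOW TCP 10.0.5.21:49812 -> 198.51.100.7:1863",
    "2024-05-01T09:00:04 DENY TCP 10.0.5.22:50011 -> 198.51.100.9:5190",
    "2024-05-01T09:00:09 ALLOW TCP 10.0.5.23:50100 -> 203.0.113.10:443",
    "2024-05-01T09:00:12 ALLOW UDP 10.0.5.21:50200 -> 198.51.100.7:13324",
    "2024-05-01T09:00:15 ALLOW UDP 10.0.5.24:50300 -> 203.0.113.53:5050",
    "corrupted line without the expected fields",
    "2024-05-01T09:00:20 ALLOW TCP 10.0.5.25:1863 -> 203.0.113.80:80",
]


def find_im_flows(lines):
    """Return one record per log line whose destination is a listed IM port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        # Match on protocol AND destination port; source ports are ephemeral.
        service = IM_PORTS.get((m["proto"], int(m["dport"])))
        if service:
            hits.append({
                "time": m["ts"], "action": m["action"],
                "src": m["src"], "dst": m["dst"], "service": service,
            })
    return hits


def allowed_by_host(hits):
    """Internal hosts whose IM traffic was allowed, i.e. gaps in the block rules."""
    hosts = defaultdict(set)
    for hit in hits:
        if hit["action"] == "ALLOW":
            hosts[hit["src"]].add(hit["service"])
    return {src: sorted(services) for src, services in hosts.items()}


if __name__ == "__main__":
    flows = find_im_flows(SAMPLE_LOG)
    for flow in flows:
        print(flow)
    print(allowed_by_host(flows))
```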

In order to secure IM communication inside the organisation and across the Internet, it is required to use IM products that can encrypt IM messages and secure the service. These tools can be used to connect to public IM applications such as Windows Live Messenger, AIM, Yahoo! Messenger and GoogleTalk. Here are some of the IM products:

  • IBM’s Lotus SameTime
  • Jabber Now
  • Openfire AIM Pro
  • Microsoft’s Live Communications Server

In order to support these products, several protocols have been developed to enable server-to-server and client-to-server interoperability. These protocols also enable all communication to be encrypted. Some of the protocols are:

  • Extensible Messaging and Presence Protocol (XMPP)
  • SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions)

Intrusion Detection Systems (IDS) can be used to monitor and prevent IM traffic. An IDS examines all inbound and outbound network activity and identifies any suspicious patterns that might indicate a network or system attack attempting to break into or compromise the system.

Since most IM services transmit messages in plain text format, IM sessions are open to the threat of packet sniffing. The risk increases further if the session is transmitted over an unencrypted wireless connection.

Packet sniffing can be prevented by enabling private channel communication, which enables encryption on some IM products such as Microsoft NetMeeting.

Although IM applications have features that increase functionality, these features also have risks attached to them.

  • File transfer of an infected file

  • VoIP: users could be overheard while having a conversation, or someone could intercept the conversation over the network

  • Video consumes more bandwidth, and a camera aimed at specific non-sharable things could prove catastrophic to an individual as well as an organisation.

  • Application sharing can cause a security/privacy breach while the remote access software is being accessed on the machine running the IM application.

b) Securing the IM Client:

Secure IM communication can be ensured by:

Securing all file sharing: Do not open files or click links if you’re not sure that the message is legitimate and from a legitimate source.

Log out correctly: Not logging off means that any unauthorized person can access the account and send messages. This also enables an intruder to access confidential data from the user’s computer.

Protecting message history: Since message history can be accessed by any attacker accessing the computer, the message log should be encrypted if possible.

Verifying company policies: check whether installing IM software on company equipment is permitted and whether any specific IM software is approved for use.

Users also need to ensure that they never provide personal information such as credit card numbers, social security numbers or other sensitive data over IM, because messages are often sent as clear text.

3) User and Role-based Security

a) Local Security Policies

Managing local security policies

In Windows Vista, there are over 2500 settings that can be configured and managed through Group Policy. Group Policy enables administrators to control the actions users can perform on their computers and to automatically configure software. In a workgroup, a Group Policy object needs to be created on each workstation. In a domain, only one Group Policy Object (GPO) is needed to configure all of the workstations on the network.

Following are the types of Group Policy settings which can be configured:

  • Administrative Templates: permit or prevent users from changing Windows Vista settings such as installing new applications or changing the display settings.

  • Security Settings: define policies such as a password policy, an account lockout policy and an auditing policy.

  • Software Settings: enable Windows to automatically install applications on users’ computers or make applications available for users to install.

  • Windows Settings: define policies that assign startup and shutdown scripts, assign logon and logoff scripts, configure Internet Explorer and automatically deploy printers.

In a domain environment, it is possible to configure a password policy only in the Default Domain Policy. A new feature in Windows Server 2008 supports creating GPOs with different password policy settings that can be assigned at different levels in the Active Directory hierarchy, such as organisational units.

In Windows Vista, multiple GPOs for each computer make it possible to tailor GPOs for a particular user or group of users. Here are the various types of local GPOs that can be configured in Windows Vista:

  • Local Computer Policy, which can affect all users of the computer.
  • Administrators, which applies only to users who are members of the Administrators group.
  • Non-Administrators, which applies to all users who are not members of the Administrators group.
  • Specific users, which applies only to the specific user.

Windows Vista applies local GPOs in the order of:

i) Local Computer GPO

ii) Local Administrators and Non-Administrators GPOs

iii) Local user-specific GPO

This means that if a specific wallpaper is selected in the Local Computer GPO and the same setting is also changed in a user-specific GPO, then the latter will override the setting in the Local Computer GPO.

The policy that Windows Vista applies last takes precedence over all other local GPOs. For instance, while configuring a Windows Vista computer for use in a local school’s library, you want to prevent students from changing any of the configurable settings on the computer. In such an instance you need to lock down the computer using the Local Computer GPO and then use either the Administrators local GPO or a user-specific local GPO to enable the librarians to make configuration changes on the computer.

Most policy settings allow you to select one of these values:

  • Not configured
  • Enabled
  • Disabled

By default, most policy settings are set to the “Not configured” value, i.e. if the policy setting is enabled or disabled in another local GPO, such as the Local Computer GPO, the GPO in which the policy is not defined has no effect on the other policies.

When a policy setting is enabled, it remains enabled as long as it is not defined in any of the subsequent GPOs that Windows processes.

Whereas, when a policy setting is disabled, Windows disables the policy setting for the user or computer even if a GPO that Windows processed first enabled the setting.

Suppose the user modifies the Local Computer GPO and enables the “Prohibit access to the Control Panel” policy setting, and then modifies the local Administrators GPO and disables the same setting. In such a case Windows Vista applies the Local Computer GPO first, which enables the setting for all users, and then applies the Administrators GPO, which disables this setting but only for administrators.

In contrast, if the local Administrators GPO is opened and the “Prohibit access to the Control Panel” policy setting is set to “Not configured”, the administrators would not be able to access the Control Panel.

Group Policy Object Editor is used to define the settings the user wants to use in a local GPO. Windows Vista doesn’t include an administrative console that has the Group Policy Object Editor snap-in loaded. Hence an empty Microsoft Management Console (MMC) has to be opened and the following snap-in loaded.

Start > Run > mmc > Console1 > Add/Remove Snap-in > Group Policy Object Editor > Group Policy Object: Local Computer > Finish

To create a GPO for the Administrators group, the previous process needs to be repeated and the Group Policy Object Editor added to the list of selected snap-ins in the Add or Remove Snap-ins dialog box.

Group Policy Object: Local Computer > Browse > Users > Administrators > OK

In this way the Local Computer\Administrators snap-in is added to the console.

On returning to the Management Console, there are two GPOs listed in the hierarchy pane: Local Computer Policy and Local Computer\Administrators Policy.

Both GPOs have a User Configuration node which allows configuring and managing settings that control user preferences such as the wallpaper settings in the Control Panel.

The Local Computer GPO also includes a Computer Configuration node which allows configuring and managing the computer regardless of which user logs on.

This new management console can then be saved for future access.

Designing domain GPOs

Active Directory uses container objects to logically organise user, group and computer objects within a domain. Objects can be grouped together so that they can be managed more easily by creating and assigning GPOs to the relevant containers.

Active Directory supports three types of container objects:

  • Site: this container object groups one or more domains based on the speed of the network connecting them. All domain controllers within a site replicate data with each other, which generates fairly high volumes of traffic. The site container object is used to specify which domains are connected via high-speed, typically LAN, connections.

  • Domain: this container object groups objects that share the same domain name. Domains are also used to group objects for management purposes. For instance, if each department in an organisation has its own network administrator, a separate domain may be used for each department. In this way the administration of each department’s domain can be delegated to the appropriate network administrator.

  • Organisational Unit (OU): this container object groups objects for ease of management. For instance, an OU may be created for each department in an organisation so that each department’s users and computers can be managed as a group rather than individually.

A GPO can be created and linked to a site, domain or OU. Linking a GPO to a site affects the greatest number of users and computers because the settings configured in a site GPO apply to all domains, OUs, users and computers within that site container.

The scope of a GPO gets narrower when it is linked to a domain. A domain GPO applies only to the OUs, users and computers within that domain. It is possible to have a subdomain, called a child domain, within a domain. Hence a domain GPO also applies to all the subdomains it contains.

The scope of a GPO is more restricted when it is linked to an OU, because here the GPO affects only the users and computers within that OU. Unless inheritance of the GPO is blocked, the OU GPO also applies to the OUs it contains.

In a domain environment, Windows applies GPOs in the following order:

  1. Local Computer GPOs
  2. Local Administrators and Non-Administrators GPOs
  3. Local user-specific GPOs
  4. Site GPOs
  5. Domain GPOs
  6. OU GPOs

Hence Windows first applies any local Group Policy objects even when logged on to a domain, followed by the site, domain and OU GPOs in that order. For example, if a site GPO is used to prevent users from changing their desktop’s appearance and an OU GPO is then created that enables user changes, users whose accounts are in the OU will be able to change their desktop’s appearance, whereas users in all other domains and OUs will not. This is because Windows applies the OU GPO last.
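The processing order above, together with the earlier “Prohibit access to the Control Panel” walk-through for local GPOs, can be modelled in a few lines: GPOs are applied in order, “Not configured” leaves the previous value alone, and the last configured value wins. This is an added example, not Microsoft code; the class names, the user, site and OU names, and the desktop setting name are hypothetical, and nested OUs, blocked inheritance and enforced links are not modelled.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    NOT_CONFIGURED = "Not configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"


# Processing order given in the text; a later level is applied later and wins.
LEVELS = ["local_computer", "local_group", "local_user", "site", "domain", "ou"]


@dataclass
class User:
    name: str
    is_admin: bool = False
    site: str = ""
    domain: str = ""
    ou: str = ""


@dataclass
class GPO:
    name: str
    level: str                     # one of LEVELS
    target: Optional[str] = None   # group, user or container the GPO is for
    settings: dict = field(default_factory=dict)


def applies(gpo: GPO, user: User) -> bool:
    """Does this GPO apply to this user at all?"""
    if gpo.level == "local_computer":
        return True
    if gpo.level == "local_group":
        group = "Administrators" if user.is_admin else "Non-Administrators"
        return gpo.target == group
    if gpo.level == "local_user":
        return gpo.target == user.name
    return gpo.target == getattr(user, gpo.level)   # site / domain / ou


def resolve(gpos, user: User, setting: str):
    """Return (effective state, name of the GPO that decided it)."""
    effective, source = State.NOT_CONFIGURED, None
    for gpo in sorted(gpos, key=lambda g: LEVELS.index(g.level)):
        if not applies(gpo, user):
            continue
        value = gpo.settings.get(setting, State.NOT_CONFIGURED)
        if value is not State.NOT_CONFIGURED:   # "Not configured" changes nothing
            effective, source = value, gpo.name
    return effective, source


CONTROL_PANEL = "Prohibit access to the Control Panel"
LOCK_DESKTOP = "Prevent changing desktop appearance"   # hypothetical setting name

# Local GPO scenario from the text: enabled for everyone, disabled for admins.
LOCAL_GPOS = [
    GPO("Local Computer", "local_computer", settings={CONTROL_PANEL: State.ENABLED}),
    GPO("Local Administrators", "local_group", "Administrators",
        {CONTROL_PANEL: State.DISABLED}),
]

# Domain scenario from the text: site GPO locks the desktop, one OU unlocks it.
DOMAIN_GPOS = [
    GPO("Site policy", "site", "HQ", {LOCK_DESKTOP: State.ENABLED}),
    GPO("Design OU policy", "ou", "Design", {LOCK_DESKTOP: State.DISABLED}),
]

if __name__ == "__main__":
    librarian = User("librarian", is_admin=True)
    student = User("student")
    print(resolve(LOCAL_GPOS, librarian, CONTROL_PANEL))
    print(resolve(LOCAL_GPOS, student, CONTROL_PANEL))
    print(resolve(DOMAIN_GPOS, User("carol", site="HQ", ou="Design"), LOCK_DESKTOP))
    print(resolve(DOMAIN_GPOS, User("dave", site="HQ", ou="Sales"), LOCK_DESKTOP))
```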

When designing Active Directory Group Policy, the various GPOs can be used in the following ways:

  • A site GPO is used to enable or disable the settings required to affect all users and computers within that site.

  • A domain GPO is used to enable or disable the settings required to affect only the users and computers within that domain.

  • An OU GPO is used to enable or disable the settings required to affect only the users and computers within that OU.

During design, it is also possible to disable processing of computer’s local GPOs in order to centrally manage Group Policy using only the options available within Active Directory GPOs. But in practice, most administrators implement Active Directory Group Policy through domain and OU GPOs and not site GPOs.

GPOs are managed in a domain environment using the Group Policy Management Console (GPMC). This utility enables a list of the GPOs assigned to the sites, domains and OUs within Active Directory to be viewed. Moreover, GPMC also enables a GPO to be edited using the Group Policy Object Editor. GPMC is available in Windows Vista and Windows Server 2003 R2 by default, but it needs to be downloaded and installed in Windows Server 2003.

By default, workstation computers automatically check for Group Policy changes whenever they are started, a user logs on or the Group Policy refresh interval expires. But it is possible to force a Group Policy refresh using the “gpupdate” command. Running “gpupdate /force” at an administrative command prompt forces the computer to request and apply the changed policies.

b) Group Policy Settings and Security Templates:

Implementing domain GPOs

Windows Vista contains a number of newly built-in applications that can be managed using the operating system’s Group Policy settings on the local computer. For instance, Group Policy can be used to create Group Policy Objects (GPOs) to prevent users from turning on Windows Sidebar. Alternatively, users can be allowed to turn on Windows Sidebar but be prevented from installing additional gadgets or from installing unsigned gadgets.

Access to applications can be controlled by configuring GPOs for Computer Configuration or User Configuration. Under Computer Configuration, the setting applies to all users who are able to access the network on the computers to which the GPO applies, whereas if User Configuration is used, the setting is applied to the specific users.

Group Policy can be used to configure the following Windows applications:

  • Windows Calendar
  • Windows Mail
  • Windows Messenger
  • Windows Movie Maker
  • Windows Sidebar
  • Windows SideShow

One of the new policy settings implemented for Windows Vista controls whether users can install devices on their computers. For instance, the “Prevent installation of removable devices” policy setting can be used to prevent users from installing removable devices such as USB flash drives. The key policy settings for preventing users from installing devices are:

  1. Prevent installation of removable devices
  2. Prevent installation of devices using drivers that match these device setup classes
  3. Display a custom message when installation is prevented by policy (balloon text)
  4. Prevent installation of devices not described by other policy settings
  5. Allow installation of devices that match any of these device IDs
  6. Allow administrator to override Device Installation Restriction policies

Security Templates

Both Windows Server 2003 and Windows Vista include support for security templates. Security templates are used to make a copy of the Group Policy security-related settings enabled on a particular computer or server. The security template can then be copied and used to automatically configure the same security settings on another computer using the “secedit.exe” command or the Security Configuration and Analysis snap-in.

Security templates can be used as a configuration baseline for all of the computers on a network. The baseline can then be extended with the additional security requirements of individual computers or groups of computers. Alternatively, the security template can be used in conjunction with the Security Configuration and Analysis snap-in to view the differences between a computer’s current security policy settings and the settings in the template.
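The comparison described above can be sketched as follows. This is an added example, not part of the original notes or of any Microsoft tool: it parses two constructed template texts in the INI-style layout of a security template .inf file (the second standing in for a computer’s settings exported with “secedit /export”) and reports every baseline setting the computer does not match.

```python
import configparser

# Constructed baseline template, laid out like a security template .inf file.
BASELINE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed export of one computer's current settings.
CURRENT_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
"""

def parse_template(text):
    """Return {(section, setting): value}, skipping the header sections."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str           # keep setting names case-sensitive
    parser.read_string(text)
    return {(s, k): v.strip() for s in parser.sections() if s not in ("Version", "Unicode")
            for k, v in parser[s].items()}

def diff_against_baseline(baseline_text, current_text):
    """List (section, setting, baseline_value, current_value) for each deviation."""
    baseline, current = parse_template(baseline_text), parse_template(current_text)
    findings = []
    for key, wanted in sorted(baseline.items()):
        actual = current.get(key)      # None: the setting is not defined on the computer
        if actual != wanted:
            findings.append((*key, wanted, actual))
    return findings

if __name__ == "__main__":
    for section, setting, wanted, actual in diff_against_baseline(BASELINE_INF, CURRENT_INF):
        print(f"[{section}] {setting}: baseline={wanted} current={actual or 'not defined'}")
```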

Earlier versions of Windows, such as Windows Server 2003 and Windows XP, came with their own security templates. For example, the security templates included with Windows Server 2003 include:

  • Securedc.inf: This template increases the security level of domain controllers by configuring policy settings such as those within Password and Account Lockout policy.

  • Securews.inf: This template increases the security of workstations and member servers.

Although Windows Vista doesn’t include any predefined security templates, some predefined templates are included with the Windows Vista Security Guide, which can be downloaded from the Microsoft Download Center web site.

The following predefined templates are included in the Windows Vista Security Guide:

  • The Vista Default Security template is used to restore a computer to the default security settings.

  • The VSG EC Desktop, VSG EC Laptop and VSG EC Domain templates are used to implement the enterprise configuration (EC) security recommendations included in the Windows Vista Security Guide.

  • The VSG SSLF Desktop, VSG SSLF Laptop and VSG SSLF Domain templates are used to conform to the Specialised Security Limited Functionality (SSLF) security recommendations included in the guide.

c) User, File System and Printer Security

Access to a shared resource may be controlled by configuring a workgroup, the members of which can then be granted access to the resources. Although this secures the resources, it also requires managing the security for each individual computer in the workgroup, which can be time consuming, and misconfigurations can easily occur.

Domain configuration is a more flexible way of securing network resources. Even though domains are not as easy to set up, using them to apply security is much easier because the security needs to be applied only once. All the members of the group or container can then be assigned security rights.

Within an Active Directory (AD) domain, organisational units (OUs) can be created which reflect the organisation’s functional or business structure. For instance, an OU can be created for the Sales Department, with user groups then created within each OU.

Users are grouped according to their most common needs to access resources and can be members of multiple groups, depending on their resource requirements.

Either distribution or security groups can be created. Distribution groups are used for email purposes, whereas security groups enable users to be grouped together for the purpose of assigning resource access permissions.

The Access Control List (ACL) for a shared resource is used to set permissions for individual users or groups. The effective permission is the result of all the combined permissions. Permissions flow down through the file structure, with the user inheriting the permissions from the parent folders. Implicit (inherited) denial causes privileges to be denied unless explicit permissions are granted.

In Windows Vista, user permissions can be set at the file or folder level under the following categories:

  1. Full Control Permission: enables a user to view folder or file contents, modify existing files or folders, create new files or folders and run programs. This applies to the current folder and all its child folders unless a permission is set that prohibits the inheritance of permissions.
  2. Modify Permission: enables users to make changes to existing files or folders but doesn’t allow new files or folders to be created.
  3. Read and Execute Permission: enables users to view the contents of files or folders or run programs located in the folders.
  4. Read Permission: enables users to view folder contents and to open folders and files.
  5. Write Permission: enables users to create new folders and files or modify existing folders and files.
  6. Special Permissions: enable users to perform document management tasks.

Note: It is considered best practice to grant a user the least privileges they require to perform their tasks.
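The way group membership, inheritance and explicit entries combine into an effective permission is easiest to see in code. The following is an added example, not part of the original notes: it uses a simplified model of Windows ACL evaluation with three rights, and the folder, user and group names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str       # user or group the entry names
    allow: bool          # True = Allow entry, False = Deny entry
    rights: frozenset    # simplified rights: "read", "write", "execute"
    inherited: bool      # True if the entry flowed down from a parent folder

# Constructed ACL for a hypothetical folder Sales\Reports.
ACL = [
    Ace("Sales-Staff", True, frozenset({"read", "execute"}), inherited=True),
    Ace("Contractors", False, frozenset({"write"}), inherited=True),
    Ace("alice", True, frozenset({"write"}), inherited=False),
    Ace("Interns", False, frozenset({"read"}), inherited=False),
]

def effective_rights(user, groups, acl):
    """Combine every entry naming the user or one of the user's groups.

    Precedence: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    A right that no applicable entry allows stays denied.
    """
    who = {user, *groups}
    # False sorts before True: explicit before inherited, then Deny before Allow.
    applicable = sorted((a for a in acl if a.principal in who),
                        key=lambda a: (a.inherited, a.allow))
    granted, decided = set(), set()
    for ace in applicable:
        undecided = ace.rights - decided     # the first entry to mention a right wins
        if ace.allow:
            granted |= undecided
        decided |= undecided
    return granted

if __name__ == "__main__":
    for user, groups in [("alice", ["Sales-Staff", "Contractors"]),
                         ("bob", ["Sales-Staff", "Contractors"]),
                         ("carol", ["Sales-Staff", "Interns"])]:
        print(user, sorted(effective_rights(user, groups, ACL)))
```

Here alice’s explicit Allow for write overrides the Deny inherited through Contractors, bob is left with read and execute only, and carol’s explicit Deny through Interns removes the read right she would otherwise inherit.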

There are three models to implement access control:

Mandatory Access Control (MAC) is a nondiscretionary control used in high-security situations. All users and resources are classified and a security level is assigned to each classification. If the user’s security level does not match or exceed the security level of the resource, access is denied.

Discretionary Access Control (DAC) enables a file owner to specify who can access the files and what can be done with the file. The resource owner creates an ACL that lists users with their access permissions.

Role-Based Access Control (RBAC) is based on a user’s role within the organization. Access is granted to user groups, the members of which have common roles. Users can be assigned more than one role. This nondiscretionary access control should not be confused with rule-based access control.

Printer permissions are set in a different way from folder and file permissions. Printer permissions are set on the Windows Server 2008 AD domain controller. Permissions can be set to Allow or Deny and are inherited from the organisational unit where the printer is located. Printer rights can be assigned to individual users or groups.

Printer permissions include:

  • Print
  • Manage printers
  • Manage documents
  • Special permissions (further includes: take ownership, change permissions, read permissions)
