Chapter 7 Access Control Model - PowerPoint PPT Presentation

Slides: 22
Provided by: onyxYo
1
Chapter 7 Access Control Model
  • 9 Nov 2001
  • SungKyu CHIE
  • CC Lab., Computer Science Dpt.
  • Graduate School of Yonsei University

2
CONTENTS
  • Access Control The Basics
  • Access Control Overview
  • Permissions
  • Security Identifiers
  • Access Tokens
  • Access Control Lists
  • Security Descriptors
  • Access Checking
  • Audit Generation

3
Introduction
  • W2K security controls the use of system and
    network resources through
  • user authentication
  • authorization
  • W2K uses the access control model for
  • determining whether an authenticated user has the
    correct authorization to access a resource
  • what the user can and cannot do
  • Shared resources are protected
  • by restricting access to unauthorized users
  • by limiting the extent of access to authorized
    users

4
Access Control The Basics
  • Access control
  • the model by which the operating system ensures
    authorized use of its objects by subjects, or
    security principals
  • Security principals
  • include users, groups and services
  • perform actions on files, folders, printers,
    registry keys, Active Directory entries, ...
  • the type of access allowed depends on the type of
    object
  • e.g. files: read, write, modify, and execute

5
Access Control The Basics (cont.)
  • To make object management easier for complex
    systems
  • object owners grant permissions to security
    groups rather than to individual users
  • permissions are defined for container objects
  • e.g. folders

6
Access Control Overview
  • To better understand how W2K implements access
    control, consider what it determines
  • who can access
  • which shared resources
  • with what permissions
  • Access token
  • when a user logs on, the system creates an access
    token for that user
  • contains the user's SID, the SIDs of the user's
    groups, and the user's privileges
  • when the user starts an application, each thread
    gets a copy of the access token

7
Access Control Overview (cont.)
  • Security descriptor
  • defines the security information for the object
  • includes a discretionary access control list
  • DACL
  • is made up of access control entries (ACEs)
  • for objects configured with permissions
  • SACL (system access control list)
  • for objects configured with auditing
  • security descriptor additionally contains
  • ACE contains
  • a set of bit flags in an access mask
  • the SID of the security principal

8
Access Token and Security Descriptor
  • User's access token: user security ID, group
    security IDs, privilege info, other access info
  • Object's security descriptor: owner security ID,
    group security ID, SACL (ACE, ACE, ...),
    DACL (ACE, ACE, ...)
  • Each ACE is interrogated until a match is found
9
Permissions
  • An object's owner grants permissions to users and
    groups of users
  • based on a desire to make the object available
  • By setting group permissions
  • rather than individual user permissions
  • access control requirements can be processed
    more simply
  • Active Directory directory service
  • in addition to permissions that reference an
    entire object
  • provides more exacting control over shared
    resources
  • e.g. an address book for buddies and business
    associates

10
Permissions (cont.)
  • 4 separate types of access rights
  • generic, standard, SACL and object-specific
  • Generic access rights
  • GENERIC_EXECUTE / GENERIC_READ
  • GENERIC_WRITE / GENERIC_ALL
  • Standard access rights
  • DELETE / READ_CONTROL (read the security
    descriptor, but not the SACL)
  • SYNCHRONIZE
  • WRITE_DAC / WRITE_OWNER
  • Permission Inheritance
  • a characteristic of the NT access control model
  • set permissions only once to control access

11
User Rights
  • W2K divides authorization for computer access
    into 2 categories
  • Logon rights
  • the OS controls how a security principal accesses
    the computer
  • Privileges
  • involve the authorization required to manage
    system resources
  • e.g. loading device drivers and changing the
    system time

12
Security Identifiers
  • Generated when
  • the principal's account or security group is
    created
  • the Local Security Authority (LSA) generates it
  • the SID is unique for that system
  • Access control structures that carry SIDs
  • Access token
  • The security descriptor
  • Each ACE in a security descriptor

13
Security Identifiers (cont.)
  • Constant SIDs on every system
  • Dialup (S-1-5-1)
  • Network (S-1-5-2)
  • Administrators (S-1-5-32-544)
  • Guests (S-1-5-32-546)
  • Power Users (S-1-5-32-547)
  • Print Operators (S-1-5-32-550)

14
Security Identifiers (cont.)
  • General format of a SID
  • S-R-X-Y1-Y2-...-Yn-1-Yn
  • This format breaks down as
  • S: the string is a SID
  • R: revision number of the SID structure, 1 in W2K
  • X: identifier authority,
  • NT authority = 5, World authority = 1
  • Y1...Yn-1: the subauthorities
  • Yn: the last item in the series of
    subauthorities
  • known as the relative identifier (RID)
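The S-R-X-Y1-...-Yn breakdown above, as an added example that is not part of the deck: a parser that validates the revision, names the identifier authority, splits off the RID and resolves the constant SIDs from slide 13. The 15-subauthority limit is the Win32 SID_MAX_SUB_AUTHORITIES value, not something the slides state.

```python
import re

# Well-known SIDs listed on slide 13 (constant on every system).
WELL_KNOWN_SIDS = {
    "S-1-5-1": "Dialup",
    "S-1-5-2": "Network",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-550": "Print Operators",
}
# Identifier authority values named on slide 14.
IDENTIFIER_AUTHORITIES = {1: "World Authority", 5: "NT Authority"}
# S-R-X-Y1-...-Yn: literal S, revision, identifier authority, 1+ subauthorities.
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(text):
    """Break an S-R-X-Y1-...-Yn string into its fields; None if malformed."""
    m = _SID_RE.match(text)
    if not m:
        return None
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1:                      # slide 14: W2K uses revision 1
        return None
    subauthorities = [int(p) for p in m.group(3).split("-")[1:]]
    if len(subauthorities) > 15:           # SID_MAX_SUB_AUTHORITIES in Win32
        return None
    return {
        "revision": revision,
        "authority": authority,
        "authority_name": IDENTIFIER_AUTHORITIES.get(authority, "unknown"),
        "subauthorities": subauthorities,
        "rid": subauthorities[-1],         # Yn, the relative identifier
        "well_known": WELL_KNOWN_SIDS.get(text),
    }

def issuer_sid(text):
    """Strip the RID: the rest names the system or domain that issued the SID,
    which is why a SID is unique to the system that generated it (slide 12)."""
    fields = parse_sid(text)
    if fields is None or len(fields["subauthorities"]) < 2:
        return None
    prefix = "-".join(str(y) for y in fields["subauthorities"][:-1])
    return "S-%d-%d-%s" % (fields["revision"], fields["authority"], prefix)
```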

15
Access Tokens
  • LSA uses the SIDs to create an access token for
    the user
  • The access token uses the following fields
  • User / Groups / Privileges / Owner
  • Primary Group
  • Default Discretionary Access Control List
  • Source / Type / Impersonation Level
  • Statistics / Restricting SIDs / Session ID
  • Impersonation
  • Anonymous / Identify / Impersonate / Delegate

16
Access Control Lists
  • W2K security subsystem allows for
    multidimensional, object-based access control
  • object's owner -> access to each object and to
    each of the object's properties -> each requesting
    user or group -> type of access requested ->
    whether allowed or denied
  • 2 types of ACLs
  • DACL: which security principals can access the
    object and how
  • SACL: which access requests by which security
    principals should be audited
  • Access Control Entries: access / system
  • Object-specific ACEs for Active Directory

17
Security Descriptors
  • Has a defined structure
  • header: revision no. and a set of control flags
  • owner: SID of the object's owner
  • primary group
  • DACL: controlled by the object's owner
  • SACL: used for auditing
  • Default Security Descriptors
  • is specified at creation time
  • default security information

18
Inheritance
  • For the purpose of inheritance W2K divides
    objects into two types
  • container object
  • non-container object
  • Inheritance rules, expressed as ACE flags
  • INHERITED_ACE
  • INHERIT_ONLY_ACE
  • CONTAINER_INHERIT_ACE
  • OBJECT_INHERIT_ACE
  • NO_PROPAGATE_INHERIT_ACE

19
Access control entry ordering
  • Fig.7-2 illustrates how ACEs are canonically
    ordered in a DACL or SACL

  • Explicit ACEs come first
  • explicit Deny ACEs
  • explicit Allow ACEs
  • Inherited ACEs follow, nearest tier first
  • first-tier inherited Deny ACEs
  • first-tier inherited Allow ACEs
  • second-tier inherited Deny ACEs
  • second-tier inherited Allow ACEs
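The ordering of Fig. 7-2 together with the "each ACE is interrogated until a match is found" rule of slide 8, as an added example that is not part of the deck: a constructed ACE model, the canonical sort, and the DACL walk that stops at the first matching deny or once every requested bit has been allowed. The Ace tuple, the tier field and the sample token and DACL are assumptions made for the example; the right values are the Win32 ACCESS_MASK constants for the standard rights on slide 10.

```python
from collections import namedtuple

# Standard access rights from slide 10 (their Win32 ACCESS_MASK bit values).
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000
WRITE_OWNER, SYNCHRONIZE = 0x00080000, 0x00100000

# Constructed ACE model: type, the SID it applies to, its access mask, and
# the tier it came from (0 = explicit, 1 = inherited from the parent,
# 2 = from the grandparent, ...).
Ace = namedtuple("Ace", "kind sid mask tier")

def canonical_order(acl):
    """Order ACEs as in Fig. 7-2: explicit before inherited, nearer tiers
    before farther ones, and deny before allow within each tier."""
    return sorted(acl, key=lambda a: (a.tier, 0 if a.kind == "deny" else 1))

def access_check(token_sids, desired, dacl):
    """Interrogate the DACL in canonical order until access is decided.

    Returns (granted, reason). [] models an empty DACL (nobody gets in);
    None models a missing DACL (everybody gets in). Owner rights,
    MAXIMUM_ALLOWED and generic-to-specific mapping are left out.
    """
    if dacl is None:
        return True, "no DACL: unrestricted"
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue                          # ACE is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False, "denied by ACE for " + ace.sid
        if ace.kind == "allow":
            remaining &= ~ace.mask            # those bits are now granted
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "end of DACL with rights still ungranted"

# Constructed sample: a user who is a member of Power Users (S-1-5-32-547).
SAMPLE_TOKEN = {"S-1-5-21-1000-2000-3000-1104", "S-1-5-32-547"}
SAMPLE_DACL = [
    Ace("allow", "S-1-5-32-547", READ_CONTROL, 1),               # inherited
    Ace("deny", "S-1-5-21-1000-2000-3000-1104", WRITE_DAC, 0),   # explicit
    Ace("allow", "S-1-5-32-547", WRITE_DAC | DELETE, 1),         # inherited
]

if __name__ == "__main__":
    print(access_check(SAMPLE_TOKEN, READ_CONTROL, SAMPLE_DACL))
    print(access_check(SAMPLE_TOKEN, READ_CONTROL | WRITE_DAC, SAMPLE_DACL))
```

The second call shows why ordering matters: the group's inherited allow for WRITE_DAC never gets a look, because the user's explicit deny is interrogated first.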
20
Access Checking
  • Access mask (fig.7-3)
  • 0-15 object-specific access rights
  • 16-22 standard access rights
  • 23 right to access SACL
  • 24-27 reserved
  • 28 generic all
  • 29 generic execute
  • 30 generic write
  • 31 generic read

21
Audit Generation
  • Auditing an object means
  • writing the successful or failed attempts to
    access the object to the security log
  • The auditing process requires
  • the requesting thread's access token and the
    desired access mask
  • and uses the SACL information
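The audit decision described on this slide, as an added example that is not part of the deck: given the requesting thread's token SIDs, the desired access mask, the access-check outcome and the object's SACL, produce the records the security log should receive. The AuditAce tuple and the sample token and SACL are constructed for the example; the success/failure switches stand in for the Win32 SUCCESSFUL_ACCESS_ACE_FLAG and FAILED_ACCESS_ACE_FLAG, and S-1-1-0 is the well-known Everyone (World) SID.

```python
from collections import namedtuple

# Rights used in the sample (Win32 ACCESS_MASK values, slide 10).
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000

# Constructed model of a system-audit ACE in a SACL: the SID it watches,
# the access bits it watches, and whether it fires on successful and/or
# failed attempts (SUCCESSFUL_ACCESS_ACE_FLAG / FAILED_ACCESS_ACE_FLAG).
AuditAce = namedtuple("AuditAce", "sid mask on_success on_failure")

def audit_events(token_sids, desired, granted, sacl):
    """Return the records the security log should get for one access attempt.

    Inputs are the ones slide 21 names: the requesting thread's token (its
    SIDs), the desired access mask, the outcome of the access check, and
    the object's SACL. Each SACL ACE that names a SID in the token, overlaps
    the requested rights, and is set to fire on this outcome yields a record.
    """
    records = []
    for ace in sacl:
        overlap = ace.mask & desired
        if ace.sid not in token_sids or not overlap:
            continue
        if (granted and ace.on_success) or (not granted and ace.on_failure):
            records.append({"outcome": "success" if granted else "failure",
                            "sid": ace.sid, "audited_rights": overlap})
    return records

# Constructed sample: every token holds Everyone (S-1-1-0); this one is also
# in Administrators (S-1-5-32-544).
SAMPLE_TOKEN = {"S-1-5-21-1000-2000-3000-500", "S-1-1-0", "S-1-5-32-544"}
SAMPLE_SACL = [
    AuditAce("S-1-1-0", WRITE_DAC | DELETE, on_success=False, on_failure=True),
    AuditAce("S-1-5-32-544", WRITE_DAC, on_success=True, on_failure=True),
]

if __name__ == "__main__":
    print(audit_events(SAMPLE_TOKEN, WRITE_DAC, True, SAMPLE_SACL))  # admin changed a DACL
    print(audit_events(SAMPLE_TOKEN, DELETE, False, SAMPLE_SACL))   # failed delete, Everyone rule
```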