Die Präsentation wird geladen. Bitte warten

Die Präsentation wird geladen. Bitte warten

Humboldt University Computer Science Department Systems Architecture Group IT-Sicherheit Grundlagen Übung 2 Übungsaufgabe,

Ähnliche Präsentationen

Präsentation zum Thema: "Humboldt University Computer Science Department Systems Architecture Group IT-Sicherheit Grundlagen Übung 2 Übungsaufgabe,"—  Präsentation transkript:

1 Humboldt University Computer Science Department Systems Architecture Group http://sar.informatik.hu-berlin.de IT-Sicherheit Grundlagen Übung 2 Übungsaufgabe, Permissions, ACLs

2 IT-Sicherheit Grundlagen Aktuell: http://heise.de/-1542748http://heise.de/-1542748 Österreichische Bürgerkarte erneut angreifbar Die österreichische Bürgerkarte, die ähnliche Signierfunktionen wie hierzulande der nPerso hat, ist erneut angreifbar: Ein Angreifer kann die Java-basierte Online- Version der Bürgerkartenumgebung (BKU) missbrauchen, um etwa Banktransaktionen zu autorisieren oder PDF- Dokumente mit der qualifizierten Signatur des Opfers (gleichbedeutend mit einer Unterschrift auf Papier) zu unterzeichnen. Dies hat der Sicherheitsexperte Wolfgang Ettlinger herausgefunden. … Dr. Wolf Müller 2

3 IT-Sicherheit Grundlagen Vorstellung: Übungsaufgabe Seitenkanalangriff Crackme https://www2.informatik.hu-berlin.de/sar/Itsec/uebung_ssl/crackme.pdf Dr. Wolf Müller 3

4 IT-Sicherheit Grundlagen Software IDAPro auf gruenau[1-4] idal Terminal idaq GUI Dr. Wolf Müller 4

5 IT-Sicherheit Grundlagen FAT File System MS-DOS FAT12,FAT16 frühe Windows-Versionen FAT16 Single user, single tasking FAT (File Allocation Table) file system. Einfache Dateiattribute: –Directory entry –Read Only –Archive –System –Hidden 8.3 Format für Dateien, Verzeichnisse –12 bit FAT = max 4096 clusters of 512 to 4k bytes (max 16Mb) –16 Bit FAT = max 65,525 clusters of 2k to 32k each (max 2Gb) SHARE.EXE erlaubt Mehrfachzugriff für Dateien Permissions, ACLs?

6 IT-Sicherheit Grundlagen VFAT Windows 95 lange Dateinahmen Single user / multitasking Dateiattribute wie gehabt. 2 Terabyte disk size with FAT32

7 IT-Sicherheit Grundlagen FAT32 Windows 95sr2/ Windows 98 Adressierung mit 32 Bit, 4 Bit reserviert: 2 28 = 268.435.456 Cluster adressierbar Dateien dürfen max. bis zu 4 GiB 1 Byte (= 4.294.967.295 Byte) groß sein

8 IT-Sicherheit Grundlagen OS/2 Single User, Multi-tasking Uses HPFS – High Performance File System, File attributes –As per MS-DOS plus –Creation time and date –Modification time and date –Access time and date 256 character file names 2 Terabyte maximum disk size

9 IT-Sicherheit Grundlagen NTFS Windows NT, 2000, XP, 2003 Various versions of NTFS latest being version 5.0 Multi-user, multi-tasking NTFS is a Journaled File System File attributes and Permissions –Attributes Read Only, System, Hidden and Archive. –Permissions Read Write Execute Delete Ownership Control

10 IT-Sicherheit Grundlagen NTFS (2) Features –File quotas –File compression –Encryption –Indexing service –Drive spanning The machines user need not be given access rights to all the resources. Problem?

11 IT-Sicherheit Grundlagen NTFS - Access Control Lists MFT Security Descriptor Attribute for a file or folder contains two tables of lists: –SACL – System Access Control List, which records auditing information –DACL – Discretionary Access Control List – which maintains list (of Access Control Entities) i.e. users SID and list of permissions for that file or folder Win NT uses static inheritance model –When a folder is created it inherits permission from the parent folder, but if changes are later made to the parent the subfolders do not change unless you select to Apply the changes to subfolders, which can act as a sledgehammer overwriting individually set subfolder permissions Win 2000 uses dynamic inheritance model –As parent folder change, permissions are inherited to the subfolders dynamically. –Win 2000 offers more flexible control over inheritance –ACLs can be resident in the MFT or stored as separate Metadata

12 IT-Sicherheit Grundlagen NTFS – Data Streams file:stream e.g. –echo Hello > test.txt:AWPP –echo GoodBye >> test.txt –more < test.txt –more { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.org/3/901262/slides/slide_12.jpg", "name": "IT-Sicherheit Grundlagen NTFS – Data Streams file:stream e.g.", "description": "–echo Hello > test.txt:AWPP –echo GoodBye >> test.txt –more < test.txt –more

13 IT-Sicherheit Grundlagen File systems role in User Level Security in NTFS NTFS has extended attributes to support secure multi-user access. Access Control List, ACL, maintains list of User, Groups (or Computers) with rights allowed or denied to a resource. Cannot access Local machines data, without valid user account with rights to do so.

14 IT-Sicherheit Grundlagen Local User Accounts Give users access to resources on a single machine, whether that user logs in locally or remotely These accounts reside in the Security Access Manager (SAM) located as a file on the machine. SAM maintains passwords and permissions for the user, and each user is given a Security Identified SID SIDs are used in Access Control Lists on files and folders Local Groups can be created to group similar user permissions. Built in accounts include Administrator and Guest Built in groups include Administrators, Power Users, User, Everyone Standard Permission make the bewildering array of choices easier to work with Only the Administrator or members of the Administrator Group can manage the full set of information for users and groups. The Guest account can represent a security weakness, or can be used to implement Share Level type security for systems not requiring high security

15 IT-Sicherheit Grundlagen Issues with User Level security in workgroups or standalone Each user and or group must be setup on each local and remote machine that user need to access, management is complex Passwords can get out of sync very easily, users may not be set up identically through the system. Verifying a users access rights across a large organisation is an impossibly daunting task System is generally very secure, which can be a problem if users forget passwords, especially to Administrator user account on Local machine. You forget - You regret. In many cases you need administrator rights to install software, or configure the machine ActiveDirectory, WindowsDomains

16 IT-Sicherheit Grundlagen Workgroups or stand alone with User Level sharing Each machine (server or workstation peer ton peer server) that a user wishes to remotely log on to must have that user set up in the database of users for that machine. –Each user is generally defined with a password. Users can be added as members to groups to –Any of the pre-defined standard groups, eg User, Everyone, Power Users, Administrators –or groups can created on the machine. –You must have an Administrator account or someone of that equivalence.

17 IT-Sicherheit Grundlagen Workgroups or stand alone with User Level sharing (cont) How to share a Folder –Set Permissions

18 IT-Sicherheit Grundlagen Workgroups or stand alone with User Level sharing How to share a Folder –Browse to folder –On Share Tab on Properties box check Share Folder –Permissions and security

19 IT-Sicherheit Grundlagen Workgroups or stand alone with User Level sharing (cont) How to share a Folder (cont) –Use Security for Control of inherited rights Fine control of advanced security

20 IT-Sicherheit Grundlagen Workgroups or stand alone with User Level sharing (cont) Log on as a Local User to a machine –Enter Username and Password This username must match a user already setup on this machine, and how has permission to log on as a local user Log on as Remote User to a shared resource –Use Network neighbourhood to Browse thru Workgroup, find a machine, and browse the shareable resources on machine –Select shared resource –If username and password on local machine match then you are granted access, otherwise you must enter the login name and password. The username password pair must be setup on remote machine

21 IT-Sicherheit Grundlagen Win XP – Simple File Sharing Simple File Sharing allows you to access shared files using the Guest Account (which by default has no password) and comes close to the sort of file sharing of Win95/98/ME There is little or no security using this and is best turned off –From with My Computer – Tools – Folder Options from View Tab click Advanced – Sharing and Security.

22 IT-Sicherheit Grundlagen Windows Domains Organises servers and computers into administrative and physical structures, and users log on to the Domain rather than the individual machines. Where networks are large enough to have several domains, Trust relationships can be used to verify the identity of a user logged on to one domain to another domain. Users still need to be created and managed in each domain, the Trust only authenticates the user A domain has one SAM (Security Account Manager) for the Domain, consolidating management The SAM is managed and stored on a machine known as the PDC (Primary Domain Controller), only one machine in a domain can act in this role, it is always advisable to have a Backup Domain Controller (BDC) which has a read only replica of the SAM

23 IT-Sicherheit Grundlagen CD and DVD File Systems ISO-9660 also called CDFS UFS Universal File System –Includes advanced features such as Long and Unicode filenames 64 bit file sizes File symbolic links ACL Access Control Lists Alternate Data Streams –UFS is constantly evolving

24 IT-Sicherheit Grundlagen Linux File Systems Ext2 (Extended File System ) –Is the usual native file system for Linux –Uses inodes and allocation bitmaps (like NTFS) Ext3 –Adds journalling to Ext2 Reiser –Uses balanced tree indexing, is very efficient with large directories of small files (64k block size) –Provides metadata journalling (like NTFS) JFS –A journaled file system based on an IBM file systems from OS/2 Warp XFS Each of the above support ACLs. ACLs which were introduced in the Linux Kernel 2.5.46

25 IT-Sicherheit Grundlagen Linux Permission Systems Traditionally Linux (and Unix) offer 3 sets of permissions for files and directories –Read, Write and Execute for the three groups Owner, Group and Others –This can be very restrictive, being only one owner, and one group per file or directory. Additional control of permissions is provided with ACLs (like the Windows ACLs) Support for ACLs was first brought about for support for Samba (Microsoft file sharing support) Managed through the getfacl and setfacl programs, whereas traditional permissions are managed thru chmod

26 IT-Sicherheit Grundlagen Linux S-Bit Sticky-Bit Aufgaben: 1.Zufriff teilen zwischen mehreren Nutzern 2.1.) automatisiert auch für neue Verzeichnisse 3.S-Bit für Shellskripte? 4.Nur Eigentümer einer Datei (oder der Eigentümer des Verzeichnisses) darf Datei löschen oder umbenennen Dr. Wolf Müller 26

Herunterladen ppt "Humboldt University Computer Science Department Systems Architecture Group IT-Sicherheit Grundlagen Übung 2 Übungsaufgabe,"

Ähnliche Präsentationen