Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.
For the best experience please use the latest Chrome, Safari or Firefox browser.
CIS 527
Users & Permissions
User Accounts
- Allows multiple people to share resources
- Each user can have different permissions
- Aids in auditing (who did what)
- Protects system from unauthorized use
Authentication vs. Authorization
- Authentication - Confirming a user is who he or she claims to be (logging in)
- Authorization - Allow an authenticated user access to specific resources
- Authentication DOES NOT IMPLY Authorization
Authentication Methods
One or more of the following factors
- Ownership factors - something user has
- Knowledge factors - something user knows
- Inherence factors - something user is or does
Authorization Methods
- Security Policies
- Access Control Lists (ACL)
- File System Security Settings
User Identification
- Operating systems refer to users by a unique identifier
- Linux: user identifier (UID)
- Windows: security identifier (SID)
- This allows user to change usernames without affecting the account
User Account Information
- UID / SID
- Username
- Password
- Home directory
- Group(s)
Groups
- List of user accounts
- Aid in assigning access to users
- Each user may be a part of one or many groups
- Unique identifier
- Linux: group identifier (GID)
- Windows: security identifier (SID)
Windows 10 - Settings
Windows 10 - Control Panel
Windows 10 - Management
Windows 10 Default Accounts
- Administrator
- Access to everything
- Cannot be deleted
- Disabled by default
- Has no password by default
- Guest
- Limited access
- Disabled by default
Windows 10 Pseudo Accounts
- LocalSystem - system-level tasks & services
- LocalService - fewer rights than LocalSystem
- NetworkService - fewer rights than LocalService, but allows network access
Windows 10 Default Groups
- Administrators - complete access
- Event Log Readers - read event logs
- Guests - access system only
- Power Users - not used
- Remote Desktop Users - log on remotely
- Users - normal users
Many others, refer to documentation
User Account Control
- Protects the system from unwanted changes
- Allows administrators to run commands from a non-administrator account
Local Group Policy Editor
WIN+R - gpedit.msc
Ubuntu Account Types
- Super User (root)
- Complete control of the system
- Disabled by default on Ubuntu
- UID = 0; GID = 0
- Regular User
- User who can log on to the system
- System User
- Used by programs and services to interact with the system
Ubuntu Accounts
Regular Users:
- UID: starting at 1000 and up
- Each account has a private group created with matching GID and is made a member of that group
- Each account receives a skeleton directory in /home
Ubuntu Accounts - System Settings
Ubuntu Accounts - Users & Groups
Install "gnome-system-tools"
/etc/passwd
/etc/shadow
/etc/group
Commands
- groupadd - add a group
- groupdel - remove a group
- groupmod - modify group
- gpasswd - change group administrator or password
- useradd - add a system user
- userdel - remove a user
- usermod - modify a user
- adduser - add a regular user
- passwd - change password
sudo
- Short for "super user do"
- Allows regular users to run commands as root user
- User and rights listed in /etc/sudoers
- Add users to the "sudo" or "admin" group to give them access
- Use 'visudo' command to edit file
Best Practices
- Each person must have a unique account
- Enforce strong passwords & regular changes
- Assign minimal rights by default
- Log any logins/logouts/sudo usage
- Remove unneeded users ASAP
- Don't use admin account for daily use
File Permissions
- Determines which users can read/write files or folders
- Based on user and group memberships and file settings
- Helps prevent unwanted access to files
Windows Permissions
Windows Permissions
- Full Control - Can take ownership & change permissions
- Modify - Read/Write/Change/Delete
- Read & Execute
- List Folder Contents - Folders Only
- Read - Access files
- Write - Modify files
Ubuntu Permissions
Ubuntu Permissions
- 3 classes: User, Group, Others
- 3 rights:
- Read - Can read contents
- Write - Can create/modify/delete
- Execute - Can run programs/scripts
Modifying Ubuntu Permissions
- chmod - Change permissions
- chmod [class][op][mode] file/folder
- chmod [octal_mode] filename/folder
- chown - Change User/Group (sudo)
- chown [user]:[group] filename/folder
- chgrp - Change Group (must own file)
- chgrp [group] filename/folder
Ubuntu Permission Example
- Users: acct, hr, user, guest, root
- /files: All users except guest should have rwx, guest r only
- /files/acctg: acct should have rwx, hr should have r, all else no access
- /files/hr: hr and acct should have rwx, user should have rx, all else no access
Ubuntu Permission Example
- group1: acct, hr, user
- group2: acct, hr
- group3: hr
- /files: root:group1 rwxrwxr__
- /files/acctg: acct:group3 rwxr_____
- /files/hr: user:group2 r_xrwx___
Assignments
- Lab 1 - Building Secure Workstations: Due Monday Feb 1st by 11:30 AM