Access Control for Windows Operating System
M.S. in Information Security
Capella University
TS5520 – Operating System Theory and Practice
Instructor – Kris Jamsa
By Amar Yousif, CISSP
amaryousif@yahoo.com
June 2005
Abstract
Why do we lock the office building at night? Who has the key to the front door and why?
Who has the key to your office and why? Who has the master key and why? Is the
building monitored via security CCTV systems and why?
The answers to the above questions can be summed up in two words: Access Control, physical
Access Control in this case. In the digital age, our valuable data no longer resides only in
file cabinets behind locked doors; computers and digital storage facilities nowadays contain
our most valuable data as well. Thus, Access Control in the digital context is as important
as physical Access Control.
Access Control is an integral part of system security and it directly affects the three
tenets of Information Security: Confidentiality, Integrity, and Availability. In this paper,
we will attempt to explore the Access Control implementation in the Windows Operating
System.
Amar Yousif Page 2 6/20/2005
Table of Contents
Abstract 2
Table of Contents 3
The Concept of Access Control 4
    What is Access Control? 4
    Why is Access Control needed? 6
    Access Control Models 7
        Mandatory Access Control (MAC) 7
        Discretionary Access Control (DAC) 7
        Role-Based Access Control (RBAC) 8
Windows Access Control Model 9
    Active Directory 9
    Identification and Authentication 9
    Authorization and Accounting 10
    How it works 11
Conclusion 13
References 14
The Concept of Access Control
What is Access Control?
Microsoft’s TechNet uses a travel analogy to explain some of the concepts of Access
Control. I will use the same analogy to relate the three tenets of Access Control:
Authentication, Authorization, and Accounting.
Authentication:
When traveling, you show your passport to airport security personnel for identification
purposes. Security personnel will then inspect your passport to verify authenticity. This is
the process of Identification and Authentication, often referred to as Authentication only.
In the digital security context, Authentication is accomplished via the use of passwords
(something you know), smart cards (something you have), biometrics (something you
are), or a combination of any two (two-factor authentication).
Authorization:
Let us go back to the travel analogy; once security personnel authenticate your passport,
they will deny, allow, or limit entrance to the country based on your passport type,
nationality, and visa status. This is the process of Authorization. One way to accomplish
this process in the digital security context is via user privileges and object access control
lists.
Accounting:
Upon determining your level of Authorization, security personnel may log your passport
data, take your fingerprints, or both for tracking purposes. This is the process of
Accounting. Most modern operating systems implement comprehensive auditing
capabilities to allow for the accounting of user activities.
Krutz and Vines (2003) define Access Control as “The process of limiting access to the
resources of a system only to authorized programs, processes, or other systems (on a
network).” (p. 882).
Although Accounting is not a part of the above definition, I believe it to be an inseparable
part of Access Control for modern systems. Thus, my modified definition of Access
Control is: the process of limiting access to the resources of a system only to
authenticated and authorized principals, and the mechanisms with which the principal’s
actions are tracked and logged.
Why is Access Control needed?
Simply put, Access Control is needed to preserve the three tenets of information
security: Confidentiality, Integrity, and Availability. Krutz and Vines (2001) indicate that
proper Access Control assures the following:
1. The information is not disclosed to unauthorized persons or processes thus
preserving Confidentiality.
2. Integrity is preserved through:
a. The prevention of the modification of information by unauthorized
personnel.
b. The prevention of unauthorized or unintentional modification of
information by authorized personnel.
c. Preservation of internal and external consistency.
3. The system’s authorized users have timely and uninterrupted access to the
information in the system thus preserving Availability. (p. 43-44).
Access Control Models
Chiefly, Access Control Models can be categorized as Mandatory, Discretionary, or
Role-based Access Controls depending on the methodology with which permissions and
privileges are granted and controlled.
Mandatory Access Control (MAC)
In MAC, the Authorization of a subject to access an object depends on the subject’s
clearance and the object’s classification. Krutz and Vines (2003) cite a military MAC
system as an example. In such a system, documents are classified as unclassified,
confidential, secret, and top secret. In order for a user to access a secret-level
document, the user’s clearance must be equal to or higher than the document’s
classification level, secret in this case (p. 45).
Discretionary Access Control (DAC)
As the name implies, the Authorization of a subject to access an object is determined at
the discretion of the object’s owner. DAC is often used to limit access to files using Access
Control Lists (ACLs). The file owner determines who can access the file.
Role-Based Access Control (RBAC)
In 2004 Reynaldo J. de la Fuente published a review of David Ferraiolo, D. Richard
Kuhn and Ramaswamy Chandramouli’s book titled Role-Based Access Control, in which
he explained: “In 1992, US National Institute of Standards and Technology (NIST)
initiated a study of commercial and government organizations, and found that access
control needs were not being met by products on the market at the time. Discretionary
access control (DAC) was too flexible and allowed wrong behaviors in badly managed
organizations. Mandatory access control (MAC) was suitable only for organizations
connected with extremely high security or US Department of Defense requirements.
A process was needed to support subject-based security policies, such as access based
on competency, conflict-of-interest rules, or access based on a strict concept of least
privilege. Supporting such policies without disregarding the organizational structure
requires the ability to restrict access based on a user function or role within the
enterprise.
A solution to meet these needs was proposed in 1992 by Ferraiolo and Kuhn, integrating
features of existing application-specific approaches in a generalized role-based access
control (RBAC) model”.
As de la Fuente explained, it is that proposed solution that gave birth to RBAC as we know
it today. In RBAC, roles, as opposed to users, are granted access and permissions over
objects by the system administrator, and then the appropriate users are assigned to
these roles.
Windows Access Control Model
Active Directory
Microsoft first introduced Active Directory in the Windows 2000 operating system as a
central repository of system objects. Willis and Watts (2000) explain that each object
within Active Directory has a set of attributes associated with it; these attributes are used
to describe the object and make it unique (p. 25). Objects within Active Directory include
users, groups, computers, servers, domains, sites, OUs, etc.
Users within Active Directory can be organized in groups to allow for better management
of privileges and permissions.
Identification and Authentication
Microsoft’s TechNet (2003) explains that modern Windows Server operating systems
provide a method for applications and users to authenticate by using the Security
Support Provider Interface (SSPI). SSPI is the Windows implementation of the IETF’s Generic
Security Services Application Programming Interface (GSSAPI) and it is the foundation
of Authentication in Windows 2003.
Windows supports two methods for selecting authentication protocols: Single Protocol,
where the client must use the protocol predetermined by Windows, and Negotiate
Protocol, where the client can choose to use Kerberos, NTLM, Secure Channel, or
Digest as its authentication protocol.
Authorization and Accounting
Once the user is authenticated, the system must determine the user’s proper Authorization level
over system objects and track the user’s actions. TechNet (2003) indicates that Authorization
and Accounting in Windows are based on the following principles:
User-based Authorization: Every application that a user starts runs in the security
context of that user.
Discretionary Access Control (DAC): The user who owns a securable object can control
who has permission to use it and in what way.
Inheritance of Permissions: Objects inherit the security attributes of their parent folder.
Administrative Privileges: Special users within the system can be granted security
administrative privileges (e.g. give permissions to other users, assign users to security
groups, run backup jobs, set system wide security policies, etc.)
Auditing of System Events: The system is capable of capturing users and administrator
actions in an audit trail.
How it works
Cooke (2004) states that Access Control is geared to answer a question as simple as
(can Bob open the file?); (Bob) being the subject, (open) being the action, and (file)
being the object. For the system to make a decision in this case, the system must:
1. Authenticate Bob and issue an Access Token (remember Identification and
Authentication). A unique Access Token is issued to every authenticated user; it
holds the security attributes of the user and is passed to all processes and
threads acting on the user’s behalf (remember User-Based Authorization).
2. The process or thread acting on the user’s behalf will call the system API
associated with the (open) action. In Windows, all user actions are accomplished
by calling an Application Programming Interface. The object (file) is passed as a
parameter to the API.
3. At this point all needed parameters are identified for the system to make a
decision. The subject (Bob) is identified through the Access Token associated with
the process calling the API, the action (open) is identified by the
respective API being called, and the object is identified as the parameter passed to the
API by the requesting process.
4. The part of the system that makes the decision is called the Reference Monitor
(RM).
5. The RM will inspect the object’s Security Descriptor (which is associated with the
object and holds the Access Control List that defines who is authorized to access
the object and in what way) and look for the subject’s authorization. See figure 1.
6. Based on the information stored in the Security Descriptor, the RM may allow or
deny access to the object.
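The decision in steps 4 to 6, as an added Python model (not the paper’s or Microsoft’s code): an Access Token carries the user’s SID and group SIDs, and a simplified Reference Monitor walks the Security Descriptor’s ACL in order, with deny entries refusing still-ungranted rights and allow entries accumulating them. The SIDs, ACL entries and rights bits are constructed for illustration, and owner-implied rights are left out.

```python
from dataclasses import dataclass, field

# Constructed rights bits standing in for Windows access-mask bits.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass
class AccessToken:
    """Security attributes of an authenticated user: own SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset


@dataclass
class ACE:
    """One Access Control Entry: allow or deny a rights mask to one SID."""
    sid: str
    mask: int
    allow: bool = True


@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: list = field(default_factory=list)  # ordered ACEs, deny entries first


def access_check(token, sd, desired):
    """Simplified Reference Monitor decision over an ordered DACL.

    A deny ACE matching any SID in the token fails the check if it covers any
    right not yet granted; allow ACEs accumulate rights until every desired
    bit is granted. An empty DACL grants nothing; a missing DACL grants all.
    """
    if sd.dacl is None:
        return True
    principals = {token.user_sid} | token.group_sids
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in principals:
            continue
        if not ace.allow and ace.mask & desired & ~granted:
            return False
        if ace.allow:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def demo():
    """Constructed scenario: Bob's Finance group acts as his role."""
    bob = AccessToken("S-BOB", frozenset({"S-FINANCE", "S-EVERYONE"}))
    temp = AccessToken("S-EVE", frozenset({"S-TEMPS", "S-EVERYONE"}))
    report = SecurityDescriptor("S-ALICE", [
        ACE("S-TEMPS", WRITE, allow=False),
        ACE("S-FINANCE", READ | WRITE),
        ACE("S-EVERYONE", READ),
    ])
    return (access_check(bob, report, READ | WRITE),
            access_check(temp, report, READ),
            access_check(temp, report, READ | WRITE))
```

Because the walk stops at the first ACE that settles the answer, a deny ACE listed after a matching allow ACE has no effect, which is why Windows tools place deny entries first.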
Figure 1
Conclusion
Access Control in Windows is designed as a Discretionary Access Control model that is
fitted to act as a Role-Based Access Control model thanks to its group and administrative
privilege capabilities. Groups can be regarded as roles, permissions and privileges can
be assigned to these groups/roles, and finally users can be joined to the said
groups/roles.
References
Cooke, P. (2004). How Access Control Works. Retrieved June 18, 2005, from
http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1025647,00.html
De la Fuente, R. (2004). Role-based Access Control (RBAC): By David Ferraiolo, D. Richard
Kuhn and Ramaswamy Chandramouli. Retrieved June 18, 2005, from
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=15068&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Krutz, R.L., & Vines, R.D. (2003). The CISSP Prep Guide: Gold Edition. Indianapolis, Indiana:
Wiley Publishing, Inc.
Microsoft TechNet. (2003). Logon and Authentication Technologies. Retrieved June 18, 2005, from
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/78cb5d3c-d0b2-4d20-a693-fa66bde1a63b.mspx
Microsoft TechNet. (2003). Authorization and Access Control Technologies. Retrieved June 18, 2005, from
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/addc004e-a1ad-4fba-8caa-1c9c3eb0fa86.mspx
Willis, W., Watts, D.V., & Bruzzese, J.P. (2000). Windows 2000: Directory Services. Scottsdale,
AZ: The Coriolis Group.