
ATHABASCA UNIVERSITY

USING ROLE-BASED ACCESS CONTROL WITH ACTIVE DIRECTORY TO SECURE NETWORKED COMPUTERS DURING COMPUTER BASED EXAMS

BY

MARINUS M. L. BOOGAART

An essay submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE in INFORMATION SYSTEMS

Athabasca, Alberta

July 2008

Marty Boogaart, 2008

DEDICATION

To Gwyn, who is the love of my life; and to my children, Kerry, Cole, and Chase, of whom I am so very proud.

ABSTRACT

Is it that we are witnessing a growing trend towards dishonesty, or is it a reflection of the rapidly expanding Internet and intranet technologies that are merely providing all students with new and irresistible opportunities to cheat? It is often difficult to detect cheating; so it is better to simply prevent it. This paper explores role-based access control (RBAC) and its applicability to Active Directory as a means of restricting student access to computer and network resources during computer-based examinations. RBAC is a model for managing the security of computer-system resources through the creation of user-roles. Roles provide users with the least privileges to accomplish the work assigned to them. Active Directory is a directory service that stores information about objects such as users, computers, and network resources; but it is more, in that it is integrated with Windows security, enabling administrators to manage access to all directory objects. Two questions asked in the introduction are: (i) "Can RBAC be easily applied to Active Directory?" and (ii) "Can Active Directory's inheritance of privileges be managed in such a way that limits to access may be easily and temporally applied?" The answer to both is no. The bottom line is that Active Directory's DAC security is inherently not role-based, nor does it purport to be role-based. Although Active Directory is not RBAC compliant, it does possess enough security features that Lethbridge College may be able to use scripting to simulate pseudo RBAC roles. This is an approach that is recommended for further exploration.

ACKNOWLEDGMENTS

I wish to acknowledge three people who helped make the writing of this essay a pleasure and one person for contributing great, free software to the cause of secure computer exams. Thank you Dr. Oscar Lin for your encouraging words, careful review, and patient support as you guided me through the process of writing this essay. Thank you to Dale Jarrell, who has enough to do, but still made time to review my work and also encourage me. Thanks to Terry Allred, for setting up an independent test network where I could play with Active Directory, and also for acting as a sounding board as he listened to my ideas about Active Directory. And special thanks go to Dalibor Malek, the author of the free, site-specific browser that he calls Mango. I wrote him and asked about adding an option to prevent an SSB from vectoring away from its target domain, and within two days he had added the necessary option, which makes locking down an exam-browser free and easy.

TABLE OF CONTENTS

CHAPTER I: INTRODUCTION

CHAPTER II: ROLE-BASED ACCESS CONTROL (RBAC) MODEL

    Basic Security Concepts and Terminology
        Information Security Risks
        Security Principles
        Access Control
        Access Control List (ACL)
        Permissions versus Privileges
        Authentication versus Authorization
        User versus Subject
        Other Terms
    Trusted Computer Systems Evaluation Criteria's DAC and MAC
        Discretionary Access Control (DAC)
        Mandatory Access Control (MAC)
        MAC Issues
    RBAC Introduction
    Core RBAC
    Hierarchical RBAC
    Separation of Duties (SoD): Static and Dynamic RBAC
    RBAC Summary

CHAPTER III: MICROSOFT ACTIVE DIRECTORY IMPLEMENTATION

    The X.500 Directory Standard
    Objects
    Containers
        Domain
        Organization Unit (OU)
        Group
        Site
    Trees and Forests
        Domain Trees
        Forests
    Security
        Objects and Permissions
        Group Policy and Rights
        Rights Trump Permissions
        Delegation of Administration
    Microsoft Authorization Manager (AzMan)
    Active Directory Comparison to RBAC
    A Simple Demonstration of an Active Directory Implementation for Exam Security

CHAPTER IV: ROLE ENGINEERING

    Role Engineering Approaches
        Bottom-up Approach
        Top-down Approach
        Hybrid Approach
    Scenario-driven Role Engineering
        Terminology
        Composition of Work Profiles
        The Scenario Model
        Steps in a Scenario-Driven Process

CHAPTER V: CONCLUSIONS AND RECOMMENDATIONS
