File and Directory Permissions
Another type of internal security that you need to maintain for information on your
network involves the users’ access to files and directories. These settings are actually a bit
tougher to manage than user accounts, because you usually have at least 20 directories
and several hundred files for every user on the network. The sheer volume of directories
and files makes managing these settings a more difficult job. The solution is to establish
regular procedures, follow them, and then periodically spot-audit parts of the directory
tree, particularly areas that contain sensitive files. Also, structure the overall network
directories so that you can, for the most part, simply assign permissions at the top levels.
These permissions will “flow down” to subdirectories automatically, which makes it
much easier to review who has access to which directories.
Network operating systems allow considerable flexibility in setting permissions on
files and directories. Using the built-in permissions, you can enable users for different
roles in any given directory. These roles control what the user can and cannot do within
that directory. Examples of generic directory roles include the following:
• Create only: This type of role enables users to add a new file to a directory,
but restricts them from seeing, editing, or deleting existing files, including
any they’ve created. This type of role is suitable for allowing users to add new
information to a directory to which they shouldn’t otherwise have access. The
directory becomes almost like a mailbox on a street corner: You can only put
new things in it. Of course, at least one other user will have full access to the
directory to retrieve and work with the files.
• Read only: This role enables users to see the files in a directory and even to pull
up the files for viewing on their computer. However, the users cannot edit or
change the stored files in any way. This type of role is suitable for allowing users
to view information that they should not change. (Users with read privileges can
copy a file from a read-only directory to another directory and then do whatever
they like with the copy they made. They simply cannot change the copy stored in
the read-only directory itself.)
• Change: This role lets users do whatever they like with the files in a directory,
except give other users access to the directory.
• Full control: Usually reserved for the “owner” of a directory, this role enables
the owners to do whatever they like with the files in a directory and to grant
other users access to the directory.
These roles are created in different ways on different network operating systems.
Chapter 17 provides more details on how Windows server operating systems handle
directory permissions.
Just as you can set permissions for directories, you can also set security for specific
files. File permissions work similarly to directory permissions. For specific files, you
can control a user’s ability to read, change, or delete a file. File permissions usually
override directory permissions. For example, if users had change access to a directory,
but you set their permission to access a particular file in that directory to read-only, they would have only read-only access to that file.
TIP For a network of any size, I recommend avoiding the use of file-specific network permissions, except in very rare cases. It can quickly become an unmanageable mess to remember to which files each user has special permissions and to which files a new hire needs to be given specific permission.
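
The following added example (not from the original text) models the generic roles above to show how a permission set at the top flows down, how a file-level entry overrides it, and how a spot-audit can list every such exception. The role names, rights, users, and sample tree are constructed for illustration and do not correspond to any particular network operating system.

```python
from dataclasses import dataclass, field
from typing import Optional

# Rights granted by each generic role described above (names are this example's own).
ROLE_RIGHTS = {
    "create_only": {"create"},
    "read_only": {"list", "read"},
    "change": {"list", "read", "create", "write", "delete"},
    "full_control": {"list", "read", "create", "write", "delete", "grant"},
}

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    is_file: bool = False
    acl: dict = field(default_factory=dict)  # user -> role set explicitly on this node

    def path(self):
        return self.name if self.parent is None else self.parent.path() + "/" + self.name

def effective_role(node, user):
    """The nearest explicit entry wins; otherwise the role flows down from above."""
    while node is not None:
        if user in node.acl:
            return node.acl[user]
        node = node.parent
    return None  # no entry anywhere on the path: no access

def can(node, user, right):
    role = effective_role(node, user)
    return role is not None and right in ROLE_RIGHTS[role]

def audit(nodes):
    """List explicit entries below the top level that differ from the inherited role."""
    findings = []
    for n in nodes:
        for user, role in sorted(n.acl.items()):
            inherited = effective_role(n.parent, user)
            if n.parent is not None and role != inherited:
                findings.append((n.path(), "file" if n.is_file else "directory", user, inherited, role))
    return findings

# Constructed sample tree: permissions assigned at the top, plus two exceptions.
root = Node("shared", acl={"alice": "full_control", "bob": "change"})
accounting = Node("accounting", root)
ledger = Node("ledger.xls", accounting, is_file=True, acl={"bob": "read_only"})
dropbox = Node("dropbox", root, acl={"carol": "create_only"})
TREE = [root, accounting, ledger, dropbox]
```

Calling `audit(TREE)` returns one finding for the file-level override on `ledger.xls` and one for the create-only grant on `dropbox`, which is the short list a reviewer would check by hand.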
Practices and User Education
The most insecure part of any network is the people using it. You need to establish good security practices and habits to help protect the network.
It’s not enough to design and implement a great security scheme if you do not manage it well on a daily basis. To establish good practices, you need to document security-related procedures, and then set up some sort of process to make sure that the employees follow the procedures regularly. In fact, you’re far better off having a simple security design that is followed to the letter than having an excellent but complicated security design that is poorly followed. For this reason, keep the overall network security design as simple as possible, while remaining consistent with the needs of the company. You also need to make sure—to the maximum extent possible—that the users are following prudent procedures. You can easily enforce some procedures through settings on the network operating system, but you must handle others through
education. The following are some tips to make this easier:
• Spell out for users what is expected of them in terms of security. Provide
a document that describes the security of the network and what they need
to do to preserve it. Examples of guidelines for the users include choosing secure passwords, not giving their passwords to anyone else, not leaving their computers unattended for long periods of time while they are logged in to the network, not installing software from outside the company, and so forth.
• When new employees join the company and are oriented on using the network, make sure that you discuss security issues with them.
• Depending on the culture of the company, consider having users sign a form acknowledging their understanding of important security procedures that the company expects them to follow.
• Periodically audit users’ security actions. If the users have full-control access to directories, examine how they’ve assigned permissions to other users.
• Make sure that you review the security logs of the network operating system you use. Investigate and follow up on any problems reported.
TIP It’s a good idea to document any security-related issues you investigate. While most are benign, occasionally you might find one in which the user had inappropriate intent. In such cases, your documentation of what you find and what actions you take might become important.
While it’s important to plan for the worst when designing and administering
network security, you also need to realize that most of the time, security issues arise
from ignorance or other innocent causes, rather than from malicious intent.
Understanding External Threats
External security is the process of securing the network from external threats. Before
the Internet, this process wasn’t difficult. Most networks had only external modems
for users to dial in to the network, and it was easy to keep those access points secure.
However, now that nearly all networks are connected to the Internet, external security
becomes much more important and also much more difficult.
At the beginning of this chapter, I said that no network is ever totally secure. This
is especially true when dealing with external security for a network connected to the
Internet. Almost daily, crackers discover new techniques that they can use to breach the
security of a network through an Internet connection. Even if you were to find a book
that discussed all the threats to a specific type of network, the book would be out of
date soon after it was printed.
Three basic types of external security threats exist:
• Front-door threats: These threats arise when a person from outside the
company somehow finds, guesses, or cracks a user password and then logs on to
the network. The perpetrator could be someone who had an association with the
company at some point or could be someone totally unrelated to the company.
• Back-door threats: These are threats where software or hardware bugs in
the network’s operating system and hardware enable outsiders to crack the
network’s security. After accomplishing this, the outsiders often find a way to log
in to the administrative account and then can do anything they like. Back-door
threats can also be deliberately programmed into software you run.
• Denial of service (DoS): DoS attacks deny service to the network. Examples
include committing specific actions that are known to crash different types of
servers or flooding the company’s Internet connection with useless traffic (such
as a flood of ping requests).
NOTE Another type of external threat exists: computer viruses, Trojan horses, worms, and other
malicious software from outside the company. These threats are covered in their own section later in
the chapter.
Fortunately, you can do a number of things to implement strong external security
measures. They probably won’t keep out a determined and extremely skilled cracker,
but they can make it difficult enough that most crackers will give up and go elsewhere.
Front-Door Threats
Front-door threats, in which someone from outside the company is able to gain access
to a user account, are probably the most likely threats that you need to protect against. These threats can take many forms. Chief among them is the disgruntled or terminated employee who once had access to the network. Another example is someone guessing
or finding out a password to a valid account on the network or somehow getting a valid password from the owner of the password.
Insiders, whether current or ex-employees, are potentially the most dangerous overall. Such people have many advantages that some random cracker won’t have. They know the important user names on the network already, so they know what accounts to go after. They might know other users’ passwords from when they were associated with the company. They also know the structure of the network, what the server names are, and other information that makes cracking the network’s security easier.
Protecting against a front-door threat revolves around strong internal security protection because, in this case, internal and external security are closely linked. This
is the type of threat where all the policies and practices discussed in the section on internal security can help to prevent problems.
DEFINE-IT! Important Network Security Devices
Here are some important security devices you should be familiar with:
• A firewall is a system that enforces a security policy between two networks,
such as between a local area network (LAN) and the Internet. Firewalls can use many different techniques to enforce security policies.
• A proxy server acts as a proxy (an anonymous intermediary), usually for
users of a network. For example, it might stand in as a proxy for browsing web pages, so that the user’s computer isn’t connected to the remote system except through the proxy server. In the process of providing proxy access to web pages, a proxy server might also speed web access by caching web pages that are accessed so that other users can benefit from having them more quickly available from the local proxy server, and might also provide some firewall protection for the LAN.
• Usually built into a router or a firewall, a packet filter enables you to set
criteria for allowed and disallowed packets, source and destination
IP addresses, and IP ports.
An additional effective way to protect against front-door threats is to keep network resources that should be accessed from the LAN separate from resources that should
be accessed from outside the LAN, whenever possible. For example, if you never need
to provide external users access to the company’s accounting server, you can make it
nearly impossible to access that system from outside the LAN.
You can separate network resources through a number of measures. You can set
up the firewall router to decline any access through the router to that server’s IP or
IPX address. If the server doesn’t require IP, you can remove that protocol. You can
set up the server to disallow access outside normal working hours. Depending on the
network operating system running on the server, you can restrict access to Ethernet MAC
addresses for machines on the LAN that should be able to access the server. You can also
set the server to allow each user only one login to the server at a time. The specific steps
that you can take depend on the server in question and its network operating system, but
the principle holds true: Segregate internal resources from external resources whenever
possible.
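
As an added illustration (not from the original text), the sketch below models a packet filter on the firewall router that declines outside access to the accounting server, and includes a check that catches a rule placed in the wrong order. The first-match evaluation, the default deny, and the addressing plan are assumptions of this example, and all addresses are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    port: Optional[int]   # destination port; None matches any port

# Constructed addressing plan (assumption): LAN 10.0.0.0/24, accounting server
# 10.0.0.20, public web server 10.0.0.80; 203.0.113.9 stands in for an outsider.
ACCOUNTING = "10.0.0.20"
RULES = [
    Rule("allow", "10.0.0.0/24", "10.0.0.20/32", None),  # LAN users reach accounting
    Rule("deny", "0.0.0.0/0", "10.0.0.20/32", None),     # everyone else is declined
    Rule("allow", "0.0.0.0/0", "10.0.0.80/32", 443),     # outsiders get the web server only
]
# Same rules with a broad allow placed first: the deny is never reached on port 443.
MISORDERED = [Rule("allow", "0.0.0.0/0", "10.0.0.0/24", 443)] + RULES

def decide(rules, src_ip, dst_ip, dst_port):
    """First matching rule wins; a packet that matches nothing is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.port in (None, dst_port)):
            return rule.action
    return "deny"

def outside_reach(rules, server=ACCOUNTING, outsider="203.0.113.9", ports=(443, 1433)):
    """Audit check: ports on which an outside address is allowed through to the server."""
    return [p for p in ports if decide(rules, outsider, server, p) == "allow"]
```

An empty list from `outside_reach(RULES)` confirms the segregation holds, while `outside_reach(MISORDERED)` reports the port opened by the misplaced rule.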
Here are some other steps you might take to stymie front-door threats:
• Control which users can access the LAN from outside the LAN. For example,
you might be running VPN software for your traveling or home-based users to
access the LAN remotely through the Internet. You should enable this access
only for users who need it and not for everyone.
• Consider setting up remote access accounts for remote users who are separate
from their normal accounts, and make these accounts more restrictive than
their normal LAN accounts. This might not be practicable in all cases, but it’s
a strategy that can help, particularly for users who normally have broad LAN
security clearances.
• For modems that users dial in to from a fixed location, such as from their
homes, set up their accounts to use dial-back. Dial-back is a feature whereby
you securely enter the phone number of the system from which users are
calling (such as their home phone numbers). When the users want to connect,
they dial the system, request access, and then the remote access system
terminates the connection and dials the preprogrammed phone number to
make the real connection. Their computer answers the call and then proceeds
to connect them normally. Someone trying to access the system from another
phone number won’t be able to get in if you have dial-back enabled.
• If employees with broad access leave the company, review user accounts
where they might have known the password. Consider forcing an immediate
password change to such accounts once the employees are gone.
NOTE An important aspect of both internal and external security is physical security. Make sure
that the room in which your servers are located is physically locked and secure.
People trying to access the network who have not been associated with the company
at some point often try a technique euphemistically called social engineering, which is
where they use nontechnological methods to learn user accounts and passwords inside
the company. These techniques are most dangerous in larger companies, where not all