Windows legacy environment (DOS, Windows 95) is that of a single-user computer, not necessarily connected to a network, where whatever security existed was implemented largely through physical security mechanisms (a lock on the computer; the computer in a locked office). These early PC operating systems were single-user systems and did not restrict access to any part of the system. If a user had access to the computer, the user had access to every component of the computer, and so any program running in this environment had unrestricted access to operating system resources. By the nature of this design, every program running in the legacy Windows environment violated the principle of least privilege.
For business policy reasons, Microsoft has long been committed to providing backwards compatibility with legacy applications. Consequently, in order to run many of these legacy applications in a Windows environment that enforces access privileges, the programs must operate with administrative privileges, privileges in excess of "what is needed to complete the job" (Saltzer & Schroeder, 1975, p. 6).
Linux provides the ability for a program to assume rights in excess of those available to the user running it (the setuid and setgid mechanisms). Whether this is required would need to be evaluated on a case-by-case basis, but it is possible that many such applications violate the principle of least privilege, and their execution under an account other than that of the invoking user provides questionable accountability.
Linux provides a super-user account, known as the root account, which has access rights to and control over every object on the operating system. The existence of this account violates the principle of least privilege, since the actions performed using it rarely require complete and unfettered access to operating system resources. For example, administering the printer queue does not require the ability to delete every file on the system, which the root account permits.
Linux with mandatory access control (MAC) provides robust control of privileges by allowing a set of permissions to be defined between security principals (subjects) such as users, programs or processes and security objects such as files or devices. It is based on the principle of least privilege and allows an administrator to grant an application only the permissions needed to perform its task. This feature also improves the implementation of the principles of complete mediation and fail-safe defaults by providing mandatory, rather than merely discretionary, control over the interactions between subjects and objects. This provides a much better implementation of the least privilege principle than current versions of Windows.
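To make the difference between discretionary and mandatory control concrete, here is an added example written for this page (not code from the chapter) that models both checks in the order Linux applies them: the classic mode-bit check, which uid 0 bypasses entirely, followed by a type-enforcement check in the style of SELinux that consults only the subject's domain label and the object's type label and denies unless a rule explicitly allows. The domains, types, rules, ids and modes are constructed for the illustration, and only read, write and execute permissions are modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A running program: its Unix ids (used by DAC) and its domain label (used by MAC). */
typedef struct { unsigned uid, gid; const char *domain; } subject_t;
/* A file: owner, group and octal mode bits (DAC) plus its type label (MAC). */
typedef struct { unsigned owner, group, mode; const char *type; } object_t;
/* One type-enforcement allow rule: domain may perform perm on objects of type. */
typedef struct { const char *domain, *type, *perm; } te_rule_t;

/* Constructed policy: the printer daemon may only touch its spool, and only
 * the password tool may touch the shadow file. Anything not listed is denied. */
static const te_rule_t policy[] = {
    { "lpd_t",    "print_spool_t", "read"  },
    { "lpd_t",    "print_spool_t", "write" },
    { "passwd_t", "shadow_t",      "read"  },
    { "passwd_t", "shadow_t",      "write" },
};

/* Constructed sample objects and subjects. */
const object_t  SPOOL    = { 0, 7, 0660, "print_spool_t" };  /* root:lp   rw-rw---- */
const object_t  SHADOW   = { 0, 0, 0600, "shadow_t"      };  /* root:root rw------- */
const subject_t ROOT_LPD = { 0, 0, "lpd_t" };          /* printer daemon running as root */
const subject_t USER_LPD = { 1000, 7, "lpd_t" };       /* same daemon as an lp group member */
const subject_t USER_PW  = { 1000, 1000, "passwd_t" }; /* password tool without setuid */

/* Discretionary check: ordinary mode bits, which uid 0 bypasses entirely. */
bool dac_allows(const subject_t *s, const object_t *o, const char *perm)
{
    if (s->uid == 0)
        return true;
    unsigned shift = (s->uid == o->owner) ? 6 : (s->gid == o->group) ? 3 : 0;
    unsigned bit = perm[0] == 'r' ? 4 : perm[0] == 'w' ? 2 : 1;   /* r=4 w=2 x=1 */
    return ((o->mode >> shift) & bit) != 0;
}

/* Mandatory check: only labels matter, the uid is irrelevant, and the absence
 * of a matching rule means deny (fail-safe default). */
bool mac_allows(const subject_t *s, const object_t *o, const char *perm)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].domain, s->domain) == 0 &&
            strcmp(policy[i].type,   o->type)   == 0 &&
            strcmp(policy[i].perm,   perm)      == 0)
            return true;
    return false;
}

/* Complete mediation: every access goes through both checks, DAC first,
 * then MAC, and both must agree. */
bool access_allowed(const subject_t *s, const object_t *o, const char *perm)
{
    return dac_allows(s, o, perm) && mac_allows(s, o, perm);
}

int main(void)
{
    printf("root lpd_t writes spool:        %s\n", access_allowed(&ROOT_LPD, &SPOOL,  "write") ? "allow" : "deny");
    printf("root lpd_t writes shadow:       %s\n", access_allowed(&ROOT_LPD, &SHADOW, "write") ? "allow" : "deny");
    printf("uid 1000 lpd_t reads spool:     %s\n", access_allowed(&USER_LPD, &SPOOL,  "read")  ? "allow" : "deny");
    printf("uid 1000 passwd_t reads shadow: %s\n", access_allowed(&USER_PW,  &SHADOW, "read")  ? "allow" : "deny");
    return 0;
}
```

The second line of output is the point of the paragraph: the printer daemon runs as uid 0, so the discretionary check waves it through to the shadow file, but the mandatory check has no rule allowing lpd_t to touch shadow_t and denies it. The last line shows the other direction, where a label permits the access but the mode bits do not, so the discretionary check still applies to everyone except root.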
Windows provides a similar set of capabilities with the administrator account, but it also provides the ability to create other accounts that have some, but not all, of the administrator account's privileges. Using this capability, administrative accounts can be established with the various gradations of privilege required for particular administrative tasks (for example, a backup account to perform backups, a network account to perform network maintenance). The proper use of these limited administrative accounts gives better compliance with the principle of least privilege.
Both the Linux root account and the Windows administrator account exist largely for convenience. The Linux operating system is derived from the Unix operating system, which began in an academic research environment where access security was not a major concern. As Unix matured, however, it quickly became a best-practice standard to severely limit use of the root account. For this reason, few legacy applications running on Linux require root account privileges, and such use continues to be widely discouraged.
The ubiquitous buffer overflow attack has been used extensively against Windows platforms over the past five years (CERT2, 2003; CERT3, 2005; Microsoft-1; Yegneswarean et al., 2003). The attack involves exceeding the memory bounds of a buffer within a program (usually a network-facing program) and loading the overrun memory with a different