Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION

Transcription

1 Sharing Files Chapter 4 NOT ABOUT FOR SALE THIS OR CHAPTER DISTRIBUTION In this chapter, we work with the mechanisms provided by operating systems like Unix and Windows to protect files and folders. We also take a technical look at the fifth phase of the security process: monitoring the system. The chapter focuses on these topics: R SALE OR DISTRIBUTION Tailoring the security policy to grant special NOT access FOR to SALE individuals OR or DISTRIBUTION groups Permission flags in Unix-like systems Access control lists in Macintosh and Windows systems Monitoring system events through logging 4.1 Controlled Sharing Earlier in the text, we chose between Bob s isolation policy and a share-everything policy. What happens if Bob needs to share files with one or two other users but not with the rest of the suite? Bob hired a clerk to do data entry for his new client, a big surveying company. The new clerk, Tina, has her own login on Bob s computer ( tina ). However, the isolation policy blocks Bob and Tina from sharing files, unless Bob logs in as administrator and bypasses the access restrictions. R SALE OR It DISTRIBUTION is clear that we can create files and folders NOT and establish FOR SALE access OR rights DISTRIBUTION for them. We can share files with some people and hide them from others, simply by configuring the right permissions. In small cases we might get this correct through trial-and-error, but we might also leak data while implementing our solution. Instead, we begin with identifying our objectives, threats, risks, and requirements. We plan and implement our controls based on the requirements. When we NOT write FOR the requirements SALE OR and DISTRIBUTION policy, we want to capture our general intent. When we write up implementation details, we get specific. In this case, the requirements talk about people and general types of information (Bob, Tina, and shared bookkeeping..

2 134 Chapter 4 Sharing Files data). Jones Implementation & Bartlett controls Learning, talk about files, folders, users, and access Jones rights. Here & Bartlett are Learn the two requirements we add to our isolation policy: Bob and Tina shall be able to read and modify the surveying company s bookkeeping data. No one shall have access to bookkeeping data, except Bob and Tina. Jones & Although Bartlett global Learning, restrictions like no one shall are sometimes Jones hard & Bartlett to verify, accurate Learning, NOT FOR SALE policy statements OR DISTRIBUTION may require them. Tailored File Security Policies To share the project files, Bob needs to adjust his user isolation security policy. Practical problems like this often arise when using one-size-fits-all policies like isolate everyone or share everything. We address such things with tailored access policies. Three examples of tailored policies are: 1. Privacy 2. Shared reading 3. Jones Shared updating & Bartlett Learning, NOT We can FOR describe SALE a tailored OR DISTRIBUTION policy in several ways. Here we take a systematic NOT FOR approach. SALE OR DIST We implement each tailored policy underneath a systemwide default policy of either isolation or sharing. The tailored policy specifies additional access rights. These new rights may add to or replace the default rights. For each new set of rights, the tailored Jones & policy Bartlett needs Learning, to consider four things: NOT FOR SALE 1. Which OR DISTRIBUTION files or other resources are involved (for example, NOT FOR files relating SALE to OR Surveyors DISTRIBUTION or perhaps Tina s personal files )? 2. Which users are granted these new rights (for example, users editing the books for Surveyors )? s & Bartlett Learning, 3. Do we Deny by Default, or do we Jones retain the & default Bartlett access Learning, rights for these files? 4. Which access rights do we enforce: NOT full FOR access, SALE execute, OR read-only, DISTRIBUTION or no access? Typically, the files in question will reside within a particular directory and be used by a particular group of people. When we describe the policy, however, we must be careful to describe what we want, rather than how we ll do it. Bob s Sharing Dilemma Bob needs to implement a tailored updating policy so that he can share files with Tina. But how should he do it? For each file, we can control access by the owner, administrators, and the rest of the users. If that s all we have, there s no way to grant access to two specific users while Jones & Bartlett blocking access Learning, to the rest. NOT FOR SALE Bob OR could DISTRIBUTION solve this sharing dilemma if he always logs NOT in FOR to a system SALE administration OR DISTRIBUTION account. On some systems, these accounts use a specific user identity with a name like system or root that receives all system-related access rights. If Bob does this, the..

3 4.1 Controlled Sharing 135 account will have Jones full access & Bartlett to Tina s Learning, files. If he wants to create files to share with Tina, Jones & Bartlett Learn however, he must make Tina the owner of those files. Otherwise, he wouldn t be able to restrict access exclusively to Tina and himself. This solution poses a problem: Least Privilege. It may seem convenient to log into a system routinely as root or some other administrative identity, but it poses a real risk to the system. If Bob unexpectedly exposes the system to a virus or malicious website Jones while using & Bartlett administrative Learning, privileges, the system may quickly become Jones compromised. & Bartlett Learning, NOT FOR We can SALE solve Bob s OR DISTRIBUTION problem if we can specify additional access NOT rights FOR for each SALE file OR and DISTRIBUTION folder. There are two choices, depending on which operating system we use: 1. Keep a list of access rights for each file, called the access control list (ACL). Each entry in the ACL identifies a specific user and contains a list of access rights s & Bartlett Learning, granted to that user. This is available on modern Jones versions & Bartlett of Windows Learning, and on Apple s OS X. 2. Keep one additional set of access rights, and associate it with a user group. Associate a group with each file, just as we associate a user, the owner, with each file. This is available on all Unix-based systems. Windows uses Jones a simple & Bartlett version of ACLs Learning, to provide basic file sharing on home editions of Windows. NOT FOR All SALE Unix-based OR systems DISTRIBUTION provide group-based access controls. Practical Tip: Always organize your files into separate folders according to their access rights. Bob and Tina need to share the bookkeeping files for the surveying company. They put the files they need to share into a specific folder. They set up the folder s access rights to let them share the files. Neither Bob nor Tina should store files in that folder unless both of them should be sharing that file. If Bob hires another clerk to work on a different customer s books, he should set up a separate folder for that clerk. s & Bartlett Learning, Basic File Sharing on Windows R SALE OR Windows DISTRIBUTION provides a very simple mechanism for NOT sharing FOR files SALE among OR users DISTRIBUTION on a personal computer. The mechanism begins with an isolation policy; users have no access to other users personal files. Building on the isolation policy, we assign additional permissions to selected users. To implement tailored sharing, we put the files in a folder and enable file sharing for that folder. File sharing recognizes three sets of access rights: 1. Owner rights: the person who owns the folder, who has full rights to read, modify, or delete anything in the folder. This can t be changed from the file-sharing window. Jones 2. & Reader Bartlett rights: Learning, users with the right to read files in the folder. NOT FOR 3. Read/Write SALE OR rights: DISTRIBUTION users who can both read and write files NOT in the FOR folder. SALE OR DISTRIBUTION On Windows 8.1, Bob can easily share files or folders for reading. First, he creates the shared folder, named Survey. Next, he right-clicks on the folder and selects Share.. 4Sharing Files

4 136 Chapter 4 Sharing Files Used with permission from Microsoft. Figure 4.1 Jones & Sharing Bartlett files Learning, for reading on Microsoft Windows 8.1. with from the menu. This displays a submenu that lists users with whom he can share the folder (Figure 4.1). Bob selects Tina from the list, and Windows allows her to read the file. s & Bartlett Learning, Bob must take different steps to grant Jones Tina both & Bartlett read and write Learning, access to the files. Instead of selecting Tina s name from the Share With menu, he selects Specific People. This displays the basic file-sharing window (Figure 4.2). Bob uses the Add button in the window to add Tina as the user with whom he will share. Next, he sets her access rights to Read/Write. The Windows 7 Sharing Wizard provides a similar mechanism. The Share With menu works together with the basic file-sharing window to establish access Jones rights. & Bartlett If the Share Learning, With menu selects a user name, then the name Jones will appear & Bartlett Learn in the NOT file-sharing FOR SALE window OR with DISTRIBUTION Read access rights. We can use the window NOT FOR to grant SALE OR DIST Read/Write rights or to remove rights entirely User Groups If Bob and Tina are using a Unix-based system or a professional Jones & version Bartlett of Windows, Learning, they can use group rights to protect their files. They define NOT a FOR user group, SALE which OR serves DISTRIBUTION as another set of users for whom we specify access rights. A simple implementation adds two items to each file s access control data: the name of the file s group, and a set of flags..

5 4.1 Controlled Sharing 137 4Sharing Files Figure 4.2 Microsoft s basic file-sharing window. Used with permission from Microsoft. for access rights. If a user belongs to the file s group and tries to access the file, the system applies the group access rights. In Bob s case, he sets up a survey group that contains Tina and himself (Figure 4.3). He then ensures that each file containing survey information belongs to that group. Each file in the group contains the following access information: File s owner: Either Bob or Tina File s group: Survey, containing Tina and Bob Owner access: RW- System access: RW- Group access: RW- NOT FOR World SALE access: OR DISTRIBUTION To provide access rights for groups, the system integrates group identifiers into many of the same places as user identifiers. When a process begins, it inherits a group identifier..

6 138 Chapter 4 Sharing Files Used with permission from Microsoft. Figure 4.3 s & Bartlett Learning, Editing the survey user group on Windows. from the user who started it. When the process tries to access a file, the system checks the user identity and the group identity, and it applies the specified rights if one of them matches. If neither matches, the process receives any rights granted to the world NOT of FOR users. SALE OR DISTRIBUTION Administrative Groups In a sense, access permissions for the world represent permissions for a particular group. Likewise, some systems have one or more built-in administrative groups that provide special privileges for managing the system. In Windows, this is the role of the Administrators group. Unix-based systems often have a similar group that is sometimes called the wheel group...

7 4.1 Controlled Sharing 139 If a system provides Jones administrative & Bartlett Learning, groups, administrators can log in using personal user identities. If the identity is a member of the administrative group, the user receives administrative access to the computer s resources. This provides better control than logging in directly with a privileged user name like root or SYSTEM. If administrators log in with individual, personalized identities, we can more easily track their individual actions. If an administrator performs a malicious act, we can identify the user who Jones performed & Bartlett the act, even Learning, if that user was logged in as an administrator. NOT FOR Even though SALE the OR administrative DISTRIBUTION groups give us a better way of NOT tracking FOR administrative SALE OR DISTRIBUTION actions, it s still risky to log in with such power. Many organizations provide administrators with two separate identities: one for routine activities and one for more risky administrative tasks. The administrative identifier is a member of the administrative group. s & Bartlett When Learning, logged with the administrative identity, Jones the user has & Bartlett full administrative Learning, powers. When Bob set up the computer shared with Alice, he created separate user names for users and for administration. The users bob and alice are regular users. SuperBob is like the Bob account, except that it is also in the Administrators group. When Bob hired Tina, he logged in as SuperBob and created a separate user name for Tina. He also established the survey group containing the two of them (Figure 4.3) Least Privilege and Administrative Users Despite the risks, many people routinely log into their personal computers with full administrative powers. Some see it as their right and privilege, because they own the computer in question. Many users don t realize the risks involved. Jones If Bob & Bartlett visits a malicious Learning, website or downloads a virus while logged Jones in as & an Bartlett administrator, FOR the SALE malicious OR software DISTRIBUTION can use his administrative privileges NOT to FOR infest his SALE computer. OR DISTRIBUTION Learning, NOT If Bob is logged in only as a regular user, then the infestation will, at most, affect his user environment. Many viruses are blocked when they try to infest a regular user; they depend on administrative privileges for their attacks to work. Not all administrative accounts have unlimited rights. Some systems define user s & Bartlett identities Learning, that represent special activities performed Jones by the & operating Bartlett system. Learning, If we display R SALE OR the process DISTRIBUTION status on Unix (the ps command), NOT or the FOR Task SALE Manager OR on DISTRIBUTION Windows (Figure 4.4), we can list all running processes along with the user names associated with those processes. The display shows one or more special user identities for running network services, including the file Jones server and & Bartlett web server. Learning, Other identities, like SYSTEM and LOCAL SERVICE, are NOT responsible FOR SALE for utility OR processes DISTRIBUTION that keep the system running. Individuals can t log in with such user names. Administration By Regular Users As an alternative to having administrators with too much power, some operating systems provide ways of temporarily granting administrative powers to people logged in to regular user accounts. The temporary permission relies on the person authenticating as an authorized administrator. The temporary administrative privilege applies to a program started by the user and disappears when the program ends... 4Sharing Files

8 140 Chapter 4 Sharing Files Used with permission from Microsoft. Figure 4.4 The Task Manager s process display on Microsoft Windows. For years, the all-powerful Unix root account has been too powerful for individual users to use, but too useful to eliminate entirely. Today, Unix-based systems may have administrators who belong to administrative groups, but the administrators still must s & Bartlett Learning, rely on root to make serious changes to Jones the system. & Bartlett Typically, Learning, they use the setuid opera- tion, which temporarily changes a user s NOT identity. FO To run a program as root, the administrator runs the setuid program, specifies the new user identity to be root, and directs it to run an administrative function under that user identity. The setuid function prompts for the root password, and it starts the program Jones if the & user Bartlett types the Learning, right password. Most Unix administrators today Jones use a & Bartlett Learn prepackaged NOT FOR sudo SALE function OR DISTRIBUTION that runs setuid with the identity of root. Apple s OS X provides sudo, like most Unix-based systems, but it also implements a separate mechanism for configuring sensitive parts of the system. For example, Figure 4.5 shows a screen that changes the system s behavior when restarting. To enable the Target Disk Mode button, the user first must click on the padlock, which demands an Jones & Bartlett administrator s Learning, password. Once the user types the password, Jones the & padlock Bartlett switches Learning, to NOT FOR SALE unlocked OR DISTRIBUTION and the system enables the button. The same user interface allows regular users to modify many critical system preferences. OS X uses a similar arrangement to allow regular users to adjust the rights on files and..

9 4.1 Controlled Sharing 141 4Sharing Files Figure 4.5 Screen shot reprinted with permission from Apple Inc. OS X padlock unlocks with an administrator s password. R SALE OR folders: DISTRIBUTION Again, there is a padlock that controls NOT the permission FOR SALE settings OR and DISTRIBUTION an administrative password unlocks that lock. User Account Control On Windows Starting with Windows Vista, Microsoft s operating systems provide a similar mechanism, called user account control, or UAC for short. Whenever a user tries to run an administrative function, Windows tells the user and asks for approval. If the user is a regular, nonadministrative user, then the user must provide an administrative password before the task proceeds (Figure 4.6). The principle behind UAC is that the really dangerous attacks on a computer begin with some extraordinary event, like using administrative privileges or making changes to critical programs in the Windows operating system. For example, the attack might try to Figure 4.6 User account control pop-up window. Used with permission from Microsoft...

10 142 Chapter 4 Sharing Files install Jones a back door. & Bartlett If the system Learning, always asks before performing such actions, Jones there & is Bartlett a Learn better chance that a user will detect the attack and repel it. 4.2 File Permission Flags Jones & In Bartlett earlier examples, Learning, we indicated file permissions and other Jones access & rights Bartlett by abbreviations: Learning, NOT FOR SALE R for OR read, DISTRIBUTION W for write, and so on. If the system granted NOT FOR a particular SALE right, OR we DISTRIBUTION showed the appropriate letter and showed a hyphen ( - ) otherwise. These correspond to file permission flags that the system sets to true if the right is present and false otherwise. s & Bartlett Learning, The best-known modern implementation Jones of file & permission Bartlett Learning, flags is Unix. Ken Thompson and Dennis Ritchie at Bell NOT Telephone FOR Laboratories SALE OR originally DISTRIBUTION developed Unix in the early 1970s. Since then, Unix technology has been the foundation of many systems, including the Solaris operating system, Apple s Macintosh OS X, and the open source Gnu and Linux software. Unix-like systems became so significant in computing that the IEEE developed standards for such systems through its Portable Operating System Interface Jones (POSIX) & Bartlett committee. Learning, Some experts refer to Unix file permissions Jones as POSIX & Bartlett Learn file NOT permissions. FO Unix implements three file-access rights (read, write, and execute/search) for each of these three sets of identities: 1. Owner (called user rights in Unix): the user who owns a file 2. Group: users belonging to the group associated with the file 3. World (called other rights in Unix): all other users Figure 4.7 illustrates Unix permission flags for a typical file. The owner typically has the right to read and write the file. Users in the file s group, and all other users, customarily receive permission to read the file but not to write it. If a file is executable, then anyone s & Bartlett Learning, granted the right to read the file also is granted Jones permission & Bartlett to execute Learning, it. In practice, most files that have execute permission also NOT have FOR read permission. SALE OR This DISTRIBUTION is not technically required in all cases, but it is customary. NOT Owner FOR SALE RightsOR DISTRIBUTION Group Rights World NOT Rights FOR SALE OR DIST Read Write Execute Read Write Execute Read Write Execute Figure 4.7 Unix file permissions for a typical file...

11 4.2 File Permission Flags 143 ls -l total 56 1 rick ops 4321 Nov 23 08:58 data1.txt -rwxr-xr-x 1 rick ops Nov 23 10:19 hello -rw-r--r--@ 1 rick rick 59 Nov 23 10:18 hello.c 4Sharing Files Figure 4.8 NOT Unix FOR directory SALE listing OR DISTRIBUTION command ls. Unix uses similar permission flags to protect folders, which are always called directories. Learning, To open a file listed in a particular directory Jones or to search & Bartlett a directory Learning, to find another s & Bartlett R SALE OR directory DISTRIBUTION inside it, a user needs execute access NOT to that FOR directory. SALE To OR list DISTRIBUTION the contents of a directory, the user needs read access to that directory. To create or delete files, the user needs write access to the files directory. Figure 4.8 illustrates permission flags as they appear in text-oriented Unix shell commands. The typed command appears italics. The ls command lists files in the current directory. If we type ls -l we get the long directory listing shown here that includes file ownership and permissions. The left column contains permission codes rw-r- and such to indicate access rights for each file. After skipping the first hyphen, the three-letter groups indicate rights for the file s owner, the file s group, and the rest of the world, respectively. File names appear in Jones the right & column. Bartlett The Learning, permissions for the data files data1.txt and Jones hello.c & Bartlett match the Learning, NOT permissions FOR SALE shown OR in DISTRIBUTION Figure 4.7. The column containing rick NOT denotes FOR the SALE files owner, OR DISTRIBUTION and the next column to the right identifies the owning group (either rick or ops ). Unix users have several commands for adjusting a file s rights: chmod short for change mode, it can change the rights granted to the owner, s & Bartlett Learning, group, or rest of the world, for a file R SALE OR DISTRIBUTION chown short for change owner, it changes NOT FOR the identity SALE of a OR file s DISTRIBUTION owner chgrp short for change group, it changes the identity of the group associated with a file Permission Flags and Ambiguities Bob wants to create a file and allow everyone, including Tina, to see it, but he also wants to protect it from change. The file belongs to the survey group, which contains Tina and Bob. Table 4.1 shows the access rules Bob set up. Bob gives the world read access to the file. He gives the group no access to the file. Will Tina be able to read the file? Jones Because & Bartlett Tina is both Learning, a member of the survey group and a member Jones of & the Bartlett world, Learning, NOT the FOR access SALE rights OR are ambiguous. DISTRIBUTION On the one hand, a missing access NOT right FOR might SALE mean OR that DISTRIBUTION we should forbid access to Tina, since she s a member of the survey group and the group is granted no access. However, Bob, the owner, is also a member of the survey group...

12 144 Chapter 4 Sharing Files Jones & Bartlett TABLE 4.1 Learning, Ambiguous access rules Effective Access Identity Class Access Bob Tina World Owner (Bob) RW RW Group (Bob and Tina) ing, System (administrators) RW World (everyone else) R- NOT?? FOR R- SALE OR DISTRIBUTION Should we forbid access to him, too? On the other hand, the missing rights may simply mean that Tina acquires any rights she deserves from being a member of the world. On Microsoft Windows, access permissions tend to accumulate. As a member of both the survey group and the world, Tina receives all accesses granted to those groups. In this example, Tina has read access. Unix-based systems combine rules differently. If a permission flag fails to grant a particular Jones right, & then Bartlett the right Learning, is denied. When checking permissions, the Jones system selects & Bartlett Learn the NOT set of FOR users (owner, SALE group, OR DISTRIBUTION or world) that best fits the user accessing NOT the file. FOR The SALE OR DIST choice is made as follows: If the root user accesses a file, the system grants full access to the file. If the file s owner accesses a file, the system applies the owner rights. Jones & Bartlett If a group Learning, member (who is not the file s owner) accesses Jones the & file, Bartlett the system Learning, applies NOT FOR SALE the OR group DISTRIBUTION rights. If the user is neither the owner nor a member of the file s group, the system applies the world rights. When we apply the Unix rules to Tina, the system denies access. Unix-like systems block s & Bartlett Learning, access to the file through explicit denial: Jones Because & Tina Bartlett is a member Learning, of the group and the group has no access rights, Tina receives NOT no FOR access rights. SALE If OR Bob accesses DISTRIBUTION the file, however, the system applies the owner rights and grants read/write access. If a user is neither Bob nor a member of the survey group, then the system applies world rights and allows read-only access. Tina herself would have read access if she weren t a member of the survey group. If Bob Jones removes & Bartlett read access Learning, rights from one of his own files, he can no longer Jones read & the Bartlett Learn file, even if the rest of the world has read access. Because it is Bob s file, he can change the permissions back to allow read access, but he won t be able to read the file until he changes the permissions. Jones & Bartlett Permission Learning, Flag Examples Let us return to Bob s desktop computer policy and extend it to protect the surveyor customer files (a tailored updating policy). First, we review the five generic risks, the sixth associated with Bob, and add a seventh:..

13 4.2 File Permission Flags 145 TABLE 4.2 Jones Policy & additions Bartlett for tailored Learning, sharing of the survey files Policy NOT Policy FOR Statement SALE OR DISTRIBUTION Risks 8 The system shall have a regular user named Tina. 4, 7 9 Tina shall have a password to protect her login. 2, 3, 4, 5, 7 10 All surveying company files shall belong to the survey group. 7 Jones & 11 Bartlett Only Bob Learning, and Tina shall be members of the survey group. Jones 4, & 7 Bartlett Learning, NOT FOR 12SALE Bob OR and DISTRIBUTION Tina shall have full access to files in the survey group. NOT FOR 1, 4, SALE 7 OR DISTRIBUTION 4Sharing Files 7. Disclosure of the surveyor company files to people outside the bookkeeping s & Bartlett Learning, company, which could compromise the company Jones to & its Bartlett competitor. Learning, Bob s original policy appears in Tables 3.3 and 3.4. To address the seventh risk, we add the policy statements shown in Table 4.2. To implement this policy, we create an account for Tina, and Tina establishes a password for it; then we add to the security controls listed in Table 3.7. This yields the controls listed Jones in Table 4.3. & Bartlett Remember Learning, what an X ( execute ) permission means when applied NOT to a directory: FOR SALE It indicates OR DISTRIBUTION the right to search the directory when trying NOT to FOR SALE OR DIST locate a file by name. Note that we always specify group access permissions, even for personal files. When creating a new user, most Unix-based systems automatically create a separate group just for that user. By default, all files created by that user belong to the user s personal group. When Bob or Tina creates files containing surveyor company information, they must explicitly assign those files to the survey group. Security Controls For The File-Sharing Policy Now let us look at a more general example: the file-sharing policy described in Table 3.5. The policy grants read access to all files by default and execute access to shared application programs. Table 4.4 shows the appropriate security controls. Occasionally, either Bob or Tina should go through and set the access rights on all files (and folders) inside their shared folder. This ensures that both have access rights to everything and that nobody else has inadvertently been given access rights to anything. TABLE 4.3 Security controls for Tina and the shared project files Control Owning Group Access Rights Policy Number File Owner (members) Owner Group World Statement 11 Tina s directory Tina Tina RWX RWX 4, 9 12 Tina s files Tina Tina RWX RW- 4, 9 13 Project directory Bob or Tina Bob, Tina RWX RWX 10, 11, Project files Bob or Tina Bob, Tina RWX RW- 10, 11, 12..

14 146 Chapter 4 Sharing Files TABLE Jones 4.4 Security & Bartlett controls Learning, for the file-sharing policy in Table 3.5 Control Owning Group Access Rights Policy Number File Owner (members) Owner Group World Statement 1 Executables System System RWX RWX R-X 1, 3 2 User directories User User RWX RWX R-X 4, 5 Jones & Bartlett 3 Learning, User files User User RWX Jones RW- & Bartlett R-- 4, Learning, Access Control Lists and OS X In many access control problems, we have a single group of users who all need identical access rights to a particular set of files. We can easily solve such problems with group permissions. There are, however, cases where we can t use file permission flags and a single user group to achieve Least Privilege. Consider a policy that requires these three conditions: 1. Block access to the user community in general. 2. Grant read-only access to one group of users. 3. Grant read/write access to a second group of users. We can t do this with Unix-style permission flags and achieve Least Privilege. We might Jones & come Bartlett close Learning, if we grant read-only access to everyone and read/write Jones & access Bartlett to the Learning, second group. We also might come close if we create a single large group out of the first and second groups. We then grant read/write access to all, and we tell members of the first group to restrain themselves. To achieve Least Privilege, we need access control lists (ACLs). In Section 4.1, we introduced Windows home edition ACLs that grant rights to specific users. This particular implementation can solve the problem just described: We s & Bartlett Learning, list all users individually and grant the appropriate Jones & access Bartlett to each Learning, one. This is a reasonable solution if we are controlling the rights NOT for only FOR a handful SALE of OR people. DISTRIBUTION It becomes impractical as the groups grow in size. To implement the policy for larger groups, it is easier and more reliable to establish separate user groups. We then establish permissions for each group instead of setting permissions on a per-user basis. It is much easier to verify correct group membership than it is to review the access rights for dozens of individual users. NOT Fortunately, FOR most SALE modern OR DISTRIBUTION ACL implementation can specify permissions NOT for FOR groups SALE of OR DIST users as well as individuals. Modern Unix-based systems that include ACLs, like Apple s OS X, support group permissions as well as individual user permissions. Professional and business versions of Windows also support group permissions. NOT FOR SALE Macintosh OR OS DISTRIBUTION X ACLs Macintosh OS X ACLs are built on top of standard Unix permissions and designed to work well with Windows-style ACLs (Figure 4.9). Most users interact with these ACLs..

15 4.3 Access Control Lists and OS X 147 4Sharing Files Screen shot reprinted with permission from Apple Inc. Figure 4.9 Macintosh ACL for Bob and Tina s shared file. through the standard Macintosh GUI, known as the Finder. Superficially, OS X ACLs are similar to the simple Windows ACLs shown in Figure 4.2. We start with access allowed by the owner, and we can add access rights for other users. As with the earlier example, one of the users can simply add access rights for the s & Bartlett other. Learning, Just as Tina granted access to Bob, Bob can Jones grant access & Bartlett for Tina Learning, (Figure 4.9). R SALE OR To DISTRIBUTION modify the ACL, we must first unlock it NOT by clicking FOR on SALE the padlock OR DISTRIBUTION in the lower right-hand corner. Unfortunately, we need administrator rights to make changes to an ACL. Thus, Bob had to type in an administrator s name and password in order to fix the ACL. Once we unlock the ACL, we add another user by clicking on the + box in the lower left-hand Jones corner. The & Bartlett Finder then Learning, displays a list of existing users, and we click the name we NOT wish to FOR add. SALE OR DISTRIBUTION To change the access rights in an ACL entry, we have two choices. If we want to remove all access permissions, we can delete the corresponding ACL entry. To do this, we select the corresponding row and then click on the - sign in the lower left. Default rights, like those assigned to the owner, owning group, or world, can t be Jones deleted. & To Bartlett remove access Learning, for one of those, we click on the corresponding Jones entry & Bartlett under Learning, NOT Privilege FOR SALE and choose OR DISTRIBUTION the access rights we want. Figure 4.10 shows NOT the FOR pop-up SALE menu OR DISTRIBUTION to choose the access rights. In the example, we choose No Access rights for everyone not listed in the ACL...

16 148 Chapter 4 Sharing Files Screen shot reprinted with permission from Apple Inc. Figure Jones 4.10 & Bartlett Learning, Modifying NOT FOR the rights SALE on a OR Macintosh DISTRIBUTION ACL entry. Jones & Bartlett Unlike the Learning, simple Windows ACLs described earlier, OS Jones X allows & Bartlett us to add ACL Learning, NOT FOR SALE entries for OR groups DISTRIBUTION as well as users. We first create a group NOT by FOR selecting SALE User OR Accounts DISTRIBUTION under the System Preferences application. We unlock the application by clicking on the padlock in the lower left and typing an administrator s password; then we click on the plus + sign above the padlock, and we choose to create a group. Once the group exists, we can modify its name and members by editing the screen shown in Figure s & Bartlett Learning, We give the group the name survey Jones and select & Bartlett members by Learning, checking them in the Membership window. In the figure, NOT we have FOR selected SALE Bob OR and DISTRIBUTION Tina as members. Note that other groups also may be members of groups. To include a group in an ACL, we first display and unlock the ACL, then we click the plus sign to add a new entry. We select the group s name from the list, and then set the group s Jones access & rights. Bartlett Learning, NOT When we FOR create SALE a new OR file on DISTRIBUTION a Macintosh, the file grants full rights to NOT the owner FOR and SALE OR DIST read-only access to everyone else. This does not, however, mean that we are sharing files by default. Every user has a home directory that carries his or her user name; within that directory are personal directories with names like Desktop, Documents, Downloads, Library, and Pictures. By default, other users cannot read these directories. Even if they Jones & Bartlett have read access Learning, to the files themselves, they can t read the Jones files because & Bartlett they can t Learning, reach NOT FOR SALE them easily. OR DISTRIBUTION Only the Public directory grants read access NOT to users FOR in SALE general. OR DISTRIBUTION If we wish to share files with others, we either place the files in the Public directory, or in another directory that s not part of our user file directories. For example, Bob might..

17 4.3 Access Control Lists and OS X 149 4Sharing Files Figure 4.11 Choosing users for a group in Apple s OS X. Screen shot reprinted with permission from Apple Inc. R SALE OR create DISTRIBUTION a Projects directory in the root directory NOT that FOR is readable SALE by OR everyone. DISTRIBUTION Within that directory, he creates a new directory for every project, and he sets access permissions to allow project members only. When Tina creates a file in their shared survey directory, the file will grant full access to her and Jones read access & Bartlett to everyone Learning, else. This is the default behavior. The protections on its directory will protect the file from other users. The system will not, however, automatically fill in the ACL with permissions for Bob. He will be able to read the file because, by default, he receives read access with the rest of the world. Unlike the rest of the world, he can read the directory. This allows him to actually read the file. Although this approach will protect the survey files from being read by outsiders, it Jones is best & to Bartlett explicitly change Learning, permissions to block access by people outside Jones the & group. Bartlett Bob Learning, NOT won t FOR share SALE his administrative OR DISTRIBUTION password with Tina, so she can t NOT change FOR ACLs SALE herself. OR DISTRIBUTION However, she can type in a chmod command by hand to remove access by the world ( others ) to her new files...

18 150 Chapter 4 Sharing Files 4.4 Jones Microsoft & Bartlett Windows Learning, ACLs ACLs first appeared in Windows operating systems with the introduction of Windows NT in The ACLs evolved over subsequent releases of professional versions of Windows, including Windows 8.1. The basic file sharing introduced in Section uses Jones & the Bartlett ACL system Learning, through a simplified interface. All changes Jones made through & Bartlett basic Learning, file NOT FOR SALE sharing OR are reflected DISTRIBUTION in the ACLs. Windows has produced a particularly effective ACL implementation by providing flexible and sophisticated inheritance. In most cases, the file in a folder inherits access rights cleanly and simply from the enclosing directory. Files and folders automatically inherit changes made to an enclosing folder s access rights. This makes it easier to s & Bartlett Learning, manage rights in file hierarchies. The ACLs used in Macintosh OS X NOT and Sun s FOR Solaris SALE operating OR DISTRIBUTION system are similar to those in Windows to ensure they work well together. Version 4 of the Network File System also adopted an ACL mechanism that is very similar to Windows. Although these ACLs are similar, each has its own interface, graphical and otherwise, for viewing and changing Jones ACLs. & In Bartlett addition, Learning, the other systems use different techniques to Jones inherit ACL & Bartlett Learn settings and apply default rights. On Windows, we display a file s ACL by selecting the file and choosing the Properties menu entry. The ACLs reside under the Security tab (Figure 4.12). The top pane Figure 4.12 Access control list from Microsoft Windows. Used with permission from Microsoft...

19 4.4 Microsoft Windows ACLs 151 of the ACL window Jones lists & the Bartlett entries for Learning, different users or classes of users. When we Jones click & Bartlett Learn on one of those entries, the lower pane displays the corresponding access rights and restrictions. A check mark under Allow grants that right; a check mark under Deny blocks that right. As with earlier ACL examples, the access rights in Figure 4.12 can t be expressed with a set of file permission flags. The ACL describes rights for two different users, Bob and Jones SYSTEM, & Bartlett and for Learning, two different groups, Administrators and Jones Survey. & Windows Bartlett Learning, NOT provides FOR SALE several different OR DISTRIBUTION displays for ACLs. The display in Figure NOT 4.12 FOR only SALE shows the OR DISTRIBUTION rights for the user or group chosen in the display s upper pane. In the figure we see only the rights granted to the survey group. We need to select the other entries individually to see the rights granted to those users or groups. s & Bartlett When Learning, a Windows ACL has two or more entries Jones that apply & Bartlett to the current Learning, process, the access rights are combined. We discussed this earlier with the example in Table 4.1. If Bob gives read access to everyone and omits any access rights for the survey group, Tina can still read it. The absence of a right does not forbid access in Windows ACLs. 4Sharing Files Denying Jones Acces Windows allows us to explicitly deny access rights. The ACLs provide separate Allow and Deny flags (Figure 4.13) for each right. On Unix, we deny access by being silent, by failing to grant access rights. On Windows, we can specifically deny access to particular users or groups. This produces more ambiguity: What does it mean if one ACL Jones entry grants & Bartlett access while Learning, another denies access? NOT FOR Windows SALE resolves OR DISTRIBUTION this by always applying the Deny entries first. NOT The FOR system SALE looks OR at DISTRIBUTION the access rights being requested and the identity of the process making the request. If a Deny entry matches a user name or group associated with the process, Windows denies the specified access rights. Windows then reviews the Allow entries. If any entry matches the process owner or one of its groups, then the corresponding access rights are granted, s & Bartlett unless Learning, the right was previously denied through a Jones Deny entry. & Bartlett Learning, R SALE OR This DISTRIBUTION makes Deny access convenient in some NOT cases FOR but tricky SALE in others. OR DISTRIBUTION Let us return to the example of Bob, Tina, and the survey group. Clearly Bob wants to give read/write access to the survey group, so he puts the appropriate rights in the ACL. After a meeting with the secretive manager of the surveying company, he decides to revise the ACLs. He adds an ACL entry Jones to his & survey Bartlett files to Learning, specifically deny access by the user Alice. When Alice NOT logs in, FOR she is SALE denied access OR DISTRIBUTION to the survey files even if some other ACL NOT entry FOR SALE OR DIST grants her access by mistake. This produces the result Bob wants. Following another uncomfortable talk with the surveying company manager, however, Bob gets worried. If he creates another user, then he ll have to update the ACLs to deny that new user, too. Bob decides it s easier to simply deny access by Users to the survey data Jones files. He & assumes Bartlett that Learning, Tina will still have access since she is a member Jones of the survey & Bartlett group. Learning, NOT FOR Instead, SALE Windows OR DISTRIBUTION applies all Deny ACL entries first. Because NOT Tina FOR (and Bob, SALE for that OR DISTRIBUTION matter) is a user and all users are denied access, Tina is denied access; nobody can access the survey files until Bob removes the Deny entry...

20 152 Chapter 4 Sharing Files Used with permission from Microsoft. Figure 4.13 Denying access in a Windows ACL. The Deny feature can make an ACL hard to interpret. The Windows ACL display in Figure 4.14 lists the rights by the sets of users involved. However, a single set of users may be subject to both Allow and Deny rights, and all Deny rights are applied first. We must examine the list twice: once applying the Deny rights, and again applying the Allow rights. NOT FOR SALE Determining OR DISTRIBUTION Access Rights To determine the actual rights applied to a particular file under Windows, we have two choices. First, we can manually review the rights for each user and group. We need to..

21 4.4 Microsoft Windows ACLs 153 4Sharing Files Used with permission from Microsoft. Figure 4.14 Advanced security settings for Windows ACLs. keep track of Allow and Deny rights, apply the Deny rights first, and apply Allow rights only if they don t contradict an earlier Deny right in the ACL. Our second choice is to s & Bartlett click Learning, on the Advanced button at the bottom of Jones the ACL & window. Bartlett This Learning, opens another R SALE OR window DISTRIBUTION that gives us finer control over the access NOT rights. FOR If we SALE click OR on the DISTRIBUTION Effective Permissions tab in that window, we can ask Windows to determine the access rights granted to a particular user or group. Building Effective Acls In general, Deny by Default yields the best approach to building ACLs. We start with no rules granting access to anyone. We add access rights required by the owner and the system, and then we add access rights required by others who use the files. We won t need to use Deny entries if we haven t granted access rights we must later rescind. Occasionally, we might encounter a case where it s more practical to use a Deny entry than to build the ACL using Deny by Default. For example, a college may have a user group for all students called, of course, Students. As soon as people register, they are added to the group. However, there are certain items that incoming freshmen aren t allowed to use. We can implement this with Deny by Default if we create a separate..

22 154 Chapter 4 Sharing Files group Jones containing & Bartlett Students Learning, Minus Freshmen. However, it is easier to create Jones a separate & Bartlett Learn group named Freshmen and create a Deny entry that applies just to Freshmen. It should be easier to move students in and out of the Freshmen group than to maintain a separate Students Minus Freshmen group. Jones & Bartlett Default Learning, File Protection When we create a file, we rarely stop and think about NOT its access FOR rights. SALE We assume OR DISTRIBUTION the file will receive appropriate rights automatically. In practice, we often rely on the file s directory to protect the file for us. In Unix-based systems, new files are assigned a default set of file-protection flags. These flags usually grant the owner full access and provide read-only access to everyone else. If the file is in a private folder, like My Documents, the folder itself is unreadable by others. Even if users are allowed to read the file, they can t actually reach it if they can t retrieve it from its folder. Inherited Rights Systems Jones that support & Bartlett ACLs, Learning, like Apple s OS X, often support an inheritance mechanism for NOT assigning FOR ACLs SALE to new OR files. DISTRIBUTION We assign the ACL we want to a particular folder. When we create new files in that folder, the files receive the inherited ACLs. While this makes ACLs a bit more practical, there are still shortcomings. In OS X, for example, there is no way to assign the inherited ACLs except through typed commands. The mechanism rarely is used in practice. Another problem is that the systems often use static inheritance. If we make any changes to the inherited ACL, we will need to manually propagate the changed ACL to all files in the folder. Mac OS X and other Unix-based systems often provide tools to simplify the problem of changing access rights on a set of files. For example, OS X provides a menu item Apply to enclosed items that applies a folder s access rights to all files and folders it contains. Dynamic ACLs Microsoft Windows 2000 introduced dynamic ACLs that inherit access rights from the enclosing folder. In other words, the files themselves don t really keep their own ACLs. Instead, they use the parent ACL, which is retrieved from their folder. When we create a new file, it simply inherits access rights from the folder in which we save the file. This Jones inheritance & Bartlett is dynamic Learning, because we can change permissions on all files in a folder just NOT by changing FOR SALE permissions OR on DISTRIBUTION the folder itself. As long as the files inside the folder inherit their ACL from the folder, we change all ACLs when we change the folder s ACL. Dynamic ACLs also make it more difficult to establish tailored access rights. According to Deny by Default, we make fewest mistakes when we start with no access rights and then add the ones we need. The inherited rights may include rights we don t want to grant, and then we must disable inheritance before we establish the rights we want. Windows usually applies a global user isolation policy. When we create a file in our own Documents directory, we are generally the only user with access to it. The system..

23 4.4 Microsoft Windows ACLs 155 may grant administrative Jones & access Bartlett to certain Learning, groups and identities as well to support built-in system functions, but regular users are not granted access by default. It can be difficult to grant access to files stored in a user s personal folders. When Bob created his Survey Folder, he placed it on the root directory of his C: drive. This makes it easy for other users to find. The path name is short and simple. This does not pose a security problem as long as Bob restricts the folder s access rights. Bob can t Jones do this & from Bartlett the ACL Learning, display the Properties window (Figure 4.12). Jones He must & Bartlett click on Learning, NOT the FOR Advanced SALE OR button DISTRIBUTION at the bottom to see the Advanced ACL NOT display FOR (Figure SALE 4.14). OR DISTRIBUTION The display shows the default permissions established for the new Survey Folder. The right two columns describe the inheritance; the entire ACL is inherited from the C: drive root. By default, Users and Authenticated Users have broad access rights to the folder. s & Bartlett This Learning, is a problem. Folders created in the root directory Jones of Bob s & Bartlett tower computer Learning, share their contents by default. This grants access to Alice and to any other new users brought in. To set the permissions correctly, Bob must eliminate the undesired rights. He can t simply delete the offending inherited entries and leave other inherited entries in place. He can t deny access to Authenticated Users, since that also denies access to Tina and him. He must disable inheritance on the Survey Files folder to eliminate the unwanted access permissions. Jones He clicks & Bartlett on the button Learning, marked Disable inheritance, located below the Add NOT button. FOR SALE He may OR reenable DISTRIBUTION inheritance by clicking the button again. When Bob clicks the Disable inheritance button, Windows asks him which permissions, if any, it should give to this disinherited folder. He may either convert inherited permissions into explicit permissions, which simply copies the existing permissions, or he may remove all permissions. It is probably safer to convert the permissions and then remove the unwanted ones. If we remove all inherited permissions, we may accidentally hide files or folders from the system and disable useful services like file backups. Bob converts the permissions instead of removing them. Below the inheritance button is a check box about replacing child object permissions. The check box lets us copy existing, inherited permissions to files and folders enclosed in s & Bartlett this Learning, one. This doesn t apply to Bob s situation, since Jones he has & just Bartlett created Learning, an empty folder. R SALE OR There DISTRIBUTION are no files or subfolders. After the system copies the permissions, Bob deletes the rights for Users and Authenticated users. He leaves the rights for SYSTEM and Administrators; it isn t clear which system features will fail if we omit those. We leave system-specific permissions in place unless we have a really compelling reason to remove them. Finally, Bob Jones adds ACL & entries. Bartlett He adds Learning, one for himself, giving him full control. He Jones adds & Bartlett Learn another for the NOT survey FOR group, SALE and OR gives DISTRIBUTION it full control. This yields the ACL in Figure NOT FOR SALE OR DIST New files or folders created in the Survey Folder will inherit this ACL. Though unnecessary, Bob could add a Deny entry for Alice, as illustrated in Figure In either case, the new access rules apply to all files and folders inside the Survey Folder. Jones The & access Bartlett rights Learning, shown a file s Security tab combine both the Jones inherited & rights Bartlett and Learning, NOT any FOR rights SALE we apply OR directly DISTRIBUTION to that file. Inherited rights appear NOT as rights FOR with SALE greyed-out OR DISTRIBUTION boxes either checked or unchecked. If we decide to change the rights of a file, the locally assigned (not inherited) rights appear as solid boxes. 4Sharing Files..

24 156 Chapter 4 Sharing Files Used with permission from Microsoft. Figure 4.15 Jones & Revised Bartlett ACL Learning, for the survey folder. For example, in Figure 4.16 we see the access rights for Everyone. The two greyedout boxes show that Everyone has inherited Read and Read & Execute rights. We s & Bartlett Learning, have also checked the Modify and Write Jones boxes, & Bartlett granting Learning, those permissions to Everyone as well. Thus, Everyone can NOT read, FOR execute, SALE and modify OR DISTRIBUTION the file A Different Trojan Horse Alice hired a new clerk, Eve, who will also create advertising fliers on the computer NOT Bob shares FOR with SALE Alice. OR Bob DISTRIBUTION has created a new login for Eve. Eve took advantage of shared root folders to install a computer game on Bob s computer. Eve told Tina about the game. Tina tried it but didn t enjoy it. Later, however, Bob noticed that confidential files had been copied from the survey folder to the game folder. NOT FOR SALE How did OR this DISTRIBUTION happen? Bob established his access restrictions NOT FOR correctly. SALE His OR computer DISTRIBUTION followed the appropriate Chain of Control while it started up. Why did his information leak out anyway? It can be very hard to track down the cause of such leaks...

25 4.4 Microsoft Windows ACLs 157 4Sharing Files Used with permission from Microsoft. Figure 4.16 Adding to inherited rights in a Windows ACL. s & Bartlett In Learning, this case, we blame it on Eve s computer game. Jones The game & Bartlett contained Learning, a Trojan horse R SALE OR feature DISTRIBUTION that looked in restricted directories and NOT copied FOR whatever SALE files OR the DISTRIBUTION process could find. Nothing happened when Eve or Alice played the game, since they didn t have access to the survey folder. When the game ran from Bob s or Tina s login, it copied every file in the survey folder to the game folder. Trojan horse software illustrates a common shortcoming of file-based access control. When a user runs Jones some & software, Bartlett the Learning, software inherits the user s access rights. If the Jones & Bartlett Learn software wants NOT to steal FOR information SALE OR from DISTRIBUTION the user, then the user might not detect NOT the theft. FOR SALE OR DIST A Trojan Horse Program To understand how Bob s defenses failed, let us look at the file protection. Table 4.5 lists the access rights applied to the sensitive files. Specifically, Bob only granted access to Tina. He specifically didn t grant access to Eve, and he may still be denying access to Alice. Thus, a user logged in as Alice or Eve can t possibly read or write survey files. At least, they can t read or write such files directly...

26 158 Chapter 4 Sharing Files When Tina runs a program, the program starts a process. The process follows the instructions listed in the program, using the access rights belonging to Tina. If the program says, Let s copy files from the survey folder to somewhere else, then the process follows those instructions. Alice or Eve still can t read files in the Survey Folder, but the process creates new copies of those files. Anyone can read those new files. Figure 4.17 shows how the Trojan game works. Within the figure, we divide up the resources Jones into & those Bartlett on the Learning, left, belonging to Tina, and those on the right, Jones belonging & Bartlett Learn to NOT Eve. The FOR arrows SALE and OR the RWX DISTRIBUTION notations indicate the user access NOT rights. FOR Eve SALE OR DIST cannot access the survey folder directly because there is no arrow connecting it to Eve s process. Tina s Resources Eve s Resources Tina s Game Process Jones R-X & Bartlett Learning, Game s Executable File Figure 4.17 RW- RW- RW- Private Spreadsheet Spreadsheet Copy Trojan game copies one of the survey files. TABLE Jones 4.5 & Access Bartlett rights Learning, applied to the stolen files Access Rights for World Effective Access Resources or Other Users Tina s Processes Eve s Processes Survey files RW- Eve s shared game file R-X R-X RWX Jones & Bartlett Copied Learning, survey files RW- RW- Jones & Bartlett RW- Learning, RWX Jones & Bartlett Learn Eve s Process..

27 4.5 Monitoring Cyber System Security 159 Whenever the Jones game starts & Bartlett running, Learning, it activates its Trojan feature. The game looks Jones for & Bartlett Learn files in protected folders, like the survey folder, and copies each one to the games folder belonging to Eve. Once the copying is finished, the game itself starts running. The Trojan feature may cause a slight delay in starting the game, but the delay won t be enough to arouse suspicion. When we run a program, we implicitly trust the program s author to write a program Jones that does & Bartlett us no real damage. Learning, We assume that the author isn t going Jones to insert & malicious Bartlett Learning, NOT features FOR SALE like the one OR that DISTRIBUTION copies Tina s secret files. This implicit NOT trust also FOR extends SALE to OR DISTRIBUTION anyone who has the right to modify a program we run. When Tina runs the game, she trusts Eve not to insert malicious features into that game. Socially, Eve s assumption might be reasonable; people avoid working with others they can t really trust. Transitive Trust: A Basic Principle We use the term Transitive Trust to describe this implicit spreading of trust. If we trust a particular entity to protect our data, then we implicitly trust anyone that the entity trusts. In this case, the surveying company trusts Tina and Bob to keep their bookkeeping data secret. Bob trusts his computer. If we apply Transitive Trust, we see that all implicitly trust Bob s computer s defenses. Bob also implicitly trusts Eve with the bookkeeping NOT data, FOR not SALE realizing OR that DISTRIBUTION his employee, Tina, will run the game NOT that FOR SALE OR DIST Eve owns. Jones 4.5 Monitoring & Bartlett Learning, Cyber System Security This section addresses the final step of our risk management frameworks: monitoring the system for correct and secure operation. There are many ways to monitor a system. The simplest approach is to set up alerts or alarms that occur when something really unusual happens. s & Bartlett For Learning, example, companies that use online banking Jones often & configure Bartlett the Learning, software to send R SALE OR warning DISTRIBUTION messages to cell phones when really large NOT transactions FOR SALE take OR place. DISTRIBUTION Hundreds of public, nonprofit, and private enterprises have had their bank accounts looted by cyber thieves. This type of alert reports all large transactions, making it harder for thieves to attack without detection. Most computing Jones systems & Bartlett also provide Learning, event logging. A typical computer is the proverbial black box: Jones & Bartlett Learn NOT The FOR outside SALE gives few OR clues DISTRIBUTION of what goes on inside. As computers NOT have FOR SALE OR DIST evolved, they have done more and more while displaying less and less. Early computers contained vast arrays of blinking lights, each connected to an internal signal or data item. While these lights provided a great deal of raw data about the computer s behavior, they could only display status and errors at the hardware level. Jones Inside & Bartlett a running program, Learning, the computer produces countless intermediate Jones & results Bartlett we Learning, NOT never FOR see. SALE The final OR result DISTRIBUTION is our focus. We ignore everything else NOT the computer FOR SALE does, OR DISTRIBUTION except for the answers we need. The computer forgets everything else, too, unless we make it keep records... 4Sharing Files

28 160 Chapter 4 Sharing Files Used with permission from Microsoft. Figure 4.18 Windows security event log. Forgetfulness poses a security problem. If an attack occurs, we want to know everything we can about the process that performed the attack. When did it start? Who started it? What was it supposed to be doing? We can t answer those questions unless the computer keeps records of what it does. NOT FOR SALE We call OR those DISTRIBUTION records in a set of files called the event log NOT or the FOR audit SALE trail. While OR DISTRIBUTION filebased access controls provide preventative controls that block security violations, event logging provides detective controls that help us detect security violations we failed to block. Figure 4.18 displays an event log from Microsoft Windows. Catching An Intruder In an ideal world, the security system notifies us immediately when an intruder appears. We receive an alert on a cell phone or a box pops up on the computer display, announcing the problem. Computers can t always provide such clear-cut warnings. Detection is harder when the intruder Jones masquerades & Bartlett as Learning, someone else. If the intruder behaves more or Jones less like & the Bartlett Learn legitimate NOT FOR user, we ll SALE detect OR the DISTRIBUTION intrusion only by looking at larger patterns NOT of FOR behavior. SALE OR DIST We need to analyze the event log. An Incident: In 1986, the astronomy department of the University of California, Berkeley, owned a Unix timesharing system. Computers were expensive back then, and they paid for the machine by charging research projects $300 an hour to use it. The Unix system had a built-in mechanism that kept a log of system events. The department expanded the mechanism so they could calculate the amount of time spent by each project and send monthly bills...

29 4.5 Monitoring Cyber System Security 161 The system Jones seemed & to Bartlett work flawlessly Learning, until the lab manager noticed a 75-cent difference between the amount of computing time used and the amount billed. He told his new lab assistant, Clifford Stoll, to find out why. Stoll appreciated that the 75-cent difference, though small, did not make sense. It indicated a real problem with the system or its accounting. Stoll s research uncovered an intruder who was nicknamed the Wily Hacker. Stoll ultimately tracked him across the 1980s Internet to his home in Germany. Stoll s investigation led him to other computer centers visited by the Wily Hacker, and Stoll s story took most sites by surprise. Few systems actually kept event logs of any kind, and fewer still actually bothered to look at the logs. This was true even of government and military systems the intruder visited. s & Bartlett Typically, Learning, we can detect intruders only if they Jones leave evidence & Bartlett of their Learning, visit. For example, we DISTRIBUTION might find files created while the nominal NOT owner FOR was SALE out of OR town DISTRIBUTION and out of R SALE OR touch. If intruders clean up after themselves, we might have no records at all. Logging gives us a separate record of what happens on our computer so that we can retrace such incidents. Trust, But Verify: A Basic Principle Russian expert Suzanne Massey met several times with U.S. President Ronald Reagan to provide insight on the Russian people. She introduced him to a Russian proverb that in English says Trust, but verify. In other words, if we want to prevent a bad outcome but we can t directly control the relevant events, then we should monitor those events closely instead. Cybersecurity controls can t prevent all bad outcomes. If we lock computers so tightly that they are perfectly safe, they will be perfectly useless. We need to allow a broad range of potentially risky activities. Instead of forbidding such activities, we monitor our systems. We try to detect trouble as soon as it develops. Event logging is an important tool in verifying that things are okay, but it is not the only tool. Many antivirus systems try to automatically scan every file that enters the system, and thus try to prevent a malware-infected file from being installed. But antivirus programs can t monitor every path a file might take into the system. Antivirus programs also run periodic scans to detect malware that somehow entered the system. The antivirus scan verifies that the system contains no recognizable malware. A firewall can play a role Jones in detecting & Bartlett intrusions. Learning, No firewall can block all attacks, but higher performance NOT firewall FOR systems SALE may OR include DISTRIBUTION features to detect intrusions by monitoring network traffic Logging Events An event log is no more or less than a data file. Whenever a significant Jones event & Bartlett takes Learning, place, the system writes a brief description of that event into the NOT log. In FOR practice, SALE most OR DISTRIBUTION systems keep several separate event logs. Each operating system takes its own approach to logging, but many keep separate logs for system events and security events... 4Sharing Files

30 162 Chapter 4 Sharing Files Jones The system & Bartlett log records Learning, the start-up and shutdown of the system itself Jones and of & major Bartlett Learn processes. It also may record the opening and closing of important files or other major system resources. The security log records all major access control requests, like logins, and all access control denials, like password failures or attempts to read protected files. Jones & Bartlett Most systems Learning, also have one or more additional logs for Jones collecting & Bartlett events from Learning, NOT FOR SALE application OR programs. DISTRIBUTION These logs are very important NOT for many FOR organizations, SALE OR because DISTRIBUTION the applications perform business tasks. In a bank, for example, the software that processes account deposits and withdrawals keeps a log of all such transactions. Later, an auditing program compares account balances against the transaction log to verify correctness. A Log Entry When something important (an event) takes place inside a program, the program creates a log entry. The program then passes the log entry to the appropriate event log. A typical log entry contains the following: NOT Time FOR and date SALE of the OR event DISTRIBUTION Source of the event the process or system component that detected it User identity a user associated with the event Type of event what happened, classified into a category of events Jones & Bartlett Event Learning, details these vary with the type of event and Jones the details & Bartlett of the occurrence Learning, NOT FOR SALE Figure OR 4.18 DISTRIBUTION shows the Event Viewer used by Windows NOT to FOR display SALE log entries. OR The DISTRIBUTION left pane of the window gives a choice of several management displays; under Event Viewer it offers to display any of five different event logs. The figure shows the Application log, which reports events from applications. Most are for information, while others report a Warning or Error. The table shows selected columns from each log entry. We may also select a log entry and examine its other contents. A well-written application will produce an event log to keep track of what it does and to report inconsistencies and other unusual events. Many organizations use these logs when they perform an information systems audit. This is a formal review of the system s integrity and of the data it maintains regarding the organization s Jones & business. Bartlett These Learning, audits often occur when auditing a firm s financial Jones & Bartlett Learn condition. NOT FOR Auditors SALE or security OR DISTRIBUTION experts may perform more specific security NOT audits. FOR If SALE the OR DIST system logs keep a record of all significant events, then they provide an audit trail by which an investigator can reconstruct what took place. Jones & Bartlett The Event Logging Learning, Mechanism NOT FOR SALE Figure 4.19 OR shows DISTRIBUTION the major elements of the event logging mechanism. Here are the four steps in logging an event:..

31 4.5 Monitoring Cyber System Security 163 Logging Program process 4Sharing Files Program Program Jones & Bartlett Audit Learning, NOT FOR SALE log OR DISTRIBUTION Log Input Buffer Log viewer Figure 4.19 Event logging in the operating system. 1. A program detects a significant event. The program constructs a log entry to describe the event, and it places it in an input buffer to pass to the logging process. The program then tells the logging process that a new event has Jones & occurred. Bartlett Learning, NOT FOR 2. The SALE logging OR process DISTRIBUTION retrieves the event from the buffer. NOT If so configured, FOR SALE the OR DISTRIBUTION logger may discard less-important events and keep only the more important ones. 3. The logging process writes the events to the log file. Systems may keep separate log files for different purposes. Windows, for example, keeps five separate logs. 4. System administrators use a log viewer to monitor the logs and to discover interesting events or trends. Some systems have automated log monitors. Some administrators study the logs themselves. The first challenge in event logging is to control the amount of information collected. Some programmers like to treat everything that happens as a significant event, and this yields vast numbers of events. As the logs grow larger, it becomes harder to see really important events. Most systems place a limit on the log files size, because they can devour the free space on a hard drive. In practice, we include or exclude events from the log at every point in the logging process. Programmers often include debug settings in their programs that increase or Jones decrease & the Bartlett amount Learning, of logging performed. If the program runs well, Jones we tell & it Bartlett to ignore Learning, NOT more FOR common SALE events. OR DISTRIBUTION If the program has problems, we tell it to NOT report FOR its behavior SALE in OR DISTRIBUTION greater detail...

32 164 Chapter 4 Sharing Files Detecting Jones Attacks & Bartlett By Reviewing Learning, The Logs It isn t NOT enough FOR to SALE just collect OR log DISTRIBUTION entries; we also need to detect and respond NOT to FOR significant SALE OR DIST occurrences. When Berkeley was being visited by the Wily Hacker, they relied on Unix event logs to make researchers pay for their fair share of computing costs. They would not have looked at their logs and detected the Hacker s activities otherwise. The Berkeley event logs did not contain an event record saying The Wily Hacker was here, nor did the logger pop up a message saying Intruder Alert! Cliff Stoll simply NOT FOR SALE knew there OR was DISTRIBUTION a 75-cent anomaly in the logging and NOT accounting FOR records. SALE It OR took DISTRIBUTION a great deal of analysis to suggest the existence of the intruder, and even more investigation to actually find and catch him. Following the exposure of the Wily Hacker and the Morris worm in the late 1980s, s & Bartlett Learning, the U.S. government dispatched teams of Jones experts & to Bartlett assess the Learning, security of government computer systems. The experts took NOT a red team FOR approach: SALE OR They DISTRIBUTION tested security by trying to break into the systems. They succeeded in almost every case. Even worse, they were almost never detected, no matter how obvious they thought they were. Two conditions contributed to the red teams successes. First, most computer systems did not monitor or pay attention to events that might indicate an attack. While some military systems were required to keep event logs, few sites actually did so, and fewer still paid NOT any attention FOR SALE to the OR data DISTRIBUTION they collected. The second condition reflected NOT the FOR poor SALE OR DIST quality of computers at that time; computer behavior was very erratic. If something unusual took place, operators naturally blamed it on software failures. Responsible system administrators no longer ignore logs. Most have tools that Jones & automatically Bartlett Learning, check logs for unexpected patterns and potential Jones problems. & Bartlett A few Learning, have NOT FOR SALE the knowledge OR DISTRIBUTION and insight to analyze the logs themselves. NOT To FOR do this, SALE the administrator OR DISTRIBUTION must have a good understanding of how the system works and what the different log events mean, as well as be familiar with normal event patterns. It takes practice to review event logs effectively. A good way to start is to look at a log and try to find evidence of known activities. For s & Bartlett Learning, example, the Windows log identifies successful Jones and & Bartlett failed login Learning, attempts. If there have been several recent login failures, the NOT log should FOR reflect SALE them. OR If DISTRIBUTION there was trouble while trying to install new software, the log should reflect the errors External Security Requirements Early mainframe computers were staffed with operators. Although the computers often were festooned with hundreds of lights and switches, most operators NOT relied FOR on SALE OR DIST its console display to track the computer s behavior. The console contained a printer, and its printout was called the console log. Every major event that occurred inside the computer was reported on the log. This helped the operators keep the computer Jones & Bartlett running efficiently. Learning, The log also reported security relevant Jones events, & like Bartlett login failures Learning, NOT FOR SALE on a timesharing OR DISTRIBUTION system. As computers shrank in size and cost, vendors eliminated the console and its log. This made the computers cheaper and easier to operate, but it also eliminated a lot of..

33 4.5 Monitoring Cyber System Security 165 information about Jones what & the Bartlett system was Learning, doing. In 1983, the U.S. Department of Defense (DOD) published requirements for trusted operating systems titled Trusted Computer System Evaluation Criteria (TCSEC), often called the Orange Book. One requirement was that operating systems keep a log of security relevant events. This requirement remained when the Orange Book was replaced by a new set of standards called the Common Criteria in Jones The & Orange Bartlett Book Learning, and Common Criteria are examples of standards Jones that & establish Bartlett Learning, NOT cybersecurity FOR SALE requirements, OR DISTRIBUTION including logging requirements. The NOT risk FOR management SALE OR DISTRIBUTION frameworks call for system monitoring, which usually includes event logging. 4Sharing Files Laws, Regulations, And Industry Rules Recent U.S. laws, regulations, and industry rules establish security requirements for computer systems and are listed below. In general, the rules require organizations to monitor their computer systems for intrusions or other misuse; the organizations must provide evidence that they do so. SOX (Sarbanes-Oxley Act), enacted by Congress in 2002, establishes requirements for financial and accounting practices. HIPAA (Health Insurance Portability and Accountability Act), passed in 1996, establishes security standards for certain types of health information. Rules governing HIPAA implementation call for system logging. GLBA (Gramm-Leach-Bliley Act), passed in 1999, requires financial institutions to protect customer information against security threats. FISMA (Federal Information Security Management Act), passed in 2002, requires U.S. government agencies to implement agency-wide information security programs. NIST promotes its Risk Management Framework to comply with FISMA. PCI DSS (Payment Card Industry Data Security Standard) is an industry standard s & Bartlett Learning, followed by everyone who issues and processes Jones credit & Bartlett and debit cards. Learning, One requirement is that organizations track NOT all access FOR to network SALE OR resources DISTRIBUTION and cardholder data. ISO is a family of international standards for information security based on continuous process improvement. The standards call for continuous security monitoring, Jones both to & detect Bartlett security Learning, problems and to assess the effectiveness of Jones the & Bartlett Learn security NOT processes FOR themselves. SALE OR DISTRIBUTION Some, but not all, of these specifically require logging and log monitoring. In practice, effective logging can show that the organization complies with more general security rules. Standards for financial accounting may also persuade an organization to keep logs, Jones and the & logs Bartlett may play Learning, an important role in subsequent financial audits. Jone NOT FOR Many SALE organizations OR DISTRIBUTION set up their logs to meet auditing requirements. NOT FOR Corporations SALE OR DISTRIBUTION routinely hire independent accounting firms to perform annual audits of the company s financial status. The accounting firm must have access to the computers used to process..

34 166 Chapter 4 Sharing Files the corporation s Jones & Bartlett financial data. Learning, The audit process examines cybersecurity Jones measures & and Bartlett Learn uses NOT the logs FOR to verify SALE that OR the DISTRIBUTION measures have been working. Financial audits aren t the only reason a company keeps logs. If a company accepts credit card transactions, the computers that handle those transactions are subject to PCI DSS requirements, and these mandate event logging. If the company has an in-house clinic, its records are covered by HIPAA regulations, which also require security event Jones & logging. Bartlett Learning, External Requirements And The Security Process In the risk management frameworks, we implement security controls based on elements analyzed in earlier steps: requirements, risks, threat agents, and ultimately on the assets we protect. When external requirements oblige us to incorporate particular security measures, we need to include them in NOT the framework. FOR SALE This OR isn t DISTRIBUTION always an easy task. What if our assessment doesn t yield any risks that these requirements address? For example, enterprise-grade Internet firewalls often earn a Common Criteria certification based on a protection profile. The profile places many requirements on the firewall Jones product. & Bartlett Some of Learning, these requirements might not directly address Jones threats & the Bartlett Learn vendor NOT has FOR identified. SALE This OR may DISTRIBUTION be an error on the vendor s part, or the NOT Common FOR SALE OR DIST Criteria evaluation may pose requirements that this particular product doesn t really need. In either case, the vendor must choose between saving money on the product implementation or earning Common Criteria certification. To incorporate these additional requirements, we take one of three approaches: NOT FOR SALE 1. Interpret OR DISTRIBUTION external requirements in the context NOT of our FOR identified SALE risks OR and then DISTRIBUTION combine them with our other security requirements. 2. Analyze as risks any legal or contractual problems that could arise from lacking a certification. s & Bartlett Learning, 3. Treat certifications as assets. We do not want to simply add the NOT external FOR requirements SALE OR to our DISTRIBUTION policy. While this is the easiest way to do the planning and design, it may yield the most risk. For example, the external requirement may call for strong authentication, and the implementation may simply choose a product that a vendor claims will provide strong authentication. This solution Jones may & Bartlett be more expensive Learning, than comparably strong alternatives. Jones Moreover, & Bartlett Learn the NOT strong FOR authentication SALE OR may DISTRIBUTION defend against the wrong types of attacks. The first approach is also the simplest from a practical standpoint: We add to our policy by interpreting these external requirements. This allows us to integrate the external requirements with our strategy to address the threats. This works in situations where we develop a policy based on someone else s risk assessment. Jones & Bartlett The second Learning, approach acknowledges that we face risks Jones if we ignore & Bartlett the external Learning, NOT FOR SALE requirements. OR DISTRIBUTION At some point, every organization makes NOT an explicit FOR SALE or implicit OR assessment DISTRIBUTION of the risks and benefits of complying with external rules. Most organizations make..

35 4.6 Resources 167 decisions on standards Jones and & Bartlett compliance Learning, through a separate decision-making process. Jones A & Bartlett Learn few may perform NOT a FOR single SALE assessment OR that DISTRIBUTION incorporates both security risks with risks NOT of FOR SALE OR DIST noncompliance. In the third approach, certifications of products and processes or regulatory compliance may be treated as assets themselves. This is the best approach when dealing with ISO certifications, since detailed requirements are often tailored to the organization. For Jones example, & Bartlett the organization Learning, may be required to implement processes Jones to track & and Bartlett repair Learning, NOT flaws FOR found SALE in their OR systems, DISTRIBUTION but the details of detecting and tracking NOT flaws FOR will SALE be OR DISTRIBUTION customized to the organization. 4Sharing Files 4.6 Resources IMPORTANT TERMS INTRODUCED administrative group information systems audit audit trail log entry Common Criteria Jones & Bartlett Orange Book Learning, event logging NOT FOR SALE other OR rights DISTRIBUTION file permission flags red team group rights setuid Transitive Trust Trust, but Verify user group user rights NOT ACRONYMS FOR SALE INTRODUCED OR DISTRIBUTION ACL Access control list DOD Department of Defense FISMA Federal Information Security Management Act GLBA Gramm-Leach-Bliley Act s & Bartlett HIPAA Health Learning, Insurance Portability and Accountability Jones & Act Bartlett Learning, R SALE OR PCI DSS Payment DISTRIBUTION Card Industry Data Security NOT Standard FO POSIX Portable Operating System Interface SOX Sarbanes-Oxley Act TCSEC Trusted Computer System Evaluation Criteria UAC User account Jones control & Bartlett Learning, Review Questions R1. Summarize how each of the three Jones tailored & Bartlett file security Learning, policies changes NOT FOR the SALE access rights OR DISTRIBUTION of files under the two default security policies. R2. Explain how Windows home edition ACLs can solve Jones Bob s & security Bartlett Learning, problem...

36 168 Chapter 4 Sharing Files R3. Explain Jones how & Bartlett the user Learning, group R13. Explain how access Jones restrictions & Bartlett on Learn NOT feature FOR of Unix SALE can OR solve DISTRIBUTION Bob s a folder or directory NOT can FOR block SALE a OR DIST security policy problem. user s access to a file, even if the file R4. Explain why it is safer for itself may be readable by that user. administrators to use two different R14. If we create a Windows ACL in accounts when working with a which we Deny all permissions Jones & Bartlett computer. Learning, Explain the difference to Alice, Jones but & we Bartlett Grant Learning, all NOT FOR SALE between OR DISTRIBUTION the two accounts. permissions NOT FOR to SALE everyone, OR does DISTRIBUTION Alice R5. Describe the behavior of sudo on have any access to the file? Unix. When is sudo used? R15. When we create a file, explain how R6. Describe the behavior of the padlock that file acquires its initial ACL s & Bartlett Learning, icon on Apple s OS X. When is the Jones & Bartlett under Windows. Learning, padlock used? NOT FOR R16. SALE If we OR change DISTRIBUTION the ACL for a folder R7. Describe the behavior of user account under Windows, what typically control (UAC) on modern versions of happens to the ACLs for the files Microsoft Windows. In what circumstances Jones does & Bartlett a UAC pop-up Learning, appear? R17. Why is a program containing Jones & a Bartlett Learn within that folder? R8. NOT Summarize FOR SALE the behavior OR DISTRIBUTION of Unix Trojan considered NOT malicious? FOR SALE OR DIST file-permission flags. Identify the sets R18. Explain how a Trojan program can of users that such permissions can make secret data belonging to one control and what access rights are user visible to another user. enforced for each set. R19. Give an example of Transitive R9. Explain how Unix-like systems decide Trust. Explain who trusts whom which of its three sets of access rights and why. to apply when a particular user s R20. Describe the typical contents of an process opens a file. entry in an event log. R10. List the columns that we need to R21. Describe the typical steps taken to s & Bartlett Learning, provide when describing security Jones & Bartlett log an event. Learning, controls implemented with Unixstyle permission flags. and industry standards that lead NOT FOR R22. SALE Summarize OR DISTRIBUTION some laws, regulations, R11. Describe the basic features of an systems to maintain event logs. access control list. R23. Explain three ways to incorporate R12. Jones Compare & the Bartlett access rights Learning, external security requirements Jones & Bartlett Learn NOT established FOR SALE in Figure OR 4.3 DISTRIBUTION with into the six-phase NOT security FOR SALE OR DIST those established in Figure 4.2. process Exercises E1. This may be most appropriate as an in-class exercise. Form teams of three or more class members with user names (for example, users A, B, C, and D). Find shared hard NOT drive space FOR that SALE is accessible OR DISTRIBUTION by all team members. Then do the following:..

37 4.6 Resources 169 Team Jones members & should Bartlett Learning, Set access rights for this folder Jones & Bartlett Learn individually NOT FOR create SALE folders OR that DISTRIBUTION to allow execute or search are accessible to no other team access by the second user members through Deny by ( User 2 ), but grant no read Default. Remove inherited access access. rights if needed to achieve this. Create one or two wordprocessing Jones files inside & Bartlett that Learning, Jones & Each Bartlett team Learning, member should NOT FOR SALE create a OR single DISTRIBUTION word-processing computer. file and store it in the new Log in as User 2 and answer the following folder. The name of the file questions about attempts to access the files. should be his or her user name: s & Bartlett Learning, A creates A.doc, B creates Jones a. Try & Bartlett to display Learning, the new folder. B.doc, and so on. Make these NOT FOR What SALE happens? OR DISTRIBUTION files readable by the World. b. Open the word-processing A should add read/search access program. Tell it to open one of rights to its folder for B, B User 1 s new files. Instead of should add rights for C, and browsing through folders to C for D, and so on. Be sure find the file, start from the root that NOT no other FOR access SALE rights OR are DISTRIBUTION of the hard drive and type in the granted to team members for file s full path name. Describe accessing the individual folders. what happens. Without changing access rights c. Log in as User 1 and remove the Jones & or Bartlett moving Learning, the word-processing search Jones or execute & Bartlett right Learning, NOT FOR SALE files outside OR DISTRIBUTION of these original from the NOT folder. FOR Log SALE back in OR as DISTRIBUTION folders, each student should User 2 and again open the copy other team members word-processing program. Tell files into his or her own folder. the word processor to open the Repeat this until each student file. Start from the root of the has a copy of all team members hard drive, and type in the file s files. NOT FOR full SALE path name. OR DISTRIBUTION What happens? Describe how this took place. E3. In Section 3.7.2, a set of problems examine a scenario in which Riko E2. Create two separate user identities is writing a program for Bob. The on your Jones system. Both & Bartlett should be Learning, program is to be protected according regular, NOT nonadministrative FOR SALE OR users. DISTRIBUTION to the security policy given NOT in FOR SALE OR DIST (You may use existing regular user identities for this.) Log in as one Table 3.8. Answer the following questions based on that scenario. of the users (we ll call it User 1 ) and do the following: a. Use Unix permission flags to provide security controls for NOT FOR SALE Create OR a folder DISTRIBUTION on the hard Riko s NOT file. Make FOR the SALE list of OR DISTRIBUTION drive. Put it in a place that all users can reach. permissions in the format of Table Sharing Files

38 170 Chapter 4 Sharing Files Jones b. Make & a Bartlett list of the Learning, advantages in in Figures 4.15 and Jones 4.16, create & Bartlett Learn NOT FOR solving SALE this problem OR DISTRIBUTION with Unix a survey folder that NOT shares FOR files SALE OR DIST permission flags versus using between two users. Capture and Windows professional ACLs. save or print out each window that Which would you prefer? Why? pops up as you set up the correct c. Make a list of the advantages access situation. Explain each Jones & Bartlett in Learning, solving this problem with step Jones you take & and Bartlett what happens. Learning, NOT FOR SALE OR Windows DISTRIBUTION professional ACLs NOT After setting FOR up SALE the appropriate OR DISTRIBUTION versus using Windows home ACL on the folder, create a file in edition ACLs. Which would the folder. Use the Advanced you prefer? Why? display (as in Figure 4.16) to show s & Bartlett Learning, the ACL inherited by the newly E4. Apply Transitive Trust to a created file. computer you use. Identify E6. Locate the event log on your own organizations that you implicitly computer. Examine the log and trust, particularly the hardware locate events caused by a recent and software vendors that provide action of yours (logging in, for Jones the programs & Bartlett you run Learning, on your example). Print out Jones that part & of Bartlett Learn NOT computer. FOR SALE Also note OR any DISTRIBUTION users who can modify programs you would typically use, including administrative users. E5. (Windows Professional only) Following the example described the log, highlighting the entries caused by your behavior. Explain why you believe the log entry reflects your own action...