ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)


Page 1: ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)

5/1/2007 okhaleel / ENforCE 1

ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)

Osama Khaleel, Thesis Defense, May 2007
Master of Science in Computer Science
University of Colorado, Colorado Springs

Committee Members: Dr. Edward Chow (Chair), Dr. Terry Boult, Dr. Xiaobo Zhou

Page 2

Thesis Defense Outline

- Intro & Background
- Design
- Implementation
- Performance Analysis
- Lessons Learned
- Future Work
- Contribution
- Demo
- Q & A

Page 3

Introduction

- Roles in any organization are hierarchical by nature.
- Resources in any organization vary: from a simple HTML web page to RDP/SSH access, through which a user can gain full control of a machine.
- The mission becomes more complicated when users should access resources securely and based on their ROLES.
- Password-based protection falls far short of satisfying high-level security requirements.

Page 4

Sample organization used throughout the deck: roles, users, and the resources each role accesses directly. Entries of the form "service IF (role)" are conditional on an active session of the named senior role(s) (see the CASA slides).

ROLE               | NAME            | DIRECT ACCESS
CEO                | PAM ZALABAK     | Admin Tool
CFO                | BRIAN BURNETT   | Finance-Mgmt, SSH, MySQL
Project Manager    | TERRY BOULT     | Projects-Manager, RDP
IT Manager         | KATE TALLMAN    | Resource-Manager, Passwords-Reset
Sales Manager      | JIM TIDWELL     | Sales-Write
Accounting Manager | JULIE BREWSTER  | Finance-Write
Network Admin      | EDWARD CHOW     | VLAN-Manager, SSH
Database Admin     | XIAOBO ZHOU     | MySQL Interface, MySQL, SSH IF (ITMgr & CEO)
Developer          | OSAMA KHALEEL   | Reports-Submission, RDP IF (ProjMgr)
Engineer           | BILL KRETSCHMER | Engineer-update-Read
Accountant         | AMIE WOODY      | View-Orders, MySQL IF (ANY)
Salesman           | LEVI GRAY       | Sales-Read

Page 5

Background

- Authentication: Public Key Certificate (PKC), Certificate Authority (CA), Certificate Revocation List (CRL); grouped on the slide as Public Key Infrastructure (PKI)
- Authorization: Attribute Certificate (AC), Attribute Authority (AA); grouped on the slide as Privilege Management Infrastructure (PMI)
- Role-Based Access Control (RBAC): Core, Hierarchical; grouped on the slide under Policy Engine
- eXtensible Access Control Markup Language (XACML): Policy Enforcement Point (PEP), Policy Decision Point (PDP); grouped on the slide under Policy Engine
- Active Directory (AD) [store certificates]
- ISAPI Filter [secure web-resource access]
- ASP.NET Application File (Global.asax) [secure net-resource access]
- Iptables [system firewall]

Page 6

RBAC: a mechanism/model for restricting access based on the role of authorized users.
- Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
- Hierarchical: an enhancement to the core, in which senior roles inherit permissions from more junior roles.

XACML: an XML-based OASIS standard that describes:
- A policy language
- A request/response language

The three main components in XACML are Rule, Policy, and PolicySet.

The XACML RBAC profile has two main components:
- Permission PolicySet (PPS)
- Role PolicySet (RPS)

One PPS and one RPS for each defined role.

Page 7

PPS: defines the Policies and Rules needed for the permissions associated with a certain role. It contains a set of PPS references, using <PolicySetIdReference>, to inherit permissions from the more junior role associated with each referenced PPS.

RPS: defines the role name and includes ONLY one PPS reference, to associate this role with its permissions as defined in the corresponding PPS.

Example (the MatchId and DataType values are abbreviated on the slide; the full XACML identifiers are urn:oasis:names:tc:xacml:1.0:function:regexp-string-match, urn:oasis:names:tc:xacml:1.0:function:string-equal and http://www.w3.org/2001/XMLSchema#string, and the combining-algorithm attributes are omitted):

  <PolicySet PolicySetId="CFOPermissions">
    <Policy PolicyId="PolicyForCFORole">
      <Rule RuleId="FinanceManagementRule" Effect="Permit">
        <Target>
          <Subjects> <AnySubject/> </Subjects>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="function:regexp-string-match">
                <AttributeValue DataType="string">https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue>
              </ResourceMatch>
            </Resource>
          </Resources>
        </Target>
      </Rule>
    </Policy>
    <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
    <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
  </PolicySet>

  <PolicySet PolicySetId="RPS:CFO">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="function:string-equal">
            <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
            <AttributeValue DataType="string">CFO</AttributeValue>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
  </PolicySet>
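The PPS/RPS layout above can be exercised with a small resolver. The following Python is an added example, not code from the thesis or its Java policy engine: it parses a constructed policy set that follows the slide's structure (abbreviated MatchId and DataType values, as on the slide), maps each RPS to its single PPS, follows <PolicySetIdReference> links transitively so that a senior role inherits its juniors' Permit rules, and answers a (role, URL) request. The CFO/SalesMgr/AccMgr policy sets, the resource patterns and the use of the slide's "RPS:" id prefix to recognise role policy sets are assumptions made for the example.

```python
"""Hierarchical XACML RBAC resolution (added example, not thesis code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample policies in the slide's PPS/RPS layout. Identifiers are
# shortened exactly as on the slide; a real policy uses the full OASIS URNs.
POLICY_XML = """<Policies>
 <PolicySet PolicySetId="SalesMgrPermissions">
  <Policy PolicyId="PolicyForSalesMgrRole"><Rule RuleId="SalesWriteRule" Effect="Permit">
   <Target><Subjects><AnySubject/></Subjects><Resources><Resource>
    <ResourceMatch MatchId="function:regexp-string-match">
     <AttributeValue DataType="string">https://ncdcrx3.uccs.edu/sales/.*</AttributeValue>
    </ResourceMatch></Resource></Resources></Target></Rule></Policy>
 </PolicySet>
 <PolicySet PolicySetId="AccMgrPermissions">
  <Policy PolicyId="PolicyForAccMgrRole"><Rule RuleId="FinanceWriteRule" Effect="Permit">
   <Target><Subjects><AnySubject/></Subjects><Resources><Resource>
    <ResourceMatch MatchId="function:regexp-string-match">
     <AttributeValue DataType="string">https://ncdcrx3.uccs.edu/financial/orders/.*</AttributeValue>
    </ResourceMatch></Resource></Resources></Target></Rule></Policy>
 </PolicySet>
 <PolicySet PolicySetId="CFOPermissions">
  <Policy PolicyId="PolicyForCFORole"><Rule RuleId="FinanceManagementRule" Effect="Permit">
   <Target><Subjects><AnySubject/></Subjects><Resources><Resource>
    <ResourceMatch MatchId="function:regexp-string-match">
     <AttributeValue DataType="string">https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue>
    </ResourceMatch></Resource></Resources></Target></Rule></Policy>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
 </PolicySet>
 <PolicySet PolicySetId="RPS:CFO">
  <Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal">
   <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
   <AttributeValue DataType="string">CFO</AttributeValue>
  </SubjectMatch></Subject></Subjects></Target>
  <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
 </PolicySet>
 <PolicySet PolicySetId="RPS:SalesMgr">
  <Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal">
   <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
   <AttributeValue DataType="string">SalesMgr</AttributeValue>
  </SubjectMatch></Subject></Subjects></Target>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
 </PolicySet>
</Policies>"""


def load_policy_sets(xml_text):
    """Index every <PolicySet> by its PolicySetId."""
    root = ET.fromstring(xml_text)
    return {ps.get("PolicySetId"): ps for ps in root.findall("PolicySet")}


def role_to_pps(policy_sets):
    """Map each role named in an RPS to the single PPS that RPS references.

    The "RPS:" prefix is the slide's naming convention, used here as the marker."""
    mapping = {}
    for ps_id, ps in policy_sets.items():
        if not ps_id.startswith("RPS:"):
            continue
        role = ps.find("./Target/Subjects/Subject/SubjectMatch/AttributeValue").text.strip()
        refs = [r.text.strip() for r in ps.findall("PolicySetIdReference")]
        if len(refs) != 1:
            raise ValueError(f"{ps_id}: an RPS must reference exactly one PPS")
        mapping[role] = refs[0]
    return mapping


def permitted_patterns(policy_sets, pps_id, seen=None):
    """Resource regexes of a PPS's Permit rules plus, transitively, those of every junior PPS it references."""
    seen = set() if seen is None else seen
    if pps_id in seen:          # a malformed policy with a reference cycle must not recurse forever
        return []
    seen.add(pps_id)
    pps = policy_sets[pps_id]
    patterns = []
    for rule in pps.findall("./Policy/Rule"):
        if rule.get("Effect") != "Permit":
            continue
        for av in rule.findall("./Target/Resources/Resource/ResourceMatch/AttributeValue"):
            patterns.append(av.text.strip())
    for ref in pps.findall("PolicySetIdReference"):
        patterns.extend(permitted_patterns(policy_sets, ref.text.strip(), seen))
    return patterns


def decide(policy_sets, role, url):
    """'Permit' if the role, or a junior it inherits from, has a matching Permit rule; otherwise 'Deny'."""
    pps_id = role_to_pps(policy_sets).get(role)
    if pps_id is None:
        return "Deny"           # unknown role: fail closed
    for pattern in permitted_patterns(policy_sets, pps_id):
        if re.fullmatch(pattern, url):   # anchored match; see the note below
            return "Permit"
    return "Deny"


POLICY_SETS = load_policy_sets(POLICY_XML)

if __name__ == "__main__":
    for role, url in [("CFO", "https://ncdcrx3.uccs.edu/sales/q1.aspx"),
                      ("SalesMgr", "https://ncdcrx3.uccs.edu/financial/finMgmt.aspx")]:
        print(role, url, decide(POLICY_SETS, role, url))
```

The resolver fails closed on an unknown role, guards against reference cycles, and matches the resource pattern with fullmatch. An unanchored, find-style match would also permit any URL that merely contains the pattern, so patterns in a production policy should be anchored explicitly rather than relying on the evaluator.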

Page 8

Design Design

By taking advantage of the concepts and technologies just mentioned, the goal is to build a structure/engine that provides:
- Authentication
- Authorization
- Secure access based on users' ROLES
- Protection for ANY type of resource
- Fine-grained control based on active sessions
- A PKI & PMI management tool

Page 9

ENforCE Test-Bed

[Network diagram] Local side: a Windows XP machine, a Win2003 IIS machine and a Win2003 DC on a local switch (the addresses 10.0.0.10, 10.0.0.11, 10.0.0.12 and 10.0.0.13 appear on this side), behind a Fedora Core 4 gateway/firewall at 10.0.0.1. Public side: the addresses 128.198.162.50, 128.198.162.51, 128.198.162.52 and 128.198.162.53 on the main switch.

Page 10

ENforCE "Big Picture"

[Architecture diagram] Components: the user; IIS Authentication with the ISAPI filter in front of the protected web resources; the Global.asax ASP.NET application in front of the protected network resources; the Policy Enforcement Point; the Policy Decision Point holding the RPS and PPS; the Domain Controller / Active Directory; the session policy source; and the FC4 machine (firewall) running the Iptables Control Daemon. Flows: User Request -> Http request -> Get User's AC (from Active Directory) -> GetDecision (PDP) -> Permit/Deny -> XML response -> Permit/Deny access. For network-resource access the PEP additionally checks the session policy and sends Open/Close commands to the Iptables Control Daemon.

Page 11

Implementation

Two types of access:
- Web-based resources (http://ncdcrx3.uccs.edu)
- Network-based resources (http://ncdcrx4.uccs.edu)

Web resources: accessed directly through IIS using https (port 443).

Network resources:
- Activate a web session first.
- ENforCE will open the firewall for the specified service.
- Physically access the service through the firewall.
- Service port varies (e.g. SSH: 22, RDP: 3389).

Components:
- ISAPI Filter: enforces web-resource access (C/C++ - MFC)
- Global.asax: enforces net-resource access (C#/ASP.NET)
- Policy Engine: PEP, PDP, Policy, RBAC (XACML - Java)
- Firewall Daemon: updates Iptables rules (Java - JSSE)

Page 12

Web resources (ISAPI)

[Sequence diagram] Participants: IIS (IIS Authentication and the ISAPI filter), the Policy Enforcement Point, the Policy Decision Point, the Domain Controller / Active Directory, and the protected web resources. Steps:
1) Web request
2) Http request with attributes
3) Get User's AC
4) Get Decision
5) XML response with decision
6) Permit/Deny access

Page 13

Network resources (Global.asax)

[Sequence diagram] Participants: IIS (IIS Authentication and the Global.asax ASP.NET application), the Policy Enforcement Point, the PDP, the DC / AD, the session policy source, the FC4 machine (firewall) running the Iptables Control Daemon, and the protected network resources. Steps:
1) Request a session
2) Http request with attributes
3) Get User's AC
4) Get decision
5) Check session policy
6) Open/Close commands
7) XML response with decision
8) Physically access the services

Page 14

Requests to PEP

1) From ISAPI (access a web resource):
   http://localhost:8080/sispep/servlets/sispep?
   subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
   URL=https://ncdcrx3.uccs.edu/it/img.jpg &
   method=GET &
   service=web

2) From Global.asax (open a network resource):
   http://localhost:8080/sispep/servlets/sispep?
   subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
   URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   service=ssh &
   IP=128.198.55.11 &
   sessionID=23hjhY43 &
   action=open

3) From Global.asax (close a network resource):
   http://localhost:8080/sispep/servlets/sispep?
   subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
   URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   service=ssh &
   IP=128.198.55.11 &
   sessionID=23hjf73G2 &
   action=close

Page 15

Conditional Active-Session Access (CASA)

Idea: a junior role can ONLY access a network resource IF its senior role has an active session for that resource.

Why? To add finer access control.
How? The PEP maintains a table. An entry looks like this (session ID, role, subject, resource URL, client IP, as laid out on the slide):

  29gY3k0*ssh | Engineer | Subject | https://ncdcrx4.uccs.edu/ssh/net.aspx | 128.198.162.50

The PEP reads an XML policy file (the session policy). The session policy file supports 3 cases:
1) A CERTAIN senior role is required
2) ANY senior role is required (NOT including itself)
3) N senior roles are required

  <Service name="SSH"> <Senior>ProjectMngr</Senior> <Junior>Developer</Junior> </Service>
  <Service name="MySQL"> <Senior>ANY</Senior> <Junior>Accountant</Junior> </Service>
  <Service name="SSH"> <Senior>ITManager</Senior> <Junior>DBAdmin</Junior> </Service>
  <Service name="SSH"> <Senior>CEO</Senior> <Junior>DBAdmin</Junior> </Service>

Page 16

CASA (cont'd)

The PEP reads the session policy file and creates two things:

1) Hierarchical-Role tree
   To answer: is Role A senior to Role B?

2) Session Policy Table
   To decide: for the requested service, is the junior's access constrained by the senior's?

   Service | Senior : Junior
   SSH     | CFO : Sales Mngr; ANY : Developer
   RDP     | CEO : DB Admin; ITMngr : DB Admin
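Slides 13 to 16 describe how the PEP keeps a session table and conditions a junior role's network access on its seniors' active sessions. The Python below is an added example, not the thesis's PEP code: it parses a constructed session policy in the slide's <Service>/<Senior>/<Junior> format, answers "is A senior to B?" over a role tree, and implements the three CASA cases on "open" and the table update on "close". The HIERARCHY dict is an assumed shape for the roles listed on slide 4 (the thesis builds its tree from its own policy files), and the Session fields follow the columns read off slide 15.

```python
"""Conditional Active-Session Access (CASA) check (added example, not thesis code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed session policy in the slide's format: the slide's four entries,
# with the junior spelled consistently as "DBAdmin".
SESSION_POLICY_XML = """<SessionPolicy>
  <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
  <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
  <Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
  <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
</SessionPolicy>"""

# Assumed senior -> direct juniors relation for the roles on slide 4.
HIERARCHY = {
    "CEO": ["CFO", "ProjectMngr", "ITManager"],
    "CFO": ["SalesMngr", "AccMngr"],
    "ProjectMngr": ["Developer"],
    "ITManager": ["NetworkAdmin", "DBAdmin"],
    "Developer": ["Engineer"],
    "AccMngr": ["Accountant"],
    "SalesMngr": ["Salesman"],
}


def _norm(service):
    return service.strip().lower()      # "SSH" in the policy, "ssh" in PEP requests


@dataclass
class Session:
    session_id: str
    role: str
    subject: str
    service: str
    client_ip: str


def parse_session_policy(xml_text):
    """(service, junior) -> the seniors that must each hold an active session.

    A single named senior is case 1, "ANY" is case 2, and several entries for
    the same (service, junior) accumulate into case 3 (N seniors required)."""
    table = {}
    for svc in ET.fromstring(xml_text).findall("Service"):
        key = (_norm(svc.get("name")), svc.findtext("Junior").strip())
        table.setdefault(key, []).append(svc.findtext("Senior").strip())
    return table


def is_senior(hierarchy, senior, junior):
    """True if `senior` sits above `junior` in the role tree, however many levels apart."""
    stack, seen = list(hierarchy.get(senior, [])), set()
    while stack:
        role = stack.pop()
        if role == junior:
            return True
        if role not in seen:
            seen.add(role)
            stack.extend(hierarchy.get(role, []))
    return False


class SessionPEP:
    """Minimal PEP session table: open() applies the CASA check, close() drops the entry."""

    def __init__(self, policy_xml, hierarchy):
        self.policy = parse_session_policy(policy_xml)
        self.hierarchy = hierarchy
        self.sessions = {}      # session_id -> Session

    def casa_allows(self, service, role):
        required = self.policy.get((_norm(service), role))
        if required is None:
            return True         # no entry: this role's access is not conditioned on anyone
        active = {s.role for s in self.sessions.values() if _norm(s.service) == _norm(service)}
        for senior in required:
            if senior == "ANY":     # case 2: any senior of `role`, never `role` itself
                if not any(r != role and is_senior(self.hierarchy, r, role) for r in active):
                    return False
            elif senior not in active:   # cases 1 and 3: every named senior must be active
                return False
        return True

    def open(self, session):
        if session.session_id in self.sessions:
            return "Deny"       # a live session id must not be reused
        if not self.casa_allows(session.service, session.role):
            return "Deny"
        self.sessions[session.session_id] = session
        return "Permit"

    def close(self, session_id):
        """Remove the entry; the matching firewall rule would be closed alongside it."""
        return self.sessions.pop(session_id, None) is not None
```

open() returns the same Permit/Deny words the PEP's XML response carries on the slides; a Deny on open means the firewall daemon is never asked to open a port for that session, and close() is what Session_End should trigger so that the senior's expiry also ends the junior's conditional access on the next check.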

Page 17

Code Highlights (1)

ISAPI Filter: should define 2 functions:

GetFilterVersion(): register event notifications
  pVer->dwFlags = SF_NOTIFY_SECURE_PORT | SF_NOTIFY_AUTH_COMPLETE;

HttpFilterProc(): put the actual code that will be executed:
- Intercept URL:
  pfc->GetServerVariable(pfc, "URL", reqUrlBuf, &bufSize);
- Intercept request method:
  pfc->GetServerVariable(pfc, "REQUEST_METHOD", methBuf, &bufSize2);
- Intercept user's PKC:
  pfc->ServerSupportFunction(pfc, HSE_REQ_GET_CERT_INFO_EX, &ccex, dwSize);
- Submit a request to the PEP:
  HttpFile = (CHttpFile*) pHttpSession.OpenURL(pepUrl);
- Parse the XML response:
  CMarkup xml; and use this object to traverse the XML response.

Page 18

Code Highlights (2)

Global.asax:

Application_BeginRequest()
- User's PKC: Request.ClientCertificate.Subject;
- URL: Request.Url.AbsoluteUri;
- IP: Request.ServerVariables["REMOTE_ADDR"];

Application_AcquireRequestState()
  Session.Timeout = 1; // in minutes
  srvSessionID = Session.SessionID;
  uri = new Uri(PolicyEnforcementPointUrl);
  webReq = WebRequest.Create("PEPURI");
  PEPResponse = webReq.GetResponse();
  if (!Permit)
      Response.Redirect("Error Page");

Session_End()
  Similar to Application_AcquireRequestState()'s code, but the action is "close".

Page 19

Code Highlights (3)

Iptables Daemon:

- Create SSL context:
  sslctx = SSLContext.getInstance("TLSv1", "SunJSSE");
- Define keystores:
  PEPstore = KeyStore.getInstance("JKS", "SUN");
  PEPtrust = KeyStore.getInstance("JKS", "SUN");
- Define & init the trusted keystore:
  TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
  tmf.init(PEPtrust);
- Define & init the owned keystore (for the private key):
  KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
  kmf.init(PEPstore, keypass);
- Init the SSL context:
  sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
  SSLServerSocketFactory ssf = sslctx.getServerSocketFactory();
- Init the SSL server socket:
  secSock = (SSLServerSocket) ssf.createServerSocket(9876);
  secSock.setNeedClientAuth(true);
- Execute commands on the Fedora Core OS:
  rt = Runtime.getRuntime();
  rt.exec("cmd1");
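The daemon above executes commands it receives over the client-authenticated TLS socket, derived from the request fields shown on slide 14 (service, IP, sessionID, action). The Python below is an added example, not the thesis's Java daemon: it shows the validation a firewall controller should perform before any command is formed, parsing the slide-14 query string, checking the service against a port allowlist, parsing the client IP as an address, and producing an argv list rather than a shell string. SERVICE_PORTS (MySQL's 3306 is assumed; SSH and RDP ports are from slide 11), the FORWARD chain and the rule shape are assumptions for the example.

```python
"""Request validation for a firewall control daemon (added example, not thesis code)."""
import ipaddress
import subprocess
from urllib.parse import parse_qs

# Allowlist of services the daemon may open and their TCP ports.
SERVICE_PORTS = {"ssh": 22, "rdp": 3389, "mysql": 3306}
# "open" inserts an ACCEPT rule; "close" deletes the identical rule.
ACTIONS = {"open": "-I", "close": "-D"}
REQUIRED_FIELDS = ("subject", "URL", "service", "IP", "sessionID", "action")


def parse_net_request(query):
    """Parse the query string Global.asax sends to the PEP (slide 14 format).

    Every required field must appear exactly once; strict_parsing makes a
    malformed pair raise instead of being silently dropped."""
    fields = parse_qs(query, strict_parsing=True)
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    repeated = [k for k, v in fields.items() if len(v) != 1]
    if repeated:
        raise ValueError(f"repeated parameters: {repeated}")
    return {k: fields[k][0] for k in REQUIRED_FIELDS}


def build_iptables_rule(action, service, client_ip, chain="FORWARD"):
    """Return the iptables argv for one open/close command.

    Each request field is checked against an allowlist or parsed into a typed
    value before use, and the result is an argv list, so no request text is
    ever interpolated into a shell command line."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    port = SERVICE_PORTS.get(service.lower())
    if port is None:
        raise ValueError(f"service {service!r} is not in the allowlist")
    ip = ipaddress.ip_address(client_ip)    # ValueError on anything that is not an address
    if ip.version != 4:
        raise ValueError("the test-bed only routes IPv4 clients")
    return ["iptables", ACTIONS[action], chain, "-p", "tcp", "-s", str(ip),
            "--dport", str(port), "-j", "ACCEPT"]


def handle_request(query):
    """Validate a PEP request and return the iptables argv it translates to."""
    req = parse_net_request(query)
    return build_iptables_rule(req["action"], req["service"], req["IP"])


def is_rejected(action, service, client_ip):
    """True when build_iptables_rule refuses the request (exercises the allowlist)."""
    try:
        build_iptables_rule(action, service, client_ip)
    except ValueError:
        return True
    return False


def apply_rule(argv, run=subprocess.run):
    """Execute the argv without a shell (the slide's daemon uses Runtime.exec for this step)."""
    return run(argv, check=True)


if __name__ == "__main__":
    # Constructed request in the slide-14 "open" format.
    sample = ("subject=CN=Edward Chow, C=US, S=CO, OU=Computer Science"
              "&URL=https://ncdcrx4.uccs.edu/ssh/session.aspx&service=ssh"
              "&IP=128.198.55.11&sessionID=23hjhY43&action=open")
    print(handle_request(sample))
```

Because the daemon only ever sees argv lists built from allowlisted values, a client that can reach the TLS port but sends an unexpected service name, a malformed address or a repeated parameter gets a ValueError and no rule change; the client certificate check on the socket and this validation are independent layers.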

Page 20

Performance Analysis (unit: ms)

Web resources (ISAPI)

Resource       | Retrieve AC from AD | PDP decision | Total request time
Finance Mgmnt  | 5.4750 | 3.0345  | 10.3476
Sales Write    | 6.2864 | 4.3872  | 13.7203
Posting orders | 6.9820 | 4.92345 | 13.8433
View orders    | 5.1734 | 4.1093  | 11.7390

Network resources (Global.asax): new session

Resource | Retrieve AC from AD | PDP decision | CASA decision | Firewall update | Total request time
SSH      | 5.8730 | 3.8264 | 2.3654 | 15.5093 | 29.4374
RDP      | 5.7639 | 4.9276 | 3.1093 | 17.1204 | 32.2841
MySQL    | 6.1927 | 3.1043 | 2.5831 | 14.7627 | 30.6392

Network resources (Global.asax): session refresh

Resource | Retrieve AC from AD | PDP decision | CASA decision | Total request time
SSH      | 6.8093 | 4.3298 | 3.9485 | 20.5912
RDP      | 7.7602 | 3.8749 | 2.2037 | 20.5382
MySQL    | 6.3175 | 3.7829 | 2.5582 | 19.7045

Page 21

Lessons Learned

- It is not a good idea to use too many packages with different programming languages in one component (i.e. the Admin tool).
- At the very beginning, I tried to use a package called "CryptLib" [59] to create ACs, but it didn't work.
- I tried to use an HttpModule, but it turned out that it is triggered by aspx pages and can handle request-level events only. On the other hand, ISAPI filters and Global.asax were very good choices to go for:
  - ISAPI is very fast and works with any type of files.
  - Global.asax has the ability to deal with session and application level events.
- Don't start implementing something from scratch unless you have spent sufficient time to do research about it and to make sure that it does not already exist.
- Generally speaking, it is really a good thing that a developer does not limit him/herself to a certain programming language or technology.
- In fact, when I started working on this thesis, I only knew Java and some security related things, so it took me some time to teach myself the required stuff to get this work done.
- Now anyone who reads about this thesis can see that Java, C#, ASP.NET, JSP, C/C++, XACML, Iptables, X509 certificates, ISAPI filters, OpenSSL, Tomcat, IIS, and Active Directory have been used. It wasn't easy though!

Page 22

Future Work

- Extend the system to work in a multi-agency environment.
- Develop more services that can take advantage of the existing RBAC architecture. For instance:
  - RBAC E-Voting: users can vote based on their roles.
  - RBAC Instant Messenger: users can chat based on their roles.
  - RBAC E-Mail: users can send e-mails based on their roles.
  - RBAC XXX and so on…
- Support more operating systems (Mac, Solaris …).
- Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
- Support wireless access.

Page 23

Thesis Contributions

- Provide an architecture for small-to-mid-sized (potentially large-scale) companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
- Extend XACML's implementation to handle the Hierarchical Role-Based Access Control (HRBAC) model.
- Add a new concept of secure access in which a senior role can restrict its junior role's access using active sessions.
- Enhance IIS 6.0 with two components: ENforCE-ISAPI Filter and ENforCE-Global.asax.
- Simplify PKI and PMI management, therefore reducing management cost and errors.
- Filed an Invention Disclosure with CU TTO.

Page 24

ENforCE Demo

Q & A

For References and more details, please refer to the Thesis report:

http://cs.uccs.edu/~gsc/pub/master/okhaleel/doc/osamaThesisReport.doc

Page 25

Authentication: the process in which someone provides some kind of credentials to prove his or her identity.

CA: a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate is really who he or she claims to be.

PKC: a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.

CRL: a list signed by the issuing CA that contains the serial numbers of the revoked certificates.

Authorization: the process that is used to determine whether the subject has the required permissions to access some protected resources.

AC: a digitally signed document that binds a set of attributes, like membership, role, or security clearance, to the AC holder.

AA: a trusted third party that is responsible for issuing, maintaining, and revoking ACs.

Page 26

AD: a distributed directory service included in Windows Server 2000/2003.
- Microsoft's implementation of LDAP.
- Used to store and manage all information about network resources across the domain: computers, groups, users, …

ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS.
- Powerful: they can modify both the incoming and the outgoing data stream for EVERY request.

Global.asax: a file that resides in the root directory of the ASP.NET application.
- Contains code to handle application-level and session-level events raised by ASP.NET.

Iptables: a generic table structure for defining a set of rules to deal with network packets.
- Rules are grouped into chains.
- Chains are grouped into tables.
- Each table is associated with a different kind of packet processing.