MSEI-021
Introduction to Information Security
Indira Gandhi National Open University
School of Vocational Education and Training

Block 4
Operating System Concepts

UNIT 1 Introduction to Operating System
UNIT 2 Operating System Security: An Overview
UNIT 3 Operating System Hardening and Controls
UNIT 4 ADC/SAMBA
Programme Expert/Design Committee of Post Graduate
Diploma in Information Security (PGDIS)
Prof. K.R. Srivathsan, Pro Vice-Chancellor, IGNOU
Mr. B.J. Srinath, Sr. Director & Scientist 'G', CERT-In, Department of Information
Technology, Ministry of Communication and Information Technology, Govt of India
Mr. A.S.A. Krishnan, Director, Department of Information Technology, Cyber-Laws and
E-Security Group, Ministry of Communication and Information Technology, Govt of India
Mr. S. Balasubramony, Dy. Superintendent of Police, CBI, Cyber Crime Investigation Cell, Delhi
Mr. B.V.C. Rao, Technical Director, National Informatics Centre, Ministry of Communication
and Information Technology
Prof. M.N. Doja, Professor, Department of Computer Engineering, Jamia Milia Islamia, New Delhi
Dr. D.K. Lobiyal, Associate Professor, School of Computer and Systems Sciences, JNU, New Delhi
Mr. Omveer Singh, Scientist, CERT-In, Department of Information Technology, Cyber-Laws and
E-Security Group, Ministry of Communication and Information Technology, Govt of India
Dr. Vivek Mudgil, Director, Eninov Systems, Noida
Mr. V.V. Subrahmanyam, Assistant Professor, School of Computer and Information Science, IGNOU
Mr. Anup Girdhar, CEO, Sedulity Solutions & Technologies, New Delhi
Prof. A.K. Saini, Professor, University School of Management Studies, Guru Gobind Singh
Indraprastha University, Delhi
Mr. C.S. Rao, Technical Director, Cyber Security Division, National Informatics Centre,
Ministry of Communication and Information Technology
Prof. C.G. Naidu, Director, School of Vocational Education & Training, IGNOU
Prof. Manohar Lal, Director, School of Computer and Information Science, IGNOU
Prof. K. Subramanian, Director, ACIIL, IGNOU; Former Deputy Director General, National
Informatics Centre, Ministry of Communication and Information Technology, Govt of India
Prof. K. Elumalai, Director, School of Law, IGNOU
Dr. A. Murali M. Rao, Joint Director, Computer Division, IGNOU
Mr. P.V. Suresh, Sr. Assistant Professor, School of Computer and Information Science, IGNOU
Ms. Mansi Sharma, Assistant Professor, School of Law, IGNOU
Ms. Urshla Kant, Assistant Professor, School of Vocational Education & Training, IGNOU
(Programme Coordinator)
Block Preparation
Unit Writers:
Ms. Urshla Kant, Assistant Professor, School of Vocational Education & Training, IGNOU
(Units 1, 2, 3 & 4)
Dr. K. Kiran Kumar, Reader, Department of Computer Science, P.G. Center, P.B.S. College,
Vijayawada (Unit 4)
Block Editor: Prof. K.R. Srivathsan, Pro Vice-Chancellor, IGNOU
Proof Reading: Ms. Urshla Kant, Assistant Professor, School of Vocational Education &
Training, IGNOU
Production
Mr. B. Natrajan, Dy. Registrar (Pub.), MPDD, IGNOU, New Delhi
Mr. Jitender Sethi, Asstt. Registrar (Pub.), MPDD, IGNOU, New Delhi
Mr. Hemant Parida, Proof Reader, MPDD, IGNOU, New Delhi
August, 2011
© Indira Gandhi National Open University, 2011
ISBN: 978-81-266-5568-7
All rights reserved. No part of this work may be reproduced in any form, by mimeograph or any
other means, without permission in writing from the Indira Gandhi National Open University.
Further information about the School of Vocational Education and Training and the Indira Gandhi
National Open University courses may be obtained from the University's office at Maidan Garhi,
New Delhi-110068, or the website of IGNOU www.ignou.ac.in
Printed and published on behalf of the Indira Gandhi National Open University, New Delhi, by
the Registrar, MPDD
Laser typeset by Mctronics Printographics, 27/3 Ward No. 1, Opp. Mother Dairy, Mehrauli, New Delhi-30
Printed by: Hi-Tech Graphics, S-39, Okhla Industrial Area, Phase-II, New Delhi-110020
BLOCK INTRODUCTION
An operating system manages the computer's hardware and software resources.
Basically, the operating system serves as the boss or manager and makes sure all
the various parts of the computer get what they need. Such operating systems
monitor different programs and users, making sure everything runs smoothly,
without interference, despite the fact that numerous devices and programs are
used simultaneously. An operating system also has a vital role to play in
security. Its job includes preventing unauthorized users from accessing the
computer system.
This block introduces many of the methods to secure the operating system, such as
authentication, system updates, firewalls etc. This block comprises four units
and is designed in the following way:
Unit one introduces the operating system. An operating system is software,
consisting of programs and data, that runs on computers, manages computer
hardware resources, and provides common services for the execution of various
application software. The operating system is the most important type of system
software in a computer system. Without an operating system, a user cannot run an
application program on their computer, unless the application program is
self-booting.
Unit two covers the detailed description of operating system security.
There are various ways of providing security to the operating system, which is
essential for the computer to perform its tasks properly. This unit helps in
understanding the possible mechanisms for the operating system to function
effectively, safely and efficiently.
Unit three explains operating system hardening and controls. It is very
important to oversee the controls in place for the proper working of the operating
system. This unit helps in understanding the controls and hardening process
needed for securing the operating system. It emphasizes the importance of
such mechanisms, which help keep the operating system performing its tasks
properly and effectively.
Unit four covers the detailed description of the Active Directory Controller
and SAMBA. An Active Directory structure is a hierarchical framework of objects.
The objects fall into two broad categories: resources (e.g. printers) and security
principals (user or computer accounts and groups). Security principals are Active
Directory objects that are assigned unique security identifiers (SIDs) used to control
access and set security. SAMBA is a free software re-implementation, originally
developed by Andrew Tridgell, of the SMB/CIFS networking protocol. As of version
3, SAMBA provides file and print services for various Microsoft Windows clients
and can integrate with a Windows Server domain, either as a Primary Domain
Controller (PDC) or as a domain member. It can also be part of an Active Directory
domain.
ACKNOWLEDGEMENT
The material we have used is purely for educational purposes. Every effort has
been made to trace the copyright holders of material reproduced in this book.
Should any infringement have occurred, the publishers and editors apologize and
will be pleased to make the necessary corrections in future editions of this book.
UNIT 1 INTRODUCTION TO OPERATING SYSTEM
Structure
1.0 Introduction
1.1 Objectives
1.2 What is Operating System?
1.2.1 What Operating System Does?
1.3 History of Operating System
1.4 Types of Operating System
1.5 Examples of Operating System
1.6 Graphical User Interface
1.7 Multitasking
1.8 Let Us Sum Up
1.9 Check Your Progress: The Key
1.10 Suggested Readings
1.0 INTRODUCTION
An operating system (sometimes abbreviated as "OS") is the program that, after
being initially loaded into the computer by a boot program, manages all the other
programs in a computer. The other programs are called applications or application
programs. The application programs make use of the operating system by making
requests for services through a defined application program interface (API). In
addition, users can interact directly with the operating system through a user
interface such as a command language or a graphical user interface (GUI).
1.1 OBJECTIVES
After studying this unit, you should be able to:
The operating system of a large computer system has even more work to do. Such
operating systems monitor different programs and users, making sure everything
runs smoothly, without interference, despite the fact that numerous devices and
programs are used simultaneously. An operating system also has a vital role to
play in security. Its job includes preventing unauthorized users from accessing the
computer system.
Real-time operating systems are designed to allow computers to process and respond
to input instantly. Usually, general-purpose operating systems, such as disk operating
system (DOS), are not considered real time, as they may require seconds or minutes
to respond to input. Real-time operating systems are typically used when computers
must react to the consistent input of information without delay. For example, real-
time operating systems may be used in navigation.
Today's operating systems tend to have graphical user interfaces (GUIs) that employ
pointing devices for input. A mouse is an example of such a pointing device, as is
a stylus. Commonly used operating systems for IBM-compatible personal computers
include Microsoft Windows, Linux and UNIX variations. For Macintosh computers,
Mac OS X, Linux, BSD and some Windows variants are commonly used.
computer's hardware and software resources. Basically, the operating system serves
as the boss or manager and makes sure all the various parts of the computer get
what they need.
When you use your personal computer, you may work on a Word document, print
an e-mail and have your Internet browser open for web surfing, all at the same
time. These three programs need attention from the central processing unit (CPU)
to do whatever task that you, the user, are telling it to do. These programs need
memory and storage and need to be able to send messages to devices such as the
mouse and the printer to accomplish these tasks. The operating system is responsible
for handling these areas, as well as processor and network management.
• It handles input and output to and from attached hardware devices, such as
hard disks, printers and dial-up ports.
• It can offload the management of what are called batch jobs (for example,
printing) so that the initiating application is freed from this work.
All major computer platforms (hardware and software) require and sometimes
include an operating system. Linux, Windows 2000, VMS, OS/400, AIX and
z/OS are all examples of operating systems.
1.3 HISTORY OF OPERATING SYSTEM
In the 1940s, the earliest electronic digital systems had no operating systems.
Electronic systems of this time were so primitive compared to those of today that
instructions were often entered into the system one bit at a time on rows of
mechanical switches or by jumper wires on plug boards. These were special-purpose
systems that, for example, generated ballistics tables for the military or controlled
the printing of payroll checks from data on punched paper cards. After
programmable general purpose computers were invented, machine languages
(consisting of strings of the binary digits 0 and 1 on punched paper tape) were
introduced that sped up the programming process (Stern, 1981).
OS/360 was used on most IBM mainframe computers beginning in 1966, including
the computers that helped NASA put a man on the moon. In the early 1950s, a
computer could execute only one program at a time. Each user had sole use of the
computer for a limited period of time and would arrive at a scheduled time with
program and data on punched paper cards and/or punched tape. The program would
be loaded into the machine and the machine would be set to work until the program
completed or crashed. Programs could generally be debugged via a front panel
using toggle switches and panel lights. It is said that Alan Turing was a master of
this on the early Manchester Mark 1 machine and he was already deriving the
primitive conception of an operating system from the principles of the Universal
Turing machine.
Later machines came with libraries of software, which would be linked to a user's
program to assist in operations such as input and output and generating computer
code from human-readable symbolic code. This was the genesis of the modern-
day operating system. However, machines still ran a single job at a time. At
Cambridge University in England the job queue was at one time a washing line
from which tapes were hung with different colored clothes-pegs to indicate job-
priority.
Mainframes
Through the 1950s, many major features were pioneered in the field of operating
systems, including batch processing, input/output interrupt, buffering, multitasking,
spooling, runtime libraries, link-loading and programs for sorting records in files.
These features were included or not included in application software at the option
of application programmers, rather than in a separate operating system used by all
applications. In 1959 the SHARE Operating System was released as an integrated
utility for the IBM 704 and later in the 709 and 7090 mainframes.
During the 1960s, IBM's OS/360 introduced the concept of a single OS spanning
an entire product line, which was crucial for the success of the System/360
machines. IBM's current mainframe operating systems are distant descendants of
this original system and applications written for OS/360 can still be run on modern
machines. In the mid 70's, MVS, a descendant of OS/360, offered the first
implementation of using RAM as a transparent cache for data.
OS/360 also pioneered the concept that the operating system keeps track of all of
the system resources that are used, including program and data space allocation in
main memory and file space in secondary storage and file locking during update.
When the process is terminated for any reason, all of these resources are reclaimed
by the operating system.
The alternative CP-67 system for the S/360-67 started a whole line of IBM operating
systems focused on the concept of virtual machines. Other operating systems used
on IBM S/360 series mainframes included systems developed by IBM: COS/360
(Compatibility Operating System), DOS/360 (Disk Operating System), TSS/360
(Time Sharing System), TOS/360 (Tape Operating System), BOS/360 (Basic
Operating System) and ACP (Airline Control Program), as well as a few non-IBM
systems: MTS (Michigan Terminal System), MUSIC (Multi-User System for
Interactive Computing) and ORVYL (Stanford Timesharing System).
Control Data Corporation developed the SCOPE operating system in the 1960s,
for batch processing. In cooperation with the University of Minnesota, the KRONOS
and later the NOS operating systems were developed during the 1970s, which
supported simultaneous batch and timesharing use. Like many commercial
timesharing systems, its interface was an extension of the Dartmouth BASIC
operating systems, one of the pioneering efforts in timesharing and programming
languages. In the late 1970s, Control Data and the University of Illinois developed
the PLATO operating system, which used plasma panel displays and long-distance
time sharing networks. Plato was remarkably innovative for its time, featuring
real-time chat and multi-user graphical games. Burroughs Corporation introduced
the B5000 in 1961 with the MCP (Master Control Program) operating system.
The B5000 was a stack machine designed to exclusively support high-level
languages with no machine language or assembler and indeed the MCP was the
first OS to be written exclusively in a high-level language, ESPOL, a dialect of
ALGOL.
MCP also introduced many other ground-breaking innovations, such as being the
first commercial implementation of virtual memory. During development of the
AS400, IBM made an approach to Burroughs to licence MCP to run on the AS400
hardware. This proposal was declined by Burroughs management to protect its
existing hardware production. MCP is still in use today in the Unisys ClearPath/
MCP line of computers.
In the late 1960s through the late 1970s, several hardware capabilities evolved
that allowed similar or ported software to run on more than one system. Early
systems had utilized microprogramming to implement features on their systems in
order to permit different underlying architecture to appear to be the same as others
in a series. In fact most 360s after the 360/40 (except the 360/165 and 360/168)
were microprogrammed implementations. But soon other means. of achieving
application compatibility were proven to be more significant.
The enormous investment in software for these systems made since 1960s caused
most of the original computer manufacturers to continue to develop compatible
operating systems along with the hardware. The· notable supported mainframe
operating systems include:
• IBM CP-67, IBM System/360, 1967 to IBM z/VM, present.
Microcomputers
PC-DOS was an early personal computer OS that featured a command line interface.
Mac OS by Apple Computer became the first widespread OS to feature a graphical
user interface. Many of its features such as windows and icons would later become
commonplace in GUIs.
The first microcomputers did not have the capacity or need for the elaborate
operating systems that had been developed for mainframes and minis; minimalistic
operating systems were developed, often loaded from ROM and known as Monitors.
One notable early disk-based operating system was CP/M, which was supported
on many early microcomputers and was closely imitated in MS-DOS, which became
wildly popular as the operating system chosen for the IBM PC (IBM's version of
it was called IBM DOS or PC DOS), its successors making Microsoft. In the 80's
Apple Computer Inc. (now Apple Inc.) abandoned its popular Apple II series of
microcomputers to introduce the Apple Macintosh computer with an innovative
Graphical User Interface (GUI) to the Mac OS.
The introduction of the Intel 80386 CPU chip with 32-bit architecture and paging
capabilities, provided personal computers with the ability to run multitasking
operating systems like those of earlier minicomputers and mainframes. Microsoft
responded to this progress by hiring Dave Cutler, who had developed the VMS
operating system for Digital Equipment Corporation. He would lead the
development of the Windows NT operating system, which continues to serve as
the basis for Microsoft's operating systems line. Steve Jobs, a co-founder of Apple
Inc., started NeXT Computer Inc., which developed the UNIX-like NEXTSTEP
operating system. NEXTSTEP would later be acquired by Apple Inc. and used,
along with code from FreeBSD, as the core of Mac OS X.
The GNU project was started by activist and programmer Richard Stallman with
the goal of a complete free software replacement to the proprietary UNIX operating
system. While the project was highly successful in duplicating the functionality of
various parts of UNIX, development of the GNU Hurd kernel proved to be
unproductive. In 1991, Finnish computer science student Linus Torvalds, with
cooperation from volunteers collaborating over the Internet, released the first version
of the Linux kernel. It was soon merged with the GNU user space components and
system software to form a complete operating system. Since then, the combination
of the two major components has usually been referred to as simply "Linux" by
the software industry, a naming convention that Stallman and the Free Software
Foundation remain opposed to, preferring the name GNU/Linux. The Berkeley
Software Distribution, known as BSD, is the UNIX derivative distributed by the
University of California, Berkeley, starting in the 1970s. Freely distributed and
ported to many minicomputers, it eventually also gained a following for use on
PCs; mainly as FreeBSD, NetBSD and OpenBSD.
aspects of both. An event-driven system switches between tasks based on their
priorities or external events while time-sharing operating systems switch tasks based
on clock interrupts.
When a single program is allowed to run at a time, the system is grouped under a
single-tasking system, while in case the operating system allows the execution of
multiple tasks at one time, it is classified as a multi-tasking operating system.
Multi-tasking can be of two types, namely pre-emptive or co-operative. In
pre-emptive multitasking, the operating system slices the CPU time and dedicates
one slot to each of the programs. UNIX-like operating systems such as Solaris and
Linux support pre-emptive multitasking. Cooperative multitasking is achieved by
relying on each process to give time to the other processes in a defined manner.
MS Windows prior to Windows 95 used to support cooperative multitasking.
4) Distributed
5) Embedded
b) Compare your answers with the one given at the end of the Unit.
2) What is the use of operating system?
UNIX-like systems run on a wide variety of machine architectures. They are used
heavily for servers in business, as well as workstations in academic and engineering
environments. Free UNIX variants, such as GNU/Linux and BSD, are popular in
these areas.
Some UNIX variants like HP's HP-UX and IBM's AIX are designed to run only
on that vendor's hardware. Others, such as Solaris, can run on multiple types of
hardware, including x86 servers and .PCs. Apple's Mac OS X, a hybrid kernel-
based BSD variant derived from NeXTSTEP, Mach and FreeBSD, has replaced
Apple's earlier (non-UNIX) Mac OS.
UNIX interoperability was sought by establishing the POSIX standard. The POSIX
standard can be applied to any operating system, although it was originally created
for various UNIX variants.
over a network were widely implemented and refined in BSD. The World Wide
Web was also first demonstrated on a number of computers running an OS based
BSD has its roots in UNIX. In 1974, University of California, Berkeley installed
its first UNIX system. Over time, students and staff in the computer science
department there began adding new programs to make things easier, such as text
editors. When Berkeley received new VAX computers in 1978 with UNIX installed,
the school's undergraduates modified UNIX even more in order to take advantage
of the computer's hardware possibilities. The Defense Advanced Research Projects
Agency of the US Department of Defense took interest and decided to fund the
project. Many schools, corporations and government organizations took notice and
started to use Berkeley's version of UNIX instead of the official one distributed
by AT&T.
Steve Jobs, upon leaving Apple Inc. in 1985, formed NeXT Inc., a company that
manufactured high-end computers running on a variation of BSD called NeXTSTEP.
One of these computers was used by Tim Berners-Lee as the first webserver to
create the World Wide Web.
Developers like Keith Bostic encouraged the project to replace any non-free code
that originated with Bell Labs. Once this was done, however, AT&T sued.
Eventually, after two years of legal disputes, the BSD project came out ahead and
spawned a number of free derivatives, such as FreeBSD and NetBSD. In this two
year wait, GNU and Linux appeared.
3) Plan 9
Ken Thompson, Dennis Ritchie and Douglas McIlroy at Bell Labs designed and
developed the C programming language to build the operating system UNIX.
Programmers at Bell Labs went on to develop Plan 9 and Inferno, which were
engineered for modern distributed environments. Plan 9 was designed from the
start to be a networked operating system and had graphics built-in, unlike UNIX,
which added these features to the design later. It is currently released under the
Lucent Public License. Inferno was sold to Vita Nuova Holdings and has been
released under a GPL/MIT license.
a full-fledged kernel. Programmers from GNU took notice and members of both
projects worked to integrate the finished GNU parts with the Linux kernel in order
to create a full-fledged operating system.
5) Google Chrome OS
Chrome OS is an operating system based on the Linux kernel and designed by Google.
Chrome OS targets computer users who spend most of their time on the Internet: it is
technically only a web browser with no other applications and relies on Internet
applications (or Web apps) used in the web browser to accomplish tasks such as
word processing and media viewing.
6) Mac OS X
The operating system was first released in 1999 as Mac OS X Server 1.0, with a
desktop-oriented version (Mac OS X v10.0) following in March 2001. Since then,
six more distinct "client" and "server" editions of Mac OS X have been released,
the most recent being Mac OS X v10.6, which was first made available on August
28, 2009. Releases of Mac OS X are named after big cats; the current version of
Mac OS X is "Snow Leopard".
7) Microsoft Windows
with an estimated 88.9 percent total usage share on Web connected computers.
Currently, the most widely used version of the Windows family is Windows XP,
released on October 25, 2001. The newest version is Windows 7 for workstations
and Windows Server 2008 R2 for servers.
Server editions of Windows are widely used. In recent years, Microsoft has
expended significant capital in an effort to promote the use of Windows as a server
operating environment. However, Windows' usage on servers is not as widespread
as on personal computers, as Windows competes against Linux and BSD for market
share.
8) Other
Older operating systems which are still used in niche markets include OS/2 from
IBM and Microsoft; Mac OS, the non-UNIX precursor to Apple's Mac OS X;
BeOS; XTS-300. Some, most notably Haiku, RISC OS, MorphOS, AmigaOS 4
and FreeMint continue to be developed as minority platforms for enthusiast
communities and specialist applications. OpenVMS formerly from DEC is still
under active development by Hewlett-Packard. Yet other operating systems are
used almost exclusively in academia, for operating systems education or to do
research on operating system concepts. A typical example of a system that fulfills
both roles is MINIX, while for example Singularity is used purely for research.
Many computer operating systems allow the user to install or create any user
interface they desire. The X Window System in conjunction with GNOME or
KDE is a commonly found setup on most UNIX and UNIX-like (BSD, GNU/
Linux, Solaris) systems. A number of Windows shell replacements have been
released for Microsoft Windows, which offer alternatives to the included Windows
shell, but the shell itself cannot be separated from Windows.
Numerous UNIX-based GUIs have existed over time, most derived from X11.
Competition among the various vendors of UNIX (HP, IBM, Sun) led to much
fragmentation; an effort to standardize in the 1990s on COSE and CDE
failed for various reasons and was eventually eclipsed by the widespread adoption
of GNOME and KDE. Prior to free software-based toolkits and desktop
environments, Motif was the prevalent toolkit/desktop combination (and was the
basis upon which CDE was developed).
Graphical user interfaces evolve over time. For example, Windows has modified
its user interface almost every time a new major version of Windows is released
and the Mac OS GUI changed dramatically with the introduction of Mac OS X in
1999.
1.7 MULTITASKING
Multitasking refers to the running of multiple independent computer programs on
the same computer; giving the appearance that it is performing the tasks at the
same time. Since most computers can do at most one or two things at one time,
this is generally done via time-sharing, which means that each program uses a
share of the computer's time to execute.
An early model which governed the allocation of time to programs was called
cooperative multitasking. In this model, when control is passed to a program by
the kernel, it may execute for as long as it wants before explicitly returning control
to the kernel. This means that a malicious or malfunctioning program may not
only prevent any other programs from using the CPU, but it can hang the entire
system if it enters an infinite loop.
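The contrast between cooperative and pre-emptive multitasking drawn in 1.4 and again here is easy to see in a simulation. The following Python program is an added example, not code from the original unit: a round-robin kernel that in cooperative mode gets the CPU back only when a task chooses to yield, and in pre-emptive mode gets it back on a simulated timer interrupt after a fixed quantum regardless of what the task wants. The task names, their work amounts, the 30-tick budget and the "runaway" program that never yields are all constructed for illustration.

```python
"""Simulation of cooperative vs pre-emptive multitasking (added example)."""
from collections import deque


class Task:
    """A program that needs `work` CPU units to finish.

    yield_every: after how many units a well-behaved program voluntarily
    hands the CPU back to the kernel; None models a program that never
    yields (for instance one stuck in an infinite loop, work=float('inf')).
    """

    def __init__(self, name, work, yield_every):
        self.name = name
        self.remaining = work
        self.yield_every = yield_every
        self.cpu_used = 0
        self.finished_at = None


def schedule(tasks, total_ticks, quantum=None):
    """Round-robin the runnable tasks for `total_ticks` clock ticks.

    quantum=None -> cooperative: a burst ends only when the task yields.
    quantum=N    -> pre-emptive: the timer interrupt ends a burst after N
                    ticks even if the task has not yielded.
    Returns {name: (cpu_used, tick at which it finished or None)}.
    """
    queue = deque(tasks)
    tick = 0
    while queue and tick < total_ticks:
        task = queue.popleft()
        burst = 0
        while tick < total_ticks and task.remaining > 0:
            task.remaining -= 1
            task.cpu_used += 1
            tick += 1
            burst += 1
            voluntary = task.yield_every is not None and burst >= task.yield_every
            forced = quantum is not None and burst >= quantum
            if voluntary or forced:
                break
        if task.remaining == 0:
            task.finished_at = tick
        else:
            queue.append(task)  # still runnable: back of the queue
    return {t.name: (t.cpu_used, t.finished_at) for t in tasks}


def workload():
    """Constructed sample: two polite interactive programs that yield every
    2 units, and one runaway program that never yields."""
    return [Task("editor", 6, 2), Task("browser", 6, 2),
            Task("runaway", float("inf"), None)]


def run_cooperative(total_ticks=30):
    return schedule(workload(), total_ticks, quantum=None)


def run_preemptive(total_ticks=30, quantum=2):
    return schedule(workload(), total_ticks, quantum=quantum)


if __name__ == "__main__":
    print("cooperative:", run_cooperative())
    print("pre-emptive:", run_preemptive())
```

Under the cooperative kernel the runaway program takes the CPU at tick 4 and never gives it back, so the editor and browser each get only their first two units and never finish; under the pre-emptive kernel the same runaway program is cut off every two ticks and both interactive programs complete (at ticks 14 and 16). The difference between the two runs is a single condition in the scheduler, which is the security point: with cooperative multitasking the system's availability depends on every program behaving, while pre-emption puts that decision in the kernel.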
Check Your Progress 2
Note: a) Space is given below for writing your answers.
b) Compare your answers with the one given at the end of the Unit.
3) What is multitasking?
For hardware functions such as input and output and memory allocation, the
operating system acts as an intermediary between application programs and the
computer hardware, though the application code is usually executed directly by
the hardware and will frequently call the OS or be interrupted by it. Operating
systems are found on almost any device that contains a computer-from cellular
phones and video game consoles to supercomputers and web servers.
Examples of popular modern operating systems are: BSD, Linux (Ubuntu, Fedora,
OpenSuSE, Mandriva, Arch Linux, Debian, Linux Mint etc.), Mac OS X, Microsoft
Windows and UNIX.
resources. Operating systems are responsible for everything from the control
and allocation of memory to recognizing input from external devices and
transmitting output to computer displays. They also manage files on computer
hard drives and control peripherals, like printers and scanners.
• It handles input and output to and from attached hardware devices, such
as hard disks, printers and dial-up ports.
• It can offload the management of what are called batch jobs (for example,
printing) so that the initiating application is freed from this work.
2) Most modern computer systems support graphical user interfaces (GUI)
and often include them. In some computer systems, such as the original
implementation of Mac OS, the GUI is integrated into the kernel. While
technically a graphical user interface is not an operating system service,
incorporating support for one into the operating system kernel can allow the
GUI to be more responsive by reducing the number of context switches required
for the GUI to perform its output functions.
3) Multitasking refers to the running of multiple independent computer programs
on the same computer; giving the appearance that it is performing the tasks at
the same time. Since most computers can do at most one or two things at one
time, this is generally done via time-sharing, which means that each program
uses a share of the computer's time to execute.
• www.depik.com/php/osc.pdf
• www.ittestpapers.com/operatingsystemconcepts-covers-fundamental-questions-in-os.html
UNIT 2 OPERATING SYSTEM SECURITY: AN OVERVIEW
Structure
2.0 Introduction
2.1 Objectives
2.2 Operating System Security
2.3 Precautions for Operating System Security
2.3.1 Authentication
2.3.2 Access Control
2.3.3 Security Models
2.3.4 Patch
2.3.5 Integrity Checks
2.3.6 Software Updates
2.3.7 Firewall
2.3.7.1 Types of Firewalls
2.3.8 Account Management
2.3.9 Antivirus Software
2.4 Let Us Sum Up
2.5 Check Your Progress: The Key
2.6 Suggested Readings
2.0 INTRODUCTION
Computers are becoming largely ubiquitous in today's society. Computers are used
in every field of work and entertainment. In the process of modern-day computing,
a great deal of personal information is accumulated, processed and exchanged.
This has become especially true with the advent of the Internet. Whether sending
an e-mail, making a purchase online or just surfing a web page, today's computer
user is subject to many privacy and security concerns. It is with these concerns
in mind that efforts are made to improve the reliability and trustworthiness of the
modern computing environment. Operating systems provide the fundamental
mechanisms for securing computer processing. Recently, the importance of ensuring
such security has become a mainstream issue for all operating systems.
2.1 OBJECTIVES
After studying this unit, you should be able to:
Information security is aimed at the following:
Before you begin using the system, it is helpful to plan and implement security
policies. Security policies are very time-consuming to change later, so up-front
planning can save a lot of time later.
Various flaws in the operating systems of computers are discovered almost daily.
The majority of viruses take advantage of these flaws to infect your computer.
Once a virus enters your system, it can potentially cause devastating damage.
2.3.1 Authentication
Authentication is any process by which you verify that someone is who they claim
they are. This usually involves a username and a password, but can include any
other method of demonstrating identity, such as a smart card, retina scan, voice
recognition or fingerprints. Authentication is equivalent to showing your driver's
license at the ticket counter at the airport. Authentication is the process of obtaining
identification credentials such as name and password from a user and validating
those credentials against some authority.
Item control or electronic key management is an area within (and possibly integrated
with) an access control system which concerns the managing of possession and
location of small assets or physical (mechanical) keys.
confidentiality aspects of access control. Access permissions are defined through
an access control matrix and through a partial ordering of security levels.
2.3.4 Patch
A patch is a piece of software designed to fix problems with or update a computer
program or its supporting data. This includes fixing security vulnerabilities and
other bugs and improving the usability or performance. Though meant to fix
problems, poorly designed patches can sometimes introduce new problems.
Patch management is the process of using a strategy and plan of what patches
should be applied to which systems at a specified time.
Data that has integrity is identically maintained during any operation (such as
transfer, storage or retrieval). Put simply in business terms, data integrity is the
assurance that data is consistent, certified and can be reconciled.
In terms of a database data integrity refers to the process of ensuring that a database
remains an accurate reflection of the universe of discourse it is modelling or
representing. In other words there is a close correspondence between the facts
stored in the database and the real world it models.
Database integrity checks are recommended to ensure that the database consistency
is intact and if there is a problem with consistency, then it is reported to the
appropriate team(s) so that necessary action can be taken to rectify it. This can be
done with the help of Database Maintenance Plans.
2.3.7 Firewall
Basically, a firewall is a barrier to keep destructive forces away from your property.
In fact, that's why it's called a firewall. Its job is similar to a physical firewall that
keeps a fire from spreading from one area to the next. A firewall is actually a
device or program that blocks undesired Internet traffic, including viruses, from
accessing your computer. Both Windows and Mac OS X have built-in firewall
programs that are easy to set up. By blocking unwanted Internet traffic, a lot of
viruses and bugs can be stopped dead in their tracks.
Firewalls make it possible to filter incoming and outgoing traffic that flows through
your system. A firewall can use one or more sets of "rules" to inspect the network
packets as they come in or go out of your network connections and either allows
the traffic through or blocks it. The rules of a firewall can inspect one or more
characteristics of the packets, including but not limited to the protocol type, the
source or destination host address and the source or destination port.
Firewalls can greatly enhance the security of a host or a network. They can be
used to do one or more of the following things:
• To protect and insulate the applications, services and machines of your internal
network from unwanted traffic coming in from the public Internet.
• To limit or disable access from hosts of the internal network to services of the
public Internet.
Firewalls block everything that you haven't specifically allowed. Routers with
filtering capabilities are a simplified example of a firewall. Administrators often
configure them to allow all outbound connections from the internal network, but
to block all incoming traffic. So, a user on the internal network would be able to
download e-mail without a problem, but an administrator would need to customize
the router configuration to connect to your home PC from work by using Remote
Desktop. Other applications that might require special firewall configuration are
WebCam servers, collaboration software and multiplayer online games.
You use packet filters to instruct a firewall to drop traffic that meets certain criteria.
For example, you could create a filter that would drop all ping requests. You can
also configure filters with more complex exceptions to a rule. For example, a filter
might assist with troubleshooting the firewall by allowing the firewall to respond
to ping requests coming from a monitoring station's IP address. By default,
Microsoft ISA Server doesn't respond to ping queries on its external interface. You
would need to create a packet filter on the ISA Server computer for it to respond
to a ping request.
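The packet-filter behaviour described above (default deny, first matching rule wins, and an exception that lets only a monitoring station's address ping the firewall), as an added example that is not part of the course text. The addresses, the `Packet`/`Rule` shapes and the rule set are constructed for illustration; a real firewall product has its own rule syntax.

```python
"""Added example (not from the course text): a minimal first-match packet
filter with a default-deny policy. It encodes the rule discussed above: drop
ping (ICMP echo requests) except from a monitoring station's address. All
addresses and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str                          # source host address
    dst: str                          # destination host address
    dport: Optional[int] = None       # destination port (tcp/udp)
    icmp_type: Optional[str] = None   # e.g. "echo-request" for ping


@dataclass(frozen=True)
class Rule:
    """A rule matches on any subset of packet characteristics; a field left
    as None matches anything."""
    action: str                       # "allow" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None         # single address or CIDR network
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything not explicitly allowed is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed addresses taken from the documentation ranges (RFC 5737).
MONITORING_STATION = "192.0.2.10"
FIREWALL_EXTERNAL = "203.0.113.1"

# The exception must precede the general drop, because the first match wins.
RULES = [
    Rule("allow", proto="icmp", src=MONITORING_STATION, icmp_type="echo-request"),
    Rule("drop", proto="icmp", icmp_type="echo-request"),
    Rule("allow", proto="tcp", dport=443),     # e.g. a published HTTPS service
]


def decisions_for_samples(rules: List[Rule] = RULES) -> dict:
    """Evaluate a few constructed packets and return their verdicts by name."""
    samples = {
        "ping_from_monitor": Packet("icmp", MONITORING_STATION, FIREWALL_EXTERNAL, icmp_type="echo-request"),
        "ping_from_other": Packet("icmp", "198.51.100.7", FIREWALL_EXTERNAL, icmp_type="echo-request"),
        "https_from_other": Packet("tcp", "198.51.100.7", FIREWALL_EXTERNAL, dport=443),
        "telnet_from_other": Packet("tcp", "198.51.100.7", FIREWALL_EXTERNAL, dport=23),
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in decisions_for_samples().items():
        print(f"{name:20s} -> {verdict}")
    # Reversing the two ICMP rules silently defeats the exception.
    reordered = [RULES[1], RULES[0], RULES[2]]
    print("monitor ping with rules reversed:", decisions_for_samples(reordered)["ping_from_monitor"])
```

Rule order is the check worth keeping in mind: the same rules with the two ICMP entries swapped drop the monitoring station's pings too.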
Network Firewalls
Firewalls come in two flavors: hardware firewalls and software firewalls. Hardware-based network firewalls are generally cheaper than software-based network firewalls
and are the right choice for home users and many small businesses. Software-
based network firewalls often have a larger feature set than hardware-based firewalls
and might fit the needs of larger organizations. Software-based firewalls can also
run on the same server as other services, such as e-mail and file sharing, allowing
small organizations to make better use of existing servers. Network firewalls often
include additional features that aren't necessary for host-based firewalls, as
described in the following sections. Network firewalls, such as the software-based
Microsoft's Internet Security and Acceleration (ISA) Server or the hardware-based
Nortel Networks Alteon Switched Firewall System, protect the perimeter of a
network by watching traffic that enters and leaves.
Why would you buy third-party firewall software when Windows XP includes ICF
for free? ICF is designed to provide basic intrusion prevention, but doesn't include
the rich features of a third-party firewall application. Most third-party firewalls
protect you from software that could violate your privacy or allow an attacker to
misuse your computer, features not found in ICF. Also, you can install third-party
firewall programs on systems that have older versions of Windows. Note that
firewall software doesn't replace antivirus software. You should use both.
1) McAfee
2) Norton Antivirus
3) Quick Heal
4) Kaspersky
5) Trend Micro
6) Avira
7) Avast
"
8) Panda
9) AVG
Use your antivirus software to scan for viruses as files are being launched. The
term "virus" is used to describe self-replicating computer programs that propagate
themselves between files on a computer and even between computers. Viruses
usually, but not always, do something malicious, such as overwrite files or waste
your bandwidth by sending copies of them to everyone in your address book.
No matter how useful antivirus software can be, it can sometimes have drawbacks.
Antivirus software can impair a computer's performance. Inexperienced users may
also have trouble understanding the prompts and decisions that antivirus software
presents them with. An incorrect decision may lead to a security breach. If the
antivirus software employs heuristic detection, success depends on achieving the
right balance between false positives and false negatives. False positives can be as
destructive as false negatives. Finally, antivirus software generally runs at the highly
trusted kernel level of the operating system, creating a potential avenue of attack.
Identification Methods
There are several methods which antivirus software can use to identify malware.
Antivirus capabilities are a feature of some network and host-based firewalls.
Network firewalls might inspect all incoming e-mail traffic for virus-infected
attachments and filter them out. Host-based firewalls might change the configuration
of the user's e-mail client so that the e-mail client sends all requests through the
host-based firewall.
Firewalls are certainly not the only way to protect yourself from viruses and if the
firewall you choose doesn't have antivirus features, you'll need to complement it
with antivirus software. The best way to protect your organization against viruses
is to use a good-quality commercial antivirus package. These scanners examine
the files, folders, mail messages and Web pages on your computers, looking for
the distinctive patterns of viral code. When the scanner detects something that
looks like a virus, it quarantines the suspect object and warns you about what it
found.
Check Your Progress 1
b) Compare your answers with the one given at the end of the Unit.
2.5 CHECK YOUR PROGRESS: THE KEY
Check Your Progress 1
1) Security models
2) Network Firewalls
3) Antivirus Software
Use your antivirus software to scan for viruses as files are being launched. The
term "virus" is used to describe self-replicating computer programs that propagate
themselves between files on a computer and even between computers. Viruses
usually, but not always, do something malicious, such as overwrite files or waste
your bandwidth by sending copies of them to everyone in your address book.
Firewalls are certainly not the only way to protect yourself from viruses and if the
firewall you choose doesn't have antivirus features, you'll need to complement it
with antivirus software. The best way to protect your organization against viruses
is to use a good-quality commercial antivirus package. These scanners examine
the files, folders, mail messages and Web pages on your computers, looking for
the distinctive patterns of viral code. When the scanner detects something that
looks like a virus, it quarantines the suspect object and warns you about what it
found.
2.6 SUGGESTED READINGS
• http://searchsecurity.techtarget.com/resources/operating-system-security
• http://technet.microsoft.com/en-us/library/cc700820.aspx
• www.lynuxworks.com/solutions/security.php
UNIT 3 OPERATING SYSTEM HARDENING AND CONTROLS
Structure
3.0 Introduction
3.1 Objectives
3.2 Operating System Hardening
3.3 Network Hardening
3.4 Application Hardening
3.5 Let Us Sum Up
3.6 Check Your Progress: The Key
3.7 Suggested Readings
3.0 INTRODUCTION
Every mechanism needs proper controls to work in the specified dimension. Without
such controls or a tightening framework, an operating system cannot function properly
and adequately as required. Therefore, it is extremely important to have a
hardening system in place for the operating system to perform its work rightly.
3.1 OBJECTIVES
After studying this unit, you should be able to:
Hardening is not a one-time activity; it is an ongoing task to mitigate risk and
sustain high-quality computing. We have to build up the secure production
server in such a way as to remove unwanted devices, fix misconfigurations,
not allow default settings, enhance the current configuration and develop
the new system programming, and apply new security patches before going to
the production environment. Hardening of the operating system should support
high integrity, reliability, availability, privacy, scalability and confidentiality
at the lowest level of risk to achieve the highest level of objective (benefits) from
the critical IT infrastructure of the organization.
Safeguarding information and protecting the integrity of your network and systems
are vital to our business. IT security professionals in many companies have
established policies applicable to their entire organization, but it may be up to
individual departments that manage the systems to implement security in accordance
with these policies. Security professionals recognize the need for flexibility when
it comes to implementation, due to the unique requirements of each department.
Hardening of an operating system involves the removal of all non essential tools,
utilities and other systems administration options, any of which could be used to
ease a hacker's path to your systems. Following this, the hardening process will
ensure that all appropriate security features are activated and configured correctly.
Again, 'out of the box' systems will likely be set up for ease of access with access
to the administrator account. Some vendors have now recognized that a market exists
for the OS-hardened systems.
Hardening of the operating system includes planning against both accidental and
directed attacks, such as the use of fault-tolerant hardware and software solutions.
Additionally, it is important to implement an effective system for file-level security,
including encrypted file support and secured file system selection that allows for
the proper level of access control. For example, Microsoft's New Technology File
System (NTFS) allows for file-level access control, whereas most File Allocation
Table-based (FAT-based) systems allow for only Share-level access control.
It is also imperative to include regular update reviews for all deployed operating
systems in order to address newly identified exploits and apply security hotfixes,
patches and service packs. Many automated attacks use common vulnerabilities,
often ones for which patches and hotfixes are already available. Failure to include
planning for application updates on a regular basis, along with update auditing,
can result in an unsecure solution that provides an attacker access to additional
resources throughout an organization's network.
Operating system hardening also includes configuring log files and auditing,
changing default administrator account names and default passwords and instituting
account lockout and password policies to guarantee strong passwords that will be
resistant to brute-force attacks.
The default installation can include more services than you need. Disable the
services or features that you do not need to make the system more secure and
to provide better performance. For more information about Modular Messaging
services, see the installation guide for your configuration. For more information
about Windows services, contact your Avaya representative for a complete
list of Windows services.
• Patch the System
Install all service packs, security patches and hot fixes, especially those that
pertain to the security of the system. Once they are installed, validate all the
hardening procedures to ensure that the hardening settings are unchanged.
Verify that the service packs did not roll back the configuration settings.
Review and enforce access rights to the file system, directory service and
registry. Global read and write access to key directories can lead to a security
exposure. In most cases, this level of permission is unnecessary.
Ensure that the system is physically secure from unauthorized access. Physical
security enforces strong security controls and system hardening.
Use anti-virus products to monitor, identify and secure your systems from
viruses and worms.
After you configure the security settings on the host, check all the settings to
ensure that they are intact. In many operating systems, when you apply security
patches and make changes to settings, previously made changes are lost.
Firewall and Network Address Translation (NAT) software and hardware solutions
provide the first layer of defense against unauthorized access attempts.
Mapping avenues of access is also critical in hardening a network. This process is
a part of the site survey that should be performed for any network, especially
those that involve public areas where a simple connection through a workstation
might link the protected internal network directly to a public broadband connection.
Wireless networks also create significant avenues for unsecure access to a secured
network. A user who configures a PC card on her workstation to allow for the
synchronization of her compliant wireless PDA may have inadvertently bypassed
all security surrounding an organization's network.
If a centralized access control system is used, such as those found in Windows and
Novell networks, resource access and restrictions may be assigned to groups and
Leaving protocols and services open and unconfigured when they are not necessary
for your network can be a dangerous situation. When you install items on your
network, we suggest that you do not accept default configurations because the
defaults offered may not meet the business and security requirements of your
network.
Web Servers
Access restrictions to Internet and intranet Web services may be required to ensure
proper authentication for nonpublic sites, whereas anonymous access may be
required for other sites. Access control may be accomplished at the operating system
or application level, with many sites requiring regular updates of Secure Sockets
Layer (SSL) certifications for secured communications.
Regular log review is critical for Web servers to ensure that submitted URL values
are not used to exploit unpatched buffer overruns or other forms of common
exploits. Many Web servers may also include security add-ins, provided to restrict
those URLs that may be meaningfully submitted, filtering out any that do not meet
the defined criteria. Microsoft's URL Scan for the Internet Information Services
(IIS) Web service is one such filtering add-in.
E-mail Services
E-mail servers require network access to transfer Simple Mail Transfer Protocol
(SMTP) traffic. E-mail is often used to transport executable agents, including Trojan
horses and other forms of viral software. E-mail servers may require transport
through firewall solutions to allow remote Post Office Protocol version 3 (POP3)
or Internet Message Access Protocol (IMAP) access or they may require integration
with VPN solutions to provide secure connections for remote users. User
authentication is also of key importance, especially when e-mail and calendaring
solutions allow delegated review and manipulation. Inadequate hardware may be
attacked through mail bombs and other types of attacks meant to overwhelm the
server's ability to transact e-mail messages.
FTP Servers
File Transfer Protocol (FTP) servers are used to provide file upload and download
capabilities to users, whether through anonymous or authenticated connections.
Because of limitations in the protocol, unless an encapsulation scheme is used
between the client and host systems, the logon and password details are passed in
cleartext and may be subject to interception via packet sniffing. Unauthorized parties
may also use FTP servers that allow anonymous access to share files of questionable
or undesirable content while also consuming network bandwidth and server
processing resources.
DNS Servers
DNS servers are responsible for name resolution and may be subject to many
forms of attack, including attempts at denial of service (DoS) attacks intended to
prevent proper name resolution for key corporate holdings. Hardening DNS server
solutions should include planning for redundant hardware and software solutions,
along with regular backups to protect against loss of name registrations.
Technologies that allow dynamic updates must also include access control and
authentication to ensure that registrations are valid.
NNTP Servers
Network News Transfer Protocol (NNTP) servers provide user access to newsgroup
posts and share many of the same security considerations that e-mail servers
generate. Access control for news groups may be somewhat more complex, with
moderated groups allowing public anonymous submission with authenticated access
required for post approval. Heavily loaded servers may be attacked to perform a
denial of service and detailed user account information in public newsgroup posting
stores, such as those of the AOL and MSN communities, may be exploited in
many ways.
User file storage solutions often come under attack when unauthorized access
attempts provide avenues for manipulation. Files may be corrupted, modified,
deleted or manipulated in many ways. Access control through proper restriction of
file and share permissions is necessary, coupled with access auditing and user-
authentication schemes to ensure proper access. Removal of default access
permissions, such as the automatic granting of allow access to everyone group in
Windows systems must be done before network file shares can be secured.
Distributed file system and encrypted file system solutions may require bandwidth
planning and proper user authentication to allow even basic access. Security
planning for these solutions may also include placing user-access authenticating
servers close to the file servers to decrease delays created by authentication traffic.
Print servers also pose several risks, including possible security breaches in the
event that unauthorized parties may access cached print jobs. Denial of service
attacks may be used to disrupt normal methods of business. Network connected
printers require authentication of access to prevent attackers from generating printed
memos, invoices or any other manner of printed materials as desired.
DHCP Servers
DHCP servers share many of the same security problems associated with other
network services, such as DNS servers. DHCP servers may be overwhelmed by
lease requests if bandwidth and processing resources are insufficient. This can be
worsened by the use of DHCP proxy systems relaying lease requests from widely
deployed subnets. Scope address pools may also be overcome if lease duration is
insufficient and short lease duration may increase request traffic. If the operating
system in use does not support DHCP server authentication, attackers may also
configure their own DHCP servers within a subnet, taking control of the network
settings of clients obtaining leases from the rogue servers. Planning for DHCP
security must include regular review of networks for unauthorized DHCP servers.
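The "regular review of networks for unauthorized DHCP servers" recommended above, as an added example that is not part of the course text: observed DHCPOFFER messages are checked against an allowlist of the organization's own servers, and clients that received competing offers are flagged. The log line format, the server addresses and the client MACs are all constructed for illustration; how the offers are captured is left to whatever monitoring tool is in use.

```python
"""Added example (not from the course text): reviewing observed DHCP offers
against an allowlist of authorized servers. The log format, addresses and
MACs below are constructed; no particular capture tool is assumed."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed: the DHCP servers the organization actually operates.
AUTHORIZED_DHCP_SERVERS: Set[str] = {"10.0.0.2", "10.0.0.3"}

# Constructed observations, one DHCPOFFER per line, in a hypothetical format.
SAMPLE_LOG = """\
2011-03-01T09:00:01 DHCPOFFER server=10.0.0.2 client=00:11:22:33:44:55 offered=10.0.1.20 router=10.0.1.1
2011-03-01T09:00:02 DHCPOFFER server=10.0.1.99 client=00:11:22:33:44:55 offered=10.0.1.200 router=10.0.1.99
2011-03-01T09:00:05 DHCPOFFER server=10.0.0.3 client=00:11:22:33:44:66 offered=10.0.2.21 router=10.0.2.1
2011-03-01T09:00:07 DHCPOFFER server=10.0.0.2 client=00:11:22:33:44:77 offered=10.0.1.21 router=10.0.1.1
this line is not an offer and is skipped by the parser
"""

OFFER_RE = re.compile(
    r"^(?P<ts>\S+) DHCPOFFER server=(?P<server>\S+) client=(?P<client>\S+) "
    r"offered=(?P<offered>\S+) router=(?P<router>\S+)$"
)


def parse_offers(text: str) -> List[Dict[str, str]]:
    """Parse DHCPOFFER lines; lines that do not match the format are skipped."""
    offers = []
    for line in text.splitlines():
        m = OFFER_RE.match(line.strip())
        if m:
            offers.append(m.groupdict())
    return offers


def rogue_offers(offers: List[Dict[str, str]],
                 authorized: Set[str] = AUTHORIZED_DHCP_SERVERS) -> List[Dict[str, str]]:
    """Offers that came from a server not on the allowlist."""
    return [o for o in offers if o["server"] not in authorized]


def clients_with_competing_offers(offers: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Clients that received offers from more than one server: a rogue server
    racing the legitimate one is exactly the situation the text describes."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for o in offers:
        seen[o["client"]].add(o["server"])
    return {c: s for c, s in seen.items() if len(s) > 1}


def review(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Summarise what an administrator would want to act on."""
    offers = parse_offers(text)
    rogue = rogue_offers(offers)
    return {
        "offers_seen": len(offers),
        "rogue_servers": sorted({o["server"] for o in rogue}),
        # The default gateway a rogue server hands out is what redirects clients.
        "rogue_router_settings": sorted({o["router"] for o in rogue}),
        "competing": clients_with_competing_offers(offers),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```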
Data Repositories
Data repositories of any type may require specialized security considerations based
on the following:
• The bandwidth and processing resource requirements that are needed to prevent
denial of service attacks
Placement of authentication, name resolution and data stores within secured and
partially secured zones, such as an organization's DMZ, may require the use of
secured VPN connections or the establishment of highly secured bastion hosts.
Role-Based Access Control (RBAC) may be used to improve security and the
elimination of unneeded connection libraries and character sets may help to alleviate
common exploits.
b) Compare your answers with the one given at the end of the Unit.
1) What task you will perform for ensuring operating system hardening?
passwords on the network.
• Install virus-detection software
Use anti-virus products to monitor, identify and secure your systems from
viruses and worms.
2) FTP Servers
File Transfer Protocol (FTP) servers are used to provide file upload and download
capabilities to users, whether through anonymous or authenticated connections.
Because of limitations in the protocol, unless an encapsulation scheme is used
between the client and host systems, the logon and password details are passed in
cleartext and may be subject to interception via packet sniffing. Unauthorized parties
may also use FTP servers that allow anonymous access to share files of questionable
or undesirable content while also consuming network bandwidth and server
processing resources.
Data repositories of any type may require specialized security considerations based
on the following:
• The bandwidth and processing resource requirements that are needed to prevent
denial of service attacks
Placement of authentication, name resolution and data stores within secured and
partially secured zones, such as an organization's DMZ, may require the use of
secured VPN connections or the establishment of highly secured bastion hosts.
Role-Based Access Control (RBAC) may be used to improve security and the
elimination of unneeded connection libraries and character sets may help to alleviate
common exploits.
• http://www.interscience.in/ijcct/IJCCT_Paper7.pdf
UNIT 4 ADC/SAMBA
Structure
4.0 Introduction
4.1 Objectives
4.2 Active Directory Controller
4.2.1 Structure of Active Directory Controller
4.2.1.1 Forests, Trees and Domains
4.2.1.2 Flat-filed, Simulated Hierarchy
4.2.1.3 Shadow Groups
4.2.2 Structural Divisions to Improve Performance
4.3 SAMBA
4.3.1 History of SAMBA
4.3.2 SAMBA as a DC
4.3.3 SAMBA as an Active Directory Domain Member
4.0 INTRODUCTION
The structure of the Active Directory Controller includes Forests, trees, domains,
Flat-filed, simulated hierarchy and Shadow Groups. The different Structural
divisions to improve performance are FSMO Roles, Trust, Adding Users and
Computers to the Active Directory Domain and Using Active Directory with
Desktop Delivery Controller. It also describes digital forensics. SAMBA provides
Windows networking services, on a Unix-like platform. These services range from
simple file and printer sharing, to full management of an NT-style domain. All of
these services are provided in the SAMBA package, which is itself distributed
under the Free Software Foundation's General Public Licence (GPL). SAMBA
allows file and print sharing between computers running Windows and computers
running UNIX.
4.1 OBJECTIVES
After completion of this unit, you will be able to:
• describe ADC and its structure; and
• describe SAMBA.
4.2 ACTIVE DIRECTORY CONTROLLER (ADC)
4.2.1 Structure of Active Directory Controller
An Active Directory structure is a hierarchical framework of objects. The objects
fall into two broad categories: resources (e.g. printers) and security principals (user
or computer accounts and groups). Security principals are Active Directory objects
that are assigned unique security identifiers (SIDs) used to control access and set
security.
Each attribute object can be used in several different schema class objects. The
schema object exists to allow the schema to be extended or modified when
necessary. However, because each schema object is integral to the definition of
Active Directory objects, deactivating or changing these objects can have serious
consequences because it will fundamentally change the structure of Active Directory
itself. A schema object, when altered, will automatically propagate through Active
Directory and once it is created it can only be deactivated - not deleted. Changing
the schema usually requires a fair amount of planning.
A Site object in Active Directory represents a geographic location that hosts
networks. Sites contain objects called subnets. Sites can be used to assign Group
Policy, facilitate the discovery of resources, manage active directory replication
and manage network link traffic. Sites can be linked to other Sites. Site-linked
objects may be assigned a cost value that represents the speed, reliability, availability
or other real property of a physical resource. Site Links may also be assigned a
schedule.
All objects inside a common directory database are known as a domain. Each
domain stores information only about the objects that belong to that domain. A
tree consists of a single domain or multiple domains in a contiguous namespace. A
forest is a collection of trees and represents the outermost boundary within which
users, computers, groups and other objects exist. The Active Directory framework
that holds the objects can be viewed at a number of levels. At the top of the
structure is the forest. A forest is a collection of multiple trees that share a common
global catalog, directory schema, logical structure and directory configuration. The
forest, tree and domain are the logical parts in an Active Directory network.
The Active Directory forest contains one or more transitive, trust-linked trees. A
tree is a collection of one or more domains and domain trees in a contiguous
namespace, again linked in a transitive trust hierarchy. Domains are identified by
their DNS name structure, the namespace.
The objects held within a domain can be grouped into containers called
Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration
and can give a resemblance of the structure of the organization in organizational
or geographical terms. OUs can contain OUs - indeed, domains are containers in
this sense - and can hold multiple nested OUs. Microsoft recommends as few
domains as possible in Active Directory and a reliance on OUs to produce structure
and improve the implementation of policies and administration. The OU is the
common level at which to apply group policies, which are Active Directory objects
themselves called Group Policy Objects (GPOs), although policies can also be
applied to domains or sites. The OU is the level at which administrative powers
are commonly delegated, but granular delegation can be performed on individual
objects or attributes as well.
However, Organizational Units are just an abstraction for the administrator and do
not function as true containers; the underlying domain operates as if objects were
all created in a simple flat-file structure, without any OUs. By contrast, there are
other vendor directories such as Novell eDirectory that allow naming attribute
duplication across separate OUs. Each user logs in by specifying the context of
their account, which is similar to the current working directory of a file system.
Context normally operates in relative form: if the login prompt context is "staff-
ou.accounts-ou.organization", people with accounts in that specific OU need only
type their username "fred". But if the login prompt context were set to be one
level higher, at "accounts-ou.organization", people would need to specify the OU
within that context: "fred.staff-ou". Context can also be specified in absolute form
similar to an absolute directory path by using a leading period: ".fred.staff-
ou.accounts-ou.organization", which disregards the current login prompt context.
Because duplicate usernames cannot exist within separate OUs of a single Active
directory domain, unique account name generation poses a significant challenge
for organizations with hundreds to thousands of users that are part of a generalized
mass that can not be easily subdivided into separate domains, such as students in
a public school system or university that must be able to login on any computer
across the district buildings or campus network.
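The relative and absolute context rules described above, as an added example (Python; not code from the course text) that resolves a typed login name against the login prompt context and, in the other direction, works out the shortest name a user could type. The OU and user names are the ones used in the text.

```python
# Added example: resolving eDirectory-style login names against the prompt
# context. Names are dotted and read innermost-first ("fred.staff-ou...");
# a leading period marks an absolute name. Not code from the course text.

def resolve_login_name(typed: str, prompt_context: str) -> str:
    """Return the fully qualified name for what was typed at the login prompt.

    typed          - e.g. "fred", "fred.staff-ou" or
                     ".fred.staff-ou.accounts-ou.organization"
    prompt_context - the context the prompt is set to, e.g.
                     "staff-ou.accounts-ou.organization" (may be empty)
    """
    typed = typed.strip()
    if not typed:
        raise ValueError("empty login name")
    if typed.startswith("."):
        # Absolute form: the leading period says "ignore the prompt context".
        return typed[1:]
    if not prompt_context:
        return typed
    # Relative form: the typed components hang directly below the prompt context.
    return f"{typed}.{prompt_context}"


def shortest_typed_name(fqn: str, prompt_context: str) -> str:
    """Inverse view: the shortest thing a user could type for `fqn` at a prompt
    set to `prompt_context`. The relative form only works when the account
    lies somewhere under that context; otherwise the absolute form is needed."""
    suffix = "." + prompt_context
    if prompt_context and fqn.endswith(suffix):
        return fqn[: -len(suffix)]
    return "." + fqn


def same_object(typed_a, context_a, typed_b, context_b):
    """Do two logins, typed at prompts with different contexts, name the same
    account? The comparison is made on the resolved absolute names."""
    return (resolve_login_name(typed_a, context_a).lower()
            == resolve_login_name(typed_b, context_b).lower())
```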
Unlike Active Directory, Novell eDirectory allows organizational units and all users
within the OU to be assigned rights to an object, without having to create shadow
groups representing the users in each OU.
To make up for this non-automated deficiency, network administrators can write
their own custom scripts which periodically run on the server and use LDAP access
commands to add or remove users from groups representing the OUs of the users,
known as Shadow Groups. Microsoft refers to shadow groups in the Server 2008
Reference documentation, but does not explain how to create them. Once created,
these shadow groups are selectable in place of the OU in the administrative console
tools.
The naming of shadow groups is complicated by the fact that OUs can be nested
but groups cannot. Groups can only exist in the root of the domain and group
names are limited in length so matching the naming of a deeply nested string of
OUs for a very large domain is difficult.
Novell eDirectory supports the creation of user groups, but OUs can be natively
selected as the assigned owner of a secured resource, so shadow groups are
unnecessary.
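The shadow-group scripts described above, as an added example (Python; not from the course text and not Microsoft's own tooling): it finds the users under an OU including nested OUs, derives a group name that fits a length limit, and plans the membership changes. The sample directory, the 64-character limit and the use of the ldap3 library for the write-back are assumptions made for the example.

```python
import hashlib
import re

# Constructed sample directory (not real data): DN -> attributes. Users sit in
# nested OUs; the shadow group lives in the domain's Users container.
SAMPLE_DIRECTORY = {
    "OU=Accounts,DC=example,DC=test": {"objectClass": "organizationalUnit"},
    "OU=Staff,OU=Accounts,DC=example,DC=test": {"objectClass": "organizationalUnit"},
    "OU=Contractors,OU=Staff,OU=Accounts,DC=example,DC=test": {"objectClass": "organizationalUnit"},
    "CN=fred,OU=Staff,OU=Accounts,DC=example,DC=test": {"objectClass": "user"},
    "CN=alice,OU=Contractors,OU=Staff,OU=Accounts,DC=example,DC=test": {"objectClass": "user"},
    "CN=bob,OU=Accounts,DC=example,DC=test": {"objectClass": "user"},
    "CN=svc-backup,OU=Staff,OU=Accounts,DC=example,DC=test": {"objectClass": "computer"},
    "CN=Shadow-Staff,CN=Users,DC=example,DC=test": {
        "objectClass": "group",
        "member": [
            "CN=fred,OU=Staff,OU=Accounts,DC=example,DC=test",
            "CN=bob,OU=Accounts,DC=example,DC=test",  # bob has since moved out of Staff
        ],
    },
}


def split_dn(dn):
    """Split a DN into RDNs on commas that are not escaped with a backslash."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def is_under(dn, container_dn):
    """True if dn lies anywhere below container_dn (nested OUs included).
    DNs are compared case-insensitively, as the directory itself does."""
    return dn.lower().endswith("," + container_dn.lower())


def users_under_ou(directory, ou_dn):
    """The set of user DNs that belong in an OU's shadow group: user objects
    only (computers and nested OUs are skipped), at any nesting depth."""
    return {dn for dn, attrs in directory.items()
            if attrs.get("objectClass") == "user" and is_under(dn, ou_dn)}


def shadow_group_name(ou_dn, max_len=64):
    """Derive a group name from the chain of OU names, innermost first. Group
    names have a length limit (64 here is an assumed value): when the nested
    OU path would exceed it, truncate and append a short hash so that two
    deep OU paths with the same prefix still get distinct names."""
    rdns = [p.split("=", 1)[1] for p in split_dn(ou_dn) if p.upper().startswith("OU=")]
    name = "Shadow-" + "-".join(rdns)
    if len(name) <= max_len:
        return name
    tag = hashlib.sha256(ou_dn.lower().encode()).hexdigest()[:8]  # disambiguator only
    return name[: max_len - 9] + "-" + tag


def plan_shadow_group_changes(directory, ou_dn, group_dn):
    """Compare who should be in the shadow group with who is, returning
    (to_add, to_remove). Running this periodically keeps the group in step
    with moves into and out of the OU."""
    wanted = users_under_ou(directory, ou_dn)
    current = set(directory[group_dn].get("member", []))
    return sorted(wanted - current), sorted(current - wanted)


def apply_shadow_group_changes(conn, group_dn, to_add, to_remove):
    """Write the plan to a live directory with the ldap3 library (assumed
    installed; not exercised offline). Both edits target the group's
    multi-valued `member` attribute in a single modify operation."""
    from ldap3 import MODIFY_ADD, MODIFY_DELETE
    ops = []
    if to_add:
        ops.append((MODIFY_ADD, list(to_add)))
    if to_remove:
        ops.append((MODIFY_DELETE, list(to_remove)))
    return conn.modify(group_dn, {"member": ops}) if ops else True
```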
Although OUs form an administrative boundary, the only true security boundary is
the forest itself and an administrator of any domain in the forest must be trusted
across all domains in the forest.
Physically the Active Directory information is held on one or more equal peer
domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a
copy of the Active Directory, with changes on one computer being synchronized
(converged) between all the DC computers by multi-master replication. Servers
joined to Active Directory that are not domain controllers are called Member
Servers.
The Active Directory database is split into different stores or partitions. Microsoft
often refers to these partitions as 'naming contexts'. The 'Schema' partition contains
the definition of object classes and attributes within the Forest. The 'Configuration'
partition contains information on the physical structure and configuration of the
forest (such as the site topology). The 'Domain' partition holds all objects created
in that domain. The first two partitions replicate to all domain controllers in the
Forest. The Domain partition replicates only to Domain Controllers within its
domain. A subset of objects in the domain partition is also replicated to domain
controllers that are configured as global catalogs.
Active Directory replication is 'pull' rather than 'push'. The Knowledge Consistency
Checker (KCC) creates a replication topology of site links using the defined sites
to manage traffic. Intrasite replication is frequent and automatic as a result of
change notification, which triggers peers to begin a pull replication cycle. Intersite
replication intervals are less frequent and do not use change notification by default,
although this is configurable and can be made identical to intrasite replication.
A different 'cost' can be given to each link (e.g. DS3, T1, ISDN etc.) and the site
link topology will be altered accordingly by the KCC. Replication between domain
controllers may occur transitively through several site links on same-protocol site
link bridges, if the cost is low, although KCC automatically costs a direct site-to-
site link lower than transitive connections. Site-to-site replication can be configured
to occur between a bridgehead server in each site, which then replicates the changes
to other DCs within the site.
In a multi-domain forest the Active Directory database becomes partitioned. That
is, each domain maintains a list of only those objects that belong in that domain.
So, for example, a user created in Domain A would be listed only in Domain A's
domain controllers. Global catalog (GC) servers are used to provide a global listing
of all objects in the Forest. The Global catalog is held on domain controllers
configured as global catalog servers. Global Catalog servers replicate to themselves
all objects from all domains and hence, provide a global listing of objects in the
forest. However, in order to minimize replication traffic and to keep the GC's
database small, only selected attributes of each object are replicated. This is called
the partial attribute set (PAS). The PAS can be modified by modifying the schema
and marking attributes for replication to the GC.
Replication of Active Directory uses Remote Procedure Calls (RPC over IP [RPC/
IP]). Between Sites you can also choose to use SMTP for replication, but only for
changes in the Schema, Configuration or Partial Attribute Set (Global Catalog)
NCs. SMTP cannot be used for replicating the default Domain partition.
The Active Directory database, the directory store, in Windows 2000 Server uses
the JET Blue-based Extensible Storage Engine (ESE98), limited to 16 terabytes
and 1 billion objects in each domain controller's database. Microsoft has created
NTDS databases with more than 2 billion objects. (NT4's Security Account
Manager could support no more than 40,000 objects). Called NTDS.DIT, it has
two main tables: the data table and the link table. In Windows Server 2003 a third
main table was added for security descriptor single instancing. The features of Active
Directory may be accessed programmatically via the COM interfaces provided by
Active Directory Service Interfaces. Active Directory is a necessary component
for many Windows services in an organization such as Exchange, Security.
PDC Emulator (1 per domain): Provides backwards compatibility for NT4
clients for PDC operations (like password changes). The PDC emulator also
runs domain-specific processes such as the Security Descriptor Propagator
(SDPROP), and is the master time server within the domain.
4.2.2.2 Trust
• One-way trust - One domain allows access to users on another domain, but
the other domain does not allow access to users on the first domain.
• Trusting domain - The domain that allows access to users from a trusted
domain.
• Trusted domain - The domain that is trusted; whose users have access to the
trusting domain.
• Transitive trust - A trust that can extend beyond two domains to other trusted
domains in the forest.
• Intransitive trust - A one-way trust that does not extend beyond two domains.
Additional trusts can be created by administrators. These trusts can be:
• Shortcut
Windows Server 2003 offers a new trust type - the forest root trust. This type of
trust can be used to connect Windows Server 2003 forests if they are operating at
the 2003 forest functional level. Authentication across this type of trust is Kerberos
based (as opposed to NTLM). Forest trusts are also transitive for all the domains
in the forests that are trusted. Forest trusts themselves, however, are not transitive:
a trust between two forests does not extend to a third forest that either of them trusts.
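The trust rules above, as an added example (Python; not from the course text) that models trusts as a directed graph from trusting domain to trusted domain and answers, from an auditor's point of view, which domains will accept a principal from a given domain. The forest layout and domain names are constructed for the example.

```python
from collections import deque


class TrustGraph:
    """Trusts are stored from the trusting domain towards the trusted domain:
    principals of `trusted` may be granted access to resources in `trusting`."""

    def __init__(self):
        self.edges = {}  # trusting -> [(trusted, transitive, is_forest_trust)]

    def add_trust(self, trusting, trusted, transitive=True, two_way=False, forest=False):
        self.edges.setdefault(trusting, []).append((trusted, transitive, forest))
        if two_way:
            self.edges.setdefault(trusted, []).append((trusting, transitive, forest))

    def accepts(self, resource_domain, user_domain):
        """True if resource_domain will authenticate a principal from user_domain.
        Rules from the text: a direct trust of any kind suffices; an intransitive
        trust never extends beyond its two domains; transitive trusts chain; a
        forest trust covers the domains of both forests, but two forest trusts
        do not chain (at most one forest hop per path)."""
        if resource_domain == user_domain:
            return True
        if any(t == user_domain for t, _, _ in self.edges.get(resource_domain, [])):
            return True
        queue, seen = deque([(resource_domain, 0)]), set()
        while queue:
            domain, forest_hops = queue.popleft()
            for trusted, transitive, forest in self.edges.get(domain, []):
                if not transitive:
                    continue  # an intransitive trust cannot be a link in a chain
                hops = forest_hops + (1 if forest else 0)
                if hops > 1:
                    continue  # would carry the chain into a third forest
                if trusted == user_domain:
                    return True
                if (trusted, hops) not in seen:
                    seen.add((trusted, hops))
                    queue.append((trusted, hops))
        return False

    def domains_accepting(self, user_domain):
        """Audit view: every domain that would authenticate a principal from
        user_domain, i.e. the reach of one compromised account there."""
        domains = set(self.edges)
        for targets in self.edges.values():
            domains.update(t for t, _, _ in targets)
        return sorted(d for d in domains if self.accepts(d, user_domain))


def build_sample_trusts():
    """Constructed topology: forest 'corp.test' with two child domains, a
    partner forest joined by a forest trust, a third forest trusting only the
    partner, and an intransitive external trust to an NT4-style domain."""
    g = TrustGraph()
    # parent-child trusts inside a forest are two-way and transitive
    g.add_trust("corp.test", "eu.corp.test", two_way=True)
    g.add_trust("corp.test", "us.corp.test", two_way=True)
    g.add_trust("partner.test", "lab.partner.test", two_way=True)
    # forest trusts between forest roots
    g.add_trust("corp.test", "partner.test", two_way=True, forest=True)
    g.add_trust("partner.test", "third.test", two_way=True, forest=True)
    # one-way external trust: us.corp.test trusts nt4.test, intransitive
    g.add_trust("us.corp.test", "nt4.test", transitive=False)
    return g
```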
ADAM/AD LDS
Active Directory Application Mode (ADAM) is a light-weight implementation
of Active Directory. ADAM is capable of running as a service, on computers running
Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the
code base with Active Directory and provides the same functionality as Active
Directory, including an identical API, but does not require the creation of domains
or domain controllers.
There are also third-party vendors who offer Active Directory integration for Unix
platforms (including UNIX, Linux, Mac OS X and a number of Java- and UNIX-
based applications). Some of these vendors include Centrify (DirectControl),
Computer Associates (UNAB), CyberSafe Limited (TrustBroker), Likewise
Software (Open or Enterprise), Quest Software (Authentication Services), and
Thursby Software Systems (ADmitMac). The open source SAMBA software
provides a way to interface with Active Directory and join the AD domain to
provide authentication and authorization: version 4 (in alpha as of October 2009)
can act as a peer Active Directory domain controller. Microsoft is also in this
market with their free Microsoft Windows Services for UNIX product.
The schema additions shipped with Windows Server 2003 R2 include attributes
that map closely enough to RFC 2307 to be generally usable. The reference
implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com,
contains support for using these attributes directly, provided they have been
populated. The default Active Directory schema for group membership complies
with the proposed extension, RFC 2307bis. Windows Server 2003 R2 includes a
Microsoft Management Console snap-in that creates and edits the attributes.
An alternate option is to use another directory service such as 389 Directory Server
(formerly Fedora Directory Server) or Sun Microsystems Sun Java System Directory
Server, which can perform a two-way synchronization with Active Directory and
thus provide a "deflected" integration with Active Directory as Unix and Linux
clients will authenticate to FDS and Windows Clients will authenticate to Active
Directory. Another option is to use OpenLDAP with its translucent overlay, which
can extend entries in any remote LDAP server with additional attributes stored in
a local database. Clients pointed at the local database will see entries containing
both the remote and local attributes, while the remote database remains completely
untouched.
4.2.2.3 Adding Users and Computers to the Active Directory Domain
a) Click Start, point to Administrative Tools and then click Active Directory
Users and Computers to start the Active Directory Users and Computers
console.
b) Click the domain name that you created and then expand the contents.
e) Type a new password, confirm the password and then click to select one
of the following check boxes:
• Account is disabled
Click Next.
2) After you create the new user, give this user account membership in a group
that permits that user to perform administrative tasks. Because this is a
laboratory environment that you are in control of, you can give this user account
full administrative access by making it a member of the Schema, Enterprise
and Domain administrators groups. To add the account to the Schema,
Enterprise and Domain administrators groups, follow these steps:
b) In the Select Groups dialog box, specify a group and then click OK
to add the groups that you want to the list.
c) Repeat the selection process for each group in which the user needs
account membership.
d) Click OK to finish.
3) The final step in this process is to add a member server to the domain. This
process also applies to workstations. To add a computer to the domain, follow
these steps:
c) In the Computer Name Changes dialog box, click Domain under
Member of and then type the domain name. Click OK.
d) When you are prompted, type the user name and password of the
account that you previously created and then click OK.
Desktop Delivery Controller uses Active Directory for two main purposes:
When you create a farm, a corresponding Organizational Unit (OU) must be created
in Active Directory if you want desktops to discover the controllers in the farm
through Active Directory. The OU can be created in any domain in the forest that
contains your computers. As best practice the OU should also contain the delivery
controllers in the farm, but this is not enforced or required. A domain administrator
with appropriate privileges can create the OU as an empty container. The domain
administrator can then delegate administrative authority over the OU to the Desktop
Delivery Controller administrator. If the installing administrator has CreateChild
permissions on a parent OU, this administrator can also create the farm OU through
the Active Directory Configuration wizard during installation. You can use the
standard Active Directory Users and Computers MMC snap-in to configure these
permissions.
Note: Only standard Active Directory objects are created and used by Desktop
Delivery Controller. It is not necessary to extend the schema.
The set of objects created includes:
Ensure that all controllers have the 'Access this computer from the network'
privilege on all virtual desktops running the Virtual Desktop Agent. You can
do this by giving the Controllers security group this privilege. If controllers
do not have this privilege, virtual desktops will fail to register.
• A Service Connection Point (SCP) object that contains information about the
farm, such as the farm's name.
Note: If you use the Active Directory Users and Computers administrative
tool to inspect a farm OU, you may have to enable Advanced Features in the
View menu to see SCP objects.
If multiple administrators are likely to add and remove controllers after the initial
installation is complete, they need permissions to create and delete children on the
Registration Services container and Write properties on the Controllers security
group. Either the domain administrator or the original installing administrator can
grant these permissions and Citrix recommends setting up a security group to do
this.
The following points are important to bear in mind when you are using a farm OU
with Desktop Delivery Controller:
symptoms of such replication delay include desktops that cannot establish
contact with controllers and are, therefore, not available for user connections.
b) Compare your answers with the one given at the end of the Unit.
1) Explain Active Directory structure.
4.3 SAMBA
SAMBA is the standard Windows interoperability suite of programs for Linux and
Unix. SAMBA is Free Software licensed under the GNU General Public License,
and the SAMBA project is a member of the Software Freedom Conservancy. Since
1992, SAMBA has provided secure, stable and fast file and print services for all
clients using the SMB/CIFS protocol, such as all versions of DOS and Windows,
OS/2, Linux and many others. SAMBA is an important component to seamlessly
integrate Linux/Unix Servers and Desktops into Active Directory environments
using the winbind daemon.
SAMBA is a free software re-implementation, originally developed by Andrew
Tridgell, of the SMB/CIFS networking protocol. As of version 3, SAMBA provides
file and print services for various Microsoft Windows clients and can integrate
with a Windows Server domain, either as a Primary Domain Controller (PDC) or
as a domain member. It can also be part of an Active Directory domain.
SAMBA runs on most Unix and Unix-like systems, such as GNU/Linux, Solaris,
AIX and the BSD variants, including Apple's Mac OS X Server (which was added
to the Mac OS X client in version 10.2). SAMBA is standard on nearly all
distributions of Linux and is commonly included as a basic system service on
other Unix-based operating systems as well. SAMBA is released under the GNU
General Public License. The name SAMBA comes from SMB (Server Message
Block), the name of the standard protocol used by the Microsoft Windows network
file system.
SAMBA allows file and print sharing between computers running Windows and
computers running Unix. It is an implementation of dozens of services and a dozen
protocols, including the NetBIOS over TCP/IP (NBT), SMB, CIFS (an enhanced
version of SMB), DCE/RPC or more specifically, MSRPC, the Network
Neighborhood suite of protocols, a WINS server also known as a NetBIOS Name
Server (NBNS), the NT Domain suite of protocols which includes NT Domain
Logons, Secure Accounts Manager (SAM) database, Local Security Authority
(LSA) service, NT-style printing service (SPOOLSS), NTLM and more recently
Active Directory Logon which involves a modified version of Kerberos and a
modified version of LDAP. All these services and protocols are frequently
incorrectly referred to as just NetBIOS or SMB. The NetBIOS and WINS protocols
are deprecated on Windows.
SAMBA sets up network shares for chosen Unix directories (including all contained
subdirectories). These appear to Microsoft Windows users as normal Windows
folders accessible via the network. Unix users can either mount the shares directly
as part of their file structure using the smbmount command or, alternatively, can
use a utility, smbclient (libsmb) installed with SAMBA to read the shares with a
similar interface to a standard command line FTP program. Each directory can
have different access privileges overlaid on top of the normal Unix file protections.
For example: home directories would have read/write access for all known users,
allowing each to access their own files. However they would still not have access
to the files of others unless that permission would normally exist. Note that the
netlogon share, typically distributed as a read only share from /etc/SAMBA/
netlogon, is the logon directory for user logon scripts.
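The overlay of share-level settings on Unix permissions described above, as an added example (Python; not the course's own configuration or code): a minimal smb.conf reader and a function that derives what a user can actually do with one file through a share. The smb.conf fragment, the user and group names and the file modes are constructed for the example.

```python
import stat

# Constructed smb.conf fragment for this example (not the course's
# configuration): writable [homes] shares and a read-only [netlogon] share.
# Samba only treats lines that START with ';' or '#' as comments.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
[homes]
   comment = Home Directories
   browseable = no
   ; each user may write to their own home, subject to Unix permissions
   read only = no
   ; %S is the requested service name, which for [homes] is the user's name
   valid users = %S
[netlogon]
   comment = Logon scripts
   path = /etc/samba/netlogon
   read only = yes
   guest ok = no
"""

YES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            shares[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            shares[current][key.strip().lower()] = value.strip()
    return shares


def share_is_writable(share):
    """'read only' defaults to yes; 'writable'/'writeable' are its inverse
    synonyms (simplification: a synonym, if present, wins)."""
    for synonym in ("writable", "writeable"):
        if synonym in share:
            return share[synonym].lower() in YES
    return share.get("read only", "yes").lower() not in YES


def unix_access(mode, owner, group, user, user_groups):
    """Plain Unix permission check: (can_read, can_write) for `user`."""
    if user == owner:
        r, w = mode & stat.S_IRUSR, mode & stat.S_IWUSR
    elif group in user_groups:
        r, w = mode & stat.S_IRGRP, mode & stat.S_IWGRP
    else:
        r, w = mode & stat.S_IROTH, mode & stat.S_IWOTH
    return bool(r), bool(w)


def effective_access(share, service_name, user, user_groups, mode, owner, group):
    """What `user` can do with one file through a share: the share settings are
    overlaid on the Unix mode, so the answer is whatever BOTH allow.
    Returns "write", "read" or "none"."""
    valid = [v.strip().replace("%S", service_name).replace("%U", user)
             for v in share.get("valid users", "").split(",") if v.strip()]
    if valid and user not in valid:
        return "none"  # denied at the share level, Unix bits never consulted
    can_read, can_write = unix_access(mode, owner, group, user, user_groups)
    if not can_read:
        return "none"  # e.g. another user's private file in a writable share
    if can_write and share_is_writable(share):
        return "write"
    return "read"  # e.g. netlogon: Unix allows writing but the share does not
```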
SAMBA services are implemented as two daemons:
• smbd, which provides the file and printer sharing services and
SAMBA 2.0
After years of 1.x and in particular 1.9.x releases, SAMBA 2.0 brought new levels
of protocol completeness to the SAMBA project and initial support for becoming
a domain member.
SAMBA 2.2
SAMBA 3.0
With the introduction of SAMBA 3.0, SAMBA finally used the Unicode character
representation when talking to network clients, solving many issues in non-English
environments. SAMBA 3.0 also featured a vastly improved domain controller and
support for being a client of Active Directory.
4.3.2 SAMBA as a DC
SAMBA 2.2 and in particular SAMBA 3.0 grew to include the ability to be an
NT4 compatible domain controller, a functionality that even allows SAMBA to
'take over' an existing Windows network. This has allowed many sites to remove
Windows servers entirely from their networks. Because SAMBA 3.0 implements
the full requirements of an NT4 DC, it can be used to host some of the legacy
parts of the protocol, not yet found in SAMBA4 - in particular, NetBIOS name
registration and NETLOGON requests.
Patches have been proposed (and some already accepted) to allow this piece of
SAMBA3 infrastructure to handle these roles, in the SAMBA framework.
• Heimdal Kerberos
• HDB Back-end
Within Heimdal, there is an abstraction layer that separates the password database
from the rest of the Kerberos implementation. In the unmodified code, this allows
the administrator to select between an LDAP back-end and a simple key-value
database. It is this interface that this project will extend, with a new 'ldb' back-
end to be provided.
• Heimdal/SAMBA Integration
• Clapd
Clapd is a simple Connectionless LDAP daemon, written as part of the IBM research
effort and designed to answer the basic requests that a Windows client makes over
connectionless LDAP. At present, it is functional to the extent required for my
domain join test, but has failed for others. It will need to be rewritten and properly
integrated into the SAMBA system.
• BIND
An Active Directory domain is strongly based on a DNS domain, particularly due
to the tight integration between Kerberos and DNS and the fact that this allows a
move to a hierarchical name space. No modifications have been required to the
BIND software and only the installation of configuration files is required. In the
future, changes to BIND will be required to support Microsoft's dynamic DNS
update scheme.
b) Compare your answer with the one given at the end of the Unit.
Explain SAMBA.
4.4 LET US SUM UP
This unit covers the detailed descriptions of the Active Directory Controller and
SAMBA. An Active Directory structure is a hierarchical framework of objects.
The objects fall into two broad categories: resources (e.g. printers) and security
principals (user or computer accounts and groups). Security principals are Active
Directory objects that are assigned unique security identifiers (SIDs) used to control
access and set security. SAMBA is a free software re-implementation, originally
developed by Andrew Tridgell, of the SMB/CIFS networking protocol. As of version
3, SAMBA provides file and print services for various Microsoft Windows clients
and can integrate with a Windows Server domain, either as a Primary Domain
Controller (PDC) or as a domain member. It can also be part of an Active Directory
domain.
4.5 CHECK YOUR PROGRESS: THE KEY
Check Your Progress 1
1) The Active Directory structure and storage architecture consists of four parts:
ii) Domain Name System (DNS) support for Active Directory: DNS
provides a name resolution service for domain controller location and a
hierarchical design that Active Directory can use to provide a naming
convention that can reflect organizational structure.
iii) Schema: The schema provides object definitions that are used to create
the objects that are stored in the directory.
iv) Data store: The data store is the portion of the directory that manages
the storage and retrieval of data on each domain controller.
Schema partition - Defines rules for object creation and modification for all
objects in the forest. Replicated to all domain controllers in the forest, it is
known as an enterprise partition.
Domain partition - Has complete information about all domain objects (objects
that are part of the domain including OUs, groups, users and others). Replicated
only to domain controllers in the same domain.
Partial domain directory partition - Has a list of all objects in the directory with
a partial list of attributes for each object.
3) Active Directory is integrated with Domain Naming System (DNS) and requires
it to be present to function. DNS is the naming system used for the Internet
and on many Intranets. You can use DNS which is built into Windows 2000
and newer or use a third party DNS infrastructure such as BIND if you have
it in the environment. It is recommended you use the Windows DNS service as it
is integrated into Windows and provides the easiest functionality. AD uses DNS
to name domains, computers, servers and locate services. A DNS server maps
an object's name to its IP address. In an Active Directory network, it is used
not only to find domain names, but also objects and their IP address. It also
uses Service location records (SRV) to locate services.
MPDD-IGNOU/P.O. 1T/September, 2011
ISBN: 978-81-266-5568-7