Chapter Three

Network-and-System-Administration course ppt

Uploaded by

Habtamu Molla

Chapter Three

User Administration Concepts & Mechanisms
User Administration
• What is user administration?
• Manage the individuals who can access ServiceNow by defining them as users in the system and assigning them to groups.
• Members of the User Administrator role can add users to or remove users from Planning Server.
• They can also manage membership for the Modeler, Data Administrator, and User Administrator roles, but not the Global Administrator role.
• To administer any part of the Planning Server system or to access business data, users must be assigned to Planning Server roles.
Cont’d…
• You must add users to the Planning Server system before they
can be assigned to roles or use Planning Server applications.
• Users must have valid domain accounts.
• On the User Administrator Role page, users who currently
belong to the role are listed in the User ID column next to the
appropriate application or model site.
• Except for the Global Administrator role, which has a system-
wide scope, administrative roles have either an application scope
or a model-site scope.
Cont’d…
• Application scope permissions apply for all model sites in the
application.
• Model-site scope permissions apply only for the specific model
site.
• You must belong to the Global Administrator or User
Administrator role to add users to or remove users from the User
Administrator role.
• Before you can add a user to any Planning Server role, the user
must first be added to Planning Server from the Users page.
SAS User Administration
• In order to make access distinctions and track user activity, a
security system must know who is making each request.
• In the platform, the primary user administration task is to store
each user's external account ID in the SAS metadata.
• SAS uses its copy of these IDs to establish a unique SAS identity
for each connecting user.
• All of a user's metadata layer memberships, permissions, and
capabilities are ultimately tied to the user's SAS identity.
Cont’d…
• Note: It is not necessary to store passwords in the SAS metadata
for the purpose of identifying a user.
• SAS identity is determined by examining stored user IDs, not by
examining stored passwords.
• Note: For some service identities and metadata administrators,
you can use a SAS internal account instead of a stored SAS copy
of an external account ID
Who Can Manage Users, Groups, and Roles?

• In the initial configuration for a new deployment, the SAS Administrators group has the user administration role, so members of that group can perform almost all user management tasks.
User capabilities
• The following table outlines the distribution of user administration
capabilities.
Cont’d…
Cont’d…
• For restricted user administrators (users who have the user administration role but are not unrestricted), the following constraints apply:
• Restricted user administrators cannot update the unrestricted role.
• To update or delete an identity, restricted user administrators must have the Write Metadata permission for that identity.
• For example, you can prevent a restricted user administrator from updating User A’s metadata definition by taking away his or her default grant of the Write Metadata permission (on User A’s Authorization tab, explicitly deny the Write Metadata permission to the restricted user administrator).
Cont’d…
• To change a role's capabilities, restricted user administrators must have the Write Metadata permission for the associated software component.
• To access user management features in SAS Management Console, restricted user administrators must have the User Manager capability.
Groups of users
Both Unix and NT allow users to belong to multiple groups.
A group is an association of usernames which can be referred to
collectively by a single name.
Cont’d…
• NT also allows the creation of groups.
• Groups are created by command, rather than by file editing, using: net group groupname /ADD
• Users may then be added with the syntax: net group groupname username1 username2... /ADD
• Groups can also be edited with the GUI on a local host.
• NT distinguishes global groups (consisting only of domain registered users) from local groups, which may also contain locally registered users.
• Some standard groups are defined by the system, e.g. Administrators, Users and Guest.
• The Administrators group has privileged access to the system.
Account policy
• Most organizations need a strict policy for assigning accounts and opening the
system for users.
• Users are the foremost danger to a computing system, so the responsibility of
owning an account should not be dealt out lightly.
• There are many ways in which accounts can be abused.
• Users can misuse accounts for villainous purposes and they can abuse the
terms on which the account was issued, wasting resources on personal
endeavors.
• For example, in Norway, where education is essentially free, students have
been known to undergo semester registration simply to have an account, giving
them essentially free access to the Internet and a place to host their web sites.
Cont’d…
• Policy rules are required for guiding user behavior, and also for making system
rules clear.
• Experience indicates that simple rules are always preferable, though this is so
far unsubstantiated by any specific studies.
• A complex and highly specific rule, that is understood only by its author, may
seem smart, but most users will immediately write it off as being nonsense.
• Such a rule is ill advised because it is opaque.
• The reason for the rule is not clear to all parties, and thus it is unlikely to be
respected.
Cont’d…
• What should an account policy contain?
1. Rules about what users are allowed/not allowed to do.
2. Specifications of what mandatory enforcement users can expect,
e.g. tidying of garbage files.
• Any account policy should contain a clause about weak passwords.
• If weak passwords are discovered, it must be understood by users
that their account can be closed immediately.
• Users need to understand that this is a necessary security initiative.
The privileged account’s or super user’s Environment
User support services
• All users require help at some time or another.
• The fact that normal users are not privileged users means
that they must occasionally rely on a super user to clean up a
mess, or fix a problem which is beyond their control.
• If we are to distinguish between privileged and non-
privileged users, we cannot deny users this service.
Support policy
• The amount of support that one offers users is a matter of policy.
• One has the choice between supporting users directly, and investing
time in making them self-sufficient.
• Which of these two strategies pays most dividends depends on the
nature of the problem.
• In almost all cases both strategies are needed. Thus one looks for a
mixture of the following:
• Training users.
• Helping users.
• Documenting and providing the answers to frequently asked
questions.
Cont’d…
• The proportion of time spent on each must be chosen as policy.
• System administrators’ time is usually in short supply, though
increased automation is steadily freeing us to concentrate on
higher level problems, like support.
• The ability to support a system depends on its size in relation to
the available resource personnel.
• Supporting hardware and software means fixing errors, upgrading
and perhaps providing tuition or telephone help-desks.
Cont’d…
• E-mail help-desks such as Rust, Gnats, Nearnet, Netlog, PTS and QueueMH can assist in the organization of support services, but they are mainly task-tracking tools.
• Sometimes hosts and software packages are labelled unsupported in order to
emphasize to users that they are on their own if they insist on using those
facilities.
• One of the challenges system administrators sometimes have to endure on
coming to a new site, where chaos reigns, is the transition from anarchy to a
smaller set of supported platforms and software.
Cont’d…
• This can be a tough problem, since users always prefer freedom to
restriction.
• Support services need to be carefully considered and tailored to
each local environment.
User Identification and Authentication Concepts
• The modern world needs people with a complex identity:
• who are intellectually autonomous and prepared to cope with uncertainty;
• who are able to tolerate ambiguity and not be driven by fear into a rigid, single-solution approach to problems;
• who are rational, foresightful and who look for facts;
• who can draw inferences and can control their behavior in the light of foreseen consequences;
• who are altruistic and enjoy doing for others; and
• who understand social forces and trends.
Security Landscape
Information is an asset for today’s organizations and
individuals. Information may be less or more important and
very often has a monetary value. The disclosure, improper
modification, or unavailability of information may incur
expenses (loss) or missed profits for the organization or the
individual. Therefore, most organizations and individuals
protect information to a certain extent.
IT security is the science of protecting information.
Cont…

• The information assets of a business organization are owned by a business owner, and those of an individual are owned by the actual individual.
• Organizations delegate the responsibility of protecting information assets to:
  • the IT department,
  • the Information Security department, or
  • the Information Risk Management department.
• Individuals typically protect their own resources, but they may interact with other individuals and organizations, and may seek advice or transfer protection responsibilities to other individuals and organizations.
• Both organizations and individuals typically have three main requirements for information asset protection:
Confidentiality
• Information protection from disclosure to unauthorized individuals and other organizations.
• Information that represents a patent, a trade secret, most types of military information, or financial information are examples of information that typically needs protection from disclosure. The company payroll information is normally a resource that requires protection from unauthorized disclosure.
Integrity
• Information protection from accidental or intentional modification that may affect data validity.
• Financial transactions are a typical example of an information asset that requires integrity protection. If an individual wants to transfer $1000 and someone modifies the amount to $20,000, it does make a difference.
Availability
• Information and services that expose information to organizations and individual users must be available when users need them.
• If an online Web banking application uses very secure technologies for user authentication, information encryption, and signing but the site is down and not available to users who need it, then it will hardly meet protection requirements.
Authentication, Authorization, and Accounting
• Whether a security system serves the purposes of information asset protection or provides for general security outside the scope of IT, it is common to have three main security processes working together to provide access to assets in a controlled manner.
• These processes are:
Cont…

• Authentication: often referred to as Identification and Authentication; determining and validating user identity.
• Authorization: providing users with the access to resources that they are allowed to have and preventing users from accessing resources that they are not allowed to access.
• Accounting: providing an audit trail of user actions. This is sometimes referred to as auditing.
• The following sections discuss these three processes and the relationship between them.
Cont…

User Logon Process
• Authentication and authorization work very closely together, and it is often difficult to distinguish where authentication finishes and where authorization starts.
• In theory, authentication is only supposed to ascertain the identity of the user.
• Authorization, on the other hand, is only responsible for determining whether or not the user should be allowed access.
• To provide for the logical interdependence between authentication and authorization, operating systems and applications typically implement the so-called user logon process (or login process, also sign-in process).
Cont…

• The logon process provides for user identification; it initiates an authentication dialogue between the user and the system, and generates an operating system or application-specific structure for the user, referred to as an access token.
• This access token is then attached to every process launched by the user, and is used in the process of authorization to determine whether the user has or has not been granted access.
Cont..
The access token structure sits in between user authentication
and authorization.
The access token contains user authorization information but this
information is typically provided as part of the user identification
and authentication process.
The logon process can also perform non-security-related tasks.
For example, the process can set up the user work environment
by applying specific settings and user preferences at the time of
logon.
Accounting
Users are responsible for their actions in a computer system.
Users can be authorized to access a resource; and if they access it, the operating system or application needs to provide an audit trail that gives historical data on when and how a user accessed a resource.
On the other hand, if a user tries to access a resource and is not allowed to do so, an audit trail is still required to determine an attempt to violate system authorization and, in some cases, authentication policies.
Cont…
Accounting is the process of maintaining an audit trail for user
actions on the system.
Accounting may be useful from a security perspective to determine
authorized or unauthorized actions;
it may also provide information for successful and unsuccessful
authentication to the system.
Accounting should be provided, regardless of whether or not
successful authentication or authorization has already taken place.
A user may or may not have been able to authenticate to the system,
and accounting should provide an audit trail of both successful and
unsuccessful attempts.
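The logon process, access token and audit trail described in the slides above can be modelled in a few lines. This is an added example, not part of the original slides; the class and function names, the accounts, the passwords and the `payroll.xlsx` resource are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessToken:
    """Built once at logon; carries the identity and group memberships."""
    user: str
    groups: frozenset


class LogonService:
    def __init__(self, acl):
        self._accounts = {}    # user -> (salt, derived key, groups)
        self._acl = {res: frozenset(g) for res, g in acl.items()}
        self.audit_trail = []  # accounting: one record per attempt

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password, groups):
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._derive(password, salt), frozenset(groups))

    def _record(self, user, action, outcome):
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "outcome": outcome,
        })

    def logon(self, user, password):
        """Authentication: validate identity, then issue the access token."""
        account = self._accounts.get(user)
        salt, stored, groups = account or (b"\x00" * 16, b"", frozenset())
        # Always derive and compare, so unknown users cost the same work.
        matches = hmac.compare_digest(self._derive(password, salt), stored)
        ok = account is not None and matches
        self._record(user, "logon", "success" if ok else "failure")
        return AccessToken(user, groups) if ok else None

    def access(self, token, resource):
        """Authorization: decided from the token alone, no password needed."""
        allowed = bool(token.groups & self._acl.get(resource, frozenset()))
        outcome = "granted" if allowed else "denied"
        self._record(token.user, "access:" + resource, outcome)
        return allowed


def demo():
    """Constructed accounts, passwords and resource; returns the audit trail."""
    svc = LogonService(acl={"payroll.xlsx": {"payroll"}})
    svc.add_user("alice", "constructed-pass-1", {"users", "payroll"})
    svc.add_user("bob", "constructed-pass-2", {"users"})

    svc.logon("bob", "wrong-guess")              # failed authentication
    bob = svc.logon("bob", "constructed-pass-2")
    svc.access(bob, "payroll.xlsx")              # authenticated, not authorized
    alice = svc.logon("alice", "constructed-pass-1")
    svc.access(alice, "payroll.xlsx")
    svc.logon("mallory", "anything")             # unknown account
    return [(e["user"], e["action"], e["outcome"]) for e in svc.audit_trail]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Every attempt lands in the audit trail, including the failed logon and the denied access, which is the property the Accounting slides ask for.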
Bypassing Authentication
• If an attacker does not have a username and a password or other credentials, and is not able to authenticate to a system, he may try to bypass the authentication process.
• This can be accomplished in a number of ways, depending on the application, and the type of access that attackers have to the computer where the application is running.
• If an application is running locally on a computer, and an attacker has physical access to this computer, then the attacker can potentially obtain administrative privileges, which may well be already available or may be obtained by privilege escalation.
• Once the attacker has administrative access, he can typically access all files and processes on the local computer, which allows him to debug running applications or swap files on the file system.
Cont…
The attacker can therefore debug an application that requires
authentication, and potentially modify the application to replace the
command or statement that compares the user password with
commands that do nothing or return successful authentication. The
user can then access the application.
The modification can be performed for either code that is already in
memory or for executable files on the file system, and take effect
the next time the executable is launched.
To protect against such attacks, the operating system can implement
tools that detect and potentially alert the administrator or the user if
they determine that the content of the file has been changed.
Cont…
• This includes software that scans files on the file system and saves their hashes in a hash database, as well as signed executables.
• The above authentication bypassing technique is more difficult to implement for network servers, unless the server is vulnerable to some attack over the network, where techniques such as smashing the application stack can be used to launch arbitrary code, or obtain administrative or local access.
• However, there are other approaches for bypassing authentication to network servers.
• One common approach is authentication to Web resources. Very often, these resources are published with anonymous authentication.
Default Passwords
• One of the major challenges of secure user authentication is represented by default passwords.
• Many software and hardware vendors assign default passwords for built-in users in their operating systems, software, and hardware.
• Very often, system architects and engineers implementing a solution are too busy concentrating on the business functionality and features of the system or application, and security is often left in second place.
• If the system designer or implementer fails to change the default passwords, someone else who knows or guesses what the device is, and who happens to have network access to it, can authenticate accordingly.
• System designers and engineers should always change the default passwords on all devices.
Privilege Escalation
• During the logon process, a user authenticates using a set of credentials.
• When a user tries to access resources, this request is actually performed by processes running on behalf of the user, which use the user's access token to be authorized by resource servers.
• In some cases, users may be able to find a security hole in an application or an operating system. Very often, a service or an application may be running with its own account on a server. This account may have limited or unrestricted access privileges.
Cont…
• By providing invalid input, an attacker can change the authentication logic of the service or application and assume the credentials of this application.
• A popular attack of this type is represented by the stack overflow attack.
• By providing invalid parameters (typically strings longer than the buffer reserved for user input by the application), an attacker can inject code and an incorrect return address pointing to the injected code into the application stack.
• This may force the application to execute arbitrary code using its own privileges.
• The risk of privilege escalation attacks can be mitigated by strict checking of input parameters and other secure code writing techniques.
Obtaining Physical Access
• Security is not only a matter of strong authentication mechanisms, secure code, and cryptography.
• There are multiple other factors that affect the security of a system, and physical security is one of them.
• If an attacker has physical access to a computer, he may be able to bypass or alter authentication mechanisms and easily get to the resources he wants to access, even without authenticating.
• For example, if an attacker is able to steal or temporarily be in possession of a laptop with confidential files, this attacker can boot into an operating system of his choice, such as a live Linux operating system available on a CD, and access files on the file system of the laptop while completely bypassing local authentication mechanisms imposed by the operating system installed on the laptop.
Cont…
Alternatively or in addition, an attacker can steal the password
database from the laptop and launch offline attacks against it to
crack usernames and passwords.
The attacker can then use cracked usernames and passwords to
authenticate and access resources, which may even leave an
audit trail as if a valid user authenticated to the system and
accessed resources.
Another physical access attack method would be to modify the
password of a user in the local security database on the laptop.
What is scripting?
• Simply put, a script is a small, interpreted program that can carry out a series of tasks and make decisions based on specific conditions it finds.
• By "interpreted," we mean that when it is run, it is carried out
one line at a time, as opposed to "compiled," which is the
process of turning it into machine language before it is run.
• A script is created using ASCII text, so Windows Notepad or a
similar text editor is the only tool required.
Cont’d…
• A number of scripting "languages" are available for you to
choose from, each with its own capabilities and limitations.
• These languages include Windows native shell scripting, Visual
Basic Scripting Edition, JavaScript, Kixtart, and Perl.
• Which one you choose will ultimately depend on a combination
of the tasks required and your own experience and inclinations.
How is scripting used?
• Scripting lets you automate various network administration tasks, such
as those that are performed every day or even several times a day.
• For example, login scripts run every time a user logs in to the network and can perform tasks like mapping network drives for the user based on certain conditions, such as group membership.
• Another example of script use might be a situation where you want to
have each Windows NT server create a new Emergency Restore Disk
and then copy the contents of that disk to a network location.
Cont’d…
• Other tasks might need to be carried out only once, such as a modification to the registry, but on a large number of servers that are widely distributed geographically.
• In a case like this, you could create and distribute a single script
to run the task on each server.
Cont’d…
• You can start scripts manually, but you can also start them automatically,
either by a specific event or scheduled via the Windows Task Scheduler.
• Windows NT allows scripts to be run automatically each time a user logs
in to the network.
• Windows 2000 goes much further and can be configured to automatically
run separate scripts upon:
• Machine startup, Machine shutdown, User login, User logout
• You could, for instance, map specific network drives when a user logs in
and then automatically copy that user's Favorites folder to a network share
when he or she logs out so that the data is preserved in a central location.
Shell scripting
• A shell is more than an interface that allows a user to communicate with, or issue
commands directly to, the operating system.
• The concept of a shell has been around in UNIX for many years.
• In fact, there are several shells in the UNIX world, each with its own features and
commands that make it suitable for various tasks.
• In Windows, there is no such diversity.
• You have only one shell, the Windows shell, which is built into the operating system.
• And you are undoubtedly already familiar with the interface, although you probably
call it the command prompt or, if you're a real old-timer, perhaps the DOS prompt.
• Technically speaking, it's called a command shell and is run by executing the file
Cmd.exe, found in C:\Winnt\System32.
• Probably the easiest way to run it is to simply click Start | Run, type cmd in the text
box, and click OK, or create a shortcut to Cmd.exe.
Cont’d…
• The Windows shell comes with a set of built-in commands, many of which are well
known and commonly used, such as dir, copy, del, cd, etc.
• Commands and their associated parameters are usually issued one at a time at the
command line.
• More important for our purposes is the fact that commands can also be used in a
batch mode.
• That is, using a text editor, you can write a separate command on each line, saving
the finished product with the extension of either .bat or .cmd.
• This turns the text file into an executable that will be run as an interpreted program,
carrying out each command one line at a time, in order. This is what we call shell
scripting.
Cont’d…
• Although the Windows scripting language is far from being a full-scale programming language, it does come with some useful commands and features that allow it to have some of the flexibility you'd expect to find in a program. Some of these features are:
Conditional processing
• You can have your script test to see whether a certain condition exists, and if it does, do
one thing, and if it doesn't, do something else.
Error trapping
• Every time a command is carried out, Windows generates an error level, with error level
0 being "no error."
• This allows you to include a provision in your script to gracefully exit from an error it
might encounter.
System variables
• Information about a given computer and the user who is logged on to that computer can
be found in the registry, at HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
• Some of that information, which can be of use in scripting, is available in the form of
system variables.
• To get an idea of what is available, you can open the command shell and type the
command set.
• This will display a list of all the system variables and their current values.
• These can then be referenced in a script by bracketing them with the percent symbol.
• For instance, %username% will refer to the username of whoever is currently logged on
to the computer.
• An example of its use would be to copy the current user's Favorites folder and all
subfolders on the local machine to that user's home folder on the server:
Windows Scripting Host
• The Windows Scripting Host (WSH) is a set of three files (Wscript.exe,
Cscript.exe, and Wsh.ocx) that provide an environment for other scripting
languages to run in.
• Built into the WSH are two "engines" for the scripting languages Visual Basic Scripting Edition (VBS) and JScript, which is a Microsoft version of JavaScript.
• You can also load engines for other scripting languages, such as Perl or REXX, if you want.
• Although the shell scripting language remains a fixed part of the operating system,
WSH can be separately updated and upgraded, since it exists as separate files.
• In addition, it can be installed on several versions of Windows.
• To determine which version is currently installed, type cscript at the command
shell.
Cont’d…

• The WSH makes use of a rather strange concept called an object model, which can take some getting used to for a newcomer to scripting and programming.
• Each object has a set of methods associated with it.
• The root object for WSH is called WScript, and from it, other objects
can be created and used within scripts to accomplish tasks.
• Both VBS and JScript are object-based languages, and each uses its own
object model that works in conjunction with the WSH object model.
