<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=3//-->
<!--PAGES=100-103//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="098-100.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="103-106.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P>Why not simply itemize all of the permission interpretations and allow users to individually grant or deny these? The NT and UNIX designers alike were making a tradeoff for simplicity over granularity. Rather than explicitly creating a permission for more than a dozen different access rights, grouping and overloading were allowed to <I>simplify</I> the administrator’s task.</P>
<P>You can also assign the Special Access permission to a file; it gives the designated user the ability to explicitly specify the individual special permissions (R, W, X, D, and P) for the object.</P>
<P>The Windows NT interface for viewing or changing permissions can be confusing to read. When you view the permissions for an object, they are itemized for each subject (user or group). Each line in the lower portion of the display shows the subject and its access permissions. The access permissions include the standard permission name and two sets of special permissions: the first set itemizes the special permissions allowed on subfolders (subdirectories), and the second lists the special permissions for files within the current folder. These sets are not always equal, as Tables 3.4 and 3.5 show.</P>
<P>A user can gain access either through permissions granted individually to the user or through permissions defined for any group to which the user belongs. Access permissions are interpreted according to the least privilege principle: <I>any expressly denied permission overrides any granted permission</I>. For example, if a user belongs to a group that has Read access but the user is explicitly entered in an ACE with No Access, the user will not be allowed to access the object. No Access overrides any other permissions.</P>
<P>Access control can also be specified for other objects in the NT environment, including printers. Not all of the access control options identified here are available for all objects, however.</P>
<P><FONT SIZE="+1"><B>NT Registry Permissions</B></FONT></P>
<P>The NT Registry is the main repository for system configuration information. As applications are added to the system, additional Registry entries are created. It is safe to say that the Registry is mysterious even to experienced systems administrators. Microsoft has responded to some security advisories by creating new Registry entries or by recommending changes to default values stored in the Registry.</P>
<P>Because the Registry is so critical to the operation of NT itself, a set of access control permissions is defined for Registry entries. Each entry consists of a <I>key</I> and a <I>value</I>. Technically, the value can be a complex expression such as a string of characters. Entries are arranged hierarchically, much like a file system. Unfortunately, many parts of the Registry must be readable by all users, but not all users should be allowed to change Registry entries. Just as NTFS supports standard and special permissions, the Registry has three <I>standard</I> access permissions and 10 <I>special</I> access permissions. Table 3.6 summarizes the standard Registry permissions, and Table 3.7 describes the special permissions.</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 3.6</B> Standard Registry Permissions</CAPTION>
<TR><TH COLSPAN="2"><HR></TH></TR>
<TR><TH WIDTH="20%" ALIGN=LEFT>Permission</TH><TH WIDTH="80%" ALIGN=LEFT>Interpretation</TH></TR>
<TR><TH COLSPAN="2"><HR></TH></TR>
<TR><TD>Full Control</TD><TD>Edit, create, delete, or take ownership of Registry entries</TD></TR>
<TR><TD>Read</TD><TD>Read any key value</TD></TR>
<TR><TD>Special Access</TD><TD>Any combination of the 10 special permissions</TD></TR>
<TR><TH COLSPAN="2"><HR></TH></TR>
</TABLE>
<P>
</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 3.7</B> Special Registry Permissions</CAPTION>
<TR><TH COLSPAN="2"><HR></TH></TR>
<TR><TH WIDTH="30%" ALIGN=LEFT>Permission</TH><TH WIDTH="70%" ALIGN=LEFT>Interpretation</TH></TR>
<TR><TH COLSPAN="2"><HR></TH></TR>
<TR><TD>Query Value</TD><TD>Read a value for a key or subkey</TD></TR>
<TR><TD>Create Subkey</TD><TD>Set the value of a subkey</TD></TR>
<TR><TD>Enumerate Subkeys</TD><TD>List all subkeys within a key or subkey</TD></TR>
<TR><TD>Notify</TD><TD>Receive notifications generated by this key or subkey</TD></TR>
<TR><TD>Create Link</TD><TD>Create symbolic links to subkeys</TD></TR>
<TR><TD>Delete</TD><TD>Delete keys or subkeys</TD></TR>
<TR><TD>Write DAC</TD><TD>Modify the DAC for this key</TD></TR>
<TR><TD>Write Owner</TD><TD>Take ownership of a key or subkey</TD></TR>
<TR><TD>Read Control</TD><TD>Read security information for a subkey</TD></TR>
<TR><TH COLSPAN="2"><HR></TH></TR>
</TABLE>
<P>Just as file access permissions are set by default for NT, Registry permissions are also configured when NT is installed.
</P>
<H3><A NAME="Heading19"></A><FONT COLOR="#000077">How Hackers Get around Access Control</FONT></H3>
<P>Postings in cyberspace as well as recent books have detailed some of the attacks and recommended configurations for NT systems (Sheldon, 1997; Anonymous, 1997; Klander, 1997). Chapter 10, “Intrusion Detection for NT,” is devoted exclusively to describing what can go wrong on NT systems and why intrusion detection is needed despite NT’s C2 rating. The literature on problems with UNIX systems is immense, with Garfinkel and Spafford (1996) on most recommended reading lists.
</P>
<P>In Part 2 of this book, some specific hack attacks will be detailed. For the purposes of this chapter, it is sufficient to state that access control problems can be narrowed down to one of two cases:</P>
<DL>
<DD><B>•</B> Access control rules defined for an object are too permissive, and the hacker exploits a weakness introduced by this configuration. This situation can be the result of a configuration problem by the vendor, by the administrator, or by a program when it creates the object.
<DD><B>•</B> A user can increase rights or privileges, with the goal of gaining Administrative or root access. Remember, this is usually the result of a software bug.
</DL>
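<P>As an added example that is not the book's code, the following Python models the evaluation rule described earlier in this chapter (permissions granted to the user and to all of the user's groups are combined, and any expressly denied entry overrides them), the Registry standard and special permissions of Tables 3.6 and 3.7, and a check for the first failure case listed above (access control rules that are too permissive). The expansion of the standard Read permission into special permissions, the write-like set, and the sample ACL are assumptions, not taken from the book.</P>

```python
# Added example, not the book's code: a model of NT Registry permission
# evaluation as the chapter describes it. Expanding the standard "Read"
# permission into special permissions is an assumption (Win32's KEY_READ).
from dataclasses import dataclass
SPECIAL = frozenset({  # the nine special permissions named in Table 3.7
    "Query Value", "Create Subkey", "Enumerate Subkeys", "Notify",
    "Create Link", "Delete", "Write DAC", "Write Owner", "Read Control"})
STANDARD = {  # Table 3.6; "No Access" is an expressly denied entry
    "Full Control": SPECIAL,
    "Read": frozenset({"Query Value", "Enumerate Subkeys", "Notify",
                       "Read Control"}),  # assumption, see above
    "No Access": frozenset()}
WRITE_LIKE = frozenset({"Create Subkey", "Create Link", "Delete",  # rights that
                        "Write DAC", "Write Owner"})  # change a key or its DAC

@dataclass
class Ace:
    subject: str        # user or group name
    rights: frozenset   # special permissions; empty on a deny means all
    deny: bool = False

def ace(subject, perm, deny=False):
    """ACE from a standard name or an explicit set (Special Access)."""
    rights = STANDARD[perm] if isinstance(perm, str) else frozenset(perm)
    return Ace(subject, rights, deny or perm == "No Access")

def effective_rights(acl, user, groups):
    """Rights granted to the user or any group, minus anything expressly denied."""
    subjects = {user, *groups}
    allowed, denied = set(), set()
    for a in [x for x in acl if x.subject in subjects]:
        if a.deny:
            denied |= a.rights or SPECIAL   # No Access denies every right
        else:
            allowed |= a.rights
    return frozenset(allowed - denied)   # a denied right overrides a granted one

def can_access(acl, user, groups, wanted):
    return frozenset(wanted) <= effective_rights(acl, user, groups)

def audit_key(acl, broad_groups=("Everyone", "Users")):
    """Flag the 'too permissive' case: broad groups granted write-like rights."""
    return [f"{a.subject}:{r}" for a in acl if not a.deny and
            a.subject in broad_groups for r in sorted(a.rights & WRITE_LIKE)]

SAMPLE_ACL = [  # constructed sample for a hypothetical key, not a real system
    ace("Administrators", "Full Control"),
    ace("Everyone", "Read"),
    ace("Everyone", {"Create Subkey"}),   # Special Access: too permissive
    ace("alice", "No Access")]            # explicit deny for one user
```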
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
<!-- END FOOTER -->