Transcription
FAKULTÄT FÜR INFORMATIKDER TECHNISCHEN UNIVERSITÄT MÜNCHENMaster’s thesis in computer sciencePrivileged User Password Management inShared EnvironmentsManuel Söhner
FAKULTÄT FÜR INFORMATIKDER TECHNISCHEN UNIVERSITÄT MÜNCHENMaster’s thesis in computer sciencePrivileged User Password Management in SharedEnvironmentsPrivileged User Password Management in uel SöhnerProf. Dr.-Ing. Georg CarleBenjamin Hof, M.ScDaniela Pöhn, Felix von Eye (LRZ)Dr.-Ing. Ingo Pansa (iC Consult GmbH)Submission date: April 15, 2014
I assure the single handed composition of this master’s thesis only supported by declaredresources.Munich, April 15, 2014Manuel Söhner
AcknowledgmentsI would like to thank the advisors Benjamin Hof from the Chair for Network Architecturesand Services, Daniela Pöhn and Felix von Eye from the Leibniz Supercomputing Centre,and Ingo Pansa from iC Consult for their good advice, support, and feedback during thewriting of this thesis.I would also like to thank Prof. Dr.-Ing. Georg Carle for supervising this thesis and for theadvice after the first presentation.vii
AbstractAdministrators often require access to privileged and shared accounts to manage systems,services, and applications. Subsequently, the unlimited power gives them unrestrictedaccess to sensitive data and to important components of the network infrastructure.In order to prevent from insider and outsider threats, the privileged user accounts needto be securely shared between authorized administrators and the access to these accountsneeds to be monitored and audited.This thesis analysis the threats that arise from privileged user accounts in shared environments and brings up countermeasures that need to be taken into account in a privilegeduser password management solution.Besides the security aspects, generic as well as specific requirements of two organizationsare presented. For that purpose, the status quo of the current password management aswell as use cases at the Leibniz Supercomputing Centre (LRZ) and iC Consult GmbH,which is a system integrator specialized in identity and access management, were analyzed.Based on that requirements catalog, three software products are evaluated and comparedto each other. Moreover, the suitability of these products for the purpose of the LRZ andiC Consult is examined.The thesis then proposes a generic architecture that addresses the management of privileged user passwords as well as the fine-grained control of access rights that administrators require to perform actions as privileged user. After that, a demonstrator illustratessome of the use cases that have been brought up during the requirements research by implementing the essential parts of the proposed architecture.In conclusion, the thesis shows that the management of privileged user passwords not onlyrequires a centralized component that securely controls which administrator is authorizedto access what privileged user passwords. Moreover, it is necessary to consider special usecases that normal password managers do not have to consider, for example, an emergencyaccess that allows administrators to use a privileged account which they usually are notauthorized to use. Additionally, the auditing of shared privileged accounts needs to beaddressed and the unrestricted access rights need to be taken into account.ix
Contents1234Introduction1.1 Problem Statement . . . . . . . . . . .1.2 Identity and Access Management . . .1.3 Definitions and Notation . . . . . . . .1.3.1 Terms and Definitions . . . . .1.3.2 Notation for XML Namespaces1.4 Approach and Structure of This Thesis.1123356Related Work2.1 eXtensible Access Control Markup Language . . . . . . . . . .2.2 Distributed Enforcement of XACML Policies With pam xacml2.3 Security Assertion Markup Language . . . . . . . . . . . . . .2.4 OpenID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.5 OAuth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.6 Shibboleth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .991516171819.Threat Model3.1 Basic Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3.2 Scenarios Concerning Privileged User Password Management3.3 Threat Targets, Threats and Attacks . . . . . . . . . . . . . . . .3.3.1 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . .3.3.2 Network . . . . . . . . . . . . . . . . . . . . . . . . . . .3.3.3 Account . . . . . . . . . . . . . . . . . . . . . . . . . . .21212325262728Requirements4.1 Operational and Business Requirements . . . . . . . . . . . . . . . . .4.1.1 Security Regulations . . . . . . . . . . . . . . . . . . . . . . . .4.1.2 Information Distribution . . . . . . . . . . . . . . . . . . . . . .4.1.3 Separation of Duties . . . . . . . . . . . . . . . . . . . . . . . .4.1.4 Auditing and Reporting . . . . . . . . . . . . . . . . . . . . . .4.2 Practicability Requirements . . . . . . . . . . . . . . . . . . . . . . . .4.3 Non-Functional Requirements . . . . . . . . . . . . . . . . . . . . . . .4.3.1 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.3.2 Systems Integration . . . . . . . . . . . . . . . . . . . . . . . .4.3.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.4 Use Cases and Requirements at the Leibniz Supercomputing Centre4.4.1 Infrastructure of the LRZ . . . . . . . . . . . . . . . . . . . . .4.4.2 Status Quo and Requirements . . . . . . . . . . . . . . . . . . .3333343536363637373838393939.xi
Contents4.54.65678xiiUse Cases and Requirements of iC Consult4.5.1 Infrastructure of iC Consult . . . . .4.5.2 Status Quo and Requirements . . . .Requirements Catalog . . . . . . . . . . . .Analysis of Established Solutions5.1 CA ControlMinder . . . . . . . . . . . . . . . . . . .5.1.1 System Architecture . . . . . . . . . . . . . .5.1.2 Test Environment . . . . . . . . . . . . . . . .5.1.3 Analysis Based on the Requirements Catalog5.2 Netwrix Privileged Account Manager . . . . . . . .5.2.1 System Architecture . . . . . . . . . . . . . .5.2.2 Test Environment . . . . . . . . . . . . . . . .5.2.3 Analysis Based on the Requirements Catalog5.3 Soffid Identity and Access Management . . . . . . .5.3.1 System Architecture . . . . . . . . . . . . . .5.3.2 Test Environment . . . . . . . . . . . . . . . .5.3.3 Analysis Based on the Requirements Catalog5.4 Summary of Software Analysis . . . . . . . . . . . .Architecture6.1 Components . . . . . . . . . . . . . . . . . . .6.1.1 Policy Administration Point . . . . . .6.1.2 Policy Decision Point . . . . . . . . . .6.1.3 Policy Enforcement Point . . . . . . .6.1.4 Password Manager . . . . . . . . . . .6.1.5 Audit Logging System . . . . . . . . .6.2 Security Considerations . . . . . . . . . . . .6.2.1 Encryption of Credentials . . . . . . .6.2.2 Secure Audit Logs . . . . . . . . . . .6.3 Analysis Based on the Requirements Catalog6.4 Summary . . . . . . . . . . . . . . . . . . . . .Specification and Implementation of a Demonstrator7.1 Authorization for PAM-Enabled Applications . . .7.2 Policy Decision Point . . . . . . . . . . . . . . . . .7.3 Jump Server . . . . . . . . . . . . . . . . . . . . . .7.4 Web Interface and Password Database . . . . . . 6777878798184.8991929394Evaluation8.1 iC Consult Compared to the Leibniz Supercomputing Centre .8.2 Applicability Analysis for the Leibniz Supercomputing Centre8.2.1 Applicability of the Architecture . . . . . . . . . . . . .8.2.2 Applicability of the Analyzed Software . . . . . . . . .8.3 Applicability Analysis for iC Consult . . . . . . . . . . . . . . .8.3.1 Applicability of the Architecture . . . . . . . . . . . . .95959797979898.
Contents8.3.29Applicability of the Analyzed Software . . . . . . . . . . . . . . . . .Conclusion and Future Work9.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9.2.1 Attribute-Based Encryption For Sensitive Data . . . . . . . .9.2.2 Transformation of High-Level Policies to Low-Level Policies9.2.3 Expansion to Other Operating Systems . . . . . . . . . . . .9.2.4 Virtual Environments . . . . . . . . . . . . . . . . . . . . . .Bibliography.98101101102103104104105107xiii
List of Figures3.1The Source of Greatest Risk to Sensitive Data . . . . . . . . . . . . . . . . . .224.1Organization Structure of the LRZ . . . . . . . . . . . . . . . . . . . . . . . .405.15.2495.35.45.5Screenshot of PuTTY Demonstrating Non-Repudiation in CA ControlMinderScreenshot of PuTTY Demonstrating Fine-Grained Access Control in CAControlMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Netwrix Privileged Account Manager . . . . . . . . . . . . . . . . . . . . . .Architecture of Soffid Identity and Access Management . . . . . . . . . . . .Revealing a Password in the Soffid Self-Service Portal . . . . . . . . . . . . .505662636.16.26.3IETF Policy Framework Architecture . . . . . . . . . . . . . . . . . . . . . . .Jump Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Full Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7075867.1Architecture of the Demonstrator . . . . . . . . . . . . . . . . . . . . . . . . .89xv
List of Tables2.12.2Attributes in the XACML Request Message . . . . . . . . . . . . . . . . . . .Attributes in the XACML Response Message . . . . . . . . . . . . . . . . . .10114.1Use Cases at iC Consult . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435.15.25.35.45.55.6Environment Specification for CA ControlMinder (Windows Server) .Environment Specification for CA ControlMinder (Linux Server) . . .Environment Specification for Windows Domain Controller . . . . . .Environment Specification for Netwrix Privileged Account Manager .Environment Specification for Soffid Identity and Access ManagementSummary of the Software Analysis Based on the Requirements Catalog.5151585864686.1Summary of the Architecture Based on the Requirements Catalog . . . . . .877.17.27.3Environment Specification for the Policy Decision Point . . . . . . . . . . . .Environment Specification for the Jump Server . . . . . . . . . . . . . . . . .Environment Specification for the Web Server . . . . . . . . . . . . . . . . . .9090918.1Requirements of the Leibniz Supercomputing Centre Compared to iC Consult 96.xvii
Listings2.12.22.3Example for a Separation of Duties in XACML . . . . . . . . . . . . . . . . .Excerpt of a Break-Glass Policy in XACML . . . . . . . . . . . . . . . . . . .Example for a Policy that Allows the Delegation of Rights . . . . . . . . . .1213147.17.27.37.47.5PAM Configuration for sudo . . . . . . . . . . . . . . . . .Example Request Message for sudo . . . . . . . . . . . . .Example Response Message That Permits the use of sudoProxyCommand in authorized keys File . . . . . . . . . .Command to Reach a Target System via the Jump Server9192939394.xix
1 IntroductionThe recent disclosure of global surveillance, which was uncovered by Edward Snowden,a former contractor of the U.S. National Security Agency (NSA), showed that the unrestricted access of administrators to sensitive data is a crucial aspect in computer networks.Often, privileged user accounts are shared between different administrators and therebythe abuse by an insider is hard to impute to a specific person. In order to reduce the security risk for an organization, the access to privileged user passwords needs to be controlledand the privileged access rights need to be managed.This chapter gives an overview on the problem that is addressed by this thesis and classifies the privileged user password management into the context of identity and accessmanagement.1.1 Problem StatementMany organizations employ at least one administrator that manages the IT infrastructurewith its corresponding business-critical resources. In order to do their job, the administrators are equipped with rights that give them access to operating systems, applications,databases and other data storage. Because of that, they are privileged users which have extensive authority on each system they administrate – and often beyond that. In some cases,those privileged users do not operate with personal accounts but share dedicated superuser accounts. This raises a problem in the area of accountability, since actions cannot beattributed to a specific person once a granted permission got abused [9]. Furthermore, theuser accounts with elevated access rights present a target for external as well as internalattackers and therefore provoke a high security risk.Moreover, privileged user accounts are also included in many network devices and software products that are shipped with a default username and password combination. Sometimes, the credentials are not changed by the IT administrators, which makes it easier forattackers to break into a system and manipulate or steal sensitive data [73].Besides the employees that use privileged identities, there are also applications and services that run under privileged user accounts, which therefore represent a security risk aswell [15]. Once a central component (e.g., a directory service or database) is compromised,it is easy to sabotage other network components or steal identities and data.The problem becomes more complicated in distributed environments, like it is the casewith outsourced departments. Here, different stakeholders are connected in a heteroge-1
1 Introductionneous environment and need to have access to the systems and data. Another example isthe growing sector of cloud computing, where administrators of a service provider haveaccess to the hardware they are managing in order to provide the infrastructure. Thosecould also gain access to the sensitive data or manipulate the system.For that reason, the system administrators need to establish a solution that protects thedata and restricts the access of privileged user accounts, based on the identity’s authorization level. In addition, an organization might also have an interest in reducing the accessof their administrators to a minimum in order to lower the possibility of getting attackedfrom inside the company.In order to solve the above mentioned problems, the organization needs to introduce adedicated security architecture that takes care of the authentication and authorization ofusers and applications. For that purpose, the organization has to manage all stakeholdersas identities and define the access permissions and policies that guard the data. Basisfor that are the business processes inside the institution, as they define the resources astakeholder requires to accomplish a task. That is where another problem could arise sincethe processes have to be analyzed and sometimes changed in order to extend the existinginfrastructure.1.2 Identity and Access ManagementIn most organizations people work with different kinds of sensitive data while fulfillingtheir tasks. In order to control which person has access to which data, the IT administratorsneed to provide a system that enforces access control policies. In most of the cases thesepolicies are derived from the business processes inside the organization. The essentialgoal is to give each person the minimum amount of access in order to secure the dataand protect from faults and malicious actions. In computer science, this idea is generallyreferred to as the principle of least privilege [64]. The simplest approach of achieving that goalis to give each person an individual and thus unique identity (e.g., a personal account) thatrepresents it on every system in the infrastructure.In order to authenticate a user and authorize the resource access, the systems utilize thepredefined information that is part of the individual identity. Controlling all that information is the purpose of the Identity Management (IdM). Besides creating, deleting, andmodifying the identities throughout their existence as part of the identity lifecycle management, the identities need to be monitored. For that purpose, the IdM software oftenprovides a logging component that fulfills the auditing requirements of the organization.Controlling the identities becomes even more important when external users can accessinternal systems or when users have access to external systems. For that purpose, the approach of a Federated Identity Management (FIdM) has been established, where autonomoussecurity domains are interconnected and share identities with uniform standards [6].On the other hand, there is the data that needs to be protected. This can be done by defining roles, access permissions, and policies that determine the necessary rights an identity2
1.3 Definitions and Notationhas to have in order to get access to a resource or object. This task is part of the accessmanagement and complements the identity management. The most important aspect ofthe access management is to apply the principle of least privilege to reduce the risk of people accessing sensitive data they should not have access to. Hence, these tasks are oftencombined to the term Identity and Access Management (IAM).A subarea of IAM is the Privileged Identity Management (PIM), which mostly deals withnon-personal accounts that are used by humans and software. As mentioned in chapter1.1, users with privileged accounts are a security risk and can cause a huge damage tothe organization. This is because privileged accounts have access to sensitive data andare able to change the configuration of hardware and software, most of the time withoutbeing tracked. Thus, these identities have to be managed and monitored accurately. Forthat purpose, the organization firstly defines who is allowed to perform specific actions.Then, the PIM has to monitor each identity and log the actions that have been performed ina session. Furthermore, a partial aspect of that is the Privileged User Password Management(PUPM) and the Shared Account Password Management (SAPM) [40].1.3 Definitions and NotationThis section introduces basic definitions and XML notations that are used throughout theremainder of this thesis.1.3.1 Terms and DefinitionsThe following terms are defined for the context of this thesis and are based on the suggestions of RFC 4949 [28].Attributes provide information that identify a person or system entity. Before the systemcan utilize them, for example, for the authorization process, an authority needs to predefine and assign the attributes to the identities.An identity represents and describes a person or other entity (e.g., a service or application)inside a system with various attributes. These attributes mainly focus on the personal datathat make an identity unique.A (system) user is defined as a person that uses and accesses resources that are providedby the system. In addition, also services and applications are referred to as “user”, sinceapplication-to-application scenarios are almost equal to the human-computer interaction.Policies are the basis of access control since they render the decision which user-assignedattributes grant access.A role represents a job function inside the organization to which users get assigned. Policiesmay define that a role is allowed to perform a specific action in the system.3
1 IntroductionAn object or resource is a system component that contains or receives information. Becauseof that, objects are sensitive resources which need to be protected by an access control.Subjects can perform actions on them and modify their state if the permissions are valid.Subjects are system entities that perform actions on objects, for example, change systemstates or the content of objects. For such actions, they require access rights which need tobe assigned to each subject. Subjects might be human beings as well as applications (e.g.,services or scripts). A subject itself can also be an object, depending on the situation andinteraction. Users are a concrete example of a subject.Assets are system resources that need to be protected since they contain critical or sensitiveinformation of an organization. They are used and managed by the subjects of a system.Accounts are system entities that are mostly assigned uniquely to an identity and used toauthenticate and authorize a user. There are different types of accounts that need to bedifferentiated: Accounts of applications or services Shared, non-personal accounts (e.g., admin and root) Personal accounts with permanently enhanced permissions Break-glass accounts (users can elevate their permissions (e.g., in emergency cases)although they do not have these rights assigned permanently for their day-to-daytasks)In the process of authentication, the identity of a user is confirmed, based on the giveninformation (e.g., credentials such as a username/password combination or certificates).Authorization presupposes authentication and ensures that a user is granted or denied access to a protected resource. Moreover, it is the process of specifying access rights and theassignment to the resources that should be protected. The permissions or rights of a userdepend on the assigned attributes, which are evaluated as part of the policy enforcementprocess. The enforcement is fulfilled by an access control.Accounting is the process of logging and tracking the activity of a user. The collected information (e.g., a session with every command that has been executed) can be used forauditing purpose.Privileged User and Shared AccountFirst and foremost the role of a privileged user is associated with employees that haveenhanced rights allocated to their identity, including system administrators, operators,and users with high-risk access to resources. Besides the personal accounts, a system alsoconsists of pre-existing non-personal accounts that are shared by different people, such asthe superuser on Windows computers (“administrator”), UNIX systems (“root”), routers,and switches. Moreover, there are privileged accounts in applications, such as a database4
1.3 Definitions and Notationadministration account [18]. Additionally, external partners can also have accounts in thesystem that are privileged and thus are a potential security risk. Furthermore, applicationsand services might use or run as privileged processes that can perform security-relevantfunctions in contrast to other processes that are not authorized to execute such actions [28].On the other hand, there are persons that might have access to privileged accounts eventhough they are not authorized to use the elevated access rights that are connected withthese accounts. One example are employees that still have privileges assigned to theiridentity, even though these should have been revoked, for example, because they havefinished a project for which they required enhanced rights. In addition, a user might stillhave valid credentials of shared accounts which cannot be easily revoked [14]. Anotherexample are alumni that have left the company but can still use their account because ithas not been deleted yet.The most dangerous owners of a privileged account are malicious users. They can beseparated into two groups: On the one hand, the external attackers that do not knowanything or very little about the system architecture and try to get access to some sensitivedata and privileged accounts. On the other hand, there are the insiders, that were formeremployees or still work for a company and thus know things about the systems they canuse to exploit loopholes in order to get access to the desired information or sabotage theinfrastructure [69].1.3.2 Notation for XML NamespacesIn order to improve readability, the XML examples in this thesis assume use of the following XML Internal Entity Declarations: !ENTITY xacml ” urn : o a s i s : names : t c : xacml : 1 . 0 : ” !ENTITY xml ” h t t p ://www. w3 . org /2001/XMLSchema#” !ENTITY r u l e combine” urn : o a s i s : names : t c : xacml : 1 . 0 : r u l e combining a l g o r i t h m :” !ENTITY p o l i c y combine” urn : o a s i s : names : t c : xacml : 1 . 0 : p o l i c y combining a l g o r i t h m :” !ENTITY a t t r i b u t e c a t e g o r y” urn : o a s i s : names : t c : xacml : 3 . 0 : a t t r i b u t e c a t e g o r y :” !ENTITY s u b j e c t c a t e g o r y” urn : o a s i s : names : t c : xacml : 3 . 0 : s u b j e c t c a t e g o r y :” !ENTITY f u n c t i o n ” urn : o a s i s : names : t c : xacml : 1 . 0 : f u n c t i o n :” !ENTITY s u b j e c t ” urn : o a s i s : names : t c : xacml : 1 . 0 : s u b j e c t :” !ENTITY r e s o u r c e ” urn : o a s i s : names : t c : xacml : 1 . 0 : r e s o u r c e :” !ENTITY a c t i o n ” urn : o a s i s : names : t c : xacml : 1 . 0 : a c t i o n :” !ENTITY s t a t u s ” urn : o a s i s : names : t c : xacml : 1 . 0 : s t a t u s :” For example, &xml;#string is the same ashttp://www.w3.org/2001/XMLSchema#string.5
1 Introduction1.4 Approach and Structure of This ThesisManaging (privileged) user passwords with software is a common approach. Besidesmaintaining password lists with Excel spreadsheets that are shared via email or saved on anetwork storage, there are password manager tools which can provide several advantagesover the lists approach.However, these software solutions have some limitations when it comes to security goalslike authorization and accounting. Once a user has access to credentials in the passwordmanager, he can log in to the system and perform all actions that are possible with theassigned permissions. This critical problem is especially related to shared accounts (e.g.,“root” on UNIX-like operating systems) since usually there is no information about theperson that used the account. The password manager might provide some kind of logwith information about who accessed a password at a given time but that is not enoughto ensure accountability. Moreover, the management of privileged user passwords onlycontrols who has access to the credentials but it does not offer any control about what amalicious user can do once he has gained access to a privileged account [49].That problem could be solved by reducing the need for shared accounts and only keepingthem for emergency cases. Instead, the permissions a user requires to fulfill the day-today tasks could be assigned to the personal account. This provides accountability andtraceability because every user performs the actions with his unique identity [21].This thesis develops a centralized authorization architecture that provides a fine-grainedaccess control to operating-system components like the file system and to applications.However, there are situations where devices (e.g., routers and switches) cannot be integrated into the architecture because they do not provide the necessary interfaces or cannotbe adjusted. For these, another solution is outlined, as well as for situations where only apassword manager is capable.The structure is as follows: Chapter 2 outlines established solutions that (partly) solvea similar problem in other environments or serve as a basis for the architecture that isdeveloped in this thesis.Following up on this, Chapter 3 explains which threats and challenges need to be takeninto account in order to design a secure architecture for the management of privilegeduser passwords. Moreover, the chapter outlines typical scenarios that occur inside organizations.After that, Chapter 4 describes the generic requirements for a privileged user passwordmanagement as well as specific requirements that exist at the Leibniz SupercomputingCentre and iC Consult GmbH, which is a system integrator specialized in identity andaccess management.Then, Chapter 5 analyzes established products of companies that aim to provide a solutionfor the management of privileged user passwords. The products are then compared to thechallenges and requirements that have been outlined in the preceding chapters.6
1.4 Approach and Structure of This ThesisFollowing, Chapter 6 illustrates the components and security aspects of an architecturethat provides authorization decisions, auditing, and the management of passwords. Forthat purpose, open standards are used, so that the generic architecture can be adapted andextended.After that, Chapter 7 specifies a demonstrator that implements the essential parts of thearchitecture to show some of the scenarios of a privileged user password management.In Chapter 8, the requirements of the Leibniz Supercomputing Centre and iC Consult arecompared and the evaluated software products are analyzed regarding the suitability forthese organizations.At the end, Chapter 9 summarizes the findings and proposes topics and approaches forfuture work.7
2 Related WorkIn order to implement the idea of reducing the need for shared privileged accounts, itrequires a way to model access rights and enforce them when a subject accesses an object.This chapter outlines established standards and solutions
5.4 Environment Specification for Netwrix Privileged Account Manager. . . .58 5.5 Environment Specification for Soffid Identity and Access Management. . .64 5.6 Summary of the S
