Secure Information Sharing Manager

SECURE INFORMATION SHARING MANAGER

STEPHEN D. WISE

A thesis submitted to the Graduate Faculty of the

University of Colorado at Colorado Springs

in partial fulfillment of the

requirements for the degree of

Master Of Science

Department of Computer Science

2007 i

This thesis for the M.S. Of Computer Science degree by

Stephen D. Wise

has been Approved for the

Department of Computer Science by

______

Dr. C. Edward Chow, Chair

______

Dr. Jugal K. Kalita

______

Dr. Xiaobo Zhou

______Date iii

Wise, Stephen D. (M.S., Computer Science)

Secure Information Sharing Manager

Thesis directed by Professor C. Edward Chow

The Secure Information Sharing Manager (SIS-M) prototype is an extension of the research accomplished for Secure Information Sharing Using Attribute Certificates and

Role Based Access Control [1]. The SIS-M research emphasis is to prototype an

Enterprise Management capability based upon Web Based Enterprise Management

(WBEM) standards developed by the Distributed Management Task Force (DMTF).

The SIS-M prototype utilizes the .NET 2.0 Framework and other components (ASP.Net

2.0, Internet Information Services (IIS) 6.0, Active Directory (AD), Certificate Services, and Windows Management Instrumentation (WMI)) to accomplish remote administration tasks in a web-based architecture. The research tasks are to enable 1) system health and status monitoring using Windows Management Instrumentation

(WMI), 2) user account management using the Active Directory Membership Provider,

3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using

Certificate Services. The SIS-M implementation, built within VMware Server Version

1.0.1, includes three Windows 2003 Servers to provide the WBEM and Secure

Information Sharing (SIS) capabilities and two Windows XP clients that simulate external users that require access to the SIS-M or SIS websites for either remote site administration or remote information sharing. iv

CONTENTS

Chapter

1 Introduction...... 1 1.1 Enterprise Management...... 2 1.1.1 The Distributed Management Task Force...... 2 1.1.2 The CIM and WBEM Standards...... 4 1.2 Role Based Access Control...... 5 1.2.1 The Organization for the Advancement of Structured Information Standards 6 1.2.2 RBAC Standards...... 6 1.2.3 Document Organization...... 7 2 SIS-M Architecture Research...... 9 2.1 WBEM Architecture...... 9 2.2 SIS-M WBEM Implementation...... 12 2.3 SIS-M User Account Management Implementation...... 14 2.4 SIS-M RBAC Implementation...... 15 2.5 SIS-M Client-side Certificate Distribution Implementation...... 17 2.6 SIS-M Architecture Description...... 17 3 SIS-M Implementation...... 19 3.1 SIS-M Server and Client Specifications...... 19 3.2 Virtual Network Topology...... 20 3.3 SIS-M Architecture...... 20 3.3.1 The Domain Controller...... 21 3.3.2 The Management Server...... 22 3.3.3 The Secure Information Server...... 22 3.4 System Health and Status Monitoring...... 23 3.4.1 Establishing WMI Namespace Connectivity...... 27 3.4.1.1 WMI Connection Options...... 28 3.4.1.2 Building A WMI Namespace Path...... 28 3.4.1.3 Instantiating WMI Management Scope...... 29 3.4.2 Building And Executing A WMI Query...... 29 3.5 User Account Management...... 31 3.5.1 InformationAccess User Management Capability...... 32 3.5.1.1 Creating Users...... 32 3.5.1.2 Deleting Users...... 33 3.5.1.3 User Account Details...... 33 3.6 Role Based Access Control Management...... 34 3.6.1 InformationAccess RBAC Management Capability...... 35 3.6.2 Create Role...... 35 3.6.3 Delete Role...... 36 3.6.4 Add User To Role...... 37 v

3.6.5 Get Users In Role...... 37 3.6.6 Get All Roles...... 38 3.6.7 Get Roles For User...... 39 3.6.8 Is User In Role...... 40 3.6.9 Remove User From Role...... 41 3.7 Client-side Certificate Distribution...... 41 3.8 RBAC Policy Violation Archive...... 42 3.8.1 Event Log Creation...... 42 3.8.2 Writing Event Log Entries...... 42 3.8.3 Deleting Event Log Entries...... 43 3.9 InformationSharing Web Application...... 44 4 Performance Observations...... 49 4.1 RBAC Policy Violation Archive...... 49 4.2 RBAC Management...... 50 4.3 Health And Status Monitoring...... 51 4.3.1 One Server Retrieving One WMI Object...... 52 4.3.2 Two Servers Retrieving One WMI Object...... 53 4.3.3 Three Servers Retrieving One WMI Object...... 54 4.3.4 One Server Retrieving Five WMI Objects...... 55 4.3.5 Two Servers Retrieving Five WMI Objects...... 56 4.3.6 Three Servers Retrieving Five WMI Objects...... 57 4.3.7 Server Trend For Retrieving One WMI Object...... 58 4.3.8 Server Trend For Retrieving Five WMI Objects...... 59 5 Lessons Learned...... 60 5.1 WMI Win32 Classes And CIM Schema Observations...... 60 5.1.1 Win32_UserAccount...... 60 5.1.2 Win32 Formatted Performance Statistics...... 61 5.2 System Health And Status...... 61 5.3 User Account Management...... 61 5.4 RBAC Management...... 62 5.5 Client-side Certificate Distribution...... 62 6 Future Research...... 64 6.1 Update SIS-M Architecture To Include A UNIX Server...... 64 6.2 Update The SIS-M Prototype To The .Net 3.0 Framework...... 64 6.3 Certificate Authority Architecture...... 64 6.4 Implement Client-side Certificate Mapping...... 65 7 Conclusion...... 66 7.1 System Health And Status Monitoring...... 66 7.2 User Account Management...... 66 7.3 RBAC Management...... 67 7.4 Client-side Certificate Distribution...... 67 7.5 Performance Observations...... 67 8 Bibliography...... 69 9 APPENDIX A: Developer / User Guide...... 72 9.1 The SIS-M Prototype Environment...... 72 9.2 SIS-M Prototype Administration...... 74 9.3 The InformationAccess Application...... 76 9.3.1 The InformationAccess SiteAdministrator Role...... 79 9.3.1.1 Manage Users Capability...... 79 9.3.1.2 Manage RBAC Capability...... 82 vi

9.3.1.3 Monitor Systems Capability...... 91 9.3.1.4 Obtain Client-side Certificate...... 92 9.4 RBAC Policy Violation Archive...... 98 9.5 The InformationSharing Application...... 99 vii

TABLES

Table 1. SIS-M WBEM Implementation Survey Results...... 12 Table 2. Authorization Manager RBAC Elements...... 17 Table 3. SIS-M Virtual Machine Specifications...... 20 viii

FIGURES

Figure

Figure 1. DMTF Technology Diagram...... 3 Figure 2. Summary WBEM Architecture...... 10 Figure 3. WBEM Implementation Evaluation...... 11 Figure 4. WMI Architecture...... 13 Figure 5. SIS-M Virtual Network Topology...... 20 Figure 6. The Trusted Subsystem Model...... 21 Figure 7. Summary Architecture...... 23 Figure 8. WMI Tiers...... 24 Figure 9. Server Health And Status Attributes...... 25 Figure 10. Health And Status Rules...... 27 Figure 11. SIS-M WMI Connection Creation...... 28 Figure 12. SIS-M WMI Connection Attributes...... 29 Figure 13. SIS-M WMI Query Objects...... 30 Figure 14. WMI Query Execution...... 31 Figure 15. Active Directory Connection...... 32 Figure 16. Create User Wizard Definition...... 33 Figure 17. Membership Delete User...... 33 Figure 18. Authorization Manager Connection...... 35 Figure 19. Create Role...... 36 Figure 20. Delete Role...... 37 Figure 21. Add User To Role...... 37 Figure 22. Get Users In Role...... 38 Figure 23. Get All Roles...... 39 Figure 24. Get Roles For User...... 40 Figure 25. Is User In Role...... 41 Figure 26. Remove User From Role...... 41 Figure 27. EventViewer Log File Creation...... 42 Figure 28. Event Log Entry Creation...... 43 Figure 29. Event Log Entry Deletion...... 43 Figure 30. IIS Two-way Authentication Handshake...... 45 Figure 31. Custom 403.7 Error Configuration...... 46 Figure 32. InformationSharing Controls...... 47 Figure 33. InformationSharing RBAC Policy Check...... 48 Figure 34. RBAC Policy Violation Entry Retrieval...... 50 Figure 35. RBAC Management Request Time...... 51 Figure 36. WMI One Server One Object Response Time...... 53 Figure 37. WMI Two Servers One Object Response Time...... 54 Figure 38. WMI Three Servers One Object Response Time...... 55 Figure 39. WMI One Server Five Objects Response Time...... 56 ix

Figure 40. WMI Two Servers Five Objects Response Time...... 57 Figure 41. WMI Three Servers Five Objects Response Time...... 58 Figure 42. Single WMI Object Server Trend...... 59 Figure 43. Five WMI Objects Server Trend...... 59 Figure 44. InformationAccess VS2005 Start Page...... 73 Figure 45. InformationSharing IIS Management Console...... 74 Figure 46. SISDC Active Directoy Users and Computers...... 75 Figure 47. SISDC AzMan Console...... 76 Figure 48. Starting The AzMan Console...... 76 Figure 49. InformationAccess Login Page...... 77 Figure 50. InformationAccess Default Page...... 78 Figure 51. InformationAccess Manage Users...... 79 Figure 52. InformationAccess Create User...... 80 Figure 53. InformationAccess Delete User...... 81 Figure 54. InformationAccess User Account Details Query Result...... 82 Figure 55. InformationAccess Manage RBAC...... 83 Figure 56. InformationAccess Create Role...... 84 Figure 57. InformationAccess Delete Role...... 85 Figure 58. InformationAccess Add User To Role...... 86 Figure 59. InformationAccess Get Users In Role...... 87 Figure 60. InformationAccess Get All Roles...... 88 Figure 61. InformationAccess Get Roles For User...... 89 Figure 62. InformationAccess Is User In Role...... 90 Figure 63. InformationAccess Remove User From Role...... 91 Figure 64. InformationAccess Monitor Systems...... 92 Figure 65. CertSrv Password Protection...... 93 Figure 66. Certificate Services Welcome Page...... 94 Figure 67. Certificate Services Request A Certificate Page...... 95 Figure 68. Certificate Services User Certificate Request Submission...... 96 Figure 69. Certificate Services Issued Certificate...... 97 Figure 70. Certificate Services Successful Certificate Installation...... 98 Figure 71. RBAC Policy Violation Log...... 99 Figure 72. InformationSharing Client-side Certificate Error...... 100 Figure 73. InformationSharing Login Page...... 101 Figure 74. InformationSharing Default Page...... 102 Figure 75. InformationSharing Access Secure Information Page...... 103 Figure 76. InformationSharing RBAC Policy Violation...... 104 Figure 77. InformationSharing File Upload Page...... 105 Figure 78. InformationSharing File Upload Browser...... 106 Chapter 1

1 Introduction

The Network Information and Space Security Center (NISSC) provided a grant to

UCCS to study and implement a Secure Information Sharing (SIS) capability based upon a multi-tiered web architecture. The SIS project objective was to create a web- based implementation proof of concept to share information using Public Key

Certificates (PKC) and Attribute Certificates (AC) to allow multiple agencies to share information securely based upon access rights defined in Role Based Access Control

(RBAC) policies. The research accomplished in Secure Information Sharing Using

Attribute Certificates and Role Based Access Control [1] satisfied the objectives identified in the NISSC grant. Additional PKC and AC research accomplished in

ENgine FOR Controlling Emergent Hierarchical Role-Based Access [21] extended the concepts identified in support of the NISSC grant. The Secure Information Sharing

Manager (SIS-M) research accomplished in this thesis is focused on Enterprise

Management in a secure information sharing environment. The research and associated prototype are to demonstrate remote web-based System Administrator functionality for 2 a Windows 2003 Server enterprise using the .Net 2.0 Framework and other Microsoft

Windows 2003 Server components. A successful prototype enables 1) system health monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access

Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization

Manager, and 4) automated Client-side Certificate distribution using Certificate

Services.

1.1 Enterprise Management

The Enterprise Management problem evolved as the Information Technology (IT) industry matured. Each IT vendor, in an effort to expedite products to market, created proprietary enterprise management capabilities that do not easily integrate with other vendors’ capabilities. The results of rapid IT infrastructure maturation and evolution created corporate infrastructures that contain multiple vendor capabilities that are managed uniquely. The lack of an Enterprise Management standard is increasing corporate overhead costs to manage multiple unique systems and applications. This situation is currently impeding the ability of many companies to evolve their current systems to accommodate new business requirements and organizational needs [4].

1.1.1 The Distributed Management Task Force

The Distributed Management Task Force, Inc. (DMTF) is the industry organization leading the development of management standards and the promotion of interoperability for enterprise and Internet environments. DMTF standards provide a common management infrastructure and components for instrumentation, control, and 3 communication in a platform-independent and technology neutral way [4]. The DMTF

Technology Diagram depicted in Figure 1 shows the relationships among Management

Initiatives, Web Based Enterprise Management (WBEM), and the Common Information

Model (CIM).

Figure 1. DMTF Technology Diagram

The Common Information Model (CIM) is the foundation for the DMTF technology solution to distributed enterprise management and describes computing and business entities in Internet, enterprise, and service provider environments. Web-Based

Enterprise Management (WBEM) is a set of management and Internet standard technologies developed to unify the management of distributed computing environments. WBEM standards facilitate the exchange of CIM information in an interoperable and efficient manner. Management Initiatives are designed to deliver 4 market specific solutions such as the Storage Networking Industry Association (SNIA)

Storage Management Initiative (SMI) [4].

1.1.2 The CIM and WBEM Standards

The CIM Schema is comprised of the Core Model, the Common Model, and Schema

Extensions [2] [4] as identified below.

 The Core Model captures notions that are applicable to all areas of

management. The Core Model is a set of classes, associations, properties, and

methods that provide a basic vocabulary for describing managed systems. The

Core Model represents a starting point for determining how to extend the

Common schema.

 The Common Models are information models that capture notions that are

common to particular management areas, but independent of any particular

technology or implementation. Examples of common models include systems,

applications, networks, and devices. The classes, associations, properties, and

methods in the Common Models are intended to provide a view of the area that

is detailed enough to use as a basis for program design and, in some cases,

implementation.

 Extension Schemas represent technology-specific extensions of the common

models. These schemas are specific to environments, such as operating systems.

It is expected that the Common Models will evolve as a result of the promotion

of objects and properties defined in the Extension Schemas.

The WBEM standards are focused on management and Internet standard technologies 5 to accomplish CIM information exchange in an interoperable and efficient manner.

WBEM standards include:

 Mappings

o URI: WBEM URI Mapping Specification 1.0, DSP0207

o XML: Representation of CIM using XML 1.2, DSP0201

 Protocols

o CIM-XML: CIM Operations over HTTP 1.2, DSP0200

o CLP: Command Line Protocol 1.0, DSP0214

 Discovery

o SLP: WBEM Discovery using SLP, DSP0205

 Query Language

o CIM Query Language 1.0, DSP0202

The SIS-M prototype utilizes data in the CORE Model, the CIM Query Language, and a

SIS-M developed health and status rule set to determine Windows 2003 Server health in

SIS-M’s web-based enterprise.

1.2 Role Based Access Control

Corporate infrastructures of today include many disparate domains of corporate information. The corporations also associate some value with each type of information available within their enterprise infrastructure. Some types of sensitive corporate information include, 1) corporate strategy, intellectual property, human resources, and supplier information. Role Based Access Control (RBAC) standards provide a solution 6 for access management within corporate infrastructures. RBAC maps user job roles to application permissions so that the access control administration can be accomplished in terms of the job role of users [1]. The result of a sound RBAC implementation within a corporate infrastructure is secure information access by organizational and job responsibility.

1.2.1 The Organization for the Advancement of Structured Information Standards

The Organization for the Advancement of Structured Information Standards (OASIS) is a not-for-profit consortium that drives the development, convergence and adoption of the open standards for the global information society [9]. OASIS’s Extensible Access

Control Markup Language (XACML) specification describes building blocks that may be used to implement the various elements of the RBAC model presented in

ANSI/INCITS 359 [12] according to The National Institute of Standards and

Technology (NIST).

1.2.2 RBAC Standards

Core RBAC requires support for multiple users per role, multiple roles per user, multiple permissions per role, and multiple roles per permission. The OASIS XACML specification addresses ANSI CORE RBAC requirements with the following five basic elements [10].

 Users are implemented as XACML Subjects.

 Roles are expressed using on or more XACML Subject Attributes.

 Objects are expressed using XACML Resources 7

 Operations are expressed using XACML Actions

 Permissions are expressed using XACML Role Policy Sets and Permission

Policy Sets

XACML addresses Hierarchical RBAC requirements by implementing role inheritance based upon a Policy Set Id Reference where senior roles can inherit permissions from junior roles [1].

In addition to the five RBAC elements defined within the standard, three key components are emphasized to accomplish controlled access to information. The components are [11]:

 Policy Administration Point (PAP): The system entity that creates a policy or

policy set.

 Policy Decision Point (PDP): The system entity that evaluates policy and

renders an authorization decision.

 Policy Enforcement Point (PEP): The system entity that performs access

control, by making decision requests and enforcing authorization decisions.

1.2.3 Document Organization

The remainder of this document is organized as follows; Chapter 2 presents information regarding WBEM and RBAC as the technologies apply to the SIS-M prototype.

Chapter 3 describes the System Health and Status Monitoring, User Account

Management, Role Based Access Control Management, Client-side Certificate

Distribution, and RBAC Policy Violation Archive capabilities implemented within the 8

SIS-M prototype. Chapter 4 contains performance observations for accessing .Net 2.0

Framework classes and Windows components utilized within the SIS-M prototype.

Chapter 5 identifies lessons learned about Microsoft’s WBEM implementation, WMI, and other Windows components utilized within the SIS-M prototype. Chapter 6 recommends SIS-M prototype updates for future research. Conclusions regarding the

SIS-M prototype research and implementation are included in Chapter 7. Finally,

Appendix A, contains information for developers and users. Chapter 2

2 SIS-M Architecture Research

The DMTF standards identified the Enterprise Management requirement set for the SIS-

M prototype. There are several Commercial and Open Source WBEM implementations and each has a varying degree of DMTF standards compliance. A driving SIS-M requirement identified during Secure Information Sharing Using Attribute Certificates and Role Based Access Control [1] research was to implement the SIS-M capabilities on a Windows platform. Therefore, the WBEM implementation utilized by SIS-M must provide the maximum capability possible in a Windows environment and comply with

DMTF standards. The result of the WBEM analysis identified the direction for all other architecture decisions.

2.1 WBEM Architecture

The WBEM architecture is not bound to a particular implementation. A standards compliant WBEM environment based on CIM standards is depicted in Figure 2 and includes:

 The CIM Client is used to obtain management information by querying 10

CIM/WBEM Servers

 The CIM/WBEM Server provides CIM data, upon requests, to CIM clients

locally or remotely.

 The CIM Object Manager maintains a repository of CIM data on the

CIM/WBEM Servers.

 The Providers implement one or more aspects of the CIM Schema that abstracts

the hardware and software implementation away from the CIM clients.

Figure 2. Summary WBEM Architecture

The SIS-M research surveyed two WBEM implementations, WBEM Services and 11

WMI, for the SIS-M prototype. Additionally, research depicted in Figure 3, from the

Design of a WBEM-based Management System for Ubiquitous Computing Servers [5], provided useful information to narrow SIS-M’s WBEM implementation survey.

Figure 3. WBEM Implementation Evaluation

The SIS-M WBEM implementation survey used the driving requirement of operability within a Windows environment as the discriminating attribute to determine the SIS-M

WBEM implementation decision. As noted in Table 1, the SIS-M WBEM survey did not identify WBEM Services providers for managed elements within the Windows environment while multiple WMI providers existed for each managed element the SIS-

M prototype intended to monitor. Therefore, WMI was chosen as the WBEM infrastructure for the SIS-M prototype. 12

WBEM Implementation Attribute WMI WBEM Services Executes In Windows 2003 Environment Yes Yes Supporting Tool Set WMI CIM Studio CIM Workshop Operating System Providers Available Yes No CPU Providers Available Yes No Disk Providers Available Yes No Developer Documentation Available Yes Yes

Table 1. SIS-M WBEM Implementation Survey Results

2.2 SIS-M WBEM Implementation

The SIS-M Health and Status monitoring capability is a management application that integrates rules to evaluate Windows 2003 Server WBEM elements to determine health and status of a given server. The SIS-M Health and Status monitoring capability utilizes the Microsoft WMI Architecture [6] and is depicted in Figure 4. 13

Figure 4. WMI Architecture

The SIS-M Health and Status Monitoring capability is divided into three summary categories, Operating System, CPU, and Disk. Five WMI Win32 classes reside within the WMI CIMOM, also known as the WMI CORE, and are used to derive SIS-M’s health and status within the three summary categories.

 Operating System

o The WMI Win32_ComputerSystem class represents a computer

system running Windows [7]. 14

o The WMI Win32_PerfFormattedData_PerfOS_Memory class

provides pre-calculated performance data from the performance counters

that monitor the physical and virtual memory on the computer. Physical

memory is the amount of random access memory (RAM) on the

computer. Virtual memory consists of space in physical memory and on

disk [7].

 CPU

o The WMI Win32_Processor class represents a device that can interpret

a sequence of instructions on a computer running on a Windows

operating system [7].

 Disk

o The WMI Win32_DiskDrive class represents a physical disk drive as

seen by a computer running the Windows operating system [7].

o The WMI Win32_PerfFormattedData_PerfDisk_PhysicalDisk class

provides pre-calculated data from performance counters that monitor

hard or fixed disk drives on a computer. Disks store file, program, or

paging data and are read to retrieve these items, and written to record

changes to them. The values of physical disk counters are sums of the

values of the logical disks, also known as partitions, into which they are

divided [7].

2.3 SIS-M User Account Management Implementation

The SIS-M User Account Management capability, based upon the decision to utilize 15

WMI for health and status monitoring, is accomplished using Active Directory and the

ActiveDirectoryMembershipProvider implemented within a SIS-M ASP.Net 2.0 application. The ActiveDirectoryMembershipProvider functionality includes [8]:

 Creating new users and passwords.

 Storing membership information in Active Directory.

 Authenticating users who visit your site programmatically or by utilizing

ASP.Net login controls.

 Creating, changing, and resetting user account passwords.

 Exposing a unique identifier for authenticated users that can be used in ASP.Net

personalization and role management.

 Specifying a custom membership provider that allows for system unique

membership functionality.

The ActiveDirectoryMembershipProvider interfaces with Active Directory using LDAP commands. This means that the provider is always pointed at the root of some container, and all provider operations occur within that single container [8]. Therefore, the ActiveDirectoryMembershipProvider and the MembershipUser class in the

System.Web.Security namespace is used to create, delete, and retrieve user details in the

SIS-M User Account Management application.

2.4 SIS-M RBAC Implementation

The SIS-M RBAC Management capability leverages the Windows 2003 Server component called the Authorization Manager (AzMan) and the 16

AuthorizationStoreRoleProvider capability within ASP.Net 2.0.

AuthorizationStoreRoleProvider is a wrapper around a subset of the functionality available in Authorization Manager [8] and facilitates role and policy access through the

Roles class within the System.Web.Security namespace. AzMan contains the following list of attributes and capabilities to manage and enforce authorization policy [13].

 Operation: A low-level permission that a resource manager uses to identify

security procedures.

 Task: A collection of low-level operations.

 Role Definition: A collection of permissions that are needed for a particular

role, where permissions can be tasks or operations.

 Role: The set of permissions that users must have to be able to do their job.

 BizRules: The set of rules / scripts that are attached to a task object that is run at

the time of the access request.

 Scope: A collection of objects or resources with a distinct authorization policy.

 Application Groups: Groups that are applicable only to an authorization store.

 Application Basic Groups: A subset of application groups. A list of members

(Active Directory Users or groups or other application groups).

 LDAP-query Groups: A subset of application groups. Groups that are defined

by an Lightweight Directory Access Protocol (LDAP) query on a given Active

Directory users account attributes.

AzMan policy stores are either integrated into Active Directory, the implementation 17 used in SIS-M, or created as standalone XML files. AzMan addresses the five elements of the CORE RBAC Standard using AzMan elements and capabilities identified in

Table 2.

Table 2. Authorization Manager RBAC Elements

AzMan addresses the three key RBAC components by utilizing the Authorization

Manager Management Console for PAP, BizRules for PDP, and the

AuthorizationStoreRoleProvider and the Roles class for PEP.

2.5 SIS-M Client-side Certificate Distribution Implementation

The SIS-M Client-side Certificate Distribution capability is accomplished using the

Windows 2003 Server Certificate Authority component. An enterprise Certificate

Authority (CA) is fully integrated with Active Directory. Through a process called autoenrollment, a CA can automatically issue certificates to either users or computers without administrative intervention [15]. SIS-M issues client-side certificates remotely using the CertSrv website within the Windows 2003 Server CA component.

2.6 SIS-M Architecture Description

The SIS-M architecture implemented, as a result of the architecture research, to satisfy the SIS-M prototype capabilities of 1) system health monitoring, 2) user account 18 management, 3) Role Based Access Control (RBAC) management and enforcement, and 4) automated Client-side Certificate distribution is comprised of three servers utilizing various Windows 2003 Server components. The SIS-M prototype web-based infrastructure enables remote access for the site administrator and SIS user and is implemented using Windows 2003 Server components, Active Directory, ASP.Net 2.0,

Internet Information Services 6.0, WMI, and Certificate Services.

SIS-M’s functional decomposition and allocation to infrastructure components and capabilities is summarized below.

 System health and status monitoring is accomplished using WMI and a rule set

implemented as part of the SIS-M prototype.

 User account management is accomplished using Active Directory and the

ActiveDirectoryMembershipProvider included within ASP.Net 2.0.

 RBAC management and enforcement is accomplished using ASP.Net 2.0 Forms

Authentication, the Authorization Manager, and the

AuthorizationStoreRoleProvider.

 Automated Client-side certificate distribution is accomplished using the

Windows 2003 Server Certificate Authority components. Chapter 3

3 SIS-M Implementation

The SIS-M implementation is contained within a VMware Server Version 1.0.1 environment. All implementation and SIS-M prototype functional and performance evaluation occurred within the VMware environment. The SIS-M implementation includes three Windows 2003 Servers. The two Windows XP clients simulate external users that require access to the SIS-M and/or SIS websites for either remote site administration, remote secure information sharing, and/or remote information access.

3.1 SIS-M Server and Client Specifications

The Windows 2003 Server and Windows XP client specifications were created by defining Virtual Machine Settings in the VMware Server console. Each SIS-M virtual machine contained two Network Interface Cards, one bridged to establish connectivity outside of the virtual environment, the other to communicate machine-to-machine within the SISMTHESIS.com domain. Table 3 lists the SIS-M virtual machine specifications. 20

Table 3. SIS-M Virtual Machine Specifications

3.2 Virtual Network Topology

Figure 5 depicts the virtual network topology used for SIS-M development. The

Windows XP clients, SIS-M Client and SIS Client, are instantiated external to the

SISMTHESIS domain.

Figure 5. SIS-M Virtual Network Topology

3.3 SIS-M Architecture

The SIS-M architecture supports all the functionality to meet the objects identified for the SIS-M research to include 1) system health monitoring using Windows

Management Instrumentation (WMI), 2) user account management using the Active 21

Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net

2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side

Certificate distribution using Certificate Services. The SIS-M architecture prohibits direct client access to any backend resource using the Trusted Subsystem Model [16] as depicted in Figure 6.

Figure 6. The Trusted Subsystem Model

The Trusted Subsystem Model requires all resources are accessed by an ASP.Net worker process with appropriate authorization and credentials rather than the credentials associated with the authorized external user. The worker process is responsible for retrieving all requested resources once the client is authorized within the domain.

3.3.1 The Domain Controller

The Secure Information Sharing Domain Controller (SISDC) server utilizes Active

Directory and contains all user information and AzMan Policies. The server name is

SISDC.sismthesis.com. 22

3.3.2 The Management Server

The Secure Information Sharing Manager capability resides within the server named

Manager. The SIS-M capabilities are implemented in a web-based application called

InformationAccess. The capabilities implemented in the InformationAccess web application include, Manage Users, Manage RBAC, RBAC Violations, and Monitor

Systems. The URL for InformationAccess is https://Manager/InformationAccess. The

InformationAccess capability uses server-side certificates to facilitate secure communications between the client and SIS-M. The server name for Manager is

Manager.sismthesis.com.

3.3.3 The Secure Information Server

The Secure Information Sharing capability resides within the server named Secure. The

SIS capabilities are implemented in a web-based application called InformationSharing.

The URL for InformationSharing is https://Secure/InformationSharing. The

InformationSharing capability requires client-side certificates to establish a connection.

Additionally, this server contains the CA capability and distributes the client-side certificates from another web-based application with the URL, https://Secure/certsrv.

The server name is Secure.sismthesis.com.

Figure 7 summarizes the architecture implemented during the SIS-M prototype development. 23

Figure 7. Summary Architecture

3.4 System Health and Status Monitoring

The System Health and Status Monitoring capability resides within the

InformationAccess web-based application of SIS-M. The capability integrates into the

WMI functionality through the System.Management namespace. Figure 8 generically depicts WMI Tiers [14] and the approach used for ASP.Net applications to interface with WMI through the System.Management namespace. This is the approach implemented in InformationAccess and the data path for all health and status monitoring information. 24

Figure 8. WMI Tiers

Each Windows 2003 Server within SIS-M’s enterprise is evaluated by the summary categories of Operating System, CPU, and Disk. The WMI Win32 Classes and class properties are depicted in Figure 9. 25

Figure 9. Server Health And Status Attributes

The information provided by each attribute is listed below [7].

 The WIN32_ComputerSystem Status property provides the current operational

status of the WIN32_ComputerSystem object.

 The Win32_PerfFormattedData_PerfOS_Memory AvailableMBytes property

provides the amount of physical memory available to processes running on the

computer, in megabytes. It is calculated by summing the space on the Zeroed,

Free, and Standby memory lists. Free memory is ready for use; Zeroed memory

contains memory pages filled with zeros to prevent later processes from seeing

data used by a previous process. Standby memory is memory removed from a

process’ working set, but is still available to be recalled. This property provides

the last observed value only it is not an average. 26

 The Win32_Processor Status property provides the current operational status of

the Win32_Processor object.

 The Win32_Processor Availability property provides availability and status of

the device.

 The Win32_Processor LoadPercentage property provides the load capacity of

each processor, averaged to the last second, where processor loading is the total

computing burden for each processor at one time.

 The Win32_DiskDrive Status property provides the current operational status of

the Win32_DiskDrive object.

 The Win32_PerfFormattedData_PerfDisk_PhysicalDisk PercentIdleTime

property provides the percentage of time during the sample interval that the disk

was idle.

The WMI Win32 Classes property values are assessed against a SIS-M implemented rule set, Figure 10, to determine a SIS-M status for each attribute. The resulting status of the attribute analysis is displayed in the InformationAccess web-based application user interface. 27

Figure 10. Health And Status Rules

3.4.1 Establishing WMI Namespace Connectivity

WMI namespace connectivity is established by creating a connection options object, identifying the WMI namespace path, and instantiating a management scope. Figure 11 shows the server connection algorithm for InformationAccess. 28

Figure 11. SIS-M WMI Connection Creation

3.4.1.1 WMI Connection Options

WMI connections require a username, password, a connection authority address string to validate user credentials for authorized WMI namespace access, and a namespace path.

3.4.1.2 Building A WMI Namespace Path

The WMI namespace path is the combination of the server name and WMI namespace.

SIS-M’s InformationAccess web-based application retrieves the WMI Win32 class 29 information from the root/CIMV2 namespace on each server. The host executing the application requesting management information does not require connection scope because the host’s management namespaces are already within scope and accessible by local query objects with appropriate user credentials.

3.4.1.3 Instantiating WMI Management Scope

The WMI management scope connection requires a valid WMI namespace path and validated user credentials with permissions to access the requested information. A

TargetInvocationException is thrown if the WMI connection information is not accurate. An XMLDocument object is used to retrieve the connection information for each server. The SIS-M implemented XML document is shown in Figure 12.

Figure 12. SIS-M WMI Connection Attributes

3.4.2 Building And Executing A WMI Query

CIM and WBEM support a query mechanism that is used to select sets of properties 30 from CIM object instances stored within the CIMOM or WMI Core. Query definitions allow a WBEM client to specify the nature and the number of instance that are selected and what information is returned from those instances. This enables a WBEM managed environment to place less burden on the network infrastructure [3]. The SIS-M query objects are shown in Figure 13.

Figure 13. SIS-M WMI Query Objects

The InformationAccess web-based application requests all the properties within each

CIM object instance in the query for each server in the enterprise. The WMI namespace connection scope and the query object are required to invoke a request for management information. See Figure 14. Upon successful execution, a

ManagementObjectCollection is returned with the properties necessary to evaluate against SIS-M’s health and status rules. 31

Figure 14. WMI Query Execution

3.5 User Account Management

The user account management capability within InformationAccess is accomplished by using the ActiveDirectoryMembershipProvider. The ASP.Net 2.0 web.config file contains configuration information. InformationAccess defines a connection to Active

Directory installed on SISDC within the web.config file. Additionally, the

ActiveDirectoryMembershipProvider service is added to the web application through configuration settings. Figure 15 is a snapshot of InformationAccess’ web.config that implements the Active Directory connection string and the

ActiveDirectoryMembershipProvider settings. 32

Figure 15. Active Directory Connection

3.5.1 InformationAccess User Management Capability

The user management capability implemented within InformationAccess is accomplished with the Membership and MembershipUser classes in the

System.Web.Security namespace. InformationAccess’ user management functionality includes, creating users, deleting users, and querying for user account details. The user interface is shown in 9.3.1.1.

3.5.1.1 Creating Users

InformationAccess’s configuration settings implemented in the web.config file establish a connection to Active Directory on SISDC and instantiate a membership provider. A new account is established with the CreateUserWizard Server Control. A generic

CreateUserWizard Server Control is depicted in Figure 16. 33

Figure 16. Create User Wizard Definition

3.5.1.2 Deleting Users

InformationAccess’s delete user functionality is also the beneficiary of ASP.Net web.config capabilities. User deletion is accomplished by using the Membership class and calling the method, DeleteUser. The delete user functionality is implemented by the code in Figure 17.

Figure 17. Membership Delete User

3.5.1.3 User Account Details

The user account details are retrieved in a similar manner, using the MembershipUser class. The MembershipUser class properties, listed below, are displayed on a user account details web page within InformationAccess. The user interface is depicted in

Figure 54.

 Comment

 CreationDate 34

 Email

 IsApproved

 IsLockedOut

 IsOnline

 LastActivityDate

 LastLockoutDate

3.6 Role Based Access Control Management

The RBAC management capability within InformationAccess is accomplished by using the AuthorizationStoreRoleProvider. InformationAccess defines a connection to the

Authorization Manager within Active Directory installed on SISDC. Additionally, a roleManager service is added to the web-based application through the configuration settings. Figure 18 is a snapshot of InformationAccess’ web.config that implements the

Authorization Manager connection. The Authorization Manager Connection string includes additional attributes listed below.

 Common Name (CN): SISRBACPolicies

 Domain Component (DC): SISMTHESIS

 Domain Component (DC): COM 35

Figure 18. Authorization Manager Connection

The additional connection string attributes are required to uniquely identify the

Authorization Manager Policy Store within Active Directory that InformationAccess uses to enforce access checks prior to responding to the client.

3.6.1 InformationAccess RBAC Management Capability

The RBAC management capability implemented within InformationAccess is accomplished with the Roles classes in the System.Web.Security namespace.

InformationAccess’ RBAC management functionality includes, creating roles, deleting roles, adding users to roles, query for users in roles, querying for all the roles defined within the system, getting all the roles for a particular user, determining if a user is in a particular role, and removing a user from a particular role.

3.6.2 Create Role

Role creation is accomplished by instantiating a Roles class and using the method,

CreateRole. The create role functionality is implemented by the code in Figure 19. 36

Figure 19. Create Role

3.6.3 Delete Role

Role deletion is accomplished by using the method, DeleteRole. The delete role functionality is implemented by the code in Figure 20. 37

Figure 20. Delete Role

3.6.4 Add User To Role

Adding users to specific roles is accomplished by using the method, AddUserToRole.

The user-to-role assignment functionality is implemented by the code in Figure 21.

Figure 21. Add User To Role

3.6.5 Get Users In Role

Retrieving users in specific roles is accomplished by using the method, GetUserInRole. 38

The user retrieval functionality is implemented by the code in Figure 22.

Figure 22. Get Users In Role

3.6.6 Get All Roles

The Get All Roles functionality is implemented in Figure 23. 39

Figure 23. Get All Roles

3.6.7 Get Roles For User

Retrieving roles for a specific user is accomplished by using the method,

GetRolesForUser. The role retrieval functionality is implemented by the code in Figure

24. 40

Figure 24. Get Roles For User

3.6.8 Is User In Role

Verifying a user is in a specific role is accomplished by using the method,

IsUserInRole. The user-in-role verification functionality is implemented by the code in

Figure 25. 41

Figure 25. Is User In Role

3.6.9 Remove User From Role

Removing a user from a specific role is accomplished by using the method,

RemoveUserFromRole. The functionality is implemented by the code in Figure 26.

Figure 26. Remove User From Role

Section 9.3.1.2 describes InformationAccess’ RBAC Management user interface.

3.7 Client-side Certificate Distribution

The Client-side certificate automated distribution capability is fulfilled completely by

Windows 2003 server components and configuration. See section 9.3.1.4 for the description of Certificate Services. 42

3.8 RBAC Policy Violation Archive

The RBAC policy violation archive capability within InformationAccess is accomplished by using the EventLog classes in the System.Diagnostics namespace.

Each web-based application, InformationAccess and InformationSharing, uses the

EventLog classes to archive RBAC policy violations into the Event Log on the server

SISDC.sismthesis.com.

3.8.1 Event Log Creation

Event Log creation requires an EventSourceCreationData object that contains an event source name, a log file name, and the target host name where the log file resides.

Figure 27 shows the code necessary to establish a custom log file within the

EventViewer on SISDC.sismthesis.com.

Figure 27. EventViewer Log File Creation

3.8.2 Writing Event Log Entries

Figure 28 depicts the code to write an entry into a remote log file with a severity of

Warning. The code establishes a connection to the appropriate log file by using the log 43 name, machine name, and log entry source. The entry is written as a message that is categorized with a severity that can be Information, Warning, or Error.

Figure 28. Event Log Entry Creation

3.8.3 Deleting Event Log Entries

Deleting Event Log entries in the EventViewer follows a similar pattern. A connection must be established to the appropriate log file by using the log name, machine name, and log entry source. The entries are cleared once connectivity is established, as depicted in Figure 29.

Figure 29. Event Log Entry Deletion

3.9 InformationSharing Web Application

A secure information sharing capability is built within the SIS-M prototype in order to 44 effectively evaluate Authorization Manager’s policy enforcement capability. The

InformationSharing web-application resides on the server, named Secure, and requires two-way authentication prior to establishing client connections. Internet Information

Services (IIS) is Secure Socket Layer Version 3.0 compliant [18] and is used to accomplish the two-way authentication prior to establishing a secure connection with the server. Figure 30 shows the two-way authentication handshake [19].

Figure 30. IIS Two-way Authentication Handshake

A client attempting to connect to InformationSharing without a certificate receives an 45 error message. The error message displayed is described in Figure 72.

InformationSharing defines a custom 403.7, Forbidden – Client Certificate Required, error in the IIS Management Console as shown in Figure 31.

Figure 31. Custom 403.7 Error Configuration

The purpose of the InformationSharing web-based application is to provide a user capability to read and deposit information into a common location and make information available based upon a user’s role definition. InformationSharing allows for user content to be uploaded into a common location if the user has appropriate permissions. InformationSharing uses the control flow shown in Figure 32 to enforce 46

RBAC policy compliance. Therefore, a user must have 1) a valid client-side certificate to establish connectivity, 2) a valid user account within the domain, and 3) appropriate permissions defined in Authorization Manager to accomplish any information exchanges using the InformationSharing web-based application.

Figure 32. InformationSharing Controls 47

InformationSharing’s Authorization Manager policy enforcement is accomplished by the code shown in Figure 33.

Figure 33. InformationSharing RBAC Policy Check Chapter 4

4 Performance Observations

The SIS-M prototype uses the .Net 2.0 Framework classes and other Windows components to meet the objectives of this thesis. As part of the research, performance measurements were taken to observe the HTTPS request to HTTPS response time for

RBAC Violation Archive data retrieval, RBAC Management, and Health and Status

Monitoring. The objective of the performance analysis was to capture the performance of the .Net 2.0 Framework classes and Windows components while accomplishing SIS-

M’s InformationAccess web-based application tasks. All measurements were captured using the WireShark [20], formerly Ethereal, network sniffer. The SIS-M performance observations decomposed the HTTPS request to HTTPS response time into four discrete measurements. The Measurements were Client Request, SSL Handshake

Complete, Backend Data Retrieval Complete, and Client Response.

The RBAC Policy Violation Archive implementation is described in section 3.8. The performance measurements observed for retrieving archive information are depicted in 49

Figure 34. Both of SIS-M’s web-based applications, InformationAccess and

InformationSharing, write RBAC Policy Violation entries into a custom Windows

Event Log on the domain controller, SISDC. The objective of this measurement is to observe the performance of the Windows Event Log during a custom archive data retrieval request.

RBAC Archive Information Retrieval

3.500 3.000 2.500 s

d 2.000 n o c

e 1.500 S 1.000 0.500 0.000 RBAC Log SSL Handshake Client Request Retrieval Client Response Complete Complete Run #1 0 0.142373 1.878325 3.029757 Run #2 0 0.039929 1.655951 2.232192 Run #3 0 0.015794 2.371433 2.633444 Run #4 0 0.079289 1.714269 2.687524 Run #5 0 0.015815 1.655792 2.295007 Average 0 0.05864 1.855154 2.5755848

Figure 34. RBAC Policy Violation Entry Retrieval

4.2 RBAC Management

The RBAC Management implementation is described in section 3.6. SIS-M’s web- based application, InformationAccess, accesses the Authorization Manager capabilities contained within Active Directory on SISDC to manage role membership for each user. 50

The objective of this measurement is to observe the performance of Authorization

Manager access. The performance measurements observed for Authorization Manager are depicted in Figure 35.

RBAC Mgt Request Time

1.200 1.000 0.800 s d n

o 0.600 c e

S 0.400 0.200 0.000 RBAC Mgt SSL Handshake Client Request Request Client Response Complete Complete Run #1 0 0.015862 0.197095 0.847619 Run #2 0 0.01724 0.174485 0.848788 Run #3 0 0.066693 0.295151 0.630357 Run #4 0 0.028176 0.196822 0.525366 Run #5 0 0.023659 0.199299 0.957544 Average 0 0.030326 0.2125704 0.7619348

Figure 35. RBAC Management Request Time

4.3 Health And Status Monitoring

The Health and Status Monitoring implementation is described in section 3.4. SIS-M’s web-based application, InformationAccess, connects to each of the three Windows 2003 servers WMI namespaces to retrieve health and status monitoring information. The objectives of the following measurements are to observe the performance of WMI data retrieval. A set of observations with combinations of servers and WMI objects requested were observed in an attempt to trend the data. The observation sets were: 51

 One Server Retrieving One WMI Object

 Two Servers Retrieving One WMI Object

 Three Servers Retrieving One WMI Object

 One Server Retrieving Five WMI Objects

 Two Servers Retrieving Five WMI Objects

 Three Servers Retrieving Five WMI Objects

The following sections show the performance observations for the combinations of servers and WMI objects.

4.3.1 One Server Retrieving One WMI Object

The One Server Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespace on SISDC. The results are depicted in Figure 36. 52

WMI 1X1 Response Time

14.000 12.000 10.000 s

d 8.000 n o c

e 6.000 S 4.000 2.000 0.000 WMI Object SSL Handshake Client Request Request Client Response Complete Complete Run #1 0 0.02201 6.91379 7.763398 Run #2 0 0.357341 11.762104 12.294849 Run #3 0 0.061387 6.807595 7.069001 Run #4 0 0.020213 6.014796 7.443219 Run #5 0 0.102926 6.945391 7.696152 Average 0 0.1127754 7.6887352 8.4533238

Figure 36. WMI One Server One Object Response Time

4.3.2 Two Servers Retrieving One WMI Object

The Two Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on SISDC and Secure servers. The results are depicted in Figure 37. 53

12.000

10.000

8.000 s d n

o 6.000 c e S 4.000

0.000 WMI Object SSL Handshake Client Request Request Client Response Complete Complete Run #1 0 0.029248 10.685066 10.903246 Run #2 0 0.014124 7.753585 8.077432 Run #3 0 0.078561 8.305449 8.716218 Run #4 0 0.043642 7.057637 7.825997 Run #5 0 0.048526 9.740575 10.021231 Average 0 0.0428202 8.7084624 9.1088248

Figure 37. WMI Two Servers One Object Response Time

4.3.3 Three Servers Retrieving One WMI Object

The Three Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on SISDC, Secure, and Manager servers. The results are depicted in Figure

38. 54

14.000 12.000 10.000 s

d 8.000 n o c

e 6.000 S 4.000 2.000 0.000 WMI Object SSL Handshake Client Request Request Client Response Complete Complete Run #1 0 0.079186 10.587262 11.718099 Run #2 0 0.015713 8.886371 9.500771 Run #3 0 0.04537 7.200216 7.984139 Run #4 0 0.0214 7.053049 7.628529 Run #5 0 0.061156 8.477964 9.074975 Average 0 0.044565 8.4409724 9.1813026

Figure 38. WMI Three Servers One Object Response Time

4.3.4 One Server Retrieving Five WMI Objects

The One Server Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespace on SISDC. The results are depicted in Figure 39. 55

10.000

s 6.000 d n o c

e 4.000 S

Figure 39. WMI One Server Five Objects Response Time

4.3.5 Two Servers Retrieving Five WMI Objects

The Two Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespaces on SISDC and Secure servers. The results are depicted in Figure 40. 56

10.000

8.000 s

d 6.000 n o c

e 4.000 S 2.000

Figure 40. WMI Two Servers Five Objects Response Time

4.3.6 Three Servers Retrieving Five WMI Objects

The Three Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespaces on SISDC, Secure, and Manager servers. The results are depicted in Figure

41. 57

14.000 12.000 10.000 s

d 8.000 n o c

e 6.000 S 4.000 2.000 0.000 Monitor Systems SSL Handshake Client Request Request Client Response Complete Complete Run #1 0 0.062698 11.84065 13.021709 Run #2 0 0.014455 6.847666 8.026303 Run #3 0 0.040922 7.84767 8.019918 Run #4 0 0.021126 8.119083 8.692987 Run #5 0 0.04444 6.954645 7.008613 Average 0 0.0367282 8.3219428 8.953906

Figure 41. WMI Three Servers Five Objects Response Time

4.3.7 Server Trend For Retrieving One WMI Object

The Server Trend For Retrieving One WMI Object observation shows response time increase for querying one WMI Object relative to the number of WMI namespaces queried. The results are depicted in Figure 42. 58

Single WMI Object Response Time

10.000 8.000 s

d 6.000 n o

c 4.000 e S 2.000 0.000 SSL Handshake WMI Object Client Request Client Response Complete Request WMI 1X1 Avg 0 0.1127754 7.6887352 8.4533238 WMI 2X1 Avg 0 0.0428202 8.7084624 9.1088248 WMI 3X1 Avg 0 0.044565 8.4409724 9.1813026

Figure 42. Single WMI Object Server Trend

4.3.8 Server Trend For Retrieving Five WMI Objects

The Server Trend For Retrieving Five WMI Objects observation shows response time increase for querying five WMI Objects relative to the number of WMI namespaces queried. The results are depicted in Figure 43.

Five WMI Object Response Time

10.000 8.000 s

d 6.000 n o

c 4.000 e S 2.000 0.000 SSL Handshake WMI Object Client Request Client Response Complete Request WMI 1X5 Avg 0 0.0260516 7.7156208 8.2207732 WMI 2X5 Avg 0 0.02791 7.6518718 8.201081 WMI 3X5 Avg 0 0.0367282 8.3219428 8.953906

Figure 43. Five WMI Objects Server Trend Chapter 5

5 Lessons Learned

5.1 WMI Win32 Classes And CIM Schema Observations

The SIS-M research reviewed class hierarchy between CIM Schema classes and the inheritance usage into the WMI Win32 Class definitions. The SIS-M research observed some obscure findings as follows.

5.1.1 Win32_UserAccount

The SIM User / Security Common define classes to manage

 General contact and white pages information for organizations, organization

units and people

 “Users” of services, and the related security information to authenticate and

authorize those “users”

The two classes that represent the users’ access to system resources are

CIM_UsersAccess and CIM_Account [4]. However, Win32_UserAccount does not inherit from either of these two classes. The Win32_UserAccount inherits from

CIM_LogicalElement. Additionally, the CIM_LogicalElement class is the base class 60 for all system components that represent abstract system components, such as profiles, processes, or system capabilities, in the form of logical devices [7].

5.1.2 Win32 Formatted Performance Statistics

The CIM Schema Extension purpose is to provide vendors of Enterprise Management capabilities the avenue to integrate improvements into the CIM Core and Common

Models. The Win32 Formatted Performance Statistics classes used by the SIS-M prototype provided valuable information to the health and status monitoring capability within InformationAccess. The Win32 Formatted Performance Statistics classes inherit from the CIM_StatisticalInformation Class and appear to be candidates for CIM

Common Model Schema updates. However, the SIS-M research did not observe any of the classes Win32 Formatted Performance Statistics or equivalent in the CIM V2.1.2

Schema.

5.2 System Health And Status

The WMI capabilities enabled the SIS-M prototype to achieve health and status monitoring of distributed systems. Defining appropriate user account credentials for access to the remote servers’ WMI namespaces is the key to effectively retrieving valuable management information. The result of inaccurately defining user access credentials results in an obscure TargetInvocationException that is extremely difficult to troubleshoot.

The ActiveDirectoryMembershipProvider, the Membership, and MembershipUser classes combined with ASP.Net 2.0 capability provide a solution to accomplish remote 61

User Account Management. However, the more complex user management functionality does not currently exist. Therefore, an administrator must use the Active

Directory Users and Computers Management Console to add or remove groups and to change user group assignments.

5.4 RBAC Management

The AuthorizationStoreRoleProvider is a wrapper around a subset of the functionality available in Authorization Manager [8]. Therefore, the AzMan capability is not completely supported through the ASP.Net services and some Membership methods throw a NotSupportedException. Also, the SIS-M prototype user accounts must be of the User Principal Name (UPN) format @domain.com for AzMan to effectively apply access policy. The ASP.Net Forms Authentication, which is used in the SIS-M prototype, does not create a WindowsIdentity. Therefore, AzMan requires the full UPN to lookup user groups, permissions, and roles.

The Client-side certificate distribution capability is accomplished by the installation and configuration of Windows 2003 Server components. Specifically, an Enterprise

Certificate Authority (CA) integrated with Active Directory automatically fulfills client requests for certificates and installs the certificate within the remote system. However,

Public Key Infrastructure (PKI) Best Practices state that Root CAs should never be connected to the network to raise the security level of the CAs private key [17]. A PKI in most cases should be architected with an offline Root CA, one or more offline

Intermediate CAs, and one or more networked Issuing Enterprise CAs. Chapter 6

6 Future Research

6.1 Update SIS-M Architecture To Include A UNIX Server

The CIM and WBEM standards are being developed to guide Enterprise Management capabilities in heterogeneous enterprises. Therefore, the SIS-M prototype could be updated to include a UNIX server and an alternative CIM implementation to assess platform interoperability using two CIM and WBEM compliant implementations.

6.2 Update The SIS-M Prototype To The .Net 3.0 Framework

As identified in Section 5, Lessons Learned, some functionality in the .Net 2.0

Framework and ASP.Net 2.0 is not fully implemented and throws a

NotImplementedException. The SIS-M Prototype could be updated to evaluate additional functionality in the next evolution of the .Net Framework and ASP.Net.

6.3 Certificate Authority Architecture

As stated in section 5, a PKI in most cases should be architected with an offline Root

CA, one or more offline Intermediate CAs, and one or more networked Issuing 63

Enterprise CAs. Therefore a more robust CA architecture should be integrated in the

SIS-M prototype to assess and validate automated Client-side certificate distribution from an Issuing CA. Additionally, Certificate Services Web Enrollment pages can be customized by modifying certificate templates.

6.4 Implement Client-side Certificate Mapping

The SIS-M prototype uses Forms Authentication and Authorization Manager to determine identity, authenticate the user, and to authorize access. One-to-One certificate mapping can be used to authenticate users and grant or deny access to Web resources. Therefore, the SIS-M prototype can be updated to evaluate the certificate mapping functionality and assess the performance between both approaches of determining identity, authenticating users, and authorizing access. Chapter 7

7 Conclusion

The SIS-M research and prototype enabled 1) system health monitoring using Windows

Management Instrumentation (WMI), 2) user account management using the Active

Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net

2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side

Certificate distribution using Certificate Services.

7.1 System Health And Status Monitoring

The WMI capabilities provide sufficient information to create a health and status monitoring capability. However, as mentioned in Section 5.1.1, the WMI Win 32

Classes do not always inherit from the CIM Schema classes expected. The SIS-M research believes a reason for the observation may be the cost of integrating a standard into an existing product line could be prohibitive and not provide sufficient return on investment in the marketplace. 65

The user account management functionality satisfied the objectives for the SIS-M prototype and may be usable in a small enterprise setting. However, remote user account management does not currently have the fidelity to manage enterprises with many users. Therefore, the Active Directory Users & Computer application is still required to provide robust account management.

7.3 RBAC Management

SIS-M research concluded that AzMan addresses the five elements of the CORE RBAC

Standard using AzMan elements and capabilities identified in Table 2. SIS-M research also concluded that AzMan addresses the three key RBAC components by utilizing the

Authorization Manager Management Console for PAP, BizRules for PDP, and the

AuthorizationStoreRoleProvider and the Roles class for PEP.

The certificate services component within Windows 2003 server achieved all the functionality required in the SIS-M prototype to remotely distribute and automatically install client-side certificates to new users upon request. The SIS-M prototype instantiated only one networked CA and believes a PKI architecture with a Standalone

Root CA, isolated Intermediate CAs, and Enterprise Issuing CAs is required to verify the automated remote distribution of client-side certificates within a more robust architecture.

7.5 Performance Observations

The SIS-M prototype uses the .Net 2.0 Framework classes and other Windows 66 components to meet the objectives of this thesis. The objective of the performance analysis was to capture the performance of the .Net 2.0 Framework classes and

Windows components while accomplishing SIS-M’s InformationAccess web-based application tasks. Multiple performance observations were captured for WMI Object retrieval analysis. The SIS-M WMI performance results, described in section 4.3.7, show a 7.9% increase in HTTPS response time when querying for one WMI Object when executing the WMI query on the three servers, SISDC, Secure, and Manger. The performance results, described in section 4.3.8, show an 8.1% increase in HTTPS response time when querying for five WMI Objects when executing the WMI queries on the three servers. Section 4 describes the performance observation measurements. 8 Bibliography

1 Ganesh, G. and Chow, E. 2005. Secure Information Sharing Using Attribute

Certificates and Role Based Access Control.

2 DMTF Inc. 2006. CIM Schema Version 2.1.2. Portland: Distributed

Management Task Force Incorporated.

3 DMTF Inc. 2006. CIM Query Language Specification Version 1.0.

Portland: Distributed Management Task Force Incorporated.

4 DMTF Inc. and WBEM Solutions Inc. 2003. CIM Tutorial. Portland:

Distributed Management Task Force Incorporated and Pinehurst: WBEM Solutions

Incorporated.

5 Dept. of Computer Science and Engineering, POSTECH. 2004. Design of a

WBEM-based Management System for Ubiquitous Computing Servers.

6 Microsoft Corporation. 2007. WMI Architecture.

http://msdn.microsoft.com/en-us/library/aa394553.aspx (accessed July 2007)

7 Microsoft Corporation. 2007. WMI Win32 Classes.

http://msdn2.microsoft.com/en-us/library/aa394084.aspx (accessed July 2007).

8 Stefan Schackow. 2006. Professional ASP.NET 2.0 Security, Membership,

and Role Management. Indianapolis: Wiley Publishing Inc. 68

9 OASIS. 2007. Who We Are. http://www.oasis-open.org (accessed July

2007).

10 OASIS. 2005. eXtensible Access Control Markup Language (XACML)

Version 2.0, CORE Specification.

11 OASIS. 2005. Core and hierarchical role based access control (RBAC)

profile of XACML v2.0.

12 NIST. 2007. RBAC Standards Roadmap. http://csrc.nist.gov/rbac/rbac-stds-

roadmap.html (accessed August 2007).

13 Microsoft Corporation. 2007. Role-Based Access Control for Multi-tier

Applications Using Authorization Manager.

http://technet2.microsoft.com/windowsserver/en/library/72b55950-86cc-4c7f-8fbf-

3063276cd0b61033.mspx?mfr=true (accessed August 2007).

14 Microsoft Corporation. 2007. WMI .NET Architecture.

http://msdn2.microsoft.com/en-us/library/ms257361(VS.80).aspx (accessed August

2007).

15 Howie, J. 2006. Windows Server 2003 Certificate Services.

http://www.windowsitpro.com/Articles/ArticleID/49733/49733.html (accessed

August 2007).

16 Microsoft Corporation. 2007. Developing Applications Using Windows

Authorization Manager. http://msdn2.microsoft.com/en-us/library/aa480244.aspx

(accessed August 2007).

17 Microsoft Corporation. 2007. Best Practices for Implementing a Microsoft

Windows Server 2003 Public Key Infrastructure. http://technet2.microsoft.com. 69

(accessed September 2007).

18 Microsoft Corporation. 2007. Internet Information Services Security

Overview. http://msdn2.microsoft.com/en-us/library/ms951692.aspx#iissecure_ssl.

(accessed October 2007).

19 WindowsSecurity.com. 2007. Secure Socket Layer.

http://www.windowsecurity.com/articles/Secure_Socket_Layer.html. (accessed

October 2007).

20 WIRESHARK. 2007. Wireshark: What’s on your network?.

http://www.wireshark.org. (accessed October 2007).

21 Khaleel, O. 2007. Engine For Controlling Emergent Hierarchical Role-

Based Access (ENforCE HRBAccess). 9 APPENDIX A: Developer / User Guide

The Developer / User Guide information in this appendix is intended to provide additional information to users and developers for extending the research accomplished during the SIS-M prototype development. The appendix includes information about the

SIS-M prototype development environment and the SIS-M prototype user interface.

9.1 The SIS-M Prototype Environment

The SIS-M prototype environment resides within VMware Server, version 1.0.1. The architecture implemented for the SIS-M prototype is discussed in Section 3.3. The SIS-

M prototype is developed using three Windows 2003 Servers. Each of the servers runs

Windows 2003 Server Enterprise Edition, Service Pack 1. All SIS-M prototype software is written in C#, ASP.Net, and HTML. The Integrated Development

Environment (IDE) used to develop and debug the InformationAccess and

InformationSharing web-based applications is Visual Studio (VS) 2005. The

InformationAccess project resides on the server named Manager and the VS2005 Start

Page is depicted in Figure 44. The InformationSharing project resides on the server named Secure. 71

Figure 44. InformationAccess VS2005 Start Page

Both InformationAccess and InformationSharing execute within Internet Information

Services (IIS) 6.0. Therefore, the IIS Management Console is used for all the configuration settings for the two web-based applications. The IIS Management

Console depicting InformationSharing is shown in Figure 45. 72

Figure 45. InformationSharing IIS Management Console

Note that all three servers and at least one Windows XP client (SISCLI or SISMCLI) must be executing for the SIS-M prototype to be completely functional. The web applications can be accessed by the URIs specified below. The InformationSharing web-based application returns a 403.7 Forbidden – Client Certificate Required Error page unless a certificate from the server named Secure is already installed in Internet

Explorer.

 InformationAccess URI: https://Manager/InformationAccess

 InformationSharing URI: https://Secure/InformationSharing 73

9.2 SIS-M Prototype Administration

SIS-M prototype administration occurs on the Secure Information Sharing Domain

Controller (SISDC) server. The Active Directory Users and Computers Management

Console is depicted in Figure 46 and was used routinely to manipulate user account information within the SISMTHESIS domain.

Figure 46. SISDC Active Directoy Users and Computers

Additionally, the Authorization Manager Management Console (AzMan) was used to manipulate roles, operations, and tasks authorized for each user. AzMan, shown in

Figure 47, is invoked as depicted in Figure 48. 74

Figure 47. SISDC AzMan Console

Figure 48. Starting The AzMan Console

9.3 The InformationAccess Application

Entrance into the InformationAccess web-based application is achieved only by logging in with authenticated user credentials and the user attempting to gain access must be included in the SiteAdministrator Role. The login page for InformationAccess is depicted in Figure 49. 75

Figure 49. InformationAccess Login Page

SiteAdministrator users can login to InformationAccess and see the default page shown in Figure 50. Only users that are assigned to the SiteAdministrator role are able to access the Manage Users, Manage RBAC, RBAC Violations, and Monitor Systems resources identified in the Navigation sidebar. 76

Figure 50. InformationAccess Default Page

A user attempting to login to InformationAccess that is not part of the SiteAdministrator

Role will immediately be logged out and have the session terminated. Additionally, a

RBAC Policy Violation entry will be generated and stored in the Event Log as explained in section 9.4.

9.3.1 The InformationAccess SiteAdministrator Role

SiteAdministrator role membership is required to access the Manage Users, Manage

RBAC, RBAC Violoations, and Monitor Systems resources within InformationAccess.

The following sections identify InformationAccess’ remote management capabilities. 77

9.3.1.1 Manage Users Capability

The Manage Users capability, shown in Figure 51, includes functionality to create users

(Figure 52), delete users (Figure 53), and query for user account details (Figure 54).

Figure 51. InformationAccess Manage Users 78

Figure 52. InformationAccess Create User 79

Figure 53. InformationAccess Delete User 80

Figure 54. InformationAccess User Account Details Query Result

9.3.1.2 Manage RBAC Capability

The Manage RBAC capability, shown in Figure 55, provides the users within the

SiteAdministrator role the functionality to create roles (Figure 56), delete roles (Figure

57), add users to roles (Figure 58), query for users in roles (Figure 59), query for all the roles defined within the system (Figure 60), get all the roles for a particular user (Figure

61), determine if a user is in a particular role (Figure 62), and remove a user from a particular role (Figure 63). 81

Figure 55. InformationAccess Manage RBAC 82

Figure 56. InformationAccess Create Role 83

Figure 57. InformationAccess Delete Role 84

Figure 58. InformationAccess Add User To Role 85

Figure 59. InformationAccess Get Users In Role 86

Figure 60. InformationAccess Get All Roles 87

Figure 61. InformationAccess Get Roles For User 88

Figure 62. InformationAccess Is User In Role 89

Figure 63. InformationAccess Remove User From Role

9.3.1.3 Monitor Systems Capability

The Monitor Systems capability, available to users in the SiteAdministrator role, is the result of WMI Win32 Class attribute values being evaluated against a SIS-M implemented rule set to determine a status. The resulting status of the attribute analysis is displayed in the InformationAccess web-based application user interface, Figure 64. 90

Figure 64. InformationAccess Monitor Systems

9.3.1.4 Obtain Client-side Certificate

The SIS-M prototype automated remote client-side certificate distribution is accomplished by utilizing Windows 2003 Server components and Certificate Services.

The CertSrv web-based application has configuration attributes available in the IIS 91

Management Console. The SIS-M prototype requires a valid user account in the

SISMTHESIS domain prior to requesting a client-side certificate from the server named

Secure. The Enter Network Password dialog box is depicted in Figure 65.

Figure 65. CertSrv Password Protection

The Certificate Services Welcome page, shown in Figure 66, is presented to the authenticated user requesting a client-side certificate. 92

Figure 66. Certificate Services Welcome Page

The authenticated user selects the Request a certificate link and Figure 67 is displayed. 93

Figure 67. Certificate Services Request A Certificate Page

The authenticated user selects the User Certificate link and Figure 68 is displayed. No additional identifying information is required because the user is authenticated within the SISMTHESIS domain. 94

Figure 68. Certificate Services User Certificate Request Submission

The action of selecting the submission button results in a client-side certificate being issued to the user as shown in Figure 69. 95

Figure 69. Certificate Services Issued Certificate

The selection of the Install this certificate link results in a successful installation dialog box as shown in Figure 70. The user now has all the appropriate information to access the InformationSharing web-based application. However, the current browser session must be restarted before attempting to reconnect with InformationSharing and an

InformationAccess user with SiteAdministrator permissions must allocate the new user into the appropriate roles. 96

Figure 70. Certificate Services Successful Certificate Installation

The RBAC Policy Violation Archive supports the RBAC Management capability within

InformationAccess by providing users in the SiteAdministrator role the ability to view attempted accesses by unauthorized users. Only users belonging to the

SiteAdministrator role are able to log into InformationAccess. All other users attempting to log into InformationAccess create a RBAC Policy Violation Log entry and the session is immediately terminated. InformationSharing logs all user attempts to access or upload information without appropriate permissions. The RBAC Policy

Violation Archive is depicted in Figure 71. 97

Figure 71. RBAC Policy Violation Log

9.5 The InformationSharing Application

Accessing the InformationSharing resource and resources within the web-based application is accomplished in three steps.

 Creating an account through InformationAccess.

 Obtaining and installing a Client-side certificate from Certificate Service at the 98

URI https://Secure/CertSrv.

 Requesting and receiving membership enrollment by an InformationAccess

SiteAdministrator

InformationSharing returns an error page, shown in Figure 72, if the client attempting to gain access does not have a Client-side certificate installed.

Figure 72. InformationSharing Client-side Certificate Error

The user must authenticate against the SISMTHESIS domain by using

InformationSharing’s login page, Figure 73. 99

Figure 73. InformationSharing Login Page

An authenticated user is presented with InformationSharing’s default page, Figure 74, to request access to information contained within Authorization Manager’s defined roles. Note that not all roles available in Authorization Manager are presented to the user. By design, the SiteAdministrator role and the ReadOnly roles are not depicted.

Any user that is in a ReadOnly role still must request access to the information by using the role, Executive, Manager, etc, displayed in the selection list. 100

Figure 74. InformationSharing Default Page

Each of the roles displayed in the selection list maps to a storage location for information available in that role only. Therefore, a user must be a member of more than one role to obtain access to more than one storage location. After the user selects a role, the information available in that role storage area is presented to the user, Figure

75. 101

Figure 75. InformationSharing Access Secure Information Page

A RBAC Policy Violation Error Page is presented to the user if they are not a member of the role selected as depicted in Figure 76. 102

Figure 76. InformationSharing RBAC Policy Violation

A user that obtained access to a selected storage location based upon role selection may download files by selecting the Download File button. Additionally, a user with appropriate permissions can upload files into the storage location by selecting the File

Upload button, shown in Figure 77 and Figure 78. 103

Figure 77. InformationSharing File Upload Page 104

Figure 78. InformationSharing File Upload Browser