SECURE INFORMATION SHARING MANAGER

by

STEPHEN D. WISE

A thesis submitted to the Graduate Faculty of the

University of Colorado at Colorado Springs

in partial fulfillment of the

requirements for the degree of

Master Of Science

Department of Computer Science

2007

© Copyright By Stephen D. Wise 2007

All Rights Reserved

This thesis for the M.S. Of Computer Science degree by

Stephen D. Wise

has been Approved for the

Department of Computer Science by

______

Dr. C. Edward Chow, Chair

______

Dr. Jugal K. Kalita

______

Dr. Xiaobo Zhou

______ Date

Wise, Stephen D. (M.S., Computer Science)

Secure Information Sharing Manager

Thesis directed by Professor C. Edward Chow

The Secure Information Sharing Manager (SIS-M) prototype is an extension of the research accomplished for Secure Information Sharing Using Attribute Certificates and Role Based Access Control [1]. The SIS-M research emphasis is to prototype an Enterprise Management capability based upon Web Based Enterprise Management (WBEM) standards developed by the Distributed Management Task Force (DMTF). The SIS-M prototype utilizes the .NET 2.0 Framework and other components (ASP.Net 2.0, Internet Information Services (IIS) 6.0, Active Directory (AD), Certificate Services, and Windows Management Instrumentation (WMI)) to accomplish remote administration tasks in a web-based architecture. The research tasks are to enable 1) system health and status monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services. The SIS-M implementation, built within VMware Server Version 1.0.1, includes three Windows 2003 Servers to provide the WBEM and Secure Information Sharing (SIS) capabilities and two Windows XP clients that simulate external users that require access to the SIS-M or SIS websites for either remote site administration or remote information sharing.

CONTENTS

Chapter

1 Introduction ...... 1
1.1 Enterprise Management ...... 2
1.1.1 The Distributed Management Task Force ...... 2
1.1.2 The CIM and WBEM Standards ...... 4
1.2 Role Based Access Control ...... 5
1.2.1 The Organization for the Advancement of Structured Information Standards ...... 6
1.2.2 RBAC Standards ...... 6
1.2.3 Document Organization ...... 7
2 SIS-M Architecture Research ...... 9
2.1 WBEM Architecture ...... 9
2.2 SIS-M WBEM Implementation ...... 12
2.3 SIS-M User Account Management Implementation ...... 14
2.4 SIS-M RBAC Implementation ...... 15
2.5 SIS-M Client-side Certificate Distribution Implementation ...... 17
2.6 SIS-M Architecture Description ...... 17
3 SIS-M Implementation ...... 19
3.1 SIS-M Server and Client Specifications ...... 19
3.2 Virtual Network Topology ...... 20
3.3 SIS-M Architecture ...... 20
3.3.1 The Domain Controller ...... 21
3.3.2 The Management Server ...... 22
3.3.3 The Secure Information Server ...... 22
3.4 System Health and Status Monitoring ...... 23
3.4.1 Establishing WMI Namespace Connectivity ...... 27
3.4.1.1 WMI Connection Options ...... 28
3.4.1.2 Building A WMI Namespace Path ...... 28
3.4.1.3 Instantiating WMI Management Scope ...... 29
3.4.2 Building And Executing A WMI Query ...... 29
3.5 User Account Management ...... 31
3.5.1 InformationAccess User Management Capability ...... 32
3.5.1.1 Creating Users ...... 32
3.5.1.2 Deleting Users ...... 33
3.5.1.3 User Account Details ...... 33
3.6 Role Based Access Control Management ...... 34
3.6.1 InformationAccess RBAC Management Capability ...... 35
3.6.2 Create Role ...... 35
3.6.3 Delete Role ...... 36
3.6.4 Add User To Role ...... 37
3.6.5 Get Users In Role ...... 37
3.6.6 Get All Roles ...... 38
3.6.7 Get Roles For User ...... 39
3.6.8 Is User In Role ...... 40
3.6.9 Remove User From Role ...... 41
3.7 Client-side Certificate Distribution ...... 41
3.8 RBAC Policy Violation Archive ...... 42
3.8.1 Event Log Creation ...... 42
3.8.2 Writing Event Log Entries ...... 42
3.8.3 Deleting Event Log Entries ...... 43
3.9 InformationSharing Web Application ...... 44
4 Performance Observations ...... 49
4.1 RBAC Policy Violation Archive ...... 49
4.2 RBAC Management ...... 50
4.3 Health And Status Monitoring ...... 51
4.3.1 One Server Retrieving One WMI Object ...... 52
4.3.2 Two Servers Retrieving One WMI Object ...... 53
4.3.3 Three Servers Retrieving One WMI Object ...... 54
4.3.4 One Server Retrieving Five WMI Objects ...... 55
4.3.5 Two Servers Retrieving Five WMI Objects ...... 56
4.3.6 Three Servers Retrieving Five WMI Objects ...... 57
4.3.7 Server Trend For Retrieving One WMI Object ...... 58
4.3.8 Server Trend For Retrieving Five WMI Objects ...... 59
5 Lessons Learned ...... 60
5.1 WMI Win32 Classes And CIM Schema Observations ...... 60
5.1.1 Win32_UserAccount ...... 60
5.1.2 Win32 Formatted Performance Statistics ...... 61
5.2 System Health And Status ...... 61
5.3 User Account Management ...... 61
5.4 RBAC Management ...... 62
5.5 Client-side Certificate Distribution ...... 62
6 Future Research ...... 64
6.1 Update SIS-M Architecture To Include A UNIX Server ...... 64
6.2 Update The SIS-M Prototype To The .Net 3.0 Framework ...... 64
6.3 Certificate Authority Architecture ...... 64
6.4 Implement Client-side Certificate Mapping ...... 65
7 Conclusion ...... 66
7.1 System Health And Status Monitoring ...... 66
7.2 User Account Management ...... 66
7.3 RBAC Management ...... 67
7.4 Client-side Certificate Distribution ...... 67
7.5 Performance Observations ...... 67
8 Bibliography ...... 69
9 APPENDIX A: Developer / User Guide ...... 72
9.1 The SIS-M Prototype Environment ...... 72
9.2 SIS-M Prototype Administration ...... 74
9.3 The InformationAccess Application ...... 76
9.3.1 The InformationAccess SiteAdministrator Role ...... 79
9.3.1.1 Manage Users Capability ...... 79
9.3.1.2 Manage RBAC Capability ...... 82
9.3.1.3 Monitor Systems Capability ...... 91
9.3.1.4 Obtain Client-side Certificate ...... 92
9.4 RBAC Policy Violation Archive ...... 98
9.5 The InformationSharing Application ...... 99

TABLES

Table

Table 1. SIS-M WBEM Implementation Survey Results ...... 12
Table 2. Authorization Manager RBAC Elements ...... 17
Table 3. SIS-M Virtual Machine Specifications ...... 20

FIGURES

Figure

Figure 1. DMTF Technology Diagram ...... 3
Figure 2. Summary WBEM Architecture ...... 10
Figure 3. WBEM Implementation Evaluation ...... 11
Figure 4. WMI Architecture ...... 13
Figure 5. SIS-M Virtual Network Topology ...... 20
Figure 6. The Trusted Subsystem Model ...... 21
Figure 7. Summary Architecture ...... 23
Figure 8. WMI Tiers ...... 24
Figure 9. Server Health And Status Attributes ...... 25
Figure 10. Health And Status Rules ...... 27
Figure 11. SIS-M WMI Connection Creation ...... 28
Figure 12. SIS-M WMI Connection Attributes ...... 29
Figure 13. SIS-M WMI Query Objects ...... 30
Figure 14. WMI Query Execution ...... 31
Figure 15. Active Directory Connection ...... 32
Figure 16. Create User Wizard Definition ...... 33
Figure 17. Membership Delete User ...... 33
Figure 18. Authorization Manager Connection ...... 35
Figure 19. Create Role ...... 36
Figure 20. Delete Role ...... 37
Figure 21. Add User To Role ...... 37
Figure 22. Get Users In Role ...... 38
Figure 23. Get All Roles ...... 39
Figure 24. Get Roles For User ...... 40
Figure 25. Is User In Role ...... 41
Figure 26. Remove User From Role ...... 41
Figure 27. EventViewer Log File Creation ...... 42
Figure 28. Event Log Entry Creation ...... 43
Figure 29. Event Log Entry Deletion ...... 43
Figure 30. IIS Two-way Authentication Handshake ...... 45
Figure 31. Custom 403.7 Error Configuration ...... 46
Figure 32. InformationSharing Controls ...... 47
Figure 33. InformationSharing RBAC Policy Check ...... 48
Figure 34. RBAC Policy Violation Entry Retrieval ...... 50
Figure 35. RBAC Management Request Time ...... 51
Figure 36. WMI One Server One Object Response Time ...... 53
Figure 37. WMI Two Servers One Object Response Time ...... 54
Figure 38. WMI Three Servers One Object Response Time ...... 55
Figure 39. WMI One Server Five Objects Response Time ...... 56
Figure 40. WMI Two Servers Five Objects Response Time ...... 57
Figure 41. WMI Three Servers Five Objects Response Time ...... 58
Figure 42. Single WMI Object Server Trend ...... 59
Figure 43. Five WMI Objects Server Trend ...... 59
Figure 44. InformationAccess VS2005 Start Page ...... 73
Figure 45. InformationSharing IIS Management Console ...... 74
Figure 46. SISDC Active Directory Users and Computers ...... 75
Figure 47. SISDC AzMan Console ...... 76
Figure 48. Starting The AzMan Console ...... 76
Figure 49. InformationAccess Login Page ...... 77
Figure 50. InformationAccess Default Page ...... 78
Figure 51. InformationAccess Manage Users ...... 79
Figure 52. InformationAccess Create User ...... 80
Figure 53. InformationAccess Delete User ...... 81
Figure 54. InformationAccess User Account Details Query Result ...... 82
Figure 55. InformationAccess Manage RBAC ...... 83
Figure 56. InformationAccess Create Role ...... 84
Figure 57. InformationAccess Delete Role ...... 85
Figure 58. InformationAccess Add User To Role ...... 86
Figure 59. InformationAccess Get Users In Role ...... 87
Figure 60. InformationAccess Get All Roles ...... 88
Figure 61. InformationAccess Get Roles For User ...... 89
Figure 62. InformationAccess Is User In Role ...... 90
Figure 63. InformationAccess Remove User From Role ...... 91
Figure 64. InformationAccess Monitor Systems ...... 92
Figure 65. CertSrv Password Protection ...... 93
Figure 66. Certificate Services Welcome Page ...... 94
Figure 67. Certificate Services Request A Certificate Page ...... 95
Figure 68. Certificate Services User Certificate Request Submission ...... 96
Figure 69. Certificate Services Issued Certificate ...... 97
Figure 70. Certificate Services Successful Certificate Installation ...... 98
Figure 71. RBAC Policy Violation Log ...... 99
Figure 72. InformationSharing Client-side Certificate Error ...... 100
Figure 73. InformationSharing Login Page ...... 101
Figure 74. InformationSharing Default Page ...... 102
Figure 75. InformationSharing Access Secure Information Page ...... 103
Figure 76. InformationSharing RBAC Policy Violation ...... 104
Figure 77. InformationSharing File Upload Page ...... 105
Figure 78. InformationSharing File Upload Browser ...... 106

Chapter 1

1 Introduction

The Network Information and Space Security Center (NISSC) provided a grant to UCCS to study and implement a Secure Information Sharing (SIS) capability based upon a multi-tiered web architecture. The SIS project objective was to create a web-based implementation proof of concept to share information using Public Key Certificates (PKC) and Attribute Certificates (AC) to allow multiple agencies to share information securely based upon access rights defined in Role Based Access Control (RBAC) policies. The research accomplished in Secure Information Sharing Using Attribute Certificates and Role Based Access Control [1] satisfied the objectives identified in the NISSC grant. Additional PKC and AC research accomplished in ENgine FOR Controlling Emergent Hierarchical Role-Based Access [21] extended the concepts identified in support of the NISSC grant. The Secure Information Sharing Manager (SIS-M) research accomplished in this thesis is focused on Enterprise Management in a secure information sharing environment. The research and associated prototype are to demonstrate remote web-based System Administrator functionality for a Windows 2003 Server enterprise using the .Net 2.0 Framework and other Microsoft Windows 2003 Server components. A successful prototype enables 1) system health monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services.

1.1 Enterprise Management

The Enterprise Management problem evolved as the Information Technology (IT) industry matured. Each IT vendor, in an effort to expedite products to market, created proprietary enterprise management capabilities that do not easily integrate with other vendors’ capabilities. The results of rapid IT infrastructure maturation and evolution created corporate infrastructures that contain multiple vendor capabilities that are managed uniquely. The lack of an Enterprise Management standard is increasing corporate overhead costs to manage multiple unique systems and applications. This situation is currently impeding the ability of many companies to evolve their current systems to accommodate new business requirements and organizational needs [4].

1.1.1 The Distributed Management Task Force

The Distributed Management Task Force, Inc. (DMTF) is the industry organization leading the development of management standards and the promotion of interoperability for enterprise and Internet environments. DMTF standards provide a common management infrastructure and components for instrumentation, control, and communication in a platform-independent and technology neutral way [4]. The DMTF Technology Diagram depicted in Figure 1 shows the relationships among Management Initiatives, Web Based Enterprise Management (WBEM), and the Common Information Model (CIM).

Figure 1. DMTF Technology Diagram

The Common Information Model (CIM) is the foundation for the DMTF technology solution to distributed enterprise management and describes computing and business entities in Internet, enterprise, and service provider environments. Web-Based Enterprise Management (WBEM) is a set of management and Internet standard technologies developed to unify the management of distributed computing environments. WBEM standards facilitate the exchange of CIM information in an interoperable and efficient manner. Management Initiatives are designed to deliver market specific solutions such as the Storage Networking Industry Association (SNIA) Storage Management Initiative (SMI) [4].

1.1.2 The CIM and WBEM Standards

The CIM Schema is comprised of the Core Model, the Common Model, and Schema Extensions [2] [4] as identified below.

• The Core Model captures notions that are applicable to all areas of management. The Core Model is a set of classes, associations, properties, and methods that provide a basic vocabulary for describing managed systems. The Core Model represents a starting point for determining how to extend the Common schema.

• The Common Models are information models that capture notions that are common to particular management areas, but independent of any particular technology or implementation. Examples of common models include systems, applications, networks, and devices. The classes, associations, properties, and methods in the Common Models are intended to provide a view of the area that is detailed enough to use as a basis for program design and, in some cases, implementation.

• Extension Schemas represent technology-specific extensions of the common models. These schemas are specific to environments, such as operating systems. It is expected that the Common Models will evolve as a result of the promotion of objects and properties defined in the Extension Schemas.

The WBEM standards are focused on management and Internet standard technologies to accomplish CIM information exchange in an interoperable and efficient manner. WBEM standards include:

• Mappings
  o URI: WBEM URI Mapping Specification 1.0, DSP0207
  o XML: Representation of CIM using XML 1.2, DSP0201
• Protocols
  o CIM-XML: CIM Operations over HTTP 1.2, DSP0200
  o CLP: Command Line Protocol 1.0, DSP0214
• Discovery
  o SLP: WBEM Discovery using SLP, DSP0205
• Query Language
  o CIM Query Language 1.0, DSP0202

The SIS-M prototype utilizes data in the CORE Model, the CIM Query Language, and a SIS-M developed health and status rule set to determine Windows 2003 Server health in SIS-M’s web-based enterprise.

1.2 Role Based Access Control

Corporate infrastructures of today include many disparate domains of corporate information, and corporations associate some value with each type of information available within their enterprise infrastructure. Sensitive corporate information includes corporate strategy, intellectual property, human resources, and supplier information. Role Based Access Control (RBAC) standards provide a solution for access management within corporate infrastructures. RBAC maps user job roles to application permissions so that access control administration can be accomplished in terms of the job role of users [1]. The result of a sound RBAC implementation within a corporate infrastructure is secure information access by organizational and job responsibility.

1.2.1 The Organization for the Advancement of Structured Information Standards

The Organization for the Advancement of Structured Information Standards (OASIS) is a not-for-profit consortium that drives the development, convergence and adoption of the open standards for the global information society [9]. OASIS’s Extensible Access Control Markup Language (XACML) specification describes building blocks that may be used to implement the various elements of the RBAC model presented in ANSI/INCITS 359 [12] according to The National Institute of Standards and Technology (NIST).

1.2.2 RBAC Standards

Core RBAC requires support for multiple users per role, multiple roles per user, multiple permissions per role, and multiple roles per permission. The OASIS XACML specification addresses ANSI CORE RBAC requirements with the following five basic elements [10].

• Users are implemented as XACML Subjects.
• Roles are expressed using one or more XACML Subject Attributes.
• Objects are expressed using XACML Resources.
• Operations are expressed using XACML Actions.
• Permissions are expressed using XACML Role Policy Sets and Permission Policy Sets.

XACML addresses Hierarchical RBAC requirements by implementing role inheritance based upon a Policy Set Id Reference where senior roles can inherit permissions from junior roles [1].

In addition to the five RBAC elements defined within the standard, three key components are emphasized to accomplish controlled access to information. The components are [11]:

• Policy Administration Point (PAP): The system entity that creates a policy or policy set.
• Policy Decision Point (PDP): The system entity that evaluates policy and renders an authorization decision.
• Policy Enforcement Point (PEP): The system entity that performs access control, by making decision requests and enforcing authorization decisions.

1.2.3 Document Organization

The remainder of this document is organized as follows: Chapter 2 presents information regarding WBEM and RBAC as the technologies apply to the SIS-M prototype. Chapter 3 describes the System Health and Status Monitoring, User Account Management, Role Based Access Control Management, Client-side Certificate Distribution, and RBAC Policy Violation Archive capabilities implemented within the SIS-M prototype. Chapter 4 contains performance observations for accessing .Net 2.0 Framework classes and Windows components utilized within the SIS-M prototype. Chapter 5 identifies lessons learned about Microsoft’s WBEM implementation, WMI, and other Windows components utilized within the SIS-M prototype. Chapter 6 recommends SIS-M prototype updates for future research. Conclusions regarding the SIS-M prototype research and implementation are included in Chapter 7. Finally, Appendix A contains information for developers and users.

Chapter 2

2 SIS-M Architecture Research

The DMTF standards identified the Enterprise Management requirement set for the SIS-M prototype. There are several Commercial and Open Source WBEM implementations and each has a varying degree of DMTF standards compliance. A driving SIS-M requirement identified during Secure Information Sharing Using Attribute Certificates and Role Based Access Control [1] research was to implement the SIS-M capabilities on a Windows platform. Therefore, the WBEM implementation utilized by SIS-M must provide the maximum capability possible in a Windows environment and comply with DMTF standards. The result of the WBEM analysis identified the direction for all other architecture decisions.

2.1 WBEM Architecture

The WBEM architecture is not bound to a particular implementation. A standards compliant WBEM environment based on CIM standards is depicted in Figure 2 and includes:

• The CIM Client is used to obtain management information by querying CIM/WBEM Servers.
• The CIM/WBEM Server provides CIM data, upon requests, to CIM clients locally or remotely.
• The CIM Object Manager maintains a repository of CIM data on the CIM/WBEM Servers.
• The Providers implement one or more aspects of the CIM Schema that abstracts the hardware and software implementation away from the CIM clients.

Figure 2. Summary WBEM Architecture

The SIS-M research surveyed two WBEM implementations, WBEM Services and WMI, for the SIS-M prototype. Additionally, research depicted in Figure 3, from the Design of a WBEM-based Management System for Ubiquitous Computing Servers [5], provided useful information to narrow SIS-M’s WBEM implementation survey.

Figure 3. WBEM Implementation Evaluation

The SIS-M WBEM implementation survey used the driving requirement of operability within a Windows environment as the discriminating attribute to determine the SIS-M WBEM implementation decision. As noted in Table 1, the SIS-M WBEM survey did not identify WBEM Services providers for managed elements within the Windows environment while multiple WMI providers existed for each managed element the SIS-M prototype intended to monitor. Therefore, WMI was chosen as the WBEM infrastructure for the SIS-M prototype.

WBEM Implementation Attribute          WMI              WBEM Services
Executes In Windows 2003 Environment   Yes              Yes
Supporting Tool Set                    WMI CIM Studio   CIM Workshop
Operating System Providers Available   Yes              No
CPU Providers Available                Yes              No
Disk Providers Available               Yes              No
Developer Documentation Available      Yes              Yes

Table 1. SIS-M WBEM Implementation Survey Results

2.2 SIS-M WBEM Implementation

The SIS-M Health and Status monitoring capability is a management application that integrates rules to evaluate Windows 2003 Server WBEM elements to determine health and status of a given server. The SIS-M Health and Status monitoring capability utilizes the Microsoft WMI Architecture [6] and is depicted in Figure 4.

Figure 4. WMI Architecture

The SIS-M Health and Status Monitoring capability is divided into three summary categories, Operating System, CPU, and Disk. Five WMI Win32 classes reside within the WMI CIMOM, also known as the WMI CORE, and are used to derive SIS-M’s health and status within the three summary categories.

• Operating System
  o The WMI Win32_ComputerSystem class represents a computer system running Windows [7].
  o The WMI Win32_PerfFormattedData_PerfOS_Memory class provides pre-calculated performance data from the performance counters that monitor the physical and virtual memory on the computer. Physical memory is the amount of random access memory (RAM) on the computer. Virtual memory consists of space in physical memory and on disk [7].
• CPU
  o The WMI Win32_Processor class represents a device that can interpret a sequence of instructions on a computer running on a Windows operating system [7].
• Disk
  o The WMI Win32_DiskDrive class represents a physical disk drive as seen by a computer running the Windows operating system [7].
  o The WMI Win32_PerfFormattedData_PerfDisk_PhysicalDisk class provides pre-calculated data from performance counters that monitor hard or fixed disk drives on a computer. Disks store file, program, or paging data and are read to retrieve these items, and written to record changes to them. The values of physical disk counters are sums of the values of the logical disks, also known as partitions, into which they are divided [7].

2.3 SIS-M User Account Management Implementation

The SIS-M User Account Management capability, based upon the decision to utilize WMI for health and status monitoring, is accomplished using Active Directory and the ActiveDirectoryMembershipProvider implemented within a SIS-M ASP.Net 2.0 application. The ActiveDirectoryMembershipProvider functionality includes [8]:

• Creating new users and passwords.
• Storing membership information in Active Directory.
• Authenticating users who visit your site programmatically or by utilizing ASP.Net login controls.
• Creating, changing, and resetting user account passwords.
• Exposing a unique identifier for authenticated users that can be used in ASP.Net personalization and role management.
• Specifying a custom membership provider that allows for system unique membership functionality.

The ActiveDirectoryMembershipProvider interfaces with Active Directory using LDAP commands. This means that the provider is always pointed at the root of some container, and all provider operations occur within that single container [8]. Therefore, the ActiveDirectoryMembershipProvider and the MembershipUser class in the System.Web.Security namespace are used to create, delete, and retrieve user details in the SIS-M User Account Management application.

2.4 SIS-M RBAC Implementation

The SIS-M RBAC Management capability leverages the Windows 2003 Server component called the Authorization Manager (AzMan) and the AuthorizationStoreRoleProvider capability within ASP.Net 2.0. AuthorizationStoreRoleProvider is a wrapper around a subset of the functionality available in Authorization Manager [8] and facilitates role and policy access through the Roles class within the System.Web.Security namespace. AzMan contains the following list of attributes and capabilities to manage and enforce authorization policy [13].

• Operation: A low-level permission that a resource manager uses to identify security procedures.
• Task: A collection of low-level operations.
• Role Definition: A collection of permissions that are needed for a particular role, where permissions can be tasks or operations.
• Role: The set of permissions that users must have to be able to do their job.
• BizRules: The set of rules / scripts that are attached to a task object that is run at the time of the access request.
• Scope: A collection of objects or resources with a distinct authorization policy.
• Application Groups: Groups that are applicable only to an authorization store.
• Application Basic Groups: A subset of application groups. A list of members (Active Directory Users or groups or other application groups).
• LDAP-query Groups: A subset of application groups. Groups that are defined by a Lightweight Directory Access Protocol (LDAP) query on a given Active Directory user’s account attributes.

AzMan policy stores are either integrated into Active Directory, the implementation used in SIS-M, or created as standalone XML files. AzMan addresses the five elements of the CORE RBAC Standard using AzMan elements and capabilities identified in Table 2.

Table 2. Authorization Manager RBAC Elements

AzMan addresses the three key RBAC components by utilizing the Authorization Manager Management Console for PAP, BizRules for PDP, and the AuthorizationStoreRoleProvider and the Roles class for PEP.
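The PEP side of that mapping, as an added example that is not code from the thesis: an ASP.Net 2.0 helper that asks the Roles class (backed by AuthorizationStoreRoleProvider and the AD-integrated AzMan store) whether the Forms-authenticated user holds the required role, and records each denial in an event log in the manner of the RBAC Policy Violation Archive. The store path, role, log and source names are assumptions for illustration.

```csharp
// Added example, not from the SIS-M thesis.  Assumed web.config wiring:
//   <connectionStrings>
//     <add name="AzManStore"
//          connectionString="msldap://SISDC.sismthesis.com/CN=SISMStore,CN=Program Data,DC=sismthesis,DC=com" />
//   </connectionStrings>
//   <roleManager enabled="true" defaultProvider="AzManProvider">
//     <providers>
//       <add name="AzManProvider" type="System.Web.Security.AuthorizationStoreRoleProvider"
//            connectionStringName="AzManStore" applicationName="InformationSharing" />
//     </providers>
//   </roleManager>
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public static class RbacEnforcementPoint
{
    // Assumed log and source names; the thesis's own names are not reproduced here.
    private const string ViolationLog = "SIS-M RBAC Violations";
    private const string ViolationSource = "InformationSharing";

    // PEP: returns true when the authenticated user holds the role the resource requires.
    // The decision itself comes from the AzMan policy store through
    // AuthorizationStoreRoleProvider (PDP); the policy is authored in the AzMan console (PAP).
    public static bool Authorize(HttpContext context, string requiredRole, string resource)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            return false; // Forms Authentication has not established an identity yet.
        }

        string userName = context.User.Identity.Name;
        if (Roles.IsUserInRole(userName, requiredRole))
        {
            return true;
        }

        RecordViolation(userName, requiredRole, resource, context.Request.UserHostAddress);
        return false;
    }

    // One FailureAudit entry per denied request, so the archive can be retrieved later.
    private static void RecordViolation(string userName, string requiredRole,
                                        string resource, string clientAddress)
    {
        if (!EventLog.SourceExists(ViolationSource))
        {
            // Registering a source needs administrative rights; under the Trusted
            // Subsystem Model the site administrator does this once, not per request.
            EventLog.CreateEventSource(ViolationSource, ViolationLog);
        }

        string message = string.Format(
            "RBAC policy violation: user '{0}' from {1} requested '{2}' without role '{3}' at {4:u}",
            userName, clientAddress, resource, requiredRole, DateTime.UtcNow);
        EventLog.WriteEntry(ViolationSource, message, EventLogEntryType.FailureAudit);
    }
}

// Usage from a protected page (assumed role name taken from the SiteAdministrator role
// named in Appendix A):
public partial class ManageRbacPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!RbacEnforcementPoint.Authorize(Context, "SiteAdministrator", Request.Path))
        {
            Response.Redirect("~/AccessDenied.aspx"); // assumed page
        }
    }
}
```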

2.5 SIS-M Client-side Certificate Distribution Implementation

The SIS-M Client-side Certificate Distribution capability is accomplished using the Windows 2003 Server Certificate Authority component. An enterprise Certificate Authority (CA) is fully integrated with Active Directory. Through a process called autoenrollment, a CA can automatically issue certificates to either users or computers without administrative intervention [15]. SIS-M issues client-side certificates remotely using the CertSrv website within the Windows 2003 Server CA component.

2.6 SIS-M Architecture Description

The SIS-M architecture, implemented as a result of the architecture research to satisfy the SIS-M prototype capabilities of 1) system health monitoring, 2) user account management, 3) Role Based Access Control (RBAC) management and enforcement, and 4) automated Client-side Certificate distribution, is comprised of three servers utilizing various Windows 2003 Server components. The SIS-M prototype web-based infrastructure enables remote access for the site administrator and SIS user and is implemented using Windows 2003 Server components, Active Directory, ASP.Net 2.0, Internet Information Services 6.0, WMI, and Certificate Services.

SIS-M’s functional decomposition and allocation to infrastructure components and capabilities is summarized below.

• System health and status monitoring is accomplished using WMI and a rule set implemented as part of the SIS-M prototype.
• User account management is accomplished using Active Directory and the ActiveDirectoryMembershipProvider included within ASP.Net 2.0.
• RBAC management and enforcement is accomplished using ASP.Net 2.0 Forms Authentication, the Authorization Manager, and the AuthorizationStoreRoleProvider.
• Automated Client-side certificate distribution is accomplished using the Windows 2003 Server Certificate Authority components.

Chapter 3

3 SIS-M Implementation

The SIS-M implementation is contained within a VMware Server Version 1.0.1 environment. All implementation and SIS-M prototype functional and performance evaluation occurred within the VMware environment. The SIS-M implementation includes three Windows 2003 Servers and two Windows XP clients. The clients simulate external users that require access to the SIS-M and/or SIS websites for remote site administration, remote secure information sharing, or remote information access.

3.1 SIS-M Server and Client Specifications

The Windows 2003 Server and Windows XP client specifications were created by defining Virtual Machine Settings in the VMware Server console. Each SIS-M virtual machine contained two Network Interface Cards, one bridged to establish connectivity outside of the virtual environment, the other to communicate machine-to-machine within the SISMTHESIS.com domain. Table 3 lists the SIS-M virtual machine specifications.

Table 3. SIS-M Virtual Machine Specifications

3.2 Virtual Network Topology

Figure 5 depicts the virtual network topology used for SIS-M development. The Windows XP clients, SIS-M Client and SIS Client, are instantiated external to the SISMTHESIS domain.

Figure 5. SIS-M Virtual Network Topology

3.3 SIS-M Architecture

The SIS-M architecture supports all the functionality to meet the objectives identified for the SIS-M research, including 1) system health monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services. The SIS-M architecture prohibits direct client access to any backend resource using the Trusted Subsystem Model [16] as depicted in Figure 6.

Figure 6. The Trusted Subsystem Model

The Trusted Subsystem Model requires that all resources be accessed by an ASP.Net worker process with appropriate authorization and credentials rather than with the credentials associated with the authorized external user. The worker process is responsible for retrieving all requested resources once the client is authorized within the domain.

3.3.1 The Domain Controller

The Secure Information Sharing Domain Controller (SISDC) server utilizes Active Directory and contains all user information and AzMan Policies. The server name is SISDC.sismthesis.com.

3.3.2 The Management Server

The Secure Information Sharing Manager capability resides within the server named Manager. The SIS-M capabilities are implemented in a web-based application called InformationAccess. The capabilities implemented in the InformationAccess web application include Manage Users, Manage RBAC, RBAC Violations, and Monitor Systems. The URL for InformationAccess is https://Manager/InformationAccess. The InformationAccess capability uses server-side certificates to facilitate secure communications between the client and SIS-M. The server name for Manager is Manager.sismthesis.com.

3.3.3 The Secure Information Server

The Secure Information Sharing capability resides within the server named Secure. The SIS capabilities are implemented in a web-based application called InformationSharing. The URL for InformationSharing is https://Secure/InformationSharing. The InformationSharing capability requires client-side certificates to establish a connection. Additionally, this server contains the CA capability and distributes the client-side certificates from another web-based application with the URL https://Secure/certsrv. The server name is Secure.sismthesis.com.

Figure 7 summarizes the architecture implemented during the SIS-M prototype development.

Figure 7. Summary Architecture

3.4 System Health and Status Monitoring

The System Health and Status Monitoring capability resides within the InformationAccess web-based application of SIS-M. The capability integrates into the WMI functionality through the System.Management namespace. Figure 8 generically depicts the WMI Tiers [14] and the approach used for ASP.Net applications to interface with WMI through the System.Management namespace. This is the approach implemented in InformationAccess and the data path for all health and status monitoring information.

Figure 8. WMI Tiers

Each Windows 2003 Server within SIS-M’s enterprise is evaluated by the summary categories of Operating System, CPU, and Disk. The WMI Win32 Classes and class properties are depicted in Figure 9.

Figure 9. Server Health And Status Attributes

The information provided by each attribute is listed below [7].

• The Win32_ComputerSystem Status property provides the current operational status of the Win32_ComputerSystem object.

• The Win32_PerfFormattedData_PerfOS_Memory AvailableMBytes property provides the amount of physical memory available to processes running on the computer, in megabytes. It is calculated by summing the space on the Zeroed, Free, and Standby memory lists. Free memory is ready for use; Zeroed memory contains memory pages filled with zeros to prevent later processes from seeing data used by a previous process. Standby memory is memory removed from a process’ working set, but is still available to be recalled. This property provides the last observed value only; it is not an average.

• The Win32_Processor Status property provides the current operational status of the Win32_Processor object.

• The Win32_Processor Availability property provides the availability and status of the device.

• The Win32_Processor LoadPercentage property provides the load capacity of each processor, averaged over the last second, where processor loading is the total computing burden for each processor at one time.

• The Win32_DiskDrive Status property provides the current operational status of the Win32_DiskDrive object.

• The Win32_PerfFormattedData_PerfDisk_PhysicalDisk PercentIdleTime property provides the percentage of time during the sample interval that the disk was idle.

The WMI Win32 Classes property values are assessed against a SIS-M implemented rule set, Figure 10, to determine a SIS-M status for each attribute. The resulting status of the attribute analysis is displayed in the InformationAccess web-based application user interface.

Figure 10. Health And Status Rules

3.4.1 Establishing WMI Namespace Connectivity

WMI namespace connectivity is established by creating a connection options object, identifying the WMI namespace path, and instantiating a management scope. Figure 11 shows the server connection algorithm for InformationAccess.

Figure 11. SIS-M WMI Connection Creation

3.4.1.1 WMI Connection Options

WMI connections require a username, password, a connection authority address string to validate user credentials for authorized WMI namespace access, and a namespace path.

3.4.1.2 Building A WMI Namespace Path

The WMI namespace path is the combination of the server name and the WMI namespace. SIS-M’s InformationAccess web-based application retrieves the WMI Win32 class information from the root/CIMV2 namespace on each server. The host executing the application that requests management information does not require a connection scope because the host’s management namespaces are already within scope and accessible by local query objects with appropriate user credentials.

3.4.1.3 Instantiating WMI Management Scope

The WMI management scope connection requires a valid WMI namespace path and validated user credentials with permissions to access the requested information. A TargetInvocationException is thrown if the WMI connection information is not accurate. An XmlDocument object is used to retrieve the connection information for each server. The SIS-M implemented XML document is shown in Figure 12.

Figure 12. SIS-M WMI Connection Attributes

3.4.2 Building And Executing A WMI Query

CIM and WBEM support a query mechanism that is used to select sets of properties from CIM object instances stored within the CIMOM or WMI Core. Query definitions allow a WBEM client to specify the nature and the number of instances that are selected and what information is returned from those instances. This enables a WBEM managed environment to place less burden on the network infrastructure [3]. The SIS-M query objects are shown in Figure 13.

Figure 13. SIS-M WMI Query Objects

The InformationAccess web-based application requests all the properties within each CIM object instance in the query for each server in the enterprise. The WMI namespace connection scope and the query object are required to invoke a request for management information. See Figure 14. Upon successful execution, a ManagementObjectCollection is returned with the properties necessary to evaluate against SIS-M’s health and status rules.

Figure 14. WMI Query Execution
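The connection steps of section 3.4.1 and the query execution of section 3.4.2 carried through end to end, as an added example that is not SIS-M’s own code: the server names follow the thesis, while the monitoring account, the DCOM authentication and impersonation settings, the thresholds and the Healthy/Degraded labels standing in for the Figure 10 rule set are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Management;

// Added example (not the thesis's code): ConnectionOptions, namespace path and
// ManagementScope (3.4.1), then one WQL query per Win32 class of Figure 9 (3.4.2),
// with the returned properties assessed against assumed rule thresholds.
public static class HealthMonitor
{
    const ulong  MinAvailableMBytes  = 256;  // assumed thresholds standing in for Figure 10
    const ushort MaxLoadPercentage   = 90;
    const ulong  MinPercentIdleTime  = 10;
    const ushort AvailabilityRunning = 3;    // CIM Availability value "Running/Full Power"

    // 3.4.1.1 to 3.4.1.3: options, path, scope.
    public static ManagementScope Connect(string server, string user, string password)
    {
        // The host running the application needs no connection options (section 3.4.1.2).
        if (string.Equals(server, Environment.MachineName, StringComparison.OrdinalIgnoreCase))
            return new ManagementScope(@"root\CIMV2");

        ConnectionOptions options = new ConnectionOptions();
        options.Username = user;        // a dedicated monitoring account, never the web client's identity
        options.Password = password;
        options.Authority = "ntlmdomain:SISMTHESIS";
        options.Authentication = AuthenticationLevel.PacketPrivacy; // sign and encrypt the DCOM traffic
        options.Impersonation = ImpersonationLevel.Impersonate;

        ManagementPath path = new ManagementPath(@"\\" + server + @"\root\CIMV2");
        ManagementScope scope = new ManagementScope(path, options);
        scope.Connect(); // ManagementException or UnauthorizedAccessException if path or credentials are wrong
        return scope;
    }

    // 3.4.2: query each class of Figure 9 and derive a status per attribute.
    public static Dictionary<string, string> Evaluate(ManagementScope scope)
    {
        Dictionary<string, string> status = new Dictionary<string, string>();

        foreach (ManagementObject o in Query(scope, "SELECT Status FROM Win32_ComputerSystem"))
            status["OS.Status"] = Rule(Text(o["Status"]) == "OK");

        foreach (ManagementObject o in Query(scope,
                 "SELECT AvailableMBytes FROM Win32_PerfFormattedData_PerfOS_Memory"))
            status["OS.AvailableMBytes"] = Rule(Convert.ToUInt64(o["AvailableMBytes"]) >= MinAvailableMBytes);

        foreach (ManagementObject o in Query(scope,
                 "SELECT DeviceID, Status, Availability, LoadPercentage FROM Win32_Processor"))
        {
            string id = "CPU." + Text(o["DeviceID"]);
            status[id + ".Status"]         = Rule(Text(o["Status"]) == "OK");
            status[id + ".Availability"]   = Rule(Convert.ToUInt16(o["Availability"]) == AvailabilityRunning);
            status[id + ".LoadPercentage"] = Rule(Convert.ToUInt16(o["LoadPercentage"]) <= MaxLoadPercentage);
        }

        foreach (ManagementObject o in Query(scope, "SELECT DeviceID, Status FROM Win32_DiskDrive"))
            status["Disk." + Text(o["DeviceID"]) + ".Status"] = Rule(Text(o["Status"]) == "OK");

        foreach (ManagementObject o in Query(scope,
                 "SELECT Name, PercentIdleTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk"))
            status["Disk." + Text(o["Name"]) + ".PercentIdleTime"] =
                Rule(Convert.ToUInt64(o["PercentIdleTime"]) >= MinPercentIdleTime);

        return status;
    }

    // Figure 14: a scope plus an ObjectQuery yields a ManagementObjectCollection.
    static ManagementObjectCollection Query(ManagementScope scope, string wql)
    {
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, new ObjectQuery(wql));
        return searcher.Get();
    }

    static string Text(object value) { return value == null ? "" : value.ToString(); }
    static string Rule(bool healthy)  { return healthy ? "Healthy" : "Degraded"; }
}
```

The caller iterates the servers listed in the connection XML of Figure 12 (SISDC, Secure, Manager), calling Connect and then Evaluate for each, and binds the returned dictionary to the Monitor Systems page.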

3.5 User Account Management

The user account management capability within InformationAccess is accomplished by using the ActiveDirectoryMembershipProvider. The ASP.Net 2.0 web.config file contains the configuration information. InformationAccess defines a connection to the Active Directory installed on SISDC within the web.config file. Additionally, the ActiveDirectoryMembershipProvider service is added to the web application through configuration settings. Figure 15 is a snapshot of InformationAccess’ web.config that implements the Active Directory connection string and the ActiveDirectoryMembershipProvider settings.

Figure 15. Active Directory Connection

3.5.1 InformationAccess User Management Capability

The user management capability implemented within InformationAccess is accomplished with the Membership and MembershipUser classes in the System.Web.Security namespace. InformationAccess’ user management functionality includes creating users, deleting users, and querying for user account details. The user interface is shown in section 9.3.1.1.

3.5.1.1 Creating Users

InformationAccess’s configuration settings implemented in the web.config file establish a connection to Active Directory on SISDC and instantiate a membership provider. A new account is established with the CreateUserWizard Server Control. A generic CreateUserWizard Server Control is depicted in Figure 16.

Figure 16. Create User Wizard Definition

3.5.1.2 Deleting Users

InformationAccess’s delete user functionality is also the beneficiary of ASP.Net web.config capabilities. User deletion is accomplished by using the Membership class and calling the method, DeleteUser. The delete user functionality is implemented by the code in Figure 17.

Figure 17. Membership Delete User

3.5.1.3 User Account Details

The user account details are retrieved in a similar manner, using the MembershipUser class. The MembershipUser class properties, listed below, are displayed on a user account details web page within InformationAccess. The user interface is depicted in Figure 54.

• Comment

• CreationDate

• Email

• IsApproved

• IsLockedOut

• IsOnline

• LastActivityDate

• LastLockoutDate

3.6 Role Based Access Control Management

The RBAC management capability within InformationAccess is accomplished by using the AuthorizationStoreRoleProvider. InformationAccess defines a connection to the Authorization Manager within the Active Directory installed on SISDC. Additionally, a roleManager service is added to the web-based application through the configuration settings. Figure 18 is a snapshot of InformationAccess’ web.config that implements the Authorization Manager connection. The Authorization Manager connection string includes the additional attributes listed below.

• Common Name (CN): SISRBACPolicies

• Domain Component (DC): SISMTHESIS

• Domain Component (DC): COM

Figure 18. Authorization Manager Connection

The additional connection string attributes are required to uniquely identify the Authorization Manager Policy Store within Active Directory that InformationAccess uses to enforce access checks prior to responding to the client.

3.6.1 InformationAccess RBAC Management Capability

The RBAC management capability implemented within InformationAccess is accomplished with the Roles classes in the System.Web.Security namespace.

InformationAccess’ RBAC management functionality includes creating roles, deleting roles, adding users to roles, querying for the users in a role, querying for all the roles defined within the system, getting all the roles for a particular user, determining if a user is in a particular role, and removing a user from a particular role.

3.6.2 Create Role

Role creation is accomplished with the Roles class by using its method CreateRole. The create role functionality is implemented by the code in Figure 19.

Figure 19. Create Role

3.6.3 Delete Role

Role deletion is accomplished by using the method DeleteRole. The delete role functionality is implemented by the code in Figure 20.

Figure 20. Delete Role

3.6.4 Add User To Role

Adding users to specific roles is accomplished by using the method AddUserToRole. The user-to-role assignment functionality is implemented by the code in Figure 21.

Figure 21. Add User To Role

3.6.5 Get Users In Role

Retrieving the users in a specific role is accomplished by using the method GetUsersInRole. The user retrieval functionality is implemented by the code in Figure 22.

Figure 22. Get Users In Role

3.6.6 Get All Roles

The Get All Roles functionality is implemented in Figure 23.

Figure 23. Get All Roles

3.6.7 Get Roles For User

Retrieving the roles for a specific user is accomplished by using the method GetRolesForUser. The role retrieval functionality is implemented by the code in Figure 24.

Figure 24. Get Roles For User

3.6.8 Is User In Role

Verifying that a user is in a specific role is accomplished by using the method IsUserInRole. The user-in-role verification functionality is implemented by the code in Figure 25.

Figure 25. Is User In Role

3.6.9 Remove User From Role

Removing a user from a specific role is accomplished by using the method RemoveUserFromRole. The functionality is implemented by the code in Figure 26.

Figure 26. Remove User From Role

Section 9.3.1.2 describes InformationAccess’ RBAC Management user interface.

3.7 Client-side Certificate Distribution

The Client-side certificate automated distribution capability is fulfilled completely by Windows 2003 Server components and configuration. See section 9.3.1.4 for the description of Certificate Services.

3.8 RBAC Policy Violation Archive

The RBAC policy violation archive capability within InformationAccess is accomplished by using the EventLog classes in the System.Diagnostics namespace.

Each web-based application, InformationAccess and InformationSharing, uses the EventLog classes to archive RBAC policy violations into the Event Log on the server SISDC.sismthesis.com.

3.8.1 Event Log Creation

Event Log creation requires an EventSourceCreationData object that contains an event source name, a log file name, and the target host name where the log file resides.

Figure 27 shows the code necessary to establish a custom log file within the EventViewer on SISDC.sismthesis.com.

Figure 27. EventViewer Log File Creation

3.8.2 Writing Event Log Entries

Figure 28 depicts the code to write an entry into a remote log file with a severity of Warning. The code establishes a connection to the appropriate log file by using the log name, machine name, and log entry source. The entry is written as a message that is categorized with a severity that can be Information, Warning, or Error.

Figure 28. Event Log Entry Creation

3.8.3 Deleting Event Log Entries

Deleting Event Log entries in the EventViewer follows a similar pattern. A connection must be established to the appropriate log file by using the log name, machine name, and log entry source. The entries are cleared once connectivity is established, as depicted in Figure 29.

Figure 29. Event Log Entry Deletion
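Sections 3.8.1 to 3.8.3 carried through with the System.Diagnostics EventLog classes, as an added example that is not the code of Figures 27 to 29: the machine name is the one the thesis uses, while the custom log name, the source name and the message layout are assumptions.

```csharp
using System;
using System.Diagnostics;

// Added example (not SIS-M's code): create, write, read and clear the custom
// RBAC violation log that both web applications keep on SISDC.sismthesis.com.
public static class ViolationArchive
{
    const string Machine = "SISDC.sismthesis.com";
    const string LogName = "SISRBACViolations";   // hypothetical custom log name
    const string Source  = "InformationAccess";   // one source per web application

    // 3.8.1: an EventSourceCreationData names the source, the log and the target
    // host; registering the source creates the log. This needs administrative
    // rights on SISDC, so do it once at deployment, not under the worker process.
    public static void EnsureLog()
    {
        if (EventLog.SourceExists(Source, Machine))
            return;
        EventSourceCreationData data = new EventSourceCreationData(Source, LogName);
        data.MachineName = Machine;
        EventLog.CreateEventSource(data);
    }

    // 3.8.2: connect by log name, machine name and source, then write a Warning.
    public static void Archive(string user, string operation, string resource)
    {
        string message = string.Format(
            "RBAC violation: user '{0}' denied '{1}' on '{2}' at {3:u}",
            user, operation, resource, DateTime.UtcNow);
        using (EventLog log = new EventLog(LogName, Machine, Source))
            log.WriteEntry(message, EventLogEntryType.Warning);
    }

    // Retrieval path behind the RBAC Violations page (the request timed in section 4.1).
    public static string[] ReadAll()
    {
        using (EventLog log = new EventLog(LogName, Machine, Source))
        {
            EventLogEntryCollection entries = log.Entries;
            string[] lines = new string[entries.Count];
            for (int i = 0; i < entries.Count; i++)
                lines[i] = entries[i].TimeGenerated.ToString("u") + " " + entries[i].Message;
            return lines;
        }
    }

    // 3.8.3: the same connection; Clear() removes every entry, so export first.
    public static void Clear()
    {
        using (EventLog log = new EventLog(LogName, Machine, Source))
            log.Clear();
    }
}
```

The worker process identity that calls Archive and ReadAll only needs write and read access to this one log on SISDC, which keeps the Trusted Subsystem account at least privilege.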

3.9 InformationSharing Web Application

A secure information sharing capability is built within the SIS-M prototype in order to effectively evaluate Authorization Manager’s policy enforcement capability. The InformationSharing web application resides on the server named Secure and requires two-way authentication prior to establishing client connections. Internet Information Services (IIS) is Secure Sockets Layer Version 3.0 compliant [18] and is used to accomplish the two-way authentication prior to establishing a secure connection with the server. Figure 30 shows the two-way authentication handshake [19].

Figure 30. IIS Two-way Authentication Handshake

A client attempting to connect to InformationSharing without a certificate receives an error message. The error message displayed is described in Figure 72.

InformationSharing defines a custom 403.7, Forbidden – Client Certificate Required, error in the IIS Management Console as shown in Figure 31.

Figure 31. Custom 403.7 Error Configuration

The purpose of the InformationSharing web-based application is to provide a user capability to read and deposit information into a common location and make information available based upon a user’s role definition. InformationSharing allows user content to be uploaded into a common location if the user has appropriate permissions. InformationSharing uses the control flow shown in Figure 32 to enforce RBAC policy compliance. Therefore, a user must have 1) a valid client-side certificate to establish connectivity, 2) a valid user account within the domain, and 3) appropriate permissions defined in Authorization Manager to accomplish any information exchanges using the InformationSharing web-based application.

Figure 32. InformationSharing Controls

InformationSharing’s Authorization Manager policy enforcement is accomplished by the code shown in Figure 33.
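The three conditions of the Figure 32 control flow checked in order before an upload is accepted, as an added example that is not the Figure 33 code: Roles is backed by the AuthorizationStoreRoleProvider configured in web.config, the role check is the IsUserInRole call of section 3.6.8, and the role name, share folder, log names and handler shape are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not the thesis's code): certificate, identity and AzMan role
// are verified in that order; refusals are archived as in section 3.8.
public static class SharingGate
{
    const string UploadRole  = "SISContributor";      // hypothetical AzMan role
    const string ShareFolder = @"D:\SISShare";         // hypothetical common location
    const string LogMachine  = "SISDC.sismthesis.com";
    const string LogName     = "SISRBACViolations";   // hypothetical custom log
    const string LogSource   = "InformationSharing";

    // Returns null when the request may proceed, otherwise the reason for refusal.
    public static string CheckUpload(HttpRequest request, IPrincipal user)
    {
        // 1) Transport: IIS already demands a client certificate (custom 403.7 otherwise);
        //    the application re-checks so a site misconfiguration cannot bypass it.
        HttpClientCertificate cert = request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid)
            return "client certificate missing or invalid";

        // 2) Identity: Forms Authentication must have produced an authenticated user.
        if (user == null || !user.Identity.IsAuthenticated)
            return "user not authenticated";

        // 3) Authorization: AzMan access check through the role provider. Forms
        //    Authentication yields no WindowsIdentity, so the name must be a full UPN (section 5.4).
        string upn = user.Identity.Name;
        if (upn.IndexOf('@') < 0)
            return "user name '" + upn + "' is not a UPN";
        if (!Roles.IsUserInRole(upn, UploadRole))
            return "user '" + upn + "' is not in role " + UploadRole;

        return null;
    }

    // Trusted Subsystem Model: the worker process, never the client, touches the share.
    public static bool HandleUpload(HttpContext ctx, HttpPostedFile file)
    {
        string reason = CheckUpload(ctx.Request, ctx.User);
        if (reason != null)
        {
            ArchiveViolation(ctx.User, reason);
            ctx.Response.StatusCode = 403;
            return false;
        }

        // Keep only the file name the client sent; any directory part is untrusted.
        string name = Path.GetFileName(file.FileName);
        string target = Path.GetFullPath(Path.Combine(ShareFolder, name));
        if (name.Length == 0 || !target.StartsWith(ShareFolder + @"\", StringComparison.OrdinalIgnoreCase))
        {
            ArchiveViolation(ctx.User, "rejected upload name '" + file.FileName + "'");
            ctx.Response.StatusCode = 400;
            return false;
        }
        file.SaveAs(target);
        return true;
    }

    // Section 3.8.2: one Warning entry per refused request in the remote custom log.
    static void ArchiveViolation(IPrincipal user, string reason)
    {
        string who = (user != null && user.Identity.IsAuthenticated) ? user.Identity.Name : "anonymous";
        using (EventLog log = new EventLog(LogName, LogMachine, LogSource))
            log.WriteEntry("RBAC violation: " + who + ": " + reason, EventLogEntryType.Warning);
    }
}
```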

Figure 33. InformationSharing RBAC Policy Check

Chapter 4

4 Performance Observations

The SIS-M prototype uses the .Net 2.0 Framework classes and other Windows components to meet the objectives of this thesis. As part of the research, performance measurements were taken to observe the HTTPS request to HTTPS response time for RBAC Violation Archive data retrieval, RBAC Management, and Health and Status Monitoring. The objective of the performance analysis was to capture the performance of the .Net 2.0 Framework classes and Windows components while accomplishing SIS-M’s InformationAccess web-based application tasks. All measurements were captured using the Wireshark [20], formerly Ethereal, network sniffer. The SIS-M performance observations decomposed the HTTPS request to HTTPS response time into four discrete measurements. The measurements were Client Request, SSL Handshake Complete, Backend Data Retrieval Complete, and Client Response.

4.1 RBAC Policy Violation Archive

The RBAC Policy Violation Archive implementation is described in section 3.8. The performance measurements observed for retrieving archive information are depicted in Figure 34. Both of SIS-M’s web-based applications, InformationAccess and InformationSharing, write RBAC Policy Violation entries into a custom Windows Event Log on the domain controller, SISDC. The objective of this measurement is to observe the performance of the Windows Event Log during a custom archive data retrieval request.

RBAC Archive Information Retrieval (seconds)

Run      Client Request  SSL Handshake Complete  RBAC Log Retrieval Complete  Client Response
Run #1   0               0.142373                1.878325                     3.029757
Run #2   0               0.039929                1.655951                     2.232192
Run #3   0               0.015794                2.371433                     2.633444
Run #4   0               0.079289                1.714269                     2.687524
Run #5   0               0.015815                1.655792                     2.295007
Average  0               0.05864                 1.855154                     2.5755848

Figure 34. RBAC Policy Violation Entry Retrieval

4.2 RBAC Management

The RBAC Management implementation is described in section 3.6. SIS-M’s web-based application, InformationAccess, accesses the Authorization Manager capabilities contained within Active Directory on SISDC to manage role membership for each user.

The objective of this measurement is to observe the performance of Authorization Manager access. The performance measurements observed for Authorization Manager are depicted in Figure 35.

RBAC Mgt Request Time (seconds)

Run      Client Request  SSL Handshake Complete  RBAC Mgt Request Complete  Client Response
Run #1   0               0.015862                0.197095                   0.847619
Run #2   0               0.01724                 0.174485                   0.848788
Run #3   0               0.066693                0.295151                   0.630357
Run #4   0               0.028176                0.196822                   0.525366
Run #5   0               0.023659                0.199299                   0.957544
Average  0               0.030326                0.2125704                  0.7619348

Figure 35. RBAC Management Request Time

4.3 Health And Status Monitoring

The Health and Status Monitoring implementation is described in section 3.4. SIS-M’s web-based application, InformationAccess, connects to each of the three Windows 2003 servers’ WMI namespaces to retrieve health and status monitoring information. The objectives of the following measurements are to observe the performance of WMI data retrieval. A set of observations with combinations of servers and WMI objects requested was taken in an attempt to trend the data. The observation sets were:

• One Server Retrieving One WMI Object

• Two Servers Retrieving One WMI Object

• Three Servers Retrieving One WMI Object

• One Server Retrieving Five WMI Objects

• Two Servers Retrieving Five WMI Objects

• Three Servers Retrieving Five WMI Objects

The following sections show the performance observations for the combinations of servers and WMI objects.

4.3.1 One Server Retrieving One WMI Object

The One Server Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespace on SISDC. The results are depicted in Figure 36.

WMI 1X1 Response Time (seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.02201                 6.91379                      7.763398
Run #2   0               0.357341                11.762104                    12.294849
Run #3   0               0.061387                6.807595                     7.069001
Run #4   0               0.020213                6.014796                     7.443219
Run #5   0               0.102926                6.945391                     7.696152
Average  0               0.1127754               7.6887352                    8.4533238

Figure 36. WMI One Server One Object Response Time

4.3.2 Two Servers Retrieving One WMI Object

The Two Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC and Secure servers. The results are depicted in Figure 37.

WMI 2X1 Response Time (seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.029248                10.685066                    10.903246
Run #2   0               0.014124                7.753585                     8.077432
Run #3   0               0.078561                8.305449                     8.716218
Run #4   0               0.043642                7.057637                     7.825997
Run #5   0               0.048526                9.740575                     10.021231
Average  0               0.0428202               8.7084624                    9.1088248

Figure 37. WMI Two Servers One Object Response Time

4.3.3 Three Servers Retrieving One WMI Object

The Three Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC, Secure, and Manager servers. The results are depicted in Figure 38.

WMI 3X1 Response Time (seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.079186                10.587262                    11.718099
Run #2   0               0.015713                8.886371                     9.500771
Run #3   0               0.04537                 7.200216                     7.984139
Run #4   0               0.0214                  7.053049                     7.628529
Run #5   0               0.061156                8.477964                     9.074975
Average  0               0.044565                8.4409724                    9.1813026

Figure 38. WMI Three Servers One Object Response Time

4.3.4 One Server Retrieving Five WMI Objects

The One Server Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespace on SISDC. The results are depicted in Figure 39.

WMI 1X5 Response Time (seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.042058                8.47447                      8.917341
Run #2   0               0.010382                6.439772                     6.835655
Run #3   0               0.030147                8.462035                     9.430691
Run #4   0               0.014877                7.484855                     7.951533
Run #5   0               0.032794                7.716972                     7.968646
Average  0               0.0260516               7.7156208                    8.2207732

Figure 39. WMI One Server Five Objects Response Time

4.3.5 Two Servers Retrieving Five WMI Objects

The Two Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC and Secure servers. The results are depicted in Figure 40.

WMI 2X5 Response Time (seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.019284                8.119123                     8.37916
Run #2   0               0.031845                7.852518                     8.396238
Run #3   0               0.043652                7.560822                     8.286355
Run #4   0               0.025252                7.851054                     8.656812
Run #5   0               0.019517                6.875842                     7.28684
Average  0               0.02791                 7.6518718                    8.201081

Figure 40. WMI Two Servers Five Objects Response Time

4.3.6 Three Servers Retrieving Five WMI Objects

The Three Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC, Secure, and Manager servers. The results are depicted in Figure 41.

WMI 3X5 Response Time (seconds)

Run      Client Request  SSL Handshake Complete  Monitor Systems Request Complete  Client Response
Run #1   0               0.062698                11.84065                          13.021709
Run #2   0               0.014455                6.847666                          8.026303
Run #3   0               0.040922                7.84767                           8.019918
Run #4   0               0.021126                8.119083                          8.692987
Run #5   0               0.04444                 6.954645                          7.008613
Average  0               0.0367282               8.3219428                         8.953906

Figure 41. WMI Three Servers Five Objects Response Time

4.3.7 Server Trend For Retrieving One WMI Object

The Server Trend For Retrieving One WMI Object observation shows the response time increase for querying one WMI Object relative to the number of WMI namespaces queried. The results are depicted in Figure 42.

Single WMI Object Response Time (seconds)

Set          Client Request  SSL Handshake Complete  WMI Object Request  Client Response
WMI 1X1 Avg  0               0.1127754               7.6887352           8.4533238
WMI 2X1 Avg  0               0.0428202               8.7084624           9.1088248
WMI 3X1 Avg  0               0.044565                8.4409724           9.1813026

Figure 42. Single WMI Object Server Trend

4.3.8 Server Trend For Retrieving Five WMI Objects

The Server Trend For Retrieving Five WMI Objects observation shows response time increase for querying five WMI Objects relative to the number of WMI namespaces queried. The results are depicted in Figure 43.

Five WMI Object Response Time (seconds)

Set          Client Request  SSL Handshake Complete  WMI Object Request  Client Response
WMI 1X5 Avg  0               0.0260516               7.7156208           8.2207732
WMI 2X5 Avg  0               0.02791                 7.6518718           8.201081
WMI 3X5 Avg  0               0.0367282               8.3219428           8.953906

Figure 43. Five WMI Objects Server Trend

Chapter 5

5 Lessons Learned

5.1 WMI Win32 Classes And CIM Schema Observations

The SIS-M research reviewed the class hierarchy between the CIM Schema classes and the inheritance used in the WMI Win32 Class definitions. The SIS-M research observed some obscure findings, as follows.

5.1.1 Win32_UserAccount

The CIM User and Security Common Model defines classes to manage:

• General contact and white pages information for organizations, organizational units and people

• “Users” of services, and the related security information to authenticate and authorize those “users”

The two classes that represent the users’ access to system resources are CIM_UsersAccess and CIM_Account [4]. However, Win32_UserAccount does not inherit from either of these two classes. Win32_UserAccount inherits from CIM_LogicalElement. Additionally, the CIM_LogicalElement class is the base class for all system components that represent abstract system components, such as profiles, processes, or system capabilities, in the form of logical devices [7].

5.1.2 Win32 Formatted Performance Statistics

The purpose of the CIM Schema Extension is to provide vendors of Enterprise Management capabilities the avenue to integrate improvements into the CIM Core and Common Models. The Win32 Formatted Performance Statistics classes used by the SIS-M prototype provided valuable information to the health and status monitoring capability within InformationAccess. The Win32 Formatted Performance Statistics classes inherit from the CIM_StatisticalInformation class and appear to be candidates for CIM Common Model Schema updates. However, the SIS-M research did not observe any of the Win32 Formatted Performance Statistics classes or an equivalent in the CIM V2.1.2 Schema.

5.2 System Health And Status

The WMI capabilities enabled the SIS-M prototype to achieve health and status monitoring of distributed systems. Defining appropriate user account credentials for access to the remote servers’ WMI namespaces is the key to effectively retrieving valuable management information. Inaccurately defined user access credentials result in an obscure TargetInvocationException that is extremely difficult to troubleshoot.

5.3 User Account Management

The ActiveDirectoryMembershipProvider, the Membership, and MembershipUser classes combined with ASP.Net 2.0 capability provide a solution to accomplish remote User Account Management. However, the more complex user management functionality does not currently exist. Therefore, an administrator must use the Active Directory Users and Computers Management Console to add or remove groups and to change user group assignments.

5.4 RBAC Management

The AuthorizationStoreRoleProvider is a wrapper around a subset of the functionality available in Authorization Manager [8]. Therefore, the AzMan capability is not completely supported through the ASP.Net services and some Membership methods throw a NotSupportedException. Also, the SIS-M prototype user accounts must be of the User Principal Name (UPN) format @domain.com for AzMan to effectively apply access policy. The ASP.Net Forms Authentication, which is used in the SIS-M prototype, does not create a WindowsIdentity. Therefore, AzMan requires the full UPN to look up user groups, permissions, and roles.

5.5 Client-side Certificate Distribution

The Client-side certificate distribution capability is accomplished by the installation and configuration of Windows 2003 Server components. Specifically, an Enterprise Certificate Authority (CA) integrated with Active Directory automatically fulfills client requests for certificates and installs the certificate within the remote system. However, Public Key Infrastructure (PKI) Best Practices state that Root CAs should never be connected to the network, to raise the security level of the CA’s private key [17]. A PKI in most cases should be architected with an offline Root CA, one or more offline Intermediate CAs, and one or more networked Issuing Enterprise CAs.

Chapter 6

6 Future Research

6.1 Update SIS-M Architecture To Include A UNIX Server

The CIM and WBEM standards are being developed to guide Enterprise Management capabilities in heterogeneous enterprises. Therefore, the SIS-M prototype could be updated to include a UNIX server and an alternative CIM implementation to assess platform interoperability using two CIM and WBEM compliant implementations.

6.2 Update The SIS-M Prototype To The .Net 3.0 Framework

As identified in Section 5, Lessons Learned, some functionality in the .Net 2.0 Framework and ASP.Net 2.0 is not fully implemented and throws a NotImplementedException. The SIS-M Prototype could be updated to evaluate additional functionality in the next evolution of the .Net Framework and ASP.Net.

6.3 Certificate Authority Architecture

As stated in section 5, a PKI in most cases should be architected with an offline Root CA, one or more offline Intermediate CAs, and one or more networked Issuing Enterprise CAs. Therefore a more robust CA architecture should be integrated in the SIS-M prototype to assess and validate automated Client-side certificate distribution from an Issuing CA. Additionally, Certificate Services Web Enrollment pages can be customized by modifying certificate templates.

6.4 Implement Client-side Certificate Mapping

The SIS-M prototype uses Forms Authentication and Authorization Manager to determine identity, authenticate the user, and authorize access. One-to-One certificate mapping can be used to authenticate users and grant or deny access to Web resources. Therefore, the SIS-M prototype can be updated to evaluate the certificate mapping functionality and assess the performance of both approaches to determining identity, authenticating users, and authorizing access.

Chapter 7

7 Conclusion

The SIS-M research and prototype enabled 1) system health monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services.

7.1 System Health And Status Monitoring

The WMI capabilities provide sufficient information to create a health and status monitoring capability. However, as mentioned in Section 5.1.1, the WMI Win32 Classes do not always inherit from the CIM Schema classes expected. The SIS-M research believes one reason for the observation may be that the cost of integrating a standard into an existing product line could be prohibitive and not provide sufficient return on investment in the marketplace.

7.2 User Account Management

The user account management functionality satisfied the objectives for the SIS-M prototype and may be usable in a small enterprise setting. However, remote user account management does not currently have the fidelity to manage enterprises with many users. Therefore, the Active Directory Users & Computer application is still required to provide robust account management.

7.3 RBAC Management

SIS-M research concluded that AzMan addresses the five elements of the CORE RBAC Standard using the AzMan elements and capabilities identified in Table 2. SIS-M research also concluded that AzMan addresses the three key RBAC components by utilizing the Authorization Manager Management Console for PAP, BizRules for PDP, and the AuthorizationStoreRoleProvider and the Roles class for PEP.
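As an added illustration of how the PAP/PDP/PEP split in Section 7.3 and the Active Directory Membership Provider of Section 7.2 are wired together in ASP.Net 2.0, the web.config fragment below is example configuration written for this appendix, not the SIS-M prototype's own web.config. The policy store location, the LDAP path, the application name, the page name and the timeout values are assumptions and must be replaced with the site's real values.

```xml
<!-- Added example web.config fragment (not from the SIS-M prototype).
     The connection strings, application name and page name are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Active Directory used by the membership provider (user account management).
         Host name and DN are placeholders for the SISMTHESIS domain. -->
    <add name="AdConnection"
         connectionString="LDAP://sisdc.sismthesis.local/DC=sismthesis,DC=local" />
    <!-- AzMan policy store in Active Directory. The Authorization Manager console (PAP)
         edits this store; the role provider below reads it. An XML file store would be
         written as msxml://~/App_Data/SISM-AzMan.xml instead. The worker process
         identity needs reader access to the store. -->
    <add name="AzManStore"
         connectionString="msldap://CN=SISM,CN=Program Data,DC=sismthesis,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- Forms Authentication: the ticket is encrypted and signed and only sent over SSL. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true"
             slidingExpiration="false" timeout="20" />
    </authentication>

    <!-- User accounts come from Active Directory (Section 7.2). -->
    <membership defaultProvider="AdMembership">
      <providers>
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdConnection"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

    <!-- PEP: the Roles class asks this provider, which evaluates the AzMan store (PDP,
         including BizRules attached to tasks). Roles are not cached in a cookie so a
         change made in the console takes effect after cacheRefreshInterval minutes. -->
    <roleManager enabled="true" defaultProvider="AzManRoleProvider" cacheRolesInCookie="false">
      <providers>
        <add name="AzManRoleProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AzManStore"
             applicationName="InformationAccess"
             cacheRefreshInterval="60" />
      </providers>
    </roleManager>

    <!-- Deny anonymous users everywhere; authenticated users are further restricted per page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-resource rule: only members of SiteAdministrator reach a management page. -->
  <location path="ManageUsers.aspx">
    <system.web>
      <authorization>
        <allow roles="SiteAdministrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this configuration the `<location>` rule is evaluated by the UrlAuthorizationModule on every request, so a user who is authenticated but not in SiteAdministrator never reaches the page's code-behind; the code-level checks with Roles.IsUserInRole remain useful for decisions that depend on data inside the page, such as which role a user selected.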

7.4 Client-side Certificate Distribution

The certificate services component within Windows 2003 Server achieved all the functionality required in the SIS-M prototype to remotely distribute and automatically install client-side certificates to new users upon request. The SIS-M prototype instantiated only one networked CA; this research believes a PKI architecture with a Standalone Root CA, isolated Intermediate CAs, and Enterprise Issuing CAs is required to verify the automated remote distribution of client-side certificates within a more robust architecture.

7.5 Performance Observations

The SIS-M prototype uses the .Net 2.0 Framework classes and other Windows components to meet the objectives of this thesis. The objective of the performance analysis was to capture the performance of the .Net 2.0 Framework classes and Windows components while accomplishing SIS-M's InformationAccess web-based application tasks. Multiple performance observations were captured for WMI Object retrieval analysis. The SIS-M WMI performance results, described in Section 4.3.7, show a 7.9% increase in HTTPS response time when querying for one WMI Object when executing the WMI query on the three servers, SISDC, Secure, and Manager. The performance results, described in Section 4.3.8, show an 8.1% increase in HTTPS response time when querying for five WMI Objects when executing the WMI queries on the three servers. Section 4 describes the performance observation measurements.

9 APPENDIX A: Developer / User Guide

The Developer / User Guide information in this appendix is intended to provide additional information to users and developers for extending the research accomplished during the SIS-M prototype development. The appendix includes information about the SIS-M prototype development environment and the SIS-M prototype user interface.

9.1 The SIS-M Prototype Environment

The SIS-M prototype environment resides within VMware Server, version 1.0.1. The architecture implemented for the SIS-M prototype is discussed in Section 3.3. The SIS-M prototype is developed using three Windows 2003 Servers. Each of the servers runs Windows 2003 Server Enterprise Edition, Service Pack 1. All SIS-M prototype software is written in C#, ASP.Net, and HTML. The Integrated Development Environment (IDE) used to develop and debug the InformationAccess and InformationSharing web-based applications is Visual Studio (VS) 2005. The InformationAccess project resides on the server named Manager and the VS2005 Start Page is depicted in Figure 44. The InformationSharing project resides on the server named Secure.

Figure 44. InformationAccess VS2005 Start Page

Both InformationAccess and InformationSharing execute within Internet Information Services (IIS) 6.0. Therefore, the IIS Management Console is used for all the configuration settings for the two web-based applications. The IIS Management Console depicting InformationSharing is shown in Figure 45.

Figure 45. InformationSharing IIS Management Console

Note that all three servers and at least one Windows XP client (SISCLI or SISMCLI) must be executing for the SIS-M prototype to be completely functional. The web applications can be accessed by the URIs specified below. The InformationSharing web-based application returns a 403.7 Forbidden – Client Certificate Required error page unless a certificate from the server named Secure is already installed in Internet Explorer.

• InformationAccess URI: https://Manager/InformationAccess

• InformationSharing URI: https://Secure/InformationSharing

9.2 SIS-M Prototype Administration

SIS-M prototype administration occurs on the Secure Information Sharing Domain Controller (SISDC) server. The Active Directory Users and Computers Management Console is depicted in Figure 46 and was used routinely to manipulate user account information within the SISMTHESIS domain.

Figure 46. SISDC Active Directory Users and Computers

Additionally, the Authorization Manager Management Console (AzMan) was used to manipulate the roles, operations, and tasks authorized for each user. AzMan, shown in Figure 47, is invoked as depicted in Figure 48.

Figure 47. SISDC AzMan Console

Figure 48. Starting The AzMan Console

9.3 The InformationAccess Application

Entrance into the InformationAccess web-based application is achieved only by logging in with valid user credentials, and the user attempting to gain access must be a member of the SiteAdministrator Role. The login page for InformationAccess is depicted in Figure 49.

Figure 49. InformationAccess Login Page

SiteAdministrator users can log in to InformationAccess and see the default page shown in Figure 50. Only users that are assigned to the SiteAdministrator role are able to access the Manage Users, Manage RBAC, RBAC Violations, and Monitor Systems resources identified in the Navigation sidebar.

Figure 50. InformationAccess Default Page

A user attempting to log in to InformationAccess that is not part of the SiteAdministrator Role will immediately be logged out and have the session terminated. Additionally, an RBAC Policy Violation entry will be generated and stored in the Event Log as explained in Section 9.4.

9.3.1 The InformationAccess SiteAdministrator Role

SiteAdministrator role membership is required to access the Manage Users, Manage RBAC, RBAC Violations, and Monitor Systems resources within InformationAccess. The following sections identify InformationAccess' remote management capabilities.

9.3.1.1 Manage Users Capability

The Manage Users capability, shown in Figure 51, includes functionality to create users (Figure 52), delete users (Figure 53), and query for user account details (Figure 54).

Figure 51. InformationAccess Manage Users

Figure 52. InformationAccess Create User

Figure 53. InformationAccess Delete User

Figure 54. InformationAccess User Account Details Query Result

9.3.1.2 Manage RBAC Capability

The Manage RBAC capability, shown in Figure 55, provides the users within the SiteAdministrator role the functionality to create roles (Figure 56), delete roles (Figure 57), add users to roles (Figure 58), query for users in roles (Figure 59), query for all the roles defined within the system (Figure 60), get all the roles for a particular user (Figure 61), determine if a user is in a particular role (Figure 62), and remove a user from a particular role (Figure 63).

Figure 55. InformationAccess Manage RBAC

Figure 56. InformationAccess Create Role

Figure 57. InformationAccess Delete Role

Figure 58. InformationAccess Add User To Role

Figure 59. InformationAccess Get Users In Role

Figure 60. InformationAccess Get All Roles

Figure 61. InformationAccess Get Roles For User

Figure 62. InformationAccess Is User In Role

Figure 63. InformationAccess Remove User From Role

9.3.1.3 Monitor Systems Capability

The Monitor Systems capability, available to users in the SiteAdministrator role, evaluates WMI Win32 Class attribute values against a SIS-M implemented rule set to determine a status for each monitored system. The resulting status of the attribute analysis is displayed in the InformationAccess web-based application user interface, Figure 64.

Figure 64. InformationAccess Monitor Systems
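The following C# program is an added example for this appendix, not code from the SIS-M prototype, showing the pattern the Monitor Systems capability describes: Win32 class attributes are retrieved through System.Management from each server and evaluated against a small rule set to produce a status. The two rules (free space on the C: volume and the state of the W3SVC service), the thresholds, and the status scale are assumptions; the server names are the three SIS-M servers. It runs as the calling user, so the target's DCOM and WMI namespace permissions apply.

```csharp
// Added example (not SIS-M prototype code): WMI attribute values evaluated
// against a rule set to derive a health status. Thresholds, the watched
// service and the status scale are assumptions for illustration.
using System;
using System.Management;

namespace SismExample
{
    // Ordered so that a higher value is a worse status; Unknown means no usable data came back.
    public enum HealthStatus { Unknown = 0, Green = 1, Yellow = 2, Red = 3 }

    public static class SystemMonitor
    {
        // Assumed thresholds on the percentage of free disk space.
        const double DiskYellowPercent = 20.0;
        const double DiskRedPercent = 10.0;

        // Rule for Win32_LogicalDisk: FreeSpace and Size are uint64 in WMI and arrive boxed as UInt64.
        public static HealthStatus EvaluateDisk(ManagementBaseObject disk)
        {
            if (disk["FreeSpace"] == null || disk["Size"] == null) return HealthStatus.Unknown;
            ulong free = (ulong)disk["FreeSpace"];
            ulong size = (ulong)disk["Size"];
            if (size == 0) return HealthStatus.Unknown;
            double pct = 100.0 * free / size;
            if (pct < DiskRedPercent) return HealthStatus.Red;
            if (pct < DiskYellowPercent) return HealthStatus.Yellow;
            return HealthStatus.Green;
        }

        // Rule for Win32_Service: State is "Running", "Stopped", "Start Pending", "Stop Pending", etc.
        public static HealthStatus EvaluateService(ManagementBaseObject svc)
        {
            string state = svc["State"] as string;
            if (state == null) return HealthStatus.Unknown;
            if (state == "Running") return HealthStatus.Green;
            if (state.EndsWith("Pending")) return HealthStatus.Yellow;
            return HealthStatus.Red;
        }

        // Runs one WQL query against \\server\root\cimv2 and returns the worst status
        // over the objects returned (Unknown when the query returns nothing).
        public static HealthStatus Check(string server, string wql,
                                         Converter<ManagementBaseObject, HealthStatus> rule)
        {
            ManagementScope scope = new ManagementScope(@"\\" + server + @"\root\cimv2");
            scope.Connect();   // connects as the caller; the target's DCOM and WMI namespace ACLs apply
            HealthStatus worst = HealthStatus.Unknown;
            using (ManagementObjectSearcher searcher =
                       new ManagementObjectSearcher(scope, new ObjectQuery(wql)))
            {
                foreach (ManagementObject o in searcher.Get())
                {
                    HealthStatus s = rule(o);
                    if (s > worst) worst = s;
                    o.Dispose();
                }
            }
            return worst;
        }

        public static void Main()
        {
            // The three SIS-M servers from Section 9.1.
            string[] servers = { "SISDC", "Secure", "Manager" };
            foreach (string server in servers)
            {
                try
                {
                    HealthStatus disk = Check(server,
                        "SELECT FreeSpace, Size FROM Win32_LogicalDisk WHERE DeviceID = 'C:'",
                        EvaluateDisk);
                    HealthStatus web = Check(server,
                        "SELECT Name, State FROM Win32_Service WHERE Name = 'W3SVC'",
                        EvaluateService);
                    Console.WriteLine("{0}: disk={1} iis={2}", server, disk, web);
                }
                catch (ManagementException ex)
                {
                    Console.WriteLine("{0}: WMI error: {1}", server, ex.Message);
                }
                catch (UnauthorizedAccessException ex)
                {
                    Console.WriteLine("{0}: access denied: {1}", server, ex.Message);
                }
                catch (System.Runtime.InteropServices.COMException ex)
                {
                    Console.WriteLine("{0}: RPC/DCOM error: {1}", server, ex.Message);
                }
            }
        }
    }
}
```

Each rule is a delegate over the returned object rather than a single property, so a rule can combine attributes (FreeSpace against Size) and treat a missing value as Unknown instead of failing; the three catch clauses separate a WMI-level failure, a permission failure, and an unreachable server, which are the three conditions a monitoring page should report differently.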

9.3.1.4 Obtain Client-side Certificate

The SIS-M prototype automated remote client-side certificate distribution is accomplished by utilizing Windows 2003 Server components and Certificate Services. The CertSrv web-based application has configuration attributes available in the IIS Management Console. The SIS-M prototype requires a valid user account in the SISMTHESIS domain prior to requesting a client-side certificate from the server named Secure. The Enter Network Password dialog box is depicted in Figure 65.

Figure 65. CertSrv Password Protection

The Certificate Services Welcome page, shown in Figure 66, is presented to the authenticated user requesting a client-side certificate.

Figure 66. Certificate Services Welcome Page

The authenticated user selects the Request a certificate link and Figure 67 is displayed.

Figure 67. Certificate Services Request A Certificate Page

The authenticated user selects the User Certificate link and Figure 68 is displayed. No additional identifying information is required because the user is authenticated within the SISMTHESIS domain.

Figure 68. Certificate Services User Certificate Request Submission

The action of selecting the submission button results in a client-side certificate being issued to the user as shown in Figure 69.

Figure 69. Certificate Services Issued Certificate

The selection of the Install this certificate link results in a successful installation dialog box as shown in Figure 70. The user now has all the appropriate information to access the InformationSharing web-based application. However, the current browser session must be restarted before attempting to reconnect with InformationSharing, and an InformationAccess user with SiteAdministrator permissions must allocate the new user into the appropriate roles.

Figure 70. Certificate Services Successful Certificate Installation

9.4 RBAC Policy Violation Archive

The RBAC Policy Violation Archive supports the RBAC Management capability within InformationAccess by providing users in the SiteAdministrator role the ability to view attempted accesses by unauthorized users. Only users belonging to the SiteAdministrator role are able to log into InformationAccess. All other users attempting to log into InformationAccess create an RBAC Policy Violation Log entry and the session is immediately terminated. InformationSharing logs all user attempts to access or upload information without appropriate permissions. The RBAC Policy Violation Archive is depicted in Figure 71.

Figure 71. RBAC Policy Violation Log

9.5 The InformationSharing Application

Accessing the InformationSharing resource and resources within the web-based application is accomplished in three steps.

• Creating an account through InformationAccess.

• Obtaining and installing a Client-side certificate from Certificate Services at the URI https://Secure/CertSrv.

• Requesting and receiving membership enrollment by an InformationAccess SiteAdministrator.

InformationSharing returns an error page, shown in Figure 72, if the client attempting to gain access does not have a Client-side certificate installed.

Figure 72. InformationSharing Client-side Certificate Error

The user must authenticate against the SISMTHESIS domain by using InformationSharing's login page, Figure 73.

Figure 73. InformationSharing Login Page

An authenticated user is presented with InformationSharing's default page, Figure 74, to request access to information contained within Authorization Manager's defined roles. Note that not all roles available in Authorization Manager are presented to the user. By design, the SiteAdministrator role and the ReadOnly roles are not depicted. Any user that is in a ReadOnly role still must request access to the information by using the role (Executive, Manager, etc.) displayed in the selection list.

Figure 74. InformationSharing Default Page

Each of the roles displayed in the selection list maps to a storage location for information available in that role only. Therefore, a user must be a member of more than one role to obtain access to more than one storage location. After the user selects a role, the information available in that role's storage area is presented to the user, Figure 75.

Figure 75. InformationSharing Access Secure Information Page

An RBAC Policy Violation Error Page is presented to the user if they are not a member of the role selected, as depicted in Figure 76.

Figure 76. InformationSharing RBAC Policy Violation

A user that obtained access to a selected storage location based upon role selection may download files by selecting the Download File button. Additionally, a user with appropriate permissions can upload files into the storage location by selecting the File Upload button, shown in Figure 77 and Figure 78.

Figure 77. InformationSharing File Upload Page

Figure 78. InformationSharing File Upload Browser
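The C# below is an added example written for this appendix, not code from the SIS-M prototype, covering the two enforcement points described in Sections 9.3, 9.4 and 9.5: the InformationAccess login that terminates the session and records an RBAC Policy Violation in the Event Log when the user is not a SiteAdministrator, and the InformationSharing mapping from a selected role to its storage location with the download and upload checks. The event source name, the storage paths, the role names other than SiteAdministrator, and the "<Role>ReadOnly" naming convention are assumptions.

```csharp
// Added example (not SIS-M prototype code): RBAC policy enforcement points
// for InformationAccess and InformationSharing using the ASP.Net 2.0 Roles
// class (backed by AuthorizationStoreRoleProvider) and the Event Log.
// Event source name, storage paths and role names are assumptions.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace SismExample
{
    public static class RbacAudit
    {
        // Assumed event source. Register it once at install time (EventLog.CreateEventSource)
        // because creating a source needs rights the ASP.Net worker process should not have.
        const string Source = "SIS-M RBAC";

        public static void LogViolation(string user, string application, string resource)
        {
            string client = HttpContext.Current != null
                ? HttpContext.Current.Request.UserHostAddress : "n/a";
            string msg = string.Format(
                "RBAC policy violation: user '{0}' attempted '{1}' in {2} from {3} at {4:u}",
                user, resource, application, client, DateTime.UtcNow);
            EventLog.WriteEntry(Source, msg, EventLogEntryType.Warning, 1001);
        }
    }

    // InformationAccess Login.aspx code-behind: wire Login1.LoggedIn to this handler.
    public partial class InformationAccessLogin : Page
    {
        protected void Login1_LoggedIn(object sender, EventArgs e)
        {
            string user = ((Login)sender).UserName;
            if (Roles.IsUserInRole(user, "SiteAdministrator"))
                return;                               // normal redirect to the default page follows

            // Not a site administrator: record the violation, drop the ticket, end the session.
            RbacAudit.LogViolation(user, "InformationAccess", "login");
            FormsAuthentication.SignOut();
            Session.Abandon();
            Response.Redirect("~/Login.aspx?denied=1", true);
        }
    }

    // InformationSharing: each role maps to exactly one storage root. The map is a fixed
    // table, so the role name chosen in the list never becomes part of a file system path.
    public static class RoleStorage
    {
        static readonly Dictionary<string, string> Roots =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

        static RoleStorage()
        {
            Roots["Executive"] = @"D:\SecureStore\Executive";   // assumed locations
            Roots["Manager"] = @"D:\SecureStore\Manager";
        }

        // Roles shown in the selection list: all roles except SiteAdministrator and ReadOnly roles.
        public static List<string> SelectableRoles()
        {
            List<string> shown = new List<string>();
            foreach (string r in Roles.GetAllRoles())
                if (r != "SiteAdministrator" && !r.EndsWith("ReadOnly", StringComparison.OrdinalIgnoreCase))
                    shown.Add(r);
            return shown;
        }

        // Files the user may download, or null (after logging) when the user is not in the role.
        public static string[] ListFiles(string user, string role)
        {
            string root;
            if (!Roots.TryGetValue(role, out root) || !Roles.IsUserInRole(user, role))
            {
                RbacAudit.LogViolation(user, "InformationSharing", "access role " + role);
                return null;
            }
            return Directory.GetFiles(root);
        }

        // Upload requires membership in the role and not only in its ReadOnly counterpart
        // (the "<Role>ReadOnly" naming is an assumption).
        public static bool CanUpload(string user, string role)
        {
            return Roots.ContainsKey(role)
                && Roles.IsUserInRole(user, role)
                && !Roles.IsUserInRole(user, role + "ReadOnly");
        }

        public static bool SaveUpload(string user, string role, FileUpload upload)
        {
            if (!upload.HasFile || !CanUpload(user, role))
            {
                RbacAudit.LogViolation(user, "InformationSharing", "upload to role " + role);
                return false;
            }
            // Keep only the file name so a client-supplied path cannot escape the role's root.
            string name = Path.GetFileName(upload.FileName);
            upload.SaveAs(Path.Combine(Roots[role], name));
            return true;
        }
    }
}
```

The role check is repeated at the point of use (ListFiles and SaveUpload) rather than trusting the selection list, because the list only reflects what the user was shown; the decision itself always comes from the AzMan store through Roles.IsUserInRole, and every denial produces the Event Log entry the RBAC Policy Violation Archive displays.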