Secure Information Sharing Manager

<p>SECURE INFORMATION SHARING MANAGER</p><p>by</p><p>STEPHEN D. WISE</p><p>A thesis submitted to the Graduate Faculty of the University of Colorado at Colorado Springs in partial fulfillment of the requirements for the degree of Master of Science, Department of Computer Science, 2007</p><p>© Copyright By Stephen D. Wise 2007. All Rights Reserved.</p><p>This thesis for the M.S. of Computer Science degree by Stephen D. Wise has been approved for the Department of Computer Science by Dr. C. Edward Chow (Chair), Dr. Jugal K. Kalita, and Dr. Xiaobo Zhou.</p><p>Wise, Stephen D. (M.S., Computer Science)</p><p>Secure Information Sharing Manager</p><p>Thesis directed by Professor C. Edward Chow</p><p>The Secure Information Sharing Manager (SIS-M) prototype is an extension of the research accomplished for Secure Information Sharing Using Attribute Certificates and Role Based Access Control [1]. The SIS-M research emphasis is to prototype an Enterprise Management capability based upon Web Based Enterprise Management (WBEM) standards developed by the Distributed Management Task Force (DMTF). The SIS-M prototype utilizes the .NET 2.0 Framework and other components (ASP.Net 2.0, Internet Information Services (IIS) 6.0, Active Directory (AD), Certificate Services, and Windows Management Instrumentation (WMI)) to accomplish remote administration tasks in a web-based architecture. The research tasks are to enable 1) system health and status monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services. 
The SIS-M implementation, built within VMware Server Version 1.0.1, includes three Windows 2003 Servers to provide the WBEM and Secure Information Sharing (SIS) capabilities and two Windows XP clients that simulate external users that require access to the SIS-M or SIS websites for either remote site administration or remote information sharing.</p>
<p>CONTENTS</p>
<ul>
<li>1 Introduction</li>
<li>1.1 Enterprise Management</li>
<li>1.1.1 The Distributed Management Task Force</li>
<li>1.1.2 The CIM and WBEM Standards</li>
<li>1.2 Role Based Access Control</li>
<li>1.2.1 The Organization for the Advancement of Structured Information Standards</li>
<li>1.2.2 RBAC Standards</li>
<li>1.2.3 Document Organization</li>
<li>2 SIS-M Architecture Research</li>
<li>2.1 WBEM Architecture</li>
<li>2.2 SIS-M WBEM Implementation</li>
<li>2.3 SIS-M User Account Management Implementation</li>
<li>2.4 SIS-M RBAC Implementation</li>
<li>2.5 SIS-M Client-side Certificate Distribution Implementation</li>
<li>2.6 SIS-M Architecture Description</li>
<li>3 SIS-M Implementation</li>
<li>3.1 SIS-M Server and Client Specifications</li>
<li>3.2 Virtual Network Topology</li>
<li>3.3 SIS-M Architecture</li>
<li>3.3.1 The Domain Controller</li>
<li>3.3.2 The Management Server</li>
<li>3.3.3 The Secure Information Server</li>
<li>3.4 System Health and Status Monitoring</li>
<li>3.4.1 Establishing WMI Namespace Connectivity</li>
<li>3.4.1.1 WMI Connection Options</li>
<li>3.4.1.2 Building A WMI Namespace Path</li>
<li>3.4.1.3 Instantiating WMI Management Scope</li>
<li>3.4.2 Building And Executing A WMI Query</li>
<li>3.5 User Account Management</li>
<li>3.5.1 InformationAccess User Management Capability</li>
<li>3.5.1.1 Creating Users</li>
<li>3.5.1.2 Deleting Users</li>
<li>3.5.1.3 User Account Details</li>
<li>3.6 Role Based Access Control Management</li>
<li>3.6.1 InformationAccess RBAC Management Capability</li>
<li>3.6.2 Create Role</li>
<li>3.6.3 Delete Role</li>
<li>3.6.4 Add User To Role</li>
<li>3.6.5 Get Users In Role</li>
<li>3.6.6 Get All Roles</li>
<li>3.6.7 Get Roles For User</li>
<li>3.6.8 Is User In Role</li>
<li>3.6.9 Remove User From Role</li>
<li>3.7 Client-side Certificate Distribution</li>
<li>3.8 RBAC Policy Violation Archive</li>
<li>3.8.1 Event Log Creation</li>
<li>3.8.2 Writing Event Log Entries</li>
<li>3.8.3 Deleting Event Log Entries</li>
<li>3.9 InformationSharing Web Application</li>
<li>4 Performance Observations</li>
<li>4.1 RBAC Policy Violation Archive</li>
<li>4.2 RBAC Management</li>
<li>4.3 Health And Status Monitoring</li>
<li>4.3.1 One Server Retrieving One WMI Object</li>
<li>4.3.2 Two Servers Retrieving One WMI Object</li>
<li>4.3.3 Three Servers Retrieving One WMI Object</li>
<li>4.3.4 One Server Retrieving Five WMI Objects</li>
<li>4.3.5 Two Servers Retrieving Five WMI Objects</li>
<li>4.3.6 Three Servers Retrieving Five WMI Objects</li>
<li>4.3.7 Server Trend For Retrieving One WMI Object</li>
<li>4.3.8 Server Trend For Retrieving Five WMI Objects</li>
<li>5 Lessons Learned</li>
<li>5.1 WMI Win32 Classes And CIM Schema Observations</li>
<li>5.1.1 Win32_UserAccount</li>
<li>5.1.2 Win32 Formatted Performance Statistics</li>
<li>5.2 System Health And Status</li>
<li>5.3 User Account Management</li>
<li>5.4 RBAC Management</li>
<li>5.5 Client-side Certificate Distribution</li>
<li>6 Future Research</li>
<li>6.1 Update SIS-M Architecture To Include A UNIX Server</li>
<li>6.2 Update The SIS-M Prototype To The .Net 3.0 Framework</li>
<li>6.3 Certificate Authority Architecture</li>
<li>6.4 Implement Client-side Certificate Mapping</li>
<li>7 Conclusion</li>
<li>7.1 System Health And Status Monitoring</li>
<li>7.2 User Account Management</li>
<li>7.3 RBAC Management</li>
<li>7.4 Client-side Certificate Distribution</li>
<li>7.5 Performance Observations</li>
<li>8 Bibliography</li>
<li>9 APPENDIX A: Developer / User Guide</li>
<li>9.1 The SIS-M Prototype Environment</li>
<li>9.2 SIS-M Prototype Administration</li>
<li>9.3 The InformationAccess Application</li>
<li>9.3.1 The InformationAccess SiteAdministrator Role</li>
<li>9.3.1.1 Manage Users Capability</li>
<li>9.3.1.2 Manage RBAC Capability</li>
<li>9.3.1.3 Monitor Systems Capability</li>
<li>9.3.1.4 Obtain Client-side Certificate</li>
<li>9.4 RBAC Policy Violation Archive</li>
<li>9.5 The InformationSharing Application</li>
</ul>
<p>TABLES</p>
<ul>
<li>Table 1. SIS-M WBEM Implementation Survey Results</li>
<li>Table 2. Authorization Manager RBAC Elements</li>
<li>Table 3. SIS-M Virtual Machine Specifications</li>
</ul>
<p>FIGURES</p>
<ul>
<li>Figure 1. DMTF Technology Diagram</li>
<li>Figure 2. Summary WBEM Architecture</li>
<li>Figure 3. WBEM Implementation Evaluation</li>
<li>Figure 4. WMI Architecture</li>
<li>Figure 5. SIS-M Virtual Network Topology</li>
<li>Figure 6. The Trusted Subsystem Model</li>
<li>Figure 7. Summary Architecture</li>
<li>Figure 8. WMI Tiers</li>
<li>Figure 9. Server Health And Status Attributes</li>
<li>Figure 10. Health And Status Rules</li>
<li>Figure 11. SIS-M WMI Connection Creation</li>
<li>Figure 12. SIS-M WMI Connection Attributes</li>
<li>Figure 13. SIS-M WMI Query Objects</li>
<li>Figure 14. WMI Query Execution</li>
<li>Figure 15. Active Directory Connection</li>
<li>Figure 16. Create User Wizard Definition</li>
<li>Figure 17. Membership Delete User</li>
<li>Figure 18. Authorization Manager Connection</li>
<li>Figure 19. Create Role</li>
<li>Figure 20. Delete Role</li>
<li>Figure 21. Add User To Role</li>
<li>Figure 22. Get Users In Role</li>
<li>Figure 23. Get All Roles</li>
<li>Figure 24. Get Roles For User</li>
<li>Figure 25. Is User In Role</li>
<li>Figure 26. Remove User From Role</li>
<li>Figure 27. EventViewer Log File Creation</li>
<li>Figure 28. Event Log Entry Creation</li>
<li>Figure 29. Event Log Entry Deletion</li>
<li>Figure 30. IIS Two-way Authentication Handshake</li>
<li>Figure 31. Custom 403.7 Error Configuration</li>
<li>Figure 32. InformationSharing Controls</li>
<li>Figure 33. InformationSharing RBAC Policy Check</li>
<li>Figure 34. RBAC Policy Violation Entry Retrieval</li>
<li>Figure 35. RBAC Management Request Time</li>
<li>Figure 36. WMI One Server One Object Response Time</li>
<li>Figure 37. WMI Two Servers One Object Response Time</li>
<li>Figure 38. WMI Three Servers One Object Response Time</li>
<li>Figure 39. WMI One Server Five Objects Response Time</li>
<li>Figure 40. WMI Two Servers Five Objects Response Time</li>
<li>Figure 41. WMI Three Servers Five Objects Response Time</li>
<li>Figure 42. Single WMI Object Server Trend</li>
<li>Figure 43. Five WMI Objects Server Trend</li>
<li>Figure 44. InformationAccess VS2005 Start Page</li>
<li>Figure 45. InformationSharing IIS Management Console</li>
<li>Figure 46. SISDC Active Directory Users and Computers</li>
<li>Figure 47. SISDC AzMan Console</li>
<li>Figure 48. Starting The AzMan Console</li>
<li>Figure 49. InformationAccess Login Page</li>
<li>Figure 50. InformationAccess Default Page</li>
<li>Figure 51. InformationAccess Manage Users</li>
<li>Figure 52. InformationAccess Create User</li>
<li>Figure 53. InformationAccess Delete User</li>
<li>Figure 54. InformationAccess User Account Details Query Result</li>
<li>Figure 55. InformationAccess Manage RBAC</li>
<li>Figure 56. InformationAccess Create Role</li>
<li>Figure 57. InformationAccess Delete Role</li>
<li>Figure 58. InformationAccess Add User To Role</li>
<li>Figure 59. InformationAccess Get Users In Role</li>
<li>Figure 60. InformationAccess Get All Roles</li>
<li>Figure 61. InformationAccess Get Roles For User</li>
<li>Figure 62. InformationAccess Is User In Role</li>
<li>Figure 63. InformationAccess Remove User From Role</li>
<li>Figure 64. InformationAccess Monitor Systems</li>
<li>Figure 65. CertSrv Password Protection</li>
<li>Figure 66. Certificate Services Welcome Page</li>
<li>Figure 67. Certificate Services Request A Certificate Page</li>
<li>Figure 68. Certificate Services User Certificate Request Submission</li>
<li>Figure 69. Certificate Services Issued Certificate</li>
<li>Figure 70. Certificate Services Successful Certificate Installation</li>
<li>Figure 71. RBAC Policy Violation Log</li>
<li>Figure 72. InformationSharing Client-side Certificate Error</li>
<li>Figure 73. InformationSharing Login Page</li>
<li>Figure 74. InformationSharing Default Page</li>
<li>Figure 75. InformationSharing Access Secure Information Page</li>
<li>Figure 76. InformationSharing RBAC Policy Violation</li>
<li>Figure 77. InformationSharing File Upload Page</li>
<li>Figure 78. InformationSharing File Upload Browser</li>
</ul>
<p>Chapter 1</p><p>1 Introduction</p><p>The Network Information and Space Security Center (NISSC) provided a grant to UCCS to study and implement a Secure Information Sharing (SIS) capability based upon a multi-tiered web architecture. The SIS project objective was to create a web-based implementation proof of concept to share information using Public Key Certificates (PKC) and Attribute Certificates (AC) to allow multiple agencies to share information securely based upon access rights defined in Role Based Access Control (RBAC) policies. The research accomplished in Secure Information Sharing Using Attribute Certificates and Role Based Access Control [1] satisfied the objectives identified in the NISSC grant. Additional PKC and AC research accomplished in ENgine FOR Controlling Emergent Hierarchical Role-Based Access [21] extended the concepts identified in support of the NISSC grant. The Secure Information Sharing Manager (SIS-M) research accomplished in this thesis is focused on Enterprise Management in a secure information sharing environment. 
The research and associated prototype are to demonstrate remote web-based System Administrator functionality for a Windows 2003 Server enterprise using the .Net 2.0 Framework and other Microsoft Windows 2003 Server components. A successful prototype enables 1) system health monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services.</p><p>1.1 Enterprise Management</p><p>The Enterprise Management problem evolved as the Information Technology (IT) industry matured. Each IT vendor, in an effort to expedite products to market, created proprietary enterprise management capabilities that do not easily integrate with other vendors' capabilities. Rapid IT infrastructure maturation and evolution produced corporate infrastructures that contain multiple vendor capabilities, each managed uniquely. The lack of an Enterprise Management standard is increasing corporate overhead costs to manage multiple unique systems and applications. This situation is currently impeding the ability of many companies to evolve their current systems to accommodate new business requirements and organizational needs [4].</p><p>1.1.1 The Distributed Management Task Force</p><p>The Distributed Management Task Force, Inc. (DMTF) is the industry organization leading the development of management standards and the promotion of interoperability for enterprise and Internet environments. DMTF standards provide a common management infrastructure and components for instrumentation, control, and communication in a platform-independent and technology neutral way [4]. 
The DMTF Technology Diagram depicted in Figure 1 shows the relationships among Management Initiatives, Web Based Enterprise Management (WBEM), and the Common Information Model (CIM).</p><p>Figure 1. DMTF Technology Diagram</p><p>The Common Information Model (CIM) is the foundation for the DMTF technology solution to distributed enterprise management and describes computing and business entities in Internet, enterprise, and service provider environments. Web-Based Enterprise Management (WBEM) is a set of management and Internet standard technologies developed to unify the management of distributed computing environments. WBEM standards facilitate the exchange of CIM information in an interoperable and efficient manner. Management Initiatives are designed to deliver market specific solutions such as the Storage Networking Industry Association (SNIA) Storage Management Initiative (SMI) [4].</p><p>1.1.2 The CIM and WBEM Standards</p><p>The CIM Schema is comprised of the Core Model, the Common Models, and Extension Schemas [2] [4] as identified below.</p>
<ul>
<li>The Core Model captures notions that are applicable to all areas of management. The Core Model is a set of classes, associations, properties, and methods that provide a basic vocabulary for describing managed systems. The Core Model represents a starting point for determining how to extend the Common schema.</li>
<li>The Common Models are information models that capture notions that are common to particular management areas, but independent of any particular technology or implementation. Examples of common models include systems, applications, networks, and devices. The classes, associations, properties, and methods in the Common Models are intended to provide a view of the area that is detailed enough to use as a basis for program design and, in some cases, implementation.</li>
<li>Extension Schemas represent technology-specific extensions of the common models. These schemas are specific to environments, such as operating systems. It is expected that the Common Models will evolve as a result of the promotion of objects and properties defined in the Extension Schemas.</li>
</ul>
<p>The WBEM standards are focused on management and Internet standard technologies to accomplish CIM information exchange in an interoperable and efficient manner. WBEM standards include:</p>
<ul>
<li>Mappings<ul><li>URI: WBEM URI Mapping Specification 1.0, DSP0207</li><li>XML: Representation of CIM using XML 1.2, DSP0201</li></ul></li>
<li>Protocols<ul><li>CIM-XML: CIM Operations over HTTP 1.2, DSP0200</li><li>CLP: Command Line Protocol 1.0, DSP0214</li></ul></li>
<li>Discovery<ul><li>SLP: WBEM Discovery using SLP, DSP0205</li></ul></li>
<li>Query Language<ul><li>CIM Query Language 1.0, DSP0202</li></ul></li>
</ul>
<p>The SIS-M prototype utilizes data in the Core Model, the CIM Query Language, and a SIS-M developed health and status rule set to determine Windows 2003 Server health in SIS-M's web-based enterprise.</p><p>1.2 Role Based Access Control</p><p>Corporate infrastructures of today include many disparate domains of corporate information, and corporations associate some value with each type of information available within their enterprise infrastructure. Sensitive corporate information includes corporate strategy, intellectual property, human resources, and supplier information. Role Based Access Control (RBAC) standards provide a solution for access management within corporate infrastructures. 
RBAC maps user job roles to application permissions so that access control administration can be accomplished in terms of the job roles of users [1]. The result of a sound RBAC implementation within a corporate infrastructure is secure information access by organizational and job responsibility.</p><p>1.2.1 The Organization for the Advancement of Structured Information Standards</p><p>The Organization for the Advancement of Structured Information Standards (OASIS) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society [9]. According to the National Institute of Standards and Technology (NIST), OASIS's Extensible Access Control Markup Language (XACML) specification describes building blocks that may be used to implement the various elements of the RBAC model presented in ANSI/INCITS 359 [12].</p><p>1.2.2 RBAC Standards</p><p>Core RBAC requires support for multiple users per role, multiple roles per user, multiple permissions per role, and multiple roles per permission. The OASIS XACML specification addresses ANSI Core RBAC requirements with the following five basic elements [10].</p>
<ul>
<li>Users are implemented as XACML Subjects.</li>
<li>Roles are expressed using one or more XACML Subject Attributes.</li>
<li>Objects are expressed using XACML Resources.</li>
<li>Operations are expressed using XACML Actions.</li>
<li>Permissions are expressed using XACML Role Policy Sets and Permission Policy Sets.</li>
</ul>
<p>XACML addresses Hierarchical RBAC requirements by implementing role inheritance based upon a Policy Set Id Reference, where senior roles can inherit permissions from junior roles [1].</p><p>In addition to the five RBAC elements defined within the standard, three key components are emphasized to accomplish controlled access to information. 
The components are [11]:</p>
<ul>
<li>Policy Administration Point (PAP): The system entity that creates a policy or policy set.</li>
<li>Policy Decision Point (PDP): The system entity that evaluates policy and renders an authorization decision.</li>
<li>Policy Enforcement Point (PEP): The system entity that performs access control, by making decision requests and enforcing authorization decisions.</li>
</ul>
<p>1.2.3 Document Organization</p><p>The remainder of this document is organized as follows. Chapter 2 presents information regarding WBEM and RBAC as the technologies apply to the SIS-M prototype. Chapter 3 describes the System Health and Status Monitoring, User Account Management, Role Based Access Control Management, Client-side Certificate Distribution, and RBAC Policy Violation Archive capabilities implemented within the SIS-M prototype. Chapter 4 contains performance observations for accessing .Net 2.0 Framework classes and Windows components utilized within the SIS-M prototype. Chapter 5 identifies lessons learned about Microsoft's WBEM implementation, WMI, and other Windows components utilized within the SIS-M prototype. Chapter 6 recommends SIS-M prototype updates for future research. Conclusions regarding the SIS-M prototype research and implementation are included in Chapter 7. Finally, Appendix A contains information for developers and users.</p><p>Chapter 2</p><p>2 SIS-M Architecture Research</p><p>The DMTF standards identified the Enterprise Management requirement set for the SIS-M prototype. There are several Commercial and Open Source WBEM implementations and each has a varying degree of DMTF standards compliance. A driving SIS-M requirement identified during Secure Information Sharing Using Attribute Certificates and Role Based Access Control [1] research was to implement the SIS-M capabilities on a Windows platform. 
Therefore, the WBEM implementation utilized by SIS-M must provide the maximum capability possible in a Windows environment and comply with DMTF standards. The result of the WBEM analysis identified the direction for all other architecture decisions.</p><p>2.1 WBEM Architecture</p><p>The WBEM architecture is not bound to a particular implementation. A standards compliant WBEM environment based on CIM standards is depicted in Figure 2 and includes:</p>
<ul>
<li>The CIM Client is used to obtain management information by querying CIM/WBEM Servers.</li>
<li>The CIM/WBEM Server provides CIM data, upon request, to CIM clients locally or remotely.</li>
<li>The CIM Object Manager maintains a repository of CIM data on the CIM/WBEM Servers.</li>
<li>The Providers implement one or more aspects of the CIM Schema and abstract the hardware and software implementation away from the CIM clients.</li>
</ul>
<p>Figure 2. Summary WBEM Architecture</p><p>The SIS-M research surveyed two WBEM implementations, WBEM Services and WMI, for the SIS-M prototype. Additionally, research depicted in Figure 3, from the Design of a WBEM-based Management System for Ubiquitous Computing Servers [5], provided useful information to narrow SIS-M's WBEM implementation survey.</p><p>Figure 3. WBEM Implementation Evaluation</p><p>The SIS-M WBEM implementation survey used the driving requirement of operability within a Windows environment as the discriminating attribute for the SIS-M WBEM implementation decision. As noted in Table 1, the SIS-M WBEM survey did not identify WBEM Services providers for managed elements within the Windows environment, while multiple WMI providers existed for each managed element the SIS-M prototype intended to monitor. Therefore, WMI was chosen as the WBEM infrastructure for the SIS-M prototype. 
</p>
<table>
<tr><th>WBEM Implementation Attribute</th><th>WMI</th><th>WBEM Services</th></tr>
<tr><td>Executes In Windows 2003 Environment</td><td>Yes</td><td>Yes</td></tr>
<tr><td>Supporting Tool Set</td><td>WMI CIM Studio</td><td>CIM Workshop</td></tr>
<tr><td>Operating System Providers Available</td><td>Yes</td><td>No</td></tr>
<tr><td>CPU Providers Available</td><td>Yes</td><td>No</td></tr>
<tr><td>Disk Providers Available</td><td>Yes</td><td>No</td></tr>
<tr><td>Developer Documentation Available</td><td>Yes</td><td>Yes</td></tr>
</table>
<p>Table 1. SIS-M WBEM Implementation Survey Results</p><p>2.2 SIS-M WBEM Implementation</p><p>The SIS-M Health and Status monitoring capability is a management application that integrates rules to evaluate Windows 2003 Server WBEM elements to determine the health and status of a given server. The SIS-M Health and Status monitoring capability utilizes the Microsoft WMI Architecture [6] depicted in Figure 4.</p><p>Figure 4. WMI Architecture</p><p>The SIS-M Health and Status Monitoring capability is divided into three summary categories: Operating System, CPU, and Disk. Five WMI Win32 classes reside within the WMI CIMOM, also known as the WMI CORE, and are used to derive SIS-M's health and status within the three summary categories.</p>
<ul>
<li>Operating System<ul>
<li>The WMI Win32_ComputerSystem class represents a computer system running Windows [7].</li>
<li>The WMI Win32_PerfFormattedData_PerfOS_Memory class provides pre-calculated performance data from the performance counters that monitor the physical and virtual memory on the computer. Physical memory is the amount of random access memory (RAM) on the computer. Virtual memory consists of space in physical memory and on disk [7].</li>
</ul></li>
<li>CPU<ul>
<li>The WMI Win32_Processor class represents a device that can interpret a sequence of instructions on a computer running a Windows operating system [7].</li>
</ul></li>
<li>Disk<ul>
<li>The WMI Win32_DiskDrive class represents a physical disk drive as seen by a computer running the Windows operating system [7].</li>
<li>The WMI Win32_PerfFormattedData_PerfDisk_PhysicalDisk class provides pre-calculated data from performance counters that monitor hard or fixed disk drives on a computer. Disks store file, program, or paging data and are read to retrieve these items, and written to record changes to them. The values of physical disk counters are sums of the values of the logical disks, also known as partitions, into which they are divided [7].</li>
</ul></li>
</ul>
<p>2.3 SIS-M User Account Management Implementation</p><p>The SIS-M User Account Management capability, following from the decision to utilize WMI for health and status monitoring, is accomplished using Active Directory and the ActiveDirectoryMembershipProvider implemented within a SIS-M ASP.Net 2.0 application. The ActiveDirectoryMembershipProvider functionality includes [8]:</p>
<ul>
<li>Creating new users and passwords.</li>
<li>Storing membership information in Active Directory.</li>
<li>Authenticating users who visit your site programmatically or by utilizing ASP.Net login controls.</li>
<li>Creating, changing, and resetting user account passwords.</li>
<li>Exposing a unique identifier for authenticated users that can be used in ASP.Net personalization and role management.</li>
<li>Specifying a custom membership provider that allows for system unique membership functionality.</li>
</ul>
<p>The ActiveDirectoryMembershipProvider interfaces with Active Directory using LDAP commands. 
This means that the provider is always pointed at the root of some container, and all provider operations occur within that single container [8]. Therefore, the ActiveDirectoryMembershipProvider and the MembershipUser class in the System.Web.Security namespace are used to create, delete, and retrieve user details in the SIS-M User Account Management application.</p><p>2.4 SIS-M RBAC Implementation</p><p>The SIS-M RBAC Management capability leverages the Windows 2003 Server component called the Authorization Manager (AzMan) and the AuthorizationStoreRoleProvider capability within ASP.Net 2.0. AuthorizationStoreRoleProvider is a wrapper around a subset of the functionality available in Authorization Manager [8] and facilitates role and policy access through the Roles class within the System.Web.Security namespace. AzMan contains the following attributes and capabilities to manage and enforce authorization policy [13].</p>
<ul>
<li>Operation: A low-level permission that a resource manager uses to identify security procedures.</li>
<li>Task: A collection of low-level operations.</li>
<li>Role Definition: A collection of permissions that are needed for a particular role, where permissions can be tasks or operations.</li>
<li>Role: The set of permissions that users must have to be able to do their job.</li>
<li>BizRules: The set of rules / scripts that are attached to a task object and run at the time of the access request.</li>
<li>Scope: A collection of objects or resources with a distinct authorization policy.</li>
<li>Application Groups: Groups that are applicable only to an authorization store.</li>
<li>Application Basic Groups: A subset of application groups. A list of members (Active Directory users or groups, or other application groups).</li>
<li>LDAP-query Groups: A subset of application groups. Groups that are defined by a Lightweight Directory Access Protocol (LDAP) query on a given Active Directory user account's attributes.</li>
</ul>
<p>AzMan policy stores are either integrated into Active Directory, the implementation used in SIS-M, or created as standalone XML files. AzMan addresses the five elements of the Core RBAC Standard using the AzMan elements and capabilities identified in Table 2.</p><p>Table 2. Authorization Manager RBAC Elements</p><p>AzMan addresses the three key RBAC components by utilizing the Authorization Manager Management Console for the PAP, BizRules for the PDP, and the AuthorizationStoreRoleProvider and the Roles class for the PEP.</p><p>2.5 SIS-M Client-side Certificate Distribution Implementation</p><p>The SIS-M Client-side Certificate Distribution capability is accomplished using the Windows 2003 Server Certificate Authority component. An enterprise Certificate Authority (CA) is fully integrated with Active Directory. Through a process called autoenrollment, a CA can automatically issue certificates to either users or computers without administrative intervention [15]. SIS-M issues client-side certificates remotely using the CertSrv website within the Windows 2003 Server CA component.</p><p>2.6 SIS-M Architecture Description</p><p>The SIS-M architecture implemented, as a result of the architecture research, to satisfy the SIS-M prototype capabilities of 1) system health monitoring, 2) user account management, 3) Role Based Access Control (RBAC) management and enforcement, and 4) automated Client-side Certificate distribution is comprised of three servers utilizing various Windows 2003 Server components. 
The SIS-M prototype web-based infrastructure enables remote access for the site administrator and SIS user and is implemented using Windows 2003 Server components: Active Directory, ASP.Net 2.0, Internet Information Services 6.0, WMI, and Certificate Services.</p><p>SIS-M's functional decomposition and allocation to infrastructure components and capabilities is summarized below.</p>
<ul>
<li>System health and status monitoring is accomplished using WMI and a rule set implemented as part of the SIS-M prototype.</li>
<li>User account management is accomplished using Active Directory and the ActiveDirectoryMembershipProvider included within ASP.Net 2.0.</li>
<li>RBAC management and enforcement is accomplished using ASP.Net 2.0 Forms Authentication, the Authorization Manager, and the AuthorizationStoreRoleProvider.</li>
<li>Automated Client-side certificate distribution is accomplished using the Windows 2003 Server Certificate Authority components.</li>
</ul>
<p>Chapter 3</p><p>3 SIS-M Implementation</p><p>The SIS-M implementation is contained within a VMware Server Version 1.0.1 environment. All implementation and SIS-M prototype functional and performance evaluation occurred within the VMware environment. The SIS-M implementation includes three Windows 2003 Servers and two Windows XP clients. The clients simulate external users that require access to the SIS-M and/or SIS websites for remote site administration, remote secure information sharing, and/or remote information access.</p><p>3.1 SIS-M Server and Client Specifications</p><p>The Windows 2003 Server and Windows XP client specifications were created by defining Virtual Machine Settings in the VMware Server console. Each SIS-M virtual machine contained two Network Interface Cards, one bridged to establish connectivity outside of the virtual environment, the other to communicate machine-to-machine within the SISMTHESIS.com domain. Table 3 lists the SIS-M virtual machine specifications. 
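</p><p>The Membership and Roles APIs named in Sections 2.3 and 2.4 are what a site-administrator page in InformationAccess, and a policy check in InformationSharing, would call. The following C# is an added example and is not code from the thesis or the SIS-M prototype. It assumes that web.config already makes ActiveDirectoryMembershipProvider the default membership provider and AuthorizationStoreRoleProvider (backed by the AzMan store on SISDC) the default role provider, and that the event log and source named in it were created beforehand as an administrative step; the role, resource and log names are illustrative. Under the Trusted Subsystem Model of Section 3.3 every call below runs as the ASP.Net worker process identity, not the remote user, so that identity needs write access to the user container, the AzMan store and the violation log, and nothing more.</p>

```csharp
// Added example, not from the thesis or the SIS-M prototype.
// Assumes web.config registers ActiveDirectoryMembershipProvider as the default
// membership provider and AuthorizationStoreRoleProvider (AzMan store on SISDC)
// as the default role provider. Role, resource and log names are illustrative.
using System;
using System.Diagnostics;
using System.Web.Security;

public static class SisAdmin
{
    // Assumed names; the log and source are created once by an administrator
    // (EventLog.CreateEventSource), not by the worker process at request time.
    public const string ViolationLog = "SIS-M RBAC Violations";
    public const string ViolationSource = "InformationSharing";

    // Manage Users: create the account in the AD container the provider is
    // pointed at. AD enforces the domain password policy; the status code
    // says why a request was refused instead of throwing.
    public static MembershipCreateStatus CreateUser(string userName, string password, string email)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        return status;
    }

    // Manage Users: remove the AzMan role assignments first so a stale SID
    // does not linger in the authorization store, then delete the account.
    public static bool DeleteUser(string userName)
    {
        string[] roles = Roles.GetRolesForUser(userName);
        if (roles.Length > 0)
            Roles.RemoveUserFromRoles(userName, roles);
        return Membership.DeleteUser(userName, true);
    }

    // Manage RBAC: create the role definition in the AzMan store if it is
    // missing, then add the user. Both calls go through the role provider,
    // so the store on SISDC remains the single source of truth.
    public static void AddUserToRole(string userName, string roleName)
    {
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);
        if (!Roles.IsUserInRole(userName, roleName))
            Roles.AddUserToRole(userName, roleName);
    }

    // Policy Enforcement Point for a protected page: the decision is the
    // role membership held in the AzMan store; a denial is archived to the
    // event log so the SiteAdministrator can review RBAC violations later.
    public static bool EnforceRole(string userName, string requiredRole, string resource)
    {
        if (Roles.IsUserInRole(userName, requiredRole))
            return true;

        string message = String.Format(
            "RBAC policy violation: user '{0}' requested '{1}' without role '{2}' at {3:u}",
            userName, resource, requiredRole, DateTime.UtcNow);
        using (EventLog log = new EventLog(ViolationLog))
        {
            log.Source = ViolationSource;
            log.WriteEntry(message, EventLogEntryType.FailureAudit);
        }
        return false;
    }
}
```

<p>Usage: a protected page calls <code>SisAdmin.EnforceRole(User.Identity.Name, "InformationConsumer", Request.Path)</code> before rendering secure content or accepting an upload, and redirects to the policy-violation page when it returns false. Note that the RoleProvider contract exposes role membership only: <code>Roles.IsUserInRole</code> performs no AccessCheck against AzMan Tasks and Operations, so a page that needs those finer-grained decisions, or the BizRules attached to them, has to call the AzMan runtime interfaces directly rather than the Roles class.</p><p>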
</p><p>Table 3. SIS-M Virtual Machine Specifications</p><p>3.2 Virtual Network Topology</p><p>Figure 5 depicts the virtual network topology used for SIS-M development. The Windows XP clients, SIS-M Client and SIS Client, are instantiated external to the SISMTHESIS domain.</p><p>Figure 5. SIS-M Virtual Network Topology</p><p>3.3 SIS-M Architecture</p><p>The SIS-M architecture supports all the functionality needed to meet the objectives identified for the SIS-M research, including 1) system health monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services. The SIS-M architecture prohibits direct client access to any backend resource by using the Trusted Subsystem Model [16], as depicted in Figure 6.</p><p>Figure 6. The Trusted Subsystem Model</p><p>The Trusted Subsystem Model requires that all resources are accessed by an ASP.Net worker process with appropriate authorization and credentials rather than with the credentials of the authenticated external user. The worker process is responsible for retrieving all requested resources once the client is authorized within the domain.</p><p>3.3.1 The Domain Controller</p><p>The Secure Information Sharing Domain Controller (SISDC) server utilizes Active Directory and contains all user information and AzMan Policies. The server name is SISDC.sismthesis.com.</p><p>3.3.2 The Management Server</p><p>The Secure Information Sharing Manager capability resides within the server named Manager. The SIS-M capabilities are implemented in a web-based application called InformationAccess. 
The capabilities implemented in the InformationAccess web application are Manage Users, Manage RBAC, RBAC Violations, and Monitor Systems. The URL for InformationAccess is https://Manager/InformationAccess. InformationAccess uses server-side certificates to secure communications between the client and SIS-M. The server name for Manager is Manager.sismthesis.com.</p><p>3.3.3 The Secure Information Server</p><p>The Secure Information Sharing capability resides within the server named Secure. The SIS capabilities are implemented in a web-based application called InformationSharing. The URL for InformationSharing is https://Secure/InformationSharing. InformationSharing requires client-side certificates to establish a connection. Additionally, this server hosts the CA capability and distributes the client-side certificates from another web-based application at the URL https://Secure/certsrv. The server name is Secure.sismthesis.com.</p><p>Figure 7 summarizes the architecture implemented during the SIS-M prototype development.</p><p>Figure 7. Summary Architecture</p><p>3.4 System Health and Status Monitoring</p><p>The System Health and Status Monitoring capability resides within the InformationAccess web-based application of SIS-M. The capability reaches the WMI functionality through the System.Management namespace. Figure 8 generically depicts the WMI tiers [14] and the approach used by ASP.Net applications to interface with WMI through the System.Management namespace. This is the approach implemented in InformationAccess, and it is the data path for all health and status monitoring information.</p><p>Figure 8. WMI Tiers</p><p>Each Windows 2003 Server within SIS-M’s enterprise is evaluated by the summary categories Operating System, CPU, and Disk. The WMI Win32 classes and class properties used are depicted in Figure 9.</p><p>Figure 9. 
Server Health And Status Attributes</p><p>The information provided by each attribute is listed below [7].</p><ul><li>The Win32_ComputerSystem Status property provides the current operational status of the Win32_ComputerSystem object.</li><li>The Win32_PerfFormattedData_PerfOS_Memory AvailableMBytes property provides the amount of physical memory, in megabytes, available to processes running on the computer. It is calculated by summing the space on the Zeroed, Free, and Standby memory lists. Free memory is ready for use; Zeroed memory contains memory pages filled with zeros to prevent later processes from seeing data used by a previous process; Standby memory is memory removed from a process’ working set but still available to be recalled. This property provides the last observed value only; it is not an average.</li><li>The Win32_Processor Status property provides the current operational status of the Win32_Processor object.</li><li>The Win32_Processor Availability property provides the availability and status of the device.</li><li>The Win32_Processor LoadPercentage property provides the load capacity of each processor, averaged over the last second, where processor loading is the total computing burden for each processor at one time.</li><li>The Win32_DiskDrive Status property provides the current operational status of the Win32_DiskDrive object.</li><li>The Win32_PerfFormattedData_PerfDisk_PhysicalDisk PercentIdleTime property provides the percentage of time during the sample interval that the disk was idle.</li></ul><p>The WMI Win32 class property values are assessed against a rule set implemented in SIS-M, shown in Figure 10, to determine a SIS-M status for each attribute. The resulting status of the attribute analysis is displayed in the InformationAccess web-based application user interface.</p><p>Figure 10. 
Health And Status Rules</p><p>3.4.1 Establishing WMI Namespace Connectivity</p><p>WMI namespace connectivity is established by creating a connection options object, identifying the WMI namespace path, and instantiating a management scope. Figure 11 shows the server connection algorithm for InformationAccess.</p><p>Figure 11. SIS-M WMI Connection Creation</p><p>3.4.1.1 WMI Connection Options</p><p>A WMI connection requires a username, a password, a connection authority string naming the authority that validates the user credentials for authorized WMI namespace access, and a namespace path.</p><p>3.4.1.2 Building A WMI Namespace Path</p><p>The WMI namespace path is the combination of the server name and the WMI namespace. SIS-M’s InformationAccess web-based application retrieves the WMI Win32 class information from the root/CIMV2 namespace on each server. The host executing the application that requests management information does not require a connection scope, because the host’s own management namespaces are already within scope and accessible to local query objects running with appropriate user credentials.</p><p>3.4.1.3 Instantiating WMI Management Scope</p><p>The WMI management scope connection requires a valid WMI namespace path and validated user credentials with permission to access the requested information. A TargetInvocationException is thrown if the WMI connection information is not accurate. An XmlDocument object is used to retrieve the connection information for each server. The XML document implemented in SIS-M is shown in Figure 12.</p><p>Figure 12. SIS-M WMI Connection Attributes</p><p>3.4.2 Building And Executing A WMI Query</p><p>CIM and WBEM support a query mechanism that is used to select sets of properties from CIM object instances stored within the CIMOM or WMI Core. Query definitions allow a WBEM client to specify the nature and number of the instances that are selected and what information is returned from those instances. 
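</p><p>Putting sections 3.4.1 and 3.4.2 together, the following is an added example in C# against the .NET 2.0 System.Management namespace; it is not the thesis’s own Figure 11 to Figure 14 code. It reads per-server connection attributes from an XML document whose element layout is assumed here, connects to root\CIMV2 with explicit credentials, runs the Figure 9 queries, and grades the returned properties with assumed thresholds, since the Figure 10 rule set is not reproduced on this page.</p>

```csharp
// Added example, not the thesis's Figure 11-14 code: connect to each server's
// root\CIMV2 namespace, run the Figure 9 queries and grade the results.
// ASSUMED: XML layout <servers><server name=".." user=".." password=".."/></servers>
// and the thresholds below (the SIS-M rule set of Figure 10 is not on this page).
using System;
using System.Collections.Generic;
using System.Management;
using System.Xml;

public enum Health { OK, Warning, Error }

public static class HealthProbe
{
    const ulong MinAvailableMBytes = 256;   // assumed threshold
    const ulong MaxLoadPercentage = 90;     // assumed threshold
    const ulong MinDiskIdlePercent = 10;    // assumed threshold

    // 3.4.1: connection options + namespace path -> connected management scope.
    // The local host needs no scope (3.4.1.2), so null is returned for it.
    public static ManagementScope Connect(string server, string user, string password)
    {
        if (string.Equals(server, Environment.MachineName, StringComparison.OrdinalIgnoreCase))
            return null;
        ConnectionOptions options = new ConnectionOptions();
        options.Username = user;        // a dedicated read-only WMI account, not an administrator
        options.Password = password;
        options.Authority = "ntlmdomain:SISMTHESIS";                 // authority validating the credential
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.Authentication = AuthenticationLevel.PacketPrivacy;  // encrypt the DCOM channel
        ManagementScope scope = new ManagementScope(@"\\" + server + @"\root\CIMV2", options);
        scope.Connect();   // a wrong path or wrong credentials fail here, before any query runs
        return scope;
    }

    // 3.4.2: scope + query object -> ManagementObjectCollection.
    static ManagementObjectCollection Query(ManagementScope scope, string wql)
    {
        ObjectQuery query = new ObjectQuery(wql);
        ManagementObjectSearcher searcher = scope == null
            ? new ManagementObjectSearcher(query)            // local namespace, no scope
            : new ManagementObjectSearcher(scope, query);
        return searcher.Get();
    }

    static Health StatusRule(object status)
    {
        return string.Equals(status as string, "OK", StringComparison.OrdinalIgnoreCase)
            ? Health.OK : Health.Error;
    }

    // Grades every Figure 9 attribute; keys are "<category>.<property>".
    public static Dictionary<string, Health> Evaluate(ManagementScope scope)
    {
        Dictionary<string, Health> result = new Dictionary<string, Health>();
        foreach (ManagementObject cs in Query(scope, "SELECT Status FROM Win32_ComputerSystem"))
            result["OS.Status"] = StatusRule(cs["Status"]);
        foreach (ManagementObject mem in Query(scope,
                 "SELECT AvailableMBytes FROM Win32_PerfFormattedData_PerfOS_Memory"))
            result["OS.AvailableMBytes"] = Convert.ToUInt64(mem["AvailableMBytes"]) >= MinAvailableMBytes
                ? Health.OK : Health.Warning;
        foreach (ManagementObject cpu in Query(scope,
                 "SELECT DeviceID, Status, Availability, LoadPercentage FROM Win32_Processor"))
        {
            string id = "CPU." + cpu["DeviceID"];
            result[id + ".Status"] = StatusRule(cpu["Status"]);
            // Availability 3 means "Running/Full Power" in the Win32_Processor value map.
            result[id + ".Availability"] = Convert.ToUInt16(cpu["Availability"]) == 3 ? Health.OK : Health.Warning;
            object load = cpu["LoadPercentage"];     // last one-second sample; null if not yet sampled
            result[id + ".LoadPercentage"] = load != null && Convert.ToUInt64(load) > MaxLoadPercentage
                ? Health.Warning : Health.OK;
        }
        foreach (ManagementObject disk in Query(scope, "SELECT DeviceID, Status FROM Win32_DiskDrive"))
            result["Disk." + disk["DeviceID"] + ".Status"] = StatusRule(disk["Status"]);
        foreach (ManagementObject pd in Query(scope, "SELECT PercentIdleTime FROM " +
                 "Win32_PerfFormattedData_PerfDisk_PhysicalDisk WHERE Name = '_Total'"))
            result["Disk.PercentIdleTime"] = Convert.ToUInt64(pd["PercentIdleTime"]) >= MinDiskIdlePercent
                ? Health.OK : Health.Warning;
        return result;
    }

    // 3.4.1.3: per-server connection attributes come from an XML document.
    public static void Main(string[] args)
    {
        XmlDocument doc = new XmlDocument();
        doc.Load(args.Length > 0 ? args[0] : "WmiConnections.xml");
        foreach (XmlElement server in doc.SelectNodes("/servers/server"))
        {
            string name = server.GetAttribute("name");
            try
            {
                ManagementScope scope = Connect(name, server.GetAttribute("user"), server.GetAttribute("password"));
                foreach (KeyValuePair<string, Health> kv in Evaluate(scope))
                    Console.WriteLine("{0}\t{1}\t{2}", name, kv.Key, kv.Value);
            }
            // In SIS-M a bad connection surfaced as an obscure TargetInvocationException (section 5.2);
            // catching the failure at the connect step keeps the real cause in the message.
            catch (ManagementException ex) { Console.WriteLine("{0}\tERROR\t{1}", name, ex.Message); }
            catch (UnauthorizedAccessException ex) { Console.WriteLine("{0}\tACCESS DENIED\t{1}", name, ex.Message); }
        }
    }
}
```

<p>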
This enables a WBEM managed environment to place less burden on the network infrastructure [3]. The SIS-M query objects are shown in Figure 13.</p><p>Figure 13. SIS-M WMI Query Objects</p><p>The InformationAccess web-based application requests all the properties within each CIM object instance named in the query, for each server in the enterprise. Both the WMI namespace connection scope and the query object are required to invoke a request for management information; see Figure 14. Upon successful execution, a ManagementObjectCollection is returned containing the properties needed for evaluation against SIS-M’s health and status rules.</p><p>Figure 14. WMI Query Execution</p><p>3.5 User Account Management</p><p>The user account management capability within InformationAccess is accomplished using the ActiveDirectoryMembershipProvider. The ASP.Net 2.0 web.config file contains the configuration information: InformationAccess defines a connection to the Active Directory installed on SISDC within web.config, and the ActiveDirectoryMembershipProvider service is added to the web application through the same configuration settings. Figure 15 is a snapshot of the InformationAccess web.config that implements the Active Directory connection string and the ActiveDirectoryMembershipProvider settings.</p><p>Figure 15. Active Directory Connection</p><p>3.5.1 InformationAccess User Management Capability</p><p>The user management capability implemented within InformationAccess uses the Membership and MembershipUser classes in the System.Web.Security namespace. InformationAccess’ user management functionality includes creating users, deleting users, and querying for user account details. The user interface is shown in section 9.3.1.1.</p><p>3.5.1.1 Creating Users</p><p>InformationAccess’ configuration settings in the web.config file establish a connection to Active Directory on SISDC and instantiate a membership provider. 
A new account is established with the CreateUserWizard Server Control. A generic CreateUserWizard Server Control is depicted in Figure 16.</p><p>Figure 16. Create User Wizard Definition</p><p>3.5.1.2 Deleting Users</p><p>InformationAccess’ delete-user functionality also benefits from the ASP.Net web.config configuration. User deletion is accomplished by calling the DeleteUser method of the Membership class. The delete-user functionality is implemented by the code in Figure 17.</p><p>Figure 17. Membership Delete User</p><p>3.5.1.3 User Account Details</p><p>The user account details are retrieved in a similar manner, using the MembershipUser class. The MembershipUser class properties listed below are displayed on a user account details web page within InformationAccess. The user interface is depicted in Figure 54.</p><ul><li>Comment</li><li>CreationDate</li><li>Email</li><li>IsApproved</li><li>IsLockedOut</li><li>IsOnline</li><li>LastActivityDate</li><li>LastLockoutDate</li></ul><p>3.6 Role Based Access Control Management</p><p>The RBAC management capability within InformationAccess is accomplished using the AuthorizationStoreRoleProvider. InformationAccess defines a connection to the Authorization Manager within the Active Directory installed on SISDC. Additionally, a roleManager service is added to the web-based application through the configuration settings. Figure 18 is a snapshot of the InformationAccess web.config that implements the Authorization Manager connection. The Authorization Manager connection string includes the additional attributes listed below.</p><ul><li>Common Name (CN): SISRBACPolicies</li><li>Domain Component (DC): SISMTHESIS</li><li>Domain Component (DC): COM</li></ul><p>Figure 18. 
Authorization Manager Connection</p><p>The additional connection string attributes are required to uniquely identify, within Active Directory, the Authorization Manager policy store that InformationAccess uses to enforce access checks before responding to the client.</p><p>3.6.1 InformationAccess RBAC Management Capability</p><p>The RBAC management capability implemented within InformationAccess uses the Roles class in the System.Web.Security namespace. InformationAccess’ RBAC management functionality includes creating roles, deleting roles, adding users to roles, querying for the users in a role, querying for all the roles defined within the system, getting all the roles for a particular user, determining whether a user is in a particular role, and removing a user from a particular role.</p><p>3.6.2 Create Role</p><p>Role creation is accomplished through the Roles class, using its CreateRole method. The create-role functionality is implemented by the code in Figure 19.</p><p>Figure 19. Create Role</p><p>3.6.3 Delete Role</p><p>Role deletion is accomplished using the DeleteRole method. The delete-role functionality is implemented by the code in Figure 20.</p><p>Figure 20. Delete Role</p><p>3.6.4 Add User To Role</p><p>Adding a user to a specific role is accomplished using the AddUserToRole method. The user-to-role assignment functionality is implemented by the code in Figure 21.</p><p>Figure 21. Add User To Role</p><p>3.6.5 Get Users In Role</p><p>Retrieving the users in a specific role is accomplished using the GetUsersInRole method. The user retrieval functionality is implemented by the code in Figure 22.</p><p>Figure 22. Get Users In Role</p><p>3.6.6 Get All Roles</p><p>The Get All Roles functionality is implemented by the code in Figure 23.</p><p>Figure 23. Get All Roles</p><p>3.6.7 Get Roles For User</p><p>Retrieving the roles for a specific user is accomplished using the GetRolesForUser method. 
The role retrieval functionality is implemented by the code in Figure 24.</p><p>Figure 24. Get Roles For User</p><p>3.6.8 Is User In Role</p><p>Verifying that a user is in a specific role is accomplished using the IsUserInRole method. The user-in-role verification functionality is implemented by the code in Figure 25.</p><p>Figure 25. Is User In Role</p><p>3.6.9 Remove User From Role</p><p>Removing a user from a specific role is accomplished using the RemoveUserFromRole method. The functionality is implemented by the code in Figure 26.</p><p>Figure 26. Remove User From Role</p><p>Section 9.3.1.2 describes InformationAccess’ RBAC Management user interface.</p><p>3.7 Client-side Certificate Distribution</p><p>The automated client-side certificate distribution capability is fulfilled entirely by Windows 2003 Server components and their configuration. See section 9.3.1.4 for the description of Certificate Services.</p><p>3.8 RBAC Policy Violation Archive</p><p>The RBAC policy violation archive capability within InformationAccess is accomplished using the EventLog classes in the System.Diagnostics namespace. Each web-based application, InformationAccess and InformationSharing, uses the EventLog classes to archive RBAC policy violations into the Event Log on the server SISDC.sismthesis.com.</p><p>3.8.1 Event Log Creation</p><p>Event Log creation requires an EventSourceCreationData object that contains an event source name, a log file name, and the name of the target host on which the log file resides. Figure 27 shows the code necessary to establish a custom log file within the Event Viewer on SISDC.sismthesis.com.</p><p>Figure 27. EventViewer Log File Creation</p><p>3.8.2 Writing Event Log Entries</p><p>Figure 28 depicts the code to write an entry into a remote log file with a severity of Warning. 
The code establishes a connection to the appropriate log file using the log name, machine name, and log entry source. The entry is written as a message categorized with a severity that can be Information, Warning, or Error.</p><p>Figure 28. Event Log Entry Creation</p><p>3.8.3 Deleting Event Log Entries</p><p>Deleting Event Log entries in the Event Viewer follows a similar pattern. A connection must be established to the appropriate log file using the log name, machine name, and log entry source. Once connectivity is established the entries are cleared, as depicted in Figure 29.</p><p>Figure 29. Event Log Entry Deletion</p><p>3.9 InformationSharing Web Application</p><p>A secure information sharing capability is built within the SIS-M prototype in order to effectively evaluate Authorization Manager’s policy enforcement capability. The InformationSharing web application resides on the server named Secure and requires two-way authentication before client connections are established. Internet Information Services (IIS) is Secure Sockets Layer Version 3.0 compliant [18] and is used to accomplish the two-way authentication before a secure connection with the server is established. Figure 30 shows the two-way authentication handshake [19].</p><p>Figure 30. IIS Two-way Authentication Handshake</p><p>A client attempting to connect to InformationSharing without a certificate receives an error message; the message displayed is described in Figure 72. InformationSharing defines a custom 403.7, Forbidden – Client Certificate Required, error in the IIS Management Console, as shown in Figure 31.</p><p>Figure 31. Custom 403.7 Error Configuration</p><p>The purpose of the InformationSharing web-based application is to provide users the capability to read and deposit information in a common location and to make information available based upon a user’s role definition. 
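</p><p>The policy check that gates InformationSharing (section 3.9), combined with the violation archive of section 3.8, as an added C# example against the .NET 2.0 Roles and EventLog classes; it is not the code of Figures 27, 28 or 33. The custom log name SISRBACViolations and the event source name InformationSharing are assumed; the log host SISDC.sismthesis.com, the UPN requirement (section 5.4) and the Warning severity are taken from the thesis.</p>

```csharp
// Added example, not InformationSharing's Figure 27/28/33 code: Authorization Manager
// role check before serving a request, with RBAC violations archived on SISDC.
// ASSUMED names: log "SISRBACViolations" and event source "InformationSharing".
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public static class RbacGate
{
    const string LogHost   = "SISDC.sismthesis.com";   // archive host from section 3.8
    const string LogName   = "SISRBACViolations";      // assumed custom log name
    const string Source    = "InformationSharing";     // assumed event source name
    const string UpnSuffix = "@sismthesis.com";

    // 5.4: Forms Authentication yields no WindowsIdentity, so AzMan resolves the user
    // only from a full UPN. Accepts "alice", "SISMTHESIS\alice" or an existing UPN.
    public static string ToUpn(string name)
    {
        if (name.IndexOf('@') >= 0) return name;
        int slash = name.IndexOf('\\');
        if (slash >= 0) name = name.Substring(slash + 1);
        return name + UpnSuffix;
    }

    // 3.8.1: create the custom log once. Creating a source needs administrative rights
    // on SISDC, so this belongs in Application_Start, not in the per-request path.
    public static void EnsureViolationLog()
    {
        if (EventLog.SourceExists(Source, LogHost)) return;
        EventSourceCreationData data = new EventSourceCreationData(Source, LogName);
        data.MachineName = LogHost;
        EventLog.CreateEventSource(data);
    }

    // 3.8.2: connect by log name, machine name and source; write a Warning entry.
    public static void ArchiveViolation(string upn, string role, string resource, string clientIp)
    {
        using (EventLog log = new EventLog(LogName, LogHost, Source))
        {
            log.WriteEntry(string.Format(
                "RBAC policy violation: user={0} required-role={1} resource={2} client={3}",
                upn, role, resource, clientIp), EventLogEntryType.Warning);
        }
    }

    // 3.8.3: clearing the archive is the same connection followed by Clear().
    public static void ClearArchive()
    {
        using (EventLog log = new EventLog(LogName, LogHost, Source))
            log.Clear();
    }

    // 3.9: IIS has already enforced the client certificate (403.7 otherwise) and Forms
    // Authentication the account; this is the third gate, the AzMan role check.
    // Call from Page_Load: if (!RbacGate.Authorize(Context, "Uploader")) return;
    public static bool Authorize(HttpContext ctx, string requiredRole)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return false;
        }
        string upn = ToUpn(ctx.User.Identity.Name);
        bool allowed;
        try
        {
            allowed = Roles.IsUserInRole(upn, requiredRole);   // AuthorizationStoreRoleProvider
        }
        catch (NotSupportedException)
        {
            allowed = false;   // provider gaps (section 5.4) fail closed, never open
        }
        if (!allowed)
        {
            ArchiveViolation(upn, requiredRole, ctx.Request.Path, ctx.Request.UserHostAddress);
            ctx.Response.StatusCode = 403;
            ctx.Response.StatusDescription = "Forbidden";
        }
        return allowed;
    }
}
```

<p>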
InformationSharing allows user content to be uploaded into the common location if the user has appropriate permissions. InformationSharing uses the control flow shown in Figure 32 to enforce RBAC policy compliance. Therefore, to accomplish any information exchange using the InformationSharing web-based application, a user must have 1) a valid client-side certificate to establish connectivity, 2) a valid user account within the domain, and 3) appropriate permissions defined in Authorization Manager.</p><p>Figure 32. InformationSharing Controls</p><p>InformationSharing’s Authorization Manager policy enforcement is accomplished by the code shown in Figure 33.</p><p>Figure 33. InformationSharing RBAC Policy Check</p><p>Chapter 4</p><p>4 Performance Observations</p><p>The SIS-M prototype uses the .Net 2.0 Framework classes and other Windows components to meet the objectives of this thesis. As part of the research, performance measurements were taken to observe the HTTPS request to HTTPS response time for RBAC Violation Archive data retrieval, RBAC Management, and Health and Status Monitoring. The objective of the performance analysis was to capture the performance of the .Net 2.0 Framework classes and Windows components while accomplishing SIS-M’s InformationAccess web-based application tasks. All measurements were captured using the Wireshark [20], formerly Ethereal, network sniffer. The SIS-M performance observations decomposed the HTTPS request to HTTPS response time into four discrete measurements: Client Request, SSL Handshake Complete, Backend Data Retrieval Complete, and Client Response.</p><p>4.1 RBAC Policy Violation Archive</p><p>The RBAC Policy Violation Archive implementation is described in section 3.8. The performance measurements observed for retrieving archive information are depicted in Figure 34. 
Both of SIS-M’s web-based applications, InformationAccess and InformationSharing, write RBAC Policy Violation entries into a custom Windows Event Log on the domain controller, SISDC. The objective of this measurement is to observe the performance of the Windows Event Log during a custom archive data retrieval request.</p>
<table>
<caption>RBAC Archive Information Retrieval (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>RBAC Log Retrieval Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.142373</td><td>1.878325</td><td>3.029757</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.039929</td><td>1.655951</td><td>2.232192</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.015794</td><td>2.371433</td><td>2.633444</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.079289</td><td>1.714269</td><td>2.687524</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.015815</td><td>1.655792</td><td>2.295007</td></tr>
<tr><td>Average</td><td>0</td><td>0.05864</td><td>1.855154</td><td>2.5755848</td></tr>
</table>
<p>Figure 34. RBAC Policy Violation Entry Retrieval</p><p>4.2 RBAC Management</p><p>The RBAC Management implementation is described in section 3.6. SIS-M’s web-based application, InformationAccess, accesses the Authorization Manager capabilities contained within Active Directory on SISDC to manage role membership for each user. The objective of this measurement is to observe the performance of Authorization Manager access. The performance measurements observed for Authorization Manager are depicted in Figure 35.</p>
<table>
<caption>RBAC Mgt Request Time (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>RBAC Mgt Request Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.015862</td><td>0.197095</td><td>0.847619</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.01724</td><td>0.174485</td><td>0.848788</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.066693</td><td>0.295151</td><td>0.630357</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.028176</td><td>0.196822</td><td>0.525366</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.023659</td><td>0.199299</td><td>0.957544</td></tr>
<tr><td>Average</td><td>0</td><td>0.030326</td><td>0.2125704</td><td>0.7619348</td></tr>
</table>
<p>Figure 35. RBAC Management Request Time</p><p>4.3 Health And Status Monitoring</p><p>The Health and Status Monitoring implementation is described in section 3.4. 
SIS-M’s web-based application, InformationAccess, connects to the WMI namespace of each of the three Windows 2003 servers to retrieve health and status monitoring information. The objective of the following measurements is to observe the performance of WMI data retrieval. Observations were taken for combinations of servers and WMI objects requested, in an attempt to trend the data. The observation sets were:</p><ul><li>One Server Retrieving One WMI Object</li><li>Two Servers Retrieving One WMI Object</li><li>Three Servers Retrieving One WMI Object</li><li>One Server Retrieving Five WMI Objects</li><li>Two Servers Retrieving Five WMI Objects</li><li>Three Servers Retrieving Five WMI Objects</li></ul><p>The following sections show the performance observations for the combinations of servers and WMI objects.</p><p>4.3.1 One Server Retrieving One WMI Object</p><p>The One Server Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespace on SISDC. The results are depicted in Figure 36.</p>
<table>
<caption>WMI 1X1 Response Time (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>WMI Object Request Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.02201</td><td>6.91379</td><td>7.763398</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.357341</td><td>11.762104</td><td>12.294849</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.061387</td><td>6.807595</td><td>7.069001</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.020213</td><td>6.014796</td><td>7.443219</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.102926</td><td>6.945391</td><td>7.696152</td></tr>
<tr><td>Average</td><td>0</td><td>0.1127754</td><td>7.6887352</td><td>8.4533238</td></tr>
</table>
<p>Figure 36. WMI One Server One Object Response Time</p><p>4.3.2 Two Servers Retrieving One WMI Object</p><p>The Two Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC and Secure servers. The results are depicted in Figure 37. 
</p>
<table>
<caption>WMI 2X1 Response Time (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>WMI Object Request Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.029248</td><td>10.685066</td><td>10.903246</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.014124</td><td>7.753585</td><td>8.077432</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.078561</td><td>8.305449</td><td>8.716218</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.043642</td><td>7.057637</td><td>7.825997</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.048526</td><td>9.740575</td><td>10.021231</td></tr>
<tr><td>Average</td><td>0</td><td>0.0428202</td><td>8.7084624</td><td>9.1088248</td></tr>
</table>
<p>Figure 37. WMI Two Servers One Object Response Time</p><p>4.3.3 Three Servers Retrieving One WMI Object</p><p>The Three Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC, Secure, and Manager servers. The results are depicted in Figure 38.</p>
<table>
<caption>WMI 3X1 Response Time (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>WMI Object Request Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.079186</td><td>10.587262</td><td>11.718099</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.015713</td><td>8.886371</td><td>9.500771</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.04537</td><td>7.200216</td><td>7.984139</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.0214</td><td>7.053049</td><td>7.628529</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.061156</td><td>8.477964</td><td>9.074975</td></tr>
<tr><td>Average</td><td>0</td><td>0.044565</td><td>8.4409724</td><td>9.1813026</td></tr>
</table>
<p>Figure 38. WMI Three Servers One Object Response Time</p><p>4.3.4 One Server Retrieving Five WMI Objects</p><p>The One Server Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespace on SISDC. The results are depicted in Figure 39.</p>
<table>
<caption>WMI 1X5 Response Time (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>WMI Object Request Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.042058</td><td>8.47447</td><td>8.917341</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.010382</td><td>6.439772</td><td>6.835655</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.030147</td><td>8.462035</td><td>9.430691</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.014877</td><td>7.484855</td><td>7.951533</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.032794</td><td>7.716972</td><td>7.968646</td></tr>
<tr><td>Average</td><td>0</td><td>0.0260516</td><td>7.7156208</td><td>8.2207732</td></tr>
</table>
<p>Figure 39. 
WMI One Server Five Objects Response Time</p><p>4.3.5 Two Servers Retrieving Five WMI Objects</p><p>The Two Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC and Secure servers. The results are depicted in Figure 40.</p>
<table>
<caption>WMI 2X5 Response Time (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>WMI Object Request Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.019284</td><td>8.119123</td><td>8.37916</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.031845</td><td>7.852518</td><td>8.396238</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.043652</td><td>7.560822</td><td>8.286355</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.025252</td><td>7.851054</td><td>8.656812</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.019517</td><td>6.875842</td><td>7.28684</td></tr>
<tr><td>Average</td><td>0</td><td>0.02791</td><td>7.6518718</td><td>8.201081</td></tr>
</table>
<p>Figure 40. WMI Two Servers Five Objects Response Time</p><p>4.3.6 Three Servers Retrieving Five WMI Objects</p><p>The Three Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC, Secure, and Manager servers. The results are depicted in Figure 41.</p>
<table>
<caption>WMI 3X5 Response Time (seconds elapsed since the client request)</caption>
<tr><th>Run</th><th>Client Request</th><th>SSL Handshake Complete</th><th>Monitor Systems Request Complete</th><th>Client Response</th></tr>
<tr><td>Run #1</td><td>0</td><td>0.062698</td><td>11.84065</td><td>13.021709</td></tr>
<tr><td>Run #2</td><td>0</td><td>0.014455</td><td>6.847666</td><td>8.026303</td></tr>
<tr><td>Run #3</td><td>0</td><td>0.040922</td><td>7.84767</td><td>8.019918</td></tr>
<tr><td>Run #4</td><td>0</td><td>0.021126</td><td>8.119083</td><td>8.692987</td></tr>
<tr><td>Run #5</td><td>0</td><td>0.04444</td><td>6.954645</td><td>7.008613</td></tr>
<tr><td>Average</td><td>0</td><td>0.0367282</td><td>8.3219428</td><td>8.953906</td></tr>
</table>
<p>Figure 41. WMI Three Servers Five Objects Response Time</p><p>4.3.7 Server Trend For Retrieving One WMI Object</p><p>The Server Trend For Retrieving One WMI Object observation shows the increase in response time for querying one WMI object relative to the number of WMI namespaces queried. The results are depicted in Figure 42. 
</p>
<table>
<caption>Single WMI Object Response Time (run averages, seconds elapsed since the client request)</caption>
<tr><th>Observation</th><th>Client Request</th><th>SSL Handshake Complete</th><th>WMI Object Request</th><th>Client Response</th></tr>
<tr><td>WMI 1X1 Avg</td><td>0</td><td>0.1127754</td><td>7.6887352</td><td>8.4533238</td></tr>
<tr><td>WMI 2X1 Avg</td><td>0</td><td>0.0428202</td><td>8.7084624</td><td>9.1088248</td></tr>
<tr><td>WMI 3X1 Avg</td><td>0</td><td>0.044565</td><td>8.4409724</td><td>9.1813026</td></tr>
</table>
<p>Figure 42. Single WMI Object Server Trend</p><p>4.3.8 Server Trend For Retrieving Five WMI Objects</p><p>The Server Trend For Retrieving Five WMI Objects observation shows the increase in response time for querying five WMI objects relative to the number of WMI namespaces queried. The results are depicted in Figure 43.</p>
<table>
<caption>Five WMI Object Response Time (run averages, seconds elapsed since the client request)</caption>
<tr><th>Observation</th><th>Client Request</th><th>SSL Handshake Complete</th><th>WMI Object Request</th><th>Client Response</th></tr>
<tr><td>WMI 1X5 Avg</td><td>0</td><td>0.0260516</td><td>7.7156208</td><td>8.2207732</td></tr>
<tr><td>WMI 2X5 Avg</td><td>0</td><td>0.02791</td><td>7.6518718</td><td>8.201081</td></tr>
<tr><td>WMI 3X5 Avg</td><td>0</td><td>0.0367282</td><td>8.3219428</td><td>8.953906</td></tr>
</table>
<p>Figure 43. Five WMI Objects Server Trend</p><p>Chapter 5</p><p>5 Lessons Learned</p><p>5.1 WMI Win32 Classes And CIM Schema Observations</p><p>The SIS-M research reviewed the class hierarchy between the CIM Schema classes and their inheritance into the WMI Win32 class definitions. The SIS-M research observed some obscure findings, as follows.</p><p>5.1.1 Win32_UserAccount</p><p>The CIM User / Security Common Model defines classes to manage</p><ul><li>general contact and white pages information for organizations, organization units, and people;</li><li>“users” of services, and the related security information to authenticate and authorize those “users”.</li></ul><p>The two classes that represent users’ access to system resources are CIM_UsersAccess and CIM_Account [4]. However, Win32_UserAccount does not inherit from either of these two classes; Win32_UserAccount inherits from CIM_LogicalElement. 
Additionally, the CIM_LogicalElement class is the base class for all system components that represent abstract system components, such as profiles, processes, or system capabilities, in the form of logical devices [7].</p><p>5.1.2 Win32 Formatted Performance Statistics</p><p>The purpose of the CIM Schema Extension mechanism is to give vendors of Enterprise Management capabilities an avenue to integrate improvements into the CIM Core and Common Models. The Win32 Formatted Performance Statistics classes used by the SIS-M prototype provided valuable information to the health and status monitoring capability within InformationAccess. These classes inherit from the CIM_StatisticalInformation class and appear to be candidates for CIM Common Model schema updates. However, the SIS-M research did not observe any of the Win32 Formatted Performance Statistics classes, or their equivalent, in the CIM V2.1.2 Schema.</p><p>5.2 System Health And Status</p><p>The WMI capabilities enabled the SIS-M prototype to achieve health and status monitoring of distributed systems. Defining appropriate user account credentials for access to the remote servers’ WMI namespaces is the key to effectively retrieving valuable management information. Inaccurately defined user access credentials result in an obscure TargetInvocationException that is extremely difficult to troubleshoot.</p><p>5.3 User Account Management</p><p>The ActiveDirectoryMembershipProvider and the Membership and MembershipUser classes, combined with the ASP.Net 2.0 capability, provide a solution for remote User Account Management. However, the more complex user management functionality does not currently exist. 
Therefore, an administrator must use the Active Directory Users and Computers Management Console to add or remove groups and to change user group assignments.</p><p>5.4 RBAC Management</p><p>The AuthorizationStoreRoleProvider is a wrapper around a subset of the functionality available in Authorization Manager [8]. Therefore, the AzMan capability is not completely supported through the ASP.Net services, and some Membership methods throw a NotSupportedException. Also, the SIS-M prototype user accounts must be in the User Principal Name (UPN) format <username>@domain.com for AzMan to apply access policy effectively. The ASP.Net Forms Authentication used in the SIS-M prototype does not create a WindowsIdentity; therefore, AzMan requires the full UPN to look up user groups, permissions, and roles.</p><p>5.5 Client-side Certificate Distribution</p><p>The client-side certificate distribution capability is accomplished by the installation and configuration of Windows 2003 Server components. Specifically, an Enterprise Certificate Authority (CA) integrated with Active Directory automatically fulfills client requests for certificates and installs the certificate on the remote system. However, Public Key Infrastructure (PKI) best practices state that Root CAs should never be connected to the network, in order to raise the security level of the CA’s private key [17]. A PKI in most cases should be architected with an offline Root CA, one or more offline Intermediate CAs, and one or more networked Issuing Enterprise CAs.</p><p>Chapter 6</p><p>6 Future Research</p><p>6.1 Update SIS-M Architecture To Include A UNIX Server</p><p>The CIM and WBEM standards are being developed to guide Enterprise Management capabilities in heterogeneous enterprises. 
Therefore, the SIS-M prototype could be updated to include a UNIX server and an alternative CIM implementation, to assess platform interoperability between two CIM and WBEM compliant implementations.</p><p>6.2 Update The SIS-M Prototype To The .Net 3.0 Framework</p><p>As identified in Section 5, Lessons Learned, some functionality in the .Net 2.0 Framework and ASP.Net 2.0 is not fully implemented and throws a NotImplementedException. The SIS-M prototype could be updated to evaluate additional functionality in the next evolution of the .Net Framework and ASP.Net.</p><p>6.3 Certificate Authority Architecture</p><p>As stated in section 5, a PKI in most cases should be architected with an offline Root CA, one or more offline Intermediate CAs, and one or more networked Issuing Enterprise CAs. Therefore a more robust CA architecture should be integrated into the SIS-M prototype to assess and validate automated client-side certificate distribution from an Issuing CA. Additionally, the Certificate Services Web Enrollment pages can be customized by modifying certificate templates.</p><p>6.4 Implement Client-side Certificate Mapping</p><p>The SIS-M prototype uses Forms Authentication and Authorization Manager to determine identity, authenticate the user, and authorize access. One-to-one certificate mapping can instead be used to authenticate users and grant or deny access to web resources. Therefore, the SIS-M prototype can be updated to evaluate the certificate mapping functionality and to compare the performance of the two approaches to determining identity, authenticating users, and authorizing access. 
Chapter 7</p>
<p>7 Conclusion</p>
<p>The SIS-M research and prototype enabled 1) system health monitoring using Windows Management Instrumentation (WMI), 2) user account management using the Active Directory Membership Provider, 3) Role Based Access Control (RBAC) using ASP.Net 2.0 Forms Authentication and the Authorization Manager, and 4) automated Client-side Certificate distribution using Certificate Services.</p>
<p>7.1 System Health And Status Monitoring</p>
<p>The WMI capabilities provide sufficient information to create a health and status monitoring capability. However, as mentioned in Section 5.1.1, the WMI Win32 Classes do not always inherit from the expected CIM Schema classes. The SIS-M research suggests that one reason for this observation may be that the cost of integrating a standard into an existing product line is prohibitive and does not provide sufficient return on investment in the marketplace.</p>
<p>7.2 User Account Management</p>
<p>The user account management functionality satisfied the objectives for the SIS-M prototype and may be usable in a small enterprise setting. However, remote user account management does not currently have the fidelity to manage enterprises with many users. Therefore, the Active Directory Users & Computers application is still required to provide robust account management.</p>
<p>7.3 RBAC Management</p>
<p>SIS-M research concluded that AzMan addresses the five elements of the CORE RBAC Standard using the AzMan elements and capabilities identified in Table 2. 
SIS-M research also concluded that AzMan addresses the three key RBAC components by utilizing the Authorization Manager Management Console for the PAP, BizRules for the PDP, and the AuthorizationStoreRoleProvider and the Roles class for the PEP.</p>
<p>7.4 Client-side Certificate Distribution</p>
<p>The Certificate Services component within Windows 2003 Server achieved all the functionality required in the SIS-M prototype to remotely distribute and automatically install client-side certificates for new users upon request. The SIS-M prototype instantiated only one networked CA; the research concludes that a PKI architecture with a Standalone Root CA, isolated Intermediate CAs, and Enterprise Issuing CAs is required to verify the automated remote distribution of client-side certificates within a more robust architecture.</p>
<p>7.5 Performance Observations</p>
<p>The SIS-M prototype uses the .Net 2.0 Framework classes and other Windows components to meet the objectives of this thesis. The objective of the performance analysis was to capture the performance of the .Net 2.0 Framework classes and Windows components while accomplishing SIS-M's InformationAccess web-based application tasks. Multiple performance observations were captured for WMI Object retrieval analysis. The SIS-M WMI performance results, described in Section 4.3.7, show a 7.9% increase in HTTPS response time when querying for one WMI Object and executing the WMI query on the three servers, SISDC, Secure, and Manager. The performance results, described in Section 4.3.8, show an 8.1% increase in HTTPS response time when querying for five WMI Objects and executing the WMI queries on the three servers. Section 4 describes the performance observation measurements.</p>
<p>8 Bibliography</p>
<p>[1] Ganesh, G. and Chow, E. 2005. Secure Information Sharing Using Attribute Certificates and Role Based Access Control.</p>
<p>[2] DMTF Inc. 2006. CIM Schema Version 2.1.2. 
Portland: Distributed Management Task Force Incorporated.</p>
<p>[3] DMTF Inc. 2006. CIM Query Language Specification Version 1.0. Portland: Distributed Management Task Force Incorporated.</p>
<p>[4] DMTF Inc. and WBEM Solutions Inc. 2003. CIM Tutorial. Portland: Distributed Management Task Force Incorporated and Pinehurst: WBEM Solutions Incorporated.</p>
<p>[5] Dept. of Computer Science and Engineering, POSTECH. 2004. Design of a WBEM-based Management System for Ubiquitous Computing Servers.</p>
<p>[6] Microsoft Corporation. 2007. WMI Architecture. http://msdn.microsoft.com/en-us/library/aa394553.aspx (accessed July 2007).</p>
<p>[7] Microsoft Corporation. 2007. WMI Win32 Classes. http://msdn2.microsoft.com/en-us/library/aa394084.aspx (accessed July 2007).</p>
<p>[8] Schackow, S. 2006. Professional ASP.NET 2.0 Security, Membership, and Role Management. Indianapolis: Wiley Publishing Inc.</p>
<p>[9] OASIS. 2007. Who We Are. http://www.oasis-open.org (accessed July 2007).</p>
<p>[10] OASIS. 2005. eXtensible Access Control Markup Language (XACML) Version 2.0, CORE Specification.</p>
<p>[11] OASIS. 2005. Core and hierarchical role based access control (RBAC) profile of XACML v2.0.</p>
<p>[12] NIST. 2007. RBAC Standards Roadmap. http://csrc.nist.gov/rbac/rbac-stds-roadmap.html (accessed August 2007).</p>
<p>[13] Microsoft Corporation. 2007. Role-Based Access Control for Multi-tier Applications Using Authorization Manager. http://technet2.microsoft.com/windowsserver/en/library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx?mfr=true (accessed August 2007).</p>
<p>[14] Microsoft Corporation. 2007. WMI .NET Architecture. http://msdn2.microsoft.com/en-us/library/ms257361(VS.80).aspx (accessed August 2007).</p>
<p>[15] Howie, J. 2006. Windows Server 2003 Certificate Services. 
http://www.windowsitpro.com/Articles/ArticleID/49733/49733.html (accessed August 2007).</p>
<p>[16] Microsoft Corporation. 2007. Developing Applications Using Windows Authorization Manager. http://msdn2.microsoft.com/en-us/library/aa480244.aspx (accessed August 2007).</p>
<p>[17] Microsoft Corporation. 2007. Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure. http://technet2.microsoft.com (accessed September 2007).</p>
<p>[18] Microsoft Corporation. 2007. Internet Information Services Security Overview. http://msdn2.microsoft.com/en-us/library/ms951692.aspx#iissecure_ssl (accessed October 2007).</p>
<p>[19] WindowsSecurity.com. 2007. Secure Socket Layer. http://www.windowsecurity.com/articles/Secure_Socket_Layer.html (accessed October 2007).</p>
<p>[20] Wireshark. 2007. Wireshark: What's on your network? http://www.wireshark.org (accessed October 2007).</p>
<p>[21] Khaleel, O. 2007. Engine For Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess).</p>
<p>9 APPENDIX A: Developer / User Guide</p>
<p>The Developer / User Guide information in this appendix is intended to provide additional information to users and developers for extending the research accomplished during the SIS-M prototype development. The appendix includes information about the SIS-M prototype development environment and the SIS-M prototype user interface.</p>
<p>9.1 The SIS-M Prototype Environment</p>
<p>The SIS-M prototype environment resides within VMware Server, version 1.0.1. The architecture implemented for the SIS-M prototype is discussed in Section 3.3. The SIS-M prototype is developed using three Windows 2003 Servers. Each of the servers runs Windows 2003 Server Enterprise Edition, Service Pack 1. All SIS-M prototype software is written in C#, ASP.Net, and HTML. 
The Integrated Development Environment (IDE) used to develop and debug the InformationAccess and InformationSharing web-based applications is Visual Studio (VS) 2005. The InformationAccess project resides on the server named Manager, and the VS2005 Start Page is depicted in Figure 44. The InformationSharing project resides on the server named Secure.</p>
<p>Figure 44. InformationAccess VS2005 Start Page</p>
<p>Both InformationAccess and InformationSharing execute within Internet Information Services (IIS) 6.0. Therefore, the IIS Management Console is used for all the configuration settings of the two web-based applications. The IIS Management Console depicting InformationSharing is shown in Figure 45.</p>
<p>Figure 45. InformationSharing IIS Management Console</p>
<p>Note that all three servers and at least one Windows XP client (SISCLI or SISMCLI) must be running for the SIS-M prototype to be completely functional. The web applications can be accessed by the URIs specified below. The InformationSharing web-based application returns a 403.7 Forbidden – Client Certificate Required error page unless a certificate from the server named Secure is already installed in Internet Explorer.</p>
<p>InformationAccess URI: https://Manager/InformationAccess</p>
<p>InformationSharing URI: https://Secure/InformationSharing</p>
<p>9.2 SIS-M Prototype Administration</p>
<p>SIS-M prototype administration occurs on the Secure Information Sharing Domain Controller (SISDC) server. The Active Directory Users and Computers Management Console is depicted in Figure 46 and was used routinely to manipulate user account information within the SISMTHESIS domain.</p>
<p>Figure 46. SISDC Active Directory Users and Computers</p>
<p>Additionally, the Authorization Manager Management Console (AzMan) was used to manipulate the roles, operations, and tasks authorized for each user. 
AzMan, shown in Figure 47, is invoked as depicted in Figure 48.</p>
<p>Figure 47. SISDC AzMan Console</p>
<p>Figure 48. Starting The AzMan Console</p>
<p>9.3 The InformationAccess Application</p>
<p>Entrance into the InformationAccess web-based application is achieved only by logging in with authenticated user credentials, and the user attempting to gain access must be a member of the SiteAdministrator role. The login page for InformationAccess is depicted in Figure 49.</p>
<p>Figure 49. InformationAccess Login Page</p>
<p>SiteAdministrator users can log in to InformationAccess and see the default page shown in Figure 50. Only users assigned to the SiteAdministrator role are able to access the Manage Users, Manage RBAC, RBAC Violations, and Monitor Systems resources identified in the navigation sidebar.</p>
<p>Figure 50. InformationAccess Default Page</p>
<p>A user attempting to log in to InformationAccess who is not a member of the SiteAdministrator role will immediately be logged out and have the session terminated. Additionally, an RBAC Policy Violation entry will be generated and stored in the Event Log, as explained in Section 9.4.</p>
<p>9.3.1 The InformationAccess SiteAdministrator Role</p>
<p>SiteAdministrator role membership is required to access the Manage Users, Manage RBAC, RBAC Violations, and Monitor Systems resources within InformationAccess. The following sections identify InformationAccess' remote management capabilities.</p>
<p>9.3.1.1 Manage Users Capability</p>
<p>The Manage Users capability, shown in Figure 51, includes functionality to create users (Figure 52), delete users (Figure 53), and query for user account details (Figure 54).</p>
<p>Figure 51. InformationAccess Manage Users</p>
<p>Figure 52. InformationAccess Create User</p>
<p>Figure 53. InformationAccess Delete User</p>
<p>Figure 54. 
InformationAccess User Account Details Query Result</p>
<p>9.3.1.2 Manage RBAC Capability</p>
<p>The Manage RBAC capability, shown in Figure 55, provides users within the SiteAdministrator role the functionality to create roles (Figure 56), delete roles (Figure 57), add users to roles (Figure 58), query for users in roles (Figure 59), query for all the roles defined within the system (Figure 60), get all the roles for a particular user (Figure 61), determine if a user is in a particular role (Figure 62), and remove a user from a particular role (Figure 63).</p>
<p>Figure 55. InformationAccess Manage RBAC</p>
<p>Figure 56. InformationAccess Create Role</p>
<p>Figure 57. InformationAccess Delete Role</p>
<p>Figure 58. InformationAccess Add User To Role</p>
<p>Figure 59. InformationAccess Get Users In Role</p>
<p>Figure 60. InformationAccess Get All Roles</p>
<p>Figure 61. InformationAccess Get Roles For User</p>
<p>Figure 62. InformationAccess Is User In Role</p>
<p>Figure 63. InformationAccess Remove User From Role</p>
<p>9.3.1.3 Monitor Systems Capability</p>
<p>The Monitor Systems capability, available to users in the SiteAdministrator role, evaluates WMI Win32 Class attribute values against a SIS-M implemented rule set to determine a status. The resulting status of the attribute analysis is displayed in the InformationAccess web-based application user interface, Figure 64.</p>
<p>Figure 64. InformationAccess Monitor Systems</p>
<p>9.3.1.4 Obtain Client-side Certificate</p>
<p>The SIS-M prototype's automated remote client-side certificate distribution is accomplished by utilizing Windows 2003 Server components and Certificate Services. The CertSrv web-based application has configuration attributes available in the IIS Management Console. 
The SIS-M prototype requires a valid user account in the SISMTHESIS domain prior to requesting a client-side certificate from the server named Secure. The Enter Network Password dialog box is depicted in Figure 65.</p>
<p>Figure 65. CertSrv Password Protection</p>
<p>The Certificate Services Welcome page, shown in Figure 66, is presented to the authenticated user requesting a client-side certificate.</p>
<p>Figure 66. Certificate Services Welcome Page</p>
<p>The authenticated user selects the Request a certificate link, and Figure 67 is displayed.</p>
<p>Figure 67. Certificate Services Request A Certificate Page</p>
<p>The authenticated user selects the User Certificate link, and Figure 68 is displayed. No additional identifying information is required because the user is already authenticated within the SISMTHESIS domain.</p>
<p>Figure 68. Certificate Services User Certificate Request Submission</p>
<p>Selecting the submission button results in a client-side certificate being issued to the user, as shown in Figure 69.</p>
<p>Figure 69. Certificate Services Issued Certificate</p>
<p>Selecting the Install this certificate link results in a successful installation dialog box, as shown in Figure 70. The user now has all the appropriate information to access the InformationSharing web-based application. However, the current browser session must be restarted before attempting to reconnect to InformationSharing, and an InformationAccess user with SiteAdministrator permissions must allocate the new user to the appropriate roles.</p>
<p>Figure 70. Certificate Services Successful Certificate Installation</p>
<p>9.4 RBAC Policy Violation Archive</p>
<p>The RBAC Policy Violation Archive supports the RBAC Management capability within InformationAccess by providing users in the SiteAdministrator role the ability to view attempted accesses by unauthorized users. 
Only users belonging to the SiteAdministrator role are able to log in to InformationAccess. All other users attempting to log in to InformationAccess create an RBAC Policy Violation Log entry, and the session is immediately terminated. InformationSharing logs all user attempts to access or upload information without appropriate permissions. The RBAC Policy Violation Archive is depicted in Figure 71.</p>
<p>Figure 71. RBAC Policy Violation Log</p>
<p>9.5 The InformationSharing Application</p>
<p>Accessing the InformationSharing resource and the resources within the web-based application is accomplished in three steps:</p>
<p>1) Creating an account through InformationAccess.</p>
<p>2) Obtaining and installing a Client-side certificate from Certificate Services at the URI https://Secure/CertSrv.</p>
<p>3) Requesting and receiving membership enrollment by an InformationAccess SiteAdministrator.</p>
<p>InformationSharing returns an error page, shown in Figure 72, if the client attempting to gain access does not have a Client-side certificate installed.</p>
<p>Figure 72. InformationSharing Client-side Certificate Error</p>
<p>The user must authenticate against the SISMTHESIS domain by using InformationSharing's login page, Figure 73.</p>
<p>Figure 73. InformationSharing Login Page</p>
<p>An authenticated user is presented with InformationSharing's default page, Figure 74, to request access to information contained within Authorization Manager's defined roles. Note that not all roles available in Authorization Manager are presented to the user. By design, the SiteAdministrator role and the ReadOnly roles are not depicted. Any user in a ReadOnly role must still request access to the information by using the role (Executive, Manager, etc.) displayed in the selection list.</p>
<p>Figure 74. 
InformationSharing Default Page</p>
<p>Each of the roles displayed in the selection list maps to a storage location for information available in that role only. Therefore, a user must be a member of more than one role to obtain access to more than one storage location. After the user selects a role, the information available in that role's storage area is presented to the user, Figure 75.</p>
<p>Figure 75. InformationSharing Access Secure Information Page</p>
<p>An RBAC Policy Violation Error Page is presented to the user if they are not a member of the selected role, as depicted in Figure 76.</p>
<p>Figure 76. InformationSharing RBAC Policy Violation</p>
<p>A user who obtained access to a selected storage location based upon role selection may download files by selecting the Download File button. Additionally, a user with appropriate permissions can upload files into the storage location by selecting the File Upload button, shown in Figure 77 and Figure 78.</p>
<p>Figure 77. InformationSharing File Upload Page</p>
<p>Figure 78. InformationSharing File Upload Browser</p>
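<p>The Monitor Systems capability of Section 9.3.1.3 reads WMI Win32 Class attributes from each server and evaluates them against a rule set to produce a status. The following C# is an added illustration of that pattern, not code from the SIS-M prototype; the Win32 classes, attributes and thresholds it uses are assumptions, since the thesis does not list its rule set, and it uses C# 3 syntax rather than the .NET 2.0 toolchain of the prototype.</p>

```csharp
// Added example, not the thesis's own code: WMI Win32 attribute values read from each
// SIS-M server are evaluated against a rule set to yield a status, in the manner of the
// Monitor Systems capability. Classes, attributes and thresholds are assumptions.
using System;
using System.Collections.Generic;
using System.Management;

public enum HealthStatus { Green, Yellow, Red }

// One rule: the Win32 class to query, a number derived from each instance, and thresholds.
public sealed class HealthRule
{
    public string Label, WmiClass;
    public string Condition;                      // WQL WHERE clause, or null
    public Func<ManagementObject, double> Metric;
    public double YellowAt, RedAt;                // RedAt is tested first
}

public static class SystemMonitor
{
    // Kept separate from WMI retrieval so the rule set can be checked against known values.
    public static HealthStatus Evaluate(HealthRule rule, double metric)
    {
        if (metric >= rule.RedAt) return HealthStatus.Red;
        if (metric >= rule.YellowAt) return HealthStatus.Yellow;
        return HealthStatus.Green;
    }

    // Connects to \\server\root\cimv2 over DCOM as the calling identity and returns one
    // status per matching WMI instance, keyed "server:label:instance name".
    public static Dictionary<string, HealthStatus> Check(string server, IEnumerable<HealthRule> rules)
    {
        var options = new ConnectionOptions { Impersonation = ImpersonationLevel.Impersonate,
                                              Authentication = AuthenticationLevel.PacketPrivacy };
        var scope = new ManagementScope(@"\\" + server + @"\root\cimv2", options);
        scope.Connect();
        var results = new Dictionary<string, HealthStatus>();
        foreach (HealthRule rule in rules)
        {
            string wql = "SELECT * FROM " + rule.WmiClass +
                         (rule.Condition == null ? "" : " WHERE " + rule.Condition);
            using (var searcher = new ManagementObjectSearcher(scope, new ObjectQuery(wql)))
                foreach (ManagementObject mo in searcher.Get())
                    results[server + ":" + rule.Label + ":" + mo["Name"]] = Evaluate(rule, rule.Metric(mo));
        }
        return results;
    }

    // Assumed rule set: fixed-disk usage, processor load, and whether the IIS service is running.
    public static List<HealthRule> DefaultRules()
    {
        return new List<HealthRule> {
            new HealthRule { Label = "DiskUsedPct", WmiClass = "Win32_LogicalDisk", Condition = "DriveType = 3",
                Metric = mo => 100.0 * (1.0 - Convert.ToDouble(mo["FreeSpace"]) / Convert.ToDouble(mo["Size"])),
                YellowAt = 80, RedAt = 95 },
            new HealthRule { Label = "CpuLoadPct", WmiClass = "Win32_Processor",
                Metric = mo => Convert.ToDouble(mo["LoadPercentage"]), YellowAt = 75, RedAt = 90 },
            new HealthRule { Label = "W3SVC", WmiClass = "Win32_Service", Condition = "Name = 'W3SVC'",
                Metric = mo => (string)mo["State"] == "Running" ? 0.0 : 1.0, YellowAt = 1, RedAt = 1 } };
    }

    public static void Main()
    {
        foreach (string server in new[] { "SISDC", "Secure", "Manager" })
            foreach (KeyValuePair<string, HealthStatus> kv in Check(server, DefaultRules()))
                Console.WriteLine("{0} = {1}", kv.Key, kv.Value);
    }
}
```

<p>The calling identity must hold remote WMI and DCOM permissions on each server; PacketPrivacy keeps the attribute values signed and encrypted on the wire between Manager and the monitored hosts.</p>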
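<p>Sections 9.3 and 9.4 describe the SiteAdministrator gate: a non-member who logs in is immediately logged out and an RBAC Policy Violation entry is written to the Event Log, and Section 5.4 notes that AzMan can only resolve users given in UPN form. The following Global.asax handler is an added illustration of that policy enforcement point using the ASP.Net 2.0 Roles class; it is not the prototype's own code, and the event source name, event id, and the assumption that roleManager is enabled in web.config with the AuthorizationStoreRoleProvider are assumptions.</p>

```csharp
// Added example, not the thesis's own code: the SiteAdministrator gate and RBAC Policy
// Violation logging as a Global.asax handler over the ASP.Net 2.0 Roles class, which is
// backed by the AuthorizationStoreRoleProvider. Event source and event id are assumed.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    const string RequiredRole     = "SiteAdministrator";
    const string EventSource      = "SIS-M RBAC";   // assumed; registered once by an administrator
    const int    ViolationEventId = 4001;           // assumed

    // PostAuthorizeRequest runs after Forms Authentication has set Context.User and the
    // RoleManagerModule has attached the AzMan-backed roles to that principal.
    protected void Application_PostAuthorizeRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        if (!request.IsAuthenticated) return;    // anonymous requests are handled by the login page

        string user = Context.User.Identity.Name;
        if (IsAuthorized(user)) return;

        // Not a SiteAdministrator: record the violation, discard the authentication
        // ticket and send the browser back to the login page.
        LogViolation(user, request.UserHostAddress, request.RawUrl);
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }

    // AzMan resolves users by UPN (Section 5.4); a name that is not a UPN cannot match
    // the role, so it is refused here instead of being handed to the provider.
    public static bool IsAuthorized(string user)
    {
        return LooksLikeUpn(user) && Roles.IsUserInRole(user, RequiredRole);
    }

    // Accepts exactly one '@' with a non-empty name and domain, the <username>@domain.com shape.
    public static bool LooksLikeUpn(string name)
    {
        if (String.IsNullOrEmpty(name)) return false;
        int at = name.IndexOf('@');
        return at > 0 && at < name.Length - 1 && name.IndexOf('@', at + 1) < 0;
    }

    static void LogViolation(string user, string client, string url)
    {
        string message = String.Format(
            "RBAC policy violation: '{0}' from {1} requested {2} without the {3} role.",
            user, client, url, RequiredRole);
        // Writes to the Application log; the source must already exist because creating
        // it requires administrative rights the web application should not hold.
        EventLog.WriteEntry(EventSource, message, EventLogEntryType.Warning, ViolationEventId);
    }
}
```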
