Thor's Microsoft Security Bible (Chapter 2): Security in Depth, Leveraging EFS, EFS and the Service User, Setting up EFS on the Share

Thor's Microsoft Security Bible

Chapter 2: Internet Information Server (IIS) Authentication and Authorization Models, and Locking Down File Access with EFS and WebDAV

SECURITY IN DEPTH


We should look at another postulate of IT security: security in depth. In its simplest form, security in depth is simply a serialized approach to building defenses so that if one particular defense fails, another mechanism is there to impede the progress of an attacker. Bank security controls are a good example of security in depth. There are locked doors, cameras, and guards. The guards are armed. There is a safe on a timer and limited access to its contents. The tellers have limited cash on hand and ink bombs. And of course the tellers are armed with utterly crappy attitudes, which should make thieves not even want to bother in the first place.


There is another fundamental aspect of bank security: it never costs more than the value of the safe's contents. If it does, then someone is not doing their job.

In that respect, our jobs are the same. Before we set out to secure something, we need to have insight into the value of what we are securing. The data must be quantified before controls can be qualified. Security professionals who not only command technology but who can also embrace the total cost of ownership of their systems and procedures are very valuable assets to a company. As such, utilizing existing technologies and features is a key to your success, and that is what I like to talk about in this book.

Leveraging EFS


This now seems like a perfect time to introduce EFS into our model. The configurations can become complex at this point, so it is critical to understand the ramifications of each particular feature configuration. As we did with our first milestone, we will continue to take iterative steps toward our final goal: not only will we continue to support secure remote access to files over HTTP, but we will roll out a feature that will allow our users to have full read and write access to their files right in Windows Explorer from anywhere they want, all over HTTP, and all in a secure manner. I believe you will find it to be quite cool.

We left Greg and Steve with the ability to access their internal files externally should they need a secure mechanism to retrieve files. It is hardly a dazzling feature, but at least we have started the application off the right way. We are again in a situation where configuring a real-world implementation that does not require a tremendous amount of administration has introduced some concerns. Greg and Steve obviously need read-write access to their shares, so we gave the gShared group read-write access. Not only did this give them both access to each other's files (which is quite common in businesses), but since the MyWebApp user is part of that group, it also has read-write access.


This presents us with an interesting decision to make regarding administration. It is far easier to have a users directory that we set group permissions on, but that does not conform to least privilege standards. There really is not a right or wrong way, just a way that gives you the most benefit at the least cost. Even if we carved out each user's permissions per directory and limited the MyWebApp user to read only, that user would still have read rights to all the files by operational requirement. One might think that you can drill down to the MyWebApp user and limit its rights to list folder contents only, but that gets tricky quickly. The application pool needs full read access to any directory with a web.config file, and if it ever hits a web.config that it cannot read, or any other file whose contents it actually has to read, your app will immediately throw a server error exception. That being said, you can manually set the rights to list folder contents only for the user on directories that only need the files listed, which is the case for directory browsing. In production, though, you will most likely have to live with read permissions.
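The "list folder contents only" carving described above, as an added PowerShell example that is not the book's own code. In NTFS terms, what the permissions dialog calls "List folder contents" is Read & Execute applied to "this folder and subfolders" only, i.e. an ACE with container-inherit but not object-inherit, so it never lands on files. The script keeps real read access on the application root (where web.config lives), gives the pool identity list-only rights on the users tree, and then checks that no ACE for that identity can reach a file. Every name and path is an assumption: MyWebApp as a local account used as the application pool identity, C:\inetpub\MyWebApp as the application root, D:\Users as the users tree, and greg and steve as local accounts.

```powershell
# Added example, not the book's code. Assumptions: MyWebApp is the application pool
# identity, C:\inetpub\MyWebApp holds the application (and its web.config), D:\Users
# holds the per-user directories, and greg / steve are local accounts.
$AppRoot   = 'C:\inetpub\MyWebApp'
$UsersRoot = 'D:\Users'
$Pool      = 'MyWebApp'
$Users     = 'greg', 'steve'

# 1. Real read access where web.config lives. Without it IIS fails the request
#    with a server error before the application code ever runs.
icacls $AppRoot /grant "${Pool}:(OI)(CI)RX" | Out-Null

# 2. Users tree: drop inherited ACEs, then grant the pool identity Read & Execute
#    with container-inherit only ((CI) without (OI)). That is what the GUI calls
#    "List folder contents": enough to enumerate directories for directory
#    browsing, but nothing is ever inherited by the files themselves.
icacls $UsersRoot /inheritance:r | Out-Null
icacls $UsersRoot /grant "Administrators:(OI)(CI)F" "${Pool}:(CI)RX" | Out-Null

# 3. Per-user directories: each owner gets Modify on everything below; the (CI)RX
#    entry for MyWebApp and the Administrators entry arrive by inheritance.
foreach ($u in $Users) {
    $dir = Join-Path $UsersRoot $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /grant "${u}:(OI)(CI)M" | Out-Null
}

function Get-PoolFileAces {
    # Returns every ACE on $Path for $Identity that carries ObjectInherit and
    # would therefore flow onto files. An empty result means the identity can
    # list that directory but has no inherited right on the files in it.
    param([string]$Path, [string]$Identity)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Identity" -and
        ($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    }
}

# Application root: one file-reaching ACE is expected, web.config must stay readable.
Get-PoolFileAces -Path $AppRoot -Identity $Pool
# Users tree and each user directory: no file-reaching ACE for the pool identity.
Get-PoolFileAces -Path $UsersRoot -Identity $Pool
foreach ($u in $Users) { Get-PoolFileAces -Path (Join-Path $UsersRoot $u) -Identity $Pool }
```

Run it from an elevated PowerShell on the web server. The last three calls are the check a reviewer wants after any ACL change: an ACE for the pool identity with ObjectInherit set anywhere under the users tree means the list-only intent has been lost and the identity can read file contents again, which is exactly the situation the next section is about.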


EFS and the Service User


This becomes a real-world threat when an error in a web application or some other vulnerability allows an attacker to execute functions in the context of the web application. If an attacker found such a security hole, he would be able to read whatever files the MyWebApp user had access to. This is why it is important to properly configure the permissions of service users: the scope should be limited to explicit assignment of permissions. Regardless, the users directory would be open for read access, and that could be dangerous. So we are going to explore another route.


If we leverage EFS properly, we can enforce transparent encryption of all user files per user. When this is done, no matter who has access permissions to the files themselves, they will never be able to view their contents unless they have the private key of the EFS certificate, which the MyWebApp user will not be able to get. The application of this goes far beyond simple web access to files; it can be deployed in any number of environments. As it relates to our example, the application pool will be able to fully perform its required function, but all encrypted files will be completely secured from it. The added benefit is a direct administration benefit: we can leave the top-level users directory permissions set to read-write at the gShared group level but still protect all user files from information disclosure to the MyWebApp user as well as to all other users, and that is sweet.
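The per-user transparent encryption described above, as an added PowerShell example that is not from the book. It marks one user's directory encrypted, drops a constructed sample file into it, and then shows the two checks a practitioner wants: that the file actually carries the Encrypted attribute, and that an account with NTFS read permission but no usable private key (the pool identity) is refused at read time. The directory path D:\Users\greg and the account names are assumptions; the script must be run in Greg's own logon session, because cipher.exe encrypts with the EFS certificate of the account running it.

```powershell
# Added example, not the book's code. Assumptions: Greg's directory is D:\Users\greg,
# this is run interactively as Greg (cipher uses the EFS certificate of the account
# running it), and MyWebApp is the application pool identity from the chapter.
$GregDir = 'D:\Users\greg'

# Mark Greg's directory tree encrypted. Every file created or copied into it from now
# on is transparently encrypted with Greg's EFS certificate; /a converts the files
# that already exist as well, not just the directories.
cipher /e /a "/s:$GregDir" | Out-Null

function Get-EfsState {
    # True when the Encrypted attribute is set on the file or directory.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

function Test-ReadableByCaller {
    # Attempt a real read as whoever runs this. NTFS may grant Read to MyWebApp,
    # but without a private key that can unwrap the file's key the EFS driver
    # answers with access denied, which surfaces as UnauthorizedAccessException.
    param([string]$Path)
    try {
        [void][System.IO.File]::ReadAllBytes($Path)
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

# Constructed sample file; its content is irrelevant, only its location matters.
$probe = Join-Path $GregDir 'quarterly.txt'
'constructed sample content' | Set-Content -LiteralPath $probe

Get-EfsState $probe            # the new file inherits encryption from the folder
cipher /c $probe               # lists who can decrypt: Greg's certificate, plus any Data Recovery Agent
Test-ReadableByCaller $probe   # succeeds for Greg; fails for MyWebApp even with NTFS Read
```

To exercise the negative case, save the two functions and the final call in a script and start it under the pool identity, for example with runas /user:MyWebApp (the script name and the fact that you know that account's password are assumptions). The cipher /c output deserves a look in its own right: if a Data Recovery Agent certificate is listed, whoever holds that private key can read every user's files, so that key needs the same care as the domain's other crown jewels.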


Setting up EFS on the Share


When deploying EFS strategies, one of the first things I have found helpful to understand is exactly where data gets encrypted. By that I mean which physical asset is applying the cipher algorithm during the encryption process. It may be a bit counterintuitive, but when files are encrypted with EFS, both locally and within file shares, they are encrypted by the target system. If you encrypt a file on a local hard drive, your system is the target system, so it performs the encryption. However, if you encrypt a file on a share or, more appropriately, if you create a file or copy a file into an encrypted folder on a share, then the file is actually encrypted and decrypted by the remote server. It may seem odd that with something so personal as user-based encryption the target server does the encryption for shares, but that is the way it works. When I say personal, I mean a process where a particular user's EFS certificate must be used to encrypt and decrypt data, but where that processing happens on a machine other than the one the user is logged into. Again, this specifically applies to remote Server Message Block (SMB) shares, and with that come some design and security considerations.
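Two checks that follow directly from the server doing the EFS work, as an added PowerShell example that is not from the book. Because the file server must use the user's key on the user's behalf, Microsoft's documented prerequisite for EFS on a remote SMB share is that the server's computer account is trusted for delegation and the user account is not marked "sensitive and cannot be delegated"; and because the server decrypts before the bytes leave it, the plaintext crosses the network unless the share itself is encrypted at the SMB layer. The server name FILESRV01, the share Users, the account greg, the file name, and the presence of the RSAT ActiveDirectory module on the machine running this are all assumptions; the SMB share encryption query needs SMB 3.0 (Windows Server 2012 or later) on the file server.

```powershell
# Added example, not the book's code. Assumptions: the file server is FILESRV01, the
# share is \\FILESRV01\Users, Greg's account is greg, the RSAT ActiveDirectory module
# is installed here, and the caller can read AD and run remote commands on the server.
Import-Module ActiveDirectory

$Server = 'FILESRV01'
$User   = 'greg'

# 1. The server performs the EFS work, so it must be allowed to act with Greg's
#    key on his behalf: the computer account must be trusted for delegation ...
$srv = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
# ... and Greg's account must not be flagged "sensitive and cannot be delegated".
$usr = Get-ADUser -Identity $User -Properties AccountNotDelegated

[pscustomobject]@{
    Server               = $Server
    TrustedForDelegation = [bool]$srv.TrustedForDelegation
    User                 = $User
    AccountNotDelegated  = [bool]$usr.AccountNotDelegated
    RemoteEfsPossible    = ([bool]$srv.TrustedForDelegation -and -not [bool]$usr.AccountNotDelegated)
}

# 2. For a file already sitting in the share, cipher /c shows which certificate
#    (and therefore whose profile on the server) is able to decrypt it.
cipher /c "\\$Server\Users\$User\quarterly.txt"

# 3. Decryption happens on the server, so the data travels in the clear unless the
#    share is SMB-encrypted. EncryptData is the per-share switch (SMB 3.0 and later).
Invoke-Command -ComputerName $Server -ScriptBlock {
    Get-SmbShare -Name Users | Select-Object Name, EncryptData
}
```

The first object is the go/no-go for remote EFS: if TrustedForDelegation is false, a user encrypting on the share gets an error rather than an encrypted file. Treat the delegation setting itself as a security decision, since a server trusted for delegation can impersonate any user who connects to it, which is precisely the capability EFS on a share relies on.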

 

 

 

 
