Permissions and Log Analysis

Permissions are absolutely essential when it comes to the security of any network (and of any single computer, for that matter). Here we'll focus on the realm of server-based networks. Permissions come in many flavors; let's name a few:

  • File permissions (generally that's what IT folks mean when they use the word "permission").
  • Internet permissions: essentially a matter of firewalls, discussed in this article.
  • Content permissions: this pertains to Intranet, Extranet, Groupware and Website content; content permissions define levels of access to the content, such as rights for content creation, modification and deletion.
  • System permissions: this revolves around user permissions to modify parameters of the operating system and applications.

The beauty of server-based networks lies in their streamlined handling of organizational tasks and centralized control over user permissions. It is very convenient to assign the necessary level of access to any worker depending on his role within the organization. If we have an accountant, we should grant him full-access rights to the financial data on the server and perhaps restrict his ability to modify any graphics files or IT documentation. Conversely, a graphic designer probably shouldn't have any access to the firm's sensitive information: legal documents, payroll, etc. Typically it makes sense to define certain Groups of employees and assign specific rights to those Groups based on their role in the organization. This is a one-time task, which makes it very convenient to add or remove people without having to customize this level of access each time.

File permissions are the easiest to understand. Basically we have a number of drawers with unique keys, and each employee carries his own combination of keys. The more interesting action around permissions unfolds in the lands of Groupware and Web content (a company Website or Extranet/Intranet).

For the first example, let's consider a law firm. We might need a paralegal to read all correspondence of a lawyer and perhaps even have the right to send mail on his behalf. Within an Exchange server this task is made almost trivial. Just a few clicks in Outlook options and here we go: our paralegal can handle a variety of tasks from his chair without asking the lawyer to forward an email, running around to grab a printed copy, etc.

For the second example we'll pick the scenario of updating the web content of a firm's Extranet (a website that can be accessed only by employees, via the Internet, from anywhere in the world: client locations, airports, satellite offices, etc.). A couple of managers must have permission to publish new announcements and place new events onto a calendar; regular employees only need read permission. Everybody must be able to upload their files to the document library without the ability to accidentally delete other users' files. All of these tasks are easily achievable via a SharePoint site provided as part of Microsoft Small Business Server. GPL solutions such as eGroupware and Joomla-based components provide this functionality as well.

A natural question that arises is: what happens if someone tries to perform an action that is not permitted? That brings us to the topic of log files. Aside from simply denying a user an unwanted action, it is often very important to monitor such activity. Sometimes this helps organizations avert a serious crisis from a security breach, be it internal or external. For instance, an employee might try to gain unauthorized access to a restricted corporate data folder. Provided that an administrator has enabled the auditing service, such actions would be reflected in the log files. This can become vitally important to network protection and to the protection of the organization in general.
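The two ideas above, rights attached to Groups rather than to individual users and an audit trail of every denied attempt, can be put together in a few lines. The following is an added example, not code from the original article or from any of the products it names; the group names, folders and access requests are constructed for illustration, and a real server would record the audit entries in its own security log rather than in a Python list.

```python
"""Added example (not from the original article): group-based file permissions
with an audit trail of denied attempts. Group names, folder names and the
sample access requests are all constructed for illustration."""
from collections import Counter

# Rights granted per group per folder (constructed example policy).
# Rights are attached to groups only; users inherit them through membership.
GROUP_RIGHTS = {
    "accounting": {"/finance": {"read", "write"}, "/it-docs": {"read"}},
    "design":     {"/graphics": {"read", "write"}, "/it-docs": {"read"}},
    "legal":      {"/legal": {"read", "write"}, "/finance": {"read"}},
}

# Users are assigned to one or more groups (constructed sample roster).
USER_GROUPS = {
    "alice": {"accounting"},
    "bob":   {"design"},
    "carol": {"legal", "accounting"},
}


def effective_rights(user, folder):
    """Union of the rights of every group the user belongs to."""
    rights = set()
    for group in USER_GROUPS.get(user, set()):
        rights |= GROUP_RIGHTS.get(group, {}).get(folder, set())
    return rights


def check_access(user, folder, right, audit):
    """Return True if allowed; every decision is appended to the audit list,
    which plays the role of the auditing service's log."""
    allowed = right in effective_rights(user, folder)
    audit.append({"user": user, "folder": folder, "right": right,
                  "result": "ALLOW" if allowed else "DENY"})
    return allowed


def repeated_denials(audit, threshold=3):
    """Users with at least `threshold` denied attempts: the pattern an
    administrator reviewing the audit log would want surfaced."""
    counts = Counter(e["user"] for e in audit if e["result"] == "DENY")
    return {user: n for user, n in counts.items() if n >= threshold}


def run_sample():
    """Run a constructed batch of requests and return the decisions, the
    audit trail and the users flagged for repeated denials."""
    audit = []
    requests = [  # constructed sample of access requests
        ("alice", "/finance", "write"),
        ("bob", "/finance", "read"),
        ("bob", "/legal", "read"),
        ("bob", "/finance", "write"),
        ("carol", "/finance", "write"),
        ("bob", "/graphics", "write"),
    ]
    results = [check_access(u, f, r, audit) for u, f, r in requests]
    return results, audit, repeated_denials(audit)


if __name__ == "__main__":
    results, audit, flagged = run_sample()
    for entry in audit:
        print(entry)
    print("repeated denials:", flagged)
```

Carol receives write access to /finance through her accounting membership even though her legal membership grants only read; the union of group rights is what makes adding a person to a second Group a one-step change. Bob's three denied attempts on folders outside his role are exactly what the audit trail exists to reveal.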

Another common task for most website administrators is to analyze the log files of web-site access. Almost always they will find traces of hackers lurking around various services (access to an FTP site or an administration console). Malicious folks would be looking for vulnerable web scripts and security holes. Log files can be compared to surveillance security cameras: they are the eyes of the IT security personnel. Once an administrator discovers a source of danger, a corresponding action can be undertaken: introducing a new firewall rule banning an intruder; firing an employee who repeatedly violated company policy; tightening the permissions around a resource in need of additional protection.

The task of log analysis can become very difficult if done manually. Not only is it difficult to sort through the technical output, but the sheer amount of information can be impossible for a single human to digest. This leads to log-analysis software solutions such as Sawmill. Even for a computer it takes a long time to sort through millions of log-file lines and create a report highlighting information that might help us discover a security threat.
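As an added example of the kind of sorting a log-analysis tool performs (this is not code from the original article, nor from Sawmill), the script below reads web-server access-log lines in the Apache "combined" format, tallies per-client signals an administrator looks for (missing pages, denied requests, requests aimed at an administration console) and lists the clients that deserve a closer look and possibly a firewall rule. The log lines, addresses, paths and thresholds are constructed for illustration; the report is the decision aid, and any firewall change remains the administrator's call.

```python
"""Added example (not from the original article or from Sawmill): a small
access-log triage script. Log format is Apache "combined"; the lines, hosts
and thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Apache "combined" access-log line: client, identd, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one ordinary visitor and one host poking around,
# plus a malformed line because real logs are never perfectly clean.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /calendar HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /administrator/ HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /old/setup.php HTTP/1.1" 404 209
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "POST /admin/login HTTP/1.1" 403 150
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /docs/policy.pdf HTTP/1.1" 200 90210
garbage line that does not parse
"""

# Paths that belong to an administration console on this (hypothetical) site.
ADMIN_PATH_RE = re.compile(r"^/(admin|administrator|manager)(/|$)", re.I)


def parse_lines(text):
    """Yield a dict per well-formed line; silently skip lines that don't parse."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def summarize(entries):
    """Per-client counters: total requests, 404s, 401/403s and admin-console hits."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                 "denied": 0, "admin_paths": 0})
    for e in entries:
        s = stats[e["ip"]]
        s["requests"] += 1
        if e["status"] == 404:
            s["not_found"] += 1
        if e["status"] in (401, 403):
            s["denied"] += 1
        if ADMIN_PATH_RE.match(e["path"]):
            s["admin_paths"] += 1
    return dict(stats)


def suspicious_clients(stats, min_requests=3, not_found_ratio=0.5):
    """Clients worth review: mostly 404s (scanning for scripts that aren't
    there) or admin-console requests that were denied or missing."""
    flagged = []
    for ip, s in stats.items():
        if s["requests"] < min_requests:
            continue  # too little data to judge; avoid flagging one stray typo
        mostly_missing = s["not_found"] / s["requests"] >= not_found_ratio
        admin_probing = s["admin_paths"] and (s["denied"] or s["not_found"])
        if mostly_missing or admin_probing:
            flagged.append(ip)
    return sorted(flagged)


def report(text):
    """Parse, summarize and flag; returns (per-client stats, flagged clients)."""
    stats = summarize(parse_lines(text))
    return stats, suspicious_clients(stats)


if __name__ == "__main__":
    stats, flagged = report(SAMPLE_LOG)
    for ip in flagged:
        print(ip, stats[ip])
```

The thresholds are deliberately conservative: a single mistyped URL from a legitimate visitor never reaches the report, while a client whose requests are mostly for pages that do not exist, or that keeps knocking on the administration console, does. On a production log the same counters would be computed over millions of lines and the flagged list compared against known scanners before any firewall rule is written.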