Narrowing the scope of "all trustees" for the access token test


Narrowing the scope of "all trustees" for the access token test

KenSimone

The documentation for the “audited permission” and “effective rights” probes has the following verbiage:

“If a pattern match operation is used that attempts to identify all the trustees (for example a .* pattern) then the search should be limited to just the trustees on the DACL/SACL of the object in question.”

I think we can make the same sort of optimization for the access token test.

“If a pattern match operation attempts to identify all the trustees (for example a .* pattern) then the search should be limited to just the trustees referenced in the Local Security Authority database.”

This has the effect of narrowing the list of trustees to anyone who’s been explicitly assigned a right.

You can get this list of trustees via the “LsaEnumerateAccountsWithUserRight” Windows API, passing NULL as the “UserRights” parameter.

We might also want to change the text on all of these to simply state “If an operation other than ‘equals’ is used”.

Thoughts?

Thanks,

Ken

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Re: Narrowing the scope of "all trustees" for the access token test

KenSimone

I just thought I’d bump this. This is a fairly big optimization for us in environments with a large number of users. Again, the optimization is to define the set of “all trustees” for the access_token probe as trustees that have been assigned rights. This is similar to the optimization that was made for the effective rights probes, where the set of “all trustees” is defined as all trustees referenced in the acl/dacl of the object being probed.

You can get this set of trustees with the “LsaEnumerateAccountsWithUserRight” Windows API, passing NULL as the “UserRights” parameter.

Thanks,

Ken

 

From: [hidden email] [mailto:[hidden email]]
Sent: Thursday, June 18, 2009 2:49 PM
To: [hidden email]
Subject: [OVAL-DEVELOPER-LIST] Narrowing the scope of "all trustees" for the access token test

 


Re: Narrowing the scope of "all trustees" for the access token test

KenSimone

Sorry for the double bump. Just to clarify, my goal is to get this added to the oval specification / documentation.

 

From: [hidden email] [mailto:[hidden email]]
Sent: Friday, June 26, 2009 10:21 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Narrowing the scope of "all trustees" for the access token test

 


Re: Narrowing the scope of "all trustees" for the access token test

Jon Baker
Administrator

Ken,

We appreciate the bump and will look into this a bit more this week. On the surface I really like the proposal. It would bring consistency to the tests that support trustee information gathering that is currently lacking. I think it would also simplify most implementations and could result in better oval content too.

Thanks,

Jon

============================================

Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

 

From: [hidden email] [mailto:[hidden email]]
Sent: Friday, June 26, 2009 2:25 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Narrowing the scope of "all trustees" for the access token test

 


Re: Narrowing the scope of "all trustees" for the access token test

Andrew Buttner
Administrator
In reply to this post by KenSimone
I'm not sure the same narrowing of scope can be taken with the access token test, since the access token test is a test on the security principal itself and the rights that it has been granted.  There is no DACL/SACL involved here, right?

I don't see how we can limit this object.  We could limit to only local security principals, but that doesn't seem like it would be very useful in a domain environment.

Any additional thoughts here?

Thanks
Drew




Re: Narrowing the scope of "all trustees" for the access token test

KenSimone
I think there's some confusion based on some text I copied and pasted from MSDN. I'll try to restate this more clearly.

The access_token test gets rights for a given trustee. It's possible to get the set of all trustees that have rights assigned. This set includes both local and domain trustees. This is the set I'm suggesting we use for operations other than "equals". What's not in the set are trustees that, if explicitly tested, would not have any rights assigned.

In my mind, this is basically the same thing as the acl/dacl optimization, where we exclude trustees who don't have any explicit permissions assigned to the object being tested.

Ken

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Monday, June 29, 2009 9:40 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Narrowing the scope of "all trustees" for the access token test

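A worked version of the narrowing rule Ken restates above (and first proposed in the opening message), added here as an illustration; it is not code from the OVAL project or from anyone on the thread. It assumes a simplified object model (a trustee entity value plus an operation; hypothetical, not the OVAL schema), a constructed sample of LSA-referenced trustees so that the resolution logic runs offline, and a ctypes binding to advapi32 whose structure layouts are written from the documented LSA API rather than taken from the page. One detail worth knowing when reading MSDN: the parameter the thread calls “UserRights” is documented as UserRight, and passing NULL for it is what makes the call return every account that holds any right or privilege.

```python
"""Trustee-set narrowing for an OVAL access_token object, as proposed in the thread.

Model assumed here (hypothetical, not the OVAL schema itself): an object names a
trustee by an entity value plus an operation.  "equals" tests the one named
trustee directly; "pattern match" only considers trustees the LSA database already
references, i.e. what LsaEnumerateAccountsWithUserRight returns for a NULL UserRight.
"""
import re
import sys
from typing import Callable, List, Set

# Constructed sample of an LSA enumeration result (local and domain accounts that
# have at least one right or privilege assigned); not captured from a real host.
SAMPLE_LSA_ACCOUNTS: Set[str] = {
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\SERVICE",
    "EXAMPLE\\svc-backup",
    "EXAMPLE\\auditors",
}


def sample_enumerator() -> Set[str]:
    """Offline stand-in for the LSA call; returns the constructed sample above."""
    return set(SAMPLE_LSA_ACCOUNTS)


def resolve_trustees(entity: str, operation: str,
                     enumerate_lsa: Callable[[], Set[str]] = sample_enumerator) -> List[str]:
    """Return the trustees an access_token object selects, in sorted order.

    equals:        exactly the named trustee, whether or not the LSA database references
                   it (an unreferenced account is still a valid object; it just has no rights).
    pattern match: only LSA-referenced trustees are candidates, so ".*" never has to walk
                   every account in the domain.
    """
    if operation == "equals":
        return [entity]
    if operation == "pattern match":
        regex = re.compile(entity, re.IGNORECASE)  # Windows account names are case-insensitive
        return sorted(name for name in enumerate_lsa() if regex.fullmatch(name))
    raise ValueError(f"unsupported operation: {operation}")


def lsa_enumerator() -> Set[str]:
    """Live enumeration through advapi32 via ctypes (Windows only; layout assumed here)."""
    if sys.platform != "win32":
        raise OSError("LSA enumeration needs Windows; use sample_enumerator() elsewhere")
    import ctypes
    from ctypes import wintypes

    class LSA_OBJECT_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Length", wintypes.ULONG), ("RootDirectory", wintypes.HANDLE),
                    ("ObjectName", ctypes.c_void_p), ("Attributes", wintypes.ULONG),
                    ("SecurityDescriptor", ctypes.c_void_p), ("SecurityQualityOfService", ctypes.c_void_p)]

    class LSA_ENUMERATION_INFORMATION(ctypes.Structure):
        _fields_ = [("Sid", ctypes.c_void_p)]

    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    POLICY_VIEW_LOCAL_INFORMATION, POLICY_LOOKUP_NAMES = 0x1, 0x800
    STATUS_NO_MORE_ENTRIES = 0x8000001A

    def sid_to_name(sid: ctypes.c_void_p) -> str:
        name, dom = ctypes.create_unicode_buffer(256), ctypes.create_unicode_buffer(256)
        n, d, use = wintypes.DWORD(256), wintypes.DWORD(256), wintypes.DWORD()
        if not adv.LookupAccountSidW(None, sid, name, ctypes.byref(n), dom, ctypes.byref(d), ctypes.byref(use)):
            raise ctypes.WinError(ctypes.get_last_error())
        return f"{dom.value}\\{name.value}" if dom.value else name.value

    policy, attrs = ctypes.c_void_p(), LSA_OBJECT_ATTRIBUTES()
    attrs.Length = ctypes.sizeof(attrs)
    status = adv.LsaOpenPolicy(None, ctypes.byref(attrs), POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES,
                               ctypes.byref(policy)) & 0xFFFFFFFF
    if status:
        raise ctypes.WinError(adv.LsaNtStatusToWinError(status))
    trustees: Set[str] = set()
    try:
        buf, count = ctypes.c_void_p(), wintypes.ULONG()
        # UserRight = NULL: every account with any right or privilege assigned
        status = adv.LsaEnumerateAccountsWithUserRight(policy, None, ctypes.byref(buf),
                                                       ctypes.byref(count)) & 0xFFFFFFFF
        if status == STATUS_NO_MORE_ENTRIES:  # nothing assigned at all
            return trustees
        if status:
            raise ctypes.WinError(adv.LsaNtStatusToWinError(status))
        entries = ctypes.cast(buf, ctypes.POINTER(LSA_ENUMERATION_INFORMATION))
        for i in range(count.value):
            trustees.add(sid_to_name(ctypes.c_void_p(entries[i].Sid)))
        adv.LsaFreeMemory(buf)
    finally:
        adv.LsaClose(policy)
    return trustees


if __name__ == "__main__":
    for trustee in resolve_trustees(r".*", "pattern match"):
        print(trustee)
```

Run on a domain-joined host with `enumerate_lsa=lsa_enumerator`, the pattern branch returns both local and domain accounts that hold any right or privilege, which is the point Ken makes against a local-only reading. The "equals" branch deliberately does not consult the enumeration, so an explicitly named account with no rights still resolves to an item with an empty rights set rather than to no item at all. Collecting the rights for each resolved trustee is a separate step, done per SID with LsaEnumerateAccountRights, and is not shown here.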

Re: Narrowing the scope of "all trustees" for the access token test

Andrew Buttner
Administrator
I now understand what you are saying here related to the access_token test.  I agree that limiting operations other than "equals" to just those security principals found in the Local Security Authority database would bring this test in line with the effective rights and audit permission tests.

We are now looking at the other part of this proposal (deprecating the resolve group behavior) and should get out some remarks shortly.

Thanks
Drew


>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>Sent: Monday, June 29, 2009 11:15 AM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] Narrowing the scope of "all trustees"
>for the access token test