Managing the Access Grid – A Process View to Minimize Insider Misuse Risks

While I recently worked in the area of identity management, I had not much time for blogging. Now, our work has been published during the Wi2013 conference, which has been held in Leipzig from 27th of February to the 1st of March 2013. While this is a scientific paper, I have not much to say in addition to the paper’s content.

Abstract:

It is generally agreed upon the fact that the quality of Identity- and Access Management (IAM) data such as user accounts, access privileges or consistent user representation among different security domains is low. Growing user populations in medium- and large-sized organizations lead to a so called “identity chaos” in which over-privileged employees increase the risk of insider misuse. Recent governance and compliance mandates have amplified the importance of minimizing these risks. In order to fulfill these requirements, organizations focus on implementing role-based user management. To set up a role-based access control system, they face the challenge of modeling suitable roles for their employees. In this paper we show how the role modeling process can be improved by utilizing the so called access grid, a visualization technique to incorporate human interaction into the process of role creation.

If you’re interested, you can find the paper on http://epub.uni-regensburg.de/27930/

Meier, Stefan und Fuchs, Ludwig und Pernul, Günther (2013) Managing the Access Grid – A Process View to Minimize Insider Misuse Risks. In: Proceedings of the 11th International Conference on Wirtschaftsinformatik (WI2013), 27.2.-1.3.13, Leipzig.

Require authentication for all Apple Wiki Server 3 sites

Since migrating to the new Apple OS X Lion Server, I also use the included Wiki Server 3 to store information and for collaboration reasons. Using the original configuration, some sites in the wiki can be accessed by everyone without authentication. This was annoying me now for a few weeks. Today, I created a new wiki for a project. And now I didn’t want to live with this fact any longer.

Even Google seemed to have no solution for my problem. So I started to look for the relevant files in the file system. The good news was, after searching in the ”/etc/apache2/” directory I found out, that all files relating to the wiki server are stored in  “/usr/share/collabd/coreclient/“. After an “ls -al” I realized, that I’m right in the middle of a Ruby on Rails application.

After opening the rails-app with TextMate and a short code review I found a before_filter called “:ensure_user_is_authenticated“. For those, who are not familiar with Ruby on Rails: a before_filter is a method executed before all other code in a controller.

Now, it was pretty easy to solve my problem. The only thing I had to do was to add the following before filter to the “application_controller.rb” file located in the “/usr/share/collabd/coreclient/app/controllers” directory:

before_filter :ensure_user_is_authenticated

The line above is in the best case placed below the last line of the already existing before_filters and above the after_filter line in the “application_controller.rb” file. In my case this was line 31.

After saving the file and restarting the wiki server, every user has to authenticate before the wiki is displayed.

Windows Small Business Server 2011 Installation (network issues)

Today, I had to install a brand new server with Microsoft Windows Small Business Server 2011 Standard (SBS). As always I inserted the Install-DVD, booted from it and followed the instructions on the screen. After copying the files, the server reboots and the installation wizard for step 2 of the SBS setup appears. Reffering to http://technet.microsoft.com/en-us/library/gg680347.aspx, the setup is divided into two steps. Step 1 is the installation of the operating system. Step 2 is the SBS configuration. While there was no problem in step 1, I had a major problem in step 2, because the SBS configuration wizard requires a network connection. This is no problem if the hardware components are supported by Windows out-of-the-box. But in my case the network interface controller (nic) was not installed by default. On a “normal” Windows Server you would be able to install the driver on a common way. But on an SBS 2011, you are not able to come to the desktop, not even in “Safe Mode”. Every time Windows starts up, the wizard for step 2 is appearing. If you cancel the wizard, Windows makes a reboot.

After thinking about a installation of the server with the OPK, I came over a very simple solution for that problem:

  • press ”Ctrl-Alt-Del” while the SBS configuration wizard is open
  • open “Task Manager”
  • click on “New Task…”
  • type in “mmc” and click on “OK”
  • add the “Computer Management” Snap-in to the opened MMC
  • open the “Device Manager” in the tree
  • install the nic or any other driver from CD/DVD or a removable medium Windows knows out-of-the-box

After the nic installation I was able to continue my SBS configuration wizard without any other problems.

touch & find to localize recent changed files

This week I discovered the abilities of find in combination with touch for fast findig recent changed files.

First you,ve to make a reference file with touch. You do this by typing

touch -t MMDDhhmm filename

in the bash promt. The MMDDhhmm has to be replaced by a special date and time, e.g. 02241154 = February 24th, 11:54 .

After this you can type in

sudo find / -newer filename

And you get all files on your system newer than the reference file in a list on the bash promt.

This command is tested under Mac OS X 10.6 . The special command may differ on another unix-like OS.

Windows Small Business Server 2008 Sicherung

Die neue Windows Sicherung, enthalten im Windows Server 2008 sowie im Windows Small Business Server 2008 kann von Haus aus bei geplanten Sicherungen nicht auf Netzlaufwerke sichern. Paradoxerweise kann man jedoch bei einer Einmalsicherung die Daten auf einem Netzlaufwerk ablegen. Mit einem kleinen Workaround ist es aber dennoch möglich mit der Windows Sicherung eine geplante Sicherung auf ein Netzlaufwerk zu machen:
Das Tool “wbadmin” kann die Windows Sicherung über die Kommandozeile und somit über eine Batchdatei steuern. Die Batchdatei kann man dann schließlich über die “Aufgabenplanung” geplant ausführen lassen.

Man benötigt nun also nur den Befehl “wbadmin” mit den nötigen Optionen:

wbadmin start backup -backupTarget:\\%DATENSICHERUNGSFESTPLATTE%\%FREIGABE%\%ORDNER% -include:c: -allCritical -vssFull -quiet

beim obigen Befehl muss man natürlich noch die Werte

  • %DATENSICHERUNGSFESTPLATTE%
  • %FREIGABE%
  • %ORDNER%

gegen etwas gültiges austauschen. Ein fertiger Befehl könnte dann so aussehen:

wbadmin start backup -backupTarget:\\netzwerkfestplatte1\daten\sicherung -include:c: -allCritical -vssFull -quiet

Bei diesem Befehl wird allerdings nur der lokale Datenträger C: gesichert. Wenn jemand mehr Laufwerke sichern möchte, so kann er nach dem -include:c: die anderen Laufwerke mit Kommata getrennt noch anfügen, also z.B. -include:c:,d:

Ein Vorteil dieser Methode ist, dass man sich auch gleich die Befehle für das stoppen von Diensten und das starten nach der Sicherung in die Datei einbauen kann. Einfach vor und nach dem Sicherungsbefehl einfügen.

Hat man die Batchdatei fertig, so kann man in der “Aufgabenplanung” eine neue Aufgabe hinzufügen und diese entsprechend planen.

Ein Problem der bisher vorgestellten Methode ist, dass man bei jeder Sicherung das alte Backup überschreibt. Um dieses Problem zu umgehen kann man sich aber verschiedene Ordner anlegen und mehrere Batchdateien die dann immer abwechselnd in einen anderen Ordner schreiben. So legt man sich z.B. 5 Ordner (Montag – Freitag) und 5 Batchdateien (Montag – Freitag) an, in denen man den %ORDNER% entsprechend des jeweiligen Tages anpasst. In der “Aufgabenplanung” muss man dann entsprechend auch 5 Aufgaben anlegen und in diesem Fall wöchentlich am jeweiligen Tag ausführen lassen.

Eine Ausführliche Befehlsreferenz zu “wbadmin” gibt es bei Microsoft auf der Webseite http://technet.microsoft.com/de-de/library/cc754015(WS.10).aspx .

My new Website & Blog

As you can see, today I moved my Website into a WordPressblog. I thought about making a new Website in a new theme. My current CMS (wrote by myself) didn’t longer serve my needs. I was not able to put photos or bare html into my posts. One day I decided to not develop my own cms any further but go to WordPress.

From then my plan was to make an own WordPress Theme. But I mentioned that it is a lot of work to do. Now I have decided to use this theme. I’ve changed a few things, mainly the color of the links and the sidebar.

Hope you like my new Blog, and: Have a lot of fun!