Guarantee anonymity to users - security

I have programmed a system for internal behavior reporting for my company's intranet. I should not have access to its data (not being part of the controlling committee, but I have.
I've locked my account away from the data, but I could unlock it. I could store the data in an encrypted format, but, even if chosen by someone else, I should store the salt somewhere and hence read it -> decrypt the data.
From a theoretical point of view (I'm not talking about a particular system or framework or utility), how can I not have access to the data stored in a system I have complete control of?

Seems to me that you could just set passwords such that only one user has access to the database, then allow someone else to set that password. It would make maintenance a bit more tricky, but then again a database shouldn't need a ton of maintenance on a tool like this once all is said, done, and thoroughly tested.
If this is internal, it would be nothing to setup a dedicated, physically secure WAMP or similar machine that's solely dedicated to this purpose. Have someone else tweak root passwords and store them with the "committee" and you're off the hook, in theory.
I suppose if one was to be completely paranoid, one could build a web service to isolate the database completely on a separate network from the reporting functionality. In theory, you could setup the web service on a remote machine that your access is removed from, then use the front-end to collect data and pass it to the webservice. From there, it's completely out of your hands, with no "data out" webservice to retrieve data.
Security is always a messy subject. I've worked in banking, ecommerce, and sports (drug testing) environments where I'm knee-deep in confidential data and it is more than just a bit scary. At some point, you just have to do the best you can do, document your safeguards, be "read in" on proper protocol and required background checks, do thorough testing with independent testers, and then just maintain complete transparency. In the IT world we have access to a ridiculous amount of information, and that's never going to go away.

The basic answer is Mandatory Access Control. The kind of access control most computer user are familir with is Discressionary Access Control. In DAC (Discressionary Access Control) everything on the computer is owned by a user. Users can grant access of an object (file, service, peripheral, memory, etc) to another user. Users can even transfer ownership of an object to another user. In MAC (Manditory Access Control) at least some objects are not owned by any user. The rules governing how users can access or interact with these objects are fixed and unchangable by any user.
In your example the data generated by the reporting system should be protected by Manditory Access Control, but the reporting system configuration may be owned by you. So you can control how the system behaves but not have access to the data it generates.
Microsoft began implementing MAC with Windows Vista. In Vista it was called Mandatory Integrity Control (MIC).
Linux can implement MAC with SELinux or AppArmor.
Mac OS X uses an implementation of the TrustedBSD MAC.
So, why isn't MAC used more often?
I takes effort. It is not easy to set up MAC, and it is hard to change once it is set up. It can be complicated. Most systems and services are built on the DAC model. Turning on MAC often makes services stop working.

Related

Secure data entry process utilizing Microsoft Office environment

I am trying to figure out a way to create a secure data entry process using Microsoft Office (cannot use Azure by the way). The obvious way is to use Microsoft Forms, but the form would be too large as there are over 150 data points that need to be entered.
I have instead created an Excel file that has the ability to load responses to a SharePoint list. This works as long as the list is public and viewers have contribute privileges. The downside to this is that the data is not secure and anyone can view the list. The data has phone numbers, ssn, passports, etc. I tried to make a work around for this by creating a flow that captured any new entries and moved them to my personal private SharePoint list, then deleted the original. This works great, but after testing with my colleague it seems that anyone can join the first team and make an identical flow to that team to capture data themselves.
Is there a way to accept data from anyone internally while also preventing them from accessing the data? I am capable of using SharePoint, Teams, Power Automate, and Access to accomplish this. I am less familiar with access but have used it before. I'm just not sure how secure it is.
I'll be happy to provide further information as needed. Thanks
You could consider Access forms, and then have the tables reside on SharePoint.
You can then say base the form on a query, and in that query you could provide (have) the user name included as part of the query where clause (thus a user removing or changing the forms filter will only provide a view of their own data.). However, such uses if they fired up Access (or even Excel) could wind up with seeing all rows in the table and not what the Access query restricts the data to (the one user).
Unfortantly with Access desktop? And like most desktop software? Well the goal and design and history is that of allowing ease of data editing and viewing. So, just like when you walk into a bank, and wait in line? Well, when you get to the teller, they will fire up a access form based like system and pull up your account information. And any and all tellers can see/view and pull up that data because that is what the software supposed to do, and do well. (get at any customer data).
Now, flip this problem, and create a user web banking system, or even a instant teller. Now the problem is backwards. The software's goal is not ease of editing data in a table, but ONLY allowing the user to see THEIR data. So a very different kind of problem.
It is very (beyond very) to note that web development tools do not out of the blue or automatics restrict data to JUST the one user. It is YOU the developer that makes that choice. So, if we could press a button and have a access form converted to the web? Well, then that access form would do its job in life. That job is to allow you to edit all that data in a table. Not just YOUR data.
For example, have you ever written a Access application that JUST displays each users own data? I am betting not! It is hard to do. (because the roots of Access is ease of editing data). As noted, I cannot stress that web development tools do the SAME thing. They can let you edit data. The editing of data is thus a software issue and development issue. The data system or Access or even SQL server? They just hold data. It is YOUR software that has to decide that ONLY data for the one user is to be displayed.
Now so very often web systems ONLY show YOUR data. But that VERY common case is due to the nature of web systems, and that your not a bank teller, or a company employee, but that of a consumer of that system. And each consumer now is 100% opposite of what most software systems do naturally (that is get data from a table).
So, I can't stress this concept enough. That concept is that web software and systems do NOT make this restricting of data choice for you. It is your developer tools that MUST have this ability and ALSO the choice of how you build such systems.
Web systems can do this data restricting data better for several reasons.
One big reason? Well, most of the time you adopt some kind of security and logon system.
Thus, parts of the web site now are restricted based on your logon system. (hey, maybe you use Facebook logons). So web systems have a very good and wide and broad system of supporting some kind of logon system. For desktop software? not so much.
But EVEN with that very robust and type of security system and logon system?
You the developer STILL have to make the choice of what data they see. Maybe it is traveling salesmen on the road. And thus every user of that web system still has to be able to edit, view and add customers to that system. This common case is not really different then a typical Access form to edit data.
So only SOME types of web applications need that restricting of data to JUST the one logged on user. But, because web systems have that "better" logon system? Then you the developer can thus now use that logon to restrict data with greater ease then what desktop software dev tools often offer (say like access).
So, a lot of this will come down to the web tools used. If you pulling data with Excel, or Access? Then it considerable more difficult to pull JUST data that belongs to a given user. And your software will require designs from day one with these restrictions in mind.
Again, at the risk of repeating myself?
the tools don't' make the data restrictions for you. If you need secure data for ONLY the given user, then you simply have to adopt a set of developer tools that allow this concept in mind. And that tends to mean the tools you use do NOT by default allow users to directly edit or link to some big table of data that contains all users data.
This is also why say a program written in VB6, or now vb.net can be more secure then Access. (because those tools by default don't provide forms that are designed from day one to edit all rows of data). So, the UI does not present default forms and things that gives users the ability to edit all rows. As a result, then the software can now control what records the users sees, and since they don't' have some default form that allows viewing of all rows.
It thus becomes more practical to write software that only dishes out their own data. But again, and I can't stress this:
The choice of what data to display is a choice of the software developer - not the database nor the web development tools.
It thus stands to reason then you have to chose the appropriate tools that will allow you to write software that restricts the data in a manor you require.
General questions on SO in regards to what flavor of ice cream or what dev tools to use tends to be frowned upon, and is quite much against the general rules for solving software and code issues you have and post on SO.
But, if you come from say Access with VBA skills? Then I would suggest adopting the free verison of Visual Studio and go with vb.net + asp.net web forms. Web forms are close to end of life, but they are by far and away the best choice, the least effort (coming from Access) and will give you a robust security model in which you can restrict data on a per user basis.
I would not duck tape and try to cobble together such a system with office tools, since they are not really designed for that type of data restricting you need. So, go with some good quality web tools like Visual Studio (free version is fine) and use SQL server (free version again) is really the way to go here. If you need a truck in place of a car, then get the right kind of truck, and don't try and use a car for that transport of goods, or in this case build a secure web database system.

Windows equivalent of application-scoped Linux Wallet

In Linux, there's a KDE Wallet (and GNOME Wallet) application, that stores passwords and other sensitive data. These wallets by default prevent accidental data access of application other than the one that stored the data.
E.g. if the piece of data was stored by the /bin/app1, then /bin/app2 won't have full access to that data, and the wallet will first ask the user if they really want to allow /bin/app2 to access the data stored by /bin/app1.
I find this feature important for some aspects of local data security for an application I participate in.
On Windows, a somewhat analogous UX is provided by wincred.h, but, as I currently understand, there's no any kind of per-application restrictions in it. It will provide the data access to any application started by the current user, and thus provide less security that the application-scoped defaults of Linux wallets.
Is there any way to achieve a similar application- (or vendor-) scoped security in Windows using only standard APIs?

Password protection and other security measures for MS Access database

I have been asked to secure an Access database at the highest level possible, and something tells me password protecting the file is not sufficient. We have really sensitive data and I need to protect it to the greatest extent possible. Any ideas?
This has been an issue that I have had for several years with Access 2003. We set a Database Password on the database to lock it down so users would need the password to access it. Not necessarily the best option and kind of a pain.
Since you are using MS Access 2007 you might want to check out want Microsoft says are database protection options.
First, when discussing security, we have to define the threat model.
Common threats are:
Unauthorized access of data: Someone that shouldn't be able to read data, is able to read data.
Unauthorized modification of data: Someone that shouldn't be able to modify data, is able to modify data
Unauthorized destruction/corruption of data: Someone is able to vandalize the database
Privilege escalation: Someone who should be able to read or write some of the data, is able to read or write more than intended
Data exfiltration: someone who should be able to read some data is able to copy large amounts of data and move it to an external (or less protected) system.
Malware insertion: someone is able to insert malicious code into the application
The main defense for Access, as discussed, is encrypting the database using a database password. When using an accdb file, this generally offers sufficient protection against unauthorized access and modification of the data. This is a "one privilege fits all" approach, there is one password, if you have it, you have all privileges and can read, write, and insert components at will. Also, when you have write access to the file, but not the password, you are able to damage or delete the file.
A level higher is securing the Access file: using a secure file server to only serve the file to those who should have access to it. This comes with practically all benefits of encryption, and protects against destruction too, as unauthorized users cannot access the file. This also allows us to revoke rights to that folder, assuming the user hasn't made a copy.
If we want to work with user rights, we can separate the file into a front-end file, which does not contain privileged data, and multiple backend files, and secure these files separately, by either using a different password for each file, or storing them on separately secured locations. Again, secure locations offer the additional benefit of protecting against destruction.
Since Access requires users to have write permission to the file (for placing locks) to have read access, however, we can't easily separate read and write permissions this way. One approach I've seen used is using a "shadow folder", where a virtual folder is created for read users, and upon accessing the folder, the most recent database file is placed in it, and overwritten each time. Setting this up, however, is nontrivial.
Another approach which is very common is trying to use VBA to limit which actions users can take, and allowing them only to open specific forms and take specific actions on them. This is possibly combined with tricks like disabling the bypass key, and/or creating a compiled copy (accde/mde) without the original code. However, these will only stop novice attackers, and can practically always be bypassed, either by using a non-Access program to read the data (which will ignore any restriction imposed by VBA), allowing the bypass key through COM, disabling VBA altogether on the machine, etc. A compiled database only makes it impossible to view and modify the code, not the data, and this also can be bypassed by experts by manually reconstructing the code (example commercial service that offers this). Thus, while this may look like proper security at first glance, it has severe flaws.
Compiling the code is useful when combined with signing the code, to protect against unauthorized malware insertion. Since a decompiled, modified and then recompiled copy won't have a valid signature, assuming the attacker can't access the trusted certificate used to sign the code, and systems can be configured not to open compiled databases without that signature, this can help detect malicious modification of the database.
If we want to have separate user privileges, but cannot enforce this using separately secured folders, an option is to have separately encrypted backends with different keys. For usability purposes, we can use a key encryption key to have a separate password for each user, and have that password grant access to the backends which the user is allowed to use. I've created a sample of a database that uses key encyption keys for this Q&A, but nowadays I'd make some changes, such as using a single front-end with both the KEKs and linked tables to the encrypted databases, and using the CNG API for fast encryption in VBA.
Note that some of these options add a lot of complexity, and none properly protects against data exfiltration (which is an increasing threat in the country + sector I work in). Often, it's a lot more simple, in terms of infrastructure, management, etc. to use a different back-end than Access. This can still allow you to use Access as the front end, so users might not even notice a change, but management of permissions is determined by the back end, which can either be secured by using different passwords for each users, or, in case of SQL server, by linking security to an AD domain (SSPI).
In SQL server, we can also add logging, restrict fetching large datasets by only granting rights to stored procedures and limit the amount of requests over time, to mitigate data exfiltration. However, the added complexity this brings to using Access as a client often makes choosing a different client more sensible, if you only use stored procedures linked tables are not available and Access tends to make more requests than necessary.
Note that when choosing to use a different back-end, it is still recommended to compile and sign the Access database to mitigate malware insertion, which is not dependent on the back-end used.
Bonuses:
What about user-level security? That was a technology specifically intended to offer per-user read and write rights, and separate rights for modifying the database and managing users. Unfortunately, it was insecure and there are many tools out there to remove it, and it only applies to the mdb and mde database formats, so is not of any use.
And, of course, you can also secure the user by securing the environment that Access runs in. I've seen a deployment where users are only allowed to access resources in a virtual environment that is behind a firewall disallowing all internet access, is limited to only opening this specific database, doesn't allow storage devices, and doesn't share the clipboard with the main environment. That allows you to have a secure database by using VBA, but severely limits usability of the database (especially the copy-paste limitation frustrates users, but copying and pasting could be used for data exfiltration).
I would suggest you put it on a file server and have a strict access control list.
In the database force users to log in then
add triggers to write out audit info when a record changes (with the user info,date/time).

How can I protect a key against other applications?

Setup
I have a SQLite database which has confidential user information.
This database may be replicated on other machines
I trust the user, but not other applications
The user has occasional access to a global server
Security Goals
Any program other than the authorized one (mine) cannot access the SQLite database.
Breaking the security on one machine will NOT break the security on other machines
The system must be updatable (meaning that if some algorithm such as a specific key generation algorithm is shown to be flawed, it can be changed)
Proposed Design
Use an encrypted SQLite database storing the key within OS secure storage.
Problems
Any windows hack will allow the person to access the key for all machines which violates goal #2
Notes
Similar to this method, if I store the key in the executable, breaking the security will comprimise all systems.
Also, I have referenced windows secure storage. While, I will go to an os specific solution if I have to, I would prefer a non-os specific solution
Any idea on how to meet the design goals?
I think you will need to use TPM hardware e.g. via TBS or something similar, to actually make a secure version of this. My understanding is, TPM lets the application check that it is not being debugged or traced at a software level, and the operating system should prevent any other application pretending to the TPM module that it is your application. I may be wrong though.
You can use some kind of security-through-obscurity kludge, but it will be crackable with a debugger unless you use TPM.

Windows BackupRead / BackupWrite and ACLs

I have been trying to understand what should be the right way in using BackupRead and BackupWrite for backing up data on a computer and especially about restoring it reliably.
Now I understand how to use the API and have been successful. However there's one thing that bothers me.
You can backup, beside the file content itself, any alternate data streams also the security information (ACLs).
Now if I would store the ACL data for backup and then later, once the data needs to be restored on a different machine OR a newly setup machine what should I do with the SIDs which are related to the ACL?
The SID is most likely no longer valid for the machine and how should the right user be selected?
Now I am looking at this on a bigger scale let's say this is a computer with multiple users and hundreds or thousands of objects with different settings this would be mess to get the data restored with the security settings applied to them again.
Is this something, if the user of the software wishes to backup the security settings, what the user has to take about himself and update them accordingly or what?
Additionally BackupRead and BackupWrite will give me the raw binary data of those items which is not all too hard to use however obviously this API does not even intend to face this issue.
Anyone has an idea how a backup application should handle this situation? What is your thought, or any pointers on guidelines for this specific topic?
Thanks a lot.
I think you understand correctly the problems with backup and restore of data. I think that correct understanding of problems is a half of its solving. I suppose that you are, like the most of users of the stackoverflow site, mostly software developer and not an administrator of a large network. So you see on the problem from another side of software developer and not from the side of the administrator. An administrator knows the restrictions of backup and restore of ACLs and already use it.
In general you should understand that the main purpose of backups to save the data and to restore the data later on the same computer or server. Another standard case is: one restore backup from one server to another server after the changing of hardware. In the case the old server will no more exist. Mostly one makes backups of servers and organize to work on the clients so, that no important data will be saved of the client computer.
In the most cases the backed up data has Domain Groups SIDs, Domain Users SIDs, well-known SIDs or SID aliases from the BUILTIN domain in the security descriptors. In the case one need make no changes of SIDs at all. If the administrator do will make some changes in ACL he can use different existing utilities like SubInACL.exe.
If you write Backup/Restore software which you want use for moving the data with the security information you can include in the backup some additional meta-information about the local SIDs of accounts/groups used in the saved security descriptors. In the Restore software you can provide the possibilities to replace SIDs from the saved security descriptors. Many year ago I wrote for one large customer some utilities to clear up the SIDs in SD in the file system, registry and services after domain migration. It was not so complex. So I suggest that you could implement the same feature in you Backup/restore software.
I do believe the Backup* APIs are primarily intended to backup and restore on the same machine, which would render the SID problem irrelevant. However, assuming a scenario where you need to restore a backup on a new install, here's my thoughts on solutions.
For well-known SIDs such as Everyone, Creator Owner and so on, there isn't really any problem.
For domain dependent SIDs you can store them as is, and upon restore you could fixup the domain part, if needed. Likely you should store the domain name as well for such SIDs.
For local users and groups, you should at least store the user/group name for each SID. Fixup on restore could be partially automatic based on these names, or manual (assuming an user interface for the application) where you ask the user whether he wishes to map this user to a new local user, convert these SIDs to a well-known SID, or keep as is.
Most of the issues related to such SIDs can (and probably typically will) be possible to handle automatically. I'd certainly appreciate a backup application that was smart enough to do the restore I asked it to and figure out that "Erik" on the old machine must be "Erik" on the new machine as well.
And a side note, if you do decide to go with such a solution, remember how annoying it is to start an overnight data transfer just to get back to something 5% done blocking on a popup it could just as easily defer :)

Resources