Very first Web User login, sponsored by DARPA/CTAC
DEFINITIVE USER ACCESS ON A SECURE WEB SERVER
Sage Jackson, Senior Research and Designer
Laboratory of Information Technologies
Department of Electrical Engineering
The University of Tennessee
Knoxville, TN-
ABSTRACT
The WHOSINIT application controls internal access to files, programs and
applications on a Web Server based on user name/password login. This allows access
for each User to the resources on the server to be controlled on a file, Case and
directory basis. WHOSINIT, when used in conjunction with a secure web server,
allows the administrator to give access to specific Users through a secure graphical
point-and-click interface, thus giving easy to use, exhaustive management of access
to documents within or beyond the agency. WHOSINIT was developed to be a stand
alone management interface that could be adapted to legacy systems. From the initial
development, emphasis was placed on generic, flexible structures that could be
adapted to a wide variety of data. The objectives of the development effort were:
1. Provide stable and easy to use software,
2. Allow other hierarchical structures to be imported,
3. Implement as a stand-alone program,
4. Provide a point-and-click graphical interface (using a secure web server), and
5. Allow information to be added for individual users (e.g., e-mail and phone).
By using WHOSINIT in conjunction with a Secure Web Server, and only allowing
access to the sensitive information by programs that check access through the
WHOSINIT controlled database, it is possible to allow definitive management of
user access with versatility and ease of use.
1. Introduction
Using secure Internet technologies for a law
enforcement "Intranet" provides a way for law
enforcement officers to share information with
each other and outside agencies. Existing
encryption technologies ensure that information
being transmitted will not be compromised by
unauthorized users "listening" to the
transmissions. A second security consideration
must be addressed when dealing with sensitive
counternarcotics information: Prevention of
legitimate users from accessing unauthorized
information belonging to another user. Agents,
particularly those dealing with counternarcotics
investigations, will not be comfortable sharing
information unless they can be exactly sure who
will be accessing that information.
In these environments, even in a mid-sized
sheriff's office, there are hundreds of thousands of
cases and possibly thousands of users. In order to
insure that each user can only access the
information he or she is authorized to see, a robust
and definitive user access scheme is needed. In
response to this need the Laboratory for
Information Technologies developed WHOSINIT,
the Web Hierarchical Operational Security:
INternal InTerface.
2. Definition of User Authorization Needs
The primary objectives of WHOSINIT are control
of:
1. Access to individual Cases by an individual User,
2. Access to individual Cases by Groups of Users,
3. Access to individual Cases by Groups of Groups, and
4. Access to individual Cases by any combination of
1, 2 or 3
Further design criteria are:
1. Access is granted by directory name and by
filename based on the case name.
2. Provide stable, easy to use software.
3. Versatility, allowing data and hierarchical
security structures to be imported.
4. Stand alone program (requires Perl 5)
5. Point-and-click graphical user interface
6. Give the administrator an intuitive grasp of the
existing security structure.
7. Allow information to be added for individual
users (email etc.).
8. Create a case directory structure to be used by
other programs.
9. Allow three levels of Access:
• Access Granted,
• No access, anonymous contact available,
and
• No access, existence not visible.
10. Show Group hierarchies with Users.
11. Allow text descriptions for Cases and Groups.
12. Allow Users to update their own Personal
Information.
13. Allow all Users, Groups and Cases to be
edited in "Realtime".
14. Secure administration of the server is to be
allowed remotely.
15. Robust enough to handle hundreds of
thousands of cases, and thousands of users.
16. Speed: able to respond to multiple queries
with no server performance degradation.
3. WHOSINIT Solution
WHOSINIT is a security management interface
for an encrypted web server that can be adapted to
legacy systems. Emphasis is placed on generic,
flexible structures that can be adapted to a wide
variety of data.
The solution was to create server side applications
(cgi scripts) that create and manage all aspects of
case maintenance, without relying on the local
web server's own internal file access methods.
WHOSINIT creates its own case structure and file
locations. No case information (picture or text) is
accessible except by programs that use
WHOSINIT for an authorization check.
Each application uses WHOSINIT to check case
information before passing any case information
back to the user. If an application determines that a
user has access, other programs (such as the Image
Archive and the Data Miner) will pass the
information back via the secure web server. These
programs will check user access rights and notify
the administrator if improper use is attempted
(Figure 1).
Figure 1 WHOSINIT Access Control
All information stored under control of
WHOSINIT is associated with a Case. When a
Case is created, a Case directory and path are created
within the ~server/files directory. Each Case will
have its own directory that can only be accessed
through WHOSINIT and related programs.
If a User or Group has access to that Case they
will have access to all files and directories
contained within the Case directory. It is also
possible to access data from other directory
structures on the same server. Any legacy
directories, called case file directories (Figure 3),
that have the same name as a Case will be treated
as belonging to that Case. In other words, if there
is a Case called "BLUE", and a directory (besides
the one created for the Case itself as was shown in
Figure 2) called "BLUE" is also accessible outside
the ~server/files area, any User who has access to
the Case "BLUE" also has access to the directory
"~case/files/BLUE" and all things contained
therein. In this case, there are Case directories
belonging to GREEN and PURPLE that any
person having access to BLUE would also be able
to access. Anyone with access to GREEN
would be able to see the directory GREEN, but no
other directories unless they had alternative
access.
When adding a Case to WHOSINIT, several
things will take place. Not only is the Case added
to the WHOSINIT database, but a directory for
that Case is created under the ~server/files
directory. When entering the "Case Number" and
"Path", a "Path/Case" directory is created. If
path=PRIMARY and Case=BLUE the directory
~server/PRIMARY/BLUE would be created for
the Case "BLUE". Anyone given access to
"BLUE" would have access to everything within
that directory. Users with access to BLUE will
also be given access to all files of the form
BLUE*, where * is a non-alpha-numeric character
followed by an arbitrary string of zero or more
characters. As other Cases are created they can
share paths (Figure 2), but each Case name must
be unique.
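The BLUE* file-name rule stated above can be written as a short matcher. This is an added example, not WHOSINIT code; the function names, the Case "BLUE-2" and all sample file names except BLUE*DOG are constructed for illustration, and it assumes Case names may themselves contain punctuation.

```python
import re

def file_matches_case(filename: str, case: str) -> bool:
    """Case name, then one non-alphanumeric character, then zero or more
    characters of any kind. The comparison is case sensitive."""
    pattern = re.escape(case) + r"[^A-Za-z0-9].*"
    return re.fullmatch(pattern, filename, flags=re.DOTALL) is not None

def readable_files(user_cases, filenames):
    """Files the name rule opens to a User who holds `user_cases`."""
    return [f for f in filenames
            if any(file_matches_case(f, c) for c in user_cases)]

def overlapping_files(case_names, filenames):
    """Map each file matched by more than one Case to those Cases, so an
    administrator can review the names before granting access."""
    report = {}
    for f in filenames:
        owners = sorted(c for c in case_names if file_matches_case(f, c))
        if len(owners) > 1:
            report[f] = owners
    return report

# Constructed sample data; only BLUE, GREEN and BLUE*DOG appear in the text.
CASES = ["BLUE", "BLUE-2", "GREEN"]
FILES = ["BLUE*DOG", "BLUE-0001.jpg", "BLUEBIRD.txt", "blue-0001.jpg",
         "BLUE", "BLUE-2.memo", "GREEN.notes"]

if __name__ == "__main__":
    print(readable_files(["BLUE"], FILES))
    print(overlapping_files(CASES, FILES))
```

Because the rule is a prefix match, a file named for the constructed Case BLUE-2 is also matched by Case BLUE; the overlap report lists such names.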
Figure 3 File Structure
Figure 2 Case Structure
Besides directories with Case Names being
available, individual file access is also available. If
a file name begins with the Case Name or number
and then a non-alpha-numeric character followed
by more alpha-numeric characters, and if a User
has access to that Case he or she will have access
to that file. This was done in order to comply with
the ACISS method of storing files. For example, if
a User has access to Case "BLUE" and the file
BLUE*DOG (Note: This is case sensitive.) exists
within the file area accessible by WHOSINIT then
that User will be able to read that file even if it is
not within the specified Case "BLUE" directory.
The WHOSINIT application controls access to
files, programs and applications on a web server
based on the username/password login. This
allows access for each User to the resources on the
server to be controlled by file, Case and/or
directory basis. WHOSINIT, when used in
conjunction with a secure web server, allows the
administrator to give access to specific Users
through a secure graphical point-and-click
interface, thus giving easy to use, exhaustive
management of access to documents within or
beyond the agency.
4. Interface and Access
WHOSINIT is a CGI script that runs through a
web server to a web browser (designed for
Netscape 3.x or greater). When a user is given
access to the adm-bin directory through the web
server configuration file, he/she has complete
control of WHOSINIT and all relevant documents
that are available through it. Only the people
responsible for administration of the secure site
should have these access rights. To set up this cgi
area for Stronghold (or another Apache-related
Secure Server) the following could be used in the
httpsd.conf file:
Options Indexes FollowSymLinks
AllowOverride Limit AuthConfig
AuthUserFile /usr/local/apache/conf/.htpasswd
AuthGroupFile /usr/local/apache/conf/.htgroup
AuthName By Password Only!
AuthType Basic
require group admin
All files in the htdocs area are not protected by
WHOSINIT; the server controls access to
these areas. For documents to be secure through
the HTTPD interface, they must be in an area not
accessible through the web server. Specific
programs have been developed in order to serve
these documents (./cgi-bin/results and
./cgi-bin/showpic). If either of these programs or
anything within the WHOSINIT application is
modified, or if new applications are added to the
cgi-bin directory that do not use WHOSINIT to
check access, security could be compromised.
Once the httpsd.conf file has been configured, the
application files and structure must be copied onto
the server. The basic WHOSINIT file layout is as
follows:
Perm        Owner  Group  path and filename
------------------------------------------------------------
dr-xr-x---  root   www    ~server/adm-bin
-r-xr-x---  root   www    ~server/adm-bin/whosinit*
-r-xr-x---  root   www    ~server/lib
-r--r-----  root   www    ~server/lib/access.pl
-r--r-----  root   www    ~server/lib/dbmanage.pl
-r--r-----  root   www    ~server/lib/formgen.pl
-r-xr-----  root   www    ~server/lib/perfmarc.pl*
-rwxr-x--   root   www    ~server/support/htpasswd2*
dr-xr-x---  root   www    ~server/valid
-r--r-----  root   www    ~server/valid/global.pl
drwxr-x--   www    www    ~server/valid/cases/
-rw-r-----  www    www    ~server/valid/cases/casepdb.dir
-rw-r-----  www    www    ~server/valid/cases/casepdb.pag
drwxr-x--   www    www    ~server/valid/groups/
drwxr-x--   www    www    ~server/valid/users/
-rwxr-x--   www    www    ~server/files
-rwxr-x--   www    www    ~server/cgi-bin/showpic
If the httpsd.conf configuration example shown
above is used and the WHOSINIT files are copied
into the areas specified, the URL:
https://server-name/adm-bin/WHOSINIT
will start the WHOSINIT application, showing the
initial page in FIG 4.
This interface is extremely simple to use and
highly intuitive for the user. After using
WHOSINIT for only a short time, the
administrator should have no problems
understanding and using all of its functions.
By selecting links (blue underlined areas) the
administrator may make a selection from this page
to take him/her to different areas within
WHOSINIT. These links can be thought of as a
menu; by clicking on one the administrator has
made and executed a selection. Most of the Menus
will terminate in a form (a page where text can be
entered or edited, boxes of selections chosen, or
selections from pull down menus made).
Figure 4 WHOSINIT first page
The WHOSINIT program will not be cached on
the browser; it forces the browser to update its
pages. This prevents old data from appearing in
forms or pages and being accidentally
incorporated into new data.
The Show Hierarchy function, shown in FIG 5,
from the Group Maintenance Menu is a very
useful diagnostic tool. It allows you to see the
Hierarchies of all the Groups on the Server. For
each Group that is a root of a Hierarchy (belongs
to no other Group), Show Hierarchy will display
all subsets of that Group. It will show not only all
the Users and sub-Groups that belong directly to
the Group, but all the Users and Groups of the
sub-Groups ad infinitum.
Figure 5 Group Hierarchy
This allows the administrator to see at a glance the
Group's infrastructure, giving an intuitive grasp of
who has access by Groups (NOTE: This does not
show individual Users that have access, unless
they belong to a Group). Anyone who has access
at a level will have access to all Groups below that
level.
To add a New Case to the WHOSINIT Database
use the form shown in Fig 6. Enter the unique
name of the Case you wish to add and the path you
want it to have. (The agencies we were dealing
with wished to have a year/month/day format, but
other formats can be used.)
"Contact" is an email address of the person who is
to be contacted for any questions concerning this
Case. For access purposes, if this field has any
value and access is attempted, access will not be
given but a blind e-mail request form will be
available to request access from the Contact. If
this field is blank, the user will never know that
this Case exists. "Description" is the textual
description of the Case. When a user is using an
application, the Case will be described using this
description.
The table "Group Access" allows the administrator
to give access to all Users within that Group
(AND TO ANY GROUP WHICH CONTAINS
THAT GROUP AS A SUB-GROUP). The table
"Individual User Access" will give access to any
User checked regardless of any Group identities. If
only one person is to have access to a Case, no
Groups are given access, and only that User ID is
selected.
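The access decision described above (Individual User Access, Group Access that also reaches containing Groups, and the Contact field choosing between the two "no access" levels) can be sketched as follows. This is an added example, not WHOSINIT code; all group, user and Case data are constructed, and it assumes a grant to a Group reaches direct members of that Group and of every Group above it.

```python
from enum import Enum

class Decision(Enum):
    GRANTED = "access granted"
    CONTACT = "no access, anonymous contact available"
    HIDDEN = "no access, existence not visible"

# Constructed sample data; every name below is hypothetical.
SUBGROUPS = {"SHERIFF": {"NARCOTICS", "PATROL"},   # group -> its sub-groups
             "NARCOTICS": {"TASKFORCE"}}
MEMBERS = {"SHERIFF": {"chief"}, "NARCOTICS": {"lt_ng"},   # direct members
           "PATROL": {"ofc_ruiz"}, "TASKFORCE": {"agt_cole"}}
CASES = {
    "BLUE": {"groups": {"TASKFORCE"}, "users": {"da_kim"},
             "contact": "owner@example.org"},
    "GREEN": {"groups": set(), "users": {"agt_cole"}, "contact": ""},
}

def groups_below(group, subgroups):
    """The group and every sub-group under it; `seen` stops on cycles."""
    seen, stack = set(), [group]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(subgroups.get(g, ()))
    return seen

def check_access(user, case_name, cases=CASES, members=MEMBERS,
                 subgroups=SUBGROUPS):
    case = cases.get(case_name)
    if case is None:
        # Assumption: an unknown Case is reported like a hidden one.
        return Decision.HIDDEN
    if user in case["users"]:
        return Decision.GRANTED        # Individual User Access, no Group needed
    for group, direct in members.items():
        # A Group grant also reaches every Group that contains that Group.
        if user in direct and groups_below(group, subgroups) & case["groups"]:
            return Decision.GRANTED
    # Non-empty Contact: offer the blind e-mail form. Blank: reveal nothing.
    return Decision.CONTACT if case["contact"] else Decision.HIDDEN
```

With this data a grant to TASKFORCE on BLUE also reaches NARCOTICS and SHERIFF members, while a PATROL member sees only the contact form for BLUE and nothing at all for GREEN.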
Figure 6 New Case Add Form
The original purpose of WHOSINIT was to
regulate access to individual Cases from a WAIS
search engine using the Data Miner Image Archive
tools (see other papers in this proceedings).
WHOSINIT can also be used for menu generation.
5. Performance
WHOSINIT was developed on a Sun Ultra 1 and
tested on several UNIX platforms. As speed was a
primary design criterion, WHOSINIT was
benchmarked at 2,000 random User verifications
per second. This performance was on an Ultra 1
with a WHOSINIT database of 400,000 Cases and
1,000 Users. This User and Case database is actual
data from Pinellas County, Florida, where
WHOSINIT is being used as part of the West
Florida Counterdrug Investigative Network
(WFCIN) test bed.
6. Summary
WHOSINIT provides definitive user access
management. Used in conjunction with a secure
web server and other server-side applications
developed by LIT, WHOSINIT allows the
widespread dissemination and distribution of new
and legacy information databases to be securely
managed. By using WHOSINIT, an administrator
can easily allocate user authorization on a
case-by-case basis with fine control.
7. Acknowledgments
WHOSINIT was developed initially and
entirely by author Sage Jackson and
matriculated into the current projects by the
University and as a control for some
applications written at the behest of law
enforcement agencies in the WFCIN project who
are participating in the ONDCP test bed project.
Most of these agencies use the ACISS
investigative support system. WHOSINIT was
designed to work beyond these boundaries. It is
capable of managing thousands of Users and
hundreds of thousands of Cases through a secure
web interface, allowing each SO some
independence in controlling their confidential
operatives and notes, with some amount of
self-control, yet providing secure messaging for both
photos and notes on a case-by-case basis, into
groups and individual users' pages.
As with any security technology, it is only as
reliable as those who administer it and/or control
access to the same. As part of the Technology
Transfer from the military, it should be noted that
strong deterrents and incentives are part of an area
of expertise filled with extremely high level
function group of communications experts.
Thank you for your attention.
This work is sponsored by the Office of National
Drug Control Policy/Counter-drug
Technology Assessment Center through the
Tennessee Valley Authority under agreement
TV-94549V.