In a world of remotely exploitable vulnerabilities and inherently vulnerable protocols, permissions on a control system server may seem insignificant. With 20+ Bandolier security audit files under my belt, though, I have a different opinion.

Think about all the application resources that get installed on a server or workstation – files, directories, shared directories, services, DCOM objects, registry keys, etc… More often than not, they get installed with an ACL that leaves them wide open.

Now think about the types of settings, particularly those buried in configuration files – hashed (or often even plaintext) passwords, application authentication and authorization settings, communication settings, and trust levels. A little imagination could make for some interesting security impact.

An argument could be made that with local access of any type, you are already owned, but I think that’s a narrow view of the attack vector. I have a hard time accepting that everyone that has an account needs full access to all the application components. What I will concede is that this risk is probably not the first thing you should worry about if you have a weak perimeter, don’t patch, etc… But it is a risk that is, relatively speaking, easy to fix.

For a short term/quick fix, try to divide up access between Administrators and Users and get rid of the Everyone/Full Permissions ACLs. The Bandolier files have a lot of ACLs constructed around permissions divided between Administrators and Users.

My advice for SCADA and DCS vendors (especially those that deploy with a domain) is to take this a step further by creating Windows groups that match user roles within the application. Having groups for different roles or AORs makes setting up the ACLs much easier and allows for a more granular level of permissions assignment.

To summarize:

BAD = Permissions granted to Everyone group

BETTER = Permissions divided between Administrators and Users groups

BEST = Permissions divided between Engineers, Senior Engineers, Operator I, Operator II, IT Administrators, Service Accounts, etc…

(My examples are Windows-centric but the same concept applies to *nix systems.)
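The BAD-to-BEST progression above, as an added PowerShell example that is not from the original post or from Bandolier: it first reports every Allow ACE granted to Everyone under an application directory, then builds a replacement ACL from role groups. The application path, the role group names and the rights assigned to each role are assumptions; adjust them to the product and domain you are auditing.

```powershell
# Added example (not from the post or Bandolier). Hypothetical application
# root and hypothetical role groups that follow the "BEST" model above.
$AppRoot = 'C:\ProgramData\ExampleSCADA'          # hypothetical path
$Domain  = $env:USERDOMAIN

# Role group -> rights that role actually needs (hypothetical group names).
$RoleRights = @{
    "$Domain\SCADA-Operators"       = 'ReadAndExecute'
    "$Domain\SCADA-Engineers"       = 'Modify'
    "$Domain\SCADA-ServiceAccounts" = 'ReadAndExecute'
    "$Domain\SCADA-ITAdmins"        = 'FullControl'
}

# BAD: report every Allow ACE granted to the Everyone group, with its rights,
# so the wide-open resources can be found before anything is changed.
function Find-EveryoneAce {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq 'Everyone' -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{ Path = $_.FullName; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# BEST: replace the ACL on the application root with role-based entries.
# Dry run by default; pass -Apply to write the ACL with Set-Acl.
function Set-RoleBasedAcl {
    param([string]$Path, [hashtable]$Roles, [switch]$Apply)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the parent's (often wide-open) ACL; inherited ACEs are
    # dropped when the ACL is written, so only explicit entries remain.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    # SYSTEM keeps FullControl so services, installers and backups still work.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow')))
    foreach ($group in $Roles.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $group, $Roles[$group], $inherit, $prop, 'Allow')))
    }
    if ($Apply) { Set-Acl -LiteralPath $Path -AclObject $acl }
    else { $acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize }
}

Find-EveryoneAce -Path $AppRoot | Format-Table -AutoSize   # audit first
Set-RoleBasedAcl -Path $AppRoot -Roles $RoleRights         # add -Apply to enforce
```

Run the audit on a representative server before applying anything, since the role groups must exist in the domain and any process that relied on the Everyone entry will lose access once the ACL is replaced.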

Taking the BEST option not only makes for better security but also allows for easier configuration auditing with tools like Bandolier. A little application of the Principle of Least Privilege goes a long way.

And then there is user access auditing for key files… but I’ll save that for another post.