Computer Configuration

Computer components include a variety of different configuration settings that affect how users interact with the components and how the components contribute to the enforcement of various security policies . For example, some components can be configured to automatically lock a workstation after a period of inactivity. This can be more effective than just depending on users to properly follow the procedural security settings established for the component.

Tutorials

Players configure individual components by right clicking while the cursor is over the component in either the OFFICE or NETWORK screens.

Most of the computer configuration choices are made via the COMPONENT screen. Selecting an entry in the COMPUTER SELECTION list displays settings for that computer. Additionally, the ZONE screen defines default configuration settings for components that are purchased and placed within each zone. This lets the player define a set of defaults that are then inherited by components as they are purchased, rather they needing to configure each component separately. Note that the COMPONENT and ZONE screens display two kinds of component settings: configuration settings and procedural settings. The former are enforced by the component (or IT support staff). The latter are procedures to be followed by users. This encyclopedia page describes configuration settings. Configuration settings fall into five broad categories:

User Identification & Authentication
Authentication policies
Application software and settings
Component Management
Network Connections

User Identification and Authentication
If a workstation has the "Require Local Authentication" policy, then users must be authenticated prior to gaining access to the workstation. Similarly, if component has the "Require Remote Authentication" policy, then users must be authenticated prior to gaining remote access to the component.

A component must recognize a user's identity if the component is to authenticate the user. And the component must recognize user and group identifiers to control user access to assets protected by discretionary access control mechanisms (e.g., ACLs). Additionally, user identity information is necessary if the component is to produce audit logs in support of user accountability. Lists of identifiable users may be maintained locally on individual components, or they may be maintained centrally on an authentication server. User identity information may be obtained via an ID Device (e.g., a card reader). The "User & Group Identity" pane lists the locally managed users and groups. The LOCAL button is used to manage that list. If an authentication server is used for the component, then the name of that server is listed. The SERVER button is used to identify an authentication server for the component (as an alternative, the clients of a server can be enumerated on the server itself).

The PROFILE button defines an optional authorization profile used by the component to limit user access to components based on group membership and clearances. If a component has a authorization profile and the component is configured to use an authentication server, then the user must conform to that profile in order to access the component (assuming "Local Authentication" or "Remote Authentication" is required for the component)¹. Additionally, if a workstation has an appropriate ID Device (i.e., one that includes a card reader), then the user may directly access (i.e., login to) the workstation if the user conforms to the workstation's authorization profile. Note that this access is permitted even if the user has no identity information on the workstation or on an authentication server.


Click "LOCAL" to edit users and groups defined locally at this computer.	Click "SERVER" to select an authentication server for this client.	Click "PROFILE" to define an authorization profile (in terms of group membership and clearances) for this component.

Authorization profiles are expressed in terms of groups and/or clearances. A user conforms to an authorization profile if that user is a member of any group in the profile and the user's clearance dominates at least one Secrecy level (if any) and one Integrity level (if any) in the profile.

ID Devices can be purchased and placed next to workstations within selected scenarios. There is no need to "connect" ID Devices to workstations -- that is implicit if they are on the same desk. Some of these devices read smart cards that include user authorizations in terms of group membership and clearances thereby allowing users to access workstations having suitable authorization profiles.

Some scenarios include visitors, who are identified as such. Visitors cannot be added to local identity lists or to authentication servers. However, you can define authorization profiles that include visitor attributes (e.g., group membership) and deploy ID Devices that are able to provide workstations with user authorization data (e.g., a card reader). Authorization profiles that enable workstation access can be defined on local workstations, or on authentication servers.

If a workstation does not require local authentication, and the workstation has no identify list or authentication server, then local assets that are created by users will not protected by ACLs.

If the selected entry in the COMPUTER SELECTION list is a server, then the Authentication Server button appears on the "User and Group Identity" pane. This button is used to define the users and groups known to an authentication server, and it simplifies assigning clients to an authentication server. See "how to configure an authentication server". If an authentication server is configured with a validation profile, then that profile is applied to workstations having ID devices.²

When discretionary access control mechanisms require group information, the component must know about the group either via the local list or via the authentication server. Players need not maintain group membership, players only need to add the group name (e.g., "Engineering") to the local list or the authentication server (group membership is fixed and not defined by players.)

[NOTE: The game does not support centralized management of workstation security configurations (e.g., an ability to "push" configurations to individual workstations. ) The closest it comes is the ability to set defaults for a zone, and have components inherit those defaults. But there is no way to push new defaults to workstations.]

Also see:

How to permit a user to locally access a workstation
How to permit a user to remotely access a component
Identifying Users In Hostile Environments

Component Authentication Policies	Description
Require Local Authentication	Require some form of authentication when accessing the component locally (e.g., accessing a workstation)
Require remote authentication	Requires some form of authentication when being accessed from a remote computer.
Enforce Password Policy	The computer enforces the password policy that is defined within the procedural settings. If an authentication server is used, then the server enforces this policy, and the server is used to define the password policy (the individual workstation's procedural settings are ignored).
Automatic screen lock	Locks the keyboard and screen after a fixed amount of inactivity, requiring a password to regain access to the component.
Require One-time password	Remote authentication requires use of one-time passwords, e.g., from on-time password generators. If an authentication server is used, then the server controls this policy.
Use biometric peripheral	Require users to authenticate using a biometric peripheral in addition to whatever password policy is in place. If an authentication server is used, then the server controls this policy. Use of this setting requires the associated workstation to have a biometric peripheral (e.g., a hand scanner).
Use Card Reader	Require user to authenticate using a card reader in addition to whatever password policy is in place. If an authentication server is used, then the server controls this policy. Use of this setting requires the associated workstation to have a card reader.

Application Software and Settings	Description
Applications software	Components are purchased with an initial set of applications software. Players can purchase additional software for components, and can remove software from components via the SOFTWARE button that is displayed when a component is selected in the OFFICE or NETWORK screens. Applications cannot be managed via the COMPONENT screen.
Browser settings	Limits on the operation of browsers, e.g., whether they execute scripts or active content such as java. Values include "loose", "normal", or "strict".
Email settings	Limits on the operation of email clients, e.g., whether they execute active content such as scripts. Values include "loose", "normal", or "strict".
Scan email attachments	All email attachments are scanned for viruses. This setting is applicable to email servers.
Strip email attachments	Strip off all email attachments. This setting is applicable to email servers.

Component Management	Description
Self administer	Permit user to administer their own components, permitting users to change other component configuration settings, e.g., password change frequency.
Self administer mandatory access controls.	Permit the user to change MAC settings on the component. This is only applicable to components with operating systems that enforce mandatory policies.
User software installation	Permit users to install software on the component, or limit this to support staff.
Disable removable media	Disable all forms of removable media on the component, including USB ports and floppy drives.
Block local storage	Prevent the component from storing any assets locally.
Backup	Routinely backup the information on this component.
Offsite backup	Store a copy of backups in a different physical site.
Un-interruptible power	Use an un-interruptible power supply to power this component.
Configuration management	The degree of configuration management applied to the component and its software. Values include: "weak", "moderate", and "strict".

Network Connections	Within the COMPONENT screen, beneath the COMPUTER SELECTION list is a list of NETWORKS to which the component is connected. Depending on the type of component, up to three buttons may appear beneath the NETWORKS list:
ACL	Clicking this button displays the access control list that is to be applied to this network.
SL	If the component includes an O/S that enforces a mandatory access control policy, the SL button will result in a window via which to select the single secrecy label and/or integrity label associated with this network connection. The O/S associates this label with all information read from the connection, and will constrain information written to the connection to that which is equal to or less sensitive than the label.
ML	If the component includes an O/S that enforces a mandatory access control policy, the ML button will result in a window via which to select range of secrecy and/or integrity labels associated with this connection.

¹Limiting user access via validation profiles only applies when authentication servers are used. If no authentication server is used, then the access is explicitly limited by the accounts defined on that component, and thus validation profiles would be superfluous . (This footnote only applies to users who have explicit accounts and does not apply to visitors that use ID Devices.) Note that limiting labeled session levels is an independent (and not yet implemented) issue.
²Validation profiles defined within authentication servers are only used when permitting access to workstations that have authorization based ID Devices. Using them to constrain access to components without ID Devices would be superfluous since the authentication servers already enumerate who can access its clients.