From a modeling perspective, the difference between a server (more specifically, a host running network services) and a workstation is relatively small. The main difference is that a server hosts services (Applications) that can be reached from the local network, or from other parts of the architecture if the routing and firewall rules allow it.
Therefore, the model representation of a server uses the workstation model as a baseline, and we then add a service to it.
As with the workstation model described earlier, the simplified version consists of an operating system, a client application with network access, and a user. In addition, an Application object is added as a child application to the operating system Application.
This Application shall also be connected to an Identity object representing the user account under which the Application is executing, in other words, the user owning the service process. In most cases, and as the recommended configuration, services run under a separate service account instead of the Administrator account.
As with the workstation example described earlier, the vulnerability objects representing one unknown vulnerability for the network client and one for the operating system still apply. However, an additional vulnerability object has been added for the potential presence of an unknown vulnerability in the service application. The defense parameters are as follows.
As with the simplified server model described above, the detailed server model is based on the detailed workstation model.
Therefore, all aspects and descriptions of the detailed workstation model also apply to the detailed server model.
The simplified server model included only one additional service-related Identity: the Service Account.
In a more detailed version, we also want to capture that the service may hold a local set of user identities that apply only to the service itself. These can represent accounts such as user profiles in a web application.
The "Service Account" is the operating system account under which the service is running. The Application User Account and the Application Admin Account are the application-local accounts. The connection types are shown below.
Depending on which Identity a user possesses (or an Attacker manages to impersonate), parts of or the entire storage of a system is accessible. This applies to the operating system as well as to the users and data sets defined within the scope of an Application. Therefore, we can distinguish between user-accessible application data (such as a user's messages and files) and admin-accessible application data (such as the configuration of the application).
In order to re-use this server model, it is recommended to save it as a separate model and then use "Import Model" to add it to a different model where the rest of the architecture is going to be modeled.
The final model of the server is shown below.
The Server sub-model is connected to a main model by connecting the Application object representing the network software to a Network using the ClientAccess connection type. In addition, the Application representing the modeled service shall be connected to every network where it is accessible, using the NetworkExposure connection.
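The modeling rules above can be checked mechanically before a server sub-model is imported elsewhere. The following is an added example, not part of the original page or the modeling tool: it represents the simplified server model as plain Python data and reports which rules are violated. ClientAccess and NetworkExposure are the connection names from this page; the "child_of" and "runs_as" labels and all object names are assumptions made for the sketch.

```python
from collections import namedtuple

# Plain-Python stand-in for the server sub-model; this is not a securiCAD API.
# "ClientAccess" and "NetworkExposure" are the connection names used on this page;
# "child_of", "runs_as" and all object names are hypothetical labels.
Link = namedtuple("Link", "src kind dst")

def build_server(service_identity="Service Account"):
    """Constructed sample: workstation baseline plus one hosted service."""
    objects = {
        "OS": "Application", "Network Client": "Application",
        "Service": "Application", "LAN": "Network",
        "Administrator": "Identity", "Service Account": "Identity",
    }
    links = [
        Link("Network Client", "child_of", "OS"),
        Link("Service", "child_of", "OS"),
        Link("Service", "runs_as", service_identity),
        Link("Network Client", "ClientAccess", "LAN"),
        Link("Service", "NetworkExposure", "LAN"),
    ]
    return objects, links

def lint_server(objects, links, os_name="OS", client="Network Client",
                service="Service", admin="Administrator"):
    """Return findings; an empty list means the modeling rules above hold."""
    def targets(src, kind, obj_type):
        # Destinations of one link kind from src, restricted to an object type.
        return [l.dst for l in links
                if l.src == src and l.kind == kind and objects.get(l.dst) == obj_type]
    findings = []
    if os_name not in targets(service, "child_of", "Application"):
        findings.append("service is not a child application of the operating system")
    owners = targets(service, "runs_as", "Identity")
    if not owners:
        findings.append("service has no Identity for the account owning its process")
    if admin in owners:
        findings.append("service runs as Administrator instead of a service account")
    if not targets(client, "ClientAccess", "Network"):
        findings.append("network client has no ClientAccess connection to a Network")
    if not targets(service, "NetworkExposure", "Network"):
        findings.append("service has no NetworkExposure connection to a Network")
    return findings

if __name__ == "__main__":
    for identity in ("Service Account", "Administrator"):
        print(identity, "->", lint_server(*build_server(identity)) or "ok")
```

A service Application that is missing its NetworkExposure connection is not reachable from that network in the model, so this finding is worth resolving before the sub-model is imported.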