Advertisement Upgrade to remove ads

CH7

access control

The process by which resources or services are granted or denied on a computer system or network

Four standard access control models used to enforce access control

Identification, authentication, authorization, access

Identification

A user accessing a computer system would present credentials or identification, such as a username

Authentication

Checking the user's credentials to be sure that they are authentic and not fabricated

Authorization

Granting permission to take the action

Access

right given to right of entry specific resources

Object

a specific resource, such as a file or a hardware device

Subject

a user or a process functioning on behalf of the user who attempts to access an object

Operation

the action that is taken by the subject over the objected.

Access Control Models

Provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications

Mandatory Access Control (MAC) Model

The end user cannot implement, modify, or transfer any controls. Most restrictive model because all controls are fixed

Discretionary Access Control (DAC) model

A subject has total control over any objects that he or she owns. Least Restrictive

DAC has two significant weaknesses

1. It relies on the end-user subject to set the proper level of security 2. A subject's permissions will be "inherited" by any programs that the subject executes

User Account Control (UAC)

Operating systems prompt the user for permission whenever software is installed

Three primary security restrictions implemented by UAC

1. Run with limited privileges by default 2. Applications run in standard user accounts 3. Standard users perform common tasks

Role Based Access Control (RBAC) model

an based on a user's job junction within the organization. Sometimes called Non-Discretionary Access Control. Considered a more "real world" approach than the other models. Assigns permissions to particular roles in the organization, and then assigns users to that role. Objects are set to be a certain type, to which subjects with that particular role have access

Rule Based Access Control (RBAC) model

can dynamically assign roles to subjects based on a set of rules defined by a custodian. Also called automated provisioning.

Practices for Access Control

separation of duties, job roation, least privilege, implicit deny

Separation of duties

Requires that if the fraudulent application of a process could potentially result in a breach of security

Job rotation

Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another

Least privilege

Each user should be given only the minimal amount of privileges necessary to perform his or her job function

Implicit deny

If a condition is not explicitly met, then it is to be rejected

Logical Access Control Methods

includes ACLs, group polices, account restrictions, and passwords

Methods to implement access control are divided into two broad categories

Physical access control and logical access control

Access control list (ACL)

A set of permissions that is attached to an object that specifies which subjects are allowed to access the object, and what operations they can perform on it

Access control entry (ACE)

Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems

Group Policy

A Microsoft Windows feature that provides centralized management and configuration of computers and remote users using the Microsoft directory services known as Active Directory (AD)

GPOs

the location where group policy settings are stored

Account Restrictions

method to restrict user accounts

Two common account restrictions

time of day restrictions, account expiration

Time of day restrictions

Limit when a user can log on to a system

Account expiration

The process of setting a user's account to expire

Password

A secret combination of letters and numbers that only the user knows

Logical token

The most common logical access control

Attacks on passwords

brute force, dictionary, rainbow

Brute force attack

Simply trying to guess a password through combining a random combination of characters

Dictionary attack

Begins with the attacker creating hashes of common dictionary words

Rainbow tables

Make password attacks easier by creating a large pre-generated data set of hashes from nearly every possible password combination

Domain password policy

Sets password restrictions for a Windows domain

Physical Access Control

primarily protects computer equipment and is designed to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize it

Computer security

The most fundamental step in physical security is to secure the system itself

Rack-mounted servers

4.45 centimeters (1.75 inches) tall, can be stacked with up to 50 other servers in a closely confined area

Two types of Door Security

preset lock and deadbolt lock

Preset lock

a lock that requires only a key for unlocking the door from the outside

Deadbolt lock

a lock that extends a solid metal bar into the door frame for extra security

Cipher lock

Combination locks that use buttons that must be pushed in the proper sequence to open the door

Tailgate sensor

Use multiple infrared beams that are aimed across a doorway and positioned so that as a person walks through the doorway

Physical tokens

Objects to identify users

ID badge

The most common types of physical tokens

Mantrap

A security device that monitors and controls two interlocking doors to a small room (a vestibule) that separates a nonsecured area from a secured area

Closed circuit television (CCTV)

Using video cameras to transmit a signal to a specific and limited set of receivers

Physical access log

A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area

Please allow access to your computer’s microphone to use Voice Recording.

Having trouble? Click here for help.

We can’t access your microphone!

Click the icon above to update your browser permissions above and try again

Example:

Reload the page to try again!

Reload

Press Cmd-0 to reset your zoom

Press Ctrl-0 to reset your zoom

It looks like your browser might be zoomed in or out. Your browser needs to be zoomed to a normal size to record audio.

Please upgrade Flash or install Chrome
to use Voice Recording.

For more help, see our troubleshooting page.

Your microphone is muted

For help fixing this issue, see this FAQ.

Star this term

You can study starred terms together

NEW! Voice Recording

Create Set